BRAS/BNG mode description and architecture

SSG BRAS/BNG solution is based on Deep Packet Inspection technology. DPI provides analysis and processing of traffic passing through the platform, application of various services to the traffic and bandwidth management.
SSG BRAS/BNG consists of the following components:

1. fastDPI - responsible for traffic processing and termination:
   • NAS functions (IPoE, PPPoE, DHCP L2)
   • Speed limitation within the tariff plan
   • Channel policing and session policing
   • Application of platform services (CG-NAT, Whitelist and Captive Portal, Web-filtering, Mini-Firewall, DDoS protection)
   • Exporting traffic information in IPFIX and Netflow v5 format (Full NetFlow, Clickstream, NAT log)
2. fastPCRF - responsible for interaction of the platform with the telecom operator's OSS/BSS via RADIUS protocol. (AAA - Authentication, Authorization, Accounting). fastDPI and fastPCRF components communicate with each other by internal communication protocol via TCP/IP stack. PCRF can be placed either on a separate physical or virtual server or run on the same server together with fasDPI. In case of using several SSG, 2xPCRF (Active-Standby) and NxSSG scheme is used.
3. Router - used to announce routes using BGP and OSPF protocols with VRF support.
4. DHCP - KEA local DHCP server is used. SSG can operate in one of the modes:
   • DHCP-relay - redirects requests to a specific server. Initial client's request is forwarded to DHCP server, after issuing IP address SSG performs subscriber authorization.
   • DHCP radius proxy - the configuration information is transmitted in RADIUS responses, and the SSG acts as a DHCP server. For the Framed-pool attribute, SSG makes a DHCP request to local or external DHCP servers.
5. GUI - Graphical User Interface

L3-Connected BRAS/BNG communicates with subscribers through intermediate routers, so it does not see the original MAC addresses, and subscribers are already assigned IP addresses. IP address assignment in this scheme is done either statically in the network settings of the end equipment or on the access switches via DHCP Relay.

The popularity of this scheme among broadband providers is explained by the ease of redundancy of network nodes and construction of a distributed network.

L2-Connected BRAS/BNG and the subscriber are in the same L2 domain. The SSG sees the original MAC addresses, VLAN or Q-in-Q, ARP and DHCP requests, based on which RADIUS requests are generated.
BRAS/BNG L2 options:

• DHCP - The subscriber receives an IP address via SSG DHCP Proxy and proceeds to AAA in the Billing system. SSG terminates the subscriber and transfers him to the border.
• Static IP - Subscriber has a static IP address, proceeds to AAA in the Billing system with ARP authorization, is terminated by SSG and gets to the border.
• PPPoE - Subscriber creates a PPP tunnel with SSG, proceeds to AAA in the Billing using login/password, is terminated by SSG and gets to the border

• Termination of traffic from Subscribers to WAN, origination (landing) of response traffic from WAN to Subscribers.
• Monitoring of DHCP requests from Subscribers and their maintenance.
• IP source guard - allows you to control the compliance of VLAN tags and IP addresses for Subscribers.
• Closing local traffic between Subscribers and from Subscribers to local resources.
• Subscriber activity control.
• Traffic filtering - serving only certain subnets.
• Framed-Route - All IP addresses from the specified subnet will be routed through the specified gateway address.

BRAS/BNG with DPI technology when operating in a distributed network has many advantages and capabilities over traditional solutions:

• Traffic control and prioritization by applications and autonomous systems in the accessible band of each uplink
• Limiting the bandwidth occupied by torrent when approaching the channel upper boundary
• Traffic prioritization by applications and AS within the Subscriber’s data plan (this option is relevant for corporate clients: a number of corporate users work within single data plan. Bandwidth for them needs to be allocated so as not to interfere with each other)
• Support for subscribers with any number of IP addresses, including dynamically allocated
• Redirection of Subscribers with zero balance to Captive Portal with an Allow list of resources. For example, bank resources for payment based on domain name or URL, including options with wildcard asterisks
• Ability to gather full NetFlow Statistics for bandwidth or for billed subscribers only
• Support for regulatory and law enforcement requirements, automatic loading and filtering by RKN and Ministry of Justice registers
• Interaction with SORM (work as a puller SORM-3)