nanog mailing list archives

Re: IPAM DDI Software, Subscriber Management, CMDB and Per Customer VLANs


From: charles () thefnf org
Date: Wed, 14 May 2014 10:14:25 -0500

On 2014-05-13 16:37, Kyle Leissner wrote:
I would like recommendations on the following software/hardware
elements required to run an access network. Assume you are building a
greenfield network using a combination of access technologies such as
DSL, GPON, AE, and WiFi.


What a timely thread! With all the talk the past several days about incumbents and lack of alternatives, I'm glad to see someone starting a new network!

If it's not ultra proprietary, what (major) geographical region are you looking to start in, how many homes/businesses do you intend to pass? Or is this all theoretical?

I've recently helped a coalition of non profits start an access network in Kansas City Missouri/Kansas. It passes about 1,000 homes. Uses wifi exclusively. Meraki / Ubiquiti gear in the access layer, Ubiquiti gear in the backbone. We've been ironing out things like grounding/access to facilities, user access policies, dealing with bandwidth hogs etc etc. Now we are getting to the support suite and asking some of the same questions you are.

One thing I don't see you mention below is a network monitoring system. What are you using for that?


IPAM / DDI Solution: Needs full support for IPv6,

Of course. That's important.

Customer VLANs,

QinQ? You looking at offering metro-e services?

RFC 1918,

ewww. v6 sir! Greenfield network and everything.

VRF, Overlapping Address Space,

ewww again. Those are horrible hacks, v6 all the things.

integration with DNS, DNSSEC,

So what does that mean? Create forward/reverse zone entries? Do you want to be able to delegate zone editing to customers? You'll need strong ACLs and what not. What does integration with DNSSEC mean to you?


Integration with DHCP,

v4? v6? SLAAC? RADVD?


and integration with ARIN.

You mean the ARIN API? So you can set up auto SWIP?


Looks like there are
both open source and commercial solutions available according to old
NANOG posts.

Indeed. I've been looking at http://nocproject.org/ which should cater to most of the above requirements.


Which cater to service providers? Who are the leaders in
this space? Does anyone have experience with dealing with multiple
vendors?

Multiple vendors in what regard? You mean integrating offerings from multiple vendors?

Honestly I'd spend money on a couple good integration engineers. What you are looking for almost certainly will need a good amount of perl/python/bash glue to work. You could also throw money at proprietary solutions, which might get you what you want.


Subscriber Management/BRAS/BNG: Redback was the big player back in the
day, but I believe they are no longer. Juniper has their Subscriber
Management feature pack on their MX routers, and Cisco has their
Broadband Network Gateway on their ASR routers. Besides these two
vendors I am not sure what other solutions are out there. I believe
both of these solutions communicate upstream to external radius
servers and DHCP servers. Is anyone using Subscriber Management, or is
there another way of doing it?

What is subscriber management? You mean like provisioning and such?

Ah here is a description:
"Broadband Subscriber Management is a method of dynamically provisioning and managing subscriber access in a multiplay or triple play network environment. This method uses AAA configuration in conjunction with dynamic profiles to provide dynamic, per-subscriber authentication, addressing, access, and configuration for a host of broadband services including Internet access, gaming, IPTV, Video on Demand (VoD), and subscriber wholesaling."

We (Free Network Foundation) are doing this with RADIUS. FreeRADIUS on the backend, hostapd on the access layer (fairly heavily modified, we'll be submitting patches upstream soon), pfsense (with pfblocker, but used in a reverse manner). This gives us full AAA capabilities. It's somewhat "hacked" together, but our testing has seen good results so far. We hope to deploy in limited production test this weekend.



CMDB: A centralized database to keep track of all assets within the
network would be nice. I would assume this would need to tie in with
the IPAM solution and billing systems.


Yes. Agreed. I've not necessarily come up with a good system for this. I'm using a combination of Zenoss / Observium (will retire Observium once I have figured out the Zenoss API).


If you had your choice starting from the ground up how would you
deploy an access network today?

Well since I'm in the process of doing that:

v6 only (though to be honest, we are v4 right now, but heavily testing v6. Still lots of broken stuff, like gaming)
All FLOSS.
Pfsense for internet edge (OSPF/BGP) routing, full L7 firewalling/IDS/IPS, proxy/caching
Zenoss (up/down, trending)
Observium (used as a CMDB, will be retiring for Zenoss soon)
Slack/Rundeck (configuration management, command dispatching). Since everything is *NIX with a shell, I can just treat the routers/access points like *NIX boxes and have access to a full suite of tools.
OpenWRT (qmp.cat firmware build) + Quagga (to redistribute the bmx6 protocol routes (adhoc/dynamic wireless) into OSPF/BGP (static wireless/wired))
hostapd (heavily patched)
FreeRADIUS

Users fund/own the equipment. They can buy as little or much as they like (we advise them on a recommended bill of materials and help with sizing etc). This keeps costs low.

Multiple transit providers of course.

That's it off the top of my head.
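Added example (not code from this thread, from the Free Network Foundation, or from FreeRADIUS itself): a small Python subscriber registry that ties together several of the points above, namely per-customer VLANs pushed from RADIUS, IPv6-only addressing, IPAM sanity checks (no VLAN reuse, no overlapping prefixes, no host bits in a prefix) and the reverse-DNS zone that would be delegated per customer. The subscriber table and passwords are constructed sample data; the attribute names are the standard RADIUS ones FreeRADIUS's dictionary uses for VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id, RFC 2868) and IPv6 (Framed-IPv6-Prefix, RFC 3162; Delegated-IPv6-Prefix, RFC 4818). The `users`-file rendering is one way to feed FreeRADIUS; a production deployment would more likely keep this table in SQL/LDAP behind the corresponding module, and the check item would not be a cleartext password in a flat file.

```python
"""Subscriber registry: per-customer VLAN + IPv6 prefixes -> FreeRADIUS 'users' entries.

Hypothetical example for a RADIUS-driven, v6-only access network; the data below is constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Subscriber:
    username: str
    password: str          # constructed sample credential (a real deployment uses a backend module)
    vlan: int              # per-customer VLAN tag the AP/BNG should place the session in
    wan_prefix: str        # Framed-IPv6-Prefix for the customer link, e.g. 2001:db8:0:101::/64
    delegated_prefix: str  # Delegated-IPv6-Prefix handed out via DHCPv6-PD, e.g. 2001:db8:1000::/56


def validate(subscribers):
    """Return a list of problems; an empty list means the registry is internally consistent."""
    problems = []
    vlan_owner = {}
    nets = []  # (owner label, IPv6Network) collected for the overlap scan
    for s in subscribers:
        if not 1 <= s.vlan <= 4094:
            problems.append(f"{s.username}: VLAN {s.vlan} outside 1-4094")
        elif s.vlan in vlan_owner:
            problems.append(f"{s.username}: VLAN {s.vlan} already used by {vlan_owner[s.vlan]}")
        else:
            vlan_owner[s.vlan] = s.username
        for label, text in (("wan", s.wan_prefix), ("delegated", s.delegated_prefix)):
            try:
                # strict=True rejects prefixes with host bits set, e.g. 2001:db8::1/64
                net = ipaddress.IPv6Network(text, strict=True)
            except ValueError as exc:
                problems.append(f"{s.username}: bad {label} prefix {text!r}: {exc}")
                continue
            nets.append((f"{s.username}/{label}", net))
    # Quadratic overlap scan; fine for an access network of a few thousand subscribers.
    for i, (owner_a, net_a) in enumerate(nets):
        for owner_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"overlap: {owner_a} {net_a} and {owner_b} {net_b}")
    return problems


def users_entry(s):
    """Render one FreeRADIUS 'users' file entry for a subscriber.

    Format: check items on the first line, reply items on following indented lines,
    comma-separated with no trailing comma on the last one.
    """
    reply = [
        "Tunnel-Type = VLAN",
        "Tunnel-Medium-Type = IEEE-802",
        f'Tunnel-Private-Group-Id = "{s.vlan}"',
        f"Framed-IPv6-Prefix = {s.wan_prefix}",
        f"Delegated-IPv6-Prefix = {s.delegated_prefix}",
    ]
    lines = [f'{s.username}\tCleartext-Password := "{s.password}"']
    for idx, item in enumerate(reply):
        lines.append(f"\t{item}{',' if idx < len(reply) - 1 else ''}")
    return "\n".join(lines)


def reverse_zone(prefix):
    """ip6.arpa zone name to delegate for a customer prefix (must be nibble-aligned)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: reverse delegation needs a prefix length divisible by 4")
    labels = net.network_address.reverse_pointer.split(".")  # 32 nibbles + ['ip6', 'arpa']
    nibbles = net.prefixlen // 4
    return ".".join(labels[32 - nibbles:])


# Constructed sample registry: two consistent subscribers, one that collides with alice.
SUBSCRIBERS = [
    Subscriber("alice", "alice-sample-pw", 101, "2001:db8:0:101::/64", "2001:db8:1000::/56"),
    Subscriber("bob", "bob-sample-pw", 102, "2001:db8:0:102::/64", "2001:db8:1100::/56"),
]
CONFLICTING = Subscriber("carol", "carol-sample-pw", 101, "2001:db8:0:103::/64", "2001:db8:1000::/56")

if __name__ == "__main__":
    print("problems (clean set):", validate(SUBSCRIBERS))
    print("problems (with carol):", validate(SUBSCRIBERS + [CONFLICTING]))
    print(users_entry(SUBSCRIBERS[0]))
    print("reverse zone for alice:", reverse_zone(SUBSCRIBERS[0].delegated_prefix))
```

Running the module shows an empty problem list for the clean set, two findings once carol is added (VLAN 101 reused, delegated /56 overlapping alice's), alice's `users` entry, and `0.0.0.0.0.1.8.b.d.0.1.0.0.2.ip6.arpa` as the zone to hand her for reverse DNS.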

