Secure Optical LAN: TechNet Augusta 2015

ACCESS FOR TODAY. CONNECTED FOR TOMORROW.Passive Optical LAN & All Secure Passive Optical LAN: The BasicsMike NovakSenior Systems [email protected]

ACCESS FOR TODAY. CONNECTED FOR TOMORROW.

Agenda

Passive Optical LAN 101: The BasicsFundamentals of Optical LAN High Level Overview Components of an Optical LANWhy is Optical LAN so Popular Business Proposition Green AspectsSample Optical LAN LayoutsNetwork Support and Bandwidth

Passive Optical LAN 102: Advanced ConceptsOptical LAN Protocol SupportOptical LAN Standards Update (TIA, BICSI, DoD)Optical LAN Campus Design ConsiderationsRemote Powering ConceptsOptical LAN Redundancy OptionsFuture of Optical LAN: XGPON1 and XGPON2

“All-Secure PONTM” – Optical LAN for SIPR and other Classified/High Security Applications 2


Passive Optical LAN 101:The Basics


Fundamentals of Optical LANCompletely Single Mode fiber solution

Multimode fiber will not support the 20 – 30Km reach Multimode cannot support multiple wavelengths allowing for both upstream/downstream traffic

on a single filament Single mode supports over 101 TB. of throughput, making it a ‘future proof‘ transport medium

GPON connections are all simplex SC-APC connectors(That’s Angled Physical Contact, not Angled Polished Connector)

Communications closets (IDF/TR) become passive spaces for the fiber splitter, or simply a fiber pass thru.

A single strand of fiber (with a 2:32 splitter) can provided up to 128 GbE end user ports

Benefits of fiber plant vs. copper:

– Not susceptible to EMI, unmatched security

– Lower material and installation cost

– Non corrosive, great for shipboard applications

– Smaller cable footprint than a copper infrastructure

Turn this:

Into this:

Splitters are completely passive, and able to be placed in nearly any accessible space (floor, ceiling box, closet, manholes)

4


POLAN Layer-1 cabling and splitters on average cost 50% less than traditional fiber based solutions

Legacy LAN to POLAN Comparison

WAN/Internet

Layer-3 Dist.

Single or Multi Mode Fiber Riser

Fiber Access Layer witches

Horizontal Copper

WAN/Internet

GPON OLT

SM Fiber Riser

1:8 Splitter (Closet Based Design)

Wall Outlet ONT (32 per Splitter)

Legacy LAN (4-9s Available or 52.56mins/year) Passive Optical LAN (6-9s Available or 31.5secs/year)

2:32 Splitter or FDT(Zone Based Design)

Redundant SM Fiber Riser

1RU 24 GbE ONT

5


OpticalSplitter(2:32)

Optical Network Terminals (ONT)

Optical Line Terminal (OLT)

1490nm

1310nm

The Optical Line Terminal (OLT)• Acts as the central aggregation element• Located in the Core Data Center• Replaces multiple L2 switches• Can aggregate over 8,000 GbE Ports• Some offer Layer-3 Capabilities

20km

1, 10 or 40G Network Uplinks

Passive Optical LANOptical Infrastructure for Enterprise Customers

2:32

6



Passive Optical Network (PON)• Completely passive infrastructure• Single fiber carries multiple wavelengths• 2.48 Gbps downstream• 1.24 Gbps upstream• Serve Remote Buildings 20-30Km



1490nm

1310nm

20km


2:32


7



Passive Optical Splitter Feeding FDH• Completely passive components• Rack Mounted or Cassette Based• Splits single fiber up to 32 ways• Typically located where workgroup switches are deployed• Can be dual homed to redundant OLT chassis for failover


1490nm

1310nm

20km


2:32


8




Optical Network Terminals (ONT)• Terminates the fiber at the end user• Provides Data, VoIP, IP Video services• Some models also provide native POTS• Desktop, In Wall, Cubicle and Rack Mount Unit models



1490nm

1310nm

20km


2:32


9


Why Optical LAN is so Popular

10


72 Equipment Racks

Legacy EthernetUp to 8,064end users

Passive Optical LAN can offer 90% greater density compared to

Active Ethernet

Lower electronics cost: up to 50% Lower energy consumption: up to 80% Lower space consumption: up to 90%

(floor, rack, pathway, closet space)

Legacy Copper vs. Passive Optical LAN

Passive Optical LAN8,192 end users

Tellabs Optical LAN1 Rack

11


Lower electronics cost: up to 50% Lower energy consumption: up to 80% Lower space consumption: up to 90% (floor, rack, pathway, closet space)


Fiber on J-HooksCopper on Ladder Racks

12


Lower electronics cost: up to 50% Lower power consumption: up to 80% Lower space consumption: up to 90% (floor, rack, pathway, closet space)


• Passive Splitter Device• Ceiling, Floor or Closet• Zero power required• Zero HVAC required

BEFORE: Legacy IDF/TR After: Zone Based Passive Splitter

13


Lower electronics cost: up to 50% Lower power consumption: up to 80% Lower space consumption: up to 90% (floor, rack, pathway, closet space) Lower cable cost: up to 60% (fiber vs. copper)

Lower cabling installation cost: up to 60%


250 ports copper/Ethernet2000 ports fiber/optical 128 ports fiber

128 ports copper

14


World’s largest copper mine

Chile Chuquicamata

depth: 850 marea: 4 km x 3 km

Planned depth 1,3 km

Mining: Copper destroys 100 to 200x more environment than glass1)

–1 kg of copper consumes 500 kg of environment 2 kg of copper per 200 ft cable

– 1 kg of glass consumes 3 kg of environment 0.02 kg of glass per 200 ft cable

Institute f. Climate, Environment and Energy, GmbH, Wuppertalhttp://www.wupperinst.org/en/publications/wuppertal_spezial/index.html1) Schmidt-Bleek „ Der ökologische Rucksack“ – 1984, q.v.

Courtesy of Corning Cable Solutions

Green Aspects of Fiber Optic Cables

15


Optical LAN: a Value Network for Real Estate

Lower Energy Consumption

• Unmatched HD video quality• High capacity data downloading• All smart-building systems on 1 IP network• Easy, “hitless” modular upgrades for higher BW

Gain Productive Floor Space

Recapture up to 90% of IT closet and MDF square footage required for old-style copper & Ethernet switch networks

Reduce Building Materials

• Fiber vs copper – cost & space reduction• Reduced structural reinforcement requirements

due to dramatically lower weight of cabling• Fewer & smaller penetrations

• Reduce up to 80% of the energy required to power an equivalent copper network

• Eliminate up to 70% of the A/C required to cool IT closets

Place IP Super-highway in Building

Lower Lifecycle Costs

• Fewer and lower skilled technicians needed• Remotely managed via remote GUI• Dispatch to the premise rarely needed• Replace premise cabling in 30+ years…

TELLABS CONFIDENTIAL PROPRIETARY 16


2,000 User CapEx Comparison• OLAN Basis of Design

– 2 Gbe PoE Ports per User

– Reduced Layer-3 Core w/ Virtual Chassis Lag and 40G of uplink

– Mixture of desktop, closet and face-plate ONTs

– Zone based fiber distribution

• Legacy Copper LAN Basis of Design:

– 2 Gbe PoE Ports per User

– Dual Layer-3 core with meshed uplinks to each access layer switch

– 48-port access layer switches

– Dual Cat6 CMP to each desk

TELLABS CONFIDENTIAL PROPRIETARY 17


2,000 User OpEx Comparison

• Reduced HVAC Consumption and Sizing

• Reduced Annual Support

• Reduced 7-10 Year Re-Cabling

• $.125/KwH Rate

• Compares Equal PoE Load

18


Sample Optical LAN Layoutsand Loss Calculations

19


Zone Based Cabling

Multi Strand SMF from the horizontal-backbone fiber patch panel to each zone20


Closet Based Optical Splitter

Dedicated run from each ONT back to the IDF closet where the splitter is housed21


Fiber Hub and Fiber Terminal Deployment

MPO-MPO (Pre-terminated trunk) from the FDH to the Fiber Terminal22


Optical LAN Link Budgets

The maximum PON distance is limited primarily by optical attenuation. Contributors are fiber loss attenuation and PON splitter attenuation.Optical LAN loss budges must be between 8dB and 28dB; meaning smaller split ratios may require an inline attenuator to insert more loss.

PONSplitter

Fiber loss per km is 0.35 dB (1260 - 1360 nm)

Every time the signal is split two ways, half the power goes one way and half goes the other. So each direction gets half the power, or the signal is reduced by

10log(0.5)=3 dB

Practical loss is 3.5 dB nominal, so every two-way split costs about 10 km distance @ 1310 nm

HalfPower

HalfPower

Attenuator Loss Unit

Optical Loss 1310 nm 0.35 dB / Km



Splice Loss per unit 0.05 dB

Connector Loss 0.35 dB

1X32 PON Splitter 16.7 dB




1:2 split ratio

GPON Optical Budget –• Splitter (1:32) = 16.7

dB• Fiber loss (20km) = 7.0

dB• Connector / Splice loss = 3.5

dB27.2 dB

23


Will End Users ConnectivityChange from Legacy Copper/Ethernet?

24


Network Protocols Supported by MostPassive Optical LAN Platforms

Network IntegrationMultiple 1G and 10G Ethernet Uplinks

IEEE 802.3ad Link Aggregation Control Protocol (LACP)

IEEE 802.1Q VLAN Encapsulation

IEEE 802.1w Rapid Spanning Tree (RSTP)

IEEE 802.1s Multiple Spanning Tree (MSTP)

Virtual Router-to-Router Redundancy (VRRP)

IPv4 / IPv6

IGMPv2 / IGMPv3

Network Access Control (NAC)

IEEE 802.1x (Port-based Authentication)

Dynamic Host Control Protocol (DHCP)

DHCP Snooping and Option 82 insertion

Port Security, Sticky MACs

RFC-2267 (Denial of Service)

Traffic Storm Control

Bridge Protocol Data Unit (BPDU) Guard

Layer-3 Routing/Switch (OSPF/BGP)

Service Delivery802.1p: Class of Service

IP differentiated services code point (DSCP)

Quality of Service: Per-VLAN, Per-Port, Per-Service queuing / scheduling *

Sophisticated QoS and Traffic Management

Eight Queues per VLAN

Policing, Scheduling, Shaping per Queue

Congestion and Flow Control

Hardware Based ACLs: L2, L3, L4

Hardware Based Multicast Management

IEEE 802.3af, 802.3at (PoE)

Link Layer Discovery Protocol (LLDP)

Monitoring / ManagementSNMP v1, v2, v3

CLI Console Port

Remote Monitoring (RMON) software agent

RMON I & II

Enhanced SNMP MIB support

RFC 1213-MIB (MIB II)

Extended MIB support

Network Timing Protocol (NTP)

RADIUS based authentication

SSH v1, v2

VMWare Support for EMS

OLT SysLog

Ethernet Port MACSEC (Encryption)

Note – This is not an exhaustive list of supported protocols supported by either Optical LAN or Ethernet Switch solutions

Some solutions support certain protocols that others may or may not.

25


Bandwidth & QoS in the Passive Optical LAN

Burst Bandwidth

Guaranteed Bandwidth

Rate Limit

802.1p & DSCP Mappings for per profile/per port QoS Each Service Profile (broken up by broadcast domain/VLAN) receives its own values:

VLAN CDP/LLDP Type (Link Layer Discovery Protocol) L2 – L4 Access Control Lists Committed and Burst Bandwidth Rates (each and every ONT port is able to provide Gbe speeds IGMP/Multicast

Profiles are assigned (manually, auto-prov, or via NAC) to each ONT Ethernet port

Excess Information Rate (EIR)

Committed Information Rate (CIR)

QoS per VLAN per

Port

5 Mbps

1 Gbps

Passive Optical LAN = more effective & efficient management of oversubscription26


Typical Data Consumption in the Enterprise Typ. Data User: < 1Mbps Avg. Typ. VoIP Handset: < 512kbps Typ VDI: < 768kbps

Constant Typ VDI HD Video: < 1.5Mbps

Constant Typ. IP Camera: <5Mbps HD NefFlix: <6Mpbs Typ. Power User: <20Mbps Avg HD VTC ‘Room’: 16.75Mbps Avg Max Win7 Download: 420Mbps Max Win7 Upload: 380Mbps

Why Current ITU G.984 GPON is Beyond Sufficient for Nearly All Applications Are 1Gbps user interfaces used to their capacity today?

Users see a 1Gbps link, however their effective utilization is typically sub 1Mbps with ‘bursts’ to the typical 10Mbps range.

Full 1Gbps is not available in Windows desktop environments (See table to the right)

Virtual Desktop (VDI) drives bandwidth to a flat rate in the sub 1Mbps range

Gartner 2013 Estimates of Bandwidth needs through 2017 shows Super Users with a maximum requirement of sub-7Mbps

“Superior User” Category 2012: 1.820Mbps. 2013: 2.333Mbps 2014: 3.013Mbps 2015: 3.911Mbps 2016: 5.090Mbps 2017: 6.643Mbps

Gartner March 2013 “Network Capacity per Connected Device” Trend

“Standard User” Category 2012: .145Mbps. 2013: .182Mbps 2014: .232Mbps 2015: .2971Mbps 2016: .285Mbps 2017: .504Mbps

Source: Gartner Research Article ID:G00247697

How Passive Optical LAN Exceeds 2017 Requirements:

32 Users + 32 VoIP handsets:

(32 x (6.643Mbps + .512Mbps) ) = 228.96Mbps PON provides 2.38Gbps/1.18Gbps useable

bandwidth 2.15Gbps of downstream burst capacity remains 951Mbps of upstream burst capacity remains

27


• Access Switching is a $10B-20B a year business• OLAN faces fierce competition and pushback from Legacy

Ethernet manufacturers in the way of false statements

Why Optical LAN is the Right Choice

Common Legacy Mis-Statements on OLAN

No Quality of Service (QoS)

No Power over Ethernet (PoE)

No Port Authentication (802.1x)

Fiber is more Expensive

Fiber is more Difficult to Install

Inadequate Bandwidth in OLAN

OLAN is not Standards Based

Too Dramatic of a Change from Copper

Optical LAN Reality

Superior QoS through 802.1p, DSCP and CoS marking

802.3af and 802.3at compliant PoE on almost every ONT

Extensive 802.1x based Port Control, NAC and Dynamic Services

Fiber LANs prove to cost 50% less than legacy copper networks

Pre-term and field-term fiber installs require less skill and less time than copper networks

OLAN provides a more granular and efficient utilization of bandwidth than Legacy Ethernet solutions on a future proof medium

Optical LAN is an ITU standard with support from BICSI and TIA

Much like the switch from digital PBXs to VoIP, change is good in the end, and most integrators and customers are for a positive, cost saving solution

28


Passive Optical LAN 102:Advanced ConceptsMike NovakSenior Systems [email protected]


Agenda

PON 101 RecapOptical LAN Protocol SupportOptical LAN Standards Update (TIA, BICSI, DoD)Optical LAN Campus Design ConsiderationsRemote Powering ConceptsOptical LAN Redundancy OptionsFuture of Optical LAN: XGPON1 and XGPON2

30


PON 101 Recap Completely Single Mode fiber solution using SC-APC connectors on the

hardware 20 – 30 Km system reach Saves 50% in equipment and cabling cost Saves 80% in power consumption Saves 90% in space utilization (cable tray, rack units, pathways) Splitters are passive devices and available in rack mounted, cassette, fiber

distribution terminals, etc.

Optical LAN has an overall 28dB loss budget from Optical Line Terminal (OLT) to Optical Network Terminal (ONT)

28dB

31


Optical LAN Hardware & Protocol Support

32


Different Systems, Different Options

Like buying a tablet, there are lots of options: Some offer 8” screens Some offer 10” screens Some plug in at the top, others at the bottom Some have extra memory slots, others don’t Some have WiFi or 4G services Some have a front facing camera while others only rear facing

They all get you online in one way or another; certain features are a personal preference

33


Network Protocols Supported by MostPassive Optical LAN Platforms

Network IntegrationMultiple 1G and 10G Ethernet Uplinks

IEEE 802.3ad Link Aggregation Control Protocol (LACP)

IEEE 802.1Q VLAN Encapsulation

IEEE 802.1w Rapid Spanning Tree (RSTP)

IEEE 802.1s Multiple Spanning Tree (MSTP)

Virtual Router-to-Router Redundancy (VRRP)

IPv4 / IPv6

IGMPv2 / IGMPv3

Network Access Control (NAC)

IEEE 802.1x (Port-based Authentication)

Dynamic Host Control Protocol (DHCP)

DHCP Snooping and Option 82 insertion

Port Security, Sticky MACs

RFC-2267 (Denial of Service)

Traffic Storm Control

Bridge Protocol Data Unit (BPDU) Guard

Layer-3 Routing/Switch (OSPF/BGP)

Service Delivery802.1p: Class of Service

IP differentiated services code point (DSCP)

Quality of Service: Per-VLAN, Per-Port, Per-Service queuing / scheduling *

Sophisticated QoS and Traffic Management

Eight Queues per VLAN

Policing, Scheduling, Shaping per Queue

Congestion and Flow Control

Hardware Based ACLs: L2, L3, L4

Hardware Based Multicast Management

IEEE 802.3af, 802.3at (PoE)

Link Layer Discovery Protocol (LLDP)

Monitoring / ManagementSNMP v1, v2, v3

CLI Console Port

Remote Monitoring (RMON) software agent

RMON I & II

Enhanced SNMP MIB support

RFC 1213-MIB (MIB II)

Extended MIB support

Network Timing Protocol (NTP)

RADIUS based authentication

SSH v1, v2

VMWare Support for EMS

OLT SysLog

Ethernet Port MACSEC (Encryption)

Note – This is not an exhaustive list of supported protocols supported by either Optical LAN or Ethernet Switch solutions

Some solutions support certain protocols that others may or may not.

34


Hardware Features Supported by MostPassive Optical LAN Platforms

Form FactorRack Mounted ONTs

Desktop ONTs

Face Plate or Mini ONTs

Small Form Pluggable (SFP) based ONTs

ONT OptionsIntegrated Battery Backup

ONT Remote Powering

802.3AZ Power Sensing

802.3AE MACSEC Encryption

Every manufacturer provides Enterprise transport for the user; certain features are the decision of the customer

ONT Interfaces

10/100 Fast Ethernet Ports

10/100/1000 Gbe Ethernet Ports

75-Ohm RF Video Ports

RJ11 POTS Ports

24-Pair POTS Interfaces

PoE (15.4W) Interfaces

PoE+ (25.5W) Interfaces

35


Standards Updates:BICSI, TIA & US DoD

36


Recent Standards Updates

• BICSI TDMM 13th edition provides a sub-chapter on Optical LAN under the Horizontal

Distribution Systems chapter.

• TIA 568-C.2, Generic Cabling Standards provides loss budgets and distances for the

various Optical LAN flavors.

• To stay compliant with TIA 568-C, Generic Cabling Standards, the solution shall install a

duplex fiber to each fiber work area outlet to maintain the ‘generic’ nature of the 568

standard.

• Such that the system is in compliance with the TIA 568-C, a PON system can be

considered compliant with TIA 1179 as well.

• DoD updates have created Optical LAN inclusion for the:

• Unified Capabilities Requirements (UCR)

• Defense Information Systems Agency (DISA) Joint Interoperability Testing (JITC)

• US Army Installation and Campus Area Network Design Guide (ICAN)

37


Optical LAN Campus DesignConsiderations

38


Passive Optical LAN Configuration

QoS via 802.1P and DSCP mapping

ONTs support Voice, Data and Video

Y End Building Splitters are fed with dual inputs from ADN #1 and

ADN #2 to provide failover Provides rack mounted 72xGP ONTs to feed out legacy

copper drops (Cat5/5e/6) from the IDF/TR to provide Gbe PoE+ and POTS ports

Provides wall and desktop ONTs via fiber to the desk/outlet to provide ONTs w/ Gbe PoE+ services at the desktop level

OLT in the Campus Environment(Universities, Hospital Campus, Corp Business Park, Mixed Use Development)Y Dist. Node Legacy core

router/switches Provide 10G interfaces

to the OLTs to be dual homed (802.3ad)

Each splitter will require 1 strand of OSP fiber to each ADN #1 and ADN #2

OLT

FOPP

FOPP

24S

T S

MF

6ST SMF 2x2 Zone Box w/ 2:32 Splitter

1ST SMF

Legacy CatX

ADN #1

ADN #2

24ST SMF

24ST SMF OSP

OLT

DWDM

DWDM ONTs

39


Remote Powering Concepts


ONT Remote Powering & Backup

Comm Closet

Mai

n D

istri

butio

n Fr

ame

(MD

F)

Walls and Ceiling – Structured Cabling Office Environment

Bulk AC-DC Rectifier

Fiber and Power Solution provided in

conjunction with infrastructure partner

Desktop ONTw/ 48Vdc input

Provides 48Vdc to existing Cat5 cables or hybrid fiber/copper cable

10/2

Low

Vol

tage

Cab

le

SMF and #22/2 Copper Pair

Ceiling Zone Box:1. Splitter: 2x32 1RU Splitter or FDT2. PDU: Power distribution unit (32x 48Vdc outputs)

OLAN OLT

Zone Box

Face-plate ONTw/ 48Vdc input

Mini ONTw/ 48Vdc input

Mul

ti-S

trand

SM

F R

iser

Desktop ONTw/ local BBU

Benefits of Remote Powering: 1) Eliminates a local AC plug at the ONT2) Centralizes battery backup at the closetBenefits of Local Battery Backup Unit3) Battery is monitored for failures4) Does not require any copper in the horizontal for DC power

41


Calculating Cabling for Network Powering

R (resistance of copper) = 11.1 Ohms/1,000-ft

I = Amps required at the device (Calc out load of ONT, PoE requirements and sparing)

Watts/Volts

D = Distance (1-way) in ft

V = Voltage drop allowed in span

CM = Circular Mills (to convert to Gauge)

𝐶𝑀=(𝑅𝑥 𝐼 𝑥 𝐷 𝑥2 )

𝑉Perform a Rectifier to PDU calc and a PDU to ONT calc to

determine appropriate wire size based on requirements and distance

CM Value Corresponding Gauge #

404 – 642 #22

642 – 1020 #20

1020 – 1620 #18

1621 – 2580 #16

2581 – 4110 #14

4111 – 6350 #12

6351 – 10380 #10

10381 – 16510 #8

** Note the R value is not fixed, however this average works well

with the distances and power consumption for the ONT remote

powering concepts defined here **

42


Remote Powering Considerations• System must maintain NEC Class-2 compliance for 100VA rate limiting

• For most applications, a #22/2 is the correct PDU to ONT wire size to support ONTs between 50 and 300

feet away

• Systems integrators are responsible for basic calculations to ensure wire gauge is correct for an

application

• Understanding the power draw on the ONT and accounting for sparing is critical:

• If a VoIP handset today consumes only 6W of power, account for potential future video phone

applications

• As XGPON is more commonly deployed, account for higher power utilization of 10Gbe interfaces on

ONTs

• Coordinate the architecture with the Division 26 and 27 engineering firms in advance:

• Bulk rectifiers in a closet may require special 208V breakers and UPS power

• Active zone boxes will require generator/UPS fed AC outlets to feed the remote powering solution

• Work closely with the design firm to ensure the connector types at the remote ends are both

aesthetically pleasing, standards compliant, and the correct fit for the manufacturer and plug type of

the ONT

• While a hybrid cable provides advantages on physical cable pulls, the cost of

such cables can be prohibitive.

43


Optical LAN Redundancy Options


Optical LAN Redundancy Basics• Per the ITU G.984.1 Section 14.2.1 protection in an Optical LAN solution is defined as:

• Type-B protection: dual fed optical splitter with two inputs

• Type-C protection: dual fed optical splitter with two inputs and dual fed optics on the ONT

fed from two dual fed splitters

• Availability is a relative term:

• Standard dual fed Legacy access switches are 4-

9s (52.56mins of downtime) available

• OLAN has been field proven to over 5-9s

(5.26mins of downtime) availability with no

redundancy

• OLAN with Type-B protection is proven at over 6-

9s (31.5secs) availability

• It is suggested to design for 2:x splitters day-1, even if redundancy is not

desired; extra splitter cost is negligible

• Ensure OSP is designed for diverse/redundant pathways in a campus

environment

• Certain manufacturers support protection in a single OLT chassis, other

support protection between OLT chassis for facility protection.

Ann

ual D

ownt

ime

in S

econ

ds

Backup OLT

2:32Splitter

Primary OLT

45


Future of Optical LAN:XGPON1 and XGPON2


10GPON: Not as Far off as Once Thought

1270

nm

1310

nm

1490

nm15

50nm

1577

nm

10G

Up

GPO

N U

p

GPO

N D

own

RF

Ove

rlay

10G

Dow

nAllows for concurrent GPON and 10GPON over a single fiber infrastructure

• ITU G.984 GPON (2.48G/1.24G) and XGPON2 (10G Symmetrical)• XGPON is already standardized under ITU G.987• Manufacturers to provide XGPON2 solution for symmetrical 10GPON in the next 18-24

months• Limited 10G user interfaces required (Intelligence, Medical imaging, etc)• Due to separate wavelengths, both GPON and XGPON2 can run over the same fiber and

splitter plant concurrently; allowing selective deployment of 10G to users who require it• XGPON2 solutions will provide multiple 40G interfaces to the core Layer-3 network from the

OLT switch card• IEEE EPON standard uses the same wavelengths for EPON and 10EPON, meaning

concurrent use of fiber plant is not possible without expensive optics

47


“All-Secure PONTM” – Optical LAN for SIPR and other Classified/High Security Applications

48


All-Secure PON Solution

All-Secure PON combines the benefits of PON (CAPEX/Power/Space savings) with the cost savings of NIS Alarmed-Armored PDSTM

Up to 66% deployable savings vs. Legacy PDSUp to 75% cost savings on moves/adds/changesRapid scalability and reconfiguration of networksSupport for multiple network classificationsCombined PON + PDS cost savings up to 80%

Technology from Tellabs and NIS have been selected for each notable “Secure PON” project within the US Government to-date.

Air Force, Army and DHS are deploying the solution with other agencies currently reviewing requirements and considering testing and pilots.

NIS & Tellabs continue to collaborate at Industry Days and Trade Show events at various locations for education and training.

49


Secure Passive Optical LAN Government Adoption

U.S. Army - All-Secure PON Deployment• NETCOM, Greely Hall, Fort Huachuca, AZ• Fort Campbell, KY

U.S. Department of Homeland Security - All-Secure PON Deployment• Chooses Tellabs GPON and DWDM for DHS St Elizabeth’s HQ. Over 24,000 ports

U.S. Air Force - All-Secure PON Deployment• Chooses Tellabs GPON for multiple projects at Andrews AFB. Also deployed with Secure-PON Alarmed Fiber solution

Department of State USAID - All-Secure PON Deployment

50


2010 Department of Army DirectiveTechnical Guidance for Network Modernization April 23, 2010

51


2012 Department of Army MemorandumProgram Execution Requirements for Installation Information Infrastructure Modernization Program (I3MP) Fiscal Year (FY) 13

52


Passive Optical LANA True Enterprise Solution

Tellabs 700 SeriesDesktop Optical Network Terminal

Tellabs 72x SeriesWorkgroup Optical Network Terminal

Tellabs 1134Optical Line Terminal

Advanced VLAN capability Network segmentation Advanced security at the edge –

Network Access Control (NAC) Access Control Lists (ACLs) 802.1x Port Access Control Trusted Host / DoD-PKI / FIPS 140-2 L1 (AS-SIP)

Element Management System security Broad portfolio of enterprise ONTs with PoE

A True Enterprise Solution

Seamless replacement of Ethernet Switched Networks

Functions very similar to current Ethernet switch model Reduce technology adoption challenges The benefits of Optical LAN, the simplicity of Ethernet

Distributed Ethernet switching for efficient user-to-user communication

Tellabs 1150E (19”)Optical Line Terminal

Tellabs 1150 (23”)Optical Line Terminal

Tellabs 120 SeriesIn-Wall and Cubicle ONTs

53


DoD Unified CapabilitiesJITC Approved Products Lists

JITC APL Summary

• Tellabs 7100 USS and Nano• also includes: Tellabs 7100 Direct Connect

and L2 ASLAN Applications• Tellabs 7100E (Electrical Aggregation)• Tellabs 1150, 1150E and 1134 GPON OLTs• Tellabs GPON ONTs

54


Passive Optical LAN with GPON Optical Infrastructure for Enterprise Customers

Passive Optical Splitter Feeding FDH• Completely passive components• The size of a deck of cards• Splits single fiber up to 32 ways• Typically located where workgroup switches are deployed• Are mounted on the wall in Fiber Distribution Hubs (FDH)

Passive Optical Network (PON)• Completely passive infrastructure• Single fiber carries multiple wavelengths• 2.48 Gbps downstream• 1.24 Gbps upstream• Serve Remote Bldgs Up to 20Km

OpticalSplitter



1490nm

1310nm

1G or 10G NetworkUplinks

The Optical Line Terminal (OLT)• Acts as the central aggregation element• Located in the Core Data Center• Replaces multiple L2 switches• Can aggregate up to 8,192 end users

20km

Optical Network Terminals (ONT)• Terminates the fiber at the end user• Provides Data, VoIP, IP Video services• Some models also provide native POTS• Desktop and MultiDesk Unit models

55


Optical LAN Topology OLT Placement for All Secure PON

05/01/2023 05/01/2023

Network Core Layer

Top Level Architecture

SIPR Network and VoSIP

Network Distribution Layer

10G

10G

Server Farm

NetworkAccess Distribution Layer

NMS

C2 EUB

PON

Large EUB

10G

PON

TDM PBX

1G

T1

VGW

C2 EUB56


57


Tellabs Confidential Proprietary 58

text

text text

texttext

text text

Secure TR FL1-RSecure TR FL1-L

text

Coalition Secret

U.S. Secret

Zone 1-1

Zone 1-2

Zone 1-3 Zone 1-4 Zone 1-5 Zone 1-6

Zone 1-7

Zone 1-8

All-Secure Optical POD Solution


The Modern Mission Drivers for All-Secure PON

Rapidly increasing requirements for SIPR (or higher) classification network endpointsDecreasing budgets to support increasing mission demand for classified dataRequirements for multiple classifications at many or every desk in a buildingModern network infrastructures must be flexible to rapidly adapt to mission changesReduce O&M costs and frequency of refresh of network infrastructureSupport Green Building/Operations objectivesTechnology Evolution

59


Standards & SolutionsFor Secure Classified Networks

Protected Distribution Systems (PDS) standards have existed since 1996 (NSTISSI 7003). DoD organizations implement additional controls and SIPR cabling/installation guidelines.Certified Technical TEMPEST Authorities (CTTA) review PDS implementations and supports design, pre, and post-procurement activities to ensure compliant solution and accreditation path.Legacy Solutions = Rigid and Very Expensive NSA Type 1 Encryption (including “TACLANES”) “Hardened” PDS: rigid, exposed conduit/raceway (EMT/”Holocom”) Special Compartmentalized Information Facility (SCIF): physically hardened and

secured area for processing classified information.

Modern Solution = Flexible Design and Scalable Cost INTERCEPTOR 24/7/365 network cable monitoring, automated routine inspections,

managed inspections for Intrusion events, low/no construction costs, highly scalable. “Alarmed-Armored” PDS: INTERCEPTOR + Flexible Interlocking Armored Cable for

rapid-deployable, concealed infrastructure. Retro-Fit of Legacy PDS: INTERCEPTOR alarming to replace Encryption Devices or

Alarm existing Legacy PDS cables and pathways/conduits.

Modern Approach

Legacy Options

60


Threats in the News

05/01/2023 61


INTERCEPTOR Intelligent PDSTM & Alarmed-Armored PDSTM for Secure PON

• Network Integrity Systems has developed and delivered the Interceptor technology for DoD & other US Government applications since 2003 in response to post-9/11 network security requirements.

• More than 50 million port hours of in-service operation securing U.S. government classified networks on over 60 unique projects.

• Fifteen (16) U.S. and International patents granted to NIS for technologies incorporated in or enabled by Interceptor.

• Sufficient dynamic range to support dozens of secure drops per Zone (easily can support 1x32 GPON split).

• Recent government testing and validation of Alarmed-Armored PDS, the core of the Secure PON architecture.

• Manufactured in the USA at an ISO 9001 and ITAR registered manufacturing facility. 62


INTERCEPTOR Optical Network Security System

Standard fibers intrinsic to (inside) the cables being protected are used to monitor intrusions into the cables themselves

Designed specifically for US Government data infrastructure security, exclusive to US Government enabling use above SECRET.

Makes the entire cable a sensor- Use a pair of fibers inside the cable being protected, directly

monitor single mode fibers- When any component of the cable is abnormally handled, the

monitored fibers sense the disturbance

Event discrimination technology- Learns the ambient state of the network and differentiates between

benign events and real threats- False alarms eliminated- If an INTERCEPTOR alarms, there is a problem (perhaps not a

threat), intrusions lead to patterns of alarms that are reported to security panels and network management systems.

NSTISSI 7003 Compliant, CTTA Approved for projects in each US Government Agency– 2009 Air Force Armored Cable Validation– 2012 Army CTTA Armored Cable Validation– Many other non-armored cable deployments in all

agencies/branches of US Government.


How it Works

64


High Dynamic Range


Business Case:INTERCEPTOR vs. Hardened PDS

Lower up front System &

Installation cost: up to 66%

Lower Maintenance/Moves/Adds & Changes costs: up to 75%

Increased Security: Real-Time vs. Retro-active Human Inspection

Concealed and Re-configurable Classified Network: Easily re-deployable and expandable

66


Business Case:INTERCEPTOR vs. Type 1 Encryption

67


Alarmed-Armored PDS History2006-Present

Pioneered Armored Cable PDS R&D and Government Acceptance

• INTERCEPTOR’s unique capabilities (intrinsic monitoring) provided the technical option to eliminate conduit and monitor cables directly.

• In 2006 begin evaluating and testing multiple manufacturers of Flexible Interlocking Armored Cable in coordination with the government.

• Demonstrated the solution to the Air Force CTTA in 2007, and in 2009 the Air Force released an ESIM (2009-1) supporting INTERCEPTOR + Armored Cable.

• Trained its first customer implementingAlarmed-Armored PDS in 2008 andsold that system in 2009.

• Reviewed Alarmed-Armored PDSwith the Army CTTA in 2011 and 2012including lab testing that resulted in acceptance offlexible interlocking armored cable in replace of hardened conduit.

• Navy has deployed Alarmed-Armored PDS and other agencies areworking on requirements, testing and deployments for projects.

68


PON = JITC CertifiedINTERCEPTOR = CTTA & DAA Approval

Each project PDS Plan must be reviewed by the agency CTTA and installation DAA.

• INTERCEPTOR does not process classified data and does not require JITC certification.

• 95%+ of INTERCEPTOR deployments are dark fiber only

• Active fiber monitoring options exists for point-to-point applications when no spare fibers are available, does not impact bandwidth, and does not process classified data.

• INTERCEPTOR currently does not specifically require a Certificate of Networthiness (CoN) as a security appliance, but software applications that INTERCEPTOR reports to have been issued CoNs to manage alarm response procedures and notifications.

• Each PON + PDS project requires a PDS Plan that includes description of a Standard Operating Procedure for maintaining the security system and responding to alarm events.

• INTERCEPTOR has been approved for various types of PDS Plans within Army, Air Force, Navy, Marine Corps, Intelligence agencies, DHS & other civilian agencies.

69


Secure PON = “The New PDS”

Flexible Interlocking Armor Fiber Optic Cable

Optical Loopback

Fiber Optic Patch Panel

Data fiber to Tellabs GPON ONT

• Standard cable conveyance – PDS raceway, not necessary

• Combined cost savings up to 80%

• No end-end daily inspections required

• Cable may be concealed, above ceiling or below floor

• Enhanced facility aesthetics

GPONAlarmed-Armored

PDS

Secure PON“The New

PDS”+

GPON OLT

GPON ONT

INTERCEPTOR

Spare/expansion data fiber

2 darkmonitoring fibers

70


All-Secure PON Component Architecture

Thin/Zero Client and Cross Domain technologies can help further reduce the network infrastructure onto a single PON, single ONT at the desk to support multiple classifications.

71


Zone Box Example

This example shows one SIPR user and one NIPR user.The SIPR user would have a Secure Lockbox at their desk/endpoint.

72


Supporting Moves/Adds/Changes

This example shows converting User 2 to have both NIPR and SIPR access.User 2 now requires a Secure Lockbox would be required to terminate the alarm loop.

73


All-Secure PON Thin/Zero Client Architecture

Thin/Zero Client and Cross Domain technologies can help further reduce the network infrastructure onto a single PON, single ONT at the desk to support multiple classifications.


Intelligent PDS: Secure PON Zone Architecture Logically Mapping Physical Areas as Deployable ZonesMonitor optical cables for tampering or physical intrusion attemptsLearning mode for unique characteristics of a zone (HVAC systems, aircraft/heavy equipment, doors slamming, foot traffic, etc.) to eliminate false alarmsOptionally integrates shut down of PON Optics per Zone via integrated SNMP V3 trapsAn INTERCEPTOR Zone = GPON Zone = Network Infrastructure Zone Cabling

INTERCEPTORPort 2

INTERCEPTOR Port 4

INTERCEPTORPort 3

INTERCEPTOR Port 1

75


Alarm Management Options

• Gov’t requires detailed SOP for responding to alarms and managing the system and audit trail.

• These are components of a “PDS Plan” the certified systems integrator would develop, project-by-project based on threat levels, and resources available to handle security.

• Every deployment is unique, but INTERCEPTOR is flexible to support.

76


Enterprise Management via Software ToolsINTERCEPTOR and PON Integration

77


Capturing Events

78


All-Secure PON in other Market Verticals

• Differentiated Optical LAN monitoring technology from US Government solution leveraging NIS patented R&D.

• Infrastructure security requirements increasing in other market verticals where GPON is gaining traction.

• TIA TR-42 Developing Network Infrastructure Security/Alarming Standards.

• Secure PON Deployment now live at TIA HQ!

• Airports, Power Authorities, Hospitals. Casinos and other opportunities currently developing – especially markets where interaction/integration with federal government exists.

• Infrastructure types vary without a rigid “PDS” specification like the government.

• Opportunities exist for Layer 1 innovation.79 79


Long Distance & Location Detection

• Long haul fiber protection (up to 50 miles) with Intrusion Location Detection (within 25 meters)

• Specifically engineered for single mode fiber

• Integrate alarm response from INTERCEPTOR for ultimate ISP, OSP protection and PDS consolidation.

• Measurable cost savings compared to Hardened PDSor managing Encryption nodes that potentially shrink bandwidth.

80


All-Secure PON Takeaways

Proven Technologies Combined for Cost Savings, Flexibility and Security

All-Secure PON combines the benefits of PON (CAPEX/Power/Space savings) with the cost savings and enhanced security of NIS Alarmed-Armored PDSTM (66%/75% Installation/MAC savings) for a combined savings up to 80%

Rapid scalability and reconfiguration of networks Support for multiple network classifications Support for Thin/Zero Client and Cross Domain Applications Easily upgrade existing INTERCEPTOR PDS environments to accommodate

PON Technology Easily upgrade existing PON environments to secure with INTERCEPTOR

Tellabs and NIS offer formal training and certification for each Technology.

Work continues with Government agencies on evaluating and implementing the solution within network design standards and programs of record.

81


82

Secure Optical LAN: TechNet Augusta 2015

Technology

Transcript of Secure Optical LAN: TechNet Augusta 2015