secure optical lan: technet augusta 2015
TRANSCRIPT
ACCESS FOR TODAY. CONNECTED FOR TOMORROW.
Passive Optical LAN & All Secure Passive Optical LAN: The Basics
Mike Novak
Senior Systems [email protected]
Agenda
• Passive Optical LAN 101: The Basics
– Fundamentals of Optical LAN
– High Level Overview
– Components of an Optical LAN
– Why is Optical LAN so Popular
– Business Proposition
– Green Aspects
– Sample Optical LAN Layouts
– Network Support and Bandwidth
• Passive Optical LAN 102: Advanced Concepts
– Optical LAN Protocol Support
– Optical LAN Standards Update (TIA, BICSI, DoD)
– Optical LAN Campus Design Considerations
– Remote Powering Concepts
– Optical LAN Redundancy Options
– Future of Optical LAN: XGPON1 and XGPON2
• “All-Secure PON™” – Optical LAN for SIPR and other Classified/High Security Applications

Passive Optical LAN 101: The Basics
Fundamentals of Optical LAN
Completely Single Mode fiber solution
– Multimode fiber will not support the 20 – 30Km reach
– Multimode cannot support multiple wavelengths allowing for both upstream/downstream traffic on a single filament
– Single mode supports over 101 TB. of throughput, making it a ‘future proof’ transport medium
GPON connections are all simplex SC-APC connectors (that’s Angled Physical Contact, not Angled Polished Connector)
Communications closets (IDF/TR) become passive spaces for the fiber splitter, or simply a fiber pass-through.
A single strand of fiber (with a 2:32 splitter) can provide up to 128 GbE end user ports
Benefits of fiber plant vs. copper:
– Not susceptible to EMI, unmatched security
– Lower material and installation cost
– Non corrosive, great for shipboard applications
– Smaller cable footprint than a copper infrastructure
Turn this:
Into this:
Splitters are completely passive, and able to be placed in nearly any accessible space (floor, ceiling box, closet, manholes)
Legacy LAN to POLAN Comparison
POLAN Layer-1 cabling and splitters on average cost 50% less than traditional fiber based solutions
[Diagram: Legacy LAN (4-9s Available or 52.56mins/year): WAN/Internet; Layer-3 Dist.; Single or Multi Mode Fiber Riser; Fiber Access Layer Switches; Horizontal Copper]
[Diagram: Passive Optical LAN (6-9s Available or 31.5secs/year): WAN/Internet; GPON OLT; SM Fiber Riser; Redundant SM Fiber Riser; 1:8 Splitter (Closet Based Design); 2:32 Splitter or FDT (Zone Based Design); Wall Outlet ONT (32 per Splitter); 1RU 24 GbE ONT]
Passive Optical LAN
Optical Infrastructure for Enterprise Customers
[Diagram: Optical Line Terminal (OLT) with 1, 10 or 40G Network Uplinks; 1490nm and 1310nm wavelengths; 20km; Optical Splitter (2:32); Optical Network Terminals (ONT)]
The Optical Line Terminal (OLT)
• Acts as the central aggregation element
• Located in the Core Data Center
• Replaces multiple L2 switches
• Can aggregate over 8,000 GbE Ports
• Some offer Layer-3 Capabilities
Passive Optical Network (PON)
• Completely passive infrastructure
• Single fiber carries multiple wavelengths
• 2.48 Gbps downstream
• 1.24 Gbps upstream
• Serve Remote Buildings 20-30Km
Passive Optical Splitter Feeding FDH
• Completely passive components
• Rack Mounted or Cassette Based
• Splits single fiber up to 32 ways
• Typically located where workgroup switches are deployed
• Can be dual homed to redundant OLT chassis for failover
Optical Network Terminals (ONT)
• Terminates the fiber at the end user
• Provides Data, VoIP, IP Video services
• Some models also provide native POTS
• Desktop, In Wall, Cubicle and Rack Mount Unit models
Why Optical LAN is so Popular
Legacy Copper vs. Passive Optical LAN
• Lower electronics cost: up to 50%
• Lower energy consumption: up to 80%
• Lower space consumption: up to 90% (floor, rack, pathway, closet space)
• Lower cable cost: up to 60% (fiber vs. copper)
• Lower cabling installation cost: up to 60%
Passive Optical LAN can offer 90% greater density compared to Active Ethernet
[Figure: Legacy Ethernet, up to 8,064 end users, 72 Equipment Racks; Passive Optical LAN (Tellabs Optical LAN), 8,192 end users, 1 Rack]
[Figure: Fiber on J-Hooks; Copper on Ladder Racks]
[Figure: BEFORE: Legacy IDF/TR; AFTER: Zone Based Passive Splitter]
• Passive Splitter Device
• Ceiling, Floor or Closet
• Zero power required
• Zero HVAC required
[Figure: 250 ports copper/Ethernet; 2000 ports fiber/optical; 128 ports fiber; 128 ports copper]
Green Aspects of Fiber Optic Cables
World’s largest copper mine: Chuquicamata, Chile
– depth: 850 m
– area: 4 km x 3 km
– Planned depth 1,3 km
Mining: Copper destroys 100 to 200x more environment than glass 1)
– 1 kg of copper consumes 500 kg of environment; 2 kg of copper per 200 ft cable
– 1 kg of glass consumes 3 kg of environment; 0.02 kg of glass per 200 ft cable
1) Schmidt-Bleek, „Der ökologische Rucksack“, 1984, q.v. Institute f. Climate, Environment and Energy, GmbH, Wuppertal, http://www.wupperinst.org/en/publications/wuppertal_spezial/index.html
Courtesy of Corning Cable Solutions
Optical LAN: a Value Network for Real Estate
Lower Energy Consumption
• Reduce up to 80% of the energy required to power an equivalent copper network
• Eliminate up to 70% of the A/C required to cool IT closets
Gain Productive Floor Space
• Recapture up to 90% of IT closet and MDF square footage required for old-style copper & Ethernet switch networks
Reduce Building Materials
• Fiber vs copper – cost & space reduction
• Reduced structural reinforcement requirements due to dramatically lower weight of cabling
• Fewer & smaller penetrations
Place IP Super-highway in Building
• Unmatched HD video quality
• High capacity data downloading
• All smart-building systems on 1 IP network
• Easy, “hitless” modular upgrades for higher BW
Lower Lifecycle Costs
• Fewer and lower skilled technicians needed
• Remotely managed via remote GUI
• Dispatch to the premise rarely needed
• Replace premise cabling in 30+ years…
TELLABS CONFIDENTIAL PROPRIETARY
2,000 User CapEx Comparison
• OLAN Basis of Design
– 2 Gbe PoE Ports per User
– Reduced Layer-3 Core w/ Virtual Chassis Lag and 40G of uplink
– Mixture of desktop, closet and face-plate ONTs
– Zone based fiber distribution
• Legacy Copper LAN Basis of Design:
– 2 Gbe PoE Ports per User
– Dual Layer-3 core with meshed uplinks to each access layer switch
– 48-port access layer switches
– Dual Cat6 CMP to each desk
2,000 User OpEx Comparison
• Reduced HVAC Consumption and Sizing
• Reduced Annual Support
• Reduced 7-10 Year Re-Cabling
• $.125/KwH Rate
• Compares Equal PoE Load
Sample Optical LAN Layouts and Loss Calculations
Zone Based Cabling
Multi Strand SMF from the horizontal-backbone fiber patch panel to each zone
Closet Based Optical Splitter
Dedicated run from each ONT back to the IDF closet where the splitter is housed
Fiber Hub and Fiber Terminal Deployment
MPO-MPO (Pre-terminated trunk) from the FDH to the Fiber Terminal
Optical LAN Link Budgets
The maximum PON distance is limited primarily by optical attenuation. Contributors are fiber loss attenuation and PON splitter attenuation.
Optical LAN loss budgets must be between 8dB and 28dB, meaning smaller split ratios may require an inline attenuator to insert more loss.
Fiber loss per km is 0.35 dB (1260 - 1360 nm)
Every time the signal is split two ways, half the power goes one way and half goes the other. So each direction gets half the power, or the signal is reduced by
10log(0.5) = 3 dB
Practical loss is 3.5 dB nominal, so every two-way split costs about 10 km distance @ 1310 nm
[Diagram: PON Splitter, 1:2 split ratio, Half Power on each output]

Attenuator              Loss    Unit
Optical Loss 1310 nm    0.35    dB / Km
Optical Loss 1490 nm    0.25    dB / Km
Optical Loss 1550 nm    0.22    dB / Km
Splice Loss per unit    0.05    dB
Connector Loss          0.35    dB
1X32 PON Splitter       16.7    dB
1X16 PON Splitter       12.9    dB
1X8 PON Splitter        7.8     dB
1X4 PON Splitter        5.4     dB

GPON Optical Budget
• Splitter (1:32) = 16.7 dB
• Fiber loss (20km) = 7.0 dB
• Connector / Splice loss = 3.5 dB
Total = 27.2 dB
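The budget arithmetic above as a runnable check. This is an added example, not part of the original slides: it uses the slide's loss table and 8 dB to 28 dB window, and evaluates both GPON wavelengths so the attenuator is sized from the lowest-loss wavelength and the ceiling is tested at the highest. The scenario inputs, including modelling the 3.5 dB connector/splice allowance as ten connectors, are constructed.

```python
"""GPON passive link-budget check (added example; loss figures are the slide's)."""

# Loss figures copied from the slide's table.
FIBER_DB_PER_KM = {1310: 0.35, 1490: 0.25, 1550: 0.22}
SPLITTER_DB = {"1x4": 5.4, "1x8": 7.8, "1x16": 12.9, "1x32": 16.7}
CONNECTOR_DB = 0.35
SPLICE_DB = 0.05
MIN_LOSS_DB = 8.0    # below this the slide calls for an inline attenuator
MAX_LOSS_DB = 28.0   # overall loss budget stated on the slide


def path_loss(splitter, km, wavelength_nm, connectors=0, splices=0):
    """Passive loss in dB between OLT and ONT at one wavelength."""
    if splitter not in SPLITTER_DB:
        raise ValueError(f"no loss figure for splitter {splitter!r}")
    if wavelength_nm not in FIBER_DB_PER_KM:
        raise ValueError(f"no fiber loss figure for {wavelength_nm} nm")
    if km < 0 or connectors < 0 or splices < 0:
        raise ValueError("distance and counts must be non-negative")
    return (SPLITTER_DB[splitter]
            + km * FIBER_DB_PER_KM[wavelength_nm]
            + connectors * CONNECTOR_DB
            + splices * SPLICE_DB)


def check_link(splitter, km, connectors=0, splices=0, wavelengths=(1310, 1490)):
    """Check one path against the 8-28 dB window at every wavelength in use.

    The attenuator is sized so the lowest-loss wavelength reaches the minimum;
    the same attenuator is then added to the highest-loss wavelength before
    comparing against the maximum.
    """
    losses = {wl: path_loss(splitter, km, wl, connectors, splices)
              for wl in wavelengths}
    attenuator = max(0.0, MIN_LOSS_DB - min(losses.values()))
    worst = max(losses.values()) + attenuator
    return {
        "loss_db": {wl: round(v, 2) for wl, v in losses.items()},
        "attenuator_db": round(attenuator, 2),
        "worst_case_db": round(worst, 2),
        "margin_db": round(MAX_LOSS_DB - worst, 2),
        "within_budget": worst <= MAX_LOSS_DB,
    }


def max_reach_km(splitter, connectors=0, splices=0, wavelength_nm=1310):
    """Longest fiber run that still fits under the maximum loss budget."""
    fixed = path_loss(splitter, 0, wavelength_nm, connectors, splices)
    return max(0.0, (MAX_LOSS_DB - fixed) / FIBER_DB_PER_KM[wavelength_nm])


# Constructed scenarios. The first reproduces the slide's 27.2 dB example.
SCENARIOS = {
    "slide example, 1x32 at 20 km": dict(splitter="1x32", km=20, connectors=10),
    "short in-building run, 1x4": dict(splitter="1x4", km=0.2, connectors=2),
    "campus run, 1x32 at 30 km": dict(splitter="1x32", km=30, connectors=10),
}

if __name__ == "__main__":
    for name, kwargs in SCENARIOS.items():
        print(name, check_link(**kwargs))
    print("max reach, 1x32 with 10 connectors:",
          round(max_reach_km("1x32", connectors=10), 2), "km")
```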
Will End Users Connectivity Change from Legacy Copper/Ethernet?
Network Protocols Supported by Most Passive Optical LAN Platforms
Network Integration
Multiple 1G and 10G Ethernet Uplinks
IEEE 802.3ad Link Aggregation Control Protocol (LACP)
IEEE 802.1Q VLAN Encapsulation
IEEE 802.1w Rapid Spanning Tree (RSTP)
IEEE 802.1s Multiple Spanning Tree (MSTP)
Virtual Router-to-Router Redundancy (VRRP)
IPv4 / IPv6
IGMPv2 / IGMPv3
Network Access Control (NAC)
IEEE 802.1x (Port-based Authentication)
Dynamic Host Control Protocol (DHCP)
DHCP Snooping and Option 82 insertion
Port Security, Sticky MACs
RFC-2267 (Denial of Service)
Traffic Storm Control
Bridge Protocol Data Unit (BPDU) Guard
Layer-3 Routing/Switch (OSPF/BGP)
Service Delivery
802.1p: Class of Service
IP differentiated services code point (DSCP)
Quality of Service: Per-VLAN, Per-Port, Per-Service queuing / scheduling *
Sophisticated QoS and Traffic Management
Eight Queues per VLAN
Policing, Scheduling, Shaping per Queue
Congestion and Flow Control
Hardware Based ACLs: L2, L3, L4
Hardware Based Multicast Management
IEEE 802.3af, 802.3at (PoE)
Link Layer Discovery Protocol (LLDP)
Monitoring / Management
SNMP v1, v2, v3
CLI Console Port
Remote Monitoring (RMON) software agent
RMON I & II
Enhanced SNMP MIB support
RFC 1213-MIB (MIB II)
Extended MIB support
Network Timing Protocol (NTP)
RADIUS based authentication
SSH v1, v2
VMWare Support for EMS
OLT SysLog
Ethernet Port MACSEC (Encryption)
Note – This is not an exhaustive list of protocols supported by either Optical LAN or Ethernet Switch solutions.
Some solutions support certain protocols that others may or may not.
Bandwidth & QoS in the Passive Optical LAN
802.1p & DSCP Mappings for per profile/per port QoS
Each Service Profile (broken up by broadcast domain/VLAN) receives its own values:
– VLAN
– CDP/LLDP Type (Link Layer Discovery Protocol)
– L2 – L4 Access Control Lists
– Committed and Burst Bandwidth Rates (each and every ONT port is able to provide Gbe speeds)
– IGMP/Multicast
Profiles are assigned (manually, auto-prov, or via NAC) to each ONT Ethernet port
[Diagram: QoS per VLAN per Port; labels: Burst Bandwidth, Guaranteed Bandwidth, Rate Limit, Excess Information Rate (EIR), Committed Information Rate (CIR), 5 Mbps, 1 Gbps]
Passive Optical LAN = more effective & efficient management of oversubscription
Why Current ITU G.984 GPON is Beyond Sufficient for Nearly All Applications

Typical Data Consumption in the Enterprise
– Typ. Data User: < 1Mbps Avg.
– Typ. VoIP Handset: < 512kbps
– Typ VDI: < 768kbps Constant
– Typ VDI HD Video: < 1.5Mbps Constant
– Typ. IP Camera: <5Mbps
– HD Netflix: <6Mbps
– Typ. Power User: <20Mbps Avg
– HD VTC ‘Room’: 16.75Mbps Avg
– Max Win7 Download: 420Mbps
– Max Win7 Upload: 380Mbps

Are 1Gbps user interfaces used to their capacity today?
• Users see a 1Gbps link, however their effective utilization is typically sub 1Mbps with ‘bursts’ to the typical 10Mbps range.
• Full 1Gbps is not available in Windows desktop environments (see the Win7 figures in the list above)
• Virtual Desktop (VDI) drives bandwidth to a flat rate in the sub 1Mbps range
• Gartner 2013 Estimates of Bandwidth needs through 2017 shows Super Users with a maximum requirement of sub-7Mbps

Gartner March 2013 “Network Capacity per Connected Device” Trend
– “Superior User” Category: 2012: 1.820Mbps, 2013: 2.333Mbps, 2014: 3.013Mbps, 2015: 3.911Mbps, 2016: 5.090Mbps, 2017: 6.643Mbps
– “Standard User” Category: 2012: .145Mbps, 2013: .182Mbps, 2014: .232Mbps, 2015: .2971Mbps, 2016: .285Mbps, 2017: .504Mbps
Source: Gartner Research Article ID:G00247697

How Passive Optical LAN Exceeds 2017 Requirements:
• 32 Users + 32 VoIP handsets: (32 x (6.643Mbps + .512Mbps)) = 228.96Mbps
• PON provides 2.38Gbps/1.18Gbps useable bandwidth
• 2.15Gbps of downstream burst capacity remains
• 951Mbps of upstream burst capacity remains
Why Optical LAN is the Right Choice
• Access Switching is a $10B-20B a year business
• OLAN faces fierce competition and pushback from Legacy Ethernet manufacturers in the way of false statements
Common Legacy Mis-Statements on OLAN
No Quality of Service (QoS)
No Power over Ethernet (PoE)
No Port Authentication (802.1x)
Fiber is more Expensive
Fiber is more Difficult to Install
Inadequate Bandwidth in OLAN
OLAN is not Standards Based
Too Dramatic of a Change from Copper
Optical LAN Reality
Superior QoS through 802.1p, DSCP and CoS marking
802.3af and 802.3at compliant PoE on almost every ONT
Extensive 802.1x based Port Control, NAC and Dynamic Services
Fiber LANs prove to cost 50% less than legacy copper networks
Pre-term and field-term fiber installs require less skill and less time than copper networks
OLAN provides a more granular and efficient utilization of bandwidth than Legacy Ethernet solutions on a future proof medium
Optical LAN is an ITU standard with support from BICSI and TIA
Much like the switch from digital PBXs to VoIP, change is good in the end, and most integrators and customers are for a positive, cost saving solution
Passive Optical LAN 102: Advanced Concepts
Mike Novak
Senior Systems [email protected]
Agenda
• PON 101 Recap
• Optical LAN Protocol Support
• Optical LAN Standards Update (TIA, BICSI, DoD)
• Optical LAN Campus Design Considerations
• Remote Powering Concepts
• Optical LAN Redundancy Options
• Future of Optical LAN: XGPON1 and XGPON2

PON 101 Recap
• Completely Single Mode fiber solution using SC-APC connectors on the hardware
• 20 – 30 Km system reach
• Saves 50% in equipment and cabling cost
• Saves 80% in power consumption
• Saves 90% in space utilization (cable tray, rack units, pathways)
• Splitters are passive devices and available in rack mounted, cassette, fiber distribution terminals, etc.
• Optical LAN has an overall 28dB loss budget from Optical Line Terminal (OLT) to Optical Network Terminal (ONT)
Optical LAN Hardware & Protocol Support
Different Systems, Different Options
Like buying a tablet, there are lots of options:
– Some offer 8” screens
– Some offer 10” screens
– Some plug in at the top, others at the bottom
– Some have extra memory slots, others don’t
– Some have WiFi or 4G services
– Some have a front facing camera while others only rear facing
They all get you online in one way or another; certain features are a personal preference
Hardware Features Supported by Most Passive Optical LAN Platforms
Form Factor
Rack Mounted ONTs
Desktop ONTs
Face Plate or Mini ONTs
Small Form Pluggable (SFP) based ONTs
ONT Options
Integrated Battery Backup
ONT Remote Powering
802.3AZ Power Sensing
802.3AE MACSEC Encryption
ONT Interfaces
10/100 Fast Ethernet Ports
10/100/1000 Gbe Ethernet Ports
75-Ohm RF Video Ports
RJ11 POTS Ports
24-Pair POTS Interfaces
PoE (15.4W) Interfaces
PoE+ (25.5W) Interfaces
Every manufacturer provides Enterprise transport for the user; certain features are the decision of the customer
Standards Updates: BICSI, TIA & US DoD
Recent Standards Updates
• BICSI TDMM 13th edition provides a sub-chapter on Optical LAN under the Horizontal Distribution Systems chapter.
• TIA 568-C.2, Generic Cabling Standards provides loss budgets and distances for the various Optical LAN flavors.
• To stay compliant with TIA 568-C, Generic Cabling Standards, the solution shall install a duplex fiber to each fiber work area outlet to maintain the ‘generic’ nature of the 568 standard.
• Such that the system is in compliance with the TIA 568-C, a PON system can be considered compliant with TIA 1179 as well.
• DoD updates have created Optical LAN inclusion for the:
– Unified Capabilities Requirements (UCR)
– Defense Information Systems Agency (DISA) Joint Interoperability Testing (JITC)
– US Army Installation and Campus Area Network Design Guide (ICAN)
Optical LAN Campus Design Considerations
Passive Optical LAN Configuration
OLT in the Campus Environment (Universities, Hospital Campus, Corp Business Park, Mixed Use Development)
• QoS via 802.1P and DSCP mapping
• ONTs support Voice, Data and Video
Dist. Node
• Legacy core router/switches
• Provide 10G interfaces to the OLTs to be dual homed (802.3ad)
End Building
• Splitters are fed with dual inputs from ADN #1 and ADN #2 to provide failover
• Provides rack mounted 72xGP ONTs to feed out legacy copper drops (Cat5/5e/6) from the IDF/TR to provide Gbe PoE+ and POTS ports
• Provides wall and desktop ONTs via fiber to the desk/outlet to provide ONTs w/ Gbe PoE+ services at the desktop level
• Each splitter will require 1 strand of OSP fiber to each ADN #1 and ADN #2
[Diagram labels: ADN #1, ADN #2, OLT, FOPP, DWDM, 24ST SMF, 24ST SMF OSP, 6ST SMF, 1ST SMF, 2x2 Zone Box w/ 2:32 Splitter, ONTs, Legacy CatX]
Remote Powering Concepts
ONT Remote Powering & Backup
Benefits of Remote Powering:
1) Eliminates a local AC plug at the ONT
2) Centralizes battery backup at the closet
Benefits of Local Battery Backup Unit:
3) Battery is monitored for failures
4) Does not require any copper in the horizontal for DC power
Ceiling Zone Box:
1. Splitter: 2x32 1RU Splitter or FDT
2. PDU: Power distribution unit (32x 48Vdc outputs)
Fiber and Power Solution provided in conjunction with infrastructure partner
[Diagram labels: Main Distribution Frame (MDF); OLAN OLT; Multi-Strand SMF Riser; Comm Closet; Bulk AC-DC Rectifier (provides 48Vdc to existing Cat5 cables or hybrid fiber/copper cable); 10/2 Low Voltage Cable; Zone Box; SMF and #22/2 Copper Pair; Walls and Ceiling – Structured Cabling Office Environment; Desktop ONT w/ 48Vdc input; Face-plate ONT w/ 48Vdc input; Mini ONT w/ 48Vdc input; Desktop ONT w/ local BBU]
Calculating Cabling for Network Powering
R (resistance of copper) = 11.1 Ohms/1,000-ft
I = Amps required at the device (calc out load of ONT, PoE requirements and sparing): Watts/Volts
D = Distance (1-way) in ft
V = Voltage drop allowed in span
CM = Circular Mils (to convert to Gauge)

CM = (R x I x D x 2) / V

Perform a Rectifier to PDU calc and a PDU to ONT calc to determine appropriate wire size based on requirements and distance

CM Value          Corresponding Gauge #
404 – 642         #22
642 – 1020        #20
1020 – 1620       #18
1621 – 2580       #16
2581 – 4110       #14
4111 – 6350       #12
6351 – 10380      #10
10381 – 16510     #8

** Note the R value is not fixed, however this average works well with the distances and power consumption for the ONT remote powering concepts defined here **
Remote Powering Considerations
• System must maintain NEC Class-2 compliance for 100VA rate limiting
• For most applications, a #22/2 is the correct PDU to ONT wire size to support ONTs between 50 and 300 feet away
• Systems integrators are responsible for basic calculations to ensure wire gauge is correct for an application
• Understanding the power draw on the ONT and accounting for sparing is critical:
– If a VoIP handset today consumes only 6W of power, account for potential future video phone applications
– As XGPON is more commonly deployed, account for higher power utilization of 10Gbe interfaces on ONTs
• Coordinate the architecture with the Division 26 and 27 engineering firms in advance:
– Bulk rectifiers in a closet may require special 208V breakers and UPS power
– Active zone boxes will require generator/UPS fed AC outlets to feed the remote powering solution
– Work closely with the design firm to ensure the connector types at the remote ends are both aesthetically pleasing, standards compliant, and the correct fit for the manufacturer and plug type of the ONT
• While a hybrid cable provides advantages on physical cable pulls, the cost of such cables can be prohibitive.
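The two wire-size calculations the slides call for (Rectifier to PDU, then PDU to ONT), worked with the slide's CM formula, gauge table and 100VA figure. This is an added example, not from the original deck; the ONT load, sparing factor, run lengths and allowed voltage drops are constructed inputs, and applying the 100VA limit to each PDU output is an assumption.

```python
"""Wire sizing for ONT remote powering (added example; constants are the slide's)."""

R_COPPER = 11.1           # slide's copper constant, applied with D in feet
CLASS2_LIMIT_VA = 100.0   # slide's Class-2 rate limit; assumed here to be per PDU output

# (upper CM bound, gauge #) rows from the slide's table, smallest conductor first.
GAUGE_TABLE = [(642, 22), (1020, 20), (1620, 18), (2580, 16),
               (4110, 14), (6350, 12), (10380, 10), (16510, 8)]


def circular_mils(amps, feet_one_way, volts_drop):
    """CM = (R x I x D x 2) / V, exactly as written on the slide."""
    if volts_drop <= 0:
        raise ValueError("allowed voltage drop must be positive")
    return R_COPPER * amps * feet_one_way * 2 / volts_drop


def gauge_for(cm):
    """Smallest conductor in the table whose CM range covers the requirement.

    Requirements below the first row still get #22, the smallest size listed.
    Returns None when the requirement is larger than the table's last row.
    """
    for upper, awg in GAUGE_TABLE:
        if cm <= upper:
            return awg
    return None


def size_span(load_watts, supply_volts, feet_one_way, volts_drop):
    """Size one DC span: I = Watts/Volts, then CM, then the gauge lookup."""
    amps = load_watts / supply_volts
    cm = circular_mils(amps, feet_one_way, volts_drop)
    return {"amps": amps, "cm": round(cm, 1), "awg": gauge_for(cm)}


def plan_remote_power(ont_watts, spare_factor, onts_per_pdu, supply_volts,
                      pdu_to_ont_ft, pdu_to_ont_drop,
                      rect_to_pdu_ft, rect_to_pdu_drop):
    """Run both calculations: per-ONT drop cable and the aggregate PDU feed."""
    per_ont = ont_watts * spare_factor
    return {
        "per_ont_watts": per_ont,
        "class2_ok": per_ont <= CLASS2_LIMIT_VA,
        "pdu_to_ont": size_span(per_ont, supply_volts,
                                pdu_to_ont_ft, pdu_to_ont_drop),
        "rectifier_to_pdu": size_span(per_ont * onts_per_pdu, supply_volts,
                                      rect_to_pdu_ft, rect_to_pdu_drop),
    }


# Constructed scenario: 12 W per ONT (includes the slide's 6 W VoIP handset),
# 25% sparing, 32 outputs per PDU at 48 Vdc, 300 ft ONT drops with 4 V allowed
# drop, 100 ft rectifier feed with 2.4 V allowed drop.
SAMPLE = dict(ont_watts=12, spare_factor=1.25, onts_per_pdu=32, supply_volts=48,
              pdu_to_ont_ft=300, pdu_to_ont_drop=4.0,
              rect_to_pdu_ft=100, rect_to_pdu_drop=2.4)

if __name__ == "__main__":
    for key, value in plan_remote_power(**SAMPLE).items():
        print(key, value)
```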
Optical LAN Redundancy Options
Optical LAN Redundancy Basics
• Per the ITU G.984.1 Section 14.2.1 protection in an Optical LAN solution is defined as:
– Type-B protection: dual fed optical splitter with two inputs
– Type-C protection: dual fed optical splitter with two inputs and dual fed optics on the ONT fed from two dual fed splitters
• Availability is a relative term:
– Standard dual fed Legacy access switches are 4-9s (52.56mins of downtime) available
– OLAN has been field proven to over 5-9s (5.26mins of downtime) availability with no redundancy
– OLAN with Type-B protection is proven at over 6-9s (31.5secs) availability
• It is suggested to design for 2:x splitters day-1, even if redundancy is not desired; extra splitter cost is negligible
• Ensure OSP is designed for diverse/redundant pathways in a campus environment
• Certain manufacturers support protection in a single OLT chassis, others support protection between OLT chassis for facility protection.
[Chart: Annual Downtime in Seconds]
[Diagram: Primary OLT and Backup OLT feeding a 2:32 Splitter]
Future of Optical LAN: XGPON1 and XGPON2
10GPON: Not as Far off as Once Thought
[Diagram: wavelength plan. 1270 nm: 10G Up; 1310 nm: GPON Up; 1490 nm: GPON Down; 1550nm: RF Overlay; 1577 nm: 10G Down]
Allows for concurrent GPON and 10GPON over a single fiber infrastructure
• ITU G.984 GPON (2.48G/1.24G) and XGPON2 (10G Symmetrical)
• XGPON is already standardized under ITU G.987
• Manufacturers to provide XGPON2 solution for symmetrical 10GPON in the next 18-24 months
• Limited 10G user interfaces required (Intelligence, Medical imaging, etc)
• Due to separate wavelengths, both GPON and XGPON2 can run over the same fiber and splitter plant concurrently; allowing selective deployment of 10G to users who require it
• XGPON2 solutions will provide multiple 40G interfaces to the core Layer-3 network from the OLT switch card
• IEEE EPON standard uses the same wavelengths for EPON and 10EPON, meaning concurrent use of fiber plant is not possible without expensive optics
“All-Secure PON™” – Optical LAN for SIPR and other Classified/High Security Applications
All-Secure PON Solution
All-Secure PON combines the benefits of PON (CAPEX/Power/Space savings) with the cost savings of NIS Alarmed-Armored PDS™
• Up to 66% deployable savings vs. Legacy PDS
• Up to 75% cost savings on moves/adds/changes
• Rapid scalability and reconfiguration of networks
• Support for multiple network classifications
• Combined PON + PDS cost savings up to 80%
Technology from Tellabs and NIS has been selected for each notable “Secure PON” project within the US Government to date.
Air Force, Army and DHS are deploying the solution, with other agencies currently reviewing requirements and considering testing and pilots.
NIS & Tellabs continue to collaborate at Industry Days and Trade Show events at various locations for education and training.
Secure Passive Optical LAN Government Adoption
U.S. Army - All-Secure PON Deployment
• NETCOM, Greely Hall, Fort Huachuca, AZ
• Fort Campbell, KY
U.S. Department of Homeland Security - All-Secure PON Deployment
• Chooses Tellabs GPON and DWDM for DHS St Elizabeth’s HQ. Over 24,000 ports
U.S. Air Force - All-Secure PON Deployment
• Chooses Tellabs GPON for multiple projects at Andrews AFB. Also deployed with Secure-PON Alarmed Fiber solution
Department of State USAID - All-Secure PON Deployment
2010 Department of Army Directive
Technical Guidance for Network Modernization, April 23, 2010
2012 Department of Army Memorandum
Program Execution Requirements for Installation Information Infrastructure Modernization Program (I3MP) Fiscal Year (FY) 13
Passive Optical LAN
A True Enterprise Solution
• Advanced VLAN capability
• Network segmentation
• Advanced security at the edge –
– Network Access Control (NAC)
– Access Control Lists (ACLs)
– 802.1x Port Access Control
– Trusted Host / DoD-PKI / FIPS 140-2 L1 (AS-SIP)
• Element Management System security
• Broad portfolio of enterprise ONTs with PoE
Seamless replacement of Ethernet Switched Networks
• Functions very similar to current Ethernet switch model
• Reduce technology adoption challenges
• The benefits of Optical LAN, the simplicity of Ethernet
• Distributed Ethernet switching for efficient user-to-user communication
[Product images: Tellabs 700 Series Desktop Optical Network Terminal; Tellabs 72x Series Workgroup Optical Network Terminal; Tellabs 120 Series In-Wall and Cubicle ONTs; Tellabs 1134 Optical Line Terminal; Tellabs 1150E (19”) Optical Line Terminal; Tellabs 1150 (23”) Optical Line Terminal]
DoD Unified Capabilities
JITC Approved Products Lists
JITC APL Summary
• Tellabs 7100 USS and Nano
– also includes: Tellabs 7100 Direct Connect and L2 ASLAN Applications
• Tellabs 7100E (Electrical Aggregation)
• Tellabs 1150, 1150E and 1134 GPON OLTs
• Tellabs GPON ONTs
Passive Optical LAN with GPON
Optical Infrastructure for Enterprise Customers
The Optical Line Terminal (OLT)
• Acts as the central aggregation element
• Located in the Core Data Center
• Replaces multiple L2 switches
• Can aggregate up to 8,192 end users
Passive Optical Network (PON)
• Completely passive infrastructure
• Single fiber carries multiple wavelengths
• 2.48 Gbps downstream
• 1.24 Gbps upstream
• Serve Remote Bldgs Up to 20Km
Passive Optical Splitter Feeding FDH
• Completely passive components
• The size of a deck of cards
• Splits single fiber up to 32 ways
• Typically located where workgroup switches are deployed
• Are mounted on the wall in Fiber Distribution Hubs (FDH)
Optical Network Terminals (ONT)
• Terminates the fiber at the end user
• Provides Data, VoIP, IP Video services
• Some models also provide native POTS
• Desktop and MultiDesk Unit models
[Diagram: Optical Line Terminal (OLT) with 1G or 10G Network Uplinks; 1490nm and 1310nm wavelengths; 20km; Optical Splitter; Optical Network Terminals (ONT)]
Optical LAN Topology
OLT Placement for All Secure PON
[Diagram: Top Level Architecture, SIPR Network and VoSIP; Network Core Layer, Network Distribution Layer, Network Access Distribution Layer; labels: Server Farm, NMS, TDM PBX, VGW, T1, 1G, 10G, PON, C2 EUB, Large EUB]
All-Secure Optical POD Solution
[Diagram: Secure TR FL1-L and Secure TR FL1-R; Zone 1-1 through Zone 1-8; legend: Coalition Secret, U.S. Secret]
The Modern Mission Drivers for All-Secure PON
• Rapidly increasing requirements for SIPR (or higher) classification network endpoints
• Decreasing budgets to support increasing mission demand for classified data
• Requirements for multiple classifications at many or every desk in a building
• Modern network infrastructures must be flexible to rapidly adapt to mission changes
• Reduce O&M costs and frequency of refresh of network infrastructure
• Support Green Building/Operations objectives
• Technology Evolution
Standards & Solutions For Secure Classified Networks
• Protected Distribution Systems (PDS) standards have existed since 1996 (NSTISSI 7003). DoD organizations implement additional controls and SIPR cabling/installation guidelines.
• Certified Technical TEMPEST Authorities (CTTA) review PDS implementations and support design, pre- and post-procurement activities to ensure a compliant solution and accreditation path.
Legacy Options
Legacy Solutions = Rigid and Very Expensive
– NSA Type 1 Encryption (including “TACLANES”)
– “Hardened” PDS: rigid, exposed conduit/raceway (EMT/“Holocom”)
– Special Compartmentalized Information Facility (SCIF): physically hardened and secured area for processing classified information.
Modern Approach
Modern Solution = Flexible Design and Scalable Cost
– INTERCEPTOR: 24/7/365 network cable monitoring, automated routine inspections, managed inspections for Intrusion events, low/no construction costs, highly scalable.
– “Alarmed-Armored” PDS: INTERCEPTOR + Flexible Interlocking Armored Cable for rapid-deployable, concealed infrastructure.
– Retro-Fit of Legacy PDS: INTERCEPTOR alarming to replace Encryption Devices or Alarm existing Legacy PDS cables and pathways/conduits.
Threats in the News
05/01/2023
INTERCEPTOR Intelligent PDS™ & Alarmed-Armored PDS™ for Secure PON
• Network Integrity Systems has developed and delivered the Interceptor technology for DoD & other US Government applications since 2003 in response to post-9/11 network security requirements.
• More than 50 million port hours of in-service operation securing U.S. government classified networks on over 60 unique projects.
• Fifteen (16) U.S. and International patents granted to NIS for technologies incorporated in or enabled by Interceptor.
• Sufficient dynamic range to support dozens of secure drops per Zone (easily can support 1x32 GPON split).
• Recent government testing and validation of Alarmed-Armored PDS, the core of the Secure PON architecture.
• Manufactured in the USA at an ISO 9001 and ITAR registered manufacturing facility.
INTERCEPTOR Optical Network Security System
Standard fibers intrinsic to (inside) the cables being protected are used to monitor intrusions into the cables themselves.
Designed specifically for US Government data infrastructure security, exclusive to US Government enabling use above SECRET.

Makes the entire cable a sensor
– Use a pair of fibers inside the cable being protected, directly monitor single mode fibers
– When any component of the cable is abnormally handled, the monitored fibers sense the disturbance

Event discrimination technology
– Learns the ambient state of the network and differentiates between benign events and real threats
– False alarms eliminated
– If an INTERCEPTOR alarms, there is a problem (perhaps not a threat); intrusions lead to patterns of alarms that are reported to security panels and network management systems.

NSTISSI 7003 Compliant, CTTA Approved for projects in each US Government Agency
– 2009 Air Force Armored Cable Validation
– 2012 Army CTTA Armored Cable Validation
– Many other non-armored cable deployments in all agencies/branches of US Government.
How it Works
High Dynamic Range
Business Case: INTERCEPTOR vs. Hardened PDS
• Lower up front System & Installation cost: up to 66%
• Lower Maintenance/Moves/Adds & Changes costs: up to 75%
• Increased Security: Real-Time vs. Retro-active Human Inspection
• Concealed and Re-configurable Classified Network: Easily re-deployable and expandable
Business Case: INTERCEPTOR vs. Type 1 Encryption
Alarmed-Armored PDS History 2006-Present
Pioneered Armored Cable PDS R&D and Government Acceptance
• INTERCEPTOR’s unique capabilities (intrinsic monitoring) provided the technical option to eliminate conduit and monitor cables directly.
• In 2006 began evaluating and testing multiple manufacturers of Flexible Interlocking Armored Cable in coordination with the government.
• Demonstrated the solution to the Air Force CTTA in 2007, and in 2009 the Air Force released an ESIM (2009-1) supporting INTERCEPTOR + Armored Cable.
• Trained its first customer implementing Alarmed-Armored PDS in 2008 and sold that system in 2009.
• Reviewed Alarmed-Armored PDS with the Army CTTA in 2011 and 2012, including lab testing that resulted in acceptance of flexible interlocking armored cable in place of hardened conduit.
• Navy has deployed Alarmed-Armored PDS and other agencies are working on requirements, testing and deployments for projects.
PON = JITC Certified
INTERCEPTOR = CTTA & DAA Approval
Each project PDS Plan must be reviewed by the agency CTTA and installation DAA.
• INTERCEPTOR does not process classified data and does not require JITC certification.
• 95%+ of INTERCEPTOR deployments are dark fiber only
• Active fiber monitoring options exist for point-to-point applications when no spare fibers are available; this monitoring does not impact bandwidth and does not process classified data.
• INTERCEPTOR currently does not specifically require a Certificate of Networthiness (CoN) as a security appliance, but software applications that INTERCEPTOR reports to have been issued CoNs to manage alarm response procedures and notifications.
• Each PON + PDS project requires a PDS Plan that includes description of a Standard Operating Procedure for maintaining the security system and responding to alarm events.
• INTERCEPTOR has been approved for various types of PDS Plans within Army, Air Force, Navy, Marine Corps, Intelligence agencies, DHS & other civilian agencies.
Secure PON = “The New PDS”
[Figure: Secure PON cabling. Labels: Flexible Interlocking Armor Fiber Optic Cable, Optical Loopback, Fiber Optic Patch Panel, Data fiber to Tellabs GPON ONT, GPON OLT, GPON ONT, INTERCEPTOR, Spare/expansion data fiber, 2 dark monitoring fibers]
• Standard cable conveyance – PDS raceway not necessary
• Combined cost savings up to 80%
• No end-end daily inspections required
• Cable may be concealed, above ceiling or below floor
• Enhanced facility aesthetics
[Figure: GPON + Alarmed-Armored PDS, labeled Secure PON “The New PDS”]
All-Secure PON Component Architecture
Thin/Zero Client and Cross Domain technologies can help further reduce the network infrastructure onto a single PON, single ONT at the desk to support multiple classifications.
Zone Box Example
This example shows one SIPR user and one NIPR user. The SIPR user would have a Secure Lockbox at their desk/endpoint.
Supporting Moves/Adds/Changes
This example shows converting User 2 to have both NIPR and SIPR access. User 2 now requires a Secure Lockbox to terminate the alarm loop.
All-Secure PON Thin/Zero Client Architecture
Thin/Zero Client and Cross Domain technologies can help further reduce the network infrastructure onto a single PON, single ONT at the desk to support multiple classifications.
Intelligent PDS: Secure PON Zone Architecture
• Logically Mapping Physical Areas as Deployable Zones
• Monitor optical cables for tampering or physical intrusion attempts
• Learning mode for unique characteristics of a zone (HVAC systems, aircraft/heavy equipment, doors slamming, foot traffic, etc.) to eliminate false alarms
• Optionally integrates shut down of PON Optics per Zone via integrated SNMP V3 traps
• An INTERCEPTOR Zone = GPON Zone = Network Infrastructure Zone Cabling
[Figure labels: INTERCEPTOR Port 1, INTERCEPTOR Port 2, INTERCEPTOR Port 3, INTERCEPTOR Port 4]
Alarm Management Options
• Gov’t requires detailed SOP for responding to alarms and managing the system and audit trail.
• These are components of a “PDS Plan” the certified systems integrator would develop, project-by-project based on threat levels, and resources available to handle security.
• Every deployment is unique, but INTERCEPTOR is flexible to support.
Enterprise Management via Software Tools
INTERCEPTOR and PON Integration
Capturing Events
All-Secure PON in other Market Verticals
• Differentiated Optical LAN monitoring technology from US Government solution leveraging NIS patented R&D.
• Infrastructure security requirements increasing in other market verticals where GPON is gaining traction.
• TIA TR-42 Developing Network Infrastructure Security/Alarming Standards.
• Secure PON Deployment now live at TIA HQ!
• Airports, Power Authorities, Hospitals, Casinos and other opportunities currently developing, especially markets where interaction/integration with federal government exists.
• Infrastructure types vary without a rigid “PDS” specification like the government.
• Opportunities exist for Layer 1 innovation.
Long Distance & Location Detection
• Long haul fiber protection (up to 50 miles) with Intrusion Location Detection (within 25 meters)
• Specifically engineered for single mode fiber
• Integrate alarm response from INTERCEPTOR for ultimate ISP, OSP protection and PDS consolidation.
• Measurable cost savings compared to Hardened PDS or managing Encryption nodes that potentially shrink bandwidth.
All-Secure PON Takeaways
Proven Technologies Combined for Cost Savings, Flexibility and Security
All-Secure PON combines the benefits of PON (CAPEX/Power/Space savings) with the cost savings and enhanced security of NIS Alarmed-Armored PDS™ (66%/75% Installation/MAC savings) for a combined savings up to 80%
• Rapid scalability and reconfiguration of networks
• Support for multiple network classifications
• Support for Thin/Zero Client and Cross Domain Applications
• Easily upgrade existing INTERCEPTOR PDS environments to accommodate PON Technology
• Easily upgrade existing PON environments to secure with INTERCEPTOR
Tellabs and NIS offer formal training and certification for each Technology.
Work continues with Government agencies on evaluating and implementing the solution within network design standards and programs of record.