Shunlongwei Co. ltd.

Design of gateway supporting ICT services based on MP1800 information communication equipment

Posted on: 02/22/2022

At present, the integration of information and communication (ICT) has become an obvious trend. In order to cope with this change, China’s three major telecom operators, which have launched full-service competition, urgently need to transform to integrated information service providers. The research results show that it is a good breakthrough point to provide integrated construction of information and communication infrastructure for government and enterprise users. This paper analyzes the needs of the government and small and medium-sized enterprises for information and communication infrastructure, and designs and implements an enterprise information and communication gateway that can effectively support the ICT business competition of operators.

1. Demand for information and communication gateways

After more than 10 years of adjustments, China’s operator market has formed a three-legged competitive landscape. In order to cope with the increasingly fierce full-service competition and the trend of information and communication integration, the three major telecom operators have transformed into integrated information service providers in different ways.

The ideal value chain of telecom operators is to aggregate the self-operated service capabilities of content providers, application providers, equipment providers and telecom operators. Telecom operators hope to leverage the application development and technical support capabilities of their partners, using their own brands and channels, to jointly provide customers with information and communication solutions. How to provide comprehensive information services for the vast number of government and SME users is one of the key issues they face. The research results show that providing government or SME users with integrated construction of information and communication infrastructure is a good breakthrough point. To this end, telecom operators need to deploy information and communication equipment at customer sites and provide corporate customers with comprehensive services, including Internet access, VPN connections, and VoIP voice services.

The Chinese government and small and medium-sized enterprises are characterized by a large number of users, weak IT technology capabilities, and diversified needs for information and communication infrastructure. Therefore, if multiple services can be conveniently deployed on the same node, this will not only avoid, to the greatest extent possible, the multiple points of failure caused by complex network equipment, but also greatly reduce the initial investment and long-term operation and maintenance costs of enterprise network construction, which is a win-win for telecom operators and government and enterprise customers. Based on this, a new generation of enterprise information and communication gateways supporting ICT services needs to meet the following requirements.

Equipment access methods must be rich: not only traditional copper wire access methods, such as E1 and V35 narrowband access and LAN Ethernet, WAN Ethernet and xDSL broadband access, but also the ascendant broadband wireless access methods such as WLAN, 3G and WiMAX. Because wireless access methods bring great mobility and deployment flexibility to customer networking, they will be a hot technology for enterprise information and communication infrastructure construction in the future.

Some government customers give network security and performance a very high priority, requiring not only high forwarding capability but also high-performance encryption and decryption to meet communication security requirements. Some customers also require the equipment to include a firewall function to counter the growing number of virus attacks and network attacks on the Internet.

To make equipment management convenient and complete, and to relieve governments and small and medium-sized users who lack the ability to maintain information and communication equipment of the maintenance burden, telecom operators have put forward new requirements for the unified management of network access equipment: communication equipment must support a variety of network management methods, such as Web, SNMP and TR069.

Design of Enterprise Information Communication Gateway Supporting ICT Business

2. Architecture description

MP1800 is a new generation of information and communication equipment specially designed by Maipu Communication Technology Co., Ltd. for the government and small and medium-sized enterprises to meet the information and communication needs of telecom operators and small and medium-sized enterprises. It has 5 integrated features:

Routing and switching integration, supporting 2 Ethernet WAN ports plus 4/8 Ethernet LAN ports; broadband and narrowband integration, supporting wide area network link interfaces from N×64 kbit/s to 100 Mbit/s; wide-area and local-area integration, supporting unified control and management of WAN and LAN; wired and wireless integration, supporting 3G and WLAN access with seamless connection to wired networks; data and voice integration, supporting multiple data services together with the VoIP function, with further expansion to IPPBX; information and communication integration, supporting rich value-added applications and network application supervision.

The MP1800 system architecture is shown in Figure 1.

Figure 1 System architecture of MP1800

MP1800 uses an advanced 400 MHz PowerPC embedded dual-core processor, with 256 MB of 64-bit/133 MHz DDR2 SDRAM and a maximum of 256 MB of Flash. Its design provides good support for communication interfaces and value-added service modules. Through the CPU's own interfaces it provides narrowband interfaces (E1/CE1, synchronous and asynchronous serial ports, etc.), a 4-port IP voice module, a 4/8-port 10/100M/1000M LAN Ethernet switch interface, a 2-port 10/100M WAN Ethernet routing interface, a 1-port ADSL/ADSL2+ interface and a 4-port G.SHDSL interface. Through the 64-bit/33 MHz PCI bus it is extended with a WLAN interface supporting the 802.11b/g protocols and a hardware encryption module that supports 100 Mbit/s encryption performance. Through the USB 2.0 interface it is extended with a 3G modem interface supporting WCDMA/cdma2000/TD-SCDMA.

Multi-service integration design

MP1800 combines multi-service support with high performance. It integrates routing, switching, IP voice, security, wireless access, firewall and network management functions that meet telecom operators' requirements, and can undertake tasks that in the past could only be undertaken by a variety of separate communication equipment.

High-performance design of MP1800

In order to meet the increasingly high performance requirements that governments, small and medium-sized enterprises, and telecom operators place on information and communication equipment, the MP1800 software system has been specially designed and optimized. One of its most important features is the use of a dual-core processor for data message processing. One processor core specializes in processing data messages from all communication interfaces (sending and receiving, identifying, classifying and fast forwarding them) to ensure efficient data processing, while the other processor core handles complex network applications and user configuration, such as network security, MPLS, and dynamic routing protocol functions. This design separates forwarding from control/management so that neither affects the other. As a result, MP1800 can achieve bidirectional 100M full line-rate fast forwarding of 64-byte messages, and performance is not much affected even when complex ACL/QoS functions are configured. In addition, in order to improve IPSec performance, the MP1800 uses a hardware encryption module, which can achieve 100 Mbit/s encryption and decryption performance.

QoS function of MP1800

As the government and SME customers pay more and more attention to the communication quality of key services, the QoS function will play an increasingly important role in future network applications. MP1800 provides users with multiple applications such as flow classification, flow monitoring, flow shaping, congestion management and congestion avoidance.

(1) Flow classification

The QoS of MP1800 supports a wealth of business classification standards, and can be widely used in traditional IP, MPLS and Ethernet and other business networks. MP1800 supports in-depth identification of services, can identify multiple application layer protocols, such as HTTP, BT applications, etc., and can provide different QoS services for different applications such as voice, video, file transfer, and Web browsing.

(2) Traffic supervision and traffic shaping

MP1800 supports the single-rate two-color and two-rate three-color token bucket algorithms, and can apply pre-set supervision actions to traffic that exceeds its specification. These actions can be: forwarding, discarding, changing priority and forwarding, and entering the next level of supervision.
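The "dual-speed three-color" token bucket named above is the two-rate three-color marker standardized in RFC 2698. The following is an added example, not MP1800 code: a color-blind marker whose class name, action names, rates and traffic are all constructed for illustration, mapped onto three of the supervision actions listed above.

```python
"""Two-rate three-color marker (RFC 2698, color-blind mode) driving a policer."""
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"

# Hypothetical policy using three of the supervision actions the text lists.
ACTIONS = {GREEN: "forward", YELLOW: "remark-and-forward", RED: "discard"}


@dataclass
class TwoRateThreeColorMarker:
    cir: float  # committed information rate, bytes per second
    cbs: int    # committed burst size, bytes
    pir: float  # peak information rate, bytes per second
    pbs: int    # peak burst size, bytes
    tc: float = field(init=False)   # tokens in the committed bucket
    tp: float = field(init=False)   # tokens in the peak bucket
    last: float = field(init=False, default=0.0)  # time of the last refill

    def __post_init__(self):
        if self.pir < self.cir:
            raise ValueError("PIR must be at least CIR")
        self.tc, self.tp = float(self.cbs), float(self.pbs)  # buckets start full

    def mark(self, size: int, now: float) -> str:
        # Refill both buckets for the elapsed time, capped at their burst sizes.
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if self.tp < size:          # exceeds the peak rate
            return RED
        self.tp -= size
        if self.tc < size:          # within the peak rate, above the committed rate
            return YELLOW
        self.tc -= size
        return GREEN


def police(marker, packets):
    """packets: iterable of (arrival_time_s, size_bytes); returns (color, action)."""
    out = []
    for now, size in packets:
        color = marker.mark(size, now)
        out.append((color, ACTIONS[color]))
    return out


def demo():
    # Constructed traffic: a 4-packet burst at t=0, then one packet a second later.
    marker = TwoRateThreeColorMarker(cir=1000, cbs=1500, pir=2000, pbs=3000)
    burst = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]
    return police(marker, burst)


if __name__ == "__main__":
    for color, action in demo():
        print(color, action)
```

A red packet consumes no tokens, so a sustained flood above the peak rate cannot starve conforming traffic that arrives after the buckets refill.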

(3) Congestion management

When packets arrive faster than the interface can send them, congestion occurs at the interface and packets are lost. The loss of a packet may cause the host or router that sent it to retransmit after a timeout, which leads to a vicious circle. The central task of congestion management is to formulate a resource scheduling strategy for when congestion occurs and to determine the order in which messages are forwarded. The QoS of MP1800 provides a wealth of scheduling strategies, such as FIFO, PQ, CQ, WFQ and CBWFQ, and each scheduling strategy can be designed for a key business application.

MP1800’s layer 2 switching function

MP1800 provides a wealth of Layer 2 Ethernet functions, including MSTP, GARP/GVRP, LACP, Ethernet OAM, UDLD, etc. MP1800 can therefore be used to construct a complete local area network easily and to deploy various services quickly, effectively and safely.

MSTP is a spanning tree protocol that can eliminate network layer 2 loops by selectively blocking network redundant links, and it also has a link backup function.

Port aggregation technology is divided into static aggregation and dynamic aggregation. It aggregates multiple ports together to form an aggregation group, which not only improves link bandwidth, realizes load sharing of traffic on the aggregation ports, but also improves connection reliability.

As a Layer 2 protocol, Ethernet OAM is a tool for monitoring and solving network problems. It can report the status of the network at the data link layer, enabling network administrators to manage the network more effectively. This feature enables telecom operators to easily manage and maintain equipment and improve their customer satisfaction.

Security features of MP1800

MP1800 implements a variety of security technologies to ensure the security of device information communication. These technologies include IPSec, SSL VPN, 802.1x access control authentication and firewalls.

(1) IPSec function to ensure data transmission security

IPSec is a Layer 3 tunnel encryption protocol, which can provide high-quality, interoperable, cryptography-based security guarantees for data transmitted on the Internet. It can provide the following security services:

Data confidentiality: the IPSec sender encrypts the packet before transmitting it through the network; data integrity: the IPSec receiver authenticates the packet sent by the sender to ensure that the data has not been tampered with during transmission; data source authentication: the IPSec receiver can authenticate whether the sender of the IPSec message is legitimate; anti-replay: the IPSec receiver can detect and refuse to receive outdated or duplicate messages.
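The anti-replay service described above is commonly implemented as a sliding window over sequence numbers, as specified for ESP in RFC 4303. The following is an added example, not MP1800 code: the class and function names, the 64-packet window and the packet list are constructed, and `icv_ok` stands in for the real integrity check.

```python
"""IPsec-style anti-replay sliding window (per RFC 4303, 32-bit sequence numbers)."""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def check(self, seq: int) -> str:
        """Cheap pre-check, run before the integrity check. Does not change state."""
        if seq == 0:
            return "invalid"            # senders start at 1; 0 is never valid
        if seq > self.top:
            return "ok"                 # ahead of the window
        offset = self.top - seq
        if offset >= self.size:
            return "too-old"            # fell off the left edge of the window
        if (self.bitmap >> offset) & 1:
            return "replay"             # this sequence number was already accepted
        return "ok"

    def update(self, seq: int) -> None:
        """Record seq as seen. Call only after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window: AntiReplayWindow, seq: int, icv_ok: bool) -> str:
    """Receiver path: window check, then integrity check, then window update."""
    verdict = window.check(seq)
    if verdict != "ok":
        return verdict
    if not icv_ok:
        return "bad-icv"   # window untouched, so a forged packet cannot advance it
    window.update(seq)
    return "accept"


def demo():
    # Constructed (sequence number, integrity-check result) pairs.
    packets = [(1, True), (3, True), (2, True), (3, True), (1000, False),
               (4, True), (100, True), (36, True), (37, True), (37, True)]
    window = AntiReplayWindow()
    return [receive(window, seq, ok) for seq, ok in packets]


if __name__ == "__main__":
    print(demo())
```

The ordering in `receive` is the point to check in any implementation: if the window advanced before integrity verification, the unauthenticated packet with sequence number 1000 would push every later legitimate packet outside the window.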

Generally, IPSec is implemented in software on some low-end communication devices. Complex encryption/decryption and authentication algorithms consume a lot of CPU resources, which affects the overall processing efficiency of the device. MP1800 uses a hardware encryption module to process these complex algorithms in hardware, so that the IPSec encryption performance of MP1800 can reach 100 Mbit/s, which fully meets the increasingly complex application and information communication security needs of governments and small and medium-sized enterprises in the future.

(2) Firewall function to prevent illegal access

Governments and small and medium-sized customers are paying more and more attention to network security. According to statistics, the biggest threats to network security are network attacks and illegal access.

Common attacks include ARP attacks, NAT attacks, routing attacks, and abnormal traffic attacks. Against ARP attacks, MP1800 can use IP-MAC address binding; against NAT attacks, routing attacks, and abnormal traffic attacks, it can apply IP traffic rate limiting and NAT limiting.

MP1800 has a built-in firewall that supports packet filtering, access control, URL filtering and other functions. When the Internet access of internal employees' PCs must be restricted, those PCs can be prohibited from accessing the Internet by restricting their IP addresses; when access to particular websites must be restricted, access to non-work websites can be blocked through the URL filtering function.

MP1800 wireless function

(1) Support local area wireless WLAN function

The biggest advantage of WLAN is that it eliminates or reduces complicated network wiring. In support of WLAN, MP1800 can provide functions such as fine user control and management, flexible security mechanisms, and end-to-end QoS.

When MP1800 accesses wireless users, it can implement refined management of wireless users by setting up VLAN-based, AP-based, and SSID-based user access control methods.

The security of a WLAN wireless network is mainly embodied in two aspects: authentication and link encryption. Authentication ensures that only authorized users can access the network, and link encryption ensures that the data sent can only be received by the intended users. MP1800 supports the 802.1X, Open System and Shared Key authentication methods, and supports WPA-PSK, WPA2-PSK, WEP, AES and TKIP encryption.

(2) Support 3G function of wide area wireless

With the rapid popularization of 3G mobile networks, major operators provide 3G multimedia services while also bringing customers a higher-bandwidth wireless access experience. 3G has become a flexible, fast, safe and efficient Internet access method, and has gradually become one of the mainstream choices for user WAN access.

MP1800's 3G access solution can effectively meet the needs of wireless broadband access such as mobile office, mobile monitoring, and branch wireless access. MP1800 provides wireless uplink access through its own 3G wireless module or an external 3G modem. The 3G solution of MP1800 supports three 3G standards: WCDMA, cdma2000 and TD-SCDMA. A wide range of 3G modem models is currently supported, covering the mainstream models on the market, so that the MP1800 offers the adaptability and flexibility that 3G wireless communication applications require.

(3) Complete business functions

The two wireless interfaces on the MP1800 are treated the same as other physical interfaces such as Ethernet; that is, the wireless interfaces on the MP1800 support all services and functions at the IP layer and above, such as interface backup, traffic statistics and network anti-attack, which gives full play to the potential and value of wireless interface applications. The wireless communication of MP1800 can be managed through multiple methods based on the command line, Web, SNMP and TR069.

3. Typical application

3.1 SME networking applications

When MP1800 is used as an independent integrated access device for small and medium-sized enterprises, 3G communication link can be used as a backup or load sharing channel for WAN wired links. The internal networking of the enterprise can either use the wired connection method of Ethernet or the wireless connection of WLAN.

If the MP1800 is an information communication gateway purchased by a telecom operator or purchased as a gift to the customer, the operator can deploy a network management system in the operation and maintenance center to implement centralized configuration and management of equipment and interface cards. A typical example is China Telecom’s TR069-based network management system. The network scheme of small and medium-sized enterprises adopting MP1800 is shown in Figure 2.

Figure 2 Networking application of small and medium-sized enterprises

3.2 Unattended ATM wireless networking application

At present, more and more financial ATM machines are deployed in shopping malls, office buildings and other public places. Small and medium-sized banks, which rely on flexible services to differentiate themselves from large state-owned commercial banks, are especially inclined to adopt this unattended deployment method. Wired communication links are generally difficult to obtain in these cases, and 3G wireless communication is an ideal choice. The unattended ATM machine uses MP1800 as the access device, which is placed in the ATM machine and connected to the bank network center via 3G wireless. For application security, the MP1800 and the central equipment use IPSec data encryption to address security risks. At the same time, the VoIP module of MP1800 can also be connected to an external telephone set so that customers can conduct business by telephone. The networking scheme is shown in Figure 3.

Figure 3 3G wireless networking application of unattended ATM

3.3 Networking application of headquarters/branch-type government agencies and enterprises

Customers can use the various interfaces of MP1800 (shown as a 3G link in Figure 4, although it can also be a wired dedicated line link) to achieve wide-area interconnection between headquarters and branches, and branch nodes can use WLAN or Ethernet to connect to the corporate LAN, as shown in Figure 4. For application security, branch office and headquarters equipment can use IPSec data encryption. At the same time, branch offices can use the xDSL interface of MP1800 to access the Internet and enable the various firewall functions on MP1800. The operation and maintenance center at company headquarters can use the network management system to manage MP1800 equipment and interface modules centrally.

Figure 4 Networking application of headquarters/branch-type government and enterprise customers

4. Conclusion

China is currently in a period of integration of industrialization and informatization. The business activities of the government and small and medium-sized enterprises tend to be more efficient and flexible, so their demand for information and communication infrastructure is diversified. This paper designs and implements an enterprise information communication gateway that can effectively support telecom operators in providing ICT services to government and enterprise customers, and describes typical applications.
