BRAS Flat Campus Network

    03-11-2022

Background

As a growing number of colleges and universities connect multiple smart terminals to the Internet during digital transformation, wireless networks have become basic infrastructure for campus informatization. The fact that a single user now has multiple terminals, together with the spread of IPv6 construction, has led to a sharp rise in the number of campus mobile applications. The campus network solution is therefore in urgent need of innovation and upgrading.

Insufficient device table entries and to-be-improved unified authentication

Many colleges and universities have undergone large-scale wireless network construction. The table-entry limitation is most evident on traditional Layer 3 gateways and wireless controller gateways, which cannot carry the forwarding load of campus network traffic. The authentication and roaming experience in multi-vendor wireless deployments also needs improvement.

Poor authentication experience and insufficient fine-grained user management

The traditional authentication method requires installing a client on the user's device, which frequently causes compatibility issues, and the HTTPS redirect page often fails to pop up, seriously degrading the campus network experience for teachers and students. The explosive growth of Internet access traffic puts huge pressure on the campus egress bandwidth, and simply increasing the egress bandwidth does not solve the problem. A more precise management and control policy is required for rate limiting and billing of teachers and students.

Complex IoT terminal management

A large number of water meters, electricity meters, printers, all-purpose campus cards, cameras, and other dumb terminals cannot be dynamically authenticated through 802.1X or a portal pop-up. Queuing machines and self-service terminals cannot be dynamically authenticated either, even though they run intelligent systems. Disabling authentication for these devices is unsafe, while manually binding IP and MAC addresses requires a heavy O&M workload.

Solution overview

The BRAS wired and wireless integrated solution implements unified access authentication and management of campus network users, eliminates the tedious configuration of VRRP and BFD, and simplifies networking. The BRAS device serves as the access gateway for broadband network services, completing user authentication and management, improving the utilization of multi-service edge devices in the campus network, and reducing costs. The solution also provides multiple user access authentication methods and supports multiple access methods. The flat campus network draws on operators' experience in similar scenarios and introduces the BRAS device as the core product of the solution, addressing tight table entries, coarse management, and complicated O&M; it is an ideal solution for campus network reconstruction projects. Through a combination of active radar scanning and passive triggering, the Endpoints Profiling System quickly discovers active IoT terminals on the network and generates endpoints from the returned data packets. It compares the detected endpoints with the endpoints in the feature database to confirm the endpoint type, achieving fine-grained management of terminals.

Solution highlights


Large table entries and constant roaming across ACs of different brands

The solution offers multiple models of carrier-grade professional BRAS routers supporting 256K table entries. It supports the authentication modes commonly used in campus networks, including IPoE, PPPoE, and Web Portal.

A single authentication brings a dual-stack user's IPv4 and IPv6 addresses online together. The solution supports IPv6 traceability, makes it easy for users to access the Chinese Education and Research Network over IPv6, and improves network security.

It adopts the IRF virtualization function: IPv4 and IPv6 table entries are synchronized within milliseconds, so services continue uninterrupted even if a single device goes down.

Its powerful access capability enables unified authentication of teachers and students on wired and wireless devices of different brands. Cross-region and cross-vendor roaming requires no re-authentication, and services continue uninterrupted.

Professional BRAS devices have passed operators' centralized procurement tests.

Good authentication experience with multiple features of authentication and billing

This solution adopts IPoE with web portal authentication, which requires no client installation and supports Layer 2 and Layer 3 wired and wireless user access. Combined with imperceptible (transparent) authentication, a single authentication remains valid for a long time, improving the access authentication experience of teachers and students.

The industry-leading HTTPS redirection function reduces wasted operations by teachers and students. Web denoising and specified-URL redirection reduce the load on the portal server, speed up redirection to the portal, and provide an authentication experience beyond users' expectations.

Rate limiting and billing policies are applied per application, link, and region, and differentiated access authentication methods, billing modes, and access permissions are defined for users. If a user has overdue payments, a payment web page pops up, and a flexible control policy still allows access to designated networks so that important services for teachers and students are not affected by the overdue payment.

https://resource.h3c.com/cn/202101/06/20210106_5479667_image003_1371798_473305_0.png

HTTPS redirection to an authentication page

Fine-grained IoT management reduces the workloads of teachers

A series of mechanisms are supported, including active detection, deep scanning, and risk handling for IoT terminals such as water meters, electricity meters, large screens, and cameras, ensuring secure admission of campus IoT devices.

Terminals are discovered and their types identified by actively polling the switch's ARP table through SNMP. Combining the Endpoints Profiling System (EPS) with MAC address authentication on the access device enables automatic binding of IP and MAC addresses.

An initial baseline of all terminal types on the network is formed through automatic discovery, scanning, and import. Real-time scanning results are compared against this baseline to monitor the network security status in real time. Visualized IoT management and control resolves the security issues of campus IoT terminals, improves the efficiency of bringing services online, and reduces the O&M workload of teachers.
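The two mechanisms described above (discovering terminals from the switch's ARP table and comparing a live scan against a stored baseline) can be illustrated with a small Python script. This is an added example written for this page, not H3C's EPS code. It assumes that an SNMP walk of the standard ipNetToMediaTable (OID 1.3.6.1.2.1.4.22) has already been performed and its rows collected as (ifIndex, IP address, MAC address) tuples; the rows, addresses and device roles below are constructed for illustration and belong to no real network. The `normalize_mac`, `build_table`, `compare_with_baseline` and `binding_records` names are the example's own.

```python
import re

# Constructed sample rows shaped like entries from an SNMP walk of the
# ipNetToMediaTable: (ifIndex, ipNetToMediaNetAddress, ipNetToMediaPhysAddress).
# Addresses and roles are invented for this example.
BASELINE_ROWS = [
    (1, "10.10.1.11", "00:11:22:33:44:01"),   # water meter (hypothetical)
    (1, "10.10.1.12", "00:11:22:33:44:02"),   # electricity meter (hypothetical)
    (2, "10.10.2.20", "00:11:22:33:44:10"),   # camera (hypothetical)
]

CURRENT_ROWS = [
    (1, "10.10.1.11", "00-11-22-33-44-01"),   # unchanged, written with dashes
    (1, "10.10.1.12", "00:11:22:33:44:99"),   # same IP, different MAC
    (2, "10.10.2.21", "0011.2233.4420"),      # terminal never seen before
    (2, "10.10.2.30", ""),                    # incomplete ARP entry, no MAC yet
]


def normalize_mac(mac: str) -> str:
    """Accept colon, dash or dotted-quad notation and return lowercase aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_table(rows) -> dict:
    """Turn polled ARP rows into {ip: mac}; incomplete entries are skipped."""
    table = {}
    for _ifindex, ip, mac in rows:
        if not mac:
            continue
        table[ip] = normalize_mac(mac)
    return table


def compare_with_baseline(baseline: dict, current: dict) -> dict:
    """Classify each live entry against the baseline.

    new:     IP seen now but absent from the baseline (unregistered terminal)
    changed: IP present in both, but the MAC differs (replaced or spoofed terminal)
    missing: IP in the baseline that did not answer this scan (offline or removed)
    """
    new = {ip: mac for ip, mac in current.items() if ip not in baseline}
    changed = {ip: (baseline[ip], mac) for ip, mac in current.items()
               if ip in baseline and baseline[ip] != mac}
    missing = {ip: mac for ip, mac in baseline.items() if ip not in current}
    return {"new": new, "changed": changed, "missing": missing}


def binding_records(baseline: dict) -> list:
    """Render the baseline as sorted 'ip mac' lines, the shape a static
    IP/MAC binding list or MAC-authentication whitelist would be built from."""
    return [f"{ip} {mac}" for ip, mac in sorted(baseline.items())]


if __name__ == "__main__":
    report = compare_with_baseline(build_table(BASELINE_ROWS), build_table(CURRENT_ROWS))
    for category, entries in report.items():
        for ip, detail in entries.items():
            print(f"{category:8} {ip} {detail}")
```

In a deployment the rows would come from a periodic SNMP poll of each access switch rather than the constructed lists; the "changed" category is the one worth alerting on, since a fixed-address IoT terminal whose MAC changes is either a hardware replacement that should update the baseline or a device impersonating a trusted terminal.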

https://resource.h3c.com/cn/202101/06/20210106_5479668_image004_1371798_473305_0.png

Visual IP address management

Best practices

https://resource.h3c.com/cn/202101/06/20210106_5479669_image005_1371798_473305_0.png

Tsinghua University

The BRAS devices previously deployed at Tsinghua University were old: services were interrupted during active/standby switchover whenever an optical link was disconnected. Because of the complex access network architecture, the original network could not provide imperceptible authentication across Layer 3 when teachers and students accessed the network from different colleges, and it did not support HTTPS redirection to the authentication page. The portal server often received many junk messages, which lowered the efficiency of its redirect page pop-up and led to a poor authentication experience for teachers and students. After transformation and upgrade with the H3C BRAS router, IRF2 virtualization is supported and switchover across equipment rooms completes in milliseconds, providing high reliability and simplified management. Both IPv4 and IPv6 access at Layer 2 and Layer 3 support hot backup and imperceptible authentication, so service continuity is guaranteed in case of a device or link failure. The upload rate of protocol packets can be limited per user, which prevents floods of HTTP packets from overwhelming the portal server. HTTPS redirection is also supported, improving the authentication experience of teachers and students.

https://resource.h3c.com/cn/202101/06/20210106_5479670_image006_1371798_473305_0.png

Ocean University of China

Ocean University of China provides students with Internet access and on-campus IPTV service. Students access the campus network free of charge but pay for traffic outside the campus. Up to 16,000 concurrent users access the campus network during peak hours, but the campus network had insufficient egress and east-west bandwidth. The iTA intelligent targeted traffic billing function of the H3C BRAS implements per-domain traffic billing and limits traffic rates separately for the intranet and the Internet. The IPoE+Web access mode combined with the AAA system achieves imperceptible authentication. The entire network supports IPv4/IPv6 dual stack, comprehensively improving students' access experience.

H3C official website