
SONiC-Based BNG Network: Switch and Routing Platform Solution

written by Asterfusion

November 20, 2025

Introduction: Role of Aggregation in BNG Networks

In a previous article, we discussed the development direction of BNG and openBNG networks, focusing on the BNG device layer. However, access and aggregation switches also play a critical role in enabling internet access. This article highlights the key functions and traffic optimization capabilities of Asterfusion access and aggregation switches for SONiC-based BNG networks, showing how they ensure efficient data forwarding and service quality to deliver a smooth internet experience.

FTTx Network Topology Overview

sonic-based-bng-network-topo

In FTTx scenarios, the network topology can be divided into four layers:

  • User Access: Connects end-user devices, such as home or enterprise equipment, using Asterfusion GPON/XGS-PON OLT Stick or ONU/ONT.
  • Aggregation Layer: Uses Asterfusion CX-M series switches as access and aggregation devices. They provide VLAN/QinQ aggregation, multicast distribution, policy enforcement, rate management, and security control, optimizing the aggregated traffic before forwarding it to the BNG layer.
  • BNG Layer: Deploys Asterfusion ET2500 with AsterNOS-VPP, providing user session management, authentication and billing, IP assignment, and QoS control.
  • Core Network: Primarily based on core routers, which can also deploy ET2500 with AsterNOS-VPP to provide internet egress, IPTV, and VoIP services.

Aggregation Switches Supporting SONiC-Based BNG Network

Asterfusion aggregation switches provide the following core functions for SONiC-based BNG networks to enable traffic optimization.

Traffic Classification and VLAN Management

Before reaching the BNG network, user traffic typically passes through the path: user access → aggregation switch → BNG. The access side may serve thousands of users with different traffic types, including the internet and IPTV. To isolate users and differentiate traffic, an identification mechanism is required at the aggregation layer.

Here, a Multi-Customer VLAN (M-VLAN) two-layer VLAN scheme is used to manage multiple users and services concurrently:

  • C-VLAN (Customer VLAN): Identifies individual users or devices.
  • S-VLAN (Service VLAN): Identifies the service type or aggregates user traffic; also called the upper-layer VLAN.

Each user is assigned a unique C-VLAN, while multiple users share the same S-VLAN to indicate service type. The combination of S-VLAN and C-VLAN achieves traffic isolation and service aggregation while reducing VLAN resource consumption for large-scale home bandwidth access.

sonic-based-bng-network-2

As shown, traffic from users A, B, and C is tagged with C-VLANs 10, 20, and 30, respectively. The OLT/OLT Stick forwards the traffic to the access/aggregation switch. The switch identifies the C-VLANs and maps them to the same S-VLAN as needed. Upon reaching the BNG device, the S-VLAN is used to identify the service, and the C-VLAN is used to identify the user.

The aggregation switch is configured as follows:

sonic-based-bng-network-3
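
The two-tag lookup described above, as an added Python example (not Asterfusion code or configuration): it parses the S-tag and C-tag of a frame as the BNG would receive it and refuses to classify frames that lack either tag or carry an unknown S-VLAN. The 0x88A8 outer TPID, S-VLAN 100, the service name and the MAC addresses are assumptions; C-VLANs 10, 20 and 30 are the ones used for users A, B and C.

```python
import struct

TPID_S = 0x88A8  # 802.1ad service tag (outer); assumed, some networks use 0x8100
TPID_C = 0x8100  # 802.1Q customer tag (inner)
SERVICES = {100: "internet"}  # constructed S-VLAN plan, not from the article

def _tag(tpid, vid, pcp=0):
    return struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))

def build_frame(s_vlan, c_vlan, payload=b"\x00" * 46):
    """Constructed test frame: dst, src, optional S-tag, optional C-tag, IPv4."""
    frame = bytes.fromhex("02000000000102000000000a")  # locally administered MACs
    if s_vlan is not None:
        frame += _tag(TPID_S, s_vlan)
    if c_vlan is not None:
        frame += _tag(TPID_C, c_vlan)
    return frame + struct.pack("!H", 0x0800) + payload

def parse_tags(frame):
    """Return (s_vlan, c_vlan, ethertype); a VLAN is None when its tag is absent."""
    def u16(at):
        if len(frame) < at + 2:
            raise ValueError("truncated frame")
        return struct.unpack_from("!H", frame, at)[0]

    offset, s_vlan, c_vlan = 12, None, None
    etype = u16(offset)
    if etype == TPID_S:                      # outer tag identifies the service
        s_vlan = u16(offset + 2) & 0x0FFF
        offset += 4
        etype = u16(offset)
    if etype == TPID_C:                      # inner tag identifies the user
        c_vlan = u16(offset + 2) & 0x0FFF
        offset += 4
        etype = u16(offset)
    return s_vlan, c_vlan, etype

def classify(frame, services=SERVICES):
    """Map a frame to (service, c_vlan) the way the BNG reads the two tags.

    Frames missing either tag, or carrying an unknown S-VLAN, return None so the
    caller can drop and count them instead of guessing a subscriber.
    """
    s_vlan, c_vlan, _ = parse_tags(frame)
    if s_vlan is None or c_vlan is None or s_vlan not in services:
        return None
    return services[s_vlan], c_vlan
```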

Multicast Traffic Handling

In traditional home broadband IPTV, each user (e.g., home gateway or STB) has a dedicated VLAN. If ten users subscribe to the same channel, each VLAN carries a separate multicast stream, resulting in ten copies across the network. This consumes bandwidth and increases network load.

Configuring a Multicast VLAN (M-VLAN) on the aggregation device addresses this issue.

The upstream network carries a single IPTV multicast stream in the M-VLAN, while the downstream switch maps user IGMP join requests from C-VLANs to the M-VLAN. Multicast traffic from the M-VLAN is then selectively replicated back to the corresponding C-VLANs for delivery to users.

sonic-based-bng-network-4

From the above figure, the access switch maintains a mapping table between M-VLAN and user VLANs, performing multicast replication locally. By moving the replication point to the edge device, the load on upstream Layer 3 devices is significantly reduced. At the same time, the aggregation switch allows centralized configuration of multicast policies, making traffic paths clearer and improving efficiency in policy management, status monitoring, and operational maintenance.

The relevant configuration is as follows:

sonic-based-bng-network-5
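
The mapping table between the M-VLAN and user VLANs can be modelled in a few lines. This Python sketch is an added example, not AsterNOS code: it sends one upstream join per group regardless of how many C-VLANs subscribe, replicates locally, and enforces the per-port multicast group limit mentioned in the security section. The M-VLAN ID, port names, C-VLAN numbers and the limit value are constructed.

```python
from collections import defaultdict

class MulticastVlan:
    """Toy model of the M-VLAN to C-VLAN mapping table on the aggregation switch."""

    def __init__(self, m_vlan, max_groups_per_port=8):
        self.m_vlan = m_vlan
        self.max_groups = max_groups_per_port   # constructed limit
        self.receivers = defaultdict(set)       # group -> {(port, c_vlan)}
        self.upstream = []                      # IGMP messages sent into the M-VLAN

    def _groups_on(self, port):
        return sum(1 for rx in self.receivers.values()
                   if any(p == port for p, _ in rx))

    def join(self, port, c_vlan, group):
        """IGMP join from a user C-VLAN; False means the port's group limit was hit."""
        if (port, c_vlan) in self.receivers.get(group, ()):
            return True
        if self._groups_on(port) >= self.max_groups:
            return False
        if group not in self.receivers:          # first receiver: one join upstream
            self.upstream.append(("join", self.m_vlan, group))
        self.receivers[group].add((port, c_vlan))
        return True

    def leave(self, port, c_vlan, group):
        """IGMP leave; the upstream leave is sent only when the last receiver goes."""
        rx = self.receivers.get(group)
        if rx is None or (port, c_vlan) not in rx:
            return
        rx.remove((port, c_vlan))
        if not rx:
            del self.receivers[group]
            self.upstream.append(("leave", self.m_vlan, group))

    def replicate(self, group):
        """C-VLAN copies made locally from the single stream carried in the M-VLAN."""
        return sorted(self.receivers.get(group, ()))
```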

QoS for SONiC-Based BNG Network

Home broadband networks carry multiple traffic types. Each type has different sensitivities, as shown in the table below.

| Service Type | Characteristics | Requirements |
|---|---|---|
| IPTV | Streaming media, high bandwidth occupancy | Low packet loss, low latency, low jitter |
| VoIP | Small packets with high frequency, real-time interaction | Low latency, high stability |
| Broadband Internet | Bursty traffic, non-real-time | Throughput priority, latency tolerant |
| Smart Gateway Management | Small data volume, periodic upload | Reliability priority |

As the table above shows, without prioritization, IPTV multicast packets may be dropped, causing video stutter, or VoIP traffic may experience high delay and jitter, degrading the user experience.

Asterfusion CX-M aggregation switches support full traffic classification, marking, queue scheduling, and rate limiting. They implement the full process of traffic identification, prioritization, shaping, and scheduling. Each egress interface supports eight queues, configurable for combined scheduling as needed.

| Business Type | DSCP Priority | Queue Strategy | Rate Limiting & Re-marking |
|---|---|---|---|
| IPTV | AF41 | SP | ≤300 kbit/s maintains priority; excess re-marked to 0 |
| VoIP | EF | SP | |
| Smart Gateway Management | CS6 | SP | |
| Broadband Internet | 0 | WRR | Normal priority |

When user traffic enters the switch, the DSCP field is examined. Traffic marked as high priority (DSCP ≠ 0) is treated as priority traffic and scheduled using Strict Priority (SP) queuing: CS6 > EF > AF41.

Meanwhile, rate limiting restricts priority traffic to 300 kbit/s. Traffic exceeding this threshold is re-marked to DSCP 0 (Best Effort) and forwarded to normal queues, sharing bandwidth with standard internet traffic under WRR scheduling.

This rate limiting ensures low latency for real-time services while preventing misuse of high-priority marking.

The relevant configuration is as follows:

sonic-based-bng-network-6
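
The effect of the 300 kbit/s limit on a user who marks all traffic as high priority can be worked through with a token bucket. This Python sketch is an added example, not the switch's implementation: it re-marks excess priority packets to DSCP 0 and orders a batch by strict priority. The single aggregate policer, the 24,000-bit bucket depth and the sample flows are assumptions.

```python
CS6, EF, AF41, BE = 48, 46, 34, 0          # DSCP code points named in the table

class RemarkingPolicer:
    """Single-rate token bucket that re-marks excess priority traffic to DSCP 0."""

    def __init__(self, rate_bps=300_000, burst_bits=24_000):
        self.bits_per_ms = rate_bps // 1000    # 300 kbit/s -> 300 bits per ms
        self.burst = burst_bits                # bucket depth is an assumption
        self.tokens = burst_bits
        self.last_ms = 0

    def police(self, now_ms, size_bytes, dscp):
        """Return the DSCP value the packet carries after policing."""
        if dscp == BE:
            return BE                          # best effort is never policed
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + elapsed * self.bits_per_ms)
        self.last_ms = now_ms
        need = size_bytes * 8
        if self.tokens >= need:
            self.tokens -= need
            return dscp                        # conforming: keeps its priority
        return BE                              # exceeding: joins the WRR queues

def run_flow(policer, dscp, size_bytes, interval_ms, duration_ms=1000):
    """Police a constant-rate constructed flow; return the egress DSCP per packet."""
    return [policer.police(t, size_bytes, dscp)
            for t in range(0, duration_ms, interval_ms)]

def egress_order(dscps):
    """Strict-priority dequeue order for one batch: CS6, EF, AF41, then the rest."""
    rank = {CS6: 0, EF: 1, AF41: 2}
    return sorted(dscps, key=lambda d: rank.get(d, 3))

# Constructed flows: a host marking 1 Mbit/s of bulk traffic as EF, and an
# 80 kbit/s VoIP call that stays inside the limit.
abusive = run_flow(RemarkingPolicer(), EF, size_bytes=1250, interval_ms=10)
voip = run_flow(RemarkingPolicer(), EF, size_bytes=200, interval_ms=20)
```

Over one second the mis-marked flow keeps EF on 32 of its 100 packets (about 320 kbit including the initial burst), while the VoIP call is untouched.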

Security and Network Protection

Aggregation and access switches are at the network edge, facing many end users and serving as the first line of defense. AsterNOS switches implement multi-layer security mechanisms on both data and control planes:

User Isolation: Different user ports on the same access switch operate in strict isolation mode, leveraging VLAN-based broadcast domain separation. Traffic from these ports can only uplink to the BNG, providing Layer 2 user security isolation. This prevents mutual access, ARP learning, broadcast interference, and other cross-user issues on the same switch, ensuring strict user isolation.

MAC Learning and Spoofing Protection: The number of MAC addresses learned per port is limited to prevent excessive device connections or MAC flooding attacks from the user side. User ports are prohibited from learning MAC addresses already present on high-priority uplink ports, preventing users from forging MAC addresses to impersonate upstream devices and mitigating address spoofing.

Broadcast and Multicast Storm Suppression: User-side ports enforce broadcast rate limits (e.g., 10 packets per second) to prevent broadcast storms caused by terminal anomalies or attacks from consuming normal network bandwidth. On the control plane, IGMP packet rates and the number of multicast groups are limited to prevent terminals or set-top boxes from sending frequent Join/Leave messages that could impact the switch CPU and cause abnormal multicast subscription behavior.

The relevant configurations are as follows:

sonic-based-bng-network-7

Switch configuration can be verified using show commands.

sonic-based-bng-network-8
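
The two MAC learning rules from this section, the per-port limit and the ban on user ports learning a MAC already present on an uplink, are shown here as an added Python model (not AsterNOS code). It records each rejected learn as a violation that monitoring can alert on. Port names, MAC addresses and the limit of 4 are constructed.

```python
from collections import defaultdict

class EdgeFdb:
    """Toy MAC table applying the user-port learning rules described above."""

    def __init__(self, uplinks, limit=4):
        self.uplinks = set(uplinks)
        self.limit = limit                  # per-user-port MAC limit (constructed)
        self.table = {}                     # mac -> port that owns it
        self.per_port = defaultdict(set)    # port -> MACs learned there
        self.violations = []                # (port, mac, reason) for alerting

    def _install(self, port, mac, owner):
        if owner is not None:               # MAC moved: release the old entry
            self.per_port[owner].discard(mac)
        self.table[mac] = port
        self.per_port[port].add(mac)
        return True

    def learn(self, port, mac):
        """Handle a source MAC seen on a port; return True if the frame is accepted."""
        mac = mac.lower()
        owner = self.table.get(mac)
        if owner == port:
            return True
        if port in self.uplinks:
            return self._install(port, mac, owner)   # uplink entries take precedence
        if owner in self.uplinks:
            self.violations.append((port, mac, "uplink-mac-spoof"))
            return False
        if len(self.per_port[port]) >= self.limit:
            self.violations.append((port, mac, "mac-limit"))
            return False
        return self._install(port, mac, owner)

def replay(fdb, events):
    """Feed (port, src_mac) observations; return the accept/reject flag for each."""
    return [fdb.learn(port, mac) for port, mac in events]

# Constructed sample: one uplink, a flooding user port and a spoofing user port.
BNG_MAC = "02:00:00:00:00:01"
EVENTS = [("uplink1", BNG_MAC)]
EVENTS += [("user1", "02:00:00:00:01:%02x" % i) for i in range(6)]
EVENTS += [("user2", BNG_MAC), ("user2", "02:00:00:00:02:01")]
```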

Conclusion: End-to-End Performance with CX-M and ET2500

The Asterfusion CX-M series switches play a critical role in the SONiC-Based BNG aggregation layer. Through C-VLAN + S-VLAN isolation, multi-user traffic aggregation, multicast mapping and distribution, priority queue scheduling, and rate shaping, they enable efficient traffic forwarding and optimized management. Security features such as MAC learning limits, spoof protection, and broadcast/multicast storm suppression ensure network stability and user isolation. These represent only a portion of the switch’s capabilities.

The aggregation switch is only part of the BNG network. The BNG layer is supported by Asterfusion ET2500 with AsterNOS-VPP, which handles user session management, authentication and billing, IP assignment, QoS control, and L3 routing, ensuring efficient interaction between upstream traffic and the core network.

Together, CX-M switches and ET2500 acting as a BNG router provide a high-performance, manageable, and securely scalable SONiC-Based BNG network, delivering stable and reliable experiences for home broadband, IPTV, and VoIP services.
