BRAS/BNG mode description and architecture

BRAS components

The SSG BRAS/BNG solution is based on Deep Packet Inspection (DPI) technology. DPI analyzes and processes the traffic passing through the platform, applies various services to that traffic, and manages bandwidth.
SSG BRAS/BNG consists of the following components:

  1. fastDPI - responsible for traffic processing and termination:
    • NAS functions (IPoE, PPPoE, DHCP L2)
    • Speed limitation within the tariff plan
    • Channel policing and session policing
    • Application of platform services (CG-NAT, Whitelist and Captive Portal, Web-filtering, Mini-Firewall, DDoS protection)
    • Exporting traffic information in IPFIX and NetFlow v5 format (Full NetFlow, Clickstream, NAT log)
  2. fastPCRF - responsible for the platform's interaction with the telecom operator's OSS/BSS over the RADIUS protocol (AAA - Authentication, Authorization, Accounting). The fastDPI and fastPCRF components communicate with each other using an internal protocol over the TCP/IP stack. PCRF can either be placed on a separate physical or virtual server or run on the same server as fastDPI. When several SSGs are used, a 2xPCRF (Active-Standby) and NxSSG scheme is used.
  3. Router - used to announce routes using BGP and OSPF protocols with VRF support.
  4. DHCP - a local KEA DHCP server is used. SSG can operate in one of the following modes:
    • DHCP-relay - redirects requests to a specific server. The client's initial request is forwarded to the DHCP server; after the IP address is issued, SSG performs subscriber authorization.
    • DHCP radius proxy - configuration information is transmitted in RADIUS responses, and the SSG acts as a DHCP server. For the Framed-pool attribute, SSG makes a DHCP request to local or external DHCP servers.
  5. GUI - Graphical User Interface

L3-Connected BRAS

An L3-Connected BRAS/BNG communicates with subscribers through intermediate routers, so it does not see the original MAC addresses, and subscribers already have IP addresses assigned. In this scheme, IP addresses are assigned either statically in the network settings of the end equipment or on the access switches via DHCP Relay.
Authorization is triggered by the first IP packet from the subscriber.
SSG BRAS L3 is not a hop, so traffic is routed by the routers between which the BRAS is installed.
This scheme is popular among broadband providers because it makes it easy to provide redundancy for network nodes and to build a distributed network.

L2-Connected BRAS


An L2-Connected BRAS/BNG and the subscriber are in the same L2 domain. The SSG sees the original MAC addresses, VLAN or Q-in-Q tags, and ARP and DHCP requests, and generates RADIUS requests based on them.
BRAS L2 options:

  • DHCP - The subscriber obtains an IP address via SSG DHCP Proxy or DHCP relay and passes AAA in Billing.
  • Static IP - The subscriber has a fixed IP address and passes AAA in Billing on the first IP packet.
  • PPPoE - The subscriber brings up a PPP tunnel and passes AAA in Billing using a login and password.
  • PPPoL2TP - The subscriber brings up L2TP and PPP tunnels and passes AAA in Billing using a login and password.

L2-Connected BRAS/BNG specific functions

  • Termination of traffic from Subscribers to WAN, origination (landing) of response traffic from WAN to Subscribers.
  • Monitoring and servicing of DHCP requests from Subscribers.
  • IP source guard - lets you check that the VLAN tags and IP addresses of Subscribers match.
  • Closing local traffic between Subscribers and from Subscribers to local resources.
  • Subscriber activity control.
  • Traffic filtering - serving only certain subnets.
  • Framed-Route - All IP addresses from the specified subnet will be routed through the specified gateway address.
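
The IP source guard and DHCP monitoring functions above can be pictured as a binding table learned from DHCP and checked on every packet. The following is an added illustration, not SSG code: the `SourceGuard` class, its method names and the sample addresses are hypothetical, and the MAC comparison goes one step beyond the VLAN/IP check the list describes.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    s_vlan: int              # outer (service) tag
    c_vlan: Optional[int]    # inner Q-in-Q tag; None when single-tagged
    mac: str
    expires: float           # lease expiry, seconds


class SourceGuard:
    """Hypothetical binding table: subscriber IP -> tags and MAC from DHCP."""

    def __init__(self) -> None:
        self.bindings: Dict[str, Binding] = {}

    def learn_lease(self, ip, mac, s_vlan, c_vlan, now, lease_secs) -> None:
        # Record the binding when a DHCP ACK for the subscriber is observed.
        self.bindings[ip] = Binding(s_vlan, c_vlan, mac.lower(), now + lease_secs)

    def check(self, ip, mac, s_vlan, c_vlan, now) -> Tuple[bool, str]:
        b = self.bindings.get(ip)
        if b is None:
            return False, "no-binding"
        if now >= b.expires:
            del self.bindings[ip]      # stale lease must not authorize traffic
            return False, "lease-expired"
        if (b.s_vlan, b.c_vlan) != (s_vlan, c_vlan):
            return False, "vlan-mismatch"
        if b.mac != mac.lower():
            return False, "mac-mismatch"
        return True, "ok"


def demo():
    guard = SourceGuard()
    guard.learn_lease("10.0.0.5", "AA:BB:CC:00:00:05", 100, 21, now=0, lease_secs=600)
    packets = [  # constructed samples: (src IP, src MAC, S-VLAN, C-VLAN, time)
        ("10.0.0.5", "aa:bb:cc:00:00:05", 100, 21, 10),
        ("10.0.0.5", "aa:bb:cc:00:00:05", 100, 22, 20),
        ("10.0.0.5", "aa:bb:cc:00:00:99", 100, 21, 30),
        ("10.0.0.9", "aa:bb:cc:00:00:09", 100, 21, 40),
        ("10.0.0.5", "aa:bb:cc:00:00:05", 100, 21, 600),
    ]
    return [guard.check(*p)[1] for p in packets]
```

Each rejection reason is kept distinct so that drops can be logged and counted per cause, which helps tell a misconfigured access switch from address spoofing.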

Advantages of SSG compared to other BRAS solutions

When operating in a distributed network, a BRAS/BNG with DPI technology has many advantages and capabilities over traditional solutions:

  • Traffic control and prioritization by applications and autonomous systems within the available bandwidth of each uplink.
  • Limiting the bandwidth used by torrent traffic as the channel approaches its upper limit.
  • Traffic prioritization by applications and AS within the Subscriber’s data plan. This option is relevant for corporate clients, where a number of corporate users work within a single data plan and bandwidth needs to be allocated so that they do not interfere with each other.
  • Support for Subscribers with any number of IP addresses, including those issued dynamically.
  • Redirection of Subscribers with zero balance to Captive Portal with an Allow list of resources. For example, bank resources for payment based on domain name or URL, including options with wildcard asterisks.
  • Ability to capture full NetFlow from the entire band or billing NetFlow for billed subscribers only.
  • Support for regulatory and law enforcement requirements, automatic loading and filtering by RKN and Ministry of Justice registers.
  • Interaction with SORM (operating as a SORM-3 puller).