5G Dual-Domain Private Network Solutions Facilitate Personalized User Access

Release Date: 2023-05-25 By Zhao Qiongying, Lu Qiang

With the expansion of 5G private network services, industry customers such as schools, governments, medical centers, tourist resorts and industrial parks hope to replace their existing Wi-Fi networks with 5G or to deploy hybrid private networks using 5G. To meet confidentiality requirements for business data, these enterprises usually have their own intranet. When employees use personal mobile phones to access the enterprise's intranet through the 5G network, they need to log in through a VPN or by other means, which can be quite complex and poses potential security risks. It would therefore be a great convenience for enterprise or campus users to use their personal phones with B2C SIM cards (personal phone cards) to access both the Internet and, while on campus, the enterprise intranet without changing SIM cards or phone numbers, while preventing data outflow.

For seamless access, a dual-domain private network is essential to provide enterprise private network access services for both B2B and B2C. This network enables seamless interconnection between the Internet and enterprise services for industry customers, facilitating the integration of B2C and B2B services.

Combining the Internet and enterprise service access requirements of industry customers, ZTE provides flexible 5G dual-domain private network solutions to meet the deployment needs of different application scenarios.

5G Dual-Domain Private Network Solution Based on ULCL

The ULCL-based 5G dual-domain private network adopts the uplink classifier (ULCL) offloading solution. It forwards uplink data traffic to different UEs as required by the filter, and combines downlink data traffic from multiple anchors of the UEs. The traffic is offloaded through ULCL. In this case, the primary anchor is located on the user plane function (UPF) of the public network, while the secondary anchor is located on the edge UPF of the campus. Local traffic within the campus is offloaded to the campus's intranet through the edge UPF.

An enterprise user's data traffic is first forwarded through the public network's UPF. When the user moves into the campus, a tracking area (TA) update message is triggered and the SMF sends a policy update request to the PCF for the event update. After delivering the policy update, the PCF triggers a ULCL procedure and an edge UPF is inserted into the original user session. In this way, the user session is offloaded locally by the edge UPF, while any data that misses the filter is still sent back to the public network's UPF for processing, as illustrated in Fig. 1.

The ULCL offloading solution has the following benefits:

  • Users in the campus can still use the data network name (DNN) of a public network without terminal awareness, resulting in good user experience.
  • Users in the traffic offload area (campus or home area) can access both the enterprise intranet and the Internet simultaneously.
  • Users can continue to access the Internet while roaming without the need to route Internet traffic back to their home location.

 

There are also some constraints in the ULCL offloading solution:

  • Campus services do not support access via 4G networks and roaming scenarios. Due to the lack of support for ULCL functionality in 4G scenarios and incomplete support in roaming scenarios in the 3GPP protocol, campus users are unable to access the enterprise intranet through ULCL while in 4G coverage.
  • Terminals in the campus are planned by the operator as B2C users. Therefore, IP address conflicts may occur when interconnecting with the campus. To avoid conflicts, network address translation (NAT) isolation is required.
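The uplink classification and the address-conflict constraint above can be checked against an addressing plan before interconnection. The following is an added example, not ZTE's code; every prefix, the anchor names and the helper functions are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample plan; every prefix is an assumption, not from the article.
CAMPUS_PREFIXES = [ip_network("10.20.0.0/16"), ip_network("172.16.5.0/24")]
OPERATOR_UE_POOLS = [ip_network("10.20.128.0/17"), ip_network("100.64.0.0/10")]
NAT_POOL = ip_network("192.168.250.0/24")  # range the campus sees after NAT


def select_anchor(dst, offload_filter=CAMPUS_PREFIXES):
    """Uplink classification: destinations matching the filter go to the
    secondary anchor (edge UPF); everything else stays on the primary anchor."""
    addr = ip_address(dst)
    if any(addr in net for net in offload_filter):
        return "edge-upf"
    return "public-upf"


def conflicting_pools(ue_pools=OPERATOR_UE_POOLS, campus=CAMPUS_PREFIXES):
    """Operator-assigned UE pools that overlap campus addressing."""
    return [p for p in ue_pools if any(p.overlaps(c) for c in campus)]


def ambiguous_on_campus(ue_ip, dst):
    """True when an offloaded packet would arrive with a source address
    that the campus also treats as one of its own hosts."""
    src = ip_address(ue_ip)
    return (select_anchor(dst) == "edge-upf"
            and any(src in c for c in CAMPUS_PREFIXES))


def nat_pool_is_clean(nat_pool=NAT_POOL):
    """The NAT range must collide with neither campus nor operator space."""
    return not any(nat_pool.overlaps(n)
                   for n in CAMPUS_PREFIXES + OPERATOR_UE_POOLS)


if __name__ == "__main__":
    print(select_anchor("10.20.30.7"), select_anchor("203.0.113.9"))
    print([str(p) for p in conflicting_pools()])
    print(ambiguous_on_campus("10.20.200.4", "10.20.30.7"), nat_pool_is_clean())
```

A non-empty result from `conflicting_pools()` is the case in which NAT isolation is required, and `nat_pool_is_clean()` confirms that the translated range does not reintroduce the conflict.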

 

5G Dual-Domain Private Network Solution Based on NodeEngine

ZTE's NodeEngine-based 5G dual-domain private network solution is a simplified private network solution for campuses, hospitals and industrial parks. It can rapidly provide industrial private network services simply by deploying one computing board in the existing BBU, which significantly reduces deployment costs and shortens deployment cycles.

By adding this computing board, the NodeEngine-based 5G dual-domain private network solution enables simultaneous 4G/5G access. The solution splits traffic based on rules such as PLMN, S-NSSAI and destination IP address, and meets the access requirements of both 4G/5G B2B and B2C services: B2B traffic stays within the enterprise campus, and B2C users can access both the Internet and the local enterprise intranet simultaneously (Fig. 2).

 

  • Delay Reduction and Service Experience Optimization

Compared to using a public VPN to access internal services such as industrial applications and online training, adopting the 5G dual-domain private network solution based on NodeEngine can greatly shorten the access path and reduce the service access delay. In addition, 5G realizes indoor and outdoor continuous coverage with larger capacity, stronger interference resistance, and better mobility. This one-hop direct access greatly improves service experience over traditional public VPN access.

  • 4G/5G Multi-Service Integration with Local Access

A single set of the NodeEngine solution can support simultaneous 4G/5G network access and multi-service access to the enterprise intranet, satisfying the requirements of both mobile phones and B2B terminals and services. As a result, this solution meets the local access needs of existing 4G terminal users and protects the investment in 4G.

  • Seamless Offloading and Secure Control

The solution implements seamless data traffic splitting through one-phone-one-card access, allowing enterprise employees to access the Internet and the enterprise intranet simultaneously. The NodeEngine performs local traffic offloading and allows enterprise users to subscribe to a specific RAT/frequency selection priority (RFSP). By identifying users through their RFSP labels, it achieves coordinated access and effective management control for specific enterprise users on both the public and private networks. Only subscribed enterprise users are allowed to access the enterprise's intranet services.
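The split rules and the RFSP gate described in this section can be exercised as a small policy check. This is an added example, not ZTE's implementation; the PLMN, S-NSSAI and RFSP values, the intranet prefix, the rule ordering and the function names are all constructed assumptions. It contrasts a destination-only rule set with one that also checks the RFSP label.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# All identifiers below are constructed placeholders, not values from the article.
B2B_PLMN = "999-01"        # hypothetical private-network PLMN
B2B_SNSSAI = "1-000001"    # hypothetical enterprise slice (SST-SD)
ENTERPRISE_RFSP = {42}     # hypothetical RFSP index given to enterprise staff
INTRANET = [ip_network("10.20.0.0/16")]


class Subscriber(NamedTuple):
    name: str
    plmn: str
    snssai: str
    rfsp: int


def decide(sub, dst, check_rfsp=True):
    """Return 'local' (offloaded to the intranet) or 'public' (operator core)."""
    if sub.plmn == B2B_PLMN or sub.snssai == B2B_SNSSAI:
        return "local"                       # B2B traffic stays in the campus
    if not any(ip_address(dst) in net for net in INTRANET):
        return "public"                      # B2C Internet traffic
    if check_rfsp and sub.rfsp not in ENTERPRISE_RFSP:
        return "public"                      # no enterprise RFSP: no offload
    return "local"


def leaks(subscribers, dests, check_rfsp=True):
    """(subscriber, destination) pairs where a B2C user without the
    enterprise RFSP would still be offloaded to the intranet."""
    return [(s.name, d) for s in subscribers for d in dests
            if s.plmn != B2B_PLMN and s.snssai != B2B_SNSSAI
            and s.rfsp not in ENTERPRISE_RFSP
            and decide(s, d, check_rfsp) == "local"]


USERS = [Subscriber("b2b-sensor", "999-01", "1-000001", 0),
         Subscriber("employee", "001-01", "1-000000", 42),
         Subscriber("visitor", "001-01", "1-000000", 1)]
DESTS = ["10.20.30.7", "203.0.113.9"]

if __name__ == "__main__":
    print(leaks(USERS, DESTS))                    # rule set with the RFSP gate
    print(leaks(USERS, DESTS, check_rfsp=False))  # destination-only rule set
```

Running the same matrix against a real rule export after each policy change shows whether a destination-only rule has reopened intranet access to users without the enterprise RFSP.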

Applications

ZTE's 5G dual-domain private network solutions have been commercialized in several campuses and industrial parks. ZTE worked with a telecom operator to deploy the ULCL-based 5G dual-domain private network in a university in Wuhan in September 2021. Teachers and students can access both the Internet and intranet while on campus, and only the Internet when off the campus.

In August 2022, ZTE cooperated with an operator to deploy the NodeEngine-based 5G dual-domain private network in an industrial park in Inner Mongolia. A single set of the NodeEngine solution was used to enable simultaneous access of the 4G/5G private network and enterprise users in the industrial park. By subscribing enterprise users to a specific RFSP/SPID, employees in the park can access both the Internet and the intranet. When leaving the park, they can only access the Internet.

Summary

With the rapid growth of 5G and further improvement of infrastructure, the trend of replacing Wi-Fi with 5G in campus scenarios has become inevitable. Both the ULCL-based and the NodeEngine-based 5G dual-domain private network solutions are designed to address the limitations of campus networks and enable access to 4G/5G-converged networks, expanding their application scenarios. As a leading global provider of integrated communications solutions, ZTE has been committed to proactively addressing customer needs and working with partners to constantly improve 5G dual-domain private network solutions. This will drive the deep integration of 5G with industries, promoting digital and intelligent transformation across various sectors.