🔧

Section 11.6

Cross-Domain Composition: Worked Examples

Four worked examples that compose across the domains established earlier: Enterprise SD-WAN (MPLS L3VPN + CPE + IPAM + optional 5G backup), 5G enterprise URLLC slice (RAN + transport + core SLA composition), FTTH residential broadband (OLT + BNG + IPAM + CPE + workforce), and Enterprise Ethernet (L2VPN/EVPN + NID + activation testing TMF634). Each example shows the dependency graph, execution sequence, rollback scope, and assurance feedback path. Cross-cutting lessons: IPAM first, capacity-as-reservation, saga rollback (not transaction), activation testing as a gate, assurance armed at activation, workforce as a first-class actor.

The previous four sections established the layering (11.1), the universal integration pattern (11.2), and three domain integrations (11.3 IP/MPLS, 11.4 mobile core, 11.5 fixed access). This section shows the composition — how a real service order traverses multiple domains at once, with sequencing, rollback, and assurance feedback woven across them. Composition is where multi-domain orchestration earns its name; it is also where most orchestration architectures discover the gaps in their domain abstractions.

Each worked example below shows: (a) the dependency graph — which domain produces what for which other domain; (b) the execution sequence — what must happen in what order; (c) the rollback scope — what unwinds if a step fails; and (d) the assurance feedback — how runtime SLA observations close the loop. The examples are deliberately simplified for pedagogical clarity; production orchestration of these services involves more idempotency checks, more compensating actions, and more vendor-specific intermediaries than shown.

Worked Example 1: Enterprise SD-WAN

Service: Enterprise SD-WAN with MPLS L3VPN underlay, managed CPE at each site, public IP per site, and optional 5G FWA backup link for resilience. Domains touched: IP/MPLS (underlay VPN), fixed access or 5G FWA (last-mile), CPE management, IPAM, mobile core (for 5G backup).

Dependency graph — SD-WAN service

Producer domain	Output	Consumer domain
IPAM	Per-site WAN IPs (IPv4 + IPv6 prefix)	IP/MPLS (VRF), CPE, mobile core (5G backup APN)
IP/MPLS	L3VPN VRF on PE routers, route-targets, transport class	CPE (SD-WAN overlay endpoints)
CPE management	CPE config, overlay tunnel keys, monitoring	Customer CPE (via TR-369 USP)
Mobile core (optional)	5G FWA APN with backup-class QoS, SIM provisioning	CPE secondary uplink
Inventory	Service instance with all sub-RFS items linked	Assurance, billing, customer portal

Execution sequence — SD-WAN order to active service

COM/SOM receives the order

COM → SOM

Enterprise orders "SD-WAN Premium, 5 sites, 100 Mbps each, 5G backup". COM decomposes into per-site CFS instances. SOM decomposes each CFS into RFS items: L3VPN underlay, CPE config, public-IP allocation, optional 5G backup.

XDO requests IPAM allocations

XDO → IPAM

Cross-domain orchestrator allocates per-site WAN IP and IPv6 prefix from IPAM as the first concrete step. Allocations are reserved (not yet committed to network). If any IPAM allocation fails, the service is rejected before any network change.

IP/MPLS domain provisions L3VPN

XDO → IP/MPLS controller

XDO sends an L3NM-style request to NSO/NSP. The controller computes the PE template, configures VRFs, BGP-VPN sessions, route-targets, transport class. Returns service-instance state. Idempotent: replay produces the same VRF.

Mobile core (if 5G backup) provisions APN

XDO → 5GC NFs

XDO calls 5GC SBI (Nudm/Nsmf/Npcf) to create the backup APN/DNN, bind QoS profile, register the FWA SIM. UPF capacity is checked; new pods scaled if needed via MANO.

CPE configured via TR-369 USP

XDO → CPE management → CPE

CPE management pushes overlay tunnel keys, primary-link IP, optional secondary-link APN credentials, monitoring profile. CPE comes online; first-byte test succeeds; TMF634 service-test result captured.

Service instance committed; assurance armed

XDO → Inventory + Assurance

XDO commits the service instance to inventory. Assurance arms SLA monitors: latency budget per site, link availability, failover-to-5G test cadence. Closed-loop policies set: alert on link down, auto-failover within 30s.

Rollback scope

Failure at step 3 unwinds IPAM reservations. Failure at step 4 unwinds the L3VPN AND the IPAM reservations — this is a saga, not a transaction. Failure at step 5 unwinds 5GC config, L3VPN, and IPAM. Each compensating action is itself idempotent; each may itself fail (CPE unreachable, 5GC throttled), forcing manual ops escalation. Production designs assume at least one rollback per 100 orders fails midway.

Assurance feedback

Site-level link-down events from BNG / 5GC trigger automatic failover at the CPE. Persistent failures escalate via the assurance product to a service-level KPI breach, which can re-enter the orchestrator (auto-replan, scale 5G backup capacity, dispatch field tech). Without this loop, every degradation becomes a manual ticket.

Worked Example 2: 5G Enterprise Slice (URLLC)

Service: URLLC slice for an industrial customer — 10 ms end-to-end latency, 99.999% availability, isolated user plane, dedicated UPF capacity. Domains touched: 5GC, RAN (via O-RAN/SMO), transport (IP/MPLS with strict-class), assurance. The hard part is end-to-end SLA composition across three independent domains.

Dependency graph — 5G enterprise slice

Producer domain	Output	Consumer domain
Slice catalog (CSMF)	NEST-aligned slice template; S-NSSAI assigned	5GC, RAN, transport
Transport (IP/MPLS)	SR transport tunnel with latency budget commit	5GC user plane (UPF anchoring)
5GC (NSMF + NSSMF-core)	Slice-aware AMF/SMF/UPF, NSSF policy, dedicated UPF instance	RAN, subscribers
RAN (NSSMF-RAN)	Slice-aware scheduler weights, PRB partitioning per cell	Air interface
Assurance	Per-domain KPIs aggregated into slice-SLA dashboard	Closed-loop orchestration

Execution sequence — slice order to operational slice

Slice request received via CSMF

CSMF → NSMF

Enterprise (or vertical platform) requests a NEST-template slice. CSMF translates the customer-visible NEST into network-side requirements and hands a slice-instantiation request to NSMF.

XDO computes per-domain slice budgets

NSMF (XDO)

NSMF (cross-domain orchestrator) decomposes the 10 ms end-to-end target into RAN budget (~3 ms), transport budget (~3 ms), core budget (~4 ms). Capacity check: do RAN cells, transport paths, and UPF capacity exist? If not, scale or reject.

Transport slice provisioned

XDO → IP/MPLS controller

XDO sends an IETF slice-ng / SR-TE policy request to the IP/MPLS controller, which computes a strict-latency SR path between RAN sites and the UPF anchor. Reservation only — not yet committed.

Core slice realised — UPF scaled if needed

NSSMF-core → MANO + 5GC

NSSMF-core requests dedicated UPF capacity. NFVO + VNFM scale a new UPF instance; new pods register with NRF; SMF policies are bound to the slice S-NSSAI. AMF and PCF are configured for slice-aware admission and policy.

RAN slice configured

NSSMF-RAN → RAN

NSSMF-RAN configures slice-aware scheduler weights and PRB partitioning on the relevant gNBs. This is a multi-cell, often multi-vendor operation; vendor RAN orchestration (e.g. SMO in O-RAN) executes the per-cell config.

End-to-end test + slice live

XDO → Inventory + Assurance

Slice-level service test (3GPP TS 28.554 KPIs) executed: round-trip latency, packet loss, availability under load. Slice instance committed to inventory; assurance arms slice KPIs with closed-loop scaling and replanning policies.

Why this is the hardest worked example

Every other worked example involves a single SLA target (bandwidth, availability) at a single domain boundary. The 5G slice has distributed SLA composition — the 10 ms end-to-end target is met by independent budgets across RAN, transport, and core, each managed by a different team or vendor, each evolving on a different cadence. The orchestrator owns the budget allocation and the renegotiation logic when one domain reports it cannot meet its share.

Rollback scope and assurance feedback

Failure at step 4 (core scaling) unwinds the transport slice reservation and slice template. The orchestrator must not commit transport before core capacity is confirmed, because rolling back SR paths under live traffic forces convergence events that violate the slice SLA — a classic "rollback caused the outage" failure mode. Assurance feeds slice KPI breaches back into the orchestrator: scale UPF, reroute transport, or refuse new attaches. Without this loop, slicing degrades silently.

Worked Example 3: FTTH Residential Broadband

Service: 1 Gbps FTTH residential broadband with VoIP, public IPv4 (CGNAT) + IPv6 prefix, and a managed Wi-Fi mesh CPE. Domains touched: fixed access (OLT/ONT/BNG), CPE management, IPAM, billing/CRM, and field workforce for the truck roll. This is the most volume-driven worked example — Tier-1 operators run hundreds of thousands of these per year.

Dependency graph — FTTH residential service

Producer domain	Output	Consumer domain
Workforce / dispatch	Fibre installation, ONT placement, customer present	OLT (line ready), CPE (ready to be plugged)
Access controller	OLT line config, ONT registration, BNG subscriber profile	CPE, AAA, IPAM
IPAM	IPv4 (CGNAT) + IPv6 prefix lease	BNG, CPE
CPE management	CPE config push, Wi-Fi profile, mesh node provisioning	Customer CPE
Billing / CRM	Service active event → billing start; customer portal updated	Revenue assurance

Execution sequence — FTTH order to active service

Order captured; feasibility checked

COM

Customer orders FTTH 1 Gbps via retail channel. COM checks feasibility against access network inventory: is there a serviceable OLT? capacity on the right line card? available ONT in stock? If yes, order proceeds.

Truck roll scheduled

COM → Workforce

Workforce dispatches a field tech to install the fibre and ONT at the customer premise on a chosen appointment. Until media is in place, no network config can succeed.

IPAM and BNG provisioned in advance of customer present

XDO → IPAM + AAA

XDO allocates the IPAM lease (CGNAT IPv4 + /56 IPv6 prefix) and creates the BNG subscriber profile in AAA. These can complete before the truck roll lands; they cost nothing until the CPE comes online.

On site: ONT registered + line activated

Access controller + Field tech

Field tech connects the fibre, plugs in the ONT. Access controller registers the ONT against the OLT line, applies the service profile, completes line activation. The CPE is plugged in; first DHCP/IPoE event hits the BNG.

CPE configured via TR-369 USP

CPE management → CPE

CPE registers with the ACS; CPE management pushes Wi-Fi SSID/password from customer order, mesh-node configuration, IPv6 prefix delegation, voice (VoIP) line config. Customer's primary device gets internet within seconds.

Service active; billing starts

XDO → Billing + Assurance

Service-active event published. Billing starts, customer portal updates, customer-care notes the activation. Assurance arms: link health, Wi-Fi quality KPIs, NPS-relevant metrics.

The classic FTTH failure mode

Activation logic that reverses steps 3 and 4 — registering the ONT before the BNG profile and IPAM lease exist — is the single most common Tier-1 production incident in fixed access. The customer's line is "lit" (link up) but the BNG drops the session because there is no profile, or the IPAM has nothing to lease. The customer sees no service; the field tech is dispatched to a working line; activation SLA is missed. Catalog dependency modelling prevents this; ad-hoc workflow scripting cannot.

Worked Example 4: Enterprise Ethernet (E-Line / E-LAN)

Service: Symmetric 10 Gbps Ethernet between two enterprise sites, with strict CIR/EIR, MEF-compliant SLA, and end-to-end activation testing. Domains touched: IP/MPLS (L2VPN/EVPN), fibre/transport, CPE (NID at each site), workforce, assurance.

Dependency graph — Enterprise Ethernet service

Producer domain	Output	Consumer domain
Optical / transport	Wavelength or sub-λ between PoPs (if not already in place)	IP/MPLS (PE-PE link)
IP/MPLS	L2VPN/EVPN or VPLS instance, MAC-VRF, MTU policy	CPE NID, customer
CPE / NID	Per-site network interface device with policer, monitoring	Customer Ethernet handoff
Workforce	On-site CPE/NID install, fibre patch	Activation testing
Activation testing (TMF634)	Y.1731 / RFC 2544 results	Service-active gate

Execution sequence — Enterprise Ethernet activation

Order with feasibility against PoP capacity

CPQ → COM

CPQ + COM produces a feasibility-checked order: are both sites reachable from PoPs? does optical capacity exist? if not, plan optical augmentation as a dependency.

Optical reservation (if needed)

XDO → Optical controller

XDO reserves wavelength/sub-λ between the two PoPs via the optical controller. If no capacity, the workflow pauses for a separate transport build — composition does not bypass capacity reality.

L2VPN / EVPN provisioned on PEs

XDO → IP/MPLS controller

IP/MPLS controller configures EVPN MAC-VRF or VPLS instance on both PEs, with route-targets, MTU, CIR/EIR policer. Idempotent service-model push via NETCONF/YANG (L2NM-aligned).

NID install + service test

Workforce + Activation testing

Workforce installs NID at each site, patches fibre. Activation test (RFC 2544 throughput, Y.1731 OAM, latency check) executes. TMF634 test report captured. If test fails, escalate to NOC before customer handoff.

Customer handoff and service active

XDO → Billing + Assurance

Customer accepts handoff; service marked active in inventory. Billing starts. Assurance arms: SLA monitoring against MEF KPIs, monthly availability reporting, breach-to-credit logic.

Activation testing as a first-class step

Enterprise Ethernet differs from residential broadband in that the activation test is the gate for service-active, not an afterthought. TMF634 service test is part of the order workflow — a failed test pauses the activation, not the service. Operators that bolt activation testing on later, instead of integrating it into the orchestrator, end up with services declared "active" in BSS while customers experience packet loss in production.

Cross-Cutting Lessons from Composition

Patterns that recur across all four examples

Pattern	How it appears	Why it matters
IPAM allocation early	Reserve IP / prefix before any network change	Cheapest step to fail; prevents partial activation if IP unavailable
Capacity check before commit	Optical capacity, UPF capacity, OLT line — checked as reservation, committed as part of saga	Avoids partial commits that take live traffic down before failure is even known
Saga rollback, not transaction	Each domain commit is rolled back via compensating action; some compensations may fail	Production designs must plan for rollback failure, not assume rollback always succeeds
Activation testing as a gate	Test result blocks "active" state; test failure escalates rather than progressing	Otherwise the BSS sees services as live when the network is delivering nothing
Assurance loop registered at activation, not later	KPIs and closed-loop policies armed when the service is committed	Otherwise service operates uninstrumented for weeks; SLA violations go undetected
Workforce as a first-class actor	Truck rolls and field-tech handoff modelled in the workflow with explicit ready/blocked states	Physical reality dominates timing; the orchestrator must wait, not assume

Section 11.6 Key Takeaways

Composition is where multi-domain orchestration earns its name. The four worked examples — SD-WAN, 5G slice, FTTH, Enterprise Ethernet — show how dependency graphs, sequencing, rollback scope, and assurance feedback compose across domains.
IPAM allocation is the universal first concrete step. It costs nothing to roll back, and it gates the rest of the saga.
Capacity is checked as a reservation, then committed as part of the saga. Bypassing the reservation step turns capacity exhaustion into a partial activation, which is harder to recover from than a clean rejection.
Cross-domain rollback is a saga of compensating actions, not a transaction. Some compensations fail. Production designs assume at least one rollback per N orders fails midway.
Activation testing (TMF634) is a gate for service-active state on enterprise services. Without it, BSS sees a live service while the network delivers nothing.
Assurance loops must be armed at activation. Services that go live without assurance instrumentation drift unnoticed until the customer escalates.
Workforce is a first-class actor. Truck rolls, fibre installs, CPE shipping all dominate timing and must be modelled with explicit ready/blocked states — not assumed away.
The 5G slice is the hardest worked example because it requires distributed SLA composition across RAN, transport, and core. Every other example has a simpler SLA shape; this one trains the architectural muscle for the next decade of telco services.