🔧

Section 11.5

Fixed Access & Broadband

Fixed access as an orchestration domain dominated by subscribers, sessions, and CPE. Covers BNG/BRAS subscriber session model (IPoE/PPPoE, RADIUS), PON access (OLT/ONT/ONU), CPE management (TR-069 and TR-369/USP), IPAM coupling (CGNAT, IPv6 prefix delegation), access controllers (Nokia Altiplano, Calix SMx, Adtran Mosaic, Huawei iManager/NCE), and the activation chain from media to service. Anti-patterns: ONT activated before upstream service path, session events treated as orchestration events, IPAM as an afterthought.

Fixed access is the orchestration domain that touches the largest number of customer endpoints in any operator — millions of homes and businesses, each with a physical media (fibre, copper, coax, fixed wireless) and a CPE. The orchestration story is dominated by subscribers, sessions, and CPE lifecycle, not by service models, and it is the domain most coupled to physical fulfilment workflows (truck rolls, line handover, CPE shipping).

This section covers BNG/BRAS subscriber sessions, PON access (OLT/ONT/ONU), CPE management, IPAM coupling, and the dominant access controllers. The goal is to make the orchestration interface explicit at three places where this domain is uniquely fragile: subscriber session state, IP allocation, and the activation sequence between physical media and service.

Domain Anatomy: BNG, OLT, ONT, CPE

Fixed access is a multi-element domain — every customer connection involves at least three managed elements (CPE, ONT/modem, OLT/BNG) plus AAA and IPAM. Understanding what each element does dictates the orchestration responsibilities and where state has to live.

Element classes in the fixed-access domain

Element	Role	Typical integration	Examples
BNG / BRAS (Broadband Network Gateway)	Subscriber session termination at the IP edge — IPoE/PPPoE, RADIUS, QoS enforcement	NETCONF/YANG (modern), RADIUS/Diameter for sessions, SNMP/CLI (legacy)	Nokia 7750 SR-BNG, Cisco ASR9k BNG, Juniper MX-series, Huawei MA5800
OLT (Optical Line Terminal)	Aggregation point for PON access — manages downstream ONTs, line cards, PON ports	NETCONF/YANG (modern OLT), proprietary EMS for legacy	Nokia 7360 ISAM, Calix E-series, Adtran SDX, Huawei MA5800
ONT / ONU (Optical Network Terminal)	Customer-side PON termination; handoff to home network	OMCI on PON; TR-069 / TR-369 (USP) for management	Vendor-matched to OLT; sometimes interoperable for GPON
CPE / Residential Gateway	Customer-premises router/Wi-Fi; the customer's view of "broadband"	TR-069 / TR-369 (USP) via ACS	Operator-branded gateways (typically white-label Sagemcom, Technicolor, eero, Plume)
AAA / RADIUS server	Subscriber authentication, authorisation, accounting	RADIUS / Diameter from BNG; CRUD via OSS subscriber-mgmt API	Vendor RADIUS, FreeRADIUS, Cisco ISE, Aviatrix, Pareteum (legacy)
IPAM	IP address and prefix allocation; CGNAT pools; IPv6 prefix delegation	REST API to OSS; integration with BNG/RADIUS for dynamic assignment	Infoblox, BlueCat, Men&Mice, vendor-native (Nokia NSP IPAM, Cisco DDI)

The end-to-end activation chain

A working fixed-access service requires every element in the chain to be configured in the right order: media (fibre/copper) installed → OLT line card configured → ONT registered and activated → BNG subscriber profile created → AAA configured → IPAM allocated → CPE configured. Get one out of order and the customer sees no service. Get the dependency model wrong in the catalog and ops works around it manually for years.

Access Technologies and Their Orchestration Implications

The access medium determines the elements involved and the activation flow. Most operators run several technologies in parallel — FTTH for new build, DSL/copper for legacy, DOCSIS for cable estates, fixed wireless for hard-to-reach areas — each with its own controller, EMS, or vendor stack.

Access technologies and their orchestration footprint

Technology	Active elements	Typical controller / EMS	Notes
GPON / XGS-PON (FTTH)	OLT, ONT, BNG (or pseudo-wire to BNG)	Nokia Altiplano, Calix SMx, Adtran Mosaic, Huawei iManager	Dominant new-build technology; modern OLTs are NETCONF/YANG-managed
25G/50G PON, NG-PON2	Higher-speed OLT/ONT pairs; same orchestration surface	Same controllers as GPON, with capability extensions	Emerging in business-grade FTTH and 5G x-haul
VDSL / FTTC	DSLAM, BNG, copper distribution point	Vendor DSLAM EMS; often legacy (ADSL2+ kit pre-NETCONF)	Declining footprint; copper is being decommissioned in most markets
DOCSIS (cable)	CMTS, cable modem	Cable-specific controllers (CableLabs DOCSIS PnP, vendor CMTS EMS)	Distinct ecosystem; provisioning model differs from PON
Fixed Wireless Access (5G FWA, LTE FWA)	gNB / eNB + 5GC/EPC + indoor CPE/router	Mobile core orchestration (see 11.4) + CPE management	Sold as a fixed product; orchestrated through mobile core for the radio side
Wholesale access (e.g. Openreach, Chorus, NBN)	Wholesale provider's OLT/DSLAM; retail BNG	B2B integration via wholesaler portals + SI8 / file-based interfaces	Orchestration coordinates retail catalog with wholesaler order workflow

The Subscriber Session Model

Unlike IP/MPLS — where the orchestrator configures relatively static services — fixed access is dominated by subscriber sessions that come and go. A customer's session is created when their CPE connects, authenticated against AAA, given an IP address by IPAM, granted policy by the BNG, and torn down on disconnect. The orchestrator does not manage individual sessions; it manages the subscriber profile that determines what sessions are allowed and how they are policed.

IPoE

IP over Ethernet — the modern access pattern. CPE/ONT comes online; the BNG sees the MAC, authenticates via Option 82 / DHCP / RADIUS, assigns IP and policy. No PPP session, no per-session tunnel. Used for most modern FTTH deployments.

PPPoE

Point-to-Point Protocol over Ethernet — the legacy pattern. CPE establishes a PPP session with the BNG, authenticates, gets an IP. More overhead than IPoE but provides cleaner per-subscriber session isolation. Still used in many DSL and some FTTH deployments.

The orchestrator never manages the session

Subscriber sessions are runtime state owned by BNG and AAA. The orchestrator manages the profile — a service contract that says "this subscriber, when they connect, gets these characteristics". Treating session creation as an orchestration step (rather than a BNG/AAA-driven event) leads to brittle integration where every CPE reboot becomes an OSS event.

Service Abstractions in Fixed Access

Service abstractions exposed by the access domain

Abstraction	What it represents	Hides from XDO
Residential broadband service	Internet access with bandwidth tier, optional VAS, CPE-managed	BNG profile, RADIUS attributes, OLT line config, IPAM lease, CPE TR-069 config
Business Ethernet / leased line	Symmetric uncontended L2/L3 service over fibre with SLA	OLT business profile, BNG VRF, IP block, monitoring config
Bundled triple-play	Internet + IPTV multicast + voice (VoIP)	Multicast group config, IGMP snooping, VoIP CPE provisioning, QoS profiles
FTTH activation order	Line ready, ONT registered, service profile applied	Truck-roll workflow, ONT registration, OLT line assignment, BNG subscriber CRUD
Wholesale broadband	Retail product backed by a wholesaler-delivered access circuit	Wholesaler order coordination, port mapping, bitstream/EFM/FTTC handoff

Access Controllers and EMS

The access domain has fewer controller options than IP/MPLS or mobile core, partly because access is heavily vendor-locked at the OLT layer (the OLT vendor and ONT vendor must match for legacy GPON). The major access controllers all combine OLT/ONT control with subscriber management and increasingly with CPE management.

Nokia Altiplano

Cloud-native access management for Nokia ISAM OLTs, multi-PON-flavour support

NETCONF/YANG NBI; integrates with Nokia NSP for transport
Strong fit for Nokia-dominated FTTH deployments
Often paired with Nokia Orchestration Center for cross-domain composition

Calix SMx / SMx-OS

SDN-style access controller; Calix-native + selected multi-vendor

Strong in altnet and Tier-2/3 FTTH operators
Subscriber-centric model — service definition aligned with operator product catalog
REST and NETCONF NBI

Adtran Mosaic

Vendor-agnostic ambition; controller + assurance + service automation

Designed multi-vendor; production maturity varies by deployment
Used in altnet and broadband cooperatives
API-first NBI

Huawei iManager U2000 / NCE

Huawei-native EMS / controller for Huawei MA5800 and OLTs

Dominant where Huawei access is deployed (especially APAC, Africa)
Legacy iManager is element-management; NCE is the modern controller direction
NETCONF/YANG and proprietary protocols

Vendor lock at the OLT layer is structural

GPON ONTs are typically vendor-matched to the OLT (intervendor interoperability is technically possible but rarely deployed in production due to operational risk). This means the access controller is effectively a vendor-specific product per OLT footprint, and multi-vendor access orchestration is multi-controller orchestration — not multi-vendor-within-one-controller.

IPAM Coupling: The Hardest Integration

Every fixed-access subscriber needs IP. At Tier-1 scale, that is millions of IPv4 addresses (most behind CGNAT) and IPv6 prefixes. IPAM is the hardest integration in the access domain because it is the only one that has to be transactional, low-latency, and survive every BNG event without divergence between IPAM, BNG, and RADIUS state.

IPv4 with CGNAT — public IPv4 pools shared via CGNAT; the orchestrator allocates the inside-IP, the BNG/CGNAT box does the public mapping at session time.
IPv6 prefix delegation — each subscriber typically gets a /56 or /64 prefix, allocated by IPAM, delegated through the BNG via DHCPv6-PD or RADIUS attributes.
Dual-stack — most operators run IPv4 + IPv6 simultaneously, each from its own pool, with their own address-family lifetime and renewal cadence.
Static allocation — business customers and BGP-peered enterprises need static IPs; these must be reserved, never recycled, and tied to the customer record across CPE replacements.

IPAM state divergence is a top-three production incident

When IPAM, BNG, and RADIUS disagree on what IP is assigned to which subscriber, customers get black-holed traffic, duplicated allocations, or routing failures. The orchestrator must own the lease lifecycle as a first-class service object, not as a side-effect of subscriber provisioning. Every Tier-1 has a story about a CGNAT pool exhaustion or a stale allocation that paged the network team at 3am.

CPE Management: TR-069 and TR-369 (USP)

The CPE is the only OSS-managed element inside the customer's home or office. Managing it requires a remote-management protocol that survives NAT, intermittent connectivity, and the customer's right to power-cycle their router on a whim.

TR-069 and TR-369 — the CPE management protocols

Aspect	TR-069 (CWMP)	TR-369 (USP — User Services Platform)
Status	Production at scale; legacy in design	Modern; rolling out across new CPE
Transport	HTTP/SOAP	WebSocket, MQTT, STOMP, CoAP
Control flow	CPE polls ACS; ACS pushes via reverse-call	Event-driven, bi-directional, near-real-time
Data model	Device:2 (per BBF)	Device:2 + USP extensions
Use	Wide-area broadband, VoIP, IPTV	Smart-home, mesh Wi-Fi, NFV in CPE, 5G FWA CPE

CPE management is where customer experience lives

Network outages are visible to ops; CPE problems are visible to the customer. Wi-Fi coverage, mesh node reachability, IoT device behaviour, parental controls — all of these are TR-069/USP territory. Operators that treat CPE management as a tier-2 concern below "real" orchestration end up with NPS-driven escalations they can't resolve from the OSS.

Anti-Patterns in Fixed-Access Orchestration

Fixed-access anti-patterns

Anti-pattern	What it looks like	What breaks first
ONT activated before upstream service path provisioned	OLT-side ONT registration happens before BNG subscriber profile, IPAM lease, or AAA config exist	Customer powers on the CPE and gets nothing — the line is "lit" but the service is not. Field tech is dispatched to a working line; customer-care escalation; activation SLA missed
Session events treated as orchestration events	Every CPE reboot, every PPPoE re-auth triggers an OSS workflow	OSS event queue saturates; workflows back up; real activations stall behind session noise
IPAM as an afterthought	No coordinated lease lifecycle; allocations from spreadsheets; CGNAT pools sized once and forgotten	CGNAT pool exhaustion at peak hours; stale leases preventing reactivation; IPAM/BNG/RADIUS divergence
Wholesaler workflow grafted onto retail orchestrator	Retail OSS calls wholesaler API directly with no integration model — every wholesaler change is a retail code change	New wholesaler product onboarded in months instead of weeks; retail catalog drifts from wholesaler reality
CPE as untracked endpoint	CPE shipped without serial-number/MAC-to-customer link recorded; ACS sees an unknown device	No remote troubleshooting; no firmware upgrade campaigns possible; CPE rooting / spoofing risks
Triple-play modelled as three independent services	Internet, IPTV, voice activated as three orders with no awareness of the shared CPE / line	CPE config conflicts; multicast and unicast policies fight; VAS de-activation breaks the data service

Section 11.5 Key Takeaways

Fixed access touches the most endpoints of any OSS domain. The orchestration story is dominated by subscribers, sessions, and CPE — not by service models in the IP/MPLS sense.
A working access service requires media → OLT → ONT → BNG → AAA → IPAM → CPE configured in the right order. Catalog models that miss the dependency chain force operational workarounds permanently.
The orchestrator manages the subscriber profile, not the session. Sessions are BNG/AAA runtime state; the orchestrator must not be in the loop on every CPE reboot.
Major controllers — Nokia Altiplano, Calix SMx, Adtran Mosaic, Huawei iManager/NCE — all combine OLT control with subscriber management. Multi-vendor at the OLT layer is multi-controller, not multi-vendor-within-controller, because GPON intervendor operation is rarely deployed.
IPAM is the hardest integration in this domain. Lease lifecycle, CGNAT, IPv6 prefix delegation, and dual-stack must be modelled as first-class service objects, not side-effects of provisioning.
TR-069 is production at scale; TR-369 (USP) is the modern direction. CPE management is where customer experience lives — Wi-Fi quality, mesh, IoT, FWA — and is where operators most often under-invest in orchestration.
The defining anti-pattern is activating the ONT before the upstream path is provisioned. Every Tier-1 has lived this; the catalog must enforce dependency ordering.