Zxr10 8900e Series

Operator Logo
ZXR10 8900E series Core

Switch Product Description
Downloaded from www.Manualslib.com manuals search engine
ZXR10 8900E series Core Switch Product Description

Version
Date
Author
Approved By
Remarks
V1.00
2011-03-25
Li Ying
Shen Chunsheng
Not open to the Third Party
V1.01
2012-6-13
Li Ying
Huang HongRu
Delete wrong description
V1.02
2012-10-10
Li Ying
Huang HongRu
Add new function in version

3.00.02 including VSCL2PT
MFF and so on. Modify the
description about main control
board and interface board.
Update IPv6 function.
2012-11-16
Li Ying
Huang HongRu
UpdateThe description error
2013-02-19
Li Ying
Huang HongRu
UpdateThe description about

software load and unload
2013 ZTE Corporation. All rights reserved.

ZTE CONFIDENTIAL: This document contains proprietary information of ZTE and is not to be
disclosed or used without the prior written permission of ZTE.
Due to update and improvement of ZTE products and technologies, information in this document is
subjected to change without notice.
ZTE Confidential Proprietary
2013 ZTE CORPORATION. All rights reserved.
TABLE OF CONTENTS
1
Overview ......................................................................................................... 1
2
2.1
2.2
2.3
2.4
2.5
2.6
2.7
Highlights ........................................................................................................ 3
Super Big capacity/ High Density Interfaces ..................................................... 3
VSC Construct Solid Cloud Core ...................................................................... 3
Distributed Module Operating System ROS 5.0 ................................................ 3
Multi-service Bearing Capabilities ..................................................................... 4
Comprehensive IPv6 Features ......................................................................... 4
Multi-Dimensional Security & Reliability Mechanism Guarantees Ever-online
Services ........................................................................................................... 4
Environment-friendly Innovations ...................................................................... 5
3
3.1
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.3
3.3.1
3.3.2
3.3.3
3.3.4
3.4
3.4.1
3.4.2
3.5
3.5.1
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.7
3.7.1
3.7.2
3.7.3
3.7.4
Function introduction..................................................................................... 6
L2 function ........................................................................................................ 6
Basic Ethernet features .................................................................................... 6
VLAN and relative features ............................................................................... 7
Link aggregation ............................................................................................. 11
Spanning tree ................................................................................................. 13
L2 multicast .................................................................................................... 15
L2PT ............................................................................................................... 16
L3 function ...................................................................................................... 17
IPv4 route protocol.......................................................................................... 17
Ipv6 Routing ................................................................................................... 20
IPv4/IPv6 Transition........................................................................................ 20
L3 Multicast .................................................................................................... 21
Controllable Multicast ..................................................................................... 23
MCE ............................................................................................................... 25
MPLS VPN ..................................................................................................... 26
Basic Functions of MPLS ................................................................................ 26
MPLS TE ........................................................................................................ 29
MPLS L2 VPN ................................................................................................ 30
MPLS L3 VPN ................................................................................................ 34
QoS ................................................................................................................ 35
Basic QoS ...................................................................................................... 35
MPLS QoS ..................................................................................................... 40
OAM ............................................................................................................... 41
Ethernet OAM ................................................................................................. 41
Clock synchronization ..................................................................................... 42
Clock source ................................................................................................... 42
Synchronous Ethernet .................................................................................... 42
IEEE 1588 v2.................................................................................................. 43
Clock protection .............................................................................................. 44
Reliability protection........................................................................................ 45
Equipment-level protection ............................................................................. 45
Network detection mechanism ........................................................................ 46
VSC ................................................................................................................ 48
Ethernet intelligent protection ......................................................................... 49
II
2013ZTE CORPORATION. All rights reserved.
3.7.5
3.7.6
3.7.7
3.8
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.9
3.9.1
L3 route protection .......................................................................................... 52

VPN Protection ............................................................................................... 53
FRR Protection ............................................................................................... 56
Security and Authentication ............................................................................ 60
ACL ................................................................................................................ 60
Device Authentication ..................................................................................... 61
Access Security .............................................................................................. 63
MFF ................................................................................................................ 65
Network Security ............................................................................................ 66
Network Traffic Analysis ................................................................................. 68
Sflow .............................................................................................................. 68
4
4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.2
4.2.1
4.2.2
4.3
4.3.1
4.3.2
4.3.3
4.4
4.4.1
4.4.2
System Architecture ..................................................................................... 70

Appearance .................................................................................................... 70
ZXR10 8912E Appearance ............................................................................. 70
ZXR10 8908E Appearance ............................................................................. 72
ZXR10 8905E Appearance ............................................................................. 74
ZXR10 8902E Appearance ............................................................................. 76
Hardware Architecture .................................................................................... 76
Overall Hardware Architecture ........................................................................ 77
Working Principles of Hardware System ......................................................... 79
Hardware Boards ............................................................................................ 81
Switching Main Control Board ......................................................................... 81
Power Module................................................................................................. 88
Interface Module ............................................................................................. 89
Software Architecture ..................................................................................... 92
System Software Architecture......................................................................... 92
Software Platform ........................................................................................... 94
5
5.1
5.2
5.3
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.3.10
Technical Specifications .............................................................................. 98

Basic features ................................................................................................. 98
Interface Specifications................................................................................... 99
Functions ...................................................................................................... 101
L2 features ................................................................................................... 101
L3 features ................................................................................................... 102
Multicast features ......................................................................................... 102
MPLS ........................................................................................................... 102
QoS .............................................................................................................. 103
Service Management .................................................................................... 104
Reliability ...................................................................................................... 104
System security ............................................................................................ 105
Clock synchronization ................................................................................... 106
Operating and Maintenance.......................................................................... 106
6
6.1
6.2
6.3
6.4
6.5
Typical Networking Mode........................................................................... 108

Application in Metro Ethernet ........................................................................ 108
Application in Data Center ............................................................................ 109
Application in Campus Network .................................................................... 110
Application in FTTx ....................................................................................... 111
Application in IP RAN ................................................................................... 112
III
7
7.1
7.1.1
7.1.2
7.2
7.2.1
7.2.2
7.2.3
7.2.4
Operation and Maintenance ....................................................................... 113

NetNumen U31 Unified Network Management Platform ............................... 113
Network Management Networking Mode ...................................................... 113
NetNumen U31 Network Management System............................................. 114
Maintenance and Management .................................................................... 116
Multiple Configuration Modes ....................................................................... 116
Monitoring and Maintenance......................................................................... 117
Software Upgrade ......................................................................................... 118
File System Management ............................................................................. 118
Glossary ...................................................................................................... 120
IV
FIGURES
Figure 1-1 ZXR10 8900E series product appearance........................................................... 2
Figure 3-1 MC-ELAM structure........................................................................................... 13
Figure 3-2
L2TP Networking ............................................................................................. 16
Figure 3-3 Architecture of MCE .......................................................................................... 25

Figure 3-4 MPLS working principle ..................................................................................... 27
Figure 3-5 MPLS header structure ..................................................................................... 28
Figure 3-6 Basic VPWS network model.............................................................................. 30
Figure 3-7 Basic VPLS network model ............................................................................... 32
Figure 3-8 H-VPLS networking with U-PW access ............................................................. 32
Figure 3-9 H-VPLS networking with QinQ access .............................................................. 33
Figure 3-10 Basic BGP MPLS VPN network model ............................................................ 34
Figure 3-11 end to end MPLS QoS .................................................................................... 41
Figure 3-12 SyncE synchronization .................................................................................... 43
Figure 3-13 IEEE 1588 synchronization ............................................................................. 44
Figure 3-14 SQA association ............................................................................................. 48
Figure 3-15 VSC system logic connection diagram ............................................................ 48
Figure 3-15 ZESR break alarm........................................................................................... 49
Figure 3-16 ZESS protection mechanism ........................................................................... 51
Figure 3-17 ZESR+ working principle ................................................................................. 51
Figure 3-18 PW single-hop redundancy protection ............................................................. 54
Figure 3-19 PW multi-hop redundancy protection .............................................................. 54
Figure 3-20 CE dual-homing to PE..................................................................................... 55
Figure 3-21 UPE dual-homing to NPE ................................................................................ 56
Figure 3-22 Route switching diagram ................................................................................. 56
Figure 3-23 Label switching diagram .................................................................................. 57
Figure 3-24 TE FRR local link and node protection ............................................................ 58
Figure 3-25 CE dual-homing model .................................................................................... 59
Figure 3-26 Multi-Level Processing Procedure ...................... Error! Bookmark not defined.
Figure 3-27 sFlow Multi-level Architecture .......................................................................... 69
Figure 4-1 ZXR10 8912E appearance ................................................................................ 71
Figure 4-2 ZXR10 8912E structure ..................................................................................... 72

Figure 4-9 ZXR10 8912E/8908E/8905E hardware system architecture .............................. 77
Figure 4-10 ZXR10 8902E hardware system architecture .................................................. 77
Figure 4-11 ZXR10 8905E/8908E/8912Esystem hardware diagram .................................. 80
Figure 4-12 ZXR10 8902E system hardware diagram ........................................................ 80
Figure 4-13 Principle diagram of 8912E/8908E/8905E main control board ......................... 81
Figure 4-14 Principle diagram of 8902E main control board ............................................... 81
Figure 4-15 8912EMSC1D main control board panel diagram ........................................... 84
Figure 4-16 8912EMSC1A main control board panel diagram ............................................ 85
Figure 4-20 8902EMSC1A main control board panel diagram ............................................ 86
Figure 4-21 8912E/8908E/8905E DC power board diagram ............................................... 88
Figure 4-22 8912E/8908E/8905E AC power board diagram ............................................... 89
Figure 4-23 8902E DC power board diagram ..................................................................... 89
Figure 4-24 8902E AC power board diagram ..................................................................... 89
Figure 4-25 E1GF24A ........................................................................................................ 91
Figure 4-26 H2GF24D........................................................................................................ 91
Figure 4-27 H2GF48D........................................................................................................ 91
Figure 4-28 H2GT48D........................................................................................................ 91
Figure 4-29 H2XF8D .......................................................................................................... 91
Figure 4-30 S1XF12A ........................................................................................................ 91
Figure 4-31 S2XF48A ........................................................................................................ 91
Figure 4-32 S2LQ6L2A ...................................................................................................... 92
Figure 4-33 8900E software system architecture ............................................................... 93
Figure 4-34 New-generation ZXROS V5.0 software platform system architecture .............. 95
Figure 6-1 Application in metro network ........................................................................... 108
Figure 6-2 Application of Data Center .............................................................................. 109
Figure 6-3 Enterprise network Application ........................................................................ 110
Figure 6-4 FTTx Application ............................................................................................. 111
VI
Figure 6-5 Application in IP RAN ...................................................................................... 112
TABLES
Table 4-1 Main control board panel interface features........................................................ 86
Table 4-2 Main control board panel button function description .......................................... 87
Table 4-3 Main control board panel indicator function description ...................................... 87
Table 4-4 8900E interface board type ................................................................................ 90
Table 5-1 Basic features and performance ......................................................................... 98
Table 5-2 Interface Specifications ...................................................................................... 99
Table 5-3 L2 features ....................................................................................................... 101
Table 5-4 L3 features ....................................................................................................... 102
Table 5-5 Multicast features ............................................................................................. 102
Table 5-6 MPLS feature ................................................................................................... 102
Table 5-7 QoS.................................................................................................................. 103
Table 5-8 Service Management ....................................................................................... 104
Table 5-9 Reliability.......................................................................................................... 104
Table 5-10 System security .............................................................................................. 105
Table 5-11 Clock synchronization .................................................................................... 106
Table 5-12 Operating and Maintenance ........................................................................... 106
Table 8-1 Abbreviations ................................................................................................... 120
VII
Overview
ZXR10 8900E switch is ZTEs new generation enhanced core switch. With years of
experience in telecom network, ZTE designs and develops 8900E which has ultra-large
system capacity, ultra-high port density and ultra-strong service functions. It can address
immediate needs of metro network, data center network, campus network and enterprise
network for network core equipment.
Today, telecom network tends to larger user broadband, service bearing over IP and flat
network structure. Basic network is the uniform, converged and efficient platform bearing
various services. Because of large-scale growth of VOIP/IPTV/VIP access/3G services
and the introduction and deployment of IPv6 technology, there are higher requirements
for core /convergence switch. And the network is more complex, CAPEX and
maintenance cost remains high, more devices are in use, security and user experience
(UX) is difficult to improve. How to get out of these troubles is a hard nut for carriers and
network administrators.
ZXR10 8900E core switch with large capacity adopts distributed design to provide
high-density FE, GE and 40G/100G port, low-power-consumption component, innovative
fan and power supply. With physical port intelligent management mechanism, it expands
network capacity, increases convergence rate with low investment, reduces the cost per
user, saves the space in equipment room, and drops energy consumption. It offers
reliable equipment/link/network-level protection, and supports independent supervision
plane. Adopting reconfigurable design, the software supports multiple switching
technologies, and guarantees E2E service experience with multilevel QoS, and improves
network reliability and quality to bring down user maintenance cost. It supports
multiservice bearing, several clock synchronization technologies, IPTV, IPv6, and
all-directional security. It can bear data, video and voice services, and integrates the
characteristics of multiple network equipments to meet the requirements of different
networks and reduce CAPEX. It offers excellent performance and features to help the
users to build efficient, intelligent and reliable network.
ZXR10 8900E series include ZXR10 8912E, ZXR10 8908E, ZXR10 8905E and ZXR10
8902E, which have 12, 8, 5 and 2 service slots respectively. They have high-integration
interface boards and a wide variety of service functions. Their appearance is shown in
Figure 1-1.
Figure 1-1
ZXR10 8900E series product appearance
Highlights
2.1
Super Big capacity/ High Density Interfaces

With distributed modular design, non-blocking switching architecture, brand new
big-bandwidth fabric, ZXR10 8900E is an advanced core switch in the industry.
Each single slot of ZXR10 8900E can provide maximally 48*10GE interfaces or 8*40GE
interfaces. In the future 8900E will be able to be smoothly upgraded to provide 100G
interfaces.
2.2
VSC Construct Solid Cloud Core

ZXR10 8900E supports Virtual Switch Clustering (VSC), which means the virtualization of
multiple physical switches into one logical switch. VSC enhances cluster system capacity
and port density, while at the same time simplifies simple topology and eases
administration.
Multiple physical switches can be interconnected through the normal line cards. The
80KM interconnection capability makes it possible to implement remote IDC backup.
The bandwidth of the VSC interconnection can reach 320Gbps, eliminating any possible
bottleneck in the VSC system.
The forwarding inside VSC system is optimized so that there will be least amount of traffic
passing between VSC members.
Switchover between master and slave in VSC system is really fast and the switchover will
not cause any service interruption.
2.3
Distributed Module Operating System ROS 5.0

ZXR10 8900E adopts full-distributed modular design: each process enjoys its dedicated
resources alone; the coordination between processes is efficient and secure.
Each line card has its own CPU, while the main-control card is equipped with a more
powerful CPU. Distributed protocol processing helps promote the overall computing
efficiency.
The expansion of management interfaces is flexible. Currently ZXR10 8900E is
compatible with management interfaces Netconf.
2.4
Multi-service Bearing Capabilities

ZXR10 8900E supports rich features, including full L2/L3 features, multicast, MPLS L2/L3
VPN, etc.
ZXR10 8900E supports complete L2/L3 multicast technologies, including administratively
scoped multicast, MVR, IGMP Snooping, Filtering, Proxy, Fast Leave, IGMP,PIM-DM/SM,
PIM-SSM, DVMRP and MSDP. All these features help Enterprise user to deploy
multicast applications such as video conferencing and video surveillances.
2.5
Comprehensive IPv6 Features

ZXR10 8900E supports comprehensive IPv6 features, to facilitate the migration to IPv6
network. For example, ZXR10 8900E supports all basic IPv6 features such as ICMPv6,
ND, SNMPv6, RADIUSv6; It also supports IPv6 routing protocols such as OSPFv3,
IS-ISv6, BGP4+, PIM-SM for IPv6, MLD snooping; Multiple tunnel technologies are also
supported including 6to4 tunnel, ISATAP tunnel, 6PE, etc.
2.6
Multi-Dimensional Security & Reliability

Mechanism Guarantees Ever-online Services
Security/Reliability related designs in ZXR10 8900E fall into five categories, which
are secure architecture, secure management and control, secure operating system,
secure calculation and reliable service.
Secure architecture: Redundant backup design has been put in place for the
forwarding control engines. Fast active/standby switchover is supported. Redundant
power supply module, fan module and clock module combined to make the switch
more robust. Whats more, ZXR10 8900E supports intelligent inspection, control,
warning and hot-swappable components.
Secure management and control: Independent control, monitoring and forwarding

planes guarantee superior equipment stability.
Secure operating system: ZXR10 8900E supports modular service, intelligent

function modules
Secure processing: Based upon multi-core CPU, ZXR10 8900E implements

multi-thread parallel high-performance processing to guarantee seamless
collaboration of multiple modules.
Reliable services: ZXR10 8900E supports multiple kinds of redundancy/backup

mechanisms including ZESR intelligent Ethernet smart ring, VRRP, LACP, FRR,
NSF and BFD. Service reliability can be well guaranteed.
2.7
Environment-friendly Innovations
ZXR10 8900E supports multiple environmental-friendly innovations, including

centralized power management, 5 level intelligent fan speed adjustment. All these
environmental friendly designs help cut the power consumption.
ZXR10 8900E supports dying gasp, in case there is a power failure, 8900E can still
send out an alarm to the network OAM center, to inform about the reason of the
network break down. In this way, the time to do the trouble-shooting on these kinds
of events could be minimized.
Function introduction
3.1
L2 function
3.1.1
Basic Ethernet features
3.1.1.1
MAC address management

As all forwarding tables of ZXR10 8900E are closely associated with MAC addresses,
MAC management is the most basic and most important module of Ethernet switch. It
can maintain MAC address learning and synchronization and complete the following
management function:
3.1.1.2
MAC address binding: Bind specific MAC address to switch port. After binding, do
not dynamic learn MAC, which will limit user physical location and protect important
MAC address.
MAC address filtering: After receiving the packets from source or destination MAC
address to specific MAC address, the switch discard some packets to filter some
undesired users.
MAC address number limit: Limit MAC address number of some ports to control
user number of some ports, and prevent system resources of running out when the
ports suffer from DOS attack.
MAC address freeze: Freeze some important physical ports in stable network, e.g.,
address of uplink port, so as to avoid network disconnection caused by the
infringement of key MAC address.
MAC address multi-angle display: Display and count VLAN table according to
VLAN, port, static and dynamic aspects, provide network diagnosis, and maintain
network operation.
Port mirroring
Port mirroring can automatically copy the traffic of one port to the port so that network
administrator makes real-time analysis on port traffic when he judges network issues. It
provides network administrator with a monitoring means. For ZXR10 8900E, any port can
be configured to mirroring port; the ports at different rate can mirror to each other;
many-to-one, one-to-many and many-to-many port mirroring can also be done. The
equipment supports cross-card port mirroring, and simultaneous mirroring of several
mirroring group. It supports port-based mirroring as well as flow-based and ACL-based

one-to-many, many-to-one, and many-to-many mirroring.
ZXR10 8900E can perform port mirroring in the same equipment, and remote port
mirroring in RSPAN and ERSPAN. For RSPAN, mirroring port and mirrored port may be
in different switches. In some cases, monitoring equipment and switch are physically far
away from each other, so a remote span technology is needed for monitoring. RSPAN
monitoring principle is: set RSPAN source port at source switch, configure remote VLAN,
and send it out via Reflector port to reach destination switch via intermediate switch;
configure destination port at destination switch to reach remote monitoring destination.
ERSPAN (Encapsulated Remote SPAN), another remote port mirroring technology,
adopts GRE tunnel to encapsulate service stream of source port and transport it to
remote destination switch port. In the mirroring mode, data stream can fulfill the mirroring
across L3 interface, and ordinary SPAN and RSPAN can only fulfill the mirroring across
L2 network.
3.1.1.3
Port security and protection

ZXR10 8900E supports port traffic control, broadcast storm suppression, whether to
allow jumbo frame to pass, and rate negotiation to effectively control port data traffic,
avoiding network blocking and ensuring normal operation of network services.
ZXR10 8900E can analyze line diagnosis, check whether line and line connection are
normal, and accurately locate line fault.
ZXR10 8900E can set some or all port to loop check, and not check by default. The
function can check user or switch loop of port connection to process the port so as to
avoid switch broadcast storm and limit the effect to a certain port.
ZXR10 8900E supports VLAN-based loop check. The loop check can be performed in
PVID VLAN or user-specified VLAN. One port supports the loop check of at most 8
VLANs at the same time.
The implementation principle of port loop check is that the port sends L2 multicast every
15 seconds; if there is a loop at a port, L2 multicast packet is returned to the port, thus it
can be judged that the loop is available.
3.1.2
VLAN and relative features

VLAN protocol, a basic protocol of L2 switching equipment, enables the administrator to
divide one physical LAN into several VLAN. Each VLAN has one VLAN ID which uniquely
identifies the VLAN. Several VLANs share the switching equipment and links of physical
LAN.
Each VLAN is logically like one independent LAN. All frame traffic in one VLAN is limited
to the VLAN. Cross-VLAN access is made through L3 forwarding which will improve
network performance and reduce the entire traffic in physical LAN.
VLAN reduces network broadcast storm and increases network security and centralized
management control.
ZXR10 8900E supports 802.1Q VLAN. The untagged packet can be added with VLAN
tag based on subnet, protocol and port to support a wide variety of VLAN features.
According to 802.1Q VLAN protocol, 12-bit VLAN is limit to 4096 in number, which affect
some actual applications. 8900E has four extension modes: QinQ, PVLAN, VLAN
translation, and L3-related Super VLAN.
3.1.2.1
PVLAN
Private VLAN is a mechanism that provides additional Layer 2 traffic isolation between
ports within a regular VLAN. This feature places constrains on traffic flow between
specific ports in a VLAN. For instance, in an enterprise network, client ports can
communicate with server ports, but not among each other.
Private VLAN is port based and it can be enabled through PVLAN_ENABLE field in
PORT_TABLE for each port. There are three types of private VLAN ports:
Promiscuous porta promiscuous port can communicate with all interfaces,

including the community and isolated ports within a private VLAN.
Isolated portan isolated port has complete Layer 2 separation from all other ports
within the same private VLAN except for the promiscuous ports. Private VLANs
block all traffic to isolated ports except traffic from promiscuous ports. Traffic
received from an isolated port is forwarded only to promiscuous ports.
Community portCommunity ports communicate among themselves and with the

promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces
in other communities or isolated ports within their private VLAN.
PVLAN can effectively ensure the communication security of network data. The user is
connected only to his default gateway. Without several VLAN and IP subnets, one
PVLAN can provide the connection with L2 data communication security. All users can
access PVLAN to connect default gateway without any access to other users in the
PVLAN. PVLAN ensure that the ports in one VLAN do not communicate with each other,
but the services can go through Trunk port. Thus, the users in one VLAN will not affect
each other because of service broadcast.
PVLAN does not need protocol message. It can be statically configure in ZXR10 8900E.
3.1.2.2
VLAN Translation
VLAN translation is an extension of VLAN function. If a port of the switch starts VLAN
translation, the data stream from the port must be tagged packet. VLAN translation uses
PORT plus VLAN ID in tagged packet as the index to search in MAC VLAN table and
get a new VID, then the traffic is switched in the new VLAN to translate data from one
VLAN to the other.
VLAN translation does not need protocol message. It can be statically configure in
ZXR10 8900E. It should be noticed that if VLAN translation is started, VLAN cannot be
divided based on MAC address; if VLAN is divided based on MAC address, VLAN
translation cannot be started.
In addition single tag conversion, 8900E uses VLAN translation and SVLAN to fulfill the
following functions:
1.
If the incoming packet is single tagged, be able to add outer tag according to policy,
and modify outer tags 802.1P value according to inner tags 1P value, supporting
policy-based mapping or one-to-one mapping;
2.
If the incoming packet is single tagged, be able to modify inner tag and add outer tag
according to policy, and modify inner and outer tags 1P value according to incoming
tags 1P value, supporting policy-based mapping or one-to-one mapping;
3.
If the incoming packet is double tagged, be able to delete outer tag according to
policy;
4.
If the incoming packet is double tagged, be able to delete outer tag, and modify
inner tag according to policy, and modify 1P value of the new inner tag according to
outer tag 1P value, supporting policy-based mapping or one-to-one mapping;
5.
If the incoming packet is double tagged, be able to modify outer tag according to
policy, and modify 1P value of the new outer tag based on 1P value of the incoming
outer tag, supporting policy-based mapping or one-to-one mapping;
6.
If the incoming packet is double tagged, be able to modify inner tag according to
policy, and modify 1P value of the new inner tag based on 1P value of the outer tag,
supporting policy-based mapping or one-to-one mapping;
7.
If the incoming packet is double tagged, be able to modify inner and outer tag
according to policy, and modify 1P values of the new inner and outer tags according
to 1P value of the incoming outer tag, supporting policy-based mapping or
one-to-one mapping.
8.
If the incoming packet is untagged, be able to add inner and outer tag according to
policy at one time.
3.1.2.3
Super VLAN
Super VLAN can make the hosts, which are in the same physical switching equipment
but in different virtual broadcast domains, to locate in one IPv4 subnet and use one
default gateway. In one large-scale switching LAN, the mechanism has several
advantages over the traditional IPv4 addressing system. The biggest advantage is to
save address space occupancy in IPv4 system.
Super VLAN and sub VLAN can be used to divide VLAN again. One or several sub
VLANs belong to one Super VLAN and use its default gateway IP address, namely,
aggregate several sub VLANs into one Super VLAN and use the same IP subnet and
default gateway.
Super VLAN is a software function. Ethernet ASIC chip is transparent to the function and
switches data according to software module VLAN setting. Super VLAN does not need
protocol message. It can be statically configure in ZXR10 8900E.
3.1.2.4
QinQ
QinQ with the multilayer VLAN tag stack, refers to tunnel protocol based on 802.1 Q
encapsulation. The core idea is to encapsulate private network VLAN tag to public
network VLAN tag; the message with double-layer tag goes through backbone network to
offer the user with a simple L2 VPN tunnel. QinQ, a simple and manageable protocol,
does not need protocol message. It can be statically configure in ZXR10 8900E. It is
applied to convergence-layer switch which can use QinQ (with double tags) to increase
VLAN number in metro network.
In ZXR10 8900E software system, QinQ software functional module statically configures
QinQ, and then correctly set the chip. QinQ VLAN consists of the following types:
SVLAN (Service VLAN): The VLAN defined in backbone network;
CVLAN (Customers VLAN): User-defined VLAN.
QinQ software functional module adds an attribute to the VLAN table. The attribute
indicates that the VLAN is SVLAN or CVLAN, and drive interface function at the lower
layer to set the QinQ function of the interface.
Ordinary QinQ only adds one outer tag to the datagram of a port, which greatly limits
networking flexibility. For the flow received from one port, SVLAN (Selective VLAN) can
selectively add different outer tag based on different inner tag according to user
demands.
With Selective VLAN, service providers can use a unique VLAN (called a service-provider
VLAN ID, or SP-VLAN ID) to support customers who have multiple VLANs, which offers
the multipoint-to-multipoint virtual LAN transparent transport and a simple L2 VPN tunnel.
Customer VLAN IDs (CE-VLAN IDs) are preserved and traffic from different customers is
10
segregated within the service-provider infrastructure even when they appear to be on the
same VLAN. Selective VLAN expand the VLAN space by using a VLAN-in-VLAN
hierarchy. The VLAN number can extend to 4094*4094. Another layer of 802.1Q tag
(SP-VLAN ID) is added to the 802.1Q-tagged (CE-VLAN ID) packets that enter the
service-provider network.
Some service streams require SVLAN also supports the transparent transport of VLAN
service that the packet passes the switch without any interference, namely, the number
and value of the tags remain unchanged.
SVLAN can work with VLAN translation to flexibly process both inner and outer tags. For
details, refer to the chapter VLAN translation. In addition, SVLAN can fulfill the 802.1P
CoS priority mapping of outer tag and inner tag.
ZXR10 8900E supports traditional SVLAN configuration and VFP-based SVLAN
configuration. The latter can add the tags based on traffic type.
3.1.3
Link aggregation
Link aggregation means that physical links with the same transport medium and transport
rate are bound and logically look like a link. Link aggregation greatly increases the
bandwidth of peer physical links between switches or between switch and server.
Therefore, it is an important technology to increase link bandwidth and create link
transmission
resilience
and
redundancy.
Link
aggregation
can
create
several-multiple-gigabit connection in GE, and logic link with faster transport in FE.
Meanwhile, link aggregation has good protection. When a fault occurs, the traffic in the
trouble links will switch quickly to normal links of the aggregation. Link aggregation can
increase the bandwidth and share traffic load.
ZXR10 8900E supports static and dynamic link aggregation of FE, GE, and 10G ports as
well as cross-card and cross-equipment link aggregation. Logic port from ZXR10 8900E
link aggregation is called smart group which can work as ordinary port.
3.1.3.1
Static aggregation
Static Trunk can manually add several physical ports into Trunk group to form one logic
port, but it is difficult to observe the status of link aggregation port.
ZXR10 8900E configures link aggregation functions according to the following principle
which is also applied to LACP:
128 Trunk groups can be configured, and each Trunk group includes at most 8
member ports.
Support cross-interface board aggregation. Member ports may be in any interface

board, but the selected port must work in the full-duplex mode, and working rates
must be consistent.
11
3.1.3.2
Member port may adopt the access, trunk or hybrid mode, which must be
consistent.
LACP
LACP (Link Aggregation Control Protocol) follows IEEE 802.3ad. LACP dynamic
aggregates several physical ports to Trunk group for one smart group port. LACP
automatically aggregates to obtain the maximum bandwidth. LACP supports static
aggregation and dynamic aggregation. Static LACP aggregation is manually configured,
and dynamic LACP aggregation dynamically adds the port to aggregation group.
ZXR10 8900E supports smart group parameter configuration, and share traffic load
according to the following modes (It can also be applied to static aggregation).
Source MAC address, VLAN, Ethernet type, and ingress port;
Destination MAC address, VLAN, Ethernet type, and ingress port;
Source and destination MAC address, VLAN, Ethernet type, and ingress port;
Source IP address, source TCP or UDP port;
Destination IP address, destination TCP or UDP port;
Source and destination IP address, and source and destination TCP or UDP port.
8900E also supports global mode, namely, share the load in one smart-group according
to the parameters of protocol messages of IPv4, IPv6, MPLS L2 VPN and MPLS L3 VPN
to distribute the traffic equably in the smart-group.
3.1.3.3
MC-ELAM
8900E support inter-card and intra-card link aggregation as well as MC-ELAM
Multi-Chassis Ethernet Link Aggregation Manager whose working principle is shown
as follows:
12
Figure 3-1
MC-ELAM structure
Normally, only half of the links from CE to PE1 and PE2 are aggregated successfully. As
shown in the above figure, the successfully aggregated link from CE to PE1 is active link;
the non-aggregated link from CE to PE2 is standby link; data stream is forwarded via
active link. When active aggregation equipment PE1 goes wrong, PE2 will release the
MC-ELAM control protocol signal of PE1 to process the LACP forwarding between PE2
and CE. When active equipment or active aggregation equipment returns to normal,
MC-ELAM control protocol will recover the forwarding process. MC-ELAM can access the
dual-uplink access network to increase network redundancy.
3.1.4
Spanning tree
3.1.4.1
STP
STP detects and clears the loop between L2 switching functional units, and provides
redundancy link to improve LAN performance and reliability.
STP module has the following major functions:
Avoid network loop, prevent LAN broadcast storm, and offer redundant path.
Detect topology change and reconfigure STP topology accordingly.
After the switch in one subnet executes STP algorithm, one STP dynamic topology is
formed. The topology prevents the loop between any two workstations in LAN to avoid
LAN broadcast storm. Meanwhile, STP algorithm monitors topology change, create the
new spanning tree after the change, and reconfigure spanning tree topology with fault
tolerance. The switch maintains and updates MAC route table according to the status of
STP dynamic topology, and finally gains the MAC-layer route.
STP algorithm aims to enable the switch to dynamically discover a no-loop subset (tree)
in topology and assure adequate connectivity so that a path is available between every
two LAN if the physical conditions allows. According to the principle in the figure, any line
13
including node and connection node has one spanning tree which has good destination
connectivity and can avoid network cycling. Therefore, spanning tree algorithm and
protocol can avoid network loop in any dynamic topology and clear the loop between any
two stations.
As IEEE802.1s-defined MSTP is compatible with existing IEEE802.1w-defined RSTP
and IEEE802.1D-defined ordinary STP, STP software module is only required to support
MSTP. When started, MSTP can forcedly work as RSTP or STP to support STP and
RSTP mixed networking. And it can start STP in aggregation link and support port-based
enabling STP protocol.
ZXR10 8900E supports STP, RSTP and MSTP, and their mixed networking.
3.1.4.2
RSTP
RSTP (Rapid Spanning Tree Protocol), the STP upgrade version, follows IEEE 802.1w.
RSTP provide the fast port switching mechanism and shorten network convergence time.
RSTP has the following defects:
3.1.4.3
The entire switching network has only one spanning tree. Large network has slow
convergence and network topology change will have a great effect.
IEEE 802.1q is the switch connection standard protocol. In symmetrical connection

(in VLAN, the connected ports between switches has the same trunk), one spanning
tree has no influence on data forwarding between switches. However, in the
asymmetrical connection, the connected ports between switches are blocked by
RSTP, which will affect the connectivity and waste the bandwidth.
MSTP
MSTP (Multiple-instance Spanning Tree Protocol), developed based on STP/RSTP,
follows IEEE 802.1s. MSTP divides switching networks into several zones, and several
STP instances run in one zone. VLAN is translated to instance in M: 1 mode (bind several
VLANs to one instance), thus each VLAN is transformed into a tree network to avoid the
loop.
MSTP has the following advantages:
14
In single VLAN, STP supports rapid convergence.
As MSTP structure spanning tree through VLAN and does not block inter-switch
connection port, the load will be shared.
M: 1 mapping reduces switch resource utilization rate.
MSTP is compatible with STP/RSTP to make network deployment simpler.
3.1.5
L2 multicast
After the router forwards multicast traffic, in the network, Ethernet switch forwards
multicast traffic to multicast user. Traditional switch usually broadcasts the multicast
traffic , which wastes network bandwidth, cause broadcast storm and affect normal
service. Therefore the switch needs to support L2 multicast so as to join and leave
multicast group according to multicast user status and dynamically maintain multicast
group.
3.1.5.1
IGMP Snoooping
ZXR10 8900E supports the L2 multicast technology IGMP Snooping to manage multicast
group members, suppress L2 network multicast flooding, and prevent unauthorized user
from receiving multicast traffic. By snooping IGMP message in the communication
between user and router, IGMP Snooping maintains the correspondence relation
between multicast address and VLAN correspondence table. It maps the members of
one multicast group to one VLAN, and forwards the received multicast packet only to the
VLAN members of the multicast group. IGMP Snooping and IGMP protocol are both used
for multicast group management and control, and both employ IGMP message. What is
different is that IGMP protocol runs on network layer and IGMP Snooping on link layer.
When the switch receives IGMP message, IGMP Snooping analyzes the information of
IGMP message and create and maintain L2 MAC multicast address table.
When ZXR10 8900E starts IGMP Snooping, multicast message performs L2 multicast;
when 8900E does not start IGMP Snooping, multicast message performs L2 broadcast.
8900E also support MLDv1/v2 snooping for smooth transition from IPv4 to IPv6.
3.1.5.2
IGMP Proxy
In some network topologies, IGMP proxy technology does not run multicast route
protocol, but learns the multicast member and makes simple multicast forwarding
according to the registered for multicast distribution. IGMP proxy supports host interface
and router interface. Host interface (also known as uplink interface) points to root node of
distribution tree, namely, uplink to multicast router. The interface runs the host function
rather than IGMP. When receiving IGMP query packet, host interface sends IGMP
member report. Multicast joining or leaving packet is sent to the connected router when
member database changes. Host interface also forwards the received multicast packet
according to member database. Router interface (downlink interface) deviates from root
node and downlinks to user host. The interface runs IGMP protocol to register, query and
delete downlink user group members. It receives member reports, creates and modifies
one member form, sends query packet, queries whether the host leaves its group, and
uplinks and downlinks the forwarded and received multicast packet according to the
registered multicast member database.
IGMP Proxy and IGMP Snooping have the same function but different mechanism:
IGMP Snooping looks into IGMP message to get relative information, and IGMP Proxy
15
intercepts and processes IGMP request of terminal user and then forwards it to
upper-level router.
3.1.6
L2PT
In QinQ VPN mode, if VPN uses locating at different places want to initiate their L2
protocol for example, STP, LACP, ZDP, they need to use core network to transfer these
L2 protocol messages transparently, and these messages with preserved MAC address
for bridge cannot process transparent transmission normally. L2PT (layer 2 protocol
transportation) solves this problem, so it is widely used to transfer user network L2
protocol message in QinQ VPN.
L2PT networking is as shown in the following figure.
Edge Switches: It locating at the edge of operator network connects customer

network equipment.
Layer 2 protocol transportation port: On port of Edge Switch. The encapsulation of

L2 protocol message.
Transportation PDU: Encapsulated protocol message, for example ZDP, STP and
LACP, etc.
Figure 3-2
L2TP Networking
On the port without initiated L2PT, L2 protocol messages STPZDPLACPinstead

of being forwarded is either discarded or sent up for protocol processing, which will cause
several blocked stp domains in customer network as per different locations, so that the
entire customer VPN cannot run an integrated STP topology. L2PT transfer BPDU
message transparently in VPN, which helps customers to supply the gap.
The received L2 protocol messages will be encapsulated at the transportation port of
edge switch, then broadcast the encapsulated messages. Initiate remote transportation
switch port to encapsulate these messages.
16
The message encapsulation and de-capsulation can be done by changing message MAC
address.
3.2
L3 function
3.2.1
IPv4 route protocol
3.2.1.1
RIP
RIP protocol is based on the vector distance routing algorithm of local network. It
employs UDP packet to switch RIP route information, and the protocol packet to be
transported is encapsulated into UDP packet. The route information in RIP message
includes the number of the nodes on the route, namely, hop number. Route node decides
the route to destination networks according to the hop number. RFC requires that the hop
number is not more than 16, which is applied to internal gateway in small-scale
autonomous system.
ZXR10 8900E RIP has the following functions:
3.2.1.2
Transmit and receive RIP message according to the protocol, check message
correctness and verify its identification.
Support RIPV1/V2, plain text authentication and MD5 authentication, and route
reallocation.
Route loop generation and route convergence acceleration adopt split-horizon and
trigger updates technology.
Support protocol DEBUG.
OSPF
OSPF is the IETF-developed internal gateway protocol (IGP) based on link status and
SPF algorithm. OSPF can converge routing table in a short time, and prevent loop, which
is vital to mesh networks or different LANs connected via several bridges. Each
equipment running OSPF maintains one unified database describing autonomous system
topology structure. The database includes such information as partial status of each
equipment, e.g., available interfaces and neighbors, connected network status and
external route of autonomous system. OSPF uses link status algorithm to calculate the
shortest path from each area to all destinations. When the equipment works or any route
changes, the equipment configured with OSPF diffuses LSA to all equipments in one
area. LSA includes link status and neighbor association information of the equipment.
The information from LSA forms link status database. All equipments in the area use one
specific database to describe topology structure in the area.
17
ZXR10 8900E OSPF has the following functions:
3.2.1.3
Adopt layered network topology structure which is suitable for enormous

interconnected network.
Use dynamic route algorithm. Route calculation adopts Dijiksra algorithm to

automatically follow network topology structure change at a quick rate;
Support display and configuration command from primary console as well as

SNMP-related command, display and MIB variable.
Support route protocol packet authentication, including simple password validation

and MD5 authentication, and prevent route protocol packet from illegal modification.
Adopt the retransmission and confirmation mechanism to assure the reliability of link
status synchronization.
Support different distance measurement solutions, e.g., physical distance, delay,

throughput, etc.
Support STUB AREA and NSSA functions.
Support domain boundary and autonomous system boundary router.
Support classless route and route aggregation.
Use Route-Map to control route reallocation and filtering.
IS-IS
IS-IS route protocol, the representation of router OSI model, is used for TCP/IP-based IP
network. It can easily perform the extension, mainly IPv6. IS-IS system consists of two
layers: backbone layer (L2) and area layer (L1). One router is in only one area. L1 router
only knows the topology in its area. All traffic to other areas is sent to the nearest L2
router. L2 router must form the backbone, similar to OSPF backbone area 0.
ZXR10 8900E IS-IS protocol has the following functions::
18
Support L1 and L2 address aggregation.
Support L1 and L2 hierarchical routes and ATT identity.
Support 3-area address and smooth area address migration.
Support load balance to one destination.
Support plain text authentication of interface and area.
3.2.1.4
BGP
BGP, an external gateway protocol, switches no-loop route information between
autonomous systems. The information has many attributes to create autonomous system
topology, carry out route policy based on autonomous system. The path reachable
information with autonomous system sequence attribute can clear route loop.
Autonomous system is the collection of routers and terminals which locate in one
management control domain, are treated as single entity, and control route table
extension through BGP classless inter-domain routing. BGP-4 also introduces the
mechanism to support route aggregation, including AS path aggregation. BGP is
designed to use autonomous system to provide one structural view of Internet. The
Internet is divided into several autonomous systems to create one large network which
composed of small, easily manageable networks. These small networks adopt their own
rules and management policies.
ZXR10 8900E BGP has the following functions:
3.2.1.5
Suitable for enormous networks, e.g., backbone network.
Support EBGP and IBGP.
Support EBGP multi-hop technology.
Support group attributes and route reflector.
Support AS ally and route turbulence suppression.
Support MP-BGP;
Support MD5 authentication and route filtering;
Support route reallocation.
Policy routing
Traditional routing policy performs route forwarding according to the route table
generated by routing protocol or static route. However, in some applications, the users
have some special requirements for routing. Traditional routing policy can only perform
forwarding by destination address. This indiscriminating forwarding mechanism cannot
meet the requirements of increasingly complicated network services.
Compared with traditional routing, policy routing provides more flexible message
forwarding and route control capability. The network management users can not only
perform route forwarding by destination address but also can select other forwarding
paths according to protocol type, message size, application, IP source address and other
conditions. Policy-based routing is more beneficial for network traffic distribution and QoS
improvement. Policy routing means to match certain feature values in IP data packet
according to the policy set by the network management user. Those that match the
19
condition are forwarded according to the route specified by the policy; those that fail to
match are forwarded according to traditional route table.
ZXR10 8900E series realizes ACL-based policy routing.
In addition to policy routing, ZXR10 8900E series also provides policy routing backup
function.
The switch uses Redirect command to realize policy routing function based on ACL. For
one ACL rule, the route can only be redirected to a next-hop address. When this next-hop
address has any problem, the corresponding policy routing will also fail. When the switch
has multiple egresses, policy routing backup (PBR BACKUP) function can be realized by
configuring Redirect to multiple next-hop addresses, so that when the active link is faulty,
the route can be automatically switched to the backup next-hop address.
3.2.2
Ipv6 Routing
ZXR10 8900E supports the following IPv6 unicast route features:
3.2.3
Support IPv6 neighbor discovery protocol, which realizes the functions of router and
prefix discovery, address resolution, next-hop address determination, neighbor
unreachable test and repeated address test and which can better support the
mobility of nodes.
Support IPv6 path MTU discovery protocol, which can discover the maximum
transmission unit of the path so as to make sure the message size sent by the node
does not exceed the MTU value of the path.
Support IPv6 static route.
Support IPv6-based dynamic routing protocols RIPng, OSPFv3, ISISv6 and BGP4+.
IPv4/IPv6 Transition
ZXR10 8900E provides a number of transitional mechanisms for conversion from Ipv4
network to Ipv6 network, including double stack technology and various tunnel
technologies that are applicable to different environments:
20
Support IPv4/IPv6 double protocol stack. Double stack technology can completely
solve the coexistence problem of IPv4/IPv6, but is only effective when the
equipment in the whole network supports double stack. Therefore, it has high
requirement for IPv4 network reform. It should be noted that the double stack
technology is the foundation of all the tunnel mechanisms below.
Support manually configured IPv6 tunnel. Manual tunnel technology is simple,

mature and stable, but has high management overhead and poor expandability. It is
applicable to be used in connection between two stable unchangeable IPv6

subnets.
Support 6to4 tunnel. The 6to4 technology uses special IPv6 address prefix to
automatically construct tunnel for interconnection of IPv6 network. This mechanism
consumes very few IPv4 addresses; one IPv6 subnet only needs one public IPv4
address, so it is applicable to interconnection between multiple IPv6 subnets.
However, the disadvantage of 6to4 technology is that it must use IPv6 address in
specific format, namely, 6to4 address.
Support ISATAP tunnel. ISATAP realizes interworking of IPv6 hosts by establishing

tunnels, mainly used for interconnection between ISATAP hosts and ISATAP
routers and between ISATAP hosts through IPv4 cloud. ISATAP tunnel is used
inside a site without crossing domains, so it is especially applicable to IPv6
transitional scheme of campus area network, which can enable the customer to
immediately realize communication of IPv6 network and can gradually develop to
complete IPv6 network. ISATAP hosts inside the area can access external IPv6
networks via ISATAP router.
Support IPv6 Provider Edge Router (6PE) over MPLS. The 6PE technology is
generally deployed in the environment where MPLS network is running or ready to
run. Ipv6 messages are encapsulated at PE side and double tag is used. The
internal tag carries Ipv6 route reachable information; the external tag uses the
existing MPLS tag to interconnect with Ipv6 isolated island network via switching
channel LSP. 6PE router is double stack router, so it can directly connect with the v4
network of Ipv4 protocol, which is convenient for the situation of v4/v6 coexistence,
and it is unnecessary to reform P.
3.2.4
L3 Multicast
3.2.4.1
L3 Multicast Protocol
L3 multicast protocol includes multicast group management protocol and multicast
routing protocol.
1.
Multicast group management protocol
Multicast group management protocol runs between the host and L3 equipment and is
used to establish the relationship between group members in associated network
segments, that is, which multicast group members are under different ports. At present,
the multicast group management protocol is mainly realized by IGMP (Internet Group
Management Protocol) and MLD (Multicast Listener Discovery Protocol).
i.
IGMP is the Internet group management protocol in Ipv4 network. The major
versions used currently are IGMPv2 and IGMPv3. A new function is added to
21
IGMPv3 that the member can specify to receive or reject the messages from
some multicast sources to support SSM model.
ii.
2.
MLD protocol is used for Ipv6 router to discover multicast listener in its
associated network segments. MLD is divided to MLDv1 and MLDv2. The
principle of MLDv1 is similar to IGMPv2 and that of MLDv2 is similar to
IGMPv3.
cast routing protocol
Multicast routing protocol runs between layer 3 multicast equipments, used to establish
and maintain multicast router and forward multicast data packets correctly and efficiently.
IP multicast routing technology realizes efficient P2MP(point 2 multiple point) data
transmission in IP network; it can effectively save network bandwidth and reduce network
load. Therefore, IP multicast routing technology is widely used in resource discovery,
multimedia conference, data copying, real-time data transmission, game and emulation.
Multicast routing protocol is divided to intra-domain protocol and inter-domain protocol.
Inter-domain protocols include MBGP (Multicast BGP) and MSDP (Multicast Source
Discovery Protocol), and intra-domain protocol includes PIM (Protocol Independent
Multicast). Intra-domain protocol is generally divided to two classes: sparse mode
multicast routing protocol including PIM-SM (Sparse Mode) and dense mode multicast
routing protocol including PIM-DM (Dense Mode). The most useful multicast protocol now
is PIM-SM.
PIM-SM constructs the shared tree using the mechanism of multicast destination explicit
join to perform multicast data packet distribution. In certain conditions, the destination
can be switched to the shortest path tree. PIM-SM is irrelevant to unicast routing protocol.
It uses unicast route table to perform RPF check but not depend on any specific unicast
routing protocol. PIM-SM is more suitable for the multicast network that has potential
multicast group members at the end of WAN link. Besides, PIM-SM allows to use SPT,
and thus reduces network delay brought about by share tree and improves the efficiency.
Therefore, PIM-SM is generally the best choice of multicast routing protocol in multicast
network domain.
3.
Multicast model
According to the processing mode of multicast source by the receiver, multicast can be
divided to the following two models.
22
i.
ASM (Any Source Multicast) model: In ASM model, any sender can send
multicast information to a multicast group address as the multicast source; the
receiver obtains the multicast information by joining the multicast group with
the tag of this multicast group address. The receiver cannot know the location
of the multicast source, but can join or leave the multicast group at any time.
ii.
SSM (Source Specific Multicast) model: SSM provides the users with a
transmission service in which they can specify the multicast source at the
client, meeting the requirement of the users when they are only interested in
the multicast information sent form some multicast sources and do not want to
receive information from other sources. SSM model directly builds the shortest
path tree between the multicast source and multicast data receiver, which is
highly efficient.
For ASM model, intra-domain and inter-domain multicast routing protocols are different.
Intra-domain protocol is mainly PIM protocol and inter-domain protocol uses MSDP and
MBGP protocols. For SSM model, there is no difference between intra-domain and
inter-domain protocols. As the receiver knows the location of the multicast source in
advance, multicast information can be transmitted by channel construction via PIM-SSM
protocol. Meanwhile, SSM model also needs the support of IGMPv3.
ZXR10 8900E, supporting IGMPv2, IGMPv3 and MLDv1/v2, IPv4 PIM-DM and
IPv4/v6-based PIM-SM and PIM-SSM, can provide complete multicast solutions. Besides,
to provide enhanced and more reliable multicast services and guarantee the provisioning
and operation of multicast services, 8900E also supports Multicast route guard and
anycast RP functions.
Multicast route guard can prevent unauthorized connection of multicast servers.
Designating a port as the multicast router port can allow multicast router control
messages to pass, otherwise they are discarded.
In multicast network, the existence of a single RP may become the bottleneck or Single
point of failure may occur. Anycast RP is to set multiple RPs with the same address in the
same PIM-SM domain and establish MSDP peer relation between these RPs. The
receiver originates RPT join to the nearest RP; the multicast originates registration to the
nearest RP; each RP only maintains part source/group information in PIM-SM domain
but it will exchange registration information via MSDP with other RPs. When one RP is
faulty, the new registration multicast source and the joined multicast receiver will
automatically select another near RP to perform registration and joining. Anycast RP
ensures new multicast data stream can be established between the new multicast source
and receiver at any time to realize RP load balance and backup.
3.2.5
Controllable Multicast
IPTV (Internet Protocol Television), also called network television, is a service using IP
broadband network integrated with Internet, multimedia and telecommunication
technologies to provide interactive services like live TV, video on demand and online
browsing. It transmits stream media files or service control requests on the basis of IP
and completes demand and playing of the programs. The user terminals can be IP
set-top box + television or PC.
From network implementation, IPTV can be regarded as a specific application of
controllable multicast technology. Traditional multicast technology cannot control
unauthorized multicast services and thus cannot meet the controllable and manageable
requirements of telecommunication operators. Controllable multicast technology adds
23
multicast control policy to original multicast technology and so realizes control on

accessed multicast services.
ZXR10 8900E series switches support complete controllable multicast features. By
supporting the functions including IGMP V1/V2/V3, IGMP Snooping, IGMP Proxy, IGMP
Fast-leave, multicast VLAN, CAC (Channel Access Control) and CDR (Call Detail
Record), they can realize precise control on multicast users.
In commercial IPTV network, controllable multicast technology integrated with current
network authentication technology can realize user access authentication and user
multicast authentication, enabling controllable multicast service access. CAC, CDR
together with SMS system can provide multicast service management and control
capability for users, facilitating the users to provide IPTV service. Multicast VLAN
together with QoS provides complete multicast data stream control measures from
multicast source to the receiver, effectively ensuring multicast quality. IGMP Snooping
technology can record multicast data transmission from the multicast source, traffic and
destination address. IGMP fastleave can strictly control and record a specific receiver
joining and leaving a specific multicast group to enhance multicast management
capability and provide technical support for IPTV billing. Multicast VLAN and IGMP
Snooping can prevent flooding of multicast messages in L2 network, isolate multicast
users and guarantee multicast information security.
Besides, the equipment provides the following controllable multicast management
functions to facilitate users to perform management on IPTV channel and subscribers,
including channel access control, channel management, suite management, preview
configuration function, preview template management, CDR function and unified network
management via MIB.
The procedure of IPTV user access control is generally as follows:
24
1.
IPTV users have four kinds of rights: view, preview, query and reject.
2.
The operator creates static channel table or suite table (can be regarded as
multicast group), creates static port principle (CAC) table, and applies the channel or
suite to the principle. In this way, the view function of some channels, preview
function of some channels and query function of some channels are enabled on the
port.
3.
The user client sends a message to report, leave or query a multicast channel of
IGMP from the local port; IPTV module searches the matching CAC principle
according to the users port and VLAN and authenticates the rights of the channel
applied for by the user. The authentication method is to search the channel rights
(view, preview, query, reject) that has been configured in the principle and return the
result to IGMP Snooping for further processing. The processing methods of IGMP
Snooping for different rights are as follows to make the IPTV service management
controllable in the network layer: view and preview right: add the users port in the
multicast forwarding table; query right: broadcast the query message in the users
VLAN.
4.
When the use leaves this channel (multicast group), IGMP fastleave will delete the
user from the multicast group to avoid illegal receiving; at the same time the system
outputs user CDR to SMS system to realize billing management.
The controllable multicast technology provided by ZXR10 8900E series switches enables
the operator to control multicast services precisely, perform overall management on the
users and realize flexible provisioning of IPTV service.
3.2.6
MCE
In traditional MPLS VPN model, VPN access is provided by PE equipment and user
isolation is performed on PE equipment. The present MPLS VPN model is a plane model,
so no matter the PE equipment is located at which layer of the network, the requirements
for its performance is the same. The routes aggregate layer by layer, even when PE
extends to the edge direction, more routes need be maintained; while typical network is
core-aggregation-access three-layer model, in which the equipment performance
degrades sequentially and the network scale expands sequentially. This brings much
difficulty for PE equipment to extend to the network edge. Besides, when VPN users are
far away from PE, they need be linked by WAN links, whose number should be at least
the same as the number of VPN users. Using routers to access users nearby and
connecting them to PE via a WAN link after aggregation can save the cost and improve
bandwidth utilization rate, but different VPN users should be distinguished on this WAN
link.
MCE (Multi-VRF CE) technology extends the capability of CE and enables it to have VRF
function. The equipment with this function is called MCE equipment. In networking,
multiple MCEs together with PE are used to form a distributed PE. MCE enable multiple
VPN users to share one CE device and at the same time isolates different users, solving
the contradiction between security and cost. User data stream is terminated at MCE,
avoiding adverse effects of broadcast stream on PE equipment. Generally speaking,
MCE is a technology to realize multiple VPN users sharing one CE device in local area
network and sharing the links between this CE device and PE device. MCE can realize
total isolation between different services in transmission, solve the security problem of
traditional local area network with low cost and largely satisfy the customers
requirements.
Figure 3-3
Architecture of MCE
25
As shown in Figure 3-3, the characteristic of MCE technology is that it changes VPN
access from PE to CE.
Multiple VRFs are configured on MCE, corresponding to multiple VPN sites. Each VRF
needs an uplink interface to connect with PE; the same VRF is configured on the
corresponding interface of PE. As MCE does not need to support MPLS, between MCE
and PC equipment are ordinary data packets without MPLS label. This is different from
layered PE. There is a layer of MPLS label between layered PEs. Therefore, VPN traffic
can only be differentiated by the interfaces on PE. This means the number of VPN
interfaces PE correspond to should be equal to the number of VPNs MCE supports
(same configuration as PE supporting L3 VPN). A CE with MCE feature actually
simulates multiples CEs. The virtual CEs are isolated from each other and can be
accessed with multiple VPN users. PE equipment cannot sense whether this is multiple
CEs or one MCE, so PE needs no expansion.
3.3
MPLS VPN
3.3.1
Basic Functions of MPLS

MPLS is a multi-layer switching technology integrating L2 switching and L3 routing
technologies and using label as the means to aggregate and forward information. It runs
in route layer architecture, supports multiple upper-layer protocols and can be realized in
various physical platforms.
Labels are just like the zip codes of letters. Zip codes are encoded numbers for the
destination addresses of letters and some special requirements (such as QoS, CoS and
management information) which enable faster and more effective letter processing and
speed up the routing process of the letters to reach the destination. The basic concept of
label switching is label distribution, namely, binding of the label and network layer route.
26
The basic routing mode of MPLS is hop-by-hop routing, which allows simpler forwarding
mechanism than data packets and can realize faster routing. As it uses universal method
of label distribution and universal routing protocol on various media (such as packet, cell
and frame), MPLS supports highly efficient and widely applicable specific routing (such
as QoS routing) and universal traffic engineering method as well as other operation
methods. Using LDP (label distribution protocol), its core protocol, together with standard
network layer routing protocol, MPLS distributes label information among the devices in
the MPLS network in the connectionless working mode. MPLS can also use
connection-oriented working mode, namely, signaling protocol to establish specific routes
for multimedia services that need long time and QoS support. Besides, MPLS can use
the working mode of resource reservation without specific connection, namely, RSVP
and RSVP-LSP-TUNNEL protocols, mainly in traffic engineering. The extended protocol
of LDP, CRLDP can be used to implement some routes with specific paths.
The working principle of MPLS network is as shown in Figure 3-4. From the figure, the
core components of an MPLS network are: Label Edge Switch Router (LER) and Label
Switch Router (LSR). Through label distribution protocol (LDP), label information is
distributed between LER and LSR and between LSR and LSR. Network routing
information comes from some common routing protocols, such as OSPF. The system
determines how to establish the label switching path (LSP) according to the routing
information. When a packet enters LER, the ingress LER determines the LSR to the
destination by searching the route table according to the input packet header, inserts the
corresponding label of the LSP to the packet header and then outputs the packet to the
path identified by the label. The network nodes perform label switching forwarding
completely depending on the packet label without searching the route table. The egress
LER forwards the packet to the destination according to certain principles.
Figure 3-4
MPLS working principle

LDP
IP Route processing
LSR
LSR
Ingress
LER
LDP
LDP
In
Egress
LER
Out
In
Out
In
Out
In
Out
Generally the structure of MPLS header is as shown in Figure 3-5, including 20-bit label,
3-bit EXP, commonly used for CoS, 1-bit S, used to identify whether this MPLS label is
the bottom layer label, and 8-bit TTL (Time To Live).
27
Figure 3-5
MPLS header structure
MPLS decides forwarding by label. A label is a 20-bit identifier, only having local effect in
one hop link. What is identified by a label is a group of packets called Forwarding
Equivalence Class (FEC), which can be all packets to the same destination address
prefix or can be introduced with QoS to make the packets having the same service quality
requirements belong to the same FEC. The packets belonging to the same FEC are
forwarded according to the same forwarding policy.
When a packet without a label enters an MPLS domain, the edge LSR will analyze the
destination address carried in the header, class this packet to an FEC according to QoS
requirement, add the corresponding label of this FEC to the packet and then forward it to
the next hop. The intermediate LSR maintains a table of mapping relations between
incoming label, outgoing label and forwarding direction. When receiving a packet with a
label, it will search the mapping relation table by the incoming label carried by the packet
to obtain the outgoing label and forwarding direction, replace the incoming label with the
effective outgoing label and then send it to the next hop. When the packet leaves the
MPLS domain, the label will be deleted at the edge LSR, turn back to a packet without
label and be sent to the next hop.
In forwarding, the label can be processed in the form of stack. The label value at the top
of the label stack is the effective label, and LSR forwards packets by the top label of the
stack. When a packet enters an MPLS domain, a label is pushed in the label stack
occupying the top of the stack; at this time the stack depth increases by 1. The LSR in
this MPLS domain only checks and replaces the top label and ignores the other labels.
When the packet leaves the MPLS domain, POP operation is performed, and the label
stack turns back to the original depth before entering the MPLS domain. The packet
without label can be regarded as empty label stack; adding label to it when it first enters
MPLS network environment can also be regarded as PUSH operation. In this way, MPLS
can easily realize layered network. The depth of label stack indicates the network layer:
when the packet passes a tunnel or a lower-level MPLS network, the depth of the label
stack will increase; on the contrary, when the packet returns to the upper-level network,
the depth decreases.
At present ZXR10 8900E series provides complete MPLS protocol with the major
functions as below:
28
3.3.2
Support LDP and RSVP protocols;
Support TTL value decreasing, loop test, policy management and pop up at the last
but one hop;
Support downstream independent label distribution mode and free label reservation
mode;
Support fast rerouting of LSP and establishment of RSVP-LSP.
MPLS TE
Network congestion is a major problem that affects backbone network performance. The
reason of congestion may be insufficient network resource or unbalanced network
resource load which leads to local congestion. Traditional routing with shortest path first
will cause unbalanced distribution of network traffic, that is, when a path is congested, the
traffic will not be switched to other paths. With the expansion of network scale and
development of network services, the customers have increasingly higher requirements
for service quality; the problem of traditional routing is thoroughly exposed. TE (Traffic
Engineering) is just to solve the congestion caused by unbalanced load. MPLS TE is a
technology integrating traffic engineering with MPLS. By MPLS TE, the service provider
can precisely control the path of the traffic, so as to avoid the congested node, solving the
problem of some paths being overloaded and some paths being idle and making full use
of the current bandwidth resource. At the same time, MPLS TE can reserve resource
when establishing LSP tunnel to guarantee service quality.
MPLS TE creates link bandwidth resource database in the nodes of the MPLS network
via OSPF TE or IS-IS TE, calculates tunnel creation path by CSPF algorithm according to
link bandwidth resource database and tunnel restriction conditions, and finally creates TE
tunnel using RSVP-TE signaling protocol in the path calculated by CSPF algorithm.
RSVP (Resource Reservation Protocol) is a TCP/IP based transport layer protocol. By
RSVP, the host can apply for specific QoS to the network, providing secure data stream
services for specific services, and meanwhile reserve resource on the router nodes
where the data stream passes and keep this status until the service releases
corresponding resource. RSVP-TE protocol, an extended protocol of RSVP, can carry
parameters including bandwidth, some specific routes and color, create the LSP that
meets the restriction conditions according to traffic engineering route calculation and
complete link backup, node backup and load balance functions.
ZXR10 8900E supports MPLS TE-related technology and can provide the following
features:
MPLS TE provides non-IGP shortest path first IP packet forwarding capability,

which can effectively avoid network congestion caused by unbalanced network
traffic by planning network resource reasonably.
29
3.3.3
MPLS TE provides bandwidth guarantee for traffic. Bandwidth reservation, priority

definition and bandwidth preemption mechanisms are introduced for key traffic. It
can ensure the transmission traffic will not be discarded because the link bandwidth
is insufficient.
MPLS TE can also guarantee stable and reliable transmission of network traffic:
when the link or transmission node fails, fast link switching can be achieved via
MPLS TE FRR and MPLS TE tunnel backup technology. Besides, it also supports
LSP full path protection and thus can largely reduce the impact on the traffic.
Support MPLS VPN over TE; provide LDP over RSVP; TE tunnel provides
bandwidth guarantee and isolation for MPLS VPN service.
MPLS L2 VPN
MPLS L2 VPN can be divided into two classes. The first is called VPWS (Virtual Private
Wire Service), which realizes communication between the sites in VPN by point-to-point
connection. This mode is mostly used for users using ATM and FR connection. The
connection between the users and network provider are not easy to be maintained, but
the services are transmitted on the IP backbone network of the network provider after
encapsulation. The second is called VPLS (Virtual Private LAN Service). The operators
network emulates the function of LAN SWITCH or bridge, connecting all LANs of the
users to form a simple bridge LAN. The major difference of VPLS and VPWS is that
VPWS only provides point-to-point service while VPLS provides point-to-multipoint
service. That is, the CE device in VPWS selects a virtual line and sends the data to a
user site; the CE device in VPLS only simply sends the data to all destinations to the PE
devices connected to it.
Figure 3-6
Basic VPWS network model
The most direct way to create L2 VPN is to create VC between CP and PE, and the
operators network uses LSP of MPLS to bear these connections, as shown in Figure 3-6.
MPLS TE can be adopted to meet the QoS requirement of the users. In this scheme, the
workload of configuring PVC between CE and PE and MPLS LSP for bearing is heavy.
Substantial LSP will occupy a lot of resource of LSR, which will reduce network
30
expandability. Targeting the above expandability problem, Martini draft suggests creating
a fixed number of MPLS LSPs between PE and network devices. When VC bearer
services between user CE device and PE need to pass through the network, they will
enter the point-to-point sub-tunnel (i.e. pseudo-wire) in MPLS LSP. This LSP can be
regarded as the bearer channel of multiple VCs. This is similar to the relation between VC
channel and VP channel in ATM network. IETF draft defines the signaling to create
sub-tunnel and the encapsulation format of forwarding ATM, FR and Ethernet data
packets on sub-tunnel. Although this method save some network resource (such as LSP
quantity), but when creating large-scale MPLS VPN, we need create all sub-tunnels
manually; the configuration workload is quite high.
ZXR10 8900E series products support VPWS of Martini draft and extended LDP protocol.
They can create different LSP channels by service type. They support Ethernet
encapsulation and VLAN encapsulation as well as LDP-based extended VPLS.
3.3.3.1
VPLS
Virtual Private LAN Service (VPLS) is a kind of VPN with multi-station link in a single
bridge domain in IP/MPLS network managed by operators. All customer stations in VPLS
seem to locate in one LAN no matter where they actually locate. Since VPLS uses
Ethernet interface to implement customer exchange, it simplifies LAN/WAN boundary
and makes service providing quick and flexible. In VPLS, customers keep the complete
control over routing. Besides, since all routers of customers in VPLS are a part of the
same sub-net (LAN), they get a simplified IP address solution. This advantage becomes
especially obvious when it is compared with the full-meshed structure constituted by
different P2P links. Operators can also get benefits by reducing the complexity of VPLS
service management.
In Figure 3-7, CE1, CE2, and CE3 are in one VPLS domain VPLS A. They are
connected by a packet switching network (here is MPLS network). Equipped with VPLS,
PEs establish Full-Meshed VC connection between each other. If CE1 communicates
with CE3, CE1 first learns MAC address of CE3, which is based on data flow. Meanwhile,
there must be two layers of tags to PE3 on PE1. One is packet switching tag for outer
layer, which is MPLS network here, and the other is VC tag for the inner layer. When PE1
receives MAC frames with the destination address of CE3, PE searches for inner and
outer layer tags arriving PE3 according to MAC address, VCID and other information, and
adds the tags to the data frames and transport them through MPLS network. Only inner
layer tags are left with the data when it arrives PE3. PE3 gets the connecting port of PE3
where CE3 locates according to inner layer tag and MAC address, and transport it from
the port. The data will arrive CE3. In this way communication between CE1 and CE3 is
completed. Here all operations are implemented based on L2. Operators dont need to
concern users routing configuration so that it reduces users dependence on operators,
and simplifies operators management of user services.
31
Figure 3-7
3.3.3.2
Basic VPLS network model
H-VPLS
VPLS adopts PE full-connection to avoid loopback so that LDP session or BGP session
will be set up between all PEs in one VPLS instance, which brings great challenge to
network scalability. In scenario with medium scale, PE full-connection is acceptable. But
when PE increases in network, the number of sessions will grows by a square increase,
which put high requirement of equipment performance. At the same time network
management becomes very complicated. Hierarchical VPLS networking (H-VPLS)
perfectly solve this problem.
H-VPLS divides PE into NPE and UPE. UPE works as CE for access user. NPE works as
core layer of VPLS networking, providing transparent transport of user packet in
operators network. NPEs in H-VPLS networking compose full-connection. UPE doesnt
need to establish connection with all PEs. With hierarchy, H-VPLS reduces PW number
and PW signaling costs.
There are two types of H-VPLS: PW and QinQ.
1.
U-PW Access:
Figure 3-8
32
H-VPLS networking with U-PW access
As shown in Figure 3-8, UPE works as aggregation device and establishes virtual
connection U-PW with NPE1. UPE provides user data packet access and tags VC label
corresponding to U-PW. When NPE1 receives the packet, it decides which VFI that the
packet belongs to based on VC label, tags VC label corresponding to N-PW based on the
destination MAC address of the packet, and forwards it. As for packets received from
N-PW, NPE1 tags VC label corresponding to U-PW and forwards it to UPE.
2.
QinQ Access:
Figure 3-9
H-VPLS networking with QinQ access
As shown in Figure 3-9, working as aggregation device, UPE is a standard bridging

equipment supporting QinQ. UPE enables QinQ at access port of CE and tags
VLAN-TAG as multiplexing separating mark. Packets are transparently transported
through QinQ tunnel between UPE and N-PE to NPE1. NPE1 decides the VSI that the
packet belongs to based on VLAN-TAG tagged by UPE, tags multiplexing separation
mark (MPLS tag) based on the destination MAC of the packet and forwards it. When
NPE1 receives packets from PW side, it decides which VFI that the packet belongs to
based on the multiplexing separation tag (MPLS tag), tags VLAN-TAG based on the
destination MAC of the packet, and forwards the packet via QinQ tunnel to UPE, which
transfers the packet to CE.
If CE1 and CE2 exchange data for local CE, equipped with bridging, UPE can directly
implement packet forwarding between the two without transporting the packets upwards
to NPE1. However, UPE will forward first packet with unknown destination MAC or
broadcasting packet to NPE1 via QinQ tunnel when UPE transmits traffic to CE2 by
bridge broadcasting. NPE1 implements packet duplication and forwards it to each
peer-end CE.
ZXR10 8900E support two above H-VPLS accesses.
33
3.3.4
MPLS L3 VPN
3.3.4.1
MPLS VPN
Figure 3-10
Basic BGP MPLS VPN network model
Customer
Edge Switch
VPN1
VPN2
VRF
VRF
VPN1
Backbone Switch
PE
Service Provide
Edge Switch
PE
VPN2
As shown in Figure 3-10, a basic BGP/MPLS VPN network is composed of CE router, PE

router and P router. As customer edge equipment, CE is the router or switch connecting
operators network in customer stations. VPN function is provided by PE router. P and CE
router has no special VPN configuration needs.
To separate routing of a VPN and public Internet routing from other VPNs, PE router
generates a separated route/forwarding instance (VRF) for each VPN. PE router
generates a VRF table for each VPN connected by a CE router. Any customer and
station belongs to VPN only have access to the VRF table of the VPN.
When we build BGP/MPLS VPN network, each PE router must operate MP-BGP (use
MP-BGP between PE in MPLS VPN) to conduct VPN routing learning and notification
between PE. MP-BGP inherits BGPs request make full-connection between the peers
that run IBGP in one routing domain in order to notify BGP routing in routing domain.
When there are a large quantity of PE in VPN, IBGP full-connections will be a great deal,
which may cause N square problem and scalability problem. Routing reflector can be
used to solve this.
If two sites of one VPN are located in different Autonomous Systems, the corresponding
PE router cannot use IBGP connection to forward VPN-Ipv4 routes. At this time EBGP
must be used to transport VPN-IPv4 route between AS with back-to-back VRF: using
EBGP to distribute VPN-IPv4 route with mark and using Multi-hop EBGP to distribute
VPN-IPv4 routes from one AS to another.
ZXR10 8900E series support complete MPLS L3 VPN, address overlapping, CE static
routing, RIP, OSPF, and BGP access. They support BGP scalable union, capability
negotiation, and route refreshing. They support binding of interface with VRF, and
binding of VLAN with VRF.
34
3.3.4.2
Cross-domain VPN
At the beginning, MPLS-VPN application is mainly developed in enterprise network or
MAN with not very large scale. Deployment of MPLS-VPN inside an AS can meet the
service needs. With the expansion of MPLS-VPN application scale and the expansion of
network scale, cross-domain MPLS-VPN services are emerging. Multiple sites of user
VPN connect to multiple ISP or different AS domains of an ISP. If the AS number for all
AS domains are different, operators need to support Multi-AS cross-domain VPN.
The following are three solutions to solve Multi-AS cross-domain VPN:
VRF-to-VRF solution: set up logic sub-interface between edge routers with each
sub-interface associated to one VPN. Edge router distributes IPv4 route to
corresponding VPN user by sub-interface. Each VPN should be processed. It suits
the beginning phase of VPN service with little network change and little VPN
services provided.
Single hop MP-EBGP solution: edge routers distribute VPN user VPN-IPv4 routes
by MP-EBGP, avoiding the trouble of processing each VPN on edge router by VRF
to VRF. When VPN service develops to a certain phase, and edge router link is
restricted, single-hop MP-EBGP can be considered to provide cross-domain VPN
service.
Multi-hop MP-EBGP solution: Multi Hop MP-EBGP solution: It distributes user

VPN-IPv4 route between PE by Multi-hop MP-EBGP. With no need to process VPN
information by edge router, it suits cross-domain VPN service providing in a large
scale. But it needs to be planned in an integrated way in network deployment.
ZXR10 8900E provides the above three VPN cross-domain deployment solutions.
3.4
QoS
3.4.1
Basic QoS
The existing Internet provides best-effort services. In this mode all service flows are
equally and fairly compete for network resources. The router takes the working mode of
First Come First Service (FCFS) for all IP packets. It tries its best to sent IP packets to the
destination but provides no guarantee for reliability and delay of IP packet transport. This
suits Email, FTP and WWW services well.
With the high-speed growth of Internet, IP service develops quickly and becomes
diversified. With the emerging of multimedia service, computer is no longer a pure tool to
process data but getting closer and closer to peoples lives. Computer exchange
becomes more realtime and lively, which puts forward higher requirement to computer
and internet. For those applications with special bandwidth, delay and jitter requirements.
The existing best-effort service is apparently not enough. Although network bandwidth
35
and speed are greatly improved with the development of network technology, the data
needs transmission is increasing as fast as network development. At the same time,
some new applications emerged in recent years (such as multimedia and multicast) not
only add to network traffic but also change the traffic on the Internet. They need
brand-new service requirements. Without service quality guarantee, bandwidth
reservation, and restricted network delay, the network cannot support the applications
sensitive to indexes of bandwidth, delay, jitter and packet loss ratio such as VoIP, video
conference, Providing capability to support QoS is a feasible measure to solve the
problem. QoS aims to provide different service quality for various applications with
different needs such as providing private bandwidth, reduce packet loss ratio, reduce
packet transport delay and jitter.
QoS works to effectively provide users with E2E service quality control or guarantee.
QoS enables network unit (such as program, host or network equipment) can guarantee
its service flow and service requirements are satisfied at a certain level. QoS can control
various network applications and satisfy multiple network application requirements. For
example:
To control the resource: to restrict bandwidth used by FTP on backbone network, or to
offer higher priority to database access.
Cuttable services: subscribers of ISP (Internet Service Provider) can transport voice,
video or other realtime services. QoS can make ISP distinguish these different packets
and provide different services.
Co-existence of multiple needs: be able to provide bandwidth and low delay guarantee
for time-sensitive multimedia services. Other services in operation will not influence these
time-sensitive services.
QoS doesnt create bandwidth. It only manages bandwidth based on program needs and
network situation. QoS has a series performance indexes including the following:
Service availability: the reliability of the connection between subscribers and Internet
service.
Transmission delay: time interval of data packets transmitting and receiving between two
reference points.
Variable delay: also called jitter, is the time difference between data packets in a group of
data flow transmitted on one route.
Throughput: rate of data packets transmitted in the network, which can be represented in
average rate or peak rate.
Packet loss ratio: the highest ratio of data packet loss in network. Data packet loss is
usually caused by network congestion.
ZXR10 8900E series provides the following functions to realize the above objectives:
36
1Traffic classification
2Traffic monitoring
3Traffic shaping
4Queue scheduling and default 802.1p priority
5Re-orientation and policy routing
6Priority mark
7Traffic mirroring
8Traffic statistics
3.4.1.1
Traffic Classification
Traffic classification defines or describes packets with certain features by classifying
packets go through the switch. Packet classification can be implemented by ACL,
especially extended ACL. Packets can be classified into different categories based on
different needs. Users classify packets based on filtering options of ACL such as packet
source/destination IP address, source/destination MAC address, IP protocol type, TCP
source/destination port number, UDP source/destination port number, DSCP, ToS, IP
Precedence, VLAN ID, 802.1p priority value, MPLS EXP, and MPLS tag.
3.4.1.2
Traffic Monitoring
Traffic monitoring takes bandwidth restriction of a service to prevent it from exceeding the
specified bandwidth or influencing other service flows. The following measures can be
taken to deal with the exceeded traffic:
To drop or forward
To change its DSCP value
To change its dropping priority (packets with higher dropping priority are dropped
first in queue congestion.)
ZXR10 8900E series swtich realizes Single Rate Three Color Marker (RFC2697) and
Two Rate Three Color Marker (RFC4115). Both two algorithms support Color-Blind and
Color-Aware modes.
Meter works in two modes: in Color-Blind mode, it supposes packets are uncolored. In
Color-Aware mode, it supposes packets are marked with color. The data packets go
through the switch will be distributed with a color based on certain rule (data packet
37
information). Marker colors the IP packets based on Meter result and the color is marked
in DS domain.
The following are two types of marking algorithms.
1.
Single Rate Three Color Marker (SrTCM)
This algorithm is used in Diffserv traffic conditioner. SrTCM measures information flow
and marks the packets based on three parameters: Committed Information Rate (CIR),
Committed Burst Size, (CBS), and Excess Burst Size (EBS). We call the three
parameters green, yellow and red mark. When a packet goes through the ingress
monitoring it takes token from CBS bucket first. The packet will be green if it can get a
token from CBS bucket. It takes token from EBS bucket if it cannot take one from CBS
bucket. The packet will be yellow if it can take one from EBS bucket. The packet will be
red if it cannot take a token from EBS bucket. Red packets will be dropped by default.
2.
Two Rate Three Color Marker
This algorithm is used in Diffserv traffic conditioner. TrTCM measures IP information

traffic and marks data packets as green, yellow or red based on two rates: Peak
Information Rate (PIR) and Committed Information Rate (CIR), as well as their related
burst size (CBS and PBS). In color-aware mode, packet is marked as green if it doesnt
exceed CIR. It is marked as yellow if it exceeds CIR but doesnt exceed PIR. And it is
marked as red if it exceeds PIR. In color-blind mode, all packets are marked as green.
3.4.1.3
Traffic Shaping
Traffic shaping takes control over the rate of output packets to transmit the packets at an
even rate. Traffic shaping is usually used to match the packet rate with the downstream
equipment so as to avoid congestion and packet dropping.
The major difference between traffic shaping and traffic monitoring lies in the fact that
traffic shaping buffers the packets exceed rate limit to send the packets at an even rate.
While traffic monitoring drops the packets exceed rate limit. Traffic shaping adds to delay
while traffic monitoring doesnt add extra delay.
ZXR10 8900E supports two-level traffic shaping, as well as shaping based on VLAN and
port. With two levels shaping of VLAN and port, the system can realize multi-level control
over service flows to guarantee the implementation of multi-level QoS and differentiated
management.
3.4.1.4
Congestion Avoidance
Network equipment has limited processing and buffering capability. Packets exceed
equipment capability will cause congestion. Simply dropping of these packets will lead to
global synchronization. ZXR10 8900E adopts RED/WRED to avoid congestion and
38
improve network quality. ZXR10 8900E WRED can sense the services including IP
priority, DSCP and MPLS EXP. It can set different early dropping strategy for packets
with different priorities to provide differentiated dropping feature.
3.4.1.5
Queue Scheduling
ZXR10 8900E series switch has each of its physical port supporting 8 output queues
(queue0~7) called CoS queues. The switch takes output queue operation at ingress
according to CoS queues corresponding to 802.1p of the packets. When network is
congested, many packets may compete for resources. Queue scheduling can solve the
problem.
ZXR10 8900E series switch supports three queue scheduling: Strict Priority (SP),
Weighted Round Robin (WRR), and Dynamic Weighted Round Robin (DWRR). 8 output
queues at the port can adopt different schedulings.
Strict Priority (SP)
SP takes scheduling of data of each queue based on the exact priority of the queue.
Firstly it gets the packet out of the queue with the highest priority and sends it out until
packets in the queue are send out. Then it sends packets in the queue with the second
highest priority. Similarly, it sends all the packets in the queue and then sends packets in
the queue with the third highest priority. And the rest can be done in the same way.
SP offers first processing for packets of key services so that quality of the key services is
guaranteed. However, queues with lower priority may never get processed and get
starved.
Weighted Round Robin (WRR)
WRR offers every queue chances to be scheduled without starving. However, each
queue gets scheduling at different time with different weight (the proportion of resources
each queue gets). Packets in the queue with higher priority are more possible to be
scheduled than those in the queue with lower priority.
Dynamic Weighted Round Robin (DWRR)
DWRR offers every queue chances to be scheduled too. Each queue has different weight.
The difference between DWRR and WRR lies in the fact that the weight configured by
DWRR indicates the bytes that scheduled every time for 8 queues at the port with the unit
of kbyte, while the weight configured by WRR indicates the packets that get scheduled
every time for each queue. Therefore, the size of DWRR data packet has little influence
on bandwidth.
802.1p tag covers data priority. If the data enters the port has no 802.1p tag, the switch
will distribute a default 802.1p value to it.
39
3.4.1.6
Priority Mark
Priority mark re-distributes a set of service parameters to the particular traffic that
described by ACL. The following operatons can be implemented:
3.4.2
1.
Change CoS queue of the data packet and change its 802.1p value.
2.
Change CoS queue of the data packet without changing its 802.1p value.
3.
Change the DSCP value of data packet.
4.
Change the dropping priority of the data packet.
MPLS QoS
MPLS QoS is an important part in QoS service deployment since DiffServ has good
deployment flexibility and scalability. In practical MPLS networking solution, DiffServ
mechanism is usually used to implement QoS. ZXR10 8900E supports DiffServ -based
MPLS QoS. Traditional IP QoS decides the service level based on IP priority or DSCP so
as to realize differentiated service of the service. MPLS QoS distinguish data flows of
different services based on EXP value, implements mapping of priority between MPLS
EXP and IP & Ethernet, realizes differentiated service of services, and guarantee the
quality of voice and video services.
MPLS QoS has four modes:
Uniform mode
Pipe
Short Pipe mode
Long Pipe mode (mainly used in carrier supporting carrier architecture)
mode
ZXR10 8900E supports uniform, pipe and short pipe. At MPLS Ingress PE node, packets
decide whether to map or duplicate IP priority or VLAN priority to MPLS EXP based on
uniform, pipe or short pipe. In backbone network classified traffic gets EXP value
remarked based on service protocol, gets traffic monitoring, shaping and scheduling. At
Egress node of MPLS, priority for IP or Ethernet service packets are redeployed based
on Uniform, Pipe or Short Pipe model. E2E QoS is provided based on DiffServ as shown
in Figure 3-11. In addition, ZXR10 8900E imports H-QoS into MPLS VPN, realizes
multi-level scheduling in VPN and improves comprehensive network operation capability.
40
Figure 3-11
end to end MPLS QoS
3.5
OAM
3.5.1
Ethernet OAM
With the rapid development of Ethernet in recent years, Ethernet networking is taking
larger proportion in network construction and Ethernet scale also keeps growing.
Ethernet is used to replace ATM equipment in access, aggregation, and backbone
network. At the same time IP bearer network is developing as a multiservice and
broadband network. Without carrier-class management, the traditional Ethernet cannot
detect, notify or separate L2 network failure. The network manamgement system
adopting SNMP can only manage link and equipment state. It cannot detect E2E
connection performance and state of user service. When theres network failure, it cannot
be located or located quickly. Besides, with the wide application of network equipment,
the managers pay more attention to OAM of Ethernet equipment.
ZXR10 8900E series support three standards of Ethernet OAM at the moment:
IEEE 802.3ah(Operations, Administration, and Maintenance-OAM)
IEEE 802.1ag(Connectivity Fault Management-CFM)
IEEE 802.3ah operation, management and maintenance standard is the formal one of
IEEE. It takes link level management, taking monitoring and failure processing of P2P
(or virtual P2P) Ethernet link. The protocol has great significance in connection
management of these points at the places where failures tend to occur such as the last
mile for the network user.
IEEE 802.1ag Connectivity Fault Management is the draft standard of IEEE at present. It
takes service level management. It provides the network with easy and quick fault
discovery, detection and management. It submits effective detection, separation and
connectivity fault report of the virtual bridge LAN.
8900E supports OAM that complies with the above standard. It provides Ethernet
Connectivity Check (ETH-CC), Ethernet LoopBack (ETH-LB), and Ethernet Link Trace
(ETH-LT). It supports Frame Loss Measurement (ETH-LM), and Frame Delay
41
Measurement (ETH-DM). It supports Ethernet link OAM, link discovery, link state
monitoring, remote defect indication, and remote loopback that conform to IEEE802.3ah.
3.6
Clock synchronization
Because of telecom bearing IP trend, there are clock requirements for Ethernet to provide
precision clock for mobile wireless network. Mobile network has high requirements for
high-precision synchronization. Its synchronization consists of frequency synchronization
and time synchronization. ZXR10 8900E supports Synchronous Ethernet and 1588v2
solution which uses synchronous Ethernet technology for clock frequency
synchronization, and IEEE 1588 phase fine control and time maintenance for clock time
synchronization.
ZXR10 8900E can configure different clock source priorities. Clock sources are selected
according to different priorities. The clock source with the highest priority will take effect in
the earliest time. If the clock fails, the clock source with the second highest priority will
take effect, and the rest will go similarly. The restoration policy of clock source is: If the
clock with high priority is restored, it can be configured to select whether to switch back.
3.6.1
Clock source
ZXR10 8900E support 5 clock sources, and the main control decides which clock source
information is distributed to the system.
3.6.2
Local clock: Local clock of system hardware, the most basic clock signal.
BITS: Support 2MHz analog signal and 2Mbits digital clock signal.
GPS: Traditional mobile network clock source providing high-precision clock signal
and 1PPS+TOD signal.
SyncE: Support Synchronous Ethernet interface, and restore and extract the clock
from physical layer.
1588v2: IEEE 1588v2 is a precision time synchronization protocol which transfers

messages between active and standby equipments to precisely synchronize
master/slave clock and time.
Synchronous Ethernet
Synchronous Ethernet (SyncE) technology adopts Ethernet link code stream to restore
the clock. It synchronizes frequency rather than synchronization phase, and needs all
bearer network equipments to support synchronous Ethernet features. ZXR10 8900E can
extract the clock from Ethernet link, or get support reference clock from external
synchronous interface (including BITS and GPS) as system clock. The system selects
the proper system clock source and export clock source according to synchronization
42
status information or system alarm information. After clock source is determined, the
system uses high-precision clock at the Ethernet interface to send data and transfer
synchronization status information, synchronizing Ethernet physical-layer E2E data
transceiving. Its synchronization mode is shown as Figure 3-12.
Figure 3-12
3.6.3
SyncE synchronization
IEEE 1588 v2
IEEE 1588 v2 is a precision time synchronization protocol, called PTP protocol for short.
IEEE 1588 v2 adopts master/slave clock to transport time in the form of code. Time
stamp is generated at the protocol layer adjacent to the physical layer. It uses symmetry
and delay measurement technology of network link to synchronize frequency, phase and
absolute time of master/slave clock. 1588 key lies in delay measurement.
IEEE 1588 v2 master/slave clock synchronization principle is shown in Figure 3-13: Slave
clock synchronizes with master clock through offset measurement, and then delay
measurement is made to get inter-clock link delay and time deviation to adjust time
output of slave clock and synchronize the time between master clock and slave clock.
43
Figure 3-13
IEEE 1588 synchronization
ZXR10 8900E supports 1588 v2 protocol and the following working modes:
3.6.4
Ordinary clock: Only one port supports 1588v2 protocol. The clock works as
grandmaster or slave.
Boundary clock: Several ports support 1588v2 protocol. The clock can connect
several ordinary clocks or transparent clock.
Transparent clock: The node does not run 1588v2 protocol, but needs to modify
time stamp. It is required in forwarding time message to fill in the time, when the
node processes the message, in the modification location. Both E2E and P2P
modes are included.
Clock protection
1.
Port selection protection
ZXR10 8900E fulfills automatic protection switching of clock link based on SSM protocol
and BMC optimal clock algorithm to reliably transmit the clock. It select an algorithm
according to clock path to calculate the best synchronization path of clock and time
information to avoid clock loop. When a fault occurs to the network, the system makes
the protection switching of clock and time information according to clock path algorithm,
and provide synchronization locking, hold-over and free-run of clock and time
information.
2.
44
Active/standby Main Control Module protection
ZXR10 8900E active/standby main control modules always synchronize clock information.
When receiving Bits and GPS signals, one main control module sends the signals to the
other main control module. Line card receives the clock signal from active and standby
main control modules at the same time, but one line card only takes the clock of active
main control module as system reference clock. When a fault happens to active main
control module, line card can switch the clock to take the clock of standby main control
module as system reference clock.
3.7
Reliability protection
3.7.1
Equipment-level protection
3.7.1.1
Main control board protection

ZXR10 8900E adopts the carrier-class reliability design. It has two main control boards.
Each main control board has control module and switching module, and two main control
boards can make load balance and redundant backup, and supports the redundancy of
switching module and main control module. When a fault occurs to active module,
services and data can be switched from active main control board to standby main
control board to forward data and operate services without interruption.
3.7.1.2
Power supply module protection

To comply with strict equipment reliability requirements of telecom carriers, ZXR10
8900E adopts hot backup design for power supply, and employs 48V DC and 220V AC.
DC adopts 1+1 mode, and AC adopts 1+1 or 2+1 backup according to different racks to
improve the reliability of power supply system. Furthermore, 8900E power supply
supports several intelligent protection mechanisms, and provides protection, detection
and fault report for power supply according to such parameters as voltage, current and
temperature.
3.7.1.3
System supervision protection

ZXR10 8900E meets the carrier-class reliability requirements and provides a whole set of
system supervision means to drop user maintenance cost and improve equipment
stability and reliability.
In terms of hardware, ZXR10 8900E can supervise such information as environment
temperature, board temperature, fan status, power supply status, power supply power
sampling (including PoE power supply). In terms of software, it can collects such status
information as environment temperature, board temperature, fan status, power supply
status, power supply power sampling (including PoE power supply). When going wrong
45
or exceeding alarm threshold, the system reports relative alarm and fault, and
automatically saves and sends them to related server regularly.
3.7.2
Network detection mechanism

When network equipment runs, link fault, equipment single point of failure and equipment
connectivity fault may take place. In order to find various network faults in time and start
effective protection measures, ZXR10 8900E offers a series of effective network
detection mechanisms. In addition to the detection technologies to be introduced below,
ZXR10 8900E also supports some detection and positioning means such as UDLD, IP
Ping, IP Trace, multicast Trace route, LSP Ping and LSP Trace route.
3.7.2.1
BFD
BFD (Bidirectional Forwarding Detection) is a path connectivity detection protocol. BFD
aims to offer a low overhead to detect the fault between adjacent forwarding systems in a
short time. BFD packet is the message encapsulated with UDP protocol, and can be
loaded into any proper media or network protocol. BFD can run at several system layers.
BFD can detect the fault in any path between systems. The path may be direct physical
link, virtual circuit, tunnel and MPLS, and indirect path. As BFD fault detection is simple,
BFD can quickly detect the forwarding fault.
BFD status mechanism needs three handshakes. It is a simple service. It is only required
to offer destination address and other parameters to create, delete and modify BFD
session. When BFD session is up or down, a signal is returned to the system for proper
processing.
BFD is a simple Hello protocol. It is partially similar to neighbor detection of famous route
protocols in many respects. A pair of system periodically send detection message on the
path of the session between them. If one system receives no detection message from the
other in enough time, it will consider that a fault occurs to a part of the bidirectional path
to the adjacent system. In certain conditions, transmitting and receiving rate between the
systems need to be negotiated to reduce the load.
After bidirectional communication between two systems is established, only one path is
running (unidirectional link is also possible). An independent BFD session may be
created for each communication path or data protocol between two systems. Each
system can evaluate the frequency of transmitting and receiving BFD packet so as to
keep two systems consistent in fault detection duration. The parameters can be modified
according to different surroundings to meet the demands.
BFD protocol describes bidirectional detection mechanism which consists of
asynchronous mode and query mode. An auxiliary echo function can work with these
modes. The difference of asynchronous mode and query mode lies in detection location.
In asynchronous mode, one system periodically sends BFD control message, and the
46
other system remotely detects the BFD control message. In query mode, the system
transmits and detects the BFD control message.
Asynchronous mode: In asynchronous mode, two systems periodically sends BFD
control message to each other. If one receives no BFD control message from the other in
detection time, it will be announced that the session is down.
Query mode: In query mode, supposed that each system has an independent approach
to confirm that it is connected to other systems. Once a BFD session is created, the
system will stop sending BFD control message unless a system needs to explicitly verify
the connectivity. If it needs to explicitly verify the connectivity, the system sends a short
BFD control message. If it receives no message returned in detection time, it will be
announced that the session is down. If a message is returned, the protocol will remain
silent again.
Echo function: One system sends a series of BFD echo messages, and the other system
loops them back via its forwarding path. If several continuous echo messages are not
received, it will be announced that the session is down. The echo function can work with
the above two detection modes.
ZXR10 8900E support BFD for static route OSPF dynamic route and VRRP to fulfill fast
convergence. It combines BFD and FRR technologies and provides fast fault detection
mechanism to implement fast rerouting.
3.7.2.2
OAM detection
OAM offer a wide variety of detection means of network fault discovery. It consists of
Ethernet OAM and MPLS OAM. Ethernet OAM detects and discover Ethernet link fault,
and MPLS OAM provides defect detection tool and protection switching mechanism for
MPLS network. For details, refer to Section 3.5. OAM message detection serves to detect
link status, node status and tunnel connectivity. It can detect the fault while triggering the
protection switching.
3.7.2.3
SQA
SQA (Service Quality Analyzer) sends the test message to analyze network performance,
network service and QoS, and provide the user with network performance and QoS
parameters, e.g., delay jitter, TCP connection delay, FTP connection delay and file
transport rate. SQA helps the user to know current network status, and detect and
position the fault to improve network management initiative and controllability .
ZXR10 8900E supports many kind of detections include ICMP-echo, DHCP, DNS, FTP,
HTTP, UDP-jitter, SNMP, TCP, UDP-echo, Voice and DLSw, and associates detection
result to VRRP function, as shown in Figure 3-14.
47
Figure 3-14
3.7.3
SQA association
VSC
VSC( Virtual Switch Cluster) system can virtualize multiple independent devices into one
device to dynamically add or delete members. These VSC members that linked by VSC
port can select one main device by a certain selection mechanism. And others work as
forwarding devices. Its like one device is expanded to support more interface cards,
more interfaces, more services, provide equipment-level redundancy backup, and
improve the reliability of the equipment and network.
VSC can make a simple network without complicated and slow STP or VRRP. Multiple
devices only need one configuration to make the network more reliable to support
Multi-chassis link aggregation, to implement protocol-level and equipment-level crosschassis hot standby, and to make the network more effective. Multiple devices constitute
VSC system to effectively improve the system capacity, to implement load balancing, and
to fully utilize network bandwidth.
Figure 3-15
48
VSC system logic connection diagram
3.7.4
Ethernet intelligent protection

ZXR 8900E supports ZESR (ZTE Ethernet Switch Ring), ZESS (ZTE Ethernet Smart
Switch) and ZESR+, and provides ring protection and dual-uplink protection mechanism.
3.7.4.1
ZESR
ZESR (ZTE Ethernet Smart Ring), the Ethernet ring technology, allows network
administrator to create Ethernet ring, similar to fiber distributed data interface (FDDI) or
SONET/SDH ring. It can recover any link or node fault within 50ms.
ZESR uses break alarm, ring monitoring and ring restoration to maintain the protocol.
1.
Break alarm: When standby equipment in ZESR ring detects that a cable fault
occurs to its active or standby port connected to the ring, it immediately sends break
alarm frame from another port to active equipment. When active equipment receives
the alarm frame and knows the ring goes wrong, it unlocks standby port, refreshes
L2 forwarding table (L2 table), and sends a notification frame to notify other ring
equipments to refresh their L2 tables, as shown in Figure 3-16.
Figure 3-16
2.
ZESR break alarm
Ring monitoring: When working normally, active equipment periodically sends

diagnosis frame via active port. If the ring works normally, standby port of active
equipment will periodically receive the diagnosis frame, reset its timeout timer and
go on operation. If the timer exceeds the set time but standby port receives no
49
diagnosis frame, active equipment will consider that the ring goes wrong and
unlocks standby port to assure ring connectivity. Meanwhile, active equipment
refreshes L2 table and sends a notification frame to notify other ring equipments to
refresh their L2 tables. Ring monitoring mechanism is the backup of break alarm
mechanism. Once break alarm frame is lost for unknown reason, the solution is a
reliable backup support.
3.
3.7.4.2
Ring restoration: When a ring link breaks, active equipment still periodically sends
diagnosis frame via active port, but standby port cannot receives it. After the ring
restores, the next diagnosis frame will be received by standby port of active
equipment. When active equipment receives diagnosis frame, it knows the ring
restores; then it sets standby port to blocked, refreshes L2 table and sends a
notification frame to notify other ring equipments to refresh their L2 tables. When
standby equipment detects that its connection restores, as diagnosis frame is
periodically sent, active equipment will not receive diagnosis frame immediately (so
standby port is unblocked). If no measure is taken now, standby port of active
equipment will remain unblocked for some time, which will result in temporary loop
and broadcast storm. To avoid the status, standby equipment needs to set the port
to be temporarily blocked when the port connection restores. When standby
equipment receives the notification frame from active equipment to refresh L2 table,
standby equipment knows that active equipment blocks its standby port, and then
standby equipment refreshes L2 table and unblock the restored port. Up to now the
ring returns to normal status.
ZESS
ZESS (ZTE Ethernet Smart Switching) technology fulfills fast switching protection and
load balance between L2 Ethernet links, and the active and standby links are switched
within 50ms. Its working principle is as shown in Figure 3-17: The node supports ZESS;
port 1 is active port and port 2 is standby port. When the node detects that active and
standby ports are UP, it blocks the protection service VLAN forwarding function of
standby port; when the node detects that active port is DOWN, it blocks the protection
service VLAN forwarding function of active port and unblocks the protection service
VLAN forwarding function of standby port; when the node detects that active port restores
to UP, it adopts inverse and non-inverse modes. In inverse mode, it unblocks active port
and blocks standby port again. In non-inverse mode, active port remains blocked and
standby port unblocked. In addition, in ZESS switching, it is required to upgrade FDB of
the blocked port.
50
Figure 3-17
3.7.4.3
ZESS protection mechanism
Intelligent dual-homed ZESR+

When metro core network uplinks backbone network, one switch has two uplink ports
connecting two BRAS or SR, thus ZESS provides dual-uplink protection. Although the
connection has uplink and SR or BRAS protection, there is single-point fault risk from
uplink to BRAS or SR. For consideration of security in the actual networking, 2 uplink
ports connected to the same SR or BRAS are located in 2 switches, and the downlink still
uses the ZESR ring. Two uplink switches adopts ZESS and two switches remain the
heartbeat hello. When port 4 goes wrong, the traffic switches to port 5; when a fault
occurs to port 5, the traffic goes to the right switch. Thus lower-layer link fulfills the ring
protection and traffic load balance and backup. The working principle is shown as Figure
3-18.
Figure 3-18
ZESR+ working principle
51
3.7.5
L3 route protection
3.7.5.1
Enhanced VRRP
If traditional VRRP technology is adopted, when router link goes wrong or powers off,
backup router spends 3 seconds in switching, which cannot address the user demands
when IP network bears voice service. Enhanced VRRP introduces fast BFD mechanism
to replace VRRP heartbeat message. It speeds up the detection between VRRP entities
and employs single-hop or multi-hop BFD to check whether the real-address
communication between slave and master routers is normal. If not, the slave will consider
the Master is unavailable and upgrade to the master to fulfill fast switching.
VRRP and BFD are bound based on BFD session between router and host, which means
that master and slave routers are respectively bound to different BFD-sessions (These
sessions are not established between master and slave routers). If the communication is
abnormal between master router BFD and HOST, VRRP downgrades master to slave,
and upgrades slave to master to link the communication between protection router and
host and fulfill fast switching between master and slave routers.
Furthermore, ZXR10 8900E supports VRRP group management. Multiple VRRPs forms
a VRRP management group, and each member keeps consistent with the group in the
status. When VRRP management group creates a BFD session to trigger management
group status switching, all members will make status switching. VRRP group
management reduces inter-equipment BFD message traffic to facilitate VRRP
management and bring down network and equipment load.
3.7.5.2
Route Load balance

Load balance helps the equipment to forward the traffic via several activated links so as
to make full use of the bandwidth of these links. Load balance does not mean that the
traffic of one link is equal to the other.
By configuring static route, route protocol and route number, ZXR10 8900E adopting
route-based load balance sets several reachable routes to one destination address in the
forwarding table so as to offer the basis for load balance.
The route technology for load balance includes ECMP (Equal-cost multi-path routing) and
WCMP (Weight-cost multi-path routing). ECMP working principle is: When there are
several paths reachable to one destination address in the network, the data is transmitted
via several links. ECMP makes full use of the bandwidth of idle links and backs up data
transport of failed links. WCMP improves ECMP. Because the links are different from
each other in the bandwidth, if the data is averaged to the links to transport, it is
impossible to make full use of the link with larger bandwidth. Therefore, WCMP adjusts
the route weights according to a policy to make ECMP more flexible and practical.
52
ZXR10 8900E supports the per-destination load balance policy which considers source
address and destination address of a packet so that the packets with the same source
address - destination address go the same path (Even if several paths are available),
and the packets with different source address - destination address pairs go different
paths. The policy ensures the packets with the same source address - destination
address pair reach in sequence.
3.7.5.3
GR (Graceful Restart)
GR (Graceful Restart) uses the neighbor equipment to implement non-reset for control
plane session connection when the control plane has error and switching. GR realizes
non-stop forwarding services in routing protocol restart. At the same time it can quickly
recover the route. Each routing protocol has its own GR expansion.
When routing protocol restarts, it notifies its neighbor to wait for a specific period of time,
during which it maintains their neighborhood relationship and keeps routing stable. When
routing protocol restart is completed, the neighbor equipment helps it to implement
routing information synchronization and set up the session again. Various routing
information can be all recovered during a short period of time. With GR, protocol restart,
routing and forwarding are comparatively stable to realize non-stop packet forwarding.
ZXR10 8900E series support relative routing protocols such as GR for
OSPF/ISIS/BGP/RIP, which avoids network socillation and improve network stablity and
reliability.
3.7.6
VPN Protection
3.7.6.1
PW Protection
PW (Psedudo Wire) is one of the linear protection in MPLS L2VPN used to solve
end-to-end service convergence in CE dual-homing model. PW protection detects PW
layer failure by OAM and BFD mechanisms and implements failure notification and fast
traffic switching. Since PW can be set up between two PE and multi-hop PW can be set
up between two PE, PW redundancy-based protection mechanism should support
single-hop PW redundancy and multiple segment PW redundancy.
Single-hop PW redundancy set up multiple PW between PE. ZXR10 8900E series switch
supports 1:1 redundancy backup. It can realize PW fast switching for active/standby, as
shown in Figure 3-19.
53
Figure 3-19
PW single-hop redundancy protection
Multi-hop PW redundancy imports S-PE between PE. S-PE connects PW on the two
ends. PE1 and PE2 sets up connection with S-PE respectively. In this way PW between
PE1 and PE2 is composed of multiple segments of PW. ZXR10 8900E series switch
supports 1:1 multi-segment PW redundancy backup. When PW1 fails, traffic can be
quickly switched to PW3 to realize fast switching between active and standby PW as
Figure 3-20
3.7.6.2
PW multi-hop redundancy protection
MPLS VPN Dual-homing Protection

1.
CE Dual-homing to PE
In MPLS network, to provide network reliability and solve service interruption problem
caused by route re-convergence results from single PE failure, we import CE
dual-homing to PE solution. CE is accessed to two PE at the same time. One is active
and the other is standby. When CE perceives active PE or active link fails by LACP, STP,
ZESS, or port shutdown, it can automatically switch to standby PE and standby link.
When failure recovers, the original active PE can recover or automatically change to
standby PE based on certain strategy as shown in Figure 3-21.
54
Figure 3-21
CE dual-homing to PE
L3VPN adopts FRR to set active/standby forwarding item directing active PE1 and
standby PE2 at remote PE. PE implements quick failure detection by BFD and MPLS
OAM. When PE4 detects PE1 failure, it can forward traffic to PE2. Service traffic between
CE1 and CE2 can be switched to PE2-PE4 link.
In L2VPN PE4 save PE1 and PE2 forwarding table at the same time. That is to say, MAC
active egress for CE1 is PE1 and standby egress is PE2. PE4 forwarding item will set
forwarding prefix, inner layer label, and selected outer layer LSP tunnel. When PE1 fails
(for example, unavailable tunnel is perceived by BFD and MPLS OAM), PE4 can forward
traffic to PE2. When CE1-PE1 link fails, PE1 will notify PE4 to refresh MAC address,
change the egress, and switch the traffic to PE2-PE4 link.
2.
UPE Dual-homing to NPE
In H-VPLS network, theres also single-point failure. Dual-homing of UPE to NPE can
improve network reliability and avoid link and NPE single-point failure. When a link fails,
for example, BFD detection or port shutdown, traffic can be switched to standby link.
When the failure is recovered, the original active NPE will recover or automatically
become standby NPE based on certain strategy as shown in Figure 3-22.
In H-VPLS with U-PW access, LDP session is run between UPE and NPE. Whether the
active PW fails can be decided based on LDP session state. In H-VPLS with QinQ
access, STP can be run between UPE and the NPE connected to it to ensure that the
other link is activated when one link fails.
55
Figure 3-22
UPE dual-homing to NPE
NPE1
CE1
Master
N-PW
UPE
NPE3
U-PW
Backup
CE2
NPE2
3.7.7
FRR Protection
3.7.7.1
IP FRR
IP FRR (IP Fast ReRoute) can reach 50ms switching, which can reduce data loss in case
of failure to the best. IP FRR calculates standby route in advance. When active route fails,
another route calculation is not implemented. Standby route is adopted to switch traffic to
standby link. When active link recovers and gets stable, the traffic is switched back to the
active route as shown in Figure 3-23.
Figure 3-23
56
Route switching diagram
ZXR10 8900E supports FRR for static routing, OSPF, IS-IS, and RIP, which easily
implements traffic switching of single-directional traffic to meet the switching time
requirement.
3.7.7.2
LDP FRR
LDP FRR is MPLS-related reliability technology. With the help of LDP label distributing
protocol, it distributes active/standby labels for routes. Saving the standby label, it quickly
respond to route change, switch label to the standby label, and implement 50ms
switching protection in case of network failure. Label standby equals to standby LSP.
When a certain link or node on the protected LSP fails, label can be quickly switched to
the standby link as shown in Figure 3-24. R2 directs e2/2 to back up e2/1 port. In this way
LSP will has two next-hops. One is on the active link specified by the routing protocol.
The other is standby. When port 2/1 is detected to fail, label will be quickly switched to
e2/2. When the route recovers, label will be switched back to e2/1 port.
Figure 3-24
Label switching diagram
LDP FRR is only a temporary protection measure. When the protected link recovers,
traffic will be switched back to the original LSP. LDP FRR doesnt need to rely on
complicated MPLS TE. Standby LSP for link, node or route doesnt need to be set up
respectively. Its easy to implement with the spreading of MPLS.
3.7.7.3
MPLS TE FRR
MPLS TE FRR is a set of link protection and node protection mechanism in MPLS TE.
When LSP link or node fails, protection is implemented at the node where failure occurs.
In this way traffic can be permitted to go through via the tunnel of protected link or node
so that data transmission will not be interrupted. At the same time head node can go on
initiating recreation of active route with data transmission not influenced.
57
MPLS TE FRR uses a LSP set up in advance to protect one or multiple LSP. The LSP set
up in advance is called FRR LSP. The protected LSP is called active LSP. The ultimate
objective of MPLS TE FRR is to use FRR route to detour failed link or node so as to
protect the active route as shown in Figure 3-25.
Figure 3-25
TE FRR local link and node protection
FRR LSP and active LSP creation get all components in MPLS TE system involved.
MPLS TE FRR complies with RFC4090 based on RSVP TE implementation.
There are two ways to realize FRR:
One-to-one Backup: one to one backup protection. One active LSP sets up a standby
protection LSP, which is called Detour LSP.
Facility Backup: one to multiple backup protection. Multiple active LSP set up a standby
protection LSP, which is called Bypass Tunnel.
Facility is usually adopted in MPLS TE FRR deployment. The creation of active LSP is
the same with that of common LSP. RSVP sends PATH message from the head node to
downstream hop by hop, and sends RESV message from the tail node to upstream hop
by hop. It distributes labels, reserves resource and sets up LSP when it processes RESV
messages. Bypass Tunnel can be set up in two ways: one is manual and the other is
automatic. When active LSP has no FRR feature, Bypass Tunnel can be manually
configured to protect the physical interface of the tunnel. Its configuration is similar to that
of the common LSP except FRR cannot be configured. That is to say, Bypass Tunnel
cannot work as active LSP at the same time. Nor LSP be protected by embedding.
Automatic Bypass Tunnel is a simplified manual configuration. When active LSP needs
FRR protection, it automatically sets up a Bypass Tunnel to protect the active LSP. A
single automatic Bypass Tunnel can protect multiple active LSP. Bypass Tunnel is
usually in idle state assuming no data services. If Bypass Tunnel is required to assume
common data forwarding task at the same time when it protects active LSP, enough
bandwidth should be configured. When link or node fails, if the interface is configured
with FRR protection, data will be automatically switched to the protection link. When the
failure recovers, normal forwarding path will be automatically recreated.
58
In MPLS TE network usually MPLS TE FRR is deployed, which is determined by MPLS

TEs features. In pure IP network, when theres partial failure, if there are other available
route to the same destination, packets will be forwarded along these routes. Before route
change caused by the failure spreads to the whole network, only this mechanism can
quickly implement partial failure protection. In MPLS network with no TE deployed, LDP
setting up LSP by DU is widely applied. When partial failure occurs, if there are other
available routes, LDP will initiate LSP creation to upstream nodes. Not considering TE
related needs such as bandwidth, priority and link attribute, the possibility of successfully
creating LSP is comparatively big. Thus the process from failure to recovery is short. In
MPLS TE network, LSPs are usually established in DoD mode through RSVP. On a head
end, the CSPF algorithm calculates a path based on the routing information of the area
that satisfies the constraints and RSVP establishes an LSP along the path. When an
element along the LSP fails, a new LSP needs to be established. However, CSPF cannot
calculate the path before the head end knows the route change. In addition, a partial
failure may make it necessary to reestablish multiple LSPs. During LSP reestablishment,
problems such as insufficient bandwidth may intervene. Therefore, compared with pure
IP network and MPLS network with no TE configured, MPLS TE network needs more
time to recover from partial failure. So one standby LSP is set up in advance in MPLS TE
network. Initiating FRR and quick switching can be implemented in partial network failure.
3.7.7.4
L3VPN FRR
L3VPN FRR is used to solve CE dual-homing, which is the most common end-to-end
service convergence problem for network model. It can control end-to-end service
convergence within 1s in case of PE node failure. Since MPLS TE FRR can only solve
link or node failure between PE, and PE needs to rely on VPN route convergence when it
has failure, end-to-end fast convergence cannot be realized. CE model is shown in
Figure 3-26:
Figure 3-26
CE dual-homing model
PE-A
PE-C
CE-A
CE-B
PE-E
PE-B
PE-D
Suppose
the
path
for
CE-B
accessing
CE-A
is:
CE-BPE-EP-CPE-ACE-A. When PE-A node fails, the path for CE-B
accessing CE-A is converged as: CE-BPE-EP-DPE-BCE-A. Based on
standard MPLS L3 VPN, PE-A and PE-B both distribute route directing to CE-A to PE-E,
and distribute private network labels. In traditional technology, PE-E selects a VPNV4
59
route sent by MBGP neighbor based on certain strategy. In this instance, the route
selected is distributed by PE-A. Only the route information distributed by PE-A (including
forwarding prefix, inner layer label, selected outer layer LSP tunnel) is filled in the
forwarding item used by forwarding engine to direct the forwarding.
When PE-A node fails, PE-E perceives PE-As failure (BGP neighbor is DOWN or outer
layer LSP tunnel is unavailable), it re-select a route distributed by PE-B, re-distribute
forwarding item, and complete service end-to-end convergence. Before PE-E
re-distributes forwarding item corresponding to route that distributed by PE-B, since the
destination of outer layer LSP tunnel that forwarding item of forwarding engine directs is
PE-A, and PE-A node fails, during this period, CE-B cannot get access CE-A. End-to-end
services are interrupted. In traditional technology, end-to-end service convergence time
covers: 1) PE-E perceives PE-A failure. 2) PE-E re-selects VPN V4 route distributed by
PE-B. 3) PE-E distributes new forwarding item to the forwarding engine. Obviously, step
2 and step 3 goes depending on the scale of VPN V4 route.
ZXR10 8900E switch can firstly download the route information distributed by PE-B to the
forwarding engine as the second choice. It adopts BFD to check the link between PE-E
and PE-A. Discovering failure, PE-E quickly switch the route to hte link between PE-E
and PE-B. Packets will be switched to CE-B via PE-B to recover services between CE-B
and CE-A and realize fast switching.
3.8
Security and Authentication
3.8.1
ACL
In order to filter data, the netework needs to set lots of matching rules. After identifying
special objects, the corresponding packets can be allowed or forbidden to pass as per
the preset rules. ACL (Access Control List) is used to realize these services.
By using ACL, message filtering, policy route and special traffic control can be realized.
One ACL can contain one or more than more rules for one special type of packet. These
rules tell the switch if the selected packets are allowed or forbidden to pass.
The rules defined by ACL can also be used in other scenario, e.g. traffic classification in
QoS.
ZXR10 8900E series switch provides the following 4 types of ACL. Besides, it gives
support to two sorts of Ipv6 ACL.
60
Basic ACL: match source IP address only.
Extended ACL: Match source IP address, destination IP address, IP protocol type,

TCP source port number, TCP destination port number, UDP source port number,
UDP destination port number, ICMP type, ICMP Code, DSCP (DiffServ Code Point),
ToS and Precedence.
L2 ACL: match source MAC address, destination MAC address, source VLAN ID,
L2 Ethernet protocol type and 802.1p precedence.
Hybrid IP address: match source MAC address, destination MAC address, source
VLAN ID, source IP address, destination IP address, TCP source port number, TCP
destination port number, UDP source port number and UDP destination port
number. The perfect fields match three types mentioned above.
Basic IPv6 ACL: only match IPv6 source IP address.
Extended IPv6 ACL: match IPv6 source and destination addresses.
3.8.2
Device Authentication
3.8.2.1
AAA
Authentication
ZXR10 8900E supports complete AAA (Authentication, Authorization and Accounting )

mechanism. So it not only can be used to arrange login user authentiation and
authorization together with hierarchical protection mechanism of command line, but also
can verify users validity in network management. based upon AAA mechanism, ZXR10
8900E can effectively prevent illegal users from logging in the system.
For different user access authentication policies, the device provides complete AAA
service. As per different access authentication requirements, user can configure different
access authentication policies to arrange different authentication and authorization
services.
AAA supports three types of user authentication:
Local account authentication
RADIUS (Remote Authentication Dial-In User Service) authentication
TACACS+ (Terminal Access Controller Access Control System) authentication
AAA supports four types of authorization mode:
Direct authorization: for very trustable user, direct authorization without requiring
account number is implemented.
Local account authorization: give authority as per users local account.
TACACS+ authorization: TACACS+ consists of authentication and authorization.

TACACS+ server gives user authorities.
Authorization when RADIUS authentication is successful: the authentication and

authorization of RADIUS can not be apart.
61
3.8.2.2
SSH
SSH (Secure Shell) is made by IETF network working team. SSH is a security protocol
build on the basis of application layer and transport layer. SSH currently is a reliable
security protocol designed particularly for remote login session and other network
services. SSH protocol can be used to avoid information leaking effectively. Encrypting
transport data via SSH protocol can avoid middle attack.
SSH supports the following two sorts of authentication:
The first one is the security authentication based upon password. Input correct account
number and password, then user can access the remote host successfully. All transport
data are encrypted. This mode ensures reliable data transmission. But it may lead to faud
server which makes the data transferred to illegal servers.
The other security authentication is based upon encryption key. User must create a pair
of encryption key and save the public key to the target server. The client software asks
the server for security authentication via its own encryption key. When the server
receives the request, it looks for the public encryption key in the root category of this
users server. After confirming the two encryption keys are the same by comparing the
public key with the public key sent by the client, the server will encrypt challenge and
send it to the client software. After receiving the challenge, the client will decrypt it by
private encryption key and send it to the server.
ZXR10 8900E supports security authentication of SSHv2 protocol.
3.8.2.3
Command Line Hierarchical Protection

Currently, ZXR10 8900E series switch realizes different levels of command (16 levels in
total). For different access users, different levels of authority is used. Lower level leads to
less command. Higher level leads to more commands. The administrator (highest level)
is able to set different authority levels to different command, so that self-defined
command authority configuration can be implemented.
In order to realize hierarchical authority, two parts of authority level should be maintained:
62
Command node authority level maintenance: when the switch is initiated, each
command node has a default authority level. The administrator can change it.
Login user authority level maintenance: the administrator can set authority level for
each login user. Conditions for displaying and implementing the command are:
when users authority level is bigger or equals to the command authority level, this
command can be displayed and executed on users terminal. In default situation, the
administrator can use all commands. Other authority levels can only use some
maintenance commands.
3.8.3
Access Security
3.8.3.1
802.1x
802.1X is a Client/Server-based access control and authentication protocol. When
connecting with user device at system port via authentication, it confirms if the user is
authorized to access system services via this port. In this way, unauthorized data
transmission between the user and system can be avoided. At first, 802.1X access
control only allows EAPOL frame to pass the port connecting with the users device. After
authentication, other data can pass this port then.
802.1X enables the access point via which the authenticator connects with LAN to
generate two logical ports: controlled port and uncontrolled port. The uncontrolled port
which is free from port authorization status can exchange PDU with other systems freely,
while the controlled port can only exchange PDU with other system when it is authorized.
PAE is the base of the algorithms and protocols related to operating and authentication
mechanisms. The authenticators PAE is responsible for communicating with requestors
PAE and sending information collected from the requestors PAE to authenticators
server. After verifying this information, the authentication server confirms if the requestor
is authorized to access the authenticators service. The authenticators PAE determines
the authorized and unauthorized status of the controlled port as per the authentication
results. The authenticators PAE uses uncontrolled port and EAPOL protocol to exchange
protocols with the requestors PAE. It uses EAPOR and RADIUS authentication server for
communication.
The 802.1X unit of ZXR10 8900E series switch mainly realizes the following services:
Support services of authenticator.
Local authentication.
Support authenticators PAE to exchange protocols with EAPOL via the uncontrolled
port.
Force-Unauthorized,
Auto
and
Force-Authorized
values
Auth-Controlled-Port-Control can be used to run the controlled port.
Support Admin-Controlled-Directions and OperControlled-Directions to run the

controlled port.
Re-authentication timer can be used to authenticate the requestor again on a

regular basis.
Transparent transmission of 802.1x authentication packet is supported when

authentication is not initiated.
63
of
3.8.3.2
DHCP
DHCP server can allocate proper IP address for all sorts of device. With DHCP service,
the network administrator instead of distributing IP address manually can allocate IP
address automatically by exchanging DHCP protocol message. This not only reduces the
workload caused by manual configuration and configuration error, but also enables
unified IP address management when the device is moved.
DHCP adopts client/server communication mode. The client sends IP allocation
application to the server , then DHCP server returns the related configuration information
like allocated IP address to the server. When DHCP client gets the configuration
information, it can realize dynamic IP address configuration and communication with
external network. In this process, DHCP server can implement authentication. One
DHCP server usually has one IP address pool, so that it can distribute IP address to
multiple IP devices.
When DHCP server and DHCP client are not in the same network segment, DHCP relay
is required. DHCP sends request message to DHCP server. When DHCP relay receives
and processes the received messages, it will send the message to the DHCP server of
one network segment. The server provides related information as per the request
message. Then the DHCP relay will return the configuration information to the client to
finish dynamic client configuration.
Besides, DHCP also includes some extension serv ices, e.g. DHCP snooping and DHCP
Relay Agent Information Option (Option 82), etc. With some options in DHCP request
message, DHCP option 82 enables DHCP server to confirm users location more
accurately. In this way, different users adopt different address distribution policies to
make users can be effectively controlled even when they are in different VLANs or
network segments.
DHCP Snooping is mainly used to avoid some spoofing DHCP Server. The spoofing
DHCP Server made by some devices feeds back users DHCP address request, which
disable the user to get correct DHCP address and connect with the network. Or the
spoofing DHCPO Client send DHCP address request to DHCP Server frequently to use
DHCP Server address out. By initiating DHCP Snooping service, trust and un-trusted port
can be set. DHCP Server responding messages sent by the un-trusted port will be
discarded. In addition, Snooping can set the number of the IP address one un-trusted
port can allocate, so that DDoS attack for DHCP Server can be avoided.
ZXR10 8900E support DHCPv4 server, DHCPv4 relay, DHCPv4/v6 snooping and DHCP
option82 services. The specific supported options can be seen in the functional list.
3.8.3.3
IP source guard
IP source guard checks message source by binding port, VLAN, MAC and IP together. It
realizes message security control. The binding table of IP source guard can be set up in
the following two ways:
64
1.
Static binding: binding table item generated by manual configuration is used to

implement port control service. This method is suitable for one host or LAN where
there are less hosts.
2.
Dynamic binding: implement port control service by getting the binding table items of
DHCP Snooping or DHCP Relay automatically. It is suitable for the LAN where there
are lots of hosts. Using DHCP to implement dynamic host configuration can
effectively avoid conflict IP address and IP address spoofing.when DHCP allocates
one entry to the user, the dynamic binding service will add one more binding table
entry to allow this user to access the network. If one user sets IP address privately, it
will not allowed to access the network as DHCP is not initated to allocate table entry
the dynamic binding service does not add related access rule.
ZXR10 8900E supports IP Source Guard service based upon IPv4 and IPv6.
3.8.3.4
DAI
DAI (Dynamic ARP Inspection) service sends ARP message to CPU to see its validity.
Then this message will be discarded or forwarded. If the ARP message source MAC
address, source IP address, port number and port VLAN are the same as DHCP
Snooping table or manual IP static binding table entry, this message which is considered
as legal ARP message will be forwarded. Otherwise, it will be discarded as illegal ARP
message. As ARP message is sent to CPU, lots of ARP messages will lead to DoS attack.
In real application, DoS attack to ARP message should be defended. ARP message is
only suitable for IPv4 protocol. For IPv6 protocol, ND message will be monitored.
3.8.4
MFF
Based upon RFC 4562, MFF is applied on user access device. It aims at isolating user at
user access side while providing effective IP address distribution. All streams are
forwarded to uplink access gateway, then the gateway will determine the forwarding
direction of these streams (L2 switching stream in one broadcasting domain is included).
In the past, these streams were directly forwarded by access devices, which leaves
potential security risks. MFF ensures user isolation, satisfies Broadband Forum (DSL
Forum in the past) and matches the requirements for access node interconnection and
security in TR101 report demanded by broadband access network.
Compared with PVLAN, MFF not only can realize users L2 isolation, but also saves
some users information. So it is safer in processing and forwarding messages. At the
same time, the communication between users in the same segment of layer 2 is
controlled by gateway router, which makes the network more secure by realizing
integrated control.
65
3.8.5
Network Security
Ideally, user-class virus inspection which requires user to install patch and anti-virus
software is preffered in defending network virus. In most occasions, lots of users can not
accomplish this task, so switch must be able to provide network-class virus inspection
and alarm.
Besides, for some malicious network attacks, the switch must have some protective
mechanisms to avoid the breakdown of the switch and network. ZXR10 8900E series
switch mainly realizes network-based security mechanism. It configure security
inspection service to different units.
In ZXR10 8900E series switch, the network security mainly includes the following
services:
Inspect virus which cause outbreak traffic increase, e.g. SQL worm, red code and
shockwave. Corresponding alarms will be generated, or the client port will be closed.
Avoid users ARP proofing.
MAC address flooding protection. Restrict port MAC address number.
Set port broadcasting packet threshold.
L2, L3 and L4 hybrid ACL filtering.
Route filtering
Forbid ICMP relocation service. Prevent attacker from sending spoofing ICMP message.
66
Defend CPU attack. Implement protocol message protection. Distribute different

hardware CPU queue to protocol message. Set precedence, speed restriction, wred
and other QoS mechanisms. Protect CPU.
Defend DoS attack based upon hardware queue. Support anti-land | null-scan |
ping-of-death | smurf | sys-fin | syn-port-less-1024 | xma-scan | ping-flood |
syn-flood attack. Anti-ping-flood | syn-flood attack can support speed restriction.
Anti-IPv4 URPF source address deception.
Automatic broadcasting storm suppression.
Control/signaling MD5 encryption authentication
DHCP snooping
IP Source guard and DAI based upon DHCP Snooping.
IPv6 ND security
3.8.5.1
Anti-DDoS Attack
Due to more and more complicated network environment, the switch should be more
competent in fighting against attacks. There are lots of ways to prevent DDoS attack,
CPU protection is a very important one.
Currently, controlling protocol message is used to protection CPU. The speed of
messages sent to CPU can be set. If the real speed exceeds the threshold, this message
will be discarded or its transport priority will be modified. CPU protection is implemented
based upon the following principle.
CPU protection is mainly realized by using the switch to monitor the speed of messages
sent to CPU. The speed threshold for messages going to CPU can be set on devices.
When messages are sent to CPU in an abnormal speed, related alarms will be generated
and the NM will be aware of the attack. At this moment, the NM can decide how to
process the message according to the message type and speed. When the protocol
protection unit finds one protocol message is transferred too fast, this unit will send an
alarm to warn user. After reading this alarm, the user can configure protocol protection
shutdown to avoid CPU failure.
Currently, the supported protocols include most L2 and L3 protocols. The covered Ipv4
protocol consists of: OSPF, PIM, IGMP, VRRP, ICMP, ARP reply, ARP request, group
mng, VBASE, DHCP, RIP, BGP, telnet, LDP_TCP, LDP_UDP, TTL=1, BPDU, SNMP,
MSDP and RADIUS. The included Ipv6 protocols are: MLD, ND, ICMP6, BGP4+, RIPng,
OSPFv3, LDPtcp6, LDPudp6, telnet6 and PIM6. L2 protocols cover some messages like
STP and MSTP, as well as some switch L2 ring protocols.
Based upon common CPU protection, 8900E has multi-level CPU protection which
includes: hardware protection, software protection and protocol stack protection. CPU
supports multiple hardware queues to make sure the precedence of key messages. Key
message filtering makes sure key messages are sent to CPU. Protocol stack controls
message transport speed. Via multi-level protection, network efficiency and key services
operation are guaranteed.
Moreover, ZXR10 8900E can also use MAC address learning restriction, port speed
restriction and multi-level ACL filtering to avoid DDoS attack.
3.8.5.2
Unicast Reverse Path Forwarding (uRPF)

Unicast Reverse Path Forwarding (uRPF) can be used to avoid the network attack based
upon source address spoofing.Source address spoofing (A legal address made by
attacker) in common DoS attack uses a fake source address to prevent the device from
providing normal services. uRPF can avoid such attacks effectively. uRPF is made for
normal route search. Normally when router receives packet and gets its destination
address, route table will be looked up as per the destination address. If the route is found,
the packet will be forwarded, otherwise, it will be discarded. uRPF by getting source
address and incoming interface of the packet sets source address as the target address
67
to find out if the interface in forwarding table corresponding to the source address
matches the incoming interface. If not, the source address is considered spoofing, and
the packet will be dropped. In this way, malicious attack launched by modifying the
source address can be stopped.
ZXR10 8900E series swith supports three types of uRPFs, i.e. strict, loose and
loose-ingoring-default-route.
3.8.5.3
Strict mechanism strictly searches for outgoing port and incoming port as per source
address. If they do not match, the packet will be dropped. If they match, process it
normally.
Loose mechanism enables route search as per the source address. If the default
route egress is the same as the ingress, process the packet normally. Otherwise,
discard it.
Loose-ignoring-default-route ignores default route. If the route can be found by the

source address, and it is not the default route, it will be processed normally.
Otherwise, it will be dropped.
ND Security
The introduction of IPv6 can not solve the security issue in original IPv4 network. Some
IPv6 network security problems are also aroused by IPv6 protocol. In IPv6, ND (Neighbor
Discovery) protocol is similar to ARP protocol in IPv4. It resolutes MAC address, and
realizes automatic IP address distribution in non status. ND protocol mainly consists of
RS, RA, NS and NA protocols. RS and RA messages are used to get IP address prefix,
and NS/NA messages are used to get neighbor MAC address. So ND protocol also has
IP address prefix spoofing and MAC address spoofing issues.
ZXR10 8900E supports router trusted port. Trustable router address and restricted ND
learning number can be configured. ND message filtering based upon ND snooping is
supported. It supports the binding relationship between static IP address,l MAC, VLAN
and port. Also, based upon DHCP IPv6 snooping entry, ND message can be inspected.
Only legal messages can be allowed to pass.
3.9
Network Traffic Analysis
3.9.1
Sflow
sFlow service is mainly composed by three parts: sFlow message sampling unit, sFlow
agent unit and sFlow collector(e.g. analyzer). The entire system architecture is as shown
in Figure 3-28.
68
Figure 3-27
sFlow Multi-level Architecture
sFlow sampling and agent units are integrated in the network device. While sFlow
analyzer outside the system analyzes multiple sFlow agent messages in the network.
sFlow sampling service of 8900E is done by ASIC chip.
sFlow sampling service gets message samples via interfaces which give support to sFlow.
The collected messages are sent and processed by sFlow agent.
sFlow Agent is mainly responsible for analyzing the sampled messages, and sent them to
sFlow collector after encapsulation. At the same time, the statistical informaiton at the
interface will be get and sent to sFlow collector.
sFlow Collector is a network device used for sFlow managment , monitoring, collection
and analysis. After saving the messages sent by sFlow Agent, sFlow Collector makes
analysis and writes reports and statistics on device traffic and services. At the same time,
some collectors with MIB service can configure sFlow too.
69
System Architecture
4.1
Appearance
ZXR10 8900E adopts a large-capacity rack structure. Its hardware system is composed
of chassis, backplane, fan chassis, power supply unit, switching MCC and various line
processing cards.
4.1.1
ZXR10 8912E Appearance

ZXR10 8912E appearance is shown in Figure 4-1
70
Figure 4-1
ZXR10 8912E appearance
71
ZXR10 8912E structure is shown in Figure 4-2.
Figure 4-2
4.1.2
ZXR10 8912E structure

ZXR10 8908E appearance is shown in Figure 4-3.
72
Figure 4-3
73
Figure 4-4
4.1.3

74
Figure 4-5
Figure 4-6
75
4.1.4

Figure 4-7
Figure 4-8
4.2
Hardware Architecture
This section introduces the system hardware and working principle of ZXR10 8900E
series core switch and gives users an understanding of the system. This section covers
overall system architecture, functional modules, card principle diagram and working
principles.
76
4.2.1
Overall Hardware Architecture

ZXR10 8900E series switch adopts rack design to implement a system architecture with
separated forwarding plane, control plane and monitoring plane. The three planes work
and implement system functions together. The system uses new-generation
large-capacity high-speed serial bus back plane to connect main control switching card
and all service line cards. The main control card and switching matrix are integrated in
one, which supports 1:1 redundancy design. The main control switching card implements
porotcol and signaling processing, fast data switching, system monitoring, clock
synchronization, and maintenance & management. The main control card adopts
super-large-capacity switching matrix to guarantee the switching capacity necessary for
system wire-speed operation. Main control card uses high-performance CPU and
large-capacity memory to guarantee high-speed protocol processing and storage space
for huge table capacity. Each line card provides wire-speed packet processing capability
by ASIC and provides 10G, GE, 100M and 40G interfaces based on service requirements.
Each line card clock modules implement time and frequency synchronization by
exchange between clock bus and main control clock module, so as to provide reliable
and quality guarantee for clock synchronization. The main control node on the main
control card manages the monitoring node on line cards and collect the monitoring
information on the line cards by the monitoring bus, in order to realize intelligent
management of the equipment. Figure 4-9 and Figure 4-10 are hardware system
architecture diagram of ZXR10 8900E.
Figure 4-9
Figure 4-10
ZXR10 8912E/8908E/8905E hardware system architecture
ZXR10 8902E hardware system architecture
77
XAUI
Line card 1
ASIC
SyncE/
1588
Management and
control Module
IPMC
Line card 2
ASIC
SyncE/
1588
IPMC
IMPC
POWER
SyncE/
1588
Large-capacity high-speed back plane
The system uses the latest passive large-capacity high-speed back plane design, and
adopts 10G high-speed Serdes to connect main control switching card and every line
cards. Thus it guarantees abundant switching capacity for system operation and reserve
enough bandwidth for future upgrades. It supports 400G hardware platform, 40G line
card, and smooth upgrade to 100G line card.
Main control switching card
The main control card is important comprehensive card with 1:1 and 1+1 redundancy.
Each main control switching card covers a high-performance CPU, storage space with
large memory capacity, an inter-board communication switching module, a monitoring
module, and a clock module. Each main control card on 8912E/8908E/8905E contains a
large-capacity switching matrix, which adopts independent design for multiple planes to
guarantee its switching capability and future expansion capability. 8902E main control
card has no switching matrix. Its line card implements back-to-back connection by
high-speed back plane. During operation two main control cards of 8900E series switch
maintain active connection with each other.
Service line card
Service line card directly takes processing of packets. It sends packet to a specific port of
destination service line card based on the processing result. It has its own forwarding
table on each service line card. Forwarding decision is implemented at local to guarantee
wire-speed switching capability. There are many types of service line cards supporting
clock and monitoring. At present the following service line card can be provided based on
the needs:
78
GE service card
10G Ethernet service card
40G Ethernet service card
Power supply
8900E uses intelligent power supply unit. Main control system can monitor the power
supply by RS485 interface to implement its intelligent monitoring of temperature,
over/low-voltage, power-down alarm, and traffic limit.
Intelligent fan
8900E system uses intelligent fan to satisfy the functional requirements of fan speed
adjusting, fan off alarm, fan speed alarm, and fan card temperature detection. It can also
adjust the speed for fan at each slot based on their temperature to save energy.
4.2.2
Working Principles of Hardware System

ZXR10 8912E/8908E/8905E core switch system adopts a distributed architecture which
is composed of forwarding, control and monitoring planes. Forwarding plane implements
wire-speed switching by two-layer hardware switching. Layer 1 switching is implemented
between ports of line cards by local ASIC chip, which is usually called Packet Processor
(abbreviated as PP). Layer 2 switching is implemented between line cards by the
switching matrix on the main control card. It can connect all PP to constitute a
large-capacity switch system. On the control plane, each line card has an independent
CPU to conduct local packet forwarding and protocol processing. It can communicate
with main control card CPU by high-speed channel. CPU implements route calculation,
management and control. The main monitoring node on main control card,
sub-monitoring node on line card and monitoring bus connecting all monitoring nodes
constitute a monitoring plane to realize the monitoring of the equipment and state of the
whole system. The system diagram is shown in Figure 4-11.
79
Figure 4-11
ZXR10 8905E/8908E/8912Esystem hardware diagram
Line card
Line card
XAUI
ASIC
XAUI
SyncE
/1588
..
.
SyncE
/1588
IPMC
..
.
IPMC
Switching
Fabric
XAUI
XAUI
Line card
Line card
ASIC
ASIC
SyncE
/1588
SyncE
/1588
IPMC
ASIC
IPMC
IPMC
POWER
GE Serdes
Management
and control
Module
GE Serdes
SyncE/
1588
The switch structure for ZXR10 8902E is different in switching plane. When 8902E switch
conducts two-layer hardware switching, layer 1 switching is implemented between ports
of line cards. Layer 2 switching is implemented between two line cards by the high-speed
Serdes bus directly connected to line cards. The system diagram is shown in Figure 4-12.
Figure 4-12
ZXR10 8902E system hardware diagram
XAUI
Line card 1
ASIC
SyncE/
1588
Management and
control Module
IPMC
Line card 2
ASIC
SyncE/
1588
IPMC
80
IMPC
POWER
SyncE/
1588
4.3
Hardware Boards
4.3.1
Switching Main Control Board

In actual application of ZXR10 8912E/8908E/8905E, the switching module and control
module are integrated on one main control board, including CPU subcard, switching chip,
clock system and monitoring subcard, realizing management control for the whole
system and switching function for data packets of line cards. It can be divided into the
following functional modules: switching, control, clock, monitoring, outband
communication, power supply and logic modules. Its principle diagram is as shown in
Figure 4-13.
Figure 4-13
Principle diagram of 8912E/8908E/8905E main control board
Hi gh- speed XAUI

i nt er f ace
SDRAM
CROSSBAR
BOOTROM
CPU
syst em
Consol e
i nt er f ace
MGT i nt er f ace
I PMC i nt er f ace
Hi gh- speed XAUI

i nt er f ace
Cl ock
subcar d
Moni t or i ng
subcar d
In actual application of ZXR10 8902E, the main control board realizes the control function.
Its principle diagram is as shown in Figure 4-14.
Figure 4-14
Principle diagram of 8902E main control board
GE i nt er f aces
SDRAM
CROSSBAR
BOOTROM
CPU
syst em
Consol e
i nt er f ace
MGT i nt er f ace
I PMC i nt er f ace
GE i nt er f aces
Cl ock
subcar d
Moni t or i ng
subcar d
81
4.3.1.1
Main Control Module

The main control module consists of a main processor and some external functional
chips, providing various operation interfaces such as serial interface and Ethernet
interface by which the system can process various applications. The main control module
includes the following functional units and fulfills the following tasks:
NMS unit: run system network management protocol, such as SNMP;
Protocol processing unit: run network and route protocols, such as OSPF, RIP and
BGP-4; maintain global routing and forwarding table; responsible for consistence of
multiple processor nodes;
Monitoring unit: provide operation and management interfaces for line cards;
Internal communication unit: provide high-speed signaling channel between boards,

so that the main control board can control the management CPU of other boards
efficiently and correctly through the internal communication module, and transmit
routing information to different boards via this channel.
The main control module has the following features:
82
Have high-performance CPU with powerful processing capability to run L2 and L3

protocol as well as network management and monitoring programs;
Provide GE outband communication channel that can be connected with the

management interface to provide system management and program download and
debugging function;
Provide an RS232 serial port as board debugging and management interface;
Provide temperature detection: each main control board has a temperature

detection component connected to CPU subcard, which can provide temperature
detection and report to background network management system;
Provide system log management function: all logs are stored in system FLASH;
CPU interface is mounted with clock chip to provide correct clock for the system;
Provide active/standby switching, active/standby status signal indication, line card

reset signal and line card online detection functions;
Provide fault level: warning fault and switching fault;
Provide route data synchronization channel between the active and standby
elements.
4.3.1.2
Switching Module
The switching module is responsible for data switching of the whole system and providing
high-speed non-blocking switching channels between line cards. The switching module
employs specialized CROSSBAR chip and integrates multiple high-speed bidirectional
interfaces, so it can process wire-speed switching of multiple line cards. The switching
chip has the following functions:
4.3.1.3
Storage, forwarding and switching;
Support 16K bytes jumbo frame;
Support priority queue: when CoS queue is congested, it can selectively discard
some frames;
Provide a management control counter for each port.
Clock Module
This system adopts synchronous Ethernet Technology to realize clock frequency
synchronization and uses IEEE 1588 to perform phase modulation and time maintenance
to realize clock time synchronization. Synchronous Ethernet can perform system clock
frequency synchronization through the reference clock generated by 4 clock sources:
clock subcard local clock, Bits (2MHZ, 2Mbits), GPS, and line card line restorated clock.
To realize time synchronization, all boards in the system can check time through GPS or
1588 information obtained from any line card.
Synchronous Ethernet restores the clock by the PHY chip in the Ethernet; each interface
board selects one from the restored clocks of all ports and sends it to the two main
control boards respectively via the backplane; the main control board selects two (active
and standby) according to the configured policy and sends them to the clock module as
the one of the references of clock sources; the clock module will select the highest-quality
clock from clock subcard local clock, Bits (2MHZ, 2Mbits), GPS, and line card line
restoration clock and send it to the main control board; or the clock sources can be
configured with different priorities and the highest-priority clock is sent to the main control
board, which then sends this clock to each interface board as clock source for its chip. In
this way, Ethernet clock synchronization of the whole system is realized.
For 1588 processing, the line cards in the system and the main control board exchange
1588 information via bus connection. The main control board or any line card can be
configured as the synchronization source of the system; all other boards obtain
synchronization information from the synchronization source. Moreover, the clock
subcard of main control board can realize conversion between 1588 information and
GPS information via logic component to realize GPS time synchronization function.
83
4.3.1.4
Monitoring Module
The monitoring module (IPMC) is a component of the equipment monitoring system. It
forms intelligent platform management system together with hardware management bus
and software monitoring management module. IPMC is designed as modular subcard
and located at the main control board and other boards. The monitoring modules of the
main control board and other boards are interconnected via monitoring bus.
IPMC module can be divided to IPMC management node and IPMC ordinary node by its
role in the system. IPMC in the active main control board is the manager of subsystems;
the standby main control board and ordinary line cards are all IPMC ordinary nodes. The
line card and standby main control functional nodes collect local information and send it
to the active main control node to provide for the users. The control information sent by
the users is distributed by the active main control node to the line card and standby main
control functional nodes. The management node also monitors system power supply and
fans.
The monitoring module fulfills the following tasks:
4.3.1.5
Information collection: collect information on environment temperature, board

temperature, fan status, power supply statue and power supply power sampling;
Monitoring alarm: set alarm parameters for the above detection items and generate
corresponding alarms when relevant faults occur;
Monitoring management: realize fan rotational speed control by user or automatic

control as well as board power-on and power-off functions.
Main Control Panel diagram and Features

The panel diagram of 8912E main control board named 8912EMSC1D supporting clock
synchronization is as shown.
Figure 4-15
8912EMSC1D main control board panel diagram
The panel diagram of 8912E main control board named 8912EMSC1A without clock
84
Figure 4-16
8912EMSC1A main control board panel diagram
Figure 4-17
Figure 4-18
The panel diagram of 8902E main control board named 8902EMSC1D supporting Clock
synchronization named is as shown.
Figure 4-19
85
The panel diagram of 8902E main control board named 8902EMSC1A without Clock
Figure 4-20
8902EMSC1A main control board panel diagram
The main control board has Console interface, IPMC management interface, MGT
interface, SD card interface and clock interface, that is, one BITS in, one BITS out, one
GPS in and one GPS out. Among them, the Console interface is used for local
configuration and management of the switch; MGT interface is mainly the
10/100/1000BASE-T interface used for upgrade and network management; IMPC
management interface is used to monitor local management of the system; SD interface
is used to insert SD card, which can control the software update, buffer and restoration.
The capacity of SD card can be up to 32G. The features are as shown in Table 4-1.
Table 4-1
Main control board panel interface features
Interface name
86
Feature
Console interface
RJ45 connector
RS232, baud rate 115200bit/s
Transmission distance<15m
MGT interface
10/100/1000 Base-T Ethernet interface

RJ45 connector
Use CAT-5 Unshielded Twisted Pair (UTP) cable
Max. transmission distance 100m
Full duplex/half duplex
IMPC interface
RJ45 CONNECTOR
RS232, baud rate 115200bit/s
Transmission distance<15m
PPS&TOD OUT
interface
GPS signal second pulse (PPS) and time information (TOD)

output
RJ45 CONNECTOR
RS422 level
PPS&TOD IN
interface
GPS signal second pulse (PPS) and time information (TOD)

input
RJ45 CONNECTOR
RS422 level
BITS OUT
interface
BITS signal input

Use BNC connector, 75 coaxial cable
BITS IN interface
BITS signal input

Use BNC connector, 75 coaxial cable
There are a number of buttons on the panel, such as RST, EXCH and CPY. Their
functions are as shown in Table 4-2.
Table 4-2
Main control board panel button function description
Button name
Function
RST
Board reset button, used to reset the whole board
EXCH
Board switching button, used to switch the active main control

board to standby board
CPY
Reserved, not used
The functions of the indicators on the main control board panel are as shown in Table
4-3.
Table 4-3
Main control board panel indicator function description

Indicator
Function
RUN (green)
Off: corresponding line card fault or not in position

Flash: corresponding line card works properly
ALM (red)
Off: corresponding line card has no alarm or not in

position
On: corresponding line card has alarm
RUN (green)
Off: corresponding power module fault or not in

position
On: corresponding power module works properly
ALM (red)
Off: corresponding power module has no alarm or not

in position
On: corresponding power module has alarm
RUN (green)
Off: this main control board has fault

Flash: this main control board works properly
ALM (red)
Off: this main control board has no alarm

On: this main control board has alarm
RUN (green)
On: this board is active

Off: this board is standby
ALM (red)
On: active/standby status is exceptional

Off: active/standby status is normal
RUN (green)
On: fan frame power supply is normal

Off: fan frame power supply is exceptional
ALM (red)
On: fan frame works exceptionally

Off: fan frame works properly or power supply is
exceptional
1~2/5/8/12
PWR1~2/3
RUN
MST
FAN (only
8902E has
this
indicator;
for others,
this is
displayed
on the fan
frame)
87
Indicator
4.3.2
Function
SD interface ACT (green)
On: this interface is inserted with SD card

Off: this interface has no SD card or SD card is
exceptional
Flash: SD card is under reading/writing
ACT (green)
Flash: data receiving/sending on 10/100/1000 Base-T

Ethernet interface
LINK (green)
On: 10/100/1000 Base-T Ethernet interface link has

been established
Off: 10/100/1000 Base-T Ethernet interface is not
connected with any other interface
Power Module
ZXR10 8912E/8908E/8905E/8902E core switches address the practical application need.
To meet the strict requirement for equipment reliability, hot backup is designed for power
supply Module, and both 48V DC power supply and 220V AC power supply are designed.
DC power supply adopts 1+1 mode; AC power supply adopts 1+1 backup or 2+1 backup
depending on different racks, which highly improves the reliability of the power system.
Besides, 8900E series power supply also provides multiple intelligent protection
mechanisms, which can perform protection, detection and fault report for the power
supply according to voltage, current and temperature, including output overvoltage
protection, output overcurrent protection, output undervoltage protection, output
undercurrent protection, overtemperature short-cuicuit protection, input overvoltage
protection, input undervoltage protection, overtemperature, overvoltage, fan fault and
current limit alarm report function, voltage detection report function, current detection
report function and temperature detection report function.
The diagram of 8912E/8908E/8905E DC power rear panel is as shown in Figure 4-21.
Figure 4-21
8912E/8908E/8905E DC power board diagram
The diagram of 8912E/8908E/8905E AC power rear panel is as shown in Figure 4-22.
88
Figure 4-22
8912E/8908E/8905E AC power board diagram
The diagram of 8902E DC power front panel is as shown in Figure 4-23.
Figure 4-23
8902E DC power board diagram
The diagram of 8902E AC power front panel is as shown in Figure 4-24.
Figure 4-24
4.3.3
8902E AC power board diagram
Interface Module
ZXR10 8900E series core switch interface module is the line interface card. The line card
types provided include Gigabit Ethernet interface board, 10G Ethernet optical interface
board and 40G Ethernet optical interface board. All optical interfaces of line cards in
ZXR10 8900E series core switches adopt pluggable optical module, so the same line
card can support multiple kinds of transmission media and transmission distances. Some
line cards provide different types of ports, reducing the number of line cards that may be
needed in many cases, so that the use can get the largest profit with minimal investment.
Moreover, all user electrical interfaces in the line cards have cable diagnosis function.
They can detect the connection of cables at any time, make diagnosis for short circuit and
open circuit of cables and point out the position of the faults with a precision of less than
1m.
89
1.
Types of 8900E interface boards (as shown in Table 4-4)
Table 4-4
8900E interface board type
Board type
Fixed interface line

processing board
name
E1GF24A
H2GF24D
H2GF48D
H2GT48D
90
Port state
Description
24-port NP
enhanced gigabit
optical interface
board
24 GE optical
interfaces; support
100M and gigabit
SFP
With NP extension;
support MPLS; support
big table entry; support
H-QoS; support Ethernet
OAM; support intelligent
monitoring
24-port gigabit
optical interface
board
24 GE optical
interfaces; support
100M and gigabit
SFP
Support MPLS; support

Ethernet OAM; support
clock (SyncE, 1588v2);
support intelligent
monitoring
48-port gigabit
optical interface
board
48 GE optical
interfaces; support
100M and gigabit
SFP

support intelligent
monitoring
48-port gigabit
electrical interface
board
48 GE electrical
interfaces;
10/100/1000M
triple speed

support intelligent
monitoring
H2XF8D
8-port 10G optical

interface board
8*10G optical
interfaces; support
10G SFP+

support intelligent
monitoring
S1XF12A
12-port 10G optical

interface board
12*10G optical
interfaces; support
10G SFP+
Support L2/L3 and

IPv4/v6 features; support
SyncE; support intelligent
monitoring
S2XF48A
48-port 10G optical

interface board
48*10G optical
interfaces; support
10G SFP+
Support L2/L3 and

IPv4/v6 features; Support
MPLS; support SyncE;
support intelligent
monitoring
S2LQ6L2A
6-port 40GE QSFP

optical
interface+2-port
40GE CFP optical
interface board
6*40G QSFP
interfaces+2*40G
CFP interfaces

SyncE; support intelligent
monitoring
2.
Panel diagram of 8900E interface boards
Figure 4-25
E1GF24A
Figure 4-26
H2GF24D
Figure 4-27
H2GF48D
Figure 4-28
H2GT48D
Figure 4-29
H2XF8D
Figure 4-30
S1XF12A
Figure 4-31
S2XF48A
91
Figure 4-32
3.
S2LQ6L2A
Features of optical and electrical interfaces of 8900E interface board
See table 5-2 Interface Indicators.
4.4
Software Architecture
4.4.1
System Software Architecture

ZXR10 8900E series switches are multi-layer switches that have L2 switching, L3 routing
and MPLS L2/L3VPN and that support multiple service functions. They can provide L3
and L3 wire-speed switching and routing and QoS guarantee. The system software
implements system management, control and data forwarding. Its basic work includes
system startup, system configuration management, protocol running, table maintenance,
switching chip setting and state control as well as forwarding of some special messages.
The software system realizes the following functions:
92
Realize main L2 protocol functions, including 802.1D STP protocol, 802.1P priority
level control, 802.1Q VLAN related functions and 802.3ad link aggregation function;
Support IPv4/IPv6 protocol stack and basic routing protocol;
Realize multicast protocol and support IPTV deployment;
Realize ACL and DHCP multi-layer services;
Realize partial broadband access function;
Realize the Agent function of network management protocol SNMPv3;
The user can perform network management for Ethernet switch via serial port
terminal, Telnet/SSH and SNMP Manager, including: network configuration
management, fault management, performance management and security
management;
Software version can be upgraded smoothly; the active and standby protocol
processing cards and switching network cards support online upgrade;
Equipment security and network security functions;
Realize MPLS related functions, including MPLS VPN, MPLS OAM and MPLS QoS;
Support fast switching and convergence of routes, links and network; provide highly
reliable protection.
ZXR10 8900E series switch products adopt brand new software architecture
various functions of the software system. The two major subsystems unified
platform and new-generation protocol stack platform together with OAM, DB,
management and operating system (CGEL) subsystems comprise 8900E
software architecture, as shown in Figure 4-33:
Figure 4-33
to fulfill
support
product
product
8900E software system architecture
PM
tn
e
m
eg
an
a
m
n
o
is
re
V
tn
e
m
eg
Software
an (protocol stack)
aplatform
en
m
al
tn
p
e
g
m
n
id
p
t
iu
n
ra
e
q
m
E
rw
g
an o
a F
m
DB
OAM
n
o
tic
en
n
o
rce
tn r
i et
n
Ie
n
la-p
Distributed operating system infrastructure
Forwarding plane (firmware such as ASIC/microcode/FPGA)
The functions of each subsystem are described below:
Unified support platform: It has operating system platform, componentized release

and process space separation, and supports dynamic loading and hot patch
capabilities. With the ability to be released independently, supporting centralized
and distributed systems, the unified support platform can serve as the support
platform for most product lines.
New-generation software platform: As the next-generation TCP/IP protocol stack

platform, ZXROS (Zhong Xing Route Operating System) Version 5.0 supports full
93
series of data products and service products from low end to high end. The protocol
stack is realized in different processes by functional block to ensure the
independence and reliability of functions and locate software fault with ease. It has
NSR function, fast convergence capability, and mass route management capability.
The whole equipment can support 64K VPN to ensure the competitiveness and
progressiveness.
4.4.2
OAM: The system provides CLI, SNMP and HTTP management interfaces; the
foreground performs overall management for the system in a unified way. For
upper-level application part, OAM only provides management mechanism; relevant
management functions can be added for the services separately to realize loose
coupling of OAM and application.
DB: On the basis of the existing DB system, the system realizes multi-process
repelling mechanism to ensure data intactness; database access can be performed
concurrently in multi-channel multi-kernel system to improve access efficiency.
Product management: The software platform only concerns protocol realization; the
other functions including equipment management, equipment monitoring, version
management and line card management are all realized by product management.
OS: The operating system adopts self-developed Linux-based CGEL and is totally
compatible with Linux standard system architecture. It supports multiple kernels,
double state and multiple processes, and so meet the requirement for timeliness. It
supports diverse drivers and realizes distributed extension.
Software Platform
ZXR10 8900E core switch is the latest Version 5.0 of the next-generation IP protocol
stack platform ZXROS (Zhong Xing Route Operating System). The protocol realization of
this platform is irrelevant to product; it only perceives protocol service functions but not
specific products. All software components can run in the user state of micro kernel
system to enhance system security; software components belong to different separate
process spaces, realizing safe isolation of illegal operation of application program; the
software is based on componentized management; component functions can be
developed independently and independent versions can be released; non-stopping
routing capability, distributed processing and fast reliable synchronization between
different CPUs. The overall software components o ZXROS V5.0 software platform is as
94
Figure 4-34
n
New-generation ZXROS V5.0 software platform system architecture
o
i
t
a
r
u
g
fi
n
o
C
Software platform
Configuration management and
resource maintenance
O
A
M
Application protocol subsystem

FTP
NETFLOW
TACACS+
RADIUS
Routing protocol
subsystem
......
PING
MPLS subsystem
NTP
TRACE
L2 protocol
subsystem
L3&PSS subsystem (message receiving/sending, interface management,

table management, etc.)
Distributed infrastructure
Operating system micro-kernel
ZXROS V5.0 software platform includes the following subsystems:
Route subsystem: including unicast routing protocol and multicast routing protocol;
L2 subsystem: include all L2 functional protocols;
MPLS subsystem: include LDP, RSVP and PWE3 functional protocol;
L3&PSS subsystem: include TCP/UDP, ARP, ND, message receiving/sending,

interface management, routing table, label table management, forwarding table
collection, integration and synchronization;
Configuration and resource management subsystem: include configuration

management modules such as ACL, route-map, L2VPN and L3VPN and system
resource management such as label and ip pool;
Application protocol subsystem: include various application protocols such as

Netflow, Radius, NTP and Telnet.
The key and competitive technologies of this software platform reflected in the following
aspects:
The system kernel resource runs in the highest priority mode and all software
components run in the user state of the micro-kernel system to enhance system
security (up/down isolation);
Software components belong to different separate process spaces, realizing safe

isolation of illegal operation of application program (left/right separation);
component functions can be developed independently and independent versions

can be released;
95
Software system architecture supports distributed protocol processing: message

communication is used between processes;
Fast data synchronization can be realized between multiple CPUs; reliable multicast
can be used to increase route convergence speed;
Separation of command configuration processing and specific protocol realization;

low coupling of command scripts of platform and project;
Have unified external interfaces that support fast secondary development and can
integrate with purchased parts;
Support non-stopping routing capability (NSR);
Support cluster technology.
Meanwhile, ZXROS V5.0 software platform has the following features:
96
High reliability and stability: meet the requirement of long-term stable running of
network
The faults of component do not affect each other
Software components release versions and upgrade independently
Low coupling of platform and project
Real-time performance: meet the time requirement for large-scale dynamic routing
protocol, network management protocol and data synchronization between multiple
processors.
Self restoration: try to detect, process and record exceptions in the whole system,
perform necessary error restoration and equipment switching in exceptional cases.
Maintainable: perform necessary tracing and recording of usage and invocation of

core resource and system service; the components are independent of each other
which make it easier to trace faults.
Simple: only provide necessary system services to application programs and shield
unnecessary system services.
Encapsulation: completely shield hardware characteristics to make application

layer irrelevant to hardware, providing a unified and portable software platform for
the application programs of processors.
Smooth evolution: support fast secondary development; able to integrate with

purchased software and respond to customer requirements rapidly.
97
Technical Specifications
5.1
Basic features
Table 5-1
Basic features and performance

Description
Features
Basic
Perform
ance
Physica
l
parame
ters
Slot
number
Power
Environ
mental
Require
98
8912E
8908E
Backplane
bandwidth
19.2 Tbps
19.2 Tbps
12Tbps
3.2Tbps
Switching
capacity
2Tbps/7.68T
bps
2Tbps/7.68T
bps
1.28Tbps/4.8
Tbps
960Gbps
Throughpu
t
1536Mpps/5
760Mpps
1536Mpps/5
760Mpps
960
Mpps/3600M
pps
720Mpps
GE Port
Densities
576
384
240
96
10GE Port
Densities
576
384
240
96
40GE Port
Densities
96
64
40
16
Dimension
s (Height x
Width x
Depth)
753mm*442
mm*446mm
575mm*442
mm*446mm
442mm*442
mm*446mm
175mm*442
mm*420mm
Weight
<89.7kg
<64.9kg
<51.2kg
<24kg
Total slot
14
10
Service
board slot
12
Power
supply
(AC)
100V240V, 50Hz 60Hz
Power
Supply
(DC)
-57V-40V
Maximum
power
consumpti
on
<2718W
Operating
temperatur
e
Long time:-5C+45C
Short time:-10C+55C
<2084W
8905E
<1235W
8902E
<300W
Features
ments
Storage
temperatur
e
5.2
Description
-40C+70C
Relative
Humidity
5%95%, non-condensing
Earthquak
e-proof
Richter 8 scale earthquake
Interface Specifications
Table 5-2
Interface Specifications
Interface type
Description
10 /100 /1000BASE-T
IEEE802.3z
RJ45 connector. Category-5 UTP cables
Transmission distance: 100m
Half duplex/Full duplex
MDI/MDIX
100BASE-FX (SFP-M02K)
LC connector. Multi-mode fiber. Wavelength:

1310nm. Max. transmission distance: 2km
Transmission power: -19dBm ~ -14dBm. Receive
sensitivity: <-30dBm
100BASE-FX (SFP-S15K)
LC connector. Single-mode fiber. Wavelength:

Transmission power: -14dBm ~-8dBm. Receive
sensitivity:<-31dBm

Transmission power: -4dBm ~ -0dBm. Receive
sensitivity:<-37dBm

Transmission power: -3~+3dBm. Receive
1000BASE-SX (SFP-M500)

850nm. Max. transmission distance: 500m
Transmission power: -9.5dBm~-4dBm. Receive
1000BASE-LX (SFP-S10K)

Transmission power: -9.5dBm~-3dBm. Receive
99
Interface type
100
Description
1000BASE-LX (SFP-S40K)

Transmission power: -4dBm~0dBm. Receive
sensitivity: <-22dBm.
1000BASE-LX
(SFP-S40K-1550)

Transmission power: -5dBm0dBm. Receive
1000BASE-LH (SFP-S80K)

Transmission power: 0dBm~5dBm. Receive
1000BASE-LH (SFP-S120K)

Transmission power: 5dBm~9dBm. Receive
sensitivity: <-24dBm.
10GBASE-SR (SFP+-M300)

850nm. Max. transmission distance: 300m
Transmission power: -7.3dBm-1.0dBm. Receive
sensitivity: <-11.1dBm
10GBASE-LR (SFP+-S10K)

1310nm. Max. transmission distance: 10Km
Transmission power: -8.2dBm0.5dBm. Receive
10GBASE-ER/EW
(SFP+-S40K)

1550nm. Max. transmission distance: 40Km
Transmission power: -4.7dBm4.0dBm. Receive
40GBASE-SR4 (QSFP+150-D)
40G QSFP optical transceivers

Wavelength:850nm
Max. transmission distance: 150m
Transmission power: -7.0dBm+2.3dBm.
Receive sensitivity: <-5.4dBm
40GBASE-LR4
(CFP+-S10K-D)
40G CFP optical transceivers

Wavelength: 1270nm,1290nm,1310nm,1330nm
Max. transmission distance: 10Km
Transmission power: -7.0dBm2.3dBm.
Receive sensitivity: <-11.5dBm
5.3
Functions
5.3.1
L2 features
Table 5-3
L2 features
Features
Description
VLAN
Port-based VLAN, Protocol-based VLAN, IP

subnet-based VLAN
VLAN translation
PVLAN
Super VLAN
QinQ
IEEE 802.1ad (QinQ)

Selective QinQ and priority mapping
TPID modification
MAC
MAC address learning, aging, and freezing

Static MAC configuration
MAC address number limit for preventing attacks
MAC address binding
Link
aggregation
IEEE 802.3ad (link aggregation)

Static port aggregation
Inter-board link aggregation
Multi-chassis link aggregation
Port
Loop detect
Port-based broadcast/multicast/unknown Unicast
storm suppression
Jumbo frames
Flow control
Peak Traffic Statistics in one minute
Default shutdown
ARP
Static ARP configuration

ARP learning, aging
ARP Proxy
Preventing ARP attacks
STP
IEEE 802.1d (STP)/802.1w (RSTP)/802.1s (MSTP)

Preventing BPDU attacks
MIRROR
Ingress port mirroring, Egress port mirroring and

Traffic mirroring
one-to-one, one-to-many, many-to-one, and
many-to-many mirroring
RSPAN
ERSPAN
Ethernet OAM
IEEE 802.1ag
IEEE 802.3ah
L2 features
101
5.3.2
L3 features
Table 5-4
L3 features
Features
IPv4 unicast
routing
IPv4 Static routing

RIPv1/v2, OSPFv2, IS-IS, BGP-4
Policy routing
VRRP
URPF
ECMP
IPv6 unicast
routing
ND, ND security, PMTUD

IPv6 Static routing
RIPng, OSPFv3, IS-ISv6, BGP4+
6to4 tunnels, 6in4 tunnels, ISATAP
6PE
L3 features
5.3.3
Description
Multicast features
Table 5-5
Multicast features
Features
L2 Multicast
IGMP Snooping/proxy
IGMP rate limit, IGMP rate filter
MLD snooping
PIM snooping
Multicast VLAN
L3 Multicast
Static Multicast
IGMPv1/v2/v3
PIM-SM, PIM-SSM, PIM-DM, MSDP
Anycast RP
VPN
Multicast VPN
Multicast
5.3.4
Description
MPLS
Table 5-6
MPLS feature
Features
Basic
LDP
CR-LDP
RSVP/RSVP-TE
MPLS L2 VPN
VPLSVPWSH-VPLS(QinQ Access, LSP Access)

Vrf to Vrf method/Single-hop M-EBGP method
MPLS
102
Description
Features
5.3.5
Description
/Multi-hop M-EBGP method for Inter-AS L2 VPN
CE dual-home to PE
UPE dual-home to NPE
MPLS L3 VPN
L3 VPN FRR
L3 VPN ECMP
Vrf to Vrf method/Single-hop M-EBGP method
/Multi-hop M-EBGP method for Inter-AS L3 VPN
Multi-VRF(MCE)
MPLS TE
Static LSP
Explicit-path LSP
LSP Priorities/LSP Preemption/LSP Backup
MPLS TE FRR
MPLS L2VPN /MPLS L3VPN Over TE
LDP over TE
MPLS OAM
CV/FFD
1 to 1 redundancy
MPLS Ping
MPLS Trace Route
VCCV ping for VPWS
QoS
Table 5-7
QoS
Features
Description
Classification
Physical port-based Classification

Physical port and ACL based Classification
Marking and
Remarking
802.1p, IP Precedence, IP DSCP, IP TOS, MPLS

EXP priority marking and remarking
Mapping priority between double VLAN tag
Flow control
Ingress port-based CAR

Flow-based CAR
Ingress/Egress Traffic Meter
Remarking based on Traffic Meter
Congestion
avoidance
Bandwidth control based on flow

RED, WRED
Scheduling
Minimum of 8 priority queues per port

Minimum bandwidth guarantee/ maximum bandwidth
limitation per queue based
Queue scheduling mechanisms: SP, WRR,
SP+WRR, WDRR
Shaping
Shaping per egress port

Shaping per specified queue
QoS
103
Features
H-QoS
5.3.6
Description
ingress/egress H-QoS with 4-level queues and
3-level scheduling
H-QoS for MPLS L2/L3 VPN
H-QoS
Service Management
Table 5-8
Service Management
Features
IEEE 802.1X, 802.1X Relay, 802.1X RADIUS Accounting, and

forcing user offline
RADIUS and TACACS+ authentication
Hierarchical user management
IPTV management (CAC, CDR, UMS)
DHCPv4 Server, DHCP v4 Relay, DHCP v4/v6 Snooping
Supporting DHCP OPTION 82
Service
Management
5.3.7
Description
Reliability
Table 5-9
Reliability
Features
Availability
104
Description
8912E
8908E
>200000 hours
MTTR
<30 minutes
Availability
99.999%
Hot
plugging
Hot plugging of all components
main
control
board
1+1 redundancy backup
power
module
AC: 2+1
redundancy,
DC: 1+1
redundancy
8902E
AC 1+1 redundancy, DC 1+1 redundancy
8905E
MTBF
Features
Description
MPLS-TE end-to-end Path protection
MPLS-TE FRR
IP FRR
LDP FRR
Multicast FRR
BFD for Static Routing, LDP, OSPF, ISIS, BGP, RIP, VRRP,
LSP, FRR, PIM DR, Super VLAN
Graceful Restart
NSF
VRRP
Protection against loops for VPLS
ESRP+ Ethernet ring protection
Dual uplink dual homing protection
ECMP
UDLD
LLDP
LACP, MC-ELAM
Reliability
5.3.8
System security
Table 5-10
System security
Features
Anti
System
security
Description
Attacks
Defend against attacks of DoS, MAC flood, ARP

Spoof, IP Spoof, SYN flood of TCP, UDP flood, PING
flood, Ping of Death, LAND, SMURF, Session
hijacking, broadcast storms, IP fragment and large
traffic
BPDU guard, root guard, and loop guard
IPv4 uRPF
Hierarchical protection of command lines to prevent
unauthorized users and grant different configuration
rights to different levels of users
CPU
protection
CPU channel guard by rate limiting of the messages

sent to CPU
Filter of the messages sent to CPU
Priority Assignment of the messages sent to CPU
Advanced
Security
Log record
Broadcast storm auto suppression
Hybrid ACL with L2, L3 and L4 fields filtering
OSPF, RIP, and BGP MD5 authentication
IP source guard/DAI
ND Security
DPI
FIREWALL
105
5.3.9
Table 5-11
Features
Synchronized
Ethernet
Restore and extract clock data from the Synchronous

Ethernet links
Clock distribution in chassis
Extract clock from physical links, BITS (2MHZ,
2Mbits) and GPS
SSM (synchronization status message) handling
IEEE 1588v2
Clock Recovery from 1588v2 PTP

Transparent Clocks
E2E/P2P modes
Precision Time Synchronization
Best Master Clock (BMC) algorithm
Clock
5.3.10
Description
Operating and Maintenance

Table 5-12
Operating and Maintenance

Features
Operating and
Maintenance
Group
Management
ZGMP, LLDP/ZTP/ZGMP
Traffic
Monitoring
sFlow
OAM
Ethernet OAM
Operating
and
Maintenance
106
Description
Command lines configuration
Hierarchical protection of command lines to prevent
unauthorized users and grant different configuration
rights to different levels of users
Password Aging and Verification
Terminal services through the Console
User Access Service Management
Remote Management via SSH, TELNET, SNMP
FTP/TFTP
Multi-mode alarm service (Sound, Light, etc.)
Unified NMS of ZXNM01
Hierarchical commands through NMS
User access control
Configuration saving and restore
Log record, SyslogRMON
NTP clocks
IPv6 network management
Supporting standard MIB
Traffic statistics
Features
Description
Network testing tools (LSP Ping, LSP trace route,
VPLS MAC Ping, etc.)
107
Typical Networking Mode
6.1
Application in Metro Ethernet

ZXR10 8900E can be deployed in the aggregation layer of metro Ethernet. Metro
Ethernet has the demand for unified bearing of mobile, fixed broadband and Enterprise
Customer and separated bearing of IP-based audio, video, data and IPTV services.
ZXR10 8900E can realize full-service bearing and isolation of different service by VPN
technology and provide carrier-class reliability for the operators with ring network
technology, multiple protection technologies and OAM.
Realize isolation of end-to-end service and bearing by MPLS to edge mode to

provide higher reliability and security;
Different service planes bear different services by MPLS VPN technology;
Ensure 50ms fast protection switching by MPLS TE/FRR/BFD technology;
Realize fast fault discovery by MPLS OAM/Ethernet OAM to improve network

operation maintenance capability.
Common networking of multi-service bearer metro Ethernet is as shown in Figure 6-1.
Figure 6-1
108
Application in metro network
6.2
Application in Data Center

Due to the development of broadband communications network, there are more and
more people using fixed network and broadband network. As a result, interactive service
and all sorts of Internet application are booming. Customers raise higher demands for
resource, system operaiton and maintenance. The data center nowadays has to face
unexpected pressure from capacity extension, power consumption and maintenance.
ZXR10 8900E series switch with high-density 10G port and high-performance switching
capacity, can be deployed in the core/aggregation layer of the data center network. It
helps users to reduce their TCO and eliminate problems in capacity extension and OAM.
89E features large bandwidth, high performance and large capacity. So it can
provide high-speed path for data center and cloud computing, ensuring
non-blocking traffic.
With rich NM services, 8900E provides graphic network management, which

enables data center maintenance engineer to carry out equipment maintenance. By
providing northbound interface, it realizes unified network management.
As a green and energy-saving product, 8900E with 40nm chip is designed with
controllable line card and port, which effectively reduces the power consumption of
the devices in the data center.
Common data center networking mode is as shown in Figure 6-2.
Figure 6-2
Application of Data Center
109
6.3
Application in Campus Network

Community network core layer requires large bandwidth and high-density port. The entire
network must support user access authentification and security guarantee policies.
ZXR10 8900E series switch can be deployed in community network core layer to
implement high-speed service forwarding and service protection. The features of 8900E
in enterprise network are:
The enterprise user should pay more attention to costs reduction and internal
security enhancement. With rich security features, ZXR10 8900E supports DHCP
server and snooping which gives conveniences to address management. It supports
multiple authentication mechanisms like Radius and TACACS+ to realize authorized
management. Besides, IP source guard, DAI and anti-DOS attack security guard
services are provided to reduce network attacks. By support SQA, 8900E series
switch can know operation status of application servers and reduce network failure.
Provide complete IPv6 solution. Via dual-stack technology and multiple v4/v6 tunnel
technologies, it realizes seamless migration from IPv4 to IPv6. It helps universities
to develop IPv6 research and facilitate IPv6 development.
The common enterprise networking mode is as shown in Figure 6-3.
Figure 6-3
110
Enterprise network Application
6.4
Application in FTTx
Due to the increasing growth of services, users nowadays have higher requirements for
access bandwidth and QoS quality. Traditional DSL access bandwidth is far behind the
requirment of future service development. As the costs of optical access keeps going
down, E-FTTx access becomes mainstream development in the future. ZXR10 8900E
supports green and eco-friendly E-FTTx access mode, which in other words enables the
access of the existing cable fibers while satisfying 100M/1000M optical access scenarios.
With rich interface cards, ZXR10 8900E provides highly integrated and
large-bandwidth access mode, which effectively meets the requirements of FTTx for
high density and high extensibility.
Via rich QoS feature, ZXR10 8900E realizes differentiated multiservice control as
per different service requirements. It provides pefect user experience for low-latency
and low-jitter services.
ZXR10 8900E supports SVLAN and MFF technologies to isolate service and user. It
makes the network much safer.
Ethernet intelligent ring protection technology ZESR/ZESS satisfies different users

with different requirements for reliability.
Switch-based IP over DWDM enables lower costs in network construction and

maintenance. It is known for more powerful scalability too.
Common FTTx networking mode is as shown in Figure 6-4.
Figure 6-4
FTTx Application
111
6.5
Application in IP RAN
IP backhaul focuses on the interconnection between base station and wireless service
control point (Gateway) to realize the implementation of mobile IP voice and data
services. In traditional 2G network, BTS uses TDM E1/T1 to access BSC (Base Station
Controller). With the development of wireless network, IP Node B gradually becomes
popular in 3G network as it can provide Ethernet interface to enable upstream traffic via
the switch. The wireless traffic accesses/aggregates to RNC. IP backhaul network
requires clock synchronization, high scalability and high reliability. ZXR10 8900E can be
deployed on the aggregation node of IP Backhaul to serve for the entire network.
IP backhaul requires end-to-end clock synchronization. 8900E provides SyncE+1588v2
solution which synchronizes high-precise clock signal like BITS to all base stations.
The BS access ring and aggregation ring have ring protection requirements. 8900E
realizes 50ms switchover via ZESR+ (EAPS) Ethernet ring.
By supporting superVLAN and QinQ technologies, 8900E reduces the load of the
gateway when multiple base stations get accessed, which consumes less IP
address, realizes unified base station management and makes the network more
scalable.
8900E supports VPLS/H-VPLS and MPLS L3VPN technologies to give better

support to multipoint-to-multipoint access.
Common IP Backhaul networking mode is as shown in Figure 6-5.
Figure 6-5
112
Application in IP RAN
Operation and Maintenance
7.1
NetNumen U31 Unified Network Management

Platform
IP network is going to bear more and more services. At the same time, due to large-scale
network, complicated configuration and high market expectation, network management
and working load become more complicated and bigger. Manual operation and negative
maintenance obviously can not guarantee reliable operation of the entire system.
Maintenance staffs nowadays have to think of the way to arrange fast service deployment
in the network, guarantee reliable network operation, forcast network operation quality
and find out the network failure in the shortest time when problems occur. So active
network monitoring, automatic network failure inspection and settlement must be
implemented to make sure sound network operation and maximum network benefit.
ZTE based upon the times call develops NetNumen U31 unified network management
system. Concentrating on multiple products like router, switch, ZXR10 8900E, NetNumen
U31 is an integrated network management system melting network element
management, network management and service management together. It supports
multiple database, graphic interface in multiple languages and convenient operation.
Provding flexible northbound interface, it is capable of powerful interconnection.
7.1.1
Network Management Networking Mode

Inband management and outband management can be used between NetNumen U31
NM system and ZXR10 8900E.
7.1.1.1
Inband Management
For inband management, network management information and service data are
transferred in the same channel without asking for an extra DCN network. NetNumen
U31 NM system only needs to connect with network devices nearby and configure SNMP
parameters.
The advantage of inband management: flexible netwoking and no extra investment.
However, network management information takes up too much bandwidth, which may
seriously influence service quality.
113
7.1.1.2
Outband Management
For outband management, the network management information which is independent
from service data is transferred in network management network. An extra DCN network
is required. NetNumen U31 network management system connects with the outband
management interface of ZXR10 8900E, so that, the network management information
and service information can be transferred independently.
The advantage of outband management: The breakdown of service channel is
independent from the device management carried out by the network management
station. The network management information can be transferred more reliablely. But
independent network management network is seriously restricted by areas and locations,
and extra investment is needed.
7.1.2
NetNumen U31 Network Management System

NetNumen U31 network management system developed by ZTE is an integrated
management system concentrating on multiple ZTE products like router, switch and CE,
etc. Covering NE management, network management and service management, the
network management system provides the following services.
Failure management ensures stable network operation.
In network management maintenance, the management staff wants to know the network
running status to make sure stable operation. The failure management service of
NetNumen U31 is responsible for receiving real-time device alarms and network events
of all Nes in the entire network. With all these audible and visible services, maintenance
staffs can make proper process after confirmation, e.g. file alarm reports for future
alarm stat. and query. Failure management is a very important and commonly used
method in user network operation maintenance, via which, users know ZXR10 8900E
running and failure status, implement real-time monitoring, fault filtration, fault location,
fault confirmation, fault deletion and fault analysis. NetNumen U31 system also provides
voice tip, graphic alarm board and real-time access to alarm box system, Email and SMS
to give user in-time notification. It gives conveniences to users daily maintenance.
Performance management gives overall understanding of network services.
Network traffic direction and traffic load are two key issues in network management.
Performance management unit of NetNumen U31 is responsible for data network and
device performance monitoring and analysis. Corresponding reports are generated when
all sorts of performance data got from NE are processed, so that the maintenance and
management departments can use them in future network construction, planning,
adjustment and quality improvement. By performance management, users can
implement statistics of device load, traffic direction and interface load, etc. In this way,
they can get real-time network service quality and make in-time evaluation to network
resource configuration.
114
Resource management enables rational use of network resource.

Resource management system which realizes physical resource and local resource
management is a critical base station in operators service process. It is the most
precondition in realizing automatic service intiation and service guarantee. By using
resource management, user not only knows the management situation of the device,
board, interface and interface in the network, but also can understand the running status
of logcal resources like VLAN, L2/L3 VPN and MAC address in the network.
View management makes network running status clear.
View management provides unified network topology and multiview management which
enables user to know entire network topology and device running status. At the same
time, it offers network and device operating and maintenance interfaces. User can know
network device running status and alarm situation via the view management. At the same
time, it guides to other management systems.
Configuration management enables fast service deployment.
Configuration management enables ZXR10 8900E configuration, including device

management, interface management, VLAN management, L2 attribute management,
MPLS management, routing protocol management, QoS management, software upgrade
management and configuration file management, etc. Also, it supports multiple
customer-friendly configurtion modes like end-to-end configuration, in-batch configuration,
wizard-based configuration. At the same time, default configuration templates of
corresponding management are provided too.
Security management makes the network safer.
Security management makes sure legal adoption of the system. It realizes user, user
group ad role management. By arranging rational relationship between user, user group
and rule, it provides security mechanism for administrators safe management.
Certification based upon login prevents illegal users from accessing the system.
Authorized operation ensures secure operations.
Northbound interface makes integration easy.
Due to the booming telecom services, one operator sometimes has to manage multiple
NE-based or network-based professional network management systems. Independent
information in different professional NMs, complicated contents, diversified operating
interfaces generate more and more restrictions. In order to make entire entwork
management more efficient, one network management station can be used to control all
interconnected networks, so that end-to-end integrated management can be
implemented.
Interfaces are used between integrated NM and professional networks. The network
should provide standard open northbound interface for the integrated network
management system, so that they can integrate together rapidly and reliably. NetNumen
115
U31 supports multiple northbound interfaces, e.g. CORBA, SNMP, TL1,XML and FTP
etc.
7.2
Maintenance and Management
7.2.1
Multiple Configuration Modes

ZXR10 8900E provides multiple device access and management configuration modes,
which enables customers to choose proper connection way as per different application
scenarios.
Multiple configuration and management modes:
116
Serial connection configuration using VT100 termianl mode, serial connection

can use Window operating system to offer super terminal tool for configuration. Bare
metal or devices without connection or configuration must use this connection
configuration mode.
Telnet connection configuration:
Configure the switch according to IP address of the management Ethernet port

(10/100/1000Base-T) on Telnet MPU.
Configure IP address under VLAN interface. Set user name and password.
Configure the switch according to IP address of telnet VLAN interface. When
remote users wan to access the device and communicate with it, they have to
choose this connection configuration method.
SSH (Secure Shell)protocol connection configuration: initate SSH server service on

ZXR10 8900E. Connect VLAN port IP address or management Etnerhet IP address
via SSH client software to configure safer switch. When remote customers have
higher security requirements, this connection configuration mode should be
preferred.
SNMP connection configuration: the background network management server is

called SNMP server. The front device ZXR10 8900E is the Client of SNMP. Sharing
one MIB management base, the front and background servers implement
management configuration on ZXR10 8900E via the network management
software. This connection configuration mode enables user to apply network
management software to carry out effective management configuration.
7.2.2
Monitoring and Maintenance

ZXR10 8900E supports multiple types of equipment monitoring, management and
maintenance. These services enable the device to take correct action in any abnomal
cicurmstance. Also, they can offer all parameters related to equipment operation.
7.2.2.1
7.2.2.2
Equipment Monitoring
There are indicators on power supply unit, fan, MPU and all sorts of interface card to
show the operating status of the components.
MPU hot-swappable implementation and switchover event are recorded.
When fan, power supply unit and temperature are wrong, sound alarm and software
alarm will be generated.
Check the cross-division feature of the version when the system is running.
Check module temperature automatically in the course of running the system.

Provide temperature control and software alarm services.
The system monitors the running status of the software. If serious abnormity
happens, line card will be restarted and the MPU will be switched over.
Equipment Management and Maintenance
The command line provides flexible online help.
Provide hierarchical user authority management and command.
Support information center. Provide unified management of log, alarm and

debugging information.
Support switch cluster management. Provide unified maintenance management

channel for multiple devices.
Query basic information of MUP, interface card and optical module via CLI
command line.
Enable the query of multiple information, including version, component status,

environment temperature, CPU and memory utilization.
Support one-touch device information collection. The command result can either be
displayed on the device or input in the file. Hardware environment, software
information, version information, data configuration, real-time device running status
and protocol information can be displayed. This information can be totally or partially
exported.
117
ZXR10 8900E provides multiple diagnosis and debugging methods, which enables user
to have more ways to adjust the device and to have more debugging information.
7.2.3
Ping and TraceRoute: network connectivity confirmation and packet transmission

path record can be the reference of fault location.
Debug: each software has rich debug commands. Each debug command supports
multiple debugging parameters, so it can be controlled flexibly. Debugging
command can be used to export specific device operating process, message
processing and tolerance inspection, etc.
Mirroring service: interface-based mirroring service is supported. The input/output or

bidirectional messages of the observed interface are completely replicated to the
observing interface. Giving support to RSPAN and ERSPAN, it can implement
remote port mirroring.
OAM service: check network status via multiple OAM messages. Device, link and
network fault can be monitored. It helps user to locate the failure rapidly.
SQA: SQA service can send all sorts of detective message to see if multiple
applications and services are on line.
Software Upgrade
ZXR10 8900E enables software upgrade in normal and abnormal circumstances.
7.2.4
Version upgrade when the system is wrong: by changing boot intiation mode the
version upgrade carried out when the device can not be initiated can be done by
downloading new version from the management Ethernet port.
Version upgrade when the system is normal: local or remote FTP online upgrade is
provided when the device is working correctly.
File System Management

1.
File System Introduction
In ZXR10 8900E, the software and configuration files are saved in FLASH. The upgrade
and configuration storage of the software version require FLASH operation. FLASH
includes three default categories, i.e. IMG, CFG and DATA.
118
IMG: this category is used to save software version file. The software version file
ended with .zar is special compression file. Version upgrade refers to the upgrade of
the software version file in this category.
CFG: the configuration file is saved in this category. The configuration file is named
startrun.dat.
DATA: this category is used to save equipment abnormal information. The file
format is time.zte.
2.
File System Operation
File backup and recovery: FTP/TFTP is used to backup the software version file,
configuration file and log file of ZXR10 8900E to backgroud server. Or the backup
file can be recovered from the background server.
File export and import: files can be exported and imported. Copy files to the
background host via FTP/TFTP. The achievement of the alarm file and the
modification of the configuration file can be done by importing or exporting services.
119
Glossary
Table 8-1
Abbreviations
Abbreviations
120
Full Characteristics
ACL
Access Control List
APS
Automatic Protect Switch
ASIC
Application Specific Integrated Circuit
ATM
Asynchronous Transfer Mode
BFD
Bidirectional
BGP
Border Gateway Protocol
Forwarding Detection
BPDU
Bridge PDU
CAN
Controller-area Network
CAPEX
Capital Expenditures
CDN
Content Distribution Network
CDR
Call Detail Record
CE
Carrier Ethernet
CV
Connectivity Verification
DoS
Denial of Service
DPI
Deep Packet Inspection
DVMRP
Distance vector Multicast Routing Protocol
EAPS
Ethernet Automatic
ECMP
Equal Cost of Multipath
ESRP
Ethernet standby Routing Protocol
FFD
Fast Failure Detection
FRR
Fast Reroute
GPS
Global Position System
GR
Graceful restart
H-VPLS
Hierarchical Virtual Private Lan Service
ICMP
Internet Control Message Protocol
IGMP
Internet Group
ISIS
Intermediate SystemIntermediate System
LACP
Link Aggregation Control Protocol
LSP
Label Switch Path
MPLS
MultiProtocol Label Switching
MSTP
Multiple Spanning Tree Protocol
MTU
Maximum Transmission Unit
NE
Network Element
Protection Switching
Management Protocol
Abbreviations
NGN
Next Generation Network
OAM
Operations Administration and Maintenance
OPEX
Operation Expense
OSPF
Open Shortest Path First
PIM
Protocol Independent Multicast
PIM-DM
Protocol Independent MulticastDense Mode
PIM-SM
Protocol Independent MulticastSparse
PIM-SSM
Protocol Independent MulticastSource Specific Multicast
PSN
Packet Switch Network
PUPSPV
Per User Per Service Per VLAN
PVLAN
Private VLAN
PW
Pseudowire
PWE3
PW Emulation End to End
RED
Random Early Detection
RIP
Routing Information Protocol
RNC
Radio Network Controller
RP
Rendezvous Point
RSTP
Rapid Spanning Tree Protocol
SDH
Synchronous Digital Hierarchy
SLA
Service Level Agreement
SMS
Service Management System
SNMP
Simple Network Management Protocol
SSM
Source Specific Multicast
STP
Spanning Tree Protocol
SyncE
Synchronous Ethernet
SVLAN
Select VLAN
TCO
Total Cost of Ownership
TCP
Transport Control Protocol
TDM
Time Division Multiplex and Multiplexer
TL1
Transaction Language 1
TM
Traffic Manager
UDP
User Datagram Protocol
URPF
Unicast Reverse Path Forwarding
VOIP
Voice over IP
VPLS
Virtual Private Lan Service
VPN
Virtual Private Network
VPWS
Virtual Private Wire Service
VRF
Virtual Routing and Forwarding
VRRP
Virtual Router Redundancy Protocol
Mode
121
Abbreviations
122
WRED
Weighted Random Early Detection
WFQ
Weighted Fair Queuing
ZESR
ZTE Ethernet Smart Ring
ZESS
ZTE Ethernet Smart Switching
ZXROS
ZTE Router Operating System

Zxr10 8900e Series

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Zxr10 8900e Series

Загружено:

Авторское право:

Доступные форматы

Operator Logo

ZXR10 8900E series Core

Downloaded from www.Manualslib.com manuals search engine

Downloaded from www.Manualslib.com manuals search engine

ZXR10 8900E series Core Switch Product Description

ZXR10 8900E series Core Switch Product Description

Not open to the Third Party

Delete wrong description

Add new function in version

UpdateThe description error

UpdateThe description about

2013 ZTE Corporation. All rights reserved.

ZTE Confidential Proprietary

Downloaded from www.Manualslib.com manuals search engine

2013 ZTE CORPORATION. All rights reserved.

ZXR10 8900E series Core Switch Product Description

2013ZTE CORPORATION. All rights reserved.

Downloaded from www.Manualslib.com manuals search engine

ZTE Confidential Proprietary

ZXR10 8900E series Core Switch Product Description

L3 route protection .......................................................................................... 52

System Architecture ..................................................................................... 70

Technical Specifications .............................................................................. 98

Typical Networking Mode........................................................................... 108

ZTE Confidential Proprietary

Downloaded from www.Manualslib.com manuals search engine

2013 ZTE CORPORATION. All rights reserved.

ZXR10 8900E series Core Switch Product Description

Operation and Maintenance ....................................................................... 113

Glossary ...................................................................................................... 120

2013ZTE CORPORATION. All rights reserved.

Downloaded from www.Manualslib.com manuals search engine

ZTE Confidential Proprietary

ZXR10 8900E series Core Switch Product Description

L2TP Networking ............................................................................................. 16

Figure 3-3 Architecture of MCE .......................................................................................... 25

ZTE Confidential Proprietary

Downloaded from www.Manualslib.com manuals search engine

2013 ZTE CORPORATION. All rights reserved.

ZXR10 8900E series Core Switch Product Description

Figure 4-4 ZXR10 8908E structure ..................................................................................... 74

2013ZTE CORPORATION. All rights reserved.

Downloaded from www.Manualslib.com manuals search engine

ZTE Confidential Proprietary

ZXR10 8900E series Core Switch Product Description

Figure 6-5 Application in IP RAN ...................................................................................... 112

ZTE Confidential Proprietary

Downloaded from www.Manualslib.com manuals search engine

2013 ZTE CORPORATION. All rights reserved.

Downloaded from www.Manualslib.com manuals search engine

ZXR10 8900E series Core Switch Product Description

ZTE Confidential Proprietary

Downloaded from www.Manualslib.com manuals search engine

2013 ZTE CORPORATION. All rights reserved.

ZXR10 8900E series Core Switch Product Description

ZXR10 8900E series product appearance

2013ZTE CORPORATION. All rights reserved.

Downloaded from www.Manualslib.com manuals search engine

ZTE Confidential Proprietary

ZXR10 8900E series Core Switch Product Description

Super Big capacity/ High Density Interfaces

VSC Construct Solid Cloud Core

Distributed Module Operating System ROS 5.0

ZTE Confidential Proprietary