Version   Date         Author    Approved By      Remarks
V1.00     2011-03-25   Li Ying   Shen Chunsheng
V1.01     2012-6-13    Li Ying   Huang HongRu
V1.02     2012-10-10   Li Ying   Huang HongRu
          2012-11-16   Li Ying   Huang HongRu
          2013-02-19   Li Ying   Huang HongRu
TABLE OF CONTENTS
1 Overview ... 1
2 Highlights ... 3
2.1 Super Big capacity/High Density Interfaces ... 3
2.2 VSC Construct Solid Cloud Core ... 3
2.3 Distributed Module Operating System ROS 5.0 ... 3
2.4 Multi-service Bearing Capabilities ... 4
2.5 Comprehensive IPv6 Features ... 4
2.6 Multi-Dimensional Security & Reliability Mechanism Guarantees Ever-online Services ... 4
2.7 Environment-friendly Innovations ... 5
3 Function introduction ... 6
3.1 L2 function ... 6
3.1.1 Basic Ethernet features ... 6
3.1.2 VLAN and related features ... 7
3.1.3 Link aggregation ... 11
3.1.4 Spanning tree ... 13
3.1.5 L2 multicast ... 15
3.1.6 L2PT ... 16
3.2 L3 function ... 17
3.2.1 IPv4 route protocol ... 17
3.2.2 IPv6 Routing ... 20
3.2.3 IPv4/IPv6 Transition ... 20
3.2.4 L3 Multicast ... 21
3.2.5 Controllable Multicast ... 23
3.2.6 MCE ... 25
3.3 MPLS VPN ... 26
3.3.1 Basic Functions of MPLS ... 26
3.3.2 MPLS TE ... 29
3.3.3 MPLS L2 VPN ... 30
3.3.4 MPLS L3 VPN ... 34
3.4 QoS ... 35
3.4.1 Basic QoS ... 35
3.4.2 MPLS QoS ... 40
3.5 OAM ... 41
3.5.1 Ethernet OAM ... 41
3.6 Clock synchronization ... 42
3.6.1 Clock source ... 42
3.6.2 Synchronous Ethernet ... 42
3.6.3 IEEE 1588 v2 ... 43
3.6.4 Clock protection ... 44
3.7 Reliability protection ... 45
3.7.1 Equipment-level protection ... 45
3.7.2 Network detection mechanism ... 46
3.7.3 VSC ... 48
3.7.4 Ethernet intelligent protection ... 49
FIGURES
Figure 1-1 ZXR10 8900E series product appearance ... 2
Figure 3-1 MC-ELAM structure ... 13
Figure 3-2 L2PT networking

TABLES
Table 4-1 Main control board panel interface features ... 86
Table 4-2 Main control board panel button function description ... 87
Table 4-3 Main control board panel indicator function description ... 87
Table 4-4 8900E interface board type ... 90
Table 5-1 Basic features and performance ... 98
Table 5-2 Interface Specifications ... 99
Table 5-3 L2 features ... 101
Table 5-4 L3 features ... 102
Table 5-5 Multicast features ... 102
Table 5-6 MPLS feature ... 102
Table 5-7 QoS ... 103
Table 5-8 Service Management ... 104
Table 5-9 Reliability ... 104
Table 5-10 System security ... 105
Table 5-11 Clock synchronization ... 106
Table 5-12 Operating and Maintenance ... 106
Table 8-1 Abbreviations ... 120
1 Overview
The ZXR10 8900E is ZTE's new-generation enhanced core switch. Drawing on years of experience in telecom networks, ZTE designed the 8900E with ultra-large system capacity, ultra-high port density and a rich set of service functions. It meets the immediate need for core equipment in metro networks, data center networks, campus networks and enterprise networks.

Telecom networks today move towards higher user bandwidth, all services carried over IP, and flat network structures; the basic network is the uniform, converged and efficient platform that bears all services. The large-scale growth of VoIP, IPTV, VIP access and 3G services and the introduction of IPv6 place higher requirements on core and convergence switches. At the same time the network grows more complex, CAPEX and maintenance cost remain high, more devices are in use, and security and user experience (UX) are hard to improve. Getting out of these troubles is a hard nut to crack for carriers and network administrators.

The ZXR10 8900E large-capacity core switch adopts a distributed design and provides high-density FE, GE and 40G/100G ports, low-power components, and innovative fan and power supply designs. With its intelligent physical port management, it expands network capacity and raises the convergence ratio at low investment, reduces the cost per user, saves equipment-room space and lowers energy consumption. It offers equipment-, link- and network-level protection and supports an independent supervision plane. Its reconfigurable software supports multiple switching technologies, guarantees end-to-end service experience with multilevel QoS, and improves network reliability and quality to bring down maintenance cost. It supports multi-service bearing, several clock synchronization technologies, IPTV, IPv6 and all-round security. It can carry data, video and voice services and combines the characteristics of several kinds of network equipment to meet the requirements of different networks and reduce CAPEX. Its performance and features help users build efficient, intelligent and reliable networks.

The ZXR10 8900E series comprises the ZXR10 8912E, ZXR10 8908E, ZXR10 8905E and ZXR10 8902E, with 12, 8, 5 and 2 service slots respectively. They use highly integrated interface boards and offer a wide variety of service functions. Their appearance is shown in Figure 1-1.
Figure 1-1 ZXR10 8900E series product appearance
2 Highlights
2.6 Multi-Dimensional Security & Reliability Mechanism Guarantees Ever-online Services
The security and reliability designs of the ZXR10 8900E fall into five categories: secure architecture, secure management and control, secure operating system, secure computation and reliable service.

Secure architecture: the forwarding and control engines are redundantly backed up, with fast active/standby switchover. Redundant power supply, fan and clock modules make the switch more robust. In addition, the ZXR10 8900E supports intelligent inspection, control and warning, and hot-swappable components.
2.7 Environment-friendly Innovations
The ZXR10 8900E supports dying gasp: when power fails, the 8900E can still send an alarm to the network OAM center stating the reason for the outage, so that the time needed to troubleshoot such events is minimized.
3 Function introduction
3.1 L2 function
3.1.1 Basic Ethernet features
MAC address binding: bind a specific MAC address to a switch port. After binding, the address is no longer learned dynamically, which ties the user to a physical location and protects important MAC addresses.

MAC address filtering: the switch discards frames whose source or destination MAC address matches a configured address, filtering out undesired users.

MAC address number limit: limit the number of MAC addresses a port may learn, which controls the number of users on the port and prevents the system's table resources from running out when the port is hit by a DoS (MAC flooding) attack.

MAC address freeze: freeze the addresses learned on important physical ports of a stable network, e.g. the uplink port, so that a key MAC address being claimed elsewhere cannot cause a network outage.

MAC address multi-angle display: display and count the address table by VLAN, by port, and by static or dynamic entry, for network diagnosis and for operation and maintenance.
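The following is an added example, not ZTE code, that models the binding, limit and freeze controls above in software and runs a constructed MAC-flooding attack against a table with and without a per-port limit. The table capacity, port numbers and MAC addresses are assumed for the demonstration and are not 8900E values.

```python
import random


class MacTable:
    """Software model of a switch MAC table with binding, per-port limit and freeze.
    The capacity is an assumed small value so that table exhaustion is visible."""

    def __init__(self, capacity=64):
        self.capacity = capacity
        self.entries = {}        # mac -> (port, is_static)
        self.port_limit = {}     # port -> maximum number of dynamic entries
        self.frozen = set()      # ports on which learning is stopped

    def bind(self, mac, port):
        """MAC address binding: a static entry that learning never overwrites."""
        self.entries[mac] = (port, True)

    def set_limit(self, port, max_dynamic):
        """MAC address number limit for one port."""
        self.port_limit[port] = max_dynamic

    def freeze(self, port):
        """MAC address freeze: entries currently on the port become static and
        the port learns nothing new."""
        for mac, (p, _) in list(self.entries.items()):
            if p == port:
                self.entries[mac] = (p, True)
        self.frozen.add(port)

    def dynamic_count(self, port):
        return sum(1 for p, static in self.entries.values()
                   if p == port and not static)

    def learn(self, src_mac, port):
        """Handle the source MAC of a frame received on `port`.
        Returns 'hit', 'learned' or a 'drop-*' reason."""
        known = self.entries.get(src_mac)
        if known is not None:
            bound_port, static = known
            if bound_port == port:
                return "hit"
            if static:
                # a bound or frozen MAC showing up on another port is a spoof
                return "drop-spoof"
        if port in self.frozen:
            return "drop-frozen"
        limit = self.port_limit.get(port)
        if limit is not None and self.dynamic_count(port) >= limit:
            return "drop-limit"
        if known is None and len(self.entries) >= self.capacity:
            return "drop-full"
        self.entries[src_mac] = (port, False)   # learn, or move a dynamic entry
        return "learned"


def mac_flood(table, port, count, seed=1):
    """Constructed attack traffic: `count` frames with random source MACs on one port.
    Returns a dict of outcome counts."""
    rng = random.Random(seed)
    outcomes = {}
    for _ in range(count):
        mac = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
        result = table.learn(mac, port)
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes


def demo():
    gateway, host = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"   # assumed addresses

    plain = MacTable(capacity=64)                 # no controls at all
    flood_plain = mac_flood(plain, port=3, count=1000)
    late_host = plain.learn(host, 1)              # legitimate host arriving after the flood

    hardened = MacTable(capacity=64)
    hardened.bind(gateway, 24)                    # gateway MAC bound to uplink port 24
    hardened.set_limit(3, 8)                      # access port 3 may learn 8 addresses
    hardened.learn(host, 1)
    hardened.freeze(1)                            # port 1 keeps exactly what it learned
    flood_hardened = mac_flood(hardened, port=3, count=1000)

    return {
        "plain_learned": flood_plain.get("learned", 0),
        "plain_late_host": late_host,
        "hardened_learned": flood_hardened.get("learned", 0),
        "hardened_entries": len(hardened.entries),
        "gateway_spoof": hardened.learn(gateway, 3),   # attacker claims the gateway MAC
        "frozen_port_new_mac": hardened.learn("00:aa:bb:cc:dd:02", 1),
        "host_spoof": hardened.learn(host, 3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Without a limit the flood fills all 64 entries and a legitimate host that appears afterwards can no longer be learned; with an 8-address limit on the attacker's port the table stays at 10 entries, and frames claiming the bound gateway MAC or the frozen host MAC from another port are dropped.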
3.1.1.3 Port mirroring

Port mirroring copies the traffic of one port to another port so that the network administrator can analyze port traffic in real time when diagnosing network issues; it gives the administrator a monitoring means. On the ZXR10 8900E any port can be configured as a mirroring port, ports of different rates can mirror to each other, and many-to-one, one-to-many and many-to-many port mirroring are all supported. The equipment supports cross-card port mirroring and simultaneous mirroring of several
3.1.2 VLAN and related features
Each VLAN is logically an independent LAN: all frame traffic in a VLAN is confined to that VLAN, and cross-VLAN access goes through L3 forwarding, which improves network performance and reduces the overall traffic on the physical LAN.

VLANs reduce broadcast storms and increase network security and centralized management control.

The ZXR10 8900E supports 802.1Q VLANs. Untagged packets can be assigned a VLAN tag based on subnet, protocol or port, supporting a wide variety of VLAN features. Because the 802.1Q VLAN ID field is 12 bits wide, the number of VLANs is limited to 4096, which constrains some real deployments. The 8900E therefore provides four extension modes: QinQ, PVLAN, VLAN translation, and the L3-related Super VLAN.
3.1.2.1 PVLAN
Private VLAN (PVLAN) is a mechanism that provides additional Layer 2 traffic isolation between ports within a regular VLAN, constraining traffic flow between specific ports of the VLAN. For instance, in an enterprise network, client ports can communicate with server ports but not with each other.

Private VLAN is port based and is enabled per port through the PVLAN_ENABLE field in PORT_TABLE. There are three types of private VLAN ports (isolated, community and promiscuous):

Isolated port: an isolated port has complete Layer 2 separation from all other ports within the same private VLAN except the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports, and traffic received from an isolated port is forwarded only to promiscuous ports.

PVLAN effectively ensures the security of data communication on the network: a user is connected only to the default gateway. Without needing several VLANs and IP subnets, one PVLAN provides L2 data communication security: all users in the PVLAN can reach the default gateway but have no access to one another. PVLAN ensures that ports in one VLAN do not communicate with each other, while services still pass through the trunk port, so users in the same VLAN do not affect each other with service broadcasts.

PVLAN needs no protocol messages; it is statically configured on the ZXR10 8900E.
3.1.2.2 VLAN translation
VLAN translation is an extension of the VLAN function. If VLAN translation is enabled on a switch port, the traffic entering that port must be tagged. VLAN translation uses the port plus the VLAN ID of the tagged packet as the index to look up the MAC VLAN table and obtain a new VID; the traffic is then switched in the new VLAN, translating data from one VLAN into another.

VLAN translation needs no protocol messages; it is statically configured on the ZXR10 8900E. Note that when VLAN translation is enabled, VLANs cannot be assigned based on MAC address, and when MAC-based VLAN assignment is in use, VLAN translation cannot be enabled.
In addition to single-tag translation, the 8900E combines VLAN translation with SVLAN to provide the following operations:

1. If the incoming packet is single tagged, add an outer tag according to policy and set the outer tag's 802.1p value from the inner tag's 802.1p value, with policy-based or one-to-one mapping.
2. If the incoming packet is single tagged, modify the inner tag and add an outer tag according to policy, and set the 802.1p values of both tags from the incoming tag's 802.1p value, with policy-based or one-to-one mapping.
3. If the incoming packet is double tagged, delete the outer tag according to policy.
4. If the incoming packet is double tagged, delete the outer tag and modify the inner tag according to policy, setting the 802.1p value of the new inner tag from the outer tag's 802.1p value, with policy-based or one-to-one mapping.
5. If the incoming packet is double tagged, modify the outer tag according to policy, setting the 802.1p value of the new outer tag from the incoming outer tag's 802.1p value, with policy-based or one-to-one mapping.
6. If the incoming packet is double tagged, modify the inner tag according to policy, setting the 802.1p value of the new inner tag from the outer tag's 802.1p value, with policy-based or one-to-one mapping.
7. If the incoming packet is double tagged, modify both inner and outer tags according to policy, setting the 802.1p values of the new tags from the incoming outer tag's 802.1p value, with policy-based or one-to-one mapping.
8. If the incoming packet is untagged, add inner and outer tags according to policy in one step.
3.1.2.3 Super VLAN
Super VLAN lets hosts that sit on the same physical switch but in different broadcast domains share one IPv4 subnet and one default gateway. In a large switched LAN this has several advantages over traditional IPv4 addressing, the biggest being the saving of address space.

A Super VLAN is subdivided into sub VLANs: one or more sub VLANs belong to one Super VLAN and use its default gateway IP address, i.e. several sub VLANs are aggregated into one Super VLAN and share the same IP subnet and default gateway.

Super VLAN is a software function; the Ethernet ASIC is transparent to it and switches data according to the VLAN settings made by the software module. Super VLAN needs no protocol messages; it is statically configured on the ZXR10 8900E.
3.1.2.4 QinQ
QinQ, the multilayer VLAN tag stack, is a tunneling technique based on 802.1Q encapsulation. Its core idea is to encapsulate the private-network VLAN tag inside a public-network VLAN tag; the double-tagged frame crosses the backbone network, giving the user a simple L2 VPN tunnel. QinQ is simple and manageable, needs no protocol messages, and is statically configured on the ZXR10 8900E. It is applied at convergence-layer switches, which use QinQ (double tags) to extend the VLAN number space in metro networks.

In the ZXR10 8900E software, the QinQ software module configures QinQ statically and then sets the chip accordingly. The module adds an attribute to the VLAN table indicating whether a VLAN is an SVLAN or a CVLAN, and drives the lower-layer interface functions to set QinQ on the interface.

Ordinary QinQ only adds one fixed outer tag to the frames of a port, which greatly limits networking flexibility. For traffic received on one port, SVLAN (Selective VLAN) can selectively add different outer tags based on the inner tag, according to user demand.

With Selective VLAN, service providers can use a unique VLAN (called the service-provider VLAN ID, or SP-VLAN ID) to support customers who have multiple VLANs, which offers multipoint-to-multipoint transparent VLAN transport and a simple L2 VPN tunnel. Customer VLAN IDs (CE-VLAN IDs) are preserved, and traffic from different customers is segregated within the service-provider infrastructure even when it appears to be on the same VLAN. Selective VLAN expands the VLAN space through a VLAN-in-VLAN hierarchy: the number of VLANs can extend to 4094*4094. Another 802.1Q tag (the SP-VLAN ID) is added to the 802.1Q-tagged (CE-VLAN ID) packets that enter the service-provider network.

Some service streams require SVLAN to also support transparent VLAN transport, where the packet passes through the switch without change, i.e. the number and values of its tags remain unchanged.

SVLAN can work with VLAN translation to flexibly process both inner and outer tags; for details refer to the VLAN translation section. In addition, SVLAN can perform 802.1p CoS priority mapping between the outer and inner tags.

The ZXR10 8900E supports traditional SVLAN configuration and VFP-based SVLAN configuration; the latter can add tags based on traffic type.
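The following added example, which is not ZTE code, covers both the VLAN translation operations listed in 3.1.2.2 and the selective SVLAN behaviour described here. It parses and rebuilds 802.1Q/802.1ad tag stacks in raw frames, applies a translation rule (pop, rewrite, push, with the 802.1p value copied from the chosen incoming tag and mapped by policy), and implements a selective SVLAN map in which the outer S-tag is chosen from the customer VID, with unmapped or already double-tagged frames passed through transparently. The frames, VIDs and priority map are constructed for the demonstration.

```python
import struct

TPID_C = 0x8100   # 802.1Q customer tag
TPID_S = 0x88A8   # 802.1ad service (provider) tag


def parse(frame):
    """Split a frame into (dst, src, tags, rest); tags are outermost first,
    each a dict with tpid, pcp, dei, vid.  `rest` starts at the EtherType."""
    dst, src = frame[:6], frame[6:12]
    pos, tags = 12, []
    while len(frame) >= pos + 4 and frame[pos:pos + 2] in (b"\x81\x00", b"\x88\xa8"):
        tpid, tci = struct.unpack("!HH", frame[pos:pos + 4])
        tags.append({"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        pos += 4
    return dst, src, tags, frame[pos:]


def build(dst, src, tags, rest):
    out = dst + src
    for t in tags:
        out += struct.pack("!HH", t["tpid"], (t["pcp"] << 13) | (t["dei"] << 12) | t["vid"])
    return out + rest


def apply_rule(frame, rule):
    """Apply one VLAN translation rule.  Keys (all optional):
         pop      - number of outer tags to remove
         rewrite  - {index: new_vid} for the tags left after pop, 0 = outermost
         push     - [(tpid, vid), ...] new outer tags, innermost first
         pcp_from - 'inner' or 'outer': incoming tag whose 802.1p value is copied
         pcp_map  - {incoming pcp: pcp} policy mapping applied to that value
       Pushed and rewritten tags take the mapped 802.1p value."""
    dst, src, tags, rest = parse(frame)
    if not tags:
        seed = 0
    elif rule.get("pcp_from") == "inner":
        seed = tags[-1]["pcp"]
    else:
        seed = tags[0]["pcp"]
    pcp = rule.get("pcp_map", {}).get(seed, seed)
    tags = tags[rule.get("pop", 0):]
    for index, vid in rule.get("rewrite", {}).items():
        tags[index]["vid"] = vid
        tags[index]["pcp"] = pcp
    for tpid, vid in rule.get("push", []):
        tags.insert(0, {"tpid": tpid, "pcp": pcp, "dei": 0, "vid": vid})
    return build(dst, src, tags, rest)


def selective_svlan(frame, cvid_to_svid, pcp_map=None):
    """SVLAN: pick the outer S-tag from the customer VID of a single-tagged frame.
    Frames with no mapping (or already double tagged) are passed transparently."""
    tags = parse(frame)[2]
    if len(tags) != 1 or tags[0]["vid"] not in cvid_to_svid:
        return frame
    return apply_rule(frame, {"push": [(TPID_S, cvid_to_svid[tags[0]["vid"]])],
                              "pcp_from": "inner", "pcp_map": pcp_map or {}})


def tag_summary(frame):
    """(tpid, pcp, vid) per tag, outermost first, for inspection."""
    return [(t["tpid"], t["pcp"], t["vid"]) for t in parse(frame)[2]]


# Constructed sample frames: multicast destination, locally administered source,
# IPv4 EtherType followed by a zero payload.
DST, SRC = bytes.fromhex("01005e000001"), bytes.fromhex("021122334455")
REST = b"\x08\x00" + bytes(46)
UNTAGGED = build(DST, SRC, [], REST)
SINGLE = build(DST, SRC, [{"tpid": TPID_C, "pcp": 5, "dei": 0, "vid": 100}], REST)
DOUBLE = build(DST, SRC, [{"tpid": TPID_S, "pcp": 3, "dei": 0, "vid": 2000},
                          {"tpid": TPID_C, "pcp": 5, "dei": 0, "vid": 100}], REST)

if __name__ == "__main__":
    print(tag_summary(selective_svlan(SINGLE, {100: 2000}, {5: 3})))            # operation 1
    print(tag_summary(apply_rule(DOUBLE, {"pop": 1, "rewrite": {0: 300},
                                          "pcp_from": "outer"})))                # operation 4
    print(tag_summary(apply_rule(UNTAGGED, {"push": [(TPID_C, 10), (TPID_S, 500)]})))  # operation 8
    print(tag_summary(selective_svlan(DOUBLE, {100: 2000})))                      # transparent
```

Operation 1 pushes S-tag 2000 with priority 5 mapped to 3 while preserving C-tag 100; operation 4 pops the S-tag and rewrites the C-tag to 300 with the outer tag's priority; operation 8 pushes both tags onto an untagged frame; a double-tagged frame with no selective mapping leaves the function byte-for-byte unchanged.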
3.1.3 Link aggregation
Link aggregation bundles physical links of the same transport medium and rate so that they logically appear as one link. It greatly increases the bandwidth between peer switches or between a switch and a server, and is therefore an important technique for increasing link bandwidth and creating link resilience and redundancy. Link aggregation can create multi-gigabit connections from GE links, or a faster logical link from FE links. Link aggregation also offers good protection: when a fault occurs, the traffic on the failed link switches quickly to the healthy links of the aggregation. Link aggregation thus increases bandwidth and shares the traffic load.

The ZXR10 8900E supports static and dynamic link aggregation of FE, GE and 10G ports as well as cross-card and cross-equipment link aggregation. The logical port formed by ZXR10 8900E link aggregation is called a smart group and can be used like an ordinary port.
3.1.3.1 Static aggregation
A static trunk manually adds several physical ports to a trunk group to form one logical port, but the status of the aggregated links is difficult to observe.

The ZXR10 8900E configures link aggregation according to the following rules, which also apply to LACP:

128 trunk groups can be configured, and each trunk group includes at most 8 member ports.

Member ports may use access, trunk or hybrid mode, but all members of a group must use the same mode.

3.1.3.2 LACP
LACP (Link Aggregation Control Protocol) follows IEEE 802.3ad. LACP dynamically aggregates several physical ports into a trunk group, forming one smart group port, and negotiates automatically to obtain the maximum bandwidth. LACP supports static and dynamic aggregation: static LACP aggregation is configured manually, and dynamic LACP aggregation adds ports to the aggregation group dynamically.

The ZXR10 8900E supports smart group parameter configuration and shares the traffic load according to the following modes (also applicable to static aggregation):

Source and destination MAC address, VLAN, Ethernet type and ingress port;

Source and destination IP address, and source and destination TCP or UDP port.

The 8900E also supports a global mode, which shares the load within one smart group according to the header fields of IPv4, IPv6, MPLS L2 VPN and MPLS L3 VPN packets, distributing the traffic evenly across the smart group.
3.1.3.3 MC-ELAM
The 8900E supports inter-card and intra-card link aggregation as well as MC-ELAM (Multi-Chassis Ethernet Link Aggregation Manager), whose working principle is shown below.

Figure 3-1 MC-ELAM structure

Normally only half of the links from the CE to PE1 and PE2 aggregate successfully. As shown in the figure, the successfully aggregated link from the CE to PE1 is the active link and the non-aggregated link from the CE to PE2 is the standby link; data is forwarded over the active link. When the active aggregation device PE1 fails, PE2 takes over PE1's MC-ELAM control protocol state and handles LACP forwarding between PE2 and the CE. When the active device or active aggregation device returns to normal, the MC-ELAM control protocol restores the original forwarding. MC-ELAM gives a dual-uplink access network increased redundancy.
3.1.4 Spanning tree
3.1.4.1 STP
STP detects and clears loops between L2 switching units and provides redundant links, improving LAN performance and reliability.

The STP module has the following major functions:

Avoid network loops, prevent LAN broadcast storms and offer redundant paths.

Detect topology changes and reconfigure the STP topology accordingly.

After the switches in a subnet run the STP algorithm, a dynamic STP topology is formed. The topology prevents loops between any two workstations in the LAN, avoiding broadcast storms. Meanwhile the STP algorithm monitors topology changes, builds a new spanning tree after a change, and so reconfigures the topology with fault tolerance. The switch maintains and updates its MAC table according to the state of the STP topology, finally obtaining MAC-layer forwarding paths.

The STP algorithm enables the switches to dynamically discover a loop-free subset (tree) of the topology while keeping adequate connectivity, so that a path exists between every pair of LANs whenever the physical connections allow. According to the principle in the figure, any topology of nodes and links has a spanning tree that provides connectivity to every destination while avoiding cycles. Therefore the spanning tree algorithm and protocol can avoid loops in any dynamic topology and clear the loop between any two stations.

Since IEEE 802.1s MSTP is compatible with IEEE 802.1w RSTP and ordinary IEEE 802.1D STP, the STP software module only needs to implement MSTP. When started, MSTP can be forced to work as RSTP or STP to support mixed STP and RSTP networking. STP can also run on aggregated links, and STP can be enabled per port.

The ZXR10 8900E supports STP, RSTP and MSTP, and their mixed networking.
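The following added example, not ZTE code, computes the converged STP port roles for a small constructed topology: root election by lowest bridge ID, root path cost with STP's tie-break on the upstream bridge ID, the designated bridge on each segment, and the ports left blocked to break the loop. It goes one step beyond the text by adding an attacker-controlled bridge with priority 0 to show that it becomes root and diverts traffic between two switches through itself, which is why edge ports should not accept superior BPDUs. Bridge names, MAC addresses and path costs are assumed values.

```python
import heapq


def spanning_tree(bridges, links):
    """Compute the converged STP port roles for a set of bridges.

    bridges: {name: (priority, mac)} - the bridge ID compares priority first, then MAC
    links:   [(a, b, cost), ...]     - point-to-point segments with their path cost
    Returns (root, roles) where roles maps (bridge, neighbour) ports to
    'root', 'designated' or 'blocked'."""
    root = min(bridges, key=lambda n: bridges[n])          # lowest bridge ID wins
    adj = {n: [] for n in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))

    # Root path cost per bridge, ties broken by the upstream bridge ID as STP does.
    best = {root: (0, bridges[root], None)}                # node -> (cost, upstream ID, upstream)
    queue = [(0, bridges[root], root)]
    while queue:
        cost, upstream_id, node = heapq.heappop(queue)
        if (cost, upstream_id) != best[node][:2]:
            continue                                        # stale queue entry
        for nb, link_cost in adj[node]:
            cand = (cost + link_cost, bridges[node], node)
            if nb not in best or cand[:2] < best[nb][:2]:
                best[nb] = cand
                heapq.heappush(queue, (cand[0], cand[1], nb))

    roles = {}
    for a, b, _ in links:
        # the end with the lower (root path cost, bridge ID) is designated on the segment
        designated = a if (best[a][0], bridges[a]) < (best[b][0], bridges[b]) else b
        for here, there in ((a, b), (b, a)):
            if best[here][2] == there:
                roles[(here, there)] = "root"
            elif here == designated:
                roles[(here, there)] = "designated"
            else:
                roles[(here, there)] = "blocked"
    return root, roles


# Constructed triangle of three switches with the default priority 32768.
SWITCHES = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
LINKS = [("SW1", "SW2", 4), ("SW1", "SW3", 4), ("SW2", "SW3", 4)]


def rogue_root_takeover():
    """A bridge with priority 0 plugged into SW1 and SW2 becomes root and gets the
    SW1-SW2 link blocked, so SW1<->SW2 traffic is diverted through it."""
    bridges = dict(SWITCHES, ROGUE=(0, "00:00:00:00:00:99"))
    links = LINKS + [("ROGUE", "SW1", 4), ("ROGUE", "SW2", 4)]
    return spanning_tree(bridges, links)


if __name__ == "__main__":
    print(spanning_tree(SWITCHES, LINKS))
    print(rogue_root_takeover())
```

In the plain triangle SW1 is root and SW3 blocks its port towards SW2; after the rogue bridge is attached it is elected root, SW1 and SW2 both use it as their root port, and SW2's port towards SW1 is blocked.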
3.1.4.2 RSTP
RSTP (Rapid Spanning Tree Protocol), the upgraded version of STP, follows IEEE 802.1w. RSTP provides a fast port state transition mechanism and shortens network convergence time.

RSTP has the following defect:

The entire switching network has only one spanning tree; in a large network convergence is slow and a topology change has a large effect.

3.1.4.3 MSTP
MSTP (Multiple Spanning Tree Protocol), developed from STP/RSTP, follows IEEE 802.1s. MSTP divides the switching network into several regions, and several spanning tree instances run within a region. VLANs are mapped to instances in M:1 mode (several VLANs bound to one instance), so each VLAN follows a tree topology that avoids loops.

MSTP has the following advantage:

Because MSTP builds spanning trees per VLAN instance and does not block the inter-switch ports for all VLANs at once, the load is shared.
3.1.5 L2 multicast
After the router forwards multicast traffic into the network, the Ethernet switch forwards it to the multicast users. A traditional switch usually broadcasts multicast traffic, which wastes bandwidth, causes broadcast storms and affects normal services. The switch therefore needs L2 multicast support so that it can track users joining and leaving multicast groups and dynamically maintain group membership.
3.1.5.1 IGMP Snooping
The ZXR10 8900E supports the L2 multicast technology IGMP Snooping to manage multicast group members, suppress multicast flooding in the L2 network, and prevent unauthorized users from receiving multicast traffic. By snooping the IGMP messages exchanged between users and the router, IGMP Snooping maintains a table mapping multicast addresses to VLANs and ports. It maps the members of a multicast group within a VLAN and forwards received multicast packets only to the VLAN ports that are members of the group. IGMP Snooping and the IGMP protocol are both used for multicast group management and control and both work with IGMP messages; the difference is that IGMP runs at the network layer while IGMP Snooping works at the link layer. When the switch receives an IGMP message, IGMP Snooping analyzes it and creates and maintains the L2 MAC multicast address table.

When IGMP Snooping is enabled on the ZXR10 8900E, multicast traffic is forwarded as L2 multicast; when it is not enabled, multicast traffic is flooded as L2 broadcast.

The 8900E also supports MLDv1/v2 snooping for a smooth transition from IPv4 to IPv6.
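The following added example, not ZTE code, shows the snooping mechanism end to end: it builds and parses IGMPv2 messages (query, report, leave) with a verified RFC 1071 checksum, learns receiver ports and router ports per VLAN from them, and makes the forwarding decision for a multicast frame with snooping on and off. A corrupted report is ignored rather than allowed to alter the table. The VLAN, port numbers and group address are constructed for the demonstration, and the immediate processing of a leave is a simplification noted in the code.

```python
import struct
import ipaddress

IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17


def inet_checksum(data):
    """RFC 1071 ones-complement checksum; returns 0 for a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type, group, max_resp=0):
    """Constructed IGMPv2 message (8 bytes) with a valid checksum."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(data):
    """Return (type, group) or None if the message is truncated or fails its checksum."""
    if len(data) < 8 or inet_checksum(data[:8]) != 0:
        return None
    msg_type, _, _, group = struct.unpack("!BBH4s", data[:8])
    return msg_type, str(ipaddress.IPv4Address(group))


class IgmpSnooper:
    """Per-VLAN group membership learned from IGMP traffic, plus the forwarding decision."""

    def __init__(self, vlan_ports, snooping=True):
        self.vlan_ports = vlan_ports          # vlan -> set of all ports in the VLAN
        self.snooping = snooping
        self.members = {}                     # (vlan, group) -> set of receiver ports
        self.router_ports = {}                # vlan -> ports on which a querier was seen

    def receive(self, vlan, port, igmp):
        parsed = parse_igmp(igmp)
        if parsed is None:
            return "ignored"                  # corrupt message: do not touch the tables
        msg_type, group = parsed
        if msg_type == IGMP_QUERY:
            self.router_ports.setdefault(vlan, set()).add(port)
            return "router-port"
        if msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
            self.members.setdefault((vlan, group), set()).add(port)
            return "joined"
        if msg_type == IGMP_LEAVE:
            # immediate leave; a real switch would first send a group-specific query
            ports = self.members.get((vlan, group), set())
            ports.discard(port)
            if not ports:
                self.members.pop((vlan, group), None)
            return "left"
        return "ignored"

    def egress(self, vlan, group, ingress):
        """Ports that receive a multicast frame for `group` arriving on `ingress`."""
        if not self.snooping:
            out = set(self.vlan_ports[vlan])                  # no snooping: L2 broadcast
        else:
            out = set(self.members.get((vlan, group), set())) | self.router_ports.get(vlan, set())
        out.discard(ingress)
        return out


def demo():
    """Constructed scenario: VLAN 10 with hosts on ports 1-3 and a router on port 24."""
    vlan, router, group = 10, 24, "239.1.1.1"
    snooper = IgmpSnooper({vlan: {1, 2, 3, router}})
    plain = IgmpSnooper({vlan: {1, 2, 3, router}}, snooping=False)
    snooper.receive(vlan, router, build_igmp(IGMP_QUERY, "0.0.0.0", max_resp=100))
    snooper.receive(vlan, 1, build_igmp(IGMP_V2_REPORT, group))
    snooper.receive(vlan, 3, build_igmp(IGMP_V2_REPORT, group))
    after_joins = snooper.egress(vlan, group, router)
    snooper.receive(vlan, 3, build_igmp(IGMP_LEAVE, group))
    forged = bytearray(build_igmp(IGMP_V2_REPORT, group))
    forged[7] ^= 0x01                                        # corrupt the group address
    corrupt = snooper.receive(vlan, 2, bytes(forged))
    return {
        "after_joins": after_joins,
        "after_leave": snooper.egress(vlan, group, router),
        "corrupt_report": corrupt,
        "without_snooping": plain.egress(vlan, group, router),
    }


if __name__ == "__main__":
    print(demo())
```

With snooping the group stream arriving from the router reaches only ports 1 and 3, then only port 1 after the leave; the report with the damaged checksum is ignored so port 2 never joins; without snooping the same frame is flooded to every other port in the VLAN.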
3.1.5.2 IGMP Proxy
In some network topologies, IGMP proxy does not run a multicast routing protocol but learns the multicast members and performs simple multicast forwarding according to the registered membership. IGMP proxy has a host interface and router interfaces. The host interface (also known as the uplink interface) points towards the root of the distribution tree, i.e. it uplinks to the multicast router. This interface runs the host side of IGMP rather than the router side: when it receives an IGMP query it sends IGMP membership reports, and it sends join or leave messages to the connected router when the membership database changes. The host interface also forwards received multicast packets according to the membership database. A router interface (downlink interface) faces away from the root and downlinks to user hosts. It runs the router side of IGMP to register, query and remove downlink group members: it receives membership reports, creates and modifies the membership table, sends queries, checks whether hosts have left their groups, and forwards multicast packets in both directions according to the registered membership database.

IGMP Proxy and IGMP Snooping serve the same purpose with different mechanisms: IGMP Snooping looks into IGMP messages to extract the relevant information, whereas IGMP Proxy intercepts and processes the IGMP requests of end users and then forwards them to the upstream router.
3.1.6 L2PT
In QinQ VPN mode, when VPN sites at different locations want to run their own L2 protocols, for example STP, LACP or ZDP, they need the core network to carry these L2 protocol messages transparently. Such messages use reserved bridge MAC addresses and therefore cannot normally be transported transparently. L2PT (layer 2 protocol transportation) solves this problem and is widely used to carry user-network L2 protocol messages across QinQ VPNs.

L2PT networking is shown in the following figure.

Transported PDU: encapsulated protocol message, for example ZDP, STP or LACP.

Figure 3-2 L2PT networking

Encapsulation and decapsulation are done by rewriting the destination MAC address of the message.
3.2 L3 function
3.2.1 IPv4 route protocol
3.2.1.1 RIP
RIP is based on the distance-vector routing algorithm. It exchanges routing information in UDP packets: the protocol message is encapsulated in UDP. The routing information in a RIP message carries the number of nodes on the route, i.e. the hop count, and a router selects the route to a destination network by hop count. The RFC limits the hop count to 15 (a metric of 16 means unreachable), so RIP is used as an interior gateway protocol in small autonomous systems.

The ZXR10 8900E RIP has the following functions:
Transmit and receive RIP messages according to the protocol, check message correctness and verify the sender's authentication.

Support RIPv1/v2, plain-text authentication, MD5 authentication, and route redistribution.

Use split horizon and triggered updates to prevent routing loops and speed up convergence.
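The following added example, not ZTE code, shows the two RIPv2 authentication modes named above on constructed packets: a simple-password entry, in which the password travels in clear text, and RFC 2082 keyed-MD5 authentication, in which a digest over the message plus the padded key is appended as a trailer. The verifier rejects a tampered route entry and a wrong key, and returns the sequence number so the caller can enforce replay protection. The routes, key and key ID are assumed values.

```python
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE, RIP_VERSION = 2, 2
AUTH_SIMPLE, AUTH_MD5 = 2, 3
AUTH_TRAILER = struct.pack("!HH", 0xFFFF, 0x0001)


def rte(prefix, next_hop, metric, tag=0):
    """One 20-byte RIPv2 route entry (address family 2 = IP)."""
    net = ipaddress.IPv4Network(prefix)
    return struct.pack("!HH4s4s4sI", 2, tag, net.network_address.packed,
                       net.netmask.packed, ipaddress.IPv4Address(next_hop).packed, metric)


def _padded_key(key):
    return key.ljust(16, b"\x00")[:16]


def build_md5_response(routes, key, key_id, seq):
    """RIPv2 response with RFC 2082 keyed-MD5 authentication.  The digest covers the
    whole message up to and including the 0xFFFF/0x0001 trailer marker, followed by
    the 16-byte padded key."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    body = b"".join(routes)
    packet_len = len(header) + 20 + len(body)             # offset of the trailer
    auth_header = struct.pack("!HHHBBI8s", 0xFFFF, AUTH_MD5, packet_len, key_id, 16, seq, bytes(8))
    covered = header + auth_header + body + AUTH_TRAILER
    digest = hashlib.md5(covered + _padded_key(key)).digest()
    return covered + digest


def build_simple_response(routes, password):
    """RIPv2 response with RFC 2453 simple-password authentication: the password
    travels in clear text in the first route entry slot."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    auth_entry = struct.pack("!HH16s", 0xFFFF, AUTH_SIMPLE, _padded_key(password))
    return header + auth_entry + b"".join(routes)


def verify_md5_response(packet, keys):
    """Check an MD5-authenticated response against {key_id: key}.
    Returns (True, sequence_number) or (False, reason).  The caller should still
    reject a sequence number not greater than the last one seen from that neighbour."""
    if len(packet) < 24 or struct.unpack("!HH", packet[4:8]) != (0xFFFF, AUTH_MD5):
        return False, "no md5 authentication header"
    packet_len, key_id, auth_len, seq = struct.unpack("!HBBI", packet[8:16])
    if auth_len != 16 or packet_len + 4 + 16 != len(packet):
        return False, "bad length"
    if packet[packet_len:packet_len + 4] != AUTH_TRAILER:
        return False, "bad trailer"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    expected = hashlib.md5(packet[:packet_len + 4] + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, packet[packet_len + 4:]):
        return False, "digest mismatch"
    return True, seq


def routes_in(packet):
    """(prefix, metric) pairs advertised in an MD5-authenticated response."""
    packet_len = struct.unpack("!H", packet[8:10])[0]
    out = []
    for off in range(24, packet_len, 20):
        _, _, net, mask, _, metric = struct.unpack("!HH4s4s4sI", packet[off:off + 20])
        network = ipaddress.IPv4Network("%s/%s" % (ipaddress.IPv4Address(net),
                                                   ipaddress.IPv4Address(mask)))
        out.append((str(network), metric))
    return out


# Constructed sample: two routes, a shared key and a key ID.
ROUTES = [rte("10.0.0.0/8", "0.0.0.0", 1), rte("192.168.1.0/24", "0.0.0.0", 3)]
KEY, KEY_ID, SEQ = b"s3cret-rip-key", 1, 42


def demo():
    packet = build_md5_response(ROUTES, KEY, KEY_ID, SEQ)
    tampered = bytearray(packet)
    tampered[-21] ^= 0x01                       # last byte of the final route's metric
    return {
        "valid": verify_md5_response(packet, {KEY_ID: KEY}),
        "tampered": verify_md5_response(bytes(tampered), {KEY_ID: KEY}),
        "wrong_key": verify_md5_response(packet, {KEY_ID: b"other"}),
        "routes": routes_in(packet),
        "plaintext_visible": b"hunter2" in build_simple_response(ROUTES, b"hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed digest lets a neighbour detect any change to the advertised routes and refuse updates from a sender without the key, which plain-text authentication cannot do since the password is readable by anyone on the segment.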
3.2.1.2 OSPF
OSPF is a link-state interior gateway protocol (IGP) developed by the IETF that computes routes with the SPF algorithm. OSPF converges the routing table quickly and is loop-free, which matters in meshed networks and in networks of several LANs interconnected by routers. Each router running OSPF maintains a link-state database that describes the topology of the autonomous system. The database holds the local state of every router (its usable interfaces and neighbors), the state of the attached networks and the routes external to the autonomous system. Each router runs the link-state algorithm over this database to compute the shortest path from itself to every destination. When a router comes up or any link or route changes, it floods an LSA to all routers in its area. The LSA carries the router's link state and neighbor adjacency information, and the collected LSAs form the link-state database, so all routers in an area share one identical database describing the area topology.
ZXR10 8900E OSPF has the following functions:
Adopts a retransmission and acknowledgement mechanism to ensure reliable link-state synchronization.
3.2.1.3 IS-IS
IS-IS is the link-state routing protocol of the OSI model; Integrated IS-IS extends it to route TCP/IP networks, and it extends easily to new address families, notably IPv6. An IS-IS system has two levels: the backbone level (Level 2) and the area level (Level 1). A router belongs to exactly one area. A Level 1 router knows only the topology of its own area; all traffic to other areas is sent to the nearest Level 2 router. The Level 2 routers must form a contiguous backbone, similar to OSPF backbone area 0.
ZXR10 8900E IS-IS has the following functions:
3.2.1.4 BGP
BGP is an exterior gateway protocol that exchanges loop-free routing information between autonomous systems. The exchanged information carries many attributes that describe the autonomous system topology and implement routing policy at autonomous system granularity. The AS_PATH attribute, the sequence of autonomous systems a route has passed through, lets a router detect and discard routes that would form a loop. An autonomous system is a set of routers and hosts under one administrative control that is treated as a single entity. BGP-4 supports classless inter-domain routing (CIDR) to control routing table growth and introduces route aggregation, including AS path aggregation. BGP is designed to use autonomous systems to give a structured view of the Internet: the Internet is divided into autonomous systems, so that one large network is composed of small, easily managed networks, each applying its own rules and management policies.
ZXR10 8900E BGP has the following functions:
Supports MP-BGP.
3.2.1.5 Policy routing
Traditional routing forwards packets according to the routing table built by routing protocols or static routes, and can only choose a path by destination address. This uniform forwarding behaviour cannot satisfy the special routing requirements of some applications or the needs of increasingly complex network services.
Compared with traditional routing, policy-based routing (PBR) offers more flexible forwarding and route control. The network administrator can forward not only by destination address but also select other forwarding paths according to protocol type, packet size, application, IP source address and other conditions, which helps traffic distribution and QoS. Policy routing matches specified fields of an IP packet against the policy set by the administrator: packets that match a condition are forwarded along the route specified by the policy, and packets that match no condition are forwarded according to the ordinary routing table.
The ZXR10 8900E series implements ACL-based policy routing.
In addition to policy routing, the ZXR10 8900E series also provides a policy routing backup function.
The switch implements ACL-based policy routing with a redirect action. A single ACL rule can redirect matching traffic to only one next-hop address, so if that next hop fails, the corresponding policy route fails with it. When the switch has several egresses, policy routing backup (PBR BACKUP) is configured by redirecting to multiple next-hop addresses, so that when the active link fails the traffic is switched automatically to the backup next hop. Where PBR is used to force traffic through an inspection or filtering device, verify what happens to matching traffic when every configured next hop is down: traffic that falls back to the ordinary routing table bypasses that device.
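The following Python model is an added example (not the ZXR10 implementation) of ACL-based policy routing with backup next hops as described above: an ordered list of ACL rules, each redirecting to a primary next hop and a list of backups, is consulted before the ordinary longest-prefix routing table, and a next hop is only used while it is reachable. The ACL fields, the `reachable` set standing in for ARP/BFD state, the fall-back-to-RIB behaviour when every redirect target is down, and the sample addresses are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AclRule:
    """Match fields of one ACL rule; None means 'any'."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Dict) -> bool:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class PbrEntry:
    rule: AclRule
    next_hops: List[str]   # primary first; the rest are PBR BACKUP next hops


class Router:
    def __init__(self, routes: List[Tuple[str, str]], pbr: List[PbrEntry], reachable: set):
        # RIB sorted longest prefix first so the first hit is the best match
        self.rib = sorted(((ipaddress.ip_network(p), nh) for p, nh in routes),
                          key=lambda r: r[0].prefixlen, reverse=True)
        self.pbr = pbr
        self.reachable = reachable   # next hops currently resolvable (ARP/BFD up); assumed state

    def rib_lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        for net, nh in self.rib:
            if addr in net:
                return nh
        return None

    def forward(self, pkt: Dict) -> Tuple[Optional[str], str]:
        """Return (next_hop, reason). Policy entries are checked in order before the RIB."""
        for entry in self.pbr:
            if not entry.rule.matches(pkt):
                continue
            for i, nh in enumerate(entry.next_hops):
                if nh in self.reachable:
                    return nh, "pbr-primary" if i == 0 else "pbr-backup"
            # Every redirect target is down: in this model the packet falls back to the RIB,
            # i.e. it no longer passes through whatever the policy was steering it to.
            return self.rib_lookup(pkt["dst"]), "rib-fallback"
        return self.rib_lookup(pkt["dst"]), "rib"


if __name__ == "__main__":
    r = Router(
        routes=[("0.0.0.0/0", "10.0.0.1"), ("10.20.0.0/16", "10.0.0.2")],
        pbr=[PbrEntry(AclRule(src="192.168.1.0/24", proto="tcp", dport=80),
                      ["10.0.0.9", "10.0.0.10"])],
        reachable={"10.0.0.1", "10.0.0.2", "10.0.0.9", "10.0.0.10"},
    )
    web = {"src": "192.168.1.5", "dst": "10.20.3.4", "proto": "tcp", "dport": 80}
    print(r.forward(web))                 # ('10.0.0.9', 'pbr-primary')
    r.reachable.discard("10.0.0.9")
    print(r.forward(web))                 # ('10.0.0.10', 'pbr-backup')
    r.reachable.discard("10.0.0.10")
    print(r.forward(web))                 # ('10.0.0.2', 'rib-fallback')
```

The `rib-fallback` result is the case worth testing on a real device: if the redirect targets are a firewall pair, this is the moment matching traffic would take the unfiltered path.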
3.2.2 IPv6 Routing
ZXR10 8900E supports the following IPv6 unicast routing features:
Supports the IPv6 Neighbor Discovery protocol, which provides router and prefix discovery, address resolution, next-hop determination, neighbor unreachability detection and duplicate address detection, and which better supports node mobility.
Supports IPv6 path MTU discovery, which finds the maximum transmission unit of a path so that the packets sent by a node do not exceed the path MTU.
Supports the IPv6 dynamic routing protocols RIPng, OSPFv3, IS-ISv6 and BGP4+.
3.2.3 IPv4/IPv6 Transition
ZXR10 8900E provides several transition mechanisms for moving from an IPv4 network to an IPv6 network, including dual stack and various tunnel technologies suited to different environments:
Supports the IPv4/IPv6 dual protocol stack. Dual stack fully solves IPv4/IPv6 coexistence, but only when every device in the network supports both stacks, so it demands extensive changes to the IPv4 network. Note that dual stack is the foundation of all the tunnel mechanisms below.
Supports 6to4 tunnels. 6to4 uses a special IPv6 address prefix (2002::/16, with the public IPv4 address of the site embedded in the following 32 bits) to build tunnels automatically between IPv6 networks. It consumes very few IPv4 addresses: one IPv6 subnet needs only one public IPv4 address, so it suits the interconnection of many IPv6 subnets. Its disadvantage is that the IPv6 addresses must have the specific 6to4 format. Because the tunnel endpoint is taken from the packet itself, a 6to4 router must also validate the embedded IPv4 address before encapsulating or decapsulating, otherwise spoofed packets can be injected into the IPv6 network through the tunnel.
Supports IPv6 Provider Edge Router (6PE) over MPLS. 6PE is generally deployed where an MPLS network is running or about to run. IPv6 packets are encapsulated at the PE with two labels: the inner label carries the IPv6 route reachability information, and the outer label is the existing MPLS transport label that connects the IPv6 islands over a label switched path (LSP). A 6PE router is a dual-stack router, so it can connect directly to the IPv4 network, which is convenient when v4 and v6 coexist, and the P routers need no changes.
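As an added example for the 6to4 item above (not code from the original document), the Python below derives a site's 6to4 /48 from its public IPv4 address, recovers the IPv4 tunnel endpoint from a 6to4 destination, and performs the consistency check a 6to4 router should apply when decapsulating: the IPv4 address embedded in the inner IPv6 source must match the outer IPv4 source and must not be a private or otherwise non-routable address. The bogon list is a deliberately minimal assumption of the example, and the check covers only the router-to-router case (inner source in 2002::/16), not traffic arriving from a 6to4 relay.

```python
import ipaddress
from typing import Tuple

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Minimal bogon list (assumption of this example): an address embedded in a 6to4 prefix
# must be a public unicast IPv4 address (RFC 3056), and a router must refuse to tunnel
# to or accept from one of these (RFC 3964 style checks).
_BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_valid_6to4_ipv4(ipv4: str) -> bool:
    addr = ipaddress.IPv4Address(ipv4)
    return not any(addr in n for n in _BOGONS)


def six_to_four_prefix(ipv4: str) -> str:
    """The /48 a site derives from its single public IPv4 address: 2002:WWXX:YYZZ::/48."""
    if not is_valid_6to4_ipv4(ipv4):
        raise ValueError(f"{ipv4} cannot be embedded in a 6to4 prefix")
    value = int(SIX_TO_FOUR.network_address) | (int(ipaddress.IPv4Address(ipv4)) << 80)
    return str(ipaddress.IPv6Network((value, 48)))


def embedded_ipv4(ipv6: str) -> str:
    """Recover the IPv4 tunnel endpoint from a 6to4 address (bits 16..47)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def encapsulation_target(ipv6_dst: str) -> str:
    """Outer IPv4 destination used when sending to a 6to4 destination (automatic tunnel)."""
    v4 = embedded_ipv4(ipv6_dst)
    if not is_valid_6to4_ipv4(v4):
        raise ValueError(f"refusing to tunnel to bogon endpoint {v4}")
    return v4


def decapsulation_check(outer_src_v4: str, inner_src_v6: str) -> Tuple[bool, str]:
    """Accept a received 6to4 packet only if the inner IPv6 source is consistent with the
    outer IPv4 source; otherwise anyone could inject IPv6 packets with an arbitrary source."""
    inner = ipaddress.IPv6Address(inner_src_v6)
    if inner not in SIX_TO_FOUR:
        return False, "inner source is not a 6to4 address"
    embedded = embedded_ipv4(inner_src_v6)
    if not is_valid_6to4_ipv4(embedded):
        return False, f"inner source embeds bogon {embedded}"
    if embedded != outer_src_v4:
        return False, f"inner source embeds {embedded} but outer source is {outer_src_v4}"
    return True, "ok"


if __name__ == "__main__":
    print(six_to_four_prefix("192.0.2.4"))                       # 2002:c000:204::/48
    print(encapsulation_target("2002:c000:204:1::5"))            # 192.0.2.4
    print(decapsulation_check("198.51.100.7", "2002:c000:204::1"))
```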
3.2.4 L3 Multicast
3.2.4.1 L3 Multicast Protocol
L3 multicast protocols comprise multicast group management protocols and multicast routing protocols.
1. A multicast group management protocol runs between hosts and L3 devices and is used to establish the membership relationship on the attached network segments, that is, which multicast group members sit behind which ports. At present the multicast group management protocols in use are IGMP (Internet Group Management Protocol) and MLD (Multicast Listener Discovery).
i. IGMP is the Internet group management protocol of IPv4 networks. The versions in current use are IGMPv2 and IGMPv3. IGMPv3 adds the ability for a member to specify which multicast sources it accepts or rejects, which supports the SSM model.
ii. MLD is used by IPv6 routers to discover multicast listeners on their attached network segments. MLD has two versions, MLDv1 and MLDv2; MLDv1 works like IGMPv2 and MLDv2 like IGMPv3.
2. A multicast routing protocol runs between L3 multicast devices and is used to establish and maintain multicast routes and to forward multicast data packets correctly and efficiently. IP multicast routing provides efficient point-to-multipoint (P2MP) data delivery in IP networks; it saves network bandwidth and reduces network load, and is therefore widely used in resource discovery, multimedia conferencing, data replication, real-time data delivery, gaming and simulation.
Multicast routing protocols are divided into intra-domain and inter-domain protocols. The inter-domain protocols are MBGP (Multicast BGP) and MSDP (Multicast Source Discovery Protocol); the intra-domain protocol is PIM (Protocol Independent Multicast). Intra-domain protocols fall into two classes: sparse-mode multicast routing protocols such as PIM-SM (Sparse Mode) and dense-mode multicast routing protocols such as PIM-DM (Dense Mode). The most widely used multicast protocol today is PIM-SM.
PIM-SM builds a shared tree through explicit joins from multicast receivers and distributes multicast data along it; under certain conditions a receiver's path can be switched to the shortest path tree. PIM-SM is independent of the unicast routing protocol: it uses the unicast routing table for RPF checks but does not depend on any particular unicast routing protocol. PIM-SM suits multicast networks with potential group members at the far end of WAN links. Because PIM-SM can also use the SPT, it reduces the delay introduced by the shared tree and improves efficiency. PIM-SM is therefore generally the best choice of multicast routing protocol within a multicast domain.
3. Multicast model
According to how the receiver treats the multicast source, multicast is divided into the following two models.
i. ASM (Any Source Multicast) model: In ASM, any sender can act as a multicast source and send to a multicast group address; the receiver obtains the multicast data by joining the group identified by that address. The receiver cannot know the location of the source, but can join or leave the group at any time.
ii. SSM (Source Specific Multicast) model: SSM lets the user specify the multicast source at the client, for users who are only interested in the data sent by particular sources and do not want to receive data from others. SSM builds the shortest path tree directly between the multicast source and the receiver, which is highly efficient.
For the ASM model, intra-domain and inter-domain multicast routing protocols differ: the intra-domain protocol is mainly PIM, and inter-domain routing uses MSDP and MBGP. For the SSM model there is no distinction between intra-domain and inter-domain protocols: as the receiver knows the location of the source in advance, the multicast data is delivered over a channel built with PIM-SSM. The SSM model also requires IGMPv3 support.
ZXR10 8900E supports IGMPv2, IGMPv3 and MLDv1/v2, IPv4 PIM-DM and IPv4/IPv6 PIM-SM and PIM-SSM, and can provide a complete multicast solution. To provide enhanced, more reliable multicast services and to guarantee their provisioning and operation, the 8900E also supports multicast route guard and anycast RP.
Multicast route guard prevents unauthorized attachment of multicast routers: only a port designated as a multicast router port passes multicast router control messages; on any other port they are discarded, so a device on a user-facing port cannot present itself as a multicast router.
In a multicast network a single RP can become a bottleneck or a single point of failure. Anycast RP configures multiple RPs with the same address in one PIM-SM domain and establishes MSDP peering between them. Receivers send RPT joins to the nearest RP and multicast sources register with the nearest RP, so each RP holds only part of the (source, group) information of the domain but exchanges registration information with the other RPs via MSDP. When one RP fails, newly registering sources and joining receivers automatically select another nearby RP for registration and joining. Anycast RP ensures that a new multicast data stream can be established between a new source and receiver at any time, providing RP load balancing and backup.
3.2.5 Controllable Multicast
IPTV (Internet Protocol Television), also called network television, is a service that uses an IP broadband network and integrates Internet, multimedia and telecommunication technologies to provide interactive services such as live TV, video on demand and online browsing. It carries streaming media and service control requests over IP and completes the ordering and playing of programs. The user terminal can be an IP set-top box with a television or a PC.
From the network's point of view, IPTV can be regarded as a specific application of controllable multicast. Traditional multicast cannot restrict unauthorized multicast service and therefore cannot meet operators' requirements for controllability and manageability. Controllable multicast technology adds
1. IPTV users have four kinds of rights for a channel: view, preview, query and reject.
2. The operator creates a static channel table or package table (a channel can be regarded as a multicast group), creates a static port policy (CAC) table, and applies channels or packages to a policy. In this way the view right for some channels, the preview right for others and the query right for others are enabled on a port.
3. The user client sends an IGMP report, leave or query message for a multicast channel from its local port. The IPTV module looks up the matching CAC policy by the user's port and VLAN and authorizes the channel the user asks for: it finds the channel right (view, preview, query or reject) configured in the policy and returns the result to IGMP snooping for further processing. IGMP snooping then acts on the right, so that IPTV service management is enforced at the network layer: for the view and preview rights, the user's port is added to the multicast forwarding table; for the query right, the query message is broadcast within the user's VLAN; for the reject right, the request is dropped.
4. When the user leaves the channel (multicast group), IGMP fast leave removes the user from the multicast group immediately to prevent unauthorized reception; at the same time the system outputs a user CDR to the SMS system for billing.
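The following Python model is an added example of the four-step procedure above (not the ZXR10 IPTV module): channels map to multicast groups, CAC policies assign a right per channel, policies are bound to (port, VLAN), and each IGMP report/leave/query from a user port is authorized before IGMP snooping acts on it. Ports with no binding, groups that belong to no channel, and channels missing from the bound policy are all treated as reject (default deny). The policy and port names, the logical clock used for CDRs and the treatment of preview as forward-without-time-limit are assumptions of the example.

```python
from enum import Enum
from typing import Dict, List, Set, Tuple


class Right(Enum):
    VIEW = "view"
    PREVIEW = "preview"
    QUERY = "query"
    REJECT = "reject"


class IptvController:
    """Port/VLAN based channel access control (CAC) in front of IGMP snooping."""

    def __init__(self):
        self.channels: Dict[str, str] = {}                 # channel name -> multicast group
        self.policies: Dict[str, Dict[str, Right]] = {}    # CAC policy -> {channel: right}
        self.bindings: Dict[Tuple[str, int], str] = {}     # (port, vlan) -> CAC policy
        self.mfib: Dict[Tuple[int, str], Set[str]] = {}    # (vlan, group) -> member ports
        self.cdrs: List[Dict] = []                         # records handed to the SMS/billing system
        self.clock = 0                                     # logical time stamp for CDRs (assumption)

    def add_channel(self, name: str, group: str) -> None:
        self.channels[name] = group

    def add_policy(self, name: str, rights: Dict[str, Right]) -> None:
        self.policies[name] = rights

    def bind(self, port: str, vlan: int, policy: str) -> None:
        self.bindings[(port, vlan)] = policy

    def right_for(self, port: str, vlan: int, group: str) -> Right:
        """Default deny: no binding, unknown group or unlisted channel all mean REJECT."""
        policy = self.policies.get(self.bindings.get((port, vlan), ""), {})
        for channel, right in policy.items():
            if self.channels.get(channel) == group:
                return right
        return Right.REJECT

    def igmp(self, msg: str, port: str, vlan: int, group: str) -> str:
        """Process an IGMP report/leave/query from a user port; return the snooping action."""
        self.clock += 1
        key = (vlan, group)
        if msg == "leave":
            members = self.mfib.get(key, set())
            if port not in members:
                return "ignore"
            members.discard(port)                  # fast leave: stop forwarding at once
            self.cdrs.append({"port": port, "vlan": vlan, "group": group, "stop": self.clock})
            return "fast-leave"
        right = self.right_for(port, vlan, group)
        if right is Right.REJECT:
            return "reject"
        if msg == "report" and right in (Right.VIEW, Right.PREVIEW):
            self.mfib.setdefault(key, set()).add(port)   # port joins the forwarding table
            self.cdrs.append({"port": port, "vlan": vlan, "group": group,
                              "start": self.clock, "right": right.value})
            return "forward"
        if msg == "query" and right is Right.QUERY:
            return "flood-query"                   # query is broadcast within the user's VLAN
        return "reject"


if __name__ == "__main__":
    c = IptvController()
    c.add_channel("news", "239.1.1.1")             # constructed sample channel table
    c.add_policy("basic", {"news": Right.VIEW})
    c.bind("gei_1/1", 100, "basic")
    print(c.igmp("report", "gei_1/1", 100, "239.1.1.1"))   # forward
    print(c.igmp("report", "gei_1/2", 100, "239.1.1.1"))   # reject (port not bound)
    print(c.igmp("leave", "gei_1/1", 100, "239.1.1.1"))    # fast-leave
```

Note that the leave path runs before the rights lookup: a user whose rights were revoked after joining can still leave, and the CDR for that session is still closed.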
The controllable multicast technology of the ZXR10 8900E series switches lets the operator control multicast services precisely, manage users comprehensively and provision IPTV services flexibly.
3.2.6 MCE
In the traditional MPLS VPN model, VPN access is provided by the PE device and user isolation is performed on the PE. This MPLS VPN model is flat: whatever layer of the network a PE sits at, the performance required of it is the same. Routes aggregate layer by layer, so as PEs are pushed towards the edge they must hold more routes, whereas a typical network follows the core-aggregation-access three-layer model in which device performance decreases and network scale grows from layer to layer. This makes it hard to extend PE devices to the network edge. Moreover, when VPN users are far from the PE they must be attached over WAN links, at least one per VPN user. Using routers to attach nearby users and aggregating them onto one WAN link to the PE saves cost and improves bandwidth utilization, but then the different VPN users must be distinguished on that shared WAN link.
MCE (Multi-VRF CE) extends the capability of the CE by giving it VRF functions; a device with this capability is called an MCE. In the network, several MCEs together with a PE form a distributed PE. MCE lets multiple VPN users share one CE device while keeping them isolated from each other, resolving the conflict between security and cost. User data streams terminate at the MCE, which shields the PE from user broadcast traffic. In short, MCE is a technology that lets multiple VPN users in a local area network share one CE device and share the links between that CE and the PE. MCE isolates different services completely in transit and solves the security problem of the traditional LAN at low cost, largely satisfying customer requirements.
Figure 3-3 Architecture of MCE
As shown in Figure 3-3, the characteristic of MCE is that it moves VPN access from the PE to the CE.
Multiple VRFs are configured on the MCE, one per VPN site, and each VRF needs its own uplink interface to the PE, on whose corresponding interface the same VRF is configured. Because the MCE does not need to support MPLS, the packets between the MCE and the PE are ordinary unlabelled data packets; this differs from hierarchical PE, where there is an MPLS label between the hierarchical PEs. VPN traffic can therefore only be distinguished by the PE interface it arrives on, which means the number of VPN interfaces on the PE must equal the number of VPNs the MCE supports (the same configuration as a PE supporting L3 VPN). A CE with the MCE feature effectively emulates multiple CEs; the virtual CEs are isolated from each other and can be attached to different VPN users. The PE cannot tell whether it is facing multiple CEs or one MCE, so it needs no extension. The isolation between VRFs holds only while no routes are leaked between them and each VRF keeps its own dedicated interfaces, so both points should be checked when an MCE configuration is reviewed.
3.3 MPLS VPN
3.3.1
The basic routing mode of MPLS is hop-by-hop routing, which allows a simpler forwarding mechanism than routing data packets and therefore faster forwarding. Because it uses a common label distribution method and common routing protocols over various media (packet, cell and frame), MPLS supports efficient and broadly applicable specific routing (such as QoS routing) and general traffic engineering methods as well as other operational methods. Using its core protocol LDP (Label Distribution Protocol) together with standard network-layer routing protocols, MPLS distributes label information among the devices of the MPLS network in a connectionless working mode. MPLS can also work in a connection-oriented mode, using a signaling protocol to establish specific routes for long-lived multimedia services that need QoS support, and in a resource-reservation mode without a specific connection, namely RSVP and the RSVP-TE (RSVP-LSP-TUNNEL) extension, used mainly for traffic engineering. CR-LDP, the constraint-based extension of LDP, can be used to set up routes along specific paths.
The working principle of an MPLS network is shown in Figure 3-4. The core components of an MPLS network are the Label Edge Router (LER) and the Label Switch Router (LSR). The Label Distribution Protocol (LDP) distributes label information between LER and LSR and between LSRs. Network routing information comes from ordinary routing protocols such as OSPF, and the system decides how to establish label switched paths (LSPs) from that routing information. When a packet enters at an LER, the ingress LER looks up the routing table using the packet header to determine the LSP to the destination, inserts the label of that LSP into the packet and sends it along the path identified by the label. The nodes along the path forward purely by label switching, without consulting the routing table. The egress LER removes the label and forwards the packet to its destination according to its own forwarding rules.
Figure 3-4 Working principle of an MPLS network (ingress LER, intermediate LSRs and egress LER; LDP distributes labels between the n odes, each of which keeps an In/Out label table)
The structure of the MPLS header is shown in Figure 3-5: a 20-bit label, a 3-bit EXP field commonly used for CoS, a 1-bit S (bottom of stack) flag that marks whether this label is the bottom of the label stack, and an 8-bit TTL (Time To Live).
Figure 3-5 MPLS header structure
MPLS forwards by label. A label is a 20-bit identifier with only local significance on one hop. A label identifies a group of packets called a Forwarding Equivalence Class (FEC), which may be all packets to the same destination prefix or, when QoS is taken into account, all packets with the same service quality requirements. Packets of the same FEC are forwarded according to the same forwarding policy.
When an unlabelled packet enters an MPLS domain, the edge LSR analyses the destination address in the header, classifies the packet into an FEC (taking QoS requirements into account), pushes the label of that FEC onto the packet and forwards it to the next hop. An intermediate LSR keeps a table mapping incoming label to outgoing label and forwarding direction. When it receives a labelled packet it looks up the incoming label in this table, obtains the outgoing label and forwarding direction, replaces the incoming label with the outgoing label and sends the packet to the next hop. When the packet leaves the MPLS domain, the edge LSR removes the label, turning it back into an unlabelled packet, and sends it to the next hop.
In forwarding, labels are processed as a stack. The label at the top of the stack is the effective label and an LSR forwards by that top label. When a packet enters an MPLS domain a label is pushed onto the stack and becomes the top, increasing the stack depth by one. LSRs inside that domain examine and replace only the top label and ignore the others. When the packet leaves the domain a POP operation restores the stack to its depth before entering. An unlabelled packet can be regarded as an empty label stack, and adding the first label when the packet enters the MPLS network is likewise a PUSH. In this way MPLS easily builds hierarchical networks: the depth of the label stack reflects the network layer, growing when the packet passes through a tunnel or a lower-level MPLS network and shrinking when it returns to the upper level.
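As an added example of the header format and the label-stack operations described above (not code from the original document), the Python below encodes and parses the 32-bit MPLS shim header (label/EXP/S/TTL), implements PUSH, SWAP and POP against a per-LSR label forwarding table, decrements the TTL so that a looping packet is eventually dropped, and models penultimate hop popping, where the last LSR before the egress removes the transport label while leaving an inner (VPN) label untouched. The LFIB contents, node names, the "drop on unknown label" policy and the sample IPv4 payload are assumptions of the example; TTL propagation into the inner label or IP header is not modelled.

```python
import struct
from typing import Dict, List, Optional, Tuple

IMPLICIT_NULL = 3              # signalled to the penultimate LSR to request PHP
Entry = Tuple[int, int, int]   # (label, exp, ttl); the S bit is derived from stack position


def encode_stack(stack: List[Entry], payload: bytes) -> bytes:
    """Serialize a label stack (top first) in front of the payload; S=1 only on the bottom entry."""
    out = bytearray()
    for i, (label, exp, ttl) in enumerate(stack):
        if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
            raise ValueError("field out of range")
        s = 1 if i == len(stack) - 1 else 0
        out += struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)
    return bytes(out) + payload


def decode_stack(buf: bytes) -> Tuple[List[Entry], bytes]:
    """Parse a labelled packet (ethertype 0x8847 assumed); stop at the entry whose S bit is set."""
    stack: List[Entry] = []
    off = 0
    while True:
        if off + 4 > len(buf):
            raise ValueError("truncated label stack")
        (v,) = struct.unpack("!I", buf[off:off + 4])
        stack.append((v >> 12, (v >> 9) & 7, v & 0xFF))
        off += 4
        if (v >> 8) & 1:
            return stack, buf[off:]


def push(stack: List[Entry], label: int, exp: int, ttl: int) -> List[Entry]:
    """PUSH: the new label becomes the top; an empty stack is an unlabelled packet."""
    return [(label, exp, ttl)] + stack


class Lsr:
    """An LSR with an LFIB: incoming label -> (action, outgoing label, next hop)."""

    def __init__(self, name: str, lfib: Dict[int, Tuple[str, Optional[int], str]]):
        self.name = name
        self.lfib = lfib

    def forward(self, stack: List[Entry], payload: bytes) -> Tuple[Optional[str], List[Entry], bytes]:
        """Return (next_hop, stack, payload); next_hop is None when the packet is dropped."""
        if not stack:
            return None, stack, payload             # unlabelled packets are not for the LFIB
        label, exp, ttl = stack[0]
        if ttl <= 1:
            return None, stack, payload             # TTL expired: loop protection
        entry = self.lfib.get(label)
        if entry is None:
            return None, stack, payload             # unknown label: drop, never guess
        action, out_label, next_hop = entry
        rest = stack[1:]
        if action == "swap":
            return next_hop, [(out_label, exp, ttl - 1)] + rest, payload
        if action == "pop":
            # PHP: out_label is IMPLICIT_NULL; inner labels (if any) are left untouched
            return next_hop, rest, payload
        raise ValueError(f"unknown action {action}")


def run_lsp(nodes: Dict[str, Lsr], first: str, stack: List[Entry], payload: bytes):
    """Walk a packet through the LSRs until it is dropped or leaves the MPLS domain."""
    path = [first]
    node = first
    while node in nodes:
        nh, stack, payload = nodes[node].forward(stack, payload)
        if nh is None:
            path.append("drop")
            return path, stack, payload
        path.append(nh)
        node = nh
    return path, stack, payload


if __name__ == "__main__":
    ip = b"\x45\x00\x00\x14" + b"\x00" * 16          # constructed stand-in for an IPv4 header
    p1 = Lsr("P1", {1001: ("swap", 2002, "P2")})
    p2 = Lsr("P2", {2002: ("pop", IMPLICIT_NULL, "PE2")})   # penultimate hop
    stack = push(push([], 500, 0, 64), 1001, 0, 64)  # VPN label 500 under transport label 1001
    print(run_lsp({"P1": p1, "P2": p2}, "P1", stack, ip)[:2])
```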
At present the ZXR10 8900E series provides a complete MPLS implementation with the following main functions:
Supports TTL decrement, loop detection, policy management and penultimate hop popping (PHP);
Supports Downstream Unsolicited label distribution and liberal label retention;
3.3.2 MPLS TE
Network congestion is a major problem affecting backbone performance. Its cause may be insufficient network resources or an unbalanced load on them, which leads to local congestion. Traditional shortest-path-first routing distributes traffic unevenly: when a path is congested, traffic is not moved onto other paths. As networks and services have grown and customers demand higher service quality, this weakness of traditional routing has been fully exposed. TE (Traffic Engineering) exists to solve the congestion caused by unbalanced load, and MPLS TE integrates traffic engineering with MPLS. With MPLS TE the service provider can control the path of traffic precisely, avoiding congested nodes, so that some paths are no longer overloaded while others sit idle, and the available bandwidth is fully used. MPLS TE can also reserve resources when an LSP tunnel is established, to guarantee service quality.
MPLS TE builds a link bandwidth resource database on the nodes of the MPLS network via OSPF TE or IS-IS TE, computes the tunnel path with the CSPF algorithm from that database and the tunnel's constraints, and finally sets up the TE tunnel along the computed path with the RSVP-TE signaling protocol.
RSVP (Resource Reservation Protocol) is a signaling protocol of the TCP/IP suite. With RSVP a host can request a specific QoS from the network for a particular flow; resources are reserved on every router node the flow passes through and the reservation state is kept until the service releases it. RSVP-TE, an extension of RSVP, can carry parameters such as bandwidth, explicit routes and colour (affinity), set up an LSP that meets the constraints according to the traffic engineering path computation, and provide link backup, node backup and load balancing.
ZXR10 8900E supports MPLS TE and provides the following features:
MPLS TE also guarantees stable and reliable transport of network traffic: when a link or transit node fails, fast switching is achieved with MPLS TE FRR and MPLS TE tunnel backup. Full-path LSP protection is also supported, greatly reducing the impact on traffic.
Supports MPLS VPN over TE and LDP over RSVP; TE tunnels provide bandwidth guarantees and isolation for MPLS VPN services.
3.3.3 MPLS L2 VPN
MPLS L2 VPN comes in two classes. The first is VPWS (Virtual Private Wire Service), which connects the sites of a VPN with point-to-point connections. It is mostly used by customers with ATM and Frame Relay attachments: the attachment circuits between the customer and the provider are kept as they are, and the traffic is carried over the provider's IP backbone after encapsulation. The second is VPLS (Virtual Private LAN Service), in which the provider network emulates a LAN switch or bridge, connecting all the customer's LANs into one simple bridged LAN. The main difference between VPLS and VPWS is that VPWS provides only point-to-point service while VPLS provides point-to-multipoint service: the CE in VPWS selects a virtual circuit and sends its data to one customer site, whereas the CE in VPLS simply sends its data to the PE it is attached to, which delivers it to the destination sites.
Figure 3-6
The most direct way to create an L2 VPN is to create a virtual circuit (VC) between each CE and PE and have the provider network carry these connections over MPLS LSPs, as shown in Figure 3-6. MPLS TE can be used to meet the customer's QoS requirements. In this scheme the configuration workload of the PVCs between CE and PE and of the MPLS LSPs carrying them is heavy, and the large number of LSPs consumes much LSR resource, which limits scalability. To address this scalability problem, the Martini draft suggests creating a fixed number of MPLS LSPs between PEs. When VC-carried services between a customer CE and its PE need to cross the network, they enter a point-to-point sub-tunnel (a pseudowire) inside an MPLS LSP, so one LSP carries many VCs, similar to the relationship between VC and VP in an ATM network. The IETF draft defines the signaling used to create the sub-tunnels and the encapsulation of ATM, Frame Relay and Ethernet packets on them. Although this saves network resources (such as LSP count), all the sub-tunnels still have to be created manually when building a large MPLS VPN, so the configuration workload remains high.
ZXR10 8900E series products support Martini-draft VPWS with the extended LDP protocol. They can create different LSP channels by service type, support Ethernet and VLAN encapsulation, and support LDP-based VPLS.
3.3.3.1 VPLS
Virtual Private LAN Service (VPLS) is a VPN that connects multiple sites in a single bridged domain over a provider-managed IP/MPLS network. All customer sites in a VPLS appear to be on one LAN regardless of where they are located. Because VPLS uses Ethernet interfaces to attach customers, it simplifies the LAN/WAN boundary and makes service provisioning quick and flexible. In a VPLS the customer keeps full control of routing, and since all the customer's routers are on the same subnet (LAN), IP addressing is simplified; this advantage is especially clear compared with a full mesh of separate point-to-point links. Operators also benefit from the reduced complexity of managing the VPLS service.
In Figure 3-7, CE1, CE2 and CE3 are in one VPLS domain, VPLS A, connected by a packet-switched network (here an MPLS network). With VPLS configured, the PEs establish a full mesh of VC connections between each other. If CE1 communicates with CE3, CE1 first learns the MAC address of CE3 from the data flow. On PE1 there must then be two labels towards PE3: the outer label is the packet-switching (here MPLS) label, and the inner label is the VC label. When PE1 receives a MAC frame destined for CE3, it looks up the inner and outer labels towards PE3 using the MAC address, VC ID and other information, adds the labels to the frame and sends it through the MPLS network. When the frame arrives at PE3 only the inner label remains; PE3 finds the port behind which CE3 sits from the inner label and the MAC address and sends the frame out of that port, where it reaches CE3. In this way communication between CE1 and CE3 is completed. All of this is done at layer 2, so the operator does not have to care about the customer's routing configuration, which reduces the customer's dependence on the operator and simplifies the operator's management of user services.
Figure 3-7
3.3.3.2 H-VPLS
VPLS uses a full mesh of PEs, with split horizon between the mesh pseudowires, to avoid loops, so an LDP or BGP session must exist between every pair of PEs in one VPLS instance, which is a serious challenge to scalability. In a medium-sized deployment a PE full mesh is acceptable, but as the number of PEs grows the number of sessions grows quadratically, placing high demands on device performance and making network management very complicated. Hierarchical VPLS (H-VPLS) solves this problem.
H-VPLS divides PEs into NPEs and UPEs. The UPE acts as the access device for customers, and the NPE forms the core of the VPLS network, transporting customer packets transparently across the operator network. The NPEs in an H-VPLS network form a full mesh; a UPE does not need a connection to every PE. With this hierarchy, H-VPLS reduces the number of PWs and the PW signaling overhead.
There are two types of H-VPLS access: PW access and QinQ access.
1. U-PW access:
Figure 3-8
As shown in Figure 3-8, the UPE acts as the aggregation device and establishes a virtual connection, the U-PW, to NPE1. The UPE attaches the customer's packets and pushes the VC label of the U-PW. When NPE1 receives a packet it determines from the VC label which VFI the packet belongs to, pushes the VC label of the N-PW selected by the packet's destination MAC address, and forwards it. For packets received from an N-PW, NPE1 pushes the VC label of the U-PW and forwards them to the UPE.
2. QinQ access:
Figure 3-9
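The following Python model is an added example (not the ZXR10 implementation) that serves both the VPLS description in 3.3.3.1 and the H-VPLS description above: one VPLS forwarding instance (VFI) on a PE learns MAC addresses from the data plane, forwards known unicast to the port (attachment circuit, mesh PW or spoke PW) where the MAC was learned, and floods unknown unicast and broadcast with the split-horizon rule that keeps the full mesh loop-free: a frame received from a mesh PW is never sent back onto another mesh PW, while a frame from a spoke PW (the U-PW from a UPE) is forwarded onto the mesh. Port names, VC labels and MAC addresses are constructed for the example; the outer transport label is not modelled.

```python
from typing import Dict, List, Optional, Tuple


class Vfi:
    """One VPLS forwarding instance (VFI) on a PE.

    Ports are attachment circuits (ACs) towards CEs, mesh pseudowires (PWs) towards the
    other PEs of the full mesh, and spoke PWs towards UPEs in an H-VPLS hierarchy.
    """

    def __init__(self, name: str):
        self.name = name
        self.acs: List[str] = []
        self.mesh_pws: Dict[str, int] = {}    # PW name -> VC label the remote PE allocated
        self.spoke_pws: Dict[str, int] = {}
        self.mac_table: Dict[str, str] = {}   # learned MAC -> port it was seen on

    def add_ac(self, port: str) -> None:
        self.acs.append(port)

    def add_mesh_pw(self, name: str, vc_label: int) -> None:
        self.mesh_pws[name] = vc_label

    def add_spoke_pw(self, name: str, vc_label: int) -> None:
        self.spoke_pws[name] = vc_label

    def _label(self, port: str) -> Optional[int]:
        return self.mesh_pws.get(port, self.spoke_pws.get(port))

    def forward(self, ingress: str, src_mac: str, dst_mac: str) -> List[Tuple[str, Optional[int]]]:
        """Return the egress (port, VC label) list for one frame; ACs carry no label.

        Unknown-unicast and broadcast frames are flooded to all ports except the ingress,
        with split horizon: a frame that arrived on a mesh PW is never sent onto another
        mesh PW, because the full mesh already delivers it to every PE directly.
        """
        self.mac_table[src_mac] = ingress                   # data-plane MAC learning
        known = self.mac_table.get(dst_mac)
        if known is not None:
            return [] if known == ingress else [(known, self._label(known))]
        from_mesh = ingress in self.mesh_pws
        egress: List[Tuple[str, Optional[int]]] = []
        for port in self.acs:
            if port != ingress:
                egress.append((port, None))
        if not from_mesh:
            for port, label in sorted(self.mesh_pws.items()):
                if port != ingress:
                    egress.append((port, label))
        for port, label in sorted(self.spoke_pws.items()):
            if port != ingress:
                egress.append((port, label))
        return egress


if __name__ == "__main__":
    pe1 = Vfi("VPLS-A")                       # constructed topology: PE1 of Figure 3-7 plus a UPE
    pe1.add_ac("ce1")
    pe1.add_mesh_pw("pw-pe2", 200)
    pe1.add_mesh_pw("pw-pe3", 300)
    pe1.add_spoke_pw("pw-upe1", 400)
    bcast = "ff:ff:ff:ff:ff:ff"
    print(pe1.forward("ce1", "00:00:00:00:00:01", bcast))     # flooded to both mesh PWs and the spoke
    print(pe1.forward("pw-pe2", "00:00:00:00:00:02", bcast))  # AC and spoke only (split horizon)
    print(pe1.forward("pw-pe2", "00:00:00:00:00:02", "00:00:00:00:00:01"))  # learned: ce1 only
```

Note that a rogue or looped spoke could still cause a flood storm on the mesh, which is why the split-horizon exemption for spoke PWs is combined in practice with per-port MAC limits and storm control on the UPE side.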
3.3.4 MPLS L3 VPN
3.3.4.1 MPLS VPN
Figure 3-10 MPLS VPN architecture (customer edge switches of VPN1 and VPN2 attach to per-VPN VRFs on the service provider edge switches (PE), which are connected across the backbone switch)
3.3.4.2
Cross-domain VPN
At the beginning, MPLS-VPN application is mainly developed in enterprise network or
MAN with not very large scale. Deployment of MPLS-VPN inside an AS can meet the
service needs. With the expansion of MPLS-VPN application scale and the expansion of
network scale, cross-domain MPLS-VPN services are emerging. Multiple sites of user
VPN connect to multiple ISP or different AS domains of an ISP. If the AS number for all
AS domains are different, operators need to support Multi-AS cross-domain VPN.
The following are three solutions to solve Multi-AS cross-domain VPN:
VRF-to-VRF solution: logical sub-interfaces are set up between the edge routers, with
each sub-interface associated with one VPN. The edge router distributes IPv4 routes to
the corresponding VPN user through its sub-interface. Every VPN has to be processed
separately. This suits the initial phase of VPN service, with little network change and few
VPN services provided.
Single-hop MP-EBGP solution: the edge routers distribute the VPN users' VPN-IPv4 routes
by MP-EBGP, avoiding the per-VPN processing on the edge routers that VRF-to-VRF
requires. When VPN service has developed to a certain stage and the edge router links
are constrained, single-hop MP-EBGP can be considered for providing cross-domain VPN
service.
ZXR10 8900E provides the above three VPN cross-domain deployment solutions.
3.4 QoS
3.4.1 Basic QoS
The existing Internet provides best-effort service. In this mode all service flows compete
equally and fairly for network resources. The router works in First Come First Served
(FCFS) mode for all IP packets: it does its best to deliver IP packets to the destination but
guarantees neither the reliability nor the delay of IP packet transport. This suits Email, FTP
and WWW services well.
With the rapid growth of the Internet, IP services have developed quickly and become
diversified. With the emergence of multimedia services, the computer is no longer a pure
data-processing tool but is getting closer and closer to people's lives. Computer-mediated
exchange is becoming more real-time and lively, which places higher demands on
computers and the Internet. For applications with special bandwidth, delay and jitter
requirements, the existing best-effort service is clearly not enough. Although network
bandwidth and speed have greatly improved with the development of network technology,
the amount of data that needs to be transmitted is increasing just as fast. At the same time,
new applications that have emerged in recent years (such as multimedia and multicast) not
only add to network traffic but also change the nature of traffic on the Internet; they bring
brand-new service requirements. Without service quality guarantees, bandwidth
reservation and bounded network delay, the network cannot support applications that are
sensitive to bandwidth, delay, jitter and packet loss ratio, such as VoIP and video
conferencing. Providing QoS capability is a feasible way to solve this problem. QoS aims to
provide different service quality for applications with different needs, such as dedicated
bandwidth, reduced packet loss ratio, and reduced packet transport delay and jitter.
QoS works to provide users with effective end-to-end (E2E) service quality control or
guarantees. QoS enables a network element (such as a program, host or network device)
to ensure that its service flow and service requirements are satisfied to a certain level.
QoS can control various network applications and satisfy multiple application
requirements. For example:
Resource control: restricting the bandwidth used by FTP on the backbone network, or
giving higher priority to database access.
Customizable services: subscribers of an ISP (Internet Service Provider) can transport
voice, video or other real-time services. QoS lets the ISP distinguish these different
packets and provide different services for them.
Coexistence of multiple needs: bandwidth and low-delay guarantees can be provided for
time-sensitive multimedia services, and other services in operation will not influence these
time-sensitive services.
QoS does not create bandwidth. It only manages bandwidth based on application needs
and network conditions. QoS has a series of performance indexes, including the following:
Service availability: the reliability of the connection between subscribers and the Internet
service.
Transmission delay: the time interval between transmitting and receiving a data packet at
two reference points.
Delay variation: also called jitter, the difference in delay between data packets of one flow
transmitted over the same route.
Throughput: the rate at which data packets are transmitted in the network, expressed as an
average rate or a peak rate.
Packet loss ratio: the maximum ratio of data packets lost in the network. Packet loss is
usually caused by network congestion.
ZXR10 8900E series provides the following functions to achieve the above objectives:
1. Traffic classification
2. Traffic monitoring
3. Traffic shaping
4. Queue scheduling and default 802.1p priority
5. Redirection and policy routing
6. Priority mark
7. Traffic mirroring
8. Traffic statistics
3.4.1.1 Traffic Classification
Traffic classification defines or describes packets with certain features by classifying the
packets that pass through the switch. Packet classification can be implemented by ACLs,
especially extended ACLs. Packets can be classified into different categories according to
different needs. Users classify packets based on the filtering options of an ACL, such as
source/destination IP address, source/destination MAC address, IP protocol type, TCP
source/destination port number, UDP source/destination port number, DSCP, ToS, IP
Precedence, VLAN ID, 802.1p priority value, MPLS EXP and MPLS label.
3.4.1.2 Traffic Monitoring
Traffic monitoring (policing) restricts the bandwidth of a service to prevent it from
exceeding the specified bandwidth or influencing other service flows. The following
actions can be taken on traffic that exceeds the limit:
To drop or forward it
To change its drop priority (packets with higher drop priority are dropped first under
queue congestion)
ZXR10 8900E series switch implements the Single Rate Three Color Marker (RFC 2697)
and the Two Rate Three Color Marker (RFC 4115). Both algorithms support Color-Blind
and Color-Aware modes.
The Meter works in two modes: in Color-Blind mode it assumes packets are uncolored; in
Color-Aware mode it assumes packets are already marked with a color. Each packet
passing through the switch is assigned a color according to a certain rule (based on packet
information). The Marker colors IP packets based on the Meter result, and the color is
recorded in the DS field.
The two marking algorithms are as follows.
1. SrTCM: This algorithm is used in the DiffServ traffic conditioner. SrTCM meters the
traffic stream and marks packets based on three parameters: Committed Information Rate
(CIR), Committed Burst Size (CBS) and Excess Burst Size (EBS). The three marking
results are called green, yellow and red. When a packet passes through ingress policing it
first tries to take tokens from the CBS bucket, and is marked green if it succeeds. If it
cannot take tokens from the CBS bucket, it tries the EBS bucket, and is marked yellow if it
succeeds there. The packet is marked red if it cannot take tokens from the EBS bucket
either. Red packets are dropped by default.
2.
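As an added illustration (not code from the ZXR10 product or from this document), the following Python models the srTCM token-bucket marking just described, in both color-blind and color-aware modes. The CIR, CBS and EBS values and the packet burst are constructed for the example; what to do with each color (for instance dropping red) is left to the caller.

```python
"""Single Rate Three Color Marker (RFC 2697) simulated with two token buckets."""
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTCM:
    cir: float              # Committed Information Rate in bytes per second
    cbs: int                # Committed Burst Size: capacity of the C bucket, bytes
    ebs: int                # Excess Burst Size: capacity of the E bucket, bytes
    color_aware: bool = False

    def __post_init__(self):
        # Both buckets start full, as RFC 2697 specifies.
        self.tc = float(self.cbs)   # tokens currently in the C bucket
        self.te = float(self.ebs)   # tokens currently in the E bucket
        self.last = 0.0             # time of the previous refill

    def _refill(self, now):
        """Add CIR tokens per second; C fills first and only its overflow reaches E."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        tokens = self.cir * elapsed
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(float(self.ebs), self.te + tokens - to_c)

    def mark(self, now, size, pre_color=GREEN):
        """Return the color for a packet of `size` bytes arriving at time `now` (seconds).

        In color-blind mode pre_color is ignored (every packet is treated as green).
        In color-aware mode a packet can only keep or worsen its incoming color.
        """
        self._refill(now)
        if self.color_aware and pre_color == RED:
            return RED
        if (not self.color_aware or pre_color == GREEN) and self.tc >= size:
            self.tc -= size
            return GREEN
        if self.te >= size:
            self.te -= size
            return YELLOW
        return RED


def police(marker, packets):
    """Mark a burst given as (time_s, size_bytes, pre_color) tuples; returns the colors."""
    return [marker.mark(t, size, color) for t, size, color in packets]


# Constructed sample: 1000 B/s CIR with 1500-byte C and E buckets. Three back-to-back
# 1000-byte packets at t=0 exhaust first C then E; one second later C has refilled.
SAMPLE_BURST = [(0.0, 1000, GREEN), (0.0, 1000, GREEN), (0.0, 1000, GREEN), (1.0, 1000, GREEN)]


def demo_color_blind():
    return police(SrTCM(cir=1000, cbs=1500, ebs=1500), SAMPLE_BURST)


def demo_color_aware():
    # A packet that arrives already marked yellow may not be promoted to green.
    return police(SrTCM(cir=1000, cbs=1500, ebs=1500, color_aware=True),
                  [(0.0, 1000, YELLOW), (0.0, 1000, GREEN)])
```

In the color-blind run the burst comes out green, yellow, red, and the packet one second later is green again because the C bucket has refilled; in the color-aware run the pre-colored yellow packet stays yellow even though the C bucket was full.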
3.4.1.3 Traffic Shaping
Traffic shaping controls the rate of output packets so that they are transmitted at an even
rate. Traffic shaping is usually used to match the packet rate to the downstream equipment
so as to avoid congestion and packet dropping.
The major difference between traffic shaping and traffic monitoring is that traffic shaping
buffers the packets that exceed the rate limit and sends them later at an even rate,
whereas traffic monitoring drops the packets that exceed the rate limit. Traffic shaping
therefore adds delay, while traffic monitoring adds no extra delay.
ZXR10 8900E supports two-level traffic shaping, with shaping based on VLAN and on port.
With the two shaping levels of VLAN and port, the system can exercise multi-level control
over service flows to support multi-level QoS and differentiated management.
3.4.1.4 Congestion Avoidance
Network equipment has limited processing and buffering capability. Packets that exceed
the equipment's capability cause congestion, and simply tail-dropping these packets leads
to global TCP synchronization. ZXR10 8900E adopts RED/WRED to avoid congestion and
improve network quality. ZXR10 8900E WRED is aware of the service class carried in IP
Precedence, DSCP and MPLS EXP. It can apply a different early-dropping strategy to
packets with different priorities, providing differentiated dropping.
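The following Python is an added example, not ZTE code, of how one WRED profile per priority produces the differentiated dropping described above: an exponentially weighted average of queue depth is compared with a per-class profile of minimum threshold, maximum threshold and maximum drop probability. The DSCP classes AF11/AF13, the thresholds, the EWMA weight and the queue-depth trace are constructed for the example.

```python
"""WRED simulation: per-priority early-drop profiles driven by an EWMA of queue depth."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DropProfile:
    min_th: float   # average queue depth (packets) where random early drop begins
    max_th: float   # average queue depth where every packet of this class is dropped
    max_p: float    # drop probability reached as the average approaches max_th


# Constructed profiles: the higher drop precedence (AF13) is dropped earlier and harder
# than AF11 of the same assured-forwarding class; that is what differentiated dropping means.
PROFILES = {
    "AF11": DropProfile(min_th=60, max_th=110, max_p=0.1),
    "AF13": DropProfile(min_th=20, max_th=80, max_p=0.5),
}


class Wred:
    def __init__(self, profiles, weight=0.1, seed=1):
        self.profiles = profiles
        self.weight = weight            # EWMA weight; smaller values smooth short bursts
        self.avg = 0.0                  # average queue depth
        self.rng = random.Random(seed)  # seeded so the simulation is reproducible

    def update_average(self, queue_len):
        self.avg = (1.0 - self.weight) * self.avg + self.weight * queue_len
        return self.avg

    def should_drop(self, priority, queue_len):
        """Decide the fate of one arriving packet of class `priority`."""
        avg = self.update_average(queue_len)
        p = self.profiles[priority]
        if avg < p.min_th:
            return False                      # below the threshold: never drop
        if avg >= p.max_th:
            return True                       # above it: behaves like tail drop
        drop_prob = p.max_p * (avg - p.min_th) / (p.max_th - p.min_th)
        return self.rng.random() < drop_prob  # linear ramp in between


def run_trace(wred, trace):
    """trace: iterable of (priority, instantaneous queue depth); returns drops per class."""
    drops = {prio: 0 for prio in wred.profiles}
    for prio, qlen in trace:
        if wred.should_drop(prio, qlen):
            drops[prio] += 1
    return drops


def constructed_ramp(n=400):
    """Alternate AF11/AF13 arrivals while the queue fills steadily from 0 to 120 packets."""
    return [(("AF11", "AF13")[i % 2], i * 120.0 / n) for i in range(n)]


def demo():
    return {
        "ramp": run_trace(Wred(PROFILES), constructed_ramp()),
        "idle": run_trace(Wred(PROFILES), [("AF13", 10)] * 50),
        "saturated": run_trace(Wred(PROFILES), [("AF11", 500)] * 100),
    }
```

On the ramp the AF13 class loses far more packets than AF11 even though both see the same queue; with the queue nearly idle nothing is dropped, and once the average passes a class's maximum threshold WRED degenerates into tail drop for that class.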
3.4.1.5 Queue Scheduling
Each physical port of the ZXR10 8900E series switch supports 8 output queues (queue0~7),
called CoS queues. The switch assigns packets to output queues at ingress according to
the CoS queue that corresponds to the 802.1p value of each packet. When the network is
congested, many packets compete for resources; queue scheduling resolves this
contention.
ZXR10 8900E series switch supports three queue scheduling algorithms: Strict Priority
(SP), Weighted Round Robin (WRR) and Dynamic Weighted Round Robin (DWRR). The 8
output queues of a port can adopt different scheduling algorithms.
SP schedules the data of each queue strictly by the queue's priority. It first takes packets
from the queue with the highest priority and sends them until that queue is empty, then
sends the packets in the queue with the second highest priority, then those in the queue
with the third highest priority, and so on.
SP processes packets of key services first, so the quality of the key services is
guaranteed. However, queues with lower priority may never be processed and can starve.
WRR gives every queue a chance to be scheduled, so no queue starves. Each queue is
scheduled with a different weight (the proportion of resources each queue gets), so
packets in a queue with higher weight (priority) are more likely to be scheduled than those
in a queue with lower weight.
DWRR also gives every queue a chance to be scheduled, and each queue has a different
weight. The difference between DWRR and WRR is that the weight configured for DWRR
indicates the number of bytes scheduled in each round for each of the 8 queues of the port,
in units of kbytes, whereas the weight configured for WRR indicates the number of packets
scheduled in each round for each queue. Therefore packet size has little influence on the
bandwidth a queue gets under DWRR.
The 802.1p tag carries the data priority. If data entering a port has no 802.1p tag, the
switch assigns a default 802.1p value to it.
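To make the difference between the three schedulers concrete, here is an added Python simulation (not the switch's implementation): the same backlog of small frames in queue 7 and full-size frames in queue 0 is drained by SP, by WRR with a weight of one packet per queue, and by a deficit-style DWRR with a quantum of 1500 bytes per queue. The backlog, the weights and the byte-based quantum (the page's DWRR weights are configured in kbytes) are assumptions of the example.

```python
"""Egress scheduler simulation: SP, WRR (packet-weighted) and DWRR (byte-weighted)."""
from collections import deque


def make_queues(backlog):
    """backlog: {queue_index: [packet sizes in bytes]}. Queue 7 is the highest priority."""
    return {q: deque(sizes) for q, sizes in backlog.items()}


def strict_priority(queues):
    """Drain the highest-priority queue completely before serving any lower one."""
    order = []
    for q in sorted(queues, reverse=True):
        while queues[q]:
            order.append((q, queues[q].popleft()))
    return order


def weighted_round_robin(queues, weights):
    """Each round queue q sends up to weights[q] packets, whatever their size."""
    order = []
    while any(queues.values()):
        for q in sorted(queues, reverse=True):
            for _ in range(weights[q]):
                if queues[q]:
                    order.append((q, queues[q].popleft()))
    return order


def deficit_weighted_round_robin(queues, quantum):
    """Each round queue q earns quantum[q] bytes of credit and sends while its head fits.

    Unused credit carries over only while the queue stays backlogged, so a queue of large
    packets eventually accumulates enough credit: byte-based weights, not packet counts.
    """
    order = []
    deficit = {q: 0 for q in queues}
    while any(queues.values()):
        for q in sorted(queues, reverse=True):
            if not queues[q]:
                deficit[q] = 0
                continue
            deficit[q] += quantum[q]
            while queues[q] and queues[q][0] <= deficit[q]:
                size = queues[q].popleft()
                deficit[q] -= size
                order.append((q, size))
    return order


def byte_share(order, first_n, queue_ids):
    """Fraction of bytes each queue got among the first `first_n` transmitted packets."""
    sent = {q: 0 for q in queue_ids}
    for q, size in order[:first_n]:
        sent[q] += size
    total = sum(sent.values()) or 1
    return {q: sent[q] / total for q in queue_ids}


# Constructed backlog: small voice-like frames in queue 7, full-size frames in queue 0.
BACKLOG = {7: [64] * 100, 0: [1500] * 10}


def compare(first_n=24):
    """Byte share of queue 0 in the first `first_n` packets under each scheduler."""
    sp = strict_priority(make_queues(BACKLOG))
    wrr = weighted_round_robin(make_queues(BACKLOG), {7: 1, 0: 1})
    dwrr = deficit_weighted_round_robin(make_queues(BACKLOG), {7: 1500, 0: 1500})
    ids = list(BACKLOG)
    return {name: byte_share(o, first_n, ids)[0]
            for name, o in (("sp", sp), ("wrr", wrr), ("dwrr", dwrr))}
```

With equal weights, WRR hands queue 0 about 96% of the bytes because each of its packets is 1500 bytes against 64, SP gives it nothing until queue 7 is empty, and DWRR's 1500-byte quantum gives the two queues roughly equal bandwidth regardless of packet size, which is the property the text attributes to DWRR.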
3.4.1.6 Priority Mark
Priority marking re-assigns a set of service parameters to the particular traffic described by
an ACL. The following operations can be performed:
1. Change the CoS queue of the data packet and change its 802.1p value.
2. Change the CoS queue of the data packet without changing its 802.1p value.
3.
4.
3.4.2 MPLS QoS
MPLS QoS is an important part of QoS service deployment, since DiffServ has good
deployment flexibility and scalability; in practical MPLS networks, the DiffServ mechanism
is usually used to implement QoS. ZXR10 8900E supports DiffServ-based MPLS QoS.
Traditional IP QoS decides the service level based on IP Precedence or DSCP to deliver
differentiated service. MPLS QoS distinguishes the data flows of different services based
on the EXP value, maps priority between MPLS EXP and IP/Ethernet priority, delivers
differentiated service, and guarantees the quality of voice and video services.
MPLS QoS has four modes:
Uniform mode
Pipe mode
ZXR10 8900E supports uniform, pipe and short pipe modes. At the MPLS ingress PE node,
the switch decides whether to map or copy the IP priority or VLAN priority into the MPLS
EXP according to the uniform, pipe or short pipe model. In the backbone network, classified
traffic has its EXP value re-marked according to the service, and undergoes traffic
monitoring, shaping and scheduling. At the MPLS egress node, the priority of IP or
Ethernet service packets is restored according to the Uniform, Pipe or Short Pipe model.
E2E QoS based on DiffServ is thus provided, as shown in Figure 3-11. In addition, ZXR10
8900E brings H-QoS into MPLS VPN, supports multi-level scheduling within a VPN and
improves overall network operation capability.
Figure 3-11
3.5 OAM
3.5.1 Ethernet OAM
With the rapid development of Ethernet in recent years, Ethernet is taking a larger share
of network construction and its scale keeps growing. Ethernet is replacing ATM equipment
in access, aggregation and backbone networks. At the same time, the IP bearer network is
developing into a multi-service broadband network. Without carrier-class management,
traditional Ethernet cannot detect, report or isolate L2 network failures. A network
management system based on SNMP can only manage link and equipment state; it cannot
detect E2E connection performance or the state of user services, and when a network
failure occurs it cannot be located, or cannot be located quickly. With the wide deployment
of network equipment, operators therefore pay more attention to the OAM of Ethernet
equipment.
ZXR10 8900E series currently supports three Ethernet OAM standards:
IEEE 802.3ah (Operations, Administration, and Maintenance, OAM)
IEEE 802.1ag (Connectivity Fault Management, CFM)
IEEE 802.3ah, the Ethernet operation, administration and maintenance standard, is a
formal IEEE standard. It provides link-level management: monitoring and fault handling
for point-to-point (or virtual point-to-point) Ethernet links. The protocol is of great
significance for managing connections at the points where failures tend to occur, such as
the last mile to the network user.
IEEE 802.1ag Connectivity Fault Management is at present an IEEE draft standard. It
provides service-level management, giving the network easy and quick fault discovery,
detection and management, and provides effective detection, isolation and reporting of
connectivity faults in virtual bridged LANs.
8900E supports OAM that complies with the above standards. It provides Ethernet
Connectivity Check (ETH-CC), Ethernet Loopback (ETH-LB) and Ethernet Link Trace
(ETH-LT). It supports Frame Loss Measurement (ETH-LM) and Frame Delay Measurement
(ETH-DM). It supports Ethernet link OAM, link discovery, link state monitoring, remote
defect indication and remote loopback conforming to IEEE 802.3ah.
3.6 Clock synchronization
With the trend of carrying telecom services over IP, Ethernet is required to provide a
precision clock to the mobile wireless network. Mobile networks have high requirements
for high-precision synchronization, which consists of frequency synchronization and time
synchronization. ZXR10 8900E supports a Synchronous Ethernet and 1588v2 solution
that uses synchronous Ethernet technology for clock frequency synchronization, and IEEE
1588 phase fine control and time maintenance for clock time synchronization.
ZXR10 8900E can configure different clock source priorities, and clock sources are
selected according to these priorities. The clock source with the highest priority takes
effect first. If that clock fails, the clock source with the second highest priority takes effect,
and so on. The restoration policy of clock sources is: when a clock with higher priority is
restored, whether to switch back to it is configurable.
3.6.1 Clock source
ZXR10 8900E supports 5 clock sources, and the main control decides which clock source
information is distributed to the system.
Local clock: the local clock of the system hardware, the most basic clock signal.
BITS: supports 2 MHz analog signal and 2 Mbit/s digital clock signal.
GPS: the traditional mobile network clock source, providing a high-precision clock signal
and 1PPS+TOD signal.
SyncE: supports Synchronous Ethernet interfaces, recovering and extracting the clock
from the physical layer.
3.6.2 Synchronous Ethernet
Synchronous Ethernet (SyncE) technology recovers the clock from the Ethernet link code
stream. It synchronizes frequency rather than phase, and requires all bearer network
equipment to support synchronous Ethernet. ZXR10 8900E can extract the clock from an
Ethernet link, or take a reference clock from an external synchronization interface (BITS or
GPS), as the system clock. The system selects the proper system clock source and output
clock source according to synchronization status information or system alarm information.
After the clock source is determined, the system uses the high-precision clock at the
Ethernet interface to send data and to transfer synchronization status information,
synchronizing Ethernet physical-layer data transmission and reception end to end. Its
synchronization mode is shown in Figure 3-12.
Figure 3-12 SyncE synchronization
3.6.3 IEEE 1588 v2
IEEE 1588 v2 is a precision time synchronization protocol, called PTP for short. IEEE 1588
v2 uses master/slave clocks to transport time in coded form. Timestamps are generated at
the protocol layer adjacent to the physical layer. It uses the symmetry of the network link
and delay measurement to synchronize the frequency, phase and absolute time of master
and slave clocks. The key to 1588 lies in delay measurement.
The IEEE 1588 v2 master/slave clock synchronization principle is shown in Figure 3-13:
the slave clock synchronizes with the master clock through offset measurement, then
delay measurement is performed to obtain the link delay and time deviation between the
clocks, which are used to adjust the time output of the slave clock and synchronize the
time between master and slave.
Figure 3-13
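As an added worked example, not taken from the document, the following Python carries out the offset and delay calculation of the 1588 delay request-response exchange with a constructed slave offset and path delays, and shows the caveat behind the text's reliance on link symmetry: path asymmetry enters the recovered offset at half its value. The timestamp values and the 1 ms slave turnaround are assumptions; timestamps are integers in nanoseconds.

```python
"""IEEE 1588 v2 delay request-response: offset and path delay from four timestamps."""


def ptp_offset_and_delay(t1, t2, t3, t4):
    """Standard PTP arithmetic over one Sync/Delay_Req exchange.

    t1: master sends Sync (carried in Sync or its Follow_Up), master clock
    t2: slave receives Sync, slave clock
    t3: slave sends Delay_Req, slave clock
    t4: master receives Delay_Req (returned in Delay_Resp), master clock
    Returns (offset of the slave clock from the master, one-way path delay); both are exact
    only if the path is symmetric, which is the measurement the text describes.
    """
    ms = t2 - t1            # master-to-slave transit as seen by the two clocks
    sm = t4 - t3            # slave-to-master transit as seen by the two clocks
    offset = (ms - sm) / 2
    delay = (ms + sm) / 2
    return offset, delay


def exchange(slave_offset, delay_ms, delay_sm, t1=1_000_000_000, slave_turnaround=1_000_000):
    """Construct the four timestamps of one exchange on a simulated link.

    The slave clock reads true time + slave_offset; the master clock is the reference.
    delay_ms / delay_sm are the true one-way delays in each direction (ns).
    """
    true_arrival = t1 + delay_ms
    t2 = true_arrival + slave_offset
    true_req = true_arrival + slave_turnaround
    t3 = true_req + slave_offset
    t4 = true_req + delay_sm
    return t1, t2, t3, t4


def demo_symmetric():
    """300 us slave offset over a 50 us symmetric path: both are recovered exactly."""
    return ptp_offset_and_delay(*exchange(slave_offset=300_000, delay_ms=50_000, delay_sm=50_000))


def demo_asymmetric():
    """Offset error caused by 20 us of path asymmetry: half the asymmetry, here -10 us."""
    offset, _ = ptp_offset_and_delay(*exchange(slave_offset=300_000, delay_ms=50_000, delay_sm=70_000))
    return offset - 300_000
```

The asymmetric case is why transparent clocks matter on the path: any unmeasured one-way delay that differs between directions becomes a fixed error in the slave's time, and hardware timestamping at the physical layer is what keeps that error small.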
ZXR10 8900E supports the 1588 v2 protocol and the following working modes:
Ordinary clock: only one port runs the 1588v2 protocol. The clock works as grandmaster
or slave.
Boundary clock: several ports run the 1588v2 protocol. The clock can connect to several
ordinary clocks or transparent clocks.
Transparent clock: the node does not run the 1588v2 protocol, but needs to modify the
timestamp: when forwarding a timing message it fills in the time the node spent
processing the message in the correction field. Both E2E and P2P modes are included.
3.6.4 Clock protection
1.
ZXR10 8900E provides automatic protection switching of clock links based on the SSM
protocol and the BMC (best master clock) algorithm to transmit the clock reliably. It selects
an algorithm according to the clock path to compute the best synchronization path for clock
and time information and to avoid clock loops. When a fault occurs in the network, the
system performs protection switching of clock and time information according to the clock
path algorithm, and provides locked, hold-over and free-run states for clock and time
information.
2.
The active and standby main control modules of ZXR10 8900E always synchronize clock
information. When receiving BITS and GPS signals, one main control module sends the
signals to the other. A line card receives the clock signal from both the active and standby
main control modules at the same time, but takes only the clock of the active main control
module as the system reference clock. When a fault occurs on the active main control
module, the line card switches over to the clock of the standby main control module as the
system reference clock.
3.7 Reliability protection
3.7.1 Equipment-level protection
3.7.1.1
3.7.1.2
3.7.1.3
or exceeding the alarm threshold, the system reports the relevant alarm and fault, and
automatically saves them and sends them to the related server periodically.
3.7.2
3.7.2.1 BFD
BFD (Bidirectional Forwarding Detection) is a path connectivity detection protocol. BFD
aims to detect faults between adjacent forwarding systems quickly and with low overhead.
A BFD packet is encapsulated in UDP and can be carried over any suitable medium or
network protocol, so BFD can run at several layers of the system. BFD can detect a fault
on any path between systems: the path may be a direct physical link, a virtual circuit, a
tunnel, an MPLS path or an indirect path. Since BFD fault detection is simple, BFD can
detect forwarding faults quickly.
The BFD state machine needs a three-way handshake. It is a simple service: only the
destination address and a few other parameters are needed to create, delete or modify a
BFD session. When a BFD session goes up or down, a signal is returned to the system for
appropriate processing.
BFD is a simple Hello protocol, in many respects similar to the neighbor detection of
well-known routing protocols. A pair of systems periodically send detection packets on the
path of the session between them. If one system receives no detection packet from the
other for long enough, it considers that a fault has occurred in some part of the
bidirectional path to the adjacent system. Under certain conditions, the transmit and
receive rates between the systems can be negotiated to reduce the load.
After bidirectional communication between two systems is established, only one path is
running (a unidirectional link is also possible). An independent BFD session may be
created for each communication path or data protocol between two systems. Each
system can evaluate the frequency of transmitting and receiving BFD packets so as to
keep the fault detection time consistent between the two systems. The parameters can be
modified for different environments to meet the requirements.
The BFD protocol describes a bidirectional detection mechanism consisting of
asynchronous mode and query (demand) mode. An auxiliary echo function can work with
either mode. The difference between asynchronous mode and query mode lies in where
detection takes place: in asynchronous mode, one system periodically sends BFD control
packets and the other system detects them remotely; in query mode, the same system
transmits and detects the BFD control packets.
Asynchronous mode: in asynchronous mode, the two systems periodically send BFD
control packets to each other. If one receives no BFD control packet from the other within
the detection time, it declares the session down.
Query mode: in query mode, each system is assumed to have an independent way to
confirm that it is connected to the other systems. Once a BFD session is created, the
system stops sending BFD control packets unless it needs to verify connectivity explicitly.
In that case the system sends a short sequence of BFD control packets; if no packet is
returned within the detection time, it declares the session down, and if a packet is returned
the protocol goes quiet again.
Echo function: one system sends a series of BFD echo packets, and the other system
loops them back via its forwarding path. If several consecutive echo packets are not
received, the session is declared down. The echo function can work with either of the two
detection modes.
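The following Python, added here and not part of the document, simulates asynchronous-mode detection for two constructed BFD peers with different timer settings: each side's transmit interval is negotiated from the peer's receive requirement, and a side's detection time is the peer's multiplier times the peer's agreed transmit interval, as RFC 5880 specifies. The timer values, the zero-delay link and the bidirectional cut at 1000 ms are constructed for the example; query mode and the echo function are not simulated.

```python
"""BFD asynchronous-mode detection simulated in whole milliseconds (RFC 5880 timers)."""
from dataclasses import dataclass


@dataclass
class BfdSystem:
    name: str
    desired_min_tx: int   # ms: how often this system would like to send control packets
    required_min_rx: int  # ms: the fastest rate at which it is willing to receive them
    detect_mult: int      # how many consecutive missed packets declare the session down

    def tx_interval(self, peer):
        """Negotiated send rate: never faster than the peer is willing to receive."""
        return max(self.desired_min_tx, peer.required_min_rx)

    def detection_time(self, peer):
        """Silence after which *this* side declares the session down.

        RFC 5880: the peer's Detect Mult times the peer's agreed transmit interval.
        """
        return peer.detect_mult * max(self.required_min_rx, peer.desired_min_tx)


def simulate(a, b, cut_at, horizon=5000):
    """Both systems send control packets on schedule; at `cut_at` the path fails both ways.

    Constructed simplification: zero propagation delay, so a packet arrives in the same
    millisecond it is sent. Returns the time at which each side declared the session down.
    """
    last_rx = {a.name: 0, b.name: 0}
    down_at = {a.name: None, b.name: None}
    pairs = ((a, b), (b, a))
    for now in range(horizon + 1):
        for sender, receiver in pairs:
            if now % sender.tx_interval(receiver) == 0 and now < cut_at:
                last_rx[receiver.name] = now      # control packet delivered
        for me, peer in pairs:
            if down_at[me.name] is None and now - last_rx[me.name] >= me.detection_time(peer):
                down_at[me.name] = now
    return down_at


def demo():
    # Constructed peers: A is a fast sender, B a slower one with the same multiplier.
    a = BfdSystem("A", desired_min_tx=100, required_min_rx=100, detect_mult=3)
    b = BfdSystem("B", desired_min_tx=300, required_min_rx=100, detect_mult=3)
    return simulate(a, b, cut_at=1000)
```

B, which receives A's packets every 100 ms, notices the cut after 3 x 100 ms; A, which receives B's packets only every 300 ms, needs 3 x 300 ms from B's last packet at 900 ms. This is the point the text makes about keeping the two sides' fault detection time consistent: the slower sender dictates how quickly its peer can react.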
ZXR10 8900E supports BFD for static routes, OSPF dynamic routes and VRRP to achieve
fast convergence. It combines BFD with FRR technology to provide a fast fault detection
mechanism for fast rerouting.
3.7.2.2 OAM detection
OAM offers a wide variety of means for detecting and discovering network faults. It
consists of Ethernet OAM and MPLS OAM: Ethernet OAM detects and discovers Ethernet
link faults, and MPLS OAM provides defect detection tools and a protection switching
mechanism for the MPLS network. For details, refer to Section 3.5. OAM message
detection serves to detect link status, node status and tunnel connectivity; it can detect the
fault and trigger protection switching.
3.7.2.3 SQA
SQA (Service Quality Analyzer) sends test packets to analyze network performance,
network service and QoS, and provides the user with network performance and QoS
parameters such as delay jitter, TCP connection delay, FTP connection delay and file
transfer rate. SQA helps the user to understand the current network status, and to detect
and locate faults, improving network management initiative and controllability.
ZXR10 8900E supports many kinds of detection, including ICMP-echo, DHCP, DNS, FTP,
HTTP, UDP-jitter, SNMP, TCP, UDP-echo, Voice and DLSw, and can associate the
detection result with the VRRP function, as shown in Figure 3-14.
Figure 3-14 SQA association
3.7.3 VSC
A VSC (Virtual Switch Cluster) system virtualizes multiple independent devices into one
device, to which members can be added or removed dynamically. The VSC members,
linked by VSC ports, elect one master device through a certain selection mechanism, and
the others work as forwarding devices. It is as if one device were expanded to support
more interface cards, more interfaces and more services, providing equipment-level
redundancy backup and improving the reliability of the equipment and the network.
VSC simplifies the network by removing the need for complicated and slow STP or VRRP.
Multiple devices need only one configuration, which makes the network more reliable: it
supports multi-chassis link aggregation, implements protocol-level and equipment-level
cross-chassis hot standby, and makes the network more efficient. Multiple devices forming
a VSC system effectively improve system capacity, implement load balancing and fully
utilize network bandwidth.
Figure 3-15
3.7.4
3.7.4.1 ZESR
ZESR (ZTE Ethernet Smart Ring) is an Ethernet ring technology that allows the network
administrator to create an Ethernet ring similar to a Fiber Distributed Data Interface (FDDI)
or SONET/SDH ring. It can recover from any link or node fault within 50 ms.
ZESR uses break alarms, ring monitoring and ring restoration to maintain the protocol.
1. Break alarm: when standby equipment in a ZESR ring detects a cable fault on its
active or standby port connected to the ring, it immediately sends a break alarm frame
from its other port to the active equipment. When the active equipment receives the alarm
frame and learns that the ring is broken, it unblocks its standby port, refreshes its L2
forwarding table (L2 table), and sends a notification frame telling the other ring equipment
to refresh their L2 tables, as shown in Figure 3-16.
Figure 3-16
2.
diagnosis frame, the active equipment considers that the ring is broken and unblocks its
standby port to ensure ring connectivity. Meanwhile, the active equipment refreshes its L2
table and sends a notification frame telling the other ring equipment to refresh their L2
tables. The ring monitoring mechanism is the backup of the break alarm mechanism: if the
break alarm frame is lost for some reason, it provides a reliable fallback.
3. Ring restoration: when a ring link breaks, the active equipment still periodically sends
diagnosis frames via its active port, but its standby port cannot receive them. After the ring
is restored, the next diagnosis frame is received by the standby port of the active
equipment. When the active equipment receives the diagnosis frame, it knows the ring has
been restored; it then blocks its standby port, refreshes its L2 table and sends a
notification frame telling the other ring equipment to refresh their L2 tables. When the
standby equipment detects that its connection has been restored, the active equipment
will not receive a diagnosis frame immediately, because diagnosis frames are sent
periodically (so its standby port is still unblocked). If no measure were taken, the standby
port of the active equipment would stay unblocked for some time, resulting in a temporary
loop and a broadcast storm. To avoid this, the standby equipment temporarily blocks the
port when its connection is restored. When the standby equipment receives the
notification frame from the active equipment to refresh the L2 table, it knows that the
active equipment has blocked its standby port; it then refreshes its L2 table and unblocks
the restored port. At this point the ring has returned to normal.
3.7.4.2 ZESS
ZESS (ZTE Ethernet Smart Switching) technology provides fast protection switching and
load balancing between L2 Ethernet links; the active and standby links are switched
within 50 ms. Its working principle is shown in Figure 3-17: a node supports ZESS, with
port 1 as the active port and port 2 as the standby port. When the node detects that both
the active and standby ports are UP, it blocks forwarding of the protected service VLAN on
the standby port. When the node detects that the active port is DOWN, it blocks forwarding
of the protected service VLAN on the active port and unblocks it on the standby port.
When the node detects that the active port has returned to UP, it behaves according to the
inverse (revertive) or non-inverse (non-revertive) mode: in inverse mode it unblocks the
active port and blocks the standby port again; in non-inverse mode the active port remains
blocked and the standby port remains unblocked. In addition, during ZESS switching the
FDB of the blocked port must be updated.
Figure 3-17
3.7.4.3
Figure 3-18
3.7.5 L3 route protection
3.7.5.1 Enhanced VRRP
With traditional VRRP, when a router link fails or the router powers off, the backup router
takes 3 seconds to switch over, which cannot meet user demands when the IP network
carries voice services. Enhanced VRRP introduces the fast BFD mechanism in place of
VRRP heartbeat messages. It speeds up detection between VRRP entities and uses
single-hop or multi-hop BFD to check whether real-address communication between the
slave and master routers is normal. If not, the slave considers the master unavailable and
promotes itself to master, achieving fast switching.
VRRP and BFD are bound through BFD sessions between the router and the host, which
means the master and slave routers are bound to different BFD sessions (these sessions
are not established between the master and slave routers). If BFD communication
between the master router and the host is abnormal, VRRP demotes the master to slave
and promotes the slave to master, maintaining communication between the protecting
router and the host and achieving fast switching between master and slave routers.
Furthermore, ZXR10 8900E supports VRRP group management. Multiple VRRP instances
form a VRRP management group, and each member keeps its status consistent with the
group. When the VRRP management group creates a BFD session to trigger a group
status switch, all members switch status. VRRP group management reduces
inter-equipment BFD message traffic, simplifying VRRP management and reducing
network and equipment load.
3.7.5.2
ZXR10 8900E supports a per-destination load balancing policy that takes both the source
address and the destination address of a packet into account, so that packets with the
same source/destination address pair take the same path (even if several paths are
available), and packets with different source/destination address pairs take different paths.
The policy ensures that packets with the same source/destination address pair arrive in
sequence.
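As an added example (not the switch's algorithm), the following Python contrasts a per-destination selector, which hashes the (source, destination) pair so that one flow always uses one path, with per-packet round robin, and counts out-of-order arrivals when the two parallel paths differ in latency. The addresses, the latencies and the SHA-256 based hash are constructed for the example.

```python
"""Per-destination (flow-hash) path selection versus per-packet round robin, with the
reordering each produces when parallel paths have different latency."""
import hashlib


def flow_hash_path(src, dst, n_paths):
    """Pick a path from the (source, destination) pair only: one pair always maps to one path."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_paths


def per_destination(packets, n_paths):
    return [flow_hash_path(p["src"], p["dst"], n_paths) for p in packets]


def per_packet_round_robin(packets, n_paths):
    return [i % n_paths for i, _ in enumerate(packets)]


def count_reordered(packets, path_choice, path_latency):
    """Deliver each packet over its chosen path and count arrivals that land behind a
    later-sequenced packet of the same (src, dst) flow. Equal arrival times keep send order."""
    arrivals = sorted(
        (p["sent"] + path_latency[path], i)
        for i, (p, path) in enumerate(zip(packets, path_choice)))
    highest_seen = {}
    reordered = 0
    for _, i in arrivals:
        p = packets[i]
        key = (p["src"], p["dst"])
        if key in highest_seen and p["seq"] < highest_seen[key]:
            reordered += 1
        highest_seen[key] = max(highest_seen.get(key, -1), p["seq"])
    return reordered


def constructed_flows():
    """Two constructed flows, ten packets each, sent one per millisecond."""
    packets = []
    for src, dst in (("10.0.0.1", "10.1.0.1"), ("10.0.0.2", "10.1.0.9")):
        for seq in range(10):
            packets.append({"src": src, "dst": dst, "seq": seq, "sent": seq})
    return packets


def demo():
    packets = constructed_flows()
    latency = [1, 10]           # constructed: path 1 is 9 ms slower than path 0
    return {
        "per_destination": count_reordered(packets, per_destination(packets, 2), latency),
        "round_robin": count_reordered(packets, per_packet_round_robin(packets, 2), latency),
    }
```

Spraying packets across the two paths delivers eight of the twenty packets out of order; keying the choice on the address pair delivers every flow in sequence, at the cost that a single large flow cannot use more than one path.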
3.7.5.3 GR (Graceful Restart)
GR (Graceful Restart) uses the neighbor equipment to keep control plane sessions from
being reset when the control plane has an error or switches over. GR provides non-stop
forwarding while a routing protocol restarts, and at the same time allows routes to be
recovered quickly. Each routing protocol has its own GR extension.
When a routing protocol restarts, it notifies its neighbors to wait for a specific period of
time, during which they maintain the neighbor relationship and keep routing stable. When
the routing protocol restart is complete, the neighbor equipment helps it to re-synchronize
routing information and re-establish the session, so that all routing information is
recovered within a short time. With GR, protocol restart, routing and forwarding are
comparatively stable, achieving non-stop packet forwarding.
ZXR10 8900E series supports GR for the relevant routing protocols, OSPF/ISIS/BGP/RIP,
which avoids network oscillation and improves network stability and reliability.
3.7.6 VPN Protection
3.7.6.1 PW Protection
PW (Pseudo Wire) protection is one of the linear protection mechanisms in MPLS L2VPN,
used to provide end-to-end service convergence in the CE dual-homing model. PW
protection detects PW-layer failures by OAM and BFD mechanisms and implements failure
notification and fast traffic switching. Since a PW between two PEs can be single-hop or
multi-hop, the PW redundancy-based protection mechanism should support both
single-hop PW redundancy and multi-segment PW redundancy.
Single-hop PW redundancy sets up multiple PWs between the PEs. ZXR10 8900E series
switch supports 1:1 redundancy backup and can perform fast active/standby PW
switching, as shown in Figure 3-19.
Figure 3-19
Multi-hop PW redundancy introduces an S-PE between the PEs. The S-PE joins the PWs
on its two sides: PE1 and PE2 each set up a connection with the S-PE, so the PW between
PE1 and PE2 is composed of multiple PW segments. ZXR10 8900E series switch supports
1:1 multi-segment PW redundancy backup. When PW1 fails, traffic can be switched to
PW3 quickly, achieving fast switching between active and standby PWs, as shown in
Figure 3-20.
Figure 3-20
3.7.6.2
CE Dual-homing to PE
In an MPLS network, to improve reliability and avoid the service interruption caused by
route re-convergence after a single PE failure, the CE dual-homing to PE solution is
introduced. The CE is connected to two PEs at the same time, one active and the other
standby. When the CE detects, through LACP, STP, ZESS or port shutdown, that the
active PE or the active link has failed, it automatically switches to the standby PE and
standby link. When the failure is recovered, the original active PE either takes over again
or automatically becomes the standby PE according to the configured policy, as shown in
Figure 3-21.
Figure 3-21
CE dual-homing to PE
L3VPN uses FRR to install active/standby forwarding entries at the remote PE, pointing
to the active PE1 and the standby PE2. The PEs implement fast failure detection through
BFD and MPLS OAM. When PE4 detects that PE1 has failed, it forwards traffic to PE2,
so the service traffic between CE1 and CE2 is switched to the PE2-PE4 link.
In L2VPN, PE4 holds the forwarding entries for both PE1 and PE2 at the same time; that
is, the active MAC egress for CE1 is PE1 and the standby egress is PE2. The PE4
forwarding entry carries the forwarding prefix, the inner label and the selected outer LSP
tunnel. When PE1 fails (for example, the tunnel is detected as unavailable by BFD and
MPLS OAM), PE4 forwards the traffic to PE2. When the CE1-PE1 link fails, PE1 notifies
PE4 to flush its MAC addresses, change the egress and switch the traffic to the PE2-PE4
link.
An H-VPLS network also has single points of failure. Dual-homing of the UPE to NPEs
improves network reliability and avoids link and NPE single-point failures. When a link
failure is detected, for example by BFD or port shutdown, traffic is switched to the
standby link. When the failure is recovered, the original active NPE either takes over
again or automatically becomes the standby NPE according to the configured policy, as
shown in Figure 3-22.
In H-VPLS with U-PW access, an LDP session runs between the UPE and the NPE, and
whether the active PW has failed is decided from the LDP session state. In H-VPLS with
QinQ access, STP can run between the UPE and the NPEs connected to it to ensure that
the other link is activated when one link fails.
Figure 3-22 (diagram labels: UPE, CE1, CE2, NPE1, NPE2, NPE3, N-PW, U-PW, Master, Backup)
3.7.7
FRR Protection
3.7.7.1
IP FRR
IP FRR (IP Fast ReRoute) achieves switching within 50 ms, which keeps data loss on
failure to a minimum. IP FRR calculates the standby route in advance. When the active
route fails, no new route calculation is performed; the standby route is used to switch
traffic to the standby link. When the active link recovers and becomes stable, the traffic
is switched back to the active route, as shown in Figure 3-23.
Figure 3-23
ZXR10 8900E supports FRR for static routing, OSPF, IS-IS and RIP, which easily
implements the switching of unidirectional traffic to meet the switching time
requirement.
3.7.7.2
LDP FRR
LDP FRR is an MPLS-related reliability technology. With the help of the LDP label
distribution protocol, it distributes active and standby labels for routes. Because the
standby label is saved, it can respond quickly to a route change, switch to the standby
label, and provide 50 ms switching protection in case of a network failure. The standby
label corresponds to a standby LSP. When a link or node on the protected LSP fails, the
label is quickly switched to the standby link, as shown in Figure 3-24. R2 configures
e2/2 to back up port e2/1, so the LSP has two next hops: one on the active link specified
by the routing protocol, the other on the standby link. When port e2/1 is detected as
failed, the label is quickly switched to e2/2. When the route recovers, the label is
switched back to port e2/1.
Figure 3-24
LDP FRR is only a temporary protection measure: when the protected link recovers,
traffic is switched back to the original LSP. LDP FRR does not need to rely on
complicated MPLS TE, and standby LSPs do not need to be set up separately for each
link, node or route, so it is easy to deploy as MPLS spreads.
3.7.7.3
MPLS TE FRR
MPLS TE FRR is a set of link-protection and node-protection mechanisms in MPLS TE.
When an LSP link or node fails, protection is implemented at the node where the failure
occurs, so traffic can pass through the tunnel that protects the failed link or node and
data transmission is not interrupted. At the same time the head node can initiate the
re-creation of the active route without affecting data transmission.
MPLS TE FRR uses an LSP set up in advance to protect one or more LSPs. The LSP set
up in advance is called the FRR LSP and the protected LSP is called the active LSP. The
ultimate objective of MPLS TE FRR is to use the FRR route to detour around the failed
link or node and so protect the active route, as shown in Figure 3-25.
Figure 3-25
Creating the FRR LSP and the active LSP involves all components of the MPLS TE
system. MPLS TE FRR complies with RFC 4090 and is implemented on the basis of
RSVP-TE.
There are two ways to realize FRR:
One-to-one Backup: one-to-one backup protection. Each active LSP sets up its own
standby protection LSP, which is called a Detour LSP.
Facility Backup: one-to-many backup protection. Multiple active LSPs share one standby
protection LSP, which is called a Bypass Tunnel.
Facility backup is usually adopted in MPLS TE FRR deployments. The active LSP is
created in the same way as a common LSP: RSVP sends PATH messages hop by hop
downstream from the head node and RESV messages hop by hop upstream from the tail
node; labels are distributed, resources are reserved and the LSP is set up while the
RESV messages are processed. A Bypass Tunnel can be set up in two ways, manually or
automatically. When the active LSP has no FRR feature, a Bypass Tunnel can be
configured manually to protect the physical interface of the tunnel. Its configuration is
similar to that of a common LSP except that FRR cannot be configured on it; that is, a
Bypass Tunnel cannot work as an active LSP at the same time, nor can an LSP be
protected by nesting. An automatic Bypass Tunnel simplifies the manual configuration:
when an active LSP needs FRR protection, a Bypass Tunnel is set up automatically to
protect it, and a single automatic Bypass Tunnel can protect multiple active LSPs. A
Bypass Tunnel is usually idle and carries no data services; if it is required to carry
common data forwarding while it protects active LSPs, enough bandwidth must be
configured. When a link or node fails and the interface is configured with FRR
protection, data is automatically switched to the protection link. When the failure
recovers, the normal forwarding path is automatically re-created.
3.7.7.4
L3VPN FRR
L3VPN FRR is used to solve the CE dual-homing case, which is the most common
end-to-end service convergence problem in this network model. It can keep end-to-end
service convergence within 1 s in case of a PE node failure. Since MPLS TE FRR can
only solve link or node failures between PEs, and a PE failure must rely on VPN route
convergence, MPLS TE FRR alone cannot realize end-to-end fast convergence. The CE
dual-homing model is shown in Figure 3-26:
Figure 3-26 CE dual-homing model (nodes: CE-A, CE-B, PE-A, PE-B, PE-C, PE-D, PE-E)
Suppose the path for CE-B accessing CE-A is CE-B -> PE-E -> P-C -> PE-A -> CE-A. When
the PE-A node fails, the path for CE-B accessing CE-A converges to
CE-B -> PE-E -> P-D -> PE-B -> CE-A. In standard MPLS L3VPN, both PE-A and PE-B
distribute the route to CE-A, together with private network labels, to PE-E. In the
traditional approach, PE-E selects one VPNv4 route received from its MBGP neighbors
according to a certain policy; in this instance the selected route is the one distributed by
PE-A. Only the route information distributed by PE-A (forwarding prefix, inner label and
selected outer LSP tunnel) is written into the forwarding entry that the forwarding engine
uses to direct forwarding.
When the PE-A node fails, PE-E detects the failure (BGP neighbor down or outer LSP
tunnel unavailable), re-selects the route distributed by PE-B, re-downloads the
forwarding entry and completes end-to-end service convergence. Until PE-E has
re-downloaded the forwarding entry for the route distributed by PE-B, the outer LSP
tunnel in the forwarding engine's entry still points to the failed PE-A, so during this period
CE-B cannot reach CE-A and end-to-end services are interrupted. In the traditional
approach, end-to-end service convergence time covers: 1) PE-E detecting the PE-A
failure; 2) PE-E re-selecting the VPNv4 route distributed by PE-B; 3) PE-E downloading
the new forwarding entry to the forwarding engine. Obviously steps 2 and 3 take time
proportional to the number of VPNv4 routes.
The ZXR10 8900E switch can download the route information distributed by PE-B to the
forwarding engine in advance as the second choice, and uses BFD to check the link
between PE-E and PE-A. On discovering a failure, PE-E quickly switches the route to the
link between PE-E and PE-B. Packets are then switched via PE-B, recovering the
services between CE-B and CE-A with fast switching.
3.8
3.8.1
ACL
In order to filter data, the network needs many matching rules. After identifying specific
objects, the corresponding packets are allowed or denied according to the preset rules.
ACL (Access Control List) is used to realize these services.
Using ACL, packet filtering, policy routing and special traffic control can be realized. One
ACL can contain one or more rules for one specific type of packet; these rules tell the
switch whether the matched packets are allowed or denied.
The rules defined by an ACL can also be used in other scenarios, e.g. traffic
classification in QoS.
ZXR10 8900E series switches provide the following 4 types of ACL and also support two
sorts of IPv6 ACL.
L2 ACL: matches source MAC address, destination MAC address, source VLAN ID,
L2 Ethernet protocol type and 802.1p precedence.
Hybrid ACL: matches source MAC address, destination MAC address, source VLAN ID,
source IP address, destination IP address, TCP source port number, TCP destination
port number, UDP source port number and UDP destination port number. Its match
fields combine those of the three types mentioned above.
3.8.2
Device Authentication
3.8.2.1
AAA
Authentication
Direct authorization: for highly trusted users, authorization is granted directly without
requiring an account.
3.8.2.2
SSH
SSH (Secure Shell) is defined by the IETF network working group. SSH is a security
protocol built on the application layer and transport layer. SSH is currently a reliable
security protocol designed specifically for remote login sessions and other network
services. The SSH protocol can effectively prevent information leakage; encrypting the
transported data with SSH prevents man-in-the-middle attacks.
SSH supports the following two sorts of authentication:
The first is password-based security authentication. After entering the correct account
and password, the user can access the remote host, and all transported data are
encrypted. This mode ensures reliable data transmission, but it cannot rule out a
fraudulent server, which would cause the data to be sent to an illegal server.
The other security authentication is key-based. The user must create a key pair and
save the public key on the target server. The client software requests security
authentication from the server using its own key. When the server receives the request,
it looks up the public key in that user's directory on the server. After confirming that the
two keys match by comparing the stored public key with the public key sent by the client,
the server encrypts a challenge and sends it to the client software. After receiving the
challenge, the client decrypts it with its private key and sends it back to the server.
ZXR10 8900E supports security authentication of the SSHv2 protocol.
3.8.2.3
Command node authority level maintenance: when the switch starts, each command
node has a default authority level, which the administrator can change.
Login user authority level maintenance: the administrator can set an authority level for
each login user. The condition for displaying and executing a command is that the
user's authority level is greater than or equal to the command's authority level; only then
is the command displayed and executable on the user's terminal. By default, the
administrator can use all commands, while other authority levels can only use some
maintenance commands.
3.8.3
Access Security
3.8.3.1
802.1x
802.1X is a client/server-based access control and authentication protocol. When a user
device connects at a system port, it confirms through authentication whether the user is
authorized to access system services via this port, so that unauthorized data
transmission between the user and the system is avoided. At first, 802.1X access control
allows only EAPOL frames to pass through the port connected to the user's device; after
authentication succeeds, other data can pass through the port.
802.1X makes the access point through which the authenticator connects to the LAN
present two logical ports: a controlled port and an uncontrolled port. The uncontrolled
port is independent of the port authorization status and can exchange PDUs with other
systems freely, while the controlled port can exchange PDUs with other systems only
when it is authorized.
The PAE (Port Access Entity) is the basis of the algorithms and protocols related to the
operation and authentication mechanisms. The authenticator's PAE is responsible for
communicating with the requestor's PAE and sending the information collected from the
requestor's PAE to the authentication server. After verifying this information, the
authentication server confirms whether the requestor is authorized to access the
authenticator's service. The authenticator's PAE sets the controlled port to the authorized
or unauthorized state according to the authentication result. The authenticator's PAE
uses the uncontrolled port and the EAPOL protocol to exchange protocol messages with
the requestor's PAE, and uses EAPOR (EAP over RADIUS) to communicate with the
RADIUS authentication server.
The 802.1X unit of ZXR10 8900E series switches mainly realizes the following services:
Local authentication.
Support for the authenticator's PAE exchanging protocol messages via EAPOL through
the uncontrolled port.
The Force-Unauthorized, Auto and Force-Authorized values of
Auth-Controlled-Port-Control can be used to control the controlled port.
3.8.3.2
DHCP
A DHCP server can allocate suitable IP addresses to all sorts of devices. With the DHCP
service, the network administrator allocates IP addresses automatically through the
exchange of DHCP protocol messages instead of distributing them manually. This not
only reduces the workload and configuration errors caused by manual configuration, but
also enables unified IP address management when devices move.
DHCP uses a client/server communication mode. The client sends an IP allocation
request to the server, and the DHCP server returns the related configuration
information, such as the allocated IP address, to the client. When the DHCP client
receives the configuration information, it can configure its IP address dynamically and
communicate with the external network. In this process the DHCP server can implement
authentication. One DHCP server usually has one IP address pool, from which it
distributes IP addresses to multiple IP devices.
When the DHCP server and the DHCP client are not in the same network segment, a
DHCP relay is required. The client sends its request message towards the DHCP server;
when the DHCP relay receives and processes the message, it forwards it to the DHCP
server in another network segment. The server provides the related information
according to the request message, and the DHCP relay returns the configuration
information to the client to finish the dynamic client configuration.
Besides, DHCP also includes some extension services, e.g. DHCP snooping and DHCP
Relay Agent Information Option (Option 82). With the options carried in the DHCP
request message, DHCP option 82 enables the DHCP server to identify the user's
location more accurately, so that different users can be given different address
allocation policies and users can be effectively controlled even when they are in different
VLANs or network segments.
DHCP Snooping is mainly used to defend against spoofing DHCP servers. A spoofing
DHCP server set up on some device answers users' DHCP address requests, which
prevents users from obtaining correct DHCP addresses and connecting to the network;
alternatively, a spoofing DHCP client sends DHCP address requests to the DHCP server
frequently to exhaust the DHCP server's addresses. When the DHCP Snooping service
is enabled, trusted and untrusted ports can be set, and DHCP server response
messages received on untrusted ports are discarded. In addition, Snooping can limit the
number of IP addresses that can be allocated through one untrusted port, so that DDoS
attacks on the DHCP server can be avoided.
ZXR10 8900E supports DHCPv4 server, DHCPv4 relay, DHCPv4/v6 snooping and DHCP
option 82 services. The specific supported options can be seen in the functional list.
3.8.3.3
IP source guard
IP source guard checks the source of packets by binding port, VLAN, MAC and IP
together, realizing packet security control. The binding table of IP source guard can be
set up in the following two ways:
1.
2. Dynamic binding: port control is implemented by automatically obtaining the binding
table entries of DHCP Snooping or DHCP Relay. It is suitable for LANs with many hosts.
Using DHCP for dynamic host configuration effectively avoids IP address conflicts and IP
address spoofing. When DHCP allocates an entry to a user, the dynamic binding service
adds one binding table entry to allow this user to access the network. If a user configures
an IP address privately, it is not allowed to access the network, because DHCP has not
been used to allocate a table entry and the dynamic binding service has therefore not
added the corresponding access rule.
ZXR10 8900E supports IP Source Guard service based upon IPv4 and IPv6.
3.8.3.4
DAI
DAI (Dynamic ARP Inspection) sends ARP messages to the CPU to check their validity,
after which each message is either discarded or forwarded. If the ARP message's source
MAC address, source IP address, port number and port VLAN match a DHCP Snooping
table entry or a manually configured static IP binding entry, the message is considered a
legal ARP message and is forwarded; otherwise it is discarded as an illegal ARP
message. Because ARP messages are sent to the CPU, a large number of ARP
messages can amount to a DoS attack, so in real deployments DoS attacks through ARP
messages must be defended against. ARP messages exist only in IPv4; for IPv6, ND
messages are monitored instead.
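The three mechanisms above share one binding table. The following added example (not ZTE's code, and not the switch's implementation) simulates a switch that builds the table from DHCP snooping, caps the addresses an untrusted port can obtain, and lets IP source guard and DAI consult the same table; the port names, MACs, addresses and the per-port cap are constructed assumptions.

```python
"""Added example: DHCP snooping binding table shared by IP source guard and DAI.
Port names, MAC/IP addresses and the per-port cap are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One port/VLAN/MAC/IP entry of the binding table."""
    port: str
    vlan: int
    mac: str
    ip: str


class SnoopingSwitch:
    def __init__(self, trusted_ports, max_bindings_per_port=2):
        self.trusted_ports = set(trusted_ports)
        # Assumed per-port cap on dynamically obtained addresses; the text says the
        # number per untrusted port can be limited but does not name the knob.
        self.max_bindings_per_port = max_bindings_per_port
        self.dynamic = set()   # bindings learned from DHCP ACKs (dynamic binding)
        self.static = set()    # bindings configured by the administrator
        self.pending = {}      # client MAC -> (port, vlan) of its last request

    def add_static_binding(self, port, vlan, mac, ip):
        self.static.add(Binding(port, vlan, mac, ip))

    def _dynamic_on_port(self, port):
        return [b for b in self.dynamic if b.port == port]

    def handle_dhcp(self, port, vlan, client_mac, msg_type, ip=None):
        """DHCP snooping decision for one DHCP message: 'forward' or 'drop'."""
        if msg_type in ("OFFER", "ACK"):
            # Server replies arriving on an untrusted port come from a spoofing
            # DHCP server and are discarded.
            if port not in self.trusted_ports:
                return "drop"
            if msg_type == "ACK" and client_mac in self.pending:
                cport, cvlan = self.pending.pop(client_mac)
                self.dynamic.add(Binding(cport, cvlan, client_mac, ip))
            return "forward"
        if msg_type in ("DISCOVER", "REQUEST"):
            # Limit how many addresses one untrusted port can obtain so a spoofing
            # client cannot exhaust the server's address pool.
            if port not in self.trusted_ports:
                on_port = self._dynamic_on_port(port)
                renewing = any(b.mac == client_mac for b in on_port)
                if not renewing and len(on_port) >= self.max_bindings_per_port:
                    return "drop"
            self.pending[client_mac] = (port, vlan)
            return "forward"
        return "forward"   # other message types (e.g. RELEASE) are passed through

    def _bound(self, port, vlan, mac, ip):
        # Assumption: trusted (server-facing) ports are exempt from the check.
        if port in self.trusted_ports:
            return True
        b = Binding(port, vlan, mac, ip)
        return b in self.dynamic or b in self.static

    def check_ip_packet(self, port, vlan, src_mac, src_ip):
        """IP source guard: forward only if the 4-tuple is in the binding table."""
        return self._bound(port, vlan, src_mac, src_ip)

    def check_arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: validate the ARP sender MAC/IP against the same binding table."""
        return self._bound(port, vlan, sender_mac, sender_ip)
```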
3.8.4
MFF
Based on RFC 4562, MFF (MAC-Forced Forwarding) is applied on user access devices. It
aims at isolating users on the access side while providing effective IP address
distribution. All flows are forwarded to the uplink access gateway, which then determines
the forwarding direction of these flows (including L2 switching flows within one broadcast
domain). In the past these flows were forwarded directly by the access device, which left
potential security risks. MFF ensures user isolation and meets the Broadband Forum
(formerly DSL Forum) TR-101 requirements for access node interconnection and security
in broadband access networks.
Compared with PVLAN, MFF not only realizes L2 isolation of users but also keeps some
user information, so it is safer when processing and forwarding packets. At the same
time, communication between users in the same L2 segment is controlled by the gateway
router, which makes the network more secure through centralized control.
3.8.5
Network Security
Ideally, user-level virus inspection, which requires users to install patches and anti-virus
software, is preferred for defending against network viruses. In many cases a lot of
users cannot accomplish this, so the switch must be able to provide network-level virus
inspection and alarms.
Besides, against some malicious network attacks the switch must have protective
mechanisms to avoid the breakdown of the switch and the network. ZXR10 8900E series
switches mainly realize network-based security mechanisms, configuring security
inspection services on different units.
In ZXR10 8900E series switches, network security mainly includes the following
services:
Inspect viruses that cause traffic outbreaks, e.g. SQL worm, Red Code and Shockwave.
Corresponding alarms are generated, or the client port is shut down.
Prevent ARP spoofing by users.
MAC address flooding protection: restrict the number of MAC addresses per port.
Set a per-port broadcast packet threshold.
L2, L3 and L4 hybrid ACL filtering.
Route filtering.
Disable the ICMP redirect service, to prevent attackers from sending spoofed ICMP
messages.
Defend against DoS attacks based on hardware queues. Support defense against
anti-land | null-scan | ping-of-death | smurf | sys-fin | syn-port-less-1024 | xma-scan |
ping-flood | syn-flood attacks. Anti-ping-flood | syn-flood defense supports rate limiting.
DHCP snooping.
IPv6 ND security.
3.8.5.1
Anti-DDoS Attack
As network environments become more and more complicated, the switch must be more
competent at resisting attacks. There are many ways to prevent DDoS attacks, and CPU
protection is a very important one.
Currently, protocol message control is used to protect the CPU. The rate of messages
sent to the CPU can be set; if the actual rate exceeds the threshold, the messages are
discarded or their transport priority is lowered. CPU protection is implemented on the
following principle.
CPU protection is mainly realized by having the switch monitor the rate of messages sent
to the CPU. The rate threshold for messages going to the CPU can be set on the device.
When messages are sent to the CPU at an abnormal rate, related alarms are generated
and the NM (network management system) becomes aware of the attack. At this moment
the NM can decide how to process the messages according to their type and rate. When
the protocol protection unit finds that one protocol's messages are arriving too fast, it
sends an alarm to warn the user. After reading this alarm, the user can configure
protocol protection shutdown to avoid CPU failure.
Currently, the supported protocols include most L2 and L3 protocols. The covered IPv4
protocols are: OSPF, PIM, IGMP, VRRP, ICMP, ARP reply, ARP request, group mng,
VBASE, DHCP, RIP, BGP, telnet, LDP_TCP, LDP_UDP, TTL=1, BPDU, SNMP, MSDP
and RADIUS. The included IPv6 protocols are: MLD, ND, ICMP6, BGP4+, RIPng,
OSPFv3, LDPtcp6, LDPudp6, telnet6 and PIM6. L2 protocols cover messages such as
STP and MSTP, as well as some L2 ring protocols of the switch.
On top of common CPU protection, 8900E has multi-level CPU protection, which
includes hardware protection, software protection and protocol stack protection. The
CPU supports multiple hardware queues to guarantee the precedence of key messages;
key message filtering makes sure key messages reach the CPU; and the protocol stack
controls the message transport rate. Through this multi-level protection, network
efficiency and the operation of key services are guaranteed.
Moreover, ZXR10 8900E can also use MAC address learning restriction, port rate
restriction and multi-level ACL filtering to avoid DDoS attacks.
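The following added example (not ZTE's code, and not the switch's implementation) models the CPU protection principle described above: messages punted to the CPU are counted per protocol in a sliding window, and above the configured threshold they are dropped or demoted while an alarm is raised for the NM. The protocol names, thresholds, window and timestamps are constructed assumptions.

```python
"""Added example: per-protocol rate monitor for messages punted to the CPU.
Protocol names, thresholds and timestamps are constructed sample values."""
from collections import defaultdict, deque


class CpuProtector:
    """Counts messages per protocol in a sliding window; above the configured
    threshold a message is dropped or demoted, and an alarm is raised at most
    once per window so the NM can notice the attack."""

    def __init__(self, policies, window=1.0):
        # policies: {protocol: (max_messages_per_window, action)}
        # action is "drop" or "lower-priority", the two reactions the text names
        self.policies = policies
        self.window = window
        self.recent = defaultdict(deque)  # protocol -> timestamps inside the window
        self.last_alarm = {}              # protocol -> time of its last alarm
        self.alarms = []                  # (time, protocol, observed count)

    def punt(self, protocol, now, priority):
        """Decide the fate of one message heading to the CPU.
        Returns (verdict, priority); verdict is "deliver" or "drop"."""
        q = self.recent[protocol]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                      # forget messages outside the window
        policy = self.policies.get(protocol)
        if policy is None or len(q) <= policy[0]:
            return ("deliver", priority)     # within budget: normal delivery
        limit, action = policy
        # Over the threshold: alarm at most once per window per protocol.
        if now - self.last_alarm.get(protocol, -self.window) >= self.window:
            self.last_alarm[protocol] = now
            self.alarms.append((now, protocol, len(q)))
        if action == "drop":
            return ("drop", priority)
        # "lower-priority": keep the message but move it to a lower hardware queue
        return ("deliver", max(0, priority - 1))
```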
3.8.5.2
to find out whether the interface in the forwarding table corresponding to the source
address matches the incoming interface. If not, the source address is considered
spoofed and the packet is dropped. In this way, malicious attacks launched by forging
the source address can be stopped.
ZXR10 8900E series switches support three types of uRPF, i.e. strict, loose and
loose-ignoring-default-route.
Strict mode looks up the route for the source address and compares its outgoing port
with the incoming port. If they do not match, the packet is dropped; if they match, it is
processed normally.
Loose mode performs a route lookup for the source address. If the default route
egress is the same as the ingress, the packet is processed normally; otherwise it is
discarded.
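The following added example (not ZTE's code, and not the switch's implementation) runs the three uRPF modes over a constructed forwarding table, using the standard uRPF semantics of RFC 3704: strict requires the return interface to equal the ingress, loose requires only that some route to the source exists, and the ignoring-default-route variant does not count the default route as such a route. The prefixes and interface names are constructed assumptions.

```python
"""Added example: uRPF strict / loose / loose-ignoring-default-route over a
constructed forwarding table. Prefixes and interface names are sample values."""
import ipaddress

# Constructed sample FIB: (prefix, egress interface). 0.0.0.0/0 is the default route.
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "gei-1/1"),
    (ipaddress.ip_network("10.2.0.0/16"), "gei-1/2"),
    (ipaddress.ip_network("192.168.5.0/24"), "gei-1/2"),
    (ipaddress.ip_network("0.0.0.0/0"), "gei-1/3"),
]


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None if no route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifname in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_check(fib, src_ip, in_iface, mode):
    """Return True when a packet with this source passes uRPF in the given mode.
    mode is 'strict', 'loose' or 'loose-ignoring-default-route'."""
    hit = lookup(fib, src_ip)
    if hit is None:
        return False                    # no route back to the source at all
    net, out_iface = hit
    if mode == "strict":
        # The route back to the source must leave through the ingress interface.
        return out_iface == in_iface
    if mode == "loose":
        return True                     # any matching route, default included
    if mode == "loose-ignoring-default-route":
        return net.prefixlen != 0       # a default-route-only match does not count
    raise ValueError("unknown uRPF mode: %s" % mode)
```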
3.8.5.3
ND Security
The introduction of IPv6 does not solve the security issues of the original IPv4 network,
and some IPv6 network security problems are introduced by the IPv6 protocol itself. In
IPv6, the ND (Neighbor Discovery) protocol is similar to ARP in IPv4: it resolves MAC
addresses and realizes stateless automatic IP address configuration. ND mainly consists
of the RS, RA, NS and NA messages. RS and RA messages are used to obtain the IP
address prefix, and NS/NA messages are used to obtain neighbor MAC addresses, so
ND also has IP address prefix spoofing and MAC address spoofing issues.
ZXR10 8900E supports router trusted ports; trusted router addresses and a limit on the
number of learned ND entries can be configured. ND message filtering based on ND
snooping is supported, with binding between static IP address, MAC, VLAN and port.
Also, ND messages can be inspected against DHCPv6 snooping entries, and only legal
messages are allowed to pass.
3.9
3.9.1
sFlow
The sFlow service is mainly composed of three parts: the sFlow sampling unit, the sFlow
agent unit and the sFlow collector (e.g. an analyzer). The overall system architecture is
shown in Figure 3-28.
Figure 3-27
The sFlow sampling and agent units are integrated in the network device, while the
sFlow analyzer outside the device analyzes the messages of multiple sFlow agents in the
network. The sFlow sampling service of 8900E is performed by the ASIC chip.
The sFlow sampling service takes packet samples on the interfaces that support sFlow.
The collected samples are sent to and processed by the sFlow agent.
The sFlow agent is mainly responsible for analyzing the sampled packets and sending
them to the sFlow collector after encapsulation. At the same time, the interface statistics
are collected and sent to the sFlow collector.
The sFlow collector is a network device used for sFlow management, monitoring,
collection and analysis. After storing the messages sent by the sFlow agents, the sFlow
collector analyzes them and produces reports and statistics on device traffic and
services. At the same time, some collectors with MIB support can also configure sFlow.
System Architecture
4.1
Appearance
ZXR10 8900E adopts a large-capacity rack structure. Its hardware system is composed
of the chassis, backplane, fan chassis, power supply units, switching MCC and various
line processing cards.
4.1.1
Figure 4-1
Figure 4-2
4.1.2
Figure 4-3
Figure 4-4
4.1.3
Figure 4-5
Figure 4-6
4.1.4
Figure 4-7
Figure 4-8
4.2
Hardware Architecture
This section introduces the hardware system and working principles of ZXR10 8900E
series core switches, giving users an understanding of the system. It covers the overall
system architecture, the functional modules, the card principle diagrams and the working
principles.
4.2.1
Figure 4-9
Figure 4-10 (system block diagram labels: management and control module, line card 1 and line card 2 each with ASIC, XAUI, SyncE/1588 and IPMC, power)
The system uses the latest passive large-capacity high-speed backplane design and
adopts 10G high-speed SerDes links to connect the main control switching card with
every line card. This guarantees abundant switching capacity for system operation and
reserves enough bandwidth for future upgrades. It supports a 400G hardware platform,
40G line cards, and smooth upgrade to 100G line cards.
The main control card is an important composite card with 1:1 and 1+1 redundancy.
Each main control switching card contains a high-performance CPU, large-capacity
memory and storage, an inter-board communication switching module, a monitoring
module and a clock module. Each main control card of the 8912E/8908E/8905E contains
a large-capacity switching matrix, which adopts an independent multi-plane design to
guarantee its switching capability and future expansion capability. The 8902E main
control card has no switching matrix; its line cards are connected back to back through
the high-speed backplane. During operation the two main control cards of 8900E series
switches maintain an active connection with each other.
Service line cards process packets directly. A line card sends each packet to a specific
port of the destination service line card according to the processing result. Each service
line card has its own forwarding table, and forwarding decisions are made locally to
guarantee wire-speed switching capability. There are many types of service line cards,
all supporting clock and monitoring. At present the following service line cards can be
provided according to need:
GE service card
Power supply
8900E uses intelligent power supply units. The main control system monitors the power
supply over an RS485 interface to implement intelligent monitoring of temperature,
over/under-voltage, power-down alarms and traffic limit.
Intelligent fan
The 8900E system uses intelligent fans that satisfy the functional requirements of fan
speed adjustment, fan-off alarm, fan speed alarm and fan card temperature detection. It
can also adjust the speed of the fan at each slot according to its temperature to save
energy.
4.2.2
Figure 4-11 (system diagram labels: switching fabric, management and control module, multiple line cards each with ASIC, XAUI, SyncE/1588 and IPMC, GE SerDes, power)
The switching structure of ZXR10 8902E differs in the switching plane. When the 8902E
switch performs two-stage hardware switching, the first stage is implemented between
the ports of a line card, and the second stage is implemented between the two line cards
through the high-speed SerDes bus that connects the line cards directly. The system
diagram is shown in Figure 4-12.
Figure 4-12 (8902E system diagram labels: management and control module, line card 1 and line card 2 each with ASIC, XAUI, SyncE/1588 and IPMC, power)
4.3
Hardware Boards
4.3.1
Figure 4-13 (main control board diagram labels: CPU system, BOOTROM, CROSSBAR, console interface, MGT interface, IPMC interface, clock subcard, monitoring subcard)
In actual applications of ZXR10 8902E, the main control board realizes the control
function. Its principle diagram is shown in Figure 4-14.
Figure 4-14 (8902E main control board diagram labels: CPU system, SDRAM, BOOTROM, CROSSBAR, GE interfaces, console interface, MGT interface, IPMC interface, clock subcard, monitoring subcard)
4.3.1.1
Protocol processing unit: runs network and routing protocols such as OSPF, RIP and
BGP-4; maintains the global routing and forwarding tables; is responsible for consistency
across multiple processor nodes;
Monitoring unit: provides operation and management interfaces for the line cards;
Provides the system log management function: all logs are stored in the system FLASH;
The CPU interface is fitted with a clock chip to provide the correct clock for the system;
Provides the route data synchronization channel between the active and standby
elements.
4.3.1.2
Switching Module
The switching module is responsible for data switching of the whole system and provides
high-speed non-blocking switching channels between the line cards. It employs a
specialized CROSSBAR chip and integrates multiple high-speed bidirectional interfaces,
so it can perform wire-speed switching for multiple line cards. The switching chip has the
following functions:
Supports priority queues: when a CoS queue is congested, it can selectively discard
some frames;
4.3.1.3
Clock Module
This system adopts Synchronous Ethernet technology to realize clock frequency
synchronization and uses IEEE 1588 to perform phase adjustment and time maintenance
to realize time synchronization. Synchronous Ethernet can perform system clock
frequency synchronization from a reference clock generated by 4 clock sources: the
clock subcard's local clock, BITS (2 MHz, 2 Mbit/s), GPS, and the line-recovered clock of
a line card. To realize time synchronization, all boards in the system can check the time
through GPS or through 1588 information obtained from any line card.
Synchronous Ethernet recovers the clock through the Ethernet PHY chip; each interface
board selects one of the clocks recovered from all of its ports and sends it to the two
main control boards via the backplane; the main control board selects two (active and
standby) according to the configured policy and sends them to the clock module as one
of the reference clock sources; the clock module selects the highest-quality clock among
the clock subcard's local clock, BITS (2 MHz, 2 Mbit/s), GPS and the line-recovered
clock and sends it to the main control board; alternatively, the clock sources can be
configured with different priorities and the highest-priority clock is sent to the main
control board, which then sends this clock to each interface board as the clock source for
its chip. In this way, Ethernet clock synchronization of the whole system is realized.
For 1588 processing, the line cards and the main control board exchange 1588
information over a bus connection. The main control board or any line card can be
configured as the synchronization source of the system, and all other boards obtain
synchronization information from that source. Moreover, the clock subcard of the main
control board can convert between 1588 information and GPS information through a
logic component to realize the GPS time synchronization function.
83
4.3.1.4 Monitoring Module
The monitoring module (IPMC) is a component of the equipment monitoring system. Together with the hardware management bus and the software monitoring management module, it forms the intelligent platform management system. IPMC is designed as a modular subcard and is located on the main control board and on the other boards. The monitoring modules of the main control board and of the other boards are interconnected via the monitoring bus.
By its role in the system, an IPMC module is either an IPMC management node or an IPMC ordinary node. The IPMC on the active main control board is the manager of the subsystems; the standby main control board and the ordinary line cards are all IPMC ordinary nodes. The line card and standby main control functional nodes collect local information and send it to the active main control node, which provides it to the users. Control information sent by the users is distributed by the active main control node to the line card and standby main control functional nodes. The management node also monitors the system power supply and fans.
The monitoring module fulfills the following tasks:
- Monitoring alarm: set alarm parameters for the above detection items and generate corresponding alarms when relevant faults occur;
4.3.1.5
Figure 4-15
The panel diagram of the 8912E main control board 8912EMSC1A, without clock synchronization, is as shown.
Figure 4-16
The panel diagram of the 8908E main control board 8908EMSC1D, supporting clock synchronization, is as shown.
Figure 4-17
The panel diagram of the 8905E main control board 8905EMSC1D, supporting clock synchronization, is as shown.
Figure 4-18
The panel diagram of the 8902E main control board 8902EMSC1D, supporting clock synchronization, is as shown.
Figure 4-19
The panel diagram of the 8902E main control board 8902EMSC1A, without clock synchronization, is as shown.
Figure 4-20
The main control board has a Console interface, an IPMC management interface, an MGT interface, an SD card interface and clock interfaces, namely one BITS in, one BITS out, one GPS in and one GPS out. Among them, the Console interface is used for local configuration and management of the switch; the MGT interface is a 10/100/1000BASE-T interface used mainly for upgrade and network management; the IPMC management interface is used to monitor local management of the system; the SD interface is used to insert an SD card, which can be used for software update, buffering and restoration. The capacity of the SD card can be up to 32G. The features are as shown in Table 4-1.
Table 4-1
Interface name | Feature
Console interface | RJ45 connector; RS232, baud rate 115200 bit/s; transmission distance < 15 m
MGT interface |
IPMC interface | RJ45 connector; RS232, baud rate 115200 bit/s; transmission distance < 15 m
PPS&TOD OUT interface |
PPS&TOD IN interface |
BITS OUT interface |
BITS IN interface |
There are a number of buttons on the panel, such as RST, EXCH and CPY. Their functions are as shown in Table 4-2.
Table 4-2
Button name | Function
RST |
EXCH |
CPY |
The functions of the indicators on the main control board panel are as shown in Table 4-3.
Table 4-3
Indicator | Function
RUN (green) / ALM (red) |
RUN (green) / ALM (red) |
RUN (green) / ALM (red) |
RUN (green) / ALM (red) |
RUN (green) / ALM (red) |
1~2/5/8/12 |
PWR1~2/3 |
RUN |
MST |
FAN (only 8902E has this indicator; for the others it is displayed on the fan frame) |
ACT (green) |
LINK (green) |
4.3.2 Power Module
ZXR10 8912E/8908E/8905E/8902E core switches address practical application needs. To meet the strict requirements for equipment reliability, hot backup is designed into the power supply module, and both 48V DC and 220V AC power supplies are provided. The DC power supply adopts 1+1 mode; the AC power supply adopts 1+1 or 2+1 backup depending on the rack, which greatly improves the reliability of the power system.
Besides, the 8900E series power supply also provides multiple intelligent protection mechanisms, which perform protection, detection and fault reporting for the power supply according to voltage, current and temperature, including output overvoltage protection, output overcurrent protection, output undervoltage protection, output undercurrent protection, overtemperature and short-circuit protection, input overvoltage protection, input undervoltage protection, overtemperature, overvoltage, fan fault and current limit alarm reporting, voltage detection reporting, current detection reporting and temperature detection reporting.
The diagram of the 8912E/8908E/8905E DC power rear panel is as shown in Figure 4-21.
Figure 4-21
Figure 4-22
Figure 4-23
Figure 4-24
4.3.3 Interface Module
The ZXR10 8900E series core switch interface module is the line interface card. The line card types provided include the Gigabit Ethernet interface board, the 10G Ethernet optical interface board and the 40G Ethernet optical interface board. All optical interfaces of line cards in ZXR10 8900E series core switches adopt pluggable optical modules, so the same line card can support multiple kinds of transmission media and transmission distances. Some line cards provide different types of ports, reducing the number of line cards needed in many cases, so that the user gets the greatest benefit with minimal investment.
Moreover, all user electrical interfaces in the line cards have a cable diagnosis function. They can check the cable connection at any time, diagnose short circuits and open circuits in cables and indicate the position of the fault with a precision better than 1 m.
Table 4-4
Board type | Port state | Description
E1GF24A | 24 GE optical interfaces; support 100M and gigabit SFP | 24-port NP enhanced gigabit optical interface board; with NP extension; support MPLS; support big table entry; support H-QoS; support Ethernet OAM; support intelligent monitoring
H2GF24D | 24 GE optical interfaces; support 100M and gigabit SFP | 24-port gigabit optical interface board
H2GF48D | 48 GE optical interfaces; support 100M and gigabit SFP | 48-port gigabit optical interface board
H2GT48D | 48 GE electrical interfaces; 10/100/1000M triple speed | 48-port gigabit electrical interface board
H2XF8D | 8*10G optical interfaces; support 10G SFP+ |
S1XF12A | 12*10G optical interfaces; support 10G SFP+ |
S2XF48A | 48*10G optical interfaces; support 10G SFP+ |
S2LQ6L2A | 6*40G QSFP interfaces + 2*40G CFP interfaces |
Figure 4-25 E1GF24A
Figure 4-26 H2GF24D
Figure 4-27 H2GF48D
Figure 4-28 H2GT48D
Figure 4-29 H2XF8D
Figure 4-30 S1XF12A
Figure 4-31 S2XF48A
Figure 4-32 S2LQ6L2A
4.4 Software Architecture
4.4.1
- Realizes the main L2 protocol functions, including the 802.1D STP protocol, 802.1P priority control, 802.1Q VLAN related functions and the 802.3ad link aggregation function;
- The user can perform network management of the Ethernet switch via a serial port terminal, Telnet/SSH and an SNMP manager, including network configuration management, fault management, performance management and security management;
- The software version can be upgraded smoothly; the active and standby protocol processing cards and switching network cards support online upgrade;
- Realizes MPLS related functions, including MPLS VPN, MPLS OAM and MPLS QoS;
- Supports fast switching and convergence of routes, links and network, providing highly reliable protection.
ZXR10 8900E series switch products adopt a brand new software architecture to fulfill the various functions of the software system. The two major subsystems, the unified support platform and the new-generation protocol stack platform, together with the OAM, DB, product management and operating system (CGEL) subsystems comprise the 8900E product software architecture, as shown in Figure 4-33:
Figure 4-33 8900E product software architecture (components: software platform (protocol stack), version management, equipment management, forwarding plane management, interconnection, DB, OAM, PM)
series of data products and service products from low end to high end. The protocol stack is realized in different processes by functional block to ensure the independence and reliability of functions and to locate software faults with ease. It has the NSR function, fast convergence capability, and mass route management capability. The whole equipment can support 64K VPNs to ensure competitiveness and advancement.
- OAM: The system provides CLI, SNMP and HTTP management interfaces; the foreground performs overall management of the system in a unified way. For the upper-level application part, OAM only provides the management mechanism; relevant management functions can be added for the services separately to realize loose coupling of OAM and application.
- DB: On the basis of the existing DB system, the system realizes a multi-process mutual exclusion mechanism to ensure data integrity; database access can be performed concurrently in a multi-channel multi-core system to improve access efficiency.
- Product management: The software platform only concerns protocol realization; the other functions, including equipment management, equipment monitoring, version management and line card management, are all realized by product management.
- OS: The operating system adopts the self-developed Linux-based CGEL and is fully compatible with the Linux standard system architecture. It supports multiple cores, dual state and multiple processes, and so meets the requirement for timeliness. It supports diverse drivers and realizes distributed extension.
4.4.2 Software Platform
ZXR10 8900E core switch runs the latest Version 5.0 of the next-generation IP protocol stack platform ZXROS (Zhong Xing Route Operating System). The protocol realization of this platform is independent of the product: it only perceives protocol service functions, not specific products. All software components run in the user state of the micro-kernel system to enhance system security; software components belong to different separate process spaces, realizing safe isolation of illegal operations of application programs; the software is based on componentized management, and component functions can be developed independently with independent versions released; it provides non-stop routing capability, distributed processing and fast reliable synchronization between different CPUs. The overall software components of the ZXROS V5.0 software platform are as shown in Figure 4-34.
Figure 4-34 New-generation ZXROS V5.0 software platform system architecture (components: configuration management and resource maintenance, OAM, NETFLOW, TACACS+, RADIUS, PING, NTP, TRACE, routing protocol subsystem, MPLS subsystem, L2 protocol subsystem, distributed infrastructure)
- Route subsystem: including unicast routing protocols and multicast routing protocols;
The key and competitive technologies of this software platform are reflected in the following aspects:
- The system kernel resources run in the highest priority mode and all software components run in the user state of the micro-kernel system to enhance system security (up/down isolation);
- Fast data synchronization can be realized between multiple CPUs; reliable multicast can be used to increase route convergence speed;
- Unified external interfaces that support fast secondary development and can integrate with purchased components;
- High reliability and stability: meets the requirement for long-term stable running of the network;
- Real-time performance: meets the timing requirements of large-scale dynamic routing protocols, network management protocols and data synchronization between multiple processors;
- Self restoration: detects, processes and records exceptions in the whole system, and performs necessary error recovery and equipment switchover in exceptional cases;
- Simplicity: only provides the necessary system services to application programs and shields unnecessary system services.
5 Technical Specifications
5.1 Basic features
Table 5-1
Category | Feature | 8912E | 8908E | 8905E | 8902E
Basic performance | Backplane bandwidth | 19.2 Tbps | 19.2 Tbps | 12 Tbps | 3.2 Tbps
Basic performance | Switching capacity | 2 Tbps/7.68 Tbps | 2 Tbps/7.68 Tbps | 1.28 Tbps/4.8 Tbps | 960 Gbps
Basic performance | Throughput | 1536 Mpps/5760 Mpps | 1536 Mpps/5760 Mpps | 960 Mpps/3600 Mpps | 720 Mpps
Basic performance | GE port density | 576 | 384 | 240 | 96
Basic performance | 10GE port density | 576 | 384 | 240 | 96
Basic performance | 40GE port density | 96 | 64 | 40 | 16
Physical parameters | Dimensions (Height x Width x Depth) | 753 mm x 442 mm x 446 mm | 575 mm x 442 mm x 446 mm | 442 mm x 442 mm x 446 mm | 175 mm x 442 mm x 420 mm
Physical parameters | Weight | <89.7 kg | <64.9 kg | <51.2 kg | <24 kg
Slot number | Total slots | 14 | 10 | |
Slot number | Service board slots | 12 | | |
Power | Power supply (AC) | | | |
Power | Power supply (DC) | -57 V to -40 V | | |
Power | Maximum power consumption | <2718 W | <2084 W | <1235 W | <300 W
Environmental requirements | Operating temperature | Long time: -5 C to +45 C; short time: -10 C to +55 C | | |
Environmental requirements | Storage temperature | -40 C to +70 C | | |
Environmental requirements | Relative humidity | 5% to 95%, non-condensing | | |
Environmental requirements | Earthquake-proof | | | |
5.2 Interface Specifications
Table 5-2 Interface Specifications
Interface type | Description
10/100/1000BASE-T | IEEE802.3z; RJ45 connector, Category-5 UTP cables; transmission distance: 100 m; half duplex/full duplex; MDI/MDIX
100BASE-FX (SFP-M02K) |
100BASE-FX (SFP-S15K) |
100BASE-FX (SFP-S40K) |
100BASE-FX (SFP-S80K) |
1000BASE-SX (SFP-M500) |
1000BASE-LX (SFP-S10K) |
1000BASE-LX (SFP-S40K) |
1000BASE-LX (SFP-S40K-1550) |
1000BASE-LH (SFP-S80K) |
1000BASE-LH (SFP-S120K) |
10GBASE-SR (SFP+-M300) |
10GBASE-LR (SFP+-S10K) |
10GBASE-ER/EW (SFP+-S40K) |
40GBASE-SR4 (QSFP+150-D) |
40GBASE-LR4 (CFP+-S10K-D) |
5.3 Functions
5.3.1 L2 features
Table 5-3 L2 features
Features | Description
VLAN |
QinQ |
MAC |
Link aggregation |
Port | Loop detect; port-based broadcast/multicast/unknown unicast storm suppression; jumbo frames; flow control; peak traffic statistics in one minute; default shutdown
ARP |
STP |
MIRROR |
Ethernet OAM | IEEE 802.1ag; IEEE 802.3ah
5.3.2 L3 features
Table 5-4 L3 features
Features | Description
IPv4 unicast routing |
IPv6 unicast routing |
5.3.3 Multicast features
Table 5-5 Multicast features
Features | Description
L2 Multicast | IGMP Snooping/proxy; IGMP rate limit, IGMP rate filter; MLD snooping; PIM snooping; Multicast VLAN
L3 Multicast | Static Multicast; IGMPv1/v2/v3; PIM-SM, PIM-SSM, PIM-DM, MSDP; Anycast RP
VPN | Multicast VPN
5.3.4 MPLS
Table 5-6 MPLS features
Features | Description
Basic | LDP; CR-LDP; RSVP/RSVP-TE
MPLS L2 VPN | /Multi-hop M-EBGP method for Inter-AS L2 VPN; CE dual-home to PE; UPE dual-home to NPE
MPLS L3 VPN | L3 VPN FRR; L3 VPN ECMP; VRF to VRF method/Single-hop M-EBGP method/Multi-hop M-EBGP method for Inter-AS L3 VPN; Multi-VRF (MCE)
MPLS TE | Static LSP; Explicit-path LSP; LSP priorities/LSP preemption/LSP backup; MPLS TE FRR; MPLS L2VPN/MPLS L3VPN over TE; LDP over TE
MPLS OAM | CV/FFD; 1 to 1 redundancy; MPLS Ping; MPLS Trace Route; VCCV ping for VPWS
5.3.5 QoS
Table 5-7 QoS
Features | Description
Classification |
Marking and Remarking |
Flow control |
Congestion avoidance |
Scheduling |
Shaping |
H-QoS | ingress/egress H-QoS with 4-level queues and 3-level scheduling; H-QoS for MPLS L2/L3 VPN
5.3.6 Service Management
Table 5-8 Service Management
Features | Description
Service Management |
5.3.7 Reliability
Table 5-9 Reliability
Features | Description
Availability | MTBF (8912E/8908E): >200000 hours; MTTR: <30 minutes; Availability: 99.999%
Hot plugging | main control board; power module (AC: 2+1 redundancy, DC: 1+1 redundancy)
Reliability | MPLS-TE end-to-end path protection; MPLS-TE FRR; IP FRR; LDP FRR; Multicast FRR; BFD for static routing, LDP, OSPF, ISIS, BGP, RIP, VRRP, LSP, FRR, PIM DR, Super VLAN; Graceful Restart; NSF; VRRP; protection against loops for VPLS; ESRP+ Ethernet ring protection; dual uplink dual homing protection; ECMP; UDLD; LLDP; LACP, MC-ELAM
5.3.8 System security
Table 5-10 System security
Features: Anti attacks; CPU protection; Advanced security; Log record
Description: Broadcast storm auto suppression; Hybrid ACL with L2, L3 and L4 field filtering; OSPF, RIP and BGP MD5 authentication; IP source guard/DAI; ND security; DPI; FIREWALL
5.3.9 Clock synchronization
Table 5-11 Clock synchronization
Features | Description
Clock | Synchronized Ethernet; IEEE 1588v2
5.3.10 Operating and Maintenance
Features | Description
Group Management | ZGMP, LLDP/ZTP/ZGMP
Traffic Monitoring | sFlow
OAM | Ethernet OAM
Operating and Maintenance | Command line configuration; hierarchical protection of command lines to prevent unauthorized users and grant different configuration rights to different levels of users; password aging and verification; terminal services through the Console; user access service management; remote management via SSH, TELNET, SNMP; FTP/TFTP; multi-mode alarm service (sound, light, etc.); unified NMS of ZXNM01; hierarchical commands through NMS; user access control; configuration saving and restore; log record, Syslog, RMON; NTP clocks; IPv6 network management; supporting standard MIB; traffic statistics; network testing tools (LSP Ping, LSP trace route, VPLS MAC Ping, etc.)
6.1
Figure 6-1
6.2
8900E features large bandwidth, high performance and large capacity, so it can provide a high-speed path for data center and cloud computing, ensuring non-blocking traffic.
As a green and energy-saving product, 8900E with 40nm chips is designed with controllable line cards and ports, which effectively reduces the power consumption of the devices in the data center.
Figure 6-2
6.3
Enterprise users should pay more attention to cost reduction and internal security enhancement. With rich security features, ZXR10 8900E supports DHCP server and DHCP snooping, which simplifies address management. It supports multiple authentication mechanisms such as RADIUS and TACACS+ to realize authorized management. Besides, IP source guard, DAI and anti-DoS attack security guard services are provided to reduce network attacks. By supporting SQA, the 8900E series switch can know the operating status of application servers and reduce network failures.
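IP source guard and DAI, named above, both work from a binding table: the DHCP snooping bindings record which MAC address and port are allowed to use each IP address in a VLAN, and traffic from untrusted ports that contradicts the table is dropped. The following is an added illustration of that general technique written for this page; it is not ZXR10 8900E code, and every binding, port name and address in it is constructed sample data.

```python
"""Added example (not ZXR10 8900E code): Dynamic ARP Inspection (DAI) and IP
source guard as checks against a binding table.  All bindings, port names and
addresses below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:
    """One DHCP-snooping style binding: the MAC and port allowed to use an IP in a VLAN."""
    vlan: int
    ip: str
    mac: str
    port: str


@dataclass(frozen=True)
class ArpPacket:
    port: str        # ingress port
    vlan: int
    eth_src: str     # Ethernet source MAC
    sender_mac: str  # ARP sender hardware address (should equal eth_src)
    sender_ip: str   # ARP sender protocol address
    op: str          # "request" or "reply"


@dataclass(frozen=True)
class IpPacket:
    port: str
    vlan: int
    eth_src: str
    src_ip: str


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so "00-11-22-33-44-55" equals "00:11:22:33:44:55"."""
    return mac.lower().replace("-", ":")


class BindingTable:
    def __init__(self, bindings: list[Binding], trusted_ports: set[str]) -> None:
        self._by_vlan_ip = {(b.vlan, b.ip): b for b in bindings}
        self.trusted_ports = trusted_ports

    def permits(self, port: str, vlan: int, mac: str, ip: str) -> tuple[bool, str]:
        """Shared check: trusted ports bypass inspection; otherwise the binding must match."""
        if port in self.trusted_ports:
            return True, "trusted port, not inspected"
        binding = self._by_vlan_ip.get((vlan, ip))
        if binding is None:
            return False, f"no binding for {ip} in VLAN {vlan}"
        if norm_mac(binding.mac) != norm_mac(mac):
            return False, f"{ip} is bound to {binding.mac}, not {mac}"
        if binding.port != port:
            return False, f"{ip} is bound to port {binding.port}, not {port}"
        return True, "matches binding"


BROADCAST = ip_address("255.255.255.255")


def inspect_arp(table: BindingTable, pkt: ArpPacket) -> tuple[bool, str]:
    """DAI: validate the ARP sender fields of a packet arriving on an untrusted port."""
    if pkt.port in table.trusted_ports:
        return True, "trusted port, not inspected"
    if norm_mac(pkt.eth_src) != norm_mac(pkt.sender_mac):
        return False, "Ethernet source MAC and ARP sender MAC differ"
    try:
        sender = ip_address(pkt.sender_ip)
    except ValueError:
        return False, "malformed ARP sender IP"
    if sender.is_multicast or sender == BROADCAST:
        return False, "multicast/broadcast sender IP is never valid"
    if sender.is_unspecified:
        # 0.0.0.0 as sender is legitimate only in an address-probe request (design choice here).
        return (pkt.op == "request"), "unspecified sender IP permitted only in requests"
    return table.permits(pkt.port, pkt.vlan, pkt.sender_mac, pkt.sender_ip)


def ip_source_guard(table: BindingTable, pkt: IpPacket) -> tuple[bool, str]:
    """IP source guard: the source IP/MAC of a data packet must match a binding for its port."""
    return table.permits(pkt.port, pkt.vlan, pkt.eth_src, pkt.src_ip)


# Constructed sample data (not product values): two access hosts and one trusted uplink.
TABLE = BindingTable(
    bindings=[
        Binding(vlan=100, ip="10.0.1.20", mac="00:11:22:33:44:55", port="access-1"),
        Binding(vlan=100, ip="10.0.1.21", mac="00:11:22:33:44:66", port="access-2"),
    ],
    trusted_ports={"uplink-24"},  # port towards the gateway and DHCP server
)
SAMPLE_ARP = {
    "host_reply": ArpPacket("access-1", 100, "00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.1.20", "reply"),
    # A host on access-2 answers for the gateway address 10.0.1.1: the poisoning attempt DAI is there to stop.
    "gateway_spoof": ArpPacket("access-2", 100, "00:11:22:33:44:66", "00:11:22:33:44:66", "10.0.1.1", "reply"),
    # The real gateway answers on the trusted uplink and is passed without inspection.
    "gateway_real": ArpPacket("uplink-24", 100, "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:01", "10.0.1.1", "reply"),
    "mac_mismatch": ArpPacket("access-1", 100, "00:11:22:33:44:55", "00:de:ad:be:ef:00", "10.0.1.20", "reply"),
    "probe": ArpPacket("access-1", 100, "00:11:22:33:44:55", "00:11:22:33:44:55", "0.0.0.0", "request"),
}
SAMPLE_IP = {
    "host_ok": IpPacket("access-1", 100, "00:11:22:33:44:55", "10.0.1.20"),
    "neighbour_ip": IpPacket("access-1", 100, "00:11:22:33:44:55", "10.0.1.21"),  # uses the other host's IP
}


def arp_verdicts() -> dict[str, bool]:
    return {name: inspect_arp(TABLE, p)[0] for name, p in SAMPLE_ARP.items()}


def ipsg_verdicts() -> dict[str, bool]:
    return {name: ip_source_guard(TABLE, p)[0] for name, p in SAMPLE_IP.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_ARP.items():
        ok, why = inspect_arp(TABLE, pkt)
        print(f"DAI  {name:14s} {'permit' if ok else 'drop':6s} {why}")
    for name, pkt in SAMPLE_IP.items():
        ok, why = ip_source_guard(TABLE, pkt)
        print(f"IPSG {name:14s} {'permit' if ok else 'drop':6s} {why}")
```

The point to take from the sample verdicts is that the checks are only as good as the trust boundary: the port towards the real gateway and DHCP server must be marked trusted, and every host-facing port must not be, otherwise a host port marked trusted bypasses both DAI and IP source guard entirely.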
It provides a complete IPv6 solution. Via dual-stack technology and multiple v4/v6 tunnel technologies, it realizes seamless migration from IPv4 to IPv6. It helps universities to carry out IPv6 research and facilitates IPv6 development.
Figure 6-3
6.4 Application in FTTx
Due to the continuing growth of services, users nowadays have higher requirements for access bandwidth and QoS. Traditional DSL access bandwidth is far behind the requirements of future service development. As the cost of optical access keeps going down, E-FTTx access is becoming the mainstream of future development. ZXR10 8900E supports the green and eco-friendly E-FTTx access mode, which in other words enables access over the existing cable fibers while satisfying 100M/1000M optical access scenarios.
- With rich interface cards, ZXR10 8900E provides a highly integrated, large-bandwidth access mode, which effectively meets the FTTx requirements for high density and high extensibility.
- Via rich QoS features, ZXR10 8900E realizes differentiated multiservice control according to different service requirements. It provides a perfect user experience for low-latency and low-jitter services.
- ZXR10 8900E supports SVLAN and MFF technologies to isolate services and users, which makes the network much safer.
Figure 6-4 FTTx Application
6.5 Application in IP RAN
IP backhaul focuses on the interconnection between the base station and the wireless service control point (gateway) to realize mobile IP voice and data services. In a traditional 2G network, the BTS uses TDM E1/T1 to access the BSC (Base Station Controller). With the development of wireless networks, IP Node B gradually becomes popular in 3G networks, as it provides an Ethernet interface to carry upstream traffic via the switch. The wireless traffic is accessed and aggregated to the RNC. An IP backhaul network requires clock synchronization, high scalability and high reliability. ZXR10 8900E can be deployed on the aggregation node of IP backhaul to serve the entire network.
- IP backhaul requires end-to-end clock synchronization. 8900E provides a SyncE+1588v2 solution which distributes a high-precision clock signal such as BITS to all base stations.
- The BS access ring and aggregation ring have ring protection requirements. 8900E realizes 50ms switchover via the ZESR+ (EAPS) Ethernet ring.
- By supporting superVLAN and QinQ technologies, 8900E reduces the load of the gateway when multiple base stations are connected, which consumes fewer IP addresses, realizes unified base station management and makes the network more scalable.
Figure 6-5 Application in IP RAN
7.1
7.1.1
7.1.1.1 Inband Management
For inband management, network management information and service data are transferred over the same channel without requiring an extra DCN network. The NetNumen U31 NM system only needs to connect with nearby network devices and configure SNMP parameters.
The advantage of inband management: flexible networking and no extra investment. However, network management information takes up too much bandwidth, which may seriously influence service quality.
7.1.1.2 Outband Management
For outband management, the network management information, which is independent from service data, is transferred over the network management network. An extra DCN network is required. The NetNumen U31 network management system connects with the outband management interface of ZXR10 8900E, so that network management information and service information are transferred independently.
The advantage of outband management: a breakdown of the service channel does not affect device management carried out by the network management station, so network management information can be transferred more reliably. But an independent network management network is seriously restricted by areas and locations, and extra investment is needed.
7.1.2
In network management maintenance, the management staff want to know the network running status to ensure stable operation. The failure management service of NetNumen U31 is responsible for receiving real-time device alarms and network events of all NEs in the entire network. With these audible and visible services, maintenance staff can take proper action after confirmation, e.g. file alarm reports for future alarm statistics and queries. Failure management is a very important and commonly used method in user network operation and maintenance, via which users learn the ZXR10 8900E running and failure status and implement real-time monitoring, fault filtering, fault location, fault confirmation, fault deletion and fault analysis. The NetNumen U31 system also provides voice tips, a graphic alarm board and real-time access to the alarm box system, Email and SMS to give users timely notification. This facilitates users' daily maintenance.
Network traffic direction and traffic load are two key issues in network management. The performance management unit of NetNumen U31 is responsible for data network and device performance monitoring and analysis. Corresponding reports are generated when all sorts of performance data obtained from NEs are processed, so that the maintenance and management departments can use them in future network construction, planning, adjustment and quality improvement. Through performance management, users can compile statistics on device load, traffic direction and interface load, etc. In this way, they obtain real-time network service quality and can make timely evaluations of network resource configuration.
View management provides unified network topology and multi-view management, which enables the user to know the entire network topology and device running status. At the same time, it offers network and device operation and maintenance interfaces. The user can learn the network device running status and alarm situation via view management. It also guides the user to other management systems.
Security management ensures legal use of the system. It realizes user, user group and role management. By arranging a rational relationship between user, user group and role, it provides a security mechanism for administrators' safe management. Certification based upon login prevents illegal users from accessing the system. Authorized operation ensures secure operations.
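The security management paragraph above, together with the hierarchical protection of command lines and password aging listed in the operating and maintenance features, describes one control chain: a login check with an aging password, users placed in groups, groups holding roles, roles carrying a privilege level, and each command admitted only to users whose level reaches its own. The block below is an added example of that chain written for this page; it is not NetNumen U31 or ZXR10 code, and all user names, roles, levels, commands and passwords in it are constructed.

```python
"""Added example (not NetNumen U31 or ZXR10 code): users, user groups and roles
with hierarchical command levels, login authentication and password aging.
All names, levels, commands and passwords are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000   # kept modest so the sample runs quickly
DAY = 86_400.0
DEMO_NOW = 1_700_000_000.0  # constructed "current time" (epoch seconds)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    set_at: float   # epoch seconds when the password was set
    max_age: float  # seconds until it must be changed (password aging)


def make_credential(password: str, now: float, max_age_days: int) -> Credential:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Credential(salt, digest, now, max_age_days * DAY)


@dataclass
class User:
    name: str
    credential: Credential
    groups: set[str] = field(default_factory=set)
    enabled: bool = True


class AccessControl:
    """Users belong to groups, groups carry roles, roles carry a privilege level.
    Every command has a minimum level; a command not registered is denied (default deny)."""

    def __init__(self) -> None:
        self.role_level: dict[str, int] = {}
        self.group_roles: dict[str, set[str]] = {}
        self.users: dict[str, User] = {}
        self.command_level: dict[str, int] = {}

    def login(self, name: str, password: str, now: float) -> tuple[bool, str]:
        """Certification based upon login: verify the password, then its age."""
        user = self.users.get(name)
        if user is None or not user.enabled:
            return False, "unknown or disabled user"
        cred = user.credential
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, cred.digest):
            return False, "wrong password"
        if now - cred.set_at > cred.max_age:
            return False, "password expired, change required"
        return True, "authenticated"

    def effective_level(self, name: str) -> int:
        """Highest privilege level reachable through the user's groups and their roles."""
        user = self.users.get(name)
        if user is None or not user.enabled:
            return -1
        levels = [self.role_level[r] for g in user.groups for r in self.group_roles.get(g, ())]
        return max(levels, default=-1)

    def authorize(self, name: str, command: str) -> tuple[bool, str]:
        """Authorized operation: the user's level must reach the command's level."""
        needed = self.command_level.get(command)
        if needed is None:
            return False, f"command {command!r} not registered (default deny)"
        have = self.effective_level(name)
        if have < 0:
            return False, "unknown or disabled user"
        if have < needed:
            return False, f"level {have} is below required level {needed}"
        return True, f"level {have} satisfies required level {needed}"


def build_demo(now: float) -> AccessControl:
    """Constructed sample configuration: two roles, two groups, three users."""
    ac = AccessControl()
    ac.role_level = {"monitor": 1, "admin": 15}
    ac.group_roles = {"noc": {"monitor"}, "admins": {"monitor", "admin"}}
    ac.command_level = {"show running-config": 1, "configure": 15, "reload": 15}
    ac.users = {
        "viewer": User("viewer", make_credential("viewer-pass", now, 90), {"noc"}),
        "netadmin": User("netadmin", make_credential("admin-pass", now, 90), {"admins"}),
        # Password set 120 days ago with a 90-day maximum age: aged out, login must fail.
        "stale": User("stale", make_credential("old-pass", now - 120 * DAY, 90), {"admins"}),
    }
    return ac


DEMO = build_demo(DEMO_NOW)

if __name__ == "__main__":
    for user, pw in [("viewer", "viewer-pass"), ("stale", "old-pass"), ("viewer", "guess")]:
        print(f"login {user:9s} -> {DEMO.login(user, pw, DEMO_NOW)}")
    for user, cmd in [("viewer", "show running-config"), ("viewer", "configure"),
                      ("net\u0061dmin", "configure"), ("netadmin", "debug all")]:
        print(f"{user:9s} {cmd:20s} -> {DEMO.authorize(user, cmd)}")
```

Two design choices matter more than the data model: a command that nobody registered is denied rather than allowed, and the effective level is computed from group membership at the time of the check, so removing a user from a group takes effect immediately without touching any per-user privilege field.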
Due to the booming telecom services, one operator sometimes has to manage multiple NE-based or network-based professional network management systems. Isolated information in different professional NMSs, complicated contents and diverse operating interfaces generate more and more restrictions. In order to make entire network management more efficient, one network management station can be used to control all interconnected networks, so that end-to-end integrated management can be implemented.
Interfaces are used between the integrated NM and the professional networks. The network should provide a standard open northbound interface for the integrated network management system, so that they can integrate together rapidly and reliably. NetNumen U31 supports multiple northbound interfaces, e.g. CORBA, SNMP, TL1, XML and FTP.
7.2
7.2.1
Configure an IP address under the VLAN interface and set the user name and password. Configure the switch according to the IP address of the telnet VLAN interface. When remote users want to access the device and communicate with it, they have to use this connection configuration method.
7.2.2
7.2.2.1
7.2.2.2
Equipment Monitoring
- There are indicators on the power supply unit, fan, MPU and all sorts of interface cards to show the operating status of the components.
- When the fan, power supply unit or temperature is abnormal, a sound alarm and a software alarm are generated.
- Check the cross-division feature of the version when the system is running.
- The system monitors the running status of the software. If a serious abnormality happens, the line card is restarted and the MPU is switched over.
- Query basic information of the MPU, interface cards and optical modules via the CLI command line.
- Support one-touch device information collection. The command result can either be displayed on the device or written to a file. Hardware environment, software information, version information, data configuration, real-time device running status and protocol information can be displayed. This information can be exported totally or partially.
ZXR10 8900E provides multiple diagnosis and debugging methods, which give the user more ways to adjust the device and more debugging information.
7.2.3
- Debug: each software module has rich debug commands. Each debug command supports multiple debugging parameters, so it can be controlled flexibly. Debugging commands can be used to export specific device operating processes, message processing and tolerance inspection, etc.
- OAM service: check network status via multiple OAM messages. Device, link and network faults can be monitored. It helps the user to locate the failure rapidly.
- SQA: the SQA service can send all sorts of probe messages to check whether multiple applications and services are online.
Software Upgrade
ZXR10 8900E enables software upgrade in normal and abnormal circumstances.
7.2.4
- Version upgrade when the system is faulty: by changing the boot initiation mode, the version upgrade can be carried out when the device cannot boot, by downloading the new version via the management Ethernet port.
- Version upgrade when the system is normal: local or remote FTP online upgrade is provided when the device is working correctly.
In ZXR10 8900E, the software and configuration files are saved in FLASH. Upgrade and configuration storage of the software version require FLASH operations. FLASH includes three default categories, i.e. IMG, CFG and DATA.
- IMG: this category is used to save the software version file. The software version file, ending with .zar, is a special compressed file. Version upgrade refers to the upgrade of the software version file in this category.
- CFG: the configuration file is saved in this category. The configuration file is named startrun.dat.
- DATA: this category is used to save equipment abnormality information. The file format is time.zte.
- File backup and recovery: FTP/TFTP is used to back up the software version file, configuration file and log file of ZXR10 8900E to the background server, or the backup file can be recovered from the background server.
- File export and import: files can be exported and imported. Copy files to the background host via FTP/TFTP. Archiving of the alarm file and modification of the configuration file can be done by importing or exporting services.
Glossary
Table 8-1 Abbreviations
Abbreviations | Full Characteristics
ACL |
APS |
ASIC |
ATM |
BFD | Bidirectional Forwarding Detection
BGP |
BPDU | Bridge PDU
CAN | Controller-area Network
CAPEX | Capital Expenditures
CDN |
CDR |
CE | Carrier Ethernet
CV | Connectivity Verification
DoS | Denial of Service
DPI |
DVMRP |
EAPS | Ethernet Automatic Protection Switching
ECMP |
ESRP |
FFD |
FRR | Fast Reroute
GPS |
GR | Graceful restart
H-VPLS |
ICMP |
IGMP | Internet Group Management Protocol
ISIS |
LACP |
LSP |
MPLS |
MSTP |
MTU |
NE | Network Element
NGN |
OAM |
OPEX | Operation Expense
OSPF |
PIM |
PIM-DM |
PIM-SM |
PIM-SSM |
PSN |
PUPSPV |
PVLAN | Private VLAN
PW | Pseudowire
PWE3 |
RED |
RIP |
RNC |
RP | Rendezvous Point
RSTP |
SDH |
SLA |
SMS |
SNMP |
SSM |
STP |
SyncE | Synchronous Ethernet
SVLAN | Select VLAN
TCO |
TCP |
TDM |
TL1 | Transaction Language 1
TM | Traffic Manager
UDP |
URPF |
VOIP | Voice over IP
VPLS |
VPN |
VPWS |
VRF |
VRRP |
WRED |
WFQ |
ZESR |
ZESS |
ZXROS |