Page 1: NE40E V300R003  Product Description.pdf

Product Description

Quidway NetEngine40E Core Router V300R003

Issue 04

Date 2008-08-6

HUAWEI TECHNOLOGIES CO., LTD.

Issue 04 (2008-08-6) Commercial in Confidence Page 2 of 164

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. Please feel free to contact our local office or company headquarters.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Copyright © Huawei Technologies Co., Ltd. 2008. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

About This Document

Author

Prepared by: Du fang, 2007-07-24
Reviewed by: Tian xiao dong, Geng aiju, Lu guang, Wang xiaotang, Li xue, 2007-08-10
Approved by: Wen zhixiang, 2007-09-10

Summary This document describes the product features, hardware architecture, link features, software features, operation and maintenance, network management, networking applications, and technical specifications of the Quidway NetEngine40E core router.

This document includes:

Chapter | Details
1 Product Features | This chapter introduces the product positioning and features of the NE40E.
2 System Architecture | This chapter describes the physical, logical, and software architecture of the NE40E.
3 Hardware Architecture | This chapter describes the chassis, fans, power modules, and board types of the NE40E.
4 Link Features | This chapter describes the link features of the NE40E.
5 Primary Service Features | This chapter describes the service features of the NE40E.
6 Maintenance and Network Management System | This chapter describes operation and maintenance, and network management of the NE40E.
7 Networking Applications | This chapter describes the networking applications of the NE40E.
8 Technical Specifications | This chapter describes the technical specifications of the NE40E.

History

Issue | Details | Date | Author | Approved by
01 | Creation | 2007-09-10 | Du fang | Wen zhixiang
02 | This is the second release. 1. The descriptions of the TSU and the NetStream SPUC are deleted; the description of the SPUC is added. 2. The table that lists the reliability specifications is deleted. 3. The descriptions of VLAN switch and EcRTP over MPLS are deleted. 4. The descriptions of lawful interception, local attack defense, in-service upgrading, and customized alarm damping are updated. 5. The descriptions of the LLDP, enhanced ARP attack defense, mVRRP, and mVSI features are added. | 2008-1-10 | Xie juan | Wen zhixiang
03 | This is the third release. 1. The GTL feature is added. | 2008-4-30 | Xie juan | huzhenyu
04 | This is the fourth release. 1. The document is refined. 2. New features added in NE80E/40E V300R003C03 are described. | 2008-8-6 | lixiaowen | huzhengyu

Contents

1 Product Features ... 13
  1.1 Positioning ... 13
  1.2 Abundant Services ... 13
  1.3 Types of Interfaces ... 13
  1.4 Powerful Forwarding Capacity ... 15
  1.5 Perfect QoS Mechanism ... 15
  1.6 Excellent Security Design ... 15
  1.7 Good IPv4 and IPv6 Compatibility ... 16
  1.8 Compatibility and Expansion Capacity ... 16
  1.9 Carrier-class Reliability and Manageability ... 17
2 System Architecture ... 19
  2.1 Physical System Architecture ... 19
  2.2 Logical System Architecture ... 20
  2.3 Software Architecture ... 21
  2.4 VRPv5 Architecture ... 22
3 Hardware Architecture ... 24
  3.1 Chassis ... 24
  3.2 Fans ... 26
    3.2.1 Fan Module ... 26
    3.2.2 Ventilation and Heat Dissipation System ... 27
  3.3 Power Modules ... 27
    3.3.1 DC-Input Power Supply ... 28
    3.3.2 AC-Input Power Supply ... 28
  3.4 Board Cage ... 29
    3.4.1 Board Cage ... 29
    3.4.2 Board Distribution in the Board Cage ... 30
  3.5 Boards ... 31
    3.5.1 SRU ... 31
    3.5.2 SFU ... 32
    3.5.3 LPU ... 32
    3.5.4 Service Boards SPUC ... 39
4 Link Features ... 41
  4.1 Ethernet Link Features ... 41
    4.1.1 Basic Features ... 41
    4.1.2 Ethernet Bundling ... 41
    4.1.3 Virtual Ethernet Interfaces ... 42
  4.2 FR Link Features ... 43
  4.3 POS Link Features ... 43
    4.3.1 SDH/SONET ... 43
    4.3.2 POS Interface ... 43
    4.3.3 POS Sub-interface ... 44
    4.3.4 IP Trunk ... 44
  4.4 CPOS Link Features ... 45
    4.4.1 Channelization ... 45
    4.4.2 PPP/HDLC ... 45
  4.5 ATM Link Features ... 45
    4.5.1 SDH/SONET ... 45
    4.5.2 PVP/PVC ... 46
    4.5.3 IPoA ... 46
    4.5.4 ATM Sub-interface ... 46
    4.5.5 ATM OAM ... 46
    4.5.6 1483B ... 46
    4.5.7 ATM Cell Relay ... 47
  4.6 RPR Link Features ... 49
    4.6.1 RPR Fairness Algorithm ... 49
    4.6.2 Protection Mechanism ... 50
  4.7 CE1/CT1/E3/T3 Link Features ... 52
    4.7.1 PPP/HDLC/FR ... 52
    4.7.2 Channelized Links ... 52
    4.7.3 Link Binding ... 52
5 Primary Service Features ... 53
  5.1 Ethernet Features ... 53
    5.1.1 Switched Ethernet Link Features ... 53
    5.1.2 Routed Ethernet Link Features ... 54
    5.1.3 Ethernet Clock Synchronization ... 54
    5.1.4 PBB-TE ... 55
    5.1.5 QinQ ... 57
    5.1.6 RRPP Link Features ... 62
    5.1.7 RSTP/MSTP ... 64
    5.1.8 BPDU Tunnel ... 64
  5.2 IP Features ... 65
    5.2.1 IPv4/IPv6 Dual-Protocol Stacks ... 65
    5.2.2 IPv4 Features ... 65
    5.2.3 IPv6 Features ... 66
    5.2.4 GRE ... 66
    5.2.5 IPv4-IPv6 Transition Technologies ... 69
  5.3 Routing Protocols ... 71
    5.3.1 Unicast Routing ... 71
    5.3.2 Multicast Routing ... 71
  5.4 MPLS Features ... 76
    5.4.1 Basic Functions ... 76
    5.4.2 MPLS TE ... 77
    5.4.3 MPLS OAM ... 80
  5.5 VPN Features ... 81
    5.5.1 Tunnel Policy ... 81
    5.5.2 VPN Tunnel ... 82
    5.5.3 MPLS L2VPN ... 82
    5.5.4 MPLS/BGP L3VPN ... 91
    5.5.5 L2VPN Access to the L3VPN ... 97
    5.5.6 VPN QoS ... 99
  5.6 IPTN Features ... 101
  5.7 QoS Features ... 102
    5.7.1 DiffServ Model ... 103
    5.7.2 Traffic Classification ... 104
    5.7.3 Traffic Policing ... 104
    5.7.4 Queue Scheduling ... 106
    5.7.5 Congestion Management ... 107
    5.7.6 Traffic Shaping ... 107
    5.7.7 HQoS ... 107
    5.7.8 QPPB ... 108
    5.7.9 Ethernet QoS ... 109
    5.7.10 ATM QoS ... 110
    5.7.11 FR QoS ... 111
  5.8 Traffic Statistics ... 113
    5.8.1 URPF Traffic Statistics ... 113
    5.8.2 ACL Traffic Statistics ... 114
    5.8.3 CAR Traffic Statistics ... 114
    5.8.4 HQoS Traffic Statistics ... 116
    5.8.5 Interface-based Traffic Statistics ... 116
    5.8.6 VPN Traffic Statistics ... 116
    5.8.7 TE Tunnel Traffic Statistics ... 116
  5.9 IP Compression ... 116
  5.10 Network Security ... 117
    5.10.1 AAA ... 118
    5.10.2 Protocol Security Authentication ... 118
    5.10.3 RPF/URPF ... 119
    5.10.4 MAC Limit ... 119
    5.10.5 Unknown Traffic Limit ... 120
    5.10.6 DHCP Snooping ... 120
    5.10.7 Local Anti-attack ... 121
    5.10.8 GTSM ... 122
    5.10.9 ARP Attack Defense ... 123
    5.10.10 Mirroring ... 124
    5.10.11 NetStream ... 125
    5.10.12 Lawful Interception ... 127
  5.11 Network Reliability ... 128
    5.11.1 Backup of Key Modules ... 129
    5.11.2 High Reliability of the LPU ... 129
    5.11.3 Alarm Customized Damping ... 130
    5.11.4 Ethernet OAM ... 130
    5.11.5 VRRP ... 132
    5.11.6 GR ... 134
    5.11.7 BFD ... 135
    5.11.8 FRR ... 136
6 Maintenance and Network Management System ... 141
  6.1 Maintenance Functions and Features ... 141
    6.1.1 System Configuration Mode ... 141
    6.1.2 System Management and Maintenance ... 141
    6.1.3 System Service and Status Tracking ... 142
    6.1.4 System Test and Diagnosis ... 142
    6.1.5 Online Debugging ... 143
    6.1.6 Upgrade Features ... 143
    6.1.7 GTL ... 143
    6.1.8 Miscellaneous Features ... 144
  6.2 Network Management System ... 144
    6.2.1 NMS ... 144
    6.2.2 LLDP ... 144
7 Networking Applications ... 147
  7.1 Application on the National Backbone Network ... 147
  7.2 Application on the IP Bearer Network ... 148
  7.3 Application on the IPTV Bearer Network ... 150
  7.4 Application on the Multi-Service IP MAN ... 152
  7.5 Application on the IPv6 Backbone Network ... 153
8 Technical Specifications ... 155
  8.1 Physical Specifications ... 155
  8.2 System Configuration ... 156
  8.3 Specifications of System Features and Service Performances ... 157
    8.3.1 Specifications of System Features ... 157
    8.3.2 Specifications of Service Performances ... 163

1 Product Features

1.1 Positioning

The Huawei Quidway NetEngine40E core router (hereinafter referred to as the NE40E) is a high-end router with 10-Gbit/s interfaces designed for core and backbone networks. The NE40E is positioned as the core, edge, or convergence router on the Metropolitan Area Network (MAN).

Based on the powerful Versatile Routing Platform (VRP), the NE40E features the following:

• Abundant services
• Large capacity
• High performance
• High reliability

1.2 Abundant Services

Based on VRPv5, the NE40E provides the following abundant service features:

• IPv4/IPv6 unicast and multicast routing protocols, MPLS, and MPLS TE
• Complete VPN services, such as L2 VPN, VPLS, VLL, L3 VPN, multicast VPN services, HoVPN services, and multi-role host services
• Abundant Layer 2 service features, such as Layer 2 VLAN, selective QinQ, QinQ termination, PBB-TE, RRPP, and STP/RSTP/MSTP

IPv4 = Internet Protocol version 4; IPv6 = Internet Protocol version 6; MPLS = MultiProtocol Label Switching; TE = Traffic Engineering; VPN = Virtual Private Network; VPLS = Virtual Private LAN Service; VLL = Virtual Leased Line; HoVPN = Hierarchy of VPN; VLAN = virtual LAN; LAN = Local Area Network; QinQ = 802.1Q in 802.1Q; RRPP = Rapid Ring Protection Protocol; STP = Spanning Tree Protocol; RSTP = Rapid Spanning Tree Protocol; MSTP = Multiple Spanning Tree Protocol

1.3 Types of Interfaces

The NE40E provides the following types of interfaces:

• LAN and MAN interfaces
  − 10M/100M/1000M/10G Ethernet interfaces
  − 10G/2.5G/GE RPR interfaces
• WAN interfaces
  − POS: 155M/622M/2.5G/10G POS interfaces
  − CPOS: 155M CPOS interfaces
  − ATM: 155M/622M ATM interfaces
  − TDM: CE1/CT1/E1/T1/E3/T3 TDM interfaces

RPR = Resilient Packet Ring; WAN = Wide Area Network; POS = Packet over SONET/SDH; CPOS = channelized POS; ATM = Asynchronous Transfer Mode; TDM = Time Division Multiplexing

Table 1-1 Common interfaces that the NE40E supports

Interface Type | Quantity per Board | Quantity in the System (NE40E-8) | Quantity in the System (NE40E-4)
10G POS | 2 | 16 | 8
2.5G POS | 16 | 208 | 34
622M POS | 32 | 256 | 128
155M POS | 32 | 256 | 128
10GE | 4 | 32 | 16
GE | 40 | 320 | 160
10G RPR | 1 | 8 | 4
2.5G RPR | 4 | 32 | 16
GE RPR | 4 | 32 | 16
622M ATM | 8 | 64 | 32
155M ATM | 16 | 128 | 64

1.4 Powerful Forwarding Capacity

Designed around a hardware-based forwarding engine, the NE40E carries out the following:

• Full-duplex line-rate forwarding, including IPv4/IPv6/MPLS/Layer 2 forwarding on all interfaces
• ACL-based line-rate forwarding
• Line-rate multicasting. The hardware completes two-level packet replication:
  − The SFU replicates the multicast packets to the LPU.
  − The forwarding engine of the LPU replicates the multicast packets to its interfaces.

The LPU provides 200 ms of packet buffering, so no packets are lost in the case of burst traffic.

1.5 Perfect QoS Mechanism

The NE40E provides the following QoS scheduling and buffer mechanisms:

• PQ and WRR/WFQ: they guarantee fair dispatching and ensure that high-precedence services are served first.
• Three-stage switching network based on CIOQ: it avoids head-of-line blocking.
• Flow-based dispatching: it facilitates MPLS TE and supports DiffServ and IntServ.
• Eight precedence dispatching queues: they prevent high-precedence traffic from being interfered with.
• Hardware-based QoS functions: they ensure packet forwarding at line rate when QoS is enabled.
• HQoS with five-level scheduling

PQ = Priority Queuing; WRR = Weighted Round Robin; WFQ = Weighted Fair Queuing; CIOQ = Combined Input and Output Queuing; DiffServ = Differentiated Services; IntServ = Integrated Services; QoS = Quality of Service; HQoS = Hierarchical QoS

The perfect QoS mechanism meets the demands of the IP Telephony Network (IPTN). It guarantees the delay, jitter, bandwidth, and packet drop ratio of different services. It also enables the launch of carrier-class services such as Voice over IP (VoIP) and meets the requirements of the development of multi-service IP bearer networks.
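The following Python simulation is an added illustration of how PQ and WRR combine over eight precedence queues as described above; it is not Huawei code and not from this document. The queue count comes from the page; which queues are strict-priority (assumed: 7 and 6) and the WRR weights are assumptions. It also shows the flip side of strict priority: a saturated high-precedence queue leaves the lower queues unserved until it drains.

```python
from collections import Counter, deque

# Eight precedence queues are from the product description; the PQ/WRR split
# and the weights below are assumptions made for this example.
NUM_QUEUES = 8
PQ_QUEUES = (7, 6)                                   # assumed: strict priority
WRR_WEIGHTS = {5: 5, 4: 4, 3: 3, 2: 2, 1: 1, 0: 1}   # assumed per-queue weights


def build_queues(packets):
    """packets: iterable of (precedence, packet_id); returns one FIFO per queue."""
    queues = {q: deque() for q in range(NUM_QUEUES)}
    for prec, pid in packets:
        if not 0 <= prec < NUM_QUEUES:
            raise ValueError(f"precedence {prec} outside 0..{NUM_QUEUES - 1}")
        queues[prec].append(pid)
    return queues


def schedule(queues, slots):
    """Return the (precedence, packet_id) pairs dequeued over `slots` transmit
    opportunities.

    Each slot first goes to the highest non-empty PQ queue; only when both PQ
    queues are empty is the slot given to the WRR queues. WRR hands out one
    packet per visit, cycling through the queues until every queue has used its
    credit for the round; an empty queue forfeits its remaining credit so the
    scheduler stays work-conserving.
    """
    sent = []
    wrr_order = sorted(WRR_WEIGHTS, reverse=True)
    credit = dict.fromkeys(wrr_order, 0)
    visit = 0
    while len(sent) < slots:
        pq = next((q for q in PQ_QUEUES if queues[q]), None)
        if pq is not None:
            sent.append((pq, queues[pq].popleft()))
            continue
        if not any(queues[q] for q in wrr_order):
            break                                    # nothing left to send
        if all(c == 0 for c in credit.values()):
            credit = dict(WRR_WEIGHTS)               # start a new WRR round
            visit = 0
        q = wrr_order[visit % len(wrr_order)]
        visit += 1
        if not queues[q]:
            credit[q] = 0                            # idle queue forfeits credit
        elif credit[q] > 0:
            sent.append((q, queues[q].popleft()))
            credit[q] -= 1
    return sent


def share_by_queue(sent):
    """Number of packets each queue received in a schedule."""
    return dict(Counter(prec for prec, _ in sent))


if __name__ == "__main__":
    # Constructed traffic: two PQ packets, one in queue 6, and WRR traffic.
    demo = build_queues([(7, "a"), (7, "b"), (0, "c"), (5, "d"), (5, "e"), (6, "f")])
    print(schedule(demo, 10))
    # All six WRR queues backlogged: one 16-slot round reflects the weights.
    bulk = build_queues([(q, f"p{q}-{i}") for q in range(6) for i in range(100)])
    print(share_by_queue(schedule(bulk, 16)))
```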

1.6 Excellent Security Design

The NE40E takes multiple security measures to protect the data of Internet Service Provider (ISP) networks and end users. These measures prevent denial-of-service attacks, illegal access, and overload of the control plane. The NE40E adopts a distributed structure and keeps the data plane separate from the control plane. Its security performance leads the industry.

The NE40E provides the following security features:

• Three user authentication modes: local authentication, RADIUS authentication, and HWTACACS authentication, which can be used to authenticate and authorize users
• Hardware-based packet filtering and sampling without affecting forwarding capacity, which guarantees high performance and expandability
• Multiple authentication methods, including plain-text authentication and MD5, for upper-layer routing protocols such as OSPF, IS-IS, RIP, and BGP-4
• ACL on the forwarding plane and the control plane
• Local anti-attack
• Lawful interception/URPF
• DHCP snooping and MAC address limit
• GTSM

RADIUS = Remote Authentication Dial In User Service; MD5 = Message Digest 5; OSPF = Open Shortest Path First; IS-IS = Intermediate System-to-Intermediate System; RIP = Routing Information Protocol; BGP = Border Gateway Protocol; ACL = Access Control List; URPF = Unicast Reverse Path Forwarding; DHCP = Dynamic Host Configuration Protocol; GTSM = Generalized TTL Security Mechanism
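As an added example (not Huawei code), the following models how two of the features listed above, a control-plane ACL and GTSM, keep unwanted packets away from the control plane; the peer prefixes, ports and sample packets are constructed for illustration.

```python
"""Defender-side model of two control-plane protections the NE40E feature list
names: a control-plane ACL and GTSM (Generalized TTL Security Mechanism).
Added example, not Huawei code; the peer prefixes, ports and packets are
constructed for illustration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the router's control plane
    ttl: int      # IPv4 TTL as received


# Constructed control-plane ACL, evaluated top down, first match wins.
# Only BGP from the configured eBGP peer link and SNMP from the NMS host
# may reach the control plane; everything else hits the final deny.
CONTROL_PLANE_ACL = [
    ("permit", ipaddress.ip_network("192.0.2.0/30"), "tcp", 179),      # eBGP peer link
    ("permit", ipaddress.ip_network("198.51.100.10/32"), "udp", 161),  # NMS station
    ("deny", ipaddress.ip_network("0.0.0.0/0"), None, None),           # final deny
]

# GTSM: a BGP peer one hop away sends with TTL 255 and no router in between
# decrements it, so a BGP packet arriving with a lower TTL did not come from
# the directly connected peer and is dropped before the BGP process sees it.
GTSM_PROTECTED_PEERS = {ipaddress.ip_network("192.0.2.0/30")}
GTSM_EXPECTED_TTL = 255   # hop count 1


def acl_action(pkt):
    """Return 'permit' or 'deny' from the first matching ACL entry."""
    src = ipaddress.ip_address(pkt.src)
    for action, net, proto, port in CONTROL_PLANE_ACL:
        if src in net and proto in (None, pkt.proto) and port in (None, pkt.dport):
            return action
    return "deny"   # not reachable with the final deny entry; kept for safety


def gtsm_passes(pkt):
    """GTSM applies only to BGP packets from the protected peer prefixes."""
    src = ipaddress.ip_address(pkt.src)
    protected = any(src in net for net in GTSM_PROTECTED_PEERS)
    if protected and pkt.proto == "tcp" and pkt.dport == 179:
        return pkt.ttl >= GTSM_EXPECTED_TTL
    return True


def admit(pkt):
    """Decide whether a packet reaches the control plane; returns (verdict, reason)."""
    if acl_action(pkt) != "permit":
        return ("drop", "acl")
    if not gtsm_passes(pkt):
        return ("drop", "gtsm")
    return ("accept", "ok")


def run_samples():
    """Constructed packets: a real peer, a BGP packet carrying the peer's address
    but a decremented TTL, a legitimate SNMP poll, and an SSH attempt from an
    address the ACL does not list."""
    samples = [
        Packet("192.0.2.2", "tcp", 179, 255),     # eBGP neighbour, TTL intact
        Packet("192.0.2.2", "tcp", 179, 250),     # peer address, but TTL shows 5 hops
        Packet("198.51.100.10", "udp", 161, 60),  # NMS poll, not subject to GTSM
        Packet("203.0.113.7", "tcp", 22, 64),     # not in the ACL at all
    ]
    return [admit(p) for p in samples]
```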

1.7 Good IPv4 and IPv6 Compatibility

The NE40E fully supports the IPv4 and IPv6 dual protocol stacks. It provides all IPv6 features and offers a good solution for the smooth transition from IPv4 networks to IPv6 networks.

• The NE40E provides various IPv6 over IPv4 tunnels and IPv4 over IPv6 tunnels.
• The large-capacity routing table and forwarding table enable the NE40E to serve as the VPN Provider Edge (PE) and support future expansion of services.
• The NE40E supports distributed forwarding of both IPv4/IPv6 and MPLS packets, and has large-capacity routing tables and powerful routing capabilities.
• The NE40E supports IPv4/IPv6 dynamic unicast and multicast routing protocols.

1.8 Compatibility and Expansion Capacity

The NE40E provides powerful compatibility and expansion capacity as follows:

• The backplane of the NE40E has a large capacity, which reserves enough bandwidth for future capacity expansion.
• The NE40E forwards services through the NP, which is programmable. Therefore, new services can be added by installing software.
• Designed with the TM separated from the PFE, the NE40E supports two types of PFE, namely ASIC and NP, to realize various applications.


1.9 Carrier-class Reliability and Manageability

On the basis of the carrier-class design, the chassis of the NE40E supports hot swap. It can be installed in an N68-22 or standard 19-inch cabinet.

The NE40E provides a powerful monitoring system. Through the main control module, the NE40E manages and maintains the whole system: the main control module manages, monitors, and maintains the boards, fans, and power modules.

The system complies with Electromagnetic Compatibility (EMC) requirements. The modular design of the system realizes EMC between boards.

The NE40E fully meets the high reliability requirements of carrier-class and high-end routers.

The NE40E provides the following features to ensure high reliability:

Table 1-2 Reliability features (Item: Description)

Protections against abnormalities:
• Hot swappable boards, power modules, and fans
• 1:1 backup of the SRUs
• 3+1 load balancing and backup of the Switch Fabric Units (SFUs)
• 1+1 backup of the power modules
• Backup of clocks and management buses
• Restarts automatically when abnormalities occur and recovers
• Resets a board when abnormalities occur on the board and recovers
• Automatically restores the interface configuration
• Provides protections against over-current and over-voltage for power and interface modules
• Provides protection against mis-insertion

System protection mechanism:
• Power alarm monitoring: provides alarm prompt, alarm indication, running status query and alarm status query
• Voltage and environment temperature monitoring: provides alarm prompt, alarm indication, running status query and alarm status query

Reliability design:
• Applies hardware-based forwarding
• Separates the control channel from the service channel to provide a non-blocking control channel
• Provides system and board fault detection, indicators, and NMS alarm function
• The backplane provides 8BCP check
• Supports Error Checking and Correction (ECC) RAM

Reliable upgrade:
• Supports in-service patching
• Supports version backoff
• Supports in-service upgrade of the BootROM

Data backup:
• Supports data hot backup between active and standby units

Synchronization configuration:
• Supports the synchronization between LPUs and Main_Control_Boards

Fault tolerance design:
• Automatically selects and boots correct applications
• Supports the automatic upgrade and restoration of the BootROM program
• Backs up configuration files to the remote FTP server
• Automatically selects and runs correct configuration files
• Provides abnormality monitoring for system software, such as automatic restoration and log records

Operation security:
• Provides password protection for system operations
• Provides hierarchical commands through the configuration of subscriber levels and command levels
• Supports locking the configuration terminal by command to prevent invalid usage
• Provides protection and prompts for improper operations, such as confirmation prompts for commands that may degrade system performance

Operation and maintenance center:
• Applies the generic integrated Network Management System (NMS) platform developed by Huawei


2 System Architecture

2.1 Physical System Architecture

Figure 2-1 shows the NE40E physical architecture, which includes the following systems:

• Power distribution system
• Functional host system
• Heat dissipation system
• Network management system

Except for the network management system (NMS), all other systems are in the integrated cabinet. The following takes the DC power module as an example.

Figure 2-1 Physical architecture (diagram not reproduced; the labels it carries are listed below)

• Network management subsystem, connected to the integrated chassis over Ethernet.
• Integrated chassis: power distribution system with -48 V and -48 V RTN feeds, functional host system, and fan heat dissipation system, linked by the monitor bus.

RTN indicates Return.

The power distribution system works in 1+1 backup mode. The following introduces only the functional host system.

The functional host system processes data. In addition, it monitors and manages the whole system, such as the power distribution system, the fan heat dissipation system, and the NMS through NMS interfaces.


Figure 2-2 shows the functional host system of the NE40E.

Figure 2-2 Functional host system (block diagram not reproduced; the labels it carries are listed below)

• System backplane connecting all boards.
• LPU (one of several): physical interface unit (POS/Ethernet), forwarding unit, management unit and monitoring unit; each LPU is attached to the management bus, the monitoring bus and a serial link group.
• MPU (Active) and MPU (Slave): system monitoring unit and management bus switching unit, attached to the monitoring bus and the management bus.
• SFU module: switching network, switching network control unit and switching network monitoring unit, attached to the serial link group.

(1): The link connects to the management bus switching unit of another MPU.

The functional host system is composed of the system backplane, SRUs, LPUs, and SFUs.

2.2 Logical System Architecture

As shown in Figure 2-3, the NE40E is logically divided into:

• Data plane
• Control and management plane
• Monitoring plane


Figure 2-3 Logical architecture (block diagram not reproduced; it maps the units of the LPUs, MPU and SFU to the three planes as listed below)

• Data plane: the forwarding units of the LPUs and the switching network of the SFU.
• Control and management plane: the management units of the LPUs, the system control unit of the MPU, and the switching network control unit of the SFU.
• Monitoring plane: the monitoring units of the LPUs, the system monitoring unit of the MPU, and the switching network monitoring unit of the SFU.

2.3 Software Architecture

Figure 2-4 shows the software architecture of the NE40E.


Figure 2-4 Software architecture (block diagram not reproduced; the modules it shows are listed below)

• RPS (Active) and RPS (Standby), together with the fan monitoring and power monitoring modules.
• An FSU and an EFU on each LPU.
• IPC and SNMP.

In terms of software, the NE40E consists of the Routing Process System (RPS), the power monitoring module, the fan monitoring module, the Forwarding Support Unit (FSU), and the Express Forwarding Unit (EFU).

• The RPS is the control and management module that runs on the SRU. The RPSs of the active SRU and the standby SRU back up each other. They support IPv4/IPv6, MPLS, LDP, and routing protocols, calculate routes, set up LSPs and the SPT, generate the unicast, multicast, and MPLS forwarding tables, and deliver the routing information to the LPUs.
• The FSU realizes the functions of the link layer and IP protocol stacks on an interface.
• The EFU performs hardware-based IPv4/IPv6 forwarding, multicast forwarding, MPLS forwarding, and statistics.

2.4 VRPv5 Architecture

The VRPv5 consists of:

• System service plane: it provides such functions as task and memory management, timers, software loading and patching on the basis of the operating system. It uses modular technology to facilitate system upgrade and customization.
• Versatile control plane: it is the core of the VRP datacom plane as well as the basis of security and QoS. It supports link management, IPv4/IPv6 protocol stacks, routing protocol processing, MPLS, and MPLS VPN TE. It controls the data forwarding plane and realizes the various functions of the device.
• Data forwarding plane: it forwards data under the control of the versatile control plane. The VRPv5 supports data forwarding based on both software and hardware. The data forwarding plane is the task executor of the NE40E.
• Service control plane: it controls and manages the system as required, including authentication, authorization, and accounting.
• System management plane: it manages user interfaces and Input/Output. It is the basis of network management and maintenance.

The VRPv5 has the following characteristics:

• The system structure adopts a modular design.
• The components can be upgraded independently, without affecting the running of other components.
• The system is easy to maintain and supports smooth service expansion.
• In-service patching offers flexible methods of enhancing service features and correcting defects. Network reliability is thus guaranteed.


3 Hardware Architecture

3.1 Chassis

The NE40E is divided into two types: NE40E-8 and NE40E-4.

The NE40E consists of an integrated chassis (with a backplane), power modules, a ventilation and heat dissipation system, and boards.

• The dimensions of the NE40E-8 are 442 mm x 669 mm x 886 mm (width x depth x height). The chassis of the NE40E-8 is 20 U high. The NE40E-8 can be mounted in a standard 19-inch cabinet or an N68-22 cabinet. Figure 3-1 shows the appearance of the NE40E-8.
• The dimensions of the NE40E-4 are 442 mm x 669 mm x 442 mm (width x depth x height). The chassis of the NE40E-4 is 10 U high. The NE40E-4 can be mounted in a standard 19-inch cabinet or an N68-22 cabinet. Figure 3-2 shows the appearance of the NE40E-4.


Figure 3-1 Appearance of the NE40E-8 (image not reproduced; callouts 1 to 9 are listed below)

1. Panel of the fan module  2. Fan module  3. Board cage
4. Air intake frame  5. Plastic panel of the power module  6. Power module
7. Handle  8. Rack-mounting ear  9. Cabling trough


Figure 3-2 Appearance of the NE40E-4 (image not reproduced; callouts 1 to 7 are listed below)

1. Board cage  2. Power module  3. Plastic panel of the power module  4. Rack-mounting ear  5. Handle  6. Fan module  7. Air filter

3.2 Fans

3.2.1 Fan Module

The NE40E-8 has one fan module, in which there are nine fans; the NE40E-4 has one fan module, in which there are six fans.

• The fan module helps in the air ventilation and heat dissipation of the boards.
• The main monitoring module on the SRU can control the speed of the fans over the Monitorbus based on the temperature in the board cage.

Figure 3-3 and Figure 3-4 show the appearances of the NE40E-8 and NE40E-4 fan modules respectively.

Figure 3-3 Appearance of the NE40E-8 fan module

Figure 3-4 Appearance of the NE40E-4 fan module

3.2.2 Ventilation and Heat Dissipation System

Ventilation and heat dissipation are performed from bottom to top on the board cage of the NE40E-8, and from left to right on the board cage of the NE40E-4.

• The fans integrated on the power module are located at the bottom of the chassis.
• The air channels of the power module and the board cage are separated from each other.
• The air flows from the front of the power module to the back for ventilation and heat dissipation.

3.3 Power Modules

The NE40E provides two types of power supply:

• DC-input power supply
• AC-input power supply

3.3.1 DC-Input Power Supply

The DC power modules of the NE40E work in 1+1 backup mode. The power module behind the plastic panel takes in DC power and distributes it.

The –48 V DC power module is designed with a 3 U high structure.

Figure 3-5 shows the appearance of the DC power module.

Figure 3-5 Appearance of the DC power module

The –48 V DC power module outputs:

• Primary straight-through power
• Secondary –48 V DC regulated voltage

The DC power module provides protection against the following:

• Short circuit
• Over-current
• Over-voltage

It also supports the alarm function.

3.3.2 AC-Input Power Supply

The AC power modules of the NE40E work in 1+1 backup mode. The power module behind the plastic panel takes in AC power and distributes it.

The AC power module is designed with the 3 U high structure.

Figure 3-6 shows the appearance of the AC power module.


Figure 3-6 Appearance of the AC power module

The maximum output power of the AC power module on the NE40E-8 is 3000 W; the maximum output power of the AC power module on the NE40E-4 is 2400 W.

The AC power module provides protection against the following:

• Output over-current
• Output over-voltage
• Output under-voltage
• Input over-voltage
• Input under-voltage
• Over-temperature
• Short circuit

It also supports the alarm function.

3.4 Board Cage

3.4.1 Board Cage

The NE40E-8 has one board cage, which has 11 slots. The slots can hold 8 LPUs, 2 SFUs (sharing one slot), and 2 SRUs.

As shown in Figure 3-7, the left is the entity diagram and the right is the schematic diagram.


Figure 3-7 Board cage of the NE40E-8

The NE40E-4 has one board cage, which has 7 slots. The slots can hold 4 LPUs, 2 SFUs (sharing one slot), and 2 SRUs.

As shown in Figure 3-8, the left is the entity diagram and the right is the schematic diagram.

Figure 3-8 Board cage of the NE40E-4

3.4.2 Board Distribution in the Board Cage

Table 3-1 Board distribution of the NE40E-8

Slot Number    Quantity    Slot Width          Remark
1–8            8           41 mm (1.6 inch)    LPUs
9 and 10       2           36 mm (1.3 inch)    SRUs, on which MPUs work in 1:1 backup
11 and 12      2           36 mm (1.4 inch)    SFUs in 3+1 backup


Table 3-2 Board distribution of the NE40E-4

Slot Number    Quantity    Slot Width          Remark
1–4            4           41 mm (1.6 inch)    LPUs
5 and 6        2           36 mm (1.4 inch)    SRUs, on which MPUs work in 1:1 backup
7 and 8        2           36 mm (1.4 inch)    SFUs in 3+1 backup

3.5 Boards

3.5.1 SRU

The SRU integrates multiple functional modules such as the clock module, LAN switch module, and Compact Flash (CF) module. As the system clock source and the management and maintenance unit, the SRU runs as the core of system control and management. It provides the functions of the control plane and the maintenance plane.

The SRU controls and manages the system. It is designed in 1:1 backup mode. The SRU is composed of the main control unit, the system monitoring unit, the management bus switching unit, and the clock unit.

• The main control unit processes network protocols and manages the whole system. The main control unit of each SRU is connected with the management bus switching units of both the master and the slave SRUs. It controls and manages all the functional units such as SRUs, SFUs, and LPUs. The main control unit also communicates with the system monitoring unit: the system monitoring unit reports the status and environment information of the monitoring plane to the management control plane, and the management control plane then sends control signals to the monitoring plane.
• The system monitoring unit collects the system monitoring information and interacts with the main control unit. In addition, it monitors the status and environment of its SRU. It communicates with the monitoring units of other boards or subsystems in the system through the Monitorbus.
• The management bus switching unit carries out the switching of the management bus. It connects to the control units of the two SRUs, all LPUs, and the SFUs. Thus, there are two sets of management buses in the system to perform master/slave backup protection no matter which Main_Control_Board is in master mode.


Figure 3-9 Management bus connection (diagram not reproduced; it shows the management bus switching unit of the MPU (Active) and the management bus switching unit of the MPU (Standby), each connected to LPU 1 through LPU 8 and SFU 1 through SFU 4)

3.5.2 SFU

As the switching network unit of the NE40E, the SFU supports service data exchange for the whole system.

The SFUs operate in 3+1 load balancing and backup mode and share the data processing. The whole system can thus support line-rate switching of 640 Gbit/s of traffic.

There is a control channel on the SFU that provides the following functions:

• Detecting voltage, current, and temperature
• Providing protection against over-voltage, over-current, and over-heating

3.5.3 LPU

The NE40E provides multiple types of physical interfaces, such as GE, POS, CPOS, ATM, RPR, and CE1/CT1/E1/T1/E3/T3 interfaces, to interconnect various network devices as required.

Function

The LPU board consists of the Physical Interface Card (PIC), Line Processing Unit (LPU), and Fabric Adaptor (FAD). They work jointly to realize the following functions:

• Fast processing and forwarding of service data
• Maintenance and management of the link protocol and the service forwarding table

The main functions of each module are described in Table 3-3.


Table 3-3 Functions of all modules on the LPU (Module Name: Function Description)

LPU module:
• Processing and encapsulation of multiple link protocols (such as Ethernet II and PPP)
• Traffic classification of packets and packet filtering for traffic policing and ACL
• Data buffer management and scheduling
• Data forwarding based on the forwarding table
• Identification of control protocol packets and forwarding of those packets to the active CPU through the non-line-rate interface

FAD module:
• Traffic management: data queuing and buffering according to the input traffic classification, and scheduling of buffered data based on the congestion of the switching network
• Switching network interface adaptor: translation from the parallel SPI4.2 port to the high-speed serial port
• A part of the switching network: traffic control according to the queuing status to ensure no data loss in the network

PIC:
• Implementation of the functions of the physical interface, including optical/electrical conversion and physical layer control

The NE40E provides common LPUs and flexible cards.

Common LPUs

• Ethernet LPU
The NE40E supports the Ethernet LPUs shown in Table 3-4.

Table 3-4 Ethernet LPUs

LPU Name Remark

1-port 10G Ethernet LAN Optical Interface LPU (XFP optical module)

1-port 10G Ethernet WAN Optical Interface LPU (XFP optical module)

24-port 10M/100M/1000M Ethernet Electrical Interface LPU —

24-port 100M/1000M Interface LPU (SFP module) —

24-port Gigabit Ethernet Optical Interface LPU (SFP optical module)

5/10-port Gigabit Ethernet Optical Interface LPU (SFP optical module)


The SFP and XFP are pluggable.

The 10G Ethernet optical interface LPUs are classified into WAN and LAN LPUs.
− The WAN LPU uses SDH/SONET to encapsulate MAC frames and transmits the MAC frames through optical fibers. The interface of a WAN LPU can be connected to the interface of another WAN LPU or to an SDH/SONET transmission device, which is used for interconnections between Ethernet WANs.
− The LAN LPU carries out the optical/electrical conversion of Ethernet MAC frames and transmits the frames over optical fiber. The interface of a LAN LPU, however, can be connected only to the interface of another LAN LPU, which is used for interconnections between Ethernet LANs.
− The packets sent by the interfaces on the WAN and LAN LPUs can be transmitted over Dense Wavelength Division Multiplexing (DWDM) lines.

LAN = Local Area Network; SDH = Synchronous Digital Hierarchy; SONET = Synchronous Optical Network

• POS LPU
POS LPUs are used to connect the NE40E with SDH transmission devices or other devices. The NE40E provides the POS optical interface LPUs shown in Table 3-5.

Table 3-5 POS optical interface LPUs

LPU Name Remark

1-port OC-192c/STM-64c POS Optical Interface LPU (XFP optical module)

1/2-port OC-192c/STM-64c POS Optical Interface PIM Card (XFP optical module) Enhanced

4-port OC-48c/STM-16c POS Optical Interface LPU (SFP optical module)

4-port OC-12c/STM-4c POS Optical Interface LPU (SFP optical module)

4/8-port OC-3c/STM-1 POS Optical Interface LPU (SFP optical module) enhanced

• RPR optical interface LPU
The RPR optical interface LPU realizes the access function of the RPR ring network and provides efficient and reliable RPR networking solutions. The NE40E provides the RPR LPUs shown in Table 3-6.


Table 3-6 RPR LPUs

LPU Name Remark

1-port OC-192c/STM-64c RPR Interface LPU (XFP optical module)

2/4-port OC-48c/STM-16c RPR Interface LPU (SFP optical module)

2/4-port GE RPR Interface LPU (SFP optical module) —

Flexible Plug-in Boards The NE40E provides the flexible plug-in motherboard (hereinafter referred to as motherboard) to enhance networking flexibility. The NE40E also provides low-cost and customized solutions as required. The motherboard works with the flexible card to provide the flexible plug-in feature; thus the hardware configuration is flexible.

The NE40E supports five types of motherboards and their flexible cards.

• Motherboard LPUF and its flexible cards
LPUF provides two slots, in which two of the full-height flexible cards listed in Table 3-7 can be inserted.

Table 3-7 Flexible cards supported by LPUF

Flexible Card Name Remark

3-port E3 Interface Flexible Card (SMB) —

3-port T3 Interface Flexible Card (SMB) —

• Motherboard LPUF-D and its flexible cards
LPUF-D provides two slots, in which two of the full-height flexible cards listed in Table 3-8 can be inserted.

Table 3-8 Flexible cards supported by LPUF-D

Flexible card Name Remark

8-port CE1 Interface Flexible Card —

8-port CT1 Interface Flexible Card —

1-port OC-3c/STM-1 CPOS Interface Flexible Card —

• Motherboard LPUF-10 and its flexible cards
LPUF-10 provides four slots, in which four half-height flexible cards or two full-height flexible cards (each requiring two slots) can be inserted. The maximum bandwidth provided by LPUF-10 is 10 Gbit/s.


The flexible cards supported by LPUF-10 are hot swappable. They support automatic configuration restoration and card intermixing.

Table 3-9 Flexible cards supported by LPUF-10

Flexible Card Name Remark

1-Port OC-192c/STM-64c POS-XFP Flexible Card It is a full-height card.

1/2/4-Port OC-48c/STM-16c POS-SFP Flexible Card It is a half-height card.

4/8-Port OC-12c/STM-4c POS-SFP Flexible Card It is a half-height card.

4/8-Port OC-3c/STM-1c POS-SFP Flexible Card It is a half-height card.

8-Port 100/1000Base-X-SFP Flexible Card It is a half-height card. It supports Ethernet clock synchronization. In addition, ports 0 and 1 support synchronization of both sending and receiving clock signals; other ports support only synchronization of sending clock signals.

2-Port OC-12c/STM-4c ATM-SFP Flexible Card It is a half-height card.

4-Port OC-3c/STM-1c ATM-SFP Flexible Card It is a half-height card.

• Motherboard LPUF-20 and its flexible cards
The LPUF-20 series board provides two slots, each of which can hold a flexible pluggable interface card. The LPUF-20 series board supports a maximum of 20 Gbit/s bandwidth. It does not support hot swap of flexible cards. It supports intermixing of flexible cards. The LPUF-20 series board is classified into LPUF-20-A and LPUF-20-B according to their specifications:
− LPUF-20-A provides all the software features of the NE40E.
− LPUF-20-B provides all the software features of the NE40E, except L3VPN, Multicast VPN (MVPN), and IPv6.
Table 3-10 lists the flexible cards that the LPUF-20 series board supports.

Table 3-10 Flexible cards supported by the LPUF-20 series board

Flexible Card Name Remark

1-Port OC-192c/STM-64c POS-XFP Flexible Card It is a half-width card. It can be used together with the LPUF-20 and LPUF-21 series board.


1-Port 10GBase WAN/LAN-XFP Flexible Card It is a half-width card. It can be used together with the LPUF-20 and LPUF-21 series board. You can configure the interface to run in LAN or WAN mode through commands. The interface supports both synchronization of sending clock signals and that of receiving clock signals.

12-Port 100/1000Base-SFP Flexible Card It is a half-width card. It can be used together with the LPUF-20 and LPUF-21 series board. The card supports Ethernet clock synchronization. In addition, ports 0 and 1 support synchronization of sending and receiving clock signals simultaneously; other ports support only synchronization of sending clock signals.

12-Port 10/100/1000Base-RJ45 Flexible Card It is a half-width card. It can be used together with the LPUF-20 and LPUF-21 series board.

• Motherboard LPUF-21 and its flexible cards
The LPUF-21 series board provides two slots, each of which can hold one half-width flexible card. After removing the slide rail between the two slots on the LPUF-21 series board, you can insert a full-width flexible card into the slot. The half-width cards supported by the LPUF-21 and those supported by the LPUF-20 are of the same type. Full-width cards are applicable only to the LPUF-21. The LPUF-21 series board supports a maximum of 20 Gbit/s bandwidth. It supports hot swap of flexible cards. It supports intermixing of flexible cards. The LPUF-21 series board is classified into LPUF-21-A and LPUF-21-B according to their specifications:
− LPUF-21-A provides all the software features of the NE40E.
− LPUF-21-B provides all the software features of the NE40E, except L3VPN, Multicast VPN (MVPN), and IPv6.
Table 3-11 lists the flexible cards that the LPUF-21 series board supports.

Table 3-11 Flexible cards supported by the LPUF-21 series board

Flexible Card Name Remark

1-Port OC-192c/STM-64c POS-XFP Flexible Card It is a half-width card. It can be used together with the LPUF-20 and LPUF-21 series board.

1-Port 10GBase WAN/LAN-XFP Flexible Card It is a half-width card. It can be used together with the LPUF-20 and LPUF-21 series board. You can configure the interface to run in LAN or WAN mode through commands. The interface supports both synchronization of sending clock signals and that of receiving clock signals.

1-Port 10GBase WAN/LAN-XFP Flexible Card It is a full-width card. It can be used together with the LPUF-21 series board.

12-Port 100/1000Base-SFP Flexible Card It is a half-width card. It can be used together with the LPUF-20 and LPUF-21 series board. The card supports Ethernet clock synchronization. In addition, ports 0 and 1 support synchronization of sending and receiving clock signals simultaneously; other ports support only synchronization of sending clock signals.

40-Port 100/1000Base-SFP Flexible Card It is a full-width card. It can be used together with the LPUF-21 series board.

12-Port 10/100/1000Base-RJ45 Flexible Card It is a half-width card. It can be used together with the LPUF-20 and LPUF-21 series board.


40-Port 10/100/1000Base-RJ45 Flexible Card | Full-width card. It can be used with the LPUF-21 series board.

3.5.4 Service Boards

SPUC

The SPUC provides no interface and only performs integrated processing for specific services. The NE40E supports load balancing among multiple SPUCs.

The SPUC provides the following functions:

- Integrated NetStream: The Line Processing Unit (LPU) samples packets and the SPUC collects traffic statistics. This division of work is efficient and minimizes the effect on forwarding performance. When integrated NetStream is started on the SPUC, the system must be configured with a NetStream license for SPUC according to the number of SPUCs.

- Integrated MVPN: When providing integrated MVPN, the system must be configured with a certain number of SPUCs. The number of SPUCs is determined by the MVPN performance requirements. In addition, the system must be configured with an MVPN license for SPUC according to the number of SPUCs.

- Integrated tunnel: provides lawful interception, Generic Routing Encapsulation (GRE) tunnels, and 6PE tunnels. When an integrated tunnel is started on the SPUC, the system must be configured with tunnel licenses for SPUC according to the number of SPUCs.


4 Link Features

4.1 Ethernet Link Features

4.1.1 Basic Features

The Ethernet link provided by the NE40E supports the following:

- VLAN trunk
- VLANIF
- VLAN aggregation
- Inter-VLAN port isolation
- Ethernet sub-interface
- VLAN sub-interface
- Ethernet clock synchronization

4.1.2 Ethernet Bundling

Link aggregation refers to a method of bundling a group of Ethernet physical interfaces into a logical Eth-Trunk interface to increase bandwidth.

The Eth-Trunk of the NE40E functions as follows:

- Supports the bundling of up to 16 physical interfaces. The formed Eth-Trunk interface runs as a normal Ethernet interface.
- Supports the bundling of ports of different rates.
- Supports active/standby mode and performs active/standby switchover automatically in accordance with the link status of the interface.

The NE40E provides link aggregation in two modes:

- Port bundling in manual mode
- Link aggregation in static LACP mode

Layer 2 Ethernet Bundling Interface

When you run the portswitch command on the formed Eth-Trunk interface, the interface becomes a Layer 2 Ethernet bundling interface. The Eth-Trunk interface then provides the following features of the switched Ethernet link:


- VLAN interfaces
- Inter-VLAN port isolation
- VLAN aggregation
- VLAN trunk
- VLAN mapping
- QinQ and VLAN stacking
- Layer 2 features such as MSTP and RRPP
- Switched Ethernet links

Layer 3 Ethernet Bundling Interface

By default, the formed Eth-Trunk interface is a Layer 3 Ethernet bundling interface. The Eth-Trunk interface then provides the following features of the routed Ethernet link:

- IPv4/IPv6 forwarding
- MPLS forwarding
- Multicast forwarding
- L3VPN
- L2VPN

LACP (802.3ad)

The NE40E supports link aggregation in Link Aggregation Control Protocol (LACP) static mode. Link aggregation in static LACP mode contrasts with link aggregation in manual mode. Port bundling in manual mode requires neither LACP nor the exchange of protocol packets; the aggregation is specified entirely by the administrator. Link aggregation in static LACP mode relies on LACP and automatically maintains the interface status by exchanging protocol packets. The administrator, however, still needs to create the aggregation group and add the member links manually; LACP cannot change the administrator's configuration.

The NE40E supports LACP that conforms to IEEE 802.3ad. The administrator creates the Eth-Trunk interface, adds member ports to it, and enables LACP on the Eth-Trunk interface. The NE40E negotiates which ports to use for data forwarding with the peer device by exchanging LACP protocol packets. That is, they negotiate to determine whether the outbound interface is in the selected or standby state.

LACP maintains the link status in accordance with the port status. Once the aggregation conditions change, LACP automatically adjusts or de-aggregates the link.

4.1.3 Virtual Ethernet Interfaces

The NE40E supports virtual Ethernet interfaces. By mapping an ATM PVC to a manually created virtual Ethernet interface, Ethernet packets can be transmitted over the ATM Adaptation Layer 5 (AAL5). The virtual Ethernet interface thus provides Layer 2 switched and Layer 3 IP services.


4.2 FR Link Features

Frame Relay (FR) is a fast packet switching technology that forwards and switches data in a simple way at the link layer.

FR only realizes functions of the physical layer and the link layer of OSI. Traffic control and error correction are implemented by the intelligent terminal. In this manner, the processing time is reduced; the network throughput is increased; and the delay for communications is reduced.

FR uses virtual circuits to make full use of network resources. FR therefore offers large throughput and short delay, and is applicable to bursty services.

The NE40E provides the following FR features:

- DLCI
- VC: PVC and SVC
- FR address mapping
- FR LMI
- FR sub-interfaces
- FR switch PVC backup
- FR compression
- MFR

DLCI = Data Link Connection Identifier; PVC = Permanent Virtual Circuit; SVC = Switching Virtual Circuit; LMI = Local Management Interface; MFR = Multilink Frame Relay

4.3 POS Link Features

4.3.1 SDH/SONET

The physical layer of the POS link adopts the Synchronous Optical Network (SONET) defined by the ANSI or the Synchronous Digital Hierarchy (SDH) defined by the ITU-T. POS interfaces provide alarms for the physical layer.

4.3.2 POS Interface

The NE40E provides POS interfaces of 155 Mbit/s, 622 Mbit/s, 2.5 Gbit/s, and 10 Gbit/s.

On the link layer, POS supports:

- Point-to-Point Protocol (PPP)
- High-level Data Link Control (HDLC)
- FR

PPP on the POS interface supports:

- Link Control Protocol (LCP)
- Internet Protocol Control Protocol (IPCP)
- Multi-Protocol Label Switching Control Protocol (MPLSCP)
- Multilink Protocol (MP)
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)

4.3.3 POS Sub-interface

On the NE40E, you can manually create POS sub-interfaces to provide multiple logical links over a POS link. You then need to configure FR on the link layer of the POS sub-interface to interwork with a network-layer device that supports POS FR or an FR switch that supports POS interfaces. POS sub-interfaces support point-to-point (P2P) and point-to-multipoint (P2MP).

4.3.4 IP Trunk

When HDLC is adopted as the link layer encapsulation on the POS interface, you can bind multiple physical POS interfaces into a logical IP-Trunk interface, as shown in Figure 4-1.

You can configure the trunk interface to implement routing protocols and carry MPLS and VPN services. The physical POS interfaces that are bound to a trunk are called trunk members. All configurations on the trunk interface also take effect on the trunk members. The trunk members use the IP address of the logical trunk interface.

The IP trunk technology helps to:

- Increase bandwidth: The bandwidth of the trunk interface is the sum of the member bandwidth.

- Enhance reliability: If a member link fails, the traffic of this link is automatically switched to other available links. This improves the reliability of the whole trunk.

- Carry out load sharing: Different flows pass through different trunk members. That is, when both the source IP address and destination IP address differ among packets, the packet flows pass through different member links. Otherwise, packets with the same source IP address and destination IP address form a flow, and the flow passes through the same member link.

Figure 4-1 IP trunk (figure not reproduced; it shows several physical POS links bound into one logical trunk)

The NE40E supports:

- Inter-board IP trunk
- IP trunk of channels with different rates
- Dynamic establishment and removal of IP-trunk interfaces
- Binding a physical channel to a trunk through the command line on a physical interface
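The IP-Trunk rules above (summed bandwidth, one flow per source/destination IP pair pinned to one member, failover to the remaining members) modelled in Python, as an added example that is not Huawei's or the NE40E's code; the member names, rates and the SHA-256-based selection hash are constructed for the example, and the text does not say which hash the router uses.

```python
import hashlib
import ipaddress


class IpTrunk:
    """Logical IP-Trunk interface over several physical POS members (a model)."""

    def __init__(self, name, members):
        # members: {member interface name: rate in Mbit/s}; every member starts Up.
        self.name = name
        self.rate = dict(members)
        self.up = {m: True for m in members}

    def active_members(self):
        return [m for m in self.rate if self.up[m]]

    def bandwidth_mbps(self):
        """Trunk bandwidth is the sum of the bandwidth of the available members."""
        return sum(self.rate[m] for m in self.active_members())

    def set_member(self, member, up):
        """Mark a member link Up or Down; a Down member carries no flows."""
        if member not in self.rate:
            raise KeyError(f"{member} is not a member of {self.name}")
        self.up[member] = up

    @staticmethod
    def flow_key(src, dst):
        """Packets with the same source and destination IP form one flow;
        Layer 4 ports do not enter the key, as the text describes."""
        return f"{ipaddress.ip_address(src)}->{ipaddress.ip_address(dst)}"

    def select_member(self, src, dst):
        """Hash the flow key onto the currently available member links, so a
        flow always takes the same member while that member is Up."""
        active = self.active_members()
        if not active:
            raise RuntimeError(f"{self.name}: no member link is Up")
        digest = hashlib.sha256(self.flow_key(src, dst).encode()).digest()
        return active[int.from_bytes(digest[:4], "big") % len(active)]


def distribute(trunk, packets):
    """Map a batch of (src, dst) packets to members; returns {flow key: member}."""
    return {trunk.flow_key(s, d): trunk.select_member(s, d) for s, d in packets}
```

Because the modulo runs over the list of live members, a member failure in this model can also move flows that were on surviving links; a stable-hashing scheme avoids that, and the text does not state which behaviour the NE40E implements.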

Page 45: NE40E V300R003  Product Description.pdf

Quidway NetEngine40E Core Router V300R003

Product Description

Issue 04 (2008-08-6) Commercial in Confidence Page 45 of 164

4.4 CPOS Link Features

In a network, a great number of access devices are connected to the upstream convergence devices through low-speed E1/T1 interfaces. The convergence devices therefore need the capability to converge many low-speed E1/T1 or POS interfaces. On the NE40E, CPOS interfaces of various rates meet this requirement.

4.4.1 Channelization

A CPOS interface is a channelized POS interface. Channelization transmits multiple independent data flows on one optical fiber through the low-speed tributary signals of STM-N. Each data flow has its own bandwidth and monitoring policy. When multiple low-speed signals are sent, channelization makes better use of the bandwidth.

The granularity of CPOS interface channelization is as follows:

- The 155M CPOS LPU can provide 63 E1 channels, 84 T1 channels, or 1023 N x 64K channels.
- The 155M CPOS LPU can provide 3 E3 or 3 T3 channels.

The NE40E supports binding of E1/T1 channels. Up to 84 channels can be bound in a binding set. Each 155M CPOS LPU supports up to 168 binding sets.

The NE40E supports binding of T3 channels. Up to 3 channels can be bound in a binding set. Each 155M CPOS LPU supports up to 3 binding sets.

4.4.2 PPP/HDLC

The NE40E provides 155 Mbit/s CPOS interfaces.

On the link layer, CPOS supports:

- PPP
- HDLC

PPP on the CPOS interface supports:

- LCP
- IPCP
- MPLSCP
- MP
- LFI
- PAP
- CHAP

4.5 ATM Link Features

4.5.1 SDH/SONET

The ATM interfaces of the NE40E support SONET/SDH as well as the SONET/SDH overhead configuration and mapped physical-layer alarms.


4.5.2 PVP/PVC

ATM interfaces support the creation of PVPs and PVCs, together with:

- Traffic shaping based on VP/VC
- User-to-Network Interface (UNI) signaling
- RFC 1483: Multiprotocol Encapsulation over ATM Adaptation Layer 5
- RFC 1577: Classical IP and ARP over ATM
- F4 and F5 end-to-end loopback OAM
- ATM Adaptation Layer 5 (AAL5)
- Non-real-time Variable Bit Rate (NRT_VBR)
- Unspecified Bit Rate (UBR)
- Real-time Variable Bit Rate (rt_VBR)
- Constant Bit Rate (CBR)

4.5.3 IPoA

IP over ATM (IPoA) is a technology for carrying IP services on an ATM network. It inherits the fundamentals of TCP/IP and regards the ATM network as a physical subnet. To IP protocols, the ATM network is equivalent to a physical subnet such as Ethernet. Using IPoA, you can run IP protocols and network applications directly on the ATM network.

On the NE40E, you can set up address mapping between PVC and the IP address of the peer device in two ways:

- Static mapping
- Inverse Address Resolution Protocol (InARP)

4.5.4 ATM Sub-interface

The NE40E supports ATM sub-interfaces. An ATM interface supports multiple virtual connections at the same time, and the peer networks of these virtual connections are in different network segments. In this case, you need to create sub-interfaces on the interface to communicate with the different peers. You can configure multiple PVCs on one sub-interface.

4.5.5 ATM OAM

ATM Operation, Administration and Maintenance (OAM) detects faults, locates faults, and monitors performance without interrupting services. ATM OAM provides specific information about the network by inserting OAM cells, in the standard cell format, among the user cells.

The NE40E supports the F4 and F5 OAM. The OAM functions to check the statuses of the PVP and PVC links, that is, to check whether the link is Up or Down.

4.5.6 1483B

RFC 1483 defines the technical standard for transmitting multi-protocol data units on an ATM network, including the following two kinds:

- The 1483 Bridged: It is applied to the bridged protocol data unit.
- The 1483 Routing: It is applied to the routing protocol data unit.

The RFC 1483 Bridged encapsulates the data packet of the network layer in the data link layer. It imitates the bridge function of the Ethernet network, so that the terminal devices at the user side and the bridge devices at the network side are connected.

Figure 4-2 shows the stack protocol of 1483B.

Figure 4-2 Stack protocol of 1483B (figure not reproduced; it shows Router A and Router B connected across the ATM network, with the stack TCP/UDP, IP, Ethernet, 1483B, AAL5, ATM on the access router)

The IPoE Ethernet stack protocol is used to connect the device at the user side. After 1483B is configured on the ingress Router A on the ATM network, Router A can implement the bridge of Ethernet packets to the ATM cells, so that the received IPoE packets can be transmitted transparently on the ATM network.

IPoEoA is the main application of 1483B supported by the NE40E. IPoEoA indicates that AAL5 bears Ethernet packets, and the Ethernet bears IP packets, so that the layer 2 forwarding of IPoEoA packets between the Ethernet and PVC can be implemented. IPoEoA converges the ATM backbone network and the IP network and supports Ethernet protocols and IP protocols.

4.5.7 ATM Cell Relay

PWE3 uses the PSN to connect traditional networks such as ATM, FR, or LAN and emulates their services. By emulating the original service as faithfully as possible on the PSN, the end user notices no difference. In this manner, PWE3 protects the existing investment of users and operators during network consolidation and construction.

Layer 2 emulated services on the PSN set up a P2P tunnel and convey data packets, cells, and bit streams through a public or private PSN. The original service is emulated between the two PE routers of the PW.

Figure 4-3 shows the label encapsulation used when the PSN transparently transmits the ATM service.

Figure 4-3 Network diagram for ATM encapsulation over a PSN (figure not reproduced; it shows an ATM service between two L2 networks carried between PE routers over an MPLS network, with the PSN tunnel identified by the outer MPLS label and the pseudo-wire by the inner MPLS label, and the packet layout PSN transport header, pseudo-wire header, ATM control word, ATM service payload)

The outer PSN label identifies the PSN tunnel, while the inner label, namely the PW header, identifies a PW.

In ATM cell transport, the following two kinds of services are transmitted on the PSN:

- Services whose PW payload is ATM cells
- Services whose PW payload is AAL5 SDUs/PDUs

ATM cell transport allows an existing ATM network or ISP network to be carried across the PSN without adding new ATM devices or changing the ATM CE configurations. ATM CE routers treat the ATM cell transport service as a TDM leased line and implement ATM interconnection through transparent transmission of cells over the PSN.

The NE40E supports ATM cell transport over Permanent Virtual Circuits (PVCs) and Permanent Virtual Paths (PVPs), and AAL5 SDU transport.

Generally, the NE40E supports the following ATM cell transport modes:

- ATM whole port cell transport
- 1-to-1 VCC cell transport
- N-to-1 VCC cell transport
- 1-to-1 VPC cell transport
- N-to-1 VPC cell transport
- ATM AAL5-SDU VCC transport
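The label stack of Figure 4-3 packed and unpacked in Python, as an added example that is not Huawei's or the NE40E's code. The bit layouts are taken from RFC 3032 (label stack entry) and RFC 4385 (PW control word), and cells are carried as 52-byte units (header without HEC plus 48-byte payload) as in the cell modes of RFC 4717; none of that detail is on this page, and every label, VPI/VCI value and payload byte below is constructed.

```python
import struct

CELL_LEN = 52  # ATM cell header without HEC (4 bytes) + 48-byte payload


def label_entry(label, bottom, tc=0, ttl=255):
    """One 32-bit MPLS label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def control_word(seq, length=0, flags=0, frg=0):
    """PW control word: 0000 | flags(4) | FRG(2) | length(6) | sequence(16)."""
    return struct.pack("!I", (flags << 24) | (frg << 22) | (length << 16) | (seq & 0xFFFF))


def atm_cell(vpi, vci, pti, payload, clp=0):
    """52-byte cell: GFC(4) | VPI(8) | VCI(16) | PTI(3) | CLP(1), then 48 bytes."""
    if len(payload) != 48:
        raise ValueError("an ATM cell payload is exactly 48 bytes")
    header = (vpi << 20) | (vci << 4) | (pti << 1) | clp
    return struct.pack("!I", header) + payload


def cell_vpi_vci(cell):
    """VPI/VCI of a 52-byte cell; in N-to-1 mode this is what selects the VCC."""
    header, = struct.unpack_from("!I", cell, 0)
    return (header >> 20) & 0xFF, (header >> 4) & 0xFFFF


def encapsulate(psn_label, pw_label, seq, cells):
    """Outer label (S=0) identifies the PSN tunnel, inner label (S=1) the PW."""
    if any(len(c) != CELL_LEN for c in cells):
        raise ValueError("every cell must be 52 bytes")
    return (label_entry(psn_label, False) + label_entry(pw_label, True)
            + control_word(seq) + b"".join(cells))


def decapsulate(packet):
    """Walk the stack to the bottom label, check the control word, split cells."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack")
        entry, = struct.unpack_from("!I", packet, offset)
        offset += 4
        labels.append(entry >> 12)
        if (entry >> 8) & 1:  # S bit set: bottom of stack
            break
    if len(labels) != 2:
        raise ValueError("expected exactly a tunnel label and a PW label")
    if offset + 4 > len(packet):
        raise ValueError("missing control word")
    cw, = struct.unpack_from("!I", packet, offset)
    offset += 4
    if cw >> 28 != 0:
        raise ValueError("first nibble of the PW control word must be zero")
    body = packet[offset:]
    if not body or len(body) % CELL_LEN:
        raise ValueError("payload is not a whole number of cells")
    cells = [body[i:i + CELL_LEN] for i in range(0, len(body), CELL_LEN)]
    return {"psn_label": labels[0], "pw_label": labels[1],
            "seq": cw & 0xFFFF, "cells": cells}
```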

4.6 RPR Link Features

The NE40E supports RPR networking. Based on packet-based optical transport technology, RPR provides access to multiple services. Combining the broad bandwidth and fast self-healing capability of the optical network, RPR provides cost-effective services for carriers over the existing optical network.

An RPR ring adopts the topology of two counter-rotating ringlets. An RPR network consists of Ringlet0, Ringlet1, stations, and spans, as shown in Figure 4-4.

Figure 4-4 RPR networking diagram (figure not reproduced; it shows Ringlet0 and Ringlet1 passing through each station within one domain, with the East and West spans of every station)

As shown in Figure 4-4, each node of the RPR network is connected by two pairs of fibers for ringlet 0 and ringlet 1 transmission and receiving. In the RPR network, the unicast traffic only travels between its source node and destination node, thus improving the bandwidth utilization.

4.6.1 RPR Fairness Algorithm

RPR controls network congestion through the RPR Fairness Algorithm (RPR-FA). If a node is congested, it sends an RPR fairness packet to its upstream node through the counter-rotating ring. The fairness packet also serves to maintain the link status. According to the information in the packet, the upstream node adjusts its transmission rate to avoid congestion.

RPR-FA controls only the transmission of packets with low precedence. The packets with high precedence are not controlled by RPR-FA and are sent as long as there are enough transit buffers.

RPR automatic switching is implemented through four kinds of control packets:

- Topology and Protection (TP) packets are broadcast on the whole ring.
- Topology Checksum (TC) packets are sent or received only between adjacent nodes.
- Attribute Discovery (ATD) packets are used to update the station information in the topology database, apart from topology discovery and checksum.
- Link Round Trip Time (LRTT) packets are used to detect the delay of high-precedence control frames among all nodes on the network.

4.6.2 Protection Mechanism

In the RPR network, if a node fails, the protection mechanism can make the traffic pass through the failed node. If a line fails, the protection mechanism can transfer the traffic to the ring in the opposite direction (wrapping mode) or change the direction of the traffic (steering mode). The protection mechanism implements RPR forwarding performance monitoring, event detection, fast self-healing, and fast recovery of service in case of node or fiber failure. Thus, the network can detect events and respond to them appropriately to ensure continuous services.

Pass-Through

Some node failures may stop Layer 3 forwarding temporarily while the MAC layer can still forward packets. You can set the node to pass-through mode by shutting down the RPR interface. In this case, all packets that reach this node are forwarded transparently and the node is invisible in the RPR network, as shown in Figure 4-5.

Figure 4-5 Pass-Through mode (figure not reproduced)

Wrapping and Steering

When failures such as fiber disconnection occur, the system adopts one of two self-healing modes, wrapping and steering.

- In wrapping mode, the traffic that is transmitted on ringlet 0 from A to B is sent to the node adjacent to the failed line, and then to B on ringlet 1. See Figure 4-6.
- In steering mode, the traffic that was previously on ringlet 0 is directly redirected to ringlet 1 for transmission. See Figure 4-7.

Figure 4-6 RPR network in wrapping mode (figure not reproduced; nodes A and B on the RPR ring)

Figure 4-7 RPR network in steering mode (figure not reproduced; nodes A and B on the RPR ring)

The wrapping mode and steering mode in RPR have their respective advantages and disadvantages. The wrapping mode implements fast switchover without data loss, but wastes the bandwidth. The steering mode needs neither loopback nor wrapping, and thus does not waste the bandwidth, but it implements a slow protection with data loss.

The RPR designed by Huawei combines the advantages of these two modes, and adopts the "first wrapping and second steering" mode. Providing the failure protection switchover within 50 ms, it implements non-stop services without bandwidth waste to achieve the best performance.


4.7 CE1/CT1/E3/T3 Link Features

The NE40E provides CE1, CT1, E3, and T3 interfaces.

4.7.1 PPP/HDLC/FR

CE1/CT1/E3/T3 interfaces work as serial interfaces, and the following link protocols are supported:

- PPP
- HDLC
- Frame Relay (supported by the CE1/CT1 interface)

PPP on the serial interface supports:

- LCP
- IPCP
- MPLSCP
- MP
- PAP
- CHAP

4.7.2 Channelized Links

The CE1/CT1 links can be channelized into 64K links.

4.7.3 Link Binding

Multiple CE1 or CT1 interfaces can be bundled into a logical interface. Each bundling set contains up to 8 channels. Each CE1 LPU supports a maximum of 16 bundling sets.


5 Primary Service Features

5.1 Ethernet Features

5.1.1 Switched Ethernet Link Features

The Ethernet interfaces of the NE40E can run as switched interfaces to provide VLAN, VPLS, and QoS services. They can also run at the User Network Interface (UNI) side to support MPLS VPN.

VLAN Trunk

A trunk is a P2P link between two routers. The interfaces on the connected routers are called trunk interfaces. One VLAN trunk can transmit data flows of different VLANs and allows a VLAN to contain the interfaces of many routers. The NE40E can dynamically add, delete, or modify the VLANs of a VLAN trunk to keep the VLAN configuration consistent across the whole network. The NE40E can also interwork with non-Huawei devices.

VLANIF

The NE40E supports VLANIF interfaces. You can assign IP addresses to VLANIF interfaces and bind VLANIF interfaces to VPNs. This implements Layer 3 access through VLANIF interfaces. You can also bind VSIs to VLANIF interfaces to implement VPLS access.

VLAN Aggregation

Communication between VLANs requires inter-VLAN routing. If each VLAN interface is assigned an IP address, IP address resources will be used up.

You can aggregate a group of VLANs to a super-VLAN. The VLANs in the super VLAN are called branch VLANs. A super VLAN is associated with an interface at the IP layer. In addition, all branch VLANs in the super VLAN use the IP addresses in the same network segment to improve the utilization of the IP addresses.

Interface Isolation in a VLAN

You can configure an interface in a VLAN to be an isolated interface on the NE40E. Between isolated interfaces, IP routing is performed instead of Layer 2 forwarding. Layer 2 forwarding, however, can be performed between an isolated interface and a non-isolated interface in a VLAN.

On the NE40E, you can add the interfaces that need to be isolated in a VLAN to the same interface group. Any two interfaces of different interface groups are isolated from each other. Interfaces outside the group are not isolated.

Supporting Ethernet Sub-interfaces

The NE40E supports the configuration of sub-interfaces for a switched Ethernet interface. You can configure Layer 3 services on the sub-interfaces and Layer 2 services on the primary interface. In this manner, switched Ethernet interfaces can support both Layer 2 and Layer 3 services.

5.1.2 Routed Ethernet Link Features

The Ethernet interfaces of the NE40E can run as routed interfaces to provide IPv4/IPv6, MPLS, QoS, and multicast services.

GE interfaces and FE interfaces can be configured with sub-interfaces. The sub-interface supports VLAN encapsulation used to terminate a VLAN.

Ethernet Sub-interface

A normal Ethernet sub-interface, which can belong to one VLAN only, functions as follows:

- Terminates the enterprise customer's services.
- Supports routing protocols.
- Supports MPLS forwarding.

VLAN Sub-interface

A VLAN sub-interface, which can belong to multiple VLANs, functions as follows:

- Terminates the individual users' services.
- Supports DHCP relay, DHCP binding, URPF, and ACLs, ensuring security.

5.1.3 Ethernet Clock Synchronization

Clock synchronization refers to keeping the clock frequency deviation and phase deviation of each network element in the digital network within the allowed error range. If the clock frequency deviation and phase deviation exceed the allowed error range, bit errors and jitter occur, degrading the forwarding performance.

The LPUF-10 and LPUF-20 provide the function of Ethernet clock synchronization. The clock quality and stratum can thus be guaranteed.


Figure 5-1 Ethernet clock synchronization (figure not reproduced; it shows Node B, RNC, MGW, MSC-SERVER, SGSN/GGSN, SCP/HLR, PSTN and Internet connected over the IP bearer network, with the Iu-CS, Iu-PS, Iur, Nb, Mc and Gi interfaces and SS7/TDM and SS7/IP signaling)

In a wireless network, Ethernet links put high requirements for clocks. As shown in Figure 5-1, in the future IP-RAN solution, the IP network runs as the bearer layer between Node-B and RNC. With the function of Ethernet clock synchronization, the problem of clock transmission in the IP network can be solved.

In addition, Ethernet clock synchronization supports the backup of the clock reference source to enhance the reliability of the link. When an Ethernet link goes Down, the system automatically selects the backup Ethernet interface to extract the clock information.

5.1.4 PBB-TE

The NE40E supports PBB-TE technology that conforms to IEEE 802.1ah. PBB-TE realizes transmission of P2P and multipoint-to-multipoint services. The transport network is set up on the basis of Ethernet. In this manner, the Ethernet solution is extended from the access and convergence layers to the core layer of the MAN and even the WAN.

PBB-TE is a tunneling technique based on MAC stacking. PBB-TE means appending a MAC address of the ISP to the MAC address of the user Ethernet frame. This realizes transparent transmission of user Ethernet frames through public networks.

When a PBB-TE tunnel is set up between two MANs, it runs over the core network of the ISP. From the ISP network, the MAC address of a user is isolated, which improves the security of services. In addition, the stacked MAC addresses expand the MAC address space.

The PBB-TE tunnel can be set up between the NE40Es. It supports fault detection, fault location, and the Automatic Protection Switching (APS). APS controls the protection switchover of the tunnel. The NE40E supports 1+1 and 1:1 protection modes of the MAC tunnel. The NE40E also supports the revertive mode, hold-off time, and APS configuration mismatch test. This guarantees fast recovery of services.


Figure 5-2 Leased line service PBB-TE (figure not reproduced; CEs attached to a UPE across the Metro(+Core) network over a PBB-TE tunnel; bridge nodes are configured with static forwarding entries, and in the P2P application end nodes ignore the user DA)

Figure 5-3 Convergence service PBB-TE (figure not reproduced; a CE attached to a Metro NPE and the Core over a PBB-TE tunnel; bridge nodes are configured with static forwarding entries, and in the P2P application end nodes ignore the user DA)

Figure 5-4 Leased line service PBB-TE trunk (figure not reproduced; CEs attached to a UPE across the Metro(+Core) network over a PBB-TE trunk; in the P2P application end nodes ignore the user DA)


Figure 5-5 Convergence service PBB-TE trunk (figure not reproduced; a CE attached to a Metro NPE and the Core over a PBB-TE trunk; in the P2P application end nodes ignore the user DA)

Figure 5-6 Multipoint-to-multipoint PBB-TE (figure not reproduced; four CEs attached to four PEs across the Metro(+Core) network)

5.1.5 QinQ

The QinQ protocol is a Layer 2 tunneling protocol based on IEEE 802.1Q. The QinQ technology expands the VLAN space by adding an IEEE 802.1Q tag to a packet that already carries an 802.1Q tag. As a result, private VLANs can transparently transmit packets over the public network. These functions are the same as those of a Layer 2 VPN. Packets forwarded over the backbone network carry two 802.1Q tags, one for the public network and the other for the private network. This is called 802.1Q-in-802.1Q, or QinQ for short.


The ISP network only provides one VLAN ID for different VLANs from the same user network. This saves VLAN IDs of an ISP. Meanwhile, the QinQ provides a simple Layer 2 VPN solution to a small MAN or a LAN.

The QinQ technology can be applied to multiple services in a metropolitan area Ethernet solution.

This technology has the following features:

- Packets of the same VLAN from different users are not transmitted transparently.
- Private networks are effectively segregated from the public network.
- The ISP's VLAN IDs are saved to the maximum.

Although it is not a formal protocol, QinQ is widely applied by carriers because of its simplicity and convenience. In particular, the emergence of selective QinQ (VLAN stacking) has made QinQ more popular among carriers. With the development of the metropolitan area Ethernet, all device vendors have put forward their own metropolitan area Ethernet solutions. The QinQ technology plays an important role in these solutions because of its simplicity and flexibility.

The NE40E provides abundant QinQ features. Diverse networking requirements can be satisfied.

Interface-based QinQ

Figure 5-7 is a diagram of typical networking through the interface-based QinQ feature. A user sets the interface-based QinQ feature on the router. When the user's packets, carrying the user's VLAN tag, arrive at the router, the router treats them as untagged packets and adds a VLAN tag of the ISP over the existing VLAN tag. After the user's packets traverse the VLAN tunnel of the ISP and reach the remote user, the VLAN tag of the ISP is stripped away. Figure 5-7 illustrates this function.

Figure 5-7 Typical networking diagram of the interface-based QinQ application (figure not reproduced; frames from user VLAN 100 and VLAN 200 enter the router and leave toward the ISP network carrying the outer tag 300 over the inner tags 100 and 200)

Interface-based QinQ provides the following functions:

- Access to the VPLS to transparently transmit private VLAN packets
- Access to the L2VPN and PWE3 to transparently transmit private VLAN packets


VLAN-based QinQ

VLAN-based QinQ is also called selective QinQ. Figure 5-8 shows VLAN-based QinQ. With the growth of services such as broadband Internet access, VoIP and IPTV, ISPs sometimes want to plan the inner VLAN tags of the network per service. For example:

- VLAN 1000 to VLAN 1999: broadband Internet access
- VLAN 2000 to VLAN 2999: IPTV services
- VLAN 3000 to VLAN 3999: VoIP services

Figure 5-8 Typical networking diagram of the VLAN-based QinQ application
(Figure not reproduced. Labels: PCs, videophones and IPTV terminals attach through a LAN switch on VLAN 1001/1002, 2001/2002 and 3001/3002, carried as PVC1001, PVC2001 and PVC3001 for broadband, VoIP and IPTV access; the service gateway maps VLAN 1xxx to outer VLAN 100, VLAN 2xxx to outer VLAN 300 and VLAN 3xxx to outer VLAN 200 toward the IP backbone/MAN; the network is managed by iManager N2000.)

Users access the DSLAM in multi-PVC mode, and the DSLAM maps each PVC to a VLAN. Flexible QinQ on the gateway then applies outer VLAN tag 100 to broadband Internet access, outer VLAN tag 200 to VoIP and outer VLAN tag 300 to IPTV. Double tagging lifts the limit of 4094 VLAN IDs in one ISP network, and because each service travels in its own outer VLAN, the ISP can manage the services separately.

The services are separated in one of the following three ways:

- Adding an outer tag chosen by the inner VLAN interval, that is, turning one tag into two so that services are separated by terminal.
- Adding an outer tag chosen by the protocol ID of the packet, that is, tagging according to the protocol so that services are separated by terminal.
- Replacing the outer VLAN tag according to the inner VLAN interval, that is, substituting one tag for another so that services are separated by user type. This is called VLAN mapping.


VLAN-based QinQ can serve as one of the VPLS access modes, letting packets of private VLANs cross the backbone network transparently. It can likewise serve as one of the L2VPN or PWE3 access modes. This QinQ mode is implemented on switched interfaces.

The difference between VLAN-based QinQ and interface-based QinQ is as follows:

- In interface-based QinQ mode, the PE adds the same outer VLAN tag to all packets from the same user side.
- In VLAN-based QinQ mode, the PE adds different outer VLAN tags to packets from the same user side depending on the user's VLAN tags.

Therefore, VLAN-based QinQ is more flexible than interface-based QinQ. VLAN-based QinQ is also called flexible QinQ.

VLAN Stacking

Early QinQ was a Layer 2 technology implemented on switches. With VLAN stacking, packets are forwarded at Layer 2 by means of the outer VLAN tag. The outer VLAN usually refers to the VLAN of the ISP network. VLAN stacking is usually applied on the switched interface.

The sub-interface for VLAN stacking is deployed on a PE. The sub-interface identifies the user's VLAN and then performs VLAN stacking to user's Layer 2 packets. After that, packets are forwarded at Layer 2 by means of the outer VLAN tag.

The sub-interface for VLAN stacking is used to solve the problem of transmitting transparently packets of many VLANs through one sub-interface. Packets access an L2VPN through the outer VLAN of the stacking. The inner VLAN is transparent to the ISP. User's packets of multiple VLANs can thus be transmitted transparently.

VLAN stacking supports the following:

- Access to VPLS through the sub-interface for VLAN stacking
- Access to VLL/PWE3 through the sub-interface for VLAN stacking

Sub-interface for QinQ VLAN Tag Termination

Sub-interfaces for QinQ VLAN tag termination are sub-interfaces that terminate the double VLAN tags of users. They differ from sub-interfaces for VLAN stacking in that the PE removes both VLAN tags from user packets when the packets enter the ISP network.

The two VLAN tags of a customer carry specific meanings; for example, the outer VLAN tag identifies a service and the inner VLAN tag identifies a customer. By terminating both tags, a sub-interface for QinQ VLAN tag termination admits the customer and identifies the service.

Sub-interfaces for QinQ VLAN tag termination are similar to normal VLAN sub-interfaces. In addition to terminating double VLAN tags, they provide the following functions:

- IP forwarding
- VPLS
- L3VPN/PWE3/VLL
- ARP proxy (ARP agent)
- VRRP
- Routing protocols
- DHCP server/DHCP relay

Sub-interfaces for QinQ VLAN tag termination terminate double VLAN tags in one of two ways:

- Exact termination: double VLAN tags with the specified VLAN IDs are terminated.
- Fuzzy termination: double VLAN tags with VLAN IDs in a specified range are terminated.

Compatibility of the Etype of QinQ Outer TPIDs

IEEE 802.1Q defines the tag protocol identifier (TPID) as the Etype value 0x8100, as shown in Figure 5-9. In QinQ encapsulation all vendors use 0x8100 for the inner TPID, but the Etype value of the outer TPID differs between router manufacturers. A device that does not recognize its neighbour's outer TPID reads that word as an unknown EtherType and cannot process the frame as tagged, so interworking between devices of different manufacturers requires a compatible outer TPID. For this reason, devices must be able to identify, and encapsulate with, the outer TPID in use.

IEEE 802.1ad specifies the Etype value 0x88a8 for the outer TPID.

Figure 5-9 Compatibility of the Etype of QinQ outer TPIDs
(Figure not reproduced. Labels: Switch A, Router A, Router B and Router C around an IP/MPLS core; outer TPID 0x9100 on the Switch A to Router B link and 0x8100 at Router C.)

As shown in Figure 5-9, the receiving interface of Router B must recognize the outer TPID Etype value 0x9100. Different outer TPID Etype values, such as 0x9100 and 0x8100, can be configured on a device to match the manufacturer of its neighbour, so that devices of different manufacturers can communicate with each other.
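The tagging operations described above (interface-based push, selective mapping of a C-VLAN interval to an S-VLAN, termination of both tags, and outer-TPID recognition) are concrete byte manipulations, so here is an added example that builds and parses such frames. It is illustrative code written for this page, not NE40E software, and the MAC addresses, the 20-byte IP payload and the service map are constructed sample data; the map uses the intervals from the text (1000 to 1999 to outer VLAN 100, 2000 to 2999 to 300, 3000 to 3999 to 200).

```python
import struct

TPID_8021Q = 0x8100    # IEEE 802.1Q customer tag (inner)
TPID_8021AD = 0x88A8   # IEEE 802.1ad service tag (outer)
TPID_LEGACY = 0x9100   # pre-standard outer TPID still used by some vendors
MAC_HDR_LEN = 12       # destination MAC + source MAC


def build_frame(dst, src, ethertype, payload, tags=()):
    """Ethernet frame with an outer-to-inner list of (tpid, vid) tags."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    tag_bytes = b"".join(struct.pack("!HH", tpid, vid & 0x0FFF) for tpid, vid in tags)
    return hdr + tag_bytes + struct.pack("!H", ethertype) + payload


def parse_tags(frame, accepted_tpids=(TPID_8021Q, TPID_8021AD)):
    """Return ([(tpid, vid), ...] outer-to-inner, ethertype, payload).

    A TPID that is not in accepted_tpids is not recognised as a tag: the word is
    read as the EtherType instead. That is the interoperability failure the
    configurable outer TPID exists to avoid."""
    tags, off = [], MAC_HDR_LEN
    while True:
        word = struct.unpack_from("!H", frame, off)[0]
        if word not in accepted_tpids:
            return tags, word, frame[off + 2:]
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((word, tci & 0x0FFF))
        off += 4


def push_tag(frame, vid, tpid=TPID_8021AD, pcp=0):
    """Interface-based QinQ: insert an outer tag right after the MAC addresses.
    Whatever the customer sent, tagged or not, is treated as opaque payload."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:MAC_HDR_LEN] + struct.pack("!HH", tpid, tci) + frame[MAC_HDR_LEN:]


def pop_tag(frame, accepted_tpids=(TPID_8021Q, TPID_8021AD, TPID_LEGACY)):
    """Remote end of the ISP tunnel: strip the outermost tag.
    Returns (vid, frame), or (None, frame) if the frame carries no tag."""
    tpid = struct.unpack_from("!H", frame, MAC_HDR_LEN)[0]
    if tpid not in accepted_tpids:
        return None, frame
    vid = struct.unpack_from("!H", frame, MAC_HDR_LEN + 2)[0] & 0x0FFF
    return vid, frame[:MAC_HDR_LEN] + frame[MAC_HDR_LEN + 4:]


def selective_qinq(frame, vid_map, outer_tpid=TPID_8021AD):
    """VLAN-based (selective/flexible) QinQ: pick the outer S-VLAN from the
    customer's C-VLAN interval. vid_map is [(low, high, outer_vid), ...].
    Untagged frames and C-VLANs outside every interval are dropped (None)
    instead of being leaked into some default service VLAN."""
    tags, _, _ = parse_tags(frame, accepted_tpids=(TPID_8021Q,))
    if not tags:
        return None
    c_vid = tags[0][1]
    for low, high, outer in vid_map:
        if low <= c_vid <= high:
            return push_tag(frame, outer, tpid=outer_tpid)
    return None


def terminate_qinq(frame, outer_vid, inner_range,
                   accepted_tpids=(TPID_8021Q, TPID_8021AD, TPID_LEGACY)):
    """QinQ termination sub-interface: accept a frame only if its outer tag equals
    outer_vid and its inner tag lies in inner_range (exact termination when
    low == high, fuzzy termination otherwise). Returns (outer, inner, frame with
    both tags removed), or None."""
    tags, _, _ = parse_tags(frame, accepted_tpids)
    if len(tags) < 2:
        return None
    outer, inner = tags[0][1], tags[1][1]
    low, high = inner_range
    if outer != outer_vid or not (low <= inner <= high):
        return None
    return outer, inner, frame[:MAC_HDR_LEN] + frame[MAC_HDR_LEN + 8:]


# Constructed sample traffic using the service intervals from the text.
SERVICE_MAP = [(1000, 1999, 100), (2000, 2999, 300), (3000, 3999, 200)]
DST, SRC, PAYLOAD = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", b"\x45" + b"\x00" * 19
IPTV_FRAME = build_frame(DST, SRC, 0x0800, PAYLOAD, tags=[(TPID_8021Q, 2001)])
UNTAGGED_FRAME = build_frame(DST, SRC, 0x0800, PAYLOAD)

if __name__ == "__main__":
    stacked = selective_qinq(IPTV_FRAME, SERVICE_MAP)
    print("stacked:", parse_tags(stacked)[0])
    legacy = push_tag(IPTV_FRAME, 300, tpid=TPID_LEGACY)
    print("0x9100 at a router accepting only 0x8100/0x88a8:", parse_tags(legacy)[:2])
    print("terminated:", terminate_qinq(stacked, 300, (2000, 2999))[:2])
```

Two details matter in practice. `selective_qinq` returns `None` for an untagged frame or an unmapped C-VLAN: the safe behaviour is to drop such traffic rather than push it into a catch-all service VLAN where one customer's frames can reach another customer's. And `parse_tags` with the default TPID set shows what a receiver that has not been configured for 0x9100 actually sees: an untagged frame with EtherType 0x9100, which is why the outer TPID must be set to match the peer.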

Application of Multicast QinQ

Figure 5-10 shows typical networking for multicast QinQ. QinQ runs between the multicast router PE1 and the access device PE2; different VLANs attach to the user side of PE2.


Figure 5-10 Typical networking diagram of multicast QinQ application
(Figure not reproduced. Labels: multicast source, Internet/Intranet, PE1, QinQ (VLAN1), PE2, user VLAN2 and VLAN3.)

Multicast data packets and multicast protocol packets alike are not double-tagged: only the outer P-VLAN (provider VLAN) tag is added when they are sent. In IGMP snooping learning, only the mapping from the P-VLAN ID to the user host is maintained. When forwarding, the system looks up the member hosts of the group by the mapped P-VLAN ID and replaces the P-VLAN tag in the packet with the user's C-VLAN tag.

5.1.6 RRPP Link Features

The Rapid Ring Protection Protocol (RRPP) is a link-layer protocol used exclusively on Ethernet rings. While the ring is in the normal state, RRPP prevents the broadcast storm that the physical loop would otherwise cause. When a link on the ring fails, RRPP promptly activates the standby link to restore connectivity.


Figure 5-11 Networking of RRPP tangent ring application to the MAN
(Figure not reproduced. Labels: one RRPP domain containing an RRPP major ring and RRPP sub-ring 1 and sub-ring 2; node roles master node, assistant node, edge node and transit node; devices Router A, Router B, Router C, Switch A and Switch B.)

An RRPP domain is a group of interconnected switches configured with the same domain ID and control VLAN.

An RRPP domain includes the following parts:

- Major ring and sub-rings
- Control VLAN
- Master node and transit nodes
- Common ports and edge ports
- Primary port and secondary port

Polling Mechanism

Polling is the mechanism by which the master node of an RRPP ring detects the state of the ring.

The master node periodically sends Hello packets from its primary port, and the transit nodes on the ring pass them along. If the master node receives its own Hello packets on its secondary port within the specified time, the ring is intact; otherwise, the master node concludes that a link on the ring has failed.

When the master node that is in the Failed state receives the Hello packets from its secondary interface, it changes into the Complete state, blocks its secondary interface, and refreshes the Forwarding Database (FDB).

The master node also sends packets from its primary port instructing all transit nodes to release their temporarily blocked ports and refresh their FDBs.


Link Status Notification Mechanism

When a link on the ring fails, the port directly attached to that link goes Down, and the transit node informs the master node of the fault by sending Link-Down packets.

On receiving the Link-Down packets, the master node treats the ring as faulty, enables its secondary port and at the same time sends packets instructing the other transit nodes to refresh their FDBs. Once the transit nodes have refreshed their FDBs, traffic is switched onto the path through the secondary port.

When the link recovers, the transit node's port comes Up again. The transit node temporarily blocks the recovered port for data traffic, but Hello packets sent by the master node are still allowed through it.

When the master node receives its own Hello packets on its secondary port, it concludes that the ring is intact again. It blocks the secondary port, sends packets instructing the other transit nodes to release their temporarily blocked ports, and refreshes its FDB.
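The polling and link-status notification mechanisms above form a small state machine on the master node, and the point worth seeing in code is the invariant they maintain: whenever every link is up, at least one port on the ring is blocked, so no data loop ever exists. The following simulation is an added example written for this page, not NE40E software. Its timer values, the ring size, and the names used for the two FDB-flush instructions ("Common-Flush-FDB" when the ring fails, "Complete-Flush-FDB" when it is intact again) are this example's assumptions; the text itself names only the Hello and Link-Down packets.

```python
class MasterNode:
    """Master node of one RRPP ring. The primary port sends Hello; the secondary
    port is blocked while the ring is Complete, so the physical loop carries no
    data loop. Timer values are this example's assumptions."""

    def __init__(self, hello_timer=1, fail_timer=3):
        self.hello_timer = hello_timer
        self.fail_timer = fail_timer
        self.state = "Complete"
        self.secondary_blocked = True
        self.last_hello_rx = 0
        self.sent = []                     # (time, packet) sent from the primary port

    def poll(self, now):
        """Polling timer: send Hello; if no Hello has come back on the secondary
        port within fail_timer, treat the ring as broken even without a Link-Down."""
        if now % self.hello_timer == 0:
            self.sent.append((now, "Hello"))
        if self.state == "Complete" and now - self.last_hello_rx > self.fail_timer:
            self._fail(now)

    def hello_received_on_secondary(self, now):
        """Own Hello came round the ring: the ring is intact."""
        self.last_hello_rx = now
        if self.state == "Failed":
            self.state = "Complete"
            self.secondary_blocked = True  # close the loop again before anyone unblocks
            self.sent.append((now, "Complete-Flush-FDB"))   # name assumed, see lead-in

    def link_down_received(self, now):
        """Link-Down from a transit node: open the standby path at once."""
        if self.state == "Complete":
            self._fail(now)

    def _fail(self, now):
        self.state = "Failed"
        self.secondary_blocked = False
        self.sent.append((now, "Common-Flush-FDB"))         # name assumed, see lead-in


class Ring:
    """Hello travels primary -> link 0 -> ... -> link n-1 -> secondary. A transit
    node whose port just came back up blocks it for data until the master says
    the ring is Complete, but still lets Hello through."""

    def __init__(self, n_links, **master_kw):
        self.links_up = [True] * n_links
        self.temp_blocked = set()
        self.master = MasterNode(**master_kw)
        self.log = []                      # (time, master state, data loop present?)

    def data_loop(self):
        return all(self.links_up) and not self.master.secondary_blocked and not self.temp_blocked

    def tick(self, now):
        first_new = len(self.master.sent)
        self.master.poll(now)
        new_packets = [p for _, p in self.master.sent[first_new:]]
        if "Hello" in new_packets and all(self.links_up):
            self.master.hello_received_on_secondary(now)
        if any(p == "Complete-Flush-FDB" for _, p in self.master.sent[first_new:]):
            self.temp_blocked.clear()      # transit nodes release temporarily blocked ports
        self.log.append((now, self.master.state, self.data_loop()))

    def fail_link(self, i, now, notify=True):
        self.links_up[i] = False
        if notify:                         # the adjacent transit node reports the fault
            self.master.link_down_received(now)

    def restore_link(self, i):
        self.links_up[i] = True
        self.temp_blocked.add(i)


def run_scenario():
    """Fault reported by Link-Down, recovery, then a fault whose Link-Down is lost."""
    ring = Ring(n_links=4, hello_timer=1, fail_timer=3)
    for t in range(0, 3):
        ring.tick(t)
    ring.fail_link(2, now=3)
    for t in range(3, 6):
        ring.tick(t)
    ring.restore_link(2)
    for t in range(6, 9):
        ring.tick(t)
    ring.fail_link(1, now=9, notify=False)
    for t in range(9, 15):
        ring.tick(t)
    return ring


if __name__ == "__main__":
    for entry in run_scenario().log:
        print(entry)
```

The second fault in `run_scenario` is the case a practitioner should care about: the Link-Down packet is lost, so the master keeps its secondary port blocked until the polling timer expires, and the ring carries no traffic across the break for those seconds. Polling is the backstop for notification, and the fail timer sets the worst-case outage.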

Channel Status Detection of Sub-Ring Protocol Packets on the Major Ring

Channel status detection of sub-ring protocol packets on the major ring applies to networks in which several sub-rings intersect the major ring. If the major ring fails and the master nodes of all the sub-rings then enable their secondary ports, a broadcast storm results. The channel status detection mechanism for sub-ring protocol packets on the major ring is introduced to avoid this.

The mechanism requires cooperation between edge nodes and assistant edge nodes. Before the sub-ring master nodes enable their secondary ports, a loop between the sub-rings is prevented by blocking ports on the edge nodes. The edge node initiates the mechanism and makes the decision; the assistant edge nodes monitor the channel status and promptly inform the edge nodes of any change.

5.1.7 RSTP/MSTP

The Rapid Spanning Tree Protocol (RSTP) is an enhancement of the Spanning Tree Protocol (STP). RSTP simplifies the state machine, blocks redundant paths according to its algorithm, and reduces a looped network to a loop-free one, so that packets cannot multiply and circulate indefinitely. Compared with STP, RSTP converges much faster after a Layer 2 topology change. In a Layer 2 network, RSTP generates only one spanning tree.

The Multiple Spanning Tree Protocol (MSTP) is multi-instance RSTP. MSTP runs a spanning tree instance for one or more VLANs, so several spanning trees can coexist in one Layer 2 network.

5.1.8 BPDU Tunnel

BPDUs are Layer 2 protocol packets. They can be carried transparently across an ISP network through a Layer 2 protocol tunnel, also called a BPDU tunnel.

To transmit BPDUs transparently across an ISP network, ensure that the following requirements are met:

- All branches of the same user network are able to receive their own BPDUs.
- BPDUs of a user network are not processed by the CPUs of the ISP network.
- BPDUs of different customers are segregated from one another so that they cannot reach each other.

The NE40E supports the following types of transparent BPDU transmission:

- Interface-based transparent transmission of BPDUs of the same user network
- Interface-based transparent transmission of BPDUs of different user networks
- VLAN-based transparent transmission of BPDUs
- QinQ-based transparent transmission of BPDUs

5.2 IP Features

5.2.1 IPv4/IPv6 Dual-Protocol Stacks

IPv4/IPv6 dual-protocol stacks interoperate well and are easy to implement. Figure 5-12 shows the structure of the IPv4/IPv6 dual-protocol stacks.

Figure 5-12 Dual-protocol stacks structure
(Figure not reproduced. Layers from top to bottom: IPv4/IPv6 application; TCP and UDP; IPv4 and IPv6 side by side; link layer.)

5.2.2 IPv4 Features

The NE40E supports the following IPv4 features:

- TCP/IP protocol suite: ICMP, IP, TCP, UDP, Socket (TCP/UDP/Raw IP) and ARP
- Static DNS and DNS server
- FTP server/client and TFTP client
- DHCP relay agent and DHCP server
- Ping, tracert and NQA. NQA can detect the status of ICMP, TCP, UDP, DHCP, FTP, HTTP and SNMP services and measure their response time.
- IP policy-based routing. The system can choose the next hop according to packet attributes without looking up the routing table.

5.2.3 IPv6 Features

The IPv6 features include:

- IPv6 neighbor discovery (ND)
- Path MTU (PMTU) discovery
- TCP6, ping IPv6, tracert IPv6 and socket IPv6
- Static IPv6 DNS and specified IPv6 DNS servers
- TFTP IPv6 client
- IPv6 policy-based routing

5.2.4 GRE

The Generic Routing Encapsulation (GRE) protocol encapsulates packets of one network layer protocol, such as IP or IPX, so that they can be carried across a network running another network layer protocol, such as IP.

GRE is a Layer 3 tunneling protocol for VPNs that tunnels between protocol layers. A tunnel can be regarded as a virtual interface that supports only point-to-point connections. The tunnel interface carries forwarded data; packets are encapsulated at one end of the tunnel and decapsulated at the other.

Multi-Protocol Local Network Transmission Through Single-Protocol Backbone Network

Figure 5-13 Multi-protocol local network transmission through the single-protocol backbone network
(Figure not reproduced. Labels: Router A and Router B joined by a GRE tunnel across the Internet; Novell IPX Group 1 and IP Team 1 behind Router A, Novell IPX Group 2 and IP Team 2 behind Router B.)

In Figure 5-13, Group 1 and Group 2 are the local networks running Novell IPX. Team 1 and Team 2 are the local networks running the IP protocol.

The tunnel between Router A and Router B adopts the GRE protocol; therefore, Group 1 communicates with Group 2 without affecting the communication between Team 1 and Team 2.


Enlarging Operation Scope of the Network with Limited Hops

Figure 5-14 Enlarging the network operation scope
(Figure not reproduced. Labels: two PCs on IP networks at either end, an IP network in between, and a tunnel spanning it.)

In Figure 5-14, the network runs IP. Assume that IP limits the hop count (TTL) to 255. If two PCs are more than 255 hops apart, they cannot communicate. With a tunnel in the network, the hops inside the tunnel are hidden, because the encapsulated packet's own TTL is not decremented by the transit routers between the tunnel endpoints. This enlarges the scope over which the network can operate.

Connecting Some Discontinuous Sub-Networks to Establish a VPN

GRE tunnels can connect discontinuous sub-networks into a VPN across the WAN.

For example, two VPN sub-networks, Site 1 and Site 2 are in two cities. By setting up a GRE tunnel between the devices at the network edge, you can connect the two sub-networks to a continuous VPN network.

GRE can be applied in both L2VPN and L3VPN in the following two modes:

- As shown in Figure 5-15, the two ends of the GRE tunnel reside on the CE routers in a CPE-based VPN.

Figure 5-15 GRE in the CPE-based VPN
(Figure not reproduced. Labels: VPN site 1 and VPN site 2, each behind a CE; the CEs attach to PEs of the VPN backbone; the GRE tunnel runs from CE to CE.)

- As shown in Figure 5-16, the two ends of the GRE tunnel reside on the PE routers in a network-based VPN.


Figure 5-16 GRE in the network-based VPN
(Figure not reproduced. Labels: VPN site 1 and VPN site 2, each behind a CE; the GRE tunnel runs from PE to PE across the VPN backbone.)

Usually, an MPLS VPN backbone uses label switched paths (LSPs) as the public network tunnel. If, however, the core (P) routers of the backbone provide only IP forwarding without MPLS while the PE routers at the edge do support MPLS, no LSP can be used as the public network tunnel. In that case a GRE tunnel can take the place of the LSP to provide Layer 3 or Layer 2 VPN services across the core.

CE Access to MPLS VPN Through GRE Tunnels

VPN service over an MPLS backbone serves customers better than traditional IP VPN service, so operators tend to choose MPLS VPN technology. The Internet, however, is based on IP, and a great many IP-based backbone networks still exist.

In an MPLS VPN, connecting a Customer Edge (CE) router to the VPN requires a physical link directly between the CE router and a PE router of the MPLS backbone; that is, the CE and PE must be in the same network. In this networking, the VPN is bound to the PE physical interface that connects to the CE router.

In practice, not every CE router can be directly linked to a PE router. For example, organizations that are connected to the Internet or to an IP-based backbone may have CE routers that are geographically dispersed and cannot reach a PE router of the MPLS backbone directly. These organizations cannot reach the sites inside the MPLS VPN directly through the Internet or the IP backbone.

Figure 5-17 CEs accessing the MPLS VPN backbone network through the backbone network based on the IP technology
(Figure not reproduced. Labels: VPN site, CE, IP network, PE, MPLS network, PE, CE, VPN site.)

To connect such a CE router to the MPLS VPN, you can create a direct logical connection between the CE router and the PE router: connect the two over the public or private IP network and build a GRE tunnel between them, after which the CE and PE can be regarded as directly connected. When binding the VPN to the PE interface that connects to the CE router, you treat the GRE tunnel as that physical interface.

5.2.5 IPv4-IPv6 Transition Technologies

IPv6 over IPv4 Tunnel

As shown in Figure 5-18, the IPv6 over IPv4 tunnel is a technology used in the transition from IPv4 networks to IPv6 networks.

Figure 5-18 IPv6 over IPv4 tunnel
(Figure not reproduced. Labels: IPv6 host, dual-stack router, tunnel across the IPv4 network, dual-stack router, IPv6 host; the packet is shown as IPv6 header + IPv6 data at the hosts and as IPv4 header + IPv6 header + IPv6 data inside the tunnel.)

The NE40E supports the following IPv6 over IPv4 tunnels:

- Manually configured IPv6 tunnel: the tunnel is configured by hand on the two edge routers at its ends, with the source and destination IPv4 addresses set manually. The tunnel is equivalent to a permanent link between two IPv6 domains over an IPv4 backbone and is used for regular communication between two edge routers on IPv6 islands. Note that the tunnel itself provides no authentication or encryption; it is a fixed link, not a protected one.

- IPv6 over IPv4 GRE tunnel: IPv6 traffic can be carried over IPv4 GRE tunnels, which are then called IPv6 over IPv4 GRE tunnels (GRE tunnels for short). Like a manually configured IPv6 over IPv4 tunnel, a GRE tunnel is a link between two nodes, with a separate tunnel for each link. GRE tunnels as such are not tied to a particular passenger or transport protocol; in this application the passenger protocol is IPv6, the carrier protocol is GRE and the transport protocol is IPv4.

- Automatically configured IPv4-compatible IPv6 tunnel (automatic tunnel for short): an IPv4-compatible IPv6 address is required to create an IPv6 over IPv4 automatic tunnel. The low-order 32 bits of an IPv4-compatible IPv6 address are an IPv4 address, and that address identifies the destination of the automatic tunnel. To configure an automatic tunnel you specify only the tunnel source address on the edge router or host; the tunnel destination is derived automatically from the next-hop address (an IPv4-compatible IPv6 address) of the IPv6 packets.

- 6to4 tunnel: a 6to4 tunnel connects isolated IPv6 islands to the IPv6 Internet over an IPv4 network. Unlike a manually configured tunnel, which is point-to-point, a 6to4 tunnel can be point-to-multipoint, so 6to4 routers are not configured in pairs. Like the automatic tunnel, the 6to4 tunnel finds the far end of the tunnel by itself, but it does not need an IPv4-compatible IPv6 address: it uses a special kind of IPv6 address, the 6to4 address (prefix 2002::/16, with the site's IPv4 address embedded in the next 32 bits).
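The GRE encapsulation in 5.2.4 and the IPv6 over IPv4 tunnel types above are short header manipulations, and the two automatic forms differ only in where the IPv4 endpoint is read from the IPv6 address. The following is an added example written for this page, not NE40E software, showing the encapsulation with IPv4 protocol 41 and with GRE (protocol 47, protocol type 0x86DD), the endpoint derivation for IPv4-compatible and 6to4 addresses, and a decapsulation that rejects packets from anyone other than the configured peer. All addresses and payloads are constructed sample data.

```python
import ipaddress
import struct

PROTO_IPV6 = 41          # IPv4 protocol number for IPv6-in-IPv4 (manual, automatic and 6to4 tunnels)
PROTO_GRE = 47           # IPv4 protocol number for GRE
ETHERTYPE_IPV6 = 0x86DD  # GRE protocol-type field announcing an IPv6 passenger


def ipv4_checksum(hdr):
    """One's-complement checksum of an IPv4 header; 0 when the header verifies."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src, dst, payload, next_header=59, hop_limit=64):
    """Minimal IPv6 packet (next header 59 = no next header)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_ipv4(src, dst, proto, payload, ttl=64):
    """IPv4 header (no options) with a correct checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def automatic_tunnel_dest(next_hop):
    """Automatic tunnel: the IPv4 endpoint is the low 32 bits of an
    IPv4-compatible IPv6 next hop (::a.b.c.d). None for any other address."""
    a = ipaddress.IPv6Address(next_hop)
    if a in ipaddress.IPv6Network("::/96") and int(a) > 1:   # exclude :: and ::1
        return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)
    return None


def sixtofour_dest(dst):
    """6to4 tunnel: 2002:WWXX:YYZZ::/48 embeds the far site's IPv4 address WW.XX.YY.ZZ."""
    return ipaddress.IPv6Address(dst).sixtofour


def encapsulate(ipv6_packet, tunnel_src, tunnel_dst, gre=False):
    """Wrap an IPv6 packet in IPv4 (protocol 41) or in IPv4 + GRE (protocol 47)."""
    if gre:
        return build_ipv4(tunnel_src, tunnel_dst, PROTO_GRE,
                          struct.pack("!HH", 0, ETHERTYPE_IPV6) + ipv6_packet)
    return build_ipv4(tunnel_src, tunnel_dst, PROTO_IPV6, ipv6_packet)


def decapsulate(ipv4_packet, expected_peer=None):
    """Reverse of encapsulate; returns the IPv6 packet or None.

    Verifies the header checksum and, when expected_peer is given, that the outer
    source is the configured tunnel peer. A protocol-41 or GRE packet from any
    other host is an injection attempt into the IPv6 domain, not tunnel traffic:
    the tunnel itself carries no authentication."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    hdr = ipv4_packet[:ihl]
    if ipv4_checksum(hdr) != 0:
        return None
    if expected_peer is not None and ipaddress.IPv4Address(hdr[12:16]) != ipaddress.IPv4Address(expected_peer):
        return None
    body = ipv4_packet[ihl:]
    if hdr[9] == PROTO_GRE:
        flags, ptype = struct.unpack_from("!HH", body)
        if flags != 0 or ptype != ETHERTYPE_IPV6:
            return None
        body = body[4:]
    elif hdr[9] != PROTO_IPV6:
        return None
    return body if body and body[0] >> 4 == 6 else None


if __name__ == "__main__":
    inner = build_ipv6("2001:db8:1::1", "2001:db8:2::1", b"constructed payload")
    print("automatic tunnel endpoint for ::192.0.2.1 ->", automatic_tunnel_dest("::192.0.2.1"))
    print("6to4 endpoint for 2002:c000:201::1 ->", sixtofour_dest("2002:c000:201::1"))
    print("protocol-41 packet:", encapsulate(inner, "192.0.2.1", "198.51.100.1").hex())
    print("GRE packet:", encapsulate(inner, "192.0.2.1", "198.51.100.1", gre=True).hex())
```

The `expected_peer` check in `decapsulate` is the one practitioners most often omit. A manually configured tunnel has exactly one legitimate IPv4 peer, and filtering on it at the tunnel endpoint (or in an ACL that admits protocol 41 and GRE only from that peer) is the minimum needed to keep an outsider from sourcing arbitrary IPv6 packets into the island; a 6to4 or automatic tunnel, which accepts any IPv4 source by design, cannot apply that check and should be treated as an untrusted ingress.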

IPv4 over IPv6 Tunnel

In the late phase of the transition from IPv4 to IPv6, many IPv6 networks have been built and isolated IPv4 sites may remain. Connecting these isolated sites with dedicated lines is uneconomical. With tunneling, tunnels can be created across the IPv6 network so that the isolated IPv4 sites are interconnected, much like a VPN deployed with tunnels over an IP network. Tunnels that connect isolated IPv4 sites across an IPv6 network are called IPv4 over IPv6 tunnels.

To set up IPv4 over IPv6 tunnels, IPv4/IPv6 dual stack needs to be enabled on the router at the edge of the IPv6 network and the IPv4 network.

Figure 5-19 Networking diagram of the IPv4 over IPv6 tunnel
(Figure not reproduced. Labels: IPv4 host, IPv4 network, dual-stack router, IPv4 over IPv6 tunnel across the IPv6 network, dual-stack router, IPv4 network, IPv4 host; the packet is shown as IPv4 header + IPv4 payload at the hosts and as IPv6 header + IPv4 header + IPv4 payload inside the tunnel.)

6PE

The IPv6 Provider Edge (6PE) router allows isolated IPv6 CE routers to communicate over an IPv4 network (see Figure 5-20). With 6PE routers, an ISP can provide access to the IPv6 networks of isolated customers over its existing IPv4 backbone.


Figure 5-20 6PE topology
(Figure not reproduced. Labels: two IPv6 cloud customer sites, each with a CE, attached to 6PE routers at the edge of an IPv4/MPLS cloud containing a P router; an IBGP session runs between the 6PE routers.)

The 6PE router attaches labels to IPv6 routing information and advertises it across the ISP's IPv4 backbone over Internal Border Gateway Protocol (IBGP) sessions. IPv6 packets are labeled before they enter a backbone tunnel such as a GRE tunnel or an MPLS LSP.

The IGP on the ISP network can be OSPF or IS-IS, and routing between CE routers and 6PE routers can use static routes, an IGP or EBGP.

When an ISP wants to add IPv6 traffic exchange to its IPv4/MPLS network, it only needs to upgrade the PE routers. Using 6PE as an IPv6 transition mechanism is therefore a cost-effective solution for ISPs.

5.3 Routing Protocols

The NE40E supports various unicast and multicast routing protocols to satisfy different networking requirements.

5.3.1 Unicast Routing

The NE40E supports the following unicast routing features:

- IPv4 routing protocols: RIP, OSPF, IS-IS and BGP-4
- IPv6 routing protocols: RIPng, OSPFv3, IS-IS for IPv6 and BGP4+
- Static routes, which simplify network configuration and improve network performance
- A large-capacity routing table, supporting MAN operation effectively
- Selection of the optimal route through routing policies

5.3.2 Multicast Routing

To save network bandwidth and reduce network load, the NE40E supports multicast.

Basic Multicast Functions

The NE40E provides the following multicast functions:


- Multicast protocols: Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Dense Mode (PIM-DM) and Protocol Independent Multicast-Sparse Mode (PIM-SM), Multicast Source Discovery Protocol (MSDP), and Multiprotocol Border Gateway Protocol (MBGP).

- RPF check: when a router creates and maintains its multicast routing table, it performs the Reverse Path Forwarding (RPF) check, accepting multicast data only on the interface that leads back to the source, so that the data travels along the correct path.

- PIM-SSM: when the multicast source is specified, a receiver joins the source-specific tree directly, without registering with a Rendezvous Point (RP).

- Anycast RP: multiple RPs can exist in a domain, configured as MSDP peers. A multicast source registers with the nearest RP and a receiver joins the shared tree at the nearest RP. When an RP fails, the sources and receivers that used it switch to another RP. In this way, load is balanced among the RPs.

- IPv6 multicast routing protocols: PIM-IPv6-DM, PIM-IPv6-SM and PIM-IPv6-SSM.

- MLD: MLD sets up and maintains group membership between hosts and their directly connected multicast routers. Its functions and principles are the same as those of IGMP. MLD has the following versions:
  - MLDv1, defined in RFC 2710 and derived from IGMPv2, supports the Any-Source Multicast (ASM) model. With SSM mapping, MLDv1 can also support the Source-Specific Multicast (SSM) model.
  - MLDv2, defined in RFC 3810 and derived from IGMPv3, supports both the ASM and SSM models.

- Multicast static routes.

- Filtering by routing policy: when receiving, importing or advertising multicast routes, or forwarding IP packets, the multicast routing module can filter the routes or packets according to routing policies.

- Multicast VPN: the NE40E adopts the Multicast Domain (MD) scheme to implement centralized processing.

- Addition and deletion of dummy entries.
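The RPF check listed above is the control that keeps a multicast stream from being accepted on the wrong interface, whether because of a loop or because someone is injecting traffic with a spoofed source. The following added example, written for this page and not NE40E software, runs the check against a small unicast routing table and shows how a multicast static route overrides it; the routing table, interface names and (S, G) outgoing interface list are constructed sample data.

```python
import ipaddress

# Constructed unicast routing table: (prefix, outgoing interface, next hop).
UNICAST_ROUTES = [
    ("0.0.0.0/0", "GE1/0/0", "203.0.113.1"),
    ("10.1.0.0/16", "GE2/0/0", "10.1.0.1"),
    ("10.1.2.0/24", "GE3/0/0", "10.1.2.1"),
]

# Constructed (S, G) outgoing interface lists, as PIM joins would build them.
OUTGOING_INTERFACES = {
    ("10.1.2.5", "239.1.1.1"): ["GE1/0/0", "GE2/0/0"],
}


def longest_match(table, address):
    """Longest-prefix match; returns (network, iface, next_hop) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best


def rpf_check(source, in_iface, unicast=UNICAST_ROUTES, static_mroutes=()):
    """Return (passed, rpf_interface).

    The packet is accepted only if it arrived on the interface this router would
    itself use to reach the source. A static multicast route, when one matches,
    overrides the unicast table so multicast can follow a different path."""
    route = longest_match(static_mroutes, source) or longest_match(unicast, source)
    if route is None:
        return False, None
    return route[1] == in_iface, route[1]


def forward(source, group, in_iface, oil=OUTGOING_INTERFACES, **rpf_kw):
    """Outgoing interfaces for one multicast packet; empty if the RPF check fails.
    Dropping RPF failures is what stops a spoofed or looped copy of the stream
    from being replicated out every member interface."""
    passed, _ = rpf_check(source, in_iface, **rpf_kw)
    if not passed:
        return []
    return [iface for iface in oil.get((source, group), []) if iface != in_iface]


if __name__ == "__main__":
    print(rpf_check("10.1.2.5", "GE3/0/0"))   # (True, 'GE3/0/0')
    print(rpf_check("10.1.2.5", "GE2/0/0"))   # (False, 'GE3/0/0'): wrong interface, dropped
    print(forward("10.1.2.5", "239.1.1.1", "GE3/0/0"))   # ['GE1/0/0', 'GE2/0/0']
```

Note that with a default route in the table every source has an RPF interface, so a spoofed source that happens to be reachable via the arrival interface passes the check; RPF bounds where a stream may enter, it does not authenticate the sender.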

IGMP Snooping

On the NE40E, IGMP snooping is supported on Layer 2, Layer 3 and QinQ interfaces and works together with STP, RRPP and VPLS PWs.

IGMP snooping listens to the IGMP messages exchanged between routers and hosts and builds a Layer 2 forwarding table for multicast data packets. With this table it controls and manages the forwarding of multicast data, implementing Layer 2 multicast.

IGMP snooping aims to limit the flooding of multicast flows, forward packets only where they are needed, and save network resources. An interface that has not sent an IGMP Report for a group does not receive that group's flow.


Multicast Flow Control

Unknown multicast packets are packets for which no entry exists in the multicast forwarding table. The NE40E can handle unknown multicast packets in either of the following ways:

- Discard the packets on receipt
- Broadcast the packets within the VLAN to which the receiving interface belongs

To control multicast traffic, the NE40E also supports the limit to the maximum percentage of multicast traffic on the Ethernet interface.

Multicast VLAN

A multicast VLAN is a VLAN in which multicast flows are aggregated. When users need a multicast flow, they request it from the multicast VLAN, and the multicast VLAN copies the multicast packets into the different user VLANs. This implements multicast across VLANs.

The NE40E forwards multicast packets through the multicast VLAN, and copies the packets based on the multicast routing entries. Then, the NE40E sends these packets to the VLANs of different users. Using the multicast VLAN, the NE40E can converge the multicast flows of different user VLANs to one or several specified VLANs.

Multicast across VLANs lets the NE40E deliver multicast packets to different VLANs from a single copy of the flow, rather than carrying one copy per user VLAN. This makes the multicast flows easier to manage and control, saves bandwidth, and keeps the user VLANs isolated from one another, since each user VLAN receives only the copied multicast packets and not the other VLANs' traffic.

1+1 Protection of Multicast Flows

1+1 protection of multicast flows is implemented by means of multicast across VLANs.

The Internet Content Provider (ICP) copies the multicast packets into two multicast VLANs. The multicast packets, together with the Continuity Check Messages (CCMs) that monitor link status, are forwarded in both multicast VLANs to the NE40E on the user side. The user-side NE40E judges the state of each link from the CCMs it receives and selects the multicast VLAN whose link is in good state as the one from which to receive the multicast packets.

At present, the NE40E supports only VLAN-based 1+1 protection.

Multicast VPN

As VPNs spread, demand for running multicast services over VPNs is growing. The VRP adopts the multicast domain (MD) solution to carry multicast over a VPN.

MPLS/BGP VPN is a type of VPN implemented with BGP and MPLS extensions. An MPLS/BGP VPN consists of the carrier's backbone network and the user sites.

The VPN user sites are isolated from each other and can interconnect only across the backbone network. A VPN can be regarded as a grouping of sites according to policy, where the policies control which sites may connect to one another. As shown in Figure 5-21, Site 1, Site 2 and Site 3 form VPN A, and Site 4, Site 5 and Site 6 form VPN B.


Figure 5-21 Application of MPLS/BGP VPN
(Figure not reproduced. Labels: core layer with P1, P2 and P3; edge layer with PE1, PE2 and PE3; CPE layer with CE1 to CE6; VPN A site 1, site 2 and site 3 behind CE1, CE2 and CE3; VPN B site 4, site 5 and site 6 behind CE4, CE5 and CE6.)

Table 5-1 Functions of various devices in MPLS/BGP VPNs

Device | Full name | Description
P | Provider router | Core router of the backbone network; responsible for MPLS forwarding.
PE | Provider Edge router | Edge router of the backbone network; processes VPN routes and implements MPLS Layer 3 VPN.
CE | Customer Edge router | Edge router of the user network; advertises the user network's routes.

The network shown in Figure 5-21 runs multicast. VPN users at each site receive the multicast data of their own VPN. The PE routers at the edge of the public network support multiple instances.

As shown in Figure 5-22, the public network instances on each PE router and the P routers implement public network multicast. VPN multicast data is carried across the public network by public network multicast.


Figure 5-22 Public network multicast (figure: the public instances of PE1, PE2, and PE3 interconnected through P1, P2, and P3)

As shown in Figure 5-23, the VPN A instances on each PE router and the sites belonging to VPN A implement VPN A multicast.

Figure 5-23 VPN A multicast (figure: CE1, CE2, and CE3 at VPN A sites 1, 2, and 3 attach to the vpnA instances on PE1, PE2, and PE3, which together form multicast domain MD A)

As shown in Figure 5-24, the VPN B instances on each PE router and the sites belonging to VPN B implement VPN B multicast.


Figure 5-24 VPN B multicast (figure: CE4, CE5, and CE6 at VPN B sites 4, 5, and 6 attach to the vpnB instances on PE1 and PE2, which together form multicast domain MD B)

Take the VPN A instance as an example. Multicast VPN means the following:

- The multicast source S1 belongs to VPN A. S1 sends multicast data to multicast group G.

- Of all possible receivers, only members of VPN A can receive the multicast data from S1.

- The data is multicast both within each site and across the public network.

To implement multicast VPN, the network must meet the following conditions:

- Each site supports multicast based on the VPN instance.

- The public network supports multicast based on the public network instance.

- The PE routers support multi-instance multicast, that is:

  - Connecting the sites through VPN instances and supporting multicast based on the VPN instances

  - Connecting the public network through the public network instance and supporting multicast based on the public network instance

  - Exchanging information and switching data between the public network instance and the VPN instances

5.4 MPLS Features

5.4.1 Basic Functions

The NE40E supports MPLS with both static and dynamic LSPs. A static LSP requires the administrator to configure every Label Switching Router (LSR) along the path and set up the LSP manually. A dynamic LSP is set up by the Label Distribution Protocol (LDP) or by RSVP-TE according to the routing information.


The NE40E supports the following MPLS functions:

- Basic MPLS functions and service forwarding. LDP distributes labels, sets up LSPs, and transfers the parameters used for setting up LSPs.

- LDP with the Downstream Unsolicited (DU) label distribution mode, the ordered label control mode, and the liberal label retention mode.

- MPLS ping and tracert. MPLS echo requests and MPLS echo replies are used to test the availability of an LSP.

- LSP-based traffic statistics.

- LSP loop detection.

- MPLS QoS: mapping of the ToS field of IP packets to the MPLS EXP field, and the uniform, pipe, and short pipe modes.

- Static configuration of LSPs and label forwarding based on traffic classification.

- MPLS trap function.

The NE40E can work as a Label Edge Router (LER) or as an LSR.

- The LER sits at the edge of the MPLS network, connects to other networks, classifies services, distributes labels, and pushes or pops one or more layers of labels.

- The LSR is a core router of the MPLS network; it switches and distributes labels.

5.4.2 MPLS TE

Insufficient network resources and unbalanced load cause congestion, which degrades the performance of the backbone network. Traffic engineering (TE) addresses this problem.

MPLS TE combines TE with MPLS. With MPLS TE, you can create an LSP tunnel along a specified path and reserve resources along it, so that traffic is steered away from congested nodes, the load is balanced, and paths can be re-optimized.

When resources are scarce, MPLS TE can preempt the bandwidth of lower-priority LSP tunnels to satisfy LSPs that need large bandwidth or carry important services. MPLS TE also protects against link and node failures through path backup and Fast Reroute (FRR).

MPLS TE provides the following functions:

- Processing of static LSPs. MPLS TE creates and deletes static LSPs, which require bandwidth but are configured manually.

- Processing of Constraint-based Routed Label Switched Paths (CR-LSPs). MPLS TE processes the various types of CR-LSPs.


Static LSPs are simpler to process. CR-LSPs are classified into the types described in the following sections.

DS-TE

DiffServ is a QoS solution. It classifies traffic by Class of Service (CoS) and provides differentiated QoS per CoS.

MPLS TE, as a traffic engineering solution, optimizes the use of network resources.

DiffServ-Aware TE (DS-TE) combines the advantages of the two: it optimizes resource usage per CoS by restricting the bandwidth available to traffic of each CoS.

To summarize, DS-TE maps traffic of each CoS to LSPs and makes the LSP that the traffic traverses comply with the relevant TE constraints.

DS-TE involves the following concepts:

- Class type (CT): the set of traffic trunks crossing a link that is governed by one set of bandwidth constraints. The CT is used to allocate link bandwidth, perform constraint-based routing, and perform admission control. A traffic trunk belongs to the same CT on every link it traverses.

- Bandwidth constraints (BC): a bandwidth constraint model defines how the link bandwidth is divided among the CTs. A model is determined by two parts: the maximum number of BCs (MaxBC) and the relationship between the BCs and the CTs.

The NE40E implements DS-TE with two CTs, CT0 and CT1, which correspond to Assured Forwarding (AF) and Expedited Forwarding (EF) as defined in QoS. Their bandwidth constraints are BC0 and BC1 respectively, and each CT supports eight priorities (0 to 7), giving 16 TE classes in total. BC0 is the global bandwidth pool and BC1 is the sub-pool nested within it: CT0 and CT1 together are limited by BC0, and CT1 alone is limited by BC1.

Ordinary TE tunnels that are not DiffServ-Aware are treated as CT0 and mapped to AF.
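To make the BC0/BC1 nesting and the priority semantics concrete, the following is an added example, written for this page and not NE40E code, of DS-TE admission control on one link under the Russian Dolls Model that the global-pool/sub-pool description corresponds to: CT1 is limited by BC1, CT0 and CT1 together by BC0, and an LSP at setup priority p may preempt LSPs whose holding priority is numerically greater. The link sizes, LSP names and bandwidths are constructed, and the preemption order (lowest priority first, sub-pool victims first for a CT1 request) is this example's choice.

```python
"""DS-TE admission control on one link under the Russian Dolls Model (RDM).

Example code written for this page, not NE40E software. Two class types as
in the text: CT1 (EF) is bounded by the sub-pool BC1, CT0+CT1 (AF+EF) by the
global pool BC0. Priorities run 0..7 with 0 highest. Bandwidth available to a
request at setup priority p counts only LSPs whose holding priority is
numerically <= p; LSPs with a numerically larger holding priority can be
preempted. Link sizes, LSP names and bandwidths are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Lsp:
    name: str
    ct: int          # 0 = CT0 (AF), 1 = CT1 (EF)
    bandwidth: int   # same unit as BC0/BC1, e.g. Mbit/s
    setup_prio: int  # 0..7, 0 highest
    hold_prio: int   # 0..7, must be numerically <= setup_prio


class RdmLink:
    def __init__(self, bc0: int, bc1: int) -> None:
        if not 0 <= bc1 <= bc0:
            raise ValueError("RDM requires 0 <= BC1 <= BC0 (sub-pool inside global pool)")
        self.bc0, self.bc1 = bc0, bc1
        self.lsps: List[Lsp] = []

    def _reserved(self, cts: Tuple[int, ...], prio: int) -> int:
        """Bandwidth held by LSPs of the given CTs at holding priority <= prio."""
        return sum(l.bandwidth for l in self.lsps if l.ct in cts and l.hold_prio <= prio)

    def unreserved(self, ct: int, prio: int) -> int:
        """Bandwidth a new LSP of class ct could obtain at setup priority prio,
        assuming every lower-priority LSP may be preempted."""
        avail = self.bc0 - self._reserved((0, 1), prio)               # global pool BC0
        if ct == 1:
            avail = min(avail, self.bc1 - self._reserved((1,), prio))  # sub-pool BC1
        return avail

    def admit(self, lsp: Lsp) -> Tuple[bool, List[str]]:
        """Admit lsp, preempting lower-priority LSPs only as far as needed.
        Returns (admitted, names of preempted LSPs)."""
        if not 0 <= lsp.hold_prio <= lsp.setup_prio <= 7:
            raise ValueError("priorities must satisfy 0 <= hold <= setup <= 7")
        if lsp.ct not in (0, 1):
            raise ValueError("only CT0 and CT1 are supported")
        if lsp.bandwidth > self.unreserved(lsp.ct, lsp.setup_prio):
            return False, []   # would not fit even after preempting every lower-priority LSP
        preempted: List[str] = []
        victims = sorted((l for l in self.lsps if l.hold_prio > lsp.setup_prio),
                         key=lambda l: -l.hold_prio)       # lowest priority first
        if lsp.ct == 1:
            # Only CT1 LSPs occupy the sub-pool, so relieve BC1 with CT1 victims first.
            for victim in [v for v in victims if v.ct == 1]:
                if lsp.bandwidth <= self.bc1 - self._reserved((1,), 7):
                    break
                self._preempt(victim, preempted)
        for victim in victims:
            if victim.name in preempted:
                continue
            if lsp.bandwidth <= self.bc0 - self._reserved((0, 1), 7):
                break
            self._preempt(victim, preempted)
        self.lsps.append(lsp)
        return True, preempted

    def _preempt(self, victim: Lsp, preempted: List[str]) -> None:
        self.lsps.remove(victim)
        preempted.append(victim.name)


def scenario() -> List[Tuple[str, bool, List[str]]]:
    """Constructed link: BC0 = 100, BC1 = 40. Returns (name, admitted, preempted) per request."""
    link = RdmLink(bc0=100, bc1=40)
    requests = [
        Lsp("A", ct=1, bandwidth=30, setup_prio=7, hold_prio=7),  # fits in the sub-pool
        Lsp("B", ct=1, bandwidth=20, setup_prio=7, hold_prio=7),  # sub-pool has only 10 left
        Lsp("C", ct=1, bandwidth=30, setup_prio=0, hold_prio=0),  # high priority: preempts A
        Lsp("D", ct=0, bandwidth=80, setup_prio=7, hold_prio=7),  # global pool has 70 left
        Lsp("E", ct=0, bandwidth=70, setup_prio=7, hold_prio=7),  # exactly fills BC0
        Lsp("F", ct=1, bandwidth=10, setup_prio=7, hold_prio=7),  # BC1 has room, BC0 does not
        Lsp("G", ct=1, bandwidth=10, setup_prio=3, hold_prio=3),  # preempts E to get into BC0
    ]
    results = []
    for req in requests:
        admitted, preempted = link.admit(req)
        results.append((req.name, admitted, preempted))
    return results


if __name__ == "__main__":
    for name, admitted, preempted in scenario():
        print(f"{name}: {'admitted' if admitted else 'rejected'} preempted={preempted}")
```

Two results in the scenario are the ones worth checking in a real deployment: request F is rejected although the EF sub-pool still has room, because under RDM the sub-pool lives inside the global pool and CT0 traffic has consumed the rest of BC0; and request G, a 10-unit EF tunnel, preempts the 70-unit AF tunnel E because E has the lower holding priority. Operators who do not want best-effort tunnels evicted by small EF requests must give those tunnels a holding priority at least as high (numerically as low) as the EF setup priority.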

RSVP-TE

The Resource Reservation Protocol (RSVP) was designed for the Integrated Services (IntServ) model; it runs on every node along a path to reserve resources.

RSVP has the following characteristics:

- It is unidirectional.

- It is receiver-oriented: the receiver initiates the request for resource reservation and maintains the reservation state.

- It uses a soft-state mechanism to maintain the reservation state, so reservations must be refreshed periodically or they time out.

RSVP has been extended to support MPLS label distribution: the messages that carry label mappings also carry the resource reservation information. The extended protocol, RSVP-TE, is the signaling protocol that establishes LSP tunnels in MPLS TE.


Auto Route

Auto Route treats an LSP as a logical link in the IGP route calculation, with the tunnel interface as the outbound interface; the LSP is thus handled as a point-to-point link. Auto Route works in either of the following ways:

- IGP shortcut: the LSP is not advertised to neighbor routers, so only the ingress router can use it.

- Forwarding adjacency: the LSP is advertised to neighbor routers as a link, so other routers can also route traffic through it.

Fast Reroute

FRR is a local protection technique in MPLS TE. FRR switchover can complete within 50 milliseconds, which minimizes data loss when the network fails.

FRR provides only temporary protection. After the protected link or node is restored or a new LSP is established, traffic is switched back to the original LSP or onto the newly established LSP.

After FRR is configured for an LSP, traffic is switched to the bypass link when a link or node on the LSP fails. Meanwhile, the ingress of the LSP attempts to establish a new LSP.

Auto FRR

With FRR, a bypass tunnel must be configured and bound to the protected tunnel when the protected tunnel is configured. When the protected link or node goes Down, traffic is switched automatically to the bypass tunnel.

Because the bypass tunnel must be configured manually, a tunnel without a configured bypass is unprotected. Auto FRR solves this problem.

Auto FRR is an extension of MPLS TE FRR. After you configure the attributes of the bypass LSPs, the global Auto FRR attributes, and the Auto FRR attributes of the interfaces on the primary LSP, bypass LSPs are set up automatically along the primary LSP. When the primary LSP changes, the original bypass LSPs are deleted automatically and new bypass LSPs that meet the requirements are set up.

CR-LSP Backup

CR-LSP backup establishes a backup CR-LSP for a primary CR-LSP. When the primary CR-LSP fails, the ingress immediately switches traffic to the backup CR-LSP, and switches back once the primary CR-LSP recovers.

The two backup methods are as follows:

- Hot-standby backup: the backup CR-LSP is established immediately after the primary CR-LSP is established, so MPLS TE can switch to it as soon as the primary CR-LSP fails.

- Ordinary backup: the backup CR-LSP is established only after the primary CR-LSP fails.


LDP over TE

In current networks, not all devices support MPLS TE. Typically only the devices in the network core support TE, while the devices at the network edge use LDP. LDP over TE addresses this situation: the TE tunnel is treated as a single hop of the end-to-end LDP LSP.

LDP is widely used in MPLS VPN. You can configure this feature to avoid congestion of VPN traffic on particular nodes.

Figure 5-25 Typical application of LDP over TE (figure: routers R1 to R6; R2 reaches R5 either through R3 or through R4; IGP link costs of 10 and 20 are marked on the links)

Figure 5-25 shows an MPLS VPN network in which LDP is the signaling protocol.

Router 1 and Router 6, the PE routers, find that the link between Router 2 and Router 3 becomes congested after a large number of users access the network, because all traffic between Router 1 and Router 6 must cross this link. The link between Router 2 and Router 4 is idle, but the LSP cannot use it because of the IGP cost values.

Establish a TE tunnel from R2 to R5 passing through R4, and adjust the metric or use the IGP shortcut. R2 then has two routes and load-balances across them:

- The physical interface between R2 and R3

- The TE tunnel interface from R2 to R5

LDP establishes LSPs over both, so the load-balanced traffic also flows along the idle link.

5.4.3 MPLS OAM

MPLS supports multiple Layer 2 and Layer 3 protocols such as IP, FR, ATM, and Ethernet, and it supports an OAM mechanism that is independent of the layers above and below it. MPLS OAM provides the following functions:

- Detecting LSP connectivity

- Measuring network utilization and performance

- Performing protection switching in the case of a link failure

- Providing services according to the Service Level Agreement (SLA) signed with customers


With MPLS OAM, you can detect, identify, and locate failures in an MPLS network so that they are reported and removed in time. In addition, MPLS OAM provides a mechanism for triggering protection switching.

MPLS OAM provides the following functions:

- MPLS OAM detection. MPLS OAM sends Connectivity Verification (CV) or Fast Failure Detection (FFD) packets along the LSP under test, and Backward Defect Indication (BDI) packets over the reverse channel from the egress back to the ingress, to detect connectivity.

Figure 5-26 MPLS OAM (figure: CV/FFD packets flow from the ingress LSR to the egress LSR along the LSP; BDI packets flow back from the egress LSR to the ingress LSR over the reverse channel)

- OAM auto protocol function.

- Protection switching. 1:1, 1+1, shared protection, and packet-level protection are supported.

5.5 VPN Features

5.5.1 Tunnel Policy

A tunnel policy (TP) selects tunnels according to the destination IP address. Proper tunnels need to be selected for each type of service according to the TP. If no TP is configured, the tunnel management module selects tunnels according to the default TP.

The NE40E supports two kinds of tunnel policies:

- Sequential tunnel policy: you set the order in which tunnel types are tried and the number of tunnels used for load balancing. For services to the same destination, the first Up tunnel in the sequence is always selected, whether or not it already carries other services. Tunnels later in the sequence are normally not selected unless load balancing is required or the tunnels before them are Down.

- VPN tunnel binding policy: associates a VPN peer with an MPLS TE tunnel on the PE router of the VPN backbone. Data from the VPN to that peer is transmitted through the bound TE tunnel, and the bound TE tunnel carries only the specified VPN services, which guarantees the QoS of that VPN's service.


5.5.2 VPN Tunnel

The NE40E supports the following kinds of VPN tunnels:

- LSP tunnels. Once a label is bound to an FEC at the LSP ingress, traffic is forwarded transparently through the transit nodes of the LSP according to the label. An LSP can therefore be used as a tunnel.

- GRE tunnels. If the PE routers at the edge of the ISP network support MPLS but the P routers support only IP, an LSP cannot be used as the public tunnel. In this case, GRE tunnels can replace the LSP as the tunnel across the VPN backbone.

- TE tunnels. To reroute traffic or carry it over multiple paths, many LSPs may be required. In TE, such a group of LSPs is called a Traffic Engineered (TE) tunnel. The TE tunnel is identified by a tunnel ID, which uniquely identifies it, and each LSP within it by an LSP ID.

5.5.3 MPLS L2VPN

The NE40E provides Layer 2 VPN services based on MPLS, which allows the ISP to provide Layer 2 VPNs over different media.

VLL

Figure 5-27 shows the typical networking of the MPLS L2VPN applications that the NE40E supports.


Figure 5-27 MPLS L2VPN (figure: VPN1, VPN2, and VPN3 sites attach to PE routers around an MPLS network, and PE-ASBRs connect to a second AS; the callouts read as follows)

- Support access to the MPLS L2VPN through PPP, HDLC, ATM, Eth/VLAN, and Q-in-Q

- Support interworking

- Support MPLS VPN over GRE and MPLS VPN over TE tunnel

- Provide the VPN manager to manage VPNs among devices of different vendors

- Support inter-AS solutions: VRF-to-VRF, MP-Multihop EBGP

- Support dynamic Martini/Kompella L2VPN

- Support static CCC/SVC L2VPN

- Martini MPLS L2VPN. The Martini mode uses two labels. The inner (VC) label is distributed by extended LDP as the signaling protocol. The Martini mode conforms to draft-martini-l2circuit-trans-mpls. The draft extends LDP with a new FEC type, the VC FEC, for exchanging VC labels. If the two PEs that exchange VC labels are not directly connected, a remote LDP session must be created between them, over which the VC FEC and VC label are transmitted. The PE assigns a VC label to each connection between CEs. The L2VPN frames carrying the VC label are forwarded to the peer PE of the remote session through the LSP set up by LDP; in this way, a VC LSP is set up on top of the ordinary LSP.

- Kompella MPLS L2VPN. The L2VPN in Kompella mode is similar to the Layer 3 BGP/MPLS VPN defined in RFC 2547: both use BGP as the signaling protocol. As in MPLS L3VPN, PEs discover each other as L2VPN nodes automatically by setting up BGP sessions. The MPLS L2VPN uses BGP to transmit Layer 2 information and VC labels, and implements L2VPN end to end (CE to CE) across the MPLS network. Like the BGP/MPLS VPN, the MPLS L2VPN in Kompella mode uses VPN targets to control the sending and receiving of VPN routes, which makes the networking flexible. The MPLS L2VPN in Kompella mode can support inter-AS VPN solutions.

- CCC MPLS L2VPN. Circuit Cross Connect (CCC) implements MPLS L2VPN through static configuration. Unlike other MPLS L2VPNs, CCC uses a single-layer label to carry user data, so it uses an LSP exclusively: a CCC LSP carries the data of that CCC connection only and can neither be used for other MPLS L2VPN connections or BGP/MPLS VPN connections nor carry ordinary IP packets. For a CCC connection, no static LSP needs to be configured on the PE routers; if the two PE routers are not directly connected, a transit static LSP must be configured on each intermediate router.

- SVC MPLS L2VPN. Static VC (SVC) is similar to Martini MPLS L2VPN, but SVC carries Layer 2 VCs and link signaling information without LDP: the VC labels are configured manually.

- L2VPN Interworking. If the link types of the CE routers at the two ends of an L2VPN differ, use the L2VPN interworking feature. As recommended in draft-kompella-ppvpn-l2vpn, IP-interworking is used as the encapsulation type of the L2VPN interfaces on the PE routers to set up the L2VPN connection. Layer 3 data (IP packets) is then delivered transparently across the MPLS network. With L2VPN interworking:

  - You must configure IP-interworking as the encapsulation of the L2VPN interface on the PE router at each end.

  - The PE router starts to establish the L2VPN connection after the physical status of the VC goes Up.

  - The PE router allows L2VPN forwarding once the L2VPN connection is established. The system then considers the physical link available for transparent transmission whether the link-layer protocol status is Up or Down.

  - After both the AC and the L2VPN tunnel are Up, the CE routers at the two ends can send and receive IP packets.

  After the L2VPN connection is established, IP packets are processed as follows:

  - On receiving an IP packet from the CE router, the PE router strips the link-layer encapsulation and delivers the IP packet into the MPLS network.

  - The IP packet is transported transparently across the MPLS network to the peer PE router.

  - The peer PE router re-encapsulates the IP packet according to its own link-layer protocol and sends the frame to its connected CE router.

  - Link-layer control packets sent by the CE router are terminated by the PE router and do not enter the MPLS network.

  - All non-IP packets (such as MPLS and IPX packets) are discarded; none of them is carried across the MPLS network.

- Inter-AS MPLS L2VPN. Compared with inter-AS L3VPN, inter-AS L2VPN can be realized in the following ways:

  - In CCC mode the label has a single layer, so inter-AS operation works as long as a static LSP is set up between the ASBRs.

  - SVC, Martini, and Kompella modes support inter-AS Option A (VRF-to-VRF). In this L2VPN networking, the link type between the ASBRs must be the same as that of the VC, and each ASBR must reserve a sub-interface for each inter-AS VC. Option A is acceptable when the number of inter-AS VCs is small. Compared with L3VPN, Option A for L2VPN consumes more resources and needs more configuration, and is not recommended.

  - Option B requires the ASBR to swap both the inner and the outer label, so it is not suitable for L2VPN.

  - Option C is the better solution. The SP network only needs to set up the outer tunnel between the PE routers of the different ASs. The ASBR neither maintains inter-AS L2VPN information nor reserves interfaces for it; L2VPN information is exchanged only between PE routers. Resource consumption is lower and configuration is simpler.

VPLS

The VPLS network structure is shown in Figure 5-28. Several virtual switches (VSs) can be created on a PE router, and the VSs on different PE routers form an L2VPN. LANs at the user side access the L2VPN through the VSs, so users can extend their own LAN across the WAN. VPLS can be regarded as a virtual switch spanning the public network. Like L3VPN, it establishes LSP tunnels across the public network for traffic exchange.

Figure 5-28 VPLS network structure (figure: three PE routers each host VS1 and VS2; VLAN1 sites attach to VS1 and VLAN2 sites attach to VS2)


VPLS requires users to access through Ethernet links, and it forwards packets directly according to the VLAN ID. For communication with remote users, a Virtual Circuit (VC) that traverses the public network is established between PE routers and associated with the VLAN ID. Users communicate over the Layer 2 tunnel through this VC, and the VLAN ID identifies the user's VPN.

When the VC is established, the PE router allocates two layers of labels to it. The outer label is the public-network MPLS LSP label and is allocated by LDP. The inner label is the VC label, negotiated over a remote LDP session between the loopback interfaces.

- QinQ VPLS. QinQ is a tunneling technique based on IEEE 802.1Q encapsulation. It encapsulates the VLAN tag of the private network inside the VLAN tag of the public network, so packets carry two tags across the ISP backbone. This saves VC resources and gives users a relatively simple L2VPN tunnel.

- HVPLS. VPLS requires the PE routers to forward Ethernet frames over a full mesh of emulated Ethernet circuits, or pseudo wires (PWs), so all PE routers in the same VPLS must be connected to each other. A VPLS with n PE routers needs n x (n-1)/2 connections, so the number of connections grows with the square of the number of PEs. Hierarchical VPLS (HVPLS) is a networking solution that avoids a full mesh among all PEs. Figure 5-29 shows the HVPLS model.

Figure 5-29 HVPLS model (figure: CEs attach to a UPE over ACs; the UPE connects through a single PW to one SPE; the SPEs form the basic VPLS full mesh of PWs)

  - UPE: the device directly connected to the CE routers is called the Underlayer PE (UPE). A UPE needs to be connected to only one of the PE routers in the basic VPLS. The UPE supports routing and MPLS encapsulation. If a UPE is connected to many CE routers and provides bridging, frames between those CEs are forwarded by the UPE alone, which reduces the load on the SPE.

  - SPE: the device connected to the UPE and located in the core of the full-mesh VPLS is called the Superstratum PE (SPE). The SPE is connected to all other devices in the VPLS. The SPE treats the connected UPE as a CE router, and the PW established between the UPE and the SPE is treated as an AC of the SPE. The SPE must learn the MAC addresses of the sites behind the UPE and the MAC addresses of the UPE interfaces connected to it.

- IGMP snooping. VPNs can be implemented in a VPLS network, and each VPN needs to support IGMP snooping, that is, multi-instance IGMP snooping.

- MAC address learning. VPLS learns MAC addresses in one of the following modes:

  - Unqualified: all VLANs in a VSI share one MAC address space and one broadcast domain. MAC addresses are learned without regard to the VLAN, so a MAC address learned in one VLAN is used for forwarding in every VLAN of the VSI.

  - Qualified: each VLAN in a VSI has its own MAC address space and broadcast domain. MAC addresses are learned per VLAN, together with the VLAN ID.

- mVPLS. An mVPLS is a management VPLS; the VSIs associated with it are called management VSIs (mVSIs). The condition for an mVSI to go Up differs from that of a common (service) VSI:

  - Common VSI: at least two AC interfaces are Up, or one AC interface and one PW are Up.

  - mVSI: one PW or one AC interface is Up.

  An mVSI can be bound to common VSIs. When the mVSI receives a gratuitous ARP packet or a BFD Down packet, it notifies all the common VSIs bound to it to clear their MAC address entries and re-learn MAC addresses.

- Ethernet loop detection. VPLS is an important technology for the Metropolitan Area Network (MAN). To avoid the impact of single points of failure on services, user networks connect to the carrier's VPLS network through redundant links. The redundant links, however, can form loops, and loops cause broadcast storms. Ordinarily you would deploy the Spanning Tree Protocol (STP) or a conventional loop detection technology to prevent this, but STP has to be deployed on the user side, and conventional loop detection requires the user-side devices to pass special Layer 2 loop detection packets. When the user networks cannot be controlled, you can deploy the Ethernet loop detection supported by the NE40E on the carrier network alone; nothing needs to be deployed on the user side. This also prevents broadcast storms caused by loops formed within the VPLS network.
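The two MAC learning modes and the mVSI-triggered flush described above, as an added example written for this page rather than NE40E software: a small VSI model learns source MACs from ACs and PWs, keyed on MAC alone in unqualified mode and on (VLAN, MAC) in qualified mode, and a management VSI clears the tables of the service VSIs bound to it on a gratuitous ARP or BFD Down event. Split horizon between PWs (a frame from one PW is never flooded to another, which is what keeps the full mesh loop-free) is assumed here; the port names, VLAN IDs and MAC addresses are constructed.

```python
"""VSI MAC learning in unqualified and qualified mode, plus mVSI-triggered flush.

Example code written for this page, not NE40E software. A VSI learns the source
MAC of every frame that enters from an attachment circuit (AC) or pseudo wire (PW).
Unqualified mode keys the table on MAC only and treats the whole VSI as one
broadcast domain; qualified mode keys on (VLAN, MAC) and floods within the VLAN.
Split horizon between PWs is assumed. Port names, VLAN IDs and MACs are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple


class Vsi:
    def __init__(self, name: str, qualified: bool,
                 acs: Dict[str, Set[int]], pws: List[str]) -> None:
        self.name, self.qualified = name, qualified
        self.acs = acs                 # AC port -> VLANs it belongs to
        self.pws = list(pws)           # PWs carry every VLAN of the VSI
        self.fdb: Dict[Tuple[Optional[int], str], str] = {}

    def _key(self, vlan: int, mac: str) -> Tuple[Optional[int], str]:
        return (vlan if self.qualified else None, mac)

    def _flood_ports(self, in_port: str, vlan: int) -> List[str]:
        acs = [p for p, vlans in self.acs.items()
               if p != in_port and (not self.qualified or vlan in vlans)]
        # Split horizon: a frame received from a PW is never flooded to other PWs.
        pws = [] if in_port in self.pws else [p for p in self.pws if p != in_port]
        return acs + pws

    def forward(self, in_port: str, vlan: int, src: str, dst: str) -> List[str]:
        """Learn src behind in_port, then return the egress port(s) for dst."""
        self.fdb[self._key(vlan, src)] = in_port
        out = self.fdb.get(self._key(vlan, dst))
        if out is not None and out != in_port:
            return [out]
        return self._flood_ports(in_port, vlan)    # unknown unicast: flood


class ManagementVsi:
    """mVSI: on gratuitous ARP or BFD Down, make the bound service VSIs re-learn."""
    def __init__(self) -> None:
        self.bound: List[Vsi] = []

    def bind(self, vsi: Vsi) -> None:
        self.bound.append(vsi)

    def on_event(self, event: str) -> List[str]:
        if event not in ("gratuitous-arp", "bfd-down"):
            return []
        for vsi in self.bound:
            vsi.fdb.clear()
        return [vsi.name for vsi in self.bound]


def scenario() -> Dict[str, object]:
    acs = {"ac1": {10}, "ac2": {20}}            # ac1 carries VLAN 10 only, ac2 VLAN 20 only
    pws = ["pw-PE2", "pw-PE3"]
    unq = Vsi("vpn1", qualified=False, acs=acs, pws=pws)
    qua = Vsi("vpn2", qualified=True, acs=acs, pws=pws)
    out: Dict[str, object] = {}
    # Host A (VLAN 10 behind ac1) sends to unknown B; B answers from PE2, but in VLAN 20.
    out["unq_flood"] = unq.forward("ac1", 10, "A", "B")
    out["unq_reply"] = unq.forward("pw-PE2", 20, "B", "A")
    out["qua_flood"] = qua.forward("ac1", 10, "A", "B")
    out["qua_reply"] = qua.forward("pw-PE2", 20, "B", "A")
    mvsi = ManagementVsi()
    mvsi.bind(unq)
    mvsi.bind(qua)
    out["flushed"] = mvsi.on_event("bfd-down")
    out["fdb_after_flush"] = (len(unq.fdb), len(qua.fdb))
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The scenario shows the isolation consequence of the mode choice: in unqualified mode the VLAN 10 frame is flooded into the VLAN 20 attachment circuit, and the reply in VLAN 20 is switched to ac1 using an entry learned in VLAN 10, whereas in qualified mode neither crosses the VLAN boundary. Whether that is acceptable depends on whether the VLANs in one VSI are meant to be separate customers or merely separate segments of one customer.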

PWE3

Pseudo-Wire Emulation Edge to Edge (PWE3) is a technology for carrying end-to-end Layer 2 services. Over a Packet Switched Network (PSN), PWE3 emulates ATM, Frame Relay (FR), Ethernet, low-speed TDM, and SONET/SDH.


- Classification of PWs. PWs can be classified into:

  - Static PWs and dynamic PWs, by implementation

  - Single-hop PWs and multi-hop PWs, by networking

  - LDP PWs and RSVP PWs, by signaling

- Control word. The control word (CW) is negotiated on the control plane and used on the forwarding plane for packet sequence detection, fragmentation, and reassembly. Of the PWE3 encapsulations, ATM Adaptation Layer 5 (AAL5) and FR require the CW. The negotiation on the control plane is simple: it succeeds only when both ends or neither end supports the CW, and if the CW is supported the result is delivered to the forwarding module, which then checks the sequence and reassembles packets. The CW has the following functions:

  - Carries a sequence number. When the CW is in use, a 32-bit CW is inserted before the data packet and carries the packet sequence number. Where load balancing is used, packets may arrive out of order; the sequence number lets the peer detect this and reorder them.

  - Carries the payload length so that padding can be removed. For example, if the PEs are connected by Ethernet while PPP runs between PE and CE, a PPP control packet can be smaller than the minimum Ethernet frame size, and PPP negotiation would fail. The packet is padded to the minimum size and the CW records the real length, so the egress can strip the padding.

  - Carries control information from the Layer 2 frame header. In some cases the whole frame does not need to be carried in the L2VPN packet: the frame header is stripped at the ingress and rebuilt at the egress. That does not work when information in the frame header must be preserved; the CW carries that information between the ingress PE and the egress PE. On the forwarding plane, the negotiation result from the control plane determines whether the CW is added to each packet.

- VCCV ping. VCCV ping is a tool for manually testing the connectivity of a virtual circuit. Like ICMP ping and LSP ping, it is implemented through extended LSP ping. VCCV defines a set of messages exchanged between PEs to verify the connectivity of PWs. So that VCCV packets follow the same path as the data packets in the PW, their encapsulation type and the tunnel they traverse must be the same as those of the PW packets. For details, refer to draft-ietf-pwe3-vccv and draft-ietf-mpls-lsp-ping. The NE40E supports manual connectivity checks of LDP PWs on the U-PE, that is, VCCV ping, covering static PWs, dynamic PWs, single-hop PWs, and multi-hop PWs. Figure 5-30 shows the reference model of PWE3 VCCV.


Figure 5-30 Reference model of the PWE3 VCCV (figure: CE1 attaches to U-PE1 and CE2 to U-PE2 over ACs; PW1 and PW2 between the U-PEs carry the emulated service; VCCV runs end to end between U-PE1 and U-PE2)

VCCV is used as a fault detection and diagnostic tool for PWs. A VCCV mechanism is a combination of one type of control channel (CC) and one type of connectivity verification (CV); the available CV types depend on the underlying PSN, for example LSP ping, L2TPv3, or Internet Control Message Protocol (ICMP) ping.

- PW template. A PW template is a set of common attributes abstracted from PWs and shared by different PWs. For ease of extension, the PW template command view is provided for setting these common attributes. When creating a PW in interface view, you can reference the template. On the NE40E, a PW can be bound to a PW template and can be reset.

- Interconnection of heterogeneous media. PWE3 supports:

  - Interconnection of homogeneous media and of heterogeneous media

  - Cell relay of data with different encapsulations

  At present, the NE40E supports the following transport types over PWE3:

  - ATM AAL5 SDU VCC transport

  - Ethernet

  - HDLC

  - ATM n-to-one VCC cell transport

  - IP Layer 2 transport

  - ATM one-to-one VCC cell mode

- ATM cell relay. The NE40E supports transparent transmission of ATM cells over a PWE3 virtual circuit. The label encapsulation for ATM cell transparent transmission across the PSN is shown in Figure 5-31.


Figure 5-31 Diagram of ATM relay through PSN (diagram not reproduced; it shows a Layer 2 connection, e.g. an ATM VCC/VPC, carried as a connection or 'port' on a pseudo-wire inside an MPLS PSN tunnel between two PEs, and the packet layout: PSN transport header, MPLS label stack with the outer label identifying the MPLS PSN tunnel and the inner label identifying the pseudo-wire, pseudo-wire header with control word (sequencing and protocol info), and Layer 1/2 payload)

The outer PSN label identifies the PSN tunnel, while the inner PW header identifies the PW. ATM cell relay is used to carry the following services over a PSN:
− Services whose PW payload is ATM cells
− Services whose PW payload is AAL5 SDUs

ATM cell transparent transmission can also be used to carry an existing ATM network across a PSN, without adding ATM devices and without changing the ATM CE configuration. The ATM CE treats the transparent transmission as a TDM leased line and transmits cells across the PSN for ATM interconnection.

ATM IWF

The ATM Inter-Working Function (ATM IWF) provides interworking between an ATM link accessed through 1483B and an Ethernet link. Using L2VPN, ATM packets accessed through 1483B can be transparently transmitted onto the Ethernet link. To preserve the ATM access information (the VPI and VCI of a packet), the VPI is mapped to the outer VLAN and the VCI to the inner VLAN. By adding two VLAN tags to the data-link-layer frame header, the router transmits ATM packets carrying VPI/VCI information onto the Ethernet link through the two VLANs.

ATM IWF runs on L2VPN and has two implementation methods according to the actual networking: the CCC local connection and PW.

l CCC local connection: The CCC is implemented between ATM and Ethernet sub-interfaces on the same router. As shown in Figure 5-32, in the CCC local connection the NE40E cross-connects the 1483-encapsulated flows within the ATM traffic received from devices such as a DSLAM onto the Ethernet link. The VPI is mapped to the outer VLAN and the VCI to the inner VLAN. The packets are then forwarded from the Ethernet interface to the access device, such as a BRAS. The BRAS distinguishes DSLAM users based on the two VLAN tags of a packet.

Figure 5-32 ATM IWF diagram in the CCC local connection (diagram not reproduced; labels: DSLAM, ATM, RouterA, CCC, GE, BRAS)

l PW: Through the LSP tunnel of the L2VPN, Layer 2 transparent transmission of data packets between the ATM link and the Ethernet link can be carried out between peer PE routers. As shown in Figure 5-33, ATM traffic with 1483B encapsulation can be transparently transmitted to the remote Ethernet link through a PW (for example, by configuring a Martini or Kompella L2VPN). In the process, the VPI is mapped to the outer VLAN and the VCI to the inner VLAN, and the ATM packets are transparently transmitted to the remote BRAS. The BRAS distinguishes DSLAM users based on the two VLAN tags of a packet.

Figure 5-33 Diagram of ATM IWF in PW (diagram not reproduced; labels: ATM Switch, ATM, RouterA, PW, RouterB, GE, BRAS)

5.5.4 MPLS/BGP L3VPN

The NE40E implements BGP/MPLS L3VPN and thus provides carriers with end-to-end VPN solutions. Carriers can offer VPN service to users as a new, flexibly selectable value-added service.

Figure 5-34 shows the application of MPLS/BGP L3VPN that the NE40E supports.


Figure 5-34 MPLS/BGP L3VPN (diagram not reproduced; it shows VPN1, VPN2, and VPN3 sites attached to PEs, UPEs, an SPE and PE-ASBRs across two MPLS networks joined by MP-BGP, with these callouts: support access to MPLS VPN through PPP, HDLC, ATM, Eth/VLAN, and remote dial-in/tunnel access; support HoVPN to extend the VPN (hierarchical PE); support routing protocols between PEs and CEs, such as static routing, BGP, RIP, OSPF, and IS-IS; provide the VPN manager to manage VPNs among devices of different vendors; support inter-AS solutions: VRF-to-VRF, MP-EBGP, MP-Multihop EBGP; support MPLS VPN over GRE and MPLS VPN over TE tunnel)

l As a PE router, it supports access of CE routers through various interfaces such as Ethernet, POS, and VLAN interfaces.

l It supports static routes and dynamic routing protocols such as BGP, RIP, OSPF, and IS-IS, between CE routers and PE routers.

l It supports various inter-AS VPN solutions.

Carrier's Carrier

The customer of the BGP/MPLS IP VPN service provider can serve as a service provider. In this case, the BGP/MPLS IP VPN service provider is called the provider carrier or the level 1 carrier. The customer is called the customer carrier or the level 2 carrier. This networking model is called carrier's carrier. In this model, the level 2 SP serves as a CE router of the level 1 SP.

To keep good extensibility, the level 2 carrier adopts the operating mode similar to the stub VPN. That is, the CE router of the level 2 carrier only advertises the routes (internal routes) of the VPN where it resides to the PE router of the level 1 carrier. It does not advertise its customers' routes (external routes). PE routers in the level 2 carrier exchange external routes by using BGP. This can greatly reduce the number of routes maintained by the level 1 carrier network.


Inter-AS VPN

The NE40E supports the following three inter-AS VPN solutions described in RFC 2547bis:

l VPN instance to VPN instance: ASBRs manage VPN routes in between by using sub-interfaces, which is also called Inter-Provider Backbones Option A.

l EBGP redistribution of labeled VPN-IPv4 routes: ASBRs advertise labeled VPN-IPv4 routes to each other through MP-EBGP, which is also called Inter-Provider Backbones Option B.

l Multihop EBGP redistribution of labeled VPN-IPv4 routes: PE routers advertise labeled VPN-IPv4 routes to each other through Multihop MP-EBGP, which is also called Inter-Provider Backbones Option C.

Multicast VPN

The NE40E supports multicast MPLS/BGP VPN.

IPv6 VPN

The next-generation network protocol IPv6 is an enhancement of IPv4. IPv6 improves the address space, configuration, maintenance, and security and supports access of more users and devices to the Internet.

A VPN is an extension of a private network constructed over a shared link or a public network such as the Internet. The VPN enables the computers at two sites of a client to exchange data over the shared link or public network, thus providing the function of a point-to-point private link.

When each site of a VPN supports IPv6, all the sites can be connected to the PE router of the Service Provider (SP) through an interface or sub-interface with the IPv6 address. In this way, the sites are connected to the backbone network of the SP and the VPN is called an IPv6 VPN. Simply speaking, IPv6 VPN indicates that a PE router receives IPv6 packets from a CE router, which is different from the IPv4 VPN.

Currently, IPv6 VPN services are carried over the IPv4 network of the SP. In this case, the backbone network runs IPv4 while the user sites use IPv6 addresses. PE routers need to support the IPv4/IPv6 dual stack, as shown in Figure 5-35. Any routing protocol that carries IPv6 routes can run between PE routers and CE routers. The PE routers run IPv6 on the interfaces connecting clients and IPv4 on the interfaces connecting the public network.


Figure 5-35 Networking diagram of the IPv6 VPN over the IPv4 backbone network (diagram not reproduced; labels: IPv6 VPN site1 and IPv6 VPN site2 CEs attached to PEs of an IPv4 VPN backbone containing P routers)

The implementation principle of the IPv6 VPN is similar to that of BGP/MPLS IP VPN. The IPv6 VPN advertises VPN-IPv6 routing information through Multiprotocol Extensions for BGP-4 (MP-BGP) on the backbone network. The IPv6 VPN triggers MPLS to allocate labels to identify IPv6 packets, and then transmits data of the private network across the backbone network through LSP, MPLS TE, or GRE tunnels.

IPv6 VPN networking schemes that the NE40E supports are:

l Intranet VPN

l Extranet VPN

l Hub&Spoke

l Inter-AS or multi-AS backbones VPN

l Carriers' Carrier

HoVPN

In BGP/MPLS VPN solutions, the key device, the PE router, has the following functions:

l Provides access functions for users. To do this, a PE router needs a great number of interfaces.

l Manages and advertises VPN routes and processes user packets. Therefore, a PE router needs large-capacity memory and high forwarding capability.

This makes the PE router a bottleneck. To address this scalability problem, Huawei proposes the Hierarchy of VPN (HoVPN) solution. In HoVPN, the functions of a PE router are distributed to multiple devices. Acting in different roles in a hierarchical architecture, the routers together fulfill the functions of a centralized PE router.


The basic architecture of HoVPN is shown in Figure 5-36. The device that is directly connected with users is called Underlayer PE or User-end PE (hereafter referred to as UPE). The device which is connected with UPE in the internal network is called Superstratum PE or Service Provider-end PE (hereafter referred to as SPE). Multiple UPEs and the SPE form the hierarchical PE, functioning together as a traditional PE router.

Figure 5-36 Basic architecture of HoVPN (diagram not reproduced; labels: VPN1 and VPN2 sites attached to UPE1 and UPE2, which connect to an SPE; the UPEs and SPE form the HoVPN, which attaches to PEs of the MPLS network)

In the networking of HoVPN, functions of PE routers are implemented hierarchically. Therefore, the solution is also called Hierarchy of PE (HoPE).

The UPE and SPE provide the following functions:

l The UPE implements user access. It maintains the routes of the VPN sites directly connected to it; it does not maintain the routes of other remote sites in the VPN, or maintains only their summary routes. The UPE assigns inner labels to the routes of the directly connected sites and advertises the labels to the SPE in VPN routes through MP-BGP.

l The SPE manages and advertises VPN routes. It maintains the routes of all the VPNs that are connected through UPEs, including the routes of local and remote sites. The SPE does not advertise routes of remote sites to UPEs. It advertises only the default routes of VPN-instances or summary routes to UPEs with the label.

Different roles result in different requirements for the SPE and UPE:

l SPE: large capacity of routing table, high forwarding performance, few interface resources

l UPE: small capacity of routing table, low forwarding performance, high access capacity


The HoVPN takes advantage of the performance of SPEs and access capability of UPEs.

The HoPE is the same as the traditional PE in appearance. It can exist together with common PEs in an MPLS network.

HoVPN supports the embedding of HoPE:

l A HoPE can act as a UPE, and compose a new HoPE with another SPE.

l A HoPE can act as an SPE, and compose a new HoPE with multiple UPEs.

Multiple embedding processes are supported.

In theory, the embedding of HoPEs can extend a VPN network without limit.

RRVPN

Resource Reserved VPN (RRVPN) is a tunnel-multiplexing technology. It can provide end-to-end QoS guarantee for VPN users.

To implement reserved and isolated resources for VPNs, RSVP-TE tunnels must be used. Different VPNs use different tunnels, and the resources of the tunnels that share the same tunnel interface are reserved and isolated from one another.

Note that the total bandwidth of the tunnels must not exceed the total bandwidth reserved on the physical link.

Multi-role Hosts

In a BGP/MPLS IP VPN, the VPN attributes of the packets that a PE receives from CEs are determined by the VPN instance of the incoming interface on the PE. Thus, all CEs attached to the same PE interface belong to the same VPN.

In practice, however, a server or terminal is often required to access multiple VPNs. Such a server is called a multi-role host. For example, a server in a financial system in VPN 1 and a server in an accounting system in VPN 2 may need to communicate.

In a multi-role host model, only the multi-role host can access multiple VPNs; the non-multi-role hosts can access only the VPN to which the hosts belong.

The implementation principle of a multi-role host is simple. A multi-role host generally fulfils the following functions:

l Ensures the data stream of the multi-role host can reach the destination VPN network.

l Ensures the data stream from the destination VPN network can reach the multi-role host.

As shown in Figure 5-37, the VPN to which the multi-role host PC belongs is VPN1. If the VPN1 routes and VPN2 routes on PE1 do not import each other, the PC can access only VPN1 instead of VPN2. The data stream from the PC to VPN2 can be transmitted only by searching the VPN1 routing table of PE1. If the destination address of a packet does not exist in the VPN1 routing table, PE1 discards the packet.

To ensure that the data stream of the PC can reach VPN2, configure PBR on the PE1 interface through which CE1 accesses PE1. After the configuration, if the destination address of a packet from CE1 does not exist in the VPN1 routing table, the VPN2 routing table is searched. The PBR here is generally based on IP addresses and can guide data streams to access different VPNs.

Figure 5-37 Implementation of a multi-role host (diagram not reproduced; labels: PC behind CE1 in VPN1, CE2 in VPN2, CE3 in VPN1, PE1, PE2, PE3, VPN1 backbone, Policy-Based Routing on PE1, Static-Route)

To ensure that the data streams from the destination VPN network can return to the PC, PE1 must be able to search the routes in the VPN1 routing table for the data streams from VPN2. This is implemented through injecting the static route to the PC into the VPN2 routing table on PE1. The outgoing interface of the static route is the PE1 interface that connects CE1.

The functions of a multi-role host are realized mainly on the PE that the CE accesses. (The multi-role host accesses the CE.)

l Through the PBR on a PE, the data streams from the same VPN can be transmitted by searching routing tables of different VPNs at the same time.

l Static routes are installed to the routing table of the destination VPN on the PE. The outgoing interfaces of the static routes are the interfaces that connect the multi-role host and the VPN.

Note that the IP addresses of the VPN where a multi-role host resides and the VPN that the host accesses cannot be the same.
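The two functions just listed, as an added example that is not NE40E code: a small model of PE1 in Figure 5-37 with two VPN instances, PBR on the CE1-facing interface, and the static return route in the VPN2 table. All names, interfaces and addresses are constructed for the illustration.

```python
"""Added example (not NE40E code): a model of the multi-role host forwarding
logic on PE1 in Figure 5-37, showing why PBR on the CE1-facing interface and
a static route in the VPN2 table are both needed."""
import ipaddress
from typing import Dict, Optional, Tuple


class Vrf:
    """A VPN instance: a routing table of (prefix, outgoing interface) entries."""
    def __init__(self, name: str):
        self.name = name
        self.routes = []

    def add(self, prefix: str, out_if: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), out_if))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match; None means the destination is absent and PE1 discards."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, out_if in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out_if)
        return best[1] if best else None


class Pe:
    def __init__(self):
        self.vrfs: Dict[str, Vrf] = {}
        self.if_vrf: Dict[str, str] = {}      # interface -> VPN instance bound to it
        # PBR per incoming interface: (matching source prefix, VRF to search next)
        self.pbr: Dict[str, Tuple[ipaddress.IPv4Network, str]] = {}

    def forward(self, in_if: str, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Returns (VRF that resolved the route, outgoing interface), or None if dropped."""
        vrf = self.vrfs[self.if_vrf[in_if]]
        out = vrf.lookup(dst)
        if out is not None:
            return vrf.name, out
        # Bound VRF has no route: PBR may redirect the lookup into another VRF,
        # here only for the multi-role host's own source address.
        policy = self.pbr.get(in_if)
        if policy and ipaddress.ip_address(src) in policy[0]:
            out = self.vrfs[policy[1]].lookup(dst)
            if out is not None:
                return policy[1], out
        return None


PC = "10.1.0.10"          # constructed: the multi-role host in VPN1 behind CE1
OTHER_HOST = "10.1.0.20"  # constructed: an ordinary VPN1 host behind CE1
VPN2_SERVER = "10.2.5.5"  # constructed: a host in VPN2 behind CE2


def build_pe1(with_pbr: bool, with_static: bool) -> Pe:
    """PE1 with or without the two pieces of configuration the text describes."""
    pe = Pe()
    vpn1, vpn2 = Vrf("VPN1"), Vrf("VPN2")
    vpn1.add("10.1.0.0/16", "to-CE1")       # CE1 site, local
    vpn1.add("10.3.0.0/16", "tunnel-PE3")   # CE3 site, learned via MP-BGP
    vpn2.add("10.2.0.0/16", "tunnel-PE2")   # CE2 site, learned via MP-BGP
    pe.vrfs = {"VPN1": vpn1, "VPN2": vpn2}
    pe.if_vrf = {"to-CE1": "VPN1", "tunnel-PE3": "VPN1", "tunnel-PE2": "VPN2"}
    if with_pbr:                             # first function: PC -> VPN2 direction
        pe.pbr["to-CE1"] = (ipaddress.ip_network(PC + "/32"), "VPN2")
    if with_static:                          # second function: return route in VPN2
        vpn2.add(PC + "/32", "to-CE1")
    return pe
```

Removing either piece of configuration makes one direction of the PC's VPN2 traffic fail the lookup, while an ordinary VPN1 host stays confined to VPN1 in both directions.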

5.5.5 L2VPN Access to the L3VPN

Layer 2 VPN (L2VPN) provides Layer 2 VPN services over an MPLS network. L2VPN data is transmitted transparently over the MPLS network, which features high reliability and security, easy maintenance, and powerful QoS. L2VPN provides tunnels for transmitting user data, which reduces the number of links that the intermediate routers must maintain.

Using an L2VPN, users can access L3VPN services running on a public network or bearer network. This reduces the user information that is maintained by access devices. Therefore, the low-end devices can be deployed in the access network, reducing the networking cost. For users, the access network is transparent, and users seem to connect to the public network or L3VPN directly. This makes the networking more flexible.


Figure 5-38 Networking diagram of traditional access of L2VPN to L3VPN (diagram not reproduced; labels: CE1, UPE, PE-AGG, NPE, PE, CE2; L2VPN in the access network, L3VPN in the bearer network)

In a traditional network, a Provider Edge Aggregation (PE-AGG) and a Network Provider Edge (NPE) are required to connect the access network to the bearer network. Then, L2VPN can access the public network or L3VPN.

As shown in Figure 5-38, the User Provider Edge (UPE) devices are responsible for accessing user sites by creating an L2VPN tunnel between the access network and PE-AGG. The PE-AGG terminates L2VPN and connects to the other NPE. L3VPN is set up between the NPE and other common PEs on the bearer network of the carrier. As a CE of L2VPN, NPE connects to the PE-AGG. For the L3VPN on the bearer network, CE1 accesses the L3VPN through the leased line emulated by L2VPN.

Figure 5-39 Networking diagram of connection from L2VPN to L3VPN supported by the NE40E (diagram not reproduced; labels: CE1, UPE, NPE, PE, CE2; L2VPN in the access network, L3VPN in the bearer network)

If an NPE device can provide the functions of both the PE-AGG and the NPE, the networking cost is lowered and the network is simplified. As shown in Figure 5-39, the NE40E functions as the NPE: it connects to and terminates the L2VPN and the L3VPN on the same device by creating a Virtual Ethernet group (VE-group). The NE40E thus provides the functions of both the PE-AGG and the NPE of a traditional network.


In a VE-group, the VE interface used to terminate L2VPN is called Layer 2 Virtual Ethernet (L2VE), and that used to terminate L3VPN is called Layer 3 Virtual Ethernet (L3VE).

5.5.6 VPN QoS

The ISP provides L2VPN or L3VPN access services for a VPN user and signs an SLA with the user. The SLA includes the following:

l Total bandwidth used by the user to access the MPLS VPN

l Priority level of the user service in the MPLS network

The preceding two points determine the volume of user traffic that can access the ISP network. Once the user has accessed the ISP network, the question becomes what kind of QoS the provider offers:

l The bandwidth for the user traffic to a specified peer PE router is guaranteed.

l Types of services to a specific peer PE router, such as voice, video, important data, and common network services, require guaranteed bandwidth and delay.

VPN QoS provides a relatively complete L2VPN or L3VPN QoS solution. It uses various QoS techniques to meet the diverse and fine-grained QoS demands of VPN users. VPN QoS provides QoS in the MPLS DiffServ network and end-to-end QoS in the MPLS TE network. In deployment, you can select the QoS policy as required.

L3VPN with QPPB

QoS Policy Propagation Through the Border Gateway Protocol (QPPB) propagates the QoS policy through BGP.

The receiver of BGP routes can do as follows:

l Sets QoS parameters for BGP routes based on the attributes of the BGP routes.

l Classifies traffic by matching the QoS parameters and sets the QoS policy for the classified traffic.

l Forwards packets in accordance with the locally set QoS policy, thereby propagating the QoS policy through BGP.

In an L3VPN, you can set the QPPB policy for private routes to classify L3VPN traffic, remark the traffic class, and limit the traffic volume.

L2VPN/L3VPN with MPLS DiffServ

In this case, VPN QoS has the following functions:

l On the ingress PE router, VPN QoS classifies VPN traffic according to simple traffic classification or complex traffic classification. The classified traffic is limited, re-marked, and scheduled based on the priority level. Traffic classification and scheduling support uniform and pipe/short pipe modes.

l VPN QoS performs differentiated queue scheduling according to the MPLS EXP field on the P router.

l On the egress PE router, VPN QoS performs differentiated queue scheduling based on the EXP field and limits and shapes traffic on the outbound interface.


This scheme has an inherent limitation: the transit nodes perform QoS actions only according to the predefined PHB. This cannot guarantee end-to-end QoS or eliminate network congestion.

L2VPN/L3VPN with MPLS TE

In this scheme, the P and PE routers on the MPLS network reserve bandwidth through the TE signaling protocol. The scheme is therefore free from blocking and provides an end-to-end bandwidth guarantee. However, the P routers do not differentiate service types inside the tunnel and process packets of all types uniformly. QoS mapping between MPLS packets and IP or Layer 2 packets on the PE router supports the pipe/short pipe model.

In this scheme, the ingress PE router binds the VPN to the TE tunnel.

l At the network side, the PE router performs queue scheduling based on VPNs, ensures the bandwidth of VPN services to access the TE tunnel, and guarantees the total bandwidth of the TE tunnel.

l The P router guarantees the bandwidth of the TE tunnel.

The ingress nodes do not differentiate priority levels of services inside the TE tunnel. Therefore, services of various priority levels need to be allocated to different VPNs in the network planning.

Figure 5-40 L2VPN/L3VPN with MPLS TE (diagram not reproduced; labels: VPNA site 1, site 2, and site 3 attached to PE1, PE2, and PE3 of the backbone network; only one type of service in VPNA)

L2VPN/L3VPN with MPLS DS-TE

In this scheme, the P and PE routers on the MPLS network reserve bandwidth through the DS-TE signaling protocol for the various types of services. The network is therefore free from blocking and provides an end-to-end bandwidth guarantee. In addition, services inside the tunnel are differentiated and processed in different ways.

In this scheme, the ingress PE router binds the VPN to the DS-TE tunnel. At the network side, the PE router schedules queues based on VPNs, ensures the bandwidth of the VPN services to access the DS-TE tunnel, and ensures the total bandwidth of the DS-TE tunnel. The P router guarantees the bandwidth of the DS-TE tunnel.

Figure 5-41 L2VPN/L3VPN with MPLS DS-TE (diagram not reproduced; labels: VPNA site 1, site 2, and site 3 attached to PE1, PE2, and PE3 of the backbone network; VPNA carries three types of services, ensuring the QoS for each service in the same VPN)

5.6 IPTN Features

Providing services with an end-to-end QoS guarantee on the IP bearer network has become an urgent demand, so the current Internet needs to be upgraded to provide better data services. To meet this demand, Huawei puts forward the IP telecommunication network (IPTN) solution.

In the IPTN solution, the bearer control layer is introduced between the service control layer and the bearer layer. Resources are applied, kept, and released respectively before, during, and after they are used. This is to provide end-to-end QoS on the current IP network.

Figure 5-42 shows the scenario in which the NE40E serves as an SR in an IPTN network.


Figure 5-42 Scenario of the IPTN (diagram not reproduced; labels: User, DSLAM, SR, COPS, DHCP Server, ISP)

An IP packet of the user is encapsulated in a QinQ packet with double VLAN tags through the DSLAM and then accesses the SR. The outer VLAN ID specifies the DSLAM; the inner VLAN ID specifies the user.

With the DHCP relay function, the SR forwards the DHCP request packet to the DHCP server when receiving an access request from the user. After the DHCP server returns an assigned IP address to the user, the SR reports information about the online user to the COPS server.

The information includes:

l Location of the user, that is, the CircuitId of DHCP Option 82

l VPN to which the user belongs

l IP address of the user

l MAC address of the user

In addition, the NE40E provides the following functions:

l Supports the three-level limit on the number of users.

l Provides detection of online users and processing of users going offline.

l Checks the validity of IPTN users.

l Displays information about online users and forcibly cuts off online users.
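The online-user report described above, as an added example that is not NE40E code: the VLAN pair is taken from the user's double-tagged request frame and the address, MAC and circuit-id from the DHCP ACK returned through the relay. The frame, the DHCP message, the circuit-id string and the VPN name are all constructed sample values; the VPN is assumed to be known from the SR's interface configuration and is passed in.

```python
"""Added example (not NE40E code): build the online-user record that the text
says the SR reports to the COPS server, from a constructed QinQ frame and a
constructed DHCP ACK."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
VLAN_TPIDS = (0x8100, 0x88A8)      # 802.1Q and 802.1ad tag protocol identifiers


def parse_qinq(frame: bytes):
    """Return (outer VID, inner VID, payload ethertype) of a double-tagged frame."""
    if len(frame) < 22:
        raise ValueError("frame too short for two VLAN tags")
    vids = []
    pos = 12                                    # skip destination and source MAC
    for _ in range(2):
        tpid, tci = struct.unpack_from("!HH", frame, pos)
        if tpid not in VLAN_TPIDS:
            raise ValueError("expected a VLAN tag at offset %d" % pos)
        vids.append(tci & 0x0FFF)               # low 12 bits of the TCI are the VID
        pos += 4
    ethertype = struct.unpack_from("!H", frame, pos)[0]
    return vids[0], vids[1], ethertype


def parse_dhcp(msg: bytes):
    """Parse the fixed DHCP header and the option list; Option 82 sub-options
    are split out so the circuit-id (sub-option 1) is directly readable."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, hlen = msg[0], msg[2]
    yiaddr = ".".join(str(b) for b in msg[16:20])   # address assigned to the client
    mac = ":".join("%02x" % b for b in msg[28:28 + hlen])
    options, pos = {}, 240
    while pos < len(msg):
        code = msg[pos]
        if code == 0:                           # pad
            pos += 1
            continue
        if code == 255:                         # end
            break
        length = msg[pos + 1]
        options[code] = msg[pos + 2:pos + 2 + length]
        pos += 2 + length
    relay, sub, pos = {}, options.get(82, b""), 0
    while pos + 2 <= len(sub):
        scode, slen = sub[pos], sub[pos + 1]
        relay[scode] = sub[pos + 2:pos + 2 + slen]
        pos += 2 + slen
    return {"op": op, "yiaddr": yiaddr, "mac": mac, "options": options, "relay": relay}


def online_user_record(request_frame: bytes, dhcp_ack: bytes, vpn: str):
    """The four items the text lists: location (circuit-id), VPN, IP and MAC,
    plus the VLAN pair identifying the DSLAM and the user."""
    outer, inner, _ = parse_qinq(request_frame)
    d = parse_dhcp(dhcp_ack)
    if d["op"] != 2 or d["options"].get(53) != b"\x05":   # BOOTREPLY carrying DHCPACK
        raise ValueError("not a DHCP ACK")
    return {"dslam_vlan": outer, "user_vlan": inner,
            "circuit_id": d["relay"].get(1, b"").decode("ascii", "replace"),
            "vpn": vpn, "ip": d["yiaddr"], "mac": d["mac"]}


def build_sample():
    """Constructed sample input: outer VID 100 (DSLAM), inner VID 7 (user),
    and a DHCP ACK assigning 10.1.7.20 that was relayed by the SR (giaddr 10.1.0.1)."""
    user_mac = bytes.fromhex("0011223344ff")
    frame = (bytes.fromhex("00aabbccddee") + user_mac
             + struct.pack("!HH", 0x88A8, 100) + struct.pack("!HH", 0x8100, 7)
             + struct.pack("!H", 0x0800))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 1, 0x1234, 0, 0,
                         b"\0" * 4, bytes([10, 1, 7, 20]), b"\0" * 4, bytes([10, 1, 0, 1]),
                         user_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    circuit = b"dslam1 atm 3/0:100.7"         # constructed circuit-id string
    opt82 = bytes([1, len(circuit)]) + circuit
    options = bytes([53, 1, 5]) + bytes([82, len(opt82)]) + opt82 + bytes([255])
    return frame, header + DHCP_MAGIC + options
```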

5.7 QoS Features

The NE40E provides the QoS features of integrated services including real-time services.

In particular, the NE40E supports DiffServ as follows:

l Traffic classification

l Traffic policing

l Traffic shaping

l Queue management and queue scheduling


The NE40E implements all eight PHB groups, namely EF, AF1 to AF4, BE, CS6, and CS7. With the NE40E, an ISP can provide users with differentiated QoS guarantees and make the Internet an integrated network carrying data, voice, and video services simultaneously.

Figure 5-43 shows the hierarchical QoS of the NE40E.

Figure 5-43 Multi-level scheduling of QoS (diagram not reproduced; stages shown on the inbound interface: receive packets, classify and mark packets (CAR), congestion avoidance detection (RED, WRED), priority scheduling (PQ, CQ, CBWFQ), then a VOQ switch that prevents head-of-line blocking of multicast switching; on the outbound interface: congestion avoidance detection (RED, WRED, SARED), priority scheduling/traffic shaping (PQ, CBWFQ), traffic scheduling (LLS, NLS, PBS), mark packets according to the class (CAR), forward packets; scheduling levels L1 to L4)

The following describes the QoS features of the NE40E.

5.7.1 DiffServ Model

After entering a network, service traffic is classified, regulated, and distributed to different behavior aggregates (BAs). A BA is identified by a DSCP code. At the core of the network, the packets are forwarded in accordance with the per-hop behavior (PHB) identified by the DSCP code.

The advantage of DiffServ is that many service flows converge at a BA and are forwarded according to the same PHB on the router. In this way, the service processing and storage are simplified.

In the DiffServ core network, QoS is applied per packet and no signaling is processed.


5.7.2 Traffic Classification

Traffic classification refers to classifying traffic according to a certain rule and associating a certain behavior with the traffic of the same type to constitute a policy. After the policy is applied, class-based traffic policing, traffic shaping, and congestion avoidance are implemented.

If no QoS guarantee or traffic classification is required, or there are no rules to match packets after traffic classification, the device processes the packets with the Best-Effort (BE) service.

The NE40E supports simple and complex traffic classifications.

Complex traffic classification is usually configured on the router at the network edge; simple traffic classification is configured on the core router.

Simple Traffic Classification

Simple traffic classification means dividing packets into several priorities or service classes according to the IP precedence or DSCP of IP packets, the EXP field of MPLS packets, or the 802.1p field of VLAN packets. A traffic policy based on simple traffic classification is used to map the priority of traffic on one type of network to another type, that is, to transmit the traffic in the other network according to its previous priority.

Currently the NE40E supports simple traffic classification on:

l Physical interfaces and sub-interfaces

l Logical interfaces including VLANIF, RINGIF, and trunk interfaces

Complex Traffic Classification

Complex traffic classification means classifying packets based on the quintuple (source IP address, destination IP address, source port number, destination port number, and protocol type). It is usually applied at the edge of the network and must be associated with specific traffic control or resource allocation actions. It is used to provide differentiated services.

Currently, the NE40E supports:

l Classifications based on the source MAC address, the destination MAC address, the protocol number carried in the header of the Ethernet packet over the link layer, the precedence of the packet with a tag

l Classifications based on the IP precedence/DSCP/ToS value of the IPv4 packet, the source IP address prefix, the destination IP address prefix, the protocol number carried over the IP packet, the fragmentation tag, the TCP SYN label, the TCP/UDP source port number or range, the TCP/UDP destination port number or range

The NE40E supports complex traffic classification on:

l Physical interfaces

l Logical interfaces including sub-interfaces, RINGIF, and trunk interfaces

5.7.3 Traffic Policing

In traffic policing, the committed access rate (CAR) is used to control traffic. Packets are classified according to a preset matching rule. Packets conforming to the rule are forwarded by the router; packets exceeding the limit specified by the rule are either discarded or forwarded after their precedence is re-marked.

To control traffic, the token bucket (TB) is introduced to the CAR technology. Figure 5-44 shows the procedure of traffic policing with CAR.

Figure 5-44 Flowchart of traffic policing with CAR (diagram not reproduced; incoming packets are classified and pass through a token bucket that is filled with tokens at a specified rate; packets are either passed as outgoing packets or dropped)

l The tokens are put into the TB at the rate preset by the user. The capacity of the TB is also preset by users. When the number of tokens reaches the capacity of the TB, the number does not increase any more.

l On arrival, the packets are classified according to the information such as the IP precedence, source address, or destination address. The packets that conform to the preset feature go into the TB for further processing.

l If the TB has enough tokens for a packet, the packet is forwarded and the number of tokens is reduced by the packet length. If the TB contains insufficient tokens or is empty, the packets that are not assigned tokens, or not enough tokens, are either discarded or forwarded after their IP precedence, DSCP, or EXP value is re-marked. In this case, the number of tokens in the TB remains unchanged.

The preceding process shows that the CAR technology enables a router to control traffic, and to mark or re-mark packets.

Limiting the traffic rate is the main function of CAR. With CAR, a TB is used to measure the data traffic flowing through the interfaces of a router, so that in the specified time only packets that are assigned tokens pass through the router; in this way, the traffic rate is limited. CAR limits the maximum traffic rate of both incoming packets at the ingress and outgoing packets at the egress. Meanwhile, the rate of certain types of traffic can be controlled according to information such as the IP address, port number, and precedence. Traffic not matching the preset conditions is not rate-limited and is forwarded at its original rate.

The CAR technology is used at the network edge to ensure that the core device can process data normally. The NE40E supports CAR in both the inbound and outbound directions.


5.7.4 Queue Scheduling

In data communications, a channel is shared by many hosts, and the bandwidth of a WAN is usually lower than that of a Local Area Network (LAN). When a host in one LAN sends data to a host in another LAN, the WAN link is the bottleneck: the router between the LAN and the WAN cannot send packets as fast as they arrive, so some packets must wait or be dropped. The network is then congested.

As shown in Figure 5-45, when LAN 1 sends packets to LAN 2 at the rate of 10 Mbit/s, traffic congestion occurs on the interface Serial 1 of Router A.

Figure 5-45 Network congestion (LAN 1, a 10 Mbit/s Ethernet with PC1 and Server1, connects through interface Serial 1 of Router A over a 2 Mbit/s Frame Relay/X.25/DDN link to interface Serial 1 of Router B and LAN 2, a 10 Mbit/s Ethernet with PC2 and Server2)

Congestion management provides the means to manage and control traffic when congestion occurs. Queue scheduling is the technology used to handle it: packets to be sent from an interface are placed into several queues of different priorities and are then sent according to those priorities. A proper queue scheduling mechanism gives packets of different types reasonable QoS characteristics such as bandwidth, latency, and jitter. The queue here is the outgoing packet queue: packets are buffered in queues until the interface is able to send them, so queue sc​heduling takes effect only when an outbound interface is congested. Queue scheduling can re-order packets in all queue types except First In First Out (FIFO).

Commonly used queue scheduling mechanisms are:

l FIFO
l Priority Queuing (PQ)
l Custom Queuing (CQ)
l Weighted Fair Queuing (WFQ)
l Class-based WFQ (CBWFQ)


The NE40E supports FIFO, PQ, and WFQ for queue scheduling on an interface.

5.7.5 Congestion Management

The NE40E uses Weighted Random Early Detection (WRED) for congestion control. WRED drops packets probabilistically before a queue fills, instead of dropping everything once the queue overflows (tail drop).

l WRED can be configured on each port, per queue priority.

l The NE40E uses a microsecond-level timer to track the occupancy of shared memory with a first-order weighted iteration (an exponentially weighted moving average of the queue length).

l The NE40E therefore detects congestion promptly and avoids the throughput oscillation caused by many flows backing off at once. Within the same traffic stream, packets of different drop precedences are dropped with different probabilities. This effectively prevents and controls network congestion.
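The following Python example, added here to illustrate the WRED mechanism above, is not NE40E code. It keeps an exponentially weighted moving average of the queue length (the first-order weighted iteration), applies a separate min/max threshold and maximum drop probability per drop precedence, and offers a sustained overload to the queue so that the different drop ratios of green, yellow, and red packets become visible. The thresholds, the EWMA weight, and the traffic mix are assumed values chosen for the demonstration.

```python
"""Weighted Random Early Detection over an EWMA of queue occupancy.

Added illustration of the WRED mechanism described in 5.7.5; it is not NE40E
code.  The thresholds, drop probabilities, EWMA weight and the traffic mix are
assumed values chosen to make the behaviour visible."""
import random

# Per drop precedence: (min threshold, max threshold, maximum drop probability).
# Packets of a higher drop precedence ("red") are dropped earlier and harder
# than "green" ones in the same queue.  Assumed values.
WRED_PROFILES = {
    "green": (40, 80, 0.10),
    "yellow": (25, 60, 0.30),
    "red": (10, 40, 0.60),
}


class WredQueue:
    def __init__(self, capacity=100, weight=0.2, profiles=None, rng=None):
        self.capacity = capacity          # hard limit: tail drop above this
        self.weight = weight              # EWMA weight (0 < weight <= 1)
        self.profiles = profiles or WRED_PROFILES
        self.rng = rng or random.Random(1)
        self.length = 0                   # instantaneous queue length (packets)
        self.avg = 0.0                    # smoothed queue length
        self.stats = {c: {"queued": 0, "dropped": 0} for c in self.profiles}

    def _update_avg(self):
        # First-order weighted iteration: avg = (1 - w) * avg + w * current.
        self.avg = (1.0 - self.weight) * self.avg + self.weight * self.length

    def drop_probability(self, color):
        """Linear ramp from 0 at the min threshold to the maximum probability
        at the max threshold; 1.0 once the average is at or above the max."""
        lo, hi, pmax = self.profiles[color]
        if self.avg < lo:
            return 0.0
        if self.avg >= hi:
            return 1.0
        return pmax * (self.avg - lo) / (hi - lo)

    def enqueue(self, color):
        """Return True if the packet was queued, False if it was dropped."""
        self._update_avg()
        full = self.length >= self.capacity
        if full or self.rng.random() < self.drop_probability(color):
            self.stats[color]["dropped"] += 1
            return False
        self.length += 1
        self.stats[color]["queued"] += 1
        return True

    def dequeue(self, n=1):
        """The interface drains up to n packets."""
        self.length = max(0, self.length - n)
        self._update_avg()


def simulate(steps=200, arrivals=6, service=4, seed=1):
    """Offer 'arrivals' packets per step (green, yellow, red in rotation) to a
    link that can send only 'service' per step, i.e. a sustained overload."""
    q = WredQueue(rng=random.Random(seed))
    colors = ("green", "yellow", "red")
    for _ in range(steps):
        for i in range(arrivals):
            q.enqueue(colors[i % len(colors)])
        q.dequeue(service)
    return q.stats


if __name__ == "__main__":
    for color, s in simulate().items():
        total = s["queued"] + s["dropped"]
        print(f"{color:6s} dropped {s['dropped']:4d} of {total} ({s['dropped'] / total:.0%})")
```

Because the average lags the instantaneous length, a short burst that does not move the average is admitted even when the queue is momentarily long, while a persistent overload pushes the average past the thresholds and the red packets are shed first. Lowering the weight makes the average smoother and the reaction slower.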

5.7.6 Traffic Shaping

When congestion occurs, traffic policing (CAR) enforces the traffic profile by dropping packets that do not conform to it. To reduce packet loss, nonconforming packets can instead be buffered and sent later at a uniform rate under token bucket control. This is traffic shaping. Traffic shaping reduces packet loss while still making the traffic conform to the profile, at the cost of added delay and buffer memory; when the buffer is full, excess packets are dropped just as with policing.

A typical application of traffic shaping is to control the rate and burstiness of outgoing traffic on a network connection so that packets leave at a uniform rate. The NE40E uses Generic Traffic Shaping (GTS) to shape traffic that is bursty or does not conform to the preset profile, which simplifies matching the bandwidth between the upstream and downstream networks.

5.7.7 HQoS

Hierarchical QoS (HQoS) is a QoS technology that controls user traffic and schedules service queues according to priority at several levels.

The HQoS of the NE40E has the following functions:

l A five-level QoS scheduling hierarchy supports a rich set of services.

l The system supports PQ and Confirmed Bandwidth Priority Queue (CBPQ).
− PQ is based on absolute priority. Once the network is congested, packets of the highest priority are always sent first and packets of lower priorities are discarded. PQ cannot guarantee bandwidth to each priority level.
− CBPQ is based on bandwidth guarantees: each queue is assured its committed bandwidth, and the remaining bandwidth is used in full while those guarantees are kept.

l Multiple sub-interfaces or QinQ sub-interfaces can share a subscriber queue (SQ).

l The following queue parameters can be configured: maximum queue length, WRED, low delay, SP/WRR weight, committed burst size (CBS), peak burst size (PBS), and statistics enabling.


l The system supports the configuration of parameters such as the CIR, PIR, number of queues, and scheduling algorithms between queues for each user.

l The system supports traffic statistics, which let carriers view the bandwidth use of each service, analyze traffic, and allocate bandwidth to services accordingly.

l The system supports the HQoS of VPLS, L3VPN, VLL, and TE.
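The following Python example, added to illustrate the queue scheduling of 5.7.4 and the PQ versus CBPQ contrast in the HQoS list above, is not NE40E code. It runs a strict priority scheduler and a weighted round robin scheduler over the same backlog on a congested interface: PQ starves the lower queues as long as the top queue has traffic, whereas the weighted scheduler gives each queue its share and hands unused share to the queues that still have packets, which is the bandwidth-guarantee behaviour the text attributes to CBPQ. The queue names, weights, and packet counts are assumed values.

```python
"""Strict priority queuing (PQ) versus weighted round robin on a congested
interface.  Added illustration of the queue scheduling in 5.7.4 and of the
PQ/CBPQ contrast in 5.7.7; it is not NE40E code, and the queue names, weights
and packet counts are assumed values."""
from collections import deque


def make_queues(backlog):
    """backlog: {queue name: packets waiting}, listed highest priority first."""
    return {name: deque(range(n)) for name, n in backlog.items()}


def run_pq(queues, slots):
    """Strict priority: every transmission slot goes to the first non-empty
    queue in priority order.  Lower queues get nothing while higher ones
    stay backlogged."""
    served = {name: 0 for name in queues}
    for _ in range(slots):
        for name, q in queues.items():
            if q:
                q.popleft()
                served[name] += 1
                break
    return served


def run_wrr(queues, weights, slots):
    """Weighted round robin: per round each queue may send up to its weight;
    an empty queue does not accumulate credit, so spare capacity goes to the
    queues that have traffic (a guaranteed share rather than an absolute
    priority)."""
    served = {name: 0 for name in queues}
    credit = {name: 0 for name in queues}
    remaining = slots
    while remaining > 0 and any(queues.values()):
        for name, q in queues.items():
            credit[name] = credit[name] + weights[name] if q else 0
            while credit[name] > 0 and q and remaining > 0:
                q.popleft()
                credit[name] -= 1
                served[name] += 1
                remaining -= 1
    return served


def compare(backlog, weights, slots):
    """Run both schedulers on identical backlogs; return packets sent per queue."""
    return (run_pq(make_queues(backlog), slots),
            run_wrr(make_queues(backlog), weights, slots))


if __name__ == "__main__":
    backlog = {"EF": 100, "AF1": 100, "BE": 100}   # all three queues saturated
    weights = {"EF": 4, "AF1": 3, "BE": 1}
    pq, wrr = compare(backlog, weights, slots=80)
    print("PQ :", pq)     # EF takes every slot; AF1 and BE starve
    print("WRR:", wrr)    # 4:3:1 share of the 80 slots
```

With 80 transmission slots and all queues saturated, PQ sends 80 EF packets and nothing else, while the weighted scheduler sends 40, 30, and 10. When the BE queue holds only two packets, the weighted scheduler redistributes the unused BE share to EF and AF1 in their 4:3 ratio.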

5.7.8 QPPB

QoS policy propagation through the Border Gateway Protocol (QPPB) propagates QoS policy by means of BGP route attributes.

On the BGP receiver, you can:

l Set QoS parameters for BGP routes, such as the IP precedence and traffic behavior, based on the attributes of the route.

l Classify traffic based on those QoS parameters and set a QoS policy for the classified traffic.

l Forward packets according to the QoS policy, which realizes QPPB.

On the BGP receiver, the QoS parameters, such as IP precedence and traffic behavior, can be set according to the following attributes of BGP routes:

l ACL
l AS path list
l Community attribute list
l Route cost
l Address prefix list

Figure 5-46 QPPB (AS100 advertises routing information to AS200; AS200 configures a QoS policy, and packets are filtered by that policy)

In a complex network, the policy for route classification needs to change from time to time. QPPB simplifies such changes on the BGP receiver: because the receiver derives its QoS treatment from route attributes, changing the routing policy on the BGP sender (for example, the community attached to the advertised routes) changes the QoS policy applied on the receiver without reconfiguring the receiver.


5.7.9 Ethernet QoS

L2 Simple Traffic Classification

The NE40E supports simple traffic classification by the 802.1p value in VLAN-tagged packets. On the ingress PE router, the 802.1p value of a Layer 2 packet can be mapped to the precedence field of the upper layer protocol, such as the IP DSCP value or the MPLS EXP value, so that DiffServ treatment is provided for the packet in the backbone network. On the egress PE router, the precedence field of the upper layer protocol is mapped back to the 802.1p value to restore the original Ethernet priority.

QinQ Simple Traffic Classification

After QinQ encapsulation, transit devices forward on the outer VLAN tag and do not look at the 802.1p priority in the inner VLAN tag. The inner tag, however, is what distinguishes key services from ordinary services, so without further action the classes of service are no longer differentiated.

The 802.1p value in the inner VLAN tag therefore needs to be taken into account when QinQ is implemented. You can configure the rules through commands as follows:

l Ignore the 802.1p value in the inner VLAN tag and set a new 802.1p value in the outer VLAN tag.

l Copy the 802.1p value in the inner VLAN tag to the outer VLAN tag automatically.

l Set the 802.1p value in the outer VLAN tag according to a mapping from the 802.1p value in the inner VLAN tag.

As shown in Figure 5-47, QinQ supports 802.1p re-marking in the following three modes:

l Set a fixed value (Pipe mode).
l Use the 802.1p value in the inner VLAN tag (Uniform mode).
l Map the 802.1p value in the inner VLAN tag to a value in the outer VLAN tag. Several inner values may map to the same outer value, but one inner value cannot map to different outer values.

Figure 5-47 Typical networking diagram of 802.1p re-marking supported by QinQ (a CE connected to a PE of the ISP network; the PE performs QinQ with 802.1p re-marking)


5.7.10 ATM QoS

At the edge of the ATM network, the router provides access to the IP network. Data is encapsulated in AAL5 frames (IPoA or IPoEoA). The router decapsulates such frames and forwards them to interfaces of other types, or forwards them to Ethernet interfaces as Layer 2 Ethernet frames.

The IP network and the ATM network communicate through IPoA. IPoA, however, cannot make use of all ATM functions, and when a full mesh of PVCs is used the scalability of ATM applications is limited. An IP network with Ethernet interfaces of 10 Gbit/s and above therefore cannot simply be interconnected with an ATM network: without traffic planning and traffic policing, congestion occurs and QoS cannot be ensured. ATM QoS is introduced to provide both for the interworking of IP backbone networks and ATM backbone networks.

The ATM network has its own QoS capability. With the transition from ATM to IP/MPLS networks, that capability needs to be preserved. Mappings between IP precedence and ATM precedence let ATM cells of higher precedence keep the same precedence in the IP network, and let IP packets of higher precedence keep the same precedence in the ATM network.

ATM Simple Traffic Classification

When the ATM network is used as the bearer layer of the IP network, the QoS mechanisms of the ATM network and the IP network must be combined to obtain end-to-end QoS.

By enabling ATM simple traffic classification on an interface, PVC, or PVP, you can map the CoS and CLP value of upstream ATM cells to the internal priority of the router, and map the internal priority to the CoS and CLP value of downstream ATM cells. Various QoS services can thus be carried across different ATM networks.

ATM simple traffic classification supports:

l Transparent transmission of ATM cells
l 1483R traffic
l 1483B traffic

RFC 1483 routed encapsulation (1483R) carries IP packets for the IPoA service; RFC 1483 bridged encapsulation (1483B) carries Ethernet frames for the IPoEoA service.

ATM Forcible Traffic Classification

Although ATM cells carry precedence information, it is difficult to perform simple traffic classification for IPoA, transparent cell transmission, and IWF on the basis of that information. Instead you can apply forcible traffic classification on the upstream interface: you set the precedence and color manually, through command lines, for a specific PVC, interface (including sub-interfaces), or PVP, and the precedence and color are carried to the downstream interface.

As shown in Figure 5-48, you set the precedence and color for a specific flow on the upstream ATM interface of Router A through command lines. The downstream interface then selects an outgoing queue for the flow based on the configured precedence and color. In this manner, ATM QoS is implemented.

Figure 5-48 ATM forcible traffic classification (the packet precedence is set and the packet marked on the upstream ATM interface of Router A; the downstream ATM interface of Router B assigns the flow to an outgoing queue, BE, AF1, EF, CS6, or CS7, according to the precedence and color of the flow)

ATM physical interfaces, ATM sub-interfaces, ATM PVCs, and ATM PVPs all support forcible traffic classification.

5.7.11 FR QoS

FR has its own QoS, which can be configured per PVC to provide flexible services for customers.

FRTS

Frame Relay Traffic Shaping (FRTS) is used on the outbound interface of the router to limit the rate at which packets are sent on a VC.

FRTP

Frame Relay Traffic Policing (FRTP) is used on the inbound interface of the router to monitor the traffic received from a VC. If the traffic exceeds the configured value, the excess packets are discarded.

FRTP can be used only on a Data Circuit-terminating Equipment (DCE) interface to monitor traffic from the Data Terminal Equipment (DTE).

FR Congestion Management

The FR frame header includes bits used for congestion management:

l Forward Explicit Congestion Notification (FECN): if set to 1, congestion has occurred in the direction in which the frame is travelling.

l Backward Explicit Congestion Notification (BECN): if set to 1, congestion has occurred in the opposite direction. If no backward frame is forwarded during a period, the router automatically sends a Q.922A Test Response with BECN set to 1 to the DTE.

l Discard Eligibility (DE): specifies whether the frame may be discarded. If set to 1, the frame is discarded first in the case of congestion.

Figure 5-49 Diagram of FR congestion management (Router A, the DTE, sends data across the Frame Relay network to Router B through the DCE and NNI; FECN travels in the data direction and BECN against it)

The system decides whether congestion has occurred from the ratio of the current queue length of the FR interface or VC to the total queue length of that interface or VC. If the ratio exceeds the threshold, congestion is considered to have occurred: frames with DE set to 1 are discarded, and the FECN and BECN bits of the remaining frames are set to 1.

You can set the congestion threshold in either of two ways:

l Set the congestion threshold of the interface in the interface view.
l Set the congestion threshold of the FR VC in the FR class view.
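The following Python example, added to illustrate the FR congestion handling above, is not NE40E code. It decodes and builds the standard two-byte Q.922 address field (DLCI, C/R, FECN, BECN, DE, and the extension bits) and applies the rule in the text: when queue occupancy exceeds the threshold, frames with DE set are discarded and the others are forwarded with a congestion bit set. Following the FECN/BECN definitions above, FECN is set on frames travelling with the congested flow and BECN on frames travelling against it; the queue threshold, DLCI, and payload are assumed values.

```python
"""Frame Relay Q.922 address field (DLCI, FECN, BECN, DE) and the congestion
handling described for the FR interface.

Added illustration of 5.7.11; it is not NE40E code.  The two-byte address
layout is the standard Q.922 format; the threshold, DLCI and payload used in
the demonstration are assumed values."""


def parse_fr_address(frame):
    """Decode the two-byte Q.922 address at the start of a frame."""
    b1, b2 = frame[0], frame[1]
    if (b1 & 0x01) != 0 or (b2 & 0x01) != 1:
        raise ValueError("extension bits do not describe a 2-byte address")
    return {
        "dlci": ((b1 >> 2) << 4) | (b2 >> 4),   # 6 high bits + 4 low bits
        "cr": (b1 >> 1) & 1,                     # command/response
        "fecn": (b2 >> 3) & 1,
        "becn": (b2 >> 2) & 1,
        "de": (b2 >> 1) & 1,                     # discard eligibility
    }


def build_fr_address(dlci, cr=0, fecn=0, becn=0, de=0):
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b1 = ((dlci >> 4) << 2) | (cr << 1)          # EA = 0: another byte follows
    b2 = ((dlci & 0x0F) << 4) | (fecn << 3) | (becn << 2) | (de << 1) | 1
    return bytes([b1, b2])


def congested(queue_len, queue_max, threshold=0.75):
    """Congestion is declared when queue occupancy exceeds the threshold."""
    return queue_len / queue_max > threshold


def handle_frame(frame, direction, queue_len, queue_max, threshold=0.75):
    """Apply the text's rule.  Without congestion the frame is unchanged.
    Under congestion a DE=1 frame is discarded (None); any other frame is
    forwarded with FECN set if it travels with the congested flow
    ('forward') or BECN set if it travels against it ('backward')."""
    if not congested(queue_len, queue_max, threshold):
        return frame
    hdr = parse_fr_address(frame)
    if hdr["de"]:
        return None
    hdr["fecn" if direction == "forward" else "becn"] = 1
    return build_fr_address(**hdr) + frame[2:]


if __name__ == "__main__":
    payload = b"\x03\xcc\x45\x00"               # constructed: UI, NLPID=IP, IP header start
    frame = build_fr_address(100, de=1) + payload
    print(parse_fr_address(frame))
    print(handle_frame(frame, "forward", 90, 100))        # None: DE frame dropped
    marked = handle_frame(build_fr_address(100) + payload, "forward", 90, 100)
    print(parse_fr_address(marked))                       # FECN set
```

A receiver that honours these bits reads FECN as "slow down what you are sending into this direction" and BECN as "the other direction is congested"; the DE bit is what lets the network shed the customer's excess (above-CIR) traffic first.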

FR Queue Management

Normally an FR interface has a queue but an FR VC has none. When FR traffic shaping is enabled on the interface, every VC on the interface gets its own queue, and packets sent on a VC enter that queue first.

Figure 5-50 shows the relationship between the VC queue and the interface queue.

Figure 5-50 Diagram of FR queues (packets pass from the per-virtual-circuit queues into the interface queue)

The FR interface supports the following queues:

l First-In First-Out queue
l Priority queue
l Custom queue
l Weighted fair queue
l Class-based queue
l Realtime Transport Protocol priority queue
l PVC interface priority queue

FR Fragmentation

When voice is transmitted together with data, a large data packet occupies the link for a long time. Voice packets queued behind it are delayed or discarded, and voice quality degrades.

FR fragmentation shortens this delay to keep voice real-time. After FR fragmentation is configured, a large data packet is split into fragments, and voice packets can be interleaved between the fragments. Voice packets are thus processed on time and delay is reduced.

5.8 Traffic Statistics

The NE40E provides several types of traffic statistics functions. It can collect statistics on the access traffic of different users.

Traffic statistics have the following uses:

l Helping carriers analyze the traffic model of the network
l Providing reference data for carriers to deploy and maintain DiffServ TE
l Supporting traffic-based accounting for users who are not on a flat monthly rate

5.8.1 URPF Traffic Statistics

The NE40E collects statistics either on all traffic that passes the URPF check or on the traffic that fails the check and is discarded.


Figure 5-51 URPF traffic statistics (packets enter a classifier; statistics are kept for unmatched packets, whose default action is pass, and for packets that match rules; the action allows packets that comply with URPF to pass through and discards those that do not, with statistics on both)

5.8.2 ACL Traffic Statistics

The NE40E supports ACL traffic statistics. When ACLs are applied to QoS or policy-based routing and the ACL traffic statistics function is enabled, the NE40E collects statistics by ACL number. Commands are provided to query the number of packets and bytes that matched ACL rules.

5.8.3 CAR Traffic Statistics

The NE40E provides QoS features such as traffic classification, traffic policing (CAR), and queue scheduling, and provides traffic statistics for each of them.

l In traffic classification, the system can collect statistics on the traffic that matches rules and on the traffic that does not.


Figure 5-52 Traffic statistics in traffic classification (packets enter a classifier; statistics are kept for unmatched packets, whose default action is pass, and for packets that match rules, on which the configured action is performed: filter, CAR, mirror, redirect, re-mark, sample, URPF, or TTL check)

l In traffic policing, the system supports statistics on the following traffic:
− Total traffic that matches the CAR rule.
− Traffic that is permitted or discarded by the CAR rule.

Figure 5-53 CAR traffic statistics (packets are metered against bucket C and then bucket E; a packet that finds enough tokens in bucket C is marked green, a packet that finds enough tokens only in bucket E is marked yellow, and a packet that finds enough tokens in neither is marked red; packets are then processed according to the color marked: green packets are allowed to pass through, yellow packets are re-marked, and red packets are discarded; statistics are kept at each stage)

l The system supports interface-based traffic statistics.

l When the same traffic policy is applied on several interfaces, the CAR traffic statistics of the policy are kept per interface.
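The following Python example, added to illustrate both the CAR token bucket described in 5.7.3 (Figure 5-44) and the bucket C / bucket E statistics of Figure 5-53, is not NE40E code. It implements a single-rate three-color meter in which bucket C refills at the committed rate and overflow tokens spill into bucket E, colors each packet green, yellow, or red, maps the color to pass, re-mark, or drop, and keeps the per-color counters that the statistics report. A red packet leaves both buckets untouched, as the text specifies. The optional min_len parameter charges short packets as if they were min_len bytes long, which models the smallest packet compensation described under 5.10.7. The rates, burst sizes, and packet trace are assumed values.

```python
"""Single-rate three-colour marking with a committed bucket (C) and an excess
bucket (E), with the per-colour counters behind the CAR statistics.

Added illustration of the CAR token bucket in 5.7.3 and of the bucket C /
bucket E statistics in 5.8.3; it is not NE40E code.  Rates, burst sizes and
the packet trace are assumed values.  The optional min_len models the
smallest-packet compensation described under 5.10.7."""


class SrTcm:
    """Bucket C refills at cir bytes per second up to cbs bytes; tokens that
    would overflow C spill into bucket E up to ebs bytes (RFC 2697 style).
    Green = fits in C, yellow = fits in E, red = fits in neither."""

    def __init__(self, cir, cbs, ebs, min_len=0):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.tc, self.te = cbs, ebs          # both buckets start full
        self.last = 0.0
        self.min_len = min_len               # 0 disables the compensation
        self.stats = {"green": 0, "yellow": 0, "red": 0, "matched_bytes": 0}

    def _refill(self, now):
        tokens = (now - self.last) * self.cir
        self.last = now
        room_c = self.cbs - self.tc
        if tokens <= room_c:
            self.tc += tokens
        else:
            self.tc = self.cbs
            self.te = min(self.ebs, self.te + tokens - room_c)

    def meter(self, now, length):
        """Return the colour of a packet of 'length' bytes arriving at 'now'
        (seconds).  Tokens are consumed only for green or yellow packets; a
        red packet leaves both buckets unchanged."""
        self._refill(now)
        cost = max(length, self.min_len)     # short packets charged as min_len
        self.stats["matched_bytes"] += length
        if self.tc >= cost:
            self.tc -= cost
            colour = "green"
        elif self.te >= cost:
            self.te -= cost
            colour = "yellow"
        else:
            colour = "red"
        self.stats[colour] += 1
        return colour


# Colour-to-action mapping from Figure 5-53: pass / re-mark / discard.
ACTIONS = {"green": "pass", "yellow": "remark", "red": "drop"}


def police(trace, cir=1000, cbs=1500, ebs=1500, min_len=0):
    """trace: iterable of (arrival_time_s, length_bytes).  Returns the count
    per action and the meter's raw statistics."""
    meter = SrTcm(cir, cbs, ebs, min_len)
    counts = {"pass": 0, "remark": 0, "drop": 0}
    for t, length in trace:
        counts[ACTIONS[meter.meter(t, length)]] += 1
    return counts, meter.stats


if __name__ == "__main__":
    # Constructed trace: a 7-packet burst at t=0, then 3 packets one second later.
    trace = [(0.0, 500)] * 7 + [(1.0, 500)] * 3
    print(police(trace))
```

With a CIR of 1000 bytes/s and CBS and EBS of 1500 bytes each, the burst at t=0 yields three green, three yellow, and one red packet; one second later only 1000 bytes of tokens have been replenished, all of them into bucket C, so two more packets are green and the third is red. With min_len set to 128, a flood of 64-byte packets exhausts the same buckets in half as many packets as it would without compensation.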

5.8.4 HQoS Traffic Statistics

The system supports the following statistics on traffic queues:

l Number of forwarded packets, forwarded bytes, and discarded packets for the queues of the eight priority levels

l Number of forwarded packets, forwarded bytes, and discarded packets for the user group queue

l Number of forwarded packets, forwarded bytes, and discarded packets for the eight class queues on an interface

5.8.5 Interface-based Traffic Statistics

The system supports traffic statistics on an interface or a sub-interface.

5.8.6 VPN Traffic Statistics

The NE40E supports the following VPN statistics:

l In a VPLS network, the NE40E running as a PE router can collect statistics on the incoming and outgoing traffic of each access L2VPN user.

l In an L3VPN, the NE40E running as a PE router can collect statistics on the incoming and outgoing traffic of access users of the following types:
− Users that access the network through interfaces, including logical interfaces
− Multi-role hosts
− Users that access the network through VPLS/VLL

5.8.7 TE Tunnel Traffic Statistics

When the NE40E runs as a PE router in an MPLS TE network, it supports statistics on the incoming and outgoing traffic of a tunnel. When a VPN is statically bound to a TE tunnel, the system can collect statistics on the traffic of each resource-isolated VPN over the tunnel as well as on the total traffic over the tunnel.

5.9 IP Compression

In an NGN bearer network, some carriers are short of transmission resources. In IP NGN voice services the RTP/UDP/IP packet header is about 40 bytes, while with efficient voice codecs the voice payload in each packet is under 30 bytes, so the header costs more than the payload it carries and transmission efficiency is low. The NE40E provides compression algorithms that improve transmission efficiency and relieve the shortage of transmission resources.

Compressed RTP (cRTP), defined in RFC 2508, compresses the 40-byte header comprising the IP, UDP, and RTP headers into 2 to 4 bytes.


In a traditional network, voice over IP is carried by RTP, as shown in Figure 5-54.

Figure 5-54 Format of RTP packets

PPP (8 bytes) | IP (20 bytes) | UDP (8 bytes) | RTP (12 bytes) | Voice data (15-30 bytes)

In the figure above, the voice data occupies a few tens of bytes while the IP, UDP, and RTP headers together take 40 bytes. Within a session about half of the header bytes, such as the source and destination IP addresses and the source and destination port numbers, never change. The length fields in the IP and UDP headers are redundant because the length can be derived from the link layer frame length. Fields that do change, such as the IP identification, the RTP sequence number, and the RTP timestamp, usually change by a constant amount from packet to packet and can be coded as differences. Once these redundant fields are compressed, only 2 to 4 bytes remain (normally 2 bytes; 4 bytes when the UDP checksum is carried), as shown in Figure 5-55.

Figure 5-55 Format of cRTP packets

PPP (8 bytes) | cRTP (2-4 bytes) | Voice data (15-30 bytes)

5.10 Network Security

When the NE40E runs as the security gateway between the customer's network and the service system, it provides the following:

l An advanced security architecture
l A rich set of security protocols
l Strict service access control


Figure 5-56 Security features (the figure lists routing protocol MD5 authentication; separation of the control plane from the forwarding plane; control information filtering and limitation; the secure VRP system; SSH; RADIUS; TACACS+; SYSLOG; NQA; bidirectional ACL; URPF; mirroring; NetStream; sinkhole; Layer 2 limit; ARP attack protection; DHCP snooping; port rate limit; and broadcast/abnormal traffic suppression, grouped under service access security, routing security, management security, and forwarding security)

The following section describes the security features that the NE40E supports.

5.10.1 AAA

The NE40E implements complete AAA, performing authentication, authorization, and accounting for access users according to policy.

AAA supports three types of user authentication:

l Local authentication
l Remote Authentication Dial-In User Service (RADIUS) authentication
l Huawei Terminal Access Controller Access Control System (HWTACACS) authentication

AAA supports four authorization modes:

l Direct authorization: users are authorized without any check.
l Local authorization: local users are authorized according to the configured attributes of their accounts.
l HWTACACS authorization: users are authorized by the HWTACACS server.
l if-authenticated authorization: users are authorized if they pass authentication and the authentication mode is not "none".

AAA supports the following accounting modes:

l Non-accounting: services are provided free of charge.
l Remote accounting: accounting is performed through the RADIUS server or the HWTACACS server.

5.10.2 Protocol Security Authentication

PPP supports the PAP and CHAP authentication modes. PAP sends the password in clear text; CHAP uses a challenge-response exchange so that the password itself never crosses the link.


Routing protocols including RIPv2, OSPF, IS-IS, and BGP support plain-text authentication and MD5 authentication. MD5 authentication appends a message digest computed over the packet and a shared key; it authenticates the packet but does not encrypt it.

LDP and RSVP support MD5 authentication.

SNMP supports SNMPv3 authentication and encryption.
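The following Python example, added to show what the MD5 authentication listed above actually computes, is not NE40E code. It builds and verifies OSPFv2 packets with cryptographic authentication as defined in RFC 2328 Appendix D: the authentication field carries a key ID, the digest length, and a cryptographic sequence number, and the 16-byte MD5 digest of the packet followed by the zero-padded key is appended after the packet. The verifier rejects an unknown key ID, a sequence number lower than the last one accepted (replay), and a digest that does not match. The router ID, area, key, and Hello body are constructed values.

```python
"""OSPFv2 cryptographic (MD5) authentication as defined in RFC 2328 Appendix D.

Added illustration of the MD5 authentication in 5.10.2, written independently
of the NE40E.  The router ID, area, key and Hello body are constructed values."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
AU_CRYPTOGRAPHIC = 2
DIGEST_LEN = 16
HDR_FMT = "!BBHIIHH"      # version, type, length, router id, area id, checksum, autype
AUTH_FMT = "!HBBI"        # reserved, key id, auth data length, crypto sequence


def pad_key(key):
    """Keys are 1..16 octets and are zero-padded to 16 for the digest."""
    if not 1 <= len(key) <= 16:
        raise ValueError("key must be 1..16 bytes")
    return key.ljust(16, b"\x00")


def build_packet(body, router_id, area_id, key_id, seq, key, pkt_type=1):
    """Return header + body + digest.  The length field excludes the digest
    and the checksum is zero when cryptographic authentication is in use."""
    length = 24 + len(body)
    header = struct.pack(HDR_FMT, OSPF_VERSION, pkt_type, length,
                         router_id, area_id, 0, AU_CRYPTOGRAPHIC)
    auth = struct.pack(AUTH_FMT, 0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify_packet(data, keys, last_seq=None):
    """keys: {key id: secret}.  last_seq: highest sequence number already
    accepted from this neighbour, if any.  Returns (accepted, reason)."""
    if len(data) < 24 + DIGEST_LEN:
        return False, "truncated"
    version, _, length, _, _, _, autype = struct.unpack(HDR_FMT, data[:16])
    if version != OSPF_VERSION or autype != AU_CRYPTOGRAPHIC:
        return False, "not an OSPFv2 cryptographic-auth packet"
    if length + DIGEST_LEN != len(data):
        return False, "length mismatch"
    _, key_id, auth_len, seq = struct.unpack(AUTH_FMT, data[16:24])
    if auth_len != DIGEST_LEN or key_id not in keys:
        return False, "unknown key id"
    if last_seq is not None and seq < last_seq:
        return False, "replayed sequence number"
    expected = hashlib.md5(data[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, data[length:]):
        return False, "digest mismatch"
    return True, "ok"


# Constructed Hello body: netmask, hello interval, options, priority,
# dead interval, DR, BDR (no neighbours listed).
HELLO_BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
ROUTER_ID, AREA_ID = 0x0A000001, 0          # 10.0.0.1, area 0
KEYS = {1: b"s3cret"}


def demo():
    pkt = build_packet(HELLO_BODY, ROUTER_ID, AREA_ID, 1, 1001, KEYS[1])
    tampered = pkt[:30] + bytes([pkt[30] ^ 0x01]) + pkt[31:]   # flip a body bit
    return {
        "genuine": verify_packet(pkt, KEYS),
        "tampered": verify_packet(tampered, KEYS),
        "wrong_key": verify_packet(pkt, {1: b"guess"}),
        "replayed": verify_packet(pkt, KEYS, last_seq=1002),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

Two caveats a practitioner would add: the construction is a plain digest over packet plus key, not an HMAC, and MD5 itself is no longer considered strong, so where the peer supports it the HMAC-SHA variants of RFC 5709 are preferable. Even so, any keyed digest is a large improvement over plain-text authentication, which exposes the key to anyone on the link.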

5.10.3 RPF/URPF

Unicast Reverse Path Forwarding (URPF) defends against attacks that use forged source addresses.

When a router receives a packet, it normally looks up only the destination address: if a matching route exists the packet is forwarded, otherwise it is discarded. When a packet arrives on a URPF-enabled interface, the router also takes the packet's source address and inbound interface, looks up the source address in the routing table as if it were a destination, and compares the interface of the resulting route with the interface on which the packet actually arrived. If they do not match, URPF treats the source address as forged and discards the packet.

URPF is therefore applicable in such environments and prevents this kind of attack. Because the check requires the return path to lie on the inbound interface, it should be deployed where routing is symmetric, typically at the customer or access edge; with asymmetric routing it would discard legitimate packets.
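The following Python example, added to illustrate the URPF check above together with the pass/drop counters of 5.8.1, is not NE40E code. It performs a longest-prefix lookup of each packet's source address in a small FIB and passes the packet only when the route's interface is the interface the packet arrived on. A loose mode, in which any route to the source other than a discard route suffices, is included as an assumption about standard URPF behaviour; the text above describes only the strict check. The routes, interface names, and packets are constructed values.

```python
"""Strict unicast RPF check against a small FIB with longest-prefix match,
with the pass/drop counters of 5.8.1.

Added illustration of 5.10.3; it is not NE40E code.  The routes, interface
names and packets are constructed values.  Loose mode is the standard URPF
variant (any non-discard route to the source suffices), included as an
assumption; the text describes only the strict check."""
import ipaddress


class Fib:
    def __init__(self, routes):
        """routes: iterable of (prefix, outgoing interface)."""
        parsed = [(ipaddress.ip_network(p), iface) for p, iface in routes]
        # Longest prefix first, so the first hit is the best match.
        self.routes = sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None


def urpf_check(fib, src, in_iface, mode="strict"):
    """Look up the packet's SOURCE address as if it were a destination and
    compare the route's interface with the interface the packet arrived on."""
    out_iface = fib.lookup(src)
    if out_iface is None or out_iface == "null0":
        return False                      # no route, or a discard route
    if mode == "loose":
        return True
    return out_iface == in_iface


def filter_packets(fib, packets, mode="strict"):
    """Return the packets that pass and the URPF statistics."""
    stats = {"passed": 0, "dropped": 0}
    passed = []
    for pkt in packets:
        if urpf_check(fib, pkt["src"], pkt["in"], mode):
            stats["passed"] += 1
            passed.append(pkt)
        else:
            stats["dropped"] += 1
    return passed, stats


# Constructed topology: customer on eth1, peer on eth2, upstream default via eth0.
FIB = Fib([
    ("10.1.0.0/16", "eth1"),
    ("192.0.2.0/24", "eth2"),
    ("192.0.2.128/25", "null0"),        # discard route for an unallocated block
    ("0.0.0.0/0", "eth0"),
])

PACKETS = [
    {"src": "10.1.2.3", "in": "eth1"},        # customer, correct interface
    {"src": "192.0.2.9", "in": "eth1"},       # peer address forged by the customer
    {"src": "203.0.113.5", "in": "eth0"},     # Internet host via upstream
    {"src": "10.1.2.3", "in": "eth0"},        # customer address forged from upstream
    {"src": "192.0.2.200", "in": "eth2"},     # source covered by the discard route
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        _, stats = filter_packets(FIB, PACKETS, mode)
        print(mode, stats)
```

Strict mode passes two of the five packets and drops the two forged ones and the one from the discarded block; loose mode also passes the two forged packets, which shows why loose mode only helps against sources that have no route at all.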

5.10.4 MAC Limit

With its MAC limit functions, the NE40E provides security solutions for large Layer 2 networks and VPLS networks.

MAC Address Limit

With the rapid growth of Metro Ethernet, security at the ingress of the MAN becomes increasingly important. In a Metro Ethernet, a large number of individual users access the Internet over Ethernet links, and attackers and malware commonly flood the network with forged source MAC addresses. The MAC address limit supported by the NE40E defends the network against such attacks and protects the ISP network.

With MAC address limit, the system can cap the number of MAC addresses a customer may have learned, so that one customer cannot exhaust the MAC address table and crowd out other customers; it can also discard attack packets at the ingress and stop invalid packets from consuming bandwidth.

MAC address learning is the basic feature of Layer 2 forwarding. It is automatic and easy to use, but it needs to be deployed with caution to avoid attacks.

The NE40E supports the following limits on MAC address learning:

l Limit on the number of MAC addresses that can be learned
l Limit on the rate of MAC address learning
l Limit on interface-based MAC address learning
l Limit on MAC address learning based on VLAN+port
l Limit on MAC address learning based on port+VSI
l Limit on MAC address learning based on QinQ


Limits on MAC address learning suit environments with a fixed set of access users and little security, such as community access or an intranet without security management. When the number of MAC addresses learned on an interface exceeds the configured threshold, the MAC address of a new user is not learned; that user's traffic is then flooded as unknown traffic at a restricted rate.
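The following Python example, added to illustrate the MAC address limit above, is not NE40E code. It models a MAC address table with a per-interface limit, an optional per-VLAN+port limit, and a learning-rate limit, and runs a MAC flooding attack against it: once the limit is reached, further forged addresses are refused and traffic to unknown destinations is flooded, exactly the condition the text describes. The limits, port names, and the flood are constructed values.

```python
"""MAC address learning with per-interface, per-VLAN+interface and learning-
rate limits, and the flooding that results when a limit is hit.

Added illustration of 5.10.4; it is not NE40E code.  The limits, port names
and the attacker's flood are constructed values."""


class MacTable:
    def __init__(self, port_limit, vlan_port_limit=None, learn_rate=None):
        self.port_limit = port_limit                    # max entries per port
        self.vlan_port_limit = vlan_port_limit or {}    # (port, vlan) -> max
        self.learn_rate = learn_rate                    # new entries per port per second
        self.table = {}                                 # (vlan, mac) -> port
        self.window = {}                                # port -> (window start, learned)
        self.stats = {"learned": 0, "refused_limit": 0, "refused_rate": 0}

    def entries(self, port, vlan=None):
        return sum(1 for (v, _), p in self.table.items()
                   if p == port and (vlan is None or v == vlan))

    def learn(self, src_mac, vlan, port, now):
        """Called for every frame; returns how the source address was handled."""
        if (vlan, src_mac) in self.table:
            return "known"
        vlan_limit = self.vlan_port_limit.get((port, vlan))
        if self.entries(port) >= self.port_limit or \
                (vlan_limit is not None and self.entries(port, vlan) >= vlan_limit):
            self.stats["refused_limit"] += 1
            return "refused"
        if self.learn_rate is not None:
            start, count = self.window.get(port, (now, 0))
            if now - start >= 1.0:                      # new one-second window
                start, count = now, 0
            if count >= self.learn_rate:
                self.window[port] = (start, count)
                self.stats["refused_rate"] += 1
                return "refused"
            self.window[port] = (start, count + 1)
        self.table[(vlan, src_mac)] = port
        self.stats["learned"] += 1
        return "learned"

    def forward(self, dst_mac, vlan):
        """Known destination: one port.  Unknown: flooded in the VLAN, which is
        what happens to a refused user's traffic (at a restricted rate)."""
        return self.table.get((vlan, dst_mac), "flood")


def mac_flood(table, port, vlan, count, now):
    """Attacker sends 'count' frames with distinct forged source MACs."""
    results = {"learned": 0, "refused": 0, "known": 0}
    for i in range(count):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        results[table.learn(mac, vlan, port, now)] += 1
    return results


if __name__ == "__main__":
    t = MacTable(port_limit=64)
    print(mac_flood(t, "GE1/0/1", 10, 1000, now=0.0))      # 64 learned, 936 refused
    print(t.learn("00:11:22:33:44:55", 10, "GE1/0/2", 0.0))  # other ports unaffected
    print(t.forward("00:11:22:33:44:55", 10), t.forward("02:00:00:00:03:ff", 10))
```

The per-port limit bounds how much of the table one customer can consume, and the rate limit slows an attacker down even before the limit is reached; neither stops the attacker's own frames from being flooded, which is why the text pairs the limit with rate-restricted flooding of unknown traffic.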

MAC Address Entry Deletion

In a VPLS or Layer 2 network, the MAC address table is the key to forwarding. Although MAC entries age out, the table is vulnerable to attacks, and invalid MAC entries need to be deleted to free MAC resources without a large impact on other services.

The NE40E provides the following types of MAC address entry deletion:

l Deletion of MAC address entries based on port+VSI
l Deletion of MAC address entries based on port+VLAN
l Deletion of MAC address entries based on the trunk interface
l Deletion of MAC address entries based on the outbound QinQ interface

5.10.5 Unknown Traffic Limit

In a VPLS or Layer 2 network, the unknown traffic limit supported by the NE40E:

l Manages users' traffic.
l Allocates bandwidth to users.
l Limits unknown unicast, unknown multicast, and broadcast traffic.

In this way, network bandwidth is used efficiently and network security is maintained.

5.10.6 DHCP Snooping

DHCP snooping, a DHCP security feature, filters untrusted DHCP messages by creating and maintaining a DHCP snooping binding table. The binding table records the MAC address, IP address, lease time, binding type, VLAN ID, and interface of each client. DHCP snooping acts as a firewall between clients and DHCP servers.

When DHCP is enabled on the device, DHCP snooping prevents DHCP Denial of Service (DoS) attacks, bogus DHCP server attacks, ARP man-in-the-middle attacks, and IP/MAC spoofing attacks.

DHCP snooping provides various working modes to prevent different types of attacks. Table 5-2 shows the types of attacks and the corresponding working modes of DHCP snooping.

Table 5-2 Attack types and DHCP snooping working modes

Attack type | DHCP snooping working mode
DHCP exhaustion attack | MAC address limitation
Bogus DHCP server attack | Trusted/untrusted ports
Man-in-the-middle attack or IP/MAC spoofing attack | DHCP snooping binding table
Attack by changing the CHADDR value | Check on the CHADDR of DHCP messages
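The following Python example, added to illustrate the four working modes of Table 5-2, is not NE40E code. It represents DHCP messages as dictionaries rather than parsed frames and exercises each defence on a constructed sequence: server messages are accepted only from a trusted port, a DISCOVER whose CHADDR differs from the frame's source MAC is dropped, a per-port client limit stops a flood of forged clients from exhausting the address pool, and once a lease is acknowledged the binding table is used to drop data packets and RELEASE messages whose IP/MAC/port combination does not match. The port names, addresses, and limit are constructed values.

```python
"""DHCP snooping: trusted and untrusted ports, the binding table, the CHADDR
check and a per-port client limit, exercised on a constructed packet sequence.

Added illustration of 5.10.6 and Table 5-2; it is not NE40E code.  Messages
are dictionaries rather than parsed DHCP frames, and the port names, addresses
and client limit are constructed values."""

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooper:
    def __init__(self, trusted_ports, max_clients_per_port=4):
        self.trusted = set(trusted_ports)
        self.max_clients = max_clients_per_port
        self.pending = {}      # (vlan, chaddr) -> port of the DISCOVER/REQUEST
        self.bindings = {}     # (vlan, mac) -> {"ip", "port", "lease"}
        self.dropped = []      # (message, reason), for inspection

    def _drop(self, msg, reason):
        self.dropped.append((msg, reason))
        return False

    def _clients_on(self, port):
        return (sum(1 for p in self.pending.values() if p == port)
                + sum(1 for b in self.bindings.values() if b["port"] == port))

    def handle_dhcp(self, msg):
        """Return True if the DHCP message may be forwarded."""
        key = (msg["vlan"], msg["chaddr"])
        if msg["msg_type"] in SERVER_MESSAGES:
            # Only servers behind trusted ports may answer (bogus server defence).
            if msg["port"] not in self.trusted:
                return self._drop(msg, "server message on untrusted port")
            if msg["msg_type"] == "ACK" and key in self.pending:
                self.bindings[key] = {"ip": msg["yiaddr"], "port": self.pending.pop(key),
                                      "lease": msg["lease"]}
            return True
        if msg["port"] in self.trusted:
            return True
        if msg["chaddr"] != msg["src_mac"]:
            return self._drop(msg, "CHADDR differs from source MAC")
        bound = self.bindings.get(key)
        if bound is not None and bound["port"] != msg["port"]:
            return self._drop(msg, "client MAC is bound to another port")
        if msg["msg_type"] in ("RELEASE", "DECLINE"):
            if bound is None:
                return self._drop(msg, "release for an address that is not bound")
            del self.bindings[key]
            return True
        # DISCOVER / REQUEST: cap the clients per untrusted port so a flood of
        # forged clients cannot exhaust the server's address pool.
        if (key not in self.pending and bound is None
                and self._clients_on(msg["port"]) >= self.max_clients):
            return self._drop(msg, "client limit reached on port")
        self.pending[key] = msg["port"]
        return True

    def handle_ip(self, pkt):
        """Data traffic from an untrusted port must match a binding exactly."""
        if pkt["port"] in self.trusted:
            return True
        bound = self.bindings.get((pkt["vlan"], pkt["src_mac"]))
        if bound is None or bound["ip"] != pkt["src_ip"] or bound["port"] != pkt["port"]:
            return self._drop(pkt, "source IP/MAC pair not in binding table")
        return True


def demo():
    """Constructed sequence: a legitimate lease on GE1/0/1, then attacks from GE1/0/2."""
    trusted, u1, u2 = "GE1/0/24", "GE1/0/1", "GE1/0/2"
    client, server, attacker = "00:11:22:33:44:01", "00:11:22:33:44:ff", "00:11:22:33:44:02"
    s = DhcpSnooper({trusted})
    r = {}
    r["discover"] = s.handle_dhcp({"port": u1, "vlan": 10, "msg_type": "DISCOVER", "src_mac": client, "chaddr": client})
    r["rogue_offer"] = s.handle_dhcp({"port": u2, "vlan": 10, "msg_type": "OFFER", "src_mac": attacker, "chaddr": client, "yiaddr": "10.0.0.66", "lease": 60})
    r["ack"] = s.handle_dhcp({"port": trusted, "vlan": 10, "msg_type": "ACK", "src_mac": server, "chaddr": client, "yiaddr": "10.0.0.5", "lease": 3600})
    r["bad_chaddr"] = s.handle_dhcp({"port": u2, "vlan": 10, "msg_type": "DISCOVER", "src_mac": attacker, "chaddr": client})
    r["spoofed_ip"] = s.handle_ip({"port": u2, "vlan": 10, "src_mac": client, "src_ip": "10.0.0.5"})
    r["genuine_ip"] = s.handle_ip({"port": u1, "vlan": 10, "src_mac": client, "src_ip": "10.0.0.5"})
    r["spoofed_release"] = s.handle_dhcp({"port": u2, "vlan": 10, "msg_type": "RELEASE", "src_mac": client, "chaddr": client})
    forged = [f"02:00:00:00:00:{i:02x}" for i in range(20)]
    r["exhaustion_admitted"] = sum(s.handle_dhcp({"port": u2, "vlan": 10, "msg_type": "DISCOVER", "src_mac": m, "chaddr": m}) for m in forged)
    return r, s


if __name__ == "__main__":
    results, snooper = demo()
    print(results)
    print(snooper.bindings)
```

The same binding table is what an ARP inspection function would consult to drop gratuitous ARP replies that claim another client's IP address, which is how the man-in-the-middle row of Table 5-2 is covered.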

5.10.7 Local Anti-attack

The NE40E provides a unified local anti-attack module that maintains and manages the anti-attack policy of the whole system, giving users a complete anti-attack solution that can be operated and maintained.

Whitelist

The whitelist is a group of valid users or users with high priority. By setting the whitelist, you enable the system to protect existing services or high-priority user services. You define the whitelist through Access Control Lists (ACLs); packets matching the whitelist are sent to the CPU with preference and at a high rate.

Users that are confirmed to access the system legitimately, and users with high priority, can be added to the whitelist.

Blacklist

The blacklist is a group of invalid users. You define the blacklist through ACLs; packets matching the blacklist are discarded or sent to the CPU at low priority.

Users that are confirmed to be attacking can be added to the blacklist.

User-defined flows

User-defined flows are anti-attack ACLs defined by the user. They are applied when an unknown attack emerges on the network: the user specifies the characteristics of the attack flows and rate-limits the flows that match them.

ALP

When a Border Gateway Protocol (BGP) session is set up, information about the session is synchronized into the whitelist so that the reliability and stability of the related services are ensured. When the system detects that the BGP session has been deleted, it removes the session's information from the whitelist.

This protection of the traffic of established BGP sessions through the whitelist is called Active Link Protection (ALP). Through ALP, existing services keep running during an attack.

CAR

Committed Access Rate (CAR) sets the rate at which classified packets are sent to the CPU. You can set the average rate, the peak rate, and the priority for each type of packet. With different CAR rules for different packets, the system keeps one type of packet from affecting another and thus protects the CPU. CAR can also set the total rate at which packets are sent to the CPU; when the total rate exceeds the upper limit, the system discards the excess packets, avoiding CPU overload.

Smallest packet compensation

The NE40E uses the smallest packet compensation function to counter small-packet attacks efficiently. After receiving packets to be sent to the CPU, the system checks the packet length:

• When the packet length is smaller than the preset minimum packet length, the system calculates the sending rate using the preset minimum length.

• When the packet length is greater than the preset minimum packet length, the system calculates the sending rate using the actual packet length.

The LPUA supports presetting the minimum packet length. The minimum packet length supported by the LPUB is 128 bytes.
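As an added example (not NE40E code), the following Python models a CAR meter towards the CPU as a token bucket and shows how charging short packets at the preset minimum length reduces what a small-packet flood can push through. The rates, bucket depth and 128-byte minimum are constructed values; the page's separate peak rate and priority settings are not modelled.

```python
"""Added example (not NE40E code): a CAR meter towards the control-plane CPU
with smallest-packet compensation, modelled as a token bucket.
All rates, bucket sizes and the 128-byte minimum used below are constructed
test values, not NE40E defaults."""
from dataclasses import dataclass, field


def charged_length(pkt_len: int, min_len: int) -> int:
    """Length the meter charges for a packet: anything shorter than the
    preset minimum is charged as if it were min_len bytes long, so a flood
    of tiny packets cannot slip under a byte-based rate limit."""
    return max(pkt_len, min_len)


@dataclass
class PacketCar:
    """Token bucket for one class of packets destined for the CPU.

    cir_bps      committed (average) rate in bytes per second
    burst_bytes  bucket depth, i.e. the largest burst admitted at once
    min_len      smallest-packet compensation threshold (0 = disabled)
    Time is kept in integer milliseconds so the arithmetic is exact.
    """
    cir_bps: int
    burst_bytes: int
    min_len: int = 0
    tokens: int = field(init=False)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = self.burst_bytes

    def admit(self, pkt_len: int, now_ms: int) -> bool:
        """Return True if the packet may be sent to the CPU at time now_ms."""
        elapsed_ms = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        # Refill with the bytes earned since the last packet, capped at the burst size.
        self.tokens = min(self.burst_bytes,
                          self.tokens + elapsed_ms * self.cir_bps // 1000)
        cost = charged_length(pkt_len, self.min_len)
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False


def simulate_flood(pkt_len: int, pps: int, seconds: int,
                   cir_bps: int, burst_bytes: int, min_len: int) -> int:
    """Send an evenly spaced flood of identical packets through one meter and
    return how many reach the CPU. pps must divide 1000 so that the
    inter-packet gap is a whole number of milliseconds."""
    assert 1000 % pps == 0, "pps must divide 1000 for an exact simulation"
    gap_ms = 1000 // pps
    car = PacketCar(cir_bps, burst_bytes, min_len)
    return sum(1 for i in range(pps * seconds) if car.admit(pkt_len, i * gap_ms))


if __name__ == "__main__":
    # 1000 pps of 64-byte packets against a meter allowing 64 000 B/s:
    # without compensation every packet fits the byte budget ...
    print(simulate_flood(64, 1000, 1, 64_000, 1280, 0))    # 1000
    # ... with a 128-byte minimum the same flood is charged at twice its size.
    print(simulate_flood(64, 1000, 1, 64_000, 1280, 128))  # 509
```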

Application-layer service association

The system dynamically detects which application-layer services are enabled. When an application-layer service is started, the system accepts its packets; when the service is closed, the system discards them.

The NE40E implements application-layer service association for BGP: after BGP is started, BGP packets are sent to the CPU; after BGP is terminated, BGP packets are discarded.

5.10.8 GTSM

Some attackers on the network forge valid-looking packets to attack a router, so that finite router resources such as the CPU on the SRU are heavily loaded and consumed. For example, an attacker continuously sends forged BGP protocol packets to a router. After the LPU receives these packets destined for the local host, it sends them to the BGP processing module of the CPU on the SRU without checking their validity. As the SRU processes these "valid packets", the system becomes abnormally busy and the CPU utilization rises.

To avoid this attack, the NE40E provides the Generalized TTL Security Mechanism (GTSM). GTSM protects services above the IP layer by checking whether the TTL value in the IP header is within the specified range. In practice, GTSM protects the TCP/IP-based control plane, such as the routing protocols, from CPU-utilization attacks such as CPU overload.

The NE40E supports the following types of GTSM:

• BGP GTSM

• OSPF GTSM
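The TTL check GTSM performs, as an added Python example that is not NE40E code. The accepted range for a peer N hops away is taken as [255 - N + 1, 255], following RFC 5082; the peer addresses and hop counts are constructed.

```python
"""Added example (not NE40E code): a GTSM check on raw IPv4 headers.
The TTL range is derived as in RFC 5082: a legitimate peer `hops` away must
arrive with TTL in [255 - hops + 1, 255], because nobody can raise the TTL
of a packet above its initial value. Addresses and hop counts are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

MAX_TTL = 255
PROTO_TCP = 6


@dataclass(frozen=True)
class GtsmPolicy:
    """GTSM rule for one configured peer: how many hops away the real peer is."""
    hops: int  # 1 = directly connected (the common eBGP case)

    def ttl_range(self) -> Tuple[int, int]:
        return MAX_TTL - self.hops + 1, MAX_TTL

    def accepts(self, ttl: int) -> bool:
        lo, hi = self.ttl_range()
        return lo <= ttl <= hi


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int = PROTO_TCP) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       _ip_bytes(src), _ip_bytes(dst))


def parse_ipv4_header(pkt: bytes) -> Tuple[str, str, int, int]:
    """Return (src, dst, ttl, proto) from the fixed part of an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return _ip(src), _ip(dst), ttl, proto


def gtsm_filter(pkt: bytes, policies: Dict[str, GtsmPolicy]) -> str:
    """Decide what the LPU does with a packet addressed to the local BGP process.

    'accept'    TTL lies in the range expected for this configured peer
    'drop'      TTL too low: the packet travelled farther than the real peer
    'no-policy' sender is not a GTSM-protected peer; normal processing applies
    """
    src, _dst, ttl, proto = parse_ipv4_header(pkt)
    if proto != PROTO_TCP or src not in policies:
        return "no-policy"
    return "accept" if policies[src].accepts(ttl) else "drop"


# Constructed peering table: one directly connected peer, one 3 hops away.
PEERS = {
    "192.0.2.1": GtsmPolicy(hops=1),
    "198.51.100.7": GtsmPolicy(hops=3),
}

if __name__ == "__main__":
    good = build_ipv4_header("192.0.2.1", "192.0.2.2", ttl=255)
    # Forged packet claiming the peer's address but having crossed 14 routers.
    forged = build_ipv4_header("192.0.2.1", "192.0.2.2", ttl=241)
    print(gtsm_filter(good, PEERS), gtsm_filter(forged, PEERS))  # accept drop
```

GTSM only helps when the forged packets originate farther away than the real peer; a host on the same segment as a directly connected peer still arrives with TTL 255.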


5.10.9 ARP Attack Defense

In current ISP networks, Ethernet is widely used for access. ARP runs as an open protocol on Ethernet and therefore exposes security vulnerabilities to malicious attackers, who attack a network along two dimensions: space and time.

• Space-based attacks exploit the finite ARP buffer of a router. The attacker sends a large number of forged ARP request and response messages to the router. As a result, the ARP buffer overflows and normal ARP entries cannot be buffered, so normal forwarding is interrupted.

• Time-based attacks exploit the finite processing capability of a router. The attacker sends a large number of forged ARP requests, responses, or other packets that trigger ARP processing on the router. As a result, the router's computing resources are busy with ARP processing for a long period and other services cannot be processed, so normal forwarding is interrupted.

Interface-based ARP Entry Restriction

The interface-based ARP entry restriction function effectively minimizes the affected range when an ARP entry overflow attack occurs: the attack is confined to the interface instead of the entire system, so other interfaces on the board and the whole system are not affected.

Timestamp-based Scanning-proof

The timestamp-based scanning-proof function identifies a scanning attack in time and suppresses the processing of requests generated by the scanning, regardless of whether it is an ARP scanning attack or an IP scanning attack. In this way, the CPU is shielded from the attack.

ARP Bidirectional Isolation

Because ARP request packets come from outside a device and can be initiated at any time, the device cannot distinguish normal packets from attack packets when the ARP request packets carry valid IP addresses.

Analysis of actual ARP attacks on some networks shows that the ARP attack traffic comprises 50% ARP request packets and 50% ARP response packets. A solution to floods of ARP packets must therefore address both aspects: ARP request packets and ARP response packets.

ARP bidirectional isolation enables a device to process ARP request packets and ARP response packets separately.

• The device responds statelessly to ARP request packets. That is, after replying to an ARP request, the device creates neither an ARP entry nor any related state. Because ARP request packets are not sent to the CPU for processing, the ARP table of the gateway is protected against address-spoofing attacks carried by ARP request packets.

• The device processes only the ARP response packets that answer ARP requests sent by its own CPU; ARP response packets that do not answer a request from its CPU are discarded. Normal ARP requests can thus be processed promptly.


Filtering of Illegitimate ARP Packets

The NE40E filters the following types of ARP packets:

• Illegitimate ARP packets, namely ARP request packets whose destination MAC address is a unicast address, ARP request packets whose source MAC address is not a unicast address, and ARP response packets whose destination MAC address is not a unicast address

• Gratuitous ARP packets

• ARP request packets whose destination MAC address is not null

You can use commands to configure the system to filter out one or more of the preceding types of illegitimate packets.
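An added Python example (not NE40E code) that parses Ethernet/ARP frames and flags the illegitimate types listed above, grouped into the three filter categories an operator can enable. The last rule is read as applying to the target hardware address inside the ARP request, which is an assumption; all MAC and IP values are constructed.

```python
"""Added example (not NE40E code): classifying Ethernet/ARP frames against the
illegitimate-packet rules listed above. The "destination MAC not null" rule for
requests is read as the ARP target hardware address (assumption: a request's
Ethernet destination is broadcast by design). All frames are constructed."""
import struct
from typing import Dict, List, Set

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
NULL_MAC = b"\x00" * 6


def is_unicast(mac: bytes) -> bool:
    """The I/G bit (LSB of the first octet) is 0 for unicast addresses."""
    return (mac[0] & 0x01) == 0


def build_arp(eth_dst: bytes, eth_src: bytes, op: int,
              sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    if len(frame) < 14 + 28:
        raise ValueError("truncated ARP frame")
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        raise ValueError("not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


# Each fine-grained reason maps to one of the three categories in the text.
CATEGORY = {
    "request-to-unicast-dst": "illegitimate",
    "request-from-non-unicast-src": "illegitimate",
    "reply-to-non-unicast-dst": "illegitimate",
    "gratuitous": "gratuitous",
    "request-target-mac-not-null": "target-mac-not-null",
}


def violations(frame: bytes) -> List[str]:
    """Return every rule the frame breaks (empty list = legitimate ARP)."""
    a = parse_arp(frame)
    out: List[str] = []
    if a["op"] == ARP_REQUEST:
        if is_unicast(a["eth_dst"]):
            out.append("request-to-unicast-dst")
        if not is_unicast(a["eth_src"]):
            out.append("request-from-non-unicast-src")
        if a["tha"] != NULL_MAC:
            out.append("request-target-mac-not-null")
    elif a["op"] == ARP_REPLY:
        if not is_unicast(a["eth_dst"]):
            out.append("reply-to-non-unicast-dst")
    if a["spa"] == a["tpa"]:  # sender announces its own address
        out.append("gratuitous")
    return out


def should_drop(frame: bytes, enabled_categories: Set[str]) -> bool:
    """Drop when any violation falls in a category the operator enabled."""
    return any(CATEGORY[v] in enabled_categories for v in violations(frame))


# Constructed hosts used by the demonstration and the tests.
HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("66778899aabb")
IP_A = bytes([192, 0, 2, 10])
IP_B = bytes([192, 0, 2, 20])

if __name__ == "__main__":
    normal_req = build_arp(BROADCAST, HOST_A, ARP_REQUEST, HOST_A, IP_A, NULL_MAC, IP_B)
    grat = build_arp(BROADCAST, HOST_A, ARP_REQUEST, HOST_A, IP_A, NULL_MAC, IP_A)
    print(violations(normal_req), violations(grat))  # [] ['gratuitous']
```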

Dynamic CAR for Normal ARP Packets Destined for the CPU

Dynamic CAR limits the bytes of ARP packets destined for the CPU while also restricting the number of ARP packets destined for the CPU per second.

Dynamic CAR is a dynamic allocation mechanism for ARP CAR resources. After you configure ARP CAR on an interface, the system does not allocate resources immediately; it allocates CAR resources and delivers the CAR settings only when the number of received ARP packets exceeds the set threshold. During each interval (the timer is set to 5 seconds), the system checks whether the receiving rate of ARP packets is greater than the set threshold. If the receiving rate does not exceed 75% of the threshold for three consecutive checks, the system retracts the CAR resources.
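The allocate-and-retract behaviour described above, as an added Python example that is not NE40E code. The 5-second interval, the 75% mark and the three consecutive checks come from the text; the threshold value and the arrival timestamps are constructed.

```python
"""Added example (not NE40E code): the allocate/retract logic of dynamic ARP
CAR for one interface. The 5-second check interval, the 75% low-water mark and
the three consecutive checks come from the text; the threshold and the ARP
arrival timestamps used below are constructed."""
from dataclasses import dataclass, field
from typing import Iterable, List

CHECK_INTERVAL_S = 5
RETRACT_RATIO = 0.75
RETRACT_CHECKS = 3


@dataclass
class DynamicArpCar:
    threshold_pps: int             # configured ARP rate threshold for the interface
    allocated: bool = False        # CAR resources currently held by this interface
    low_checks: int = 0            # consecutive checks at or below 75% of threshold
    log: List[str] = field(default_factory=list)

    def observe(self, rate_pps: float) -> str:
        """Feed the ARP rate measured over one 5-second interval; return the action."""
        if not self.allocated:
            # Resources are only allocated once the threshold is exceeded.
            if rate_pps > self.threshold_pps:
                self.allocated, self.low_checks = True, 0
                return self._note("allocate")
            return self._note("idle")
        if rate_pps <= RETRACT_RATIO * self.threshold_pps:
            self.low_checks += 1
            if self.low_checks >= RETRACT_CHECKS:
                self.allocated, self.low_checks = False, 0
                return self._note("retract")
            return self._note(f"keep (low {self.low_checks}/{RETRACT_CHECKS})")
        # Any interval above 75% restarts the count of consecutive low checks.
        self.low_checks = 0
        return self._note("keep")

    def _note(self, action: str) -> str:
        self.log.append(action)
        return action


def rates_per_interval(arrivals_s: Iterable[float], horizon_s: int) -> List[float]:
    """Bucket ARP arrival timestamps (seconds) into consecutive 5-second
    intervals and return the average packets per second of each interval."""
    n = horizon_s // CHECK_INTERVAL_S
    counts = [0] * n
    for t in arrivals_s:
        idx = int(t // CHECK_INTERVAL_S)
        if 0 <= idx < n:
            counts[idx] += 1
    return [c / CHECK_INTERVAL_S for c in counts]


def run(threshold_pps: int, rates: Iterable[float]) -> List[str]:
    """Replay a sequence of per-interval rates and return the action per interval."""
    car = DynamicArpCar(threshold_pps)
    return [car.observe(r) for r in rates]


if __name__ == "__main__":
    # Threshold 100 pps: a burst allocates CAR, three quiet intervals release it.
    print(run(100, [50, 150, 120, 70, 70, 70, 50]))
```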

5.10.10 Mirroring

Mirroring means that the system sends a copy of a packet on the current node to a specific observing port without interrupting services. You specify the number of the port to be observed and connect packet analysis equipment to the observing port to observe the traffic.

Mirroring is divided into the following types according to the requirements for the packets to be copied:

• Port mirroring: All packets received and sent by a mirrored port are copied to a specific observing port.

• Flow mirroring: Based on traffic classification, only packets that match specific rules are copied; other packets are filtered out. This improves the efficiency of the packet analysis equipment.

Mirroring is divided into the following types according to the direction in which the packets are copied:

• Inbound (upstream) mirroring: The system copies the packets received on a monitored port, or those that meet the specified traffic classification requirement, to the specified observing port.

• Outbound (downstream) mirroring: The system copies the packets to be sent on a port and sends the copies to the specified observing port.

Figure 5-57 shows the typical networking of mirroring.


Figure 5-57 Typical networking of mirroring

[Figure: Port A, Port B, Port C, Network 1, Network 2, packet analysis equipment; inbound packets, outbound packets, mirroring packets]

5.10.11 NetStream

The Internet is developing rapidly. This provides more bandwidth resources but also requires finer network monitoring and management, so a technology that meets these demands is urgently needed.

NetStream is a technology based on network traffic statistics. It collects statistics on traffic flows and on the resulting resource usage in the network, and monitors and manages the network by type of service and resource. NetStream provides the following functions:

• Accounting: NetStream provides detailed statistics for resource-occupation-based accounting (for example, by link, bandwidth, or time period). Statistics such as IP addresses, numbers of packets and bytes, transmission time, ToS fields, and application types are collected. Based on them, the ISP can charge users flexibly by time period, bandwidth, application, or QoS, and enterprises can account for their expenses or apportion costs to make better use of resources.

• Network planning and analysis: NetStream provides key information to advanced network management tools for optimizing network design and planning, achieving the best network performance and reliability at the minimum network operation cost.

• Network monitoring: NetStream realizes real-time network monitoring. Remote monitoring (RMON), RMON-2, and flow-based analysis technology visually display the traffic pattern on a single router or across the network, providing a basis for effective fault detection, location, and rectification.

• Application monitoring and analysis: NetStream provides detailed application statistics for the network. For example, the network administrator can view the proportion of network traffic taken by each application, such as Web, the File Transfer Protocol (FTP), Telnet, and other TCP/IP applications. Based on these statistics, the ICP and ISP can properly plan and allocate network application resources to meet users' requirements.

• Abnormal traffic detection: NetStream detects abnormal traffic, such as network attack traffic of various types, in real time. NetStream helps ensure network security through NMS alarms and cooperation with other devices.

NetStream involves the following devices:

• NDE

• NSC

• NDA

Figure 5-58 shows the relationships between the preceding NetStream devices.

Figure 5-58 NetStream devices

[Figure: Router A, Router B, two NSCs, one NDA]

The NetStream Data Exporter (NDE) samples packets and exports the information to the NSC. The NetStream Collector (NSC) is responsible for collecting and storing the statistics data from the NDE. The NetStream Data Analyzer (NDA) analyzes the statistics data and then provides the basis for various services, such as network accounting, network planning, network monitoring, application monitoring, and analysis.

The NE40E can run as an NDE to sample packets, aggregate flows, and output flows.

According to where packets are sampled and flows are processed, NetStream on the NE40E is classified into distributed NetStream and integrated NetStream. Distributed NetStream supports load balancing among multiple NetStream boards.

• Distributed NetStream: Certain LPUs support all NetStream functions, such as packet sampling, flow aggregation, and flow output.

• Integrated NetStream: Certain LPUs do not process NetStream flows. They only sample packets and send the sampled packets to the NetStream SPU for flow aggregation and output.

From the aspect of sampling, the NE40E provides the following functions:

• Supports sampling in the inbound and outbound directions. Some boards support sampling on the inbound interface.

• Supports interface-based sampling and traffic-classification-based sampling.

• Supports sampling of IPv4 unicast/multicast packets, fragmented packets, MPLS packets, and MPLS L3VPN packets.

• Supports regular packet sampling, random packet sampling, regular time sampling, and random time sampling.

• Supports sampling on various physical and logical interfaces, such as POS interfaces, Ethernet interfaces, VLAN sub-interfaces, serial/MP/FR PVC/FR MP interfaces provided by CPOS interfaces, ATM interfaces, FR interfaces, RPR interfaces, trunk interfaces, VLANIF interfaces, and GRE interfaces.

From the aspect of aggregation and output, the NE40E provides the following functions:

• IPv4 supports ten aggregation modes: as, as-tos, protocol-port, protocol-port-tos, source-prefix, source-prefix-tos, destination-prefix, destination-prefix-tos, prefix, and prefix-tos.

• Supports aggregation of MPLS packets based on three layers of labels.

• Outputs the generated statistics in v5, v8, and v9 formats.

• Each kind of aggregation flow can be output to two NMS servers.
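The ten IPv4 aggregation modes, as an added Python example that is not NE40E code and goes beyond the list by actually aggregating constructed flow records. The page names the modes only; the fields that make up each key follow the NetFlow v8 aggregation schemes, which is an assumption.

```python
"""Added example (not NE40E code): aggregating IPv4 flow records in the ten
NetStream aggregation modes listed above. The page gives only the mode names;
the key fields chosen per mode follow the NetFlow v8 aggregation schemes
(assumption). All flow records below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Iterable, List, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """One raw flow as the NDE would see it before aggregation."""
    src_ip: str
    dst_ip: str
    src_mask: int      # prefix length of the route matching src_ip
    dst_mask: int
    src_as: int
    dst_as: int
    proto: int
    src_port: int
    dst_port: int
    tos: int
    in_if: int
    out_if: int
    packets: int
    bytes: int


def prefix(ip: str, mask: int) -> str:
    """Network prefix of ip at the given length, e.g. 10.1.2.3/16 -> 10.1.0.0/16."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


# Key functions: what "the same flow" means in each mode.
def _as(f: FlowRecord) -> tuple:
    return (f.src_as, f.dst_as, f.in_if, f.out_if)

def _proto_port(f: FlowRecord) -> tuple:
    return (f.proto, f.src_port, f.dst_port)

def _src_prefix(f: FlowRecord) -> tuple:
    return (f.src_as, prefix(f.src_ip, f.src_mask), f.in_if)

def _dst_prefix(f: FlowRecord) -> tuple:
    return (f.dst_as, prefix(f.dst_ip, f.dst_mask), f.out_if)

def _prefix(f: FlowRecord) -> tuple:
    return _src_prefix(f) + _dst_prefix(f)

def _with_tos(key_fn: Callable[[FlowRecord], tuple]) -> Callable[[FlowRecord], tuple]:
    """The *-tos variants add the ToS byte to the base key."""
    return lambda f: key_fn(f) + (f.tos,)


AGGREGATION_MODES: Dict[str, Callable[[FlowRecord], Hashable]] = {
    "as": _as,
    "as-tos": _with_tos(_as),
    "protocol-port": _proto_port,
    "protocol-port-tos": _with_tos(_proto_port),
    "source-prefix": _src_prefix,
    "source-prefix-tos": _with_tos(_src_prefix),
    "destination-prefix": _dst_prefix,
    "destination-prefix-tos": _with_tos(_dst_prefix),
    "prefix": _prefix,
    "prefix-tos": _with_tos(_prefix),
}


def aggregate(flows: Iterable[FlowRecord], mode: str) -> Dict[Hashable, Tuple[int, int, int]]:
    """Return {aggregation key: (flow count, packets, bytes)} for the mode."""
    key_fn = AGGREGATION_MODES[mode]
    out: Dict[Hashable, Tuple[int, int, int]] = {}
    for f in flows:
        k = key_fn(f)
        n, p, b = out.get(k, (0, 0, 0))
        out[k] = (n + 1, p + f.packets, b + f.bytes)
    return out


# Constructed sample: three TCP flows from 10.1.0.0/16 (one with ToS 0xb8) and
# one DNS flow from 172.16.0.0/12, all towards 203.0.113.0/24.
SAMPLE_FLOWS: List[FlowRecord] = [
    FlowRecord("10.1.2.3", "203.0.113.5", 16, 24, 64500, 64501, 6, 40000, 80, 0, 1, 2, 10, 8000),
    FlowRecord("10.1.9.9", "203.0.113.6", 16, 24, 64500, 64501, 6, 40001, 80, 0, 1, 2, 5, 4000),
    FlowRecord("10.1.9.9", "203.0.113.6", 16, 24, 64500, 64501, 6, 40002, 443, 0xb8, 1, 2, 7, 9000),
    FlowRecord("172.16.5.5", "203.0.113.6", 12, 24, 64502, 64501, 17, 53, 53, 0, 3, 2, 2, 300),
]

if __name__ == "__main__":
    for mode in AGGREGATION_MODES:
        print(f"{mode:22s} {len(aggregate(SAMPLE_FLOWS, mode))} aggregated flow(s)")
```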

5.10.12 Lawful Interception

In lawful interception, the following information is intercepted:

• CC: the content of the communication, for example, email and VoIP packets

• IRI: the information related to the communication, including the address, time, and network location

The content of communication (CC) and the intercept-related information (IRI) can be provided by the network devices of the carrier. The IRI is generally provided by the AAA server, and the CC by an edge router, for example, the NE40E.

Figure 5-59 shows the scenario for lawful interception.

In this scenario, the IRI is provided by the AAA server and the CC is provided by the NE40E.

Figure 5-59 Scenario for lawful interception

[Figure: interception centers 1 to N, interception management center, LIG management system, LIG, AAA server, router, ISP interception management, ISP network, ISP network device; interfaces L1, HI1, HI2, HI3, X1, X2, X3]

Lawful interception involves the following roles:

• Interception center

The law enforcement agency that intercepts the activities of online users. The interception center initiates the interception and receives the interception result. Its functions are as follows:

− Defining the intercepted target

− Initiating or terminating the interception

− Receiving and recording the interception result

− Analyzing the interception result

• Interception management center

The interception management center is the agent of the interception centers. It receives the interception request from an interception center, transforms the information in the request into a location and service identifier, and then delivers the interception configuration to the network devices of the carrier.

• LIG

The LIG acts as the agent between the interception management center and the devices of the carrier and plays an important role in lawful interception. Its functions are as follows:

− Indirectly receives the interception request from the interception management center through the L1 and HI1 interfaces.

− Delivers the interception configuration to network devices and obtains the intercepted contents through the X interfaces.

− Sends the intercepted contents to the interception management center through the HI2 and HI3 interfaces.

• LIG management system

The LIG management system receives the interception request from the interception management center and sends the request to the LIG. One LIG management system can manage multiple LIGs.

The LIG management system delivers the configuration to the LIG through the L1 interface. The LIG is located in the network of the carrier, and the LIG management system is managed by the interception management center.

• Carrier

The carrier deploys the lawful interception function on the network devices in the carrier network. The devices that support lawful interception receive the configuration from the interception management center and then send the intercepted traffic to the interception management center.

5.11 Network Reliability

The NE40E provides all-around reliability techniques that meet the reliability requirements of carrier-class networks.


Figure 5-60 Reliability techniques

[Figure: device reliability (99.999%) and network reliability; labels: active/standby MPUs, multiple SFUs, active/standby power modules, Graceful Restart, fast detection of link faults, fast route convergence, loose policy-based routing, ECMP, IP FRR, TE FRR, LDP FRR, VLL FRR, VPN FRR, backup, NSF, BFD, routing optimization, FRR, interface backup, link reliability, Eth-Trunk, IP-Trunk, inter-board port binding, RPR interface backup, customized alarm damping, Ethernet OAM]

5.11.1 Backup of Key Modules

The NE40E can work with a single SRU or with two SRUs in backup mode.

The SRU of the NE40E supports hot backup. If the device is configured with two SRUs for backup, the master SRU works in the active state and the slave SRU in the standby state. Users cannot access the management interface of the slave SRU or configure commands on its Console port or AUX port. The slave SRU exchanges information (including heartbeat messages and backup data) only with the master SRU.

The system supports active/standby switchover in two ways: automatic and forcible. Automatic switchover may be triggered by a serious fault on, or a reset of, the master SRU. Forcible switchover is triggered by command. You can also prohibit active/standby switchover of the SRU through the related command.

The NE40E supports backup of the management bus and 1+1 backup of the power module. The LPU, the power module, and the fan module are hot swappable.

These designs enable the system to recover or respond quickly when a severe abnormality is detected on the device or the network, thereby improving the Mean Time Between Failures (MTBF) and minimizing the impact of unreliable factors on normal service.

5.11.2 High Reliability of the LPU

The NE40E provides backup for service interfaces of the same type.

• The NE40E supports the Virtual Router Redundancy Protocol (VRRP) on Ethernet interfaces. With extended VRRP, two interfaces on one router or on different routers can back up each other, ensuring high reliability of the interfaces.

• The NE40E supports member interfaces of Eth-Trunk and IP-Trunk. Eth-Trunk and IP-Trunk support inside backup and outside backup for member interfaces.


• The NE40E supports inter-board trunk bundling.

− Users can access different LPUs over double links for inter-board bundling. This ensures the high reliability of services.

− The NE40E realizes inter-board bundling with the high-performance engine and forwards packets in load balancing mode at line rate over multiple links.

− The hash algorithm based on the source and destination IP addresses balances the forwarded traffic evenly over the links.

− Seamless switchover is performed in the case of a link failure, without interrupting services.

• The NE40E also provides backup of RPR-based interfaces through the RPR protocol and RPR networking technologies.

The NE40E provides backup for key service interfaces through protocol extension. In this manner, the NE40E can monitor and back up the running status of an interface that bears LAN, MAN, or WAN services. A status change of the backed-up interface then does not affect the routing table, and the service on the interface can be restored quickly.

5.11.3 Alarm Customized Damping

As current carrier-class networks pose higher requirements on device reliability, network devices must be capable of fast fault detection.

After fast fault detection is enabled on an interface, alarm generation is sped up, so the physical status of the interface may frequently flip between Up and Down. In this case, the network flaps repeatedly.

Therefore, the generated alarms need to be filtered and suppressed to avoid frequent network flaps.

Alarm damping effectively filters and suppresses alarms, avoiding repeated flaps of the interface status; alarm customization lets you control the impact of alarms on the interface status.

Alarm customization and alarm damping function as follows:

• Allows you to customize alarms, that is, to specify which kinds of alarms can trigger a change of the interface status.

• Enables the system to suppress alarms, filter out glitches, and damp frequent flaps of the network.

5.11.4 Ethernet OAM

The NE40E supports the following Ethernet OAM functions:

• Fault management

• Performance management

With the fault management mechanism, the NE40E can detect network connectivity by sending OAM detection packets periodically or on manual triggering. This mechanism is similar to Bidirectional Forwarding Detection (BFD). The NE40E can also locate Ethernet faults using means similar to the ping and tracert tools on IP networks. The NE40E triggers protection switchover in less than 50 ms.


Performance management measures the packet loss ratio, delay, and jitter during packet transmission. It also collects statistics on various kinds of traffic, such as the number of transmitted bytes and the number of errored packets.

Point-to-Point Fault Management for Ethernet

IEEE 802.3ah was brought forward by the Ethernet in the First Mile Alliance (EFMA). IEEE 802.3ah defines the following functions:

• Capability discovery

• Link performance monitoring

• Fault detection and alarm

• Loop test

The PDUs of IEEE 802.3ah OAM are transmitted as a slow protocol. Fault detection messages are sent once every second.

Conforming to IEEE 802.3ah, the NE40E supports point-to-point Ethernet fault management. It can detect faults in the last kilometer of the direct link on the user side of the Ethernet. At present, the NE40E supports the following functions defined in IEEE 802.3ah:

• Automatic neighbor discovery

• Link fault monitoring

• Remote fault notification

• Remote loopback configuration

End-to-End Fault Management for Ethernet

This section describes end-to-end fault management for Ethernet from the following two aspects:

• Hierarchical MD

The NE40E realizes end-to-end fault management for Ethernet either in conformance with IEEE 802.1ag or by departing from it. IEEE 802.1ag is used to test end-to-end Ethernet connectivity and to locate faults. It provides different levels of management domains: OAM messages of a low level are not forwarded into a management domain of a high level, which guarantees the security and maintainability of networks.

According to IEEE 802.1ag, the network that bears the Ethernet OAM mechanism is divided into Maintenance Domains (MDs). An MD is an interconnected Ethernet network maintained by the same administrator. Multiple Service Instances (SIs) can be applied in an MD; an SI corresponds to a VLAN and consists of multiple devices. A border port in the SI is called a Maintenance association End Point (MEP); all other ports are called Maintenance association Internal Points (MIPs). MIPs connect different MEPs. MEPs and MIPs are together called MPs. All the MEPs in an SI form a Maintenance Association (MA), in which fault detection is carried out.

Part of the network in an MD might be maintained by another administrator, that is, MDs might be nested. The MD level differentiates the levels of OAM that can be carried out in an MA. The MD level is carried in the OAM message; OAM messages with a lower level are discarded at a higher-level MP.

• End-to-end fault detection and location

ISPs and Internet Content Providers (ICPs) have gradually adopted fault detection to guarantee QoS and reduce maintenance expense. Fault detection is realized by sending and checking Continuity Check (CC) messages at scheduled times. The NE40E supports the MAC ping and MAC trace tools, which use the Loop Back (LB) and Link Trace (LT) packets defined in IEEE 802.1ag to locate faults.

− MAC ping

MAC ping, realized with the LB message, tests whether a device on the network is reachable and acquires the network status and the delay parameter. To carry out MAC ping between any two devices on the network, the NE40E requires the following: the originating point is a MEP; the two points are MPs belonging to the same MA; and Ethernet packets can be exchanged between the two points.

− MAC trace

MAC trace, realized with the LT message, tests the transmission path of messages and locates the break point of the link between two devices. The requirements for MAC ping also apply to MAC trace.

Ethernet Performance Management

Conforming to ITU-T Y.1731, the NE40E supports Ethernet performance management. It can measure the delay, jitter, and packet loss ratio in transmission. To do so, the NE40E inserts a timestamp in the LB message defined in IEEE 802.1ag. In this way, it can measure performance during a specified time period and on a specified network segment to obtain the performance parameters of an end-to-end service flow. The NE40E can measure the performance parameters at scheduled times and combine them with network management information to output reports.

Using the performance management tools, the ISP can monitor the network status in real time from the NMS station and check whether the forwarding capacity of the network complies with the signed SLA, so that faults can be located swiftly. The ISP need not carry out detection on the user side, which greatly decreases maintenance expense.

5.11.5 VRRP

The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. VRRP realizes route selection among multiple egress gateways by separating physical devices from logical devices.

VRRP applies to LANs that support multicast or broadcast, such as Ethernet. VRRP uses logical gateways to ensure high availability of transmission links. This avoids the service interruption that results from a gateway device failure, without changing the configuration of routing protocols.

VRRP combines a group of routers in a LAN into a backup group that functions as a virtual router. Hosts in the LAN know only the IP address of this virtual router rather than that of a specific router in the backup group. Hosts set the IP address of the virtual router as their default next-hop address and thus access other networks through the virtual router.

In the backup group, only one router is active and is called the master router; the other routers are in the backup state with different priorities and are called backup routers.

Figure 5-61 shows the backup group consisting of three routers.

Figure 5-61 Typical networking diagram of VRRP

[Figure: Router A 10.100.10.2/24 (master), Router B 10.100.10.3/24 (backup), and Router C 10.100.10.4/24 (backup) form a backup group with virtual IP address 10.100.10.1/24, between the internal network 10.100.10.0/24 (PC, server) and the Internet]

VRRP dynamically associates the virtual router with a physical router that carries the transmission services. When that physical router fails, VRRP selects a new router to take over transmission. The entire process is transparent to users and realizes non-blocking communication between the internal network and the external network.

mVRRP

The management Virtual Router Redundancy Protocol (mVRRP) refers to a management VRRP group. The only difference between an mVRRP group and a common VRRP group is that the mVRRP group can be bound to common VRRP groups and determines the status of a bound common VRRP group according to the binding.

An mVRRP group can be bound to multiple common VRRP groups, but it cannot serve as a common VRRP group or be bound to other mVRRP groups.

An mVRRP group can join a VGMP group as a member. After it joins a VGMP group, you can configure the mVRRP group to monitor the statuses of both the peer and link BFD sessions. The mVRRP group, however, loses its independence: except for the Initialize state, its Backup and Master statuses depend on the status of the VGMP group that it joined.

VGMP

Some applications require that a session take the same path in both directions, that is, the packets of the same session must pass through the same devices. Here VRRP has its limitations: if a master/backup switchover is performed, the forward and return paths of the same session cannot be guaranteed to be the same.


To avoid this problem, Huawei developed the VRRP Group Management Protocol (VGMP) on the basis of VRRP. The VRRP management group set up on the basis of VGMP uniformly manages the VRRP backup groups that join it. On a router, the interfaces that belong to different VRRP backup groups are thus kept master or backup simultaneously, so the VRRP statuses of the router remain consistent.

Configure VGMP in the following scenarios:

• The system is configured with a large number of VRRP backup groups. The system processes VRRP protocol packets on the SRU, and a large number of VRRP backup groups may generate many VRRP protocol packets. These compete with other protocol packets for CPU resources and for the channel and bandwidth of inter-board communication, overloading the system. When you configure a VRRP management group to uniformly manage the VRRP backup groups, the managed groups do not send protocol packets independently, which reduces the occupancy of system resources.

l The router has functions of the firewall, NAT gateway, or proxy server. These functions require the same come-and-go path of a session. Configuring a VRRP management group to uniformly manage the VRRP backup groups ensures the status of the VRRP backup group consistent.

5.11.6 GR

Graceful Restart (GR) is a key technique for providing high availability (HA). GR switchover and the subsequent restart can be triggered by the administrator or by a fault. During a switchover caused by a failure, GR neither deletes routing information from the routing table or the FIB nor resets the interface boards, so the services of the whole system are not interrupted.

GR has the following advantages:

- Simple and easy to implement: only some protocols need to be modified.
- No status information of the backup protocol is needed.
- Only a little information needs to be backed up from the AMB to the SMB: configuration changes or updates, interface status changes, and the topology or routing information that can be obtained again from neighbors after the restart.
- Packet forwarding is interrupted only briefly when the main board switches over.
- The network converges fast.

The NE40E supports system-based GR and protocol-based GR. Protocol-based GR includes:

- BGP GR
- OSPF GR
- ISIS GR
- MPLS LDP GR
- L3VPN GR
- RSVP GR

5.11.7 BFD

Bidirectional Forwarding Detection (BFD) is a detection mechanism that can be used throughout the network to quickly detect and monitor the connectivity of links or IP routes.

BFD sends detection packets from both ends of a bidirectional link to detect the link status in both directions. This allows BFD to detect link faults in milliseconds. BFD provides single-hop detection and multi-hop detection.

The NE40E supports BFD as follows.

BFD for VRRP

BFD detects and monitors links or IP routes at a fast pace, so a fast VRRP switchover can be implemented.

BFD for Fast Reroute

- BFD for LDP FRR: BFD detects the protected interface and triggers the LDP FRR switchover.
- BFD for IP FRR and BFD for VPN FRR: on the NE40E, IP FRR and VPN FRR are triggered only after the detected fault is reported to the control plane.

BFD for Static Routes

Static routes have no detection mechanism of their own; when a fault occurs on the network, an administrator must intervene.

With BFD for static routes, a BFD session detects the status of public-network IPv4 static routes. Based on the status of the BFD session, the routing management system determines whether a static route can be used.

BFD for IS-IS

On the NE40E, a statically configured BFD session detects the IS-IS peer relationship.

BFD detects a link fault between IS-IS peers and reports it quickly to IS-IS, which triggers IS-IS fast convergence.

BFD for OSPF/BGP

On the NE40E, OSPF and BGP can dynamically set up and delete BFD sessions.

- When an OSPF/BGP peer relationship is set up, OSPF/BGP instructs BFD, through the routing management module, to set up a session. The BFD session then detects the OSPF/BGP peer relationship at a fast pace. The detection parameters of the BFD session are determined by OSPF/BGP.

- When BFD detects a fault, the session status becomes Down, and BFD triggers route convergence through the routing management module.

A routing protocol on its own detects faults at second granularity through the keepalive mechanism of Hello packets, whereas BFD detects them at millisecond granularity. The BFD period is 10 ms; if the Detect Mult parameter is set to 3, BFD can report the protocol fault within 50 ms, which speeds up route convergence.

- When the peer becomes unreachable, OSPF/BGP instructs BFD, through the routing management module, to delete the corresponding session.
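As an added illustration (not NE40E code and not from this document), the following Python model ties a BFD session's detection timer to the usability of a static route, in the way the BFD for static routes and BFD for OSPF/BGP descriptions above outline: the session is declared Down once no control packet has arrived within interval × Detect Mult, and the route bound to it drops out of the active set at that moment while a route without a BFD binding stays usable. The peer addresses, prefixes and the packet timeline are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class BfdSession:
    """Minimal BFD session: Up while control packets keep arriving,
    Down once the detection timer (interval x Detect Mult) expires."""
    peer: str
    interval_ms: int            # negotiated transmit/receive interval
    detect_mult: int            # Detect Mult carried in the control packet
    state: str = "Down"
    last_rx_ms: Optional[int] = None

    @property
    def detect_time_ms(self) -> int:
        return self.interval_ms * self.detect_mult

    def receive(self, now_ms: int) -> None:
        """A control packet from the peer arrived: (re)start the detection timer."""
        self.last_rx_ms = now_ms
        self.state = "Up"

    def tick(self, now_ms: int) -> str:
        """Expire the detection timer if needed; returns the resulting state."""
        if self.state == "Up" and now_ms - self.last_rx_ms >= self.detect_time_ms:
            self.state = "Down"
        return self.state


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    bfd: Optional[BfdSession] = None   # None: no BFD binding, always usable

    def usable(self) -> bool:
        return self.bfd is None or self.bfd.state == "Up"


@dataclass
class StaticRib:
    routes: List[StaticRoute] = field(default_factory=list)

    def add(self, route: StaticRoute) -> None:
        self.routes.append(route)

    def active_prefixes(self) -> List[str]:
        """Prefixes the routing management system may hand to the FIB."""
        return [r.prefix for r in self.routes if r.usable()]


def run_scenario() -> List[Tuple[int, str, List[str]]]:
    """Constructed timeline: the peer sends BFD control packets every 10 ms
    at t = 0, 10 and 20 ms and then falls silent. With Detect Mult 3 the
    detection time is 30 ms, so the session goes Down at t = 50 ms."""
    session = BfdSession(peer="10.0.0.2", interval_ms=10, detect_mult=3)
    rib = StaticRib()
    rib.add(StaticRoute("192.0.2.0/24", "10.0.0.2", bfd=session))
    rib.add(StaticRoute("198.51.100.0/24", "10.0.0.6"))   # no BFD: stays usable
    timeline = []
    for now in range(0, 100, 10):
        if now <= 20:
            session.receive(now)
        session.tick(now)
        timeline.append((now, session.state, rib.active_prefixes()))
    return timeline


if __name__ == "__main__":
    for now, state, active in run_scenario():
        print(f"t={now:3d} ms  bfd={state:4s}  active routes={active}")
```

The timer is checked with `>=`, so the route is withdrawn exactly when the detection interval has elapsed since the last packet, which is the earliest point at which a real BFD implementation would report the session Down.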

BFD for PIM

PIM BFD applies to a shared network segment on which PIM-enabled routers reside. It quickly detects a failure of the DR or the Assert Winner.

PIM BFD uses ordinary BFD messages. It automatically sets up BFD sessions between PIM neighbors, monitors the status of the neighbors, and responds promptly when a neighbor fails.

BFD for IP-Trunk and Eth-Trunk

Both IP-Trunk and Eth-Trunk consist of multiple member links. They provide a higher transmission rate and improve the reliability of a link.

A trunk stays Up only when the number of member links in the Up state reaches a configured threshold.

On the NE40E, BFD detects the trunk link and its member links separately. BFD can therefore detect the connectivity of the whole trunk as well as that of an important member link.

BFD for LSP

BFD for LSP sends BFD messages over static LSPs, dynamic LDP LSPs, RSVP-TE tunnels, and PWs. By quickly exchanging BFD messages, it detects faults on these tunnels fast and triggers a fast switchover of the carried services, thereby protecting them.

BFD for LSP performs fast fault detection for LSPs, TE tunnels, and PWs. In this way it enables fast switchover of MPLS services such as VPN FRR, TE FRR, and VLL FRR.

5.11.8 FRR

The NE40E provides multiple fast reroute (FRR) features. You can deploy FRR as required to improve network reliability.

IP FRR

FRR minimizes data loss caused by network faults. Switchover can complete in less than 50 ms.

The NE40E provides the fast reroute function, which enables the system to monitor and store the real-time state of the service card and the port, and check the status of the port during forwarding. When an abnormality occurs on the port, the system can fast switch traffic to the other route (if there is), thereby improving the MTBF and reducing the amount of lost packets.

LDP FRR

Traditional IP FRR cannot protect MPLS traffic efficiently. With LDP FRR, the NE40E provides a port-based protection solution.

When LDP works in downstream label distribution, sequential (ordered) label control and liberal label retention modes, the LSR stores all label mappings it receives. Normally, only the label mapping received from the next hop of the FEC's route is installed in the label forwarding table. With LDP FRR, a liberal label mapping (one received from a peer that is not the next hop) can also be installed in the label forwarding table, which establishes the standby LSP.

When the network runs normally, the active LSP is used. If the outbound interface of the active LSP goes down, the standby LSP is used, so that services are not interrupted before the network converges.
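The liberal-retention mechanism just described, as an added Python example (not Huawei code): every label mapping is kept, the mapping from the IGP next hop becomes the primary entry, a mapping from the alternate next hop is pre-installed as the standby, and forwarding falls back to the standby the moment the primary's outbound peer is down. The router names, prefix and label values are constructed; the `retention="conservative"` branch is included to show why no standby exists without liberal retention.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LabelMapping:
    fec: str        # prefix the label was advertised for
    peer: str       # downstream LDP peer that sent the mapping
    label: int      # outgoing label to use toward that peer


def build_lfib(mappings: List[LabelMapping],
               igp_next_hop: Dict[str, str],
               igp_alternate: Dict[str, str],
               retention: str = "liberal") -> Dict[str, dict]:
    """Per FEC: the primary NHLFE (mapping from the IGP next hop) and, under
    liberal retention, a backup NHLFE from the alternate next hop. Under
    conservative retention mappings from other peers are discarded, so no
    backup can be pre-installed."""
    lfib: Dict[str, dict] = {}
    for m in mappings:
        entry = lfib.setdefault(m.fec, {"primary": None, "backup": None, "liberal": []})
        if m.peer == igp_next_hop.get(m.fec):
            entry["primary"] = (m.peer, m.label)
        elif retention == "liberal":
            entry["liberal"].append((m.peer, m.label))
            if m.peer == igp_alternate.get(m.fec):
                entry["backup"] = (m.peer, m.label)
        # conservative retention: a mapping not from the next hop is dropped
    return lfib


def select_nhlfe(lfib: Dict[str, dict], fec: str,
                 down_peers: Set[str]) -> Optional[Tuple[str, int]]:
    """Forwarding-time choice: the active LSP unless the peer/interface it
    uses is down, then the pre-installed standby LSP, without waiting for
    IGP or LDP convergence."""
    entry = lfib[fec]
    for candidate in (entry["primary"], entry["backup"]):
        if candidate is not None and candidate[0] not in down_peers:
            return candidate
    return None   # no usable LSP: traffic is lost until convergence


# Constructed sample: R2 is the IGP next hop for 10.1.1.0/24, R3 the
# alternate, R4 another peer that advertised a label but is on no useful path.
SAMPLE_MAPPINGS = [
    LabelMapping("10.1.1.0/24", "R2", 100),
    LabelMapping("10.1.1.0/24", "R3", 200),
    LabelMapping("10.1.1.0/24", "R4", 300),
]
NEXT_HOP = {"10.1.1.0/24": "R2"}
ALTERNATE = {"10.1.1.0/24": "R3"}

if __name__ == "__main__":
    for mode in ("liberal", "conservative"):
        lfib = build_lfib(SAMPLE_MAPPINGS, NEXT_HOP, ALTERNATE, retention=mode)
        print(mode, "normal:", select_nhlfe(lfib, "10.1.1.0/24", set()),
              "| R2 link down:", select_nhlfe(lfib, "10.1.1.0/24", {"R2"}))
```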

TE FRR

TE FRR is a technology used in MPLS TE to implement local protection on the network. Only interfaces whose rate reaches 100 Mbit/s support TE FRR. The FRR switchover time can reach 50 ms, which minimizes packet loss in the case of a network fault.

FRR is only a temporary measure. Once the protected LSP recovers or a new LSP is established, traffic is switched back to the original LSP or to the new LSP.

After FRR is configured for an LSP, when a link or node on the LSP fails, traffic is switched to the bypass LSP while the ingress of the LSP tries to establish a new LSP.

Based on the objects to be protected, FRR is divided into the following two types:

- Link protection: A direct link exists between the PLR and the MP, and the primary LSP passes through this link. When the link is out of service, traffic is switched to the bypass LSP. As shown in Figure 5-62, the primary LSP is R1→R2→R3→R4, and the bypass LSP is R2→R6→R3.

Figure 5-62 Schematic diagram of FRR link protection
[Diagram: primary LSP R1→R2→R3→R4 with R2 as PLR and R3 as MP; bypass LSP R2→R6→R3 around the protected R2–R3 link.]

- Node protection: The PLR is connected to the MP through R3, and the primary LSP passes through this router. When R3 fails, traffic is switched to the bypass LSP. As shown in Figure 5-63, the primary LSP is R1→R2→R3→R4→R5, and the bypass LSP is R2→R6→R4. R3 is the protected router.

Figure 5-63 Schematic diagram of FRR node protection
[Diagram: primary LSP R1→R2→R3→R4→R5 with R2 as PLR and R4 as MP; bypass LSP R2→R6→R4 around the protected node R3.]
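To make the two protection types concrete, here is an added Python example (not Huawei code) that splices a pre-signalled bypass LSP into the primary LSP at the PLR when a link or node fails, using the topologies of Figures 5-62 and 5-63. It goes slightly beyond the figures in one respect: it also shows that a node-protection bypass (PLR R2, MP R4) covers the R2–R3 link failure as well, while a link-protection bypass that merges at R3 cannot help when R3 itself fails. Router names and bypass tunnels are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Bypass:
    plr: str           # point of local repair (head of the bypass tunnel)
    mp: str            # merge point (tail of the bypass tunnel)
    path: Tuple[str, ...]   # hops of the bypass LSP, PLR first, MP last


Failure = Tuple[str, ...]   # ("link", a, b) or ("node", n)


def protected_span(primary: List[str], failure: Failure) -> Optional[Tuple[int, int]]:
    """Indices (i, j) of the primary-LSP hops that bracket the failed element,
    or None if the failure is not on the primary LSP."""
    if failure[0] == "link":
        a, b = failure[1], failure[2]
        for i in range(len(primary) - 1):
            if {primary[i], primary[i + 1]} == {a, b}:
                return i, i + 1
    elif failure[0] == "node":
        n = failure[1]
        if n in primary[1:-1]:      # ingress/egress cannot be locally repaired
            k = primary.index(n)
            return k - 1, k + 1
    return None


def reroute(primary: List[str], bypasses: List[Bypass],
            failure: Failure) -> Optional[List[str]]:
    """Path traffic takes after local repair, or None when no bypass covers
    the failure (traffic is then lost until the ingress signals a new LSP)."""
    span = protected_span(primary, failure)
    if span is None:
        return list(primary)        # failure elsewhere: primary LSP unaffected
    i, j = span
    failed = set(failure[1:])
    for bp in bypasses:
        if bp.plr != primary[i] or bp.path[0] != bp.plr or bp.path[-1] != bp.mp:
            continue
        if bp.mp not in primary[j:]:    # MP must lie downstream of the failure
            continue
        if failure[0] == "node" and failed & set(bp.path):
            continue                    # bypass traverses the failed node
        if failure[0] == "link" and any({x, y} == failed
                                        for x, y in zip(bp.path, bp.path[1:])):
            continue                    # bypass traverses the failed link
        return primary[:i] + list(bp.path) + primary[primary.index(bp.mp) + 1:]
    return None


# Constructed topologies matching Figures 5-62 and 5-63.
LINK_PRIMARY = ["R1", "R2", "R3", "R4"]
LINK_BYPASS = [Bypass("R2", "R3", ("R2", "R6", "R3"))]
NODE_PRIMARY = ["R1", "R2", "R3", "R4", "R5"]
NODE_BYPASS = [Bypass("R2", "R4", ("R2", "R6", "R4"))]

if __name__ == "__main__":
    print("link protection :", reroute(LINK_PRIMARY, LINK_BYPASS, ("link", "R2", "R3")))
    print("node protection :", reroute(NODE_PRIMARY, NODE_BYPASS, ("node", "R3")))
    print("link bypass, R3 fails:", reroute(NODE_PRIMARY, LINK_BYPASS, ("node", "R3")))
```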

VLL FRR

VLL FRR is a technique for network protection in an L2VPN. After a fault occurs on the network, it quickly switches user traffic to the backup link, improving the reliability of the L2VPN. VLL FRR is also called VLL redundancy.

VLL FRR in the L2VPN includes fault detection, fault notification, and active/standby switchover of links.

The NE40E provides several features that can be combined to realize VLL FRR.

- Fault detection
  - BFD for LSP/PW can quickly detect a fault of the LSP/PW on the network side of an L2VPN.
  - Ethernet OAM, ATM OAM, PPP, and FR can quickly detect a fault on the attachment circuit (AC) side of an L2VPN.
- Fault notification
  - LDP, BGP, or RSVP can notify the remote PE router of a fault of the LSP/PW or the AC.
  - BFD for LSP/PW can inform the remote PE router of a fault of the LSP/PW or the AC.
  - Ethernet OAM, ATM OAM, PPP, and FR can notify the local CE router of the fault.
- Active/standby switchover of links
  - In a symmetric network, the CE routers perform the active/standby switchover.
  - In an asymmetric network, the PE routers work with the CE routers to perform the active/standby switchover.

VPN FRR

In a traditional L3VPN, the local PE router senses a fault of the remote PE router through BGP keepalive (Hello) packets. The time taken to sense the fault defaults to 90 seconds; that is, the VPN routes on the local PE router converge only after the fault of the remote PE router has lasted 90 seconds.

VPN FRR supported by the NE40E can solve the preceding problem. When the CE router is dual-homed, VPN FRR can fast switch VPN services to the backup tunnel and PE router after the link between the CE router and the PE router is disconnected or after the PE router restarts. In this manner, services are restored within a short period.

- The forwarding engine of the local PE router keeps not only the outer labels toward the remote active PE router and the inner labels that PE distributed for the VPN routes, but also the outer labels toward the remote standby PE router and the inner labels it distributed for the same VPN routes.

- With an end-to-end fault detection mechanism such as BFD, the local PE router senses a fault of the remote active PE router within 200 milliseconds and then switches the outer and inner labels from the remote active PE to those of the standby PE at the same time.

- VPN FRR solves the problem of switchover between inner labels. The switchover priority of VPN FRR is lower than that of LDP/MPLS TE FRR, so VPN FRR takes longer to sense a fault than LDP/TE FRR does.
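The forwarding-plane side of VPN FRR described in the list above, as an added Python example (not Huawei code): both (outer, inner) label pairs are installed ahead of time, and the choice between them is driven purely by the BFD state of the remote PEs, so the switch from the active PE to the standby PE needs no BGP route recomputation. The PE names, prefix and label numbers are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class VpnNhlfe:
    remote_pe: str      # egress PE that advertised the VPN route
    outer_label: int    # public tunnel label toward that PE
    inner_label: int    # VPN (inner) label that PE allocated for the route


@dataclass
class VpnFrrEntry:
    prefix: str
    primary: VpnNhlfe
    backup: VpnNhlfe    # pre-installed path via the standby PE


class VpnForwarder:
    """Forwarding-engine view of VPN FRR: both label stacks are present, and
    the BFD state of the remote PE decides which one is pushed."""

    def __init__(self) -> None:
        self.entries: Dict[str, VpnFrrEntry] = {}
        self.pe_bfd: Dict[str, str] = {}    # remote PE -> "Up" | "Down"

    def install(self, entry: VpnFrrEntry) -> None:
        self.entries[entry.prefix] = entry
        self.pe_bfd.setdefault(entry.primary.remote_pe, "Up")
        self.pe_bfd.setdefault(entry.backup.remote_pe, "Up")

    def bfd_event(self, remote_pe: str, state: str) -> None:
        """End-to-end BFD session to a remote PE changed state."""
        self.pe_bfd[remote_pe] = state

    def label_stack(self, prefix: str) -> Optional[Tuple[int, int]]:
        """(outer, inner) labels pushed for a packet to prefix, or None if
        neither the active nor the standby PE is reachable."""
        entry = self.entries[prefix]
        for nhlfe in (entry.primary, entry.backup):
            if self.pe_bfd.get(nhlfe.remote_pe) == "Up":
                return nhlfe.outer_label, nhlfe.inner_label
        return None


def build_sample() -> VpnForwarder:
    """Constructed sample: the CE is dual-homed to PE2 (active) and PE3 (standby)."""
    fw = VpnForwarder()
    fw.install(VpnFrrEntry(
        "172.16.0.0/24",
        primary=VpnNhlfe("PE2", outer_label=1001, inner_label=2001),
        backup=VpnNhlfe("PE3", outer_label=1002, inner_label=2002),
    ))
    return fw


def simulate_remote_pe_failure() -> Tuple[Optional[Tuple[int, int]],
                                          Optional[Tuple[int, int]]]:
    """Label stacks before and after BFD to the active PE goes Down."""
    fw = build_sample()
    before = fw.label_stack("172.16.0.0/24")
    fw.bfd_event("PE2", "Down")
    after = fw.label_stack("172.16.0.0/24")
    return before, after


if __name__ == "__main__":
    print(simulate_remote_pe_failure())
```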

6 Maintenance and Network Management System

The NE40E provides various maintenance functions such as software download, online upgrade, operation detection, diagnosis and real-time query. This greatly facilitates the system maintenance.

The NE40E is managed by the Huawei Quidway network management system (NMS). It supports the Simple Network Management Protocol (SNMP) v1/v2c/v3 and a client/server architecture. The NE40E NMS runs on multiple operating systems, including Windows NT/2000/XP and UNIX (Sun, HP, and IBM), and provides graphical user interfaces in multiple languages.

6.1 Maintenance Functions and Features

6.1.1 System Configuration Mode

The NE40E provides two configuration modes, that is, command line configuration and NMS configuration.

Command line configuration supports:

- Local configuration through the Console port
- Remote configuration through the AUX port with a modem
- Remote configuration through Telnet

NMS configuration supports the SNMP-based NMS.

6.1.2 System Management and Maintenance

The NE40E provides the following system management and maintenance functions:

- Board-in-position detection, hot-swap detection, watchdog, board reset, control over running and debugging indicators, fan monitoring, power monitoring, active/standby switchover control, and version query
- Local and remote software upgrading and data loading, upgrade rollback, backup, storage, and removal

- Hierarchical user authority management, operation log management, and online help and comments for the command line
- Multi-user operation
- Collection of multi-layer information, including port information, Layer 2 information, and Layer 3 information
- Hierarchical management, alarm classification, and alarm filtering

6.1.3 System Service and Status Tracking

The NE40E can track system services and status as follows:

- Monitors changes of the state machines of routing protocols.
- Monitors changes of the state machine of MPLS LDP.
- Monitors changes of VPN-related state machines.
- Monitors the types of upstream protocol packets sent by the NP, and displays details about the packets when debugging is enabled.
- Monitors and counts abnormal packets.
- Displays a notification when handling of an abnormality takes effect.
- Collects statistics on the resources used by each feature subsystem.

6.1.4 System Test and Diagnosis

The NE40E provides debugging of running services. While in service, it can record key events, packet processing, packet parsing, and state transitions over a specified period, which helps with device debugging and network deployment. Through the debugging command you can enable or disable debugging for a specific service (such as a routing protocol) or a specific interface (such as the routing protocol information on a specified interface).

The trace function of the NE40E detects and diagnoses faults. While in service, it records key events such as task switchover, task interruption, queue reads and writes, and system abnormalities. When the system is restarted after a fault, you can read the trace information to locate the fault. You can enable or disable the trace function through the tracert command.

In addition, you can query the CPU usage of the SRU and the LPU in real time.

The debugging and trace functions of the NE40E classify their output, and sensitive information of different classes is directed to different output destinations according to the user configuration. The output destinations include the console display, a Syslog server, and SNMP traps that trigger alarms.

The NE40E also provides the Network Quality Analysis (NQA) function.

NQA measures the performance of each protocol running on the network and helps the network operator collect network performance indicators such as total HTTP delay, TCP connection delay, DNS resolution delay, file transfer rate, FTP connection delay, and DNS resolution failure rate. By monitoring these indicators, the network operator can provide users with services of different grades and charge for them differently.

NQA is also an effective tool in diagnosing and locating faults in the network.

6.1.5 Online Debugging

The NE40E provides port mirroring, which copies specified traffic to a monitoring port so that maintenance personnel can debug and analyze the operating status of the network.

6.1.6 Upgrade Features

In-Service Upgrade

The router supports in-service upgrading and patching of the software, so you can upgrade only the features that require modification.

System Upgrade

The system upgrade optimizes the upgrading process: one command completes the upgrade, which saves time. Progress is displayed during the upgrade, and the results can be viewed after it completes.

Rollback

If the new system software cannot start the system after an upgrade, you can fall back to the previous software that started the system successfully.

The rollback function protects services against a failed system upgrade.

PAF and License

PAF is used to tailor the features or the resource occupancy of the product in a simple and effective way.

A license allows the NE40E to provide the service functions and capacities that a customer is authorized to use. According to the contract signed with the customer, Huawei provides a signed license file that is unique to the customer's device. The customer can perform the authorized configurations and use the authorized functions only when the signature on the license file is verified and the serial number of the device matches the one in the license file.
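The two checks the license description names, signature verification followed by the device serial binding, as an added Python example that is not Huawei's licensing code. The real NE40E license carries a vendor signature whose scheme the document does not describe; to stay on the standard library, this example stands in an HMAC-SHA256 keyed by a constructed secret, and the serial numbers and feature names are constructed sample values. The point it demonstrates is the ordering and the failure modes: a tampered payload, a license for another device, and a malformed file each yield no features at all.

```python
import base64
import hashlib
import hmac
import json
from typing import Set, Tuple

# Constructed stand-in for the vendor's signing secret (assumption: the real
# license uses the vendor's own signature scheme, not an HMAC).
VENDOR_KEY = b"example-vendor-signing-key"


def _encode(payload: dict) -> bytes:
    """Canonical JSON so that the same claims always sign to the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_license(serial: str, features: Set[str], key: bytes = VENDOR_KEY) -> str:
    """Produce '<base64 payload>.<hex signature>' bound to one device serial."""
    payload = _encode({"serial": serial, "features": sorted(features)})
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload).decode() + "." + sig


def verify_license(token: str, device_serial: str,
                   key: bytes = VENDOR_KEY) -> Tuple[bool, str, Set[str]]:
    """Check the signature first, then the serial binding; only then return
    the feature set the device may enable. Returns (ok, reason, features)."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        return False, "malformed license file", set()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):           # constant-time compare
        return False, "signature verification failed", set()
    try:
        data = json.loads(payload)
    except ValueError:
        return False, "malformed license payload", set()
    if data.get("serial") != device_serial:
        return False, "license is bound to a different device serial", set()
    return True, "ok", set(data.get("features", []))


def tampered_copy(token: str, extra_feature: str) -> str:
    """Rewrite the payload to claim one more feature while keeping the old
    signature; used to show that such a file fails verification."""
    b64, sig = token.split(".", 1)
    data = json.loads(base64.b64decode(b64))
    data["features"] = sorted(set(data["features"]) | {extra_feature})
    return base64.b64encode(_encode(data)).decode() + "." + sig


if __name__ == "__main__":
    tok = issue_license("SN-EXAMPLE-0001", {"L3VPN", "L2VPN"})
    print(verify_license(tok, "SN-EXAMPLE-0001"))
    print(verify_license(tok, "SN-EXAMPLE-0002"))
    print(verify_license(tampered_copy(tok, "MVPN"), "SN-EXAMPLE-0001"))
```

Checking the signature before parsing the payload means an attacker-controlled file is never interpreted, and `hmac.compare_digest` avoids leaking the signature through timing.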

6.1.7 GTL

The NE40E carries ever more software features, so the cost of software makes up a growing share of the total cost. Bundling all features together, however, cannot satisfy users and carriers in the following respects:

- Ordinary users want to reduce the purchase cost.
- Users who need to upgrade their devices want to be able to expand device capacity and choose service features as required.

To meet different requirements, the NE40E provides flexible authorization of service features.

The NE40E provides a license authorization management platform through the Global Trotter License (GTL), which implements the authorization of service features. In this mode:

- Ordinary users can purchase service features as required, which reduces the purchase cost.
- Users who need to upgrade their devices can expand device capacity and add new service features by applying for new licenses.

Provided with GTL, the NE40E manages the features of L3VPN, L2VPN, MVPN, GRE tunnels, IPv6 tunnels, 6PE (IPv4 over IPv6) tunnels, Netstream, and PBB-TE.

6.1.8 Miscellaneous Features

The NE40E provides the following additional configuration features:

- Hierarchical protection of configuration commands, ensuring that unauthorized users cannot access the router.
- Online help available by typing "?".
- Various debugging information for network troubleshooting.
- A DosKey-like function for re-running a command from the history.
- Fuzzy matching of command lines. For example, you can enter the unambiguous keyword "disp" for the display command.

6.2 Network Management System

6.2.1 NMS

The NE40E is managed by the Huawei iManager N2000 NMS. It supports SNMP v1/v2c/v3 and a client/server architecture. The NE40E NMS runs on multiple operating systems, including Windows NT/2000/XP and UNIX (Sun, HP, and IBM), and provides graphical user interfaces in multiple languages.

The iManager N2000 NMS can be seamlessly integrated with the NMSs of other Huawei fixed-network telecom equipment for centralized management.

The N2000 NMS can also be integrated with other universal NMSs in the industry, such as HP OpenView, IBM NetView, What's up Gold and SNMPc. This makes it possible to perform the unified management on the devices of multiple vendors. The N2000 NMS provides real-time management on topology, fault, performance, configuration tool, equipment log, security and users, QoS policy, and VPN service. Besides, it can be used to download, save, modify, and upload configuration files, as well as upgrade the system software.

6.2.2 LLDP

At present, Ethernet technology is widely used in the Local Area Network (LAN) and the Metropolitan Area Network (MAN). With the growing demand for large-scale networks, more is required of the Network Management System (NMS). For example, the NMS should be able to obtain the topology of interconnected devices and detect conflicting configurations on different devices.

Recent NMS software uses automatic discovery to trace changes in topology. Most NMS software, however, can at best analyze the Layer 3 network topology and group devices into IP subnets. The data it provides covers only the basic events of adding or deleting devices; the NMS cannot find out which interfaces on a device connect to another device. That is, the NMS can neither locate a device nor determine its operating mode.

A Layer 2 Discovery (L2D) protocol can precisely discover which interfaces reside on which devices and which devices are connected to one another, and display the paths between clients, switches, routers, application servers, and network servers. This detailed information helps find the root cause of a network failure.

The Link Layer Discovery Protocol (LLDP) is an L2D protocol defined in IEEE 802.1ab. LLDP specifies that status information is stored on every interface and that a device can send its status to neighboring stations; interfaces can also send status changes to neighboring stations as required. The neighboring stations store the received information in the standard Management Information Base (MIB) of the Simple Network Management Protocol (SNMP), where the NMS can query the Layer 2 information. As specified in IEEE 802.1ab, the NMS can also detect improper Layer 2 configurations from the information provided by LLDP.

When LLDP runs on the devices, the NMS can obtain the Layer 2 information about all the devices it connects to and detailed network topology information, which expands the scope of network management. LLDP also helps find improper configurations on the network and reports them to the NMS, so that erroneous configurations can be corrected promptly.
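The information LLDP carries between neighbors, as an added Python example that is not Huawei or NMS code: it builds one LLDPDU (Ethertype 0x88CC, 2-byte TLV headers with a 7-bit type and 9-bit length, mandatory Chassis ID, Port ID and TTL TLVs plus a System Name TLV) and parses it back into the fields an NMS would store in the LLDP MIB, rejecting truncated or malformed frames instead of reading past the end. The MAC address, interface name and system name are constructed sample values; the TLV layout follows IEEE 802.1AB.

```python
import struct
from typing import Dict

LLDP_MCAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address
LLDP_ETHERTYPE = 0x88CC


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """LLDP TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type <= 0x7F or len(value) > 0x1FF:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_frame() -> bytes:
    """Constructed LLDPDU as a router might send it (not captured traffic)."""
    src = bytes.fromhex("001122334455")
    tlvs = (
        build_tlv(1, b"\x04" + src)              # Chassis ID, subtype 4 = MAC address
        + build_tlv(2, b"\x05" + b"GE1/0/1")     # Port ID, subtype 5 = interface name
        + build_tlv(3, struct.pack("!H", 120))   # Time To Live, seconds
        + build_tlv(5, b"NE40E-core-1")          # System Name
        + build_tlv(0, b"")                      # End of LLDPDU
    )
    return LLDP_MCAST + src + struct.pack("!H", LLDP_ETHERTYPE) + tlvs


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_lldp(frame: bytes) -> Dict[str, object]:
    """Decode the mandatory TLVs (and System Name) into the fields an NMS
    would keep in the LLDP MIB. Raises ValueError on a malformed frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    info: Dict[str, object] = {"src_mac": _mac(frame[6:12])}
    off, seen_end = 14, False
    while not seen_end:
        if off + 2 > len(frame):
            raise ValueError("truncated TLV header")
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV value")   # never read past the frame
        off += 2 + tlen
        if ttype == 0:
            seen_end = True
        elif ttype == 1:      # Chassis ID: subtype byte then identifier
            info["chassis_id"] = (_mac(value[1:]) if value[:1] == b"\x04"
                                  else value[1:].decode("latin-1"))
        elif ttype == 2:      # Port ID: subtype byte then identifier
            info["port_id"] = (_mac(value[1:]) if value[:1] == b"\x03"
                               else value[1:].decode("latin-1"))
        elif ttype == 3:
            if tlen != 2:
                raise ValueError("bad TTL TLV length")
            info["ttl"] = struct.unpack("!H", value)[0]
        elif ttype == 5:
            info["system_name"] = value.decode("utf-8", errors="replace")
        # other TLV types are skipped by length, which is what makes the
        # format extensible
    for required in ("chassis_id", "port_id", "ttl"):
        if required not in info:
            raise ValueError(f"missing mandatory TLV: {required}")
    return info


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_lldp(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_lldp(build_sample_frame()))
```

Because LLDP is unauthenticated and multicast, everything this parser returns (chassis ID, port names, system name) is also visible to any host on the segment; that is the reason many deployments enable LLDP only on infrastructure-facing interfaces.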

7 Networking Applications

The NE40E is mainly intended for the IP core/backbone network or for convergence nodes with heavy traffic. With its carrier-class features it also acts as a gateway on a data center network. The NE40E provides multiple services, such as IPv4/IPv6 routing and high-speed forwarding, MPLS, and IP multicast, and it provides MPLS TE to address traffic engineering on the backbone network.

The NE40E can be used:

- As a core node on the national or provincial backbone network
- As a Point of Presence (POP) access node on the national or provincial backbone network
- As a core node on the MAN

7.1 Application on the National Backbone Network

As shown in Figure 7-1, the national backbone network adopts a partial-mesh topology. It is connected upstream to the international egress and downstream to the provincial backbone networks, and it connects to other ISP networks through the Network Access Point (NAP). The NE40E can work as a core node of the national backbone network because of its large capacity, powerful routing, and high-speed forwarding capability.

Figure 7-1 Application on the national backbone network
[Diagram: NAP and international egress at the top; national backbone of NE5000E/80E nodes; provincial backbones of NE80E/40E nodes below.]

The NE40E supports IPv6 and can meet the requirements for carrying multiple services on the IP backbone network, with the following features:

- Fifth-generation service expansion and smooth upgrade
- Carrier-class stability
- Full compatibility
- Complete QoS mechanisms

7.2 Application on the IP Bearer Network

Figure 7-2 shows the application on the IP bearer network.

Figure 7-2 Application on the IP bearer network
[Diagram: core layer nodes SD1, XA1, PJ1, SY1, NJ1, GZ1, WH1, SH1 (CR: NE5000E); convergence layer (BR: NE80E); access layer (AR: NE40E); SoftX3000 softswitches attached.]

Given the state of the existing bearer network and the positioning of the NGN bearer network and 3G services, carriers need to set up a core bearer network that carries NGN multi-services. In the new competitive environment, and as new services and technologies develop, the newly built bearer network becomes the next-generation multi-service bearer platform for voice, data, and video. Specifically, it carries services such as NGN, video conferencing, video telephony, streaming media, enterprise interconnection, and 3G, and marks a milestone in network transformation and convergence for carriers.

In this solution, the NE5000E acts as the core router, forwarding data at high speed with high reliability, and the NE80E/40E acts as the convergence router that accesses NGN voice, signaling, NMS, and customer services.

This application has the following characteristics:

- The core layer uses two planes. The NE5000Es are connected in full-mesh mode.
- The NE80E is dual-homed to the NE5000E.
- Two devices are deployed at an important node to back up each other.
- MPLS VPN is uniformly planned to realize user isolation and service isolation.
- VPN FRR is deployed on all PE routers.
- High-reliability techniques such as TE FRR, GR, BFD for VRRP, and IGP fast convergence are used on the network.

7.3 Application on the IPTV Bearer Network

Figure 7-3 shows the application on the IPTV bearer network.

Figure 7-3 Application on the IPTV bearer network
[Diagram: core bearer network (ES: NE80E, NMS, CS) above a BAS; convergence switch, multicast switch, end switch, DSLAM, home gateways and PC/TV terminals below. Annotations in the figure:
- Core: DiffServ, multicast fast convergence, and Anycast RP provide reliability.
- BAS: QinQ, 4K x 4K VLANs, isolated unicast services, secure access.
- Convergence switch: multicast replication on the edge, ensuring efficient and controllable multicast.
- Access: dynamic IP+MAC+VLAN binding and strict URPF, ensuring access security.
- Selective QinQ and a dedicated multicast VLAN avoid replication on the gateway.
- Multicast switch saves reconstruction expense.]

In this application, the devices are recommended as follows:

- The NE80E/40E can run as the core-layer router, providing comprehensive VPN, multicast, and QoS scheduling functions.

- The MA5200G/ME60, a high-performance, large-capacity multi-service control gateway, can run as the service-control-layer device. It supports authentication through PPPoE and DHCP, multicast replication based on VLANs and PPPoE sessions, and five-level QoS scheduling.
- The S8500 switch can run at the convergence layer. It supports selective QinQ and effectively differentiates services.
- The S6500 can run as the multicast switch. It supports inter-VLAN multicast replication for attached switches or DSLAMs without multicast functions.

- The S3000 and S2000 can run as access switches. They provide multicast features such as multicast VLAN and IGMP snooping/proxy.
- Huawei SMARTAX DSLAMs such as the MA5100/5300/5600 can run as the access-end DSLAM. The ATM-based MA5100 supports multicast with the newly added EVM boards, so existing network services and new video services can reach different networks through different boards. The IP-based MA5300/5600 provides rich multicast functions.

This application has the following characteristics:

- The IPTV bearer network and the original MAN access network use the same platform, so the IPTV bearer network is integrated into the carrier's overall network structure.
- At the core layer, the high-end NE80E/40E router builds the MPLS VPN and constructs the logical plane for the various services. In addition, the NE80E/40E forwards data at high speed and provides high-performance QoS.
- The BRAS at the service control layer is deployed as follows:
  - In the early phase of IPTV service development, ordinary services and IPTV services access the same BRAS and are separated there. In this manner, little change is made to the whole network and new services are deployed promptly.
  - As services grow to a large scale, dedicated IPTV BRASs are required. Broadband access services access the original BRAS, and IPTV services access the dedicated IPTV BRAS. IPTV services and other services thus do not interfere with each other, and the high-traffic requirements of IPTV services are met. The strong control capability of the BRAS also ensures secure access for IPTV services. IPTV services and other services are separated on the Layer 2 convergence-layer device.

7.4 Application on the Multi-Service IP MAN

Figure 7-4 Application on the multi-service IP MAN
[Diagram: Internet backbone network and IP bearer network at the top; egress router (ASBR-PE) of the IP MAN core network; service control layer (BRAS, USR); access networks for broadband access, customer services, and NGN services.]

As shown in Figure 7-4, the IP MAN is divided into the core layer, service control layer, and access layer.

The NE80E is usually used in the core position on the IP backbone network, the IP MAN, and large-scale IP networks; in this application it can be deployed at the egress of the IP MAN core network. The NE40E is usually deployed as a core or convergence node on the IP MAN; in this application it can be deployed as a convergence node on the IP MAN core network.

The core layer is responsible for high-performance, large-capacity data forwarding. It requires a simple network structure and the secure and reliable transmission of multiple services. Huawei runs IP routing at the core layer and IP/MPLS throughout the network, so that one physical network can realize multiple logical service bearer planes through MPLS VPN technology. To ensure network security and reliability, Huawei applies many reliability techniques at the core layer, covering device reliability, network reliability, and inter-AS reliability. Huawei provides core-layer devices with large capacity, high-density interfaces, and high forwarding performance, meeting the requirements of the core layer.

The NE80E/40E provides the following features that meet the demands of the core layer of the MAN:

- The NE80E/40E has powerful switching capacity. The interface capacity of a single system reaches 640 Gbit/s. The NE80E/40E provides line-rate 10-Gbit/s interfaces. In addition, the NE40E provides high-density GE interfaces. This meets the requirements for large-capacity, high-performance forwarding of the core network.

- The NE80E/40E provides powerful routing capability and various routing protocols. The NE80E/40E supports IP/MPLS and provides multiple VPN solutions such as MPLS/BGP L3VPN and MPLS L2VPN. In this manner, multiple services are carried over the logical bearer planes of the core network, and service isolation and security are realized.

- The NE80E/40E supports inter-AS VPN Option A/B/C. This guarantees the reliable running of inter-AS services.

- The NE80E/40E provides carrier-class reliability, such as redundancy of key modules and in-service patching. In addition, the NE80E/40E provides various FRR techniques, such as IP FRR, LDP FRR, and TE FRR, to guarantee the reliability of the entire network.

7.5 Application on the IPv6 Backbone Network

Figure 7-5 Application on an IPv6 backbone network (diagram; nodes shown: NE5000E/80E routers in the IPv6 core; NE80E and NE80E/40E PE routers at the IPv6 edge, connected to the IPv6 Internet and, through IPv6/IPv4 interworking, to the IPv4 Internet; L3 switches, L2 switches, an MA 5200 and SOHO IPv6 sites on the access side. Legend: PE: Provider Edge; PT: Protocol Translation; NAT: Network Address Translation)

As shown in Figure 7-5, the IPv6 application on the backbone network does not impact the original IPv4 services such as IPv4 forwarding and MPLS VPN. The application needs to solve two problems:

- Interconnection between IPv6 islands

- Interworking between IPv6 and IPv4 networks

The NE40E offers the following IPv6-based solutions:

- All the routers on the backbone network support the IPv4/IPv6 dual stack. IPv4 services are then forwarded over IPv4 and IPv6 services over IPv6, which solves both problems.

- The interconnection between IPv6 islands can be implemented through L3 tunnels (manually configured tunnels or 6to4 tunnels). The core routers only need to support IPv4 forwarding and do not need to be upgraded. The interworking between IPv6 and IPv4 networks is implemented by configuring NAT-PT on the gateways.

- The interconnection between IPv6 islands can be implemented through MPLS L2 tunnels by applying MPLS L2VPN techniques such as VPLS and CCC. The core routers only need to support MPLS forwarding. The interworking between IPv6 and IPv4 networks is implemented by configuring NAT-PT on the gateways.
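The 6to4 tunnel option above works because the IPv4 tunnel endpoint is embedded in the IPv6 prefix itself; the following added example (not from this document or from Huawei's software; function names and all addresses are constructed for illustration) shows that derivation and the matching consistency check a decapsulating border router applies before accepting a packet from a peer island.

```python
# Added example (not from the Huawei document): 6to4 addressing for linking
# IPv6 islands across an IPv4-only core. RFC 3056 embeds the site's public
# IPv4 tunnel endpoint in its prefix 2002:WWXX:YYZZ::/48. Addresses are
# constructed documentation addresses.
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Simplified "not reachable across the IPv4 core" filter: 0/8, RFC 1918,
# loopback, link-local, multicast and reserved. Documentation ranges are
# deliberately not listed so the constructed sample addresses pass.
BOGON_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def usable_endpoint(v4: ipaddress.IPv4Address) -> bool:
    """True if v4 can serve as a 6to4 tunnel endpoint on the public core."""
    return not any(v4 in net for net in BOGON_V4)


def site_prefix(endpoint_v4: str) -> ipaddress.IPv6Network:
    """The /48 6to4 prefix a site derives from its IPv4 tunnel endpoint."""
    v4 = ipaddress.IPv4Address(endpoint_v4)
    if not usable_endpoint(v4):
        raise ValueError(f"{endpoint_v4} cannot be a 6to4 endpoint")
    # Layout: 2002 (16 bits) | IPv4 address (32 bits) | 80 zero bits
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def tunnel_endpoint(ipv6_dst: str) -> ipaddress.IPv4Address:
    """Outer IPv4 destination when encapsulating a packet toward ipv6_dst."""
    v6 = ipaddress.IPv6Address(ipv6_dst)
    if v6 not in SIX_TO_FOUR:
        raise ValueError(f"{ipv6_dst} is not 6to4: needs a native route or relay")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def accept_decapsulated(outer_src: str, inner_src: str) -> bool:
    """RFC 3964 consistency check for island-to-island traffic: the inner
    IPv6 source must be 6to4, and its embedded IPv4 address must equal the
    outer IPv4 source and be a usable endpoint; a mismatch indicates a
    spoofed outer or inner source and the packet is dropped. (Traffic via a
    6to4 relay has native inner sources and needs its own relay policy.)"""
    v4 = ipaddress.IPv4Address(outer_src)
    v6 = ipaddress.IPv6Address(inner_src)
    if v6 not in SIX_TO_FOUR or not usable_endpoint(v4):
        return False
    return tunnel_endpoint(inner_src) == v4
```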


8 Technical Specifications

8.1 Physical Specifications

Table 8-1 Physical specifications

Item | Description
External dimensions (width x depth x height) | NE40E-8: 442 mm x 669 mm x 886 mm (20U); NE40E-4: 442 mm x 669 mm x 442 mm (10U)
Installation | Mounted in a 19-inch standard cabinet or an N68-22 cabinet
Weight | Fully configured: NE40E-8 110 kg, NE40E-4 75 kg. Empty: NE40E-8 65 kg, NE40E-4 35 kg. Boards: SRU 3.8 kg, SFU 3.0 kg, LPU 4.8 kg
Maximum power | NE40E-8: 3000 W; NE40E-4: 2400 W
DC input voltage | Rated voltage: –48 V; maximum voltage range: –72 V to –38 V
AC input voltage | Rated voltage range: 200 V to 240 V; maximum voltage range: 176 V to 275 V
Environmental temperature | Long-term: 0°C to 45°C; short-term: –5°C to 55°C. Remark: the temperature variation rate is restricted to 30°C per hour
Storage temperature | –40°C to 70°C
Relative environmental humidity | Long-term: 5% to 85% RH, non-condensing; short-term: 0% to 95% RH, non-condensing
Relative storage humidity | 0% to 95% RH, non-condensing
Altitude for permanent work | Within 3000 meters
Storage altitude | Within 5000 meters

8.2 System Configuration

Table 8-2 System configuration list

Item | System configuration | Remark
Processing unit | Main frequency: 1 GHz | —
BootROM | 1 MB | —
SDRAM | 2 GB | —
NVRAM | 512 KB | —
Flash | 32 MB | —
CF card | 512 MB | The capacity can be extended. The CF card is used as a mass storage device to store data files. The CF card on the SRU stores logs and is hot swappable; the CF card inside the SRU stores system files and is not hot swappable.
Switching capacity | 640 Gbit/s (bidirectional) | —
Backplane capacity | 2 Tbit/s (bidirectional) | —
Interface capacity | 320 Gbit/s (bidirectional) | It can be extended to 640 Gbit/s.
Number of LPU slots | NE40E-8: 8; NE40E-4: 4 | LPU (optional)
Transmitting rate of the LPU | 16 kbit/s | Bidirectional: sending packets to the SRU and receiving packets from the SRU
Number of SRU slots | 2 | SRU
Transmitting rate of the SRU | 32 kbit/s | Bidirectional: sending packets to the SRU and receiving packets from the LPU
Number of SFU slots | 2 | SFU
Maximum port rate supported by LPUs | 10 Gbit/s | —

8.3 Specifications of System Features and Service Performances

8.3.1 Specifications of System Features

Table 8-3 Specifications of the system features

Category | Feature | Description
Interworking | LAN protocols | Ethernet_II, IEEE 802.1Q, IEEE 802.1p
Interworking | Link layer protocols | PPP, MP, HDLC, FR, ATM, IP over ATM, RPR, RRPP
Interworking | Ethernet switching | Basic VLAN features, VLAN aggregation, VLAN trunk, dynamic learning between VLAN members, VLANIF, inter-VLAN routing, VLAN translation, VLAN stacking/VLAN mapping, STP/RSTP/MSTP, QinQ
Network protocol | IPv4 routing protocols | Static routes; dynamic unicast routing protocols: RIP-1/RIP-2, OSPF, IS-IS, BGP; multicast protocols: IGMP, IGMP snooping, PIM-DM, PIM-SM, PIM-SSM, MBGP, MSDP; multicast VLAN; multicast VPN; multicast flow control; routing policies
Network protocol | IPv6 | IPv4-to-IPv6 transition technologies: manually configured tunnel, GRE, automatic tunnel, 6to4 tunnel, 6PE, IPv4 over IPv6 tunnel; IPv6 static routing; IPv6 dynamic unicast routing: BGP4+, RIPng, OSPFv3, IS-ISv6; IPv6 multicast protocols: MLD, PIM-IPv6-DM, PIM-IPv6-SM, PIM-IPv6-SSM
MPLS | Basic functions | MPLS forwarding, MPLS LDP, MPLS TE, MPLS QoS, MPLS Uniform, Pipe and Short Pipe, MPLS OAM, IPTN
VPN | L2VPN | VLL/PWE3 (Martini, Kompella), VPLS, QinQ, HVPLS, ATM Inter-Working Function (ATM IWF)
VPN | L3VPN | MPLS/BGP VPN (as the PE router or the P router), HoVPN, multicast VPN, inter-AS VPN, carrier's carrier, RRVPN, policy-based routing to VPN, multi-role host
VPN | IPv6 L3VPN | IPv6 MPLS/BGP VPN (as the PE router or the P router), inter-VPN, carrier's carrier
Security | AAA | CHAP, PAP, RADIUS, HWTACACS
Security | Other security features | SSH, port mirroring, port traffic sampling, traffic control on the LPU and the SRU, URPF, Layer 2 limit, ARP anti-attack, attack defense, GTSM, lawful interception, hierarchical commands to defend against unauthorized users' login
Reliability | Hot backup | 1:1 backup of SRUs; 3+1 load balancing and backup of SFUs; 1+1 backup of the power module; 1+1 backup of the system management bus and data bus
Reliability | GR | Protocol-level GR: IS-ISv4, OSPF, BGP4, LDP, and VPN; system-level GR
Reliability | Other | IP FRR, LDP FRR, TE FRR, VLL FRR, VPN FRR, VRRP, BFD, dampening control to support Up/Down of interfaces, customized alarm damping
QoS | Traffic classification | Simple traffic classification; complex traffic classification: based on the port, or on Layer 2, Layer 3 or Layer 4 packets
QoS | Traffic policing and shaping | Traffic policing and traffic shaping based on srTCM or trTCM; DiffServ EF and AF services; GTS
QoS | Congestion management | PQ/WFQ
QoS | Congestion avoidance | WRED
QoS | Policy-based routing | Route redirection, MPLS LSP explicit route distribution
QoS | QPPB | IP precedence, specific traffic behavior
QoS | BGP accounting | BGP identifies and classifies routes through the BGP traffic index and accounts traffic on the basis of that classification
QoS | VPN QoS | QoS that transmits the private network routes through BGP, an extension of QPPB to the L3VPN; traffic classification, traffic shaping, and queue scheduling in the L2VPN and L3VPN; combination of VPN QoS with MPLS DiffServ/MPLS TE/MPLS DS-TE
QoS | QinQ QoS | 802.1p remark supported by QinQ; 802.1p and DSCP remark during QinQ termination; 802.1p and EXP remark during QinQ termination
QoS | ATM QoS | Simple traffic classification and forcible traffic classification
QoS | FR QoS | Traffic shaping, traffic policing, congestion management, queue management, and FR fragmentation
QoS | HQoS | Two-level scheduling mode: level 1 scheduling ensures bandwidth for each user and level 2 scheduling ensures bandwidth for the services of each user; L2VPN HQoS; L3VPN HQoS; TE and DS-TE HQoS
Configuration management | Command line interface | Local configuration through the Console port; local or remote configuration through the AUX port; local or remote configuration by Telnet; local or remote configuration by SSH login; hierarchical commands to defend against unauthorized users' login; detailed debugging information for network fault diagnosis; network test tools such as tracert and ping; logging in to and managing other routers by Telnet; FTP server and client functions to upload and download configuration files and applications; TFTP client functions to upload and download configuration files and applications; upload and download of configuration files and applications through the XModem protocol; system logs; virtual file system
Configuration management | Time service | Time zone, summer time, NTP server and NTP client
Configuration management | Online services | In-service upload, in-service smooth upgrade, in-service patching
Configuration management | Information center | Provides three types of information: alarm, log, and debugging; provides eight levels of information: emergency, alert, critical, error, warning, notification, informational, and debugging; information can be output to the log host or user terminal, and log and alarm information can be output through the SNMP agent or the buffer
Configuration management | Network management | SNMP v1/v2c/v3, RMON, NetStream, traffic statistics

8.3.2 Specifications of Service Performances

Table 8-4 Service performance specifications

Attribute | Service feature | Technical and performance specifications
IP unicast | IPv4/IPv6 forwarding | Line-rate forwarding of IPv4/IPv6 packets on the high-speed interface
IP unicast | IPv4/IPv6 routing entries | 2M/256K
IP unicast | IPv4 FIB | 1M
IP unicast | Routing convergence speed | In milliseconds
IP unicast | Number of IPv6 over IPv4 tunnels | 8000
IP unicast | Number of 6PEs | 1000
MPLS | Label layers | 6
MPLS | Number of LSPs | 1 M
MPLS | Number of LDP neighbors | More than 1000
MPLS | MPLS FRR switching time | < 50 ms
Layer 2 features | MAC table (dynamic and static) | 128 K
L2VPN | VLL entries | 16 K
L2VPN | VSI entries | 8 K
QoS | Number of traffic classification rules | 16 K/LPU
QoS | CAR granularity | 64 K
QoS | Number of queues | 256 K (bidirectional)/LPU
QoS | Levels of HQoS scheduling | 5 levels
QoS | Packet buffer time | 200 ms
Multicast | Number of multicast static routes | 256
Multicast | Number of multicast forwarding table entries | 8 K
Multicast | Forwarding rate | 10 Gbit/s