ZXR10 8900E series Core Switch Product Description

ZTE Confidential Proprietary © 2013 ZTE CORPORATION. All rights reserved. I


| Version | Date | Author | Approved By | Remarks |
|---|---|---|---|---|
| V1.00 | 2011-03-25 | Li Ying | Shen Chunsheng | Not open to the Third Party |
| V1.01 | 2012-6-13 | Li Ying | Huang HongRu | Delete wrong description |
| V1.02 | 2012-10-10 | Li Ying | Huang HongRu | Add new function in version 3.00.02 including VSC, L2PT, MFF and so on. Modify the description about main control board and interface board. Update IPv6 function. |
| | 2012-11-16 | Li Ying | Huang HongRu | Update: The description error |
| | 2013-02-19 | Li Ying | Huang HongRu | Update: The description about software load and unload |

© 2013 ZTE Corporation. All rights reserved.

ZTE CONFIDENTIAL: This document contains proprietary information of ZTE and is not to be disclosed or used without the prior written permission of ZTE.

Due to updates and improvements of ZTE products and technologies, information in this document is subject to change without notice.


TABLE OF CONTENTS

1 Overview
2 Highlights
  2.1 Super Big capacity/ High Density Interfaces
  2.2 VSC Construct Solid Cloud Core
  2.3 Distributed Module Operating System ROS 5.0
  2.4 Multi-service Bearing Capabilities
  2.5 Comprehensive IPv6 Features
  2.6 Multi-Dimensional Security & Reliability Mechanism Guarantees Ever-online Services
  2.7 Environment-friendly Innovations
3 Function introduction
  3.1 L2 function
    3.1.1 Basic Ethernet features
    3.1.2 VLAN and relative features
    3.1.3 Link aggregation
    3.1.4 Spanning tree
    3.1.5 L2 multicast
    3.1.6 L2PT
  3.2 L3 function
    3.2.1 IPv4 route protocol
    3.2.2 IPv6 Routing
    3.2.3 IPv4/IPv6 Transition
    3.2.4 L3 Multicast
    3.2.5 Controllable Multicast
    3.2.6 MCE
  3.3 MPLS VPN
    3.3.1 Basic Functions of MPLS
    3.3.2 MPLS TE
    3.3.3 MPLS L2 VPN
    3.3.4 MPLS L3 VPN
  3.4 QoS
    3.4.1 Basic QoS
    3.4.2 MPLS QoS
  3.5 OAM
    3.5.1 Ethernet OAM
  3.6 Clock synchronization
    3.6.1 Clock source
    3.6.2 Synchronous Ethernet
    3.6.3 IEEE 1588 v2
    3.6.4 Clock protection
  3.7 Reliability protection
    3.7.1 Equipment-level protection
    3.7.2 Network detection mechanism
    3.7.3 VSC
    3.7.4 Ethernet intelligent protection
    3.7.5 L3 route protection
    3.7.6 VPN Protection
    3.7.7 FRR Protection
  3.8 Security and Authentication
    3.8.1 ACL
    3.8.2 Device Authentication
    3.8.3 Access Security
    3.8.4 MFF
    3.8.5 Network Security
  3.9 Network Traffic Analysis
    3.9.1 sFlow
4 System Architecture
  4.1 Appearance
    4.1.1 ZXR10 8912E Appearance
    4.1.2 ZXR10 8908E Appearance
    4.1.3 ZXR10 8905E Appearance
    4.1.4 ZXR10 8902E Appearance
  4.2 Hardware Architecture
    4.2.1 Overall Hardware Architecture
    4.2.2 Working Principles of Hardware System
  4.3 Hardware Boards
    4.3.1 Switching Main Control Board
    4.3.2 Power Module
    4.3.3 Interface Module
  4.4 Software Architecture
    4.4.1 System Software Architecture
    4.4.2 Software Platform
5 Technical Specifications
  5.1 Basic features
  5.2 Interface Specifications
  5.3 Functions
    5.3.1 L2 features
    5.3.2 L3 features
    5.3.3 Multicast features
    5.3.4 MPLS
    5.3.5 QoS
    5.3.6 Service Management
    5.3.7 Reliability
    5.3.8 System security
    5.3.9 Clock synchronization
    5.3.10 Operating and Maintenance
6 Typical Networking Mode
  6.1 Application in Metro Ethernet
  6.2 Application in Data Center
  6.3 Application in Campus Network
  6.4 Application in FTTx
  6.5 Application in IP RAN
7 Operation and Maintenance
  7.1 NetNumen U31 Unified Network Management Platform
    7.1.1 Network Management Networking Mode
    7.1.2 NetNumen U31 Network Management System
  7.2 Maintenance and Management
    7.2.1 Multiple Configuration Modes
    7.2.2 Monitoring and Maintenance
    7.2.3 Software Upgrade
    7.2.4 File System Management
8 Glossary


FIGURES

Figure 1-1 ZXR10 8900E series product appearance
Figure 3-1 MC-ELAM structure
Figure 3-2 L2TP Networking
Figure 3-3 Architecture of MCE
Figure 3-4 MPLS working principle
Figure 3-5 MPLS header structure
Figure 3-6 Basic VPWS network model
Figure 3-7 Basic VPLS network model
Figure 3-8 H-VPLS networking with U-PW access
Figure 3-9 H-VPLS networking with QinQ access
Figure 3-10 Basic BGP MPLS VPN network model
Figure 3-11 end to end MPLS QoS
Figure 3-12 SyncE synchronization
Figure 3-13 IEEE 1588 synchronization
Figure 3-14 SQA association
Figure 3-15 VSC system logic connection diagram
Figure 3-15 ZESR break alarm
Figure 3-16 ZESS protection mechanism
Figure 3-17 ZESR+ working principle
Figure 3-18 PW single-hop redundancy protection
Figure 3-19 PW multi-hop redundancy protection
Figure 3-20 CE dual-homing to PE
Figure 3-21 UPE dual-homing to NPE
Figure 3-22 Route switching diagram
Figure 3-23 Label switching diagram
Figure 3-24 TE FRR local link and node protection
Figure 3-25 CE dual-homing model
Figure 3-26 Multi-Level Processing Procedure
Figure 3-27 sFlow Multi-level Architecture
Figure 4-1 ZXR10 8912E appearance
Figure 4-2 ZXR10 8912E structure
Figure 4-3 ZXR10 8908E appearance


Figure 4-4 ZXR10 8908E structure
Figure 4-5 ZXR10 8905E appearance
Figure 4-6 ZXR10 8905E structure
Figure 4-7 ZXR10 8902E appearance
Figure 4-8 ZXR10 8902E structure
Figure 4-9 ZXR10 8912E/8908E/8905E hardware system architecture
Figure 4-10 ZXR10 8902E hardware system architecture
Figure 4-11 ZXR10 8905E/8908E/8912E system hardware diagram
Figure 4-12 ZXR10 8902E system hardware diagram
Figure 4-13 Principle diagram of 8912E/8908E/8905E main control board
Figure 4-14 Principle diagram of 8902E main control board
Figure 4-15 8912EMSC1D main control board panel diagram
Figure 4-16 8912EMSC1A main control board panel diagram
Figure 4-17 8908EMSC1D main control board panel diagram
Figure 4-18 8905EMSC1D main control board panel diagram
Figure 4-19 8902EMSC1D main control board panel diagram
Figure 4-20 8902EMSC1A main control board panel diagram
Figure 4-21 8912E/8908E/8905E DC power board diagram
Figure 4-22 8912E/8908E/8905E AC power board diagram
Figure 4-23 8902E DC power board diagram
Figure 4-24 8902E AC power board diagram
Figure 4-25 E1GF24A
Figure 4-26 H2GF24D
Figure 4-27 H2GF48D
Figure 4-28 H2GT48D
Figure 4-29 H2XF8D
Figure 4-30 S1XF12A
Figure 4-31 S2XF48A
Figure 4-32 S2LQ6L2A
Figure 4-33 8900E software system architecture
Figure 4-34 New-generation ZXROS V5.0 software platform system architecture
Figure 6-1 Application in metro network
Figure 6-2 Application of Data Center
Figure 6-3 Enterprise network Application
Figure 6-4 FTTx Application


Figure 6-5 Application in IP RAN

TABLES

Table 4-1 Main control board panel interface features
Table 4-2 Main control board panel button function description
Table 4-3 Main control board panel indicator function description
Table 4-4 8900E interface board type
Table 5-1 Basic features and performance
Table 5-2 Interface Specifications
Table 5-3 L2 features
Table 5-4 L3 features
Table 5-5 Multicast features
Table 5-6 MPLS feature
Table 5-7 QoS
Table 5-8 Service Management
Table 5-9 Reliability
Table 5-10 System security
Table 5-11 Clock synchronization
Table 5-12 Operating and Maintenance
Table 8-1 Abbreviations


1 Overview

The ZXR10 8900E switch is ZTE’s new-generation enhanced core switch. Drawing on years of experience in telecom networks, ZTE designed and developed the 8900E with ultra-large system capacity, ultra-high port density and ultra-strong service functions. It addresses the immediate needs of metro networks, data center networks, campus networks and enterprise networks for network core equipment.

Today, telecom networks are trending toward larger user bandwidth, service bearing over IP and a flat network structure. The basic network is the uniform, converged and efficient platform bearing various services. Because of the large-scale growth of VoIP/IPTV/VIP access/3G services and the introduction and deployment of IPv6 technology, there are higher requirements for core/convergence switches. Networks are also becoming more complex: CAPEX and maintenance costs remain high, more devices are in use, and security and user experience (UX) are difficult to improve. How to get out of these troubles is a hard problem for carriers and network administrators.

The large-capacity ZXR10 8900E core switch adopts a distributed design and provides high-density FE, GE and 40G/100G ports, low-power-consumption components, and an innovative fan and power supply. With its intelligent physical-port management mechanism, it expands network capacity, increases the convergence rate with low investment, reduces the cost per user, saves space in the equipment room, and lowers energy consumption. It offers reliable equipment-, link- and network-level protection and supports an independent supervision plane. Adopting a reconfigurable design, the software supports multiple switching technologies, guarantees E2E service experience with multilevel QoS, and improves network reliability and quality to bring down user maintenance cost. It supports multiservice bearing, several clock synchronization technologies, IPTV, IPv6, and all-directional security. It can bear data, video and voice services, and integrates the characteristics of multiple types of network equipment to meet the requirements of different networks and reduce CAPEX. It offers excellent performance and features to help users build an efficient, intelligent and reliable network.

The ZXR10 8900E series includes the ZXR10 8912E, ZXR10 8908E, ZXR10 8905E and ZXR10 8902E, which have 12, 8, 5 and 2 service slots respectively. They have high-integration interface boards and a wide variety of service functions. Their appearance is shown in Figure 1-1.


Figure 1-1 ZXR10 8900E series product appearance


2 Highlights

2.1 Super Big capacity/ High Density Interfaces

With a distributed modular design, a non-blocking switching architecture and a brand-new big-bandwidth fabric, ZXR10 8900E is an advanced core switch in the industry.

Each single slot of ZXR10 8900E can provide a maximum of 48*10GE interfaces or 8*40GE interfaces. In the future the 8900E will be able to be smoothly upgraded to provide 100G interfaces.

2.2 VSC Construct Solid Cloud Core

ZXR10 8900E supports Virtual Switch Clustering (VSC), which means the virtualization of multiple physical switches into one logical switch. VSC enhances cluster system capacity and port density, while at the same time simplifying the topology and easing administration.

Multiple physical switches can be interconnected through the normal line cards. The 80KM interconnection capability makes it possible to implement remote IDC backup.

The bandwidth of the VSC interconnection can reach 320Gbps, eliminating any possible bottleneck in the VSC system.

Forwarding inside the VSC system is optimized so that the least possible amount of traffic passes between VSC members.

Switchover between master and slave in VSC system is really fast and the switchover will not cause any service interruption.

2.3 Distributed Module Operating System ROS 5.0

ZXR10 8900E adopts full-distributed modular design: each process enjoys its dedicated resources alone; the coordination between processes is efficient and secure.

Each line card has its own CPU, while the main-control card is equipped with a more powerful CPU. Distributed protocol processing helps promote the overall computing efficiency.

The expansion of management interfaces is flexible. Currently ZXR10 8900E is compatible with the Netconf management interface.


2.4 Multi-service Bearing Capabilities ZXR10 8900E supports rich features, including full L2/L3 features, multicast, MPLS L2/L3 VPN, etc.

ZXR10 8900E supports complete L2/L3 multicast technologies, including administratively scoped multicast, MVR, IGMP Snooping, Filtering, Proxy, Fast Leave, IGMP,PIM-DM/SM, PIM-SSM, DVMRP and MSDP. All these features help Enterprise user to deploy multicast applications such as video conferencing and video surveillances.

2.5 Comprehensive IPv6 Features ZXR10 8900E supports comprehensive IPv6 features, to facilitate the migration to IPv6 network. For example, ZXR10 8900E supports all basic IPv6 features such as ICMPv6, ND, SNMPv6, RADIUSv6; It also supports IPv6 routing protocols such as OSPFv3, IS-ISv6, BGP4+, PIM-SM for IPv6, MLD snooping; Multiple tunnel technologies are also supported including 6to4 tunnel, ISATAP tunnel, 6PE, etc.

2.6 Multi-Dimensional Security & Reliability Mechanism Guarantees Ever-online Services

Security/reliability related designs in ZXR10 8900E fall into five categories: secure architecture, secure management and control, secure operating system, secure calculation and reliable service.

Secure architecture: Redundant backup design has been put in place for the forwarding control engines. Fast active/standby switchover is supported. Redundant power supply, fan and clock modules combine to make the switch more robust. In addition, ZXR10 8900E supports intelligent inspection, control, warning and hot-swappable components.

Secure management and control: Independent control, monitoring and forwarding planes guarantee superior equipment stability.

Secure operating system: ZXR10 8900E supports modular service, intelligent function modules

Secure processing: Based upon multi-core CPU, ZXR10 8900E implements multi-thread parallel high-performance processing to guarantee seamless collaboration of multiple modules.

Reliable services: ZXR10 8900E supports multiple kinds of redundancy/backup mechanisms including ZESR intelligent Ethernet smart ring, VRRP, LACP, FRR, NSF and BFD. Service reliability can be well guaranteed.


2.7 Environment-friendly Innovations

ZXR10 8900E supports multiple environment-friendly innovations, including centralized power management and 5-level intelligent fan speed adjustment. All these environment-friendly designs help cut power consumption.

ZXR10 8900E supports dying gasp: if there is a power failure, the 8900E can still send an alarm to the network OAM center to report the reason for the network breakdown. In this way, the time spent troubleshooting these kinds of events can be minimized.


3 Function introduction

3.1 L2 function

3.1.1 Basic Ethernet features

3.1.1.1 MAC address management

As all forwarding tables of ZXR10 8900E are closely associated with MAC addresses, MAC management is the most basic and most important module of an Ethernet switch. It maintains MAC address learning and synchronization and provides the following management functions:

MAC address binding: Bind a specific MAC address to a switch port. After binding, the MAC address is no longer learned dynamically, which restricts the user's physical location and protects important MAC addresses.

MAC address filtering: When the switch receives packets whose source or destination MAC address matches a specified MAC address, it discards them to filter out undesired users.

MAC address number limit: Limit the number of MAC addresses on some ports to control the number of users on those ports, and prevent system resources from running out when the ports suffer a DoS attack.

MAC address freeze: Freeze the MAC addresses of some important physical ports in a stable network, e.g., the address of an uplink port, so as to avoid network disconnection caused by the infringement of key MAC addresses.

MAC address multi-angle display: Display and count the VLAN table by VLAN, by port, and by static and dynamic entries, to support network diagnosis and maintain network operation.

3.1.1.2 Port mirroring

Port mirroring automatically copies the traffic of one port to another port so that the network administrator can analyze port traffic in real time when diagnosing network issues. It provides the network administrator with a means of monitoring. On ZXR10 8900E, any port can be configured as a mirroring port; ports of different rates can mirror to each other; many-to-one, one-to-many and many-to-many port mirroring are all possible. The equipment supports cross-card port mirroring and simultaneous mirroring of several mirroring groups. It supports port-based mirroring as well as flow-based and ACL-based one-to-many, many-to-one, and many-to-many mirroring.

ZXR10 8900E can perform port mirroring within the same equipment, and remote port mirroring with RSPAN and ERSPAN. With RSPAN, the mirroring port and the mirrored port may be in different switches. In some cases the monitoring equipment and the switch are physically far away from each other, so a remote SPAN technology is needed for monitoring. RSPAN works as follows: set the RSPAN source port at the source switch, configure the remote VLAN, and send the mirrored traffic out via the Reflector port so that it reaches the destination switch via the intermediate switch; then configure the destination port at the destination switch to reach the remote monitoring destination. ERSPAN (Encapsulated Remote SPAN), another remote port mirroring technology, uses a GRE tunnel to encapsulate the service stream of the source port and transport it to the remote destination switch port. In this mode the data stream can be mirrored across L3 interfaces, whereas ordinary SPAN and RSPAN can only mirror across an L2 network.

3.1.1.3 Port security and protection

ZXR10 8900E supports port traffic control, broadcast storm suppression, a setting for whether jumbo frames are allowed to pass, and rate negotiation to effectively control port data traffic, avoiding network blocking and ensuring normal operation of network services.

ZXR10 8900E can run line diagnosis, check whether the line and the line connection are normal, and accurately locate line faults.

ZXR10 8900E can enable loop check on some or all ports; loop check is disabled by default. The function detects a loop on the user side or switch side of a port connection and acts on that port, so as to avoid a switch broadcast storm and limit the effect to that port.

ZXR10 8900E supports VLAN-based loop check. The loop check can be performed in the PVID VLAN or in a user-specified VLAN. One port supports loop check of at most 8 VLANs at the same time.

The implementation principle of port loop check is that the port sends an L2 multicast packet every 15 seconds; if there is a loop at the port, the L2 multicast packet is returned to the port, from which it can be judged that a loop exists.

3.1.2 VLAN and relative features

The VLAN protocol, a basic protocol of L2 switching equipment, enables the administrator to divide one physical LAN into several VLANs. Each VLAN has one VLAN ID which uniquely identifies the VLAN. Several VLANs share the switching equipment and links of the physical LAN.


Each VLAN is logically like one independent LAN. All frame traffic in one VLAN is limited to the VLAN. Cross-VLAN access is made through L3 forwarding which will improve network performance and reduce the entire traffic in physical LAN.

VLAN reduces network broadcast storm and increases network security and centralized management control.

ZXR10 8900E supports 802.1Q VLAN. A VLAN tag can be added to untagged packets based on subnet, protocol and port to support a wide variety of VLAN features.

According to the 802.1Q VLAN protocol, the 12-bit VLAN ID limits the number of VLANs to 4096, which affects some actual applications. 8900E has four extension modes: QinQ, PVLAN, VLAN translation, and L3-related Super VLAN.

3.1.2.1 PVLAN

Private VLAN is a mechanism that provides additional Layer 2 traffic isolation between ports within a regular VLAN. This feature places constraints on traffic flow between specific ports in a VLAN. For instance, in an enterprise network, client ports can communicate with server ports, but not with each other.

Private VLAN is port based and it can be enabled through PVLAN_ENABLE field in PORT_TABLE for each port. There are three types of private VLAN ports:

Promiscuous port—a promiscuous port can communicate with all interfaces, including the community and isolated ports within a private VLAN.

Isolated port—an isolated port has complete Layer 2 separation from all other ports within the same private VLAN except for the promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.

Community port—Community ports communicate among themselves and with the promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities or isolated ports within their private VLAN.

PVLAN can effectively ensure the communication security of network data. The user is connected only to his default gateway. Without requiring several VLANs and IP subnets, one PVLAN can provide connections with L2 data communication security. All users can access the PVLAN to reach the default gateway without any access to other users in the PVLAN. PVLAN ensures that the ports in one VLAN do not communicate with each other, but the services can go through the Trunk port. Thus, the users in one VLAN will not affect each other because of service broadcast.

PVLAN does not need protocol messages. It can be statically configured in ZXR10 8900E.
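The forwarding rules for the three port types above can be checked against an isolation policy before a port plan is deployed. The following is an added Python example, not ZTE code or ZXR10 configuration; the port names, community numbers and separation policy are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class Port:
    name: str
    kind: str
    community: Optional[int] = None  # only meaningful for community ports


def may_forward(src: Port, dst: Port) -> bool:
    """L2 forwarding decision inside one private VLAN, per the three port types."""
    if src.name == dst.name:
        return False                      # never send a frame back out of its ingress port
    if PROMISCUOUS in (src.kind, dst.kind):
        return True                       # promiscuous ports talk to every port
    if src.kind == COMMUNITY and dst.kind == COMMUNITY:
        return src.community == dst.community
    return False                          # isolated<->isolated, isolated<->community


def flood_set(src: Port, ports) -> list:
    """Ports that receive a broadcast frame entering on src."""
    return sorted(p.name for p in ports if may_forward(src, p))


def config_problems(ports) -> list:
    """Static sanity checks on a PVLAN port plan."""
    problems = []
    for p in ports:
        if p.kind not in (PROMISCUOUS, ISOLATED, COMMUNITY):
            problems.append(f"{p.name}: unknown port type {p.kind!r}")
        elif p.kind == COMMUNITY and p.community is None:
            problems.append(f"{p.name}: community port without a community")
        elif p.kind != COMMUNITY and p.community is not None:
            problems.append(f"{p.name}: community set on a {p.kind} port")
    if not any(p.kind == PROMISCUOUS for p in ports):
        problems.append("no promiscuous port: isolated ports can reach nothing")
    return problems


def separation_violations(ports, must_be_separated) -> list:
    """Return the policy pairs that still have a direct L2 path between them."""
    by_name = {p.name: p for p in ports}
    return [
        (a, b)
        for a, b in must_be_separated
        if may_forward(by_name[a], by_name[b]) or may_forward(by_name[b], by_name[a])
    ]


# Constructed port plan: one gateway uplink, two tenants, three servers.
PORTS = [
    Port("gei_1/1", PROMISCUOUS),         # default gateway
    Port("gei_1/2", ISOLATED),            # tenant A
    Port("gei_1/3", ISOLATED),            # tenant B
    Port("gei_1/4", COMMUNITY, 10),       # application server
    Port("gei_1/5", COMMUNITY, 10),       # database server
    Port("gei_1/6", COMMUNITY, 20),       # backup server
]

# Constructed policy: pairs that must not have a direct L2 path.
POLICY = [
    ("gei_1/2", "gei_1/3"),
    ("gei_1/2", "gei_1/5"),
    ("gei_1/4", "gei_1/6"),
    ("gei_1/4", "gei_1/5"),               # violated: both ports share community 10
]

if __name__ == "__main__":
    print("config problems:", config_problems(PORTS))
    for port in PORTS:
        print(f"{port.name:8} floods to {flood_set(port, PORTS)}")
    print("policy violations:", separation_violations(PORTS, POLICY))
```

The last policy pair is reported because both ports share one community, which is the case a port-type listing alone does not make obvious.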


3.1.2.2 VLAN Translation

VLAN translation is an extension of VLAN function. If a port of the switch starts VLAN translation, the data stream from the port must be tagged packet. VLAN translation uses PORT plus VLAN ID in tagged packet as the index to search in MAC – VLAN table and get a new VID, then the traffic is switched in the new VLAN to translate data from one VLAN to the other.

VLAN translation does not need protocol messages. It can be statically configured in ZXR10 8900E. Note that if VLAN translation is started, VLANs cannot be divided based on MAC address; if VLANs are divided based on MAC address, VLAN translation cannot be started.

In addition to single-tag conversion, 8900E uses VLAN translation and SVLAN to fulfill the following functions:

1. If the incoming packet is single tagged, be able to add outer tag according to policy, and modify outer tag’s 802.1P value according to inner tag’s 1P value, supporting policy-based mapping or one-to-one mapping;

2. If the incoming packet is single tagged, be able to modify inner tag and add outer tag according to policy, and modify inner and outer tag’s 1P value according to incoming tag’s 1P value, supporting policy-based mapping or one-to-one mapping;

3. If the incoming packet is double tagged, be able to delete outer tag according to policy;

4. If the incoming packet is double tagged, be able to delete outer tag, and modify inner tag according to policy, and modify 1P value of the new inner tag according to outer tag 1P value, supporting policy-based mapping or one-to-one mapping;

5. If the incoming packet is double tagged, be able to modify outer tag according to policy, and modify 1P value of the new outer tag based on 1P value of the incoming outer tag, supporting policy-based mapping or one-to-one mapping;

6. If the incoming packet is double tagged, be able to modify inner tag according to policy, and modify 1P value of the new inner tag based on 1P value of the outer tag, supporting policy-based mapping or one-to-one mapping;

7. If the incoming packet is double tagged, be able to modify inner and outer tag according to policy, and modify 1P values of the new inner and outer tags according to 1P value of the incoming outer tag, supporting policy-based mapping or one-to-one mapping.

8. If the incoming packet is untagged, be able to add inner and outer tag according to policy at one time.


3.1.2.3 Super VLAN

Super VLAN allows hosts that are in the same physical switching equipment but in different virtual broadcast domains to be located in one IPv4 subnet and use one default gateway. In a large-scale switching LAN, the mechanism has several advantages over the traditional IPv4 addressing system. The biggest advantage is that it saves address space in the IPv4 system.

Super VLAN and sub VLAN can be used to divide VLANs again. One or several sub VLANs belong to one Super VLAN and use its default gateway IP address; that is, several sub VLANs are aggregated into one Super VLAN and use the same IP subnet and default gateway.

Super VLAN is a software function. The Ethernet ASIC chip is transparent to the function and switches data according to the VLAN settings of the software module. Super VLAN does not need protocol messages. It can be statically configured in ZXR10 8900E.

3.1.2.4 QinQ

QinQ, with its multilayer VLAN tag stack, is a tunnel protocol based on 802.1Q encapsulation. The core idea is to encapsulate the private network VLAN tag in a public network VLAN tag; the message with the double-layer tag goes through the backbone network to offer the user a simple L2 VPN tunnel. QinQ, a simple and manageable protocol, does not need protocol messages. It can be statically configured in ZXR10 8900E. It is applied on convergence-layer switches, which can use QinQ (with double tags) to increase the number of VLANs in a metro network.

In the ZXR10 8900E software system, the QinQ software functional module statically configures QinQ and then sets the chip accordingly. QinQ VLAN consists of the following types:

SVLAN (Service VLAN): The VLAN defined in backbone network;

CVLAN (Customers VLAN): User-defined VLAN.

QinQ software functional module adds an attribute to the VLAN table. The attribute indicates that the VLAN is SVLAN or CVLAN, and drive interface function at the lower layer to set the QinQ function of the interface.

Ordinary QinQ only adds one outer tag to the datagram of a port, which greatly limits networking flexibility. For the flow received from one port, SVLAN (Selective VLAN) can selectively add different outer tag based on different inner tag according to user demands.

With Selective VLAN, service providers can use a unique VLAN (called a service-provider VLAN ID, or SP-VLAN ID) to support customers who have multiple VLANs, which offers multipoint-to-multipoint virtual LAN transparent transport and a simple L2 VPN tunnel. Customer VLAN IDs (CE-VLAN IDs) are preserved and traffic from different customers is segregated within the service-provider infrastructure even when they appear to be on the same VLAN. Selective VLAN expands the VLAN space by using a VLAN-in-VLAN hierarchy. The VLAN number can extend to 4094*4094. Another layer of 802.1Q tag (SP-VLAN ID) is added to the 802.1Q-tagged (CE-VLAN ID) packets that enter the service-provider network.

For some service streams, SVLAN is also required to support transparent transport of the VLAN service, in which the packet passes through the switch without any interference, namely, the number and value of the tags remain unchanged.

SVLAN can work with VLAN translation to flexibly process both inner and outer tags. For details, refer to the chapter “VLAN translation”. In addition, SVLAN can fulfill the 802.1P CoS priority mapping of outer tag and inner tag.

ZXR10 8900E supports traditional SVLAN configuration and VFP-based SVLAN configuration. The latter can add the tags based on traffic type.
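The tag operations described in the VLAN translation list (items 1 and 3) and in the Selective VLAN paragraphs above can be seen on the wire format itself. The following is an added Python example, not ZTE code: it parses stacked 802.1Q tags, adds an outer tag chosen by inner VLAN ID with one-to-one or policy-based 802.1p mapping, and removes it again. The frame bytes, the policy tables and the default outer TPID of 0x8100 are assumptions made for illustration.

```python
import struct

TPID_CTAG = 0x8100   # IEEE 802.1Q tag
TPID_STAG = 0x88A8   # IEEE 802.1ad service tag, also recognised when parsing
KNOWN_TPIDS = {TPID_CTAG, TPID_STAG}


def parse_frame(frame: bytes):
    """Return (dst, src, tags, ethertype, payload); tags are listed outermost first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, off, tags = frame[0:6], frame[6:12], 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in KNOWN_TPIDS:
            return dst, src, tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4


def build_frame(dst, src, tags, ethertype, payload) -> bytes:
    out = bytearray(dst + src)
    for t in tags:
        if not 1 <= t["vid"] <= 4094:
            raise ValueError(f"VLAN ID {t['vid']} outside 1..4094")
        if not 0 <= t["pcp"] <= 7:
            raise ValueError(f"802.1p value {t['pcp']} outside 0..7")
        tci = (t["pcp"] << 13) | (t["dei"] << 12) | t["vid"]
        out += struct.pack("!HH", t["tpid"], tci)
    return bytes(out + struct.pack("!H", ethertype) + payload)


def push_outer_tag(frame, svlan_policy, pcp_map=None, outer_tpid=TPID_CTAG) -> bytes:
    """Item 1: single-tagged frame in, outer tag selected by inner VLAN ID.

    svlan_policy maps inner VID -> outer VID. pcp_map maps inner 802.1p ->
    outer 802.1p (policy-based); None means one-to-one mapping.
    """
    dst, src, tags, etype, payload = parse_frame(frame)
    if len(tags) != 1:
        raise ValueError(f"expected a single-tagged frame, got {len(tags)} tag(s)")
    inner = tags[0]
    if inner["vid"] not in svlan_policy:
        raise LookupError(f"no outer VLAN configured for inner VLAN {inner['vid']}")
    outer_pcp = inner["pcp"] if pcp_map is None else pcp_map[inner["pcp"]]
    outer = {"tpid": outer_tpid, "pcp": outer_pcp, "dei": 0,
             "vid": svlan_policy[inner["vid"]]}
    return build_frame(dst, src, [outer, inner], etype, payload)


def pop_outer_tag(frame) -> bytes:
    """Item 3: double-tagged frame in, outer tag deleted, inner tag untouched."""
    dst, src, tags, etype, payload = parse_frame(frame)
    if len(tags) != 2:
        raise ValueError(f"expected a double-tagged frame, got {len(tags)} tag(s)")
    return build_frame(dst, src, tags[1:], etype, payload)


# Constructed sample: customer frame in inner VLAN 100 with 802.1p priority 5.
DST, SRC = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
CUSTOMER_FRAME = build_frame(
    DST, SRC, [{"tpid": TPID_CTAG, "pcp": 5, "dei": 0, "vid": 100}],
    0x0800, b"constructed payload")
SVLAN_POLICY = {100: 2000, 200: 2001}   # constructed inner VID -> outer VID table

if __name__ == "__main__":
    tagged = push_outer_tag(CUSTOMER_FRAME, SVLAN_POLICY)
    for tag in parse_frame(tagged)[2]:
        print(f"tpid=0x{tag['tpid']:04x} vid={tag['vid']} pcp={tag['pcp']}")
    print("round trip intact:", pop_outer_tag(tagged) == CUSTOMER_FRAME)
```

The length checks in `parse_frame` matter in practice: a frame cut off inside a tag is rejected rather than read past its end.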

3.1.3 Link aggregation

Link aggregation means that physical links with the same transport medium and transport rate are bound together and logically look like one link. Link aggregation greatly increases the bandwidth of peer physical links between switches or between a switch and a server. Therefore, it is an important technology to increase link bandwidth and create link transmission resilience and redundancy. Link aggregation can create multi-gigabit connections over GE, and faster logical links over FE. Meanwhile, link aggregation offers good protection: when a fault occurs, the traffic on the faulty links switches quickly to the normal links of the aggregation. Link aggregation can increase the bandwidth and share traffic load.

ZXR10 8900E supports static and dynamic link aggregation of FE, GE, and 10G ports as well as cross-card and cross-equipment link aggregation. The logical port formed by ZXR10 8900E link aggregation is called a smart group, which can work as an ordinary port.

3.1.3.1 Static aggregation

Static Trunk can manually add several physical ports into Trunk group to form one logic port, but it is difficult to observe the status of link aggregation port.

ZXR10 8900E configures link aggregation functions according to the following principle which is also applied to LACP:

128 Trunk groups can be configured, and each Trunk group includes at most 8 member ports.

Support cross-interface board aggregation. Member ports may be in any interface board, but the selected port must work in the full-duplex mode, and working rates must be consistent.


Member port may adopt the access, trunk or hybrid mode, which must be consistent.

3.1.3.2 LACP

LACP (Link Aggregation Control Protocol) follows IEEE 802.3ad. LACP dynamically aggregates several physical ports into a Trunk group that forms one smart group port. LACP aggregates automatically to obtain the maximum bandwidth. LACP supports static aggregation and dynamic aggregation. Static LACP aggregation is manually configured, and dynamic LACP aggregation dynamically adds the port to the aggregation group.

ZXR10 8900E supports smart group parameter configuration, and shares traffic load according to the following modes (these also apply to static aggregation):

Source MAC address, VLAN, Ethernet type, and ingress port;

Destination MAC address, VLAN, Ethernet type, and ingress port;

Source and destination MAC address, VLAN, Ethernet type, and ingress port;

Source IP address, source TCP or UDP port;

Destination IP address, destination TCP or UDP port;

Source and destination IP address, and source and destination TCP or UDP port.

8900E also supports a global mode, namely, sharing the load in one smart-group according to the parameters of protocol messages of IPv4, IPv6, MPLS L2 VPN and MPLS L3 VPN to distribute the traffic evenly in the smart-group.

3.1.3.3 MC-ELAM

8900E supports inter-card and intra-card link aggregation as well as MC-ELAM (Multi-Chassis Ethernet Link Aggregation Manager), whose working principle is shown as follows:


Figure 3-1 MC-ELAM structure

Normally, only half of the links from CE to PE1 and PE2 are aggregated successfully. As shown in the above figure, the successfully aggregated link from CE to PE1 is active link; the non-aggregated link from CE to PE2 is standby link; data stream is forwarded via active link. When active aggregation equipment PE1 goes wrong, PE2 will release the MC-ELAM control protocol signal of PE1 to process the LACP forwarding between PE2 and CE. When active equipment or active aggregation equipment returns to normal, MC-ELAM control protocol will recover the forwarding process. MC-ELAM can access the dual-uplink access network to increase network redundancy.

3.1.4 Spanning tree

3.1.4.1 STP

STP detects and clears the loop between L2 switching functional units, and provides redundancy link to improve LAN performance and reliability.

STP module has the following major functions:

Avoid network loop, prevent LAN broadcast storm, and offer redundant path.

Detect topology change and reconfigure STP topology accordingly.

After the switches in one subnet execute the STP algorithm, one STP dynamic topology is formed. The topology prevents loops between any two workstations in the LAN to avoid LAN broadcast storms. Meanwhile, the STP algorithm monitors topology changes, creates a new spanning tree after a change, and reconfigures the spanning tree topology with fault tolerance. The switch maintains and updates the MAC route table according to the status of the STP dynamic topology, and finally obtains the MAC-layer route.

The STP algorithm aims to enable the switch to dynamically discover a loop-free subset (tree) of the topology and assure adequate connectivity so that a path is available between every two LANs if the physical conditions allow. According to the principle in the figure, any line including node and connection node has one spanning tree which has good destination connectivity and can avoid network cycling. Therefore, the spanning tree algorithm and protocol can avoid network loops in any dynamic topology and clear the loop between any two stations.

As IEEE 802.1s-defined MSTP is compatible with the existing IEEE 802.1w-defined RSTP and IEEE 802.1D-defined ordinary STP, the STP software module is only required to support MSTP. When started, MSTP can be forced to work as RSTP or STP to support STP and RSTP mixed networking. It can also start STP on an aggregation link and supports enabling the STP protocol per port.

ZXR10 8900E supports STP, RSTP and MSTP, and their mixed networking.

3.1.4.2 RSTP

RSTP (Rapid Spanning Tree Protocol), the upgraded version of STP, follows IEEE 802.1w. RSTP provides a fast port switching mechanism and shortens network convergence time.

RSTP has the following defects:

The entire switching network has only one spanning tree. A large network converges slowly, and a network topology change has a great effect.

IEEE 802.1q is the switch connection standard protocol. In a symmetrical connection (within a VLAN, the connected ports between switches have the same trunk), one spanning tree has no influence on data forwarding between switches. However, in an asymmetrical connection, the connected ports between switches are blocked by RSTP, which affects connectivity and wastes bandwidth.

3.1.4.3 MSTP

MSTP (Multiple-instance Spanning Tree Protocol), developed based on STP/RSTP, follows IEEE 802.1s. MSTP divides switching networks into several zones, and several STP instances run in one zone. VLANs are mapped to instances in M:1 mode (several VLANs are bound to one instance), so each VLAN is transformed into a tree network to avoid loops.

MSTP has the following advantages:

In single VLAN, STP supports rapid convergence.

As MSTP constructs spanning trees by VLAN and does not block the inter-switch connection port, the load will be shared.

M:1 mapping reduces switch resource utilization rate.

MSTP is compatible with STP/RSTP to make network deployment simpler.


3.1.5 L2 multicast

After the router forwards multicast traffic into the network, the Ethernet switch forwards the multicast traffic to the multicast users. A traditional switch usually broadcasts the multicast traffic, which wastes network bandwidth, causes broadcast storms and affects normal service. Therefore the switch needs to support L2 multicast so that ports join and leave multicast groups according to multicast user status and the multicast groups are maintained dynamically.

3.1.5.1 IGMP Snooping

ZXR10 8900E supports the L2 multicast technology IGMP Snooping to manage multicast group members, suppress L2 network multicast flooding, and prevent unauthorized users from receiving multicast traffic. By snooping the IGMP messages exchanged between user and router, IGMP Snooping maintains the table that maps multicast addresses to VLANs. It maps the members of one multicast group to one VLAN, and forwards a received multicast packet only to the VLAN members of that multicast group. IGMP Snooping and the IGMP protocol are both used for multicast group management and control, and both employ IGMP messages. The difference is that the IGMP protocol runs on the network layer and IGMP Snooping on the link layer. When the switch receives an IGMP message, IGMP Snooping analyzes the information in the message and creates and maintains the L2 MAC multicast address table.

When IGMP Snooping is started on ZXR10 8900E, multicast messages are forwarded as L2 multicast; when it is not started, multicast messages are forwarded as L2 broadcast. 8900E also supports MLDv1/v2 snooping for smooth transition from IPv4 to IPv6.

3.1.5.2 IGMP Proxy

In some network topologies, IGMP proxy technology does not run multicast route protocol, but learns the multicast member and makes simple multicast forwarding according to the registered for multicast distribution. IGMP proxy supports host interface and router interface. Host interface (also known as uplink interface) points to root node of distribution tree, namely, uplink to multicast router. The interface runs the host function rather than IGMP. When receiving IGMP query packet, host interface sends IGMP member report. Multicast joining or leaving packet is sent to the connected router when member database changes. Host interface also forwards the received multicast packet according to member database. Router interface (downlink interface) deviates from root node and downlinks to user host. The interface runs IGMP protocol to register, query and delete downlink user group members. It receives member reports, creates and modifies one member form, sends query packet, queries whether the host leaves its group, and uplinks and downlinks the forwarded and received multicast packet according to the registered multicast member database.

IGMP Proxy and IGMP Snooping have the same function but different mechanisms: IGMP Snooping looks into IGMP messages to get the relevant information, and IGMP Proxy intercepts and processes the IGMP requests of terminal users and then forwards them to the upper-level router.

3.1.6 L2PT

In QinQ VPN mode, if VPN users located at different sites want to run their L2 protocols, for example STP, LACP or ZDP, the core network must carry these L2 protocol messages transparently, but messages that use MAC addresses reserved for bridges cannot be transmitted transparently in the normal way. L2PT (layer 2 protocol transportation) solves this problem, so it is widely used to carry user network L2 protocol messages in QinQ VPN.

L2PT networking is as shown in the following figure.

Edge switch: Located at the edge of the operator network, it connects to customer network equipment.

Layer 2 protocol transportation port: A port on the edge switch where L2 protocol messages are encapsulated.

Transportation PDU: An encapsulated protocol message, for example ZDP, STP or LACP.

Figure 3-2 L2PT Networking

On a port where L2PT is not enabled, L2 protocol messages (STP, ZDP, LACP) are not forwarded but are either discarded or sent up for protocol processing, which splits the customer network into several blocked STP domains by location, so that the customer VPN as a whole cannot run one integrated STP topology. L2PT transfers BPDU messages transparently in the VPN, which helps customers fill this gap.

L2 protocol messages received at the transportation port of the edge switch are encapsulated, and the encapsulated messages are then broadcast. Initiate remote transportation switch port to encapsulate these messages.


The message encapsulation and de-capsulation can be done by changing message MAC address.

3.2 L3 function

3.2.1 IPv4 route protocol

3.2.1.1 RIP

The RIP protocol is based on the distance-vector routing algorithm for local networks. It uses UDP packets to exchange RIP route information: the protocol packet to be transported is encapsulated in a UDP packet. The route information in a RIP message includes the number of nodes on the route, namely the hop count. A route node decides the route to a destination network according to the hop count. The RFC requires that the hop count is not more than 16, so RIP is applied as an internal gateway protocol in small-scale autonomous systems.

ZXR10 8900E RIP has the following functions:

Transmit and receive RIP messages according to the protocol, check message correctness and verify message authentication.

Support RIPv1/v2, plain text authentication and MD5 authentication, and route redistribution.

Adopt split-horizon and triggered-update techniques to avoid routing loops and accelerate route convergence.

Support protocol DEBUG.

3.2.1.2 OSPF

OSPF is the IETF-developed internal gateway protocol (IGP) based on link status and the SPF algorithm. OSPF can converge the routing table in a short time and prevent loops, which is vital to mesh networks or different LANs connected via several bridges. Each piece of equipment running OSPF maintains one unified database describing the autonomous system topology. The database includes information such as the partial status of each piece of equipment, e.g., available interfaces and neighbors, connected network status and external routes of the autonomous system. OSPF uses the link status algorithm to calculate the shortest path from each area to all destinations. When the equipment starts working or any route changes, the equipment configured with OSPF floods LSAs to all equipment in one area. An LSA includes the link status and neighbor association information of the equipment. The information from the LSAs forms the link status database. All equipment in the area uses one specific database to describe the topology of the area.

ZXR10 8900E OSPF has the following functions:

Adopt layered network topology structure which is suitable for enormous interconnected network.

Use dynamic route algorithm. Route calculation adopts the Dijkstra algorithm to automatically follow network topology structure changes at a quick rate.

Support display and configuration command from primary console as well as SNMP-related command, display and MIB variable.

Support route protocol packet authentication, including simple password validation and MD5 authentication, and prevent route protocol packet from illegal modification.

Adopt the retransmission and confirmation mechanism to assure the reliability of link status synchronization.

Support different distance measurement solutions, e.g., physical distance, delay, throughput, etc.

Support STUB AREA and NSSA functions.

Support domain boundary and autonomous system boundary router.

Support classless route and route aggregation.

Use Route-Map to control route redistribution and filtering.

3.2.1.3 IS-IS

The IS-IS routing protocol, which comes from the OSI model, is used in TCP/IP-based IP networks. It can be extended easily, mainly for IPv6. An IS-IS system consists of two layers: the backbone layer (L2) and the area layer (L1). One router is in only one area. An L1 router only knows the topology in its area. All traffic to other areas is sent to the nearest L2 router. L2 routers must form the backbone, similar to OSPF backbone area 0.

ZXR10 8900E IS-IS protocol has the following functions:

Support L1 and L2 address aggregation.

Support L1 and L2 hierarchical routes and ATT identity.

Support 3-area address and smooth area address migration.

Support load balance to one destination.

Support plain text authentication of interface and area.

3.2.1.4 BGP

BGP, an external gateway protocol, exchanges loop-free route information between autonomous systems. The information carries many attributes used to build the autonomous system topology and to carry out route policy based on autonomous systems. Path reachability information with the autonomous system sequence attribute can eliminate route loops. An autonomous system is a collection of routers and terminals that are located in one management control domain, are treated as a single entity, and control route table growth through BGP classless inter-domain routing. BGP-4 also introduces mechanisms to support route aggregation, including AS path aggregation. BGP is designed to use autonomous systems to provide one structural view of the Internet. The Internet is divided into several autonomous systems to create one large network composed of small, easily manageable networks. These small networks adopt their own rules and management policies.

ZXR10 8900E BGP has the following functions:

Suitable for enormous networks, e.g., backbone network.

Support EBGP and IBGP.

Support EBGP multi-hop technology.

Support community attributes and route reflector.

Support AS confederation and route flap dampening.

Support MP-BGP.

Support MD5 authentication and route filtering.

Support route redistribution.

3.2.1.5 Policy routing

Traditional routing policy performs route forwarding according to the route table generated by routing protocols or static routes. However, in some applications, the users have special requirements for routing. Traditional routing policy can only perform forwarding by destination address. This indiscriminate forwarding mechanism cannot meet the requirements of increasingly complicated network services.

Compared with traditional routing, policy routing provides more flexible message forwarding and route control capability. The network management users can not only forward by destination address but can also select other forwarding paths according to protocol type, message size, application, IP source address and other conditions. Policy-based routing is more beneficial for network traffic distribution and QoS improvement. Policy routing matches certain feature values in the IP data packet against the policy set by the network management user. Packets that match the condition are forwarded according to the route specified by the policy; those that fail to match are forwarded according to the traditional route table.

ZXR10 8900E series realizes ACL-based policy routing.

In addition to policy routing, ZXR10 8900E series also provides policy routing backup function.

The switch uses Redirect command to realize policy routing function based on ACL. For one ACL rule, the route can only be redirected to a next-hop address. When this next-hop address has any problem, the corresponding policy routing will also fail. When the switch has multiple egresses, policy routing backup (PBR BACKUP) function can be realized by configuring Redirect to multiple next-hop addresses, so that when the active link is faulty, the route can be automatically switched to the backup next-hop address.
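The forwarding decision described above, sketched as an added Python example (not ZTE code or CLI syntax). The rule fields, the first-match order, the `reachable` set standing in for next-hop health, and the fallback to the route table when every listed next hop is down are assumptions of this example; all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str   # "tcp", "udp", ...
    size: int       # bytes

@dataclass
class AclRule:
    """One ACL rule and the ordered next hops its redirect action lists."""
    name: str
    next_hops: List[str]            # active next hop first, then backups
    src_net: Optional[str] = None   # None means "any"
    protocol: Optional[str] = None
    min_size: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and \
           ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.min_size is not None and pkt.size < self.min_size:
            return False
        return True

def route_lookup(table: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Destination-based forwarding: longest-prefix match over (prefix, next hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def forward(pkt: Packet, rules: List[AclRule], table: List[Tuple[str, str]],
            reachable: Set[str]) -> Tuple[Optional[str], str]:
    """Return (next hop, reason). The reason string shows which path was taken."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        for hop in rule.next_hops:          # PBR backup: try next hops in order
            if hop in reachable:
                return hop, "policy:" + rule.name
        # Matched, but no listed next hop is up. Assumed here: use the route table.
        return route_lookup(table, pkt.dst), "fallback:" + rule.name
    return route_lookup(table, pkt.dst), "route-table"

# Constructed sample policy and route table (documentation address ranges).
RULES = [AclRule("branch-udp", ["192.0.2.1", "192.0.2.2"],
                 src_net="10.1.0.0/16", protocol="udp")]
TABLE = [("0.0.0.0/0", "203.0.113.1"), ("198.51.100.0/24", "203.0.113.9")]

if __name__ == "__main__":
    pkt = Packet("10.1.2.3", "198.51.100.7", "udp", 200)
    for up in ({"192.0.2.1", "192.0.2.2"}, {"192.0.2.2"}, set()):
        print(sorted(up), "->", forward(pkt, RULES, TABLE, up))
```

The separate `fallback:` reason makes it visible when matched traffic leaves the policy path, which matters when the redirect target is an inspection or filtering device.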

3.2.2 IPv6 Routing

ZXR10 8900E supports the following IPv6 unicast route features:

Support IPv6 neighbor discovery protocol, which realizes router and prefix discovery, address resolution, next-hop address determination, neighbor unreachability detection and duplicate address detection, and which can better support the mobility of nodes.

Support IPv6 path MTU discovery protocol, which can discover the maximum transmission unit of the path so as to make sure the message size sent by the node does not exceed the MTU value of the path.

Support IPv6 static route.

Support IPv6-based dynamic routing protocols RIPng, OSPFv3, ISISv6 and BGP4+.

3.2.3 IPv4/IPv6 Transition

ZXR10 8900E provides a number of transitional mechanisms for conversion from IPv4 networks to IPv6 networks, including double stack technology and various tunnel technologies that are applicable to different environments:

Support IPv4/IPv6 double protocol stack. Double stack technology can completely solve the coexistence problem of IPv4/IPv6, but is only effective when the equipment in the whole network supports double stack. Therefore, it has high requirement for IPv4 network reform. It should be noted that the double stack technology is the foundation of all the tunnel mechanisms below.

Support manually configured IPv6 tunnel. Manual tunnel technology is simple, mature and stable, but has high management overhead and poor expandability. It is suitable for connecting two stable, unchanging IPv6 subnets.

Support 6to4 tunnel. The 6to4 technology uses special IPv6 address prefix to automatically construct tunnel for interconnection of IPv6 network. This mechanism consumes very few IPv4 addresses; one IPv6 subnet only needs one public IPv4 address, so it is applicable to interconnection between multiple IPv6 subnets. However, the disadvantage of 6to4 technology is that it must use IPv6 address in specific format, namely, 6to4 address.

Support ISATAP tunnel. ISATAP realizes interworking of IPv6 hosts by establishing tunnels, mainly used for interconnection between ISATAP hosts and ISATAP routers and between ISATAP hosts through IPv4 cloud. ISATAP tunnel is used inside a site without crossing domains, so it is especially applicable to IPv6 transitional scheme of campus area network, which can enable the customer to immediately realize communication of IPv6 network and can gradually develop to complete IPv6 network. ISATAP hosts inside the area can access external IPv6 networks via ISATAP router.

Support IPv6 Provider Edge Router (6PE) over MPLS. The 6PE technology is generally deployed in environments where an MPLS network is running or ready to run. IPv6 messages are encapsulated at the PE side and a double tag is used. The internal tag carries IPv6 route reachability information; the external tag uses the existing MPLS tag to interconnect with isolated IPv6 island networks via the switching channel LSP. A 6PE router is a double stack router, so it can connect directly to the IPv4 network, which is convenient for v4/v6 coexistence, and it is unnecessary to reform the P devices.

3.2.4 L3 Multicast

3.2.4.1 L3 Multicast Protocol

L3 multicast protocol includes multicast group management protocol and multicast routing protocol.

1. Multicast group management protocol

Multicast group management protocol runs between the host and L3 equipment and is used to establish the relationship between group members in associated network segments, that is, which multicast group members are under different ports. At present, the multicast group management protocol is mainly realized by IGMP (Internet Group Management Protocol) and MLD (Multicast Listener Discovery Protocol).

i. IGMP is the Internet group management protocol in IPv4 networks. The major versions currently in use are IGMPv2 and IGMPv3. IGMPv3 adds a new function: a member can specify that it receives or rejects the messages from some multicast sources, which supports the SSM model.

ii. MLD protocol is used by IPv6 routers to discover multicast listeners in their associated network segments. MLD is divided into MLDv1 and MLDv2. The principle of MLDv1 is similar to IGMPv2 and that of MLDv2 is similar to IGMPv3.

2. Multicast routing protocol

Multicast routing protocol runs between layer 3 multicast devices and is used to establish and maintain multicast routes and to forward multicast data packets correctly and efficiently. IP multicast routing technology realizes efficient P2MP (point-to-multipoint) data transmission in IP networks; it can effectively save network bandwidth and reduce network load. Therefore, IP multicast routing technology is widely used in resource discovery, multimedia conferencing, data copying, real-time data transmission, games and emulation. Multicast routing protocols are divided into intra-domain and inter-domain protocols. Inter-domain protocols include MBGP (Multicast BGP) and MSDP (Multicast Source Discovery Protocol), and intra-domain protocols include PIM (Protocol Independent Multicast). Intra-domain protocols are generally divided into two classes: sparse mode multicast routing protocols, including PIM-SM (Sparse Mode), and dense mode multicast routing protocols, including PIM-DM (Dense Mode). The most useful multicast protocol now is PIM-SM.

PIM-SM constructs the shared tree using the mechanism of explicit join by the multicast destination to distribute multicast data packets. In certain conditions, the destination can be switched to the shortest path tree. PIM-SM is independent of the unicast routing protocol: it uses the unicast route table to perform the RPF check but does not depend on any specific unicast routing protocol. PIM-SM is more suitable for multicast networks that have potential multicast group members at the end of WAN links. Besides, PIM-SM allows the use of SPT, and thus reduces the network delay brought about by the shared tree and improves efficiency. Therefore, PIM-SM is generally the best choice of multicast routing protocol in a multicast network domain.

3. Multicast model

According to how the receiver handles the multicast source, multicast can be divided into the following two models.

i. ASM (Any Source Multicast) model: In ASM model, any sender can send multicast information to a multicast group address as the multicast source; the receiver obtains the multicast information by joining the multicast group with the tag of this multicast group address. The receiver cannot know the location of the multicast source, but can join or leave the multicast group at any time.

ii. SSM (Source Specific Multicast) model: SSM provides the users with a transmission service in which they can specify the multicast source at the client, meeting the requirement of users who are only interested in the multicast information sent from some multicast sources and do not want to receive information from other sources. The SSM model directly builds the shortest path tree between the multicast source and the multicast data receiver, which is highly efficient.

For ASM model, intra-domain and inter-domain multicast routing protocols are different. Intra-domain protocol is mainly PIM protocol and inter-domain protocol uses MSDP and MBGP protocols. For SSM model, there is no difference between intra-domain and inter-domain protocols. As the receiver knows the location of the multicast source in advance, multicast information can be transmitted by channel construction via PIM-SSM protocol. Meanwhile, SSM model also needs the support of IGMPv3.

ZXR10 8900E, supporting IGMPv2, IGMPv3 and MLDv1/v2, IPv4 PIM-DM and IPv4/v6-based PIM-SM and PIM-SSM, can provide complete multicast solutions. Besides, to provide enhanced and more reliable multicast services and guarantee the provisioning and operation of multicast services, 8900E also supports Multicast route guard and anycast RP functions.

Multicast route guard can prevent unauthorized connection of multicast servers. Designating a port as the multicast router port can allow multicast router control messages to pass, otherwise they are discarded.

In a multicast network, a single RP may become a bottleneck or a single point of failure. Anycast RP sets multiple RPs with the same address in the same PIM-SM domain and establishes MSDP peer relations between these RPs. The receiver originates the RPT join to the nearest RP; the multicast source originates registration to the nearest RP; each RP only maintains part of the source/group information in the PIM-SM domain, but it exchanges registration information with the other RPs via MSDP. When one RP is faulty, newly registering multicast sources and joining multicast receivers automatically select another nearby RP to perform registration and joining. Anycast RP ensures that a new multicast data stream can be established between a new multicast source and receiver at any time, realizing RP load balance and backup.

3.2.5 Controllable Multicast

IPTV (Internet Protocol Television), also called network television, is a service using IP broadband network integrated with Internet, multimedia and telecommunication technologies to provide interactive services like live TV, video on demand and online browsing. It transmits stream media files or service control requests on the basis of IP and completes demand and playing of the programs. The user terminals can be IP set-top box + television or PC.

From the network implementation perspective, IPTV can be regarded as a specific application of controllable multicast technology. Traditional multicast technology cannot control unauthorized multicast services and thus cannot meet the controllable and manageable requirements of telecommunication operators. Controllable multicast technology adds a multicast control policy to the original multicast technology and so realizes control over accessed multicast services.

ZXR10 8900E series switches support complete controllable multicast features. By supporting the functions including IGMP V1/V2/V3, IGMP Snooping, IGMP Proxy, IGMP Fast-leave, multicast VLAN, CAC (Channel Access Control) and CDR (Call Detail Record), they can realize precise control on multicast users.

In commercial IPTV network, controllable multicast technology integrated with current network authentication technology can realize user access authentication and user multicast authentication, enabling controllable multicast service access. CAC, CDR together with SMS system can provide multicast service management and control capability for users, facilitating the users to provide IPTV service. Multicast VLAN together with QoS provides complete multicast data stream control measures from multicast source to the receiver, effectively ensuring multicast quality. IGMP Snooping technology can record multicast data transmission from the multicast source, traffic and destination address. IGMP fastleave can strictly control and record a specific receiver joining and leaving a specific multicast group to enhance multicast management capability and provide technical support for IPTV billing. Multicast VLAN and IGMP Snooping can prevent flooding of multicast messages in L2 network, isolate multicast users and guarantee multicast information security.

Besides, the equipment provides the following controllable multicast management functions to facilitate users to perform management on IPTV channel and subscribers, including channel access control, channel management, suite management, preview configuration function, preview template management, CDR function and unified network management via MIB.

The procedure of IPTV user access control is generally as follows:

1. IPTV users have four kinds of rights: view, preview, query and reject.

2. The operator creates static channel table or suite table (can be regarded as multicast group), creates static port principle (CAC) table, and applies the channel or suite to the principle. In this way, the view function of some channels, preview function of some channels and query function of some channels are enabled on the port.

3. The user client sends an IGMP message from the local port to report, leave or query a multicast channel. The IPTV module searches for the matching CAC principle according to the user's port and VLAN and authenticates the rights of the channel the user applied for. The authentication method is to look up the channel rights (view, preview, query, reject) configured in the principle and return the result to IGMP Snooping for further processing. To make IPTV service management controllable at the network layer, IGMP Snooping processes the different rights as follows: for view and preview rights, it adds the user's port to the multicast forwarding table; for the query right, it broadcasts the query message in the user's VLAN.

4. When the user leaves this channel (multicast group), IGMP fastleave deletes the user from the multicast group to avoid illegal receiving; at the same time the system outputs the user's CDR to the SMS system to realize billing management.
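The four steps above, modelled as an added Python example (not ZTE code). The class, method and field names, the CDR record layout, and the choice to treat a port/VLAN/channel with no configured right as reject are assumptions of this example; group addresses and port names are constructed.

```python
from enum import Enum

class Right(Enum):
    VIEW = "view"
    PREVIEW = "preview"
    QUERY = "query"
    REJECT = "reject"

class IptvCac:
    """Static channel table plus per-port CAC principles feeding a snooping table."""

    def __init__(self):
        self.channels = {}     # channel name -> multicast group address
        self.principles = {}   # (port, vlan) -> {group: Right}
        self.forwarding = {}   # group -> {port: (join time, right)}
        self.cdr = []          # records handed to the billing side on leave

    def add_channel(self, name, group):
        """Step 2a: the operator creates a static channel entry."""
        self.channels[name] = group

    def apply(self, port, vlan, channel, right):
        """Step 2b: bind a channel to the port/VLAN principle with one right."""
        group = self.channels[channel]
        self.principles.setdefault((port, vlan), {})[group] = right

    def authenticate(self, port, vlan, group):
        """Step 3: look up the configured right by port and VLAN.
        Assumption: anything not configured is rejected."""
        return self.principles.get((port, vlan), {}).get(group, Right.REJECT)

    def handle(self, msg, port, vlan, group, now):
        """Process one IGMP message and return the action snooping takes."""
        right = self.authenticate(port, vlan, group)
        if msg == "report":
            if right in (Right.VIEW, Right.PREVIEW):
                # Add the user's port to the multicast forwarding table.
                # setdefault keeps the first join time on repeated reports.
                self.forwarding.setdefault(group, {}).setdefault(port, (now, right))
                return "forward"
            return "drop"
        if msg == "query":
            return "broadcast-in-vlan" if right is Right.QUERY else "drop"
        if msg == "leave":
            # Step 4: fast leave removes the port at once and emits a CDR.
            joined = self.forwarding.get(group, {}).pop(port, None)
            if joined is None:
                return "ignore"
            start, held = joined
            self.cdr.append({"port": port, "vlan": vlan, "group": group,
                             "right": held.value, "start": start, "end": now})
            return "removed"
        raise ValueError("unknown IGMP message type: " + msg)

def build_sample():
    """Constructed configuration: one subscriber port in VLAN 100."""
    cac = IptvCac()
    cac.add_channel("news", "239.1.1.1")
    cac.add_channel("sport", "239.1.1.2")
    cac.add_channel("guide", "239.1.1.3")
    cac.apply("port-1", 100, "news", Right.VIEW)
    cac.apply("port-1", 100, "sport", Right.REJECT)
    cac.apply("port-1", 100, "guide", Right.QUERY)
    return cac

if __name__ == "__main__":
    cac = build_sample()
    print(cac.handle("report", "port-1", 100, "239.1.1.1", now=10))
    print(cac.handle("report", "port-1", 100, "239.1.1.2", now=11))
    print(cac.handle("leave", "port-1", 100, "239.1.1.1", now=70))
    print(cac.cdr)
```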

The controllable multicast technology provided by ZXR10 8900E series switches enables the operator to control multicast services precisely, perform overall management on the users and realize flexible provisioning of IPTV service.

3.2.6 MCE

In the traditional MPLS VPN model, VPN access is provided by PE equipment and user isolation is performed on PE equipment. The present MPLS VPN model is a plane model, so the performance requirements for PE equipment are the same no matter which layer of the network it is located at. The routes aggregate layer by layer, and even when PE extends toward the edge, more routes need to be maintained; a typical network, however, follows the core-aggregation-access three-layer model, in which equipment performance degrades sequentially and the network scale expands sequentially. This makes it difficult for PE equipment to extend to the network edge. Besides, when VPN users are far away from the PE, they need to be linked by WAN links, whose number should be at least the same as the number of VPN users. Using routers to access users nearby and connecting them to the PE via one WAN link after aggregation can save cost and improve the bandwidth utilization rate, but different VPN users must then be distinguished on this WAN link.

MCE (Multi-VRF CE) technology extends the capability of CE and enables it to have VRF function. Equipment with this function is called MCE equipment. In networking, multiple MCEs together with a PE form a distributed PE. MCE enables multiple VPN users to share one CE device and at the same time isolates different users, resolving the contradiction between security and cost. User data streams are terminated at the MCE, avoiding adverse effects of broadcast streams on PE equipment. Generally speaking, MCE is a technology that lets multiple VPN users share one CE device in a local area network and share the links between this CE device and the PE device. MCE can realize total isolation between different services in transmission, solve the security problem of the traditional local area network at low cost and largely satisfy customers' requirements.

Figure 3-3 Architecture of MCE

As shown in Figure 3-3, the characteristic of MCE technology is that it changes VPN access from PE to CE.

Multiple VRFs are configured on MCE, corresponding to multiple VPN sites. Each VRF needs an uplink interface to connect with PE; the same VRF is configured on the corresponding interface of PE. As MCE does not need to support MPLS, ordinary data packets without MPLS labels travel between MCE and PE equipment. This is different from layered PE, where there is a layer of MPLS label between the layered PEs. Therefore, VPN traffic can only be differentiated by the interfaces on PE. This means the number of VPN interfaces on PE should be equal to the number of VPNs MCE supports (same configuration as PE supporting L3 VPN). A CE with the MCE feature actually simulates multiple CEs. The virtual CEs are isolated from each other and can be accessed by multiple VPN users. PE equipment cannot sense whether this is multiple CEs or one MCE, so PE needs no expansion.

3.3 MPLS VPN

3.3.1 Basic Functions of MPLS

MPLS is a multi-layer switching technology integrating L2 switching and L3 routing technologies and using label as the means to aggregate and forward information. It runs in route layer architecture, supports multiple upper-layer protocols and can be realized in various physical platforms.

Labels are just like the zip codes of letters. Zip codes are encoded numbers for the destination addresses of letters and some special requirements (such as QoS, CoS and management information) which enable faster and more effective letter processing and speed up the routing process of the letters to reach the destination. The basic concept of label switching is label distribution, namely, binding of the label and network layer route.

The basic routing mode of MPLS is hop-by-hop routing, which allows simpler forwarding mechanism than data packets and can realize faster routing. As it uses universal method of label distribution and universal routing protocol on various media (such as packet, cell and frame), MPLS supports highly efficient and widely applicable specific routing (such as QoS routing) and universal traffic engineering method as well as other operation methods. Using LDP (label distribution protocol), its core protocol, together with standard network layer routing protocol, MPLS distributes label information among the devices in the MPLS network in the connectionless working mode. MPLS can also use connection-oriented working mode, namely, signaling protocol to establish specific routes for multimedia services that need long time and QoS support. Besides, MPLS can use the working mode of resource reservation without specific connection, namely, RSVP and RSVP-LSP-TUNNEL protocols, mainly in traffic engineering. The extended protocol of LDP, CRLDP can be used to implement some routes with specific paths.

The working principle of MPLS network is as shown in Figure 3-4. From the figure, the core components of an MPLS network are: Label Edge Switch Router (LER) and Label Switch Router (LSR). Through label distribution protocol (LDP), label information is distributed between LER and LSR and between LSR and LSR. Network routing information comes from some common routing protocols, such as OSPF. The system determines how to establish the label switching path (LSP) according to the routing information. When a packet enters LER, the ingress LER determines the LSR to the destination by searching the route table according to the input packet header, inserts the corresponding label of the LSP to the packet header and then outputs the packet to the path identified by the label. The network nodes perform label switching forwarding completely depending on the packet label without searching the route table. The egress LER forwards the packet to the destination according to certain principles.

Figure 3-4 MPLS working principle

Generally the structure of MPLS header is as shown in Figure 3-5, including 20-bit label, 3-bit EXP, commonly used for CoS, 1-bit S, used to identify whether this MPLS label is the bottom layer label, and 8-bit TTL (Time To Live).

[Figure 3-4 diagram: Ingress LER, two LSRs and Egress LER, with LDP, IP route processing and per-node In/Out label tables (labels 3, 6, 8).]

Figure 3-5 MPLS header structure

MPLS decides forwarding by label. A label is a 20-bit identifier, only having local effect in one hop link. What is identified by a label is a group of packets called Forwarding Equivalence Class (FEC), which can be all packets to the same destination address prefix or can be introduced with QoS to make the packets having the same service quality requirements belong to the same FEC. The packets belonging to the same FEC are forwarded according to the same forwarding policy.

When a packet without a label enters an MPLS domain, the edge LSR analyzes the destination address carried in the header, classifies the packet into an FEC according to the QoS requirement, adds the label corresponding to this FEC to the packet and then forwards it to the next hop. The intermediate LSR maintains a table of mapping relations between incoming label, outgoing label and forwarding direction. When receiving a packet with a label, it searches the mapping table by the incoming label carried by the packet to obtain the outgoing label and forwarding direction, replaces the incoming label with the effective outgoing label and then sends the packet to the next hop. When the packet leaves the MPLS domain, the edge LSR deletes the label, and the packet, once again without a label, is sent to the next hop.

In forwarding, the label can be processed in the form of stack. The label value at the top of the label stack is the effective label, and LSR forwards packets by the top label of the stack. When a packet enters an MPLS domain, a label is pushed in the label stack occupying the top of the stack; at this time the stack depth increases by 1. The LSR in this MPLS domain only checks and replaces the top label and ignores the other labels. When the packet leaves the MPLS domain, POP operation is performed, and the label stack turns back to the original depth before entering the MPLS domain. The packet without label can be regarded as empty label stack; adding label to it when it first enters MPLS network environment can also be regarded as PUSH operation. In this way, MPLS can easily realize layered network. The depth of label stack indicates the network layer: when the packet passes a tunnel or a lower-level MPLS network, the depth of the label stack will increase; on the contrary, when the packet returns to the upper-level network, the depth decreases.
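The 32-bit header layout (20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL) and the push, swap and pop operations described above, as an added Python example (not ZTE code). The label values, node names and the rule that a transit LSR drops a packet whose TTL would reach zero are assumptions of this example.

```python
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

class Entry(NamedTuple):
    label: int   # 20 bits, meaningful only on one hop
    exp: int     # 3 bits, commonly used for CoS
    ttl: int     # 8 bits

def encode_stack(stack: List[Entry], payload: bytes) -> bytes:
    """Serialise a label stack, top first. S is set only on the bottom entry."""
    out = b""
    for i, e in enumerate(stack):
        if not (0 <= e.label < 1 << 20 and 0 <= e.exp < 8 and 0 <= e.ttl < 256):
            raise ValueError("field out of range: %r" % (e,))
        s = 1 if i == len(stack) - 1 else 0
        out += struct.pack("!I", e.label << 12 | e.exp << 9 | s << 8 | e.ttl)
    return out + payload

def decode_stack(data: bytes) -> Tuple[List[Entry], bytes]:
    """Parse entries up to the one with S=1; reject a stack that never ends."""
    stack, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        stack.append(Entry(word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 1:
            return stack, data[off:]

def push(stack: List[Entry], label: int, exp: int = 0, ttl: int = 64) -> List[Entry]:
    """Ingress or tunnel entry: the new label becomes the top, depth grows by 1."""
    return [Entry(label, exp, ttl)] + stack

def pop(stack: List[Entry]) -> List[Entry]:
    """Egress: remove the top label, depth shrinks by 1."""
    return stack[1:]

class LSR:
    """Transit node holding the incoming label -> (outgoing label, next hop) map."""

    def __init__(self, name: str, table: Dict[int, Tuple[int, str]]):
        self.name = name
        self.table = table

    def forward(self, wire: bytes) -> Optional[Tuple[str, bytes]]:
        stack, payload = decode_stack(wire)
        top = stack[0]                       # only the top label is examined
        if top.label not in self.table or top.ttl <= 1:
            return None                      # unknown label or TTL expired: drop
        out_label, next_hop = self.table[top.label]
        stack[0] = Entry(out_label, top.exp, top.ttl - 1)   # swap, decrement TTL
        return next_hop, encode_stack(stack, payload)

def send_through(wire: bytes, lsrs: List[LSR]) -> Tuple[List[int], Optional[bytes]]:
    """Carry wire bytes through LSRs in order; record the top label after each hop."""
    seen = []
    for lsr in lsrs:
        result = lsr.forward(wire)
        if result is None:
            return seen, None
        _, wire = result
        seen.append(decode_stack(wire)[0][0].label)
    return seen, wire

if __name__ == "__main__":
    # Constructed LSP: ingress pushes 103, LSR-A swaps to 106, LSR-B swaps to 108.
    path = [LSR("LSR-A", {103: (106, "LSR-B")}), LSR("LSR-B", {106: (108, "egress-LER")})]
    wire = encode_stack(push([], 103, exp=5), b"ip-packet")
    labels, out = send_through(wire, path)
    print(labels, pop(decode_stack(out)[0]))
```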

At present ZXR10 8900E series provides complete MPLS protocol with the major functions as below:

Support LDP and RSVP protocols;

Support TTL value decreasing, loop test, policy management and pop up at the last but one hop;

Support downstream independent label distribution mode and free label reservation mode;

Support fast rerouting of LSP and establishment of RSVP-LSP.

3.3.2 MPLS TE

Network congestion is a major problem that affects backbone network performance. The reason of congestion may be insufficient network resource or unbalanced network resource load which leads to local congestion. Traditional routing with shortest path first will cause unbalanced distribution of network traffic, that is, when a path is congested, the traffic will not be switched to other paths. With the expansion of network scale and development of network services, the customers have increasingly higher requirements for service quality; the problem of traditional routing is thoroughly exposed. TE (Traffic Engineering) is just to solve the congestion caused by unbalanced load. MPLS TE is a technology integrating traffic engineering with MPLS. By MPLS TE, the service provider can precisely control the path of the traffic, so as to avoid the congested node, solving the problem of some paths being overloaded and some paths being idle and making full use of the current bandwidth resource. At the same time, MPLS TE can reserve resource when establishing LSP tunnel to guarantee service quality.

MPLS TE creates link bandwidth resource database in the nodes of the MPLS network via OSPF TE or IS-IS TE, calculates tunnel creation path by CSPF algorithm according to link bandwidth resource database and tunnel restriction conditions, and finally creates TE tunnel using RSVP-TE signaling protocol in the path calculated by CSPF algorithm.

RSVP (Resource Reservation Protocol) is a TCP/IP based transport layer protocol. By RSVP, the host can apply for specific QoS to the network, providing secure data stream services for specific services, and meanwhile reserve resource on the router nodes where the data stream passes and keep this status until the service releases corresponding resource. RSVP-TE protocol, an extended protocol of RSVP, can carry parameters including bandwidth, some specific routes and color, create the LSP that meets the restriction conditions according to traffic engineering route calculation and complete link backup, node backup and load balance functions.

ZXR10 8900E supports MPLS TE-related technology and can provide the following features:

MPLS TE provides “non-IGP shortest path first” IP packet forwarding capability, which can effectively avoid network congestion caused by unbalanced network traffic by planning network resource reasonably.

MPLS TE provides bandwidth guarantee for traffic. Bandwidth reservation, priority definition and bandwidth preemption mechanisms are introduced for key traffic. It can ensure the transmission traffic will not be discarded because the link bandwidth is insufficient.

MPLS TE can also guarantee stable and reliable transmission of network traffic: when the link or transmission node fails, fast link switching can be achieved via MPLS TE FRR and MPLS TE tunnel backup technology. Besides, it also supports LSP full path protection and thus can largely reduce the impact on the traffic.

Support MPLS VPN over TE; provide LDP over RSVP; TE tunnel provides bandwidth guarantee and isolation for MPLS VPN service.

3.3.3 MPLS L2 VPN

MPLS L2 VPN can be divided into two classes. The first is called VPWS (Virtual Private Wire Service), which realizes communication between the sites in a VPN by point-to-point connections. This mode is mostly used for users with ATM and FR connections. The connections between the users and the network provider are not easy to maintain, but the services are transmitted on the network provider's IP backbone network after encapsulation. The second is called VPLS (Virtual Private LAN Service). The operator’s network emulates the function of a LAN switch or bridge, connecting all LANs of the users to form a simple bridged LAN. The major difference between VPLS and VPWS is that VPWS only provides point-to-point service while VPLS provides point-to-multipoint service. That is, the CE device in VPWS selects a virtual line and sends the data to a user site; the CE device in VPLS simply sends the data for all destinations to the PE devices connected to it.

Figure 3-6 Basic VPWS network model

The most direct way to create an L2 VPN is to create VCs between CE and PE, with the operator’s network using MPLS LSPs to bear these connections, as shown in Figure 3-6. MPLS TE can be adopted to meet the QoS requirements of the users. In this scheme, the workload of configuring the PVCs between CE and PE and the MPLS LSPs that bear them is heavy. A large number of LSPs will occupy a lot of LSR resources, which will reduce network expandability. To address this expandability problem, the Martini draft suggests creating a fixed number of MPLS LSPs between PE and network devices. When VC bearer services between the user CE device and PE need to pass through the network, they enter a point-to-point sub-tunnel (i.e. “pseudo-wire”) in the MPLS LSP. This LSP can be regarded as the bearer channel of multiple VCs. This is similar to the relation between VC channel and VP channel in an ATM network. The IETF draft defines the signaling to create sub-tunnels and the encapsulation format for forwarding ATM, FR and Ethernet data packets on a sub-tunnel. Although this method saves some network resources (such as LSP quantity), when creating a large-scale MPLS VPN all sub-tunnels need to be created manually, and the configuration workload is quite high.

ZXR10 8900E series products support VPWS of Martini draft and extended LDP protocol. They can create different LSP channels by service type. They support Ethernet encapsulation and VLAN encapsulation as well as LDP-based extended VPLS.

3.3.3.1 VPLS

Virtual Private LAN Service (VPLS) is a kind of VPN with multi-station links in a single bridge domain in an IP/MPLS network managed by operators. All customer stations in a VPLS appear to be located in one LAN no matter where they are actually located. Since VPLS uses Ethernet interfaces to implement customer exchange, it simplifies the LAN/WAN boundary and makes service provisioning quick and flexible. In VPLS, customers keep complete control over routing. Besides, since all customer routers in a VPLS are part of the same subnet (LAN), they get a simplified IP addressing solution. This advantage becomes especially obvious when compared with the full-meshed structure constituted by different P2P links. Operators also benefit from the reduced complexity of VPLS service management.

In Figure 3-7, CE1, CE2, and CE3 are in one VPLS domain – VPLS A. They are connected by a packet switching network (here an MPLS network). Equipped with VPLS, the PEs establish full-meshed VC connections between each other. If CE1 communicates with CE3, CE1 first learns the MAC address of CE3, which is based on data flow. Meanwhile, PE1 must hold two layers of tags toward PE3. One is the packet switching tag for the outer layer, which is the MPLS network here, and the other is the VC tag for the inner layer. When PE1 receives MAC frames with the destination address of CE3, PE1 looks up the inner and outer layer tags toward PE3 according to the MAC address, VCID and other information, adds the tags to the data frames and transports them through the MPLS network. Only the inner layer tag is left on the data when it arrives at PE3. PE3 determines the port on PE3 to which CE3 is connected according to the inner layer tag and MAC address, and sends the data out of that port. The data then arrives at CE3. In this way communication between CE1 and CE3 is completed. All of these operations are implemented at L2. Operators don’t need to be concerned with users’ routing configuration, which reduces users' dependence on operators and simplifies operators’ management of user services.

Figure 3-7 Basic VPLS network model

3.3.3.2 H-VPLS

VPLS adopts PE full-connection to avoid loopback, so an LDP session or BGP session is set up between all PEs in one VPLS instance, which brings a great challenge to network scalability. In a medium-scale scenario, PE full-connection is acceptable. But as the number of PEs in the network increases, the number of sessions grows with the square of the number of PEs, which puts high requirements on equipment performance. At the same time network management becomes very complicated. Hierarchical VPLS networking (H-VPLS) solves this problem.

H-VPLS divides PE into NPE and UPE. UPE works as CE for access user. NPE works as core layer of VPLS networking, providing transparent transport of user packet in operator’s network. NPEs in H-VPLS networking compose full-connection. UPE doesn’t need to establish connection with all PEs. With hierarchy, H-VPLS reduces PW number and PW signaling costs.

There are two types of H-VPLS: PW and QinQ.

1. U-PW Access:

Figure 3-8 H-VPLS networking with U-PW access

As shown in Figure 3-8, UPE works as an aggregation device and establishes the virtual connection U-PW with NPE1. UPE provides user data packet access and tags the packet with the VC label corresponding to U-PW. When NPE1 receives the packet, it decides which VFI the packet belongs to based on the VC label, tags it with the VC label corresponding to N-PW based on the destination MAC address of the packet, and forwards it. As for packets received from N-PW, NPE1 tags them with the VC label corresponding to U-PW and forwards them to UPE.

2. QinQ Access:

Figure 3-9 H-VPLS networking with QinQ access

As shown in Figure 3-9, UPE, working as an aggregation device, is a standard bridging device supporting QinQ. UPE enables QinQ at the access port of the CE and adds a VLAN-TAG as the multiplexing separation mark. Packets are transparently transported through the QinQ tunnel between UPE and N-PE to NPE1. NPE1 decides the VSI that the packet belongs to based on the VLAN-TAG added by UPE, adds the multiplexing separation mark (MPLS tag) based on the destination MAC of the packet and forwards it. When NPE1 receives packets from the PW side, it decides which VFI the packet belongs to based on the multiplexing separation tag (MPLS tag), adds the VLAN-TAG based on the destination MAC of the packet, and forwards the packet via the QinQ tunnel to UPE, which transfers the packet to the CE.

If CE1 and CE2 exchange data as local CEs, UPE, which is equipped with bridging, can directly forward packets between the two without transporting the packets upwards to NPE1. However, when UPE transmits traffic to CE2 by bridge broadcasting, it also forwards the first packet with an unknown destination MAC, or a broadcast packet, to NPE1 via the QinQ tunnel. NPE1 duplicates the packet and forwards it to each peer-end CE.

ZXR10 8900E supports both of the above H-VPLS access types.

3.3.4 MPLS L3 VPN

3.3.4.1 MPLS VPN

Figure 3-10 Basic BGP MPLS VPN network model

As shown in Figure 3-10, a basic BGP/MPLS VPN network is composed of CE routers, PE routers and P routers. As customer edge equipment, the CE is the router or switch at the customer site that connects to the operator’s network. The VPN function is provided by the PE router. P and CE routers have no special VPN configuration needs.

To separate the routing of a VPN from public Internet routing and from other VPNs, the PE router generates a separate routing/forwarding instance (VRF) for each VPN. The PE router generates a VRF table for each VPN connected by a CE router. Any customer or station that belongs to a VPN only has access to the VRF table of that VPN.

When a BGP/MPLS VPN network is built, each PE router must run MP-BGP (MP-BGP is used between PEs in MPLS VPN) to learn and advertise VPN routes between PEs. MP-BGP inherits BGP’s requirement that the peers running IBGP in one routing domain be fully connected in order to advertise BGP routes within the routing domain. When there is a large number of PEs in the VPN, the number of IBGP full-connections becomes very large, which causes the N-square problem and a scalability problem. A route reflector can be used to solve this.

If two sites of one VPN are located in different Autonomous Systems, the corresponding PE routers cannot use an IBGP connection to forward VPN-IPv4 routes. In this case EBGP must be used to transport VPN-IPv4 routes between ASs with back-to-back VRF: using EBGP to distribute VPN-IPv4 routes with mark and using Multi-hop EBGP to distribute VPN-IPv4 routes from one AS to another.

ZXR10 8900E series support complete MPLS L3 VPN, address overlapping, CE static routing, RIP, OSPF, and BGP access. They support BGP scalable union, capability negotiation, and route refreshing. They support binding of interface with VRF, and binding of VLAN with VRF.

[Figure 3-10 labels: VPN1, VPN2, Customer Edge Switch, Service Provider Edge Switch, Backbone Switch, VRF, P, PE]

3.3.4.2 Cross-domain VPN

At the beginning, MPLS-VPN applications were mainly developed in enterprise networks or MANs of limited scale. Deployment of MPLS-VPN inside one AS could meet the service needs. With the expansion of MPLS-VPN application scale and of network scale, cross-domain MPLS-VPN services are emerging. Multiple sites of a user VPN connect to multiple ISPs or to different AS domains of one ISP. If the AS numbers of the AS domains are different, operators need to support Multi-AS cross-domain VPN.

The following are three solutions to solve Multi-AS cross-domain VPN:

VRF-to-VRF solution: set up logic sub-interface between edge routers with each sub-interface associated to one VPN. Edge router distributes IPv4 route to corresponding VPN user by sub-interface. Each VPN should be processed. It suits the beginning phase of VPN service with little network change and little VPN services provided.

Single hop MP-EBGP solution: edge routers distribute VPN user VPN-IPv4 routes by MP-EBGP, avoiding the trouble of processing each VPN on edge router by VRF to VRF. When VPN service develops to a certain phase, and edge router link is restricted, single-hop MP-EBGP can be considered to provide cross-domain VPN service.

Multi-hop MP-EBGP solution: it distributes user VPN-IPv4 routes between PEs by Multi-hop MP-EBGP. With no need for the edge router to process VPN information, it suits large-scale provision of cross-domain VPN service. But it needs to be planned in an integrated way in network deployment.

ZXR10 8900E provides the above three VPN cross-domain deployment solutions.

3.4 QoS

3.4.1 Basic QoS

The existing Internet provides best-effort services. In this mode all service flows compete “equally” and fairly for network resources. The router takes the working mode of First Come First Service (FCFS) for all IP packets. It tries its best to send IP packets to the destination but provides no guarantee for the reliability and delay of IP packet transport. This suits Email, FTP and WWW services well.

With the high-speed growth of the Internet, IP services develop quickly and become diversified. With the emergence of multimedia services, the computer is no longer a pure tool for processing data but is getting closer and closer to people’s lives. Computer exchange becomes more realtime and lively, which puts higher requirements on computers and the Internet. For applications with special bandwidth, delay and jitter requirements, the existing “best-effort” service is apparently not enough. Although network bandwidth and speed are greatly improved with the development of network technology, the volume of data that needs transmission is increasing as fast as the network develops. At the same time, some new applications that have emerged in recent years (such as multimedia and multicast) not only add to network traffic but also change the traffic on the Internet. They bring brand-new service requirements. Without service quality guarantees, bandwidth reservation, and restricted network delay, the network cannot support applications that are sensitive to bandwidth, delay, jitter and packet loss ratio, such as VoIP and video conference. Providing the capability to support QoS is a feasible measure to solve the problem. QoS aims to provide different service quality for various applications with different needs, such as providing private bandwidth, reducing packet loss ratio, and reducing packet transport delay and jitter.

QoS works to effectively provide users with E2E service quality control or guarantee. QoS enables a network unit (such as a program, host or network equipment) to guarantee that its service flow and service requirements are satisfied at a certain level. QoS can control various network applications and satisfy multiple network application requirements. For example:

To control the resource: to restrict bandwidth used by FTP on backbone network, or to offer higher priority to database access.

Cuttable services: subscribers of ISP (Internet Service Provider) can transport voice, video or other realtime services. QoS can make ISP distinguish these different packets and provide different services.

Co-existence of multiple needs: be able to provide bandwidth and low delay guarantee for time-sensitive multimedia services. Other services in operation will not influence these time-sensitive services.

QoS doesn’t create bandwidth. It only manages bandwidth based on program needs and network situation. QoS has a series of performance indexes, including the following:

Service availability: the reliability of the connection between subscribers and Internet service.

Transmission delay: time interval of data packets transmitting and receiving between two reference points.

Variable delay: also called jitter, is the time difference between data packets in a group of data flow transmitted on one route.

Throughput: rate of data packets transmitted in the network, which can be represented in average rate or peak rate.

Packet loss ratio: the highest ratio of data packet loss in network. Data packet loss is usually caused by network congestion.

ZXR10 8900E series provides the following functions to realize the above objectives:

1. Traffic classification

2. Traffic monitoring

3. Traffic shaping

4. Queue scheduling and default 802.1p priority

5. Re-orientation and policy routing

6. Priority mark

7. Traffic mirroring

8. Traffic statistics

3.4.1.1 Traffic Classification

Traffic classification defines or describes packets with certain features by classifying the packets that go through the switch. Packet classification can be implemented by ACL, especially extended ACL. Packets can be classified into different categories based on different needs. Users classify packets based on the filtering options of the ACL, such as packet source/destination IP address, source/destination MAC address, IP protocol type, TCP source/destination port number, UDP source/destination port number, DSCP, ToS, IP Precedence, VLAN ID, 802.1p priority value, MPLS EXP, and MPLS tag.

3.4.1.2 Traffic Monitoring

Traffic monitoring restricts the bandwidth of a service to prevent it from exceeding the specified bandwidth or influencing other service flows. The following measures can be taken to deal with the excess traffic:

To drop or forward

To change its DSCP value

To change its dropping priority (packets with higher dropping priority are dropped first in queue congestion.)

ZXR10 8900E series switch realizes Single Rate Three Color Marker (RFC2697) and Two Rate Three Color Marker (RFC4115). Both algorithms support Color-Blind and Color-Aware modes.

The Meter works in two modes: in Color-Blind mode, it supposes packets are uncolored. In Color-Aware mode, it supposes packets are marked with a color. The data packets that go through the switch are assigned a color based on a certain rule (data packet information). The Marker colors the IP packets based on the Meter result, and the color is marked in the DS domain.

The following are two types of marking algorithms.

1. Single Rate Three Color Marker (SrTCM)

This algorithm is used in the Diffserv traffic conditioner. SrTCM measures information flow and marks the packets based on three parameters: Committed Information Rate (CIR), Committed Burst Size (CBS), and Excess Burst Size (EBS). We call the three parameters green, yellow and red mark. When a packet goes through ingress monitoring, it takes a token from the CBS bucket first. The packet will be green if it can get a token from the CBS bucket. It takes a token from the EBS bucket if it cannot take one from the CBS bucket. The packet will be yellow if it can take one from the EBS bucket. The packet will be red if it cannot take a token from the EBS bucket. Red packets will be dropped by default.

2. Two Rate Three Color Marker (TrTCM)

This algorithm is used in Diffserv traffic conditioner. TrTCM measures IP information traffic and marks data packets as green, yellow or red based on two rates: Peak Information Rate (PIR) and Committed Information Rate (CIR), as well as their related burst size (CBS and PBS). In color-aware mode, packet is marked as green if it doesn’t exceed CIR. It is marked as yellow if it exceeds CIR but doesn’t exceed PIR. And it is marked as red if it exceeds PIR. In color-blind mode, all packets are marked as green.
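The SrTCM token-taking order described above (CBS bucket first, then EBS bucket, otherwise red) can be traced with a small meter. This is an added example following RFC 2697, not ZTE's implementation; the class name, the rates and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTCM:
    """Single Rate Three Color Marker (RFC 2697) with byte-based buckets."""
    cir: float                      # Committed Information Rate, bytes/second
    cbs: int                        # Committed Burst Size, bytes
    ebs: int                        # Excess Burst Size, bytes
    tc: float = field(init=False)   # tokens currently in the CBS bucket
    te: float = field(init=False)   # tokens currently in the EBS bucket
    last: float = 0.0               # time of the previous refill, seconds

    def __post_init__(self):
        # Both buckets start full.
        self.tc = float(self.cbs)
        self.te = float(self.ebs)

    def _refill(self, now):
        # Tokens arrive at CIR. They fill the CBS bucket first; only the
        # overflow goes to the EBS bucket, and anything beyond EBS is lost.
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        tokens = elapsed * self.cir
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(float(self.ebs), self.te + tokens - to_c)

    def mark(self, now, size, pre_color=None):
        """Return the color of a packet of `size` bytes arriving at `now`.

        pre_color=None is Color-Blind mode. In Color-Aware mode the incoming
        color can only be kept or worsened, never improved.
        """
        self._refill(now)
        if pre_color in (None, GREEN) and self.tc >= size:
            self.tc -= size
            return GREEN
        if pre_color in (None, GREEN, YELLOW) and self.te >= size:
            self.te -= size
            return YELLOW
        return RED          # red packets take no tokens (dropped by default)


# Constructed sample traffic: (arrival time in s, size in bytes, pre-color).
SAMPLE = [
    (0.0, 1000, None),    # fits the full CBS bucket
    (0.0, 1000, None),    # CBS has 500 left, so EBS pays
    (0.0, 1000, None),
    (0.0, 1000, None),    # EBS is now empty
    (0.0, 1000, None),    # neither bucket can pay
    (0.5, 1000, None),    # 500 new tokens went to CBS, which now holds 1000
    (3.0, 1000, None),    # CBS refilled to 1500, overflow of 1000 into EBS
    (3.0, 500, YELLOW),   # Color-Aware: a yellow packet may only use EBS
]


def run_sample():
    meter = SrTCM(cir=1000, cbs=1500, ebs=3000)
    return [meter.mark(t, size, pre) for t, size, pre in SAMPLE]


if __name__ == "__main__":
    for (t, size, pre), color in zip(SAMPLE, run_sample()):
        print(f"t={t:<4} size={size:<5} pre={pre!s:<7} -> {color}")
```

The burst at t=0 shows why EBS matters: one packet is green, the next three ride on the excess bucket as yellow, and only the fifth is red.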

3.4.1.3 Traffic Shaping

Traffic shaping takes control over the rate of output packets to transmit the packets at an even rate. Traffic shaping is usually used to match the packet rate with the downstream equipment so as to avoid congestion and packet dropping.

The major difference between traffic shaping and traffic monitoring is that traffic shaping buffers the packets that exceed the rate limit so as to send them at an even rate, while traffic monitoring drops the packets that exceed the rate limit. Traffic shaping adds delay, while traffic monitoring doesn’t add extra delay.

ZXR10 8900E supports two-level traffic shaping, as well as shaping based on VLAN and port. With two levels shaping of VLAN and port, the system can realize multi-level control over service flows to guarantee the implementation of multi-level QoS and differentiated management.

3.4.1.4 Congestion Avoidance

Network equipment has limited processing and buffering capability. Packets that exceed the equipment capability will cause congestion. Simply dropping these packets will lead to “global synchronization”. ZXR10 8900E adopts RED/WRED to avoid congestion and improve network quality. ZXR10 8900E WRED can sense the services including IP priority, DSCP and MPLS EXP. It can set different early dropping strategies for packets with different priorities to provide a differentiated dropping feature.

3.4.1.5 Queue Scheduling

Each physical port of the ZXR10 8900E series switch supports 8 output queues (queue0~7), called CoS queues. At ingress, the switch assigns packets to output queues according to the CoS queue corresponding to the 802.1p value of the packets. When the network is congested, many packets may compete for resources. Queue scheduling can solve the problem.

ZXR10 8900E series switch supports three queue scheduling modes: Strict Priority (SP), Weighted Round Robin (WRR), and Dynamic Weighted Round Robin (DWRR). The 8 output queues at a port can adopt different scheduling modes.

Strict Priority (SP)

SP schedules the data of each queue strictly by the priority of the queue. First it takes packets out of the queue with the highest priority and sends them until all packets in that queue are sent out. Then it sends the packets in the queue with the second highest priority. Similarly, it sends all the packets in that queue and then sends packets in the queue with the third highest priority, and so on for the remaining queues.

SP offers first processing for packets of key services so that quality of the key services is guaranteed. However, queues with lower priority may never get processed and get starved.

Weighted Round Robin (WRR)

WRR gives every queue a chance to be scheduled, so that no queue is “starved”. However, each queue is scheduled at a different time and with a different weight (the proportion of resources each queue gets). Packets in a queue with higher priority are more likely to be scheduled than those in a queue with lower priority.

Dynamic Weighted Round Robin (DWRR)

DWRR also gives every queue a chance to be scheduled. Each queue has a different weight. The difference between DWRR and WRR is that the weight configured for DWRR indicates the number of bytes scheduled each time for the 8 queues at the port, in units of kbyte, while the weight configured for WRR indicates the number of packets scheduled each time for each queue. Therefore, with DWRR the size of data packets has little influence on bandwidth.
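The packet-count versus byte-count difference described above, shown as an added example (not ZTE's code) with two backlogged queues of equal weight, one holding 1500-byte packets and one holding 64-byte packets. The byte-weighted scheduler is modelled with a deficit counter, which is an assumption about the mechanism; the function names, the byte (rather than kbyte) quanta and the sample queues are constructed.

```python
from collections import deque


def wrr(queues, weights, rounds):
    """Packet-count weights: per round, queue i may send weights[i] packets.

    queues is a list of lists of packet sizes in bytes.
    Returns the number of bytes sent by each queue.
    """
    pending = [deque(q) for q in queues]
    sent = [0] * len(queues)
    for _ in range(rounds):
        for i, q in enumerate(pending):
            for _ in range(weights[i]):
                if not q:
                    break
                sent[i] += q.popleft()
    return sent


def dwrr(queues, quanta, rounds):
    """Byte-count weights: per round, queue i earns quanta[i] bytes of credit.

    A packet is sent only if the accumulated credit covers its size; unused
    credit carries over to the next round while the queue stays backlogged.
    """
    pending = [deque(q) for q in queues]
    sent = [0] * len(queues)
    credit = [0] * len(queues)
    for _ in range(rounds):
        for i, q in enumerate(pending):
            if not q:
                credit[i] = 0          # an idle queue does not hoard credit
                continue
            credit[i] += quanta[i]
            while q and q[0] <= credit[i]:
                size = q.popleft()
                credit[i] -= size
                sent[i] += size
            if not q:
                credit[i] = 0
    return sent


def byte_shares(sent):
    """Fraction of the total transmitted bytes that each queue received."""
    total = sum(sent)
    return [s / total for s in sent]


def compare(rounds=50):
    # Constructed backlog: queue 0 holds large frames, queue 1 small frames.
    big = [1500] * 100
    small = [64] * 3000
    return {
        "wrr": wrr([big, small], [1, 1], rounds),
        "dwrr": dwrr([big, small], [1500, 1500], rounds),
    }


if __name__ == "__main__":
    for name, sent in compare().items():
        shares = ", ".join(f"{s:.1%}" for s in byte_shares(sent))
        print(f"{name}: bytes sent {sent}, shares {shares}")
```

With equal weights, the packet-counting scheduler gives the small-frame queue about 4% of the bytes, while the byte-counting scheduler gives both queues almost exactly half.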

The 802.1p tag carries the data priority. If the data entering the port has no 802.1p tag, the switch assigns a default 802.1p value to it.

3.4.1.6 Priority Mark

Priority mark re-assigns a set of service parameters to the particular traffic described by an ACL. The following operations can be implemented:

1. Change CoS queue of the data packet and change its 802.1p value.

2. Change CoS queue of the data packet without changing its 802.1p value.

3. Change the DSCP value of data packet.

4. Change the dropping priority of the data packet.

3.4.2 MPLS QoS

MPLS QoS is an important part of QoS service deployment since DiffServ has good deployment flexibility and scalability. In practical MPLS networking solutions, the DiffServ mechanism is usually used to implement QoS. ZXR10 8900E supports DiffServ-based MPLS QoS. Traditional IP QoS decides the service level based on IP priority or DSCP so as to realize differentiated service. MPLS QoS distinguishes data flows of different services based on the EXP value, implements priority mapping between MPLS EXP and IP & Ethernet, realizes differentiated service, and guarantees the quality of voice and video services.

MPLS QoS has four modes:

Uniform mode

Pipe mode

Short Pipe mode

Long Pipe mode (mainly used in carrier supporting carrier architecture)

ZXR10 8900E supports uniform, pipe and short pipe. At MPLS Ingress PE node, packets decide whether to map or duplicate IP priority or VLAN priority to MPLS EXP based on uniform, pipe or short pipe. In backbone network classified traffic gets EXP value remarked based on service protocol, gets traffic monitoring, shaping and scheduling. At Egress node of MPLS, priority for IP or Ethernet service packets are redeployed based on Uniform, Pipe or Short Pipe model. E2E QoS is provided based on DiffServ as shown in Figure 3-11. In addition, ZXR10 8900E imports H-QoS into MPLS VPN, realizes multi-level scheduling in VPN and improves comprehensive network operation capability.

Figure 3-11 end to end MPLS QoS

3.5 OAM

3.5.1 Ethernet OAM

With the rapid development of Ethernet in recent years, Ethernet networking is taking a larger proportion of network construction and Ethernet scale also keeps growing. Ethernet is used to replace ATM equipment in access, aggregation, and backbone networks. At the same time the IP bearer network is developing into a multiservice broadband network. Without carrier-class management, traditional Ethernet cannot detect, notify or isolate L2 network failures. A network management system using SNMP can only manage link and equipment state. It cannot detect the E2E connection performance and state of a user service. When there is a network failure, the failure cannot be located, or cannot be located quickly. Besides, with the wide application of network equipment, managers pay more attention to OAM of Ethernet equipment.

ZXR10 8900E series support three standards of Ethernet OAM at the moment:

IEEE 802.3ah (Operations, Administration, and Maintenance, OAM)

IEEE 802.1ag (Connectivity Fault Management, CFM)

The IEEE 802.3ah operation, management and maintenance standard is a formal IEEE standard. It provides “link” level management, monitoring and handling failures of P2P (or virtual P2P) Ethernet links. The protocol has great significance for connection management at the places where failures tend to occur, such as the last mile to the network user.

IEEE 802.1ag Connectivity Fault Management is a draft IEEE standard at present. It provides “service” level management. It provides the network with easy and quick fault discovery, detection and management. It provides effective detection, isolation and reporting of connectivity faults in the virtual bridged LAN.

8900E supports OAM that complies with the above standards. It provides Ethernet Connectivity Check (ETH-CC), Ethernet LoopBack (ETH-LB), and Ethernet Link Trace (ETH-LT). It supports Frame Loss Measurement (ETH-LM) and Frame Delay Measurement (ETH-DM). It supports Ethernet link OAM, link discovery, link state monitoring, remote defect indication, and remote loopback that conform to IEEE802.3ah.

3.6 Clock synchronization

As telecom bearer networks move to IP, Ethernet is required to provide a precision clock for the mobile wireless network. The mobile network has high requirements for high-precision synchronization. Its synchronization consists of frequency synchronization and time synchronization. ZXR10 8900E supports a Synchronous Ethernet and 1588v2 solution, which uses synchronous Ethernet technology for clock frequency synchronization, and IEEE 1588 fine phase control and time maintenance for clock time synchronization.

ZXR10 8900E can configure different clock source priorities. Clock sources are selected according to their priorities. The clock source with the highest priority takes effect first. If that clock fails, the clock source with the second highest priority takes effect, and so on. The restoration policy of the clock source is: if the clock with higher priority is restored, it can be configured whether to switch back to it.

3.6.1 Clock source

ZXR10 8900E supports 5 clock sources, and the main control decides which clock source information is distributed to the system.

Local clock: Local clock of system hardware, the most basic clock signal.

BITS: Supports 2MHz analog signal and 2Mbits digital clock signal.

GPS: Traditional mobile network clock source providing high-precision clock signal and 1PPS+TOD signal.

SyncE: Supports the Synchronous Ethernet interface, and recovers and extracts the clock from the physical layer.

1588v2: IEEE 1588v2 is a precision time synchronization protocol which transfers messages between active and standby equipment to precisely synchronize master/slave clock and time.

3.6.2 Synchronous Ethernet

Synchronous Ethernet (SyncE) technology recovers the clock from the Ethernet link code stream. It synchronizes frequency rather than phase, and requires all bearer network equipment to support Synchronous Ethernet features. ZXR10 8900E can extract the clock from an Ethernet link, or take a reference clock from an external synchronous interface (including BITS and GPS) as the system clock. The system selects the proper system clock source and export clock source according to synchronization status information or system alarm information. After the clock source is determined, the system uses the high-precision clock at the Ethernet interface to send data and transfer synchronization status information, synchronizing Ethernet physical-layer E2E data transmission and reception. The synchronization mode is shown in Figure 3-12.

Figure 3-12 SyncE synchronization

3.6.3 IEEE 1588 v2

IEEE 1588 v2 is a precision time synchronization protocol, called PTP for short. IEEE 1588 v2 uses master and slave clocks and transports time in encoded form. Timestamps are generated at the protocol layer adjacent to the physical layer. It relies on the symmetry of the network link and on delay measurement to synchronize the frequency, phase and absolute time of the master and slave clocks. The key to 1588 is delay measurement.

The IEEE 1588 v2 master/slave clock synchronization principle is shown in Figure 3-13: the slave clock synchronizes with the master clock through offset measurement, and then delay measurement is performed to obtain the inter-clock link delay and the time deviation, which are used to adjust the time output of the slave clock and synchronize the time between the master and slave clocks.

Figure 3-13 IEEE 1588 synchronization

ZXR10 8900E supports 1588 v2 protocol and the following working modes:

Ordinary clock: Only one port supports 1588v2 protocol. The clock works as grandmaster or slave.

Boundary clock: Several ports support 1588v2 protocol. The clock can connect several ordinary clocks or transparent clocks.

Transparent clock: The node does not run the 1588v2 protocol, but needs to modify the timestamp. When forwarding a time message, the node is required to fill in, at the modification location, the time at which it processes the message. Both E2E and P2P modes are included.
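The offset and delay measurement described above, worked through as an added example (not ZTE code): the IEEE 1588 delay request-response arithmetic on four timestamps, including the residence-time correction an E2E transparent clock contributes. All timestamp values, and the names `Exchange`, `simulate` and `offset_error`, are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass
class Exchange:
    """Timestamps (ns) from one Sync / Delay_Req exchange, as seen by the slave."""
    t1: int           # master sends Sync          (master clock)
    t2: int           # slave receives Sync        (slave clock)
    t3: int           # slave sends Delay_Req      (slave clock)
    t4: int           # master receives Delay_Req  (master clock)
    corr_ms: int = 0  # correction field, master -> slave (residence time)
    corr_sm: int = 0  # correction field, slave -> master


def mean_path_delay(x: Exchange) -> float:
    """Delay measurement: half the round trip, assuming both directions are equal."""
    return ((x.t2 - x.t1 - x.corr_ms) + (x.t4 - x.t3 - x.corr_sm)) / 2


def offset_from_master(x: Exchange) -> float:
    """Offset measurement: what the slave subtracts from its clock to match the master."""
    return (x.t2 - x.t1 - x.corr_ms) - mean_path_delay(x)


def simulate(true_offset, delay_ms, delay_sm, residence_ms=0, residence_sm=0,
             transparent_clock=True) -> Exchange:
    """Construct the timestamps a slave would record (all values are made up).

    true_offset        slave clock minus master clock
    delay_ms/delay_sm  wire delay master->slave and slave->master
    residence_*        time a frame waits inside an intermediate switch
    transparent_clock  True if that switch writes its residence time into
                       the correction field
    """
    t1 = 1_000_000
    t2 = t1 + delay_ms + residence_ms + true_offset
    t3 = t2 + 50_000
    t4 = (t3 - true_offset) + delay_sm + residence_sm
    return Exchange(t1, t2, t3, t4,
                    residence_ms if transparent_clock else 0,
                    residence_sm if transparent_clock else 0)


def offset_error(true_offset, **kw) -> float:
    """Estimated offset minus the true one; 0 means the slave ends up exactly aligned."""
    return offset_from_master(simulate(true_offset, **kw)) - true_offset


if __name__ == "__main__":
    cases = {
        "symmetric link": dict(delay_ms=800, delay_sm=800),
        "asymmetric link (1000 / 600 ns)": dict(delay_ms=1000, delay_sm=600),
        "queuing in switch, no transparent clock": dict(
            delay_ms=800, delay_sm=800, residence_ms=4000, transparent_clock=False),
        "queuing in switch, transparent clock": dict(
            delay_ms=800, delay_sm=800, residence_ms=4000, transparent_clock=True),
    }
    for name, kw in cases.items():
        print(f"{name:42s} offset error = {offset_error(1500, **kw):7.1f} ns")
```

The asymmetric and uncorrected-queuing cases show why the protocol depends on link symmetry: any difference between the two directions appears as half that difference in the slave's time.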

3.6.4 Clock protection

1. Port selection protection

ZXR10 8900E performs automatic protection switching of clock links based on the SSM protocol and the BMC optimal clock algorithm to transmit the clock reliably. It selects an algorithm according to the clock path to calculate the best synchronization path for clock and time information and to avoid clock loops. When a fault occurs in the network, the system performs protection switching of clock and time information according to the clock path algorithm, and provides synchronization locking, hold-over and free-run of clock and time information.

2. Active/standby Main Control Module protection

The active and standby main control modules of ZXR10 8900E always synchronize clock information. When one main control module receives BITS and GPS signals, it sends the signals to the other main control module. A line card receives the clock signal from the active and standby main control modules at the same time, but uses only the clock of the active main control module as the system reference clock. When the active main control module fails, the line card can switch to the clock of the standby main control module as the system reference clock.

3.7 Reliability protection

3.7.1 Equipment-level protection

3.7.1.1 Main control board protection

ZXR10 8900E adopts a carrier-class reliability design with two main control boards. Each main control board has a control module and a switching module. The two main control boards provide load balancing and redundant backup, with redundancy for both the switching module and the main control module. When the active module fails, services and data are switched from the active main control board to the standby main control board, so data forwarding and service operation continue without interruption.

3.7.1.2 Power supply module protection

To comply with the strict equipment reliability requirements of telecom carriers, ZXR10 8900E adopts a hot backup design for the power supply and employs 48V DC and 220V AC. DC adopts 1+1 mode, and AC adopts 1+1 or 2+1 backup depending on the rack, to improve the reliability of the power supply system. Furthermore, the 8900E power supply supports several intelligent protection mechanisms, and provides protection, detection and fault reporting based on parameters such as voltage, current and temperature.

3.7.1.3 System supervision protection

ZXR10 8900E meets carrier-class reliability requirements and provides a complete set of system supervision means to reduce user maintenance cost and improve equipment stability and reliability.

In terms of hardware, ZXR10 8900E can supervise information such as environment temperature, board temperature, fan status, power supply status and power supply power sampling (including PoE power supply). In terms of software, it can collect status information such as environment temperature, board temperature, fan status, power supply status and power supply power sampling (including PoE power supply). When something goes wrong or an alarm threshold is exceeded, the system reports the corresponding alarm and fault, automatically saves them, and sends them to the related server regularly.

3.7.2 Network detection mechanism

While network equipment is running, link faults, equipment single points of failure and equipment connectivity faults may occur. To find network faults in time and start effective protection measures, ZXR10 8900E offers a series of network detection mechanisms. In addition to the detection technologies introduced below, ZXR10 8900E also supports detection and fault-location tools such as UDLD, IP Ping, IP Trace, multicast Trace route, LSP Ping and LSP Trace route.

3.7.2.1 BFD

BFD (Bidirectional Forwarding Detection) is a path connectivity detection protocol. BFD aims to detect faults between adjacent forwarding systems quickly and with low overhead. A BFD packet is a message encapsulated in UDP, and can be carried over any suitable media or network protocol. BFD can run at several system layers.

BFD can detect a fault on any path between systems. The path may be a direct physical link, a virtual circuit, a tunnel, an MPLS path, or an indirect path. Because BFD fault detection is simple, BFD can detect forwarding faults quickly.

The BFD state machine uses a three-way handshake. BFD is a simple service: only the destination address and other parameters are needed to create, delete and modify a BFD session. When a BFD session goes up or down, a signal is returned to the system for proper processing.

BFD is a simple Hello protocol, similar in many respects to the neighbor detection of well-known routing protocols. A pair of systems periodically send detection messages on the path of the session between them. If one system receives no detection message from the other for long enough, it considers that a fault has occurred on some part of the bidirectional path to the adjacent system. Under certain conditions, the transmit and receive rates between the systems need to be negotiated to reduce the load.

After bidirectional communication between two systems is established, only one path is running (a unidirectional link is also possible). An independent BFD session may be created for each communication path or data protocol between two systems. Each system can evaluate how often it transmits and receives BFD packets so that the two systems stay consistent in fault detection duration. The parameters can be modified to suit different environments.

The BFD protocol describes a bidirectional detection mechanism with two modes, asynchronous mode and query mode. An auxiliary echo function can work with these modes. The difference between asynchronous mode and query mode lies in where detection takes place. In asynchronous mode, one system periodically sends BFD control messages, and the other system remotely detects them. In query mode, the system both transmits and detects the BFD control message.

Asynchronous mode: The two systems periodically send BFD control messages to each other. If one system receives no BFD control message from the other within the detection time, the session is declared down.

Query mode: Each system is assumed to have an independent way of confirming that it is connected to the other systems. Once a BFD session is created, a system stops sending BFD control messages unless it needs to verify connectivity explicitly. In that case, the system sends a short BFD control message. If no reply is received within the detection time, the session is declared down. If a reply is received, the protocol goes silent again.

Echo function: One system sends a series of BFD echo messages, and the other system loops them back via its forwarding path. If several consecutive echo messages are not received, the session is declared down. The echo function can work with both of the above detection modes.

ZXR10 8900E supports BFD for static routes, OSPF dynamic routes and VRRP to achieve fast convergence. It combines BFD and FRR technologies to provide a fast fault detection mechanism and implement fast rerouting.
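The three-way handshake and the asynchronous-mode detection time described in this section, as an added example written against RFC 5880 (not ZTE code): it encodes and validates the mandatory 24-byte control packet, runs the session state machine on two ends, and derives the detection time from the negotiated intervals. The discriminators and timer values are constructed, and the names `Session`, `build`, `parse` and `handshake` are chosen for this illustration.

```python
import struct
from enum import IntEnum

class State(IntEnum):            # values of the 2-bit "Sta" field (RFC 5880)
    ADMIN_DOWN = 0
    DOWN = 1
    INIT = 2
    UP = 3

FMT = "!BBBBIIIII"               # mandatory section of a BFD control packet
MIN_LEN = struct.calcsize(FMT)   # 24 bytes

# (local state, state in received packet) -> new local state; otherwise unchanged
TRANSITIONS = {
    (State.DOWN, State.DOWN): State.INIT,
    (State.DOWN, State.INIT): State.UP,
    (State.INIT, State.INIT): State.UP,
    (State.INIT, State.UP): State.UP,
    (State.UP, State.DOWN): State.DOWN,
    (State.INIT, State.ADMIN_DOWN): State.DOWN,
    (State.UP, State.ADMIN_DOWN): State.DOWN,
}

def build(state, my_disc, your_disc, mult=3, tx_us=50_000, rx_us=50_000):
    """Encode a version-1 control packet with no flags and no authentication."""
    return struct.pack(FMT, 1 << 5, state << 6, mult, MIN_LEN,
                       my_disc, your_disc, tx_us, rx_us, 0)

def parse(data):
    """Decode a control packet, applying the RFC 5880 section 6.8.6 reception checks."""
    if len(data) < MIN_LEN:
        raise ValueError("truncated packet")
    b0, b1, mult, length, my_disc, your_disc, tx_us, rx_us, _ = struct.unpack(
        FMT, data[:MIN_LEN])
    state = State(b1 >> 6)
    if b0 >> 5 != 1:
        raise ValueError("unsupported version")
    if length < (26 if b1 & 0x04 else MIN_LEN) or length > len(data):
        raise ValueError("bad length field")
    if mult == 0:
        raise ValueError("detect multiplier is zero")
    if b1 & 0x01:
        raise ValueError("multipoint bit set")
    if my_disc == 0:
        raise ValueError("sender discriminator is zero")
    if your_disc == 0 and state not in (State.DOWN, State.ADMIN_DOWN):
        raise ValueError("no session discriminator in a non-Down packet")
    return {"state": state, "mult": mult, "my_disc": my_disc,
            "your_disc": your_disc, "tx_us": tx_us, "rx_us": rx_us}

def is_valid(data):
    try:
        parse(data)
        return True
    except ValueError:
        return False

class Session:
    """One end of a BFD session in asynchronous mode (timers in microseconds)."""

    def __init__(self, my_disc, rx_us=50_000, tx_us=50_000, mult=3):
        self.my_disc, self.rx_us, self.tx_us, self.mult = my_disc, rx_us, tx_us, mult
        self.state = State.DOWN
        self.remote_disc = 0
        self.detect_us = None     # detection time, known after the first packet
        self.last_rx_us = None

    def packet(self):
        return build(self.state, self.my_disc, self.remote_disc, self.mult, self.tx_us, self.rx_us)

    def receive(self, data, now_us):
        p = parse(data)
        if p["your_disc"] not in (0, self.my_disc):
            raise ValueError("packet belongs to another session")
        if self.state == State.ADMIN_DOWN:
            return self.state
        self.remote_disc, self.last_rx_us = p["my_disc"], now_us
        # Detection time = remote Detect Mult x the slower of what the peer
        # wants to send and what this end is willing to receive.
        self.detect_us = p["mult"] * max(self.rx_us, p["tx_us"])
        self.state = TRANSITIONS.get((self.state, p["state"]), self.state)
        return self.state

    def tick(self, now_us):
        """Declare the session down once the detection time passes with no packet."""
        if self.state in (State.INIT, State.UP) and now_us - self.last_rx_us > self.detect_us:
            self.state = State.DOWN
        return self.state

def handshake():
    """Three packets take both ends from Down to Up (constructed example values)."""
    a, b = Session(my_disc=0x11), Session(my_disc=0x22, rx_us=100_000)
    trace = [b.receive(a.packet(), 0).name,        # A sends Down -> B: Down to Init
             a.receive(b.packet(), 10_000).name,   # B sends Init -> A: Down to Up
             b.receive(a.packet(), 20_000).name]   # A sends Up   -> B: Init to Up
    return a, b, trace
```

What this page calls query mode is named Demand mode in RFC 5880; the example covers asynchronous mode only.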

3.7.2.2 OAM detection

OAM offers a wide variety of means for discovering network faults. It consists of Ethernet OAM and MPLS OAM. Ethernet OAM detects and discovers Ethernet link faults, and MPLS OAM provides defect detection tools and a protection switching mechanism for MPLS networks. For details, refer to Section 3.5. OAM message detection serves to detect link status, node status and tunnel connectivity. It can detect a fault and trigger protection switching at the same time.

3.7.2.3 SQA

SQA (Service Quality Analyzer) sends test messages to analyze network performance, network services and QoS, and provides the user with network performance and QoS parameters, e.g., delay jitter, TCP connection delay, FTP connection delay and file transport rate. SQA helps the user understand the current network status and detect and locate faults, making network management more proactive and controllable.

ZXR10 8900E supports many kinds of detection, including ICMP-echo, DHCP, DNS, FTP, HTTP, UDP-jitter, SNMP, TCP, UDP-echo, Voice and DLSw, and associates the detection result with the VRRP function, as shown in Figure 3-14.

Figure 3-14 SQA association

3.7.3 VSC

A VSC (Virtual Switch Cluster) system virtualizes multiple independent devices into one device, and members can be added or deleted dynamically. The VSC members, linked by VSC ports, select one main device through a selection mechanism, and the others work as forwarding devices. The effect is that of one device expanded to support more interface cards, more interfaces and more services, providing equipment-level redundancy backup and improving the reliability of the equipment and the network.

VSC makes for a simple network without complicated and slow STP or VRRP. Multiple devices need only one configuration, which makes the network more reliable, supports multi-chassis link aggregation, implements protocol-level and equipment-level cross-chassis hot standby, and makes the network more effective. Multiple devices forming a VSC system effectively increase system capacity, implement load balancing, and fully utilize network bandwidth.

Figure 3-15 VSC system logic connection diagram

3.7.4 Ethernet intelligent protection

ZXR10 8900E supports ZESR (ZTE Ethernet Switch Ring), ZESS (ZTE Ethernet Smart Switch) and ZESR+, and provides ring protection and dual-uplink protection mechanisms.

3.7.4.1 ZESR

ZESR (ZTE Ethernet Smart Ring) is an Ethernet ring technology that allows the network administrator to create an Ethernet ring, similar to a fiber distributed data interface (FDDI) or SONET/SDH ring. It can recover from any link or node fault within 50ms.

ZESR maintains the protocol through three mechanisms: break alarm, ring monitoring and ring restoration.

1. Break alarm: When a standby equipment in the ZESR ring detects a cable fault on its active or standby port connected to the ring, it immediately sends a break alarm frame from its other port to the active equipment. When the active equipment receives the alarm frame and learns that the ring has failed, it unblocks its standby port, refreshes its L2 forwarding table (L2 table), and sends a notification frame telling the other ring equipment to refresh their L2 tables, as shown in Figure 3-16.

Figure 3-16 ZESR break alarm

2. Ring monitoring: In normal operation, the active equipment periodically sends a diagnosis frame via its active port. If the ring is working normally, the standby port of the active equipment periodically receives the diagnosis frame, resets its timeout timer and carries on. If the timer expires without the standby port receiving a diagnosis frame, the active equipment considers that the ring has failed and unblocks the standby port to assure ring connectivity. Meanwhile, the active equipment refreshes its L2 table and sends a notification frame telling the other ring equipment to refresh their L2 tables. The ring monitoring mechanism is the backup for the break alarm mechanism: if a break alarm frame is lost for an unknown reason, ring monitoring provides reliable backup support.

3. Ring restoration: When a ring link is broken, the active equipment still periodically sends the diagnosis frame via its active port, but the standby port cannot receive it. After the ring is restored, the next diagnosis frame is received by the standby port of the active equipment. On receiving the diagnosis frame, the active equipment knows the ring is restored; it then sets the standby port to blocked, refreshes its L2 table and sends a notification frame telling the other ring equipment to refresh their L2 tables. When a standby equipment detects that its connection is restored, the active equipment does not receive a diagnosis frame immediately, because the diagnosis frame is sent periodically (so the standby port is still unblocked). If nothing is done at this point, the standby port of the active equipment remains unblocked for some time, which results in a temporary loop and a broadcast storm. To avoid this, the standby equipment temporarily blocks the port when the port connection is restored. When the standby equipment receives the notification frame from the active equipment to refresh the L2 table, it knows that the active equipment has blocked its standby port; the standby equipment then refreshes its L2 table and unblocks the restored port. The ring has now returned to normal status.
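The three ZESR mechanisms above, modelled as an added example built only from this page's description (it is not ZTE's implementation): it tracks which ring ports block data and checks after every event whether a loop exists and whether every node is still reachable. The class and method names are hypothetical, and the model assumes that control frames pass a blocked port and that only one link fails at a time.

```python
class Ring:
    """n nodes in a ring; node 0 is the active equipment.

    Link i joins node i and node (i + 1) % n. The active equipment's active
    port is on link 0 and its standby port on link n - 1.
    """

    def __init__(self, n, block_on_restore=True):
        self.n = n
        self.link_up = [True] * n
        self.standby_blocked = True    # normal state: standby port is blocked
        self.temp_blocked = set()      # links whose restored port is held blocked
        self.block_on_restore = block_on_restore
        self.l2_flushes = 0
        self.history = []              # (event, loop present, all nodes reachable)
        self._record("start")

    def _cuts(self):
        """Links that carry no data: physically down or blocked at one end."""
        cuts = {i for i, up in enumerate(self.link_up) if not up} | self.temp_blocked
        if self.standby_blocked:
            cuts.add(self.n - 1)
        return cuts

    def has_loop(self):
        return not self._cuts()        # nothing interrupts the ring: frames circulate

    def connected(self):
        return len(self._cuts()) <= 1  # one cut leaves a chain reaching every node

    def _record(self, event):
        self.history.append((event, self.has_loop(), self.connected()))

    def _notify(self):
        """Active equipment refreshes its L2 table and sends the notification frame."""
        self.l2_flushes += 1
        self.temp_blocked.clear()      # standby equipment unblocks restored ports

    def link_break(self, i, alarm_lost=False):
        self.link_up[i] = False
        if not alarm_lost:             # break alarm frame reaches the active equipment
            self.standby_blocked = False
            self._notify()
        self._record(f"break link {i}")

    def link_restore(self, i):
        self.link_up[i] = True
        if self.block_on_restore:      # standby equipment holds the restored port blocked
            self.temp_blocked.add(i)
        self._record(f"restore link {i}")

    def diagnosis_cycle(self):
        """One diagnosis period: frame sent from the active port, timer checked."""
        received = all(self.link_up)   # assumption: control frames pass blocked ports
        if received and not self.standby_blocked:      # ring restoration
            self.standby_blocked = True
            self._notify()
        elif not received and self.standby_blocked:    # ring monitoring timeout
            self.standby_blocked = False
            self._notify()
        self._record("diagnosis cycle")


def scenario(block_on_restore=True, alarm_lost=False):
    """Break link 2 of a five-node ring, then repair it."""
    ring = Ring(5, block_on_restore)
    ring.link_break(2, alarm_lost)
    ring.diagnosis_cycle()
    ring.link_restore(2)
    ring.diagnosis_cycle()
    return ring


if __name__ == "__main__":
    for kwargs in ({}, {"block_on_restore": False}, {"alarm_lost": True}):
        print(kwargs or "default")
        for event, loop, reachable in scenario(**kwargs).history:
            print(f"  {event:16s} loop={loop!s:5s} reachable={reachable}")
```

With `block_on_restore=False` the history shows a loop between the link repair and the next diagnosis cycle, which is the window the temporary block closes; with `alarm_lost=True` reachability returns only once the diagnosis timer expires.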

3.7.4.2 ZESS

ZESS (ZTE Ethernet Smart Switching) technology provides fast switching protection and load balancing between L2 Ethernet links, and the active and standby links are switched within 50ms. Its working principle is shown in Figure 3-17: the node supports ZESS; port 1 is the active port and port 2 is the standby port. When the node detects that both the active and standby ports are UP, it blocks the protection service VLAN forwarding function of the standby port. When the node detects that the active port is DOWN, it blocks the protection service VLAN forwarding function of the active port and unblocks that of the standby port. When the node detects that the active port has returned to UP, its behavior depends on the mode, inverse or non-inverse. In inverse mode, it unblocks the active port and blocks the standby port again. In non-inverse mode, the active port remains blocked and the standby port remains unblocked. In addition, a ZESS switchover requires the FDB of the blocked port to be updated.

Figure 3-17 ZESS protection mechanism

3.7.4.3 Intelligent dual-homed ZESR+

When the metro core network uplinks to the backbone network, one switch has two uplink ports connecting to two BRAS or SR devices, and ZESS provides dual-uplink protection. Although this connection protects the uplink and the SR or BRAS, there is still a single-point-of-failure risk on the uplink to the BRAS or SR. For security in actual networking, the 2 uplink ports connected to the same SR or BRAS are located on 2 switches, and the downlink still uses the ZESR ring. The two uplink switches run ZESS and maintain a heartbeat hello between them. When port 4 fails, the traffic switches to port 5; when port 5 fails, the traffic goes to the right switch. The lower-layer links thus provide ring protection, traffic load balancing and backup. The working principle is shown in Figure 3-18.

Figure 3-18 ZESR+ working principle

3.7.5 L3 route protection

3.7.5.1 Enhanced VRRP

With traditional VRRP, when a router link fails or the router powers off, the backup router takes 3 seconds to switch over, which cannot meet user demands when the IP network carries voice service. Enhanced VRRP introduces the fast BFD mechanism in place of the VRRP heartbeat message. It speeds up detection between VRRP entities and uses single-hop or multi-hop BFD to check whether the real-address communication between the slave and master routers is normal. If not, the slave considers the master unavailable and upgrades itself to master, achieving fast switching.

VRRP and BFD are bound through BFD sessions between router and host, which means that the master and slave routers are each bound to a different BFD session (these sessions are not established between the master and slave routers). If BFD communication between the master router and the host becomes abnormal, VRRP downgrades the master to slave and upgrades the slave to master, restoring communication between the protection router and the host and achieving fast switching between the master and slave routers.

Furthermore, ZXR10 8900E supports VRRP group management. Multiple VRRPs form a VRRP management group, and each member keeps its status consistent with the group. When the VRRP management group creates a BFD session that triggers a status switch of the management group, all members switch status as well. VRRP group management reduces inter-equipment BFD message traffic, which simplifies VRRP management and lowers the load on the network and equipment.

3.7.5.2 Route Load balance

Load balancing lets the equipment forward traffic over several active links to make full use of their bandwidth. Load balancing does not mean that the traffic on one link is equal to the traffic on another.

By configuring static routes, routing protocols and the route number, ZXR10 8900E with route-based load balancing installs several reachable routes to one destination address in the forwarding table, which provides the basis for load balancing.

The routing technologies for load balancing are ECMP (Equal-cost multi-path routing) and WCMP (Weight-cost multi-path routing). ECMP works as follows: when several paths in the network reach one destination address, data is transmitted over several links. ECMP makes full use of the bandwidth of idle links and backs up data transport for failed links. WCMP improves on ECMP. Because links differ in bandwidth, spreading data evenly across them cannot make full use of a link with larger bandwidth. WCMP therefore adjusts the route weights according to a policy, making ECMP more flexible and practical.

ZXR10 8900E supports the per-destination load balancing policy, which considers both the source address and the destination address of a packet, so that packets with the same “source address - destination address” pair take the same path (even if several paths are available), and packets with different “source address - destination address” pairs take different paths. The policy ensures that packets with the same “source address - destination address” pair arrive in sequence.
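A sketch of the per-pair path selection described above, as an added example (not ZTE code): each source-destination pair is hashed onto a weighted list of next hops, so flows split by weight while byte load can still be uneven. CRC32 stands in for the switch's hash, which this page does not describe; the link names, addresses (documentation ranges) and traffic sizes are constructed.

```python
import ipaddress
import zlib
from collections import Counter


def pick_path(src, dst, paths):
    """Choose a next hop for one source-destination pair.

    paths is a list of (name, weight): equal weights give ECMP, unequal
    weights give WCMP, weight 0 takes a failed link out of service.
    """
    buckets = [name for name, weight in paths for _ in range(weight)]
    if not buckets:
        raise ValueError("no usable path")
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    # Same pair -> same key -> same bucket, so a flow never changes path
    # while the path list is unchanged and its packets stay in order.
    return buckets[zlib.crc32(key) % len(buckets)]


def flows_per_path(flows, paths):
    return Counter(pick_path(src, dst, paths) for src, dst, _ in flows)


def bytes_per_path(flows, paths):
    load = Counter()
    for src, dst, size in flows:
        load[pick_path(src, dst, paths)] += size
    return load


# Constructed traffic: one client and 256 servers, 1 kB per flow,
# except for a single 5 MB bulk transfer.
FLOWS = [("192.0.2.10", str(ip), 1_000)
         for ip in ipaddress.ip_network("198.51.100.0/24")]
FLOWS[7] = (FLOWS[7][0], FLOWS[7][1], 5_000_000)

ECMP = [("link-A", 1), ("link-B", 1)]
WCMP = [("link-A", 3), ("link-B", 1)]      # link-A has three times the bandwidth
FAILED_A = [("link-A", 0), ("link-B", 1)]  # link-A is down


if __name__ == "__main__":
    for label, paths in (("ECMP", ECMP), ("WCMP", WCMP), ("link-A failed", FAILED_A)):
        print(label, dict(flows_per_path(FLOWS, paths)), dict(bytes_per_path(FLOWS, paths)))
```

Under ECMP the flow counts are equal, yet the link that happens to carry the bulk transfer moves almost all of the bytes, which is the sense in which load balancing does not mean equal traffic on each link.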

3.7.5.3 GR (Graceful Restart)

GR (Graceful Restart) relies on neighbor equipment so that control plane sessions are not reset when the control plane fails or switches over. GR keeps forwarding services running without interruption during a routing protocol restart, and at the same time allows routes to be recovered quickly. Each routing protocol has its own GR extension.

When a routing protocol restarts, it notifies its neighbors to wait for a specific period of time, during which they maintain the neighbor relationship and keep routing stable. When the routing protocol restart is complete, the neighbor equipment helps it synchronize routing information and set up the session again. All routing information can be recovered within a short period of time. With GR, protocol restart, routing and forwarding remain comparatively stable, achieving non-stop packet forwarding.

ZXR10 8900E series supports GR for the relevant routing protocols, OSPF/ISIS/BGP/RIP, which avoids network oscillation and improves network stability and reliability.

3.7.6 VPN Protection

3.7.6.1 PW Protection

PW (Pseudo Wire) protection is one of the linear protection mechanisms in MPLS L2VPN, used to solve end-to-end service convergence in the CE dual-homing model. PW protection detects PW-layer failures through OAM and BFD mechanisms and implements failure notification and fast traffic switching. Since a PW can be set up between two PEs either directly or as a multi-hop PW, a PW redundancy-based protection mechanism should support both single-hop PW redundancy and multi-segment PW redundancy.

Single-hop PW redundancy sets up multiple PWs between PEs. ZXR10 8900E series switch supports 1:1 redundancy backup, which enables fast switching between active and standby PWs, as shown in Figure 3-19.

Figure 3-19 PW single-hop redundancy protection

Multi-hop PW redundancy introduces an S-PE between the PEs. The S-PE connects the PWs on its two sides: PE1 and PE2 each set up a connection with the S-PE, so the PW between PE1 and PE2 is composed of multiple PW segments. ZXR10 8900E series switch supports 1:1 multi-segment PW redundancy backup. When PW1 fails, traffic can be quickly switched to PW3, achieving fast switching between active and standby PWs, as shown in Figure 3-20.

Figure 3-20 PW multi-hop redundancy protection

3.7.6.2 MPLS VPN Dual-homing Protection

1. CE Dual-homing to PE

In an MPLS network, to provide network reliability and solve the service interruption caused by route re-convergence after a single PE failure, the CE dual-homing to PE solution is introduced. The CE is connected to two PEs at the same time, one active and the other standby. When the CE detects, by LACP, STP, ZESS or port shutdown, that the active PE or active link has failed, it automatically switches to the standby PE and standby link. When the failure recovers, the original active PE either resumes the active role or automatically becomes the standby PE, depending on the configured strategy, as shown in Figure 3-21.

Figure 3-21 CE dual-homing to PE

L3VPN uses FRR to install active and standby forwarding entries at the remote PE, pointing to active PE1 and standby PE2. The PE detects failures quickly through BFD and MPLS OAM. When PE4 detects a PE1 failure, it forwards traffic to PE2, and service traffic between CE1 and CE2 is switched to the PE2-PE4 link.

In L2VPN, PE4 keeps forwarding entries for both PE1 and PE2 at the same time. That is, the active MAC egress for CE1 is PE1 and the standby egress is PE2. The PE4 forwarding entry sets the forwarding prefix, the inner-layer label and the selected outer-layer LSP tunnel. When PE1 fails (for example, BFD and MPLS OAM detect that the tunnel is unavailable), PE4 forwards traffic to PE2. When the CE1-PE1 link fails, PE1 notifies PE4 to refresh the MAC address, change the egress and switch the traffic to the PE2-PE4 link.

2. UPE Dual-homing to NPE

An H-VPLS network also has single points of failure. Dual-homing the UPE to NPEs improves network reliability and avoids link and NPE single points of failure. When a link failure is detected, for example by BFD detection or port shutdown, traffic is switched to the standby link. When the failure recovers, the original active NPE either resumes the active role or automatically becomes the standby NPE, depending on the configured strategy, as shown in Figure 3-22.

In H-VPLS with U-PW access, an LDP session runs between the UPE and the NPE, and the LDP session state determines whether the active PW has failed. In H-VPLS with QinQ access, STP can run between the UPE and the NPEs connected to it to ensure that the other link is activated when one link fails.

Figure 3-22 UPE dual-homing to NPE

3.7.7 FRR Protection

3.7.7.1 IP FRR

IP FRR (IP Fast ReRoute) can achieve 50ms switching, which minimizes data loss in case of failure. IP FRR calculates the standby route in advance. When the active route fails, no new route calculation is needed; the standby route is used to switch traffic to the standby link. When the active link recovers and becomes stable, traffic is switched back to the active route, as shown in Figure 3-23.

Figure 3-23 Route switching diagram

ZXR10 8900E supports FRR for static routing, OSPF, IS-IS and RIP, which makes it easy to switch unidirectional traffic and meet the switching time requirement.

3.7.7.2 LDP FRR

LDP FRR is an MPLS-related reliability technology. Using the LDP label distribution protocol, it distributes active and standby labels for routes. By saving the standby label, it responds quickly to route changes, switches to the standby label, and provides 50ms switching protection in case of network failure. A standby label is equivalent to a standby LSP. When a link or node on the protected LSP fails, the label can be quickly switched to the standby link, as shown in Figure 3-24. R2 designates port e2/2 as the backup for port e2/1, so the LSP has two next hops: one on the active link specified by the routing protocol, and one standby. When port 2/1 is detected to have failed, the label is quickly switched to e2/2. When the route recovers, the label is switched back to port e2/1.

Figure 3-24 Label switching diagram

LDP FRR is only a temporary protection measure. When the protected link recovers, traffic is switched back to the original LSP. LDP FRR does not rely on complicated MPLS TE, and standby LSPs do not need to be set up separately for each link, node or route. It is easy to implement as MPLS spreads.

3.7.7.3 MPLS TE FRR

MPLS TE FRR is a set of link protection and node protection mechanisms in MPLS TE. When an LSP link or node fails, protection is carried out at the node where the failure occurs. Traffic is allowed to pass through the tunnel protecting the link or node, so data transmission is not interrupted. At the same time, the head node can go on to re-establish the active route without affecting data transmission.

MPLS TE FRR uses an LSP set up in advance to protect one or more LSPs. The LSP set up in advance is called the FRR LSP. The protected LSP is called the active LSP. The ultimate objective of MPLS TE FRR is to use the FRR route to detour around the failed link or node and so protect the active route, as shown in Figure 3-25.

Figure 3-25 TE FRR local link and node protection

Creating the FRR LSP and the active LSP involves all components of the MPLS TE system.

MPLS TE FRR complies with RFC 4090 and is based on the RSVP TE implementation.

There are two ways to realize FRR:

One-to-one Backup: one to one backup protection. One active LSP sets up a standby protection LSP, which is called Detour LSP.

Facility Backup: one-to-many backup protection. Multiple active LSPs set up one standby protection LSP, which is called a Bypass Tunnel.

Facility Backup is usually adopted in MPLS TE FRR deployment. The active LSP is created in the same way as a common LSP. RSVP sends PATH messages from the head node downstream hop by hop, and sends RESV messages from the tail node upstream hop by hop. It distributes labels, reserves resources and sets up the LSP when it processes RESV messages. A Bypass Tunnel can be set up in two ways: manually or automatically. When the active LSP has no FRR feature, a Bypass Tunnel can be manually configured to protect the physical interface of the tunnel. Its configuration is similar to that of a common LSP, except that FRR cannot be configured. That is to say, a Bypass Tunnel cannot work as an active LSP at the same time, nor can an LSP be protected by embedding. An automatic Bypass Tunnel is a simplification of the manual configuration. When an active LSP needs FRR protection, a Bypass Tunnel is set up automatically to protect it. A single automatic Bypass Tunnel can protect multiple active LSPs. A Bypass Tunnel is usually idle and carries no data services. If the Bypass Tunnel is required to carry common data forwarding at the same time as it protects active LSPs, enough bandwidth should be configured. When a link or node fails and the interface is configured with FRR protection, data is automatically switched to the protection link. When the failure recovers, the normal forwarding path is automatically re-created.

In an MPLS TE network, MPLS TE FRR is usually deployed, which is determined by the features of MPLS TE. In a pure IP network, when a partial failure occurs and other routes to the same destination are available, packets are forwarded along those routes. Before the route change caused by the failure spreads to the whole network, only this mechanism can quickly protect against the partial failure. In an MPLS network with no TE deployed, LDP setting up LSPs in DU mode is widely applied. When a partial failure occurs and other routes are available, LDP initiates LSP creation toward upstream nodes. Because TE-related needs such as bandwidth, priority and link attributes are not considered, the probability of successfully creating the LSP is comparatively high, so the process from failure to recovery is short. In an MPLS TE network, LSPs are usually established in DoD mode through RSVP. On the head end, the CSPF algorithm calculates a path that satisfies the constraints based on the routing information of the area, and RSVP establishes an LSP along that path. When an element along the LSP fails, a new LSP needs to be established. However, CSPF cannot calculate the path before the head end knows about the route change. In addition, a partial failure may make it necessary to reestablish multiple LSPs. During LSP reestablishment, problems such as insufficient bandwidth may intervene. Therefore, compared with a pure IP network and an MPLS network with no TE configured, an MPLS TE network needs more time to recover from a partial failure. For this reason, a standby LSP is set up in advance in the MPLS TE network, so that FRR can be initiated and traffic switched quickly when part of the network fails.

3.7.7.4 L3VPN FRR

L3VPN FRR addresses CE dual-homing, the network model in which the end-to-end service convergence problem is most common. It can keep end-to-end service convergence within 1 s when a PE node fails. MPLS TE FRR can only handle link or node failures between PEs; when a PE itself fails, recovery has to rely on VPN route convergence, so end-to-end fast convergence cannot be achieved. The CE dual-homing model is shown in Figure 3-26:

Figure 3-26 CE dual-homing model

Suppose the path from CE-B to CE-A is: CE-B → PE-E → P-C → PE-A → CE-A. When node PE-A fails, the path converges to: CE-B → PE-E → P-D → PE-B → CE-A. In a standard MPLS L3 VPN, PE-A and PE-B both advertise the route to CE-A to PE-E and distribute private network labels. In the traditional technology, PE-E selects one VPNv4 route sent by its MBGP neighbors based on a certain policy. In this instance, the selected route is the one distributed by PE-A. Only the route information distributed by PE-A (including the forwarding prefix, inner layer label and selected outer layer LSP tunnel) is filled into the forwarding entry that the forwarding engine uses to direct forwarding.

When node PE-A fails and PE-E perceives the failure (the BGP neighbor is DOWN or the outer layer LSP tunnel is unavailable), PE-E re-selects the route distributed by PE-B, re-distributes the forwarding entry, and completes end-to-end service convergence. Until PE-E has re-distributed the forwarding entry for the route distributed by PE-B, the forwarding entry in the forwarding engine still points to an outer layer LSP tunnel whose destination is PE-A, and PE-A has failed. During this period CE-B cannot reach CE-A, and end-to-end services are interrupted. In the traditional technology, end-to-end service convergence time covers: 1) PE-E perceives the PE-A failure. 2) PE-E re-selects the VPNv4 route distributed by PE-B. 3) PE-E distributes the new forwarding entry to the forwarding engine. Obviously, the time taken by step 2 and step 3 depends on the scale of the VPNv4 routes.

The ZXR10 8900E switch can download the route information distributed by PE-B to the forwarding engine in advance as the second choice. It uses BFD to check the link between PE-E and PE-A. On discovering a failure, PE-E quickly switches the route to the link between PE-E and PE-B. Packets will be switched to CE-B via PE-B to recover services between CE-B and CE-A and realize fast switching.

3.8 Security and Authentication

3.8.1 ACL

In order to filter data, the network needs a large number of matching rules. Once specific objects have been identified, the corresponding packets are allowed or forbidden to pass according to the preset rules. ACL (Access Control List) is used to realize these services.

ACLs can be used for message filtering, policy routing and special traffic control. One ACL can contain one or more rules for one particular type of packet. These rules tell the switch whether the selected packets are allowed or forbidden to pass.

The rules defined by an ACL can also be used in other scenarios, e.g. traffic classification in QoS.

The ZXR10 8900E series switch provides the following 4 types of ACL. It also supports two types of IPv6 ACL.

Basic ACL: match source IP address only.

Extended ACL: Match source IP address, destination IP address, IP protocol type, TCP source port number, TCP destination port number, UDP source port number, UDP destination port number, ICMP type, ICMP Code, DSCP (DiffServ Code Point), ToS and Precedence.

L2 ACL: match source MAC address, destination MAC address, source VLAN ID, L2 Ethernet protocol type and 802.1p precedence.

Hybrid IP address: match source MAC address, destination MAC address, source VLAN ID, source IP address, destination IP address, TCP source port number, TCP destination port number, UDP source port number and UDP destination port number. Its match fields combine those of the three types mentioned above.

Basic IPv6 ACL: only match IPv6 source IP address.

Extended IPv6 ACL: match IPv6 source and destination addresses.

3.8.2 Device Authentication

3.8.2.1 AAA Authentication

ZXR10 8900E supports a complete AAA (Authentication, Authorization and Accounting) mechanism. It can be used, together with the hierarchical protection mechanism of the command line, for authentication and authorization of login users, and it can also verify a user's validity in network management. Based on the AAA mechanism, ZXR10 8900E can effectively prevent illegal users from logging in to the system.

For different user access authentication policies, the device provides complete AAA service. As per different access authentication requirements, user can configure different access authentication policies to arrange different authentication and authorization services.

AAA supports three types of user authentication:

Local account authentication

RADIUS (Remote Authentication Dial-In User Service) authentication

TACACS+ (Terminal Access Controller Access Control System) authentication

AAA supports four types of authorization mode:

Direct authorization: for highly trusted users, authorization is granted directly without requiring an account.

Local account authorization: give authority as per user’s local account.

TACACS+ authorization: TACACS+ consists of authentication and authorization. TACACS+ server gives user authorities.

Authorization when RADIUS authentication is successful: RADIUS authentication and authorization cannot be separated.

3.8.2.2 SSH

SSH (Secure Shell) was drawn up by an IETF network working group. It is a security protocol built on the application layer and transport layer. SSH is currently a reliable security protocol designed specifically for remote login sessions and other network services. Using the SSH protocol effectively prevents information leakage, and encrypting transported data with SSH can prevent man-in-the-middle attacks.

SSH supports the following two sorts of authentication:

The first is password-based security authentication. After entering the correct account and password, the user can access the remote host. All transported data is encrypted, so this mode ensures reliable data transmission. However, the client may be connected to a fraudulent server, in which case the data is transferred to an illegitimate server.

The other is key-based security authentication. The user must create a key pair and save the public key on the target server. The client software uses its own key to ask the server for security authentication. When the server receives the request, it looks for the public key in this user's home directory on the server. After comparing the stored public key with the public key sent by the client and confirming that the two are the same, the server encrypts a challenge and sends it to the client software. After receiving the challenge, the client decrypts it with its private key and sends it to the server.

ZXR10 8900E supports security authentication of SSHv2 protocol.

3.8.2.3 Command Line Hierarchical Protection

Currently, the ZXR10 8900E series switch implements command levels (16 levels in total), and different authority levels are used for different access users. A lower level can use fewer commands; a higher level can use more commands. The administrator (highest level) can assign different authority levels to different commands, so that a self-defined command authority configuration can be implemented.

In order to realize hierarchical authority, two parts of authority level should be maintained:

Command node authority level maintenance: when the switch is initiated, each command node has a default authority level. The administrator can change it.

Login user authority level maintenance: the administrator can set an authority level for each login user. The condition for displaying and executing a command is: when the user's authority level is greater than or equal to the command's authority level, the command can be displayed and executed on the user's terminal. By default, the administrator can use all commands. Other authority levels can use only some maintenance commands.

3.8.3 Access Security

3.8.3.1 802.1x

802.1X is a client/server-based access control and authentication protocol. When a user device connects to a system port, 802.1X authenticates it to confirm whether the user is authorized to access system services through that port. In this way, unauthorized data transmission between the user and the system is prevented. Initially, 802.1X access control allows only EAPOL frames to pass the port to which the user's device is connected. After authentication succeeds, other data can pass through the port.

802.1X makes the access point through which the authenticator connects to the LAN present two logical ports: a controlled port and an uncontrolled port. The uncontrolled port is independent of the port authorization status and can exchange PDUs with other systems freely, while the controlled port can exchange PDUs with other systems only when it is authorized. The PAE is the basis for operating the algorithms and protocols of the authentication mechanism. The authenticator's PAE is responsible for communicating with the requestor's PAE and sending the information collected from the requestor's PAE to the authentication server. After verifying this information, the authentication server confirms whether the requestor is authorized to access the authenticator's service. The authenticator's PAE sets the controlled port to the authorized or unauthorized status according to the authentication result. The authenticator's PAE uses the uncontrolled port and the EAPOL protocol to exchange protocol messages with the requestor's PAE, and it uses EAPOR to communicate with the RADIUS authentication server.

The 802.1X unit of ZXR10 8900E series switch mainly realizes the following services:

Support services of authenticator.

Local authentication.

Support authenticator’s PAE to exchange protocols with EAPOL via the uncontrolled port.

Force-Unauthorized, Auto and Force-Authorized values of Auth-Controlled-Port-Control can be used to run the controlled port.

Support Admin-Controlled-Directions and OperControlled-Directions to run the controlled port.

Re-authentication timer can be used to authenticate the requestor again on a regular basis.

Transparent transmission of 802.1x authentication packet is supported when authentication is not initiated.

3.8.3.2 DHCP

A DHCP server can allocate proper IP addresses to all sorts of devices. With the DHCP service, the network administrator no longer distributes IP addresses manually; addresses are allocated automatically through the exchange of DHCP protocol messages. This not only reduces the workload and configuration errors caused by manual configuration, but also enables unified IP address management when a device is moved.

DHCP adopts a client/server communication mode. The client sends an IP allocation request to the server, and the DHCP server returns the related configuration information, such as the allocated IP address, to the client. When the DHCP client gets the configuration information, it can configure its IP address dynamically and communicate with the external network. In this process, the DHCP server can implement authentication. One DHCP server usually has one IP address pool, so that it can distribute IP addresses to multiple IP devices.

When the DHCP server and the DHCP client are not in the same network segment, a DHCP relay is required. The DHCP client sends a request message toward the DHCP server. The DHCP relay receives and processes the message and forwards it to the DHCP server in another network segment. The server provides the related information according to the request message. The DHCP relay then returns the configuration information to the client to finish dynamic client configuration.

Besides, DHCP also includes some extension services, e.g. DHCP snooping and DHCP Relay Agent Information Option (Option 82). Using options carried in the DHCP request message, DHCP Option 82 enables the DHCP server to determine the user's location more accurately. In this way, different address distribution policies can be applied to different users, so that users can be effectively controlled even when they are in different VLANs or network segments.

DHCP snooping is mainly used to guard against spoofed DHCP servers. A spoofed DHCP server set up on some device answers users' DHCP address requests, so users cannot obtain a correct DHCP address and connect to the network. Alternatively, a spoofed DHCP client sends DHCP address requests to the DHCP server frequently in order to use up the server's addresses. Once the DHCP snooping service is enabled, ports can be set as trusted or untrusted. DHCP server response messages arriving on an untrusted port are discarded. In addition, snooping can limit the number of IP addresses that can be allocated on one untrusted port, so that DDoS attacks against the DHCP server can be avoided.

ZXR10 8900E supports DHCPv4 server, DHCPv4 relay, DHCPv4/v6 snooping and DHCP Option 82 services. The specific supported options can be seen in the functional list.

3.8.3.3 IP source guard

IP source guard checks message source by binding port, VLAN, MAC and IP together. It realizes message security control. The binding table of IP source guard can be set up in the following two ways:

1. Static binding: binding table entries created by manual configuration are used to implement the port control service. This method is suitable for a single host or a LAN with few hosts.

2. Dynamic binding: the port control service is implemented by automatically obtaining binding table entries from DHCP Snooping or DHCP Relay. It is suitable for LANs with many hosts. Using DHCP for dynamic host configuration effectively avoids IP address conflicts and IP address spoofing. When DHCP allocates an entry to a user, the dynamic binding service adds one binding table entry that allows this user to access the network. If a user sets an IP address privately, the user is not allowed to access the network: DHCP was not used to allocate a table entry, so the dynamic binding service adds no corresponding access rule.

ZXR10 8900E supports IP Source Guard service based upon IPv4 and IPv6.

3.8.3.4 DAI

The DAI (Dynamic ARP Inspection) service sends ARP messages to the CPU to check their validity; each message is then either discarded or forwarded. If the source MAC address, source IP address, port number and port VLAN of an ARP message match an entry in the DHCP Snooping table or the manual static IP binding table, the message is considered a legal ARP message and is forwarded. Otherwise, it is discarded as an illegal ARP message. Because ARP messages are sent to the CPU, a large volume of ARP messages amounts to a DoS attack, so in real applications DoS attacks using ARP messages must be defended against. ARP messages apply only to the IPv4 protocol. For the IPv6 protocol, ND messages are monitored.
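The DHCP snooping, IP source guard and DAI descriptions above all rest on one table of (port, VLAN, MAC, IP) bindings. The following Python model is an added illustration of that logic, not ZTE code or ZXR10 CLI; the class, method and port names, the limits and the sample addresses are all constructed for the example.

```python
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """Canonical MAC form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.lower().replace("-", ":")


@dataclass(frozen=True)
class Binding:
    port: str
    vlan: int
    mac: str
    ip: str


@dataclass
class AccessSwitch:
    """Hypothetical model: snooping fills the table, DAI and source guard read it."""
    trusted_ports: frozenset          # ports facing the legitimate DHCP server
    max_leases_per_port: int = 2      # addresses one untrusted port may obtain
    arp_per_second: int = 5           # ARP messages per port handed to the CPU
    static: set = field(default_factory=set)
    dynamic: set = field(default_factory=set)
    _arp_window: dict = field(default_factory=dict)

    def bind_static(self, port, vlan, mac, ip):
        """Static binding: entry created by manual configuration."""
        self.static.add(Binding(port, vlan, norm_mac(mac), ip))

    def dhcp_ack(self, ingress_port, client_port, vlan, client_mac, ip):
        """Snoop a DHCP server reply and learn a dynamic binding from it."""
        if ingress_port not in self.trusted_ports:
            return "drop:untrusted-server"      # spoofed DHCP server
        entry = Binding(client_port, vlan, norm_mac(client_mac), ip)
        if entry in self.dynamic:
            return "forward"                    # renewal of a known lease
        leases = sum(1 for b in self.dynamic if b.port == client_port)
        if leases >= self.max_leases_per_port:
            return "drop:lease-limit"           # address exhaustion attempt
        self.dynamic.add(entry)
        return "forward"

    def is_bound(self, port, vlan, mac, ip):
        """IP source guard check: all four fields must match one entry."""
        entry = Binding(port, vlan, norm_mac(mac), ip)
        return entry in self.static or entry in self.dynamic

    def inspect_arp(self, now, port, vlan, sender_mac, sender_ip):
        """DAI: rate-limit ARP towards the CPU, then validate the sender."""
        second = int(now)
        last, count = self._arp_window.get(port, (second, 0))
        count = count + 1 if last == second else 1
        self._arp_window[port] = (second, count)
        if count > self.arp_per_second:
            return "drop:rate-limit"
        if self.is_bound(port, vlan, sender_mac, sender_ip):
            return "forward"
        return "drop:no-binding"


def demo():
    """Constructed events: one honest host on p1, a misbehaving host on p2."""
    sw = AccessSwitch(trusted_ports=frozenset({"uplink"}))
    host = ("00:00:5e:00:53:01", "192.0.2.10")
    out = {}
    out["ack_from_uplink"] = sw.dhcp_ack("uplink", "p1", 10, "00:00:5E:00:53:01", host[1])
    out["ack_from_rogue"] = sw.dhcp_ack("p2", "p1", 10, "00:00:5e:00:53:02", "192.0.2.66")
    out["arp_bound_host"] = sw.inspect_arp(0.0, "p1", 10, "00-00-5e-00-53-01", host[1])
    out["arp_claims_gateway"] = sw.inspect_arp(0.1, "p2", 10, "00:00:5e:00:53:99", "192.0.2.1")
    out["right_pair_wrong_port"] = sw.inspect_arp(0.2, "p2", 10, *host)
    sw.bind_static("p3", 20, "00:00:5e:00:53:30", "192.0.2.30")
    out["arp_static_host"] = sw.inspect_arp(0.3, "p3", 20, "00:00:5e:00:53:30", "192.0.2.30")
    out["arp_burst"] = [sw.inspect_arp(5.0 + i / 10, "p1", 10, *host) for i in range(6)]
    sw.dhcp_ack("uplink", "p1", 10, "00:00:5e:00:53:03", "192.0.2.11")
    out["third_lease"] = sw.dhcp_ack("uplink", "p1", 10, "00:00:5e:00:53:04", "192.0.2.12")
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A host that configures an address by hand never appears in the dynamic table, so both its traffic and its ARP messages fail the same lookup.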

3.8.4 MFF

Based upon RFC 4562, MFF is applied on user access devices. It aims at isolating users at the access side while providing effective IP address distribution. All streams are forwarded to the uplink access gateway, and the gateway then determines the forwarding direction of these streams (including L2 switching streams within one broadcast domain). In the past, these streams were forwarded directly by access devices, which left potential security risks. MFF ensures user isolation and meets the requirements for access node interconnection and security that the Broadband Forum (DSL Forum in the past) sets for broadband access networks in its TR101 report.

Compared with PVLAN, MFF not only can realize user’s L2 isolation, but also saves some user’s information. So it is safer in processing and forwarding messages. At the same time, the communication between users in the same segment of layer 2 is controlled by gateway router, which makes the network more secure by realizing integrated control.

3.8.5 Network Security

Ideally, user-class virus inspection, which requires users to install patches and anti-virus software, is preferred for defending against network viruses. In most cases, many users cannot accomplish this task, so the switch must be able to provide network-class virus inspection and alarms.

Besides, the switch must have protective mechanisms against malicious network attacks to avoid the breakdown of the switch and the network. The ZXR10 8900E series switch mainly implements network-based security mechanisms. It configures security inspection services on different units.

In ZXR10 8900E series switch, the network security mainly includes the following services:

Detect viruses that cause sudden bursts of traffic, e.g. “SQL worm”, “red code” and “shockwave”. Corresponding alarms will be generated, or the client port will be closed.

Prevent users' ARP spoofing.

MAC address flooding protection. Restrict port MAC address number.

Set port broadcasting packet threshold.

L2, L3 and L4 hybrid ACL filtering.

Route filtering

Forbid ICMP redirect service. Prevent attackers from sending spoofed ICMP messages.

Defend against CPU attacks. Implement protocol message protection. Assign different hardware CPU queues to protocol messages. Set precedence, speed restriction, WRED and other QoS mechanisms to protect the CPU.

Defend DoS attack based upon hardware queue. Support anti-land | null-scan | ping-of-death | smurf | sys-fin | syn-port-less-1024 | xma-scan | ping-flood | syn-flood attack. Anti-ping-flood | syn-flood attack can support speed restriction.

Anti-IPv4 URPF source address deception.

Automatic broadcasting storm suppression.

Control/signaling MD5 encryption authentication

DHCP snooping

IP Source guard and DAI based upon DHCP Snooping.

IPv6 ND security

3.8.5.1 Anti-DDoS Attack

As the network environment grows more and more complicated, the switch must be more capable of withstanding attacks. There are many ways to prevent DDoS attacks, and CPU protection is a very important one.

Currently, protocol message control is used to protect the CPU. The speed of messages sent to the CPU can be set. If the actual speed exceeds the threshold, the messages are discarded or their transport priority is modified. CPU protection is implemented based upon the following principle.

CPU protection is mainly realized by having the switch monitor the speed of messages sent to the CPU. The speed threshold for messages going to the CPU can be set on devices. When messages are sent to the CPU at an abnormal speed, related alarms are generated and the NM becomes aware of the attack. At this moment, the NM can decide how to process the messages according to the message type and speed. When the protocol protection unit finds that one protocol's messages are arriving too fast, it sends an alarm to warn the user. After reading this alarm, the user can configure protocol protection shutdown to avoid CPU failure.

Currently, the supported protocols include most L2 and L3 protocols. The covered IPv4 protocols are: OSPF, PIM, IGMP, VRRP, ICMP, ARP reply, ARP request, group mng, VBASE, DHCP, RIP, BGP, telnet, LDP_TCP, LDP_UDP, TTL=1, BPDU, SNMP, MSDP and RADIUS. The covered IPv6 protocols are: MLD, ND, ICMP6, BGP4+, RIPng, OSPFv3, LDPtcp6, LDPudp6, telnet6 and PIM6. L2 protocols cover messages such as STP and MSTP, as well as some switch L2 ring protocols.

Based upon common CPU protection, 8900E has multi-level CPU protection which includes: hardware protection, software protection and protocol stack protection. CPU supports multiple hardware queues to make sure the precedence of key messages. Key message filtering makes sure key messages are sent to CPU. Protocol stack controls message transport speed. Via multi-level protection, network efficiency and key services operation are guaranteed.

Moreover, ZXR10 8900E can also use MAC address learning restriction, port speed restriction and multi-level ACL filtering to avoid DDoS attack.

3.8.5.2 Unicast Reverse Path Forwarding (uRPF)

Unicast Reverse Path Forwarding (uRPF) is used to defend against network attacks based upon source address spoofing. In a common DoS attack, source address spoofing (the attacker forges a legal address) uses a fake source address to prevent the device from providing normal services. uRPF defends against such attacks effectively. uRPF is defined relative to the normal route lookup. Normally, when a router receives a packet and obtains its destination address, it looks up the route table by the destination address. If a route is found, the packet is forwarded; otherwise, it is discarded. uRPF instead takes the source address and incoming interface of the packet and uses the source address as the lookup target, to find out whether the interface in the forwarding table that corresponds to the source address matches the incoming interface. If not, the source address is considered spoofed, and the packet is dropped. In this way, malicious attacks launched by modifying the source address can be stopped.

The ZXR10 8900E series switch supports three types of uRPF: strict, loose and loose-ignoring-default-route.

Strict mechanism strictly searches for outgoing port and incoming port as per source address. If they do not match, the packet will be dropped. If they match, process it normally.

Loose mechanism enables route search as per the source address. If the default route egress is the same as the ingress, process the packet normally. Otherwise, discard it.

Loose-ignoring-default-route ignores default route. If the route can be found by the source address, and it is not the default route, it will be processed normally. Otherwise, it will be dropped.
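The three uRPF modes can be compared on one forwarding table. The following Python model is an added illustration, not ZTE code: the function and interface names and the sample prefixes are constructed, and loose mode follows this section's wording, read as "a source covered only by the default route passes only when the default route's egress is the ingress interface" (an assumption about the intended behaviour).

```python
import ipaddress


class Fib:
    """Minimal IPv4 forwarding table with longest-prefix match."""

    def __init__(self, routes):
        # routes: iterable of (prefix, egress interface)
        self.routes = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]

    def lookup(self, addr):
        """Return (network, egress interface) of the best match, or None."""
        ip = ipaddress.ip_address(addr)
        hits = [(net, ifname) for net, ifname in self.routes if ip in net]
        return max(hits, key=lambda hit: hit[0].prefixlen, default=None)


def urpf_accept(fib, mode, src, in_if):
    """Decide whether a packet with source `src` arriving on `in_if` passes."""
    hit = fib.lookup(src)            # reverse lookup: the SOURCE is the key
    if hit is None:
        return False                 # no route back to the source at all
    net, out_if = hit
    via_default = net.prefixlen == 0
    if mode == "strict":
        # The route back to the source must leave through the ingress port.
        return out_if == in_if
    if mode == "loose":
        # Assumed reading of the text: a specific route is enough; the
        # default route counts only if it points out of the ingress port.
        return out_if == in_if if via_default else True
    if mode == "loose-ignoring-default-route":
        # A route must exist and must not be the default route.
        return not via_default
    raise ValueError(f"unknown uRPF mode: {mode}")


MODES = ("strict", "loose", "loose-ignoring-default-route")

# Constructed table: two customer ports and an uplink carrying the default route.
SAMPLE_FIB = Fib([
    ("198.51.100.0/24", "cust1"),
    ("203.0.113.0/24", "cust2"),
    ("0.0.0.0/0", "uplink"),
])

# Constructed packets: (description, source address, ingress interface)
SAMPLE_PACKETS = [
    ("customer 1 using its own prefix", "198.51.100.7", "cust1"),
    ("customer 2 spoofing customer 1", "198.51.100.7", "cust2"),
    ("customer 1 spoofing an outside address", "192.0.2.9", "cust1"),
    ("outside host arriving from the uplink", "192.0.2.9", "uplink"),
]


def verdict_table(fib=SAMPLE_FIB, packets=SAMPLE_PACKETS):
    """Map each packet description to its {mode: accepted} verdicts."""
    return {
        desc: {mode: urpf_accept(fib, mode, src, in_if) for mode in MODES}
        for desc, src, in_if in packets
    }


if __name__ == "__main__":
    for desc, verdicts in verdict_table().items():
        print(desc, verdicts)
```

In this model only strict mode stops one customer from spoofing another customer's prefix, and loose-ignoring-default-route drops everything reachable only through the default route, including legitimate traffic arriving from the uplink.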

3.8.5.3 ND Security

The introduction of IPv6 does not solve the security issues of the original IPv4 network, and the IPv6 protocol also gives rise to some security problems of its own. In IPv6, the ND (Neighbor Discovery) protocol is similar to the ARP protocol in IPv4. It resolves MAC addresses and implements stateless automatic IP address allocation. The ND protocol mainly consists of RS, RA, NS and NA messages. RS and RA messages are used to get the IP address prefix, and NS/NA messages are used to get a neighbor's MAC address. So the ND protocol also has IP address prefix spoofing and MAC address spoofing issues.

ZXR10 8900E supports router trusted ports. Trusted router addresses and a limit on the number of learned ND entries can be configured. ND message filtering based upon ND snooping is supported, as is the binding relationship between static IP address, MAC, VLAN and port. ND messages can also be inspected against DHCP IPv6 snooping entries. Only legal messages are allowed to pass.

3.9 Network Traffic Analysis

3.9.1 sFlow

The sFlow service mainly consists of three parts: the sFlow message sampling unit, the sFlow agent unit and the sFlow collector (e.g. an analyzer). The entire system architecture is shown in Figure 3-28.

Figure 3-27 sFlow Multi-level Architecture

The sFlow sampling and agent units are integrated in the network device, while the sFlow analyzer sits outside the system and analyzes messages from multiple sFlow agents in the network. The sFlow sampling service of the 8900E is done by the ASIC chip.

The sFlow sampling service takes message samples on interfaces that support sFlow. The collected messages are sent to the sFlow agent and processed by it.

The sFlow agent is mainly responsible for analyzing the sampled messages and sending them to the sFlow collector after encapsulation. At the same time, it obtains the statistical information of the interface and sends it to the sFlow collector.

The sFlow collector is a network device used for sFlow management, monitoring, collection and analysis. After saving the messages sent by the sFlow agent, the sFlow collector analyzes them and produces reports and statistics on device traffic and services. At the same time, some collectors with MIB service can also configure sFlow.

4 System Architecture

4.1 Appearance

ZXR10 8900E adopts a large-capacity rack structure. Its hardware system is composed of chassis, backplane, fan chassis, power supply unit, switching MCC and various line processing cards.

4.1.1 ZXR10 8912E Appearance

ZXR10 8912E appearance is shown in Figure 4-1.


Figure 4-1 ZXR10 8912E appearance


ZXR10 8912E structure is shown in Figure 4-2.

Figure 4-2 ZXR10 8912E structure

4.1.2 ZXR10 8908E Appearance

ZXR10 8908E appearance is shown in Figure 4-3.


Figure 4-3 ZXR10 8908E appearance

ZXR10 8908E structure is shown in Figure 4-4.


Figure 4-4 ZXR10 8908E structure

4.1.3 ZXR10 8905E Appearance

ZXR10 8905E appearance is shown in Figure 4-5.


Figure 4-5 ZXR10 8905E appearance

ZXR10 8905E structure is shown in Figure 4-6.

Figure 4-6 ZXR10 8905E structure


4.1.4 ZXR10 8902E Appearance

ZXR10 8902E appearance is shown in Figure 4-7.

Figure 4-7 ZXR10 8902E appearance

ZXR10 8902E structure is shown in Figure 4-8.

Figure 4-8 ZXR10 8902E structure

4.2 Hardware Architecture

This section introduces the system hardware and working principle of ZXR10 8900E series core switch and gives users an understanding of the system. This section covers overall system architecture, functional modules, card principle diagram and working principles.


4.2.1 Overall Hardware Architecture

ZXR10 8900E series switch adopts a rack design to implement a system architecture with separated forwarding plane, control plane and monitoring plane. The three planes work together to implement the system functions. The system uses a new-generation large-capacity high-speed serial bus back plane to connect the main control switching card and all service line cards. The main control card and switching matrix are integrated into one card, which supports 1:1 redundancy design. The main control switching card implements protocol and signaling processing, fast data switching, system monitoring, clock synchronization, and maintenance and management. The main control card adopts a super-large-capacity switching matrix to guarantee the switching capacity necessary for system wire-speed operation. The main control card uses a high-performance CPU and large-capacity memory to guarantee high-speed protocol processing and storage space for huge table capacity. Each line card provides wire-speed packet processing capability by ASIC and provides 10G, GE, 100M and 40G interfaces based on service requirements. The clock module of each line card implements time and frequency synchronization by exchanging with the main control clock module over the clock bus, so as to provide reliable, high-quality clock synchronization. The main control node on the main control card manages the monitoring nodes on the line cards and collects the monitoring information of the line cards over the monitoring bus, in order to realize intelligent management of the equipment. Figure 4-9 and Figure 4-10 are the hardware system architecture diagrams of ZXR10 8900E.

Figure 4-9 ZXR10 8912E/8908E/8905E hardware system architecture

Figure 4-10 ZXR10 8902E hardware system architecture


Large-capacity high-speed back plane

The system uses the latest passive large-capacity high-speed back plane design, and adopts 10G high-speed Serdes to connect the main control switching card and every line card. This guarantees abundant switching capacity for system operation and reserves enough bandwidth for future upgrades. It supports 400G hardware platform, 40G line card, and smooth upgrade to 100G line card.

Main control switching card

The main control card is an important comprehensive card with 1:1 and 1+1 redundancy. Each main control switching card contains a high-performance CPU, storage space with large memory capacity, an inter-board communication switching module, a monitoring module, and a clock module. Each main control card on 8912E/8908E/8905E contains a large-capacity switching matrix, which adopts independent design for multiple planes to guarantee its switching capability and future expansion capability. The 8902E main control card has no switching matrix. Its line cards implement back-to-back connection by the high-speed back plane. During operation, the two main control cards of an 8900E series switch maintain an active connection with each other.

Service line card

The service line card processes packets directly. It sends each packet to a specific port of the destination service line card based on the processing result. Each service line card has its own forwarding table. Forwarding decisions are made locally to guarantee wire-speed switching capability. There are many types of service line cards supporting clock and monitoring. At present the following service line cards can be provided based on the needs:

− GE service card


− 10G Ethernet service card

− 40G Ethernet service card

Power supply

The 8900E uses an intelligent power supply unit. The main control system monitors the power supply over an RS485 interface to implement intelligent monitoring of temperature, over/low-voltage, power-down alarm, and traffic limit.

Intelligent fan

8900E system uses intelligent fan to satisfy the functional requirements of fan speed adjusting, fan off alarm, fan speed alarm, and fan card temperature detection. It can also adjust the speed for fan at each slot based on their temperature to save energy.

4.2.2 Working Principles of Hardware System

ZXR10 8912E/8908E/8905E core switch system adopts a distributed architecture which is composed of forwarding, control and monitoring planes. Forwarding plane implements wire-speed switching by two-layer hardware switching. Layer 1 switching is implemented between ports of line cards by local ASIC chip, which is usually called Packet Processor (abbreviated as PP). Layer 2 switching is implemented between line cards by the switching matrix on the main control card. It can connect all PP to constitute a large-capacity switch system. On the control plane, each line card has an independent CPU to conduct local packet forwarding and protocol processing. It can communicate with main control card CPU by high-speed channel. CPU implements route calculation, management and control. The main monitoring node on main control card, sub-monitoring node on line card and monitoring bus connecting all monitoring nodes constitute a monitoring plane to realize the monitoring of the equipment and state of the whole system. The system diagram is shown in Figure 4-11.


Figure 4-11 ZXR10 8905E/8908E/8912E system hardware diagram

The switch structure for ZXR10 8902E is different in switching plane. When 8902E switch conducts two-layer hardware switching, layer 1 switching is implemented between ports of line cards. Layer 2 switching is implemented between two line cards by the high-speed Serdes bus directly connected to line cards. The system diagram is shown in Figure 4-12.

Figure 4-12 ZXR10 8902E system hardware diagram


4.3 Hardware Boards

4.3.1 Switching Main Control Board

In actual application of ZXR10 8912E/8908E/8905E, the switching module and control module are integrated on one main control board, including CPU subcard, switching chip, clock system and monitoring subcard, realizing management control for the whole system and switching function for data packets of line cards. It can be divided into the following functional modules: switching, control, clock, monitoring, outband communication, power supply and logic modules. Its principle diagram is as shown in Figure 4-13.

Figure 4-13 Principle diagram of 8912E/8908E/8905E main control board

In actual application of ZXR10 8902E, the main control board realizes the control function. Its principle diagram is as shown in Figure 4-14.

Figure 4-14 Principle diagram of 8902E main control board


4.3.1.1 Main Control Module

The main control module consists of a main processor and some external functional chips, providing various operation interfaces such as serial interface and Ethernet interface by which the system can process various applications. The main control module includes the following functional units and fulfills the following tasks:

NMS unit: run system network management protocol, such as SNMP;

Protocol processing unit: run network and route protocols, such as OSPF, RIP and BGP-4; maintain global routing and forwarding table; responsible for consistency of multiple processor nodes;

Monitoring unit: provide operation and management interfaces for line cards;

Internal communication unit: provide high-speed signaling channel between boards, so that the main control board can control the management CPU of other boards efficiently and correctly through the internal communication module, and transmit routing information to different boards via this channel.

The main control module has the following features:

Have high-performance CPU with powerful processing capability to run L2 and L3 protocol as well as network management and monitoring programs;

Provide GE outband communication channel that can be connected with the management interface to provide system management and program download and debugging function;

Provide an RS232 serial port as board debugging and management interface;

Provide temperature detection: each main control board has a temperature detection component connected to CPU subcard, which can provide temperature detection and report to background network management system;

Provide system log management function: all logs are stored in system FLASH;

CPU interface is mounted with clock chip to provide correct clock for the system;

Provide active/standby switching, active/standby status signal indication, line card reset signal and line card online detection functions;

Provide fault level: warning fault and switching fault;

Provide route data synchronization channel between the active and standby elements.


4.3.1.2 Switching Module

The switching module is responsible for data switching of the whole system and providing high-speed non-blocking switching channels between line cards. The switching module employs specialized CROSSBAR chip and integrates multiple high-speed bidirectional interfaces, so it can process wire-speed switching of multiple line cards. The switching chip has the following functions:

Storage, forwarding and switching;

Support 16K bytes jumbo frame;

Support priority queue: when CoS queue is congested, it can selectively discard some frames;

Provide a management control counter for each port.

4.3.1.3 Clock Module

This system adopts synchronous Ethernet technology to realize clock frequency synchronization and uses IEEE 1588 to perform phase modulation and time maintenance to realize clock time synchronization. Synchronous Ethernet can perform system clock frequency synchronization through the reference clock generated by 4 clock sources: clock subcard local clock, BITS (2MHZ, 2Mbits), GPS, and line card line restored clock. To realize time synchronization, all boards in the system can check time through GPS or 1588 information obtained from any line card.

Synchronous Ethernet restores the clock by the PHY chip in the Ethernet. Each interface board selects one of the restored clocks of all its ports and sends it to the two main control boards via the backplane. The main control board selects two (active and standby) according to the configured policy and sends them to the clock module as one of the references of clock sources. The clock module then selects the highest-quality clock from clock subcard local clock, BITS (2MHZ, 2Mbits), GPS, and line card line restored clock and sends it to the main control board; alternatively, the clock sources can be configured with different priorities and the highest-priority clock is sent to the main control board. The main control board then sends this clock to each interface board as the clock source for its chip. In this way, Ethernet clock synchronization of the whole system is realized.

For 1588 processing, the line cards in the system and the main control board exchange 1588 information via bus connection. The main control board or any line card can be configured as the synchronization source of the system; all other boards obtain synchronization information from the synchronization source. Moreover, the clock subcard of main control board can realize conversion between 1588 information and GPS information via logic component to realize GPS time synchronization function.


4.3.1.4 Monitoring Module

The monitoring module (IPMC) is a component of the equipment monitoring system. It forms intelligent platform management system together with hardware management bus and software monitoring management module. IPMC is designed as modular subcard and located at the main control board and other boards. The monitoring modules of the main control board and other boards are interconnected via monitoring bus.

The IPMC module can be divided into IPMC management node and IPMC ordinary node by its role in the system. The IPMC in the active main control board is the manager of subsystems; the standby main control board and ordinary line cards are all IPMC ordinary nodes. The line card and standby main control functional nodes collect local information and send it to the active main control node, which provides it to the users. The control information sent by the users is distributed by the active main control node to the line card and standby main control functional nodes. The management node also monitors system power supply and fans.

The monitoring module fulfills the following tasks:

Information collection: collect information on environment temperature, board temperature, fan status, power supply status and power supply power sampling;

Monitoring alarm: set alarm parameters for the above detection items and generate corresponding alarms when relevant faults occur;

Monitoring management: realize fan rotational speed control by user or automatic control as well as board power-on and power-off functions.

4.3.1.5 Main Control Panel diagram and Features

The panel diagram of 8912E main control board named 8912EMSC1D supporting clock synchronization is as shown.

Figure 4-15 8912EMSC1D main control board panel diagram

The panel diagram of 8912E main control board named 8912EMSC1A without clock synchronization is as shown.


Figure 4-16 8912EMSC1A main control board panel diagram

The panel diagram of 8908E main control board named 8908EMSC1D supporting clock synchronization is as shown.

Figure 4-17 8908EMSC1D main control board panel diagram

The panel diagram of 8905E main control board named 8905EMSC1D supporting clock synchronization is as shown.

Figure 4-18 8905EMSC1D main control board panel diagram

The panel diagram of 8902E main control board named 8902EMSC1D supporting clock synchronization is as shown.

Figure 4-19 8902EMSC1D main control board panel diagram


The panel diagram of 8902E main control board named 8902EMSC1A without Clock synchronization is as shown.

Figure 4-20 8902EMSC1A main control board panel diagram

The main control board has a Console interface, an IPMC management interface, an MGT interface, an SD card interface and clock interfaces, that is, one BITS in, one BITS out, one GPS in and one GPS out. Among them, the Console interface is used for local configuration and management of the switch; the MGT interface is mainly the 10/100/1000BASE-T interface used for upgrade and network management; the IPMC management interface is used to monitor local management of the system; the SD interface accepts an SD card, which can control the software update, buffer and restoration. The capacity of the SD card can be up to 32G. The features are shown in Table 4-1.

Table 4-1 Main control board panel interface features

| Interface name | Feature |
|---|---|
| Console interface | RJ45 connector; RS232, baud rate 115200bit/s; transmission distance <15m |
| MGT interface | 10/100/1000 Base-T Ethernet interface; RJ45 connector; use CAT-5 Unshielded Twisted Pair (UTP) cable; max. transmission distance 100m; full duplex/half duplex |
| IPMC interface | RJ45 connector; RS232, baud rate 115200bit/s; transmission distance <15m |
| PPS&TOD OUT interface | GPS signal second pulse (PPS) and time information (TOD) output; RJ45 connector; RS422 level |
| PPS&TOD IN interface | GPS signal second pulse (PPS) and time information (TOD) input; RJ45 connector; RS422 level |
| BITS OUT interface | BITS signal input; use BNC connector, 75Ω coaxial cable |
| BITS IN interface | BITS signal input; use BNC connector, 75Ω coaxial cable |


There are a number of buttons on the panel, such as RST, EXCH and CPY. Their functions are as shown in Table 4-2.

Table 4-2 Main control board panel button function description

| Button name | Function |
|---|---|
| RST | Board reset button, used to reset the whole board |
| EXCH | Board switching button, used to switch the active main control board to standby board |
| CPY | Reserved, not used |

The functions of the indicators on the main control board panel are as shown in Table 4-3.

Table 4-3 Main control board panel indicator function description

| Indicator | LED | Function |
|---|---|---|
| 1~2/5/8/12 | RUN (green) | Off: corresponding line card fault or not in position. Flash: corresponding line card works properly |
| 1~2/5/8/12 | ALM (red) | Off: corresponding line card has no alarm or not in position. On: corresponding line card has alarm |
| PWR1~2/3 | RUN (green) | Off: corresponding power module fault or not in position. On: corresponding power module works properly |
| PWR1~2/3 | ALM (red) | Off: corresponding power module has no alarm or not in position. On: corresponding power module has alarm |
| RUN | RUN (green) | Off: this main control board has fault. Flash: this main control board works properly |
| RUN | ALM (red) | Off: this main control board has no alarm. On: this main control board has alarm |
| MST | RUN (green) | On: this board is active. Off: this board is standby |
| MST | ALM (red) | On: active/standby status is exceptional. Off: active/standby status is normal |
| FAN (only 8902E has this indicator; for others, this is displayed on the fan frame) | RUN (green) | On: fan frame power supply is normal. Off: fan frame power supply is exceptional |
| FAN (only 8902E has this indicator; for others, this is displayed on the fan frame) | ALM (red) | On: fan frame works exceptionally. Off: fan frame works properly or power supply is exceptional |
| SD interface | ACT (green) | On: this interface is inserted with SD card. Off: this interface has no SD card or SD card is exceptional. Flash: SD card is under reading/writing |
| | ACT (green) | Flash: data receiving/sending on 10/100/1000 Base-T Ethernet interface |
| | LINK (green) | On: 10/100/1000 Base-T Ethernet interface link has been established. Off: 10/100/1000 Base-T Ethernet interface is not connected with any other interface |

4.3.2 Power Module

ZXR10 8912E/8908E/8905E/8902E core switches address the practical application need. To meet the strict requirement for equipment reliability, hot backup is designed for the power supply module, and both 48V DC power supply and 220V AC power supply are provided. DC power supply adopts 1+1 mode; AC power supply adopts 1+1 backup or 2+1 backup depending on the rack, which greatly improves the reliability of the power system. Besides, the 8900E series power supply also provides multiple intelligent protection mechanisms, which can perform protection, detection and fault report for the power supply according to voltage, current and temperature, including output overvoltage protection, output overcurrent protection, output undervoltage protection, output undercurrent protection, overtemperature short-circuit protection, input overvoltage protection, input undervoltage protection, overtemperature, overvoltage, fan fault and current limit alarm report function, voltage detection report function, current detection report function and temperature detection report function.

The diagram of 8912E/8908E/8905E DC power rear panel is as shown in Figure 4-21.

Figure 4-21 8912E/8908E/8905E DC power board diagram

The diagram of 8912E/8908E/8905E AC power rear panel is as shown in Figure 4-22.


Figure 4-22 8912E/8908E/8905E AC power board diagram

The diagram of 8902E DC power front panel is as shown in Figure 4-23.

Figure 4-23 8902E DC power board diagram

The diagram of 8902E AC power front panel is as shown in Figure 4-24.

Figure 4-24 8902E AC power board diagram

4.3.3 Interface Module

The ZXR10 8900E series core switch interface module is the line interface card. The line card types provided include Gigabit Ethernet interface board, 10G Ethernet optical interface board and 40G Ethernet optical interface board. All optical interfaces of line cards in ZXR10 8900E series core switches adopt pluggable optical modules, so the same line card can support multiple kinds of transmission media and transmission distances. Some line cards provide different types of ports, reducing the number of line cards that may be needed in many cases, so that the user can get the largest profit with minimal investment. Moreover, all user electrical interfaces in the line cards have a cable diagnosis function. They can detect the connection of cables at any time, diagnose short circuits and open circuits of cables and point out the position of the faults with a precision of less than 1m.


1. Types of 8900E interface boards (as shown in Table 4-4)

Table 4-4 8900E interface board type

| Board type | Fixed interface line processing board name | Port state | Description |
|---|---|---|---|
| E1GF24A | 24-port NP enhanced gigabit optical interface board | 24 GE optical interfaces; support 100M and gigabit SFP | With NP extension; support MPLS; support big table entry; support H-QoS; support Ethernet OAM; support intelligent monitoring |
| H2GF24D | 24-port gigabit optical interface board | 24 GE optical interfaces; support 100M and gigabit SFP | Support MPLS; support big table entry; support Ethernet OAM; support clock (SyncE, 1588v2); support intelligent monitoring |
| H2GF48D | 48-port gigabit optical interface board | 48 GE optical interfaces; support 100M and gigabit SFP | Support MPLS; support big table entry; support Ethernet OAM; support clock (SyncE, 1588v2); support intelligent monitoring |
| H2GT48D | 48-port gigabit electrical interface board | 48 GE electrical interfaces; 10/100/1000M triple speed | Support MPLS; support big table entry; support Ethernet OAM; support clock (SyncE, 1588v2); support intelligent monitoring |
| H2XF8D | 8-port 10G optical interface board | 8*10G optical interfaces; support 10G SFP+ | Support MPLS; support big table entry; support Ethernet OAM; support clock (SyncE, 1588v2); support intelligent monitoring |
| S1XF12A | 12-port 10G optical interface board | 12*10G optical interfaces; support 10G SFP+ | Support L2/L3 and IPv4/v6 features; support SyncE; support intelligent monitoring |
| S2XF48A | 48-port 10G optical interface board | 48*10G optical interfaces; support 10G SFP+ | Support L2/L3 and IPv4/v6 features; support MPLS; support SyncE; support intelligent monitoring |
| S2LQ6L2A | 6-port 40GE QSFP optical interface+2-port 40GE CFP optical interface board | 6*40G QSFP interfaces+2*40G CFP interfaces | Support MPLS; support SyncE; support intelligent monitoring |


2. Panel diagram of 8900E interface boards

Figure 4-25 E1GF24A

Figure 4-26 H2GF24D

Figure 4-27 H2GF48D

Figure 4-28 H2GT48D

Figure 4-29 H2XF8D

Figure 4-30 S1XF12A

Figure 4-31 S2XF48A


Figure 4-32 S2LQ6L2A

3. Features of optical and electrical interfaces of 8900E interface board

See table 5-2 Interface Indicators.

4.4 Software Architecture

4.4.1 System Software Architecture

ZXR10 8900E series switches are multi-layer switches that provide L2 switching, L3 routing and MPLS L2/L3VPN and that support multiple service functions. They can provide L2 and L3 wire-speed switching and routing and QoS guarantee. The system software implements system management, control and data forwarding. Its basic work includes system startup, system configuration management, protocol running, table maintenance, switching chip setting and state control as well as forwarding of some special messages. The software system realizes the following functions:

Realize main L2 protocol functions, including 802.1D STP protocol, 802.1P priority level control, 802.1Q VLAN related functions and 802.3ad link aggregation function;

Support IPv4/IPv6 protocol stack and basic routing protocol;

Realize multicast protocol and support IPTV deployment;

Realize ACL and DHCP multi-layer services;

Realize partial broadband access function;

Realize the Agent function of network management protocol SNMPv3;

The user can perform network management for Ethernet switch via serial port terminal, Telnet/SSH and SNMP Manager, including: network configuration management, fault management, performance management and security management;

Software version can be upgraded smoothly; the active and standby protocol processing cards and switching network cards support online upgrade;

Equipment security and network security functions;

Realize MPLS related functions, including MPLS VPN, MPLS OAM and MPLS QoS;

Support fast switching and convergence of routes, links and network; provide highly reliable protection.

ZXR10 8900E series switch products adopt a brand-new software architecture to fulfill the various functions of the software system. The two major subsystems, “unified support platform” and “new-generation protocol stack platform”, together with the OAM, DB, product management and operating system (CGEL) subsystems, make up the 8900E product software architecture, as shown in Figure 4-33:

Figure 4-33 8900E software system architecture

[Figure 4-33 block labels: Software (protocol stack) platform; OAM; DB; PM; Version management; Equipment management; Forwarding plane management; Inter-plane interconnection; Distributed operating system infrastructure; Forwarding plane (firmware such as ASIC/microcode/FPGA)]

The functions of each subsystem are described below:

Unified support platform: It provides an operating system platform, componentized release and process space separation, and supports dynamic loading and hot patch capabilities. Because it can be released independently and supports both centralized and distributed systems, the unified support platform can serve as the support platform for most product lines.

New-generation software platform: As the next-generation TCP/IP protocol stack platform, ZXROS (Zhong Xing Route Operating System) Version 5.0 supports the full series of data products and service products from low end to high end. The protocol stack is implemented in different processes, divided by functional block, to ensure the independence and reliability of functions and to make software faults easy to locate. It has NSR function, fast convergence capability, and mass route management capability. The whole equipment can support 64K VPN to ensure competitiveness and progressiveness.

OAM: The system provides CLI, SNMP and HTTP management interfaces; the foreground performs overall management for the system in a unified way. For upper-level application part, OAM only provides management mechanism; relevant management functions can be added for the services separately to realize loose coupling of OAM and application.

DB: On the basis of the existing DB system, the system implements a multi-process mutual-exclusion mechanism to ensure data integrity; database access can be performed concurrently in a multi-channel multi-kernel system to improve access efficiency.

Product management: The software platform only concerns protocol realization; the other functions including equipment management, equipment monitoring, version management and line card management are all realized by product management.

OS: The operating system is the self-developed, Linux-based CGEL, which is fully compatible with the standard Linux system architecture. It supports multiple kernels, double state and multiple processes, and so meets the requirement for timeliness. It supports diverse drivers and realizes distributed extension.

4.4.2 Software Platform

ZXR10 8900E core switch adopts the latest Version 5.0 of the next-generation IP protocol stack platform ZXROS (Zhong Xing Route Operating System). The protocol implementation of this platform is independent of the product; it is aware only of protocol service functions, not of specific products. All software components can run in the user state of the micro-kernel system to enhance system security; software components belong to separate process spaces, which safely isolates illegal operations by application programs; the software is managed by component, so component functions can be developed independently and released as independent versions; the platform also provides non-stopping routing capability, distributed processing and fast, reliable synchronization between different CPUs. The overall software components of the ZXROS V5.0 software platform are shown in Figure 4-34.

Figure 4-34 New-generation ZXROS V5.0 software platform system architecture

[Figure 4-34 block labels: Operating system micro-kernel; Distributed infrastructure; L3&PSS subsystem (message receiving/sending, interface management, table management, etc.); Routing protocol subsystem; Configuration management and resource maintenance; L2 protocol subsystem; OAM; MPLS subsystem; TACACS+; Configuration; RADIUS; PING; FTP; NTP; NETFLOW; TRACE; ...; Application protocol subsystem; Software platform]

ZXROS V5.0 software platform includes the following subsystems:

Route subsystem: includes unicast routing protocols and multicast routing protocols;

L2 subsystem: includes all L2 functional protocols;

MPLS subsystem: includes LDP, RSVP and PWE3 functional protocols;

L3&PSS subsystem: includes TCP/UDP, ARP, ND, message receiving/sending, interface management, routing table, label table management, forwarding table collection, integration and synchronization;

Configuration and resource management subsystem: includes configuration management modules such as ACL, route-map, L2VPN and L3VPN and system resource management such as label and IP pool;

Application protocol subsystem: includes various application protocols such as Netflow, Radius, NTP and Telnet.

The key and competitive technologies of this software platform are reflected in the following aspects:

The system kernel resource runs in the highest priority mode and all software components run in the user state of the micro-kernel system to enhance system security (up/down isolation);

Software components belong to different separate process spaces, realizing safe isolation of illegal operation of application program (left/right separation);

Component functions can be developed independently and independent versions can be released;

Software system architecture supports distributed protocol processing: message communication is used between processes;

Fast data synchronization can be realized between multiple CPUs; reliable multicast can be used to increase route convergence speed;

Separation of command configuration processing and specific protocol realization; low coupling of command scripts of platform and project;

Have unified external interfaces that support fast secondary development and can integrate with purchased parts;

Support non-stopping routing capability (NSR);

Support cluster technology.

Meanwhile, ZXROS V5.0 software platform has the following features:

High reliability and stability: meet the requirement of long-term stable running of network

− Faults in one component do not affect the other components

− Software components release versions and upgrade independently

− Low coupling of platform and project

Real-time performance: meet the time requirement for large-scale dynamic routing protocol, network management protocol and data synchronization between multiple processors.

Self restoration: try to detect, process and record exceptions in the whole system, perform necessary error restoration and equipment switching in exceptional cases.

Maintainable: perform necessary tracing and recording of usage and invocation of core resources and system services; the components are independent of each other, which makes it easier to trace faults.

Simple: only provide necessary system services to application programs and shield unnecessary system services.

Encapsulation: completely shield hardware characteristics to make application layer irrelevant to hardware, providing a unified and portable software platform for the application programs of processors.

Smooth evolution: support fast secondary development; able to integrate with purchased software and respond to customer requirements rapidly.

5 Technical Specifications

5.1 Basic features

Table 5-1 Basic features and performance

| Features | | 8912E | 8908E | 8905E | 8902E |
|---|---|---|---|---|---|
| Basic Performance | Backplane bandwidth | 19.2 Tbps | 19.2 Tbps | 12Tbps | 3.2Tbps |
| | Switching capacity | 2Tbps/7.68Tbps | 2Tbps/7.68Tbps | 1.28Tbps/4.8Tbps | 960Gbps |
| | Throughput | 1536Mpps/5760Mpps | 1536Mpps/5760Mpps | 960 Mpps/3600Mpps | 720Mpps |
| | GE Port Densities | 576 | 384 | 240 | 96 |
| | 10GE Port Densities | 576 | 384 | 240 | 96 |
| | 40GE Port Densities | 96 | 64 | 40 | 16 |
| Physical parameters | Dimensions (Height x Width x Depth) | 753mm*442mm*446mm | 575mm*442mm*446mm | 442mm*442mm*446mm | 175mm*442mm*420mm |
| | Weight | <89.7kg | <64.9kg | <51.2kg | <24kg |
| Slot number | Total slot | 14 | 10 | 7 | 4 |
| | Service board slot | 12 | 8 | 5 | 2 |
| Power | Power supply (AC) | 100V~240V, 50Hz~60Hz | 100V~240V, 50Hz~60Hz | 100V~240V, 50Hz~60Hz | 100V~240V, 50Hz~60Hz |
| | Power supply (DC) | -57V~-40V | -57V~-40V | -57V~-40V | -57V~-40V |
| | Maximum power consumption | <2718W | <2084W | <1235W | <300W |
| Environmental Requirements | Operating temperature | Long time: -5°C~+45°C; Short time: -10°C~+55°C | Long time: -5°C~+45°C; Short time: -10°C~+55°C | Long time: -5°C~+45°C; Short time: -10°C~+55°C | Long time: -5°C~+45°C; Short time: -10°C~+55°C |
| | Storage temperature | -40°C~+70°C | -40°C~+70°C | -40°C~+70°C | -40°C~+70°C |
| | Relative Humidity | 5%~95%, non-condensing | 5%~95%, non-condensing | 5%~95%, non-condensing | 5%~95%, non-condensing |
| | Earthquake-proof | Richter 8 scale earthquake | Richter 8 scale earthquake | Richter 8 scale earthquake | Richter 8 scale earthquake |

5.2 Interface Specifications

Table 5-2 Interface Specifications

| Interface type | Description |
|---|---|
| 10/100/1000BASE-T | IEEE802.3z. RJ45 connector. Category-5 UTP cables. Transmission distance: 100m. Half duplex/Full duplex. MDI/MDIX |
| 100BASE-FX (SFP-M02K) | LC connector. Multi-mode fiber. Wavelength: 1310nm. Max. transmission distance: 2km. Transmission power: -19dBm ~ -14dBm. Receive sensitivity: <-30dBm |
| 100BASE-FX (SFP-S15K) | LC connector. Single-mode fiber. Wavelength: 1310nm. Max. transmission distance: 15km. Transmission power: -14dBm ~ -8dBm. Receive sensitivity: <-31dBm |
| 100BASE-FX (SFP-S40K) | LC connector. Single-mode fiber. Wavelength: 1310nm. Max. transmission distance: 40km. Transmission power: -4dBm ~ -0dBm. Receive sensitivity: <-37dBm |
| 100BASE-FX (SFP-S80K) | LC connector. Single-mode fiber. Wavelength: 1550nm. Max. transmission distance: 80km. Transmission power: -3~+3dBm. Receive sensitivity: <-37dBm |
| 1000BASE-SX (SFP-M500) | LC connector. Multi-mode fiber. Wavelength: 850nm. Max. transmission distance: 500m. Transmission power: -9.5dBm~-4dBm. Receive sensitivity: <-18dBm |
| 1000BASE-LX (SFP-S10K) | LC connector. Single-mode fiber. Wavelength: 1310nm. Max. transmission distance: 10km. Transmission power: -9.5dBm~-3dBm. Receive sensitivity: <-20dBm |
| 1000BASE-LX (SFP-S40K) | LC connector. Single-mode fiber. Wavelength: 1310nm. Max. transmission distance: 40km. Transmission power: -4dBm~0dBm. Receive sensitivity: <-22dBm |
| 1000BASE-LX (SFP-S40K-1550) | LC connector. Single-mode fiber. Wavelength: 1550nm. Max. transmission distance: 40km. Transmission power: -5dBm~0dBm. Receive sensitivity: <-22dBm |
| 1000BASE-LH (SFP-S80K) | LC connector. Single-mode fiber. Wavelength: 1550nm. Max. transmission distance: 80km. Transmission power: 0dBm~5dBm. Receive sensitivity: <-22dBm |
| 1000BASE-LH (SFP-S120K) | LC connector. Single-mode fiber. Wavelength: 1550nm. Max. transmission distance: 120km. Transmission power: 5dBm~9dBm. Receive sensitivity: <-24dBm |
| 10GBASE-SR (SFP+-M300) | LC connector. Multi-mode fiber. Wavelength: 850nm. Max. transmission distance: 300m. Transmission power: -7.3dBm~-1.0dBm. Receive sensitivity: <-11.1dBm |
| 10GBASE-LR (SFP+-S10K) | LC connector. Single-mode fiber. Wavelength: 1310nm. Max. transmission distance: 10Km. Transmission power: -8.2dBm~0.5dBm. Receive sensitivity: <-10.3dBm |
| 10GBASE-ER/EW (SFP+-S40K) | LC connector. Single-mode fiber. Wavelength: 1550nm. Max. transmission distance: 40Km. Transmission power: -4.7dBm~4.0dBm. Receive sensitivity: <-14.1dBm |
| 40GBASE-SR4 (QSFP+150-D) | 40G QSFP optical transceivers. Wavelength: 850nm. Max. transmission distance: 150m. Transmission power: -7.0dBm~+2.3dBm. Receive sensitivity: <-5.4dBm |
| 40GBASE-LR4 (CFP+-S10K-D) | 40G CFP optical transceivers. Wavelength: 1270nm, 1290nm, 1310nm, 1330nm. Max. transmission distance: 10Km. Transmission power: -7.0dBm~2.3dBm. Receive sensitivity: <-11.5dBm |

5.3 Functions

5.3.1 L2 features

Table 5-3 L2 features

| Features | | Description |
|---|---|---|
| L2 features | VLAN | Port-based VLAN, Protocol-based VLAN, IP subnet-based VLAN; VLAN translation; PVLAN; Super VLAN |
| | QinQ | IEEE 802.1ad (QinQ); Selective QinQ and priority mapping; TPID modification |
| | MAC | MAC address learning, aging, and freezing; Static MAC configuration; MAC address number limit for preventing attacks; MAC address binding |
| | Link aggregation | IEEE 802.3ad (link aggregation); Static port aggregation; Inter-board link aggregation; Multi-chassis link aggregation |
| | Port | Loop detect; Port-based broadcast/multicast/unknown unicast storm suppression; Jumbo frames; Flow control; Peak traffic statistics in one minute; Default shutdown |
| | ARP | Static ARP configuration; ARP learning, aging; ARP Proxy; Preventing ARP attacks |
| | STP | IEEE 802.1d (STP)/802.1w (RSTP)/802.1s (MSTP); Preventing BPDU attacks |
| | MIRROR | Ingress port mirroring, Egress port mirroring and Traffic mirroring; one-to-one, one-to-many, many-to-one, and many-to-many mirroring; RSPAN; ERSPAN |
| | Ethernet OAM | IEEE 802.1ag; IEEE 802.3ah |

5.3.2 L3 features

Table 5-4 L3 features

| Features | | Description |
|---|---|---|
| L3 features | IPv4 unicast routing | IPv4 Static routing; RIPv1/v2, OSPFv2, IS-IS, BGP-4; Policy routing; VRRP; URPF; ECMP |
| | IPv6 unicast routing | ND, ND security, PMTUD; IPv6 Static routing; RIPng, OSPFv3, IS-ISv6, BGP4+; 6to4 tunnels, 6in4 tunnels, ISATAP; 6PE |

5.3.3 Multicast features

Table 5-5 Multicast features

| Features | | Description |
|---|---|---|
| Multicast | L2 Multicast | IGMP Snooping/proxy; IGMP rate limit, IGMP rate filter; MLD snooping; PIM snooping; Multicast VLAN |
| | L3 Multicast | Static Multicast; IGMPv1/v2/v3; PIM-SM, PIM-SSM, PIM-DM, MSDP; Anycast RP |
| | VPN | Multicast VPN |

5.3.4 MPLS

Table 5-6 MPLS feature

| Features | Description |
|---|---|
| MPLS Basic | LDP; CR-LDP; RSVP/RSVP-TE |
| MPLS L2 VPN | VPLS, VPWS, H-VPLS (QinQ Access, LSP Access); Vrf to Vrf method/Single-hop M-EBGP method/Multi-hop M-EBGP method for Inter-AS L2 VPN; CE dual-home to PE; UPE dual-home to NPE |
| MPLS L3 VPN | L3 VPN FRR; L3 VPN ECMP; Vrf to Vrf method/Single-hop M-EBGP method/Multi-hop M-EBGP method for Inter-AS L3 VPN; Multi-VRF (MCE) |
| MPLS TE | Static LSP; Explicit-path LSP; LSP Priorities/LSP Preemption/LSP Backup; MPLS TE FRR; MPLS L2VPN/MPLS L3VPN Over TE; LDP over TE |
| MPLS OAM | CV/FFD; 1 to 1 redundancy; MPLS Ping; MPLS Trace Route; VCCV ping for VPWS |

5.3.5 QoS

Table 5-7 QoS

| Features | | Description |
|---|---|---|
| QoS | Classification | Physical port-based Classification; Physical port and ACL based Classification |
| | Marking and Remarking | 802.1p, IP Precedence, IP DSCP, IP TOS, MPLS EXP priority marking and remarking; Mapping priority between double VLAN tag |
| | Flow control | Ingress port-based CAR; Flow-based CAR; Ingress/Egress Traffic Meter; Remarking based on Traffic Meter |
| | Congestion avoidance | Bandwidth control based on flow; RED, WRED |
| | Scheduling | Minimum of 8 priority queues per port; Minimum bandwidth guarantee/maximum bandwidth limitation per queue; Queue scheduling mechanisms: SP, WRR, SP+WRR, WDRR |
| | Shaping | Shaping per egress port; Shaping per specified queue |
| | H-QoS | H-QoS ingress/egress; H-QoS with 4-level queues and 3-level scheduling; H-QoS for MPLS L2/L3 VPN |

5.3.6 Service Management

Table 5-8 Service Management

| Features | Description |
|---|---|
| Service Management | IEEE 802.1X, 802.1X Relay, 802.1X RADIUS Accounting, and forcing user offline; RADIUS and TACACS+ authentication; Hierarchical user management; IPTV management (CAC, CDR, UMS); DHCPv4 Server, DHCPv4 Relay, DHCPv4/v6 Snooping; Supporting DHCP OPTION 82 |

5.3.7 Reliability

Table 5-9 Reliability

| Features | | Description (8912E, 8908E, 8905E, 8902E) |
|---|---|---|
| Availability | MTBF | >200000 hours |
| | MTTR | <30 minutes |
| | Availability | ≥99.999% |
| | Hot plugging | Hot plugging of all components |
| | Main control board | 1+1 redundancy backup |
| | Power module | AC: 2+1 redundancy, DC: 1+1 redundancy / AC: 1+1 redundancy, DC: 1+1 redundancy |
| Reliability | | MPLS-TE end-to-end Path protection; MPLS-TE FRR; IP FRR; LDP FRR; Multicast FRR; BFD for Static Routing, LDP, OSPF, ISIS, BGP, RIP, VRRP, LSP, FRR, PIM DR, Super VLAN; Graceful Restart; NSF; VRRP; Protection against loops for VPLS; ESRP+ Ethernet ring protection; Dual uplink dual homing protection; ECMP; UDLD; LLDP; LACP, MC-ELAM |

5.3.8 System security

Table 5-10 System security

| Features | | Description |
|---|---|---|
| System security | Anti Attacks | Defend against attacks of DoS, MAC flood, ARP Spoof, IP Spoof, SYN flood of TCP, UDP flood, PING flood, Ping of Death, LAND, SMURF, Session hijacking, broadcast storms, IP fragment and large traffic; BPDU guard, root guard, and loop guard; IPv4 uRPF; Hierarchical protection of command lines to prevent unauthorized users and grant different configuration rights to different levels of users |
| | CPU protection | CPU channel guard by rate limiting of the messages sent to CPU; Filter of the messages sent to CPU; Priority Assignment of the messages sent to CPU |
| | Advanced Security | Log record; Broadcast storm auto suppression; Hybrid ACL with L2, L3 and L4 fields filtering; OSPF, RIP, and BGP MD5 authentication; IP source guard/DAI; ND Security; DPI; FIREWALL |

5.3.9 Clock synchronization

Table 5-11 Clock synchronization

| Features | | Description |
|---|---|---|
| Clock | Synchronized Ethernet | Restore and extract clock data from the Synchronous Ethernet links; Clock distribution in chassis; Extract clock from physical links, BITS (2MHZ, 2Mbits) and GPS; SSM (synchronization status message) handling |
| | IEEE 1588v2 | Clock Recovery from 1588v2 PTP Transparent Clocks E2E/P2P modes; Precision Time Synchronization; Best Master Clock (BMC) algorithm |

5.3.10 Operating and Maintenance

Table 5-12 Operating and Maintenance

| Features | | Description |
|---|---|---|
| Operating and Maintenance | Operating and Maintenance | Command lines configuration; Hierarchical protection of command lines to prevent unauthorized users and grant different configuration rights to different levels of users; Password Aging and Verification; Terminal services through the Console; User Access Service Management; Remote Management via SSH, TELNET, SNMP; FTP/TFTP; Multi-mode alarm service (Sound, Light, etc.); Unified NMS of ZXNM01; Hierarchical commands through NMS; User access control; Configuration saving and restore; Log record, Syslog, RMON; NTP clocks; IPv6 network management; Supporting standard MIB; Traffic statistics |
| | Group Management | ZGMP, LLDP/ZTP/ZGMP |
| | Traffic Monitoring | sFlow |
| | OAM | Ethernet OAM; Network testing tools (LSP Ping, LSP trace route, VPLS MAC Ping, etc.) |

6 Typical Networking Mode

6.1 Application in Metro Ethernet

ZXR10 8900E can be deployed in the aggregation layer of metro Ethernet. Metro Ethernet has the demand for unified bearing of mobile, fixed broadband and Enterprise Customer and separated bearing of IP-based audio, video, data and IPTV services. ZXR10 8900E can realize full-service bearing and isolation of different services by VPN technology and provide carrier-class reliability for the operators with ring network technology, multiple protection technologies and OAM.

Realize isolation of end-to-end service and bearing by MPLS to edge mode to provide higher reliability and security;

Different service planes bear different services by MPLS VPN technology;

Ensure 50ms fast protection switching by MPLS TE/FRR/BFD technology;

Realize fast fault discovery by MPLS OAM/Ethernet OAM to improve network operation maintenance capability.

Common networking of multi-service bearer metro Ethernet is as shown in Figure 6-1.

Figure 6-1 Application in metro network

6.2 Application in Data Center

Due to the development of broadband communications networks, more and more people are using fixed networks and broadband networks. As a result, interactive services and all sorts of Internet applications are booming. Customers raise higher demands for resources, system operation and maintenance. The data center nowadays has to face unexpected pressure from capacity extension, power consumption and maintenance. ZXR10 8900E series switch, with high-density 10G ports and high-performance switching capacity, can be deployed in the core/aggregation layer of the data center network. It helps users to reduce their TCO and eliminate problems in capacity extension and OAM.

89E features large bandwidth, high performance and large capacity. So it can provide high-speed path for data center and cloud computing, ensuring non-blocking traffic.

With rich NM services, 8900E provides graphic network management, which enables data center maintenance engineer to carry out equipment maintenance. By providing northbound interface, it realizes unified network management.

As a green and energy-saving product, 8900E with 40nm chip is designed with controllable line card and port, which effectively reduces the power consumption of the devices in the data center.

Common data center networking mode is as shown in Figure 6-2.

Figure 6-2 Application of Data Center

6.3 Application in Campus Network

Community network core layer requires large bandwidth and high-density ports. The entire network must support user access authentication and security guarantee policies. ZXR10 8900E series switch can be deployed in the community network core layer to implement high-speed service forwarding and service protection. The features of 8900E in enterprise network are:

The enterprise user should pay more attention to cost reduction and internal security enhancement. With rich security features, ZXR10 8900E supports DHCP server and snooping, which makes address management more convenient. It supports multiple authentication mechanisms such as RADIUS and TACACS+ to realize authorized management. In addition, IP source guard, DAI and anti-DoS attack security guard services are provided to reduce network attacks. By supporting SQA, 8900E series switch can know the operation status of application servers and reduce network failure.

Provide complete IPv6 solution. Via dual-stack technology and multiple v4/v6 tunnel technologies, it realizes seamless migration from IPv4 to IPv6. It helps universities to develop IPv6 research and facilitate IPv6 development.

The common enterprise networking mode is as shown in Figure 6-3.

Figure 6-3 Enterprise network Application

6.4 Application in FTTx

Due to the increasing growth of services, users nowadays have higher requirements for access bandwidth and QoS quality. Traditional DSL access bandwidth is far behind the requirement of future service development. As the cost of optical access keeps going down, E-FTTx access becomes the mainstream development in the future. ZXR10 8900E supports the green and eco-friendly E-FTTx access mode, which in other words enables the access of the existing cable fibers while satisfying 100M/1000M optical access scenarios.

With rich interface cards, ZXR10 8900E provides highly integrated and large-bandwidth access mode, which effectively meets the requirements of FTTx for high density and high extensibility.

Via rich QoS features, ZXR10 8900E realizes differentiated multiservice control as per different service requirements. It provides perfect user experience for low-latency and low-jitter services.

ZXR10 8900E supports SVLAN and MFF technologies to isolate service and user. It makes the network much safer.

Ethernet intelligent ring protection technology ZESR/ZESS satisfies different users with different requirements for reliability.

Switch-based IP over DWDM enables lower costs in network construction and maintenance. It is known for more powerful scalability too.

Common FTTx networking mode is as shown in Figure 6-4.

Figure 6-4 FTTx Application

6.5 Application in IP RAN

IP backhaul focuses on the interconnection between base station and wireless service control point (Gateway) to realize the implementation of mobile IP voice and data services. In traditional 2G network, BTS uses TDM E1/T1 to access BSC (Base Station Controller). With the development of wireless network, IP Node B gradually becomes popular in 3G network as it can provide Ethernet interface to enable upstream traffic via the switch. The wireless traffic accesses/aggregates to RNC. IP backhaul network requires clock synchronization, high scalability and high reliability. ZXR10 8900E can be deployed on the aggregation node of IP Backhaul to serve the entire network.

IP backhaul requires end-to-end clock synchronization. 8900E provides SyncE+1588v2 solution which synchronizes high-precision clock signals like BITS to all base stations.

The BS access ring and aggregation ring have ring protection requirements. 8900E realizes 50ms switchover via ZESR+ (EAPS) Ethernet ring.

By supporting superVLAN and QinQ technologies, 8900E reduces the load of the gateway when multiple base stations get accessed, which consumes less IP address, realizes unified base station management and makes the network more scalable.

8900E supports VPLS/H-VPLS and MPLS L3VPN technologies to give better support to multipoint-to-multipoint access.

Common IP Backhaul networking mode is as shown in Figure 6-5.

Figure 6-5 Application in IP RAN

7 Operation and Maintenance

7.1 NetNumen U31 Unified Network Management Platform

IP network is going to bear more and more services. At the same time, due to large-scale network, complicated configuration and high market expectation, network management becomes more complicated and its workload bigger. Manual operation and passive maintenance obviously cannot guarantee reliable operation of the entire system.

Maintenance staff nowadays have to think of ways to arrange fast service deployment in the network, guarantee reliable network operation, forecast network operation quality and find out the network failure in the shortest time when problems occur. So active network monitoring, automatic network failure inspection and settlement must be implemented to ensure sound network operation and maximum network benefit.

In response to these demands, ZTE has developed the NetNumen U31 unified network management system. Covering multiple products such as routers, switches and ZXR10 8900E, NetNumen U31 is an integrated network management system that combines network element management, network management and service management. It supports multiple databases, a graphic interface in multiple languages and convenient operation. By providing a flexible northbound interface, it is capable of powerful interconnection.

7.1.1 Network Management Networking Mode

Either inband management or outband management can be used between the NetNumen U31 NM system and ZXR10 8900E.

7.1.1.1 Inband Management

For inband management, network management information and service data are transferred in the same channel, so no extra DCN network is required. The NetNumen U31 NM system only needs to connect to a nearby network device and have SNMP parameters configured.

The advantages of inband management are flexible networking and no extra investment. However, network management information takes up too much bandwidth, which may seriously affect service quality.


7.1.1.2 Outband Management

For outband management, network management information is independent of service data and is transferred in a dedicated network management network, so an extra DCN network is required. The NetNumen U31 network management system connects to the outband management interface of ZXR10 8900E, so that network management information and service information are transferred independently.

The advantage of outband management is that device management by the network management station is not affected by a breakdown of the service channel, so network management information is transferred more reliably. However, an independent network management network is heavily restricted by area and location, and extra investment is needed.

7.1.2 NetNumen U31 Network Management System

The NetNumen U31 network management system developed by ZTE is an integrated management system covering multiple ZTE products such as routers, switches and CE. Spanning NE management, network management and service management, it provides the following services.

Failure management ensures stable network operation.

In network maintenance, management staff need to know the running status of the network to ensure stable operation. The failure management service of NetNumen U31 receives real-time device alarms and network events from all NEs in the entire network. With these audible and visible notifications, maintenance staff can handle alarms appropriately after confirming them, e.g. by filing alarm reports for later alarm statistics and queries. Failure management is a very important and commonly used method in network operation and maintenance: through it, users learn the running and failure status of ZXR10 8900E and perform real-time monitoring, fault filtering, fault location, fault confirmation, fault deletion and fault analysis. NetNumen U31 also provides voice prompts, a graphic alarm board and real-time access to the alarm box system, e-mail and SMS to notify users in time, which makes daily maintenance more convenient.

Performance management gives overall understanding of network services.

Traffic direction and traffic load are two key issues in network management. The performance management unit of NetNumen U31 monitors and analyzes the performance of the data network and its devices. The performance data collected from NEs is processed into reports that the maintenance and management departments can use for future network construction, planning, adjustment and quality improvement. With performance management, users can collect statistics on device load, traffic direction, interface load and so on. In this way, they obtain the real-time service quality of the network and can evaluate the network resource configuration in time.


Resource management enables rational use of network resource.

The resource management system, which manages physical and logical resources, is a critical foundation of the operator's service process. It is the primary precondition for automatic service initiation and service guarantee. With resource management, users not only know the management situation of devices, boards and interfaces in the network, but also understand the running status of logical resources such as VLANs, L2/L3 VPNs and MAC addresses.

View management makes network running status clear.

View management provides a unified network topology and multi-view management, which lets users see the entire network topology and the running status of devices. It also offers operation and maintenance interfaces for the network and devices. Users can learn the running status and alarm situation of network devices through view management, which also leads to the other management systems.

Configuration management enables fast service deployment.

Configuration management covers ZXR10 8900E configuration, including device management, interface management, VLAN management, L2 attribute management, MPLS management, routing protocol management, QoS management, software upgrade management and configuration file management. It also supports multiple customer-friendly configuration modes such as end-to-end configuration, batch configuration and wizard-based configuration. Default configuration templates for the corresponding management functions are provided as well.

Security management makes the network safer.

Security management ensures legitimate use of the system. It implements user, user group and role management. By arranging rational relationships among users, user groups and roles, it provides a security mechanism for safe management by the administrator. Login-based authentication prevents unauthorized users from accessing the system, and authorization of operations ensures that operations are secure.

Northbound interface makes integration easy.

With telecom services booming, one operator sometimes has to manage multiple NE-based or network-based professional network management systems. Isolated information in the different professional NMs, complicated contents and diversified operating interfaces create more and more restrictions. To make management of the entire network more efficient, one network management station can be used to control all interconnected networks, so that end-to-end integrated management can be implemented.

Interfaces are used between the integrated NM and the professional networks. The network should provide standard, open northbound interfaces for the integrated network management system, so that they can be integrated rapidly and reliably. NetNumen U31 supports multiple northbound interfaces, e.g. CORBA, SNMP, TL1, XML and FTP.

7.2 Maintenance and Management

7.2.1 Multiple Configuration Modes

ZXR10 8900E provides multiple modes for device access and management configuration, so that customers can choose the proper connection method for each application scenario.

Multiple configuration and management modes:

Serial connection configuration: in VT100 terminal mode, the serial connection can be configured with the HyperTerminal tool provided by the Windows operating system. Bare-metal devices, or devices that have no connection or configuration yet, must use this connection mode.

Telnet connection configuration:

− Telnet to the IP address of the management Ethernet port (10/100/1000Base-T) on the MPU to configure the switch.

− Configure an IP address on a VLAN interface and set a user name and password, then Telnet to the IP address of the VLAN interface to configure the switch. Remote users who want to access and communicate with the device have to choose this connection method.

SSH (Secure Shell) protocol connection configuration: start the SSH server service on ZXR10 8900E, then connect to the IP address of a VLAN port or of the management Ethernet port with SSH client software to configure the switch more securely. When remote customers have higher security requirements, this connection mode should be preferred.

SNMP connection configuration: the background network management server is called the SNMP server, and the front-end device, ZXR10 8900E, is the SNMP client. Sharing one MIB, the front-end device and the background server carry out management configuration of ZXR10 8900E through the network management software. This mode lets users apply network management software for effective management and configuration.


7.2.2 Monitoring and Maintenance

ZXR10 8900E supports multiple types of equipment monitoring, management and maintenance. These services enable the device to take the correct action in any abnormal circumstance and provide all parameters related to equipment operation.

7.2.2.1 Equipment Monitoring

There are indicators on the power supply unit, fan, MPU and all types of interface card to show the operating status of the components.

MPU hot-swap and switchover events are recorded.

When the fan, power supply unit or temperature is abnormal, an audible alarm and a software alarm are generated.

Check the cross-division feature of the version when the system is running.

Check module temperature automatically while the system is running. Provide temperature control and software alarm services.

The system monitors the running status of the software. If a serious abnormality occurs, the line card is restarted and the MPU is switched over.

7.2.2.2 Equipment Management and Maintenance

The command line provides flexible online help.

Provide hierarchical management of user authority and commands.

Support information center. Provide unified management of log, alarm and debugging information.

Support switch cluster management. Provide unified maintenance management channel for multiple devices.

Query basic information of the MPU, interface cards and optical modules via the CLI.

Enable querying of multiple kinds of information, including version, component status, environment temperature, and CPU and memory utilization.

Support one-touch device information collection. The command result can either be displayed on the device or written to a file. Hardware environment, software information, version information, data configuration, real-time device running status and protocol information can be displayed. This information can be exported in full or in part.


ZXR10 8900E provides multiple diagnosis and debugging methods, which give users more ways to troubleshoot the device and more debugging information.

Ping and TraceRoute: confirm network connectivity and record the packet transmission path as a reference for fault location.

Debug: each software module has rich debug commands. Each debug command supports multiple debugging parameters, so it can be controlled flexibly. Debugging commands can be used to output specific device operating processes, message processing, tolerance inspection, etc.

Mirroring service: interface-based mirroring is supported. The inbound, outbound or bidirectional messages of the observed interface are completely replicated to the observing interface. With support for RSPAN and ERSPAN, remote port mirroring can be implemented.

OAM service: check network status via multiple OAM messages. Device, link and network faults can be monitored, which helps users locate failures rapidly.

SQA: the SQA service can send all sorts of probe messages to check whether multiple applications and services are online.

7.2.3 Software Upgrade

ZXR10 8900E enables software upgrade in normal and abnormal circumstances.

Version upgrade when the system is abnormal: when the device cannot start, the boot mode can be changed so that a new version is downloaded through the management Ethernet port to perform the upgrade.

Version upgrade when the system is normal: local or remote FTP online upgrade is available while the device is working correctly.

7.2.4 File System Management

1. File System Introduction

In ZXR10 8900E, the software and configuration files are saved in FLASH. Upgrading the software version and saving the configuration both require FLASH operations. FLASH contains three default categories: IMG, CFG and DATA.

IMG: this category stores the software version file. The software version file, which ends with .zar, is a special compressed file. Version upgrade means upgrading the software version file in this category.

CFG: this category stores the configuration file, which is named startrun.dat.


DATA: this category stores information about equipment abnormalities. The file format is “time.zte”.

2. File System Operation

File backup and recovery: FTP/TFTP is used to back up the software version file, configuration file and log file of ZXR10 8900E to a background server, or to restore the backup files from the background server.

File export and import: files can be exported and imported by copying them to or from the background host via FTP/TFTP. The export and import services can be used to obtain alarm files and to modify configuration files.


8 Glossary

Table 8-1 Abbreviations

Abbreviations   Full Characteristics
ACL             Access Control List
APS             Automatic Protect Switch
ASIC            Application Specific Integrated Circuit
ATM             Asynchronous Transfer Mode
BFD             Bidirectional Forwarding Detection
BGP             Border Gateway Protocol
BPDU            Bridge PDU
CAN             Controller-area Network
CAPEX           Capital Expenditures
CDN             Content Distribution Network
CDR             Call Detail Record
CE              Carrier Ethernet
CV              Connectivity Verification
DoS             Denial of Service
DPI             Deep Packet Inspection
DVMRP           Distance vector Multicast Routing Protocol
EAPS            Ethernet Automatic Protection Switching
ECMP            Equal Cost of Multi-path
ESRP            Ethernet standby Routing Protocol
FFD             Fast Failure Detection
FRR             Fast Reroute
GPS             Global Position System
GR              Graceful restart
H-VPLS          Hierarchical Virtual Private Lan Service
ICMP            Internet Control Message Protocol
IGMP            Internet Group Management Protocol
ISIS            Intermediate System-Intermediate System
LACP            Link Aggregation Control Protocol
LSP             Label Switch Path
MPLS            Multi-Protocol Label Switching
MSTP            Multiple Spanning Tree Protocol
MTU             Maximum Transmission Unit
NE              Network Element
NGN             Next Generation Network
OAM             Operations Administration and Maintenance
OPEX            Operation Expense
OSPF            Open Shortest Path First
PIM             Protocol Independent Multicast
PIM-DM          Protocol Independent Multicast-Dense Mode
PIM-SM          Protocol Independent Multicast-Sparse Mode
PIM-SSM         Protocol Independent Multicast-Source Specific Multicast
PSN             Packet Switch Network
PUPSPV          Per User Per Service Per VLAN
PVLAN           Private VLAN
PW              Pseudo-wire
PWE3            PW Emulation End to End
RED             Random Early Detection
RIP             Routing Information Protocol
RNC             Radio Network Controller
RP              Rendezvous Point
RSTP            Rapid Spanning Tree Protocol
SDH             Synchronous Digital Hierarchy
SLA             Service Level Agreement
SMS             Service Management System
SNMP            Simple Network Management Protocol
SSM             Source Specific Multicast
STP             Spanning Tree Protocol
SyncE           Synchronous Ethernet
SVLAN           Select VLAN
TCO             Total Cost of Ownership
TCP             Transport Control Protocol
TDM             Time Division Multiplex and Multiplexer
TL1             Transaction Language 1
TM              Traffic Manager
UDP             User Datagram Protocol
URPF            Unicast Reverse Path Forwarding
VOIP            Voice over IP
VPLS            Virtual Private Lan Service
VPN             Virtual Private Network
VPWS            Virtual Private Wire Service
VRF             Virtual Routing and Forwarding
VRRP            Virtual Router Redundancy Protocol
WRED            Weighted Random Early Detection
WFQ             Weighted Fair Queuing
ZESR            ZTE Ethernet Smart Ring
ZESS            ZTE Ethernet Smart Switching
ZXROS           ZTE Router Operating System