Issue 01, Date 2007-09-10
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. Please feel free to contact our local office or company headquarters.
Copyright
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure the accuracy of its contents, but the statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Issue 01 (2007-09-10)
Commercial in Confidence
Page 3 of 154
Summary
This document describes the product features, hardware architecture, link features, software features, operation and maintenance, network management, networking applications, and technical specifications of the Quidway NetEngine80E core router. It contains the following chapters:
1 Product Features: introduces the product positioning and features of the NE80E.
2 System Architecture: describes the physical, logical, and software architecture of the NE80E.
3 Hardware Architecture: describes the chassis, fans, power modules, and board types of the NE80E.
4 Link Features: describes the link features of the NE80E.
5 Primary Service Features: describes the service features of the NE80E.
6 Maintenance and Network Management System: describes the operation and maintenance, and the network management, of the NE80E.
7 Networking Applications: describes the networking applications of the NE80E.
History
Issue 01: created 2007-09-10. Author: Du fang. Approved by: Wen zhixiang.
Contents
1 Product Features ... 13
1.1 Positioning ... 13
1.2 Abundant Services ... 13
1.3 High-Density LPUs ... 13
1.4 Powerful Forwarding Capacity ... 14
1.5 Perfect QoS Mechanism ... 15
1.6 Excellent Security Design ... 15
1.7 Good IPv4 and IPv6 Compatibility ... 16
1.8 Compatibility and Expansion Capacity ... 16
1.9 High Reliability ... 16
Quidway NetEngine80E Core Router V300R003 Product Description
3.6.3 LPU ... 32
3.6.4 Service Boards ... 37
4 Link Features ... 38
4.1 Ethernet Link Features ... 38
4.1.1 Basic Features ... 38
4.1.2 Ethernet Bundling ... 38
4.1.3 Virtual Ethernet Interfaces ... 39
4.2 FR Link Features ... 39
4.3 POS Link Features ... 40
4.3.1 SDH/SONET ... 40
4.3.2 POS Interface ... 40
4.3.3 POS Sub-interface ... 41
4.3.4 IP Trunk ... 41
4.4 CPOS Link Features ... 41
4.4.1 Channelization ... 42
4.4.2 PPP/HDLC ... 42
4.5 ATM Link Features ... 42
4.5.1 SDH/SONET ... 42
4.5.2 PVP/PVC ... 42
4.5.3 IPoA ... 43
4.5.4 ATM Sub-interface ... 43
4.5.5 ATM OAM ... 43
4.5.6 1483B ... 43
4.5.7 ATM Cell Relay ... 44
4.6 RPR Link Features ... 45
4.6.1 RPR Fairness Algorithm ... 46
4.6.2 Protection Mechanism ... 47
4.7 CE1/CT1/E3/T3 Link Features ... 48
4.7.1 PPP/HDLC/FR ... 49
4.7.2 Channelized Links ... 49
4.7.3 Link Binding ... 49
5.1.9 V-Switch ... 62
5.2 IP Features ... 62
5.2.1 IPv4/IPv6 Dual-Protocol Stacks ... 62
5.2.2 IPv4 Features ... 63
5.2.3 IPv6 Features ... 63
5.2.4 GRE ... 63
5.2.5 IPv4-IPv6 Transition Technologies ... 66
5.3 Routing Protocols ... 69
5.3.1 Unicast Routing ... 69
5.3.2 Multicast Routing ... 69
5.4 MPLS Features ... 73
5.4.1 Basic Functions ... 73
5.4.2 MPLS TE ... 74
5.4.3 MPLS OAM ... 77
5.5 VPN Features ... 78
5.5.1 Tunnel Policy ... 78
5.5.2 VPN Tunnel ... 78
5.5.3 MPLS L2VPN ... 79
5.5.4 MPLS/BGP L3VPN ... 87
5.5.5 L2VPN Access to the L3VPN ... 93
5.5.6 VPN QoS ... 95
5.6 IPTN Features ... 98
5.7 QoS Features ... 100
5.7.1 DiffServ Model ... 101
5.7.2 Traffic Classification ... 101
5.7.3 Traffic Policing ... 102
5.7.4 Queue Scheduling ... 103
5.7.5 Congestion Management ... 104
5.7.6 Traffic Shaping ... 104
5.7.7 HQoS ... 104
5.7.8 QPPB ... 105
5.7.9 Ethernet QoS ... 106
5.7.10 ATM QoS ... 107
5.7.11 FR QoS ... 108
5.8 Traffic Statistics ... 110
5.8.1 URPF Traffic Statistics ... 110
5.8.2 ACL Traffic Statistics ... 111
5.8.3 CAR Traffic Statistics ... 111
5.8.4 HQoS Traffic Statistics ... 113
5.8.5 Interface-based Traffic Statistics ... 113
5.8.6 VPN Traffic Statistics ... 113
5.8.7 TE Tunnel Traffic Statistics ... 113
5.9 IP Compression ... 113
5.10 Network Security ... 115
5.10.1 AAA ... 116
5.10.2 Protocol Security Authentication ... 116
5.10.3 URPF ... 117
5.10.4 MAC Limit ... 117
5.10.5 Unknown Traffic Limit ... 118
5.10.6 DHCP Snooping ... 118
5.10.7 Local Anti-attack ... 119
5.10.8 GTSM ... 120
5.10.9 ARP Anti-attack ... 120
5.10.10 Mirroring ... 121
5.10.11 NetStream ... 121
5.10.12 Lawful Interception ... 123
5.11 Network Reliability ... 124
5.11.1 Backup of Key Modules ... 124
5.11.2 High Reliability of the LPU ... 125
5.11.3 Customized Alarm Damping ... 125
5.11.4 Ethernet OAM ... 126
5.11.5 VRRP ... 128
5.11.6 VGMP ... 129
5.11.7 GR ... 129
5.11.8 BFD ... 130
5.11.9 FRR ... 131
8.1 Physical Specifications ... 146
8.2 System Configuration ... 147
8.3 Specifications of System Features and Service Performances ... 148
8.3.1 Specifications of System Features ... 148
8.3.2 Specifications of Service Performances ... 153
1 Product Features
1.1 Positioning
The Huawei Quidway NetEngine80E core router (hereinafter referred to as the NE80E) is a high-end router with 10-Gbit/s interfaces designed for core and backbone networks. The NE80E is positioned as a core, edge, or convergence router on the Metropolitan Area Network (MAN). Based on the Versatile Routing Platform (VRP), the NE80E offers:
- Abundant services
- Large capacity
- High performance
- High reliability
1.2 Abundant Services
- IPv4/IPv6 unicast and multicast routing protocols, MPLS, and MPLS TE
- Complete VPN services, such as L2VPN (VPLS and VLL), L3VPN, multicast VPN, HoVPN, and multi-role host services
- Abundant Layer 2 service features, such as Layer 2 VLAN, selective QinQ, QinQ termination, MACinMAC, RRPP, and STP/MSTP
IPv4 = Internet Protocol version 4; IPv6 = Internet Protocol version 6; MPLS = MultiProtocol Label Switching; TE = Traffic Engineering; VPN = Virtual Private Network; VPLS = Virtual Private LAN Service; VLL = Virtual Leased Line; HoVPN = Hierarchy of VPN; VLAN = virtual LAN; LAN = Local Area Network; QinQ = 802.1Q in 802.1Q; RRPP = Rapid Ring Protection Protocol; STP = Spanning Tree Protocol; MSTP = Multiple Spanning Tree Protocol
1.3 High-Density LPUs
LAN and MAN interfaces:
- 10M/100M/1000M/10G Ethernet interfaces
- 10G POS/2.5G POS/GE RPR interfaces
WAN interfaces:
- POS: 155M/622M/2.5G/10G POS interfaces
- CPOS: 155M/2.5M CPOS interfaces
- ATM: 155M/622M ATM interfaces
- TDM: CE1/CT1/E1/T1/E3/T3 TDM interfaces
RPR = Resilient Packet Ring; WAN = Wide Area Network; POS = Packet over SONET/SDH; CPOS = channelized POS; ATM = Asynchronous Transfer Mode; TDM = Time Division Multiplexing
Table 1-1 Interfaces that the NE80E supports
Interface Type | Quantity per Board | Quantity in the System
10G POS        | 2                  | 32
2.5G POS       | 4                  | 64
622M POS       | 4                  | 64
155M POS       | 16                 | 256
10GE           | 2                  | 32
GE             | 24                 | 384
10G RPR        | 1                  | 16
2.5G RPR       | 4                  | 64
GE RPR         | 4                  | 64
622M ATM       | 8                  | 128
155M ATM       | 16                 | 256
1.4 Powerful Forwarding Capacity
- Full-duplex line-rate forwarding, including IPv4/IPv6/MPLS/Layer 2 forwarding, on all interfaces
- Bidirectional ACL-based line-rate forwarding
- Line-rate multicasting. The hardware performs two-level packet replication: the SFU replicates multicast packets to the LPUs, and the forwarding engine of each LPU replicates them to its interfaces.
- A single slot supports a 2 x 10-Gbit/s LPU, and the whole system supports up to sixteen 2 x 10-Gbit/s LPUs. The forwarding capacity reaches 2.56 Tbit/s and the backplane capacity is 4 Tbit/s.
- The forwarding engine provides a 200 ms packet buffer, so bursts of up to that length can be absorbed without packet loss.
1.5 Perfect QoS Mechanism
- PQ and WRR/WFQ: guarantee fair scheduling and ensure that high-precedence services are served first.
- Three-stage switching network based on CIOQ: avoids head-of-line blocking.
- Flow-based scheduling: facilitates MPLS TE and supports both DiffServ and IntServ.
- Eight precedence scheduling queues: prevent high-precedence traffic from being interfered with.
- Hardware-based QoS functions: ensure line-rate packet forwarding when QoS is enabled.
- HQoS with five-level scheduling.
PQ = Priority Queue; WRR = Weighted Round Robin; WFQ = Weighted Fair Queuing; CIOQ = Combined Input and Output Queuing; DiffServ = Differentiated Services; IntServ = Integrated Services; QoS = Quality of Service; HQoS = Hierarchical QoS
This QoS mechanism meets the demands of the IP Telephony Network (IPTN): it controls the delay, jitter, bandwidth, and packet drop ratio of different services and so supports the rollout of carrier-class services such as Voice over IP (VoIP).
1.6 Excellent Security Design
- Three user authentication modes: local authentication, RADIUS authentication, and HWTACACS authentication
- Hardware-based packet filtering and mirroring that do not affect forwarding capacity
- Multiple authentication methods, including plain-text authentication and MD5 authentication, for upper-layer routing protocols such as OSPF, IS-IS, RIP, and BGP-4. Plain-text authentication only guards against accidental misconfiguration, because the key travels in the clear and is visible to anyone who can capture the protocol packets; keyed MD5 is the option to use wherever a peer could be spoofed.
- ACLs on the forwarding plane and the control plane
- Local anti-attack
- Lawful interception
- URPF
- DHCP snooping and MAC address limit
- GTSM
RADIUS = Remote Authentication Dial In User Service; HWTACACS = Huawei Terminal Access Controller Access Control System; MD5 = Message Digest 5; OSPF = Open Shortest Path First; IS-IS = Intermediate System-to-Intermediate System; RIP = Routing Information Protocol; BGP = Border Gateway Protocol; ACL = Access Control List; URPF = Unicast Reverse Path Forwarding; DHCP = Dynamic Host Configuration Protocol; GTSM = Generalized TTL Security Mechanism
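Two of the features listed above, GTSM and URPF, are both "check the packet against where it claims to come from" filters, and it is easier to see what each one catches with concrete packets. The following Python is an added example written for this page; it is not code from the NE80E documentation or from Huawei. The Packet and RouteTable shapes, the interface names, the sample prefixes and packets, and the convention that `hops` counts the peer itself (hops=1 is a directly connected neighbour, so only TTL 255 is accepted) are all assumptions made for the illustration.

```python
"""GTSM and URPF source checks, shown over constructed packets.

Added example for this section; not code from the NE80E documentation
or from Huawei. Assumed: Packet/RouteTable shapes, interface names, the
sample prefixes and packets, and that `hops` counts the peer itself.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Optional, Tuple

MAX_TTL = 255  # a GTSM-enabled sender originates control packets with TTL 255


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    ttl: int        # TTL field as seen on arrival
    in_iface: str   # interface the packet arrived on


def gtsm_accept(pkt: Packet, hops: int) -> bool:
    """GTSM: accept only if the remaining TTL proves the sender is at most
    `hops` routers away. Every intermediate router decrements the TTL, and
    an attacker cannot make a packet arrive with more TTL than its path
    leaves, so spoofed protocol packets from farther away are discarded
    before the protocol (BGP, OSPF, LDP, ...) ever parses them."""
    if not 1 <= hops <= MAX_TTL:
        raise ValueError("hops must be in 1..255")
    return pkt.ttl >= MAX_TTL - hops + 1


class RouteTable:
    """Minimal longest-prefix-match table of (prefix, outgoing interface)."""

    def __init__(self, routes: Iterable[Tuple[str, str]]) -> None:
        self._routes: List[Tuple[IPv4Network, str]] = sorted(
            ((IPv4Network(prefix), iface) for prefix, iface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Tuple[IPv4Network, str]]:
        a = IPv4Address(addr)
        for net, iface in self._routes:
            if a in net:
                return net, iface
        return None


def urpf_accept(pkt: Packet, fib: RouteTable, mode: str = "strict") -> bool:
    """URPF: look up the *source* address in the forwarding table.
    strict: the packet must arrive on the interface the table would use to
            reach its source (suits single-homed edges with symmetric paths).
    loose:  any non-default route to the source is enough (suits transit
            links where asymmetric routing is normal).
    A match only on the default route is treated as no route here; real
    implementations make that configurable."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    hit = fib.lookup(pkt.src)
    if hit is None or hit[0].prefixlen == 0:
        return False
    if mode == "loose":
        return True
    return hit[1] == pkt.in_iface


# Constructed sample FIB and traffic (not taken from any real device).
SAMPLE_FIB = RouteTable([
    ("10.0.0.0/8", "GE1/0/0"),
    ("192.168.1.0/24", "GE2/0/0"),
    ("0.0.0.0/0", "POS3/0/0"),
])

SAMPLE_PACKETS = [
    Packet("10.1.2.3", 255, "GE1/0/0"),      # legitimate, directly connected
    Packet("10.1.2.3", 254, "GE2/0/0"),      # wrong ingress, one hop away
    Packet("203.0.113.9", 250, "GE1/0/0"),   # only the default route matches
]


def evaluate(packets: Iterable[Packet], fib: RouteTable,
             gtsm_hops: int = 1) -> List[Dict[str, bool]]:
    """Run all three checks on each packet and return the verdicts."""
    return [{"gtsm": gtsm_accept(p, gtsm_hops),
             "urpf_strict": urpf_accept(p, fib, "strict"),
             "urpf_loose": urpf_accept(p, fib, "loose")}
            for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS, SAMPLE_FIB)):
        print(pkt, verdict)
```

The second sample packet is the instructive one: it carries a routable source, so loose URPF lets it through, but strict URPF rejects it because it arrived on the wrong interface, and GTSM rejects it because a TTL of 254 means at least one router sat between the sender and this box, which a directly connected peer never has.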
1.7 Good IPv4 and IPv6 Compatibility
- The NE80E provides various IPv6 over IPv4 tunnels and IPv4 over IPv6 tunnels.
- Its large routing and forwarding tables enable the NE80E to serve as a VPN Provider Edge (PE) and support future expansion of services.
- The NE80E supports distributed forwarding of both IPv4/IPv6 and MPLS. Its routing capability allows it to be deployed in the backbone network.
- The NE80E supports IPv4/IPv6 dynamic unicast and multicast routing protocols.
1.8 Compatibility and Expansion Capacity
- The large backplane capacity of the NE80E reserves enough bandwidth for future capacity expansion.
- The NE80E forwards services through a programmable network processor (NP), so new services can be carried by installing software.
- With the traffic manager (TM) separated from the packet forwarding engine (PFE), the NE80E supports two kinds of PFE, ASIC and NP, for different applications.
1.9 High Reliability
monitors, and maintains boards, fans, the Liquid Crystal Display (LCD), and the power module. The system complies with electromagnetic compatibility (EMC) requirements, and its modular design provides EMC between boards. The NE80E meets the high-reliability requirements of carrier-class, high-end routers. Table 1-2 lists its reliability specifications.
Table 1-2 Reliability specifications
Item | Description
Availability | 0.99999768
Mean Time Between Failures (MTBF) | 24.59 years
Mean Time To Repair (MTTR) | 0.5 hour
Downtime | 1.22 minutes/year
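The four figures in Table 1-2 are not independent: availability follows from MTBF and MTTR, and yearly downtime follows from availability. The Python below is an added example for this page, not code from the NE80E documentation or from Huawei; it recomputes the table from its MTBF and MTTR so the reader can confirm the numbers agree, and adds a helper for the availability of a 1+1 backed-up unit. It assumes an 8760-hour year and, for the redundancy helper, that the two backed-up units fail independently.

```python
"""Availability arithmetic behind Table 1-2.

Added example; not from the NE80E documentation or from Huawei. Assumed:
an 8760-hour year and independent failures for the redundancy helper.
"""
from typing import Dict

HOURS_PER_YEAR = 365 * 24  # assumed 365-day year


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability: the fraction of time the unit is up."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def downtime_minutes_per_year(avail: float) -> float:
    """Unavailability expressed as minutes of outage per year."""
    return (1.0 - avail) * HOURS_PER_YEAR * 60


def redundant_availability(unit_avail: float, copies: int = 2) -> float:
    """Availability of `copies` identical units in parallel (1+1, N+1),
    assuming independent failures: the system is down only when all are."""
    if copies < 1:
        raise ValueError("need at least one copy")
    return 1.0 - (1.0 - unit_avail) ** copies


def check_table_1_2() -> Dict[str, float]:
    """Recompute Table 1-2 from its MTBF (24.59 years) and MTTR (0.5 hour)."""
    mtbf_h = 24.59 * HOURS_PER_YEAR
    a = availability(mtbf_h, 0.5)
    return {
        "availability": a,                                      # table: 0.99999768
        "downtime_min_per_year": downtime_minutes_per_year(a),  # table: 1.22
        "availability_1_plus_1": redundant_availability(a, 2),
    }


if __name__ == "__main__":
    for name, value in check_table_1_2().items():
        print(f"{name}: {value:.10f}")
```

The recomputed availability and downtime match the table to the precision it quotes, which is the check a practitioner should make before relying on a vendor's "five nines" figure; the 1+1 helper shows why the MPU, SFU, fan and power redundancy in Table 1-3 matters, since the availability of a backed-up pair depends on the square of the single-unit unavailability.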
The NE80E provides the following features to ensure high reliability.
Table 1-3 Reliability features
System protection mechanism
- Hot-swappable boards, power modules, and fans
- 1:1 backup of the MPUs
- 3+1 load balancing and backup of the Switch Fabric Units (SFUs)
- 3+3 power backup and switched-mode power supply (SMPS) of the DC power module
- 1+1 backup of the fan modules
- 1+1 backup of the power modules
- Backup of clocks and management buses

Protections against abnormalities
- Restarts automatically when an abnormality occurs and recovers
- Resets a board when an abnormality occurs on the board and recovers
- Automatically restores the interface configuration
- Provides over-current and over-voltage protection for power and interface modules
- Provides protection against mis-insertion

Power alarm monitoring
- Provides alarm prompts, alarm indication, running status query, and alarm status query

Voltage and environment temperature monitoring
- Provides alarm prompts, alarm indication, running status query, and alarm status query

Reliability design
- Applies hardware-based forwarding
- Separates the control channel from the service channel to provide a non-blocking control channel
- Provides system and board fault detection, indicators, and NMS alarms

Reliable upgrade
- Supports in-service patching
- Supports version rollback
- Supports in-service upgrade of the BootROM

- The backplane provides 8BCP check
- Supports Error Checking and Correction (ECC) RAM

- Supports data hot backup between the active and standby units
- Supports synchronization between the LPUs and the main control boards

- Automatically selects and boots the correct application
- Supports automatic upgrade and restoration of the BootROM program
- Backs up configuration files to a remote FTP server
- Automatically selects and runs the correct configuration file
- Monitors the system software for abnormalities, with automatic restoration and logging

Operation security
- Provides password protection for system operations
- Provides hierarchical commands through configurable user levels and command levels
- Supports locking the configuration terminal by command to prevent unauthorized use
- Provides protection and prompts for improper operations, such as confirmation prompts for commands that may degrade system performance

- Applies the generic integrated Network Management System (NMS) platform developed by Huawei
2 System Architecture
Except for the network management system (NMS), all other systems are housed in the integrated cabinet. The following takes the DC power module as an example. Figure 2-1 Physical architecture
(Figure 2-1, image not reproduced: the integrated chassis fed by redundant -48 V / RTN DC inputs, with the Monitorbus connection.)
Both the power distribution system and the fan heat dissipation system are in 1+1 backup mode. The following introduces only the functional host system.
(Logical architecture figure, image not reproduced: LPU 1 to LPU 8, each with a monitoring unit, a management unit, a POS/Ethernet physical interface unit, and a forwarding unit; the master and slave MPUs, each with a system monitoring unit and a management bus switching unit; and the switching network with its monitoring unit and control unit.)
(1): The link connects to the management bus switching unit of the other MPU.
(Plane-view figure, image not reproduced: the monitoring plane with its monitoring units, the management plane with its management units and control unit, and the data plane with its forwarding units.)
(Software architecture figure, image not reproduced: the RPS on the active MPU and its standby, the power monitoring module, IPC between the modules, and an FSU and an EFU on each LPU.)
In terms of software, the NE80E consists of the Routing Process System (RPS), the power monitoring module, the fan monitoring module, the LCD control module, the Forwarding Support Unit (FSU), and the Express Forwarding Unit (EFU).
- The RPS is the control and management module that runs on the MPU. The RPSs of the active and standby MPUs back each other up. They support IPv4/IPv6, MPLS, LDP, and the routing protocols; calculate routes; set up LSPs and the SPT; generate the unicast, multicast, and MPLS forwarding tables; and deliver the routing information to the LPUs.
- The FSU implements the link-layer and IP protocol stack functions of an interface.
- The EFU performs hardware-based IPv4/IPv6 forwarding, multicast forwarding, MPLS forwarding, and statistics.
- System service plane: provides task and memory management, timers, and software loading and patching on top of the operating system. Its modular design facilitates system upgrade and customization.
- Versatile control plane: the core of the VRP datacom plane and the basis of security and QoS. It supports link management, the IPv4/IPv6 protocol stacks, routing protocol processing, MPLS, MPLS VPN, and MPLS TE. It controls the data forwarding plane and implements the various functions of the device.
- Data forwarding plane: forwards data under the control of the versatile control plane. VRPv5 supports both software-based and hardware-based forwarding. The data forwarding plane is the task executor of the NE80E.
- Service control plane: controls and manages the system as required, including authentication, authorization, and accounting.
- System management plane: manages the user interfaces and input/output. It is the basis of network management and maintenance.
The system adopts a modular design: components can be upgraded independently without affecting the running of other components, so the system is easy to maintain and supports smooth service expansion. In-service patching offers a flexible way to enhance service features and correct defects without taking the router out of service. The hardware is distributed, with the different modules running on different CPUs, which isolates faults and so supports both security and reliability.
CPU = Central Processing Unit.
3 Hardware Architecture
3.1 Chassis
The NE80E consists of an integrated chassis (with a backplane), power modules, a ventilation and heat dissipation system, and boards. The dimensions of the NE80E are 442 mm x 669 mm x 1600 mm (width x depth x height). The NE80E can be installed in a standard 19-inch cabinet or an N68-22 cabinet. The available inner height of an N68-22 cabinet is 46 U and its dimensions are 600 mm x 800 mm x 2200 mm (width x depth x height). Figure 3-1 shows the appearance of the NE80E.
3.2 Fans
3.2.1 Fan Module
There are two fan modules behind the LCD panel of the NE80E. The fan modules provide air ventilation and heat dissipation for the boards.
- The fan modules provide fan fault alarms.
- The main fan control board (FCB) module in the MPU controls the fan speed according to the temperature in the board cage.
- The operation and failure indicators are on the LCD panel.
- Each fan module has two centrifugal fans.
Figure 3-2 shows the appearance of the fan module. Figure 3-2 Appearance of the fan module
The fans integrated on the power module are located at the bottom of the chassis. The air channels of the power module and the board cage are separated from each other. The air flows from the front of the power module to the back for ventilation and heat dissipation.
The power module provides the following protections:
- Output over-current
- Output over-voltage
- Output under-voltage
- Input over-voltage
- Input under-voltage
- Over-temperature
- Short circuit
3.4 LCD
3.4.1 Introduction
The LCD displays the information and status of the boards, the environment, the fan modules, and the power modules. The LCD supports two display modes:
- Idle mode: the default mode, used to display the normal status of the system.
- Menu query mode: supports up to three levels of menus.
3.4.2 Appearance
Figure 3-5 shows the appearance of the LCD.
Figure 3-5 Appearance of the LCD
1. FAN1 indicator (RUN/ALM)
2. FAN2 indicator (RUN/ALM)
3. Push buttons

Figure (slot layout, residue): board cage with LPU, MPU, and SFU slots; the face plates shown are the 1-port OC-192c/STM-64c POS, 1-port 10GBase LAN, and 1-port 10GBase WAN LPUs.
3.6 Boards
The boards that the NE80E supports are described in the following subsections.
3.6.1 MPU
The MPU integrates multiple functional modules such as the clock module, LAN switch module, and Compact Flash (CF) module. As the system clock source and the management and maintenance unit, the MPU runs as the core of system control and management. It provides the functions of the control plane and the maintenance plane. The MPU controls and manages the system. It is designed in 1:1 backup mode. The MPU is composed of the main control unit, the system monitoring unit, the management bus switching unit, and the clock unit.
- The main control unit processes network protocols and manages the whole system. The main control unit of each MPU is connected to the management bus switching units of both the master and the slave MPU. It controls and manages all functional units, including the MPUs, SFUs, and LPUs, and also communicates with the system monitoring unit. The system monitoring unit reports the status and environment information of the monitoring plane to the management control plane, and the management control plane in turn sends control signals to the monitoring plane.
- The system monitoring unit collects the system monitoring information and interacts with the main control unit. In addition, it monitors the status and environment of its own MPU, and communicates with the monitoring units on other boards or subsystems through the Monitorbus.
- The management bus switching unit switches the management bus. It connects to the control units of the two MPUs, all LPUs, and the SFUs. There are thus two sets of management buses in the system, providing master/slave backup protection regardless of which main control board is in master mode.
Figure 3-7 Management bus connection (the management bus switching units of the active and standby MPUs connect to LPU1 to LPU16 and SFU1 to SFU4)
3.6.2 SFU
As the switching network unit of the NE80E, the SFU switches service data for the whole system. The SFUs operate in 3+1 load-balancing and backup mode and share the data processing; when an SFU is faulty or is replaced, the remaining three SFUs continue load balancing without interrupting services. Each SFU provides 640 Gbit/s or 160 Gbit/s of switching capacity, so the whole system supports line-rate switching of 2.56 Tbit/s or 640 Gbit/s respectively. You can select which type of SFU to use as required. A control channel on the SFU provides the following functions:
- Detecting voltage, current, and temperature
- Protecting against over-voltage, over-current, and over-heating
The SFU also provides the clock synchronization function; the clock synchronization units of two SFUs back up each other.
3.6.3 LPU
The NE80E provides various types of physical interfaces, such as GE, POS, CPOS, ATM, RPR, and CE1/CT1/E1/T1/E3/T3 interfaces, to interconnect network devices as required.
Function
The LPU board consists of the Physical Interface Card (PIC), the Line Processing Unit (LPU), and the Fabric Adaptor (FAD). Together they implement:
- Fast processing and forwarding of service data
- Maintenance and management of the link protocol and the service forwarding table
The main functions of each module are described in Table 3-2.

Table 3-2 Functions of all modules on the LPU

Module Name | Function Description
LPU module  | - Processing and encapsulation of multiple link protocols (such as Ethernet II and PPP)
            | - Traffic classification of packets, and packet filtering for traffic policing and ACLs
            | - Data buffer management and scheduling
            | - Data forwarding based on the forwarding table
            | - Identification of control protocol packets and their forwarding to the active CPU through the non-line-rate interface
            | - Traffic management: queuing and buffering of data according to the input traffic classification, and scheduling of buffered data based on congestion in the switching network
FAD module  | - Switching network interface adaptor: translation from the parallel SPI4.2 port to the high-speed serial port
            | - Part of the switching network: traffic control according to the queuing status, to ensure no data loss in the switching network
PIC         | - Implementation of the physical interface functions, including optical/electrical conversion and physical layer control
Common LPUs

Ethernet LPU
The NE80E supports the Ethernet LPUs shown in Table 3-3.

Table 3-3 Ethernet LPUs
- 1-port 10G Ethernet LAN Optical Interface LPU (XFP optical module)
- 1-port 10G Ethernet WAN Optical Interface LPU (XFP optical module)
- 24-port 10M/100M/1000M Ethernet Electrical Interface LPU
- 24-port Gigabit Ethernet Optical Interface LPU (SFP optical module)
- 5/10-port Gigabit Ethernet Optical Interface LPU (SFP optical module)
The 10G Ethernet optical interface LPUs are classified into WAN and LAN types. A WAN LPU adapts the data packets to SDH/SONET framing, so its interface can be connected either to the interface of another WAN card or to an SDH/SONET transmission device for Ethernet WAN interconnection. A LAN LPU performs optical/electrical conversion on Ethernet MAC frames and transmits the frames over the optical fiber; its interface can be connected only to the interface of another LAN LPU. Packets sent by the interfaces of both WAN and LAN LPUs can be carried over a Dense Wavelength Division Multiplexing (DWDM) line.
LAN = Local Area Network; SDH = Synchronous Digital Hierarchy; SONET = Synchronous Optical Network
POS LPU
POS LPUs connect the NE80E with SDH transmission devices or other devices. The NE80E provides the POS optical interface LPUs shown in Table 3-4.

Table 3-4 POS optical interface LPUs
- 1-port OC-192c/STM-64c POS Optical Interface LPU (XFP optical module)
- 1/2-port OC-192c/STM-64c POS Optical Interface PIM Card (XFP optical module)
- Enhanced 4-port OC-48c/STM-16c POS Optical Interface LPU (SFP optical module)
- 4-port OC-12c/STM-4c POS Optical Interface LPU (SFP optical module)
- Enhanced 4/8-port OC-3c/STM-1 POS Optical Interface LPU (SFP optical module)
RPR optical interface LPU
The RPR optical interface LPU provides access to an RPR ring network and supports efficient and reliable RPR networking solutions. The NE80E provides the RPR LPUs shown in Table 3-5.

Table 3-5 RPR LPUs
- 1-port OC-192c/STM-64c RPR Interface LPU (XFP optical module)
- 2/4-port OC-48c/STM-16c RPR Interface LPU (SFP optical module)
- 2/4-port GE/STM-16c RPR Interface LPU (SFP optical module)
Motherboard LPUF and its flexible cards
LPUF provides two slots, each of which can hold one of the full-height flexible cards listed in Table 3-6.

Table 3-6 Flexible cards supported by LPUF
- 3-port E3 Interface Flexible Card
- 3-port T3 Interface Flexible Card
Motherboard LPUF-D and its flexible cards
LPUF-D provides two slots, each of which can hold one of the full-height flexible cards listed in Table 3-7.

Table 3-7 Flexible cards supported by LPUF-D
- 8-port CE1 Interface Flexible Card
- 8-port CT1 Interface Flexible Card
- 1-port OC-3c/STM-1 CPOS Interface Flexible Card
Motherboard LPUF-10 and its flexible cards LPUF-10 provides two slots, in each of which one full-height or two half-height flexible cards can be inserted. The flexible cards supported by LPUF-10 are hot swappable. They support automatic configuration restoration and card intermixing.
Table 3-8 Flexible cards supported by LPUF-10
- 1-Port OC-192c/STM-64c POS-XFP Flexible Card: full-height card.
- 1-Port OC-48c/STM-16c POS-SFP Flexible Card: half-height card.
- 8-Port 100/1000Base-X-SFP Flexible Card: half-height card. It supports Ethernet clock synchronization; ports 0 and 1 support synchronization of both the sending and the receiving clock signals, and the other ports support synchronization of the sending clock signal only.
- 2-Port OC-12c/STM-4c ATM-SFP Flexible Card: half-height card.
- 4-Port OC-3c/STM-1c ATM-SFP Flexible Card: half-height card.
Motherboard LPUF-20 and its flexible cards
When the 40-Gbit/s SFU is used on the NE80E, the system supports LPUF-20. Each motherboard can hold two daughter cards. Table 3-9 lists the flexible cards that LPUF-20 supports.

Table 3-9 Flexible cards supported by LPUF-20
- 1-Port/2-Port 10GBase WAN/LAN-XFP Flexible Card: the interface can be configured to run in LAN or WAN mode through commands. The card supports Ethernet clock synchronization; ports 5 and 6 support synchronization of both the sending and the receiving clock signals, and the other ports support synchronization of the sending clock signal only.
TSU
The Tunnel Service Unit (TSU) is used to process the tunnel services related to Generic Routing Encapsulation (GRE), BFD, lawful interception, and multicast VPN.
NetStream SPU
NetStream enables the system to sample packets according to a certain percentage. The system sets up NetStream flows in accordance with the abstracted information about the packet such as the source IP address, destination IP address, source port number, destination port number, IP protocol type, IP ToS, inbound/outbound interface, TCP flag, and MPLS three-layer labels, and collects flow-based statistics. The NE80E provides the following types of NetStream:
- Integrated NetStream: packets are sampled on the LPU and the traffic statistics are collected on the NetStream SPU. Processing performance is high and the forwarding capability is not affected.
- Independent NetStream: packets are sampled and the traffic statistics are collected on the LPU.
NetStream Service Processing Units (SPUs) include 2.5-Gbit/s and 10-Gbit/s SPUs. You can select which type of SPUs to use as required. The NE80E provides multiple SPUs for load balancing.
For details on NetStream, see the section "NetStream."
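As an added worked example (not NE80E code), the following Python sketch shows what "sampling packets at a ratio, keying flows on the listed fields and collecting flow-based statistics" means in practice, and what the sampling costs on the detection side: a deterministic 1-in-N sampler feeds a flow cache keyed on the NetStream fields named above, the export scales the counts back up, and a small check pulls out SYN-only TCP flows as a port-scan indicator. The packets are constructed for the example; the field names, the FlowSampler class and syn_only_flows are this example's own, not NE80E terms.

```python
"""NetStream-style packet sampling and flow aggregation (added example, not NE80E code).

Packets are plain dicts built for this example. The flow key uses the fields the
text lists: source/destination IP, source/destination port, IP protocol, ToS,
inbound/outbound interface, TCP flags (aggregated per flow) and up to three
MPLS labels.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple  # (src_ip, dst_ip, src_port, dst_port, proto, tos, in_if, out_if, labels)


@dataclass
class FlowRecord:
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0      # OR of the TCP flags of every sampled packet in the flow
    first_seen: float = 0.0
    last_seen: float = 0.0


def flow_key(pkt: dict) -> FlowKey:
    labels = tuple(pkt.get("mpls_labels", ()))[:3]   # "MPLS three-layer labels"
    return (pkt["src_ip"], pkt["dst_ip"], pkt.get("src_port", 0), pkt.get("dst_port", 0),
            pkt["proto"], pkt.get("tos", 0), pkt["in_if"], pkt["out_if"], labels)


class FlowSampler:
    """Deterministic 1-in-N sampler in front of a flow cache."""

    def __init__(self, sample_rate: int):
        if sample_rate < 1:
            raise ValueError("sample rate must be >= 1")
        self.rate = sample_rate
        self.seen = 0
        self.cache: Dict[FlowKey, FlowRecord] = {}

    def observe(self, pkt: dict) -> bool:
        """Count the packet; return True if it was sampled into the cache."""
        self.seen += 1
        if self.seen % self.rate:
            return False
        rec = self.cache.setdefault(flow_key(pkt), FlowRecord(first_seen=pkt["ts"]))
        rec.packets += 1
        rec.octets += pkt["len"]
        rec.tcp_flags |= pkt.get("tcp_flags", 0)
        rec.last_seen = pkt["ts"]
        return True

    def export(self) -> List[dict]:
        """Flow records with packet/octet counts scaled by the sample rate, as a
        collector would do to estimate the unsampled totals."""
        out = []
        for k, r in self.cache.items():
            out.append({"src_ip": k[0], "dst_ip": k[1], "src_port": k[2], "dst_port": k[3],
                        "proto": k[4], "packets": r.packets * self.rate,
                        "octets": r.octets * self.rate, "tcp_flags": r.tcp_flags})
        return out


SYN, ACK = 0x02, 0x10


def syn_only_flows(records: List[dict]) -> List[dict]:
    """TCP flows whose aggregated flags contain SYN but never ACK: a cheap scan indicator."""
    return [r for r in records
            if r["proto"] == 6 and r["tcp_flags"] & SYN and not r["tcp_flags"] & ACK]


def constructed_packets() -> List[dict]:
    """Constructed sample traffic (not captured data): one TCP session to a web
    server and a four-port SYN probe from another host against the same server."""
    base = {"proto": 6, "tos": 0, "in_if": "GE1/0/0", "out_if": "GE2/0/0"}
    pkts = []
    for i, (flags, length) in enumerate([(SYN, 60), (ACK, 52), (ACK, 1500),
                                          (ACK, 1500), (ACK, 1500), (ACK, 52)]):
        pkts.append({**base, "ts": 1.0 + i, "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10",
                     "src_port": 40000, "dst_port": 443, "tcp_flags": flags, "len": length})
    for i, port in enumerate((22, 23, 80, 3389)):
        pkts.append({**base, "ts": 10.0 + i, "src_ip": "198.51.100.7", "dst_ip": "192.0.2.10",
                     "src_port": 50000 + i, "dst_port": port, "tcp_flags": SYN, "len": 60})
    return pkts


def run_example(sample_rate: int = 2) -> List[dict]:
    sampler = FlowSampler(sample_rate)
    for pkt in constructed_packets():
        sampler.observe(pkt)
    return sampler.export()


if __name__ == "__main__":
    for rec in run_example():
        print(rec)
    print("SYN-only flows:", len(syn_only_flows(run_example())))
```

With a 1-in-2 ratio only five of the ten packets reach the cache: the session's own SYN is missed and half of the probe's target ports never appear at all. Scaling restores the byte counts on average but cannot restore flags or missed flows. That is the trade-off behind the integrated versus independent NetStream split above: sampling keeps the LPU at line rate, but any detection that depends on seeing every packet of a short flow (a one-packet probe, a single malformed packet) needs a low ratio or a separate full-capture path.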
4 Link Features

4.1 Ethernet Link Features

4.1.1 Basic Features
The Ethernet link provided by the NE80E supports the following:
- VLAN trunk
- VLANIF
- VLAN aggregation
- Inter-VLAN port isolation
- Ethernet sub-interface
- VLAN sub-interface
- VLAN switch
- Ethernet clock synchronization

Eth-Trunk
- Supports the bundling of up to 16 physical interfaces. The resulting Eth-Trunk interface runs as a normal Ethernet interface.
- Supports the bundling of ports of different rates.
- Supports active/standby mode and performs active/standby switchover automatically according to the link status of the member interfaces.
Supported features also include:
- VLAN interfaces
- Inter-VLAN port isolation
- VLAN aggregation
- VLAN trunk
- VLAN mapping
- QinQ and VLAN stacking
- Layer 2 features such as MSTP and RRPP
- Switched Ethernet links
LACP (802.3ad)
The NE80E supports link aggregation in static LACP mode, as opposed to manual mode. Port bundling in manual mode requires neither LACP nor the exchange of protocol packets: the aggregation is specified entirely by the administrator. Link aggregation in static LACP mode uses LACP to maintain the interface status automatically by exchanging protocol packets; the administrator still creates the aggregation group and adds the member links manually, and LACP cannot change the administrator's configuration.
The NE80E supports LACP that conforms to IEEE 802.3ad. The administrator creates the Eth-Trunk interface, adds member ports to it, and enables LACP on the Eth-Trunk interface. The NE80E then negotiates with the peer device, by exchanging LACP protocol packets, which ports are used for data forwarding, that is, whether each outbound interface is in the selected or the standby state. LACP maintains the link status according to the port status; when the aggregation conditions change, LACP automatically adjusts or de-aggregates the link.
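To make the negotiation concrete, here is an added Python example (not NE80E code) that builds and parses an IEEE 802.3ad LACPDU and decodes the actor and partner state octets, which is what "selected" versus "standby" actually rests on: a member carries traffic only when both ends report Synchronization and the actor additionally has Collecting and Distributing set. The frame is constructed by hand; the MAC addresses, keys and port numbers are arbitrary, and member_state is this example's own summary function, not a protocol term.

```python
"""Build and parse an IEEE 802.3ad LACPDU (added example, not NE80E code).

Layout after the 14-byte Ethernet header: subtype (1), version (1), actor
information TLV (20), partner information TLV (20), collector TLV (16),
terminator (2), reserved (50) = 110 bytes. All values below are constructed.
"""
import struct
from typing import Dict

SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")   # 802.3 slow-protocols multicast
ETHERTYPE_SLOW = 0x8809
SUBTYPE_LACP = 0x01
INFO_FMT = "!BBH6sHHHB3x"   # type, len, sys prio, sys MAC, key, port prio, port, state, pad

STATE_BITS = ["activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired"]


def decode_state(state: int) -> Dict[str, bool]:
    return {name: bool(state & (1 << i)) for i, name in enumerate(STATE_BITS)}


def _info_tlv(tlv_type: int, info: dict) -> bytes:
    return struct.pack(INFO_FMT, tlv_type, 20, info["system_priority"], info["system_mac"],
                       info["key"], info["port_priority"], info["port"], info["state"])


def build_lacpdu(src_mac: bytes, actor: dict, partner: dict, max_delay: int = 0) -> bytes:
    payload = (bytes([SUBTYPE_LACP, 1]) + _info_tlv(1, actor) + _info_tlv(2, partner)
               + struct.pack("!BBH12x", 3, 16, max_delay)      # collector TLV
               + b"\x00\x00" + bytes(50))                       # terminator + reserved
    return SLOW_PROTOCOLS_MAC + src_mac + struct.pack("!H", ETHERTYPE_SLOW) + payload


def _parse_info_tlv(p: bytes, off: int, expected_type: int) -> dict:
    tlv_type, tlv_len, prio, mac, key, port_prio, port, state = struct.unpack(INFO_FMT, p[off:off + 20])
    if tlv_type != expected_type or tlv_len != 20:
        raise ValueError(f"bad information TLV (type {tlv_type}, len {tlv_len}) at offset {off}")
    return {"system_priority": prio, "system_mac": mac.hex(":"), "key": key,
            "port_priority": port_prio, "port": port, "state": decode_state(state)}


def parse_lacpdu(frame: bytes) -> dict:
    if len(frame) < 14 + 110:
        raise ValueError("frame too short for an LACPDU")
    if frame[:6] != SLOW_PROTOCOLS_MAC or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_SLOW:
        raise ValueError("not a slow-protocols frame")
    p = frame[14:]
    if p[0] != SUBTYPE_LACP:
        raise ValueError("slow-protocol subtype is not LACP")
    if p[42] != 3 or p[43] != 16:
        raise ValueError("missing collector TLV")
    return {"version": p[1], "actor": _parse_info_tlv(p, 2, 1), "partner": _parse_info_tlv(p, 22, 2),
            "collector_max_delay": struct.unpack("!H", p[44:46])[0]}


def member_state(pdu: dict) -> str:
    """Summarize what the PDU says about this member (example's own wording):
    'standby' until both ends are aggregatable and in sync, 'selected' once they
    are, and 'forwarding' when the actor is additionally collecting and distributing."""
    a, b = pdu["actor"]["state"], pdu["partner"]["state"]
    if not (a["aggregation"] and a["synchronization"] and b["synchronization"]):
        return "standby"
    if a["collecting"] and a["distributing"]:
        return "forwarding"
    return "selected"


def constructed_frame(partner_state: int = 0x0D) -> bytes:
    """Hand-built LACPDU. Actor state 0x3D = active, long timeout, aggregatable,
    in sync, collecting, distributing. Default partner state 0x0D = active,
    aggregatable, in sync. MAC addresses are locally administered placeholders."""
    actor = {"system_priority": 32768, "system_mac": bytes.fromhex("02000000aa01"), "key": 1,
             "port_priority": 32768, "port": 1, "state": 0x3D}
    partner = {"system_priority": 32768, "system_mac": bytes.fromhex("02000000bb01"), "key": 1,
               "port_priority": 32768, "port": 5, "state": partner_state}
    return build_lacpdu(actor["system_mac"], actor, partner)


if __name__ == "__main__":
    pdu = parse_lacpdu(constructed_frame())
    print(pdu["actor"]["state"], member_state(pdu))
```

Two practical points follow from the state octet. A PDU arriving with Defaulted or Expired set, or with a partner system ID that differs from the one seen before, means the peer has stopped answering or a different device is now on the link. And because LACPDUs carry no authentication, any host that can inject frames on the segment can also talk a member into standby, so which ports may form a trunk should be restricted administratively rather than left to the protocol.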
FR implements only the physical-layer and link-layer functions of the OSI model; flow control and error correction are left to the intelligent terminals, which improves system performance. FR uses virtual circuits to make full use of network resources, so it offers high throughput and short delay and suits bursty services. The NE80E provides the following FR features:
- DLCI
- VC: PVC and SVC
- FR address mapping
- FR LMI
- FR sub-interfaces
- FR switch
- PVC backup
- FR compression
- MFR
DLCI = Data Link Connection Identifier; PVC = Permanent Virtual Circuit; SVC = Switched Virtual Circuit; LMI = Local Management Interface; MFR = Multilink Frame Relay

The following PPP protocols are supported:
- Link Control Protocol (LCP)
- Internet Protocol Control Protocol (IPCP)
- Multi-Protocol Label Switching Control Protocol (MPLSCP)
- Multilink Protocol (MP)
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
Note that PAP sends the password in cleartext during link establishment; where the peer supports it, CHAP should be used instead.
4.3.4 IP Trunk
Using IP trunk technology, you can bind multiple physical POS interfaces into one logical trunk interface, as shown in Figure 4-1. You can run routing protocols on the trunk interface and carry MPLS and VPN services over it. The physical POS interfaces bound to a trunk are called trunk members. All configuration on the trunk interface also takes effect on the trunk members, and the members use the IP address of the logical trunk interface. IP trunk technology helps to:
- Increase bandwidth: the bandwidth of the trunk interface is the sum of the member bandwidths.
- Enhance reliability: if a member link fails, its traffic is automatically switched to the other available links, improving the reliability of the whole trunk.
- Carry out load sharing: different flows pass through different trunk members.
The NE80E also supports:
- Inter-board IP trunk
- IP trunk of channels with different rates
- Dynamic establishment and removal of IP-trunk interfaces
- Binding a physical channel to a trunk through the command line on the physical interface
4.4.1 Channelization
A CPOS interface is a channelized POS interface. Channelization transmits multiple independent data flows over one optical fiber through the low-speed tributary signals of STM-N. Each data flow has its own bandwidth and monitoring policy, so when multiple low-speed signals are sent, bandwidth is better utilized. The granularity of CPOS interface channelization is as follows:
- The 2.5G CPOS LPU can provide sixteen 155M POS channels.
- The 155M CPOS LPU can provide 63 E1 channels, 84 T1 channels, or 1023 64K channels.
- The 155M CPOS LPU can provide 3 E3 or 3 T3 channels.
The NE80E supports binding of E1/T1 channels. Up to 12 channels can be bound in a binding set, and each 155M CPOS LPU supports up to 168 binding sets.
4.4.2 PPP/HDLC
The NE80E provides 155 Mbit/s and 2.5 Gbit/s CPOS interfaces. At the link layer, CPOS supports:
- PPP
- HDLC
4.5.2 PVP/PVC
ATM interfaces support the creation of PVPs and PVCs:
- Nonreal-time Variable Bit Rate (NRT_VBR)
- Unspecified Bit Rate (UBR)
- Permanent Virtual Circuit (PVC)
Other ATM features:
- Traffic shaping based on VP/VC
- User-to-Network Interface (UNI) signaling
- RFC 1483: Multiprotocol Encapsulation over ATM Adaptation Layer 5
- RFC 1577: Classical IP and ARP over ATM
- F5 end-to-end loopback OAM
- ATM Adaptation Layer 5 (AAL5)
4.5.3 IPoA
IP over ATM (IPoA) carries IP services over an ATM network. It keeps the fundamentals of TCP/IP and treats the ATM network as a physical subnet: for the IP protocols, the ATM network is equivalent to a physical subnet such as Ethernet. With IPoA, you can run IP protocols and network applications directly over the ATM network. On the NE80E, address mapping between a PVC and the IP address of the peer device can be set up in two ways.
4.5.6 1483B
RFC 1483 defines the standard for transmitting multi-protocol data units over an ATM network, in two forms:
- 1483 Bridged: applied to bridged protocol data units.
- 1483 Routed: applied to routed protocol data units.
RFC 1483 Bridged encapsulates the network-layer packet in a data-link-layer frame. It imitates the bridging function of an Ethernet network, so that terminal devices on the user side and bridge devices on the network side are connected. Figure 4-2 shows the protocol stack of 1483B.
Figure 4-2 Protocol stack of 1483B (access router, Router A, Router B, ATM network)

The IPoE Ethernet protocol stack is used to connect the device on the user side. After 1483B is configured on Router A, the ingress router of the ATM network, Router A bridges Ethernet packets into ATM cells, so that the received IPoE packets are transmitted transparently across the ATM network. IPoEoA is the main 1483B application supported by the NE80E. IPoEoA means that AAL5 carries Ethernet frames and the Ethernet frames carry IP packets, so that Layer 2 forwarding of IPoEoA packets between the Ethernet and the PVC can be implemented. IPoEoA converges the ATM backbone network and the IP network and supports both Ethernet and IP protocols.
The outer PSN label identifies the PSN tunnel, while the inner label, the PW header, identifies a PW. In ATM cell transport, the following two kinds of services are transmitted over the PSN:
- Services whose PW payload is ATM cells
- Services whose PW payload is AAL5 SDUs/PDUs
ATM cell transport allows an existing ATM or ISP network to be carried over the PSN without adding new ATM devices or changing the ATM CE configuration. ATM CE routers see the ATM cell transport service as a TDM leased line. The NE80E supports ATM cell transport over Permanent Virtual Circuits (PVCs) and Permanent Virtual Paths (PVPs), in the following modes:
- ATM whole-port cell transport
- 1-to-1 VCC cell transport
- N-to-1 VCC cell transport
- 1-to-1 VPC cell transport
- N-to-1 VPC cell transport
- ATM AAL5-SDU VCC transport
An RPR ring adopts a topology of two counter-rotating ringlets. An RPR network consists of Ringlet0, Ringlet1, stations, and spans, as shown in Figure 4-4.
Figure 4-4 RPR networking diagram (stations connected by spans on Ringlet0 and Ringlet1, with east and west directions, forming one domain)
As shown in Figure 4-4, each node of the RPR network is connected by two pairs of fibers, one pair each for transmitting and receiving on ringlet 0 and ringlet 1. In an RPR network, unicast traffic travels only between its source node and destination node, which improves bandwidth utilization.
Topology and Protection (TP) packets are broadcast around the whole ring. Topology Checksum (TC) packets are sent and received only between adjacent nodes. Attribute Discovery (ATD) packets update the station information in the topology database beyond what topology discovery and checksum provide. Link Round Trip Time (LRTT) packets measure the delay of high-priority control frames between all nodes on the network.
Pass-Through
Some node failures stop Layer 3 forwarding temporarily while the MAC layer can still forward packets. You can put such a node in pass-through mode by shutting down the RPR interface. All packets that reach the node are then forwarded transparently, and the node is invisible in the RPR network, as shown in Figure 4-5.
Figure 4-5 Pass-Through mode

In wrapping mode, traffic transmitted on ringlet 0 from A to B is carried to the node adjacent to the failed link and then sent on to B over ringlet 1. See Figure 4-6. In steering mode, traffic that was on ringlet 0 is redirected directly onto ringlet 1 for transmission. See Figure 4-7.
Figure 4-6 Wrapping mode; Figure 4-7 Steering mode (nodes A and B on the RPR ring)
The wrapping mode and steering mode in RPR have their respective advantages and disadvantages. The wrapping mode implements fast switchover without data loss, but wastes the bandwidth. The steering mode needs neither loopback nor wrapping, and thus does not waste the bandwidth, but it implements a slow protection with data loss. The RPR designed by Huawei combines the advantages of these two modes, and adopts the "first wrapping and second steering" mode. Providing the failure protection switchover within 50 ms, it implements non-stop services without bandwidth waste to achieve the best performance.
4.7.1 PPP/HDLC/FR
CE1/CT1/E3/T3 interfaces work as serial interfaces and support the following link protocols:
- PPP
- HDLC
- FR
5 Primary Service Features

5.1 Ethernet Features

VLAN Trunk
A trunk is a point-to-point link between two routers; the interfaces at the ends of the link are called trunk interfaces. One VLAN trunk can transmit data flows of different VLANs, which allows a VLAN to span the interfaces of many routers. The NE80E can dynamically add, delete, or modify the VLANs of a VLAN trunk to keep the VLAN configuration consistent across the whole network, and it interworks with non-Huawei devices.
VLANIF
After setting up a VLAN, you can create VLAN interfaces (VLANIF). A VLAN interface is a virtual interface with Layer 3 (IP layer) features. You can assign IP addresses and enable routing protocols on a VLAN interface to make it equivalent to the routed Ethernet interface. You can also add several switched Ethernet interfaces to a VLAN. On the NE80E, VLANs can be configured and displayed in batch.
VLAN Aggregation
Inter-VLAN routing is involved in the communication between VLANs. If each VLAN interface is assigned an IP address, IP address resources will be used up. You can aggregate a group of VLANs to a super-VLAN. The VLANs in the super VLAN are called branch VLANs. A super VLAN is associated with an interface at the IP layer. In addition, all branch VLANs in the super VLAN use the IP addresses in the same network segment to improve the utilization of the IP addresses.
Ethernet Sub-interface
A normal Ethernet sub-interface, which can belong to only one VLAN, provides the following functions:
- Terminates enterprise customers' services.
- Supports routing protocols.
- Supports MPLS forwarding.
VLAN Sub-interface
A VLAN sub-interface, which can belong to multiple VLANs, provides the following functions:
- Terminates individual subscribers' services.
- Supports DHCP relay, DHCP binding, URPF, and ACLs, which secure subscriber access: URPF drops packets whose source address is not reachable through the interface they arrived on, and DHCP binding ties a subscriber's IP address to its MAC address and port.
Ethernet Clock Synchronization
Figure 5-1 Ethernet clock synchronization in IP-RAN (Node B, RNC, Nb interface, MGW)
In a wireless network, Ethernet links place high requirements on clocks. As shown in Figure 5-1, in the future IP-RAN solution the IP network serves as the bearer layer between the Node B and the RNC. Ethernet clock synchronization solves the problem of transmitting the clock across the IP network. It also supports backup of the clock reference source to improve link reliability: when an Ethernet link goes down, the system automatically selects the backup Ethernet interface to extract the clock information from.
5.1.4 MACinMAC
The NE80E supports MACinMAC technology conforming to IEEE 802.1ah. MACinMAC carries point-to-point and multipoint-to-multipoint services over a transport network built on Ethernet, which extends the Ethernet solution from the access and convergence layers to the core layer of the MAN and even the WAN.
MACinMAC is a tunneling technique based on MAC stacking: an ISP MAC header is prepended to the user's Ethernet frame, so that user frames are transmitted transparently through the public network. When a MACinMAC tunnel is set up between two MANs, it runs over the core network of the ISP. The user's MAC addresses are isolated from the ISP network, which improves the security of the service, and stacking a second MAC header also expands the usable MAC address space.
The MACinMAC tunnel can be set up between NE80Es. It supports fault detection, fault location, and Automatic Protection Switching (APS), which controls the protection switchover of the tunnel. The NE80E supports 1+1 and 1:1 protection modes for the MAC tunnel, as well as revertive mode, hold-off time, and an APS configuration mismatch test, which together guarantee fast recovery of services.
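As an added Python example (not NE80E code), the following encapsulates a customer Ethernet frame in an IEEE 802.1ah backbone header, that is, a backbone MAC pair, a B-TAG (TPID 0x88a8) and an I-TAG (TPID 0x88e7) carrying the 24-bit I-SID, and checks the property the paragraph above relies on: the backbone only ever sees backbone MAC addresses. All addresses, the B-VID and the I-SID are constructed, and the function names are this example's own.

```python
"""IEEE 802.1ah (MAC-in-MAC / PBB) encapsulation and decapsulation
(added example, not NE80E code; every address and identifier is constructed)."""
import struct
from typing import Tuple

TPID_BTAG = 0x88A8   # backbone VLAN tag, same TPID as an 802.1ad S-tag
TPID_ITAG = 0x88E7   # backbone service instance tag
TPID_CTAG = 0x8100   # customer VLAN tag inside the encapsulated frame
PBB_HEADER_LEN = 6 + 6 + 4 + 6   # B-DA, B-SA, B-TAG, I-TAG


def encapsulate(customer_frame: bytes, b_da: bytes, b_sa: bytes, b_vid: int, i_sid: int,
                pcp: int = 0) -> bytes:
    """Prepend the backbone header. The whole customer frame, including its own
    MAC addresses and C-tag, becomes opaque payload for the backbone."""
    if len(customer_frame) < 14:
        raise ValueError("customer frame too short")
    if not 0 < b_vid < 4095:
        raise ValueError("B-VID must be 1..4094")
    if not 0 <= i_sid < (1 << 24):
        raise ValueError("I-SID is a 24-bit value")
    b_tag = struct.pack("!HH", TPID_BTAG, (pcp << 13) | b_vid)
    i_tag = struct.pack("!HI", TPID_ITAG, (pcp << 29) | i_sid)  # I-TCI: PCP, DEI, UCA, res, I-SID
    return b_da + b_sa + b_tag + i_tag + customer_frame


def is_pbb(frame: bytes) -> bool:
    if len(frame) < PBB_HEADER_LEN + 14:
        return False
    b_tpid = struct.unpack("!H", frame[12:14])[0]
    i_tpid = struct.unpack("!H", frame[16:18])[0]
    return b_tpid == TPID_BTAG and i_tpid == TPID_ITAG


def decapsulate(frame: bytes) -> Tuple[int, int, bytes]:
    """Return (b_vid, i_sid, customer_frame); raise if this is not an 802.1ah frame."""
    if not is_pbb(frame):
        raise ValueError("not an 802.1ah frame")
    b_tci = struct.unpack("!H", frame[14:16])[0]
    i_tci = struct.unpack("!I", frame[18:22])[0]
    return b_tci & 0x0FFF, i_tci & 0x00FFFFFF, frame[PBB_HEADER_LEN:]


def backbone_learns_customer_mac(frame: bytes, customer_mac: bytes) -> bool:
    """True if a customer MAC is visible where a backbone bridge learns addresses,
    i.e. in the outer destination/source fields. With 802.1ah it must not be."""
    return customer_mac in frame[:12]


def constructed_customer_frame(c_vid: int = 100) -> bytes:
    """A constructed customer frame: C-DA, C-SA, 802.1Q C-tag, IPv4 Ethertype and a
    stub payload. Not real traffic; MACs are locally administered placeholders."""
    c_da = bytes.fromhex("020000c00001")
    c_sa = bytes.fromhex("020000c00002")
    c_tag = struct.pack("!HH", TPID_CTAG, c_vid)
    return c_da + c_sa + c_tag + struct.pack("!H", 0x0800) + bytes(46)


def round_trip(b_vid: int = 200, i_sid: int = 0x010203) -> Tuple[int, int, bytes, bool]:
    """Encapsulate the constructed frame for the backbone, decapsulate it again and
    report whether the customer source MAC leaked into the backbone header."""
    inner = constructed_customer_frame()
    outer = encapsulate(inner, bytes.fromhex("0200000b0001"), bytes.fromhex("0200000b0002"),
                        b_vid, i_sid)
    vid, sid, payload = decapsulate(outer)
    return vid, sid, payload, backbone_learns_customer_mac(outer, inner[6:12])


if __name__ == "__main__":
    print(round_trip())
```

The isolation works in one direction only: backbone bridges forward on B-DA/B-SA and never learn customer MACs, but the edge device that strips the header does see them, so customer-side MAC limits and storm control still belong on the ingress port. The I-SID, not the B-VID, is what keeps two customers' frames apart inside one backbone VLAN, so a decapsulating edge must check the I-SID against the service it was provisioned for before handing the inner frame to a customer port.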
Figures (PBT networking, residue): CE, UPE, and PE devices across the Metro (+Core) and Core networks
5.1.5 QinQ
QinQ expands the VLAN space by adding a second IEEE 802.1Q tag to a packet that already carries one. Private VLANs can thus transmit packets transparently over the public network, which is functionally similar to a Layer 2 VPN. Packets forwarded over the backbone network carry two 802.1Q tags, one for the public network and one for the private network; this is called 802.1Q-in-802.1Q, or QinQ for short.
The ISP network provides a single VLAN ID for the different VLANs of one user network, which saves the ISP's VLAN IDs. QinQ also provides a simple Layer 2 VPN solution for a small MAN or LAN. Because it is easy to deploy, QinQ is widely used in ISP networks and can be applied to multiple services in a metropolitan Ethernet solution. The emergence of flexible QinQ, that is, VLAN stacking, has spread QinQ services further among ISPs. The technology has the following features:
- Packets carrying the same VLAN ID from different users are kept apart rather than being transmitted transparently together.
- Private networks are effectively segregated from the public network.
- The ISP's VLAN IDs are saved to the maximum extent.
Although it is not a formal protocol, QinQ is widely applied by carriers because it is simple and convenient, and selective QinQ (VLAN stacking) has made it still more popular. With the development of metropolitan Ethernet, all device vendors have put forward their own solutions, in which QinQ plays an important role because of its simplicity and flexibility. The NE80E provides abundant QinQ features to satisfy diverse networking requirements.
Interface-based QinQ
Figure 5-7 shows typical networking using the interface-based QinQ feature. The interface-based QinQ feature is configured on the router. When the user's packets, carrying the user's VLAN tag, arrive at the router, the router treats them as untagged and adds an ISP VLAN tag on top of the existing tag. After the packets traverse the ISP's VLAN tunnel and reach the remote user, the ISP VLAN tag is stripped. This function, called VLAN stacking, is shown in Figure 5-7.
Figure 5-7 Typical networking diagram of the interface-based QinQ application (user VLAN 100 and VLAN 200 traffic carried through the router under an ISP outer tag)
Interface-based QinQ supports:
- Access to VPLS to transparently transmit private VLAN packets
- Access to L2VPN and PWE3 to transparently transmit private VLAN packets
VLAN-based QinQ
VLAN-based QinQ is also called selective QinQ. Figure 5-8 shows VLAN-based QinQ. With the development of services such as broadband Internet access, VoIP, and IPTV, ISPs sometimes want to plan the inner VLAN tags of the network per service, for example:
- VLAN 1000 to VLAN 1999: broadband Internet access
- VLAN 2000 to VLAN 2999: IPTV services
- VLAN 3000 to VLAN 3999: VoIP services
Figure 5-8 VLAN-based QinQ (PCs, IPTV set-top boxes, and videophones behind a LAN switch and DSLAM, towards the service gateway)
Users access the DSLAM in multi-PVC mode, and the DSLAM maps each PVC to a VLAN. Flexible QinQ is enabled on the gateway to apply outer VLAN tag 100 to broadband Internet access, outer VLAN tag 200 to VoIP, and outer VLAN tag 300 to IPTV. This breaks the limit of 4094 VLAN IDs for one ISP network, and the per-service distribution eases the ISP's service management. Services are distributed in one of the following three ways:
- Marking outer VLANs with tags from different VLAN ranges, that is, turning one tag into two so that services are distributed to different terminals.
- Marking outer VLANs with tags of different protocol IDs, that is, adding a tag to protocol packets so that services are distributed to different terminals.
- Redistributing outer VLAN tags according to inner VLAN ranges, that is, substituting one tag with another so that services are distributed according to user type. This is called VLAN mapping.
VLAN-based QinQ may serve as one of the VPLS access modes, letting packets of private VLANs be transmitted transparently across the backbone network; it may likewise serve as an L2VPN or PWE3 access mode. This QinQ mode is implemented on switched interfaces. The difference between VLAN-based QinQ and interface-based QinQ is as follows:
- In interface-based QinQ mode, all user packets from the same user side receive the same outer VLAN tag from the PE router.
- In VLAN-based QinQ mode, user packets from the same user side receive different outer VLAN tags depending on the user's VLAN tag.
VLAN-based QinQ is therefore more flexible than interface-based QinQ, and is also called flexible QinQ.
QinQ Stacking
The early QinQ technology is used on Layer 2 networks and embodied on switches. With the VLAN stacking, packets are forwarded at Layer 2 by means of the outer VLAN tag. The outer VLAN usually refers to the VLAN of an ISP network. VLAN stacking is usually applied on the switched interface. The sub-interface for VLAN stacking is deployed on a PE router. The sub-interface identifies the user's VLAN and then performs VLAN stacking to user's Layer 2 packets. After that, packets are forwarded at Layer 2 by means of the outer VLAN tag. This technology can also be applied on the interface of a router. The sub-interface for VLAN stacking is used to solve the problem of transmitting transparently packets of many VLANs through one sub-interface. Packets access an L2VPN through the outer VLAN of the stacking. The outer VLAN is transparent to the ISP. User's packets of multiple VLANs can thus be transmitted transparently. QinQ stacking supports the following:
- Access to VPLS through the sub-interface for VLAN stacking
- Access to VLL/PWE3 through the sub-interface for VLAN stacking
Sub-interfaces for QinQ VLAN tag termination terminate double VLAN tags in the following two ways:
- Exact termination: double VLAN tags of specified VLAN IDs are terminated.
- Fuzzy termination: double VLAN tags of VLAN IDs in a specified range are terminated.
IEEE 802.1ad specifies the Etype value of the outer TPID as 0x88a8.
[Figure 5-9: Switch A, Router B and Router C; outer TPID values 0x9100 and 0x8100]
As shown in Figure 5-9, when receiving packets, the interface of Router B needs to recognize the Etype value 0x9100 of the outer TPID. The Etype values of the outer TPID, such as 0x9100 and 0x8100, can be set on devices according to the conventions of different manufacturers, so that devices of different manufacturers can communicate with each other.
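As an added example (not code from this document or from the NE80E software), the following Python parses an 802.1Q/802.1ad tag stack with a configurable set of accepted outer TPIDs, which is what Router B above must do for 0x9100, and then applies the VLAN-based (flexible) QinQ rule described earlier: the outer VLAN is chosen from the interval the inner VLAN falls in. The sample frame, the interval rules and all function names are constructed for this example.

```python
"""Tag-stack parsing and VLAN-based (flexible) QinQ, as an illustration.

Added example; the frame bytes, interval rules and function names are
constructed here and are not taken from the NE80E documentation.
"""
import struct

# TPIDs a receiver may be configured to accept as the start of a VLAN tag.
# 0x88a8 is the IEEE 802.1ad value; 0x9100 and 0x8100 are the vendor
# choices mentioned in the text.
KNOWN_TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad", 0x9100: "legacy QinQ"}
MAX_TAGS = 2  # double tagging is all this example needs to handle


def parse_tag_stack(frame, accepted_tpids=frozenset(KNOWN_TPIDS)):
    """Return (tags, ethertype, payload) for an Ethernet II frame.

    tags is a list of (tpid, pcp, dei, vid) from outermost to innermost.
    A 16-bit value after the source MAC is treated as a tag only if it is
    in accepted_tpids; the first other value is the payload EtherType.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    off = 12  # destination MAC (6) + source MAC (6)
    tags = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame ends inside EtherType/TPID field")
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype not in accepted_tpids:
            return tags, etype, frame[off + 2:]
        if len(tags) >= MAX_TAGS:
            raise ValueError("more than %d VLAN tags" % MAX_TAGS)
        if off + 4 > len(frame):
            raise ValueError("frame ends inside VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4


def push_outer_tag(frame, vid, pcp=0, tpid=0x88A8):
    """Insert a new outermost tag right after the source MAC (QinQ stacking)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID %d outside 1..4094" % vid)
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]


def flexible_qinq(frame, rules, outer_tpid=0x88A8,
                  accepted_tpids=frozenset(KNOWN_TPIDS)):
    """VLAN-based QinQ: pick the outer VID from the interval the inner VID is in.

    rules is a list of (low_vid, high_vid, outer_vid); the first match wins.
    The 802.1p priority of the inner tag is copied to the outer tag.
    Frames that are untagged, already double tagged, or match no rule are
    returned unchanged.
    """
    tags, _etype, _payload = parse_tag_stack(frame, accepted_tpids)
    if len(tags) != 1:
        return frame
    _tpid, pcp, _dei, inner_vid = tags[0]
    for low, high, outer_vid in rules:
        if low <= inner_vid <= high:
            return push_outer_tag(frame, outer_vid, pcp=pcp, tpid=outer_tpid)
    return frame


# Constructed sample: single-tagged (VID 100, PCP 5) IPv4 frame with a dummy payload.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455")                    # destination MAC
    + bytes.fromhex("66778899aabb")                  # source MAC
    + struct.pack("!HH", 0x8100, (5 << 13) | 100)    # inner 802.1Q tag
    + b"\x08\x00"                                    # EtherType IPv4
    + b"\x45" + b"\x00" * 19                         # truncated IPv4 header as payload
)
# Constructed interval rules: inner VIDs 1-199 get outer VID 10, 200-4094 get 20.
SAMPLE_RULES = [(1, 199, 10), (200, 4094, 20)]


if __name__ == "__main__":
    stacked = flexible_qinq(SAMPLE_FRAME, SAMPLE_RULES)
    print(parse_tag_stack(stacked))
    # A receiver configured only for 0x9100 does not see the 0x8100 tag at all.
    print(parse_tag_stack(SAMPLE_FRAME, accepted_tpids=frozenset({0x9100})))
```

The last call shows the interoperability point of the text from the receiver's side: a tag whose TPID is not in the configured set is simply treated as the payload EtherType.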
No matter whether multicast data packets or multicast protocol packets are received, they are not encapsulated by QinQ. Only the outer P-VLAN tag is added to send packets. In IGMP snooping learning, only the P-VLAN ID mapping to the user host is maintained. In forwarding, the system searches for the member host of the mapped group according to the P-VLAN ID and substitutes the P-VLAN with the C-VLAN in the packet for forwarding.
[Figure: RRPP domain with an RRPP major ring and sub-rings 1 and 2; RouterA, RouterB, RouterC, SwitchA and SwitchB acting as master, transit, edge and assistant nodes]
Traditionally, an RRPP domain consists of a group of interconnected switches with the same domain ID and control VLAN. At present, some routers also support RRPP. An RRPP domain includes the following parts:
- Major ring and sub-ring
- Control VLAN
- Master node and transit node
- Common port and edge port
- Primary port and secondary port
Polling Mechanism
Polling is a mechanism used by the master node on the RRPP ring to detect the network status. The master node sends Hello packets periodically from its primary port. The packets are transmitted by the transit nodes on the ring. If the master node receives the packets on its secondary interface, this indicates that the link of the ring is in the normal state; otherwise, the master node considers that a link fault has occurred on the ring. When the master node that is in the Failed state receives the Hello packets on its secondary interface, it changes to the Complete state, blocks its secondary interface, and refreshes the Forwarding Database (FDB). The master node also sends packets from its primary interface to inform all transit nodes to release the temporarily blocked interface and refresh the FDB.
5.1.7 RSTP/MSTP
The Rapid Spanning Tree Protocol (RSTP) is an enhancement of the Spanning Tree Protocol (STP). RSTP simplifies the processing of the state machine, blocks some redundant paths with specific algorithms, and reconstructs a network with loops into a loop-free network. In this way, packets are prevented from proliferating and looping endlessly. Compared with STP, RSTP speeds up Layer 2 loop convergence. In a Layer 2 network, only one Shortest Path Tree (SPT) is generated. The Multiple Spanning Tree Protocol (MSTP) is the multi-instance RSTP. MSTP supports running STP based on one or more VLANs. In a Layer 2 network, multiple Shortest Path Trees (SPTs) can be generated.
All branches of the same user network are able to receive their own BPDUs. BPDUs of a user network cannot be processed by the CPU of the ISP network.
BPDUs of different customers must be segregated to prevent them from mutual access.
- Transparent transmission of interface-based BPDUs of the same user network
- Transparent transmission of interface-based BPDUs of different user networks
- Transparent transmission of VLAN-based BPDUs
- Transparent transmission of QinQ-based BPDUs
5.1.9 V-Switch
V-Switch is a construction model of the Ethernet transmission network. V-Switch refers to using VLAN tags as tunnel and service labels (similar to MPLS labels) in the Ethernet network and switching the tags on each network node. The forwarding path is generated on the switch through static configuration or dynamic protocols. Here, the VLAN tags take effect only on the switch, so the same VLAN tags can be reused on different interfaces of the same device. V-Switch supports one tag or double tags. In tag switching, the 802.1p precedence remains unchanged. In the process of forwarding, the system need not search for the MAC address, because the VLAN tag alone carries the forwarding information. The NE80E supports the switching of one VLAN tag or double VLAN tags. It can also add one VLAN tag or double VLAN tags to the packets received on a specified physical interface.
5.2 IP Features
5.2.1 IPv4/IPv6 Dual-Protocol Stacks
Figure 5-12 shows the structure of the IPv4/IPv6 dual-protocol stacks.
Figure 5-12 Dual-protocol stacks structure
[Figure: IPv4/IPv6 Application over TCP and UDP, over IPv4 and IPv6 side by side, over the Link Layer]
- TCP/IP protocol suite such as ICMP, IP, TCP, UDP, Socket (TCP/UDP/Raw IP), and ARP
- Static DNS and DNS server
- FTP server/client and TFTP client
- DHCP relay agent and DHCP server
- Ping, tracert, and NQA: NQA can detect the status of ICMP, TCP, UDP, DHCP, FTP, HTTP, and SNMP services and test the response time of the services.
IP policy-based routing The system supports specifying the next hop based on the attribute of packets without search for routes in the routing table.
- IPv6 neighbor discovery (ND)
- Path MTU (PMTU) discovery
- TCP6, ping IPv6, tracert IPv6, and socket IPv6
- Static IPv6 DNS and specified IPv6 DNS servers
- TFTP IPv6 client
- IPv6 policy routes
5.2.4 GRE
The Generic Routing Encapsulation (GRE) protocol is used to encapsulate packets of certain network layer protocols such as IP and IPX packets so that these encapsulated packets can be transmitted in the network running another network layer protocol such as IP. As the Layer 3 tunnel protocol for VPNs, GRE adopts the tunnel technology. A tunnel can be taken as a virtual interface that supports only P2P connections. The tunnel interface provides a tunnel for data forwarding and the packets are encapsulated and decapsulated at both ends of the tunnel respectively.
[Figure 5-13: IPX Group 1 and Group 2 and IP Team 1 and Team 2 connected over the GRE tunnel between Router A and Router B]
In Figure 5-13, Group 1 and Group 2 are the local networks running Novell IPX. Team 1 and Team 2 are the local networks running the IP protocol. The tunnel between Router A and Router B adopts the GRE protocol; therefore, Group 1 communicates with Group 2 without affecting the communication between Team 1 and Team 2.
[Figure 5-14: two PCs communicating across a tunnel that hides intermediate hops]
In Figure 5-14, the IP protocol is run on the network. Assume that the IP protocol limits the hop count to 255. If the hop count between two PCs is greater than 255, they cannot communicate. When the tunnel is used in the network, a few hops are hidden. This enlarges the scope of the network operation.
For example, two VPN sub-networks, Site 1 and Site 2 are in two cities. By setting up a GRE tunnel between the devices at the network edge, you can connect the two sub-networks to a continuous VPN network. GRE can be applied both in L2VPN and L3VPN in two modes as follows:
- As shown in Figure 5-15, the two ends of the GRE tunnel reside on the CE routers in the CPE-based VPN.
- As shown in Figure 5-16, the two ends of the GRE tunnel reside on the PE routers in the network-based VPN.
Usually, the MPLS VPN backbone network uses label switched paths (LSPs) as the public network tunnel. If the core router P in the backbone network, however, provides only the IP function without the MPLS function while the PE router at the network edge has the MPLS function, the LSP cannot be used as the public network tunnel. Then, you can use the GRE tunnel in place of the LSP to provide Layer 3 or Layer 2 VPN solutions at the core network.
In actual networking, not all the CE routers and PE routers can be directly connected through physical links. For example, for multiple institutes that are connected to the Internet or to an IP-based backbone, the CE routers and PE routers are geographically dispersed and cannot directly access the PE router in the MPLS backbone network. These institutes cannot directly access the sites inside the MPLS VPN through the Internet or the IP backbone network.
Figure 5-17 CEs accessing the MPLS VPN backbone network through the backbone network based on the IP technology
[Figure: VPN Site - CE - IP network - PE - MPLS network - PE - CE - VPN Site]
To connect a CE router to the MPLS VPN, you can create a direct logical connection between the CE router and the PE router. That is, you connect the CE router and the PE router over the public network or a private network, and create a GRE tunnel between them. Then, the CE router and the PE router can be regarded as directly connected. When associating the VPN with the PE interface that is connected to the CE router, you can treat the GRE tunnel as a physical interface.
- Manually configured IPv6 tunnel: the IPv6 tunnel is manually configured on the two edge routers at both ends of the tunnel. The source and destination IPv4 addresses of the tunnel are configured manually.
The tunnel is equivalent to a permanent link between two IPv6 domains over an IPv4 backbone network. The tunnel is used for regular and secure communication between two edge routers on IPv6 islands.
- IPv6 over IPv4 GRE tunnel: IPv6 traffic can be carried over IPv4 GRE tunnels. When carrying IPv6 traffic, the IPv4 GRE tunnels are called IPv6 over IPv4 GRE tunnels (GRE tunnels for short). Like the manually configured IPv6 over IPv4 tunnel, a GRE tunnel is a link between two nodes, with a separate tunnel for each link. Although GRE tunnels are not tied to a specific passenger or transport protocol, here they carry IPv6 as the passenger protocol and GRE as the carrier protocol.
- Automatically configured IPv4-compatible IPv6 tunnel (automatic tunnel for short): an IPv4-compatible IPv6 address is needed to create an IPv6 over IPv4 automatic tunnel. The low-order 32 bits of an IPv4-compatible IPv6 address are an IPv4 address, which identifies the destination address of the automatic tunnel. To configure an automatic tunnel, you need to specify only the source address of the tunnel on an edge router or a host. The destination address of the tunnel is recognized automatically from the next-hop address (an IPv4-compatible IPv6 address) of the IPv6 packets.
- 6to4 tunnel: a 6to4 tunnel connects isolated IPv6 islands to the IPv6 Internet over an IPv4 network. The difference between the 6to4 tunnel and the manually configured tunnel is that the former can be a point-to-multipoint connection, whereas the latter is a P2P connection. Hence, routers of the 6to4 tunnel are not configured in pairs. Similar to the automatic tunnel, the 6to4 tunnel can automatically find the other end of the tunnel. It need not be configured with an IPv4-compatible IPv6 address. The 6to4 tunnel uses a special kind of IPv6 address, the 6to4 address.
- ISATAP tunnel: the ISATAP tunnel is used when an IPv4/IPv6 host in an IPv4 network accesses an IPv6 network. The ISATAP tunnel can be created between ISATAP hosts, or between an ISATAP host and an ISATAP router. ISATAP enables the IPv4/IPv6 dual-stack nodes in the IPv4 site to automatically access the IPv6 routers. ISATAP uses an IPv6 address with an embedded IPv4 address, and the IPv6 over IPv4 automatic tunneling technique can be used regardless of whether the site uses a public or private IPv4 address. The ISATAP address format can use the site-based unicast IPv6 address prefix or the global unicast IPv6 address prefix. That is, site-based and global IPv6 routes are supported. ISATAP is usually used at the network edge, such as the intranet and the access network. ISATAP can also work with the 6to4 technology.
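The automatic tunnel, 6to4 tunnel and ISATAP tunnel above all derive the IPv4 tunnel endpoint from an IPv6 address rather than from configuration. As an added example (not code from this document or from the NE80E), the following Python extracts that embedded IPv4 address for the three address forms and shows how an allow-list of IPv4 prefixes could constrain which endpoints an automatic tunnel will use; the allow-list, the sample addresses and the function names are constructed for this example and are not documented NE80E settings.

```python
"""Extract the IPv4 tunnel endpoint embedded in IPv6 transition addresses.

Added example, not from the NE80E documentation. It covers the three
address forms the text describes: IPv4-compatible (::a.b.c.d), 6to4
(2002:V4ADDR::/48) and ISATAP (interface identifier ::0:5efe:a.b.c.d,
with the u/g-bit variant 0200:5efe for public IPv4 addresses).
"""
import ipaddress

# Upper 32 bits of an ISATAP interface identifier (RFC 5214 format).
ISATAP_IID_PREFIXES = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def embedded_endpoints(addr):
    """Return a list of (kind, ipv4_string) for every IPv4 embedded in addr.

    kind is "ipv4-compatible", "6to4" or "isatap". A 6to4 site running
    ISATAP internally yields two entries: the 6to4 relay from the prefix
    and the ISATAP router from the interface identifier.
    """
    a = ipaddress.IPv6Address(addr)
    raw = a.packed
    found = []
    # IPv4-compatible: high-order 96 bits are zero, low-order 32 bits are IPv4.
    # :: and ::1 have the same shape, so they are excluded explicitly.
    if raw[:12] == b"\x00" * 12 and not (a.is_unspecified or a.is_loopback):
        found.append(("ipv4-compatible", str(ipaddress.IPv4Address(raw[12:16]))))
    # 6to4: 2002:XXXX:XXXX::/48, the IPv4 address is bits 16..47.
    if a.sixtofour is not None:
        found.append(("6to4", str(a.sixtofour)))
    # ISATAP: interface identifier ::0:5efe:a.b.c.d or ::200:5efe:a.b.c.d.
    if raw[8:12] in ISATAP_IID_PREFIXES:
        found.append(("isatap", str(ipaddress.IPv4Address(raw[12:16]))))
    return found


def automatic_tunnel_destination(next_hop, allowed_prefixes=None):
    """Pick the IPv4 destination for an automatic tunnel from an IPv6 next hop.

    As in the text, the destination comes from the next-hop address rather
    than from configuration. allowed_prefixes is a constructed policy (not
    a documented NE80E setting) that limits which IPv4 endpoints may be
    used; None means no restriction. Returns the IPv4 string or None.
    """
    nets = [ipaddress.IPv4Network(p) for p in (allowed_prefixes or [])]
    for _kind, v4 in embedded_endpoints(next_hop):
        if not nets or any(ipaddress.IPv4Address(v4) in n for n in nets):
            return v4
    return None


if __name__ == "__main__":
    # Constructed sample next hops using documentation address ranges.
    for sample in ("::c000:201", "2002:c000:201::1", "fe80::5efe:c000:201",
                   "2002:c000:201:1::5efe:c633:6401", "2001:db8::1"):
        print(sample, embedded_endpoints(sample))
```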
To set up IPv4 over IPv6 tunnels, the IPv4/IPv6 dual stack needs to be enabled on the router at the edge of the IPv6 network and the IPv4 network.
Figure 5-19 Networking diagram of the IPv4 over IPv6 tunnel
[Figure: an IPv4 header and IPv4 payload are encapsulated in an IPv6 header while crossing the tunnel and decapsulated at the far end]
6PE
The IPv6 Provider Edge (6PE) router allows communication between isolated IPv6 CE routers over the IPv4 network. See Figure 5-20. With 6PE routers, ISPs can provide access services to the IPv6 networks of isolated customers over the existing IPv4 backbone network.
Figure 5-20 6PE topology
[Figure: two 6PE routers connected across the IPv4 backbone]
The 6PE router labels IPv6 routing information and floods it onto the ISP's IPv4 backbone network through Internal Border Gateway Protocol (IBGP) sessions. The IPv6 packets are labeled before flowing into tunnels such as the GRE tunnel and MPLS LSP on the backbone network. The IGP used on the ISP network can be OSPF or IS-IS, and the protocol used between CE routers and 6PE routers can be static routing, an IGP, or EBGP.
When ISPs want to extend their IPv4/MPLS networks with IPv6 traffic exchange capability, they can just update the PE router. Therefore, using the 6PE feature as an IPv6 transition mechanism is a cost-effective solution for ISPs.
- IPv4 routing protocols: RIP, OSPF, IS-IS, and BGPv4
- IPv6 routing protocols: RIPng, OSPFv3, IS-ISv6, and BGP4+
- Static routes to simplify network configuration and improve network performance
- Large-capacity routing table to support MAN operation effectively
- Determining the optimal route through the routing policy
- Multicast protocols: Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Dense Mode (PIM-DM) and Protocol Independent Multicast-Sparse Mode (PIM-SM), Multicast Source Discovery Protocol (MSDP), and Multi-protocol Border Gateway Protocol (MBGP).
- PIM-SSM: If the multicast source is specified, a host can join the multicast source directly, without registering with the Rendezvous Point (RP).
- Anycast RP: Multiple RPs can exist in a domain and they are configured as MSDP peers. A multicast source can choose the nearest RP for registration, and the receiver can also choose the nearest RP to join its shared tree. In this way, load balancing is carried out among the RPs. When a certain RP fails, its previously registered sources and receivers choose another RP instead. The RPs thus back up each other.
- IPv6 multicast routing protocols: MLD, PIM-IPv6-DM, PIM-IPv6-SM, and PIM-IPv6-SSM.
- Multicast static routes.
- When receiving, importing and advertising multicast routes or forwarding IP packets, the multicast routing module can filter the routes or packets based on routing policies.
- Multicast VPN: The NE80E adopts the Multicast Domains (MD) scheme to implement centralized processing.
- Addition and deletion of dummy entries.
IGMP Snooping
For the NE80E, Layer 2, Layer 3, and QinQ interfaces, VPLS PW, STP, and RRPP support IGMP snooping. IGMP snooping listens to the IGMP messages between routers and hosts and sets up the Layer 2 forwarding table for multicast data packets. In this manner, IGMP snooping controls and manages the forwarding of multicast data packets to carry out Layer 2 multicast. IGMP snooping aims to control the flooding of multicast flows, forward packets as required, and save network resources. For the interface that joins a multicast group without the IGMP report application, the device does not send the multicast flow to the interface.
- Discarding the packets directly after receiving them
- Broadcasting the packets in the VLAN to which the receiving interface belongs
To control multicast traffic, the NE80E also supports the limit to the maximum percentage of multicast traffic on the Ethernet interface.
Multicast VLAN
Multicast VLAN refers to the VLAN that converges multicast flows. When users need certain multicast flows, they send a request to the multicast VLAN. The multicast VLAN then copies the multicast packets to the different user VLANs. This realizes multicast across VLANs. The NE80E forwards multicast packets through the multicast VLAN, and copies the packets based on the multicast routing entries. Then, the NE80E sends these packets to the VLANs of different users. Using the multicast VLAN, the NE80E can converge the multicast flows of different user VLANs into one or several specified VLANs. Multicast across VLANs enables the NE80E to send unicast packets and multicast packets across different VLANs. This helps manage and control the multicast flows and saves bandwidth. Network security is thus improved.
Multicast VPN
With the application of the VPN, the requirements of users for operating multicast services over the VPN are increasingly strict. The VRP adopts the multicast domain (MD) solution to implement multicast transmission over the VPN. MPLS/BGP VPN is a type of VPN implemented based on BGP and MPLS extensions. The MPLS/BGP VPN consists of the backbone network of carriers and the sites of users. As VPN user sites, the sites are isolated from each other and can interconnect only through the backbone network. A VPN can be regarded as a division of sites based on policies. These policies are used to control the connections between sites. As shown in Figure 5-21, Site 1, Site 2, and Site 3 constitute VPN A; Site 4, Site 5, and Site 6 constitute VPN B.
Figure 5-21 Application of MPLS/BGP VPN
[Figure: backbone routers P2, P3 and PE3; CE3 at VPN A site 3 and CE6 at VPN B site 6]
Table 5-1 Functions of various devices in MPLS/BGP VPNs

| Device | Full name | Description |
|---|---|---|
| P | Provider Router | As a core router of the backbone network, the router is responsible for MPLS forwarding. |
| PE | Provider Edge Router | As an edge router of the backbone network, the router processes VPN routes and implements MPLS Layer 3 VPN. |
| CE | Custom Edge Router | As an edge router of the user network, the router advertises user network routes. |
The network shown in Figure 5-21 runs multicast. VPN users in various sites receive multicast data in the local VPN. The edge PE router in the public network supports multi-instance. As shown in Figure 5-22, public network instances on each PE router and the P router implement public network multicast. VPN multicast data is multicast in the public network.
Figure 5-22 Public network multicast
[Figure: PE1, PE2 and PE3 public-network instances connected through P1, P2 and P3]
As shown in Figure 5-23, VPN A instances on each PE router and the sites that belong to VPN A implement VPN A multicast.
Figure 5-23 VPN A multicast
[Figure: VPN A instances on PE1, PE2 and PE3 forming MD A; CE2 at VPN A site 2 and CE3 at VPN A site 3]
As shown in Figure 5-24, VPN B instances on each PE router and the sites that belong to VPN B implement VPN B multicast.
[Figure 5-24: VPN B instances on PE1 and PE2 forming MD B; VPN B site 4, CE5 at VPN B site 5 and CE6 at VPN B site 6]
The multicast source S1 belongs to VPN A. S1 sends multicast data to G, a multicast group. Among all possible data receivers, only members of VPN A can receive multicast data from S1. Multicast data is multicast at various sites and on the public network.
- Each site that supports multicast based on VPN instance A
- A public network that supports multicast based on public instances
- A PE router that supports the following multi-instance multicast:
  - Connecting sites through VPN instances and supporting multicast based on VPN instances
  - Connecting the public network by using public network instances and supporting multicast based on public network instances
  - Supporting information communication and data switching between public network instances and VPN instances
- Basic MPLS functions, service forwarding, and LDP: LDP distributes labels, sets up LSPs, and transfers parameters used for setting up LSPs.
- LDP DU and DoD label distribution modes
- Independent label distribution control and sequential label control modes
- Liberal retention mode and conservative retention mode
- Maximum hop number and path vector
- MPLS ping and tracert: MPLS echo requests and MPLS echo replies are used to test the availability of an LSP.
- LSP-based traffic statistics
- LSP loop detection mechanism
- MPLS QoS, ToS mapping to MPLS EXP value of IP packets, and MPLS uniform, pipe, and short pipe modes
- Static configuration of LSPs and label forwarding based on traffic classification
- MPLS TRAP function
The LER is used at the edge of the MPLS network to connect with other networks and to classify services, distribute labels, encapsulate or strip off multi-layer labels. The LSR is the core router of the MPLS network, and it switches and distributes labels.
The NE80E can run MPLS on the POS, Ethernet, RPR, ATM and VLAN interfaces.
5.4.2 MPLS TE
Insufficient network resources and unbalanced load cause congestion in the network. This affects the performance of the backbone network. TE solves this problem. It monitors the traffic and load on the network element dynamically, and adjusts the traffic management, routing and resource constraint parameters in real time. MPLS TE is a technique that integrates TE with MPLS. Through the MPLS TE, you can create an LSP tunnel to a specified path, to reserve resources and implement re-optimization. In case of resource scarcity, MPLS TE helps to preempt the bandwidth resource of the LSP tunnels with a low priority. This meets the demands of the LSPs with large bandwidth or important services. MPLS TE also provides protection against link or node failures through the use of path backup and Fast Reroute (FRR). MPLS TE provides the following functions:
- MPLS TE creates and deletes static LSPs, which require bandwidth but are manually configured.
- Processing of Constrained Route-Label Switched Path (CR-LSP): MPLS TE processes various types of CR-LSPs.
The processing of static LSPs is easier. CR-LSPs are classified into the types described in the following sections.
DS-TE
DiffServ is a QoS solution. It classifies traffic according to the Class of Service (CoS) and provides differentiated QoS based on the CoS. As a traffic engineering solution, MPLS TE optimizes the use of network resources. DiffServ-Aware TE combines the advantages of the preceding two solutions. It can thus optimize the use of network resources according to the CoS. That is, the bandwidth is restricted for traffic of different CoSs. To summarize, DS-TE maps traffic of various CoSs to LSPs and makes the LSP that traffic passes through comply with the relevant TE constraints. DS-TE involves the following concepts:
- Class type (CT): refers to a collection of links that meet certain bandwidth constraints and is used to assign link bandwidth, execute constraint-based routing and perform access control. For a specified traffic trunk, all the links it passes belong to the same CT.
- Bandwidth constraints (BC): different bandwidth constraint models are constructed to control CTs. The models are determined by two parts: the maximum BC number (MaxBC) and the relationship between BC and CT.
The NE80E implements DS-TE, and supports two CTs: CT0 and CT1. CT0 and CT1 correspond to the Assured Forwarding (AF) and the Expedited Forwarding (EF) defined in QoS respectively. Their bandwidth constraints are BC0 and BC1 respectively, and each supports eight priorities (with the value ranging from 0 to 7). A total of 16 TE classes are supported. Normal TE tunnels that are not MPLS DiffServ-Aware TE tunnels are mapped to the AF according to CT0.
RSVP-TE
The Resource Reservation Protocol (RSVP) is designed for the Integrated Services (IntServ) model and is used on each node on a path for resource reservation. RSVP works at the transport layer, but does not take part in the transmission of application data. It is a control protocol on the Internet, similar to ICMP. RSVP has the following characteristics:
- Unidirectional.
- Receiver-oriented: the receiver initiates a request for resource reservation and maintains the resource reservation information.
- Uses a soft state mechanism to maintain the resource reservation information.
RSVP, after being extended, supports MPLS label distribution. While transmitting label mapping messages, it also carries the resource reservation information. The extended
RSVP is called RSVP-TE; it is the signaling protocol used to establish LSP tunnels in MPLS TE.
Fast Reroute
FRR is a technique to implement partial protection in MPLS TE. The time spent on FRR fast switchover can reach 50 milliseconds. It minimizes data loss when the network fails. FRR is only a means of temporary protection. After the protected link or node is restored or a new LSP is established, traffic is switched back to the original LSP or the newly established LSP. After the FRR function is configured to the LSP, traffic is switched to the standby link when a certain link or node on LSP is out of service. Meanwhile, the ingress of LSP attempts to establish a new LSP.
Auto FRR
The FRR technology requires that when configuring a protected tunnel, you must configure a bypass tunnel to bind with it. When the link or node is Down, the data flow can be automatically switched to the bypass tunnel. For the FRR protection, the bypass tunnel must be configured manually. If it is not configured, the tunnel cannot be protected. The Auto FRR can solve the preceding problem. Auto FRR is an extension of MPLS TE FRR. Bypass LSPs can be automatically set up along the LSP after you configure the attributes of bypass LSPs, global Auto FRR attributes, and the Auto FRR attributes of the interface. In addition, once the primary LSP changes, the original bypass LSPs can be automatically deleted and new bypass LSPs are set up.
CR-LSP Backup
The CR-LSP backup indicates establishing a backup CR-LSP for a CR-LSP. When the primary CR-LSP fails, the ingress switches the traffic to the backup CR-LSP immediately. It switches to the primary CR-LSP once the primary CR-LSP recovers. The two methods of backup are as follows:
- Hot-standby backup: The backup CR-LSP is established immediately after the primary CR-LSP is established. MPLS TE switches immediately to the backup CR-LSP when the primary CR-LSP fails.
- Ordinary backup: The backup CR-LSP is established when the primary CR-LSP fails.
LDP over TE
In current networks, not all devices support MPLS TE. Only the devices in the network core support TE and the devices at the network edge use LDP. The application of LDP over TE is then put forward. The TE tunnel is taken as a hop of the entire LDP LSP. LDP is widely used in MPLS VPN. To avoid the congestion of VPN traffic on nodes, you can configure this feature.
[Figure 5-25: routers R1, R2, R4, R5 and R6; IGP link costs of 10 on most links and 20 on the link via R4]
Figure 5-25 shows the MPLS VPN networking. Here, LDP is used as the signaling protocol. Router 1 and Router 6, acting as PE routers, discover that the link between Router 2 and Router 3 becomes congested after a large number of users access the network, because the traffic between Router 1 and Router 6 must pass through this link. The link between Router 2 and Router 4 is idle. The LSP, however, cannot use the link between Router 2 and Router 4 because of the IGP cost values. Establish a TE tunnel passing through Router 4 between R2 and R5, and adjust the metric value of the IGP shortcut. The two routes of R2 then implement load balancing:
- LDP establishes the LSP for load balancing to let traffic go along the idle link.
- Detecting the LSP connectivity
- Measuring the network utility and performance
- Performing the protection switching in the case of a link failure
- Providing services based on the Service Level Agreement (SLA) signed with the customers
With MPLS OAM, you can detect, identify, and locate failures in an MPLS network. The failure is reported and removed in time. In addition, MPLS OAM provides a mechanism for triggering protection switching. MPLS OAM provides the following functions:
- MPLS OAM detection: MPLS OAM sends CV/FFD and BDI packets along the LSPs to be detected and the reverse channels between the LSP ingress and egress to detect the connectivity.
[Figure: CV/FFD packets sent from the ingress LSR to the egress LSR along the LSP, and BDI packets returned on the reverse channel]
- OAM auto protocol function
- Protection switching: 1:1, 1+1, sharing protection, and packet-level protection are supported.
For sequential tunnel policies, you can set the sequence to select a tunnel and the number of tunnels for load balancing. The Up tunnel in the front of the queue is always selected to transmit services destined for the same destination. The tunnels at the end of the queue are not selected generally, unless load balancing is required or the tunnels before them are Down. The VPN tunnel binding policy associates a VPN peer with an MPLS TE tunnel on the PE router of the VPN backbone network. The data from the VPN to the peer is transmitted through the special TE tunnel. The TE tunnel bound carries only the specified VPN services. In this way, QoS of the VPN service can be ensured.
- LSP tunnels: Once a label is distributed to an FEC on the LSP ingress, traffic is transparently forwarded along the transit nodes of the LSP according to the label. In this manner, an LSP can be taken as an LSP tunnel.
- GRE tunnels:
If the PE router at the edge of the ISP network supports MPLS while the P router supports only IP, the LSP cannot be used as the public tunnel. In this case, GRE tunnels can substitute the LSP to run as the tunnel in the VPN backbone network.
- TE tunnels: To carry out reroute or transmit traffic over multiple paths, many LSPs may be required. In TE, a group of such LSPs is called a Traffic Engineered (TE) tunnel. These TE tunnels are identified by the tunnel ID or the LSP ID. In addition, the tunnel ID uniquely identifies a TE tunnel.
VLL
Figure 5-27 shows the typical networking diagram of MPLS L2VPN application that the NE80E supports. Figure 5-27 MPLS L2VPN
[Figure: PE routers and a PE-ASBR in an MPLS network connecting VPN1 site 2, VPN2 site 2, VPN2 site 3, VPN3 site 1 and VPN3 site 2]
- Support dynamic Martini/Kompella L2VPN
- Support static CCC/SVC L2VPN
- Support access to the MPLS L2VPN through PPP, HDLC, ATM, Eth/VLAN, and Q-in-Q
- Support inter-AS solutions: VRF-to-VRF and MP-Multihop EBGP
- Support MPLS VPN over GRE and MPLS VPN over TE tunnel
- Provide the VPN manager to manage VPNs among devices of different vendors
Martini MPLS L2VPN Martini MPLS L2VPN uses a combination of VC type and VC ID to identify a VC. VC type indicates the type of a VC (ATM, Ethernet, VLAN or PPP). VC ID is used to identify a VC uniquely. Every VC-ID of the same VC-Type on a PE router must be unique. The PE router connecting two CE routers interchanges VC labels through LDP and binds the corresponding CE routers through VC-ID. When an LSP is set up to connect two PE routers successfully and the label exchange and binding are complete at both sides, a VC is set up. Then CE routers can transmit Layer 2 data over the VC. To exchange VC labels between PE routers, the Martini draft extends LDP by adding the forwarding equivalence class (FEC) type in VC FEC. Moreover, because the two PE routers exchanging VC labels may be not connected directly, the LDP must use remote peer to create sessions to transfer VC FEC and VC labels.
Kompella MPLS L2VPN
Unlike Martini MPLS L2VPN, Kompella MPLS L2VPN does not operate directly on the connection between two CE routers. It divides the whole ISP network into VPNs and numbers each CE router within a VPN. To set up a connection between two CE routers, you only need to configure on the PE router an ID for the local CE router and an ID for the remote CE router, and then specify the circuit ID of the connection assigned by the local CE (for instance, an ATM VPI/VCI) for that link. For label allocation, Kompella MPLS L2VPN uses a label block to assign labels for several links at a time. You specify a local CE range, which indicates how many CE routers can be connected with this CE router, and the system assigns this CE router a label block whose size equals the CE range. Some of these labels are therefore reserved for future use; this wastes some label resources but reduces the configuration workload when the VPN is expanded. Kompella MPLS L2VPN supports inter-AS VPN solutions.
CCC MPLS L2VPN
Circuit Cross Connect (CCC) implements MPLS L2VPN through static configuration. Unlike the other MPLS L2VPN types, CCC uses a single-level label to carry user data, so it must use its LSPs exclusively: a CCC LSP carries the data of that CCC connection only. It can neither be used for other MPLS L2VPN or BGP/MPLS VPN connections nor carry ordinary IP packets. No separate static LSP needs to be configured on the PE routers for the CCC connection; if the two PE routers are not directly connected, a transit static LSP must be configured on each intermediate router.
SVC MPLS L2VPN
Static VC (SVC) is similar to Martini MPLS L2VPN, but SVC transfers Layer 2 VCs and link signaling information without LDP: the VC labels are configured manually on both PE routers.
L2VPN Interworking
If the link types of the CE routers at the two ends of an L2VPN are different, use the L2VPN interworking feature.
According to draft-kompella-ppvpn-l2vpn, IP-interworking should be used as the encapsulation type of the L2VPN interfaces on the PE routers when such a connection is set up. Layer 3 data (IP packets) is then delivered transparently across the MPLS network. To use the L2VPN interworking feature, encapsulate the L2VPN interfaces on the PE routers at both ends with IP-interworking.
The PE router begins to establish the L2VPN connection once the physical status of the interface goes up, and allows L2VPN forwarding once the connection is established. The system treats the physical link as available for transparent transmission regardless of whether the link layer protocol is up or down. After both the AC and the L2VPN tunnel are up, the CE routers at the two ends can exchange IP packets.
After the L2VPN connection is established, IP packets are processed as follows:
- On receiving an IP packet from the CE router, the PE router strips the link layer encapsulation and delivers the IP packet to the MPLS network.
- The IP packet is transported transparently to the peer PE router across the MPLS network.
- The peer PE router re-encapsulates the IP packet according to its own link layer protocol type and sends it to the CE router connected to it.
- Link layer control packets sent by the CE router are processed by the PE router and do not enter the MPLS network.
- All non-IP packets (such as MPLS and IPX packets) are discarded; none of them crosses the MPLS network.
Inter-AS MPLS L2VPN
How an inter-AS MPLS L2VPN is realized depends on the environment. In CCC mode the label is single-level, so the inter-AS connection is realized once a static LSP is set up between the ASBRs. SVC, Martini and Kompella modes can realize inter-AS Option A (VRF-to-VRF). In L2VPN networking the link type between the ASBRs must be the same as that of the VC, and in Option A each ASBR must reserve a sub-interface for every inter-AS VC. Option A is therefore suitable only when the number of inter-AS VCs is small; compared with L3VPN, inter-AS Option A for L2VPN consumes more resources. Option B requires the ASBR to switch both the inner and the outer label, so it is not suitable for L2VPN. Option C is the better solution: the SP network devices need only set up the outer tunnel between the PE routers in the different ASs. The ASBRs neither maintain inter-AS L2VPN information nor reserve interfaces for it; the L2VPN information is exchanged only between the PE routers, so resource consumption decreases.
VPLS
The VPLS network structure is shown in Figure 5-28. Several virtual switches (VSs) can be created on a PE router, and VSs on different PE routers form an L2VPN. LANs at the user end access the L2VPN through the VSs; in this way users extend their own LAN across the WAN. VPLS can be regarded as a VS spanning the public network. Like L3VPN, it establishes LSP tunnels across the public network for traffic exchange.
Figure 5-28 VPLS network structure
[Figure: three PE routers, each hosting VS1 and VS2; VLAN1 sites attach to VS1 and VLAN2 sites attach to VS2, so each VS spans the PE routers as one L2VPN.]
VPLS requires user sites to attach over Ethernet links; the PE forwards frames directly according to the VLAN ID. For communication with remote users, a Virtual Channel (VC) that traverses the public network is established between the PE routers and associated with the VLAN ID; users then communicate over the Layer 2 tunnel through the VC. The VLAN ID identifies the user's VPN. When the VC is established, the PE router allocates two levels of labels to it: the outer label is the public-network MPLS LSP label allocated by LDP, and the inner label is the VC label negotiated over a targeted (remote) LDP session set up between the loopback interfaces of the PE routers.
QinQ VPLS
QinQ is a tunneling technique based on IEEE 802.1Q encapsulation: the VLAN tag of the private network is encapsulated inside the VLAN tag of the public network. Packets carry two levels of tags across the ISP backbone, which saves VC resources and gives users a relatively simple L2VPN tunnel. Figure 5-29 shows QinQ VPLS.
HVPLS
VPLS requires the PE routers to forward Ethernet frames over a full mesh of emulated Ethernet circuits, or Pseudo-Wires (PWs), so all PE routers in the same VPLS must be connected with each other: a VPLS with N PE routers needs N x (N-1)/2 PW connections. Hierarchical Virtual Private LAN Service (HVPLS) is a networking solution that scales VPLS by keeping the full mesh only among the core PE routers. Figure 5-30 shows the HVPLS model.
[Figure 5-30 HVPLS model: CE - AC - UPE - PW - SPE, with the SPE in the full-mesh core.]
UPE
The device directly connected with the CE routers is called the Underlayer PE (UPE). The UPE needs to be connected with only one of the PE routers of the basic (full-mesh) VPLS. The UPE supports routing and MPLS encapsulation. If one UPE is connected with many CE routers and provides bridging, only the UPE needs to forward the frames between them, which reduces the burden on the SPE.
SPE
The device connected with the UPE and located in the core of the full-mesh VPLS is called the Superstratum PE (SPE). The SPE is connected with all the other devices in the VPLS. It treats the connected UPE as a CE router, and the PW between the UPE and the SPE is treated as an AC of the SPE. The SPE must learn the MAC addresses of the sites at the UPE side and the MAC addresses of the UPE interfaces connected with the SPE.
IGMP snooping
VPLS isolates users, so each VPN needs its own IGMP snooping, that is, multi-instance IGMP snooping.
VPLS learns MAC addresses in one of the following modes:
- Unqualified: all VLANs in a VSI share one MAC address space and one broadcast domain. MAC entries are keyed by MAC address alone, so a MAC address that appears in two VLANs of the same VSI collides.
- Qualified: each VLAN in a VSI has an independent MAC address space and broadcast domain. MAC entries are keyed by VLAN and MAC address.
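The two learning modes above, as an added example that is not NE80E or Huawei code: a small VSI model learns source MAC addresses, forwards known unicast, floods the rest, and applies the split-horizon rule of RFC 4762 (a frame received from a PW is never sent to another PW of the mesh, which is what makes the full mesh loop-free). Running the same frame sequence in both modes shows the practical difference: in unqualified mode the same MAC address seen in two VLANs overwrites a single entry and a VLAN 10 frame is delivered to a VLAN 20 port, while qualified mode keeps the two apart. The port names, VLAN memberships and MAC addresses are constructed for the illustration.

```python
"""VSI MAC learning in qualified vs unqualified mode, with flooding and
PW split horizon.  Added example, not NE80E code; ports, VLANs and MACs are constructed."""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst vlan")


class VirtualSwitch:
    def __init__(self, mode, acs, pws):
        if mode not in ("qualified", "unqualified"):
            raise ValueError(mode)
        self.mode = mode
        self.acs = set(acs)            # attachment circuits to local sites
        self.pws = set(pws)            # pseudowires to the other PEs of the mesh
        self.ports = {**acs, **pws}    # port -> VLAN IDs it carries
        self.fdb = {}                  # learned key -> port

    def _key(self, vlan, mac):
        # unqualified: one MAC space for the whole VSI; qualified: one per VLAN
        return mac if self.mode == "unqualified" else (vlan, mac)

    def receive(self, in_port, frame):
        """Learn the source, then return the set of ports the frame goes out on."""
        if in_port not in self.ports:
            raise ValueError("unknown port %r" % in_port)
        self.fdb[self._key(frame.vlan, frame.src)] = in_port
        out = self.fdb.get(self._key(frame.vlan, frame.dst))
        if out is not None:
            # known unicast; split horizon still applies: never PW -> PW
            if out == in_port or (in_port in self.pws and out in self.pws):
                return set()
            return {out}
        # unknown unicast / broadcast: flood the broadcast domain
        flood = {p for p, vlans in self.ports.items()
                 if p != in_port and (self.mode == "unqualified" or frame.vlan in vlans)}
        if in_port in self.pws:
            flood -= self.pws          # frames from the mesh are not sent back into it
        return flood


def run_scenario(mode):
    """Same frame sequence in both modes; returns the egress port set per frame."""
    vs = VirtualSwitch(mode,
                       acs={"ac1": {10, 20}, "ac2": {20}},
                       pws={"pw-PE2": {10, 20}, "pw-PE3": {10, 20}})
    steps = [("ac1", Frame("A", "B", 10)),     # A unknown destination -> flood
             ("pw-PE2", Frame("B", "A", 10)),  # B replies; A is now known
             ("pw-PE2", Frame("C", "X", 20)),  # flood from a PW reaches ACs only
             ("ac2", Frame("A", "Y", 20)),     # the same MAC A appears in VLAN 20
             ("pw-PE3", Frame("Y", "A", 10))]  # VLAN 10 traffic for A
    return [tuple(sorted(vs.receive(port, f))) for port, f in steps]
```

The last step is the one to look at: in unqualified mode the fifth frame leaves on ac2, a port that does not even carry VLAN 10, because the VLAN 20 learning of MAC A overwrote the VLAN 10 entry; in qualified mode it still goes to ac1.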
PWE3
Pseudo-Wire Emulation Edge to Edge (PWE3) is a technology for carrying end-to-end Layer 2 services over a Packet Switched Network (PSN). It emulates ATM, Frame Relay (FR), Ethernet, low-speed TDM, and SONET/SDH over the PSN.
Classifications of PW
PWs are classified as:
- static PW and dynamic PW, by implementation
- single-hop PW and multi-hop PW, by networking
- LDP-PW and RSVP-PW, by signaling
Control Word
The control word (CW) is negotiated at the control plane and used at the forwarding plane for packet sequence detection, fragmentation and reassembly. In the PWE3 protocols, ATM Adaptation Layer Type 5 (AAL5) and FR require CW support. CW negotiation at the control plane is simple: it succeeds only when both ends, or neither end, support the CW. If the CW is supported, the result is delivered to the forwarding module, which detects the packet sequence and reassembles packets; the negotiation result also determines whether the CW is added to each packet. The CW has the following functions:
- Carries the sequence number. If the control plane supports the CW, a 32-bit CW is added in front of the data packet to indicate its sequence. When load balancing is in use, packets may arrive out of order; the CW numbers them so that the peer can restore the order.
- Pads packets that would otherwise be too short. For example, if Ethernet is used between the PEs and PPP between the PEs and CEs, a PPP control packet is smaller than the minimum Ethernet frame size and PPP negotiation fails. Adding the CW, whose length field records the real length so that the padding can be stripped, avoids this.
- Carries control information from the Layer 2 frame header. In some cases the frame need not be transmitted completely in the L2VPN packet: the frame header is stripped at the ingress and rebuilt at the egress. This cannot be done when information in the frame header must be carried, and the CW solves the problem by carrying the information negotiated between the ingress PE and the egress PE.
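The three CW functions above, as an added example that is not NE80E or Huawei code: it builds the generic PW MPLS control word of RFC 4385 under a two-label stack (tunnel label, VC label), pads a short PPP control frame and records its real length so the egress can strip the padding, checks the 16-bit sequence number with its 1..65535 wrap, and tells a data CW apart from the PW associated channel header (first nibble 1) that VCCV uses as its in-band control channel. The label values, the 64-octet minimum frame size and the PPP LCP sample are constructed for the illustration.

```python
"""PWE3 control word (RFC 4385) with sequencing and padding, under an MPLS
label stack.  Added example, not NE80E code; labels and sample frame are constructed."""
import struct

SEQ_RING = 65535   # sequence numbers run 1..65535 and wrap to 1; 0 = unsequenced
MIN_FRAME = 64     # assumed PSN minimum (Ethernet between the PEs)


def mpls_label(label, exp=0, bos=False, ttl=255):
    """One 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def build_cw(seq=0, length=0, flags=0, frg=0):
    """Generic control word: 0000 | flags(4) | FRG(2) | length(6) | sequence(16).
    The leading zero nibble also stops transit routers from mistaking the
    payload for IPv4/IPv6 when they hash packets for load balancing."""
    if not (0 <= flags < 16 and 0 <= frg < 4 and 0 <= length < 64 and 0 <= seq <= 65535):
        raise ValueError("control word field out of range")
    return struct.pack("!I", (flags << 24) | (frg << 22) | (length << 16) | seq)


def parse_cw(word):
    """Data control word (first nibble 0) or PW associated channel header (first nibble 1)."""
    v = struct.unpack("!I", word)[0]
    nibble = v >> 28
    if nibble == 0:
        return {"kind": "data", "flags": (v >> 24) & 0xF, "frg": (v >> 22) & 3,
                "length": (v >> 16) & 0x3F, "seq": v & 0xFFFF}
    if nibble == 1:
        return {"kind": "ach", "version": (v >> 24) & 0xF, "channel_type": v & 0xFFFF}
    raise ValueError("first nibble %x is neither data nor ACH" % nibble)


def encapsulate(payload, seq, tunnel_label, vc_label):
    """Outer tunnel label, inner VC label, control word, then the frame,
    padded up to MIN_FRAME with the real length recorded in the CW."""
    length = 0
    if 4 + len(payload) < MIN_FRAME:
        length = 4 + len(payload)
        payload = payload + b"\x00" * (MIN_FRAME - length)
    return (mpls_label(tunnel_label) + mpls_label(vc_label, bos=True)
            + build_cw(seq=seq, length=length) + payload)


def decapsulate(pkt):
    """Egress PE: pop to the bottom of stack, read the CW, strip the padding."""
    off, labels = 0, []
    while True:
        if off + 4 > len(pkt):
            raise ValueError("label stack without bottom-of-stack bit")
        entry = struct.unpack("!I", pkt[off:off + 4])[0]
        labels.append(entry >> 12)
        off += 4
        if entry & 0x100:
            break
    cw = parse_cw(pkt[off:off + 4])
    body = pkt[off + 4:]
    if cw["kind"] == "data" and cw["length"]:
        body = body[:cw["length"] - 4]
    return labels, cw, body


class SeqChecker:
    """Egress reordering check on the CW sequence number."""
    def __init__(self):
        self.expected = None

    @staticmethod
    def next_seq(seq):
        return 1 if seq == 65535 else seq + 1

    def check(self, seq):
        if seq == 0:
            return "unsequenced"
        if self.expected is None or seq == self.expected:
            self.expected = self.next_seq(seq)
            return "in-order"
        gap = (seq - self.expected) % SEQ_RING
        if gap < SEQ_RING // 2:             # ahead of expected: packets were lost
            self.expected = self.next_seq(seq)
            return "lost %d" % gap
        return "out-of-order"                # behind expected: late or duplicate, drop


def demo():
    # Constructed 12-octet PPP LCP Configure-Request: addr/ctrl/proto, LCP header, MRU option
    lcp = bytes.fromhex("ff03c02101010008010405dc")
    pkt = encapsulate(lcp, seq=1, tunnel_label=1001, vc_label=100200)
    labels, cw, payload = decapsulate(pkt)
    return len(pkt), labels, cw["length"], payload == lcp
```

Without the length field the egress would hand the CE a 60-octet frame instead of the 12-octet LCP packet; without the sequence check a load-balanced backbone could silently reorder the PW.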
VCCV Ping
VCCV ping is a tool for manually testing the connectivity of a virtual circuit. Like ICMP ping and LSP ping, it is realized through an extension of LSP ping. VCCV defines a series of messages transmitted between the PEs to verify the connectivity of PWs. To ensure that VCCV packets follow the same path as the data packets in the PW, their encapsulation type and the tunnel they traverse must be the same as those of the PW packets. For details, refer to draft-ietf-pwe3-vccv and draft-ietf-mpls-lsp-ping. The NE80E supports manual connectivity detection of LDP PWs on the U-PE, that is, VCCV ping, for static PWs, dynamic PWs, single-hop PWs and multi-hop PWs. Figure 5-31 shows the reference model of PWE3 VCCV.
Figure 5-31 Reference model of the PWE3 VCCV
[Figure: CE1 - AC - U-PE1 - PW1, PW2 - U-PE2 - AC - CE2; the emulated service spans the two ACs and the PW, and VCCV runs between U-PE1 and U-PE2.]
VCCV is a fault detection and diagnostic tool for PWs. It combines one control channel (CC) type with one connectivity verification (CV) type; the available combinations differ with the underlying PSN (MPLS or L2TPv3), and the CV type can be LSP ping or Internet Control Message Protocol (ICMP) ping.
PW Template
A PW template is a set of common attributes abstracted from PWs and shared by different PWs. For ease of expansion, a PW template command mode is provided for setting common PW attributes; when creating a PW in interface mode you can reference the template. On the NE80E a PW can be bound to a PW template and can be reset.
Interconnectivity of heterogeneous media
PWE3 supports:
- interconnectivity of homogeneous media and of heterogeneous media
- cell relay of data with different encapsulations
At present the NE80E supports the following data transport with PWE3:
- ATM AAL5 SDU VCC transport
- Ethernet
- HDLC
- ATM n-to-one VCC cell transport
- IP Layer 2 transport
- ATM one-to-one VCC cell mode
ATM cell relay
ATM cell relay is a technique for carrying ATM cells over a PWE3 virtual circuit. Figure 5-32 shows the label encapsulation for ATM cell relay across the PSN.
The outer PSN label identifies the PSN tunnel, while the inner PW label identifies the PW. ATM cell relay carries the following services over a PSN:
- services whose PW payload is ATM cells
- services whose PW payload is AAL5 SDUs
ATM cell relay can also be used to migrate an existing ATM network onto a PSN without new ATM devices and without changing the ATM CE configuration: the ATM CE sees the cell relay service as a TDM leased line, and its cells are relayed through the PSN for ATM interconnection.
ATM IWF
The ATM Inter-Working Function (ATM IWF) provides interoperation between an ATM link accessed through RFC 1483 bridged (1483B) encapsulation and an Ethernet link. Using L2VPN, ATM packets received through 1483B encapsulation are transmitted transparently to the Ethernet link. To preserve the ATM access information of a packet (its VPI and VCI), the VPI is mapped to the outer VLAN and the VCI to the inner VLAN; with these two VLAN tags added to the data link layer header, the router can deliver the ATM packets, with their VPI/VCI information, to the Ethernet link. ATM IWF runs on L2VPN and has two implementation methods, chosen according to the networking: the CCC local connection and the PW.
CCC local connection
The CCC is implemented between an ATM sub-interface and an Ethernet sub-interface on the same router. As shown in Figure 5-33, in the CCC local connection the NE80E cross-connects the 1483-encapsulated flows out of the ATM traffic received from devices such as a DSLAM to the Ethernet link. The VPI is mapped to the outer VLAN and the VCI to the inner VLAN, and the packets are then forwarded from the Ethernet interface to the access device, such as a BRAS. The BRAS distinguishes DSLAM users by the two VLAN tags of each packet.
Figure 5-33 ATM IWF diagram in the CCC local connection
[Figure: DSLAM - ATM - RouterA (CCC) - GE - BRAS]
PW
Through the LSP tunnel of the L2VPN, Layer 2 data packets of the ATM link and the Ethernet link are transmitted transparently between the peer PE routers. As shown in Figure 5-34, the 1483B-encapsulated ATM flow is transmitted transparently to the remote Ethernet link through a PW (for example, a Martini or Kompella L2VPN). In the process the VPI is mapped to the outer VLAN and the VCI to the inner VLAN, and the ATM packets are delivered transparently to the remote BRAS, which distinguishes DSLAM users by the two VLAN tags of each packet.
[Figure 5-34: ATM access through an ATM switch, PW across the MPLS network, GE link to the BRAS]
[Figure: BGP/MPLS IP VPN networking. PE routers, PE-ASBRs and a hierarchical PE (UPE and SPE) in MPLS networks connect VPN1, VPN2 and VPN3 sites; VPN routes are exchanged with MP-BGP. Callouts in the figure:
- Support MPLS VPN over GRE and MPLS VPN over TE tunnel
- Provide the VPN manager to manage VPNs among devices of different vendors]
- As a PE router, the NE80E supports access of CE routers through various interface types, such as Ethernet, POS and VLAN interfaces.
- It supports static routes and dynamic routing protocols such as BGP, RIP, OSPF and IS-IS between CE routers and PE routers.
- It supports various inter-AS VPN solutions.
Carrier's Carrier
A customer of the BGP/MPLS IP VPN service provider can itself be a service provider. The BGP/MPLS IP VPN service provider is then called the provider carrier or level 1 carrier, and the customer is called the customer carrier or level 2 carrier. This networking model is called carrier's carrier. In it, the level 2 SP acts as a CE router of the level 1 SP. For scalability, the level 2 carrier operates in a way similar to a stub VPN: the CE router of the level 2 carrier advertises only the routes of the VPN where it resides (internal routes) to the PE router of the level 1 carrier, and does not advertise its own customers' routes (external routes). The PE routers of the level 2 carrier exchange the external routes among themselves using BGP. This greatly reduces the number of routes the level 1 carrier network must maintain.
Inter-AS VPN
The NE80E supports the following three inter-AS VPN solutions described in RFC 2547bis:
- VPN instance to VPN instance: the ASBRs exchange VPN routes with each other over sub-interfaces; also called Inter-Provider Backbones Option A.
- EBGP redistribution of labeled VPN-IPv4 routes: the ASBRs advertise labeled VPN-IPv4 routes to each other through MP-EBGP; also called Inter-Provider Backbones Option B.
- Multihop EBGP redistribution of labeled VPN-IPv4 routes: the PE routers advertise labeled VPN-IPv4 routes to each other through multihop MP-EBGP; also called Inter-Provider Backbones Option C.
Multicast VPN
The NE80E supports multicast MPLS/BGP VPN.
IPv6 VPN
The next-generation network protocol IPv6 is an enhancement of IPv4: it enlarges the address space, simplifies configuration and maintenance, improves security, and supports access of more users and devices to the Internet. A VPN extends a private network over a shared link or a public network such as the Internet, letting the computers at two sites of a client exchange data over the shared link or public network as if over a point-to-point private link. When every site of a VPN runs IPv6, all the sites connect to the PE routers of the Service Provider (SP) through interfaces or sub-interfaces with IPv6 addresses; the sites are thus connected to the SP backbone, and the VPN is called an IPv6 VPN. Simply put, in an IPv6 VPN the PE router receives IPv6 packets from the CE router, which is the difference from an IPv4 VPN.
Currently, IPv6 VPN services are carried over the IPv4 network of the SP: the backbone runs IPv4 while the user sites use IPv6 addresses, so the PE routers need the IPv4/IPv6 dual stack, as shown in Figure 5-36. Any protocol that carries IPv6 traffic can run between the PE routers and the CE routers. The PE routers run IPv6 on the interfaces facing the clients and IPv4 on the interfaces facing the public network.
Figure 5-36 Networking diagram of the IPv6 VPN over the IPv4 backbone network
[Figure: the CE routers of IPv6 VPN site1 and site2 attach to dual-stack PE routers of an IPv4 VPN backbone containing P routers.]
The implementation principle of the IPv6 VPN is similar to that of BGP/MPLS IP VPN. The IPv6 VPN advertises VPN-IPv6 routing information through Multiprotocol Extensions for BGP-4 (MP-BGP) across the backbone. It triggers MPLS to allocate labels that identify the IPv6 packets, and then carries the private network data across the backbone through LSP, MPLS TE or GRE tunnels. The IPv6 VPN networking schemes supported by the NE80E are:
- Intranet VPN
- Extranet VPN
- Hub and Spoke
- Inter-AS or multi-AS backbone VPN
- Carrier's carrier
HoVPN
In BGP/MPLS VPN solutions the key device, the PE router, has two roles:
- It provides access for users, which requires a large number of interfaces.
- It manages and advertises VPN routes and processes user packets, which requires large memory and high forwarding capacity.
This makes the PE router a bottleneck. To solve the problem, Huawei introduced the Hierarchy of VPN (HoVPN) solution, in which the functions of a PE router are distributed to multiple devices. Acting in different roles in a hierarchical architecture, these routers together fulfill the functions of a centralized PE router.
The basic architecture of HoVPN is shown in Figure 5-37. The device directly connected with the users is called the Underlayer PE or User-end PE (hereafter UPE). The device connected with the UPE inside the network is called the Superstratum PE or Service Provider-end PE (hereafter SPE). Multiple UPEs and an SPE form a hierarchical PE, which functions as one traditional PE router.
Figure 5-37 Basic architecture of HoVPN
[Figure: VPN1 and VPN2 sites attach to UPEs, which connect to an SPE; the UPEs and the SPE together form the HoVPN hierarchical PE, which peers with ordinary PE routers serving other VPN1 and VPN2 sites.]
In HoVPN networking the functions of the PE router are implemented hierarchically, so the solution is also called Hierarchy of PE (HoPE).
The UPE implements user access. It maintains the routes of the VPN sites directly connected to it, and does not maintain the routes of the remote sites of the VPN, or maintains only their summary routes. The UPE assigns inner labels to the routes of its directly connected sites and advertises them to the SPE as VPN routes through MP-BGP. The SPE manages and advertises VPN routes: it maintains the routes of all the VPNs connected through the UPEs, including both local and remote sites. The SPE does not advertise the routes of remote sites to the UPEs; it advertises only the default route of each VPN instance, or summary routes, to the UPEs together with a label.
The different roles impose different requirements on the SPE and the UPE:
- SPE: large routing table capacity, high forwarding performance, few interface resources
- UPE: small routing table capacity, low forwarding performance, high access capacity
The HoVPN takes advantage of the performance of SPEs and access capability of UPEs.
The HoPE looks the same as a traditional PE from the outside and can coexist with ordinary PEs in an MPLS network. HoVPN supports nesting of HoPEs:
- A HoPE can act as a UPE and form a new HoPE with another SPE.
- A HoPE can act as an SPE and form a new HoPE with multiple UPEs.
- Multiple levels of nesting are supported.
RRVPN
Resource Reserved VPN (RRVPN) is a tunnel-multiplexing technique that provides end-to-end QoS guarantees for VPN users. RSVP-TE tunnels must be used to reserve and isolate resources for a VPN. Different VPNs use different tunnels, and the resources of the tunnels that share the same tunnel interface are isolated and reserved for each. Note that the total bandwidth of the tunnels must not exceed the bandwidth reserved on the physical link.
Multi-role Hosts
In a BGP/MPLS IP VPN, the VPN attributes of the packets a PE receives from a CE are decided by the VPN instance bound to the incoming PE interface, so all packets arriving on the same PE interface belong to the same VPN. In practice, however, a server or terminal may need to access several VPNs; for example, a server of a financial system in VPN 1 may need to communicate with a server of an accounting system in VPN 2. Such a server is called a multi-role host. In the multi-role host model only the multi-role host can access multiple VPNs; the other hosts can access only the VPN they belong to. The principle is simple. A multi-role host configuration fulfills two functions:
- It ensures that traffic from the multi-role host can reach the destination VPN.
- It ensures that traffic from the destination VPN can reach the multi-role host.
As shown in Figure 5-38, the multi-role host PC belongs to VPN1. If the VPN1 and VPN2 routes on PE1 are not imported into each other, the PC can access only VPN1: traffic from the PC to VPN2 can be forwarded only by looking up the VPN1 routing table of PE1, and if the destination address is not in that table, PE1 discards the packet. To let the PC's traffic reach VPN2, configure PBR on the PE1 interface through which CE1 accesses PE1. Afterwards, if the destination address of a packet from CE1 is not in the VPN1 routing table, the VPN2 routing table is searched. The PBR here generally matches on IP addresses and steers traffic into the different VPNs.
[Figure 5-38: the multi-role host PC behind CE1 attaches to PE1, which applies policy-based routing on the CE1-facing interface; across the backbone PE2 serves VPN1 through CE2 and PE3 serves VPN2 through CE3; a static route on PE1 points back to the PC.]
To ensure that traffic from the destination VPN can return to the PC, PE1 must have a route toward the PC for the traffic arriving from VPN2. This is done by injecting a static route to the PC into the VPN2 routing table on PE1, with the PE1 interface connected to CE1 as the outgoing interface. The multi-role host functions are thus realized mainly on the PE that the CE accesses (the multi-role host is attached to the CE):
- Through PBR on the PE, traffic from one VPN can be forwarded by looking up the routing tables of other VPNs as well.
- Static routes are installed in the routing table of the destination VPN on the PE; their outgoing interfaces are the interfaces connecting the PE to the VPN of the multi-role host.
Note that the address space of the VPN where the multi-role host resides and that of the VPN it accesses must not overlap.
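The forwarding logic described above, traced on PE1 as an added example that is not NE80E or Huawei code: per-VPN routing tables with longest-prefix match, a PBR rule on the CE1-facing interface that lets packets from the PC alone fall back to the VPN2 table, and the static return route in VPN2. The run shows why both halves are needed: without the PBR the PC's packet to VPN2 is dropped, without the static route the reply from VPN2 is dropped, and a non-multi-role host on the same interface stays confined to VPN1. Interface names, prefixes and addresses are constructed for the illustration.

```python
"""Multi-role host forwarding on PE1: VPN tables, PBR fallback, static return route.
Added example, not NE80E code; interface names, prefixes and addresses are constructed."""
import ipaddress


class PE:
    def __init__(self):
        self.tables = {}   # VPN instance -> {network: next hop or outgoing interface}
        self.if_vrf = {}   # access interface -> VPN instance bound to it
        self.pbr = {}      # access interface -> [(source prefix, fallback VPN instance)]

    def bind(self, ifname, vrf):
        self.if_vrf[ifname] = vrf
        self.tables.setdefault(vrf, {})

    def add_route(self, vrf, prefix, via):
        self.tables.setdefault(vrf, {})[ipaddress.ip_network(prefix)] = via

    def add_pbr(self, ifname, src_prefix, fallback_vrf):
        """Policy: packets from src_prefix that miss in the bound VPN are looked up in fallback_vrf."""
        self.pbr.setdefault(ifname, []).append((ipaddress.ip_network(src_prefix), fallback_vrf))

    def lookup(self, vrf, dst):
        """Longest-prefix match in one VPN routing table; None if there is no route."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, via in self.tables.get(vrf, {}).items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return None if best is None else (vrf, best[1])

    def forward_from_ce(self, in_if, src, dst):
        """Packet from an attachment circuit: the VPN is chosen by the interface
        binding, then PBR fallback applies to matching sources only. None = dropped."""
        hit = self.lookup(self.if_vrf[in_if], dst)
        if hit:
            return hit
        src = ipaddress.ip_address(src)
        for src_prefix, fallback in self.pbr.get(in_if, []):
            if src in src_prefix:
                hit = self.lookup(fallback, dst)
                if hit:
                    return hit
        return None

    def forward_from_backbone(self, vrf, dst):
        """Packet arriving from the backbone with the inner label of VPN instance vrf."""
        return self.lookup(vrf, dst)


def build_pe1():
    pe1 = PE()
    pe1.bind("ge1/0/0", "VPN1")                        # CE1 (with the PC behind it) attaches here
    pe1.add_route("VPN1", "10.1.0.0/16", "ge1/0/0")    # local VPN1 site
    pe1.add_route("VPN1", "10.2.0.0/16", "PE2")        # remote VPN1 site behind PE2
    pe1.add_route("VPN2", "10.3.0.0/16", "PE3")        # VPN2 site behind PE3
    return pe1


def scenario():
    pe1 = build_pe1()
    pc, other_host, vpn2_server = "10.1.1.10", "10.1.1.20", "10.3.1.1"
    no_pbr = pe1.forward_from_ce("ge1/0/0", pc, vpn2_server)          # miss in VPN1: dropped
    pe1.add_pbr("ge1/0/0", pc + "/32", "VPN2")
    with_pbr = pe1.forward_from_ce("ge1/0/0", pc, vpn2_server)        # falls back to VPN2
    not_multi_role = pe1.forward_from_ce("ge1/0/0", other_host, vpn2_server)
    no_return = pe1.forward_from_backbone("VPN2", pc)                 # VPN2 has no route to the PC
    pe1.add_route("VPN2", pc + "/32", "ge1/0/0")                      # static return route
    with_return = pe1.forward_from_backbone("VPN2", pc)
    return no_pbr, with_pbr, not_multi_role, no_return, with_return
```

The PBR rule is keyed on the multi-role host's source address, so it is only as strong as the address it matches; the page's requirement that the two VPNs use non-overlapping address space is what keeps the static /32 in VPN2 from shadowing a legitimate VPN2 host.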
The UPE terminates and accesses the L2VPN (VLL and VPLS). The NPE terminates and accesses the L3VPN.
[Figure: DSLAMs attach to UPEs; the UPEs access the MPLS L2VPN and set up the L2VPN tunnels to the NPEs, which terminate them into the MPLS L3VPN. Labels in the figure: AC for user access; users access the L3VPN through the L2VPN; L2VPN tunnel; L3VPN tunnel.]
MPLS is widely used on the access network of the ISP because of its reliability and security, its IP-based operation and maintenance, and its QoS support. MPLS L2VPN provides MPLS-based VPN services that transmit users' Layer 2 data transparently over the MPLS network; it provides a channelized path for user services and reduces the number of LSPs that transit nodes must maintain. MPLS L3VPN is a common service the ISP provides over the bearer network. MPLS L2VPN tunnels let users access the MPLS L3VPN of the bearer network, so low-end devices such as the CX series can be used at the user access side; networking cost is reduced while users receive secure and stable MPLS L3VPN services.
To access L3VPN services through MPLS L2VPN tunnels, two devices, a PE-AGG and an NPE, must be deployed at the border between the access network and the bearer network: the PE-AGG terminates the L2VPN and the NPE terminates the L3VPN, and each acts as the CE router of the other. If an NPE also has the capability of a PE-AGG, networking cost is saved and the network is simplified. The VE interface of the NE80E, which supports multi-service access, can be bound to an L2VPN and an L3VPN at the same time, that is, it can access and terminate both. In this way the NE80E can act as the NPE and the PE-AGG at the same time.
[Figure: DSLAMs attach to UPEs, which access the L2VPN and set up the L2VPN tunnels; the UNPE combines the PE-AGG and NPE roles, terminating the L2VPN tunnel and the L3VPN tunnel on one device. Labels in the figure: AC for user access; users access the L3VPN through the L2VPN; L2VPN tunnel; L3VPN tunnel.]
User access to the MPLS VPN is characterized by two points:
- the total bandwidth the user uses to access the MPLS VPN
- the priority level of the user's service in the MPLS network
These two points determine the volume of user traffic admitted into the ISP network. Once the user has access, the next question is what type of QoS to provide for the user:
- the bandwidth of the user's traffic toward a specified peer PE router is guaranteed;
- service types toward a specified peer PE router, such as voice, video, important data and ordinary network services, need guaranteed bandwidth and delay.
VPN QoS provides a relatively complete L2VPN or L3VPN QoS solution, using various QoS techniques to meet the diverse and fine-grained QoS demands of VPN users. VPN QoS provides QoS in the MPLS DiffServ network and end-to-end QoS in the MPLS TE network; in deployment you select the QoS policy as required.
QoS Policy Propagation through BGP (QPPB):
- sets QoS parameters for BGP routes according to the attributes of the BGP routes;
- classifies traffic by matching those QoS parameters and sets the QoS policy for the classified traffic;
- forwards packets according to the locally set QoS policy, so that the QoS policy is propagated through BGP.
In an L3VPN you can set a QPPB policy for private routes to classify L3VPN traffic, re-mark its traffic class and limit its volume.
On the ingress PE router, VPN QoS classifies VPN traffic by simple or complex traffic classification; the classified traffic is policed, re-marked and scheduled by priority. Classification and scheduling support the uniform and pipe/short pipe modes. On the P routers, VPN QoS performs differentiated queue scheduling according to the MPLS EXP field. On the egress PE router, VPN QoS performs differentiated queue scheduling based on the EXP field and polices and shapes traffic on the outbound interface.
This scheme has an inherent limitation: the transit nodes apply QoS actions only according to the predefined PHB, which cannot guarantee end-to-end QoS or eliminate network congestion.
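The uniform, pipe and short pipe modes named above are the MPLS DiffServ tunnelling models of RFC 3270; the following added example, which is not NE80E or Huawei code, traces one packet through ingress PE, P router and egress PE in each mode. It makes the operational difference visible: in uniform mode the customer's DSCP is copied into EXP and a re-mark by a P router rewrites the DSCP handed back to the CE, while in pipe and short pipe mode the provider's own policy sets EXP and the customer marking survives untouched, with pipe scheduling the egress on EXP and short pipe scheduling it on the customer DSCP. The DSCP-to-EXP mapping and the PHB names per EXP value are assumptions standing in for a real QoS policy.

```python
"""MPLS DiffServ tunnelling modes (uniform, pipe, short pipe) traced through
ingress PE, P and egress PE.  Added example, not NE80E code; the mappings are assumed."""

# Assumed simple-classification mapping (DSCP -> EXP) and the PHB scheduled per EXP value
DSCP_TO_EXP = {46: 5, 34: 4, 26: 3, 18: 2, 10: 1, 0: 0}
EXP_TO_DSCP = {exp: dscp for dscp, exp in DSCP_TO_EXP.items()}
EXP_PHB = {5: "EF", 4: "AF4", 3: "AF3", 2: "AF2", 1: "AF1", 0: "BE"}


def classify(dscp):
    """Simple traffic classification on the ingress PE; unmapped DSCPs go best effort."""
    return DSCP_TO_EXP.get(dscp, 0)


def ingress_pe(pkt, mode, provider_exp):
    """Push the label stack and mark EXP. uniform: copy the customer's marking
    (EXP derived from DSCP); pipe and short pipe: the provider's policy sets EXP,
    so a customer cannot obtain a better class merely by marking DSCP 46."""
    exp = classify(pkt["dscp"]) if mode == "uniform" else provider_exp
    return dict(pkt, exp=exp)   # inner VPN label and outer tunnel label carry this EXP


def p_router(pkt, remark_exp=None):
    """A transit P router sees only the label stack: it schedules on EXP and may
    re-mark it, for example when policing. Returns (packet, PHB applied)."""
    if remark_exp is not None:
        pkt = dict(pkt, exp=remark_exp)
    return pkt, EXP_PHB[pkt["exp"]]


def egress_pe(pkt, mode):
    """Pop the labels. uniform: EXP rewrites DSCP; pipe: schedule on EXP but keep
    DSCP; short pipe: schedule on the customer's DSCP and keep it."""
    pkt = dict(pkt)
    exp = pkt.pop("exp")
    if mode == "uniform":
        pkt["dscp"] = EXP_TO_DSCP[exp]
        phb = EXP_PHB[exp]
    elif mode == "pipe":
        phb = EXP_PHB[exp]
    elif mode == "short-pipe":
        phb = EXP_PHB[classify(pkt["dscp"])]
    else:
        raise ValueError("unknown tunnel mode %r" % mode)
    return pkt, phb


def trace(mode, dscp=46, provider_exp=1, p_remark=0):
    """Constructed case: the customer marks EF (DSCP 46); the provider sold this VPN
    AF1 (EXP 1); a P router re-marks to EXP 0 under congestion (None = no re-mark).
    Returns (DSCP delivered to the CE, PHB applied at the egress)."""
    pkt = ingress_pe({"dscp": dscp, "payload": "constructed"}, mode, provider_exp)
    pkt, _ = p_router(pkt, remark_exp=p_remark)
    pkt, phb = egress_pe(pkt, mode)
    return pkt["dscp"], phb
```

Pipe and short pipe are the modes in which the customer's DSCP is treated as untrusted input: the provider's queues are driven by the EXP it set itself, and the customer's marking is carried through as opaque data.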
With MPLS TE, the PE router at the network side performs queue scheduling per VPN, guarantees the bandwidth with which each VPN's services enter the TE tunnel, and guarantees the total bandwidth of the TE tunnel; the P routers guarantee the bandwidth of the TE tunnel. The ingress nodes do not differentiate the priority levels of the services inside a TE tunnel, so services of different priority levels have to be allocated to different VPNs during network planning.
[Figure: backbone network with PE1, PE2 and PE3 connecting VPNA site 1 and VPNA site 3.]
[Figure: backbone network with PE1 and PE3 connecting VPNA site 1 and VPNA site 2; VPNA carries three types of services, with the QoS of each service guaranteed within the same VPN.]
IPTN has the following characteristics:
- It coexists with the current IP network and does not affect traditional services that have no QoS guarantee.
- It carries traditional telecommunication services and supports more service types.
- It applies for resources before a connection is set up, guarantees the quality of service for the duration of the connection, and releases the resources when the connection is torn down.
- Its network structure consists of three layers: the logical bearer layer, the bearer control layer and the service control layer.
- Its bearer layer is based on MPLS, which separates the resources of IPTN services from those of Internet services.
Figure 5-43 shows the basic structure of IPTN.
Figure 5-43 Basic structure of IPTN
[Figure: a service control layer (Soft Switch, VOD server, MCU) above a bearer control layer of resource managers (RM1, RM3) above the bearer network.]
Service control layer: consists of the service control platforms that process users' service requests. According to a user request, it decides the parameters required for the service and generates a QoS request to the bearer control layer to apply for the service path. The service control platform can be the Soft Switch, the VOD controller, or the MCU control platform for video conferencing; it may be provided by the carrier or by an ICP or ISP customer of the carrier. The platforms differ by service, but all use the same message format toward the bearer control layer.
Bearer control layer: manages the network topology and resources of an area through a resource manager (RM). When the RM receives a resource request from a service server, it decides whether to accept the request according to the topology and resource usage of the area. It also manages and maintains the topology and resources of the logical bearer layer, and sets up end-to-end bearer paths for the QoS requests received from the service control layer. In the IP backbone network the bearer paths are expressed as MPLS label stacks.
Basic network layer: also called bearer layer. It consists of the logical bearer network and the basic physical network. It is composed of routers that forward data. It keeps the structure and the underlying physical layer of the current networks but is divided into two logical bearer layers: IPTN and Internet. IPTN is used to bear carrier-class services with end-to-end QoS; Internet is used to bear traditional Internet services.
- Traffic classification
- Traffic policing
- Traffic shaping
- Queue management and queue scheduling
The NE80E can implement all six groups of PHB: EF, AF1 to AF4, and BE. With the NE80E, network operators can provide users with differentiated QoS guarantees and make the Internet an integrated network that carries data, voice, and video services simultaneously. Figure 5-44 shows the hierarchical QoS of the NE80E.
Figure 5-44 Multi-level scheduling of QoS
[Figure: inbound interface (receive packets; classify packets; policy (CAR); congestion avoidance (RED, WRED, SARED); priority marking); VOQ switch (prevents head-of-line blocking; multicast switch); outbound interface (forward packets; priority scheduling (PQ, CQ, WFQ, LLS, NLS, CBWFQ); traffic shaping (PBS))]
- Physical interfaces and sub-interfaces
- Logical interfaces, including VLANIF, RINGIF, and trunk interfaces
- Classifications based on the source MAC address prefix, the destination MAC address prefix, the protocol number carried over the link layer, and the precedence of the tagged packet
- Classifications based on the IP precedence/DSCP/ToS value of the IPv4 packet, the source IP address prefix, the destination IP address prefix, the protocol number carried in the IP packet, the fragmentation flag, the TCP SYN flag, the TCP/UDP source port number or range, and the TCP/UDP destination port number or range
- Physical interfaces
- Logical interfaces, including sub-interfaces, ring-if and trunk interfaces
Tokens are put into the TB at the rate preset by the user. The capacity of the TB is also preset by the user. When the number of tokens reaches the capacity of the TB, the number does not increase any more. On arrival, packets are classified according to information such as the IP precedence, source address, or destination address. The packets that conform to the preset feature go into the TB for further processing. If the TB has enough tokens for sending a packet, the packet is forwarded and the number of tokens is reduced by the packet length. If the TB contains insufficient tokens or is empty, the packets that are not assigned tokens, or not assigned enough tokens, are discarded; alternatively, their IP precedence, DSCP, or EXP values are re-marked and the packets are forwarded. In either case, the number of tokens in the TB remains unchanged.
The preceding process shows that the CAR technology enables a router to control traffic and to mark or re-mark packets. Limiting the traffic rate is the main function of CAR. With the CAR technology, a TB is used to measure the data traffic that flows through the interfaces of a router, so that in a specified time only the packets that are assigned tokens pass through the router. In this way, the traffic rate is limited. CAR limits the maximum traffic rates of both incoming packets at the ingress and outgoing packets at the egress. Meanwhile, the rate of certain types of traffic can be controlled according to characteristics such as the IP address, port number, and precedence. Traffic that does not conform to the preset conditions is not rate-limited; such traffic is forwarded at its original rate. The CAR technology is used at the network edge to ensure that the core devices can process data normally.
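The token bucket process above, as an added Python example that is not part of the Huawei document: a single-bucket CAR policer that classifies by source prefix, forwards conforming packets (reducing the tokens by the packet length), and drops or re-marks the rest without touching the bucket. The prefix, rates, timestamps and packets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class Packet:
    src: str         # source IPv4 address
    length: int      # packet length in bytes
    precedence: int  # IP precedence (0-7) carried in the packet


@dataclass
class TokenBucket:
    """Token bucket (TB) as used by CAR: tokens are added at `rate` bytes per
    second and the bucket never holds more than `capacity` bytes."""
    rate: float     # preset token rate (bytes/s), i.e. the committed rate
    capacity: int   # preset bucket capacity (bytes), i.e. the allowed burst
    tokens: float = field(init=False)
    last_ts: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.capacity)  # the bucket starts full

    def refill(self, now: float) -> None:
        # Tokens arrive at the preset rate; once the bucket is full the
        # count does not increase any more.
        elapsed = max(0.0, now - self.last_ts)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.rate)
        self.last_ts = now

    def take(self, nbytes: int, now: float) -> bool:
        """Remove `nbytes` tokens if enough are available and return True;
        otherwise return False and leave the token count unchanged."""
        self.refill(now)
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class CarPolicer:
    """CAR on one interface: packets whose source falls in `match_prefix` are
    metered by the bucket; non-matching traffic is forwarded at its own rate."""

    def __init__(self, match_prefix: str, rate: float, capacity: int,
                 exceed_action: str = "drop", remark_precedence: int = 0) -> None:
        if exceed_action not in ("drop", "remark"):
            raise ValueError("exceed_action must be 'drop' or 'remark'")
        self.match_net = ipaddress.ip_network(match_prefix)
        self.bucket = TokenBucket(rate=rate, capacity=capacity)
        self.exceed_action = exceed_action
        self.remark_precedence = remark_precedence

    def police(self, pkt: Packet, now: float) -> tuple[str, Packet]:
        """Return (action, packet); action is 'forward', 'drop' or 'remark'."""
        # Classification: only packets with the preset feature enter the TB.
        if ipaddress.ip_address(pkt.src) not in self.match_net:
            return "forward", pkt
        if self.bucket.take(pkt.length, now):
            return "forward", pkt          # tokens reduced by the packet length
        if self.exceed_action == "remark":
            # Re-mark the precedence and still forward; the bucket is untouched.
            return "remark", replace(pkt, precedence=self.remark_precedence)
        return "drop", pkt


def run_sample() -> list[str]:
    """Constructed trace: 1000 B/s committed rate, 1500-byte bucket, policing
    only sources in 10.0.0.0/8 and re-marking excess traffic to precedence 0."""
    car = CarPolicer("10.0.0.0/8", rate=1000.0, capacity=1500,
                     exceed_action="remark", remark_precedence=0)
    trace = [  # (arrival time in seconds, packet)
        (0.0, Packet("10.0.0.1", 1000, 5)),     # bucket 1500 -> 500
        (0.0, Packet("10.0.0.1", 1000, 5)),     # only 500 tokens: re-marked
        (0.0, Packet("192.168.1.1", 1000, 5)),  # not classified: never limited
        (0.2, Packet("10.0.0.1", 600, 5)),      # 500 + 200 refilled >= 600
        (2.0, Packet("10.0.0.1", 1500, 5)),     # refill capped at the 1500 capacity
        (2.0, Packet("10.0.0.1", 64, 5)),       # bucket empty: re-marked
    ]
    return [car.police(pkt, t)[0] for t, pkt in trace]


if __name__ == "__main__":
    print(run_sample())  # ['forward', 'remark', 'forward', 'forward', 'forward', 'remark']
```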
Congestion management provides means to manage and control traffic when traffic congestion occurs. The queue scheduling technology is used to handle traffic congestion. Packets sent from one interface are placed into multiple queues that are identified with different priorities. Packets are then sent according to the priorities. A proper queue scheduling mechanism can provide packets of different types with reasonable QoS features such as bandwidth, latency, and jitter. The queue here refers to the outgoing packet queue. Packets are buffered into queues before the interface is able to send them. Therefore, the queue scheduling mechanism works only when an outbound interface is congested. The queue scheduling mechanism can re-arrange the order of packets, except those in First In First Out (FIFO) queues. Commonly used queue scheduling mechanisms are:
The NE80E supports FIFO, PQ, and WFQ to realize the queue scheduling on the interface.
The congestion control mechanism can be configured on each port based on the priority of the queue. The NE80E uses a microsecond-level timer to trace the occupation of the shared memory with the first-order weighted iteration method. Consequently, the NE80E can sense the congestion in a timely manner and avoid network flapping. It drops the packets of different drop preferences at different probabilities within the same traffic stream. This can effectively avoid and control network congestion.
5.7.7 HQoS
Hierarchical QoS (HQoS) is a kind of QoS technology that can control user traffic and schedule service queues according to the priority level. The HQoS of the NE80E has the following functions:
The system provides abundant services with the five-level QoS scheduling mechanism. The system supports PQ and Confirmed Bandwidth Priority Queue (CBPQ). PQ is based on absolute priority levels: after you configure PQ, once the network is congested, the packets with the highest priority level are permitted and the packets with lower priority levels are discarded. PQ cannot guarantee bandwidth for packets of all priority levels. CBPQ is based on bandwidth guarantee; CBPQ makes full use of bandwidth resources while guaranteeing bandwidth.
- The system supports the configuration of the parameters of a queue, such as the maximum queue length, WRED, low delay, SP/WRR weight, committed burst size (CBS), PBS, and statistics enabling.
- The system supports the configuration of parameters such as the CIR, PIR, number of queues, and scheduling algorithms between queues for each user.
- The system supports traffic statistics. It enables carriers to view the bandwidth usage of each service. Users can thus analyze traffic and properly allocate bandwidth for services.
- The system supports the HQoS of VPLS, L3VPN, VLL, and TE.
5.7.8 QPPB
QoS policy propagation through the Border Gateway Protocol (QPPB) is a kind of technology to propagate the QoS policy through BGP. On the BGP receiver, you can:
- Set QoS parameters for BGP routes, such as IP precedence and traffic behavior, based on the attributes of the route.
- Set the receiver to classify traffic based on the QoS parameters, and set a QoS policy for the classified traffic.
- Set the receiver to forward packets based on the QoS policy to realize QPPB.
On the BGP receiver, you can set QoS parameters, such as IP precedence and traffic behavior, according to the following attributes of BGP routes:
- ACL
- AS path list
- Community attribute list
- Route cost
- Address prefix list
In the complex network environment, the policy for route classification needs to be changed from time to time. QPPB can simplify the change of the policy on the BGP receiver. Using QPPB, you can change the routing policy on the BGP receiver by changing that on the BGP sender.
- Ignore the 802.1p value in the inner VLAN tag and set a new 802.1p value in the outer VLAN tag.
- Automatically set the 802.1p value in the inner VLAN tag as the 802.1p value in the outer VLAN tag.
- Set the 802.1p value in the outer VLAN tag according to the 802.1p value in the inner VLAN tag.
As shown in Figure 5-48, QinQ supports 802.1p remark in the following three modes:
- Set a value (Pipe mode).
- Use the 802.1p value in the inner VLAN tag (Uniform mode).
- Map the 802.1p value in the inner VLAN tag to a value in the outer VLAN tag. The values in multiple inner VLAN tags can be mapped to the same value in the outer VLAN tag, but the value in an inner VLAN tag cannot be mapped to different values in multiple outer VLAN tags.
Figure 5-48 Typical networking diagram of 802.1p remark supported by QinQ
[Figure: CE, PE, ISP network; Q-in-Q supports 802.1p remark]
The 1483R protocol is used to encapsulate IP packets to carry out IPoA service. The 1483B protocol is used to encapsulate Ethernet packets to carry out IPoEoA service.
- Set the packet precedence and mark the packet on the upstream ATM interface
ATM physical interfaces, ATM sub-interfaces, ATM PVCs, and ATM PVPs all support forcible traffic classification.
5.7.11 FR QoS
FR has its own QoS that can be configured with PVCs to provide flexible services for customers.
FRTS
Frame Relay Traffic Shaping (FRTS) is used on the outbound interface of the router to limit the rate of packets sent from the VC.
FRTP
Frame Relay Traffic Policing (FRTP) is used on the inbound interface of the router to monitor traffic received from the VC. If the traffic exceeds the specified value, the packets are discarded.
FRTP can be used only on the Data Circuit-terminating Equipment (DCE) interface to monitor traffic from the Data Terminal Equipment (DTE).
FR Congestion Management
The FR packet includes bits used for congestion management:
- Forward Explicit Congestion Notification (FECN): if it is 1, congestion occurs in the forward direction.
- Backward Explicit Congestion Notification (BECN): if it is 1, congestion occurs in the backward direction. If no backward packet is forwarded during a period, the router automatically sends a Q.922A Test Response whose BECN bit is 1 to the DTE.
- Discard Eligibility (DE): it specifies whether the packet may be discarded. If it is 1, the packet is discarded in the case of congestion.
The system judges congestion based on the proportion of the current queue length of the FR interface or of the VC to the total queue length of the interface or the VC. If the proportion exceeds the specified value, congestion is considered to have occurred. Packets whose DE bit is 1 are discarded; for the other packets, the FECN and BECN bits are set to 1. You can set the congestion threshold in the following two ways:
- Set the congestion threshold of the interface in the interface view.
- Set the congestion threshold of the FR VC in the FR class view.
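The congestion judgement and bit marking described above, as an added Python example that is not the router's code: it decodes and re-encodes the two-octet Q.922 address field (DLCI, C/R, FECN, BECN, DE), declares congestion when the interface or VC queue occupancy exceeds its threshold, drops DE=1 frames and otherwise sets FECN on frames travelling in the congested direction and BECN on frames flowing the other way. Queue lengths, thresholds and frames are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class FrAddress:
    """Fields of the two-octet Q.922 address field of a Frame Relay frame."""
    dlci: int
    cr: bool = False    # command/response bit (not used by congestion control)
    fecn: bool = False  # Forward Explicit Congestion Notification
    becn: bool = False  # Backward Explicit Congestion Notification
    de: bool = False    # Discard Eligibility


def parse_fr_address(octets: bytes) -> FrAddress:
    """Decode a two-octet address field (EA bit 0 in the first octet, 1 in the second)."""
    if len(octets) < 2 or (octets[0] & 0x01) or not (octets[1] & 0x01):
        raise ValueError("only the two-octet address format is handled here")
    dlci = ((octets[0] >> 2) << 4) | (octets[1] >> 4)   # 6 high bits + 4 low bits
    return FrAddress(dlci=dlci,
                     cr=bool(octets[0] & 0x02),
                     fecn=bool(octets[1] & 0x08),
                     becn=bool(octets[1] & 0x04),
                     de=bool(octets[1] & 0x02))


def build_fr_address(a: FrAddress) -> bytes:
    """Inverse of parse_fr_address."""
    if not 0 <= a.dlci <= 1023:
        raise ValueError("DLCI out of range for the two-octet format")
    first = (((a.dlci >> 4) & 0x3F) << 2) | (0x02 if a.cr else 0)          # EA = 0
    second = (((a.dlci & 0x0F) << 4) | (0x08 if a.fecn else 0)
              | (0x04 if a.becn else 0) | (0x02 if a.de else 0) | 0x01)      # EA = 1
    return bytes([first, second])


class FrCongestionControl:
    """Congestion is declared when the queue occupancy of the interface or of
    the VC exceeds its configured threshold (percent of the total queue length)."""

    def __init__(self, if_queue_len: int, if_threshold_pct: int,
                 vc_queue_len: int = 0, vc_threshold_pct: int = 100) -> None:
        self.if_queue_len = if_queue_len          # total interface queue length
        self.if_threshold_pct = if_threshold_pct  # set in the interface view
        self.vc_queue_len = vc_queue_len          # total VC queue length (0 = no VC queue)
        self.vc_threshold_pct = vc_threshold_pct  # set in the FR class view

    def is_congested(self, if_used: int, vc_used: int = 0) -> bool:
        if 100 * if_used / self.if_queue_len > self.if_threshold_pct:
            return True
        if self.vc_queue_len and 100 * vc_used / self.vc_queue_len > self.vc_threshold_pct:
            return True
        return False

    def handle(self, address: bytes, backward: bool,
               if_used: int, vc_used: int = 0) -> tuple[str, bytes]:
        """Return ('forward' | 'drop', address octets, possibly re-marked).
        `backward` is True for frames travelling against the congested direction."""
        a = parse_fr_address(address)
        if not self.is_congested(if_used, vc_used):
            return "forward", address
        if a.de:
            return "drop", address   # discard-eligible frames are dropped first
        if backward:
            a.becn = True            # notify the sender on the far side
        else:
            a.fecn = True            # notify the receiver ahead
        return "forward", build_fr_address(a)


if __name__ == "__main__":
    cc = FrCongestionControl(if_queue_len=100, if_threshold_pct=70)
    print(cc.handle(b"\x18\x41", backward=False, if_used=80))  # DLCI 100 gets FECN
```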
FR Queue Management
Normally, an FR interface has a queue while an FR VC has no queue. When the FR interface is enabled with FR traffic shaping, all the VCs on the interface have their own queues and the packets sent on the VC join in the queue first. Figure 5-51 shows the relationship between the VC queue and the interface queue.
- First-In First-Out queue
- Priority queue
- Custom queue
- Weighted fair queue
- Class-based queue
- Real-time Transport Protocol priority queue
- PVC interface priority queue
FR Fragmentation
In the process of transmitting voice with data, a large packet takes up the bandwidth for a long period. As a result, the voice packet may be delayed or discarded and voice quality is degraded. FR fragmentation is used to shorten the delay to ensure the real-time voice. After FR fragmentation configuration, a large data packet is disassembled into fragments and the voice packet and the fragments can be transmitted alternately. In this way, the voice packet can be processed on time and delay is shortened.
- Helping carriers to analyze the traffic model of the network
- Providing reference data for carriers to deploy and maintain DiffServ TE
- Supporting traffic-based accounting for users that are not charged a flat monthly fee
In traffic classification, the system can collect statistics on the traffic that matches rules and fails to match rules.
[Figure: traffic classification statistics: classifier; packets that match rules are passed to filter, CAR, mirror, redirect, re-mark, sample, URPF, or TTL check; the default action for unmatched packets is Pass; statistics are collected]
In traffic policing, the system supports statistics on the following traffic:
- Total traffic that matches the CAR rule
- Traffic that is permitted or discarded by the CAR rule
When the same traffic policy is applied on various interfaces, the CAR traffic statistics in the traffic policy is based on the interface.
- Statistics on the number of forwarded packets, bytes, and discarded packets of the queues of eight priority levels
- Statistics on the number of forwarded packets, bytes, and discarded packets of the user group queue
- Statistics on the number of forwarded packets, bytes, and discarded packets of the eight class queues on an interface
In a VPLS network, the NE80E can collect statistics on incoming and outgoing traffic of the access L2VPN user when it runs as a PE router. In an L3VPN, the NE80E can collect statistics on incoming and outgoing traffic of access users of various types when it runs as a PE router. The access users include:
- Users that access the network through interfaces, including logical interfaces
- Multi-role hosts
- Users that access the network through the VPLS/VLL
5.9 IP Compression
In the NGN bearer network, some carriers lack transmission resources. The RTP/UDP/IP packet header, however, contains about 40 bytes in the IP NGN service. For voice compression algorithms that work well, the voice data in each packet occupies less than 30 bytes. In this case, the packet header is costly and the transmission efficiency is low. The NE80E provides several types of compression algorithms. The transmission efficiency of the network can thus be improved and the lack of transmission resources can be alleviated.
cRTP
The Compressed Real-Time Protocol (cRTP) defined in RFC 2508 can compress the 40-byte RTP header, including the UDP and IP headers, into a header of 2 to 4 bytes. In this manner, the lack of transmission resources is alleviated. In the traditional network, voice over IP is carried over RTP, as shown in Figure 5-55.
Figure 5-55 Format of RTP packets
[Figure: header encapsulation: 8-byte PPP header, 20-byte IP header, 8-byte UDP header, 12-byte RTP header, 15 to 30 bytes of voice data]
In the figure given above, the voice data occupies tens of bytes, while the IP, UDP, and RTP headers contain more than 40 bytes. Within a session, about half of the header bytes, such as the source and destination IP addresses and the source and destination port numbers, remain unchanged. Besides, the length field in the IP/UDP header is unnecessary because the length can be derived from the length of the link layer frame. Although some fields change, they can be differentially coded. After these redundant fields are compressed, only two to four bytes need to be kept (normally two bytes; four bytes when the UDP checksum is carried), as shown in Figure 5-56.
Figure 5-56 Format of cRTP packets
[Figure: header encapsulation: 8-byte PPP header, 2 to 4-byte cRTP header, 15 to 30 bytes of voice data]
compression is thus required so that the transit nodes do not sense the compression. Devices deployed only on the edge nodes of the ISP network can complete the compression. The NE80E supports cRTP over MPLS in the MPLS L3VPN network, as shown in Figure 5-57.
Figure 5-57 cRTP over MPLS
[Figure: PE, PE, FE]
- Advanced security system structure
- Abundant security protocols
- Strict service access control
[Figure: security architecture: routing security, management security, forwarding security; mirroring, NetStream, sinkhole, Layer 2 limit, DHCP snooping]
The following section describes the security features that the NE80E supports.
5.10.1 AAA
The NE80E implements a complete AAA, performing authentication, authorization, and accounting for access users based on policy. AAA supports three types of user authentication:
- Local authentication
- Remote Authentication Dial-In User Service (RADIUS) authentication
- Huawei Terminal Access Controller Access Control System (HWTACACS) authentication
- Direct authorization: in this mode, users are directly authorized to pass through.
- Local authorization: in this mode, local users are authorized according to the configured attributes of the user accounts.
- HWTACACS authorization: in this mode, users are authorized by the HWTACACS server.
- if-authenticated authorization: in this mode, users are authorized to pass through if they pass the authentication and the authentication mode is not "none".
5.10.3 URPF
Unicast Reverse Path Forwarding (URPF) can prevent network attacks based on forged source addresses. When a packet arrives on a URPF-enabled interface of the router, URPF obtains the source address and the inbound interface of the packet. URPF then takes the source address as a destination address, looks up the interface through which that destination would be reached, and compares it with the actual inbound interface. If they do not match, URPF considers the source address forged and discards the packet. URPF is applicable to the preceding environment and prevents this kind of network attack.
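The URPF check described above, as an added Python example that is not the NE80E's implementation: a longest-prefix-match lookup on the source address whose outbound interface is compared with the inbound interface (strict mode). A loose mode that only requires some route back to the source, and the exclusion of a default route from the reverse lookup, are included as generalisations. Routes, addresses and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str   # interface the router would use to reach this prefix


class Fib:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, prefix: str, out_iface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), out_iface))

    def lookup(self, addr: str, ignore_default: bool = True) -> Optional[Route]:
        a = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if ignore_default and r.prefix.prefixlen == 0:
                continue   # a /0 route would make every source "reachable"
            if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def urpf_permits(fib: Fib, src: str, in_iface: str, mode: str = "strict",
                 ignore_default: bool = True) -> bool:
    """Decide whether a packet with source `src` received on `in_iface` passes URPF.

    strict: the route back to the source must leave through the inbound interface.
    loose:  any route back to the source is enough (added generalisation).
    The default route is ignored unless ignore_default is False, otherwise the
    check would accept every source address."""
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = fib.lookup(src, ignore_default)   # source address used as destination
    if route is None:
        return False      # no path back to the source: treated as forged
    if mode == "loose":
        return True
    return route.out_iface == in_iface


if __name__ == "__main__":
    fib = Fib()
    fib.add("10.1.0.0/16", "GE1/0/0")
    fib.add("10.1.2.0/24", "GE2/0/0")
    fib.add("0.0.0.0/0", "GE3/0/0")
    # 10.1.2.5 is reached via GE2/0/0, so a packet claiming it on GE1/0/0 fails strict URPF
    print(urpf_permits(fib, "10.1.2.5", "GE1/0/0"))   # False
```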
- Limit on the number of MAC addresses that can be learned
- Limit on the speed of MAC address learning
- Limit on interface-based MAC address learning
- Limit on MAC address learning based on VLAN+port
- Limit on MAC address learning based on port+VSI
- Limit on MAC address learning based on QinQ
Limiting MAC address learning can be applied in network environments with fixed access users and weak security, such as community access or an intranet without security management. When the number of MAC addresses learned by an interface exceeds the configured threshold, the MAC address of a new access user is not learned. The traffic of this user is thus broadcast at a restricted transmission rate.
- Deletion of MAC address entries based on port+VSI
- Deletion of MAC address entries based on port+VLAN
- Deletion of MAC address entries based on the trunk interface
- Deletion of MAC address entries based on the outbound QinQ interface
- Manages users' traffic.
- Allocates bandwidth to users.
- Limits unknown unicast, multicast, and broadcast traffic.
In this way, the network bandwidth is efficiently used and network security is guaranteed.
CP-CAR
The NE80E provides the following types of CP-CAR:
- CP-CAR: the NE80E classifies the packets sent to the CPU and allows users to set the average rate, the peak rate, and the priority level. By binding various classes of packets to different CAR actions and reducing the interaction between packet classes, you can set the rate of sending packets to protect the CPU.
- CP-TOTAL-CAR: the NE80E supports a queue scheduling algorithm to limit the total rate of the redundant packets sent to the CPU.
- Extended CAR: CP-CAR works with ACLs to realize the extended CAR function. The extended CAR is used for manual anti-attack measures when unknown attacks emerge in the network.
- Smallest packet compensation: the NE80E supports the smallest packet compensation function of CP-CAR. After receiving the packets sent to the CPU, the system measures the packet length. When the packet length is smaller than the preset minimum packet length, the system calculates the sending rate with the preset minimum length; when the packet length is greater than the preset minimum packet length, the system calculates the sending rate with the actual packet length. This function defends the network against attacks with small packets.
Application-Layer Cooperation
The system dynamically detects the enabled application-layer information. When the application-layer services are started, the system receives the packets of the application-layer services; when the application-layer services are closed, the system discards the packets of the services.
- White list: the NE80E protects session-based application-layer data, such as BGP session data, with the white list function. Data that matches the white list is sent to the CPU with priority. This function ensures that existing services are not interrupted in the case of attacks. The white list function also supports the Generalized TTL Security Mechanism (GTSM).
- Black list: with the black list function, the NE80E discards specific invalid data, such as data with a TCP or UDP port number that the system does not care about. The system filters out the invalid data with the black list. In this manner, the traffic volume between the forwarding engine and the CPU is reduced, preventing the invalid data from attacking the system.
5.10.8 GTSM
Currently, some attackers on the network forge valid-looking packets to attack a router. As a result, the finite resources of the router, such as the CPU on the MPU, are heavily loaded and consumed. For example, an attacker continuously sends forged BGP protocol packets to a router. After the LPU of the router receives the packets destined for the local host, the LPU sends them to the BGP processing module of the CPU on the MPU without checking their validity. As a result, the MPU of the router is abnormally busy processing these forged packets and the CPU utilization rate is high. To avoid the preceding attack, the NE80E provides the GTSM. The GTSM protects services of the upper layer over the IP layer by checking whether the TTL value in the IP header is within the specified range. In practice, the GTSM is used to protect the TCP/IP-based control layer, such as the routing protocols, from this type of CPU-utilization attack. The NE80E supports the following types of GTSM:
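The white list, black list and GTSM checks described in this and the previous section, as one added Python example that is not the NE80E's implementation: packets punted to the CPU are dropped if they hit a black-listed port or fail the GTSM TTL range check for a configured peer, sent ahead as white-listed session data if they belong to a known session, and otherwise handed to CP-CAR. The TTL range follows the GTSM rule that a neighbour sends with TTL 255 and a packet is valid if its TTL is at least 255 minus the allowed hop count plus one. Peers, sessions, ports and packets are constructed sample values.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class CpPacket:
    """Packet destined to the local CPU (constructed sample fields only)."""
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int
    ttl: int


@dataclass(frozen=True)
class GtsmPeer:
    addr: str
    max_hops: int   # hops the peer may be away; 1 means directly connected


class ControlPlaneGuard:
    """Order of checks for traffic punted to the CPU:
    black list -> GTSM TTL range -> white list (known sessions) -> CP-CAR."""

    GTSM_TTL_INITIAL = 255  # a GTSM-aware neighbour always sends with TTL 255

    def __init__(self, blacklist_ports: Iterable[tuple[str, int]],
                 sessions: Iterable[tuple[str, str, str, int, int]],
                 gtsm_peers: Iterable[GtsmPeer]) -> None:
        # blacklist entries: (proto, local port) the system does not care about
        self.blacklist = set(blacklist_ports)
        # session entries: (local addr, remote addr, proto, local port, remote port)
        self.sessions = set(sessions)
        self.gtsm_peers = {p.addr: p for p in gtsm_peers}

    def gtsm_ok(self, pkt: CpPacket) -> bool:
        peer = self.gtsm_peers.get(pkt.src)
        if peer is None:
            return True   # GTSM not configured for this source; other checks apply
        lowest_valid_ttl = self.GTSM_TTL_INITIAL - peer.max_hops + 1
        return pkt.ttl >= lowest_valid_ttl

    def classify(self, pkt: CpPacket) -> str:
        if (pkt.proto, pkt.dport) in self.blacklist:
            return "drop-blacklist"      # filtered before reaching the CPU
        if not self.gtsm_ok(pkt):
            return "drop-gtsm"           # TTL outside the range a real peer can produce
        key = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if key in self.sessions:
            return "cpu-whitelist"       # established session data goes first
        return "cpu-car"                 # everything else is rate-limited by CP-CAR


if __name__ == "__main__":
    guard = ControlPlaneGuard(
        blacklist_ports={("udp", 1900)},
        sessions={("10.0.0.1", "192.0.2.1", "tcp", 179, 40000)},  # one BGP session
        gtsm_peers=[GtsmPeer("192.0.2.1", max_hops=1)],
    )
    # A forged BGP packet from the peer's address that crossed one router has TTL 254
    print(guard.classify(CpPacket("192.0.2.1", "10.0.0.1", "tcp", 40000, 179, 254)))  # drop-gtsm
```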
- Space-based attacks: the attacker exploits the finite ARP buffer of a router. The attacker sends a large number of forged ARP request and response messages to the router. As a result, the ARP buffer overflows and normal ARP entries cannot be buffered. Normal forwarding is thus interrupted.
- Time-based attacks: the attacker exploits the finite processing capability of a router. The attacker sends a large number of forged ARP requests, responses, or other packets that trigger the router to perform ARP processing. As a result, the computation resources of the router are busy with ARP processing for a long period and other services cannot be processed. Normal forwarding is thus interrupted.
the interface. In this manner, other interfaces of the board or the whole system are not affected.
Timestamp-based Scanning-proof
The timestamp-based scanning-proof function can identify the scanning attack on time and suppress the processing of requests generated by the scanning when a scanning attack occurs, regardless of whether it is an ARP scanning attack or IP scanning attack. In this way, the CPU is kept away from attacks.
5.10.10 Mirroring
Mirroring indicates that the system sends a copy of the packet on the current node to a specific packet analysis equipment from an observing port without interrupting services. There are two kinds of mirroring:
- Port mirroring: requires that the system copy the received or to-be-sent packets on a port and send the copies to the specified port.
- Traffic mirroring: combines port mirroring with traffic classification to copy the packets that meet the requirements. In this way, the system can filter the packets to control packet analysis and improve its efficiency.
- It supports upstream or downstream port mirroring and flow mirroring.
- It supports an observing port on an LPU. The whole system supports 16 observing ports.
- It supports independent mirroring for the packets that are sent to the CPU from a certain interface or LPU.
5.10.11 NetStream
The Internet is developing rapidly. While this provides more bandwidth resources, it also requires finer-grained network monitoring and management, so a technology that meets these demands is urgently needed. NetStream is a technology based on network traffic statistics. It collects statistics on traffic flows and resource usage in the network, and monitors and manages the network based on the types of services and resources. NetStream provides the following functions:
- Accounting: NetStream provides detailed statistics for resource-occupation-based (such as links, bandwidth, and time periods) accounting. Statistics such as IP addresses, number of packets and bytes, transmission time, ToS fields, and application types are collected. Based on the collected statistics, the ISP can charge users flexibly based on time periods, bandwidth, application, or QoS; enterprises can count their expenses or distribute costs to make better use of resources.
- Network planning and analysis: NetStream provides key information for advanced network management tools to optimize the network design and planning, so that the best network performance and reliability are achieved at the minimum network operation cost.
- Network monitoring: NetStream realizes real-time network monitoring. Remote monitoring (RMON), RMON-2, and flow-based analysis technology visually display the flow pattern on a single router or on routers across the network. This provides a basis for fault pre-detection and effective fault rectification.
- Application monitoring and analysis: NetStream provides detailed application statistics about the network. For example, the network administrator can view the proportion of network traffic taken by each application, such as Web, the File Transfer Protocol (FTP), Telnet, and other TCP/IP applications. Based on these application statistics, the ISP can properly plan and allocate network application resources to meet users' requirements.
- Abnormal traffic detection: NetStream detects abnormal traffic, such as network attack traffic of various types, in real time. NetStream helps ensure network security by means of NMS alarms and cooperation with other devices.
Figure 5-59 shows the relationships between the NetStream devices.
Figure 5-59 NetStream devices
[Figure: RouterA, NSC]
The NetStream Data Exporter (NDE) samples packets and exports the information to the NSC. The NetStream Collector (NSC) is responsible for analyzing and collecting the statistics data from the NDE. The NetStream Data Analyzer (NDA) analyzes the statistics data and then provides the basis for various services, such as network accounting, network planning, network monitoring, application monitoring, and analysis. The NE80E can run as an NDE to sample packets, aggregate flows, and output flows. According to the position of sampling packets and processing flows, NetStream on the NE80E is classified into independent NetStream and integrated NetStream. Integrated NetStream supports load balancing among multiple NetStream boards.
- Independent NetStream: an LPU can sample packets, aggregate flows, and output flows independently.
- Integrated NetStream: some LPUs do not support independent NetStream. They only sample packets and then send the sampled packets to the NetStream SPU for integrated processing of flow aggregation and output.
The NE80E provides the following functions from the aspect of sampling:
- Supports sampling in the inbound and outbound directions. Some boards support sampling on the inbound interface.
- Supports interface-based sampling and traffic-classification-based sampling.
- Supports sampling of IPv4 unicast/multicast packets, fragmented packets, MPLS packets, and MPLS L3VPN packets.
- Supports regular packet sampling, random packet sampling, regular time sampling, and random time sampling.
- Supports sampling on various physical and logical interfaces such as POS interfaces, Ethernet interfaces, VLAN sub-interfaces, serial/MP/FR PVC/FR MP interfaces provided by CPOS interfaces, ATM interfaces, FR interfaces, RPR interfaces, trunk interfaces, VLANIF interfaces, and GRE interfaces.
The NE80E provides the following functions from the aspect of aggregation and output:
- IPv4 supports ten aggregation modes: as, as-tos, protocol-port, protocol-port-tos, source-prefix, source-prefix-tos, destination-prefix, destination-prefix-tos, prefix, and prefix-tos.
- Supports aggregation of MPLS packets based on three layers of labels.
- Outputs the generated statistics in v5, v8, and v9 formats.
[Figure: reliability features: device reliability, link reliability, network reliability; backup, interface backup, inter-board Ethernet OAM port binding, active/standby power modules, RPR interface backup, NSF, Graceful Restart, BFD, FRR, routing optimization; users]
The MPU of the NE80E supports hot backup. If the device is configured with two MPUs for backup, the master MPU works in the active state and the slave MPU is in the standby state. In addition, users cannot access the management interface of the slave MPU or configure commands on its Console port or AUX port. The slave MPU exchanges information (including heartbeat messages and data backup) only with the master MPU. The system supports active/standby switchover in two ways: automatic switchover and forcible switchover. The automatic switchover may be triggered by serious faults or by resetting of the master MPU. The forcible switchover is triggered with commands. You can also forcibly prohibit the active/standby switchover of the MPU through the related command. The NE80E supports backup of the management bus and 1+1 backup for the power module. The LPU, the power module, and the fan module are hot swappable. These designs enable the system to recover or respond quickly when a severe abnormality is detected on the device or the network, thereby improving the Mean Time Between Failures (MTBF) and minimizing the impact of unreliable factors on normal service.
The NE80E supports the Virtual Router Redundancy Protocol (VRRP) on the Ethernet interface. With the extended VRRP, the NE80E enables two interfaces on one router or on different routers to back up each other, thus ensuring high reliability of the interfaces. On the NE80E, the Eth-Trunk and the IP-Trunk support inside backup and outside backup for member interfaces. The NE80E supports inter-board trunk bundling. Users can access different LPUs over double links for inter-board bundling. This ensures the high reliability of services. The NE80E realizes the inter-board bundling by the high-performance engine and forwards packets in load balancing mode at the line rate over multiple links. The Hash algorithm based on the source and destination IP addresses carries out even load balancing to forward traffic over links. Seamless switchover is performed in the case of a link failure, without interrupting services.
The NE80E also provides backup of RPR-based interfaces through the RPR protocol and RPR networking technologies.
The backup function allows the router to monitor and back up the running status of the interface when bearing LAN, MAN or WAN services. In this case, the status change of the interface that is backed up will not affect the routing table and the service at the interface can be restored quickly.
The alarm types supported include AUAIS, LAIS, LOF, LOM, LOP, LOS, LRDI, LREI, OOF, PAIS, PRDI, PREI, PSLM, RDOOL, RROOL, SDBERE, SFBERE, TROOL, and B3TCA. The NE80E supports threshold setting for the SD, SF, and B3 errors. With the customized alarm damping function, the interface senses only the customized alarms, and only those alarms trigger a change of the interface status. Alarm damping suppresses continuous flapping of the customized alarms: it prevents the interface status from changing with every frequent alarm change, which would otherwise cause routes to be refreshed frequently.
With the fault management mechanism, the NE80E can detect the network connectivity by sending the detection OAM packets periodically or through manual triggering. This mechanism is similar to the Bidirectional Forwarding Detection (BFD). The NE80E can also locate faults of Ethernet by using means similar to the ping and tracert tools on IP networks. The NE80E triggers protection switchover in less than 50 ms. Performance management is used to measure the packet loss ratio, delay, and jitter during the transmission of packets. It also collects statistics on various kinds of traffic such as the number of transmitted bytes and the number of errored packets.
- Capability discovery
- Link performance monitoring
- Fault detection and alarm
- Loop test
The PDUs of IEEE 802.3ah OAM are transmitted by a slow protocol. Fault detection messages are sent every one second. Conforming to IEEE 802.3ah, the NE80E supports point-to-point Ethernet fault management. It can detect faults in the last mile of the direct link at the user side of the Ethernet. By now, the NE80E supports the following functions defined in IEEE 802.3ah:
- Automatic neighbor discovery
- Link fault monitoring
- Remote fault notification
- Remote loopback configuration
Hierarchical MD
The NE80E realizes end-to-end fault management for Ethernet either in conformance with IEEE 802.1ag or independently of it. IEEE 802.1ag is used to test end-to-end Ethernet connectivity and locate faults. It provides different levels of maintenance domains: OAM messages with a lower level are not forwarded into a maintenance domain with a higher level, which guarantees the security and maintainability of networks. According to IEEE 802.1ag, the network that bears the Ethernet OAM mechanism is divided into Maintenance Domains (MDs). An MD is an interconnected Ethernet network maintained by the same administrator. Multiple Service Instances (SIs) can be applied in an MD; an SI corresponds to a VLAN and consists of multiple devices. A border port in an SI is called a Maintenance association End Point (MEP); all the other ports are called Maintenance association Internal Points (MIPs). MIPs connect different MEPs. MEPs and MIPs are collectively called Maintenance Points (MPs). All the MEPs in an SI form a Maintenance Association (MA), within which fault detection is carried out. Part of the network in an MD may be maintained by another administrator, that is, MDs may be nested. The MD level differentiates the levels of OAM that can be carried out in an MA and is carried in the OAM message; an OAM message with a lower level is discarded at a higher-level MP.
End-to-end fault detection and location
ISPs and Internet Content Providers (ICPs) increasingly use fault detection to guarantee QoS and reduce maintenance expense. Fault detection is realized by sending and checking Continuity Check (CC) messages at a scheduled interval. The NE80E supports MAC ping and MAC trace, which use the Loop Back (LB) and Link Trace (LT) packets defined in IEEE 802.1ag to locate faults.
MAC ping
MAC ping, realized by the LB message, tests whether a device on the network is reachable and acquires the network status and the delay parameter. To carry out MAC ping between any two devices on the network, the NE80E requires that:
- The originating point is a MEP.
- The two points are MPs belonging to the same MA.
- The two points are reachable.
MAC trace
MAC trace, realized by the LT message, tests the transmission path of messages and locates the link break point between two devices. The requirements for MAC ping also apply to MAC trace.
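The MD-level rule and the MAC ping preconditions from the two passages above, as an added Python model (example code for this page, not NE80E or IEEE reference code; the point names, MD levels, MA names and the small topology are constructed assumptions). `handle_oam` applies the page's rule that a lower-level message is discarded at a higher-level MP, and `mac_ping_problems` reports which of the three MAC ping requirements a request violates:

```python
from collections import deque
from dataclasses import dataclass

# Constructed model of IEEE 802.1ag maintenance points, the MD-level rule and
# the MAC ping preconditions described above. Not NE80E code; names,
# levels and the topology are assumptions.


@dataclass(frozen=True)
class MP:
    name: str
    kind: str          # "MEP" (border port) or "MIP" (internal port)
    ma: str            # maintenance association the point belongs to
    level: int         # MD level of the domain this point serves (0..7)


@dataclass(frozen=True)
class OAMMessage:
    opcode: str        # "CCM", "LBM" (MAC ping) or "LTM" (MAC trace)
    level: int         # MD level carried in the message
    src: str
    dst: str


def handle_oam(mp, msg):
    """Apply the MD-level rule at one maintenance point.

    Lower-level messages are discarded so that a customer domain's OAM never
    leaks into the provider domain; equal-level messages belong to this MP and
    are processed; higher-level messages pass through transparently.
    """
    if msg.level < mp.level:
        return "discard"
    if msg.level == mp.level:
        return "process"
    return "forward"


class Network:
    def __init__(self, points, links):
        self.points = {p.name: p for p in points}
        self.adj = {p.name: set() for p in points}
        for a, b in links:                 # links are undirected
            self.adj[a].add(b)
            self.adj[b].add(a)

    def reachable(self, src, dst):
        """Breadth-first search over the links between maintenance points."""
        seen, queue = {src}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                return True
            for nxt in self.adj[cur] - seen:
                seen.add(nxt)
                queue.append(nxt)
        return False

    def mac_ping_problems(self, src, dst):
        """Return the violated preconditions (an empty list means MAC ping may run)."""
        s, d = self.points[src], self.points[dst]
        problems = []
        if s.kind != "MEP":
            problems.append("originating point must be a MEP")
        if s.ma != d.ma:
            problems.append("both points must belong to the same MA")
        if not self.reachable(src, dst):
            problems.append("destination is not reachable")
        return problems
```

The level check runs before anything else on purpose: a device that processed or forwarded a customer-level CCM inside the provider domain would let one administrator's probes influence another's maintenance association, which is exactly what the nested-MD design prevents.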
5.11.5 VRRP
The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. VRRP realizes route selection among multiple egress gateways by separating physical devices from logical devices. VRRP is applicable to a LAN that supports multicast or broadcast, such as Ethernet. VRRP uses logical gateways to ensure high availability of transmission links. This avoids service interruption resulting from a gateway device failure, without changing the configuration of routing protocols. VRRP combines a group of routers in a LAN into a backup group that functions as a virtual router. Hosts in the LAN know only the IP address of this virtual router rather than that of a specific router in the backup group. Hosts set the IP address of the virtual router as their own default next-hop address and thus access other networks through the virtual router. In the backup group, only one router is active and called the master router; the other routers are in backup state with different priorities and called backup routers. Figure 5-62 shows the typical networking diagram of VRRP.
Figure 5-62 Typical networking diagram of VRRP (as extracted: internal network 10.100.10.0/24 with hosts 10.100.10.2/24, 10.100.10.3/24 and 10.100.10.4/24 (PC and server); backup group of master RouterA, backup RouterB and backup RouterC sharing virtual IP address 10.100.10.1/24; the backup group connects the internal network to the Internet)
VRRP dynamically associates the virtual router with a physical router that undertakes transmission services. VRRP can select a new router to take over the transmission when the physical router fails. The entire process is transparent to users, and realizes non-blocking communication between the internal network and the external network.
5.11.6 VGMP
Some applications require a session's forward and return traffic to take the same path; that is, the packets of the same session must pass through the same devices. Here VRRP has a limitation: after an active/standby switchover, the forward and return paths of a session are not guaranteed to be the same. To avoid this problem, Huawei developed the VRRP Group Management Protocol (VGMP) on the basis of VRRP. A VRRP management group set up with VGMP uniformly manages the VRRP backup groups that join it, so that on one router the interfaces belonging to different VRRP backup groups become active or standby simultaneously and the router's VRRP statuses stay consistent. Configure VGMP in the following scenarios:
- The system is configured with a large number of VRRP backup groups. The system processes VRRP protocol packets on the MPU. A large number of VRRP backup groups may generate many VRRP protocol packets. These protocol packets compete with other protocol packets for CPU resources and for the channel and bandwidth of inter-board communication, and the system becomes overloaded. When you configure a VRRP management group to uniformly manage the VRRP backup groups, the managed backup groups do not send protocol packets independently, which reduces the occupancy of system resources.
- The router has the functions of a firewall, NAT gateway, or proxy server. These functions require a session's forward and return traffic to take the same path. Configuring a VRRP management group to uniformly manage the VRRP backup groups keeps the status of the VRRP backup groups consistent.
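The VRRP election of 5.11.5 and the path-consistency problem that 5.11.6 describes, as one added Python simulation (example code for this page, not NE80E software; router names, priorities, the second virtual address and the way the management group scores routers are constructed assumptions, 10.100.10.1 is the virtual address from Figure 5-62). With plain VRRP, one interface failure on RouterA moves only the downlink group to RouterB, so a session's forward and return packets cross different devices; with the management group, the whole router goes standby and both groups follow:

```python
# Constructed simulation of VRRP master election and of a VGMP-style
# management group that keeps several VRRP backup groups on one router in
# the same state. Not NE80E code; router names, priorities and addresses
# are assumptions (10.100.10.1 is the virtual address from Figure 5-62).


class VrrpGroup:
    """One backup group: several routers sharing a virtual IP address."""

    def __init__(self, vrid, virtual_ip, priorities):
        self.vrid = vrid
        self.virtual_ip = virtual_ip
        self.priorities = dict(priorities)       # router name -> VRRP priority
        self.interface_up = {r: True for r in self.priorities}

    def candidates(self):
        return [r for r in self.priorities if self.interface_up[r]]

    def master(self):
        """Highest priority among routers whose interface is up becomes master;
        ties are broken by name here (stand-in for the higher interface address)."""
        live = self.candidates()
        if not live:
            return None
        return max(live, key=lambda r: (self.priorities[r], r))

    def interface_down(self, router):
        self.interface_up[router] = False

    def interface_recovered(self, router):
        self.interface_up[router] = True


def independent_masters(groups):
    """Each backup group elects on its own (plain VRRP)."""
    return {g.vrid: g.master() for g in groups}


class VgmpGroup:
    """Management group: one active router, and every member VRRP group follows it."""

    def __init__(self, groups, priorities):
        self.groups = list(groups)
        self.priorities = dict(priorities)       # router name -> management-group priority

    def active_router(self):
        # A router stays eligible only while all of its member-group interfaces
        # are up, so a single interface failure moves the whole router to standby.
        eligible = [r for r in self.priorities
                    if all(r in g.candidates() for g in self.groups)]
        if not eligible:
            return None
        return max(eligible, key=lambda r: (self.priorities[r], r))

    def masters(self):
        active = self.active_router()
        return {g.vrid: active for g in self.groups}


def path_is_symmetric(masters):
    """True when one router is master for every group, so a session's forward
    and return traffic traverse the same device (what a stateful firewall or
    NAT gateway needs)."""
    return len(set(masters.values())) == 1


if __name__ == "__main__":
    uplink = VrrpGroup(1, "10.100.10.1", {"RouterA": 120, "RouterB": 100})
    downlink = VrrpGroup(2, "192.168.1.1", {"RouterA": 120, "RouterB": 100})
    downlink.interface_down("RouterA")
    print("plain VRRP:", independent_masters([uplink, downlink]))
    print("managed:   ", VgmpGroup([uplink, downlink], {"RouterA": 120, "RouterB": 100}).masters())
```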
5.11.7 GR
Graceful Restart (GR) is a key technique for high availability (HA). GR switchover and the subsequent restart can be triggered by the administrator or by faults. During a switchover caused by a failure, GR neither deletes routing information from the routing table or the FIB nor resets the interface boards, which prevents service interruption across the whole system. GR has the following advantages:
- Simple and easy to implement: only some protocols need to be modified.
- No state information about the backup protocol is needed. Only a little information needs to be forwarded from the AMB (active main board) to the SMB (standby main board): configuration changes or updates, interface status changes, and the topology or routes after the restart.
- Packet forwarding stops only briefly when the main board switches over.
- The network converges fast.
The NE80E supports system-based GR and protocol-based GR. The protocol-based GR includes:
5.11.8 BFD
To improve network performance, the system must be able to rapidly detect a communication fault, and then set up a backup channel to resume the communication. The BFD provides the following functions:
- Provides low-load, short-duration detection of path faults between two adjacent forwarding engines.
- Uses a single mechanism to perform real-time detection of all media or protocol layers, and supports different detection times and costs.
BFD for LDP FRR
The LDP FRR switchover is triggered if the BFD session goes Down.
BFD for IP FRR and BFD for VPN FRR
On the NE80E, IP FRR and VPN FRR are triggered only after the detected faults are reported to the control plane.
When peers of OSPF/BGP are set up, OSPF/BGP uses the routing management module to inform the BFD of setting up a session. The BFD session then fast detects the OSPF/BGP peer relationship. The detection parameters of the BFD session are determined by OSPF/BGP. When the BFD detects a fault, its status becomes Down. The BFD uses the routing management module to trigger the route convergence.
A conventional routing protocol detects faults at the granularity of seconds through the Keepalive mechanism of Hello packets. BFD detects faults at the granularity of milliseconds. The BFD period is 10 ms; if the Detect Mult parameter is set to 3, BFD can report the protocol fault in 50 ms. Route convergence is thus much faster.
When the peer status is Unreachable, OSPF/BGP uses the routing management module to inform the BFD of deleting the corresponding session.
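The BFD timing described above, as an added Python model (example code for this page, not NE80E software). It applies the RFC 5880 rule that a session is declared Down when no control packet arrives within the receive interval multiplied by Detect Mult; the 1 ms timer tick and the convergence callback are constructed assumptions. With the page's values (10 ms period, Detect Mult 3) the model declares the peer Down about 30 ms after its last packet, inside the 50 ms figure the page gives:

```python
# Constructed BFD timing model; not NE80E code. Uses the RFC 5880 rule that
# the detection time is the receive interval multiplied by Detect Mult.


class BfdSession:
    def __init__(self, rx_interval_ms, detect_mult, on_down=None):
        self.rx_interval_ms = rx_interval_ms
        self.detect_mult = detect_mult
        self.on_down = on_down           # e.g. the routing management module's hook
        self.state = "Up"
        self.last_rx_ms = None

    @property
    def detection_time_ms(self):
        return self.rx_interval_ms * self.detect_mult

    def receive(self, now_ms):
        """A BFD control packet arrived from the peer."""
        self.last_rx_ms = now_ms

    def check(self, now_ms):
        """Timer hook: declare the session Down once the peer has been silent
        for longer than the detection time, and notify route convergence."""
        if (self.state == "Up" and self.last_rx_ms is not None
                and now_ms - self.last_rx_ms > self.detection_time_ms):
            self.state = "Down"
            if self.on_down:
                self.on_down()
        return self.state


def detection_delay_ms(rx_interval_ms, detect_mult, last_packet_ms, tick_ms=1):
    """Simulate a peer that goes silent after last_packet_ms and return
    (milliseconds until the session is declared Down, notifications raised)."""
    events = []
    session = BfdSession(rx_interval_ms, detect_mult,
                         on_down=lambda: events.append("route convergence triggered"))
    for t in range(0, last_packet_ms + 1, rx_interval_ms):   # packets arrive on time
        session.receive(t)
    now = last_packet_ms
    while session.state == "Up":                              # then the peer falls silent
        now += tick_ms
        session.check(now)
    return now - last_packet_ms, events


if __name__ == "__main__":
    print(detection_delay_ms(10, 3, 100))
```

Raising Detect Mult trades detection speed for tolerance of a few lost control packets: with a multiplier of 1 a single dropped packet would flap the session and trigger a needless convergence.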
5.11.9 FRR
The NE80E provides multiple fast reroute (FRR) features. You can deploy FRR as required to improve network reliability.
IP FRR
FRR can minimize data loss due to network faults. The switching time can be less than 50 ms. The NE80E provides the fast reroute function, which enables the system to monitor and store the real-time state of the service card and the port, and to check the status of the port during forwarding. When an abnormality occurs on the port, the system can fast switch traffic to another route (if one exists), thereby improving the MTBF and reducing the number of lost packets.
LDP FRR
Traditional IP FRR cannot protect MPLS traffic efficiently. With LDP FRR, the NE80E provides a port-based protection solution. When LDP works in downstream label distribution, sequential label control, and liberal label retention modes, the LSR stores all label mappings it receives, but only the label mapping from the next hop of the route corresponding to the FEC generates a label forwarding entry. With LDP FRR, a liberally retained label mapping can also generate a label forwarding entry, which establishes a standby LSP. When the network runs normally, the active LSP is used; if the outbound interface of the active LSP goes down, the standby LSP is used. Services are thus not interrupted before the network converges.
TE FRR
TE FRR is a technology used in MPLS TE to implement local protection on the network. Only interfaces whose rate reaches 100 Mbit/s support FRR. The switching time of FRR can reach 50 ms, which minimizes packet loss in the case of a network fault. FRR is only a temporary measure: once the protected LSP recovers or a new LSP is established, traffic is switched back to the original LSP or to the new LSP. After FRR is configured for an LSP, when a link or node on the LSP fails, traffic is switched to the bypass link while the ingress of the LSP establishes a new LSP. Based on the objects protected, FRR is divided into the following two types:
- Link protection: a direct link exists between the PLR and the MP, and the primary LSP passes over this link. When this link goes out of service, traffic is switched to the bypass LSP. As shown in Figure 5-63, the primary LSP is R1 -> R2 -> R3 -> R4 and the bypass LSP is R2 -> R6 -> R3.
Figure 5-63 (as extracted: routers R1, R2, R3, R4 and R6; primary LSP and bypass LSP)
- Node protection: the PLR is connected to the MP through R3, and the primary LSP passes through this router. When R3 fails, traffic is switched to the bypass LSP. As shown in Figure 5-64, the primary LSP is R1 -> R2 -> R3 -> R4 -> R5 and the bypass LSP is R2 -> R6 -> R4. R3 is the protected router.
Figure 5-64 (as extracted: routers R1, R2, R3, R4, R5 and R6; primary LSP and bypass LSP)
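The two protection types above, as an added Python model (example code for this page, not NE80E software). The router names follow Figures 5-63 and 5-64; the path representation and the validation rules that a bypass must start at the PLR, end at the MP and avoid the failed element are constructed assumptions about how a correct bypass is checked:

```python
# Constructed model of TE FRR local protection (link and node protection);
# not NE80E code. Router names follow Figures 5-63 and 5-64.


def repaired_path(primary, bypass, failure):
    """Return the path traffic follows after the PLR switches it onto the bypass LSP.

    primary: routers of the primary LSP in order, e.g. ["R1", "R2", "R3", "R4"]
    bypass:  routers of the bypass LSP, from the PLR to the MP
    failure: ("link", ("R2", "R3")) or ("node", "R3")
    Raises ValueError when the bypass does not protect the failed element.
    """
    plr, mp = bypass[0], bypass[-1]
    kind, what = failure
    if kind == "link":
        a, b = what
        if a not in primary or b not in primary or primary.index(b) != primary.index(a) + 1:
            raise ValueError("failed link is not a hop of the primary LSP")
        # link protection: PLR and MP are the two ends of the failed link
        if (plr, mp) != (a, b):
            raise ValueError("bypass must run from the PLR to the MP of the failed link")
        if any((x, y) == (a, b) for x, y in zip(bypass, bypass[1:])):
            raise ValueError("bypass traverses the failed link")
    elif kind == "node":
        if what not in primary:
            raise ValueError("failed node is not on the primary LSP")
        i = primary.index(what)
        if i == 0 or i == len(primary) - 1:
            raise ValueError("ingress and egress cannot be protected locally")
        # node protection: PLR is the upstream neighbour, MP the downstream neighbour
        if (plr, mp) != (primary[i - 1], primary[i + 1]):
            raise ValueError("bypass must run from the upstream to the downstream neighbour")
        if what in bypass:
            raise ValueError("bypass traverses the protected node")
    else:
        raise ValueError("unknown failure kind")
    # Traffic follows the primary LSP to the PLR, the bypass to the MP, then the primary LSP again.
    return primary[:primary.index(plr)] + bypass + primary[primary.index(mp) + 1:]


def bypass_is_valid(primary, bypass, failure):
    """True when the bypass LSP actually protects the given failure."""
    try:
        repaired_path(primary, bypass, failure)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(repaired_path(["R1", "R2", "R3", "R4"], ["R2", "R6", "R3"], ("link", ("R2", "R3"))))
    print(repaired_path(["R1", "R2", "R3", "R4", "R5"], ["R2", "R6", "R4"], ("node", "R3")))
```

The splice happens entirely at the PLR, which is why the switchover is local and fast: the ingress learns of the failure later and only then re-signals a new LSP, as the text describes.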
VLL FRR
VLL FRR is a technique for realizing network protection in the L2VPN. It fast switches user traffic to the backup link after a fault occurs on the network, which improves the reliability of the L2VPN. VLL FRR is also called VLL redundancy. VLL FRR in the L2VPN includes fault detection, fault notification, and active/standby switchover of links. The NE80E provides several features that can be combined to realize VLL FRR.
- Fault detection: BFD for LSP/PW can fast detect a fault of the LSP/PW at the network side of an L2VPN. Ethernet OAM, ATM OAM, PPP, and FR can fast detect a fault at the access circuit (AC) side of an L2VPN.
- Fault notification: LDP, BGP, or RSVP can notify the remote PE router of a fault of the LSP/PW or the AC. BFD for LSP/PW can inform the remote PE router of a fault of the LSP/PW or the AC. Ethernet OAM, ATM OAM, PPP, and FR can notify the local CE router of the fault.
- Active/standby switchover of links: in a symmetric network, CE routers perform the active/standby switchover. In an asymmetric network, PE routers work with CE routers to perform the switchover.
VPN FRR
In the traditional L3VPN, the local PE router senses the fault of the remote PE router through the BGP Hello packets. The time taken to sense the fault defaults to 90 seconds. That is, VPN routes on the local PE router converge after the fault of the remote PE router lasts 90 seconds. VPN FRR supported by the NE80E can solve the preceding problem. When the CE router is dual-homed, VPN FRR can fast switch VPN services to the backup tunnel and PE router after the link between the CE router and the PE router is disconnected or after the PE router restarts. In this manner, services are restored within a short period.
The forwarding engine of the local PE router keeps not only the outer labels of the remote active PE router and the inner labels distributed to VPN routes, but also the outer labels of the remote standby PE router and the inner labels it distributed to the same VPN routes. With an end-to-end fault detection mechanism such as BFD, the local PE router senses the fault of the remote active PE router within 200 milliseconds and then switches both the outer and the inner labels from the remote active PE to the remote standby PE at the same time. VPN FRR thus solves the problem of switching over inner labels. The switchover priority of VPN FRR is lower than that of LDP/MPLS TE FRR, so the time VPN FRR takes to sense a fault is longer than that taken by LDP/TE FRR.
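The dual label pairs described above, as an added Python model of the local PE's forwarding entries (example code for this page, not NE80E software; the PE names, label values and prefixes are constructed assumptions). A BFD-style fault report on the remote active PE flips every affected prefix to its standby outer and inner labels at once, with no per-route convergence, while a prefix without a standby PE has to wait:

```python
# Constructed model of the VPN FRR forwarding entry described above; not
# NE80E code. Label values, PE names and prefixes are assumptions.


class VpnFrrForwarder:
    """Forwarding engine of the local PE that keeps, per VPN route, both the
    label pair for the remote active PE and the pair for the remote standby PE."""

    def __init__(self):
        self.entries = {}          # prefix -> {"active": (pe, labels), "standby": ... or None}
        self.pe_up = {}            # remote PE name -> True/False (fed by BFD)

    def install(self, prefix, active_pe, active_labels, standby_pe=None, standby_labels=None):
        """active_labels / standby_labels are (outer tunnel label, inner VPN label)."""
        self.entries[prefix] = {
            "active": (active_pe, active_labels),
            "standby": (standby_pe, standby_labels) if standby_pe else None,
        }
        self.pe_up.setdefault(active_pe, True)
        if standby_pe:
            self.pe_up.setdefault(standby_pe, True)

    def lookup(self, prefix):
        """Return (remote PE, outer label, inner label) used for the prefix right now,
        or None when neither PE is usable."""
        entry = self.entries[prefix]
        pe, labels = entry["active"]
        if not self.pe_up[pe]:
            if entry["standby"] is None:
                return None                     # unprotected: waits for BGP convergence
            pe, labels = entry["standby"]
            if not self.pe_up[pe]:
                return None
        return (pe,) + tuple(labels)

    def pe_fault(self, pe):
        """BFD reports the remote PE unreachable: every prefix that used it
        switches to its standby labels at once."""
        self.pe_up[pe] = False

    def pe_recovered(self, pe):
        self.pe_up[pe] = True

    def routes_via(self, pe):
        """Prefixes currently forwarded through the given remote PE."""
        return sorted(p for p in self.entries
                      if self.lookup(p) is not None and self.lookup(p)[0] == pe)


if __name__ == "__main__":
    fw = VpnFrrForwarder()
    fw.install("10.1.0.0/16", "PE2", (1001, 2001), "PE3", (1002, 2002))
    fw.install("10.3.0.0/16", "PE2", (1001, 2005))          # dual-homing absent: no standby
    fw.pe_fault("PE2")
    print(fw.lookup("10.1.0.0/16"), fw.lookup("10.3.0.0/16"))
```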
- Local configuration through the Console port
- Remote configuration through the AUX port with a modem
- Remote configuration through Telnet
- Board-in-position detection, hot-swap detection, watchdog, board reset, control over running and debugging indicators, fan monitoring, power monitoring, active/standby switchover control, and version query
- Local and remote software upgrading and data loading, upgrade backoff, backup, storage, and removal
- Hierarchical user authority management, operation log management, online help and comments for the command line
- Multi-user operation
- Collection of multi-layer information, including port information, Layer 2 information, and Layer 3 information
- Hierarchical management, alarm classification, and alarm filtering
- Monitors changes of the state machines of routing protocols.
- Monitors changes of the state machine of MPLS LDP.
- Monitors changes of VPN-related state machines.
- Monitors the types of upstream protocol packets sent by the NP, and displays details about the packets with the debugging function.
- Monitors and accounts for abnormal packets, and displays a notification when handling of the abnormality takes effect.
- Collects statistics on the resources used by each feature subsystem.
- Hierarchical protection for configuration commands, ensuring that unauthorized users cannot access the router.
- Online help, available by typing "?".
- Various debugging information for network troubleshooting.
- DosKey-like function for rerunning a history command.
- Fuzzy search for command lines: for example, you can enter the non-conflicting keyword "disp" for the display command.
7 Networking Applications
The NE80E is mainly applicable to the IP core/backbone network or the convergence node with heavy traffic. It also acts as a gateway on the data center network with features of a carrier-class device. The NE80E provides multiple services such as IPv4/IPv6 routing and high-speed forwarding, MPLS, and IP multicast. In addition, it provides MPLS TE to solve the traffic problem on the backbone network.
The NE80E can be used:
- As a core node on the national or provincial backbone network
- As a Point of Presence (POP) access node on the national or provincial backbone network
- As a core node on the MAN
Figure (IP backbone networking, as extracted): international egress; national backbone with NE80E and NE5000 nodes interconnected by 10G POS links (IPv4); provincial backbones with NE80E/NE80 nodes.
The NE80E can meet the requirements for bearing multiple services on the IP backbone network, with the following features:
- Fifth-generation service expansion and seamless upgrade
- Carrier-class stability
- Perfect compatibility
- Perfect QoS mechanisms
Figure (NGN bearer network, as extracted): SoftX3000, AR, NE40E, SoftX3000.
Given the state of the existing bearer network and the positioning of the NGN bearer network and 3G services, carriers need to set up a core bearer network to carry NGN multi-services. In the new competitive environment, with the development of new services and technologies, the newly built bearer network will become the next-generation multi-service bearer platform supporting voice, data, and video transmission. Specifically, it will carry services such as NGN, video conferencing, video phone, streaming media, enterprise interconnection, and 3G, and will mark a milestone of network transformation and network convergence for carriers. In this solution, the NE5000E acts as the core router, forwarding data at high speed with high reliability, while the NE80E/40E acts as the convergence router, accessing NGN voice, signaling, NMS, and customer services. This application has the following characteristics:
- The core layer uses double planes. The NE5000Es are connected in full-mesh mode.
- The NE80E is dual-homed to the NE5000E.
- Two devices are deployed on an important node to back up each other.
- MPLS VPN is uniformly planned to realize user isolation and service isolation.
- VPN FRR is deployed on all PE routers.
- Such high-reliability techniques as TE FRR, GR, BFD for VRRP, and IGP fast convergence are used on the network.
Figure (IPTV bearer network, as extracted): NE80E (QinQ, 4K x 4K VLANs, isolated unicast services, secure access; multicast replication on the edge, ensuring high efficiency and controllable multicast); convergence switch (selective QinQ, dedicated multicast VLAN avoiding replication on the gateway); multicast switch (saving reconstruction expense); DSLAM; ES; TV and PC terminals.
The NE80E/40E can run as the core-layer router, providing comprehensive VPN, multicast, and QoS scheduling functions. The MA5200G/ME60, a high-performance, large-capacity multi-service control gateway, can run as the service-control-layer device. It supports authentication through PPPoE and DHCP, multicast replication based on VLANs and PPPoE sessions, and five-level QoS scheduling. The S8500 switch can run at the convergence layer; it supports selective QinQ and effectively differentiates services. The S6500 can run as the multicast switch; it supports inter-VLAN multicast replication for attached switches or DSLAMs without multicast functions.
The S3000 and S2000 can run as access switches. They provide multicast features such as multicast VLAN and IGMP snooping/proxy. Huawei SMARTAX DSLAMs such as the MA5100/5300/5600 can run as the access-end DSLAM. Based on the ATM architecture, the MA5100 supports multicast with the newly added EVM boards; original network services and new video services can access different networks through various boards. Based on the IP architecture, the MA5300/5600 provides abundant multicast functions.
The IPTV bearer network and the original MAN access network use the same platform, so the IPTV bearer network is integrated into the carrier's overall network structure. At the core layer, the high-end NE80E/40E router builds the MPLS VPN and constructs a logical plane for each kind of service; it also forwards data at high speed and provides high-performance QoS. The BRAS at the service control layer is deployed as follows. In the early phase of IPTV service development, normal services and IPTV services access the same BRAS and are distributed there, so that the whole network changes little and new services are deployed promptly. As services grow to large scale, dedicated IPTV BRASs are required: broadband access services access the original BRAS, and IPTV services access the dedicated IPTV BRAS. In this way, IPTV services and other services do not affect each other, and the high-traffic requirements of IPTV services are satisfied. The powerful control capability of the BRAS also ensures the secure access of IPTV services. IPTV services and other services are distributed on the convergence-layer device.
Figure 7-4 (IP MAN, as extracted): egress router, BRAS, USR, access network; broadband access, customer service, and NGN service.
As shown in Figure 7-4, the IP MAN is divided into the core layer, the service control layer, and the access layer. The NE80E is usually used in the core position on the IP backbone network, the IP MAN, and large-scale IP networks; in this application, the NE80E can be deployed at the egress of the IP MAN core network. The NE40E is usually deployed as the core or convergence node on the IP MAN; in this application, the NE40E can be deployed as the convergence node of the IP MAN core network. The core layer is responsible for high-performance, large-capacity data forwarding. It requires a simple network structure and secure, reliable transmission of multiple services. Huawei enables IP/MPLS at the core layer and allows one physical network to realize multiple logical service bearer planes through MPLS VPN technology. To ensure network security and reliability, Huawei adopts many reliability techniques at the core layer, such as device high reliability, network high reliability, and inter-AS high reliability. Huawei provides core-layer devices with large capacity, high-density interfaces, and high forwarding performance, meeting the requirements of the core layer. The NE80E/40E provides the following features that meet the demands of the core layer of the MAN:
- The NE80E/40E has powerful switching capacity. The interface capacity of a single system reaches 640 Gbit/s. The NE80E/40E provides line-rate 10-Gbit/s interfaces. In addition, the NE40E provides high-density GE interfaces. This meets the requirements for large-capacity and high-performance forwarding of the core network.
- The NE80E/40E provides powerful routing capability and various routing protocols.
- The NE80E/40E supports IP/MPLS and provides multiple VPN solutions such as MPLS/BGP L3VPN and MPLS L2VPN. In this manner, multiple services are carried over the logical bearer planes of the core network, and service isolation and security are realized. The NE80E/40E supports inter-AS VPN Option A/B/C, which guarantees the reliable running of inter-AS services.
- The NE80E/40E provides carrier-class reliability, such as redundancy of key modules and in-service patching. In addition, it provides various FRR techniques, such as IP FRR, LDP FRR, and TE FRR.
Figure 7-5 (IPv6 application on the backbone, as extracted): PE, IPv4 Internet, L3 switch, MA 5200, L2 switch, SOHO IPv6 islands.
As shown in Figure 7-5, the IPv6 application on the backbone network does not impact the original IPv4 services such as IPv4 forwarding and MPLS VPN. The application needs to solve two problems:
- Interconnection between IPv6 islands
- Interworking between IPv6 and IPv4 networks
These problems can be solved in three ways:
- All routers on the backbone network support the IPv4/IPv6 dual stack. IPv4 services are forwarded over IPv4 and IPv6 services over IPv6, which solves both problems.
- IPv6 islands are interconnected through L3 tunnels, manually configured tunnels, or 6to4 tunnels. The core router needs only to support IPv4 forwarding. Interworking between IPv6 and IPv4 networks is implemented by configuring NAT-PT on gateways.
- IPv6 islands are interconnected through MPLS L2 tunnels by applying MPLS L2VPN techniques such as VPLS and CCC. The core router needs only to support MPLS forwarding. Interworking between IPv6 and IPv4 networks is implemented by configuring NAT-PT on gateways.
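How a 6to4 tunnel, one of the island-interconnection options above, finds its IPv4 endpoint and carries an IPv6 packet across an IPv4-only core, as an added Python example (example code for this page, not NE80E software). It uses the 2002:V4ADDR::/48 prefix format of RFC 3056 and IPv4 protocol number 41 for IPv6-in-IPv4 encapsulation; the addresses are documentation ranges chosen here as assumptions:

```python
import ipaddress
import struct

# Constructed illustration of how a 6to4 tunnel finds its IPv4 endpoint and
# encapsulates an IPv6 packet; not NE80E code. Addresses are documentation
# ranges (RFC 5737 / 2002::/16), chosen here as examples.

SIX_TO_FOUR_PREFIX = 0x2002
IPPROTO_IPV6 = 41          # IPv6-in-IPv4 encapsulation (RFC 3056 / RFC 4213)


def six_to_four_prefix(public_ipv4):
    """2002:V4ADDR::/48, the IPv6 prefix a site derives from its public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((SIX_TO_FOUR_PREFIX << 112) | (v4 << 80), 48))


def tunnel_endpoint(ipv6_dst):
    """IPv4 address embedded in a 2002::/16 destination, or None for any other address."""
    v6 = int(ipaddress.IPv6Address(ipv6_dst))
    if (v6 >> 112) != SIX_TO_FOUR_PREFIX:
        return None
    return ipaddress.IPv4Address((v6 >> 80) & 0xFFFFFFFF)


def ipv4_header_checksum(header):
    """Standard one's-complement sum over the 20-byte IPv4 header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_6to4(local_ipv4, ipv6_dst, ipv6_packet, ttl=64):
    """Wrap an IPv6 packet in an IPv4 header (protocol 41) addressed to the
    endpoint derived from the destination; the IPv4 core forwards it unchanged."""
    endpoint = tunnel_endpoint(ipv6_dst)
    if endpoint is None:
        raise ValueError("not a 2002::/16 destination: needs a 6to4 relay or native IPv6")
    total_length = 20 + len(ipv6_packet)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0x4000, ttl,
                         IPPROTO_IPV6, 0, ipaddress.IPv4Address(local_ipv4).packed,
                         endpoint.packed)
    header = header[:10] + struct.pack("!H", ipv4_header_checksum(header)) + header[12:]
    return header + ipv6_packet


if __name__ == "__main__":
    print(six_to_four_prefix("192.0.2.1"))
    print(tunnel_endpoint("2002:c000:201::1"))
    pkt = encapsulate_6to4("198.51.100.7", "2002:c000:201::1", bytes([0x60]) + bytes(39))
    print(len(pkt), pkt[9])
```

Because the tunnel endpoint is computed from the destination address alone, no per-island tunnel configuration is needed on the core; the trade-off is that a border router must be prepared to receive protocol-41 packets from any IPv4 source, which is why such tunnels are normally filtered at the egress.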
8 Technical Specifications
Item (table fragment, item names only): External dimensions (width x depth x height); Installation; Weight; AC input voltage
Description (table fragment, values only): 5% to 85% RH, non-condensing; 0% to 95% RH, non-condensing; 0% to 95% RH, non-condensing; within 3000 meters; within 5000 meters; 2; 32 kbit/s; 4
20 Gbit/s (uni-directional)
Feature: IPv4 routing protocols
Description:
- Static routes
- Dynamic unicast routing protocols: RIP-1/RIP-2, OSPF, IS-IS, BGP
- Multicast protocols: IGMP, IGMP snooping, PIM-DM, PIM-SM, PIM-SSM, MBGP, MSDP
- Multicast VLAN
- Multicast VPN
- Multicast flow control
- Routing policies
Feature: IPv6
Description:
- IPv4-to-IPv6 transition technologies: manually configured tunnel, GRE, automatic tunnel, 6to4 tunnel, 6PE, IPv4 over IPv6 tunnel
Feature: MPLS
Description:
- Basic functions: MPLS forwarding, MPLS LDP, MPLS TE (RSVP-TE/CR-LDP), MPLS QoS, MPLS Uniform, Pipe and Short Pipe, MPLS OAM, IPTN
Feature: VPN
Description:
- L2VPN: VLL/PWE3 (Martini, Kompella), VPLS, QinQ, HVPLS, ATM Inter-Working Function (ATM IWF)
- L3VPN: MPLS/BGP VPN (as the PE router or the P router), HoVPN, Multicast VPN, Inter-VPN, Carrier's carrier, RRVPN, Multi-role host
- IPv6 L3VPN: IPv6 MPLS/BGP VPN (as the PE router or the P router), Inter-VPN, Carrier's carrier
Feature: Security
Description:
- AAA, SSH, Port mirroring, Port traffic sampling, Traffic control on the LPU and the MPU, URPF, Layer 2 limit, ARP anti-attack, Attack defense, Lawful interception
Feature: Reliability
Description:
- Hot backup: 1:1 backup of MPUs; 3+1 load balancing and backup of SFUs; 1+1 backup of the power module; 1+1 backup of the system management bus and data bus; 1+1 backup of the fan module
- GR: protocol-level GR (IS-ISv4, OSPF, BGP4, LDP, and VPN); system-level GR
- Other: IP FRR, LDP FRR, TE FRR, VLL FRR, VPN FRR, VRRP, BFD, dampening control to support Up/Down of interfaces, customized alarm damping
Feature: QoS
Description:
- Traffic classification: simple traffic classification; complex traffic classification (based on port; based on Layer 2, Layer 3 or Layer 4 packets)
- Traffic policing and traffic shaping based on srTCM or trTCM
- DiffServ: EF, AF services
- GTS
- PQ/WFQ
- RED/WRED
- Route redirection, MPLS LSP explicit route distribution
- IP precedence
- Specific traffic behavior
- BGP identifies and classifies routes through the BGP traffic index to account traffic on the basis of classification; QoS that transmits the private network routes through BGP is an extension of QPPB in the L3VPN
Feature: VPN QoS
Description:
- Supports traffic classification, traffic shaping, and queue scheduling in the L2VPN and L3VPN
- Supports the combination of VPN QoS with MPLS DiffServ/MPLS TE/MPLS DS-TE
- QinQ QoS: 802.1p remark supported by QinQ; 802.1p and DSCP remark during QinQ termination; 802.1p and EXP remark during QinQ termination
- ATM QoS
- FR QoS: simple traffic classification and forcible traffic classification; traffic shaping, traffic policing, congestion management, queue management, and FR fragmentation
Feature: HQoS
Description:
- Two-level scheduling mode: level 1 scheduling ensures bandwidth for each user and level 2 scheduling ensures bandwidth for the services of each user
- L2VPN HQoS, L3VPN HQoS, TE and DS-TE HQoS
Feature: Configuration management
Description:
- Local configuration through the Console port
- Local or remote configuration through the AUX port
- Local or remote configuration by Telnet
- Local or remote configuration by SSH login
- Hierarchical commands to defend against unauthorized users' login
- Detailed debugging information for network fault diagnosis
- Network test tools such as tracert and ping
- Supports logging in to and managing other routers by Telnet
- FTP server and client functions to upload and download configuration files and applications
- TFTP client functions to upload and download configuration files and applications
- Upload and download of configuration files and applications through the XModem protocol
- System logs
- Virtual file system
Feature: Time service
Description: Time zone; summer time; NTP server and NTP client
Feature: Online services
Description: In-service upload; in-service upgrade; in-service patching
Feature: Information center
Description:
- Provides three types of information: alarm, log, and debugging
- Provides eight levels of information: emergency, alert, critical, error, warning, notification, informational, and debugging
- Information can be output to the log host or user terminal; log information and alarm information can be output through the SNMP Agent or the buffer
Feature: Network management
Description: Supports SNMP v1/v2c/v3; RMON; NetStream; traffic statistics
Performance attributes (table fragment, attribute names only): IPv4/IPv6 routing entries; routing convergence speed; number of IPv6 over IPv4 tunnels; number of 6PEs; number of routes or LSPs that carry out load balancing; MPLS label layers; number of LSPs
Attribute | Service Feature | Technical and Performance Specifications
- MPLS: speed of LSP refreshment, 3000 LSPs/s; number of LDP neighbors, more than 1000; MPLS FRR switching time, < 50 ms; forwarding delay, < 50 us
- L2VPN and QoS (values as extracted; the L2VPN attribute names were lost): 16 K; 8K; 16 K/LPU, extendable to 128 K/LPU; 64 K; 8 k/LPU. QoS attributes: number of traffic classification rules; CAR granularity; number of queues; levels of HQoS scheduling, 5 levels; packet buffer time, 200 ms
- Multicast: number of multicast routes, 8K; number of multicast static routes, 256; number of multicast forwarding table entries, 8K; forwarding rate, 10 Gbit/s; forwarding delay, < 50 us; multicast replication ability, 1024