
Product Description

Quidway CX600 Metro Services Platform

HUAWEI TECHNOLOGIES CO., LTD.


Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service.
Please feel free to contact our local office or company headquarters.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://www.huawei.com

Email: support@huawei.com

Copyright Huawei Technologies Co., Ltd. 2009. All rights reserved.


No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.

Issue 03 (2009-03-10) Commercial in Confidence Page 2 of 200



About This Document

Summary
This document describes the product features, hardware architecture, link features,
software features, operation and maintenance, network management, networking
applications, and technical specifications of the Quidway CX600 Metro Services
platform.
This document includes:

Chapter | Details
1 Product Features | This chapter introduces the product positioning and features of the CX600.
2 System Architecture | This chapter describes the physical, logical, and software architecture of the CX600.
3 Hardware Architecture | This chapter describes the chassis, fans, power modules, and board types of the CX600.
4 Link Features | This chapter describes the link features of the CX600.
5 Primary Service Features | This chapter describes the service features of the CX600.
6 Maintenance and Network Management System | This chapter describes operation and maintenance, and network management of the CX600.
7 Networking Applications | This chapter describes the networking applications of the CX600.
8 Technical Specifications | This chapter describes the technical specifications of the CX600.


Contents

1 Product Features
1.1 Positioning
1.2 Abundant Services
1.3 High-Density LPUs
1.4 Powerful Forwarding Capacity
1.5 Perfect QoS Mechanism
1.6 Excellent Security Design
1.7 Good IPv4 and IPv6 Compatibility
1.8 Compatibility and Extensibility
1.9 High Reliability

2 System Architecture
2.1 Physical System Architecture
2.2 Logical System Architecture
2.3 Software Architecture
2.4 VRPv5 Architecture

3 Hardware Architecture
3.1 Chassis
3.2 Fans
3.2.1 Ventilation and Heat Dissipation System
3.2.2 Fan Module
3.3 Power Modules
3.3.1 DC-Input Power Supply
3.3.2 AC-Input Power Supply
3.4 LCD
3.4.1 Introduction
3.4.2 Appearance
3.5 Board Cage
3.5.1 Board Cage
3.5.2 Board Distribution in the Board Cage
3.6 Boards
3.6.1 SRU
3.6.2 MPU
3.6.3 SFU
3.6.4 LPU
3.6.5 SPU

4 Link Features
4.1 Ethernet Link Features
4.1.1 Basic Features
4.1.2 Ethernet Bundling
4.1.3 Virtual Ethernet Interface
4.2 FR Link Features
4.3 POS Link Features
4.3.1 SDH/SONET Encapsulation
4.3.2 POS Interfaces
4.3.3 POS Sub-interfaces
4.3.4 POS Bundling
4.4 CPOS Link Features
4.4.1 Channelization
4.4.2 PPP/HDLC
4.5 ATM Link Features
4.5.1 SDH/SONET Encapsulation
4.5.2 PVP/PVC
4.5.3 IPoA
4.5.4 ATM Sub-interfaces
4.5.5 ATM OAM
4.5.6 1483B
4.5.7 ATM Cell Relay
4.6 CE1/CT1/E3/T3/CT3 Link Features

5 Primary Service Features
5.1 Ethernet Features
5.1.1 Switched Ethernet Features
5.1.2 Routed Ethernet Features
5.1.3 Ethernet Clock Synchronization
5.1.4 PBB-TE
5.1.5 QinQ
5.1.6 RRPP Link Features
5.1.7 RSTP/MSTP
5.1.8 BPDU Tunnel
5.2 IP Features
5.2.1 IPv4/IPv6 Dual-Protocol Stacks
5.2.2 IPv4 Features
5.2.3 IPv6 Features
5.2.4 GRE
5.2.5 IPv4/IPv6 Transition Technologies
5.3 Routing Protocols
5.3.1 Unicast Routing
5.3.2 Multicast Routing
5.4 MPLS Features
5.4.1 Basic Functions
5.4.2 MPLS TE
5.4.3 MPLS OAM
5.5 VPN Features
5.5.1 Tunnel Policy
5.5.2 VPN Tunnel
5.5.3 MPLS L2VPN
5.5.4 BGP/MPLS IP VPN
5.5.5 L2VPN Accessing L3VPN
5.5.6 VPN QoS
5.6 IPTN Features
5.7 QoS Features
5.7.1 DiffServ Model
5.7.2 Traffic Classification
5.7.3 Traffic Policing
5.7.4 Queue Scheduling
5.7.5 Congestion Management
5.7.6 Traffic Shaping
5.7.7 HQoS
5.7.8 QPPB
5.7.9 Ethernet QoS
5.7.10 ATM QoS
5.7.11 FR QoS
5.8 Load Balancing
5.8.1 Equal-Cost Load Balancing
5.8.2 Unequal-Cost Load Balancing
5.9 Traffic Statistics
5.9.1 URPF Traffic Statistics
5.9.2 ACL Traffic Statistics
5.9.3 CAR Traffic Statistics
5.9.4 HQoS Traffic Statistics
5.9.5 Interface-based Traffic Statistics
5.9.6 VPN Traffic Statistics
5.9.7 TE Tunnel Traffic Statistics
5.10 IP Compression
5.11 MSE Features
5.12 Network Security
5.12.1 Protocol Security Authentication
5.12.2 RPF/URPF
5.12.3 MAC Limit
5.12.4 Unknown Traffic Suppression
5.12.5 DHCP Snooping
5.12.6 Local Anti-attack
5.12.7 GTSM
5.12.8 ARP Attack Defense
5.12.9 Mirroring
5.12.10 NetStream
5.12.11 Lawful Interception
5.13 Network Reliability
5.13.1 Backup of Key Modules
5.13.2 High Reliability of the LPU
5.13.3 Alarm Customized Damping
5.13.4 Ethernet OAM
5.13.5 VRRP
5.13.6 GR
5.13.7 BFD
5.13.8 FRR

6 Maintenance and Network Management System
6.1 Maintenance Features and Functions
6.1.1 System Configuration Mode
6.1.2 System Management and Maintenance
6.1.3 HGMP
6.1.4 System Service and Status Tracking
6.1.5 System Test and Diagnosis
6.1.6 Upgrade Features
6.1.7 Miscellaneous Features
6.2 Network Management
6.2.1 NMS
6.2.2 LLDP

7 Networking Applications

8 Technical Specifications
8.1 Physical Specifications
8.2 System Configuration
8.3 Specifications of System Features and Service Performances
8.3.1 Specifications of System Features
8.3.2 Specifications of Service Performances

A Compliant Standards
A.1 Standards and Telecom Protocols
A.2 Electromagnetic Compatibility Standards
A.3 Safety Standards
A.4 Environmental Standards
A.5 Other Standards

B Acronyms and Abbreviations


1 Product Features

About This Chapter

The following table shows the contents of this chapter.

Section | Description
1.1 Positioning | This section describes the positioning of the CX600.
1.2 Abundant Services | This section describes services that are supported by the CX600.
1.3 High-Density LPUs | This section describes the types of LPUs supported by the CX600.
1.4 Powerful Forwarding Capacity | This section describes the powerful forwarding capability of the CX600.
1.5 Perfect QoS Mechanism | This section describes the QoS mechanism on the CX600.
1.6 Excellent Security Design | This section describes the security design on the CX600.
1.7 Good IPv4 and IPv6 Compatibility | This section describes the IPv4/IPv6 solutions supported by the CX600.
1.8 Compatibility and Extensibility | This section describes the compatibility and scalability of the CX600.
1.9 High Reliability | This section describes the reliability of the CX600.


1.1 Positioning
The Huawei Quidway CX600 Metro Services Platform (MSP), hereafter referred to as the
CX600, is a high-end Ethernet product. It focuses on access, aggregation, and
transmission of carrier-class FMC Ethernet services in the metro area, and is mainly
deployed at metro access and aggregation points.
To meet different demands of users, the CX600 is available in four models:
CX600-16, CX600-8, CX600-4, and CX600-X3. The CX600-16 supports a maximum
of 16 LPUs, the CX600-8 supports a maximum of 8 LPUs, the CX600-4 supports a
maximum of 4 LPUs, and the CX600-X3 supports a maximum of 3 LPUs. You can
choose the CX600-16, CX600-8, CX600-4, or CX600-X3 according to your
networking demands.
The CX600 is developed on the basis of Huawei's proprietary Versatile Routing
Platform (VRP). Thanks to its hardware-based forwarding mechanism and non-blocking
switching technology, it has carrier-class reliability, line-speed forwarding
capability, perfect QoS management, abundant service processing, and excellent
expansibility.
In addition to its Ethernet access, Layer 2 switching, and EoMPLS transmission
capabilities, the CX600 supports abundant IP-layer services. It can provide
broadband Internet, Triple Play, IP dedicated line, IP VPN, and other services. The
CX600 can work together with Huawei products such as the CX200/300, NE80E, CX600,
ME60, and MA5200G to build a clearly hierarchical metro Ethernet network for
multiple services.

1.2 Abundant Services


Based on the VRPv5, the CX600 provides the following abundant service features:
- Provides IPv4/IPv6 unicast and multicast routing protocols, multicast Call
  Admission Control (CAC) to ensure carrier-class QoS for multicast, complete
  MultiProtocol Label Switching (MPLS), MPLS Traffic Engineering (TE), and IP
  Telecommunication Network (IPTN) solutions.
- Provides Hot Standby (HSB) of multicast traffic and fast switching.
- Provides complete Virtual Private Network (VPN) services, such as L2VPN,
  Virtual Private LAN Service (VPLS), Hierarchy of VPLS (HVPLS), Virtual Leased
  Line (VLL), L3VPN, multicast VPN services, Huawei patent Hierarchy of VPN
  (HoVPN) services, and multi-role host services.
- Provides complete attack defense features, identifies attack packets and traces
  the source of attack packets, and supports local and remote port mirroring, which
  improves the reliability of devices.
- Provides complete Multi Service Edge (MSE) features to manage and control the
  local access users.
- Provides access management, login and logout control, accounting, and QoS for
  DHCP users, static users, Layer 2 dedicated line users, Layer 3 dedicated line
  users, and Layer 2 VPN users.
- Provides the Bandwidth on Demand (BOD) service for enterprise users and
  DHCP users.
- Provides the web authentication server.
- Provides rich Layer 2 service features, such as Layer 2 VLAN, selective QinQ,
  QinQ termination, Provider Backbone Bridging-Traffic Engineering (PBB-TE),
  Rapid Ring Protection Protocol (RRPP), Spanning Tree Protocol (STP), Rapid
  Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP).

1.3 High-Density LPUs


The CX600 provides Line Processing Units (LPUs) and flexible plug-in cards of
various types.
- LAN and MAN access interfaces:
  Ethernet: 10M/100M/1000M/10G interfaces
  RPR: 10G RPR/2.5G RPR
- WAN access interfaces:
  POS: 155M/622M/2.5G/10G
  CPOS: 155M
  ATM: 155M/622M
  TDM: CE1/CT1/E1/T1/E3/T3/CT3
Common interfaces that the CX600 supports

Interface Type | Quantity per Slot | Quantity in the System
10G POS | 4 | CX600-16: 32; CX600-8: 16; CX600-4: 8; CX600-X3: 6
2.5G POS | 4 | CX600-16: 64; CX600-8: 32; CX600-4: 16; CX600-X3: 12
622M POS | 32 | CX600-16: 512; CX600-8: 256; CX600-4: 128; CX600-X3: 96
155M POS | 32 | CX600-16: 512; CX600-8: 256; CX600-4: 128; CX600-X3: 96
155M CPOS | 8 | CX600-16: 128; CX600-8: 64; CX600-4: 32; CX600-X3: 24
10GE | 4 | CX600-16: 32; CX600-8: 16; CX600-4: 8; CX600-X3: 6
GE | 24 | CX600-16: 384; CX600-8: 192; CX600-4: 96; CX600-X3: 72
FE-TX | 96 | CX600-16: 1536; CX600-8: 768; CX600-4: 384; CX600-X3: 288
FE-SFP | 24 | CX600-16: 384; CX600-8: 192; CX600-4: 96; CX600-X3: 72
155M ATM | 16 | CX600-16: 256; CX600-8: 128; CX600-4: 64; CX600-X3: 48
10G RPR | 1 | CX600-16: 16; CX600-8: 8; CX600-4: 4
2.5G RPR | 4 | CX600-16: 64; CX600-8: 32; CX600-4: 16
622M ATM | 8 | CX600-16: 128; CX600-8: 64; CX600-4: 32; CX600-X3: 24
CE1/CT1 | 96 | CX600-16: 1536; CX600-8: 768; CX600-4: 384; CX600-X3: 288
E3/T3/CT3 | 16 | CX600-16: 256; CX600-8: 128; CX600-4: 64; CX600-X3: 48

1.4 Powerful Forwarding Capacity


Designed with a hardware-based forwarding engine, the CX600 carries out
full-duplex forwarding of IPv4, IPv6, MPLS, and Layer 2 packets at line speed on all
interfaces. The CX600 also supports ACL-based forwarding at line speed.
The hardware completes two-level packet replication to forward multicast at line
speed:
- The Switch and Fabric Unit (SFU) replicates multicast packets to the Line
  Processing Unit (LPU).
- The forwarding engine of the LPU replicates the multicast packets to its
  interfaces.
The LPU supports 200 ms of packet buffering, which ensures that no packets are lost
in the case of burst traffic.

1.5 Perfect QoS Mechanism


The CX600 provides the following Quality of Service (QoS) scheduling and buffer
mechanisms:
- Priority Queue (PQ), Weighted Round Robin (WRR), or Weighted Fair Queuing
  (WFQ)
  This guarantees fair scheduling and ensures that services of high priority are
  performed first and are not interfered with.
- Three-level switching network based on Combined Input and Output Queuing
  (CIOQ)
  This prevents head-of-line blocking.
- Flow-based scheduling
  It facilitates MPLS Traffic Engineering (TE) and supports Differentiated Services
  (DiffServ) and Integrated Services (IntServ). It combines MPLS TE and DiffServ,
  thus implementing MPLS DS-TE.
- Eight priority queues
  This prevents traffic of high priority from being interrupted.
- Hardware-based QoS functions
  This ensures that packets are forwarded at line speed even if QoS is enabled.
- Five-level Hierarchical QoS (HQoS) scheduling

The perfect QoS mechanism answers the demands of the IP Telephony Network
(IPTN). It provides guaranteed delay, jitter, bandwidth, and packet loss ratio of
different services. It guarantees the launch of carrier-class services such as Voice
over IP (VoIP) and meets the requirements for the development of multi-service IP
networks.

1.6 Excellent Security Design


The CX600 takes multiple security measures to protect the data of Internet Service
Provider (ISP) networks and end users. The measures can prevent Denial of Service
(DoS) attacks, illegal access, and overload of the control plane. The CX600 adopts a
distributed structure and guarantees the separation between the data plane and the
control plane. It provides industry-leading security performance.
The CX600 provides the following security features:
• Three user authentication modes: local authentication, RADIUS authentication,
  and HWTACACS authentication
• Hardware-based packet filtering and sampling, which guarantees high
  performance and high extensibility
• Multiple authentication methods, including plain text authentication and Message
  Digest 5 (MD5), for upper-layer routing protocols such as Open Shortest Path
  First (OSPF), Intermediate System-to-Intermediate System (IS-IS), Routing
  Information Protocol (RIP), and Border Gateway Protocol-4 (BGP-4)
• ACL on the forwarding plane and control plane
• Anti-attack features, including:
  - Defends against TCP/IP spoofing attacks.
  - Traces sources of attacks.
  - Defends the management and service planes. The CX600 can control
    management packets and some service packets on the physical interfaces. A
    physical interface can be specified as the management interface.
  - Supports application layer cooperation. If a protocol is enabled, the
    protocol packets are sent to the CPU for processing. If a protocol is disabled,
    the protocol packets are discarded or sent to the CPU at a limited bandwidth.
• Lawful interception or Unicast Reverse Path Forwarding (URPF)
  URPF checks the source IP address of the received packets and then discards
  the illegal packets.
• DHCP snooping and limit on MAC addresses
• Generalized TTL Security Mechanism (GTSM)
• Multi-Service Edge (MSE) that provides dynamic user access, authentication, and
  accounting, and HQoS
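
The URPF check named in the feature list above, as an added example (not Huawei code and not CX600 configuration): a small Python model of source validation against a forwarding table. It goes beyond the page by showing the general strict and loose modes of the technique; the routes, interface names and packets are constructed assumptions.

```python
"""Model of a uRPF (Unicast Reverse Path Forwarding) ingress check.

Added illustration only: the FIB, interface names and packets are constructed,
and the strict/loose modes are the general technique, not a description of how
the CX600 implements URPF.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str  # interface the router would use to reach this prefix


class Verdict(NamedTuple):
    accept: bool
    reason: str


# Constructed FIB built from documentation prefixes (RFC 5737).
FIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "uplink0"),
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust-a"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust-b"),
    Route(ipaddress.ip_network("198.51.100.128/25"), "cust-a"),
]


def longest_match(fib, addr: str, allow_default: bool) -> Optional[Route]:
    """Return the most specific route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in fib:
        if route.prefix.prefixlen == 0 and not allow_default:
            continue  # a default route would make every source look valid
        if ip in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def urpf_check(fib, src: str, in_if: str, mode: str = "strict",
               allow_default: bool = False) -> Verdict:
    """Decide whether a packet from src arriving on in_if passes uRPF.

    strict: the best route back to src must point out of in_if.
    loose:  any route back to src is enough.
    This model keeps one best route per source; a router with equal-cost
    paths would accept any of their interfaces in strict mode.
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode: {mode}")
    route = longest_match(fib, src, allow_default)
    if route is None:
        return Verdict(False, "no route back to source")
    if mode == "loose":
        return Verdict(True, f"source covered by {route.prefix}")
    if route.interface == in_if:
        return Verdict(True, f"reverse path for {route.prefix} is {in_if}")
    return Verdict(
        False, f"source is reached via {route.interface}, not {in_if}"
    )


def filter_packets(fib, packets, mode="strict", allow_default=False):
    """Split (src, in_if) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src, in_if in packets:
        verdict = urpf_check(fib, src, in_if, mode, allow_default)
        target = forwarded if verdict.accept else dropped
        target.append((src, in_if, verdict.reason))
    return forwarded, dropped


# Constructed ingress samples: (source address, arrival interface).
SAMPLE_PACKETS = [
    ("192.0.2.10", "cust-a"),      # customer A source on customer A port
    ("192.0.2.10", "cust-b"),      # customer A address seen on customer B port
    ("198.51.100.200", "cust-a"),  # the more specific /25 points at cust-a
    ("198.51.100.200", "cust-b"),  # inside the /24, but the /25 wins
    ("203.0.113.5", "cust-a"),     # only the default route covers this source
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        fwd, drop = filter_packets(FIB, SAMPLE_PACKETS, mode)
        print(f"{mode}: forwarded={len(fwd)} dropped={len(drop)}")
        for src, in_if, reason in drop:
            print(f"  drop {src} on {in_if}: {reason}")
```

Strict mode catches a valid prefix arriving on the wrong port, which loose mode lets through; excluding the default route is what keeps unrouted sources from passing either mode.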

1.7 Good IPv4 and IPv6 Compatibility


The CX600 fully supports the Internet Protocol version 4 (IPv4) and IP version 6 (IPv6)
dual stack. It can provide all IPv6 features, and offers a good solution to the smooth
transition from IPv4 networks to IPv6 networks.

• Supports various IPv6 over IPv4 tunnels and IPv4 over IPv6 tunnels.
• Supports the routing table and the forwarding table with large capacities. This
  enables the CX600 to serve as the VPN Provider Edge (PE) and supports future
  expansion of services.
• Supports the distributed forwarding of IPv4/IPv6 and Multiprotocol Label
  Switching (MPLS).
• Supports IPv4/IPv6 dynamic unicast and multicast routing protocols.

1.8 Compatibility and Extensibility


The CX600 has good compatibility and strong extensibility. It supports smooth
expansion. The CX600 features the following:
• The backplane of the CX600 has a large capacity, which reserves enough
  bandwidth for future expansion.
• The CX600 forwards services through the flexibly programmable Network
  Processor (NP). Thus, you can install software to carry new services.
• The Traffic Manager (TM) and Packet Forwarding Engine (PFE) are separate.
  The two PFEs, Application Specific Integrated Circuit (ASIC) and NP, are flexibly
  supported to meet the requirements of different applications.

1.9 High Reliability


Based on the carrier-class design, the chassis of the CX600 supports the hot swap of
boards. The chassis can be installed in an N68E-22/N68E-18 cabinet or a standard
19-inch cabinet.
The CX600 provides a powerful monitoring system. The CX600 manages and
maintains the entire system by using the Switch and Route Processing Unit (SRU)
or the Main Processing Unit (MPU). The SRU/MPU manages, monitors, and
maintains the boards, fans, and power modules.
The CX600 complies with Electromagnetic Compatibility (EMC) requirements. The
modular design of the system provides EMC isolation between boards.
The CX600 fully meets the requirements for the high reliability of carrier-class and
high-end routers. The CX600 provides the features described in Table 1-1 to ensure
high reliability.

Table 1-1 Reliability features

Item                    Description

System protection       • The boards, power modules, and fans are hot swappable.
mechanism               • The SRU/MPUs run in 1:1 backup mode.
                        • The Switch Fabric Units (SFUs) on the CX600-16, CX600-8 and
                          CX600-4 run in 3+1 load balancing and backup mode.
                        • The power modules, AC-input or DC-input, work in 1+1 backup
                          mode. The power modules provide three power input routes and
                          adopt the switched-mode power supply (SMPS).
                        • The key components such as the clocks and management buses
                          work in backup mode.
                        • Protections against abnormalities:
                          - The system restarts automatically when abnormalities
                            occur and recovers the work.
                          - The system resets a board when abnormalities occur on
                            the board and recovers the work.
                          - The system automatically restores the interface
                            configuration.
                        • The system provides protections against over-current and
                          over-voltage for power modules and interfaces.
                        • The system provides protection against mis-insertion of boards.
                        • Power alarm monitoring: The system provides alarm prompt,
                          alarm indication, running status query, and alarm status
                          query.
                        • Voltage and environment temperature monitoring: The system
                          provides alarm prompt, alarm indication, running status
                          query, and alarm status query.

Reliability design      • The system adopts distributed hardware-based forwarding.
                        • The control channel is separated from the service channel to
                          provide a non-blocking control channel.
                        • The system provides fault detection for the system and boards,
                          indicators, and the NMS alarm function.

Reliable upgrade        • The system supports in-service patching.
                        • The system supports version rollback.
                        • The system supports in-service upgrading of the BootROM.
                        • The backplane bus supports 8BCP check.
                        • The system supports the Error Checking and Correction (ECC)
                          Random Access Memory (RAM).

Fault tolerance         • Data backup: The system supports hot backup of the data
design                    between the active and standby units. When the active unit
                          fails, the standby unit automatically takes over the active
                          unit for data transmission. This ensures that no data is lost.
                        • Synchronization: The system supports the synchronization
                          configuration between the SRU/MPUs and LPUs.
                        • The system can automatically select and boot correct
                          applications.
                        • The system supports the automatic upgrade and restoration of
                          the BootROM program.
                        • The system can back up configuration files to the remote File
                          Transfer Protocol (FTP) server.
                        • The system can automatically select and run correct
                          configuration files.
                        • The system provides abnormality monitoring for the system
                          software, automatic restoration, and log record.

Operation security      • The system provides password protection for system operations.
                        • The system provides hierarchical protection for commands
                          through the configuration of login user classes and command
                          levels.
                        • The system can lock the terminal through commands to prevent
                          illegal use.
                        • The system provides operation and confirmation prompts for
                          some commands that may degrade the system performance.

Operation and           • The system adopts the generic integrated Network Management
maintenance center        System platform developed by Huawei.

2 System Architecture

About This Chapter

The following table shows the contents of this chapter.

Section                             Description

2.1 Physical System Architecture    This section describes the physical architecture of the CX600.
2.2 Logical System Architecture     This section describes the logical architecture of the CX600.
2.3 Software Architecture           This section describes the software architecture of the CX600.
2.4 VRPv5 Architecture              This section describes the VRPv5 architecture.

2.1 Physical System Architecture


Figure 2-1 shows the CX600 physical architecture with the DC-input power modules
that includes the following systems:
• Power distribution system
• Functional host system
• Heat dissipation system
• Network management system

Figure 2-1 Physical architecture

[Figure: the integrated chassis with the power distribution system, the functional host system, and the fan heat dissipation system. Other labels in the figure: -48 V and -48 V RTN power feeds, Monitorbus, Ethernet, and the network management subsystem.]

RTN indicates Return.

Except for the network management system (NMS), all systems are in the
integrated cabinet. The power distribution system works in 1+1 backup mode. The
following introduces only the functional host system.
The functional host system processes data. In addition, it monitors and manages the
whole system, such as the power distribution system, the fan heat dissipation system,
and the NMS through NMS interfaces.
Figure 2-2 shows the functional host system of the CX600.

Figure 2-2 Functional host system

[Figure: block diagram of the functional host system. Labelled blocks: LPUs (physical interface unit, forwarding unit, monitoring unit, management unit), the active and slave MPUs (system monitoring unit, management bus switching unit), the SFU module (switching network, switching network control unit, switching network monitoring unit), and the system backplane. Labelled links: monitoring bus, management bus, serial link group, and POS/Ethernet.]
(1): The link connects to the management bus switching unit of another MPU.

2.2 Logical System Architecture


As shown in Figure 2-3, the CX600 is logically divided into:
• Data plane
• Control and management plane
• Monitoring plane

Figure 2-3 Logical architecture

[Figure: three planes spanning the LPUs, the MPU, and the SFU. Monitoring plane: monitoring units and the system monitoring unit. Control & management plane: management units, the system control unit, and the switching network control unit. Data plane: forwarding units and the switching network.]


• The data plane is responsible for high speed processing and non-blocking
  switching of data packets. It encapsulates or decapsulates packets, forwards
  IPv4/IPv6/MPLS packets, performs QoS and scheduling, completes inner
  high-speed switching, and collects statistics.
• The control and management plane is the core of the entire system. It controls
  and manages the system. The control and management unit processes protocols
  and signals, configures and maintains the system status, reports and controls the
  system status.
• The monitoring plane monitors the system environment. It detects the voltage,
  controls power-on and power-off of the system, monitors the temperature and
  controls the fan. In this way, the security and stability of the system are ensured.
  It can isolate the fault promptly in the case of a unit failure to guarantee the
  operation of the other parts.

2.3 Software Architecture


Figure 2-4 shows the software architecture of the CX600.

Figure 2-4 Software architecture

[Figure: labelled elements are power monitoring, fan monitoring, SNMP, the active and standby RPS, IPC, and three LPUs, each shown with an FSU and an EFU.]

In terms of the software, the CX600 consists of the Routing Process System (RPS),
power monitoring module, fan monitoring module, LCD control module, Forwarding
Support Unit (FSU), and Express Forwarding Unit (EFU).
• The RPS is the control and management module that runs on the SRU/MPU. The
  RPSs of the active SRU/MPU and the standby SRU/MPU back up each other.
  They support IPv4/IPv6, MPLS, LDP, and routing protocols, calculate routes, set
  up LSPs and multicast distribution trees, generate unicast, multicast, and MPLS
  forwarding tables, and deliver routing information to the LPU.
• The FSU implements the functions of the link layer and IP protocol stacks on an
  interface.
• The EFU performs hardware-based IPv4/IPv6 forwarding, multicast forwarding,
  MPLS forwarding, and statistics.

2.4 VRPv5 Architecture


The VRPv5 consists of the following parts: system service plane, versatile control
plane, data forwarding plane, service control plane, and system management plane.
• System service plane
  It provides such functions as task and memory management, timer, software
  loading and patching based on the operating system. It enhances the modular
  technology to facilitate system upgrade and customization.
• Versatile control plane
  It is the core of the VRP data communication platform. It supports link
  management, IPv4/v6 protocol stack, and routing protocol processing, MPLS,
  MPLS VPN, and MPLS TE. It serves as the basis of security and QoS. It is used
  to control the data forwarding plane and carry out various functions of the device.
• Data forwarding plane
  It forwards data under the control of the versatile control plane to carry out data
  transmission. The VRPv5 supports data forwarding based on software and
  hardware. The data forwarding plane is the task executor of the CX600.
• Service control plane
  It controls and manages the system as required, including authentication,
  authorization, and accounting.
• System management plane
  It manages user interfaces and input/output interfaces. It is the basis of the
  network management and maintenance.
The VRPv5 has the following characteristics:
• The system structure adopts the modular design.
• The components can be upgraded independently, without affecting the running of
  other components.
• The system is easy to maintain and supports smooth service expansion.
• In-service patching offers flexible methods of enhancing service features and
  correcting defects. Network reliability is thus guaranteed.
• The system supports the hardware-based structure. Various modules run on
  different Central Processing Units (CPUs). The security and reliability are thus
  ensured.

3 Hardware Architecture

About This Chapter

The following table lists the contents of this chapter.

Section              Description

3.1 Chassis          This section describes the chassis of the CX600.
3.2 Fans             This section describes the fans of the CX600.
3.3 Power Modules    This section describes the power supplies of the CX600.
3.4 LCD              This section describes the board cage of the CX600.
3.5 Board Cage       This section describes the boards of the CX600.
3.6 Boards           This section describes the chassis of the CX600.

3.1 Chassis
The CX600 consists of the following components: integrated chassis (including the
backplane), power modules, ventilation and heat dissipation system, and board cage.
• The chassis of the CX600-16 is 36 U high with the dimensions of 442 mm x 669
  mm x 1600 mm (width x depth x height). The CX600-16 can be mounted in a
  standard 19-inch cabinet or an N68E-22 cabinet. Figure 3-1 shows the
  appearance of the CX600-16.
• The chassis of the CX600-8 is 20 U high with the dimensions of 442 mm x 669
  mm x 886.2 mm (width x depth x height). The CX600-8 can be mounted in a
  standard 19-inch cabinet or an N68E-22/N68E-18 cabinet. Figure 3-2 shows the
  appearance of the CX600-8.
• The chassis of the CX600-4 is 10 U high with the dimensions of 442 mm x 669
  mm x 442 mm (width x depth x height). The CX600-4 can be mounted in a
  standard 19-inch cabinet or an N68E-22/N68E-18 cabinet. Figure 3-3 shows the
  appearance of the CX600-4.
• The dimensions of the CX600-X3 vary with the types of power modules.
  - The CX600-X3 with DC power modules is 4 U high and the dimensions are
    442 mm x 650 mm x 175 mm (width x depth x height). The CX600-X3 can be
    mounted in a standard 19-inch cabinet or an N68E-22 cabinet. Figure 3-4
    shows the appearance of the CX600-X3.
  - The CX600-X3 with AC power modules is 5 U high and the dimensions are
    442 mm x 650 mm x 220 mm (width x depth x height). The CX600-X3 can be
    mounted in a standard 19-inch cabinet or an N68E-22 cabinet. Figure 3-4 and
    Figure 3-5 show the appearance of the CX600-X3.

Figure 3-1 Appearance of the CX600-16

1. LCD
2. Fan module
3, 5. Cabling trough
4. Board cage
6. Air intake frame
7. Plastic panel of the power module
8. Power module
9. Rack-mounting ear
10. Handle

Figure 3-2 Appearance of the CX600-8

1. Panel of the fan frame
2. Fan frame
3. Board cage
4. Air intake frame
5. Plastic panel of the power module
6. Power module
7. Handle
8. Rack-mounting ear
9. Cabling trough

Figure 3-3 Appearance of the CX600-4

1. Air intake frame
2. Mounting ear
3. LPU
4. Power supply module
5. Fan module
6. MPU
7. Fan module
8. Air filter

Figure 3-4 Appearance of the CX600-X3 (DC power modules)

1. Air intake frame
2. Mounting ear
3. LPU
4. Power supply module
5. Fan module
6. MPU
7. Fan module
8. Air filter

Figure 3-5 Appearance of the CX600-X3 (AC power modules)

1. Air intake frame
2. Mounting ear
3. LPU
4. Power supply module
5. Fan module
6. MPU
7. Fan module
8. Air filter

3.2 Fans
3.2.1 Ventilation and Heat Dissipation System
Ventilation and heat dissipation are performed from bottom up on the board cage of
the CX600-16 and CX600-8.
Ventilation and heat dissipation are performed from left to right on the board cages of
the CX600-4.
Ventilation and heat dissipation are performed from left to back on the board cages of
the CX600-X3.
• The fans integrated on the power module are located at the bottom of the
  chassis.
• The air channels of the power module and the board cage are separated from
  each other.
• The air flows from the front of the power module to the back for ventilation and
  heat dissipation.

3.2.2 Fan Module


The CX600-16 has two fan modules, each of which contains two centrifugal fans;
the CX600-8 has one fan module, in which there are nine fans; the CX600-4 has one
fan module, in which there are six fans; the CX600-X3 has one fan module, in which
there are ten fans.
• The fan module helps in the air ventilation and heat dissipation of the boards.
• The main Monitorbus module on the SRU/MPU can control the speed of the fans
  based on the temperature in the board cage.
Figure 3-6, Figure 3-7, Figure 3-8, and Figure 3-9 show the appearances of the
CX600-16, CX600-8, CX600-4 and CX600-X3 fan modules respectively.

Figure 3-6 Appearance of the CX600-16 fan module

Figure 3-7 Appearance of the CX600-8 fan module

Figure 3-8 Appearance of the CX600-4 fan module

Figure 3-9 Appearance of the CX600-X3 fan module

3.3 Power Modules


The maximum power consumption of the CX600-16, CX600-8, CX600-4, and
CX600-X3 is 4700 W, 2200 W, 1400 W, and 900 W respectively.
The CX600 provides two types of power supply:
• DC-input power supply
• AC-input power supply

3.3.1 DC-Input Power Supply


The DC power module of the CX600-16 supports 1+1 backup of the power. The power
module behind the plastic panel inputs DC power and distributes the power. The
power module inputs three channels of the power and adopts the switched-mode
power supply (SMPS). Each of the power modules inputs three channels of the 48 V
DC power at the same time. The three channels of the DC power supply power for
different modules.
The DC power modules of the CX600-8, CX600-4 and CX600-X3 work in 1+1 backup
mode. The power module behind the plastic panel inputs DC power and distributes
the power.
The 48 V DC power module of CX600-16, CX600-8 and CX600-4 is designed with
the 3 U high structure.
Figure 3-10 and Figure 3-11 show the appearance of the DC power module on
CX600-16, CX600-8 and CX600-4.

Figure 3-10 Appearance of the DC power module on CX600-16

Figure 3-11 Appearance of the DC power module on CX600-8 and CX600-4

The 48 V DC power module of CX600-X3 is designed with the 1 U high structure.
Figure 3-12 shows the appearance of the DC power module.

Figure 3-12 Appearance of the DC power module on CX600-X3

The 48 V DC power module outputs:
• Primary straight-through power
• Secondary 48 V DC regulated voltage
The DC power module provides protections against the following:
• Short circuit
• Over-current
• Over-voltage
It also supports the alarm function.

3.3.2 AC-Input Power Supply


The AC power modules of the CX600 work in 1+1 backup mode. The power module
behind the plastic panel inputs AC power and distributes the power.
The AC power module of CX600-16, CX600-8 and CX600-4 is designed with the 3 U
high structure.
Figure 3-13 and Figure 3-14 show the appearance of the AC power module on
CX600-16, CX600-8 and CX600-4.

Figure 3-13 Appearance of the AC power module on CX600-16

Figure 3-14 Appearance of the AC power module on CX600-8 and CX600-4

The AC power module of CX600-X3 is designed with the 1 U high structure.


Figure 3-15 shows the appearance of the AC power module on CX600-X3.

Figure 3-15 Appearance of the AC power module on CX600-X3

The AC power module provides protections against the following:
• Output over-current
• Output over-voltage
• Output under-voltage
• Input over-voltage
• Input under-voltage
• Over-temperature
• Short circuit
It also supports the alarm function.

3.4 LCD

The CX600-16 has an LCD.

3.4.1 Introduction
The LCD is used to display the information and status of the board, environment, fan
module, and power module.
The LCD supports two display modes:
• Idle mode: the default mode. It is used to display the normal status of the system.
• Menu query mode: It supports menus of up to three levels.

3.4.2 Appearance
Figure 3-16 shows the appearance of the LCD.

Figure 3-16 Appearance of the LCD

1. FAN1 indicator 2. FAN2 indicator 3. Push buttons 4. Liquid crystal display

3.5 Board Cage


3.5.1 Board Cage
The CX600-16 has two board cages, each of which has 11 slots. The slots can hold
16 LPUs or NetStream SPUs, 4 SFUs, and 2 MPUs. Figure 3-17 is the schematic
diagram.

Figure 3-17 Board cage of the CX600-16

Upper board cage
Slot    1    2    3    4    17   18   5    6    7    8    9
Board   LPU  LPU  LPU  LPU  MPU  MPU  LPU  LPU  LPU  LPU  LPU

Lower board cage
Slot    10   11   12   13   19   20   21   22   14   15   16
Board   LPU  LPU  LPU  LPU  SFU  SFU  SFU  SFU  LPU  LPU  LPU

The CX600-8 has one board cage, which has 12 slots. The slots can hold 8 LPUs, 2
SFUs (sharing one slot), and 2 SRUs.
Figure 3-18 is the schematic diagram.

Figure 3-18 Board cage of the CX600-8

Slot    1    2    3    4    9    11 (upper) / 12 (lower)   10   5    6    7    8
Board   LPU  LPU  LPU  LPU  SRU  SFU / SFU                 SRU  LPU  LPU  LPU  LPU

The CX600-4 has one board cage, which has 8 slots. The slots can hold 4 LPUs, 2
SFUs (sharing one slot), and 2 SRUs.

Figure 3-19 is the schematic diagram.

Figure 3-19 Board cage of the CX600-4

Slot 6           SRU
Slots 7 and 8    SFU, SFU
Slot 5           SRU
Slot 4           LPU
Slot 3           LPU
Slot 2           LPU
Slot 1           LPU

The CX600-X3 has one board cage, which has 5 slots. The slots can hold 3 LPUs and
2 MPUs.
Figure 3-20 is the schematic diagram.

Figure 3-20 Board cage of the CX600-X3

Slots 4 and 5    MPU, MPU
Slot 3           LPU
Slot 2           LPU
Slot 1           LPU

3.5.2 Board Distribution in the Board Cage


Table 3-1 Board distribution of the CX600-16

Slot Number   Quantity   Slot Width          Remark

1-16          16         41 mm (1.6 inch)    LPUs
17 and 18     2          30 mm (1.3 inch)    MPUs in 1:1 hot backup
19-22         4          36 mm (1.4 inch)    SFUs in 3+1 hot backup

Table 3-2 Board distribution of the CX600-8

Slot Number   Quantity   Slot Width          Remark

1-8           8          41 mm (1.6 inch)    LPUs
9 and 10      2          36 mm (1.4 inch)    SRUs
11 and 12     2          36 mm (1.4 inch)    SFUs in 3+1 backup

Table 3-3 Board distribution of the CX600-4

Slot Number   Quantity   Slot Width          Remark

1-4           4          41 mm (1.6 inch)    LPUs
5 and 6       2          36 mm (1.4 inch)    SRUs
7 and 8       2          36 mm (1.4 inch)    SFUs in 3+1 backup

Table 3-4 Board distribution of the CX600-X3

Slot Number   Quantity   Slot Width          Remark

1-3           3          41 mm (1.6 inch)    LPUs
4 and 5       2          36 mm (1.4 inch)    MPUs in 1:1 hot backup

3.6 Boards

The CX600-8 and CX600-4 support SRU.

3.6.1 SRU
The Switch and Route Processing Unit (SRU) is an integrated unit of multiple
functional modules. The SRU provides the functions as described below by
integrating such units as the system control and management unit, the switching unit,
the system clock source, and the maintenance and management unit. The functions
and hardware implementation of each module are independent.

Core Unit for System Control and Management


• Carrying out routing protocols: The SRU is used for packet broadcast, packet
  filtering, and download of routing policies from the policy server.
• Managing and communicating with the boards: The LAN switch module integrated
  on the SRU carries out out-of-band communication among boards. Through
  the out-of-band management bus, it can manage the LPU, the SFU and the
  standby SRU, and implement their communications.
• Configuring data: The SRU carries out system data configuration and stores
  startup files, charging information, software upgrades, and running logs. The CF
  card on the SRU panel is used to store logs of the system and is hot swappable.
  The CF card inside the SRU is used to store system files and is not hot swappable.
• Managing and maintaining the system: The management interfaces (serial or
  network interfaces) on the SRU carry out management and maintenance of the
  system.

Part of the SFU


The two SFUs and two switching units on the SRU constitute four forwarding planes
that work in 3+1 load balancing mode.
The SRU, functioning as the synchronization clock unit, ensures clock synchronization
between the SFUs and LPUs.

System Clock Unit


The SRU/MPU provides LPUs with reliable synchronous SDH interface clock signals.
It can provide the downstream devices with 2.048 MHz synchronous clock signals,
and can receive 2.048 MHz or 2.048 Mbit/s external reference clock signals.
The SRU supports IEEE 1588v2.

System Maintenance Unit


The SRU periodically collects the running data of system units through the Monitorbus,
and generates control information based on the running state. For example, the SRU
periodically detects whether each board is in position and adjusts the rotating speed of
the fan module. In addition, the SRU can perform local or remote test or online
upgrade of system units through the JTAG bus.

The main control module, clock module, and LAN switch module work in 1+1 hot backup mode,
which improves the reliability of the system.

3.6.2 MPU

The CX600-16 and CX600-X3 support MPU.

The MPU integrates multiple functional modules such as the clock module, LAN
switch module, and Compact Flash (CF) module. As the system clock source and the
management and maintenance unit, the MPU runs as the core of system control and
management. It provides the functions of the control plane and the maintenance plane.
The MPU supports the clock board defined in IEEE 1588v2.
The MPU controls and manages the system. It is designed in 1:1 backup mode. The
MPU is composed of the main control unit, the system monitoring unit, the
management bus switching unit, and the clock unit.
• The main control unit processes network protocols and manages the whole
  system. The main control unit of each MPU is connected with the management
  bus switching unit of both the master and the slave MPUs. It controls and
  manages all the functional units such as MPUs, SFUs, and LPUs. The main
  control unit also communicates with the system monitoring unit. The system
  monitoring unit reports the status and environment information about the
  monitoring plane to the management control plane. The management
  control plane then sends control signals to the monitoring plane.
• The system monitoring unit collects the system monitoring information and
  interacts with the main control unit. In addition, it monitors the status and
  environment of its MPU. It communicates with the monitoring units in the system
  or other boards or subsystems through the Monitorbus.
• The management bus switching unit carries out the switching of the management
  bus. It connects to the control units of two MPUs, all LPUs, and SFUs. Thus, there
  are two sets of management buses in the system to perform the master/slave
  backup protection no matter which main control board is in master mode.

3.6.3 SFU
As the switching network unit of the CX600-16, CX600-8 and CX600-4, the SFU
switches data for the entire system.
On the CX600-16, the four SFUs operate in 3+1 load balancing and backup mode.
They share data processing. The whole system can thus support line-rate switching of
640 Gbit/s traffic.
On the CX600-8 and CX600-4, the two SFUs and the two switching units on the SRU
work in 3+1 load balancing mode. The entire system can thus switch the traffic at wire
speed of 640 Gbit/s.
There is a control channel on the SFU to provide the following functions:
• Detecting voltage, current, and temperature.
• Providing protections against over-voltage, over-current, and over-heat.

3.6.4 LPU
The CX600 provides multiple types of physical interfaces, including GE, POS, CPOS,
ATM, RPR, and CE1/CT1/E3/T3/CE3/CT3 interfaces. These interfaces can
interconnect various network devices as required.

Function
The LPU consists of the Physical Interface Card (PIC), LPU module, and Fabric
Adaptor (FAD). These components work together to implement fast processing and
forwarding of the service data, and the maintenance and management of the link
protocol and service forwarding table. The main functions of each module are
described in Table 3-5.

Table 3-5 Functions of each module on the LPU

Module Name | Function
LPU module |
• Processes and encapsulates link layer protocols such as Ethernet_II and Point-to-Point Protocol (PPP).
• Classifies data packets to monitor traffic and filters packets based on ACLs.
• Manages and schedules data cache.
• Forwards data based on the forwarding table.
• Identifies control protocol packets and forwards packets to the active CPU through the non-line-rate interface.
FAD module |
• Traffic management. According to traffic classification, the FAD carries out queuing, buffer, and scheduling based on the traffic congestion on the SFU.
• Adaptation of the interface on the SFU. It supports the switching from the SDH physical interface (SPI4.2) to the high-speed serial interface on the SFU.
• A part of the SFU. The FAD controls traffic according to the queuing status to ensure that no data is lost in the SFU.
PIC | Performs the function of physical interfaces including electrical/optical conversion and physical layer processing.

The CX600 provides Common LPUs and flexible cards. CX600-X3 only provides
motherboard LPUF-10, motherboard LPUF-21 and their flexible cards.

Fixed Interface LPUs

Only CX600-16, CX600-8 and CX600-4 provide the fixed interface LPUs.
• Ethernet LPU
Table 3-6 lists the Ethernet LPUs supported by the CX600.

Table 3-6 Ethernet LPUs

LPU Name Remarks

1-port 10G Ethernet optical interface LAN LPU (XFP optical module)
1-port 10G Ethernet optical interface WAN LPU (XFP optical module)

24-port 10M/100M/1000M Ethernet electrical interface LPU


24-port 100M/1000M LPU (SFP optical module)
5/10-port Gigabit Ethernet optical interface LPU (SFP optical module)

The Small Form-Factor Pluggable (SFP) and 10-Gigabit Small Form-Factor Pluggable
transceiver (XFP) are pluggable optical modules.
The 10G Ethernet optical interface LPUs can be classified into WAN LPUs and
LAN LPUs. The differences between the WAN LPUs and LAN LPUs are as
follows:
WAN LPUs need to encapsulate Ethernet frames in SDH/SONET frames
before transmitting them over optical fibers. Interfaces on a WAN LPU can be
connected to interfaces on other WAN LPUs or connected to SDH/SONET
transmission devices. WAN LPUs are mainly used for the Ethernet WAN
interconnection.


LAN LPUs implement electro-optic conversions in transmitting Ethernet
frames over optical fibers. Interfaces on a LAN LPU, however, can be
connected to only the interfaces on other LAN LPUs. LAN LPUs are mainly
used for the Ethernet LAN interconnection.
The packets sent by interfaces on WAN LPUs or LAN LPUs can be
transmitted through Dense Wavelength Division Multiplexing (DWDM) lines.
• POS LPU
POS LPUs are used to connect the CX600 with SDH transmission devices or
other devices. Table 3-7 lists the POS LPUs provided by the CX600.

Table 3-7 POS LPUs

LPU Name Remarks

1-port OC-192c/STM-64c POS optical interface LPU (XFP optical module)
1/2/4-port OC-48c/STM-16c POS optical interface LPU (SFP optical module)
4-port OC-12c/STM-4c POS optical interface LPU (SFP optical module)
4/8-port OC-3c/STM-1 POS optical interface LPU (SFP optical module)

• RPR optical interface LPU
The RPR optical interface LPU provides access to the RPR ring network
and offers efficient and reliable RPR networking solutions.

Table 3-8 RPR LPUs

LPU Name Remark

1-port OC-192c/STM-64c RPR Interface LPU (XFP optical module)
2/4-port OC-48c/STM-16c RPR Interface LPU (SFP optical module)

Flexible Plug-in Cards


The CX600 provides flexible plug-in cards, which enhance networking flexibility and
provide low-cost and customized solutions as required. In this manner, the needs of
mid-range and low-end users can be satisfied. The flexible plug-in motherboard
(hereinafter referred to as motherboard) works with the flexible plug-in card to provide
the flexible plug-in feature; thus, the hardware configuration is flexible.
The CX600 supports two types of motherboards and their flexible plug-in cards.
• Motherboard LPUF-10 and its flexible plug-in cards
The LPUF-10 provides four slots, in which four half-height flexible plug-in cards
and two full-height flexible plug-in cards (requiring two slots) can be inserted. The
LPUF-10 supports a maximum of 10 Gbit/s bandwidth.


The flexible plug-in cards supported by the LPUF-10 are hot swappable. They
support automatic configuration restoration and card intermixing.

Table 3-9 Flexible plug-in cards supported by the LPUF-10

Flexible Plug-in Card Name | Remarks
1-port OC-192c/STM-64c POS-XFP Flexible Card | It is a full-height card.
1/2/4-port OC-48c/STM-16c POS-SFP Flexible Card | It is a half-height card.
8-port 100/1000Base-X-SFP Flexible Card | It is a half-height card. The card supports Ethernet clock synchronization. In addition, ports 0 or 1 support synchronization of sending and receiving clock signals simultaneously; other ports support only synchronization of sending clock signals.
2-port OC-12c/STM-4c ATM-SFP Flexible Card | It is a half-height card.
4-port OC-3c/STM-1c ATM-SFP Flexible Card | It is a half-height card.
4/8-port OC-12c/STM-4c POS-SFP Flexible Card | It is a half-height card.
4/8-port OC-3c/STM-1c POS-SFP Flexible Card | It is a half-height card.
2-port OC-3c/STM-1c CPOS-SFP Flexible Card | It is a half-height card.
24-port CE1/CT1-100DB Flexible Card | It is a half-height card.
4-port E3/CT3-SMB Flexible Card | It is a half-height card.

• Motherboard LPUF-21 and its flexible plug-in cards
The motherboard LPUF-21 provides two slots, each of which can hold a flexible
plug-in card of the LPUF-21. The LPUF-21 supports a maximum of 20 Gbit/s
bandwidth.
The motherboard LPUF-21 has two models: LPUF-21-A and LPUF-21-B.
The LPUF-21-A provides all the software features of the CX600.
The LPUF-21-B provides all the software features of the CX600 except
L3VPN, Multicast VPN (MVPN), and IPv6; the LPUF-21-B can be upgraded
through licenses to support these features.
Table 3-10 lists the flexible plug-in cards supported by the LPUF-21.


Table 3-10 Flexible plug-in cards supported by the LPUF-21

Flexible Plug-in Card Name | Remarks
1-port 10GBase WAN/LAN-XFP Flexible Card | It is a full-height card. You can configure the interface to run in LAN or WAN mode through commands. The interface supports synchronous Ethernet for sending and receiving clock signals.
12-port 100/1000Base-SFP Optical Interface Flexible Card | It is a full-height card. The card supports Ethernet clock synchronization. In addition, ports 0 or 1 support the synchronization of sending and receiving clock signals; other ports support only the synchronization of sending clock signals.
12-port 100/1000Base-SFP Optical Interface Flexible Card A | It is a full-height card. The card supports Ethernet clock synchronization and IEEE 1588v2.
12-port 10/100/1000Base-RJ45 Electrical Interface Flexible Card | It is a full-height card.
40-Port 100/1000Base-SFP Flexible Card | It occupies two sub-slots.
40-Port 10/100/1000Base-RJ45 Flexible Card | It occupies two sub-slots.
4-Port 10GBase WAN/LAN-XFP Flexible Card | It occupies two sub-slots.
1-port OC-192c/STM-64c POS-XFP Flexible Card | It is a full-height card.
48-port 10/100Base-TX-Delander Flexible Card | It is a full-height card.

Table 3-11 Flexible plug-in cards supported by the LPUF-40

Flexible Plug-in Card Name | Remarks
2-port 10GBase WAN/LAN-XFP Flexible Card | It is a full-height card. You can configure the interface to run in LAN or WAN mode through commands. The interface supports synchronous Ethernet for sending and receiving clock signals.
20-port 100/1000Base-SFP Optical Interface Flexible Card | It is a full-height card. The card supports Ethernet clock synchronization. In addition, ports 0 or 1 support the synchronization of sending and receiving clock signals; other ports support only the synchronization of sending clock signals.

3.6.5 SPU
The SPU provides no interfaces and performs only integrated processing for specific
services. The CX600 provides multiple SPUs for load balancing.
The SPU provides the following functions:
• Integrated NetStream: The system samples packets on the LPU, and collects the
traffic statistics on the SPU. In this manner, the processing performance is high,
without affecting the forwarding capability. To enable integrated NetStream
on the SPU, the system must be configured with a NetStream license.
• Integrated MVPN: To provide the integrated MVPN, the system must be
configured with a certain number of SPUs. The number of SPUs is determined by
the requirements of the MVPN performance. In addition, the system must be
configured with an MVPN license for SPU according to the number of SPUs.
• Integrated tunnel: includes the functions of lawful interception, GRE tunnels, and
IPv6 Provider Edge (6PE) tunnels. To start the integrated tunnel on the
SPU, the system must be configured with as many tunnel licenses as there are
SPUs. For example, if the system is mounted with three SPUs,
three tunnel licenses must be configured to enable the integrated tunnel.


4 Link Features

About This Chapter

The following table shows the contents of this chapter.

Section | Description
4.1 Ethernet Link Features | This section describes the features supported by Ethernet links.
4.2 FR Link Features | This section describes the features supported by FR links.
4.3 POS Link Features | This section describes the features supported by POS links.
4.4 CPOS Link Features | This section describes the features supported by CPOS links.
4.5 ATM Link Features | This section describes the features supported by ATM links.
4.6 CE1/CT1/E3/T3/CT3 Link Features | This section describes the features supported by CE1/CT1/E3/T3/CE3/CT3 links.


4.1 Ethernet Link Features


4.1.1 Basic Features
The Ethernet link provided by the CX600 features the following:
• VLAN trunk
• VLANIF interfaces
• VLAN aggregation
• Inter-VLAN interface isolation
• Ethernet sub-interfaces
• Super-VLAN sub-interfaces
• Ethernet clock synchronization

4.1.2 Ethernet Bundling


Ethernet bundling is a technology that bundles multiple physical Ethernet interfaces
into a logical interface (Eth-Trunk) to increase bandwidth.
Eth-Trunks of the CX600 function as follows:
• An Eth-Trunk supports the bundling of up to 16 physical Ethernet interfaces and
functions the same as a normal Ethernet interface.
• An Eth-Trunk supports the bundling of interfaces with different rates.
• An Eth-Trunk supports active/standby mode and performs active/standby switching
automatically in accordance with the link status of interfaces.
The CX600 supports the adding or deleting of member interfaces to or from an
Eth-Trunk. The CX600 can also sense the Up or Down state of member interfaces,
thus dynamically modifying the bandwidth of the Eth-Trunk.

Layer 2 Ethernet Bundling


When running the portswitch command on an Eth-Trunk, you can switch the
Eth-Trunk to the Layer 2 mode. The Eth-Trunk then provides the following features of
the switched Ethernet link:
• VLANIF interfaces
• Inter-VLAN interface isolation
• VLAN aggregation
• VLAN trunk
• VLAN mapping
• QinQ and VLAN stacking
• Layer 2 features such as MSTP and RRPP

Layer 3 Ethernet Bundling


By default, an Eth-Trunk is a Layer 3 Ethernet bundling interface. The Eth-Trunk then
provides the following features of the routed Ethernet link:


• IPv4/IPv6 forwarding
• MPLS forwarding
• Multicast forwarding
• L3VPN
• L2VPN
The Layer 3 Eth-Trunk can support the creation of subinterfaces. Each Layer 3
Eth-Trunk can support a maximum of 4000 subinterfaces.

LACP (802.3ad)
The CX600 supports link aggregation in static Link Aggregation Control Protocol (LACP)
mode, which contrasts with port bundling in manual mode. Port bundling in manual
mode requires neither LACP nor the exchange of protocol packets; the ISP alone
decides the binding of ports. Link aggregation in static LACP mode relies on LACP
and automatically maintains the port status by exchanging protocol packets. The ISP,
however, still needs to set up the aggregation group and add member links; LACP
cannot change the configuration information.
The CX600 supports LACP that conforms to IEEE 802.3ad. Administrators can create
an Eth-Trunk, add member ports to the Eth-Trunk, and enable LACP on the Eth-Trunk.
The CX600 negotiates with the peer device to determine the interfaces for data
forwarding by exchanging LACP protocol packets. That is, they negotiate to determine
whether the outbound interfaces are in the selected or standby state.
LACP maintains the link status based on the port status. LACP adjusts or disables link
aggregation when the aggregation conditions change.

4.1.3 Virtual Ethernet Interface


The CX600 supports virtual Ethernet (VE) interfaces. By mapping the ATM PVC to the
manually-created VE interfaces, Ethernet packets can be transmitted over the ATM
Adaptation Layer (AAL5). The VE interfaces thus provide Layer 2 switched and Layer
3 IP services.

4.2 FR Link Features


Frame Relay (FR) is a fast packet switching technology used to forward and switch
data in a simple manner on the link layer.
FR carries out only functions of the physical layer and data link layer in the Open
Systems Interconnection (OSI) reference model. Flow control and error correction are
implemented by the intelligent terminal. This shortens the period of packet processing,
increases the network throughput, and reduces the delay of transmission.
FR uses virtual circuits (VCs) to make full use of network resources. Therefore, FR
features large throughput and short delay. It is applicable to burst services.
The CX600 provides the following FR features:
• Data Link Connection Identifier (DLCI)
• VC: Permanent Virtual Circuit (PVC) and Switched Virtual Circuit (SVC)
• FR address mapping


• FR Local Management Interface (LMI)
• FR sub-interfaces
• FR switch PVC backup
• FR compression
• Multilink Frame Relay (MFR)

4.3 POS Link Features


4.3.1 SDH/SONET Encapsulation
The physical layer of the Packet Over SDH/SONET (POS) link adopts Synchronous
Optical Network (SONET) defined by the American National Standards Institute (ANSI)
or Synchronous Digital Hierarchy (SDH) defined by the International
Telecommunication Union-Telecommunication Standardization Sector (ITU-T). POS
interfaces provide alarms for the physical layer.

4.3.2 POS Interfaces


The CX600 provides POS interfaces at a rate of 155 Mbit/s, 622 Mbit/s, 2.5 Gbit/s, or
10 Gbit/s. POS interfaces support the following protocols on the data link layer:
• Point-to-Point Protocol (PPP)
• High-level Data Link Control (HDLC)
• FR
PPP on POS interfaces supports the following:
• Link Control Protocol (LCP)
• Internet Protocol Control Protocol (IPCP)
• Multi-Protocol Label Switching Control Protocol (MPLSCP)
• Multilink Protocol (MP)
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)

4.3.3 POS Sub-interfaces


On the CX600, you can manually create POS sub-interfaces to provide multiple
logical links over a POS link. Then, you need to configure FR on the link layer of POS
sub-interfaces to interwork with the network-layer devices that support POS FR or
with FR switches that support POS interfaces. POS sub-interfaces support
point-to-point (P2P) and point-to-multipoint (P2MP).

4.3.4 POS Bundling


When HDLC is adopted on the link layer of POS interfaces, you can bundle multiple
POS interfaces into a logical interface, that is, an IP-Trunk.
You can configure IP-Trunks to implement routing protocols and carry MPLS and VPN
services. The physical POS interfaces that are bundled into an IP-Trunk are called
member interfaces. All configurations on an IP-Trunk also take effect on the member
interfaces. The member interfaces use the IP address of the IP-Trunk.


IP bundling features the following:


• Increased bandwidth: The bandwidth of an IP-Trunk is the total bandwidth of all
member interfaces.
• Improved reliability: When a link fails, traffic is automatically switched to other
links. This ensures the reliability of the connection.
• Load balancing: Load balancing is implemented between different flows. Flows
with different source and destination IP addresses are carried over different links.
The same flow is carried over the same link.

Figure 4-1 IP trunk

The CX600 supports:


• Inter-board IP trunk
• IP trunk of channels with different rates
• Dynamic establishment and removal of IP-trunk interfaces
• Binding a physical channel to a trunk through the command line on a physical
interface

4.4 CPOS Link Features


In a network, a great number of access devices are connected to the upstream
convergence devices through the low-speed E1/T1 interfaces. In this case, the
convergence devices need to be capable of converging a large number of
low-speed E1/T1 or POS interfaces. The CPOS interfaces of various rates supported
on the CX600 can meet the preceding requirements.

4.4.1 Channelization
A CPOS interface is a channelized POS interface. In channelization, multiple
independent channels of data are transmitted over an optical fiber by using low speed
tributary STM-N signals. During the transmission, each channel has its own bandwidth,
start and end points, and follows its own monitoring policy. Channelization can make
full use of bandwidth in transmitting multiple channels of low speed signals.
The channelization granularity of CPOS interfaces is as follows:
• A 155-Mbit/s CPOS interface can be channelized into 63 E1 channels, 84 T1
channels, or 1023 N x 64K channels.
• A 155-Mbit/s CPOS interface can be channelized into 3 E3/T3 channels.
The CX600 supports the bundling of E1/T1 channels. Up to 84 channels can be
bundled into a channel-set. A 155-Mbit/s CPOS interface supports up to 168
channel-sets.


4.4.2 PPP/HDLC
The CX600 provides CPOS interfaces at a rate of 155 Mbit/s. On the link layer, CPOS
supports the following protocols:
• PPP
• HDLC
PPP on CPOS interfaces supports the following:
• LCP
• IPCP
• MPLSCP
• MP
• PAP
• CHAP

4.5 ATM Link Features


4.5.1 SDH/SONET Encapsulation
ATM interfaces on the CX600 support SONET/SDH encapsulation and the
SONET/SDH overhead configuration and physical layer alarms.

4.5.2 PVP/PVC
ATM interfaces support PVP/PVC in the following aspects:
• VP/VC-based traffic shaping
• User-to-Network Interface (UNI) signaling
• RFC 1483: Multiprotocol Encapsulation over ATM Adaptation Layer 5
• RFC 1577: Classical IP and ARP over ATM
• F4 or F5 End to End Loopback OAM
• AAL5
• Nonreal-time Variable Bit Rate (nrt_VBR)
• Unspecified Bit Rate (UBR)
• Real-time Variable Bit Rate (rt_VBR)
• Constant Bit Rate (CBR)

4.5.3 IPoA
IP over ATM (IPoA) is a technology that bears IP services over the ATM network. It
inherits the fundamentals of TCP/IP and regards the ATM network as a physical
subnet. For IP protocols, the ATM network is equivalent to the physical subnet such as
the Ethernet. With IPoA applied, users can directly run IP-based network protocols
and applications on the ATM network.
The CX600 supports the following modes in setting up the mapping between PVCs
and the IP address of the peer device:


• Static mapping
• Inverse Address Resolution Protocol (InARP)

4.5.4 ATM Sub-interfaces


The CX600 supports ATM sub-interfaces. ATM interfaces support multiple virtual
connections of which the peer networks are in different network segments. In this
case, ATM sub-interfaces should be created so that the CX600 can communicate
with different peers. Multiple PVCs can be created on an ATM sub-interface.

4.5.5 ATM OAM


ATM OAM provides a mechanism to detect and locate faults, and verify network
performance without interrupting services. OAM provides the network with specific
information by inserting OAM cells with the standard structure into user cell flows.
The CX600 supports the F4 and F5 OAM. OAM functions to detect the Up and Down
status of PVP or PVC links.

4.5.6 1483B
RFC 1483 defines the technological standards of transmitting multi-protocol data units
over the ATM network. The standards are as follows:
• 1483 Bridged
It is applied to the bridged Protocol Data Units (PDUs).
• 1483 Routed
It is applied to the routed PDUs.
1483B imitates the bridge function of the Ethernet network, so that the terminal devices on
the user side and the bridge devices on the network side are connected.
Figure 4-2 shows the stack protocol of 1483B.


Figure 4-2 Stack protocol of 1483B

[Figure: protocol stacks (TCP/UDP, IP, Ethernet, 1483B, AAL5, ATM) for the access router and CX-A across the ATM network]

The IPoE Ethernet protocol stack is applied to a device on the user side. After 1483B
is configured on the ingress Router A on the ATM network, Router A can encapsulate
Ethernet packets into ATM cells, so that the received IPoE packets can be transmitted
transparently on the ATM network.
IP over Ethernet over ATM (IPoEoA) is the main application of 1483B supported by
the CX600. IPoEoA indicates that AAL5 bears Ethernet packets and Ethernet bears IP
packets. In this manner, the layer 2 forwarding of IPoEoA packets is implemented
between the Ethernet and PVC. IPoEoA converges the ATM backbone network and
the IP network. IPoEoA supports various Ethernet and IP services.

4.5.7 ATM Cell Relay


The objective of PWE3 is to connect traditional network resources such as ATM,
FR, and Local Area Network (LAN) through a PSN, and to emulate the traditional
services over the PSN. Emulating the original services as closely as possible on the
PSN keeps end users from noticing any difference. In this manner, it protects the existing
investment of users and operators during network consolidation and construction.
The Layer 2 emulation service crosses the public or private PSN by
setting up P2P tunnels that carry data packets, cells, and bit streams. PWE3 tries to
emulate the original services between the two PEs that are connected through a PW.
Figure 4-3 shows the encapsulation type of the label for ATM transparent cell
transport through a PSN.


Figure 4-3 Network diagram for ATM encapsulation over a PSN

[Figure: two L2 networks carrying the ATM service are connected by PEs across an MPLS network; the pseudo-wire runs inside the PSN tunnel. ATM encapsulation over the PSN, from outermost to innermost:
PSN Transport Header: Outer MPLS Label (the MPLS PSN tunnel is identified by the outer label)
Pseudo-wire Header: Inner MPLS Label (the pseudo-wire is identified by the inner label)
ATM Control Word
ATM Service Payload]

The outer PSN label identifies the PSN tunnel, while the inner label, namely the PW
header, identifies a PW.
In ATM cell transport, the following two kinds of services are transmitted on the PSN:
• The services whose PW payload is ATM cells
• The services whose PW payload is AAL5 SDU/PDU
ATM cell transport helps carry existing ATM or ISP networks across the PSN
without adding new ATM devices or changing the ATM CE configurations.
ATM CE routers regard the ATM cell transport service as a TDM leased line.
The CX600 supports ATM cell transport over Permanent Virtual Circuit (PVC) and
Permanent Virtual Path (PVP).
Generally, the CX600 supports the following ATM cell transport modes:
• ATM whole port cell transport
• 1-to-1 VCC cell transport
• N-to-1 VCC cell transport
• 1-to-1 VPC cell transport
• N-to-1 VPC cell transport
• ATM AAL5-SDU VCC transport
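
The encapsulation stack described for Figure 4-3 (outer MPLS label, inner PW label, ATM control word, ATM payload) can be built and strictly parsed as in the following added example, which is not taken from the product documentation. It assumes the N-to-1 cell format of RFC 4717 (52-byte cells without HEC); the label values, VPI/VCI values and function names are constructed for illustration, and the control word's length field is left at zero.

```python
import struct

CELL_LEN = 52  # N-to-1 cell mode: 4-byte ATM header (no HEC) + 48-byte payload


def mpls_entry(label, bottom, tc=0, ttl=64):
    """One MPLS label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 1 << 20:
        raise ValueError("MPLS label is a 20-bit value")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def atm_cell(vpi, vci, payload, pti=0, clp=0):
    """ATM cell as carried in the PW: VPI(12) | VCI(16) | PTI(3) | C(1) + payload."""
    if len(payload) != 48:
        raise ValueError("ATM cell payload is 48 bytes")
    if not (0 <= vpi < 1 << 12 and 0 <= vci < 1 << 16):
        raise ValueError("VPI is 12 bits and VCI is 16 bits")
    return struct.pack("!I", (vpi << 20) | (vci << 4) | (pti << 1) | clp) + payload


def pw_encap(tunnel_label, pw_label, cells, seq=0):
    """Ingress PE: outer tunnel label, inner PW label (S=1), control word, cells."""
    control_word = struct.pack("!I", seq & 0xFFFF)  # first nibble, flags, length = 0
    return (mpls_entry(tunnel_label, bottom=False)
            + mpls_entry(pw_label, bottom=True)
            + control_word + b"".join(cells))


def pw_decap(packet, expected_pw_label):
    """Egress PE: walk the label stack, check the control word, split the cells."""
    labels, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        labels.append(word >> 12)
        if word & 0x100:  # S bit set: bottom of stack reached
            break
    if len(labels) != 2:
        raise ValueError("expected an outer tunnel label and an inner PW label")
    if labels[1] != expected_pw_label:
        raise ValueError("inner label does not match a configured pseudo-wire")
    if offset + 4 > len(packet):
        raise ValueError("missing control word")
    (cw,) = struct.unpack_from("!I", packet, offset)
    offset += 4
    if cw >> 28 != 0:
        raise ValueError("first nibble of the control word must be 0")
    body = packet[offset:]
    if not body or len(body) % CELL_LEN:
        raise ValueError("payload is not a whole number of 52-byte cells")
    cells = []
    for i in range(0, len(body), CELL_LEN):
        (hdr,) = struct.unpack_from("!I", body, i)
        cells.append({"vpi": hdr >> 20, "vci": (hdr >> 4) & 0xFFFF,
                      "pti": (hdr >> 1) & 7, "clp": hdr & 1,
                      "payload": body[i + 4:i + CELL_LEN]})
    return {"tunnel_label": labels[0], "pw_label": labels[1],
            "seq": cw & 0xFFFF, "cells": cells}


# Constructed sample: two VCCs (VPI 1, VCI 32 and 33) multiplexed onto one PW.
SAMPLE_CELLS = [atm_cell(1, 32, bytes([0xA1]) * 48), atm_cell(1, 33, bytes([0xB2]) * 48)]
SAMPLE_PACKET = pw_encap(tunnel_label=3001, pw_label=5002, cells=SAMPLE_CELLS, seq=7)

if __name__ == "__main__":
    info = pw_decap(SAMPLE_PACKET, expected_pw_label=5002)
    print(info["tunnel_label"], info["pw_label"], info["seq"],
          [(c["vpi"], c["vci"]) for c in info["cells"]])
```

The parser assumes the outer label is still present at the egress PE; with penultimate hop popping only the inner label would arrive.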

4.6 CE1/CT1/E3/T3/CT3 Link Features


The CX600 provides CE1, CT1, E3, T3, and CT3 interfaces.
Serial interfaces are channelized from CE1/CT1/E3/T3/CT3 interfaces and support
the following link protocols:


• PPP
• HDLC
• FR (supported on CE1/CT1 interfaces)
PPP on serial interfaces supports the following:
• LCP
• IPCP
• MPLSCP
• MP
• PAP
• CHAP


5 Primary Service Features

About This Chapter

The following table shows the contents of this chapter.

Section | Description
5.1 Ethernet Features | This section describes the Ethernet features supported by the CX600.
5.2 IP Features | This section describes the IP features supported by the CX600.
5.3 Routing Protocols | This section describes the routing protocols supported by the CX600.
5.4 MPLS Features | This section describes the MPLS features supported by the CX600.
5.5 VPN Features | This section describes the VPN features supported by the CX600.
5.6 IPTN Features | This section describes the IPTN features supported by the CX600.
5.7 QoS Features | This section describes the QoS features supported by the CX600.
5.8 Load Balancing | This section describes the load balancing features supported by the CX600.
5.9 Traffic Statistics | This section describes the traffic statistics features supported by the CX600.
5.10 IP Compression | This section describes the IP compression features supported by the CX600.
5.11 MSE Features | This section describes the MSE features supported by the CX600.
5.12 Network Security | This section describes the security features supported by the CX600.
5.13 Network Reliability | This section describes the high reliability features supported by the CX600.


5.1 Ethernet Features


5.1.1 Switched Ethernet Features
The Ethernet interfaces on the CX600 can run as switched interfaces to provide VLAN,
VPLS, and QoS services. They can also run on the User Network Interface (UNI) side
to support MPLS VPN.

VLAN Trunk
A trunk is a P2P link between two routers. The interfaces on the connected routers are
called trunk interfaces. One VLAN trunk can transmit data flows from different VLANs
and allow the VLANs to contain the interfaces of many routers. The CX600 can
dynamically add, delete, or modify the VLANs of a VLAN trunk to maintain the
consistency of VLAN configurations in the entire network. The CX600 can also work
with non-Huawei devices for interworking.

VLANIF Interfaces
The CX600 supports VLANIF interfaces. You can assign IP addresses to VLANIF
interfaces and bind VLANIF interfaces to VPNs. This implements the Layer 3 access
of VLANIF interfaces. You can also bind VSIs to VLANIF interfaces to implement the
VPLS access.

VLAN Aggregation
Inter-VLAN routing is involved in the communication between VLANs. If each VLANIF
interface is assigned an IP address, IP address resources will be used up.
You can aggregate a group of VLANs to a super-VLAN. The VLANs in the
super-VLAN are called branch VLANs. A super-VLAN is associated with an interface
at the IP layer. In addition, all branch VLANs in the super-VLAN use IP addresses in
the same network segment to improve the utilization of IP addresses.

Interface Isolation in a VLAN


You can configure an interface in a VLAN as an isolated interface. Layer 2 forwarding
is prohibited between isolated interfaces. Layer 2 forwarding, however, is allowed
between an isolated interface and a non-isolated interface in a VLAN.
On the CX600, you can add the interfaces that need to be isolated in a VLAN to
different interface groups. Any two interfaces of different interface groups are isolated
from each other. The interfaces outside the groups are not isolated.

Ethernet Sub-interfaces
The CX600 supports the configuration of sub-interfaces for a switched Ethernet
interface. You can configure Layer 3 services on the sub-interfaces and Layer 2
services on the main interface. In this manner, the switched Ethernet interfaces can
support both Layer 2 and Layer 3 services.


5.1.2 Routed Ethernet Features


The Ethernet interfaces on the CX600 can run as routed interfaces to provide
IPv4/IPv6, MPLS, QoS, and multicast services.
Routed Ethernet interfaces can be configured with sub-interfaces. The sub-interfaces
support VLAN encapsulation used to terminate a VLAN.

Ethernet Sub-interfaces
A common Ethernet sub-interface, which can belong to only one VLAN, functions as
follows:
• Terminates enterprise services.
• Supports complete routing protocols.
• Supports MPLS forwarding.

Super-VLAN Sub-interfaces
A super-VLAN sub-interface, which can belong to multiple VLANs, functions to
terminate the individual users' services. It supports the following features to ensure
security:
• DHCP relay
• DHCP binding
• URPF
• ACLs

5.1.3 Ethernet Clock Synchronization


Clock synchronization is a technique that keeps the difference in clock
frequency or phase between the network elements (NEs) in digital networks within a
certain range. If the clock frequency deviation and phase deviation exceed the
allowed error range, bit errors and jitter may occur. This degrades the transmission
performance.
The LPUF-10 and LPUF-21 on the CX600 provide Ethernet clock synchronization.
The clock quality and stratum can thus be guaranteed.


Figure 5-1 Ethernet clock synchronization

[Figure labels: Node B, RNC, MSC-SERVER, MGW, HLR, SCP, SGSN, GGSN, PSTN, Internet; links marked IP, SS7/TDM, and SS7/IP; interfaces Iu-CS, Iu-PS, Iur, Mc, Nb, and Gi.]

In a wireless network, Ethernet links have high requirements for clocks. As shown in
Figure 5-1, in the future IP-RAN solution, the IP network runs as the bearer layer
between Node B and the RNC. With Ethernet clock synchronization, clock
transmission in the IP network can be guaranteed.
In addition, Ethernet clock synchronization supports the backup of the clock reference
source to enhance the reliability of links. When an Ethernet link becomes Down, the
system automatically selects the backup Ethernet interface to extract clock
information.

5.1.4 PBB-TE
Provider Backbone Bridging-Traffic Engineering (PBB-TE) is a connection-oriented
Ethernet technology that combines the features of telecom networks. Through
PBB-TE, MANs adopt the Ethernet technology to transmit Ethernet services. PBB-TE
is based on Provider Backbone Bridge (PBB) defined in IEEE 802.1ah, that is, the
MAC-in-MAC technology.
In compliance with IEEE 802.1ah, the CX600 supports the MAC-in-MAC technology.
P2P and MP2MP services can be transmitted over an Ethernet architecture. This
extends the Ethernet technology across the MAN, and even the WAN, from the
access layer through the convergence layer to the core layer.
MAC-in-MAC is a tunneling technique based on MAC stacking. In MAC-in-MAC, the
MAC address of an ISP is encapsulated outside the MAC address of a user Ethernet
frame. Then, the user Ethernet frame is transparently transmitted across the public
network.
Deployed between two MANs, the MAC-in-MAC tunnel functions over the backbone
network of the ISP. For the ISP network, the MAC address of a user is isolated, which
enhances the security of services. In addition, double MAC addresses are applied,
which expands the space of MAC addresses.


The MAC-in-MAC tunnel can be set up between the CX600s. It supports fault
detection, fault location, and Automatic Protection Switching (APS). APS controls the
protection switching of tunnels. The CX600 supports 1+1 and 1:1 protection for the
MAC-in-MAC tunnels. The CX600 also supports the revertive mode, hold-off time, and
APS configuration mismatch test. This guarantees the fast recovery of services.

Figure 5-2 Leased line service PBB-TE

[Figure labels: CE, UPE, PBB-TE, Metro(+Core). Annotations: "Bridge nodes are configured with static forwarding entries"; "In the P2P application, end nodes ignore the user DA".]

Figure 5-3 Convergence service PBB-TE

[Figure labels: CE, NPE, PBB-TE, Metro, Core. Annotations: "Bridge nodes are configured with static forwarding entries"; "In the P2P application, end nodes ignore the user DA".]


Figure 5-4 Leased line service PBB-TE trunk

[Figure labels: CE, UPE, PBB-TE Trunk, Metro(+Core). Annotation: "In the P2P application, end nodes ignore the user DA".]

Figure 5-5 Convergence service PBB-TE trunk

[Figure labels: CE, NPE, PBB-TE Trunk, Metro, Core. Annotation: "In the P2P application, end nodes ignore the user DA".]


Figure 5-6 Multipoint-to-multipoint PBB-TE

[Figure labels: CE, PE, Metro(+Core).]

5.1.5 QinQ
The QinQ protocol is a Layer 2 tunneling protocol based on the IEEE 802.1Q
technology. The QinQ technology expands the VLAN space by adding a new tag to a
packet that is already tagged through IEEE 802.1Q. The private VLAN packets are
thus transparently transmitted across the ISP network. This functions the same as a
Layer 2 VPN. The packets transmitted in the public network carry double 802.1Q tags,
one for the public network and the other for the private network. This is called
802.1Q-in-802.1Q, or QinQ for short.
The ISP network only provides one VLAN ID for different VLANs from the same user
network. This saves VLAN IDs of an ISP. Meanwhile, QinQ provides a Layer 2 VPN
solution that is easy to implement for LANs or small-scale MANs.
The QinQ technology can be applied to multiple services in Metro Ethernet solutions.
QinQ features the following:
- Packets from different users in the same VLAN are not transmitted transparently.
- Private networks are separated from the public network.
- The ISP's VLAN IDs are saved to the maximum.
Although QinQ is not a formal protocol, it is widely applied among carriers because it is
easy to implement. The introduction of selective QinQ (VLAN stacking) makes QinQ
more popular among carriers. With the development of the Metro Ethernet, all device
vendors have put forward their Metro Ethernet solutions. The QinQ technology plays
an important role in the solutions because of its simplicity and flexibility.


The CX600 provides rich QinQ features that satisfy diverse networking
requirements.

Interface-based QinQ
Figure 5-7 shows the networking diagram of applying interface-based QinQ. A user
configures interface-based QinQ on the router. When the user's packets, carrying the
user's VLAN tag, arrive at the router, the router takes the user's packets as untagged
packets and adds a VLAN tag of the ISP outside the existing VLAN tag. The user's
packets then go through the VLAN tunnel of the ISP and reach the remote user. The
VLAN tag of the ISP is stripped from the packets.

Figure 5-7 Typical networking diagram of the interface-based QinQ application

[Figure labels: VLAN100, VLAN200, ISP Network; tag values 100, 200, and 300.]

Interface-based QinQ provides the following functions:
- Access to the VPLS to transparently transmit private VLAN packets
- Access to the L2VPN and PWE3 to transparently transmit private VLAN packets

VLAN-based QinQ
VLAN-based QinQ is also called selective QinQ. Figure 5-8 shows the networking
diagram of applying selective QinQ. With the development of services such as
broadband access, VoIP, and IPTV services, ISPs may want to assign inner VLAN
tags to different services. For example:
- VLANs 1000-1999: broadband access services
- VLANs 2000-2999: VoIP services
- VLANs 3000-3999: IPTV services


Figure 5-8 Typical networking diagram of the VLAN-based QinQ application

[Figure labels: iManager N2000, IP backbone/MAN, Service gateway, LAN Switch, PC, IPTV, Videophone; Broadband access, VOIP access, IPTV access; VLAN100, VLAN200, VLAN300; VLAN1xxx, VLAN2xxx, VLAN3xxx; VLAN1001, VLAN1002, VLAN2001, VLAN2002, VLAN3001, VLAN3002; PVC1001, PVC2001, PVC3001.]

Users access the DSLAM through multiple PVCs. The DSLAM transfers PVC IDs to
VLAN IDs. You can enable selective QinQ on the gateway to apply an outer VLAN tag
with the VLAN ID as 100 to broadband access services, an outer VLAN tag with the
VLAN ID as 200 to VoIP services, and an outer VLAN tag with the VLAN ID as 300 to
IPTV services. This breaks the limit of 4094 VLAN IDs for one ISP network. In addition,
services are distributed, which facilitates the ISP's service management.
Services are distributed in one of the following ways:
- Adds different outer VLAN tags based on VLAN ranges, that is, changes packets
  with a single tag to packets with double tags. In this manner, services from
  different terminals are distributed.
- Adds different outer VLAN tags based on different protocol numbers, that is, adds
  a tag to protocol packets. In this manner, services from different terminals are
  distributed.
- Changes outer VLAN tags based on the range of inner VLAN tags, that is,
  replaces a single tag with another tag. In this manner, services of different use
  types are distributed. This is also called VLAN mapping.
VLAN-based QinQ may serve as one of the VPLS modes to allow packets of private
VLANs to be transmitted transparently through the backbone network. It may also
serve as one of the L2VPN or PWE3 modes to allow packets of private VLANs to be
transmitted transparently through the backbone network. Such a QinQ mode is
implemented on switched interfaces.
The differences between VLAN-based QinQ and interface-based QinQ are as follows:
- In interface-based QinQ mode, user packets from the same user side are added
  with the same outer VLAN tag on the PE.
- In VLAN-based QinQ mode, user packets from the same user side are added
  with different outer VLAN tags according to the user's VLAN tags.
Therefore, VLAN-based QinQ is more flexible than interface-based QinQ.
VLAN-based QinQ is thus called selective QinQ.

VLAN Stacking
The early QinQ technology is used on switches on Layer 2 networks. With VLAN
stacking, packets are forwarded at Layer 2 by means of the outer VLAN tag. The outer
VLAN usually refers to the VLAN to which an ISP network belongs. VLAN stacking is
usually applied on switched interfaces.
The sub-interfaces for VLAN stacking are deployed on PEs. A sub-interface identifies
a user VLAN and then performs VLAN stacking on the user's Layer 2 packets. After that,
packets are forwarded at Layer 2 by means of the outer VLAN tag.
With a sub-interface for VLAN stacking, packets from a batch of user VLANs can be
transparently transmitted. Packets enter an L2VPN based on their outer VLAN tag
after VLAN stacking is implemented. The outer VLAN tag is transparent to the ISP.
User packets from different VLANs can thus be transparently transmitted.
VLAN stacking supports the following:
- Access to the VPLS through the sub-interfaces for VLAN stacking
- Access to the VLL/PWE3 through the sub-interfaces for VLAN stacking

QinQ Termination
Sub-interfaces for QinQ VLAN tag termination refer to the sub-interfaces that
terminate the double VLAN tags of users. The difference between the sub-interfaces
for QinQ VLAN tag termination and the sub-interfaces for VLAN stacking is as follows:
For the sub-interfaces for QinQ VLAN tag termination, a PE removes the double
VLAN tags of user packets when they enter the ISP network.
Double VLAN tags for users have specific meanings. For example, the outer VLAN
tag specifies a service and the inner VLAN tag specifies a user. Sub-interfaces for
QinQ VLAN tag termination access the user and identify the service by terminating
double VLAN tags.
Sub-interfaces for QinQ VLAN tag termination are similar to common VLAN
sub-interfaces. In addition, sub-interfaces for QinQ VLAN tag termination are used to
terminate double VLAN tags and provide the following functions:
- IP forwarding
- L3VPN/PWE3/VLL/VPLS access
- Proxy ARP
- Unicast routing protocols
- VRRP
- DHCP server and DHCP relay
Sub-interfaces for QinQ VLAN tag termination terminate double VLAN tags in the
following ways:
- Exact termination
  Double VLAN tags of specified VLAN IDs are terminated.
- Fuzzy termination
  Double VLAN tags of VLAN IDs in a specified range are terminated.

Compatibility of QinQ EType in the Outer Tag


As defined in 802.1Q, the value of the EType field in the Tag Protocol Identifier (TPID)
is fixed to 0x8100. In QinQ encapsulation, the value of the EType field in the TPID in
the inner tag is 0x8100, irrespective of manufacturers. The value of the EType field in
the TPID in the outer tag, however, varies with the manufacturers. To connect devices
of different manufacturers, the EType field in the TPID in the outer tag
must be set to the same value on both devices. Thus, the devices should be able to
identify and encapsulate such QinQ packets.

In IEEE 802.1ad, the value of the EType field in the TPID is defined as 0x88a8.

Figure 5-9 Compatibility of the EType of QinQ outer TPIDs

[Figure labels: Switch A, Router A, Router C, CX, IP/MPLS Core; outer TPID values 0x9100 and 0x8100.]

As shown in Figure 5-9, the inbound interface on the router needs to identify the
EType value 0x9100 in the outer TPID. The EType value in the outer TPID, such as
0x9100 or 0x8100, can be set to match the devices of each manufacturer, so that
interconnected devices of different manufacturers use the same EType value in the
outer TPID. This ensures communication between devices of different manufacturers.
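
The following Python sketch is an added example, not Huawei code or CX600 configuration. It applies the selective QinQ service plan from the VLAN-based QinQ section (inner VLANs 1000-1999, 2000-2999, and 3000-3999 mapped to outer VLANs 100, 200, and 300) and shows what happens when the two ends disagree on the outer TPID; the function names and the sample frame are constructed for illustration.

```python
import struct

# Service plan from the page: inner (customer) VLAN range -> outer (ISP) VLAN.
SERVICE_MAP = [
    (range(1000, 2000), 100),  # broadband access
    (range(2000, 3000), 200),  # VoIP
    (range(3000, 4000), 300),  # IPTV
]
TPID_8021Q = 0x8100
# Outer TPID values named on the page: 0x8100, 0x9100, and 0x88a8 (IEEE 802.1ad).
KNOWN_OUTER_TPIDS = {0x8100, 0x9100, 0x88A8}


def parse_tags(frame, outer_tpid):
    """Return (VLAN IDs outermost first, payload EtherType, payload bytes)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vlans = 12, []
    (etype,) = struct.unpack_from("!H", frame, offset)
    # Only the first tag may use the configured outer TPID; inner tags are 0x8100.
    expected = {outer_tpid, TPID_8021Q}
    while etype in expected:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (etype,) = struct.unpack_from("!H", frame, offset)
        expected = {TPID_8021Q}
    return vlans, etype, frame[offset + 2:]


def push_outer_tag(frame, outer_tpid):
    """Selective QinQ: pick the outer VLAN from the inner VLAN and insert the tag."""
    if outer_tpid not in KNOWN_OUTER_TPIDS:
        raise ValueError("unexpected outer TPID 0x%04x" % outer_tpid)
    vlans, _, _ = parse_tags(frame, TPID_8021Q)
    if len(vlans) != 1:
        raise ValueError("expected one customer tag, found %d" % len(vlans))
    for inner_range, outer_vlan in SERVICE_MAP:
        if vlans[0] in inner_range:
            tag = struct.pack("!HH", outer_tpid, outer_vlan)
            return frame[:12] + tag + frame[12:]
    raise ValueError("inner VLAN %d has no service mapping" % vlans[0])


def terminate(frame, outer_tpid):
    """QinQ termination: return (outer VLAN, inner VLAN, payload)."""
    vlans, _, payload = parse_tags(frame, outer_tpid)
    if len(vlans) != 2:
        raise ValueError("not double-tagged for outer TPID 0x%04x" % outer_tpid)
    return vlans[0], vlans[1], payload


def sample_frame(inner_vlan):
    """Constructed frame: zeroed MAC addresses, one 802.1Q tag, IPv4 EtherType."""
    return (bytes(12) + struct.pack("!HH", TPID_8021Q, inner_vlan)
            + struct.pack("!H", 0x0800) + b"payload")


def demo():
    tagged = push_outer_tag(sample_frame(2001), 0x9100)
    matched = terminate(tagged, 0x9100)        # peer configured with 0x9100
    mismatched = parse_tags(tagged, 0x8100)    # peer still expects 0x8100
    return matched, mismatched[0], hex(mismatched[1])


if __name__ == "__main__":
    print(demo())
```

With a mismatched outer TPID the receiver sees no VLAN tags at all and treats 0x9100 as an unknown EtherType, so the frame is neither terminated nor mapped to a service.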

Application of Multicast QinQ


Figure 5-10 shows the networking diagram of applying multicast QinQ. The multicast
router PE1 and the access device PE2 are connected through interfaces enabled with
QinQ. Users from different VLANs are connected to PE2.


Figure 5-10 Typical networking diagram of multicast QinQ application

[Figure labels: Internet/Intranet, Multicast source, PE1, PE2, QinQ(VLAN1), VLAN2, VLAN3.]

No matter whether multicast data packets or multicast protocol packets are received,
they are not encapsulated by QinQ. Instead, their packets are transmitted according
to the outer P-VLAN IDs. In IGMP snooping, only the P-VLAN ID mapping to the user
host is maintained. In forwarding, the system searches the member host of the
mapped multicast group according to the P-VLAN ID and replaces the P-VLAN tag
with the C-VLAN tag in the packet for forwarding.

5.1.6 RRPP Link Features


The Rapid Ring Protection Protocol (RRPP) is a link protocol exclusively used by
Ethernet rings. When the Ethernet ring is in the normal state, RRPP can avoid
broadcast storms caused by loops. When a link on the Ethernet ring is disconnected,
RRPP can promptly enable the standby link to restore the connection.


Figure 5-11 Networking of RRPP tangent ring application to the MAN

[Figure labels: RRPP Domain, RRPP Major-Ring, RRPP Sub-Ring 1, RRPP Sub-Ring 2; Master Node, Transit Node, Edge Node, Assistant Node; RouterA, SwitchA, SwitchB, CX-B, CX-C.]

Traditionally, an RRPP domain consists of a group of interconnected switches with the
same domain ID and control VLAN.
An RRPP domain includes the following parts:
- Major ring and sub-ring
- Control VLAN
- Master node and transit node
- Common port and edge port
- Primary port and secondary port

Polling Mechanism
Polling is a mechanism used by the master node on the RRPP ring to detect the
network status.
The master node sends Hello packets periodically from its primary port. The packets
are transmitted by the transit nodes on the ring. If the master node receives the
packets on its secondary interface, the link of the ring is in the
normal state; otherwise, the master node considers that a link fault has occurred on the ring.
When the master node that is in the Failed state receives the Hello packets on its
secondary interface, it changes into the Complete state, blocks its secondary interface,
and refreshes the Forwarding Database (FDB).
The master node also sends packets from its primary interface to inform all transit
nodes to release the temporarily blocked interfaces and refresh the FDB.


Link Status Notification Mechanism


If a link fault occurs on the ring, the directly connected interface of the link becomes
Down. The transit node informs the master node of the fault by sending Link-Down
packets.
When the master node receives the Link-Down packets, it considers that the ring is in
the abnormal state, enables its secondary interface, and sends packets to inform
other transit nodes to refresh the FDB at the same time. After other transit nodes
refresh the FDB, the traffic is switched back to the normal link.
After link fault recovery, the interface of the transit node becomes Up. The transit node
temporarily blocks the interface that becomes Up. Hello packets sent by the master
node can pass through the blocked interface.
When the secondary interface of the master node receives the Hello packets sent by
itself, it considers that the link becomes normal again. The master node blocks the
secondary interface, sends packets to inform other transit nodes to enable the
blocked interface, and refreshes the FDB.
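
The polling and link status notification mechanisms above can be followed step by step in this added Python model, which is not CX600 code. It assumes a single ring with one master node, treats a missed Hello as an immediate failure (a real implementation would wait for a timer), and includes a hypothetical `temp_block` switch to show what the temporary block on a recovered transit port prevents.

```python
class RrppRing:
    """Single RRPP ring: node 0 is the master; link i joins node i and node (i+1) % n."""

    def __init__(self, nodes, temp_block=True):
        if nodes < 3:
            raise ValueError("a ring needs at least three nodes")
        self.n = nodes
        self.temp_block = temp_block       # hypothetical switch, for comparison only
        self.link_up = [True] * nodes
        self.temp_blocked = set()          # links with a temporarily blocked transit port
        self.state = "Complete"            # master states named on the page
        self.secondary_blocked = True      # master secondary port sits on link n-1
        self.fdb_flushes = 0

    def _forwarding(self, link):
        """True if data traffic can cross this link."""
        if not self.link_up[link] or link in self.temp_blocked:
            return False
        return not (link == self.n - 1 and self.secondary_blocked)

    def has_loop(self):
        """A data loop exists only if every link on the ring forwards."""
        return all(self._forwarding(i) for i in range(self.n))

    def is_connected(self):
        """A ring stays connected while at most one link is not forwarding."""
        return sum(not self._forwarding(i) for i in range(self.n)) <= 1

    def _fail(self):
        if self.state != "Failed":
            self.state = "Failed"
            self.secondary_blocked = False  # enable the secondary interface
            self.fdb_flushes += 1           # master and transit nodes refresh the FDB

    def link_down(self, link):
        """Link fault: the adjacent transit node sends Link-Down to the master."""
        self.link_up[link] = False
        self.temp_blocked.discard(link)
        self._fail()

    def link_recover(self, link):
        """Link is Up again: the transit node blocks the port for data traffic."""
        self.link_up[link] = True
        if self.state == "Failed" and self.temp_block:
            self.temp_blocked.add(link)

    def poll(self):
        """One Hello from the primary port; Hello passes temporarily blocked ports."""
        hello_returned = all(self.link_up)
        if hello_returned and self.state == "Failed":
            # Block the secondary interface before transit ports are released.
            self.secondary_blocked = True
            self.state = "Complete"
            self.temp_blocked.clear()
            self.fdb_flushes += 1
        elif not hello_returned:
            self._fail()
        return self.state


def run_scenario(temp_block=True):
    """Fail and recover link 1; record (state, loop, connected) after each step."""
    ring = RrppRing(4, temp_block)
    trace = [(ring.state, ring.has_loop(), ring.is_connected())]
    for step in (lambda: ring.link_down(1), lambda: ring.link_recover(1), ring.poll):
        step()
        trace.append((ring.state, ring.has_loop(), ring.is_connected()))
    return trace


if __name__ == "__main__":
    for label, flag in (("with temporary block", True), ("without", False)):
        print(label, run_scenario(flag))
```

Without the temporary block, the step after link recovery reports a loop: the recovered link forwards while the master secondary interface is still enabled, which is the window in which a broadcast storm can start.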

Channel Status Detection of Sub-Ring Protocol Packets on the Major Ring


Channel status detection of sub-ring protocol packets on the major ring applies to
networking in which multiple sub-rings intersect with the major ring. When a
fault occurs on the major ring and the master nodes on all the sub-rings enable their
secondary interfaces, a broadcast storm is caused. To avoid this, the channel status
detection mechanism of sub-ring protocol packets on the major ring is introduced.
The mechanism requires cooperation between edge nodes and assistant edge
nodes. Before the master nodes on the sub-rings enable the secondary interfaces,
loops between the sub-rings can be avoided by blocking the interfaces of the edge
nodes. The edge nodes initiate the mechanism. The assistant edge nodes monitor the
channel status and inform the edge nodes of channel status changes in time.

5.1.7 RSTP/MSTP
The Rapid Spanning Tree Protocol (RSTP) is an enhancement of the Spanning Tree
Protocol (STP). RSTP simplifies the processing of the state machine, blocks some
redundant paths with specific algorithms, and prunes a network with loops into
a loop-free network. In this way, packets are prevented from multiplying and
looping endlessly. Compared with STP, RSTP speeds up the Layer 2 loop convergence.
In a Layer 2 network, only one Shortest Path Tree (SPT) is generated.
The Multiple Spanning Tree Protocol (MSTP) is the multi-instance RSTP. MSTP
supports the running of STP based on one or more VLANs. In a Layer 2 network,
MSTP can be generated.

5.1.8 BPDU Tunnel


BPDUs are Layer 2 protocol messages and are transparently transmitted through a
Layer 2 protocol tunnel or a BPDU tunnel across an ISP network.
To transmit BPDUs transparently across an ISP network, ensure that the following
requirements are met:
- All branches of the same user network are able to receive their own BPDUs.
- BPDUs of a user network cannot be processed by the CPU of the ISP network.
- BPDUs of different customers must be segregated to prevent them from mutual
  access.
The CX600 supports the following types of transparent transmission of BPDUs:
- Transparent transmission of interface-based BPDUs of the same user network
- Transparent transmission of interface-based BPDUs of different user networks
- Transparent transmission of VLAN-based BPDUs
- Transparent transmission of QinQ-based BPDUs

5.2 IP Features
5.2.1 IPv4/IPv6 Dual-Protocol Stacks
Figure 5-12 shows the structure of the IPv4/IPv6 dual-protocol stacks.

Figure 5-12 Dual-protocol stacks structure

[Figure: protocol stack, top to bottom: IPv4/IPv6 Application; TCP and UDP; IPv4 and IPv6; Link Layer.]

5.2.2 IPv4 Features


The CX600 supports the following IPv4 features:
- TCP/IP protocol suite, including ICMP, IP, TCP, UDP, socket (TCP/UDP/Raw IP),
  and ARP
- Static DNS and DNS server
- FTP server/client and TFTP client
- DHCP relay agent and DHCP server
- Ping, tracert, and NQA
  NQA can probe the status of ICMP, TCP, UDP, DHCP, FTP, HTTP, and SNMP
  services and test the response time of the services. The system supports NQA in
  UDP jitter and ICMP jitter tests by transmitting and receiving packets on LPUs.
  The minimum interval for transmitting packets can be 10 ms. Each LPU
  supports up to 100 concurrent jitter tests. The entire system supports up to 1000
  concurrent jitter tests.
- IP policy-based routing to specify the next hop based on the attribute of packets
  without searching routes in the routing table

5.2.3 IPv6 Features


The CX600 supports the following IPv6 features:
- IPv6 neighbor discovery (ND)
- Path MTU (PMTU) discovery
- TCP6, ping IPv6, tracert IPv6, and socket IPv6
- Static IPv6 DNS and specified IPv6 DNS server
- TFTP IPv6 client
- IPv6 policy-based routing

5.2.4 GRE
Generic Routing Encapsulation (GRE) is used to encapsulate packets of certain
network layer protocols (such as IPX or IP) so that the encapsulated packets can be
transmitted over the network on which another network layer protocol (such as IP) is
applied.
As a Layer 3 tunnel protocol for VPNs, GRE uses the tunneling technology. A tunnel
can be taken as a virtual interface that supports only P2P connections. The tunnel
interface provides a tunnel for datagram forwarding and the packets are encapsulated
and decapsulated at both ends of the tunnel.
GRE is applied in the following situations.

Multi-Protocol Local Network Transmission Through Single-Protocol Backbone Network

Figure 5-13 Multi-protocol local network transmission through the single-protocol backbone network

[Figure labels: Novell IPX group 1, Novell IPX group 2, IP term 1, IP term 2, CX-A, CX-B, Internet, Tunnel.]

In Figure 5-13, Group 1 and Group 2 are the local networks running Novell IPX. Team
1 and Team 2 are the local networks running the IP protocol.
The tunnel between CX-A and CX-B adopts the GRE protocol; therefore, Group 1
communicates with Group 2 without affecting the communication between Team 1
and Team 2.


Enlarging Operation Scope of the Network with Limited Hops

Figure 5-14 Enlarging the network operation scope

[Figure labels: PC, IP network (three clouds), Tunnel.]

In Figure 5-14, the IP protocol is run on the network. Assume that the IP protocol limits
the hop count to 255. If the hop count between two PCs is greater than 255, they
cannot communicate. When the tunnel is used in the network, a few hops are hidden.
This enlarges the scope of the network operation.

Connecting Some Discontinuous Sub-Networks to Establish a VPN


GRE tunnels can be used to connect discontinuous sub-networks to implement the
VPN across the WAN.
For example, two VPN sub-networks, Site 1 and Site 2, are in two cities. By setting up
a GRE tunnel between the devices at the network edge, you can connect the two
sub-networks into a continuous VPN network.
GRE can be applied in both L2VPN and L3VPN in the following two modes:
- As shown in Figure 5-15, the two ends of the GRE tunnel reside on the CE router
  in the CPE-based VPN.

Figure 5-15 GRE in the CPE-based VPN

[Figure labels: VPN site1, CE, PE, VPN backbone, PE, CE, VPN site2; GRE tunnel.]

- As shown in Figure 5-16, the two ends of the GRE tunnel reside on the PE router
  in the network-based VPN.


Figure 5-16 GRE in the network-based VPN

[Figure labels: VPN site1, CE, PE, VPN backbone, PE, CE, VPN site2; GRE tunnel.]

Usually, the MPLS VPN backbone network uses label switched paths (LSPs) as the
public network tunnel. If the core router P in the backbone network, however, provides
only the IP function without the MPLS function while the PE router at the network edge
has the MPLS function, the LSP cannot be used as the public network tunnel. Then,
you can use the GRE tunnel in place of the LSP to provide Layer 3 or Layer 2 VPN
solutions at the core network.

Accessing of CEs to an MPLS VPN Through GRE Tunnels


The VPN services based on the MPLS backbone network are better than the
traditional IP VPN services. Therefore, most ISPs tend to choose the MPLS VPN
technology. The Internet, however, is based on the IP technology and a great number
of backbone networks based on the IP technology still exist.
In the MPLS VPN, to connect a CE to the VPN, a physical link is needed to directly
connect the CE to the PE in the MPLS backbone network, that is, the CE and the PE
must be in the same network. In this networking, you must associate the VPN with the
PE physical interface that is connected to the CE.
In actual networking, not all the CEs and PEs can be directly connected through
physical links. For example, for multiple institutions that are connected to the Internet
or the IP backbone network, their CEs and PEs are geographically dispersed. In this
case, the CEs cannot directly access the PEs in the MPLS backbone network. These
institutions cannot directly access the sites inside the MPLS VPN through the Internet
or the IP backbone network.

Figure 5-17 CEs accessing the MPLS VPN backbone network through the backbone
network based on the IP technology

[Figure labels: VPN Site, CE, IP network, PE, MPLS network, PE, CE, VPN Site.]

To connect a CE to the MPLS VPN, you can create a logically direct connection
between the CE and the PE. That is, you can connect the CE and the PE by using the
public network or private network, and create a GRE tunnel between the CE and the
PE. Then, the CE and the PE can be regarded as being directly connected. When
associating the VPN with the PE interface that is connected to the CE, you can regard
the GRE tunnel as a physical interface.


5.2.5 IPv4/IPv6 Transition Technologies


IPv6 over IPv4 Tunnel
As shown in Figure 5-18, the IPv6 over IPv4 tunnel technology is used for the
transition from the IPv4 network to the IPv6 network.

Figure 5-18 IPv6 tunnel

[Figure labels: IPv6 host, IPv6, Dual Stack Router, IPv4, Tunnel, Dual Stack Router, IPv6, IPv6 host. Packet formats: "IPv6 Header | IPv6 Data" and "IPv4 Header | IPv6 Header | IPv6 Data".]

The CX600 supports the following IPv6 over IPv4 tunnels:
- Manually configured IPv6 tunnel
  In this mode, the IPv6 tunnel is manually configured on the two edge routers at
  both ends of the tunnel. The source and destination IPv4 addresses of the tunnel
  are configured manually. The tunnel is equivalent to a permanent link between
  two IPv6 domains over an IPv4 backbone network. The tunnel is used for regular
  and secure communication between two edge routers on isolated IPv6 sites.
- IPv6 over IPv4 GRE tunnel
  The IPv6 traffic can be carried over IPv4 GRE tunnels. When carrying the IPv6
  traffic, the IPv4 GRE tunnels are called IPv6 over IPv4 GRE tunnels (GRE
  tunnels for short). Like the manually configured IPv6 over IPv4 tunnel, a
  GRE tunnel is a link between two nodes, with a separate tunnel for each link. The
  tunnels carry IPv6 as the passenger protocol and GRE as the carrier protocol.
- Automatically configured IPv4-compatible IPv6 tunnel (automatic tunnel for short)
  An IPv4-compatible IPv6 address is needed when an IPv6 over IPv4 automatic
  tunnel is created. The low order 32 bits of an IPv4-compatible IPv6 address are
  an IPv4 address. It is used to identify the destination address of the automatic
  tunnel.
  To create an automatic tunnel, you need to specify only the source address of the
  tunnel on an edge router or a host. The destination address of the tunnel can be
  automatically identified based on the next hop address (an IPv4-compatible IPv6
  address) of IPv6 packets.
- 6 to 4 tunnel
  A 6 to 4 tunnel connects isolated IPv6 islands to the IPv6 Internet over an IPv4
  network.
  The difference between the 6 to 4 tunnel and the manually configured tunnel is
  that the former can be a point-to-multipoint (P2MP) connection, whereas the
  latter is a P2P connection. Therefore, routers of the 6 to 4 tunnel are not
  configured in pairs. Similar to the automatic tunnel, the 6 to 4 tunnel can
  automatically find the other end of the tunnel. It need not be configured with an
  IPv4-compatible IPv6 address. The 6 to 4 tunnel uses a type of special IPv6
  address, that is, 6 to 4 address.
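
The automatic and 6 to 4 tunnels both derive the IPv4 tunnel destination from the IPv6 next hop. The Python sketch below is an added example, not CX600 code: it extracts the embedded IPv4 address (low-order 32 bits for an IPv4-compatible address, the 32 bits after the 2002::/16 prefix for a 6 to 4 address) and builds the outer IPv4 header with protocol number 41. The list of rejected embedded addresses is a filtering policy assumed for this example (RFC 3964 discusses such checks for 6to4), and all addresses used are documentation addresses.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # 6 to 4 address: 2002:V4ADDR::/48
V4_COMPATIBLE = ipaddress.ip_network("::/96")      # IPv4-compatible address: ::a.b.c.d
# Assumption of this example: an embedded address in one of these ranges is
# never accepted as a tunnel endpoint.
REJECTED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def embedded_ipv4(next_hop):
    """Return (tunnel type, IPv4 tunnel destination) for an IPv6 next hop."""
    addr = ipaddress.IPv6Address(next_hop)
    if addr in SIX_TO_FOUR:
        # Bits 16..47 of the address hold the IPv4 address.
        kind, v4 = "6 to 4", ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
    elif addr in V4_COMPATIBLE:
        # The low-order 32 bits hold the IPv4 address.
        kind, v4 = "automatic", ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    else:
        raise ValueError("%s carries no embedded IPv4 address" % addr)
    if any(v4 in net for net in REJECTED_V4):
        raise ValueError("embedded address %s is not a valid tunnel endpoint" % v4)
    return kind, v4


def ipv4_checksum(header):
    """Ones' complement sum over 16-bit words, as used in the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(ipv6_packet, tunnel_source, next_hop):
    """Prepend an IPv4 header (protocol 41) addressed to the derived endpoint."""
    kind, dst = embedded_ipv4(next_hop)
    src = ipaddress.IPv4Address(tunnel_source)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(ipv6_packet),  # version/IHL, TOS, length
                         0, 0,                            # identification, fragment
                         64, 41, 0,                       # TTL, protocol 41, checksum
                         src.packed, dst.packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return kind, header + ipv6_packet


if __name__ == "__main__":
    constructed_ipv6_packet = bytes(40)  # constructed: an all-zero 40-byte IPv6 header
    for hop in ("2002:c000:0204::1", "::192.0.2.9"):
        kind, packet = encapsulate(constructed_ipv6_packet, "198.51.100.1", hop)
        print(kind, ipaddress.IPv4Address(packet[16:20]), len(packet))
```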

IPv4 over IPv6 Tunnel


In the later phase of the transition from the IPv4 network to the IPv6 network, a great
number of IPv6 networks are constructed. Isolated IPv4 sites may then emerge. It
is not economical to connect the isolated sites through dedicated lines. With the
tunneling technology, tunnels can be created in the IPv6 network so that the isolated
IPv4 sites can be interconnected. This is similar to the VPN deployment in the IP
network with tunneling. The tunnels that are used to connect the isolated IPv4 sites
across the IPv6 network are called IPv4 over IPv6 tunnels.
To set up IPv4 over IPv6 tunnels, IPv4/IPv6 dual stack needs to be enabled on the
router at the edge of the IPv6 network and the IPv4 network.

Figure 5-19 Networking diagram of the IPv4 over IPv6 tunnel

[Figure labels: IPv4 Host, IPv4 network, Dual Stack Router, IPv6 network, IPv4 over IPv6 Tunnel, Dual Stack Router, IPv4 network, IPv4 Host. Packet formats: "IPv4 Header | IPv4 Payload" and "IPv6 Header | IPv4 Header | IPv4 Payload".]

6PE
The IPv6 Provider Edge (6PE) router allows communication between the IPv6
isolated CE routers over the IPv4 network. See Figure 5-20. With 6PE routers, ISPs
can provide access services to the IPv6 network of isolated customers over the
existing IPv4 backbone network.


Figure 5-20 6PE topology

[Figure labels: Customer site, IPv6 Cloud, CE, P, IPv4/MPLS Cloud, IBGP, CE, IPv6 Cloud, Customer site.]

The 6PE router labels IPv6 routing information and floods it onto the ISP's IPv4
backbone network through Internal Border Gateway Protocol (IBGP) sessions. The
IPv6 packets are labeled before flowing into tunnels such as the GRE tunnel and
MPLS LSP on the backbone network.
The IGP protocol used on the ISP network can be OSPF or IS-IS, and the protocol
used between CE routers and 6PE routers can be a static routing protocol, IGP, or
EBGP.
When ISPs want to extend their IPv4/MPLS networks with IPv6 traffic exchange
capability, they can just update the PE router. Therefore, using the 6PE feature as an
IPv6 transition mechanism is a cost-effective solution for ISPs.

5.3 Routing Protocols


The CX600 supports various unicast and multicast routing protocols to satisfy
different networking requirements.

5.3.1 Unicast Routing


The CX600 supports the following unicast routing features:
- IPv4 routing protocols: RIP, OSPF, IS-IS, and BGPv4
- IPv6 routing protocols: RIPng, OSPFv3, IS-ISv6, and BGP4+
- Static routes to simplify network configuration and improve network performance
- Large-capacity routing table to support MAN operation effectively
- Determining the optimal route through the routing policy

5.3.2 Multicast Routing


To save network bandwidth and reduce network load, the CX600 supports multicast.

Basic Multicast Functions


The CX600 provides the following multicast functions:

- Multicast protocols: Internet Group Management Protocol (IGMP), Protocol
  Independent Multicast-Dense Mode (PIM-DM) and Protocol Independent
  Multicast-Sparse Mode (PIM-SM), Multicast Source Discovery Protocol (MSDP),
  and Multi-protocol Border Gateway Protocol (MBGP).
- RPF check: When a router creates and maintains multicast routing entries, it
  performs Reverse Path Forwarding (RPF) check to ensure that the multicast data
  is transferred along the correct path.
- PIM-SSM: If the multicast source is specified, a host can join the multicast source
  directly, without registering with the Rendezvous Point (RP).
- Anycast RP: Multiple RPs can exist in a domain and they are configured as
  MSDP peers. A multicast source can choose the nearest RP for registration, and
  the receiver can also choose the nearest RP to join its shared tree. In this manner,
  load balancing is carried out among the RPs. When a certain RP fails, its
  previously registered sources and receivers choose another nearest RP instead.
  This implements the backup of RPs.
- IPv6 multicast routing protocols: PIM-IPv6-DM, PIM-IPv6-SM, and
  PIM-IPv6-SSM.
- MLD: MLD is used to set up and maintain the member relationship of groups
  between hosts and their directly connected multicast routers. The functions and
  principles of MLD are the same as those of the IGMP. MLD has the following
  versions:
  - MLDv1
    MLDv1 is defined in RFC 2710 and derived from IGMPv2. MLDv1 supports
    the Any-Source Multicast (ASM) model. With the help of SSM mapping,
    MLDv1 can support the Source-Specific Multicast (SSM) model.
  - MLDv2
    MLDv2 is defined in RFC 3810 and derived from IGMPv3. MLDv2 supports
    the ASM and SSM models.
- Multicast static routes.
- Configuration of multicast protocols on physical interfaces such as Ethernet and
  POS interfaces, and IP-Trunk and Eth-Trunk interfaces.
- When receiving, importing, and advertising multicast routes or forwarding IP
  packets, the multicast routing module can filter routes or packets based on
  routing policies.
- Multicast VPN: The CX600 adopts the Multicast Domains (MD) scheme to
  implement centralized processing.
- Addition and deletion of dummy entries.

IGMP Snooping
The CX600 supports IGMP snooping for Layer 2, Layer 3, and QinQ interfaces, VPLS
PW, STP, and RRPP.
IGMP snooping listens to the IGMP messages between routers and hosts and sets up
the Layer 2 forwarding table for multicast data packets. In this manner, IGMP
snooping controls and manages the forwarding of multicast data packets to carry out
Layer 2 multicast.
IGMP snooping aims to control the flooding of multicast flows, forward packets as
required, and save network resources. If an interface has not sent IGMP Report
messages to join a multicast group, the device does not send the multicast flow
to that interface.

Flow Control of Multicast Traffic


Unknown multicast packets refer to those packets for which no forwarding entries are
found in the multicast forwarding table. The CX600 supports the following measures
to process the unknown multicast packets:
- Discards the packets directly after receiving them.
- Broadcasts the packets in the VLAN to which the receiving interface belongs.
To control multicast traffic, the CX600 also supports limiting the maximum
percentage of multicast traffic on Ethernet interfaces.

Multicast VLAN
Multicast VLAN refers to the VLAN that converges multicast flows. When users need
certain multicast flows, they send a request to the multicast VLAN. Then, the multicast
VLAN replicates the multicast packets to different user VLANs. This implements the
function of multicast across VLANs.
The CX600 forwards multicast packets through the multicast VLAN and replicates the
packets based on the multicast routing entries. Then, the CX600 sends these packets
to the VLANs of different users. Using the multicast VLAN, the CX600 can converge
the multicast flows of different user VLANs to one or several specified VLANs.
Multicast across VLANs enables the CX600 to send unicast and multicast packets
across different VLANs. This facilitates the management and control of multicast flows.
This can also save bandwidth resources and improve the network security.

1+1 Protection of Multicast Traffic


1+1 protection of multicast traffic is implemented through multicast across
VLANs.
The Internet Content Provider (ICP) replicates and sends the multicast packets to two
multicast VLANs. The multicast packets and the Continuity Check Messages (CCMs)
that detect the link status in those two multicast VLANs are then forwarded to the
CX600 on the user side. The CX600 on the user side determines the link status based
on the CCMs received and specifies a multicast VLAN in the good link state to receive
multicast packets.
At present, the CX600 supports only 1+1 protection of multicast traffic in VLANs.

Multicast VPN
With wide applications of Virtual Private Network (VPN), the requirements of users for
operating multicast services over VPNs are increasingly stringent. The CX600 adopts
the MD solution to implement multicast transmission over VPNs.
For details, see Section 5.5 "VPN Features".

Multicast CAC
The CX600 supports multicast Call Admission Control (CAC). When multicast CAC
rules are configured, the number of multicast groups and bandwidth are restricted for
IGMP snooping on interfaces or the entire system.
Multicast CAC is part of the IPTV multicast solutions. With the development of
IPTV, the number of program channels is growing rapidly. The bandwidth of the
access and convergence network no longer satisfies the bandwidth requirements of
users, and the previous static management is thus outdated. Therefore, the number
of users allowed to access each link must be set on the convergence network.
Multicast CAC restrains the generation of multicast forwarding entries. When the set
threshold is reached, no more forwarding entries are generated. This ensures the
processing capacity of the device and controls link bandwidth.
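
The following Python model is an added example, not CX600 code: it shows how the IGMP snooping table, the two unknown-multicast policies (discard or broadcast in the VLAN), and multicast CAC limits on group counts described above interact. The class name, the limit values, and the group addresses are assumptions made for illustration, and CAC on bandwidth is not modeled.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingVlan:
    """Toy model of IGMP snooping state for one VLAN (hypothetical, illustrative)."""
    ports: frozenset                  # all ports that belong to the VLAN
    max_groups_system: int            # CAC: forwarding entries allowed in total
    max_groups_per_port: int          # CAC: groups a single port may join
    unknown_policy: str = "discard"   # "discard" or "flood" (broadcast in the VLAN)
    table: dict = field(default_factory=dict)   # group -> set of member ports

    def groups_on_port(self, port):
        """Number of groups the port is currently a member of."""
        return sum(1 for members in self.table.values() if port in members)

    def on_report(self, port, group):
        """Process an IGMP Report (join). Return True if the join is admitted."""
        members = self.table.get(group)
        if members is not None and port in members:
            return True                       # refresh of an existing membership
        if self.groups_on_port(port) >= self.max_groups_per_port:
            return False                      # per-interface CAC limit reached
        if members is None:
            if len(self.table) >= self.max_groups_system:
                return False                  # system CAC limit: no new entry
            members = self.table[group] = set()
        members.add(port)
        return True

    def on_leave(self, port, group):
        """Process an IGMP Leave; the entry is removed with its last member."""
        members = self.table.get(group)
        if members is None:
            return
        members.discard(port)
        if not members:
            del self.table[group]

    def egress_ports(self, in_port, group):
        """Ports that receive a multicast data packet arriving on in_port."""
        members = self.table.get(group)
        if members is None:                   # unknown multicast packet
            if self.unknown_policy == "flood":
                return set(self.ports) - {in_port}
            return set()
        return set(members) - {in_port}


def demo():
    """Constructed scenario: source on port 1, receivers on ports 2 to 4."""
    vlan = SnoopingVlan(frozenset({1, 2, 3, 4}),
                        max_groups_system=3, max_groups_per_port=2)
    joins = [(2, "239.1.1.1"), (3, "239.1.1.1"), (4, "239.1.1.2"),
             (2, "239.1.1.2"), (2, "239.1.1.3"), (3, "239.1.1.3"),
             (4, "239.1.1.4")]
    admitted = [vlan.on_report(port, group) for port, group in joins]
    return vlan, admitted


if __name__ == "__main__":
    vlan, admitted = demo()
    print("admitted joins:", admitted)
    print("239.1.1.1 ->", sorted(vlan.egress_ports(1, "239.1.1.1")))
    print("239.1.1.4 ->", sorted(vlan.egress_ports(1, "239.1.1.4")))
```

Port 4 never joined 239.1.1.1, so it receives none of that flow, and the rejected join for 239.1.1.4 leaves that group unknown, so its traffic follows the unknown-multicast policy.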

5.4 MPLS Features


5.4.1 Basic Functions
The CX600 supports MPLS and static and dynamic LSPs. Static LSPs require that the
administrator configure the Label Switch Routers (LSRs) along the LSPs and set up
LSPs manually. Dynamic LSPs are set up dynamically in accordance with the routing
information through Label Distribution Protocol (LDP) and Resource Reservation
Protocol (RSVP-TE).
The CX600 supports the following MPLS functions:
- Basic MPLS functions, service forwarding, and LDP
  LDP distributes labels, sets up LSPs, and transfers parameters used for setting
  up LSPs.
- LDP
  - DU and DoD label distribution modes
  - Independent label distribution control and sequential label control modes
  - Liberal retention and conservative retention modes
  - Maximum number of hops and path vector
- MPLS ping and tracert
  MPLS Echo Request packets and MPLS Echo Reply packets are transmitted to
  detect the availability of an LSP.
- Traffic statistics for LSPs
- LSP loop detection mechanism
- MPLS QoS, mapping of the ToS field in IP packets to the EXP field in MPLS
  packets, and MPLS uniform, pipe, and short pipe modes
- Static configuration of LSPs and label forwarding based on traffic classification
- MPLS trap
The CX600 can serve as a Label Edge Router (LER) or an LSR.
- An LER is an edge device on the MPLS network that connects to other networks. It
  classifies services, distributes labels, and encapsulates or removes multi-layer
  labels.
- An LSR is a core router on the MPLS network. It switches and distributes labels.

5.4.2 MPLS TE
Network congestion lowers the performance of the backbone network. The congestion
may be caused by insufficient resources or unbalanced load of network resources.
Traffic Engineering (TE) is introduced to address the congestion caused by
unbalanced load of network resources.
The MPLS TE technology integrates the MPLS technology with traffic engineering. It
can reserve resources by setting up the LSP tunnels to a specified path in an attempt
to avoid network congestion and balance network traffic.
In the case of resource scarcity, MPLS TE can preempt bandwidth resources of the
LSPs with low priorities. This meets the demands of the LSPs with large bandwidth or
for important services. In addition, when an LSP fails or a node is congested, the
MPLS TE can protect the network communication through the backup path and the
fast reroute (FRR) function.
MPLS TE provides the following functions:
- Processing of static LSPs
  MPLS TE creates and deletes static LSPs, which require bandwidth but are
  manually configured.
- Processing of Constrained Route-Label Switched Path (CR-LSP)
  MPLS TE processes various types of CR-LSPs.
The processing of static LSPs is easier. CR-LSPs are classified into the types
described in the following sections.

RSVP-TE
RSVP is designed for the Integrated Service (IntServ) model and used on each node
of a path for resource reservation.
To put it simply, RSVP has the following characteristics:
- Unidirectional.
- Receiver-oriented: The receiver initiates a request for resource reservation and
  maintains the resource reservation information.
- It uses a soft state mechanism to maintain the resource reservation information.
RSVP, after being extended, can support MPLS label distribution. It carries resource
reservation information when transmitting label-binding messages. The extended
RSVP is called RSVP-TE and is used as a signaling protocol to establish LSPs in
MPLS TE.

Auto Route
In auto routes, LSPs participate in IGP route calculation as logical links. The tunnel
interface is taken as the outbound interface of packets. In this manner, LSPs are
considered as P2P links. The following describes two types of auto routes:
- IGP shortcut: The LSP is not advertised to the neighboring router. So, other
  routers cannot use this LSP.
- Forwarding adjacency: The LSP is advertised to the neighboring router. So, other
  routers can use this LSP.

Fast Reroute
FRR is a technology in MPLS TE to implement the partial protection of the network.
The switching speed of FRR can reach 50 milliseconds. This minimizes data loss
when the network fails.
FRR is only a temporary protection method. When the protected LSP becomes
normal or a new LSP is established, the traffic is switched back to the original LSP or
the newly established LSP.
After an LSP is configured with FRR, when a link or a node on the LSP fails, traffic
is switched to the protection link and the ingress node of the LSP attempts to
establish a new LSP.

Auto FRR
The FRR technology requires that when configuring a protected tunnel, you must
configure a bypass tunnel to bind to it. When a link or a node is Down, the data flow
can be automatically switched to the bypass tunnel.
In the FRR protection, the bypass LSP must be configured manually. If it is not
configured, the protected LSP cannot be protected. The Auto FRR can solve the
preceding problem.
Auto FRR is an extension of MPLS TE FRR. Bypass LSPs can be automatically set
up along the LSP after you configure the attributes of bypass LSPs, global Auto FRR
attributes, and Auto FRR attributes of the interface. In addition, when the primary LSP
changes, the original bypass LSPs can be automatically deleted and new bypass
LSPs are set up.

CR-LSP Backup
The LSP that is used to protect the primary LSP in the same tunnel is called the
backup LSP. When the ingress detects that the primary LSP is unavailable, it switches
traffic to the backup path. After the primary LSP recovers, traffic is switched back to
the primary LSP. In this manner, the traffic on the primary LSP is protected.
The CX600 supports the following methods of backup:
- Hot backup: The backup CR-LSP is established immediately after the primary
  CR-LSP is established. When the primary CR-LSP fails, MPLS TE switches traffic
  immediately to the backup CR-LSP.
- Ordinary backup: The backup CR-LSP is established when the primary CR-LSP
  fails.

LDP over TE
In existing networks, not all devices support MPLS TE. Only the devices in the core of
the network support TE and the devices at the network edge use LDP. The application
of LDP over TE is then put forward. The TE tunnel is considered as a hop of the entire
LDP LSP.
LDP is widely used in MPLS VPNs. To prevent the congestion of VPN traffic on certain
nodes, you can configure LDP over TE.

Figure 5-21 Typical application of LDP over TE

[Figure: topology with nodes CX1, R2, R3, R4, R5, and CX6; link cost labels 10, 10, 20, and 10]

Figure 5-21 shows the MPLS VPN networking. Here, LDP is used as the signaling
protocol.
CX 1 and CX 6, as the PE routers, discover that the link between Router 2 and
Router 3 is rather congested after a large amount of user access. This also happens
because the traffic between Router 1 and Router 6 must pass through this link. The
link between Router 2 and Router 4 is free. The LSP, however, cannot use the link
between Router 2 and Router 4 because of the IGP cost value.
Establish a TE tunnel between R2 and R5 that passes through Router 4, and adjust the
metric value of the IGP shortcut. The two routes of R2 then implement load balancing:
- The physical interface between R2 and R3
- The TE tunnel interface from R2 to R5
LDP establishes the LSP for load balancing to let traffic go along the idle link.
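
The route calculation behind this scenario can be reproduced with a shortest-path computation that keeps every equal-cost outbound interface. This Python sketch is an added example, not CX600 code: the assignment of the cost labels to links (R2-R3 10, R3-R5 10, R2-R4 20, R4-R5 10), the costs of 10 on the CX1-R2 and R5-CX6 links, and the interface names are assumptions made for illustration.

```python
import heapq


def spf(edges, source):
    """Dijkstra that keeps every equal-cost first hop (outbound interface).

    edges: iterable of (src, dst, cost, outbound_interface_name), directed.
    Returns (dist, first_hops) where first_hops[node] is the set of outbound
    interfaces on `source` that lie on a shortest path to `node`.
    """
    adj = {}
    for src, dst, cost, ifname in edges:
        adj.setdefault(src, []).append((dst, cost, ifname))
    dist = {source: 0}
    first_hops = {source: set()}
    heap = [(0, source)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue                       # stale heap entry
        done.add(node)
        for dst, cost, ifname in adj.get(node, []):
            nd = d + cost
            hops = {ifname} if node == source else first_hops[node]
            if nd < dist.get(dst, float("inf")):
                dist[dst] = nd
                first_hops[dst] = set(hops)
                heapq.heappush(heap, (nd, dst))
            elif nd == dist[dst]:
                first_hops[dst] |= hops    # equal cost: load balancing
    return dist, first_hops


TUNNEL_IF = "Tunnel R2->R5 (explicit path via R4)"   # hypothetical name


def build_edges(tunnel_metric=None):
    """Constructed topology; link costs are assumed, see the lead-in."""
    physical = [("CX1", "R2", 10), ("R2", "R3", 10), ("R3", "R5", 10),
                ("R2", "R4", 20), ("R4", "R5", 10), ("R5", "CX6", 10)]
    edges = []
    for a, b, cost in physical:
        edges.append((a, b, cost, f"{a}->{b}"))
        edges.append((b, a, cost, f"{b}->{a}"))
    if tunnel_metric is not None:
        # IGP shortcut: a unidirectional logical link that only R2 uses,
        # so the calculation below is always run from R2.
        edges.append(("R2", "R5", tunnel_metric, TUNNEL_IF))
    return edges


def r2_routes(tunnel_metric=None):
    """Outbound interfaces R2 installs toward R5 and CX6."""
    dist, hops = spf(build_edges(tunnel_metric), "R2")
    return {node: (dist[node], hops[node]) for node in ("R5", "CX6")}


if __name__ == "__main__":
    print("no tunnel:       ", r2_routes())
    print("tunnel metric 30:", r2_routes(30))
    print("tunnel metric 20:", r2_routes(20))
```

With the tunnel metric left at the physical path cost through R4 (30 under the assumed costs), R2 still prefers the congested link; only when the metric is adjusted to match the cost through R3 does the tunnel interface become an equal-cost route.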

5.4.3 MPLS OAM


MPLS supports multiple Layer 2 and Layer 3 protocols such as IP, FR, ATM, and
Ethernet. It supports an OAM mechanism that is independent of the upper and lower
layers. MPLS OAM provides the following functions:
- Detecting the LSP connectivity
- Measuring the network utilization and performance
- Performing the protection switching in the case of a link failure
- Providing services based on the Service Level Agreement (SLA) signed with the
  customers
With MPLS OAM, you can detect, identify, and locate failures in an MPLS network.
The failure is reported and removed in time. In addition, MPLS OAM provides a
mechanism for triggering protection switching.
MPLS OAM provides the following functions:
- MPLS OAM detection
  MPLS OAM sends CV/FFD and BDI packets along the LSPs to be detected and
  the reverse channels between the LSP ingress and egress to detect the
  connectivity.

  Figure 5-22 MPLS OAM
  [Figure: ingress LSR and egress LSR exchanging CV/FFD and BDI packets]

- OAM auto protocol function
- Protection switch
  1:1, 1+1, sharing protection, and packet-level protection are supported.

5.5 VPN Features


5.5.1 Tunnel Policy
A tunnel policy is used to select a tunnel based on the destination IP address. An
application selects tunnels according to the tunnel policy. If no tunnel policy is
configured, the tunnel management module selects tunnels according to the default
policy.
The CX600 supports the following types of tunnel policies:
- With the tunnel policy in select-sequence mode, you can specify the sequence in
  which the tunnel types are used and the number of tunnels carrying out load
  balancing. For a tunnel policy in select-sequence mode, tunnels are selected in
  sequence. If a tunnel listed earlier is Up, it is selected regardless of whether other
  services have selected it. The tunnels listed later are not selected except in cases
  of load balancing or when the preceding tunnels are Down.
- VPN tunnel binding refers to the binding of the peer PE on a VPN to an MPLS TE
  tunnel on the PE of the VPN backbone network. The VPN data to the peer PE is
  always transmitted through the bound TE tunnel. It carries only specified VPN
  services rather than other VPN services. This guarantees the QoS of the
  specified VPN services.

5.5.2 VPN Tunnel


The CX600 supports the following types of VPN tunnels:
- LSP
  When a label is distributed to an FEC on the LSP ingress, traffic is transparently
  forwarded along the transit nodes of the LSP according to the label. In this
  manner, an LSP can be considered as an LSP tunnel.
- GRE tunnel
  If the PE router at the edge of the ISP network supports MPLS, whereas the P
  router supports only IP, an LSP cannot be used as the public tunnel. In this case,
  a GRE tunnel can be used on the VPN backbone network.
- TE tunnel
  When reroute is configured or traffic is forwarded through multiple paths, multiple
  LSPs may be needed. In TE, this set of LSPs is called a TE tunnel. The TE tunnel
  is identified by the tunnel ID and LSP ID. The tunnel ID is used to uniquely define
  a TE tunnel.

5.5.3 MPLS L2VPN


The CX600 provides Layer 2 VPN (L2VPN) services on an MPLS network. This
allows the ISP to provide L2VPNs over different media.

VLL
Figure 5-23 shows the networking of a VLL supported by the CX600.

Figure 5-23 MPLS L2VPN

[Figure: sites of VPN1, VPN2, and VPN3 attached to PEs and PE-ASBRs around an MPLS
network, with the following callouts]
- Support dynamic Martini/Kompella L2VPN
- Support static CCC/SVC L2VPN
- Support access to the MPLS L2VPN through PPP, HDLC, ATM, Eth/VLAN, and Q-in-Q
- Support internetworking
- Support inter-AS solutions: VRF-to-VRF, MP-Multihop EBGP, PE-ASBR
- Support MPLS VPN over GRE and MPLS VPN over TE tunnel
- Provide the VPN manager to manage VPNs among devices of different vendors

- VLL in Martini mode
  The Martini mode uses double labels. The inner label uses the extended LDP as
  the signaling protocol to transmit information. The Martini mode conforms to
  draft-martini-l2circuit-trans-mpls.
  In the Martini draft, LDP is extended by adding an FEC type (VC FEC) for
  exchanging VC labels. In addition, if the two PEs that exchange VC labels are not
  directly connected, a remote LDP session must be created on which the VC FEC
  and the VC label are transmitted. The PE assigns a VC label to each connection
  between CEs. The VLL information that carries the VC is forwarded to the peer
  PE of the remote session through the LSP set up through LDP. In this manner, a
  VC LSP is set up on the ordinary LSP.
- VLL in Kompella mode
  The VLL in Kompella mode is similar to the Layer 3 BGP/MPLS VPN defined in
  RFC 2547. They adopt BGP as the switching signaling. Similar to the MPLS
  L3VPN, the VLL adopts BGP as the signaling protocol to transmit Layer 2
  information and VC labels. It implements VLL in end-to-end (CE-to-CE) mode in
  the MPLS network. In the VLL, PEs automatically discover the VLL nodes by
  creating BGP sessions. Similar to the BGP/MPLS VPN, the VLL in Kompella
  mode also uses VPN targets to control the sending and receiving of the VPN
  route, which makes the networking flexible.
  The VLL in Kompella mode can support inter-AS VPN solutions.
- VLL in CCC mode
  Circuit Cross Connect (CCC) is a technique to implement VLL through static
  configurations.
  Unlike the common VLL, a CCC VLL adopts one label to transmit user
  data. Thus, CCC can use LSPs exclusively. The CCC LSP can be used to
  transmit the data of only this CCC rather than other VLL links. The LSP also
  cannot be used in the BGP/MPLS VPN or to bear common IP packets.
  For CCC connections, static LSPs need not be configured for PE routers. If two
  PE routers are not directly connected, however, a static LSP must be configured
  on the transit routers.
- VLL in SVC mode
  An SVC VLL is similar to a Martini VLL, but it does not use LDP as the signaling
  protocol for transmitting Layer 2 VC labels and link information. VC labels are
  configured manually.
- VLL IP-interworking
  If two CEs access the same VLL through different types of links, the VLL
  IP-interworking feature is required.
  draft-kompella-ppvpn-l2vpn-03 recommends that when a VLL is set up, the VLL
  interface is encapsulated with ip-interworking on the PE to transparently transmit
  Layer 3 data, that is, IP packets, in the MPLS network.
  When the VLL interworking feature is adopted:
  - VLL interfaces of PEs at both ends must be encapsulated with IP-interworking.
  - The PEs begin to establish a VLL connection after VC interfaces become Up.
  - The PEs allow VLL forwarding when a VLL connection is established. In this
    case, the system considers the physical link for transparent transmission
    available, irrespective of whether the status of the link layer protocol is Up or
    Down.
  - After both the AC and VLL tunnel become Up, the CEs on both ends can
    transmit and receive IP packets.
  After a VLL connection is established, the IP packets are processed as follows:
  - After receiving an IP packet from the CE, the PE decapsulates the link layer
    encapsulation and transmits the IP packet across the MPLS network.
  - The IP packet is transparently transmitted to the peer PE across the MPLS
    network.
  - The peer PE re-encapsulates the IP packet according to its link layer protocol
    and transmits the packet to its directly connected CE.
  - The link control packet sent by the CE is processed by the PE without entering
    the MPLS network.
  - All non-IP packets such as MPLS and IPX packets are discarded.
- Inter-AS VLL
  The implementation of an inter-AS VLL depends on the actual environment. In
  CCC mode, the label is of a single layer. Therefore, the inter-AS VLL can be
  implemented after a static LSP is set up between ASBRs. The following
  describes the implementation of an inter-AS VLL in comparison with the three
  methods of implementing an L3VPN.
  - The SVC, Martini, and Kompella modes can implement the inter-AS VLL
    Option A (VRF-to-VRF). In an inter-AS VLL network, the link type between the
    ASBRs must be the same as the VC type. In inter-AS Option A, each ASBR
    must reserve a sub-interface for each inter-AS VC. If the number of inter-AS
    VCs is small, Option A can be used. Compared with the L3VPN, the inter-AS
    Option A of the VLL consumes more resources and requires more
    configuration workload, so it is not recommended.
  - Option B requires the exchange of both the inner label and the outer label on
    the ASBR. Therefore, Option B is not suitable for the VLL.
  - Option C is a better solution. The devices on the ISP network only need to set up
    the outer tunnel on PEs in different ASs. The ASBR does not need to maintain
    information about the inter-AS VLL or provide interfaces for the inter-AS VLL. The
    VLL information is exchanged only between PEs. Thus, the resource
    consumption and the configuration workload decrease.

VPLS
Figure 5-24 shows the networking of VPLS. Several virtual switches (VSs) can be
created on a PE router. VSs on different PE routers form an L2VPN. LANs at the user
end can access the L2VPN through VSs. In this manner, users can expand their own
LAN over the WAN. VPLS can be taken as the VS across public networks. Like
L3VPN, it establishes LSPs on public networks for traffic transmission.

Figure 5-24 VPLS network structure

[Figure: three PEs, each with VSI 1 and VSI 2, connecting CEs in VLAN1 and VLAN2]

VPLS requires that users access the network through Ethernet links. It forwards
packets according to the VLAN ID. For communication with remote users, a Virtual
Channel (VC) that can traverse the public network is established between PE routers,
and the VC is associated with the VLAN ID. Users communicate with each other over
the Layer 2 tunnel through the VC. The VLAN ID is used to identify the users' VPN.
When establishing a VC, the PE router allocates double labels to the VC. The outer
label is the MPLS LSP label of the public network and is allocated by LDP or
RSVP-TE. The inner label is the VC label and is allocated after the negotiation
between the remote LDP sessions on loopback interfaces.
The CX600 supports the following networking models:
- QinQ VPLS
  QinQ is a tunnel protocol based on IEEE 802.1Q. In QinQ, the VLAN tag of
  private networks is encapsulated in the VLAN tag of public networks. The packets
  carry double tags when being transmitted across the ISP's backbone network.
  This saves VC resources and provides users with an L2VPN tunnel that is easy to
  implement.
- HVPLS
  VPLS requires that PE routers forward Ethernet frames through the full-mesh
  Ethernet emulation circuit or Pseudo-Wire (PW). Therefore, all PE routers in the
  same VPLS must be connected to each other. If there are N PEs in a VPLS
  network, the VPLS has N x (N - 1)/2 connections. When the number of PEs
  increases, the number of VPLS connections increases on the order of N².
  Hierarchical Virtual Private LAN Service (HVPLS) is thus introduced to address
  the full-mesh VPLS.
  Figure 5-25 shows the HVPLS model.

  Figure 5-25 HVPLS model
  [Figure: CE, AC, UPE, PW, and SPE elements; the SPEs form the basic VPLS full mesh]

  - UPE
    The device directly connected with CE routers is called Underlayer PE (UPE).
    The UPE only needs to be connected with one of the PE routers in the basic
    VPLS. The UPE supports routing and MPLS encapsulation. If one UPE is
    connected with many CE routers and provides bridging functions, only the
    UPE needs to forward the data frame to reduce the burden on the SPE.
  - SPE
    The device connected with the UPE and located in the core of the full-mesh
    VPLS is called Superstratum PE (SPE). The SPE is connected with all other
    devices in the VPLS. The SPE takes the connected UPE as a CE router. The
    PW established between the UPE and the SPE is taken as the AC of the SPE.
    The SPE needs to learn the MAC addresses of sites at the UPE side and the
    MAC addresses of the UPE interfaces connected with the SPE.
- IGMP snooping
  VPLS can isolate users. Each VPN needs to support IGMP snooping, that is, the
  multi-instance IGMP snooping.
  VPLS learns MAC addresses in the following modes:
  - Unqualified
    The Unqualified mode refers to allowing numerous VLANs in a VSI to share a
    MAC address space and a broadcast area. VLANs need to be learned.
  - Qualified
    The Qualified mode refers to allowing a VLAN in a VSI to have an independent
    MAC address space and broadcast area. VLANs need not be learned.
- mVPLS
  mVPLS refers to a management VPLS. The VSIs associated with the mVPLS are
  called management VSIs (mVSIs).
  The prerequisite to the Up state of an mVSI differs from that of a common VSI
  (service VSI) as follows:
  - Common VSI: has two or more Up AC interfaces, or has both one Up AC
    interface and one Up PW.
  - mVSI: has one Up PW or AC interface.

  An mVSI can be bound to a common VSI. When an mVSI receives a
  gratuitous ARP packet or a BFD Down packet, the mVSI notifies all the
  common VSIs bound to it to clear MAC address entries and re-learn MAC
  addresses.
- Ethernet loop detection
  Virtual Private LAN Service (VPLS) is a significant technology for the
  Metropolitan Area Network (MAN). To avoid the impact of single point failures on
  services, user networks are connected to the VPLS network of a carrier through
  redundant links. The redundant links, however, lead to loops, which in turn
  cause broadcast storms.
  In networking applications, you can deploy the Spanning Tree Protocol (STP) or
  common loopback detection technologies to avoid the preceding problems. In
  practice, however, STP should be deployed at the user side, and the common
  loopback detection technology requires the devices at the user side to allow
  special Layer 2 loopback detection packets to pass through.
  When user networks cannot be controlled, you can deploy Ethernet loop
  detection supported by the CX600 over the carrier network. Ethernet loop
  detection need not be deployed at the user side. This also avoids the broadcast
  storm caused by loops formed in a VPLS network.
- VPLS/HVPLS equal-cost load balancing
  In VPLS/HVPLS services, when there are multiple public tunnels of equal cost
  from the local PE to the remote PE, the VPLS PW performs the HASH algorithm and
  then selects one tunnel to forward data flows. Different data flows over the same
  PW may be forwarded through different public tunnels.
- Fast switching of multicast traffic
  If the VSI in VPLS/HVPLS transmits multicast traffic and the master TE
  tunnel in the public network is faulty, the TE HSB switchover is performed within
  500 ms.

PWE3
Pseudo-Wire Emulation Edge to Edge (PWE3) is a technology used to carry
end-to-end Layer 2 services. In the Packet Switched Network (PSN), PWE3 simulates
ATM, Frame Relay (FR), Ethernet, low-speed TDM, and SONET/SDH.
- Classifications of PW
  PW can be classified into:
  - Static PW and dynamic PW in terms of implementation
  - Single-hop PW and multi-hop PW in terms of networking
  - LDP-PW and RSVP-PW in terms of signaling
- Control Word
  The CW is negotiated at the control plane, and is used for packet sequence
  detection, packet fragmentation, and packet reassembly at the forwarding plane.
  In the PWE3 protocols, ATM Adaptation Layer Type 5 (AAL5) and FR require the
  support for the CW. The negotiation of the CW at the control plane is simple. If
  the CW is supported after the negotiation, the negotiation result needs to be
  delivered to the forwarding module, which detects the packet sequence and
  reassembles the packet.
  The CW has the following functions:
  - Carries the sequence number for forwarding packets

    If the control plane supports the CW, a 32-bit CW is added before the data
    packet to indicate the packet sequence. When the load balancing is supported,
    the packets may be out of sequence. The CW can be used to number the
    packets so that the peer can reassemble the packets.
  - Fills the packet to prevent the packet from being too short.
    For example, if Ethernet is between PEs and PPP is between PEs and CEs,
    the size of the PPP control packet is smaller than the smallest MTU supported
    by the Ethernet. Then the PPP negotiation fails. You can avoid this by adding
    the CW, that is, by adding the fill bit.
  - Carries the control information of the Layer 2 frame header.
    In certain cases, the frame does not need to be transmitted completely in the
    L2VPN packets on the network. The frame header is stripped at the ingress
    and added at the egress. This method, however, cannot be used if the
    information in the frame header needs to be carried. You can use the CW to
    solve this problem. The CW can carry the negotiated information between the
    ingress PE and the egress PE.
  At the control plane, the negotiation succeeds only when both ends or neither
  end supports the CW. At the forwarding plane, the negotiation result at the
  control plane determines whether the CW is added to the packet.
- VCCV Ping
  VCCV ping is a tool that is used to manually test the connectivity of the virtual
  circuit. Similar to ICMP ping and LSP ping, it is realized through the extended
  LSP ping. The VCCV defines a series of messages transmitted between PEs to
  verify the connectivity of PWs. To ensure that the path of VCCV packets is
  consistent with the path of data packets in PWs, the encapsulation type and the
  passed tunnel of VCCV packets must be the same as those of PW packets. For
  details, refer to draft-ietf-pwe3-vccv and draft-ietf-mpls-lsp-ping.
  The CX600 supports the manual detection on the connectivity of LDP PWs on the
  U-PE, that is, the VCCV ping, including the detection on the connectivity of static
  PWs, dynamic PWs, single-hop PWs, and multi-hop PWs. Figure 5-26 shows the
  reference model of the PWE3 VCCV.

  Figure 5-26 Reference model of the PWE3 VCCV
  [Figure: CE1 and CE2 attached over ACs to U-PE1 and U-PE2; PW1 and PW2 between the
  U-PEs carry the emulated service, with VCCV running between the U-PEs]

The VCCV can be used as a fault detection and diagnostic tool for PWs. The
VCCV can be a combination of one type of CCs and one type of connectivity
verifications (CVs), because the lower layer PSNs are different, such as LSP ping,
L2TPv3, or Internet Control Message Protocol (ICMP) ping.
• PW Template
A PW template is a set of public attributes abstracted from PWs. A PW template
is shared by different PWs. For convenience of expansion, the command mode of
the PW template is added to set some public attributes of PWs. When creating a
PW in interface mode, you can use this template.
In the CX600, the PW can be bound with the PW template and can be reset.
• Interconnectivity of heterogeneous media
PWE3 can support:
  - Interconnectivity of homogenous media and heterogeneous media
  - Cell relay of data with different encapsulations
At present, the CX600 supports the following data transport by using PWE3:
  - ATM AAL5 SDU VCC transport
  - Ethernet
  - HDLC
  - ATM n-to-one VCC cell transport
  - IP Layer 2 transport
  - ATM one-to-one VCC cell mode
• ATM cell relay
ATM cell relay is a technology to carry ATM cells on the PWE3 virtual circuit.
Label encapsulation for ATM relay through PSN is shown in Figure 5-27.

Figure 5-27 Diagram of ATM relay through PSN

[Figure: a Layer 2 connection (for example, an ATM VCC/VPC) or port is carried on a pseudo-wire between two PEs over a PSN tunnel. MPLS label stack: PSN transport header (outer label, identifies the MPLS PSN tunnel); pseudo-wire header (inner label, identifies the MPLS pseudo-wire); control word (sequencing and protocol info); Layer 1/2 payload.]

A PSN label of the exterior layer identifies a PSN tunnel, while the PW header of
interior layer identifies a PW.
ATM cell relay is used to load the following services on a PSN:
  - The services whose PW payload is ATM cell
  - The services whose PW payload is AAL5 SDU
ATM cell relay can also be used to upgrade the former ATM network through a
PSN, with no new ATM devices and no change of the ATM CE configuration. The ATM
CE treats ATM cell relay as a TDM leased line, and cells are relayed through a PSN for
ATM interconnection.


ATM IWF
The ATM Inter-Working Function (ATM IWF) provides interoperation function
between the ATM link that is accessed through 1483B and the Ethernet link. With the
implementation of L2VPN, you can transparently transmit the ATM packets that are
accessed through 1483B to the Ethernet link. To keep the access information of ATM
(VPI and VCI accessed to a packet), VPI is mapped to be the external VLAN and VCI
is mapped to be the internal VLAN. By adding two layers of VLANs to the frame
header of the data link layer, the router can transmit the ATM packets with VPI/VCI
information to the Ethernet link through the two VLANs.
ATM IWF runs on L2VPN and has two implementation methods according to the
actual networking: the CCC local connection and PW.
• CCC local connection
The CCC is implemented between sub-interfaces of ATM and Ethernet on the
same router.
As shown in Figure 5-28, in the CCC local connection, the CX600 takes the flow
that is based on 1483 encapsulation out of the ATM flow accessed from
devices like DSLAM and cross transmits it to the Ethernet link. VPI is mapped to be the external VLAN,
and VCI is mapped to be the internal VLAN. Then, the packets are forwarded
from the Ethernet interface to the access device such as BRAS. The BRAS
distinguishes different DSLAM users based on the two layers of VLAN tags
of a packet.

Figure 5-28 ATM IWF diagram in the CCC local connection

[Figure: nodes DSLAM, CX-A, and BRAS; labels CCC, ATM, and GE]

• PW
Through the LSP tunnel of L2VPN, Layer 2 transparent transmission of data
packets of the ATM link and the Ethernet link can be carried out between peer PE
routers.
As shown in Figure 5-29, the ATM flow based on 1483B encapsulation can be
transparently transmitted to the remote Ethernet link through PW (such as
configuring Martini or Kompella L2VPN). In the process, VPI is mapped to be the
external VLAN and VCI is mapped to be the internal VLAN. The ATM packets are
then transparently transmitted to the remote BRAS. The BRAS distinguishes
different DSLAM users based on the two layers of VLAN tags of a packet.


Figure 5-29 Diagram of ATM IWF in PW

[Figure: nodes ATM Switch, CX-A, CX-B, and BRAS; labels ATM, PW, and GE]

5.5.4 BGP/MPLS IP VPN


The CX600 implements BGP/MPLS IP VPN, thus providing carriers with end-to-end
VPN solutions. Carriers can provide VPN service for users as a new value-added
service.
A BGP/MPLS IP VPN is a type of VPN that is implemented based on the extended
Border Gateway Protocol (BGP) and MPLS. A BGP/MPLS IP VPN consists of the
backbone network of carriers and sites of users.
The sites, as the VPN user sites, are isolated from each other and can be
interconnected only through the backbone network. A VPN can be regarded as the
division of sites based on policies. These policies are used to control the connections
between sites. As shown in Figure 5-30, Site 1, Site 2, and Site 3 constitute VPN A,
and Site 4, Site 5, and Site 6 constitute VPN B.


Figure 5-30 Networking diagram of a BGP/MPLS IP VPN

[Figure: nodes CE1 to CE6, PE1 to PE3, and P1 to P3; sites VPN A site1 to site3 and VPN B site4 to site6; layers: CPE layer, edge layer, core layer]

Table 5-1 Functions of each device in a BGP/MPLS IP VPN

Device   Full Name              Description

P        Provider router        It is a core router on a backbone network to
                                implement MPLS forwarding.
PE       Provider Edge router   It is an edge router on a backbone network. It
                                processes VPN routes and mainly implements
                                MPLS L3VPN.
CE       Customer Edge router   It is an edge router on a user network to advertise
                                routes of the user network.

Figure 5-31 shows the networking of a BGP/MPLS IP VPN that the CX600 supports.


Figure 5-31 Networking diagram of a BGP/MPLS IP VPN

[Figure: sites of VPN1, VPN2, and VPN3 attached through UPE, SPE, PE, and PE-ASBR devices to MPLS networks running MP-BGP. Callouts:
  - Support access to MPLS VPN through PPP, HDLC, ATM, Eth/VLAN, and remote dial-in/tunnel access
  - Support routing protocols between PEs and CEs, such as static routing, BGP, RIP, OSPF, and ISIS
  - Support HoVPN (hierarchical PE) to extend the VPN
  - Support inter-AS solutions: VRF-to-VRF, MP-EBGP, MP-Multihop EBGP
  - Support MPLS VPN over GRE and MPLS VPN over TE tunnel
  - Provide the VPN manager to manage VPNs among devices of different vendors]

• As a PE router, it supports access of CE routers through various kinds of interfaces such
as Ethernet, POS, and VLAN interfaces.
• It supports static routes and dynamic routing protocols such as BGP, RIP, OSPF,
and IS-IS, between CE routers and PE routers.
• It supports various inter-AS VPN solutions.

Carrier's Carrier
The customer of the BGP/MPLS IP VPN service provider can serve as a service
provider, which is called the networking mode for the carrier's carrier. In this mode, the
BGP/MPLS IP VPN service provider is called the provider carrier or the first carrier.
The customer is called the customer carrier or the second carrier, which serves as a
CE router for the first carrier.
To keep good extensibility, the second carrier adopts the operating mode similar to the
stub VPN. That is, the CE router of the second carrier only advertises the routes
(internal routes) of the VPN where it resides to the PE router of the first carrier. The
CE router does not advertise its customers' routes (external routes). PE routers of the
second carrier exchange external routes through BGP. This greatly reduces the
number of routes maintained on the first carrier network.


Inter-AS VPN
The CX600 supports the following three inter-AS VPN solutions represented in RFC
2547bis:
• VPN instance to VPN instance: ASBRs manage VPN routes in between by using
sub-interfaces, which is also called Inter-Provider Backbones Option A.
• EBGP redistribution of labeled VPN-IPv4 routes: ASBRs advertise labeled
VPN-IPv4 routes to each other through MP-EBGP, which is also called
Inter-Provider Backbones Option B.
• Multihop EBGP redistribution of labeled VPN-IPv4 routes: PE routers advertise
labeled VPN-IPv4 routes to each other through Multihop MP-EBGP, which is also
called Inter-Provider Backbones Option C.

Multicast VPN
The CX600 supports multicast BGP/MPLS IP VPN.
Multicast services are deployed in the network shown in Figure 5-32. VPN users in
various sites receive multicast traffic from the local VPN. The PE in the public network
supports multi-instance.
As shown in Figure 5-32, the public network instances on each PE and the P router
implement public network multicast. VPN multicast data is multicast in the public
network.

Figure 5-32 Networking diagram of applying public network multicast

[Figure: nodes PE1_public-instance, PE2_public-instance, PE3_public-instance, P1, P2, and P3]

As shown in Figure 5-33, the VPN A instances on each PE and the sites that belong to
the VPN A implement VPN A multicast.


Figure 5-33 Networking diagram of applying VPN A multicast

[Figure: nodes CE1, CE2, CE3, PE1_vpnA-instance, PE2_vpnA-instance, and PE3_vpnA-instance; sites VPN A site1, site2, and site3; label MD A]

As shown in Figure 5-34, the VPN B instances on PEs and the sites that belong to
VPN B implement VPN B multicast.

Figure 5-34 Networking diagram of applying VPN B multicast

[Figure: nodes CE4, CE5, CE6, PE1_vpnB-instance, and PE2_vpnB-instance; sites VPN B site4, site5, and site6; label MD B]

Take VPN A instances as an example. Multicast VPN can be summarized as follows:


• The multicast source S1 belongs to VPN A. S1 sends multicast data to G, a
multicast group.
• Among all possible data receivers, only members of VPN A can receive multicast
data from S1.
• Multicast data is multicast in various sites and the public network.


To implement multicast VPN, the following network conditions are required:
• Each site that supports multicast based on VPN instance
• A public network that supports the multicast based on public instance
• A PE device that supports the following multi-instance multicast:
  - Connecting sites through VPN instance to support multicast based on VPN
    instances
  - Connecting the public network by using public network instances and
    supporting multicast based on public network instances
  - Supporting data switching between public network instances and VPN
    instances

IPv6 VPN
The next-generation network protocol IPv6 is an enhancement of IPv4. IPv6 improves
the address space, configuration, maintenance, and security and supports access of
more users and devices to the Internet.
The VPN is an extension of the private network constructed by the shared link or the
public network such as the Internet. The VPN enables the computers across two
areas of a client to transmit data through the shared link or the public network; thus
the function of the P2P private link is realized.
When each site of a VPN supports IPv6, all the sites can be connected to the PE
router of the Service Provider (SP) through an interface or sub-interface with the IPv6
address. In this way, the sites are connected to the backbone network of the SP and
the VPN is called an IPv6 VPN. Simply speaking, IPv6 VPN indicates that a PE router
receives IPv6 packets from a CE router, which is different from the IPv4 VPN.
Currently, the IPv6 VPN services are carried over the IPv4 network of the SP. In this
case, the backbone network runs IPv4 while the user sites use IPv6 addresses. PE
routers need to support the IPv4/IPv6 dual stack, as shown in Figure 5-35. Any
network protocol that bears IPv6 traffic can run between
PE routers and CE routers. The PE routers run IPv6 on the interfaces connecting
clients and IPv4 on the interfaces connecting the public network.


Figure 5-35 Networking diagram of the IPv6 VPN over the IPv4 backbone network

[Figure: CE routers of IPv6 VPN site1 and IPv6 VPN site2 attached to PE routers of an IPv4 VPN backbone that contains P routers]

The implementation principle of the IPv6 VPN is similar to that of BGP/MPLS IP VPN.
The IPv6 VPN advertises VPN-IPv6 routing information through Multiprotocol
Extensions for BGP-4 (MP-BGP) on the backbone network. The IPv6 VPN triggers
MPLS to allocate labels to identify IPv6 packets, and then transmits data of the private
network across the backbone network through LSP, MPLS TE, or GRE tunnels.
IPv6 VPN networking schemes that the CX600 supports are:
• Intranet VPN
• Extranet VPN
• Hub&Spoke
• Inter-AS or multi-AS backbones VPN
• Carriers' carrier

HoVPN
In BGP/MPLS VPN solutions, the key device, PE router, functions in the following
aspects:
• Provides access functions for users. To achieve this, a PE router needs a great
number of interfaces.
• Manages and advertises VPN routes and processes user packets. This requires
that a PE router have large-capacity memory and high forwarding capabilities.
This causes the PE to become a bottleneck. To solve this problem, Huawei launches
the Hierarchy of VPN (HoVPN) solution. In HoVPN, functions of a PE router are
distributed to multiple PEs. Playing different roles in a hierarchical architecture, the
PEs implement functions of a centralized PE router together.


The basic architecture of HoVPN is shown in Figure. The device that is directly
connected to users is called the Underlayer PE or User-end PE (hereafter referred to
as the UPE). The device that is connected to the UPE in the internal network is called
the Superstratum PE or Service Provider-end PE (hereafter referred to as the SPE).
Multiple UPEs and a SPE form a hierarchical PE, functioning together as a traditional
PE router.

Figure 5-36 Basic architecture of HoVPN

[Figure: VPN1 and VPN2 sites attached to UPE1 and UPE2, which connect to the SPE to form the HoVPN PE; the SPE connects through the MPLS network to PEs serving further VPN1 and VPN2 sites]

In the networking of HoVPN, functions of PE routers are implemented hierarchically. Therefore,
the solution is also called Hierarchy of PE (HoPE).

The UPE and SPE provide the following functions:


• The UPE implements user access. It maintains the routes of VPN sites that are
directly connected with it. It does not maintain the routes of other remote sites in
the VPN, or maintains only their summary routes. The UPE assigns interior
layer labels to the routes of the directly connected sites, and advertises the labels
to the SPE through VPN routes with MP-BGP.
• The SPE manages and advertises VPN routes. It maintains the routes of all the
VPNs that are connected through UPEs, including the routes of local and remote
sites. The SPE does not advertise routes of remote sites to UPEs. It advertises
only the default routes of VPN-instances or summary routes to UPEs with the
label.
Different roles result in different requirements for the SPE and UPE:
• SPE: large capacity of routing table, high forwarding performance, few interface
resources
• UPE: small capacity of routing table, low forwarding performance, high access
capacity


The HoVPN takes advantage of the performance of SPEs and access capability of
UPEs.
The HoPE is the same as the traditional PE in appearance. It can exist together with
common PEs in an MPLS network.
HoVPN supports the embedding of HoPE:
• A HoPE can act as a UPE, and compose a new HoPE with another SPE.
• A HoPE can act as an SPE, and compose a new HoPE with multiple UPEs.
• Multiple embedding processes are supported.
The embedding of HoPE can infinitely extend a VPN network in theory.

RRVPN
Resource Reserved VPN (RRVPN) is a tunnel-multiplexing technology. It can provide
end-to-end QoS guarantee for VPN users.
To reserve and isolate resources for a VPN, RSVP-TE tunnels must be used. When
RRVPN is implemented, different VPNs use different tunnels. The resources of
different tunnels with the same tunnel interface, however, are isolated and reserved.
Note that the total bandwidth of the tunnels must not exceed the total bandwidth
reserved for the physical links.

Multi-role Hosts
In a BGP/MPLS IP VPN, the VPN attributes of the packets received by PEs from CEs
are decided by the VPN instance of the incoming interfaces on the PEs. Thus, all the
packets that are forwarded by the same PE interface belong to the same VPN.
In practice, however, a server or terminal is generally required to access multiple
VPNs. For example, a server in a financial system in VPN 1 and a server in an
accounting system in VPN 2 need to communicate. The server is called a multi-role
host.
In a multi-role host model, only the multi-role host can access multiple VPNs; the
non-multi-role hosts can access only the VPN to which the hosts belong.
The implementation principle of a multi-role host is simple. A multi-role host generally
fulfils the following functions:
• Ensures the data stream of the multi-role host can reach the destination VPN
network.
• Ensures the data stream from the destination VPN network can reach the
multi-role host.
As shown in Figure 5-37, the VPN to which the multi-role host PC belongs is VPN1. If
the VPN1 routes and VPN2 routes on PE1 do not import each other, the PC can
access only VPN1 instead of VPN2. The data stream from the PC to VPN2 can be
transmitted only by searching the VPN1 routing table of PE1. If the destination
address of a packet does not exist in the VPN1 routing table, PE1 discards the packet.
To ensure that the data stream of the PC can reach VPN2, configure PBR on PE1
interfaces through which CE1 accesses PE1. After the configuration, if the destination
address of a packet from CE1 does not exist in the VPN1 routing table, the VPN2
routing table is searched. The PBR here is generally based on IP addresses and can
guide data streams to access different VPNs.

Figure 5-37 Implementation of a multi-role host

[Figure: the PC attaches to CE1, which accesses PE1; PE1 connects across the backbone to PE2 (CE2, VPN1) and PE3 (CE3, VPN2); labels Policy-Based Routing and Static-Route]

To ensure that the data streams from the destination VPN network can return to the
PC, PE1 must be able to search the routes in the VPN1 routing table for the data
streams from VPN2. This is implemented through injecting the static route to the PC
into the VPN2 routing table on PE1. The outgoing interface of the static route is the
PE1 interface that connects CE1.
The functions of a multi-role host are realized mainly on the PE that the CE accesses.
(The multi-role host accesses the CE.)
• Through the PBR on a PE, the data streams from the same VPN can be
transmitted by searching routing tables of different VPNs at the same time.
• Static routes are installed to the routing table of the destination VPN on the PE.
The outgoing interfaces of the static routes are the interfaces that connect the
multi-role host and the VPN.
Note that the IP addresses of the VPN where a multi-role host resides and the VPN
that the host accesses cannot be the same.
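
The lookup behaviour described above can be modelled to check that only the multi-role host crosses the VPN boundary. The following is an added example, not code from the CX600 or from Huawei; the addresses, interface names, and the source-address match used for PBR are constructed assumptions.

```python
import ipaddress


class Vrf:
    """One VPN routing table on the PE (a VPN instance)."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (network, outgoing interface)

    def add_route(self, prefix, out_if):
        self.routes.append((ipaddress.ip_network(prefix), out_if))

    def lookup(self, dst):
        """Longest-prefix match; returns the outgoing interface or None."""
        addr = ipaddress.ip_address(dst)
        hits = [(net, out_if) for net, out_if in self.routes if addr in net]
        if not hits:
            return None
        return max(hits, key=lambda hit: hit[0].prefixlen)[1]


class Pe:
    """Model of PE1: interfaces bound to VPN instances, plus PBR fallback."""

    def __init__(self):
        self.vrfs = {}
        self.binding = {}  # incoming interface -> VPN instance name
        self.pbr = {}      # incoming interface -> [(source network, fallback VPN)]

    def add_vrf(self, name):
        self.vrfs[name] = Vrf(name)
        return self.vrfs[name]

    def bind(self, in_if, vrf_name):
        self.binding[in_if] = vrf_name

    def add_pbr(self, in_if, src_prefix, fallback_vrf):
        rule = (ipaddress.ip_network(src_prefix), fallback_vrf)
        self.pbr.setdefault(in_if, []).append(rule)

    def forward(self, in_if, src, dst):
        """Return (VPN table used, outgoing interface), or None if discarded."""
        own = self.vrfs[self.binding[in_if]]
        out_if = own.lookup(dst)
        if out_if is not None:
            return own.name, out_if
        # The destination is not in the interface's own VPN table: consult PBR.
        for src_net, fallback in self.pbr.get(in_if, []):
            if ipaddress.ip_address(src) in src_net:
                out_if = self.vrfs[fallback].lookup(dst)
                if out_if is not None:
                    return fallback, out_if
        return None


def overlapping_sites(prefixes_a, prefixes_b):
    """Audit for the address caveat: site prefixes of the two VPNs must not overlap."""
    nets_a = [ipaddress.ip_network(p) for p in prefixes_a]
    nets_b = [ipaddress.ip_network(p) for p in prefixes_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


# Constructed sample addressing (assumption, not taken from the page).
VPN1_SITES = ["10.1.1.0/24", "10.1.2.0/24"]
VPN2_SITES = ["10.2.1.0/24"]
PC = "10.1.1.10"          # the multi-role host behind CE1
OTHER_HOST = "10.1.1.20"  # an ordinary VPN1 host behind CE1


def build_pe1():
    pe1 = Pe()
    vpn1 = pe1.add_vrf("VPN1")
    vpn2 = pe1.add_vrf("VPN2")
    vpn1.add_route("10.1.1.0/24", "to-CE1")
    vpn1.add_route("10.1.2.0/24", "tunnel-to-PE2")
    vpn2.add_route("10.2.1.0/24", "tunnel-to-PE3")
    pe1.bind("to-CE1", "VPN1")
    pe1.bind("tunnel-to-PE2", "VPN1")
    pe1.bind("tunnel-to-PE3", "VPN2")
    # PBR on the interface through which CE1 accesses PE1, for the PC only.
    pe1.add_pbr("to-CE1", PC + "/32", "VPN2")
    # Static route to the PC injected into the VPN2 table for the return path.
    vpn2.add_route(PC + "/32", "to-CE1")
    return pe1


if __name__ == "__main__":
    pe1 = build_pe1()
    for src, dst in [(PC, "10.1.2.5"), (PC, "10.2.1.5"), (OTHER_HOST, "10.2.1.5")]:
        print(src, "->", dst, ":", pe1.forward("to-CE1", src, dst))
    print("return to PC:", pe1.forward("tunnel-to-PE3", "10.2.1.5", PC))
    print("overlaps:", overlapping_sites(VPN1_SITES, VPN2_SITES))
```

If the site prefixes overlapped, the VPN1 lookup would match first and the PBR fallback would never be consulted, which is why the audit function checks for overlap.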

5.5.5 L2VPN Accessing L3VPN


At the border between the traditional access network and the bearer network, one
UPE and one NPE are required to work together to implement the access.
• The UPE terminates and accesses the L2VPN (VLL and VPLS).
• The NPE terminates and accesses the L3VPN.


Figure 5-38 Traditional access network

[Figure: users reach UPEs through DSLAMs and user switches; on each side, UPEs connect across an MPLS L2VPN to a UPE next to an NPE, and the NPEs connect across the MPLS L3VPN. Legend: L2VPN tunnel, L3VPN tunnel. Callouts:
  - The UPE terminates the L2VPN and accesses the L3VPN
  - The UPE and the NPE run as the CE for each other
  - The NPE accesses the L3VPN and sets up the L3VPN tunnel
  - Users access the L2VPN through ACs
  - The UPE accesses the L2VPN and sets up the L2VPN tunnel
  - AC for user access
  - Users access the L3VPN through the L2VPN]

MPLS is widely applied on the access network of the ISP because it features high
reliability and security and sound IP-based operating and maintenance capabilities,
and supports QoS. MPLS L2VPN provides MPLS-based VPN services and
transparently transmits Layer 2 data of users on the MPLS network. It thus provides a
channelized path for user services and reduces the LSPs maintained by transit nodes.
MPLS L3VPN services are common services provided by the ISP over the
bearer network. MPLS L2VPN tunnels enable users to access the MPLS L3VPN of
the bearer network. Users can access MPLS L3VPNs through low-end devices such
as the CXs. In this manner, networking cost is reduced and secure and stable MPLS
L3VPN services are provided for users.
To access L3VPNs through MPLS L2VPN tunnels, two devices that are a PE-AGG
and an NPE need to be deployed at the border between the access network and the
bearer network. In addition, the PE-AGG is used to terminate the L2VPN and the NPE
is used to terminate the L3VPN. The PE-AGG and the NPE run as the CE router for
each other. In this case, if an NPE combines the capability of the PE-AGG, networking
cost can be saved and networking is simplified. The VE interface, which is supported
by the CX600 to access multiple services, can be bound to the L2VPN and L3VPN at
the same time. That is, the VE interface can access and terminate the L2VPN and
L3VPN. In this manner, the CX600 can run as the NPE and PE-AGG at the same
time.


Figure 5-39 L2VPN access to the L3VPN

[Figure: users reach UPEs through DSLAMs and user switches; the UPEs connect across an L2VPN to UNPEs, and the UNPEs connect across the MPLS L3VPN. Legend: L2VPN tunnel, L3VPN tunnel. Callouts:
  - The UNPE terminates the L2VPN, accesses the L3VPN, and sets up the L2VPN and L3VPN tunnels
  - Users access the L2VPN through the AC
  - The UPE accesses the L2VPN and sets up the L2VPN tunnel
  - AC for user access
  - Users access the L3VPN through the L2VPN]

Without a dedicated board, the CX600 can associate Layer 2 with Layer 3 VE
interfaces by using a VE group. The CX600 terminates the VLL and the VPLS through
Layer 2 VE interfaces and accesses the L3VPN through Layer 3 VE interfaces. The
UNPE function is thus implemented.

5.5.6 VPN QoS


The ISP provides L2VPN or L3VPN access services for a VPN user and signs the
SLA with the user. The SLA includes the following:
• Total bandwidth used by the user to access the MPLS VPN
• Priority of the user service in the MPLS network
The preceding two points determine the volume of user traffic that can access the ISP
network. After the user accesses the ISP network, the remaining question is
the type of QoS to be provided for the user.
• The bandwidth for the user traffic to a specified peer PE router is guaranteed.
• Types of services to a specific peer PE router, such as voice, video, important
data, and common network services, require guaranteed bandwidth and delay.
VPN QoS provides a relatively complete L2VPN or L3VPN QoS solution. It uses
various QoS features to meet the diversified and fine-grained QoS demands of VPN
users. The VPN QoS provides QoS in the MPLS DiffServ network and end-to-end
QoS in the MPLS TE network. In the application, you can select the QoS policy as
required.


L3VPN with QPPB


The QoS Policy Propagation Through the Border Gateway Protocol (QPPB)
propagates the QoS policy through BGP.
The receiver of BGP routes can do the following:
• Set QoS parameters for BGP routes based on the attributes of BGP routes.
• Classify traffic by matching QoS parameters and set the QoS policy for the
classified traffic.
• Forward packets in accordance with the locally set QoS policy to propagate the
QoS policy through BGP.
In an L3VPN, you can set the QPPB policy for private routes to classify L3VPN traffic,
re-mark the traffic class, and limit the traffic volume.

L2VPN/L3VPN with MPLS DiffServ


In this case, VPN QoS has the following functions:
• On the ingress PE router, VPN QoS classifies VPN traffic according to simple
traffic classification or complex traffic classification. The classified traffic is limited,
re-marked, and scheduled based on the priority level. Traffic classification and
scheduling support uniform and pipe/short pipe modes.
• VPN QoS performs differentiated queue scheduling according to the MPLS EXP
field on the P router.
• On the egress PE router, VPN QoS performs differentiated queue scheduling
based on the EXP field and limits and shapes traffic on the outbound interface.
This scheme has an inherent defect: the transit nodes perform the QoS
action only according to the predefined PHB. This fails to guarantee the end-to-end
QoS and eradicate network congestion.

L2VPN/L3VPN with MPLS TE


The characteristic of this solution is that the P and PE routers on the MPLS network
reserve bandwidth through the TE signaling protocol. In this manner, the network is
free from blocking, providing end-to-end bandwidth guarantee. But the P routers do
not distinguish service marks inside the tunnel and uniformly process the packets of
various marks. QoS mapping between MPLS packets and IP packets or Layer 2
packets on the PE router supports the pipe/short pipe model.
In this solution, the ingress PE router binds the VPN to a TE tunnel.
• At the network side, the PE router performs queue scheduling based on VPNs,
ensures the bandwidth of VPN services to access the TE tunnel, and guarantees
the total bandwidth of the TE tunnel.
• The P router guarantees the bandwidth of the TE tunnel.
The ingress nodes do not distinguish the priorities of services transmitted on the TE
tunnel. Therefore, services of various priority levels need to be allocated to different
VPNs in the network planning.


Figure 5-40 L2VPN/L3VPN with MPLS TE

[Figure: VPNA site 1, site 2, and site 3 attached to PE1, PE2, and PE3 across the backbone network. Callout: Only one type of services in VPNA]

L2VPN/L3VPN with MPLS DS-TE


The characteristic of this scheme is that the P router and PE routers on the MPLS
network reserve bandwidth through the DS-TE signaling protocol for various types of
services. In this manner, the network is free from blocking, providing end-to-end
bandwidth guarantee. Besides, services inside the tunnel are differentiated.
In this scheme, the ingress PE router binds the VPN to the DS-TE tunnel. At the
network side, the PE router schedules queues based on VPNs, ensures the
bandwidth of the VPN services to access the DS-TE tunnel, and ensures the total
bandwidth of the DS-TE tunnel. The P router guarantees the bandwidth of the DS-TE
tunnel.


Figure 5-41 L2VPN/L3VPN with MPLS DS-TE

[Figure: VPNA site 1, site 2, and site 3 attached to PE1, PE2, and PE3 across the backbone network. Callout: VPNA carries three types of services, ensuring the QoS for each service in the same VPN]

5.6 IPTN Features


How to provide services with end-to-end QoS guarantee on an IP bearer network has
become an urgent demand for carriers. Therefore, the current Internet needs to be
reconstructed in order to provide better data services. Huawei puts forward the IP
telecommunication network (IPTN) solution to meet the demand. The IPTN solution
aims to provide end-to-end QoS by reconstructing the current IP network. In this
solution, the concept of bearer control layer is addressed between the service control
layer and the bearer layer; resources are applied, kept and released respectively
before, during, and after they are used to improve the transmission efficiency of the
bearer network.
Figure 5-42 shows the scenario in which the CX600 serves as a service router (SR) in
an IPTN network.


Figure 5-42 Application scenario of the IPTN

[Figure: nodes User, DSLAM, SR, ISP, COPS, and DHCP Server]

An IP packet of the user is encapsulated in a QinQ packet with double VLAN tags
through the DSLAM and then accesses the SR. The outer VLAN ID specifies the
DSLAM; the inner VLAN ID specifies the user.
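
Both this QinQ access and the ATM IWF mapping of VPI/VCI onto two VLAN layers described earlier rely on the (outer VLAN, inner VLAN) pair to tell users apart. The following added example, which is not CX600 code, builds and parses a double-tagged frame and shows why a VPI/VCI pair cannot always be used directly as VLAN IDs; the direct value mapping, the MAC addresses, the TPID choices, and the subscriber table are constructed assumptions.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q tag
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag (assumption: accepted as outer tag)

# Constructed sample values, not taken from the page.
DST_MAC = bytes.fromhex("02aabbccdd01")
SRC_MAC = bytes.fromhex("02aabbccdd02")
SUBSCRIBERS = {(8, 35): "dslam-8/user-35"}


def usable_vlan_id(value):
    """VLAN IDs 0 and 4095 are reserved, so only 1..4094 identify a VLAN."""
    return 1 <= value <= 4094


def iwf_vlan_pair(vpi, vci):
    """Map VPI to the outer VLAN and VCI to the inner VLAN by direct value.

    The direct mapping is an assumption of this example. It returns None when
    a value cannot be a VLAN ID: the VCI field is 16 bits wide but a VLAN ID
    has 12 bits, and VPI 0 or VCI 0 would map to the reserved VLAN ID 0.
    """
    if usable_vlan_id(vpi) and usable_vlan_id(vci):
        return vpi, vci
    return None


def build_qinq(dst_mac, src_mac, outer, inner, ethertype, payload,
               pcp=0, outer_tpid=TPID_CTAG):
    """Build an Ethernet frame carrying two VLAN tags."""
    if not (usable_vlan_id(outer) and usable_vlan_id(inner)):
        raise ValueError("VLAN IDs must be in 1..4094")
    # TCI layout: 3 bits priority, 1 bit DEI, 12 bits VLAN ID.
    outer_tci = (pcp << 13) | outer
    inner_tci = (pcp << 13) | inner
    tags = struct.pack("!HHHH", outer_tpid, outer_tci, TPID_CTAG, inner_tci)
    return dst_mac + src_mac + tags + struct.pack("!H", ethertype) + payload


def parse_qinq(frame):
    """Return (outer VLAN, inner VLAN, ethertype, payload), or None if the
    frame does not carry two VLAN tags."""
    if len(frame) < 22:
        return None
    outer_tpid, outer_tci, inner_tpid, inner_tci, ethertype = struct.unpack(
        "!HHHHH", frame[12:22])
    if outer_tpid not in (TPID_CTAG, TPID_STAG) or inner_tpid != TPID_CTAG:
        return None
    # Mask off priority and DEI bits so they cannot alter the identity.
    return outer_tci & 0x0FFF, inner_tci & 0x0FFF, ethertype, frame[22:]


def identify_subscriber(frame, table):
    """Look up the user by the VLAN pair; unknown or malformed frames give None."""
    parsed = parse_qinq(frame)
    if parsed is None:
        return None
    return table.get(parsed[:2])


def single_tagged_example():
    """A constructed frame with only one VLAN tag, which must not be accepted."""
    tag = struct.pack("!HH", TPID_CTAG, 35)
    return DST_MAC + SRC_MAC + tag + struct.pack("!H", 0x0800) + b"\x45\x00\x00\x1c" * 3


if __name__ == "__main__":
    frame = build_qinq(DST_MAC, SRC_MAC, 8, 35, 0x0800, b"payload-bytes", pcp=5)
    print(parse_qinq(frame))
    print(identify_subscriber(frame, SUBSCRIBERS))
    print(identify_subscriber(single_tagged_example(), SUBSCRIBERS))
    print(iwf_vlan_pair(8, 35), iwf_vlan_pair(0, 35), iwf_vlan_pair(1, 5000))
```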
With the DHCP relay function, the SR forwards a DHCP request packet to the DHCP
server when receiving an access request from the user. After the DHCP server returns
an assigned IP address to the user, the SR reports information about the online user
to the COPS server.
The information includes the following:
• Location of the user, that is, CircuitId in the DHCP Option 82 field
• VPN to which the user belongs
• IP address of the user
• MAC address of the user
In addition, the CX600 provides the following functions:
• Supports the three-level limit to the number of users.
• Provides the detection of online users and the processing of the user getting
offline.
• Checks the validity of IPTN users.
• Displays information about online users and forcibly cuts off online users.

5.7 QoS Features


The CX600 provides the QoS features of integrated services including real-time
services. In particular, the CX600 supports DiffServ as follows:
• Traffic classification
• Traffic policing
• Traffic shaping
• Congestion management
• Queue scheduling


The CX600 can implement all the eight PHB behaviors of Expedited Forwarding (EF),
Assured Forwarding 1 (AF1), AF2, AF3, AF4, Best-Effort (BE), Class Selector 6 (CS6),
and CS7. With the CX600, network operators can provide users with differentiated
QoS guarantee, and make the Internet an integrated network that can carry data,
voice, and video services at the same time.
Figure 5-43 shows the hierarchical QoS (HQoS) of the CX600.

Figure 5-43 Multi-level scheduling of QoS

[Figure: multi-level QoS scheduling with levels L1 to L4.
Inbound interface stages: receive packets; classify and mark packets (CAR); congestion avoidance detection (RED, WRED); priority scheduling (PQ, CQ, CBWFQ).
Switching: VOQ switch (prevent the head packet from blocking); multicast switch.
Outbound interface stages: mark packets according to the class; congestion avoidance detection (RED, WRED, SARED); schedule traffic (LLS, NLS, PBS); priority scheduling/traffic shaping (PQ, CBWFQ); forward packets.]

The following describes the QoS features of the CX600.

5.7.1 DiffServ Model


In the DiffServ model, service traffic is classified into different classes that can be
processed differently. When the network is congested, different classes of traffic are
processed with different priorities. This results in different packet loss ratio, delay, and
jitter.
In the DiffServ model, the following nodes can serve as the edge nodes when
DiffServ is implemented:
• Nodes at the convergence layer
• Nodes at the core layer to directly connect the Internet Data Center (IDC)
• Gateway nodes at the core layer
Other nodes at the core layer serve as the core nodes.


• On the ingress edge node, the router classifies traffic based on Multi-field (MF)
and then performs traffic policing, Differentiated Services Code Point (DSCP)
mark or re-mark, queue scheduling and management, and traffic shaping based
on user traffic.
l On the egress edge node, the router performs traffic classification, DSCP re-mark
or ToS mark, traffic shaping, queue scheduling and management based on DSCP.
If the downstream domain is a DiffServ domain, service traffic may be re-marked
with the DSCP priority based on the SLA signed between the provider and
customers. If the downstream domain is a CoS domain, service traffic should be
marked with a ToS flag. The traffic shaping performed on the egress allows the
traffic sent to the downstream domain to enjoy the bandwidth and CBS
conforming to the SLA.
The SLA is an agreement reached between the service subscriber and service
provider. The service provider provides services for service subscribers. The SLA
contains the parameters such as the Committed Information Rate (CIR), Peak
Information Rate (PIR), Committed Burst Size (CBS), and Peak Burst Size (PBS)
to monitor and control the incoming traffic. The router performs such behaviors as
Pass, Drop, or Markdown for the traffic exceeding the promised limit. Markdown
means that packets are marked with high drop priority. Markdown packets are
first dropped when network congestion occurs. This ensures that the packets
conforming to the SLA can enjoy the services specified in the SLA.
l On the core node, the router performs traffic classification, queue scheduling and
management based on DSCP.

5.7.2 Traffic Classification


Traffic classification consists of the following steps:
• Classifies the traffic based on certain rules.
• Associates the traffic of the same type with certain actions.
• Forms a certain policy.
Then, the policy is applied in the implementation of traffic policing, traffic shaping, and
congestion management, all of which are based on classes of the traffic.
In the following situations, the packets are processed by best effort delivery:
• No QoS needs to be ensured.
• No traffic classification is carried out.
• No rules in the traffic classification are matched by the packets.
The CX600 supports simple and complex traffic classifications.
Complex traffic classification is usually configured on the router at the network edge;
simple traffic classification is configured on the core router.

Simple Traffic Classification


Simple traffic classification means that packets are divided into several priorities or
service classes according to the IP precedence or DSCP field value in IP packets,
EXP field value in MPLS packets, or 802.1p priority in VLAN packets. Traffic policies
based on simple traffic classification are used to map the priority of traffic on one type
of network to another type. This allows traffic to be transmitted in another network
based on the previous priority.


At present, the CX600 supports traffic classification on the following interfaces:


• Physical interfaces and sub-interfaces
• Logical interfaces including VLANIF, Ring-If, and trunk interfaces

Complex Traffic Classification


Complex traffic classification means that packets are classified based on the quintuple
of the source and destination addresses, source and destination port numbers, and
protocol type. It is usually applied on the edge of a network. Complex traffic
classification must be associated with specific traffic control or resource allocation
actions. Thus, it can provide differentiated services.
At present, the CX600 supports:
• Classifications based on the source MAC address and destination MAC address
  in the Ethernet frame header, protocol number carried over the link layer, and
  802.1p priority of tagged packets
• Classifications based on the IP precedence, DSCP, or ToS value of IPv4 packets,
  source IP address prefix, destination IP address prefix, protocol number carried
  in IP packets, fragmentation flag, TCP SYN flag, TCP/UDP source port number or
  range, and TCP/UDP destination port number or range.
The CX600 supports complex traffic classification on:
• Physical interfaces
• Logical interfaces including sub-interfaces, Ring-If interfaces, and trunk
  interfaces

5.7.3 Traffic Policing


In traffic policing, the committed access rate (CAR) is used to control traffic. Packets
are classified according to a preset matching rule. If conforming to the rule, the
packets are forwarded by the router. If exceeding the limit specified by the rule, the
packets are then either discarded or forwarded after their precedence is re-marked.
To control traffic, the token bucket (TB) is introduced to the CAR technology. Figure
5-44 shows the procedure of traffic policing with CAR.

Figure 5-44 Flowchart of traffic policing with CAR


[Figure 5-44 diagram not reproduced. It shows incoming packets being classified, a
token bucket that is filled with tokens at a specified rate, and packets that are either
passed as outgoing packets or dropped.]

• The tokens are put into the TB at the rate preset by the user. The capacity of the
  TB is also preset by the user. When the number of tokens reaches the capacity of
  the TB, the number does not increase any more.
• On arrival, packets are classified according to information such as the IP
  precedence, source address, or destination address. The packets that conform to
  the preset feature go into the TB for further processing.
• If the TB has enough tokens for sending packets, the packets are forwarded.
  Meanwhile, the number of tokens is reduced by the packet length. If the TB
  contains insufficient tokens or is empty, the packets that are not assigned
  tokens or not assigned enough tokens are discarded; or the IP precedence,
  DSCP, or EXP values are re-marked and the packets are forwarded. In this case,
  the number of tokens in the TB remains unchanged.
The preceding process shows that the CAR technology enables a router to control
traffic, and to mark or re-mark packets.
Limiting the traffic rate is the main function of CAR. With the CAR technology, a TB is
used to measure the data traffic that flows through the interfaces of a router so that in
the specified time only the packets that are assigned tokens go through the router.
In this way, the traffic rate is limited. CAR limits the maximum traffic rates of both
incoming packets at the ingress and outgoing packets at the egress. Meanwhile, the
rate of certain types of traffic can be controlled according to information such as the IP
address, port number, and precedence. Traffic that does not conform to the preset
conditions is not limited in rate; such traffic is forwarded at the original rate.
The CAR technology is used at the network edge to ensure that the core device can
process data normally. The CX600 supports CAR in both the inbound and outbound
directions.
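The three CAR steps described above, as an added Python model (not Huawei code and not part of the original document). The class and field names, the source-prefix classification rule, the bucket starting full, and the traffic values are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network


class Packet:
    def __init__(self, src, length, dscp, arrival):
        self.src = src            # source IP address
        self.length = length      # packet length in bytes
        self.dscp = dscp          # current DSCP value
        self.arrival = arrival    # arrival time in seconds


class CarPolicer:
    """Single token bucket policer following the three steps of section 5.7.3."""

    def __init__(self, match_prefix, cir_bps, cbs_bytes,
                 exceed_action="drop", remark_dscp=None):
        if exceed_action not in ("drop", "remark"):
            raise ValueError("exceed_action must be 'drop' or 'remark'")
        if exceed_action == "remark" and remark_dscp is None:
            raise ValueError("the remark action needs a DSCP value")
        self.net = ip_network(match_prefix)   # assumed rule type: source prefix
        self.cir_bps = cir_bps                # token fill rate, bit/s
        self.cbs = cbs_bytes                  # bucket capacity, bytes
        self.exceed_action = exceed_action
        self.remark_dscp = remark_dscp
        self.tokens = float(cbs_bytes)        # assumption: the bucket starts full
        self.last = 0.0
        self.stats = {"unmatched": 0, "passed": 0, "dropped": 0, "remarked": 0}

    def _refill(self, now):
        # Step 1: tokens arrive at the preset rate and never exceed the capacity.
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.cbs, self.tokens + elapsed * self.cir_bps / 8)

    def police(self, pkt):
        # Step 2: only traffic that matches the rule is measured by the bucket;
        # everything else is forwarded at its original rate.
        if ip_address(pkt.src) not in self.net:
            self.stats["unmatched"] += 1
            return "forward"
        self._refill(pkt.arrival)
        # Step 3: enough tokens -> forward and consume tokens by packet length.
        if self.tokens >= pkt.length:
            self.tokens -= pkt.length
            self.stats["passed"] += 1
            return "forward"
        # Not enough tokens: the token count stays unchanged.
        if self.exceed_action == "remark":
            pkt.dscp = self.remark_dscp
            self.stats["remarked"] += 1
            return "remark"
        self.stats["dropped"] += 1
        return "drop"


def sample_traffic():
    """Constructed traffic: four 1000-byte packets from a policed host, one other."""
    return [
        Packet("10.0.0.5", 1000, 10, 0.0),
        Packet("10.0.0.5", 1000, 10, 0.1),
        Packet("192.0.2.9", 1000, 0, 0.1),    # does not match the rule
        Packet("10.0.0.5", 1000, 10, 0.2),
        Packet("10.0.0.5", 1000, 10, 1.2),
    ]


def run(policer, packets):
    return [policer.police(p) for p in packets]


if __name__ == "__main__":
    drop = CarPolicer("10.0.0.0/24", cir_bps=8000, cbs_bytes=1500)
    print(run(drop, sample_traffic()), drop.stats)
    mark = CarPolicer("10.0.0.0/24", 8000, 1500, "remark", remark_dscp=14)
    print(run(mark, sample_traffic()), mark.stats)
```

With a rate of 8000 bit/s and a 1500-byte bucket, the burst at 0.1 s and 0.2 s exceeds the limit while the unmatched host is never measured, which is the per-flow containment CAR provides at the network edge.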

5.7.4 Queue Scheduling


In computerized data communications, communication channels are shared by many
computers. In addition, the bandwidth of a WAN is usually less than that of a Local
Area Network (LAN). As a result, when a computer in one LAN sends data to a
computer in another LAN, data cannot be transmitted over a WAN as fast as over a
LAN because the WAN bottlenecks the data transmission. At this time, some packets
cannot be sent by the router between the LAN and the WAN, that is, the network is
congested.
As shown in Figure 5-45, when LAN 1 sends packets to LAN 2 at the rate of 10 Mbit/s,
traffic congestion occurs on the interface Serial 1 of CX-A.


Figure 5-45 Network congestion

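[Figure 5-45 diagram not reproduced. It shows LAN 1 (PC1, Server1, 10 Mbit/s Ethernet)
attached to CX-A and LAN 2 (PC2, Server2, 10 Mbit/s Ethernet) attached to CX-B. The
Serial 1 interfaces of the two routers are connected at 2 Mbit/s across a Frame
Relay/X.25/DDN network.]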

Congestion management provides means to manage and control traffic when traffic
congestion occurs. The queue scheduling technology is used to handle traffic
congestion. Packets sent from one interface are placed into many queues which are
identified with different priorities. Packets are then sent according to the priorities. A
proper queue scheduling mechanism can provide packets of different types with
reasonable QoS features such as the bandwidth, latency, and jitter. The queue here
refers to the outgoing packet queue. Packets are buffered into queues before the
interface is able to send them. Therefore, the queue scheduling mechanism works
only when an outbound interface is congested. The queue scheduling mechanism can
re-arrange the order of packets except those in First In First Out (FIFO) queues.
Commonly used queue scheduling mechanisms are:
• FIFO
• PQ
• Custom Queuing (CQ)
• WFQ
• Class-based WFQ (CBWFQ)
The CX600 supports FIFO, PQ, and WFQ to realize the queue scheduling on the
interface.

5.7.5 Congestion Management


The CX600 adopts the Weighted Random Early Detection (WRED) congestion control
mechanism.
• The congestion control mechanism can be configured on each port based on the
  priority of the queue.
• The CX600 uses a microsecond-level timer to trace the occupation of the shared
  memory with the first-order weighted iteration method.
• Consequently, the CX600 can sense the congestion in a timely manner and avoid
  network flapping. It drops the packets of different drop preferences at different
  probabilities within the same traffic stream. This can effectively avoid and control
  network congestion.
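How first-order weighted averaging and per-drop-preference probabilities fit together, as an added Python sketch (not Huawei code and not part of the original document). The linear ramp between a minimum and a maximum threshold is the commonly used WRED profile and is assumed here, since the document does not give the CX600 drop curve; the thresholds, weights, and color names are constructed.

```python
import random

# Constructed drop profiles: color -> (min threshold, max threshold, max probability).
# Thresholds are in percent of buffer occupancy; red has the highest drop preference.
PROFILES = {
    "green": (40, 80, 0.1),
    "yellow": (20, 60, 0.5),
    "red": (10, 40, 1.0),
}


class WredQueue:
    def __init__(self, profiles, weight):
        if not 0 < weight <= 1:
            raise ValueError("weight must be in (0, 1]")
        self.profiles = profiles
        self.weight = weight
        self.avg = 0.0

    def sample(self, occupancy):
        """First-order weighted iteration: avg <- avg + w * (occupancy - avg).

        Called on every timer tick. A small weight makes the average ignore
        short bursts, a large weight makes it follow the buffer closely.
        """
        self.avg += self.weight * (occupancy - self.avg)
        return self.avg

    def drop_probability(self, color):
        low, high, max_p = self.profiles[color]
        if self.avg < low:
            return 0.0            # no congestion for this drop preference
        if self.avg >= high:
            return 1.0            # tail-drop region
        return max_p * (self.avg - low) / (high - low)

    def admit(self, color, rng):
        """Randomly drop with the current probability; True means enqueue."""
        return rng.random() >= self.drop_probability(color)


def drop_curve(samples, weight):
    """Return the averaged occupancy and per-color drop probability per tick."""
    queue = WredQueue(PROFILES, weight)
    out = []
    for occupancy in samples:
        avg = queue.sample(occupancy)
        out.append((avg, {c: queue.drop_probability(c) for c in PROFILES}))
    return out


if __name__ == "__main__":
    # Constructed occupancy trace: an empty buffer that suddenly fills up.
    for avg, probs in drop_curve([0, 100, 100, 100], weight=0.5):
        print(f"avg={avg:5.1f}", probs)
    q = WredQueue(PROFILES, weight=0.5)
    q.sample(100)
    rng = random.Random(1)
    print("green admitted:", sum(q.admit("green", rng) for _ in range(1000)))
```

Within the same averaged occupancy, packets with the higher drop preference reach their drop region first, so conforming traffic keeps its share of the buffer while excess traffic is shed.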

5.7.6 Traffic Shaping


When network congestion occurs, traffic policing (the CAR technology) is used to
control the traffic features of the packets and restrain the traffic, so that the packets
that do not conform to the traffic features are dropped. Sometimes, to reduce packet
loss, the packets that do not conform to the traffic specifications are cached
and then sent at a uniform rate under the control of the token bucket. This is traffic
shaping. Traffic shaping both reduces packet loss and satisfies the traffic
features of the packets.
A typical application of traffic shaping is to control the flow and burst of outgoing traffic
based on the network connection. Thus, the packets can be sent at a uniform rate.
Traffic shaping adopts Generic Traffic Shaping (GTS) to shape the traffic that
is irregular or does not conform to the preset traffic features, which makes it easier to
match the bandwidth between the network upstream and downstream.

5.7.7 HQoS
Hierarchical QoS (HQoS) is a kind of QoS technology that can control user traffic and
schedule service queues according to the priority level.
The HQoS of the CX600 has the following functions:
• The system provides abundant services with the five-level QoS scheduling
  mechanism.
• The system supports PQ and Confirmed Bandwidth Priority Queue (CBPQ).
  - PQ is based on the absolute priority level. After you configure PQ, the packets
    with the highest priority level are permitted; the packets with low priority levels
    are discarded, once the network is congested. PQ is unable to configure
    bandwidth for packets of all priority levels.
  - CBPQ is based on bandwidth guarantee. CBPQ makes full use of bandwidth
    resources in the case of bandwidth guarantee.
• The system supports the configuration of the parameters of a queue, such as the
  maximum queue length, WRED, low delay, SP/WRR weight, committed burst
  size (CBS), PBS, and statistics enabling.
• The system supports the configuration of parameters such as the CIR, PIR,
  number of queues, and scheduling algorithms between queues for each user.
• The system supports traffic statistics. It enables carriers to view the status of
  bandwidth use of each service. The users can thus analyze traffic and properly
  allocate bandwidth for services.
• The system supports the HQoS of VPLS, L3VPN, VLL, and TE.

5.7.8 QPPB
QoS policy propagation through the Border Gateway Protocol (QPPB) is a kind of
technology to propagate the QoS policy through BGP.
On the BGP receiver, you can:
• Set QoS parameters for BGP routes, such as IP precedence and traffic behavior,
  based on the attributes of the route.
• Set the receiver to classify traffic based on QoS parameters, and set a QoS policy
  for the classified traffic.
• Set the receiver to forward packets based on the QoS policy to realize QPPB.
On the BGP receiver, you can set QoS parameters, such as IP precedence and traffic
behavior, according to the following attributes of BGP routes:
• ACL
• AS path list
• Community attribute list
• Route cost
• Address prefix list

Figure 5-46 QPPB

[Figure 5-46 diagram not reproduced. It shows AS100 and AS200 with the labels
"Configure a QoS policy", "Advertise routing information", and "Packets filtered by
the QoS policy".]

In the complex network environment, the policy for route classification needs to be
changed from time to time. QPPB can simplify the change of the policy on the BGP
receiver. Using QPPB, you can change the routing policy on the BGP receiver by
changing that on the BGP sender.

5.7.9 Ethernet QoS


L2 Simple Traffic Classification
The CX600 supports simple traffic classification in accordance with the 802.1p value
in VLAN packets. On the ingress PE router, the 802.1p value in a Layer 2 packet can
be mapped to the precedence field of the upper layer protocol such as the IP DSCP
value or the MPLS EXP value. In this manner, the DiffServ is provided for the packet
in the backbone network. On the egress PE router, the precedence field of the upper
layer protocol is mapped back to the 802.1p value to keep the original Ethernet
precedence.

QinQ Simple Traffic Classification


After QinQ encapsulation, the 802.1p priority in the inner VLAN tag cannot be sensed:
the system adds an outer VLAN tag without sensing the 802.1p priority in the inner
VLAN tag. The classes of service are thus not distinguished.
In the process of QinQ implementation, the 802.1p value in the inner VLAN tag needs
to be sensed. You can set the following rules through commands to sense the 802.1p
value:
• Ignore the 802.1p value in the inner VLAN tag and set a new 802.1p value in the
  outer VLAN tag.
• Automatically set the 802.1p value in the inner VLAN tag as the 802.1p value in
  the outer VLAN tag.
• Set the 802.1p value in the outer VLAN tag according to the 802.1p value in the
  inner VLAN tag.
As shown in Figure 5-47, QinQ supports 802.1p remark in the following three modes:
• Setting a value (Pipe mode).
• Using the 802.1p value in the inner VLAN tag (Uniform mode).
• Mapping the 802.1p priority in the inner VLAN tag to a value in the outer VLAN
  tag. Multiple values in multiple inner VLAN tags can be mapped to the same
  value in the outer VLAN tag, but a value in an inner VLAN tag cannot be mapped
  to values in multiple outer VLAN tags.

Figure 5-47 Typical networking diagram of 802.1p Remark supported by QinQ

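[Figure 5-47 diagram not reproduced. It shows a CE connected to a PE at the edge of
the ISP network, with the label "Q-in-Q supports 802.1p remark".]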
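The three 802.1p remark modes listed above, applied to a raw Ethernet frame in an added Python example (not Huawei code and not part of the original document). The function names, the mode keywords, the outer TPID default of 0x8100, and the sample frame are assumptions made for the illustration.

```python
import struct

TPID_8021Q = 0x8100


def read_tag(frame, offset=12):
    """Return (pcp, vid) of the VLAN tag found at the given byte offset."""
    tpid, tci = struct.unpack_from("!HH", frame, offset)
    if tpid != TPID_8021Q:
        raise ValueError("no 802.1Q tag at offset %d" % offset)
    return tci >> 13, tci & 0x0FFF


def outer_pcp(mode, inner, fixed=None, mapping=None):
    """Choose the 802.1p value for the outer tag."""
    if mode == "pipe":
        # Ignore the inner value and set a configured one.
        if fixed is None:
            raise ValueError("pipe mode needs a fixed 802.1p value")
        pcp = fixed
    elif mode == "uniform":
        # Copy the inner value to the outer tag.
        pcp = inner
    elif mode == "map":
        # A dict gives exactly one outer value per inner value, while several
        # inner values may share one outer value (many-to-one only).
        if mapping is None or inner not in mapping:
            raise ValueError("no mapping for inner 802.1p value %d" % inner)
        pcp = mapping[inner]
    else:
        raise ValueError("unknown mode %r" % mode)
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p value must be 0..7")
    return pcp


def push_outer_tag(frame, outer_vid, mode, fixed=None, mapping=None,
                   tpid=TPID_8021Q):
    """Insert an outer VLAN tag in front of the customer tag."""
    if not 1 <= outer_vid <= 4094:
        raise ValueError("outer VLAN ID must be 1..4094")
    inner, _ = read_tag(frame)
    tci = (outer_pcp(mode, inner, fixed, mapping) << 13) | outer_vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def customer_frame(pcp, vid):
    """Constructed sample: a single-tagged IPv4 frame with dummy addresses."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return dst + src + tag + struct.pack("!H", 0x0800) + b"payload"


if __name__ == "__main__":
    frame = customer_frame(pcp=5, vid=100)
    table = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}
    for mode, kwargs in (("pipe", {"fixed": 2}), ("uniform", {}),
                         ("map", {"mapping": table})):
        out = push_outer_tag(frame, 1000, mode, **kwargs)
        print(mode, "outer", read_tag(out, 12), "inner", read_tag(out, 16))
```

In Uniform mode the outer priority is whatever the customer device wrote into the inner tag, whereas Pipe and mapping modes keep the provider-side priority under the operator's control.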

5.7.10 ATM QoS


At the edge of the ATM network, the router is responsible for access to the IP network.
Data is encapsulated in AAL5 frames such as IPoA and IPoEoA. Such frames are
decapsulated by the router and are forwarded to other types of interfaces, or are
forwarded to the Ethernet interface as Layer 2 Ethernet frames.
The IP network and the ATM network communicate through the IPoA technology. IPoA,
however, cannot effectively use all ATM functions. In addition, the scalability of ATM
applications is limited because of the use of the fully connected PVCs. As a result, the
IP network with Ethernet interfaces over 10 Gbit/s cannot communicate with the ATM
network; otherwise, traffic congestion may occur and QoS cannot be ensured.
Therefore, to ensure proper traffic planning and traffic policing for the interconnection
between the IP backbone network and the ATM backbone network, ATM QoS is
introduced.
The ATM network possesses the QoS capability. With the transition from the ATM
network to the IP/MPLS network, the QoS capability of the ATM network needs to be
kept. ATM QoS enables ATM cells with higher precedence to transfer with the same
precedence in the IP network. Similarly, it enables IP packets with higher precedence
to transfer with the same precedence in the ATM network.


Simple ATM Traffic Classification


When the ATM network is taken as the bearer layer of the IP network, however, the
QoS mechanisms of the ATM network and the IP network must be combined to obtain
end-to-end QoS.
By enabling ATM simple traffic classification on the interface, PVC, or PVP, you can
map the CoS and the CLP value to the internal priority of the router for upstream ATM
cells, and map the internal priority to the CoS and CLP value for downstream ATM
cells. Thus, various QoS services can be transmitted in different ATM networks.
ATM simple traffic classification supports:
• ATM transparent cell transport
• 1483R
• 1483B
The 1483R protocol is used to encapsulate IP packets to carry out IPoA service. The
1483B protocol is used to encapsulate Ethernet packets to carry out IPoEoA service.

Forced ATM Traffic Classification


Although ATM cells in the ATM network hold information about precedence, it is very
difficult to carry out IPoA, transparent cell transport, and IWF simple traffic
classification based on the precedence information. You can adopt forced traffic
classification on the upstream interface. That is, you can use command lines to set the
precedence and color manually for a specific PVC, interface (including the
sub-interface), or PVP, and carry information about the precedence and color to the
downstream interface.
As shown in Figure 5-48, on the upstream ATM interface of Router A, the precedence
and color for a specific flow can be set through command lines. Then the downstream
interface can carry out ATM QoS based on the value of the set precedence and color.

Figure 5-48 Forced ATM traffic classification

[Figure 5-48 diagram not reproduced. It shows CX-A and CX-B: the packet precedence
is set and the packet is marked on the upstream ATM interface, and the downstream
ATM interface specifies the outgoing queue (BE, AF1, ..., EF, CS6, CS7) for the flow
according to the precedence and color of the flow.]

ATM physical interfaces, ATM sub-interfaces, ATM PVCs, and ATM PVPs all support
forcible traffic classification.

5.7.11 FR QoS
FR has its own QoS that can be configured with PVCs to provide flexible services for
customers.

FRTS
Frame Relay Traffic Shaping (FRTS) is used on the outbound interface of the router to
limit the rate of packets sent from the VC.

FRTP
Frame Relay Traffic Policing (FRTP) is used on the inbound interface of the router to
monitor traffic received from the VC. If the traffic exceeds the specific value, the
packets are discarded.
FRTP can be used only on the Data Circuit-terminating Equipment (DCE) interface to
monitor traffic from the Data Terminal Equipment (DTE).

FR Congestion Management
The FR packet includes bits used for congestion management:
• Forward Explicit Congestion Notification (FECN)
  If it is 1, congestion occurs in the forward direction.
• Backward Explicit Congestion Notification (BECN)
  If it is 1, congestion occurs in the backward direction. If no backward packet is
  forwarded during a period, the router automatically sends a Q.922A Test Response
  whose BECN tag is 1 to the DTE.
• Discard Eligibility (DE)
  It specifies whether to discard the packet or not. If it is 1, the packet is discarded
  in the case of congestion.

Figure 5-49 Diagram of FR congestion management

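[Figure 5-49 diagram not reproduced. It shows CX-A (DTE) and CX-B (DCE) connected
to a Frame Relay network over an NNI, with the data direction, FECN, and BECN
indicated.]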

The system determines congestion based on the proportion of the current queue
length of the FR interface or the VC to the total length of the interface or the queue. If
the proportion exceeds the threshold, congestion is considered to have occurred. The
packets whose DE is 1 are discarded; otherwise, the FECN and BECN are set to 1.

You can set the congestion threshold in the following two ways:
• Set the congestion threshold of the interface in the interface view.
• Set the congestion threshold of the FR VC in the FR class view.
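The congestion bits and the threshold decision described above, as an added Python example working on the two-byte Q.922 address field (not Huawei code and not part of the original document). The function names and sample values are constructed; setting FECN on frames that travel in the congested direction and BECN on frames that travel the opposite way is the usual Frame Relay convention and is an assumption about how the rule in the text is applied.

```python
FECN, BECN, DE = 0x08, 0x04, 0x02     # bit masks in the second address byte


def build_frame(dlci, de=0, payload=b""):
    """Constructed frame: two-byte address field followed by the payload."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    byte0 = (dlci >> 4) << 2                              # upper 6 DLCI bits, C/R=0, EA=0
    byte1 = ((dlci & 0x0F) << 4) | (DE if de else 0) | 1  # lower 4 DLCI bits, EA=1
    return bytes([byte0, byte1]) + payload


def parse_address(frame):
    byte0, byte1 = frame[0], frame[1]
    if byte0 & 1 or not byte1 & 1:
        raise ValueError("not a two-byte Q.922 address field")
    return {
        "dlci": ((byte0 >> 2) << 4) | (byte1 >> 4),
        "fecn": bool(byte1 & FECN),
        "becn": bool(byte1 & BECN),
        "de": bool(byte1 & DE),
    }


def is_congested(queue_len, queue_cap, threshold):
    """Congestion: queue length / total length exceeds the configured threshold."""
    return queue_len / queue_cap > threshold


def process(frame, queue_len, queue_cap, threshold, direction="forward"):
    """Return (verdict, frame) for one frame on a VC or interface queue.

    direction is "forward" for frames entering the congested queue and
    "backward" for frames travelling the opposite way on the same VC.
    """
    if direction not in ("forward", "backward"):
        raise ValueError("direction must be 'forward' or 'backward'")
    if not is_congested(queue_len, queue_cap, threshold):
        return "send", frame
    if direction == "forward" and parse_address(frame)["de"]:
        return "discard", None                  # DE=1 frames go first
    bit = FECN if direction == "forward" else BECN
    return "send", bytes([frame[0], frame[1] | bit]) + frame[2:]


if __name__ == "__main__":
    normal = build_frame(100, de=0, payload=b"voice")
    excess = build_frame(100, de=1, payload=b"bulk")
    for label, frm, direction in (("DE=0 forward", normal, "forward"),
                                  ("DE=1 forward", excess, "forward"),
                                  ("DE=0 backward", normal, "backward")):
        verdict, out = process(frm, 80, 100, 0.75, direction)
        print(label, verdict, parse_address(out) if out else None)
```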

FR Queue Management
Normally, an FR interface has a queue while an FR VC has no queue. When the FR
interface is enabled with FR traffic shaping, all the VCs on the interface have their own
queues and the packets sent on the VC join in the queue first.
Figure 5-50 shows the relationship between the VC queue and the interface queue.

Figure 5-50 Diagram of FR queues

Virtual circuit queues

Interface queue

The FR interface supports the following queues:


• First In First Out (FIFO) Queuing
• Priority Queuing (PQ)
• Custom Queuing (CQ)
• Weighted Fair Queuing (WFQ)
• Class-Based Queuing (CBQ)
• Realtime Transport Protocol Priority Queuing (RTPQ)
• PVC Interface Priority Queuing (PVC PQ)

FR Fragmentation
In the process of transmitting voice with data, a large packet takes up the bandwidth
for a long period. As a result, the voice packet may be delayed or discarded and voice
quality is degraded.
FR fragmentation is used to shorten the delay to ensure the real-time voice. After FR
fragmentation configuration, a large data packet is disassembled into fragments and
the voice packet and the fragments can be transmitted alternately. In this way, the
voice packet can be processed on time and delay is shortened.

5.8 Load Balancing


In a scenario where there are multiple equal-cost routes to the same destination, the
CX600 can perform load balancing on traffic among these routes. The CX600
provides equal-cost load balancing and unequal-cost load balancing, which can be
selected as required. In equal-cost load balancing mode, traffic is evenly balanced
among different routes. In unequal-cost load balancing mode, traffic is balanced
among different routes based on the proportion of bandwidth of each interface.

5.8.1 Equal-Cost Load Balancing


The CX600 can implement even load balancing on the traffic transmitted through the
member links of an IP-Trunk or an Eth-Trunk. When there are multiple equal-cost
routes to the same destination, the CX600 can balance traffic evenly among these
routes.
The load balancing mode can be either session-by-session load balancing or
packet-by-packet load balancing. By default, the session-by-session load balancing is
adopted. The packet-by-packet load balancing can be configured as required.

5.8.2 Unequal-Cost Load Balancing


The CX600 supports the following unequal-cost load balancing modes:
• Load balancing based on routes: When the costs of different direct routes are the
  same, you can configure a weight for each route for load balancing.
• Load balancing based on interfaces: For an IP-Trunk or an Eth-Trunk, you can
  configure a weight for each member link for load balancing.
• Load balancing based on link bandwidth for IGP: In this mode, unequal-cost
  session-by-session load balancing is performed on the outbound interfaces of
  paths. The proportion of traffic transmitted along each path is approximate to or
  equal to the proportion of bandwidth of each link. This mode fully considers the
  link bandwidth, which prevents links with low bandwidth from being overloaded
  while links with high bandwidth are idle.
The CX600 can balance traffic between physical interfaces or between physical
interfaces and logical interfaces. In addition, the system can sense the changes of
bandwidth of logical interfaces due to manual configuration or the status changes of
member links. When the bandwidth of logical interfaces changes, traffic is
automatically balanced based on the new bandwidth proportion.

5.9 Traffic Statistics


The CX600 provides several types of traffic statistics functions. It can collect statistics
on access traffic of different users.
Traffic statistics have the following functions:
• Helping carriers to analyze the traffic model of the network
• Providing reference data for carriers to deploy and maintain DiffServ TE
• Supporting traffic-based accounting for the users that are not monthly-free

5.9.1 URPF Traffic Statistics


The CX600 collects statistics either on the overall traffic that complies with URPF or
on the discarded traffic that does not comply with URPF.


Figure 5-51 URPF traffic statistics

[Figure 5-51 diagram not reproduced. It shows packets entering a classifier, with
statistics collected at each stage. The default action for unmatched packets is Pass.
For packets that match rules, the action is performed: packets complying with URPF
are allowed to pass through, and packets not complying with URPF are discarded.]

5.9.2 ACL Traffic Statistics


The CX600 supports the ACL traffic statistics function. When the created ACLs are
applied to QoS and policy-based routing, the CX600 can collect statistics based on
ACLs after the ACL traffic statistics function is enabled. The system also provides
commands to query the number of matched ACL rules and bytes.

5.9.3 CAR Traffic Statistics


The CX600 provides numerous QoS features such as traffic classification, traffic
policing (CAR), and queue scheduling. For these QoS features, the CX600
provides the relevant QoS traffic statistics function.
• In traffic classification, the system can collect statistics on the traffic that matches
  rules and the traffic that fails to match rules.


Figure 5-52 Traffic statistics in traffic classification

[Figure 5-52 diagram not reproduced. It shows packets entering a classifier, with
statistics collected at each stage. The default action for unmatched packets is Pass.
For packets that match rules, the action is performed: filter, CAR, mirror, redirect,
re-mark, sample, URPF, or TTL check.]

• In traffic policing, the system supports statistics on the following traffic:
  - Total traffic that matches the CAR rule.
  - Traffic that is permitted or discarded by the CAR rule.

Figure 5-53 CAR traffic statistics

[Figure 5-53 diagram not reproduced. It shows packets checked against bucket C and
bucket E, with statistics collected for each outcome. If the tokens in bucket C are
enough, the packets marked green are allowed to pass through. If the tokens in
bucket C are not enough but the tokens in bucket E are enough, the packets marked
yellow are re-marked. If the tokens in bucket E are not enough, the packets marked
red are discarded. Packets are processed according to the color marked.]

• The system supports interface-based traffic statistics.
• When the same traffic policy is applied on various interfaces, the CAR traffic
  statistics in the traffic policy is based on the interface.

5.9.4 HQoS Traffic Statistics


The system supports the following statistics on traffic queues:
• Statistics on the number of forwarded packets, bytes, and discarded packets of
  the queues of eight priority levels
• Statistics on the number of forwarded packets, bytes, and discarded packets of
  the user group queue
• Statistics on the number of forwarded packets, bytes, and discarded packets of
  eight class queues on an interface

5.9.5 Interface-based Traffic Statistics


The system supports traffic statistics on an interface or a sub-interface.

5.9.6 VPN Traffic Statistics


The CX600 supports the following VPN statistics:
• In a VPLS network, the CX600 can collect statistics on incoming and outgoing
  traffic of the access L2VPN user when it runs as a PE router.
• In an L3VPN, the CX600 can collect statistics on incoming and outgoing traffic of
  access users of various types when it runs as a PE router. The access users
  include:
  - Users that access the network through interfaces including logical interfaces
  - Multi-role hosts
  - Users that access the network through the VPLS/VLL

5.9.7 TE Tunnel Traffic Statistics


When the CX600 runs as a PE router in the MPLS TE network, it supports statistics on
incoming and outgoing traffic of the tunnel. When the VPN is statically bound to the TE
tunnel, the system can collect statistics on traffic of each resource-isolated VPN over
the TE tunnel and the total traffic over the TE tunnel.
DS-TE supports the traffic statistics about each CT in a tunnel.

5.10 IP Compression
In the NGN bearer network, some carriers lack transmission resources. The
RTP/UDP/IP packet header, however, contains about 40 bytes in the IP NGN service.
For voice compression algorithms that work well, the voice data in each packet
occupies less than 30 bytes. In this case, the header overhead is high and the
transmission efficiency is low. The CX600 provides several compression algorithms.
The transmission efficiency of the network can thus be improved and the lack of
transmission resources can be solved.


CRTP
The Compressed Real-Time Protocol (CRTP) defined in RFC 2508 can compress the
40-byte RTP header including the UDP and IP headers into a header of 2-4 bytes. In
this manner, the lack of transmission resources is solved.
In the traditional network, voice over IP is supported through RTP, as shown in Figure
5-54.

Figure 5-54 Format of RTP packets

[Packet layout: PPP (8 bytes) | IP (20 bytes) | UDP (8 bytes) | RTP (12 bytes) |
Voice data (15-30 bytes). The fields in front of the voice data are labelled "Header
encapsulation".]

In the figure given above, the voice data occupies tens of bytes; the IP, UDP, and RTP
headers contain more than 40 bytes. In a session, half of the header bytes, such as
the source and destination IP addresses and the source and destination port numbers,
remain unchanged. Besides, the length field in the IP/UDP header is unnecessary
because the length can be obtained by calculating the length of the link layer header.
Differential coding can be performed on some of the fields that do change. After these
redundant fields are compressed, only 2-4 bytes need to be reserved (normally, two
bytes are kept; four bytes contain the UDP checksum), as shown in Figure 5-55.

Figure 5-55 Format of cRTP packets

[Packet layout: PPP (8 bytes) | cRTP (2-4 bytes) | Voice data (15-30 bytes). The fields
in front of the voice data are labelled "Header encapsulation".]

ECRTP
ECRTP is short for Enhanced Compression Real-Time Transport Protocol. CRTP has
to send FULL_HEADER packets frequently over links with a high packet loss ratio,
packet disordering, and long delays. This greatly affects the efficiency of compression.
RFC 3545 defines ECRTP to strengthen the CRTP functions and reduce the impact of
link quality on the efficiency of compression.
ECRTP changes the mode in which the compressor requests the decompressor to
update the context. In this manner, CRTP becomes more adaptable to the changes in
link quality in the following aspects:
The compressor regularly sends extended COMPRESSED_UDP packets to update
the context of the decompressor, so the context of the two ends can be synchronized.
The format of the packet is extended to carry more information about the changes in
the header.
If no UDP checksum is carried, the field of CRTP head checksum is added. According
to the CRTP head checksum, the decompressor determines whether errors occur
during decompression and makes a second try. This can reduce the packets lost
owing to the asynchronous state between two ends.
The compressor sends N+1 synchronization packets continuously. In this manner, if a
synchronization packet is lost, the context of two ends can remain synchronous. The
value of N can be determined according to the link quality.
CRTP applies to reliable point-to-point links with short delays. ECRTP applies to
low-rate links of poor quality with long delays, a high packet loss ratio, and packet
disordering. ECRTP is recommended for MPLS networks.

5.11 MSE Features


As a services router, the CX600 provides the Multi Service Edge (MSE) feature to
implement access management and control over DHCP, IPOE, or dedicated line
users.
MSE supports dynamic user access, user management, user-based authentication
and accounting, and user-based QoS. Meanwhile, MSE provides the BOD service for
enterprise users and DHCP users.

AAA
AAA is short for Authentication, Authorization, and Accounting. AAA provides
authentication, authorization, and accounting, which are performed in a domain.
AAA supports the following authentication modes:
• Non-authentication
• Local authentication
• Remote Authentication Dial-In User Service (RADIUS)
  In this mode, access users are authenticated by the RADIUS server. The
  RADIUS server can work in active/standby mode.
• Huawei Terminal Access Controller Access Control System (HWTACACS)
  In this mode, access users are authenticated by the HWTACACS server.
AAA supports the following authorization modes:
• Direct authorization: completely trusts users and directly authorizes them to pass
  through.
• Local authorization: authorizes users according to the configured attributes of
  user accounts.
• HWTACACS authorization: authorizes users through the HWTACACS server.
• If-authenticated authorization: authorizes users to pass through if they pass the
  authentication and the authentication mode is not non-authentication.
AAA supports the following accounting modes:
• Non-accounting: provides free services.
• Remote accounting: supports remote accounting through the RADIUS server or
  the HWTACACS server.


AAA supports prepaid services based on duration, traffic, or the combination of
duration and traffic. In addition, when the transmission of accounting stop packets fails,
AAA can generate an offline bill based on the accounting information and save the
offline bill to the local device.
If accounting copy to the RADIUS server is configured in the domain, the
accounting information is copied to the server after the accounting packets are sent.

Web Authentication Server


The CX600 provides the web authentication server, that is, the external web server.
The CX600 transparently transmits the response message from the RADIUS server to
the web authentication server. The CX600 allows setting the Portal version number
that is used when the CX600 communicates with the web server. By default, the Portal
version number is V2.0.
In Web authentication, after a user is successfully connected to the CX600 and
assigned an IP address, the user is not authorized to access the Internet before passing
authentication on a Web page.

DHCP Users, Dedicated Line Users


The CX600 supports the access of DHCP users and Layer 2/Layer 3/Layer 2 VPN
dedicated line users. Ethernet sub-interfaces, GE sub-interfaces, and Eth-Trunk
sub-interfaces can be configured as access interfaces to access users.
For DHCP users, the CX600 supports the DHCP relay mode and the DHCP server
mode. Users can be assigned addresses through the address pool on the local device
or through the DHCP server. The DHCP relay agent supports user access through
triggering.
The CX600 can allocate QoS resources and implement accounting for users
connected through access interfaces in host, location, or CE-VLAN mode. The CX600
also allows configuring the maximum number of users on interfaces.
The CX600 can restrict the number of access users. The CX600 can also enable or
disable the traffic statistics function for the downstream or upstream traffic of domain
users.
The CX600 can record the online or offline failures of users and supports querying the
records by domain name, access location, MAC address, slot number,
user type, or user name. The CX600 also supports querying the records by
user type, access location, user name, or any combination of them.

Static User
Static users refer to the users whose IP addresses, login interfaces, VLAN IDs, VPN
instances, or MAC addresses are specified by the system. Static users' IP addresses
are permanent instead of being allocated through DHCP.
The CX600 supports a maximum of 1024 static users.

User Login Triggered by ARP or IP Packets


When the link between a user and the CX600 is faulty but the user cannot sense the
fault, the CX600 sends an ARP request packet to the user to detect whether the user
is online. If the user has gone offline, the CX600 releases the resources related to the user
and deletes the user entry.
After the link recovers, the user resends an ARP request packet if the ARP entry of
the user has aged; if the ARP entry has not aged, the user sends IP packets.
To enable the user to log in again in this case, the CX600 supports user access
triggered by ARP or IP packets. That is, when the CX600 receives an ARP packet but
fails to find the related ARP entry, the login and authentication process of the user is
triggered.

Backup of User Information


The CX600 can save and restore the information about the users that log off
abnormally.
When a user logs off abnormally, the CX600 records information about the user.
Therefore, when the user logs in again through IP or ARP packet triggering, the
CX600 enables the user to enjoy related services again according to the saved user
information.

Controllable Multicast
Users connected through the access interface can receive multicast packets only after
passing authentication. Each access user can receive a maximum of four multicast
programs, that is, four multicast streams. Unauthorized programs are not sent to
access users.

QoS policy
The CX600 supports user-based HQoS to bind the configured QoS template to users.
The CX600 can control QoS based on the host, location, or CE-VLAN ID.
The CX600 also supports port-based, VLAN-based, user-based, or service-based
traffic shaping, and HQoS.

CoA or DM Logout
While users are online, the CX600 allows dynamically modifying authorization
information about users, which is known as Change of Authorization (CoA). While
maintaining the online status of users, the network administrator can modify the
service features of the RADIUS server and then dynamically change the services
used by users through the CoA packet. This authorization mode is referred to as
dynamic authorization.
CoA can modify the following user attributes:
• Minimum and maximum bandwidth
• Residual duration
• Residual traffic
• Controllable multicast program template
• Real-time charging interval
• User group
• Idle-cut time


When the residual traffic or duration is used up, the CX600 can send RADIUS DM
messages through the RADIUS server to inform the device to cut off the users.

BOD
BOD is a dynamic bandwidth allocation service. When users need to adjust
bandwidth, they can dynamically activate or deactivate the BOD service through the
Portal server without operator intervention. In addition, the BOD
service provides a more flexible service-based accounting mode for operators.
In addition to providing the BOD service for DHCP users, the CX600 provides the
BOD service for different services of enterprise users, including the Internet access
service and L3VPN and L2VPN internetworking.

5.12 Network Security


When the CX600 runs as the security gateway to access the customer's network and
the service system, it can provide the following functions:
• Advanced security system structure
• Abundant security protocols
• Strict service access control
Figure 5-56 Security features

[Figure: block diagram of the security features. Labels in the figure: the control plane; control information separated from the forwarding plane; secure VRP system; routing protocol MD5 authentication; filtering; routing security; management security; forwarding security; service access security; SSH; RADIUS; TACACS+; SYSLOG; NQA; bidirectional ACL; URPF; MIRROR; NETSTREAM; SINKHOLE; ARP attackproof; Layer 2 limit; DHCP snooping; port rate limit; broadcast/abnormal traffic suppression.]

The following section describes the security features that the CX600 supports.

5.12.1 Protocol Security Authentication


PPP supports the authentication methods of PAP and CHAP.
Routing protocols including RIPv2, OSPF, IS-IS, and BGP support plain text
authentication and MD5 encrypted text authentication.

LDP and RSVP support MD5 encrypted text authentication.


SNMP supports SNMPv3 encryption and authentication.

5.12.2 RPF/URPF
Unicast Reverse Path Forwarding (URPF) prevents network attacks that are based
on source address spoofing.
Generally, when receiving a packet, a router obtains the destination address of the
packet and searches the forwarding table for a route to the destination address. If a
route to the destination address is found, the packet is forwarded; otherwise, the
packet is discarded. When a packet arrives on a URPF-enabled interface, URPF
obtains the source address and inbound interface of the packet. URPF then uses the
source address as a destination address to retrieve the corresponding
interface and compares the retrieved interface with the inbound interface. If they do
not match, URPF considers the source address spoofed and discards the
packet. In this way, URPF can effectively prevent malicious attacks that are launched
by changing the source address.
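
The URPF lookup described above can be sketched as follows. This is an added example, not code from the CX600 or its documentation; the interface names, prefixes, and function names are constructed for illustration.

```python
import ipaddress


class Fib:
    """Forwarding table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []  # list of (network, interface)

    def add_route(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))
        # Keep the most specific prefixes first so the first hit is the best match.
        self.routes.sort(key=lambda route: route[0].prefixlen, reverse=True)

    def lookup(self, address):
        """Return the interface the best route for `address` points to, or None."""
        addr = ipaddress.ip_address(address)
        for network, interface in self.routes:
            if addr in network:
                return interface
        return None


def urpf_check(fib, src, in_if):
    """Treat the source address as a destination and compare interfaces."""
    back_if = fib.lookup(src)
    if back_if is None:
        return False, "no route back to source"
    if back_if != in_if:
        return False, "source is reachable via %s, not %s" % (back_if, in_if)
    return True, "ok"


def process(fib, packet, urpf_interfaces):
    """Return (action, detail) for a packet given as (src, dst, inbound interface)."""
    src, dst, in_if = packet
    if in_if in urpf_interfaces:
        ok, detail = urpf_check(fib, src, in_if)
        if not ok:
            return "discard", "URPF: " + detail
    out_if = fib.lookup(dst)
    if out_if is None:
        return "discard", "no route to destination"
    return "forward", out_if


def build_sample_fib():
    # Constructed topology: two customer-facing interfaces and one uplink.
    fib = Fib()
    fib.add_route("10.1.0.0/16", "GE1/0/1")
    fib.add_route("10.2.0.0/16", "GE1/0/2")
    fib.add_route("0.0.0.0/0", "GE2/0/0")
    return fib


# Constructed sample packets: (source, destination, inbound interface).
SAMPLE_PACKETS = [
    ("10.1.0.5", "203.0.113.9", "GE1/0/1"),    # genuine customer traffic
    ("10.2.0.7", "203.0.113.9", "GE1/0/1"),    # source belongs to the other customer
    ("198.51.100.7", "10.2.0.7", "GE1/0/1"),   # outside source claimed on a customer port
    ("198.51.100.7", "10.2.0.7", "GE2/0/0"),   # same source arriving on the uplink
]


def run_samples():
    fib = build_sample_fib()
    urpf_interfaces = {"GE1/0/1", "GE1/0/2"}   # URPF enabled on customer ports only
    return [process(fib, packet, urpf_interfaces) for packet in SAMPLE_PACKETS]


if __name__ == "__main__":
    for packet, result in zip(SAMPLE_PACKETS, run_samples()):
        print(packet, "->", result)
```

The third sample shows that a default route does not weaken the check on a customer port: the source resolves to the uplink, which differs from the inbound interface, so the packet is discarded.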

5.12.3 MAC Limit


With abundant MAC limit functions, the CX600 can provide various security solutions
for large-scale Layer 2 networks and VPLS networks.

MAC Address Limit


With the rapid development of Metro Ethernet, security plays a more important
role at the ingress of the MAN. In Metro Ethernet, a large number of individual
users access the Internet over Ethernet links, and it is common that hackers perform
MAC attacks on the network. The MAC address limit supported by the CX600 can
effectively defend the network against such attacks and guarantee the
security of the ISP network.
By limiting MAC address learning, the system can limit the number of
access MAC addresses of a customer to prevent the customer from occupying the
MAC address space of other customers; the system can also discard attack packets
at the ingress and prevent invalid packets from consuming bandwidth.
MAC address learning is the basic feature of Layer 2 forwarding. It is carried out
automatically and is easy to use. It must, however, be deployed with caution to avoid
attacks.
The CX600 supports the following types of limit to MAC address learning:
• Limit to the number of MAC addresses that can be learned
• Limit to the speed of MAC address learning
• Limit to interface-based MAC address learning
• Limit to MAC address learning based on VLAN+port
• Limit to MAC address learning based on port+VSI
• Limit to MAC address learning based on QinQ
MAC address learning limit can be applied to network environments that have fixed
access users and lack security, such as community access or an intranet
without security management. When the number of MAC addresses learnt by an
interface exceeds the configured threshold, the MAC address of a new access user is not
learnt. The traffic of this user is thus broadcast at a restricted transmission rate.

MAC Address Entry Deletion


In a VPLS or a Layer 2 network, the MAC address table is the key to forwarding. It
is, however, also vulnerable to attacks even though MAC entries are aged. MAC
entries need to be deleted to release MAC resources, minimizing the effect on other
services.
The CX600 provides the following types of MAC address entry deletion:
• Deletion of MAC address entries based on port+VSI
• Deletion of MAC address entries based on port+VLAN
• Deletion of MAC address entries based on the trunk interface
• Deletion of MAC address entries based on the outbound QinQ interface

5.12.4 Unknown Traffic Suppression


In the VPLS or Layer 2 network, unknown traffic limit supported by the CX600
functions as follows:
• Manages users' traffic.
• Allocates bandwidth to users.
In this manner, the network bandwidth is efficiently used and network security is
guaranteed.

5.12.5 DHCP Snooping


DHCP snooping, a DHCP security feature, filters untrusted DHCP messages by
creating and maintaining a binding table. The binding table contains the MAC address,
IP address, lease, binding type, VLAN ID, and interface information. DHCP snooping
acts as a firewall between DHCP clients and the DHCP server.
DHCP snooping is mainly used to prevent DHCP Denial of Service (DoS) attacks,
bogus DHCP server attacks, ARP middleman attacks, and IP/MAC spoofing attacks
when DHCP is enabled on the device.
The working mode of DHCP snooping varies with the type of attacks, as shown in
Table 5-2.

Table 5-2 Attack types and DHCP snooping working modes

Attack Type | DHCP Snooping Working Mode
DHCP exhaustion attack | MAC address limit
Bogus DHCP server attack | Trusted/Untrusted
Middleman attack and IP/MAC spoofing attack | DHCP snooping binding table
DoS attack by changing the value of the CHADDR | Check on the CHADDR field in DHCP messages
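
The four working modes in Table 5-2 can be seen together in one small model. This is an added example, not code from the CX600; the message layout, interface names, and addresses are constructed, and it assumes that the CHADDR check compares the CHADDR field with the source MAC address of the frame.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class Binding:
    # The fields the text lists for the binding table.
    mac: str
    ip: str
    lease: int
    binding_type: str
    vlan: int
    interface: str


@dataclass
class DhcpSnooping:
    trusted: set                                   # interfaces facing the real DHCP server
    mac_limit: int = 2                             # client MACs allowed per untrusted interface
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> Binding
    clients: dict = field(default_factory=dict)    # interface -> set of client MACs
    pending: dict = field(default_factory=dict)    # mac -> (interface, vlan)

    def on_dhcp(self, msg):
        """Filter one DHCP message; returns 'forward' or 'drop: <reason>'."""
        if msg["type"] in SERVER_MESSAGES:
            # Trusted/Untrusted: server replies are accepted from trusted ports only.
            if msg["in_if"] not in self.trusted:
                return "drop: server message on untrusted interface"
            if msg["type"] == "ACK" and msg["chaddr"] in self.pending:
                interface, vlan = self.pending.pop(msg["chaddr"])
                self.bindings[(vlan, msg["chaddr"])] = Binding(
                    msg["chaddr"], msg["yiaddr"], msg["lease"], "dynamic", vlan, interface)
            return "forward"
        if msg["in_if"] in self.trusted:
            return "forward"
        # CHADDR check (assumption: compared with the frame's source MAC).
        if msg["src_mac"] != msg["chaddr"]:
            return "drop: CHADDR differs from frame source MAC"
        # MAC address limit against DHCP exhaustion.
        known = self.clients.setdefault(msg["in_if"], set())
        if msg["chaddr"] not in known and len(known) >= self.mac_limit:
            return "drop: MAC address limit reached"
        known.add(msg["chaddr"])
        self.pending[msg["chaddr"]] = (msg["in_if"], msg["vlan"])
        return "forward"

    def source_allowed(self, in_if, vlan, mac, ip):
        """Check an ARP or IP packet from a client against the binding table."""
        if in_if in self.trusted:
            return True
        entry = self.bindings.get((vlan, mac))
        return entry is not None and entry.ip == ip and entry.interface == in_if


def client(msg_type, in_if, mac, chaddr=None, vlan=10):
    return {"type": msg_type, "in_if": in_if, "vlan": vlan,
            "src_mac": mac, "chaddr": chaddr or mac}


def server(msg_type, in_if, chaddr, yiaddr, lease):
    return {"type": msg_type, "in_if": in_if, "chaddr": chaddr,
            "yiaddr": yiaddr, "lease": lease}


def run_demo():
    # Constructed sequence of messages on a device whose server port is GE1/0/24.
    snoop = DhcpSnooping(trusted={"GE1/0/24"})
    a, b = "00:11:22:00:00:0a", "00:11:22:00:00:0b"
    log = [
        snoop.on_dhcp(client("DISCOVER", "GE1/0/1", a)),
        snoop.on_dhcp(server("OFFER", "GE1/0/2", a, "192.168.66.5", 60)),   # bogus server
        snoop.on_dhcp(server("ACK", "GE1/0/24", a, "10.0.0.5", 3600)),
        snoop.on_dhcp(client("DISCOVER", "GE1/0/2", b, chaddr="00:11:22:ff:ff:01")),
        snoop.on_dhcp(client("DISCOVER", "GE1/0/2", b)),
        snoop.on_dhcp(client("DISCOVER", "GE1/0/2", "00:11:22:00:00:0c")),
        snoop.on_dhcp(client("DISCOVER", "GE1/0/2", "00:11:22:00:00:0d")),  # third MAC
    ]
    checks = [
        snoop.source_allowed("GE1/0/1", 10, a, "10.0.0.5"),   # matches the binding
        snoop.source_allowed("GE1/0/2", 10, b, "10.0.0.5"),   # IP/MAC spoofing
        snoop.source_allowed("GE1/0/2", 10, a, "10.0.0.5"),   # right pair, wrong port
    ]
    return log, checks, snoop.bindings
```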


5.12.6 Local Anti-attack


The CX600 provides a uniform local anti-attack module to maintain and manage the
anti-attack policy of the whole system. An all-around anti-attack solution that is
operable and maintainable is thus provided for users.

Whitelist
The whitelist refers to a group of valid users or users with high priority. By setting
the whitelist, you can enable the system to protect existing services or user services
with high priority. You can define the whitelist through Access Control List (ACL)
rules. Then, the packets matching the whitelist are sent to the CPU preferentially at a
high rate.
Valid users that are confirmed to access the system normally and users with
high priority can be added to the whitelist.

Blacklist
The blacklist refers to a group of invalid users. You can define the blacklist through
ACL rules. Then, the packets matching the blacklist are discarded or sent to the CPU
with a low priority.
Invalid users that are confirmed to be involved in attacks can be added to the
blacklist.

User-defined Flows
User-defined flows are flows that the user defines through ACLs. They are applied when
unknown attacks emerge on the network. The user can flexibly specify the characteristics of the
attack data flows and limit the data flows that match the specified characteristics.

Active Link Protection


The CX600 protects the TCP-based application-layer data such as session data with
the whitelist function. When a session is set up, information about this session is
synchronized to the whitelist. This ensures that all sessions are protected by the
whitelist and are sent with high priority. This feature is called Active Link Protection
(ALP). Through ALP, the running of the existing services can be ensured in the case of
attacks.
When detecting that the session is deleted, the system deletes information about this
session from the whitelist.

Uniform Configuration of CAR Parameters


Committed Access Rate (CAR) is used to set the rate at which classified
packets are sent to the CPU. You can set the committed information rate (CIR), the committed
burst size (CBS), and the priority for each type of packets. With different CAR rules set
for various packets, the system can prevent the packets from affecting each
other and thus protect the CPU.
The CX600 provides convenient methods for configuring CAR parameters:
• Uniform configuration of CAR parameters for different LPUs
• Uniform user interface for configuration
• Configuration of CAR parameters with granularity at the protocol level
This makes the configuration interface more user-friendly.

Smallest Packet Compensation


The CX600 can efficiently defend the network against the attacks of small packets
with the smallest packet compensation function. After receiving the packets to be sent
to the CPU, the system detects the packet length.
• When the packet length is smaller than the preset minimum packet length, the
  system calculates the sending rate with the preset minimum length.
• When the packet length is greater than the preset minimum packet length, the
  system calculates the sending rate with the actual packet length.
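
The effect of per-protocol CAR and of smallest packet compensation can be shown with a token bucket. This is an added example, not the CX600 implementation; the CIR, CBS, minimum length, packet sizes, and rates are constructed values, and the class and function names are hypothetical.

```python
class Car:
    """Single-rate token bucket: CIR in bit/s, CBS in bytes."""

    def __init__(self, cir_bps, cbs_bytes, min_len=0):
        self.rate = cir_bps / 8.0      # bytes added per second
        self.cbs = cbs_bytes
        self.min_len = min_len         # 0 disables smallest packet compensation
        self.tokens = float(cbs_bytes)
        self.last = 0.0

    def admit(self, now, length):
        """Return True if a packet of `length` bytes may go to the CPU at time `now`."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.rate)
        self.last = now
        # Smallest packet compensation: a short packet is charged the preset minimum.
        cost = max(length, self.min_len)
        if cost > self.tokens:
            return False
        self.tokens -= cost
        return True


class CpuCar:
    """One CAR per protocol, so a flood of one type cannot starve another."""

    def __init__(self, rules):
        self.cars = {proto: Car(*args) for proto, args in rules.items()}

    def admit(self, now, proto, length):
        car = self.cars.get(proto)
        return car is not None and car.admit(now, length)


def flood(car, length, pps, seconds=1):
    """Count packets admitted from a constant stream of `pps` packets per second."""
    return sum(car.admit(i / pps, length) for i in range(pps * seconds))


def mixed_load(seconds=1):
    """A 10000 pps ARP flood next to 10 BGP packets per second (constructed load)."""
    guard = CpuCar({"arp": (64000, 8000, 128), "bgp": (64000, 8000, 128)})
    admitted = {"arp": 0, "bgp": 0}
    for i in range(10000 * seconds):
        now = i / 10000
        admitted["arp"] += guard.admit(now, "arp", 42)
        if i % 1000 == 0:
            admitted["bgp"] += guard.admit(now, "bgp", 59)
    return admitted


if __name__ == "__main__":
    print("40-byte flood, no compensation:", flood(Car(64000, 8000), 40, 10000))
    print("40-byte flood, 128-byte minimum:", flood(Car(64000, 8000, 128), 40, 10000))
    print("mixed load:", mixed_load())
```

With the same CIR and CBS, charging each 40-byte packet as 128 bytes cuts the number of packets that reach the CPU in one second from 399 to 124, while the BGP packets in the mixed load are all admitted because they have their own bucket.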

Application-layer Service Association


The CX600 supports the application-layer service association. The system
dynamically detects the enabled application-layer information. When detecting that
the application-layer services are started, the system accepts the packets of the
application-layer services and sends them to the CPU; when detecting that the
application-layer services are closed, the system discards the packets of the services
or sends the packets of the services with restricted bandwidth.

Local URPF
URPF detects the packets forwarded and transmitted from the local devices at the
ingress of a network. In large-scale networks, local URPF can be enabled on local
devices to prevent impact on the forwarding performance. This allows URPF to detect
only the validity of source addresses of packets on the local devices. Thus, invalid
packets are discarded. This prevents the source address spoofing attacks.

Management and Service Plane Protection


Interfaces on routers are classified into management interfaces and non-management
interfaces. Management packets can be sent to the routers through management
interfaces. On MANs, the downstream interfaces on routers to connect users are
generally non-management interfaces.
To prevent the devices from being controlled by hackers through non-management
interfaces or by flooding management packets, the CX600 provides management
plane protection. This allows the management packets to be received only from
management interfaces. The management packets are thus controllable.

Defense Against TCP/IP Packet Attacks


In current networks, attacks on TCP/IP networks are increasing and have a
great impact. The CX600 provides the following defense measures against attacks on
TCP/IP networks:
• Defective packet attack: the attacker sends a defective IP
  packet to a targeted system, causing the system to crash while processing
  the packet. The system discards the following defective packets after
  they are identified through the forwarding engine and software:
  - IP packets with null load
  - Null IGMP packets
  - TCP SYN packets whose source and destination IP addresses are the same (LAND attacks)
  - ICMP Echo Request packets whose destination addresses are broadcast
    addresses or subnet broadcast addresses (Smurf attacks)
  - TCP packets in flag bit attacks, in which the six flag bits (URG, ACK, PSH, RST,
    SYN, and FIN) are all 1s, the six flag bits are all 0s, or the SYN and FIN bits are
    both 1s
• Fragmented packet attack: the system cannot handle normal
  requests from users or goes Down because the CPU is busy with
  fragmented packets. When the fragmented packets are identified by the
  forwarding engine and software, the system implements CPCAR to limit the rate
  at which repetitive fragmented packets are sent to the CPU. The software ensures the
  correctness of packet reassembly or discards the packets whose reassembly
  fails.
  - Attacks of a huge number of fragments or attacks of packets that have a
    large offset value
  - Repetitive fragmented packets
  - Tear Drop, syndrop, nesta, fawx, bonk, NewTear, Rose, Ping of death, and Jolt
    attacks
• TCP SYN: The system can identify TCP SYN packet flooding and implement
  CAR on LPUs.
• UDP flood: The system can identify packets in Fraggle attacks and attack packets
  on UDP diagnosis ports. The system can discard those packets or filter out the
  packets on LPUs.
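
The defective packet checks in the first list item can be expressed as a classifier over raw IPv4 packets. This is an added example, not CX600 code; the sample packets and addresses are constructed, checksums are left at zero, and it assumes that a "null" IGMP packet is one whose payload is shorter than the 8-byte IGMP header.

```python
import ipaddress
import struct

FIN, SYN = 0x01, 0x02
ALL_FLAGS = 0x3F                       # URG, ACK, PSH, RST, SYN, FIN
ICMP, IGMP, TCP, UDP = 1, 2, 6, 17
ECHO_REQUEST = 8
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify(packet, local_networks=()):
    """Return why an IPv4 packet is defective, or None if it passes these checks."""
    if len(packet) < 20:
        return "truncated IP header"
    (ver_ihl, _tos, total_len, _ident, frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not (ihl <= total_len <= len(packet)):
        return "malformed IP header"
    payload = packet[ihl:total_len]
    if proto == IGMP and len(payload) < 8:     # assumption, see the lead-in
        return "null IGMP packet"
    if not payload:
        return "IP packet with null load"
    if frag & 0x1FFF:
        return None    # later fragment: it carries no layer 4 header to inspect
    if proto == TCP:
        if len(payload) < 20:
            return "truncated TCP header"
        flags = payload[13] & ALL_FLAGS
        if flags == ALL_FLAGS:
            return "TCP flag bits all 1s"
        if flags == 0:
            return "TCP flag bits all 0s"
        if flags & SYN and flags & FIN:
            return "TCP SYN and FIN both set"
        if flags & SYN and src == dst:
            return "LAND: TCP SYN with identical source and destination"
    elif proto == ICMP and payload[0] == ECHO_REQUEST:
        target = ipaddress.IPv4Address(dst)
        broadcasts = [ipaddress.ip_network(n).broadcast_address for n in local_networks]
        if target == LIMITED_BROADCAST or target in broadcasts:
            return "Smurf: ICMP Echo Request to a broadcast address"
    return None


def ipv4(src, dst, proto, payload=b"", frag=0):
    """Build a sample IPv4 packet (constructed input, checksum not computed)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def tcp(flags, sport=40000, dport=179):
    """Build a sample 20-byte TCP header with the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def classify_samples():
    host, router = "192.0.2.10", "192.0.2.1"
    echo = bytes([ECHO_REQUEST, 0, 0, 0, 0, 1, 0, 1])
    samples = {
        "normal SYN": ipv4(host, router, TCP, tcp(SYN)),
        "LAND": ipv4(router, router, TCP, tcp(SYN)),
        "all flags": ipv4(host, router, TCP, tcp(ALL_FLAGS)),
        "no flags": ipv4(host, router, TCP, tcp(0)),
        "SYN+FIN": ipv4(host, router, TCP, tcp(SYN | FIN)),
        "Smurf": ipv4(host, "192.0.2.255", ICMP, echo),
        "ping": ipv4(host, router, ICMP, echo),
        "null IP": ipv4(host, router, UDP),
        "null IGMP": ipv4(host, "224.0.0.1", IGMP),
        "later fragment": ipv4(host, router, TCP, b"\x00" * 8, frag=185),
    }
    return {name: classify(pkt, ["192.0.2.0/24"]) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print("%-15s %s" % (name, verdict or "pass"))
```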

Attack Source Tracing


When the CX600 is attacked, it obtains and stores suspicious packets. After the
packets are formatted, you can use commands or offline tools to view the packets.
This helps to locate the source of attacks easily.
When attacks occur, the system automatically removes the data encapsulated in
the layers above the transport layer and then caches the packets in the memory.
When the number of packets in the cache reaches a certain amount, for example,
20000 packets on each LPU, the earliest packets are overwritten as more packets
are cached.

5.12.7 GTSM
Currently, some attackers on the network simulate valid packets to attack a router. As
a result, the finite resources of the router, such as the CPU on the SRU/MPU, are heavily
loaded and consumed. For example, the attacker continuously sends simulated BGP
protocol packets to a router. After the LPU of the router receives the packets destined
for the local host, the LPU sends the packets to the BGP processing module of the
CPU on the SRU/MPU without identifying the validity of the packets. As a result, the
system is abnormally busy, with a high CPU utilization rate, while the SRU/MPU of
the router processes these seemingly valid packets.
To avoid the preceding attacks, the CX600 provides the GTSM. The GTSM protects
services of the upper layer over the IP layer by checking whether the TTL value in the
IP header is within the specified range. In applications, the GTSM is used to protect
the TCP/IP-based control layer, such as routing protocols, against
CPU-utilization attacks such as CPU overload.
The CX600 supports the following types of GTSM:

5.12.8 ARP Attack Defense


In the current ISP network, Ethernet is commonly used for access. ARP runs as an
open protocol on the Ethernet, offering opportunities for malicious attackers. Malicious
attackers attack the network from the perspectives of space and time.
• Space-based attacks exploit the finite ARP buffer of a
  router. The attacker sends a large number of simulated ARP request and response
  messages to the router. As a result, the ARP buffer overflows and normal ARP
  entries cannot be buffered. Normal forwarding is thus interrupted.
• Time-based attacks exploit the finite
  processing capability of a router. The attacker sends a large number of simulated
  ARP request, response, or other packets that can trigger the router to perform
  ARP processing. As a result, the computation resources of the router are busy
  with ARP processing for a long period and other services cannot be processed.
  Normal forwarding is thus interrupted.

Interface-based ARP Entry Restriction


The interface-based ARP entry restriction function effectively minimizes the attacked
range when the ARP entry overflow attack occurs. The attacked range is restricted in
the interface. In this manner, other interfaces of the board or the whole system are not
affected.

Timestamp-based Scanning-proof
The timestamp-based scanning-proof function can identify a scanning attack in
time and suppress the processing of the requests generated by the scanning,
regardless of whether it is an ARP scanning attack or an IP
scanning attack. In this way, the CPU is protected from attacks.

ARP Bidirectional Isolation


As ARP request packets come from the outside of a device and can be initiated at any
time, the device cannot distinguish between normal packets and attack packets when
the ARP request packets carry valid IP addresses.
According to the analysis of actual ARP attacks on some networks, the ARP attack
traffic comprises 50% ARP request packets and 50% ARP response packets.
Therefore, a solution to the attacks of numerous ARP packets must be based on the
two aspects: ARP request packets and ARP response packets.
ARP bidirectional isolation enables a device to process ARP request packets and ARP
response packets separately.
• The device performs stateless responses for ARP request packets. That is, the
  device generates neither ARP entries nor relevant states after replying to the
  ARP request packets. Without sending the ARP request packets to the CPU for
  processing, the device defends the ARP table of the gateway against address
  spoofing attacks by ARP request packets.
• The device processes only the ARP response packets that answer ARP request
  packets sent by its CPU. ARP response packets that do not answer ARP request
  packets sent by its CPU are discarded. The normal ARP request packets
  can thus be promptly processed.

Filtering of Invalid ARP Packets


The CX600 filters out the following types of ARP packets:
• Invalid ARP packets such as the ARP request packets with the destination MAC
  address as a unicast address, the ARP request packets with the source MAC
  address as a non-unicast address, and the ARP reply packets with the
  destination MAC address as a non-unicast address
• Gratuitous ARP packets
• ARP request packets whose destination MAC address is not null
You can configure the system to filter out one or more kinds of packets mentioned
above through command lines.
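
The invalid-packet filters listed above and the bidirectional isolation described in the previous section can be combined in one receive path. This is an added example, not CX600 code; the frames and addresses are constructed, the names are hypothetical, and it assumes that "destination MAC address is not null" refers to the target hardware address inside the ARP request.

```python
import struct

REQUEST, REPLY = 1, 2
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return bytes(int(part) for part in text.split("."))


def is_unicast(address):
    return (address[0] & 1) == 0   # group bit clear means unicast


def build(oper, eth_dst, eth_src, sha, spa, tha, tpa):
    """Build an Ethernet + ARP frame; used only to construct the sample input."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, 0x0806) +
            struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa))


def parse(frame):
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    if oper not in (REQUEST, REPLY):
        return None
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def invalid_reason(p, drop_gratuitous=True, require_null_target=True):
    """The invalid-ARP filters from the text; the last two can be switched off."""
    if p["oper"] == REQUEST:
        if is_unicast(p["eth_dst"]):
            return "request with unicast destination MAC"
        if not is_unicast(p["eth_src"]):
            return "request with non-unicast source MAC"
        # Assumption: "destination MAC is not null" means the ARP target hardware address.
        if require_null_target and p["tha"] != ZERO_MAC:
            return "request with non-null target MAC"
    elif not is_unicast(p["eth_dst"]):
        return "reply with non-unicast destination MAC"
    if drop_gratuitous and p["spa"] == p["tpa"]:
        return "gratuitous ARP"
    return None


class ArpGuard:
    """Bidirectional isolation: stateless for requests, solicited-only for replies."""

    def __init__(self, my_ip, timeout=1.0):
        self.my_ip, self.timeout = my_ip, timeout
        self.pending = {}   # IP this device asked about -> expiry time of the request
        self.table = {}     # IP -> MAC, learned only from solicited replies

    def send_request(self, target_ip, now):
        self.pending[target_ip] = now + self.timeout

    def receive(self, frame, now):
        p = parse(frame)
        if p is None:
            return "drop: malformed ARP frame"
        reason = invalid_reason(p)
        if reason:
            return "drop: " + reason
        if p["oper"] == REQUEST:
            # Answer requests for our own address, but create no entry or state.
            return "reply, nothing learned" if p["tpa"] == self.my_ip else "ignore"
        expires = self.pending.pop(p["spa"], None)
        if expires is None or now > expires:
            return "drop: reply to a request this device did not send"
        self.table[p["spa"]] = p["sha"]
        return "learn"


def run_demo():
    gw_ip, gw_mac = ip("192.0.2.1"), mac("02:00:00:00:00:01")
    host_ip, host_mac = ip("192.0.2.10"), mac("02:00:00:00:00:10")
    other = mac("02:00:00:00:00:66")
    guard = ArpGuard(gw_ip)
    request = build(REQUEST, BROADCAST, host_mac, host_mac, host_ip, ZERO_MAC, gw_ip)
    unsolicited = build(REPLY, gw_mac, other, other, host_ip, gw_mac, gw_ip)
    genuine = build(REPLY, gw_mac, host_mac, host_mac, host_ip, gw_mac, gw_ip)
    unicast_req = build(REQUEST, gw_mac, host_mac, host_mac, host_ip, ZERO_MAC, gw_ip)
    gratuitous = build(REQUEST, BROADCAST, other, other, host_ip, ZERO_MAC, host_ip)
    results = [guard.receive(request, 0.0), guard.receive(unsolicited, 0.1)]
    guard.send_request(host_ip, 0.2)
    results += [guard.receive(genuine, 0.3), guard.receive(unsolicited, 0.4),
                guard.receive(unicast_req, 0.5), guard.receive(gratuitous, 0.6)]
    return results, guard.table
```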

ARP VLAN CAR


ARP VLAN CAR is mainly applied to the scenario where packets are processed based
on the interface number and VLAN ID. This ensures that VLANs are isolated when
attacks occur. The attack against one VLAN does not spread to other VLANs. This
minimizes the impact of attacks on devices and services.
The CX600 can perform CAR twice on the ARP packets sent to the CPU. ARP VLAN
CAR is the second CAR implementation, which can be configured by users.
CAR is implemented for the first time before the ARP packets are sent to the CPU.
When the number of ARP packets to be sent to the CPU exceeds the value set in
CAR rules, the excessive packets are discarded. At the same time, CAR is
implemented for the second time on the remaining ARP packets. If the number of ARP
packets to be sent to the CPU is smaller than the value set in CAR rules, all the ARP
packets are sent to the CPU directly.

5.12.9 Mirroring
Mirroring means that the system copies the packets received on a node in the network
to a specified observing port, without interrupting services. Users can specify the
number of the port to be observed and connect the packet analysis equipment to
the observing port to observe the traffic. In local mirroring, the observing port and
mirroring port reside on the same device. In remote mirroring, the observing port and
mirroring port reside on different devices. The CX600 supports both local mirroring
and remote mirroring.
Mirroring is divided into the following types according to the requirements for the
packets to be copied:
• Port mirroring: The packets received and sent by a mirroring port are completely
  copied to a specific observing port.
• Flow mirroring: On the basis of traffic classification, the packets that match
  specific rules are copied and other packets are filtered out. By filtering out
  the packets that are of no concern, the system can control
  packets with fine granularity. The efficiency of the packet analysis equipment can
  thus be improved.


Mirroring is divided into the following types according to the direction in which the
packets are copied:
• Upstream mirroring: All packets or the packets that match specific rules received
  by a mirroring port are copied to a specific observing port.
• Downstream mirroring: All packets or the packets that match specific rules to be
  sent by a mirroring port are copied to a specific observing port.

Local Mirroring
Figure 5-57 shows the networking diagram of applying local mirroring.

Figure 5-57 Networking diagram of applying local mirroring

[Figure: Network1 connects to PortA and Network2 to PortB of the router; inbound and outbound packets are copied as mirroring packets through PortC to the packet analysis equipment.]

Network 1 and Network 2 are connected through the router. When the incoming packets
from Network 1 on Port A need to be monitored, you can copy the incoming packets on
Port A as mirroring packets. While the incoming packets are forwarded normally, the
mirroring packets are forwarded through Port C to the packet analysis equipment
for processing. In certain cases, both the incoming packets and outgoing packets to
and from Network 1 need to be monitored. The router can then copy the incoming and
outgoing packets on Port A to the observing port.
In local mirroring, a physical observing port and multiple logical observing ports can
be configured on an LPU. Multiple mirroring ports can be configured on an LPU.
• Mirroring ports in local mirroring can be Ethernet interfaces and sub-interfaces,
  low-speed serial interfaces channelized from POS interfaces, MFR interfaces, or
  MP interfaces.
• Observing ports in local mirroring can be Ethernet interfaces and sub-interfaces,
  POS interfaces, Eth-Trunks and Eth-Trunk sub-interfaces, or IP-Trunks.
When downstream mirroring is implemented in local mirroring, inter-LPU mirroring
is supported. That is, the observing port and mirroring port can be configured on
different LPUs. If the observing port is a logical interface, the system can apply
CAR to the local mirroring packets.

Remote Mirroring
Compared with local mirroring, remote mirroring features the following:
• Network maintenance engineers can analyze mirroring packets from remote
  devices rather than being on site.
• A network maintenance engineer can analyze mirroring packets on different sites,
  which saves human resources.
Figure 5-58 shows the networking diagram of applying remote mirroring.

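Figure 5-58 Networking diagram of applying remote mirroring

[Figure: Customer1 and Customer2 access the IP/MPLS backbone network through CX-C and CX-D; CX-A and CX-B are on the backbone network, and the packet analysis equipment is attached to CX-B.]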

CX-A and CX-B are edge routers on the IP/MPLS backbone network. Customer 1 and
Customer 2 access the backbone network through CX-C and CX-D respectively. To
maintain the network, analyze attacks, and locate faults, you need to check whether
the protocol packets sent from or received by CX-A are correct, or you need to check
whether the sub-interfaces of a VPN user bound to CX-C are attacked. In this case,
you need to copy to CX-B a type of protocol packets received by CX-A, protocol packets
sent from CX-A to CX-C, or packets received by sub-interfaces on CX-A. CX-B
then forwards the preceding packets to the packet analysis equipment for analysis.
In remote mirroring, data from the mirroring port is copied and then the copy of data is
sent over a specified tunnel to a remote destination router where the remote
observing port resides. The remote observing port then forwards the copy of data to
the packet analysis equipment. Data transmitted from a mirroring port to a remote
observing port forms a flow. If there are two pieces of data transmitted from two
mirroring ports to a remote observing port, these two pieces of data form two flows.
The CX600 provides MPLS LSPs, MPLS TE tunnels, and GRE tunnels for remote
mirroring.
In remote mirroring, multiple observing ports and mirroring ports can be configured on
an LSP.
• Mirroring ports in remote mirroring can be Ethernet interfaces and sub-interfaces,
Eth-Trunks and Eth-Trunk sub-interfaces, IP-Trunks, low-speed serial interfaces,
MP interfaces, or MFR interfaces.
• Observing ports in remote mirroring can be Ethernet interfaces and
sub-interfaces, POS interfaces, Eth-Trunks and Eth-Trunk sub-interfaces, or
IP-Trunks.
In remote mirroring, the mirroring packets can be intercepted.

5.12.10 NetStream
The Internet is developing rapidly. It provides more bandwidth resources, but it also
requires finer-grained network monitoring and management. A technology that meets
these demands is therefore urgently needed.
NetStream is a technology that is based on network traffic statistics. It collects
statistics on traffic flows and resource usage in the network accordingly, and monitors
and manages the network based on types of services and resources. NetStream
provides the following functions:
• Accounting
NetStream provides detailed statistics for accounting based on resource
occupation (such as links, bandwidth, and time periods). Statistics such as IP
addresses, number of packets and bytes, transmission time, ToS fields, and
application types are collected. Based on the collected statistics, the ISP can
charge users flexibly based on time periods, bandwidth, application, or QoS.
Enterprise customers can count the expenses of each department or distribute
costs according to this information to make effective use of resources.
• Network planning and analysis
NetStream provides key information for advanced network management tools to
optimize the network design and planning. The best network performance and
reliability are thus achieved at the minimum network operation cost.
• Network monitoring
NetStream implements real-time network monitoring. Remote monitoring
(RMON), RMON-2, and flow-based analysis technologies visually display the
flow mode on a single router or on routers across the network. This provides the
basis for fault pre-detection and effective fault rectification.
• Application monitoring and analysis
NetStream provides detailed application statistics about the network. For
example, the network administrator can view the proportion of each application,
such as Web, the File Transfer Protocol (FTP), Telnet, and other TCP/IP
applications, in network traffic. The ISP then properly plans and allocates network
application resources to meet the users' requirements according to these
application statistics.
• Abnormal traffic detection
NetStream detects abnormal traffic, such as network attack traffic of various
types, in real time. NetStream ensures network security by means of
NMS alarms and cooperation with devices.
NetStream consists of three devices: NetStream Data Exporter (NDE), NetStream
Collector (NSC), and NetStream Data Analyzer (NDA). The relations among the three
devices are shown in Figure 5-59.


Figure 5-59 Diagram of NetStream data collection and analysis
[Figure labels: NSC, NDA, NSC]
The NDE samples packets and exports the information to the NSC. The NSC is
responsible for analyzing and collecting the statistics data from the NDE. The NDA
analyzes the statistics data and then provides the basis for various services, such as
network accounting, network planning, network monitoring, application monitoring,
and analysis.
The CX600 can run as an NDE to sample packets, aggregate flows, and output flows.
Depending on where packets are sampled and flows are processed, NetStream on the
CX600 is classified into distributed NetStream and integrated NetStream. Distributed
NetStream supports load balancing among multiple NetStream boards.
• Distributed NetStream: An LPU can sample packets, aggregate flows, and output
flows independently.
• Integrated NetStream: Some LPUs do not support integrated NetStream. They
only sample packets and then send the sampled packets to the NetStream SPU
for integrated processing of flow aggregation and output.
The CX600 provides the following sampling functions:
• Supports sampling on the inbound and outbound interfaces. Some boards support
sampling on the inbound interface.
• Supports interface-based sampling and traffic-classification-based sampling.
• Supports sampling on IPv4 unicast/multicast packets, fragmented packets, MPLS
packets, and MPLS L3VPN packets.
• Supports regular packet sampling, random packet sampling, regular time
sampling, and random time sampling.
• Supports sampling of various physical and logical interfaces such as POS
interfaces, Ethernet interfaces, VLAN sub-interfaces, serial/MP/FR PVC/FR MP
interfaces provided by CPOS interfaces, ATM interfaces, FR interfaces, RPR
interfaces, trunk interfaces, VLANIF interfaces, and GRE interfaces.
The CX600 provides the following aggregation and output functions:
• Supports ten aggregation modes for IPv4: as, as-tos, protocol-port,
protocol-port-tos, source-prefix, source-prefix-tos, destination-prefix,
destination-prefix-tos, prefix, and prefix-tos.
• Supports aggregation of MPLS packets based on three-layer labels.


• Outputs the generated statistics in v5, v8, and v9 formats. When the packets are
output in the v9 format, both the 16-bit and 32-bit indexes are supported, which
can be set through commands as required.
• Each aggregated flow can be output to two NMS servers.
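The ten IPv4 aggregation modes named above, shown as an added example (not Huawei code) that collapses flow records into one counter set per aggregation key. The key fields chosen for each mode are a simplified assumption derived from the mode names, and the flow records are constructed with documentation addresses and AS numbers.

```python
from collections import defaultdict
from ipaddress import ip_network
from typing import NamedTuple


class Flow(NamedTuple):
    """One flow record; the field set is an assumption for this example."""
    src: str
    dst: str
    src_mask: int
    dst_mask: int
    src_as: int
    dst_as: int
    proto: int
    src_port: int
    dst_port: int
    tos: int
    packets: int
    octets: int


# Assumed, simplified key per base mode; each "-tos" variant appends the ToS byte.
BASE_KEYS = {
    "as": ("src_as", "dst_as"),
    "protocol-port": ("proto", "src_port", "dst_port"),
    "source-prefix": ("src_prefix",),
    "destination-prefix": ("dst_prefix",),
    "prefix": ("src_prefix", "dst_prefix"),
}
ALL_MODES = tuple(base + suffix for base in BASE_KEYS for suffix in ("", "-tos"))

# Constructed sample records (documentation prefixes and AS numbers).
FLOWS = [
    Flow("198.51.100.10", "203.0.113.5", 24, 24, 64500, 64510, 6, 51000, 80, 0, 10, 5200),
    Flow("198.51.100.11", "203.0.113.5", 24, 24, 64500, 64510, 6, 51001, 80, 0, 8, 4100),
    Flow("198.51.100.77", "203.0.113.9", 24, 24, 64500, 64510, 6, 40000, 21, 0, 4, 300),
    Flow("192.0.2.33", "203.0.113.5", 24, 24, 64501, 64510, 17, 5060, 5060, 184, 100, 20000),
    Flow("192.0.2.34", "203.0.113.5", 24, 24, 64501, 64510, 6, 51000, 80, 0, 3, 180),
]


def field_value(flow, field):
    """Resolve a key field; prefixes are derived from address and mask length."""
    if field == "src_prefix":
        return str(ip_network(f"{flow.src}/{flow.src_mask}", strict=False))
    if field == "dst_prefix":
        return str(ip_network(f"{flow.dst}/{flow.dst_mask}", strict=False))
    return getattr(flow, field)


def key_fields(mode):
    """Return the tuple of key fields for one of the ten mode names."""
    with_tos = mode.endswith("-tos")
    base = mode[:-4] if with_tos else mode
    if base not in BASE_KEYS:
        raise ValueError(f"unknown aggregation mode: {mode}")
    return BASE_KEYS[base] + (("tos",) if with_tos else ())


def aggregate(flows, mode):
    """Merge all flows that share the same key into one aggregated entry."""
    fields = key_fields(mode)
    table = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
    for flow in flows:
        entry = table[tuple(field_value(flow, f) for f in fields)]
        entry["flows"] += 1
        entry["packets"] += flow.packets
        entry["octets"] += flow.octets
    return dict(table)


def top(table, metric="packets", n=3):
    """Rank aggregated entries, for example to spot an unusually heavy source."""
    return sorted(table.items(), key=lambda kv: kv[1][metric], reverse=True)[:n]


if __name__ == "__main__":
    for mode in ALL_MODES:
        print(mode, len(aggregate(FLOWS, mode)), "entries")
    print(top(aggregate(FLOWS, "source-prefix"), n=1))
```

A coarser mode yields fewer entries for the collector to store, at the cost of detail: the same five records become one entry under destination-prefix and four under protocol-port.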

5.12.11 Lawful Interception


Lawful interception means that law enforcement agencies lawfully intercept user
information after being authorized.
In lawful interception, the following information is intercepted:
• CC: the contents of the communication such as emails and VoIP packets
• IRI: information related to the communication, including the address, time, and
network location
The contents of communication (CC) and intercepted related information (IRI) can be
provided by the network devices of the carrier. The IRI is generally provided by the
AAA server. The CC is provided by the interception device, for example, the CX600.
Figure 5-60 shows the scenario for lawful interception.

In this scenario, the IRI is provided by the AAA server and the CC is provided by the CX600.

Figure 5-60 Scenario for lawful interception
[Figure labels: Interception center 1, Interception center 2, ..., Interception center N; Interception management center; LIG management system; LIG; AAA server; CX; Carrier; interfaces HI1, HI2, HI3, L1, X1, X2, X3]

Lawful interception involves the following roles:


• Interception center
The law enforcement agency intercepts the activities of online users. The
interception center initiates the interception and receives the interception result.
The functions of the interception center are as follows:
Defining the intercepted target
Initiating or terminating the interception
Receiving and recording the interception result
Analyzing the interception result
• Interception management center
The interception management center is the agent of the interception centers. The
interception management center receives the interception request from the
interception center, transforms the information in the request to the location and
service identifier, and then delivers the configuration of interception to the
network devices of the carrier.
• LIG
The lawful interception gateway (LIG) acts as the agent between the interception
management center and the devices of the carrier. The LIG plays an important
role in lawful interception. Its functions are as follows:
Receives the interception request from the interception management center
through the L1 and H1 interfaces.
Delivers the configuration of interception to network devices and obtains
intercepted contents through the X interfaces.
Sends the intercepted contents to the interception management center
through the H2 and H3 interfaces.
• LIG management system
The LIG management system receives the interception request from the
interception management center and sends the request to the LIG. A LIG
management system can manage multiple LIGs.

The LIG management system delivers the configuration to the LIG through the L1 interface. The
LIG is located in the network of the carrier. The LIG management system is managed by the
interception management center.
• Carrier
The carrier deploys the lawful interception function on the network devices. The
devices that support lawful interception receive the configuration from the
interception management center, and then send the intercepted traffic to the
interception management center.

5.13 Network Reliability


The CX600 provides all-around reliability techniques. This caters to the requirements
for reliability of the carrier-class network.


Figure 5-61 Reliability techniques
[Figure panels: Device reliability and Network reliability (99.999%), grouped under Backup, Interface backup, Link reliability, NSF, BFD, Routing optimization, and FRR. Items shown: active/standby MPUs, multiple SFUs, active/standby power modules, Eth Trunk, IP Trunk, inter-board port binding, RPR interface backup, customized alarm damping of link fault, Ethernet OAM, Grace Restart, fast detection, fast route convergence, loose policy-based routing, ECMP, IP FRR, TE FRR, LDP FRR, VLL FRR, VPN FRR]

5.13.1 Backup of Key Modules


The CX600 can work with a single SRU/MPU or two SRU/MPUs in backup mode.
The SRU/MPU of the CX600 supports hot backup. If the device is configured with two
SRU/MPUs for backup, the master SRU/MPU works in active state and the slave
SRU/MPU is in standby state. In addition, users cannot access the management
interface of the slave SRU/MPU, or configure commands on the Console port or the
AUX port. The slave SRU/MPU exchanges information (including heartbeat
messages and data backup) only with the master SRU/MPU.
The system supports active/standby switchover in two ways: automatic switchover
and forcible switchover. The automatic switchover may be triggered by serious faults
or resetting of the master SRU/MPU. The forcible switchover is triggered with
commands. You can forcibly prohibit the active/standby switchover of the SRU/MPU
through the related command.
The CX600 supports backup of management bus and 1+1 backup for the power
module. The LPU, the power module, and the fan module are hot swappable.
These designs enable the system to recover or respond quickly when a severe
abnormality is detected on the device or the network, thereby improving the Mean
Time Between Failures (MTBF) and minimizing the impact of unreliable factors on
normal service.

5.13.2 High Reliability of the LPU


The CX600 supports backup of some key service interfaces through protocol
extension.
• The CX600 supports the Virtual Router Redundancy Protocol (VRRP) on the
Ethernet interface. With the extended VRRP, the CX600 enables two interfaces
on one router or on different routers to back up each other, thus ensuring high
reliability of the interfaces.
• On the CX600, the Eth-Trunk and the IP-Trunk support inside backup and outside
backup for member interfaces.
• The CX600 supports inter-board trunk bundling.
Users can access different LPUs over double links for inter-board bundling.
This ensures the high reliability of services.
The CX600 realizes the inter-board bundling by the high-performance engine
and forwards packets in load balancing mode at the line rate over multiple
links.
The Hash algorithm based on the source and destination IP addresses carries
out even load balancing to forward traffic over links.
Seamless switchover is performed in the case of a link failure, without
interrupting services.
• The CX600 also provides backup of RPR-based interfaces through the RPR
protocol and RPR networking technologies.
The backup function allows the router to monitor and back up the running status of the
interface when bearing LAN, MAN or WAN services. In this case, the status change of
the interface that is backed up will not affect the routing table and the service at the
interface can be restored quickly.

5.13.3 Alarm Customized Damping


With the higher requirements for device reliability posed by current carrier-class
networks, network devices must be capable of fast fault detection.
After fast fault detection is enabled on an interface, the physical status of the
interface frequently changes between Up and Down because alarm generation is
sped up. In this case, the network flaps repeatedly.
Therefore, generated alarms need to be filtered and suppressed to avoid frequent
network flaps.
Alarm damping can effectively filter and suppress alarms, avoiding repetitive flaps of
the interface status; alarm customization enables you to control the impact of alarms
on the interface status.
Alarm customization and alarm damping function as follows:
• Allows you to customize alarms, that is, specify which kinds of alarms can
trigger a change of the interface status.
• Enables the system to suppress alarms, damping the frequent flaps of a network.

5.13.4 Ethernet OAM


The CX600 supports the Ethernet OAM functions as follows:
• Fault management
• Performance management
With the fault management mechanism, the CX600 can detect the network
connectivity by sending the detection OAM packets periodically or through manual
triggering. This mechanism is similar to the Bidirectional Forwarding Detection (BFD).
The CX600 can also locate faults of Ethernet by using means similar to the ping and
tracert tools on IP networks. The CX600 triggers protection switchover in less than 50
ms.


Performance management is used to measure the packet loss ratio, delay, and jitter
during the transmission of packets. It also collects statistics on various kinds of traffic
such as the number of transmitted bytes and the number of errored packets.

Point-to-Point Fault Management for Ethernet


IEEE 802.3ah was brought forward by Ethernet in the First Mile Alliance (EFMA).
IEEE 802.3ah defines the following functions:
• Capability discovery
• Link performance monitoring
• Fault detection and alarm
• Loop test
The PDUs of IEEE 802.3ah OAM are transmitted by a slow protocol. Fault detection
messages are sent every one second.
Conforming to IEEE 802.3ah, the CX600 supports point-to-point Ethernet fault
management. It can detect faults in the last mile of the direct link at the user side of
the Ethernet. Currently, the CX600 supports the following functions defined in IEEE
802.3ah:
• Automatic neighbor discovery
• Link fault monitoring
• Remote fault notification
• Remote loopback configuration

End-to-End Fault Management for Ethernet


This section describes the end-to-end fault management for Ethernet from the
following two aspects:
• Hierarchical MD
The CX600 realizes the end-to-end fault management for Ethernet by conforming
to IEEE 802.1ag or breaking away from IEEE 802.1ag.
IEEE 802.1ag is used to test the end-to-end Ethernet connectivity and locate
faults. It provides different levels of management domains. OAM messages with
a low level are not forwarded to the management domain with a high level. This
guarantees security and maintainability of networks.
According to IEEE 802.1ag, the network that bears the Ethernet OAM
mechanism is divided into different Maintenance Domains (MDs). An MD is an
interconnected Ethernet network that is maintained by the same administrator.
Multiple Service Instances (SIs) can be applied on an MD. An SI corresponds to a
VLAN. An SI consists of multiple devices. The border port in the SI is called the
Maintenance association End Point (MEP); all the other ports are called the
Maintenance association Internal Point (MIP). MIPs are responsible for
connecting different MEPs. Both MEPs and MIPs are called MPs. All the MEPs in
an SI form a Maintenance Association (MA), in which fault detection is carried
out.
Part of the network in an MD might be maintained by another administrator,
namely, the MD might be nested. The MD level is used to differentiate various
levels of OAM that can be carried out in an MA. The MD level is carried in the
OAM message. OAM messages with a low level are discarded by the
high-level MP.
• End-to-end fault detection and location
The ISP and Internet Content Provider (ICP) have gradually used fault detection
to guarantee QoS and reduce maintenance expense. Fault detection is realized
by sending and detecting the Continuity Check (CC) message at a scheduled
time.
The CX600 supports the tools of MAC ping and MAC trace by using the Loop
Back (LB) and Link Trace (LT) packets defined in IEEE 802.1ag to locate faults.
MAC ping
MAC ping realized by the LB message is used to test whether a device on the
network is reachable. It acquires the network status and the delay parameter.
To carry out MAC ping between any two devices on the network, the CX600
needs to meet the following requirements:
The originating point is a MEP.
The two points are MPs belonging to the same MA.
The two points are reachable.
MAC trace
MAC trace realized by the LT message is used to test the transmission paths
of messages and the link break point between the two devices.
The requirements for MAC ping also apply to MAC trace.
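The MD-level rule described above, as an added example (not Huawei code): it parses the IEEE 802.1ag common header, where the MD level occupies the top three bits of the first octet, and decides how a MEP at a given level treats the frame. The frames are constructed, and the action names and the `build_frame` helper are assumptions of this example.

```python
import struct

CFM_ETHERTYPE = 0x8902          # EtherType assigned to IEEE 802.1ag CFM
VLAN_TPIDS = {0x8100, 0x88A8}   # C-VLAN and S-VLAN tag identifiers
OPCODES = {1: "CCM", 2: "LBR", 3: "LBM", 4: "LTR", 5: "LTM"}


def parse_cfm(frame):
    """Return the CFM common-header fields, or None if the frame is not CFM.

    Raises ValueError when the frame ends before the header is complete.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    vlan = None
    while ethertype in VLAN_TPIDS:            # skip single or stacked VLAN tags
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlan = tci & 0x0FFF                   # the innermost VLAN ID is kept
        offset += 4
    if ethertype != CFM_ETHERTYPE:
        return None
    offset += 2
    if len(frame) < offset + 4:
        raise ValueError("truncated CFM header")
    first, opcode, _flags, _tlv_offset = struct.unpack_from("!BBBB", frame, offset)
    return {
        "vlan": vlan,
        "md_level": first >> 5,               # top 3 bits
        "version": first & 0x1F,              # low 5 bits
        "opcode": OPCODES.get(opcode, f"opcode-{opcode}"),
    }


def mep_action(frame, mep_level):
    """Decide what a MEP configured at mep_level does with the frame."""
    info = parse_cfm(frame)
    if info is None:
        return "not-cfm"
    if info["md_level"] < mep_level:
        return "discard"      # lower-level OAM must not leak into this domain
    if info["md_level"] == mep_level:
        return "process"      # belongs to this MEP's own maintenance level
    return "forward"          # higher-level OAM passes through transparently


def build_frame(md_level, opcode, vlan=None, ethertype=CFM_ETHERTYPE):
    """Build a constructed test frame: addresses and TLV offset are placeholders."""
    dst = bytes.fromhex("0180c2000030")
    src = bytes.fromhex("020000000001")
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    header = struct.pack("!BBBB", (md_level & 0x7) << 5, opcode, 0, 0)
    return dst + src + tag + struct.pack("!H", ethertype) + header


if __name__ == "__main__":
    ccm = build_frame(md_level=3, opcode=1, vlan=100)
    print(parse_cfm(ccm))
    for level in (1, 3, 5):
        print("MEP level", level, "->", mep_action(ccm, level))
```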

Ethernet Performance Management


Conforming to ITU-T Y.1731 recommendations, the CX600 supports the Ethernet
performance management. The CX600 can measure the delay, jitter, and packet loss
ratio in transmission. To achieve that, the CX600 inserts the timestamp in the LB
message defined in IEEE 802.1ag. In this way, the CX600 can detect performance
during a specified time period and on a specified network segment to obtain the
performance parameters of an end-to-end service flow. The CX600 can measure the
performance parameter at a scheduled time. The CX600 also combines the
performance parameter with the network management information to output reports.
By using the performance management tools, the ISP can monitor the network status
in real time through the NMS station. The ISP checks whether the forwarding capacity
of the network complies with the SLA signed. Then, faults can be swiftly located. The
ISP need not carry out detection at the user side. This greatly decreases the
maintenance expense.

5.13.5 VRRP
The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. VRRP
realizes route selection among multiple egress gateways by separating the physical
devices from logical devices.
VRRP is applicable to LANs that support multicast or broadcast, such as
Ethernet. VRRP uses logical gateways to ensure high availability of transmission links.
This avoids service interruption that results from a gateway device failure, without
changing the configuration of routing protocols.
VRRP combines a group of routers in a LAN into a backup group that functions as a
virtual router. Hosts in the LAN know the IP address of only this virtual router rather
than that of a specific router in the backup group. Hosts set the IP address of the
virtual router as their own default next-hop address. Hosts in the LAN thus access
other networks through the virtual router.
In the backup group, only one router is active and is called the master router; the other
routers are in backup state with different priorities and are called backup routers.
Figure 5-62 shows the typical networking diagram of VRRP.

Figure 5-62 Typical networking diagram of VRRP
[Figure labels: PC, Server, internal network 10.100.10.0/24, backup group, Master 10.100.10.2/24, Backup 10.100.10.3/24, Backup, 10.100.10.4/24, virtual IP address 10.100.10.1/24, Internet]

VRRP dynamically associates the virtual router with a physical router that undertakes
transmission services. VRRP can select a new router to take over the transmission
when the physical router fails. The entire process is transparent to users, and realizes
non-blocking communication between the internal network and the external network.

mVRRP
The management Virtual Router Redundancy Protocol (mVRRP) refers to a
management VRRP group. The only difference between an mVRRP group and a
common VRRP group is that the mVRRP group can be bound to common VRRP
groups and determine the status of a common VRRP group according to the binding.
An mVRRP group cannot serve as a common VRRP group or be bound to other
mVRRP groups, although it can be bound to multiple common VRRP groups.
An mVRRP group can join a VGMP group as a member. After an mVRRP group joins
a VGMP group, you can configure the mVRRP group to monitor the statuses of both
the peer and link BFD sessions. The mVRRP group, however, loses its independence.
Except for the Initialize state, the Backup and Master statuses depend on the status of
the VGMP group that the mVRRP group joins.

VGMP
Some applications require the forward and return paths of a session to be the same.
That is, the packets of the same session must pass through the same devices. In this
case, VRRP has its own limitations. If the master/backup switchover is performed, the
forward and return paths of the same session cannot be guaranteed to be the same.


To avoid the preceding problem, Huawei develops the VRRP Group Management
Protocol (VGMP) on the basis of VRRP. The VRRP management group set up on the
basis of VGMP uniformly manages the joining VRRP backup groups. On a router, the
interfaces that belong to different VRRP backup groups are thus kept master or
backup simultaneously. In this manner, the VRRP statuses of the router are kept
consistent.
Configure VGMP in the following scenarios:
• The system is configured with a large number of VRRP backup groups.
The system processes the VRRP protocol packets on the SRU/MPU. A large
number of VRRP backup groups may generate many VRRP protocol packets.
These protocol packets compete with other protocol packets for the CPU
resources and the channel as well as the bandwidth of the inter-board
communication. In this case, the system is overloaded.
When you configure a VRRP management group to uniformly manage the VRRP
backup groups, the managed VRRP backup groups do not send protocol packets
independently. In this way, the occupancy of system resources is reduced.
• The router has functions of the firewall, NAT gateway, or proxy server.
These functions require the forward and return paths of a session to be the same.
Configuring a VRRP management group to uniformly manage the VRRP backup
groups keeps the statuses of the VRRP backup groups consistent.

5.13.6 GR
Graceful Restart (GR) is a key technology in implementing HA. The GR switchover
and subsequent restart can be performed by the administrator or triggered by faults.
GR neither deletes the routing information from the routing table or the FIB nor resets
the board during the switchover when faults occur. This prevents the services
interruption of the entire system.
GR has the following advantages:
• Simple and easy to implement. You only need to modify some protocols rather
than changing the current software.
• It does not need to back up the protocol status information.
• Little data needs to be backed up from the AMB to the SMB. The data includes
configuration modification, updated messages and events, interface status
change, and topology information and routing information from neighbors after
restart.
• During the switchover, there is little probability of service interruption.
• The network converges rapidly in normal situations.
The CX600 supports system-based GR and protocol-based GR. The protocol-based
GR includes:
• BGP GR
• OSPF GR
• IS-IS GR
• MPLS LDP GR
• L3VPN GR
• RSVP GR


5.13.7 BFD
The BFD is a detection mechanism used in the entire network. It is used to quickly
detect and monitor the connection of links and forwarding state of the IP route in the
network.
Detection packets are transmitted from both ends of the bidirectional link. The CX600
tests the link status from both directions to realize failure detection in milliseconds.
The CX600 supports single-hop BFD and multi-hop BFD.
The following describes the BFD features supported by the CX600.

BFD for VRRP


BFD is used to detect and monitor the connectivity of the link layer or IP layer of the
network and trigger the rapid VRRP switchover.

BFD for FRR


• BFD for LDP FRR
BFD can detect the protected interfaces that can trigger the LDP FRR switching.
• BFD for IP FRR and BFD for VPN FRR
On the CX600, IP FRR and VPN FRR are triggered after BFD reports detection
faults to the upper-layer application.

BFD for Static Routes


Static routes do not have a detection mechanism. When the network fails,
administrator intervention is needed.
With the feature of BFD for static routes, the BFD session can be used to detect the
status of the IPv4 static route in the public network. The routing management system
determines whether the static route is available according to the BFD session status.

BFD for IS-IS


The CX600 supports the detection on the IS-IS adjacency by using the BFD session
configured statically.
BFD detects the fault of the link between adjacent IS-IS nodes and rapidly reports the
fault to IS-IS to trigger the fast route convergence of IS-IS.

BFD for OSPF/BGP


The CX600 supports OSPF and BGP in dynamically setting up and deleting the BFD
session.
• When the routing protocol neighbor relation is established successfully, the routing
protocol requests the establishment of a BFD session through the routing
management (RM) module so that the neighbor relation can be detected quickly.
The detection parameters of the BFD session are set by the routing protocol.
• When the BFD session detects the fault, the BFD session status becomes Down.
BFD triggers route convergence through the RM module.

Generally, routing protocols implement second-level detection based on the Keepalive
mechanism of Hello packets, whereas BFD carries out millisecond-level detection. When the
detection interval is 10 ms and the detection multiplier is 3, BFD can report the protocol failures
in 50 ms. The route convergence thus speeds up.
• When the neighbor status is unreachable, the routing protocol tells BFD to delete
the session through the RM module.

BFD for PIM


PIM BFD is applicable to the shared network segment where routers enabled with
PIM reside. PIM BFD fast detects the fault of the DR or Assert Winner.
PIM BFD uses normal BFD messages. It automatically sets up BFD sessions between
PIM neighbors, monitors the status of the PIM neighbors, and responds to the failure
of the neighbor promptly.

BFD for IP-Trunk and Eth-Trunk


IP-Trunk and Eth-Trunk consist of member links, providing large bandwidth or high
reliability.
When the number of member links being Up reaches a certain value, the
corresponding trunks can keep Up.
On the CX600, BFD can detect a trunk and a trunk member interface independently.
That is, it can detect the connectivity of the trunk and that of an important member link
of the trunk.

BFD for LSP


BFD for LSP indicates that BFD packets are transmitted along the static LSP, the
dynamic LSP, the RSVP-TE tunnel, and the PW. Because BFD packets are sent and
received at short intervals, link faults can be detected quickly. The carried services
can thus be switched quickly for service protection.
BFD for LSP performs fast fault detection of LSPs, TE tunnels, and PWs. In this way,
BFD for LSP realizes fast switchover of MPLS services such as VPN FRR, TE FRR,
and VLL FRR.

5.13.8 FRR
The CX600 provides multiple FRR features. You can deploy FRR as required to
improve network reliability.

IP FRR
FRR can minimize data loss due to network faults. The switching time can reach 50
ms.
The CX600 provides FRR that enables the system to monitor and store the real-time
status of the boards and ports, and check the status of the ports when packets are
forwarded. When abnormality occurs on a port, the system can fast switch traffic to
another preset route. This improves the Mean Time Between Failures (MTBF) and
reduces the amount of lost packets.


LDP FRR
The traditional IP FRR cannot effectively protect the traffic in the MPLS network. The
CX600 provides the LDP FRR function and the solution to port protection.
With LDP in Downstream Unsolicited (DU) label distribution, ordered label
control, and liberal label retention mode, a Label Switch Router (LSR) saves all label
mapping messages. Only the label mapping messages sent by the next hop
corresponding to the FEC can generate a label forwarding table. With this feature, the
backup LSP is set up if a label forwarding table is produced for the liberal label
mappings.
Normally, a packet is forwarded through the primary LSP. When the outgoing interface
of the primary LSP is Down, the packet is forwarded through the backup LSP. This
ensures continuous traffic flow before network convergence.

Hybrid FRR
The CX600 supports the FRR formed by the combination of IP routes and VPN routes
in the same VPN instance. That is, the CX600 supports hybrid FRR.
In a bearer network, IP FRR is deployed when a CE is dual-homed to PEs. If multiple
voice VPNs are connected to the CE and a POS link is encapsulated between the two
PEs, the POS interface cannot be divided into subinterfaces that can be bound to
different VPNs to provide a backup link for the traffic.
In this case, the BGP VPNv4 peer can be set up between the two PEs. Therefore, the
backup path, in the form of a private route, is exchanged between the two PEs. The
VPNv4 route then serves as a backup of the IP route between the PE and the CE, and
FRR is thus implemented on the CX600. In this manner, the traffic can be switched
within 50 ms.

TE FRR
TE FRR is a technology used in MPLS TE to implement local protection for the
network. Only the interfaces at a speed of over 100 Mbit/s support TE FRR. The
switching time of TE FRR can reach 50 ms. It can minimize data loss when network
failures occur.
TE FRR is only a temporary protection method. When the protected LSP becomes
normal or a new LSP is established, the traffic is switched back to the original LSP or
the newly established LSP.
After an LSP is configured with TE FRR, the traffic is switched to its protection link and
the ingress node of the LSP attempts to establish a new LSP when a link or a node on
the LSP fails.
Based on the objects to be protected, FRR is divided into the following two types:
• Link protection: A direct link exists between the PLR and the MP, and the primary
LSP passes through this link. When this link is out of service, traffic is switched to
the bypass LSP. As shown in Figure 5-63, the primary LSP is R1→R2→R3→R4, and
the bypass LSP is R2→R6→R3.


Figure 5-63 Schematic diagram of FRR link protection
[Figure: routers R1, R2, R3, R4, and R6, with the PLR and the MP marked, showing the primary LSP and the bypass LSP]

• Node protection: The PLR is connected to the MP through R3, and the primary LSP
passes through this router. When R3 fails, traffic is switched to the bypass LSP. As
shown in Figure 5-64, the primary LSP is R1→R2→R3→R4→R5, and the bypass LSP is
R2→R6→R4. R3 is the protected router.

Figure 5-64 Schematic diagram of FRR node protection
[Figure: routers R1, R2, R3, R4, R5, and R6, with the PLR and the MP marked, showing the primary LSP and the bypass LSP]
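
The two protection types can be worked through on the topologies of Figure 5-63 and Figure 5-64. The following Python code is an added example, not CX600 code: it selects the bypass LSP with a breadth-first search (an assumption; this document does not state how the bypass path is chosen), and the link lists are reconstructed from the primary and bypass LSPs named above.

```python
from collections import deque

# Link lists reconstructed from the primary and bypass LSPs named for
# Figure 5-63 and Figure 5-64 (constructed input; links are undirected).
LINK_TOPOLOGY = [("R1", "R2"), ("R2", "R3"), ("R3", "R4"),
                 ("R2", "R6"), ("R6", "R3")]
NODE_TOPOLOGY = [("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R4", "R5"),
                 ("R2", "R6"), ("R6", "R4")]


def shortest_path(links, src, dst, banned_links=frozenset(), banned_nodes=frozenset()):
    """Breadth-first search that ignores the protected link or node."""
    adjacency = {}
    for a, b in links:
        if frozenset((a, b)) in banned_links or a in banned_nodes or b in banned_nodes:
            continue
        adjacency.setdefault(a, []).append(b)
        adjacency.setdefault(b, []).append(a)
    previous = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for neighbor in adjacency.get(node, []):
            if neighbor not in previous:
                previous[neighbor] = node
                queue.append(neighbor)
    return None  # no bypass exists: the resource cannot be protected


def bypass_lsp(links, primary, plr, mode):
    """Return (MP, bypass path) for the PLR on the primary LSP.

    mode "link": the MP is the next hop and the PLR-MP link is excluded.
    mode "node": the MP is the next-next hop and the next-hop router is excluded.
    """
    hops = {"link": 1, "node": 2}.get(mode)
    if hops is None:
        raise ValueError("mode must be 'link' or 'node'")
    i = primary.index(plr)
    if i + hops >= len(primary):
        raise ValueError("no merge point downstream of the PLR")
    mp = primary[i + hops]
    if mode == "link":
        path = shortest_path(links, plr, mp, banned_links={frozenset((plr, mp))})
    else:
        path = shortest_path(links, plr, mp, banned_nodes={primary[i + 1]})
    return mp, path


def repaired_path(primary, plr, mp, bypass):
    """Path that traffic follows while the PLR steers it onto the bypass LSP."""
    if bypass is None:
        return None
    return primary[:primary.index(plr)] + bypass + primary[primary.index(mp) + 1:]


if __name__ == "__main__":
    for name, links, primary, mode in (
        ("Figure 5-63", LINK_TOPOLOGY, ["R1", "R2", "R3", "R4"], "link"),
        ("Figure 5-64", NODE_TOPOLOGY, ["R1", "R2", "R3", "R4", "R5"], "node"),
    ):
        mp, bypass = bypass_lsp(links, primary, "R2", mode)
        print(name, mode, "MP:", mp, "bypass:", bypass,
              "repaired:", repaired_path(primary, "R2", mp, bypass))
```

When no alternative path exists, `bypass_lsp` returns `None` as the path, which corresponds to a link or node that cannot be protected by FRR in that topology.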

VLL FRR
VLL FRR is a technique for network protection in the L2VPN. It quickly switches
user traffic to the backup link after a fault occurs on the network. In this way, the
reliability of the L2VPN is improved. VLL FRR is also called VLL redundancy.
VLL FRR in the L2VPN includes fault detection, fault notification, and active/standby
switchover of links.
The CX600 provides various features that can be combined to realize VLL FRR.
• Fault detection
  - BFD for LSP/PW can quickly detect a fault of the LSP/PW on the network side of
    an L2VPN.
  - Ethernet OAM, ATM OAM, PPP, and FR can quickly detect a fault on the access
    circuit (AC) side of an L2VPN.
• Fault notification
  - LDP, BGP, or RSVP can notify the remote PE router of the fault of the LSP/PW
    or the AC.


  - BFD for LSP/PW can inform the remote PE router of the fault of the LSP/PW
    or the AC.
  - Ethernet OAM, ATM OAM, PPP, and FR can notify the local CE router of the
    fault.
• Active/standby switchover of links
  - In a symmetric network, CE routers perform the active/standby switchover.
  - In an asymmetric network, PE routers work with CE routers to perform
    active/standby switchover.

VPN FRR
In the traditional L3VPN, the local PE router senses the fault of the remote PE router
through the BGP Hello packets. The time taken to sense the fault defaults to 90
seconds. That is, VPN routes on the local PE router converge after the fault of the
remote PE router lasts 90 seconds.
VPN FRR supported by the CX600 can solve the preceding problem. When the CE
router is dual-homed, VPN FRR can fast switch VPN services to the backup tunnel
and PE router after the link between the CE router and the PE router is disconnected
or after the PE router restarts. In this manner, services are restored within a short
period.
• The forwarding engine of the local PE router keeps not only the outer labels of the
  remote active PE router and the inner labels distributed to VPN routes, but also
  the outer labels of the remote standby PE router and the inner labels distributed
  to VPN routes.
• With the end-to-end fault detection mechanisms such as BFD, the local PE router
  senses the fault of the remote active PE router within 200 milliseconds and then
  switches the outer and inner labels of the remote active and standby PEs at the
  same time.
• VPN FRR solves the problem of switchover between inner labels. The switchover
  priority level of VPN FRR is lower than that of LDP/MPLS TE FRR. The time
  taken by VPN FRR to sense the fault is thus more than that taken by LDP/TE
  FRR.


6 Maintenance and Network Management System

About This Chapter

The following table shows the contents of this chapter.

Section | Description
6.1 Maintenance Features and Functions | This section describes the maintenance features and functions of the CX600.
6.2 Network Management | This section describes the network management services of the CX600.


6.1 Maintenance Features and Functions


6.1.1 System Configuration Mode
The CX600 provides two configuration modes: command line configuration and NMS
configuration.
Command line configuration supports:
• Local configuration through the console port
• Remote configuration through the AUX port with a modem
• Remote configuration through Telnet
NMS configuration supports the SNMP-based NMS.

6.1.2 System Management and Maintenance


The CX600 provides the following system management and maintenance functions:
• In-service board detection, hot swap detection, Watch Dog, board reset, control
  over running and debugging indicators, fan monitoring, power monitoring,
  active/standby switchover control, and version query
• Local and remote software upgrading and data loading, upgrade rollback, backup,
  storage, and removal
• Hierarchical user authority management, operation log management, online help
  and comment for command lines
• Multi-user operation
• Collection of multi-layer information, including port information, Layer 2
  information, and Layer 3 information
• Hierarchical management, alarm classification, and alarm filtering

6.1.3 HGMP
The CX600 supports Huawei Group Management Protocol (HGMP), which is a cluster
management protocol developed by Huawei.
HGMP is used to group Layer 2 devices that are connected to the CX600 into a
unified management domain, that is, a cluster. In addition, HGMP supports automatic
collection of network topologies and provides integrated maintenance and
management channels. In this manner, a cluster uses only one IP address for external
communications, simplifying device management and saving IP addresses.

6.1.4 System Service and Status Tracking


The CX600 can track the system service and status as follows:
• Monitors the change of the state machine of routing protocols.
• Monitors the change of the state machine of MPLS LDP.
• Monitors the change of VPN-related state machine.
• Monitors the type of protocol packets sent by the NP to the CPU, and displays
  details about the packets with the debugging function.


• Monitors and clears the statistics on abnormal packets.
• Displays notification when the processing of the abnormality takes effect.
• Collects the statistics on the resources used by each feature system.

6.1.5 System Test and Diagnosis


The CX600 provides debugging for running services. While in service, it can record
key events, packet processing, packet resolution, and state switchover during a
specified period. This helps in device debugging and networking. You can enable or
disable the debugging of a specific service (such as a routing protocol) and a specific
interface (such as the routing protocol information on a specified interface) through
the debugging command.
The CX600 provides a trace function for system operation. While in service, it can
record key events such as task switchover, task interruption, queue read-and-write,
and system abnormality. When the system is restarted after a fault occurs, you can
read the trace information for fault location. You can enable or disable the trace
function through the tracert command.
In addition, you can query the CPU usage of the SRU/MPU and the LPU in real time.
The debugging and trace functions of the CX600 classify information. The sensitive
information of different classes is directed to different output destinations based on
the user configuration. The output destinations include the console display, the Syslog
server, and alarms triggered through SNMP traps.
The CX600 also provides the Network Quality Analysis (NQA) function.
NQA measures the performance of each protocol that runs in the network and helps
the network operator collect network running indexes, such as total delay of HTTP,
delay of a TCP connection, delay of DNS resolution, rate of file transfer, delay of an
FTP connection, and rate of wrong DNS resolution. By controlling these indexes, the
network operator provides users with services of various grades and charges them
differently.
NQA is also an effective tool in diagnosing and locating faults in the network.

6.1.6 Upgrade Features


In-Service Upgrade
The router supports in-service upgrading and patching of the software. Thus, you can
upgrade only the features that require modification.

System Upgrade
The system upgrade optimizes the upgrading process. You can use one command to
complete the upgrading. Thus, you can save time. During the upgrading process, the
progress is displayed. After the upgrading is complete, you can view the results.

Rollback
During the upgrading process, if the new system software cannot start the system,
you can use the previous one that successfully started the system.
The rollback function can protect services against the failure in the system upgrading.


License Control Policy


The license file dynamically controls the availability of product features. Through
license authorization, a new customer can purchase only the relevant functional
modules of services and resources, which lowers the cost; an existing customer can
apply for a new license to expand the capacity and maintain functions.
The CX600 carries an increasing number of software features, so the cost of software
gradually constitutes a larger percentage of the total cost. This mode, however,
cannot cater to users and carriers in the following aspects:
• Common users want to reduce the purchase cost.
• Users that need to upgrade the devices want to be able to expand the capacity of
  devices and choose the service features as required.
To meet these different requirements, the CX600 provides a license authorization
management platform, implemented in newly developed software, for flexible
authorization of service features. In this mode:
• Common users can purchase the service features as required. The purchase
  cost is thus reduced.
• Users that need to upgrade the devices can expand the capacity of devices and add
  new service features by applying for new licenses.
Provided with the new software, the CX600 manages the features of L3VPN, MVPN,
GRE tunnels, IPv6 tunnels, 6PE (IPv4 over IPv6) tunnels, Netstream, and PBB-TE.

6.1.7 Miscellaneous Features


The CX600 provides the following additional configuration features:
• Hierarchical protection for configuration commands, ensuring that
  unauthorized users cannot access the router.
• Online help available if you type a "?".
• Various debugging information for network troubleshooting.
• DosKey-like function for running a history command.
• Fuzzy search for command lines. For example, you can enter the non-conflicting
  key word "disp" for the display command.

6.2 Network Management


6.2.1 NMS
The CX600 adopts the Huawei iManager N2000 NMS. It supports SNMP V1/V2c/V3
and the Client/Server model. The CX600 NMS can operate on multiple operating
systems such as Windows NT/2000/XP and UNIX (SUN, HP, and IBM). The CX600
NMS provides graphic user interfaces in multiple languages.
The iManager N2000 NMS can be seamlessly integrated with the NMS of other
Huawei fixed network telecommunication equipment, for centralized management.


The N2000 NMS can also be integrated with other universal NMSs in the industry,
such as HP OpenView, IBM NetView, What's up Gold, and SNMPc. This makes it
possible to perform the unified management on the devices of multiple vendors. The
N2000 NMS provides real-time management on the topology, fault, performance,
configuration tool, equipment log, security and users, QoS policy, and VPN service. In
addition, it can be used to download, save, modify, and upload configuration files, as
well as upgrade the system software.

6.2.2 LLDP
At present, the Ethernet technology is extensively used in the Local Area Network
(LAN) and Metropolitan Area Network (MAN). With the increasing demand for
large-scale networks, the network management capabilities of Ethernet are in great
demand. For example, the network management of Ethernet should address issues
such as automatically obtaining topology of interconnected devices and conflicts in
configurations on different devices.
Recently, Network Management System (NMS) software has adopted automated
discovery to trace changes in topology. Most NMS software, however, can at best
analyze the network layer topology and group devices into different IP subnets.
The NMS provides data only about adding or deleting devices. The NMS cannot
obtain information about the interfaces on a device that are used to connect to
another device. That is, the NMS cannot locate a device or determine its operation
mode.
The Layer 2 Discovery (L2D) protocol can discover precise information about the
interfaces situated on the devices and the interfaces that are used to connect other
devices. The L2D protocol also displays the paths between the client, switch, router,
application server, and network server. The preceding detailed information helps
locate a network fault.
The Link Layer Discovery Protocol (LLDP) is an L2D protocol defined in IEEE 802.1AB.
LLDP specifies that the status information is stored on all the interfaces and the
device can send its status to the neighbor stations. The interfaces can also send
information about changes in the status to the neighbor stations as required. The
neighbor stations then store the received information in the standard Management
Information Base (MIB) of the Simple Network Management Protocol (SNMP). The
NMS can search for the Layer 2 information in the MIB. As specified in IEEE 802.1AB,
the NMS can also find unreasonable Layer 2 configurations based on the
information provided by LLDP.
When LLDP runs on the devices, the NMS can obtain the Layer 2 information about all
the devices it connects to and the detailed network topology information. This expands
the scope of network management. LLDP also helps find unreasonable configurations
on the network and reports them to the NMS, so that configuration errors can be
removed in a timely manner.
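
What a receiving station stores for each neighbor can be shown by decoding an LLDPDU. The following Python code is an added example, not part of the CX600 or the N2000 NMS: it parses the mandatory TLVs defined in IEEE 802.1AB from a constructed LLDPDU and compares the learned neighbor with a planned cabling table. The device names, port names, MAC address, and the EXPECTED_CABLING table are hypothetical.

```python
# TLV types from IEEE 802.1AB used in this example.
END, CHASSIS_ID, PORT_ID, TTL, SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 3, 5


def build_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length, followed by the value."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value longer than 511 octets")
    return ((tlv_type << 9) | len(value)).to_bytes(2, "big") + value


def build_lldpdu(chassis_mac, port_name, ttl, system_name):
    """Build a constructed LLDPDU (sample input for the parser below)."""
    return (build_tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
            + build_tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
            + build_tlv(TTL, ttl.to_bytes(2, "big"))
            + build_tlv(SYSTEM_NAME, system_name.encode())
            + build_tlv(END, b""))


def format_id(value, mac_subtype):
    """Render an ID TLV: MAC subtypes as hex, other subtypes as text."""
    subtype, body = value[0], value[1:]
    if subtype == mac_subtype:
        return ":".join("%02x" % octet for octet in body)
    return body.decode("utf-8", "replace")


def parse_lldpdu(data):
    """Parse an LLDPDU into the neighbor record a receiving station stores."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("LLDPDU ends without an End Of LLDPDU TLV")
        header = int.from_bytes(data[offset:offset + 2], "big")
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV of type %d" % tlv_type)
        offset += 2 + length
        if tlv_type == END:
            break
        tlvs.append((tlv_type, value))
    # Chassis ID, Port ID, and TTL are mandatory and must come first, in order.
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    chassis, port, ttl = (v for _, v in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise ValueError("malformed mandatory TLV")
    record = {
        "chassis_id": format_id(chassis, CHASSIS_SUBTYPE_MAC),
        "port_id": format_id(port, PORT_SUBTYPE_MAC),
        "ttl": int.from_bytes(ttl, "big"),
        "system_name": None,
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type == SYSTEM_NAME:
            record["system_name"] = value.decode("utf-8", "replace")
    return record


def check_neighbor(local_port, record, expected):
    """Compare a learned neighbor with the planned cabling; return findings."""
    learned = (record["system_name"], record["port_id"])
    planned = expected.get(local_port)
    if planned is None:
        return ["%s: unplanned neighbor %s port %s" % ((local_port,) + learned)]
    if learned != planned:
        return ["%s: expected %s port %s, learned %s port %s"
                % ((local_port,) + planned + learned)]
    return []


# Hypothetical plan: which neighbor and remote port each local port should see.
EXPECTED_CABLING = {"GigabitEthernet1/0/1": ("DSLAM-01", "GigabitEthernet0/0/1")}
# Constructed LLDPDU as it would arrive on local port GigabitEthernet1/0/1.
SAMPLE_LLDPDU = build_lldpdu(bytes.fromhex("020000000001"),
                             "GigabitEthernet0/0/1", 120, "DSLAM-01")

if __name__ == "__main__":
    neighbor = parse_lldpdu(SAMPLE_LLDPDU)
    print(neighbor)
    print(check_neighbor("GigabitEthernet1/0/1", neighbor, EXPECTED_CABLING))
```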


7 Networking Applications

As shown in Figure 7-1, the metro Ethernet consists of the core layer, the edge layer,
the aggregation layer, and the access layer. The core layer is responsible for the
high-speed forwarding of service data. The edge layer and the aggregation layer
serve as the access point of various services. The services access the network for
forwarding through the BRAS, the centralized PE, or the aggregation node, based on
the service type. The access layer is responsible for the user access, and the devices
at the access layer include the DSLAM, the converged switch, AG, and NodeB.

Figure 7-1 Metro Ethernet network diagram
[Figure: layers labeled Access, Ethernet Aggregation, Edge, Core, and Application, with the DSLAM, CMTS, AccSwitch, aggregation node, distribution nodes, BRAS, PE, P/PE, SoftX, VoD ES, VoD CS, and the Internet]

The aggregation layer device accesses and forwards the services through the IP or
MPLS technologies. Individual services access the aggregation node through the
DSLAM, and corporate services are either converged at Layer 2 through a switch or
directly access the aggregation node.
• DSLAM: refers to the Digital Subscriber Line Access Multiplexer that accesses
  the individual services through the permanent virtual circuit (PVC). The DSLAM
  adds the VLAN or QinQ tag based on the types of users and services, and is
  generally connected to the aggregation node.
• Switch: refers to the access switch that converges the Layer 2 corporate services
  to the aggregation node.
• Aggregation node: refers to the distributed service node (PE). The aggregation
  node distinguishes the VLAN or QinQ user services, forwards Layer 3 services or
  VPN services, or transparently transmits services to the BRAS or the centralized
  PE through the IP or MPLS technologies.


• Distribution node: refers to the node that converges the services in
  the metro Ethernet. The distribution node terminates the IP or MPLS technologies
  and transparently transmits the services to the BRAS or the centralized PE.
• BRAS: refers to a device that processes PPPoE login services of individual
  users.
• PE: refers to the centralized service node, which can also serve as the
  distribution node. The PE accesses the services that should be converged and
  processed, such as centralized L3VPN services.
• P/PE: refers to the core forwarding node or the edge node on the backbone
  network. The P or PE rapidly forwards the services or accesses the services to the
  backbone network.
The CX600 can serve as the aggregation node and the distribution node to
guarantee the access of individual services and corporate services.

Individual Services
• HSI service: The DSLAM adds QinQ tags to distinguish user services. The outer
  VLAN tag indicates the service type. The CX600 at the aggregation node
  transparently transmits the services to the distribution node through EOMPLS
  (VLL or VPLS). The distribution node can be the CX600 or the CX600. The
  distribution node terminates the transmission and then transparently transmits
  the QinQ data to the BRAS.
• VOD/VoIP: The CX600 at the aggregation node terminates the VLAN or QinQ tag
  added by the DSLAM, and forwards the services to Layer 3 network or accesses
  the services to L3VPN for forwarding.
• BTV: The CX600 at the aggregation node serves as the designated router (DR)
  of the Protocol Independent Multicast (PIM). The aggregation node receives the
  multicast data distributed through the PIM protocol, and then sends the data to
  the DSLAM through multicast VLAN. The user joins or withdraws a group through
  IGMP, and the hot channels send data to DR by static route.

Corporate Services
• Corporate dedicated line: The corporate dedicated line is connected to the Layer 3
  network through the CX600 at the aggregation node.
• E-LINE: The PW, an end-to-end L2VPN tunnel, is set up between the CX600 at
  the aggregation node and the peer end. The E-LINE services are transmitted to
  the peer end through different tunnels based on the VLAN or QinQ tags identified
  at the aggregation node.
• E-LAN: The CX600 at the aggregation node creates the VSI, and forwards the
  service data to different VSIs for forwarding after the VLAN or QinQ tag is
  identified. The service data can also access the E-LAN services through
  H-VPLS, in which case the VSI is created by the distribution node.
• L3VPN: The services access the Virtual Route Forwarding (VRF) at the
  aggregation node, or access the centralized service node for VRF forwarding
  through HoVPN.


8 Technical Specifications

About This Chapter

The following table shows the contents of this chapter.

Section | Description
8.1 Physical Specifications | This section describes the physical specifications of the CX600.
8.2 System Configuration | This section describes the system configuration of the CX600.
8.3 Specifications of System Features and Service Performances | This section describes the specification of system features and service performance of the CX600.


8.1 Physical Specifications


Table 8-1 Physical specifications

Item: Description

External dimensions (width x depth x height):
  • CX600-16: 442 mm x 669 mm x 1600 mm (36 U)
  • CX600-8: 442 mm x 669 mm x 886 mm (20 U)
  • CX600-4: 442 mm x 669 mm x 442 mm (10 U)
  • CX600-X3: DC input power module: 442 mm x 650 mm x 175 mm (4 U);
    AC input power module: 442 mm x 650 mm x 220 mm (5 U)

Installation: Mounted in a 19-inch standard cabinet or an N68E-22/N68E-18 cabinet

Weight:
  Fully configured:
  • CX600-16: 250 kg
  • CX600-8: 147 kg
  • CX600-4: 87 kg
  • CX600-X3: DC power module: 36 kg; AC power module: 46 kg
  Board weight:
  CX600-16:
  • MPU: 3.8 kg
  • SFU: 3.0 kg
  • LPU: 5.0 kg
  CX600-8/CX600-4:
  • SRU: 3.8 kg
  • SFU: 1.8 kg
  • LPU: 5.0 kg
  CX600-X3:
  • MPU: 1.5 kg
  • LPU: 5.0 kg

Maximum power consumption:
  CX600-16: 6800 W
  CX600-8: 2200 W
  CX600-X3: 900 W

DC input voltage:
  Rated voltage: 48 V
  Maximum voltage range: 72 V to 38 V


AC input voltage:
  Rated voltage range: 200 V to 240 V
  Maximum voltage range: 175 to 275 V

Environmental temperature:
  Long-term: 0°C to 45°C
  Short-term: 5°C to 55°C
  Remark: Restriction on the temperature variation rate: 30°C per hour

Storage temperature: 40°C to 70°C

Relative environmental humidity:
  Long-term: 5% to 85% RH, non-condensing
  Short-term: 0% to 95% RH, non-condensing

Relative storage humidity: 0% to 95% RH, non-condensing

Altitude for permanent work: Within 3000 meters

Storage altitude: Within 5000 meters

8.2 System Configuration


Table 8-2 System configuration list

Item: Description (Remark)

Processing unit: Main frequency: 1 GHz
BootROM: 1 MB
SDRAM: 2 GB
NVRAM: 512 KB
Flash: 32 MB


CF card: 1 GB
  Remark: The capacity can be extended. The CF card is used as a mass storage
  device to store data files.
  • The CF card on the SRU/MPU stores logs and is hot swappable.
  • The CF card inside the SRU/MPU stores system files and is not hot swappable.

Switching capacity:
  CX600-16: 2.56 Tbit/s
  CX600-8: 640 Gbit/s
  CX600-4: 320 Gbit/s
  CX600-X3: 240 Gbit/s

Backplane capacity:
  CX600-16: 4 Tbit/s (bidirectional)
  CX600-8: 2 Tbit/s (bidirectional)
  CX600-4: 1 Tbit/s (bidirectional)
  CX600-X3: 1.35 Tbit/s (bidirectional)

Interface capacity:
  CX600-16: 640 Gbit/s (bidirectional)
  CX600-8: 320 Gbit/s (bidirectional)
  CX600-4: 160 Gbit/s (bidirectional)
  CX600-X3: 120 Gbit/s (bidirectional)

Number of LPU slots:
  CX600-16: 16
  CX600-8: 8
  CX600-4: 4
  CX600-X3: 3
  Remark: LPU (optional)

Transmitting rate of the LPU: 16 kbit/s
  Remark: Bidirectional: sending packets to the SRU/MPU and receiving
  packets from the SRU/MPU

Number of SRU/MPU slots: 2


Transmitting rate of the SRU/MPU: 32 kbit/s
  Remark: Bidirectional: sending packets to the LPU and receiving
  packets from the LPU

8.3 Specifications of System Features and Service Performances
8.3.1 Specifications of System Features
Table 8-3 Specifications of the system features

Feature Description
Interworking LAN protocols Ethernet_II
IEEE802.1Q
IEEE802.1p
Link layer PPP, MP
protocols HDLC
FR
ATM
IP over ATM
RPR
RRPP
POS over FR
Ethernet Basic VLAN features
switching VLAN aggregation
VLAN trunk
Dynamic learning between VLAN members
VLANIF interface
Inter-VLAN routing
VLAN translation
VLAN Mapping
STP/RSTP/MSTP
QinQ
VLAN Stacking


Network protocol
  IPv4:
    Static routes
    Dynamic unicast routing protocols:
    • RIP-1/RIP-2
    • OSPF
    • IS-IS
    • BGP
    Multicast protocols:
    • IGMP
    • IGMP Snooping
    • PIM-DM
    • PIM-SM
    • PIM-SSM
    • MBGP
    • MSDP
    Multicast VLAN
    Multicast VPN
    Multicast flow control
    Multicast CAC
    Routing policies
    NQA
  IPv6:
    IPv4-to-IPv6 transition technologies:
    • Manually configured tunnel
    • GRE
    • Automatic tunnel
    • 6to4 tunnel
    • 6PE
    • IPv4 over IPv6 tunnel
    IPv6 static unicast routes
    IPv6 dynamic unicast routing:
    • BGP4+
    • RIPng
    • OSPFv3
    • IS-ISv6
    IPv6 multicast protocols:
    • MLD
    • PIM-IPv6-DM
    • PIM-IPv6-SM
    • PIM-IPv6-SSM


MPLS MPLS basic MPLS forwarding


functions MPLS LDP
MPLS TE
DS-TE
MPLS QoS
MPLS Uniform, Pipe, and Short Pipe
MPLS OAM
IPTN
VPN L2VPN VLL/PWE3 in Martini or Kompella mode
VPLS
QinQ
HVPLS
ATM IWF

L3VPN MPLS/BGP VPN (as the PE router or the P


router)
HoVPN
Multicast VPN
Inter-VPN
Carrier's carrier
RRVPN
Multi-role host
IPv6 L3VPN IPv6 MPLS/BGP VPN (as the PE router or the P
router)
Inter-VPN
Carrier's carrier

User Access user MSE


management management AAA
Domain
RADIUS
HWTACACS

Security AAA CHAP


PAP
RADIUS
HWTACACS
Load Equal-cost load balancing
balancing Unequal-cost load balancing


Other security SSH


features Local mirroring
Remote mirroring
Port traffic sampling
Traffic control on the LPU and the SRU/MPU
URPF
Layer 2 limit
ARP anti-attack
Local Attack defense
DHCP Snooping
Lawful interception
Hierarchical commands to defend against unauthorized users'
login

Reliability Hot backup 1:1 backup of SRU/MPUs


3+1 load balancing and backup of SFUs
1+1 backup of power modules
1+1 backup of the system management bus and
data bus
GR Protocol-level GR: IS-ISv4, OSPF, BGP4, LDP,
and VPN
System-level GR

Others IP FRR
LDP FRR
TE FRR
VLL FRR
VPN FRR
IP and VPN hybrid FRR
VRRP
BFD
Dampening control to support Up/Down of
interfaces
Transmission alarm customization and
suppression
QoS Traffic Simple traffic classification
classification Complex traffic classification: based-on port;
based on Layer 2, Layer 3, or Layer 4 packets
Traffic Traffic policing and traffic shaping based on
policing and srTCM or trTCM
shaping DiffServ EF and AF services
GTS


Congestion PQ/WFQ
management

Congestion WRED
avoidance
Policy-based Route redirection, MPLS LSP explicit route
routing distribution

QPPB IP precedence
Specific traffic behavior
BGP BGP identifies and classifies the routes through
accounting BGP traffic index to account the traffic on the
basis of classification

VPN QoS QoS that transmits the private network routes


through BGP is an extension of QPPB in the
L3VPN
Supports traffic classification, traffic shaping,
and queue scheduling in the L2VPN and L3VPN
Supports the combination between VPN QoS
and MPLS DiffServ/MPLS TE/MPLS DS-TE

QinQ QoS 802.1p re-mark function supported by QinQ


802.1p and DSCP re-mark function during QinQ
termination
802.1p and EXP re-mark function during QinQ
termination
ATM QoS Simple traffic classification and forcible traffic
classification
FR QoS Traffic shaping, traffic policing, congestion
management, queue management, and FR
fragmentation

HQoS Two-level scheduling mode


Level 1 scheduling ensures bandwidth for each
user and level 2 scheduling ensures bandwidth
for services of each user
L2VPN HQoS
L3VPN HQoS
TE and DS-TE HQoS
HQoS for users


Configuration Command Local configuration through the console port


management line interface Local or remote configuration through the AUX
port
Local or remote configuration through Telnet
Local or remote configuration through SSH
Hierarchical commands to defend against
unauthorized users' login
Detailed debugging information for network
faults diagnosis
Network test tools such as tracert and ping
Supports the login to and management of other
routers through Telnet
FTP server and client functions to upload and
download configuration files and applications
TFTP client functions to upload and download
configuration files and applications
Upload and download configuration files and
applications through the XModem protocol
System logs
Virtual file system

Time service Time Zone


Summer Time
NTP server and NTP client

In-service In-service upload


upgrade In-service upgrade
In-service patching
Information Provides three types of information: alarm, log,
center and debugging
Provides eight levels of information: emergency,
alert, critical, error, warning, notification,
informational, and debugging
Information can be output to the log host or user
terminal; log information and alarm information
can be output through the SNMP Agent or the
buffer

Network Supports SNMP v1/v2c/v3


management RMON
NetStream
Traffic statistics


8.3.2 Specifications of Service Performances


Table 8-4 Service performance specifications

Attribute | Service Feature | Technical and Performance Specifications
IP unicast | IPv4/IPv6 forwarding | Line-rate forwarding of IPv4/IPv6 packets on high-speed interfaces
 | IPv4/IPv6 routing entries | 1600 K/600 K
 | IPv4 FIB | 1 M
 | Routing convergence speed | 10 K routing entries/s
 | Number of IPv6 over IPv4 tunnels | 8000
 | Number of 6PEs | 1000
MPLS | Label layers | 4
 | Number of LSPs | 100 K
 | Number of LDP neighbors | 63 K
 | MPLS FRR switching time | 50 ms
Layer 2 features | MAC table (dynamic and static) | 256 K
L2VPN | VLL entries | 16 K
 | Number of VPLS VSIs | 4 K
 | Number of VPLS PWs | 16 K
 | Number of VRF | 2 K
QoS | Number of traffic classification rules | 16 K/slot
 | Number of ACLs | 8 K/slot
 | CAR granularity | 64 kbit/s
 | Number of queues | 256 K (bidirectional)/LPU
 | Levels of HQoS scheduling | 5 levels
 | Packet buffer time | 200 ms
Multicast | Number of multicast routes | 8 K
 | Number of multicast static routes | 256
 | Number of multicast forwarding table entries | 8 K


A Compliant Standards

A.1 Standards and Telecom Protocols


ARP
RFC1027 Using ARP to implement transparent subnet gateways
ATM
RFC2225 Classical IP and ARP over ATM
RFC2226 IP Broadcast over ATM Networks
RFC2364 PPP Over AAL5
RFC2515 Definitions of Managed Objects for ATM Management
RFC2684 Multiprotocol Encapsulation over ATM Adaptation Layer 5
BFD
draft-ietf-bfd-base-05 Bidirectional Forwarding Detection
draft-ietf-bfd-v4v6-1hop-05 BFD for IPv4 and IPv6 (Single Hop)
draft-ietf-bfd-multihop-04 BFD for Multihop Paths
draft-ietf-bfd-generic-02 Generic Application of BFD
draft-ietf-bfd-mpls-02 BFD For MPLS LSPs
BGP
RFC1105 Border Gateway Protocol BGP
RFC1163 A Border Gateway Protocol (BGP)
RFC1164 Application of the Border Gateway Protocol in the
Internet
RFC1265 BGP Protocol Analysis
RFC1266 Experience with the BGP Protocol
RFC 1267 A Border Gateway Protocol 3 (BGP-3)


RFC 1268 Application of the Border Gateway Protocol in the
Internet
RFC1269 Definitions of Managed Objects for the Border Gateway
Protocol:Version 3
RFC1364 BGP OSPF Interaction
RFC1397 Default Route Advertisement in BGP2 and BGP3
Version of the Border Gateway Protocol
RFC1403 BGP OSPF Interaction
RFC1654 A Border Gateway Protocol 4 (BGP-4).
RFC1655 Application of the Border Gateway Protocol in the
Internet
RFC1656 BGP-4 Protocol Document Roadmap and
Implementation Experience
RFC1771 (BGP-4)
RFC1772 BGP basic functions support
RFC1773 obsoletes RFC 1656
RFC1774 BGP-4 Protocol Analysis
RFC1863 A BGP/IDRP Route Server alternative to a full mesh
routing
RFC1930 Guidelines for creation, selection, and registration of an
Autonomous System (AS)
RFC1965 Autonomous System Confederations for BGP
RFC1966 BGP Route-Reflection
RFC1997 BGP Community Attribute
RFC1998 An Application of the BGP Community Attribute
RFC2270 Using a Dedicated AS for Sites Homed to a Single
Provider
RFC2283 Multiprotocol Extensions for BGP-4
RFC2385 TCP MD5
RFC2439 BGP Route Flap Damping
RFC2519 A Framework for Inter-Domain Route Aggregation
RFC2545 BGP support for IPv6
RFC2547 BGP/MPLS VPNs
RFC2796 BGP Route Reflection
RFC2842 Capabilities Advertisement with BGP-4
RFC2858 Multiprotocol Extensions for BGP-4
RFC2918 Route Refresh Capability for BGP-4
RFC3065 Autonomous System Confederations for BGP
RFC3392 Support BGP capabilities advertisement
RFC3562 Key Management Considerations for the TCP MD5
Signature Option
RFC4271 A Border Gateway Protocol 4 (BGP-4)
RFC4272 BGP Security Vulnerabilities Analysis
RFC4273 Definitions of Managed Objects for the Fourth Version
of Border Gateway Protocol (BGP-4)
RFC4274 BGP-4 Protocol Analysis
RFC4275 BGP-4 MIB Implementation Survey
RFC4276 BGP 4 Implementation Report
RFC4277 Experience with the BGP-4 Protocol
RFC4360 BGP Extended Communities Attribute
RFC4364 BGP/MPLS IP Virtual Private Networks
RFC4382 MPLS/BGP Layer 3 Virtual Private Network (VPN)
Management Information Base
RFC4456 BGP Route Reflection: An Alternative to Full Mesh
Internal BGP (IBGP)
RFC4486 Subcodes for BGP Cease Notification Message
RFC4724 Graceful Restart Mechanism for BGP
RFC4760 Multiprotocol Extensions for BGP-4
RFC4781 Graceful Restart Mechanism for BGP with MPLS
RFC4798 Connecting IPv6 Islands over IPv4 MPLS using IPv6
Provider Edge Routers (6PE)
draft-ietf-ppvpn-rfc2547bis-01 BGP/MPLS VPN Arch
draft-ietf-idr-restart-08 Support Graceful Restart Mechanism for BGP-4
draft-ietf-idmr-bgp-mcast-attr-00 BGP support for multicast
draft-ramachandra-bgp-ext-communities-04 Extended Community Attribute
draft-kato-bgp-ipv6-link-local-00 BGP4+ Peering Using IPv6 Link-local Address
draft-ietf-idr-cap-neg-01 Capabilities Negotiation with BGP4
draft-ietf-mpls-bgp-mpls-restart-03 Graceful Restart Mechanism for BGP with MPLS
draft-ietf-l2vpn-vpls-bgp-02 -
draft-ietf-idr-rfc3065bis-06 Autonomous System Confederations for BGP
draft-ooms-v6ops-bgp-tunnel Connecting IPv6 Islands over IPv4 MPLS
using IPv6 Provider Edge Routers (6PE)
draft-marques-l3vpn-ibgp-01 Internal BGP as PE-CE protocol
Ethernet
RFC0826 Ethernet Address Resolution Protocol: Or converting
network protocol addresses to 48-bit Ethernet address
for transmission on Ethernet hardware (ARP)
RFC0894 Standard for the transmission of IP datagrams over
Ethernet networks
RFC1042 A Standard for the Transmission of IP Datagrams over
IEEE 802 Networks
IEEE802.1q IEEE Standard for Local and Metropolitan Area
Networks: Virtual Bridged Local Area Networks
IEEE802.2 IEEE Standards for Local Area Networks: Logical Link
Control (LLC)
IEEE802.3 IEEE Standards for Local Area Networks: Carrier Sense
Multiple Access with Collision Detection (CSMA/CD)
Access Method and Physical Layer Specifications
IEEE802.3af Link Aggregation Control Protocol
IPv6
RFC1886 DNS Extensions to Support IP version 6
RFC1887 An Architecture for IPv6 Unicast Address Allocation
RFC1981 Path MTU Discovery for IP version 6
RFC2373 IP Version 6 Addressing Architecture
RFC2374 An IPv6 Aggregatable Global Unicast Address Format
RFC2375 IPv6 Multicast Address Assignments
RFC2452 MIB for TCP6
RFC2454 MIB for UDP6
RFC2460 Internet Protocol, Version 6 (IPv6) Specification
RFC2461 Neighbor Discovery for IP Version 6 (IPv6)
RFC2462 IPv6 Stateless Address Autoconfiguration
RFC2463 Internet Control Message Protocol (ICMPv6) for the
Internet Protocol Version 6 (IPv6) Specification
RFC2464 Transmission of IPv6 Packets over Ethernet Networks
RFC2465 Management Information Base for IP Version
RFC2466 MIB for ICMP6
RFC2470 Transmission of IPv6 Packets over Token Ring
Networks
RFC2472 IP Version 6 over PPP
RFC2529 Transmission of IPv6 over IPv4 Domains without
Explicit Tunnels
RFC2893 Transition Mechanisms for IPv6 Hosts and Routers
RFC3056 Connection of IPv6 Domains via IPv4 Clouds
RFC3363 Representing Internet Protocol version 6 (IPv6)
Addresses in the Domain Name System (DNS)
RFC3513 IP Version 6 Addressing Architecture
RFC3542 Advanced Sockets API for IPv6
RFC3587 An Aggregatable Global Unicast Address Format
RFC3775 Mobility Support in IPv6
draft-ietf-ngtrans-bgp-tunnel-04 Connecting IPv6 Domains across IPv4 Clouds with
BGP
draft-ietf-l3vpn-bgp-ipv6 BGP-MPLS VPN extension for IPv6 VPN
ISIS
RFC1142 OSI IS-IS Intra-domain Routing Protocol
ISO10598 IS-IS intra-domain routing protocol
RFC1195 Use of OSI IS-IS for Routing in TCP/IP and Dual
Environments
RFC2104 HMAC: Keyed-Hashing for Message Authentication
RFC2763 Dynamic Name-to-systemID mapping support
RFC2966 route leak support
RFC2973 Support IS-IS Mesh Groups
RFC3277 IS-IS Transient Blackhole Avoidance
RFC3373 Three-Way Handshake for Intermediate System to
Intermediate System (IS-IS) Point-to-Point Adjacencies
RFC3567 Intermediate System to Intermediate System (IS-IS)
Cryptographic Authentication
RFC3719 Recommendations for Interoperable Networks using
IS-IS
RFC3784 ISIS TE support
RFC3786 Extending the Number of IS-IS LSP Fragments Beyond
the 256 Limit
RFC3787 Recommendations for Interoperable IP Networks using
IS-IS
RFC3847 Restart signaling for IS-IS
RFC4444 Management Information Base for Intermediate System
to Intermediate System (IS-IS)
draft-ietf-isis-admin-tags-01 Policy Control Mechanism in ISIS Using
Administrative Tags
draft-ietf-isis-admin-tags-03 A Policy Control Mechanism in IS-IS Using
Administrative Tags
draft-ietf-isis-ipv6-04 ISIS IPv6 support
draft-ietf-isis-wg-mib-20 Management Information Base for IS-IS
draft-ietf-isis-wg-multi-topology-11 M-ISIS: Multi Topology (MT) Routing in IS-IS
draft-ietf-isis-igp-p2p-over-lan-06 Point-to-point operation over LAN in link-state routing
protocols
draft-ietf-isis-ipv6-06 Routing IPv6 with IS-IS
draft-ietf-isis-link-attr-03 Definition of an IS-IS Link Attribute sub-TLV
draft-ietf-isis-hmac-sha-03 IS-IS Generic Cryptographic Authentication
draft-ietf-isis-wg-multi-topology-07 M-ISIS: Multi Topology (MT) Routing in IS-IS
draft-ietf-bfd-v4v6-1hop-04 BFD for IPv4 and IPv6 (Single Hop)
draft-ietf-isis-3way-03.tx Three-Way Handshake for IS-IS Point-to-Point
Adjacencies
MPLS
RFC1186 Definitions of Textual Conventions (TCs) for
Multiprotocol Label Switching (MPLS) Management
RFC2205 Resource ReSerVation Protocol (RSVP) Version 1
Functional Specification
RFC2209 Resource ReSerVation Protocol (RSVP) -- Version 1
Message Processing Rules
RFC2210 The Use of RSVP with IETF Integrated Services
RFC2430 A Provider Architecture for Differentiated Services and
Traffic Engineering (PASTE).
RFC2702 Requirements for Traffic Engineering Over MPLS
RFC2747 RSVP Cryptographic Authentication
RFC2961 RSVP Refresh Overhead Reduction Extensions
RFC3031 Multiprotocol Label Switching Architecture
RFC3034 Use of Label Switching on Frame Relay Networks
Specification
RFC3035 MPLS using LDP and ATM VC Switching
RFC3036 LDP Specification
RFC3037 LDP Applicability
RFC3038 VCID Notification over ATM link for LDP
RFC3063 MPLS Loop Prevention Mechanism
RFC3107 Support BGP carry Label for MPLS
RFC3209 RSVP-TE Extensions to RSVP for LSP Tunnels
RFC3210 Applicability Statement for Extensions to RSVP for
LSP-Tunnels
RFC3212 Constraint-Based LSP setup using LDP (CR-LDP)
RFC3214 LSP Modification Using CR-LDP
RFC3215 LDP State Machine
RFC3270 Multi-Protocol Label Switching (MPLS) Support of
Differentiated Services
RFC3272 Overview and Principles of Internet Traffic Engineering
RFC3443 Time To Live (TTL) Processing in Multi-Protocol Label
Switching (MPLS) Networks
RFC3469 Framework for Multi-Protocol Label Switching
(MPLS)-based Recovery
RFC3478 Graceful Restart Mechanism for LDP
RFC3479 Fault Tolerance for the Label Distribution Protocol
(LDP)
RFC3480 Signalling Unnumbered Links in CR-LDP
(Constraint-Routing Label Distribution Protocol)
RFC3612 Applicability Statement for Restart Mechanisms for the
Label Distribution Protocol (LDP)
RFC4023 Encapsulating MPLS in IP or Generic Routing
Encapsulation (GRE) 2005-12-07
RFC4090 Fast Reroute Extensions to RSVP-TE for LSP Tunnels
RFC4124 Protocol Extensions for Support of DS-TE
RFC4125 Maximum Allocation Bandwidth Constraints Model for
Diffserv-aware MPLS Traffic Engineering
RFC4126 Max Allocation with Reservation Bandwidth Constraints
Model for Diffserv-aware MPLS Traffic Engineering &
Performance Comparisons
RFC4182 Removing a Restriction on the use of MPLS Explicit
NULL
RFC4197 Requirements for Edge-to-Edge Emulation of Time
Division Multiplexed (TDM) Circuits over Packet
Switching Networks
RFC4221 Multiprotocol Label Switching (MPLS) Management
Overview
RFC4377 Operations and Management (OAM) Requirements for
MPLS
RFC4379 Detecting Multi-Protocol Label Switched (MPLS) Data
Plane Failures
RFC4446 IANA Allocations for Pseudowire Edge to Edge
Emulation (PWE3)
RFC4447 Pseudowire Setup and Maintenance Using the Label
Distribution Protocol (LDP)
RFC4448 Encapsulation Methods for Transport of Ethernet over
MPLS Networks
RFC4558 Node-ID Based Resource Reservation Protocol (RSVP)
Hello
RFC4561 Definition of a Record Route Object (RRO) Node-Id
Sub-Object
draft-ietf-mpls-ldp-mtu-extensions-00 MTU Signalling Extensions for LDP
draft-ietf-mpls-rsvp-lsp-fastreroute-01 Fast Reroute Extensions to RSVP-TE for LSP Tunnels
draft-ietf-mpls-ftn-mib-05.tx Multiprotocol Label Switching (MPLS) FEC-To-NHLFE
(FTN) Management Information Base
draft-ietf-mpls-lsr-mib-07 Multiprotocol Label Switching (MPLS) Label Switch
Router (LSR) Management Information Base
draft-ietf-mpls-te-mib-09 Multiprotocol Label Switching (MPLS) Traffic
Engineering Management Information Base
draft-ietf-mpls-lsp-ping-version-09 Detecting Multi-Protocol Label Switched (MPLS) Data
Plane Failures
draft-ietf-tewg-diff-te-mam-04 Maximum Allocation Bandwidth Constraints Model for
Diff-Serv-aware MPLS Traffic Engineering
draft-ietf-bfd-mpls-02 BFD For MPLS LSPs
draft-ietf-bfd-mpls-03 BFD For MPLS LSPs
draft-ietf-mpls-rfc3036bis-04 LDP Specification
draft-ietf-mpls-ldp-typed-wildcard-00 LDP Typed Wildcard FEC
draft-jork-ldp-igp-sync-01 LDP and IGP synchronization technique
draft-chen-mpls-ldpigp-syn-accurate-00 LDP and IGP synchronization technique
draft-ietf-ccamp-inter-domain-framework-04 Mechanisms for Inter-AS or Inter-Domain Traffic
Engineering
draft-kompella-ppvpn-l2vpn-02 Layer 2 VPNs Over Tunnels
draft-rosen-ppvpn-l2vpn-00 An Architecture for L2VPNs
draft-martini-l2circuit-trans-mpls-10 Transport of Layer 2 Frames Over MPLS
draft-martini-l2circuit-encap-mpls-04 Encapsulation Methods for Transport of Layer 2 Frames
Over IP and MPLS Networks
draft-ietf-avt-hc-over-mpls-protocol -
ITU-T Y.1710 Requirements for OAM functionality for MPLS networks
ITU-T Y.1711 Operation and maintenance mechanism for MPLS
networks
ITU-T Y.1720 Protection switching for MPLS networks
MSTP
IEEE802.1s Multiple Spanning Trees
IEEE802.1ad Virtual Bridged Local Area Networks - Amendment 4:
Provider Bridges, QinQ
Multicast
RFC1112 Host Extensions for IP Multicasting
RFC2236 Internet Group Management Protocol, Version 2
RFC2362 Protocol Independent Multicast-Sparse Mode
(PIM-SM): Protocol Specification
RFC3376 Internet Group Management Protocol, Version 3
RFC3446 Anycast Rendezvous Point (RP) mechanism using
Protocol Independent Multicast (PIM) and Multicast
Source Discovery Protocol (MSDP)
RFC3569 An Overview of Source-Specific Multicast (SSM)
RFC3618 Multicast Source Discovery Protocol (MSDP)
RFC3973 Embedding the Rendezvous Point (RP) Address in an
IPv6 Multicast Address
RFC4541 Considerations for Internet Group Management
Protocol (IGMP) and Multicast Listener Discovery (MLD)
Snooping Switches
RFC4601 Protocol Independent Multicast - Sparse Mode
(PIM-SM): Protocol Specification (Revised)
RFC4604 Using Internet Group Management Protocol Version 3
(IGMPv3) and Multicast Listener Discovery Protocol
Version 2 (MLDv2) for Source-Specific Multicast
RFC4608 Source-Specific Protocol Independent Multicast in
232/8
draft-ietf-pim-sm-bsr-09 Bootstrap Router (BSR) Mechanism for PIM Sparse
Mode
draft-ietf-ssm-arch-01 Source-Specific Multicast for IP
draft-ietf-ssm-overview-04 Source-Specific Multicast for IP
draft-ietf-pim-dm-new-v2-02 Protocol Independent Multicast - Dense Mode
(PIM-DM)
draft-ietf-pim-v2-dm-03 Protocol Independent Multicast Version 2 Dense Mode
Specification
draft-rosen-vpn-mcast-08 Multicast in MPLS/BGP VPNs
draft-fenner-traceroute-ipm-01 A "traceroute" facility for IP Multicast
draft-ietf-magma-snoop-12 Considerations for Internet Group Management
Protocol (IGMP) and Multicast Listener Discovery (MLD)
Snooping Switches
draft-ietf-msdp-spec-13 Multicast Source Discovery Protocol (MSDP)
NTP
RFC1305 Network Time Protocol (Version 3)
OSPF
RFC1131 OSPF specification
RFC1245 OSPF Protocol Analysis
RFC1246 Experience with the OSPF Protocol
RFC1247 OSPF Version 2
RFC1248 OSPF Version 2 Management Information Base
RFC1252 OSPF Version 2 Management Information Base
RFC1253 OSPF Version 2 Management Information Base
RFC1583 OSPF Version 2
RFC1587 The OSPF NSSA Option
RFC1765 OSPF Database Overflow
RFC1850 OSPF Version 2 Management Information Base
RFC2178 OSPF Version 2
RFC2328 OSPF Version 2
RFC2329 OSPF Standardization Report
RFC2370 The OSPF Opaque LSA Option
RFC2740 OSPF for IPv6 (OSPFv3)
RFC2844 OSPF over ATM and Proxy-PAR
RFC3101 The OSPF NSSA Option
RFC3137 OSPF Stub Router Advertisement
RFC3623 OSPF Graceful Restart
RFC3630 Traffic Engineering Extensions to OSPF
RFC4167 Graceful OSPF Restart Implementation Report
draft-katz-yeung-ospf-traffic-09 OSPF TE support
draft-ietf-tewg-diff-te-proto-02 OSPF DS-TE support
draft-rosen-vpns-ospf-bgp-mpls-05 BGP/MPLS VPN support
draft-rosen-ppvpn-ospf2547-area0-01 BGP/MPLS VPN support on AREA 0
draft-ietf-ospf-ospfv3-mib-04 OSPF for IPv6 MIB
draft-ietf-ospf-ospfv3-graceful-restart-04 OSPFv3 Graceful Restart
draft-ietf-ospf-hmac-sha-00 OSPF HMAC-SHA Cryptographic Authentication
PPP
RFC1471 The Definitions of Managed Objects for the IP Network
Control Protocol of the Point-to-Point Protocol
RFC1473 The Definitions of Managed Objects for the IP Network
Control Protocol of the Point-to-Point Protocol
RFC1570 PPP LCP Extensions
RFC1661 The Point-to-Point Protocol (PPP)
RFC1877 PPP Internet Protocol Control Protocol Extensions for
Name Server Addresses
RFC1990 The PPP Multilink Protocol (MP)
RFC1915 The PPP Connection Control Protocol
RFC1934 Ascend's Multilink Protocol Plus (MP+)
RFC1962 The PPP Compression Control
RFC1974 PPP Stac LZS Compression Protocol
RFC1989 PPP Link Quality Monitoring
RFC1994 PPP Challenge Handshake Authentication Protocol
(CHAP)
RFC2364 PPP over AAL5 (PPPoA)
RFC2484 PPP LCP Internationalization Configuration Option
RFC2516 A Method for Transmitting PPP Over Ethernet (PPPoE)
QoS
RFC1144 Compressing TCP/IP Headers for Low-Speed Serial
Links
RFC1349 Type of Service in the Internet Protocol Suite
RFC2309 Recommendations on Queue Management and
Congestion Avoidance in the Internet
RFC2386 A Framework for QoS-based Routing in the Internet
RFC2474 Definition of the Differentiated Services Field (DS Field)
in the IPv4 and IPv6 Headers
RFC2475 An Architecture for Differentiated Services
RFC2597 Assured Forwarding PHB Group
RFC2598 An Expedited Forwarding PHB
RFC2697 A Single Rate Three Color Marker
RFC2698 A Two Rate Three Color Marker
RFC3246 An Expedited Forwarding PHB (Per-Hop Behavior)
RFC3247 Supplemental Information for the New Definition of the
EF PHB
RFC3260 New Terminology and Clarifications for Diffserv
RIP
RFC1058 Routing Information Protocol (RIP)
RFC1389 RIP Version 2 MIB Extension
RFC2082 RIP-2 MD5 Authentication
RFC2091 Triggered Extensions to RIP to Support Demand
Circuits
RFC2453 RIP Version 2
RFC2080 RIPng support
RFC2081 RIPng Protocol Applicability Statement
RMON
RFC2021 Remote Network Monitoring Management Information
Base Version 2 using SMIv2
RFC2819 Remote Network Monitoring Management Information
Base
RSTP
IEEE802.1w Rapid Reconvergence of Spanning Tree (RSTP)
Security
RFC1244 Site Security Handbook
RFC1492 An Access Control Protocol, Sometimes Called
TACACS
RFC1519 Classless Inter-Domain Routing (CIDR): an Address
Assignment and Aggregation Strategy
RFC2267 Network Ingress Filtering: Defeating Denial of Service
Attacks which employ IP Source Address Spoofing
RFC2338 Virtual Router Redundancy Protocol
RFC2365 Administratively Scoped IP Multicast
RFC2787 Definitions of Managed Objects for the Virtual Router
Redundancy Protocol
RFC2827 Network Ingress Filtering: Defeating Denial of Service
Attacks which employ IP Source Address Spoofing
RFC2865 Remote Authentication Dial In User Service (RADIUS)
RFC2866 RADIUS Accounting
RFC2867 RADIUS Accounting Modifications for Tunnel Protocol
Support
RFC2868 RADIUS Attributes for Tunnel Protocol Support
RFC2869 RADIUS Extensions
RFC2903 Generic AAA Architecture
RFC2904 AAA Authorization Framework
RFC2906 AAA Authorization Requirements
RFC3164 The BSD Syslog Protocol
RFC3575 IANA Considerations for RADIUS (Remote
Authentication Dial In User Service)
RFC3619 Extreme Networks' Ethernet Automatic Protection
Switching (EAPS) Version 1
RFC3768 Virtual Router Redundancy Protocol (VRRP)
RFC3826 The Advanced Encryption Standard (AES) Cipher
Algorithm in the SNMP User-based Security Model
draft-grant-tacacs-02 The TACACS+ Protocol Version 1.78
draft-ietf-syslog-transport-udp-09 Transmission of syslog messages over UDP
draft-ietf-syslog-protocol-20 The syslog Protocol
SNMP
RFC1155 Structure and identification of management information
for TCP/IP-based internets
RFC1157 Simple Network Management Protocol (SNMP)
RFC1212 Concise MIB definitions
RFC1214 Definitions of Managed Objects for Data Link Switching
using SMIv2
RFC1215 A Convention for Defining Traps for use with the SNMP
RFC1901 Introduction to Community-based SNMPv2
RFC1902 Structure of Management Information for Version 2 of
the Simple Network Management Protocol (SNMPv2)
RFC1903 Textual Conventions for Version 2 of the Simple
Network Management Protocol (SNMPv2)
RFC1904 Conformance Statements for Version 2 of the Simple
Network Management Protocol (SNMPv2)
RFC1905 Protocol Operations for Version 2 of the Simple Network
Management Protocol (SNMPv2)
RFC1906 Transport Mappings for Version 2 of the Simple
Network Management Protocol (SNMPv2)
RFC1907 Management Information Base for Version 2 of the
Simple Network Management Protocol (SNMPv2)
RFC2570 Introduction to Version 3 of the Internet-standard
Network Management Framework
RFC2571 An Architecture for Describing SNMP Management
Frameworks
RFC2572 Message Processing and Dispatching for the Simple
Network Management Protocol (SNMP)
RFC2573 SNMP Applications
RFC2574 User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)
RFC2575 View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP)
RFC2576 Coexistence between Version 1, Version 2, and Version
3 of the Internet-standard Network Management
Framework
RFC2578 Structure of Management Information Version 2
(SMIv2)
RFC2579 Textual Conventions for SMIv2
RFC2580 Conformance Statements for SMIv2
RFC3410 An Architecture for Describing Simple Network
Management Protocol (SNMP) Management
Frameworks
RFC3411 An Architecture for Describing Simple Network
Management Protocol (SNMP) Management
Frameworks
RFC3412 Message Processing and Dispatching for the Simple
Network Management Protocol (SNMP)
RFC3413 Simple Network Management Protocol (SNMP)
Applications
RFC3414 User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)
RFC3415 View-based Access Control Model (VACM) for the
Simple Network Management Protocol (SNMP)
RFC3416 Version 2 of the Protocol Operations for the Simple
Network Management Protocol (SNMP)
RFC3418 Management Information Base (MIB) for the Simple
Network Management Protocol (SNMP)
RFC3512 Configuring Networks and Devices with Simple Network
Management Protocol (SNMP)
SSHV2
RFC1918 Address Allocation for Private Internets
RFC4245 Improved Arcfour Modes for the Secure Shell (SSH)
Transport Layer Protocol
RFC4250 Protocol Assigned Numbers
RFC4251 The Secure Shell (SSH) Protocol Architecture
RFC4252 The Secure Shell (SSH) Authentication Protocol
RFC4253 The Secure Shell (SSH) Transport Layer Protocol
RFC4254 The Secure Shell (SSH) Connection Protocol
RFC4344 The Secure Shell (SSH) Transport Layer Encryption
Modes
System Management
RFC1200 IAB official protocol standards
RFC1537 Common DNS Data File Configuration Errors
RFC1239 Reassignment of experimental MIBs to standard MIBs
RFC1493 Definitions of Managed Objects for Bridges
RFC2096 IP Forwarding Table MIB
RFC2737 Entity MIB (Version 2)
RFC3593 Textual Conventions for MIB Modules Using
Performance History Based on 15 Minute Intervals
RFC3737 IANA Guidelines for the Registry of Remote Monitoring
(RMON) MIB modules
TCP/IP
RFC0768 User Datagram Protocol
RFC0791 INTERNET PROTOCOL DARPA INTERNET
PROGRAM PROTOCOL SPECIFICATION
RFC0792 INTERNET CONTROL MESSAGE PROTOCOL
RFC0793 TRANSMISSION CONTROL PROTOCOL
RFC0950 Internet Standard Subnetting Procedure
RFC1034 Domain Names - Concepts and Facilities
RFC1035 Domain Names - Implementation and Specification
RFC1071 Computing the Internet Checksum
RFC1122 Requirements for Internet Hosts -- Communication
Layers
RFC1141 Incremental Updating of the Internet Checksum
RFC1256 ICMP Router Discovery Messages
RFC1323 TCP Extensions for High Performance
RFC1534 Interoperation Between DHCP and BOOTP
RFC1624 Computation of the Internet Checksum via Incremental
Update
RFC1878 Variable Length Subnet Table For IPv4
RFC2131 Dynamic Host Configuration Protocol
RFC2132 DHCP Options and BOOTP Vendor Extensions
RFC2507 IP Header Compression
RFC2508 Compressing IP/UDP/RTP Headers for Low-Speed
Serial Links
RFC2644 Changing the Default for Directed Broadcasts in
Routers
RFC2694 DNS extensions to Network Address Translators
(DNS_ALG)
RFC3046 DHCP Relay Agent Information Option
RFC3396 Encoding Long Options in the Dynamic Host
Configuration Protocol (DHCPv4)
draft-fenner-traceroute-ipm-01 A "traceroute" facility for IP Multicast
TELNET
RFC0854 TELNET PROTOCOL SPECIFICATION
RFC0857 TELNET ECHO OPTION
RFC0858 TELNET SUPPRESS GO AHEAD OPTION
RFC1091 Telnet Terminal-Type Option
VPN
RFC1701 Generic Routing Encapsulation (GRE)
RFC1702 Generic Routing Encapsulation over IPv4 networks
RFC2764 A Framework for IP Based Virtual Private Networks
RFC2784 Generic Routing Encapsulation (GRE)
RFC3809 Generic Requirements for Provider Provisioned Virtual
Private Networks (PPVPN)
RFC3916 Requirements for Pseudo-Wire Emulation
Edge-to-Edge (PWE3)
RFC3985 Pseudo Wire Emulation Edge-to-Edge (PWE3)
Architecture
RFC4110 A Framework for Layer 3 Provider-Provisioned Virtual
Private Networks (PPVPNs)
RFC4659 BGP-MPLS VPN Extension for IPv6 VPN
RFC4664 Framework for Layer 2 Virtual Private Networks
(L2VPNs)
RFC4665 Service Requirements for Layer 2 Provider-Provisioned
Virtual Private Networks
RFC4761 Virtual Private LAN Service (VPLS) Using BGP for
Auto-Discovery and Signaling
RFC4762 Virtual Private LAN Service (VPLS) Using Label
Distribution Protocol (LDP) Signaling
RFC4847 Framework and Requirements for Layer 1 Virtual
Private Networks
draft-ietf-ppvpn-rfc2547bis-01 BGP/MPLS VPN Arch
draft-ietf-ppvpn-mpls-vpn-mib-04 BGP/MPLS VPN Management Information Base
Using SMIv2
draft-ietf-mpls-bgp-mpls-restart-05 Graceful Restart Mechanism for BGP with MPLS
draft-ietf-l3vpn-bgpvpn-auto Using BGP as an Auto-Discovery Mechanism for
Provider-provisioned VPNs
draft-ietf-l3vpn-bgp-ipv6-03 BGP-MPLS VPN extension for IPv6 VPN
draft-ietf-pwe3-hdlc-ppp-encap-mpls-09 Encapsulation Methods for Transport of PPP/HDLC
Over MPLS Networks
draft-ietf-pwe3-vccv-10 Pseudo Wire Virtual Circuit Connectivity Verification
(VCCV)
draft-raggarwa-rsvpte-pw-00 Setup and Maintenance of Pseudowires using
RSVP-TE
draft-ietf-pwe3-oam-msg-map-04 Pseudo Wire (PW) OAM Message Mapping
draft-ietf-l2vpn-vpls-bgp-06 Virtual Private LAN Service
draft-ietf-l2vpn-vpls-ldp-02 Virtual Private LAN Services over MPLS
draft-kompella-l2vpn-l2vpn-00 pseudo wires created using BGP as signalling and
auto-discovery protocol
draft-ietf-pwe3-MS-PW-arch -

A.2 Electromagnetic Compatibility Standards


• CISPR22 Class A
• CISPR24
• EN55022 Class A
• EN50024
• ETSI EN 300 386 Class A
• CFR 47 FCC Part 15 Class A
• ICES 003 Class A
• AS/NZS CISPR22 Class A
• GB9254 Class A
• VCCI Class A
• CNS 13438 Class A

A.3 Safety Standards


• IEC 60950-1
• IEC/EN41003
• EN 60950-1
• UL 60950-1
• CSA C22.2 No 60950-1
• AS/NZS 60950.1
• BS EN 60950-1
• ITU-T K.20
• GB4943
• FDA rules, 21 CFR 1040.10 and 1040.11
• IEC60825-1, IEC60825-2, EN60825-1, EN60825-2
• GB7247

A.4 Environmental Standards


• RoHS
• GR-63
• GB/T13543-92
• ETS 300 019-2
• GB2423-89
• IEC 60068-2
• GB 4789
• ISTA

A.5 Other Standards


• ICNIRP Guideline
• 1999-519-EC
• EN 50385
• OET Bulletin 65
• IEEE Std C95.1
• EN 60215
• ITU-T K.27
• ETSI EN 300 253

B Acronyms and Abbreviations

A
AAA Authentication, Authorization and Accounting
AAL5 ATM Adaptation Layer 5
AC Alternating Current
ACL Access Control List
AF Assured Forwarding
ANSI American National Standard Institute
ARP Address Resolution Protocol
ASBR Autonomous System Boundary Router
ASIC Application Specific Integrated Circuit
ATM Asynchronous Transfer Mode
AUX Auxiliary (port)

B
BE Best-Effort
BGP Border Gateway Protocol
BGP4 BGP Version 4

C
CAR Committed Access Rate
CBR Constant Bit Rate
CE Customer Edge
CHAP Challenge Handshake Authentication Protocol
CoS Class of Service
CPU Center Processing Unit
CR-LDP Constrained Route - Label Distribution Protocol

D
DC Direct Current
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Server
DS Differentiated Services

E
EACL Enhanced Access Control List
EF Expedited Forwarding
EMC ElectroMagnetic Compatibility

F
FE Fast Ethernet
FEC Forwarding Equivalence Class
FIB Forward Information Base
FIFO First In First Out
FR Frame Relay
FTP File Transfer Protocol

G
GE Gigabit Ethernet
GRE Generic Routing Encapsulation
GTS Generic Traffic Shaping

H
HA High availability
HDLC High level Data Link Control
HTTP Hyper Text Transport Protocol

I
ICMP Internet Control Message Protocol
IDC Internet Data Center
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IGMP Internet Group Management Protocol
IGP Interior Gateway Protocol
IP Internet Protocol
IPoA IP Over ATM
IPTN IP Telephony Network
IPv4 IP version 4
IPv6 IP version 6
IPX Internet Packet Exchange
IS-IS Intermediate System-Intermediate System
ISP Interim inter-switch Signaling Protocol
ITU International Telecommunication Union - Telecommunication Standardization Sector

L
L2TP Layer 2 Tunneling Protocol
LAN Local Area Network
LCD Liquid Crystal Display
LCP Link Control Protocol
LDP Label Distribution Protocol
LER Label switching Edge Router
LPU Line Processing Unit
LSP Label Switched Path
LSR Label Switch Router

M
MAC Media Access Control
MBGP Multiprotocol Border Gateway Protocol
MD5 Message Digest 5
MIB Management Information Base
MP Multilink PPP
MPLS Multi-protocol Label Switch
MSDP Multicast Source Discovery Protocol
MSTP Multiple Spanning Tree Protocol
MTBF Mean Time Between Failures
MTTR Mean Time To Repair
MTU Maximum Transmission Unit

N
NAT Network Address Translation
NLS Network Layer Signaling
NP Network Processor
NTP Network Time Protocol
NVRAM Non-Volatile Random Access Memory

O
OSPF Open Shortest Path First

P
PAP Password Authentication Protocol
PE Provider Edge
PFE Packet Forwarding Engine
PIC Parallel Interference Cancellation
PIM-DM Protocol Independent Multicast-Dense Mode
PIM-SM Protocol Independent Multicast-Sparse Mode
POP Point Of Presence
POS Packet Over SDH/SONET
PPP Point-to-Point Protocol
PQ Priority Queue
PT Protocol Transfer
PVC Permanent Virtual Channel
PWE3 Pseudo Wire Emulation Edge-to-Edge

Q
QoS Quality of Service

R
RADIUS Remote Authentication Dial in User Service
RAM Random-Access Memory
RED Random Early Detection
RFC Requirement for Comments
RH Relative Humidity
RIP Routing Information Protocol
RMON Remote Monitoring
ROM Read Only Memory
RP Rendezvous Point
RPR Resilient Packet Ring
RSVP Resource Reservation Protocol
RSVP-TE RSVP-Traffic Engineering

S
SAP Service Advertising Protocol
SCSR Self-Contained Standing Routing
SDH Synchronous Digital Hierarchy
SDRAM Synchronous Dynamic Random Access Memory
SFU Switch Fabric Unit
SLA Service Level Agreement
SNAP SubNet Attachment Point
SNMP Simple Network Management Protocol
SONET Synchronous Optical Network
SP Strict Priority
SPI4 SDH Physical Interface
SSH Secure Shell
STM-16 SDH Transport Module -16
SVC Switching Virtual Connection

T
TCP Transfer Control Protocol
TE Traffic Engineering
TFTP Trivial File Transfer Protocol
TM Traffic Manager
ToS Type of Service
TP Topology and Protection packet

U
UBR Unspecified Bit Rate
UDP User Datagram Protocol
UNI User Network Interface
UTP Unshielded Twisted Pair
URPF Unicast Reverse Path Forwarding

V
VBR-NRT Non-Real Time Variable Bit Rate
VBR-RT Real Time Variable Bit Rate
VC Virtual Circuit
VCI Virtual Channel Identifier
VDC Variable Dispersion Compensator
VLAN Virtual Local Area Network
VLL Virtual Leased Line
VPI Virtual Path Identifier
VPLS Virtual Private LAN Service
VPN Virtual Private Network
VRP Versatile Routing Platform
VRRP Virtual Router Redundancy Protocol

W
WAN Wide Area Network
WFQ Weighted Fair Queuing
WRED Weighted Random Early Detection
WRR Weighted Round Robin