
Product Description

Quidway NetEngine80E Core Router V300R003

Issue: 01
Date: 2007-09-10

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. Please feel free to contact our local office or company headquarters.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Copyright

Huawei Technologies Co., Ltd. 2007. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions


and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Issue 01 (2007-09-10)

Commercial in Confidence


About This Document


Author
Role | Name | Date
Prepared by | Du fang | 2007-07-24
Reviewed by | Tian xiao dong, Geng aiju, Lu guang, Wang xiaotang, Li xue | 2007-08-10
Approved by | Wen zhixiang | 2007-09-10

Summary
This document describes the product features, hardware architecture, link features, software features, operation and maintenance, network management, networking applications, and technical specifications of the Quidway NetEngine80E core router.

This document includes:

Chapter | Details
1 Product Features | This chapter introduces the product positioning and features of the NE80E.
2 System Architecture | This chapter describes the physical, logical, and software architecture of the NE80E.
3 Hardware Architecture | This chapter describes the chassis, fans, power modules, and board types of the NE80E.
4 Link Features | This chapter describes the link features of the NE80E.
5 Primary Service Features | This chapter describes the service features of the NE80E.
6 Maintenance and Network Management System | This chapter describes operation and maintenance, and network management of the NE80E.
7 Networking Applications | This chapter describes the networking applications of the NE80E.
8 Technical Specifications | This chapter describes the technical specifications of the NE80E.

History
Issue | Details | Date | Author | Approved by
01 | Creation | 2007-09-10 | Du fang | Wen zhixiang

Contents
1 Product Features
  1.1 Positioning
  1.2 Abundant Services
  1.3 High-Density LPUs
  1.4 Powerful Forwarding Capacity
  1.5 Perfect QoS Mechanism
  1.6 Excellent Security Design
  1.7 Good IPv4 and IPv6 Compatibility
  1.8 Compatibility and Expansion Capacity
  1.9 High Reliability

2 System Architecture
  2.1 Physical System Architecture
  2.2 Logical System Architecture
  2.3 Software Architecture
  2.4 VRPv5 Architecture

3 Hardware Architecture
  3.1 Chassis
  3.2 Fans
    3.2.1 Fan Module
    3.2.2 Ventilation and Heat Dissipation System
  3.3 Power Modules
    3.3.1 DC-Input Power Supply
    3.3.2 AC-Input Power Supply
  3.4 LCD
    3.4.1 Introduction
    3.4.2 Appearance
  3.5 Board Cage
    3.5.1 Board Cage
    3.5.2 Board Distribution in the Board Cage
  3.6 Boards
    3.6.1 MPU
    3.6.2 SFU
    3.6.3 LPU
    3.6.4 Service Boards

4 Link Features
  4.1 Ethernet Link Features
    4.1.1 Basic Features
    4.1.2 Ethernet Bundling
    4.1.3 Virtual Ethernet Interfaces
  4.2 FR Link Features
  4.3 POS Link Features
    4.3.1 SDH/SONET
    4.3.2 POS Interface
    4.3.3 POS Sub-interface
    4.3.4 IP Trunk
  4.4 CPOS Link Features
    4.4.1 Channelization
    4.4.2 PPP/HDLC
  4.5 ATM Link Features
    4.5.1 SDH/SONET
    4.5.2 PVP/PVC
    4.5.3 IPoA
    4.5.4 ATM Sub-interface
    4.5.5 ATM OAM
    4.5.6 1483B
    4.5.7 ATM Cell Relay
  4.6 RPR Link Features
    4.6.1 RPR Fairness Algorithm
    4.6.2 Protection Mechanism
  4.7 CE1/CT1/E3/T3 Link Features
    4.7.1 PPP/HDLC/FR
    4.7.2 Channelized Links
    4.7.3 Link Binding

5 Primary Service Features
  5.1 Ethernet Features
    5.1.1 Switched Ethernet Link Features
    5.1.2 Routed Ethernet Link Features
    5.1.3 Ethernet Clock Synchronization
    5.1.4 MACinMAC
    5.1.5 QinQ
    5.1.6 RRPP Link Features
    5.1.7 RSTP/MSTP
    5.1.8 BPDU Tunnel
    5.1.9 V-Switch
  5.2 IP Features
    5.2.1 IPv4/IPv6 Dual-Protocol Stacks
    5.2.2 IPv4 Features
    5.2.3 IPv6 Features
    5.2.4 GRE
    5.2.5 IPv4-IPv6 Transition Technologies
  5.3 Routing Protocols
    5.3.1 Unicast Routing
    5.3.2 Multicast Routing
  5.4 MPLS Features
    5.4.1 Basic Functions
    5.4.2 MPLS TE
    5.4.3 MPLS OAM
  5.5 VPN Features
    5.5.1 Tunnel Policy
    5.5.2 VPN Tunnel
    5.5.3 MPLS L2VPN
    5.5.4 MPLS/BGP L3VPN
    5.5.5 L2VPN Access to the L3VPN
    5.5.6 VPN QoS
  5.6 IPTN Features
  5.7 QoS Features
    5.7.1 DiffServ Model
    5.7.2 Traffic Classification
    5.7.3 Traffic Policing
    5.7.4 Queue Scheduling
    5.7.5 Congestion Management
    5.7.6 Traffic Shaping
    5.7.7 HQoS
    5.7.8 QPPB
    5.7.9 Ethernet QoS
    5.7.10 ATM QoS
    5.7.11 FR QoS
  5.8 Traffic Statistics
    5.8.1 URPF Traffic Statistics
    5.8.2 ACL Traffic Statistics
    5.8.3 CAR Traffic Statistics
    5.8.4 HQoS Traffic Statistics
    5.8.5 Interface-based Traffic Statistics
    5.8.6 VPN Traffic Statistics
    5.8.7 TE Tunnel Traffic Statistics
  5.9 IP Compression
  5.10 Network Security
    5.10.1 AAA
    5.10.2 Protocol Security Authentication
    5.10.3 URPF
    5.10.4 MAC Limit
    5.10.5 Unknown Traffic Limit
    5.10.6 DHCP Snooping
    5.10.7 Local Anti-attack
    5.10.8 GTSM
    5.10.9 ARP Anti-attack
    5.10.10 Mirroring
    5.10.11 NetStream
    5.10.12 Lawful Interception
  5.11 Network Reliability
    5.11.1 Backup of Key Modules
    5.11.2 High Reliability of the LPU
    5.11.3 Customized Alarm Damping
    5.11.4 Ethernet OAM
    5.11.5 VRRP
    5.11.6 VGMP
    5.11.7 GR
    5.11.8 BFD
    5.11.9 FRR

6 Maintenance and Network Management System
  6.1 Maintenance Features and Functions
    6.1.1 System Configuration Mode
    6.1.2 System Management and Maintenance
    6.1.3 System Service and Status Tracking
    6.1.4 System Test and Diagnosis
    6.1.5 Online Debugging
    6.1.6 In-Service Upgrade
    6.1.7 Miscellaneous Features
  6.2 Network Management System

7 Networking Applications
  7.1 Application on the National Backbone Network
  7.2 Application on the IP Bearer Network
  7.3 Application on the IPTV Bearer Network
  7.4 Application on the Multi-Service IP MAN
  7.5 Application on the IPv6 Backbone Network

8 Technical Specifications
  8.1 Physical Specifications
  8.2 System Configuration
  8.3 Specifications of System Features and Service Performances
    8.3.1 Specifications of System Features
    8.3.2 Specifications of Service Performances

1 Product Features

1.1 Positioning

The Huawei Quidway NetEngine80E core router (hereinafter referred to as NE80E) is a high-end router with 10-Gbit/s interfaces designed for core and backbone networks. The NE80E is positioned as the core, edge, or convergence router on the Metropolitan Area Network (MAN).

Based on the powerful Versatile Routing Platform (VRP), the NE80E features the following:
- Abundant services
- Large capacity
- High performance
- High reliability

1.2 Abundant Services


Based on the VRPv5, the NE80E provides the following abundant service features:
- IPv4/IPv6 unicast and multicast routing protocols, MPLS, and MPLS TE
- Complete VPN services, such as L2 VPN, VPLS, VLL, L3 VPN, and multicast VPN services, HoVPN services, and multi-role host services
- Abundant Layer 2 service features, such as Layer 2 VLAN, selective QinQ, QinQ termination, MACinMAC, RRPP, and STP/MSTP

IPv4 = Internet Protocol version 4; IPv6 = Internet Protocol version 6; MPLS = MultiProtocol Label Switching; TE = Traffic Engineering; VPN = Virtual Private Network; VPLS = Virtual Private LAN Service; VLL = Virtual Leased Line; HoVPN = Hierarchy of VPN; VLAN = Virtual LAN; LAN = Local Area Network; QinQ = 802.1Q in 802.1Q; RRPP = Rapid Ring Protection Protocol; STP = Spanning Tree Protocol; MSTP = Multiple Spanning Tree Protocol

1.3 High-Density LPUs


The NE80E provides the following types of interfaces:
- LAN and MAN interfaces
  - 10M/100M/1000M/10G Ethernet interfaces
  - 10G POS/2.5G POS/GE RPR interfaces
- WAN interfaces
  - POS: 155M/622M/2.5G/10G POS interfaces
  - CPOS: 155M/2.5M CPOS interfaces
  - ATM: 155M/622M ATM interfaces
  - TDM: CE1/CT1/E1/T1/E3/T3 TDM interfaces

RPR = Resilient Packet Ring; WAN = Wide Area Network; POS = Packet over SONET/SDH; CPOS = channelized POS; ATM = Asynchronous Transfer Mode; TDM = Time Division Multiplexing

Table 1-1 Interfaces that the NE80E supports

Interface Type | Quantity per Board | Quantity in the System
10G POS | 2 | 32
2.5G POS | 4 | 64
622M POS | 4 | 64
155M POS | 16 | 256
10GE | 2 | 32
GE | 24 | 384
10G RPR | 1 | 16
2.5G RPR | 4 | 64
GE RPR | 4 | 64
622M ATM | 8 | 128
155M ATM | 16 | 256

1.4 Powerful Forwarding Capacity


Designed with a hardware-based forwarding engine, the NE80E carries out the following:
- Full-duplex line-rate forwarding that includes IPv4/IPv6/MPLS/Layer 2 forwarding of all interfaces
- Bidirectional ACL-based line-rate forwarding
- Line-rate multicasting. The hardware completes two-level packet replication:
  - The SFU replicates the multicast packets to the LPU.
  - The forwarding engine of the LPU replicates the multicast packets to its interface.

A single slot supports the 2 x 10-Gbit/s LPU. The whole system supports up to sixteen 2 x 10-Gbit/s LPUs. The forwarding capacity reaches 2.56 Tbit/s and the backplane capacity is 4 Tbit/s. The forwarding engine buffers packets for 200 ms, which ensures that no packets are lost in the case of burst traffic.

1.5 Perfect QoS Mechanism


The NE80E provides the following QoS scheduling and buffer mechanisms:
- PQ and WRR/WFQ: They guarantee fair dispatching and ensure that high-precedence services are performed first.
- Three-stage switching network based on the CIOQ: It avoids head-of-line blocking.
- Flow-based dispatching: It facilitates MPLS TE and supports DiffServ and IntServ.
- Eight precedence dispatching queues: They prevent high-precedence traffic from being interfered with.
- Hardware-based QoS functions: They ensure packet forwarding at the line rate when QoS is enabled.
- HQoS of five-level scheduling

PQ = Priority Queue; WRR = Weighted Round Robin; WFQ = Weighted Fair Queuing; CIOQ = Combined Input and Output Queuing; DiffServ = Differentiated Service; QoS = Quality of Service; HQoS = Hierarchical QoS

The perfect QoS mechanism answers the demands of the IP Telephony Network (IPTN). It guarantees the delay, jitter, bandwidth, and packet drop ratio of different services. It also guarantees the launch of carrier-class services such as Voice over IP (VoIP).

1.6 Excellent Security Design


The NE80E takes multiple security measures to protect the data of Internet Service Provider (ISP) networks and end users. These measures protect against denial-of-service attacks, unauthorized access, and overload of the control plane. The security design of the NE80E separates the data plane from the control plane.

The NE80E provides the following security features:
- Three user authentication modes: local authentication, RADIUS authentication, and HWTACACS authentication
- Hardware-based packet filtering and mirroring without affecting forwarding capacities
- Multiple authentication methods, including plain text authentication and MD5, for upper-layer routing protocols such as OSPF, IS-IS, RIP, and BGP-4
- ACL on the forwarding plane and control plane
- Local anti-attack
- Lawful interception/URPF
- DHCP snooping and MAC address limit
- GTSM

RADIUS = Remote Authentication Dial in User Service; MD5 = Message Digest 5; OSPF = Open Shortest Path First; IS-IS = Intermediate System-to-Intermediate System; RIP = Routing Information Protocol; BGP = Border Gateway Protocol; ACL = Access Control List; URPF = Unicast Reverse Path Forwarding; DHCP = Dynamic Host Configuration Protocol; GTSM = Generalized TTL Security Mechanism

1.7 Good IPv4 and IPv6 Compatibility


The NE80E fully supports the IPv4 and IPv6 dual protocol stacks. It can provide all IPv6 features, and offers a good solution to the smooth transition from IPv4 networks to IPv6 networks.

The NE80E provides various IPv6 over IPv4 tunnels and IPv4 over IPv6 tunnels. The routing table and the forwarding table with large capacity enable the NE80E to serve as the VPN Provider Edge (PE), and support future expansion of services. The NE80E supports the distributed forwarding of both IPv4/IPv6 and MPLS. Based on its powerful routing capability, the NE80E can be applied on the backbone network. The NE80E supports IPv4/IPv6 dynamic unicast and multicast routing protocols.

1.8 Compatibility and Expansion Capacity


The NE80E provides powerful compatibility and expansion capacity as follows:
- The backplane of the NE80E has a large capacity, which reserves enough bandwidth for future capacity expansion.
- The NE80E forwards services through the NP, which is flexible in programming. You can install software to carry new services.
- Designed with the TM separated from the PFE, the NE80E supports two PFEs, namely ASIC and NP, to realize various applications.

1.9 High Reliability


On the basis of the carrier-class design, the chassis of the NE80E supports hot swap. It can be installed in an N68-22 or standard 19-inch cabinet. The NE80E provides a powerful monitoring system. With the main control module, the NE80E manages and maintains the whole system. The main control module manages, monitors, and maintains boards, fans, the Liquid Crystal Display (LCD), and the power module. The system complies with Electro Magnetic Compatibility (EMC). The modular design of the system realizes the EMC between boards. The NE80E fully meets the requirements for the high reliability of carrier-class and high-end routers. Table 1-2 lists its reliability specifications.

Table 1-2 Reliability specifications

| Item | Description |
|---|---|
| Availability | 0.99999768 |
| Mean Time Between Failures (MTBF) | 24.59 years |
| Mean Time To Repair (MTTR) | 0.5 hour |
| Downtime | 1.22 minutes/year |

The NE80E provides the following features to ensure high reliability.

Table 1-3 Reliability features

| Item | Description |
|---|---|
| System protection mechanism | Hot swappable boards, power modules, and fans; 1:1 backup of the MPUs; 3+1 load balancing and backup of the Switch Fabric Units (SFUs); 3+3 power backup and the switched-mode power supply (SMPS) of the DC power module; 1+1 backup of the fan modules; 1+1 backup of the power modules; Backup of clocks and management buses |
| Protections against abnormalities | Restarts automatically when abnormalities occur and recovers; Resets a board when abnormalities occur on the board and recovers; Automatically restores the interface configuration; Provides protections against over-current and over-voltage for power and interface modules; Provides protection against mis-insertion |
| | Power alarm monitoring; Voltage and environment temperature monitoring; Provides alarm prompt, alarm indication, running status query and alarm status query |
| Reliability design | Applies hardware-based forwarding; Separates the control channel from the service channel to provide a non-blocking control channel; Provides system and board fault detection, indicators, and NMS alarm function |
| Reliable upgrade | Supports in-service patching; Supports version backoff; Supports in-service upgrade of the BootROM |
| Fault tolerance design | The backplane provides 8BCP check; Supports Error Checking and Correction (ECC) RAM |
| Data backup | Supports data hot backup between active and standby units |
| Synchronization configuration | Supports the synchronization between LPUs and Main_Control_Boards |
| | Automatically selects and boots correct applications; Supports the automatic upgrade and restoration of the BootROM program; Backs up configuration files to the remote FTP server; Automatically selects and runs correct configuration files; Provides the abnormality monitoring for system software, such as automatic restoration and log record |
| Operation security | Provides password protection for system operations; Provides hierarchical commands by the configuration of subscriber levels and command levels; Supports configuration terminal locking by commands in case of invalid usage; Provides protection and prompt for improper operation, such as the operation and confirmation prompts for some commands which may degrade the system performance |
| Operation and maintenance center | Applies the generic integrated Network Management System (NMS) platform which is developed by Huawei |

2 System Architecture

2.1 Physical System Architecture

Figure 2-1 shows the NE80E physical architecture, which includes the following systems:
- Power distribution system
- Functional host system
- Heat dissipation system
- Network management system

Except for the network management system (NMS), all systems are in the integrated cabinet. The following figure uses the DC power module as an example.

[Figure 2-1 Physical architecture. Labels: -48 V and -48 V RTN inputs, integrated chassis, power distribution system, functional host system, Monitorbus, fan heat dissipation system, Ethernet, network management subsystem.]

RTN indicates Return.

Both the power distribution system and the fan heat dissipation system are in 1+1 backup mode. The following introduces only the functional host system.

Functional Host System


The functional host system processes data. In addition, it monitors and manages the whole system, such as the power distribution system, the fan heat dissipation system, and the NMS through NMS interfaces. Figure 2-2 shows the functional host system of the NE80E.

[Figure 2-2 Functional host system. Labels: system backplane with monitoring bus and management bus; MPU (Active) and MPU (Slave), each with a system monitoring unit and a management bus switching unit; LPU1 and LPU 8, each with a monitoring unit, management unit, POS/Ethernet physical interface unit, and forwarding unit; SFU module with switching network monitoring unit, switching network control unit, and switching network; serial link groups. Note (1): The link connects to management bus switching unit of another MPU.]

2.2 Logical System Architecture


As shown in Figure 2-3, the NE80E is logically divided into:
- Data plane
- Control and management plane
- Monitoring plane

[Figure 2-3 Logical architecture. Monitoring plane: monitoring units on the LPUs and the switching network, system monitoring unit on the MPU. Control & management plane: management units on the LPUs, system control unit, switching network control unit. Data plane: forwarding units on the LPUs, switching network on the SFU.]

2.3 Software Architecture


Figure 2-4 shows the software architecture of the NE80E.

[Figure 2-4 Software architecture. Labels: fan monitoring, LCD control, power monitoring, RPS (Active), SNMP, RPS (Standby), IPC, and an FSU and EFU on each LPU.]

In terms of the software, the NE80E consists of the Routing Process System (RPS), power monitoring module, fan monitoring module, LCD control module, Forwarding Support Unit (FSU), and Express Forwarding Unit (EFU).
- The RPS is the control and management module that runs on the MPU. The RPSs of the active MPU and the standby MPU back up each other. They support IPv4/IPv6, MPLS, LDP, and routing protocols, calculate routes, set up LSPs and the SPT, generate the unicast, multicast, and MPLS forwarding table, and deliver the routing information to the LPU.
- The FSU realizes the functions of the link layer and IP protocol stacks on an interface.
- The EFU performs hardware-based IPv4/IPv6 forwarding, multicast forwarding, MPLS forwarding, and statistics.

2.4 VRPv5 Architecture


The VRPv5 consists of:
- System service plane
  It provides such functions as task and memory management, timer, software loading and patching on the basis of the operating system. It uses the modular technology to facilitate system upgrade and customization.
- Versatile control plane
  It is the core of the VRP datacom plane as well as the basis of security and QoS. It supports link management, IPv4/IPv6 protocol stacks, routing protocol processing, MPLS, and MPLS VPN TE. It is used to control the data forwarding plane and realize various functions of the device.
- Data forwarding plane
  It forwards data under the control of the versatile control platform. The VRPv5 supports data forwarding based on software and hardware. The data forwarding plane is the task executor of the NE80E.
- Service control plane
  It controls and manages the system as required, including authentication, authorization, and accounting.
- System management plane
  It manages user interfaces and Input/Output. It is the basis of network management and maintenance.

The VRPv5 has the following characteristics:
- The system structure adopts the modular design.
- The components can be upgraded independently, without affecting the running of other components.
- The system is easy to maintain and supports smooth service expansion.
- In-service patching offers flexible methods of enhancing service features and correcting defects. Network reliability is thus guaranteed.
- The system supports the hardware-based structure. Various modules run on different CPUs. The security and reliability are thus ensured.

CPU = Central Processing Unit.

3 Hardware Architecture

3.1 Chassis

The NE80E consists of an integrated chassis (with a backplane), power modules, ventilation and heat dissipation system, and boards. The dimensions of the NE80E are 442 mm x 669 mm x 1600 mm (width x depth x height). The NE80E can be mounted in a standard 19-inch cabinet or an N68-22 cabinet. The inner available height of an N68-22 cabinet is 46 U and the dimensions are 600 mm x 800 mm x 2200 mm (width x depth x height). Figure 3-1 shows the appearance of the NE80E.

[Figure 3-1 Appearance. Callouts: 1. LCD; 2. Fan module; 3, 5. Cabling trough; 4. Board cage; 6. Air intake frame; 7. Plastic panel of the power module; 8. Power module; 9. Rack-mounting ear; 10. Handle.]

3.2 Fans
3.2.1 Fan Module
There are two fan modules behind the LCD panel in the NE80E. The fan modules help in the air ventilation and heat dissipation of the boards.
- The fan modules can provide fan fault alarms.
- The main FAN Control Board (FCB) module in the MPU can control the speed of the fans based on the temperature in the board cage.
- The operation and failure indicators are on the LCD panel.
- Each fan module has two centrifugal fans.

Figure 3-2 shows the appearance of the fan module.

[Figure 3-2 Appearance of the fan module]

3.2.2 Ventilation and Heat Dissipation System


Ventilation and heat dissipation are performed from bottom up on the board cage of the NE80E.
- The fans integrated on the power module are located at the bottom of the chassis.
- The air channels of the power module and the board cage are separated from each other.
- The air flows from the front of the power module to the back for ventilation and heat dissipation.

3.3 Power Modules


The NE80E provides two types of power supply:
- DC-input power supply
- AC-input power supply

3.3.1 DC-Input Power Supply


The DC power module of the NE80E supports 3+3 backup of the power. The power module behind the plastic panel inputs DC power and distributes the power. The power module inputs three channels of the power and adopts the switched-mode power supply (SMPS). Each of the power modules inputs three channels of the 48 V DC power at the same time. The three channels of DC power supply power to different modules.

[Figure 3-3 Appearance of the DC power module]

The 48 V DC power module outputs:
- Primary straight-through power
- Secondary 48 V DC regulated voltage

The DC power module provides protections against the following:
- Short circuit
- Over-current
- Over-voltage
- Short circuit

It also supports the alarm function.

3.3.2 AC-Input Power Supply


The AC power modules of the NE80E work in 1+1 backup mode. The power module behind the plastic panel inputs AC power and distributes the power. The AC power module is designed with the 3 U high structure. Figure 3-4 shows the appearance of the AC power module.

[Figure 3-4 Appearance of the AC power module]

The AC power module outputs:
- 4500 W primary power
- 500 W secondary power

The AC power module provides protections against the following:
- Output over-current
- Output over-voltage
- Output under-voltage
- Input over-voltage
- Input under-voltage
- Over-temperature
- Short circuit

It also supports the alarm function.

3.4 LCD
3.4.1 Introduction
The LCD is used to display the information and status of the board, environment, fan module, and power module. The LCD supports two display modes:
- Idle mode: the default mode. It is used to display the normal status of the system.
- Menu query mode: It supports menus of up to three levels.

3.4.2 Appearance
Figure 3-5 shows the appearance of the LCD.

[Figure 3-5 Appearance of the LCD. Callouts: 1. FAN1 indicator; 2. FAN2 indicator; 3. Push buttons; 4. Liquid crystal display. Panel labels: Cancel, Menu, Enter, Mute; FAN1 and FAN2, each with RUN and ALM.]

3.5 Board Cage


3.5.1 Board Cage
The NE80E has two board cages, each of which has 11 slots. The slots can hold 16 LPUs or NetStream SPUs, 4 SFUs, and 2 MPUs. As shown in Figure 3-6, the left is the entity diagram and the right is the schematic diagram.

[Figure 3-6 Board cage. Upper cage, left to right: slots 1 to 4 (LPU), 17 and 18 (MPU), 5 to 9 (LPU). Lower cage, left to right: slots 10 to 13 (LPU), 19 to 22 (SFU), 14 to 16 (LPU).]

3.5.2 Board Distribution in the Board Cage


Table 3-1 shows board distribution in the board cage.

Table 3-1 Board distribution

| Slot Number | Quantity | Slot Width | Remark |
|---|---|---|---|
| 1 to 16 | 16 | 41 mm (1.6 inch) | LPUs |
| 17 and 18 | 2 | 30 mm (1.3 inch) | MPUs in 1:1 hot backup |
| 19 to 22 | 4 | 36 mm (1.4 inch) | SFUs in 3+1 hot backup |

3.6 Boards
The boards that the NE80E supports include:
- MPU
- SFU
- LPU
- Service Boards

3.6.1 MPU
The MPU integrates multiple functional modules such as the clock module, LAN switch module, and Compact Flash (CF) module. As the system clock source and the management and maintenance unit, the MPU runs as the core of system control and management. It provides the functions of the control plane and the maintenance plane. The MPU controls and manages the system. It is designed in 1:1 backup mode. The MPU is composed of the main control unit, the system monitoring unit, the management bus switching unit, and the clock unit.
- The main control unit processes network protocols and manages the whole system. The main control unit of each MPU is connected with the management bus switching unit of both the master and the slave MPUs. It controls and manages all the functional units such as MPUs, SFUs, and LPUs. The main control unit also communicates with the system monitoring unit. The system monitoring unit reports the status and environment information about the monitoring plane to the management control plane. The management control plane then sends control signals to the monitoring plane.
- The system monitoring unit collects the system monitoring information and interacts with the main control unit. In addition, it monitors the status and environment of its MPU. It communicates with the monitoring units in the system or other boards or subsystems through the Monitorbus.
- The management bus switching unit carries out the switching of the management bus. It connects to the control units of two MPUs, all LPUs, and SFUs. Thus, there are two sets of management buses in the system to perform the master/slave backup protection no matter which Main_Control_Board is in master mode.

[Figure 3-7 Management bus connection. Labels: LPU1, LPU16, SFU1, SFU 4, MPU (Active), MPU (Standby), and a management bus switching unit on each MPU.]

3.6.2 SFU
As the switching network unit of the NE80E, the SFU supports service data exchange for the whole system. The SFUs operate in 3+1 load balancing and backup mode. They share data processing. When an SFU is faulty or replaced, the remaining three SFUs automatically carry out load balancing without interrupting services. The NE80E provides 640 Gbit/s or 160 Gbit/s per SFU. The whole system can thus support line-rate switching of 2.56 Tbit/s or 640 Gbit/s traffic. You can select which type of SFUs to use as required. There is a control channel on the SFU to provide the following functions:
- Detecting voltage, current, and temperature
- Providing protections against over-voltage, over-current, and over-heat

The SFU provides the clock synchronization function. The clock synchronization units of the two SFUs back up each other.

3.6.3 LPU
The NE80E provides various types of physical interfaces, such as GE, POS, CPOS, ATM, RPR, and CE1/CT1/E1/T1/E3/T3 interfaces, to interconnect various network devices as required.

Function
The LPU board consists of the Physical Interface Card (PIC), Line Processing Unit (LPU), and Fabric Adaptor (FAD). They work jointly to realize the following functions:
- Fast processing and forwarding of service data
- Maintenance and management of the link protocol and the service forwarding table

The main functions of each module are described in Table 3-2.

Table 3-2 Functions of all modules on the LPU

| Module Name | Function Description |
|---|---|
| LPU module | Processing and encapsulation of multiple link protocols (such as Ethernet II, and PPP); Traffic classification of packets and packet filtering for traffic policing and ACL; Data buffer management and scheduling; Data forwarding based on the forwarding table; Identification of control protocol packets and packet forwarding to the active CPU through the non-line-rate interface |
| FAD module | Traffic management: data queuing and buffer according to the input data traffic classification, and buffered data scheduling based on the congestion of the switching network; Switching network interface adaptor: the translation from the parallel port SPI4.2 to the high-speed serial port; A part of the switching network: traffic control according to the queuing status to ensure no data loss in the network |
| PIC | Implementation of the functions of the physical interface, including optical/electro conversion and physical layer control |

The NE80E provides Common LPUs and flexible cards.

Common LPUs
- Ethernet LPU
  The NE80E supports the Ethernet LPUs shown in Table 3-3.

Table 3-3 Ethernet LPUs

| LPU Name | Remark |
|---|---|
| 1-port 10G Ethernet LAN Optical Interface LPU (XFP optical module) | ! |
| 1-port 10G Ethernet WAN Optical Interface LPU (XFP optical module) | ! |
| 24-port 10M/100M/1000M Ethernet Electrical Interface LPU | ! |
| 24-port Gigabit Ethernet Optical Interface LPU (SFP optical module) | ! |
| 5/10-port Gigabit Ethernet Optical Interface LPU (SFP optical module) | ! |

The SFP and XFP are pluggable.

The 10G Ethernet optical interface LPUs can be classified into WAN and LAN ones. The WAN LPU needs to adapt SDH/SONET when dealing with data packets. Therefore, the interface of a WAN LPU can be connected with the interface of another WAN card or the SDH/SONET transmission device for Ethernet WAN interconnection. The LAN LPU carries out the optical/electro conversion in Ethernet MAC frames and transmits the frames by the optical fiber. The interface of the LAN LPU, however, can be connected with only the interface of another LAN LPU. The packets sent by the interfaces on the WAN and LAN LPUs can be transmitted along the Dense Wavelength Division Multiplexing (DWDM) line.

LAN = Local Area Network; SDH = Synchronous Digital Hierarchy; SONET = Synchronous Optical Network

- POS LPU
  POS LPUs are used to connect the NE80E with SDH transmission devices or other devices. The NE80E provides the POS optical interface LPUs shown in Table 3-4.

Table 3-4 POS optical interface LPUs

| LPU Name | Remark |
|---|---|
| 1-port OC-192c/STM-64c POS Optical Interface LPU (XFP optical module) | ! |
| 1/2-port OC-192c/STM-64c POS Optical Interface PIM Card (XFP optical module) | ! |
| Enhanced 4-port OC-48c/STM-16c POS Optical Interface LPU (SFP optical module) | ! |
| 4-port OC-12c/STM-4c POS Optical Interface LPU (SFP optical module) | ! |
| 4/8-port OC-3c/STM-1 POS Optical Interface LPU (SFP optical module) enhanced | ! |

- RPR optical interface LPU
  The RPR optical interface LPU can realize the access function of the RPR ring network, and provides efficient and reliable RPR networking solutions. The NE80E provides the RPR LPUs shown in Table 3-5.

Table 3-5 RPR LPUs

| LPU Name | Remark |
|---|---|
| 1-port OC-192c/STM-64c RPR Interface LPU (XFP optical module) | ! |
| 2/4-port OC-48c/STM-16c RPR Interface LPU (SFP optical module) | ! |
| 2/4-port GE/STM-16c RPR Interface LPU (SFP optical module) | ! |

Flexible Plug-in Boards


The NE80E provides the flexible plug-in motherboard (hereinafter referred to as motherboard) to enhance networking flexibility. The NE80E also provides low-cost and customized solutions as required. The motherboard works with the flexible card to provide the flexible plug-in feature; thus the hardware configuration is flexible. The NE80E supports four types of motherboards and their flexible cards.
- Motherboard LPUF and its flexible cards
  LPUF provides two slots, in which two of the full-height flexible cards listed in Table 3-6 can be inserted.

Table 3-6 Flexible cards supported by LPUF

| Flexible Card Name | Remark |
|---|---|
| 3-port E3 Interface Flexible Card | ! |
| 3-port T3 Interface Flexible Card | ! |

- Motherboard LPUF-D and its flexible cards
  LPUF-D provides two slots, in which two of the full-height flexible cards listed in Table 3-7 can be inserted.

Table 3-7 Flexible cards supported by LPUF-D

| Flexible Card Name | Remark |
|---|---|
| 8-port CE1 Interface Flexible Card | ! |
| 8-port CT1 Interface Flexible Card | ! |
| 1-port OC-3c/STM-1 CPOS Interface Flexible Card | ! |

- Motherboard LPUF-10 and its flexible cards
  LPUF-10 provides two slots, in each of which one full-height or two half-height flexible cards can be inserted. The flexible cards supported by LPUF-10 are hot swappable. They support automatic configuration restoration and card intermixing.

Table 3-8 Flexible cards supported by LPUF-10

| Flexible Card Name | Remark |
|---|---|
| 1-Port OC-192c/STM-64c POS-XFP Flexible Card | It is a full-height card. |
| 1-Port OC-48c/STM-16c POS-SFP Flexible Card | It is a half-height card. |
| 8-Port 100/1000Base-X-SFP Flexible Card | It is a half-height card. It supports Ethernet clock synchronization. In addition, ports 0 and 1 support synchronization of sending and receiving clock signals simultaneously; other ports support only synchronization of sending clock signals. |
| 2-Port OC-12c/STM-4c ATM-SFP Flexible Card | It is a half-height card. |
| 4-Port OC-3c/STM-1c ATM-SFP Flexible Card | It is a half-height card. |

- Motherboard LPUF-20 and its flexible cards
  When the 40-Gbit/s SFU is used on the NE80E, the system can support LPUF-20. Each motherboard can support 2 daughter cards. Table 3-9 lists the flexible cards that LPUF-20 supports.

Table 3-9 Flexible cards supported by LPUF-20

| Flexible Card Name | Remark |
|---|---|
| 1-Port/2-Port 10GBase WAN/LAN-XFP Flexible Card | You can configure the interface to run in LAN or WAN mode through commands. |
| 12-Port 100/1000Base-SFP Flexible Card | The card supports Ethernet clock synchronization. In addition, ports 5 and 6 support synchronization of sending and receiving clock signals simultaneously; other ports support only synchronization of sending clock signals. |
| 12-Port 10/100/1000Base-RJ45 Flexible Card | The card supports Ethernet clock synchronization. In addition, ports 5 and 6 support synchronization of sending and receiving clock signals simultaneously; other ports support only synchronization of sending clock signals. |

3.6.4 Service Boards


Without interfaces, service boards perform centralized processing of specific services only. At present, the NE80E provides the following types of service processing boards:
- TSU
- NetStream SPU

TSU
The Tunnel Service Unit (TSU) is used to process the tunnel services related to Generic Routing Encapsulation (GRE), BFD, lawful interception, and multicast VPN.

NetStream SPU
NetStream enables the system to sample packets at a certain percentage. The system sets up NetStream flows based on information extracted from each packet, such as the source IP address, destination IP address, source port number, destination port number, IP protocol type, IP ToS, inbound/outbound interface, TCP flag, and MPLS three-layer labels, and collects flow-based statistics. The NE80E provides the following types of NetStream:
- Integrated NetStream: The system samples packets on the LPU, and collects traffic statistics on the NetStream SPU. In this manner, the processing performance is high, without affecting the forwarding capability.
- Independent NetStream: The system samples packets and collects traffic statistics on the LPU.

NetStream Service Processing Units (SPUs) include 2.5-Gbit/s and 10-Gbit/s SPUs. You can select which type of SPUs to use as required. The NE80E provides multiple SPUs for load balancing.
For details on NetStream, see the section "NetStream."
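
The sampling and flow accounting described above can be sketched as follows. This is an added example, not Huawei code: the fixed 1-in-N sampler, the idle-timeout export, OR-ing TCP flags per flow instead of keying on them, and every name in the block are assumptions, and the SYN-only summary is a monitoring use that goes beyond the text. The traffic is constructed and uses documentation addresses.

```python
from collections import Counter, namedtuple
from dataclasses import dataclass

# Key fields taken from the list in the NetStream passage (names are hypothetical).
FlowKey = namedtuple(
    "FlowKey",
    "src_ip dst_ip src_port dst_port proto tos in_if out_if mpls_labels",
)
Packet = namedtuple("Packet", "ts key length tcp_flags")

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class FlowStats:
    first_ts: float
    last_ts: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # cumulative OR of the flags seen on sampled packets


class FlowCache:
    """Sampled flow table: account every Nth packet, export idle flows."""

    def __init__(self, sample_interval, idle_timeout=30.0):
        if sample_interval < 1:
            raise ValueError("sample_interval must be >= 1")
        self.sample_interval = sample_interval
        self.idle_timeout = idle_timeout
        self.seen = 0
        self.flows = {}

    def observe(self, pkt):
        """Count the packet; account it only if it is the Nth one seen."""
        self.seen += 1
        if self.seen % self.sample_interval:
            return False
        stats = self.flows.get(pkt.key)
        if stats is None:
            stats = self.flows[pkt.key] = FlowStats(first_ts=pkt.ts, last_ts=pkt.ts)
        stats.last_ts = pkt.ts
        stats.packets += 1
        stats.octets += pkt.length
        stats.tcp_flags |= pkt.tcp_flags
        return True

    def expire(self, now):
        """Remove and return (key, stats) for flows idle for idle_timeout or longer."""
        idle = [k for k, s in self.flows.items() if now - s.last_ts >= self.idle_timeout]
        return [(k, self.flows.pop(k)) for k in idle]

    def estimate(self, stats):
        """Scale sampled counters back to an estimate of the real traffic."""
        return stats.packets * self.sample_interval, stats.octets * self.sample_interval


def syn_only_sources(records, min_flows):
    """Sources with at least min_flows exported TCP flows that carried only SYN."""
    hits = Counter(
        k.src_ip for k, s in records if k.proto == 6 and s.tcp_flags == TCP_SYN
    )
    return sorted(ip for ip, n in hits.items() if n >= min_flows)


def build_sample_traffic():
    """Constructed input: one bulk TCP flow, then SYN-only packets to four ports."""
    pkts = []
    bulk = FlowKey("192.0.2.10", "198.51.100.5", 40000, 443, 6, 0, 1, 2, ())
    for i in range(8):
        pkts.append(Packet(ts=i * 0.1, key=bulk, length=1500, tcp_flags=TCP_ACK))
    for i, port in enumerate((22, 23, 80, 3389)):
        probe = FlowKey("203.0.113.7", "198.51.100.5", 50000 + i, port, 6, 0, 1, 2, ())
        pkts.append(Packet(ts=1.0 + i * 0.1, key=probe, length=60, tcp_flags=TCP_SYN))
    return pkts


def run_demo(sample_interval):
    """Feed the constructed traffic through a cache and export everything."""
    cache = FlowCache(sample_interval=sample_interval, idle_timeout=30.0)
    for pkt in build_sample_traffic():
        cache.observe(pkt)
    return cache, cache.expire(now=60.0)


if __name__ == "__main__":
    for n in (1, 2):
        cache, records = run_demo(n)
        print(f"1-in-{n}: {len(records)} flows exported, SYN-only sources:",
              syn_only_sources(records, min_flows=2))
```

Running it with 1-in-2 sampling exports fewer SYN-only flows than unsampled accounting does, which is why thresholds applied to sampled flow data have to take the sampling ratio into account.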

4 Link Features

4.1 Ethernet Link Features

4.1.1 Basic Features

The Ethernet link provided by the NE80E supports the following:
- VLAN trunk
- VLANIF
- VLAN aggregation
- Inter-VLAN port isolation
- Ethernet sub-interface
- VLAN sub-interface
- VLAN switch
- Ethernet clock synchronization

4.1.2 Ethernet Bundling


Link aggregation refers to a method of bundling a group of Ethernet physical interfaces to a logical interface Eth-Trunk to increase the bandwidth. The Eth-Trunk of the NE80E functions as follows:
- Supports the bundling of up to 16 physical interfaces. The formed Eth-Trunk interface runs as the normal Ethernet interface.
- Supports the bundling of ports of different rates.
- Supports active/standby mode and performs active/standby switchover automatically in accordance with the link status of the interface.

The NE80E provides link aggregation in two modes:
- Port bundling in manual mode
- Link aggregation in static LACP mode

Layer 2 Ethernet Bundling Interface


When you run the portswitch command for the formed Eth-Trunk interface, the interface becomes a Layer 2 Ethernet bundling interface. The Eth-Trunk interface then provides the following features of the switched Ethernet link:
- VLAN interfaces
- Inter-VLAN port isolation
- VLAN aggregation
- VLAN trunk
- VLAN mapping
- QinQ and VLAN stacking
- Layer 2 features such as MSTP and RRPP
- Switched Ethernet links

Layer 3 Ethernet Bundling Interface


By default, the formed Eth-Trunk interface is a Layer 3 Ethernet bundling interface. The Eth-Trunk interface then provides the following features of the routed Ethernet link:
- IPv4/IPv6 forwarding
- MPLS forwarding
- Multicast forwarding
- L3VPN
- L2VPN

LACP (802.3ad)
The NE80E supports link aggregation in Link Aggregation Control Protocol (LACP) static mode. Link aggregation in static LACP mode is in contrast with the link aggregation in manual mode. Port bundling in manual mode requires neither LACP nor exchange of protocol packets. Port aggregation is specified by the administrator. Link aggregation in LACP static mode resorts to LACP and automatically maintains the interface status by exchanging protocol packets. The administrator, however, needs to create the aggregation group and add the member links manually. LACP cannot change the configuration of the administrator. The NE80E supports LACP that conforms to IEEE 802.3ad. The administrator creates the Eth-Trunk interface, adds member ports to it, and enables LACP on the Eth-Trunk interface. The NE80E negotiates which ports to use for data forwarding with the peer device by exchanging LACP protocol packets. That is, they negotiate to determine whether the outbound interface is in the selected or standby state. LACP maintains the link status in accordance with the port status. Once the aggregation conditions change, LACP automatically adjusts or de-aggregates the link.

4.1.3 Virtual Ethernet Interfaces


The NE80E supports virtual Ethernet interfaces. By mapping the ATM PVC to the manually-created virtual Ethernet interface, Ethernet packets can be transmitted over the ATM Adaptation Layer (AAL5). The virtual Ethernet interface thus provides Layer 2 switched and Layer 3 IP services.

4.2 FR Link Features


Frame Relay (FR) is a fast packet switching technology to forward and switch data in a simple way on the link layer.

FR only realizes functions of the physical layer and the link layer of OSI. Traffic control and error correction are implemented by the intelligent terminal. In this way, system performance is improved. FR uses virtual circuits to make full use of network resources. Therefore, FR features large throughput and short delay. FR is applicable to burst services. The NE80E provides the following FR features:
- DLCI
- VC: PVC and SVC
- FR address mapping
- FR LMI
- FR sub-interfaces
- FR switch
- PVC backup
- FR compression
- MFR

DLCI = Data Link Connection Identifier; PVC = Permanent Virtual Circuit; SVC = Switching Virtual Circuit; LMI = Local Management Interface; MFR = Multilink Frame Relay

4.3 POS Link Features


4.3.1 SDH/SONET
The physical layer of the POS link adopts the Synchronous Optical Network (SONET) defined by the ANSI or the Synchronous Digital Hierarchy (SDH) defined by the ITU-T. POS interfaces provide alarms for the physical layer.

4.3.2 POS Interface


The NE80E provides POS interfaces of 155 Mbit/s, 622 Mbit/s, 2.5 Gbit/s, and 10 Gbit/s.

On the link layer, POS supports:
- Point-to-Point Protocol (PPP)
- High-level Data Link Control (HDLC)
- FR

PPP on the POS interface supports:
- Link Control Protocol (LCP)
- Internet Protocol Control Protocol (IPCP)
- Multi-Protocol Label Switching Control Protocol (MPLSCP)
- Multilink Protocol (MP)
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)

4.3.3 POS Sub-interface


On the NE80E, you can manually create POS sub-interfaces, to provide multiple logical links over a POS link. Then, you need to configure FR on the link layer of the POS sub-interface to interwork with the network-layer device that supports POS FR or the FR switch that supports POS interfaces. POS sub-interfaces support point-to-point (P2P) and point-to-multipoint (P2MP).

4.3.4 IP Trunk
Adopting IP trunk technology, you can bind multiple physical POS interfaces into a logical trunk interface as shown in Figure 4-1. You can configure the trunk interface to implement routing protocols and carry MPLS and VPN services. The physical POS interfaces that are bound to a trunk are called trunk members. All configurations on the trunk interface also take effect on the trunk members. The trunk members use the IP address of the logical trunk interface. The IP trunk technology helps to:
- Increase bandwidth
  The bandwidth of the trunk interface is the sum of member bandwidth.
- Enhance reliability
  If a member link fails, the traffic of this link is automatically switched to other available links. This can improve the reliability of the whole trunk.
- Carry out load sharing
  Different flows pass through different trunk members.

Figure 4-1 IP trunk (figure not reproduced)

The NE80E supports:
- Inter-board IP trunk
- IP trunk of channels with different rates
- Dynamic establishment and removing of IP-trunk interfaces
- Binding a physical channel to a trunk through the command line on a physical interface

4.4 CPOS Link Features


In a network, a great number of access devices are connected to the upstream convergence devices through low-speed E1/T1 interfaces. In this case, the convergence devices need to be capable of converging many low-speed E1/T1 or POS interfaces. On the NE80E, the CPOS interfaces of various rates meet these requirements.

4.4.1 Channelization
A CPOS interface is a channelized POS interface. Channelization is carried out by transmitting multiple independent data flows on an optical fiber through the low-speed branch signals of STM-N. Each data flow has its own bandwidth and monitoring policy. When multiple low-speed signals are sent, bandwidth can be better utilized through channelization. The granularity of CPOS interface channelization is as follows:
- The 2.5G CPOS LPU can provide sixteen 155M POS channels.
- The 155M CPOS LPU can provide 63 E1 channels, 84 T1 channels, or 1023 64K channels.
- The 155M CPOS LPU can provide 3 E3 or 3 T3 channels.

The NE80E supports binding of E1/T1 channels. Up to 12 channels can be bound in a binding set. Each 155M CPOS LPU supports up to 168 binding sets.

4.4.2 PPP/HDLC
The NE80E provides 155 Mbit/s and 2.5 Gbit/s CPOS interfaces. On the link layer, CPOS supports:
- PPP
- HDLC

PPP on the CPOS interface supports:
- LCP
- IPCP
- MPLSCP
- MP
- LFI
- PAP
- CHAP

4.5 ATM Link Features


4.5.1 SDH/SONET
The ATM interfaces of the NE80E support SONET/SDH as well as the SONET/SDH overhead configuration and mapped physical-layer alarms.

4.5.2 PVP/PVC
ATM interfaces support PVP/PVC creation:
- Nonreal-time Variable Bit Rate (NRT_VBR)
- Unspecified Bit Rate (UBR)
- Permanent Virtual Circuit (PVC)
- Traffic shaping based on VP/VC
- User-to-Network Interface (UNI) signaling
- RFC1483: Multiprotocol Encapsulation over ATM Adaptation Layer 5
- RFC1577: Classical IP and ARP over ATM
- F5 End-to-End Loopback OAM
- ATM Adaptation Layer 5 (AAL5)

4.5.3 IPoA
IP over ATM (IPoA) is a kind of technology to bear IP services on the ATM network. It inherits the fundamentals of TCP/IP and regards the ATM network as a kind of physical subnet. For IP protocols, the ATM network is equivalent to the physical subnet such as the Ethernet. Using IPoA, you can directly run IP protocols and network applications in the ATM network. On the NE80E, you can set up address mapping between PVC and the IP address of the peer device in two ways:
- Static mapping
- Inverse Address Resolution Protocol (InARP)

4.5.4 ATM Sub-interface


The NE80E supports the ATM sub-interface. The ATM interface supports multiple virtual connections at the same time, and the peer networks of virtual connections are in different network segments. In this case, you need to create sub-interfaces on the interface to support communications with different peers. You can configure multiple PVCs on one sub-interface.

4.5.5 ATM OAM


ATM Operation, Administration and Maintenance (OAM) detects faults, locates faults, and monitors performance without interrupting services. ATM OAM provides specific information about the network by adding OAM cells in the standard cell format to the user cells. The NE80E supports F4 and F5 OAM. OAM is used to check the statuses of the PVP and PVC links, that is, to check whether the link is Up or Down.

4.5.6 1483B
RFC 1483 defines the technological standards of transmitting multi-protocol data unit on the ATM network, including the following two kinds:
- The 1483 Bridged
  It is applied to the bridged protocol data unit.
- The 1483 Routing
  It is applied to the routing protocol data unit.

The RFC 1483 Bridged encapsulates the data packet of the network layer in the data link layer. It imitates the bridge function of the Ethernet network, so that the terminal devices at the user side and the bridge devices at the network side are connected. Figure 4-2 shows the stack protocol of 1483B.

Figure 4-2 Stack protocol of 1483B (figure not reproduced; protocol layers shown: TCP/UDP, IP, Ethernet, 1483B, AAL5, ATM; devices shown: access router, RouterA, RouterB, ATM network)

The IPoE Ethernet stack protocol is used to connect the device at the user side. After 1483B is configured on the ingress Router A on the ATM network, Router A can bridge Ethernet packets to ATM cells, so that the received IPoE packets can be transmitted transparently on the ATM network.

IPoEoA is the main application of 1483B supported by the NE80E. IPoEoA indicates that AAL5 bears Ethernet packets, and the Ethernet bears IP packets, so that the Layer 2 forwarding of IPoEoA packets between the Ethernet and PVC can be implemented. IPoEoA converges the ATM backbone network and the IP network and supports Ethernet protocols and IP protocols.

4.5.7 ATM Cell Relay


PWE3 uses the PSN network to connect traditional networks such as ATM, FR, or LAN and provides the emulated traditional services. Thus, the existing network and investment of users and carriers are protected and utilized. The Layer 2 emulated services on the PSN set up the P2P tunnel and convey data packets, cells, and bit streams through the public or private PSN. Between the two PE routers of the PW, the original service is emulated. Figure 4-3 shows the label encapsulation used when the PSN transparently transmits the ATM service.

Figure 4-3 Network diagram for ATM encapsulation over a PSN (figure not reproduced; encapsulation layers shown: PSN Transport Header, Pseudo-wire Header, ATM Control Word, ATM Service Payload; the outer MPLS label identifies the MPLS PSN tunnel between the PEs and the inner MPLS label identifies the pseudo-wire)

The outer PSN label identifies the PSN tunnel, while the inner label, namely the PW Header, identifies a PW. In ATM cell transport, the following two kinds of services are transmitted on the PSN:
- The services whose PW payload is ATM cells
- The services whose PW payload is AAL5 SDU/PDU

ATM cell transport can help transfer the earlier ATM or ISP network through the PSN network without adding new ATM devices and changing the ATM CE configurations. ATM CE routers consider the ATM cell transport service as the TDM leased line. The NE80E supports ATM cell transport over Permanent Virtual Circuit (PVC) and Permanent Virtual Path (PVP). Generally, the NE80E supports the following ATM cell transport modes:
- ATM whole port cell transport
- 1-to-1 VCC cell transport
- N-to-1 VCC cell transport
- 1-to-1 VPC cell transport
- N-to-1 VPC cell transport
- ATM AAL5-SDU VCC transport

4.6 RPR Link Features


The NE80E supports RPR networking. Based on the packet-based optical transport technology, RPR provides access to multiple services. Integrating the broad bandwidth and fast self-healing capability of the optical network, RPR provides cost-effective services for the carriers over the current optical network.

An RPR ring adopts the topology of two counter-rotating ringlets. An RPR network consists of Ringlet0, Ringlet1, stations, and spans, as shown in Figure 4-4.

Figure 4-4 RPR networking diagram (figure not reproduced; elements shown: Station, Span, Ringlet0, Ringlet1, Domain, with the West and East side of each station)

As shown in Figure 4-4, each node of the RPR network is connected by two pairs of fibers for ringlet 0 and ringlet 1 transmission and receiving. In the RPR network, the unicast traffic only travels between its source node and destination node, thus improving the bandwidth utilization.

4.6.1 RPR Fairness Algorithm


RPR controls network congestion through the RPR Fairness Algorithm (RPR-FA). If a node is congested, it sends an RPR fairness packet to its upstream node through the counter-clockwise ring. The fairness packet also serves to maintain the link status. According to the information in the packet, the upstream node adjusts its transmission rate to avoid congestion. RPR-FA controls only the transmission of packets with low precedence. The packets with high precedence are not controlled by RPR-FA and are sent as long as there are enough transit buffers.

RPR automatic switch is implemented through four kinds of control packets:
- Topology and Protection (TP) packets are broadcast on the whole ring.
- Topology Checksum (TC) packets are sent or received only between adjacent nodes.
- Attribute Discovery (ATD) packets are used to update the site information in the topology database except the topology discovery and checksum.
- Link Round Trip Time (LRTT) packets are used to detect the delay of high-preference control frames among all nodes on the network.

4.6.2 Protection Mechanism


In the RPR network, if a node fails, the protection mechanism can make the traffic pass through the failed node. If a line fails, the protection mechanism can transfer the traffic to the ring in the opposite direction (in wrapping mode), or change the direction of the traffic (in steering mode). The protection mechanism can implement RPR forward performance monitoring, event detection, fast self-healing and fast recovery of service in case of the node or fiber failure. Thus, the network can detect events and respond to them appropriately to ensure continuous services.

Pass-Through
Some node failures may stop Layer 3 forwarding temporarily, but the MAC layer can still forward packets. You can set the node in pass-through mode by shutting down the RPR interface. In this case, all packets that reach this node are forwarded in transparent mode and this node is invisible in the RPR network, as shown in Figure 4-5.

Figure 4-5 Pass-Through mode (figure not reproduced)

Wrapping and Steering


When failures like fiber disconnection occur, the system adopts two self-healing modes, namely wrapping and steering.
- In the wrapping mode, the traffic that is transmitted on the ringlet 0 from A to B is sent to the node adjacent to the failed line, and then to B on the ringlet 1. See Figure 4-6.
- In the steering mode, the traffic that is previously on the ringlet 0 is directly redirected to the ringlet 1 for transmission. See Figure 4-7.

Figure 4-6 RPR network in wrapping mode (figure not reproduced)

Figure 4-7 RPR network in steering mode (figure not reproduced)

The wrapping mode and steering mode in RPR have their respective advantages and disadvantages. The wrapping mode implements fast switchover without data loss, but wastes the bandwidth. The steering mode needs neither loopback nor wrapping, and thus does not waste the bandwidth, but it implements a slow protection with data loss. The RPR designed by Huawei combines the advantages of these two modes, and adopts the "first wrapping and second steering" mode. Providing the failure protection switchover within 50 ms, it implements non-stop services without bandwidth waste to achieve the best performance.

4.7 CE1/CT1/E3/T3 Link Features


The NE80E provides CE1, CT1, E3, and T3 interfaces.

4.7.1 PPP/HDLC/FR
CE1/CT1/E3/T3 interfaces support serial interfaces, and the following link protocols are supported:
- PPP
- HDLC
- Frame Relay supported by the CE1/CT1 interface

PPP on the serial interface supports:
- LCP
- IPCP
- MP
- PAP
- CHAP

4.7.2 Channelized Links


The CE1/CT1 links can be channelized to 64 K links.

4.7.3 Link Binding


Multiple CE1 or CT1 interfaces can be bundled as a logical interface. Each bundling set contains up to 12 channels. Each CE1 LPU supports a maximum of 168 bundling sets.

5 Primary Service Features

5.1 Ethernet Features

5.1.1 Switched Ethernet Link Features

The Ethernet interfaces of the NE80E can run as switched interfaces to provide VLAN, VPLS, and QoS services. They can also run at the User Network Interface (UNI) side to support MPLS VPN.

VLAN Trunk
Trunk is a P2P link between two routers. The interfaces on the connected routers are called trunk interfaces. One VLAN trunk can transmit data flows of different VLANs and allow the VLAN to contain the interfaces of many routers. The NE80E can dynamically add, delete, or modify the VLANs of a VLAN trunk to maintain the consistency of VLAN configuration in the whole network. The NE80E can also work with non-Huawei devices for interworking.

VLANIF
After setting up a VLAN, you can create VLAN interfaces (VLANIF). A VLAN interface is a virtual interface with Layer 3 (IP layer) features. You can assign IP addresses and enable routing protocols on a VLAN interface to make it equivalent to the routed Ethernet interface. You can also add several switched Ethernet interfaces to a VLAN. On the NE80E, VLANs can be configured and displayed in batch.

VLAN Aggregation
Inter-VLAN routing is involved in the communication between VLANs. If each VLAN interface is assigned an IP address, IP address resources will be used up. You can aggregate a group of VLANs to a super-VLAN. The VLANs in the super VLAN are called branch VLANs. A super VLAN is associated with an interface at the IP layer. In addition, all branch VLANs in the super VLAN use the IP addresses in the same network segment to improve the utilization of the IP addresses.

Interface Isolation in a VLAN


You can configure an interface in a VLAN as an isolated interface. Layer 2 forwarding is prohibited between isolated interfaces, but it is allowed between an isolated interface and a non-isolated interface in a VLAN. On the NE80E, you can add the interfaces that need to be isolated in a VLAN to different interface groups. Any two interfaces of different interface groups are isolated from each other. The interfaces outside the group are not isolated.

5.1.2 Routed Ethernet Link Features


The Ethernet interfaces of the NE80E can run as routed interfaces to provide IPv4/IPv6, MPLS, QoS, and multicast services. GE interfaces and FE interfaces can be configured with sub-interfaces. The sub-interface supports VLAN encapsulation used to terminate a VLAN.

Ethernet Sub-interface
A normal Ethernet sub-interface, which can belong to a VLAN only, functions as follows:
- Terminates the enterprise customer's services.
- Supports routing protocols.
- Supports MPLS forwarding.

VLAN Sub-interface
A VLAN sub-interface, which can belong to multiple VLANs, functions as follows:
- Terminates the individual users' services.
- Supports DHCP relay, DHCP binding, URPF, and ACLs, ensuring the security.

5.1.3 Ethernet Clock Synchronization


Clock synchronization refers to restricting the clock frequency deviation and the phase deviation of each network element in the digital network within the allowed error range. If the clock frequency deviation and phase deviation exceed the allowed error range, error codes and jitter occur, degrading the forwarding performance. The flexible cards of the NE80E and the Ethernet interfaces on LPUF-20 provide the function of Ethernet clock synchronization. The clock quality and stratum can thus be guaranteed.

Figure 5-1 Ethernet clock synchronization (figure not reproduced; elements shown: Node B, RNC, MSC Server, MGW, HLR, SCP, SGSN, GGSN, PSTN, Internet, connected over IP through the Iu-PS, Iu-CS, Iur, Mc, Nb, and Gi interfaces)

In a wireless network, Ethernet links place high requirements on clocks. As shown in Figure 5-1, in the future IP-RAN solution, the IP network runs as the bearer layer between Node-B and RNC. With the function of Ethernet clock synchronization, the problem of clock transmission in the IP network can be solved. In addition, Ethernet clock synchronization supports the backup of the clock reference source to enhance the reliability of the link. When an Ethernet link goes Down, the system automatically selects the backup Ethernet interface to extract the clock information.

5.1.4 MACinMAC
The NE80E supports the MACinMAC technology that conforms to IEEE 802.1ah. MACinMAC realizes transmission of P2P and multipoint-to-multipoint services. The transmission network is set up on the basis of the Ethernet. In this manner, the Ethernet solution is extended from the access layer and the convergence layer to the core layer in the MAN and even in the WAN.

MACinMAC is a tunneling technique based on MAC stacking. MACinMAC means adding a MAC address of the ISP to the MAC address of the user Ethernet frame. This realizes transparent transmission of user Ethernet frames through public networks. When a MACinMAC tunnel is set up between two MANs, it functions over the core network of the ISP. For the ISP network, the MAC address of a user is isolated. This improves the security of services. In addition, the use of double MAC addresses expands the MAC address space.

The MACinMAC tunnel can be set up between NE80Es. It supports fault detection, fault location, and Automatic Protection Switching (APS). APS controls the protection switchover of the tunnel. The NE80E supports 1+1 and 1:1 protection modes of the MAC tunnel. The NE80E also supports the revertive mode, hold-off time, and APS configuration mismatch test. This guarantees fast recovery of services.

Figure 5-2 Leased line service MACinMAC (figure not reproduced; elements shown: CE, UPE, PBT, Metro(+Core); annotations: in the P2P application, end nodes ignore the user DA; bridge nodes are configured with static forwarding entries)

Figure 5-3 Convergence service MACinMAC (figure not reproduced; elements shown: CE, NPE, PBT, Metro, Core; annotations: bridge nodes are configured with static forwarding entries; in the P2P application, end nodes ignore the user DA)

Figure 5-4 Leased line service MACinMAC trunk (figure not reproduced; elements shown: CE, UPE, PBT Trunk, Metro(+Core); annotation: in the P2P application, end nodes ignore the user DA)

Figure 5-5 Convergence service MACinMAC trunk (figure not reproduced; elements shown: CE, NPE, PBT Trunk, Metro, Core; annotation: in the P2P application, end nodes ignore the user DA)

Figure 5-6 Multipoint-to-multipoint MACinMAC (figure not reproduced; elements shown: CE, PE, Metro(+Core))

5.1.5 QinQ
The QinQ technology expands the VLAN space by adding an IEEE 802.1Q tag to a packet already carrying an 802.1Q tag. As a result, private VLANs can transparently transmit packets over the public network. These functions are the same as the Layer 2 VPN. Packets that are forwarded over the backbone network carry two 802.1Q tags, one for the public network and the other for the private network. This is called 802.1Q-in-802.1Q, or QinQ for short.

The ISP network only provides one VLAN ID for different VLANs from the same user network. This saves VLAN IDs of an ISP. Meanwhile, QinQ provides a simple Layer 2 VPN solution to a small MAN or a LAN. The QinQ technology has been widely used on ISPs' networks because of its easy application. The QinQ technology can be applied to multiple services in a metropolitan area Ethernet solution. The emergence of flexible QinQ, that is, VLAN stacking, enables QinQ services to spread widely among ISPs. This technology has the following features:
- Packets of the same VLAN from different users are not transmitted transparently.
- Private networks are effectively segregated from the public network.
- ISP's VLAN IDs are saved to the maximum.

Without being a formal protocol, QinQ is widely applied by carriers due to its facility and convenience. Especially, the emergence of selective QinQ (VLAN stacking) makes QinQ more popular among carriers. With the development of the metropolitan area Ethernet, all device vendors have put forward their solutions to the metropolitan area Ethernet. The QinQ technology plays an important role in the solutions because of its simplicity and flexibility. The NE80E provides abundant QinQ features. Diverse networking requirements can be satisfied.

Interface-based QinQ
Figure 5-7 is a diagram of typical networking through the interface-based QinQ feature. A user sets the interface-based QinQ feature on the router. When the user's packets, carrying the user's VLAN tag, arrive at the router, the router takes the user's packets as untagged packets and adds a VLAN tag of the ISP over the existing VLAN tag. After the user's packets go over the VLAN tunnel of the ISP and reach the remote user, the VLAN tag of the ISP is stripped away. This function, which is called VLAN stacking, is shown in Figure 5-7.

Figure 5-7 Typical networking diagram of the interface-based QinQ application (figure not reproduced; labels shown: VLAN100, VLAN200, Router, ISP Network, and the tag values 100, 200, and 300)

Interface-based QinQ provides the following functions:
- Access to the VPLS to transparently transmit private VLAN packets
- Access to the L2VPN and PWE3 to transparently transmit private VLAN packets

VLAN-based QinQ
VLAN-based QinQ is also called selective QinQ. Figure 5-8 shows the VLAN-based QinQ. With the development of services such as broadband access to the Internet, VOIP and IPTV, ISPs sometimes want to plan inner VLAN tags of the network for different services. For example:
- VLAN 1000 to VLAN 1999: broadband access to the Internet
- VLAN 2000 to VLAN 2999: IPTV services
- VLAN 3000 to VLAN 3999: VOIP services

Figure 5-8 Typical networking diagram of the VLAN-based QinQ application (figure not reproduced; elements shown: iManager N2000, IP backbone/MAN, service gateway, LAN switch, PCs, IPTV sets, and videophones; labels shown: PVC1001, PVC2001, PVC3001, inner VLANs 1xxx, 2xxx, and 3xxx for broadband, IPTV, and VOIP access, and outer VLANs 100, 200, and 300)

Users access DSLAM through multiple-PVC mode. DSLAM transfers data from PVC to VLAN. Enable flexible QinQ on a gateway to apply the outer VLAN tag VLAN 100 to the services of broadband access to the Internet, the outer VLAN tag VLAN 200 to the VOIP services, and the outer VLAN tag VLAN 300 to the IPTV services. This breaks the limit of 4094 VLAN IDs for one ISP network. In addition, services are distributed, which facilitates the ISP's service management. The services are distributed in one of the following three ways:
- Marking outer VLANs with tags of different VLAN intervals, that is, changing one tag into two tags so that services are distributed to different terminals.
- Marking outer VLANs with tags of different protocol IDs, that is, adding a tag to the protocol packet so that services are distributed to different terminals.
- Redistributing outer VLAN tags according to inner VLAN intervals, that is, substituting one tag with another tag so that services are distributed according to user types. This is called VLAN mapping.

VLAN-based QinQ may serve as one of the VPLS modes to let packets of private VLANs be transmitted transparently through the backbone network. It may also serve as one of the L2VPN or PWE3 modes to let packets of private VLANs be transmitted transparently through the backbone network. Such a QinQ mode is realized on the switched interfaces. The difference between VLAN-based QinQ and interface-based QinQ is as follows:
- In interface-based QinQ mode, user's packets from the same user side are added with the same outer VLAN tag by the PE router.
- In VLAN-based QinQ mode, user's packets from the same user side are added with different outer VLAN tags depending on user's VLAN tags.

Therefore, VLAN-based QinQ is more flexible than interface-based QinQ. VLAN-based QinQ is also called flexible QinQ.

QinQ Stacking
The early QinQ technology is used on Layer 2 networks and embodied on switches. With the VLAN stacking, packets are forwarded at Layer 2 by means of the outer VLAN tag. The outer VLAN usually refers to the VLAN of an ISP network. VLAN stacking is usually applied on the switched interface. The sub-interface for VLAN stacking is deployed on a PE router. The sub-interface identifies the user's VLAN and then performs VLAN stacking to user's Layer 2 packets. After that, packets are forwarded at Layer 2 by means of the outer VLAN tag. This technology can also be applied on the interface of a router. The sub-interface for VLAN stacking is used to solve the problem of transmitting transparently packets of many VLANs through one sub-interface. Packets access an L2VPN through the outer VLAN of the stacking. The outer VLAN is transparent to the ISP. User's packets of multiple VLANs can thus be transmitted transparently. QinQ stacking supports the following:
- Access to VPLS through the sub-interface for VLAN stacking
- Access to VLL/PWE3 through the sub-interface for VLAN stacking

Sub-interface for QinQ VLAN Tag Termination


Sub-interfaces for QinQ VLAN tag termination refer to the sub-interfaces that terminate the double VLAN tags of users. The difference between the sub-interface for QinQ VLAN tag termination and the sub-interface for QinQ stacking is as follows: Double VLAN tags for customers have specific meanings. For example, the outer VLAN tag specifies a service and the inner VLAN tag specifies a customer. Sub-interfaces for QinQ VLAN tag termination access the customer and identify the service by terminating double VLAN tags. Sub-interfaces for QinQ VLAN tag termination are similar to normal VLAN sub-interfaces. In addition, sub-interfaces for QinQ VLAN tag termination are used to terminate double VLAN tags and provide the following functions:
- IP forwarding
- VPLS
- PWE3/VLL
- ARP agent
- VRRP
- Routing protocols

Sub-interfaces for QinQ VLAN tag termination terminate double VLAN tags in the following two ways:
- Exact termination
  Double VLAN tags of specified VLAN IDs are terminated.
- Fuzzy termination
  Double VLAN tags of VLAN IDs in a specified range are terminated.

Compatibility of the Etype of QinQ Outer TPIDs


According to IEEE 802.1Q, the Etype value of the tag protocol identifier (TPID) is 0x8100, as shown in Figure 5-9. In QinQ encapsulation, the Etype value of the inner TPID used by vendors is 0x8100. The Etype value of the outer TPID is different among router manufacturers. Intercommunication between devices of different manufacturers demands compatibility of the Etype of the TPID. For this reason, the devices should be able to identify and encapsulate such QinQ packets.

IEEE 802.1ad specifies the Etype value of the outer TPID as 0x88a8.

Figure 5-9 Compatibility of the Etype of QinQ outer TPIDs (figure not reproduced; elements shown: Switch A, Router A, Router B, Router C, IP/MPLS core; TPID labels shown: 0x9100 and 0x8100)

As shown in Figure 5-9, when receiving packets, the interface of Router B needs to recognize the Etype value 0x9100 of the outer TPID. The Etype values of different outer TPIDs, such as 0x9100 and 0x8100, can be set on devices according to different manufacturers so that devices of different manufacturers can communicate with each other.
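
The following added example (not from the Huawei document or the NE80E software) models the two behaviours described in "VLAN-based QinQ" and in this section: the outer VLAN is chosen from the inner VLAN range, and a receiver recognises the outer tag only when its configured outer TPID matches. The VLAN ranges, outer VLAN IDs and TPID values are those given in the text; the MAC addresses, payload and function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100    # inner TPID (IEEE 802.1Q)
TPID_8021AD = 0x88A8   # outer TPID specified by IEEE 802.1ad
TPID_VENDOR = 0x9100   # vendor outer TPID shown in Figure 5-9

# Selective QinQ policy taken from the text: inner VLAN range -> outer VLAN.
OUTER_VLAN_BY_INNER_RANGE = [
    (range(1000, 2000), 100),  # broadband access to the Internet
    (range(2000, 3000), 300),  # IPTV
    (range(3000, 4000), 200),  # VOIP
]

# Constructed sample input: locally administered MAC addresses.
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")


def build_tag(tpid, vlan_id, pcp=0):
    """Encode one 4-byte VLAN tag: 16-bit TPID followed by 16-bit TCI."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return struct.pack("!HH", tpid, (pcp << 13) | vlan_id)


def build_customer_frame(inner_vlan, ethertype=0x0800, payload=b"sample"):
    """Single-tagged customer frame as it arrives from the access side."""
    tag = build_tag(TPID_8021Q, inner_vlan)
    return DST + SRC + tag + struct.pack("!H", ethertype) + payload


def parse_tags(frame, outer_tpids=(TPID_8021Q,)):
    """Return ([(tpid, vlan_id), ...], ethertype, payload) for up to two tags.

    The first tag is accepted if its TPID is configured in outer_tpids (or is
    0x8100); the inner tag must always carry 0x8100.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tags, offset = [], 12
    accepted = set(outer_tpids) | {TPID_8021Q}
    while len(tags) < 2:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in accepted:
            break
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((etype, tci & 0x0FFF))
        offset += 4
        accepted = {TPID_8021Q}
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return tags, ethertype, frame[offset + 2:]


def select_outer_vlan(inner_vlan):
    """Outer VLAN for an inner VLAN, or None if no service range matches."""
    for vlan_range, outer_vlan in OUTER_VLAN_BY_INNER_RANGE:
        if inner_vlan in vlan_range:
            return outer_vlan
    return None


def push_outer_tag(frame, outer_tpid):
    """VLAN stacking: insert the outer tag in front of the customer tag."""
    tags, _, _ = parse_tags(frame)
    if len(tags) != 1:
        raise ValueError("expected a single-tagged customer frame")
    outer_vlan = select_outer_vlan(tags[0][1])
    if outer_vlan is None:
        raise ValueError("no outer VLAN configured for inner VLAN %d" % tags[0][1])
    return frame[:12] + build_tag(outer_tpid, outer_vlan) + frame[12:]


def pop_outer_tag(frame, outer_tpids):
    """Strip the outer tag at the far edge; refuse frames not seen as double-tagged."""
    tags, _, _ = parse_tags(frame, outer_tpids)
    if len(tags) != 2:
        raise ValueError("frame is not double-tagged for this TPID configuration")
    return frame[:12] + frame[16:]


def demo():
    customer = build_customer_frame(2001, payload=b"iptv-payload")
    stacked = push_outer_tag(customer, TPID_VENDOR)
    matching = parse_tags(stacked, outer_tpids=(TPID_VENDOR,))
    mismatched = parse_tags(stacked, outer_tpids=(TPID_8021AD,))
    return stacked, matching, mismatched


if __name__ == "__main__":
    _, matching, mismatched = demo()
    print("outer TPID 0x9100 configured:", matching[0], hex(matching[1]))
    print("outer TPID 0x88a8 configured:", mismatched[0], hex(mismatched[1]))
```

With outer TPID 0x9100 configured, the receiver recovers both tags; configured only for 0x88a8, it finds no VLAN tag and sees a frame of unrecognised EtherType 0x9100, which is the interworking failure the configurable outer TPID avoids.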

Application of Multicast QinQ


Figure 5-10 shows the typical networking diagram of multicast QinQ application. QinQ runs between the multicast router PE1 and the access device PE2. At the user side of PE2, different VLANs are attached.

Figure 5-10 Typical networking diagram of multicast QinQ application (figure not reproduced; elements shown: Internet/Intranet, multicast source, PE1, PE2, QinQ (VLAN1) between PE1 and PE2, VLAN2 and VLAN3 at the user side)

No matter whether multicast data packets or multicast protocol packets are received, they are not encapsulated by QinQ. Only the outer P-VLAN tag is added to send packets. In IGMP snooping learning, only the P-VLAN ID mapping to the user host is maintained. In forwarding, the system searches for the member host of the mapped group according to the P-VLAN ID and substitutes the P-VLAN with the C-VLAN in the packet for forwarding.

5.1.6 RRPP Link Features


The Rapid Ring Protection Protocol (RRPP) is a link protocol exclusively used by Ethernet rings. When the Ethernet ring is in the normal state, RRPP can avoid broadcast storms caused by loops. When a link on the Ethernet ring is disconnected, RRPP can promptly enable the standby link to restore the connection.


Figure 5-11 Networking of RRPP tangent ring application to the MAN

[Figure labels: RRPP Domain; RRPP Major-Ring; RRPP Sub-Ring 1; RRPP Sub-Ring 2; RouterA, RouterB, RouterC, SwitchA, SwitchB; node roles: Master Node, Transit Node, Edge Node, Assistant Node]

Traditionally, an RRPP domain consists of a group of interconnected switches with the same domain ID and control VLAN. At present, some routers also support RRPP. An RRPP domain includes the following parts:
- Major ring and sub-ring
- Control VLAN
- Master node and transit node
- Common port and edge port
- Primary port and secondary port

Polling Mechanism
Polling is a mechanism used by the master node on the RRPP ring to detect the network status. The master node sends Hello packets periodically from its primary port. The packets are transmitted by the transit nodes on the ring. If the master node receives the packets on its secondary interface, the link of the ring is in the normal state; otherwise, the master node considers that a link fault has occurred on the ring. When the master node that is in the Failed state receives the Hello packets on its secondary interface, it changes into the Complete state, blocks its secondary interface, and refreshes the Forwarding Database (FDB). The master node also sends packets from its primary interface to inform all transit nodes to release the temporarily blocked interface and refresh the FDB.


Link Status Notification Mechanism


If a link fault occurs on the ring, the directly connected interface of the link becomes Down. The transit node informs the master node of the fault by sending Link-Down packets. When the master node receives the Link-Down packets, it considers that the ring is in the abnormal state, enables its secondary interface, and at the same time sends packets to inform other transit nodes to refresh the FDB. After other transit nodes refresh the FDB, the traffic is switched back to the normal link.

After link fault recovery, the interface of the transit node becomes Up. The transit node temporarily blocks the interface that becomes Up. Hello packets sent by the master node can pass through the blocked interface. When the secondary interface of the master node receives the Hello packets sent by itself, it considers that the link has become normal again. The master node blocks the secondary interface, sends packets to inform other transit nodes to enable the blocked interface, and refreshes the FDB.
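The polling and link status notification mechanisms above, modeled as an added example (not code from this document or from the NE80E): a single ring whose data path is checked for connectivity and loops after each event. The class names, notification labels, the four-node ring and the threshold of three missed Hellos are assumptions.

```python
from enum import Enum


class RingState(Enum):
    COMPLETE = "Complete"
    FAILED = "Failed"


class MasterNode:
    """Master-node reactions described in the text; notification names are labels made up here."""

    def __init__(self, fail_after=3):
        self.state = RingState.COMPLETE
        self.secondary_blocked = True     # healthy ring: the secondary port carries no data
        self.fail_after = fail_after      # assumed: missed Hellos tolerated before declaring a fault
        self.missed_hellos = 0
        self.sent = []                    # notifications sent to the transit nodes

    def _enter_failed(self):
        self.state = RingState.FAILED
        self.secondary_blocked = False    # enable the standby path
        self.sent.append("FLUSH_FDB")

    def on_link_down(self):
        if self.state is RingState.COMPLETE:
            self._enter_failed()

    def on_hello_missed(self):
        self.missed_hellos += 1
        if self.state is RingState.COMPLETE and self.missed_hellos >= self.fail_after:
            self._enter_failed()

    def on_hello_received(self):
        """Own Hello came back on the secondary port; True means the ring just recovered."""
        self.missed_hellos = 0
        if self.state is not RingState.FAILED:
            return False
        self.state = RingState.COMPLETE
        self.secondary_blocked = True
        self.sent.append("UNBLOCK_AND_FLUSH_FDB")
        return True


class Ring:
    """n nodes, node 0 is the master. Link i joins node i and node (i + 1) % n, so link 0
    is on the master's primary port and link n - 1 on its secondary port."""

    def __init__(self, n, fail_after=3, temp_block_on_recovery=True):
        self.n = n
        self.link_up = [True] * n
        self.master = MasterNode(fail_after)
        self.temp_block_on_recovery = temp_block_on_recovery
        self.temp_blocked = set()         # links whose recovered transit port is still blocked

    def fail_link(self, i, link_down_delivered=True):
        self.link_up[i] = False
        if link_down_delivered:           # a transit node reported the fault
            self.master.on_link_down()

    def restore_link(self, i):
        self.link_up[i] = True
        if self.temp_block_on_recovery and self.master.state is RingState.FAILED:
            self.temp_blocked.add(i)      # data stays blocked, Hello still passes

    def hello_interval(self):
        """One polling period: the Hello returns only if every link on the ring is up."""
        if all(self.link_up):
            if self.master.on_hello_received():
                self.temp_blocked.clear()  # transit nodes act on the master's notification
        else:
            self.master.on_hello_missed()

    def forwarding_links(self):
        blocked = set(self.temp_blocked)
        if self.master.secondary_blocked:
            blocked.add(self.n - 1)
        return [i for i in range(self.n) if self.link_up[i] and i not in blocked]

    def has_loop(self):
        return len(self.forwarding_links()) == self.n

    def connected(self):
        return len(self.forwarding_links()) >= self.n - 1

    def snapshot(self, event):
        return (event, self.master.state.value, self.connected(), self.has_loop())


def run_failover(temp_block_on_recovery=True):
    """Fail and restore link 1 on a 4-node ring; return (event, state, connected, loop) tuples."""
    ring = Ring(4, temp_block_on_recovery=temp_block_on_recovery)
    trace = [ring.snapshot("start")]
    ring.fail_link(1)
    trace.append(ring.snapshot("link 1 down"))
    ring.restore_link(1)
    trace.append(ring.snapshot("link 1 up"))
    ring.hello_interval()
    trace.append(ring.snapshot("hello returns"))
    return trace
```

Running `run_failover(temp_block_on_recovery=False)` shows why the transit node blocks the recovered interface: without it, the ring forms a data loop between link recovery and the next Hello.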

Channel Status Detection of Sub-Ring Protocol Packets on the Major Ring


Channel status detection of sub-ring protocol packets on the major ring is applied to networking in which multiple sub-rings intersect the major ring. When a fault occurs on the major ring and the master nodes on all the sub-rings enable their secondary interfaces, a broadcast storm is caused. To avoid this, the channel status detection mechanism of sub-ring protocol packets on the major ring is introduced. The mechanism requires cooperation between edge nodes and assistant edge nodes. Before the master nodes on the sub-rings enable the secondary interfaces, a loop between the sub-rings can be avoided by blocking the interfaces of the edge nodes. The edge nodes initiate the mechanism. The assistant edge nodes monitor the channel status and inform the edge nodes of channel status changes in time.

5.1.7 RSTP/MSTP
The Rapid Spanning Tree Protocol (RSTP) is an enhancement of the Spanning Tree Protocol (STP). RSTP simplifies the processing of the state machine, blocks some redundant paths with specific algorithms, and reconstructs networks with loops into a loop-free network. In this way, packets are prevented from multiplying and looping endlessly. Compared with STP, RSTP speeds up the Layer 2 loop convergence. In a Layer 2 network, only one Shortest Path Tree (SPT) is generated. The Multiple Spanning Tree Protocol (MSTP) is the multi-instance RSTP. MSTP supports the running of STP based on one or more VLANs. In a Layer 2 network, multiple Shortest Path Trees (SPTs) can be generated.

5.1.8 BPDU Tunnel


BPDUs are Layer 2 protocol messages and are transparently transmitted through a Layer 2 protocol tunnel or a BPDU tunnel across an ISP network. To transmit BPDUs transparently across an ISP network, ensure that the following requirements are met:
- All branches of the same user network are able to receive their own BPDUs.
- BPDUs of a user network cannot be processed by the CPU of the ISP network.
- BPDUs of different customers must be segregated to prevent them from mutual access.

The NE80E supports the following types of transparent transmission of BPDUs:
- Transparent transmission of interface-based BPDUs of the same user network
- Transparent transmission of interface-based BPDUs of different user networks
- Transparent transmission of VLAN-based BPDUs
- Transparent transmission of QinQ-based BPDUs

5.1.9 V-Switch
V-Switch is a construction model of the Ethernet transmission network. V-Switch refers to using VLAN tags as tunnel and service labels (similar to MPLS labels) in the Ethernet network and switching the tags on each network node. The forwarding path is generated on the switch through static configurations or dynamic protocols. Here, the VLAN tags take effect only on the switch. The VLAN tags on different interfaces of the same device can be repeated. V-Switch supports one tag or double tags. In tag switching, the 802.1p precedence remains the same. In the process of forwarding, the system need not search for the MAC address because the VLAN tag uniquely carries the forwarding information. The NE80E supports the switching of one VLAN tag or double VLAN tags. It can also add one VLAN tag or double VLAN tags to the received packets on the specified physical interface.

5.2 IP Features
5.2.1 IPv4/IPv6 Dual-Protocol Stacks
Figure 5-12 shows the structure of the IPv4/IPv6 dual-protocol stacks.

Figure 5-12 Dual-protocol stacks structure

[Figure: stack layers from top to bottom: IPv4/IPv6 Application; TCP and UDP; IPv4 and IPv6; Link Layer]


5.2.2 IPv4 Features


The NE80E supports the following IPv4 features:
- TCP/IP protocol suite such as ICMP, IP, TCP, UDP, Socket (TCP/UDP/Raw IP), and ARP
- Static DNS and DNS server
- FTP server/client and TFTP client
- DHCP relay agent and DHCP server
- Ping, tracert, and NQA
  NQA can detect the status of ICMP, TCP, UDP, DHCP, FTP, HTTP, and SNMP services and test the response time of the services.
- IP policy-based routing
  The system supports specifying the next hop based on the attribute of packets without searching for routes in the routing table.

5.2.3 IPv6 Features


The IPv6 features include:
- IPv6 neighbor discovery (ND)
- Path MTU (PMTU) discovery
- TCP6, ping IPv6, tracert IPv6, and socket IPv6
- Static IPv6 DNS and specified IPv6 DNS servers
- TFTP IPv6 client
- IPv6 policy routes

5.2.4 GRE
The Generic Routing Encapsulation (GRE) protocol is used to encapsulate packets of certain network layer protocols such as IP and IPX packets so that these encapsulated packets can be transmitted in the network running another network layer protocol such as IP. As the Layer 3 tunnel protocol for VPNs, GRE adopts the tunnel technology. A tunnel can be taken as a virtual interface that supports only P2P connections. The tunnel interface provides a tunnel for data forwarding and the packets are encapsulated and decapsulated at both ends of the tunnel respectively.


Multi-Protocol Local Network Transmission Through Single-Protocol Backbone Network


Figure 5-13 Multi-protocol local network transmission through the single-protocol backbone network

[Figure labels: Novell IPX Group 1, Novell IPX Group 2, IP Team 1, IP Team 2, RouterA, RouterB, Internet, GRE tunnel]

In Figure 5-13, Group 1 and Group 2 are the local networks running Novell IPX. Team 1 and Team 2 are the local networks running the IP protocol. The tunnel between Router A and Router B adopts the GRE protocol; therefore, Group 1 communicates with Group 2 without affecting the communication between Team 1 and Team 2.

Enlarging Operation Scope of the Network with Limited Hops


Figure 5-14 Enlarging the network operation scope

[Figure labels: two PCs, three IP networks, Tunnel]

In Figure 5-14, the IP protocol is run on the network. Assume that the IP protocol limits the hop count to 255. If the hop count between two PCs is greater than 255, they cannot communicate. When the tunnel is used in the network, a few hops are hidden. This enlarges the scope of the network operation.
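GRE encapsulation and the hop-hiding effect of Figure 5-14, as an added example that is not part of the original document: it builds the IPv4 delivery header and basic GRE header, decapsulates with validation, and compares the TTL seen by the receiver with and without the tunnel. The path model, the documentation-range addresses and the function names are assumptions.

```python
import socket
import struct

IPPROTO_GRE = 47          # IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type when the passenger is IPv4


def _checksum(data):
    """16-bit one's-complement sum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src, dst, proto, ttl, payload):
    """Build a 20-byte IPv4 header (no options) in front of payload."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack("!H", _checksum(head)) + head[12:] + payload


def forward(packet):
    """One router hop: drop the packet if its TTL is used up, else decrement it."""
    if packet[8] <= 1:
        return None
    head = bytearray(packet[:20])
    head[8] -= 1
    head[10:12] = b"\x00\x00"
    head[10:12] = struct.pack("!H", _checksum(bytes(head)))
    return bytes(head) + packet[20:]


def gre_encap(inner, tunnel_src, tunnel_dst, proto_type=ETHERTYPE_IPV4, ttl=255):
    """Prefix inner with a basic GRE header (no optional fields) and a new IPv4 header."""
    return ipv4_packet(tunnel_src, tunnel_dst, IPPROTO_GRE, ttl,
                       struct.pack("!HH", 0, proto_type) + inner)


def gre_decap(outer):
    """Validate the delivery header and return (protocol type, passenger packet)."""
    if len(outer) < 24 or outer[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet carrying GRE")
    ihl = (outer[0] & 0x0F) * 4
    if ihl < 20 or len(outer) < ihl + 4 or outer[9] != IPPROTO_GRE:
        raise ValueError("not an IPv4 packet carrying GRE")
    if _checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    flags, proto_type = struct.unpack_from("!HH", outer, ihl)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):   # checksum, key, sequence number present
        if flags & bit:
            offset += 4
    if len(outer) < offset:
        raise ValueError("truncated GRE header")
    return proto_type, outer[offset:]


def _hops(packet, count):
    for _ in range(count):
        if packet is None:
            break
        packet = forward(packet)
    return packet


def deliver(before, transit, after, use_tunnel):
    """Send a packet with TTL 255 across the path; return the TTL the receiver sees, or None.

    Path model (assumed): `before` routers, tunnel ingress, `transit` routers, tunnel egress,
    `after` routers. The tunnel endpoints forward the passenger packet like any router.
    """
    packet = ipv4_packet("192.0.2.1", "198.51.100.1", 17, 255, b"constructed payload")
    packet = _hops(packet, before + 1)
    if packet is not None and use_tunnel:
        outer = _hops(gre_encap(packet, "203.0.113.1", "203.0.113.2"), transit)
        packet = gre_decap(outer)[1] if outer is not None else None
    else:
        packet = _hops(packet, transit)
    packet = _hops(packet, after + 1)
    return None if packet is None else packet[8]
```

The transit routers decrement only the outer TTL, so the passenger packet crosses the tunnel as a single hop; the same property means a traceroute from the PC does not reveal the routers inside the tunnel.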

Connecting Some Discontinuous Sub-Networks to Establish a VPN


GRE tunnels can be used to connect discontinuous sub-networks to implement the VPN across the WAN.


For example, two VPN sub-networks, Site 1 and Site 2, are in two cities. By setting up a GRE tunnel between the devices at the network edge, you can connect the two sub-networks to a continuous VPN network. GRE can be applied both in L2VPN and L3VPN in two modes as follows:
- As shown in Figure 5-15, the two ends of the GRE tunnel reside on the CE router in the CPE-based VPN.

  Figure 5-15 GRE in the CPE-based VPN

  [Figure labels: VPN site1, CE, PE, VPN backbone, PE, CE, VPN site2; GRE tunnel]

- As shown in Figure 5-16, the two ends of the GRE tunnel reside on the PE router in the network-based VPN.

  Figure 5-16 GRE in the network-based VPN

  [Figure labels: VPN site1, CE, PE, VPN backbone, PE, CE, VPN site2; GRE tunnel]

Usually, the MPLS VPN backbone network uses label switched paths (LSPs) as the public network tunnel. If the core router P in the backbone network, however, provides only the IP function without the MPLS function while the PE router at the network edge has the MPLS function, the LSP cannot be used as the public network tunnel. Then, you can use the GRE tunnel in place of the LSP to provide Layer 3 or Layer 2 VPN solutions at the core network.

CE Access to MPLS VPN Through GRE Tunnels


The VPN service based on the MPLS backbone network serves customers better than the traditional IP VPN services. Therefore, operators tend to choose the MPLS VPN technology. The Internet, however, is based on the IP technology, and a great number of backbone networks based on the IP technology still exist. In the MPLS VPN, to connect a Customer Edge (CE) router to the VPN, a physical link is needed to directly connect the CE router to the PE router in the MPLS backbone network; that is, the CE router and the PE router must be in the same network. In this networking, you must associate the VPN with the PE physical interface that is connected to the CE router.


In actual networking, not all the CE routers and PE routers can be directly connected through physical links. For example, for multiple institutes that are connected to the Internet or based on the IP technology, their CE routers and PE routers are geographically dispersed and cannot directly access the PE router in the MPLS backbone network. These institutes cannot directly access the sites inside the MPLS VPN through the Internet or the IP backbone network.

Figure 5-17 CEs accessing the MPLS VPN backbone network through the backbone network based on the IP technology

[Figure labels: VPN Site, CE, IP network, PE, MPLS network, PE, CE, VPN Site]

To connect a CE router to the MPLS VPN, you can create a direct logical connection between the CE router and the PE router. That is, you can connect the CE router and the PE router by using the public network or private network, and create a GRE tunnel between the CE router and the PE router. Then, the CE router and the PE router can be regarded as being directly connected. When associating the VPN with the PE interface that is connected to the CE router, you can regard the GRE tunnel as a physical interface.

5.2.5 IPv4-IPv6 Transition Technologies


IPv6 over IPv4 Tunnel
As shown in Figure 5-18, the IPv6 tunnel is a technology used for transition from the IPv4 network to the IPv6 network.

Figure 5-18 IPv6 tunnel

[Figure labels: IPv6 host, IPv6 network, Dual Stack Router, IPv4 network, Tunnel, Dual Stack Router, IPv6 network, IPv6 host; packet format outside the tunnel: IPv6 Header, IPv6 Data; packet format inside the tunnel: IPv4 Header, IPv6 Header, IPv6 Data]

The NE80E uses the following IPv6 tunnels:
- Manually configured IPv6 tunnel
  The IPv6 tunnel is manually configured on two edge routers at both ends of the tunnel. The source and destination IPv4 addresses of the tunnel are configured manually. The tunnel is equivalent to a permanent link between two IPv6 domains over an IPv4 backbone network. The tunnel is used for regular and secure communication between two edge routers on IPv6 islands.
- IPv6 over IPv4 GRE tunnel
  The IPv6 traffic can be carried over the IPv4 GRE tunnels. When carrying the IPv6 traffic, the IPv4 GRE tunnels are called IPv6 over IPv4 GRE tunnels (GRE tunnels for short). Like the manually configured IPv6 over IPv4 tunnel, a GRE tunnel is a link between two nodes, with a separate tunnel for each link. The tunnels are not tied to a specific passenger or transport protocol, but here carry IPv6 as the passenger protocol and GRE as the carrier protocol.
- Automatically configured IPv4-compatible IPv6 tunnel (automatic tunnel for short)
  An IPv4-compatible IPv6 address is needed to create an IPv6 over IPv4 automatic tunnel. The low-order 32 bits of an IPv4-compatible IPv6 address are an IPv4 address, which identifies the destination address of the automatic tunnel. To configure an automatic tunnel, you need to specify only the source address of the tunnel on an edge router or a host. The destination address of the tunnel can be automatically recognized according to the next hop address (an IPv4-compatible IPv6 address) of IPv6 packets.
- 6to4 tunnel
  A 6to4 tunnel connects isolated IPv6 islands to the IPv6 Internet over an IPv4 network. The difference between the 6to4 tunnel and the manually configured tunnel is that the former can be a point-to-multipoint connection, but the latter is a P2P connection. Hence, routers of the 6to4 tunnel are not configured in pairs. Similar to the automatic tunnel, the 6to4 tunnel can automatically find the other end of the tunnel. It need not be configured with an IPv4-compatible IPv6 address. The 6to4 tunnel uses a special kind of IPv6 address, that is, the 6to4 address.
- ISATAP tunnel
  The ISATAP tunnel is used when the IPv4/IPv6 host in an IPv4 network accesses an IPv6 network. The ISATAP tunnel can be created between ISATAP hosts, or between an ISATAP host and an ISATAP router. ISATAP enables the IPv4/IPv6 dual-stack nodes in the IPv4 site to automatically access the IPv6 routers. ISATAP uses an IPv6 address embedded with the IPv4 address, and the IPv6 over IPv4 automatic tunneling technique can be used regardless of whether the site uses a public or private IPv4 address. The ISATAP address format can use the site-based unicast IPv6 address prefix or the global unicast IPv6 address prefix. That is, site-based and global IPv6 routes are supported. ISATAP is usually used at the network edge such as the intranet and the access network. ISATAP can also work with the 6to4 technology.
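How the automatic, 6to4 and ISATAP tunnels above derive the IPv4 tunnel destination from an IPv6 address, as an added example not taken from the original document. The 6to4 prefix 2002::/16 (RFC 3056) and the ISATAP identifier 5efe (RFC 5214) come from those RFCs rather than this page; the endpoint acceptance policy, the function names and the sample addresses are assumptions.

```python
import ipaddress

# High 32 bits of an ISATAP interface identifier (RFC 5214): 0000:5efe or 0200:5efe.
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def embedded_endpoints(next_hop):
    """Return {tunnel type: IPv4Address} for every IPv4 address embedded in an IPv6 address."""
    value = int(ipaddress.IPv6Address(next_hop))
    low32 = value & 0xFFFFFFFF
    found = {}
    if (value >> 112) == 0x2002:                        # 6to4: 2002:V4ADDR::/48
        found["6to4"] = ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
    if ((value >> 32) & 0xFFFFFFFF) in ISATAP_IIDS:     # ISATAP: /64 prefix + 5efe:V4ADDR
        found["isatap"] = ipaddress.IPv4Address(low32)
    if (value >> 32) == 0 and low32 > 1:                # ::a.b.c.d, excluding :: and ::1
        found["ipv4-compatible"] = ipaddress.IPv4Address(low32)
    return found


def endpoint_allowed(kind, v4):
    """Policy assumed for this example: refuse endpoints that can never be a valid tunnel peer."""
    if (v4.is_unspecified or v4.is_loopback or v4.is_multicast or v4.is_link_local
            or v4 == BROADCAST):
        return False
    # ISATAP works with private site addresses (see the text); a 6to4 address must embed
    # a globally unique IPv4 address, so RFC 1918 space is refused there.
    if kind == "6to4" and any(v4 in net for net in RFC1918):
        return False
    return True


def resolve(next_hop):
    """Return sorted (tunnel type, IPv4 endpoint as text, allowed) tuples for an IPv6 next hop."""
    return sorted((kind, str(v4), endpoint_allowed(kind, v4))
                  for kind, v4 in embedded_endpoints(next_hop).items())


def sixtofour_prefix(v4):
    """The /48 6to4 prefix that belongs to a site with this IPv4 address."""
    base = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((base, 48))


def isatap_address(prefix, v4):
    """The ISATAP address formed from a /64 prefix and the node's IPv4 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    return ipaddress.IPv6Address(
        int(net.network_address) | (0x5EFE << 32) | int(ipaddress.IPv4Address(v4)))


if __name__ == "__main__":
    # Constructed sample next hops.
    for hop in ("::192.0.2.1", "2002:c000:201::1", "2002:c0a8:101::1",
                "fe80::5efe:c0a8:101", "2002:c000:201::5efe:c0a8:101", "2001:db8::1"):
        print(hop, resolve(hop))
```

Because the tunnel destination is taken from the packet's own addressing rather than from configuration, a check such as `endpoint_allowed` is the point at which an edge router can refuse endpoints it should never tunnel to.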

IPv4 over IPv6 Tunnel


In the later phase of the transition from the IPv4 network to the IPv6 network, a great number of IPv6 networks have been constructed, and isolated IPv4 sites may emerge. It is not economical to connect the isolated sites through dedicated lines. With the tunneling technology, tunnels can be created in the IPv6 network so that the isolated IPv4 sites can be interconnected. This is similar to the VPN deployment in the IP network with tunneling. The tunnels that are used to connect the isolated IPv4 sites in the IPv6 network are called IPv4 over IPv6 tunnels.


To set up IPv4 over IPv6 tunnels, IPv4/IPv6 dual stack needs to be enabled on the router at the edge of the IPv6 network and the IPv4 network.

Figure 5-19 Networking diagram of the IPv4 over IPv6 tunnel

[Figure labels: IPv4 Host, IPv4 network, Dual Stack Router, IPv6 network, IPv4 over IPv6 Tunnel, Dual Stack Router, IPv4 network, IPv4 Host; packet format outside the tunnel: IPv4 Header, IPv4 Payload; packet format inside the tunnel: IPv6 Header, IPv4 Header, IPv4 Payload]

6PE
The IPv6 Provider Edge (6PE) router allows communication between the IPv6 isolated CE routers over the IPv4 network. See Figure 5-20. With 6PE routers, ISPs can provide access services to the IPv6 network of isolated customers over the existing IPv4 backbone network.

Figure 5-20 6PE topology

[Figure labels: two 6PE Routers connected across an IPv4/MPLS Cloud by IBGP; a CE with an IPv6 Cloud customer site behind each 6PE Router]

The 6PE router labels IPv6 routing information and floods it onto the ISP's IPv4 backbone network through Internal Border Gateway Protocol (IBGP) sessions. The IPv6 packets are labeled before flowing into tunnels such as the GRE tunnel and MPLS LSP on the backbone network. The IGP used on the ISP network can be OSPF or IS-IS, and the protocol used between CE routers and 6PE routers can be static routing, an IGP, or EBGP.


When ISPs want to extend their IPv4/MPLS networks with IPv6 traffic exchange capability, they can just update the PE router. Therefore, using the 6PE feature as an IPv6 transition mechanism is a cost-effective solution for ISPs.

5.3 Routing Protocols


The NE80E supports various unicast and multicast routing protocols to satisfy different networking requirements.

5.3.1 Unicast Routing


The NE80E supports the following unicast routing features:
- IPv4 routing protocols: RIP, OSPF, IS-IS, and BGPv4
- IPv6 routing protocols: RIPng, OSPFv3, IS-ISv6, and BGP4+
- Static routes to simplify network configuration and improve network performance
- Large-capacity routing table to support MAN operation effectively
- Determining the optimal route through the routing policy

5.3.2 Multicast Routing


To save network bandwidth and reduce network load, the NE80E supports multicast.

Basic Multicast Functions


The NE80E provides the following multicast functions:
- Multicast protocols: Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Dense Mode (PIM-DM) and Protocol Independent Multicast-Sparse Mode (PIM-SM), Multicast Source Discovery Protocol (MSDP), and Multi-protocol Border Gateway Protocol (MBGP).
- PIM-SSM: If the multicast source is specified, a host can join the multicast source directly, without registering with the Rendezvous Point (RP).
- Anycast RP: Multiple RPs can exist in a domain and they are configured as MSDP peers. A multicast source can choose the nearest RP for registration, and the receiver can also choose the nearest RP to join its shared tree. In this way, load balancing is carried out among the RPs. When a certain RP fails, its previously registered sources and receivers choose another RP instead. The RPs thus back each other up.
- IPv6 multicast routing protocols: MLD, PIM-IPv6-DM, PIM-IPv6-SM, and PIM-IPv6-SSM.
- Multicast static routes.
- When receiving, importing and advertising multicast routes or forwarding IP packets, the multicast routing module can filter the routes or packets based on routing policies.
- Multicast VPN: The NE80E adopts the Multicast Domains (MD) scheme to implement centralized processing.
- Addition and deletion of dummy entries.


IGMP Snooping
For the NE80E, Layer 2, Layer 3, and QinQ interfaces, VPLS PW, STP, and RRPP support IGMP snooping. IGMP snooping listens to the IGMP messages between routers and hosts and sets up the Layer 2 forwarding table for multicast data packets. In this manner, IGMP snooping controls and manages the forwarding of multicast data packets to carry out Layer 2 multicast. IGMP snooping aims to control the flooding of multicast flows, forward packets as required, and save network resources. For the interface that joins a multicast group without the IGMP report application, the device does not send the multicast flow to the interface.

Multicast Flow Control


Unknown multicast packets refer to those packets for which no forwarding entry is found in the multicast forwarding table. The NE80E supports the following measures to deal with the unknown multicast packets:
- Discarding the packets directly after receiving them
- Broadcasting the packets in the VLAN to which the receiving interface belongs

To control multicast traffic, the NE80E also supports limiting the maximum percentage of multicast traffic on the Ethernet interface.

Multicast VLAN
Multicast VLAN refers to the VLAN that converges multicast flows. When users need certain multicast flows, they send a request to the multicast VLAN. Then the multicast VLAN copies the multicast packets to different user VLANs. This realizes the function of multicast across VLANs. The NE80E forwards multicast packets through the multicast VLAN, and copies the packets based on the multicast routing entries. Then, the NE80E sends these packets to the VLANs of different users. Using the multicast VLAN, the NE80E can converge the multicast flows of different user VLANs to one or several specified VLANs. Multicast across VLANs enables the NE80E to send unicast packets and multicast packets across different VLANs. This helps manage and control the multicast flows and save bandwidth resources. Network security is thus improved.

1+1 Protection of Multicast Flows


1+1 protection of multicast flows is realized through multicast across VLANs. The Internet Content Provider (ICP) copies and sends the multicast packets to two multicast VLANs. The multicast packets and the Continuity Check Message (CCM) for checking the link status in those two multicast VLANs are then forwarded to the NE80E at the user side. The NE80E at the user side judges the link status based on the CCM received and specifies a multicast VLAN in the good link state to receive multicast packets. At present, the NE80E supports only VLAN-based 1+1 protection.


Multicast VPN
With the application of the VPN, the requirements of users for operating multicast services over the VPN are increasingly strict. The VRP adopts the multicast domain (MD) solution to implement multicast transmission over the VPN.

MPLS/BGP VPN is a type of VPN, implemented based on the BGP and MPLS expansion. The MPLS/BGP VPN consists of the backbone network of carriers and every site of users. As the VPN user sites, the sites are isolated from each other and can interconnect only through the backbone network. A VPN can be regarded as the division of sites based on policies. These policies are used to control the connections between sites. As shown in Figure 5-21, Site 1, Site 2, and Site 3 constitute VPN A; Site 4, Site 5, and Site 6 constitute VPN B.

Figure 5-21 Application of MPLS/BGP VPN

[Figure labels: Core Layer, Edge Layer, CPE layer; P1, P2, P3; PE1, PE2, PE3; CE1 to CE6; VPN A site1 to site3; VPN B site4 to site6]

Table 5-1 Functions of various devices in MPLS/BGP VPNs

| Device | Full Name | Description |
|---|---|---|
| P | Provider Router | As a core router of the backbone network, the router is responsible for MPLS forwarding. |
| PE | Provider Edge Router | As an edge router of the backbone network, the router processes VPN routes and implements MPLS Layer 3 VPN. |
| CE | Customer Edge Router | As an edge router of the user network, the router advertises user network routes. |


The network shown in Figure 5-21 runs multicast. VPN users in various sites receive multicast data in the local VPN. The edge PE router in the public network supports multi-instance. As shown in Figure 5-22, public network instances on each PE router and the P router implement public network multicast. VPN multicast data is multicast in the public network.

Figure 5-22 Public network multicast

[Figure labels: PE1_public-instance, PE2_public-instance, PE3_public-instance, P1, P2, P3]

As shown in Figure 5-23, VPN A instances on each PE router and the sites that belong to VPN A implement VPN A multicast.

Figure 5-23 VPN A multicast

[Figure labels: VPN A site1, VPN A site2, VPN A site3; CE1, CE2, CE3; PE1_vpnA-instance, PE2_vpnA-instance, PE3_vpnA-instance; MD A]

As shown in Figure 5-24, VPN B instances on each PE router and the sites that belong to VPN B implement VPN B multicast.


Figure 5-24 VPN B multicast

[Figure labels: VPN B site4, VPN B site5, VPN B site6; CE4, CE5, CE6; PE1_vpnB-instance, PE2_vpnB-instance; MD B]

Take VPN A instance as an example. Multicast VPN refers to the following:
- The multicast source S1 belongs to VPN A. S1 sends multicast data to G, a multicast group.
- Among all possible data receivers, only members of VPN A can receive multicast data from S1.
- Multicast data is multicast at various sites and on the public network.

To implement multicast VPN, the following network conditions are required:
- Each site that supports multicast based on VPN instance
- A public network that supports the multicast based on public instances
- A PE router that supports the following multi-instance multicast:
  - Connecting sites through VPN instance and supporting multicast based on VPN instances
  - Connecting the public network by using public network instances and supporting multicast based on public network instances
  - Supporting information communication and data switching between public network instances and VPN instances

5.4 MPLS Features


5.4.1 Basic Functions
The NE80E supports MPLS, static LSPs, and dynamic LSPs. The static LSP requires the administrator to configure the Label Switch Routers (LSRs) along the LSP and set up LSPs manually. The dynamic LSP indicates that the Label Distribution Protocol (LDP) and RSVP-TE dynamically set up the LSPs in accordance with the routing information.


The NE80E supports the following MPLS functions:
- Basic MPLS functions, service forwarding, and LDP
  LDP distributes labels, sets up LSPs, and transfers parameters used for setting up LSPs.
  - LDP DU and DoD label distribution modes
  - Independent label distribution control and sequential label control modes
  - Liberal retention mode and conservative retention mode
  - Maximum hop number and path vector
- MPLS ping and tracert
  MPLS echo requests and MPLS echo replies are used to test the availability of an LSP.
- LSP-based traffic statistics
- LSP loop detection mechanism
- MPLS QoS, ToS mapping to MPLS EXP value of IP packets, and MPLS uniform, pipe, and short pipe modes
- Static configuration of LSPs and label forwarding based on traffic classification
- MPLS TRAP function

The NE80E can work as a Label Edge Router (LER) or an LSR.
- The LER is used at the edge of the MPLS network to connect with other networks and to classify services, distribute labels, encapsulate or strip off multi-layer labels.
- The LSR is the core router of the MPLS network, and it switches and distributes labels.

The NE80E can run MPLS on the POS, Ethernet, RPR, ATM and VLAN interfaces.

5.4.2 MPLS TE
Insufficient network resources and unbalanced load cause congestion in the network. This affects the performance of the backbone network. TE solves this problem. It monitors the traffic and load on the network element dynamically, and adjusts the traffic management, routing and resource constraint parameters in real time.

MPLS TE is a technique that integrates TE with MPLS. Through the MPLS TE, you can create an LSP tunnel to a specified path, to reserve resources and implement re-optimization. In case of resource scarcity, MPLS TE helps to preempt the bandwidth resource of the LSP tunnels with a low priority. This meets the demands of the LSPs with large bandwidth or important services. MPLS TE also provides protection against link or node failures through the use of path backup and Fast Reroute (FRR).

MPLS TE provides the following functions:
- Processing of static LSPs
  MPLS TE creates and deletes static LSPs, which require bandwidth but are manually configured.
- Processing of Constrained Route-Label Switched Path (CR-LSP)
  MPLS TE processes various types of CR-LSPs.

The processing of static LSPs is easier. CR-LSPs are classified into the types described in the following sections.

DS-TE
DiffServ is a QoS solution. It classifies traffic according to the Class of Service (CoS) and provides differentiated QoS based on the CoS. As a traffic engineering solution, MPLS TE optimizes the use of network resources. DiffServ-Aware TE combines the advantages of the preceding two solutions. It can thus optimize the use of network resources according to the CoS. That is, the bandwidth is restricted for traffic of different CoSs. To summarize, DS-TE maps traffic of various CoSs to LSPs and makes the LSP that traffic passes through comply with the relevant TE constraints.

DS-TE involves the following concepts:
- Class type (CT): refers to a collection of links that meet certain bandwidth constraints and is used to assign link bandwidth, execute constraint-based routing and perform access control. For a specified traffic trunk, all the links it passes belong to the same CT.
- Bandwidth constraints (BC): Different bandwidth constraint models are constructed to control CT. The models are determined by two parts: the maximum BC number (MaxBC) and the relationship between BC and CT.

The NE80E implements DS-TE, and supports two CTs: CT0 and CT1. CT0 and CT1 correspond to the Assured Forwarding (AF) and the Expedited Forwarding (EF) defined in QoS respectively. Their bandwidth constraints are BC0 and BC1 respectively, and each supports eight priorities (with the value ranging from 0 to 7). A total of 16 TE classes are supported. Normal TE tunnels that are not MPLS DiffServ-Aware TE tunnels are mapped to the AF according to CT0.

RSVP-TE
The Resource Reservation Protocol (RSVP) is designed for the Integrated Service (Inter-Serv) model and used on each node on a path for resource reservation. RSVP works on the transport layer, but does not involve the transmission of application data. It is a control protocol on the Internet, similar to ICMP. RSVP has the following characteristics:
- Unidirectional.
- Receiver-oriented. The receiver initiates a request for resource reservation and maintains the resource reservation information.
- Uses a soft state mechanism to maintain the resource reservation information.

RSVP, after being extended, supports MPLS label distribution. While transmitting label mapping messages, it also carries the resource reservation information. The extended RSVP is called RSVP-TE, as a signaling protocol to establish LSP tunnels in the MPLS TE.

Fast Reroute
FRR is a technique to implement partial protection in MPLS TE. The time spent on FRR fast switchover can reach 50 milliseconds. It minimizes data loss when the network fails. FRR is only a means of temporary protection. After the protected link or node is restored or a new LSP is established, traffic is switched back to the original LSP or the newly established LSP. After the FRR function is configured for an LSP, traffic is switched to the standby link when a link or node on the LSP is out of service. Meanwhile, the ingress of the LSP attempts to establish a new LSP.

Auto FRR
The FRR technology requires that when configuring a protected tunnel, you must configure a bypass tunnel to bind with it. When the link or node is Down, the data flow can be automatically switched to the bypass tunnel. For the FRR protection, the bypass tunnel must be configured manually. If it is not configured, the tunnel cannot be protected. The Auto FRR can solve the preceding problem. Auto FRR is an extension of MPLS TE FRR. Bypass LSPs can be automatically set up along the LSP after you configure the attributes of bypass LSPs, global Auto FRR attributes, and the Auto FRR attributes of the interface. In addition, once the primary LSP changes, the original bypass LSPs can be automatically deleted and new bypass LSPs are set up.

CR-LSP Backup
The CR-LSP backup indicates establishing a backup CR-LSP for a CR-LSP. When the primary CR-LSP fails, the ingress switches the traffic to the backup CR-LSP immediately. It switches to the primary CR-LSP once the primary CR-LSP recovers. The two methods of backup are as follows:
• Hot-standby backup: The backup CR-LSP is established immediately after the primary CR-LSP is established. MPLS TE switches immediately to the backup CR-LSP when the primary CR-LSP fails.
• Ordinary backup: The backup CR-LSP is established when the primary CR-LSP fails.

LDP over TE
In current networks, not all devices support MPLS TE. Only the devices in the network core support TE and the devices at the network edge use LDP. The application of LDP over TE is then put forward. The TE tunnel is taken as a hop of the entire LDP LSP. LDP is widely used in MPLS VPN. To avoid the congestion of VPN traffic on nodes, you can configure this feature.

Figure 5-25 Typical application of LDP over TE (diagram labels: R1, R2, R3, R4, R5, R6; link costs 10, 10, 20, 10)

Figure 5-25 shows the MPLS VPN networking. Here, LDP is used as the signaling protocol. Router 1 and Router 6, the PE routers, find that the link between Router 2 and Router 3 is rather congested after a large number of users gain access, because the traffic between Router 1 and Router 6 must pass through this link. The link between Router 2 and Router 4 is free. The LSP, however, cannot use the link between Router 2 and Router 4 because of the IGP cost value. Establish a TE tunnel between R2 and R5 that passes through Router 4, and adjust the metric value of the IGP shortcut. R2 then has two routes that implement load balancing:
• The physical interface between R2 and R3
• The TE tunnel interface from R2 to R5

LDP establishes the LSP for load balancing to let traffic go along the idle link.
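The effect of adjusting the IGP shortcut metric on R2, as an added example that is not part of the product documentation: a shortest-path computation that keeps every equal-cost first hop. The assignment of the figure's costs (10, 10, 20, 10) to specific links, the R1-R2 and R5-R6 costs, and the tunnel metric values 30 and 20 are assumptions.

```python
import heapq

# Constructed reading of Figure 5-25. Only the costs 10, 10, 20, 10 appear in
# the figure; which link carries which cost, and the R1-R2 and R5-R6 costs,
# are assumptions made for this example.
LINKS = {
    ("R1", "R2"): 10, ("R2", "R3"): 10, ("R3", "R5"): 10,
    ("R2", "R4"): 20, ("R4", "R5"): 10, ("R5", "R6"): 10,
}


def build_graph(links, shortcuts=()):
    """Adjacency map; each edge is (neighbor, cost, outgoing interface name)."""
    graph = {}
    for (a, b), cost in links.items():
        graph.setdefault(a, []).append((b, cost, f"{a}->{b}"))
        graph.setdefault(b, []).append((a, cost, f"{b}->{a}"))
    # An IGP shortcut makes the TE tunnel look like a one-way link from the
    # tunnel head end to the tunnel tail end, with a configurable metric.
    for head, tail, metric in shortcuts:
        graph.setdefault(head, []).append((tail, metric, f"Tunnel {head}->{tail}"))
    return graph


def equal_cost_next_hops(graph, source, dest):
    """Dijkstra that keeps every first-hop interface lying on a shortest path.

    Returns (total cost, sorted list of outgoing interfaces on the source).
    """
    dist = {source: 0}
    first_hops = {source: set()}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nbr, cost, ifname in graph.get(node, []):
            nd = d + cost
            # Leaving the source fixes the first hop; later hops inherit it.
            hops = {ifname} if node == source else first_hops[node]
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                first_hops[nbr] = set(hops)
                heapq.heappush(heap, (nd, nbr))
            elif nd == dist[nbr]:
                first_hops[nbr] |= hops  # equal-cost path: load balancing
    return dist[dest], sorted(first_hops[dest])


if __name__ == "__main__":
    cases = {
        "no tunnel": (),
        "tunnel, metric 30 (cost of its physical path)": [("R2", "R5", 30)],
        "tunnel, metric adjusted to 20": [("R2", "R5", 20)],
    }
    for name, shortcuts in cases.items():
        cost, hops = equal_cost_next_hops(build_graph(LINKS, shortcuts), "R2", "R6")
        print(f"{name}: cost {cost}, R2 forwards via {hops}")
```

Only when the shortcut metric equals the cost of the R2-R3-R5 path does R2 hold two equal-cost routes, which is the load-balancing state the text describes.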

5.4.3 MPLS OAM


MPLS supports multiple Layer 2 and Layer 3 protocols such as IP, FR, ATM, and Ethernet. It supports an OAM mechanism that is independent of the upper and lower layers. MPLS OAM provides the following functions:
• Detecting the LSP connectivity
• Measuring the network utility and performance
• Performing the protection switching in the case of a link failure
• Providing services based on the Service Level Agreement (SLA) signed with the customers

With MPLS OAM, you can detect, identify, and locate failures in an MPLS network. The failure is reported and removed in time. In addition, MPLS OAM provides a mechanism for triggering protection switching. MPLS OAM provides the following functions:
• MPLS OAM detection
  MPLS OAM sends CV/FFD and BDI packets along the LSPs to be detected and the reverse channels between the LSP ingress and egress to detect the connectivity.

Figure 5-26 MPLS OAM (diagram labels: Ingress LSR, Egress LSR, CV/FFD, BDI)

• OAM auto protocol function
• Protection switch
  1:1, 1+1, sharing protection, and packet-level protection are supported.

5.5 VPN Features


5.5.1 Tunnel Policy
The tunnel policy (TP) selects tunnels according to the destination IP address. Proper tunnels need to be selected for each type of service according to the TP. If no TP is set, the tunnel management module selects tunnels based on the default TP. The NE80E supports two kinds of tunnel policies:
• For sequential tunnel policies, you can set the sequence to select a tunnel and the number of tunnels for load balancing. The Up tunnel in the front of the queue is always selected to transmit services destined for the same destination. The tunnels at the end of the queue are not selected generally, unless load balancing is required or the tunnels before them are Down.
• The VPN tunnel binding policy associates a VPN peer with an MPLS TE tunnel on the PE router of the VPN backbone network. The data from the VPN to the peer is transmitted through the special TE tunnel. The TE tunnel bound carries only the specified VPN services. In this way, QoS of the VPN service can be ensured.

5.5.2 VPN Tunnel


The NE80E supports the following kinds of VPN tunnels:
• LSP tunnels
  Once a label is distributed to an FEC on the LSP ingress, traffic is transparently forwarded along the transit nodes of the LSP according to the label. In this manner, an LSP can be taken as an LSP tunnel.
• GRE tunnels
  If the PE router at the edge of the ISP network supports MPLS while the P router supports only IP, the LSP cannot be used as the public tunnel. In this case, GRE tunnels can substitute for the LSP and run as the tunnel in the VPN backbone network.
• TE tunnels
  To carry out reroute or transmit traffic over multiple paths, many LSPs may be required. In TE, a group of such LSPs is called a Traffic Engineered (TE) tunnel. These TE tunnels are identified by the tunnel ID or the LSP ID. In addition, the tunnel ID uniquely identifies a TE tunnel.

5.5.3 MPLS L2VPN


The NE80E provides Layer 2 VPN services based on MPLS. It supports VPLS, Martini MPLS L2VPN, Kompella MPLS L2VPN, CCC MPLS L2VPN, and SVC MPLS L2VPN to carry VLL services.

VLL
Figure 5-27 shows the typical networking diagram of MPLS L2VPN application that the NE80E supports.

Figure 5-27 MPLS L2VPN (diagram labels: VPN1 site1 to site3, VPN2 site2 and site3, VPN3 site1 and site2, PE, PE-ASBR, MPLS network). Callouts in the figure:
• Support dynamic Martini/Kompella L2VPN
• Support static CCC/SVC L2VPN
• Support access to the MPLS L2VPN through PPP, HDLC, ATM, Eth/VLAN, and Q-in-Q
• Support internetworking
• Support inter-AS solutions: VRF-to-VRF, MP-Multihop EBGP
• Support MPLS VPN over GRE and MPLS VPN over TE tunnel
• Provide the VPN manager to manage VPNs among devices of different vendors

• Martini MPLS L2VPN
  Martini MPLS L2VPN uses a combination of VC type and VC ID to identify a VC. VC type indicates the type of a VC (ATM, Ethernet, VLAN or PPP). VC ID is used to identify a VC uniquely. Every VC ID of the same VC type on a PE router must be unique. The PE routers connecting two CE routers exchange VC labels through LDP and bind the corresponding CE routers through the VC ID. When an LSP is set up to connect two PE routers successfully and the label exchange and binding are complete at both sides, a VC is set up. Then CE routers can transmit Layer 2 data over the VC.
  To exchange VC labels between PE routers, the Martini draft extends LDP by adding the VC FEC as a forwarding equivalence class (FEC) type. Moreover, because the two PE routers exchanging VC labels may not be directly connected, LDP must use remote peers to create sessions to transfer VC FEC and VC labels.

• Kompella MPLS L2VPN
  Different from Martini MPLS L2VPN, Kompella MPLS L2VPN does not operate on the connection between CE routers directly. It allocates different VPNs in the whole ISP network and numbers each CE router in a VPN. To set up a connection between two CE routers, you only need to configure an ID for the local CE router and an ID for the remote CE router on the PE router, and then specify the circuit ID of the connection that is assigned by the local CE (for instance, ATM VPI or VCI) for this link.
  In label allocation, Kompella MPLS L2VPN adopts a label block to assign labels for various links at a time. You can specify a local CE range, which indicates how many CE routers can be connected with this CE router. The system assigns a label block for this CE router. The size of this label block is equal to the CE range. In this way, users can distribute some extra labels for the VPN for future use. This may waste some label resources, but can reduce VPN deployment and configuration workload in expansion.
  Kompella MPLS L2VPN can support inter-AS VPN solutions.

• CCC MPLS L2VPN
  Circuit Cross Connect (CCC) is a technique to implement MPLS L2VPN through static configuration. Different from common MPLS L2VPN, CCC MPLS L2VPN adopts a single layer of label to transfer user data, and so it uses LSPs exclusively. A CCC LSP is used to transfer the data of this CCC connection only. It can neither be used for other MPLS L2VPN connections and BGP/MPLS VPN connections nor carry common IP packets. For the CCC connection, the static LSP in the PE routers need not be configured. If two PE routers are not directly connected, the transit static LSP must be configured on the intermediate routers.

• SVC MPLS L2VPN
  Static VC (SVC) is similar to Martini MPLS L2VPN but SVC can transfer Layer 2 VCs and link signaling information without using the LDP. VC labels are configured manually.

• L2VPN Interworking
  If the link types of CE routers at the two ends of an L2VPN are different, use the L2VPN interworking feature. According to the recommendation in draft-kompella-ppvpn-l2vpn, IP-interworking should be used as the encapsulation type of the L2VPN interface on the PE router to set up an L2VPN connection. In this case, Layer 3 data (IP packets) can be delivered transparently across the MPLS network.
  When the L2VPN interworking feature is adopted, you need to encapsulate the L2VPN interface on the PE router at the two ends with IP-interworking. The PE router begins to establish the L2VPN connection after the physical status of the interfaces goes up. The PE router allows L2VPN forwarding once the L2VPN connection is established. In this case, the system considers the physical link for transparent transmission available irrespective of whether the status of the link layer protocol is up or down. After the status of both the AC and L2VPN tunnel goes up, the CE routers at the two ends can transmit and receive IP packets.
  After the L2VPN connection is established, the IP packets are processed as follows:
  - On receiving an IP packet from the CE router, the PE router decapsulates the link layer packet and delivers the IP packet to the MPLS network.
  - The IP packet is transparently transported to the peer PE router across the MPLS network.
  - The peer PE router re-encapsulates the IP packet according to its own link layer protocol type, and then sends the encapsulated packet to the CE router connected with it.
  - The link layer control packet sent by the CE router is processed by the PE router and does not enter the MPLS network.
  - All non-IP packets (such as MPLS and IPX packets) are discarded and none of them is transferred across the MPLS network.
• Inter-AS MPLS L2VPN
  The realization of an inter-AS MPLS L2VPN depends on the actual environment. In CCC mode, the label is of a single layer. Therefore, the inter-AS connection can be realized after the static LSP is set up between the ASBRs.
  SVC, Martini and Kompella modes can realize the inter-AS Option A (VRF-to-VRF). In the L2VPN networking, the link type between the ASBRs and that of the VC must be the same. In the inter-AS Option A, each ASBR must reserve a sub-interface for each inter-AS VC. If the number of inter-AS VCs is small, Option A can be adopted. Compared with the L3VPN, the inter-AS Option A of the L2VPN consumes more resources.
  Option B requires the switching of both the inner label and the outer label on the ASBR. Therefore, Option B is not suitable for the L2VPN.
  Option C is a better solution. The SP network devices need only set up the outer tunnel on the PE routers of different ASs. The ASBR need not maintain information about the inter-AS L2VPN. The ASBR also need not reserve interfaces for the inter-AS L2VPN. The L2VPN information is exchanged only between PE routers. Thus, the resource consumption decreases.

VPLS
The VPLS network structure is shown in Figure 5-28. Several virtual switches (VSs) can be created on a PE router. VSs on different PE routers form an L2VPN. LANs at the user end can access the L2VPN through VSs. In this way, users can expand their own LAN over WAN. VPLS can be regarded as the VS across public networks. Like L3VPN, it establishes LSP tunnels on public networks for traffic exchange.

Figure 5-28 VPLS network structure (diagram labels: PE, VS1, VS2, VLAN1, VLAN2)

VPLS requires users to log in through Ethernet links. It directly forwards packets according to VLAN ID. For communication with remote users, a Virtual Channel (VC) that can traverse public network is established between PE routers, and the VC is associated with the VLAN ID. Users communicate with each other over the Layer 2 tunnel through the VC. VLAN ID is used to identify users' VPN. While establishing the VC, the PE router allocates two layers of labels to the VC. The exterior label is the MPLS LSP label of public network and is allocated by LDP. The inner label is the VC label and is allocated by remote LDP session negotiation on the loopback interface.
• QinQ VPLS
  QinQ is a tunnel protocol based on IEEE 802.1Q encapsulation. It encapsulates the VLAN tag of private networks in the VLAN tag of public networks. Packets carry two layers of tags to traverse ISPs' backbone networks, thus saving VC resources and providing users with a relatively simple L2VPN tunnel. Figure 5-29 shows the QinQ VPLS.

Figure 5-29 QinQ VPLS (diagram labels: User, UPE, ISP, NPE, Backbone, NE80E/NE40E)


• HVPLS
  VPLS needs PE routers to forward the Ethernet frame by the full-mesh Ethernet emulation circuit or Pseudo-Wire (PW). Therefore, all PE routers must be connected with each other in the same VPLS. If the VPLS has N PE routers, the VPLS has N x (N-1)/2 connections. Hierarchical Virtual Private LAN Service (HVPLS) is a networking solution used to realize full-mesh VPLS. Figure 5-30 shows the HVPLS model.

Figure 5-30 HVPLS model (diagram labels: CE, AC, UPE, PW, SPE, basic VPLS full mesh)

  - UPE: The device directly connected with CE routers is called Underlayer PE (UPE). The UPE only needs to be connected with one of the PE routers in the basic VPLS. The UPE supports routing and MPLS encapsulation. If one UPE is connected with many CE routers and provides bridging functions, only the UPE needs to forward the data frame to reduce the burden on the SPE.
  - SPE: The device connected with the UPE and located in the core of the full-mesh VPLS is called Superstratum PE (SPE). The SPE is connected with all other devices in the VPLS. The SPE takes the UPE connected as a CE router. The PW established between the UPE and the SPE is taken as the AC of the SPE. The SPE needs to learn the MAC addresses of sites at the UPE side and the MAC addresses of the UPE interfaces connected with the SPE.
• IGMP snooping
  VPLS can isolate users. Each VPN needs to support IGMP snooping, that is, the multi-instance IGMP snooping.
  VPLS learns MAC addresses in the following modes:
  - Unqualified: The Unqualified mode refers to allowing numerous VLANs in a VSI to share a MAC address space and a broadcast area. VLANs need to be learned.
  - Qualified: The Qualified mode refers to allowing a VLAN in a VSI to have an independent MAC address space and broadcast area. VLANs need not be learned.

PWE3
Pseudo-Wire Emulation Edge to Edge (PWE3) is a technology used to carry end-to-end Layer 2 services. In the Packet Switched Network (PSN), PWE3 simulates ATM, Frame Relay (FR), Ethernet, low-speed TDM, and SONET/SDH.
• Classifications of PW
  PW can be classified into:
  - Static PW and dynamic PW in terms of implementation
  - Single-hop PW and multi-hop PW in terms of networking
  - LDP-PW and RSVP-PW in terms of signaling

• Control Word
  The CW is negotiated at the control plane, and is used for packet sequence detection, packet fragmentation, and packet reassembly at the forwarding plane. In the PWE3 protocols, ATM Adaptation Layer Type 5 (AAL5) and FR require the support for the CW. The negotiation of the CW at the control plane is simple. If the CW is supported after the negotiation, the negotiation result needs to be delivered to the forwarding module, which detects the packet sequence and reassembles the packet.
  The CW has the following functions:
  - Carries the sequence number for forwarding packets. If the control plane supports the CW, a 32-bit CW is added before the data packet to indicate the packet sequence. When the load balancing is supported, the packets may be out of sequence. The CW can be used to number the packets so that the peer can reassemble the packets.
  - Fills the packet to prevent the packet from being too short. For example, if Ethernet is between PEs and PPP is between PEs and CEs, the size of the PPP control packet is smaller than the smallest MTU supported by the Ethernet. Then the PPP negotiation fails. You can avoid this by adding the CW, that is, by adding the fill bit.
  - Carries the control information of the Layer 2 frame header. In certain cases, the frame does not need to be transmitted completely in the L2VPN packets on the network. The frame header is stripped at the ingress and added at the egress. This method, however, cannot be used if the information in the frame header needs to be carried. You can use the CW to solve this problem. The CW can carry the negotiated information between the ingress PE and the egress PE.
  At the control plane, the negotiation succeeds only when both ends or neither end supports the CW. At the forwarding plane, the negotiation result at the control plane determines whether the CW is added to the packet.

• VCCV Ping
  VCCV ping is a tool that is used to manually test the connectivity of the virtual circuit. Similar to ICMP ping and LSP ping, it is realized through the extended LSP ping. The VCCV defines a series of messages transmitted between PEs to verify the connectivity of PWs. To ensure that the path of VCCV packets is consistent with the path of data packets in PWs, the encapsulation type and the passed tunnel of VCCV packets must be the same as those of PW packets. For details, refer to draft-ietf-pwe3-vccv and draft-ietf-mpls-lsp-ping.
  The NE80E supports the manual detection on the connectivity of LDP PWs on the U-PE, that is, the VCCV ping, including the detection on the connectivity of static PWs, dynamic PWs, single-hop PWs, and multi-hop PWs. Figure 5-31 shows the reference model of the PWE3 VCCV.

Figure 5-31 Reference model of the PWE3 VCCV (diagram labels: CE1, AC, U-PE1, PW1, PW2, U-PE2, AC, CE2, Emulate Service, VCCV)

The VCCV can be used as a fault detection and diagnostic tool for PWs. The VCCV can be a combination of one type of CCs and one type of connectivity verifications (CVs), because the lower layer PSNs are different, such as LSP ping, L2TPv3, or Internet Control Message Protocol (ICMP) ping.
• PW Template
  A PW template is a set of public attributes abstracted from PWs. A PW template is shared by different PWs. For convenience of expansion, the command mode of the PW template is added to set some public attributes of PWs. When creating a PW in interface mode, you can use this template. In the NE80E, the PW can be bound with the PW template and can be reset.

• Interconnectivity of heterogeneous media
  PWE3 can support:
  - Interconnectivity of homogenous media and heterogeneous media
  - Cell relay of data with different encapsulations
  At present, the NE80E supports the following data transport by using PWE3:
  - ATM AAL5 SDU VCC transport
  - Ethernet
  - HDLC
  - ATM n-to-one VCC cell transport
  - IP Layer 2 transport
  - ATM one-to-one VCC cell mode

• ATM cell relay
  ATM cell relay is a technology to carry ATM cells on the PWE3 virtual circuit. Label encapsulation for ATM relay through PSN is shown in Figure 5-32.

Figure 5-32 Diagram of ATM relay through PSN (diagram labels: Layer 2 connection, e.g. ATM VCC/VPC; connection or 'port' carried on pseudo-wire; L2, PE, pseudo-wire, PE, L2; MPLS PSN tunnel. Packet layout: MPLS label stack made up of the PSN transport header (outer label; the MPLS PSN tunnel is identified by the outer label) and the pseudo-wire header (inner label; the pseudo-wire is identified by the inner label), followed by the control word (sequencing and protocol info) and the Layer 1/2 payload)

  A PSN label of the exterior layer identifies a PSN tunnel, while the PW header of interior layer identifies a PW. ATM cell relay is used to load the following services on a PSN:
  - The services whose PW payload is ATM cell
  - The services whose PW payload is AAL5 SDU
  ATM cell relay can also be used to upgrade the former ATM network through a PSN, with no new ATM devices and no change of the ATM CE configuration. ATM CE takes ATM cell relay as TDM leased line, and relays cells through a PSN for ATM interconnection.
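The encapsulation of Figure 5-32 together with the control word functions described under Control Word, as an added example that is not NE80E code: it builds and parses a PW packet with an outer tunnel label, an inner PW label, and a 32-bit control word laid out as in RFC 4385, strips padding by the length field, and checks ordering by the sequence number. The label values and payloads are constructed.

```python
import struct

# Constructed sample values; none of them come from the NE80E documentation.
TUNNEL_LABEL = 1025   # outer label: identifies the MPLS PSN tunnel
PW_LABEL = 2049       # inner label: identifies the pseudo-wire


def pack_label(label, tc=0, bottom=False, ttl=255):
    """Encode one 32-bit MPLS label stack entry: label(20) TC(3) S(1) TTL(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def pack_control_word(seq, payload_len, flags=0, frg=0):
    """Encode the 32-bit PW control word: 0000, flags(4), FRG(2), length(6), seq(16)."""
    # The length field is set only for short packets that a link may pad:
    # it covers control word plus payload when that total is under 64 bytes.
    total = payload_len + 4
    length = total if total < 64 else 0
    word = (flags & 0xF) << 24 | (frg & 0x3) << 22 | (length & 0x3F) << 16 | (seq & 0xFFFF)
    return struct.pack("!I", word)


def encapsulate(payload, seq, pad_to=0):
    """Outer label + inner label (bottom of stack) + control word + payload."""
    pkt = (pack_label(TUNNEL_LABEL) + pack_label(PW_LABEL, bottom=True)
           + pack_control_word(seq, len(payload)) + payload)
    return pkt.ljust(pad_to, b"\x00")   # emulate minimum-frame-size padding


def decapsulate(packet):
    """Parse a PW packet; return (tunnel_label, pw_label, seq, payload)."""
    labels, offset = [], 0
    while True:
        if len(packet) < offset + 4:
            raise ValueError("truncated label stack")
        (entry,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        labels.append(entry >> 12)
        if entry & 0x100:               # S bit set: bottom of stack
            break
    if len(labels) != 2:
        raise ValueError("expected an outer tunnel label and an inner PW label")
    if len(packet) < offset + 4:
        raise ValueError("missing control word")
    (cw,) = struct.unpack_from("!I", packet, offset)
    offset += 4
    if cw >> 28 != 0:
        raise ValueError("first nibble of a PW control word must be 0")
    length, seq = (cw >> 16) & 0x3F, cw & 0xFFFF
    payload = packet[offset:]
    if length:                          # short packet: remove the padding
        if length < 4 or length - 4 > len(payload):
            raise ValueError("control word length field is inconsistent")
        payload = payload[:length - 4]
    return labels[0], labels[1], seq, payload


class SequenceChecker:
    """Egress-side ordering check; sequence number 0 means 'not sequenced'."""

    def __init__(self):
        self.expected = 1

    def in_order(self, seq):
        if seq == 0:
            return True
        exp = self.expected
        ok = ((seq >= exp and seq - exp < 32768)
              or (seq < exp and exp - seq >= 32768))
        if ok:
            # Advance past the accepted packet; 0 is skipped on wrap-around.
            self.expected = 1 if seq == 65535 else seq + 1
        return ok


if __name__ == "__main__":
    short = encapsulate(b"ppp-lcp", seq=1, pad_to=64)   # constructed short frame
    print(decapsulate(short))
    checker = SequenceChecker()
    print([checker.in_order(s) for s in (1, 2, 4, 3, 0, 5)])
```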

ATM IWF
The ATM Inter-Working Function (ATM IWF) provides interoperation function between the ATM link that is accessed through 1483B and the Ethernet link. With the implementation of L2VPN, you can transparently transmit the ATM packets that are accessed through 1483B to the Ethernet link. To keep the access information of ATM (VPI and VCI accessed to a packet), VPI is mapped to be the external VLAN and VCI is mapped to be the internal VLAN. By adding two layers of VLANs to the frame header of the data link layer, the router can transmit the ATM packets with VPI/VCI information to the Ethernet link through the two VLANs. ATM IWF runs on L2VPN and has two implementation methods according to the actual networking: the CCC local connection and PW.
• CCC local connection
  The CCC is implemented between sub-interfaces of ATM and Ethernet on the same router. As shown in Figure 5-33, in the CCC local connection, the NE80E cross transmits the flow that is based on 1483 encapsulation out of the ATM flow accessed from devices like DSLAM to the Ethernet link. VPI is mapped to be the external VLAN, and VCI is mapped to be the internal VLAN. Then, the packets are forwarded from the Ethernet interface to the access device such as BRAS. The BRAS distinguishes different DSLAM users based on the labels on the two-layer of VLAN of a packet.

Figure 5-33 ATM IWF diagram in the CCC local connection (diagram labels: DSLAM, ATM, RouterA, CCC, GE, BRAS)

• PW
  Through the LSP tunnel of L2VPN, layer 2 transparent transmissions of data packets of the ATM link and the Ethernet link can be carried out between peer PE routers. As shown in Figure 5-34, the ATM flow based on 1483B encapsulation can be transparently transmitted to the remote Ethernet link through PW (such as configuring Martini or Kompella L2VPN). In the process, VPI is mapped to be the external VLAN and VCI is mapped to be the internal VLAN. The ATM packets are then transparently transmitted to the remote BRAS. The BRAS distinguishes different DSLAM users based on the labels on the two-layer VLAN of a packet.

Figure 5-34 Diagram of ATM IWF in PW (diagram labels: ATM Switch, ATM, RouterA, PW, RouterB, GE, BRAS)

5.5.4 MPLS/BGP L3VPN


The NE80E implements BGP/MPLS L3VPN, and thus provides carriers with end-to-end VPN solutions. Carriers can provide VPN service for users as a new value-added service. Figure 5-35 shows the application of MPLS/BGP L3VPN that the NE80E supports.

Figure 5-35 MPLS/BGP L3VPN (diagram labels: VPN1 site1 to site3, VPN2 site2 and site3, VPN3 site1 and site2, PE, PE-ASBR, hierarchical PE with UPE and SPE, MP-BGP, MPLS network). Callouts in the figure:
• Support access to MPLS VPN through PPP, HDLC, ATM, Eth/VLAN, and remote dial-in/tunnel access
• Support routing protocols between PEs and CEs, such as static routing, BGP, RIP, OSPF, and ISIS
• Support HoVPN to extend the VPN
• Support inter-AS solutions: VRF-to-VRF, MP-EBGP, MP-Multihop EBGP
• Support MPLS VPN over GRE and MPLS VPN over TE tunnel
• Provide the VPN manager to manage VPNs among devices of different vendors

• As a PE router, it supports access of CE routers through kinds of interfaces such as Ethernet, POS, and VLAN interfaces.
• It supports static routes and dynamic routing protocols such as BGP, RIP, OSPF, and IS-IS, between CE routers and PE routers.
• It supports various inter-AS VPN solutions.

Carrier's Carrier
The customer of the BGP/MPLS IP VPN service provider can serve as a service provider. In this case, the BGP/MPLS IP VPN service provider is called the provider carrier or the level 1 carrier. The customer is called the customer carrier or the level 2 carrier. This networking model is called carrier's carrier. In this model, the level 2 SP serves as a CE router of the level 1 SP. To keep good extensibility, the level 2 carrier adopts the operating mode similar to the stub VPN. That is, the CE router of the level 2 carrier only advertises the routes (internal routes) of the VPN where it resides to the PE router of the level 1 carrier. It does not advertise its customers' routes (external routes). PE routers in the level 2 carrier exchange external routes by using BGP. This can greatly reduce the number of routes maintained by the level 1 carrier network.

Inter-AS VPN
The NE80E supports the following three inter-AS VPN solutions represented in RFC 2547bis:
• VPN instance to VPN instance: ASBRs manage VPN routes in between by using sub-interfaces, which is also called Inter-Provider Backbones Option A.
• EBGP redistribution of labeled VPN-IPv4 routes: ASBRs advertise labeled VPN-IPv4 routes to each other through MP-EBGP, which is also called Inter-Provider Backbones Option B.
• Multihop EBGP redistribution of labeled VPN-IPv4 routes: PE routers advertise labeled VPN-IPv4 routes to each other through Multihop MP-EBGP, which is also called Inter-Provider Backbones Option C.

Multicast VPN
The NE80E supports multicast MPLS/BGP VPN.

IPv6 VPN
The next-generation network protocol IPv6 is an enhancement of IPv4. IPv6 improves the address space, configuration, maintenance, and security and supports access of more users and devices to the Internet. The VPN is an extension of the private network constructed by the shared link or the public network such as the Internet. The VPN enables the computers across two areas of a client to transmit data through the shared link or the public network; thus the function of the P2P private link is realized.

When each site of a VPN supports IPv6, all the sites can be connected to the PE router of the Service Provider (SP) through an interface or sub-interface with the IPv6 address. In this way, the sites are connected to the backbone network of the SP and the VPN is called an IPv6 VPN. Simply speaking, IPv6 VPN indicates that a PE router receives IPv6 packets from a CE router, which is different from the IPv4 VPN.

Currently, the IPv6 VPN services are carried over the IPv4 network of the SP. In this case, the backbone network runs IPv4 while the user sites use IPv6 addresses. PE routers need to support the IPv4/IPv6 dual stack, as shown in Figure 5-36. Any network protocol that bears IPv6 traffic can run between PE routers and CE routers. The PE routers run IPv6 on the interfaces connecting clients and IPv4 on the interfaces connecting the public network.

Figure 5-36 Networking diagram of the IPv6 VPN over the IPv4 backbone network (diagram labels: IPv6 VPN site1, IPv6 VPN site2, CE, PE, P, IPv4 VPN backbone)

The implementation principle of the IPv6 VPN is similar to that of BGP/MPLS IP VPN. The IPv6 VPN advertises VPN-IPv6 routing information through Multiprotocol Extensions for BGP-4 (MP-BGP) on the backbone network. The IPv6 VPN triggers MPLS to allocate labels to identify IPv6 packets, and then transmits data of the private network across the backbone network through LSP, MPLS TE, or GRE tunnels. IPv6 VPN networking schemes that the NE80E supports are:
• Intranet VPN
• Extranet VPN
• Hub&Spoke
• Inter-AS or multi-AS backbones VPN
• Carriers' carrier

HoVPN
In BGP/MPLS VPN solutions, the key device, PE router, functions in the following aspects:
• Provides access functions for users. To do this, a PE router needs a great number of interfaces.
• Manages and advertises VPN routes and processes user packets. Therefore, a PE router needs large-capacity memory and high forwarding capability.

This will make the PE router become a bottleneck. To solve this problem, Huawei initiates the Hierarchy of VPN (HoVPN) solution. In HoVPN, the functions of a PE router are distributed to multiple devices. Acting in different roles in a hierarchical architecture, the routers together fulfill the functions of a centralized PE router.

The basic architecture of HoVPN is shown in Figure 5-37. The device that is directly connected with users is called Underlayer PE or User-end PE (hereafter referred to as UPE). The device which is connected with UPE in the internal network is called Superstratum PE or Service Provider-end PE (hereafter referred to as SPE). Multiple UPEs and the SPE form the hierarchical PE, functioning together as a traditional PE router.

Figure 5-37 Basic architecture of HoVPN (diagram labels: VPN1 site, VPN2 site, UPE1, UPE2, SPE, HoVPN, PE, MPLS network)

In the networking of HoVPN, functions of PE routers are implemented hierarchically. Therefore, the solution is also called Hierarchy of PE (HoPE).

The UPE and SPE provide the following functions:


- The UPE implements user access. It maintains the routes of VPN sites that are directly connected with it. It does not maintain the routes of other remote sites in the VPN, or maintains only their summary routes. The UPE assigns inner-layer labels to the routes of the directly connected sites, and advertises the labels to the SPE through VPN routes with MP-BGP.
- The SPE manages and advertises VPN routes. It maintains the routes of all the VPNs that are connected through UPEs, including the routes of local and remote sites. The SPE does not advertise routes of remote sites to UPEs. It advertises only the default routes of VPN-instances or summary routes, with the label, to UPEs.

Different roles result in different requirements for the SPE and UPE:
- SPE: large capacity of routing table, high forwarding performance, few interface resources
- UPE: small capacity of routing table, low forwarding performance, high access capacity

The HoVPN takes advantage of the performance of SPEs and access capability of UPEs.


From the outside, the HoPE looks the same as a traditional PE. It can exist together with common PEs in an MPLS network. HoVPN supports the embedding of HoPE:
- A HoPE can act as a UPE, and compose a new HoPE with another SPE.
- A HoPE can act as an SPE, and compose a new HoPE with multiple UPEs.
- Multiple embedding processes are supported.

In theory, the embedding of HoPE can extend a VPN network without limit.

RRVPN
Resource Reserved VPN (RRVPN) is a tunnel-multiplexing technology. It can provide end-to-end QoS guarantee for VPN users. To reserve and isolate resources for a VPN, RSVP-TE tunnels must be used. In the implementation, different VPNs use different tunnels, but the resources of tunnels that depend on the same tunnel interface are isolated and reserved. Note that the total bandwidth of the tunnels must not exceed the total bandwidth reserved for the physical link.

Multi-role Hosts
In a BGP/MPLS IP VPN, the VPN attributes of the packets received by PEs from CEs are decided by the VPN instance of the incoming interfaces on the PEs. Thus, all the packets that are forwarded by the same PE interface belong to the same VPN.

In practice, however, a server or terminal is generally required to access multiple VPNs. For example, a server in a financial system in VPN 1 and a server in an accounting system in VPN 2 need to communicate. The server is called a multi-role host. In a multi-role host model, only the multi-role host can access multiple VPNs; the non-multi-role hosts can access only the VPN to which the hosts belong.

The implementation principle of a multi-role host is simple. A multi-role host generally fulfils the following functions:
- Ensures the data stream of the multi-role host can reach the destination VPN network.
- Ensures the data stream from the destination VPN network can reach the multi-role host.

As shown in Figure 5-38, the VPN to which the multi-role host PC belongs is VPN1. If the VPN1 routes and VPN2 routes on PE1 do not import each other, the PC can access only VPN1 and not VPN2. The data stream from the PC to VPN2 can be forwarded only by searching the VPN1 routing table of PE1. If the destination address of a packet does not exist in the VPN1 routing table, PE1 discards the packet.

To ensure that the data stream of the PC can reach VPN2, configure policy-based routing (PBR) on the PE1 interfaces through which CE1 accesses PE1. After the configuration, if the destination address of a packet from CE1 does not exist in the VPN1 routing table, the VPN2 routing table is searched. The PBR here is generally based on IP addresses and can guide data streams to access different VPNs.


Figure 5-38 Implementation of a multi-role host
[Diagram labels: PC, VPN1, CE1, PE1, Policy-Based Routing, Static-Route, Backbone, PE2, CE2, PE3, CE3, VPN2]

To ensure that the data streams from the destination VPN network can return to the PC, PE1 must be able to find a route to the PC for the data streams from VPN2, although that route belongs to VPN1. This is implemented by injecting a static route to the PC into the VPN2 routing table on PE1. The outgoing interface of the static route is the PE1 interface that connects CE1.

The functions of a multi-role host are realized mainly on the PE that the CE accesses. (The multi-role host accesses the CE.)
- Through the PBR on a PE, the data streams from the same VPN can be transmitted by searching routing tables of different VPNs at the same time.
- Static routes are installed to the routing table of the destination VPN on the PE. The outgoing interfaces of the static routes are the interfaces that connect the multi-role host and the VPN.

Note that the IP addresses of the VPN where a multi-role host resides and the VPN that the host accesses cannot be the same.
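The lookup behaviour described above can be modelled in a few lines. This is an added example, not Huawei code or NE80E configuration: the class, the interface name `to-CE1`, all prefixes, and the assignment of PE2 to VPN1 and PE3 to VPN2 are assumptions made for illustration. It shows that only the source named in the PBR rule gets the second table lookup, that return traffic depends on the static route in VPN2, and how to check the two address spaces for overlap.

```python
import ipaddress


class PE:
    """Minimal model of PE1: per-VPN routing tables plus interface-level PBR."""

    def __init__(self):
        self.vrf = {}      # VPN instance name -> {prefix: next hop}
        self.if_vpn = {}   # incoming interface -> VPN instance bound to it
        self.pbr = {}      # incoming interface -> [(source prefix, fallback VPN)]

    def add_route(self, vpn, prefix, next_hop):
        self.vrf.setdefault(vpn, {})[ipaddress.ip_network(prefix)] = next_hop

    def add_pbr(self, in_if, src_prefix, fallback_vpn):
        self.pbr.setdefault(in_if, []).append(
            (ipaddress.ip_network(src_prefix), fallback_vpn))

    def lookup(self, vpn, dst):
        """Longest-prefix match in one VPN routing table; None when no route."""
        dst = ipaddress.ip_address(dst)
        hits = [p for p in self.vrf.get(vpn, {}) if dst in p]
        if not hits:
            return None
        return self.vrf[vpn][max(hits, key=lambda p: p.prefixlen)]

    def forward_from_ce(self, in_if, src, dst):
        """Return (VPN table used, next hop), or None if PE1 discards the packet."""
        vpn = self.if_vpn[in_if]
        hop = self.lookup(vpn, dst)
        if hop is not None:
            return vpn, hop
        # No route in the interface's own VPN: PBR allows a second table,
        # but only for sources the policy names (the multi-role host).
        src = ipaddress.ip_address(src)
        for src_prefix, fallback in self.pbr.get(in_if, []):
            if src in src_prefix:
                hop = self.lookup(fallback, dst)
                if hop is not None:
                    return fallback, hop
        return None


def overlapping(prefixes_a, prefixes_b):
    """Overlapping prefix pairs; the two VPNs' address spaces must not overlap."""
    nets_a = [ipaddress.ip_network(p) for p in prefixes_a]
    nets_b = [ipaddress.ip_network(p) for p in prefixes_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def build_pe1():
    """Constructed addressing: PC is 10.1.1.10, VPN1 is 10.1.0.0/16 space, VPN2 is 10.2.0.0/16."""
    pe1 = PE()
    pe1.if_vpn["to-CE1"] = "VPN1"
    pe1.add_route("VPN1", "10.1.1.0/24", "if:to-CE1")   # local VPN1 site behind CE1
    pe1.add_route("VPN1", "10.1.2.0/24", "PE2")         # remote VPN1 site (assumed)
    pe1.add_route("VPN2", "10.2.0.0/16", "PE3")         # remote VPN2 site (assumed)
    pe1.add_pbr("to-CE1", "10.1.1.10/32", "VPN2")       # PBR for the multi-role host only
    pe1.add_route("VPN2", "10.1.1.10/32", "if:to-CE1")  # static return route to the PC
    return pe1


if __name__ == "__main__":
    pe1 = build_pe1()
    print("PC -> VPN2:        ", pe1.forward_from_ce("to-CE1", "10.1.1.10", "10.2.3.4"))
    print("other host -> VPN2:", pe1.forward_from_ce("to-CE1", "10.1.1.20", "10.2.3.4"))
    print("VPN2 -> PC:        ", pe1.lookup("VPN2", "10.1.1.10"))
    print("VPN2 -> other host:", pe1.lookup("VPN2", "10.1.1.20"))
```

Because the interface's own VPN table is always searched first, a destination prefix that exists in both VPNs would never reach the fallback table, which is why the address spaces have to differ.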

5.5.5 L2VPN Access to the L3VPN


At the border between the traditional access network and the bearer network, one UPE and one NPE are required to work together to realize the access.
- The UPE terminates and accesses the L2VPN (VLL and VPLS).
- The NPE terminates and accesses the L3VPN.


Figure 5-39 Traditional access network
[Diagram labels: User switch, DSLAM, UPE, NPE, MPLS L2VPN, MPLS L3VPN. Annotations: users access the L2VPN through ACs; the UPE accesses the L2VPN and sets up the L2VPN tunnel; the UPE terminates the L2VPN and accesses the L3VPN; the UPE and the NPE run as the CE for each other; the NPE accesses the L3VPN and sets up the L3VPN tunnel. Legend: AC for user access, L2VPN tunnel, L3VPN tunnel, users access the L3VPN through the L2VPN.]

MPLS is widely applied on the access network of the ISP because it features high reliability and security and sound IP-based operating and maintenance capabilities, and supports QoS. MPLS L2VPN provides MPLS-based VPN services and transparently transmits Layer 2 data of users on the MPLS network. It thus provides a channelized path for user services and reduces the LSPs maintained by transit nodes.

MPLS L3VPN is a common service provided by the ISP over the bearer network. MPLS L2VPN tunnels enable users to access the MPLS L3VPN of the bearer network. Low-end devices such as CXs can be used at the access side of the user. In this manner, networking cost is reduced and secure and stable MPLS L3VPN services are provided for users.

To access L3VPN services through MPLS L2VPN tunnels, two devices, a PE-AGG and an NPE, need to be deployed at the border between the access network and the bearer network. The PE-AGG is used to terminate the L2VPN and the NPE is used to terminate the L3VPN. The PE-AGG and the NPE run as the CE router for each other. In this case, if an NPE combines the capability of the PE-AGG, networking cost can be saved and networking is simplified.

The VE interface, which is supported by the NE80E to access multiple services, can be bound to the L2VPN and L3VPN at the same time. That is, the VE interface can access and terminate the L2VPN and L3VPN. In this manner, the NE80E can run as the NPE and PE-AGG at the same time.


Figure 5-40 L2VPN access to the L3VPN
[Diagram labels: User switch, DSLAM, UPE, UNPE, L2VPN, MPLS L3VPN. Annotations: users access the L2VPN through the AC; the UPE accesses the L2VPN and sets up the L2VPN tunnel; the UNPE terminates the L2VPN, accesses the L3VPN, and sets up the L2VPN and L3VPN tunnels. Legend: AC for user access, L2VPN tunnel, L3VPN tunnel, users access the L3VPN through the L2VPN.]

5.5.6 VPN QoS


The ISP provides L2VPN or L3VPN access services for a VPN user and signs the SLA with the user. The SLA includes the following:
- Total bandwidth used by the user to access the MPLS VPN
- Priority level of the user service in the MPLS network

The preceding two points determine the volume of user traffic that can access the ISP network. Once the user has access to the ISP network, the remaining question is the type of QoS to be provided for the user:
- The bandwidth for the user traffic to a specified peer PE router is guaranteed.
- Types of services to a specific peer PE router, such as voice, video, important data, and common network services, require guaranteed bandwidth and delay.

VPN QoS provides a relatively complete L2VPN or L3VPN QoS solution. It uses various QoS techniques to meet the diversified and fine-grained QoS demands of VPN users. VPN QoS provides QoS in the MPLS DiffServ network and end-to-end QoS in the MPLS TE network. In the application, you can select the QoS policy as required.

L3VPN with QPPB


QoS Policy Propagation Through the Border Gateway Protocol (QPPB) propagates the QoS policy through BGP. The receiver of BGP routes can do as follows:



- Sets QoS parameters for BGP routes based on the attributes of BGP routes.
- Classifies traffic by matching QoS parameters and sets the QoS policy for the classified traffic.
- Forwards packets in accordance with the locally-set QoS policy to propagate the QoS policy through BGP.

In an L3VPN, you can set the QPPB policy for private routes to classify L3VPN traffic, re-mark the traffic class, and limit the traffic volume.

L2VPN/L3VPN with MPLS DiffServ


In this case, VPN QoS has the following functions:
- On the ingress PE router, VPN QoS classifies VPN traffic according to simple traffic classification or complex traffic classification. The classified traffic is limited, re-marked, and scheduled based on the priority level. Traffic classification and scheduling support uniform and pipe/short pipe modes.
- On the P router, VPN QoS performs differentiated queue scheduling according to the MPLS EXP field.
- On the egress PE router, VPN QoS performs differentiated queue scheduling based on the EXP field and limits and shapes traffic on the outbound interface.

This scheme has an inherent defect: the transit nodes perform the QoS action only according to the predefined PHB. The scheme therefore can neither guarantee end-to-end QoS nor eradicate network congestion.

L2VPN/L3VPN with MPLS TE


The characteristic of this scheme is that the P and PE routers on the MPLS network reserve bandwidth through the TE signaling protocol. In this manner, the network is free from blocking, providing end-to-end bandwidth guarantee. But the P routers do not differentiate service types inside the tunnel and uniformly process the packets of various types. QoS mapping between MPLS packets and IP packets or Layer 2 packets on the PE router supports the pipe/short pipe model.

In this scheme, the ingress PE router binds the VPN to the TE tunnel.
- At the network side, the PE router performs queue scheduling based on VPNs, ensures the bandwidth of VPN services to access the TE tunnel, and guarantees the total bandwidth of the TE tunnel.
- The P router guarantees the bandwidth of the TE tunnel.

The ingress nodes do not differentiate priority levels of services inside the TE tunnel. Therefore, services of various priority levels need to be allocated to different VPNs in the network planning.


Figure 5-41 L2VPN/L3VPN with MPLS TE
[Diagram labels: Backbone network, PE1, PE2, PE3, VPNA site 1, VPNA site 2, VPNA site 3. Annotation: only one type of services in VPNA.]

L2VPN/L3VPN with MPLS DS-TE


The characteristic of this scheme is that the P router and PE routers on the MPLS network reserve bandwidth through the DS-TE signaling protocol for various types of services. In this manner, the network is free from blocking, providing end-to-end bandwidth guarantee. Besides, services inside the tunnel are differentiated. In this scheme, the ingress PE router binds the VPN to the DS-TE tunnel. At the network side, the PE router schedules queues based on VPNs, ensures the bandwidth of the VPN services to access the DS-TE tunnel, and guarantees the total bandwidth of the DS-TE tunnel. The P router guarantees the bandwidth of the DS-TE tunnel.


Figure 5-42 L2VPN/L3VPN with MPLS DS-TE
[Diagram labels: Backbone network, PE1, PE2, PE3, VPNA site 1, VPNA site 2, VPNA site 3. Annotation: VPNA carries three types of services, ensuring the QoS for each service in the same VPN.]

5.6 IPTN Features


Providing services with end-to-end QoS guarantee on the IP bearer network has become an urgent demand. Therefore, the current Internet needs to be upgraded in order to provide better data services. To meet this demand, Huawei puts forward the IP telecommunication network (IPTN) solution.

The IPTN solution aims to provide end-to-end QoS on the current IP network. In this solution, a bearer control layer is introduced between the service control layer and the bearer layer. Resources are applied for before they are used, kept while they are in use, and released after use, which improves the transmission efficiency of the bearer network. Based on IP networks, IPTN can guarantee end-to-end QoS, decrease the investment of carriers, and add value for them.

The main characteristics of IPTN include:
- It can coexist with the current IP network and does not affect traditional services that have no QoS guarantee.
- It can bear traditional telecommunication services and support more types of services.
- It applies for resources before the connection is set up, guarantees the quality of service during the connection, and releases the resources after the connection is disconnected.
- Its network structure consists of three layers: logical bearer layer, bearer control layer, and service control layer.
- Its bearer layer is based on MPLS, which enables the resource of IPTN services to be separated from that of IP services.


Figure 5-43 shows the basic structure of IPTN.

Figure 5-43 Basic structure of IPTN
[Diagram labels. Service control layer: Soft Switch, VOD server, MCU. Bearer control layer: RM1, RM2, RM3. Logical bearer network: MA1, MA2, MA3. Basic physical network: MA1, MA2, MA3.]
MA: Management Area
RM: Resource Manager

The basic structure of IPTN consists of the following three layers:


- Service control layer: It consists of the service control platforms that are used to process service requests of users. According to user requests, it decides the parameters required for the service and generates QoS requests to apply for the service path from the bearer control layer. The service control platform can be the Soft Switch, the VOD controller, or the MCU control platform for video conference. It may be provided by the carriers or the ICP or ISP customer of a carrier. The service control platform varies with services, but different service control platforms use the same message format to connect the bearer control layer.
- Bearer control layer: It manages the network topology and resources in an area through a resource manager (RM). When the RM receives a resource request from a service server, it decides whether to accept the request according to the network topology and usage of resources of the area. It also manages and maintains the network topology and resources of the logical bearer layer. At the same time, it sets up end-to-end bearer paths for received QoS requests from the service control layer. In the IP backbone network, the bearer paths are indicated by MPLS label stacks.



- Basic network layer: also called bearer layer. It consists of the logical bearer network and the basic physical network. It is composed of routers that forward data. It keeps the structure and the underlying physical layer of the current networks but is divided into two logical bearer layers: IPTN and Internet. IPTN is used to bear carrier-class services with end-to-end QoS; Internet is used to bear traditional Internet services.

5.7 QoS Features


The NE80E provides the QoS features of integrated services including real-time services. In particular, the NE80E supports DiffServ as follows:
- Traffic classification
- Traffic policing
- Traffic shaping
- Queue management and queue scheduling

The NE80E can implement all six groups of PHB: EF, AF1 to AF4, and BE. With the NE80E, network operators can provide users with differentiated QoS guarantee, and make the Internet an integrated network that can carry data, voice, and video services simultaneously. Figure 5-44 shows the hierarchical QoS of the NE80E.

Figure 5-44 Multi-level scheduling of QoS
[Diagram labels. Inbound interface: receive packets; classify and mark packets; policy traffic detection (CAR); congestion avoidance (RED, WRED, SARED); priority scheduling (PQ, CQ, WFQ). Switching: VOQ switch (prevent the head packet from blocking), multicast switch. Outbound interface: mark packets according to the class; congestion avoidance detection (RED, WRED, SARED); priority scheduling and traffic scheduling/shaping (LLS, NLS, PQ, PBS, CBWFQ); forward packets. Levels L1 to L4 are marked on both the inbound and the outbound side.]


The following describes the QoS features of the NE80E.

5.7.1 DiffServ Model


After entering a network, service traffic is classified, regulated, and distributed to different behavior aggregates (BAs). A BA is identified by a DSCP code. At the core of the network, the packets are forwarded in accordance with the per-hop behavior (PHB) identified by the DSCP code. The advantage of DiffServ is that many service flows converge at a BA and are forwarded according to the same PHB on the router. In this way, the service processing and storage are simplified. In the DiffServ core network, packet-based QoS does not involve signaling processing.

5.7.2 Traffic Classification


Traffic classification refers to classifying traffic on the basis of a certain rule and associating a certain behavior with the traffic of the same type to constitute a policy. Traffic policing, traffic shaping, and congestion avoidance based on classes are carried out after traffic classification. If no QoS guarantee or traffic classification is required, or there are no rules to match packets after traffic classification, the device processes the packets with the Best-Effort (BE) service.

The NE80E supports simple and complex traffic classifications. Complex traffic classification is usually configured on the router at the network edge; simple traffic classification is configured on the core router.

Simple Traffic Classification


Simple traffic classification means dividing packets into several priorities or service classes according to the IP precedence of IP packets, the EXP field of MPLS packets, or the 802.1p field of VLAN packets. A traffic policy based on simple traffic classification is used to map the priority of traffic on one type of network to another type. That is, the traffic is transmitted in the other network according to its previous priority. In this way, the mapping between the external precedence and the internal precedence is carried out.

Currently the NE40E supports traffic classification on:
- Physical interfaces and sub-interfaces
- Logical interfaces including VLANIF, RINGIF, and trunk interfaces

Complex Traffic Classification


Complex traffic classification means classifying packets based on the quintuple (source IP address, destination IP address, source port number, destination port number, and protocol type). It is usually applied at the edge of the network and must be associated with specific traffic control or resource allocation actions. It is used to provide differentiated services. Currently, the NE80E supports:



- Classifications based on the source MAC address prefix, the destination MAC address prefix, the protocol number carried over the link layer, and the precedence of the packet with tag
- Classifications based on the IP precedence/DSCP/ToS value of the IPv4 packet, the source IP address prefix, the destination IP address prefix, the protocol number carried over the IP packet, the fragmentation tag, the TCP SYN flag, the TCP/UDP source port number or range, and the TCP/UDP destination port number or range

The NE80E supports complex traffic classification on:


- Physical interfaces
- Logical interfaces including sub-interfaces, ring-if and trunk interfaces

5.7.3 Traffic Policing


In traffic policing, the committed access rate (CAR) is used to control traffic. Packets are classified according to a preset matching rule. If they conform to the rule, the packets are forwarded by the router. If they exceed the limit specified by the rule, the packets are either discarded or re-sent after their precedence is re-marked. To control traffic, the token bucket (TB) is introduced to the CAR technology. Figure 5-45 shows the procedure of traffic policing with CAR.

Figure 5-45 Flowchart of traffic policing with CAR
[Diagram labels: incoming packets, classifying, token bucket, tokens (filling the bucket with tokens at a specified rate), passed, outgoing packets, dropped]

The tokens are put into the TB at the rate preset by the user. The capacity of the TB is also preset by users. When the number of tokens reaches the capacity of the TB, the number does not increase any more.

On arrival, the packets are classified according to information such as the IP precedence, source address, or destination address. The packets that conform to the preset feature go into the TB for further processing. If the TB has enough tokens for sending packets, the packets are forwarded. Meanwhile, the number of tokens is reduced by the packet length. If the TB contains insufficient tokens or is empty, the packets that are not assigned tokens or not assigned enough tokens are discarded; or the IP precedence, DSCP, or EXP value is re-marked and the packets are re-sent. At this time, the number of tokens in the TB remains unchanged.


The preceding process shows that the CAR technology enables a router to control traffic, and to mark or re-mark packets.

Limiting the traffic rate is the main function of CAR. With the CAR technology, a TB is used to measure the data traffic that flows through the interfaces of a router so that in the specified time only the packets that are assigned tokens go through the router. In this way, the traffic rate is limited. CAR limits the maximum traffic rates of both incoming packets at the ingress and outgoing packets at the egress. Meanwhile, the rate of certain types of traffic can be controlled according to characteristics such as the IP address, port number, and precedence. The traffic not conforming to the preset conditions is not limited in rate; such traffic is forwarded at the original rate.

The CAR technology is used at the network edge to ensure that the core device can process data normally.
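The token-bucket procedure described in this section, written out as an added example (not NE80E code): matched packets consume tokens equal to their length, non-conforming packets are either dropped or re-marked while the token count stays unchanged, and unmatched traffic is not rate limited. The class, the source-prefix matching rule, the rate, the bucket size and the packet list are constructed for illustration, and the bucket is assumed to start full.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    t_ms: int         # arrival time in milliseconds
    src: str          # source IP address
    length: int       # packet length in bytes
    precedence: int   # IP precedence carried by the packet


class CarPolicer:
    """Single token bucket. Tokens are kept in milli-bytes so refills stay exact integers."""

    def __init__(self, rate_bytes_per_s, capacity_bytes, match,
                 exceed_action="drop", remark_precedence=0):
        self.rate = rate_bytes_per_s
        self.capacity = capacity_bytes * 1000
        self.tokens = self.capacity          # assumption: the bucket starts full
        self.last_ms = 0
        self.match = match                   # classification rule for limited traffic
        self.exceed_action = exceed_action   # "drop" or "remark"
        self.remark_precedence = remark_precedence

    def _refill(self, now_ms):
        # bytes/s * ms = milli-bytes; the count never grows past the bucket capacity
        self.tokens = min(self.capacity,
                          self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms

    def police(self, pkt):
        """Return (action, precedence on the wire) for one packet."""
        if not self.match(pkt):
            return ("forward", pkt.precedence)   # not matched: not rate limited
        self._refill(pkt.t_ms)
        cost = pkt.length * 1000
        if self.tokens >= cost:
            self.tokens -= cost                  # reduced by the packet length
            return ("forward", pkt.precedence)
        # Not enough tokens: the token count stays unchanged in both outcomes.
        if self.exceed_action == "remark":
            return ("forward", self.remark_precedence)
        return ("drop", None)


LIMITED = ipaddress.ip_network("192.0.2.0/24")   # constructed matching rule


def from_limited_prefix(pkt):
    return ipaddress.ip_address(pkt.src) in LIMITED


# Constructed traffic: four packets from the limited prefix, one from elsewhere.
TRAFFIC = [
    Packet(0, "192.0.2.10", 1000, 5),
    Packet(100, "192.0.2.10", 1000, 5),     # arrives before the bucket has refilled
    Packet(500, "192.0.2.10", 1000, 5),
    Packet(600, "198.51.100.7", 1500, 3),   # does not match the rule
    Packet(3000, "192.0.2.10", 1500, 5),    # long idle time: refill is capped
]


def run(exceed_action):
    """Police TRAFFIC at 1000 bytes/s with a 1500-byte bucket."""
    policer = CarPolicer(1000, 1500, from_limited_prefix, exceed_action)
    results = [policer.police(p) for p in TRAFFIC]
    return results, policer.tokens // 1000


if __name__ == "__main__":
    for action in ("drop", "remark"):
        print(action, run(action))
```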

5.7.4 Queue Scheduling


In computerized data communications, communication channels are shared by many computers. In addition, the bandwidth of a WAN is usually less than that of a Local Area Network (LAN). As a result, when a computer in one LAN sends data to a computer in another LAN, data cannot be transmitted over a WAN as fast as over a LAN because the WAN bottlenecks the data transmission. At this time, some packets cannot be sent by the router between the LAN and the WAN, that is, the network is congested. As shown in Figure 5-46, when LAN 1 sends packets to LAN 2 at the rate of 10 Mbit/s, traffic congestion occurs on the interface Serial 1 of Router 1.

Figure 5-46 Network congestion
[Diagram labels: LAN 1 (PC1, Server1), Ethernet 10 Mbit/s, Router1, Serial 1, 2 Mbit/s, Frame Relay/X.25/DDN, Router2, Serial 1, Ethernet 10 Mbit/s, LAN 2 (PC2, Server2)]

Congestion management provides means to manage and control traffic when traffic congestion occurs. The queue scheduling technology is used to handle traffic congestion. Packets sent from one interface are placed into many queues which are identified with different priorities. Packets are then sent according to the priorities. A proper queue scheduling mechanism can provide packets of different types with reasonable QoS features such as the bandwidth, latency, and jitter. The queue here refers to the outgoing packet queue. Packets are buffered into queues before the interface is able to send them. Therefore, the queue scheduling mechanism works only when an outbound interface is congested. The queue scheduling mechanism can re-arrange the order of packets except those in First In First Out (FIFO) queues.

Commonly used queue scheduling mechanisms are:
- FIFO
- PQ
- Custom Queuing (CQ)
- WFQ
- Class-based WFQ (CBWFQ)

The NE80E supports FIFO, PQ, and WFQ to realize the queue scheduling on the interface.

5.7.5 Congestion Management


The NE80E adopts the Weighted Random Early Detection (WRED) congestion control mechanism.
- The congestion control mechanism can be configured on each port based on the priority of the queue.
- The NE80E uses a microsecond-level timer to trace the occupation of the shared memory with the first-order weighted iteration method. Consequently, the NE80E can sense the congestion in a timely manner and avoid network flapping.
- It drops the packets of different drop preferences at different probabilities within the same traffic stream. This can effectively avoid and control network congestion.

5.7.6 Traffic Shaping


When network congestion occurs, traffic policing (CAR technology) is used to control the traffic features of the packets and restrain the traffic, so that the packets that do not conform to the traffic features are dropped. Sometimes, to reduce packet loss, the packets that do not conform to the traffic specifications are cached and then sent at a uniform rate under the control of the token bucket. This is traffic shaping. Traffic shaping both reduces packet loss and satisfies the traffic features of the packets.

A typical application of traffic shaping is to control the flow and burst of outgoing traffic based on the network connection. Thus, the packets can be sent at a uniform rate. Traffic shaping adopts Generic Traffic Shaping (GTS) to shape the traffic that is irregular or does not conform to the preset traffic features, which makes it easier to match bandwidth between the upstream and the downstream of the network.

5.7.7 HQoS
Hierarchical QoS (HQoS) is a kind of QoS technology that can control user traffic and schedule service queues according to the priority level. The HQoS of the NE80E has the following functions:



- The system provides abundant services with the five-level QoS scheduling mechanism.
- The system supports PQ and Confirmed Bandwidth Priority Queue (CBPQ). PQ is based on the absolute priority level. After you configure PQ, once the network is congested, the packets with the highest priority level are permitted and the packets with low priority levels are discarded. With PQ, bandwidth cannot be configured for packets of all priority levels. CBPQ is based on bandwidth guarantee. CBPQ makes full use of bandwidth resources while guaranteeing bandwidth.
- The system supports the configuration of the parameters of a queue, such as the maximum queue length, WRED, low delay, SP/WRR weight, committed burst size (CBS), PBS, and statistics enabling.
- The system supports the configuration of parameters such as the CIR, PIR, number of queues, and scheduling algorithms between queues for each user.
- The system supports traffic statistics. It enables carriers to view the status of bandwidth use of each service. The users can thus analyze traffic and properly allocate bandwidth for services.
- The system supports the HQoS of VPLS, L3VPN, VLL, and TE.

5.7.8 QPPB
QoS policy propagation through the Border Gateway Protocol (QPPB) is a kind of technology to propagate the QoS policy through BGP. On the BGP receiver, you can:
- Set QoS parameters for BGP routes, such as IP precedence and traffic behavior, based on the attributes of the route.
- Set the receiver to classify traffic based on QoS parameters, and set a QoS policy for the classified traffic.
- Set the receiver to forward packets based on the QoS policy to realize QPPB.

On the BGP receiver, you can set QoS parameters, such as IP precedence and traffic behavior, according to the following attributes of BGP routes:
- ACL
- AS path list
- Community attribute list
- Route cost
- Address prefix list


Figure 5-47 QPPB
[Diagram labels: NE80E-B (AS200) advertises routing information; NE80E-A (AS100) has a QoS policy configured; packets are filtered by the QoS policy]

In the complex network environment, the policy for route classification needs to be changed from time to time. QPPB can simplify the change of the policy on the BGP receiver. Using QPPB, you can change the routing policy on the BGP receiver by changing that on the BGP sender.
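The QPPB steps listed in this section and under "L3VPN with QPPB" can be followed in a small model. This is an added example, not NE80E code: the class, the community values, the behavior names and the prefixes are constructed, and of the route attributes listed above only the community attribute is modelled. It shows the receiver deriving QoS parameters from a route attribute, classifying packets by their best route, and the classification changing when the sender re-advertises the route with a different attribute while the receiver's policy stays the same.

```python
import ipaddress

BEST_EFFORT = {"precedence": 0, "behavior": "best-effort"}

# Receiver-side policy (constructed): community attribute -> QoS parameters.
RECEIVER_POLICY = {
    "200:10": {"precedence": 5, "behavior": "priority-queue"},
    "200:20": {"precedence": 1, "behavior": "rate-limited"},
}


class QppbReceiver:
    def __init__(self, community_policy):
        self.community_policy = community_policy
        self.routes = {}   # prefix -> QoS parameters attached to the route

    def receive_route(self, prefix, communities):
        """Set QoS parameters for a BGP route based on its community attribute."""
        qos = BEST_EFFORT   # attributes the policy does not name have no effect
        for community in communities:
            if community in self.community_policy:
                qos = self.community_policy[community]
                break
        self.routes[ipaddress.ip_network(prefix)] = qos

    def classify(self, dst):
        """Classify a packet by the QoS parameters of its longest-match route."""
        dst = ipaddress.ip_address(dst)
        hits = [p for p in self.routes if dst in p]
        if not hits:
            return None     # no route to the destination
        return self.routes[max(hits, key=lambda p: p.prefixlen)]


def demo():
    receiver = QppbReceiver(RECEIVER_POLICY)
    # The sender advertises two prefixes; the second carries an unlisted community.
    receiver.receive_route("203.0.113.0/24", ["200:10"])
    receiver.receive_route("198.51.100.0/24", ["200:99"])
    before = receiver.classify("203.0.113.7")["behavior"]
    unlisted = receiver.classify("198.51.100.9")["behavior"]
    # The sender changes its policy and re-advertises; the receiver is untouched.
    receiver.receive_route("203.0.113.0/24", ["200:20"])
    after = receiver.classify("203.0.113.7")["behavior"]
    return before, unlisted, after


if __name__ == "__main__":
    print(demo())
```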

5.7.9 Ethernet QoS


L2 Simple Traffic Classification
The NE80E supports simple traffic classification in accordance with the 802.1p value in VLAN packets. On the ingress PE router, the 802.1p value in a Layer 2 packet can be mapped to the precedence field of the upper layer protocol such as the IP DSCP value or the MPLS EXP value. In this manner, the DiffServ is provided for the packet in the backbone network. On the egress PE router, the precedence field of the upper layer protocol is mapped back to the 802.1p value to keep the original Ethernet precedence.

QinQ Simple Traffic Classification


After QinQ encapsulation, the 802.1p value in the inner VLAN tag cannot be sensed. Therefore, services cannot be differentiated according to the priority. In the process of QinQ implementation, the 802.1p value in the inner VLAN tag needs to be sensed. You can set rules to sense the 802.1p value through commands as follows:
- Ignore the 802.1p value in the inner VLAN tag and set a new 802.1p value in the outer VLAN tag.
- Automatically set the 802.1p value in the inner VLAN tag as the 802.1p value in the outer VLAN tag.
- Set the 802.1p value in the outer VLAN tag according to the 802.1p value in the inner VLAN tag.

As shown in Figure 5-48, QinQ supports 802.1p remark in the following three modes:
- Set a value (Pipe mode).
- Use the 802.1p value in the inner VLAN tag (Uniform mode).
- Map the 802.1p value in the inner VLAN tag to a value in the outer VLAN tag. The values in multiple inner VLAN tags can be mapped to the same value in the outer VLAN tags. The value in an inner VLAN tag cannot be mapped to different values in multiple outer VLAN tags.

Figure 5-48 Typical networking diagram of 802.1p Remark supported by QinQ
[Figure: CE and PE devices at the edge of the ISP network; QinQ supports 802.1p remark.]
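The three remark modes can be shown on a real frame layout. The following Python sketch is an added example, not Huawei code: it pushes an outer tag onto a constructed single-tagged frame and sets the outer 802.1p value per mode. The function names, the 0x88A8 outer TPID, and the choice to copy unmapped values in map mode are assumptions.

```python
import struct

TPID_CVLAN = 0x8100  # inner (customer) tag
TPID_SVLAN = 0x88A8  # outer (service) tag; assumed here, 0x8100 is also seen in practice


def pcp_at(frame: bytes, offset: int = 12) -> int:
    """Return the 802.1p value (top 3 bits of the TCI) of the VLAN tag at offset."""
    tpid, tci = struct.unpack_from("!HH", frame, offset)
    if tpid not in (TPID_CVLAN, TPID_SVLAN):
        raise ValueError("no VLAN tag at offset %d" % offset)
    return tci >> 13


def build_map(pairs):
    """Build the inner->outer table: many-to-one is allowed, one-to-many is rejected."""
    table = {}
    for inner, outer in pairs:
        if not (0 <= inner <= 7 and 0 <= outer <= 7):
            raise ValueError("802.1p values are 0..7")
        if table.setdefault(inner, outer) != outer:
            raise ValueError("inner value %d mapped to two outer values" % inner)
    return table


def push_outer_tag(frame: bytes, svlan: int, mode: str, value: int = 0, table=None) -> bytes:
    """Add the outer VLAN tag and set its 802.1p value according to the remark mode."""
    inner = pcp_at(frame)
    if mode == "pipe":        # ignore the inner value, set a configured one
        if not 0 <= value <= 7:
            raise ValueError("802.1p values are 0..7")
        outer = value
    elif mode == "uniform":   # copy the inner value
        outer = inner
    elif mode == "map":       # translate through the table
        outer = (table or {}).get(inner, inner)  # unmapped values are copied (assumption)
    else:
        raise ValueError("unknown mode: " + mode)
    tci = (outer << 13) | (svlan & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_SVLAN, tci) + frame[12:]


# Constructed sample: customer frame in VLAN 100 with 802.1p value 5.
CUSTOMER_FRAME = (
    bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
    + struct.pack("!HH", TPID_CVLAN, (5 << 13) | 100)
    + struct.pack("!H", 0x0800) + b"payload"
)

if __name__ == "__main__":
    table = build_map([(5, 2), (6, 2)])
    for mode in ("pipe", "uniform", "map"):
        tagged = push_outer_tag(CUSTOMER_FRAME, 2000, mode, value=3, table=table)
        print(mode, "outer:", pcp_at(tagged), "inner:", pcp_at(tagged, 16))
```

The inner tag is never rewritten, so the customer's original precedence survives the provider network in all three modes.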

5.7.10 ATM QoS


At the edge of the ATM network, the router is responsible for access to the IP network. Data is encapsulated in AAL5 frames such as IPoA, IPoEoA, and PPPoEoA. Such frames are decapsulated by the router and are forwarded to other types of interfaces, or are forwarded to the Ethernet interface as Layer 2 Ethernet frames. The IP network and the ATM network communicate through the IPoA technology. IPoA, however, cannot make full use of all ATM functions. Therefore, the IP network with Ethernet interfaces over 10 Gbit/s cannot communicate with the ATM network; otherwise, traffic congestion may occur and QoS cannot be ensured. ATM QoS is introduced to solve this problem.

The ATM network has its own QoS capability. With the transition from the ATM network to the IP/MPLS network, this QoS capability needs to be kept. ATM QoS enables ATM cells with higher precedence to be transferred with the same precedence in the IP network. Similarly, it enables IP packets with higher precedence to be transferred with the same precedence in the ATM network.

ATM Simple Traffic Classification


When the ATM network is taken as the bearer layer of the IP network, however, the QoS mechanisms of the ATM network and the IP network must be combined to obtain end-to-end QoS. By enabling ATM simple traffic classification on the interface, PVC, or PVP, you can map the CoS and the CLP value to the internal priority of the router for upstream ATM cells, and map the internal priority to the CoS and CLP value for downstream ATM cells. Thus, various QoS services can be transmitted in different ATM networks. ATM simple traffic classification supports:
- Transparent transmission of ATM cells
- 1483R traffic
- 1483B traffic

The 1483R protocol is used to encapsulate IP packets to carry out IPoA service. The 1483B protocol is used to encapsulate Ethernet packets to carry out IPoEoA service.

ATM Forcible Traffic Classification


Although ATM cells in the ATM network hold information about precedence, it is very difficult to carry out IPoA, transparent transmission of cells, and IWF simple traffic classification based on the precedence information. You can adopt forcible traffic classification on the upstream interface. That is, you can use command lines to set the precedence and color manually for a specific PVC, interface (including the sub-interface), or PVP, and carry information about the precedence and color to the downstream interface. As shown in Figure 5-49, you can set the precedence and color for a specific flow on the upstream ATM interface of Router A by using command lines. Then the downstream interface can carry out ATM QoS based on the value of the set precedence and color.

Figure 5-49 ATM forcible traffic classification
[Figure labels: RouterA, RouterB; queues BE, AF1 ... EF, CS6, CS7. Set the packet precedence and mark the packet on the upstream ATM interface. The downstream ATM interface specifies the outgoing queue for the flow according to the precedence and color of the flow.]

ATM physical interfaces, ATM sub-interfaces, ATM PVCs, and ATM PVPs all support forcible traffic classification.

5.7.11 FR QoS
FR has its own QoS that can be configured with PVCs to provide flexible services for customers.

FRTS
Frame Relay Traffic Shaping (FRTS) is used on the outbound interface of the router to limit the rate of packets sent from the VC.

FRTP
Frame Relay Traffic Policing (FRTP) is used on the inbound interface of the router to monitor traffic received from the VC. If the traffic exceeds the specified value, the packets are discarded.

FRTP can be used only on the Data Circuit-terminating Equipment (DCE) interface to monitor traffic from the Data Terminal Equipment (DTE).

FR Congestion Management
The FR packet includes bits used for congestion management:
- Forward Explicit Congestion Notification (FECN): If it is 1, congestion occurs in the forwarding direction.
- Backward Explicit Congestion Notification (BECN): If it is 1, congestion occurs in the backward direction. If no backward packet is forwarded during a period, the router automatically sends a Q.922A Test Response whose BECN tag is 1 to the DTE.
- DE: It specifies whether to discard the packet or not. If it is 1, the packet is discarded in the case of congestion.

Figure 5-50 Diagram of FR congestion management
[Figure: DTE, DCE, Router A, and Router B (NNI) in a Frame Relay network, with the data direction, FECN, and BECN marked.]

The system judges congestion based on the proportion of the current queue length of the FR interface or the VC to the total length of the interface or the queue. If the proportion exceeds the specified value, congestion is considered to have occurred. The packets whose DE is 1 are discarded; otherwise, the FECN and BECN are set to 1. You can set the congestion threshold in the following two ways:
- Set the congestion threshold of the interface in the interface view.
- Set the congestion threshold of the FR VC in the FR class view.
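The congestion decision described above can be traced on the two-octet Q.922 address field, where FECN, BECN, and DE are bits 3, 2, and 1 of the second octet. This Python sketch is an added example, not the NE80E implementation; the function names and the percentage threshold are assumptions, and it sets FECN on frames leaving through the congested queue and BECN on frames of the same VC travelling the other way.

```python
from dataclasses import dataclass

FECN, BECN, DE = 0x08, 0x04, 0x02  # bits in the second address octet


@dataclass
class FrHeader:
    dlci: int
    fecn: bool
    becn: bool
    de: bool


def build_header(dlci: int, de: bool = False) -> bytes:
    """Build a 2-octet Q.922 address field (C/R = 0)."""
    b0 = ((dlci >> 4) & 0x3F) << 2                          # upper 6 DLCI bits, EA = 0
    b1 = ((dlci & 0x0F) << 4) | (DE if de else 0) | 0x01    # lower 4 DLCI bits, EA = 1
    return bytes([b0, b1])


def parse_header(frame: bytes) -> FrHeader:
    if len(frame) < 2 or frame[0] & 0x01 or not frame[1] & 0x01:
        raise ValueError("not a 2-octet Q.922 address field")
    b0, b1 = frame[0], frame[1]
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrHeader(dlci, bool(b1 & FECN), bool(b1 & BECN), bool(b1 & DE))


def congested(queue_len: int, queue_cap: int, threshold_pct: int) -> bool:
    """Congestion exists when the queue fill proportion exceeds the threshold."""
    return queue_len * 100 > queue_cap * threshold_pct


def _set_bit(frame: bytes, bit: int) -> bytes:
    return bytes([frame[0], frame[1] | bit]) + frame[2:]


def on_forward(frame: bytes, queue_len: int, queue_cap: int, threshold_pct: int):
    """Frame about to join the queue: return it (possibly marked) or None if dropped."""
    hdr = parse_header(frame)
    if not congested(queue_len, queue_cap, threshold_pct):
        return frame
    if hdr.de:
        return None                      # discard-eligible frames go first
    return _set_bit(frame, FECN)         # tell the receiver about congestion


def on_reverse(frame: bytes, forward_congested: bool) -> bytes:
    """Frame of the same VC in the opposite direction: tell the sender to slow down."""
    parse_header(frame)
    return _set_bit(frame, BECN) if forward_congested else frame


if __name__ == "__main__":
    # Constructed frames on DLCI 100; queue holds 90 of 100 entries, threshold 80%.
    normal = build_header(100) + b"data"
    eligible = build_header(100, de=True) + b"bulk"
    print(on_forward(eligible, 90, 100, 80))               # None
    print(parse_header(on_forward(normal, 90, 100, 80)))   # fecn=True
    print(parse_header(on_reverse(normal, True)))          # becn=True
```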

FR Queue Management
Normally, an FR interface has a queue while an FR VC has no queue. When the FR interface is enabled with FR traffic shaping, all the VCs on the interface have their own queues and the packets sent on the VC join in the queue first. Figure 5-51 shows the relationship between the VC queue and the interface queue.

Figure 5-51 Diagram of FR queues
[Figure labels: virtual circuit queues, interface queue.]

The FR interface supports the following queues:


- First-In First-Out queue
- Priority queue
- Custom queue
- Weighted fair queue
- Class-based queue
- Realtime Transport Protocol priority queue
- PVC interface priority queue

FR Fragmentation
In the process of transmitting voice with data, a large packet takes up the bandwidth for a long period. As a result, the voice packet may be delayed or discarded and voice quality is degraded. FR fragmentation is used to shorten the delay so that voice is delivered in real time. After FR fragmentation is configured, a large data packet is disassembled into fragments, and the voice packet and the fragments can be transmitted alternately. In this way, the voice packet can be processed on time and delay is shortened.

5.8 Traffic Statistics


The NE80E provides several types of traffic statistics functions. It can collect statistics on access traffic of different users. Traffic statistics have the following functions:
- Helping carriers to analyze the traffic model of the network
- Providing reference data for carriers to deploy and maintain DiffServ TE
- Supporting traffic-based accounting for the users that are not monthly-free

5.8.1 URPF Traffic Statistics


The NE80E collects statistics either on the overall traffic that complies with URPF or on the discarded traffic that does not comply with URPF.

Figure 5-52 URPF traffic statistics
[Figure: flowchart. Packets enter a classifier (the default action for unmatched packets is Pass). For packets that match rules, the action is performed: packets complying with URPF are allowed to pass through, and packets not complying with URPF are discarded. Statistics are collected at each stage.]

5.8.2 ACL Traffic Statistics


The NE80E supports the ACL traffic statistics function. When the created ACLs are applied to QoS and policy-based routing, the NE80E can collect statistics based on ACLs after the ACL traffic statistics function is enabled. The system also provides commands to query the number of matched ACL rules and bytes.

5.8.3 CAR Traffic Statistics


The NE80E provides numerous QoS features such as traffic classification, traffic policing (CAR), and queue scheduling. For these QoS features, the NE80E provides the relevant QoS traffic statistics functions.
- In traffic classification, the system can collect statistics on the traffic that matches rules and the traffic that fails to match rules.

Figure 5-53 Traffic statistics in traffic classification
[Figure: flowchart. Packets enter a classifier (the default action for unmatched packets is Pass). For packets that match rules, the action is performed: filter, CAR, mirror, redirect, re-mark, sample, URPF, or TTL check. Statistics are collected at each stage.]

- In traffic policing, the system supports statistics on the following traffic:
  - Total traffic that matches the CAR rule.
  - Traffic that is permitted or discarded by the CAR rule.

Figure 5-54 CAR traffic statistics
[Figure: flowchart with token buckets C and E. Labels: tokens in bucket C are enough / not enough; tokens in bucket E are enough / not enough; process packets according to the color marked; allow the packets marked green to pass through; re-mark the packets marked yellow; discard the packets marked red. Statistics are collected at each stage.]

The system supports interface-based traffic statistics.


- When the same traffic policy is applied on various interfaces, the CAR traffic statistics in the traffic policy are based on the interface.

5.8.4 HQoS Traffic Statistics


The system supports the following statistics on traffic queues:
- Statistics on the number of forwarded packets, bytes, and discarded packets of the queues of eight priority levels
- Statistics on the number of forwarded packets, bytes, and discarded packets of the user group queue
- Statistics on the number of forwarded packets, bytes, and discarded packets of eight class queues on an interface

5.8.5 Interface-based Traffic Statistics


The system supports traffic statistics on an interface or a sub-interface.

5.8.6 VPN Traffic Statistics


The NE80E supports the following VPN statistics:
- In a VPLS network, the NE80E can collect statistics on incoming and outgoing traffic of the access L2VPN user when it runs as a PE router.
- In an L3VPN, the NE80E can collect statistics on incoming and outgoing traffic of access users of various types when it runs as a PE router. The access users include:
  - Users that access the network through interfaces including logical interfaces
  - Multi-role hosts
  - Users that access the network through the VPLS/VLL

5.8.7 TE Tunnel Traffic Statistics


When the NE80E runs as a PE router in the MPLS TE network, it supports statistics on incoming and outgoing traffic of the tunnel. When the VPN is statically bound to the TE tunnel, the system can collect statistics on traffic of each resource-isolated VPN over the TE tunnel and the total traffic over the TE tunnel.

5.9 IP Compression
In the NGN bearer network, some carriers lack transmission resources. The RTP/UDP/IP packet header, however, contains about 40 bytes in the IP NGN service. For voice compression algorithms that work well, the voice data in each packet occupies less than 30 bytes. In this case, the packet header accounts for much of each packet and transmission efficiency is low. The NE80E provides several types of compression algorithms. The transmission efficiency of the network can thus be improved and the lack of transmission resources can be solved.

cRTP
The Compressed Real-Time Protocol (cRTP) defined in RFC 2508 can compress the 40-byte RTP header, including the UDP and IP headers, into a header of 2 to 4 bytes. In this manner, the lack of transmission resources is solved. In the traditional network, voice over IP is supported through RTP, as shown in Figure 5-55.

Figure 5-55 Format of RTP packets
[Figure: PPP (8 bytes) | IP (20 bytes) | UDP (8 bytes) | RTP (12 bytes) | Voice data (15-30 bytes); the headers are labelled "Header encapsulation".]

In the figure given above, the voice data occupies tens of bytes; the IP, UDP, and RTP headers contain more than 40 bytes. In a session, about half of the header bytes, such as the source and destination IP addresses and the source and destination port numbers, remain unchanged. Besides, the length field in the IP/UDP header is unnecessary because the length can be obtained by calculating the length of the link layer header. Some other fields change, but they can be differentially coded. After these redundant fields are compressed, only two to four bytes need to be reserved (normally, two bytes are kept; four bytes contain the UDP checksum), as shown in Figure 5-56.

Figure 5-56 Format of cRTP packets
[Figure: PPP (8 bytes) | cRTP (2-4 bytes) | Voice data (15-30 bytes); the headers are labelled "Header encapsulation".]

cRTP over MPLS


cRTP saves overhead bytes and improves the bandwidth utilization rate. All the transit nodes that a packet passes through, however, must compress/decompress the packet before forwarding it, which degrades the performance of the transit nodes. cRTP over MPLS refers to implementing cRTP on the MPLS tunnel. In a cRTP over MPLS network, an MPLS tunnel (cRTP tunnel) is set up between two PE routers to simulate the normal cRTP on the P2P link between two connected devices. In this manner, the P routers in the MPLS network are freed from compression/decompression processing. Packets are compressed only on the ingress PE router of the MPLS tunnel and decompressed on the egress PE router. The processing capability of the network is thus improved.

Besides, cRTP is a kind of value-added service. The bearer network of the ISP may not support cRTP and re-deploying the network is impossible. End-to-end compression is thus required so that the transit nodes do not sense the compression. Relevant devices that are deployed only on the edge nodes of the ISP network can complete the compression. The NE80E supports cRTP over MPLS in the MPLS L3VPN network.

Figure 5-57 cRTP over MPLS
[Figure: PE routers attached to the MPLS bearer network, with FE links.]

5.10 Network Security


When the NE80E runs as the security gateway to access the customer's network and the service system, it can provide the following functions:
- Advanced security system structure
- Abundant security protocols
- Strict service access control

Figure 5-58 Security features
[Figure: security features grouped under routing security, management security, forwarding security, and service access security. Labels: routing protocol MD5 authentication; the control plane separated from the forwarding plane; control information filtering; secure VRP system; SSH; RADIUS; TACACS+; SYSLOG; NQA; bidirectional ACL; URPF; MIRROR; NETSTREAM; SINKHOLE; ARP attack-proof; Layer 2 limit; DHCP snooping; port rate limit; broadcast/abnormal traffic suppression.]

The following section describes the security features that the NE80E supports.

5.10.1 AAA
The NE80E implements a perfect AAA, performing authentication, authorization and accounting for access users based on the policy. AAA supports three types of user authentication:
- Local authentication
- Remote Authentication Dial-In User Service (RADIUS)
- Huawei Terminal Access Controller Access Control System (HWTACACS) authentication

AAA supports four authorization modes:


- Direct authorization: In this mode, users are directly authorized to pass through.
- Local authorization: In this mode, local users are authorized according to the configured attributes of the user accounts.
- HWTACACS authorization: In this mode, users are authorized by the HWTACACS server.
- if-authenticated authorization: In this mode, users are authorized to pass through if they pass the authentication and the authentication mode is not "none".

5.10.2 Protocol Security Authentication


PPP supports PAP and CHAP authentication modes. Routing protocols including RIPv2, OSPF, IS-IS, and BGP support plain text authentication and MD5 encrypted text authentication. SNMP supports SNMPv3 encryption and authentication.

5.10.3 URPF
Unicast Reverse Path Forwarding (URPF) prevents network attacks that are based on forged source addresses. When a packet is sent to a URPF-enabled interface on the server, URPF obtains the source address and the inbound interface of the packet. URPF then takes the source address as the destination address to retrieve the corresponding interface from the forwarding table and compares the retrieved one with the inbound interface. If they do not match, URPF considers the source address as fake and discards the packet. URPF is applicable to the preceding environment and prevents this kind of network attack.
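The check described above, together with the pass/discard counters of section 5.8.1, can be modelled in a few lines of Python. This is an added example, not the NE80E implementation: the `Fib` and `Urpf` classes, the interface names, and the routes are constructed for illustration, and the lookup is a plain longest-prefix match.

```python
import ipaddress
from collections import Counter


class Fib:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [(net.prefixlen, ifname) for net, ifname in self.routes if ip in net]
        return max(matches)[1] if matches else None


class Urpf:
    """Reverse-path check: the route back to the source must use the inbound interface."""

    def __init__(self, fib, enabled_ifs):
        self.fib = fib
        self.enabled = set(enabled_ifs)
        self.stats = Counter()

    def check(self, src, in_if, length):
        if in_if not in self.enabled:
            return True                          # URPF not enabled here: not checked
        ok = self.fib.lookup(src) == in_if       # no route at all also fails
        key = "pass" if ok else "drop"
        self.stats[key + "_packets"] += 1
        self.stats[key + "_bytes"] += length
        return ok


# Constructed routes and packets (source address, inbound interface, length).
ROUTES = [("10.1.0.0/16", "ge1"), ("10.1.128.0/17", "ge3"), ("10.2.0.0/16", "ge2")]
PACKETS = [
    ("10.1.5.5", "ge1", 100),     # route back points to ge1: pass
    ("10.2.9.9", "ge1", 60),      # source belongs behind ge2: forged, drop
    ("10.1.200.1", "ge1", 60),    # more specific /17 points to ge3: drop
    ("203.0.113.9", "ge1", 40),   # no route to the source: drop
    ("10.9.9.9", "ge2", 500),     # ge2 has URPF disabled: forwarded unchecked
]


def run(packets=PACKETS):
    urpf = Urpf(Fib(ROUTES), enabled_ifs={"ge1"})
    results = [urpf.check(src, in_if, length) for src, in_if, length in packets]
    return results, dict(urpf.stats)


if __name__ == "__main__":
    print(run())
```

The third packet shows why this check discards legitimate traffic when routing is asymmetric: the source is reachable, but not through the interface the packet arrived on.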

5.10.4 MAC Limit


With the abundant MAC limit functions, the NE80E can provide various security solutions for the large-scale Layer 2 network and the VPLS network.

MAC Address Limit


With the rapid development of the Metro Ethernet, security plays a more and more important role on the ingress of the MAN. In the Metro Ethernet, a large number of individual users access the Internet over Ethernet links and it is common that hackers perform MAC attacks on the network. MAC address limit that is supported by the NE80E can effectively defend the network against the preceding attacks and guarantee the security of the ISP network. With the function of MAC address limit, the system can limit the number of access MAC addresses of a customer to prevent the customer from crushing the MAC address space of other customers; the system can also discard attack packets on the ingress and prohibit invalid packets from consuming bandwidth. MAC address learning is the basic feature of Layer 2 forwarding. It is automatically carried out and is easy to use. It, however, needs to be deployed with caution to avoid attacks. The NE80E supports the following types of limit to MAC address learning:
- Limit to the MAC addresses that can be learned
- Limit to the speed of MAC address learning
- Limit to interface-based MAC address learning
- Limit to MAC address learning based on VLAN+port
- Limit to MAC address learning based on port+VSI
- Limit to MAC address learning based on QinQ

Limit to MAC address learning can be applied in the network environment with fixed access users and lacking in security, such as the community access or the intranet without security management. When the number of MAC addresses learnt by an interface exceeds the limited threshold, the MAC address of a new access user is not learnt. The traffic of this user is thus broadcast at a restricted transmission rate.

MAC Address Entry Deletion


In a VPLS or Layer 2 network, the MAC address table is the key of forwarding. It, however, is also vulnerable to attacks although the MAC entries are to be aged. MAC entries need to be deleted to release MAC resources, minimizing the effect on other services. The NE80E provides the following types of MAC address entry deletion:
- Deletion of MAC address entries based on port+VSI
- Deletion of MAC address entries based on port+VLAN
- Deletion of MAC address entries based on the trunk interface
- Deletion of MAC address entries based on the outbound QinQ interface

5.10.5 Unknown Traffic Limit


In the VPLS or Layer 2 network, unknown traffic limit supported by the NE80E functions as follows:
- Manages users' traffic.
- Allocates bandwidth to users.
- Limits unknown unicast, multicast, and broadcast traffic.

In this way, the network bandwidth is efficiently used and network security is guaranteed.

5.10.6 DHCP Snooping


DHCP snooping, a DHCP security feature, filters untrusted DHCP messages by creating and maintaining a binding table for DHCP snooping. This binding table contains the VRF ID, VSI index, PVLAN, CVLAN, binding type, and lease for untrusted interfaces. DHCP snooping acts as a firewall between clients and DHCP servers. DHCP snooping prevents DHCP Denial of Service (DoS) attacks, bogus DHCP server attacks, ARP middleman attacks, and IP/MAC spoofing attacks when DHCP is enabled on the device. DHCP snooping provides various working modes to prevent different types of attacks. Table 5-2 shows the types of attacks and the corresponding working modes of DHCP snooping.

Table 5-2 Attack types and DHCP snooping working modes

Attack Type | DHCP Snooping Working Mode
DHCP exhaustion attack | MAC address limitation
Bogus DHCP server attack | Trusted/Untrusted
Middleman attack or IP/MAC address attack | Binding table of DHCP snooping
Attack by changing CHADDR value | Check on CHADDR of DHCP messages
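The four working modes in Table 5-2 fit into one small state machine. The following Python model is an added example, not Huawei code: it works on already-parsed DHCP fields, keeps only port, IP address, MAC address, and lease expiry in each binding (the real table also holds the VRF ID, VSI index, and VLAN fields), and all names and addresses are constructed.

```python
from dataclasses import dataclass

SERVER_TYPES = {"OFFER", "ACK", "NAK"}   # messages only a DHCP server sends


@dataclass
class DhcpMsg:
    mtype: str              # DISCOVER, REQUEST, OFFER, ACK, NAK
    eth_src: str            # source MAC of the Ethernet frame
    chaddr: str             # client hardware address inside the DHCP message
    yiaddr: str = "0.0.0.0"
    lease: int = 0          # seconds


class DhcpSnooping:
    def __init__(self, trusted_ports, mac_limit=2):
        self.trusted = set(trusted_ports)
        self.mac_limit = mac_limit
        self.pending = {}    # chaddr -> untrusted port that sent the REQUEST
        self.macs = {}       # port -> client MACs seen (exhaustion defence)
        self.bindings = {}   # (port, ip) -> (mac, expiry time)

    def dhcp(self, port, msg, now):
        """Return (forward?, reason) for a DHCP message received on port."""
        if port in self.trusted:
            if msg.mtype == "ACK" and msg.chaddr in self.pending:
                client_port = self.pending.pop(msg.chaddr)
                self.bindings[(client_port, msg.yiaddr)] = (msg.chaddr, now + msg.lease)
            return True, "trusted"
        if msg.mtype in SERVER_TYPES:
            return False, "bogus-server"        # Trusted/Untrusted mode
        if msg.chaddr != msg.eth_src:
            return False, "chaddr-mismatch"     # check on CHADDR
        seen = self.macs.setdefault(port, set())
        if msg.chaddr not in seen and len(seen) >= self.mac_limit:
            return False, "mac-limit"           # MAC address limitation
        seen.add(msg.chaddr)
        if msg.mtype == "REQUEST":
            self.pending[msg.chaddr] = port
        return True, "ok"

    def data(self, port, src_mac, src_ip, now):
        """Binding-table check for ordinary traffic arriving on an untrusted port."""
        if port in self.trusted:
            return True
        entry = self.bindings.get((port, src_ip))
        return entry is not None and entry[0] == src_mac and now < entry[1]


if __name__ == "__main__":
    snoop = DhcpSnooping(trusted_ports={"uplink"})
    client, server = "02:00:00:00:00:01", "02:00:00:00:00:fe"
    print(snoop.dhcp("p1", DhcpMsg("REQUEST", client, client), 1))
    print(snoop.dhcp("p2", DhcpMsg("OFFER", "02:00:00:00:00:66", client, "10.0.0.66"), 1))
    print(snoop.dhcp("uplink", DhcpMsg("ACK", server, client, "10.0.0.10", 3600), 2))
    print(snoop.data("p1", client, "10.0.0.10", 10),
          snoop.data("p2", client, "10.0.0.10", 10))
```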

5.10.7 Local Anti-attack


The NE80E provides a uniform local anti-attack module to maintain and manage the anti-attack policy of the whole system. An all-around anti-attack solution that is operable and maintainable is thus provided for users.

CP-CAR
The NE80E provides the following types of CP-CAR:
- CP-CAR: The NE80E classifies the packets sent to the CPU and allows users to set the average rate, the peak rate, and the priority level. By binding various classes of packets to different CAR actions and reducing the interactions between packets, you can set the rate of sending packets to protect the CPU.
- CP-TOTAL-CAR: The NE80E supports the queue scheduling algorithm to limit the total rate of the redundant packets sent to the CPU.
- Extended CAR: CP-CAR works with ACLs to realize the extended CAR function. The extended CAR is used for manual anti-attack when unknown attacks emerge in the network.
- Smallest packet compensation: The NE80E supports the smallest packet compensation function of the CP-CAR. After receiving the packets sent to the CPU, the system measures the packet length. When the packet length is smaller than the preset minimum packet length, the system calculates the sending rate with the preset minimum length. When the packet length is greater than the preset minimum packet length, the system calculates the sending rate with the actual packet length. This function defends the network against the attacks of small packets.
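Smallest packet compensation matters because a byte-based rate limit alone lets through more packets, and so more CPU work, the smaller each packet is. This Python model is an added example, not the NE80E implementation: it covers only the average rate with a single token bucket, and the class name, units (bytes per millisecond), and traffic figures are constructed.

```python
class CpCar:
    """Token bucket for one class of CPU-bound packets.

    Time is in integer milliseconds and the rate in bytes per millisecond,
    so all arithmetic is exact.
    """

    def __init__(self, rate_bytes_per_ms, burst_bytes, min_len=0):
        self.rate = rate_bytes_per_ms
        self.burst = burst_bytes
        self.min_len = min_len        # 0 disables smallest packet compensation
        self.tokens = burst_bytes
        self.last_ms = 0
        self.passed = 0
        self.dropped = 0

    def cost(self, length):
        """Bytes charged for a packet: short packets are charged min_len."""
        return max(length, self.min_len)

    def offer(self, length, now_ms):
        """Return True if the packet may be sent to the CPU."""
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        charge = self.cost(length)
        if charge <= self.tokens:
            self.tokens -= charge
            self.passed += 1
            return True
        self.dropped += 1
        return False


def flood(car, pkt_len, per_ms, duration_ms):
    """Offer per_ms packets of pkt_len bytes every millisecond; return packets passed."""
    for t in range(duration_ms):
        for _ in range(per_ms):
            car.offer(pkt_len, t)
    return car.passed


if __name__ == "__main__":
    # Constructed flood: ten 64-byte packets per millisecond for one second,
    # against a limit of 64 bytes/ms (512 kbit/s) with a 1280-byte burst.
    plain = flood(CpCar(64, 1280), 64, 10, 1000)
    compensated = flood(CpCar(64, 1280, min_len=128), 64, 10, 1000)
    print("packets reaching the CPU without compensation:", plain)
    print("packets reaching the CPU with min_len=128:", compensated)
```

With the same byte rate configured, charging each 64-byte packet as 128 bytes halves the number of packets the CPU has to process during the flood, while packets longer than the minimum are charged their actual length.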

Application-Layer Cooperation
The system dynamically detects the enabled application-layer information. When the application-layer services are started, the system receives the packets of the application-layer services; when the application-layer services are closed, the system discards the packets of the services.

Session Attack Defense


The NE80E provides the following session attack defense functions:
- White list: The NE80E protects the session-based application-layer data such as BGP session data with the white list function. The data that matches the white list can be sent to the CPU in preference. This function ensures that the existing services are not interrupted in the case of attacks. The white list function also supports the Generalized TTL Security Mechanism (GTSM).
- Black list: With the black list function, the NE80E discards specific invalid data such as the data with the TCP or UDP port number that the system does not care about. The system filters out the invalid data with the black list. In this manner, the traffic volume between the forwarding engine and the CPU can be reduced, preventing the invalid data from attacking the system.

5.10.8 GTSM
Currently, some attackers on the network simulate valid packets to attack a router. As a result, the finite resources of the router, such as the CPU on the MPU, are heavily loaded and consumed. For example, an attacker continuously sends simulated BGP protocol packets to a router. After the LPU of the router receives the packets destined for the local host, the LPU sends the packets to the BGP processing module of the CPU on the MPU without checking the validity of the packets. As a result, the system is abnormally busy, with a high CPU utilization rate, as the MPU of the router processes these simulated valid packets.

To avoid the preceding attack, the NE80E provides the GTSM. The GTSM protects services of the upper layer over the IP layer by checking whether the TTL value in the IP header is within the specified range. In practice, the GTSM is used to protect the TCP/IP-based control layer, such as routing protocols, from CPU-utilization attacks such as CPU overload. The NE80E supports the following types of GTSM:
- BGP GTSM
- OSPF GTSM
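The TTL range check works because every router on the path decrements the TTL, so a packet from a peer that sends with TTL 255 and sits at most n hops away must arrive with a TTL of at least 255 - n + 1. The following Python sketch is an added example, not Huawei code: the `Gtsm` class, the `valid_hops` parameter, the "no-policy" result, and the addresses are assumptions, and the sample packets are constructed with a zero checksum.

```python
import ipaddress
import struct

TCP, OSPF = 6, 89   # IP protocol numbers (BGP runs over TCP)


def make_ipv4(src, dst, proto, ttl, payload=b""):
    """Build a constructed IPv4 packet with a 20-byte header (checksum left at 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def parse_ipv4(pkt):
    """Return (source address, protocol, TTL) from an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.IPv4Address(pkt[12:16]), pkt[9], pkt[8]


class Gtsm:
    def __init__(self):
        self.policy = {}   # (peer address, protocol) -> (min TTL, max TTL)

    def add_peer(self, peer, proto, valid_hops):
        """Accept TTLs a peer at most valid_hops away can produce when sending 255."""
        if not 1 <= valid_hops <= 255:
            raise ValueError("valid_hops must be 1..255")
        self.policy[(ipaddress.IPv4Address(peer), proto)] = (255 - valid_hops + 1, 255)

    def check(self, pkt):
        """Return 'pass', 'drop', or 'no-policy' for a packet sent to the local host."""
        src, proto, ttl = parse_ipv4(pkt)
        ttl_range = self.policy.get((src, proto))
        if ttl_range is None:
            return "no-policy"          # left to other defences such as CP-CAR
        low, high = ttl_range
        return "pass" if low <= ttl <= high else "drop"


def demo():
    gtsm = Gtsm()
    gtsm.add_peer("192.0.2.1", TCP, valid_hops=1)       # directly connected BGP peer
    gtsm.add_peer("198.51.100.2", TCP, valid_hops=3)    # multi-hop BGP peer
    packets = [
        make_ipv4("192.0.2.1", "192.0.2.2", TCP, 255),     # genuine neighbour
        make_ipv4("192.0.2.1", "192.0.2.2", TCP, 250),     # forged source, 5 hops away
        make_ipv4("198.51.100.2", "192.0.2.2", TCP, 253),  # within 3 hops
        make_ipv4("198.51.100.2", "192.0.2.2", TCP, 252),  # too far away
        make_ipv4("203.0.113.5", "192.0.2.2", OSPF, 1),    # no GTSM policy
    ]
    return [gtsm.check(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

A remote sender can forge the peer's source address but cannot make the packet arrive with a TTL higher than 255 minus the number of routers it crossed, so the forged packets are dropped before they reach the CPU.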

5.10.9 ARP Anti-attack


In the current ISP network, Ethernet is commonly used for access. ARP runs as the open protocol on the Ethernet, offering chances for malicious attackers. Malicious attackers attack the network from the perspectives of space and time.
- Space-based attacks exploit the finite ARP buffer of a router. The attacker sends a large number of simulated ARP request and response messages to the router. As a result, the ARP buffer overflows and normal ARP entries cannot be buffered. Normal forwarding is thus interrupted.
- Time-based attacks exploit the finite processing capability of a router. The attacker sends a large number of simulated ARP request, response, or other packets that can trigger the router to perform ARP processing. As a result, the computation resources of the router are busy with ARP processing during a long period and other services cannot be processed. Normal forwarding is thus interrupted.

The NE80E provides the following functions to avoid ARP attacks:


- Interface-based ARP entry restriction
- Timestamp-based scanning-proof

Interface-based ARP Entry Restriction


The interface-based ARP entry restriction function effectively minimizes the attacked range when the ARP entry overflow attack occurs. The attacked range is restricted in the interface. In this manner, other interfaces of the board or the whole system are not affected.

Timestamp-based Scanning-proof
The timestamp-based scanning-proof function can identify the scanning attack on time and suppress the processing of requests generated by the scanning when a scanning attack occurs, regardless of whether it is an ARP scanning attack or IP scanning attack. In this way, the CPU is kept away from attacks.

5.10.10 Mirroring
Mirroring indicates that the system sends a copy of the packet on the current node to a specific packet analysis equipment from an observing port without interrupting services. There are two kinds of mirroring:
- Port mirroring: requires that the system copy the received or to-be-sent packet on a port and send the copy to the specified port.
- Traffic mirroring: combines port mirroring with traffic classification to copy the packets that meet the requirements. In this way, the system can filter the packets to control packet analysis and improve the efficiency of packet analysis.

The NE80E provides the following mirroring functions:


- It supports upstream or downstream port mirroring and flow mirroring.
- It supports an observing port on an LPU. The whole system supports 16 observing ports.
- It supports independent mirroring for the packets that are sent to the CPU from a certain interface or LPU.

5.10.11 NetStream
The Internet is developing rapidly. This provides more bandwidth resources but also requires finer-grained network monitoring and management. A technology that meets these demands is urgently needed. NetStream is a technology that is based on network traffic statistics. It collects statistics on traffic flows and resource usage in the network accordingly, and monitors and manages the network based on types of services and resources. NetStream provides the following functions:
- Accounting: NetStream provides detailed statistics for the resource-occupation-based (such as links, bandwidth, and time periods) accounting. Statistics such as IP addresses, number of packets and bytes, transmission time, ToS fields, and application types are collected. Based on the collected statistics, the ISP can charge users flexibly based on time periods, bandwidth, application, or QoS; enterprises can count their expenses or distribute costs to make better use of resources.
- Network planning and analyzing: NetStream provides key information for advanced network management tools to optimize the network design and planning. The minimum network operation cost thus achieves the best network performance and reliability.
- Network monitoring: NetStream realizes real-time network monitoring. The remote monitoring (RMON), RMON-2, and flow-based analysis technology visually displays the flow mode on a single router or routers across the network. This provides a basis for fault pre-detection and effective fault rectification.
- Application monitoring and analyzing: NetStream provides detailed application statistics about the network. For example, the network administrator can view the proportion of each application, such as Web, the File Transfer Protocol (FTP), Telnet, and other TCP/IP applications, to network traffic. The ISP then properly plans and allocates network application resources to meet the users' requirements according to these application statistics.
- Abnormal traffic detecting: NetStream detects abnormal traffic, such as network attack traffic of various types, in real time. NetStream ensures network security by means of alarms of the NMS and the cooperation with devices.

NetStream devices involve the following:


- NDE
- NSC
- NDA

Figure 5-59 shows the relationships between the preceding NetStream devices.

Figure 5-59 NetStream devices
[Figure labels: RouterA, RouterB, NSC, NSC, NDA.]

The NetStream Data Exporter (NDE) samples packets and exports the information to the NSC. The NetStream Collector (NSC) is responsible for analyzing and collecting the statistics data from the NDE. The NetStream Data Analyzer (NDA) analyzes the statistics data and then provides the basis for various services, such as network accounting, network planning, network monitoring, application monitoring, and analysis. The NE80E can run as an NDE to sample packets, aggregate flows, and output flows. According to the position of sampling packets and processing flows, NetStream on the NE80E is classified into independent NetStream and integrated NetStream. Integrated NetStream supports load balancing among multiple NetStream boards.
- Independent NetStream: An LPU can sample packets, aggregate flows, and output flows independently.
- Integrated NetStream: Some LPUs do not support independent NetStream. They only sample packets and then send the sampled packets to the NetStream SPU for integrated processing of flow aggregation and output.

The NE80E provides the following functions from the aspect of sampling:
- Supports sampling in the inbound and outbound directions. Some boards support sampling on the inbound interface.
- Supports interface-based sampling and traffic-classification-based sampling.
- Supports sampling on IPv4 unicast/multicast packets, fragmented packets, MPLS packets, and MPLS L3VPN packets.
- Supports regular packet sampling, random packet sampling, regular time sampling, and random time sampling.
- Supports sampling of various physical and logical interfaces such as POS interfaces, Ethernet interfaces, VLAN sub-interfaces, serial/MP/FR PVC/FR MP interfaces provided by CPOS interfaces, ATM interfaces, FR interfaces, RPR interfaces, trunk interfaces, VLANIF interfaces, and GRE interfaces.

The NE80E provides the following functions from the aspect of aggregation and output:

- IPv4 supports ten aggregation modes: as, as-tos, protocol-port, protocol-port-tos, source-prefix, source-prefix-tos, destination-prefix, destination-prefix-tos, prefix, and prefix-tos.
- Supports aggregation of MPLS packets based on three-layer labels.
- Outputs the generated statistics in v5, v8, and v9 formats.
- Each kind of aggregation flow can be output to two NMS servers.
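The ten IPv4 aggregation modes listed above, shown as an added example that is not Huawei code: constructed flow records are folded under every mode so that the resulting record counts can be compared. The key fields chosen for each mode follow the usual NetFlow v8-style schemes and are an assumption, since this document names the modes but not their keys; the `Flow` record layout is hypothetical.

```python
"""Added example: folding flow records under the ten IPv4 aggregation modes.

Assumption: the key fields of each mode follow the usual NetFlow v8-style
schemes; the product description names the modes but not their keys.
"""
import ipaddress
from collections import namedtuple

# Hypothetical record layout for one sampled flow.
Flow = namedtuple(
    "Flow",
    "src dst src_mask dst_mask src_as dst_as proto sport dport tos pkts octets",
)


def _net(addr, mask_len):
    """Mask an address down to its prefix, e.g. 10.1.1.5/24 -> 10.1.1.0/24."""
    return str(ipaddress.ip_network(f"{addr}/{mask_len}", strict=False))


# Key extractor for each base mode; the "-tos" variants append the ToS byte.
BASE_KEYS = {
    "as": lambda f: (f.src_as, f.dst_as),
    "protocol-port": lambda f: (f.proto, f.sport, f.dport),
    "source-prefix": lambda f: (_net(f.src, f.src_mask),),
    "destination-prefix": lambda f: (_net(f.dst, f.dst_mask),),
    "prefix": lambda f: (_net(f.src, f.src_mask), _net(f.dst, f.dst_mask)),
}
# Same order as the list in the text: as, as-tos, protocol-port, ...
MODES = [base + suffix for base in BASE_KEYS for suffix in ("", "-tos")]


def aggregation_key(mode, flow):
    """Return the tuple of fields that identifies one aggregate record."""
    with_tos = mode.endswith("-tos")
    base = mode[:-4] if with_tos else mode
    if base not in BASE_KEYS:
        raise ValueError(f"unknown aggregation mode: {mode}")
    key = BASE_KEYS[base](flow)
    return key + (flow.tos,) if with_tos else key


def aggregate(flows, mode):
    """Fold flows into aggregate records: key -> flow, packet and octet totals."""
    table = {}
    for flow in flows:
        entry = table.setdefault(
            aggregation_key(mode, flow), {"flows": 0, "pkts": 0, "octets": 0}
        )
        entry["flows"] += 1
        entry["pkts"] += flow.pkts
        entry["octets"] += flow.octets
    return table


def records_per_mode(flows):
    """Number of aggregate records each mode would export for these flows."""
    return {mode: len(aggregate(flows, mode)) for mode in MODES}


# Constructed sample flows (private/documentation addresses, private AS numbers).
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "192.0.2.10", 24, 24, 65001, 65010, 6, 40001, 443, 0, 10, 5200),
    Flow("10.1.1.9", "192.0.2.10", 24, 24, 65001, 65010, 6, 40002, 443, 0, 4, 900),
    Flow("10.1.2.7", "192.0.2.20", 24, 24, 65001, 65010, 17, 5353, 53, 0, 2, 160),
    Flow("10.1.1.5", "198.51.100.3", 24, 24, 65001, 65020, 6, 40003, 443, 184, 6, 3000),
]

if __name__ == "__main__":
    for mode, count in records_per_mode(SAMPLE_FLOWS).items():
        print(f"{mode:24s} {count} aggregate record(s)")
    print(aggregate(SAMPLE_FLOWS, "source-prefix"))
```

Each mode trades detail for volume: the prefix modes drop port information and protocol-port drops addresses, so the mode has to be chosen with the later analysis on the NDA in mind.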

5.10.12 Lawful Interception


Lawful interception indicates that law enforcement agencies intercept public telecommunications services based on national legislation and public telecommunications regulations after they are authorized. Lawful interception needs support from service providers such as carriers. Its implementation must be authorized and completed by means of the cooperation between the law enforcement agencies and service providers. Lawful interception is indispensable to the public communication network and of great significance for national security. It is thus widely applied in the following domains:

- Fixed communication
- Data communication
- Mobile communication
- Satellite communication

The NE80E supports lawful interception, as shown in Figure 5-60.


Figure 5-60 Model of lawful interception
(Diagram: users, access devices, the NE80E, the LIG, and a Radius/DHCP server, for real-time interception. Labelled steps: 1, A user sends a login request; 2, The LIG receives the request; 3, The LIG notifies the NE80E to set the intercepting rules; 4, The NE80E copies user traffic to the LIG; 4, The user logs in and sends traffic.)

5.11 Network Reliability


The NE80E provides all-around reliability techniques. This caters to the requirements for reliability of the carrier-class network.

Figure 5-61 Reliability techniques
(Diagram labels: device reliability, link reliability, network reliability, 99.999%. Backup: active/standby MPUs, multiple SFUs, active/standby power modules. Interface backup: Eth Trunk, IP Trunk, inter-board port binding, RPR interface backup. Customized alarm damping. Ethernet OAM. NSF: Grace Restart. BFD: fast detection of link fault. Routing optimization: fast route convergence, loose policy-based routing, ECMP. FRR: IP FRR, TE FRR, LDP FRR, VLL FRR, VPN FRR.)

5.11.1 Backup of Key Modules


The NE80E can work with a single MPU or two MPUs in backup mode.


The MPU of the NE80E supports hot backup. If the device is configured with two MPUs for backup, the master MPU works in active state and the slave MPU is in standby state. In addition, users cannot access the management interface of the slave MPU, or configure commands on the Console port or the AUX port. The slave MPU exchanges information (including heartbeat messages and data backup) only with the master MPU. The system supports active/standby switchover in two ways: automatic switchover and forcible switchover. The automatic switchover may be triggered by serious faults or resetting of the master MPU. The forcible switchover is triggered with commands. You can forcibly prohibit the active/standby switchover of the MPU through the related command. The NE80E supports backup of management bus and 1+1 backup for the power module. The LPU, the power module, and the fan module are hot swappable. These designs enable the system to recover or respond quickly when a severe abnormality is detected on the device or the network, thereby improving the Mean Time between Failure (MTBF) and minimizing the impact of unreliable factors on normal service.

5.11.2 High Reliability of the LPU


The NE80E supports backup of some key service interfaces through protocol extension.

- The NE80E supports the Virtual Router Redundancy Protocol (VRRP) on the Ethernet interface. With the extended VRRP, the NE80E enables two interfaces on one router or on different routers to back up each other, thus ensuring high reliability of the interfaces.
- On the NE80E, the Eth-Trunk and the IP-Trunk support inside backup and outside backup for member interfaces. The NE80E supports inter-board trunk bundling. Users can access different LPUs over double links for inter-board bundling. This ensures the high reliability of services. The NE80E realizes the inter-board bundling by the high-performance engine and forwards packets in load balancing mode at the line rate over multiple links. The Hash algorithm based on the source and destination IP addresses carries out even load balancing to forward traffic over links. Seamless switchover is performed in the case of a link failure, without interrupting services.
- The NE80E also provides backup of RPR-based interfaces through the RPR protocol and RPR networking technologies.

The backup function allows the router to monitor and back up the running status of the interface when bearing LAN, MAN or WAN services. In this case, the status change of the interface that is backed up will not affect the routing table and the service at the interface can be restored quickly.

5.11.3 Customized Alarm Damping


The customized alarm damping function can be enabled on the SDH/SONET interface.


The alarm types supported include AUAIS, LAIS, LOF, LOM, LOP, LOS, LRDI, LREI, OOF, PAIS, PRDI, PREI, PSLM, RDOOL, RROOL, SDBERE, SFBERE, TROOL, and B3TCA. The NE80E supports the threshold setting for the SD, SF, and B3 errors. With the customized alarm damping function, the system allows the interface to sense only the customized alarms, and only these alarms trigger a change of the interface status. Alarm damping is used to suppress the continuous toggling of customized alarms. It prevents the interface status from changing with every alarm change, which would otherwise cause routes to be refreshed frequently.

5.11.4 Ethernet OAM


The NE80E supports the Ethernet OAM functions as follows:

- Fault management
- Performance management

With the fault management mechanism, the NE80E can detect the network connectivity by sending the detection OAM packets periodically or through manual triggering. This mechanism is similar to the Bidirectional Forwarding Detection (BFD). The NE80E can also locate faults of Ethernet by using means similar to the ping and tracert tools on IP networks. The NE80E triggers protection switchover in less than 50 ms. Performance management is used to measure the packet loss ratio, delay, and jitter during the transmission of packets. It also collects statistics on various kinds of traffic such as the number of transmitted bytes and the number of errored packets.

Point-to-Point Fault Management for Ethernet


IEEE 802.3ah was brought forward by the Ethernet in the First Mile Alliance (EFMA). IEEE 802.3ah defines the following functions:

- Capability discovery
- Link performance monitoring
- Fault detection and alarm
- Loop test

The PDUs of IEEE 802.3ah OAM are transmitted by a slow protocol. Fault detection messages are sent once per second. Conforming to IEEE 802.3ah, the NE80E supports point-to-point Ethernet fault management. It can detect faults in the last mile of the direct link at the user side of the Ethernet. Currently, the NE80E supports the following functions defined in IEEE 802.3ah:

- Automatic neighbor discovery
- Link fault monitoring
- Remote fault notification
- Remote loopback configuration


End-to-End Fault Management for Ethernet


This section describes the end-to-end fault management for Ethernet from the following two aspects:

- Hierarchical MD

  The NE80E realizes the end-to-end fault management for Ethernet either in conformance with IEEE 802.1ag or independently of IEEE 802.1ag. IEEE 802.1ag is used to test the end-to-end Ethernet connectivity and locate faults. It provides different levels of management domains. OAM messages with a low level are not forwarded to the management domain with a high level. This guarantees security and maintainability of networks.

  According to IEEE 802.1ag, the network that bears the Ethernet OAM mechanism is divided into different Maintenance Domains (MDs). An MD is an interconnected Ethernet network that is maintained by the same administrator. Multiple Service Instances (SIs) can be applied on an MD. An SI corresponds to a VLAN. An SI consists of multiple devices. The border port in the SI is called the Maintenance association End Point (MEP); all the other ports are called Maintenance association Internal Points (MIPs). MIPs are responsible for connecting different MEPs. Both MEPs and MIPs are called MPs. All the MEPs in an SI form a Maintenance Association (MA), in which fault detection is carried out.

  Part of the network in an MD might be maintained by another administrator, that is, MDs might be nested. The MD level is used to differentiate the various levels of OAM that can be carried out in an MA. The MD level is carried in the OAM message. OAM messages with a low level are discarded at a high-level MP.

- End-to-end fault detection and location

  The ISP and Internet Content Provider (ICP) have gradually used fault detection to guarantee QoS and reduce maintenance expense. Fault detection is realized by sending and detecting the Continuity Check (CC) message at a scheduled time. The NE80E supports the tools of MAC ping and MAC trace by using the Loop Back (LB) and Link Trace (LT) packets defined in IEEE 802.1ag to locate faults.

  MAC ping: MAC ping, realized by the LB message, is used to test whether a device on the network is reachable. It acquires the network status and the delay parameter. To carry out MAC ping between any two devices on the network, the NE80E needs to meet the following requirements:

  - The originating point is a MEP.
  - The two points are MPs belonging to the same MA.
  - The two points are reachable.

  MAC trace: MAC trace, realized by the LT message, is used to test the transmission paths of messages and the link break point between the two devices. The requirements for MAC ping also apply to MAC trace.
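The MD-level rule described above, as an added example that is not Huawei code: the block reads the MD level from the IEEE 802.1ag CFM common header and applies the rule this section states, that a low-level OAM message is discarded at a higher-level MP. The frames are constructed header-only samples; forwarding of higher-level frames is standard 802.1ag behaviour rather than something this document states, and the function names are hypothetical.

```python
"""Added example: MD-level handling of IEEE 802.1ag CFM frames at an MP."""
import struct

CFM_ETHERTYPE = 0x8902
VLAN_ETHERTYPES = (0x8100, 0x88A8)
OPCODES = {1: "CCM", 2: "LBR", 3: "LBM", 4: "LTR", 5: "LTM"}


def parse_cfm(frame):
    """Return the CFM common-header fields, or None if this is not a CFM frame."""
    if len(frame) < 14:
        return None
    offset = 12                       # position of the EtherType field
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    vlan = None
    while ethertype in VLAN_ETHERTYPES:
        if len(frame) < offset + 6:
            return None               # truncated inside a VLAN tag
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlan = tci & 0x0FFF           # keep the innermost VLAN ID
        offset += 4
    if ethertype != CFM_ETHERTYPE or len(frame) < offset + 6:
        return None
    level_version, opcode, flags, first_tlv = struct.unpack_from(
        "!BBBB", frame, offset + 2
    )
    return {
        "vlan": vlan,
        "md_level": level_version >> 5,      # top 3 bits
        "version": level_version & 0x1F,     # low 5 bits
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "flags": flags,
        "first_tlv_offset": first_tlv,
    }


def mp_decision(frame, mp_level):
    """Decide what an MP configured at mp_level does with a received frame."""
    info = parse_cfm(frame)
    if info is None:
        return "not-cfm"
    if info["md_level"] < mp_level:
        return "drop"       # low-level OAM must not leak into the higher MD
    if info["md_level"] == mp_level:
        return "process"    # CC, LB (MAC ping) or LT (MAC trace) for this MA
    return "forward"        # belongs to an enclosing, higher-level MD


def build_cfm(md_level, opcode, vlan=None):
    """Construct a header-only CFM frame for the demonstration (not a full PDU)."""
    if opcode == 1:
        # CCM group address 01-80-C2-00-00-3y, where y is the MD level
        dst = bytes.fromhex("0180c200003" + format(md_level, "x"))
    else:
        dst = bytes.fromhex("020000000002")  # constructed unicast address
    src = bytes.fromhex("020000000001")      # constructed unicast address
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    header = struct.pack("!BBBB", md_level << 5, opcode, 0, 0)
    return dst + src + tag + struct.pack("!H", CFM_ETHERTYPE) + header + b"\x00"


# Constructed samples: a level-3 CCM in VLAN 100 and a plain IPv4 frame.
SAMPLE_CCM = build_cfm(3, 1, vlan=100)
SAMPLE_IPV4 = bytes(12) + struct.pack("!H", 0x0800) + bytes(20)

if __name__ == "__main__":
    print(parse_cfm(SAMPLE_CCM))
    for level in (1, 3, 5):
        print(f"MP at level {level}: {mp_decision(SAMPLE_CCM, level)}")
```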


Ethernet Performance Management


Conforming to ITU-T Y.1731 recommendations, the NE80E supports the Ethernet performance management. The NE80E can measure the delay, jitter, and packet loss ratio in transmission. To achieve that, the NE80E inserts the timestamp in the LB message defined in IEEE 802.1ag. In this way, the NE80E can detect performance during a specified time period and on a specified network segment to obtain the performance parameters of an end-to-end service flow. The NE80E can measure the performance parameter at a scheduled time. The NE80E also combines the performance parameter with the network management information to output reports. By using the performance management tools, the ISP can monitor the network status in real time through the NMS station. The ISP checks whether the forwarding capacity of the network complies with the SLA signed. Then, faults can be swiftly located. The ISP need not carry out detection at the user side. This greatly decreases the maintenance expense.

5.11.5 VRRP
The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. VRRP realizes route selection among multiple egress gateways by separating the physical devices from logical devices. VRRP is applicable to a LAN that supports multicast or broadcast, such as Ethernet. VRRP uses logical gateways to ensure high availability of transmission links. This avoids service interruption that results from a gateway device failure, without changing the configuration of routing protocols.

VRRP combines a group of routers in a LAN into a backup group that functions as a virtual router. Hosts in the LAN know the IP address of only this virtual router rather than that of a specific router in the backup group. Hosts set the IP address of the virtual router as their own default next-hop address. Hosts in the LAN thus access other networks through the virtual router. In the backup group, only one router is active and is called the master router; the other routers are in the backup state with different priorities and are called backup routers. Figure 5-62 shows the typical networking diagram of VRRP.

Figure 5-62 Typical networking diagram of VRRP
(Diagram: a backup group of Master RouterA, Backup RouterB, and Backup RouterC with virtual IP address 10.100.10.1/24 connects the internal network 10.100.10.0/24, containing a PC and a server, to the Internet. The addresses 10.100.10.2/24, 10.100.10.3/24, and 10.100.10.4/24 also appear in the figure.)


VRRP dynamically associates the virtual router with a physical router that undertakes transmission services. VRRP can select a new router to take over the transmission when the physical router fails. The entire process is transparent to users, and realizes non-blocking communication between the internal network and the external network.

5.11.6 VGMP
Some applications require that the forward and return paths of a session be the same. That is, the packets of the same session must pass through the same devices. In this case, VRRP has its own limitations. If active/standby switchover is performed, the forward and return paths of the same session cannot be guaranteed to be the same. To avoid the preceding problem, Huawei developed the VRRP Group Management Protocol (VGMP) on the basis of VRRP. The VRRP management group set up on the basis of VGMP uniformly manages the VRRP backup groups that join it. On a router, the interfaces that belong to different VRRP backup groups are thus kept active or standby simultaneously. In this manner, the VRRP statuses of the router are kept consistent. Configure VGMP in the following scenarios:

- The system is configured with a large number of VRRP backup groups. The system processes the VRRP protocol packets on the MPU. A large number of VRRP backup groups may generate many VRRP protocol packets. These protocol packets compete with other protocol packets for the CPU resources and for the channel and bandwidth of the inter-board communication. In this case, the system is overloaded. When you configure a VRRP management group to uniformly manage the VRRP backup groups, the managed VRRP backup groups do not send protocol packets independently. In this way, the occupancy of system resources is reduced.
- The router has functions of the firewall, NAT gateway, or proxy server. These functions require that the forward and return paths of a session be the same. Configuring a VRRP management group to uniformly manage the VRRP backup groups keeps the status of the VRRP backup groups consistent.

5.11.7 GR
Graceful Restart (GR) is a key technique that provides high availability (HA). The administrator or faults can trigger GR switchover and subsequent restart. GR neither deletes the routing information from the routing table or the FIB nor resets the interface board during the switchover caused by failure. This prevents service interruption of the whole system. GR has the following advantages:

- Simple and easy to complete. You only need to modify some protocols.
- The status information about the backup protocol is not needed.
- Only a little information needs to be backed up from the AMB to the SMB. The information is about the configuration change or update, about the interface status changes, and about the topology or route after restarting.
- The rate of stopping forwarding packets is rather low when the main board switches.
- The network can converge fast.


The NE80E supports system-based GR and protocol-based GR. The protocol-based GR includes:

- BGP GR
- OSPF GR
- ISIS GR
- MPLS LDP GR
- L3VPN GR
- RSVP GR

5.11.8 BFD
To improve network performance, the system must be able to rapidly detect a communication fault, and then set up a backup channel to resume the communication. The BFD provides the following functions:

- Provides low-load and short-duration detection for path faults between two adjacent forwarding engines.
- Uses a single mechanism to perform real-time detection of all media or protocol layers, and supports different detection time and costs.

The NE80E supports BFD as follows.

BFD for VRRP


The BFD quickly detects and monitors the forwarding status of links or IP routes. Fast VRRP switchover is thus implemented.

BFD for Fast Reroute


- BFD for LDP FRR: The LDP FRR switch is triggered if the BFD session is Down.
- BFD for IP FRR and BFD for VPN FRR: For the NE80E, the IP FRR and the VPN FRR are triggered only after the detected faults are reported to the control plane.

BFD for Static Routes


Static routes do not have a detection mechanism. When a fault occurs on the network, an administrator must intervene. Through the BFD for IS-IS, you can use the BFD session to detect the status of the public network IPv4 static routes. Based on the status of the BFD session, the routing management system can determine whether the static route can be used.

BFD for IS-IS


In the NE80E, the statically configured BFD session is used to detect the IS-IS peer relationship. The BFD detects the link fault between IS-IS peer nodes and quickly reports it to IS-IS. Fast IS-IS convergence is thus triggered.


BFD for OSPF/BGP


In the VRP, the OSPF and the BGP can dynamically set up and delete a BFD session.

- When peers of OSPF/BGP are set up, OSPF/BGP uses the routing management module to inform the BFD of setting up a session. The BFD session then quickly detects the OSPF/BGP peer relationship. The detection parameters of the BFD session are determined by OSPF/BGP.
- When the BFD detects a fault, its status becomes Down. The BFD uses the routing management module to trigger the route convergence.

  General routing protocols implement detection at the second level through the Keepalive mechanism of Hello packets. The BFD works at the millisecond level. The period of the BFD is 10 ms. If the Detect Mult parameter is set to 3, the BFD can report the protocol fault in 50 ms. The route convergence thus speeds up.
- When the peer status is Unreachable, OSPF/BGP uses the routing management module to inform the BFD of deleting the corresponding session.
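How the period and Detect Mult figures above combine, as an added example that is not Huawei code: the block decodes a BFD control packet as laid out in RFC 5880, applies the RFC's basic reception checks, and computes the asynchronous-mode detection time. With the 10 ms period and Detect Mult of 3 quoted above the result is 30 ms, inside the 50 ms reporting figure. The packet bytes and arrival times are constructed, and the function names are hypothetical.

```python
"""Added example: BFD control packet decoding and detection time (RFC 5880)."""
import struct
from collections import namedtuple

BfdControl = namedtuple(
    "BfdControl",
    "version diag state flags detect_mult length my_disc your_disc "
    "desired_min_tx_us required_min_rx_us required_min_echo_rx_us",
)
STATES = ("AdminDown", "Down", "Init", "Up")
FLAG_A, FLAG_M = 0x04, 0x01      # flag bits in byte 1 are P F C A D M


def parse_bfd(payload):
    """Return (packet, None), or (None, reason) when the packet must be discarded."""
    if len(payload) < 24:
        return None, "shorter than the 24-byte mandatory section"
    b0, b1, mult, length, my_disc, your_disc, tx, rx, echo = struct.unpack_from(
        "!BBBBIIIII", payload
    )
    pkt = BfdControl(b0 >> 5, b0 & 0x1F, STATES[b1 >> 6], b1 & 0x3F,
                     mult, length, my_disc, your_disc, tx, rx, echo)
    min_len = 26 if pkt.flags & FLAG_A else 24   # authentication adds a section
    if pkt.version != 1:
        return None, "version is not 1"
    if length < min_len or length > len(payload):
        return None, "bad Length field"
    if mult == 0:
        return None, "Detect Mult is zero"
    if pkt.flags & FLAG_M:
        return None, "Multipoint bit is set"
    if my_disc == 0:
        return None, "My Discriminator is zero"
    if your_disc == 0 and pkt.state not in ("Down", "AdminDown"):
        return None, "Your Discriminator is zero in state " + pkt.state
    return pkt, None


def detection_time_us(local_required_min_rx_us, remote):
    """Asynchronous mode: remote Detect Mult x the agreed remote transmit interval."""
    agreed = max(local_required_min_rx_us, remote.desired_min_tx_us)
    return remote.detect_mult * agreed


def detection_expiry_ms(arrivals_ms, detection_ms):
    """Time at which the detection timer expires within a capture, else None."""
    for prev, nxt in zip(arrivals_ms, arrivals_ms[1:]):
        if nxt - prev > detection_ms:
            return prev + detection_ms   # session goes Down here, before nxt
    return None


def build_bfd(state, detect_mult, my_disc, your_disc, tx_us, rx_us):
    """Construct an unauthenticated control packet for the demonstration."""
    return struct.pack("!BBBBIIIII", 1 << 5, STATES.index(state) << 6,
                       detect_mult, 24, my_disc, your_disc, tx_us, rx_us, 0)


# Constructed sample: Up state, Detect Mult 3, 10 ms (10000 us) intervals.
SAMPLE_PACKET = build_bfd("Up", 3, 0x11, 0x22, 10000, 10000)
# Constructed arrival times in ms: the peer stops answering after t = 30.
SAMPLE_ARRIVALS_MS = [0, 10, 20, 30, 75, 85]

if __name__ == "__main__":
    packet, reason = parse_bfd(SAMPLE_PACKET)
    detect_us = detection_time_us(10000, packet)
    print(packet.state, "detection time:", detect_us / 1000, "ms")
    print("declared Down at t =",
          detection_expiry_ms(SAMPLE_ARRIVALS_MS, detect_us // 1000), "ms")
```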

BFD for PIM


PIM BFD is applicable to the shared network segment where routers enabled with PIM reside. PIM BFD fast detects the fault of the DR or Assert Winner. PIM BFD uses normal BFD messages. It automatically sets up BFD sessions between PIM neighbors, monitors the status of the PIM neighbors, and responds to the failure of the neighbor promptly.

BFD for IP-Trunk and Eth-Trunk


Both IP-Trunk and Eth-Trunk consist of multiple member links. They provide a higher transmission rate and enhance the reliability of a link. The trunk keeps the Up state only when the number of member links in the Up state reaches a certain value. In the VRP, the BFD detects the trunk link and the trunk member link respectively. As a result, BFD can detect the connectivity of the entire trunk and the connectivity of an important member link.

BFD for LSP


BFD for LSP refers to sending BFD messages over static LSPs, dynamic LDP LSPs, RSVP-TE tunnels, and PWs. By fast transceiving BFD messages, BFD for LSP completes the fast fault detection of these tunnels. It thus triggers the fast switchover for the carried services, protecting services. BFD for LSP performs fast fault detection of LSPs, TE tunnels, and PWs. In this way, BFD for LSP realizes fast switchover of MPLS services such as VPN FRR, TE FRR, and VLL FRR.

5.11.9 FRR
The NE80E provides multiple fast reroute (FRR) features. You can deploy FRR as required to improve network reliability.


IP FRR
FRR can minimize data loss due to network faults. The switchover time can be less than 50 ms. The NE80E provides the fast reroute function, which enables the system to monitor and store the real-time state of the service card and the port, and check the status of the port during forwarding. When an abnormality occurs on the port, the system can quickly switch traffic to another route (if one exists), thereby improving the MTBF and reducing the amount of lost packets.

LDP FRR
The traditional IP FRR cannot protect the MPLS traffic efficiently. Supporting LDP FRR, the NE80E provides a port-based protection solution. When LDP works in the downstream label distribution, sequential label control and liberal retention modes, LSR stores all label mappings received. Only the label map from the next hop of the corresponding route of FEC can generate a label forwarding table. With this feature, if the liberal label map can generate a label forwarding table, the standby LSP is established. When the network runs normally, use the active LSP. If the outbound interface of LSP is down, adopt the standby LSP. You can thus ensure that services are not interrupted before network convergence.

TE FRR
TE FRR is a technology used in MPLS TE to implement local protection of the network. Only an interface whose rate is up to 100 Mbit/s can support FRR. The switching time of FRR can reach 50 ms, which minimizes packet loss in the case of a network fault. FRR is only a temporary measure. Once the protected LSP recovers or a new LSP is established, the traffic is switched to the original LSP or the new LSP. After FRR is configured for an LSP, when a certain link or node on the LSP becomes invalid, the traffic is switched to the protected link while the ingress of the LSP manages to establish a new LSP. Based on the objects to be protected, FRR is divided into the following two types:

- Link protection: A direct link exists between the PLR and the MP, and the primary LSP passes this link. When this link is out of service, traffic is switched to the bypass LSP. As shown in Figure 5-63, the primary LSP is R1→R2→R3→R4, and the bypass LSP is R2→R6→R3.

  Figure 5-63 Schematic diagram of FRR link protection
  (Diagram labels: PLR, MP, R1, R2, R3, R4, R6, primary LSP, bypass LSP.)

- Node protection: The PLR is connected with the MP through R3, and the primary LSP passes this router. When R3 fails, traffic is switched to the bypass LSP. As shown in Figure 5-64, the primary LSP is R1→R2→R3→R4→R5, and the bypass LSP is R2→R6→R4. R3 is the protected router.

  Figure 5-64 Schematic diagram of FRR node protection
  (Diagram labels: PLR, MP, R1, R2, R3, R4, R5, R6, primary LSP, bypass LSP.)

VLL FRR
VLL FRR is a technique for realizing network protection in the L2VPN. It quickly switches user traffic to the backup link after a fault occurs on the network. In this way, the reliability of the L2VPN is improved. VLL FRR is also called VLL redundancy. VLL FRR in the L2VPN includes fault detection, fault notification, and active/standby switchover of links. The NE80E provides various features that can be combined to realize VLL FRR.

- Fault detection
  - BFD for LSP/PW can quickly detect the fault of the LSP/PW at the network side in an L2VPN.
  - Ethernet OAM, ATM OAM, PPP, and FR can quickly detect the fault at the access circuit (AC) side in an L2VPN.
- Fault notification
  - LDP, BGP, or RSVP can notify the remote PE router of the fault of the LSP/PW or the AC.
  - BFD for LSP/PW can inform the remote PE router of the fault of the LSP/PW or the AC.
  - Ethernet OAM, ATM OAM, PPP, and FR can notify the local CE router of the fault.
- Active/standby switchover of links
  - In a symmetric network, CE routers perform the active/standby switchover.
  - In an asymmetric network, PE routers work with CE routers to perform active/standby switchover.

VPN FRR
In the traditional L3VPN, the local PE router senses the fault of the remote PE router through the BGP Hello packets. The time taken to sense the fault defaults to 90 seconds. That is, VPN routes on the local PE router converge after the fault of the remote PE router lasts 90 seconds. VPN FRR supported by the NE80E can solve the preceding problem. When the CE router is dual-homed, VPN FRR can fast switch VPN services to the backup tunnel and PE router after the link between the CE router and the PE router is disconnected or after the PE router restarts. In this manner, services are restored within a short period.

- The forwarding engine of the local PE router keeps not only the outer labels of the remote active PE router and the inner labels distributed to VPN routes, but also the outer labels of the remote standby PE router and the inner labels distributed to VPN routes.
- With the end-to-end fault detection mechanisms such as BFD, the local PE router senses the fault of the remote active PE router within 200 milliseconds and then switches the outer and inner labels of the remote active and standby PEs at the same time. VPN FRR solves the problem of switchover between inner labels.
- The switchover priority level of VPN FRR is lower than that of LDP/MPLS TE FRR. The time taken by VPN FRR to sense the fault is thus more than that taken by LDP/TE FRR.


6 Maintenance and Network Management System


The NE80E provides various maintenance functions such as software download, online upgrade, operation detection, diagnosis and real-time query. This greatly facilitates the system maintenance. The NE80E adopts Huawei Quidway network management system (NMS). It supports the Simple Network Management Protocol (SNMP) V1/V2c/V3 and the Client-Server architecture. The NE80E NMS can operate on multiple operating systems such as Windows NT/2000/XP and UNIX (SUN, HP, and IBM). The NE80E NMS provides graphic user interfaces in multiple languages.

6.1 Maintenance Features and Functions


6.1.1 System Configuration Mode
The NE80E provides two configuration modes, that is, command line configuration and NMS configuration. Command line configuration supports:

- Local configuration through the Console port
- Remote configuration through the AUX port with a Modem
- Remote configuration through Telnet

NMS configuration supports the SNMP-based NMS.

6.1.2 System Management and Maintenance


The NE80E provides the following system management and maintenance functions:

- Board-in-position detection, hot-swap detection, Watch Dog, board reset, control over running and debugging indicators, fan monitoring, power monitoring, active/standby switchover control, and version query
- Local and remote software upgrading and data loading, upgrade backoff, backup, storage, and removal
- Hierarchical user authority management, operation log management, online help and comment for command line
- Multi-user operation
- Collection of multi-layer information, including port information, Layer 2 information, and Layer 3 information
- Hierarchical management, alarm classification and alarm filtering

6.1.3 System Service and Status Tracking


The NE80E can track the system service and status as follows:

- Monitors the change of the state machine of routing protocols.
- Monitors the change of the state machine of the MPLS LDP.
- Monitors the change of VPN-related state machine.
- Monitors the type of upstream protocol packets sent by the NP, and displays details about the packets with the debugging function.
- Monitors and takes account of abnormal packets.
- Displays notification when processing of the abnormality takes effect.
- Collects statistics on the resource used by each feature system.

6.1.4 System Test and Diagnosis


The NE80E provides debugging for running services. While in service, it can record key events, packet processing, packet resolution, and state switchover during a specified period. This helps in device debugging and networking. You can enable or disable the debugging of a specific service (such as a routing protocol) and a specific interface (such as the routing protocol information on the specified interface) through the debugging command.

The NE80E provides the trace function on system operation. While in service, it can record key events such as task switchover, task interruption, queue read-and-write, and system abnormality. When the system is restarted after a fault occurs, you can read the trace information for fault location. You can enable or disable the trace function through the tracert command. In addition, you can query the CPU usage of the SFU and the LPU in real time.

The debugging and trace functions of the NE80E classify the information. The sensitive information of different classes is directed to different destinations of output based on the user configuration. The destinations of output include the Console display, Syslog server, and SNMP Trap trigger alarm.

The NE80E also provides the Network Quality Analysis (NQA) function. NQA measures the performance of each protocol running in the network and helps the network operator collect network running indexes, such as total delay of HTTP, delay of a TCP connection, delay of DNS resolution, rate of file transfer, delay of an FTP connection, and rate of wrong DNS resolution. Through controlling these indexes, the network operator provides users with services of various grades and charges them differently. NQA is also an effective tool in diagnosing and locating faults in the network.


6.1.5 Online Debugging


The NE80E provides the port mirroring function which is used to map the specified traffic to a monitored port so that maintenance personnel can debug and analyze the operation status of the network.

6.1.6 In-Service Upgrade


The NE80E provides in-service upgrade for system software. If the upgraded software fails, the system restarts and reverts to the original version. In addition, the NE80E provides in-service patching to upgrade some specific features only. If errors occur after the upgrade of a patch, the system can restore the original version. The NE80E supports online upgrade of the MPU and the LPU. To upgrade them, you need to reset only the board to be upgraded. In addition, the NE80E supports the concurrent upgrade of multiple LPUs. After the upgrade, the system backs up the original version of the program. The online download of programs does not affect the normal operation of the system.

6.1.7 Miscellaneous Features


The NE80E provides the following additional configuration features:

- Hierarchical protection for configuration commands, ensuring that unauthorized users cannot access the router.
- Online help available if you type a "?".
- Various debugging information for network troubleshooting.
- DosKey-like function for running a history command.
- Fuzzy search for command lines. For example, you can enter the non-conflicting key words "disp" for the display command.

6.2 Network Management System


The NE80E adopts Huawei iManager N2000 NMS. It supports SNMP V1/V2c/V3 and the Client-Server architecture. The NE80E NMS can operate on multiple operating systems such as Windows NT/2000/XP and UNIX (SUN, HP, and IBM). The NE80E NMS provides graphic user interfaces in multiple languages. The iManager N2000 NMS can be seamlessly integrated with the NMS of other Huawei fixed network telecom equipment, for centralized management. The N2000 NMS can also be integrated with other universal NMSs in the industry, such as HP OpenView, IBM NetView, What's up Gold and SNMPc. This makes it possible to perform unified management of the devices of multiple vendors. The N2000 NMS provides real-time management on topology, fault, performance, configuration tool, equipment log, security and users, QoS policy, and VPN service. Besides, it can be used to download, save, modify, and upload configuration files, as well as upgrade the system software.


7 Networking Applications

The NE80E is mainly applicable to the IP core/backbone network or the convergence node with heavy traffic. It also acts as a gateway on the data center network with features of a carrier-class device. The NE80E provides multiple services such as IPv4/IPv6 routing and high-speed forwarding, MPLS, and IP multicast. In addition, it provides MPLS TE to solve the traffic problem on the backbone network.

The NE80E can be used:
- As a core node on the national or provincial backbone network
- As a Point of Presence (POP) access node on the national or provincial backbone network
- As a core node on the MAN

7.1 Application on the National Backbone Network


As shown in Figure 7-1, the national backbone network adopts the partial net topology. It connects upstream to the international egress and downstream to provincial backbone networks. It also connects to other ISP networks through the Network Access Point (NAP). The NE80E can work as a core node of the national backbone network because of its large capacity, powerful routing, and high-speed forwarding capability.


Figure 7-1 Application on the national backbone network

[Figure not reproduced. Labels in the figure: NAP; international egress; national backbone; provincial backbone; NE80E; NE5000; NE80E/NE80; IPv4; 10G POS.]

The NE80E can meet the requirements for bearing multiple services on the IP backbone network, with the following features:
- Fifth-generation service expansion and seamless upgrade
- Carrier-class stability
- Perfect compatibility
- Perfect QoS mechanisms

7.2 Application on the IP Bearer Network


Figure 7-2 shows the application on the IP bearer network.


Figure 7-2 Application on the IP bearer network

[Figure not reproduced. Labels in the figure: core layer; convergence layer; access layer; CR (NE5000E); BR (NE80E); AR (NE40E); SoftX3000; nodes PJ1, XA1, SD1, NJ1, SH1, WH1, GZ1, SY1.]

Given the condition of the existing bearer network and the positioning on the NGN bearer network and 3G services, carriers need to set up a core bearer network to carry NGN multi-services. In the new market competition environment, with the development of new services and technologies, the newly-built bearer network will become the next-generation multi-service bearer platform that supports voice, data, and video transmission. Specifically, the newly-built bearer network will carry such services as NGN, video conference, video phone, streaming media, enterprise interconnection, and 3G. It will be a milestone in network transformation and network convergence for carriers.

In this solution, the NE5000E acts as the core router to forward data at a high speed and ensure high reliability; the NE80E/40E acts as the convergence router to access services of NGN voice, signaling, NMS, and customers. This application has the following characteristics:
- The core layer uses double planes. The NE5000Es are connected in full-mesh mode.
- The NE80E is dual-homed to the NE5000E.
- Two devices are deployed on an important node to back up each other.
- MPLS VPN is uniformly planned to realize user isolation and service isolation.
- VPN FRR is deployed on all PE routers.
- Such techniques for high reliability as TE FRR, GR, BFD for VRRP, and IGP fast convergence are used on the network.


7.3 Application on the IPTV Bearer Network


Figure 7-3 shows the application on the IPTV bearer network.

Figure 7-3 Application on the IPTV bearer network

[Figure not reproduced. Devices shown: CS, NMS, BAS, NE80E, ES, convergence switch, DSLAM, multicast switch, end switch, home gateway, TV, PC; core bearer network. Annotations in the figure:
- DiffServ, multicast fast convergence, Anycast RP provides reliability
- Dynamic IP+MAC+VLAN binding, strict URPF, ensuring access security
- QinQ, 4K x 4K VLANs, isolated unicast services, secure access
- Multicast replication on the edge, ensuring high efficiency and controllable multicast
- Selective QinQ, dedicated multicast VLAN, avoiding replication on the gateway
- Multicast switch, saving reconstruction expense]

In this application, the devices are recommended as follows:


- The NE80E/40E can run as the core-layer router to provide full VPN, multicast, and QoS scheduling functions.
- The MA5200G/ME60, a multi-service control gateway of high performance and large capacity, can run as the service-control-layer device. The MA5200G/ME60 supports authentication through PPPoE and DHCP and multicast replication based on VLANs and PPPoE sessions. The MA5200G/ME60 also supports five-level QoS scheduling.
- The S8500 switch can run at the convergence layer. The S8500 supports selective QinQ and effectively differentiates services.
- The S6500 can run as the multicast switch. It supports inter-VLAN multicast replication for attached switches or DSLAMs without the multicast functions.



- The S3000 and S2000 can run as the access switch. They provide multicast features such as multicast VLAN and IGMP snooping/proxy.
- The Huawei SMARTAX DSLAMs such as MA5100/5300/5600 can run as the access end DSLAM. Based on the ATM structure, the MA5100 supports multicast with the newly added EVM boards. The original network services and new video services can access different networks through various boards. Based on the IP structure, the MA5300/5600 provides abundant multicast functions.

This application has the following characteristics:


- The IPTV bearer network and the original MAN access network use the same platform. The IPTV bearer network is thus integrated into the whole network structure of carriers.
- At the core layer, the high-end router NE80E/40E is used to build the MPLS VPN and construct the logical plane for various services. Besides, the NE80E/40E forwards data at a high speed and provides high-performance QoS.
- The BRAS at the service control layer is deployed as follows:
  - In the early phase of the development of IPTV services, normal services and IPTV services access the same BRAS and are distributed. In this manner, little change is made to the whole network and new services are deployed promptly.
  - With the development of large-scale services, dedicated IPTV BRASs are required. Broadband access services access the original BRAS; IPTV services access the dedicated IPTV BRAS. In this way, IPTV services and other services do not interfere with each other, and the high-traffic requirements of IPTV services are satisfied. Besides, the powerful control capability of the BRAS ensures the secure access of IPTV services.
- IPTV services and other services are distributed on the convergence-layer device.


7.4 Application on the Multi-Service IP MAN


Figure 7-4 Application on the multi-service IP MAN

[Figure not reproduced. Labels in the figure: backbone network; Internet backbone network; IP bearer network; IP MAN; egress router; ASBR-PE; MAN core network; BRAS; USR; service control layer; IP broadband access network; access network; customer and NGN access network; broadband access; customer service; NGN service.]

As shown in Figure 7-4, the IP MAN is divided into the core layer, service control layer, and access layer. The NE80E is usually used in the core position on the IP backbone network, IP MAN, and large-scale IP network. In this application, the NE80E can be deployed on the egress of the IP MAN core network. The NE40E is usually deployed as the core or convergence node on the IP MAN. In this application, the NE40E can be deployed as the convergence node on the IP MAN core network.

The core layer is responsible for high-performance and large-capacity data forwarding. It requires a simple network structure and secure and reliable transmission of multiple services. Huawei enables IP/MPLS at the core layer and allows a physical network to realize multiple logical service bearer planes through the MPLS VPN technology. To ensure network security and reliability, Huawei adopts many reliability techniques at the core layer, such as device high-reliability, network high-reliability, and inter-AS high-reliability. Huawei provides core-layer devices of large capacity, high-density interfaces, and high forwarding performance, meeting the requirements for the core layer.

The NE80E/40E provides the following features that meet the demands of the core layer of the MAN:
- The NE80E/40E has powerful switching capacity. The interface capacity of a single system reaches 640 Gbit/s. The NE80E/40E provides line-rate 10-Gbit/s interfaces. In addition, the NE40E provides high-density GE interfaces. This meets the requirements for large-capacity and high-performance forwarding of the core network.
- The NE80E/40E provides powerful routing capability and various routing protocols.
- The NE80E/40E supports IP/MPLS and provides multiple VPN solutions such as MPLS/BGP L3VPN and MPLS L2VPN. In this manner, multiple services are carried over the logical bearer plane of the core network. Service isolation and security are thus realized. The NE80E/40E supports inter-AS VPN Option A/B/C. This guarantees the reliable running of inter-AS services.
- The NE80E/40E provides carrier-class reliability, such as redundancy of key modules and in-service patching. In addition, the NE80E/40E provides various FRR techniques, such as IP FRR, LDP FRR, and TE FRR.

7.5 Application on the IPv6 Backbone Network


Figure 7-5 Application on an IPv6 backbone network

[Figure not reproduced. Labels in the figure: IPv6 core (NE5000E/80E); IPv6 edge (NE80E/40E); PE (NE80E); IPv6/IPv4; IPv6 Internet; IPv4 Internet; L3 switch; L2 switch; MA 5200; SOHO IPv6. Legend: PE: Provider Edge; PT: Protocol Translation; NAT: Network Address Translation.]

As shown in Figure 7-5, the IPv6 application on the backbone network does not impact the original IPv4 services such as IPv4 forwarding and MPLS VPN. The application needs to solve two problems:
- Interconnection between IPv6 islands
- Interworking between IPv6 and IPv4 networks


The NE80E brings forward the following solutions based on IPv6:


- All the routers on the backbone network support the IPv4/IPv6 dual-stack. In this case, IPv4 services are forwarded over IPv4, while IPv6 services are forwarded over IPv6. Both problems can be solved.
- The interconnection between IPv6 islands can be implemented through L3 tunnels, manually configured tunnels or 6to4 tunnels. The core router needs only to support the IPv4 forwarding. You can implement the interworking between IPv6 and IPv4 networks by configuring the NAT-PT on gateways.
- The interconnection between IPv6 islands can be implemented through MPLS L2 tunnels by applying MPLS L2 VPN techniques such as VPLS and CCC. The core router needs only to support the MPLS forwarding. You can implement the interworking between IPv6 and IPv4 networks by configuring the NAT-PT on gateways.


8 Technical Specifications

8.1 Physical Specifications

Table 8-1 Physical specifications

| Item | | Description |
|---|---|---|
| External dimensions (width x depth x height) | | 442 mm x 669 mm x 1600 mm (36U) |
| Installation | | Mounted in a 19-inch standard cabinet or an N68-22 cabinet |
| Weight | | 250 kg (fully configured); 85 kg (empty); 3.8 kg (MPU); 3.0 kg (SFU); 4.8 kg (LPU) |
| Maximum power | | 5000 W |
| DC input voltage | Rated voltage | 48 V |
| | Maximum voltage range | 72 V to 38 V |
| AC input voltage | Rated voltage range | 170 V to 275 V |
| | Maximum voltage range | 180 V to 264 V |
| Environmental temperature | Long-term | 0°C to 45°C |
| | Short-term | 5°C to 55°C |
| | Remark | Restriction on the temperature variation rate: 30°C per hour |
| Storage temperature | | 40°C to 70°C |


| Item | | Description |
|---|---|---|
| Relative environmental humidity | Long-term | 5% to 85% RH, non-condensing |
| | Short-term | 0% to 95% RH, non-condensing |
| Relative storage humidity | | 0% to 95% RH, non-condensing |
| Altitude for permanent work | | Within 3000 meters |
| Storage altitude | | Within 5000 meters |

8.2 System Configuration


Table 8-2 System configuration list

| Item | Description | Remark |
|---|---|---|
| Processing unit | Main frequency: 1 GHz | - |
| BootROM | 1 MB | - |
| SDRAM | 1 GB | It can be extended to 2 GB. |
| NVRAM | 512 KB | - |
| Flash | 32 MB | - |
| CF card | 512 MB | The capacity can be extended. |
| Switching capacity | 2.56 Tbit/s (bidirectional) | - |
| Backplane capacity | 4 Tbit/s (bidirectional) | - |
| Interface capacity | 640 Gbit/s (bidirectional) | - |
| Number of LPU slots | 16 | LPU (optional) |
| Interface capacity per slot | 40 Gbit/s (bidirectional) | Can be upgraded to 80 Gbit/s (bidirectional) |
| Forwarding rate per chassis | 800 Mpps | Can be upgraded to 1600 Mpps |
| Transmitting rate of the LPU | 16 kbit/s | Bidirectional: sending packets to the MPU and receiving packets from the MPU |
| Number of MPU slots | 2 | MPU |
| Transmitting rate of the MPU | 32 kbit/s | Bidirectional: sending and receiving |
| Number of SFU slots | 4 | SFU |


| Item | Description | Remark |
|---|---|---|
| Maximum port rate supported by LPUs | 20 Gbit/s (uni-directional) | Can be upgraded to 40 Gbit/s (uni-directional) |

8.3 Specifications of System Features and Service Performances


8.3.1 Specifications of System Features
Table 8-3 Specifications of the system features

| Feature | Description | |
|---|---|---|
| Interworking | LAN protocols | Ethernet_II; IEEE802.1Q; IEEE802.1p |
| | Link layer protocols | PPP, MP; HDLC; FR; ATM; IP over ATM; RPR; RRPP |
| | Ethernet switching | Basic VLAN features; VLAN aggregation; VLAN trunk; Dynamic learning between VLAN members; VLANIF; Inter-VLAN routing; VLAN translation; VLAN stacking/VLAN mapping; STP/RSTP/MSTP; QinQ |


| Feature | Description | |
|---|---|---|
| Network protocol | IPv4 routing protocols | Static routes |
| | | Dynamic unicast routing protocols: RIP-1/RIP-2; OSPF; IS-IS; BGP |
| | | Multicast protocols: IGMP; IGMP snooping; PIM-DM; PIM-SM; PIM-SSM; MBGP; MSDP |
| | | Multicast VLAN |
| | | Multicast VPN |
| | | Multicast flow control |
| | | Routing policies |
| | IPv6 | IPv4-to-IPv6 transition technologies: Manually configured tunnel; GRE; Automatic tunnel; 6to4 tunnel; 6PE; IPv4 over IPv6 tunnel |
| | | IPv6 static routing |
| | | IPv6 dynamic unicast routing: BGP4+; RIPng; OSPFv3; IS-ISv6 |
| | | IPv6 multicast protocols: MLD; PIM-IPv6-DM; PIM-IPv6-SM; PIM-IPv6-SSM |


| Feature | Description | |
|---|---|---|
| MPLS | Basic functions | MPLS forwarding; MPLS LDP; MPLS TE (RSVP-TE/CR-LDP); MPLS QoS; MPLS Uniform, Pipe and Short Pipe; MPLS OAM; IPTN |
| VPN | L2VPN | VLL/PWE3 (Martini, Kompella); VPLS; QinQ; HVPLS; ATM Inter-Working Function (ATM IWF) |
| | L3VPN | MPLS/BGP VPN (as the PE router or the P router); HoVPN; Multicast VPN; Inter-VPN; Carrier's carrier; RRVPN; Multi-role host |
| | IPv6 L3VPN | IPv6 MPLS/BGP VPN (as the PE router or the P router); Inter-VPN; Carrier's carrier |
| Security | AAA | CHAP; PAP; RADIUS; HWTACACS |
| | Other security features | SSH; Port mirroring; Port traffic sampling; Traffic control on the LPU and the MPU; URPF; Layer 2 limit; ARP anti-attack; Attack defense; Lawful interception; Hierarchical commands to defend against unauthorized users' login |


| Feature | Description | |
|---|---|---|
| Reliability | Hot backup | 1:1 backup of MPUs; 3+1 load balancing and backup of SFUs; 1+1 backup of the power module; 1+1 backup of the system management bus and data bus; 1+1 backup of the fan module |
| | GR | Protocol-level GR: IS-ISv4, OSPF, BGP4, LDP, and VPN; System-level GR |
| | Other | IP FRR; LDP FRR; TE FRR; VLL FRR; VPN FRR; VRRP; BFD; Dampening control to support Up/Down of interfaces; Customized alarm damping |
| QoS | Traffic classification | Simple traffic classification; Complex traffic classification: based on port; based on Layer 2, Layer 3 or Layer 4 packets |
| | Traffic policing and shaping | Traffic policing and traffic shaping based on srTCM or trTCM; DiffServ EF, AF services; GTS |
| | Congestion management | PQ/WFQ |
| | Congestion avoidance | RED/WRED |
| | Policy-based routing | Route redirection, MPLS LSP explicit route distribution |
| | QPPB | IP precedence; Specific traffic behavior |
| | BGP accounting | BGP identifies and classifies the routes through BGP traffic index to account the traffic on the basis of classification |
| | VPN QoS | QoS that transmits the private network routes through BGP is an extension of QPPB in the L3VPN |


| Feature | Description | |
|---|---|---|
| | | Supports traffic classification, traffic shaping, and queue scheduling in the L2VPN and L3VPN; Supports the combination between VPN QoS and MPLS DiffServ/MPLS TE/MPLS DS-TE |
| | QinQ QoS | 802.1p remark supported by QinQ; 802.1p and DSCP Remark During QinQ Termination; 802.1p and EXP Remark During QinQ Termination |
| | ATM QoS | Simple traffic classification and forcible traffic classification |
| | FR QoS | Traffic shaping, traffic policing, congestion management, queue management, and FR fragmentation |
| | HQoS | Two-level scheduling mode; Level 1 scheduling ensures bandwidth for each user and level 2 scheduling ensures bandwidth for services of each user; L2VPN HQoS; L3VPN HQoS; TE and DS-TE HQoS |
| Configuration management | Command line interface | Local configuration through the Console port; Local or remote configuration through the AUX port; Local or remote configuration by Telnet; Local or remote configuration by SSH login; Hierarchical commands to defend against unauthorized users' login; Detailed debugging information for network faults diagnosis; Network test tools such as tracert and ping; Supports logging in to and managing other routers by Telnet; FTP server and client functions to upload and download configuration files and applications; TFTP client functions to upload and download configuration files and applications; Upload and download configuration files and applications through the XModem protocol; System logs; Virtual file system |


| Feature | Description | |
|---|---|---|
| | Time service | Time Zone; Summer Time; NTP server and NTP client |
| | Online services | In-service upload; In-service upgrade; In-service patching |
| | Information center | Provides three types of information: alarm, log, and debugging; Provides eight levels of information: emergency, alert, critical, error, warning, notification, informational, and debugging; Information can be output to the log host or user terminal; log information and alarm information can be output through the SNMP Agent or the buffer |
| | Network management | Supports SNMP v1/v2c/v3; RMON; NetStream; Traffic statistics |

8.3.2 Specifications of Service Performances


Table 8-4 Service performance specifications

| Attribute | Service Feature | Technical and Performance Specifications |
|---|---|---|
| IP unicast | IPv4/IPv6 forwarding | Line-rate forwarding of IPv4/IPv6 packets on the high-speed interface |
| | IPv4/IPv6 routing entries | More than 3200000 or more than 2600000 |
| | Routing convergence speed | < 1000 ms |
| | Number of IPv6 over IPv4 tunnels | 8000 |
| | Number of 6PEs | 1000 |
| | Number of routes or LSPs that carry out load balancing | 16 |
| MPLS | Label layers | 6 |
| | Number of LSPs | 1M |


| Attribute | Service Feature | Technical and Performance Specifications |
|---|---|---|
| | Speed of LSP refreshment | 3000 LSPs/s |
| | Number of LDP neighbors | More than 1000 |
| | MPLS FRR switching time | < 50 ms |
| | Forwarding delay | < 50 us |
| L2VPN | VLL entries | 16 K |
| | VSI entries | 8K |
| QoS | Number of traffic classification rules | 16 K/LPU, extendable to 128 K/LPU |
| | CAR granularity | 64 K |
| | Number of queues | 8 k/LPU |
| | Levels of HQoS scheduling | 5 levels |
| | Packet buffer time | 200 ms |
| Multicast | Number of multicast routes | 8K |
| | Number of multicast static routes | 256 |
| | Number of multicast forwarding table entries | 8K |
| | Forwarding rate | 10 Gbit/s |
| | Forwarding delay | < 50 us |
| | Multicast replication ability | 1024 |
