quidway s9300 product description

Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. Quidway S9300 Terabit Routing Switch V100R002C00 Product Description Issue 05 Date 2010-01-08

Upload: anis-tn

Post on 13-Apr-2015


Page 1: Quidway S9300 Product Description

Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

Quidway S9300 Terabit Routing Switch

V100R002C00

Product Description Issue 05

Date 2010-01-08


Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, please contact our local office or company headquarters.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129 People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Copyright © Huawei Technologies Co., Ltd. 2010. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.


Contents

About This Document

1 Product Overview
    1.1 Introduction
    1.2 High-Density Interfaces
    1.3 Flexible Expansibility
    1.4 Powerful Forwarding Capability
    1.5 Rich Service Features
    1.6 Excellent Security Design
    1.7 Carrier-Class Reliability
    1.8 Maintainability

2 System Architecture
    2.1 System Structure
        2.1.1 System Structure of the S9303
        2.1.2 System Structure of the S9306
        2.1.3 System Structure of the S9312
    2.2 Hardware Structure
        2.2.1 Backplane
        2.2.2 SRU
        2.2.3 MCU
        2.2.4 CMU
        2.2.5 LPU
        2.2.6 FSU
        2.2.7 Clock Board
    2.3 Software Architecture

3 Service Features
    3.1 IP Features
        3.1.1 IPv4/IPv6 Protocol Stack
        3.1.2 IPv4 Features
        3.1.3 IPv6 Features
        3.1.4 IPv4/IPv6 Transition Technologies
    3.2 MPLS
        3.2.1 Basic MPLS Functions
        3.2.2 MPLS TE
        3.2.3 MPLS OAM
    3.3 MPLS L2VPN
        3.3.1 VLL
        3.3.2 VPLS
        3.3.3 HVPLS
    3.4 MPLS L3VPN
    3.5 IP Session
    3.6 QoS
        3.6.1 Hierarchical Traffic Policing
        3.6.2 Flow Control
        3.6.3 Re-marking
        3.6.4 Queue Scheduling
        3.6.5 Congestion Avoidance
        3.6.6 Traffic Shaping
    3.7 Ethernet
        3.7.1 VLAN Mapping
        3.7.2 Selective QinQ
        3.7.3 BPDU Tunnel
    3.8 Ethernet OAM
        3.8.1 Point-to-Point Fault Management for Ethernet
        3.8.2 End-to-End Fault Management for Ethernet
        3.8.3 Ethernet Performance Management
    3.9 NQA
    3.10 NAC
    3.11 Multicast
        3.11.1 Multicast Routing Protocol
        3.11.2 IGMP Snooping
        3.11.3 Static Multicast
        3.11.4 Multicast VLAN and Multicast Replication
    3.12 Reliability
        3.12.1 Link Aggregation
        3.12.2 DLDP
        3.12.3 RRPP and the Multi-Instance Technology
        3.12.4 Smart Link and the Multi-Instance Technology
        3.12.5 BFD
        3.12.6 LSP Protection Switchover
        3.12.7 High Availability at the Equipment Level
    3.13 LLDP
    3.14 Security
        3.14.1 Security for Devices
        3.14.2 Security for Services
    3.15 Clock
    3.16 NetStream

4 Maintenance and Network Management
    4.1 Maintenance and Management
        4.1.1 Configuration Modes
        4.1.2 Management and Monitoring
        4.1.3 Diagnosis and Debugging
        4.1.4 In-Service Software Upgrade and Patching
    4.2 U2000

5 Networking Applications
    5.1 Application in the MAN
    5.2 Application of MPLS L2VPN
    5.3 Application of HVPLS for Dual-homing Protection
        5.3.1 UPE+NPE Network Architecture
        5.3.2 UPE+PE-AGG+NPE Network Architecture
    5.4 Application of RRPP
    5.5 Application of Smart Link in Dual-Homing Networking
    5.6 Application of Ethernet OAM
    5.7 Application of QoS
    5.8 Application of Selective QinQ
    5.9 Application of the S9300 in IPTV Service
        5.9.1 Networking of IPTV
        5.9.2 Protection of IPTV Services
    5.10 Application of the S9300 in NAC Networking

6 System Specifications
    6.1 Technical Specifications
        6.1.1 Physical Specifications
        6.1.2 System Configuration
    6.2 Performance Specifications
    6.3 Software Features List


Figures

Figure 2-1 Appearance of the S9303
Figure 2-2 Appearance of the back of the S9303
Figure 2-3 Component layout of the S9303
Figure 2-4 Appearance of the S9306
Figure 2-5 Appearance of the back of the S9306
Figure 2-6 Component layout of the S9306
Figure 2-7 Appearance of the S9312
Figure 2-8 Appearance of the back of the S9312
Figure 2-9 Component layout of the S9312
Figure 2-10 Hardware structure of the S9303
Figure 2-11 Hardware structure of the S9306 and S9312
Figure 3-1 Structure of the IPv4/IPv6 protocol stack
Figure 3-2 Schematic diagram of the IPv6 over IPv4 tunnel technology
Figure 3-3 Networking diagram of the IPv4 over IPv6 tunnel
Figure 3-4 6PE topology
Figure 3-5 Networking diagram of the IP session
Figure 3-6 Main components and networking of NAC
Figure 5-1 S9300 application in the MAN
Figure 5-2 Point-to-point VPN application (VLL)
Figure 5-3 Multipoint-to-multipoint VPN application (VPLS)
Figure 5-4 VPN services realized through the cooperation between the S9300 and CE
Figure 5-5 S9300 Application of HVPLS with UPE+NPE network architecture
Figure 5-6 S9300 application of HVPLS with UPE+PE-AGG+NPE network architecture
Figure 5-7 Application of intersectant RRPP rings
Figure 5-8 Application of Smart Link
Figure 5-9 Application of Ethernet OAM on the MAN
Figure 5-10 S9300 application of QoS
Figure 5-11 S9300 application of selective QinQ
Figure 5-12 S9300 application of IPTV
Figure 5-13 S9300 protection for IPTV services
Figure 5-14 Application of the S9300 in the NAC networking


Tables

Table 1-1 Number of interfaces supported by the entire system
Table 1-2 System parameters of the S9300
Table 1-3 Carrier-class reliability
Table 2-1 SRU
Table 2-2 Ethernet LPUs
Table 2-3 FSUA
Table 3-1 List of NQA diagnosis tools provided by S9300
Table 6-1 Physical specifications of the S9300
Table 6-2 System configuration of the S9300
Table 6-3 Performance specifications of the S9300
Table 6-4 Software features list of the S9300


About This Document

Purpose

This document describes the product overview, system architecture, service features, maintenance and network management system, networking applications, and system specifications of the S9300.

Related Versions

The following table lists the product versions related to this document.

Product Name   Version
S9300          V100R002C00

Intended Audience

This document is intended for:

- Policy planning engineers
- Installation and commissioning engineers
- NM configuration engineers
- Technical support engineers

Organization

This document is organized as follows.

Chapter                                  Description
1 Product Overview                       Describes the technical features of the S9300.
2 System Architecture                    Describes the structure, hardware, and software of the S9300.
3 Service Features                       Describes the service features of the S9300.
4 Maintenance and Network Management     Describes the operation and maintenance of the S9300.
5 Networking Applications                Describes the typical networking of the S9300 and the deployment of the network.
6 System Specifications                  Describes the dimensions and weight of the S9300 and the environment indexes, including current, voltage, temperature, and humidity.

Conventions

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

Indicates a tip that may help you solve a problem or save time.

Provides additional information to emphasize or supplement important points of the main text.

General Conventions

The general conventions that may be found in this document are defined as follows.

Convention        Description
Times New Roman   Normal paragraphs are in Times New Roman.
Boldface          Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic            Book titles are in italics.
Courier New       Examples of information displayed on the screen are in Courier New.

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.

GUI Conventions

The GUI conventions that may be found in this document are defined as follows.

Convention   Description
Boldface     Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>            Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations

The keyboard operations that may be found in this document are defined as follows.

Format         Description
Key            Press the key. For example, press Enter and press Tab.
Key 1+Key 2    Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2   Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations

The mouse operations that may be found in this document are defined as follows.

Action         Description
Click          Select and release the primary mouse button without moving the pointer.
Double-click   Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag           Press and hold the primary mouse button and move the pointer to a certain position.

Update History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 05 (2010-01-08)

Based on issue 04 (2009-11-10), the document is updated as follows:

The following information is modified:

- Number of IPv4 and IPv6 ACLs supported by each LPU is modified: 6.2 Performance Specifications

Updates in Issue 04 (2009-11-10)

Based on issue 03 (2009-09-20), the document is updated as follows:

The following information is modified:

- The description of license support for the NQA function is added: 3.1.2 IPv4 Features
- The description of license support for the IPv6 function is added: 3.1 IP Features
- The description of license support for the MPLS function is added: 3.2 MPLS


Updates in Issue 03 (2009-09-20)

Based on issue 02 (2009-08-15), the document is updated as follows:

The following information is modified:

- Hardware Structure: 2.2 Hardware Structure
- LPU: 2.2.5 LPU

Updates in Issue 02 (2009-08-15)

Based on issue 01 (2009-07-29), the document is updated as follows:

The following information is added:

- Hardware Structure: 2.2.7 Clock Board

The following information is modified:

- Hardware Structure: 2.2.5 LPU
- Technical Specifications: 6.1.1 Physical Specifications
- System Specifications: 6.2 Performance Specifications

Updates in Issue 01 (2009-07-29)

This is the first release.

1 Product Overview

About This Chapter

This section describes the features of the S9300 and the position of the S9300 on the network.

1.1 Introduction

This section describes the position of the S9300 on the network.

1.2 High-Density Interfaces

This section describes the interface capability of the S9300.

1.3 Flexible Expansibility

This section describes the expansibility of the S9300.

1.4 Powerful Forwarding Capability

This section describes the forwarding capability of the S9300.

1.5 Rich Service Features

This section describes the service features of the S9300.

1.6 Excellent Security Design

This section describes the security features of the S9300.

1.7 Carrier-Class Reliability

This section describes the reliability of the S9300.

1.8 Maintainability

This section describes the maintainability of the S9300.

1.1 Introduction

This section describes the position of the S9300 on the network.

With the popularization of the IP network and the trend toward triple play services, the Metropolitan Area Network (MAN) is bearing more services, which places higher requirements on the quality of transmission.

In view of such a demand, Huawei has developed the Quidway S9300 Terabit Routing Switch (hereinafter referred to as the S9300), a high-end network device. The S9300 is mainly used to access, converge, and transmit services on the MAN. As the access and convergence device on the MAN, the S9300 provides Fast Ethernet (FE), Gigabit Ethernet (GE), and 10GE interfaces that transmit services at line speed.

The S9300 provides three models: S9312, S9306, and S9303. The S9312 supports a maximum of 12 Line Processing Units (LPUs); the S9306 supports a maximum of six LPUs; the S9303 supports a maximum of three LPUs. You can choose different models as required.

The S9300 operates on the Versatile Routing Platform (VRP) operating system developed by Huawei and adopts the hardware-based forwarding and non-blocking data switching technology. The S9300 features carrier-class reliability, line-speed forwarding capability, perfect Quality of Service (QoS) mechanism, service processing capability, and good expansibility.

In addition, the S9300 provides strong capabilities in network access, Layer 2 switching, and transmission of Ethernet over MultiProtocol Label Switching (EoMPLS) services. The S9300 also supports rich IP services and provides broadband access, triple play, IP leased line, and Virtual Private Network (VPN) services. The S9300 can also work in conjunction with the S series switches, NE80E, NE40E, ME60, and MA5200G developed by Huawei to set up a hierarchical metro Ethernet that provides rich services for customers.

1.2 High-Density Interfaces

This section describes the interface capability of the S9300.

The S9300 provides high-density Ethernet interfaces. Table 1-1 provides the specifications of the boards with highest interface density supported by the S9300, including the interface types, interface density of a board, and interface density of the entire equipment.

Table 1-1 Number of interfaces supported by the entire system

| Interface Type | Board Density | System Density |
|---|---|---|
| 10GE interface | 12 | S9312: 144; S9306: 72; S9303: 36 |
| GE interface | 48 | S9312: 576; S9306: 288; S9303: 144 |
| FE interface | 48 | S9312: 576; S9306: 288; S9303: 144 |

1.3 Flexible Expansibility

This section describes the expansibility of the S9300.

To satisfy the increasing requirements for carrier-class network services, the S9300 provides flexible expansibility in the following aspects:

• Services: The Switch Routing Unit (SRU) of the system supports the Flexible Service Unit A (FSUA), which can meet the requirements for service expansion in the future.
• Power supply capability: This version supports a 1600 W power supply capability, with power modules working in 1+1 or 2+2 backup mode; later versions support power modules working in 4+4 backup mode.

1.4 Powerful Forwarding Capability

This section describes the forwarding capability of the S9300.

Designed with the hardware-based forwarding engine, the S9300 carries out full-duplex forwarding of IPv4, IPv6, MPLS, and Layer 2 packets at line speed on all interfaces. The S9300 also supports forwarding based on Access Control Lists (ACLs) at line speed.

The hardware completes two-level packet replication to forward multicast at line speed:

• The SRU/Main Control Unit (MCU) replicates multicast packets to the Line Processing Unit (LPU).
• The forwarding engine of the LPU replicates the multicast packets to its interfaces.

Table 1-2 System parameters of the S9300

| Parameter | S9312 | S9306 | S9303 |
|---|---|---|---|
| Switching capacity | 1 Tbit/s or 2 Tbit/s | 1 Tbit/s or 2 Tbit/s | 720 Gbit/s |
| Backplane capacity | 4.8 Tbit/s | 2.4 Tbit/s | 1.2 Tbit/s |
| 10GE port density | 144 | 72 | 36 |
| FE/GE port density | 576 | 288 | 144 |
| Forwarding capability | 1320 Mpps | 1080 Mpps | 540 Mpps |

1.5 Rich Service Features

This section describes the service features of the S9300.

Based on the VRP, the S9300 provides the following service features:

• Layer 2 service features, including:
  − Virtual Local Area Network (VLAN)
  − Selective QinQ
  − Rapid Ring Protection Protocol (RRPP)
  − Smart Link
  − Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), Multiple Spanning Tree Protocol (MSTP)
  − Port aggregation
  − Dynamic Host Configuration Protocol (DHCP) snooping
  − Internet Group Management Protocol (IGMP) snooping
  − Multicast Listener Discovery (MLD) snooping
  − Ethernet OAM
• Various IP services, including:
  − IPv4 unicast routing protocols, including Routing Information Protocol (RIP), Open Shortest Path First (OSPFv2), Intermediate System-to-Intermediate System (ISIS), Border Gateway Protocol (BGP), and Multiprotocol Border Gateway Protocol (MBGP)
  − IPv6 unicast routing protocols, including RIPng, OSPFv3, ISIS, and BGP+
  − Multicast routing protocols, including IGMP, MLD, Multicast Source Discovery Protocol (MSDP), PIM-DM, PIM-SM, and PIM-SSM
  − Virtual Router Redundancy Protocol (VRRP)
  − DHCP Relay, DHCP Server, Option82
  − Netstream
• MPLS services, including:
  − MPLS forwarding
  − LDP
  − MPLS-TE
  − MPLS-OAM
• Perfect VPN services, including:
  − Virtual Private LAN Service (VPLS)
  − Virtual Leased Line (VLL)
  − BGP/MPLS IP VPN
• Mobile service support, including:
  − Stratum-3 clock
  − Synchronization Ethernet clock
• Enterprise intranet support:
  − Network Access Control (NAC). The S9300, which functions as the network access device (NAD), supports web authentication, 802.1x authentication, and MAC address authentication.
  − Power over Ethernet (PoE)

1.6 Excellent Security Design

This section describes the security features of the S9300.

The S9300 takes multiple security measures to protect the data of Internet Service Provider (ISP) networks and end users. The measures can protect against Denial of Service (DoS) attacks, illegal access, and overload on the control plane. The S9300 adopts a distributed structure, which guarantees the separation between the data plane and the control plane. It provides a security performance leading in the industry.

The S9300 provides the following security features:

• Three user authentication modes: local authentication, Remote Authentication Dial in User Service (RADIUS) authentication, and Huawei Terminal Access Controller Access Control System (HWTACACS) authentication
• Hardware-based packet filtering and sampling, which guarantees high performance and high scalability
• Multiple authentication methods including plain text authentication and Message Digest 5 (MD5) for upper-layer routing protocols such as Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), Routing Information Protocol (RIP), and Border Gateway Protocol-4 (BGP-4)
• ACLs on the forwarding plane and control plane
• Anti-attack features. The user can configure the blacklist and whitelist and set CAR to restrict the packets to be sent to the CPU.
• Interface protection function
• Unicast Reverse Path Forwarding (URPF)
• Dynamic Host Configuration Protocol (DHCP) snooping and DHCP Snooping over VPLS
• Limit on the number of Medium Access Control (MAC) addresses the system can learn, and MAC Forced Forwarding (MFF)
• Address Resolution Protocol (ARP) attack defense, IP source trail, and traffic suppression
• Blacklist and attack trace: Filter the traffic of the users on the blacklist and display the physical ports and VLANs of the attackers.
• Whitelist: Provide a high-priority channel for the protocol packets transmitted to the CPU.

1.7 Carrier-Class Reliability

This section describes the reliability of the S9300.

Based on the carrier-class design, the S9300 supports hot swap of boards. The S9300 chassis can be installed in an N66-18 or N66-22 cabinet provided by Huawei or a standard 19-inch cabinet of a third party.

The S9300 provides a powerful monitoring system. The S9300 manages and maintains the entire system by using the individual monitoring module. The monitoring module manages, monitors, and maintains the boards, fans, and power modules.

The system complies with Electro Magnetic Compatibility (EMC). The modular design of the system carries out EMC isolation between boards.

The S9300 meets the requirements for the high reliability of carrier-class and high-end devices. The S9300 provides the following features shown in Table 1-3 to ensure high reliability.

Table 1-3 Carrier-class reliability

Item Description

The boards, power modules, and fans are hot swappable.

The monitoring module is totally separated from the service system.

The system can operate normally for 96 hours when a single fan fails.

The SRUs run in 1+1 backup mode.

The power modules work in 1+1 or 2+2 backup mode.

The key components such as the clocks and management buses work in backup mode.

The system restarts automatically when abnormalities occur and recovers the work.

The system resets a board when abnormalities occur on the board and recovers the work.

Protections against abnormalities

The system automatically restores the interface configuration.

The system provides protections against over-current and over-voltage for power modules and interfaces.

The system provides protection against mis-insertion of boards.

Power alarm monitoring

The system provides alarm prompt, alarm indication, running status query, and alarm status query.

System protection mechanism

Voltage and environment temperature monitoring

The system provides alarm prompt, alarm indication, running status query, and alarm status query.

The system adopts distributed hardware-based forwarding.

The control channel is separated from the service channel to provide a non-blocking control channel.

Reliability design

The system provides fault detection for the system and boards, indicators, and the Network Management System (NMS) alarm function.

The system supports in-service patching.

The system supports version rollback.

The system supports in-service upgrading of the BootROM.

Reliable upgrade

The system supports the Error Checking and Correction (ECC) Random Access Memory (RAM).

Fault tolerance design

Data backup The system supports hot backup of the data between the active and standby units. When the active unit fails, the standby unit automatically takes over the active unit for data transmission. This ensures that no data is lost.

Synchronization configuration

The system supports the synchronization between the SRUs and LPUs.

The system can automatically select and boot correct applications.

The system supports the automatic upgrade and restoration of the BootROM program.

The system can back up configuration files to the remote File Transfer Protocol (FTP) server.

The system can automatically select and run correct configuration files.

The system provides abnormality monitoring for the system software, automatic restoration, and log record.

The system provides password protection for system operations.

The system provides hierarchical protection for commands through the configuration of login user classes and command levels.

The system can lock the terminal through commands to prevent illegal use.

Operation security

The system provides operation and confirmation prompts for some commands that may degrade the system performance.

Operation and maintenance center

The system adopts the generic integrated NMS platform developed by Huawei.

1.8 Maintainability

This section describes the maintainability of the S9300.

Cooperating with the NMS, the S9300 provides performance measurement, alarm management, and fault location. Customers can configure and maintain the device remotely through the NMS. This decreases the management cost of the ISP.

• Supports the point-to-point (P2P) Ethernet fault management defined in Ethernet Operation, Administration, and Maintenance (OAM) to detect faults in the first mile of the direct link on the user side of the Ethernet. The S9300 supports the following functions defined in IEEE 802.3ah:
  − OAM discovery
  − Link monitoring
  − Fault notification
  − Remote loopback
• In addition, the S9300 supports the following functions defined in IEEE 802.1ag:
  − Connectivity check
  − MAC trace

  − MAC ping
• Supports MPLS OAM to provide fault detection and location techniques such as ping and trace.
• Supports the association among 802.1ag, 802.3ah, and BFD to achieve end-to-end OAM.
• Supports traffic statistics based on the physical interface, VLAN ID, LSP, and ACL.
• Through the U2000, you can operate the S9300 to perform the following management functions:
  − Device management
  − Interface management
  − VLAN management
  − Multicast management
  − MPLS management
  − VPN management
  − Software upgrading management
  − Configuration file management
• The U2000 offers various customized configuration methods, such as:
  − End-to-end configuration
  − Batch configuration
  − Guide configuration
  The U2000 also provides default configuration templates for different items.
• Supports remote device management. Users can log in to maintain the device through Telnet.
• Supports remote in-service upgrade. When the S9300 runs properly, the software can be upgraded remotely through FTP or TFTP. Along with the active/standby switchover, the S9300 can be upgraded without service interruption.
• Supports in-service patching. It can load patches as required. The services are not interrupted during the loading of patches. The patching can either be confirmed or removed.
• Supports version rollback. The S9300 supports version rollback in the case of an upgrade failure or patching failure. The system can be recovered to the normal status before the upgrading or patch loading.

2 System Architecture

About This Chapter

This section describes the appearance, hardware structure, and software architecture of the S9300.

2.1 System Structure

This section describes the appearance and component layout of the S9300.

2.2 Hardware Structure

This section describes the hardware structure, backplane, MCU, SRU, LPU, CMU, FSU, and clock board of the S9300.

2.3 Software Architecture

This section describes the relationship between the operating system and software features of the S9300.

2.1 System Structure

This section describes the appearance and component layout of the S9300.

The S9300 adopts a distributed hardware architecture.

The S9300 consists of the following components:

• Chassis
• Backplane
• Power module
• Fan frame
• Switch Routing Unit (SRU) or Main Control Unit (MCU)
• Line Processing Unit (LPU)
• Central Management Unit (CMU)

The S9300 can be installed in either the 297 cabinet specified by the International Electrotechnical Commission (IEC) or the cabinet specified by the European Telecommunications Standards Institute (ETSI).

• The SRU and CMU are applicable only to the S9312 and S9306.
• The MCU is applicable only to the S9303.

2.1.1 System Structure of the S9303

2.1.2 System Structure of the S9306

2.1.3 System Structure of the S9312

2.1.1 System Structure of the S9303

Appearance of the S9303

Figure 2-1 shows the appearance of the S9303.

Figure 2-1 Appearance of the S9303

1. Rack-mounting ear 2. Power module 3. MCU 4. LPU 5. PoE module 6. Cabling rack

Figure 2-2 shows the appearance of the back of the S9303.

Figure 2-2 Appearance of the back of the S9303

1. Air filter 2. Fan module

The dimensions of the S9303 are 442 mm x 476 mm x 175 mm (width x depth x height).

Facing the chassis, the LPUs, MCUs, and power modules are mounted from top to bottom. Ventilation and heat dissipation of the S9303 are performed from the back of the chassis. The handles reside on both sides of the chassis.

Component Layout of the S9303

Figure 2-3 shows the component layout of the S9303.

Figure 2-3 Component layout of the S9303 [figure; slot labels: LPU, MCU, PoE, Power module]

• All components of the S9303 are located on the front panel for maintenance. There are five slots in total for horizontally inserted boards in the board cage. The two half-height slots in the lower half of the chassis are reserved for the MCUs that support 1+1 backup mode. The other three slots are reserved for the LPUs.
• The fan frame and air filter of the S9303 are located at the back of the chassis.
• Located at the bottom of the chassis, the power modules work in 1+1 backup mode and support double power supply networks for power input. The power modules can be either AC power modules or DC power modules.
• The power modules support PoE. The PoE function supports only the AC power supply and does not support the backup of power modules.

2.1.2 System Structure of the S9306

Appearance of the S9306

Figure 2-4 shows the appearance of the S9306.

Figure 2-4 Appearance of the S9306

1. LPU 2. SRU 3. Rack-mounting ear 4. Cabling rack 5. PoE module 6. CMU 7. Power module

Figure 2-5 shows the appearance of the back of the S9306.

Figure 2-5 Appearance of the back of the S9306

1. Air filter 2. Fan module

The dimensions of the S9306 are 442 mm x 476 mm x 441.7 mm (width x depth x height).

Facing the chassis, the LPUs, SRUs, CMUs, and power modules are mounted from top to bottom. Ventilation and heat dissipation of the S9306 are performed from the back of the chassis. The handles reside on both sides of the chassis.

Component Layout of the S9306

Figure 2-6 shows the component layout of the S9306.

Figure 2-6 Component layout of the S9306 [figure; slot labels: LPU, SRU, CMU, Power module, POE]

• The board cage of the S9306 provides a total of eight slots for horizontally inserted boards. The two slots in the middle are reserved for the SRUs that support 1+1 backup mode. The other six slots are reserved for the LPUs.
• The fan frame and air filter of the S9306 are located at the back of the chassis.
• Located at the bottom of the chassis, the power modules support double power supply networks for power input. The power modules can be either AC power modules or DC power modules. The DC power modules can work in 1+1 mode. The AC power modules can work in 1+1 or 2+2 mode.
• Located at the bottom of the chassis, the CMUs work in 1:1 backup mode.
• The power modules support Power over Ethernet (PoE). The PoE function supports only the AC power supply. Four AC power modules work in 3+1, 2+2, or 4+0 (not backup) mode.

2.1.3 System Structure of the S9312

Appearance of the S9312

Figure 2-7 shows the appearance of the S9312.

Figure 2-7 Appearance of the S9312

1. LPU 2. SRU 3. Rack-mounting ear 4. Cabling rack 5. PoE module 6. CMU 7. Power module

Figure 2-8 shows the appearance of the back of the S9312.

Figure 2-8 Appearance of the back of the S9312

1. Air filter 2. Fan module

The dimensions of the S9312 are 442 mm x 476 mm x 663.95 mm (width x depth x height).

Facing the chassis, the LPUs, SRUs, CMUs, and power modules are mounted from top to bottom. Ventilation and heat dissipation of the S9312 are performed from the back of the chassis. The handles are on both sides of the chassis.

Component Layout of the S9312

Figure 2-9 shows the component layout of the S9312.

Figure 2-9 Component layout of the S9312 [figure; slot labels: LPU, SRU, CMU, Power module, POE]

• The board cage of the S9312 provides a total of 14 slots for horizontally inserted boards. The two slots in the middle are reserved for the SRUs that support 1+1 backup mode. The other 12 slots are reserved for the LPUs.
• The fan frame and air filter of the S9312 are located at the back of the chassis.
• Located at the bottom of the chassis, the power modules support double power supply networks for power input. The power modules can be either AC power modules or DC power modules. The DC power modules can work in 1+1 mode. The AC power modules can work in 1+1 or 2+2 mode.
• The power modules support PoE. The PoE function supports only the AC power supply. Four AC power modules work in 3+1, 2+2, or 4+0 (not backup) mode.
• Located at the bottom of the chassis, the CMUs work in 1+1 backup mode.

2.2 Hardware Structure

This section describes the hardware structure, backplane, MCU, SRU, LPU, CMU, FSU, and clock board of the S9300.

Figure 2-10 shows the hardware structure of the S9303.

Figure 2-10 Hardware structure of the S9303 [block diagram; block labels: High speed Serdes backplane, LPU, Material interface module, Service processing module, Control plane communication module, Clock module, Monitoring module, MCU, Main control module, System clock module, System monitoring module, Service layer software, Management layer software, Control layer software, NMS]

Figure 2-11 shows the hardware structure of the S9306 and S9312.

Figure 2-11 Hardware structure of the S9306 and S9312 [block diagram; block labels: High speed Serdes backplane, LPU, Material interface module, Service processing module, Control plane communication module, Clock module, Monitoring module, SRU, Main control module, Switching network module, System clock module, System monitoring module, Service layer software, Management layer software, Control layer software, NMS]

2.2.1 Backplane

2.2.2 SRU

2.2.3 MCU

2.2.4 CMU

2.2.5 LPU

2.2.6 FSU

2.2.7 Clock Board

2.2.1 Backplane

The S9300 is designed with a passive backplane. The backplane provides control buses, management buses, and clock buses between the SRU, MCU, and other components for communication.

The backplane of an S9300 provides two slots for the main process unit. In addition, the backplane of an S9303 provides 3 LPU slots, the backplane of an S9306 provides 6 LPU slots, and the backplane of an S9312 provides 12 LPU slots.

2.2.2 SRU

The SRU is applicable only to the S9306 and S9312. The SRU integrates multiple functional modules such as the data switching module, main control module, FSUA, Compact Flash (CF) module, and system monitoring module. The SRU can be expanded to provide the clock module. As the core of system control and management and data switching, the SRU switches data, and controls and monitors the system.

The main control units of the SRU work in 1+1 backup mode. The data switching units can work in either 1+1 load balancing mode or 1:1 backup mode.

The SRU of the S9300 performs the following functions:

• Forwards data on the data plane.
• Processes protocols including STP, MPLS, and various routing protocols.
• Monitors components.
• Manages the system and monitors system performance according to the user's instruction, and provides feedback on the running status of the system for users.

Table 2-1 SRU

| Name | Note |
|---|---|
| SRUA | Provides 1 Tbit/s service switching capability. |
| SRUB | Provides 2 Tbit/s service switching capability. |

2.2.3 MCU

The MCU is applicable only to the S9303. The MCU integrates the main control module, CF module, system monitoring module, and clock module.

The MCU of the S9300 performs the following functions:

• Processes protocols including STP, MPLS, and various routing protocols.
• Monitors components, collects running data of each component periodically, and generates control information based on the running status of the components, for example, checking whether the boards are available and controlling the running of the switching fabric.
• Manages the system and monitors system performance according to the user's instruction, and provides feedback on the running status of the system for users.

2.2.4 CMU

The CMU monitors and manages the following devices:

• Power modules
• Fan modules
• PoE modules

This helps monitor and manage the system and facilitates energy saving and emission reduction.

2.2.5 LPU The LPUs are used to process packets and they provide service interfaces. Table 2-2 lists the LPUs supported by the S9300.

Table 2-2 Ethernet LPUs

Name Short Name

Remarks

48-port 100M Ethernet optical LPU (EA, SFP) -32K MAC

F48SA Not support: l synchronization Ethernet

48-port 100M Ethernet optical LPU (EC, SFP) -128K MAC

F48SC Not support: l synchronization Ethernet

48-port 100M Ethernet electrical LPU (EA, RJ45) -32K MAC

F48TA Not support: l synchronization Ethernet

48-port 100M Ethernet electrical LPU (EC, RJ45) -128K MAC

F48TC Not support: l synchronization Ethernet

48-port 100M/1000M Ethernet optical LPU (EA, SFP) -32K MAC

G48SA Not support: l synchronization Ethernet

48-port 100M/1000M Ethernet optical LPU (EC, SFP) -128K MAC

G48SC Not support: l synchronization Ethernet

48-port 100M/1000M Ethernet optical LPU (ED, SFP) -512K MAC

G48SD Not support: l synchronization Ethernet

48-port 100M/1000M Ethernet optical LPU (EA, RJ45) -32K MAC

G48TA Not support: l synchronization Ethernet

Page 36: Quidway S9300 Product Description

2 System Architecture Quidway S9300 Terabit Routing Switch

Product Description

2-12 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

Issue 05 (2010-01-08)

Name Short Name

Remarks

48-port 100M/1000M Ethernet optical LPU (EC, RJ45) -128K MAC

G48TC Not support: l synchronization Ethernet

48-port 100M/1000M Ethernet optical LPU (ED, RJ45) -512K MAC

G48TD Not support: l synchronization Ethernet

48-port 100M/1000M Ethernet PoE electrical LPU (EA, RJ45, POE) -32K MAC

G48VA Not support: l synchronization Ethernet

4-port 10GE optical LPU (EA, XFP) -32K MAC

X4UXA Not support: l synchronization Ethernet

4-port 10GE optical LPU (EC, XFP) -128K MAC

X4UXC Not support: l synchronization Ethernet

2-port 10GE optical LPU (EA, XFP) -32K MAC

X2UXA Not support: l synchronization Ethernet

2-port 10GE optical LPU (EC, XFP) -128K MAC

X2UXC Not support: l synchronization Ethernet

24-port 100M/1000M Ethernet optical LPU (SA, SFP) -32K MAC

G24SA Not support : l synchronization Ethernet l MPLS l VPN l Netstream l IP Session l VLAN stacking based on VLAN

priorities l VLAN mapping based on VLAN

priorities l VLAN mapping of double tags l N:1 VLAN mapping l Adding double VLAN tags to

untagged packets l VLAN switching l Sub-interface l Priority mapping (DiffServ) l IPv4 over IPv6 tunnel l IPv6 over IPv4 tunnel

24-port 100M/1000M Ethernet optical LPU (EC, SFP) -128K MAC

G24SC Not support: l synchronization Ethernet

Page 37: Quidway S9300 Product Description

Quidway S9300 Terabit Routing Switch Product Description 2 System Architecture

Issue 05 (2010-01-08) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

2-13

Name Short Name

Remarks

24-port 100M/1000M Ethernet optical LPU (ED, SFP) -512K MAC | G24SD | Not supported: synchronization Ethernet
24-port 100M/1000M Ethernet optical + Combo electrical LPU (SA, SFP/RJ45) -32K MAC | G24CA | Not supported: synchronization Ethernet; MPLS; VPN; Netstream; IP Session; VLAN stacking based on VLAN priorities; VLAN mapping based on VLAN priorities; VLAN mapping of double tags; N:1 VLAN mapping; Adding double VLAN tags to untagged packets; VLAN switching; Sub-interface; Priority mapping (DiffServ); IPv4 over IPv6 tunnel; IPv6 over IPv4 tunnel
12-port GE optical LPU (SA, SFP+) -32K MAC | X12SA | Not supported: synchronization Ethernet; MPLS; VPN; Netstream; IP Session; VLAN stacking based on VLAN priorities; VLAN mapping based on VLAN priorities; N:1 VLAN mapping; Adding double VLAN tags to untagged packets; VLAN switching; Sub-interface; Priority mapping (DiffServ); IPv4 over IPv6 tunnel; IPv6 over IPv4 tunnel


24-port 100M/1000M Ethernet electrical and 2-port GE optical LPU (EA, RJ45/XFP) -32K MAC | T24XA | Not supported: synchronization Ethernet
24-port 100M/1000M Ethernet optical and 2-port GE optical LPU (EA, SFP/XFP) -32K MAC | S24XA | Not supported: synchronization Ethernet

The Small Form-Factor Pluggable (SFP), SFP+, and XFP are pluggable optical modules. The LPUs of the S9300 are classified into S-series boards and E-series boards. E-series boards support more functions than S-series boards.

• The S-series boards include SA boards. For example, 24-port 100M/1000M Ethernet optical LPU (SA, SFP) -32K MAC
• The E-series boards include EA boards, EC boards, and ED boards. For example, 48-port 100M Ethernet optical LPU (EA, SFP) -32K MAC

2.2.6 FSU

The Flexible Service Unit A (FSUA) of S9306 and S9312 supports the following functions:

• Hardware-based Ethernet OAM
• Hardware-based MPLS OAM
• Hardware-based Bidirectional Forwarding Detection (BFD)
• DoS attack protection of the Central Processing Unit (CPU) of the SRU

Software-based Ethernet OAM, MPLS OAM, BFD and NQA functions are available in other LPUs.

FSUA is an optional subcard on the SRU of the S9312 and S9306. Users can choose to install the FSUA according to the service requirement.

Table 2-3 FSUA

Name | Description
20 Gbit/s FSUA | Provides 20 Gbit/s service switching capability.

2.2.7 Clock Board

Currently, only one type of clock board is available: CKMB. CKMB is a subcard of the main control board of the S9312, S9306, or S9303. It provides the functions of clock synchronization and time synchronization and has Building Integrated Timing Supply System (BITS) interfaces.

The CKM consists of the following functional units:

• Clock synchronization unit, synchronizing the Ethernet clock or Precision Time Protocol (PTP) clock
• Time synchronization unit, that is, the IEEE 1588 functional module

The functions of the CKM are as follows:

• Providing the 19.44 MHz system clock, sending clock synchronization frames with 8 KB frame headers, and providing external clock signals. The output clock signal complies with the ITU-T G.813 standard.
• Implementing the IEEE 1588 protocol through the logic to ensure synchronization of time on the network. The time is accurate to 0.1 us, which complies with the 1588v2 protocol.

2.3 Software Architecture

This section describes the relationship between the operating system and software features of the S9300.

The S9300 runs on the latest VRP version 5 (VRPv5) to provide software features. VRPv5 consists of the following parts:

• System service plane
  It provides the following functions based on the operating system:
  − Task management
  − Memory management
  − Timer
  − Software loading and patching
  This enhances the modular technology to facilitate system upgrade and customization.
• General control plane
  It is the core of the VRP data communication platform. It functions as the basis of security and QoS, and provides the following functions:
  − Link management
  − IP protocol stack
  − Routing protocol processing
  It is used to control the data forwarding plane and carry out various functions of the device.
• Data forwarding plane
  It forwards data under the control of the general control plane to carry out data transmission. VRPv5 supports data forwarding based on software and hardware.
• Service control plane
  It controls and manages the system based on users or interfaces. It implements the authentication, authorization, and accounting for users through the DHCP Option 82 field. It also implements authentication for access interfaces through IEEE 802.1x.
• System management plane
  It provides user interfaces and manages input/output ports. It is the basis of network management and maintenance.


3 Service Features

About This Chapter

This section describes the major service functions of the S9300, including IP features, MPLS, MPLS L2VPN, MPLS L3VPN, QoS, Ethernet, Ethernet OAM, NAC, multicast, reliability, LLDP, security, clock, and NetStream.

3.1 IP Features

This section describes the IP features supported by the S9300.

3.2 MPLS

This section describes the basics of MPLS, MPLS TE, and MPLS OAM.

3.3 MPLS L2VPN

This section describes the basics of VLL, VPLS, and HVPLS.

3.4 MPLS L3VPN

This section describes the basics of MPLS L3VPN supported by the S9300.

3.5 IP Session

This section describes the IP session feature supported by the S9300.

3.6 QoS

This section describes the basics of QoS supported by the S9300.

3.7 Ethernet

This section describes the basics of VLAN mapping, QinQ, selective QinQ, and BPDU tunnel.

3.8 Ethernet OAM

This section describes the basics of Ethernet OAM.

3.9 NQA

This section describes the basics of NQA supported by the S9300.

3.10 NAC

This section describes the principle of network admission control (NAC).


3.11 Multicast

This section describes the basics of IGMP snooping, multicast flow control, controllable multicast, multicast VLAN, and multicast replication.

3.12 Reliability

This section describes the basics of link aggregation, BFD, and HA at the equipment level.

3.13 LLDP

This section describes the basics of LLDP.

3.14 Security

This section describes the security measures for devices and services.

3.15 Clock

This section describes the clock synchronization and calibration mechanisms supported by the S9300.

3.16 NetStream

This section describes the NetStream function supported by the S9300.

3.1 IP Features

This section describes the IP features supported by the S9300.

To implement IPv6 functions, apply for and purchase the license from Huawei local office.

3.1.1 IPv4/IPv6 Protocol Stack

3.1.2 IPv4 Features

3.1.3 IPv6 Features

3.1.4 IPv4/IPv6 Transition Technologies

3.1.1 IPv4/IPv6 Protocol Stack

The IPv4/IPv6 protocol stack features good interworking and simplicity. Figure 3-1 shows the structure of the IPv4/IPv6 protocol stack.


Figure 3-1 Structure of the IPv4/IPv6 protocol stack

[Figure labels: IPv4/IPv6 Application; TCP, UDP; IPv4, IPv6; Link Layer]

3.1.2 IPv4 Features

The S9300 supports the following IPv4 features:

• TCP/IP protocol stack, including ICMP, IP, TCP, UDP, socket (TCP/UDP/Raw IP), and ARP
• Static DNS and specified DNS server
• FTP server/client and TFTP client
• DHCP relay agent and DHCP server
• Ping, tracert, and NQA: NQA can detect the status of ICMP, TCP, UDP, DHCP, FTP, HTTP and SNMP services and test the response time of various services.
  To implement NQA functions, apply for and purchase the license from Huawei local office.
• IP policy-based routing: specifies the next hop based on the attribute of packets without searching the routing table for the routes.

3.1.3 IPv6 Features

The S9300 supports the following IPv6 features:

• IPv6 Neighbor Discovery (ND)
• Path MTU Discovery (PMTU)
• TCP6, ping IPv6, tracert IPv6, socket IPv6, UDP6 and RawIP6
• TFTP IPv6 Client
• IPv6 policy-based routing
• DHCPv6 snooping and MLDv1 snooping

3.1.4 IPv4/IPv6 Transition Technologies

IPv6 over IPv4 Tunnel

As shown in Figure 3-2, the IPv6 over IPv4 tunnel technology is used for the transition from the IPv4 network to the IPv6 network.


Figure 3-2 Schematic diagram of the IPv6 over IPv4 tunnel technology

[Figure labels: IPv6 host; IPv6 network; Dual Stack Device; IPv4 network; IPv6 over IPv4 Tunnel; packet formats: IPv6 Header + IPv6 Data, and IPv4 Header + IPv6 Header + IPv6 Data]

The S9300 supports the following IPv6 over IPv4 tunnels:

• IPv6 manual tunnel
  The IPv6 manual tunnel is created manually on the routers on the two ends of a tunnel. The source and destination IPv4 addresses need to be statically configured. The tunnel is a permanent link that connects two IPv6 domains through an IPv4 backbone network. It is a fixed channel for two edge routers to communicate with each other and can be used by the isolated IPv6 sites to communicate with each other.
• 6to4 tunnel
  The 6to4 tunnel can connect multiple IPv6 isolated sites to the IPv6 network through the IPv4 network. Compared with the manual tunnel, the 6to4 tunnel can be a P2MP connection. The manual tunnel, however, is a P2P connection. The routers where the 6to4 tunnel is set up are not configured in pairs. Similar to the routers on an automatic tunnel, a router on the 6to4 tunnel can search for the other end of the tunnel; however, you do not need to specify the IPv4-compatible IPv6 address for the 6to4 tunnel. The 6to4 tunnel uses a special IPv6 address, that is, 6to4 address.
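How a 6to4 router finds the other end of the tunnel from the 6to4 address alone, together with the ingress checks RFC 3964 recommends for decapsulated traffic, as an added Python example (not code from this document or from the S9300). Function names, the list of unusable IPv4 ranges and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# 6to4 addresses are 2002:V4ADDR::/48, where V4ADDR is the router's IPv4 address.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# IPv4 ranges that must never be used as a 6to4 tunnel endpoint
# (this-network, private, loopback, link-local, multicast, reserved).
UNUSABLE_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def site_prefix(router_v4):
    """Return the 2002:V4ADDR::/48 prefix owned by the 6to4 router at router_v4."""
    v4 = int(ipaddress.IPv4Address(router_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_v4(addr6):
    """Return the IPv4 address held in bits 16..47 of a 6to4 address, else None."""
    addr = ipaddress.IPv6Address(addr6)
    if addr not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def usable(v4):
    """True if v4 is outside every range in UNUSABLE_V4."""
    return not any(v4 in net for net in UNUSABLE_V4)


def encap_destination(dst6):
    """Sending side: derive the outer IPv4 destination from the IPv6 destination.

    No per-peer configuration is needed, which is why 6to4 is point-to-multipoint.
    Returns None when the packet must not be tunnelled this way.
    """
    v4 = embedded_v4(dst6)
    if v4 is None or not usable(v4):
        return None
    return v4


def decap_verdict(outer_src4, inner_src6):
    """Receiving side: decide whether a decapsulated packet is acceptable."""
    outer = ipaddress.IPv4Address(outer_src4)
    if not usable(outer):
        return "drop: unusable outer IPv4 source"
    inner = embedded_v4(inner_src6)
    if inner is None:
        # Native IPv6 source: arrived through a relay, cannot be tied to outer source.
        return "accept: native IPv6 source via relay"
    if not usable(inner):
        return "drop: unusable IPv4 address embedded in 6to4 source"
    if inner != outer:
        return "drop: 6to4 source does not match outer IPv4 source"
    return "accept"


if __name__ == "__main__":
    print(site_prefix("192.0.2.4"))
    print(encap_destination("2002:c000:204:1::1"))
    print(decap_verdict("198.51.100.7", "2002:c000:204:1::1"))
```
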

IPv4 over IPv6 Tunnel

During the later stage of the transition from the IPv4 network to the IPv6 network, a large number of IPv6 networks are deployed; therefore, there may be IPv4 isolated sites. The cost spent on connecting these isolated sites through dedicated lines is very high. You can create a tunnel on the IPv6 network to connect IPv4 isolated sites. This is similar to deploying the VPN on the IP network through the tunnel technology. The tunnel that is used to connect IPv4 isolated sites on the IPv6 network is called an IPv4 over IPv6 tunnel.

To set up IPv4 over IPv6 tunnels, the IPv4/IPv6 dual stack needs to be enabled on the routers at the edge of the IPv6 network and the IPv4 network.


Figure 3-3 Networking diagram of the IPv4 over IPv6 tunnel

[Figure labels: IPv4 host; IPv4 network; Dual Stack Router; IPv6 network; IPv4 over IPv6 Tunnel; packet formats: IPv4 Header + IPv4 Payload, and IPv6 Header + IPv4 Header + IPv4 Payload]

6PE

The IPv6 Provider Edge (6PE) router allows the communication between the IPv6 isolated CE routers over the IPv4 network. Figure 3-4 shows the networking diagram of 6PE topology. The ISP can use the IPv4 backbone network to provide services for the IPv6 networks where users are distributed dispersedly.

Figure 3-4 6PE topology

[Figure labels: IPv4/MPLS Cloud; IBGP; CE; IPv6 Cloud (Customer site)]

The 6PE router labels IPv6 routing information and floods the information onto the ISP's IPv4 backbone network through Internal Border Gateway Protocol (IBGP) sessions. The IPv6 packets are labeled before entering the tunnels on the backbone network. The tunnels can be MPLS LSPs.

The IGP protocol used on the ISP network can be OSPF or IS-IS, and the protocol used between CE routers and 6PE routers can be a static routing protocol, an IGP, or EBGP.


If the ISPs want to use the IPv4/MPLS networks to exchange IPv6 traffic, they can just update the PE router. Therefore, using the 6PE feature as an IPv6 transition mechanism is a cost-effective solution for ISPs.

3.2 MPLS

This section describes the basics of MPLS, MPLS TE, and MPLS OAM.

To implement MPLS functions, apply for and purchase the license from Huawei local office.

The S9300 can be used to construct the MPLS network. Services that are external to the MPLS network are forwarded based on the VLAN ID and MAC addresses. On the MPLS network, services are transmitted based on the MPLS labels. This solves the problem regarding the capacity of the VLAN tag and the limit to the amount of MAC table entries.

The S9300 can act as the PE device or Provider (P) device on the MPLS network.

The S9300 supports multiple MPLS features, including basic MPLS features, the Label Distribution Protocol (LDP) or Resource Reservation Protocol for Traffic Engineering (RSVP-TE), MPLS TE, and MPLS OAM.

3.2.1 Basic MPLS Functions

3.2.2 MPLS TE

3.2.3 MPLS OAM

3.2.1 Basic MPLS Functions

The S9300 supports the following basic MPLS functions:

• LDP
• Static LSP
• Two-layer MPLS labels
• Mapping the 802.1p priority to the EXP field of MPLS packets

3.2.2 MPLS TE

The S9300 supports the MPLS Traffic Engineering (TE) function. MPLS TE is a technique that integrates TE with MPLS. Through the MPLS TE, the S9300 can create an LSP tunnel to a specified path and implement re-optimization. MPLS TE also provides protection against link or node failures by using path backup and fast reroute.

The S9300 supports the following MPLS TE features:

• Supports TE extension based on the IGP protocols including IS-IS and OSPF to collect network information.
• Supports preemption, route pinning, and re-optimization of CR-LSP.
• Supports establishment of CR-LSP based on RSVP TE; supports hot standby backup and basic backup functions of the MPLS TE tunnel.
• Supports the use of the Constraint Shortest Path First (CSPF) algorithm to calculate an appropriate path of CR-LSP. This calculates the shortest path to a node through CSPF.
• Supports establishment of the MPLS TE tunnel and the following features of the tunnel:
  − Loop detection on the MPLS TE tunnel
  − Record of routing and labels
  − Re-establishment of the MPLS TE tunnel
  − Configuration of the tunnel priority

3.2.3 MPLS OAM

The S9300 supports the MPLS OAM mechanism to perform end-to-end fault detection at the tunnel level and perform prompt protection switchover in 50 ms when an LSP link fails. MPLS OAM conforms to the ITU-T Y.1710, Y.1711, and Y.1720 recommendations to realize fast detection of LSP connectivity. The interval for detecting LSP connectivity can be adjusted as required.

With the MPLS OAM mechanism, the S9300 can rapidly detect, locate, and report the fault in the MPLS network by using the Connectivity Verification (CV) message and the Fast Failure Detection (FFD) message. When a fault occurs, the S9300 triggers protection switchover by using the Forward Defect Indicator (FDI) message and the Backward Defect Indicator (BDI) message.

The S9300 supports 1:1 and N:1 protection switchover of LSPs with an active LSP and a standby LSP. When the active LSP fails, the S9300 can promptly switch services to the standby LSP. This greatly improves the reliability of the MPLS network.

3.3 MPLS L2VPN

This section describes the basics of VLL, VPLS, and HVPLS.

The S9300 supports various Virtual Leased Line (VLL) services, VPLS, and hierarchical VPLS (HVPLS).

3.3.1 VLL

3.3.2 VPLS

3.3.3 HVPLS

3.3.1 VLL

VLL is an emulation of the traditional leased line. By emulating the leased line through the IP network, it provides asymmetric, low cost point-to-point virtual leased line services. VLL is mainly applied to the access layer and convergence layer of the MAN.

The S9300 supports the following four modes of VLL:

• Martini
  The Martini mode uses double labels. The inner label takes the extended LDP as the signaling protocol to transmit information. The Martini mode conforms to the draft of draft-martini-l2circuit-trans-mpls. The Martini extends LDP by adding the FEC type in the VC FEC to exchange the VC label.
• Kompella
  The Kompella mode uses MP-BGP as the signaling protocol. PEs automatically discover L2VPN nodes during the connection of BGP sessions. The Kompella uses BGP as the signaling protocol to transmit Layer 2 information and VC labels to realize L2VPN in end-to-end (CE to CE) mode on the MPLS network.
• SVC
  The setup process of the SVC outer label (public network tunnel) is the same as that of the Martini. The inner label is manually specified during the VC configuration. The transmission signaling of the VC label is not required. The network topology and the packets interaction of the SVC are the same as that of the Martini. Thus, the SVC is a simplified version of the Martini.
• CCC
  In Circuit Cross Connect (CCC), VCs are statically configured, which is similar to SVC. Different from the common MPLS L2VPN, the CCC adopts one label to transmit user data. This label is used for label exchange on each Label Switching Router (LSR). Therefore, the CCC uses the LSP exclusively. Static LSPs must be configured in both directions.

3.3.2 VPLS

Virtual Private LAN Service (VPLS) is used to connect more than one Ethernet LAN segment through the Packet Switched Network (PSN) and make them operate in an environment similar to a LAN. With the VPLS technology, the ISP can establish multipoint-to-multipoint VPN connections between the dispersed users. The dispersed users can be enterprises located in different cities.

The S9300 functions as the PE device on the VPLS network. The S9300 transmits VPLS services by establishing through-connection between PEs.

The S9300 supports VPLS in the following methods:

• Martini
• Kompella

3.3.3 HVPLS

VPLS through-connection is required between PEs. For multiple nodes or a large geographic area, a large-scale VPLS network is required. This requires that the number of connections established be double the number of PEs. In this case, HVPLS is used to establish a large-scale VPLS network.

The S9300 mainly functions as the User Provider Edge (UPE) device on the HVPLS network. It converges services from CE to Network Provider Edge (NPE) or PE-AGG (PE-Aggregation).

The S9300 supports HVPLS in Martini mode.

On the VPLS or HVPLS network, the S9300 maps services of different types to different Virtual Switch Instances (VSIs). The S9300 then transparently transmits these services to NPE or PE-AGG through the VPLS or HVPLS network.

3.4 MPLS L3VPN

This section describes the basics of MPLS L3VPN supported by the S9300.

BGP/MPLS VPN provides Layer 3 VPN services over an MPLS network. MPLS facilitates the implementation of IP-based VPN services and meets the requirements of expansibility and manageability for VPNs. MPLS VPNs provide value-added services. Through configurations, a single access point can be configured with multiple VPNs, each of which identifies a type of service. This allows different types of services to be transmitted in a flexible manner over networks.

3.5 IP Session

This section describes the IP session feature supported by the S9300.

Figure 3-5 Networking diagram of the IP session

[Figure labels: DHCP Server; AAA Server; Internet]

The S9300 can terminate and authenticate IP sessions and assign IP addresses to IP sessions.

The STB or VOIP terminal of a family sends a DHCP Request message. Then the S9300 directly assigns an IP address to the terminal or relays the message to the DHCP server requesting an IP address. Before assigning an IP address, the S9300 sends the VLAN (QinQ) information or DHCP Relay Agent information to the AAA server for authenticating the terminal. If the authentication is successful, the S9300 assigns an IP address to the terminal.

The S9300 can perform scheduling on the services of different types or encapsulate service traffic into different VPNs, thus separating services.

3.6 QoS

This section describes the basics of QoS supported by the S9300.

QoS provides network services with different qualities as required.

3.6.1 Hierarchical Traffic Policing

3.6.2 Flow Control

3.6.3 Re-marking

3.6.4 Queue Scheduling

3.6.5 Congestion Avoidance

3.6.6 Traffic Shaping


3.6.1 Hierarchical Traffic Policing

The S9300 supports two-level traffic policing, namely, traffic policing based on users and traffic policing based on user groups. It supports the multiplexing of bandwidths of users and user groups.

Traffic policing is used to monitor the service traffic that matches the traffic classifier rules on the incoming interface. In this manner, the interface can be adapted to the assigned network resources such as bandwidth. Traffic policing limits the rate of the traffic on the incoming interface. In this manner, the S9300 can monitor the traffic entering a network. If the rate is too high, the S9300 chooses to discard the packets or reset the priorities of the packets.

The S9300 supports the two-rate-three-color marker and one-rate-two-color marker. This guarantees granular management of bandwidths.

3.6.2 Flow Control

Flow control is used for congestion management. When a network cannot provide the committed or negotiated performance specifications, such as rate, congestion occurs.

In this case, an Ethernet switch sends pause frames to its peer to inform the peer to stop sending data for a while. This helps decrease the volume of traffic on the network. Flow control enabled on a port functions on all the traffic on the port.

3.6.3 Re-marking

With re-marking, the S9300 applies parameters about services to the packets that match certain ACL rules. Re-marking is implemented as follows:

• The S9300 applies parameters about services provided by itself to the packets.
• The S9300 applies parameters about services drawn upon the mapping table according to the Differentiated Services Code Point (DSCP) of the packets.
• The S9300 applies parameters about services drawn upon the mapping table according to the DSCP defined by users.
• Users assign parameters about services to the packets.

3.6.4 Queue Scheduling

When an Ethernet switch forwards multiple packets, these packets may compete for resources. Queue scheduling is thus introduced to address this problem. The S9300 supports the following queue scheduling algorithms:

• Strict Priority (SP)
• Weighted Round Robin (WRR)
• SP + WRR
• Deficit Round Robin (DRR)
• SP + DRR

Outgoing packets on the ports of the Ethernet switch are forwarded in different manners as defined in the preceding algorithms.


3.6.5 Congestion Avoidance

When congestion occurs, a switch immediately discards certain packets to release resources of queues. The switch also schedules the packets into queues other than those with long delay. This helps to remove the congestion.

The S9300 supports the Weighted Random Early Detection (WRED) algorithm. WRED monitors packets in each queue and compares the length of the queue with the low threshold for dropping packets. Based on the result, the S9300 processes the packets in queues in the following ways when congestion occurs.

• When a queue is shorter than the minimum threshold, the device does not discard packets.
• When the length of a queue is between the low threshold and the high threshold, WRED begins to discard packets randomly.
• When a queue is longer than the high threshold, the device discards all incoming packets.
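The three WRED regimes above, as an added Python example (not the S9300's implementation). The per-colour thresholds, the maximum drop probability of 0.2, the linear ramp between the thresholds (the usual RED behaviour, which this document describes only as random discard) and the traffic pattern are constructed assumptions.

```python
import random
from collections import deque

# Constructed drop profiles per packet colour:
# (low threshold, high threshold, maximum drop probability at the high threshold).
# "Weighted" means each class gets its own thresholds on the same queue.
PROFILES = {
    "green": (40, 60, 0.2),
    "yellow": (25, 45, 0.2),
    "red": (10, 30, 0.2),
}


def drop_probability(qlen, low, high, max_p):
    """Map the current queue length to a drop probability for one profile."""
    if qlen < low:
        return 0.0            # below the low threshold: never discard
    if qlen > high:
        return 1.0            # above the high threshold: discard everything
    # Between the thresholds: probability rises linearly from 0 to max_p.
    return max_p * (qlen - low) / (high - low)


def simulate(ticks=1000, drain_per_tick=2, seed=1):
    """Offer one packet of each colour per tick to a queue that drains 2 per tick.

    The offered load (3 per tick) exceeds the drain rate, so the queue is
    persistently congested. Returns per-colour counters and the final length.
    """
    rng = random.Random(seed)
    queue = deque()
    stats = {c: {"offered": 0, "dropped": 0} for c in PROFILES}
    for _ in range(ticks):
        for colour, profile in PROFILES.items():
            stats[colour]["offered"] += 1
            if rng.random() < drop_probability(len(queue), *profile):
                stats[colour]["dropped"] += 1
            else:
                queue.append(colour)
        for _ in range(min(drain_per_tick, len(queue))):
            queue.popleft()
    return stats, len(queue)


if __name__ == "__main__":
    result, final_len = simulate()
    for colour, counters in result.items():
        print(colour, counters)
    print("final queue length:", final_len)
```

With these profiles the queue settles just above the red profile's high threshold, so the excess load is shed from red packets first, yellow packets only occasionally, and green packets never reach their low threshold.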

3.6.6 Traffic Shaping

With traffic shaping, the transmission rate of outgoing packets is controlled and packets are transmitted at an even rate. Traffic shaping is applied to the downstream traffic to make its transmission rate the same as that provided by the downstream devices. This prevents the discarding of packets and traffic congestion. The difference between traffic shaping and traffic policing lies in that traffic shaping is used to buffer packets that exceed the set rate limit and then transmit the packets at an even rate; traffic policing is used to discard packets that exceed the set rate limit. In traffic shaping, packets are delayed for transmission. In traffic policing, however, no delay is added for packets.

The S9300 supports traffic shaping based on interfaces and class of service (CoS), that is, shapes the traffic of all interfaces and CoSs. The two types of traffic shaping can be carried out through different parameters.

3.7 Ethernet

This section describes the basics of VLAN mapping, QinQ, selective QinQ, and BPDU tunnel.

3.7.1 VLAN Mapping

3.7.2 Selective QinQ

3.7.3 BPDU Tunnel

3.7.1 VLAN Mapping

VLAN mapping refers to the setting up of a mapping table on the S9300 to realize the mapping between the customer VLAN and the service VLAN. One or multiple customer VLAN IDs can be mapped to a service VLAN ID.


• Customer VLAN (C-VLAN) is the VLAN of the port at the user side. It is of local significance and used to identify a user or a class of users.
• Service VLAN (S-VLAN) is designated by the ISP at the network side. It is of global significance and used to identify a type of service.

The S9300 supports VLAN mapping between single VLAN tags in the following ways, given that the port on the user side is specified:

• 1:1 VLAN mapping
  It is the mapping between one C-VLAN tag and one S-VLAN tag.
• N:1 VLAN mapping
  It is the mapping between multiple C-VLAN tags and one S-VLAN tag.

The S9300 also supports VLAN mapping between double VLAN tags.

• 2:2 VLAN mapping
  The S9300 can map the double VLAN tags of packets from the user side to the double VLAN tags of packets from the network side. The S9300 can also switch the outer and inner VLAN tags of a packet.
• 2:1 VLAN mapping
  The S9300 can map the double VLAN tags of packets from the user side to a single VLAN tag of packets from the network side.

In addition, the S9300 supports the CoS-based VLAN mapping. It can map multiple customer-VLAN (C-VLAN) tags to the same service-VLAN (S-VLAN) tag according to the CoS or add a VLAN tag to a packet.

3.7.2 Selective QinQ

The S9300 supports the selective QinQ technique. Selective QinQ expands the space of VLAN tags. It enables the S9300 to flexibly select the outer S-VLAN tag based on the C-VLAN tag of the received packets. In this case, various user services can travel along different paths. This facilitates deployment of services. The selective QinQ feature can be applied to the incoming and the outgoing interfaces. This makes the networking more flexible.

The S9300 supports the selective QinQ feature in the following ways:

• On the port, the S9300 adds a different outer S-VLAN tag based on the VLAN ID of the C-VLAN tag of the packets.
• On the port, the S9300 changes an inner VLAN tag based on the VLAN ID of the C-VLAN tag of the packets. The S9300 then adds a different outer S-VLAN tag.

The port enabled with QinQ learns the MAC address based on the outer VLAN tag of packets, and forwards the upstream packets and downstream packets based on the destination MAC address of packets.

The S9300 provides powerful hardware, which implements selective QinQ through traffic classification based on ACLs. In this case, the S9300 can flexibly add S-VLAN tags or modify C-VLAN tags.

3.7.3 BPDU Tunnel

Bridge Protocol Data Unit (BPDU) tunnel is a Layer 2 tunnel technology. With BPDU tunnel enabled, the BPDUs are transparently transmitted from the customer network through the VLAN VPN specified by the ISP network. In this way, all devices in the customer network can calculate the spanning tree. The customer network and ISP network have spanning trees that are independent of each other. Thus the convergence speed is improved.

With BPDU tunnel enabled, the S9300 considers the tagged BPDUs as ordinary frames. Thus, the BPDUs are forwarded within the specified VLAN; or the BPDUs are encapsulated to be MPLS packets and then forwarded within the MPLS network without being dealt with as the BPDUs.

3.8 Ethernet OAM

This section describes the basics of Ethernet OAM.

The Ethernet OAM functions of the S9300 include fault management and performance management.

3.8.1 Point-to-Point Fault Management for Ethernet

3.8.2 End-to-End Fault Management for Ethernet

3.8.3 Ethernet Performance Management

3.8.1 Point-to-Point Fault Management for Ethernet

Fault management means that the S9300 detects the network connectivity by sending detection packets, which is similar to Bidirectional Forwarding Detection (BFD). The user can set the interval for sending the detection packets or configure the S9300 to send the detection packets at specified time points. In addition, the S9300 provides the fault location methods on the Ethernet, which are similar to the ping or TraceRoute operations on the IP network. With the fault management function, the S9300 can trigger protection switchover, and thus the interrupted service can be restored within 50 ms.

IEEE 802.3ah is introduced by the EFMA. IEEE 802.3ah includes:

• Capability discovery
• Link performance monitoring
• Fault detection and alarm
• Loopback test

In addition, 802.3ah can detect the faults on the direct Ethernet links, especially the user links. 802.3ah is a slow protocol, which sends the detection packet every 1 second.

Conforming to IEEE 802.3ah, the S9300 supports the point-to-point Ethernet fault management. It can detect faults in the last mile of the direct link on the user side of the Ethernet. Currently, the S9300 supports the following functions defined in IEEE 802.3ah:

• OAM discovery
• Link monitoring
• Remote fault notification
• Remote loopback

3.8.2 End-to-End Fault Management for Ethernet

IEEE 802.1ag defines the end-to-end Ethernet OAM, which is widely used. 802.1ag is applied to VLAN-aware bridges on the virtual bridging network to provide the fault detection, verification, and isolation functions. 802.1ag can detect a fault within 50 ms. The S9300 triggers protection switchover with the fault management mechanism. Service interruption is within 50 ms.

802.1ag provides the following fault management functions to ensure the packet forwarding:

• Fault detection function, that is, the continuity check (CC) function.
• Fault verification function, that is, the loopback test function.
• Fault location and isolation, that is, the traceroute function.
• Fault notification and alarm suppression function, that is, the alarm indication signal (AIS) function and the remote defect indicator (RDI) function. Currently, the S9300 does not support AIS.

Hierarchical Maintenance Domain

Conforming to IEEE 802.1ag, the S9300 provides end-to-end fault management for Ethernet.

IEEE 802.1ag is used to test the end-to-end Ethernet connectivity and locate faults. It provides different levels of management domains. OAM messages with low level are not forwarded to the management domain with high level. This guarantees security and maintainability of networks.

According to IEEE 802.1ag, the network that bears the Ethernet OAM mechanism is divided into different Maintenance Domains (MDs). An MD is an interconnected Ethernet network maintained by the same administrator. Multiple Service Instances (SIs) can be applied on an MD. An SI corresponds to a VLAN. An SI consists of multiple devices. The border port on the SI is called the Maintenance association End Point (MEP); all the other ports are called Maintenance association Internal Points (MIPs). An MIP is responsible for connecting different MEPs. MEPs and MIPs together are called Maintenance Points (MPs). All the MEPs in an SI form a Maintenance Association (MA), in which fault detection is carried out.

Part of the network in an MD might be maintained by another administrator, that is, MDs might be nested. The MD level is used to differentiate the levels of OAM that can be carried out in an MA. The MD level is carried in the OAM message. An OAM message with a low level is discarded at a high-level MP.
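The level check described above can be shown on the CFM common header itself. The following is an added example, not Huawei code: it parses the IEEE 802.1ag common header (EtherType 0x8902, MD level in the top three bits of the first byte) and applies the rule that a lower-level message is discarded at a higher-level MP. Passing higher-level messages through transparently is standard 802.1ag behaviour rather than something stated on this page, and the sample frames and the `mp_action`/`build_ccm` helpers are constructed for illustration.

```python
import struct
from enum import Enum

CFM_ETHERTYPE = 0x8902   # EtherType of IEEE 802.1ag CFM PDUs
DOT1Q_TPID = 0x8100      # 802.1Q VLAN tag
OPCODES = {1: "CCM", 2: "LBR", 3: "LBM", 4: "LTR", 5: "LTM"}


class Action(Enum):
    DROP = "drop"          # lower level than the MP: must not leak upward
    PROCESS = "process"    # same level: handled by this MP
    FORWARD = "forward"    # higher level or other VLAN: passed transparently


def parse_cfm(frame: bytes) -> dict:
    """Parse Ethernet, an optional single 802.1Q tag and the CFM common header."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan = 14, None
    if ethertype == DOT1Q_TPID:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != CFM_ETHERTYPE:
        raise ValueError("not a CFM frame (EtherType 0x%04x)" % ethertype)
    if len(frame) < offset + 4:
        raise ValueError("truncated CFM common header")
    level_ver, opcode, flags, tlv_off = struct.unpack_from("!BBBB", frame, offset)
    return {
        "vlan": vlan,
        "md_level": level_ver >> 5,        # top 3 bits
        "version": level_ver & 0x1F,       # low 5 bits
        "opcode": OPCODES.get(opcode, "unknown(%d)" % opcode),
        "flags": flags,
        "first_tlv_offset": tlv_off,
    }


def mp_action(mp_level: int, mp_vlan: int, frame: bytes) -> Action:
    """Decide what an MP at (mp_level, mp_vlan) does with a received CFM frame."""
    pdu = parse_cfm(frame)
    if pdu["vlan"] != mp_vlan:
        return Action.FORWARD          # belongs to another service instance
    if pdu["md_level"] < mp_level:
        return Action.DROP             # low-level OAM stops at the boundary
    if pdu["md_level"] == mp_level:
        return Action.PROCESS
    return Action.FORWARD


def build_ccm(md_level: int, vlan: int) -> bytes:
    """Constructed sample: VLAN-tagged CCM common header only (no CCM body)."""
    dst = bytes.fromhex("0180c200003%x" % md_level)   # CCM group address
    src = bytes.fromhex("020000000001")               # made-up source MAC
    tag = struct.pack("!HH", DOT1Q_TPID, vlan)
    # version 0, opcode 1 (CCM), flags 4 (1 s interval), first TLV offset 70
    cfm = struct.pack("!HBBBB", CFM_ETHERTYPE, md_level << 5, 1, 4, 70)
    return dst + src + tag + cfm


if __name__ == "__main__":
    for level in (2, 5, 7):
        print(level, mp_action(5, 100, build_ccm(level, 100)).value)
```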

End-to-End Fault Detection and Location

ISPs and Internet Content Providers (ICPs) have gradually adopted fault detection to guarantee QoS and reduce maintenance expense. Fault detection is realized by sending and detecting Continuity Check (CC) messages at scheduled times.

The S9300 supports the tools of MAC Ping and MAC Trace by using the loopback (LB) and link trace (LT) packet defined in IEEE 802.1ag to locate faults.

• MAC ping
  MAC ping, realized by the LB message, is used to test whether a device on the network is reachable. It acquires the network state and the delay parameter. To carry out MAC ping between any two devices on the network, the S9300 needs to meet the following requirements:
  − The originating point is an MEP.
  − The two points are MPs belonging to the same MA.
  − The two points are reachable.
• MAC trace
  MAC trace uses the LT message to test the transmission paths of messages and the link break point between the two devices. The requirements for MAC ping also apply to MAC trace.

3.8.3 Ethernet Performance Management

Conforming to ITU-T Y.1731 recommendations, the S9300 supports Ethernet performance management. The S9300 can measure the delay, jitter and packet loss ratio in transmission. To achieve that, the S9300 inserts a timestamp in the LB message defined in IEEE 802.1ag. In this way, the S9300 can carry out performance detection for a specified time period and a specified network segment to measure the performance parameters of end-to-end traffic. The S9300 can measure the performance parameters at scheduled times. The performance parameters, together with the network management information, are output as a report.

By using the performance management tools, the ISP can monitor the network status in real time through the NMS. The ISP checks whether the forwarding capacity of the network complies with the signed Service Level Agreement (SLA). Then, faults can be swiftly located. The ISP need not carry out detection on the user side. This greatly decreases the maintenance expense.

3.9 NQA

This section describes the basics of NQA supported by the S9300.

The S9300 provides the NQA function. NQA measures and diagnoses network performance by sending a specified number of packets between multiple sites. In addition, NQA collects the statistics about network performance such as the jitter, delay, and packet loss ratio.

NQA defines the two test ends as the client and the server. An NQA test is initiated by the client. After the test is configured on the client through command lines or after the configurations of the operation are sent by the NMS, NQA places the tests into test queues based on test types.

Table 3-1 List of NQA diagnosis tools provided by the S9300

| Network Diagnosis Tool | Basic Principle |
|---|---|
| ICMP ping/traceroute tests | ICMP ping is implemented by transmitting ICMP Echo packets between gateway addresses. ICMP traceroute can find out the network gateway on the forwarding path through the TTL timeout messages until the TTL is 0. |
| LSP ping/traceroute tests | LSP ping is implemented by transmitting MPLS Echo Request packets and MPLS Echo Reply packets to test the connectivity of an LSP. LSP traceroute can locate the faulty node on the LSP by sending MPLS Echo Request packets with TTL increasing by 1 each time. |
| Virtual Circuit Connectivity Verification (VCCV) ping tests | VCCV ping is implemented through the extended LSP ping. |
| MAC ping and MAC trace defined in Ethernet OAM tests | MAC ping is implemented by transmitting Loopback (LB) messages defined in IEEE 802.1ag. MAC trace is implemented by transmitting Link Trace (LT) messages defined in IEEE 802.1ag. |
| DHCP tests | Through the DHCP test, you can get the time taken by the client to obtain its IP address from the DHCP server. After the test is complete, the leased IP address is released. In the DHCP test, you need to configure the source interface that sends the discovery packet to the NQA server. |
| FTP tests | FTP tests are performed to obtain the time taken for the FTP client to set up a connection with the FTP server and the time spent on packet transmission. To set up the connection with the FTP server, you must first enter the IP address, user name, and password on the FTP client. In FTP tests, you can perform the Put operation on a specified file and specify the file size. In the Get operation, the time for downloading the file is recorded, whereas in the Put operation, the time for uploading the file is recorded. |
| HTTP tests | HTTP tests have two request modes: Get and Post. Users can choose either of them. After entering a domain name, the HTTP client must perform the following: Send a DNS packet to the resolver for resolving the domain name into an IP address. Record the time for receiving a response packet from the resolver. Set up an HTTP connection with the HTTP server through the three-way handshake; record the time for setting up the connection. Send a Get or Post packet to the HTTP server. Receive a response packet and record the time. HTTP packet transmission is then complete. The response time during the different phases of setting up an HTTP connection is then collected. This is helpful in locating the cause of a delayed response to the HTTP request. NOTE: You can also obtain the time taken for the HTTP client to set up a connection with the HTTP server and the time of packet transmission by directly entering the IP address of the HTTP server. |
| DNS tests | DNS tests are used to check whether the client can set up a DNS connection with the DNS server and collect the time taken to respond to a DNS request packet. In DNS tests, domain names are resolved into IP addresses. In addition, the time taken to set up a DNS connection and return the response packet is recorded. |
| TCP tests | In TCP tests, you must configure the TCP service on the NQA server. The client then originates a test to the specified IP address and port of the server. This test is used to collect the time taken to set up a TCP connection. |
| UDP tests | In UDP tests, you must configure the UDP service on the NQA server. The client then initiates a test to the specified IP address and port of the server. If the filling character is not configured on the client, the system generates a packet with the smallest packet size by default. UDP tests are used to collect the RTT of UDP packets. |
| SNMP tests | In SNMP tests, SNMPv1, SNMPv2c, and SNMPv3 packets are sent to the SNMP agent simultaneously to query the status of the managed device. The agent returns an SNMP response packet of a certain version. That is, if SNMPv1 is enabled on the agent, an SNMPv1 response packet is returned. You can calculate the interval from the time a query packet is sent to the time a response packet is received, based on the timestamp carried in the packets. |
| Jitter tests | In Jitter tests, the sender periodically sends packets to the remote end, with every packet being marked with a timestamp. After receiving a packet, the remote end also marks the packet with a timestamp based on the local system time and returns the packet to the sender. The sender then calculates the jitter time based on the timestamp carried in the received packet. Jitter tests support the sending of a maximum of 3000 packets continuously to simulate voice traffic. You can adjust the number of packets to be sent through licenses. |
| MPing tests | The MPing test uses standard ICMP messages. A querier (an S9300 that performs MPing) generates an ICMP Echo Request message. This message is encapsulated in an IP packet with the destination address being a multicast address (a reserved group address or a common group address). In this manner, the querier can check the members of the reserved group on the specified network segment or test the performance of multicast services over the network. |
| MTrace tests | The MTrace test uses standard IGMP messages. A querier (an S9300 that performs MTrace) generates an ICMP Echo Request message. This message is encapsulated in an IP packet. In this manner, the querier can trace the RPF path or the multicast path. MTrace is often used to maintain multicast services and locate faults. |
| PWE3 Ping tests | The source end sends an MPLS Echo Request message and forwards the packet through a PW. When the packet reaches the outbound interface, the egress of the MPLS domain returns an MPLS Echo Reply message. If the source end receives the MPLS Echo Reply message, it considers that the PW can be used for data forwarding; otherwise, it considers the PW to be unavailable. |
| PWE3 Trace tests | In PWE3 Trace, MPLS Echo Request messages are sent continuously with the carried TTL value increased by 1. The first sent packet carries the TTL 1. Each node along the LSP returns an MPLS Echo Reply message because the TTL of the received packet times out. In this manner, the egress can collect information about each node along the PW and find the failed node. |
| LSP Jitter tests | NQA creates an MPLS Echo Request packet and adds the network address 127.0.0.0/8 to the IP header as the destination IP address. The packet is forwarded along the specified LSP within the MPLS network. The egress monitors port 3503 that sends Echo packets. The LSP Jitter test can test the reachability of LSPs. With the information received by the source, the maximum jitter time from the source to the destination, maximum jitter time from the destination to the source, minimum jitter time, and average jitter time are calculated. The network conditions can be well reflected in the calculated results. A maximum of 1000 LSP ping test instances can concurrently run. After the number of ping test instances reaches the upper limit, a new test instance will be delayed. |
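The timestamp arithmetic behind the Jitter tests and LSP Jitter tests rows of Table 3-1 can be worked through as follows. This is an added example, not the S9300's own computation, which the page does not give: it assumes jitter is the change in one-way transit time between consecutive answered probes, that the minimum and average are taken over both directions, and that a lost probe breaks the pair it belongs to. The probe values are constructed.

```python
def jitter_stats(probes):
    """Compute per-direction jitter from (sent, remote_stamp, received) tuples.

    sent and received are read from the sender's clock, remote_stamp from the
    remote end's clock; all values in milliseconds. A lost probe is
    (sent, None, None). The two clocks do not need to be synchronised: the
    constant offset cancels when consecutive transit times are subtracted.
    """
    sd, ds = [], []
    for prev, cur in zip(probes, probes[1:]):
        if prev[2] is None or cur[2] is None:
            continue                      # a lost probe breaks the pair
        (s0, r0, a0), (s1, r1, a1) = prev, cur
        sd.append(abs((r1 - s1) - (r0 - s0)))   # source -> destination
        ds.append(abs((a1 - r1) - (a0 - r0)))   # destination -> source
    if not sd:
        raise ValueError("need at least two consecutive answered probes")
    lost = sum(1 for p in probes if p[2] is None)
    both = sd + ds
    return {
        "max_sd": max(sd),
        "max_ds": max(ds),
        "min": min(both),
        "avg": sum(both) / len(both),
        "loss_ratio": lost / len(probes),
    }


def constructed_probes(remote_clock_offset_ms):
    """Constructed sample: 5 probes sent 20 ms apart, the last one lost."""
    transit_sd = [10, 12, 9, 15, None]   # source -> destination delay, ms
    transit_ds = [10, 10, 14, 11, None]  # destination -> source delay, ms
    probes = []
    for i, (sd, ds) in enumerate(zip(transit_sd, transit_ds)):
        sent = 20 * i
        if sd is None:
            probes.append((sent, None, None))
            continue
        remote = sent + sd + remote_clock_offset_ms   # remote end's own clock
        received = sent + sd + ds                     # back on sender's clock
        probes.append((sent, remote, received))
    return probes


if __name__ == "__main__":
    # The remote clock is 5 s ahead of the sender; the result does not change.
    print(jitter_stats(constructed_probes(5000)))
    print(jitter_stats(constructed_probes(-123)))
```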

3.10 NAC

This section describes the principle of network admission control (NAC).

The NAC concept is introduced to protect the enterprise intranets against the attacks of emerging hacker technologies such as new viruses and worms. By using the NAC function, the S9300 can allow only the authorized or trusted devices to access the network, for example, personal computers, servers, and PDAs.

The main components of NAC are as follows:

• Agent program installed on the terminal
• Network access device
• Policy server or AAA server
• Anti-virus server
• Management system

When functioning as a network access device, the S9300 provides the following functions:

• 802.1X access, including port mode and MAC mode
• Portal access
• Relay authentication in which the S9300 obtains user entries through DHCP snooping

In addition, the NAC function is applicable to the following special scenarios:

• Best-effort: Users can access the network when the RADIUS server is Down.
• Privileged users and devices without an agent, such as printers and IP phones

Figure 3-6 Main components and networking of NAC

[Figure: NAC networking diagram. Labels: Internet, VPN gateway, enterprise external network, enterprise intranet, pre-authentication domain, authentication domain 1, authentication domain 2, core information, common information, third-party anti-virus server, third-party domain management server, third-party patch server, SA, SACG, SRS, SC, SM.]

SA: Secospace Agent; SM: Secospace Management; SC: Secospace controller; SRS: Secospace repair server; SACG: Security access control gateway


3.11 Multicast

This section describes the basics of IGMP snooping, multicast flow control, controllable multicast, multicast VLAN, and multicast replication.

The S9300 supports rich multicast features including IGMP snooping, IGMP proxy, static multicast, multicast across VLANs, and multicast replication. The S9300 also provides strong multicast duplication capacity and the deployment of multicast services on the VPLS network.

3.11.1 Multicast Routing Protocol

3.11.2 IGMP Snooping

3.11.3 Static Multicast

3.11.4 Multicast VLAN and Multicast Replication

3.11.1 Multicast Routing Protocol

The S9300 supports the following multicast routing protocols:

• Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Dense Mode (PIM-DM), Protocol Independent Multicast-Sparse Mode (PIM-SM), Multicast Source Discovery Protocol (MSDP), and Multi-protocol Border Gateway Protocol (MBGP).
• PIM-SSM: When a multicast source is specified, a host can directly join the multicast source, without registering with the Rendezvous Point (RP).
• Anycast RP: Multiple RPs can exist in a domain and they are configured as MSDP peers. A multicast source can register with the nearest RP, and the receiver can also choose the nearest RP and join the shared tree of the RP. When an RP expires, the multicast source and receiver registered on this RP choose another near RP to register and join. Thus loads are shared on the RPs.
• IPv6 multicast routing protocols: PIM-IPv6-DM, PIM-IPv6-SM, and PIM-IPv6-SSM.
• Multicast Listener Discovery (MLD): MLD is used to set up and maintain the member relationship of groups between hosts and their directly connected multicast routers. The functions and implementation of MLD are the same as those of the IGMP. MLD has the following versions:
  − MLDv1
    MLDv1 is defined in RFC 2710 and derived from IGMPv2. MLDv1 supports the Any-Source Multicast (ASM) model. With the help of SSM mapping, MLDv1 can support the Source-Specific Multicast (SSM) model.
  − MLDv2
    MLDv2 is defined in RFC 3810 and derived from IGMPv3. MLDv2 supports the ASM and SSM models.

When the multicast routing module receives, imports, and advertises multicast routes, the S9300 can filter the routes based on routing policies. When forwarding IP multicast packets, the S9300 can filter and forward the packets based on policies.

3.11.2 IGMP Snooping

Located between the host and the multicast router, the S9300 can statically configure the multicast forwarding entries. In addition, the S9300 maintains the multicast group and the mapping of VLAN ID and outbound ports by listening to the passing IGMP messages. The S9300 dynamically sets up a Layer 2 forwarding table for multicast packets.

When the S9300 receives a multicast packet, it forwards the packet to only the VLAN members of that multicast group. Based on the Layer 2 forwarding table, the packet is multicast in the VLAN. This reduces the number of packets transmitted over the network to save network bandwidth, and improves the security of information.

The IGMP snooping function can also be enabled on the VPLS network.

Prompt Leaving of Ports

When a port of the S9300 is attached with only one host, the S9300 directly deletes the corresponding multicast forwarding entry of that port as long as it receives an IGMP Leave message from the host through that port. After that, the S9300 does not forward IGMP Query messages to that port. This saves bandwidth and system resources and realizes prompt switchover of services.

Multicast Querier

On the Layer 2 network, the S9300 can function as the querier to realize the multicast function in the following ways:

• Runs queries.
• Terminates the IGMP packets.
• Establishes the multicast forwarding table on the Layer 2 network.

The querier can be configured based on VLAN.

When querier is enabled in the VLAN, the multicast querier of the S9300 performs the following functions:

• Terminates the Report packet from the IGMP of the user, and then establishes the multicast forwarding entry based on the Report packet.
• Terminates the Query packet from the IGMP of the router, and then sends the query packet.
• Broadcasts the Protocol Independent Multicast (PIM) packet in the VLAN.
• Terminates the Leave packet from the IGMP of the user. When the user sends a Leave packet, the querier sends a specific group Query packet to confirm it.
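The snooping table, the prompt-leave behaviour and the querier's Leave confirmation described above can be sketched in a few dozen lines. This is an added example, not the S9300 implementation: it handles IGMPv1/v2 Report and IGMPv2 Leave messages only, validates the checksum and the group address before touching the table, and models the group-specific Query as a pending state that `query_timeout` resolves. Port names, VLAN IDs and group addresses are constructed.

```python
import ipaddress
import struct

REPORT_V1, REPORT_V2, LEAVE_V2 = 0x12, 0x16, 0x17


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type: int, group: str) -> bytes:
    """Constructed sample message: 8-byte IGMPv2 header with a valid checksum."""
    body = struct.pack("!BBH4s", msg_type, 0, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


class IgmpSnooper:
    def __init__(self, prompt_leave_ports=()):
        self.prompt_leave_ports = set(prompt_leave_ports)  # single-host ports
        self.table = {}             # (vlan, group) -> set of member ports
        self.pending_leave = set()  # (vlan, group, port) awaiting query result

    def handle(self, vlan: int, port: str, msg: bytes) -> str:
        # A message with a valid checksum sums to zero, checksum included.
        if len(msg) < 8 or inet_checksum(msg) != 0:
            return "ignored: malformed"
        msg_type, _, _, raw_group = struct.unpack("!BBH4s", msg[:8])
        group = ipaddress.IPv4Address(raw_group)
        key = (vlan, str(group))
        if msg_type in (REPORT_V1, REPORT_V2):
            if not group.is_multicast:
                return "ignored: not a multicast group"
            self.table.setdefault(key, set()).add(port)
            self.pending_leave.discard(key + (port,))  # report cancels a leave
            return "joined"
        if msg_type == LEAVE_V2:
            if port not in self.table.get(key, ()):
                return "ignored: not a member"
            if port in self.prompt_leave_ports:
                self._remove(key, port)
                return "removed immediately"
            self.pending_leave.add(key + (port,))
            return "leave pending group-specific query"
        return "ignored: type 0x%02x" % msg_type

    def query_timeout(self, vlan: int, group: str, port: str) -> None:
        """No Report answered the group-specific Query: age the port out."""
        entry = (vlan, group, port)
        if entry in self.pending_leave:
            self.pending_leave.discard(entry)
            self._remove((vlan, group), port)

    def _remove(self, key, port) -> None:
        members = self.table.get(key, set())
        members.discard(port)
        if not members:
            self.table.pop(key, None)

    def egress_ports(self, vlan: int, group: str) -> list:
        return sorted(self.table.get((vlan, group), ()))
```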

Multicast Packet Repression

If the S9300 receives the Report packet or Leave packet from the users within a short period of time, the S9300 checks whether the same Report packet or Leave packet is received in the repression period. The S9300 then determines whether to send the packets to the router. This reduces the number of IGMP packets to be dealt with by the router.

Controllable Multicast

The S9300 can control the access of VLAN or VPLS VSI users to a multicast group by configuring ACL. This implements the controllable multicast communication.


3.11.3 Static Multicast

A user host receives the multicast traffic through a DSLAM. For example, the Set Top Box (STB) receives the video programs from the Broadband Television (BTV). The S9300 can be deployed between multiple DSLAMs and the upstream multicast router. IGMP is not enabled for some VLANs on the S9300. The S9300 sets up the multicast member relationship statically and sets up multicast forwarding entries for those VLANs as required.

Each DSLAM supports the controllable multicast to directly control the addition, deletion, and switching of channels from the STB. The S9300 is not involved in the transmission of IGMP packets. In this way, the delay of images and voices generated when users switch channels is greatly shortened.

3.11.4 Multicast VLAN and Multicast Replication

Multicast VLAN is used to converge and forward the multicast packets of different VLANs. The users join the multicast VLAN when they need multicast packets. Multicast VLAN copies the multicast packets to different user VLANs. This realizes the multicast duplication function across VLANs. The S9300 can copy up to 127 copies of multicast packets of different VLANs to a port.

The S9300 forwards multicast packets through the multicast VLAN, and copies the packets based on the multicast entries. The S9300 then sends these packets to the VLANs of different users. Using the multicast VLAN technique, the S9300 can converge the multicast packets in the entire user VLANs to one or several VLANs.

The multicast across VLAN technique enables the S9300 to send unicast packets and multicast packets in different VLANs. This helps to manage and control the multicast traffic and to save the bandwidth resource.

3.12 Reliability

This section describes the basics of link aggregation, BFD, and HA at the equipment level.

3.12.1 Link Aggregation

3.12.2 DLDP

3.12.3 RRPP and the Multi-Instance Technology

3.12.4 Smart Link and the Multi-Instance Technology

3.12.5 BFD

3.12.6 LSP Protection Switchover

3.12.7 High Availability at the Equipment Level

3.12.1 Link Aggregation

The S9300 can bind multiple ports into an Eth-Trunk interface manually. The S9300 also supports link aggregation in static mode. That is, the administrator sets up the aggregation group and adds member links, and the Link Aggregation Control Protocol (LACP) maintains the aggregated link.


When one of the links fails, traffic is balanced among the other links without interruption. The S9300 supports the aggregation of links on different LPUs, which improves the reliability of services.

3.12.2 DLDP

The S9300 supports the Device Link Detection Protocol (DLDP). DLDP monitors the link status of optical fibers or copper twisted-pair cables. If a unidirectional link exists, DLDP automatically shuts down the port on the unidirectional link or notifies users to shut it down manually, as required. This prevents network faults.

3.12.3 RRPP and the Multi-Instance Technology

To reduce convergence time and remove the impact of network scale on the convergence time, Huawei developed the Rapid Ring Protection Protocol (RRPP), a data link layer protocol used exclusively in Ethernet ring networks.

When an Ethernet ring network is complete, RRPP can prevent broadcast storms caused by data loops. When a link is disconnected, RRPP helps to quickly enable the standby link and then recover the communications between nodes on the ring network.

Compared with other Ethernet ring technologies, RRPP has the following features:

• Convergence time is less than 50 milliseconds (ms).
• Convergence time bears no relation to the number of nodes on a ring network. Thus, RRPP can be applied to a network with a great diameter.
• RRPP can prevent broadcast storms caused by loops when an Ethernet ring network is complete.
• On an Ethernet ring network, when a link is torn down, a backup link immediately starts to resume the normal communications between nodes.

On intersecting RRPP rings, when the topology of one ring changes, topology flapping does not occur on the other rings. Instead, data transmission can be better guaranteed.

The RRPP multi-instance technology applies to ring Ethernet networks. Different RRPP instances are arranged for different C-VLANs to carry out independent calculation and convergence of topologies. In addition, the multi-instance technology optimizes the network and simplifies configurations in complex topologies with multiple intersecting rings or multiple rings in multiple domains.

3.12.4 Smart Link and the Multi-Instance Technology

Dual-homing is one of the most commonly used networking modes. In most cases, STP is enabled to implement the backup of links. STP, however, cannot satisfy users that require quick convergence.

Thus, Smart Link is introduced to provide link backup and fast switching of traffic between the active and standby links. This meets the requirements of users for fast convergence of links. In a dual-homing network, when the active link fails, the device automatically switches traffic to the standby link. In this manner, the redundant link is blocked and backup of links is implemented.

The features of Smart Link are as follows:

• It is dedicated to dual-homing networks.
• The convergence time can reach sub-seconds.
• It is easy to configure and operate.

Multiple Smart Link groups can be configured on an interface to protect different VLANs. This is the Smart Link multi-instance technology. The forwarding status of the interface in the protection VLAN is determined by the status of the Smart Link group to which the interface belongs. To transmit traffic from different VLANs along different forwarding paths, and thus implement load balancing, you must ensure the following:

• An interface is added to different Smart Link groups whose protection VLANs are different.
• The forwarding status of the interface is different in different Smart Link groups.

3.12.5 BFD

The S9300 supports the BFD mechanism to implement fast detection and monitor the connectivity of links.

BFD realizes fast detection of link failures by using the "Hello" protocol. Detection packets are transmitted periodically from both ends of a bidirectional link. If the S9300 fails to receive the detection packets from the peer end within a certain period of time, it indicates that a certain segment of the bidirectional link has failed. BFD then triggers the switchover mechanism to ensure the reliability of the network.

BFD supports failure detection in milliseconds. BFD also supports asynchronous detection.

The S9300 supports the following BFD detection methods:

• Detection of links
• Detection of the connectivity of IP routing
• Detection of the connectivity of an LSP, a CR-LSP, and an MPLS TE protection group
• BFD detection on the VPLS network
  It also processes the diagnosis packet that manages the switchover of VPLS and performs the switchover.

The S9300 supports the association among BFD, 802.3ad, and 802.1ag to achieve end-to-end OAM.

3.12.6 LSP Protection Switchover

The S9300 supports MPLS OAM and fast detection of LSP faults. A standby LSP can be set for the active LSP to realize 1+1 backup of LSPs. When the active LSP fails, services can be fast switched to the standby LSP. This greatly improves the reliability of the network.

3.12.7 High Availability at the Equipment Level

Hot Backup

The S9300 supports hot backup of its key components including the SRU/MCU, power modules, and fan modules.

• SRU/MCU
  The S9300 can be installed with two SRUs/MCUs that run in 1+1 backup mode. The two SRUs/MCUs in 1+1 backup mode support two types of protection switchover:
  − Automatic protection switchover
    It is triggered by the system upon a serious fault or resetting of the active SRU/MCU.
  − Forcible protection switchover
    It is triggered by commands through the console port. You can also prevent the active/standby switchover of the SRUs/MCUs by using commands through the console port.
  After the active/standby switchover is performed, the standby SRU/MCU immediately takes over the entire services. This ensures continuity of services and availability of the system.
• Power modules
  The S9300 can be configured with 4 AC power modules or 4 DC power modules. The power modules work in redundancy backup mode. The power modules provide power for the S9300 when they are correctly installed and powered on. When one of the power modules fails, the other one immediately takes over the services without interruption. The PoE function supports only the AC power modules. The S9303 does not support the backup of PoE power modules. The S9306 and the S9312 support the PoE power modules working in M+N mode.
• Fan modules
  Each fan frame of the S9300 provides two layers of fan frames to carry out backup for the system. When any of the fan frames fails, the other fan frame still ensures that the ambient temperature is not higher than 45°C. To ensure that the ambient temperature is not higher than 40°C, a single fan frame can normally work for only 96 hours. When a fan fails, the system generates an alarm message.

Hot Swap

The SRU, MCU, LPU, CMU, power modules, and fan frames of the S9300 are hot swappable.

FSUA is not hot swappable.

l Hot swap of the SRU/MCU If the S9300 is installed with two SRUs/MCUs that work in 1+1 backup mode, hot swap of the standby SRU/MCU does not interrupt services. Hot swap of the active SRU/MCU, however, implements fast switchover of services to the standby SRU/MCU. The data switching units can work in 1:1 load balancing mode. In this mode, the data switching capability is reduced by half when the SRU is hot swapped.

l Hot swap of the LPU l Hot swap of power modules

When the S9300 is installed with four power modules that run normally, hot swap of one or two of them does not interrupt services.

l Hot swap of fan frames Hot swap of fan frames does not affect services of the S9300.

l Hot swap of the air filter

The air filter is not powered and is swappable as required. It is convenient for routine cleaning.

Inter-SIC Eth-Trunk

Multiple Ethernet ports, either on the same SIC or different SICs, of the S9300 can be bound to a logical Eth-Trunk interface. This realizes backup between ports and load balancing of traffic.

When one member port in the Eth-Trunk interface fails, the services on that port are automatically carried by other ports in the Eth-Trunk interface. In this case, the Eth-Trunk interface can still handle services normally. Therefore, service transmission is not affected.

Because the bound ports belong to different SICs, inter-SIC Eth-Trunk reduces the impact of a fault on one SIC and removes the single point of failure.

Protection Against Abnormity

The S9300 separates the control channel from the service channel. This provides a non-blocking control channel. The S9300 supports the following measures for protecting against abnormities:

• Provides error correction for memory chip faults.
• Provides protection against mis-insertion on the power input interface.
• Provides fan frames with separate power supply channels. The failure of any of the fan frames does not affect the other.
• Provides protections against over-current and over-voltage for power and interface modules.
• Provides protection against mis-insertion of boards to prevent inserting the H-SICs into the L-SIC slots.
• Provides the monitoring and alarm functions for the power modules, voltage and environment temperature.

Protection in Operation

The S9300 supports the following protection measures:

• Supports in-service upgrade of the BootROM, in-service patching, and version rollback.
• Supports data hot backup between the active and standby units. The active unit automatically switches to the standby state when failures occur to the active unit. This prevents loss of data or information.
• Supports timely synchronization of configurations between the LPUs and SRUs/MCUs.
• Supports the abnormity monitoring for the VRP system software, such as automatic restoration and log record.
• Supports final records of process status that can be used to locate faults more easily after an accident.

The S9300 also provides protection against and prompts for improper operations. The S9300 provides operation and confirmation prompts for certain commands that may degrade the system performance.

3.13 LLDP

This section describes the basics of LLDP.

The S9300 supports the Link Layer Discovery Protocol (LLDP). LLDP conforms to IEEE 802.1AB. LLDP discovers the adjacency relationships between devices on the link layer. Interconnected devices use it to acquire the connection information of each other.

Using the LLDP, the local network management station can acquire the link layer information of all devices in the local network. It also collects detailed information about network topology and topology change. This expands the scope of network management.

The port with LLDP enabled on the S9300 periodically notifies the neighbors of its status. If the status changes, the port sends the updates of the current state to the neighbors directly connected to it. The neighbors then store the status of the port in the standard SNMP MIB. The NMS searches the MIB for the link layer information of the network. Based on search results, the NMS can calculate the network topology.

3.14 Security

This section describes the security measures for devices and services.

3.14.1 Security for Devices

3.14.2 Security for Services

3.14.1 Security for Devices

Hierarchical Command Lines

The S9300 authenticates login users for safety when users Telnet to the device through Ethernet ports. Users can log in to configure and maintain the device only after they pass the authentication.

Commands of the S9300 are divided into 4 levels. Login users are also divided into 4 levels corresponding to these 4 levels. After logging in to the S9300, users can run only the commands whose level is the same as or lower than the user level. This mechanism effectively controls the authority of login users.

The S9300 supports the extension of command levels and user levels, which can be mapped from four levels to 16 levels. This level mapping implements effective management on the user levels.

The S9300 can also lock the terminal through commands to prevent illegal use of the terminal.

Remote Login Through SSH

The S9300 supports Secure Shell (SSH) of v1.5 and v2. On a network without security guarantees, SSH provides strong security and authentication for login users and can defend against illegal attacks.

Encryption Authentication in SNMP

The S9300 supports encryption authentication in SNMPv3. It authenticates the validity of the management packets from the NMS.

Authentication, Authorization and Accounting

The S9300 supports Authentication, Authorization and Accounting (AAA). AAA supports three types of user authentication:

• Local authentication
• Remote Authentication Dial-In User Service (RADIUS)
• Huawei Terminal Access Controller Access Control System (HWTACACS) authentication

It can authenticate and authorize login users in cooperation with hierarchical command line protection. It can also authorize the validity of the NMS administrator. The S9300 can defend against login of illegal users based on AAA.

Hierarchical CPU Protection

The S9300 supports two levels of CPU protection.

• Protection at the LPU level

The S9300 performs flow control, based on the protocol type, for the protocol packets and management packets sent from the LPU to the CPU of the SRU. This protects the channel between the LPU and the CPU from being congested with packets through Denial of Service (DoS) attacks.

• Protection at the SRU level

When the CPU receives protocol packets and management packets sent from the LPU, the S9300 applies traffic classification, re-marking, flow control, and the whitelist function to the packets and implements QoS and rate limit on the CPU. This protects the CPU against Distributed DoS (DDoS), IP spoofing, and SYN Flood attacks.

3.14.2 Security for Services

Packet Filtering Through ACL

Packet filtering is used to filter illegal or unwanted packets.

The S9300 filters packets based on user-defined rules. For example, it filters packets by checking the source or destination address of the packet. Packet filtering does not check the state of sessions and does not analyze the data.

By filtering packets, the S9300 can effectively control the packets passing the device.

DHCP Snooping/Option 82

Deployed between the server and client of the Dynamic Host Configuration Protocol (DHCP), the S9300 listens to the DHCP packets that are sent. The S9300 then sets up a table binding the IP address with the MAC address based on the results of monitoring. This prevents illegal packets from being transmitted. The S9300 can also insert the Option 82 field into a packet or strip it from a packet.

• On receiving the request packet from the DHCP client, the S9300 inserts the Option 82 field into the packet. The DHCP server then assigns IP addresses by identifying the Option 82 field.

• The DHCP server inserts the Option 82 field into the response packet. The S9300 analyzes the Option 82 field to select the forwarding port. The S9300 then strips the Option 82 field and forwards the packet to the user.

The Option 82 field records the ID number of the user circuit, which can effectively defend against an attacker tampering with the DHCP packet.

Similarly, with the IP session feature, the S9300 checks the IP addresses, MAC addresses, interface numbers, and VLAN IDs of the packets according to the VLAN or Option 82 information. This prevents unauthorized users from forging IP addresses.
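The Option 82 exchange and the binding-table check described above, as an added Python model that is not Huawei code and not part of the original document. The circuit-ID layout (2-byte VLAN ID plus port name), the port names, the addresses, and all class and function names are assumptions made for the illustration; only the DHCP options field is modelled, not the full packet.

```python
"""Model of DHCP snooping with Option 82 (RFC 3046) and a binding-table check."""
import struct

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID sub-option
DHCPACK = 5


def parse_options(raw: bytes):
    """Decode a code/length/value options field into [(code, value)]."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == OPT_PAD:              # single-byte padding, no length
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated DHCP option")
        opts.append((raw[i], raw[i + 2:i + 2 + raw[i + 1]]))
        i += 2 + raw[i + 1]
    return opts


def build_options(opts) -> bytes:
    """Encode [(code, value)] back into an options field ending with END."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def encode_circuit_id(vlan: int, port: str) -> bytes:
    # Assumed layout for this example: 2-byte VLAN ID followed by the port name.
    return struct.pack("!H", vlan) + port.encode("ascii")


class DhcpSnooper:
    def __init__(self):
        self.bindings = {}   # ip -> (mac, vlan, port), learned from DHCPACKs

    def from_client(self, options: bytes, vlan: int, port: str) -> bytes:
        """Client -> server: insert Option 82 naming the user's circuit."""
        # Assumption: an Option 82 already present in the request is replaced.
        opts = [(c, v) for c, v in parse_options(options) if c != OPT_RELAY_INFO]
        cid = encode_circuit_id(vlan, port)
        opts.append((OPT_RELAY_INFO, bytes([SUB_CIRCUIT_ID, len(cid)]) + cid))
        return build_options(opts)

    def from_server(self, options: bytes, yiaddr: str, chaddr: str):
        """Server -> client: pick the egress port from Option 82, then strip it.

        Returns (port, options) or None when the reply cannot be mapped.
        """
        opts = parse_options(options)
        relay = dict(opts).get(OPT_RELAY_INFO)
        if relay is None:
            return None
        # Sub-options use the same code/length/value layout as options.
        cid = dict(parse_options(relay)).get(SUB_CIRCUIT_ID)
        if cid is None or len(cid) < 3:
            return None
        vlan = struct.unpack("!H", cid[:2])[0]
        port = cid[2:].decode("ascii", "replace")
        if dict(opts).get(OPT_MSG_TYPE) == bytes([DHCPACK]):
            # Lease confirmed by the server: record the binding.
            self.bindings[yiaddr] = (chaddr.lower(), vlan, port)
        return port, build_options([o for o in opts if o[0] != OPT_RELAY_INFO])

    def permit(self, src_ip: str, src_mac: str, vlan: int, port: str) -> bool:
        """Source check: all four fields must match the snooped binding."""
        return self.bindings.get(src_ip) == (src_mac.lower(), vlan, port)


def demo():
    sw = DhcpSnooper()
    # Constructed sample: DHCPREQUEST options from a user on VLAN 10, port GE1/0/3.
    relayed = sw.from_client(bytes([OPT_MSG_TYPE, 1, 3, OPT_END]), 10, "GE1/0/3")
    # Constructed server reply: an ACK that echoes the Option 82 it received.
    opt82 = dict(parse_options(relayed))[OPT_RELAY_INFO]
    ack = build_options([(OPT_MSG_TYPE, bytes([DHCPACK])), (OPT_RELAY_INFO, opt82)])
    egress, to_client = sw.from_server(ack, "192.0.2.25", "00:11:22:33:44:55")
    return sw, relayed, egress, to_client


if __name__ == "__main__":
    sw, relayed, egress, to_client = demo()
    print("relayed request options:", relayed.hex())
    print("reply forwarded on", egress, "with options", to_client.hex())
    print("bound host:", sw.permit("192.0.2.25", "00:11:22:33:44:55", 10, "GE1/0/3"))
    print("forged source:", sw.permit("192.0.2.25", "00:de:ad:be:ef:00", 10, "GE1/0/7"))
```

A packet is accepted only when its IP address, MAC address, VLAN ID and interface all match the binding learned from the snooped DHCPACK, so a host that reuses a leased address from another port or with another MAC address is rejected.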

Limit of MAC Address Learning at Ports

The S9300 supports the limit of MAC address learning.

The S9300 supports setting the maximum number of MAC entries learnt by a port. This can defend against attacks with forged MAC entries and prevent the MAC table resource of the S9300 from being used up.

The S9300 supports the following three ways to limit the number of MAC addresses:

• Based on ports
• Based on VLAN ID
• Based on VSI

When the number of MAC addresses learnt by a port exceeds the limited threshold, the S9300 forwards or discards the incoming packets with new MAC addresses according to the configurations.

Blackhole MAC Entries

The S9300 supports blackhole MAC entries. When the S9300 receives a packet, it compares the destination MAC addresses of the packet with the MAC entries in the blackhole MAC table. If the MAC address of the packet is identical with the MAC address of a blackhole entry, the packet is dropped.

After detecting that packets with a specific MAC address are attack packets, the administrator can set a blackhole MAC entry to filter the packets with that specific MAC address. This can prevent attacks using MAC addresses.

Port Binding Based on MAC+VLAN

To improve the security of interfaces, the S9300 allows the network administrator to add static entries to the MAC address table. The static entries identify the mapping among the specified MAC address, VLAN ID, and interface. This binds the MAC address and VLAN ID to the interface and thus prevents MAC spoofing attacks.
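How the learning limit, blackhole entries and static MAC+VLAN bindings interact on one frame, as an added Python model that is not Huawei code and not part of the original document. The port names, MAC addresses and decision strings are constructed, and dropping a frame whose statically bound source MAC arrives on a different interface is this model's assumption of how the binding stops spoofing; limits per VSI are not modelled.

```python
"""Model of three MAC-table controls: learning limit, blackhole, static binding."""


class MacTable:
    def __init__(self, port_limit=None, vlan_limit=None, over_limit="discard"):
        self.port_limit = port_limit or {}   # port -> max learned MACs
        self.vlan_limit = vlan_limit or {}   # VLAN ID -> max learned MACs
        self.over_limit = over_limit         # "discard" or "forward"
        self.static = {}                     # (mac, vlan) -> bound port
        self.blackhole = set()               # destination MACs to drop
        self.dynamic = {}                    # (mac, vlan) -> learned port

    def _full(self, key, port):
        """True when learning `key` on `port` would exceed a configured limit."""
        others = [(k, p) for k, p in self.dynamic.items() if k != key]
        on_port = sum(1 for _, p in others if p == port)
        in_vlan = sum(1 for k, _ in others if k[1] == key[1])
        return (on_port >= self.port_limit.get(port, float("inf"))
                or in_vlan >= self.vlan_limit.get(key[1], float("inf")))

    def receive(self, src, dst, vlan, port):
        """Return the forwarding decision for one frame."""
        src, dst = src.lower(), dst.lower()
        if dst in self.blackhole:            # destination MAC is blackholed
            return "drop: blackhole"
        bound = self.static.get((src, vlan))
        if bound is not None:                # statically bound source MAC
            # Assumption: a bound MAC seen on another interface is spoofed.
            return "forward" if bound == port else "drop: binding mismatch"
        key = (src, vlan)
        if self.dynamic.get(key) != port:    # new MAC, or MAC seen on a new port
            if self._full(key, port):
                if self.over_limit == "discard":
                    return "drop: learning limit"
                return "forward: not learned"
            self.dynamic[key] = port
        return "forward"


def demo(over_limit="discard"):
    table = MacTable(port_limit={"GE1/0/1": 2}, over_limit=over_limit)
    gateway = "00:11:22:33:44:55"
    table.static[(gateway, 10)] = "GE1/0/24"
    table.blackhole.add("00:de:ad:be:ef:00")
    # Constructed traffic: four forged source MACs arriving on one access port.
    flood = [table.receive(f"02:00:00:00:00:{n:02x}", gateway, 10, "GE1/0/1")
             for n in range(1, 5)]
    spoof = table.receive(gateway, "02:00:00:00:00:01", 10, "GE1/0/1")
    legit = table.receive(gateway, "02:00:00:00:00:01", 10, "GE1/0/24")
    sink = table.receive("02:00:00:00:00:01", "00:DE:AD:BE:EF:00", 10, "GE1/0/1")
    return table, flood, spoof, legit, sink


if __name__ == "__main__":
    table, flood, spoof, legit, sink = demo()
    print("flood decisions:", flood)
    print("bound MAC on wrong port:", spoof)
    print("bound MAC on its port:", legit)
    print("frame to blackholed MAC:", sink)
    print("learned entries:", len(table.dynamic))
```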

Broadcast Traffic Suppression

The S9300 can limit the transmission rate of broadcast packets, multicast packets, and unknown unicast packets based on interfaces.

The S9300 can also limit the maximum traffic percentage of broadcast packets, multicast packets, and unknown unicast packets, thus controlling the traffic volume of broadcast packets.

3.15 Clock

This section describes the clock synchronization and calibration mechanisms supported by the S9300.

The S9300 supports the clock synchronization at the physical layer and calibration mechanisms. These mechanisms provide precise clock for mobile communication services.

With the physical-layer clock synchronization mechanism, the S9300 obtains clock data from the signaling over the physical transport link, thus synchronizing clock frequency. The S9300 can obtain clock data from the synchronized Ethernet links.

3.16 NetStream

This section describes the NetStream function supported by the S9300.

NetStream is a technology for collecting and releasing information about network streams. NetStream provides detailed statistics for accounting based on the occupation of resources, such as links, bandwidth, and time period. NetStream provides advanced network management tools with the key information. It implements almost real-time network monitoring and shows the traffic mode of the entire network. It also provides functions such as fault pre-detection, effective fault rectification, and fast problem solution.

NetStream promotes the technical development of network stream analysis and provides data for carriers in charge settlement, network planning, and networking operation and maintenance.

When the NetStream function is enabled on an S9300, the S9300 provides the traffic sampling and statistics output functions, which do not degrade the forwarding performance.

The details about the NetStream function supported by the S9300 are as follows:

• The S9300 can sample and count the IPv4 packets. The sampling interval is calculated by the number of packets. The sampling ratio on a GE interface is 1/10000. The sampling ratio can be set manually, which ranges from 1 to 65535.

• The S9300 supports the Flexible NetStream function. Compared with the sampling based on the seven keys of the original flow, the user can set necessary keys for packets sampling, which greatly saves the flow entry resources of the system. The supported keys include source IP address, destination IP address, protocol, DSCP, L4 source port, and L4 destination port.

• The S9300 supports 10 aggregation flows, including AS, AS+TOS, Protocol+Port, Protocol+Port+TOS, Destination+Prefix, Destination+Prefix+TOS, Source+Prefix, Source+Prefix+TOS, Prefix, and Prefix+TOS.

• The version of the original flow can be V5 or V9. The version of the aggregation flow can be V8 and V9.

• The S9300 can perform sampling and statistics on both the incoming packets and outgoing packets.

• An LPU supports 4k incoming original flows and 4k outgoing original flows.

4 Maintenance and Network Management

About This Chapter

This section describes the method of configuration and login, the measures to monitor devices and debug faults, the process of software upgrade and in-service patching and the functions of network management system for the S9300.

4.1 Maintenance and Management

This section describes the method of configuration and login, the measures to monitor devices and debug faults, and the process of software upgrade and in-service patching.

4.2 U2000

This section describes the functions of the U2000, including managing resources, topology, configurations, faults, performance, and security.

4.1 Maintenance and Management

This section describes the method of configuration and login, the measures to monitor devices and debug faults, and the process of software upgrade and in-service patching.

4.1.1 Configuration Modes

4.1.2 Management and Monitoring

4.1.3 Diagnosis and Debugging

4.1.4 In-Service Software Upgrade and Patching

4.1.1 Configuration Modes

Multiple Maintenance Modes

The S9300 supports configuration and management in the following ways:

• Through the command line interface (CLI)

Users can configure and manage the S9300 by logging in to the device from a terminal through the console port or the ETH interface.

• Through NMS

Users can configure and manage the S9300 based on SNMP through a network management station.

Flexible Login Modes

To support local and remote login, the S9300 offers the following interfaces:

• Console port

Users can log in to the console port of the S9300 through the RS-232 serial port of a terminal device.

• ETH interface

Users can log in to the ETH interface of the S9300 through Telnet or SSH.

In addition, users can also Telnet to the S9300 through other service ports.

To satisfy different security demands, the S9300 offers various measures to authenticate user login, such as:

• Non-authentication
• Local authentication
• AAA authentication

4.1.2 Management and Monitoring

Hardware Monitoring

The S9300 provides the following hardware monitor functions:

• Provides the MCU, SRU, LPU, CMU, power module, and panel of a fan frame with indicators to indicate their running status.
• Provides in-service board detection, hot swap detection, Watch Dog, board resetting, fan module monitoring, power module monitoring, active/standby switchover and log recording for the users' reference.
• Monitors the temperature of boards automatically when the system is running and controls the temperature.
• Provides statistics on abnormal and error packets.
• Provides statistics on the protocol packets to be delivered to the CPU and details of the packets.
• Provides information for querying the utilization of CPU and memory.

Management and Maintenance

The S9300 provides the following management and maintenance functions:

• Supports multi-user operations and user interface (UI) in two languages: Chinese and English.
• Provides command lines with flexible online help. Command line descriptor searches keywords with a partial match, which speeds up the input of commands.
• Provides hierarchical command lines and management of user authorities which prevents unauthorized users from logging in to the S9300.
• Provides classification and filtering of alarms.
• Provides DosKey-like function to run a history command.

• Provides local and remote loading and upgrading of software and supports version rollback, backup, storage and purge.
• Supports information collection at different layers such as the port, Layer 2, or Layer 3.
• Supports the information center to provide the uniform management of logs, traps and debugging information and can redirect information as required.
• Supports display of system status and version, and environment parameters such as temperature, utilization of CPU and memory.

4.1.3 Diagnosis and Debugging

Ping and Trace

The S9300 supports the following tools for testing the connectivity and recording transmission paths of packets on IP networks:

• Ping
• Trace

The S9300 supports the following tools for testing the connectivity and recording transmission paths of packets on MPLS networks:

• MPLS ping
• MPLS trace

The S9300 provides the following tools to check the link-layer connectivity of the devices on the network and obtain information about network status and delay:

• MAC Ping
• MAC TraceRoute

Debugging

The S9300 provides debugging commands for each feature. The debugging information is extensive and detailed, which makes faults easy to diagnose. Each debugging command supports multiple parameters. Debugging can be enabled or disabled on specified interfaces for specified services through the console port.

The debugging commands can display the following information of the feature:

• Critical events
• Process running
• Packet transmission and processing
• Packet resolution
• State switchover
• Error check

Trace

The S9300 supports the system trace function. Trace is used to perform advanced testing and diagnosis of software. The S9300 also uses trace to record important events online, including task switching, interrupts, queue reading and writing, and system exceptions.

The system can refer to the trace information to locate faults after rebooting in case of failures. Trace can be enabled and disabled by using commands.

Mirroring

The S9300 supports port mirroring and flow mirroring.

• Port mirroring

Incoming traffic, outgoing traffic, or both incoming and outgoing traffic at the observed port is copied intact to the observing port.

• Flow mirroring

Observed flows are copied intact to the observing port.

By connecting a host to the observing port of the S9300 and watching the received packets, the ISPs can observe the packets that the S9300 inputs and outputs. The mirroring function offers a basis for traffic detection, fault location, and data analysis.

Virtual Cable Detection

With the virtual cable detection feature, the S9300 allows you to detect the current status of cables connected to the Ethernet interfaces in the following aspects:

• Whether short circuits or open circuits occur on the receive or transmit cables
• Length of the faulty cable

4.1.4 In-Service Software Upgrade and Patching

In-Service Upgrade

The S9300 supports local and remote upgrading of the system software.

• Local upgrade

When the S9300 is booted, the software can be upgraded through the BootROM menu.

• Remote upgrade

The S9300 supports the active and standby main process units. To ensure uninterrupted services when upgrading the software on the S9300, it is recommended to upgrade the standby main process unit before carrying out active/standby switchover. After upgrading the standby main process unit, upgrade the active main process unit.

In-Service Patching

The S9300 supports in-service patching. The features of in-service patching are as follows:

• The service is not interrupted during the loading of patches.
• The patching can either be confirmed or removed.
• Prompts of patching status are provided.

Version Rollback

The S9300 supports version rollback. The features of version rollback are as follows:

• If the upgraded version becomes unavailable, restart the software of another version to boot the system.

• If faults occur during the process of upgrading or patching, the system can be recovered to the status before the upgrading or patch loading.

4.2 U2000

This section describes the functions of the U2000, including managing resources, topology, configurations, faults, performance, and security.

The S9300 uses the Huawei iManager U2000 as a centralized NMS. The U2000 supports a multi-language graphical user interface (GUI) for convenient and visualized operations. The U2000 also provides northbound interfaces for connecting to a third-party NMS and can be integrated with other NMSs of carriers.

The U2000 uses Simple Network Management Protocol (SNMP) to manage devices and supports the Command Line Interface (CLI) mode to manage device configuration. As the basis of the Huawei data communication network management system, the U2000 provides a solution to manage and maintain the data communication network. The U2000 can manage the network elements and certain devices on the network layer. The details are as follows.

Resource Management

The U2000 provides the resource management function, which enables users to collect statistics on and query the resources on the entire network. Therefore, users can quickly learn the structure and changes of the resources on the network.

The major functions of resource management include:

• Managing entities
• Managing links
• Monitoring resource changes

Topology Management

The U2000 provides the topology management function, which enables users to establish and manage the topology of the network. Users can learn the operating status of devices on the topology view.

The major functions of topology management include:

• Providing the topology view that shows the device relations and topology of the networking; providing an entry for users to configure and maintain the devices
• Allowing users to define and create the topology views according to their needs
• Marking the nodes in different colors to show their status
• Zooming in or out the topology view and providing the aerial view and the full-screen display
• Providing the navigation tree of views, which guides users to the related views quickly
• Loading the topology data of the devices that are added manually or discovered automatically and loading the basic configuration data of the devices added to the topology view, which simplifies configurations
• Polling and updating the status of network devices periodically and mapping the status to the topology view

The U2000 updates the topology data by polling the devices so that the data on the NMS is consistent with the data on the devices. Users can learn the operating status of the entire network in real time by viewing the network view.

• Discovering links through the network resource data, including Layer 2 links and IP links, and providing individual views to show the links

Fault Management

The U2000 supports centralized alarm management, provides various alarm location methods, supports alarm query and alarm filtering, and provides an alarm knowledge base for sharing experience.

The major functions of alarm management include:

• Collecting alarm information of the managed devices and processing SNMPv1, SNMPv2, and SNMPv3 trap data
• Supporting alarm query, which helps users analyze the causes of alarms
• Allowing users to customize alarm levels
• Taking statistics on the alarm information according to the conditions set by users
• Providing alarm knowledge base for users to share experience
• Monitoring alarms on the network in real time by using an alarm board
• Filtering alarms and providing alarm filtering templates
• Providing alarm sounds
• Supporting remote alarm notification

This function is used to notify users who are not on site of alarms. The U2000 can send E-mails or short messages to users to notify the users of alarms.

• Supporting alarm location on the topology

By selecting an alarm, the user can locate the object that generates this alarm on the topology.

• Supporting manual alarm acknowledgement, manual alarm recovery, redefining of alarm levels, alarm classification, and automatic alarm acknowledgement
• Supporting alarm synchronization

The alarms of the devices that support the SNMP and MML protocols can be synchronized on schedule or manually. This improves the reliability of alarms.

• Supporting auto-dump and manual dump of the alarm data
• Marking the nodes in different colors to identify the alarm status and alarm levels of the devices
• Supporting the northbound interfaces, which enable the upper layer NMS to carry out secondary development

Performance Management

The U2000 provides the performance monitoring function, which supports the management of network elements and network performance. The U2000 provides the Web pages for users to analyze current and historical data. This enables users to learn the operating status and performance of the network and helps users prevent network accidents, predict network operating status, and plan the network.

On a large-scale network, the performance management function can be integrated on the distributed collector. Thus the U2000 meets the performance management requirement of the large-scale network through the distributed deployment.

The major functions of performance management include:

• Managing the performance resource
• Managing performance instances
• Setting performance thresholds
• Maintaining data
• Querying and analyzing data
• Monitoring performance of network elements
• Monitoring network traffic
• Monitoring quality of service (QoS)

Test and Diagnosis Management

The U2000 can test the network connectivity and QoS of the network. Users can diagnose network faults according to the test result and minimize the impact of the faults. This function shortens the time spent on fault location and recovery. The test and diagnosis tools include the following:

• Network scanning
• Historical data
• Diagnosis result analysis
• Test suite
• Diagnosis policy

Network Element Configuration

The U2000 provides GUIs for users to configure and maintain the network elements. Most configurations on the devices can be performed on GUIs. The major functions of network element configuration include:

• Managing devices
• Managing entities
• Managing panels
• Managing interfaces
• Managing Link Layer Discovery Protocol (LLDP)
• Managing Ethernet features
• Managing Ethernet OAM
• Managing QoS
• Managing routes
• Managing MPLS
• Managing ACLs
• Managing BFD
• Managing VRRP/VGMP
• Managing EPON

VPN Service Management

The U2000 can uniformly manage the VPN services. Currently, the U2000 can manage the BGP/MPLS VPN, VPLS, and VLL services and provide the functions of service distribution, service monitoring, and service diagnosis.

LSP Service Management

LSP service management is used to plan and deploy the services of the entire MPLS network. The carrier can plan, deploy, audit and monitor the end-to-end LSP through service management. Thus the cost spent on running the MPLS network is effectively cut down.

DC Management

The U2000 provides the centralized management for configuration files and mapping programs. It stores and restores configuration files and upgrades the mapping program and patches. This function helps administrators manage the configuration files of network devices and the mapping programs.

The major functions of DC management include:

• Backing up configuration files periodically, providing a maximum of 20 copies, and restoring services upon wrong configurations
• Upgrading software versions of the devices periodically and in batches, thus minimizing the impact on services
• Comparing the configuration files and presenting the differences between the files, thus helping users find the configuration error quickly
• Discovering and recording the changes of device inventory by polling the device configuration periodically or polling the software mapping periodically

Syslog Management

The U2000 provides GUIs to manage system logs. The log data reported by devices complies with RFC 3164, and the U2000 can present the logs on GUIs for users to query and view. The major functions of syslog management include:

• Managing the logs of the Huawei data communication devices, including sampling and querying the logs, and supporting the log filtering rules and triggering actions, thus facilitating event processing
• Deploying multiple log collectors in distributed manner, thus enabling users to manage large-scale networks
• Setting log filtering rules on each device: discarding the packets matching the rules and storing the packets that do not match the rules
• Setting the log triggering actions to trigger the specified operations when receiving certain logs, thus enabling users to monitor and process key events in time
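The filter-then-trigger handling of RFC 3164 logs described above, as an added Python sketch that is not U2000 code and not part of the original document. The log lines, host name, tags, rule predicates and all class and function names are constructed for the illustration.

```python
"""RFC 3164 syslog parsing with collector-side filter rules and trigger actions."""
import re
from dataclasses import dataclass

_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "   # Mmm dd hh:mm:ss
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


@dataclass(frozen=True)
class Record:
    facility: int
    severity: int      # 0 = emergency ... 7 = debug
    timestamp: str
    host: str
    tag: str
    msg: str


def parse_rfc3164(line: str):
    """Return a Record, or None if the line is not a valid RFC 3164 message."""
    m = _RFC3164.match(line)
    if m is None or int(m["pri"]) > 191:   # 23*8 + 7 is the largest valid PRI
        return None
    pri = int(m["pri"])
    # The TAG is the leading run of alphanumeric characters of the MSG part.
    tag = re.match(r"[A-Za-z0-9]{0,32}", m["msg"]).group(0)
    return Record(pri >> 3, pri & 7, m["ts"], m["host"], tag, m["msg"])


class Collector:
    def __init__(self, filters, triggers):
        self.filters = filters     # predicates: a match discards the record
        self.triggers = triggers   # (predicate, action) pairs run on stored records
        self.stored = []

    def receive(self, line: str) -> str:
        rec = parse_rfc3164(line)
        if rec is None:
            return "malformed"
        if any(rule(rec) for rule in self.filters):
            return "discarded"
        self.stored.append(rec)
        for matches, action in self.triggers:
            if matches(rec):
                action(rec)
        return "stored"


SAMPLE = [  # constructed log lines, not captured from a device
    "<189>Jan  8 10:15:02 sw-core-1 SHELL: user admin logged in from 192.0.2.10",
    "<187>Jan  8 10:15:40 sw-core-1 DEVM: power module 2 failed",
    "<191>Jan  8 10:15:41 sw-core-1 DBG: packet trace line",
    "<188>Jan  8 10:16:03 sw-core-1 SHELL: login failed for user root from 198.51.100.7",
    "<999>Jan  8 10:16:04 sw-core-1 SHELL: PRI out of range",
]


def demo():
    alerts = []
    collector = Collector(
        filters=[lambda r: r.severity == 7],   # discard debug-level records
        triggers=[
            (lambda r: r.severity <= 3,
             lambda r: alerts.append(("fault", r.host, r.tag))),
            (lambda r: "login failed" in r.msg,
             lambda r: alerts.append(("auth", r.host, r.tag))),
        ])
    statuses = [collector.receive(line) for line in SAMPLE]
    return statuses, alerts, collector.stored


if __name__ == "__main__":
    statuses, alerts, stored = demo()
    for line, status in zip(SAMPLE, statuses):
        print(f"{status:10} {line}")
    print("alerts:", alerts)
```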

Security Management

The U2000 provides flexible user authorization policies (based on object and operation) that grant rights to users on the basis of actual management responsibility. In addition, the U2000 provides detailed operation logs that are on the basis of users or tasks.

The major functions of security management include:

• Managing users and user groups
• Managing passwords
• Encrypting and decrypting data
• Managing user authority
• Authenticating login users
• Authenticating user operations
• Disconnecting users forcibly
• Supporting automatic client lock and manual client lock
• Working with the third-party LDAP server to authenticate users
• Supporting ACLs

Operation Log Management

The U2000 can record the key operations performed by users and provide a real-time monitoring window for users to trace and audit the operations.

The network administrator can set query conditions, for example, user name, time range, operation terminal, operation object, operation result, or a combination of these conditions. In this way, the network administrator can see all the operations performed by a user on the NMS.

The major functions of operation log management include:

• Supporting the manual deletion and automatic deletion of operation logs
• Storing operation logs in txt, HTML, or XLS format
• Supporting the output, manual dump, and automatic dump of operation logs

Report Management

The U2000 generates, distributes, and manages reports through the Web. It provides a set of flexible and easy-to-use report services. The U2000 provides a powerful report system that users can use to monitor, analyze, and optimize network performance and make decisions.

The report system not only supports manual and periodical generation of reports, but also distributes the reports. It can be integrated with the NMS security management function and present data perfectly.

5 Networking Applications

About This Chapter

This section describes the typical networking and applications of the S9300.

5.1 Application in the MAN

This section describes the position of the S9300 at the access layer and convergence layer in the MAN.

5.2 Application of MPLS L2VPN

This section describes the function of MPLS VPN that can be applied in the actual networking.

5.3 Application of HVPLS for Dual-homing Protection

This section describes the function of HVPLS that can be applied at the access layer and convergence layer of the MAN.

5.4 Application of RRPP

This section describes the function of RRPP in implementing fast protection switchover on ring networks.

5.5 Application of Smart Link in Dual-Homing Networking

This section describes the function of Smart Link in dual-homing networks.

5.6 Application of Ethernet OAM

This section describes the application of Ethernet OAM on the MAN.

5.7 Application of QoS

This section describes the application of QoS on the MAN.

5.8 Application of Selective QinQ

This section describes the function of selective QinQ that can be applied in the actual networking.

5.9 Application of the S9300 in IPTV Service

This section describes the networking and application policy of the S9300 in the IPTV service.

5.10 Application of the S9300 in NAC Networking

This section describes the application of the S9300 in the NAC networking.

5.1 Application in the MAN

This section describes the position of the S9300 at the access layer and convergence layer in the MAN.

The S9300 is deployed at the access layer and convergence layer of the MAN. Figure 5-1 shows the networking diagram.

Figure 5-1 S9300 application in the MAN

[Diagram not reproduced. Labeled elements: IP/MPLS core, MAN, NPE, UPE, LAN switch, DSLAM.]

As the UPE device in the MAN, the S9300 can converge Internet, VPN, IPTV, and VoIP services from downstream devices such as Digital Subscriber Line Access Multiplexers (DSLAMs) and LAN switches such as the S2300 and S3300.

The S9300 then accesses the upstream NPE devices, such as the Huawei ME60 and NE40E. The S9300 can also act as a PE-AGG in complex networks to implement multiple levels of aggregation.

5.2 Application of MPLS L2VPN

This section describes the function of MPLS VPN that can be applied in the actual networking.

The S9300 provides strong MPLS L2VPN capabilities.

The whole system supports 4 K VLL instances and 1 K VPLS instances.

As shown in Figure 5-2 and Figure 5-3, the S9300 supports VLL and VPLS and provides the point-to-point VPN application and multipoint-to-multipoint VPN application.

Figure 5-2 Point-to-point VPN application (VLL)

[Diagram not reproduced. Labeled elements: MAN, Intranet A, Intranet B, VLL.]

Figure 5-3 Multipoint-to-multipoint VPN application (VPLS)

[Diagram not reproduced. Labeled elements: MAN, VPLS, VLL, Intranet A, Intranet B.]

As shown in Figure 5-4, cooperating with the DSLAM, Access Gateway (AG), and S2300/S3300, the S9300 realizes the mapping between the access services and the VLL or VPLS services.

• Along with the DSLAM/AG, the S9300 maps the QinQ tunnel to the VLL or VPLS service instances. This realizes the VLL services based on Digital Subscriber Line (DSL).
• Along with the S2300 or S3300, the S9300 maps the QinQ tunnel and VLL tunnel to the VLL or VPLS service instances.

The S9300 bears multiple services at the access layer and convergence layer. The S9300 can map a certain type of personal service, such as broadband access or VoIP, to the VLL or VPLS service instances.

Figure 5-4 VPN services realized through the cooperation between the S9300 and CE

[Diagram not reproduced. Labeled elements: VLL/VPLS, DSL, POTS, Ethernet VLL, DSLAM/AG, S2300, QinQ, VLL, S9300, NPE.]

The S9300 provides low-cost VLL or VPLS solutions. This allows the application of MPLS and MPLS VPN at the edge convergence layer.

• Solves the problems of pure Ethernet in terms of scalability, carrier-class reliability, and manageability.
• Lessens the burden on the higher-level NPEs and avoids the problems of overburden and single-site faults.
• Realizes distributed processing of services, with services implemented from devices at the edge convergence layer. This makes services customizable.

5.3 Application of HVPLS for Dual-homing Protection

This section describes the function of HVPLS that can be applied at the access layer and convergence layer of the MAN.

The S9300 supports HVPLS to realize link protection to the two NPEs in dual-homing mode. On the HVPLS network, the S9300 acts as the UPE device to converge services from the CE.

The S9300 supports the following HVPLS network architectures:

• UPE+NPE Network Architecture
• UPE+PE-AGG+NPE Network Architecture

5.3.1 UPE+NPE Network Architecture

5.3.2 UPE+PE-AGG+NPE Network Architecture

5.3.1 UPE+NPE Network Architecture

Figure 5-5 S9300 Application of HVPLS with UPE+NPE network architecture

[Diagram not reproduced. Labeled elements: IP/MPLS core, NPE (ME60, NE40E), H-VPLS, BFD for LSP, UPE (S9300), DSLAM, S2300, LSW.]

As shown in Figure 5-5, on the HVPLS network, the S9300 acts as the UPE device. The Huawei ME60 and NE40E routers can be used as the NPE devices.

• As the UPE device, the S9300 accesses services and classifies traffic through selective QinQ. Services of different types can be mapped to different VSIs and then transparently transmitted to NPE devices through HVPLS.
• The NPE terminates services on the Pseudo Wire (PW) tunnel and then processes services based on the VLAN ID and QinQ information.
• Link protection is realized through the MPLS TE protection group along with BFD for LSP on the HVPLS network.

5.3.2 UPE+PE-AGG+NPE Network Architecture

On the current network, PE-AGG devices can be added between the UPE and NPE devices. PE-AGG devices aggregate services, terminate VPLS, and transparently transmit services to the NPE device. The S9300 can serve as the PE-AGG or UPE device as shown in Figure 5-6.

Figure 5-6 S9300 application of HVPLS with UPE+PE-AGG+NPE network architecture

[Diagram not reproduced. Labeled elements: IP/MPLS core, NPE (ME60, NE40E), PE-AGG (CX600, S9300), H-VPLS, BFD for LSP, UPE (S9300), DSLAM, S2300, LSW.]

In this networking mode:

• As the UPE device, the S9300 functions in the same way as in the "UPE+NPE Network Architecture."
• The S9300 terminates the VPLS tunnel and transparently transmits services to the NPE device.
• The NPE terminates VLAN and QinQ, and then processes services.
• Link protection is realized through BFD for LSP between the S9300 and the NPE device.

5.4 Application of RRPP

This section describes the function of RRPP in implementing fast protection switchover on ring networks.

In the networking where common Ethernet ring networks are used, RRPP is adopted instead of MSTP to achieve fast convergence of topologies.

Generally, the metro Ethernet uses two-layer rings:

• One layer is the convergence layer between the convergence devices PE-AGGs, for example, RRPP Domain 1 shown in Figure 5-7.
• The other layer is the access layer between PE-AGGs and UPEs, for example, RRPP Domain 2 shown in Figure 5-7.

Figure 5-7 Application of intersectant RRPP rings

[Diagram not reproduced. Labeled elements: IP/MPLS core; Ring 1 (Domain 1), aggregation layer; Ring 2 (Domain 2), access layer; S9300-A through S9300-G; S2300, LSW, DSLAM.]

As shown in Figure 5-7, Ring 1 belongs to Domain 1; Ring 2 belongs to Domain 2. Ring 1 and Ring 2 are tangent at S9300-C.

• On Ring 1, S9300-C is the master node; S9300-C, S9300-E, S9300-F, and S9300-G are PE-AGGs.
• On Ring 2, S9300-C is the master node; S9300-A, S9300-B, and S9300-D are UPEs.

For multiple tangent RRPP rings, the failure of a ring does not affect other domains. The convergence process of RRPP rings in a domain is the same as that of a single ring.

On RRPP rings, Layer 2 and Layer 3 services can be fast switched in the case of link faults.

• Fast switch of Layer 2 services

  In normal situations, the data flow travels along the path S9300-A → S9300-B → S9300-C on Ring 2. If the link between S9300-A and S9300-B fails, the data flow is switched to another path on the RRPP ring. After the link between S9300-A and S9300-B fails and the master node is notified of the link fault, the master node immediately unblocks the secondary port. At this point the network topology has changed, so the original MAC address tables of the nodes can no longer correctly guide Layer 2 forwarding, and Layer 2 traffic is interrupted. After unblocking the secondary port, the master node immediately requires the other nodes on the ring to re-learn MAC address entries. The Layer 2 traffic on the RRPP ring is then switched to the path S9300-A → S9300-D → S9300-C.

• Fast switch of Layer 3 services

  In normal situations, the data flow travels along the path S9300-C → S9300-E → S9300-F on Ring 1. When the link between S9300-C and S9300-E fails, the data flow is switched to another path on the RRPP ring. After the link between S9300-C and S9300-E fails and the master node is notified of the link fault, the master node immediately unblocks the secondary port. At this point the network topology has changed, so the original ARPs and FIBs of the nodes can no longer correctly guide Layer 3 forwarding. After unblocking the secondary port, the master node immediately requires the other nodes on the ring to re-learn MAC address entries. The Layer 2 traffic on the RRPP ring is switched to the path S9300-C → S9300-G → S9300-F.

5.5 Application of Smart Link in Dual-Homing Networking

This section describes the function of Smart Link in dual-homing networks.

Generally, Smart Link is adopted on dual-homing Ethernet networks to implement fast switching of links.

Figure 5-8 Application of Smart Link

[Diagram not reproduced. Labeled elements: IP/MPLS core network, PE-AGG1, PE-AGG2, UPE1, UPE2, Smart Link groups, active link, standby link, intranets.]

Smart Link can be deployed anywhere on the MAN to provide dual-homing connections. By adopting Smart Link, UPE 1 or UPE 2 is dual-homed to PE-AGG 1 and PE-AGG 2.

For example, configure the Smart Link group on UPE 1 and UPE 2. The upstream devices only need to receive and send Flush packets. In the two uplinks, one link forwards packets and the other is blocked. When the active link fails, Smart Link swiftly senses the fault and switches traffic to the standby link.

When the Monitor Link group is configured on PE-AGG 1 and PE-AGG 2, the uplink interface is associated with the downlink interface.

5.6 Application of Ethernet OAM

This section describes the application of Ethernet OAM on the MAN.

The S9300 provides Ethernet OAM to implement fault detection and protection switchover in less than 50 ms.

Figure 5-9 Application of Ethernet OAM on the MAN

[Diagram not reproduced. Labeled elements: EFM OAM (802.3ah) on the Ethernet in the first mile, between CEs (hotel, residential area, commercial center, intranet) and UPEs; Ethernet CFM (802.1ag) at the access convergence layer on the MAN, between UPEs and PE-AGGs; backbone network with BRAS, router, and IP/MPLS core network.]

Ethernet CFM can be applied at the access convergence layer on the MAN. MDs are classified based on which ISP manages the devices. All the devices that are managed by the same ISP can be configured in the same MD. MAs are classified based on different services. An MA is associated with a VLAN. MEPs within an MA periodically exchange CCMs to test the connectivity on the network. After Ethernet CFM detects a connectivity fault, alarms are generated and MAC ping and MAC trace are provided to verify and locate the fault.

EFM OAM is enabled on the CEs and UPEs. EFM OAM can test link connectivity of user services by periodically exchanging OAMPDUs between the CE and NPE. EFM OAM monitors link performance by testing the errored frames, errored codes, and errored frame seconds on the link. This provides transmission services required in the SLA for users. EFM OAM also provides alarms when a fault occurs.

5.7 Application of QoS

This section describes the application of QoS on the MAN.

In the networking shown in Figure 5-10, enterprise A has two subdivisions: enterprise A-1 and enterprise A-2; enterprise B has two subdivisions: enterprise B-1 and enterprise B-2. The Ethernet VLL between the subdivisions of an enterprise is used to transmit services of voice, video, and data. Meanwhile, each subdivision requires access to the Internet.

Figure 5-10 S9300 application of QoS

[Diagram not reproduced. Labeled elements: Enterprise A-1, A-2, B-1, and B-2; S2300; S9300; metro network; IP/MPLS core network; Internet; VPN of enterprise A and VPN of enterprise B, each carrying voice (2 Mbit/s), video (4 Mbit/s), and data (4 Mbit/s) within 10 Mbit/s.]

Enterprise A has the following requirements:

• The Ethernet VLL services between enterprise A-1 and enterprise A-2 need a bandwidth of 10 Mbit/s to guarantee bandwidth for different services.
  − Voice services: The guaranteed bandwidth is 2 Mbit/s.
  − Video services: The guaranteed bandwidth is 4 Mbit/s.
  − Data services: The guaranteed bandwidth is 4 Mbit/s. It is also required that the remaining idle bandwidth can be occupied by data services. Thus, the peak bandwidth is 10 Mbit/s.

Enterprise B has the same requirements as enterprise A.

By applying level-2 traffic management of QoS on the S9300, you can meet the requirements of different services and users for network resources.

5.8 Application of Selective QinQ

This section describes the function of selective QinQ that can be applied in the actual networking.

The S9300 provides the selective QinQ function. The networking of selective QinQ is shown in Figure 5-11.

Figure 5-11 S9300 application of selective QinQ

[Diagram not reproduced. Labeled elements: ISP network with router, BRAS, TMG, video server, PSTN, and Internet; S9300; user network with LSW and DSLAM; user VLAN ranges 1-500, 500-700, 700-1000, and 1-1000; double-tagged flows (outer/inner) v10/v100, v10/v600, v10/v800, v30/v450, v30/v650, v30/v850.]

The three enterprise networks shown in Figure 5-11 all need to transmit data, voice, and video services. The S9300 can append an outer ISP VLAN tag to the packets of each kind of access service. For example:

• Add an outer ISP VLAN tag VLAN 10 for data services of VLAN 100, VLAN 600, and VLAN 800 from the customer networks.
• Add an outer ISP VLAN tag VLAN 30 for video services of VLAN 450, VLAN 650, and VLAN 850 from the customer networks.

Offering the selective QinQ function, the S9300 can converge services and choose different paths for various services. This facilitates network deployment.
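The tag selection described above, carried through at frame level as an added Python example (it is not S9300 code): the inner VLAN ID selects the outer ISP VLAN, and the outer tag is inserted in front of the customer tag. The outer TPID of 0x8100, copying the 802.1p priority into the outer tag, returning `None` for unmapped or already double-tagged frames, and the constructed test frame are assumptions.

```python
import struct
from typing import List, Optional

TPID_8021Q = 0x8100  # assumed for both inner and outer tag

# Inner (customer) VLAN -> outer (ISP) VLAN, as listed in the text above.
SELECTIVE_QINQ = {100: 10, 600: 10, 800: 10, 450: 30, 650: 30, 850: 30}


def vlan_tags(frame: bytes) -> List[int]:
    """Return the VLAN IDs of all stacked tags, outermost first."""
    vids, offset = [], 12                    # tags follow the dst and src MAC
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != TPID_8021Q:
            break
        vids.append(tci & 0x0FFF)            # low 12 bits of the TCI are the VID
        offset += 4
    return vids


def push_outer_tag(frame: bytes, mapping=SELECTIVE_QINQ) -> Optional[bytes]:
    """Insert the outer tag chosen by the inner VLAN ID.

    Returns None for frames that are untagged, already double-tagged, or whose
    inner VLAN has no mapping (assumed handling for this sketch).
    """
    tags = vlan_tags(frame)
    if len(tags) != 1 or tags[0] not in mapping:
        return None
    (inner_tci,) = struct.unpack_from("!H", frame, 14)
    outer_tci = (inner_tci & 0xE000) | mapping[tags[0]]   # keep 802.1p bits
    outer_tag = struct.pack("!HH", TPID_8021Q, outer_tci)
    return frame[:12] + outer_tag + frame[12:]


def make_frame(vid: int, priority: int = 0) -> bytes:
    """Build a constructed single-tagged IPv4 frame for the demonstration."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    tci = (priority << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    for vid in (100, 450, 200):
        out = push_outer_tag(make_frame(vid))
        print(vid, "->", vlan_tags(out) if out else "no mapping")
```
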

5.9 Application of the S9300 in IPTV Service

This section describes the networking and application policy of the S9300 in the IPTV service.

5.9.1 Networking of IPTV

5.9.2 Protection of IPTV Services

5.9.1 Networking of IPTV

The S9300 supports IPTV application as shown in Figure 5-12.

Figure 5-12 S9300 application of IPTV

[Diagram not reproduced. Labeled elements: IPTV server, IP/MPLS core, NPE (DR), NPE (BDR), PIM interface, BFD for PIM over VPLS, multicast over PW, H-VPLS, S9300, DSLAM, STB, multicast traffic.]

The S9300 provides the IGMP snooping function and multicast across VLANs. It can serve as the duplication and control point for multicast at the access layer of the MAN to meet the demand for large-capacity multicast services. The multicast traffic can be copied within or across VLANs.

The DSLAM device provides the IGMP proxy function.

In the networking shown in Figure 5-12:

• The S9300 acts as the UPE device. The multicast function is applied to the HVPLS network to process IPTV services.
• The NPE runs the PIM protocol. PIM packets can be transparently transmitted through the daisy chain PW. The NPEs are elected as the Designated Router (DR) or Backup Designated Router (BDR). The DR processes the IGMP packets and copies the video stream from the IPTV server to the daisy chain PW.
• Enable IGMP snooping on the S9300 to listen to IGMP packets. The S9300 only sends an IGMP request packet to join the multicast group. The multicast forwarding group is then established. A static multicast group can be set up with popular channels.

• The S9300 copies the multicast data to the DSLAM based on the multicast forwarding table. The S9300 then copies the multicast data to another S9300 through IGMP snooping over VPLS.

In addition, the S9300 supports port prompt-join or prompt-leave. This realizes fast switch of IPTV services.

5.9.2 Protection of IPTV Services

As shown in Figure 5-13, along with the NPE in the networking, the S9300 provides a protection mechanism for IPTV services.

Figure 5-13 S9300 protection for IPTV services

[Diagram not reproduced. Labeled elements: IPTV server, IP/MPLS core, NPE (BDR), NPE (DR), PIM interface, BFD for PIM over VPLS, H-VPLS, S9300, DSLAM, STB, multicast traffic, fault.]

The S9300 acts as the UPE device. An HVPLS is set up between the S9300 and the NPE. The multicast function is applied to the HVPLS network. The two NPE devices run the PIM protocol.

The following mechanism is used to protect the IPTV services:

1. BFD for PIM over VPLS is enabled between the two NPEs. The BFD detection packet is transmitted over the HVPLS network.

2. BFD for PIM over VPLS is used to detect the status of the multicast link. When faults occur, the BDR is switched to DR. The two NPE devices copy the multicast data to the PW at the same time. When faults are removed, the NPE devices elect the DR and BDR again, and the service returns to normal.

3. When faults occur on the link of the daisy chain, on the S9300, or on one of the NPE devices, BFD for PIM is used to detect the faults in 50 ms.

4. The NPE on the right acts as the BDR. The BDR swiftly switches to DR. Thus both NPE devices become DR and forward multicast packets at the same time.

5. When faults recover, the NPE devices elect the DR and BDR again, and the service returns to normal.

5.10 Application of the S9300 in NAC Networking

This section describes the application of the S9300 in the NAC networking.

Figure 5-14 shows the application of the S9300 in the NAC networking.

Figure 5-14 Application of the S9300 in the NAC networking

[Diagram not reproduced. Labeled elements: policy server, patch/anti-virus server, separated area, visit area, work area, portal server, S9300, ACS/SC.]

On an enterprise intranet, the terminal software program does not need to be installed on a personal computer (PC). The captive portal redirects the user to the login page, where the user enters a user name and password. The NAD, namely, the S9300, then submits the user name and password to the RADIUS server for authentication. Before passing the authentication, the user can access only the resources in the separated area.

The ACS or SC, which is similar to a RADIUS server, returns a message notifying that the user passes the authentication.

The PC and the ACS set up an HTTP link and the ACS verifies the security of the PC. After the security of the PC is verified, the user can access the common data area or core data area depending on the user authority.

When the Session-Time-Out feature is configured, if the authentication server is unavailable, for example, authentication times out or the RADIUS server does not respond, the user is allowed to go online and access the network. In this case, the Session-Time-Out timer is started and the user is authenticated again when the timer expires.
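The admission logic of this section, modeled as an added Python example (it is not S9300 or ACS code), to make the effect of Session-Time-Out measurable: it replays the re-authentication attempts during a server outage and reports how long a PC stays online without having been authenticated. The zone names, the `decide` and `replay` helpers, the sample outage, and keeping the user in the separated area when the feature is not configured are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Radius(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"      # timeout or server unreachable


@dataclass(frozen=True)
class Decision:
    zone: str                        # area the PC may reach
    authenticated: bool
    reauth_after: Optional[int]      # seconds until re-authentication, if any
    reason: str


def decide(radius: Radius, posture_ok: bool, authority: str,
           session_timeout: Optional[int] = None) -> Decision:
    """Admission decision for one authentication attempt."""
    if radius is Radius.NO_RESPONSE:
        if session_timeout is None:
            # Assumption: without the feature the user is not admitted.
            return Decision("separated", False, None, "server unavailable")
        return Decision("network", False, session_timeout,
                        "server unavailable, admitted by Session-Time-Out")
    if radius is Radius.REJECT:
        return Decision("separated", False, None, "authentication rejected")
    if not posture_ok:
        return Decision("separated", True, None, "PC security not verified")
    zone = "core-data" if authority == "core" else "common-data"
    return Decision(zone, True, None, "authenticated and verified")


Answers = List[Tuple[int, Radius, bool]]   # (valid from second, result, posture)


def replay(answers: Answers, authority: str, session_timeout: Optional[int],
           horizon: int) -> List[Tuple[int, Decision]]:
    """Replay attempts at t=0 and at every timer expiry up to `horizon`."""
    timeline, t = [], 0
    while t <= horizon:
        radius, posture_ok = next(
            (r, p) for start, r, p in reversed(answers) if start <= t)
        d = decide(radius, posture_ok, authority, session_timeout)
        timeline.append((t, d))
        if d.reauth_after is None:
            break
        t += d.reauth_after
    return timeline


def unauthenticated_seconds(timeline, horizon: int) -> int:
    """Total time spent online without a successful authentication."""
    total = 0
    for i, (t, d) in enumerate(timeline):
        if d.zone == "network" and not d.authenticated:
            end = timeline[i + 1][0] if i + 1 < len(timeline) else horizon
            total += min(end, horizon) - t
    return total


# Constructed scenario: the server is down for 400 s, then rejects this user.
SAMPLE_OUTAGE: Answers = [(0, Radius.NO_RESPONSE, False), (400, Radius.REJECT, False)]

if __name__ == "__main__":
    for timer in (None, 300, 1800):
        tl = replay(SAMPLE_OUTAGE, "common", timer, horizon=3600)
        print(timer, [(t, d.zone) for t, d in tl],
              unauthenticated_seconds(tl, 3600))
```

In this replay the unauthenticated window is the outage rounded up to a multiple of the timer (600 s for a 300 s timer, 1800 s for an 1800 s timer), so the timer value bounds the exposure, not the outage length.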

6 System Specifications

About This Chapter

This section lists the physical parameters, power supply parameters, specification, and performance indexes of the S9300.

6.1 Technical Specifications

This section describes the appearance, weight, power, input voltage, temperature, and humidity of the S9300.

6.2 Performance Specifications

This section describes the performance specifications of the software and hardware of the S9300.

6.3 Software Features List

This section describes the software features of the S9300.

6.1 Technical Specifications

This section describes the appearance, weight, power, input voltage, temperature, and humidity of the S9300.

6.1.1 Physical Specifications

6.1.2 System Configuration

6.1.1 Physical Specifications

Table 6-1 Physical specifications of the S9300

| Item | Specifications |
|---|---|
| Dimensions (width x depth x height) without the switching rack-mounting ear | S9303: 442.0 x 476 x 175; S9306: 442 x 476 x 441.7; S9312: 442 x 476 x 663.95 |
| Maximum power consumption (fully configured) | S9303: 350 W; S9306: 800 W; S9312: 1400 W |
| Weight (fully configured) | S9303 < 22 kg; S9306 < 42 kg; S9312 < 70 kg |
| DC input voltage: rated voltage | -48 V/-60 V |
| DC input voltage: maximum voltage range | -48 V: -38.4 V to -57.6 V; -60 V: -48 V to -72 V |
| AC input voltage: rated voltage | S9303/S9306: 110 V/220 V; S9312: 220 V |
| AC input voltage: maximum voltage range | 90 V to 290 V |
| PoE: power input mode | Built-in. Only the AC power supply is supported. |
| PoE: redundancy mode of power supplies | The S9303 does not support the backup of AC power modules. The S9306 and the S9312 support the power supplies in 3+1, 2+2, or 4+0 (not backup) mode. |
| PoE: output power consumption | S9303: a maximum of 800 W; S9306 and S9312: a maximum of 3200 W |
| Temperature: long-term operation | 0°C to 45°C |
| Temperature: short-term operation | -5°C to 55°C |
| Temperature: storage | -40°C to 60°C |
| Relative humidity: long-term operation | 5% RH to 85% RH, non-condensing |
| Relative humidity: short-term operation | 0% RH to 95% RH, non-condensing |
| Altitude for installation: long-term operation | Less than 3000 m |
| Altitude for installation: storage | Less than 5000 m |

6.1.2 System Configuration

Table 6-2 System configuration of the S9300

| Item | Configuration of the S9312 | Configuration of the S9306 | Configuration of the S9303 | Note |
|---|---|---|---|---|
| Processor | 700 MHz (Dominant frequency) | 700 MHz (Dominant frequency) | 500 MHz (Dominant frequency) | - |
| DDR2 SDRAM | 1 GB | 1 GB | 512 MB | - |
| NVRAM | 512 KB | 512 KB | 512 KB | Battery supply |
| Flash | 64 MB | 64 MB | 64 MB | - |
| CF card | 512 MB | 512 MB | 512 MB | The CF card serves as a mass storage device to save data files and logs. |
| Switching capacity | 2 Tbit/s | 2 Tbit/s | 720 Gbit/s | Bidirectional |
| Backplane capacity | 4.8 Tbit/s | 2.4 Tbit/s | 1.2 Tbit/s | Bidirectional |
| 10GE port density | 144 | 72 | 36 | - |
| FE/GE port density | 576 | 288 | 144 | - |
| Forwarding capability | 1320 Mpps | 1080 Mpps | 540 Mpps | - |
| Number of slots for the LPUs | 12 | 6 | 3 | LPU (Optional) |
| Number of slots for the SRUs/MCUs | 2 | 2 | 2 | S9306/S9312: SRU; S9303: full mesh |
| Max transmission rate on a port of the LPU | 48GE, 12 x 10GE | 48GE, 12 x 10GE | 48GE, 12 x 10GE | - |

6.2 Performance Specifications

This section describes the performance specifications of the software and hardware of the S9300.

Table 6-3 Performance specifications of the S9300

Attribute Service Feature Specifications

Availability 0.99999768

Mean Time Between Failure (MTBF) 24.59 years

Mean Time To Repair (MTTR) 0.5 hours

Availability

Downtime 1.22 minutes/year

Number of MAC addresses supported by each LPU

l ED board: 512 K l EC board: 128 K l EA/SA/12*10GE board: 32 K

Number of VLANs 4 K

Number of trunk groups and number of interfaces supported by each trunk group

128 trunk groups, each of which supports a maximum of 8 interfaces

Rate of learning MAC addresses More than 4000 each second

Number of ARP entries 16 K

Ethernet

Number of ARP entries supported by each LPU

EA/EC/ED board: 16 K SA/12*10GE board: 8 K

Number of QoS queues on a port 8 QoS

CAR ED/EC/EA/12*10GE board: 8 Kbit/s SA board: 64 Kbit/s

ACL ACLv4 Number of IPv4 ACLs supported by each LPU: l ED board: 70K for inbound

traffic; 1000 for outbound traffic l EC board: 70K for inbound

traffic; 1000 for outbound traffic l EA board: 6000 for inbound

traffic; 1000 for outbound traffic l SA board: 3000 for inbound

traffic; 500 for outbound traffic l 12*10GE board: 1200 for

inbound traffic; 500 for outbound traffic

Page 101: Quidway S9300 Product Description

Quidway S9300 Terabit Routing Switch Product Description 6 System Specifications

Issue 05 (2010-01-08) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

6-5

Attribute Service Feature Specifications

ACLv6 Number of IPv6 ACLs supported by each LPU: l ED board: 67K for inbound

traffic; 250 for outbound traffic l EC board: 35K for inbound

traffic; 250 for outbound traffic l EA board: 3000 for inbound

traffic; 250 for outbound traffic l SA board: 1500 for inbound

traffic; 250 for outbound traffic l 12*10GE board: 250 for

inbound traffic; 120 for outbound traffic

Number of LSPs 8 K MPLS

Number of LDP neighbors > 256

Number of VLL entries 4 K L2VPN

Number of VSI entries 1 K

Number of VRFs 2 K L3VPN

Number of VPN routes S9306/S9312: 512 K S9303: 230 K

IP Session - 8 K on an LPU and 16 K on the entire equipment

IPv4 forwarding IPv4 forwarding at line speed

Number of routing entries S9306/S9312: 512K S9303: 230K

IPv4 FIB l ED board: 512 K l EC board: 144 K l EA board: 32 K l SA/12*10GE board: 20 K

IP unicast

IPv6 FIB l ED/EC/EA board: 16 K l SA/12*10GE board: 10 K

Number of static multicast routes 256

Number of L2 multicast forwarding entries

1 K

Multicast

Number of L3 multicast forwarding entries

l ED/EC/EA board: 4 K l SA/12*10GE board: 2 K

Page 102: Quidway S9300 Product Description

6 System Specifications Quidway S9300 Terabit Routing Switch

Product Description

6-6 Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

Issue 05 (2010-01-08)

Attribute Service Feature Specifications

Reliability

BFD:
• BFD sessions: 2 K
• Minimum fault discovery duration: If no FSU is configured, the duration is 3s; if an FSU is configured, the duration is 50 ms.

Ethernet OAM:
802.1ag: Up to 64 MDs can be created on the entire equipment. The number of MAs on the entire equipment is as follows:
− S9312 and S9306: 4 K
− S9303: 2 K
Detection time: 3.3 ms/10 ms/100 ms/1s/10s/1 min/10 min
802.3ah: Detection time: 100 ms/1s

RRPP:
• Maximum number of RRPP instances: 48
• Rings supported by the entire equipment: 64
• Rings supported by an LPU: 5
• Maximum number of RRPP domains: 64
• Link switchover time: less than 50 ms

VRRP:
• VRRP backup groups on the entire equipment: 255
• VRRP backup groups on the entire equipment: 16
• Virtual IP addresses in each VRRP backup group: 16
• Switchover time: If no FSU is configured, the time is 3s; if an FSU is configured, the time is 50 ms.

SmartLink:
• Maximum number of instances on the entire equipment: 48
• The switchover time is less than 50 ms.

MSTP:
• Maximum number of instances on the entire equipment: 48
• The switchover time is less than 100 ms.

6.3 Software Features List

This section describes the software features of the S9300.

Table 6-4 Software features list of the S9300

Feature Description

Ethernet features

Ethernet: Supports full-duplex, half-duplex, and auto-negotiation operating modes. Supports 10/100/1000 Mbit/s and 10 Gbit/s rates on Ethernet ports. Supports rate auto-negotiation on Ethernet ports. Supports flow control on ports. Supports Jumbo packets. Supports binding ports into an Ethernet trunk. Supports load balancing on links in the trunk. Supports port isolation and forwarding restriction. Supports broadcast storm suppression.

VLAN: Supports access modes of Access, Trunk, Hybrid, and QinQ. Supports default VLAN. Supports 1:1 VLAN mapping. Supports N:1 VLAN mapping. Supports 802.1p-based VLAN mapping. Supports QinQ. Supports selective QinQ. Supports VLAN switching.

MAC: Supports automatic learning and aging of MAC addresses. Supports static, dynamic, and blackhole MAC entries. Supports limiting MAC address learning based on ports and VLANs.

ARP: Supports static and dynamic ARP. Supports ARP in VLAN. Supports aging of ARP entries.

Smart Link: Supports Smart Link. Supports Smart Link multi-instance. Supports Monitor Link.

DLDP: Supports unidirectional link detection.

LLDP: Supports LLDP.

Virtual cable test: Supports virtual cable detection.

Protection against Ethernet loops

MSTP: Supports STP. Supports RSTP. Supports MSTP. Supports BPDU guard, root guard, and loop guard. Supports BPDU tunnel.

RRPP: Supports RRPP. Supports RRPP multi-instance.

Loop detection: Supports loop detection.

IP routing

IPv4 unicast: Network management interface supports IPv4 unicast data packets. Network management interface supports static IPv4 unicast routes. Supports RIP, OSPF, IS-IS, and BGP. Supports the DHCP server and the DHCP relay. Supports DHCP snooping.

IPv6 unicast: Supports RIP, OSPFv3, ISISv6, and BGP+. Supports TCP6, ping IPv6, tracert IPv6, and socket IPv6. Supports DHCPv6 snooping.

IPv4/IPv6 transition: Supports the IPv6 over IPv4 tunnel. Supports IPv4 over IPv6. Supports 6FE.

Multicast: Supports IGMP, MLD, MSDP, PIM-DM, PIM-SM, and PIM-SSM. Supports IGMPv1, IGMPv2, IGMPv3 snooping. Supports MLDv1 snooping. Supports fast-leave of users. Controls multicast traffic. Supports multicast VLAN. Supports multicast querier. Suppresses multicast protocol packets. Supports multicast ACL. Supports multicast copy. Supports IGMP snooping over VPLS.

MPLS features

Basic MPLS functions: Supports static LSP. Supports static mapping between VLAN and MPLS SVC to provide virtual dedicated Ethernet lines. Supports L2VPN and L3VPN. Supports two-layer MPLS labels. Supports MPLS over Ethernet. Maps the 802.1p priority to the EXP field in the MPLS packet.

MPLS OAM: Supports LSP ping and LSP traceroute. Supports automatic fault detection. Supports 1+1 protection of LSP.

MPLS-TE: Supports establishment of MPLS-TE tunnel. Supports MPLS-TE protection group.

VLL/HVPLS: Supports VLL in SVC, Martini, Kompella or CCC mode. Supports VPLS in Martini or Kompella mode. Supports HVPLS in LSP and QinQ mode. Supports the VLL access and VPLS access after VLAN switching is performed.

Ethernet OAM

Ethernet OAM: Supports P2P Ethernet fault management defined in IEEE 802.3ah. Supports Ethernet OAM defined in IEEE 802.1ag. Supports MAC ping and MAC trace.

BFD: Supports BFD physical link detection. Supports connectivity detection for IP. Supports connectivity detection for LSP, CR-LSP, and MPLS TE protection group. Supports BFD detection on the VPLS network. Supports BFD detection based on VPLS and protection switchover for the diagnosis packet that manages the switchover of VPLS.

QoS features

Traffic classification: Supports classification based on Layer 2 protocol header, Layer 3 protocol, Layer 4 protocol, 802.1p priority, or their combination. Supports classification based on C-VID of QinQ packets.

Traffic behavior: Controls access of the classified packets. Supports traffic policing based on CAR. Supports packet re-marking according to the classification. Supports queuing of the classified packets. Supports mixed use of traffic classification and traffic behavior.

Queue scheduling: Supports PQ, WRR, DRR, PQ+WRR, and PQ+DRR scheduling.

Congestion avoidance: Supports WRED. Supports tail drop.

Traffic shaping: Supports traffic shaping for the outbound traffic.

Traffic policing: Supports two-level traffic policing.

Clock - synchronization Ethernet

Configuration and maintenance

Terminal services: Supports CLI configuration. Supports prompt and help information in English and Chinese. Supports terminal services through the Console port, AUX port, or Telnet. Supports the Send function to make the terminals communicate with each other.

File system: Supports file system. Supports directory and file management. Supports file uploading and downloading through FTP and TFTP.

Debug and maintenance: Supports unified management of logs, traps, and debugging information. Supports electronic labels. Supports logs of users. Supports detailed debugging information to assist troubleshooting. Supports black box. Supports network testing tools such as traceroute and ping commands. Supports port mirroring and traffic mirroring.

Availability: Supports the power modules in 1+1 or 2+2 backup mode and the fan modules in N+1 backup mode. Supports hot swap of the SRUs/MCUs, LPUs, fan modules, and power modules. Supports the SRUs/MCUs in 1+1 backup mode. Supports automatic switchover and forcible switchover of the SRUs/MCUs. Supports the bundling of Ethernet ports on different boards.

Software upgrade: Supports in-service upgrade of VRP system software. Supports in-service upgrade of BootROM. Supports in-service patch. Supports version rollback.

Security and management

System security: Supports hierarchical commands to protect against unauthorized users. Supports SSH v1.5 and v2.0. Supports RADIUS and HWTACACS authentication. Supports ACL filtering. Supports defense against DoS, TCP SYN flood, UDP flood, broadcast storm, and large-traffic attacks. Supports limiting MAC address learning. Supports blackhole MAC. Supports port isolation. Supports packet filtering. Supports CPU channel guard. Supports the suppression of ARP packets based on IP addresses. Supports blacklist and whitelist. Supports attack trace.

Network management: Supports ping and traceroute functions. Supports SNMPv1/v2c/v3. Supports standard MIB. Supports RMON.