ZXR10 ZSR Intelligent Integrated Multi-Service Router Technical Specification

About the Document

Version | Date     | Author     | Approved By | Remarks
V1.00   | 20070508 |            |             | Not open to the Third Party
V1.1    | 20080307 | zhuhaidong |             | Product update
V1.2    | 20080313 | zhuhaidong |             | Product update

Copyright © 2007 ZTE Corporation, Shenzhen, P. R. China

ZTE CONFIDENTIAL: This document contains proprietary information of ZTE Corporation and is not to be disclosed or used except in accordance with applicable agreements. Due to the update and improvement of ZTE products and technologies, the information in this document is subject to change without notice.

Table of Contents

1 Overview
  1.1 System Description
  1.2 System Architecture
    1.2.1 System Outward Appearance
    1.2.2 Performance
    1.2.3 System Features
    1.2.4 Types of Network Interface
    1.2.5 Operating Environment
  1.3 Technical Advantages
    1.3.1 Modular System Architecture
    1.3.2 High Level of Integration
    1.3.3 Data Encryption Protection Feature
    1.3.4 Convergence of Narrowband and Broadband
    1.3.5 Convergence of IP and Non-IP
    1.3.6 Rich End-to-End QoS Support
    1.3.7 Rich Security Features
    1.3.8 Multi-Function and Multi-Service Platform
    1.3.9 Dual IPv4/IPv6 Stacks
    1.3.10 Routing Protocol Software
    1.3.11 MPLS Routing and Switching Technology
    1.3.12 High-Performance NAT and NAT-PT Support
    1.3.13 Secure, Easy to Manage and Maintain
2 Hardware Architecture
  2.1 Overview
  2.2 General Hardware Architecture
  2.3 Architecture and Technology
    2.3.1 181x/182x Series
    2.3.2 184x/284x/384x/288x/388x Series
3 Key Services and Features Description
  3.1 ZXR10 ZSR Network Address Translation (NAT)
    3.1.1 Translation of Internal Source Address
    3.1.2 Internal Global Address Overlapping
  3.2 ZXR10 ZSR Access Control List
    3.2.1 Features and Basic Format of Access Control List
    3.2.2 Implementation of Access Control List
  3.3 ZXR10 ZSR V-Switch
    3.3.1 Transparent Transmission of PPPoE Packet
    3.3.2 Untagging and Tagging a Layer of VLAN
  3.4 ZXR10 ZSR VPN
    3.4.1 ZXR10 ZSR VPWS
    3.4.2 ZXR10 ZSR VPLS Feature
    3.4.3 ZXR10 ZSR L2TP VPN
    3.4.4 ZXR10 IPSEC VPN
  3.5 Security Function of ZXR10 ZSR
    3.5.1 TCP Monitoring and Interception Function
    3.5.2 Aggregates-Oriented Multi-Levels Anomaly Traffic Control System (A.M.A.T)
4 Operation, Administration and Maintenance (OAM)
  4.1 Overview
  4.2 Simple Network Management Protocol (SNMP)
  4.3 SNMP MIB (Management Information Base)
  4.4 Remote Network Monitoring (RMON)
  4.5 Statistics and Alarm Management Function
  4.6 Log Management Function
  4.7 Unified NM Function
    4.7.1 Foreground Software Module
    4.7.2 Background Unified NM Platform (NetNumen)
5 Typical Networking Application
  5.1 ISP Private Line Access from Large Enterprise
  5.2 ISP Access from Residential Broadband Areas
  5.3 Private Networks such as Big Enterprise/Government Information Network and Data Communications Network (DCN)
  5.4 L2TP Function Application
    5.4.1 L2TP Networking Solution Deployed by Carriers
    5.4.2 L2TP Networking Solution Deployed by the Enterprises
6 Appendix - Abbreviations

Figures

Figure 1 Front panel of ZXR10 ZSR1800 series
Figure 2 Rear panel of ZXR10 ZSR1800 series
Figure 3 Front panel of ZXR10 ZSR series 4-slot chassis
Figure 4 Rear panel of ZXR10 ZSR series 4-slot chassis
Figure 5 Front panel of ZXR10 ZSR 28 & 38 series 8-slot chassis
Figure 6 Rear panel of ZXR10 ZSR 28 & 38 series 8-slot chassis
Figure 7 General architecture of ZXR10 ZSR intelligent integrated multi-service router
Figure 8 General architecture of ZXR10 ZSR intelligent integrated multi-service router
Figure 9 The front view of 181x/182x series products
Figure 10 Top view of 181x/182x series products
Figure 11 Rear view of 181x/182x series products
Figure 12 The front display of 184x/284x/384x series entire equipment
Figure 13 The side view of 184x/284x/384x series entire equipment
Figure 14 The back display of 184x/284x/384x entire equipment
Figure 15 The top display of 184x/284x/384x entire equipment (upper layer)
Figure 16 The top display of 184x/284x/384x entire equipment (lower layer)
Figure 17 184x/284x/384x series fan module
Figure 18 The internal source address is translated into an external source address
Figure 19 Internal global address overlapping
Figure 20 V-Switch implements transparent transmission of PPPoE packets
Figure 21 V-Switch untags and tags a layer of VLAN
Figure 22 VPWS networking
Figure 23 ZXR10 ZSR series TCP interception module working principles (1)
Figure 24 ZXR10 ZSR series TCP interception module working principles (2)
Figure 25 ZXR10 ZSR series TCP interception module working principles (3)
Figure 26 ZXR10 ZSR series TCP interception module working principles (4)
Figure 27 A.M.A.T system principles
Figure 28 Management Model of the SNMP
Figure 29 Private line access from large enterprise
Figure 30 Access from residential broadband areas
Figure 31 Big enterprise/government information network and DCN
Figure 32 Topology figure for L2TP deployed by carriers
Figure 33 Topology figure for L2TP deployed by enterprises

Tables

Table 1 ZXR10 series routers
Table 2 Key parameters of ZXR10 1800 series routers
Table 3 Key parameters of ZXR10 2800 series routers
Table 4 Key parameters of ZXR10 3800 series routers
Table 5 Operating environment of ZXR10 ZSR router

1 OVERVIEW

Routing technology integrates modern communications, computer, networking, microelectronic chip, large-scale integrated circuit, optoelectronic and optical communication technologies. It is an important indicator of the development of a nation's science and technology.

The ZTE router family, ranging from high-end to entry-level product series and from core products to access products, plays an important role in the industry. With complete routing protocol support, rich interfaces and a reliable carrier-class design, ZXR10 routers have won multiple awards within China and have attained excellent results in various international events and interoperability tests.

Table 1 ZXR10 series routers

Model       | English Name
ZXR10 T1200 | Carrier-class High-end router
ZXR10 T600  | Carrier-class High-end router
ZXR10 T128  | Carrier-class High-end router
ZXR10 T64E  | Carrier-class High-end router
ZXR10 GER   | General Excellent Router
ZXR10 ZSR   | Intelligent Integrated Multi-Services Router

This document mainly introduces the ZXR10 ZSR Intelligent Integrated Multi-Service Router.

1.1 System Description

ZXR10 ZSR (Intelligent Integrated Multi-service Router) is another important innovation from ZTE, based on the ZXR10 GAR platform and technology. As an integrated and advanced networking platform, ZXR10 ZSR is more than a router: it provides users with routing, voice, high QoS assurance and service application features. It provides multiple secure access methods for users and integrates multiple service applications. By supporting additional intelligent application modules, ZXR10 ZSR provides easy configuration and provisioning, flexible service management and plentiful services.
With the fast development of broadband access technologies, there are more and more kinds of network edge access, and the bandwidth requirements of network access ports keep growing. To meet the SME requirement for multiple types of access, the ZXR10 ZSR intelligent integrated multi-service router supports all network modules of the GAR series (including synchronous/asynchronous serial port, E1/T1, FE, GE and OC3/STM-1 POS) plus fixed Gigabit Ethernet Combo interfaces supporting 10/100/1000Mbps Ethernet electrical or GE SFP interfaces.

ZXR10 ZSR introduces a high-density Ethernet switching module in order to meet the requirement of interconnection between enterprise internal networks. It provides seamless integration of router and switch, and reduces the bandwidth bottleneck and security problems caused by external interconnections.

For the specific requirements of network security, ZXR10 ZSR provides a complete security solution, a data encryption feature and the intelligent security guard system "AMAT" (Aggregate-oriented Multi-level Anomaly Traffic control system) based on ZTE's self-owned intellectual property. AMAT is a built-in module of the router that controls multi-level abnormal traffic based upon traffic aggregation, in order to filter anomaly traffic. As an anti-attack functional submodule embedded in the router's data forwarding module, it is responsible for generating AMAT rules according to the packets received from the data forwarding module. It then performs matching and traffic filtering according to those rules to avoid network attacks. The processing by the AMAT module does not affect normal traffic forwarding.

With an embedded hardware-based encryption acceleration engine, ZXR10 ZSR provides users with a high-performance IPSec data encryption feature at low cost. Specifically designed for the data forwarding engine, the embedded hardware encryption acceleration engine enables ZXR10 ZSR to offer users efficient IPSec encryption, including voice encryption. In addition, it also supports the RSA and DH public key generation algorithms, as well as the MD5, SHA-1, HMAC-MD5 and HMAC-SHA-1 signature algorithms. So it can fully guarantee information security for government and financial institutions.

The ZXR10 ZSR intelligent integrated multi-service product provides a complete QoS feature set, including CAR, queuing technologies (PQ, CQ, WFQ, CBWFQ/LLQ), congestion avoidance technologies (RED and WRED), scheduling technologies (SP, WRR), hierarchical QoS and SLA, etc.

The ZXR10 ZSR intelligent integrated multi-service router has innovatively applied multi-core CPU technology in an access router, which greatly enhances the processing capability of the access router and the density of high-speed ports. ZXR10 ZSR series routers support up to 4 fixed gigabit interfaces and perform wire-speed forwarding, which surpasses similar products from other vendors in the industry. Therefore, it sets a new standard for the processing capability and port density of access routers.

By integrating multiple technologies and products into one platform, together with ZTE-patented AMAT technology, ZXR10 ZSR intelligent integrated multi-service routers provide customers with a unified communications platform integrating routing, voice, video, security and high QoS assurance for next generation services.

1.2 System Architecture

1.2.1 System Outward Appearance

1. ZXR10 ZSR 1800 series physical appearance
1) Front panel diagram
Figure 1 Front panel of ZXR10 ZSR1800 series
2) Rear panel diagram
Figure 2 Rear panel of ZXR10 ZSR1800 series

2. ZXR10 ZSR series 4-slot chassis physical appearance
1) Front panel diagram
Figure 3 Front panel of ZXR10 ZSR series 4-slot chassis
2) Rear panel diagram
Figure 4 Rear panel of ZXR10 ZSR series 4-slot chassis

3. ZXR10 ZSR 28 & 38 series 8-slot chassis physical appearance
1) Front panel drawing
Figure 5 Front panel of ZXR10 ZSR 28 & 38 series 8-slot chassis
2) Rear panel drawing
Figure 6 Rear panel of ZXR10 ZSR 28 & 38 series 8-slot chassis

1.2.2 Performance

According to their different processing capabilities, ZXR10 ZSR series routers mainly consist of three categories including more than 20 products, in order to meet the requirements of enterprises with various network scales, performance levels and service feature requirements.

Table 2 Key parameters of ZXR10 1800 series routers

Description                        | 1822                                                                   | 1842
Model                              | RA-1822-AC, RA-1822-DC                                                 | RA-1842-AC, RA-1842-DC
Fixed interface                    | 1×Console port, 1×AUX port, 2×USB2.0 interface, 2×10/100M fast Ethernet port | 1×Console port, 1×AUX port, 2×USB2.0 interface, 2×GE Combo port (10/100/1000M electrical interface or 1000M SFP module)
Number of interface card slots     | 2                                                                      | 4
Internal AIM slot number           | 1                                                                      | 2
Internal extended Switch slot      | Not supported                                                          | 1
CPU type and main frequency        | RISC 266Mhz                                                            | RISC 400Mhz
BootRom                            | 512k                                                                   | 1M (dual Bootrom)
NVRAM                              | 256k                                                                   | 512k
FLASH                              | 32MB                                                                   | 64MB
SDRAM (default)                    | 256M SDRAM                                                             | 256M DDR
SDRAM (maximum)                    | 512MB                                                                  | 2GB DDR
Forwarding capability              | 75kpps                                                                 | 150kpps
Capacity of route forwarding table | 64K/256K                                                               | 64K/256K
MPLS VPN                           | 64K/256K                                                               | 64K/256K
Dimensions (W×D×H)                 | 442×44×320mm                                                           | 442×86.1×420mm
Weight                             | 5kg                                                                    | 10kg
Power supply                       | AC rated voltage 100~240V, AC maximum voltage 90~264V; DC rated voltage -48V, DC maximum voltage -40~-57V | (same)
Maximum power consumption          | 150W                                                                   | 240W

Table 3 Key parameters of ZXR10 2800 series routers

Description                        | 2842                                                                   | 2884
Model                              | RA-2842-AC, RA-2842-DC                                                 | RA-2884-AC, RA-2884-DC
Fixed interface                    | 1×Console port, 1×AUX port, 2×USB2.0 interface, 2×GE Combo port (10/100/1000M electrical interface or 1000M SFP module) | 1×Console port, 1×AUX port, 2×USB2.0 interface, 2×10/100M fast Ethernet port (electrical interface) + 2×GE Combo port (10/100/1000M electrical interface or 1000M SFP module)
Number of interface card slots     | 4                                                                      | 8
AIM slot number                    | 2                                                                      | 2
Internal extended Switch slot      | 1                                                                      | 1
CPU type and main frequency        | RISC 533Mhz                                                            | RISC 833Mhz
BootRom                            | 1M (dual Bootrom)                                                      | 1M (dual Bootrom)
NVRAM                              | 512k                                                                   | 512k
FLASH                              | 64MB                                                                   | 64MB
SDRAM (default)                    | 256M DDR                                                               | 256M DDR
SDRAM (maximum)                    | 2GB DDR                                                                | 2GB DDR
Forwarding capability              | 220kpps                                                                | 280kpps
Capacity of route forwarding table | 128k/256K                                                              | 128k/256K
MPLS VPN                           | 128k/256K                                                              | 128k/256K
Dimensions (W×H×D)                 | 442×86.1×420mm                                                         | 442×130.5×420mm
Weight                             | 10kg                                                                   | 15kg
Power supply                       | AC rated voltage 100~240V, AC maximum voltage 90-264V; DC rated voltage -48V, DC maximum voltage -40~-57V | (same)
Maximum power consumption          | 240W                                                                   | 260W

Table 4 Key parameters of ZXR10 3800 series routers

Description                        | 3844                                                                   | 3884
Model                              | RA-3844-AC, RA-3844-DC                                                 | RA-3884-AC, RA-3884-DC
Fixed interface                    | 1×Console port, 1×AUX interface, 2×USB2.0 interface, 2×10/100M fast Ethernet port (electrical interface) + 2×GE Combo port (10/100/1000M electrical interface or 1000M SFP module) | (same)
Number of interface card slots     | 4                                                                      | 8
AIM slot number                    | 2                                                                      | 2
Internal extended Switch slot      | 1                                                                      | 1
CPU type and main frequency        | RISC 1Ghz                                                              | RISC 1Ghz
BootRom                            | 1M (dual Bootrom)                                                      | 1M (dual Bootrom)
NVRAM                              | 512k                                                                   | 512k
FLASH                              | 64MB                                                                   | 64MB
SDRAM (default)                    | 256M DDR                                                               | 512M DDR
SDRAM (maximum)                    | 2GB DDR                                                                | 2GB DDR
Forwarding capability              | 400kpps                                                                | 600kpps
Capacity of route forwarding table | 256K                                                                   | 256K
MPLS VPN                           | 256K                                                                   | 256K
Dimensions (W×H×D)                 | 442×86.1×420mm                                                         | 442×130.5×420mm
Weight                             | 10kg                                                                   | 15kg
Power supply                       | AC rated voltage 100~240V, AC maximum voltage 90-264V; DC rated voltage -48V, DC maximum voltage -40~-57V | (same)
Maximum power consumption          | 240W                                                                   | 260W

1.2.3 System Features

• Link-layer protocols supported: Ethernet, PPP, MPPP, Frame Relay, HDLC, IPoA, etc.
• Network-layer protocol supported: IPv4/IPv6 dual stack
• Transport-layer protocols supported: TCP, UDP, etc.
• Routing protocols supported: RIP/RIPng, OSPFv1/v2/v3, IS-ISv4/v6, BGP4/BGP4+, etc.
• Application-layer protocols supported: Telnet, FTP, TFTP, etc.
• Security applications supported: ACL-based firewall, IPSec, anti-DoS attack, uRPF, policy routing, etc.
• Supports 802.1Q
• Network-layer control applications supported: NAT, NAT-PT, IPv4/IPv6 ACL, etc.
• Network management protocols supported: SNMPv1/v2/v3
• QoS support: DiffServ QoS model, IPv4/IPv6 QoS
• Multicast support: IGMP, DVMRP, PIM-DM, PIM-SM
• MPLS support: LDP, MP-BGP/MPLS VPN
• Tunneling protocols supported: GRE, L2TPv1/v2, etc.
• Supports Radius Client
• Supports DHCP Relay/DHCP Server
• MPLS L2 VPN supported: VPWS, VPLS, Multi-VRF
• AUX supported: remote maintenance
• Supports LFAP
• NetNumen unified network management system with GUI interface supported
• In-band and out-of-band network management supported

1.2.4 Types of Network Interface

• 8-port channelized/non-channelized E1 interface card (supports balanced and unbalanced connections)
• 8-port channelized/non-channelized T1 interface card
• 4-port channelized/non-channelized E1 interface card (supports balanced and unbalanced connections)
• 4-port channelized/non-channelized T1 interface card
• 2-port channelized/non-channelized E1 interface card (supports balanced and unbalanced connections)
• 2-port channelized/non-channelized T1 interface card
• 1-port channelized/non-channelized E1 interface card (supports balanced and unbalanced connections)
• 1-port channelized/non-channelized T1 interface card
• 1-port non-channelized POS3 interface card
• 1-port 10/100Mbps Ethernet interface card supporting optical interface
• 2-port 10/100Mbps Ethernet interface card
• 1-port gigabit Ethernet interface

1.2.5 Operating Environment

Table 5 Operating environment of ZXR10 ZSR router

Item        | Long-term working environment | Short-term working environment
Temperature | 15~30℃                        | -5~40℃
Humidity    | 40~65%                        | 10~90%

AC or DC power supply can be provided as per different requirements. For some series, dual power supplies are supported.

1.3 Technical Advantages

1.3.1 Modular System Architecture

ZXR10 ZSR supports the integration of fixed interfaces and modular interface cards in order to meet users' requirements for performance and network interfaces. ZXR10 ZSR can provide up to 4 gigabit Ethernet interfaces as fixed interfaces and 8 expansion slots. The fixed interfaces provided by ZXR10 ZSR meet users' basic requirements, while the expansion slots can provide customized services for users.

With the modular design, each expansion slot of ZXR10 ZSR connects directly to all switching buses within the system, so that various services can be deployed without any restriction. This avoids many typical problems of products from other vendors, such as too many types of interface modules and special restrictions for each slot.

ZXR10 ZSR provides 2 AIM slots and 1 Ethernet switching slot for voice processing feature enhancement, data encryption and Ethernet switching. With the modular design of the voice data processing module, Ethernet switching module and data security encryption module, users can purchase the corresponding modules as per their different demands. With the development of service applications, users can enhance the capability and performance of the entire system by upgrading the related module(s), which makes the whole system more scalable.

1.3.2 High Level of Integration

Compared with existing products in the industry, ZXR10 ZSR 18/28/38 integrates more fixed interfaces and service application modules. ZXR10 ZSR 18 series products integrate two 10/100Mbps fast Ethernet interfaces, and 28/38 series routers can provide four 10/100/1000Mbps Ethernet Combo (optical/electrical) interfaces.

Figure 7 General architecture of ZXR10 ZSR intelligent integrated multi-service router

The intelligent switching fabric V-BUS system of ZXR10 ZSR integrates multiple system buses, including the fast PCIx bus, CBUS, USB bus, Ethernet switching bus and TDM voice switching bus. With the support of the intelligent switching fabric, all these buses help the various service modules implement fast forwarding seamlessly.
The ZXR10 ZSR system integrates a RISC-based packet processing engine, hardware data encryption/acceleration engine, Ethernet switching engine, QoS engine, application service engine and voice processing engine. These interconnected engines and service units provide users with effective and secure Triple-Play services of data, voice and video simultaneously.

1.3.3 Data Encryption Protection Feature

Embedded with a hardware-based encryption acceleration engine, ZXR10 ZSR can provide users with high-performance IPSec data encryption at a low cost. The embedded hardware-based encryption engine, designed specifically for the data forwarding engine of ZXR10 ZSR, offers users effective IPSec encryption features, including voice encryption. Via the ZXROS software and the embedded hardware-based encryption acceleration engine, it supports encryption/decryption of data and voice, IPSec IKE negotiation, encryption algorithms including DES-CBC, 3DES-CBC and AES-CBC, public key generation algorithms including RSA and DH, as well as signature algorithms such as MD5, SHA-1, HMAC-MD5 and HMAC-SHA1, which can guarantee information security for government and financial institutes.

1.3.4 Convergence of Narrowband and Broadband

ZXR10 ZSR provides users with rich interface types and interface rates, including low-speed synchronous/asynchronous serial interfaces, high-speed synchronous/asynchronous serial interfaces, E1/CE1, E3/CE3, T1/CT1, T3/CT3, OC-3/STM-1c POS, fast Ethernet interfaces and gigabit Ethernet interfaces. With the capability of supporting different interface speeds, ranging from low-speed V24 (asynchronous) 300bps to gigabit Ethernet 1000Mbps, on the same platform, it helps users implement the convergence of narrowband and broadband.

1.3.5 Convergence of IP and Non-IP

In addition to providing multiple IP-based services, ZXR10 ZSR, an intelligent integrated multi-service router, allows users to reuse their traditional non-IP network resources. To save users' investment in fundamental network implementation and traditional network operation, ZXR10 ZSR provides a circuit emulation service to realize transparent TDM over IP transmission. Users can deploy the circuit emulation service with ZXR10 ZSR at the edge of the traditional network to connect any two isolated traditional networks via the IP network and the tunneling service of ZXR10 ZSR. Traditional services can be operated on the IP network by deploying TDM over IP for 2G mobile networks and traditional fixed networks. On one hand, this method saves transmission resources; on the other hand, it allows carrier-independent and location-independent network operations.

Through the circuit emulation service, ZXR10 ZSR implements the convergence of IP and non-IP, which not only protects users' investment in the existing traditional network, but also helps users step forward to an all-IP network.

1.3.6 Rich End-to-End QoS Support

The ZXR10 ZSR intelligent integrated multi-service router provides complete QoS features, including CAR, queuing technologies (PQ, CQ, WFQ, CBWFQ/LLQ), congestion-avoidance technologies (RED, WRED), scheduling technologies (SP, WRR), and hierarchical QoS, etc.

ZXR10 ZSR supports DiffServ for differentiated services, providing IP QoS to meet the requirements of traffic management; streams can be classified based on interface, VLAN, 802.1p, source/destination IP address, TOS, protocol type and port number.

Traffic engineering based upon MPLS TE is supported for network traffic engineering, making network operation more stable and offering carriers the most profitable use of bandwidth; it supports the RSVP protocol to provide sound SLA applications.

1.3.7 Rich Security Features

The ZTE intelligent security protection system "AMAT: Aggregates-Oriented Multi-Levels Anomaly Traffic Control System" implements automatic triggering of anomaly traffic processing within the enterprise network, intelligent identification of network attacks, and intelligent generation and activation of attack response policies, to ensure the security of the enterprise network in a smart way. Via the integration of the AMAT system, firewall and IDS/IPS technology, the ZXR10 ZSR platform can intelligently realize network defense and protection.

1.3.8 Multi-Function and Multi-Service Platform

ZXR10 ZSR is designed based upon the ZXROS™ general routing software platform with ZTE self-owned intellectual property. This platform provides various router features and services, supporting IPv4/IPv6 dual stacks, abundant routing protocols (e.g. BGP, PIM), MPLS and MPLS L2/L3 VPN technology, as well as QoS applications such as CAR, etc.

1.3.9 Dual IPv4/IPv6 Stacks

The ZXR10 router series is a new generation router series from ZTE with the first IPv4/v6 dual stack certification in China. It supports various IPv4/v6 protocols and applications, e.g. the OSPFv3 routing protocol, IPv6 multicasting, IPv6 ACL, IPv6 QoS applications, etc.

It supports multiple IPv6 transition mechanisms, including manual tunnel configuration, auto tunnel configuration, 6to4 tunnel, hardware-based NAT-PT, etc.

1.3.10 Routing Protocol Software

Supports the RIP/RIPng, OSPFv1/v2/v3, IS-ISv4/v6 and BGP4/BGP4+ routing protocols.

Supports the IGMP, DVMRP, PIM-DM and PIM-SM multicast protocols.
Huge system capacity and various protocol features enable the construction of large-scale networks.

Carrier-class routing protocol software with industry-leading stability.

Good scalability, which enables system expansion to keep in line with network development.

1.3.11 MPLS Routing and Switching Technology

Support end-to-end MPLS VPN service via virtual routing technology.

Advanced virtual private wire service (VPWS) enables flexible and customized services.

1.3.12 High-Performance NAT and NAT-PT Support

Support large-capacity NAT and IPv6 NAT-PT address mapping.

Support bidirectional NAT-PT.

1.3.13 Secure, Easy to Manage and Maintain

Carrier-class reliability with 1+1 power supply module redundancy. Support VRRP.

Support 8-link simultaneous load sharing to ensure network reliability.

Reliable routing software and the authentication mechanisms of the routing protocols ensure secure operation of the network.

IPSec support, which ensures the security of user information and the irreversibility of the operation.

Comprehensive policy-based packet filtering feature for avoiding DOS attacks.

Permission-based command configuration for secure router operation.

Complete environmental sensor system, including overheating detection, etc.

Complete log management.

Convenient operation and maintenance interface and multiple operation and maintenance modes.

2 HARDWARE ARCHITECTURE

2.1 Overview

The ZXR10 ZSR hardware architecture, which integrates voice, security, data compression, L2 switching, USB intelligent service and large-capacity network storage, is a new series of equipment introduced by ZTE in consideration of the market requirement for service integration.

ZXR10 ZSR hardware is designed to realize different working modes as per users' different configuration requirements via the related hardware and software.
Compared to similar products on the market, ZXR10 ZSR not only implements a modular design, but also supports a wide range of interface speeds from low-end 1200bit/s to high-end 1000Mbit/s, which can satisfy users' requirement for broadband upgrade.

The architecture and technology design is done in consideration of the radiation and EMC (Electromagnetic Compatibility) of the modules and the entire equipment. The three series of ZXR10 ZSR routers are designed to be hardware compatible with each other. Considering the trend towards network service integration nowadays, a powerful hardware foundation for equipment service expansion has been created via the advanced V-BUS architecture:

1. The advanced V-BUS architecture ensures real-time wire-speed concurrency of multiple services and solves the system performance bottleneck of traditional routers caused by a single bus.

2. An industry-leading high-performance RISC processor provides a powerful drive for network service processing.

3. Large-capacity and high-performance system memory and flash provide a stable foundation for deep processing of network services.

4. An embedded high-performance hardware security module fully meets users' security requirements.

5. A high-performance USB2.0 interface module is adopted in consideration of future application expansion.

6. Dual Bootroms and power supply modules are supplied to maximize equipment reliability.

7. The modular hardware architecture is completely compatible with the interface cards of ZXR10 GAR series products, which protects users' investment.

2.2 General Hardware Architecture

The core processing system of the ZXR10 ZSR router adopts a high-performance RISC CPU and a proprietary ASIC architecture based upon the V-BUS multi-bus architecture. With its modular design, it meets users' different demands by corresponding hardware or software.
The relationships between all functional modules are as follows:

Figure 8 General architecture of ZXR10 ZSR intelligent integrated multi-service router

According to the system hardware architecture, ZXR10 ZSR series routers can be divided into the following hardware processing modules:

Central Processing Module: It adopts a high-performance single-core/multi-core CPU with a speed of up to 1.5GHz. The system uses a high-performance DDR2 memory module to provide memory throughput of up to 30Gbps to fit the requirements of network service processing. With the hardware-based encryption module and data compression module embedded in the CPU, the implementation of the system encryption and data compression services has been greatly improved. By using fast internal switching between the CPU and the hardware modules, the bus bottleneck caused by using an external bus for the encryption and compression modules is avoided, which greatly improves service processing efficiency.

Ethernet Switching Unit: The system is embedded with an Ethernet switching unit to offer non-blocking Ethernet switching capability of up to 24Gbps. The Ethernet switching unit enables fast interconnection between all the slots, avoiding the inter-exchange between Ethernet modules that other equipment has. The Ethernet switching unit provides L3 to L7 services with a fast data tunnel via the high-speed data bus and the system's internal switching modules. It solves the problems in L2 data service.

Data Security Processing Unit: The built-in data security processing center module of the system can implement hardware-based IDS and IPS network security features.

Data Service Processing Unit: The system can implement a hardware-based large-capacity IPv4/v6 NAT feature through the embedded data service processing center module.
Large-capacity Data Memory Unit: Via data interaction realized by the high-speed bus, the large-capacity data memory unit module offers sufficient built-in memory space for network security and service expansion applications, such as equipment log alarms, anomaly traffic logs, real-time storage of anomaly traffic, NAT logs, customized voice storage and FTP server, which solves the local data storage problems existing in traditional equipment.

USB Service Expansion Module: The system provides a USB2.0 interface to reserve adequate space for service expansion.

Fixed Interface Module: The basic system is designed to provide 2/4 10/100/1000M Ethernet WAN interfaces.

2.3 Architecture and Technology

2.3.1 181x/182x series

1. Dimensions of 181x/182x series

Overall dimensions: 442mm(W)×45mm(H)×320mm(D);
Main board dimensions: 260mm(W)×163mm(H)×2mm(D);
Rear board dimensions: 175(W)×40.3(H)×3.5(D);
Power supply dimensions: 82(W)×35(H)×211(D);
Dust filter dimensions: 15(W)×45(H)×300(D)

2. The entire equipment consists of cabinet, plug-ins, main board, power supply module, dust filter, etc., as the figures below show. When it is put on a table independently, the bottom plane is fitted with blocks.

Figure 9 The front view of 181x/182x series products

Figure 10 Top view of 181x/182x series products

Figure 11 Rear view of 181x/182x series products

3. Interfaces for assembly: the overall interfaces include the interfaces linking the power supply and fan to the main board, the interfaces connecting the power supply to the external power supply, and the interfaces that the interface board and main board use to link to the interface of the back plane. The cables consist of the cables of the power supply and the fan.
4. In order to guarantee the reliability of the system, a grounding design must be implemented in the system. On the bottom board of the cabinet, there are earth spikes designed for system grounding in tandem. Outside the cabinet, there are M5 grounding nuts and an ESD mounting hole on the left. In this way, the system will not accumulate static electricity; also, the reference potential of this system is the same as that of other systems.

5. Security design of the entire device: the cover and exterior materials have been given security-oriented treatment; after the chassis is fully assembled, only the ventilation slots are exposed, which prevents rats etc. from getting into the chassis; the bottom board and cover of the device are all provided with effective connections so as to guarantee the ESD function after the device is fully assembled.

2.3.2 184x/284x/384x/288x/388x Series

1. 184x/284x/384x series

Overall dimensions: 442(W)×86.1(H)×420(D);
Rear board dimensions: 390(W)×76(H)×30.5(D);
Dimensions of fan plug-in box: 40(W)×77.5(H)×392.5(D);
User board dimensions: 173.15(W)×20(H)×151(D);
Main board dimensions: 350(W)×35(H)×242.5(D);
Dimensions of the bridging card of the main board: 375.15(W)×20(H)×151(D);
Power supply dimensions: 201(W)×43.3(H)×278(D);

2. 288x/388x series

Overall dimensions: 442(W)×130.5(H)×420(D);
Rear board dimensions: 390(W)×120(H)×30.5(D);
Dimensions of fan plug-in box: 40(W)×121.5(H)×392.5(D);
User board dimensions: 173.15(W)×20(H)×151(D);
Main board dimensions: 350(W)×35(H)×242.5(D);
Dimensions of the bridging card of the main board: 375.15(W)×20(H)×151(D);
Power supply dimensions: 201(W)×43.3(H)×278(D);

3. The 184x/284x/384x and 288x/388x series are composed of system chassis, fan module, network module, power module, system control and bridge module, and dust filters. The height of the 184x/284x/384x series is 2U, and 4 interface boards can be plugged in under maximum configuration.
The height of the 288x/388x series is 3U, and 8 interface boards can be plugged in under maximum configuration. The front view of the 288x/388x series overall system structure is shown in Figure 12. Its side view is shown in Figure 13. The rear view is shown in Figure 14. The layout from the top is shown in Figure 15 and Figure 16. It is divided into 2 layers. The upper 1U space is for the system control and bridge module. The lower 2U space is for the power and interface boards. Its AC power supply is compatible with 100-240 V and has the same shape and size as the DC power supply, so the AC power supply can be interchanged with the DC power supply and vice versa. The fan module layout is shown in Figure 13.

Considering that the router may or may not be mounted in a rack, flanges and blocks are pre-packaged as accessories. 4 blocks need to be installed at the bottom for desktop use. When put on a shelf, flanges need to be installed on the sides. The installation method is decided based on whether the equipment is used on a desktop or put on a shelf.

Figure 12 The front display of 184x/284x/384x series entire equipment

Figure 13 The side view of 184x/284x/384x series entire equipment

Figure 14 The back display of 184x/284x/384x entire equipment

Figure 15 The top display of 184x/284x/384x entire equipment (upper layer)

Figure 16 The top display of 184x/284x/384x entire equipment (lower layer)

Figure 17 184x/284x/384x series fan module

4. In order to guarantee the reliability of the system, a grounding design must be implemented in the system. On the bottom board of the cabinet, there are earth spikes designed for system grounding in tandem.
Outside the cabinet, there are M5 grounding nuts and an ESD mounting hole on the left. In this way, the system will not have an electrostatic problem; also, the reference potential of this system is the same as that of other systems.

5. Security design of the entire device: the cover and exterior materials have been given security-oriented treatment; after the chassis is fully assembled, only the ventilation slots are exposed, which prevents rats etc. from getting into the chassis; the bottom board and cover of the device are all provided with effective connections so as to guarantee the ESD function after the device is fully assembled.

3 KEY SERVICES AND FEATURES DESCRIPTION

3.1 ZXR10 ZSR Network Address Translation (NAT)

Network address translation (NAT) can translate an IP address used in one network into a different IP address in another network. Usually, NAT is used to map IP addresses used in a private network or local enterprise network into one or multiple addresses in the public network or global Internet. The features of NAT are:

• Restrict the number of IP addresses requiring IANA registration used by the private network.
• Save the global IP address space required by the intranet (for example, one organization can use a single IP address for communication on the Internet).
• Keep the confidentiality of the LAN, as the inner IP addresses are not public.

For using NAT, the local network is designated as the internal network, while the global Internet is designated as the external network. In addition, ZXR10 routers also support port address translation (PAT) for dynamic or static binding of port addresses.

3.1.1 Translation of Internal Source Address

When communicating with the external network, this feature can translate an internal IP address into a global IP address from an IP address pool. The following methods can be used to configure static or dynamic internal source address translation:
1. Static translation creates a one-to-one mapping between an internal local address and an internal global address. When an internal host should be accessed by a specified external address, static translation will help the specified external address to access the internal host.

2. Dynamic translation establishes a dynamic mapping between internal local addresses and the external address pool.

The following figure illustrates how a NAT router translates an internal network source address into an external network source address.

Figure 18 The internal source address is translated into external source address (diagram: hosts 1.1.1.1 and 1.1.1.2 on the private side, the router's private interface, the public interface, and Host B 9.6.7.3 on the Internet; in steps 1 to 4 the outbound SA 1.1.1.1 is rewritten to SA 2.2.2.2 and the returning DA 2.2.2.2 is rewritten back to DA 1.1.1.1)

NAT table of Figure 18:
Private local IP    Public global IP
1.1.1.2             2.2.2.3
1.1.1.1             2.2.2.2

3.1.2 Internal Global Address Overlapping

The router can share one global address among multiple local addresses, for which the mapping is stored in the internal global address pool. When address overlapping is configured, the router keeps the appropriate information from higher-level protocols (e.g. TCP or UDP port numbers) and translates the global address into the correct local addresses. When multiple local addresses are mapped to one global address, the TCP or UDP port number of each host among the local addresses is distinguishable. The following figure shows the corresponding NAT operation when an inside global address stands for multiple inside local addresses. The TCP port number is used for discrimination.

Figure 19 Internal global address overlapping (diagram: inside hosts 1.1.1.1 and 1.1.1.2, outside Host B 9.6.7.3 and Host B 6.5.4.7 across the Internet; in steps 1 to 5 the outbound SA 1.1.1.1 is rewritten to SA 2.2.2.2 and the returning DA 2.2.2.2 is rewritten back to DA 1.1.1.1)

NAT table of Figure 19, as far as it can be read from the figure:
Protocol   Inside local IP   Inside global IP   Outside global IP
TCP        1.1.1.2:1723      2.2.2.2:1024       6.5.4.7:23
TCP        1.1.1.1:1024      2.2.2.2:1025       9.6.7.3:23

3.2 ZXR10 ZSR Access Control List

An access control list is used to permit or reject packets based on configured criteria. The packet filtering criteria determine the type of access control list. Packet filtering can be defined based on the following conditions:

• Source IP address
• Destination IP address
• Source port number
• Destination port number
• Type of service (TOS)

Highlights of the ZXR10 ZSR ACL feature are:

• For upper-layer protocols, it filters source and destination addresses and supports multiple filtering conditions;
• For lower-layer forwarding, it defines the maximum and minimum thresholds for source and destination addresses, so flows within this exclusive range can be forwarded. By using the same scope for restricting all ports on the same line card, it allows the lower-layer microcode software to be executed efficiently;
• Support three types of access control list: standard access control list, extended access control list and lower-layer IP-forwarding access control list;
• Currently, name-based access control lists are not yet supported; only number-based access control lists are supported. Access control lists numbered from 1 to 199 are standard access control lists; number <100-199> ones are extended access lists, and number <200-209> ones are lower-layer IP-forwarding access control lists.

3.2.1 Features and Basic Format of Access Control List

1. Standard access control list

A standard access control list is only allowed to filter the source address, and its features are limited. The basic format of a standard access control list is:

(no) access-list list-number {permit|deny} source [source-wildcard]

The list-number is from 1 to 99, which indicates this access control list is a number-based standard access list.
The key words "permit" and "deny" are used to show whether packets that match the access control list should be permitted to pass the interface or be filtered. The source address is the IP address of a host or a subnet in dotted decimal notation. In practice, an IP address in subnet mode is used together with a wildcard mask. Source-wildcard, the wildcard mask of the source address, has the opposite working mechanism to a subnet mask, i.e. a binary "0" bit refers to a "matched" condition (the bit must match), and a binary "1" bit means an "unconcerned" condition (the bit is ignored).

2. Extended Access Control List

An extended access control list permits filtering on the source address, the destination address and the data of the application transmission. The basic format of an extended access control list is:

(no) access-list list-number {permit|deny} protocol source source-wildcard destination destination-wildcard

The list-number is from 100 to 199, which shows this access control list is a number-based extended access list. The key words "permit" and "deny" are used to show whether packets that match the access control list should be permitted to pass the interface or be filtered.

Protocol defines the protocol type that requires filtering, for example IP, TCP, UDP, ICMP, etc. The features of source and source-wildcard are the same as those listed for the standard access control list. The destination address is the IP address of a host or a destination subnet in dotted decimal notation. In practice, an IP address in subnet mode should be used together with a wildcard mask. Destination-wildcard, the wildcard mask of the destination address, has the opposite working mechanism to a subnet mask.

3.2.2 Implementation of Access Control List

For a router interface, a configured access control list will only take effect when it is applied on the interface.
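The wildcard-mask semantics, the two number-based list formats of 3.2.1, and the port-based address overlapping of 3.1.2 are easiest to see in working code. The following model is an added example, not ZTE code and not the ZXROS implementation: it parses access-list lines into entries, evaluates them in list order with an implicit deny (the processing rule stated in 3.2.2), and then applies PAT to the permitted packets. The ACL lines are constructed; the addresses and ports are the constructed sample values of Figures 18 and 19; treating a missing source-wildcard on a standard list as 0.0.0.0 (exact host) is an assumption.

```python
# Added example, not ZTE code: a model of the inside->outside handling in
# sections 3.1 and 3.2 above. The ACL lines, addresses and ports are
# constructed sample values (the addresses are those of Figures 18 and 19).
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr, base, wildcard):
    """Wildcard semantics of 3.2.1: a 0 bit must match, a 1 bit is
    'unconcerned', so only the bits where the wildcard is 0 are compared."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    protocol: str = "ip"          # "ip" matches every protocol
    source: str = "0.0.0.0"
    source_wildcard: str = "255.255.255.255"
    destination: str = "0.0.0.0"
    destination_wildcard: str = "255.255.255.255"


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def parse_access_list(line):
    """Parse one number-based line in either format of 3.2.1.  The list number
    selects the format: 1-99 standard (source only; a missing wildcard is taken
    as 0.0.0.0 = exact host, an assumption), 100-199 extended."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unrecognised access-list line: %r" % line)
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:
        return number, AclEntry(action, "ip", t[3], t[4] if len(t) > 4 else "0.0.0.0")
    if 100 <= number <= 199:
        proto, src, swc, dst, dwc = t[3:8]
        return number, AclEntry(action, proto.lower(), src, swc, dst, dwc)
    raise ValueError("list number %d not modelled" % number)


def acl_decision(entries, pkt):
    """3.2.2 rule: entries are tried in list order, the first match decides,
    and a packet that matches nothing is denied."""
    for e in entries:
        if e.protocol not in ("ip", pkt.protocol):
            continue
        if wildcard_match(pkt.src, e.source, e.source_wildcard) and \
           wildcard_match(pkt.dst, e.destination, e.destination_wildcard):
            return e.action
    return "deny"


class PatTable:
    """Internal global address overlapping (3.1.2): many inside local
    address:port pairs share one inside global address and are told apart by
    the translated source port, allocated upwards from first_port."""

    def __init__(self, global_ip, first_port=1024):
        self.global_ip, self.next_port = global_ip, first_port
        self.outbound = {}   # (proto, local ip, local port) -> global port
        self.inbound = {}    # (proto, global port) -> (local ip, local port)

    def translate_outbound(self, pkt):
        key = (pkt.protocol, pkt.src, pkt.sport)
        if key not in self.outbound:
            self.outbound[key], self.next_port = self.next_port, self.next_port + 1
            self.inbound[(pkt.protocol, self.outbound[key])] = (pkt.src, pkt.sport)
        return Packet(pkt.protocol, self.global_ip, pkt.dst, self.outbound[key], pkt.dport)

    def translate_inbound(self, pkt):
        """Only a reply to an existing mapping reaches an inside host; anything
        else has no translation and is dropped (None)."""
        hit = self.inbound.get((pkt.protocol, pkt.dport))
        if hit is None:
            return None
        return Packet(pkt.protocol, pkt.src, hit[0], pkt.sport, hit[1])


def process_outbound(entries, pat, pkt):
    """Private interface, ingress direction: ACL first, then PAT."""
    if acl_decision(entries, pkt) == "deny":
        return None
    return pat.translate_outbound(pkt)


# Constructed list 101: TCP from 1.1.1.0/24 may go anywhere, everything else denied.
SAMPLE_ACL = [
    "access-list 101 permit tcp 1.1.1.0 0.0.0.255 0.0.0.0 255.255.255.255",
    "access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]


def demo():
    entries = [parse_access_list(line)[1] for line in SAMPLE_ACL]
    pat = PatTable("2.2.2.2")
    a = process_outbound(entries, pat, Packet("tcp", "1.1.1.2", "6.5.4.7", 1723, 23))
    b = process_outbound(entries, pat, Packet("tcp", "1.1.1.1", "9.6.7.3", 1024, 23))
    c = process_outbound(entries, pat, Packet("udp", "1.1.1.1", "9.6.7.3", 5000, 53))
    reply = pat.translate_inbound(Packet("tcp", "9.6.7.3", "2.2.2.2", 23, 1025))
    stray = pat.translate_inbound(Packet("tcp", "9.6.7.3", "2.2.2.2", 23, 4000))
    return a, b, c, reply, stray
```

Running demo() reproduces the table of Figure 19: 1.1.1.2:1723 leaves as 2.2.2.2:1024 and 1.1.1.1:1024 as 2.2.2.2:1025, the UDP packet is dropped by the second (deny) entry, the reply to port 1025 is mapped back to 1.1.1.1:1024, and an unsolicited packet to port 4000 has no mapping and is dropped. Swapping the two SAMPLE_ACL lines makes every packet hit the deny entry first, which is the ordering point 3.2.2 makes.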
As the data flow passing an interface is bidirectional, the access control list should be applied on the interface in one specific direction, either the egress direction (i.e. data flow moving away from the router) or the ingress direction (i.e. data flow entering the router).

There are three procedures for implementing an access control list on an interface:

1. Define the access control list.
2. Define the interfaces on which the access control list will be implemented.
3. Define the direction in which the access control list will be implemented on the interface.

While using an ACL, first the type of ACL is classified via the ACL number, then packets are compared with the configured ACL to see if the packets are permitted to pass through the interface. The rule of ACL processing is that the beginning items are given the highest priority; in other words, items are evaluated in the sequence of the access control list, and processing stops at the first item that matches. Therefore, the sequence is very important when configuring an access control list, and items with high priority should be put at the beginning. If there is an exact match for the packet, it will be permitted or denied to pass through the interface according to the specified field "permit" or "deny". If there is no match for the packet, it will follow the default filtering principle, i.e. the unmatched packet will be denied to pass through the interface.

3.3 ZXR10 ZSR V-Switch

In the "Router + BAS" networking mode, routers have two functions: one is to forward PPPoE data packets to the BAS equipment; the other is to perform data aggregation for providing large customers' access (VPN), QoS, NAT and multicast services. Therefore, ZXR10 ZSR implements L2 transmission of data packets via static V-Switch forwarding. The advantages of V-Switch are as follows:

• As L2 packets can pass routers selectively, networking design can become more flexible.
• Compared with an Ethernet switch, V-Switch can limit broadcast packets.
• As the VLAN ID is changeable, the planning of MAN VLANs can be more flexible.

The equipment implements L2 packet switching via the specified port as per the forwarding table created from the configuration in a specified format. This specified format refers to VLAN ID modification, untagging a layer of VLAN ID, tagging a layer of VLAN ID, etc. ZXR10 ZSR can encapsulate VLAN packets in ETHERNET, POS and E1, so it supports VLAN switching over ETHERNET, POS and E1.

3.3.1 Transparent Transmission of PPPoE Packet

As the following figure shows, the fei_1/3 interface of ZXR10 ZSR connects with the client end of the BAS, and the fei_1/4 interface links to the network end of the BAS. The fei_1/1 interface of ZXR10 ZSR links to the PPPoE user, and the fei_1/2 interface links to the private line user. The VLAN IDs of PPPoE users range from 10 to 19, the VLAN IDs of BAS users are from 20 to 29, and the VLAN IDs of private line users are from 30 to 31.

Figure 20 V-Switch implements transparent transmission of PPPoE packet (diagram: Internet, ZXR10 with Fei_1/4, Fei_1/3, Fei_1/1 and Fei_1/2, the BAS, and switches serving PPPoE users and leased-line users)

Via the V-Switch feature, the PPPoE user's PPPoE authentication message can be transferred between the BAS and the switch.

3.3.2 Untagging and Tagging a Layer of VLAN

As the following figure shows, ZSR-1 links to many switches, and each switch has many VLANs. However, there is only one link between ZSR-1 and ZSR-2, and it has to guarantee that all PPPoE users' authentication messages can reach the BAS. In this case, packets from FEI_1/1 and FEI_1/2 can be encapsulated with another layer of VLAN ID, i.e. QinQ encapsulation. For example, the VLAN ID of packets from FEI_1/1 is (1-4095); after encapsulation, the VLAN ID changes to ((1,1)---(1,4095)).
The VLAN ID of packets from FEI_1/2 is (1-4095), which will change to ((2,1)---(2,4095)) after encapsulation. When ((1,1)---(1,4095)) received by ZSR-2 goes out from FEI_1/3, it will untag the outer VLAN and return to (1-4095). The received ((2,1)---(2,4095)) will untag the outer VLAN and return to (1-4095) while passing out from FEI_1/3. In this way, ZSR-1 and ZSR-2 use one link to implement transparent transmission of the L2 packets of the two FE links.

Figure 21 V-Switch untags and tags a layer of VLAN

3.4 ZXR10 ZSR VPN

Virtual Private Network (VPN) refers to a private network built on top of a public network. "Virtual" indicates that this is a logical private network. As a VPN is used by a specified enterprise or group, the resources of the VPN are isolated from the lower-layer public network. On the other hand, the VPN provides sufficient security to protect itself from external attacks. ZXR10 ZSR series routers provide complete VPN features which offer reliable security and service quality to branch offices, remote users, traveling staff, partners and headquarters.

ZXR10 ZSR series routers contain various features, including BGP/MPLS VPN, L2 MPLS VPN (VPLS/VPWS), L2TP VPN, IPSEC VPN, and GRE VPN.

3.4.1 ZXR10 ZSR VPWS

VPWS (Virtual Private Wire Service) is an L2 VPN service based on interface forwarding. It transfers L2 PDU data across an IP/MPLS backbone network to realize an emulated point-to-point service. The L2 transparent transmission of VPWS over MPLS creates a "one network with multiple services" service mode, which changes the tradition that an L2 link can only be created over a switching network. It enables carriers to provide both L2 and L3 services in one MPLS network.
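Returning to the V-Switch operations of 3.3 and 3.3.2 above (modify a VLAN ID, tag a layer, untag a layer), the following is an added example, not ZTE code, that performs them on raw Ethernet frames and replays the ZSR-1/ZSR-2 scenario: a customer frame with VID 1-4095 from FEI_1/1 gets outer VID 1, one from FEI_1/2 gets outer VID 2, and ZSR-2 strips the outer tag on FEI_1/3. The outer TPID 0x88a8 (802.1ad), the MAC addresses and the PPPoE payload are assumptions; the text does not say which encapsulation the V-Switch uses.

```python
# Added example, not ZTE code: the "tag a layer" / "untag a layer" / "modify
# VLAN ID" operations of 3.3 and 3.3.2 applied to raw Ethernet frames.  The
# outer TPID 0x88a8 (802.1ad), the MAC addresses and the payload are
# assumptions; the text does not say what encapsulation the V-Switch uses.
import struct

TPID_8021Q = 0x8100      # customer (inner) tag
TPID_8021AD = 0x88A8     # service (outer) tag, an assumption
ETHERTYPE_PPPOE_DISCOVERY = 0x8863


def parse_tags(frame):
    """Return (dst, src, [vid, ...] outermost first, ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, vids, etype, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def push_tag(frame, vid, tpid=TPID_8021AD, pcp=0):
    """Tag a layer: insert a new outermost tag right after the MAC addresses."""
    if not 0 < vid < 4096:
        raise ValueError("VLAN ID out of range")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]


def pop_tag(frame):
    """Untag a layer: drop the outermost tag; refuse to touch an untagged frame."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype not in (TPID_8021Q, TPID_8021AD):
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]


def rewrite_vid(frame, new_vid):
    """VLAN ID modification: change the outermost VID, keeping TPID and PCP."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid not in (TPID_8021Q, TPID_8021AD) or not 0 < new_vid < 4096:
        raise ValueError("frame carries no VLAN tag or VID out of range")
    return frame[:12] + struct.pack("!HH", tpid, (tci & 0xF000) | new_vid) + frame[16:]


# Outer VID per ingress port on ZSR-1, as given in 3.3.2: FEI_1/1 -> 1, FEI_1/2 -> 2.
OUTER_VID_BY_PORT = {"FEI_1/1": 1, "FEI_1/2": 2}


def zsr1_ingress(port, frame):
    """ZSR-1: the customer frame (1-4095) becomes (outer, inner) on the one trunk."""
    return push_tag(frame, OUTER_VID_BY_PORT[port])


def zsr2_egress_fei_1_3(frame):
    """ZSR-2, out of FEI_1/3: strip the outer tag, restoring the customer VID."""
    return pop_tag(frame)


def build_customer_frame(vid, payload=b"\x11\x09\x00\x00\x00\x00"):
    """Constructed PPPoE discovery frame carrying a single customer tag."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, vid)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + payload


def round_trip(port, vid):
    """Returns (VIDs seen on the trunk, VIDs after ZSR-2, frame restored?)."""
    original = build_customer_frame(vid)
    on_trunk = zsr1_ingress(port, original)
    restored = zsr2_egress_fei_1_3(on_trunk)
    return parse_tags(on_trunk)[2], parse_tags(restored)[2], restored == original
```

round_trip("FEI_1/1", 100) shows [1, 100] on the trunk and [100] after ZSR-2 with the original bytes restored, which is the ((1,1)---(1,4095)) to (1-4095) behaviour of the text. pop_tag and rewrite_vid deliberately refuse untagged frames rather than silently corrupting the 12 bytes after the MAC addresses.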
The following advantages can be obtained by providing the VPWS feature:

• A unified network supported by MPLS;
• Enjoy the advantages of the traffic engineering and QoS of the MPLS network;
• Make full use of existing network resources.

Created based upon the MPLS network, VPWS provides high-speed transparent transmission between a pair of ports on two routers. VPWS mainly consists of PE routers, the label distribution protocol (LDP) and MPLS tunnels (LSP Tunnel), as the figure shows:

Figure 22 VPWS networking

PE routers between CEs are used to create the PW (Pseudo-wire). The PE router contains and maintains the link information of the L2 transparent transmission circuit. PE routers are responsible for tagging and untagging labels on common data packets from VPN customers; therefore, PE routers must be edge label switching routers.

The two ports used between two PE routers for implementing L2 transparent transmission must be of the same type, for example Ethernet VLAN, HDLC or PPP. Each pair of these ports is identified by a unique virtual channel identifier (VCID).

LSP tunnels over the MPLS network should be pre-configured between the two PE routers. The LSP tunnel provides the Tunnel Label for transparent transmission of data between the two PE routers. At the same time, a direct label distribution protocol session should also be defined between the two PE routers to transfer the virtual link information. The most important part is to distribute the VC label by matching the VCID.

When a data packet enters the PE router via the L2 transparent transmission port, the PE router can find the corresponding tunnel label and VC label by matching the VCID. The PE router will tag two layers of labels onto the packet.
The outer label is the tunnel label, indicating the path from this PE router to the destination PE router; the inner label is the VC label, indicating the router port corresponding to the VCID on the destination PE router.

Note that the PE router should run an L2 status monitoring protocol for each port, for example LMI for frame relay. When a fault occurs, the label distribution protocol is used to remove the path information, so that the L2 transparent transmission is disconnected to avoid useless unidirectional data packets.

3.4.2 ZXR10 ZSR VPLS Feature

VPLS (Virtual Private LAN Service), a type of VPN, can implement multi-site connections as a signaled bridge domain over a carrier's IP/MPLS network. Independent of location, all customer sites within a VPLS appear to be in the same LAN. As VPLS uses Ethernet interfaces to link end-users, it simplifies the LAN/WAN border, which enables fast and flexible services.

When using VPLS, customers fully control the routing information by themselves. What is more, because all routers of a customer belong to the same LAN in VPLS, a simplified IP addressing plan can be used. Especially when compared with networks composed of many different point-to-point links, this advantage is even more obvious. The carrier can also benefit from the simplified management of the VPLS service.

The advantages of VPLS are:

• By providing users with a dedicated virtual Ethernet broadcast domain, VPLS enables the integration of the inner LAN and the WAN (wide area network) within the enterprise, which greatly lowers customers' cost.
• As a kind of L2 VPN, it is very flexible in networking.
• For customers, the maintenance of the network becomes very easy.
After setting up the meshed LSPs, the VPLS instance of the specified PE can receive Ethernet frames from the customer station; it encapsulates these Ethernet frames as per their MAC addresses, then sends them to an LSP. Similar to the MAC address learning and forwarding mechanism in a switch, the PE creates a MAC address table for each VPLS instance. When a customer's Ethernet frame enters the PE, the PE searches for the destination MAC address in the MAC address table. If the MAC address table contains this MAC address, the frame is sent to the LSP which delivers it to the remote PE. If there is no matching MAC address in the MAC address table, the Ethernet frame is replicated and broadcast to all ports of the VPLS instance except the ingress port. Once the port of the host owning this MAC address responds, the MAC address table of this PE is updated.

When the PE encapsulates an Ethernet frame in an MPLS packet, the header of the MPLS packet contains two layers of labels, which forms the pseudo-wire encapsulation format. The outer label, namely the Tunnel Label, is used to bear the MPLS LSP, and the inner label, the VC Label, represents the virtual circuit, i.e. the different VPLS traffic. As a result, when the destination PE equipment terminates the LSP and pops the outer label, the VC label is used to determine which VPLS instance the traffic belongs to.

As VPLS is a link-layer based VPN technology, it is transparent to L3 protocols. It can support all protocols on the network layer in a secure way.

The basic mechanism of VPLS, virtual private LAN service, is to divide the service provider's network into one or multiple LANs for different enterprises as different VPNs, namely VPLS domains. Each VPLS domain consists of a certain number of PEs. Full-meshed MPLS LSPs are created between the PEs, L2 Ethernet frames are encapsulated via MPLS, and the user's Ethernet traffic is forwarded between the PEs through MPLS; in this way, a point-to-multipoint Ethernet VPN is created.
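The PE behaviour just described (a MAC table per VPLS instance, flooding to every port but the ingress one when the destination is unknown, a tunnel label plus a VC label on the pseudo-wire, and VC-label demultiplexing at the far PE) is modelled below as an added example; it is not ZTE code and not the ZXROS forwarding path. Label values, port names and MAC addresses are constructed. The split-horizon rule in receive_from_pw (a frame that arrived over a pseudo-wire is never sent out over another pseudo-wire) is standard VPLS practice and an assumption here, not something the text states.

```python
# Added example, not ZTE code: a model of the VPLS PE behaviour described in
# 3.4.2 above.  Label values, port names and MAC addresses are constructed.
# Split horizon (never forward a frame from one pseudo-wire onto another) is
# standard VPLS practice and an assumption, not stated in the text.
from dataclasses import dataclass

BROADCAST = b"\xff" * 6


@dataclass(frozen=True)
class LabeledPacket:
    tunnel_label: int   # outer label: the LSP to the remote PE
    vc_label: int       # inner label: which VPLS instance the frame belongs to
    frame: bytes


class VplsInstance:
    def __init__(self, vc_label, local_ports, pseudowires):
        """pseudowires maps remote PE name -> tunnel label of the LSP to it."""
        self.vc_label = vc_label
        self.local_ports = list(local_ports)
        self.pseudowires = dict(pseudowires)
        self.mac_table = {}   # mac -> local port name, or ("pw", remote PE name)

    def forward_from_local(self, ingress_port, frame):
        """Customer frame entering on an attachment circuit.  Returns
        (local egress ports, labelled packets to send over pseudo-wires)."""
        dst, src = frame[:6], frame[6:12]
        self.mac_table[src] = ingress_port                  # learn the source
        where = self.mac_table.get(dst)
        if where is None or dst == BROADCAST:               # unknown: flood
            return ([p for p in self.local_ports if p != ingress_port],
                    [LabeledPacket(t, self.vc_label, frame) for t in self.pseudowires.values()])
        if isinstance(where, tuple):                        # known behind a pseudo-wire
            return [], [LabeledPacket(self.pseudowires[where[1]], self.vc_label, frame)]
        return [where], []

    def receive_from_pw(self, remote_pe, frame):
        """Frame arriving from a pseudo-wire after both labels are removed.
        Returns the local egress ports; split horizon keeps it off other PWs."""
        dst, src = frame[:6], frame[6:12]
        self.mac_table[src] = ("pw", remote_pe)
        where = self.mac_table.get(dst)
        if where is None or dst == BROADCAST:
            return list(self.local_ports)
        return [] if isinstance(where, tuple) else [where]


class PeRouter:
    def __init__(self):
        self.by_vc_label = {}

    def add_instance(self, inst):
        self.by_vc_label[inst.vc_label] = inst

    def receive_mpls(self, pkt, from_pe):
        """The LSP terminates here: the tunnel label is popped and the VC label
        selects the instance.  A VC label nobody owns is dropped (None)."""
        inst = self.by_vc_label.get(pkt.vc_label)
        if inst is None:
            return None
        return inst.receive_from_pw(from_pe, pkt.frame)


def demo():
    host_a, host_b = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
    pe1, pe2 = PeRouter(), PeRouter()
    red_pe1 = VplsInstance(200, ["fei_1/1", "fei_1/2"], {"PE2": 1001})
    red_pe2 = VplsInstance(200, ["fei_2/1"], {"PE1": 1002})
    pe1.add_instance(red_pe1)
    pe2.add_instance(red_pe2)
    # 1. A (on PE1 fei_1/1) sends to B while B is unknown everywhere: flooded.
    local1, pws1 = red_pe1.forward_from_local("fei_1/1", host_b + host_a + b"\x08\x00")
    egress1 = pe2.receive_mpls(pws1[0], "PE1")
    # 2. B answers: PE2 has learnt A behind the PW, PE1 has learnt A on fei_1/1.
    local2, pws2 = red_pe2.forward_from_local("fei_2/1", host_a + host_b + b"\x08\x00")
    egress2 = pe1.receive_mpls(pws2[0], "PE2")
    # 3. A packet whose VC label nobody owns is dropped at the egress PE.
    dropped = pe2.receive_mpls(LabeledPacket(1001, 999, host_b + host_a), "PE1")
    return (local1, [(p.tunnel_label, p.vc_label) for p in pws1], egress1,
            local2, [(p.tunnel_label, p.vc_label) for p in pws2], egress2, dropped)
```

In demo() the first frame is flooded to fei_1/2 and onto the pseudo-wire as (tunnel 1001, VC 200); PE2 demultiplexes on VC 200 and floods to fei_2/1. The reply is unicast (no local flooding) because PE2 already learnt A behind the pseudo-wire, and PE1 delivers it straight to fei_1/1. The last call shows why the VC label is the instance selector: with no owner for label 999 there is nothing to forward into.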
3.4.3 ZXR10 ZSR L2TP VPN

L2TP (Layer 2 Tunneling Protocol) is an L2 tunnel protocol based upon the point-to-point protocol PPP. L2TP mainly consists of the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC, supporting client-end L2TP, is used to initiate calls, receive calls and establish tunnels; the LNS is the end of all the tunnels, terminating all PPP flows.

LAC: The L2TP Access Concentrator is a PPP-initiator system with L2TP protocol processing capability. Usually, the LAC is a network access server (NAS) for network service access.

LNS: The L2TP Network Server, the logical termination of the PPP conversation, is used on the PPP-end system to run the L2TP protocol server software.

The features of ZXR10 ZSR L2TP are:

As LAC equipment:

• Support ID verification mechanisms, e.g. CHAP and PAP
• Support Radius authentication
• Support proxy authentication and secondary authentication
• Support multiple protocol access, such as PPP access and PPPoE access.

As L2TP LNS equipment:

• Support multiple tunnels
• Support LNS redirection
• Support tunnel hello and time close-up.
• Support bandwidth control feature to provide bandwidth to each user.
• Support L2TP + IPSec
• Support remote connection from a PC using L2TP/IPsec VPN client software to set up an L2TP network.

3.4.4 ZXR10 IPSEC VPN

IPsec, a fundamental technology for IP security, creates a secure IP packet forwarding tunnel by configuring certain policies between network peer entities. Via IPsec technology, enterprises can create their Intranets and Extranets over public networks, which effectively reduces the cost of network construction and operation. In fact, IPsec has become the security standard of the IP layer.

IPsec is a complete security architecture consisting of a control protocol (IKE), data encryption and authentication protocols (AH/ESP), as well as other policy configuration protocols, etc.
According to the application, IPsec can be divided into transport mode and tunnel mode. Presently, IPsec is the optimal method to guarantee IP security. IPsec technology is mainly used to create tunnel-based VPNs (Virtual Private Networks). However, IPsec can do more than create VPNs (it also allows many applications in transport mode). Compared with other VPN solutions, an IPsec VPN has the following features:
• Data privacy protection: the IPsec sender encrypts packets before they are sent to the public network.
• Data integrity verification: the IPsec receiver verifies the authentication data of packets sent by the sender to ensure that the data was not tampered with during transmission.
• Anti data-replay: the IPsec receiver can detect and refuse replayed packets.
• Data source authentication: the IPsec receiver authenticates the source of IPsec packets. This service is based on the data integrity service.
• Automatic key management and security association management: this ensures that the company's virtual network policies can be implemented conveniently and accurately on the extended network with little or even no manual configuration.
• Network layer-based security protection: IPsec protects all data forwarded between terminal sites no matter what type of network application is used. IPsec can effectively "put" remote users virtually inside the enterprise network and give them the same authority and operating functions as users of the internal network.
• Higher security level: IPsec is an end-to-end service which places no specific requirement on the backbone network for bearing service-related functions.
IPsec requires properly installing and configuring IPsec client-side software and access equipment at the remote access user end, which greatly improves the security level because access is controlled by specific access equipment, user software, user verification mechanisms and pre-defined security rules.
• Quick response: it can respond quickly to market changes and can be deployed over any existing IP network. Users can use it at any location.

The ZXR10 ZSR series adopts kernel hardware encryption technology, which improves the system's encryption performance and provides good performance for IPsec VPN applications. IPsec VPN is implemented via the two security protocols AH (Authentication Header) and ESP (Encapsulating Security Payload). The ZXR10 ZSR router series can provide IPsec with automatic key exchange negotiation; it establishes and maintains security associations via manual key configuration or IKE (Internet Key Exchange) to simplify the usage and management of IPsec.

AH (Authentication Header) is a packet header authentication protocol. It provides data source authentication, data integrity checking and packet replay protection. AH by itself does not encrypt data packets.

ESP (Encapsulating Security Payload) provides not only authentication but also encryption. It offers authentication functions basically equivalent to those of AH and additionally encrypts the IP packet, which improves the privacy of data packets.

IKE negotiates SAs dynamically on behalf of IPsec and updates the SADB (security association database). IKE uses the two phases of ISAKMP: in the first phase, an IKE security association is established; in the second phase, this established security association is used to negotiate the specific security associations for IPsec.
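The anti-replay and integrity checks listed among the IPsec VPN features above, as an added example (Python; not code from the ZXR10 ZSR specification or ZTE's implementation). It assumes the 64-packet sliding window of the IPsec RFCs and uses HMAC-SHA-1, one of the authentication algorithms this document lists, over a constructed sequence number and payload:

```python
"""Added example (not code from the ZXR10 ZSR specification): the anti-replay
check an IPsec receiver performs per SA, as listed among the IPsec VPN features
above. ESP and AH carry a monotonically increasing sequence number; the receiver
keeps a sliding window (64 packets here) below the highest sequence number seen
and rejects packets that fall left of the window or are already marked received.
The integrity check that must precede the window update is represented by a
constructed HMAC-SHA-1 over the sample packets."""
import hashlib
import hmac

WINDOW = 64   # window size assumed here; RFC 4303 requires at least 32


class AntiReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.last_seq = 0         # highest sequence number accepted so far
        self.bitmap = 0           # bit i set  =>  last_seq - i was received

    def check(self, seq):
        """True if `seq` is acceptable (not a replay). Does not change state;
        call accept() only after the packet's integrity check succeeds."""
        if seq == 0:
            return False                           # 0 is never sent
        if seq > self.last_seq:
            return True                            # new, right of the window
        if self.last_seq - seq >= self.size:
            return False                           # too old, left of the window
        return not (self.bitmap >> (self.last_seq - seq)) & 1

    def accept(self, seq):
        """Mark `seq` received; slide the window when it advances."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def auth_tag(key, seq, payload):
    """Constructed integrity tag: HMAC-SHA-1 over sequence number and payload."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha1).digest()


def make_packet(key, seq, payload):
    """Constructed sender side: (sequence number, payload, tag)."""
    return seq, payload, auth_tag(key, seq, payload)


def receive(window, key, seq, payload, tag):
    """Receiver order for one packet: cheap window check first, then the
    integrity check, then the window update. Returns a verdict string."""
    if not window.check(seq):
        return "replay"
    if not hmac.compare_digest(auth_tag(key, seq, payload), tag):
        return "bad-auth"          # window is NOT advanced on failed authentication
    window.accept(seq)
    return "accepted"


def demo():
    """Constructed walk-through; returns the verdicts and the final window top."""
    key = b"constructed-sample-key"
    w = AntiReplayWindow()
    p1, p2 = make_packet(key, 1, b"a"), make_packet(key, 2, b"b")
    verdicts = [
        receive(w, key, *p1),                                  # accepted
        receive(w, key, *p2),                                  # accepted
        receive(w, key, *p1),                                  # replay of seq 1
        receive(w, key, 3, b"c", b"\0" * 20),                  # bad-auth, seq 3 stays unseen
        receive(w, key, *make_packet(key, 200, b"d")),         # accepted, window jumps
        receive(w, key, *make_packet(key, 100, b"e")),         # replay: left of window
        receive(w, key, *make_packet(key, 150, b"f")),         # accepted: inside window
    ]
    return verdicts, w.last_seq
```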
The final result of the IKE exchange is an authenticated key and a mutually agreed security service, called the IPsec SA (IPsec security association).

The authentication algorithms supported by the ZXR10 ZSR router series are:
1. HMAC-MD5: MD5 produces a 128-bit hash from input data of any length.
2. HMAC-SHA-1: SHA-1 produces a 160-bit hash from input data of any length less than 2^64 bits.

The encryption algorithms supported by the ZXR10 ZSR router series are:
1. DES (Data Encryption Standard): encrypts a 64-bit clear text block using a 56-bit key.
2. 3DES (Triple DES): encrypts clear text using three 56-bit DES keys.
3. AES (Advanced Encryption Standard): ZXR10 ZSR implements the AES algorithm for key lengths of 128/192/256 bits.

3.5 Security Function of ZXR10 ZSR

3.5.1 TCP monitoring and interception function

A DoS (Denial of Service) attack is a common attack method in which an illegitimate user consumes all or too much of a network resource via seemingly legitimate service requests, so that the requests and services of legitimate users cannot be satisfied; it creates network congestion or fully consumes the resources of the attacked host. Based on the consequences of typical DoS attacks, they can be divided into two types: resource depletion (grabbing and occupying resources) and resource overload (grabbing and occupying too much network bandwidth). SYN flooding is a kind of resource depletion attack. It works by creating a large quantity of half-open TCP sessions that never complete the three-way handshake.
Since the host needs to allocate a timer to monitor each TCP connection, once it encounters a SYN flooding attack it must maintain a large quantity of half-open sessions, allocating resources and timers in a short time, which makes the host unable to work normally.

TCP interception is a network security protection mechanism created to defend against SYN Flood attacks. It provides monitoring, statistics and alarm functions to ensure that the protected resource keeps working. SYN Flood is one of the most effective and common forms of DoS attack. It takes advantage of a defect in the TCP three-way handshake mechanism: a large quantity of SYN connection requests with false source addresses is sent to the targeted host in order to consume the resources of the target server.

The TCP interception module of the ZXR10 ZSR router series has two working modes: interception mode and monitoring mode. They can be freely configured by the user. The principles of the two working modes are as follows:

1. Interception mode
In interception mode, when the ZXR10 ZSR router receives a TCP connection request from the external network to the protected internal server, it saves the request instead of forwarding it to the internal server immediately. It generates a TCP connection record and responds to the TCP connection request on behalf of the protected internal server. If the request from the external host is a normal one, the host sends an acknowledgement packet after it receives the acknowledgement (SYN-ACK) packet from the ZXR10 ZSR router, completing the three-way handshake. If the request is part of a SYN attack, no acknowledgement packet is sent.
Figure 23 ZXR10 ZSR series TCP interception module working principles (1)

If the access from the external network is a normal one, the ZXR10 ZSR router reuses the saved TCP connection request and, acting on behalf of the external host, connects to the protected internal server with a three-way handshake. When the connection succeeds, the ZXR10 ZSR router still keeps the TCP connection record, but the recorded TCP state changes.

Figure 24 ZXR10 ZSR series TCP interception module working principles (2)

If the access from an external host is a SYN attack, the ZXR10 ZSR router deletes the TCP connection record if it has not received an acknowledgement packet from the external host after waiting for a while. In this way the internal server never sees the half-open TCP connections caused by SYN attack packets. The number of TCP interceptions permitted by the router is limited. If the current connections are at full load (suppose there are n sessions) and the (n+1)th TCP connection packet arrives, in normal circumstances the router refuses the connection request; when under attack, the router deletes the oldest half-open entry.

Figure 25 ZXR10 ZSR series TCP interception module working principles (3)

2. Monitoring mode
In monitoring mode, the ZXR10 ZSR router records TCP connections that meet the conditions configured by the user, recording the state of each three-way handshake. Once it finds that no acknowledgement packet arrives for a TCP connection from an external host, the ZXR10 ZSR router sends a reset packet for that TCP connection to the internal server so that the internal server does not accumulate too many half-open TCP connections waiting to be processed.
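The interception and monitoring modes just described, as an added example (Python; not code from the ZXR10 ZSR specification or ZTE's implementation). The timeout, the table size n, the addresses and the criterion for "under attack" are assumptions:

```python
"""Added example (not code from the ZXR10 ZSR specification): a simulation of
the two TCP interception working modes described above. In interception mode
the router answers SYNs on behalf of the protected server, opens the real
connection to the server only when the client's ACK arrives, expires half-open
records, and, when its record table (n entries) is full, refuses new requests
normally but evicts the oldest half-open record when under attack. In
monitoring mode it lets the SYN through, watches the handshake and sends the
server a reset for handshakes that never complete. The timeout, table size,
addresses and the attack criterion are constructed assumptions."""
from collections import OrderedDict

HALF_OPEN_TIMEOUT = 30.0   # seconds a half-open record waits for the client's ACK
TABLE_SIZE = 4             # "n" in the text: maximum number of intercepted records


class TcpIntercept:
    def __init__(self, mode, table_size=TABLE_SIZE, timeout=HALF_OPEN_TIMEOUT):
        assert mode in ("intercept", "monitor")
        self.mode = mode
        self.table_size = table_size
        self.timeout = timeout
        self.records = OrderedDict()   # client "ip:port" -> {"state", "t"}, oldest first
        self.events = []               # what the router did, for inspection

    def under_attack(self):
        # Constructed criterion: a full table consisting only of half-open records.
        return len(self.records) >= self.table_size and all(
            r["state"] == "half-open" for r in self.records.values())

    def expire(self, now):
        """Delete half-open records whose ACK never came. In intercept mode the
        server never saw them; in monitor mode it did, so it gets a reset."""
        for client, rec in list(self.records.items()):
            if rec["state"] == "half-open" and now - rec["t"] >= self.timeout:
                del self.records[client]
                action = "RST->server" if self.mode == "monitor" else "drop-half-open"
                self.events.append((action, client))

    def on_syn(self, client, now):
        """A SYN from `client` (external) towards the protected server."""
        self.expire(now)
        if len(self.records) >= self.table_size:
            if not self.under_attack():
                self.events.append(("refuse", client))
                return "refused"
            oldest = next(iter(self.records))        # (n+1)th request under attack
            del self.records[oldest]
            self.events.append(("evict-oldest", oldest))
        self.records[client] = {"state": "half-open", "t": now}
        if self.mode == "intercept":
            self.events.append(("SYN-ACK->client", client))   # answered by the router
        else:
            self.events.append(("SYN->server", client))       # passed through, watched
        return "half-open"

    def on_ack(self, client, now):
        """The client's final handshake ACK; spoofed-source SYNs never produce one."""
        rec = self.records.get(client)
        if rec is None or rec["state"] != "half-open":
            return "no-record"
        rec["state"] = "established"       # record kept, state changed (Figure 24)
        if self.mode == "intercept":
            self.events.append(("handshake->server", client))
        return "established"


def demo():
    """Constructed walk-through; returns the values the checks below use."""
    spoofed = ["198.51.100.%d:5000" % i for i in range(5)]
    legit = "203.0.113.10:4001"
    # 1. Intercept mode, normal load: one client completes its handshake; once
    #    the table is full and not every record is half-open, new SYNs are refused.
    r = TcpIntercept("intercept")
    r.on_syn(legit, 0.0)
    r.on_ack(legit, 0.1)
    results = [r.on_syn(s, 1.0 + i) for i, s in enumerate(spoofed[:4])]
    r.expire(40.0)                            # unanswered half-opens are dropped
    # 2. Intercept mode under attack: table full of half-open records, so the
    #    oldest is evicted to make room instead of refusing.
    a = TcpIntercept("intercept")
    for i, s in enumerate(spoofed[:4]):
        a.on_syn(s, float(i))
    fifth = a.on_syn(spoofed[4], 10.0)
    # 3. Monitor mode: SYNs pass through; a stalled handshake gets the server a reset.
    m = TcpIntercept("monitor")
    m.on_syn(spoofed[0], 0.0)
    m.on_syn(legit, 0.5)
    m.on_ack(legit, 0.6)
    m.expire(31.0)
    return results, sorted(r.records), fifth, a.events, m.events
```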
Figure 26 ZXR10 ZSR series TCP interception module working principles (4)

3.5.2 Aggregates-Oriented Multi-Level Anomaly Traffic Control System (A.M.A.T)

A.M.A.T provides a policy and method for routers to detect and prevent anomalous traffic from DoS attacks in a network. It uses traffic intensity aggregation and anomaly mode aggregation technologies to perform flow statistics and classification of anomalous IP streams. It has good detection efficiency and accuracy, which enables it to protect the users' network.

With the continuous development of networks, DoS attacks that aim to consume network bandwidth and resources are becoming common and cause large economic losses to users. The flood of DoS attacks in the network wastes a lot of network resources; legitimate users cannot access normal services and even the whole system may break down. A.M.A.T uses a technology different from traditional network security: it is implemented on the routers by detecting and filtering the three kinds of attack packets used in DoS attacks, TCP, UDP and ICMP. It can also flexibly control mutant TCP, UDP and ICMP attacks and effectively protect users from the malicious traffic.

Aiming to improve the security capability of the data network and routers, A.M.A.T technology analyses the pattern of network traffic and implements anomalous traffic capture, analysis and filtering policy on the routers. A.M.A.T uses a real-time analysis strategy: the foreground collects the packets and directly analyses the data traffic intensity aggregate and anomaly mode aggregate. This multi-level aggregate stream analysis strategy, based on the target IP address, further identifies the aggregates carrying attack traffic.
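The per-target-IP aggregation and CUSUM-based identification that the sub-system descriptions below attribute to A.M.A.T, as an added example (Python; not code from the ZXR10 ZSR specification or ZTE's implementation). The history length, drift, threshold and sample traffic are assumptions:

```python
"""Added example (not code from the ZXR10 ZSR specification): the target-IP
aggregation plus CUSUM change detection that the anomaly traffic identification
sub-system of A.M.A.T is described as using. Sampled packets are counted per
(protocol, destination IP) aggregate for each sampling interval; a one-sided
CUSUM statistic per aggregate accumulates how far each interval's count exceeds
the baseline learned from a short history table. A lone burst barely moves the
statistic (anti-jitter), a sustained flood pushes it over the threshold, and
the aggregate is then handed to classification and filtering. Sample packets,
history length, drift and threshold are constructed values."""
from collections import Counter, defaultdict


class CusumDetector:
    def __init__(self, history_len=4, drift=1.0, threshold=5.0):
        self.history_len = history_len      # intervals kept in the history table
        self.drift = drift                  # k: slack (in std devs) before accumulating
        self.threshold = threshold          # h: alarm once the accumulated excess exceeds it
        self.history = defaultdict(list)    # aggregate -> recent per-interval counts
        self.cusum = defaultdict(float)     # aggregate -> S_t
        self.alarms = set()

    @staticmethod
    def aggregate_counts(packets):
        """Traffic intensity aggregation: packets are (interval, protocol, dst_ip)
        tuples; returns {interval: Counter{(protocol, dst_ip): count}}."""
        per_interval = defaultdict(Counter)
        for interval, proto, dst in packets:
            per_interval[interval][(proto, dst)] += 1
        return per_interval

    def update(self, counts):
        """Feed one interval's counts; returns the aggregates that newly alarmed.
        S_t = max(0, S_{t-1} + (x_t - mean)/std - k); alarm when S_t > h."""
        new_alarms = set()
        for agg in set(counts) | set(self.history):
            x = counts.get(agg, 0)
            hist = self.history[agg]
            if len(hist) >= self.history_len:       # baseline available
                mean = sum(hist) / len(hist)
                std = (sum((v - mean) ** 2 for v in hist) / len(hist)) ** 0.5 or 1.0
                self.cusum[agg] = max(0.0, self.cusum[agg] + (x - mean) / std - self.drift)
                if self.cusum[agg] > self.threshold and agg not in self.alarms:
                    self.alarms.add(agg)
                    new_alarms.add(agg)
            if agg not in self.alarms:      # never let flagged traffic poison the baseline
                hist.append(x)
                del hist[:-self.history_len]
        return new_alarms


def demo():
    """Constructed sample: a web server receiving about 10 TCP packets per
    interval and a DNS server 5 UDP packets, then a TCP flood on the web server
    from interval 5 on. Returns {aggregate: interval at which it was flagged}."""
    tcp_counts = [10, 12, 9, 11, 14, 60, 80, 100]   # interval 4 is a benign burst
    packets = []
    for t, n in enumerate(tcp_counts):
        packets += [(t, "tcp", "192.0.2.10")] * n
        packets += [(t, "udp", "192.0.2.20")] * 5
    det = CusumDetector()
    flagged = {}
    for t, counts in sorted(det.aggregate_counts(packets).items()):
        for agg in det.update(counts):
            flagged[agg] = t
    return flagged
```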
It directly filters attack traffic on the routers, effectively reduces the bandwidth wasted by attack traffic, improves the utilization of the routers and network bandwidth, and protects the users' network.

The A.M.A.T system can be divided into three sub-systems: anomaly traffic identification, automatic generation of anomaly traffic classification rules, and implementation of anomaly traffic matching and rejecting. The structure is shown in the following figure:

Figure 27 A.M.A.T system principles

1. Anomaly traffic identification
This sub-system samples packets for different environments and performs address aggregation via the traffic intensity aggregate, an enhancement algorithm and the CUSUM algorithm. It uses an advanced identification algorithm and a history information table to increase the accuracy of attack identification, and at the same time uses an anti-jitter algorithm together with the address aggregation algorithm. It uses accumulated values to judge anomalies, which improves its ability to identify impulse attacks.

2. Anomaly traffic classification
This sub-system mainly includes the aggregate mode design, the anomaly mode aggregation algorithm, packet categorizing, and a hash-based data management algorithm. Based on the statistical pattern of each protocol, multiple aggregate modes are provided for anomaly traffic classification. Because the method is based on statistical patterns, it has good resistance to various kinds of attacks. In fact, aggregating each protocol separately creates a separation between protocols, so that an attack against one protocol does not affect the traffic of other protocols. Several different classification modes are provided for TCP, UDP and ICMP packets.
3. Anomaly traffic matching and rejecting
In the "anomaly traffic classification" module, the attacker's IP addresses are aggregated via the anomaly mode and the packets from those addresses are counted; the A.M.A.T rule is derived from this analysis, and traffic is matched or rejected based on these rules. An A.M.A.T rule is a dynamic rule whose results are continuously self-updated by the system to filter the anomalous traffic well. For anomalous traffic that cannot form an effective rule, the system limits the rate of the attack traffic.

4 OPERATION, ADMINISTRATION AND MAINTENANCE (OAM)

4.1 Overview

As a telecom-class high-end router, the ZXR10 ZSR supports complete OAM features, which are implemented via the operation and NM module. The operation and NM module of the ZXR10 ZSR consists of the operation and maintenance, SNMP, alarm statistics and database subsystems. The database, as part of the operation and NM module, provides storage for data from the other subsystems; it also enables active/standby data synchronization and data management.

This chapter introduces the OAM functions implemented on the ZXR10 ZSR as a managed object in the network management system. The OAM functions include the Simple Network Management Protocol (SNMP), fault diagnosis, log management, unified NM, and alarm management.

4.2 Simple Network Management Protocol (SNMP)

SNMP (Simple Network Management Protocol) is an application-layer protocol used to exchange management information between network devices. It is part of the TCP/IP protocol suite and is used to ensure the normal operation of network protocols and devices. It enables the administrator to detect network problems and make adjustments according to the commands exchanged between the client terminal and the server. SNMP runs on top of UDP.
The network management model of SNMP comprises four key elements:
1. Management workstation
2. Management agent
3. Management information base
4. Network management protocol

The following figure shows the relationship among the four elements.

Figure 28 Management Model of the SNMP

SNMP does not provide any network information or allow modification of network device configurations without some kind of security. The SNMP agent on the network device requires the SNMP management workstation to send a special community password together with each message, so that the agent can authenticate whether the workstation is authorized to access the MIB information. Such a password is called the SNMP community. Some SNMP agents can use communities with different security levels. For example, the management agent can define a community name that the workstation uses to send Get-Request and Get-Next-Request messages and access read-only MIB information. At the same time, the management agent can define another community name that the management workstation uses to send Get-Request, Get-Next-Request and Set-Request messages and access MIB information requiring read and write authority. This way of defining SNMP community names can further improve the security of SNMP operations.

4.3 SNMP MIB (Management Information Base)

A MIB is a set of information organized in a hierarchical structure. Network management protocols (such as SNMP) are used to access the MIB. The MIB consists of managed objects identified by object identifiers. The information described in the SNMP MIB is of 8 types:
1. System: describes the host or router operating system; it includes information such as the boot time of the server, a description of the running equipment, the equipment location and the contact person.
2. Interface: describes each network interface. Items include the MTU size, transmission rate, number of packets discarded for various reasons, number of transmitted and received bytes, interface type and interface description.
3. Address Translation: contains a table used to translate IP addresses to physical addresses.
4. IP: describes Internet Protocol related information. Maintained information includes the default time-to-live value of IP packets, the number of discarded packets, the number of re-assembled packets, and the routing table.
5. ICMP: describes information related to the ICMP protocol; it contains various counters that track the number of control messages sent by ICMP.
6. TCP: contains items including the time-out value, number of connections, current send and receive connection window pointers, maximum number of parallel connections, source and destination IP addresses using TCP, and failed connection attempts.
7. UDP: contains items including the number of sent, discarded or received datagrams, and the IP addresses using the UDP entity.
8. EGP: this protocol is adopted to exchange information between two autonomous networks on the Internet. Similar to the other types, this MIB maintains counters that record the number of sent and received EGP messages.

4.4 Remote Network Monitoring (RMON)

RMON (Remote Network Monitoring) can monitor information such as the overall traffic of Ethernet and token ring networks. RMON is an important enhancement of SNMP. In the RFCs, RMON is a MIB definition (RFC1757), and the defined MIB has been further enhanced to MIB-II. In this way, the overall traffic information of each specified sub-network can be obtained. The ZXR10 RMON function module implements all functions of the nine groups defined by RFC1757.
By properly configuring the related functions, it helps network administrators master and analyze the running status of the network and learn about network alarms in time so as to maintain the network better.

ZXR10 ZSR RMON includes the following system-level functions:
1. Statistics configuration: monitors basic traffic information of a specified sub-network. The traffic information covers traffic in the sub-network from start-up to the time of query.
2. History configuration: records traffic information of a specified sub-network during a specified period. Generally, in one sub-network, a history function with a short sampling period can be configured to observe burst traffic changes, and a history function with a long sampling period can be configured to observe the long-term traffic state of the sub-network.
3. Alarm configuration: together with the corresponding event function, the changes of specific variables can be observed. For example, if an alarm item is configured, an alarm is generated when more than 500 CRC errors (i.e. the threshold is 500) occur in 5 minutes. If the corresponding event action is configured as sending a trap, a trap is sent to the trap server when the above situation occurs.
4. Host statistics configuration: collects basic traffic information on each host in the specified sub-network.
5. HostTopN configuration: when the corresponding host statistics function is activated, the top N hosts ranked by a certain traffic variable over a period of time can be observed.
6. Host Matrix statistics configuration: records traffic information between every pair of hosts in the specified sub-network.
7. Filter configuration: observes selected packets on a specified interface or sub-network. The filtering function consists of two parts: filtering logic definition and filtering channel definition.
Filtering includes data filtering and state filtering, whose logic is the same: packet filtering. A channel comprises a set of filter definitions and the corresponding handling (such as counting, generating an event, etc.) applied by the channel when packets pass through it.
8. Capture configuration: buffers packets that meet the filtering requirements so that they can be analyzed in detail.
9. Event configuration: records and/or sends traps for alarm information so that the network administrator learns about the system situation in time.

4.5 Statistics and Alarm Management Function

The statistics and alarm management system informs network administrators about network and equipment operation. It provides the following information:
1. Collected traffic data for network traffic analysis
2. Detailed log files
3. Various configuration and operation information

The system can save real-time statistics and alarm information. When the router fails, the cause can be found and the problem solved quickly. For warning alarms, according to the administrator's requirements and working with the diagnosis and testing program, it can diagnose failed alarm spots, run tests and record the test results for the administrator's reference.

4.6 Log Management Function

Log management mainly records the configuration commands executed on the router by users who log on to it. It facilitates querying the history of configuration commands on the router. This function helps analyze the causes of router faults and supports system security.

In addition to recording configuration commands, the operation log module of the ZXR10 ZSR also manages operation logs: it provides users with a log addition function and enables record query and storage by user name, time, log terminal number and log address.
The addition function means that the system guarantees the addition whenever a user wants to add an operation log. A key point of this function is that when the memory buffer is full, the system actively releases some space to ensure that the current log can be added.

The log query function is used when the administrator wants to trace the system's operations and configurations. It enables fuzzy search on operation logs and returns the results to the administrator.

The storage function stores the users' configuration information and loads the previous configuration into the system after a restart; in this way the continuity of configuration is maintained.

For errors, the operation log module adopts a simple discarding mode. As the operation log module only stores the operation log information specified by the user, and the user is not concerned with the storage result, the operation log module does not return error handling information to the user but simply discards the current error.

In terms of testability, as the operation log module exists in the system as a unit, basic unit testing methods can be adopted in the testability design, including module interface tests and module boundary condition tests. In specific applications, the program schedules the operation module to run tests on the operation log module.

The operation log module does not guarantee the correctness of the contents; it only ensures that the users' configuration information is saved completely, without verifying the information contents. This reduces the operational coupling of the system so that the system stays loosely coupled, and the security and scalability of the system can be guaranteed.

4.7 Unified NM Function

The unified NM function gathers all ZTE data products under the management of a unified NM platform.
This function is implemented via the foreground software module of the data products and the background unified NM platform software (NetNumen).

4.7.1 Foreground Software Module

The unified NM foreground software module of the ZXR10 ZSR is a sub-module of the OAM module. It obtains router configuration information via SNMP. Through this module the system can learn the network module operation state, router resource usage, router operation alarm information, and router environment information. Via private MIB files, the module provides a unified NM software interface to the background, through which the background unified NM platform software can manage multiple routers, obtain information or set commands. The unified NM foreground software module provides two normalized interfaces: the SNMP operational interface and the SNMP-TRAP operational interface.

4.7.2 Background Unified NM Platform (NetNumen)

The ZTE NetNumen N31 data product NMS is a highly customizable, telecom-class, cross-platform management platform. It is designed bottom-up, providing the carrier with a scalable and high-performance NMS that keeps pace with network development and supports the needs of each operation system and platform. It provides a cross-platform, web-based development platform for NM application programs, the necessary infrastructure, and a whole set of Java-based cross-platform development tools, frameworks, modules and cross-platform APIs (programming interfaces). The NetNumen system caters to various user requirements: telecom carriers and equipment manufacturers can establish the NE and NMS; service providers can set up network management and operation support systems (OSS); enterprises and independent software vendors (ISV) can set up application programs to manage solutions.
The NetNumen system manages IP equipment on the backbone, convergence and access layers; it manages ZTE's access servers, multi-service routing switches, routers, soft switching systems and IP telephone systems. The system covers the four layers of the TMN management hierarchy: the NE layer, NE management layer, NM layer and service management layer.

The NetNumen system integrates various advanced technologies such as Java Beans, JFC, XML, JMX, HTTP, JSP, JDBC, CORBA, SNMP and TL1; it establishes convenient Web-based NM solutions and provides a safe and convenient information access mode. The system supports the Solaris and Windows NT/2000 operating systems. Functions enabled in the system include security management, network view, network resource base, network events, alarms, MIB browsing, performance management, rack diagram, user log, strategy and operation log.

Note: The NetNumen data product NMS is an independent product and is optional for the contract. For a detailed introduction to the product, please refer to the "NetNumen Data Product Integrated Network Management System---Technical Manual", "NetNumen System Installation Manual", and "Netnumen_ZXR10 Operation and Maintenance Manual".

5 TYPICAL NETWORKING APPLICATION

5.1 ISP private line access from large enterprises

Figure 29 Private line access from large enterprise

As access-layer equipment, the ZXR10 ZSR has various interfaces and supports various link-layer protocols. The channelized/non-channelized E1 interface can implement N*E1 private line connections and, together with channelized POS3, provides a good private line access platform for ISPs.
5.2 ISP access from residential broadband areas

Figure 30 Access from residential broadband areas

As the aggregation router of broadband residential areas, the ZXR10 ZSR provides high-density FE interfaces and at the same time provides a GE interface as the uplink. Together with the ZTE Ethernet switch series it creates a broadband residential area solution.

5.3 Private networks such as large enterprise/government information networks and data communications networks (DCN)

Figure 31 Large enterprise/government information network and DCN

With its various interfaces, several ZXR10 ZSR routers can be used to build private networks such as large enterprise/government information networks and data communications networks (DCN) via DDN private lines with dial-up connections.

5.4 L2TP function application

ZXR10 ZSR products support L2TP networking solutions deployed not only by carriers but also by enterprises. They also support the L2TP+IPsec networking solution.

5.4.1 L2TP networking solution deployed by carriers

VPDN private line access network connections deployed by carriers generally adopt the two-level hierarchy "enterprise – metro-level aggregation – province-level aggregation", in which enterprise users access the local network and are then connected to the provincial backbone network after aggregation, as shown in the following figure:

Figure 32 Topology figure for L2TP deployed by carriers

ZTE data products can provide complete solutions for carriers' L2TP networks, including enterprise VPDN gateway products, VPDN aggregation/access routers of various levels, and core routers and switches. ZTE data products support various kinds of authentication and charging services.
5.4.2 L2TP networking solution deployed by enterprises

With the improvement of enterprise users' network security awareness, some large enterprises adopt the solution of deploying an L2TP network by themselves. Many kinds of L2TP VPN client software exist that can be installed on a PC. For example, Microsoft provides L2TP/IPsec VPN client software for free for its existing operating system platforms. ZTE data products can implement the L2TP network solution in cooperation with the related L2TP/IPsec VPN client software.

Figure 33 Topology figure for L2TP deployed by enterprises

6 APPENDIX-ABBREVIATIONS

Abbr.    Full name
ABR      Area Border Router
ARP      Address Resolution Protocol
AS       Autonomous System
ASBR     Autonomous System Border Router
ASN      Abstract Syntax Notation
BIC      Bridge interface & Alarm monitor card
BGP      Border Gateway Protocol
BTSR     Back plane for Terabit Switch Router
BTSRD    Back plane for Terabit Switch Router D
CE1      Channelized E1
CHAP     Challenge Handshake Authentication Protocol
CIDR     Classless Inter-Domain Routing
COS      Class of Service
CRC      Cyclic Redundancy Check
CSN      Cryptographic Sequence Number
DDN      Digital Data Network
DNS      Domain Name System
EBGP     External Border Gateway Protocol
EGP      Exterior Gateway Protocol
FDDI     Fiber Distributed Data Interface
SFEC     Fast Ethernet Electric Card
SFEO     Fast Ethernet Optical Card
FIFO     First In and First Out
FPGA     Field Programmable Gate Array
FTP      File Transfer Protocol
HDLC     High-Level Data Link Control
ICMP     Internet Control Message Protocol
IETF     Internet Engineering Task Force
IGMP     Internet Group Management Protocol
IGP      Interior Gateway Protocol
IP       Internet Protocol
IS-IS    Intermediate System-to-Intermediate System
LAN      Local Area Network
LSA      Link State Advertisement
MAC      Media Access Control
MD5      Message Digest 5
MIB      Management Information Base
MTU      Maximum Transmission Unit
NIC      Network Information Unit
NLRI     Network Layer Reachability Information
NMS      Network Management System
NP       Network Processing
OID      Object ID
OSI      Open Systems Interconnection
OSPF     Open Shortest Path First
PAP      Password Authentication Protocol
PCB      Process Control Block
POS      Packet over SDH
PPP      Point-to-Point Protocol
PRT      Process Registry Table
QOS      Quality of Service
RFC      Request For Comments
RARP     Reverse Address Resolution Protocol
RIP      Routing Information Protocol
RLE      Route lookup engine
RMON     Remote Monitoring
SDH      Synchronous Digital Hierarchy
SFC      Switch Fabric Card
SGE      Gbit Ethernet Electric Card
SCE1     Channelized E1 interface Card
SCE3     Channelized E3/T3 interface Card
SP3      OC-3c/STM-1c POS155 Interface Card
SP12     OC-12c POS Interface Card for SFP
SP48     OC-48c/STM-16c POS Interface Card
SMTP     Simple Mail Transfer Protocol
SNMP     Simple Network Management Protocol
TCP      Transmission Control Protocol
TFTP     Trivial File Transfer Protocol
TOS      Type Of Service
TELNET   Telecommunication Network Protocol
TTL      Time-To-Live
UDP      User Datagram Protocol
UPC      Ultra Protocol processor control card
VLSM     Variable Length Subnet Mask
WAN      Wide Area Network
WWW      World Wide Web