Product Description - LANTEL · Product Description Issue 02 ... Huawei has developed the Quidway...

Quidway S9300 Terabit Routing SwitchV100R006C01

Product Description

Issue 02

Date 2012-04-30

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2012. All rights reserved.No part of this document may be reproduced or transmitted in any form or by any means without prior writtenconsent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respective holders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei and thecustomer. All or part of the products, services and features described in this document may not be within thepurchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,and recommendations in this document are provided "AS IS" without warranties, guarantees or representationsof any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.Address: Huawei Industrial Base

Bantian, LonggangShenzhen 518129People's Republic of China

Website: http://www.huawei.com

Email: [email protected]

Issue 02 (2012-04-30) Huawei Proprietary and ConfidentialCopyright © Huawei Technologies Co., Ltd.

i

http://www.huawei.com

mailto:[email protected]

About This Document

PurposeThis document describes the product positioning and features, product architecture, link features,service features, application scenarios, operation and maintenance, and technical specificationsof the Quidway S9300 Terabit Routing Switch .

This document provides an overall description of the Quidway S9300 Terabit RoutingSwitch , which helps intended readers get a general understanding of all the product features.

Intended AudienceThis document is intended for:

l Network planning engineers

l Hardware installation engineers

l Commissioning engineers

l Data configuration engineers

l On-site maintenance engineers

l Network monitoring engineers

l System maintenance engineers

Symbol ConventionsThe symbols that may be found in this document are defined as follows.

Symbol Description

DANGERIndicates a hazard with a high level of risk, which if notavoided, will result in death or serious injury.

WARNINGIndicates a hazard with a medium or low level of risk, whichif not avoided, could result in minor or moderate injury.

Quidway S9300 Terabit Routing SwitchProduct Description About This Document


ii

Symbol Description

CAUTIONIndicates a potentially hazardous situation, which if notavoided, could result in equipment damage, data loss,performance degradation, or unexpected results.

TIP Indicates a tip that may help you solve a problem or savetime.

NOTE Provides additional information to emphasize or supplementimportant points of the main text.

Change HistoryUpdates between document issues are cumulative. Therefore, the latest document issue containsall updates made in previous issues.

Changes in Issue 02 (2012-04-30)Based on issue 01 (2011-10-26), the document is updated as follows:

The following information is modified:l Some contents are optimized.

Changes in Issue 01 (2011-10-26)This is the first release.

Quidway S9300 Terabit Routing SwitchProduct Description About This Document


iii

Contents

About This Document.....................................................................................................................ii

1 Introduction....................................................................................................................................11.1 System Overview................................................................................................................................................21.2 System Features..................................................................................................................................................2

2 Architecture....................................................................................................................................82.1 S9300 Series System Structure...........................................................................................................................9

2.1.1 S9303.........................................................................................................................................................92.1.2 S9306.......................................................................................................................................................112.1.3 S9312.......................................................................................................................................................13

2.2 Hardware Layout..............................................................................................................................................152.2.1 Backplane................................................................................................................................................172.2.2 SRU.........................................................................................................................................................172.2.3 MCU........................................................................................................................................................172.2.4 CMU........................................................................................................................................................182.2.5 LPU..........................................................................................................................................................182.2.6 FSU..........................................................................................................................................................202.2.7 VSU.........................................................................................................................................................202.2.8 SPU..........................................................................................................................................................21

2.3 Software Architecture.......................................................................................................................................21

3 Service Features...........................................................................................................................233.1 Ethernet.............................................................................................................................................................25

3.1.1 VLAN Aggregation.................................................................................................................................253.1.2 VLAN Mapping.......................................................................................................................................253.1.3 Selective QinQ.........................................................................................................................................263.1.4 Layer 2 Protocol Transparent Transmission............................................................................................26

3.2 IP Features........................................................................................................................................................263.2.1 IPv4/IPv6 Protocol Stack.........................................................................................................................263.2.2 IPv4 Features...........................................................................................................................................273.2.3 IPv6 Features...........................................................................................................................................273.2.4 IPv4/IPv6 Transition Technologies.........................................................................................................283.2.5 IP Session................................................................................................................................................30

3.3 Multicast...........................................................................................................................................................30

Quidway S9300 Terabit Routing SwitchProduct Description Contents


iv

3.3.1 Multicast Routing Protocol......................................................................................................................303.3.2 IGMP Snooping.......................................................................................................................................313.3.3 Static Multicast........................................................................................................................................323.3.4 Multicast VLAN and Multicast Replication............................................................................................32

3.4 QoS...................................................................................................................................................................323.4.1 Hierarchical Traffic Policing...................................................................................................................333.4.2 Flow Control............................................................................................................................................333.4.3 Re-marking..............................................................................................................................................333.4.4 Queue Scheduling....................................................................................................................................333.4.5 Congestion Avoidance.............................................................................................................................343.4.6 Traffic Shaping........................................................................................................................................34

3.5 Reliability.........................................................................................................................................................343.5.1 Link Aggregation.....................................................................................................................................343.5.2 DLDP.......................................................................................................................................................343.5.3 RRPP and Multi-Instance Technology....................................................................................................353.5.4 Smart Link and Multi-Instance Technology............................................................................................353.5.5 Ethernet OAM.........................................................................................................................................363.5.6 BFD.........................................................................................................................................................363.5.7 LSP Protection Switchover......................................................................................................................363.5.8 Equipment Level Reliability....................................................................................................................36

3.6 Security.............................................................................................................................................................393.6.1 Device Security........................................................................................................................................393.6.2 Service Security.......................................................................................................................................40

3.7 Network Management Features........................................................................................................................423.7.1 LLDP.......................................................................................................................................................423.7.2 NetStream................................................................................................................................................42

3.8 Clock.................................................................................................................................................................443.9 PoE....................................................................................................................................................................443.10 Enterprise Network Features..........................................................................................................................45

3.10.1 NAC.......................................................................................................................................................453.10.2 Firewall..................................................................................................................................................463.10.3 NAT.......................................................................................................................................................473.10.4 Load Balancing......................................................................................................................................473.10.5 WLAN AC.............................................................................................................................................48

3.11 MPLS..............................................................................................................................................................503.11.1 Basic MPLS Functions..........................................................................................................................503.11.2 MPLS TE...............................................................................................................................................503.11.3 MPLS OAM..........................................................................................................................................513.11.4 VLL.......................................................................................................................................................513.11.5 VPLS.....................................................................................................................................................523.11.6 HVPLS...................................................................................................................................................523.11.7 MPLS L3VPN.......................................................................................................................................53



v

4 Application Scenarios.................................................................................................................544.1 Overview..........................................................................................................................................................564.2 MPLS L2VPN..................................................................................................................................................564.3 Dual-homing Protection Using HVPLS...........................................................................................................58

4.3.1 UPE+NPE Network Architecture............................................................................................................594.3.2 UPE+PE-AGG+NPE Network Architecture...........................................................................................59

4.4 RRPP................................................................................................................................................................604.5 Smart Link in Dual-Homing Networking.........................................................................................................624.6 Ethernet OAM..................................................................................................................................................624.7 QoS...................................................................................................................................................................634.8 Selective QinQ..................................................................................................................................................644.9 IPTV Service....................................................................................................................................................65

4.9.1 IPTV Networking....................................................................................................................................654.9.2 IPTV Service Protection..........................................................................................................................67

4.10 NAC................................................................................................................................................................684.11 Firewall...........................................................................................................................................................684.12 Application of the WLAN AC........................................................................................................................71

5 Operation and Maintenance......................................................................................................755.1 Maintenance and Management.........................................................................................................................76

5.1.1 Configuration Modes...............................................................................................................................765.1.2 Management and Monitoring..................................................................................................................765.1.3 Diagnosis and Debugging........................................................................................................................775.1.4 In-Service Software Upgrade and Patching.............................................................................................78

5.2 NMS..................................................................................................................................................................79

6 Technical Specifications.............................................................................................................816.1 Physical Specifications.....................................................................................................................................826.2 System Configuration.......................................................................................................................................836.3 Performance and Capacity................................................................................................................................846.4 List of Software Features..................................................................................................................................89



vi

1 Introduction

About This Chapter

This section describes the features and position of the S9300 series switches.

1.1 System OverviewWith the growing demand for IP-based triple play services, Metropolitan Area Networks(MANs) must meet increasingly higher transmission quality and quantity requirements. In viewof such demand, Huawei has developed the Quidway S9300 Terabit Routing Switch (S9300 forshort), a high-end network device.

1.2 System FeaturesThe S9300 series switches provide high-density Ethernet interfaces. This section describes theircapabilities, features and reliability.

Quidway S9300 Terabit Routing SwitchProduct Description 1 Introduction


1

1.1 System OverviewWith the growing demand for IP-based triple play services, Metropolitan Area Networks(MANs) must meet increasingly higher transmission quality and quantity requirements. In viewof such demand, Huawei has developed the Quidway S9300 Terabit Routing Switch (S9300 forshort), a high-end network device.

The S9300 is mainly used to access, converge, and transmit services across a MAN. As an accessand convergence device, the S9300 provides Fast Ethernet (FE), Gigabit Ethernet (GE), and10GE interfaces that transmit services at line speed.The S9300 can be deployed in enterprisenetworks and data centers, providing high-density interfaces and rich value-added service (VAS)capabilities.

The S9300 comes in three different models: S9303, S9306, and S9312. The S9303 supports amaximum of three line processing units (LPUs); the S9306 supports a maximum of six LPUs;the S9312 supports a maximum of 12 LPUs.

The S9300 operates on Huawei's Versatile Routing Platform (VRP) operating system and useshardware-based forwarding and non-blocking data switching technology. The S9300 featurescarrier-class reliability, line-speed forwarding capability, Quality of Service (QoS), serviceprocessing capabilities, and is highly extensible. The S9300 provides rich enterprise networkfeatures, including firewall, Network Address Translation (NAT), network traffic analysis,IPSec VPN, and load balancing, meeting the requirements of various services on enterprisenetworks.

NOTE

The release in Russia does not provide IPSec VPN.

In addition, the S9300 has versatile network access capabilities in Layer 2 switching andMultiProtocol Label Switching (EoMPLS) Ethernet transmission services. The S9300 alsosupports rich IP services and provides broadband access, triple play, IP leased line, and VirtualPrivate Network (VPN) services. The S9300 can also work in conjunction with S series switches,NE80E, NE40E, ME60, and MA5200G developed by Huawei to set up hierarchical metroEthernets.

1.2 System FeaturesThe S9300 series switches provide high-density Ethernet interfaces. This section describes theircapabilities, features and reliability.

ExtensibilitySystem extensibility includes:

l Service extensibility: The SRU supports FSUA, which can meet future service developmentrequirements.

l Power supply: Currently, the maximum AC power supply module is 800 W and themaximum DC power supply module is 1600 W. The AC power supply module supports 1+1 or 2+2 redundancy. The DC power supply module only supports 1+1 redundancy.Two types of PoE power supply modules are available: 800 W and 2200 W. PoE powersupply modules can work independently, or in 3+1 or 2+2 redundancy mode.



2

Powerful Forwarding CapabilitiesOn the S9300, the hardware carries out two-level packet replication when forwarding multicastpackets. That is, the SFU replicates multicast packets to the LPU, and the LPU's forwardingengine replicates the multicast packets to its interfaces.

Table 1-1 System specifications

Systemspecifications

S9312 S9306 S9303

Switchingcapacity

2 Tbit/s 2 Tbit/s 720 Gbit/s

Backplanecapacity

12 Tbit/s 6 Tbit/s 3 Tbit/s

Forwardingcapacity

1344 Mpps 1152 Mpps 540 Mpps

Functions and Featuresl The S9300 provides the following Layer 2 service features:

– VLAN– Generic Attribute Registration Protocol (GARP)/Generic VLAN Registration Protocol

(GVRP)– Selective QinQ– RRPP– Smart Ethernet Protection (SEP)– Smart Link– STP, RSTP, and MSTP– Link aggregation– DHCP snooping– IGMP snooping– IPV6 ND snooping– MLDv1/v2 snooping– Ethernet OAM

l The S9300 provides the following IP services:– IPv4 unicast routing protocols, including Routing Information Protocol (RIP), Open

Shortest Path First (OSPFv2), Intermediate System-to-Intermediate System (IS-IS),Border Gateway Protocol (BGP), and Multiprotocol Border Gateway Protocol (MBGP)

– IPv6 unicast routing protocols, including RIPng, OSPFv3, ISISv6, and BGP+– Multicast routing protocols, including IGMP, MLD, Multicast Source Discovery

Protocol (MSDP), multicast VLAN, PIM-DM, PIM-SM, and PIM-SSM– VRRP– DHCP relay, DHCP server, and Option82



3

– Distributed and integrated NetStreaml The S9300 provides the following MPLS services:

– MPLS forwarding– LDP– MPLS-TE– MPLS-OAM

l The S9300 provides the following VPN services:– VPLS– VLL– BGP/MPLS IP VPN

l The S9300 provides the following mobile services:– Stratum-3 clock– Ethernet clock synchronization– 1588v2

l The S9300 provides the following intranet features:– The S9300, which functions as the network access device (NAD), supports Web

authentication, 802.1x authentication, and MAC address authentication.– PoE– Service distribution

l Firewall/NATl Load balancingl IPSec VPN

NOTE


l Wireless Local Area Network Access Controller (WLAN AC)

Security DesignThe S9300 uses a distributed structure, guaranteeing the separation between the data plane andthe control plane. This provides users with industry-grade security performance.

The S9300 provides the following security features:

l Three user authentication modes: local authentication, Remote Authentication Dial in UserService (RADIUS) authentication, and Huawei Terminal Access Controller Access ControlSystem (HWTACACS) authentication.

l Hardware-based packet filtering and sampling, which guarantees high performance andhigh scalability

l Multiple authentication methods including plain text authentication and Message Digest 5(MD5) for upper-layer routing protocols such as OSPF, IS-IS, RIP, and BGP-4

l ACL on forwarding plane and control planel Anti-attack features: The S9300's blacklist and CAR functions limit which packets can be

sent to the CPU.l Port security



4

l URPF

l DHCP snooping and DHCP snooping over VPLS

l MAC limit and MAC Forced Forwarding (MFF)

l IP source trail, ARP attack defense, ICMP attack defense, and broadcast traffic suppression

l Blacklist and attack trace: The S9300 filters out blacklisted user traffic and displaysattackers' physical interfaces and VLAN IDs.

l Whitelist: The S9300 uses a user whitelist to provide a high-priority channel for protocolpackets transmitted to the CPU.

Carrier-Class Reliability

Using a single monitoring unit, the S9300 manages and maintains the entire system. Themonitoring unit manages, monitors, and maintains the boards, fans, and power modules.

The S9300 complies with Electro Magnetic Compatibility (EMC) standards, and the S9300'smodular design implements electromagnetic shield between boards.

The S9300 meets carrier-class and high-end device reliability requirements. The S9300 providesthe following reliability features outlined in Table 1-2.

Table 1-2 Carrier-class reliability features

Item Description

Systemprotection

The boards, power modules, and fans are hot swappable.

The monitoring unit is totally independently from the service system.

The system can operate normally for 96 hours after a single fan fails.

The MPUs work in 1+1 backup mode.

The AC power modules work in 1+1 or 2+2 backup mode.The DC power modules work in 1+1 backup mode.

Key components such as the clocks and management buses work in backupmode.

Protectionagainst systemabnormalities

The system can restart automatically and recover datawhen abnormalities occur.

The system resets boards when abnormalities occur andresumes the boards' work.

The system automatically restores interfaceconfigurations.

The system provides protection against over-current and over-voltage forpower modules and interfaces.

The system provides protection against mis-insertion of boards.

Power alarmmonitoring

The system provides alarm prompt, alarm indication,running status query, and alarm status query.



5

Item Description

Voltage andenvironmenttemperaturemonitoring

Reliabilitydesign

The system uses distributed hardware-based forwarding.

The control channel is independent from the service channel, ensuring a non-blocking control channel.

The system features system and board fault detection, alarm indicators, andan NMS.

Upgradability

The system supports in-service patching.

The system supports version rollback.

The system supports online BootROM upgrade.

The system supports Error Checking and Correction (ECC) Random AccessMemory (RAM).

Faulttolerance

Data backup The system supports hot backup of data between activeand standby units. When the active unit fails, the standbyunit automatically takes over data transmission duties toprevent data loss.

Synchronization configuration

The system supports synchronization between MPUs andLPUs.

The system can automatically select and boot applications.

The system supports automatic BootROM upgrade and restoration.

The system can back up configuration files to a remote FTP server.

The system can automatically select and run configuration files.

The system provides abnormality monitoring for the system software,automatic restoration, and log recording.

Operationalsecurity

The system provides password protection for system operations.

The system provides hierarchical command protection using configurationof user login and command levels.

The system can lock the terminal using the command line to prevent illegaluse.

The system provides operation and confirmation prompts for somecommands that may have a negative impact on system performance.

Operationsandmaintenancecenter

The system uses Huawei's generic integrated Network Management Systemplatform.



6

Easy MaintenanceThe S9300 provides the following maintenance features:

l The S9300 supports Ethernet OAM, providing point-to-point Ethernet fault managementwithin the first mile of the directly connected user side Ethernet link. The S9300 supportsautomatic neighbor discovery, link fault monitoring, remote fault notification, and remoteloopback configuration as defined in IEEE 802.3ah, and Connectivity Check (CC) faultdetection, MAC Ping, and MAC Trace as defined in IEEE 802.1ag. The S9300 also supportsY.1731 delay and jitter measurements.

l The S9300 supports MPLS OAM, providing fault detection techniques such as Ping andTraceRoute on MPLS networks.

l The S9300 supports 802.1ag, 802.3ah, BFD session status association, and end-to-endOAM.

l The S9300 supports traffic statistics based on physical interfaces, VLAN IDs, MPLS LSPs,and ACLs.

l By using the U2000, S9300 can handle:– Device management– Interface management– VLAN management– Multicast management– MPLS management– Software upgrading management– Configuration file management

l The S9300 supports different configuration methods such as end-to-end configuration,batch configuration, and configuration wizard. At the same time, it provides correspondingdefault configuration templates.

l The S9300 supports Telnet-based remote maintenance.l The S9300 supports in-service upgrade. When the system is operating normally, it can be

upgraded through FTP or TFTP. In addition, the active/standby switchover function ensuresservices are not interrupted during the upgrade.

l The S9300 supports hot patch, upgrading only the features that need to be optimized, soservices are not interrupted when a patch is being installed.

l The S9300 supports version rollback. If a system software upgrade or patch fails, theS9300 can return to earlier version.



7

2 Architecture

About This Chapter

This section describes the appearance, hardware structure and software architecture of the S9300

2.1 S9300 Series System StructureThis section describes the appearance and component layout.

2.2 Hardware LayoutThis section describes the hardware structure, including the backplane, MCU, SRU, LPU,CMU, FSU and clock board of the S9300.

2.3 Software ArchitectureThis section describes the relationship between the S9300's operating system and its softwarefeatures.

Quidway S9300 Terabit Routing SwitchProduct Description 2 Architecture


8

2.1 S9300 Series System StructureThis section describes the appearance and component layout.

The S9300 uses a distributed hardware architecture, consisting of the following components:

l Chassis

l Backplane

l Power module

l Fan frame

l Switch Routing Unit (SRU) or Main Control Unit (MCU)

l Line Processing Unit (LPU)

l Central Management Unit (CMU)

The S9300 can be installed in either the International Electrotechnical Commission (IEC) 297cabinet or a European Telecommunications Standards Institute (ETSI) cabinet.

NOTE

l The SRU and CMU are applicable only to the S9312 and S9306.

l The MCU is applicable only to the S9303.

2.1.1 S9303

Appearance of the S9303

Figure 2-1 and Figure 2-2 shows the appearance of the S9303.

Figure 2-1 Front view of the S9303

1. Rack-mounting ear 2. Power module 3. MCU

4. LPU 5. PoE module 6. Cable tray

Figure 2-2 shows the appearance of the back of the S9303.



9

Figure 2-2 Rear view of the S9303

1. Air filter 2. Fan module

The dimensions of the S9303 are 442 mm x 476 mm x 175 mm (width x depth x height).

From the front view, the LPUs, MCUs, and power modules are mounted from top to bottom.Ventilation and heat dissipation occur through the rear of the chassis. Handles are on both sidesof the chassis.

Component LayoutFigure 2-3 shows the component layout of the S9303.

Figure 2-3 Component layout of the S9303

MCU

LPU

LPU

LPU

MCU

PoEPower module Power module

l All components of the S9303 are located on the front panel for ease of maintenance. In the

board cage, there are a total of five slots for horizontal boards. The two half-height slots inthe lower half of the chassis are reserved for the MCUs that support 1:1 backup mode. Theother three slots are reserved for the LPUs.

l The fan frame and air filter are located at the rear of the chassis.l Located at the bottom of the chassis, the power modules work in 1+1 backup mode and

support dual power supply networks for power input. The power modules can be either ACor DC.

l The AC power modules provide the PoE function. The PoE power modules of the S9303do not support backup.



10

2.1.2 S9306

Appearance of the S9306Figure 2-4 shows the appearance of the S9306.


1. LPU 2. SRU 3. Rack-mounting ear

4. Cable tray 5. PoE module 6. CMU

7. Power module




11



The dimensions of the S9306 are 442 mm x 476 mm x 441.7 mm (width x depth x height).

From the front view, the LPUs, SRUs, CMUs, and power modules are mounted from top tobottom. Ventilation and heat dissipation occur through the rear of the chassis. Handles are onboth sides of the chassis.

Component Layout of the S9306Figure 2-6 shows the component layout of the S9306.


SRU

LPU

LPU

SRU

LPU

LPU

LPU

CMU

CMU

Pow

erm

odul

e

POE

Pow

erm

odul

e

Pow

erm

odul

e

Pow

erm

odul

e

POE

LPU

POE

POE



12

l In the board cage, there are a total of eight slots for horizontal boards. The two slots in themiddle are reserved for the SRUs that support 1:1 backup mode. The other six slots arereserved for the LPUs.

l The fan frame and air filter are located at the rear of the chassis.

l Located at the bottom of the chassis, the power modules support dual power supplynetworks for power input. The power modules can be either AC or DC. The DC powermodules can work in 1+1 mode, and the AC power modules can work in 1+1 or 2+2 mode.

l Located at the bottom of the chassis, the CMUs work in 1:1 backup mode.

l The AC power modules support the PoE function. Four AC power modules work in 3+1,2+2, or 4+0 mode.

2.1.3 S9312

Appearance of the S9312

Figure 2-7 shows the appearance of the S9312.


1. LPU 2. SRU 3. Rack-mounting ear

4. Cable tray 5. PoE module 6. CMU

7. Power module




13



The dimensions of the S9312 are 442 mm x 476 mm x 663.95 mm (width x depth x height).

From the front view, the LPUs, SRUs, CMUs, and power modules are mounted from top tobottom. Ventilation and heat dissipation occur through the rear of the chassis. Handles are onboth sides of the chassis.

Component Layout of the S9312Figure 2-9 shows the component layout of the S9312.



14


SRU

LPU

LPU

SRU

LPU

LPU

LPU

LPU

LPU

LPU

LPU

LPU

LPU

LPU

CMU

CMU

Pow

erm

odul

ePo

wer

mod

ule

Pow

erm

odul

ePo

wer

mod

ule

POE

POE

POE

POE

l In the board cage, there are a total of 14 slots for horizontal boards. The two slots in the

middle are reserved for the SRUs that support 1+1 backup mode. The other 12 slots arereserved for the LPUs.

l The fan frame and air filter are located at the rear of the chassis.l Located at the bottom of the chassis, the power modules support dual power supply

networks for power input. The power modules can be either AC or DC. The DC powermodules can work in 1+1 mode. The AC power modules can work in 1+1 or 2+2 mode.

l Located at the bottom of the chassis, the CMUs work in 1+1 backup mode.l The AC power module supports the PoE function. Four AC power modules work in 3+1,

2+2, or 4+0 mode.

2.2 Hardware LayoutThis section describes the hardware structure, including the backplane, MCU, SRU, LPU,CMU, FSU and clock board of the S9300.

Figure 2-10 shows the hardware structure of the S9303.



15

Figure 2-10 Hardware layout of the S9303

HighspeedSerdes

backplane

Materialinterfacemodule

Serviceprocessing

module

Main control module

Monitoringmodule

Clockmodule

LPUSystemclockmodule

Control plane communication module


Service layer softwareNMSManagement

layer softwareControl layer

software

System monitoring module

MCU

Figure 2-11 shows the hardware structure of the S9306 and S9312.

Figure 2-11 Hardware structure of the S9306 and S9312

HighspeedSerdes

backplane

Materialinterfacemodule

Serviceprocessing

module

Main control module

Monitoringmodule

Clockmodule

LPU

Switchingnetworkmodule

Systemclockmodule



Service layer softwareNMSManagement

layer softwareControl layer

software

System monitoring module

SRU



16

2.2.1 BackplaneThe S9300 is designed with a passive backplane composed of control buses, management buses,and clock buses that interact between the SRU, MCU and other communication components.

Each S9300 backplane provides two control unit slots. The S9303's backplane provides 3 LPUslots, the S9306's backplane provides 6 LPU slots, and the S9312's backplane provides 12 LPUslots.

2.2.2 SRUThe SRU is the control board of S9306 and S9312. The SRU integrates multiple functionalmodules such as a data switching module, main control module, FSUA, Compact Flash (CF)module, and system monitoring module. The SRU can be expanded to include a clockmodule.As the core of system control and data switching, the SRU switches data, and controlsand monitors the system.

The SRU's control units work in 1:1 backup mode, and the data switching units work in either1+1 load balancing mode or 1:1 backup mode.

The S9300's SRU has the following functions:

l Forwards data on the data plane.

l Processes protocols including STP, MPLS, and various routing protocols.

l Monitors components.

l Manages the system and monitors system performance according to the user's instruction,and provides users with feedback on the system's running status.

Table 2-1 SRU switching capabilities

SRU Service Switching Capability

SRUA 1 Tbit/s

SRUB 2 Tbit/s

2.2.3 MCUThe MCU is the control board of S9303. The MCU integrates the main control module, CFmodule, system monitoring module and clock module.

The S9300's MCU has the following functions:

l Processes protocols including STP, MPLS, and various routing protocols.

l Monitors components, collects running data of each component periodically, and generatescontrol information based on the running status of the components, for example, checkingwhether the boards are available and controlling the running of the switching fabric.

l Manages the system and monitors system performance according to the user's instruction,and provides users with feedback on the system's running status.



17

2.2.4 CMUThe CMU is the monitoring board applied to the S9306 and S9312. The CMU monitors andmanages the power modules, fan modules, and PoE power modules.

The CMU helps monitor and manage the system and facilitates energy savings and emissionsreduction.

2.2.5 LPULPUs are used to process packets and provide service interfaces. The following tables list theLPUs supported by the S9300.

NOTE

The LPUs are classified into S series boards, E series boards, F series boards, B series boards, and POSboards:

l The S series boards are SA boards, for example, 24-port 100M/1000M Ethernet optical LPU (SA,SFP)-32K MAC.

l E series boards include EA, EC, and ED boards, for example, 48-port 100M Ethernet optical LPU(EA, SFP)-32K MAC.

l F series boards include FA and FC boards, for example, 48-port 1000M Ethernet electrical LPU(FA, RJ45)-32K MAC.

l B series boards are BC boards, for example, 48-port 100M/1000M Ethernet optical LPU (BC,SFP)-128K MAC.

l A POS board consists of a WAN card and subcard such as P4CF, P4HF, or P1UF.

Table 2-2 Ethernet LPUs

Name Description

G24CA 24-port 100/1000BASE-X and 8-port 10/100/1000BASE-T interfacecard (SA, SFP/RJ45)

G24SA 24-port 100/1000BASE-X interface card (SA, SFP)-32K MAC

X12SA 12-port 10GBASE-X interface card (SA, SFP+)

G48SA 48-port 100/1000BASE-X interface card (EA, SFP)-32K MAC

G48SC 48-port 100/1000BASE-X interface card (EC, SFP)-128K MAC

G48SD 48-port 100/1000BASE-X interface card (ED, SFP)-512K MAC

G48SBC 48-Port 100/1000BASE-X Interface Card(BC,SFP)-128K MAC

G48SFA 48-port 100/1000BASE-X interface card (FA, SFP)-32K MAC

F48SA 48-port 100BASE-FX interface card (EA, SFP)-32K MAC

F48SC 48-port 100BASE-FX interface card (EC, SFP)-128K MAC

G48TA 48-port 10/100/1000BASE-T interface card (EA, RJ45)-32K MAC

G48TC 48-port 10/100/1000BASE-T interface card (EC, RJ45)-128K MAC

G48TD 48-port 10/100/1000BASE-T interface card (ED, RJ45)-512K MAC



18

Name Description

G48TBC 48-port 10/100/1000BASE-T Ethernet electrical interface card (BC,RJ45)-128K MAC

G48TFA 48-port 10/100/1000BASE-T interface card (FA, RJ45)-32K MAC

G48CEAT 36-Port 10/100/1000BASE-T and 12-Port 100/1000BASE-XInterface Card(EA,RJ45/SFP)-32K MAC

G48VA 48-port 10/100/1000BASE-T PoE interface card (EA, RJ45,PoE)-32K MAC

F48TA 48-port 10/100BASE-T interface card (EA, RJ45)-32K MAC

F48TC 48-port 10/100BASE-T interface card (EC, RJ45)-128K MAC

F48TFA 48-port 10/100BASE-T interface card (FA, RJ45)-32K MAC

X40SFC 40-port 10GE Ethernet optical interface card (FC, SFP+)

S24XA 24-port 100/1000BASE-X and 2-port 10GBASE-X interface card(EA, SFP/XFP)-32K MAC

S24XC 24-Port 100/1000BASE-X and 2-Port 10GBASE-X Interface Card(EC,SFP/XFP)-128K MAC

T24XA 24-port 10/100/1000BASE-T and 2-port 10GBASE-X interface card(EA, RJ45/XFP)-32K MAC

G24CEAS 24-port 100/1000BASE-X and 8-port 10/100/1000BASE-T Combointerface card (EA, SFP/RJ45, 1588)-32K MAC

G24SC 24-port 100/1000BASE-X interface card (EC, SFP)-128K MAC

G24SD 24-port 100/1000BASE-X interface card (ED, SFP)-512K MAC

G24TFA 24-Port 10/100/1000BASE-T Interface Card(FA,RJ45)-32K MAC

X4UXA 4-port 10GBASE-X interface card (EA, XFP)-32K MAC

X4UXC 4-port 10GBASE-X interface card (EC, XFP)-128K MAC

X4UXD 4-port 10GBASE-X interface card (EC, XFP)-512K MAC

X2UXA 2-port 10GBASE-X interface card (EA, XFP)-32K MAC

X2UXC 2-port 10GBASE-X interface card (EC, XFP)-128K MAC

Table 2-3 POS LPUs

Name Description

WMNPA WAN service card

P4CF 4-port OC-3c/STM-1c POS-SFP card (Installed in WAN servicecard)



19

Name Description

P4HF 4-port OC-12c/STM-4c POS-SFP card (Installed in WAN servicecard)

P1UF 1-port OC-48c/STM-16c POS-SFP card (Installed in WAN servicecard)

NOTE

l Small Form-Factor Pluggable (SFP) is a hot pluggable optical module.

l The 10 Gigabit Small Form-Factor Pluggable (XFP) is a 10G hot pluggable optical module.

l The 10 Gigabit Small Form-Factor Pluggable (SFP+) is a 10G hot pluggable optical module. Its caliberis smaller than the caliber of the XFP optical module.

l By default, the transmission rate of an optical interface is 1000M and the 100M/1000M auto-negotiationis not supported. To use the 100M optical interface, you must set it manually.

2.2.6 FSUThe Flexible Service Unit A (FSUA) is applied to the S9306 and S9312. It supports the followingfunctions:

l Hardware-based Ethernet OAMl Hardware-based MPLS OAMl Hardware-based Bidirectional Forwarding Detection (BFD)l DoS attack protection for the SRU's Central Processing Unit (CPU)

NOTE

Software-based Ethernet OAM, MPLS OAM, BFD and NQA functions are available in other LPUs.

FSUA is an optional subcard on the SRU of the S9306 and S9312. Users have the option toinstall the FSUA according to the service requirement.

Table 2-4 FSUA

Name Description

20 Gbit/s FSUA Provides 20 Gbit/s service switching capability.

2.2.7 VSUThe Virtual Switch Unit (VSU) connects multiple devices to form a stack.

On the S9312 and S9306, the VSTSA acts the VSU, and is installed on the SRU. You canconfigure the VSTSA according to service requirements. For the VSTSA, "VS" represents thevirtual switch, "T" represents the electrical interface, "S" represents the standard series, and "A"represents the version.

NOTE

The S9303 does not support stacking.



20

Table 2-5 Stacking cards

Name Description

VSTSA Handles device stacking.

2.2.8 SPUThe Service Process Unit (SPU) is the value-added service card, which does not provide serviceinterfaces.

The SPU used on the S9300 series switches is referred to as the Value Added service Multi-coreProcessor (VAMPA), where "A" represents the version. It supports the following functions:l Firewalll NATl Integrated NetStreaml Load balancingl IPSec VPN

NOTE


l WLAN AC

Table 2-6 SPU

Name Description

VAMPA Processes value-added services.

2.3 Software ArchitectureThis section describes the relationship between the S9300's operating system and its softwarefeatures.

The S9300 runs the latest VRP version (VRPv5), which consists of the following components:

l System service plane, which provides the following functions:– Task management– Memory management– Timer– Software loading and patchingThis enhances the modular technologies, thus facilitating easier system upgrades andcustomization.

l General control planeThe core of the VRP data communication platform. It handles basic security and QoS, andprovides the following functions:



21

– Link management– IP protocol stacking– Routing protocol processingIt controls the data forwarding plane and carries out various device functions.

l Data forwarding planeForwards data under the control of the general control plane. VRPv5 supports dataforwarding based on software and hardware.

l Service control planeControls and manages system data based on users or interfaces. It implementsauthentication, authorization, and accounting (AAA) for users through the DHCP Option82 field. It also implements authentication for access interfaces through IEEE 802.1x.

l System management planeProvides user interfaces and manages input/output ports, acting as the basis of networkmanagement and maintenance.



22

3 Service Features

About This Chapter

This section describes the major service functions of the S9300, including IP features,MPLS,MPLS L2VPN, MPLS L3VPN, QoS, Ethernet, Ethernet OAM, NAC, multicast, reliability,LLDP, security, clock, Web network management, firewall/NAT, load balancing, IPSec VPN,stacking, NetStream, and WLAN AC.

NOTE


3.1 EthernetThis section describes the basics of VLAN mapping, selective QinQ, and BPDU tunneling.

3.2 IP FeaturesThis section describes the IP features supported by the S9300.

3.3 MulticastThis section describes the basics of IGMP snooping, multicast flow control, controllablemulticast, multicast VLAN, and multicast replication.

3.4 QoSThis section describes the basics of QoS supported by the S9300.

3.5 ReliabilityThis section describes the basics of link aggregation, BFD, and HA at the equipment level.

3.6 SecurityThis section describes the security measures for devices and services.

3.7 Network Management FeaturesThe S9300 provides LLDP and NetStream network management functions.

3.8 ClockThis section describes the clock synchronization and calibration mechanisms supported by theS9300.

3.9 PoEOn intranets, PoE can be used to provide centralized power for terminals such as IP phones,Access Points (APs), portable device chargers, POS machines, cameras, and data collectiondevices through the 10Base-T, 100Base-TX, or 1000Base-T Ethernet.

Quidway S9300 Terabit Routing SwitchProduct Description 3 Service Features


23

3.10 Enterprise Network FeaturesThe S9300 provides NAC, firewall, NAT, load balancing and WLAN AC for enterprisenetworks.

3.11 MPLSThis section describes the basics of MPLS, MPLS TE, and MPLS OAM.



24

3.1 EthernetThis section describes the basics of VLAN mapping, selective QinQ, and BPDU tunneling.

3.1.1 VLAN AggregationAs network technologies develop, a greater number of network addresses are required to handlethe growing number of applications and devices. To deal with network address insufficiencies,VLAN aggregation is used to conserve IP addresses.

In VLAN aggregation, a super VLAN is associated with multiple sub-VLANs. A super VLANdoes not contain physical interfaces, but can be configured with a VLANIF interface. A sub-VLAN can contain physical interfaces, but cannot be configured with a VLANIF interface. Allsub-VLAN interfaces use the VLANIF interface address of the super VLAN. The subnet IDs,subnet gateway addresses, and subnet broadcast addresses can be conserved. Different broadcastdomains use the addresses of the same subnet; therefore, addressing becomes flexible and IPaddresses are conserved. In addition to keeping each sub-VLAN as an independent broadcastdomain, VLAN aggregation uses fewer IP addresses than a common VLAN.

3.1.2 VLAN MappingVLAN mapping refers to setting up of a mapping table on the S9300 that dictates how theCustomer VLAN (C-VLAN) interacts with the Service VLAN (S-VLAN). One or multiple C-VLAN IDs can be mapped to a S-VLAN ID.

NOTE

l C-VLANs are the VLANs on the port at the user side. They take effect locally and identify a user or aclass of users.

l S-VLANs are designated by the ISP at the network side. They take effect globally and identify a typeof service.

The S9300 supports VLAN mapping of a single VLAN tag in the following modes, providedthe user side interface has been specified:

l 1:1 VLAN mappingMaps a C-VLAN tag to the S-VLAN tag.

l N:1 VLAN mappingMaps multiple C-VLAN tags to the S-VLAN tag.

The S9300 also supports double-tagged VLAN mappings.

l 2:2 VLAN mappingThe S9300 can map user side double-tagged packets to network side double-tagged packets.Additionally, the S9300 can replace both the outer and inner tags of a packet.

l 2 to 1 VLAN mappingThe S9300 maps the user side outer and inner VLAN tags to the network side outer VLANtag. It can also change the network side outer VLAN tag, but leave the network-side innerVLAN tag unchanged.

In addition, the S9300 supports the CoS-based VLAN mapping. It can map multiple C-VLANtags to the same S-VLAN tag according to the CoS.



25

For details about VLAN Mapping, refer to the section "VLAN" in the Quidway S9300 TerabitRouting Switch Feature Description - Ethernet.

3.1.3 Selective QinQSelective QinQ expands the VLAN tag space, enabling the S9300 to flexibly select outer S-VLAN tags based on the received packets' C-VLAN tags. In this way, various user services cantravel along different paths, improving service deployment. The selective QinQ feature can beapplied to both inbound and outbound interfaces, making networking more flexible.

The S9300 can add a different outer S-VLAN tag based on the VLAN ID of the packets' VLANtags on the port.

The S9300's powerful hardware implements selective QinQ using traffic classification based onACLs, permitting the S9300 to flexibly add S-VLAN tags or modify C-VLAN tags.

For details about selective QinQ, refer to the section "QinQ" in Quidway S9300 Terabit RoutingSwitch Feature Description - Ethernet.

3.1.4 Layer 2 Protocol Transparent TransmissionLayer 2 protocol transparent transmission is a Layer 2 tunneling technology that transparentlytransmits Layer 2 protocol packets from private networks over VLAN VPNs on an ISP network.With this technology, private networks in different areas can calculate a spanning tree. Thespanning trees of private networks and ISP network are independent from each other, andtherefore the network convergence speed is improved.

After Layer 2 protocol transparent transmission is enabled, the S9300 dose not send tagged Layer2 protocol packets to the CPU. Instead, it forwards these packets in matching VLANs as commonLayer 2 data frames or encapsulates them in MPLS packets to forward them on an MPLSnetwork.

Bridge protocol data unis (BPDUs) are commonly used Layer 2 protocol packets. Layer 2protocol transparent transmission provides a BPDU tunnel to transmit BPDUs so that privatenetworks and the ISP network do not interfere with each other.

3.2 IP FeaturesThis section describes the IP features supported by the S9300.

NOTE

To implement IPv6, apply for and purchase the relevant license from the local Huawei vendor.

3.2.1 IPv4/IPv6 Protocol StackThe IPv4/IPv6 protocol stack can communicate with many other protocols and the IPv4/IPv6implementation is simple. Figure 3-1 shows the IPv4/IPv6 protocol stack structure.



26

Figure 3-1 IPv4/IPv6 protocol stack structure

IPv4/IPv6 Application

TCP UDP

Link Layer

IPv4 IPv6

3.2.2 IPv4 FeaturesThe S9300 supports the following IPv4 features:

l TCP/IP protocol stack, including ICMP, IP, TCP, UDP, socket (TCP/UDP/Raw IP), andARP

l Static DNS and specified DNS server

l FTP client/server and TFTP client

l DHCP relay agent and DHCP server

l Ping, tracert, and NQA: NQA can detect the status of ICMP, TCP, UDP, DHCP, FTP,HTTP and SNMP services and test the response time of various services.

NOTE

To implement NQA, apply for and purchase the relevant license from the local Huawei vendor.

l IP policy-based routing: specifies next hop based on packet attributes without searchingthe routing table.

For details about IPv4refer to the section "IPv4" in Quidway S9300 Terabit Routing SwitchFeature Description - IP Service.

3.2.3 IPv6 FeaturesThe S9300 supports the following IPv6 features:

l IPv6 Neighbor Discovery (ND)

l Path MTU Discovery (PMTU)

l TCP6, ping IPv6, tracert IPv6, socket IPv6, UDP6 and RawIP6

l TFTP IPv6 Client

l IPv6 policy-based routing

l DHCPv6 snooping and MLDv1/v2 snooping

l Neighbor Discovery (ND) snooping

For details about IPv6, refer to the section "IPv6"in Quidway S9300 Terabit Routing SwitchFeature Description - IP Service.



27

3.2.4 IPv4/IPv6 Transition Technologies

IPv6 over IPv4 TunnelAs shown in Figure 3-2, the IPv6 over IPv4 tunnel technology is used during the transition froman IPv4 network to an IPv6 network.

Figure 3-2 Network diagram of an IPv6 over IPv4 tunnel

IPv4 Header

IPv6network

IPv6networkIPv6 over IPv4 Tunnel

IPv4 network

Dual StackDevice

Dual Stack Device

IPv6 host IPv6 hostIPv6 Header IPv6 Data

IPv6 Header IPv6 Data

IPv6 Header IPv6 Data

The S9300 supports the following IPv6 over IPv4 tunnels:

l IPv6 manual tunnelAn IPv6 manual tunnel is created manually on routers at both ends of a tunnel by staticallyconfiguring the source and destination IPv4 addresses. The tunnel is a permanent link thatconnects two IPv6 domains through an IPv4 backbone network. It is a fixed channel fortwo edge routers to communicate with each other and can be used by isolated IPv6 sites tocommunicate with each other.

l 6to4 tunnelA 6to4 tunnel can connect multiple isolated IPv6 sites to an IPv6 network through an IPv4network.Compared with a manual tunnel, a 6to4 tunnel can be a P2MP connection, whereas a manualtunnel is a P2P connection. Routers using a 6to4 tunnel are not configured in pairs. Similarto routers on an automatic tunnel, a router on a 6to4 tunnel can search for the other end ofthe tunnel. However, since a 6to4 tunnel uses a special IPv6 address, called a 6to4 address,it is not necessary to specify an IPv4–compatible IPv6 address for a 6to4 tunnel.

IPv4 over IPv6 TunnelDuring the later stage of an IPv4 to IPv6 network transition, a large number of IPv6 networksare deployed; therefore, there may be isolated IPv4 sites. Connecting these isolated sites usingdedicated lines can be very costly, so, instead, a tunnel connecting isolated IPv4 sites can becreated on an IPv6 network. This is similar to deploying a VPN on an IP network using tunneltechnology. The tunnel connecting isolated IPv4 sites on an IPv6 network is called an IPv4 overIPv6 tunnel.

To set up IPv4 over IPv6 tunnels, the IPv4/IPv6 dual stack needs to be enabled on the routersat the edges of the IPv6 network and the IPv4 network.



28

Figure 3-3 Network diagram of an IPv4 over IPv6 tunnel

IPv4 PayloadIPv4 Header

IPv4network

IPv4networkIPv4 over IPv6 Tunnel

IPv6 network

Dual StackRouter

Dual Stack Router

IPv4 host IPv4 host

IPv4 HeaderIPv6 Header

IPv4 Payload

IPv4 Header

IPv4 Payload

6PE

An IPv6 Provider Edge (6PE) router facilitates communication between isolated IPv6 CE routersover an IPv4 network. Figure 3-4 illustrates a simple 6PE network topology. The ISP can usethe IPv4 backbone network to provide services for IPv6 networks with widely distributed users.

Figure 3-4 Network diagram of a basic 6PE network

IPv4/MPSL CloudIBGP

PCE CE

IPv6 Cloud Customer site

IPv6 Cloud Customer site

The 6PE router labels IPv6 routing information and advertises the information onto the ISP'sIPv4 backbone network through Internal Border Gateway Protocol (IBGP) sessions. IPv6packets are labeled before entering the tunnels on the backbone network. The tunnels can beMPLS LSPs.

The IGP protocol used on the ISP network can be OSPF or IS-IS, and the protocol used betweenCE routers and 6PE routers can be a static routing protocol, an IGP, or EBGP.



29

If the IPSs want to use the IPv4/MPLS networks to exchange IPv6 traffic, they can just updatethe PE router. Therefore, using the 6PE feature as an IPv6 transition mechanism is a cost-effective solution for ISPs.

3.2.5 IP SessionThis section describes the IP session feature supported by the S9300.

As shown in Figure 3-5, Switch represents the S9300.

Figure 3-5 Networking diagram of an IP session

DHCP Server

AAA Server

Internet

SwitchDSLAM

The S9300 can assign IP addresses to terminate and authenticate IP sessions.

An STB or VoIP terminal sends a DHCP Request message to which the S9300 either directlyassigns an IP address to the terminal or relays the message to the DHCP server requesting an IPaddress. Before assigning an IP address, the S9300 sends the VLAN (QinQ) information orDHCP Relay Agent information to the AAA server to authenticate the terminal. If theauthentication is successful, the S9300 assigns an IP address to that terminal.

The S9300 can perform scheduling on different types of services or encapsulate service trafficinto different VPNs to separate services.

3.3 MulticastThis section describes the basics of IGMP snooping, multicast flow control, controllablemulticast, multicast VLAN, and multicast replication.

The S9300 supports multicast features including IGMP snooping, IGMP proxy, static multicast,multicast across VLANs.

3.3.1 Multicast Routing ProtocolThe S9300 supports the following multicast routing protocols:

l Internet Group Management Protocol (IGMP), Protocol Independent Multicast-DenseMode (PIM-DM), Protocol Independent Multicast-Sparse Mode (PIM-SM), MulticastSource Discovery Protocol (MSDP), and Multi-protocol Border Gateway Protocol(MBGP).



30

l Protocol Independent Multicast- Source-Specific Multicast (PIM-SSM): When a multicastsource is specified, a host can join the multicast source directly, without registering withthe Rendezvous Point (RP).

l Anycast RP: Multiple RPs can exist in a domain configured as MSDP peers. A multicastsource can register with the nearest RP, and the receiver can also choose the nearest RPand join the RP's shared tree. When an RP expires, the multicast source and receiverregistered on that RP choose another nearby RP to register and join, sharing the load acrossRPs.

l IPv6 multicast routing protocols: PIM-IPv6-DM, PIM-IPv6-SM, and PIM-IPv6-SSM.l Multicast Listener Discovery (MLD): MLD is used to set up and maintain the groups'

member relationships between hosts and their directly connected multicast routers. MLDfunctions and is implemented the same way as IGMP. MLD has the following versions:– MLDv1

MLDv1 is defined in RFC 2710 and derived from IGMPv2. MLDv1 supports the Any-Source Multicast (ASM) model.

– MLDv2MLDv2 is defined in RFC 3810 and derived from IGMPv3. MLDv2 supports the ASM.With the help of SSM mapping, MLDv2 can support the Source-Specific Multicast(SSM) model.

When the multicast routing module receives, imports, and advertises multicast routes, theS9300 can filter the routes based on routing policies. When forwarding IP multicast packets, theS9300 can filter and forward packets based on these policies.

For details about Link Aggregation, refer to the Quidway S9300 Terabit Routing Switch FeatureDescription - Multicast.

3.3.2 IGMP SnoopingLocated between the host and the multicast router, the S9300 can statically configure multicastforwarding entries. In addition, the S9300 maintains the multicast group, the VLAN ID mappingand outbound ports by listening to passing IGMP messages. The S9300 dynamically sets up aLayer 2 forwarding table for multicast packets.

When the S9300 receives a multicast packet, it only forwards the packet to the VLAN membersof that multicast group. Based on the Layer 2 forwarding table, the packet is multicast while inthe VLAN. This reduces the number of packets transmitted over the network to save networkbandwidth, and improves information security.

Prompt Leaving of PortsWhen one of the S9300's ports are attached to only one host, the S9300 directly deletes thatport's corresponding multicast forwarding entry as long as it receives an IGMP Leave messagefrom the host through that port. After that, the S9300 does not forward IGMP Query messagesto that port, saving bandwidth and system resources while ensuring prompt switchover ofservices.

Multicast QuerierOn a Layer 2 network, the S9300 can act as querier for the following multicast functions:

l Run queries.



31

l Establish multicast forwarding tables on Layer 2 networks.

Multicast Packet Suppression

If the S9300 receives a Report packet or Leave packet from users within a short period of time,the S9300 checks whether the same Report packet or Leave packet has been received during thesuppression period. The S9300 then decides whether to send the packets to the router, reducingthe number of IGMP packets handled by the router.

Controllable Multicast

The S9300 can control VLAN users multicast group access by configuring ACL, facilitatingcontrollable multicast communication.

Multicast Call Admission Control (CAC)

Multicast CAC is mainly used to control the number and bandwidth of IPTV channels used inthe Layer 2 IPTV multicast scheme, preventing users from requesting additional channels orbandwidth to ensure high service quality for all users.

3.3.3 Static MulticastA user host receives multicast traffic through a DSLAM. For example, the Set Top Box (STB)receives video programs from Broadband Television (BTV). The S9300 can be deployedbetween multiple DSLAMs and an upstream multicast router. If IGMP is not enabled for someVLANs on the S9300, the S9300 sets up a multicast member relationship statically and sets upmulticast forwarding entries for those VLANs as required.

Each DSLAM supports controllable multicast and can directly control the addition, deletion,and switching of channels from the STB. The S9300 is not involved in IGMP packettransmission; thus the delay generated by images and voices when the number of users switchchannels is greatly reduced.

3.3.4 Multicast VLAN and Multicast ReplicationMulticast VLAN is used to converge and forward the multicast packets from different VLANs.Users join a multicast VLAN when they need multicast packets. The multicast VLAN copiesmulticast packets to different user VLANs, carrying out multicast duplication across VLANs.The S9300 can copy up to 127 copies of multicast packets of different VLANs to each port.

The S9300 forwards multicast packets through the multicast VLAN, and copies the packetsbased on the multicast entries. The S9300 then sends these packets to different users' VLANs.Using the multicast VLAN technique, the S9300 can converge the multicast packets from alluser VLANs into one or several VLANs.

Multicast VLAN enables the S9300 to send unicast packets and multicast packets throughdifferent VLANs, helping to manage and control multicast traffic and conserve the bandwidthresources.

3.4 QoSThis section describes the basics of QoS supported by the S9300.



32

NOTE

For details about Link Aggregation, refer to the Quidway S9300 Terabit Routing Switch FeatureDescription - QoS.

3.4.1 Hierarchical Traffic PolicingThe S9300 supports two-level traffic policing, namely, traffic policing based on users and trafficpolicing based on user groups. It supports bandwidth multiplexing of users and user groups.

Traffic policing is used to monitor service traffic matching traffic classifier rules on an inboundinterface, allowing the interface to be adapted to available network resources such as bandwidth.Traffic policing limits the rate of traffic on the inbound interface, allowing the S9300 to monitorincoming traffic. If the rate is too high, the S9300 chooses to discard packets or reset packetpriorities.

The S9300 supports the two-rate-three-color marker and one-rate-two-color marker,guaranteeing granular bandwidth management.

3.4.2 Flow ControlFlow control is used for congestion management. When a network cannot provide the committedor negotiated performance specifications, such as rate, congestion occurs.

In this case, an Ethernet switch sends pause frames to its peer to inform the peer to stop sendingdata for a while. This helps decrease the volume of traffic on the network. When flow controlis enabled on a port, it applies to all traffic on the port.

3.4.3 Re-markingWith re-marking, the S9300 applies service parameters to packets that match certain ACL rules.Re-marking is implemented as follows:

l The S9300 applies self-defined service parameters to packets.l The S9300 applies service parameters as defined by the mapping table according to packets'

Differentiated Services Code Point (DSCP).l The S9300 applies service parameters as defined by the mapping table according to DSCP

defined by users.l Users assign service parameters to packets.

3.4.4 Queue SchedulingWhen an Ethernet switch forwards multiple packets, these packets may compete for resources.The S9300 uses the following queue scheduling algorithms to address this problem:

l Strict Priority (SP)l Weighted Round Robin (WRR)l SP + WRRl Deficit Round Robin (DRR)l SP + DRR

Outgoing packets on Ethernet switch ports are forwarded differently as decided by the precedingalgorithms.



33

3.4.5 Congestion AvoidanceWhen congestion occurs, a switch immediately discards certain packets to release queueresources. The switch also schedules packets into queues other than those experiencing delay tohelp alleviate congestion.

The S9300 supports the Weighted Random Early Detection (WRED) algorithm. WREDmonitors packets in each queue and compares the queue length to its lower packet drop threshold.Based on this, the S9300 processes packets in queues in the following ways when congestionoccurs.

l When a queue is shorter than the lower threshold, the device does not discard packets.l When the queue length is between the lower threshold and the upper threshold, WRED

begins to discard packets randomly.l When the queue is longer than the upper threshold, the device discards all incoming packets.

3.4.6 Traffic ShapingTraffic shaping controls the outgoing packet transmission rate, ensuring packets are transmittedat an even rate. Traffic shaping is applied to downstream traffic to make its transmission ratethe same as that provided by downstream devices. This prevents packets from being discardedand traffic congestion. The difference between traffic shaping and traffic policing is that trafficshaping is used to buffer packets that exceed the set rate limit and then transmit packets at aneven rate; traffic policing is used to discard packets that exceed the set rate limit. In trafficshaping, packets are delayed for transmission. In traffic policing, however, no delay is addedfor packets.

The S9300 shapes traffic for all VLANs, interfaces and CoSs. Different types of traffic shapingcan be implemented using different parameters.

3.5 ReliabilityThis section describes the basics of link aggregation, BFD, and HA at the equipment level.

3.5.1 Link AggregationThe S9300 can manually bind multiple ports to an Eth-Trunk interface. The S9300 also supportslink aggregation in static mode. That is, the administrator can set up an aggregation group andadd member links, and the Link Aggregation Control Protocol (LACP) will maintain theaggregated link.

When one of the links fail, traffic is balanced among the other links without interruption. TheS9300 can aggregate links on different LPUs, improving service reliability.

For details about Link Aggregation, refer to the section "Trunk" in Quidway S9300 TerabitRouting Switch Feature Description - Ethernet.

3.5.2 DLDPThe S9300 supports Device Link Detection Protocol (DLDP). DLDP monitors the link status ofoptical fibers or copper twisted-pair cables. If a unidirectional link exists, DLDP automaticallyshuts down or notifies users to manually shut down the port on the unidirectional link as required,preventing network faults.



34

For details about DLDP, refer to the section "DLDP" in Quidway S9300 Terabit Routing SwitchFeature Description - Reliability.

3.5.3 RRPP and Multi-Instance TechnologyTo reduce the impact of network scaling on convergence time, Huawei has developed RapidRing Protection Protocol (RRPP), a data link layer protocol used exclusively in Ethernet ringnetworks.

When an Ethernet ring network is complete, RRPP can prevent broadcast storms caused by dataloops. When a link is disconnected, RRPP helps quickly enable the standby link and then restorecommunication between nodes on the ring network.

Compared with other Ethernet ring technologies, RRPP boasts the following features:

l Convergence time is unrelated to the number of nodes on a ring network. Thus, RRPP canbe applied to a network with a great diameter.

l RRPP can prevent broadcast storms caused by loops when an Ethernet ring network iscomplete.

l On an Ethernet ring network, when a link is down, a backup link immediately starts up toresume normal communication between nodes.

On intersecting RRPP rings, when the topology of a ring changes, topology flapping will notoccur on adjacent rings, improving data transmission reliability.

RRPP multi-instance technology applies to ring Ethernet networks, in which different RRPPinstances are applied to different C-VLANs so they may carry out independent topologycalculations and convergence. In addition, multi-instance technology optimizes networks andsimplifies the configurations of complex topologies containing multiple intersecting rings ormultiple rings in multiple domains.

For details about RRPP, refer to the section "RRPP" in Quidway S9300 Terabit Routing SwitchFeature Description - Reliability.

3.5.4 Smart Link and Multi-Instance TechnologyDual-homing networking is one of the most commonly used forms of networking. In most cases,STP is enabled to implement link backup; however, STP cannot meet quick convergencerequirements.

Thus, Smart Link was developed to provide link backup and fast switching between active andstandby link traffic, ensuring fast link convergence. In a dual-homing network, when the activelink fails, the device automatically switches traffic to the standby link. In this manner, theredundant link is blocked and link backup is assured.

Smart Link features are as follows:

l Dedicated to dual-homing networksl Down to sub-second convergence timel Easy to configure and operate

In Smart Link multi-instance, a Smart Link group is configured with multiple instances and eachinstance is configured with a VLAN range. Commands are used to configure some instances totransmit packets through standby links. Thus the VLANs transmit packets through differentpaths to implement load balancing.



35

For details about Smart Link, refer to the section "Smart Link" in Quidway S9300 TerabitRouting Switch Feature Description - Reliability.

3.5.5 Ethernet OAMThis section describes the basics of Ethernet OAM.

The S9300's Ethernet OAM functions include fault management and performance management.

For details about Ethernet OAM, refer to the section "Ethernet OAM" in Quidway S9300 TerabitRouting Switch Feature Description - Reliability.

3.5.6 BFDThe S9300 supports BFD to implement fast detection and monitor the link connectivity.

BFD performs fast link failure detection using the "Hello" protocol. Detection packets aretransmitted periodically from both ends of a bidirectional link. If the S9300 fails to receive adetection packet from the peer end within a certain period of time, it indicates that a segment ofthe bidirectional link has failed. BFD then triggers the switchover mechanism to ensure networkreliability.

BFD supports failure detection in milliseconds. BFD also supports asynchronous detection.

The S9300 supports the following BFD detection methods:

l Link detectionl IP routing connectivity detectionl LSP, CR-LSP, and MPLE TE protection group connectivity detectionl BFD detection on VPLS networks

It also processes diagnostic packets that manage VPLS switchover and performs theswitchover.

The S9300 supports the association among BFD, 802.3ad, and 802.1ag to provide an end-to-end OAM solution.

For details about BFD, refer to the section "BFD" in Quidway S9300 Terabit Routing SwitchFeature Description - Reliability.

3.5.7 LSP Protection SwitchoverThe S9300 supports MPLS OAM and fast detection of LSP faults. A standby LSP can be set forthe active LSP to implement 1+1 LSP backup. When the active LSP fails, services are fastswitched to the standby LSP, greatly improving network reliability.

For details about LSP protection switchover, refer to the section "MPLS OAM" in QuidwayS9300 Terabit Routing Switch Feature Description - MPLS.

3.5.8 Equipment Level Reliability

Hot BackupThe S9300 supports hot backup for its key components including the SRU/MCU, powermodules, and fan modules.



36

l SRU/MCUThe S9300 can be installed with two SRUs/MCUs running in 1+1 backup mode.

l The two SRUs/MCUs in 1+1 backup mode support two types of protection switchover:– Automatic protection switchover

Triggered by the system upon a serious fault or an active SRU/MCU reset.– Forcible protection switchover

Triggered by commands through the console port. You can also prevent the SRU/MCUactive/standby switchover through the console port.

After an active/standby switchover occurs, the standby SRU/MCU immediately takes over allservices, ensuring service continuity and system availability.

l Power modulesThe S9300 can be configured with 4 AC power modules or 4 DC power modules. Bothpower modules work in redundant backup mode.If one of the power modules fails, the other power modules immediately take over serviceswithout interruption.The PoE function is only supported by AC power modules. The S9303 does not supportthe backup of PoE power modules. The S9306 and the S9312 support PoE power modulesworking in M+N mode.

l Fan modulesEach fan frame of the S9300 provides two fan frame layers for backup. If one fan framefails, the other fan frame ensures that the ambient temperature does not exceed 45°C. Asingle fan frame working alone to control ambient temperature can normally work at leastfor a maximum 96 hours.When a fan fails, the system generates an alarm message.

Hot SwapThe SRU, MCU, LPU, CMU, power modules, and fan frames of the S9300 are all hot swappable.

WARNINGFSUA is not hot swappable.

l SRUs/MCUsWhen the S9300 is installed with two SRUs/MCUs working in 1+1 backup mode, hotswapping the standby SRU/MCU does not interrupt services. Hot swapping the active SRU/MCU, however, causes a fast switchover of services to the standby SRU/MCU. The SRU'sdata switching units can also work in 1:1 load balancing mode. In this mode, the dataswitching capability is reduced by half when the SRU is hot swapped.

l LPUsl Power modules

When four power modules are all running on the S9300, hot swapping one or two of themwill not interrupt services.

l Fan frames



37

Hot swapping fan frames will not affect S9300 services.l Air filters

The air filter is not powered and is easily swapped for convenient routine cleaning.

Inter-SIC Eth-TrunkMultiple Ethernet ports, either on the same SIC or different SICs, can be bound to a logical Eth-Trunk interface, creating a backup between ports and implementing traffic load balancing.

When one member port in an Eth-Trunk interface fails, that port's services are automaticallycarried by other ports in the Eth-Trunk interface. In this case, the Eth-Trunk interface can stillhandle services normally, ensuring service transmission is not affected.

Since bound ports belong to different SICs, inter-SIC Eth-Trunk reduces the impact of one SICfault and eliminates single-site faults.

E-Trunk Composed of Ethernet Interfaces on Different DevicesAs an extension to the Link Aggregation Protocol (LACP) that implements link aggregation ona single device, the Enhanced Trunk (E-Trunk) protocol implements link aggregation acrossdifferent devices, improving link reliability.

The E-Trunk is mainly applied to CEs that are dual homed to VPLS, VLL, or PWE3 networks.In these situations, E-Trunk protects the links between the CEs and PEs, preventing faults onPEs. Before the E-Trunk is implemented in a system, a CE can only be connected to a PE throughan Eth-Trunk.

If the Eth-Trunk or the PE fails, the CE cannot communicate with the PE. However, once theE-Trunk implemented, the CE can be dual homed to two PEs, ensuring effective backup betweendevices.

Figure 3-6 Networking diagram of an E-Trunk

PE1

PE2

CEEth-Trunk 10

Eth-Trunk 20

E-Trunk 1

StackingA single switch cannot meet the demands of increasing data center access volume and ensurenetwork reliability. The S9300 uses specialized switch stacking technology to meet thesegrowing demands.

In a CSS, multiple S9300s are connected through dedicated stacking cables to form a logicalswitch.



38

The stacking technology provides operators with the following benefits:l Protecting investments during network capacity expansionl Simplifying configuration and management during capacity expansion: multiple physical

switches form a logical switchl Improving system reliability through switch redundancy and backup

Preventing Hardware AbnormalitiesThe S9300 separates the control channel from the service channel, creating a non-blockingcontrol channel. The S9300 supports the following measures for protecting againstabnormalities:

l Error correction for memory chip faults.l Protection against power input interface mis-insertion.l Fan frames with independent power supply channels, ensuring redundancy.l Over-current and over-voltage protection for power and interface modules.l Protection against board mis-insertion to avoid inserting H-SICs into L-SIC slots.l Monitoring and alarm systems for the power modules, voltage, and ambient temperature.

Operation ProtectionThe S9300 supports the following protection measures:

l In-service BootROM upgrade, in-service patching, and version rollback.l Data hot backup between the active and standby units. The active unit automatically

switches to the standby state when failures occur on the active unit to prevent data loss.l Regular synchronization of configurations between the LPUs and SRUs/MCUs.l VRP system software exception monitoring, including automatic restoration and log

records.l Dying gasp that records key fault information.

The S9300 provides prompt for improper operations. If the commands negatively impactingsystem performance are entered, the system requests users to confirm the operations.

3.6 SecurityThis section describes the security measures for devices and services.

3.6.1 Device Security

Hierarchical Command LinesTo ensure security, the S9300 authenticates users when using Ethernet ports to Telnet into adevice. Users can log in to configure and maintain the device only after they are authenticated.

S9300 commands are divided into 4 levels, and login users are also divided according to these4 levels. After logging in to the S9300, users can only run commands that correspond to theiruser level.



39

The S9300 supports the extension of command levels and user levels, which can be mappedfrom four levels to 16 levels. Command level mapping is an effective means of managing andextending the variety of available user levels.

The S9300 can also lock the terminal through the command line to prevent unauthorized use.

Remote Login Through SSH

The S9300 supports Secure Shell (SSH) v1.5 and v2. On unsecured networks, SSH providespowerful security and authentication services for login users and can help defend against attacks.

Encryption Authentication in SNMP

The S9300 supports SNMPv3 encryption and authentication to authenticate the managementpackets from the NMS.

Authentication, Authorization, and Accounting

The S9300 supports Authentication, Authorization and Accounting (AAA). AAA supports threetypes of user authentication:

l Local authentication

l Remote Authentication Dial-In User Service (RADIUS)

l Huawei Terminal Access Controller Access Control System (HWTACACS) authentication

AAA can authenticate and authorize login users in combination with hierarchical command lineprotection and authenticate NMS administrators, helping the S9300 defend against unauthorizeduser login.

Hierarchical CPU Protection

The S9300 supports two levels of CPU protection:

l LPU level

Based on protocol type, the S9300 performs flow control for protocol packets andmanagement packets sent from the LPU to the SRU's CPU. This protects the channelbetween the LPU and the CPU from being congested with packets caused by Denial ofService (DoS) attacks.

l SRU level

When the CPU receives protocol packets and management packets sent from the LPU, theS9300 performs traffic classification, re-marking, flow control, and the whitelist functionson the packets and implements QoS and rate limit on the CPU. This protects the CPU againstDistributed DoS (DDoS), IP spoofing, and SYN Flood attacks.

3.6.2 Service Security

ACL-based Packet Filtering

Packet filtering is used to filter unauthorized or unwanted packets. By filtering packets, theS9300 can effectively control the passing packets.



40

The S9300 filters packets based on user-defined rules. For example, it can filter packetsaccording to the source or destination address of the packet. Packet filtering does not check thestate of sessions and does not analyze the data.

DHCP Snooping/Option 82When deployed between the server and client of the Dynamic Host Configuration Protocol(DHCP), the S9300 listens to the sent DHCP packets. The S9300 then sets up a table bindingthe IP address with a MAC address according to the monitoring results. This suppressesunauthorized packets from being transmitted. The S9300 can also insert or strip a packet's Option82 field.

l After receiving a request packet from the DHCP client, the S9300 inserts the Option 82field into the packet. The DHCP server then assigns IP addresses by identifying the Option82 field.

l The DHCP server inserts the Option 82 field into the response packet. The S9300 analyzesthe Option 82 field to select the appropriate forwarding port. The S9300 then strips theOption 82 field and forwards the packet to the user.

The Option 82 field records the user circuit's ID number, which can be used to effectively defendagainst DHCP packet tampering.

Similarly, with the IP session feature, the S9300 checks the IP addresses, MAC addresses,interface numbers, and VLAN IDs of packets according to VLAN or Option 82 information toprevent unauthorized users from forging IP addresses.

MAC Address Learning LimitThe S9300 can restrict the maximum number of MAC entries learned by a port. This can defendagainst attacks using forged MAC entries and prevent the MAC table resources from being usedup.

The S9300 scan limit the number of MAC addresses based on the following factors:

l Portsl VLAN IDsl VSIs

When the number of MAC addresses learned by a port exceeds the pre-defined threshold, theS9300 forwards or discards incoming packets with new MAC addresses as configured.

Blackhole MAC EntriesThe S9300 supports blackhole MAC entries. When the S9300 receives a packet, it compares thepacket's destination MAC address with the MAC entries in the blackhole MAC table. If thepacket's MAC address matches an entry in the table, the packet is dropped.

After detecting that certain packets with specific MAC addresses are attack packets, theadministrator can set a blackhole MAC entry to filter these packets based on that MAC address,preventing attacks using that MAC addresses.

MAC+VLAN-based Port BindingTo improve interface security, the S9300 allows network administrators to add static entries tothe MAC address table. Static entries identify mappings between specific MAC addresses,



41

VLAN IDs, and interfaces, binding the S9300 to specific interfaces and preventing MACspoofing attacks.

Broadcast SuppressionThe S9300 can limit the transmission rate of broadcast packets, multicast packets, and unknownunicast packets according to their interfaces.

The S9300 can also limit the maximum traffic percentage of broadcast packets, multicastpackets, and unknown unicast packets to control broadcast packet traffic volume.

3.7 Network Management FeaturesThe S9300 provides LLDP and NetStream network management functions.

3.7.1 LLDPThe S9300 supports the Link Layer Discovery Protocol (LLDP).

LLDP conforms to IEEE 802.1ab. LLDP discovers adjacency relationships between devices onthe link layer and provides interconnected devices with each other's connection information.

Using the LLDP, a local network management station can acquire link layer information for alldevices in the local network. It can also collect detailed information about network topology andtopology changes, expanding the scope of network management.

Ports with LLDP enabled on the S9300 periodically notify neighbors of their status. If the port'sstatus changes, it sends updates of the current state to those neighbors directly connected to it.The neighbors store the port's status in the standard SNMP MIB. The NMS then searches theMIB for the link layer information of the network in order to calculate the network's topology.

3.7.2 NetStreamWith an overall increase in network services and applications, users require detailed statisticalanalysis of network traffic. NetStream provides network administrators with detailed records ofdata network activity.



42

Figure 3-7 Network diagram of NetStream

NDENetStream

NSC NSC

NDA NDA

Traffic

NetStream traffic

traffic

NDE: Netstream Data Exporter NSC: Netstream Collector NDA: Netstream Data Analyzer

NetStream provides the following functions:l Network management and planningl Enterprise accounting and department billingl ISP billing reportl Data storagel Data collection for business

Due to the connectionless-oriented features of IP networks, communication between differenttypes of services are implemented by transmitting IP datagrams from one terminal to another.Such IP datagrams actually constitute a service's data flow across a network. Most data trafficon the network is temporary and bidirectional.

Based on packets' destination IP address, source IP address, destination port number, source portnumber, protocol number, Type of Service (ToS), and incoming or outgoing interface,NetStream identifies different streams and collects statistics for these steams independently.

The NDE regularly sends traffic statistics to the NSC for additional processing and then forwardsthe statistics to the NDA. The report generated based on these analysis results acts as the basisfor accounting and networking planning.

The S9300 supports:l NDEl IPv4/IPV6/MPLS packet samplingl Fix-packet sampling and fix-time sampling



43

l Original traffic, flexible traffic, and aggregation trafficl V5/V8/V9 packet export format

The S9300 supports both distributed NetStream and integrated NetStream.

For details about netstream, refer to the section "NetStream" in Quidway S9300 Terabit RoutingSwitch Feature Description - Network Management.

3.8 ClockThis section describes the clock synchronization and calibration mechanisms supported by theS9300.

The S9300 supports clock synchronization at the physical layer and the IEEE 1588V2 clocksynchronization and calibration mechanisms. These mechanisms ensure precision time-keepingfor mobile communication services.

The S9300 uses clock data from signals transmitted over the physical transport link tosynchronize the physical-layer clock frequency. The S9300 can obtain clock data from thesynchronized Ethernet links.

IEEE 1588V2 is a clock synchronization protocol. The clock is precise down to the microsecond,meeting the 3G service and base station requirements. The S9300 supports the following IEEE1588V2 features:

l Timed clock synchronization and time information synchronizationl Three clock modes, namely, boundary clock, ordinary clock, and transparent clock

(including end-to-end transparent mode and point-to-point transparent mode). An interfacecan be configured with a clock as required.

l Protective clock source switching

For details about clock synchronization at the physical layer, refer to the section"Synchronization Ethernet" in Quidway S9300 Terabit Routing Switch Feature Description -Device Management.

For details about IEEE 1588V2 clock synchronization, refer to the section "PTP" in QuidwayS9300 Terabit Routing Switch Feature Description - Device Management.

3.9 PoEOn intranets, PoE can be used to provide centralized power for terminals such as IP phones,Access Points (APs), portable device chargers, POS machines, cameras, and data collectiondevices through the 10Base-T, 100Base-TX, or 1000Base-T Ethernet.

Terminals are powered when they access the network, so additional indoor power cabling is notrequired.

According to IEEE802.3af and IEEE 802.3at, PoE involves PSEs and PDs.

The PSEs provide power for other devices and are classified as Midspan (the PoE module isinstalled outside the switch) and Endpoint (the PoE module is integrated with the switch) PSEs.IEEE 802.3af and IEEE 802.3at allow Endpoint PSEs to use copper line pairs connected to pins1 and 2 and pins 3 and 6 or pins 4 and 5 and pins 7 and 8 for power supply. Endpoint PSEs arecompatible with 10Base-T, 100Base-TX, and 1000Base-T interfaces, and are more widely usedthan the Midspan PSE.



44

The S9300 is an Endpoint PSE, complying with IEEE 802.3af or IEEE 802.3at. Each interfaceprovides 30 W of power.

On the S9300, each interface supporting PoE provides three power supply priorities for PDs,that is, critical, high, and low. When the power consumption of PDs is greater than the total PSEpower, the PSE first provides power to the PD on the interface with the highest priority. Ifdifferent interfaces have the same priority, the PSE provides power for PDs in descending orderof port numbers; therefore, the PD on the interface with the smallest interface number obtainspower supply first.

For details about PoE, refer to the section "PoE" in Quidway S9300 Terabit Routing SwitchFeature Description - Device Management.

3.10 Enterprise Network FeaturesThe S9300 provides NAC, firewall, NAT, load balancing and WLAN AC for enterprisenetworks.

3.10.1 NACThis section describes the basics of network admission control (NAC).

NAC was developed to protect enterprise intranets against attacks from emerging hackertechnologies such as new viruses and worms. By using NAC, the S9300 only allows authorizedor trusted devices to access the network.

The main components of NAC are as follows:

l NAC agent program installed on each terminall Network access devicel Policy server or AAA serverl Anti-virus serverl Management system

When functioning as a network access device, the S9300 provides the following functions:

l 802.1X access, including port mode and MAC model Portal accessl Relay authentication in which the S9300 obtains user entries through DHCP snooping

In addition, the NAC function is applicable to the following special scenarios:

l Best-effort: Users can access the network when the RADIUS server is Down.l Privileged users and devices without an agent, such as printer and IP phone



45

Figure 3-8 Network diagram containing major NAC components

��

��

Internet

SA

VPN GatewayEnterprise external

networkEnterprise intranet

SA

SA

Pre-authenticationdomain

Third-party anti-virus serverThird-party domain management serverThird-party patch server

Authenticationdomain 1

Authenticationdomain 2

Coreinformation

Commoninformation

SACG

SRS SCSM

SA: Secospace AgentSM : Secospace ManagementSC: Secospace controllerSRS: Secospace repair serverSACG: Security acess control gateway

3.10.2 FirewallThe S9300 provides a distributed firewall with a 10 Gbit/s processing capacity to provide high-performance security for large enterprises, carriers, and data center networks. The S9300supports the external attack defense, internal network security, traffic monitoring, email filtering,Web page filtering, and application layer filtering, effectively ensuring network security.

The S9300 provides the following firewall functions:l Packet filtering firewalll Stateful firewalll ASPFl Blacklistl Whitelistl Port mappingl Traffic statistics and traffic monitoringl Firewall logl Virtual firewall



46

The S9300 supports hot backup of firewalls in a two-node cluster. The session table and statusinformation are backed up in real time between the master and backup firewalls. If the masterfirewall fails, the backup firewall seamlessly takes over the master firewall's responsibilities.

For details about firewall, refer to the section "Firewall" in Quidway S9300 Terabit RoutingSwitch Feature Description - SPU.

3.10.3 NATThe S9300 provides NAT for many-to-one mapping, many-to-many mapping, static networksegment mapping, bidirectional conversion, and DNS mapping for enterprises. It supports theNAT Application Level Gateway (ALG) for NAT transversal between multiple application layerprotocols.

The S9300 provides the following NAT functions:

l NAT address pool

l NAPT

l Static NAT/NAPT

l Easy IP

l NAT server

l Twice NAT

l Source address associated with the VPN before NAT is performed

l NAT server associated with the VPN

l NAT ALG

For details about NAT, refer to the section "NAT" in Quidway S9300 Terabit Routing SwitchFeature Description - SPU.

3.10.4 Load BalancingThe S9300 provides server load balancing for Layers 4 through Layer 7 services and supportsdeployment of multiple applications and server clusters.

The S9300 supports the following load balancing algorithms:

l WRR

l Least connection

l Least bandwidth

l Load-based

l Response time-based

l Source IP address-based

l Destination IP address-based

l Source and destination IP addresses-based

l Layer 4 content-based

l HTTP packet URL-based

l HTTP packet header-based

l Cookie and content-based



47

3.10.5 WLAN ACA Wireless Local Area Network (WLAN) wirelessly links two or more computers or devices,and enabling fast Ethernet access between them. The primary advantage of WLANs is thatterminals can access a network through a wireless medium rather than a physical cable whichfacilitates easier network construction and allows users to move around without interruptingcommunication. Thus WLAN is much more flexible than traditional wired access.

WLAN uses radio as the transmission medium, with a physical range of tens of meters. WLANuses cables on the backbone layer, and subscribers access the WLAN by using one or multiplewireless access points (WAPs). WLANs are popular on campuses and in business centers,airports, and other public areas.

IEEE 802.11 is widely used by WLANs.

S9300 functions as an access controller (AC) and provides the following WLAN functions.

AP Managementl Access points (APs) and ACs can be connected through a Layer 2 or Layer 3 network.

l APs and ACs can communicate through an IPv4 network.

l APs automatically discover reachable ACs.

– APs discover ACs using DHCP Option 43.

– APs discover ACs using DNS.

– APs discover ACs using CAPWAP.

l AC access is controlled.

l AP software can be upgraded.

l APs can download configuration data.

l Huawei APs use the Option 60 field for identification.

l APs can be debugged and maintained.

– ACs can query status information and performance statistics regarding specific APs.

– ACs can query brief information regarding all APs.

– ACs can restore the factory settings of APs.

– ACs can debug AP channels through Telnet.

Control And Provisioning of Wireless Access Points (CAPWAP)l CAPWAP control tunnels and data tunnels are both supported.

l CAPWAP control tunnels can be encrypted by using DTLS, but CAPWAP data tunnelscannot.

l Layer 2 network data can be forwarded directly and forwarded through channels.

l The Layer 3 network data is forwarded through channels.

l CAPWAP packets can be fragmented and reassembled.

l CAPWAP channel supports heartbeat detection and can be re-established afterdisconnection.



48

WLAN User Managementl Dot1X authentication is supported.l Portal authentication is supported.l MAC address authentication is supported.l pre-share-key (PSK) authentication is supported.l EAPOL-Key negotiation mechanism is supported.l User access can be controlled based on APs and SSIDs.l Users can be associated and re-associated.l Users can roam under an AC.l Load balancing is performed based on sessions or flows.l WLAN supports AAA.

WLAN Radio Managementl Country code is supported.l Radio type, transmission rate, and transmit power can be set.l Radio working channels can be configured.l Radio interference can be monitored and eliminated.l Wireless MAC layer parameters can be set.l Radio attributes can be configured and queried.l Performance statistics of radio frequency interfaces can be collected and queried.l Coverage holes can be detected and covered.

WLAN Securityl WEP Open-System link authentication and encryption are supported.l WEP Share-Key link authentication and encryption are supported.l WPA PSK authentication and encryption are supported.l WPA Dot1X authentication and encryption are supported.l WPA2 PSK authentication and encryption are supported.l WPA2 Dot1X authentication and encryption are supported.l WAPI authentication and encryption are supported.l TKIP/CCMP encryption is supported.l HMAC-MD5 algorithm is supported.l Key update can be triggered by multiple conditions.

– Distributed group keys can be updated.– Update of multicast keys can be triggered by a user's offline message.– Update of multicast keys can be carried out by a user manually.

l User blacklist and whitelist are supported.l Unauthorized clients can be detected.l Unauthorized APs can be detected (Rogue AP detection).l Flood attacks can be detected.



49

l Weak IV and spoofing attacks can be detected.

WLAN QOSl WMM (802.11e) is supported.l Wireless-side priority can be mapped to wired-side.l Wireless-side priority can be mapped to the CAPWAP channel.l Bandwidth can be limited based on users.l Bandwidth can be limited based on SSIDs.

AC Reliabilityl The ACs support 1+1 cold backup.l The ACs support load balance.

3.11 MPLSThis section describes the basics of MPLS, MPLS TE, and MPLS OAM.

NOTE

To implement MPLS functions, apply for and purchase the license from the local Huawei vendor.

The S9300 can be used to construct MPLS networks. Services that are external to MPLSnetworks are forwarded based on VLAN IDs and MAC addresses. Services within an MPLSnetwork are transmitted based on MPLS labels. This solves problems concerning VLAN tagcapacity and limits the number of MAC table entries.

The S9300 can act as the PE device or Provider (P) device on an MPLS network.

The S9300 supports multiple MPLS features, including Label Distribution Protocol (LDP) orResource Reservation Protocol for Traffic Engineering (RSVP-TE), MPLS TE, and MPLSOAM.

3.11.1 Basic MPLS FunctionsThe S9300 supports the following basic MPLS functions:

l LDPl Static LSPl Two-layer MPLS labelsl 802.1p priority mapping to the MPLS EXP field

For details about MPLS Functions, refer to the section "MPLS LDP" in Quidway S9300 TerabitRouting Switch Feature Description - MPLS.

3.11.2 MPLS TEThe S9300 supports the MPLS Traffic Engineering (TE). MPLS TE is a technique that integratesTE with MPLS. Using MPLS TE, the S9300 can create an LSP tunnel to a specified path andimplement re-optimization. MPLS TE also provides protection against link or node failures byusing path backup and fast reroute.

The S9300 supports the following MPLS TE features:



50

l TE extension based on IGP protocols including IS-IS and OSPF to collect networkinformation

l Preemption, route pinning, and re-optimization of CR-LSPl Establishment of CR-LSP based on RSVP TE; hot standby backup and basic backup

functions of the MPLS TE tunnelsl Constraint Shortest Path First (CSPF) algorithm used to calculate the shortest path of CR-

LSPl MPLS TE tunnel and the following tunnel features:

– MPLS TE tunnel loop detection– Routing and labeling record– MPLS TE tunnel re-establishment– Tunnel priority

For details about MPLS TE, refer to the section "MPLS TE" in Quidway S9300 Terabit RoutingSwitch Feature Description - MPLS.

3.11.3 MPLS OAMThe S9300 supports MPLS OAM to perform end-to-end tunnel fault detection and promptprotection switchover within 50 ms when an LSP link fails. MPLS OAM conforms to ITU-T Y.1710, Y.1711, and Y.1720 recommendations to provide fast detection of LSP connectivity. TheLSP connectivity detection interval can be adjusted as required.

Using MPLS OAM, the S9300 can rapidly detect, locate, and report faults in MPLS networksby using Connectivity Verification (CV) messages and Fast Failure Detection (FFD) messages.When a fault occurs, the S9300 triggers a protection switchover using a Forward DefectionIndicator (FDI) message and a Backward Defect Indicator (BDI) message.

The S9300 supports 1:1 and N:1 protection switchover of LSPs using an active LSP and a standbyLSP. When the active LSP fails, the S9300 promptly switches services to the standby LSP. Thisgreatly improves the reliability of MPLS networks.

For details about MPLS OAM, refer to the section "MPLS OAM" in Quidway S9300 TerabitRouting Switch Feature Description - MPLS.

3.11.4 VLLVLL is an emulation of a traditional leased line. By emulating a leased line through an IPnetwork, it provides asymmetric, low cost point-to-point virtual leased line services. VLL ismainly applied in the access and convergence layers of a MAN.

The S9300 supports the following four modes of VLL:

l MartiniThe Martini mode uses double labels. The inner label uses the extended LDP as the signalingprotocol to transmit information. The Martini mode conforms to draft-martini-l2circuit-trans-mpls. Martini extends LDP by adding the FEC type in the VC FEC to exchange theVC label.

l KompellaThe Kompella mode uses MP-BGP as the signaling protocol. PEs set up BGP sessions toeach other to discover L2VPN nodes. Kompella uses BGP as the signaling protocol to



51

transmit Layer 2 information and VC labels to establish L2VPN in end-to-end (CE to CE)mode on an MPLS network.

l SVC

The SVC outer label (public network tunnel) functions the same as the Martini mode. Theinner label is manually specified during VC configuration without the need of VC labeltransmission signaling. The network topology and SVC packet interaction are also the sameas in the Martini mode. Thus, the SVC is a simplified version of the Martini.

l CCC

In Circuit Cross Connect (CCC), VCs are statically configured, similar to SVC. Differentfrom the common MPLS L2VPN, CCC uses a single label to transmit user data. This labelis used for label exchange on each Label Switching Router (LSR). Thus, the CCC uses theLSP exclusively. Static LSPs must be configured in both directions.

For details about VLL, refer to the section "VLL" in Quidway S9300 Terabit Routing SwitchFeature Description - VPN.

3.11.5 VPLSVirtual Private LAN Service (VPLS) is used to connect more than one Ethernet LAN segmentthrough a Packet Switched Network (PSN) and have them operate in an environment similar toa LAN. Using VPLS, an ISP can establish multipoint-to-multipoint VPN connections betweenwidely dispersed users. This can even include enterprises located in different cities.

The S9300 functions as the PE device on a VPLS network, transmitting VPLS services byestablishing through-connection between PEs.

The S9300 supports VPLS in the following modes:

l Martini

l Kompella

For details about VPLS, refer to the section "VPLS" in Quidway S9300 Terabit Routing SwitchFeature Description - VPN.

3.11.6 HVPLSVPLS through-connections are required between PEs. For multiple nodes or across a largegeographic area, a large-scale VPLS network is required. This requires twice as many PEs asthere are established connections. In this case, HVPLS is used to establish a large-scale VPLSnetwork.

The S9300 mainly functions as the User Provider Edge (UPE) device on an HVPLS network,converging services from CEs to Network Provider Edges (NPEs) or PE-AGGs (PE-Aggregation).

The S9300 supports HVPLS in Martini mode.

On the VPLS or HVPLS network, the S9300 maps services of different types to different VirtualSwitch Instances (VSIs). The S9300 then transparently transmits these services to NPE or PE-AGG through the VPLS or HVPLS network.

For details about HVPLS, refer to the section "VPLS" in Quidway S9300 Terabit Routing SwitchFeature Description - VPN.



52

3.11.7 MPLS L3VPNThis section describes the basics of MPLS L3VPN.

BGP/MPLS VPN provides Layer 3 VPN services over an MPLS network. MPLS facilitates theimplementation of IP-based VPN services and meets the expansibility and manageabilityrequirements of VPNs. The S9300 supports MPLS VPNs. A single access point can beconfigured with multiple VPNs, each of which identifies a type of services. This allows differenttypes of services to be transmitted in a flexible manner over networks.

For details about MPLS L3VPN, refer to the section "BGP/MPLS IP VPN" in QuidwayS9300 Terabit Routing Switch Feature Description - VPN.



53

4 Application Scenarios

About This Chapter

This section describes the typical networking and applications of the S9300.

4.1 OverviewThis section describes the S9300's position within the access layer and convergence layer in aMAN.

4.2 MPLS L2VPNThis section describes how MPLS VPN can be applied to a network.

4.3 Dual-homing Protection Using HVPLSThis section describes how HVPLS can be applied at the access layer and convergence layer ofa MAN.

4.4 RRPPThis section describes how RRPP implements fast protection switchover on ring networks.

4.5 Smart Link in Dual-Homing NetworkingThis section describes how Smart Link functions in dual-homing networks.

4.6 Ethernet OAMThis section describes how Ethernet OAM is applied in a MAN.

4.7 QoSThis section describes how QoS is applied in a MAN.

4.8 Selective QinQThis section describes how selective QinQ functions on a network.

4.9 IPTV ServiceThis section describes the S9300's networking and application policy for the IPTV service.

4.10 NACThis section describes how the S9300 implements NAC on a network.

4.11 FirewallThis section describes the firewall networking and policy of the S9300.

4.12 Application of the WLAN AC

Quidway S9300 Terabit Routing SwitchProduct Description 4 Application Scenarios


54

This section describes how the S9300 functions as an AC on a WLAN.



55

4.1 OverviewThis section describes the S9300's position within the access layer and convergence layer in aMAN.

The S9300 is deployed at the access layer and convergence layer of a MAN. Figure 4-1 showsa representative networking diagram.

Figure 4-1 Networking diagram of an S9300 deployed in a MAN

IP/MPLSCoreMAN MAN

LAN Switch

DSLAM

UPE UPE

NPE

DSLAM

Acting as the UPE device in a MAN, the S9300 converges Internet, VPN, IPTV, and VoIPservices from downstream devices such as Digital Subscriber Line Access Multiplexer(DSLAM) and LAN switches such as S2300 and S3300.

The S9300 also connects to the upstream NPE devices, such as the Huawei ME60 and NE40E.Additionally, the S9300 can act as a PE-AGG in complex networks to implement multiple levelsof aggregation.

4.2 MPLS L2VPNThis section describes how MPLS VPN can be applied to a network.

The whole S9300 system supports 4K VLL instances and up to 1K VPLS instances.

As shown in Figure 4-2 and Figure 4-3, the S9300 functions as the UPE on a L2VPN network,supporting VLL and VPLS and providing point-to-point and multipoint-to-multipoint VPNservices.



56

Figure 4-2 Network diagram of point-to-point VPN (VLL)

MANIntranet A

Intranet B

VLLVLL

Intranet B

Intranet A

UPE

UPEUPE

UPE

Figure 4-3 Network diagram of multipoint-to-multipoint VPN (VPLS)

MAN

VPLSVLL

Intranet A

Intranet B

Intranet A

Intranet A

Intranet B

UPE

UPE

UPE

UPE

As shown in Figure 4-4, by cooperating with the DSLAM, Access Gateway (AG), and S2300/S3300, the S9300 maps access services to VLL or VPLS services.



57

l Along with the DSLAM/AG, the S9300 maps QinQ tunnels to VLL or VPLS serviceinstances, facilitating Digital Subscriber Line (DSL)-based VLL services.

l Along with Layer 2 switches, the S9300 maps QinQ tunnels and VLL tunnels to VLL orVPLS service instances.

The S9300 handles multiple services at both the access and convergence layers. The S9300 canmap specific personal services such as broadband access and VoIP to VLL or VPLS serviceinstances.

Figure 4-4 Network diagram of an S9300 running VPN services on a CE-supported network

VLL/VPLS

DSLVLLPOTS

Ethernet VLL

DSLAM/AG LAN switch

QinQ QinQVLL

UPE UPE

N P E

UPE

The S9300 provides low-cost VLL or VPLS solutions, allowing MPLS and MPLS VPN to beapplied at the edge convergence layer.

l Solves the issue of pure Ethernet with respect to scalability, carrier-class reliability, andmanageability.

l Lessens the burden on higher-level NPEs and eliminates single-site faults.

l Customizes services through distributed service processing using services implemented bydevices at the edge convergence layer.

4.3 Dual-homing Protection Using HVPLSThis section describes how HVPLS can be applied at the access layer and convergence layer ofa MAN.

The S9300 supports HVPLS for link protection between two NPEs in dual-homing mode. Onan HVPLS network, the S9300 acts as a UPE device to converge services from the CE.

The S9300 supports the following HVPLS network architectures:

l UPE+NPE Network Architecture

l UPE+PE-AGG+NPE Network Architecture



58

4.3.1 UPE+NPE Network Architecture

Figure 4-5 Network diagram of an S9300 running HVPLS on a UPE+NPE network

IP/MPLSCore

UPEH-VPLS

DSLAM DSLAM

BFD for LSPBFD for LSP

LSW

UPE

UPE UPE

NPE NPE

LSW

LSW LSW

As shown in Figure 4-5, on the HVPLS network, the S9300 acts as the UPE device. The HuaweiME60 and NE40E routers can be used as the NPE devices.

l As the UPE device, the S9300 accesses services and classifies traffic using selective QinQ.Different services can be mapped to different VSIs and then transparently transmitted toNPE devices through HVPLS.

l The NPE terminates services on the Pseudo Wire (PW) tunnel and then process servicesbased on VLAN ID and QinQ information.

l Link protection on an HVPLS network is carried out using an MPLS TE protection groupcombined with BFD for LSP.

4.3.2 UPE+PE-AGG+NPE Network ArchitecturePE-AGG devices can be added between UPE and NPE devices. PE-AGG devices aggregateservices, terminate VPLS, and transparently transmit services to NPE devices. The S9300 canserve as the PE-AGG or UPE device as shown in Figure 4-6.



59

Figure 4-6 Network diagram of an S9300 running HVPLS on a UPE+PE-AGG+NPE network

IP/MPLSCore

PE-AGG

NPE

H-VPLS

BFD for LSP

UPE

DSLAM DSLAMLSW

UPE

UPE

UPE

PE-AGG

NPE

LSW LSWLSW

In this networking mode:

l The S9300 functions the same in this network architecture as in "UPE+NPE NetworkArchitecture."

l The S9300 terminates VPLS tunnels and transparently transmits services to NPE devices.

l The NPE devices decapsulate VLAN and QinQ packets.

l Link protection between the S9300 and the NPE device is implemented using BFD for LSP.

4.4 RRPPThis section describes how RRPP implements fast protection switchover on ring networks.

When common Ethernet ring networks are used, RRPP is used instead of MSTP to achieve fastconvergence of network topologies.

Generally, metro Ethernets use two-layer rings:

l The convergence layer lies between PE-AGGs, for example, RRPP Domain 1 shown inFigure 4-7.

l The access layer lies between PE-AGGs and UPEs, for example, RRPP Domain 2 shownin Figure 4-7.



60

Figure 4-7 Network diagram of RRPP applied to intersecting RRPP rings

IP/MPLSCore

Ring 1Domain 1

Ring 2

Domain 2

Switch-A

Switch-D

Switch-E

Switch-BAccess Layer

Aggregation Layer

Switch-FSwitch-G

LSWDSLAM

Switch-C

LSW

As shown in Figure 4-7, Ring 1 belongs to Domain 1; Ring 2 belongs to Domain 2. Ring 1 andRing 2 are tangent at Switch-C.

l On Ring 1, Switch-C is the master node; Switch-C, Switch-E, Switch-F, and Switch-G arePE-AGGs.

l On Ring 2, Switch-C is the master node; Switch-A, Switch-B, and Switch-D are UPEs.

For multiple tangent RRPP rings, a ring failure will not affect other domains. The RRPP ringconvergence process in a domain is the same as that of a single ring.

On RRPP rings, Layer 2 and Layer 3 services can be fast switched in the event of link faults.

l Fast switch of Layer 2 servicesIn normal situations, the data flow travels along Switch-A → Switch-B → Switch-C onRing 2. If the link between Switch-A and Switch-B fails, the data flow switches to anotherpath on the RRPP ring.After the link between Switch-A and Switch-B fails, the master node is notified of the linkfault and immediately unblocks the secondary port.At this time, the network topology changes, the original MAC address tables of the nodescannot correctly direct Layer 2 forwarding. Thus, Layer 2 traffic is interrupted. Afterunblocking the secondary port, the master node immediately requires other nodes on thering to re-learn MAC address entries. The Layer 2 traffic on the RRPP ring is then switchedto travel along Switch-A → Switch-D → Switch-C.

l Fast switch of Layer 3 services



61

In normal situations, the data flow travels along Switch-C → Switch-E → Switch-F onRing 1. If the link between Switch-C and Switch-E fails, the data flow switches to anotherpath on the RRPP ring.After the link between Switch-C and Switch-E fails, the master node is notified of the linkfault and immediately unblocks the secondary port.At this time, the network topology changes, so the original ARPs and FIBs of the nodescannot direct Layer 3 forwarding. After unblocking the secondary port, the master nodeimmediately requires other nodes on the ring to re-learn MAC address entries. The Layer2 traffic on the RRPP ring is then switched to travel along Switch-C → Switch-G →Switch-F.

4.5 Smart Link in Dual-Homing NetworkingThis section describes how Smart Link functions in dual-homing networks.

Generally, Smart Link is used on dual-homing Ethernet networks for fast switching of links.

Figure 4-8 Network diagram of Smart Link deployed in a dual-homing network

Intranet

UPE1

UPE2

PE-AGG1

PE-AGG2

Intranet

SmartLinkGroup

Active linkStandby link

SmartLinkGroup

Core network

IP/MPLS

SmartLinkGroup

SmartLinkGroup

Smart Link can be deployed anywhere on a MAN to provide dual-homing connections. UsingSmart Link, UPE 1 or UPE 2 is dual-homed to PE-AGG 1 and PE-AGG 2.

As shown in the figure, Smart Link group is configured on UPE 1 and UPE 2, and upstreamdevices only need to receive and send Flush packets. In the two uplinks, one link forwards packetswhile the other is blocked. When the active link fails, Smart Link quickly senses the fault andswitches traffic to the standby link.

The Monitor Link group can be configured on PE-AGG 1 and PE-AGG 2 to associate uplinkinterface with downlink interface.

4.6 Ethernet OAMThis section describes how Ethernet OAM is applied in a MAN.

With Ethernet OAM, the S9300 can carry out fault detection and protection switchover within50 ms.



62

Figure 4-9 Network diagram of Ethernet OAM deployed on a MAN

Hotel

Residentialarea

Commercialcenter

EFM OAM (802.3ah)Ethernet in the first mile

……

Ethernet CFM (802.1ag)Access convergence

layer on the MAN

Backbonenetwork

BRAS

Router

IP/MPLScore network

PE-AGG

PE-AGG

UPE

UPE

UPE

UPE

UPECE

CE

CE

CE

CE

Intranet

Ethernet Connectivity Fault Management (CFM) can be applied at the access convergence layeron a MAN. MDs are classified according to the ISP managing the devices. All devices that aremanaged by the same ISP can be added to the same MD. MAs are assigned based on servicetypes and are associated with VLANs. MEPs within an MA periodically exchange CCMs to testnetwork connectivity. After Ethernet CFM detects a connectivity fault, alarms are generated andMAC ping and MAC trace commands are executed to verify and locate the fault.

EFM OAM is enabled on CEs and UPEs. EFM OAM can test link connectivity of user servicesby periodically exchanging OAMPDUs between CEs and NPEs. EFM OAM monitors linkperformance by detecting error frames, error codes, and error frame seconds on the link. Thisprovides transmission services conforming to a Service Level Agreement (SLA). Additionally,EFM OAM provides alarms when faults occur.

4.7 QoSThis section describes how QoS is applied in a MAN.

In Figure 4-10, enterprise A has two subdivisions: enterprise A-1 and enterprise A-2; enterpriseB has two subdivisions: enterprise B-1 and enterprise B-2. Ethernet VLL transmits voice, video,and data services between the subdivisions of each enterprise. Meanwhile, each subdivisionrequires access to the Internet. In Figure 4-10, Switch represents the S9300.



63

Figure 4-10 Network diagram of QoS deployed on a MAN

LSW

Switch

SwitchSwitch

Enterprise A-1

Enterprise A-2

Enterprise B-1

Enterprise B-2

IP/MPLScore

network

VPN of enterprise AVPN of enterprise B

Metro

VoiceVideoData

2 Mbit/s4 Mbit/s4 Mbit/s

10 Mbit/s

VoiceVideoData

2 Mbit/s4 Mbit/s4 Mbit/s

10 Mbit/s

InternetInternetInternetInternet

Enterprise A has the following requirements:

l Ethernet VLL services between enterprise A-1 and enterprise A-2 require a minimum of10 Mbit/s to ensure service quality.– Voice services

2 Mbit/s minimum bandwidth– Video services

4 Mbit/s minimum bandwidth– Data services

4 Mbit/s minimum bandwidth. The remaining idle bandwidth must also be occupied bydata services. Thus, the peak bandwidth requirement is 10 Mbit/s.

Enterprise B has the same requirements as enterprise A.

By applying level-2 traffic management on the Switch, you can meet the above service and usernetwork resource requirements.

4.8 Selective QinQThis section describes how selective QinQ functions on a network.

Selective QinQ networking is demonstrated in Figure 4-11, where Switch represents theS9300.



64

Figure 4-11 Network diagram of selective QinQ

Router

Switch

LSW

DSLAM

VLAN1-500

TMG

Video server

ISP networkVLAN1-1000

User network

VLAN500-700

VLAN700-1000

VLAN1-1000 LSW

v10 v100

v10 v800

v10 v600v30 v450

v30 v850

v30 v650

v450v100

PSTN

BRAS BRAS


v650v600

v850v800

The three enterprise networks shown in Figure 4-11, all need to transmit data, voice, and videoservices. The Switch can append an outer ISP VLAN tag to packets belonging to each kind ofaccess service. For example:

l Add an outer ISP VLAN tag VLAN 10 for data services belonging to VLAN 100, VLAN600, and VLAN800 from the customer networks.

l Add an outer ISP VLAN tag VLAN 30 for video services belonging to VLAN 450, VLAN650, and VLAN850 from the customer networks.

Using selective QinQ, the S9300 can converge services and choose different paths for variousservices to more effectively facilitate network deployment.

4.9 IPTV ServiceThis section describes the S9300's networking and application policy for the IPTV service.

4.9.1 IPTV NetworkingThe S9300 supports IPTV network as outlined in Figure 4-12.



65

Figure 4-12 Network diagram of IPTV implementation

STB

DSLAM

Switch

BRAS BRAS

Router(DR)

Router(BDR)

STB STB

Switch

DSLAM

Video server

IP/MPLS core

Video stream

The S9300's IGMP snooping and multicast VLAN functions allow it to serve as the multicastduplication and control point at the access layer of a MAN to provide large-capacity multicastservices. The multicast traffic can be copied within or across VLANs.

The DSLAM device acts as an IGMP proxy.

In the network diagram shown in Figure 4-12:

l The routers run the PIM protocol and act as either Designated Routers (DRs) or BackupDesignated Routers (BDRs). A DR processes IGMP packets and copies video stream fromthe IPTV server.

l By enabling IGMP snooping on the Switch to listen to IGMP packets, the Switch only sendsan IGMP request packet to join the multicast group. This establishes the multicastforwarding group. Static multicast groups can be created for popular multicast channels.

l The Switch copies multicast data to the DSLAM based on the multicast forwarding table.

In addition, the S9300 supports port prompt-join or prompt-leave, facilitating fast switching inIPTV services.



66

4.9.2 IPTV Service ProtectionAs shown in Figure 4-13, along with NPEs in the network, the S9300 acts as a protectionmechanism for IPTV services.

Figure 4-13 Network diagram of IPTV service protection

STB

DSLAM

Switch

BRAS BRAS

Router(DR)

Router(BDR ->DR)

STB STB

Switch

DSLAM

IPTV server

IP/MPLS core

Video stream

Fault

BFD for PIM

BFD for PIM

The following mechanism provides protection for IPTV services:

1. BFD for PIM is enabled between the two routers to monitor link status.

2. When faults occur on the link, the Switch, or one of the routers, BFD for PIM detects faultswithin 50 ms.

3. The router on the right acts as the BDR swiftly switching to DR when a fault occurs. Thusboth routers become DRs forwarding multicast packets simultaneously.

4. When faults recover, the routers run as DR and BDR again to resume services.



67

4.10 NACThis section describes how the S9300 implements NAC on a network.

In Figure 4-14, Switch represents the S9300.

Figure 4-14 Network diagram of the S9300 implementing NAC

Policy server Patch/anti-virus server

Separated area

Visit area

Work areaPortal server

Switch

ACS/SC

On an enterprise intranet, a personal computer (PC) does not require terminal software. Thecaptive portal server redirects login users to the login page, where users are required to enteruser names and passwords. Then the NAD, namely, the Switch, submits the user name andpassword to the RADIUS server for authentication. Users can only access resources in theseparated area until they are authenticated.

The ACS or SC, which is similar to a RADIUS server, returns a message notifying that the usershave been authenticated.

The PC and ACS set up an HTTP link and the ACS verifies the security of the PC. After thesecurity of the PC is verified, the user can access the common data area or core data areadepending on the user's authority level.

The S9300 provides a Session-Time-Out timer, which allows users to go online temporarily ifthe authentication server, for example, a RADIUS server, does not respond. When a user goesonline in this case, the Session-Time-Out timer starts. However, the user will be requested toauthenticate again when the Session-Time-Out timer expires.

4.11 FirewallThis section describes the firewall networking and policy of the S9300.



68

Enterprise IntranetThe switch that provides the firewall is deployed at the egress of a company's headquarters.When providing external services such as Web, FTP, and email services, the switch preventsinternal resources of the headquarters from being attacked on the Internet. The switch providesNAT for the company's staff who need to access the Internet, and functions as a remote VPNaccess point for other branches. The branch egress is where the firewall is deployed: Theswitch prevents the headquarters' internal resources from being attacked on the Internet andprovides VPN services for the branch staff who need to access the headquarters network. Figure4-15 shows the networking of the firewall on the enterprise intranet.

Figure 4-15 Enterprise intranet firewall network diagram


On-business staff Web Server

Mail Server

FTP Server

Switch（firewall）

Branch

Switch（firewall）

ISP NetworkThe switch that provides the firewall function is deployed at the egress of the ISP. It protectsISP servers and ISP users, prevents attacks from the Internet, and functions as a NAT gatewayallowing users to access the Internet. Figure 4-16 shows the typical ISP network.



69

Figure 4-16 Network diagram of an ISP network firewall


PSTN

Access server

Web server

Switch (firewall)

Data CenterThe switch that provides the firewall function is deployed at the egress of the data center. Itprotects the servers in the data center against attacks from the Internet and protects essential datastored in the data center. The firewall is deployed at the egress of the data center; therefore, youneed to deploy the firewalls in redundancy mode to ensure high availability of the data center.Figure 4-17 shows the typical data center's firewall.



70

Figure 4-17 Network diagram of a data center's firewall


Server farm

Convergence layer

Switch (firewall)Switch (firewall)

Core layer

Access layer

Cashes

Server farm Server farm

Active link

Backup link

4.12 Application of the WLAN ACThis section describes how the S9300 functions as an AC on a WLAN.

S9300 (AC) Functions as GatewayS9300 functions as an AC on a WLAN and as a gateway between the Layer 2 and Layer 3networks. As shown in Figure 4-18:



71

Figure 4-18 Network diagram of an S9300 (AC) functioning as the gateway between Layer 2and Layer 3 networks

L3 network

L2 network

AC

AP AP

Users Users

CAPWA tunnelCAPW

A tunn

el

l The AC and APs are connected through a Layer 2 network. The data packets of APs and

AC are forwarded over the CAPWA tunnel or forwarded directly.l The AC functions as a gateway to terminate Layer 2 packets and forward the packets

through Layer 3.l The AC controls the access and configurations of APs, and controls the access and

authentication process of WLAN users.

S9300 (AC) Functions as a Layer 2 DeviceS9300 functions as an AC on a WLAN and is located in Layer 2 network. As shown in Figure4-19:



72

Figure 4-19 Network diagram of an S9300 (AC) functioning as the Layer 2 device

L2 network

L2 network

AC

AP AP

Users Users

CAPWA tunnelCAPW

A tunn

el

AR

l The AC and APs are connected through a Layer 2 network. The data packets of APs and

AC are forwarded over the CAPWA tunnel or forwarded directly.l The AR functions as a gateway. The AC functions as a Layer 2 device used to terminate

tunnel packets and forward user packets through Layer 2.l The AC controls the access and configurations of APs, and controls the access and


S9300 (AC) Functions as a Layer 3 DeviceThe S9300 functioning as an AC is the wireless data forwarding center located in the centralequipment room. The APs can be located indoors or outdoors. The AC and APs are in differentnetwork segments, as shown in Figure 4-20.



73

Figure 4-20 Network diagram of an S9300 (AC) functioning as a Layer 3 device

L3 network

AC

AP AP

Users Users

CAPWA tunnelCAPW

A tunn

el

l A Layer 3 network exists between the AC and APs, and data packets are transmitted over

tunnels.l The AC controls the access and configurations of APs, and controls the access and




74

5 Operation and Maintenance

About This Chapter

This section describes the tools available for maintenance and management of the S9300 systemand outlines the features of the S9300 network management system.

5.1 Maintenance and ManagementThis section describes configuration and login methods, measures for monitoring devices anddebugging faults, and the software upgrade process and in-service patching.

5.2 NMSThe NMS handles resource management, topology management, configuration management,fault management, performance management, and security management for the S9300.

Quidway S9300 Terabit Routing SwitchProduct Description 5 Operation and Maintenance


75

5.1 Maintenance and ManagementThis section describes configuration and login methods, measures for monitoring devices anddebugging faults, and the software upgrade process and in-service patching.

5.1.1 Configuration Modes

Multiple Maintenance Modes

The S9300 supports the following methods of configuration and management:

l Command line interface (CLI)

Users can configure and manage the S9300 by connecting to the console port or ETH port.

l NMS

Users can use SNMP to configure and manage the S9300 through the network managementstation.

l Web network management

The Web server is embedded in the S9300. Users can configure the S9300 by logging inthrough a web browser.

Flexible Login Modes

The S9300 provides the following ports to support local and remote login:

l Console port

Users connect to the console port through the terminals' RS-232 serial ports.

l ETH port

Users connect to the ETH port through Telnet or SSH.

In addition, users can telnet into the S9300 through other service ports.

To satisfy different security demands, the S9300 offers various measures to authenticate userlogin, including:

l Non-authentication

l Local authentication

l AAA authentication

5.1.2 Management and Monitoring

Hardware Monitoring

The S9300 provides the following hardware monitoring functions:

l MCU, SRU, LPU, CMU, power module, and fan frame panel are equipped with indicatorsto monitor their running status.



76

l In-service board detection, hot swap detection, Watch Dog, board resetting, fan modulemonitoring, power module monitoring, active/standby switchover and log recording forusers' reference.

l Automatic board temperature monitoring to control system temperature.l Statistics on abnormal and error packets.l Statistics on protocol packets to be delivered to the CPU and packet details.l CPU and memory utilization information.

Management and MaintenanceThe S9300 provides the following management and maintenance functions:

l Multi-user operations and user interface (UI) in two languages: Chinese and English.l Flexible online help for command lines. Command line descriptor searches keywords using

a partial match, speeding up command input.l Hierarchical command lines and user authority management, preventing unauthorized users

from logging in.l Alarm classification and filtering.l DosKey-like history command function.l Local and remote software loading and upgrading and version rollback, backup, saving,

and clearing of version information.l Information collection at different layers such as the port, Layer 2, or Layer 3.l Information center that provides uniform management of logs, traps and debugging

information and redirection of information.l Display of system status, version, and environment parameters.

5.1.3 Diagnosis and Debugging

Ping and TraceThe S9300 provides the following tools for testing connectivity and recording packettransmission paths on IP networks:

l Pingl Trace

The S9300 provides the following tools for testing connectivity and recording packettransmission paths on MPLS networks:

l MPLS pingl MPLS trace

The S9300 provides the following tools to check link-layer connectivity of devices on thenetwork and obtain network status and delay information:

l MAC Pingl MAC TraceRoute

DebuggingThe S9300 provides debugging commands for each feature. The debugging information isextensive and detailed to easily diagnose faults. Each debugging command supports multiple



77

parameters. Debugging can be enabled or disabled on specified interfaces for specified servicesthrough the console port.

The debugging commands can display the following information for each feature:

l Critical eventsl Process statusl Packet transmission and processingl Packet resolutionl State switchoverl Error check

TraceThe S9300 supports system trace to carry out advanced software testing and diagnostics. TheS9300 also uses trace to record important events online including task switching, interrupting,queue reading and writing, and system exceptions.

In the event of system failure, the system can refer to the trace information to isolate faults afterrebooting. Users can enable and disable the trace function.

MirroringThe S9300 supports port mirroring and flow mirroring.

l Port mirroringIncoming traffic, outgoing traffic, or both incoming and outgoing traffic is copied from oneport to the port configured to monitor it.

l Traffic mirroringAll traffic from one port is copied from one port to the port configured to monitor it.

By connecting a host with an S9300 port configured to monitor another port and examining thereceived packet, ISPs can observe all packets the S9300 inputs and outputs. The mirroringfunction provides basic traffic detection, fault allocation, and data analysis.

Virtual Cable DetectionVirtual cable detection allows users to monitor the status of cables connected to the S9300'sEthernet interfaces in the following aspects:

l Whether short circuits or open circuits are present on receive or transmit cablesl Length of faulty cable

5.1.4 In-Service Software Upgrade and Patching

In-Service UpgradeThe S9300 supports local and remote system software upgrade.

l Local upgradeWhen the S9300 is booted, the software can be upgraded through the BootROM menu.



78

l Remote upgradeThe S9300 supports active and standby main process units. To ensure uninterrupted serviceswhen upgrading software on the S9300, it is recommended to first upgrade the standbymain process unit before carrying out active/standby switchover. After upgrading thestandby main process unit, upgrade the active main process unit.

In-Service PatchingThe S9300 supports in-service patching. The features of in-service patching are as follows:

l Service is uninterrupted while patches are loaded.l Installed patches can either be confirmed or removed without interrupting services.l Clear step-by-step prompts and status updates are provided for easy installation.

Version RollbackThe S9300 supports version rollback. The features of version rollback are as follows:

l If at some point the upgraded version ceases to function properly, users can restart thesoftware using an earlier version to boot the system.

l If faults occur during the upgrading or patching process, the system can be easily recoveredto its pre-upgrade/patch status.

5.2 NMSThe NMS handles resource management, topology management, configuration management,fault management, performance management, and security management for the S9300.

U2000The Huawei U2000 system acts as a centralized NMS for the S9300, providing a multi-languagegraphical user interface (GUI) for convenient, visualized operations. The U2000 also providesnorthbound interfaces for connecting to a third-party NMS and can be interconnected orintegrated with other carriers' NMSs.

The U2000 uses Simple Network Management Protocol (SNMP) to manage devices andsupports device configuration through CLI. As the core of the Huawei data communicationsnetwork management system, the U2000 manages and maintains the data communicationsnetwork, including managing network elements and certain devices at the network layer. TheU2000 provides the following functions:l Resource managementl Topology managementl Fault managementl Performance managementl Test and diagnosis managementl Network element configuration managementl VPN service managementl LSP service managementl DC management



79

l Syslog managementl Security managementl Operation log managementl Report management

Web Network ManagementTo facilitate maintenance and use of the S9300, the Web network management is introduced.

Web network management is a Web server embedded in the S9300. Users can log in using PCsto manage and maintain the S9300. By using Web network management, maintenance personnelonly need to configure IP addresses and Web-based NMS accounts on the S9300, and then enterIP addresses in the address bar of the Microsoft Internet Explorer. The operations are easy tolearn and perform, and network management efficiency is greatly improved.

eSight Network ManagementThe eSight network management system manages enterprise networks using the followingfeatures:

l Manages other vendors' devices.l Manages specific services by analyzing network flows and focusing on core services.l Manages application software, IT devices (such as servers and printers), and network

devices.l User-oriented operation and maintenance system: Ensures desktop access security by

performing authentication, authorization, and accounting (AAA) on network access users.l Secondary development platform: Provides a secondary development platform for

customizing network management functions.l Northbound integration: Integrates with upper-layer OSS system.



80

6 Technical Specifications

About This Chapter

This section lists the S9300's physical specifications, power supply parameters, andperformance.

6.1 Physical SpecificationsThis section describes the dimensions, power consumption, weight, voltage, and workingenvironment parameters of the S9300.

6.2 System ConfigurationThis section describes the switching capacity, backplane capacity, and forwarding rate of theS9300.

6.3 Performance and CapacityThis section describes the performance specifications of the software and hardware of theS9300.

6.4 List of Software FeaturesThis section describes the software features of the S9300.

Quidway S9300 Terabit Routing SwitchProduct Description 6 Technical Specifications


81

6.1 Physical SpecificationsThis section describes the dimensions, power consumption, weight, voltage, and workingenvironment parameters of the S9300.

Table 6-1 Physical specifications of the S9300

Item S9312 S9306 S9303

Dimensions(width x depthx height,excluding therack-mountingears)

442 mm x 476 mm x663.95 mm (15 U high)

442 mm x 476 mm x441.7 mm (10 U high)

442 mm x 476 mm x175 mm (4 U high)

Cabinet N66E or N68E N66E or N68E N66E or N68E

Maximumpower (fullconfiguration)

1400 W 800 W 350 W

Noise atnormaltemperature

64.6 dB 61.6 db 58.6 db

Weight (fullconfiguration)

70 kg 42 kg 22 kg

DCinput

Ratedvoltage

-48 V/-60 V DC -48 V/-60 V DC -48 V/-60 V DC

Allowedvoltage

-48 V: -38.4 V to -57.6V DC-60 V: -48 V to -72 VDC

-48 V: -38.4 V to -57.6V DC-60 V: -48 V to -72 VDC

-48 V:- 38.4 V to -57.6V DC-60 V:- 48 V to -72 VDC

ACinput

Ratedvoltage

220 V AC, 50/60 Hz 110/220 V AC, 50/60Hz

110/220 V AC, 50/60Hz

Allowedvoltage

200 V to 240 V AC,50/60 Hz

100 V to 120 V and 200V to 240 V AC, 50/60Hz

100 V to 120 V and 200V to 240 V AC, 50/60Hz

PoE Powerinputmode

Built-in. Only the ACpower supply issupported.





82

Item S9312 S9306 S9303

Redundancymodeofpowersupplies

The S9312 supportspower supplies in 3+1,2+2, or 4+0 mode.

The S9306 supportspower supplies in 3+1,2+2, or 4+0 mode.

The S9303 does notsupport backup of ACpower modules.

Outputpowerconsumption

8800 W 8800 W 2200 W

Ambienttemperature

Long-term

0°C to 45°C

Short-term

-5°C to 55°C

Storage

-40°C to 70°C

Humidity

Long-term

5% RH to 85% RH, non-condensing

Short-term


Storage


Altitude

Long-term

< 3000 m

Storage

< 5000 m

NOTE

l The temperature and humidity are measured 1.5 m above the floor and 0.4 m at the front of the cabinet.There should be no protection board at the front or back of the cabinet.

l Short-term means that the continuous operation time does not exceed 48 hours and the accumulatedtime per year does not exceed 15 days.

6.2 System ConfigurationThis section describes the switching capacity, backplane capacity, and forwarding rate of theS9300.



83

Table 6-2 System configuration of the S9300

Item S9312 S9306 S9303 Notes

Processor 700 MHz(Dominantfrequency)

700 MHz(Dominantfrequency)

500 MHz(Dominantfrequency)

-

DDR2SDRAM

1 GB 1 GB 512 MB -

NVRAM 512 KB 512 KB 512 KB Battery supply

Flash 64 MB 64 MB 64 MB -

CF card 512 MB 512 MB 512 MB The CF card serves as amass storage device tosave data files and logs.

Switchingcapacity

2 Tbit/s 2 Tbit/s 720 Gbit/s Bidirectional

Backplanecapacity

12 Tbit/s 6 Tbit/s 3 Tbit/s Bidirectional

Forwardingcapability

1344 Mpps 1152 Mpps 540 Mpps -

Number ofLPU slots

12 6 3 LPU (Optional)

Number ofSRU/MCUslots

2 2 2 S9306/S9312: SRUS9303: full mesh

Maxtransmission rate of anLPU port

48GE,40×10GE

48GE,40×10GE

48GE,40×10GE

-

6.3 Performance and CapacityThis section describes the performance specifications of the software and hardware of theS9300.

Table 6-3 Performance specifications of the S9300

Attribute Service Feature Specifications

Availability Availability 0.99999768

Mean Time Between Failure (MTBF) 24.59 years

Mean Time To Repair (MTTR) 0.5 hours



84


Downtime 1.22 minutes/year

Ethernet Number of MAC addresses supportedby each LPU

l ED board: 512 Kl EC/FC board: 128 Kl EA/SA/FA board: 32 K

Number of VLANs 4 K

Number of trunk groups and number ofinterfaces supported by each trunk group

128 trunk groups, each of whichsupports a maximum of 8 interfaces

MAC address learning rate More than 3000 per second

Number of ARP entries 16 K

Number of ARP entries supported byeach LPU

l EA/EC/ED board: 16 Kl SA/FA/FC board: 8 K

QoS Number of QoS queues on a port 8

CAR l ED/EC/EA/FA/FC board: 8kbit/s

l SA board: 64 kbit/s



85


ACL ACLv4 Number of IPv4 ACLs supportedby each LPU:l ED board: 70K for inbound

traffic; 1000 for outboundtraffic

l EC board: 70K for inboundtraffic; 1000 for outboundtraffic

l EA board: 6000 for inboundtraffic; 1000 for outboundtraffic

l SA (24GE) board: 3000 forinbound traffic; 500 foroutbound traffic

l SA (X12SA) board: 1200 forinbound traffic; 500 foroutbound traffic

l FA (G48SFA/G48TFA/F48TFA)/FC board: 1200 forinbound traffic; 500 foroutbound traffic

l FA (G24CFAT) board: 3000 forinbound traffic; 500 foroutbound traffic

l FC (X40SFC) board: 1200 forinbound traffic; 500 foroutbound traffic



86


ACLv6 Number of IPv6 ACLs supportedby each LPU:l ED board: 67K for inbound

traffic; 250 for outbound trafficl EC board: 35K for inbound

traffic; 250 for outbound trafficl EA board: 3000 for inbound

traffic; 250 for outbound trafficl SA (24GE): 1500 for inbound

traffic; 250 for outbound trafficl SA (X12SA): 250 for inbound

traffic; 120 for outbound trafficl FA (G48SFA/G48TFA/

F48TFA): 250 for inboundtraffic; 120 for outbound traffic

l FA (G24CFAT): 250 forinbound traffic; 120 foroutbound traffic

l FC (X40SFC): 250 for inboundtraffic; 120 for outbound traffic

MPLS Number of LSPs 8 K

Number of LDP neighbors > 256

L2VPN Number of VLL entries 4 K

Number of VSI entries 1 K

L3VPN Number of VRFs 2 K

Number of VPN routes l S9306/S9312: 500 Kl S9303: 140 K

IP session - 8 K on each LPU and 16 K on theentire system

IP unicast IPv4 forwarding IPv4 forwarding at line speed

Number of routing entries l S9306/S9312: 512Kl S9303: 220K

IPv4 FIB l ED board: 512 Kl EC board: 128 Kl EA board: 16 Kl SA/FA board: 12Kl FC board: 8K



87


IPv6 FIB l ED board: 256 Kl EC board: 64 Kl EA board: 8 Kl SA/FA board: 6Kl FC board: 4K

Multicast Number of static multicast routes 256

Number of L2 multicast forwardingentries

1 K

Number of L3 multicast forwardingentries

l ED/EC/EA board: 4 Kl SA/FA board: 2 K

Reliability BFD l BFD sessions: 2 Kl Minimum fault discovery

duration: If no FSU isconfigured, the duration is 3s; ifan FSU is configured, theduration is 50 ms.

Ethernet OAM l 802.1agUp to 64 MDs can be created onthe entire system.The number of MAs on theentire system is as follows:– S9306/S9312: 4 K– S9303: 2 KDetection time: 3.3 ms/10 ms/100 ms/1s/10s/1 min/10 min

l 802.3ahDetection time: 100 ms/1s

l Y1731: delay measurementwithin 1 ms

RRPP l Maximum number of RRPPinstances: 48

l Rings supported by the entiresystem: 64

l Rings supported by each LPU: 5l Maximum number of RRPP

domains: 64



88


VRRP l VRRP backup groups on theentire system: 255

l VRRP backup groups on theentire system: 16

l Virtual IP addresses in eachVRRP backup group: 16

l Switchover time: If no FSU isconfigured, the time is 3s; if anFSU is configured, the time is 50ms.

SmartLink l Maximum number of instanceson the entire system: 48

l The switchover time is less than50 ms.

MSTP l Maximum number of instanceson the entire system: 48

l The switchover time is less than100 ms.

SEP l Maximum number of segmentson the entire system: 256

l The convergence time is lessthan 50 ms

6.4 List of Software FeaturesThis section describes the software features of the S9300.



89

Table 6-4 Software features list of the S9300

Feature Description

Ethernet Ethernet l Supports full-duplex, half-duplex, and auto-negotiation.

l Supports 10/100/1000 Mbit/s and 10 Gbit/s rateEthernet ports.

l Supports Ethernet port rate auto-negotiation.l Supports flow control on ports.l Supports Jumbo packets.l Supports ports bundled into an Eth-trunk.l Supports load balancing among links in the trunk.l Supports port isolation and forwarding

restriction.l Supports broadcast storm suppression.

VLAN l Supports Access, Trunk, Hybrid, and QinQ accessmodes.

l Supports default VLAN.l Supports 1:1 VLAN mapping.l Supports N:1 VLAN mapping.l Supports 802.1p-based VLAN mapping.l Supports QinQ.l Supports selective QinQ.l Supports VLAN switching.

MAC l Supports automatic MAC address learning andaging.

l Supports static, dynamic, and blackhole MACentries.

l Supports MAC address learning limits based onports and VLANs.

ARP l Supports static and dynamic ARP.l Supports ARP in VLAN.l Supports ARP entry aging.

Smart Link l Supports Smart Link.l Supports Smart Link multi-instance.l Supports Monitor Link.

DLDP Supports unidirectional link detection.

LLDP Supports LLDP.

Virtual cable test Supports virtual cable detection.



90

Feature Description

Protectionagainst Ethernetloops

MSTP l Supports STP.l Supports RSTP.l Supports MSTP.l Supports BPDU guard, root guard, and loop

guard.l Supports BPDU tunnel.

RRPP l Supports RRPP.l Supports RRPP multi-instance.

Loop detection l Support loop detection.

IP routing IPv4 unicast l Network management interface supports IPv4unicast data packets.

l Network management interface supports staticIPv4 unicast routes.

l Supports RIP, OSPF, IS-IS, and BGP.l Supports the DHCP server and the DHCP relay.l Supports DHCP snooping.

IPv6 unicast l Supports RIP, OSPFv3, ISISv6, and BGP+.l Supports TCP6, ping IPv6, tracert IPv6, and

socket IPv6.l Supports DHCPv6 snooping.l Supports ND Snooping

IPv4/IPv6transition

l Supports the IPv6 over IPv4 tunnel.l Supports IPv4 over IPv6.l Supports 6FE.

Multicast - l Supports IGMP, MLD, MSDP, PIM-DM, PIM-SM, and PIM-SSM.

l Supports IGMPv1, IGMPv2, IGMPv3 snooping.l Supports MLDv1 snooping.l Supports prompt leave.l Controls multicast traffic.l Supports multicast VLAN.l Supports multicast querier.l Suppresses multicast protocol packets.l Supports multicast ACL.l Supports multicast copy.l Supports multicast VPN



91

Feature Description

MPLS Basic MPLSfunctions

l Supports static LSP.l Supports static mapping between VLAN and

MPLS SVC to provide virtual dedicated Ethernetlines.

l Supports L2VPN and L3VPN.l Supports two-layer MPLS labels.l Supports MPLS over Ethernet.l Maps the 802.1p priority to the EXP field in the

MPLS packet.

MPLS OAM l Supports LSP ping and LSP traceroute.l Supports automatic fault detection.l Supports 1+1 protection of LSP.

MPLS-TE l Supports MPLS-TE tunnels.l Supports MPLS-TE protection group.

VLL/HVPLS l Supports VLL in SVC, Martini, Kompella orCCC mode.

l Supports VPLS in Martini or Kompella mode.l Supports HVPLS in LSP and QinQ mode.l Supports VLL and VPLS after VLAN switching.

Ethernet OAM Ethernet OAM l Supports P2P Ethernet fault management definedin IEEE 802.3ah.

l Supports Ethernet OAM defined in IEEE802.1ag.

l Supports MAC ping and MAC trace.

BFD - l Supports BFD physical link detection.l Supports connectivity detection for IP.l Supports connectivity detection for LSP, CR-

LSP, and MPLS TE protection group.l Supports BFD detection on the VPLS network.l Supports VPLS-based BFD and manages and

processes VPLS switchover diagnosticsinformation.

QoS Trafficclassification

l Supports classification based on Layer 2 protocolheader, Layer 3 protocol, Layer 4 protocol, 802.1ppriority, or combinations.

l Supports C-VID-based QinQ packetclassification.



92

Feature Description

Traffic behavior l Controls access of classified packets.l Supports CAR-based traffic policing.l Supports classifier-based packet re-marking.l Supports classified packet queuing.l Supports mixed use of traffic classification and

traffic behavior.

Queuescheduling

l Supports PQ, WRR, DRR, PQ+WRR, and PQ+DRR scheduling.

Congestionavoidance

l Supports WRED.l Supports tail drop.

Traffic shaping l Supports outbound traffic shaping.

Traffic policing Supports two-level traffic policing.

Clock - l Ethernet clock synchronizationl 1588v2

PoE - l Supports IEEE 802.3af/802.3at.l Each interface provides 30 W of power.

Enterprisenetwork

NAC l Supports 802.1x authentication.l Supports MAC address authentication.l Supports Portal authentication.l Supports MAC address bypass authentication.l Supports direct authentication.

Firewall l Packet filteringl ASPFl Supports attack defense.l Supports transparent firewall.l Supports firewall multi-instance.

NAT l Supports the NAT address pool.l Supports NAPT.l Supports the NAT server.l Supports static NAT/NAPT.l Supports Easy IP.l Supports ALG.l Supports NAT multi-instance.



93

Feature Description

Load balancing l Supports server detection.l Supports session holding.l Supports multiple load balancing algorithms.l Supports server load balancing at Layers 4

through 7.

IPSec VPNNOTE

The release inRussia does notprovide IPSecVPN.

l Supports IKEv1/v2 negotiation.l Supports AH and ESP modes.l Supports detection through Keepalive messages.l Supports NAT traversal.l Supports manual static SA configuration.l Supports multiple encryption algorithms.

Configurationand maintenance

Terminalservices

l Supports CLI configuration.l Supports prompt and help information in English

and Chinese.l Supports terminal services through the Console

port or Telnet.l Supports the Send function, allowing terminals to

communicate with each other.

File system l Supports file system.l Supports directory and file management.l Supports file uploading and downloading through

FTP and TFTP.

Debug andmaintenance

l Supports unified management of logs, traps, anddebugging information.

l Supports electronic labels.l Supports user logs.l Supports detailed debugging information to assist

troubleshooting.l Supports black box.l Supports network testing tools such as

traceroute and ping commands.l Supports port mirroring and traffic mirroring.



94

Feature Description

Availability l Supports 1+1 or 2+2 backup mode for powermodules and N+1 backup mode for fan modules.

l Supports hot swappable SRUs/MCUs, LPUs, fanmodules, and power modules.

l Supports 1:1 backup mode for SRUs/MCUs.l Supports automatic switchover and forcible

switchover for the SRUs/MCUs.l Supports Ethernet port bundling on different

boards.

Softwareupgrade

l Supports in-service VRP system softwareupgrade.

l Supports in-service BootROM upgrade.l Supports in-service patch.l Supports version rollback.

Security andmanagement

System security l Supports hierarchical commands to protectagainst unauthorized users.

l Supports SSH v1.5 and v2.0.l Supports RADIUS and HWTACACS

authentication.l Supports ACL filtering.l Defends against DoS, SYN flood of TCP, UDP

flood, broadcast storms, and large traffic.l Supports MAC address learning limits.l Supports blackhole MAC.l Supports port isolation.l Supports packet filtering.l Supports CPU channel guard.l Supports IP address-based ARP packet

suppression.l Supports blacklist and whitelist.l Supports attack trace.l Supports Automatic Laser Shutdown (ALS)

Networkmanagement

l Supports ping and traceroute functions.l Supports SNMPv1/v2c/v3.l Supports standard MIB.l Supports RMON.



95

Product Description - LANTEL · Product Description Issue 02 ... Huawei has developed the Quidway...

Documents

Transcript of Product Description - LANTEL · Product Description Issue 02 ... Huawei has developed the Quidway...