ZXR10 ZSR V2 Series Router Product · PDF fileZXR10 ZSR V2 Series Router Product Description ZTE Confidential & Proprietary 1 ZXR10 ZSR V2 Series Router Product Description Version

ZXR10 ZSR V2 Series Router

Product Description

V 2.00.20R3

ZXR10 ZSR V2 Series Router Product Description

ZTE Confidential & Proprietary 1


Version Date Author Reviewer Notes

V1.0 2013/12/06 Xiehuachao Liujumei/Xuqi Not open to the third party, based on

V2.00.10.


V2.00.10R2.


V2.00.20R1.


V2.00.20R2.


V2.00.20R3.

© 2015 ZTE Corporation. All rights reserved.

ZTE CONFIDENTIAL: This document contains proprietary information of ZTE and is not to be disclosed or used

without the prior written permission of ZTE.

Due to update and improvement of ZTE products and technologies, information in this document is subjected to

change without notice.


2 ZTE Confidential & Proprietary

TABLE OF CONTENTS

1 Overview ............................................................................................................ 7

2 Highlights ........................................................................................................... 7

2.1 Strong performance, no bottleneck for network access ........................................ 7

2.2 Wired and wireless, access anytime and anywhere ............................................. 9

2.3 All in one, Lower CAPEX ................................................................................... 10

2.4 Flexible extension, smooth upgrade ................................................................... 10

2.5 Easy provision & maintenance, fast network deployment ................................... 11

2.6 Green and energy saving, bring a nature and serene network ........................... 11

3 Features ........................................................................................................... 12

3.1 IPv4 Routing protocols and IP basic service ...................................................... 12

3.1.1 Unicast routing protocols .................................................................................... 12

3.1.2 IPv4 Multicast route protocol .............................................................................. 14

3.1.3 Policy route and route policy .............................................................................. 17

3.1.4 DHCP ................................................................................................................ 18

3.1.5 DNS ................................................................................................................... 18

3.2 WAN Access ...................................................................................................... 18

3.2.1 PPP ................................................................................................................... 18

3.2.2 ML-PPP ............................................................................................................. 19

3.2.3 HDLC ................................................................................................................. 19

3.2.4 FR 20

3.3 Switching and Routing in One ............................................................................ 20

3.3.1 Broadcasting storm suppression ........................................................................ 21

3.3.2 Spanning Tree Protocol ..................................................................................... 21

3.4 MPLS ................................................................................................................. 22

3.4.1 LDP.................................................................................................................... 22

3.4.2 Static Tunnel ...................................................................................................... 22

3.4.3 MPLS-TE ........................................................................................................... 23

3.5 VPN ................................................................................................................... 24

3.5.1 IPSec VPN ......................................................................................................... 24

3.5.2 IPSec NAT traversal .......................................................................................... 26

3.5.3 GRE VPN .......................................................................................................... 26

3.5.4 L2TP VPN .......................................................................................................... 27

3.5.5 IPSec + GRE ..................................................................................................... 29

3.5.6 MPLS L3 VPN .................................................................................................... 29

3.5.7 MPLS L2 VPN .................................................................................................... 30

3.5.8 Smart Dial Control (SDC) ................................................................................... 30

3.6 QoS Capability ................................................................................................... 32



3.6.1 Flow Classification and Flow Tag ....................................................................... 32

3.6.2 Traffic Monitoring ............................................................................................... 32

3.6.3 Traffic Shaping ................................................................................................... 33

3.6.4 Queue Scheduling ............................................................................................. 33

3.6.5 Congestion Avoidance ....................................................................................... 33

3.6.6 MPLS QoS ......................................................................................................... 33

3.7 Security Features ............................................................................................... 34

3.7.1 ACL.................................................................................................................... 34

3.7.2 Anti-IP source attacks ........................................................................................ 36

3.7.3 Anti-ARP attacks ................................................................................................ 36

3.7.4 Firewall .............................................................................................................. 37

3.7.5 Multiple Security Authentications ....................................................................... 41

3.7.6 URPF ................................................................................................................. 43

3.8 Network Reliability ............................................................................................. 43

3.8.1 Ping Detect ........................................................................................................ 43

3.8.2 BFD ................................................................................................................... 44

3.8.3 FRR ................................................................................................................... 44

3.8.4 VRRP ................................................................................................................. 45

3.9 IPv6 Features .................................................................................................... 46

3.9.1 Basic Function of IPv6 ....................................................................................... 46

3.9.2 IPv6 Unicast Routing Protocol............................................................................ 46

3.9.3 Multicast Routing Protocol ................................................................................. 48

3.9.4 IPv6 Tunnel ........................................................................................................ 49

3.9.5 6PE .................................................................................................................... 52

3.9.6 6VPE ................................................................................................................. 52

3.9.7 NAT64 ............................................................................................................... 53

3.10 NAT ................................................................................................................... 54

3.11 Network Management Features ......................................................................... 55

3.11.1 NetNumen™ Integrated Network Management Platform.................................... 55

3.11.2 NETFLOW ......................................................................................................... 56

3.11.3 Network Layer Inspection ................................................................................... 57

3.12 System Operation and Maintenance .................................................................. 57

3.12.1 Multiple Configuration Methods .......................................................................... 57

3.12.2 System Policing and Maintenance ..................................................................... 57

3.12.3 Diagnosis and Debugging .................................................................................. 59

3.12.4 Version Upgrade ................................................................................................ 59

4 System Architecture ........................................................................................ 60

4.1 Product Appearance .......................................................................................... 60

4.1.1 The Appearance of ZXR10 3800-8 .................................................................... 60

4.1.2 The Appearance of ZXR10 2800-4 .................................................................... 62

4.1.3 The Appearance of ZXR10 1800-2S/2S(G)/2S(W) ............................................. 63



4.1.4 The Appearance of ZXR10 1800-2E/2E(G) ........................................................ 64

4.1.5 The Appearance of ZXR10 2800-3E/3E(G) ........................................................ 66

4.2 Hardware Architecture ....................................................................................... 68

4.2.1 Overall Hardware Architecture ........................................................................... 68

4.2.2 The Working Principle of the Hardware System ................................................. 71

4.2.3 The Introduction to the Hardware Unit ................................................................ 71

4.3 Software Architecture ......................................................................................... 76

4.4 Technical Specifications ..................................................................................... 81

4.5 RFC List ............................................................................................................. 84



FIGURES

Figure 1-1 The view of the ZXR10 ZSR V2 series router .................................................... 7

Figure 3-1 IPSec NAT traversal schematic diagram ...........................................................26

Figure 3-2 L2TP VPN schematic diagram ..........................................................................27

Figure 3-3 IPSec+GRE VPN schematic diagram ...............................................................29

Figure 3-4 Working principle of IPv6 over IPv4 tunnel ........................................................50

Figure 3-5 Working principle of IPv4 (or IPv6) over IPv6 tunnel .........................................51

Figure 3-6 Working principle of ISATAP tunnel ..................................................................52

Figure 3-7 NAT64 Application scenario ..............................................................................53

Figure 4-1 The Front View of the ZXR10 3800-8 ................................................................60

Figure 4-2 The Key Components of the ZXR10 3800-8 .....................................................61

Figure 4-3 The Ichnography of the ZXR10 3800-8 Architecture........................................61

Figure 4-4 The Front View of the ZXR10 2800-4 ................................................................62

Figure 4-5 The Key Components of the ZXR10 2800-4 .....................................................62

Figure 4-6 The Ichnography of the ZXR10 2800-4 Architecture .........................................62

Figure 4-7 The Front View of the ZXR10 1800-2S .............................................................63

Figure 4-8 The Front View of the ZXR10 1800-2S(G)/2S(W) .............................................64

Figure 4-9 The Ichnography of the ZXR10 1800-2S/2S(G)/2S(W) Archtiecture..................64

Figure 4-10 The Front and Real Panel of the ZXR10 1800-2E/2E(G) ................................64

Figure 4-11 The Key Components of the ZXR10 1800-2E/2E(G) .......................................65

Figure 4-12 The Ichnography of the ZXR10 1800-2E/2E(G) Architecture ...........................66

Figure 4-13 The Front and Real Panel of the ZXR10 2800-3E/3E(G) ................................66

Figure 4-14 The Key Components of the ZXR10 2800-3E/3E(G) .......................................67

Figure 4-15 The Ichnography of the ZXR10 2800-3E/3E(G) Architecture ...........................67

Figure 4-16 The Hardware Architecture of the ZXR10 3800-8 ...........................................69

Figure 4-17 The Hardware Architecture of the ZXR10 2800-4 ...........................................69

Figure 4-18 The Hardware Architecture of the ZXR10 1800-2S/2S(G)/2S(W) ....................70

Figure 4-19 The Hardware Architecture of the ZXR10 1800-2E/2E(G) ...............................70

Figure 4-20 The Hardware Architecture of the ZXR10 2800-3E/3E(G) ...............................70



Figure 4-21 Open Service Unit of ZXR10 ZSR V2 .............................................................75

Figure 4-22 The Entire Software Architecture of the ZXR10 ZSR V2 .................................77

TABLES

Table 4-1 The PIUs supported by the ZXR10 ZSR V2 .......................................................73

Table 4-2 Physical Indices of OSU .....................................................................................75

Table 4-3 Physical Indices of ZXR10 ZSR V2 ....................................................................81



1 Overview

ZXR10 ZSR V2 is ZTE’s intelligent multiservice router integrating routing, switching,

wireless, security and VPN. The modular and scalable system structure builds intelligent,

efficient, reliable, flexible and maintainable network.

ZXR10 ZSR V2 series router includes 1800-2S/2S(G)/2S(W), 2800-4, 3800-8, 1800-2E

/2E(G)and 2800-3E/3E(G). They can meet different market demands. Their forwarding

performance ranges from 1Mpps to 5Mpps. They can be applied to VIP access, DCN,

campus network, enterprise network egress gateway, enterprise headquarter/branch

access, mobile office, industry network convergence/access, etc.

The appearance of each product is shown as below:

Figure 1-1 The view of the ZXR10 ZSR V2 series router

2 Highlights

2.1 Strong performance, no bottleneck for network

access

The rise of enterprise application content and network data traffic and the appearance of

video-conference, remote teaching and remote data disaster recovery backup lead to

higher performance requirements for node equipment processing network data.

High-performance multi-core processor + Smart Switching Engine (SSE) ensure



high-performance protocol processing and management control processing as well

as L2/L3 high-speed forwarding of data, increasing the overall system performance

by 10 times than the previous generation of access router. The multilayer distributed

forwarding allocates system resources reasonably in system multiservice overlay to

assure excellent forwarding performance. Single slot has the bus bandwidth of up to

10Gbps.

Support high-speed interface of GE, FE, E1, POS, CPOS, xDSL,

Synchronous/asynchronous serial wire port and 3G/LTE, Wi-Fi wireless port, and the

device Integrated industry's largest fixed-Gigabit interfaces, which can be used as

WAN or LAN access, providing a complete and flexible access capability.

Supports speed, duplex mode auto-negotiation and MDI / MDIX.

The perfect high reliability design. AC/DC power supply 1+1 hybrid redundancy.

Power supply, fans and interface boards hot-swappable. The software modular

design, which can overlay new features flexibility and improve system stability and

flexibility. Perfect OAM detection mechanisms and BFD for everything, FRR, VRRP,

links bundled and other rich reliability technologies to enhance service reliability.

Control plane security technologies include classification of the control plane packets,

multi-level speed restrictions, multi-level scheduling, traffic suppression, protocol

white name, protocol authentication, anti-DDOS attack mechanism and attack trace

functions. The greatest degree to ensure the safety of equipment itself.

Strong ACL, excellent L2/L3 ACL mixed processing algorithms, up to 8K ACLs

capacity (all overlay loads scene, the system performance degradation is less than

30%) and humanization ACL log statistics management function helps users to

easily achieve fine management of various services.

Compact design, 1800-2S adopts the desktop design. 2800-4 and 3800-8 adopt the

front cabling design where operation and maintenance can be fulfilled at single side.

They can be installed into 300mm-deep cabinet to saving the space in equipment

room, and or into outdoor cabinet, vehicle equipment, BS and office locker to cut

O&M cost.



2.2 Wired and wireless, access anytime and anywhere

With wider coverage than conventional network, wireless network can extend network

access scope to supplement wired network. It supports mobile office anytime, anywhere

to resolve the bottleneck of time and space. ZXR10 ZSR V2 is creating the industry’s

first true 4G router ensuring network reliability and increasing bandwidth value.

Support 3G (WCDAM/CDMA/TD-SCDMA) and LTE (TDD / FDD).

Embedded wireless module, PnP USB data card and special interface card are

optional, meeting networking requirements in various scenarios.

When the equipment is deployed in equipment room or office corner with weak

wireless signal, the optional extension feeder solve the problem of signal coverage.

It can detect 3G/LTE signal strength and dynamically monitors link quality to ensure

SLA.

Powerful SDC support smart dial-up achieve link redundancy. Device can dialed the

xDSL or the 3G/LTE link according to the policy, building load balancing and

redundancy protection route, to protect the service.

For the consideration of Internet egress performance and reliability, several Internet

egresses from multiple carriers are often used at the same time. Multilink load

balance technology can monitor the Internet links from multiple carriers and smartly

select the path for data flow accessing the Internet to ensure the fastest and best

Internet access for users.

Create VPN channels in 3G/LTE networks to enhance wireless link security.

Support WIFI access, adjustable 802.11b/g/n RF mode, dynamic adjustment of

access rate according based on environments, Guard Interval to prevent front/back

data interference, WMM (Wi-Fi Multimedia) to provide wireless QoS and assure the

quality of voice and video services, and such verification modes as no verification,

WEP, WPA, WPA2 (TKIP and AES-CCMP) and WAPI hardware encryption.



2.3 All in one, Lower CAPEX

With network application increase, customers often need to connect different devices to

resolve different problems, which increase user investment and increase network fault

points. ZXR10 ZSR V2 integrates multiple functions to meet network requirements in

different scenarios, such as routing, switching, AP NAT gateway, VPN gateway, etc.

L2TP/GRE/IPSec tunnel technology and MPLS VPN over GRE for a variety of

different environments of VPN networking.

Support MPLS, Provide Perfect L2/L3 MPLS solutions which easily extend MPLS to

the network edge. Support PWE3 to bear TDM service.

Support the stateful firewall, which can control access data flow and ensure network

security.

Hardware-based QoS, support HQoS for different users and services to provide a

variety of service level guarantee to meet user multi-service access meticulous

management needs.

2.4 Flexible extension, smooth upgrade

As network applications and traffic rise, processing performance should be upgraded

smoothly. ZXR10 ZSR V2 offers forwarding engines of different performances as well as

on-demand selection and smooth upgrade, protecting user investment and meeting future

network requirements. IPv4 address pool dwindles and IPv6 is the development trend.

An upgradable router is vital to an enterprise because it can extend router lifecycle.

ZXR10 2800-4 and ZXR10 3800-8 have main control forwarding cards supporting

multiple forwarding performances, reducing CAPEX and assuring future

performance upgrade.

Profound accumulation, in early 2000 ZTE began to study the IPv6 technology, and

in global IPv6 next-generation Internet Summit 2010, due to the outstanding

performance in the commercial promotion of IPv6, ZTE was awarded the IPv6

equipment commercial Pioneer Award ". ZXR10 ZSR V2 supports IPv4/IPv6 dual

stack, which can access IPv4 and IPv6 at the same time. It supports 6in4, 6to4 and

6in4 tunnel technologies to transmit data between IPv4 and IPv6 networks, and



NAT444, NAT64 and 6rd technologies to evolve IPv4 network to IPv6.

2.5 Easy provision & maintenance, fast network

deployment

A large number of access routers are deployed in wide range. Traditionally, engineers

need to load and upgrade versions for each router on site. The traditional mode has low

efficiency and may cause optional errors, so it is necessary to provide visual deployment

and maintenance means supporting convenient operation, remote maintenance, and

diagnosis anytime.

Support USB disk to deploy devices, Auto-Config, Network Management batch

version upgrades, zero-touch automatic device configuration and mass deployment.

Support SQA (Service Quality Analyzer). It can dynamically detect and locate

network quality through ICMP-echo, UDP, TCP, FTP, DNS, HTTP and SNMP. It can

adopt VRRP, static route, interface backup, link backup and policy route as well as

ZXNPA to automatically report network performance threshold alarm and fulfill

graphic detection and management.

Support port mirroring, 1:1 netflow sampling, Support the flow characteristics explicit

presentation, Provide an effective means of monitoring to ensure network precisely

controlled and operated.

Support WEB GUI and graphical NMS, provides one-click service creation and

one-click information-gathering tool to help network administrators achieve the rapid

loading of the service and high-maintenance.

2.6 Green and energy saving, bring a nature and serene

network

ZXR10 ZSR V2 adheres to green environmental protection, and takes measures in design,

R&D, manufacturing, logistics and engineering to build a communication network with low

noise, low power consumption and high efficiency.

Advanced 28nm chip increases performance and reduces energy consumption.



The hardware adopts the leading submarine-level quiet technology.

Intelligent fan is automatically adjusted according to system operation status,

reducing power consumption and equipment noise.

Intelligent off Idle service cards, support EEE energy efficient Ethernet specification,

can reduce energy consumption 2/3.

Strict adherence to RoHS standards, using unleaded green material, reducing

carbon dioxide emissions.

3 Features

3.1 IPv4 Routing protocols and IP basic service

3.1.1 Unicast routing protocols

ZXR10 ZSR V2 fully supports a variety of unicast routing protocols, including static routing,

RIP, OSPF, IS-IS and BGP.

3.1.1.1 Static Route

Static route is configured manually by an administrator to simplify network configuration

and improve network performance. It uses a scenario of simple network structure. When a

network failure or topology change happens, static route is not automatically changed, but

it is manually changed by an administrator.

ZXR10 ZSR V2 supports static route configuration based on next hop and egress

interface as well as the correlation between static route and VRF instance.

3.1.1.2 RIP

RIP is a UDP-based distance vector dynamic routing protocol. It periodically broadcasts

route tables to neighbors to maintain the relationship between adjacent routers and

calculate its own route table according to the received routes. RIP runs simply and is

applied to small networks.



ZXR10 ZSR V2 supports the following RIP functions:

Support RIPv1/v2 basic functions such as split horizon, poison reverse, interface

verification, route collection, and route protocol redistribution.

Support RIP load sharing.

Support RIP VPN access.

Support RIP MIB.

3.1.1.3 OSPF

OSPF routing protocol is used for route information exchange between routers in one

Autonomous System (AS), so it is an Interior Gateway Protocol (IGP) based on link status.

OSPF is one of the most widely used IPv4 IGP routing protocols. ZXR10 ZSR V2 supports

the following OSPF functions:

Support OSPF basic functions such as neighbor certification, Virtual Link, STUB,

NSSA, Type-3 LSA aggregation, Type-5 LSA aggregation, and redistribution of other

route protocols.

Support OSPF route load sharing.

Support VPN access and advanced functions such as sham-link.

Support OSPF BFD.

Support OSPF FRR.

Support OSPF-TE.

Support OSPF MIB.

3.1.1.4 IS-IS

IS-IS is a routing protocol drafted by ISO to support Connectionless Network Service

(CLNS). IETF extends the IS-IS to support IP route information. ISIS is also an Interior

Gateway Protocol (IGP) based on link status.

IS-IS is one of the most widely used IPv4 IGP route protocols. ZXR10 ZSR V2 supports

the following IS-IS functions:



Support IS-IS basic functions.

Support IS-IS extension functions such as hostname and overload-bit.

Support IS-IS route load sharing.

Support IS-IS VPN ACCESS.

Support IS-IS BFD.

Support IS-IS FRR.

Support IS-IS-TE.

Support IS-IS MIB.

3.1.1.5 BGP

Border Gateway Protocol (BGP) is an inter-AS routing protocol. It is used for network

reachability information exchange between AS running BGP.

ZXR10 ZSR V2 supports the following BGP functions:

Support BGP basic function and such enhanced functions as session certification,

route oscillation suppression, route reflector, alliance, extension group attribute,

route aggregation, and route filtering.

Support BGP route load sharing.

Support MP-BGP functions such as IPv4 unicast, IPv4 multicast, IPv4

labeled-unicast, IPv4 MDT, IPv6 unicast, IPv6 multicast, IPv6 labeled-unicast,

VPNv4, and other AFIs.

Support BGP BFD.

Support BGP FRR.

Support BGP MIB.

3.1.2 IPv4 Multicast route protocol

The multicast is a point-to-multipoint or multipoint-to-multipoint communications mode,

namely, multiple receivers receive the same information from single source.



Multicast-based applications include video conference, remote teaching, software

allocation, etc.

3.1.2.1 IGMP

The host uses Internet Group Management Protocol (IGMP) to inform the multicast router

on the network which group the router should join or leave. In this way, the multicast router

on the network knows whether a multicast group member is available on the network, and

decides whether to forward multicast packets to the network. When a multicast router

receives a multicast packet, it checks the multicast destination address of the packet, and

forward packets to the interfaces of all group members or downstream routers.

ZXR10 ZSR V2 supports IGMPv1, IGMPv2 and IGMPv3.

3.1.2.2 PIM-SM

Protocol Independent Multicast-Sparse Mode (PIM-SM) is applied to the following

situations:

Group members are extended across a wide scope.

Network bandwidth resource is limited.

PIM-SM is not dependent on a specific unicast routing protocol. Supposed that all routers

on a shared network segment do not need to send multicast packets, the router must take

the initiative to request to join a multicast group before sending and receiving multicast

packets. By setting the RP (Rendezvous Point), PIM-SM sends multicast information to all

routers supporting PIM-SM. In PIM-SM, the router explicitly joins and leaves the multicast

group to reduce the network bandwidth occupied by data packet and control packet.

3.1.2.3 PIM-DM

PIM-DM (PIM-Dense-mode) is a dense-mode multicast route protocol and sends

multicast data in the ‘push’ mode. It usually applies to small network with dense multicast

group members.



3.1.2.4 PIM-SSM

PIM-SSM has all the advantages of PIM-SM, but it can create a source-based shortest

path tree rather than a shared tree. When a group membership report from a particular

source to group is received, the shortest path tree is created directly.

PIM-SSM, a subset of PIM-SM, is suitable for the ‘well known’ source and is valid between

domains and within a domain. PIM-SM uses the MSDP multicasting inter-domain route,

but PIM-SSM does not.

3.1.2.5 Static Multicast

Static route multicast is used when a multicast is expected to be forwarded via the

specified path rather than the best path of unicast route.

Static multicast provides egress and ingress interfaces for the user to configure multicast

route table and form multicast forwarding table according to the configuration. If static

multicast route and dynamic multicast route are available at the same time, static

multicast route is preferred. Static multicast has the logic status equivalent to PIM-SM and

PIM-DM, namely, a special multicast route protocol. Static route multicast has the

following purposes:

Change RPF route: The multicast and unicast generally have the same network

topology structure and data transport path. Multicast static route can be configured to

change the RPF route so as to create a different transport path for multicast data.

Connect RPF route: When a unicast route is blocked, multicast data cannot be

forwarded because a RPF route is unavailable. Multicast static route can be

configured to generate a RPF route so that multicast route table can be created to

guide the forwarding of multicast data.

3.1.2.6 MSDP

Multicast Source Discovery Protocol (MSDP) is a mechanism connecting several PIM

domains. It works on TCP to provide PIM-SM with multicast source information outside

PIM domain.



A MSDP speaker in one PIM-SM domain creates a session with other inter-domain MSDP

neighbors via TCP. When the MSDP speaker knows a new multicast source in the MSDP

domain (through the PIM register mechanism), it generates a Source Active (SA)

message and sends it to all MSDP neighbors.

3.1.3 Policy route and route policy

3.1.3.1 Policy routing

ZXR10 ZSR V2 supports policy routing to forward packets according to the policy

designated by a user. The policy routing provides the packet forwarding policy, and match

object is packet. Match objects is screened according to attribute fields and the set action

is designated. The set is divided into two types: One is route option which changes a

forwarding path, and the other is packet modification option which modifies the attributes

of the screened packet. Policy routing implements traffic engineering to a certain extent,

thus flows of different QoS or data of different types (such as voice and FTP) can take

different paths.

3.1.3.2 Route policy

Route policy is the route distributing and receiving policy. Route protocol selection is

actually a route policy. Route policy means modifying parameters or setting control mode

to change the results of route creation, distribution and selection. ZXR10 ZSR V2

supports RIP, OSPF, IS-IS, BGP and VRF to use route policy.

Control route distribution. Only distribute route information meeting conditions.

Control route receiving. Only receive indispensible, legal route information to control

the capacity of route table and improve network security.

Filtering and control the introduced route.

Only introduce some route information meeting conditions and set some of their

attributes to satisfy protocol requirements.

Set the attribute for the route filtered by route policy.



3.1.4 DHCP

Dynamic Host Configuration Protocol (DHCP) dynamically manages and configures the

users in a centralize way. It adopts client/server communications mode. A client applies to

a server for configuration information (including parameters such as IP address, subnet

mask and default gateway), and the server returns the information according to the policy.

DHCP uses UDP as transport protocol. The host sends a message to port 67 of DHCP

server, and the server returns a message to port 68 of the host.

ZXR10 ZSR V2 supports DHCP Relay, and DHCP Server to accommodate user demands

for DHCP in different scenarios.

3.1.5 DNS

Domain Name System (DNS), a distributed database for TCP/IP applications, copes with

the conversion between domain name and IP address. With the DNS, a user directly

employs an easy-to-remember, meaningful domain name for an application, and the DNS

resolution server in the network resolves it into a proper IP address.

ZXR10 ZSR V2 can work as a DNS client. It sends a DNS resolution request to a DNS

server to request and receive the response message of the DNS server packet, and then

sends the message to the user.

3.2 WAN Access

3.2.1 PPP

PPP (a widely used WAN protocol, achieves router-to-router) and host-to-network

connection across synchronous and asynchronous circuits. It has a set of schemes for

link creation/maintenance/removal, upper-layer protocol negotiation, authentication, and

other functions.

PPP consists of LCP and NCP. It supports the point-to-point interface (such as

E1/T1/POS) link creation by negotiation and link maintenance, and provides a upper-layer

protocol packet with a packet encapsulation format different from Ethernet protocol.



A upper-layer protocol packet (such as IP packets and MPLS packet) is only

encapsulated with two bytes of protocol fields in the front, and is added with a PPP header

with two fixed values, namely, 0xFF03. The header can be removed through negotiation.

The PPP negotiation has three stages: LCP, authentication (optional) and NCP:

The authentication is optional and it is generally used for an access router to

authenticate an access user.

NCP consists of IPCP, IPv6CP, MPLSCP, OSINLCP and BCP. IPCP (supporting

IPv4) must make link negotiation and the rest is selected as needed. After successful

negotiation with IPCP, PPP port is set to UP.

Compared with the Ethernet encapsulation:

PPP has a higher bandwidth utilization ratio, which has a better effect on short packet.

And its header encapsulation is simpler, and complex Ethernet MAC header

encapsulation and decapsulation are removed from packet transceiving mechanism.

But PPP state machine is more complex than Ethernet because PPP interface is set

to UP only after successful negotiation and then the packet is received at the upper

layer.

The default protocol state of a PPP interface is down after creation, and it is UP after

successful PPP link negotiation. Both sides periodically send LCP keep-alive packets to

each other. If there is no ECHO response to continuous N (N>=1) keep-alive request

packets, the link is set to down and the protocol state is set to down to trigger route

recalculation and route update.

3.2.2 ML-PPP

ML-PPP bundles multiple PPP links with a purpose to increase bandwidth. It can be

applied to an interface supporting PPP.

3.2.3 HDLC

High-level Data Link Control (HDLC) is a bit-oriented link-layer protocol. It parallels with

such L2 protocol as PPP and Frame Relay (FR), and offers different services for

upper-level protocols.



The HDLC’s biggest feature is that character set is not required for data, and any bit

stream can be transparently transported.

3.2.4 FR

Frame Relay (FR) is a high-performance WAN protocol running on physical layer and

data link layer of OSI reference model.

The data packet switching technology is a simplified X.25. It removes some complex

functions of X.25 (such as window technology and data retransmission technology) and

relies on high-level protocol to provide error correction. Because FR works on WAN

devices which are better than X.25, these devices has a higher reliability. FR strictly

corresponds to the lowest two layers of the OSI reference model, while X.25 provides L3

services, so FR has a higher performance and more efficient transport efficiency than

X.25

FR WAN equipment is usually divided into data terminal equipment (DTE) and data

circuit-terminating equipment (DCE). At both ends of communications are DTE and DCE,

and the router generally works as a DTE device.

FR provides the connection-oriented communications at data link layer. A communication

link is defined between each pair of devices, and the link has a data link connection

identifier (DLCI). This service needs a permanent virtual circuit (PVC) with a DLCI. The

DLCI value is generally specified by a FR SP. The available DLCI is 16-1007 and the rest

is retained for the protocols.

FR supports both PVC and SVC. PVC is the most frequently used. The manually

configured PVC is particularly suitable for data communication thanks to its simplicity,

high efficiency and multiplexing.

3.3 Switching and Routing in One

Based on the network connection requirements inside enterprise, ZXR10 ZSR V2

promotes high-density Ethernet switching module to implement seamless integration of

router and Ethernet switch.



ZXR10 ZSR V2 supports VLAN, Supervlan, QINQ, SmartGroup, supports Ethernet port

L2/L3 mode switching, L2 switching across the board, L2/L3 configured on the same

interface, supports full Spanning Tree Protocol and broadcast storm suppression , and

other L2 functions.

3.3.1 Broadcasting storm suppression

The broadcasting storm which seriously damages network performance refers to the

disturbed network communication caused by continuous forwarded broadcasting frames.

The broadcasting storm suppression means the user can set the size of the broadcasting

streams that allowed by the port. When the streams exceed the threshold, the system will

discard the exceeding ones to avoid the broadcasting storm.

ZXR10 ZSR V2 support the following storm suppression.

Support the broadcast packet suppression

Support the multicast packet suppression

Support the unknown packet suppression

Speed limit supports two modes bps or pps

3.3.2 Spanning Tree Protocol

Loops in L2 switching networks make the messages cycling and growing in the loop.

Thus, the broadcasting storm which takes up all valid bandwidth and makes network

unavailable is generated.

Under this circumstance, the spanning tree protocol (STP) is generated. As a L2

management protocol, the STP eliminates the L2 loop by blocking redundant links

optionally. At the same time, it is capable of link backup. The same as other

protocols, the STP keeps developing. However, it was initially used as IEEE

802.1D-1998 STP, then generates IEEE 802.1w RSTP(Rapid Spanning Tree

Protocol) and IEEE 802.1s MSTP(Multiple Spanning Tree Protocol).

ZXR10 ZSR V2 supports STP, RSTP and MSTP, and supports transparent

transmission of the above protocols.



3.4 MPLS

3.4.1 LDP

MPLS is a multiple layer switching technology. It combines L2 switching and L3 routing,

uses label to aggregate the messages need forwarding. It works in route layer structure,

supporting multiple upper layer protocols. It can be implemented on multiple physical

platforms.

ZXR10 ZSR V2 supports multi-protocol label switching by supporting the following

functions:

It supports basic functions and label forwarding services of MPLS. It

implements LDP signaling protocol, which takes charge of label distribution,

LSP establishment, and parameters needed in LSP establishment.

It supports Graceful Restart at MPLS signaling protocol layer. It can keep label

data forwarding when protocol is interrupted.

It supports MPLS Ping/Tracert. It uses MPLS echo request and MPLS echo

reply to check the availability of LSP.

It supports LDP FRR. It can takes quick switching of data flow when LSP

interrupts.

It supports MPLS LSP load balancing.

It supports multiple layer label processing.

It supports LSP loop check mechanism.

It supports MPLS CoS and mapping of IP packet from ToS domain to MPLS

packet in EXP domain.

3.4.2 Static Tunnel

Static tunnel is the tunnel configured by the administrator manually. It doesn’t need to be

triggered by MPLS signaling protocol, nor packet control by exchange. Thus it consumes

little resource and suits stable small network with simple topology structure. However, the



tunnel established by static label distribution cannot be dynamically adjusted based on

network topology change. It should be manually configured by the administrator.

Each LSR on the tunnel should be configured with static tunnel command, including head

node, intermediate node and tail node. The services can be guaranteed to normally

forward on LSP of the tunnel only when the tunnel is correctly configured on each node.

3.4.3 MPLS-TE

Network congestion is a major problem that influences backbone network performance.

The local congestion may result from inadequate network resources or unbalanced

resource load. TE (Traffic Engineering) solves the congestion caused by unbalanced

load.

MPLS TE is a technology combining traffic engineering and MPLS. With MPLS TE, the

service provider can precisely control the path that the traffic goes through, so as to avoid

the congested node. It can solve the problem that some paths are overloaded but some

are idle, so as to make full use of the existing bandwidth resources. At the same time,

MPLS TE can reserve the resources during the process of LSP tunnel establishment to

guarantee service quality.

MPLS TE establish link bandwidth resource database at each node in MPLS network by

OSPF TE or IS-IS. It uses CSPF algorithm to calculate tunnel establishment path based

on link bandwidth resource database and tunnel constraint. At last it uses RSVP-TE

signaling protocol to establish TE tunnel on the path that calculated by CSPF algorithm.

ZXR10 ZSR V2 supports the following MPLS TE features:

OSPF TE and IS-IS TE

CSPF (Constrained Shortest Path First)

Basic functions of RSVP-TE: it implements RSVP-TE basic functions defined by

RFC2205 and RFC3209. It can establish and maintain TE tunnel by Path/Resv

message interaction.

RSVP-TE FRR: it implements link protection and node protection of RSVP-TE

FRR protocol functions in Facility defined by RFC4090 to offer LSR RSVP-TE

local protection capability.



RSVP-TE Graceful Restart: it implements Graceful Restart by RFC3473, Draft

‘Extensions to GMPLS RSVP Graceful Restart’, and recovery mechanism for

restart at adjacent multiple nodes defined in the section of ‘failure recovery’.

RSVP-TE MIB.

RSVP-TE expansion: RSVP-TE MBB, re-optimization, preemptive priority,

abstract update, automatic routing, FA, Hot-standby, and authentication.

3.5 VPN

3.5.1 IPSec VPN

IP Security (IPSec) is an IETF-defined IP-layer security framework protocol. It protects

sensitive data transport in an unprotected network (e.g., the Internet). It defines IP packet

formats and related infrastructure for confidentiality, data integrity, anti-replay and

enhanced identity authentication in network communication IP packet transport.

Confidentiality means encrypting user data and sending it in the form of ciphertext.

Data integrity means ensuring no data modification in the transport. IPSec

authenticates the data received to determine whether the packet has been modified.

Anti-replay means comparing the slide window of the target host with the sequence

number of the received packet to identify whether the packet is copied, preventing a

malicious user from intercepting IPSec packets and reinsert them into the session.

Origin certification means identifying the identity of the data sender through a

pre-shared key or RSA signature.

IPSec uses the following framework protocols:

Authentication Header (AH): It provides data origin authentication, data integrity

check and packet anti-replay. AH does not encrypt the protected packet.

Encapsulating Security Payload (ESP) provides both authentication and encryption.

Its authentication functions are almost the same as all AH functions (data integrity

check does not include IP header), and it also encrypts IP packets to improve their

security.



IPSec transmits IP packets in the following modes:

Tunnel mode: AH or ESP is inserted before the original IP header, and a new IP

header is generate and put before the AH or ESP. The mode is applied to the

connection between two security gateways (e.g., routers).

Transfer mode: AH or ESP is inserted after the IP header but before the

transport-layer protocol. The mode is applied to the end-to-end connection between

hosts, and it uses the original IP header address for addressing.

ZXR10 ZSR V2 IPSec has the following features:

Establish a security alliance manually or through IKE dynamic negotiation (isakmp).

Support IKEv1 key negotiation and exchange. IKE support the following security

mechanisms:

Diffie-Hellman (DH) exchange and key distribution: The DH algorithm is a

public key algorithm. Communicating parties send no key but calculate a

shared key through data exchange. The precondition for encrypted is

that both sides for encrypted data exchange must have a shared key.

Perfect Forward Secrecy (PFS): The safety feature means that a cracked

key does not affect the safety of other keys because these keys have no

derivative relationship. The key of the IPSec second stage is derived

from the key of the first phase. If the IKE key of the first phase is stolen,

the attacker may collect enough information to derive the IPSec SA key

of the second stage. PFS implements an additional DH exchange to

ensure the safety of the key of the second phase.

Authentication: It means confirming the identity of communicating parties.

ZXR10 ZSR V2 supports the pre-shared key authentication. An

authenticator generates a key, and Different authenticators cannot

generate the same key on both sides.

Identity protection: After a key is generated, identity data is encrypted for

protection in the transport.

Support AH and ESP protocols and their mixed use.

Transmit a packet in tunnel mode or transfer mode.

Provide two general hash algorithms to ensure that no data is modified in the



transport.

HMAC-MD5: Use 128-bit shared key for hash calculation.

HMAC-SHA-1: Use 160-bit shared key for hash calculation.

Support such encryption algorithms as DES-CBC, 3DES-CBC, AES-128-CBC,

AES-192-CBC, and AES-256-CBC.

Support IPSec DPD detection.

Support IPSec NAT traversal.

Support IPSec+GRE networking.

Support IPSec and VRF association.

3.5.2 IPSec NAT traversal

In network applications, if there is a routing equipment between two IPSec routers, the

IPSec router have to support NAT traversal. The NAT traversal mainly includes NAT-T

negotiation in IKE and using UDP to encapsulate and decapsulate the ESP packet.

Figure 3-1 IPSec NAT traversal schematic diagram

3.5.3 GRE VPN

Generic Routing Encapsulation (GRE) protocol can encapsulate the packets of some

network-layer protocols so that these encapsulated packets can be transmitted in the IPv4

network.



When a router receives an original packet (payload) to be encapsulated and routed, the

payload was first encapsulated by GRE into a GRE packet which is encapsulated by the

IP protocol and then is forwarded at the IP layer. The original packet protocol is called the

passenger protocol, the GRE the encapsulation protocol and the IP protocol the delivery

protocol or transport protocol. It should be noticed that the above processes do not care

about the specific format or content of the passenger protocol.

GRE has the following advantages:

A multiprotocol local network can transport packets via a single-protocol backbone

network.

Connect discontinuous subnets to create VPN.

Expand network scope of work, including the protocol with limited route gateways.

3.5.4 L2TP VPN

L2TP (Layer 2 Tunneling Protocol) is a L2 tunnel protocol based upon point-to-point

protocol PPP. L2TP mainly consists of LAC (L2TP Access Concentrator) and LNS

(L2TP Network Server). LAC supporting client-end L2TP is used to initiate call,

receive call and establish tunnel. LNS is the end of all the tunnels to terminate all

PPP flows.

Figure 3-2 L2TP VPN schematic diagram

LAC: L2TP Access Concentrator is a PPP-initiator system with L2TP protocol

processing capability. Usually, LAC is a network access server (NAS), which

supplies network access service through PSTN/ISDN.



LNS: L2TP Network Server, the logical termination of PPP conversation, is used on

the PPP-end system for processing the software of L2TP protocol server.

Between a pair of LNS and LAC there are two types of connection: one is tunnel

connection, which defines a LNS and LAC pair. The other is session connection,

which is multiplexed on tunnel connection, indicating each PPP session process in

the tunnel. One tunnel connection can bear multiple session connections. L2TP

connection maintenance and PPP data transmission are both implemented by

exchange of L2TP message, which uses UDP port 1701. L2TP message can be

divided into two types: control message and data message. Control message works

to create and maintain tunnel connection and session connection. Data message

works to bear users’ PPP session data packets.

L2TP is featured as follows:

Secure identity authentication mechanism: similar to PPP, L2TP can implement

tunnel endpoint verification. PPP CHAP verification is stipulated to be used.

Internal address distribution support: LNS is deployed behind enterprise network

firewall. It implements dynamic distribution and management of remote user address

and supports DHCP and private address application (RFC1918). Address distributed

for remote user is not Internet address but internal private address of enterprise

network, which facilitates address management and enhances security.

Network accounting flexibility: accounting could be implemented at LAC (usually is

ISP) and LNS (usually is enterprise) at the same time. The former accounting

generates bills and the latter is for payment and auditing. L2TP can provide

accounting data of data transmission such as incoming and outgoing packets

number, bytes number, beginning and ending time for connection.

Reliability: L2TP protocol supports LNS backup. When main LNS is unreachable,

LAC (access server) can re-establish connection with backup LNS to improve VPN

service reliability and error tolerance.

Integrated network management: L2TP protocol has become standard RFC protocol.

Related L2TP standard MIB has been established. In this way SNMP network

management solution can be integrated adopted to implement easy network

maintenance and management.



3.5.5 IPSec + GRE

The IPSec tunnel only supports unicast flow, multicast data can not be protected.GRE can

encapsulate non-IP packets, IP multicast and broadcast packets, so you can use GRE

over IPSec to protect the data in GRE tunnel, thereby protecting the GRE tunnel multicast

data flow.

Figure 3-3 IPSec+GRE VPN schematic diagram

3.5.6 MPLS L3 VPN

MPLS VPN supports ISP data privacy and the use of non-unique private IP address in the

VPN.VPN forwarding table includes a label corresponding to a VPN-IP address. This tag

sends data to the appropriate location. MPLS VPN has the following advantages:

VPN connection configuration is simple and has no pressure on the existing

backbone network.

There is no requirement for existing users. The user does not need to make any

changes, and the user joining VPN configuration is also very simple.

The network is highly scalable.

VPN users can continue to use the dedicated address without any modification,

and the VPN-ID is unique in the backbone network.

It is easy to provide value-added services, such as different COS.

ZXR10 ZSR V2 support the MPLS/BGP-based L3 VPN. It provides users with VPN

service on existing public networks to meet service needs and security requirements in

transmitting private data on public networks. The VPN end-to-end solution satisfies user

service demands in this regard.

Assume the roles of P, PE and CE.



Support dynamic (BGP, RIP, OSPF and IS-IS) and static (static route) VPN

access.

Support such policy control as RT rewriting and SOO.

Support multiple cross-domain VPN modes.

Support VRF route restriction.

Support VPN FRR.

3.5.7 MPLS L2 VPN

ZXR10 ZSR V2 supports the Martini-type MPLS L2VPN and uses VC-Type+VC-ID to

identify a VC.It supports the following functions:

Take LDP as basic signaling.

Support two L2 VPN services: VPWS and VPLS.

Support L2VPN MIB.

Support 129-type FEC code.

VPWS service support PW Class configuration, heterogeneity, Status TLV,

VCCV, control field configuration, etc.

VPLS service support L2VPN reflector.

Support L2VPN Graceful Restart.

Support MAC address filtering and restriction.

Support PWE3.

Support CESoPSN.

Support SAToP.

Support L2 VPN and L3 VPN bridging.

3.5.8 Smart Dial Control (SDC)

Smart Dial Control (SDC) is a dial-on-demand backup technology used for

interconnecting routers via PSTN, ISDN or 3G. The ‘dial-on-demand’: the interconnected

routers in different networks only get communicated via dial-up manner when there are



data to be processed between them. When the link is free, the SDC will disconnect the link

automaitcally. As in some circumstances, the connections and communications between

routers only happen when there is information to be processed, the information under

transmission often features irrelenvant time, abruptness and few data. The SDC service

at this momenet provies flexible economical and highly efficient solutions for this

implementation. In real applications, the SDC which often exists as a backup path keeps

the service running smoothly when the communmication is down due to broken links.

The SDC module often implements the following services:

Dial backup service

The invalid master link (interface) triggers the dial backup: When the master link

(interface) fails for a while, the backup interface will dial up the backup link. When the

master link (interface) recovers, the backup link will be disconnected.

The overload major link (interface) triggers the dial backup: When the major link

(interface) is overloaded, the backup interface will be dialed up. Then the backup link

will be initiated to work together with the master link. When the load of the master link

(interface) returns normal, the backup link will be disconnected then.

Implement link backup service via route interception: When the SDN intercepts that

the particular route items are missing, the dial-up signal will be triggered. Without

asking for preset low-priority static routes to trigger the dial-up signal, this method

which is more flexible actively triggers the signal when the SDC intercepts the loss of

some route items that are going to be backed up. In this way, the backup routes

which go to special destinations will be generated.

Dial-on-Demand (DDR)

Permanent dialing: When the permanent dialing mechnism is set at the dial-up

interface, the dialing will be triggered immediately.

Automatic dialing: After initiation, when the physical dial-up interface turns to up

status, the autoamtic dialing will be triggered.

Manual dialing: The user can implement dialing or turn off the signal by configuring

commands.



Trigger data triggers dialing: The data accessing the router split into two categories:

trigger data and non-trigger data. The trigger data packets will be sent out by the router. If

there’s no connection at that moment, the router will dial the remote router to set up

connections. With non-trigger data, the router won’t dial the remote router.

3.6 QoS Capability

With the popularity of diversified services (data, voice and video) and development of

FMC process, multi-service bearer network is required to provide differentiated services

for different services and users, so as to differentiate services, guarantee user service

QoS based on SLA, realize QoS guarantee in various application models, and provide

E2E QoS. It makes the network sense and manage the services, implement fine operation

of service, and finally improve the service experience of the users.

3.6.1 Flow Classification and Flow Tag

Based on the classification strategies such as destination MAC, source MAC, VLAN ID,

802.1P, ToS/DSCP, and IP 5-tuple (protocol type, destination IP, source IP, destination

port number, source port number), service packets are divided into multiple priorities or

categories. Ethernet packet CoS, ToS or DSCP of IP packet head, and EXP field of MPLS

can be tagged to implement scheduling based on the categories, congestion

management, and traffic shaping. QoS for different service types can be provided.

3.6.2 Traffic Monitoring

Take token bucket algorithm and restrict the traffic enters the network within a proper

range. Manage and punish the exceeding part. For example, drop the packet, color the

packet, or re-set the priority of the packet, in order to protect the network resource and

operators’ benefits. ZXR10 ZSR V2 supports srTCM (single-speed three-color) and

trTCM (dual-speed and three-color) algorithms. It also supports Color-Blind and

Color-Aware coloring mode. ZXR10 ZSR V2 supports port-based and traffic-based

coloring, which can be applied in both incoming and outgoing directions.



3.6.3 Traffic Shaping

Traffic shaping buffers and sends outgoing traffic at an even rate meet the processing

capability of the downstream equipment. ZXR ZSR V2 supports port-based and

queue-based traffic shaping.

3.6.4 Queue Scheduling

Queue scheduling solves the congestion problem at the network node by a series of

scheduling algorithms. By scheduling, the packets with high priority are first forwarded.

The packets with low priority can also fairly get corresponding scheduling opportunity.

ZXR10 ZSR V2 supports queue scheduling of PQ (Priority Queuing), Weighted Fair

Queuing(WFQ) and CBWFQ,etc..

3.6.5 Congestion Avoidance

The network equipment has limited processing capability and buffering capability. The

packets exceed equipment processing capability will cause congestion. Simply dropping

these packets will cause ‘global synchronization’. ZXR10 ZSR V2 adopts RED/WRED to

avoid congestion and improve network quality. WRED can sense the service IP priority,

DSCP and MPLS EXP. It can set different early dropping strategy for packets with

different priorities so as to provide differentiated dropping features for different services.

3.6.6 MPLS QoS

ZXR10 ZSR V2 supports MPLS QoS based on Diff-Serv model. MPLS QoS implements

mapping of priority between MPLS, IP and Ethernet packets. It also differentiate data flow

of different services based on the value of EXP in the tag, so as to realize different

services, guarantee the QoS of voice and video services. ZXR10 ZSR V2 supports

operator MPLS QoS service channels of three standards:

Uniform Tunnel

Pipe Tunnel

Short Pipe Tunnel



ZXR10 ZSR V2 combines MPLS-TE and Diff-Serv to offer IP/MPLS core network with

service identifying capability. Based on this it establishes tunnel to guarantee the

bandwidth of service with high priority. ZXR10 ZSR V2 supports QoS scheduling inside

MPLS VPN. It can implement Diff-Serv scheduling inside VPN and guarantee the key

VPN services are forwarded with priority.

ZXR10 ZSR V2 supports user service-based PW differentiation, and mapping of service

PW to the corresponding MPLS tunnel to realize E2E QoS based on service. It’s easy to

deploy with the bandwidth management plannable. It provides operation guarantee for

service differentiation management and service.

3.6.6.1 H-QoS

With hierarchy, H-QoS implements finer scheduling and provides reliable service support

for multi-service development. ZXR10 ZSR V2 supports H-QoS with the following

features:

It supports to set the multi-level scheduler to achieve multi-level traffic management

to meet the actual network deployment requirements.

It supports multi-user, multi-service, multi-flow classification requirements to

implement congestion avoidance and traffic shaping.

It supports packet tagging feature in the hierarchical QoS queue scheduling.

It supports traffic statistics of service scheduling in hierarchical QoS to realize visual

management of traffic service model and to make maintenance management know

the network better.

3.7 Security Features

3.7.1 ACL

Access control list is used to permit or reject packet based on criteria configured.

The packet filtering criteria determines the type of access control list. Packet filtering

can be defined based on the following conditions:

MAC



VLAN

Source IP address

Destination IP address

Source port number

Destination port number

Protocol number for transmission layer

Type of service (TOS)

Time-range

For router interface, a configured access control list will only take effect when it is

applied on an interface. As data flow passing an interface is bidirectional, the access

control list should be adopted on the interface, simultaneously, which is egress

direction (i.e. data flow moves away from router) and ingress direction (i.e. data flow

enters router)

There are procedures for implementing access control list on an interface:

1. Define access control list

2. Define the interfaces on which the access control list will be implemented

While using ACL, firstly the type of ACL is classified via ACL number, and then

packets are compared with the configured ACL to see if the packets are permitted to

pass through the interface. The rule of ACL processing is, beginning items are given

the highest priority, in other words, as per the sequence of access control list. The

processing will stop when there is one item matching to the configured control list.

Therefore, the sequence is very important when configuring access control list, and

items with high priorities should be put in the beginning. If there is an exact match for

the packet, it will be permitted or denied to pass through the interface according to

the specified fields ‘permit’ or ‘deny’. If there is no exact match for the packet, it will

follow the default filtering principle, i.e. this unmatched packet will be denied to pass

through the interface.

ZXR10 ZSR V2 supports the ACL features are as follows:



Support standard ACL and extended ACL

Support L2 ACL, L3 ACL and L2/L3 hybrid ACL

Support ACL Time-range

Support ACL log statistics

Support statistical Hit rate

Support ACL bulk binding

3.7.2 Anti-IP source attacks

IP+MAC binding

The binding of MAC and IP addresses refers to the connections formed between

special IP addresses and MAC addresses according to the user’s configuration. If the

message sent from this IP address does not match the designated MAC address, it

will be discarded to avoid attacks by fake IP addresses.

ARP scanning service

ARP scanning service triggers in-batch IP+MAC static binding tables.

IP Source Guard service

IPSG means the device working as a L2 device fights against IP source spoofing

attacks via the binding table.

3.7.3 Anti-ARP attacks

Send free ARP messages on a regular basis

Free ARP messages are sent to prevent the user’s message from being blocked or

intercepted.

Anti-ARP spoofing-Strict ARP learning

Fight against the ARP spoofing via strict ARP learning.

Anti-ARP spoofing-ARP entity learning protection



ARP entity learning protection avoids the ARP spoofing.

Anti-ARP spoofing-Dynamic ARP inspection

Dynamic ARP inspection avoids the ARP spoofing.

Anti-ARP message flood-ARP message suppression

ARP message suppression avoids ARP message food.

Anti-ARP message flood-ARP Miss message suppression

ARP Miss message suppression avoids the ARP message flood.

3.7.4 Firewall

3.7.4.1 Configure security domains

Divide security domains, including DMZ domain service. As to firewalls, all security

policies are implemented on the basis of security domains. The related firewalls can

only be configured when security domains are divided. The configurations of the

security domain include: the name of the security domain, priority, interfaces to

access the security domain and the DMZ domain. Usually being a filtration subnet,

the DMZ domain is a security area between the intranet and extranet.

3.7.4.2 Packet filtration firewall-fragment message filtration service

Configure ACL to implement packet message filtration. The filtration is implemented

mainly based upon protocol number, source/destination IP addresses, source/destination

port number and message transmission direction of the upper layer protocol borne by the

IP layer of the data packet.

Setting in the firewall of the device, the packet filtration service compares the header of

the packet got from the packet with the preset ACL rules to decide if the packet will be

forwarded or discarded.

The packet filtration service supports the inspection of fragment messages. The packet

filtration firewall identifies different message types: non-fragment messages, first

fragment messages and follow-up fragment messages. All types of messages are filtered.



3.7.4.3 Stateful firewall

As an extension of the packet filtration firewall, the stateful firewall not only takes the

packet as an independent unit to implement ACL inspection and filtration, but also

considers the relevance between the application layers of the packets. By using all sorts

of stateful tables to monitor TCP/UDP sessions, the stateful firewall makes the ACL table

to decide which session is allowed to be built. Only the packets that related to the

permitted sessions can be forwarded. At the same time, according to the TCP/UDP

session, the stateful firewall analyzes the status of the packet application layer, and filters

the packets which do not match the status of the existing application layer. Combining the

advantages of the packet filtration firewall and proxy firewall, the stateful firewall is not

only fast, but also safe.

SFW (Stateful Firewall) is message filtration based upon the application layer, in other

words, it is a status-based message filtration. As this service can inspect the protocol

sessions which try to pass through the firewall in the application layer by maintaining the

session status, checking the protocol and port number of the session messages, it stops

the messages which do not match the rules from passing through the firewall. For all

connections, the status of each connection maintained by the SFW is used to decide if the

packet is allowed to pass the firewall dynamically. At the same time, the SFW can

monitor the service of different application layer protocols.

3.7.4.4 Black list

Blacklist is a filtration method based upon the source VPN and the source IP address of

the message. As the matching domain is much simpler than the ACL, the blacklist can

implement rapid message filtration. Therefore, it can effectively shield the messages sent

from some particular IP addresses. At the same time, user’s static blacklist and the

firewall-based dynamic blacklist are supported.

In addition to the blacklist made by the user statically, some particular IP addresses which

are found implementing IP scanning attacks or port scanning attacks will be put into the

blacklist actively. If the blacklist has been activated, all the messages coming from this IP

address in a certain period will be filtered. The user can configure the aging time of both

static and dynamic blacklists. Completely ignoring the ACL rules, the firewall discard all

the packets in the blacklist.



Users can export the blacklist to files. Also, the blacklist can be configured by importing

the data on files.

3.7.4.5 White list

If the user puts the VPN and IP address of one host to the white list of the firewall, the

firewall will not launch IP scanning attacks or port scanning attacks of the message sent

by the host. Also, it won’t add the IP address to the blacklist dynamically. What’s more, the

user cannot put the host to the static blacklist.

After receiving a message, the device will check if it came from the white list. If the source

of the message is the white list, the device won’t arrange the IP scanning attack, the port

scanning attack or the generation of a dynamic blacklist containing this source IP address.

However, other security filtrations must be kept to make the firewall safe, e.g. ACL packet

filtration, SFW, traffic statistics and monitoring, etc. The user can configure the aging time

of the white list. The information of the white list can be imported and exported by files.

3.7.4.6 Anti-DDos attack

The network environment is getting more and more complicated. The control layer

processor of router device is the core component to deal with various complicated

protocol data packets. It usually suffers from broadcast storm, PING flooding, and TCP

syn flooding attacks. To avoid the influence on CPU or even service abnormality, pause,

and interruption caused by the attacks, ZXR10 ZSR V2 implements flexible and complete

flow control mechanism for the traffic enters the control layer:

The CPU flow transmitted upwards is divided into multiple queues with priority

to guarantee the important protocol packets such as BGP, OSPF as well as

user customized data packets are transmitted upwards and processed with

priority. Each queue has different threshold values for different packet types.

It supports CAR rate limit of flow transmitted upwards based on physical

ingress.

It supports CAR rate limit of customized packet based on source destination +

protocol type + TCP/UDP port number + CAR rate limit of physical ingress

number.



It supports configuration of number of transmission per second and

transmission priority as a particular rule.

It supports transmission abnormality check based on logical port. It takes rate

measurement of all received packets at the logic port. When the traffic

transmitted at the port is found to reach the specified threshold, close packet

receiving at the port and make certain delay. Then continue to receive the

packets to prevent the port from strong attack which may influence user

services at other ports.

ZXR10 ZSR V2 can effectively guarantee that the important data packets with high priority

can be transmitted first by dividing and differentiation of data packet priority, multi-queue

transmission, configuration of transmission strategy at port, and transmission flow rate

limit. It can effectively block attack from abnormal packets.

3.7.4.7 Anti-DOS attack

ZXR10 ZSR V2 supports the following DOS attack prevention:

LAND attack

Smurf attack

WinNuke attack

SYN Flood attack

ICMP Flood attack

UDP Flood attack

3.7.4.8 Anti-scanning attack

ZXR10 ZSR V2 supports the following anti-scanning attack prevention:

ping-death attack

Large-ICMP attack

ICMP Unreachable attack

ICMP-Redirect attack



ICMP Fragment attack

IP Fragment attack

Teardrop attack

Fraggle attack

Tracert attack

3.7.4.9 Anti abnormal packet attack

ZXR10 ZSR V2 supports the following anti-abnormal attack prevention:

Abnormal TCP packet attack

IP error option attack

Syn Fragment attack

Unknown Protocol attack

IP spoofing attack

IP option packet attack

TCP No-Flag packet attack

TCP Syn Fin packet attack

TCP Fin-No-Ack packet attack

3.7.5 Multiple Security Authentications

ZXR10 ZSR V2 supports the following multiple security authentications:

AAA

ZXR10 ZSR V2 implements complete AAA authentication authorization for different

user access authentication strategy. Based on different access authentication needs,

users can configure different access authentication strategy and take different

Authentication and Authorization for different users.

AAA supports three user authentication types:

Local authentication



RADIUS (Remote Authentication Dial-In User Service) authentication

TACACS+ (Terminal Access Controller Access Control System) authentication

AAA supports four authorization types:

Direct trust authorization: Directly authorized without account.

Local account authorization: make authorization based on locally configured

user account

TACACS+ authorization: TACACS+ can divide authentication and authorization.

TACACS+ server can authorize the users.

Authorization after successful RADIUS authentication: RADIUS protocol

authentication and authorization cannot be divided.

Protocol Security Verification

ZXR10 ZSR V2 implements complete protocol security verification for SSH, PPP, routing

protocol, and SNMP protocols based on different protocol security verification

requirements.

SSH protocol security verification:

It supports MD5-based cipher text authentication

It supports SHA1-based cipher text authentication

PPP access security verification

It supports PAP-based verification

It supports CHAP verification

Routing Protocol security verification

RIP v2, OSPF, and IS-IS support plain text authentication

RIP v2, OSPF, IS-IS, and BGP support MD5-based cipher text authentication

RIPng, OSPFv3, and BGP-4+ support MD5-based cipher text IPSec AH

authentication

RIPng, OSPFv3, and BGP-4+ support SHA1-based cipher text IPSec AH

authentication



SNMP security verification:

SNMPv3 encryption and authentication.

3.7.6 URPF

ZXR10 ZSR V2 supports uRPF (Unicast Reverse Path Forwarding) to prevent network

attack based on source address spoofing. Among the common DoS attacks, there’s one

source address spoofing. The attacker spoofs a source address (usually the address of a

legal network) to get access to the attacked equipment so as to prevent the attacked

equipment from providing normal services. uRPF can effectively prevent this attack.

ZXR10 ZSR V2 supports the following uRPF features:

It supports Strict RPF check

It supports loose RPF check

It supports loose RPF check that ignores default route

It supports ACL check

3.8 Network Reliability

3.8.1 Ping Detect

Ping Detect is also called automatic detect. It uses request/response packet of ICMP to

detect the reachability of the destination, and returns the detect result to the backup

function unit that associated with it, so as to trigger the main/standby switching and

provides backup based on the reachability of network layer application.

Ping Detect solves this problem. Ping Detect uses request/response packet of ICMP to

detect the destination reachability of the network application. The result (reachable or

unreachable destination ICMP) can be returned to the associated unit such as static route

backup, dial backup or VRRP to trigger the corresponding main/standby switching.



3.8.2 BFD

An important function of network equipment is to quickly detect the communication failure

between the adjacent systems, and to create other paths as soon as possible. BFD

(Bidirectional Forwarding Detection) protocol perfectly achieves this goal. The main

function of BFD is to provide a low-load quick failure detection mechanism for the adjacent

forwarding engines. Combining BFD and FRR, ms level link detection and route switching

can be implemented at forwarding layer.

ZXR10 ZSR V2 supports the following BFD features:

version 0 and version 1 BFD check.

BFD for BGP check.

BFD for OSPF check.

BFD for IS-IS check.

BFD for LDP LSP check.

BFD for TE tunnel check.

BFD for static route configuration for next-hop check.

BFD for strategy route check.

BFD for VRRP check.

3.8.3 FRR

When a link or node fails in the network, the packets go through it may be dropped or put

into a loopback. Then there will be inevitable temporary traffic interruption or loopback

until the network re-converge and reckon out a new topology and route. Usually this kind

of interruption will last several seconds. Therefore, to shorten the traffic interruption, a

mechanism should be provided to implement the following functions:

Quick discovery of link failure

Quickly provide a recovery path when link fails

Avoid forwarding ‘micro-loop’ in following-up network recovery.

This is FRR (Fast ReRoute). ZXR10 ZSR V2 FRR covers IP FRR and L3VPN FRR.



3.8.3.1 IP FRR

ZXR10 ZSR V2 product provides IP FRR. The routing protocol unit provides loop-free

main/standby route based on the loop avoiding strategy configured by the user. The

forwarding unit implements traffic forwarding based on main route in the process. At the

same time it checks the port status of the main route. When the port fails, ZXR10 ZSR V2

will quickly switch the traffic to the standby route to reduce traffic switching time and

packet loss.

IP FRR is usually used with routing protocol. ZXR10 ZSR V2 supports IP FRR that

including static route FRR, OSPF FRR, IS-IS FRR, and BGP FRR.

3.8.3.2 L3 VPN FRR

FRR of VPN route is VPN FRR of private network, not including FRR implemented by

public network outer layer label switching. Thus L3VPN FRR is that for pure private

network VPN route. Currently VPN route learning source is mainly different remote PE,

which can form FRR relationship.

3.8.4 VRRP

VRRP implements gateway backup in multiple access LAN (such as Ethernet) by

providing a check and election mechanism. The protocol maintains the unremittance of

the access host service operation by backup of gateway in LAN, that is to say, it takes

backup of next hop equipment on the route of the accessed host.

ZXR10 ZSR V2 supports VRRP with the following features:

Basic functions of VRRP.

VRRP heartbeat.

VRRP and BFD check & binding.

VRRP and PING check & binding.

VRRP check the status of the specified port.

VRRP check the key route information.



VRRP group management implements integrated protocol packet receiving and

transmitting of multiple VRRP groups.

VRRP MIB.

3.9 IPv6 Features

3.9.1 Basic Function of IPv6

ZXR10 ZSR V2 supports IPv4/IPv6 dual-stack:

IPv6 basic protocols: IPv6 protocol and ND (Neighbor Discovery) ,etc.

TELNET6 and SSHv6, easy for users to take remote login and connection.

TCP6, UDP6, and Socket IPv6.

IPv6 DHCP Client/ Relay/Server and DNS6 Client.

PMTU Discovery (Path MTU Discovery) RFC1981.

IPv6 link check such as Ping6 and Trace6.

IPv6 ACL.

IPv6 QoS.

Security functions such as IPv6 VRRP and IPv6 uRPF.

3.9.2 IPv6 Unicast Routing Protocol

ZXR10 ZSR V2 supports unicast routing protocols including IPv6 static route, RIPng,

OSPFv3, IS-ISv6, BGP4+, and IPv6 strategy routing.

3.9.2.1 IPv6 Static Routing

To implement IPv6 static routing, the network administrator configures command and

specifies the routing information in IPv6 routing table. Its routing table is not established

based on routing algorithm like IPv6 dynamic routing.



When dynamic routes are configured, the routers need to exchange their routing tables

frequently to make the router difficult to burden. Then static route can be used to solve the

problem. It can avoid dynamic route usage with configuration of only few.

ZXR10 ZSR V2 supports IPv6 static route configuration of specified next-hop and

specified egress.

3.9.2.2 RIPng

RIPng is based on UDP. It uses port number of 521 to transmit and receive data packet.

ZXR10 ZSR V2 supports RIPng basic protocol, route summarization and route

redistribution, RIPng route load balancing, RIPng MIB, RIPng VRF access instance, and

IPv6 BFD associating RIPng.

3.9.2.3 OSPFv3

OSPFv3 is mainly used to provide routing function in IPv6 network.

ZXR10 ZSR V2 supports OSPFv3 basic protocol, route summarization and route

redistribution, OSPFv3 route load balancing, OSPFv3 authentication, OSPFv3 protocol

MIB, OSPFv3 VRF access instance, and IPv6 BFD associating OSPFv3.

3.9.2.4 IS-ISv6

The working principle of IS-ISv6 is similar to that of IS-ISv4.

ZXR10 ZSR V2 supports IS-ISv6 basic protocol, route summarization and route

redistribution, IS-ISv6 route load balancing, IS-ISv6 route filtering, IS-ISv6 authentication,

IS-ISv6 protocol MIB, IS-ISv6 VRF access instance, and IPv6 BFD associating IS-ISv6.

3.9.2.5 BGP4+

BGP4+ is an expansion of BGP. It inherits the basic message format of BGP4. The

expansion attribute used to transport IPv6 route information.



ZXR10 ZSR V2 supports BGP4+ basic protocols, routing attributes, route summarization,

route redistribution, reflector, and alliance. It supports strategy filtering of BGP4+ route,

BGP4+ route load balancing, BGP4+ authentication, BGP4+ protocol MIB, BGP4+ VRF

access instance and IPv6 BFD associating BGP4+.

3.9.2.6 IPv6 Policy Routing

The concept and principle of Policy routing in IPv6 are the same with those of IPv4. The

only difference is IPv6 address and route are used to complete the configuration.

3.9.3 Multicast Routing Protocol

The biggest difference from IPv4 multicast is that IPv6 multicast address system is greatly

enriched. The other features of IPv6 such as group member management, multicast

packet forwarding and multicast route establishment are the same with IPv4.

3.9.3.1 MLD

MLD protocol is originated from IGMP. MLDv1 is corresponding to IGMPv2, and MLDv2 is

corresponding to IGMPv3. Different from IGMP which adopts packet type with IP protocol

number of 2, MLD protocol adopts ICMPv6 (with IP protocol number of 58) packet type

including MLD query packet (with type value 130), MLDv1 report packet (with type value

131), MLDv1 leave packet (with type value 132), and MLDv2 report packet (with type

value 143). MLD protocol behavior is exactly the same with IGMP except different packet

format. Similarly, MLD Snooping is basically the same with IGMP Snooping.

ZXR10 ZSR V2 supports MLDv1/v2 protocol.

3.9.3.2 IPv6 PIM

Except IP address structure, IPv6 PIM protocol behavior is the same with IPv4 PIM. IPv6

PIM also supports three modes of SM, DM, and SSM.

ZXR10 ZSR V2 supports IPv6 PIM-DM, IPv6 PIM-SM, and IPv6 PIM-SSM protocols.



3.9.4 IPv6 Tunnel

ZXR10 ZSR V2 supports IPv6 tunnel protocols including IPv6 over IPv4 manually

configured tunnel and automatic tunnel, IPv4 over IPv6 tunnel, ISATAP tunnel, and 6rd

etc.

3.9.4.1 IPv6 over IPv4 Tunnel

IPv6 over IPv4 tunnel mechanism is to encapsulate IPv4 packet header to the front of

IPv6 data packet. It enables IPv6 packets to traverse IPv4 network through the Tunnel, so

as to realize the interconnection of separated IPv6 network as shown in Figure:



Figure 3-4 Working principle of IPv6 over IPv4 tunnel

IPv6 over IPv4 tunnel can be established on host-host, host-device, device-host, and

device-device. The terminal of the tunnel could be the final destination of IPv6 packet, or

could be further forwarded. Based on different ways to obtain IPv4 address for terminal of

the tunnel, the tunnel is divided into ‘configured tunnel’ and ‘automatic tunnel’.

If the terminal address of IPv6 over IPv4 tunnel cannot be automatically obtained

from the destination address of IPv6 packet, it should be manually configured. This is

‘configured tunnel’ such as 6in4 and GRE.

If the interface address of IPv6 over IPv4 tunnel uses special IPv6 address with

embedded IPv4 address, IPv4 address of tunnel terminal can be automatically

obtained from the destination address of IPv6 packet. This is ‘automatic tunnel’ such

as 6to4 and ISATAP.

3.9.4.2 IPv4 over IPv6 Tunnel

IPv4 or IPv6 over IPv6 tunnel (RFC2473) protocol encapsulates IPv4 or IPv6 data packets

to enable them to be transmitted in another IPv6 network. The encapsulated data packets

are IPv6 tunnel packets as shown in Figure:



Figure 3-5 Working principle of IPv4 (or IPv6) over IPv6 tunnel

3.9.4.3 ISATAP

ISATAP (the Intra-Site Automatic Tunnel Addressing Protocol) can make the dual-stack

node at IPv4 site get access to IPv6 router by automatic tunnel. It’s permitted not to share

the dual-stack node of one physical link and transmit the data packet to next hop of IPv6

through IPv4 automatic tunnel.

ISATAP transition system uses an IPv6 address with an IPv4 address embedded. No

matter what kind of IPv4 address is used at the site, global or private, IPv6-in-IPv4

automatic tunnel can be used at the site. ISATAP address format can use site unicast

IPv6 address prefix or global unicast IPv6 address prefix. That is to say, it can support

both site and global IPv6 route.

ISATAP tunnel principles cover tunnel encapsulation and de-encapsulation process:

Encapsulation principles: When IPv6 packets are transmitted, the egress is the

tunnel interface. The tunnel type can be decided based on the packets returned by

the interface. If it is ISATAP tunnel, we take IPv4 header encapsulation. ISATAP

tunnel encapsulation format inherits that for 6in4. The destination address of outer

layer V4 is the V4 address embedded in destination address of V6 packet. The

source address of outer layer V4 is the source address configured for ISATAP tunnel.

After the encapsulation common IPv4 packets are transmitted to take the processing.

De-encapsulation principles: the de-encapsulation process of ISATAP tunnel is



exactly the same with that of 6in4. The basic principle works as follows: when IPv4

data packets are received, and the protocol number in IPv4 header is 41, invoke

each protocol number processing function registered to IPv4, and enter 6in4

de-encapsulation. Check the matched tunnel item based on the source address and

destination address of the packet. Peel off the IPv4 header encapsulated by the

tunnel if it is found. The left IPv6 packets are delivered to processing of IPv6 packet

receiving procedure.

Figure 3-6 Working principle of ISATAP tunnel

3.9.5 6PE

6PE implements IPv6/IPv4 dual-stack functions.It exchange labeled IPv6 routes over

MP-BGP sessions running over IPv4.6PE forward IPv6 data over the IPv4-signaled LSP,

outer labels for forwarding packets, inner label for identifying IPv6 packets.

3.9.6 6VPE

6VPE (IPv6 VPN Provider Edge) is a technology that provides IPv6 user network with

BGP MPLS VPN service. The technical principle of 6VPE originates from BGP MPLS

VPN in IPv4. It’s especially an expansion of IPv4 BGP MPLS VPN.6VPE doesn’t restrict

the IP protocol version that the backbone network adopts. In this way IPv6 VPN traffic can

be transmitted by IPv6 tunnel or IPv4 tunnel.

ZXR10 ZSR V2 supports the operation of IPv6 static route, RIPng, OSPFv3, IS-ISv6, and

EBGP protocol between CE and PE.



3.9.7 NAT64

NAT64 technology, one of IPv4-IPv6 transition technologies, satisfies the interconnection

of the IPv6 host and the IPv4 service. As IPv6 transition is the key to the IPv6 network

transition, this technology enables IPv6 users to visit the existing IPv4 services.

Orienting to make the IPv6 Client to initiate IPv4 sessions actively in the future, the NAT64

technology not only simplifies NAT-PT scenario, but also makes the deployment and

maintenance easier.

Figure 3-7 NAT64 Application scenario

NAT64 technology has the following features:

IPv6 host sends a connection request to the IPv4 service initiative.

The NAT64 unit separated from the DNS unit.

NAT64 only supports IPv6 host initiates a session to IPv4 services, the IPv6 network

address mapping of the IPv4 server is relatively simple, and therefore do not need the

between NAT64 unit and DNS to close complex domain name and address associated

management, but also to avoid DNS security issues and DNSSEC compatibility issues.

DNS for NAT64 requires DNS64 function.

A record translated into AAAA records. In addition, when the system does not exist in the

AAAA records to support DNS proxy mode to query A record.

ZXR10 ZSR V2 support NAT64.



3.10 NAT

Network address translation (NAT) can translate an IP address used in one network

into a different IP address in another network. Usually, NAT is used to map IP

addresses used in private network or local enterprise network into one or multiple

addresses in public network or global internet. The features of NAT are:

Restrict the number of IP address requiring IANA registration used by private

network.

Save global IP address space required by intranet (for example, one

organization can use a single IP address for communication on internet)

Keep the confidentiality of LAN as the inner IP is not for public.

ZXR10 ZSR V2 supports the following NAT features:

Support in/out side NAT

Support NAT44 and NAT64

Support NAT multi-outlet

Support static / dynamic NAT

Support mapping mode, filter mode and two modes mix

Support PAT

Support PPPoE NAT(user side NAT)

Supports a variety of ALG applications, including TCP

ALG(FTP/RSTP/H323/PPTP),UDP ALG(DNS/SIP/H323) and ICMP ALG.



3.11 Network Management Features

3.11.1 NetNumen™ Integrated Network Management Platform

3.11.1.1 Network Management Networking

ZTE NetNumen™ is a network management system constructed on the data

communication network. It can take integrated maintenance and management of various

types of network equipment in a wide area and complicated application environment.

In-band management and out-band network management can be adopted between

NetNumen™ network management system and ZXR10 ZSR V2.

In-band management

In-band management means network management information and service data are

transported in one channel. No extra DCN should be built. NetNumen™ network

management system can fulfill its task as long as it’s connected to the nearby network

equipment with related SNMP parameters configured.

Out-band management

Out-band management means network management information is independent from

service data. The network management information is transported inside network

management system. Extra DCN network is needed. NetNumen™ network management

is connected to ZXR10 ZSR V2 via its out-band management interface. Network

management information and service information are transmitted independently and

respectively.

3.11.1.2 NetNumen™ Network Management System

The NetNumen™ U31 (BN) developed by ZTE is a unified network management system

aiming at managing SDH, MSTP, WDM, PTN, OTN and IP device (router and switch, etc.).

It includes the management of the network element, network, and service. The network

management provides the following services:

Fault management ensures stable network operation.



Performance management gives overall picture to the entire network service

situation.

Resource management enables rational network resource adoption.

View management makes the network running obvious.

Configuration management enables fast service deployment.

Security management makes the network safer.

Northbound interface supports third-party systems integration.

3.11.2 NETFLOW

The Netflow technology distinguishes the Flows of different services transfered in the

network rapidly. Each distinguished Netflow can be traced and calculated. It records the

traffic attribute such as the transmission direction and the destination, collect the start and

end time, service type, the data and byte number in the packet. The Netflow send the

original collected traffic and flow direction out on a regular basis. Besides, it can also

analyze the original records and send the results out. The ZXR10 ZSR V2 supports the

following Netflow features:

Be compatible with the industry-leading v5 , v8 and v9 files.

Transfer the message to the server in the manner of IPv4/UDP.

Support automatic message report.

Support the configuration of cache active and non-active aging time.

Support multiple servers.

Support flow-based random sampling.

Support the configuration of the interface traffic sampling.

Ethernet and POS physical interfaces together with its sub-interfaces support

Netflow sampling service.

Support independent interface ingress sampling

Support the independent sampling of multiple services (e.g. unicast/multicast and

MPLS services) in one direction.

Support data stream sampling ratio from 65535:1 to 1:1.



3.11.3 Network Layer Inspection

The ZXR10 ZSR V2 provides multiple network layer inspection services on the basis of

ping and trace, e.g. IP Ping, IP Trace, LSP Ping, LSP Trace, multicast Ping, and multicast

Trace.

3.12 System Operation and Maintenance

3.12.1 Multiple Configuration Methods

The ZXR10 ZSR V2 provides multiple device login and management configuration modes.

So that, the user can chose the best configuration mode as per different scenarios.

Serial port connection configuration

Telnet connection configuration

Secure shell protocol (SSH) connection configuration

SNMP connection configuration

Upgrade version by USB

Auto-config

Upgrade version batch by network management

3.12.2 System Policing and Maintenance

The ZXR10 ZSR V2 supports multiple ways to monitor, manage and maintain the device.

As a result, corresponding approaches are provided for different aberrance. The

specifications in running the device can also be offered.

The device policing includes:

There’re indicators in the power supply, fan, MPFU and all PIUs to show their running

status.

The fan monitoring is handled by the fan module. In addition to inspect the unit

on-board information and the status, it can also support changing the fan speed

intelligently.



The power supply monitoring provides on-board information, status information,

power consumption and DC/AC information.

When the breakdown occurs on the fan, power supply or the temperature, the audio

alarm and software alarm will be generated.

Distributed temperature collection and temperature monitoring are implemented on

the units.

The hot swappable and switchover events of the MPFU are recorded for the user’s

reference.

The version set will be checked automatically in running the system.

The system monitors the software running status. If the aberrance disturbs normal

device operation, the PIU will be restarted.

Device management and maintenance include:

The command line provides flexible online help.

Support the operation carried out by multiple users. Some commands can be used to

decide if other user can take operations at the same time.

Provide multi-level user authority management and automatic record of the user’s

operation log.

Support information center. Provide unified management to the log, alarm and

debugging information.

Run CLI command line to check the basic information of the MPFU, PIU and optical

modules of the device.

The user can decide if the user name and the password are used to get login through

the Console port.

Provide multiple information queries, including software version information,

component status, environment temperature, CPU and memory availability.

The ordinary user supports clear-text password and cipher.

Provide hierarchical device alarm management. Support alarm classification and

alarm filtration services. The alarms can be sent to the remote server.



3.12.3 Diagnosis and Debugging

The ZXR10 ZSR V2 provides many ways for diagnosis and debugging. So that, the user

can be more flexible and knowledgeable in the device debugging. Support special

diagnosis test command mode. Support complete device diagnosis and test services, so

that, it can inspect the device at any time. When the device breaks down, the cause can

be found remotely.

The inspection of the device running status.

Ping and TraceRoute.

Debugging.

3.12.4 Version Upgrade

The ZXR10 ZSR V2 supports the upgrade of the device Boot initiation file and he software

file. The new configuration can only take effect when the router is restarted.

Boot version upgrade: The initiation and drive files saved by the Bootrom storage on

the MPFU in the course of device upload can be upgraded locally or on line via the

remote FTP BOOT version.

Software version upgrade: The original device performance or the software service

can be optimized and enhanced locally or on line via the remote FTP/TFTP software.



4 System Architecture

4.1 Product Appearance

With modular architecture, the ZXR10 ZSR V2 is designed with hot swappable modules

and components, so that it is known for amazing flexibility. The entire device is composed

by chassis, backplane, MPFU, SPIU, PIU, DPIU, power supply unit and fan chassis.

ZXR10 2800-4&3800-8 is made of sheet metal. All the units, fan chassis, and cables

(vertical fiber egress) are installed through the front panel. ZXR10 1800-2S/2S(G)/2S(W)

is 380mm wide, belong to the desktop products, and are installed through the rear panel.

The width of the entire device complies of ZXR10

1800-2E/2E(G)/2800-3E/3E(G)/2800-4/3800-8 with the 19-inch standard in the industry.

So they can be installed in IEC297 standard rack and ETSI standard rack. The entire

device is 200mm deep, which can be put in any regular standard rack.

4.1.1 The Appearance of ZXR10 3800-8

The chassis of ZXR10 3800-8 is 3U (1U=44mm). The size of the device is 442 (W) x132

(H) x200mm (D). The front view of the ZXR10 3800-8 is as shown in the figure.

Figure 4-1 The Front View of the ZXR10 3800-8

The key components of the ZXR10 3800-8 are as shown in the figure:



Figure 4-2 The Key Components of the ZXR10 3800-8

The ichnography of the ZXR10 3800-8 architecture is as shown in the figure:

Figure 4-3 The Ichnography of the ZXR10 3800-8 Architecture

With horizontal slots, ZXR10 3800-8 is designed with 9 service slots, in which the number

0-7 slots are for SPIUs , PIUs and DPIUs, and number 8 slot is for MPFU

According to the size, the ZXR10 3800-8 supports three models of PIU.

DPIU types: This is high-speed interface board, which bandwidth is upto 10 Gbps.

Size (width x height x deep) is: 176 mm x 20 mm x 175 mm (Single-high DPIU) or 40

mm x 176 mm x 176 mm (Double-hight DPIU), in which Single-high DPIU takes up 3

or 7 slots, Double-hight DPIU takes up combination slot 1 and 3 or slot 5 and 7.

PIU types: This is general-speed interface board, bandwidth is 1 Gbps. Size (width x

height x deep) is: 176 mm x 20 mm x 175 mm (Single-high PIU) or 40 mm x 176 mm

x 176 mm (Double-hight PIU), in which Single-high PIU takes up 1, 3, 5 or 7 slots,

Double-hight PIU takes up combination slot 1 and 3 or slot 5 and 7.

SPIU types: This is general-speed interface board, which bandwidth is 1 Gbps. Size

(width x height x deep) is: 77 mm x 20 mm x 182 mm, in which SPIU takes up 0, 2, 4



or 6 slots.

4.1.2 The Appearance of ZXR10 2800-4

The chassis of 2800-4 is 2U (1U=44mm). The size of the device is 442mm (W) x88.1 (H)

x200mm (D). The front view of the ZXR10 2800-4 is as shown in the figure.

Figure 4-4 The Front View of the ZXR10 2800-4

The key components of the ZXR10 2800-4 are as shown in the figure:

Figure 4-5 The Key Components of the ZXR10 2800-4

The ichnography of the ZXR10 2800-4 architecture is as shown in the figure:

Figure 4-6 The Ichnography of the ZXR10 2800-4 Architecture

AC/DC

SPIU

SPIU

PIU

PIU/DPIU FAN

MPFU

AC/DC0 1

32

4



With horizontal slots, ZXR10 2800-4 is designed with 5 service slots, in which the number

0-3 slots are for SPIUs and PIUs, and number 4 is for MPFU.

According to the size, the ZXR10 2800-4 supports three models of PIU.


Size (width x height x deep) is: 176 mm x 20 mm x 175 mm (Single-high DPIU) or 40

mm x 176 mm x 176 mm (Double-hight DPIU), in which Single-high DPIU takes up 3

slot, Double-hight DPIU takes up combination slot 1 and 3.

PIU types: This is general-speed interface board, which bandwidth is 1 Gbps. Size

(width x height x deep) is: 176 mm x 20 mm x 175 mm (Single-high PIU) or 40 mm x

176 mm x 176 mm (Double-hight PIU), in which Single-high PIU takes up 1 or 3 slots,

Double-hight PIU takes up combination slot 1 and 3.


(width x height x deep) is: 77 mm x 20 mm x 182 mm, in which SPIU takes up 0 or 2

slots.

4.1.3 The Appearance of ZXR10 1800-2S/2S(G)/2S(W)

The chassis of 1800-2S/2S(G)/2S(W) is 1U (1U=44mm). The size of the device is 380mm

(W) x43.6 (H) x200mm (D). The front view of the ZXR10 1800-2S/2S(G)/2S(W) is as

shown in the figure.

Figure 4-7 The Front View of the ZXR10 1800-2S



Figure 4-8 The Front View of the ZXR10 1800-2S(G)/2S(W)

The ichnography of the ZXR10 1800-2S/2S(G)/2S(W) architecture is as shown in the

figure:

Figure 4-9 The Ichnography of the ZXR10 1800-2S/2S(G)/2S(W) Archtiecture

AC/DCSPIU

SPIUMPFU

0

1

The ZXR10 1800-2S/2S(G)/2S(W) only supports SPIU. This is general-speed

interface board, which bandwidth is 1 Gbps. Size (width x height x deep) is: 77 mm x

20 mm x 182 mm, in which SPIU takes up 0 or 1 slots.

4.1.4 The Appearance of ZXR10 1800-2E/2E(G)

The chassis of 1800-2E/2E(G) is 1U (1U=44mm). The size of the device is 442mm (W)

x44 (H) x200mm (D). The front view of the ZXR10 1800-2E/2E(G) is as shown in the

figure.

Figure 4-10 The Front and Real Panel of the ZXR10 1800-2E/2E(G)



The key components of the ZXR10 1800-2E/2E(G) are as shown in the figure:

Figure 4-11 The Key Components of the ZXR10 1800-2E/2E(G)

The ichnography of the ZXR10 1800-2E/2E(G) architecture is as shown in the figure:



Figure 4-12 The Ichnography of the ZXR10 1800-2E/2E(G) Architecture

With horizontal slots, ZXR10 1800-2E/2E(G) is designed with 3 service slots, in which the

number 0-1 slots are for SPIUs, and number 2 is for MPFU.

According to the size, the ZXR10 1800-2E/2E(G) supports SPIU.



slots.

4.1.5 The Appearance of ZXR10 2800-3E/3E(G)

The chassis of 2800-3E/3E(G) is 1U (1U=44mm). The size of the device is 442mm (W)

x44(H) x200mm (D). The front view of the ZXR10 2800-3E/3E(G) is as shown in the

figure.

Figure 4-13 The Front and Real Panel of the ZXR10 2800-3E/3E(G)



The key components of the ZXR10 2800-3E/3E(G) are as shown in the figure:

Figure 4-14 The Key Components of the ZXR10 2800-3E/3E(G)

The ichnography of the ZXR10 2800-3E/3E(G) architecture is as shown in the figure:

Figure 4-15 The Ichnography of the ZXR10 2800-3E/3E(G) Architecture

With horizontal slots, ZXR10 2800-3E/3E(G) is designed with 4 service slots, in which the

number 0-2 slots are for SPIUs and PIUs, and number 3 is for MPFU.

According to the size, the ZXR10 2800-3E/3E(G) supports three models of PIU.




Size (width x height x deep) is: 176 mm x 20 mm x 175 mm, in which DPIU takes up

2 slot.

PIU types: This is general-speed interface board, which bandwidth is 1 Gbps. Size

(width x height x deep) is: 176 mm x 20 mm x 175 mm, in which PIU takes up 2 slots.



slots.

4.2 Hardware Architecture

4.2.1 Overall Hardware Architecture

The hardware system of the ZXR10 ZSR V2 is mainly composed by the following service

subunits: management and packet forwarding unit, physical interface unit, high-speed

backplane service unit, power supply unit and fan unit. All the service units connect with

each other via the high-speed serial bus and Ethernet bus.

The hardware system architecture of the ZXR10 3800-8 is as shown in the figure:



Figure 4-16 The Hardware Architecture of the ZXR10 3800-8

The hardware system architecture of the ZXR10 2800-4 is as shown in the figure:

Figure 4-17 The Hardware Architecture of the ZXR10 2800-4

The hardware system architecture of the ZXR10 1800-2S/2S(G)/2S(W) is as shown in the

figure:



Figure 4-18 The Hardware Architecture of the ZXR10 1800-2S/2S(G)/2S(W)

The hardware system architecture of the ZXR10 1800-2E/2E(G) is as shown in the figure:

Figure 4-19 The Hardware Architecture of the ZXR10 1800-2E/2E(G)

The hardware system architecture of the ZXR10 2800-3E/3E(G) is as shown in the figure:

Figure 4-20 The Hardware Architecture of the ZXR10 2800-3E/3E(G)

The ZXR10 ZSR V2 has independent forwarding plane and control plane. The system

focuses on the management and packet forwarding unit (MPFU), and uses the backplane

to communmicate with other components. The multicore engine on the MPFU contains



forwarding core and control core as per different working contents. The forwarding core

and other system components compose a logical forwarding plane to implement message

forwarding and service processing. The control core and other system components make

of a logical control plane, which is used to implement routing protocol interaction, routing

calculation, system amanagement and control message synchronization. The system

archigtecture with the independent forwarding and control planes enables minimum

mutual influence caused in extending the services and performance of the two planes. In

this way, the system is more flexible.

The modular power supply unit and fan unit of the ZXR10 ZSR V2 can connect with the

high-speed backplane in the manner of the chassis, so that the entire device can be

cable-free. For the power supply unit, the ZXR10 ZSR V2 provides AC and DC power

supply modes.

4.2.2 The Working Principle of the Hardware System

The ZXR10 ZSR V2 uses independent control forwarding and control planes, and the two

planes are protected standby. The data packets experience the PIU physical layer chip

processing and frame resolution first. The ordinary services are sent directly to the MPFU.

Then the traffic management unit and the data forwarding unit on the MPFU work together

to send the target PIU interface. As for the protocol message and the control message,

they are processed by the processing unit of the PIU and the management and control

units of the MPFU.

4.2.3 The Introduction to the Hardware Unit

4.2.3.1 MPFU

As the control node of the product, the management and packet forwarding unit (MPFU)

of the ZXR10 ZSR V2 is responsible for data forwarding, management and maintenance.

The MPFU includes message forwarding unit, management and control unit, clock

processing unit and monitoring alarming unit, etc. It implements data forwarding and the

management of the system clock source, control plane, system maitenance plane and the

environment monitoring plane.

Message forwarding unit



Composed by the forwarding core of the multicore processor and other corresponding

chips on the MPFU, it is responsible for message classification, traffic control and

forwarding.

Management and control unit

The management and control unit is composed by the management core and control core

of the multicore processor, and the 1000M Ethernet switch unit. The management core

and the control core are responsible for the processing of the local protocol messages, the

management and configuration of table entries , MPFU chips and PIU chips. The 1000M

Ethernet switch unit switches the control plane messages of the local service card. The

management and control unit has the following services:

Process all sorts of protocol and signaling. Implement system status control and

report. The routing protocl control plane is independent from the configuration

operationg management plane, so that the protocol control plane becomes more

reliable, and the device is more manageable.

System status configuration and maintenance management. implement system data

configuration and upgrade. Provide system running log. Provide serial port and RJ45

interface for the device management and maintenance. SD card interface is offered

for data storage.

Traffic control unit

The traffic management unit is responsible for line-side traffic control, precedence

classification, congestion management, congestion avoidance and discarding policy. It

also supports multiple QoS services, e.g. CAR, Shaping, FQ, PA, WFQ, CBWFQ and

WRED. The traffic control unit as per the stream direction splits into Ingress traffic control

unit and Egress traffic control unit.

Monitoring alarm unit

The environment monitoring alarm unit is resposible for collecting and generating alarms

on the working status of the rack, e.g. the running status of the module, power supply, fan

and the temperature change. Also, via the CLI command and the SNMP real-time network

management display, it gives the admistrator a sound man-machine interface.



4.2.3.2 PIU

The ZXR10 ZSR V2 provides rich PIUs with multiple interface speeds and port densities.

So that, it can satisfy different network and service demands.

According to different sizes, the ZXR10 ZSR V2 supports three types of PIU:

The ZXR10 1800-2S and ZXR10 1800-2E/2E(G) support SPIU only. The ZXR10

2800-4/3800-8/2800-3E/3E(G) support SPIUs, PIUs and DPIUs.

The PIUs supported by the ZXR10 ZSR V2 are as shown in the table:

Table 4-1 The PIUs supported by the ZXR10 ZSR V2

PIU Name PIU Type Description

SPIU, For 1800/2800/3800

RAC-SPIU-04GE SPIU 4-port 100/1000M RJ45 Physical Interface

Unit

RAC-SPIU-02UE1-75 SPIU 2-port E1 Physical Interface Unit (75 ohm)

RAC-SPIU-02UE1-120 SPIU 2-port E1 Physical Interface Unit (120ohm)

RAC-SPIU-02CE1-75 SPIU 2-port E1/Channelized E1 Physical Interface

Unit (75 ohm)

RAC-SPIU-02CE1-120 SPIU 2-port E1/Channelized E1 Physical Interface

Unit (120ohm)

RAC-SPIU-02HS SPIU 2-port Syn./Asyn. Series Port Physical

Interface Unit

PIU, For 2800-4/3800-8/2800-3E/3E(G) (2800-3E/3E(G) does not support

RAC-PIU-16FE1GE-1SFP)

RAC-PIU-LTE PIU FDD/TDD/TD-SCDMA/WCDMA/HSPA+

RAC-PIU-08GE-SFP PIU 8-port GE SFP Physical Interface Unit

RAC-PIU-09GE-8E1SFP PIU 8-port 100/1000M RJ45 and 1-port GE

SFP Physical Interface Unit

RAC-PIU-05GE-4E1SFP PIU 4-port 100/1000M RJ45 and 1-port GE SFP

Physical Interface Unit

RAC-PIU-04GE-SFP PIU 4-port 100/1000M SFP Physical Interface

Unit

RAC-PIU-08FE1GE-1SFP PIU 8-port 100M RJ45 and 1-port GE SFP




PIU Name PIU Type Description

RAC-PIU-16FE1GE-1SFP PIU 16-port 100M RJ45 and 1-port GE SFP


RAC-PIU-16CE1 PIU 16-port E1/Channelized E1 Physical

Interface Unit

RAC-PIU-16CE1-CES PIU

16-port E1/Channelized E1 Physical

Interface Unit, Support Circuit Emulation

Service

RAC-PIU-04UE1-75 PIU 4-port E1 Physical Interface Unit (75 ohm)

RAC-PIU-04UE1-120 PIU 4-port E1 Physical Interface Unit (120ohm)

RAC-PIU-04CE1-75 PIU 4-port E1/Channelized E1 Physical Interface

Unit (75 ohm)

RAC-PIU-04CE1-120 PIU 4-port E1/Channelized E1 Physical Interface

Unit (120ohm)

RAC-PIU-01P12-SFP PIU 1-port OC-12/STM-4 POS Physical Interface

Unit

RAC-PIU-04P3-SFP PIU 4-port OC3c/STM-1c POS SFP Physical

Interface Unit

RAC-PIU-04CP3-SFP PIU 4-port Channelized OC3c/STM-1c POS SFP


RAC-PIU-02P3-SFP PIU 2-port OC3c/STM-1c POS SFP Physical

Interface Unit

RAC-PIU-02CP3-SFP PIU 2-port Channelized OC3c/STM-1c POS SFP


RAC-PIU-01DSLB PIU 1-port xDSL Physical Interface Unit

RAC-PIU-04SHDSL PIU 4-port SHDSL Physical Interface Unit

RAC-PIU-04HS PIU 4-port Syn./Asyn. Series Port Physical

Interface Unit

DPIU, For 2800-4/3800-8/2800-3E/3E(G)(2800-3E/3E(G) does not support

RAC-DPIU-16GE-12SFP4E and OSU)

RAC-DPIU-16GE-12SFP4E DPIU 12-port GE SFP and 4-port 100/1000M

RJ45 Physical Interface Unit

RAC-DPIU-01XGE-SFP+ DPIU 1-port 10GE LAN/WAN SFP Physical

Interface Unit

RAC-DPIU-OSU-A1 OSU ZSR V2 Open Service Unit A1

RAC-DPIU-OSU-A2 OSU ZSR V2 Open Service Unit A2



4.2.3.3 Open Service Unit (OSU)

Open Service Unit is launched by ZTE on ZXR10 ZSR V2 router platform to allow service

provider, enterprise customers, third-party manufacturers and ZTE to independent or

co-develop a variety of value-added services.

Users can install Linux, Windows and other operating systems on the OSU and the

application software installed on the operating system.

Figure 4-21 Open Service Unit of ZXR10 ZSR V2

Table 4-2 Physical Indices of OSU

Feature RAC-DPIU-OSU-A1 RAC-DPIU-OSU-A2

model ZXR10 2800-4/3800-8 ZXR10 2800-4/3800-8

slot 1 DPIU(Dual-height slot) 1 DPIU(Dual-height slot)

CPU Frequency: 1.7GHz

, Quad-core Intel processors

Frequency: 2.4GHz

, Quad-core Intel processors

Memory 1 x 4GB/8GB DDR3 Default: 1 x 4GB/8GB DDR3

Hard disk 1 x 500G/1T 1 x 500G/1T

Interface

4xUSB

1xRS232

1xRJ45

1xVGA

4xUSB

1xRS232

1xRJ45

1xVGA

Dimensions

(HxWxD) 40.24x197.2x175 mm 40.24x197.2x175 mm



4.2.3.4 Power Supply Unit

The ZXR10 ZSR V2 supports 100V-240V AC power supply unit and -38V--72V DC power

supply unit. The ZXR10 1800-2S adopts single power supply mode. The ZXR10

2800-4/ZXR10 3800-8/ZXR10 1800-2E/2E(G)/ZXR10 2800-3E/3E(G) supports dula

power supply units which are in 1+1 rendundancy mode. They support hybrid insertion of

AC and DC power supply units, power supply pluggable.

ZXR10 2800-4 and 3800-8 AC and DC power supply module rated output power is 250W,

size (length x width x deep): 40 mm x 80 mm x 175 mm.

4.2.3.5 FAN Module Unit

ZXR10 ZSR V2 has a vertical fan which draws air to cool the equipment. It can

automatically adjust the speed according to equipment operation, monitor fan status and

report fault alarm. Cooling air enters at one side of the router, passes boards and power

modules and then exits at the other side.

ZXR10 1800-2S/2S(G)/2S(W) fan module includes three fan units, for each fan unit size

(length x width x deep): 40mmx40mmx10mm. ZXR10 2800-4 fan module includes two fan

units, for each fan unit size (length x width x deep): 60 mmx60mmx25mm. ZXR10 3800-8

fan module includes four fan units, for each fan unit size (length x width x deep): 60

mmx60mmx25mm. ZXR10 1800-2E/2E(G)/2800-3E/3E(G) fan module includes seven

fan units, for each fan unit size (length x width x deep): 40mmx40mmx10mm.

4.3 Software Architecture

The software system of the ZXR10 ZSR V2 is made on the basis of the ZXROSng

software platform which has self-owned intellectual property. It satisfifies different

network demands in high-performance and complicated commercial service environment.

This software has the most integrated network features defined by the international

standards. The entire software architecture is as shown in the following figure:



Figure 4-22 The Entire Software Architecture of the ZXR10 ZSR V2

User Management Service Control Subsystem

Distributed Operation System Support Platform

MP

LS

Pro

toco

l

Su

bsyste

m

Hardware & Driver

Ne

two

rk M

an

ag

em

en

t

Su

bsyste

m

L2 Protocol Subsystem

IP Routing Subsystem

SN

MP

Su

bsyste

m

Sta

tistica

l A

larm

Su

bsyste

m

Th

e S

ecu

rity

Su

bsyste

mUnicast Routing

Protocol Subsystem

Multicast Routing

Protocol

Subsystem

Support Protocol

Subsystem

The key services of the subsystems of the ZXR10 ZSR V2 software are:

Hardware drive subsystem: Provide the software drives for the MPFU, the PIU, the

backplane, the fan and the power supply.

Distributed operating system platform: A real-time operating system which is the core

of the ZXR10 ZSR V2 software system is responsible for managing the hardware

system architecture of the entire system and providing a unified operating platform

for all the application programs on the entire software system. It is known for high

reliability, real-time feature, self-healing feature, maintainability and encapsulation.

L2 protocol subsystem: It implements the drive of the switching chip, L2 link control

and management protocols. At the same time, it offers support to the L3 protocols.

IP routing subsystem: It is the core of the router software system. It runs IPv4 and

IPv6 routing protocols, including RIP, OSPF and BGP protocols (the multicast routing

protocol is included). This system is responsible for routing data reception and

storage, entire routing table establishment, route selection, forwarding and

interaction, and routing table maintenance.

Unicast routing protocol subsystem: Via exchanging the information among different

routers in the network, it collects the network topology information, and forms an IP

unicast routing table. In addition, it sends the routing information to the IP forwarding

layer to forward the unicast IP packet.

Multicast routing protocol subsystem: It generates the routing table for the bottom

layer to forward the multicast packets.



Support protocol subsystem: It processes the IP data, ICMP protocol, ARP protocol,

TCP protocol and UDP protocol. In addition, it also implements Telnet process, client

process, and the processing of FTP and TFTP protocols. The support system

provides services for the routing subsystem and the management subsystem.

Security subsystem: It realizes multiple device security protection services. By

providing message filtration, encryption password, authentication, the permission to

change the configuration, multiple VPN technologies, NAT, MD5, user authentication

and the statistic information, it gives 100% security guarantee to the device and the

user’s applications.

MPLS protocol subsystem: It implements LDP, RSVP-TE and L2/L3 VPN. It provides

basic MPLS basic service and label forwarding service.

Statistic alarm subsystem: It maintains all sorts of statistic alarm configuration

information. Also, it saves all the statistical information and offers query interfaces.

System management: It provides file management, device management (power

supply and fan modules), monitoring maintenance and diagnosis commissioning

services. It keeps the device in a reliable running status.

SNMP subsystem: It realizes SNMP AGENT service. Also, it supports all the protocol

operations of the SNMP agent in SNMP V1/V2/V3.

Network management subsystem: By providing device network configuration

management, fault management, performance management and security

management, it finishes the device file system service, version management, the

management of the configuration files and logs.

User management service control subsystem: It implements the existing user access

and management services. It also realizes user service configuration, AAA service,

user management service including PPP user management, IP user management,

VPLS service control and multicast user management.

The ZXROSng platform of the ZXR10 ZSR V2 software system is a multitask distributed

real-time nework operating system. It offers unified IP protocol to all the devices made by

ZTE. The ZXROSng provides mature and stable architecture, so it has been extensively

used by the operators in recent years. The existing ZXROSng platform is an enhanced

version on the basis of the user’s service demands. The new platform gives more



consideration to the costs of the operation and maintenance, and the service scalability

and application capability are both improved in the following ways:

Superior encapsulation

Support multiple operating systems. Support smooth upgrade of the operating

system.

All the devices are configured in the same way, which makes the operation and

maintenance easier.

Powerful monitoring service

Provide monitoring to the aberrance of the process and memory

Provide monitoring to power supply, fan speed, voltage, current and

environment temperature.

Provide fast fault location to make sure highly reliable product version.

Flexible modular component

All software services based upon the ZXROSng platform can be easily

extended and uninstalled. New services are developed quickly on the basis of

the original architecture.

Flexible customization based upon the user’s demands gives quick response to

the user’s requirements.

Extension of the new telecom Ethernet services based upon the unified platform

Support L2/L3 VPN mechanism. Support H-VPLS to satisfy different service

deopolyment. Support the muolticast service in VPN, and realize fast VPN

deployment via the unified network management. Deploy the multicast service

such as user video and IPTV rapidly.

Provide integrated QoS mechanism. Support traffic classification traffic mark,

traffic speed restrain, traffic shaping, congestion management and congestion

avoidance mechanisms.



Support IPv4/IPv6 dual protocol stacks. Support the IPv4/IPv6 transition

mechanism in different application scenarios: universal manual tunnel,

automatic 6To4 tunnel and 6PE, etc.

Sound interaction. Comply with the mainstream protocols and standards.



4.4 Technical Specifications

Table 4-3 Physical Indices of ZXR10 ZSR V2

Item 1800-2E/2E(G) 2800-3E/3E(G)

1800-2S/2S(G)/2S(

W)

2800-4 3800-8

Hardware features

Forwarding

performance 1.5Mpps 5Mpps 1Mpps 1.5M~5Mpps

Fixed

interface

WAN: 2*GE Combo

LAN: 24*GE

-2E(G)/3E(G): 3G/LTE

2*GE Combo+ 4*GE

RJ45

2S(W): WIFI

2S(G): 3G/LTE

2*GE Combo + 4*GE

RJ45/4*GE Combo + 2*GE

RJ45

MAC Address

Table

8k 8k 8k 8k 8k

Maximum

number of

VLAN

1k 1k 1k 1k 1k

Memory 2G 2G 2G 2G 2G

FLASH 1G 4G 1G 4G 4G

Flash

Capacity

Support multiple copies of software and configurations can be kept on the router.

USB 2.0 2 2 2 2 2

Micro USB 1 1 1 0 0

CON(RJ45) 1 1 1 1 1

AUX 1 1 1 1 1

SPIU slot 2 2 2 2 4

PIU slot 0 1 0 2 4

DPIU slot 0 1 0 1 2

OSU slot 0 0 0 1 2



Interface

GE/FE

E1/CE1

V.35/V.24

GE/FE,

E1/CE1,OC-3/ST

M-1 POS/CPOS,

OC-12/STM-4

POS,

ADSL/VDSL,

G.SHDSL,V.35/

V.24,3G/LTE

GE/FE

E1/CE1

V.35/V.24

GE/FE, E1/CE1,OC-3/STM-1

POS/CPOS, OC-12/STM-4

POS, ADSL/VDSL,

G.SHDSL,V.35/ V.24,3G/LTE

OSU

Dimensions

(H×W×D mm) 44×442x440 43.6×380×200

88.1×442×20

0

132.0×442×20

0

Power AC:100V~240V

1+1 Redundant power

AC:100V~240V ,

60Hz

DC: -72V~ -38V

AC:100V~240V/DC: -72V~

-38V

1+1 Redundant power

Maximum

power

consumption

80W 120W 55W 160W 240W

Long-term

environment

al

temperature

-5oC~45

oC

Short-term

environment

al

temperature

-40oC ~ 70

oC

Operating

Environment

Humidity

5% ~ 95%(Non-condensing)

Software features

Protocol

L2: MAC management, VLAN, QinQ, superVLAN, smartgroup , PPP, PPPOE, HDLC, FR,802.1x

IPv4/IPv6: Static routing, RIP/RIPng, OSPF/OSPFv2/OSPFv3, IS-IS/IS-ISv6, BGPv4/BGP4+

Multicast: Static multicast, IGMPv1/v2/v3, PIM-DM, PIM-SM, PIM-SSM, MSDP, PIM-SSM

mapping, MLDv1/v2, 802.1Q

DHCPv4/v6 Relay, DHCPv4/v6 Server, DHCPv4/v6 Snooping

MPLS LDP, MPLS Traffic load sharing, RSVP-TE

MPLS L2/3 VPN, PWE3, Inter-AS Option A/B/C, 6vPE

VPN VPWS, VPLS, HVPLS, 6VPE, GRE, IPSec, L2TP

Transition

technology 6PE, 6VPE, 6in4, 6to4, 4in6, NAT444, NAT64, 6rd

NAT Static NAT, Dynamic NAT, PAT, NAT multi-exports, NAT ALG, NAT syslog



QoS

H-QOS, QPPB, QOS based on time-range. Flow classification, mark, priority inheritance and

mapping, traffic shaping/speed limit. PQ, CQ, WFQ CBWFQ and traffic scheduling based on

physical port

3G/LTE TD-SCDMA, WCDMA/HSPA+

TDD, FDD LTE

Security

State firewalls, control plane safety, CPU safety protection, prevent DOS and DDOS, routing

security, IPSEC encryption. MAC and IP binding, ARP attack prevention, MAC address

filtering/quantity control, the number of the TCP session control. RADIUS and TACACS+

certification, uRPF, SSH

Reliability Power supply redundancy, key components hot drawing

BFD for everything, VRRP, link bound, FRR, pseudo line redundancy, SDC smart dial-up control

OAM

Ethernet OAM, SQA, USB deployment, batch management, temperature monitoring, automatic

fan speed control, port mirror, NetFlow V5/ V9, NetFlow 1:1

SNMPv1/v2/v3, TR069, Telnet, SSHv1/v2, SYSLOG and RMON



4.5 RFC List

The RFC list below contains the RFCs that this equipment can support.

RFC List

Index Title

RFC768 User Datagram Protocol

RFC791 Internet Protocol/Internet Protocol version 4

RFC792 Internet Control Message Protocol(ICMP)

RFC793 Transmission Control Protocol (TCP)

RFC826 Address Resolution Protocol (ARP)

RFC854 Telnet Protocol Specification

RFC855 TELNET OPTION SPECIFICATIONS

RFC1131 OSPF specification

RFC1142 IS-IS Intra-Domain Routing Protocol

RFC1157 A Simple Network Management Protocol (SNMP)

RFC1191 Path MTU Discovery

RFC1213 Management Information Base (MIB) for Network Management of TCP/IP-based

internets:MIB-II.

RFC1215 A Convention for Defining Traps for use with the SNMP

RFC1245 OSPF protocol analysis

RFC1246 Experience with the OSPF protocol

RFC1305 Network Time Protocol (NTP) Version 3

RFC1315 Management Information Base (MIB) for Frame Relay DTEs.

RFC1334 PPP Authentication Protocols

RFC1349 Type of Service in the Internet Protocol Suite

RFC1350 TFTP Version 2

RFC1657 Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol

(BGP-4) using SMIv2.

RFC1661 The Point-to-Point Protocol (PPP)

RFC1701 Generic Routing Encapsulation (GRE)

RFC1717 The PPP Multilink Protocol (MP)

RFC1721 RIP Version 2 Protocol Analysis

RFC1722 RIP Version 2 Protocol Applicability Statement

RFC1723 RIP version 2 Carrying Additional Information

RFC1724 RIP Version 2 Management Information Base (MIB) Extension.

RFC1745 BGP4/IDRP for IP — OSPF Interaction

RFC1757 Remote Network Monitoring Management Information Base (MIB).

RFC1765 OSPF Database Overflow Specification

RFC1769 Simple Network Time Protocol (SNTP)



RFC1771 Border Gateway Protocol 4

RFC1772 Application of the Border Gateway Protocol in the Internet

RFC1793 Extending OSPF to Support Demand Circuits

RFC1812 Requirements for IP Version 4 Routers

RFC1850 OSPF Version 2 Management Information Base (MIB) Specification

RFC1877 PPP Internet Protocol Control Protocol Extensions for Name Server Addresses

RFC1901 Introduction to Community-based SNMPv2

RFC1902 Structure of Management Information for Version 2 of the Simple Network Management

Protocol (SNMPv2)

RFC1903 Textual Conventions for Version 2 of the Simple Network Management Protocol (SNMPv2)

RFC1904 Conformance Statements for Version 2 of the Simple Network Management Protocol

(SNMPv2)

RFC1905 Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)

RFC1906 Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)

RFC1907 Management Information Base (MIB) for Version 2 of the Simple Network Management

Protocol (SNMPv2).

RFC1918 Address Allocation for Private Internets

RFC1965 BGP4 Confederations

RFC1966 BGP Route Reflection: An Alternative to Full-Mesh IBGP

RFC1981 Path MTU Discover for IPv6

RFC1990 The PPP Multilink Protocol

RFC1994 PPP Challenge Handshake Authentication Protocol (CHAP)

RFC1997 BGP Communities Attribute

RFC2273 SNMPv3 Applications.

RFC2283 Multiprotocol Extensions for BGP-4

RFC2292 Advanced Sockets API for IPv6

RFC2328 OSPF Version 2

RFC2338 Virtual Router Redundancy Protocol

RFC2362 Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification

RFC2370 The OSPF Opaque LSA Option Specification

RFC2373 IP Version 6 Addressing Architecture

RFC2374 An IPv6 Aggregatable Global Unicast Address Format

RFC2375 IPv6 Multicast Address Assignments

RFC2385 Protection of BGP Sessions via the TCP MD5 Signature Option

RFC2401 Security Architecture for the Internet Protocol

RFC2402 IP Authentication Header Specification

RFC2406 IP Encapsulating Security Payload Specification

RFC2407 The Internet Key Exchange Specification

RFC2408 Internet Security Association and Key Management Protocol (ISAKMP)

RFC2409 The Internet IP Security Domain of Interpretation for ISAKMP



RFC2428 FTP Extensions for IPv6 and NATs

RFC2439 BGP Route Flap Damping

RFC2452 IP Version 6 Management Information Base (MIB) for the Transmission Control Protocol.

RFC2453 RIP Version 2

RFC2454 IP Version 6 Management Information Base (MIB) for the User Datagram Protocol.

RFC2460 IPv6 Specifications

RFC2461 Neighbor Discovery for IPv6

RFC2462 IPv6 Stateless Address Auto Configuration

RFC2570 Introduction to Version 3 of the Internet-standard Network Management Framework

RFC2571 An Architecture for Describing SNMP Management Frameworks

RFC2572 Message Processing and Dispatching for the Simple Network Management Protocol

(SNMP)

RFC2573 SNMP Applications

RFC2574 User-based Security Model (USM) for version 3 of the Simple Network Management

Protocol (SNMPv3)

RFC2575 View-based Access Control Model (VACM) for the Simple Network Management Protocol

(SNMP)

RFC2710 Multicast Listener Discovery (MLD) for IPv6

RFC2711 IPv6 Router Alert Option

RFC2863 The Interfaces Group MIB

RFC2865 Remote Authentication Dial In User Service (RADIUS)

RFC2866 RADIUS Accounting

RFC2869 RADIUS Extensions

RFC2890 Key and Sequence Number Extensions to GRE

RFC2893 Transition Mechanisms for IPv6 Hosts and Routers

RFC2918 Route Refresh Capability for BGP-4

RFC3810 Multicast Listener Discovery Version 2 (MLDv2) for IPv6

RFC4601 Protocol Independent Multicast-Sparse Mode (PIM-SM)

Documents

ZXR10 ZSR V2 Series Router Product · PDF fileZXR10 ZSR V2 Series Router Product Description ZTE Confidential & Proprietary 1 ZXR10 ZSR V2 Series Router Product Description Version