HCIE-Datacom V1.0 Training Material

This document discusses advanced features of the Interior Gateway Protocols (IGPs) OSPF and IS-IS, including fast convergence techniques, routing control, and other features. It describes how OSPF and IS-IS use partial route calculation (PRC) and an intelligent timer to speed up route convergence in response to network changes. The document also outlines configuration commands for the intelligent timer to control route calculation and LSA generation intervals to balance fast convergence with resource utilization.

Advanced IGP Features

Foreword

⚫ Both Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-
IS) are link-state-based Interior Gateway Protocols (IGPs). Routers that run them
synchronize link state databases (LSDBs) and use the shortest path first (SPF) algorithm to
calculate optimal routes.
⚫ In response to network topology changes, OSPF and IS-IS support multiple fast convergence
and protection mechanisms, which minimize traffic loss caused by network faults.
⚫ To control the size of a routing table, OSPF and IS-IS support route selection and routing
information control.
⚫ This course describes the advanced features of OSPF and IS-IS, including fast convergence,
routing control, and other features.

1 Huawei Confidential
Objectives

⚫ On completion of this course, you will be able to:


 Describe various fast convergence techniques of OSPF and IS-IS.
 Perform configurations for OSPF and IS-IS equal-cost routes.
 Configure OSPF and IS-IS to advertise default routes.
 Describe the application scenarios of OSPF and IS-IS multi-process.
 Describe graceful restart (GR) and non-stop routing (NSR) fundamentals of OSPF and
IS-IS.
 Describe the application scenarios of OSPF forwarding addresses (FAs).
 Describe the fundamentals of IS-IS LSP fragment extension.

Contents

1. OSPF Fast Convergence

2. OSPF Route Control

3. Other OSPF Features

4. Advanced IS-IS Features

Overview | PRC | Intelligent Timer | FRR | BFD Association

Overview of OSPF Fast Convergence


⚫ OSPF fast convergence is an extended feature of OSPF to speed up route convergence. It features
partial route calculation (PRC) and the intelligent timer.
⚫ In addition, OSPF supports fast convergence upon fault rectification. For example, OSPF IP fast reroute
(FRR) can be used to implement fast traffic switchover to a backup link, and OSPF can also be
associated with BFD to implement fast fault detection.


PRC
⚫ PRC only calculates routes that have been changed on a network.
⚫ PRC does not calculate nodes. Instead, it updates routes based on the shortest path tree (SPT)
calculated using the SPF algorithm.

[Figure: SPT with R1 as the root and R2, R3, R4, and R5 as nodes; Loopback0 on R5 is a directly connected
network segment that is added. In route calculation, a node represents a router, and a leaf represents a
route. PRC processes only the changed leaf information.]

• Scenario description:
▫ OSPF runs on a network. The figure shows the SPT with R1 as the root after network convergence. When R1
accesses R5, traffic is sent to the destination based on [outbound interface of R1's downlink, IP address of
R3's uplink interface].
▫ OSPF is enabled on Loopback0 of R5. This means that a new network segment is added to the OSPF network.
• PRC:
▫ R5 floods a new LSA on the entire network.
▫ After receiving the LSA, R1 creates a new route that inherits the original path and next hop used when R1
accesses R5. In this case, the SPT remains unchanged, and only a leaf is added to R5.
▫ Therefore, when R1 accesses Loopback0 of R5, traffic is sent to the destination based on [outbound interface
of R1's downlink, IP address of R3's uplink interface].
• Benefits:
▫ PRC focuses only on routes that are changed due to the addition of network segments to an OSPF network,
thereby speeding up route calculation.

• Note: On Huawei devices, OSPF PRC is enabled by default.



Intelligent Timer
⚫ The intelligent timer is used for SPF calculation and LSA generation.
⚫ It can quickly respond to a small number of external incidents and prevent excessive CPU consumption.

Controlling LSA Generation and Reception
• To prevent network connection flapping or frequent route flapping from consuming excessive device
resources, OSPF complies with the following rules:
▫ After an LSA is generated, it cannot be generated again within 1s. The interval for updating LSAs is 5s.
▫ The interval for receiving LSAs is 1s.
• On a stable network where routes need to be fast converged, the intelligent timer can be used to set the
interval for updating LSAs to 0s in order to cancel this interval. In this manner, topology or route changes
can be immediately advertised to the network through LSAs or be immediately detected, thereby speeding up
route convergence on the network.

Controlling Route Calculation
• When a network changes, the OSPF LSDB changes, and the shortest path needs to be recalculated. If a
network changes frequently, the shortest path is recalculated each time, which results in excessive
consumption of system resources and compromises device efficiency.
• You can configure the intelligent timer to set a proper interval for SPF calculation in order to prevent
excessive consumption of a router's memory and bandwidth resources.

• If the interval for triggering route calculation is long, the network convergence speed is affected.
• The first timeout period of the intelligent timer is fixed. Before the intelligent timer expires, if an event
that triggers the timer occurs, the next timeout period of the intelligent timer becomes longer.

Basic Intelligent Timer Configuration Commands (1)


1. Set an interval for updating OSPF LSAs.

[Huawei-ospf-1] lsa-originate-interval { 0 | { intelligent-timer max-interval start-interval hold-interval | other-type interval } }

By default, the intelligent timer is enabled; the maximum interval, initial interval, and hold interval at which
LSAs are updated are 5000 ms, 500 ms, and 1000 ms, respectively.

⚫ After the intelligent timer is used:
 The initial interval for updating LSAs is specified by start-interval.
 The interval at which LSAs are updated for the nth (n ≥ 2) time equals hold-interval × 2^(n – 2).
 When the interval specified by hold-interval × 2^(n – 2) reaches the maximum interval specified by max-interval,
OSPF updates LSAs at the maximum interval for three consecutive times. Then, OSPF returns to the first step
and updates LSAs at the initial interval specified by start-interval.

• Command: [Huawei-ospf-1] lsa-originate-interval { 0 | { intelligent-timer max-interval start-interval hold-interval | other-type interval } }
▫ 0: sets the interval for updating LSAs to 0s, that is, cancels the interval of 5s for updating LSAs.
▫ intelligent-timer: uses the intelligent timer to set the update interval for router-LSAs and network-LSAs.
▫ max-interval: specifies the maximum interval for updating OSPF LSAs. The value is an integer ranging from
1 to 120000, in milliseconds. The default value is 5000.
▫ start-interval: specifies the initial interval for updating OSPF LSAs. The value is an integer ranging from
0 to 60000, in milliseconds. The default value is 500.
▫ hold-interval: specifies the hold interval for updating OSPF LSAs. The value is an integer ranging from
1 to 60000, in milliseconds. The default value is 1000.
▫ other-type: sets an update interval for OSPF LSAs except router-LSAs and network-LSAs.
▫ interval: specifies the interval for updating LSAs. The value is an integer ranging from 0 to 10, in seconds.
The default value is 5.

Basic Intelligent Timer Configuration Commands (2)


2. Set an interval for receiving OSPF LSAs.

[Huawei-ospf-1] lsa-arrival-interval { interval | intelligent-timer max-interval start-interval hold-interval }

By default, the intelligent timer is enabled; the maximum interval, initial interval, and hold interval at which
LSAs are received are 1000 ms, 500 ms, and 500 ms, respectively.

⚫ After the intelligent timer is used:
 The initial interval for receiving LSAs is specified by start-interval.
 The interval at which LSAs are received for the nth (n ≥ 2) time equals hold-interval × 2^(n – 2).
 When the interval specified by hold-interval × 2^(n – 2) reaches the maximum interval specified by max-interval,
OSPF receives LSAs at the maximum interval for three consecutive times. Then, OSPF returns to the first step
and receives LSAs at the initial interval specified by start-interval.

• Command: [Huawei-ospf-1] lsa-arrival-interval { interval | intelligent-timer max-interval start-interval hold-interval }
▫ interval: specifies the interval for receiving LSAs. The value is an integer ranging from 0 to 10000, in
milliseconds.
▫ intelligent-timer: uses the intelligent timer to set the receive interval for LSAs.
▫ max-interval: specifies the maximum interval for receiving OSPF LSAs. The value is an integer ranging from
1 to 120000, in milliseconds. The default value is 1000.
▫ start-interval: specifies the initial interval for receiving OSPF LSAs. The value is an integer ranging from
0 to 60000, in milliseconds. The default value is 500.
▫ hold-interval: specifies the hold interval for receiving OSPF LSAs. The value is an integer ranging from
1 to 60000, in milliseconds. The default value is 500.

Basic Intelligent Timer Configuration Commands (3)


3. Set an interval for OSPF route calculation.

[Huawei-ospf-1] spf-schedule-interval { interval1 | intelligent-timer max-interval start-interval hold-interval | millisecond interval2 }

By default, the intelligent timer is enabled; the maximum interval, initial interval, and hold interval for SPF
calculation are 10000 ms, 500 ms, and 1000 ms, respectively.

⚫ After the intelligent timer is used, the interval for SPF calculation is as follows:
 The initial interval for SPF calculation is specified by start-interval.
 The interval for SPF calculation for the nth (n ≥ 2) time equals hold-interval × 2^(n – 2).
 When the interval specified by hold-interval × 2^(n – 2) reaches the maximum interval specified by max-interval,
OSPF performs SPF calculation at the maximum interval for three consecutive times. Then, OSPF returns to the
first step and performs SPF calculation at the initial interval specified by start-interval.

• Command: [Huawei-ospf-1] spf-schedule-interval { interval1 | intelligent-timer max-interval start-interval hold-interval | millisecond interval2 }
▫ interval1: specifies an interval for OSPF SPF calculation. The value is an integer ranging from 1 to 10,
in seconds.
▫ intelligent-timer: uses the intelligent timer to set the interval for OSPF SPF calculation.
▫ max-interval: specifies the maximum interval for OSPF SPF calculation. The value is an integer ranging from
1 to 120000, in milliseconds. The default value is 10000.
▫ start-interval: specifies the initial interval for OSPF SPF calculation. The value is an integer ranging from
1 to 60000, in milliseconds. The default value is 500.
▫ hold-interval: specifies the hold interval for OSPF SPF calculation. The value is an integer ranging from
1 to 60000, in milliseconds. The default value is 1000.
▫ millisecond interval2: specifies an interval for OSPF SPF calculation. The value is an integer ranging from
1 to 10000, in milliseconds.
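The three commands above share one back-off rule: the first interval is start-interval, the nth interval is hold-interval × 2^(n – 2) capped at max-interval, and after three consecutive runs at max-interval the timer returns to start-interval. The following Python model, added here as an example and not Huawei code, plays that rule forward for the default values quoted on the slides and contrasts it with a fixed interval during a burst of continuous changes. One assumption is made where the slides are silent: the run at which hold-interval × 2^(n – 2) first reaches max-interval counts as the first of the three maximum-interval runs.

```python
"""Model of the OSPF intelligent timer behind lsa-originate-interval,
lsa-arrival-interval and spf-schedule-interval (added example, not Huawei
code). Rule implemented: interval 1 = start-interval; interval n (n >= 2) =
hold-interval * 2^(n-2), clamped to max-interval; after three consecutive
intervals at max-interval the cycle restarts at start-interval. Assumption:
the first clamped interval counts as one of the three."""
from itertools import islice
from typing import Iterator, List, Tuple

# Defaults quoted on the slides, in milliseconds, in the command's argument
# order: (max-interval, start-interval, hold-interval).
LSA_ORIGINATE_DEFAULT: Tuple[int, int, int] = (5000, 500, 1000)
LSA_ARRIVAL_DEFAULT: Tuple[int, int, int] = (1000, 500, 500)
SPF_SCHEDULE_DEFAULT: Tuple[int, int, int] = (10000, 500, 1000)


def intelligent_timer(max_ms: int, start_ms: int, hold_ms: int) -> Iterator[int]:
    """Yield the interval (ms) imposed before each successive trigger while
    triggers keep arriving (a flapping network) and the timer keeps re-arming."""
    n, at_max = 1, 0          # step in the current cycle; consecutive clamped runs
    while True:
        interval = start_ms if n == 1 else min(hold_ms * 2 ** (n - 2), max_ms)
        yield interval
        at_max = at_max + 1 if interval >= max_ms else 0
        n += 1
        if at_max == 3:       # three runs at the maximum: back to the first step
            n, at_max = 1, 0


def intelligent_timer_intervals(max_ms: int, start_ms: int, hold_ms: int, events: int) -> List[int]:
    """First `events` intervals of the back-off sequence."""
    return list(islice(intelligent_timer(max_ms, start_ms, hold_ms), events))


def calculation_times(max_ms: int, start_ms: int, hold_ms: int, burst_ms: int) -> List[int]:
    """Times (ms after the first trigger) at which calculation or LSA generation
    actually runs during a burst of continuous changes lasting burst_ms."""
    times: List[int] = []
    elapsed = 0
    for interval in intelligent_timer(max_ms, start_ms, hold_ms):
        elapsed += interval
        if elapsed > burst_ms:
            return times
        times.append(elapsed)
    return times  # unreachable; keeps type checkers happy


def fixed_timer_times(interval_ms: int, burst_ms: int) -> List[int]:
    """Same burst with a fixed interval (e.g. spf-schedule-interval millisecond 500)."""
    return list(range(interval_ms, burst_ms + 1, interval_ms))


if __name__ == "__main__":
    print("LSA originate:", intelligent_timer_intervals(*LSA_ORIGINATE_DEFAULT, 9))
    print("SPF runs in a 30 s burst (intelligent):", len(calculation_times(*SPF_SCHEDULE_DEFAULT, 30000)))
    print("SPF runs in a 30 s burst (fixed 500 ms):", len(fixed_timer_times(500, 30000)))
```

The contrast in the last two lines is the point of the feature: over a 30-second storm of changes the default SPF intelligent timer runs SPF 6 times, whereas a fixed 500 ms interval would run it 60 times; the price is that the last recalculation in the storm is delayed by up to max-interval, which is the trade-off the note on the previous slide describes.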

OSPF IP FRR
⚫ OSPF IP fast reroute (FRR) is a dynamic IP FRR technology that uses the loop-free alternate (LFA)
algorithm to pre-calculate a backup path and saves it in the forwarding table. If the primary link fails,
traffic is rapidly switched to the backup link, ensuring traffic continuity and achieving traffic protection.
OSPF IP FRR can reduce the fault recovery time to less than 50 ms.
⚫ The LFA algorithm calculates a backup link based on the following principles:
 A device uses the SPF algorithm to calculate shortest paths to the destination, with each neighbor that provides
a backup link as a root node. The device then uses the inequality to calculate a loop-free backup link with the
minimum cost.


Networking of OSPF IP FRR

⚫ OSPF IP FRR protects traffic against either a link failure or a node-and-link failure. Distance_opt (X, Y)
indicates the shortest path from node X to node Y.

Link protection

[Figure: the primary path is S -> R1 (Cost = 10) -> D (Cost = 5); N is the node along the backup link.
S: source node; D: destination node; N: node along the backup link.]

Link protection inequality:
Distance_opt (N, D) < Distance_opt (N, S) + Distance_opt (S, D)
This ensures that the traffic from node N to node D does not pass through node S. That is, this ensures
that no loop occurs.
Traffic flows from node S to node D. The link cost satisfies the link protection inequality. If the primary
link fails, node S switches the traffic to the backup link. This ensures that the traffic interruption time
is less than 50 ms.

Node-and-link protection

[Figure: the primary path is S -> E (Cost = 10) -> D (Cost = 5); N is the node along the backup link.
S: source node; D: destination node; N: node along the backup link; E: faulty node.]

Link protection inequality:
Distance_opt (N, D) < Distance_opt (N, S) + Distance_opt (S, D)
Node protection inequality:
Distance_opt (N, D) < Distance_opt (N, E) + Distance_opt (E, D)
This ensures that the traffic from node N to node D does not pass through nodes S and E. That is, this
ensures that no loop occurs.
Node-and-link protection must meet the preceding two inequalities.

• Node-and-link protection:
▫ As shown in the right figure, traffic flows from node S to node D. The link cost satisfies the node-and-link
protection inequality. If the primary link fails, node S switches the traffic to the backup link. This ensures
that the traffic interruption time is less than 50 ms.
• OSPF IP FRR protects traffic against either a link failure or a node-and-link failure.
▫ Link protection takes effect when the traffic to be protected flows along a specified link.
▫ Node-and-link protection takes effect when the traffic to be protected flows along a specified device.
Node-and-link protection takes precedence over link protection.

Basic OSPF IP FRR Configuration Commands


1. Enable OSPF IP FRR.

[Huawei-ospf-1] frr
[Huawei-ospf-1-frr]

Create OSPF FRR and enter its view.

[Huawei-ospf-1-frr] loop-free-alternate

After OSPF IP FRR is enabled, the device uses the LFA algorithm to calculate the next hop and outbound
interface for a backup link.

2. (Optional) Disable OSPF IP FRR on an interface.

[Huawei-GigabitEthernet0/0/1] ospf frr block

OSPF IP FRR can be disabled on an interface of a specific device that is running important services and resides
on an FRR backup link. This setting prevents the device connected to this interface from being a part of a
backup link and being burdened after FRR switches traffic to the backup link.


Example for Configuring OSPF IP FRR

[Figure: R1 -- R3 (Cost = 10) -- R4 (Cost = 5) in OSPF area 0, with R2 connected to both R1 and R3.
R1 reaches R3 through GE0/0/0 and R2 through GE0/0/1.]

Device   Router ID   Interface   IP Address
R1       10.1.1.1    GE0/0/0     10.1.13.1/24
                     GE0/0/1     10.1.12.1/24
R2       10.1.2.2    GE0/0/1     10.1.12.2/24
                     GE0/0/2     10.1.23.2/24
R3       10.1.3.3    GE0/0/0     10.1.13.3/24
                     GE0/0/1     10.1.34.3/24
                     GE0/0/2     10.1.23.3/24
R4       10.1.4.4    GE0/0/1     10.1.34.4/24

If the link between R1 and R3 fails, traffic forwarded by R1 can be quickly switched to the backup link and
forwarded by R2.
1. Assign an IP address to each interface and configure OSPF on each device. (The configuration details are
not provided here.)
2. Configure an OSPF cost for each device. The following example uses the command output on R1.
[R1] interface GigabitEthernet 0/0/0
[R1-GigabitEthernet 0/0/0] ospf cost 10
[R1-GigabitEthernet 0/0/0] quit
[R1] interface GigabitEthernet 0/0/1
[R1-GigabitEthernet 0/0/1] ospf cost 10
[R1-GigabitEthernet 0/0/1] quit
3. Enable OSPF IP FRR on R1.
[R1] ospf
[R1-ospf-1] frr
[R1-ospf-1-frr] loop-free-alternate
[R1-ospf-1-frr] quit
[R1-ospf-1] quit
The cost configurations of R2, R3, and R4 are similar to the configuration of R1.


Checking the OSPF IP FRR Configuration

[Figure and address table: the same topology as on the previous slide, R1 -- R3 (Cost = 10) -- R4 (Cost = 5)
in OSPF area 0 with R2 connected to R1 and R3.]

Check information about the route from R1 to GE0/0/1 of R4.

[R1]display ospf routing 10.1.34.4
          OSPF Process 1 with Router ID 10.1.1.1
 Destination : 10.1.34.0/24
 AdverRouter : 10.1.4.4                 Area : 0.0.0.0
 Cost : 15                              Type : Transit
 NextHop : 10.1.13.3                    Interface : GigabitEthernet0/0/0
 Priority : Low                         Age : 00h01m59s
 Backup Nexthop : 10.1.12.2             Backup Interface : GigabitEthernet0/0/1
 Backup Type : LFA LINK

You can find that OSPF generates a backup link after OSPF IP FRR is enabled on R1.
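The display output above can be reproduced from the two LFA inequalities, and the same SPF run also shows what PRC does with a newly advertised prefix (the PRC slide earlier in this section). The Python below is an added example, not Huawei's implementation: it runs SPF from each node, attaches a leaf prefix to the tree without recomputing it (PRC), and then tests every neighbour of R1 against the link-protection and node-protection inequalities to pick a backup next hop. The costs R1-R3 = 10, R1-R2 = 10 and R3-R4 = 5 come from the configuration example; the R2-R3 cost of 10 is an assumption, since the slide only says R2's configuration is similar to R1's.

```python
"""SPF, partial route calculation (PRC) and loop-free alternate (LFA) backup
selection on the topology of the OSPF IP FRR example (added example; not
Huawei's implementation). Costs R1-R3 = 10, R1-R2 = 10, R3-R4 = 5 are from the
example; the R2-R3 cost of 10 is an assumption."""
import heapq
from typing import Dict, Optional, Tuple

Graph = Dict[str, Dict[str, int]]
INF = float("inf")

# Constructed topology of the example (R2-R3 cost assumed).
TOPOLOGY: Graph = {
    "R1": {"R3": 10, "R2": 10},
    "R2": {"R1": 10, "R3": 10},
    "R3": {"R1": 10, "R2": 10, "R4": 5},
    "R4": {"R3": 5},
}


def spf(graph: Graph, root: str) -> Tuple[Dict[str, float], Dict[str, Optional[str]]]:
    """Dijkstra from root: Distance_opt(root, X) for every reachable X, plus the
    first hop (a neighbour of root) on the shortest path to X. The first-hop map
    is the SPT as seen from root, which is all PRC needs."""
    dist: Dict[str, float] = {root: 0}
    first_hop: Dict[str, Optional[str]] = {root: None}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale heap entry
        for v, cost in graph[u].items():
            nd = d + cost
            if nd < dist.get(v, INF):
                dist[v] = nd
                first_hop[v] = v if u == root else first_hop[u]
                heapq.heappush(heap, (nd, v))
    return dist, first_hop


def prc_add_leaf(dist, first_hop, attached_to: str, prefix: str, prefix_cost: int = 0) -> dict:
    """PRC: a prefix newly advertised by a router is a leaf hanging off that node
    of the SPT. It inherits the node's next hop and cost; the tree is not rerun."""
    return {"prefix": prefix, "next_hop": first_hop[attached_to],
            "cost": dist[attached_to] + prefix_cost}


def lfa_backup(graph: Graph, s: str, d: str) -> Optional[Tuple[str, str]]:
    """Choose a backup next hop N for S -> D with the slide's inequalities.
    Node-and-link protection is preferred over link protection; among equal
    protection types the lowest-cost candidate wins. None if no neighbour is
    loop-free."""
    dist_s, hop_s = spf(graph, s)
    if d == s or hop_s.get(d) is None:
        return None
    e = hop_s[d]                          # primary next-hop node E (the node to protect against)
    dist_e, _ = spf(graph, e)
    best = None
    for n in graph[s]:
        if n == e:
            continue
        dist_n, _ = spf(graph, n)
        # Link protection: Distance_opt(N, D) < Distance_opt(N, S) + Distance_opt(S, D)
        if not dist_n.get(d, INF) < dist_n.get(s, INF) + dist_s[d]:
            continue
        # Node protection: Distance_opt(N, D) < Distance_opt(N, E) + Distance_opt(E, D)
        node_protected = dist_n[d] < dist_n.get(e, INF) + dist_e.get(d, INF)
        cand = (0 if node_protected else 1, graph[s][n] + dist_n[d], n, node_protected)
        if best is None or cand < best:
            best = cand
    if best is None:
        return None
    return best[2], "LFA NODE" if best[3] else "LFA LINK"


if __name__ == "__main__":
    dist, hop = spf(TOPOLOGY, "R1")
    print(prc_add_leaf(dist, hop, "R4", "10.1.34.0/24"))   # next hop R3, cost 15
    print(lfa_backup(TOPOLOGY, "R1", "R4"))                 # ('R2', 'LFA LINK')
```

With the assumed R2-R3 cost the result is exactly what the display shows: primary next hop R3 (10.1.13.3) at cost 15 and backup R2 (10.1.12.2) of type LFA LINK, because R2's own path to R4 runs through R3 and so fails the node-protection inequality. Remove the R2-R3 link and R2 can reach R4 only back through R1, the link inequality fails, and no backup is installed; give R2 a direct link to R4 cheaper than 15 and the backup becomes LFA NODE.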


BFD for OSPF

⚫ A link fault or a topology change causes devices to recalculate routes. Fast and efficient routing
protocol convergence is necessary to improve network availability.
⚫ BFD for OSPF associates BFD with OSPF. If a fault occurs on the link between a device and its neighbor,
BFD can rapidly detect the link fault to speed up OSPF's response to network topology changes.

[Figure: R1 and R2 are connected through switch S1, with a BFD session running between R1 and R2; R3 is
connected to both R1 and R2; OSPF runs on R1, R2, and R3.]

The working principle of BFD for OSPF is as follows:
▫ OSPF neighbor relationships are established between R1, R2, and R3. When the neighbor relationships enter
the Full state, BFD is instructed to set up a BFD session.
▫ If a fault occurs on the link between R1 and R2, BFD detects the fault and notifies R1. R1 processes the
BFD session down event and recalculates the route. The new path is R1-R3-R2.

• OSPF periodically sends Hello packets to neighbors to detect faults. It takes more
than 1s to detect a fault. By default, when the OSPF Dead timer expires, the
neighbor is considered invalid. The default value of the OSPF Dead timer is 40s.
With the development of technologies, voice, video, and video on demand (VOD)
services are widely used. These services are sensitive to the packet loss rate and
delay. When the traffic rate reaches gigabit per second (Gbit/s), long-time fault
detection causes a large number of packets to be lost. This cannot meet high
reliability requirements of the carrier-class network.
• BFD for OSPF is introduced to resolve this problem. After BFD for OSPF is
configured in a specified process or on a specified interface, the link status can be
rapidly detected and fault detection can be completed in milliseconds. This
speeds up OSPF convergence when the link status changes.

Basic BFD for OSPF Configuration Commands


1. Configure BFD for OSPF.

[Huawei-ospf-1] bfd all-interfaces enable

Enable BFD in an OSPF process.

[Huawei-ospf-1] bfd all-interfaces { min-rx-interval receive-interval | min-tx-interval transmit-interval | detect-multiplier multiplier-value | frr-binding }

Configure BFD session parameters.

2. Configure BFD on a specified interface.

[Huawei-GigabitEthernet0/0/1] ospf bfd enable

Enable BFD on an OSPF interface.

[Huawei-GigabitEthernet0/0/1] ospf bfd { min-rx-interval receive-interval | min-tx-interval transmit-interval | detect-multiplier multiplier-value | frr-binding }

Configure BFD session parameters on the OSPF interface.

• Prerequisites:
▫ Before using BFD to quickly detect link faults, run the bfd command in the
system view to enable BFD globally.
• The BFD configuration on an interface takes precedence over that in a process. If
BFD is enabled on an interface, the BFD parameters on the interface are used to
establish BFD sessions.
• OSPF IP FRR can be associated with BFD.
▫ During the OSPF IP FRR configuration, the underlying layer needs to fast
respond to a link status change so that traffic can be switched to the
backup link immediately.
▫ OSPF IP FRR and BFD can be bound to rapidly detect link faults. This
ensures that traffic is rapidly switched to the backup link in the case of link
failures.
• Command: [Huawei-ospf-1] bfd all-interfaces { min-rx-interval receive-interval | min-tx-interval transmit-interval | detect-multiplier multiplier-value | frr-binding }
▫ min-rx-interval receive-interval: specifies an expected minimum interval for
receiving BFD packets from the peer. The value is an integer ranging from
10 to 2000, in milliseconds. The default value is 1000.
▫ min-tx-interval transmit-interval: specifies a minimum interval for sending
BFD packets to the peer. The value is an integer ranging from 10 to 2000, in
milliseconds. The default value is 1000.
▫ detect-multiplier multiplier-value: specifies a local detection multiplier.
The value is an integer ranging from 3 to 50. The default value is 3.
▫ frr-binding: binds the BFD session status to the link status of an interface.
If a BFD session goes down, the physical link of the bound interface also
goes down, triggering traffic to be switched to the backup link.
Contents

1. OSPF Fast Convergence

2. OSPF Route Control

3. Other OSPF Features

4. Advanced IS-IS Features

Overview | Equal-Cost Route | Default Route | LSA Filtering | Configuration Case

Overview of OSPF Route Control


⚫ OSPF route control includes:
 Adjusting the OSPF interface cost
 Setting the maximum number of equal-cost routes for load balancing
 Importing external routes
 Configuring route summarization
 Configuring default route advertisement
 Configuring filter-policies
 Configuring OSPF to filter outgoing LSAs
 Configuring an ABR to filter Type 3 LSAs
 Setting the maximum number of External LSAs in the LSDB


• This course describes only equal-cost routes, default routes, and LSA filtering. For
other information, see HCIP-Datacom-Core Technology.

Equal-Cost Route
⚫ If the destinations and costs of the multiple routes discovered by one routing protocol are the same,
these routes are equal-cost routes and can participate in load balancing.
⚫ The device sends packets to the same destination address through multiple equal-cost routes in load
balancing mode.
⚫ Set the maximum number of equal-cost routes for load balancing.
[Huawei-ospf-1] maximum load-balancing number


• Command: [Huawei-ospf-1] maximum load-balancing number
▫ number: specifies the maximum number of equal-cost routes for load balancing. The value range varies
according to the device model. For details, see the product documentation of the corresponding device.

Example for Configuring the Number of Equal-Cost Routes for Load Balancing

[Figure: R1 -- R3 direct link (Cost = 10, R1 GE0/0/0) and R1 -- R2 -- R3 path, all in OSPF Area 0; R3 has
Loopback0.]

Device   Interface   IP Address
R1       GE 0/0/0    10.1.13.1/24
         GE 0/0/1    10.1.12.1/24
R2       GE 0/0/1    10.1.12.2/24
         GE 0/0/2    10.1.23.2/24
R3       Loopback0   10.1.3.3/32
         GE 0/0/0    10.1.13.3/24
         GE 0/0/2    10.1.23.3/24

It is required that R1 can access the loopback interface address of R3 through the path R1 -> R3 or the path
R1 -> R2 -> R3.
1. Assign an IP address to each interface and configure OSPF on each device. (Details are not provided here.)
2. Configure the maximum number of OSPF equal-cost routes for load balancing on R1.
[R1] ospf
[R1-ospf-1] maximum load-balancing 2
3. Verify the configuration.
[R1]display ip routing-table
Route Flags: R - relay, D - download to fib
-------------------------------------------------------------------------------------------
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
10.1.3.3/32         OSPF    10   10     D     10.1.13.3       GigabitEthernet0/0/0
                    OSPF    10   10     D     10.1.12.2       GigabitEthernet0/0/1


Default Route
⚫ On the area border and AS border of an OSPF network generally reside multiple routers for egress
backup or traffic load balancing. In this case, a default route can be configured to reduce the number
of routing entries in the routing table and ensure high availability of the network.
⚫ OSPF default routes are generally applied to the following scenarios:
 An ABR advertises Type 3 LSAs carrying the default route so that routers in an area forward inter-area packets
accordingly.
 An ASBR advertises Type 5 or Type 7 LSAs carrying the default route so that routers in an AS forward
AS-external packets.

Area Type                          Trigger Condition                                     Advertised by   LSA Type     Flooding Scope
Common area                        The default-route-advertise command is run.           ASBR            Type 5 LSA   Common area
Stub area and totally stubby area  Automatically generated                               ABR             Type 3 LSA   Stub area
NSSA                               The nssa [ default-route-advertise ] command is run.  ASBR            Type 7 LSA   NSSA
Totally NSSA                       Automatically generated                               ABR             Type 3 LSA   NSSA


• Default routes have all 0s as the destination address and mask. A device uses a
default route to forward packets when no matching route is available.
Hierarchical management of OSPF routes prioritizes the default route carried in
Type 3 LSAs over the default route carried in Type 5 or Type 7 LSAs.
• Common area:
▫ By default, routers in a common OSPF area do not generate default routes. To enable a router in a common
OSPF area to advertise a default route to OSPF, run the default-route-advertise command on the router. After
the command is run, the router generates a default ASE LSA (Type 5 LSA) and advertises it to the entire OSPF AS.
• Stub area:

▫ Type 5 LSAs cannot be advertised within a stub area. All routers within a
stub area can learn AS external routes only through an ABR.

▫ The ABR in a stub area automatically generates a default Type 3 LSA and
advertises it to the entire stub area. The ABR uses the default route to
divert traffic destined for a destination outside the AS to itself and then
forwards the traffic.
• Totally stub area:
▫ Neither Type 3 nor Type 5 LSAs can be advertised within a totally stub area.
All routers within a totally stub area can learn AS external routes and other
areas' routes only through an ABR.
▫ The ABR in a totally stub area automatically generates a default Type 3 LSA
and advertises it to the entire stub area. The ABR uses the default route to
divert traffic destined for a destination outside the AS to itself and then
forwards the traffic.
• NSSA:
▫ To enable packets destined for routers outside an AS to be sent by way of
an ASBR in an NSSA, and other packets destined for routers outside the AS
to be sent by way of an ABR in the NSSA, configure the ABR to generate a
default Type 7 LSA and advertise this LSA within the entire NSSA. In this
case, a default Type 7 LSA will be generated on the ABR, regardless of
whether the default route 0.0.0.0 exists in the routing table.

▫ To enable all packets destined for routers outside the AS to be sent by way
of an ASBR in the NSSA, run the nssa [default-route-advertise] command
on the ASBR so that the ASBR generates a default NSSA LSA (Type 7 LSA)
and advertises it to the entire NSSA. In this case, a default Type 7 LSA is
generated only when the default route 0.0.0.0 exists in the routing table on
the ASBR.
▫ Note: Default routes are flooded only within the local NSSA and are not
flooded within the entire OSPF AS. If routers in the local NSSA have no
routes to the outside of the AS, the routers can forward packets outside of
the AS through an ASBR. However, packets of other OSPF areas cannot be
sent outside the AS through this ASBR. An ABR does not translate default
Type 7 LSAs into default Type 5 LSAs for flooding in the entire AS.

• Totally NSSA:
▫ The ABR in a totally NSSA automatically advertises the default route
through a Type 3 LSA to the NSSA. The ASBR in a totally NSSA, however,
does not automatically advertise default routes. In this scenario, the routers
in the area can reach the corresponding external network segments
through the external routes imported by the ASBR and reach other network
segments through the default routes delivered by the ABR.

▫ If you want routers in a totally NSSA to select an ASBR (rather than an ABR)
as the default egress, you need to configure the ASBR to deliver the default
route.

Configuring Default Route Advertisement to OSPF Areas


1. Configure default route advertisement to common OSPF areas.

[Huawei-ospf-1] default-route-advertise [ [ always | permit-calculate-other ] | cost cost | type type | route-policy route-policy-name [ match-any ] ]

By default, OSPF devices in a common OSPF area do not generate default routes.

2. Configure default route advertisement through a Type 3 summary LSA and set a cost for the route.

[Huawei-ospf-1] default-route-advertise summary cost cost

⚫ Note:
 The import-route (OSPF) command cannot import the default route of another routing protocol. To enable a router
to advertise the default route of another routing protocol, run the default-route-advertise command on an ASBR so
that the default route is advertised to all common OSPF areas.
 Before advertising a default route, OSPF compares the preferences of default routes in an OSPF area and then
advertises a default route with the highest preference. If a static default route is configured on an OSPF device,
ensure that the preference of the static default route is lower than that of the default route to be advertised
by OSPF. This ensures that the default route advertised by OSPF will be added to the routing table of the OSPF
device.


• Command: [Huawei-ospf-1] default-route-advertise [ [ always | permit-calculate-other ] | cost cost | type type | route-policy route-policy-name [ match-any ] ]
▫ always: An LSA that describes the default route is generated and advertised
regardless of whether the local device has an active default route that does
not belong to the current OSPF process.
▪ If always is configured, the device does not calculate the default
routes from other devices.
▪ If always is not configured, an LSA that describes the default route
can be generated only if an active default route that does not belong
to the current OSPF process exists in the routing table of the local
device.
▫ permit-calculate-other: An LSA that describes the default route is
generated and advertised only if the device has an active default route that
does not belong to the current OSPF process, and the device still calculates
the default routes from other devices.
▫ type type: specifies the type of an external route. The value is 1 or 2. The
default value is 2.
▪ 1: Type 1 external route
▪ 2: Type 2 external route
▫ route-policy route-policy-name: specifies the name of a route-policy. The
device advertises default routes according to the configuration of the route-
policy when the routing table of the device contains a default route that
matches the route-policy but does not belong to the current OSPF process.
The value is a string of 1 to 40 case-sensitive characters. If spaces are used,
the string must start and end with double quotation marks (").
▫ match-any: The device advertises default routes according to the
configuration of the route-policy when the routing table contains routes
that match the route-policy.

• Command: [Huawei-ospf-1] default-route-advertise summary cost cost

▫ summary: advertises the Type 3 summary LSA of the specified default route. Before specifying this parameter, ensure that the OSPF process is bound to a VPN instance; otherwise, the route cannot be advertised.

▫ cost cost: specifies the cost of the LSA. The value is an integer ranging from
0 to 16777214. The default value is 1.
• always:
▫ If the ASBR has a default route, the default-route-advertise command enables the ASBR to advertise the default route 0.0.0.0 to all OSPF areas.
▫ If the ASBR has no default route, the default-route-advertise always command or the default-route-advertise command can be used as required:
▪ With always configured, the ASBR advertises the default route 0.0.0.0 even though it has no default route of its own, and it does not calculate the default routes sent by other devices.
▪ Without always configured, the ASBR generates the LSA of the default route only when its local routing table contains an active default route (non-BGP route) that does not belong to the current OSPF process.

• match-any:
▫ If a route-policy is configured with match-any and multiple routes match the policy, the default LSA is generated based on the optimal matching route. The rules for optimal route selection are as follows:
▪ A route configured with type takes precedence over one not configured with type. Among routes configured with type, a smaller type value takes precedence over a larger one.
▪ A route configured with cost takes precedence over one not configured with cost. Among routes configured with cost, a smaller cost value takes precedence over a larger one.
▪ A route configured with tag takes precedence over one not configured with tag. Among routes configured with tag, a smaller tag value takes precedence over a larger one.
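The match-any selection order above is easy to get wrong when some candidates carry an attribute and others do not. The following added example (not code from the training material or from Huawei VRP) encodes the three-level rule, type first, then cost, then tag, with "configured beats unconfigured" and "smaller beats larger" at each level. The Candidate fields and the tie-break (first listed route wins on a full tie) are assumptions.

```python
"""Pick the route that seeds the default-route LSA under match-any.

Added example, not from the original training material. It models the
three-level ordering the page describes: type, then cost, then tag; at each
level a route that has the attribute configured beats one that does not, and
a smaller configured value beats a larger one. Field names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Candidate:
    """A route that matched the route-policy; None means 'not configured'."""
    name: str
    ext_type: Optional[int] = None   # 1 or 2 when the policy applies a type
    cost: Optional[int] = None
    tag: Optional[int] = None


def _level_key(value: Optional[int]) -> Tuple[int, int]:
    # Configured (0) sorts before unconfigured (1); then smaller value first.
    return (0, value) if value is not None else (1, 0)


def select_default_seed(routes: Sequence[Candidate]) -> Candidate:
    """Return the route whose attributes seed the default Type 5 LSA.

    min() keeps the first of equally ranked routes, which is the assumed
    tie-break; the page does not define one.
    """
    if not routes:
        raise ValueError("no route matched the route-policy")
    return min(routes, key=lambda r: (_level_key(r.ext_type),
                                      _level_key(r.cost),
                                      _level_key(r.tag)))
```

A route with only a cost still loses to a route that has a type configured, even if that type is 2 and the cost is higher; the levels are strictly ordered, not summed.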

Configuring OSPF to Filter Outgoing LSAs


⚫ When multiple links exist between two routers, you can enable the function to filter outgoing LSAs,
preventing them from being sent to particular links. This function can help reduce unnecessary
retransmission of LSAs and reduce bandwidth consumption.
⚫ Filtering the outgoing LSAs on a specified OSPF interface can prevent unwanted LSAs from being sent
to neighbors, thus reducing the LSDB sizes of the neighbors and speeding up network convergence.
⚫ To filter outgoing LSAs on an OSPF interface, run the following command:
[Huawei-GigabitEthernet0/0/1] ospf filter-lsa-out { all | { summary [ acl { acl-number | acl-name } ] | ase [ acl { acl-number | acl-name } ] | nssa [ acl { acl-number | acl-name } ] } }

The command does not affect LSAs that were already flooded out of the interface before it was run: those copies remain in the neighbors' LSDBs until they reach the LSA maximum age of 3600 seconds.

• Command: [Huawei-GigabitEthernet0/0/1] ospf filter-lsa-out { all | { summary [ acl { acl-number | acl-name } ] | ase [ acl { acl-number | acl-name } ] | nssa [ acl { acl-number | acl-name } ] } }
▫ all: filters all outgoing LSAs, except grace LSAs.
▫ summary: filters outgoing network-summary-LSAs (Type 3).
▫ ase: filters outgoing AS-external-LSAs (Type 5).
▫ nssa: filters outgoing NSSA-LSAs (Type 7).
▫ acl acl-number: specifies the number of a basic ACL. The value is an integer ranging from 2000 to 2999.
▫ acl acl-name: specifies the name of an ACL. The value is a string of 1 to 32 case-sensitive characters. It cannot contain spaces and must start with a letter (a to z or A to Z).

Configuring OSPF to Filter ABR Type 3 LSAs

⚫ On an ABR, configure filtering policies for the Type 3 LSAs (network-summary-LSAs) entering and leaving an area, so that only the LSAs that pass the filter are advertised into the area (import) or generated from the area's routes toward other areas (export).
⚫ Filtering Type 3 LSAs in a specified OSPF area keeps unwanted summary LSAs away from the routers in that area, which reduces their LSDB sizes and speeds up network convergence.
⚫ To filter outgoing Type 3 LSAs in an OSPF area, run the following command:
[Huawei-ospf-1-area-0.0.0.1] filter { acl-number | acl-name acl-name | ip-prefix ip-prefix-name | route-policy route-policy-name } export

⚫ To filter incoming Type 3 LSAs in an OSPF area, run the following command:
[Huawei-ospf-1-area-0.0.0.1] filter { acl-number | acl-name acl-name | ip-prefix ip-prefix-name | route-policy route-policy-name } import

• Command: [Huawei-ospf-1-area-0.0.0.1] filter { acl-number | acl-name acl-name | ip-prefix ip-prefix-name | route-policy route-policy-name } export
▫ acl-number: specifies the number of a basic ACL. The value is an integer ranging from 2000 to 2999.

Overview of OSPF Database Overflow


⚫ The LSDBs of OSPF devices in the same area are synchronized after routes are converged. However,
achieving such a state can be difficult as the number of routes on a network continuously increases,
causing some devices to be unable to carry excess routing information due to limited system resources.
This is called an OSPF database overflow.
⚫ One way to solve such an issue is to configure stub areas or NSSAs, which reduces the amount of
routing information on devices. However, such an approach cannot prevent an OSPF database overflow
caused by a sharp increase in dynamic routes. To resolve this issue, set the maximum number of non-
default external LSAs allowed in the LSDB of a device to dynamically control the LSDB size.
⚫ Set the maximum number of non-default external LSAs allowed in the LSDB.
[Huawei-ospf-1] lsdb-overflow-limit number


• When the number of external LSAs (Type 5 and Type 7) imported by OSPF
exceeds the maximum number supported, excessive external LSAs cannot be
processed properly and are discarded. To address this issue, you can set a proper
upper limit for the number of non-default external LSAs in the LSDB, so as to
adjust and optimize the OSPF network.

• Command: [Huawei-ospf-1] lsdb-overflow-limit number


▫ number: specifies the maximum number of non-default external LSAs
allowed in the LSDB. The value is an integer ranging from 1 to 1000000.

Preventive Measures for OSPF Database Overflows

⚫ Setting the maximum number of non-default external LSAs (external routes) on a router can prevent OSPF database overflows.
⚫ Set the same maximum number on all routers in the OSPF network. When the number of non-default external routes on a router reaches the maximum, the router enters the Overflow state and starts the Overflow state timer (default timeout period: 5s). When the timer expires, the router leaves the Overflow state automatically only if the number of external routes has dropped below the maximum; otherwise it restarts the timer, as described below.

Overflow phase and OSPF processing:

Enters the Overflow state:
 • Deletes all non-default external routes generated by the router itself.
 • Starts the Overflow state timer.

Stays in the Overflow state:
 • Does not generate non-default external routes.
 • Discards newly received non-default external routes and does not reply with LSAck packets.
 • Checks whether the number of external routes still exceeds the maximum when the Overflow state timer expires:
   ▪ If not, the router exits the Overflow state.
   ▪ If so, the router restarts the timer and stays in the Overflow state.

Exits the Overflow state:
 • Deletes the Overflow state timer.
 • Generates non-default external routes again.
 • Accepts newly received non-default external routes and replies with LSAck packets.
 • Is ready to enter the Overflow state again as soon as the maximum is reached.

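The three phases above form a small state machine. The following added example (not code from the training material or from any router software) simulates one router enforcing lsdb-overflow-limit: it installs non-default external LSAs until the limit is reached, withdraws its own externals on entering Overflow, drops new externals without an LSAck while in Overflow (so the flooding neighbor keeps retransmitting them), and re-checks the count at every timer expiry. Time is passed in explicitly so the sequence is reproducible; class and field names, and the treatment of updates to LSAs already in the LSDB as acceptable (following RFC 1765), are assumptions.

```python
"""Simulate the OSPF database-overflow state machine described above.

Added example, not from the training material. One router enforces
lsdb-overflow-limit: external LSAs (Type 5/7 other than the default route)
are installed until the limit is reached; the router then enters Overflow,
withdraws its own non-default externals, drops newly received ones without
acknowledging them, and re-checks the count whenever the Overflow timer
(5 s by default on the page) expires. Names and the explicit clock are
assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class ExternalLsa:
    prefix: str            # e.g. "10.1.1.0/24"
    adv_router: str        # originating ASBR (router ID)
    is_default: bool = False


@dataclass
class OverflowRouter:
    router_id: str
    limit: int                        # lsdb-overflow-limit number
    timer_secs: int = 5               # Overflow state timer
    lsdb: Dict[str, ExternalLsa] = field(default_factory=dict)  # key: prefix@adv_router
    in_overflow: bool = False
    timer_expires_at: float = 0.0
    acked: Set[str] = field(default_factory=set)   # keys for which an LSAck was sent

    def non_default_count(self) -> int:
        return sum(1 for l in self.lsdb.values() if not l.is_default)

    def _enter_overflow(self, now: float) -> None:
        self.in_overflow = True
        # Withdraw every non-default external LSA this router generated itself.
        own = [k for k, l in self.lsdb.items()
               if l.adv_router == self.router_id and not l.is_default]
        for key in own:
            del self.lsdb[key]
        self.timer_expires_at = now + self.timer_secs

    def originate(self, prefix: str, now: float) -> bool:
        """Import a local external route; refused while in Overflow."""
        if self.in_overflow:
            return False
        return self.receive(ExternalLsa(prefix, self.router_id), now)

    def receive(self, lsa: ExternalLsa, now: float) -> bool:
        """Process a flooded external LSA. True if installed and acknowledged."""
        key = f"{lsa.prefix}@{lsa.adv_router}"
        if lsa.is_default or key in self.lsdb:
            # Default LSAs and refreshes of LSAs already held are always accepted
            # (assumption following RFC 1765).
            self.lsdb[key] = lsa
            self.acked.add(key)
            return True
        if self.in_overflow:
            return False              # discarded, no LSAck: the sender retransmits
        self.lsdb[key] = lsa
        self.acked.add(key)
        if self.non_default_count() >= self.limit:
            self._enter_overflow(now)
        return True

    def tick(self, now: float) -> None:
        """Call as time advances; handles Overflow timer expiry."""
        if self.in_overflow and now >= self.timer_expires_at:
            if self.non_default_count() >= self.limit:
                self.timer_expires_at = now + self.timer_secs   # restart the timer
            else:
                self.in_overflow = False                        # exit Overflow
```

Because the router leaves Overflow as soon as the count is below the limit and re-enters it on the next external LSA, a network whose external-route count hovers around the limit oscillates; the page's advice to set the same limit on every router keeps all of them flipping at the same point instead of partitioning the external reachability.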

Example for Configuring OSPF Route Control (1)

Figure: R1 -- R2 -- R3, with R1 and R2 in Area 0 and R2 and R3 in Area 1. R2 is the ABR and, by default, injects Type 3 LSAs into Area 1.

⚫ To reduce the number of LSAs on R3 while keeping R3 able to communicate with routers in other areas, check that the following requirements are met:
 R2 does not inject Type 3 LSAs into Area 1.
 R2 advertises a default route.

1. Assign an IP address to each interface and configure OSPF on each device (omitted).

2. Configure R2 to filter Type 3 LSAs.
[R2] acl 2000
[R2-acl-basic-2000] rule deny
[R2-acl-basic-2000] quit
[R2] ospf
[R2-ospf-1] area 1
[R2-ospf-1-area-0.0.0.1] filter 2000 import

3. Configure R2 to advertise default routes.
[R2] ospf
[R2-ospf-1] default-route-advertise always

Example for Configuring OSPF Route Control (2)

Figure: the same R1 -- R2 -- R3 topology (Area 0 between R1 and R2, Area 1 between R2 and R3).

1. Check the LSDB of R3.
[R3]display ospf lsdb

          OSPF Process 1 with Router ID 10.1.23.3
                  Link State Database

                          Area: 0.0.0.1
 Type      LinkState ID    AdvRouter      Age  Len   Sequence   Metric
 Router    10.1.23.3       10.1.23.3      731  48    80000004       1
 Router    10.1.12.2       10.1.12.2      406  36    80000008       1
 Network   10.1.23.2       10.1.12.2      730  32    80000002       0

                  AS External Database
 Type      LinkState ID    AdvRouter      Age  Len   Sequence   Metric
 External  0.0.0.0         10.1.12.2      406  36    80000001       1

• The LSDB of R3 for Area 1 contains no Type 3 LSAs, but it does contain a default Type 5 LSA originated by R2 (10.1.12.2).

2. Check the routing table of R3.
[R3]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   O_ASE   150  1           D   10.1.23.2       GigabitEthernet0/0/1
……

• R3 reaches devices in other areas through the default route learned from R2.

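The filter in step 2 works because a basic ACL rule with no source matches every address, so "rule deny" blocks every Type 3 LSA. The following added example (not code from the training material or from Huawei VRP) applies basic-ACL semantics, first matching rule wins, wildcard bits set to 1 are ignored, to a constructed set of summary LSAs, and contrasts the deny-all ACL of this example with the permit-one-prefix ACL used later in the route-control case. Treating an LSA that matches no rule as denied is an assumption made for this example.

```python
"""Apply a basic ACL to a set of Type 3 (network-summary) LSAs.

Added example, not from the training material. Basic ACL rules carry a
source address plus a wildcard mask (1 bits are "don't care"); a rule with no
source matches every address. Rules are evaluated in order and the first
match decides. An LSA matching no rule is treated as denied, which is the
assumption this example makes for LSA filtering.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    permit: bool
    source: Optional[str] = None      # dotted quad, None = any address
    wildcard: str = "0.0.0.0"         # wildcard mask, 1 bits are ignored

    def matches(self, addr: str) -> bool:
        if self.source is None:
            return True
        a = int(ipaddress.IPv4Address(addr))
        s = int(ipaddress.IPv4Address(self.source))
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(self.wildcard))
        return (a & care) == (s & care)


class BasicAcl:
    """A numbered basic ACL (2000-2999) with rules in the order entered."""

    def __init__(self, number: int, rules: Iterable[AclRule]):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs are numbered 2000-2999")
        self.number = number
        self.rules = list(rules)

    def permits(self, addr: str) -> bool:
        for rule in self.rules:
            if rule.matches(addr):
                return rule.permit
        return False      # no rule matched: assumed deny for LSA filtering


def filter_type3(lsas: Iterable[Tuple[str, str]], acl: BasicAcl) -> List[Tuple[str, str]]:
    """Keep the (Link State ID, mask) pairs whose Link State ID the ACL permits."""
    return [(lsid, mask) for lsid, mask in lsas if acl.permits(lsid)]


# Constructed sample: three summary LSAs an ABR would inject into Area 1.
SUMMARY_LSAS = [("10.1.12.0", "255.255.255.0"),
                ("192.168.10.0", "255.255.255.0"),
                ("192.168.20.0", "255.255.255.0")]

# "rule deny" with no source, as configured on R2 in the example above.
DENY_ALL = BasicAcl(2000, [AclRule(permit=False)])
# "rule permit source 192.168.10.0 0.0.0.255", as used in the case that follows.
FINANCE_ONLY = BasicAcl(2000, [AclRule(True, "192.168.10.0", "0.0.0.255")])
```

Note the wildcard is the inverse of a subnet mask: 0.0.0.255 means "match the first three octets, ignore the last", so a typo such as 255.255.255.0 would silently match almost nothing of what was intended.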

OSPF Route Control Case Analysis

Figure: the finance server and the marketing server sit behind the border routers Border-1 and Border-2, which reach them through static routes. Border-1 and Border-2 connect to Core-1 and Core-2 in OSPF Area 0; Core-1 and Core-2 connect to AGG-1 (Area 1, finance department clients) and AGG-2 (Area 2, marketing department clients). The data flow of interest is the finance department's.

⚫ Network deployment:
 An enterprise network is divided into two networks, one for the finance department and the other for the marketing department.
 The enterprise network uses OSPF for internal connectivity. The backbone is deployed in Area 0, the finance department's clients are in Area 1, and the marketing department's clients are in Area 2.
 The border devices reach the department servers through static routes, which are imported into the OSPF process.

⚫ Requirements:
 As long as the Border-1 router and its uplink work properly, the finance department's traffic is forwarded only through Border-1.
 As long as the Core-1 router and its uplink work properly, the finance department's traffic is forwarded only through Core-1.
 For the forwarding requirements of the marketing department, see the notes below.

• Data forwarding requirements of the marketing department:
▫ As long as the Border-2 router and its uplink work properly, the marketing department's traffic is forwarded only through Border-2.
▫ As long as the Core-2 router and its uplink work properly, the marketing department's traffic is forwarded only through Core-2.
• This case uses the forwarding path of the finance department as the example; the forwarding path of the marketing department is not described here.

Requirement Analysis

1. Controlling the network egress for data forwarding:
▫ Data of the finance department is always forwarded through Border-1.
▫ Data of the marketing department is always forwarded through Border-2.
To make a fixed ASBR the egress, changes inside the network must be ignored; that is, the internal route cost must not influence the choice of ASBR. Type 2 external routes of OSPF provide exactly this.

2. Controlling the precise internal path of data flows:
▫ No load-balancing path should exist.
Data must reach the chosen ASBR along the planned path inside the network. This is achieved by adjusting the internal path costs.

• Type 2 external route:
▫ A Type 2 external route is treated as far more expensive than any internal path to an ASBR, so the internal cost is not added to it; the internal cost to the ASBR is used only to break a tie between Type 2 routes with the same external cost.
▫ Cost of a Type 2 external route = cost of the route from the ASBR to the destination (the external cost carried in the LSA).

Traffic Egress Control

Figure: R1 (Border-1) and R2 (Border-2) both import the finance department routes as Type 2 external routes, with cost 100 on R1 and cost 200 on R2.

⚫ Implementation:
 Import the static routes destined for the finance department server into the OSPF processes of both R1 (Border-1) and R2 (Border-2), using route-policies, so that either border router can serve as the egress (egress backup).
 Set the type of the imported external routes to Type 2.
 On R1, set the cost of the external route to 100; on R2, set it to 200.

⚫ Configuration result:
 When two Type 2 external routes to the same network segment have different costs, a device prefers the one with the smaller cost. Every device in the network therefore selects R1 as the egress for the finance department; only if R1's route disappears (R1 or its uplink fails) does the Type 2 route from R2, with cost 200, take over.

• The internal path cost to each ASBR is not considered during traffic egress control.

Controlling Internal Paths

Figure: S3 (AGG-1) has three candidate paths to R1 (Border-1): path 1 is S3 -> S1 -> R1, path 2 is S3 -> S1 -> S2 -> R1, and path 3 is S3 -> S2 -> R1.

⚫ Network requirement analysis:
 If the network is running properly, S3 (AGG-1) selects path 1.
 If the link between S1 (Core-1) and R1 fails, S3 selects path 2.
 If S1 fails, S3 selects path 3.

⚫ Implementation:
 Path 1 cost < Path 2 cost < Path 3 cost

Controlling Internal Paths: Adjusting the Cost Between Aggregation Devices and Core Devices

Figure: link costs S1-R1 = 10, S1-S2 = 10, S3-S1 = 10 and S3-S2 = 50. With the S1-R1 link down, path 1 is S3 -> S1 -> S2 -> R1 and path 2 is S3 -> S2 -> R1.

⚫ If the link between S1 and R1 fails, S3 must prefer path 1 over path 2, because S1 itself is still working.

⚫ Implementation:
 Path 1 cost < Path 2 cost, that is:
 [Cost(S3-S1) + Cost(S1-S2) + Cost(S2-R1)] < [Cost(S3-S2) + Cost(S2-R1)]
 Cost(S2-R1) appears on both sides, so the condition reduces to Cost(S3-S1) + Cost(S1-S2) < Cost(S3-S2); with the costs in the figure, 10 + 10 < 50. Path 1 is therefore enforced by adjusting the cost between the aggregation devices and the core devices.

Controlling the Internal Path: Adjusting the Cost Between Core Devices and Border Devices

Figure: the same link costs (S1-R1 = 10, S1-S2 = 10, S3-S1 = 10, S3-S2 = 50). With the S3-S1 link down, path 1 is S3 -> S2 -> S1 -> R1 and path 2 is S3 -> S2 -> R1.

⚫ If the link between S3 and S1 fails, S3 must prefer path 1 over path 2, because S1 is still working.

⚫ Implementation:
 Path 1 cost < Path 2 cost, that is:
 [Cost(S3-S2) + Cost(S2-S1) + Cost(S1-R1)] < [Cost(S3-S2) + Cost(S2-R1)]
 Cost(S3-S2) cancels, leaving Cost(S2-S1) + Cost(S1-R1) < Cost(S2-R1); with the figure's costs, Cost(S2-R1) must be greater than 20. Path 1 is therefore enforced by adjusting the cost between the core devices and the border devices, on the S2-R1 link.

Example for Configuring OSPF Route Control (1)

Figure: the finance server 192.168.10.0/24 and the marketing server 192.168.20.0/24 are reached from R1 (Border-1) and R2 (Border-2) through static routes. R1 and R2 connect to S1 (Core-1) and S2 (Core-2) in Area 0; S3 (AGG-1) is in Area 1 and S4 (AGG-2) in Area 2. R1 imports the finance department routes as Type 2 with cost 100, R2 as Type 2 with cost 200.

Configure a route-policy on R1 and set the cost to 100.
[R1] acl 2000
[R1-acl-basic-2000] rule permit source 192.168.10.0 0.0.0.255
[R1-acl-basic-2000] quit
[R1] route-policy static2ospf permit node 10
[R1-route-policy] if-match acl 2000
[R1-route-policy] apply cost 100
[R1-route-policy] quit
[R1] route-policy static2ospf permit node 20
[R1-route-policy] quit

Node 20 has no if-match clause, so the other static routes (for example, the one to the marketing server) are still imported, without the cost override.

Import static routes to the OSPF process on R1.
[R1] ospf
[R1-ospf-1] import-route static route-policy static2ospf type 2

Example for Configuring OSPF Route Control (2)

Figure: the same topology as in part (1).

Configure a route-policy on R2 and set the cost to 200.
[R2] acl 2000
[R2-acl-basic-2000] rule permit source 192.168.10.0 0.0.0.255
[R2-acl-basic-2000] quit
[R2] route-policy static2ospf permit node 10
[R2-route-policy] if-match acl 2000
[R2-route-policy] apply cost 200
[R2-route-policy] quit
[R2] route-policy static2ospf permit node 20
[R2-route-policy] quit

Import static routes to the OSPF process on R2.
[R2] ospf
[R2-ospf-1] import-route static route-policy static2ospf type 2

Example for Configuring OSPF Route Control (3)

Figure: the same topology, with link costs S1-R1 = 10, S1-S2 = 10, S3-S1 = 10 and S3-S2 = 50; by the earlier analysis the S2-R1 link also needs a cost greater than 20.

Set the OSPF cost of an interface (GE0/0/1 of R1 is used as an example).
[R1] interface GigabitEthernet 0/0/1
[R1-GigabitEthernet0/0/1] ospf cost 50

An interface cost applies to traffic leaving that interface only. For a link whose cost must be the same in both directions, set ospf cost on the interfaces at both ends.
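Before committing the costs, it is worth verifying that the planned path wins under every failure scenario the case lists. The following added example (not code from the training material or from any Huawei product) runs a small Dijkstra over the case's link costs and checks S3's path to R1 in the normal state and with the S1-R1 link, S1 itself, or the S3-S1 link down; it also applies the Type 2 egress rule from the Traffic Egress Control slide. Costs are modelled as symmetric per link (OSPF costs are really per interface and per direction) and the S2-R1 cost of 50, chosen to satisfy Cost(S2-R1) > 20, is an assumption.

```python
"""SPF-based check of the finance-department path plan and egress choice.

Added example, not from the training material. It runs Dijkstra over the
Area 0 / Area 1 link costs used in the case (S3-S1 = 10, S1-S2 = 10,
S1-R1 = 10, S3-S2 = 50) and verifies the planned behaviour under the
failure scenarios the slides list. Costs are modelled as symmetric per link,
which is an assumption (OSPF costs are per interface and per direction). The
S2-R1 cost of 50 is an assumption that satisfies Cost(S2-R1) > 20. Type 2
egress selection follows the page's rule: external cost first, internal cost
to the ASBR only as a tie-breaker.
"""
import heapq
from typing import Dict, Iterable, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]

LINKS: List[Tuple[str, str, int]] = [
    ("S3", "S1", 10), ("S3", "S2", 50), ("S1", "S2", 10),
    ("S1", "R1", 10), ("S2", "R1", 50),   # S2-R1 = 50 is assumed
]


def build_graph(links: Iterable[Tuple[str, str, int]],
                down_links: Iterable[Tuple[str, str]] = (),
                down_nodes: Iterable[str] = ()) -> Graph:
    """Undirected cost graph with failed links and nodes removed."""
    down_links, down_nodes = list(down_links), list(down_nodes)
    g: Graph = {}
    for a, b, cost in links:
        if a in down_nodes or b in down_nodes:
            continue
        if (a, b) in down_links or (b, a) in down_links:
            continue
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return g


def spf(g: Graph, src: str) -> Dict[str, Tuple[int, List[str]]]:
    """Dijkstra: node -> (cost, path from src). Unreachable nodes are absent."""
    best: Dict[str, Tuple[int, List[str]]] = {src: (0, [src])}
    heap = [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, w in g.get(node, {}).items():
            nc = cost + w
            if nbr not in best or nc < best[nbr][0]:
                best[nbr] = (nc, best[node][1] + [nbr])
                heapq.heappush(heap, (nc, nbr))
    return best


def path_to_r1(down_links: Iterable[Tuple[str, str]] = (),
               down_nodes: Iterable[str] = ()) -> Optional[List[str]]:
    """Path S3 (AGG-1) takes to R1 (Border-1) in the given failure scenario."""
    result = spf(build_graph(LINKS, down_links, down_nodes), "S3")
    return result["R1"][1] if "R1" in result else None


def select_type2_egress(externals: Dict[str, int],
                        internal_cost: Dict[str, int]) -> str:
    """Pick the ASBR for a prefix advertised as Type 2 by several ASBRs.

    externals: ASBR -> external (Type 2) cost; internal_cost: ASBR -> SPF cost
    from the selecting router. Type 2 compares external cost first and uses
    the internal cost only to break ties.
    """
    return min(externals, key=lambda asbr: (externals[asbr], internal_cost[asbr]))
```

Changing any single cost and re-running the four scenarios is a cheap way to see which of the two inequalities on the preceding slides a proposed value violates.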
Contents

1. OSPF Fast Convergence

2. OSPF Route Control

3. Other OSPF Features

4. Advanced IS-IS Features


OSPF Multi-Process

⚫ OSPF supports multiple processes that run separately on the same device and do not affect each other. Route exchange between different OSPF processes is handled like route exchange between different routing protocols: routes must be imported from one process into the other.
⚫ An interface on a router can belong to only one OSPF process.

• Usage scenario:
▫ A typical application of OSPF multi-process is the VPN scenario.
▫ As shown in the figure, a PE connects to two different VPN customers (CE1 in VPN1 at Site1 and CE2 in VPN2 at Site2), and OSPF runs between the PE and each CE. Separate processes are deployed on the PE to isolate the VPN customers:
[PE] ospf 100 vpn-instance VPN1
[PE-ospf-100] quit
[PE] ospf 200 vpn-instance VPN2
[PE-ospf-200] quit

• VPN: virtual private network
• If a VPN instance is specified when an OSPF process is created, the OSPF process belongs to that instance. Otherwise, the OSPF process belongs to the global instance.

Association Between OSPF and BGP (1)

⚫ When a new device is added or a device is restarted, network traffic may be lost during BGP convergence, because IGP route convergence is faster than BGP route convergence.

Figure: R1, R2, R3 and R4 in AS 100 run OSPF, with full-mesh IBGP connections among them; R4 has an EBGP session to R5 in AS 101, which advertises 10.1.5.5/32. R3 is the backup device of R2. When the network is stable, traffic from R1 to 10.1.5.5/32 follows the path R1 -> R2 -> R4 -> R5.

1. If R2 fails, traffic is switched to the path R1 -> R3 -> R4 -> R5.
2. After R2 recovers, OSPF converges first because IGP route convergence is faster than BGP route convergence. When R1 needs to reach 10.1.5.5/32, it finds the BGP route whose next hop is R5 and resolves that next hop through the IGP; the IGP's best path now runs through R2 again, so R1 sends the traffic to R2.
3. After receiving the traffic, R2 looks up the BGP route. Because BGP convergence on R2 is not yet complete, R2 has no route to 10.1.5.5/32 and cannot forward the traffic. As a result, traffic is lost.

Association Between OSPF and BGP (2)

⚫ OSPF-BGP synchronization (association) can be enabled to prevent this traffic loss.
⚫ After OSPF-BGP synchronization is enabled on a device, the device remains a stub router for the configured synchronization period. That is, the link metric in the router-LSA it advertises is the maximum value 65535, so it tells the other OSPF devices not to use it as a transit node for data forwarding.

Configure the stub router:
[Huawei-ospf-1] stub-router [ on-startup [ interval ] ]

• A stub router is a special route selection method: paths through the stub router are not preferred.
• The implementation sets the metric of the router's links to the maximum value (65535) so that data is not forwarded through the router. It is used to protect the router and its links, usually in maintenance scenarios such as an upgrade.

Figure: with BGP association enabled on R2, R1 continues to forward traffic through R3 and does not forward traffic to R2 until BGP route convergence on R2 is complete.

• Command: [Huawei-ospf-1] stub-router [ on-startup [ interval ] ]
▫ on-startup [ interval ]: specifies how long the device remains a stub router after it restarts or fails. The value is an integer ranging from 5 to 65535, in seconds. The default value is 500s.
▪ If on-startup is not configured, the device is always a stub router; that is, the cost of all links advertised by this device is 65535.
▪ If on-startup is specified, the device remains a stub router only after it restarts or fails, for the duration given by interval. If interval is not specified, the default value of 500s is used.

OSPF Forwarding Address

⚫ Forwarding address (FA):
 The FA is the address to which a data packet for the advertised destination should be forwarded. If the FA is 0.0.0.0, the packet is forwarded to the originating ASBR (the advertising router of the LSA).
 Type 5 AS-External LSAs and Type 7 NSSA LSAs have the following layout:
   LS Age | Options | LS Type
   Link State ID
   Advertising Router
   LS Sequence Number
   LS Checksum | Length
   Network Mask
   E | 0 | Metric
   Forwarding Address
   External Route Tag
   ……
 OSPF Type 5 and Type 7 LSAs contain the dedicated FA field. The FA enables OSPF to avoid suboptimal paths in some specific scenarios.

Problem Occurring When No FA Is Used

Figure: R1 (GE0/0/1, 10.1.123.1), R2 (GE0/0/1, 10.1.123.2) and R3 (GE0/0/1, 10.1.123.3) share the segment 10.1.123.0/24; R1 owns 10.1.1.1/32. R2, R3 and R4 are in Area 0.

OSPF runs on R2, R3 and R4, which are deployed in Area 0. OSPF is enabled on GE0/0/1 of R2 and GE0/0/1 of R3, and an OSPF adjacency is established between these two routers. No OSPF adjacency exists between R1 and either of them.
 Configure a static route to 10.1.1.1/32 on R2, with 10.1.123.1 (R1) as the next hop.
 R2 imports the static route into OSPF and generates a Type 5 LSA for 10.1.1.1/32, which is flooded through the area.
 After R3 receives the Type 5 LSA from R2, it calculates an external route to 10.1.1.1/32 and sets the next hop of that route to R2 (10.1.123.2), even though R1 sits on the same segment as R3.
⚫ The path from a router in the OSPF domain (for example, R4) to 10.1.1.1/32 is R4 -> R3 -> R2 -> R1, which is suboptimal: the packets cross the 10.1.123.0/24 segment twice.

Using FA to Solve the Suboptimal Path Problem

Figure: the same topology; the Type 5 LSA for 10.1.1.1/32 now carries FA = 10.1.123.1, and R3 sends packets for 10.1.1.1/32 directly to R1.

⚫ When advertising the external route to 10.1.1.1/32 into the OSPF area, R2 sets the FA of the corresponding Type 5 LSA to 10.1.123.1, the next hop of the external route.
⚫ When R3 receives the LSA, it calculates the route to 10.1.1.1/32 and finds that the FA is not 0. R3 therefore treats the FA as the place to forward to: it looks up its own route to 10.1.123.1, which is directly connected on the shared segment, so the next hop to 10.1.1.1/32 becomes 10.1.123.1 rather than R2.

FA Values

⚫ When an ASBR imports external routes, if the FA field in the Type 5 LSA is 0, a receiving router sends data packets for the destination network segment toward the ASBR. If the FA field is not 0, the receiving router sends them toward the device identified by the FA.
⚫ The ASBR sets the FA field to a non-zero value only when all the following conditions are met:
 OSPF is enabled on the ASBR interface that is the outbound interface of the external route (the interface connected to the external network).
 That interface is not configured as a silent interface.
 The OSPF network type of that interface is broadcast or NBMA.
 The IP address of that interface is within a network segment specified by the network command in the OSPF configuration.
⚫ On the receiving side, the route to the FA must be an OSPF intra-area or inter-area route. Only then does the router use the external LSA in route calculation; the next hop of the resulting external route is the next hop of the router's route to the FA. If the router has no such route to the FA, the external LSA is ignored.

• Type 7 LSAs in an NSSA are translated into Type 5 LSAs.
▫ To advertise external routes imported into an NSSA to other areas, Type 7 LSAs must be translated into Type 5 LSAs. By default, the translator is the ABR with the largest router ID in the NSSA.
▫ The propagate bit (P-bit) in the Options field of the LSA header tells the translator whether a Type 7 LSA should be translated into a Type 5 LSA. A Type 7 LSA is translated only when its P-bit is set to 1 and its FA is not 0.
▫ The P-bit is not set in Type 7 LSAs generated by an ABR.
• Note: All OSPF LSAs share the same LSA header, and the P-bit is in the Options field of that header.

Case: Typical FA Application in NSSA Scenarios

⚫ When multiple ABRs exist in an NSSA, the system automatically selects one ABR as the translator that converts Type 7 LSAs into Type 5 LSAs. The other ABRs do not translate.

Figure: R1 is in Area 0; R2 (router ID 10.1.2.2) and R3 (router ID 10.1.3.3) are ABRs between Area 0 and the NSSA; R4 is in the NSSA and connects to R5, which imports the direct route 10.1.5.0/24 and originates a Type 7 LSA with FA = 10.1.45.5, its address toward R4. The path through R3 is the low-bandwidth one, the path through R2 the high-bandwidth one.

⚫ If the FA were not considered, R1 would send packets through the ABR R3, because R3 has the larger router ID, is therefore the translator, and is the advertising router of the Type 5 LSA that R1 receives. Traffic would then be diverted to the low-bandwidth path R1 -> R3 -> R4 -> R5.
⚫ With the FA, traffic reaches the destination network segment over the high-bandwidth link: the path without the FA is R1 -> R3 -> R4 -> R5; the path with the FA is R1 -> R2 -> R4 -> R5.

• As shown in the figure:
▫ R5 imports its direct routes; the FA of the Type 7 LSA for 10.1.5.0/24 is 10.1.45.5, the address R5 uses toward the NSSA.
▫ R3 translates the Type 7 LSA into a Type 5 LSA, and the Type 5 LSA still carries the FA 10.1.45.5.
▫ On receipt, R1 looks up its OSPF routing table for the route to the FA and uses that route's next hop as the next hop of the external route.
▫ R1 therefore reaches 10.1.5.0/24 through the path R1 -> R2 -> R4 -> R5.
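The two sides of FA handling, the ASBR deciding whether it may fill in a non-zero FA (FA Values slide) and the receiving router resolving the external route through the FA (this NSSA case), fit in one small model. The following added example (not code from the training material or from Huawei VRP) implements both, plus the P-bit/FA gate a translator applies to Type 7 LSAs. The routing-table representation, the use of /32 router-ID routes to stand in for "the route to the ASBR", and the next-hop addresses for R1's links are assumptions built from the figure above.

```python
"""Forwarding-address handling on both ends of an external LSA.

Added example, not from the training material. (1) The ASBR-side test the
page lists for populating a non-zero FA; (2) the translator gate for Type 7
LSAs (P-bit set and FA != 0); (3) receiver-side next-hop resolution: FA ==
0.0.0.0 sends traffic toward the advertising ASBR, a non-zero FA is looked up
in the OSPF routing table and must resolve to an intra-area or inter-area
route, whose next hop is reused. The routing-table layout and the topology
values (from the NSSA case above) are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Route = Tuple[str, str]   # (route type: "intra" | "inter" | "external", next hop)

# Constructed OSPF routing table of R1; router-ID /32s stand in for the
# route to each ASBR. Next-hop addresses are assumed.
R1_OSPF_RIB: Dict[str, Route] = {
    "10.1.2.2/32":  ("intra", "10.1.12.2"),   # R2 via the high-bandwidth R1-R2 link
    "10.1.3.3/32":  ("intra", "10.1.13.3"),   # R3 via the low-bandwidth R1-R3 link
    "10.1.45.0/24": ("inter", "10.1.12.2"),   # R4-R5 segment, learned through R2
}


@dataclass(frozen=True)
class AsbrInterface:
    ospf_enabled: bool
    silent: bool
    network_type: str            # "broadcast", "nbma", "p2p" or "p2mp"
    covered_by_network_cmd: bool


def forwarding_address(iface: AsbrInterface, next_hop: str) -> str:
    """FA the ASBR writes into the Type 5/7 LSA for a route leaving via iface."""
    if (iface.ospf_enabled and not iface.silent
            and iface.network_type in ("broadcast", "nbma")
            and iface.covered_by_network_cmd):
        return next_hop
    return "0.0.0.0"


def can_translate_type7(p_bit: bool, fa: str) -> bool:
    """A translator ABR converts a Type 7 LSA only if P-bit set and FA non-zero."""
    return p_bit and fa != "0.0.0.0"


def lookup(rib: Dict[str, Route], addr: str) -> Optional[Route]:
    """Longest-prefix match in the OSPF routing table."""
    target = ipaddress.IPv4Address(addr)
    best_len, best = -1, None
    for prefix, entry in rib.items():
        net = ipaddress.IPv4Network(prefix)
        if target in net and net.prefixlen > best_len:
            best_len, best = net.prefixlen, entry
    return best


def external_next_hop(rib: Dict[str, Route], adv_router: str, fa: str) -> Optional[str]:
    """Next hop a receiving router installs for an external LSA.

    FA 0.0.0.0: follow the route to the advertising ASBR. Otherwise the route
    to the FA must be intra- or inter-area and its next hop is reused.
    Returns None when the LSA cannot be used for route calculation.
    """
    route = lookup(rib, adv_router if fa == "0.0.0.0" else fa)
    if route is None or route[0] not in ("intra", "inter"):
        return None
    return route[1]
```

The last condition matters operationally: if the FA is only reachable through another external route (or not at all), the whole external LSA is dropped from route calculation, which shows up as a missing route rather than as a suboptimal one.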

OSPF GR
⚫ During a device restart, GR ensures uninterrupted data forwarding in the forwarding plane and prevents actions
such as neighbor relationship reestablishment and route calculation in the control plane from affecting functions in
the forwarding plane. This prevents service interruption caused by route flapping, ensures the data forwarding of
key services, and improves the reliability of the entire network.
Type 9 Opaque LSAs (Grace-LSAs) are added. ⚫ TLV types:
 Grace Period TLV: This TLV indicates the maximum hold time for
• OSPF implements GR through Grace-LSAs. a neighbor to remain in the GR Helper state. The Type value of the
TLV is 1, and the length is 4 bytes. If the GR Restarter has not
• Such LSAs are used to inform neighbors of information such completed the GR process when the timer expires, the neighbor no
as the GR time, reason, and interface address when the GR longer functions as a GR Helper. (Mandatory)
starts and exits.  Graceful Restart Reason TLV: This TLV notifies a neighbor of the
GR Restarter's restart reason. The Type value of the TLV is 2, and
the length is 1 byte. (Mandatory)
LS Age Options LS Type=9
◼ The value 0 indicates that the reason is unknown.
Opaque
0 ◼ The value 1 indicates that the software is restarted.
Type=3
◼ The value 2 indicates that the software is reloaded or upgraded.
Advertising Router
◼ The value 3 indicates that the GR Restarter performs an
LS Sequence Number active/standby switchover.
 IP Interface Address TLV: This TLV is used to notify the IP address
LS Checksum Length of the interface that sends Grace-LSAs. The IP address uniquely
TLVs (Type-Length-Value) identifies a restarted device on the network. The Type value of the
TLV is 3, and the length is 4 bytes.

49 Huawei Confidential

• GR is a fault-tolerant redundancy technique and has been widely used to ensure


non-stop forwarding of key services during an active/standby switchover or
system upgrade.
• GR reasons:
▫ Unknown: GR is triggered for an unknown reason.
▫ Software restart: GR is triggered by a command.
▫ Software reload/upgrade: GR is triggered by a software reloading or
upgrade.
▫ Switch to redundant control processor: GR is triggered by an unexpected
active/standby switchover.
• GR classification:
▫ Totally GR: When a neighbor of a router does not support GR, the router
exits the GR state.
▫ Partial GR: When a neighbor does not support GR, only the interface
associated with this neighbor exits GR, whereas the other interfaces
perform GR processing normally.
▫ Planned GR: Triggered by a command, a device is restarted or performs an
active/standby switchover. Before the device restarts or performs an
active/standby switchover, the Restarter sends Grace-LSAs.
▫ Unplanned GR: Different from the implementation of a planned GR, the
implementation of an unplanned GR is as follows: A router restarts or
performs an active/standby switchover due to a fault or other reasons,
without sending Grace-LSAs first, and enters GR after the original standby
main control board goes up. The following procedure is the same as that in
a planned GR.
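The Grace-LSA layout described above, as an added example that is not Huawei's or any vendor's code: a small encoder/decoder for the Type 9 (opaque type 3) LSA and its three TLVs, with the checks a receiving Helper would apply (mandatory TLVs present, period within 1 to 1800 seconds, LS age 3600 meaning the LSA is being flushed). The LSA checksum is left at zero for illustration, and the addresses and sequence numbers are constructed sample values.

```python
"""Grace-LSA (OSPF Type 9 opaque LSA, opaque type 3) encoder/decoder.
Added example, not vendor code. Layout: 20-byte LSA header followed by
Type-Length-Value triples whose values are padded to a 4-byte boundary."""
import struct
from ipaddress import IPv4Address

LS_TYPE_LINK_LOCAL_OPAQUE = 9
OPAQUE_TYPE_GRACE = 3
MAX_LS_AGE = 3600          # a Grace-LSA flushed on GR exit carries this age
MAX_GR_PERIOD = 1800       # maximum GR duration stated in the material

# TLV types carried in a Grace-LSA
GRACE_PERIOD_TLV = 1          # 4-byte period in seconds, mandatory
RESTART_REASON_TLV = 2        # 1-byte reason code, mandatory
IP_INTERFACE_ADDRESS_TLV = 3  # 4-byte IPv4 address of the sending interface

RESTART_REASONS = {
    0: "unknown",
    1: "software restart",
    2: "software reload/upgrade",
    3: "switch to redundant control processor",
}


def _pad4(n):
    """Round a TLV value length up to the next multiple of 4."""
    return (n + 3) & ~3


def encode_tlvs(period, reason, iface_addr=None):
    """Serialize the Grace-LSA body. The Length field counts only the
    unpadded value; the Reason TLV value is padded with three zero bytes."""
    if not 1 <= period <= MAX_GR_PERIOD:
        raise ValueError("grace period must be 1..1800 seconds")
    if reason not in RESTART_REASONS:
        raise ValueError("unknown restart reason code")
    body = struct.pack("!HHI", GRACE_PERIOD_TLV, 4, period)
    body += struct.pack("!HHB3x", RESTART_REASON_TLV, 1, reason)
    if iface_addr is not None:
        body += struct.pack("!HH4s", IP_INTERFACE_ADDRESS_TLV, 4,
                            IPv4Address(iface_addr).packed)
    return body


def encode_grace_lsa(adv_router, seq, period, reason, iface_addr=None, ls_age=0):
    """Prepend the 20-byte LSA header. Link State ID = opaque type (1 byte)
    followed by a 3-byte opaque ID of 0. The Fletcher checksum is left as
    zero here (assumption for illustration); real code computes it."""
    body = encode_tlvs(period, reason, iface_addr)
    link_state_id = OPAQUE_TYPE_GRACE << 24
    header = struct.pack("!HBBI4sIHH", ls_age, 0, LS_TYPE_LINK_LOCAL_OPAQUE,
                         link_state_id, IPv4Address(adv_router).packed,
                         seq, 0, 20 + len(body))
    return header + body


def decode_grace_lsa(data):
    """Parse header and TLVs into a dict. Raises ValueError on malformed
    input: wrong LS type or opaque type, bad length, truncated TLV, or a
    missing mandatory TLV. Unknown TLV types are skipped, not rejected."""
    if len(data) < 20:
        raise ValueError("truncated LSA header")
    ls_age, _opts, ls_type, lsid, adv, seq, _csum, length = struct.unpack(
        "!HBBI4sIHH", data[:20])
    if ls_type != LS_TYPE_LINK_LOCAL_OPAQUE or (lsid >> 24) != OPAQUE_TYPE_GRACE:
        raise ValueError("not a Grace-LSA")
    if length != len(data):
        raise ValueError("LSA length field does not match data")
    info = {"ls_age": ls_age, "adv_router": str(IPv4Address(adv)),
            "seq": seq, "flushed": ls_age >= MAX_LS_AGE}
    off = 20
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + tlv_len]
        if len(value) != tlv_len:
            raise ValueError("truncated TLV value")
        if tlv_type == GRACE_PERIOD_TLV and tlv_len == 4:
            info["period"] = struct.unpack("!I", value)[0]
        elif tlv_type == RESTART_REASON_TLV and tlv_len == 1:
            code = value[0]
            info["reason"] = RESTART_REASONS.get(code, f"reserved({code})")
        elif tlv_type == IP_INTERFACE_ADDRESS_TLV and tlv_len == 4:
            info["iface_addr"] = str(IPv4Address(value))
        off += 4 + _pad4(tlv_len)
    for key in ("period", "reason"):
        if key not in info:
            raise ValueError(f"mandatory TLV missing: {key}")
    return info
```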
OSPF GR Process
⚫ GR process (figure, GR session between R1 as GR Restarter and R2 as GR Helper):
 Before an active/standby switchover, R1 sends a Grace-LSA; R2 enters the Helper state.
 R1 performs the active/standby switchover; R2 sends LSAcks to acknowledge received LSAs.
 At the end of the active/standby switchover, the original standby main control board goes up. R1 sends a Grace-LSA and enters GR. After other Grace-LSAs are received, only the GR period is updated.
 Hello packets are exchanged for neighbor negotiation, and DD packets are exchanged for LSDB synchronization. The Helper helps the Restarter complete LSDB synchronization. Adjacency: Full.
 GR exits normally, routes are calculated, and LSAs are generated. R1 flushes the Grace-LSAs. The Helper exits normally, and Router-LSAs are generated.
Concepts related to GR
• GR Restarter: indicates a device that performs a protocol restart triggered by the administrator or a fault. A GR Restarter must support GR. A device can be configured to support totally GR or partial GR.
• GR Helper: indicates a neighbor of the GR Restarter. A GR Helper helps the GR Restarter maintain a stable routing relationship. Therefore, the GR Helper must support GR. The Helper can be configured to support planned GR or unplanned GR or selectively support GR through policies.
• GR session: indicates a session, through which a GR Restarter and a GR Helper learn each other's GR capabilities and negotiate GR capabilities. A GR session involves implementations such as protocol restart notification and information exchanges during a protocol restart.
• GR duration: The maximum GR duration is 1800s. A device can exit GR regardless of whether GR succeeds or fails, without waiting for GR to expire.

• On the Restarter:
▫ In planned GR mode, after a command is run to trigger an active/standby
switchover on the Restarter, the Restarter sends a Grace-LSA to each
neighbor to notify them of the GR period and reason, and then performs an
active/standby switchover. This prevents an interruption of the neighbor
relationships due to the long time taken for the original standby main
control board to go up, which would otherwise cause a GR failure.
▫ After the original standby main control board goes up, the router notifies
the routing management (RM) module that the GR starts. After the
interfaces previously enabled with OSPF on the original standby main
control board recover, a Grace-LSA is sent immediately to notify neighbors
that the local device has started a GR. Then, another five Grace-LSAs are
sent consecutively to each neighbor to ensure reception. This
implementation is defined by vendors, but not in the protocol. The router
does not age FIB entries in this case. Therefore, the communication is
normal. If GR is not supported, the router directly ages FIB entries. As a
result, routing is interrupted. In this case, the router restarts normally
(non-GR process). The Grace-LSAs sent by the Restarter are used to notify
neighbors that the Restarter enters GR. During GR, the neighbors retain
neighbor relationships with the Restarter so that other routers are unaware
of the switchover on the Restarter.
▫ The Restarter negotiates with its neighbors to enter the standard adjacency
establishment process. The neighbor states change as follows: Down → Init
→ Exstart. Then, DD packets are exchanged to complete LSDB
synchronization. During the update of LSAs, if the LSAs (Type 1 LSAs and
Type 2 LSAs) received from a Helper do not contain the link to the local
device, it indicates that the network topology has changed or the neighbor
does not support the Helper mode. In this case, GR fails, and the local
router exits GR and restarts normally.
▫ Each time the neighbor relationship between the router and a neighbor
enters the Full state, the router calculates routes and updates its routing
table. The router, however, does not update FIB entries immediately.

▫ If the GR timer expires, GR fails, and the router exits GR and restarts
normally.

▫ The router checks whether the neighbor relationships with all its neighbors
reach the Full state. If so, the router floods all Grace-LSAs (with the LSA
age being 3600s).
▫ GR exits normally. The router regenerates Router-LSAs and sends them to
all the areas to which the router belongs. If some interfaces are DRs, the
router regenerates Network-LSAs on the corresponding network segments.
The router then recalculates routes and updates its routing table. The
router updates its FIB and deletes invalid routing entries.

• On the Helper:
▫ After receiving a Grace-LSA from the Restarter, the device enters the Helper
mode if the LSAs exchanged between the two ends have no change and the
received Grace-LSA matches a filtering policy. If the network topology
changes, the received Grace-LSA is aged, or the device is in the Restarter
state, the device cannot enter the Helper mode.

▫ The Helper continues to send Hello packets to the Restarter to keep the
state of the adjacency between them unchanged. At this time, the
Restarter's neighbor state is Exstart, and therefore the Restarter implements
LSDB synchronization with the Helper. After receiving a DD packet from the
Restarter, the Helper generates a SeqMismatch event. This is because the
Helper is not expected to receive any DD packet when the neighbor state is
Full. When the neighbor state of the Helper changes from Full to Exstart,
the Helper starts to exchange DD packets with the other end to synchronize
LSDBs. The DD packet sent by the Restarter does not carry complete LSAs,
whereas the Helper has complete LSAs. Therefore, the neighbor state of the
Helper quickly changes from Exstart to Exchange and then to Full. The
Helper sends its LSAs to the Restarter for synchronization. If the Helper
continues to receive Grace-LSAs with different GR periods, it updates only
the GR period.
▫ If the GR timer expires, the GR Helper exits the Helper mode.

▫ When the Helper receives flooded Grace-LSAs, it indicates that the GR is
complete. In this case, the Helper exits the Helper state.
▫ The Helper regenerates a Router-LSA on the network segment connected to
the Restarter. If the Helper is a DR, it generates a Network-LSA.
OSPF GR Exit
⚫ Reasons why a device exits GR (by GR execution result):
GR succeeds.
• GR Restarter: Before GR expires, the Restarter re-establishes neighbor relationships with all its pre-active/standby switchover neighbors.
• GR Helper: When the GR Helper receives the Grace-LSA with the age being 3600s from the Restarter, the neighbor relationship with the Restarter is Full.
GR fails.
GR Restarter:
• GR expires, and neighbor relationships have not recovered completely.
• The Router-LSA or Network-LSA sent by the Helper causes a failure in the bidirectional check on the Restarter.
• The status of the GR Restarter's interface changes.
• The Restarter receives a Grace-LSA generated by another router on the same network segment. Only one router can perform a GR on the same network segment at the same time.
• The topology of neighbors on the same network segment with the Restarter changes.
GR Helper:
• The GR Helper has not received any Grace-LSA from the Restarter when the neighbor relationship expires.
• The status of the Helper's interface changes.
• The GR Helper receives LSAs, which are different from the LSAs in its own LSDB, from other routers. You can configure the GR Helper not to perform a strict LSA check to avoid this issue.
• On the same network segment, the GR Helper receives Grace-LSAs from two routers at the same time.
• The neighbor relationships between the GR Helper and other routers change.

Configuring OSPF GR (1)


1. Enable the opaque LSA capability.

[Huawei-ospf-1] opaque-capability enable

This command enables the opaque LSA capability so that the OSPF process can generate opaque LSAs and
receive opaque LSAs from neighbors. To use the OSPF GR function, which is implemented through Type 9 LSAs,
the opaque LSA capability must be enabled first.

2. Enable OSPF GR and configure GR session parameters on the Restarter.

[Huawei-ospf-1] graceful-restart [ period period | planned-only | partial ]

period period: specifies a GR period. The value is an integer ranging from 1 to 1800, in seconds. The default
value is 120.
planned-only: indicates that the router supports only planned GR. By default, a router supports both planned
GR and unplanned GR.
partial: indicates that the router supports partial GR. By default, a router supports totally GR.


• Before configuring OSPF GR, complete the following tasks:


▫ Configure an IP address for each involved interface to ensure that
neighboring devices can communicate with each other at the network layer.

▫ Configure basic OSPF functions.


Configuring OSPF GR (2)


3. (Optional) Configure the GR Helper mode and set GR session parameters on the Helper.

[Huawei-ospf-1] graceful-restart [ period period | partial | planned-only ] * helper-role { { [ ip-prefix ip-prefix-name | acl-number acl-number | acl-name acl-name ] | ignore-external-lsa | planned-only } * | never }

period period: specifies a GR period. The value is an integer ranging from 1 to 1800, in seconds. The default value is 120.
planned-only: indicates that the device supports only planned GR. By default, a device supports both planned GR and
unplanned GR.
partial: indicates that the device supports partial GR. By default, the device supports totally GR.
ip-prefix ip-prefix-name: specifies the name of an IP prefix list.
acl-number acl-number: specifies the number of a basic ACL. An ACL can be used to configure a filtering policy, and the device
enters the Helper mode only after received packets match the filtering policy.
acl-name acl-name: specifies the name of an ACL.
ignore-external-lsa: configures the Helper not to check Type 5 LSAs or Type 7 LSAs. By default, a Helper checks external LSAs.
never: indicates that the device does not support the Helper mode.

4. Check OSPF GR configurations and OSPF GR information.

[Huawei] display ospf [ process-id ] graceful-restart [ verbose ]

Example for Configuring OSPF GR (1)
Topology (figure): R1's GE0/0/0 (10.1.13.1) connects to R3 (10.1.13.3) over 10.1.13.0/30 in OSPF area 0; R1's GE0/0/1 (10.1.12.1) connects to R2 (10.1.12.2) over 10.1.12.0/30 in OSPF area 1.
⚫ Routers R1, R2, and R3 each are equipped with two main control boards, which back up each other. The routers interwork through OSPF and support GR.
⚫ It is required that traffic forwarding be not interrupted when R1 restarts an OSPF process or performs an active/standby switchover in GR mode.
1. Assign an IP address to each involved interface and configure OSPF on each device. The configuration details are omitted.
2. Enable OSPF GR on R1, R2, and R3.
[R1] ospf 1
[R1-ospf-1] opaque-capability enable
[R1-ospf-1] graceful-restart
[R2] ospf 1
[R2-ospf-1] opaque-capability enable
[R2-ospf-1] graceful-restart
[R3] ospf 1
[R3-ospf-1] opaque-capability enable
[R3-ospf-1] graceful-restart

Example for Configuring OSPF GR (2)
3. Check the OSPF GR status on each router. The following example uses the command output on R1.
<R1> display ospf 1 graceful-restart
OSPF Process 1 with Router ID 10.1.13.1
Graceful-restart capability : enabled
Graceful-restart support : planned and un-planned, totally
Helper-policy support : planned and un-planned, strict lsa check
Current GR state : normal
Graceful-restart period : 120 seconds
Number of neighbors under helper:
Normal neighbors : 0
Virtual neighbors : 0
Sham-link neighbors : 0
Total neighbors : 0
Number of restarting neighbors : 0
Last exit reason:
On graceful restart : none
On Helper : none

Example for Configuring OSPF GR (3)
4. Run the reset ospf process graceful-restart command in the user view of R1 to restart OSPF process 1, and run the display ospf peer command on R2 to check the OSPF neighbor relationship with R1.
<R1> reset ospf 1 process graceful-restart
<R2> display ospf 1 peer
OSPF Process 1 with Router ID 10.1.12.2
Neighbors
Area 0.0.0.1 interface 10.1.12.2(GigabitEthernet0/0/0)'s neighbors
Router ID: 10.1.13.1 Address: 10.1.12.1 GR State: Doing GR
State: Full Mode: Nbr is Master Priority: 1
DR: 10.1.12.1 BDR: 10.1.12.2 MTU: 0
Dead timer due in 32 sec
Retrans timer interval: 5
Neighbor is up for 00:00:13
Authentication Sequence: [ 0 ]
The OSPF neighbor state on R2 is Full, indicating that the neighbor relationship between R1 and R2 is not interrupted when R1 restarts the OSPF process in GR mode.

Example for Configuring OSPF GR (4)
5. Check the OSPF GR state on the routers. According to the following command outputs, R1 has exited the GR state normally, and R2 has exited from the Helper state normally.
<R1> display ospf 1 graceful-restart
OSPF Process 1 with Router ID 10.1.13.1
Graceful-restart capability : enabled
Graceful-restart support : planned and un-planned, totally
Helper-policy support : planned and un-planned, strict lsa check
Current GR state : normal
Graceful-restart period : 120 seconds
Number of neighbors under helper:
Normal neighbors : 0
Virtual neighbors : 0
Sham-link neighbors : 0
Total neighbors : 0
Number of restarting neighbors : 0
Last exit reason:
On graceful restart : successful exit
On Helper : none

<R2> display ospf 1 graceful-restart
OSPF Process 1 with Router ID 10.1.12.2
Graceful-restart capability : enabled
Graceful-restart support : planned and un-planned, totally
Helper-policy support : planned and un-planned, strict lsa check
Current GR state : normal
Graceful-restart period : 120 seconds
Number of neighbors under helper:
Normal neighbors : 0
Virtual neighbors : 0
Sham-link neighbors : 0
Total neighbors : 0
Number of restarting neighbors : 0
Last exit reason:
On graceful restart : none
On Helper : successful exit

NSR
⚫ High-reliability solutions include non-stop forwarding (NSF) and non-stop routing (NSR).
NSF
• The GR mechanism ensures that service forwarding is not interrupted during an active/standby switchover.
▫ If a fault occurs in the system, services in the forwarding plane are not interrupted during a system restart.
▫ After the system recovers, it re-establishes neighbor relationships, obtains routing information from neighbors, and rebuilds its routing table.
NSR
• The protocol backup mechanism ensures that routing in the control plane and services in the forwarding plane are not interrupted during an active main board (AMB)/standby main board (SMB) switchover.
• Routing is not interrupted during the AMB/SMB switchover because:
▫ Neighbor and topology information is not lost.
▫ Neighbor relationships are not interrupted.
• Advantages:
▫ This solution does not depend on or affect the peer device. Therefore, there is no interworking problem.
▫ Route convergence in NSR is faster than that in NSF.
⚫ NSR is a reliability technology used on a device with an AMB and SMB. It ensures that neighbor relationships are not affected when the AMB fails.

• NSR and GR:


▫ The system in which an AMB/SMB switchover is performed supports two
types of high-reliability protection: NSR and GR.

▫ NSR and GR, however, are mutually exclusive. That is, for a specific
protocol, only one of them can be used after a switchover.

▫ When NSR is deployed on a device, the device can still function as a GR
Helper to support the GR process of its neighbor, ensuring high reliability of
services on all nodes on the network to the greatest extent.

• Application scenario:

▫ NSF can be used if a network has low requirements for the packet loss rate
and route convergence.

▫ NSR can be used if a network has high requirements for the packet loss
rate and route convergence.
• System-level NSR is triggered in the following situations:
▫ A system fault triggers an AMB/SMB switchover.

▫ The network administrator manually triggers an AMB/SMB switchover
during a software upgrade or maintenance.

• Note: NSR fundamentals are the same in OSPF, IS-IS, and BGP. This course uses
OSPF as an example.
NSR Fundamentals
Figure: a device with an AMB, an SMB, and an LPU connected to a neighbor node, shown in two states. 1: the LPU sends packets to the AMB, and the routing protocols in the control plane back up routing information from the AMB to the SMB in real time. 2 (NSR switchover): the hardware channel detects the exception on the AMB, the SMB is instructed to become the new AMB, and LPUs are instructed to send packets to the new AMB.
⚫ NSR is implemented in three phases:
 Batch backup: After NSR is enabled and the SMB restarts, the AMB sends routing and forwarding information in batches to the SMB for backup. Batch backup is performed before real-time backup. An AMB/SMB switchover cannot be performed during batch backup in NSR.
 Real-time backup: Real-time backup starts after batch backup is complete. All updates in the control and forwarding planes are backed up from the AMB to the SMB in real time. In this phase, the SMB can take over services from the AMB at any time.
 AMB/SMB switchover: If the AMB fails in the NSR system in which backup has been completed, the SMB detects the failure through hardware status detection and becomes the new AMB. The new AMB instructs LPUs to send packets to itself. The AMB/SMB switchover is completed rapidly, with routing between the local node and its neighbor nodes uninterrupted.

• High availability (HA): implements data backup from the AMB to the SMB.
• AMB and SMB: implement control plane processes.
• Line processing unit (LPU): implements forwarding plane processes.
NSR Switchover Phase: Batch Backup
Figure: the AMB and SMB each run OSPF, BGP, and APPCFG service processes, and the LPU sends packets to the AMB. 1. The SMB completes startup. 2. Service processes start backing up service data such as routes in batches through the HA channel. The system enters the batch backup phase. 3. After service processes complete batch backup, the system enters the redundancy protection state.
⚫ After NSR is enabled and the SMB restarts, the service process on the AMB receives a message indicating that the SMB goes online. Service processes then start to back up internal data in batches.
 After batch backup is complete, the device enters the redundancy protection state. If the AMB fails in this case, the SMB becomes the new AMB based on the data backed up from the original AMB and restores services.
 If the AMB fails before batch backup is complete, the SMB may fail to become the new AMB due to incomplete service data. As a result, an NSR switchover cannot be performed; in this case, the device restarts and restores the pre-fault status.

NSR Switchover Phase: Real-Time Backup
Figure: the AMB and SMB each run OSPF and BGP, and the LPU sends packets to the AMB. 1. The neighbor status or routing information changes. 2. The AMB backs up updated information to the SMB through the HA channel. 3. The SMB sends an acknowledgement to the AMB.
⚫ After batch backup is complete, the device enters the real-time backup phase. If the neighbor status or routing information changes in this phase, the AMB backs up the updated information to the SMB in real time.

NSR Switchover Phase: AMB/SMB Switchover
Figure: the AMB and SMB each run OSPF, BGP, and IFNET above a forwarding plane, and the LPU (with its own IFNET and forwarding plane) sends packets to the AMB. 1. The hardware channel detects the exception on the AMB, the SMB is instructed to become the new AMB, and LPUs are instructed to send packets to the new AMB. 2. After the original SMB becomes the new AMB, LPUs send the information updated during the switchover to the new AMB. 3. After the switchover is complete, the new AMB performs NSR backup to the new SMB.
⚫ After the batch backup is complete, the system enters the redundancy protection state. If a software or hardware fault occurs on the AMB, the SMB detects the fault on the AMB through underlying hardware detection and automatically becomes the new AMB.
⚫ The new AMB uses the data backed up from the original AMB to process services. At the same time, LPUs send the information updated during the switchover to the new AMB. Routing and traffic forwarding are not interrupted in this case.

Configuring NSR
1. Enable NSR.

[Huawei] switchover mode { nonstop-routing | nonstop-forwarding }

This command is used to set an HA working mode. The default HA working mode is NSF.
nonstop-routing: sets the HA working mode to NSR. In NSR mode, the system can process routes and forward
services without interruption.
nonstop-forwarding: sets the HA working mode to NSF. The NSF mode greatly reduces the service interruption
time.

2. Verify the configuration.

[Huawei] display switchover mode


Check the HA working mode of the current system.
[Huawei] display ip routing-table [ vpn-instance vpn-instance-name ] [ verbose ]
Check post-AMB/SMB switchover routing information.
[Huawei] display fib [ slot-id ] [ vpn-instance vpn-instance-name ] [ verbose ]
Check post-AMB/SMB switchover forwarding information.
Contents

1. OSPF Fast Convergence

2. OSPF Route Control

3. Other OSPF Features

4. Advanced IS-IS Features

Overview of IS-IS Fast Convergence


⚫ IS-IS fast convergence is an extended feature designed to speed up route convergence. It provides a
series of functions, covering incremental SPF (I-SPF), PRC, intelligent timer, and LSP fast flooding.
⚫ IS-IS supports fast convergence after a fault is rectified. For example, IS-IS auto FRR can be used to
quickly switch traffic to a backup link, and IS-IS can be associated with BFD to quickly detect faults.


• The functions, including PRC, intelligent timer, and FRR of IS-IS are similar to
those of OSPF and therefore not detailed here.
I-SPF
⚫ I-SPF implementation: When the network topology changes, I-SPF recalculates routes only for affected nodes instead of all nodes, speeding up route calculation.
Figure: an SPT with R1 (root) at the top, R2 and R3 in the next layer, R4 and R5 below them, and R6 (new) attached under R5. In route calculation, a node represents a router, and a leaf represents a route. I-SPF processes the information of only changed nodes.
• Scenario description:
▫ On an IS-IS network, an SPT with R1 as the root is calculated after route convergence, as shown in the figure. When R1 accesses R5, the traffic of R1 is forwarded to R5 based on [the outbound interface of R1's downlink and the IP address of the inbound interface of R3's uplink].
▫ R6 is added as a downstream device of R5. IS-IS is enabled on R6, meaning that there is a new network node on the IS-IS network.
• I-SPF calculation:
▫ R5 and R6 both flood LSPs carrying information about their neighbor relationship on the entire network.
▫ After receiving such an LSP, R1 performs I-SPF calculation only for R5 and R6 to generate a new SPT.
▫ Therefore, when R1 accesses R5 and R6, the traffic of R1 is forwarded to R5 and R6 based on [the outbound interface of R1's downlink and the IP address of the inbound interface of R3's uplink].

• SPF for route calculation: If a node on a network changes, SPF recalculates routes
for all the nodes on the network, which takes a long time, consumes a large
number of CPU resources, and consequently reduces the network-wide
convergence speed.
• I-SPF is an improvement of SPF. Unlike SPF that calculates all nodes, I-SPF
calculates only affected nodes. The SPT generated using I-SPF is the same as that
generated using SPF. This significantly decreases CPU usage and speeds up
network convergence.
• I-SPF and PRC are used together on an IS-IS network.
▫ If the SPT calculated by I-SPF changes, PRC processes all the leaves (routes)
of only the changed node.

▫ If the SPT calculated by I-SPF does not change, PRC processes only the
changed leaves (routes). For example, if IS-IS is newly enabled on an
interface of a node, the SPT on the network remains unchanged. In this
case, PRC updates only the routes of this interface, which consumes less
CPU resources.
LSP Fast Flooding


⚫ LSP fast flooding: speeds up the flooding of LSPs.
 Generally, when an IS-IS router receives new or updated LSPs from other routers, it updates the local LSDB and
periodically floods the involved LSPs.
 LSP fast flooding speeds up LSDB synchronization because it allows a device to flood a number of LSPs (not
exceeding the upper limit) before route calculation when the device receives one or more new or updated LSPs.
This flooding mode significantly speeds up the network-wide convergence speed.
 Enable LSP fast flooding.

[Huawei-isis-1] flash-flood [ lsp-count | max-timer-interval interval | [ level-1 | level-2 ] ]


Note: You can specify the maximum number of LSPs to be flooded at a time. Once specified, the number takes
effect on all IS-IS interfaces. The actual number of LSPs that can be sent at a time is limited to the number
specified by lsp-count.


• Command: [Huawei-isis-1] flash-flood [ lsp-count | max-timer-interval interval | [ level-1 | level-2 ] ]
▫ lsp-count: specifies the maximum number of LSPs that can be flooded on
each interface at a time. The value is an integer ranging from 1 to 15. The
default value is 5.

▫ max-timer-interval interval: specifies the maximum interval at which LSPs


are flooded. The value is an integer ranging from 10 to 50000, in
milliseconds. The default value is 10.

▫ level-1: enables the LSP flash-flood function in the Level-1 area. If no level
is specified in the command, this function is enabled in both Level-1 and
Level-2 areas.

▫ level-2: enables the LSP flash-flood function in the Level-2 area. If no level
is specified in the command, this function is enabled in both Level-1 and
Level-2 areas.
Overview of IS-IS Route Control


⚫ In real-world applications, IS-IS routes calculated using SPF sometimes cannot meet network planning
and traffic management requirements, which may lead to various problems, such as slow table lookup
due to a large number of routing entries in routing tables and unbalanced link usage on a network. To
optimize IS-IS networks and facilitate traffic management, more precise route control is required. You
can use any of the following methods to implement the control:
 Adjusting the IS-IS preference
 Adjusting the IS-IS interface cost
 Configuring equal-cost routes
 Configuring IS-IS route leaking
 Configuring default route advertisement
 Importing external routes
 Configuring filter-policies


• This course involves only equal-cost and default routes. For details about other
control methods, see HCIP-Datacom-Core Technology.
Equal-Cost Route
⚫ If there are multiple redundant links on an IS-IS network, multiple equal-cost routes to the same
destination may exist. In this case, you can use either of the following methods to configure equal-cost
routes:
 Configure load balancing so that traffic is evenly distributed to relevant links.
◼ This method improves link utilization and reduces the possibility of congestion caused by overloaded links. However,
because traffic will be randomly forwarded, this method may make traffic management difficult.

 Configure a preference for each equal-cost route so that the route with the highest preference is preferentially
selected and the others function as backups.
◼ This method is used to specify the preferred route among multiple equal-cost routes, without the need to modify original
configurations. It facilitates traffic management and improves network reliability.
◼ Note: After preferences are configured for equal-cost routes, IS-IS devices forward traffic to the next hop with the highest
preference, instead of forwarding traffic in load balancing mode.

Configuration of Equal-Cost IS-IS Routes


1. Configure load balancing among equal-cost IS-IS routes.
[Huawei-isis-1] maximum load-balancing number
Configure the maximum number of equal-cost routes that participate in load balancing.

2. Configure preferences for equal-cost IS-IS routes.


[Huawei-isis-1] nexthop ip-address weight value
By default, no preferences are configured for equal-cost IS-IS routes. A smaller value indicates a higher
preference.

⚫ If the number of equal-cost routes is greater than the number specified using the maximum load-balancing
command, routes are selected for load balancing according to the following rules in sequence:
 Route preference: Routes with smaller preference values (higher preferences) are selected for load balancing.
 Next-hop system ID: If all equal-cost routes have the same preference, routes with smaller next-hop system IDs are selected for
load balancing.

 Local outbound interface index: If all equal-cost routes have the same preference and next-hop system ID, routes with smaller
local outbound interface indexes are selected for load balancing.

• Command: [Huawei-isis-1] maximum load-balancing number


▫ number: specifies the maximum number of equal-cost routes that
participate in load balancing. The value varies according to the device
model.
• Command: [Huawei-isis-1] nexthop ip-address weight value

▫ ip-address: specifies the IP address of the next hop. The value is in dotted
decimal notation.

▫ weight value: specifies the weight of the next hop. A smaller value
indicates a higher preference. The value is an integer ranging from 1 to 254.
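The selection rules above (weight, then next-hop system ID, then local outbound interface index, with a configured preference overriding load balancing), applied in code as an added example that is not Huawei's implementation. The next-hop addresses follow the example on the following slides; the system IDs, interface indexes and the treatment of an unconfigured weight as ranking after every configured weight are constructed assumptions.

```python
"""Select IS-IS equal-cost next hops for load balancing.
Added example, not vendor code; follows the ordering rules on the slide."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: a next hop with no "nexthop ... weight" configured ranks
# after every configured weight (configured weights are 1..254).
UNCONFIGURED_WEIGHT = 255


@dataclass(frozen=True)
class NextHop:
    address: str                  # next-hop IP address
    system_id: str                # IS-IS system ID of the next-hop router, e.g. "0000.0000.0002"
    ifindex: int                  # local outbound interface index
    weight: Optional[int] = None  # None = no preference configured


def system_id_value(system_id: str) -> int:
    """Compare system IDs as 48-bit numbers, not as text."""
    digits = system_id.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad system ID: {system_id}")
    return int(digits, 16)


def effective_weight(hop: NextHop) -> int:
    """Weight used for ordering: smaller is more preferred."""
    if hop.weight is None:
        return UNCONFIGURED_WEIGHT
    if not 1 <= hop.weight <= 254:
        raise ValueError("weight must be 1..254")
    return hop.weight


def select_next_hops(hops: List[NextHop], max_load_balancing: int) -> List[NextHop]:
    """Return the next hops installed for one destination.

    Ordering: smaller weight (higher preference), then smaller next-hop
    system ID, then smaller local outbound interface index. If any weight
    has been configured, only the most preferred next hop(s) are kept
    instead of balancing across all equal-cost routes; the remaining
    candidates are then cut to the "maximum load-balancing" limit."""
    if max_load_balancing < 1:
        raise ValueError("maximum load-balancing must be at least 1")
    ordered = sorted(
        hops,
        key=lambda h: (effective_weight(h), system_id_value(h.system_id), h.ifindex),
    )
    if any(h.weight is not None for h in hops):
        best = effective_weight(ordered[0])
        # Assumption: several next hops sharing the best weight still balance.
        ordered = [h for h in ordered if effective_weight(h) == best]
    return ordered[:max_load_balancing]
```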
Example for Configuring Equal-Cost Routes (1)


⚫ On the network shown in the figure, IS-IS runs on R1, R2, and R3. It is required that R1 be able to access the loopback interface address of R3 through path R1 -> R3 or R1 -> R2 -> R3.

Figure: R1 connects directly to R3 through GE0/0/0 (Cost=10) and indirectly to R3 through R2; IS-IS runs on all three routers.

Device   Interface   IP Address
R1       GE0/0/0     10.1.13.1/24
R1       GE0/0/1     10.1.12.1/24
R2       GE0/0/1     10.1.12.2/24
R2       GE0/0/2     10.1.23.2/24
R3       Loopback0   10.1.3.3/32
R3       GE0/0/0     10.1.13.3/24
R3       GE0/0/2     10.1.23.3/24

1. Assign IP addresses to device interfaces and configure IS-IS on each device.
(Omitted)

2. Configure the number of IS-IS equal-cost routes for load balancing on R1.
[R1] isis
[R1-isis-1] maximum load-balancing 2

3. Verify the configuration.
[R1]display ip routing-table
Route Flags: R - relay, D - download to fib
-------------------------------------------------------------------------------------------
Destination/Mask    Proto    Pre  Cost  Flags  NextHop     Interface
10.1.3.3/32         ISIS-L2  15   10    D      10.1.13.3   GigabitEthernet0/0/0
                    ISIS-L2  15   10    D      10.1.12.2   GigabitEthernet0/0/1


Example for Configuring Equal-Cost Routes (2)


⚫ On the network shown in the figure, IS-IS runs on R1, R2, and R3. It is required that R1 be able to access the loopback interface address of R3 through path R1 -> R3 or R1 -> R2 -> R3.

Figure: R1 connects directly to R3 through GE0/0/0 (Cost=10) and indirectly to R3 through R2; IS-IS runs on all three routers.

Device   Interface   IP Address
R1       GE0/0/0     10.1.13.1/24
R1       GE0/0/1     10.1.12.1/24
R2       GE0/0/1     10.1.12.2/24
R2       GE0/0/2     10.1.23.2/24
R3       Loopback0   10.1.3.3/32
R3       GE0/0/0     10.1.13.3/24
R3       GE0/0/2     10.1.23.3/24

1. Assign IP addresses to device interfaces and configure IS-IS on each device.
(Omitted)

2. (Optional) Configure preferences for equal-cost routes on R1.
[R1] isis
[R1-isis-1] nexthop 10.1.13.3 weight 1
[R1-isis-1] nexthop 10.1.12.2 weight 2

3. Verify the configuration.
[R1]display ip routing-table
Route Flags: R - relay, D - download to fib
-------------------------------------------------------------------------------------------
Destination/Mask    Proto    Pre  Cost  Flags  NextHop     Interface
10.1.3.3/32         ISIS-L2  15   10    D      10.1.13.3   GigabitEthernet0/0/0


Default Route
⚫ IS-IS allows you to control the generation and advertisement of default routes using the following methods:
 On Level-1-2 devices, configure a rule for setting the attached (ATT) bit in Level-1 LSPs.
 Configure Level-1 devices not to automatically generate default routes even if they receive Level-1 LSPs with the ATT bit set to 1.
 Configure devices to advertise default routes to the IS-IS routing domain.

⚫ LSP packet format:
Figure: PDU Common Header; PDU Specific Header (PDU Length, Remaining Lifetime, LSP ID, Sequence Number, Checksum, and a flags byte carrying the P, ATT, OL, and IS Type fields); Variable Length Fields (TLV).

The ATT bit is generated by a Level-1-2 router to identify whether the originating router connects to other areas. Note that the ATT field has four bits, and Huawei datacom products use only one of the four bits.


Setting the ATT Bit to Control the Generation of Default Routes
⚫ In IS-IS, if a Level-1-2 device determines based on LSDB information that it can reach more areas
through a Level-2 area than through a Level-1 area, the device sets the ATT bit to 1 in Level-1 LSPs
before advertising these LSPs. Upon receipt, Level-1 devices generate default routes destined for this
Level-1-2 device.
⚫ The preceding rules are applied by default. The ATT bit can be set as required on a live network.

1. (Level-1-2 device) Configure a rule for setting the ATT bit in LSPs.
[Huawei-isis-1] attached-bit advertise { always | never }
By default, the Level-1-2 device sets the ATT bit in LSPs following the default rules.

2. (Level-1 device) Configure the device not to generate a default route after it receives LSPs carrying ATT bit 1.
[Huawei-isis-1] attached-bit avoid-learning
By default, a Level-1 device generates a default route after it receives LSPs carrying ATT bit 1.


• Command: [Huawei-isis-1] attached-bit advertise { always | never }


▫ always: indicates that the ATT bit is set to 1. After receiving an LSP with
ATT bit 1, a Level-1 device generates a default route.

▫ never: indicates that the ATT bit is set to 0. This prevents the Level-1 device
from generating default routes and reduces the size of the routing table.

• Although the ATT bit is defined in both Level-1 and Level-2 LSPs, it is set to 1
only in Level-1 LSPs advertised by Level-1-2 devices. Therefore, this command
takes effect only on Level-1-2 devices.

• To prevent Level-1 devices from advertising default routes to their routing tables,
perform either of the following operations:

▫ Run the attached-bit advertise never command on Level-1-2 devices to disable them from advertising LSPs with ATT bit 1.
▫ Run the attached-bit avoid-learning command on Level-1 devices that
connect to Level-1-2 devices.
• The difference between the preceding commands lies in that the attached-bit
avoid-learning command applies to specified Level-1 devices.

Configuring Devices to Advertise Default Routes to the IS-IS Routing Domain
⚫ After the default-route-advertise command is run on a boundary device in the IS-IS domain, the device advertises
default route 0.0.0.0/0 to the IS-IS routing domain. After that, all traffic destined for other routing domains is
forwarded to this boundary device first, and the device then forwards the traffic outside the IS-IS routing domain.

⚫ Generally, if other routing protocols are configured in addition to IS-IS, use the following two methods to forward
traffic in the IS-IS routing domain to other routing domains:
 Configure boundary devices to advertise default routes to the IS-IS routing domain. This method is simple and does not require external route learning.
 Configure boundary devices to import routes of other routing protocols into IS-IS.

Configure an IS-IS device to generate a default route.


[Huawei-isis-1] default-route-advertise [ always | match default | route-policy route-policy-name ]
[ cost cost | tag tag | [ level-1 | level-1-2 | level-2 ] ] [ avoid-learning ]
By default, an IS-IS device does not generate the default route.


• Command: [Huawei-isis-1] default-route-advertise [ always | match default | route-policy route-policy-name ] [ cost cost | tag tag | [ level-1 | level-1-2 | level-2 ] ] [ avoid-learning ]
▫ always: configures an IS-IS device to unconditionally advertise the default route and set itself as the next hop in the route.
▫ match default: advertises the default route generated by another routing protocol or IS-IS process through LSPs if such a route already exists in the routing table.
▫ route-policy route-policy-name: specifies the name of the route-policy. A Level-1-2 device advertises the default route to the IS-IS routing domain only when external routes matching the route-policy exist in the routing table of the device. This prevents routing blackholes caused by the advertisement of the default route when link faults make some important external routes unavailable. This route-policy does not affect the import of external routes into IS-IS. The value is a string of 1 to 40 case-sensitive characters, spaces not supported. If spaces are used, the string must start and end with double quotation marks (").
▫ cost cost: specifies the cost of the default route. The value is an integer. The
value range depends on cost-style. When cost-style is narrow, narrow-
compatible, or compatible, the value ranges from 0 to 63. When cost-style
is wide or wide-compatible, the value ranges from 0 to 4261412864.
▫ tag tag: specifies the tag value of the default route to be advertised. The
advertised LSPs carry the tag value only when the IS-IS cost type is wide,
wide-compatible, or compatible. The value is an integer ranging from 1 to
4294967295.
▫ level-1: sets the level of the default route to be advertised to Level-1. If the
level is not specified, a Level-2 default route is generated by default.
▫ level-2: sets the level of the default route to be advertised to Level-2. If the
level is not specified, a Level-2 default route is generated by default.
▫ level-1-2: sets the level of the default route to be advertised to Level-1-2. If
the level is not specified, a Level-2 default route is generated by default.

▫ avoid-learning: prevents an IS-IS process from learning default routes or


adding them to the routing table. If a default route exists in the routing
table and is in the active state, set the route to inactive.
• After this command is run on a device, all traffic in the IS-IS routing domain will
be forwarded by this device to a destination outside the domain. Compared with
configuring a static default route on each router in an IS-IS routing domain,
running this command simplifies configurations, because this command only
needs to be run on boundary routers in the IS-IS routing domain. In addition, the
default-route-advertise command enables dynamic default route advertisement,
and you can specify different parameters to allow the default route to be
advertised in different ways.
• If this command is run on a Level-1 device, the device advertises the default
route only to the Level-1 area.

Example for Configuring Default Routes

⚫ As shown in the figure, OSPF runs on GE0/0/1 and Loopback0 of R1 and GE0/0/1 of R2, and IS-IS runs on GE0/0/2 of R2 and R3.
⚫ To enable R3 to access the OSPF network, configure R2 to advertise the default route to the IS-IS routing domain.
⚫ Similarly, R2 also needs to advertise the default route to the OSPF routing domain.

Figure: R1 (Loopback0: 10.1.1.1/32) -- 10.1.12.0/24 (R2 GE0/0/1) -- R2 (L2) -- 10.1.23.0/24 (R2 GE0/0/2) -- R3 (L2); OSPF runs between R1 and R2, IS-IS between R2 and R3.

1. Assign an IP address to each interface and configure OSPF/IS-IS on each device.
2. Configure R2 to advertise the default route to the IS-IS routing domain.
[R2] isis
[R2-isis-1] default-route-advertise always
3. Configure R2 to advertise the default route to the OSPF routing domain.
[R2] ospf
[R2-ospf-1] default-route-advertise always
4. Check routing entries on R3.
[R3]display ip routing-table
Route Flags: R - relay, D - download to fib
---------------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask    Proto    Pre  Cost  Flags  NextHop     Interface
0.0.0.0/0           ISIS-L2  15   10    D      10.1.23.2   GigabitEthernet0/0/2
……


IS-IS Multi-Instance and Multi-Process


⚫ In IS-IS multi-instance, multiple IS-IS processes are created on the same router, with each process associated with
one VPN instance.

⚫ In IS-IS multi-process, multiple IS-IS processes are created in the same VPN instance (or in the same public network
instance). These IS-IS processes are independent of each other. IS-IS processes function similarly to different routing
protocols in route exchange.
⚫ A network may carry different services, which need to be isolated for security. You can bind each IS-IS process to a different VPN instance.
⚫ Application scenarios:
▫ IS-IS multi-instance and multi-process are typically used in VPN scenarios.
▫ As shown in the figure, a PE is connected to two VPNs, each belonging to a different customer, and IS-IS is deployed between the PE and CEs. You can configure multiple IS-IS processes on the PE to isolate the VPN customers.

Figure: CE1 (VPN1, Site1) and CE2 (VPN2, Site2) each connect to the PE. Configuration on the PE:
[PE] isis 100 vpn-instance VPN1
[PE-isis-100] quit
[PE] isis 200 vpn-instance VPN2
[PE-isis-200] quit


• IS-IS multi-process and multi-instance have the following characteristics:


▫ In IS-IS multi-process, processes share the same global routing table. IS-IS
multi-instance, however, uses the routing tables of VPNs, with each VPN
having a separate routing table.
▫ IS-IS multi-process allows a set of interfaces to be associated with a
specified IS-IS process. This ensures that the protocol operations in the
specified IS-IS process are confined only to this set of interfaces. In this way,
multiple IS-IS processes can work on a single router, with each process
responsible for a unique set of interfaces.
▫ When creating an IS-IS process, you can bind it to a VPN instance. The IS-IS
process then accepts and processes only the events related to the VPN
instance. When the bound VPN instance is deleted, the IS-IS process is also
deleted.

• Command: [Huawei] isis [ process-id ] [ vpn-instance vpn-instance-name ]


▫ process-id: specifies the ID of an IS-IS process. If no IS-IS process is
specified, IS-IS process 1 is started. The value is an integer ranging from 1
to 65535. The default value is 1.
▫ vpn-instance vpn-instance-name: specifies the name of a VPN instance. If
this parameter is not specified, no VPN instance is associated with the IS-IS
process. The value is a string of 1 to 31 case-sensitive characters. If spaces
are used, the string must start and end with double quotation marks (").

LSP Fragment
⚫ When a PDU to be advertised by IS-IS contains too much information, an IS-IS router generates LSP
fragments to carry the information.
⚫ LSP packet format
Figure: PDU Common Header; PDU Specific Header (PDU Length, Remaining Lifetime, LSP ID, Sequence Number, Checksum, and a flags byte carrying the P, ATT, OL, and IS Type fields); Variable Length Fields (TLV). The LSP ID consists of the System ID (6 bytes), Pseudonode ID (1 byte), and LSP Number (1 byte).

⚫ An IS-IS LSP fragment is identified by the 1-byte LSP Number field in LSP ID. So, an IS-IS process can
generate a maximum of 256 LSP fragments, which means only limited information can be carried.
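The LSP header fields shown on this slide and on the Default Route slide (the LSP ID layout and the flags byte carrying P, ATT, OL, and IS Type), decoded by an added Python example that is not Huawei code; it also computes the fragment capacity for a given number of virtual systems. The byte layout follows ISO 10589 with a 6-byte System ID, the ATT default-metric bit is assumed to be the one Huawei uses, and the sample LSP is constructed.

```python
"""Decoder for the IS-IS LSP header fields described on the slides (added example,
not Huawei code). Layout per ISO 10589 with a 6-byte System ID: an 8-byte PDU
common header, then PDU Length (2), Remaining Lifetime (2), LSP ID (8), Sequence
Number (4), Checksum (2) and one flags byte holding P, ATT (4 bits), OL and IS Type."""
import struct
from dataclasses import dataclass

COMMON_HEADER_LEN = 8
LSP_HEADER_LEN = 19
PDU_TYPE_L1_LSP, PDU_TYPE_L2_LSP = 18, 20
FRAGMENTS_PER_SYSTEM_ID = 256   # the LSP Number field is one byte
MAX_VIRTUAL_SYSTEMS = 50        # limit given on the fragment extension slide
ATT_DEFAULT_METRIC = 0x1        # lowest ATT bit (default metric); assumed to be the one Huawei uses


@dataclass
class LspHeader:
    pdu_type: int
    pdu_length: int
    remaining_lifetime: int
    system_id: str        # normal (originating) or additional (virtual) system ID
    pseudonode_id: int
    lsp_number: int       # fragment number, 0..255
    sequence_number: int
    checksum: int
    partition_repair: bool
    att: int              # the 4-bit ATT field
    overload: bool
    is_type: int          # 1 = Level-1 IS, 3 = Level-2 (Level-1-2) IS

    def lsp_id_str(self) -> str:
        """Display form system.pseudonode-fragment, e.g. 0000.0000.0001.00-03."""
        return f"{self.system_id}.{self.pseudonode_id:02x}-{self.lsp_number:02x}"


def format_system_id(raw: bytes) -> str:
    hex_str = raw.hex()
    return ".".join(hex_str[i:i + 4] for i in range(0, 12, 4))


def parse_lsp_header(pdu: bytes) -> LspHeader:
    """Parse the fixed LSP header; raises ValueError on truncated or non-LSP input."""
    if len(pdu) < COMMON_HEADER_LEN + LSP_HEADER_LEN:
        raise ValueError("truncated LSP PDU")
    pdu_type = pdu[4] & 0x1F
    if pdu_type not in (PDU_TYPE_L1_LSP, PDU_TYPE_L2_LSP):
        raise ValueError(f"PDU type {pdu_type} is not an LSP")
    body = pdu[COMMON_HEADER_LEN:COMMON_HEADER_LEN + LSP_HEADER_LEN]
    pdu_length, lifetime = struct.unpack("!HH", body[0:4])
    lsp_id = body[4:12]
    seq, cksum, flags = struct.unpack("!IHB", body[12:19])
    return LspHeader(
        pdu_type=pdu_type, pdu_length=pdu_length, remaining_lifetime=lifetime,
        system_id=format_system_id(lsp_id[:6]), pseudonode_id=lsp_id[6],
        lsp_number=lsp_id[7], sequence_number=seq, checksum=cksum,
        partition_repair=bool(flags & 0x80), att=(flags >> 3) & 0x0F,
        overload=bool(flags & 0x04), is_type=flags & 0x03,
    )


def build_lsp(system_id: str, lsp_number: int, pdu_type: int, att_default: bool,
              is_type: int = 3, seq: int = 1, lifetime: int = 1200) -> bytes:
    """Build a minimal LSP (no TLVs, checksum left 0) so the parser runs offline; constructed data."""
    if not 0 <= lsp_number <= 255:
        raise ValueError("LSP Number is one byte, so one system ID yields at most 256 fragments")
    flags = ((ATT_DEFAULT_METRIC << 3) if att_default else 0) | (is_type & 0x03)
    # common header: IRPD, length indicator, version/protocol ID ext, ID length, PDU type, version, reserved, max areas
    common = bytes([0x83, COMMON_HEADER_LEN + LSP_HEADER_LEN, 1, 0, pdu_type, 1, 0, 0])
    lsp_id = bytes.fromhex(system_id.replace(".", "")) + bytes([0, lsp_number])
    total = COMMON_HEADER_LEN + LSP_HEADER_LEN
    return common + struct.pack("!HH", total, lifetime) + lsp_id + struct.pack("!IHB", seq, 0, flags)


def level1_generates_default_route(hdr: LspHeader, avoid_learning: bool = False) -> bool:
    """Default rule from the slides: a Level-1 device generates a default route toward the
    originator of a Level-1 LSP with ATT bit 1, unless attached-bit avoid-learning is configured."""
    return hdr.pdu_type == PDU_TYPE_L1_LSP and bool(hdr.att & ATT_DEFAULT_METRIC) and not avoid_learning


def max_lsp_fragments(virtual_systems: int) -> int:
    """Fragment capacity of one IS-IS process: the normal system ID plus each additional system ID."""
    if not 0 <= virtual_systems <= MAX_VIRTUAL_SYSTEMS:
        raise ValueError(f"an IS-IS process supports at most {MAX_VIRTUAL_SYSTEMS} virtual systems")
    return (1 + virtual_systems) * FRAGMENTS_PER_SYSTEM_ID
```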


Basic Concepts of LSP Fragment Extension


⚫ You can configure a virtual system ID for IS-IS to generate virtual IS-IS LSPs to carry routing information.
 Originating system: a router that actually runs IS-IS. A single IS-IS process can advertise LSPs like multiple virtual routers, and the originating system refers to the "actual" (not virtual) IS-IS process.
 Normal system ID: system ID of the originating system.
 Virtual system: system identified by an additional system ID to generate extended LSP fragments. These fragments carry additional system IDs in their LSP IDs.
 Additional system ID: system ID of a virtual system. It is assigned by a network administrator to identify a virtual system. A maximum of 256 extended LSP fragments can be generated for each additional system ID.
 TLV 24 (IS Alias ID TLV): carried in LSP fragments and describes the relationship between the originating and virtual systems.
Figure: TLV 24 format: Type = 24; Length; Value: Normal System-ID.


• After LSP fragment extension is configured, the system prompts you to restart
the IS-IS process if information is lost because LSPs overflow. After the IS-IS
process is restarted, the originating system loads as much routing information as
possible to its LSPs. The information that cannot be loaded is placed in the LSPs
of virtual systems for transmission. The originating system then notifies other
routers of its relationship with the virtual systems through TLV 24.

• Note: the additional and normal system IDs must be unique throughout a routing
domain.

Implementation of LSP Fragment Extension


⚫ In IS-IS, each normal system ID identifies a system, which can generate a maximum of 256 LSP fragments. With
additional system IDs, up to 50 virtual systems can be configured, and an IS-IS process can then generate a
maximum of 13,056 LSP fragments.

⚫ LSP fragment extension can work in two modes.

Mode-1
• Used when some routers on the network do not support LSP fragment extension.
• Figure: R1 (originating system) with virtual systems R1-1 and R1-2; R2 does not support LSP fragment extension and calculates routes separately for the received LSP-1 and LSP-2.
• As shown in the figure, R1 loads some routing information to the LSPs of R1-1 and R1-2 for transmission. When R2 receives the LSPs from R1, R1-1, and R1-2, it considers that there are three independent routers at the peer end and calculates routes as normal. The costs of the routes from R1 to R1-1 and from R1 to R1-2 are both 0, meaning that the routes from R2 to R1 and from R2 to R1-1/R1-2 share the same cost.

Mode-2
• Used when all the routers on the network support LSP fragment extension.
• Figure: R1 (originating system) with virtual systems R1-1 and R1-2; R2 treats the received LSP-1 and LSP-2 as routing information of R1 and calculates routes uniformly.
• As shown in the figure, R1 loads some routing information to the LSPs of R1-1 and R1-2 for transmission. When R2 receives LSPs from R1-1 and R1-2, it knows that their originating system is R1 based on TLV 24. R2 then considers information advertised by R1-1 and R1-2 as information of R1.


• Mode-1 implementation:
▫ Virtual systems participate in SPF calculation. The LSPs advertised by the
originating system contain information about links to each virtual system.
Similarly, the LSPs advertised by each virtual system contain information
about links to the originating system. In this way, virtual systems function
like physical routers that connect to the originating system.
▫ Mode-1 is a transitional mode used to support earlier versions that are
incapable of LSP fragment extension. In these earlier versions, IS-IS cannot
identify TLV 24. As a result, the LSPs sent by a virtual system must look like
LSPs sent by an originating system.
▫ Precautions:
▪ The LSPs sent by a virtual system must contain the same area address
and overload bit as those in LSPs sent by an originating system. Other
TLVs must also be the same.
▪ The neighbor of a virtual system must point to an originating system,
and the metric is the maximum value minus 1. The neighbor of the
originating system must point to the virtual system, and the metric
must be 0. This ensures that the virtual system is the downstream
node of the originating system when other routers calculate routes.
• Mode-2 implementation:
▫ Virtual systems do not participate in SPF calculation. All the routers on the
network know that the LSPs generated by the virtual systems actually
belong to the originating system.
▫ IS-IS working in mode-2 can identify TLV 24, which is used as the basis for
calculating an SPT and routes.
• Note: In both modes, the originating system and virtual systems must include
TLV 24 in their LSPs whose LSP Number is 0 to indicate which is the originating
system.

Basic Configuration Commands of LSP Fragment Extension


1. Enable LSP fragment extension for an IS-IS process.

[Huawei-isis-1] lsp-fragments-extend [ [ level-1 | level-2 | level-1-2 ] | [ mode-1 | mode-2 ] ]


By default, LSP fragment extension is disabled for IS-IS processes.
If no mode or level is specified during the configuration of LSP fragment extension, mode-1 and level-1-2 are
used by default.

2. Configure a virtual system.


[Huawei-isis-1] virtual-system virtual-system-id
By default, no virtual system is configured.
To enable a device to generate extended LSP fragments, you must configure at least one virtual system ID. This
ID must be unique throughout a routing domain.
An IS-IS process can be configured with up to 50 virtual system IDs.

⚫ Note: The preceding two commands must be used together. The configured virtual system ID takes effect only after
LSP fragment extension is enabled and the IS-IS process is restarted using the reset isis all command.


• Command: [Huawei-isis-1] lsp-fragments-extend [ [ level-1 | level-2 | level-1-2 ] | [ mode-1 | mode-2 ] ]
▫ level-1: enables LSP fragment extension in Level-1.
▫ level-2: enables LSP fragment extension in Level-2.
▫ level-1-2: enables LSP fragment extension in Level-1-2.
▫ mode-1: allows routers to be compatible with other routers running earlier versions that are incapable of LSP fragment extension.
▫ mode-2: requires all routers to support LSP fragment extension.

• Command: [Huawei-isis-1] virtual-system virtual-system-id
▫ virtual-system-id: specifies a virtual system ID of an IS-IS process. The length is 6 bytes (48 bits), and the format is XXXX.XXXX.XXXX.

IS-IS GR
⚫ IS-IS GR is a high-reliability technology that supports GR and can ensure non-stop data forwarding.
⚫ To implement GR, IS-IS uses the TLV (Restart TLV) with the Type value 211 and three timers: T1, T2, and T3.

Restart TLV
• The Restart TLV is included in the extension part of an IS-to-IS Hello (IIH) PDU. All IIH packets of a device that supports IS-IS GR contain the Restart TLV. The Restart TLV carries some parameters for the protocol restart.
Figure: Restart TLV format: Type = 211; Length; a flags byte (Reserved, SA, RA, RR); Remaining Time.
• SA: is short for Suppress Adjacency Advertisement.
• RA: is short for Restart Acknowledgment.
• RR: is short for Restart Request.
• Remaining Time: indicates the remaining time before the neighbor resets the adjacency.

Timers
• T1 timer: If the GR Restarter has sent an IIH packet with RR being set but has not received any IIH packet in which the Restart TLV is carried and RA is set from the GR Helper when the T1 timer expires, the GR Restarter resets the T1 timer and continues to send IIH packets with the Restart TLV. If an acknowledgement packet is received or the T1 timer expires three times, the T1 timer is canceled. The default value of the T1 timer is 3s.
• T2 timer: It indicates the period from the time when the GR Restarter restarts to the time when the LSDBs of all devices of the same level are synchronized. T2 is the maximum time that the system waits for synchronization of all LSDBs. T2 is generally 60 seconds.
• T3 timer: It indicates the maximum time allowed for the GR Restarter to complete GR successfully. The initial value of the T3 timer is 65535s. If the T3 timer expires, GR fails.


• Background:
▫ After an active/standby switchover is performed on a device, because the
device has not stored any information about the neighbor relationships
established before the restart, the initial Hello packets sent by the device
carry an empty neighbor list. After receiving the Hello packets, a neighbor
(Helper device) performs the two-way neighbor relationship check. After
the neighbor detects that it is not in the neighbor list in the Hello packets
sent by the Restarter, the neighbor tears down the neighbor relationship.
The neighbor then generates new LSPs and floods the topology changes to
all other devices in the area. The other devices in the area then calculate
routes based on their new LSDBs, leading to routing interruptions or
routing loops.
▫ The IETF defined the GR standard (RFC 3847) for IS-IS. The protocol
restarts in which the FIB is retained and the protocol restarts in which the
FIB is not retained are both processed, preventing route flapping and traffic
interruptions caused by protocol restarts.
• TLV with Type value 211:
▫ Type: indicates the TLV type and is 1 byte long. Type value 211 indicates the
Restart TLV.

▫ Length: indicates the length of the TLV value and is 1 byte long.
▫ SA: is used to suppress adjacency advertisement and is 1 bit long. It is used
by a starting device to request its neighbors to suppress the broadcast of
the neighbor relationships with the starting device to prevent routing black
holes.
▫ RA: is used for restart acknowledgment and is 1 bit long. If a device sends
to a neighbor a Hello packet in which RA is set, the packet is used to notify
the neighbor that the device has received a packet in which RR is set.

▫ RR: indicates the restart request bit and is 1 bit long. If a device sends to a
neighbor a Hello packet in which RR is set, the packet is used to notify the
neighbor that the device is restarting or starting and to request the
neighbor to retain the current IS-IS adjacency and respond with CSNPs.

▫ Remaining Time: indicates the remaining time before the neighbor resets
the adjacency. The value is in seconds. This field is 2 bytes long. When RA is
reset, this field is mandatory.
• Supplementary description of the timers:

▫ T1 timer: Each interface in a process enabled with IS-IS GR maintains a T1 timer. On a Level-1-2 router, broadcast interfaces maintain a T1 timer for each level.
▫ T2 timer: Level-1 and Level-2 LSDBs each have a T2 timer maintained.

▫ T3 timer: The initial value of the T3 timer is 65535s. After the IIH packets in
which RA is set are received from neighbors, the T3 value is changed to the
smallest value of the Remaining Time field in the IIH packets. The entire
system maintains one T3 timer.

IS-IS GR Process (Restarting) (1)


⚫ The GR process triggered by an active/standby switchover or the restart of an IS-IS process is referred to as restarting, in which the FIB remains unchanged.

Figure: GR session between R1 (GR Restarter) and R2 (GR Helper). R1 performs an active/standby switchover, starts the T1, T2, and T3 timers, and sends IIH (Restart TLV: RR=1, RA=0, SA=0). R2 replies with IIH (Restart TLV: RR=0, RA=1, SA=0), then sends CSNP and LSPs. R1 resets the T3 timer, cancels the T1 timer, cancels the T2 timer, cancels the T3 timer, floods LSPs, and updates the FIB; R2 updates the FIB.

1. After performing a protocol restart, the GR Restarter performs the following actions:
 Starts T1, T2, and T3 timers.
 Sends IIH packets that contain the Restart TLV through all interfaces. In the packets, RR is set, and RA and SA are cleared.
2. After receiving an IIH packet, the GR Helper performs the following actions:
 Maintains the neighbor relationship and updates the current Holdtime.
 Replies with an IIH packet containing the Restart TLV. In the packet, RR is cleared, RA is set, and Remaining Time indicates the period from the current moment to the timeout of the Holdtime.
 Sends CSNPs and all LSPs to the GR Restarter.
3. After receiving the IIH packet, in which RR is 0 and RA is 1, from the neighbor, the GR Restarter performs the following actions:
 Compares the current value of the T3 timer with the value of Remaining Time in the packet. The smaller value is used as the value of the T3 timer.
 Cancels the T1 timer maintained by the interface when the interface receives an acknowledgement and CSNPs.
 Resets the T1 timer and resends the IIH packet that contains the Restart TLV when the T1 timer expires but the interface has not received any acknowledgement or CSNPs. The reset may be performed multiple times. If the expiry count of the T1 timer exceeds the threshold value, the GR Restarter forcibly cancels the T1 timer and starts normal IS-IS processing.


• Notes:
▫ In Step 2, if the neighbor does not have the GR Helper capability, it ignores
the Restart TLV and resets the adjacency with the GR Restarter according to
normal IS-IS processing.
▫ In Step 3, the Restarter sets the value of the T3 timer to the Holdtime of
the neighbor, preventing neighbor disconnection during the GR, which
would otherwise cause routes to be recalculated on the whole network.
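The Restart TLV layout from the IS-IS GR slide and the restarting exchange in steps 1 to 3 above, as an added Python simulation that is not Huawei code. The bit positions inside the flags byte (RR = 0x01, RA = 0x02, SA = 0x04) are an assumption taken from RFC 5306, since the slide only names the fields; the Holdtime remainder in the sample exchange is constructed.

```python
"""Restart TLV (Type 211) codec plus a model of the IS-IS GR restarting exchange on
the slide (added example, not Huawei code). Flag bit positions RR=0x01, RA=0x02,
SA=0x04 are an assumption taken from RFC 5306; the slide only names the fields."""
import struct
from dataclasses import dataclass
from typing import Optional

RESTART_TLV_TYPE = 211
FLAG_RR, FLAG_RA, FLAG_SA = 0x01, 0x02, 0x04
T1_DEFAULT, T1_MAX_EXPIRIES = 3, 3      # seconds; T1 is canceled after three expiries
T2_DEFAULT, T3_INITIAL = 60, 65535      # seconds, values given on the slide


@dataclass
class RestartTlv:
    rr: bool = False
    ra: bool = False
    sa: bool = False
    remaining_time: Optional[int] = None   # seconds; mandatory when RA is set

    def encode(self) -> bytes:
        flags = (FLAG_RR if self.rr else 0) | (FLAG_RA if self.ra else 0) | (FLAG_SA if self.sa else 0)
        value = bytes([flags])
        if self.ra:
            if self.remaining_time is None:
                raise ValueError("Remaining Time is mandatory when RA is set")
            value += struct.pack("!H", self.remaining_time)
        return bytes([RESTART_TLV_TYPE, len(value)]) + value


def decode_restart_tlv(data: bytes) -> RestartTlv:
    """Parse one Restart TLV; rejects wrong type, truncation, and RA without Remaining Time."""
    if len(data) < 3 or data[0] != RESTART_TLV_TYPE:
        raise ValueError("not a Restart TLV")
    length = data[1]
    value = data[2:2 + length]
    if len(value) != length:
        raise ValueError("truncated Restart TLV")
    flags = value[0]
    tlv = RestartTlv(rr=bool(flags & FLAG_RR), ra=bool(flags & FLAG_RA), sa=bool(flags & FLAG_SA))
    if tlv.ra:
        if length < 3:
            raise ValueError("RA set but Remaining Time missing")
        tlv.remaining_time = struct.unpack("!H", value[1:3])[0]
    return tlv


def helper_reply(received: RestartTlv, holdtime_remaining: int) -> Optional[RestartTlv]:
    """Step 2: the GR Helper keeps the adjacency and acknowledges RR with RR=0, RA=1 and
    the time left before it would reset the adjacency (CSNPs and LSPs follow)."""
    if not received.rr:
        return None
    return RestartTlv(ra=True, remaining_time=holdtime_remaining)


@dataclass
class GrRestarter:
    """One GR Restarter interface after an active/standby switchover (step 1)."""
    t1_running: bool = True
    t1_expiries: int = 0
    t2: int = T2_DEFAULT
    t3: int = T3_INITIAL
    ack_received: bool = False
    csnp_received: bool = False

    def initial_iih_tlv(self) -> RestartTlv:
        return RestartTlv(rr=True)                 # RR set, RA and SA cleared

    def on_iih(self, tlv: RestartTlv) -> None:
        """Step 3: on RR=0/RA=1, take the smaller of T3 and the Helper's Remaining Time."""
        if tlv.ra and not tlv.rr:
            self.t3 = min(self.t3, tlv.remaining_time)
            self.ack_received = True
            self._maybe_cancel_t1()

    def on_csnp(self) -> None:
        self.csnp_received = True
        self._maybe_cancel_t1()

    def _maybe_cancel_t1(self) -> None:
        if self.ack_received and self.csnp_received:   # needs both the ack and CSNPs
            self.t1_running = False

    def on_t1_expiry(self) -> Optional[RestartTlv]:
        """Resend the RR IIH on expiry; after the third expiry give up and cancel T1."""
        if not self.t1_running:
            return None
        self.t1_expiries += 1
        if self.t1_expiries >= T1_MAX_EXPIRIES:
            self.t1_running = False                # fall back to normal IS-IS processing
            return None
        return RestartTlv(rr=True)


def run_restarting_exchange(holdtime_remaining: int) -> GrRestarter:
    """Steps 1-3 on the wire: Restarter IIH -> Helper ack IIH + CSNP -> Restarter state."""
    restarter = GrRestarter()
    on_wire = restarter.initial_iih_tlv().encode()            # IIH (RR=1, RA=0, SA=0)
    reply = helper_reply(decode_restart_tlv(on_wire), holdtime_remaining)
    restarter.on_iih(decode_restart_tlv(reply.encode()))      # IIH (RR=0, RA=1, SA=0)
    restarter.on_csnp()
    return restarter
```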

IS-IS GR Process (Restarting) (2)


⚫ The GR process triggered by an active/standby switchover or the restart of an IS-IS process is referred to as restarting, in which the FIB remains unchanged.

Figure: GR session between R1 (GR Restarter) and R2 (GR Helper). R1 performs an active/standby switchover, starts the T1, T2, and T3 timers, and sends IIH (Restart TLV: RR=1, RA=0, SA=0). R2 replies with IIH (Restart TLV: RR=0, RA=1, SA=0), then sends CSNP and LSPs. R1 resets the T3 timer, cancels the T1 timer, cancels the T2 timer, cancels the T3 timer, floods LSPs, and updates the FIB; R2 updates the FIB.

4. After the GR Restarter cancels the T1 timers on all interfaces, clears the CSNP list, and collects all LSPs, it considers the synchronization with all neighbors complete and cancels the T2 timer.
5. The cancellation of the T2 timer indicates that LSDBs of the corresponding level are synchronous.
 In the case of a single-level device, the SPF calculation is triggered directly.
 In the case of a Level-1-2 device, the device checks whether the T2 timer of the other level is also canceled. If the T2 timers of both levels are canceled, SPF calculation is triggered. Otherwise, the device waits for the T2 timer of the other level to expire.
6. After the T2 timers of both levels are canceled, the GR Restarter cancels the T3 timer and updates its FIB. The GR Restarter re-generates the LSPs of each level and floods them. During synchronization, if the GR Restarter receives the LSPs that were generated by itself before the restarting, it deletes them.
7. At this point, the IS-IS restarting of the GR Restarter is complete.


• During the restarting, the Restarter starts the T1, T2, and T3 timers at the same
time after the protocol restart. The value of the T1 timer indicates the longest
time during which the GR Restarter waits for the Hello packet used for GR
acknowledgement from the GR Helper. The value of the T2 timer indicates the
longest time during which the system waits for the LSDB synchronization. The
value of the T3 timer indicates the longest time allowed for a GR. The device
cancels the T3 timer after synchronization of Level-1 and Level-2 LSDBs
completes during the GR. If LSDB synchronization has not completed when the
T3 timer expires, the GR fails.

IS-IS GR Process (Starting) (1)


⚫ The GR process triggered by a device restart is referred to as starting, in which the FIB is updated.

Figure: GR session between R1 (GR Restarter, starting) and R2 (GR Helper). R1 starts the T2 timer and sends IIH (Restart TLV: RR=0, RA=0, SA=1); the adjacency is re-established; R1 starts the T1 timer and sends IIH (Restart TLV: RR=1, RA=0, SA=1). R2 replies with IIH (Restart TLV: RR=0, RA=1, SA=0), then sends CSNP and LSPs. R1 cancels the T1 timer, starts to synchronize LSDBs, cancels the T2 timer, floods LSPs, and updates the FIB; R2 updates the FIB.

As a starting device does not retain its FIB, it wants the neighbors with which the adjacencies are up before the device starts, to reset the adjacencies and suppress advertisement of the adjacencies in a period.
1. After the GR Restarter starts, it performs the following actions:
 Starts one T2 timer for synchronization of LSDBs at each level.
 Sends IIH packets that contain the Restart TLV through all interfaces. In the packets, RR is cleared, and SA is set.
2. After receiving an IIH packet that carries the Restart TLV, a neighbor performs the following actions based on whether GR is supported:
 If GR is supported, the neighbor re-initiates the adjacency.
 If GR is not supported, the neighbor ignores the Restart TLV and resets the adjacency with the GR Restarter.
3. After adjacencies are re-initiated, the GR Restarter re-establishes them with neighbors on each interface. When an adjacency goes up, the GR Restarter starts the T1 timer for the interface.


• Additional remarks for Step 1:
▫ If RR is cleared, starting has completed.
▫ The IIH packet in which SA is set indicates that the Restarter requests its neighbor to suppress the advertisement of their adjacency until the neighbor receives an IIH packet in which SA is cleared from the Restarter.

• Additional remarks for Step 2:


▫ If GR is supported, the neighbor re-initiates the adjacency with the GR
Restarter and deletes the description of the adjacency from the LSPs to be
sent. In addition, the neighbor ignores the link connected to the GR
Restarter when performing SPF calculation until it receives an IIH packet in
which SA is cleared from the GR Restarter.

▫ If GR is not supported, the neighbor ignores the Restart TLV, resets the
adjacency with the GR Restarter, replies with an IIH packet that does not
contain the Restart TLV, and returns to normal IS-IS processing. In this case,
the neighbor does not suppress the advertisement of the adjacency with the
GR Restarter. In the case of a P2P link, the neighbor also sends a CSNP.

IS-IS GR Process (Starting) (2)

⚫ The GR process triggered by a device restart is referred to as starting, in which the FIB is updated.

[Figure: GR session between R1 (GR Restarter, starting) and R2 (GR Helper). R1 starts the T2 timer and sends IIH (Restart TLV: RR=0, RA=0, SA=1). Adjacency re-establishment: R1 starts the T1 timer and sends IIH (Restart TLV: RR=1, RA=0, SA=1); R2 replies with IIH (Restart TLV: RR=0, RA=1, SA=0) and a CSNP; R1 cancels the T1 timer and starts to synchronize LSDBs; LSPs are exchanged and R1 cancels the T2 timer; after LSP flooding, both R1 and R2 update their FIBs.]

4. When the T1 timer expires, the GR Restarter sends an IIH packet in which both RR and SA are set.
5. After the neighbor receives the IIH packet in which both RR and SA are set, it replies with an IIH packet, in which RR is cleared and RA is set, and sends a CSNP.
6. After receiving the IIH packet used for acknowledgement and the CSNP from the neighbor, the GR Restarter cancels the T1 timer.
7. If the GR Restarter does not receive an IIH packet or CSNP, it constantly resets the T1 timer and resends the IIH packet in which RR and SA are set. If the expiry count of the T1 timer exceeds the threshold value, the GR Restarter forcibly cancels the T1 timer and starts normal IS-IS processing to perform LSDB synchronization.
8. After receiving the CSNP from the Helper, the GR Restarter starts LSDB synchronization.
9. After LSDBs of a level are synchronized, the GR Restarter cancels the corresponding T2 timer.
10. After all T2 timers are canceled, SPF calculation is started and LSPs are regenerated and flooded.
11. At this point, the IS-IS starting of the GR Restarter is complete.
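The exchange in steps 1 to 7 modelled in Python, as an added example that is not Huawei code. The Restart TLV layout follows RFC 5306 (type 211; RR, RA and SA flag bits; Remaining Time and Restarting Neighbor System ID carried only with RA); the Neighbor class, its holdtime default and the restarter_t1_action helper are this example's own names.

```python
"""IS-IS GR starting exchange (steps 1-7 above), modelled in Python.
Added example, not Huawei code.  Restart TLV layout per RFC 5306:
type 211, flags octet (RR bit 0, RA bit 1, SA bit 2), then Remaining Time
(2 octets) and optionally the Restarting Neighbor System ID (6 octets),
both present only when RA is set."""
import struct

RESTART_TLV_TYPE = 211
RR, RA, SA = 0x01, 0x02, 0x04   # Restart Request / Restart Ack / Suppress Adjacency


def encode_restart_tlv(rr=False, ra=False, sa=False, remaining_time=None,
                       restarting_sysid=None):
    """Build a Restart TLV as the bytes carried in an IIH packet."""
    flags = (RR if rr else 0) | (RA if ra else 0) | (SA if sa else 0)
    body = bytes([flags])
    if ra:
        if remaining_time is None:
            raise ValueError("RA requires a Remaining Time")
        body += struct.pack("!H", remaining_time)
        if restarting_sysid is not None:
            if len(restarting_sysid) != 6:
                raise ValueError("System ID must be 6 octets")
            body += restarting_sysid
    return bytes([RESTART_TLV_TYPE, len(body)]) + body


def decode_restart_tlv(data):
    """Parse a Restart TLV into a dict; malformed lengths are rejected."""
    if len(data) < 3 or data[0] != RESTART_TLV_TYPE:
        raise ValueError("not a Restart TLV")
    length = data[1]
    body = data[2:2 + length]
    if len(body) != length or length not in (1, 3, 9):
        raise ValueError("bad Restart TLV length %d" % length)
    tlv = {"RR": bool(body[0] & RR), "RA": bool(body[0] & RA),
           "SA": bool(body[0] & SA)}
    if length >= 3:
        tlv["remaining_time"] = struct.unpack("!H", body[1:3])[0]
    if length == 9:
        tlv["restarting_sysid"] = body[3:9]
    return tlv


class Neighbor:
    """Neighbor of the GR Restarter; it acts as GR Helper when gr_supported."""

    def __init__(self, gr_supported, holdtime=60):
        self.gr_supported = gr_supported
        self.holdtime = holdtime            # Remaining Time reported with RA
        self.adjacency_up = True
        self.suppress_adjacency = False     # SA: drop adjacency from LSPs/SPF
        self.log = []

    def receive_iih(self, restart_tlv, p2p=True):
        """Handle an IIH that carries a Restart TLV.  Returns the Restart
        TLV to reply with (None = plain IIH) and whether a CSNP follows."""
        tlv = decode_restart_tlv(restart_tlv)
        if not self.gr_supported:
            # Step 2, GR unsupported: TLV ignored, adjacency reset, plain IIH
            # reply; on a P2P link a CSNP is sent as well.
            self.adjacency_up = False
            self.log.append("reset adjacency")
            return None, p2p
        if tlv["RR"]:
            # Step 5: acknowledge with RR and SA cleared, RA set, then a CSNP.
            self.log.append("ack restart request")
            return encode_restart_tlv(ra=True, remaining_time=self.holdtime), True
        # Step 2, GR supported: RR clear + SA set announces a starting router;
        # re-initiate the adjacency and withhold it from LSPs until SA clears.
        self.suppress_adjacency = tlv["SA"]
        self.adjacency_up = False
        self.log.append("re-initiate adjacency")
        return None, False


def restarter_t1_action(reply_tlv, csnp_received):
    """Steps 6-7: T1 is cancelled only once both the RA-set IIH and the CSNP
    have arrived; otherwise T1 is reset and the RR+SA IIH is resent."""
    if reply_tlv is not None and csnp_received:
        if decode_restart_tlv(reply_tlv)["RA"]:
            return "cancel T1"
    return "reset T1, resend RR+SA"


if __name__ == "__main__":
    helper = Neighbor(gr_supported=True)
    helper.receive_iih(encode_restart_tlv(sa=True))                         # step 1
    reply, csnp = helper.receive_iih(encode_restart_tlv(rr=True, sa=True))  # step 4
    print(decode_restart_tlv(reply), restarter_t1_action(reply, csnp))
```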


Configuring IS-IS GR (1)


1. Enable IS-IS GR.
[Huawei-isis-1] graceful-restart

2. Configure the device to keep the IS-IS neighbor Holdtime unchanged in GR scenarios.
[Huawei-isis-1] graceful-restart no-impact-holdtime

By default, after IS-IS GR is enabled, the IS-IS neighbor Holdtime is automatically changed to 60s if it is less
than 60s, and the Holdtime remains unchanged if it is greater than or equal to 60s.

3. (Optional) Configure a value for the T3 timer used in an IS-IS GR.
[Huawei-isis-1] graceful-restart interval interval-value

By default, the GR T3 timer is 300s.

4. (Optional) Configure a value for the T2 timer used in an IS-IS GR.
[Huawei-isis-1] graceful-restart t2-interval interval-value

By default, the GR T2 timer is 60s.


• Usage scenario of the graceful-restart no-impact-holdtime command:


▫ On an IS-IS network, if GR is configured on a device, its IS-IS neighbors may
automatically update corresponding neighbor Holdtimes. Specifically, the
Holdtimes are changed to 60s if they are less than 60s, and remain
unchanged if they are greater than or equal to 60s. Consequently, the
minimum Holdtime value is 60s after the update. If one of the neighbors
fails in non-GR scenarios, it takes at least 60s for the other end to detect
the failure. As a result, a large number of packets may be discarded within
this period, reducing network security and reliability.
▫ To resolve this problem, you can run the graceful-restart no-impact-
holdtime command so that the Holdtimes of neighbors remain unchanged
in an IS-IS GR scenario. In this way, neighbor status can be fast detected,
implementing rapid network convergence.

• graceful-restart interval interval-value and graceful-restart t2-interval interval-value commands:
▫ interval-value: specifies a value of the GR T3 or T2 timer. The value is an integer that ranges from 30 to 1800, in seconds.
▫ It is recommended that the value of the T3 timer be greater than that of the T2 timer. Otherwise, the GR may fail.

Configuring IS-IS GR (2)


5. (Optional) Configure the GR Restarter to suppress the SA bit in the Restart TLV.
[Huawei-isis-1] graceful-restart suppress-sa

6. Display the IS-IS GR status.
[Huawei] display isis process-id graceful-restart status [ level-1 | level-2 ]
[Huawei] display isis graceful-restart status [ level-1 | level-2 ] [ process-id | vpn-instance vpn-instance-name ]

level-1: displays the Level-1 IS-IS GR status.
level-2: displays the Level-2 IS-IS GR status.
process-id: displays the IS-IS GR status of a specified IS-IS process. The value is an integer ranging from 1 to 65535.
vpn-instance vpn-instance-name: displays the IS-IS GR status of a specified VPN instance in an IS-IS multi-instance process. The value is a string of 1 to 31 case-sensitive characters. It cannot contain spaces unless it is enclosed with double quotation marks (").


• Usage scenario of the graceful-restart suppress-sa command:


▫ A router does not maintain the forwarding status when it starts for the first
time (excluding the post-GR cases). If it is not the first time that a router
has started, the LSPs generated when the router ran last time may still exist
in the LSP database of other routers on the network.

▫ Because the sequence numbers of LSP fragments are also reinitialized when
the router starts, the LSP copies stored on other routers seem to be newer
than the LSPs generated after the local router starts. This leads to a
temporary "blackhole" on the network, and the blackhole persists until the
router regenerates its own LSPs and advertises them with the largest
sequence number.

▫ If the neighbors of the router are suppressed from advertising adjacencies to the router during the startup of the router until the router advertises updated LSPs, the preceding problem can be prevented. Therefore, you can run the graceful-restart suppress-sa command to suppress the SA bit in the Restart TLV.

Example for Configuring IS-IS GR (1)

[Figure: R1 (GE0/0/0, .1) and R2 (.2) connected over 10.1.12.0/30 in IS-IS area 10.]

Routers R1 and R2 each are equipped with two main control boards, which back up each other. The routers interwork through IS-IS and support GR.

It is required that traffic forwarding not be interrupted when R1 restarts an IS-IS process or performs an active/standby switchover in GR mode.

1. Assign an IP address to each involved interface and configure IS-IS on each device. The configuration details are omitted.

2. Enable IS-IS GR on R1 and R2.
[R1] isis 1
[R1-isis-1] graceful-restart
[R1-isis-1] graceful-restart no-impact-holdtime

[R2] isis 1
[R2-isis-1] graceful-restart
[R2-isis-1] graceful-restart no-impact-holdtime


Example for Configuring IS-IS GR (2)

[Figure: R1 (GE0/0/0, .1) and R2 (.2) connected over 10.1.12.0/30 in IS-IS area 10; requirements as on the previous slide.]

3. Check the IS-IS GR status on R2.
<R2> display isis 1 graceful-restart status
                      Restart information for ISIS(1)
                      -------------------------------
IS-IS(1) Level-1 Restart Status
Restart Interval: 300
SA Bit Supported
Total Number of Interfaces = 1
Restart Status: RESTART COMPLETE

IS-IS(1) Level-2 Restart Status
Restart Interval: 300
SA Bit Supported
Total Number of Interfaces = 1
Restart Status: RESTART COMPLETE


Example for Configuring IS-IS GR (3)

[Figure: R1 (GE0/0/0, .1) and R2 (.2) connected over 10.1.12.0/30 in IS-IS area 10; requirements as on the previous slides.]

4. Run the reset isis all graceful-restart command in the user view of R1 to restart IS-IS process 1, and run the display isis peer command on R2 to check the IS-IS adjacency with R1.
<R1> reset isis 1 all graceful-restart

<R2> display fib
Route Flags: G - Gateway Route, H - Host Route, U - Up Route
             S - Static Route, D - Dynamic Route, B - Black Hole Route
             L - Vlink Route
--------------------------------------------------------------------------------
FIB Table:
Total number of Routes : 7

Destination/Mask     Nexthop      Flag  TimeStamp  Interface  TunnelID
10.1.12.3/32         127.0.0.1    HU    t[15]      InLoop0    0x0
10.1.12.2/32         127.0.0.1    HU    t[15]      InLoop0    0x0
255.255.255.255/32   127.0.0.1    HU    t[3]       InLoop0    0x0
127.255.255.255/32   127.0.0.1    HU    t[3]       InLoop0    0x0
127.0.0.1/32         127.0.0.1    HU    t[3]       InLoop0    0x0
127.0.0.0/8          127.0.0.1    U     t[3]       InLoop0    0x0
10.1.12.0/30         10.1.12.2    U     t[15]      GE0/0/0    0x0

When R1 restarts the IS-IS process in GR mode, the FIB remains unchanged, ensuring uninterrupted data forwarding.

Quiz

1. (Multiple-answer question) Which of the following fast convergence mechanisms are supported by OSPF? ( )
A. PRC

B. LSP fast flooding

C. Intelligent timer

D. OSPF IP FRR

2. (True or false) The FA field in Type 5 LSAs of OSPF must be 0.0.0.0. ( )


A. True

B. False


1. ACD
2. B
Quiz

3. (True or false) On an IS-IS network, if a device runs mode-2 LSP fragment extension, virtual systems do not participate in SPF calculation. All routers on the network know that the LSPs generated by the virtual systems actually belong to the originating system. ( )
A. True

B. False


3. A
Summary

To better adapt to network topology changes, OSPF and IS-IS support multiple fast convergence modes. I-SPF and PRC
algorithms speed up route calculation; FRR enables fast traffic switching to the backup link; and intelligent timers
allow you to control the speeds at which link state information is generated and routes are calculated.

To control the size of routing tables and improve network performance, OSPF and IS-IS support route filtering, equal-
cost routes, and delivery of default routes. To isolate protocol routing tables, OSPF and IS-IS support multi-process
deployment on the same device. Routing tables of different processes are independent of each other.

To prevent a suboptimal route from being selected when external routes are imported, OSPF uses the FA in Type 5 or
Type 7 LSAs to guide data packet forwarding. To carry more routing information, IS-IS supports LSP fragment
extension.

To ensure that key services are not interrupted during a device restart, OSPF and IS-IS also support GR and NSR.

⚫ Thanks to the preceding features, OSPF and IS-IS are widely and flexibly used on live networks.

Thank you.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
• As shown in the figure:

▫ R1 and R2 reside in AS 101, and establish an IBGP peer relationship with each other. R3 and R4 reside in AS 102, and each establishes an EBGP peer relationship with R2.

▫ R1 is directly connected to three subnets: Net1, Net2, and Net3. R1 advertises routes to the three subnets to its BGP routing table.

▫ R2 can filter out the Net2 route through BGP route control so that R2's BGP routing table does not contain the Net2 route.

▫ R3 and R4 can implement BGP route control by modifying the attributes of the Net1 and Net3 routes, respectively. In this way, when a device in AS 102 accesses Net1, R3 is preferentially selected as the egress device; when the device accesses Net3, R4 is preferentially selected as the egress device.

• Note: For details about the ACL, IP prefix list, filter-policy, route-policy, and BGP path attributes, see the "HCIP-Datacom-Core Technology" course.
• A regex has the following functions:

▫ Checks and obtains the sub-character string that matches a specific rule in
the character string.

▫ Replaces the character string based on matching rules.


• Note: The parentheses () can be used to define the scope and priority of an
operator. For example, gr(a|e)y is equivalent to gray|grey.
• Type 1:

▫ ^a.$: matches a character string that starts with the character a and ends
with any single character, for example, a0, a!, ax, and so on.

▫ ^100_: matches a character string starting with 100, for example, 100, 100
200, 100 300 400, and so on.

▫ ^100$: matches only 100.

▫ 100$|400$: matches a character string ending with 100 or 400, for example,
100, 1400, 300 400, and so on.

▫ ^\(65000\)$: matches (65000) only.

• Type 2:

▫ abc*d: matches the character c zero or multiple times, for example, abd,
abcd, abccd, abcccd, abccccdef, and so on.

▫ abc+d: matches the character c once or multiple times, for example, abcd,
abccd, abcccd, abccccdef, and so on.

▫ abc?d: matches the character c zero times or once, for example, abd, abcd,
abcdef, and so on.

▫ a(bc)?d: matches the character string bc zero times or once, for example,
ad, abcd, aaabcdef, and so on.
• The AS_Path attribute is a well-known mandatory attribute of BGP. All BGP
routes must carry this attribute. This attribute records the numbers of all the ASs
that a BGP route traversed during transmission.

• The value of the AS_Path attribute can be 0, 1, or a set of multiple AS numbers.


• Multiple matching rules (each in permit or deny mode) can be specified in an
AS_Path filter. These rules are in the OR relationship, which means that if a route
matches one of the matching rules, the route is considered to match the AS_Path
filter.

• Command: [Huawei] ip as-path-filter { as-path-filter-number | as-path-filter-name } { deny | permit } regular-expression

▫ as-path-filter-number: specifies the number of an AS_Path filter. The value is an integer ranging from 1 to 256.

▫ as-path-filter-name: specifies the name of an AS_Path filter. The value is a string of 1 to 51 case-sensitive characters. It cannot consist of only digits. If spaces are used, the string must start and end with double quotation marks (").

▫ deny: sets the matching mode of the AS_Path filter to deny.

▫ permit: sets the matching mode of the AS_Path filter to permit.

▫ regular-expression: specifies a regex for the AS_Path filter. The value is a string of 1 to 255 characters and can contain spaces.

• The default behavior of an AS_Path filter is deny. That is, if a route is not permitted by any matching rule, the route fails to match the AS_Path filter. If all matching rules in an AS_Path filter work in deny mode, all BGP routes are denied by the filter. To prevent this problem, configure a matching rule in permit mode after one or more matching rules in deny mode so that the routes except for those denied by the preceding matching rules can be permitted by the filter.
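The regex rules listed under Type 1 and Type 2 above, together with the AS_Path filter semantics just described (permit/deny rules, default deny), as an added Python example that is not Huawei code. Python's re module has no BGP "_" metacharacter, so bgp_regex_to_python rewrites it as a class matching a space, comma, brace, parenthesis, or the start or end of the string; that rewrite, the first-matching-rule evaluation order and the constructed ROUTES and FILTER_RULES are this example's assumptions.

```python
"""BGP AS_Path regex and AS_Path filter evaluation, modelled with Python's re
module.  Added example, not Huawei code: the "_" rewrite and the ordered
first-match evaluation are this example's own assumptions."""
import re

# A BGP "_" matches a space, comma, brace or parenthesis, or the start or end
# of the AS_Path string; Python's re has no such metacharacter.
_UNDERSCORE = r"(?:[ ,{}()]|^|$)"


def bgp_regex_to_python(pattern):
    """Translate a BGP AS_Path regex into an equivalent Python regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):     # keep escapes such as \( \)
            out.append(pattern[i:i + 2])
            i += 2
            continue
        out.append(_UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)


def as_path_matches(pattern, as_path_text):
    """True if the BGP regex matches anywhere in the AS_Path text; only ^ and $
    anchor it, which is why ^100$ matches 100 alone but 100$ also matches 1400."""
    return re.search(bgp_regex_to_python(pattern), as_path_text) is not None


def as_path_to_text(as_path):
    """[65002, 65003] -> "65002 65003"; an empty AS_Path (a route originated
    in the peer's own AS) becomes the empty string."""
    return " ".join(str(asn) for asn in as_path)


def as_path_filter(rules, as_path):
    """Evaluate an AS_Path filter.  rules are (mode, regex) pairs checked in
    order; the first matching rule decides.  No match at all means deny, so a
    filter made of deny rules only needs a trailing ("permit", ".*")."""
    text = as_path_to_text(as_path)
    for mode, pattern in rules:
        if mode not in ("permit", "deny"):
            raise ValueError("mode must be permit or deny")
        if as_path_matches(pattern, text):
            return mode
    return "deny"


# Constructed sample: AS_Path attributes of routes received from an EBGP peer.
ROUTES = {
    "10.1.0.0/16": [65002, 65003, 65001],
    "10.2.0.0/16": [65002, 65004],
    "10.3.0.0/16": [],
}
# Deny anything that transited AS 65003; the trailing permit rule keeps the
# default-deny behaviour from dropping every other route.
FILTER_RULES = [("deny", "_65003_"), ("permit", ".*")]


def apply_filter(rules=FILTER_RULES, routes=ROUTES):
    """Return {prefix: "permit" | "deny"} for each route."""
    return {prefix: as_path_filter(rules, path) for prefix, path in routes.items()}


if __name__ == "__main__":
    for prefix, verdict in apply_filter().items():
        print(prefix, verdict)
```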
• The community attribute is an optional transitive attribute. It can identify the
routes with the same characteristics, regardless of the scattered route prefixes
and various AS numbers. That is, a specific community value can be assigned to
some routes so that these routes can be matched against the community value
instead of the network number or mask. Then, a corresponding routing policy
can be applied to the matched routes.
• Command: [Huawei-route-policy] apply community { community-number | aa:nn | internet | no-advertise | no-export | no-export-subconfed } [ additive ]

▫ community-number | aa:nn: specifies a community number for a community attribute. A maximum of 32 community numbers can be specified at a time using this command. The value of community-number is an integer ranging from 0 to 4294967295. The values of aa and nn are also integers ranging from 0 to 65535.

▫ internet: allows the matched routes to be advertised to any peers. By default, all routes belong to the Internet community.

▫ no-advertise: prevents the matched routes from being advertised to any peer. After a device receives a route with this attribute, it cannot advertise this route to any other BGP peers.

▫ no-export: prevents the matched routes from being advertised outside the local AS but allows them to be advertised to other sub-ASs in the local AS. After a device receives a route with this attribute, it cannot advertise this route outside the local AS.

▫ no-export-subconfed: prevents the matched routes from being advertised outside the local AS or to other sub-ASs in the local AS. After a device receives a route with this attribute, it cannot advertise this route to any other sub-ASs.

▫ additive: adds community attributes to the routes that match the filtering conditions.
• Command: [Huawei] ip community-filter { basic comm-filter-name | basic-
comm-filter-num } { permit | deny } [ community-number | aa:nn | internet |
no-export-subconfed | no-advertise | no-export ]
▫ basic comm-filter-name: specifies the name of a basic community filter.
The value is a string of 1 to 51 case-sensitive characters. It cannot be
comprised of only digits.
▫ basic-comm-filter-num: specifies the number of a basic community filter.
The value is an integer ranging from 1 to 99.
▫ deny: sets the matching mode of the community filter to deny.
▫ permit: sets the matching mode of the community filter to permit.
▫ community-number: specifies a community number. The value is an integer
ranging from 0 to 4294967295.
▫ aa:nn: specifies a community number. A maximum of 20 community
numbers can be specified at a time using this command. The values of aa
and nn are integers ranging from 0 to 65535.
▫ internet: allows the matched routes to be advertised to any peers.
▫ no-export-subconfed: prevents the matched routes from being advertised
outside the local AS. If a confederation is used, the matched routes will not
be advertised to the other sub-ASs in the confederation.
▫ no-advertise: prevents the matched routes from being advertised to any
other peers.
▫ no-export: prevents the matched routes from being advertised outside the
local AS. If a confederation is used, the matched routes will not be
advertised outside the confederation but will be advertised to the other
sub-ASs in the confederation.
• Command: [Huawei-route-policy] if-match community-filter { basic-comm-filter-num [ whole-match ] | adv-comm-filter-num }
• Command: [Huawei-route-policy] if-match community-filter comm-filter-name [ whole-match ]

▫ basic-comm-filter-num: specifies the number of a basic community filter. The value is an integer ranging from 1 to 99.

▫ adv-comm-filter-num: specifies the number of an advanced community filter. The value is an integer ranging from 100 to 199.

▫ comm-filter-name: specifies the name of a community filter. The value is a string of 1 to 51 case-sensitive characters. It cannot consist of only digits. If spaces are used, the string must start and end with double quotation marks (").

▫ whole-match: indicates complete matching. That is, all the community attributes in the specified community filter must be matched. This parameter applies only to basic community filters.
• Command: [R1] route-policy Community permit node 20

• Run this command to allow the route 10.1.2.2/32 to be advertised properly.


• Command: [Huawei-bgp-af-ipv4] peer { group-name | ipv4-address } ip-prefix
ip-prefix-name { import | export }

▫ import: applies the routing policy to the routes received from the peer or
peer group.

▫ export: applies the routing policy to the routes to be advertised to the peer
or peer group.
• Command: [Huawei-bgp] peer { group-name | ipv4-address } capability-advertise orf [ non-standard-compatible ] ip-prefix { both | receive | send } [ standard-match ]

▫ non-standard-compatible: indicates that the ORF capability supported by the Huawei device is compatible with that supported by a non-Huawei device.

▫ both: enables the local device to both send and accept ORF packets.

▫ receive: enables the local device to only accept ORF packets.

▫ send: enables the local device to only advertise ORF packets.

▫ standard-match: matches routes according to the prefix matching rules defined in an RFC standard.
• Each peer in a peer group can be configured with its own policies for route advertisement and acceptance.
• Command: [Huawei-bgp] group group-name [ external | internal ]

▫ group-name: specifies the name of a peer group. The value is a string of 1 to 47 case-sensitive characters. If spaces are used, the string must start and end with double quotation marks (").

▫ external: creates an EBGP peer group.

▫ internal: creates an IBGP peer group.


• As shown in the figure, assume that static routes are used or OSPF is used to
ensure internal network reachability in AS 102. The configuration details are not
provided here.
• BGP uses TCP as its transport layer protocol and considers a TCP packet valid
only if the source IP address, destination IP address, source port number,
destination port number, and TCP sequence number in the packet are correct.
Most of the preceding parameters in a TCP packet can be obtained by attackers
without much difficulty. To protect BGP from attacks, use MD5 authentication or
keychain authentication between BGP peers to reduce the possibility of attacks.

▫ The MD5 algorithm is easy to configure and generates a single password, which can only be manually changed.

▫ The keychain algorithm is complex to configure and generates a set of passwords. Keychain authentication allows passwords to be changed automatically based on configurations. Therefore, keychain authentication is applicable to networks requiring high security.

• Note: BGP MD5 authentication and BGP keychain authentication are mutually
exclusive.
• As shown in the figure, if BGP GTSM is not enabled, the device finds that the
received numerous bogus BGP messages are destined for itself, and directly sends
them to the control plane for processing. As a result, the control plane has to
process a large number of bogus messages, causing the CPU usage to go
excessively high and the system to be unexpectedly busy.
• Command: [Huawei-bgp] peer { group-name | ipv4-address | ipv6-address } keychain keychain-name

▫ keychain-name: specifies the name of a keychain. The value is a string of 1 to 47 case-insensitive characters. It cannot contain question marks (?). If spaces are used, the string must start and end with double quotation marks (").
• Command: [Huawei-bgp] peer { group-name | ipv4-address | ipv6-address } valid-ttl-hops [ hops ]

▫ hops: specifies the number of TTL hops to be checked. The value is an integer ranging from 1 to 255. The default value is 255. If you specify hops, the valid range of TTL values in the messages to be checked is [255 – hops + 1, 255].

• Command: [Huawei] gtsm default-action { drop | pass }

▫ drop: indicates that the messages that do not match the GTSM policy
cannot pass filtering and are dropped.

▫ pass: indicates that the messages that do not match the GTSM policy can
pass filtering.

• Command: [Huawei] gtsm log drop-packet all

▫ all: indicates all boards.


• As shown in the figure:

▫ Assume that static routes are used or OSPF is used to ensure internal network reachability in AS 101. The configuration details are not provided here.

▫ R1 advertises the route destined for the IP address of its loopback0 interface to the BGP routing table.
• 4-byte AS numbers are extended from 2-byte AS numbers. BGP peers use a new capability code and new optional transitive attributes to negotiate the 4-byte AS number capability and transmit 4-byte AS numbers. This mechanism enables communication between new speakers as well as between old speakers and new speakers.

▫ To support 4-byte AS numbers, an open capability code 0x41 is defined in a standard protocol for BGP connection capability negotiation. 0x41 indicates that the BGP speaker supports 4-byte AS numbers.

▫ In addition, two new optional transitive attributes AS4_Path and AS4_Aggregator are defined in the standard protocol to transmit 4-byte AS information in old sessions.

▫ To set up a BGP connection between a new speaker with an AS number greater than 65535 and an old speaker, the peer AS number on the old speaker must be set to AS_TRANS, which is a reserved AS number with the value being 23456.

• NetEngine 8000 series routers support configuration of 4-byte AS numbers in either format. The formats of 4-byte AS numbers displayed in the configuration file are the same as those used by users during configuration.
• Note: When transmitting routing information to an old speaker, a new speaker
encapsulates both the AS_Path and AS4_Path attributes to help transmit 4-byte
AS numbers. The AS4_Path attribute is transitive. Therefore, when the old
speaker receives the AS4_Path attribute, it transmits the AS4_Path attribute to
other speakers.
• When a new speaker sends an Update message carrying an AS number greater
than 65535 to an old speaker, the new speaker uses the AS4_Path attribute to
assist the AS_Path attribute in transferring 4-byte AS numbers. The AS4_Path
attribute is transparent to the old speaker.

▫ On the network shown in this figure, before the new speaker in AS 2.2
sends an Update message to the old speaker in AS 65002, the new speaker
replaces each 4-byte AS number (1.1 and 2.2) with 23456 (AS_TRANS) in
AS_Path; therefore, the AS_Path carried in the Update message is (23456,
23456, 65001), and the carried AS4_Path is (2.2, 1.1, 65001). Upon receiving
the Update message, the old speaker in AS 65002 transparently transmits
AS4_Path (2.2, 1.1, 65001) to another AS.

• When a new speaker receives an Update message carrying the AS_Path and AS4_Path attributes from an old speaker, the new speaker obtains the actual AS_Path attribute based on the reconstruction algorithm.

▫ In the figure, after the new speaker in AS 65003 receives an Update message carrying AS_Path (65002, 23456, 23456, 65001) and AS4_Path (2.2, 1.1, 65001) from the old speaker in AS 65002, the new speaker obtains the actual AS_Path (65002, 2.2, 1.1, 65001) through reconstruction.
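The AS_TRANS substitution and the AS_Path reconstruction walked through in the two preceding notes, as an added Python example that is not Huawei code. It assumes the reconstruction rule of RFC 6793 (a new speaker keeps the leading AS_Path entries that AS4_Path does not cover, appends AS4_Path, and ignores an AS4_Path longer than AS_Path), and the function names are this example's own.

```python
"""4-byte AS numbers between a new speaker and an old speaker (added example,
not Huawei code).  Covers asdot/asplain conversion, replacing 4-byte AS
numbers with AS_TRANS in the AS_Path sent to an old speaker, and the
reconstruction of the real AS_Path from AS_Path + AS4_Path (RFC 6793)."""

AS_TRANS = 23456          # reserved 2-byte AS number standing in for 4-byte ASs
MAX_2BYTE_AS = 65535


def asdot_to_asplain(text):
    """'2.2' -> 131074; a plain number such as '65001' is returned as is."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError("each asdot part must be 0..65535")
        return high * 65536 + low
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError("AS number out of range")
    return asn


def asplain_to_asdot(asn):
    """131074 -> '2.2'; 2-byte AS numbers stay plain, e.g. 65001 -> '65001'."""
    return str(asn) if asn <= MAX_2BYTE_AS else "%d.%d" % divmod(asn, 65536)


def parse_as_path(text):
    """'2.2 1.1 65001' -> [131074, 65537, 65001]"""
    return [asdot_to_asplain(tok) for tok in text.split()]


def format_as_path(as_path):
    """[65002, 131074, 65537, 65001] -> '65002 2.2 1.1 65001'"""
    return " ".join(asplain_to_asdot(asn) for asn in as_path)


def update_for_old_speaker(as_path):
    """New speaker sending to an old speaker: each 4-byte AS in AS_Path is
    replaced by AS_TRANS and the real path is carried in AS4_Path.  Returns
    (as_path, as4_path); as4_path is None when no 4-byte AS is present."""
    if not any(asn > MAX_2BYTE_AS for asn in as_path):
        return list(as_path), None
    return ([AS_TRANS if asn > MAX_2BYTE_AS else asn for asn in as_path],
            list(as_path))


def reconstruct_as_path(as_path, as4_path):
    """New speaker receiving from an old speaker: the old speaker prepended
    its own 2-byte AS numbers to AS_Path and relayed AS4_Path untouched, so
    the leading entries AS4_Path does not cover are kept and AS4_Path replaces
    the rest.  An AS4_Path longer than AS_Path is inconsistent and ignored."""
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    return list(as_path[:len(as_path) - len(as4_path)]) + list(as4_path)


def figure_walkthrough():
    """The figure's path: new speaker in AS 2.2 -> old speaker in AS 65002 ->
    new speaker in AS 65003.  Returns the reconstructed AS_Path as text."""
    as_path, as4_path = update_for_old_speaker(parse_as_path("2.2 1.1 65001"))
    assert format_as_path(as_path) == "23456 23456 65001"
    # The old speaker in AS 65002 prepends itself and forwards AS4_Path as is.
    received = [65002] + as_path
    return format_as_path(reconstruct_as_path(received, as4_path))


if __name__ == "__main__":
    print(figure_walkthrough())   # 65002 2.2 1.1 65001
```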
• In the figure:

▫ Assume that static routes are configured or OSPF is used to ensure internal network reachability in AS 1.1. The configuration details are not provided here.

▫ Configure R1 to advertise the route to Loopback0's address to BGP. The configuration details are not provided here.

• Notes:

▫ This slide uses NetEngine 8000 series routers as an example. For the 4-byte
AS number configuration on any other type of product, see the
corresponding product documentation.

▫ If you adjust the display format of 4-byte AS numbers, the matching results
in the case of filtering using AS_Path regular expressions or extended
community filters are affected. Specifically, after the display format of 4-
byte AS numbers is changed when an AS_Path regular expression or
extended community filter has been used in an export or import policy, the
AS_Path regular expression or extended community filter needs to be
reconfigured. If reconfiguration is not performed, routes may fail to match
the export or import policy, leading to a network fault.
• RR-related roles:
▫ RR: BGP device that reflects the routes learned from an IBGP peer to other
IBGP peers. An RR is similar to the designated router (DR) on an OSPF
network.
▫ Client: IBGP peer whose routes are reflected by the RR to other IBGP peers.
In an AS, clients only need to be directly connected to the RR.
▫ Non-client: IBGP device that is neither an RR nor a client. In an AS, full-
mesh connections still must be established between non-clients and RRs,
and between all non-clients.
▫ Originator: device that originates routes in an AS. The Originator_ID
attribute is used to prevent routing loops in a cluster.
▫ Cluster: a set of RRs and their clients. The Cluster_List attribute is used to
prevent routing loops between clusters.
• When configuring a BGP router as an RR, you also need to specify a client of the
RR. A client does not need to be configured because it is not aware that an RR
exists on the network.
• Rules for an RR to advertise routes:
▫ After learning routes from non-clients, the RR selects and advertises the
optimal route to all its clients.
▫ After learning routes from clients, the RR selects and advertises the optimal
route to all its non-clients and clients (except the originating client).
▫ After learning routes learned from EBGP peers, the RR selects and
advertises the optimal route to all its clients and non-clients.
• The route advertisement rules for hierarchical RR networking are the same as
those for single-cluster RR networking.

• The following factors need to be considered for hierarchical RR design:

▫ Size of the top-layer full-mesh topology: If the number of full-mesh IBGP connections has exceeded the management capacity, hierarchical RR networking can be deployed.

▫ Number of alternate paths: This factor affects load balancing and resource consumption. More layers reduce the number of links for load balancing but require fewer router resources.
1. D
2. A

3. A
Network Security Technologies
Foreword

Currently, Ethernet technologies are widely used on networks. Network attacks often occur, for example, attacks based
on the Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP). Such attacks cause
authorized users' failure to access network resources and threaten network information security. In this situation,
Ethernet switching security becomes increasingly important.

On networks of large- and medium-sized enterprises, firewalls are usually deployed in hot standby mode to ensure
that the standby firewall can smoothly take over services of the active firewall when the active firewall fails, ensuring
service continuity. The virtual system feature allows a physical firewall to be logically divided into multiple
independent virtual systems. Each virtual system functions as a real device.

This course describes common Ethernet switching security technologies, including port isolation, port security, MAC
address flapping detection, storm control, interface rate limiting, MAC address table security, DHCP snooping, and IP
source guard; and advanced firewall features, including hot standby and virtual system.

Objectives

⚫ On completion of this course, you will be able to:
 Describe types and configurations of port isolation.
 Illustrate the working mechanism of port security.
 Describe MAC address flapping detection.
 Explain traffic suppression and storm control functions of switches.
 Describe application scenarios of DHCP snooping.
 Illustrate the working mechanism of IP source guard.
 Describe the working scenarios of firewall hot backup.

Contents

1. Ethernet Switching Security
◼ Port Isolation
▫ MAC Address Table Security
▫ Port Security
▫ MAC Address Flapping Prevention and Detection
▫ MACsec
▫ Traffic Control
▫ DHCP Snooping
▫ IP Source Guard

2. Advanced Firewall Features


Background of Port Isolation
⚫ On an Ethernet switching network, to implement Layer 2 isolation between packets, users usually add different interfaces to different VLANs to isolate Layer 2 broadcast domains.

⚫ On a large-scale network, there are various service requirements. Simply using VLANs to implement Layer 2 isolation of packets wastes limited VLAN resources.

⚫ As shown in the following figure, although PC1 and PC2 belong to the same VLAN, they cannot communicate with each other at Layer 2 but can communicate with each other at Layer 3. PC1 and PC3 cannot communicate with each other in any case. How is this problem solved?

[Figure: a Switch with PC1 to PC6 attached; PC1 to PC3 are in VLAN 2 and PC4 to PC6 are in VLAN 3.]

Overview of Port Isolation
⚫ Port isolation isolates interfaces within a VLAN: you only need to add interfaces to a port isolation group to
implement Layer 2 isolation between these interfaces. Port isolation provides secure and flexible networking
schemes for customers.

[Figure: a Router above a Switch; GE0/0/1 connects PC1 (10.1.1.1/24), GE0/0/2 connects PC2 (10.1.1.2/24), GE0/0/3
connects PC3 (10.1.1.3/24); all three PCs are in VLAN 2; GE0/0/1 and GE0/0/2 form a port isolation group]

1. By default, PC1 and PC2 in the same VLAN can communicate with each other at Layer 2.
2. After GE0/0/1 and GE0/0/2 are added to the same port isolation group, PC1 and PC2 cannot communicate at Layer 2.
Working Mechanism of Port Isolation

Isolation type
▫ Bidirectional isolation: Interfaces in a port isolation group are isolated from each other, but interfaces in
different port isolation groups can communicate. Port isolation applies only to interfaces on the same device and
cannot isolate interfaces on different devices.
▫ Unidirectional isolation: To isolate interfaces in different port isolation groups, configure unidirectional
isolation between these interfaces. By default, unidirectional isolation is disabled.

Isolation mode
▫ Isolation at Layer 2 and interworking at Layer 3: Broadcast packets in the same VLAN are isolated, but users
connected to different interfaces can communicate with each other at Layer 3. By default, interfaces are isolated at
Layer 2 but can communicate at Layer 3.
▫ Layer 2 and Layer 3 isolation: Users on different ports in the same VLAN are isolated at Layer 2 and Layer 3 and
cannot communicate with each other.


• When Layer 2 isolation and Layer 3 interworking are used, you can enable intra-
VLAN proxy ARP on the VLANIF interface and configure arp-proxy inner-sub-
vlan-proxy enable to implement communication between hosts in the same
VLAN.
Port Isolation Configuration Commands
1. Enable port isolation.

[Huawei-GigabitEthernet0/0/1] port-isolate enable [ group group-id ]

By default, port isolation is disabled on an interface. If group-id is not specified, an interface is added to port isolation group 1
by default.

2. (Optional) Configure a port isolation mode.

[Huawei] port-isolate mode { l2 | all }

By default, the port isolation mode is Layer 2 isolation and Layer 3 interworking.
l2: Layer 2 isolation and Layer 3 interworking
all: Layer 2 and Layer 3 isolation

3. Configure unidirectional isolation.

[Huawei-GigabitEthernet0/0/1] am isolate {interface-type interface-number }&<1-8>

This command is used to unidirectionally isolate the current interface from a specified interface. If interface A is isolated from
interface B unidirectionally, packets sent from interface A cannot reach interface B, but packets sent from interface B can reach
interface A. By default, unidirectional isolation is disabled.
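The three commands above combine into a single forwarding decision per pair of interfaces. The following Python model is an added example written for this section; it is not Huawei code and does not reproduce the switch implementation. It takes the interface names from the course figure, and two details are assumptions of the model rather than statements from the page: unidirectional isolation (am isolate) is applied at Layer 2 only, and Layer 3 reachability between isolated interfaces means forwarding through the VLANIF (intra-VLAN proxy ARP enabled).

```python
"""Port isolation decision model. Added example for this course section; it is
not Huawei code. The interface names follow the course figure; handling
unidirectional isolation at Layer 2 only and Layer 3 reachability via the
VLANIF are assumptions made for the model."""
from collections import defaultdict


class PortIsolation:
    """One switch: isolation groups, unidirectional isolation and the isolation mode."""

    def __init__(self, mode="l2"):
        if mode not in ("l2", "all"):
            raise ValueError("port-isolate mode must be l2 or all")
        self.mode = mode                    # port-isolate mode { l2 | all }
        self.group_of = {}                  # interface -> port isolation group id
        self.blocked_to = defaultdict(set)  # interface -> interfaces it may not send to

    def port_isolate_enable(self, interface, group=1):
        """port-isolate enable [ group group-id ]; group 1 when no group is given."""
        self.group_of[interface] = group

    def am_isolate(self, interface, *targets):
        """am isolate: one-way isolation from `interface` towards 1 to 8 targets."""
        if not 1 <= len(targets) <= 8:
            raise ValueError("am isolate accepts 1 to 8 target interfaces")
        self.blocked_to[interface].update(targets)

    def same_group(self, a, b):
        return a in self.group_of and self.group_of[a] == self.group_of.get(b)

    def allowed(self, ingress, egress, layer=2):
        """True if traffic entering on `ingress` may leave on `egress` at `layer`."""
        if ingress == egress:
            return False                    # never forwarded back out the ingress port
        if layer == 2:
            if egress in self.blocked_to[ingress]:
                return False                # unidirectional isolation blocks this direction only
            return not self.same_group(ingress, egress)
        if layer == 3:
            # mode l2: isolated at L2, reachable via the VLANIF; mode all: isolated at both layers
            return self.mode == "l2" or not self.same_group(ingress, egress)
        raise ValueError("layer must be 2 or 3")


def demo():
    """Course topology: GE0/0/1 and GE0/0/2 in group 2, GE0/0/3 outside, mode all."""
    sw = PortIsolation(mode="all")
    sw.port_isolate_enable("GE0/0/1", group=2)
    sw.port_isolate_enable("GE0/0/2", group=2)
    sw.am_isolate("GE0/0/3", "GE0/0/1")     # PC3 -> PC1 blocked, PC1 -> PC3 still allowed
    return {
        "pc1_to_pc2_l2": sw.allowed("GE0/0/1", "GE0/0/2"),
        "pc1_to_pc2_l3": sw.allowed("GE0/0/1", "GE0/0/2", layer=3),
        "pc1_to_pc3_l2": sw.allowed("GE0/0/1", "GE0/0/3"),
        "pc3_to_pc1_l2": sw.allowed("GE0/0/3", "GE0/0/1"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "allowed" if ok else "blocked")
```

The point to check on a real deployment is the asymmetry: with `am isolate` only the configured direction is blocked, so a host on the target interface can still reach the isolating interface, and with the default `l2` mode two isolated hosts in the same VLAN still reach each other through the VLANIF once intra-VLAN proxy ARP is enabled.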

Example for Configuring Port Isolation

[Figure: a Router above a Switch; GE0/0/1 connects PC1 (10.1.1.1/24), GE0/0/2 connects PC2 (10.1.1.2/24), GE0/0/3
connects PC3 (10.1.1.3/24); all three PCs are in VLAN 2]

Switch configuration:
[Switch] vlan 2
[Switch] port-isolate mode all
[Switch] interface GigabitEthernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 2
[Switch-GigabitEthernet0/0/1] port-isolate enable group 2
[Switch] interface GigabitEthernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 2
[Switch-GigabitEthernet0/0/2] port-isolate enable group 2
[Switch] interface GigabitEthernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 2

⚫ As shown in the figure, PC1, PC2, and PC3 belong to VLAN 2. After port isolation is configured, PC3 can communicate
with PC1 and PC2, but PC1 and PC2 cannot communicate with each other at Layer 2 or Layer 3, because the isolation
mode is all.

Verifying the Configuration

1. Run the display port-isolate group group-number command to check interfaces in the port isolation group.

[SW]display port-isolate group 2
The ports in isolate group 2:
GigabitEthernet0/0/1 GigabitEthernet0/0/2

2. Verify that hosts in the same port isolation group cannot communicate with each other.

PC1>ping 10.1.1.2
Ping 10.1.1.2: 32 data bytes, Press Ctrl_C to break
From 10.1.1.1: Destination host unreachable
From 10.1.1.1: Destination host unreachable
From 10.1.1.1: Destination host unreachable
From 10.1.1.1: Destination host unreachable
From 10.1.1.1: Destination host unreachable
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

Types of MAC Address Entries
⚫ MAC address entries fall into the following types:

[Figure: a Switch whose GE0/0/1, GE0/0/2, and GE0/0/3 connect PC1 (0021-0000-0001), PC2 (0021-0000-0002), and PC3
(0021-0000-0003)]

MAC Address      VLAN   Interface   Type
0021-0000-0001   10     GE0/0/1     Static
0021-0000-0002   10     GE0/0/2     Blackhole
0021-0000-0003   10     GE0/0/3     Dynamic

 Dynamic MAC address entries are obtained by learning the source MAC addresses of packets received on an interface,
and they age out. After a device resets or an interface board is hot swapped or reset, dynamic MAC address entries
on the device or interface board are lost.
 Static MAC address entries are manually configured by users and delivered to each interface card. They never age
out, and they are not lost after a device resets or an interface board is hot swapped or reset. After an interface
is statically bound to a MAC address, other interfaces discard packets originating from that source MAC address.
 Blackhole MAC address entries are manually configured by users and delivered to each interface card. They never
age out. After blackhole MAC address entries are configured, packets whose source or destination MAC address is a
blackhole MAC address are discarded.

• A MAC address table is used by the switch to record the mappings between
learned MAC addresses of other devices and interfaces on which MAC addresses
are learned, as well as VLANs to which the interfaces belong.

• When performing Layer 2 switching, the device searches the MAC address table
according to the destination MAC address of the packet. If the MAC address table
contains the entry corresponding to the destination MAC address of the packet
and the interface that receives the packet is different from the interface
corresponding to the entry, the packet is directly forwarded through the
outbound interface in the entry. If they are the same, the packet is discarded.
• If the MAC address table does not contain the entry matching the destination
MAC address of the packet, the device broadcasts the packet through all the
interfaces in the VLAN except the interface that receives the packet.
MAC Address Table Security

Measures to ensure security of the MAC address table:
 Static MAC address entry: You can configure the MAC addresses of fixed uplink devices or trusted user terminals as
static MAC address entries to ensure communication security.
 Blackhole MAC address entry: To prevent attackers from attacking the network through MAC addresses, the switch
discards packets from or to blackhole MAC addresses.
 Dynamic MAC address entry: You can configure an aging time for dynamic MAC address entries to prevent explosive
growth of the MAC address table.
 Disabling MAC address learning: If the network environment is fixed or the forwarding path has been specified, you
can disable MAC address learning to prevent untrusted users from accessing the network and to prevent MAC address
attacks, improving network security.
 Limiting the number of learned MAC addresses: On an insecure network, you can limit the number of learned MAC
addresses to prevent attackers from changing MAC addresses to initiate attacks.

• To prevent unauthorized users from modifying the MAC address entries of key
devices (such as servers or uplink devices), you can configure the MAC address
entries of these devices as static MAC address entries. Static MAC address entries
take precedence over dynamic MAC address entries and cannot be overwritten by
frames an unauthorized user sends with a forged source MAC address.
• To prevent useless MAC address entries from occupying the MAC address table
and prevent hackers from attacking user devices or networks using MAC
addresses, you can configure untrusted MAC addresses as blackhole MAC
addresses. In this way, when the device receives a packet with the destination or
source MAC address as the blackhole MAC address, the device discards the
packet without modifying the original MAC address entry or adding a MAC
address entry.
• To reduce manual configuration of static MAC address entries, Huawei S series
switches are enabled with dynamic MAC address learning by default. The aging
time needs to be set properly for dynamic MAC address entries so that the switch
can delete unneeded MAC address entries.
• To improve network security and prevent the device from learning invalid MAC
addresses and incorrectly modifying the original MAC address entries in the MAC
address table, you can disable MAC address learning on a specified interface or
all interfaces in a specified VLAN so that the device does not learn new MAC
addresses from these interfaces.
• You can limit the number of MAC address entries that can be learned on the
device. When the number of learned MAC address entries reaches the limit, the
device does not learn new MAC address entries. You can also configure an action
to take when the number of learned MAC address entries reaches the limit. This
prevents MAC address entries from being exhausted and improves network
security.
Configuring MAC Address Entries

1. Configure a static MAC address entry.

[Huawei] mac-address static mac-address interface-type interface-number vlan vlan-id

The specified VLAN must have been created and added to the bound interface. The specified MAC address must
be a unicast MAC address and cannot be a multicast or broadcast MAC address.

2. Configure a blackhole MAC address entry.

[Huawei] mac-address blackhole mac-address [ vlan vlan-id ]

The device discards the received packets originating from or destined for blackhole MAC addresses.

3. Set an aging time for a dynamic MAC address entry.

[Huawei] mac-address aging-time aging-time

Disabling MAC Address Learning

1. Disable MAC address learning on an interface.

[Huawei-GigabitEthernet0/0/1] mac-address learning disable [ action { discard | forward } ]

By default, MAC address learning is enabled on an interface.

▫ By default, the device takes the forward action after MAC address learning is disabled. That is, the device
forwards packets according to the MAC address table without learning new source MAC addresses.
▫ When the action is set to discard, the device looks up the source MAC address of the packet in the MAC address
table. If the interface and MAC address match an existing MAC address entry, the device forwards the packet
according to the destination MAC address. If they do not match any MAC address entry, the device discards the
packet.

2. Disable MAC address learning in a VLAN.

[Huawei-vlan2] mac-address learning disable

By default, MAC address learning is enabled in a VLAN.

If MAC address learning is disabled both on an interface and in the VLAN to which the interface belongs, the
VLAN-based configuration takes effect.

Limiting the Number of Learned MAC Address Entries
1. Limit the number of MAC address entries learned on an interface.
[Huawei-GigabitEthernet0/0/1] mac-limit maximum max-num

By default, the number of MAC address entries learned on an interface is not limited.

2. Configure an action for the device to take when the number of learned MAC addresses reaches the limit.

[Huawei-GigabitEthernet0/0/1] mac-limit action { discard | forward }


By default, the device discards packets with new MAC addresses when the number of learned MAC address
entries reaches the limit on the interface.
3. Configure whether the device generates an alarm when the number of learned MAC addresses reaches the limit.

[Huawei-GigabitEthernet0/0/1] mac-limit alarm { disable | enable }


By default, the device generates an alarm when the number of learned MAC address entries reaches the limit.

4. Limit the number of MAC address entries learned in a VLAN.


[Huawei-vlan2] mac-limit maximum max-num

By default, the number of MAC address entries learned in a VLAN is not limited.
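The entry types, the lookup rules in the notes above, and the three protection commands (blackhole entries, learning disable with its action, mac-limit with its action) all act on one table. The following Python model is an added example written for this section; it is not Huawei code and does not claim to match a switch's forwarding pipeline. VLAN 10, the port names, and the MAC addresses are constructed sample data following the course figure, and the rule ordering (blackhole check before learning, static entries checked before the learning-disable action) is an assumption of the model.

```python
"""MAC address table model with static, blackhole and dynamic entries, aging,
learning-disable actions and mac-limit. Added example for this section; not
Huawei code. VLAN 10, the port names and the MAC addresses are constructed
sample data that follow the course figure."""


class MacTable:
    def __init__(self, aging_time=300):
        self.aging_time = aging_time   # mac-address aging-time, in seconds
        self.vlan_ports = {}           # vlan -> member ports
        self.entries = {}              # (vlan, mac) -> {"port", "type", "ts"}
        self.blackhole = set()         # (vlan or None, mac)
        self.learning_disabled = {}    # port -> "forward" | "discard"
        self.limits = {}               # port -> {"max", "action"}
        self.alarms = []               # (port, mac) recorded when a limit is hit

    # --- configuration, mirroring the commands above ---
    def add_vlan(self, vlan, ports):
        self.vlan_ports[vlan] = list(ports)

    def mac_address_static(self, mac, port, vlan):
        if port not in self.vlan_ports.get(vlan, []):
            raise ValueError("VLAN must exist and contain the bound interface")
        self.entries[(vlan, mac)] = {"port": port, "type": "static", "ts": None}

    def mac_address_blackhole(self, mac, vlan=None):
        self.blackhole.add((vlan, mac))

    def mac_address_learning_disable(self, port, action="forward"):
        self.learning_disabled[port] = action

    def mac_limit(self, port, maximum, action="discard"):
        self.limits[port] = {"max": maximum, "action": action}

    # --- forwarding ---
    def _is_blackhole(self, vlan, mac):
        return (vlan, mac) in self.blackhole or (None, mac) in self.blackhole

    def age(self, now):
        """Drop dynamic entries that have not been refreshed within the aging time."""
        for key in [k for k, e in self.entries.items()
                    if e["type"] == "dynamic" and now - e["ts"] >= self.aging_time]:
            del self.entries[key]

    def _dynamic_count(self, port):
        return sum(1 for e in self.entries.values()
                   if e["port"] == port and e["type"] == "dynamic")

    def _learn(self, vlan, src, port, now):
        """Apply the source-MAC rules; return False when the frame must be discarded."""
        key = (vlan, src)
        cur = self.entries.get(key)
        if cur and cur["type"] == "static":
            return cur["port"] == port   # other interfaces discard a statically bound source MAC
        if port in self.learning_disabled:
            if self.learning_disabled[port] == "discard":
                return cur is not None and cur["port"] == port
            return True                  # forward action: forward by table, learn nothing
        if cur is None:
            lim = self.limits.get(port)
            if lim and self._dynamic_count(port) >= lim["max"]:
                self.alarms.append((port, src))
                return lim["action"] == "forward"
        self.entries[key] = {"port": port, "type": "dynamic", "ts": now}  # learn or refresh
        return True

    def switch(self, vlan, src, dst, in_port, now):
        """Return ("forward", [port]), ("flood", [ports]) or ("drop", [])."""
        self.age(now)
        if self._is_blackhole(vlan, src) or self._is_blackhole(vlan, dst):
            return "drop", []            # no entry is added or modified
        if not self._learn(vlan, src, in_port, now):
            return "drop", []
        entry = self.entries.get((vlan, dst))
        if entry is None:
            return "flood", [p for p in self.vlan_ports[vlan] if p != in_port]
        if entry["port"] == in_port:
            return "drop", []            # destination sits behind the ingress port
        return "forward", [entry["port"]]


def demo():
    """Constructed walk-through: PC1 static on GE0/0/1, PC2 blackholed, GE0/0/2 limited to 1 MAC."""
    t = MacTable(aging_time=300)
    t.add_vlan(10, ["GE0/0/1", "GE0/0/2", "GE0/0/3"])
    t.mac_address_static("0021-0000-0001", "GE0/0/1", 10)
    t.mac_address_blackhole("0021-0000-0002", 10)
    t.mac_limit("GE0/0/2", 1, "discard")
    r = {}
    r["known_dst"] = t.switch(10, "0021-0000-0003", "0021-0000-0001", "GE0/0/3", now=0)
    r["spoofed_static_src"] = t.switch(10, "0021-0000-0001", "0021-0000-0003", "GE0/0/2", now=1)
    r["blackhole_dst"] = t.switch(10, "0021-0000-0003", "0021-0000-0002", "GE0/0/3", now=1)
    r["unknown_dst"] = t.switch(10, "0021-0000-0003", "0021-0000-00ff", "GE0/0/3", now=2)
    r["limit_first"] = t.switch(10, "0021-0000-0010", "0021-0000-0003", "GE0/0/2", now=3)
    r["limit_second"] = t.switch(10, "0021-0000-0011", "0021-0000-0003", "GE0/0/2", now=3)
    r["aged_out"] = t.switch(10, "0021-0000-0010", "0021-0000-0003", "GE0/0/2", now=400)
    return t, r


if __name__ == "__main__":
    table, results = demo()
    for name, (action, ports) in results.items():
        print(f"{name:20s} {action:8s} {ports}")
    print("mac-limit alarms:", table.alarms)
```

Two behaviours are worth noticing in the walk-through: a frame that spoofs the statically bound PC1 address on GE0/0/2 is dropped rather than moving the entry, and once the dynamic entry for PC3 ages out a frame to it is flooded again, which is exactly what an attacker waits for when forcing MAC table churn.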

Example for Configuring a MAC Address Table

[Figure: Switch3 uplinks to the Internet; Switch3 GE0/0/1 connects to Switch1, which serves user network 1, and
Switch3 GE0/0/2 connects to Switch2, which serves user network 2]

⚫ Requirements:
 The basic configuration of the network topology is complete. User network 1 belongs to VLAN 10, and user
network 2 belongs to VLAN 20.
 Switch3 is disabled from learning MAC addresses from user network 1.
 The maximum number of MAC addresses on user network 2 learned by Switch3 is set.

Switch3 configuration:

Method 1: Interface view
# Disable MAC address learning on GE0/0/1.
[Switch3-GigabitEthernet0/0/1] mac-address learning disable action discard
# Set the maximum number of MAC address entries learned on GE0/0/2, and configure the device to generate an alarm
and set the action to discard when the number of learned MAC address entries reaches the limit.
[Switch3-GigabitEthernet0/0/2] mac-limit maximum 100
[Switch3-GigabitEthernet0/0/2] mac-limit alarm enable
[Switch3-GigabitEthernet0/0/2] mac-limit action discard

Method 2: VLAN view
# Disable MAC address learning in VLAN 10.
[Switch3-vlan10] mac-address learning disable
# Set the maximum number of MAC address entries learned in VLAN 20, and configure the device to generate an alarm
when the number of learned MAC address entries reaches the limit.
[Switch3-vlan20] mac-limit maximum 100 alarm enable
Verifying the Configuration
⚫ Run the display mac-limit command in any view to check whether MAC address limiting rules are
configured successfully.

[Switch3]display mac-limit
MAC Limit is enabled
Total MAC Limit rule count : 2

PORT       VLAN/VSI/SI   SLOT   Maximum   Rate(ms)   Action    Alarm
----------------------------------------------------------------------------------------------------
GE0/0/2    -             -      100       -          discard   enable
-          20            -      100       -          forward   enable

The first row is the interface-based MAC address limiting rule (GE0/0/2); the second row is the VLAN-based rule
(VLAN 20).

Background of Port Security

 An enterprise requires that each access switch interface connected to terminals allow only one PC to access the
network (the number of MAC address entries is limited). If an employee attempts to connect a small switch or hub to
an interface, this behavior should be detected or prohibited, as shown in the figure on the left.

 In addition, some enterprises may require that only data frames sent by terminals with trusted MAC addresses be
forwarded to the upper-layer network by the switch, and that employees cannot change their locations (change access
interfaces of the switch), as shown in the figure on the right.

 Port security of the switch can solve these problems.

[Figure, left: Switch1 with GE0/0/1 and GE0/0/2; an unauthorized Switch2 is attached to GE0/0/1, and PC1, PC2, and
PC3 connect through Switch2]
[Figure, right: a Switch whose binding table maps port GE0/0/1 to MAC 0011-0022-0033; PC1 (MAC 0011-0022-0033)
is moved from GE0/0/1 to GE0/0/2]
Introduction to Port Security
⚫ You can configure port security on a specified interface of a switch to limit the number of MAC address
entries learned by the interface and configure a punishment action when the number of learned MAC
address entries exceeds the threshold.
⚫ Port security converts dynamic MAC addresses learned on an interface into secure MAC addresses
(including dynamic and static secure MAC addresses, and sticky MAC addresses). This function prevents
unauthorized users from communicating with the switch using this interface and therefore enhances
device security.

Working Mechanism of Port Security
⚫ Secure MAC addresses are classified into the following types.

 Secure dynamic MAC address
▫ Definition: MAC address that is converted on an interface with port security enabled but sticky MAC disabled.
▫ Characteristics: After a device restarts, dynamic secure MAC addresses are lost and need to be relearned. By
default, dynamic secure MAC addresses are not aged out, and can be aged out only when the aging time is set.

 Secure static MAC address
▫ Definition: MAC address that is manually configured on an interface with port security enabled.
▫ Characteristics: Secure static MAC addresses are not aged out and are not lost after a device restart.

 Sticky MAC address
▫ Definition: MAC address that is converted on an interface with both port security and sticky MAC enabled.
▫ Characteristics: Sticky MAC addresses are not aged out and are not lost after a device restart.

⚫ Secure MAC addresses are usually used together with security protection actions. Common security protection
actions are as follows:

 Restrict: Discards packets with a nonexistent source MAC address and sends a trap.

 Protect: Discards packets with a nonexistent source MAC address but does not send a trap.

 Shutdown: Sets the interface state to error-down and generates an alarm.


• Dynamic secure MAC addresses can be aged out using two modes: absolute aging and
relative (inactivity) aging.
▫ Absolute aging time: If the absolute aging time is set to 5 minutes, the
system calculates the lifetime of each MAC address every minute. If the
lifetime is larger than or equal to 5 minutes, the secure dynamic MAC
address is aged immediately. If the lifetime is smaller than 5 minutes,
the system checks again after 1 minute.
▫ Relative aging time: If the value is set to 5 minutes, the system checks
every minute whether there is traffic from the dynamic secure MAC address.
If no traffic is received from the secure dynamic MAC address for 5 minutes,
this MAC address is aged out.
• By default, an interface in error-down state can be restored only after the restart
command is run in the interface view.
• To enable an interface in error-down state to automatically go Up after a period
of time, run the error-down auto-recovery cause port-security interval
interval-value command in the system view. In this command, interval-value
specifies the period of time after which an interface in error-down state
automatically goes Up.
• When port security or the sticky MAC address function is enabled or disabled on an
interface, the MAC address entries on the interface change as follows:
▫ Port security
▪ After port security is enabled on an interface, dynamic MAC address
entries that have been learned on the interface are deleted. MAC address
entries learned subsequently are converted into dynamic secure MAC
address entries.
▪ After port security is disabled on an interface, existing dynamic secure
MAC address entries on the interface are deleted. The interface relearns
dynamic MAC address entries.
▫ Sticky MAC address
▪ After the sticky MAC address function is enabled on an interface,
existing dynamic secure MAC address entries and MAC address entries
learned subsequently are converted into sticky MAC address entries.
▪ After the sticky MAC address function is disabled on an interface,
sticky MAC address entries on the interface are converted into dynamic
secure MAC address entries.
Application of Port Security

[Figure: the intranet above an aggregation switch; GE0/0/1 connects Department A, GE0/0/2 connects Department B,
and GE0/0/3 connects Department C]

To ensure security of the aggregation device and limit the number of access users, configure port security on the
aggregation device and set the maximum number of secure MAC addresses.
▫ Department A: Convert the MAC addresses of a large number of fixed users into sticky MAC addresses. After the
device is restarted, bound MAC address entries are not lost.
▫ Department B: Configure the MAC addresses of a small number of fixed users as secure static MAC addresses. After
the device is restarted, bound MAC address entries are not lost.
▫ Department C: Convert the MAC addresses of frequent access users into dynamic secure MAC addresses, so that bound
MAC address entries are easy to delete.

• You can configure port security and set the maximum number of secure MAC
addresses learned by an interface on networks demanding high access security.
Port security enables the switch to convert MAC addresses learned by an
interface into secure MAC addresses and to stop learning new MAC addresses
after the maximum number of learned MAC addresses is reached. In this case,
the switch communicates only with devices whose MAC addresses have been learned.
If the switch receives packets with a nonexistent source MAC address after the
number of secure MAC addresses reaches the limit, the switch considers the
packets to be sent by an unauthorized user, regardless of whether the
destination MAC address of the packets is valid, and takes the configured
action on the interface. This prevents untrusted users from accessing these
interfaces, improving security of the switch and the network.
• If the number of access users changes, you can restart the device or set the
aging time of secure MAC address entries to update the MAC address entries. If
you do not want the MAC address entries of stable access users to change, enable
the sticky MAC function on the interface. After the configuration is saved, the
MAC address entries are neither updated nor lost after a restart.
Port Security Configuration Commands (1)
1. Enable port security on an interface.

[Huawei-GigabitEthernet0/0/1] port-security enable

By default, port security is disabled on an interface.

2. Set the maximum number of secure MAC addresses learned by an interface.

[Huawei-GigabitEthernet0/0/1] port-security max-mac-num max-number

By default, the maximum number of secure MAC addresses learned by an interface is 1.

3. (Optional) Configure a static secure MAC address entry.

[Huawei-GigabitEthernet0/0/1] port-security mac-address mac-address vlan vlan-id

4. (Optional) Configure a protection action on an interface.

[Huawei-GigabitEthernet0/0/1] port-security protect-action { protect | restrict | shutdown }

By default, the restrict action is used.


• The port-security protect-action command configures the protection action to be
used when the number of learned MAC addresses on an interface exceeds the
upper limit or static MAC address flapping is detected.
▫ protect
▪ Discards packets with new source MAC addresses when the number
of learned MAC addresses exceeds the limit.
▪ When static MAC address flapping occurs, the interface discards the
packets with this MAC address.
▫ restrict
▪ Discards packets with new source MAC addresses and sends a trap
message when the number of learned MAC addresses exceeds the
limit.
▪ When static MAC address flapping occurs, the interface discards the
packets with this MAC address and sends a trap.
▫ shutdown
▪ Sets the interface state to error-down and generates a trap when the
number of learned MAC addresses exceeds the limit.
▪ Sets the interface state to error-down and generates a trap when
static MAC address flapping occurs.
Port Security Configuration Commands (2)
5. (Optional) Configure an aging time for dynamic secure MAC address entries learned by the interface.

[Huawei-GigabitEthernet0/0/1] port-security aging-time time [ type { absolute | inactivity } ]

By default, dynamic secure MAC address entries learned by an interface are not aged out.

6. Enable the sticky MAC address function on an interface.

[Huawei-GigabitEthernet0/0/1] port-security mac-address sticky

By default, the sticky MAC address function is disabled on an interface.

7. Set the maximum number of sticky MAC addresses that can be learned by an interface.

[Huawei-GigabitEthernet0/0/1] port-security max-mac-num max-number

By default, an interface enabled with the sticky MAC address function can learn only one sticky MAC address.

8. (Optional) Configure a sticky MAC address entry.

[Huawei-GigabitEthernet0/0/1] port-security mac-address sticky mac-address vlan vlan-id

25 Huawei Confidential

• Check secure MAC addresses.
▫ Run the display mac-address security [ vlan vlan-id | interface-type
interface-number ] * [ verbose ] command to check dynamic secure MAC
address entries.
▫ Run the display mac-address sec-config [ vlan vlan-id | interface-type
interface-number ] * [ verbose ] command to check static secure MAC
address entries.
▫ Run the display mac-address sticky [ vlan vlan-id | interface-type
interface-number ] * [ verbose ] command to check sticky MAC address
entries.
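The secure MAC types, the max-mac-num limit, the three protection actions and the two aging types above describe the behaviour of a single interface, which can be modelled directly. The following Python class is an added example written for this section; it is not Huawei code. It models one interface in isolation, so static MAC address flapping across interfaces (the second trigger of protect-action) is out of scope, and the assumption that a device restart also clears the error-down state is the model's, not a statement from the page. MAC addresses in the test scenario are constructed sample values.

```python
"""Port security on one interface: secure MAC types, max-mac-num, protect-action
and aging. Added example for this section; not Huawei code. Only the single
interface is modelled; resetting error-down on device restart is an assumption."""


class PortSecurity:
    def __init__(self, name, max_mac=1, action="restrict",
                 aging_time=None, aging_type="absolute", sticky=False):
        if action not in ("protect", "restrict", "shutdown"):
            raise ValueError("protect-action must be protect, restrict or shutdown")
        if aging_type not in ("absolute", "inactivity"):
            raise ValueError("aging type must be absolute or inactivity")
        self.name = name
        self.max_mac = max_mac          # port-security max-mac-num (default 1)
        self.action = action            # port-security protect-action (default restrict)
        self.aging_time = aging_time    # port-security aging-time; None: never ages (default)
        self.aging_type = aging_type    # absolute | inactivity
        self.sticky = sticky            # port-security mac-address sticky
        self.state = "up"               # "up" or "error-down"
        self.secure = {}                # mac -> {"type", "learned", "seen"}
        self.traps = []                 # (interface, mac, action) sent to the NMS

    def mac_address_static(self, mac):
        """port-security mac-address <mac> vlan <id>: a static secure MAC, never aged."""
        self.secure[mac] = {"type": "static", "learned": None, "seen": None}

    def sticky_enable(self):
        """Existing dynamic secure MACs become sticky; later ones are learned as sticky."""
        self.sticky = True
        for entry in self.secure.values():
            if entry["type"] == "dynamic":
                entry["type"] = "sticky"

    def sticky_disable(self):
        self.sticky = False
        for entry in self.secure.values():
            if entry["type"] == "sticky":
                entry["type"] = "dynamic"

    def age(self, now):
        """Only dynamic secure MACs age; absolute uses learn time, inactivity last traffic."""
        if self.aging_time is None:
            return
        for mac, entry in list(self.secure.items()):
            if entry["type"] != "dynamic":
                continue
            ref = entry["learned"] if self.aging_type == "absolute" else entry["seen"]
            if now - ref >= self.aging_time:
                del self.secure[mac]

    def receive(self, mac, now):
        """Return True if a frame with this source MAC is forwarded."""
        if self.state == "error-down":
            return False
        self.age(now)
        if mac in self.secure:
            self.secure[mac]["seen"] = now
            return True
        if len(self.secure) < self.max_mac:
            kind = "sticky" if self.sticky else "dynamic"
            self.secure[mac] = {"type": kind, "learned": now, "seen": now}
            return True
        # limit reached and the source MAC is unknown: apply the protection action
        if self.action == "restrict":
            self.traps.append((self.name, mac, "restrict"))
        elif self.action == "shutdown":
            self.state = "error-down"
            self.traps.append((self.name, mac, "shutdown"))
        return False

    def device_restart(self):
        """Dynamic secure MACs are lost on reboot; static and sticky ones survive."""
        self.secure = {m: e for m, e in self.secure.items() if e["type"] != "dynamic"}
        self.state = "up"   # assumption of the model, see lead-in

    def restart_interface(self):
        """The 'restart' command in the interface view recovers an error-down port."""
        self.state = "up"


def demo():
    """GE0/0/3 from the course example: two MACs allowed, third one shuts the port."""
    port = PortSecurity("GE0/0/3", max_mac=2, action="shutdown")
    outcomes = [port.receive("5489-98ac-71a9", 0), port.receive("5489-98ac-71aa", 0),
                port.receive("5489-0000-0001", 1)]
    return outcomes, port.state, port.traps


if __name__ == "__main__":
    print(demo())
```

The inactivity versus absolute distinction matters operationally: with absolute aging a legitimate host that keeps talking is still unbound after the timer and must be relearned, whereas with inactivity aging an attacker who can keep a spoofed entry alive by sending traffic prevents the binding from ever expiring.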
Example for Configuring Port Security - Secure Dynamic MAC Addresses

[Figure: Switch1 with GE0/0/1 connecting PC1, GE0/0/2 connecting PC2, and GE0/0/3 connecting Switch2, behind which
PC3 and PC4 are attached]

⚫ Requirements:
 Configure port security on Switch1.
 Set the maximum number of MAC addresses learned by GE0/0/1 and GE0/0/2 to 1. When an interface is connected to
multiple PCs, Switch1 needs to send an alarm. In addition, the interface must still forward data frames from the
authorized PC.
 Set the maximum number of MAC addresses that can be learned by GE0/0/3 to 2. When the number of learned MAC
addresses exceeds the maximum number, the switch generates an alarm and shuts down GE0/0/3.

Switch1 configuration:
[Switch1] interface GigabitEthernet 0/0/1
[Switch1-GigabitEthernet0/0/1] port-security enable
[Switch1-GigabitEthernet0/0/1] port-security max-mac-num 1
[Switch1-GigabitEthernet0/0/1] port-security protect-action restrict
[Switch1] interface GigabitEthernet 0/0/2
[Switch1-GigabitEthernet0/0/2] port-security enable
[Switch1-GigabitEthernet0/0/2] port-security max-mac-num 1
[Switch1-GigabitEthernet0/0/2] port-security protect-action restrict
[Switch1] interface GigabitEthernet 0/0/3
[Switch1-GigabitEthernet0/0/3] port-security enable
[Switch1-GigabitEthernet0/0/3] port-security max-mac-num 2
[Switch1-GigabitEthernet0/0/3] port-security protect-action shutdown
Verifying the Configuration
⚫ Run the display mac-address security command to check dynamic secure MAC address entries.

[Switch1]display mac-address security


MAC address table of slot 0:
----------------------------------------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
----------------------------------------------------------------------------------------------------------------
5489-98ac-71a9 1 - - GE0/0/3 security -
5489-98b1-7b30 1 - - GE0/0/1 security -
5489-9815-662b 1 - - GE0/0/2 security -
----------------------------------------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 3

Configuring Port Security - Sticky MAC Addresses

[Figure: a Switch with GE0/0/1 connecting PC1, GE0/0/2 connecting PC2, and GE0/0/3 connecting PC3]

⚫ Requirements:
 Configure port security on the switch. Enable port security on GE0/0/1 through GE0/0/3.
 Set the maximum number of MAC addresses that can be learned by GE0/0/1 and GE0/0/2 to 1 and convert the secure
dynamic MAC addresses learned by GE0/0/1 and GE0/0/2 to sticky MAC addresses.
 On GE0/0/3, set the maximum number of MAC addresses that can be learned to 1, manually create a sticky MAC address
entry for the interface, and bind the interface to MAC address 5489-98ac-71a9. Retain the default penalty on each
interface.

Switch configuration:
[Switch] interface GigabitEthernet 0/0/1
[Switch-GigabitEthernet0/0/1] port-security enable
[Switch-GigabitEthernet0/0/1] port-security max-mac-num 1
[Switch-GigabitEthernet0/0/1] port-security mac-address sticky
[Switch] interface GigabitEthernet 0/0/2
[Switch-GigabitEthernet0/0/2] port-security enable
[Switch-GigabitEthernet0/0/2] port-security max-mac-num 1
[Switch-GigabitEthernet0/0/2] port-security mac-address sticky
[Switch] interface GigabitEthernet 0/0/3
[Switch-GigabitEthernet0/0/3] port-security enable
[Switch-GigabitEthernet0/0/3] port-security max-mac-num 1
[Switch-GigabitEthernet0/0/3] port-security mac-address sticky
[Switch-GigabitEthernet0/0/3] port-security mac-address sticky 5489-98ac-71a9 vlan 1
Verifying the Configuration
⚫ Run the display mac-address sticky command to check sticky MAC address entries.

[Switch]display mac-address sticky


MAC address table of slot 0:
-------------------------------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------------------------------
5489-98ac-71a9 1 - - GE0/0/3 sticky -
5489-98b1-7b30 1 - - GE0/0/1 sticky -
5489-9815-662b 1 - - GE0/0/2 sticky -
-------------------------------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 3

MAC Address Flapping Detection
⚫ MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN on a
switch and the MAC address entry learned later overrides the earlier one.
⚫ When a MAC address frequently switches between two interfaces, MAC address flapping occurs.
⚫ MAC address flapping frequently occurs on networks where loops or network attacks exist.

[Figure, network loop: PC1 (MAC 0011-0022-0033) is learned on both GE0/0/1 and GE0/0/2 of the switch because of a
Layer 2 loop]
[Figure, network attack: PC1 (MAC 0011-0022-0033) is connected to GE0/0/1; an attacker on GE0/0/2 forges the same
MAC address 0011-0022-0033]
MAC Address Flapping Prevention

If MAC address flapping is caused by loops, deploy loop prevention technologies, such as STP, to eliminate Layer 2
loops. If MAC address flapping is caused by network attacks or other reasons, you can use the following MAC address
flapping prevention measures.

1. Configuring a MAC address learning priority for an interface
If the same MAC address is learned on interfaces that have different priorities, the MAC address entry on the
interface with the highest priority overrides that on the other interfaces.
[Figure: GE0/0/1 (mac-learning priority 5) connects to the secure network, where PC1 has MAC 0011-0022-0033;
GE0/0/2 (mac-learning priority 0) connects to PC2, an attacker forging MAC 0011-0022-0033]

2. Preventing MAC address entries from being overridden on interfaces with the same priority
If the interface connected to a bogus network device has the same priority as the interface connected to an
authorized device, the MAC address entry of the bogus device learned later does not override the original correct
MAC address entry.
Command: undo mac-learning priority 0 allow-flapping
[Figure: GE0/0/1 connects to the secure network, where PC1 has MAC 0011-0022-0033; GE0/0/2 connects to PC2, an
attacker forging MAC 0011-0022-0033; both interfaces have the same priority]

• By default, the MAC address learning priority of an interface is 0. A larger priority value indicates a higher MAC address learning
priority. If the same MAC address is learned on interfaces that have different priorities, the MAC address entry on the interface
with the highest priority overrides that on the other interfaces.
• When the device is configured to prevent MAC address entries from being
overridden on interfaces with the same priority, if the authorized device is
powered off, the MAC address entry of the bogus device is learned. After the
authorized device is powered on again, its MAC address cannot be learned.
Exercise caution when using this feature. If a switch interface is connected to a
server, when the server is powered off, other interfaces can learn the same MAC
address as the server. When the server is powered on again, the switch cannot
learn the correct MAC address.
MAC Address Flapping Detection
⚫ The switch supports the following MAC address flapping detection mechanisms.
 VLAN-based MAC address flapping detection
◼ After MAC address flapping detection is configured in a VLAN, the switch can detect MAC address flapping in the specified VLAN.
◼ You can configure an action to take on an interface when MAC address flapping is detected on it, for example, sending a trap or
blocking the interface or MAC address.
 Global MAC address flapping detection
◼ The global MAC address flapping detection function detects all MAC addresses on the device.
◼ If MAC address flapping occurs, the device sends a trap to the NMS.
◼ You can also specify an action to take when MAC address flapping is detected, for example, shutting down the interface or
removing the interface from the VLAN.

• Whether all Huawei switches support MAC address flapping detection depends
on the switch model.
VLAN-based MAC Address Flapping Detection
⚫ When VLAN-based MAC address flapping detection is configured and detects MAC address flapping on an interface, you can
configure one of the following actions:
 Trap sending: The device only sends a trap to the NMS.
 Interface blocking: The interface is blocked for a specified period of time and is disabled from sending and receiving packets.
 MAC address blocking: The device blocks only the current MAC address but not the physical interface. Communication of other
MAC addresses on the current interface is not affected.
[Figure: SW1 (GE0/0/1, GE0/0/2) and SW2 in VLAN 2; PC1 (MAC 0011-0022-0033) and PC2 are legitimate hosts, and PC3 is an
attacker using the forged MAC address 0011-0022-0033.]

• After MAC address flapping occurs, one of the following actions is taken according to the configuration: 1. A trap is
generated and reported. 2. GE0/0/2 on SW1 is disabled from sending and receiving packets (interface blocking). 3. GE0/0/2 on
SW1 is disabled from sending and receiving packets with the specified MAC address (MAC address blocking).
• When an interface is blocked:
▫ When detecting MAC address flapping in VLAN 2, the device blocks the interface where MAC address flapping occurs.
▫ The interface is blocked for 10s (specified by the block-time keyword). The blocked interface cannot receive or send data.
▫ After 10 seconds, the interface is unblocked and starts to send and receive data. If MAC address flapping is not detected within
the next 20 seconds, the interface stays unblocked. If MAC address flapping is detected again on the interface within 20
seconds, the switch blocks the interface again. If the switch still detects MAC address flapping on the interface after the
configured number of retries, the switch permanently blocks the interface. The retry-times parameter specifies the number of
times that MAC address flapping may be detected before the interface is permanently blocked.
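As an added simulation written for this page (not Huawei VRP code), the following Python model replays the learning-priority rules from the prevention slide and the block-time/retry-times behaviour described above. The MAC address 0011-0022-0033 and the 10 s / 20 s values are the slides'; the ``retry_window`` parameter, the Original-Port/Move-Port bookkeeping and all class and method names are assumptions of the model.

```python
"""Added example (not Huawei VRP code): a model of a switch MAC table with two
controls from these slides: per-interface MAC learning priority (optionally
without flapping between equal priorities) and VLAN-based flapping detection
with the block-interface action (block-time / retry-times); retry_window is assumed."""
import math
from dataclasses import dataclass

@dataclass
class MacEntry:
    port: str
    priority: int

@dataclass
class PortState:
    blocked_until: float = 0.0    # math.inf means permanently blocked
    flap_count: int = 0           # detections since the count was last reset
    last_flap: float = -math.inf

class Switch:
    def __init__(self, block_time=10, retry_times=2, retry_window=20,
                 allow_same_priority_flapping=True):
        self.block_time, self.retry_times = block_time, retry_times
        self.retry_window = retry_window
        self.allow_same_priority_flapping = allow_same_priority_flapping
        self.priority = {}         # port -> mac-learning priority (default 0)
        self.detect_vlans = set()  # VLANs with flapping detection enabled
        self.table = {}            # (vlan, mac) -> MacEntry
        self.original = {}         # (vlan, mac) -> Original-Port (first port)
        self.ports = {}            # port -> PortState
        self.traps = []            # (time, vlan, mac, original, move_port)

    def set_priority(self, port, value):
        """Equivalent of: mac-learning priority <value> (interface view)."""
        self.priority[port] = value

    def enable_detection(self, vlan):
        """Equivalent of: mac-address flapping detection (VLAN view)."""
        self.detect_vlans.add(vlan)

    def _detect(self, vlan, mac, old_port, new_port, now):
        """Detection for a MAC that moved; the action hits the Move-Port only."""
        if vlan not in self.detect_vlans:
            return
        original = self.original.setdefault((vlan, mac), old_port)
        if new_port == original:
            return                     # the MAC returned to its Original-Port
        self.traps.append((now, vlan, mac, original, new_port))
        st = self.ports.setdefault(new_port, PortState())
        # A quiet period of block-time plus the retry window resets the count.
        if now - st.last_flap > self.block_time + self.retry_window:
            st.flap_count = 0
        st.flap_count += 1
        st.last_flap = now
        if st.flap_count > self.retry_times:
            st.blocked_until = math.inf    # permanent block after the retries
        else:
            st.blocked_until = now + self.block_time

    def learn(self, vlan, mac, port, now):
        """Process one frame with source `mac` received on `port` at time `now`;
        returns "dropped", "learned", "refreshed", "kept" or "moved"."""
        if now < self.ports.setdefault(port, PortState()).blocked_until:
            return "dropped"
        prio = self.priority.get(port, 0)
        entry = self.table.get((vlan, mac))
        if entry is None:
            self.table[(vlan, mac)] = MacEntry(port, prio)
            return "learned"
        if entry.port == port:
            return "refreshed"
        # The same MAC is now seen on a second interface of the same VLAN.
        if prio < entry.priority:
            return "kept"                  # the higher-priority entry wins
        if prio == entry.priority and not self.allow_same_priority_flapping:
            return "kept"                  # later learning does not override
        old_port = entry.port
        self.table[(vlan, mac)] = MacEntry(port, prio)
        self._detect(vlan, mac, old_port, port, now)
        return "moved"

def demo():
    """Replay the slide scenarios on constructed frames (MAC from the slides)."""
    mac = "0011-0022-0033"
    # 1. GE0/0/1 (server side) priority 5, GE0/0/2 default 0: the server wins.
    sw1 = Switch()
    sw1.set_priority("GE0/0/1", 5)
    r1 = [sw1.learn(2, mac, "GE0/0/2", 0), sw1.learn(2, mac, "GE0/0/1", 1),
          sw1.learn(2, mac, "GE0/0/2", 2)]
    # 2. Equal priorities, flapping between them disallowed: later learning loses.
    sw2 = Switch(allow_same_priority_flapping=False)
    r2 = [sw2.learn(2, mac, "GE0/0/1", 0), sw2.learn(2, mac, "GE0/0/2", 1)]
    # 3. VLAN 2 detection, block-time 10, retry-times 2: third move -> permanent.
    sw3 = Switch(block_time=10, retry_times=2, retry_window=20)
    sw3.enable_detection(2)
    frames = [("GE0/0/1", 0), ("GE0/0/2", 1), ("GE0/0/1", 2), ("GE0/0/2", 5),
              ("GE0/0/2", 12), ("GE0/0/1", 13), ("GE0/0/2", 23),
              ("GE0/0/1", 24), ("GE0/0/2", 1000)]
    r3 = [sw3.learn(2, mac, port, t) for port, t in frames]
    return r1, r2, r3, sw3
```

In scenario 3 the legitimate port GE0/0/1 is never blocked: only the Move-Port GE0/0/2 accumulates detections, which matches the Original-Port/Move-Ports columns of the flapping record shown later in this section.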
Global MAC Address Flapping Detection
⚫ When a switch detects MAC address flapping, it only reports a trap by default and does not take other actions. In
practice, you can define the following actions after MAC address flapping is detected:
 error-down
◼ When an interface configured with MAC address flapping detection detects MAC address flapping, the interface is set to enter the
Error-Down state and does not forward data.
 quit-vlan
◼ When an interface configured with MAC address flapping detection detects MAC address flapping, the interface is removed from the
VLAN to which the interface belongs.
[Figure: In both cases PC1 on the secure network and PC2, an attacker forging PC1's MAC address 0011-0022-0033, are connected to
GE0/0/1 (1) and GE0/0/2 (2). Left: the error-down action; right: the quit-vlan action, which removes the interface from VLAN 10.]

• By default, global MAC address flapping detection is enabled on a Huawei switch. Therefore, the switch performs MAC address
flapping detection in all VLANs by default.
• In some scenarios, MAC address flapping detection needs to be disabled in some VLANs. You can configure a VLAN whitelist for
MAC address flapping detection.
• If an interface is set to enter the Error-Down state due to MAC address flapping, the interface is not automatically restored to
the Up state by default.
• To enable an interface in Error-Down state to automatically go Up, run the error-down auto-recovery cause mac-address-flapping
interval time-value command in the system view.
• If MAC address flapping occurs on an interface and the interface is removed from the VLAN, you can run the following command in
the system view to implement automatic recovery of the interface:
▫ mac-address flapping quit-vlan recover-time time-value

Configuration Commands of MAC Address Flapping
Prevention and Detection (1)
1. Configure a MAC address learning priority for an interface.

[Huawei-GigabitEthernet0/0/1] mac-learning priority priority-id

By default, the MAC address learning priority of an interface is 0. A larger priority value indicates a higher MAC address
learning priority.

2. Configure the device to discard packets when the device is configured to prohibit MAC address flapping.

[Huawei-GigabitEthernet0/0/1] mac-learning priority flapping-defend action discard

By default, the action is forward when the device is configured to prohibit MAC address flapping.

3. Configure the device to prevent MAC address entries from being overridden on interfaces with the same priority.

[Huawei] undo mac-learning priority priority-id allow-flapping

By default, MAC address flapping between interfaces with the same priority is allowed.

4. Configure MAC address flapping detection.

[Huawei-vlan2] mac-address flapping detection

Configuration Commands of MAC Address Flapping
Prevention and Detection (2)
5. (Optional) Configure a VLAN whitelist for MAC address flapping detection.

[Huawei] mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

By default, the device performs MAC address flapping detection in all VLANs.

6. (Optional) Configure the action for the device to take after MAC address flapping is detected on an interface.

[Huawei-GigabitEthernet0/0/1] mac-address flapping action { quit-vlan | error-down }

By default, the device discards packets with new MAC addresses when the number of learned MAC address entries reaches the
limit on the interface.
7. (Optional) Set an aging time for flapping MAC addresses.

[Huawei] mac-address flapping aging-time aging-time


8. Configure VLAN-based MAC address flapping detection and the action to take.

[Huawei-vlan2] loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times | alarm-only }


• Insecure networks are vulnerable to MAC address attacks. If attackers send large
numbers of forged packets with different source MAC addresses to the switch, its
MAC address table will be filled with unwanted address entries. As a result, the
device is unable to learn the source MAC addresses of valid packets.
• You can limit the number of MAC address entries that can be learned on the
device. When the number of learned MAC address entries reaches the limit, the
device does not learn new MAC address entries. You can also configure an action
to take when the number of learned MAC address entries reaches the limit. This
prevents MAC address entries from being exhausted and improves network
security.
Example for Configuring MAC Address Flapping Prevention
and Detection
[Figure: Switch1 connects to the server on GE0/0/1 and downstream (GE0/0/2, GE0/0/3) to Switch2; Switch2 connects to Switch3 and
Switch4 on GE0/0/1 and GE0/0/2, and a miscabled link between Switch3 and Switch4 forms a loop.]
⚫ Requirements:
 Basic network configurations are complete, but an incorrect connection of a network cable between Switch3 and Switch4 causes a
loop on the network.
 Configure MAC address flapping prevention on GE0/0/1 of Switch1 to prevent attacks from unauthorized users.
 Configure MAC address flapping detection on Switch2 to detect loops on the network and rectify the faults.
1. Set the MAC address learning priority of GE0/0/1, which connects Switch1 to the server, to be higher than that of other
interfaces. The default MAC address learning priority is 0.
[Switch1] interface GigabitEthernet 0/0/1
[Switch1-GigabitEthernet0/0/1] mac-learning priority 3
2. Configure MAC address flapping detection on Switch2 and configure an action to take when MAC address flapping is detected on an
interface.
[Switch2] mac-address flapping detection
[Switch2] mac-address flapping aging-time 500
[Switch2-GigabitEthernet0/0/1] mac-address flapping action error-down
[Switch2-GigabitEthernet0/0/2] mac-address flapping action error-down
[Switch2] error-down auto-recovery cause mac-address-flapping interval 500

• When Switch3 and Switch4 are incorrectly connected, the MAC address of
GE0/0/1 on Switch2 is learned by GE0/0/2, causing GE0/0/2 to enter the Error-
Down state.

• You can run the display mac-address flapping record command to check MAC
address flapping records.
Verifying the Configuration
⚫ When the MAC address of GE0/0/1 on Switch2 is learned by GE0/0/2, GE0/0/2 is shut down. You can
run the display mac-address flapping record command to check MAC address flapping records.
[Switch2] display mac-address flapping record
S : start time
E : end time
(Q) : quit vlan
(D) : error down
---------------------------------------------------------------------------------------------------
Move-Time VLAN MAC-Address Original-Port Move-Ports MoveNum
---------------------------------------------------------------------------------------------------
S:XXXX-XX-22 17:22:36 1 5489-9815-662b GE0/0/1 GE0/0/2(D) 83
E:XXXX-XX-22 17:22:44
---------------------------------------------------------------------------------------------------
Total items on slot 0: 1

MACsec Provides Secure Layer 2 Data Transmission
Background
• Most data is transmitted in plain text on LAN links, posing security risks in scenarios demanding high security.
Overview of MACsec
• Media Access Control Security (MACsec), in compliance with 802.1AE, defines an Ethernet-based data security communication
method. It encrypts data hop by hop to ensure data transmission security.
• MACsec provides data encryption, data integrity check, identity authentication, and replay protection.
[Figure: Site 1 and Site 2 connected across the Internet with IPsec, shown for contrast with hop-by-hop MACsec on the LAN.]
Typical Application Scenarios
• MACsec is deployed between switches to ensure data security. For example, MACsec is deployed between access switches and
uplink aggregation or core switches.
• When transmission devices exist between switches, MACsec can be deployed to ensure data security.
Working Mechanism of MACsec
⚫ When the device runs point-to-point MACsec, a network administrator pre-configures the same Secure Connectivity Association Key
(CAK) on the two devices using commands. The two devices use the MACsec Key Agreement (MKA) to elect a key server. The key
server determines the encryption scheme, uses an encryption algorithm to generate a Secure Association Key (SAK) based on
parameters such as the CAK, and distributes the SAK to the peer device. In this way, the two devices have the same SAK, which can
be used to encrypt and decrypt MACsec data packets.

[Figure: Access switch and aggregation switch. 1: Pre-configured CAK (obtaining the CAK). 2: MKA key negotiation (generating the
data key SAK): elect the key server, generate the data key SAK, send the SAK to the peer end. 3: MACsec data encryption and
decryption (using the SAK to encrypt data).]

• A CAK is not directly used to encrypt data packets. Instead, the CAK and other parameters derive the encryption key of data
packets. The CAK can be delivered during 802.1X authentication or statically configured.
• MKA is used for negotiation of MACsec data encryption keys.
• The SAK is derived from the CAK using an algorithm and is used to encrypt data transmitted over secure channels. MKA limits the
number of packets that can be encrypted by each SAK. When the packet numbers (PNs) available under a SAK are exhausted, the
SAK is updated. For example, on a 10 Gbit/s link, the SAK can be updated every 4.8 minutes.
• The key server determines the encryption scheme and is the MKA entity that distributes the key.
Traffic Suppression and Storm Control
Overview of Traffic Suppression
⚫ Issues on networks:
 In normal situations, when a Layer 2 Ethernet interface receives broadcast, unknown multicast, or unknown unicast packets, it
forwards the packets to other Layer 2 Ethernet interfaces in the same VLAN. As a result, traffic flooding occurs and the forwarding
performance of the device deteriorates.
 When an Ethernet interface on the device receives known multicast or unicast packets, heavy traffic of a certain type of packets
may affect the processing of other services on the switch.
⚫ Solution:
 Traffic suppression can rate-limit the broadcast, unknown multicast, unknown unicast, known multicast, and known unicast packets
by setting thresholds. This prevents traffic flooding caused by broadcast, unknown multicast, and unknown unicast packets and the
impact incurred by a large number of known multicast and known unicast packets.
[Figure: A switch in VLAN 2 uplinked to the Internet receives broadcast, multicast, and unknown unicast packets as well as known
multicast and known unicast packets.]
Working Mechanism of Traffic Suppression (1)
⚫ In the inbound direction of an interface, the switch can suppress broadcast, unknown multicast, unknown unicast,
known multicast, and known unicast packets based on the percentage, packet rate, and bit rate. The device
monitors the rate of various types of packets on an interface and compares the rate with the threshold. When the
traffic rate on the interface in the inbound direction reaches the threshold, the device discards excess traffic.

[Figure: Threshold 80 on the inbound interface of the switch toward the router and the Internet. Packet types arriving at rates 50,
80, and 100 leave at 50, 80, and 80: traffic above the threshold is discarded.]

• In the outbound direction of an interface, the device can block broadcast packets,
unknown multicast packets, and unknown unicast packets.
Working Mechanism of Traffic Suppression (2)
⚫ In the VLAN view, the device can rate-limit broadcast packets by the bit rate. The device monitors the rate of
broadcast packets in the same VLAN and compares the rate with the threshold. When the traffic rate in the VLAN
reaches the threshold, the device discards excess traffic.
[Figure: Threshold 80. Switch1 connects to Switch2 and Switch3, each carrying VLAN 10, VLAN 20, and VLAN 30; broadcast packets in
a VLAN are rate-limited.]
• Traffic suppression can also rate-limit ICMP packets by setting a threshold. Without traffic suppression, a large number of ICMP
packets may be sent to the CPU, and other service functions may then become abnormal.
Application of Traffic Suppression
⚫ Traffic suppression limits the rate at which packets are sent by taking different measures for different
types of packets. It involves the following situations:
 In the inbound direction of a switch interface, for example, in the inbound direction of GE0/0/1 on SW1, traffic
suppression can be used to limit the rate at which any packet is sent.
 In the outbound direction of a switch interface, for example, in the outbound direction of GE0/0/1 on SW1,
traffic suppression can be used to block broadcast, unknown multicast, and unknown unicast packets.
 In the VLAN view of the switch, configure traffic suppression in a VLAN to limit the number of broadcast
packets in the VLAN.

[Figure: Layer 2 network - GE0/0/1 on SW1 - Router - Layer 3 network.]

• The threshold can be configured for incoming packets on interfaces. The system
discards the traffic exceeding the threshold and forwards the traffic within the
threshold. In this way, the system limits the traffic rate in an acceptable range.

• Note that traffic suppression can also block outgoing packets on interfaces.
• In storm control, rate thresholds are configured for incoming packets only on
interfaces. When the traffic exceeds the threshold, the system rejects the packets
of this particular type on the interface or shuts down the interface.
Traffic Suppression Configuration Commands
1. (Optional) Configure a traffic suppression mode.
[Huawei] suppression mode { by-packets | by-bits }
By default, the suppression mode is packets. In bits mode, traffic suppression is more fine-grained and accurate.
2. Configure traffic suppression.
[Huawei-GigabitEthernet0/0/1] { broadcast-suppression | multicast-suppression | unicast-suppression } { percent-value | cir cir-value [ cbs cbs-value ] | packets packets-per-second }
The traffic suppression mode configured on an interface must be the same as the global traffic suppression mode.
3. Configure the interface to block outgoing broadcast, unknown multicast, or unknown unicast packets.
[Huawei-GigabitEthernet0/0/1] { broadcast-suppression | multicast-suppression | unicast-suppression } block outbound
4. Set the rate limit for broadcast packets in a VLAN.
[Huawei-vlan2] broadcast-suppression threshold-value
• Run the display flow-suppression interface interface-type interface-number command to check the traffic suppression
configuration.
• When traffic suppression is configured in both the interface view and VLAN view, the configuration in the interface view takes
precedence over the configuration in the VLAN view.
Example for Configuring Traffic Suppression
[Figure: Layer 2 network - GE0/0/1 Switch GE0/0/2 - Router - Layer 3 network.]
⚫ Requirements:
 Configure traffic suppression in the view of GE0/0/1 to limit the capability of forwarding broadcast, unknown multicast, and
unknown unicast packets on the Layer 2 network.
 Set the bandwidth percentage for broadcast packets to 60%.
 Set the bandwidth percentage for unknown multicast packets to 70%.
 Set the bandwidth percentage for unknown unicast packets to 80%.
⚫ Switch configuration:
[Switch] suppression mode by-packets
[Switch] interface GigabitEthernet 0/0/1
[Switch-GigabitEthernet0/0/1] unicast-suppression 80
[Switch-GigabitEthernet0/0/1] multicast-suppression 70
[Switch-GigabitEthernet0/0/1] broadcast-suppression 60
Verifying the Configuration
⚫ Run the display flow-suppression interface command to check the traffic suppression configuration.

[Switch]dis flow-suppression interface GigabitEthernet 0/0/1


storm type rate mode set rate value
-------------------------------------------------------------------------------
unknown-unicast percent percent: 80%
multicast percent percent: 70%
broadcast percent percent: 60%
-------------------------------------------------------------------------------

Overview of Storm Control
⚫ Issues on networks:
 In normal situations, when a Layer 2 Ethernet interface receives broadcast, unknown multicast, or unknown unicast packets, it
forwards the packets to other Layer 2 Ethernet interfaces in the same VLAN. As a result, traffic flooding occurs and the forwarding
performance of the device deteriorates.
⚫ Solution:
 Storm control blocks broadcast, unknown multicast, and unknown unicast packets by disabling related interfaces.
[Figure: SW1, SW2, SW3, and SW4 in VLAN 2 flooding broadcast, multicast, and unknown unicast packets.]
Working Mechanism of Storm Control
⚫ Storm control prevents broadcast storms caused by broadcast packets, unknown multicast packets, and unknown unicast packets.
Within the storm detection interval, the device compares the average rate of the three types of packets received on the monitoring
interface with the configured maximum threshold. When the packet rate reaches the threshold, the device configured with storm
control blocks packets on the interface or shuts down the interface according to the configured action.

[Figure: Switch1 connected to Switch2 and Switch3, threshold 80. Average rates received: broadcast 50, unknown multicast 80,
unknown unicast 120. Left: the Block action; right: the Error-down action.]

• The difference between traffic suppression and storm control is as follows: The
storm control function can take the punishment action (block or shutdown) for
an interface, whereas the traffic suppression function only limits the traffic on an
interface.
Application of Storm Control
⚫ Compared with traffic suppression, storm control monitors the average rates of broadcast packets, unknown
multicast packets, and unknown unicast packets on an interface, and then blocks packets on the interface or shuts
down the physical interface according to the threshold.
⚫ As shown in the figure, the switch is connected to a Layer 2 network and a router. To limit the rates of broadcast
packets, unknown multicast packets, and unknown unicast packets forwarded by the Layer 2 network, configure
storm control on the Layer 2 Ethernet interface GE0/0/1 of the switch.

[Figure: Layer 2 network - GE0/0/1 on the switch - Router - Layer 3 network.]
• In traffic suppression, rate thresholds are configured for incoming packets on interfaces. When the traffic exceeds the threshold,
the system discards excess traffic and allows the packets within the threshold to pass through. In this way, the traffic is limited
within a proper range. Note that traffic suppression can also block outgoing packets on interfaces.
• In storm control, rate thresholds are configured for incoming packets only on interfaces. When the traffic exceeds the threshold,
the system rejects the packets of this particular type on the interface or shuts down the interface.
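The difference between the two controls, as an added simulation for this page (not Huawei VRP code): traffic suppression discards only the excess of a packet type, while storm control averages the rate over the detection interval and blocks the type outright once max-rate is reached. The constructed trace, the 3-second interval and the rule that a blocked type recovers when its average rate falls below min-rate are assumptions; the 1000/2000 pps values are from the slides.

```python
"""Added example (not Huawei VRP code): the two inbound controls on these slides
run over a constructed per-second packet trace. Traffic suppression (by-packets
mode) discards, per type, the packets above the pps threshold and forwards the
rest. Storm control averages each type's rate over the storm detection interval
and, when the average reaches max-rate, blocks that type (or error-downs the
interface). Recovery of a blocked type once the average falls below min-rate is
an assumption made here; the page shows only the min-rate/max-rate syntax."""
TYPES = ("broadcast", "multicast", "unicast")   # (unknown) multicast/unicast


def traffic_suppression(trace, thresholds):
    """Apply per-type pps thresholds to a trace of {type: packets} per second;
    returns (forwarded, discarded), each a list of per-second dicts."""
    forwarded, discarded = [], []
    for sample in trace:
        fwd = {t: min(n, thresholds.get(t, n)) for t, n in sample.items()}
        forwarded.append(fwd)
        discarded.append({t: sample[t] - fwd[t] for t in sample})
    return forwarded, discarded


class StormControl:
    """storm-control { broadcast | multicast | unicast } min-rate M max-rate N,
    storm-control interval I and storm-control action { block | error-down }
    on one interface, with all three types sharing the same thresholds."""

    def __init__(self, min_rate, max_rate, interval=90, action="block"):
        self.min_rate, self.max_rate = min_rate, max_rate
        self.interval, self.action = interval, action
        self.buffer = []           # samples of the current detection interval
        self.blocked = set()       # packet types currently blocked
        self.error_down = False    # interface shut down (needs auto-recovery)
        self.traps = []            # (event, type, average rate)

    def step(self, sample):
        """Feed one second of {type: packets}; return what is forwarded."""
        forwarded = {t: 0 if self.error_down or t in self.blocked else n
                     for t, n in sample.items()}
        self.buffer.append(sample)
        if len(self.buffer) == self.interval:
            self._evaluate()
            self.buffer = []
        return forwarded

    def _evaluate(self):
        """Compare each type's average rate over the interval with the thresholds."""
        for t in TYPES:
            avg = sum(s.get(t, 0) for s in self.buffer) / len(self.buffer)
            punished = self.error_down or t in self.blocked
            if avg >= self.max_rate and not punished:
                if self.action == "error-down":
                    self.error_down = True       # the whole interface goes down
                else:
                    self.blocked.add(t)          # only this type is rejected
                self.traps.append(("storm", t, avg))
            elif avg < self.min_rate and t in self.blocked:
                self.blocked.discard(t)          # assumed recovery rule
                self.traps.append(("recover", t, avg))


def demo():
    """Run both controls on a constructed 10-second broadcast storm."""
    trace = ([{"broadcast": b, "multicast": 300, "unicast": 500}
              for b in (2500, 2600, 2400)]                # storm: avg 2500 pps
             + [{"broadcast": 1500, "multicast": 300, "unicast": 500}] * 3
             + [{"broadcast": 200, "multicast": 300, "unicast": 500}] * 4)
    # Traffic suppression: 1000 pps per type; excess is discarded, rest passes.
    fwd, drop = traffic_suppression(trace, {t: 1000 for t in TYPES})
    # Storm control with min-rate 1000 / max-rate 2000 (values from the page);
    # the interval is shortened to 3 seconds so the trace spans three intervals.
    sc = StormControl(min_rate=1000, max_rate=2000, interval=3)
    sc_fwd = [sc.step(sample) for sample in trace]
    return fwd, drop, sc_fwd, sc.traps
```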
Storm Control Configuration Commands
1. Configure storm control on an interface.
[Huawei-GigabitEthernet0/0/1] storm-control { broadcast | multicast | unicast } min-rate min-rate-value max-rate max-rate-value
Storm control is performed on broadcast packets, multicast packets, or unknown unicast packets on the interface.
2. Configure a storm control action.
[Huawei-GigabitEthernet0/0/1] storm-control action { block | error-down }
3. Set the storm detection interval.
[Huawei-GigabitEthernet0/0/1] storm-control interval interval-value
4. Enable automatic recovery of the interface status.
[Huawei-GigabitEthernet0/0/1] error-down auto-recovery cause storm-control interval interval-value
Enable the interface in Error-Down state to go Up and set the auto recovery delay.
5. (Optional) Add specified protocol packets to the traffic suppression and storm control whitelist.
[Huawei] storm-control whitelist protocol { arp-request | bpdu | dhcp | igmp | ospf }*
Example for Configuring Storm Control
[Figure: Layer 2 network - GE0/0/1 Switch - Router - Layer 3 network.]
⚫ Requirements
 The switch is required to prevent broadcast storms caused by broadcast packets, unknown multicast packets, and unknown unicast
packets forwarded on the Layer 2 network.
⚫ Configuration roadmap:
 Configure storm control on GE0/0/1 to prevent broadcast storms on the Layer 2 network.
⚫ Switch configuration:
[Switch] storm-control whitelist protocol arp-request
[Switch] interface gigabitethernet0/0/1
[Switch-GigabitEthernet0/0/1] storm-control broadcast min-rate 1000 max-rate 2000
[Switch-GigabitEthernet0/0/1] storm-control multicast min-rate 1000 max-rate 2000
[Switch-GigabitEthernet0/0/1] storm-control unicast min-rate 1000 max-rate 2000
[Switch-GigabitEthernet0/0/1] storm-control interval 90
[Switch-GigabitEthernet0/0/1] storm-control action block
[Switch-GigabitEthernet0/0/1] storm-control enable trap    # Enable the trap function for storm control.
Verifying the Configuration
⚫ Run the display storm-control interface command to check the storm control configuration on GE0/0/1.
[Switch]display storm-control interface GigabitEthernet 0/0/1


PortName Type Rate Mode Action Punish- Trap Log Int Last-
(Min/Max) Status Punish-Time
----------------------------------------------------------------------------------------------------------
GE0/0/1 Multicast 1000 Pps Block Normal On Off 90
/2000
GE0/0/1 Broadcast 1000 Pps Block Normal On Off 90
/2000
GE0/0/1 Unicast 1000 Pps Block Normal On Off 90
/2000

Working Mechanism of DHCP
⚫ No DHCP relay agent is deployed (DHCP client and DHCP server):
 1. Discovery stage: The DHCP client broadcasts a DHCP Discover message.
 2. Offer stage: The DHCP server unicasts or broadcasts a DHCP Offer message.
 3. Request stage: The DHCP client broadcasts a DHCP Request message.
 4. Acknowledgment stage: The DHCP server unicasts a DHCP ACK message.
⚫ A DHCP relay agent is deployed (DHCP client, DHCP relay agent, and DHCP server):
 1. Discovery stage: The DHCP client sends a DHCP Discover message, and the DHCP relay agent unicasts a DHCP Discover message
to the server.
 2. Offer stage: The DHCP server unicasts a DHCP Offer message, which the relay agent passes on to the client.
 3. Request stage: The DHCP client sends a DHCP Request message, and the DHCP relay agent unicasts a DHCP Request message to
the server.
 4. Acknowledgment stage: The DHCP server unicasts a DHCP ACK message, which the relay agent passes on to the client.

• No DHCP relay agent is deployed:


▫ In the discovery stage, the DHCP client broadcasts a DHCP Discover
message to discover DHCP servers. Information carried in a DHCP Discover
message includes the client's MAC address (Chaddr field), parameter
request list (Option 55), and broadcast flag (Flags field, determining
whether the response should be sent in unicast or broadcast mode).
▫ In the offer stage, a DHCP server selects an address pool on the same
network segment as the IP address of the interface receiving the DHCP
Discover message, and selects an idle IP address from the address pool. The
DHCP server then sends a DHCP Offer message carrying the allocated IP
address to the DHCP client.
▫ In the request stage, if multiple DHCP servers reply with a DHCP Offer
message to the DHCP client, the client accepts only the first received DHCP
Offer message. The client then broadcasts a DHCP Request message
carrying the selected DHCP server identifier (Option 54) and IP address
(Option 50, with the IP address specified in the Yiaddr field of the accepted
DHCP Offer message). The DHCP Request message is broadcast so as to
notify all the DHCP servers that the DHCP client has selected the IP address
offered by a DHCP server. Then the other servers can allocate IP addresses
to other clients.
▫ In the acknowledgement stage, after receiving the DHCP ACK message, the
DHCP client broadcasts a gratuitous ARP packet to check whether any
other terminal on the network segment uses the IP address allocated by the
DHCP server.
• A DHCP relay agent is deployed:
▫ After receiving the DHCP Discover message broadcast by the DHCP client, the DHCP relay agent checks the GIADDR field in the
message. If the field is 0, the relay agent fills in its own IP address; otherwise, the DHCP relay agent does not change the field
and proceeds to the next step. The GIADDR field indicates the gateway IP address. If the DHCP server and client are not on the
same network segment and multiple DHCP relay agents are deployed, the first DHCP relay agent fills its IP address in the GIADDR
field of the DHCP Request message sent by the client. Subsequent DHCP relay agents do not modify this field. The DHCP server
determines the network segment where the client resides based on the GIADDR field and assigns an IP address on this network
segment to the client.

▫ The DHCP relay agent changes the destination IP address of the DHCP
Discover message to the IP address of the DHCP server or the next-hop
DHCP relay agent, and changes the source IP address to the IP address of
the interface connecting the DHCP relay agent to the client. The message is
then unicast to the DHCP server or the next-hop DHCP relay agent.

• For details about DHCP, see HCIP-Datacom-Core Technology.


Overview of DHCP Snooping
⚫ DHCP snooping acts as a firewall between DHCP clients and the DHCP server to defend against DHCP attacks on the network,
ensuring security for communication services.
⚫ DHCP snooping ensures that DHCP clients obtain IP addresses only from authorized DHCP servers. A DHCP snooping-enabled device
also records the mappings between the IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.
⚫ Some attacks are launched based on DHCP. These attacks include the bogus DHCP server attack, DHCP server DoS attack, and bogus
DHCP message attack.
⚫ DHCP snooping uses the DHCP snooping trusted interface and DHCP snooping binding table to ensure DHCP network security.
DHCP Snooping Trust Function
⚫ The DHCP snooping trust function ensures that DHCP clients obtain IP addresses from authorized DHCP servers.
⚫ DHCP snooping involves two interface roles: trusted interface and untrusted interface.
 DHCP ACK messages, NAK messages, and Offer messages are received from the trusted interface.
 In addition, the device only forwards DHCP Request messages from DHCP clients to the authorized DHCP server through the trusted
interface.
 DHCP ACK messages, NAK messages, and Offer messages are discarded on untrusted interfaces.
[Figure: DHCP Client 1 and DHCP Client 2 connect to interfaces enabled with DHCP snooping; the authorized DHCP server is behind
the DHCP snooping trusted interface and an unauthorized DHCP server behind an untrusted interface. Legend: valid DHCP Offer,
ACK, and NAK messages; invalid DHCP Offer, ACK, and NAK messages; Request message from the DHCP client.]

• After the dhcp snooping enable command is run on an interface, the interface
forwards received DHCP Request messages to all trusted interfaces and discards
received DHCP Reply messages.

• After an interface on which the dhcp snooping trusted command is run receives a
DHCP Request message, it forwards the message to all other trusted interfaces. If
there are no other trusted interfaces, it discards the message. After receiving a
DHCP Reply message, it forwards the message only to the interfaces that are
connected to clients and have the dhcp snooping enable command configured. If
such interfaces cannot be found, it discards the DHCP Reply message.
DHCP Snooping Binding Table
⚫ The Layer 2 access device enabled with DHCP snooping obtains required information, such as the PC's MAC address, IP address, and address lease, from the DHCP ACK messages, learns information (interface number and VLAN ID) about the DHCP snooping-enabled interface connected to the PC, and generates a DHCP snooping binding entry for the PC.
 The DHCP snooping binding table records the mapping between IP addresses and MAC addresses of DHCP clients. The device can check DHCP messages against the DHCP snooping binding table to prevent attacks initiated by unauthorized users.
[Figure: DHCP Client 1 (192.168.1.98/24, MAC-1) connects to GE0/0/1 and DHCP Client 2 (192.168.1.99/24, MAC-2) connects to GE0/0/2 of the switch; the DHCP server is reached through GE0/0/3. The switch learns the following entries from the DHCP ACK messages.]

IP            MAC    VLAN  Interface  Lease
192.168.1.98  MAC-1  1     GE0/0/1    1
192.168.1.99  MAC-2  1     GE0/0/2    1

• DHCP snooping binding entries are aged out when the DHCP lease expires, or the entries are deleted when users send DHCP Release messages to release IP addresses.
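The trust function and the binding table described on the two slides above, as an added example that is not Huawei VRP code or the device's implementation: a small Python model of a snooping switch that discards Offer, ACK and NAK messages arriving on untrusted interfaces, forwards client messages only toward trusted interfaces, learns a binding entry from each ACK, deletes the entry on Release and ages it out when the lease expires. Interface names, MAC addresses, lease values and the way the model remembers a client's port and VLAN from its Request are assumptions made for the illustration.

```python
"""Added example (not Huawei VRP code): a model of the DHCP snooping trust
function and binding table. Interface names, MAC addresses and times are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # legitimate only when they arrive on a trusted interface


@dataclass(frozen=True)
class DhcpMessage:
    kind: str          # DISCOVER, REQUEST, RELEASE, OFFER, ACK or NAK
    chaddr: str        # client hardware address carried in the DHCP payload
    yiaddr: str = ""   # address assigned by the server (ACK only)
    lease: int = 0     # lease time in seconds (ACK only)


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    expires_at: int    # absolute time at which the lease ends


@dataclass
class SnoopingSwitch:
    trusted: Set[str]                    # interfaces with "dhcp snooping trusted"
    snooping: Set[str]                   # interfaces with "dhcp snooping enable"
    vlan_of: Dict[str, int]              # access VLAN of each interface (constructed)
    bindings: Dict[str, Binding] = field(default_factory=dict)          # keyed by client IP
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # chaddr -> (iface, vlan)

    def receive(self, iface: str, msg: DhcpMessage, now: int) -> Tuple[str, List[str]]:
        """Apply the trust rules to one message. Returns (action, egress interfaces)."""
        self.age_out(now)
        if msg.kind in SERVER_MSGS:
            if iface not in self.trusted:
                return "discard", []             # Offer/ACK/NAK from an untrusted port
            if msg.kind == "ACK":
                self._learn(msg, now)
            targets = sorted(self.snooping - self.trusted)   # client-facing ports only
        else:
            if msg.kind == "REQUEST":
                # Remember where the client sits so the ACK can be bound to its port/VLAN
                # (assumption of this model, not a documented device behaviour).
                self.pending[msg.chaddr] = (iface, self.vlan_of[iface])
            elif msg.kind == "RELEASE":
                self.bindings = {ip: b for ip, b in self.bindings.items() if b.mac != msg.chaddr}
            targets = sorted(self.trusted - {iface})         # client messages go to the server side
        return ("forward", targets) if targets else ("discard", [])

    def _learn(self, msg: DhcpMessage, now: int) -> None:
        origin = self.pending.pop(msg.chaddr, None)
        if origin is None:
            return                     # no Request seen for this client; nothing to bind
        iface, vlan = origin
        self.bindings[msg.yiaddr] = Binding(msg.yiaddr, msg.chaddr, vlan, iface, now + msg.lease)

    def age_out(self, now: int) -> None:
        """Remove entries whose lease has expired."""
        self.bindings = {ip: b for ip, b in self.bindings.items() if b.expires_at > now}


def demo() -> dict:
    sw = SnoopingSwitch(trusted={"GE0/0/3"},
                        snooping={"GE0/0/1", "GE0/0/2", "GE0/0/3"},
                        vlan_of={"GE0/0/1": 1, "GE0/0/2": 1, "GE0/0/3": 1})
    out = {}
    # A rogue server answering on a client port is dropped.
    out["rogue_offer"] = sw.receive("GE0/0/2", DhcpMessage("OFFER", "MAC-1", "10.9.9.9"), now=0)
    # Client 1 requests; the Request is forwarded only toward the trusted interface.
    out["client1_request"] = sw.receive("GE0/0/1", DhcpMessage("REQUEST", "MAC-1"), now=1)
    # The authorized server's ACK arrives on GE0/0/3 and creates a binding entry.
    out["ack1"] = sw.receive("GE0/0/3", DhcpMessage("ACK", "MAC-1", "192.168.1.98", lease=3600), now=2)
    sw.receive("GE0/0/2", DhcpMessage("REQUEST", "MAC-2"), now=3)
    sw.receive("GE0/0/3", DhcpMessage("ACK", "MAC-2", "192.168.1.99", lease=3600), now=4)
    out["after_acks"] = {ip: (b.mac, b.vlan, b.interface) for ip, b in sw.bindings.items()}
    # Client 2 releases its address: the entry is deleted immediately.
    sw.receive("GE0/0/2", DhcpMessage("RELEASE", "MAC-2"), now=5)
    out["after_release"] = sorted(sw.bindings)
    # Client 1's lease expires: the entry is aged out.
    sw.age_out(now=4000)
    out["after_aging"] = sorted(sw.bindings)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

Running the module prints each step; the point to notice is that the ACK is forwarded only to the client-facing snooping interfaces, never back out of the trusted interface, and that the binding table only ever contains addresses that the authorized server actually assigned.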
DHCP Starvation Attacks
⚫ An attacker continuously applies to the DHCP server for a large number of IP addresses until the IP addresses in the address pool of the DHCP server are exhausted. As a result, the DHCP server cannot allocate IP addresses to authorized users.
 Vulnerability analysis: When the DHCP server allocates IP addresses to clients, it cannot distinguish authorized and unauthorized users.
[Figure: an attacker and an authorized DHCP client connect to a switch, which connects to the DHCP server. An attacker keeps sending bogus DHCP Discover messages with different source MAC addresses to apply for IP addresses from the DHCP server, while an authorized client requests an IP address from the DHCP server. The DHCP server allocates IP addresses to clients based on the CHADDR field in DHCP Request messages. In this situation, the IP addresses requested by the attacker are exhausted. When the authorized client requests an IP address, no IP address is available.]
Attacker:     Source Mac = Mac-B, DHCP REQUEST CHADDR = B  ->  DHCP ACK CHADDR = B, IP Address 10.1.1.1
Attacker:     Source Mac = Mac-C, DHCP REQUEST CHADDR = C  ->  DHCP ACK CHADDR = C, IP Address 10.1.1.2
Attacker:     Source Mac = Mac-D, DHCP REQUEST CHADDR = D  ->  DHCP ACK CHADDR = D, IP Address 10.1.1.3
DHCP client:  Source Mac = Mac-A, DHCP REQUEST CHADDR = A  ->  DHCP NAK CHADDR = A, IP Address 0.0.0.0
Defense Against DHCP Starvation Attacks
⚫ Solution: Configure MAC address limiting of DHCP snooping to prevent starvation attacks. This function limits the maximum number of MAC addresses that can be learned on an interface of a switch to prevent a large number of DHCP Request messages with variable MAC addresses from being sent.
[Figure: the attacker keeps sending bogus DHCP Request messages with different source MAC addresses to apply for IP addresses from the DHCP server (Source Mac = Mac-B, Mac-C, Mac-D with DHCP REQUEST CHADDR = B, C, D), while an authorized client requests an IP address from the DHCP server (Source Mac = Mac-A, DHCP REQUEST CHADDR = A). The device enabled with DHCP snooping limits the number of MAC addresses learned on an interface to prevent bogus DHCP packets from being used to request IP addresses.]
DoS Attacks by Changing the CHADDR Field
⚫ An attacker continuously applies to the DHCP server for a large number of IP addresses until the IP addresses in the address pool of the DHCP server are exhausted. As a result, the DHCP server cannot allocate IP addresses to authorized users.
 Vulnerability analysis: When the DHCP server allocates IP addresses to clients, it cannot distinguish authorized and unauthorized users.
[Figure: an attacker and an authorized DHCP client connect to a switch, which connects to the DHCP server. An attacker keeps forging DHCP Request messages with different CHADDR values to apply for IP addresses from the DHCP server, while an authorized client requests an IP address from the DHCP server. The DHCP server allocates IP addresses to clients based on the CHADDR field in DHCP Request messages. In this situation, the IP addresses requested by the attacker are exhausted. When the authorized client requests an IP address, no IP address is available.]
Attacker:     Source Mac = Mac-B, DHCP REQUEST CHADDR = B  ->  DHCP ACK CHADDR = B, IP Address 10.1.1.1
Attacker:     Source Mac = Mac-B, DHCP REQUEST CHADDR = C  ->  DHCP ACK CHADDR = C, IP Address 10.1.1.2
Attacker:     Source Mac = Mac-B, DHCP REQUEST CHADDR = D  ->  DHCP ACK CHADDR = D, IP Address 10.1.1.3
DHCP client:  Source Mac = Mac-A, DHCP REQUEST CHADDR = A  ->  DHCP NAK CHADDR = A, IP Address 0.0.0.0

• In a DHCP starvation attack, an attacker continuously applies for a large number of IP addresses from the DHCP server to exhaust IP addresses in the address pool of the DHCP server. As a result, the DHCP server cannot allocate IP addresses to authorized users. The DHCP message contains the Client Hardware Address (CHADDR) field. This field is filled in by a DHCP client, indicating the hardware address of the client, that is, the MAC address of the client. The DHCP server assigns IP addresses based on the CHADDR field, and assigns different IP addresses if values of the CHADDR field are different. The DHCP server cannot tell whether a CHADDR value is valid. By exploiting this vulnerability, an attacker fills a different value in the CHADDR field of a DHCP message each time the attacker applies for an IP address. In this way, the attacker forges different users to request IP addresses.
Defense Against DHCP DoS Attacks Initiated by Changing the CHADDR Field
 Solution: To prevent an attack from changing the CHADDR field, you can enable the DHCP snooping function to check the CHADDR field in DHCP Request messages. If the CHADDR field matches the source MAC address in the data frame header, the device forwards the DHCP Request message. If the CHADDR field does not match the source MAC address in the data frame header, the device discards the DHCP Request message. This ensures that authorized users can access network services.
[Figure: the attacker keeps sending bogus DHCP Discover messages with different CHADDR values (Source Mac = Mac-E with DHCP REQUEST CHADDR = B, C, D) to apply for IP addresses from the DHCP server, while an authorized client requests an IP address from the DHCP server (Source Mac = Mac-A, DHCP REQUEST CHADDR = A). The device checks whether the source MAC address in the DHCP Request message is the same as the CHADDR value. If so, the device forwards the message, so the authorized client's Request reaches the DHCP server. If not, the device discards the message.]

• To prevent starvation attacks, DHCP snooping checks whether the source MAC address of a DHCP Request message is the same as the CHADDR value on an interface. If they are the same, the interface forwards the DHCP Request message. If they are different, the interface discards the message. To check the consistency between the source MAC address and the CHADDR field on an interface, run the dhcp snooping check dhcp-chaddr enable command on the interface.
• An attacker may continuously change both the MAC address and the CHADDR value simultaneously, using the same CHADDR value as the MAC address each time. In this way, the consistency check between the source MAC address and the CHADDR field can be evaded.
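The two interface-level checks described on the previous slides, the CHADDR/source-MAC consistency check and the MAC address limit used against starvation, as an added example that is not Huawei VRP code: a Python model of both checks on one interface, showing why they are complementary. The first attack pattern (one source MAC, varying CHADDR) is stopped by the consistency check; the second pattern from the note above (source MAC and CHADDR changed together) passes that check and is stopped only by the learned-MAC limit. The MAC addresses, the limit value and the way the limit is tracked per interface are constructed for the illustration.

```python
"""Added example (not Huawei VRP code): CHADDR/source-MAC consistency check and a
per-interface learned-MAC limit applied to DHCP Request messages. MAC addresses
and the limit value are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str     # source MAC address in the Ethernet header
    chaddr: str      # CHADDR field in the DHCP Request payload


@dataclass
class DhcpRequestGuard:
    check_chaddr: bool = True    # models "dhcp snooping check dhcp-chaddr enable"
    mac_limit: int = 2           # max MAC addresses learned per interface (constructed value)
    learned: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

    def inspect(self, iface: str, frame: Frame) -> Tuple[str, str]:
        """Return (action, reason) for one DHCP Request received on iface."""
        if self.check_chaddr and frame.chaddr.lower() != frame.src_mac.lower():
            return "discard", "chaddr-mismatch"       # CHADDR forged independently of the frame
        macs = self.learned[iface]
        if frame.src_mac not in macs:
            if len(macs) >= self.mac_limit:
                return "discard", "mac-limit"         # too many distinct sources on one port
            macs.add(frame.src_mac)
        return "forward", "ok"


def run_scenarios() -> Dict[str, object]:
    guard = DhcpRequestGuard(mac_limit=2)
    results: Dict[str, object] = {}
    # Scenario 1: fixed source MAC, varying CHADDR (the attack on the previous slide).
    results["varying_chaddr"] = [guard.inspect("GE0/0/2", Frame("Mac-E", c)) for c in ("B", "C", "D")]
    # Scenario 2: source MAC and CHADDR changed together, so the consistency check
    # passes; the learned-MAC limit on the port is what stops the third request.
    results["both_changed"] = [guard.inspect("GE0/0/2", Frame(m, m)) for m in ("Mac-B", "Mac-C", "Mac-D")]
    # An authorized client on its own port is unaffected by either check ...
    results["client"] = guard.inspect("GE0/0/1", Frame("Mac-A", "Mac-A"))
    # ... and renewing later still fits within the limit, as its MAC is already learned.
    results["client_again"] = guard.inspect("GE0/0/1", Frame("Mac-A", "Mac-A"))
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(scenario, outcome)
```

The limit value has to be sized for the real number of hosts behind a port (a hub or an unmanaged switch downstream legitimately presents several MAC addresses), which is why the consistency check is worth enabling as well rather than relying on the limit alone.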
Man-in-the-Middle Attacks
⚫ An attacker uses the ARP mechanism to enable a client to learn the mapping between the DHCP server's IP address and attacker's MAC address, and enable the server to learn the mapping between the client's IP address and attacker's MAC address. In this way, all IP packets exchanged between the client and server traverse the attacker's device.
 Vulnerability analysis: The man-in-the-middle attack is a spoofing IP/MAC attack. This attack uses the mapping between the forged IP address and MAC address to deceive the DHCP client and server.
[Figure: DHCP client PC1 (MAC1 IP1) and the DHCP server (Mac-S IP-S) connect to a switch; the attacker PC2 (MAC2 IP2) is also connected to the switch. Legend: direction of the IP packet sent from the server to PC1; direction of the IP packet sent from PC1 to the server. A man-in-the-middle sends a packet with its own MAC address and the DHCP server's IP address to a DHCP client. The DHCP client learns the MAC address of the man-in-the-middle and DHCP server's IP address, and considers the man-in-the-middle as the DHCP server. The man-in-the-middle acts as a forged client, sending packets that carry its MAC address and client's IP address to the server. As a result, the server also learns the MAC address and IP address of the man-in-the-middle.]

• As shown in the figure, the attacker uses the ARP mechanism to enable PC1 to
learn the mapping between IP-S and MAC2 and enable the server to learn the
mapping between IP1 and MAC2. When PC1 sends an IP packet to the DHCP
server, the destination IP address is IP-S and the source IP address is IP1. The
destination MAC address of the frame in which the IP packet is encapsulated is
MAC2 and the source MAC address is MAC1, so the frame reaches PC2 first. After
receiving the frame, the attacker changes the destination MAC address to MAC-S
and the source MAC address to MAC2, and then sends the frame to the server.
When the DHCP server sends an IP packet to PC1, the destination IP address is
IP1 and the source IP address is IP-S. The destination MAC address of the frame
in which the IP packet is encapsulated is MAC2 and the source MAC address is
MAC-S, so the frame reaches PC2 first. After receiving the frame, the attacker
changes the destination MAC address to MAC1 and the source MAC address to
MAC2, and then sends the frame to PC1.
• The IP packets transmitted between PC1 and the DHCP server traverse the attacker's device (man-in-the-middle). Therefore, the attacker can easily obtain information from the IP packets and use it to carry out further attacks. The attacker can also easily tamper with the DHCP messages transmitted between PC1 and the DHCP server. These messages are encapsulated in UDP packets, and UDP packets are encapsulated in IP packets. In this way, the attacker can directly attack the DHCP server.
Defense Against DHCP Man-in-the-Middle Attacks
⚫ Solution: To defend against man-in-the-middle attacks and IP/MAC spoofing attacks, configure the DHCP snooping binding table. When an interface receives an ARP or IP packet, the interface matches the source IP address and source MAC address in the ARP or IP packet against the DHCP snooping binding table. Packets that match entries are forwarded, whereas packets that do not match entries are discarded.
[Figure: PC1 (MAC1 IP1, DHCP client) and the DHCP server (MAC-S IP-S) connect to a switch; the attacker PC2 (MAC2 IP2) sends ARP Request packets claiming IP-S with MAC2 and IP-C with MAC2. The device checks the source IP address and source MAC address in the ARP Request packet and finds that the IP-MAC mapping does not match any entry in the DHCP snooping binding table. Therefore, the device discards the ARP Request packet.]

IP   MAC   VLAN  Interface  Lease
IP1  MAC1  -     -          -
IP2  MAC2  -     -          -

• A DHCP man-in-the-middle attack is a spoofing IP/MAC attack. Preventing DHCP man-in-the-middle attacks is equivalent to preventing spoofing IP/MAC attacks.
• The switch running DHCP snooping listens to DHCP messages exchanged between the client and the DHCP server, and obtains the MAC address of the client from the DHCP messages. The MAC address (value of the CHADDR field in the DHCP messages), client's IP address (IP address allocated by the DHCP server to the corresponding CHADDR), and other information are stored in a database, which is also called the DHCP snooping binding table. The switch running DHCP snooping creates and dynamically maintains the DHCP snooping binding table. The binding table contains the MAC address, IP address, IP address lease, and VLAN ID of each client.
• As shown in the figure, if the DHCP server assigns IP address IP1 to PC1 and IP address IP2 to PC2, IP1 is bound to MAC1 and IP2 is bound to MAC2. These bindings are stored in the DHCP snooping binding table. To enable the server to learn the mapping between IP1 and MAC2, the attacker sends an ARP Request packet in which the source IP address is set to IP1 and the source MAC address is set to MAC2. After receiving the ARP Request packet, the switch checks the source IP address and source MAC address in the packet and finds that the IP-MAC (IP1-MAC2) mapping does not match any entry in the DHCP snooping binding table. Therefore, the switch discards the ARP Request packet, which effectively prevents spoofing IP/MAC attacks.
• To prevent IP/MAC spoofing attacks, run the arp dhcp-snooping-detect enable command in the system view of the switch.
DHCP Snooping Configuration Commands (1)
1. Enable DHCP snooping globally.
[Huawei] dhcp snooping enable [ ipv4 | ipv6 ]
2. Enable DHCP snooping in the VLAN view.
[Huawei-vlan2] dhcp snooping enable
If you run this command in the VLAN view, the command takes effect for all DHCP messages in a specified VLAN received by all the interfaces on the device.
3. Configure an interface as the trusted interface in the VLAN view.
[Huawei-vlan2] dhcp snooping trusted interface interface-type interface-number
If you run this command in the VLAN view, the command takes effect only for the DHCP messages received by the interface in the VLAN that the interface belongs to.
DHCP Snooping Configuration Commands (2)
4. Enable DHCP snooping in the interface view.
[Huawei-GigabitEthernet0/0/1] dhcp snooping enable
5. Configure an interface as the trusted interface in the interface view.
[Huawei-GigabitEthernet0/0/1] dhcp snooping trusted
By default, all interfaces are untrusted interfaces.
6. (Optional) Configure the device to discard DHCP Request messages with a non-zero GIADDR field.
[Huawei] dhcp snooping check dhcp-giaddr enable vlan { vlan-id1 [ to vlan-id2 ] }
Enable the device to check whether the GIADDR field in a DHCP Request message is 0. This command can be run in both the VLAN view and interface view. If you run this command in the VLAN view, the command configuration takes effect for the DHCP messages received by all interfaces on the device from the specified VLAN. If you run this command in the interface view, the command configuration takes effect for all DHCP messages on the specified interface.
Examples for Configuring DHCP Snooping
⚫ As shown in the figure, basic DHCP and VLAN configurations are complete, and DHCP snooping is configured on the switch.
[Figure: DHCP client 1 (VLAN 2) connects to GE0/0/1 and DHCP client 2 (VLAN 2) connects to GE0/0/2 of the switch; the DHCP server connects to GE0/0/3.]
Method 1: Interface view
[Switch] dhcp snooping enable ipv4
[Switch] interface GigabitEthernet 0/0/1
[Switch-GigabitEthernet0/0/1] dhcp snooping enable
[Switch] interface GigabitEthernet 0/0/2
[Switch-GigabitEthernet0/0/2] dhcp snooping enable
[Switch] interface GigabitEthernet 0/0/3
[Switch-GigabitEthernet0/0/3] dhcp snooping enable
[Switch-GigabitEthernet0/0/3] dhcp snooping trusted
Method 2: VLAN view
[Switch] dhcp snooping enable ipv4
[Switch] vlan 2
[Switch-vlan2] dhcp snooping enable
[Switch] interface GigabitEthernet 0/0/3
[Switch-GigabitEthernet0/0/3] dhcp snooping trusted
Verifying the Configuration
⚫ Run the display dhcp snooping interface command to check DHCP snooping information on an interface.
[Switch]display dhcp snooping interface GigabitEthernet 0/0/3
DHCP snooping running information for interface GigabitEthernet0/0/3 :
DHCP snooping : Enable
Trusted interface : Yes
Dhcp user max number : 1024 (default)
Current dhcp user number :0
Check dhcp-giaddr : Disable (default)
Check dhcp-chaddr : Disable (default)
Alarm dhcp-chaddr : Disable (default)
Check dhcp-request : Disable (default)
Alarm dhcp-request : Disable (default)
----- more ------
Contents
1. Ethernet Switching Security
▫ Port Isolation
▫ MAC Address Table Security
▫ Port Security
▫ MAC Address Flapping Prevention and Detection
▫ MACsec
▫ Traffic Control
▫ DHCP Snooping
◼ IP Source Guard
2. Advanced Firewall Features
Overview of IPSG
⚫ Some attackers forge IP addresses of authorized users to obtain network access rights and access networks. As a result, authorized users are unable to access networks or sensitive information may be intercepted. IP source guard (IPSG) provides a mechanism to effectively defend against IP address spoofing attacks.
⚫ IPSG is a Layer 2 interface-based source IP address filtering technology. It prevents unauthorized hosts from using IP addresses of authorized hosts or specified IP addresses to access or attack a network.
[Figure: authorized host 1 (IP: 10.1.1.1), authorized host 2 (IP: 10.1.1.2), and an unauthorized host (IP: 10.1.1.10) connect to a switch, which connects to the Internet through a router. Requirement: only hosts at 10.1.1.1 and 10.1.1.2 are allowed to access the Internet. Authorized hosts 1 and 2 can access the Internet, but they are shut down. The IP address of the unauthorized host is 10.1.1.10, and the host cannot access the Internet. After the IP address is changed to 10.1.1.1, the host can access the Internet. Configure IPSG on the user-side interface or VLAN of the switch.]

• If the unauthorized host forges the IP address of an authorized host to obtain network access rights, configure IPSG on the switch's user-side interface or VLAN. The switch then checks the IP packets received by the interface and discards the packets from unauthorized hosts to prevent IP address spoofing attacks.
• Generally, IPSG is configured on the interfaces or VLANs of the access device connected to users.
Working Mechanism of IPSG
⚫ IPSG checks IP packets on Layer 2 interfaces against a binding table that contains the bindings of source IP addresses, source MAC addresses, VLAN IDs, and inbound interfaces. Only packets that match the binding table are forwarded, and packets that do not match the binding table are discarded. Binding tables include static and dynamic DHCP snooping binding tables.
[Figure: the authorized host (IP: 10.1.1.1, MAC: 5489-98C2-1486, VLAN 1) connects to the IPSG-enabled interface GE0/0/1 and the unauthorized host (IP: 10.1.1.10, MAC: 5489-98AB-22A7, VLAN 1) connects to GE0/0/2 of the switch; GE0/0/3 connects to the router and the Internet. Requirement: only the host at 10.1.1.1 is allowed to access the Internet. Data packets from the authorized host are permitted because they match the binding table. The unauthorized host forges the IP address of the authorized host (data packets with SIP: 10.1.1.1); these packets are discarded because they do not match the binding table.]

Switch binding table:
IP         MAC             VLAN  Interface
10.1.1.1   5489-98C2-1486  1     GE0/0/1
10.1.1.10  5489-98AB-22A7  1     GE0/0/2

• After the binding table is generated, the IPSG-enabled device delivers ACL rules
to the specified interface or VLAN according to the binding table, and then
checks all IP packets against the ACL rules. The switch forwards the packets from
hosts only when the packets match binding entries, and discards the packets that
do not match binding entries. When the binding table is modified, the IPSG-
enabled device delivers the ACL rules again.
• By default, if IPSG is enabled in the scenario where no binding table is generated,
the switch rejects all IP packets except DHCP Request messages.
• A static binding entry contains the MAC address, IP address, VLAN ID, and
inbound interface. IPSG checks received packets against all options in a static
binding entry.
• A dynamic binding entry contains the MAC address, IP address, VLAN ID, and
inbound interface. You can specify the options to be checked, and IPSG filters the
packets received by interfaces according to the specified options. By default, the
IPSG-enabled device checks packets against all the four options.
▫ Common check items:
▪ Source IP address
▪ Source MAC address
▪ Source IP address + Source MAC address
▪ Source IP address + Source MAC address + Interface
▪ Source IP address + Source MAC address + Interface + VLAN
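The binding-table match that both the DHCP snooping man-in-the-middle defense (ARP checking) and IPSG (IP packet checking) perform, as an added example that is not Huawei VRP code: a Python function that forwards a packet only when some binding entry matches on every selected check item, generalized to the check-item combinations listed above rather than only the full four-option check. The entries are the values from the slide; the packets, the "DHCP-REQUEST" pass-through, the `ARP` and `IP` protocol labels and the treatment of entries without a VLAN or interface (matching any) are assumptions made for the illustration.

```python
"""Added example (not Huawei VRP code): matching ARP/IP packets against a binding
table with selectable check items, as the DHCP snooping MITM defense and IPSG do.
Packets and protocol labels are constructed; table values come from the slide."""
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: Optional[int] = None        # None: not recorded, so this item matches anything
    interface: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    proto: str         # "IP", "ARP" or "DHCP-REQUEST" (labels chosen for this model)
    src_ip: str
    src_mac: str
    vlan: int
    interface: str     # inbound interface


ALL_ITEMS: Tuple[str, ...] = ("ip", "mac", "interface", "vlan")   # default: check all four


def _entry_matches(e: Binding, p: Packet, items: Sequence[str]) -> bool:
    checks = {
        "ip": e.ip == p.src_ip,
        "mac": e.mac.lower() == p.src_mac.lower(),
        "interface": e.interface is None or e.interface == p.interface,
        "vlan": e.vlan is None or e.vlan == p.vlan,
    }
    return all(checks[i] for i in items)


def source_guard(p: Packet, table: Iterable[Binding], items: Sequence[str] = ALL_ITEMS) -> str:
    """Forward only if some binding entry matches on every selected item.
    DHCP Request messages pass so that clients can still obtain an address
    (the slide's note: with an empty table, everything but DHCP Request is rejected)."""
    if p.proto == "DHCP-REQUEST":
        return "forward"
    return "forward" if any(_entry_matches(e, p, items) for e in table) else "discard"


def demo() -> dict:
    table = [Binding("10.1.1.1", "5489-98C2-1486", 1, "GE0/0/1"),
             Binding("10.1.1.10", "5489-98AB-22A7", 1, "GE0/0/2")]
    auth = Packet("IP", "10.1.1.1", "5489-98C2-1486", 1, "GE0/0/1")
    # Unauthorized host keeps its own MAC but forges the authorized host's IP.
    spoof_ip = Packet("IP", "10.1.1.1", "5489-98AB-22A7", 1, "GE0/0/2")
    # Unauthorized host forges both IP and MAC; only the interface item catches it.
    spoof_ip_mac = Packet("IP", "10.1.1.1", "5489-98C2-1486", 1, "GE0/0/2")
    # ARP Request claiming the authorized IP with the attacker's MAC (MITM preparation).
    arp_mitm = Packet("ARP", "10.1.1.1", "5489-98AB-22A7", 1, "GE0/0/2")
    dhcp_req = Packet("DHCP-REQUEST", "0.0.0.0", "5489-98C2-1486", 1, "GE0/0/1")
    return {
        "authorized": source_guard(auth, table),
        "spoofed_ip": source_guard(spoof_ip, table),
        "spoofed_ip_mac_all_items": source_guard(spoof_ip_mac, table),
        "spoofed_ip_mac_ip_mac_only": source_guard(spoof_ip_mac, table, ("ip", "mac")),
        "arp_mitm": source_guard(arp_mitm, table),
        "empty_table_ip": source_guard(auth, []),
        "empty_table_dhcp": source_guard(dhcp_req, []),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The `spoofed_ip_mac_*` pair is the reason to keep the default four-item check where the cabling allows it: a host that copies both the IP and MAC address of an authorized host is indistinguishable from it on IP+MAC alone and is caught only because it is plugged into a different interface.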
Application of IPSG
⚫ IPSG prevents PCs from changing their own IP addresses.
 PCs can only use the IP addresses allocated by the DHCP server or static IP addresses configured by an administrator to access the network. If a PC changes its IP address without permission, the PC cannot access the network. This prevents PCs from obtaining network rights without permission.
⚫ If IP addresses on a small-scale network are statically allocated, IPSG can be used to prevent unauthorized PCs from accessing the network.
 Users cannot access the intranet with their own computers. This prevents intranet resource leaks.
[Figure: PC1 to PC6 connect to IPSG-enabled interfaces of an access switch, whose trusted interface connects toward the Internet.]
IPSG Configuration Commands
1. Configure a static binding table.
[Huawei] user-bind static { { { ip-address | ipv6-address } { start-ip [ to end-ip ] } &<1-10> | ipv6-prefix prefix/prefix-length } | mac-address mac-address } * [ interface interface-type interface-number ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]
The IPSG-enabled device matches packets against the static binding table.
2. Enable IPSG.
[Huawei-GigabitEthernet0/0/1] ip source check user-bind enable
The configuration of IP packet check in the VLAN view is the same as that in the interface view.
3. Enable the alarm function of IP packet check.
[Huawei-GigabitEthernet0/0/1] ip source check user-bind alarm enable
4. Set the alarm threshold for IP packet check.
[Huawei-GigabitEthernet0/0/1] ip source check user-bind alarm threshold threshold
After this alarm function is configured, the switch generates an alarm if the number of discarded IP packets exceeds the threshold.
Example for Configuring IPSG
⚫ As shown in the figure, PCs are configured with static IP addresses for unified management. IPSG is configured on the access switch to prevent hosts from changing their own IP addresses to access the network.
 Configure a static binding table.
 Enable IPSG and configure the alarm function.
[Figure: PC1 (IP: 10.1.1.1/24, MAC: 5489-98C2-1486) connects to GE0/0/1 and PC2 (IP: 10.1.1.10/24, MAC: 5489-98AB-22A7) connects to GE0/0/2 of Switch1; GE0/0/3 of Switch1 connects to Switch2, which connects to the Internet.]
Switch1 configuration:
# Configure a static binding table on the access switch.
[Switch1] user-bind static ip-address 10.1.1.1 mac-address 5489-98C2-1486
[Switch1] user-bind static ip-address 10.1.1.10 mac-address 5489-98AB-22A7
# Enable IPSG and configure the alarm function of IP packet check on GE0/0/1.
[Switch1] interface GigabitEthernet 0/0/1
[Switch1-GigabitEthernet0/0/1] ip source check user-bind enable
[Switch1-GigabitEthernet0/0/1] ip source check user-bind alarm enable
[Switch1-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 100
# The configuration of GE0/0/2 is similar to that of GE0/0/1.
Verifying the Configuration
⚫ Run the display dhcp static user-bind all command on the switch to check the static binding table.
⚫ PC1 and PC2 can access the Internet using statically configured IP addresses, and cannot access the Internet after changing their IP addresses.
[Switch1] display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P) Interface
-------------------------------------------------------------------------------------------------
10.1.1.1 5489-98C2-1486 -- /-- /-- --
10.1.1.10 5489-98AB-22A7 -- /-- /-- --
-------------------------------------------------------------------------------------------------
Print count: 2 Total count: 2
Contents
1. Ethernet Switching Security
2. Advanced Firewall Features
◼ Hot Standby
▫ Virtual System
Problems Facing the Deployment of Firewalls in Hot Standby Mode
[Figure, left: FW1 and FW2 sit between the external network and the intranet, with VRRP VRID100 (10.1.1.1) on the upstream side and VRRP VRID1 (192.168.1.1) on the downstream side. Figure, right: FW1 is Standby and FW2 is Active in the upstream VRRP group, while FW1 is Active and FW2 is Standby in the downstream VRRP group.]
• The two firewalls run independently and need to be configured and maintained separately.
• Multiple Virtual Router Redundancy Protocol (VRRP) groups are independent of each other.
• When the VRRP group status is inconsistent, the forward and reverse paths of traffic may be inconsistent. As a result, the return traffic is discarded.
• No matching session entry is found, and the return packets are discarded.

• With the rapid development of services such as mobile office, online shopping,
instant messaging, Internet finance, and Internet education, the network needs to
carry a growing number of services and the services carried are more and more
important. As such, uninterrupted transmission of service data urgently needs to
be fulfilled in the network development process.

• In this example, the firewall is deployed at the egress of the enterprise network, and services between the intranet and external network are forwarded by the firewall. All such services are interrupted if the firewall is faulty. Therefore, if only one device is deployed in a key position of the network, the network may be interrupted due to a single point of failure, regardless of the reliability of this single device. For this reason, in network architecture design, a key position on the network usually has two network devices planned for high availability.
• A firewall is a stateful inspection device. It inspects the first packet of a flow and
establishes a session to record packet status information (including the source IP
address, source port number, destination IP address, destination port number,
and protocol). Subsequent packets of the flow are then forwarded according to
the session entry. Only those matching this entry will be forwarded. Packets that
do not match this entry will be discarded by the firewall.
• If two independent firewalls are deployed at the network egress, the two
firewalls run independently and need to be configured and maintained
separately. Assuming that VRRP is deployed in the upstream and downstream
directions of the firewalls, the two VRRP groups are independent of each other,
which may lead to inconsistent master/backup status. In this case, the paths of
the incoming and outgoing traffic from the intranet to the external network are
inconsistent. When the return traffic reaches FW2, FW2 does not have matching
session entries and therefore discards the traffic. To avoid this problem, when
firewalls are deployed in hot standby mode, consider backup of status
information such as session entries on the two firewalls.
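The asymmetric-path problem described in this note, as an added example that is not Huawei firewall code: a Python model of two stateful firewalls, each with its own session table, where the first packet of a flow leaves through FW1 and the reply returns through FW2. Without session backup FW2 has no matching entry and discards the reply; with backup over the heartbeat link (the role the note assigns to HRP) the entry is present on both firewalls and the reply is forwarded. The addresses, the "intranet-initiated flows only" policy and the `first` flag standing in for the first packet of a flow are assumptions made for the illustration.

```python
"""Added example (not Huawei firewall code): stateful session tables on two
firewalls with asymmetric forward/return paths, with and without session backup
to the peer. Addresses and the policy are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    first: bool = False   # True for the first packet of a flow (e.g. a TCP SYN)

    def key(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_key(self) -> FiveTuple:
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class Firewall:
    def __init__(self, name: str, intranet_prefix: str = "192.168.1.") -> None:
        self.name = name
        self.sessions: Set[FiveTuple] = set()
        self.peer: Optional["Firewall"] = None
        self.intranet_prefix = intranet_prefix   # policy: only intranet-initiated flows are allowed

    def pair_with(self, peer: "Firewall") -> None:
        """Enable session-entry backup between the two firewalls (what HRP provides)."""
        self.peer, peer.peer = peer, self

    def process(self, p: Packet) -> str:
        k = p.key()
        if k in self.sessions or p.reverse_key() in self.sessions:
            return "forward"                       # subsequent packet matches an existing session
        if not p.first:
            return "discard"                       # mid-flow packet with no session entry
        if not p.src_ip.startswith(self.intranet_prefix):
            return "discard"                       # first packet denied by the security policy
        self.sessions.add(k)                       # first packet inspected: create the session
        if self.peer is not None:
            self.peer.sessions.add(k)              # back up the new entry to the peer
        return "forward"


def asymmetric_path(backup_enabled: bool) -> Tuple[str, str]:
    """Outbound packet leaves via FW1; the reply comes back through FW2."""
    fw1, fw2 = Firewall("FW1"), Firewall("FW2")
    if backup_enabled:
        fw1.pair_with(fw2)
    out = Packet("192.168.1.10", 40000, "203.0.113.5", 443, "tcp", first=True)
    back = Packet("203.0.113.5", 443, "192.168.1.10", 40000, "tcp")
    return fw1.process(out), fw2.process(back)


if __name__ == "__main__":
    print("without backup:", asymmetric_path(False))   # reply discarded on FW2
    print("with backup:   ", asymmetric_path(True))    # reply forwarded on FW2
```

The model also shows why backing up sessions is not a substitute for consistent VRRP status: the reply is forwarded only because the session entry happened to be copied in time, so the design goal remains that both directions take the same firewall, with backup covering the switchover case.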
Hot Standby Overview
[Figure: two firewalls between the external network and the intranet, connected by a heartbeat link; service traffic passes through them, and they back up status information and synchronize configuration commands over the heartbeat link.]
Firewalls working in hot standby mode
• Hot standby requires two firewalls with the same hardware and software configurations to form a hot standby system. The firewalls are connected through an independent link (heartbeat link) to learn about the health status of each other and back up configurations and entries (such as session entries and IPsec SA information) to each other.
• If a firewall fails, service traffic can be smoothly switched to the other firewall, preventing service interruption.
Deployment requirements
• Currently, hot standby can be implemented only between two devices.
• The active and standby devices must have the same product model and version.
• The active and standby devices must have the same numbers and types of cards installed in the same arrangement. Otherwise, the information synchronized from the active device does not match the physical configuration of the standby device. As a result, faults occur after an active/standby switchover.
Key Components of Firewall Hot Standby
[Figure: two firewalls (Active and Standby) between the external network and the intranet, connected by an HRP heartbeat link, with VRRP VRID100 (10.1.1.1) on the upstream side and VRRP VRID1 (192.168.1.1) on the downstream side; the VGMP group status is shown on each firewall.]
Virtual Router Redundancy Protocol (VRRP)
VRRP is a fault-tolerant protocol. It ensures that when the next-hop router (default gateway) of a host is faulty, the backup router can automatically replace the faulty router to forward packets, thus ensuring the continuity and reliability of network communication.
VRRP Group Management Protocol (VGMP)
All VRRP groups on a firewall are added to a VGMP group for centralized status monitoring and management. When detecting a status change in one VRRP group, the VGMP group forces all VRRP groups to perform status switchover, ensuring the status consistency among them.
Huawei Redundancy Protocol (HRP)
HRP implements backup of dynamic status data and key configuration commands between the active and standby firewalls.

• Each firewall has a VGMP group. A VGMP group can be in any of the following
states:
▫ Initialize: indicates the temporary initial status of a VGMP group after hot
standby is enabled.
▫ Load Balance: When the priority of the local VGMP group is the same as
that of the peer VGMP group, the VGMP groups at both ends are in the
Load Balance state.

▫ Active: When the priority of the local VGMP group is higher than that of the
peer VGMP group, the local VGMP group is in Active state.

▫ Standby: When the priority of the local VGMP group is lower than that of
the peer VGMP group, the local VGMP group is in Standby state.

• After two firewalls are deployed in hot standby mode, the VGMP groups on them
have the same priority, and both are in Load Balance state. In this case, the two
firewalls are in load balancing state.
• You can configure VRRP or manually specify a standby device to enable the two
firewalls to work in active/standby mode. The VRRP configuration method applies
to networks where the firewalls connect to Layer 2 switches, and the method of
manually specifying a standby device applies to other hot standby networks.

• A firewall has an initial VGMP group priority. When an interface or a card on the
firewall becomes faulty, the initial VGMP group priority is decreased by a specific
value.
• This course uses USG6000 V500R001 as an example.
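The VGMP state rules in the note above (priority comparison giving Load Balance, Active or Standby; priority decreased when a monitored interface fails; all VRRP member interfaces forced to follow the VGMP state), as an added example that is not Huawei firewall code: a Python model that recomputes both VGMP states after an interface fault and pushes the resulting Master/Backup role onto every VRRP group. The initial priority value, the per-fault decrement and the choice to leave VRRP roles as configured while both groups are in Load Balance are placeholder assumptions; the page gives no figures for them.

```python
"""Added example (not Huawei firewall code): VGMP state derivation from a priority
comparison, and the forced switchover of all VRRP member interfaces. The initial
priority and the per-fault decrement are placeholder values."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

INITIAL_PRIORITY = 45000      # placeholder; the real initial value is product-specific
FAULT_PENALTY = 2             # placeholder decrement per faulty interface or card


@dataclass
class VgmpGroup:
    name: str
    priority: int = INITIAL_PRIORITY
    vrrp_members: Dict[str, str] = field(default_factory=dict)   # VRRP group -> Master/Backup

    def interface_fault(self) -> None:
        """A monitored interface goes down: the VGMP group priority is decreased."""
        self.priority -= FAULT_PENALTY


def vgmp_state(local: VgmpGroup, peer: VgmpGroup) -> str:
    if local.priority > peer.priority:
        return "Active"
    if local.priority < peer.priority:
        return "Standby"
    return "Load Balance"


def synchronize(fw1: VgmpGroup, fw2: VgmpGroup) -> Tuple[str, str]:
    """Recompute both VGMP states and force every VRRP member interface to follow."""
    s1, s2 = vgmp_state(fw1, fw2), vgmp_state(fw2, fw1)
    for group, state in ((fw1, s1), (fw2, s2)):
        role = {"Active": "Master", "Standby": "Backup"}.get(state)
        if role is not None:          # assumption: Load Balance keeps the configured VRRP roles
            for vrid in group.vrrp_members:
                group.vrrp_members[vrid] = role
    return s1, s2


def demo() -> dict:
    fw1 = VgmpGroup("FW1", vrrp_members={"VRID100": "Master", "VRID1": "Master"})
    fw2 = VgmpGroup("FW2", vrrp_members={"VRID100": "Backup", "VRID1": "Backup"})
    out = {"initial": synchronize(fw1, fw2)}   # equal priorities: both Load Balance
    fw1.interface_fault()                      # e.g. FW1's upstream interface fails
    out["after_fault"] = synchronize(fw1, fw2)
    out["fw1_vrrp"] = dict(fw1.vrrp_members)   # both groups on FW1 forced to Backup
    out["fw2_vrrp"] = dict(fw2.vrrp_members)   # both groups on FW2 forced to Master
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The detail worth noticing is that a single failed interface on FW1 moves both of its VRRP groups to Backup, not just the group on the failed link; that is exactly the behaviour that keeps the upstream and downstream paths on the same firewall.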
Key Components of Firewall Hot Standby: VRRP and VGMP
[Figure, left: FW1 (VGMP Active) is VRRP Master in both the upstream and downstream VRRP groups and FW2 (VGMP Standby) is VRRP Backup in both. Figure, right: after a switchover, FW1 (VGMP Standby) is VRRP Backup in both groups and FW2 (VGMP Active) is VRRP Master in both.]
• VGMP is used to manage VRRP groups in a unified manner.
• The status of the VGMP group determines the status of all VRRP member interfaces.
• When the status of a VGMP group changes, the status of all VRRP member interfaces in the VGMP group is forcibly changed.
• Consistent status ensures that the incoming and outgoing service traffic is forwarded along the same path.
Key Components of Firewall Hot Standby: HRP and Heartbeat Link
[Figure: the active firewall (VRRP Master in the upstream and downstream groups) backs up configuration and status information to the standby firewall (VRRP Backup in both groups); the VGMP group status is shown on each firewall.]
• To ensure successful switchover, key configuration commands and status information must be synchronized between the active and standby firewalls.
• Configurations that can be backed up are as follows:
 Policies: security policy, NAT policy (including the NAT address pool), and NAT Server
 Objects: address, region, service, application, and user
 Network: security zone, DNS, IPsec, and SSL VPN
 System: administrator, virtual system, and log configuration
• Status information that can be backed up is as follows:
 Session table, server mapping table, blacklist/whitelist, port mapping table in PAT mode, address mapping table in NO-PAT mode, Layer 2 forwarding table (static MAC address backup), AAA user table (default user admin is not backed up), online user monitoring table, PKI certificate, and IPsec

• To ensure successful switchover, key configuration commands and status


information (such as session table information) must be synchronized between
the active and standby firewalls.

• To achieve this, Huawei firewalls use HRP to back up dynamic status data and
key configuration commands between the active and standby firewalls.

• In active/standby backup mode, the active firewall synchronizes configuration


commands and status information to the standby firewall.

• In load balancing mode, both firewalls are active. Therefore, if both firewalls
synchronize commands to each other, command overwrite or conflict problems
may occur. To centrally manage the configurations of the two firewalls, you need
to configure the designated active and standby devices.
Typical Networking Scenarios of Firewall Hot Standby

Scenario 1: Hot standby is deployed in in-line mode and connects to Layer 2 devices.
[Figure: SW3 and SW4 upstream of FW1 and FW2, SW1 and SW2 downstream. VRRP VRID100 runs on the interfaces facing SW3/SW4 and VRRP VRID1 on the interfaces facing SW1/SW2.]
• The service interfaces of the firewalls work at Layer 3 and connect to switches in the upstream and downstream directions.
• The default gateway of the terminal can be set to the virtual IP address of VRRP VRID1. When configuring the return route on SW3/SW4, you can set the next hop to the virtual IP address of VRRP VRID100.

Scenario 2: Hot standby is deployed in in-line mode and connects to Layer 3 devices.
[Figure: R3 and R4 upstream of FW1 and FW2, R1 and R2 downstream. OSPF runs between the firewalls and the routers on both sides.]
• The service interfaces of the firewalls work at Layer 3 and connect to routers in the upstream and downstream directions.
• OSPF runs between firewalls and routers. When a service interface of FW1 is faulty, FW1 becomes the standby device, and FW2 becomes the active device. The cost of the routes advertised by FW1 is automatically changed to 65500. After the routes are re-converged, traffic is forwarded through FW2.

Contents

1. Ethernet Switching Security

2. Advanced Firewall Features
▫ Hot Standby
◼ Virtual System

Application Scenarios of the Firewall Virtual System

Network isolation for large and medium-sized enterprises
The virtual systems of the firewall isolate the R&D, finance, and administrative departments. The departments can access each other based on the permissions assigned to them, and their administrators have different permissions.
[Figure: a physical firewall between the Internet and the enterprise intranet, with virtual systems R&D, Finance, and Administration serving the R&D, finance, and administrative departments.]

Security gateway for cloud computing centers
With virtual system technology, you can deploy a firewall at the egress of a cloud computing center and create virtual systems for each customer to isolate and protect the traffic of different tenants. Such a firewall functions as the security gateway.
[Figure: a physical firewall between the Internet and the cloud computing center, with virtual systems A and B serving Tenant A and Tenant B.]

Firewall Virtual System Overview

What is a virtual system
[Figure: a virtual system with its own interfaces and independent resources, independent configuration, independent security functions, and an independent routing table.]
The virtual systems of a firewall are classified into two types:
• Public system (Public)
 A special virtual system that exists by default. By default, configuring a firewall is equivalent to configuring the public system. The public system manages other virtual systems and provides communication services between them.
• Virtual system (vSYS)
 An independent logical system created on a firewall.

Virtual system and firewall virtualization
[Figure: the public system alongside virtual systems A, B, ..., N, each with its own interfaces.]
To ensure that services of each virtual system can be correctly forwarded, independently managed, and isolated from each other, the firewall implements virtualization in the following aspects: resource virtualization, configuration virtualization, security function virtualization, and route virtualization.

• The firewall implements virtualization in the following aspects:
▫ Resource virtualization: Each virtual system has dedicated resources, including interfaces, VLANs, policies, and sessions. The resources are assigned by the public system administrator and managed by virtual system administrators.
▫ Configuration virtualization: Each virtual system has its own virtual system administrator and configuration interface. Virtual system administrators can only manage their own virtual systems.
▫ Security function virtualization: Each virtual system has independent security policies and other security functions, which apply only to packets of the virtual system.
▫ Route virtualization: Virtual systems maintain separate routing tables, independent and isolated from each other. Currently, only static routes can be virtualized.
• With the preceding virtualization techniques, each virtual system can function as a dedicated firewall that is exclusively managed by its administrator.
Virtual Interface

[Figure: the public system (Virtual-if0) connected through virtual links to virtual system A (Virtual-if1), virtual system B (Virtual-if2), and virtual system C (Virtual-if3).]

• Virtual systems communicate with each other through virtual interfaces.
• Virtual interfaces are logical interfaces used for inter-virtual system communication. After a virtual system is created, the device automatically creates a virtual interface for the virtual system.
• A virtual interface can work properly only after it is assigned an IP address and added to a security zone.
• Virtual interfaces are named in the format of Virtual-if+Interface number, with the virtual interface of the public system numbered 0 (Virtual-if0). Other virtual interfaces are automatically numbered from 1.

• As shown in the figure, virtual interfaces of virtual systems and the public system
are connected to form virtual links. You can consider virtual systems and the
public system as independent devices, and virtual interfaces as communication
interfaces between them. Virtual systems can communicate with each other and
with the public system after their virtual interfaces are added to security zones
and routes and policies are configured for device communications.
Virtual System Communication with the Public System
⚫ Users on network segment 10.3.0.0/24 in virtual system A access the Internet server 3.3.3.3 through GE1/0/1 of the public system.

Routing table of virtual system A
Destination IP Address | Outbound Interface | Next Hop
0.0.0.0/0              | Virtual-if0        | 0.0.0.0
10.3.0.0/24            | GE1/0/2            | 10.1.1.2
...                    | ...                | ...

Routing table of the public system
Destination IP Address | Outbound Interface | Next Hop
0.0.0.0/0              | GE1/0/1            | 1.1.1.254
...                    | ...                | ...

[Figure: packet path from source 10.3.0.0/24 to destination 3.3.3.3/24. (1) The data enters virtual system A through GE1/0/2 (next hop 10.1.1.2); (2) virtual system A forwards the data based on its routing table, establishes a session, and sends the data out through Virtual-if1; (3) the data enters the public system through Virtual-if0, and the public system forwards it based on its routing table and establishes a session; (4) the data leaves through GE1/0/1 toward next hop 1.1.1.254.]

• Communication between a virtual system and the public system involves two
scenarios: from a virtual system to the public system, and from the public system
to a virtual system. The packet forwarding processes in the two scenarios are
slightly different.
• This slide uses the access from a virtual system to the public system as an
example. Packets are processed in both the virtual system and public system
according to the firewall's packet forwarding process. As such, you must perform
key configurations such as security policies and routes in both the virtual system
and public system.
Direct Communication Between Two Virtual Systems
⚫ Users on network segment 10.3.0.0/24 in virtual system A access server 3.3.3.3 in virtual system B.

Routing table of virtual system A
Destination IP Address | Outbound Interface | Next Hop
3.3.3.3/24             | Virtual-if2        | 0.0.0.0
10.3.0.0/24            | GE1/0/2            | 10.1.1.2
...                    | ...                | ...

Routing table of virtual system B
Destination IP Address | Outbound Interface | Next Hop
3.3.3.3/24             | GE1/0/1            | 1.1.1.254
...                    | ...                | ...

[Figure: packet path from source 10.3.0.0/24 to destination 3.3.3.3/24. (1) The data enters virtual system A through GE1/0/2 (next hop 10.1.1.2); (2) virtual system A forwards the data based on its routing table, creates a session, and sends the data out through Virtual-if1; (3) the data enters virtual system B through Virtual-if2, and virtual system B forwards it based on its routing table and creates a session; (4) the data leaves through GE1/0/1 toward next hop 1.1.1.254.]

• On a firewall, virtual systems are isolated by default. As such, hosts attached to different virtual systems cannot communicate with each other. To enable communication between two hosts attached to different virtual systems, configure security policies and routes. In this example, virtual system A initiates an access request to virtual system B. The request packet enters virtual system A, which then processes the packet according to the firewall's packet forwarding process. Then, the request packet enters virtual system B, which also processes the packet according to the firewall's forwarding process.
• As both virtual systems need to process the packet according to the firewall's packet forwarding process, you must perform key configurations such as security policies and routes in both virtual systems.
Example for Configuring Communication Between Virtual Systems (1)

[Figure: one firewall with two virtual systems. vsysa: interface GE1/0/3 (10.3.0.1/24) in the Trust zone, user network 10.3.0.0/24 with host 10.3.0.3/24. vsysb: interface GE1/0/4 (10.3.1.1/24) in the Trust zone, server network 10.3.1.0/24 with server 10.3.1.3/24.]

As shown in the figure, users in vsysa need to access the server in vsysb.

⚫ The configuration procedure is as follows:
 Configure the route for communication between virtual systems vsysa and vsysb in the public system.
 Configure a security policy in vsysa.
 Configure a security policy in vsysb.

Configure the route for communication between virtual systems vsysa and vsysb in the public system.
<FW> system-view
[FW] ip route-static vpn-instance vsysa 10.3.1.0 24 vpn-instance vsysb

• The preceding configuration allows only the unidirectional communication from vsysa to vsysb. If hosts in vsysb need to access hosts in vsysa, you must configure the routes and security policies for access from vsysb to vsysa.
Example for Configuring Communication Between Virtual Systems (2)

Configure a security policy in vsysa.

Set an IP address for vsysa's virtual interface Virtual-if1 and add the interface to the Untrust zone. The IP address can be any value as long as it does not conflict with the IP address on any other interface.
[FW-vsysa] interface Virtual-if 1
[FW-vsysa-Virtual-if1] ip address 172.16.1.1 24
[FW-vsysa-Virtual-if1] quit
[FW-vsysa] firewall zone untrust
[FW-vsysa-zone-untrust] add interface Virtual-if1
[FW-vsysa-zone-untrust] quit

Configure a policy for users in vsysa to access the server in vsysb.
[FW-vsysa] security-policy
[FW-vsysa-policy-security] rule name to_server
[FW-vsysa-policy-security-rule-to_server] source-zone trust
[FW-vsysa-policy-security-rule-to_server] destination-zone untrust
[FW-vsysa-policy-security-rule-to_server] source-address 10.3.0.0 24
[FW-vsysa-policy-security-rule-to_server] destination-address 10.3.1.3 32
[FW-vsysa-policy-security-rule-to_server] action permit
[FW-vsysa-policy-security-rule-to_server] quit
[FW-vsysa-policy-security] quit

Example for Configuring Communication Between Virtual Systems (3)

Configure a security policy in vsysb.

Set an IP address for vsysb's virtual interface Virtual-if2 and add the interface to the Untrust zone. The IP address can be any value as long as it does not conflict with the IP address on any other interface.
[FW-vsysb] interface Virtual-if 2
[FW-vsysb-Virtual-if2] ip address 172.16.2.1 24
[FW-vsysb-Virtual-if2] quit
[FW-vsysb] firewall zone untrust
[FW-vsysb-zone-untrust] add interface Virtual-if2
[FW-vsysb-zone-untrust] quit

Configure a policy for users in vsysa to access the server in vsysb.
[FW-vsysb] security-policy
[FW-vsysb-policy-security] rule name vsysa_to_server
[FW-vsysb-policy-security-rule-vsysa_to_server] source-zone untrust
[FW-vsysb-policy-security-rule-vsysa_to_server] destination-zone trust
[FW-vsysb-policy-security-rule-vsysa_to_server] source-address 10.3.0.0 24
[FW-vsysb-policy-security-rule-vsysa_to_server] destination-address 10.3.1.3 32
[FW-vsysb-policy-security-rule-vsysa_to_server] action permit

Verify the configuration.
PC>ping 10.3.1.3
Ping 10.3.1.3: 32 data bytes, Press Ctrl_C to break
From 10.3.1.3: bytes=32 seq=1 ttl=127 time=79 ms

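The forwarding behaviour described on the communication slides (virtual system to public system, virtual system to virtual system) and exercised by the vsysa/vsysb configuration above, as an added example that is not part of the course material: every virtual system a packet crosses does its own route lookup, its own security-policy check and creates its own session. Interface, zone and address names follow the slides; the route and policy data, the `public` zone assignment for Virtual-if0 and the `Firewall`/`VirtualSystem` model are constructed for this example.

```python
"""Added example (not part of the Huawei course): a model of how one firewall
processes a packet that crosses its virtual systems. Every virtual system it
passes through does its own route lookup, its own security-policy check and
creates its own session; virtual interfaces (Virtual-ifN) link the systems.
Zone, interface and address names follow the slides; the route and policy
data is constructed for the example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_interface: str   # inter-vsys routes name the PEER's virtual interface, as on the slides
    next_hop: str


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str          # "permit" or "deny"


@dataclass
class VirtualSystem:
    name: str
    zones: dict = field(default_factory=dict)      # interface -> security zone
    routes: list = field(default_factory=list)
    rules: list = field(default_factory=list)
    sessions: list = field(default_factory=list)   # (src, dst) sessions this vsys created

    def route(self, dst):
        """Longest-prefix match over this virtual system's own routing table."""
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

    def policy(self, src_zone, dst_zone, src, dst):
        """First matching rule wins; with no match the virtual system denies."""
        for r in self.rules:
            if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) and src in r.src and dst in r.dst:
                return r.action
        return "deny"


class Firewall:
    def __init__(self):
        self.vsys = {}    # name -> VirtualSystem
        self.links = {}   # (vsys, peer virtual interface) -> (peer vsys, local if, peer if)

    def add(self, vsys):
        self.vsys[vsys.name] = vsys

    def link(self, a, if_a, b, if_b):
        """Virtual link between if_a of vsys a and if_b of vsys b (both directions)."""
        self.links[(a, if_b)] = (b, if_a, if_b)
        self.links[(b, if_a)] = (a, if_b, if_a)

    def forward(self, vsys_name, in_interface, src, dst):
        """Return the (vsys, outcome) steps the packet takes; the last entry is the verdict."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        current, in_if, trail = vsys_name, in_interface, []
        for _ in range(len(self.vsys) + 1):   # bounded: guards against a routing loop
            v = self.vsys[current]
            rt = v.route(dst)
            if rt is None:
                return trail + [(current, "no route")]
            peer = self.links.get((current, rt.out_interface))
            egress_if = peer[1] if peer else rt.out_interface
            in_zone, out_zone = v.zones.get(in_if), v.zones.get(egress_if)
            if in_zone is None or out_zone is None:
                return trail + [(current, "interface not in a security zone")]
            if v.policy(in_zone, out_zone, src, dst) != "permit":
                return trail + [(current, "denied by policy")]
            v.sessions.append((str(src), str(dst)))   # session established in this vsys
            if peer is None:
                return trail + [(current, "forwarded via %s" % rt.out_interface)]
            trail.append((current, "to %s via %s" % (peer[0], egress_if)))
            current, in_if = peer[0], peer[2]
        return trail + [(current, "routing loop")]


def build_example():
    """vsysa (users 10.3.0.0/24), vsysb (server 10.3.1.3) and the public system."""
    net = ipaddress.ip_network
    fw = Firewall()
    fw.add(VirtualSystem("vsysa", zones={"GE1/0/3": "trust", "Virtual-if1": "untrust"},
        routes=[Route(net("10.3.0.0/24"), "GE1/0/3", "0.0.0.0"),
                Route(net("10.3.1.0/24"), "Virtual-if2", "0.0.0.0"),   # to vsysb
                Route(net("0.0.0.0/0"), "Virtual-if0", "0.0.0.0")],     # to the public system
        rules=[Rule("to_server", "trust", "untrust", net("10.3.0.0/24"), net("10.3.1.3/32"), "permit"),
               Rule("to_internet", "trust", "untrust", net("10.3.0.0/24"), net("0.0.0.0/0"), "permit")]))
    fw.add(VirtualSystem("vsysb", zones={"GE1/0/4": "trust", "Virtual-if2": "untrust"},
        routes=[Route(net("10.3.1.0/24"), "GE1/0/4", "0.0.0.0")],
        rules=[Rule("vsysa_to_server", "untrust", "trust", net("10.3.0.0/24"), net("10.3.1.3/32"), "permit")]))
    fw.add(VirtualSystem("public", zones={"GE1/0/1": "untrust", "Virtual-if0": "trust"},
        routes=[Route(net("0.0.0.0/0"), "GE1/0/1", "1.1.1.254")],
        rules=[Rule("vsys_to_internet", "trust", "untrust", net("10.3.0.0/24"), net("0.0.0.0/0"), "permit")]))
    fw.link("vsysa", "Virtual-if1", "vsysb", "Virtual-if2")
    fw.link("vsysa", "Virtual-if1", "public", "Virtual-if0")
    return fw
```

Removing the vsysb rule reproduces the "denied by policy" case from the notes, and the reverse direction fails with "no route" because only the vsysa-to-vsysb route exists.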
Quiz

1. (Multiple-answer question) DHCP snooping is a DHCP security feature. Which of the following attacks can DHCP snooping defend against? ( )
A. Starvation attacks by changing the CHADDR field
B. Bogus DHCP server attacks
C. TCP flag attacks
D. Man-in-the-middle attacks and IP/MAC spoofing attacks

2. (True or false) On a firewall, virtual systems are isolated by default. Hosts in different virtual systems cannot communicate with each other. ( )
A. True
B. False

1. ABD
2. A
Summary
⚫ Port isolation can isolate interfaces in a VLAN. Two port isolation modes are available: Layer 2 isolation and Layer 3 interworking, and
Layer 2 and Layer 3 isolation.
⚫ MAC address entries of a switch are classified into static, blackhole, and dynamic MAC address entries.
⚫ Port security enables a switch to convert dynamic MAC addresses learned by an interface into secure MAC addresses. Secure MAC
addresses are usually used together with security protection actions.
⚫ Enabling MAC address flapping detection on a switch helps engineers quickly troubleshoot loops on the switch.
⚫ MACsec defines a method for secure data communication based on Ethernet and ensures data transmission security through hop-by-hop
data encryption between devices.
⚫ The difference between traffic suppression and storm control is that traffic suppression only limits the rate of various packets and discards
excess packets, whereas storm control takes different actions, such as shutting down an interface or blocking packets based on the packet
rate.
⚫ DHCP snooping plays an important role in preventing network attacks on terminals that automatically obtain IP addresses on the
Ethernet. You can configure the DHCP snooping trusted interface and DHCP snooping binding table to prevent DHCP-based network
attacks.
⚫ An IPSG-enabled switch checks packets against the binding table to prevent IP spoofing attacks.
⚫ Deploying firewalls in hot standby mode can improve network reliability, and deploying firewall virtual systems can logically divide
physical devices to improve resource utilization.

Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

• MPLS is derived from the Internet Protocol version 4 (IPv4). Core MPLS
technologies can be extended to support multiple network protocols, such as the
Internet Protocol version 6 (IPv6), Internet Packet Exchange (IPX), Appletalk,
DECnet, and Connectionless Network Protocol (CLNP). MPLS uses label-based
forwarding to replace IP forwarding. A label is a short connection identifier of
fixed length that is meaningful only to a local end.
• MPLS label operations will be introduced in the following courses.
• In traditional IP forwarding that uses the longest match algorithm, all packets that match the same route belong to the same FEC.
• In MPLS, the most common example of an FEC is: packets whose destination IP addresses match the same IP route are considered to belong to the same FEC.
• An LSP is composed of an ingress LSR, an egress LSR, and a variable number of transit LSRs. Therefore, an LSP can be considered as an ordered set of these LSRs.
• An LSP must be established before a packet is forwarded; otherwise, the packet fails to traverse an MPLS domain.
• LSPs can be established in static or dynamic mode.
• An LSP is a unidirectional path from the start point to the end point. If bidirectional data communication is required, an LSP for return traffic needs to be established between the two ends.
• The EXP field is defined in early MPLS standards and is an experimental field.
Actually, this field is mainly used for CoS. To avoid ambiguity, this field is
renamed Traffic Class in RFC 5462.
• When the upper layer is the MPLS label stack, the Type field in the Ethernet
header is 0x8847, and the Protocol field in the PPP header is 0x8281.
• The label spaces of different LSRs are independent of each other, indicating that
each router can use the entire label space.
• If the ingress LSRs of packets belonging to the same FEC are different, the LSPs for forwarding the packets are different.
• An LSR processes all packets in the same FEC in the same way, regardless of whether the packets' inbound interfaces are the same.
• An LSP is composed of the forwarding actions of LSRs, and the label forwarding table determines the forwarding action. Therefore, establishing a label forwarding table can also be considered as establishing an LSP.
• As shown in the figure, the three packets belong to the same FEC, FEC1, because they have the same destination. However, as their ingress LSRs are different, the packets are forwarded along different LSPs (LSP1, LSP2, and LSP3, respectively). The labels assigned by different LSRs to the same FEC can be the same or different, because labels are valid only on their local LSRs.
• Control plane:
▫ The control plane is connectionless. It generates and maintains routing and label information.
▫ The control plane includes:
▪ Routing information base (RIB): stores static routes, direct routes, and routes generated by IP routing protocols. Routes can be selected from the RIB to guide packet forwarding.
▪ Label information base (LIB): stores and manages labels statically configured and dynamically generated by label switching protocols (such as LDP and RSVP).
• Forwarding plane:
▫ The forwarding plane, also called the data plane, is connection-oriented. It forwards common IP packets and MPLS labeled packets.
▫ The forwarding plane includes:
▪ Forwarding information base (FIB): stores forwarding information that is generated based on the routing information extracted from the RIB. The forwarding information is used to guide common IP packet forwarding.
▪ Label forwarding information base (LFIB): stores label-based forwarding information to guide MPLS labeled packet forwarding.
• Static LSP:
▫ A static LSP is meaningful only to the local node, and the local node cannot be aware of the entire LSP.
• Dynamic LSP:
▫ Other label distribution protocols:
▪ Resource Reservation Protocol-Traffic Engineering (RSVP-TE): an extension based on RSVP. RSVP-TE is used to establish constraint-based routed LSPs (CR-LSPs). Unlike LDP LSPs, CR-LSPs support parameters, such as bandwidth reservation requests, bandwidth constraints, link colors, and explicit paths.
▪ Multiprotocol Border Gateway Protocol (MP-BGP): an extension based on BGP. MP-BGP distributes labels to MPLS VPN routes and inter-AS VPN labeled routes.
• Tunnel ID: an ID automatically allocated to a tunnel, providing a unified interface
for upper-layer applications (such as VPN and route management) that use the
tunnel. A tunnel ID is 32 bits long and is valid only on the local device. During
MPLS forwarding, LSRs find matching FIB entries, ILMs, and NHLFEs based on
tunnel IDs.
• An ingress LSR searches the FIB table (to learn FTN information) and NHLFE
table to guide packet forwarding.

• When an IP packet enters an MPLS domain, the ingress searches the FIB to check
whether the tunnel ID corresponding to the destination IP address is 0x0.

▫ If the tunnel ID is 0x0, the ingress LSR performs IP forwarding for the
packet.

▫ If the tunnel ID is not 0x0, the ingress LSR performs MPLS forwarding for
the packet.
• A transit LSR searches for ILMs and NHLFEs to guide MPLS packet forwarding.
• The egress LSR searches the ILM table to guide MPLS packet forwarding.
• An outgoing label occupies the label space of the downstream LSR, but the label
distribution mode used by the downstream space is uncertain. As such, the value
of an outgoing label ranges from 16 to 1048575.

• An incoming label occupies the label space of the current LSR. When a static LSP
is used, the value of an incoming label ranges from 16 to 1023.
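The forwarding tables in these notes, as an added example that is not from the course: a FIB whose entries carry a tunnel ID (0x0 means plain IP forwarding), the NHLFE the ingress consults through that tunnel ID, and the ILM consulted by transit and egress LSRs, with the label-range checks from the last two bullets (static LSP, so incoming labels are restricted to 16..1023). The three-router topology, prefixes, interface names and label values are constructed for this example.

```python
"""Added example (not from the Huawei course): a model of the MPLS forwarding
tables in the notes above -- FIB entries carrying a tunnel ID, NHLFEs and ILMs --
and how ingress, transit and egress LSRs use them. Topology, prefixes and
label values are constructed (static LSP, so incoming labels lie in 16..1023)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

STATIC_IN_LABELS = range(16, 1024)    # incoming label space of a static LSP
OUT_LABELS = range(16, 1048576)       # outgoing label: downstream LSR's space, any mode


@dataclass
class NHLFE:
    """Next Hop Label Forwarding Entry: the action applied on the way out."""
    operation: str            # "push" (ingress), "swap" (transit) or "pop" (egress)
    out_label: Optional[int]
    out_interface: str
    next_hop: str             # name of the next LSR in this model

    def __post_init__(self):
        if self.out_label is not None and self.out_label not in OUT_LABELS:
            raise ValueError("outgoing label %r out of range" % self.out_label)


@dataclass
class FIBEntry:
    prefix: ipaddress.IPv4Network
    next_hop: str
    tunnel_id: int = 0        # 0x0: no LSP bound to this FEC, plain IP forwarding


@dataclass
class LSR:
    name: str
    fib: list = field(default_factory=list)
    nhlfe: dict = field(default_factory=dict)   # tunnel_id -> NHLFE (used by the ingress)
    ilm: dict = field(default_factory=dict)     # incoming label -> NHLFE (transit/egress)

    def add_ilm(self, in_label, entry):
        """Incoming labels live in this LSR's own label space."""
        if in_label not in STATIC_IN_LABELS:
            raise ValueError("static incoming label %d out of range" % in_label)
        self.ilm[in_label] = entry

    def fib_lookup(self, dst):
        """Longest match: every packet matching the same route is in the same FEC."""
        hits = [e for e in self.fib if dst in e.prefix]
        return max(hits, key=lambda e: e.prefix.prefixlen) if hits else None

    def on_ip_packet(self, dst):
        """Ingress: FIB lookup, then the tunnel ID decides IP vs. MPLS forwarding."""
        e = self.fib_lookup(dst)
        if e is None:
            return ("drop", None, None)
        if e.tunnel_id == 0x0:
            return ("ip", None, e.next_hop)
        n = self.nhlfe[e.tunnel_id]        # FTN: FEC -> NHLFE through the tunnel ID
        return ("push", n.out_label, n.next_hop)

    def on_labeled_packet(self, label):
        """Transit/egress: ILM lookup on the incoming label gives the NHLFE."""
        n = self.ilm.get(label)
        if n is None:
            return ("drop", None, None)
        if n.operation == "swap":
            return ("swap", n.out_label, n.next_hop)
        return ("pop", None, n.next_hop)    # egress: label removed, IP forwarding resumes


def trace(lsrs, ingress, dst):
    """Walk a packet from the ingress LSR and record (LSR, action, label) per hop."""
    dst = ipaddress.ip_address(dst)
    action, label, current = lsrs[ingress].on_ip_packet(dst)
    hops = [(ingress, action, label)]
    while action in ("push", "swap") and current in lsrs:
        action, label, nxt = lsrs[current].on_labeled_packet(label)
        hops.append((current, action, label))
        current = nxt
    return hops


def build_example():
    """R1 (ingress) -> R2 (transit) -> R3 (egress) for FEC 192.168.3.0/24."""
    net = ipaddress.ip_network
    r1, r2, r3 = LSR("R1"), LSR("R2"), LSR("R3")
    r1.fib = [FIBEntry(net("192.168.3.0/24"), "R2", tunnel_id=1),   # tunnel ID local to R1
              FIBEntry(net("10.0.0.0/8"), "R2")]                     # tunnel ID 0x0: IP forwarding
    r1.nhlfe[1] = NHLFE("push", 100, "GE0/0/0", "R2")   # 100 is R2's incoming label
    r2.add_ilm(100, NHLFE("swap", 200, "GE0/0/1", "R3"))  # 200 is R3's incoming label
    r3.add_ilm(200, NHLFE("pop", None, "GE0/0/1", "CE"))
    # Label spaces are independent: R3 may use value 100 for a different FEC.
    r3.add_ilm(100, NHLFE("pop", None, "GE0/0/2", "CE2"))
    return {"R1": r1, "R2": r2, "R3": r3}
```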
1. AC

2. B
MPLS LDP Fundamentals and Configuration
Foreword

⚫ Multiprotocol Label Switching (MPLS) implements data forwarding based on short and
fixed-length labels carried in packets.
⚫ A fundamental concept in MPLS is that two LSRs must agree on the meaning of the labels
used to forward traffic between them. The Label Distribution Protocol (LDP) can be used by
an LSR to send its label binding information to other LDP-capable LSRs, helping implement
correct forwarding of labeled packets.
⚫ This course describes the principles, features, and basic configurations of LDP.

• LDP as discussed in this course is the protocol first defined in RFC 3036; that specification has since been replaced by RFC 5036.
• Other label distribution protocols include MP-BGP and RSVP.
Objectives

⚫ On completion of this course, you will be able to:
 Understand LDP's basic concepts and working mechanisms.
 Describe the MPLS label distribution control mode, advertisement mode, and retention mode.
 Perform basic LDP configurations.

Contents

1. Basic LDP Concepts

2. LDP Principles

3. Basic LDP Configurations

LDP Overview
⚫ LDP is an MPLS control protocol, which is similar to a signaling protocol on a traditional network. LDP is responsible for FEC classification, label distribution, and LSP establishment and maintenance. LDP defines the messages used in label distribution as well as the message processing procedures.
⚫ The working process of LDP involves:
 LDP session establishment between LSRs
 Dynamic exchange of FEC-label mapping information between LSRs over LDP sessions, as well as LSP establishment based on label information

[Figure: R1, R2, and R3 in a row, with network 192.168.1.0/24 attached to R1 and 192.168.3.0/24 attached to R3; an LDP session runs between R1 and R2 and another between R2 and R3. For FEC 192.168.3.0/24 the incoming labels 1024 and 1025 are shown along the path, and for FEC 192.168.1.0/24 the incoming labels 1024 and 1026.]

LDP Session, Adjacency, and Peer
⚫ An LDP session must be established before LSRs can exchange label binding information. LDP sessions are classified into the following types:
 Local LDP session: can be established between two LSRs that are directly connected.
 Remote LDP session: can be established between two LSRs that are directly or indirectly connected.
⚫ An adjacency is established between two LSRs after they exchange Hello messages.
⚫ After an adjacency is established between two LSRs, they exchange LDP session messages to establish an LDP session. An LDP peer relationship is then established between them.

[Figure: R1, R2, and R3 in a row, with 192.168.1.0/24 attached to R1 and 192.168.3.0/24 attached to R3. Label distribution takes place between each pair of peers: a local LDP session between R1 and R2, and a remote LDP session between R1 and R3.]

LSR ID and LDP ID
⚫ Each LDP-capable LSR must have an LDP ID, in addition to an LSR ID.
 An LDP ID is 48 bits long and consists of a 32-bit LSR ID and a 16-bit label space ID.
 An LDP ID is presented in the format of "LSR ID:Label space ID", for example, 2.2.2.2:0.
⚫ The meaning of a label space ID varies according to its value:
 0: indicates a device-based label space.
 Non-zero value: indicates an interface-based label space.

LDP ID format: LSR ID (32 bits):Label space ID (16 bits)

[Figure: R1 (LSR ID 1.1.1.1, LDP ID 1.1.1.1:0) and R2 (LSR ID 2.2.2.2, LDP ID 2.2.2.2:0) connected through their GE0/0/0 interfaces, 10.0.12.1/24 and 10.0.12.2/24.]

• This course takes the device-based label space as an example.

LDP Messages
⚫ LDP-capable LSRs exchange LDP messages to discover peers, establish and maintain sessions, and manage labels.

Message Type          | Message Name        | Transport Layer Protocol | Function
Discovery message     | Hello               | UDP                      | Advertises local LSRs and discovers peers in the LDP discovery process.
Session message       | Initialization      | TCP                      | Negotiates parameters in an LDP session establishment process.
Session message       | KeepAlive           | TCP                      | Monitors the TCP connection integrity of LDP sessions.
Advertisement message | Address             | TCP                      | Advertises interface addresses.
Advertisement message | Address Withdraw    | TCP                      | Withdraws interface addresses.
Advertisement message | Label Mapping       | TCP                      | Advertises FEC-label mapping information.
Advertisement message | Label Request       | TCP                      | Requests label mappings for FECs.
Advertisement message | Label Abort Request | TCP                      | Aborts outstanding Label Request messages.
Advertisement message | Label Withdraw      | TCP                      | Withdraws FEC-label mappings.
Advertisement message | Label Release       | TCP                      | Releases labels.
Notification message  | Notification        | TCP                      | Informs LDP peers of errors.

• LDP messages are classified into four types by function: discovery, session, advertisement, and notification.
▫ Discovery messages: announce and maintain the presence of LSRs on a network. Hello messages belong to this category.
▫ Session messages: establish, maintain, and terminate sessions between LDP peers. Initialization and KeepAlive messages belong to this category.
▫ Advertisement messages: generate, change, and delete label mappings for FECs.
▫ Notification messages: provide advisory information and signal error information.
• LDP messages are carried over UDP or TCP, with the port number being 646. Discovery messages, which are used to discover peers, are carried over UDP. Other LDP messages must be transmitted in a reliable and ordered manner. Therefore, LDP uses TCP to establish sessions. Session, advertisement, and notification messages are transmitted over TCP.
LDP Packet Encapsulation
⚫ An LDP packet consists of an LDP header and an LDP message.
 An LDP header carries information such as the LDP version and packet length.
 An LDP message carries information such as the message type and message length.

[Figure: packet layout]
IP Header | TCP/UDP Header | LDP Header (10 bytes) | LDP Message (variable length)
LDP Header: Version (2 bytes) | PDU Length (2 bytes) | LDP Identifier (6 bytes)
LDP Message: U (1 bit) | Message Type (2 bytes) | Message Length (2 bytes) | Message ID (4 bytes) | Mandatory Parameters (variable length) | Optional Parameters (variable length)

• An LDP header is 10 bytes long. It consists of three parts: Version, PDU Length, and LDP Identifier.
▫ The Version field occupies 2 bytes. It indicates the LDP version number. The current version number is 1.
▫ The PDU Length field occupies 2 bytes. It indicates the packet length in bytes, excluding the Version and PDU Length fields.
▫ The LDP Identifier field (that is, LDP ID) occupies 6 bytes. The first 4 bytes uniquely identify an LSR, and the last 2 bytes identify the label space of the LSR.
• An LDP message consists of five parts.
▫ The U field occupies 1 bit and is the Unknown message bit. When an LSR receives an unknown message, the LSR returns a notification message to the message originator if the U field is 0, but ignores the message and does not respond with a notification message if the U field is 1.
▫ Message Length occupies 2 bytes. It indicates the total length of Message ID, Mandatory Parameters, and Optional Parameters, in bytes.
▫ Message ID occupies 32 bits. It identifies a message.
▫ Each of the Mandatory Parameters and Optional Parameters fields has a variable length.
▫ Message Type indicates a specific message type. Currently, common messages defined by LDP include Notification, Hello, Initialization, KeepAlive, Address, Address Withdraw, Label Mapping, Label Request, Label Abort Request, Label Withdraw, and Label Release.
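An encoder and decoder for the LDP header and message header laid out above, as an added example that is not from the course material. It follows the RFC 5036 wire format: the U bit is the high bit of the 2-byte Message Type field, and the message type codes (which the slide does not list) are the RFC 5036 values. The KeepAlive PDU, LSR ID and unknown type used in the test are constructed; the parameters (TLVs) of a message are kept as opaque bytes.

```python
"""Added example (not from the Huawei course): encode and decode the LDP PDU
header and LDP message header described above, with the field widths from the
slide and the RFC 5036 wire format. Message TLVs are left as opaque bytes."""
import struct
from dataclasses import dataclass

LDP_VERSION = 1
LDP_PORT = 646

# Message type codes from RFC 5036 (the slide lists only the names).
MESSAGE_TYPES = {
    0x0001: "Notification",
    0x0100: "Hello",
    0x0200: "Initialization",
    0x0201: "KeepAlive",
    0x0300: "Address",
    0x0301: "Address Withdraw",
    0x0400: "Label Mapping",
    0x0401: "Label Request",
    0x0402: "Label Withdraw",
    0x0403: "Label Release",
    0x0404: "Label Abort Request",
}


@dataclass
class LDPMessage:
    msg_type: int        # 15-bit type; the U bit is kept separately
    unknown_bit: int     # U bit: 1 = silently ignore if the type is unknown
    message_id: int
    parameters: bytes    # mandatory + optional parameters, opaque here

    @property
    def name(self):
        return MESSAGE_TYPES.get(self.msg_type, "Unknown")


@dataclass
class LDPPdu:
    lsr_id: str          # dotted quad, first 4 bytes of the LDP Identifier
    label_space: int     # last 2 bytes of the LDP Identifier (0 = device-based)
    messages: list


def ldp_identifier(pdu):
    """'LSR ID:Label space ID' as shown on the slides, e.g. 2.2.2.2:0."""
    return "%s:%d" % (pdu.lsr_id, pdu.label_space)


def encode_message(msg):
    type_field = (msg.unknown_bit << 15) | (msg.msg_type & 0x7FFF)
    # Message Length covers Message ID plus parameters, not Type/Length themselves.
    length = 4 + len(msg.parameters)
    return struct.pack("!HHI", type_field, length, msg.message_id) + msg.parameters


def encode_pdu(pdu):
    body = b"".join(encode_message(m) for m in pdu.messages)
    ident = bytes(int(o) for o in pdu.lsr_id.split(".")) + struct.pack("!H", pdu.label_space)
    # PDU Length covers everything after the Version and PDU Length fields:
    # the 6-byte LDP Identifier plus all messages.
    return struct.pack("!HH", LDP_VERSION, 6 + len(body)) + ident + body


def decode_pdu(data):
    """Parse one PDU; length fields are checked against the buffer before use."""
    if len(data) < 10:
        raise ValueError("short LDP header")
    version, pdu_len = struct.unpack("!HH", data[:4])
    if version != LDP_VERSION:
        raise ValueError("unsupported LDP version %d" % version)
    if pdu_len < 6 or pdu_len + 4 > len(data):
        raise ValueError("PDU Length inconsistent with buffer")
    lsr_id = ".".join(str(b) for b in data[4:8])
    label_space = struct.unpack("!H", data[8:10])[0]
    msgs, off, end = [], 10, 4 + pdu_len
    while off < end:
        if end - off < 8:
            raise ValueError("truncated message header")
        type_field, length, msg_id = struct.unpack("!HHI", data[off:off + 8])
        if length < 4 or off + 4 + length > end:
            raise ValueError("Message Length exceeds PDU")
        params = data[off + 8:off + 4 + length]
        msgs.append(LDPMessage(type_field & 0x7FFF, type_field >> 15, msg_id, params))
        off += 4 + length
    return LDPPdu(lsr_id, label_space, msgs)


def handle_unknown(msg):
    """Receiver rule from the notes: unknown type with U=0 -> notify originator,
    with U=1 -> ignore silently; known types are processed normally."""
    if msg.msg_type in MESSAGE_TYPES:
        return "process"
    return "ignore" if msg.unknown_bit else "notify"
```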
Contents

1. Basic LDP Concepts

2. LDP Principles
◼ LDP Session Establishment
▫ LDP-based Label Distribution
▫ LDP Working Process

3. Basic LDP Configurations

LDP Session State Machine
⚫ LDP uses five states to describe the LDP session state machine.

[Figure: state diagram with the states Non-Existent, Initialized, OpenSent, OpenRec, and Operational. The transitions are:]
• Non-Existent -> Initialized: TCP connection setup.
• Initialized -> OpenSent (active LSR). Action: sends an Initialization message.
• Initialized -> OpenRec (passive LSR): the passive LSR receives an acceptable Initialization message. Action: sends Initialization and KeepAlive messages.
• Initialized -> Non-Existent: a received message is not an Initialization message, or no message is received. Action: sends an NAK message.
• OpenSent -> OpenRec: an acceptable Initialization message is received. Action: sends a KeepAlive message.
• OpenSent -> Non-Existent: a received message is not an Initialization message, or no message is received. Action: sends an NAK message.
• OpenRec -> Operational: a KeepAlive message is received. Action: none.
• OpenRec -> Non-Existent: a received message is not a KeepAlive message, or no message is received. Action: sends an NAK message.
• Operational -> Operational: all other LDP messages.
• Operational -> Non-Existent: a received message is a Shutdown message, or no message is received. Action: sends a Shutdown message.

• The LDP session negotiation process can be described through the state machine. As shown in the figure, there are five states. They are Non-Existent, Initialized, OpenRec, OpenSent, and Operational.
▫ Non-Existent: It is the initial state of an LDP session. In this state, both LSRs send Hello messages to elect the active LSR. After a TCP connection establishment success event is received, the state changes to Initialized.
▫ Initialized: In this state, the active LSR sends an Initialization message to the passive LSR, sets the session state to OpenSent, and waits for an Initialization message. The passive LSR waits for the Initialization message sent by the active LSR. If the parameters in the received Initialization message are accepted, the passive LSR sends Initialization and KeepAlive messages, and sets the session state to OpenRec. When the active and passive LSRs receive any non-initialization message or the waiting period times out, both of them set the session state to Non-Existent.
▫ OpenSent: It is a state after the active LSR sends an Initialization message. In the OpenSent state, the active LSR waits for the passive LSR to respond to the Initialization and KeepAlive messages. If the parameters in the received Initialization message are accepted, the active LSR sets the session state to OpenRec. However, if the parameters are not accepted or the Initialization message times out, the active LSR tears down the TCP connection and sets the session state to Non-Existent.
▫ OpenRec: In this state, both the active and passive LSRs wait for a KeepAlive message from the peer end after they send KeepAlive messages. An LSR sets the session state to Operational state after receiving a KeepAlive message, but sets the session state to Non-Existent if a non-KeepAlive message is received or the KeepAlive message times out.
▫ Operational: This state indicates that an LDP session is established successfully. In this state, all other LDP messages can be sent and received. The state changes to Non-Existent if a KeepAlive message times out, a notification message indicating a fatal error (such as a Shutdown message) is passively received, or a Shutdown message is actively sent to terminate the current session.
• The LDP state change information can be viewed using the debug mpls ldp session command.
LDP Session Establishment: Peer Discovery and TCP Session Establishment

[Figure: R1 (GE0/0/0 10.0.12.1, transport address 1.1.1.1) and R2 (GE0/0/0 10.0.12.2, transport address 2.2.2.2). Discovery phase: Hello (UDP) 10.0.12.1:646 -> 224.0.0.2:646 and 10.0.12.2:646 -> 224.0.0.2:646; session state Non-Existent. TCP connection establishment phase: TCP SYN 2.2.2.2:22139 -> 1.1.1.1:646, TCP SYN ACK 1.1.1.1:646 -> 2.2.2.2:22139, TCP ACK 2.2.2.2:22139 -> 1.1.1.1:646; the LSR with the larger transport address initiates the TCP connection request; session state Initialized.]

Discovery phase
⚫ An LSR periodically sends LDP Link Hello messages to implement the basic LDP discovery mechanism.
⚫ LDP Link Hello messages are encapsulated in UDP packets, with the destination address being the multicast address 224.0.0.2. If an LSR receives LDP Link Hello messages on an interface, it indicates that this interface has established an LDP peer relationship.

TCP Connection Establishment Phase
⚫ A Hello message carries a transport address, which will be used to establish an LDP session.
⚫ The LSR with the larger transport address is the active LSR and initiates a TCP connection request.
⚫ After the TCP three-way handshake, a TCP connection is established.

12 Huawei Confidential

• In addition to the basic discovery mechanism, the extended discovery mechanism
is supported, which can be used to discover indirectly connected remote
adjacencies. For details, see RFC5036.

• LDP transport addresses are used to establish TCP connections with peers.
▫ Before establishing an LDP session, two LSRs need to establish a TCP
connection to exchange LDP packets.
▫ A transport address of an LSR is contained in LDP Hello messages, through
which an LSR can learn the transport addresses of its peers.

▫ After two LSRs discover each other and learn each other's transport address
through Hello messages, the LSRs attempt to perform the TCP three-way
handshake (based on the transport addresses), and exchange LDP
Initialization messages, Label Mapping messages, and so on. All these
messages use the transport addresses of the two ends as source and
destination IP addresses.
▫ An LSR must have a route to the transport address of its peer.

▫ By default, the transport address for a device on a public network is the LSR
ID of the device, and the transport address for a device on a private
network is the primary IP address of an interface on the device.

▫ The mpls ldp transport-address command can be run in the interface view
to change a transport address.
LDP Session Establishment - Session Establishment and Maintenance

[Figure: R1 (GE0/0/0 10.0.12.1, transport address 1.1.1.1) and R2 (GE0/0/0 10.0.12.2, transport address 2.2.2.2), after completion of peer discovery and the TCP three-way handshake. R2 sends an Initialization message to negotiate related parameters and enters OpenSent. R1 replies with a KeepAlive message if the peer's parameters are accepted, and initiates an Initialization message. R2 sends a KeepAlive message if these parameters are accepted and enters OpenRec. The LDP session then enters the Operational state.]

⚫ After a TCP connection is established, R2 (the active LSR, with the larger transport address) sends an LDP Initialization message to negotiate parameters related to LDP session establishment.
⚫ These parameters include the LDP version, label distribution mode, KeepAlive timer value, maximum PDU length, and label space.
⚫ After R1 receives the Initialization message, it replies with a KeepAlive message if it accepts R2's parameters. To improve transmission efficiency, R1 also sends an Initialization message.
⚫ After R2 receives the Initialization message, it replies with a KeepAlive message if it accepts R1's parameters.
⚫ After both ends receive each other's KeepAlive message, the session is established successfully. They periodically send KeepAlive messages to maintain the session.

LDP Peer State

[Figure: R1 (LSR ID 1.1.1.1, transport address 1.1.1.1, GE0/0/0 10.0.12.1/24) and R2 (LSR ID 2.2.2.2, transport address 2.2.2.2, GE0/0/0 10.0.12.2/24).]

<R1>display mpls ldp peer

LDP Peer Information in Public network
A '*' before a peer means the peer is being deleted.
-----------------------------------------------------------------------
PeerID TransportAddress DiscoverySource
-----------------------------------------------------------------------
2.2.2.2:0 2.2.2.2 GigabitEthernet0/0/0
-----------------------------------------------------------------------
TOTAL: 1 Peer(s) Found.

⚫ PeerID: LDP ID of the peer
 2.2.2.2: LSR ID of the peer
 0: device-based label space
⚫ TransportAddress: transport address of the peer
 2.2.2.2: IP address used to establish a TCP connection
LDP Session States

[Figure: R1 (LSR ID 1.1.1.1, transport address 1.1.1.1, GE0/0/0 10.0.12.1/24) and R2 (LSR ID 2.2.2.2, transport address 2.2.2.2, GE0/0/0 10.0.12.2/24).]

<R1>display mpls ldp session

LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
----------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
----------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:00:33 133/133
----------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

⚫ Status: state of the LDP session
 Operational: The LDP session is established successfully.
⚫ LAM: label advertisement mode
 There are two label advertisement modes: DU and DoD (described later). This example uses the DU mode.
⚫ SsnRole: role that an LSR plays in an LDP session
 Active and Passive indicate the active role and passive role in LDP session establishment, respectively.

• LDP session states:
▫ NonExistent: initial state of an LDP session. In this state, the two ends send
Hello messages to each other. After the TCP connection establishment
success event is triggered, the session enters the Initialized state.
▫ Initialized: The LDP session is being initialized.
▫ OpenSent: The active LSR sends an Initialization message to the passive LSR
and waits for a reply.
▫ Open Recv: LDP peers at both ends of the LDP session wait for a KeepAlive
message from each other after the session enters the initialization state. If
they receive each other's KeepAlive message, the LDP session enters the
Operational state.
▫ Operational: The LDP session is established successfully.
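The five-state session machine from the LDP Session Establishment slides and the session-state list above, written out as a small simulation (an added example, not code from the course or from Huawei). The active/passive roles follow the transport-address comparison on the discovery slide; the Initialization parameters, the version-and-mode acceptance rule and the message names are simplifying assumptions.

```python
"""LDP session state machine simulation (added example, not course code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# The five session states named on the slides.
NON_EXISTENT, INITIALIZED = "Non-Existent", "Initialized"
OPEN_SENT, OPEN_REC, OPERATIONAL = "OpenSent", "OpenRec", "Operational"


@dataclass
class LdpPeer:
    lsr_id: str
    transport: str                      # transport address learned from Hello
    state: str = NON_EXISTENT
    role: str = ""                      # "Active" or "Passive", set on TCP success
    # Parameters carried in our Initialization message (constructed values):
    # LDP version, label advertisement mode, KeepAlive time, max PDU length.
    params: dict = field(default_factory=lambda: {
        "version": 1, "lam": "DU", "keepalive": 45, "max_pdu": 4096})
    outbox: list = field(default_factory=list)  # (msg_type, payload) for the peer
    log: list = field(default_factory=list)

    def _set(self, new_state, why):
        self.log.append(f"{self.lsr_id}: {self.state} -> {new_state} ({why})")
        self.state = new_state

    def _accept(self, params):
        # Simplified negotiation: version and advertisement mode must match.
        return (params["version"] == self.params["version"]
                and params["lam"] == self.params["lam"])

    def tcp_established(self, peer_transport):
        """TCP three-way handshake succeeded: leave Non-Existent."""
        assert self.state == NON_EXISTENT
        larger = IPv4Address(self.transport) > IPv4Address(peer_transport)
        self.role = "Active" if larger else "Passive"
        self._set(INITIALIZED, "TCP connection established")
        if self.role == "Active":
            # The active LSR sends Initialization and waits in OpenSent.
            self.outbox.append(("Initialization", self.params))
            self._set(OPEN_SENT, "sent Initialization")

    def timeout(self):
        """Expiry of the Initialization or KeepAlive timer tears the session down."""
        self._set(NON_EXISTENT, "timer expired")

    def receive(self, msg_type, payload=None):
        if self.state in (INITIALIZED, OPEN_SENT):
            # Initialized: the passive LSR waits for the active LSR's Initialization.
            # OpenSent: the active LSR waits for the passive LSR's Initialization.
            if msg_type == "Initialization" and self._accept(payload):
                if self.state == INITIALIZED:
                    self.outbox.append(("Initialization", self.params))
                self.outbox.append(("KeepAlive", None))
                self._set(OPEN_REC, "accepted Initialization, sent KeepAlive")
            else:
                self.outbox.append(("Notification", "Session Rejected"))
                self._set(NON_EXISTENT, f"{msg_type} not acceptable here")
        elif self.state == OPEN_REC:
            # Both sides have sent KeepAlive and wait for the peer's KeepAlive.
            if msg_type == "KeepAlive":
                self._set(OPERATIONAL, "received KeepAlive")
            else:
                self._set(NON_EXISTENT, f"{msg_type} received instead of KeepAlive")
        elif self.state == OPERATIONAL:
            # Label Mapping, Address and KeepAlive messages are processed normally;
            # a fatal Notification (e.g. Shutdown) ends the session.
            if msg_type in ("Shutdown", "Notification"):
                self._set(NON_EXISTENT, f"fatal {msg_type} received")
        # In Non-Existent only a TCP success event matters; other input is ignored.


def establish_session(r1, r2, max_rounds=10):
    """Deliver messages between the two peers until none remain; return the
    final (r1 state, r2 state)."""
    r1.tcp_established(r2.transport)
    r2.tcp_established(r1.transport)
    for _ in range(max_rounds):
        moved = False
        for src, dst in ((r1, r2), (r2, r1)):
            while src.outbox:
                msg_type, payload = src.outbox.pop(0)
                dst.receive(msg_type, payload)
                moved = True
        if not moved:
            break
    return r1.state, r2.state


if __name__ == "__main__":
    r1 = LdpPeer("1.1.1.1", "1.1.1.1")
    r2 = LdpPeer("2.2.2.2", "2.2.2.2")
    print(establish_session(r1, r2), r1.role, r2.role)
    print("\n".join(r1.log + r2.log))
```

With the slide's addresses R2 (2.2.2.2) becomes the active LSR and R1 the passive one, matching the SsnRole column of display mpls ldp session on R1.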


Contents

1. Basic LDP Concepts

2. LDP Principles
▫ LDP Session Establishment
◼ LDP-based Label Distribution
▫ LDP Working Process

3. Basic LDP Configurations

Label Advertisement and Management
⚫ On an MPLS network, a downstream LSR determines the bindings between labels and FECs and advertises the bindings to its
upstream LSR.
 To establish LSPs, LDP sends Label Request and Label Mapping messages to advertise the bindings between labels and FECs.
⚫ Label advertisement and management are determined by the label advertisement mode, label distribution control mode, and label
retention mode.

Label advertisement mode
 Downstream unsolicited (DU), default: An LSR assigns and distributes labels to a FEC without receiving Label Request messages from its upstream LSR.
 Downstream on demand (DoD), not default: An LSR assigns and distributes labels to a FEC only after receiving Label Request messages from its upstream LSR.
Label distribution control mode
 Independent, not default: A local LSR assigns and binds a label to a FEC and then advertises the binding to the upstream LSR, without waiting for the label distributed by the downstream LSR.
 Ordered, default: An LSR sends the label mapping of a FEC to its upstream device only if the LSR has received Label Mapping messages from the next hop of the FEC or if the LSR is the egress of the FEC.
Label retention mode
 Liberal, default: An LSR retains all label mappings received from a peer, regardless of whether the peer is its next hop.
 Conservative, not default: An LSR retains the label mappings received from a peer only if the peer is its next hop.
Upstream and Downstream
⚫ MPLS determines the upstream and downstream relationships based on the data forwarding direction. Labeled
packets are sent from an upstream LSR, and received and processed by a downstream LSR.
⚫ As shown in the figure, for the LSP to 192.168.3.0/24, R3 is the downstream LSR of R2, and R1 is the upstream LSR
of R2.

[Figure: R1 -> R2 -> R3 inside an MPLS domain, with 192.168.3.0/24 attached to R3; the data transmission direction runs from R1 to R3.]
Label Advertisement Mode - DU
⚫ DU mode
 An LSR assigns and distributes labels to a FEC without having to receive Label Request messages from its
upstream LSR.
 An LSR actively advertises the labels of a FEC to its upstream peer without having to receive Label Request
messages from the peer.

[Figure: R1 -> R2 -> R3 with 192.168.3.0/24 attached to R3. R3 advertises label mappings to its upstream node R2, and R2 advertises label mappings to its upstream node R1.]

• Label assignment: An LSR assigns a label from the local label space and binds it
with a FEC.
• Label distribution: An LSR notifies the upstream LSR of the binding between
labels and FECs.
• When the DU label advertisement mode is used, an LSR can assign labels to all
its peers by default. Specifically, each LSR can distribute label mappings to all its
peers, regardless of whether the LSR is an upstream or a downstream one. If an
LSR distributes labels only to upstream peers, it must identify its upstream and
downstream nodes based on routing information before sending Label Mapping
messages. An upstream node cannot send Label Mapping messages to its
downstream node.
Label Advertisement Mode - DoD
⚫ DoD mode
 An LSR assigns and distributes labels to a FEC only after receiving Label Request messages from its upstream
LSR.
 Generally, a Label Request message is triggered when an access request to a particular FEC arises.

[Figure: R1 -> R2 -> R3 with 192.168.3.0/24 attached to R3. R1 requires access to the 192.168.3.0/24 network segment, so R1 requests labels from R2 and R2 requests labels from R3; R3 then advertises label mappings to its upstream node R2, and R2 advertises label mappings to its upstream node R1.]

• An LSR advertises label mappings to an upstream peer only after receiving Label
Request messages from the upstream peer.
Label Distribution Control Mode - Independent
⚫ Independent mode
 A local LSR assigns and binds a label to a FEC and then advertises the binding to the upstream LSR, without
waiting for the label distributed by the downstream LSR.

[Figure: two cases on the chain R1 -> R2 -> R3 -> R4 with 192.168.4.0/24 attached to R4. DU + Independent: R2 and R3 each advertise label mappings to their upstream node in no particular order (unordered). DoD + Independent: R1 requests labels from R2 and R2 requests labels from R3; R2 and R3 then advertise label mappings to their upstream node, again unordered.]

• The label distribution control mode works with the label advertisement mode:
▫ If the network shown in the figure uses the DU label advertisement mode,
R2 and R3 can actively notify the upstream LSR of the label binding for the
FEC 192.168.4.0/24 even if the upstream LSR does not send Label Request
messages and R2 and R3 do not receive label binding information from the
downstream LSR.
▫ If the network uses the DoD label advertisement mode, R2 and R3 can
notify the upstream LSR of the label binding for the FEC 192.168.4.0/24
given that R2 and R3 have received Label Request messages from the
upstream LSR, regardless of whether R2 and R3 have received label binding
information from the downstream LSR.
Label Distribution Control Mode - Ordered
⚫ Ordered mode
 An LSR sends the label mapping of a FEC to its upstream device only if the LSR has received Label Mapping
messages from the downstream of the FEC or if the LSR is the egress of the FEC.
[Figure: two cases on the chain R1 -> R2 -> R3 -> R4 (egress LSR) with 192.168.4.0/24 attached to R4. DU + Ordered: label mappings are advertised to the upstream node in the order R4 -> R3 (1), R3 -> R2 (2), R2 -> R1 (3). DoD + Ordered: Label Requests travel R1 -> R2 (1), R2 -> R3 (2), R3 -> R4 (3), and label mappings then return R4 -> R3 (4), R3 -> R2 (5), R2 -> R1 (6).]

• In ordered label distribution control mode, an LSR can send a Label Mapping
message to its upstream node only when the LSR receives Label Mapping
messages of a FEC from the downstream of the FEC or when the LSR is the
egress of an LSP.
▫ If the network shown in the figure uses the DU label advertisement mode,
an LSR sends the label binding information of the FEC 192.168.4.0/24 to its
upstream node only after the LSR receives the label binding information of
the FEC from its downstream node, even if the upstream node has sent
Label Request messages. Therefore, the initiator for LSP establishment must
be an egress LSR (R4 in this example).
▫ If the network uses the DoD label advertisement mode, an LSR advertises
the label binding information of the FEC 192.168.4.0/24 to the upstream
node only after the LSR receives Label Request messages from the
upstream node as well as the label binding information of the FEC from the
downstream node. Therefore, a Label Request message can be initiated by
the ingress LSR (R1) only. After a Label Request is sent hop by hop to the
egress LSR (R4), R4 advertises a Label Mapping message to the upstream
LSR to establish an LSP.
Label Retention Mode - Liberal
⚫ Liberal mode
 An LSR can receive label mappings from its next hop or non-next hop nodes.
 An LSR retains all label mappings received from a peer, regardless of whether the peer is its next hop.

[Figure: R1 -> R2 -> R3 -> R4 with 192.168.1.0/24 attached to R1, and R5 also connected to R3. R2 (R3's next hop to 192.168.1.0/24) and R5 (not the next hop) both advertise label mappings for 192.168.1.0/24 to R3.]

• If MPLS is deployed on an IP network, an LSR uses the IP routing table to
determine whether a label mapping is received from the next hop.
• In liberal mode, a new LSP can be quickly established when routes change,
because all received labels are retained, which is the biggest advantage of this
mode. The disadvantage is that unnecessary label mappings are distributed and
maintained.
▫ In DU label advertisement mode, if the liberal label retention mode is used,
R3 retains the labels of the FEC 192.168.1.0/24 sent by all LDP peers (R2
and R5 in this example), regardless of whether R2 and R5 are the next hops
of the routes to 192.168.1.0/24 in the IP routing table.
▫ In DoD label advertisement mode, if the liberal label retention mode is
used, an LSR requests labels from all LDP peers. However, the DoD label
advertisement mode is generally used together with the conservative label
retention mode.
Label Retention Mode - Conservative
⚫ Conservative mode
 An LSR retains the label mappings received from a peer only if the peer is its next hop.

[Figure: same topology as for the liberal mode. Assume that the next hop of the IP route from R3 to 192.168.1.0/24 is R2. R2 advertises label mappings to its upstream node R3, which retains them; the label mapping advertised by R5 is not retained.]

• The advantage of the conservative mode is that only the labels that will be used
to forward data are retained and maintained, thereby saving the label space.
▫ In DU label advertisement mode, an LSR may receive Label Mapping
messages for the same network segment (FEC) from multiple LDP peers. As
shown in the figure, R3 receives Label Mapping messages for the network
segment 192.168.1.0/24 from both R2 and R5. If the conservative label
retention mode is used, R3 retains only the label sent by the next hop R2
and discards the label sent by the non-next hop R5.
▫ In DoD label advertisement mode, an LSR uses routing information to
determine its next hop and requests labels only from the next hop.
• If the next hop of a FEC changes, either of the following situations occurs:

▫ In liberal label retention mode, the LSR can use an existing label advertised
by a non-next hop LSR to quickly establish an LSP. The liberal mode
requires more memory and label space.
▫ In conservative label retention mode, the LSR retains the labels advertised
by the next hop only. This mode saves memory and label space but
consumes more time to reestablish the LSP.
▫ An LSR that has a limited label space usually uses the conservative mode
and DoD mode.
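The three mode pairs described above (DU/DoD, Independent/Ordered, Liberal/Conservative), simulated together on a four-router topology in which R1 reaches 192.168.4.0/24 (attached to R4) via R2 or R3, with next hops R1 -> R2, R2 -> R4 and R3 -> R4. This is an added example, not course or Huawei code; the per-router label bases (1011, 1021, 1031, 1041), the simplified message handling and the build() topology are assumptions.

```python
"""LDP label distribution simulator (added example, not course code)."""
from collections import deque


class Lsr:
    def __init__(self, name, base_label, peers, next_hop, lam, control, retention):
        self.name, self.peers, self.next_hop = name, set(peers), next_hop
        self.lam, self.control, self.retention = lam, control, retention
        self.next_label = base_label   # constructed per-router label base
        self.local_label = None        # label this LSR bound to the FEC
        self.received = {}             # peer -> retained label mapping
        self.requested = set()         # upstream peers that sent Label Request (DoD)
        self.advertised = set()        # peers already sent our Label Mapping
        self.request_sent = False

    @property
    def egress(self):
        return self.next_hop is None   # FEC is directly connected

    def may_advertise(self):
        # Ordered: only once the next hop's mapping is in hand (or we are egress).
        # Independent: right away.
        return (self.egress or self.control == "independent"
                or self.next_hop in self.received)


def run(lsrs, ingress="R1"):
    """Exchange Label Request / Label Mapping messages until the network is quiet.
    Returns the log of (kind, from, to, label) events in delivery order."""
    queue, log = deque(), []

    def send(kind, src, dst, label=None):
        queue.append((kind, src, dst, label))
        log.append((kind, src, dst, label))

    def advertise(x):
        if x.local_label is None:              # label assignment
            x.local_label, x.next_label = x.next_label, x.next_label + 1
        # DU: push the mapping to every peer; DoD: only to peers that asked for it.
        targets = x.peers if x.lam == "DU" else x.requested
        for p in sorted(targets - x.advertised):   # label distribution
            x.advertised.add(p)
            send("Mapping", x.name, p, x.local_label)

    def request_downstream(x):
        if not x.egress and not x.request_sent:
            x.request_sent = True
            send("Request", x.name, x.next_hop)

    for x in lsrs.values():                    # DU: unsolicited start
        if x.lam == "DU" and x.may_advertise():
            advertise(x)
    if lsrs[ingress].lam == "DoD":             # DoD: the ingress asks first
        request_downstream(lsrs[ingress])

    while queue:
        kind, src, dst, label = queue.popleft()
        x = lsrs[dst]
        if kind == "Request":
            x.requested.add(src)
            request_downstream(x)              # a transit LSR needs its own downstream label
        elif x.retention == "liberal" or src == x.next_hop:
            x.received[src] = label            # retain the mapping
        else:
            log.append(("Discard", src, dst, label))   # conservative: not from next hop
        if x.may_advertise() and (x.lam == "DU" or x.requested):
            advertise(x)
    return log


def build(lam, control, retention):
    """Assumed topology: R1 reaches 192.168.4.0/24 (attached to R4) via R2 or R3;
    next hops R1 -> R2, R2 -> R4, R3 -> R4."""
    mk = lambda n, base, peers, nh: Lsr(n, base, peers, nh, lam, control, retention)
    return {"R1": mk("R1", 1011, {"R2", "R3"}, "R2"),
            "R2": mk("R2", 1021, {"R1", "R4"}, "R4"),
            "R3": mk("R3", 1031, {"R1", "R4"}, "R4"),
            "R4": mk("R4", 1041, {"R2", "R3"}, None)}


def lsp(lsrs, start="R1"):
    """Follow next hops from the ingress; returns [(LSR, in label, out label)]."""
    path, x = [], lsrs[start]
    while True:
        out = None if x.egress else x.received.get(x.next_hop)
        path.append((x.name, x.local_label, out))
        if out is None:
            return path
        x = lsrs[x.next_hop]


if __name__ == "__main__":
    for modes in (("DU", "ordered", "liberal"), ("DoD", "ordered", "conservative")):
        net = build(*modes)
        for event in run(net):
            print(modes, event)
        print(modes, "LSP:", lsp(net))
```

Running the DU + Ordered + Liberal combination shows R1 retaining both R2's and R3's mappings while the LSP uses only R2's; the conservative variant logs the discarded R3 mapping instead.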
PHP

[Figure: R1 -> R2 -> R3 inside an MPLS domain, with 192.168.3.0/24 attached to R3. A packet to 192.168.3.3 enters R1 as an IP packet, leaves R1 carrying label 1033 (R2 advertised Label=1033 for 192.168.3.0/24), and leaves R2 as a plain IP packet because R3 advertised Label=3 for 192.168.3.0/24.]

⚫ Penultimate hop popping (PHP): If PHP is enabled, an egress assigns a special label (3) to a local
route. This label is called an implicit null label. When an LSR forwards a labeled packet and finds that
the outgoing label value is 3, the LSR removes the top label from the packet and forwards the inner
data to the downstream LSR.

• During label advertisement, R3 is the egress of the FEC 192.168.3.0/24. During
label distribution, R3 assigns label 3 to the FEC and advertises the label binding
information to R2.

• During data forwarding, R2, as the penultimate hop to 192.168.3.0, finds that the
outgoing label value is 3. Then, R2 removes the label header and forwards the IP
packet to R3. R3 only needs to query the FIB once to obtain the corresponding
forwarding information, improving the forwarding efficiency.
Implicit Null Label and Explicit Null Label (1)
⚫ By default, an egress assigns implicit null labels, that is, label 3, to the penultimate hop.
⚫ However, if QoS is deployed, after the label is popped out, the priority in the label is lost.

[Figure: R1 (192.168.1.0/24 attached) -> R2 -> R3 -> R4 (192.168.4.0/24 attached), with links 10.0.12.1/24-10.0.12.2/24, 10.0.23.2/24-10.0.23.3/24 and 10.0.34.3/24-10.0.34.4/24. A packet to 192.168.4.4 carries label 200 with EXP from R1 to R2 and label 300 with EXP from R2 to R3; the label is popped out on the penultimate hop R3, so the packet from R3 to R4 is a plain IP packet and the QoS information is lost.]
Implicit Null Label and Explicit Null Label (2)
⚫ In the explicit null label mechanism, an egress assigns label 0 to the penultimate hop.
⚫ When R3 forwards a labeled packet of which the outgoing label is 0, R3 does not pop out the label header, and
therefore QoS information is retained. When R4 receives a packet with label 0, it directly pops out the label without
searching for an ILM entry.
⚫ By default, an egress assigns implicit null labels. You can run the label advertise explicit-null command to enable
the egress to assign explicit null labels to the penultimate hop.

[Figure: same topology as on the previous slide. The packet to 192.168.4.4 carries label 200 with EXP from R1 to R2, label 300 with EXP from R2 to R3, and label 0 with EXP from R3 to R4, so the QoS information is retained.]

• Run the label advertise { explicit-null | implicit-null | non-null } command in the
MPLS view to configure the label to be assigned to the penultimate hop.
• You can specify one of the following parameters:
▫ implicit-null: is the default value. If this parameter is set, an egress assigns
an implicit null label with the value of 3 to the penultimate hop.
▫ explicit-null: If this parameter is set, an egress assigns an explicit null label
with the value of 0 to the penultimate hop. The explicit-null parameter can
be set if MPLS QoS attributes need to be used.
▫ non-null: If this parameter is set, an egress assigns a common label with a
value greater than or equal to 16 to the penultimate hop.
Contents

1. Basic LDP Concepts

2. LDP Principles
▫ LDP Session Establishment
▫ LDP-based Label Distribution
◼ LDP Working Process

3. Basic LDP Configurations

Networking Overview
⚫ OSPF has been deployed on the network, and devices can learn routes from each other.
⚫ MPLS and LDP have been enabled on devices and interfaces, and local LDP sessions have been established between
neighboring devices.

⚫ All LSRs use the DU + Independent + Liberal modes.


[Figure: R1 connects to R2 and R3, and R2 and R3 connect to R4; 192.168.4.0/24 is attached to R4; OSPF and LDP run between the routers.]

Routing table entries for 192.168.4.0/24 (Destination/Mask, Proto, Cost, NH):
 R1: 192.168.4.0/24 OSPF 2 R2
 R2: 192.168.4.0/24 OSPF 1 R4
 R3: 192.168.4.0/24 OSPF 10 R4
 R4: 192.168.4.0/24 Direct 0 -

• Currently, Huawei devices use the DU + Ordered + Liberal modes by default.
• For a packet that enters the MPLS domain from R1 and is destined for
192.168.4.0/24, R1 is the ingress LSR, and R4 is the egress LSR.
Label Distribution - Egress LSR
⚫ R4 is directly connected to the network segment 192.168.4.0/24. R4 actively assigns labels, such as 1041, to routes
destined for this network segment and advertises label mapping information to its LDP peers (R2 and R3) through
LDP packets.

[Figure: same topology as in the networking overview. R4 advertises LDP label mappings for 192.168.4.0/24 to R2 and R3. Routing table entries (Destination/Mask, Proto, Cost, NH): R2: 192.168.4.0/24 OSPF 1 R4; R3: 192.168.4.0/24 OSPF 10 R4.]

• Note: By default, 32-bit host IP routes are used to trigger LSP establishment. You
can manually trigger the establishment of an LSP with non-32-bit host IP routes.
Label Distribution - Transit LSR
⚫ Take R2 as an example. In its routing table, the next hop of the route 192.168.4.0/24 is R4. When R2 receives a
Label Mapping message for the route 192.168.4.0/24 from R4, R2 assigns label 1021 to the route because the
message is sent by a downstream LDP peer, and advertises the label mapping to the LDP peer, for example, R1. This
process also applies to R3.
[Figure: same topology. R2 and R3 advertise LDP label mappings for 192.168.4.0/24 to R1. Routing table entries (Destination/Mask, Proto, Cost, NH): R2: 192.168.4.0/24 OSPF 1 R4; R3: 192.168.4.0/24 OSPF 10 R4.]
Label Distribution - Ingress LSR
⚫ After R1 receives the label mappings for the route 192.168.4.0/24 advertised by R2 and R3, R1 stores both of the
label mappings. However, R1 only uses label 1021 advertised by R2, because the next hop of the route to
192.168.4.0/24 is R2, as shown in R1's routing table.

[Figure: same topology. R1 receives LDP label mapping advertisements from both R2 and R3. Routing table entry of R1 (Destination/Mask, Proto, Cost, NH): 192.168.4.0/24 OSPF 2 R2.]

• Note: If R2 fails, OSPF routes re-converge. The next hop of the route
192.168.4.0/24 in the routing table of R1 is switched to R3. In this case, R1 uses
the label advertised by R3 for 192.168.4.0/24.
Label-based Forwarding - Ingress LSR
⚫ As an ingress LSR, R1 pushes a label into each received IP packet, and forwards packets based on
labels.

[Figure: LSP from R1 via R2 to R4 for 192.168.4.0/24 (R3 is also connected to R1 and R4); a packet to 192.168.4.1 enters the domain at R1.]

Routing table of R1 (Destination/Mask, Proto, Cost, NH):
 192.168.4.0/24 OSPF 2 R2
FIB of R1 (Destination/Mask, Proto, Cost, NH, Tunnel ID):
 192.168.4.0/24 OSPF 2 R2 0x12
NHLFE table of R1 (Tunnel ID, Out intf, OPER, NH, Out Label):
 0x12 GE0/0/0 push R2 1021

• When R1 receives an IP packet destined for 192.168.4.1, it searches the FIB for a
forwarding entry matching the destination IP address of the packet, and finds
that the tunnel ID in the matching entry is not 0. As such, R1 continues to search
for an NHLFE matching the tunnel ID, pushes a label to the IP packet, and
forwards the packet. The outbound interface is GE 0/0/0, the next hop is R2, and
the outgoing label is 1021. Therefore, R1 adds a label header to the packet and
forwards the packet.
Label-based Forwarding - Transit LSR
⚫ As a transit LSR, R2 needs to swap labels in received IP packets and forward the packets.

[Figure: same LSP; R2 is the transit LSR between R1 and R4.]

ILM table of R2 (In Label, Tunnel ID):
 1021 0x12
NHLFE table of R2 (Tunnel ID, Out intf, OPER, NH, Out Label):
 0x12 GE0/0/1 Swap R4 1041

• When R2 receives a packet with label 1021, it searches for a matching ILM entry
and an NHLFE matching the ILM entry. Then, R2 changes the label of the packet
to 1041 and forwards the packet through the matching outbound interface.
Label-based Forwarding - Egress LSR
⚫ As an egress LSR, R4 needs to perform the pop operation on received IP packets to remove labels and
forward the packets through IP.

[Figure: same LSP; R4 is the egress LSR and delivers the packet to 192.168.4.1 through GE0/0/0.]

ILM table of R4 (In Label, Tunnel ID, Out intf, OPER, NH, Out Label):
 1041 0x12 GE0/0/0 Pop - Null

• When R4 receives a packet with label 1041, it searches for a matching ILM entry
and finds that the operation type is pop. R4 then performs a pop operation to
remove the outer label from the packet. The packet then becomes a standard IP
packet, and therefore R4 performs the standard IP forwarding on the packet.
• When R4 forwards the packet, it searches the LFIB and FIB. How can the
forwarding efficiency be improved on the egress LSR (R4)?
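The FIB, NHLFE and ILM lookups of the ingress, transit and egress LSRs above, together with the penultimate-hop behaviour of the implicit null label (3) and the explicit null label (0) from the PHP slides, as an added example (not course or Huawei code). The table contents are the slide values (labels 1021 and 1041, tunnel ID 0x12); the EXP value, the label-3 and label-0 variants of R2's NHLFE entry and the lookup counter are assumptions.

```python
"""MPLS label forwarding with PHP / explicit null (added example, not course code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

IMPLICIT_NULL, EXPLICIT_NULL = 3, 0        # reserved label values


@dataclass
class Packet:
    dst: str
    exp: int = 0                            # QoS priority the ingress writes into EXP
    labels: list = field(default_factory=list)   # label stack, top first: (label, exp)


@dataclass
class Nhlfe:
    out_intf: str
    oper: str                               # "push" | "swap" | "pop"
    next_hop: Optional[str]
    out_label: Optional[int]


class Lsr:
    def __init__(self, name):
        self.name = name
        self.fib = []          # (network, next_hop, tunnel_id); tunnel_id 0 = plain IP
        self.nhlfe = {}        # tunnel_id -> Nhlfe
        self.ilm = {}          # incoming label -> tunnel_id
        self.lookups = 0       # FIB + ILM lookups performed for the last packet
        self.exp_seen = None   # EXP of the label this LSR received, if any

    def forward(self, pkt):
        """Forward one packet in place; returns (operation, next hop)."""
        self.lookups, self.exp_seen = 0, None
        if not pkt.labels:
            return self._ip_forward(pkt)
        label, exp = pkt.labels[0]
        self.exp_seen = exp
        if label == EXPLICIT_NULL:
            # Explicit null: pop without an ILM lookup, then route the IP packet.
            pkt.labels.pop(0)
            return self._ip_forward(pkt)
        self.lookups += 1
        tid = self.ilm.get(label)
        if tid is None:
            return ("drop", None)
        entry = self.nhlfe[tid]
        if entry.oper == "pop":
            # Egress without PHP: ILM lookup, pop, then a second (FIB) lookup.
            pkt.labels.pop(0)
            return self._ip_forward(pkt)
        if entry.out_label == IMPLICIT_NULL:
            # PHP: the penultimate hop pops instead of swapping; EXP bits are gone.
            pkt.labels.pop(0)
            return ("pop", entry.next_hop)
        pkt.labels[0] = (entry.out_label, exp)   # swap, keeping the EXP bits
        return ("swap", entry.next_hop)

    def _ip_forward(self, pkt):
        self.lookups += 1
        dst = ip_address(pkt.dst)
        matches = [e for e in self.fib if dst in e[0]]
        if not matches:
            return ("drop", None)
        _net, nh, tid = max(matches, key=lambda e: e[0].prefixlen)  # longest match
        if tid == 0:
            return ("ip", nh)
        entry = self.nhlfe[tid]   # tunnel ID != 0: continue to the NHLFE and push
        pkt.labels.insert(0, (entry.out_label, pkt.exp))
        return ("push", entry.next_hop)


def build(penultimate_out_label=1041):
    """R1 -> R2 -> R4 tables from the slides. R2's outgoing label selects
    no PHP (1041), PHP / implicit null (3) or explicit null (0)."""
    r1, r2, r4 = Lsr("R1"), Lsr("R2"), Lsr("R4")
    r1.fib = [(ip_network("192.168.4.0/24"), "R2", 0x12)]
    r1.nhlfe[0x12] = Nhlfe("GE0/0/0", "push", "R2", 1021)
    r2.ilm[1021] = 0x12
    r2.nhlfe[0x12] = Nhlfe("GE0/0/1", "swap", "R4", penultimate_out_label)
    r4.ilm[1041] = 0x12
    r4.nhlfe[0x12] = Nhlfe("GE0/0/0", "pop", None, None)
    r4.fib = [(ip_network("192.168.4.0/24"), "direct", 0)]
    return {"R1": r1, "R2": r2, "R4": r4}


def run(lsrs, pkt):
    """Carry pkt along R1 -> R2 -> R4; returns [(LSR, operation, stack after)]."""
    trace = []
    for name in ("R1", "R2", "R4"):
        oper, _next_hop = lsrs[name].forward(pkt)
        trace.append((name, oper, list(pkt.labels)))
    return trace


if __name__ == "__main__":
    for out_label in (1041, IMPLICIT_NULL, EXPLICIT_NULL):
        net = build(out_label)
        print(out_label, run(net, Packet("192.168.4.1", exp=5)),
              "R4 lookups:", net["R4"].lookups, "EXP at R4:", net["R4"].exp_seen)
```

The lookup counter on R4 answers the question above: without PHP the egress searches the ILM and then the FIB, with PHP only the FIB, and with the explicit null label only the FIB while the EXP bits are still visible.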
Summary of an LDP-Capable LSR's Operations on an MPLS Network
⚫ An LSR runs an IGP (such as OSPF or IS-IS) to construct a routing table and FIB.
⚫ LDP assigns labels to route prefixes (FECs) in the routing table based on the label assignment mode it uses.
⚫ LDP advertises the labels assigned to the route prefixes to LDP peers through LDP Label Mapping messages based
on the label advertisement mode it uses.
⚫ An LSR stores the labels that it assigns to route prefixes and the labels that LDP peers advertise for the route
prefixes, and associates the labels with information such as outbound interfaces and next-hop addresses (label
forwarding entries).
⚫ When an LSR forwards a labeled packet, it always uses the outgoing label advertised by the downstream LDP peer.
The downstream peer is the next-hop device to the destination network in the routing table.
Contents

1. Basic LDP Concepts

2. LDP Principles

3. Basic LDP Configurations

Basic LDP Configuration Commands (1)
1. Enable LDP.

[Huawei] mpls ldp

The mpls ldp command enables LDP and displays the LDP view.
[Huawei-GigabitEthernet0/0/0] mpls ldp

Enable LDP on an interface. Before running this command, enable LDP globally.

2. Configure a remote LDP peer.

[Huawei] mpls ldp remote-peer remote-peer-name

The mpls ldp remote-peer command creates a remote peer and displays the remote peer view.
[Huawei-mpls-ldp-remote-PeerName] remote-ip ip-address

Set the remote-ip ip-address parameter to the IP address of a remote LDP peer.

Basic LDP Configuration Commands (2)
3. Configure a policy for triggering LSP establishment.

[Huawei-mpls] lsp-trigger { all | host | ip-prefix ip-prefix-name | none }

The lsp-trigger command configures the routes (static and IGP routes) that are used to trigger LSP establishment, which are
IP routes with a 32-bit mask by default.
• all: All static and IGP routes are used to trigger LSP establishment. If this parameter is set, a significant number of LSPs will be
established, consuming label resources excessively and slowing down network-wide LSP convergence. Therefore, setting this
parameter is not recommended.
• host: IP routes with a 32-bit mask are used to trigger LSP establishment.
• ip-prefix ip-prefix-name: Routes matching a specified IP prefix list are used to trigger LSP establishment.
• none: LSP establishment cannot be triggered.
4. Configure a label advertisement mode.
[Huawei-GigabitEthernet0/0/0] mpls ldp advertisement { dod | du }
The default label advertisement mode is downstream unsolicited (DU).
• If the label advertisement mode is DU, the label retention mode is liberal.
• If the label advertisement mode is DoD, the label retention mode is conservative.


• BGP routes can also be used to trigger LDP LSP establishment. This trigger policy
is not covered in this course.
Basic LDP Configuration Commands (3)
5. Configure an LDP label distribution control mode.

[Huawei-mpls-ldp] label distribution control-mode { independent | ordered }

The default LDP label distribution control mode is ordered.

6. Configure PHP.
[Huawei-mpls] label advertise { explicit-null | implicit-null | non-null }
By default, an egress distributes implicit null labels to a penultimate hop.
• explicit-null: An egress assigns explicit null labels to the penultimate hop.
• implicit-null: An egress assigns implicit null labels to the penultimate hop.
• non-null: An egress assigns common labels to the penultimate hop.

Configuration Examples

[Figure: R1 GE0/0/0 10.0.12.1/24 - GE0/0/0 10.0.12.2/24 R2 GE0/0/1 10.0.23.2/24 - GE0/0/0 10.0.23.3/24 R3 GE0/0/1 10.0.34.3/24 - GE0/0/0 10.0.34.4/24 R4. Loopback0 addresses: R1 10.0.1.1/32, R2 10.0.2.2/32, R3 10.0.3.3/32, R4 10.4.4.4/32. PC1 (IP 192.168.1.1/24, GW 192.168.1.254) is attached to R1 and PC2 (IP 192.168.4.1/24, GW 192.168.4.254) is attached to R4.]

Scenario: R1, R2, R3, and R4 run an IGP to implement IP interworking.

Requirement: Configure MPLS and LDP to implement mutual access between the network segments 192.168.1.0/24
and 192.168.4.0/24 through MPLS forwarding.
Configuration Procedure (1)

[Figure: same topology as in the configuration example.]

Enable basic MPLS and LDP functions on the devices. The following example uses R1.
[R1]mpls
[R1-mpls]quit
[R1]mpls ldp
[R1-mpls-ldp]quit
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]mpls
[R1-GigabitEthernet0/0/0]mpls ldp
[R1-GigabitEthernet0/0/0]quit
Configuration Procedure (2)

[Figure: same topology as in the configuration example.]

Because 192.168.1.0/24 is not a route with a 32-bit mask, you need
to configure a policy for triggering LSP establishment.

[R1]ip ip-prefix ldp permit 192.168.1.0 24
[R1]ip ip-prefix ldp permit 192.168.4.0 24
[R1]mpls
[R1-mpls]lsp-trigger ip-prefix ldp

Perform similar configuration on R4.

[R4]ip ip-prefix ldp permit 192.168.1.0 24
[R4]ip ip-prefix ldp permit 192.168.4.0 24
[R4]mpls
[R4-mpls]lsp-trigger ip-prefix ldp
Checking the Configuration - Checking LSP Information

# Check information about the LDP LSPs created on R1.

[R1]display mpls ldp lsp
LDP LSP Information
-------------------------------------------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------------------------------------------
10.0.2.2/32 1024/3 10.0.2.2 10.0.12.2 GE0/0/0
10.0.3.3/32 1025/1025 10.0.2.2 10.0.12.2 GE0/0/0
192.168.1.0/24 3/NULL 10.0.2.2 192.168.1.254 GE0/0/1
*192.168.1.0/24 Liberal/1027 DS/10.0.2.2
192.168.4.0/24 1027/1028 10.0.2.2 10.0.12.2 GE0/0/0

Quiz
1. (Single-answer question) Which of the following commands can be used to display a label distributed for a specific
FEC? ( )
A. display mpls ldp

B. display mpls ldp interface

C. display mpls lsp

D. display mpls ldp session

2. (Single-answer question) What is the default combination of label advertisement mode, label distribution control
mode, and label retention mode on Huawei devices? ( )
A. DU + Independent + Conservative

B. DU + Ordered+ Liberal

C. DoD + Independent+ Liberal

D. DoD + Ordered + Conservative


1. C
2. B
Summary
⚫ MPLS supports multiple label distribution protocols, among which LDP is widely used.
⚫ LDP is a process in which LSRs negotiate the meaning of labels. LDP uses discovery, session,
advertisement, and notification packets to establish sessions and distribute labels.

⚫ LDP determines label advertisement and management based on the label advertisement mode, label
distribution control mode, and label retention mode. By default, Huawei datacom devices use the DU
label advertisement mode + ordered label distribution control mode + liberal label retention mode.
⚫ LDP can directly map network-layer routing information to label information in order to establish LSPs.
LSRs are connected according to the incoming label, next hop, and outgoing label corresponding to a
specified FEC in the local forwarding table. In this manner, the LSP crossing the entire MPLS domain
can be formed.

Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
• Unless otherwise specified, MPLS VPN refers to BGP/MPLS IP VPN.
• MPLS VPN backbone networks can also be built by enterprises themselves, with a technical implementation similar to that of carriers. This course focuses on the scenario where enterprises purchase MPLS VPN services from carriers.
• CE: an edge device on a user network. A CE provides interfaces that are directly connected to a carrier network. A CE can be a router, switch, or host. CEs are usually unaware of VPNs and do not need to support MPLS.
• PE: an edge device on a carrier network, directly connected to a CE. On an MPLS network, PEs process all VPN services and therefore must have high performance.
• P: a backbone router on a carrier network that is not directly connected to a CE. P devices only need to provide basic MPLS forwarding and do not maintain VPN information.
• The meaning of a site can be understood from the following aspects:
▫ A site is a group of IP systems that can communicate without using carrier
networks.
▫ Sites are classified based on topological relationships between devices
rather than the geographical locations of devices. In the preceding figure,
the networks in provinces X and Y of company A need to communicate
through the backbone network of the carrier. Therefore, the two networks
are considered as two sites. If a physical private line is added between the
CEs on the networks of provinces X and Y, the two networks can
communicate without the need of the carrier network. In this case, the two
networks are considered as one site.
• Relationship between sites and VPNs:
▫ Sites connected to the same service provider network can be classified into
different collections based on configured policies. Only sites that belong to
the same collection can access each other, and this collection is defined as a
VPN.
▫ Devices at a site can belong to multiple VPNs. In other words, a site can
belong to more than one VPN.
• Multiprotocol Extensions for BGP (MP-BGP): an extended BGP protocol that
supports multiple address families. For details, see related courses.
• MPLS traffic engineering (MPLS TE): steers traffic to constrained LSPs for
forwarding so that the traffic is transmitted along specified paths. MPLS TE fully
uses network resources and provides bandwidth and QoS guarantee without the
need for hardware upgrades. It minimizes network costs.
• Intranet networking is the simplest and most typical MPLS VPN networking
scheme. The following technical implementation of MPLS VPN will be described
based on this networking scheme.
• A VPN is a private network. Different VPNs independently manage their own address ranges, also called address spaces, and the address spaces of different VPNs may overlap. For example, in the preceding figure, both user X and user Y use 192.168.1.0/24. VPNs can use overlapping address spaces in the following situations:
▫ They do not share any site.
▫ They share a site, but the devices at that site do not communicate with the devices that use the overlapping address space at the other sites of the VPNs.
• For details about VRFs, see the related HCIP-Datacom-Core course.
• When configuring an RD, you need to specify only the Administrator and Assigned Number subfields; the Type field follows from the format you use.
• Four RD configuration formats are available. The following two are commonly used:
▫ 16-bit AS number:32-bit user-defined number (for example, 100:1)
▫ 32-bit IPv4 address:16-bit user-defined number (for example, 172.1.1.1:1)
• The RD structure enables each carrier to allocate RDs independently. In some application scenarios, however, RDs must be globally unique to ensure correct routing.
• NLRI: Network Layer Reachability Information.
• For the address family values, see RFC 3232 (Assigned Numbers), which points to the IANA Address Family Numbers registry.
• MP_REACH_NLRI is used to advertise reachable routes and next hop information. It consists of one or more 3-tuples <Address Family Information, Next Hop Network Address Information, NLRI>.
▫ Address Family Information: consists of a 2-byte Address Family Identifier (AFI) and a 1-byte Subsequent Address Family Identifier (SAFI).
▪ The AFI identifies the network layer protocol, corresponding to the address family number in the IANA registry referenced by RFC 3232. For example, 1 indicates IPv4 and 2 indicates IPv6.
▪ The SAFI indicates the NLRI type. If the AFI value is 1 and the SAFI value is 128, the NLRI carries MPLS-labeled VPN-IPv4 addresses.
▫ Next Hop Network Address Information: consists of the 1-byte length of the next hop network address and the variable-length next hop network address.
▫ NLRI: consists of one or more 3-tuples <length, label, prefix>, where the prefix of a VPN-IPv4 route is the 8-byte RD followed by the IPv4 prefix. This part is described in detail in the following slides.
• MP_UNREACH_NLRI is used to instruct a peer to delete unreachable routes. The format of this attribute is as follows:
▫ AFI: same as that in the MP_REACH_NLRI attribute.
▫ SAFI: NLRI type, same as that in the MP_REACH_NLRI attribute.
▫ Withdrawn Routes: a list of unreachable routes, consisting of one or more NLRI fields. A BGP speaker withdraws a route by placing the same NLRI that it previously advertised as reachable into the Withdrawn Routes field.
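The RD layout and the VPN-IPv4 NLRI described in the two notes above, as an added example that is not part of the course material: the Python below encodes and decodes the 8-byte RD for all three Type values and builds and parses the value of an MP_REACH_NLRI attribute for AFI 1 / SAFI 128 (label, RD, prefix). The next hop 1.1.1.1, the labels and the RD/prefix pairs are constructed sample input; the overlapping 192.168.1.0/24 for two RDs mirrors the user X / user Y example in the notes.

```python
"""Added example: encode/decode the 8-byte Route Distinguisher and build/parse a
VPN-IPv4 (AFI 1, SAFI 128) MP_REACH_NLRI attribute value. Not Huawei code; written
from the field layouts described above (RFC 4364, RFC 3107 label field, RFC 4760)."""
import ipaddress
import struct
from typing import List, Tuple

# RD Type field values (first 2 bytes of the RD).
RD_TYPE_AS2 = 0     # 16-bit AS : 32-bit number, e.g. 100:1
RD_TYPE_IPV4 = 1    # IPv4 address : 16-bit number, e.g. 172.1.1.1:1
RD_TYPE_AS4 = 2     # 32-bit AS : 16-bit number, e.g. 70000:1


def encode_rd(text: str) -> bytes:
    """'ADMIN:NUMBER' -> 8 bytes. The Type is chosen from the administrator format,
    which is why the CLI only asks for Administrator and Assigned Number."""
    admin, number = text.rsplit(":", 1)
    num = int(number)
    if "." in admin:
        return struct.pack("!H4sH", RD_TYPE_IPV4, ipaddress.IPv4Address(admin).packed, num)
    asn = int(admin)
    if asn <= 0xFFFF:
        return struct.pack("!HHI", RD_TYPE_AS2, asn, num)
    return struct.pack("!HIH", RD_TYPE_AS4, asn, num)


def decode_rd(raw: bytes) -> str:
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == RD_TYPE_AS2:
        asn, num = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{num}"
    if rd_type == RD_TYPE_IPV4:
        addr, num = struct.unpack("!4sH", raw[2:8])
        return f"{ipaddress.IPv4Address(addr)}:{num}"
    if rd_type == RD_TYPE_AS4:
        asn, num = struct.unpack("!IH", raw[2:8])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def encode_label(label: int, bottom_of_stack: bool = True) -> bytes:
    """3-byte label field of a labeled NLRI: 20-bit label, 3 EXP bits, 1 BoS bit."""
    return (((label & 0xFFFFF) << 4) | int(bottom_of_stack)).to_bytes(3, "big")


def build_mp_reach_vpnv4(next_hop: str, routes: List[Tuple[str, str, int]]) -> bytes:
    """Attribute value (without the BGP attribute header) for AFI=1/SAFI=128.
    routes: (rd, prefix, vpn_label). The next hop of a VPN-IPv4 route is a 12-byte
    VPN-IPv4 address: RD 0:0 followed by the IPv4 address of the advertising PE."""
    nh = bytes(8) + ipaddress.IPv4Address(next_hop).packed
    out = struct.pack("!HBB", 1, 128, len(nh)) + nh + b"\x00"   # AFI, SAFI, NH len, NH, Reserved
    for rd, prefix, label in routes:
        net = ipaddress.IPv4Network(prefix)
        prefix_bytes = net.network_address.packed[:(net.prefixlen + 7) // 8]
        # The length is in bits and covers label (24) + RD (64) + prefix.
        out += bytes([24 + 64 + net.prefixlen]) + encode_label(label) + encode_rd(rd) + prefix_bytes
    return out


def parse_mp_reach_vpnv4(data: bytes):
    """Inverse of build_mp_reach_vpnv4: returns (next_hop, [(rd, prefix, label, bos), ...])."""
    afi, safi, nh_len = struct.unpack("!HBB", data[:4])
    if (afi, safi) != (1, 128):
        raise ValueError(f"not a VPN-IPv4 attribute: AFI={afi} SAFI={safi}")
    nh = data[4:4 + nh_len]
    next_hop = str(ipaddress.IPv4Address(nh[-4:]))   # skip the leading RD 0:0
    pos = 4 + nh_len + 1                              # skip the Reserved byte
    routes = []
    while pos < len(data):
        bits = data[pos]; pos += 1
        label_field = int.from_bytes(data[pos:pos + 3], "big"); pos += 3
        rd = decode_rd(data[pos:pos + 8]); pos += 8
        plen = bits - 24 - 64
        nbytes = (plen + 7) // 8
        pfx = data[pos:pos + nbytes].ljust(4, b"\x00"); pos += nbytes
        routes.append((rd, f"{ipaddress.IPv4Address(pfx)}/{plen}", label_field >> 4, bool(label_field & 1)))
    return next_hop, routes


# Constructed sample: users X and Y both advertise 192.168.1.0/24 (overlapping address
# space) from PE 1.1.1.1; distinct RDs keep the two VPN-IPv4 routes distinct.
SAMPLE_ROUTES = [("1:1", "192.168.1.0/24", 1025), ("2:1", "192.168.1.0/24", 1026),
                 ("172.1.1.1:1", "10.0.0.0/8", 1027)]

if __name__ == "__main__":
    attr = build_mp_reach_vpnv4("1.1.1.1", SAMPLE_ROUTES)
    print(attr.hex())
    print(parse_mp_reach_vpnv4(attr))
```

The point worth keeping from the parser is that the VPN-IPv4 route is identified by RD plus prefix, not by the prefix alone: tooling that keys a VPNv4 table on the IPv4 prefix collapses user X's and user Y's 192.168.1.0/24 into one entry, which is exactly the confusion the RD exists to prevent.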
• Similar to an RD, an RT consists of three fields: Type, Administrator, and Assigned Number. The length of an RT is also 8 bytes.
• When configuring a VPN target, you need to specify only the Administrator and Assigned Number subfields. VPN targets use the same configuration formats as RDs.
• A PE distributes MPLS labels in either of the following ways:
▫ One label per route: each route in a VRF is assigned its own label. When many routes exist, the Incoming Label Map (ILM) must hold an entry per route, which requires more router capacity.
▫ One label per instance: each VPN instance is assigned one label. All routes of a VPN instance share that label, reducing the number of labels required.
• VPN route leaking: matching VPNv4 routes against the VPN targets of local VPN instances. After a PE receives a VPNv4 route, it matches the route's VPN targets against the import targets of its local VPN instances directly, without first selecting the optimal route or checking whether a tunnel exists.
• Tunnel recursion: a public network tunnel is required to carry VPN traffic from one PE to the other across the public network. After VPN route leaking, the route must successfully recurse to an LSP based on its next hop (the address of the remote PE) before it is added to the routing table of the corresponding VPN instance. That is, the next hop of the route must be reachable through an LSP.
• By default, only the peer relationships in the BGP IPv4 unicast address family view are enabled automatically. In other words, after the peer as-number command is run in the BGP view, the system automatically runs the peer enable command for that address family. In other address family views, peering must be enabled manually.
1. A

2. ABCD
MPLS VPN Deployment and Application
Foreword

⚫ BGP/MPLS IP VPN is widely used for WAN transport because it supports overlapping address spaces, flexible networking, good scalability, and MPLS traffic engineering (TE).
⚫ MPLS VPN deployment modes vary according to customers' service requirements and networking.
⚫ This course describes several common usage scenarios of MPLS VPN and how to deploy MPLS VPN in these scenarios. In addition, this course describes the extended functions of Open Shortest Path First (OSPF) for MPLS VPN.

• Note: Unless otherwise specified, MPLS VPN in this document indicates BGP/MPLS IP VPN.

Objectives

⚫ Upon completion of this course, you will be able to:
 Understand the usage scen# arios and networking types of MPLS VPN.
 Deploy the intranet solution with MPLS VPN.
 Deploy the MPLS VPN Hub&Spoke solution.
 Understand extended functions of OSPF for MPLS VPN.

Contents

1. MPLS VPN Applications and Networking Overview
2. Typical Usage Scenarios and Deployment of MPLS VPN
3. OSPF VPN Extension
Basic MPLS VPN Networking: Intranet
⚫ In the intranet networking solution, all users in a VPN form a user group that is isolated from the users of other VPNs, and they can forward traffic to each other. Users in a VPN cannot communicate with users outside the VPN. The sites of a VPN usually belong to the same organization.

Figure: two PEs connected through a P router. One PE serves site 1 (VPN1, RD 1:1) and site 3 (VPN2, RD 2:1); the other serves site 2 (VPN1, RD 1:2) and site 4 (VPN2, RD 2:2). VPN1 uses import RT 100:1 and export RT 100:1 at both sites; VPN2 uses import RT 200:1 and export RT 200:1 at both sites.

• A PE needs to create a VPN instance for each site it serves and set a unique route distinguisher (RD) for each site.
• Import and export route targets (RTs) are set on the PEs so that sites in different VPNs cannot communicate with each other.
Basic MPLS VPN Networking: Extranet
⚫ In the extranet networking solution, VPN users can share the network resources of some sites with users of other VPNs.

Figure: site 1 (VPN1, RD 1:1, import RT 100:1, export RT 100:1) is connected to PE1; site 2 (VPN1, RD 1:2, import RT 100:1 and 200:1, export RT 100:1 and 200:1) is connected to PE2; site 3 (VPN2, RD 2:1, import RT 200:1, export RT 200:1) is connected to PE3. The three PEs connect through a P router.

As shown in the figure, site 2 is a shared site that can be accessed by both VPN1 and VPN2 users. The following requirements must be met:
▫ PE2 can receive the VPNv4 routes advertised by PE1 and PE3.
▫ PE1 and PE3 can accept the VPNv4 routes advertised by PE2.
▫ PE2 advertises neither the VPNv4 routes received from PE1 to PE3 nor the VPNv4 routes received from PE3 to PE1.
Basic MPLS VPN Networking: Hub&Spoke (1)
⚫ In the Hub&Spoke solution, one site is configured as the hub site and the other sites as spoke sites. All traffic between sites must pass through the hub site, so data transmission between sites is centrally managed and controlled by the hub site.

Figure: Spoke-CE1 (site 1) connects to Spoke-PE1 and Spoke-CE2 (site 3) connects to Spoke-PE2; both Spoke-PEs reach the Hub-PE through a P router, and the Hub-PE connects to the Hub-CE (site 2). Each Spoke-PE VPN instance has import RT "Hub" and export RT "Spoke". The Hub-PE has two VPN instances: VPN_in with import RT "Spoke" and VPN_out with export RT "Hub".

• A spoke site advertises its routes to the hub site, and the hub site advertises them to the other spoke sites. Spoke sites do not exchange routing information directly.
• On the Spoke-PEs, set the export RT to "Spoke" and the import RT to "Hub".
• The Hub-PE uses two interfaces or sub-interfaces, each bound to one of two VPN instances. One is used to receive routes from the Spoke-PEs; the import RT of its VPN instance is "Spoke". The other is used to advertise routes to the Spoke-PEs; the export RT of its VPN instance is "Hub".
Basic MPLS VPN Networking: Hub&Spoke (2)
⚫ The process of advertising a route from site 1 (Spoke-CE1) to the site of Spoke-CE2 is as follows (RTs as in the previous figure):
1. Spoke-CE1 advertises the route to Spoke-PE1.
2. Spoke-PE1 advertises the route to the Hub-PE through IBGP.
3. The Hub-PE imports the route into the VPN_in routing table through the import RT of the VPN instance VPN_in and advertises the route to the Hub-CE.
4. The Hub-CE learns the route and advertises it back to the Hub-PE, into the VPN instance VPN_out.
5. The Hub-PE advertises the route to Spoke-PE2 with the export RT of VPN_out.
6. Spoke-PE2 advertises the route to Spoke-CE2.
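As an added example (not part of the course material), the Python below simulates VPN route leaking as described in the notes on the previous course (a VPNv4 route is accepted by a VPN instance when any of its RTs matches an import RT, with no best-path or tunnel check) and runs it over the three networking types just shown: intranet, extranet and Hub&Spoke. The PE, VPN-instance, RD and RT values come from the figures; the prefixes are constructed sample input, and the "@PE" suffixes in instance names are labels added here for readability.

```python
"""Added example: VPN route leaking driven by VPN targets (RTs), simulated for the
intranet, extranet and Hub&Spoke networking types on the preceding slides.
Not Huawei code: RD/RT values are from the figures, the prefixes are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


def rts(*values: str) -> FrozenSet[str]:
    return frozenset(values)


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    targets: FrozenSet[str]      # export RTs attached by the originating VPN instance


@dataclass
class VpnInstance:
    name: str
    rd: str
    import_rts: FrozenSet[str]
    export_rts: FrozenSet[str]
    table: Dict[str, Set[str]] = field(default_factory=dict)   # prefix -> RDs it was learned with

    def originate(self, prefix: str) -> Vpnv4Route:
        """A route learned from the local CE becomes a VPNv4 route tagged with the export RTs."""
        self.table.setdefault(prefix, set()).add(self.rd)
        return Vpnv4Route(self.rd, prefix, self.export_rts)

    def leak(self, routes: List[Vpnv4Route]) -> List[Vpnv4Route]:
        """VPN route leaking: accept a VPNv4 route when any of its RTs matches an import RT.
        Best-path selection and tunnel recursion are not modelled here."""
        accepted = []
        for r in routes:
            if r.targets & self.import_rts:
                self.table.setdefault(r.prefix, set()).add(r.rd)
                accepted.append(r)
        return accepted


def intranet() -> Dict[str, Dict[str, Set[str]]]:
    """VPN1 (RT 100:1) and VPN2 (RT 200:1) both use 192.168.1.0/24; the second PE keeps them apart."""
    pe1 = [VpnInstance("VPN1", "1:1", rts("100:1"), rts("100:1")),
           VpnInstance("VPN2", "2:1", rts("200:1"), rts("200:1"))]
    pe2 = [VpnInstance("VPN1", "1:2", rts("100:1"), rts("100:1")),
           VpnInstance("VPN2", "2:2", rts("200:1"), rts("200:1"))]
    advertised = [v.originate("192.168.1.0/24") for v in pe1]
    for v in pe2:
        v.leak(advertised)
    return {v.name: v.table for v in pe2}


def extranet() -> Dict[str, Dict[str, Set[str]]]:
    """Site 2 is shared: its instance imports and exports both 100:1 and 200:1."""
    site1 = VpnInstance("VPN1@PE1", "1:1", rts("100:1"), rts("100:1"))
    site2 = VpnInstance("VPN1@PE2", "1:2", rts("100:1", "200:1"), rts("100:1", "200:1"))
    site3 = VpnInstance("VPN2@PE3", "2:1", rts("200:1"), rts("200:1"))
    pairs = ((site1, "10.1.0.0/16"), (site2, "10.2.0.0/16"), (site3, "10.3.0.0/16"))
    adv = {s.name: s.originate(p) for s, p in pairs}
    for s in (site1, site2, site3):               # each PE sees what the other PEs originated
        s.leak([r for n, r in adv.items() if n != s.name])
    return {s.name: s.table for s in (site1, site2, site3)}


def hub_and_spoke():
    """RT plan of the Hub&Spoke slides: spokes export their own RT and import the hub RT;
    Hub-PE VPN_in imports the spoke RTs, VPN_out exports the hub RT (300:1 here)."""
    spoke1 = VpnInstance("VPN@Spoke-PE1", "1:1", rts("300:1"), rts("100:1"))
    spoke2 = VpnInstance("VPN@Spoke-PE2", "2:1", rts("300:1"), rts("200:1"))
    vpn_in = VpnInstance("VPN_in@Hub-PE", "3:1", rts("100:1", "200:1"), rts())
    vpn_out = VpnInstance("VPN_out@Hub-PE", "3:2", rts(), rts("300:1"))
    r = spoke1.originate("192.168.1.0/24")
    direct = spoke2.leak([r])                      # spoke-to-spoke: no RT match, nothing accepted
    vpn_in.leak([r])                               # the hub accepts it into VPN_in
    # The Hub-CE hands every VPN_in prefix back into VPN_out, which re-tags it with 300:1.
    reflected = [vpn_out.originate(p) for p in vpn_in.table]
    spoke2.leak(reflected)
    spoke1.leak(reflected)                         # VPN_out floods to all spokes, origin included
    return direct, spoke2.table, spoke1.table
```

Two things the run makes visible. In the extranet case PE2 never re-exports what it leaked, so the "PE2 does not forward PE1's routes to PE3" requirement holds without extra policy. In the Hub&Spoke case the last return value shows Spoke-PE1 holding two candidates for 192.168.1.0/24 (its own, RD 1:1, and the copy returned by VPN_out, RD 3:2); which one wins is left to BGP best-path selection, which is the situation examined under "Why Is There No Method 4?". Since a single shared RT value is all it takes to merge two customers' routing tables, the import/export RT plan on a PE deserves the same review as a firewall policy.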
MCE Networking
⚫ When a private network is divided into VPNs based on services or networks, the services of different VPN users must be completely isolated. Configuring a separate CE for each VPN increases device and maintenance costs.
⚫ A multi-VPN-instance CE (MCE) can function as the CE for multiple VPN instances on an MPLS VPN network, reducing the investment in network devices.

Figure: sites A, B, C, ... connect to one MCE, which connects to a PE of the MPLS VPN backbone network (PEs and a P router).

• The MCE extends some PE functions to the CE. By binding different interfaces to different VPNs, the MCE creates and maintains an independent routing and forwarding table (multi-VRF) for each VPN.
• The MCE can be connected to the corresponding PE through physical interfaces, sub-interfaces, or logical interfaces. On the PE, these interfaces must be bound to the corresponding VPN instances.
Inter-AS MPLS VPN Networking
⚫ With the wide adoption of MPLS VPN, the number and geographical spread of end users keep growing, and the number of sites per enterprise keeps increasing. Sites frequently need to be connected across different service provider networks, for example between different MANs of one carrier or between the backbone networks of cooperating carriers, which may belong to different autonomous systems (ASs).
⚫ Generally, the MPLS VPN architecture runs within a single AS, and the routing information of a VPN is flooded only within that AS as needed. The inter-AS MPLS VPN solutions deploy MPLS VPN across ASs.

Figure: site A is connected through AS100 and site B through AS200.

• RFC 2547 (since superseded by RFC 4364) defines three inter-AS VPN solutions:
▫ Inter-AS VPN Option A (inter-provider backbones Option A): the AS boundary routers (ASBRs) of the two ASs exchange VPN routes over dedicated interfaces between them, one per VPN. This mode is also called VRF-to-VRF.
▫ Inter-AS VPN Option B (inter-provider backbones Option B): ASBRs use MP-EBGP to advertise labeled VPNv4 routes. This mode is also called EBGP redistribution of labeled VPN-IPv4 routes.
▫ Inter-AS VPN Option C (inter-provider backbones Option C): PEs use multi-hop MP-EBGP to advertise VPNv4 routes. This mode is also called multi-hop EBGP redistribution of labeled VPN-IPv4 routes.
Networking for Route Import Between Instances
⚫ In BGP/MPLS IP VPN networking, VPN users cannot communicate with public network users, and users in one VPN can communicate with users in another VPN only if the two VPNs have matching VPN targets. To enable communication in either case, configure route import between instances. Route import between instances is classified into the following types:
 Route import between a VPN instance and the public network instance
 Route import between VPN instances

Figure: two topologies, one for route import between VPNA and the public network (CE1 in VPNA, PE1, P, PE2, and CE2 in VPNA beside a public-network CE1) and one for route import between VPN instances on the same PE1 (CE1 in VPNB and CE2 in VPNA).
Contents

1. MPLS VPN Applications and Networking Overview
2. MPLS VPN Deployment in Typical Scenarios
◼ Intranet Scenario
▫ Hub&Spoke Scenario
▫ Route Import Between VPN Instances Scenario
3. OSPF VPN Extension
Deploying MPLS VPN in the Intranet Scenario
⚫ As shown in the figure, customer X and customer Y have two sites each. The two sites of each customer need to be interconnected through MPLS VPN, using the VPN instances VPNX and VPNY, respectively.
⚫ Interconnection interfaces, AS numbers, and IP addresses are shown in the figure. CEs and PEs exchange routing information using the protocol or method shown in the figure.

Figure (topology used by the following slides):
▫ Carrier backbone AS 123: PE1 (Loopback0 1.1.1.1/32, GE0/0/0 10.0.12.1/24) -- P (GE0/0/0 10.0.12.2/24, GE0/0/1 10.0.23.2/24) -- PE2 (Loopback0 3.3.3.3/32, GE0/0/0 10.0.23.3/24).
▫ Customer X: site A (192.168.1.0/24) behind CE1 (GE0/0/0 192.168.100.1/24) attached to PE1; site B (192.168.2.0/24) behind CE2 (GE0/0/0 192.168.200.1/24) attached to PE2.
▫ Customer Y: site C (192.168.1.0/24) behind CE3 (AS 100, GE0/0/0 192.168.100.1/24) attached to PE1; site D (192.168.2.0/24) behind CE4 (GE0/0/0 192.168.200.1/24) attached to PE2.
▫ The PE-side addresses of the PE-CE links are 192.168.100.2 and 192.168.200.2 (used in the configurations that follow). Note that customers X and Y use overlapping address space.

• Note: This course describes only the non-inter-AS MPLS VPN deployment.
Deploying OSPF Between PEs and CEs (1)
Figure: CE1 (GE0/0/0 192.168.100.1/24, site A of customer X, 192.168.1.0/24) -- PE1 -- P -- PE2 -- CE2 (GE0/0/0 192.168.200.1/24, site B of customer X, 192.168.2.0/24), carrier AS 123. The PE interfaces toward the CEs have already been bound to the corresponding VRF.

[CE1] ospf 1
[CE1-ospf-1] area 0
[CE1-ospf-1-area-0.0.0.0] network 192.168.100.0 0.0.0.255
[CE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

The OSPF configuration on CE1 is the same as a traditional OSPF configuration. CE1 does not need to support VRF.
Deploying OSPF Between PEs and CEs (2)
(Same topology as the previous slide; the PE1 interface toward CE1 has been bound to VPNX.)

[PE1] ospf 1 vpn-instance VPNX
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 192.168.100.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] import-route bgp

The OSPF process that PE1 uses to interconnect with CE1 must be bound to the corresponding VPN instance. Importing BGP into this process makes the BGP routes in the VPNX routing table of PE1 (mainly the customer routes destined for site B, which PE1 learns through BGP) available to CE1 through OSPF.

[PE1] bgp 123
[PE1-bgp] ipv4-family vpn-instance VPNX
[PE1-bgp-VPNX] import-route ospf 1

Importing OSPF process 1 into the VPNX address family of BGP converts the customer routes destined for site A into BGP VPNv4 routes, which are then advertised to PE2.
Deploying Static Routes Between PEs and CEs
(Same topology; the PE2 interface toward CE2 has been bound to VPNX.)

[CE2] ip route-static 192.168.1.0 24 192.168.200.2
[CE2] ip route-static 192.168.100.0 24 192.168.200.2

A static route to each network segment at site A needs to be configured on CE2.

[PE2] ip route-static vpn-instance VPNX 192.168.2.0 24 192.168.200.1

A static route to each network segment at site B needs to be configured on PE2, inside the VPN instance.

[PE2] bgp 123
[PE2-bgp] ipv4-family vpn-instance VPNX
[PE2-bgp-VPNX] import-route static

Import the static routes in the VPNX routing table of PE2 into BGP so that they are converted into BGP VPNv4 routes and advertised to PE1.
Deploying EBGP Between PEs and CEs
Figure: CE3 (AS 100, GE0/0/0 192.168.100.1/24, site C of customer Y, 192.168.1.0/24) -- PE1 (GE0/0/0 10.0.12.1/24) -- P (GE0/0/0 10.0.12.2/24, GE0/0/1 10.0.23.2/24) -- PE2 (GE0/0/0 10.0.23.3/24) -- CE4 (GE0/0/0 192.168.200.1/24, site D of customer Y, 192.168.2.0/24), carrier AS 123. The PE interfaces toward the CEs have been bound to VPNY.

[CE3] bgp 100
[CE3-bgp] peer 192.168.100.2 as-number 123
[CE3-bgp] network 192.168.1.0 24

CE3 only needs a common BGP configuration and does not need to support VRF.

[PE1] bgp 123
[PE1-bgp] ipv4-family vpn-instance VPNY
[PE1-bgp-VPNY] peer 192.168.100.1 as-number 100

When a PE and a CE use BGP to exchange customer routes, you do not need to manually import routes on the PE. In this example, after PE1 learns a customer route from CE3 through BGP, PE1 automatically converts it into a VPNv4 route and advertises it to PE2. After PE1 learns the route to site D from PE2 through BGP, PE1 automatically converts it into an IPv4 route and advertises it to CE3.
BGP Configuration in Special Scenarios: AS Number Replacement
⚫ In an MPLS VPN scenario where EBGP runs between a PE and a CE to exchange routing information, the two sites may use the same AS number.

Figure: site 1 (AS 65001) behind CE1 (GE0/0/0 192.168.100.1/24) -- EBGP -- PE1 -- P -- PE2 -- EBGP -- CE2, site 2 (AS 65001); carrier AS 123.

• If CE1 sends a VPN route to PE1 through EBGP and PE2 forwards the route to CE2, CE2 discards the route because its own AS number already appears in the AS_Path (the standard EBGP loop check). As a result, site 1 and site 2, which belong to the same VPN, cannot communicate with each other.
• Run the peer substitute-as command on each PE to enable AS number replacement. Before sending a private network route to the CE, the PE replaces the AS number of the VPN site in which that CE resides with the local AS number in the AS_Path, so the peer CE no longer sees its own AS number and does not discard the route.

[PE1] bgp 123
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 192.168.100.1 substitute-as

When sending a BGP route to CE1, PE1 replaces 65001 with its local AS number 123 wherever the AS_Path contains 65001. If a route is sent from CE2 to PE2 and then from PE2 to PE1, the AS_Path of the route is {123, 123} when PE1 sends it to CE1: PE1's own AS prepended, followed by the substituted 65001.
BGP Configuration in Special Scenarios: SoO
⚫ In a CE multi-homing scenario, enabling BGP AS number replacement can cause routing loops, because it removes the AS_Path evidence that a route originated in the local site. The site of origin (SoO) feature is required to prevent these loops.
 Both CE1 and CE3 belong to site 1, and CE2 belongs to site 2. The AS numbers of sites 1 and 2 are both 65001, and EBGP runs between the PEs and CEs. To ensure that the PEs and CEs learn routes from each other, AS number replacement is configured on PE1 and PE2.
 CE1 sends an intra-site route to PE1, and PE1 sends the route to CE3. Because AS number replacement is configured, CE3 accepts the route instead of discarding it, which may cause a routing loop.

Figure: CE1 and CE3 (site 1, AS 65001) both connect to PE1 through EBGP; PE1 -- P -- PE2 -- EBGP -- CE2 (site 2, AS 65001); carrier AS 123.

[PE1] bgp 123
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 192.168.100.1 soo 200:1
[PE1-bgp-vpn1] peer 192.168.200.1 soo 200:1

After the SoO attribute is configured for a BGP peer:
• When a BGP route is received from that peer, the SoO value is attached to the route as a path attribute (an extended community) and is advertised with the route to other BGP peers.
• Before advertising a BGP route to a peer, the device checks whether the SoO attribute carried by the route equals the SoO value configured for that peer. If it does, the device does not advertise the route to that peer, which prevents the loop.

• Note: 192.168.100.1 and 192.168.200.1 are the IP addresses of the interfaces on CE1 and CE3, respectively, that are used to set up the BGP peer relationships with PE1.
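As an added example (not from the course), the Python below models the BGP mechanisms on this and the preceding slide as a small simulation: the default AS_Path loop check on an EBGP receiver, AS number replacement (`substitute-as`) on the PE-to-CE session, SoO tagging and filtering, and `allow-as-loop`, which the Hub-PE needs later in the Hub&Spoke deployment. The AS numbers 65001 and 123 and the SoO value 200:1 come from the slides; the spoke AS 65002 in the third scenario, the prefixes and the scenario pairings are constructed. The last helper shows the best-path detail behind "Why Is There No Method 4?": a shorter AS_Path wins.

```python
"""Added example: AS_Path loop check, substitute-as, SoO and allow-as-loop behaviour
on PE-CE EBGP sessions, as a simulation. Not Huawei code; only the AS numbers and the
SoO value 200:1 come from the slides, everything else is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...] = ()
    soo: Optional[str] = None          # Site-of-Origin extended community, if tagged


def ebgp_send(local_as: int, route: Route, substitute_as: Optional[int] = None,
              peer_soo: Optional[str] = None) -> Optional[Route]:
    """What a speaker advertises to an EBGP peer.
    substitute_as: the peer site's AS; every occurrence in AS_Path is rewritten to local_as
                   (peer substitute-as on a PE).
    peer_soo:      SoO configured for this peer; a route carrying the same SoO is withheld,
                   because it came from the same site."""
    if peer_soo is not None and route.soo == peer_soo:
        return None
    path = tuple(local_as if (substitute_as is not None and asn == substitute_as) else asn
                 for asn in route.as_path)
    return Route(route.prefix, (local_as,) + path, route.soo)   # EBGP prepends the local AS


def ebgp_receive(local_as: int, route: Route, allow_as_loop: bool = False,
                 peer_soo: Optional[str] = None) -> Optional[Route]:
    """Receiver side: discard a route whose AS_Path already contains the local AS unless
    allow-as-loop is set; tag the route with the SoO configured for the sending peer."""
    if local_as in route.as_path and not allow_as_loop:
        return None
    return Route(route.prefix, route.as_path, peer_soo or route.soo)


def best_by_as_path(candidates: List[Route]) -> Route:
    """The only best-path rule modelled: the shorter AS_Path wins (other attributes equal)."""
    return min(candidates, key=lambda r: len(r.as_path))


# --- Scenario 1: two sites with the same AS (65001) behind carrier AS 123 --------------
def same_as_sites(substitute: bool) -> Optional[Route]:
    r = ebgp_send(65001, Route("192.168.1.0/24"))               # CE1 -> PE1
    r = ebgp_receive(123, r)                                     # PE1 accepts
    # PE1 -> PE2 is IBGP (nothing prepended); PE2 -> CE2 is EBGP, optionally with substitute-as.
    r = ebgp_send(123, r, substitute_as=65001 if substitute else None)
    return ebgp_receive(65001, r)                                # CE2's loop check


# --- Scenario 2: CE1 and CE3 are both in site 1, multi-homed to PE1 --------------------
def multihomed_site(use_soo: bool) -> Optional[Route]:
    soo = "200:1" if use_soo else None
    r = ebgp_send(65001, Route("10.1.0.0/16"))                  # CE1 -> PE1
    r = ebgp_receive(123, r, peer_soo=soo)                       # PE1 tags it with CE1's SoO
    return ebgp_send(123, r, substitute_as=65001, peer_soo=soo)  # PE1 -> CE3 (same site)


# --- Scenario 3: Hub-CE (AS 65001) returns a spoke route over the VPN_out session --------
def hub_ce_return(allow_as_loop: bool) -> Optional[Route]:
    r = ebgp_send(65002, Route("192.168.1.0/24"))               # Spoke-CE1 (AS 65002, assumed)
    r = ebgp_receive(123, r)                                     # Spoke-PE1; IBGP to Hub-PE
    r = ebgp_send(123, r)                                        # Hub-PE (VPN_in) -> Hub-CE
    r = ebgp_receive(65001, r)                                   # Hub-CE accepts
    r = ebgp_send(65001, r)                                      # Hub-CE -> Hub-PE (VPN_out)
    return ebgp_receive(123, r, allow_as_loop=allow_as_loop)     # Hub-PE sees its own AS 123


if __name__ == "__main__":
    print(same_as_sites(False), same_as_sites(True))
    print(multihomed_site(False), multihomed_site(True))
    print(hub_ce_return(False), hub_ce_return(True))
    # Method-4 problem: the IGP-originated copy (empty AS_Path) beats the spoke's EBGP route.
    print(best_by_as_path([Route("192.168.1.0/24", (65001,)), Route("192.168.1.0/24", ())]))
```

Scenario 2 is the one to keep in mind when reviewing a PE configuration: `substitute-as` alone turns the AS_Path loop check off for the site, so a multi-homed CE accepts its own site's routes back from the PE, and only the SoO check on the PE stops that. `allow-as-loop` in scenario 3 is the same trade-off made deliberately on a single, known session.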
Deploying IS-IS Between PEs and CEs
Figure: same customer Y topology as on the EBGP slide (CE3, AS 100, site C 192.168.1.0/24 -- PE1 -- P -- PE2 -- CE4, site D 192.168.2.0/24; carrier AS 123). This slide configures the PE2-CE4 side with IS-IS.

[CE4] isis 1
[CE4-isis-1] network-entity 49.0001.0000.0000.1111.00
[CE4-isis-1] is-level level-2
[CE4-isis-1] quit
[CE4] interface GigabitEthernet 0/0/0
[CE4-GigabitEthernet0/0/0] isis enable 1
[CE4-GigabitEthernet0/0/0] quit
[CE4] interface GigabitEthernet 0/0/1
[CE4-GigabitEthernet0/0/1] isis enable 1

# GE0/0/1 is the CE4 interface connected to network segment 192.168.2.0/24.

[PE2] isis 1 vpn-instance VPNY
[PE2-isis-1] network-entity 49.0002.0000.0000.2222.00
[PE2-isis-1] is-level level-2
[PE2-isis-1] import-route bgp level-2
[PE2-isis-1] quit
[PE2] interface GigabitEthernet 0/0/2
[PE2-GigabitEthernet0/0/2] isis enable 1
[PE2-GigabitEthernet0/0/2] quit
[PE2] bgp 123
[PE2-bgp] ipv4-family vpn-instance VPNY
[PE2-bgp-VPNY] import-route isis 1

# GE0/0/2 is the PE2 interface connected to CE4 and has been bound to VPNY. The IS-IS process on PE2 is bound to the VPN instance: BGP routes are imported into it toward CE4, and the IS-IS routes learned from CE4 are imported into the VPNY address family of BGP.
Contents

1. MPLS VPN Applications and Networking Overview
2. MPLS VPN Deployment in Typical Scenarios
▫ Intranet Scenario
◼ Hub&Spoke Scenario
▫ Route Import Between VPN Instances Scenario
3. OSPF VPN Extension
Deploying MPLS VPN in the Hub&Spoke Scenario
⚫ Hub&Spoke networking can be deployed in the following ways:
 Method 1: EBGP runs between the Hub-CE and Hub-PE, and between the Spoke-PEs and Spoke-CEs.
 Method 2: An IGP runs between the Hub-CE and Hub-PE, and between the Spoke-PEs and Spoke-CEs.
 Method 3: EBGP runs between the Hub-CE and Hub-PE, and an IGP runs between the Spoke-PEs and Spoke-CEs.
⚫ An IGP cannot be used between the Hub-CE and Hub-PE when EBGP is used between the Spoke-PEs and Spoke-CEs (see "Why Is There No Method 4?" later in this course).

Figure (topology used by the following slides), carrier AS 123:
▫ Spoke-CE1 (site 1, GE0/0/0 192.168.100.1/24) -- Spoke-PE1 (Loopback0 1.1.1.1/32, GE0/0/1 192.168.100.2/24)
▫ Spoke-CE2 (site 2, GE0/0/0 192.168.200.1/24) -- Spoke-PE2 (Loopback0 2.2.2.2/32, GE0/0/1 192.168.200.2/24)
▫ Spoke-PE1 and Spoke-PE2 -- P -- Hub-PE (Loopback0 3.3.3.3/32)
▫ Hub-PE GE0/0/0 192.168.31.2/24 -- Hub-CE GE0/0/0 192.168.31.1/24 (site 3); Hub-PE GE0/0/1 192.168.32.2/24 -- Hub-CE GE0/0/1 192.168.32.1/24
VRF Configuration
⚫ Create a VPN instance on each Spoke-PE. The RT configuration is shown in the figure.
⚫ Create VPN_in and VPN_out on the Hub-PE to import private network routes from the Spoke-PEs and to export private network routes to the Spoke-PEs, respectively. The RT configuration is shown in the figure.

Figure (RT plan):
▫ Spoke-PE1, VPN instance VPN: import RT 300:1, export RT 100:1 (EBGP to Spoke-CE1, site 1)
▫ Spoke-PE2, VPN instance VPN: import RT 300:1, export RT 200:1 (EBGP to Spoke-CE2, site 2)
▫ Hub-PE, VPN_in: import RT 100:1 and 200:1
▫ Hub-PE, VPN_out: export RT 300:1
▫ The Hub-CE (site 3) connects to the Hub-PE through both VPN_in and VPN_out.
Deployment Method 1: Route Advertisement Process
⚫ Spoke-CEs and Spoke-PEs exchange routing information through EBGP. After an EBGP connection is set up, the Spoke-CEs and Spoke-PEs advertise routes into BGP.
⚫ Two EBGP connections are set up between the Hub-PE and Hub-CE: one (VPN_in) to advertise private network routes to the Hub-CE and one (VPN_out) to accept them back.

Figure: Spoke-CE1 (site 1) -- EBGP -- Spoke-PE1; Spoke-CE2 (site 2) -- EBGP -- Spoke-PE2; Spoke-PEs -- P -- Hub-PE; Hub-PE -- EBGP (VPN_in) and EBGP (VPN_out) -- Hub-CE (site 3).

• The process of advertising a route from Spoke-CE1 to Spoke-CE2 is as follows:
▫ Spoke-CE1 advertises the route to Spoke-PE1 through EBGP.
▫ Spoke-PE1 advertises the route to the Hub-PE through IBGP.
▫ The Hub-PE imports the route into the VPN_in routing table through the import RT of the VPN instance VPN_in, and then advertises the route to the Hub-CE through EBGP.
▫ The Hub-CE learns the route through that EBGP connection and advertises it back to the VPN instance VPN_out of the Hub-PE through the other EBGP connection.
▫ The Hub-PE advertises the route with the export RT of VPN_out to all Spoke-PEs.
▫ Spoke-PE2 advertises the route to Spoke-CE2 through EBGP.
Deployment Method 1: Configuration Between Hub-PE and Hub-CE
⚫ The Hub-PE advertises the routes learned from the spoke sites to the hub site through the EBGP connection corresponding to VPN_in.
⚫ The Hub-CE advertises the routes back to the Hub-PE, and from there to the spoke sites, through the EBGP connection corresponding to VPN_out.

Figure: Hub-PE (AS 123) GE0/0/0 192.168.31.2/24 -- EBGP (VPN_in) -- GE0/0/0 192.168.31.1/24 Hub-CE (AS 65001, site 3); Hub-PE GE0/0/1 192.168.32.2/24 -- EBGP (VPN_out) -- GE0/0/1 192.168.32.1/24 Hub-CE.

# Set up two EBGP connections between the Hub-CE and Hub-PE.
[Hub-CE] bgp 65001
[Hub-CE-bgp] peer 192.168.31.2 as-number 123
[Hub-CE-bgp] peer 192.168.32.2 as-number 123

# Establish two EBGP connections between the Hub-PE and Hub-CE.
[Hub-PE] bgp 123
[Hub-PE-bgp] ipv4-family vpn-instance VPN_in
[Hub-PE-bgp-VPN_in] peer 192.168.31.1 as-number 65001
[Hub-PE-bgp-VPN_in] quit
[Hub-PE-bgp] ipv4-family vpn-instance VPN_out
[Hub-PE-bgp-VPN_out] peer 192.168.32.1 as-number 65001
[Hub-PE-bgp-VPN_out] peer 192.168.32.1 allow-as-loop

The routes that the Hub-CE sends to the Hub-PE over the EBGP connection corresponding to VPN_out already contain AS 123 in their AS_Path (the Hub-PE prepended it when advertising them to the Hub-CE), so the Hub-PE would discard them as loops by default. To prevent this, the Hub-PE must be explicitly configured with allow-as-loop on that peer so that it accepts routes containing its own AS number.
Deployment Method 2: Route Advertisement Process
⚫ The following example uses OSPF as the IGP.
 Spoke-CEs and Spoke-PEs exchange routing information through OSPF process 100.
 The Hub-PE uses two OSPF processes to establish OSPF neighbor relationships with the Hub-CE: one to advertise private network routes and one to accept them back.

Figure: Spoke-CE1 (site 1) -- OSPF 100 -- Spoke-PE1; Spoke-CE2 (site 2) -- OSPF 100 -- Spoke-PE2; Spoke-PEs -- P -- Hub-PE; Hub-PE -- OSPF 100 (VPN_in) and OSPF 200 (VPN_out) -- Hub-CE (site 3).

• The process of advertising a route from Spoke-CE1 to Spoke-CE2 is as follows:
▫ Spoke-CE1 advertises the route to Spoke-PE1 through OSPF 100.
▫ Spoke-PE1 advertises the route to the Hub-PE through IBGP.
▫ The Hub-PE imports the route into the VPN_in routing table through the import RT of the VPN instance VPN_in. The BGP route is then imported into OSPF 100, which advertises it to the Hub-CE.
▫ The Hub-CE receives the route through OSPF 100. Because route import is configured on the Hub-CE, the route is imported into OSPF 200, and OSPF 200 advertises it back to the Hub-PE.
▫ The VPN instance VPN_out of the Hub-PE imports the route from the OSPF 200 multi-instance process and advertises it with the export RT of VPN_out to all Spoke-PEs.
▫ Spoke-PE2 advertises the route to Spoke-CE2 through OSPF 100.
Deployment Method 2: Configuration Between the Hub-PE and Hub-CE
⚫ The Hub-PE advertises the routes learned from the spoke sites to the hub site through OSPF process 100, which corresponds to VPN_in.
⚫ The Hub-CE advertises the routes back to the Hub-PE through OSPF process 200, which corresponds to VPN_out; the Hub-PE then advertises them to all spoke sites.

Figure: Hub-PE (AS 123) -- OSPF 100 (VPN_in) and OSPF 200 (VPN_out) -- Hub-CE (site 3).

# On the Hub-PE, import BGP routes into OSPF 100 (VPN_in) and import OSPF 200 (VPN_out) routes into BGP.
[Hub-PE] ospf 100 vpn-instance VPN_in
[Hub-PE-ospf-100] import-route bgp
[Hub-PE-ospf-100] quit
[Hub-PE] ospf 200 vpn-instance VPN_out
[Hub-PE-ospf-200] quit
[Hub-PE] bgp 123
[Hub-PE-bgp] ipv4-family vpn-instance VPN_out
[Hub-PE-bgp-VPN_out] import-route ospf 200

# On the Hub-CE, import the routes learned through OSPF 100 into OSPF 200.
[Hub-CE] ospf 200
[Hub-CE-ospf-200] import-route ospf 100
Deployment Method 3: Route Advertisement Process
⚫ Using OSPF as the IGP, the Spoke-CEs and Spoke-PEs exchange routing information through an OSPF neighbor relationship (process 100).
⚫ Two EBGP connections are established between the Hub-PE and Hub-CE to advertise and accept private network routes, respectively. The configurations of the Hub-PE and Hub-CE are similar to those in method 1.

Figure: Spoke-CE1 (site 1) -- OSPF 100 -- Spoke-PE1; Spoke-CE2 (site 2) -- OSPF 100 -- Spoke-PE2; Spoke-PEs -- P -- Hub-PE; Hub-PE -- EBGP (VPN_in) and EBGP (VPN_out) -- Hub-CE (site 3).

• The process of advertising a route from Spoke-CE1 to Spoke-CE2 is as follows:
▫ Spoke-CE1 advertises the route to Spoke-PE1 through OSPF 100.
▫ Spoke-PE1 advertises the route to the Hub-PE through IBGP.
▫ The Hub-PE imports the route into the VPN_in routing table through the import RT of the VPN instance VPN_in, and then advertises the route to the Hub-CE through EBGP.
▫ The Hub-CE learns the route through that EBGP connection and advertises it back to the VPN instance VPN_out of the Hub-PE through the other EBGP connection.
▫ The Hub-PE advertises the route with the export RT of VPN_out to Spoke-PE2.
▫ Spoke-PE2 advertises the route to Spoke-CE2 through OSPF 100.
Why Is There No Method 4?
⚫ In Hub&Spoke MPLS VPN networking, if the Spoke-PEs and Spoke-CEs use EBGP, the Hub-CE and Hub-PE cannot use an IGP between them.

[Figure: Spoke-CE1 (site 1, AS 65001) and Spoke-CE2 (site 2) connect to Spoke-PE1 and Spoke-PE2 through EBGP; the Hub-PE connects to the Hub-CE (site 3) through OSPF 100 (VPN_in) and OSPF 200 (VPN_out). The route 192.168.1.0/24 leaves Spoke-CE1 with AS_Path {65001} and comes back from the Hub-PE with an empty AS_Path { }.]

• The following takes the advertisement of the route destined for 192.168.1.0/24 from Spoke-CE1 to Spoke-CE2 as an example. The process is as follows:
▫ Spoke-CE1 advertises a route to Spoke-PE1 through EBGP.
▫ Spoke-PE1 advertises the route to the Hub-PE through IBGP.
▫ The Hub-PE imports the route to the VPN_in routing table through the import RT attribute of the VPN instance (VPN_in) and advertises the route to the Hub-CE through OSPF 100.
▫ The Hub-CE learns the route through OSPF 100 and advertises the route to the Hub-PE through OSPF 200.
▫ The VPN instance (VPN_out) of the Hub-PE imports the route of OSPF 200 and advertises the route with the export RT attribute of VPN_out to all Spoke-PEs.
▫ The VPN instance on Spoke-PE2 imports the route based on the import RT. Spoke-PE2 advertises the route to Spoke-CE2 through EBGP.
• The VPN instance (VPN_out) on the Hub-PE advertises the route to Spoke-PE2 and Spoke-PE1 at the same time with the export RT. The route is imported by the Hub-PE through an IGP (OSPF 200). Because the IGP route does not carry the AS_Path attribute, the AS_Path attribute is null. The AS_Path of the route destined for 192.168.1.0/24 from Spoke-CE1 is not null. Therefore, the route returned by the Hub-PE takes precedence over the route from Spoke-CE1. As a result, route flapping occurs.
• The process is as follows:
▫ The route advertised by Spoke-CE1 becomes a non-optimal route because of the AS_Path attribute.
▫ Spoke-PE1 sends an Update message to the Hub-PE to withdraw the route to 192.168.1.0/24.
▫ The Hub-PE withdraws the route sent to the Hub-CE (by withdrawing the corresponding OSPF LSAs).
▫ The Hub-CE withdraws the route sent to the Hub-PE (the implementation is the same as the preceding implementation).
▫ The Hub-PE advertises the Update message to withdraw the route sent to Spoke-PE1.
• Therefore, the route from Spoke-CE1 becomes the optimal route on Spoke-PE1. Spoke-PE1 advertises the route to the Hub-PE through IBGP. The Hub-PE then returns the route, and the route from Spoke-CE1 becomes a non-optimal route. This process repeats.
Contents
1. MPLS VPN Applications and Networking Overview
2. MPLS VPN Deployment in Typical Scenarios
▫ Intranet Scenario
▫ Hub&Spoke Scenario
◼ Route Import Between VPN Instances Scenario
3. OSPF VPN Extension
Configuring Interworking Between VPN and Public Network Instances
⚫ Import different types of VPN routes to the public network instance's corresponding routing tables.

[Figure: VPNA CE1 -- PE1 (step 1: import VPN routes into the public routing table; step 2: import the public routing table into the P-facing routing protocol) -- public network P]

[Huawei] ip import-rib vpn-instance vpn-instance-name protocol { static | isis process-id | ospf process-id } [ valid-route ] [ route-policy route-policy-name | route-filter route-filter-name ]

1. Configure the PE to import VPN routes to the local public routing table.
2. Configure the PE to import the local public routing table into other routing protocols so that the P device can obtain routing information.

⚫ Import different types of routes from the public network instance to a VPN instance's corresponding routing tables.

[Figure: VPNA CE1 -- PE1 (step 1: import public routes into the VPN routing table; step 2: import the VPN routing table into the CE-facing routing protocol) -- public network P]

[Huawei-vpn-instance-VPNA-af-ipv4] import-rib public protocol { direct | vlink-direct-route | { static | isis process-id | ospf process-id } [ valid-route ] } [ route-policy route-policy-name ]

1. Configure the PE to import public routes to the local VPN routing table.
2. Configure the PE to import the local private routing table into other routing protocols so that the CE device can obtain routing information.
Example for Configuring Interworking Between VPN and Public Network Instances

[Figure: VPNA CE1 -- GE0/0/0, 10.0.12.0/24 -- PE1 -- GE0/0/0, 10.0.23.0/24 -- public network P]

1. Import routes of a specified VPN instance to the public network instance.
[PE1]ip import-rib vpn-instance VPNA protocol direct
[PE1]ospf 1
[PE1-ospf-1]import-route direct

2. Import routes of the public network instance to a specified VPN instance.
[PE1]ip vpn-instance VPNA
[PE1-vpn-instance-VPNA]ipv4-family
[PE1-vpn-instance-VPNA-af-ipv4] import-rib public protocol ospf 1

3. Verify the configuration: The P device can successfully ping the OSPF interface address of CE1 in a specified VPN instance.
<P>ping 10.0.12.1
PING 10.0.12.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.12.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 10.0.12.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.0.12.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 10.0.12.1: bytes=56 Sequence=4 ttl=255 time=5 ms
Reply from 10.0.12.1: bytes=56 Sequence=5 ttl=255 time=4 ms
Configuring Interworking Between VPN Instances

[Figure: VPNA CE1 -- PE1 -- VPNB CE2; step 1 imports VPNA routes into VPNB, step 2 imports VPNB routes into VPNA]

1. Configure the PE to import routes of VPNA to VPNB.
2. Configure the PE to import routes of VPNB to VPNA.

Configure route import between VPN instances.
[Huawei-vpn-instance-VPNA-af-ipv4] import-rib vpn-instance vpn-instance-name protocol { direct | { static | isis process-id | ospf process-id } [ valid-route ] } [ route-policy route-policy-name | route-filter route-filter-name ]
Example for Configuring Interworking Between VPN Instances

[Figure: VPNA CE1 -- GE0/0/0, 10.0.12.0/24 -- PE1 -- GE0/0/0, 10.0.23.0/24 -- VPNB CE2]

1. Import private routes of VPNA to VPNB.
[PE1]ip vpn-instance VPNB
[PE1-vpn-instance-VPNB]ipv4-family
[PE1-vpn-instance-VPNB-af-ipv4] import-rib vpn-instance VPNA protocol direct

2. Import private routes of VPNB to VPNA.
[PE1]ip vpn-instance VPNA
[PE1-vpn-instance-VPNA]ipv4-family
[PE1-vpn-instance-VPNA-af-ipv4] import-rib vpn-instance VPNB protocol direct

3. Verify the configuration: CE2 can successfully ping the interface address of CE1 in a specified VPN instance.
<CE2>ping 10.0.12.1
PING 10.0.12.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.12.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 10.0.12.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.0.12.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 10.0.12.1: bytes=56 Sequence=4 ttl=255 time=5 ms
Reply from 10.0.12.1: bytes=56 Sequence=5 ttl=255 time=4 ms
Contents
1. MPLS VPN Applications and Networking Overview
2. MPLS VPN Deployment in Typical Scenarios
3. OSPF VPN Extension
◼ Interoperability Between OSPF and BGP
▫ OSPF Loop Prevention
▫ OSPF Sham Link
OSPF/BGP in MPLS VPN
⚫ When OSPF is deployed between the PE and CE to exchange routing information, if the standard BGP/OSPF exchange process (BGP/OSPF interoperation for short) is used on the PE, the remote PE directly generates Type 5 LSAs when importing BGP routes into the OSPF process of the VPN instance. Each site therefore considers the routes of other sites as AS external routes (AS_external).
⚫ To solve the problem of OSPF routing information loss caused by standard BGP/OSPF interoperation, BGP and OSPF are extended accordingly.

[Figure: Route advertisement from site 1 to site 2. CE1 (site 1, AS 65001) -- OSPF -- PE1 -- P (AS 123, BGP) -- PE2 -- OSPF -- CE2 (site 2, AS 65001). PE1 imports the OSPF route advertised by CE1 into BGP and advertises the route to PE2; PE2 imports the BGP route advertised by PE1 into OSPF and advertises the route to CE2.]

• In actual applications, if two sites that need to communicate are in the same AS, each site should consider the route of the other site as an inter-area route rather than an AS external route.
BGP Extended Community Attributes
⚫ To retain OSPF routing information, BGP adds some community attributes that can carry OSPF routing information.
 Domain ID: identifies a domain.
 Route Type: contains the area ID and route type of the OSPF route imported to BGP.
◼ Area-ID: ID of the VRF OSPF process of the PE that establishes an adjacency with a CE.
◼ Route Type: type of the imported OSPF route:
− 1 or 2: intra-area route, that is, the route calculated by the PE based on Type 1 and Type 2 LSAs
− 3: inter-area route
− 5: OSPF external route, that is, the route calculated by the PE through Type 5 LSAs. When the value of the Route Type field is 5, the value of the Area-ID field must be 0.0.0.0.
− 7: NSSA route, that is, the route calculated by the PE through Type 7 LSAs
Domain ID
⚫ When OSPF routes are imported into BGP on a PE, the PE adds the domain ID attribute to the BGP routes according to the local configuration. The domain ID is transmitted as an extended community attribute of BGP.
⚫ When a PE imports a BGP route to OSPF, if the domain ID carried in the BGP route is the same as the local domain ID, the two sites belong to the same OSPF routing domain. If they are different, they are considered not to be in the same routing domain.

[Figure: BGP Update messages carry OSPF routing information as extended community attributes (Type, Domain ID, Area-ID). Route advertisement from site 1 to site 2: CE1 (site 1, OSPF domain ID 234) -- PE1 -- P (AS 123) -- PE2 -- CE2 (site 2, OSPF domain ID 234).]

• The domain ID can be configured using the domain-id command in the view of the OSPF process bound to the VRF instance.
▫ By default, the domain ID is 0 (NULL). If different OSPF domains use NULL as the domain ID, these OSPF domains cannot be distinguished. Consequently, the routes between different OSPF domains are considered as intra-area routes.
▫ If an OSPF domain is configured with a non-zero domain ID, NULL is no longer the domain ID of the OSPF domain.
• It is recommended that all OSPF instances related to the same VPN use the same domain ID or the default domain ID.
Domain ID and Route Type
⚫ Based on the domain ID and route type in the BGP route, a PE generates different types of OSPF LSAs and advertises them to the OSPF process of the VRF.

Whether the domain ID is the same as the local domain ID | Route Type    | Types of OSPF LSAs generated by PEs
Yes                                                      | 1, 2, 3       | 3
Yes                                                      | 5, 7          | 5, 7
No                                                       | 1, 2, 3, 5, 7 | 5, 7

[Figure: Route advertisement from site 1 to site 2: CE1 (site 1, OSPF domain ID 234) -- PE1 -- P (AS 123) -- PE2 -- CE2 (site 2, OSPF domain ID 234). PE2 generates different types of OSPF LSAs based on the extended attributes in the BGP routes.]
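As an added example (my own code, not from the course material), the following Python encodes and decodes the two BGP extended communities that carry the Domain ID and Route Type across the backbone, using the wire formats of RFC 4577, and then applies the table above to decide which LSA type the receiving PE generates. It also enforces the rule stated on the previous slide that a Route Type of 5 must carry Area-ID 0.0.0.0. The choice of Type 7 when the PE-CE area is an NSSA, the treatment of a route that carries no Route Type community as external, and the treatment of a missing Domain ID as NULL are my assumptions; all sample values are constructed.

```python
"""Added example: OSPF Domain ID / Route Type extended communities and the
LSA type a PE generates from them. Wire formats per RFC 4577; not course code."""
import ipaddress
import struct

# RFC 4577 4.2.4: OSPF Domain Identifier. High-order type byte 0x00 (2-byte AS
# form), 0x01 (IPv4 address form) or 0x02 (4-byte AS form), sub-type 0x05,
# followed by a 6-byte identifier.
DOMAIN_ID_SUBTYPE = 0x05
# RFC 4577 4.2.5: OSPF Route Type, type 0x0306. Value = Area ID (4 bytes),
# route type (1 byte), options (1 byte; bit 0 set for a type-2 external metric).
ROUTE_TYPE_TYPE = 0x0306
NULL_DOMAIN_ID = bytes(6)                     # the course's default domain ID 0 (NULL)
DOMAIN_ID_234 = struct.pack(">HI", 234, 0)    # constructed 6-byte identifier for "domain ID 234"


def encode_domain_id(domain_id: bytes, high_type: int = 0x00) -> bytes:
    """Build the 8-byte Domain ID community from a 6-byte identifier."""
    if len(domain_id) != 6 or high_type not in (0x00, 0x01, 0x02):
        raise ValueError("domain ID must be 6 bytes in form 0x00, 0x01 or 0x02")
    return struct.pack(">BB6s", high_type, DOMAIN_ID_SUBTYPE, domain_id)


def encode_route_type(area_id: str, route_type: int, type2_metric: bool = False) -> bytes:
    """Build the 8-byte Route Type community, rejecting a Type 5 route whose
    Area-ID is not 0.0.0.0 (the rule the course states)."""
    area = ipaddress.IPv4Address(area_id)
    if route_type not in (1, 2, 3, 5, 7):
        raise ValueError(f"unsupported OSPF route type {route_type}")
    if route_type == 5 and int(area) != 0:
        raise ValueError("Route Type 5 requires Area-ID 0.0.0.0")
    return struct.pack(">H4sBB", ROUTE_TYPE_TYPE, area.packed, route_type, int(type2_metric))


def parse_ext_communities(attr: bytes) -> dict:
    """Pull the OSPF-related communities out of a BGP Extended Communities
    attribute value (a sequence of 8-byte communities); others are ignored."""
    if len(attr) % 8:
        raise ValueError("extended communities attribute is not a multiple of 8 bytes")
    info = {}
    for off in range(0, len(attr), 8):
        high, sub, value = struct.unpack(">BB6s", attr[off:off + 8])
        if sub == DOMAIN_ID_SUBTYPE and high in (0x00, 0x01, 0x02):
            info["domain_id"] = value
        elif (high << 8) | sub == ROUTE_TYPE_TYPE:
            area, rtype, opts = struct.unpack(">4sBB", value)
            info["area_id"] = str(ipaddress.IPv4Address(area))
            info["route_type"] = rtype
            info["type2_metric"] = bool(opts & 0x01)
    return info


def lsa_type_to_generate(local_domain_id: bytes, info: dict, nssa_area: bool = False) -> int:
    """The course's table: same domain and route type 1/2/3 -> Type 3 (inter-area);
    anything else -> AS-external, as Type 7 when the PE-CE area is an NSSA
    (assumption) and Type 5 otherwise."""
    same_domain = info.get("domain_id", NULL_DOMAIN_ID) == local_domain_id  # no community: NULL (assumption)
    route_type = info.get("route_type")                                       # absent: treated as external (assumption)
    if same_domain and route_type in (1, 2, 3):
        return 3
    return 7 if nssa_area else 5


def demo() -> list:
    """Constructed routes received by a PE whose local domain ID is 234."""
    other_domain = struct.pack(">HI", 999, 0)
    samples = [
        (encode_domain_id(DOMAIN_ID_234) + encode_route_type("0.0.0.1", 1), False),  # intra-area, same domain
        (encode_domain_id(DOMAIN_ID_234) + encode_route_type("0.0.0.0", 5), False),  # external, same domain
        (encode_domain_id(other_domain) + encode_route_type("0.0.0.1", 3), False),   # inter-area, other domain
        (encode_domain_id(other_domain) + encode_route_type("0.0.0.1", 3), True),    # same, but NSSA area
    ]
    return [lsa_type_to_generate(DOMAIN_ID_234, parse_ext_communities(a), nssa) for a, nssa in samples]


if __name__ == "__main__":
    print(demo())   # [3, 5, 5, 7]
```

The decoder deliberately skips communities it does not recognise rather than failing, which is what a PE does with the Route Target and other communities that travel in the same attribute.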
Contents
1. MPLS VPN Applications and Networking Overview
2. MPLS VPN Deployment in Typical Scenarios
3. OSPF VPN Extension
▫ Interoperability Between OSPF and BGP
◼ OSPF Loop Prevention
▫ OSPF Sham Link
Type 3 Routing Loop Prevention: Case
⚫ The following figure shows an example of Type 3 LSA routing loops.
 Site 1 and site 2 belong to VPN1.
 Site 1 is connected to PE1 on the backbone network through OSPF area 0.
 Site 2 is connected to PE2 and PE3 on the backbone network through OSPF area 0 (in the dual-homing load balancing scenario).

[Figure: CE1 (site 1, 192.168.1.0/24) -- OSPF area 0 -- PE1 -- P -- PE2 and PE3 (VPNv4 between the PEs) -- OSPF area 0 -- CE2 (site 2). PE2 sends a Type 3 LSA for 192.168.1.0/24 to CE2, which floods it on to PE3.]

• The loop generation process is as follows:
▫ CE1 at site 1 advertises a route destined for 192.168.1.0/24 to PE1 using a Type 3 LSA.
▫ PE1 imports the route of the OSPF VPN1 process to BGP and advertises the route to PE2 and PE3 through MP-IBGP.
▫ PE2 is configured to import routes from BGP to OSPF. Therefore, PE2 generates Type 3 LSAs and sends them to CE2. CE2 then advertises the Type 3 LSAs received from PE2 to PE3.
▫ PE3 receives two routes destined for 192.168.1.0/24. One is advertised by PE1, and the other is imported by PE2. By default, IGP (OSPF) routes have a higher priority than IBGP routes. Therefore, PE3 selects the OSPF route.
▫ PE3 advertises the optimal route learned from OSPF to PE1 through MP-IBGP.
▫ In this case, PE1 has two routes to the destination network segment 192.168.1.0/24. One is learned from CE1 through OSPF, and the other is learned from PE3 through MP-IBGP. The following problems may occur:
▪ PE1 withdraws the route to 192.168.1.0/24. If the link between PE1 and PE2 is blocked, BGP Update messages cannot be sent to PE2. As a result, the route sent by PE3 to PE1 still exists. (In normal cases, the route is withdrawn when PE1 sends Update messages to PE2.) The next hop of the route from PE1 to 192.168.1.0/24 is PE3. Routing loops occur.
▪ If the priority of the MP-IBGP route on PE1 is higher than that of the OSPF route, PE1 preferentially selects the BGP route advertised by PE3. In this case, PE1 needs to withdraw the BGP route advertised to PE2. As a result, PE3 withdraws the BGP route advertised to PE1, and PE1 preferentially selects the OSPF route again. As a result, route flapping occurs.
Type 3 Routing Loop Prevention: DN Bit
⚫ To prevent Type 3 LSA loops, the OSPF multi-instance process uses an unused bit in the LSA Options field as a flag bit, which is called the DN bit. The DN bit is used to prevent Type 3 LSA loops.
⚫ When performing SPF calculation, the OSPF instance process on a PE ignores Type 3 LSAs with the DN bit set to 1.

[Figure: CE1 (site 1, 192.168.1.0/24) -- OSPF area 0 -- PE1 -- P -- PE2 and PE3 (VPNv4 between the PEs) -- CE2 (site 2). PE2 sends a Type 3 LSA to CE2; when it reaches PE3, OSPF LSA calculation is not performed.]

• By default, the DN bit in LSAs generated by OSPF is set to 1. You can run the dn-bit-set disable command to disable OSPF from setting the DN bit in LSAs.
Type 5/7 Routing Loop Prevention: Case
⚫ The following figure shows an example of a Type 5 LSA routing loop.
 Site 1 and site 2 belong to VPN1.
 Site 1 is connected to PE1 on the backbone network through EBGP.
 Site 2 is connected to PE2 and PE3 on the backbone network through OSPF.

[Figure: CE1 (site 1, AS 65001, 192.168.1.0/24) -- EBGP -- PE1 -- P -- PE2 and PE3 (VPNv4 between the PEs) -- OSPF -- CE2 (site 2).]

• The loop generation process is as follows:
▫ CE1 advertises a route destined for 192.168.1.0/24 to PE1 through EBGP. The AS_Path of the route is 65001.
▫ PE1 advertises the route to PE2 and PE3 through MP-IBGP.
▫ PE2 imports BGP routes to the OSPF VPN1 process and advertises a Type 5 LSA destined for 192.168.1.0/24 to CE2.
▫ CE2 advertises the Type 5 LSA to PE3.
▫ PE3 preferentially selects an OSPF route (the OSPF route has a higher priority than the IBGP route) and advertises an Update message to PE1 through MP-IBGP.
▫ PE1 receives the MP-IBGP Update message from PE3. The MP-IBGP route advertised by PE3 has a higher priority than the EBGP route advertised by CE1 because the MP-IBGP route is an IGP (OSPF) route imported by BGP on PE3 and its AS_Path is null. PE1 prefers the route advertised by PE3.
▫ In this case, a routing loop is formed: PE3 -> CE2 -> PE2 -> PE1 -> PE3.
• Because PE1 does not preferentially select the route learned from CE1, PE1 withdraws the route advertised to PE2. The imported BGP route is also withdrawn in the OSPF VPN instance process on PE2. Then, both CE2 and PE3 withdraw the OSPF routes. The BGP route advertised by PE3 to PE1 is also withdrawn. On PE1, the route learned from CE1 becomes the optimal route. As a result, route flapping occurs.
• The generation and elimination of Type 7 LSA-related loops are similar to those of Type 5 LSA-related loops, and are not described here.
Type 5/7 Route Loop Prevention: VPN Route Tag
⚫ A VPN route tag can be used to prevent Type 5 and Type 7 routing loops.
⚫ When a PE generates Type 5 or Type 7 LSAs based on received BGP VPN routes, the LSAs carry the VPN route tag. If a PE finds that the VPN route tag in an LSA is the same as the locally configured one, the PE ignores the LSA. This prevents routing loops.

[Figure: CE1 (site 1, AS 65001, 192.168.1.0/24) -- EBGP -- PE1 -- P -- PE2 and PE3 (VPNv4 between the PEs) -- OSPF -- CE2 (site 2). When the Type 5 LSA generated by PE2 reaches PE3 through CE2, LSA calculation is not performed.]

• The VPN route tag is not transmitted in the BGP extended community attribute. The VPN route tag is valid only on the PEs that receive BGP routes and generate OSPF LSAs.
• By default, the VPN route tag is calculated based on the AS number of BGP. If BGP is not configured, the default value is 0.
• You can run the route-tag command to set a VPN route tag.
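The two loop-prevention checks of this section (the DN bit for Type 3 LSAs and the VPN route tag for Type 5/7 LSAs) as an added example in Python. This is my own code, not course or product code; the DN bit position follows RFC 4576 (the high-order bit of the LSA Options field), the VPN route tag is taken as a plain parameter rather than derived from the BGP AS number, and the LSDB contents are constructed to match the figures of this section.

```python
"""Added example: the LSA checks a PE's VPN OSPF process applies to prevent
Type 3 loops (DN bit, RFC 4576) and Type 5/7 loops (VPN route tag), run over a
constructed LSDB. Not course code."""
from dataclasses import dataclass

DN_BIT = 0x80   # RFC 4576: high-order bit of the LSA Options field


@dataclass
class Lsa:
    ls_type: int          # 3 = summary, 5 = AS-external, 7 = NSSA-external
    prefix: str
    adv_router: str
    options: int = 0      # LSA Options field; the DN bit lives here
    route_tag: int = 0    # External Route Tag field of Type 5/7 LSAs


def originate_from_bgp(prefix: str, ls_type: int, pe_router_id: str,
                       vpn_route_tag: int, dn_bit_set: bool = True) -> Lsa:
    """A PE generating an LSA from a received BGP VPN route. Per the course, the
    DN bit is set by default (dn-bit-set disable turns it off) and Type 5/7 LSAs
    carry the VPN route tag. RFC 4576 sets DN on Type 5/7 too; this model keeps
    it on Type 3 only, to mirror the course's description."""
    options = DN_BIT if (ls_type == 3 and dn_bit_set) else 0
    tag = vpn_route_tag if ls_type in (5, 7) else 0
    return Lsa(ls_type, prefix, pe_router_id, options, tag)


def pe_accepts(lsa: Lsa, local_vpn_route_tag: int) -> tuple:
    """Decide whether a PE uses an LSA in its VRF SPF/route calculation."""
    if lsa.ls_type == 3 and lsa.options & DN_BIT:
        return False, "DN bit set: Type 3 LSA originated by a PE, ignored"
    if lsa.ls_type in (5, 7) and lsa.route_tag == local_vpn_route_tag:
        return False, "route tag equals the local VPN route tag, ignored"
    return True, "accepted"


def usable_prefixes(lsdb: list, local_vpn_route_tag: int) -> list:
    """Prefixes the PE would feed into route calculation, in LSDB order."""
    return [lsa.prefix for lsa in lsdb if pe_accepts(lsa, local_vpn_route_tag)[0]]


def demo() -> dict:
    """Constructed LSDB as PE3 sees it in the figures: all PEs of AS 123 use
    VPN route tag 123 (constructed value); CE2 is an ordinary customer router."""
    tag = 123
    lsdb = [
        # Type 3 that PE2 generated from the BGP route and CE2 flooded on: the loop, must be ignored
        originate_from_bgp("192.168.1.0/24", 3, "2.2.2.2", tag),
        # Genuine inter-area route summarised by a customer ABR: no DN bit, accepted
        Lsa(3, "10.20.0.0/16", "10.1.23.2"),
        # Type 5 that PE2 generated from the BGP route: carries the local tag, ignored
        originate_from_bgp("192.168.1.0/24", 5, "2.2.2.2", tag),
        # Type 5 redistributed by the customer from another protocol: different tag, accepted
        Lsa(5, "172.16.0.0/16", "10.1.23.2", route_tag=0),
    ]
    # The same Type 3 with dn-bit-set disable on PE2: PE3 would accept it (the loop case)
    dn_disabled = originate_from_bgp("192.168.1.0/24", 3, "2.2.2.2", tag, dn_bit_set=False)
    return {
        "with_checks": usable_prefixes(lsdb, tag),
        "verdicts": [pe_accepts(lsa, tag)[1] for lsa in lsdb],
        "dn_bit_disabled_accepted": pe_accepts(dn_disabled, tag)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows only the customer-originated prefixes surviving the checks, while the copy of 192.168.1.0/24 that went out of PE2 and came back through CE2 is dropped on both the Type 3 and the Type 5 path.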
Contents
1. MPLS VPN Applications and Networking Overview
2. MPLS VPN Deployment in Typical Scenarios
3. OSPF VPN Extension
▫ Interoperability Between OSPF and BGP
▫ OSPF Loop Prevention
◼ OSPF Sham Link
Sham Link Usage Scenarios
⚫ Generally, BGP peers use BGP extended community attributes to carry routing information on the MPLS VPN backbone network. OSPF running on the peer PE can use the information to generate Type 3 LSAs from the PE to the CE. These Type 3 LSAs are inter-area routes.
⚫ If a backdoor link is added between CE1 and CE2 and OSPF is run on it to exchange routes, the route learned through the backdoor link is an intra-area route.
⚫ Because intra-area routes take precedence over inter-area routes, the backdoor link is preferentially selected. To use the backdoor link only as a backup link, use a sham link.

[Figure: Site 1 CE1 -- PE1 -- P -- PE2 (AS 123) -- CE2 (site 2, 192.168.1.0/24); CE1 GE0/0/0 and CE2 GE0/0/0 are joined by an OSPF backdoor link.]
Working Mechanism of Sham Link
⚫ The sham link creates an intra-area link between two PEs. When LSAs are flooded on a sham link, all OSPF route types remain unchanged and are not changed to Type 3 or 5 LSAs.
⚫ A sham link is considered as a link between two VPN instances. The addresses of the two ends of the link are the addresses of the PEs, which are used as the source and destination addresses of the connection. The source and destination addresses of a sham link are loopback interface addresses with 32-bit masks. The loopback interface must be bound to a VPN instance and advertised through BGP.

[Figure: Site 1 CE1 -- PE1 (L0: 1.1.1.1/32) -- P -- PE2 (L0: 2.2.2.2/32) (AS 123) -- CE2 (site 2, 192.168.1.0/24); a sham link runs between the PE loopbacks, and CE1 GE0/0/0 and CE2 GE0/0/0 are joined by an OSPF backdoor link.]

• Multiple sham links of the same OSPF process can share the same endpoint address, but different OSPF processes cannot have two sham links with the same endpoint address.
Sham Link Configuration Example

1. Create an interface on the PE to set up a sham link. The configuration of PE2 is similar to that of PE1.
[PE1]interface LoopBack0
[PE1-LoopBack0] ip binding vpn-instance VPNA
[PE1-LoopBack0]ip address 1.1.1.1 32
# Advertise the routes in the BGP VPN address family.
[PE1-bgp-VPNA]network 1.1.1.1 32

2. Configure the sham link on PE1. The configuration of PE2 is similar to that of PE1.
[PE1-ospf-1]area 0
[PE1-ospf-1-area-0.0.0.0]sham-link 1.1.1.1 2.2.2.2

3. Adjust the cost value to ensure that the cost value of the backdoor link is greater than that of the sham link.
[CE1-GigabitEthernet0/0/0]ospf cost 1000

• When configuring a sham link, you can specify the route cost of the sham link. The default value is 1.
Verifying the Configuration of the Sham Link
1. For details about common OSPF VPN configurations, see the preceding configuration examples.
<PE1>display ospf sham-link area 0

OSPF Process 1 with Router ID 1.1.1.1

Sham-Link: 1.1.1.1 --> 2.2.2.2

Neighbor ID: 2.2.2.2 , State: Full , GR status: Normal
Area: 0.0.0.0
Cost: 1 , State: P-2-P , Type: Sham
Timers: Hello 10 , Dead 40 , Retransmit 5 , Transmit Delay 1

2. Check OSPF routes on CE1. The command output shows that the peer route has been learned as an intra-area route.
<CE1>display ospf routing

Routing for Network

Destination       Cost  Type     NextHop     AdvRouter   Area
1.1.1.1/32        0     Stub     1.1.1.1     10.1.12.1   0.0.0.0
10.1.12.0/24      1     Transit  10.1.12.1   10.1.12.1   0.0.0.0
192.168.1.0/24    3     Stub     10.0.12.1   2.2.2.2     0.0.0.0
10.1.23.0/24      3     Transit  10.1.12.2   10.1.23.2   0.0.0.0
Quiz

1. (Multiple-answer question) On an MPLS VPN network, when a PE imports VPN routes learned from other PEs to OSPF, which of the following LSAs may be generated? ( )
A. Type 1 LSA
B. Type 3 LSA
C. Type 5 LSA
D. Type 7 LSA

2. (True or false) When a CE transmits routes to a PE through BGP, the routes may carry the SoO attribute. ( )
A. True
B. False

Answers:
1. BCD
2. B
Summary
⚫ MPLS VPN has different networking solutions in different scenarios. The common networking solutions are intranet, extranet, and Hub&Spoke. In addition, MPLS VPN networking can be classified into inter-AS and intra-AS networking based on whether the MPLS VPN backbone network spans multiple ASs.
⚫ PEs and CEs can use static, OSPF, IS-IS, or BGP routes to exchange routing information. OSPF provides the following extended features for MPLS VPN:
 Domain ID: identifies whether the routes imported to a VPN instance belong to the same OSPF domain.
 DN bit: used to prevent routing loops caused by Type 3 LSAs.
 VPN route tag: used to prevent routing loops caused by Type 5 or Type 7 LSAs.
 Sham link: controls OSPF route selection in special scenarios.
Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Inter-AS MPLS L3VPN
Foreword
⚫ As the MPLS VPN solution has been widely adopted, the user quantity and network scale are increasing rapidly, and the number of sites in an enterprise keeps increasing. Sites in different geographical locations or autonomous systems (ASs) need to be interconnected across ASs.
⚫ To support the exchange of VPN routing information between ASs, the existing protocol needs to be extended and the MPLS VPN architecture needs to be modified to provide an interconnection model different from the basic MPLS VPN architecture, that is, the inter-AS MPLS VPN.
⚫ RFC 4364 proposed three inter-AS VPN solutions: inter-AS VPN Option A, inter-AS VPN Option B, and inter-AS VPN Option C.
⚫ This document describes the fundamentals and configurations of the three inter-AS MPLS VPN solutions.
Objectives
⚫ On completion of this course, you will be able to:
 Describe the fundamentals of the three inter-AS VPN solutions.
 Perform basic configurations of the three inter-AS VPN solutions.
 Illustrate the application scenarios of the three inter-AS VPN solutions.
Contents
1. Background of Inter-AS VPN Solutions
2. Fundamentals and Configurations of Inter-AS VPN Option A
3. Fundamentals and Configurations of Inter-AS VPN Option B
4. Fundamentals and Configurations of Inter-AS VPN Option C
Fundamentals of Intra-AS MPLS VPN: Route Advertisement and Label Distribution
The following example describes how CE1 advertises routes to CE2.

[Figure: MPLS backbone network CE1 (site 1) -- PE1 -- P -- PE2 -- CE2 (site 2). (1) IGP/BGP, IPv4 routing: IPv4 Net1, NH CE1. (2) MP-IBGP, VPNv4 routing: VPNv4 RD1+Net1, NH PE1, VPN label V1. (3) IGP/BGP, IPv4 routing: IPv4 Net1, NH PE2. (4) LDP: FEC PE1, label T1 on PE1; FEC PE1, label T2 on P.]

1. CE1 and PE1 run IGP/BGP to exchange routing information (IPv4 routes).
2. After PE1 receives a route from CE1, PE1 converts the route into a VPNv4 route, advertises the VPNv4 route to PE2 using MP-IBGP, and allocates a VPN label V1 to the route.
3. After PE2 receives the VPNv4 route, PE2 converts the route into an IPv4 route and advertises the route to CE2 using IGP/BGP.
4. PEs and the P on the MPLS backbone network run LDP to allocate tunnel labels. Assume that the labels allocated by PE1 and by P for the FEC PE1 are T1 and T2 respectively.
Only PEs are aware of VPN routing information, while the P device is not.
The backbone network uses MPLS tunnel forwarding to avoid routing blackholes.
Fundamentals of Intra-AS MPLS VPN: Data Forwarding
The following example describes how CE2 sends a data packet to CE1.

[Figure: MPLS backbone network CE1 (site 1) -- PE1 -- P -- PE2 -- CE2 (site 2). Packet at each hop: (1) CE2 to PE2: IP, Net1; (2) PE2 to P: MPLS, T2 | V1 | Net1; (3) P to PE1: MPLS, T1 | V1 | Net1; (4) PE1 to CE1: IP, Net1. Legend: IPv4, VPN label, LDP LSP.]

1. CE2 sends an IPv4 packet with the destination address Net1.
2. After PE2 receives the packet, it encapsulates the packet with a VPN label V1 and then an outer label T2 and forwards the packet to the P device.
3. The P device swaps the outer label T2 with T1 and forwards the packet to PE1.
4. PE1 removes all labels from the packet and forwards the packet to CE1.
Background of Inter-AS MPLS VPN Solutions
⚫ As the enterprise scale keeps increasing, enterprise sites in different locations may belong to different ASs. As shown in the figure, when CEs in two different ASs need to communicate with each other, the inter-AS VPN technology is required.

[Figure (top): AS100: CE1 -- PE1 -- P -- PE2 -- CE3; AS200: CE4 -- PE1 -- P -- PE2 -- CE2. Devices in the two ASs communicate using EBGP or static routing.]
[Figure (bottom): CE1 -- PE1 -- P1 -- ASBR-PE1 (AS100) -- EBGP or static routing -- ASBR-PE2 -- P2 -- PE2 -- CE2 (AS200), with CE3 and CE4 attached to the ASBR-PEs.]

• To facilitate understanding, the devices connecting the ASs in the original ASs are called ASBR-PEs, and the P devices are numbered differently. In addition, CE3 and CE4 will not be discussed.
Problems Caused by Inter-AS MPLS VPN

[Figure: New backbone network: CE1 -- PE1 -- P1 -- ASBR-PE1 (AS100) -- ASBR-PE2 -- P2 -- PE2 -- CE2 (AS200)]

⚫ Compared with intra-AS MPLS VPN, inter-AS MPLS VPN has similar fundamentals but faces the following problems:
 LDP does not run between ASs. As a result, outer tunnels cannot be established between ASs.
 PEs in different ASs do not run an IGP between them, cannot establish BGP peer relationships with each other by default, and so cannot directly advertise VPNv4 routes to each other.
⚫ The solutions to the preceding problems are as follows:
 Option A: ASBRs exchange IPv4 routes and forward IPv4 data packets. This solution is easy to understand.
 Option B: ASBRs exchange VPNv4 routes and forward packets carrying one MPLS label.
 Option C: PEs exchange VPNv4 routes and forward packets carrying multiple MPLS labels.
Inter-AS MPLS VPN Solutions
⚫ The following describes three inter-AS MPLS VPN solutions:
 Inter-Provider Backbones Option A (inter-AS VPN Option A)
◼ VPN instances spanning multiple ASs are bound to dedicated interfaces of ASBRs to manage their own VPN routes. This solution is also called VRF-to-VRF.
◼ The configuration is simple, without requiring MPLS to run between ASBRs.
 Inter-Provider Backbones Option B (inter-AS VPN Option B)
◼ ASBRs advertise labeled VPNv4 routes to each other using MP-EBGP. This solution is also called EBGP redistribution of labeled VPNv4 routes.
◼ With this solution, you do not need to create a different interface for each VPN.
 Inter-Provider Backbones Option C (inter-AS VPN Option C)
◼ PEs or route reflectors (RRs) advertise labeled VPNv4 routes to each other using multi-hop MP-EBGP. This solution is also called multi-hop EBGP redistribution of labeled VPNv4 routes.
◼ The configuration is complex because ASBRs do not maintain or advertise VPNv4 routes.
Contents
1. Background of Inter-AS VPN Solutions
2. Fundamentals and Configurations of Inter-AS VPN Option A
◼ Fundamentals
▫ Basic Configurations
3. Fundamentals and Configurations of Inter-AS VPN Option B
4. Fundamentals and Configurations of Inter-AS VPN Option C
Inter-AS VPN Option A Overview
⚫ As a basic BGP/MPLS IP VPN application in the inter-AS scenario, Option A needs no special configuration, and MPLS does not need to run between ASBRs. In this mode, the ASBRs of the two ASs connect directly to each other and function as PEs in their own ASs. Each ASBR views the peer ASBR as its CE and advertises IPv4 routes to the peer ASBR using EBGP.

[Figure (top): CE1 -- PE1 -- P1 -- ASBR-PE1 (AS100) -- EBGP -- ASBR-PE2 -- P2 -- PE2 -- CE2 (AS200). Each VPN instance uses a different logical link between the ASBRs, and the ASBRs exchange IPv4 routes.]
[Figure (bottom): From the point of view of AS100, ASBR-PE1 views ASBR-PE2 as its CE; from the point of view of AS200, ASBR-PE2 views ASBR-PE1 as its CE.]
Inter-AS VPN Option A Topology
⚫ Two ASBR-PEs are connected through multiple physical interfaces (or sub-interfaces), each interface is bound to a VPN, and each ASBR-PE views the peer ASBR-PE as a CE. Therefore, the interfaces connecting the two ASBR-PEs need to be bound to VRFs, and VPNv4 routes need to be converted into common IPv4 routes using EBGP and transmitted from one AS to the other. The two ASBRs therefore need to be interconnected, but MPLS does not need to be enabled between them.

[Figure: AS100 (IP/MPLS, MP-IBGP): CE1 -- PE1 -- P1 -- ASBR-PE1; EBGP between ASBR-PE1 and ASBR-PE2; AS200 (IP/MPLS, MP-IBGP): ASBR-PE2 -- P2 -- PE2 -- CE2. Legend: IPv4, VPN label, LDP LSP.]
Inter-AS VPN Option A: Control Plane
The following example describes how CE1 advertises a route to CE2.

[Figure: AS100 (IP/MPLS, MP-IBGP): CE1 -- PE1 -- P1 -- ASBR-PE1; AS200 (IP/MPLS, MP-IBGP): ASBR-PE2 -- P2 -- PE2 -- CE2. Tunnel labels: FEC PE1, label T1 on PE1; FEC PE1, label T2 on P1; FEC ASBR-PE2, label T3 on ASBR-PE2; FEC ASBR-PE2, label T4 on P2. Routes: (1) IPv4 Net1, NH CE1; (2) VPNv4 RD1+Net1, NH PE1, VPN label V1; (4) IPv4 Net1, NH ASBR-PE1; (5) VPNv4 RD2+Net1, NH ASBR-PE2, VPN label V2; (7) IPv4 Net1, NH PE2.]

1. CE1 sets the next hop of an IPv4 route to itself and advertises the route to PE1.
2. PE1 converts the IPv4 route into a VPNv4 route, sets the next hop of the route to PE1, allocates a VPN label V1 to the route, and advertises the route to ASBR-PE1.
3. PE1 and P1 allocate tunnel labels T1 and T2 respectively to the routes destined for PE1.
4. ASBR-PE1 converts the VPNv4 route into an IPv4 route, sets the next hop to ASBR-PE1, and advertises the route to ASBR-PE2.
5. ASBR-PE2 converts the IPv4 route into a VPNv4 route, sets the next hop of the route to ASBR-PE2, allocates a VPN label V2 to the route, and advertises the route to PE2.
6. ASBR-PE2 and P2 allocate tunnel labels T3 and T4 respectively to the routes destined for ASBR-PE2.
7. PE2 converts the VPNv4 route into an IPv4 route, sets the next hop to PE2, and advertises the route to CE2.

• The numbers in this example are only for ease of understanding, and do not represent the actual processing sequence on the devices.
Inter-AS VPN Option A: Forwarding Plane

[Figure: AS100 (IP/MPLS, MP-IBGP): CE1 (site 1, Net1) -- PE1 -- P1 -- ASBR-PE1; AS200 (IP/MPLS, MP-IBGP): ASBR-PE2 -- P2 -- PE2 -- CE2 (site 2). Packet at each hop: (1) CE2 to PE2: IP, Net1; (2) PE2 to P2: MPLS, T4 | V2 | Net1; (3) P2 to ASBR-PE2: MPLS, T3 | V2 | Net1; (4) ASBR-PE2 to ASBR-PE1: IP, Net1; (5) ASBR-PE1 to P1: MPLS, T2 | V1 | Net1; (6) P1 to PE1: MPLS, T1 | V1 | Net1; (7) PE1 to CE1: IP, Net1.]

1. CE2 sends an IP packet destined for Net1 to PE2.
2. After PE2 receives the IP packet, it encapsulates the packet with a VPN label V2 and then an outer label T4 and forwards the packet to P2.
3. P2 swaps the outer label T4 with T3 and forwards the packet to ASBR-PE2.
4. ASBR-PE2 removes all labels from the packet and forwards the packet to ASBR-PE1.
5. After ASBR-PE1 receives the IP packet, it encapsulates the packet with a VPN label V1 and then an outer label T2 and forwards the packet to P1.
6. P1 swaps the outer label T2 with T1 and forwards the packet to PE1.
7. PE1 removes all labels from the packet and forwards the packet to CE1.

• The LDP PHP behavior is not considered in data forwarding.
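As an added example covering both the intra-AS data forwarding slide earlier in this chapter and the Option A forwarding plane above, the following Python walks a packet from CE2 to CE1 through per-node forwarding entries constructed from the two figures and records the label stack on every hop. It is my own code, not course or product code; the entry format (push, swap, pop plus a VRF IP lookup) and the hop limit that catches a forwarding loop are simplifications I chose, and PHP is ignored as the note says.

```python
"""Added example: a label-stack simulator for the intra-AS and Option A
forwarding planes in this chapter (CE2 -> CE1). Not course code; the per-node
entries are constructed from the figures."""

# Forwarding entry: (action, labels, next_hop).
#   push: add the given labels to the stack (listed bottom first, so the last
#         one becomes the top/outer label), then send to next_hop
#   swap: replace the top label with the given label, then send to next_hop
#   pop:  strip the outer and VPN labels, then look the IP packet up in the VRF
# Lookup key: ("label", top_label) for an MPLS packet, ("ip", prefix) for an IP packet.
INTRA_AS = {
    "CE2": {("ip", "Net1"): ("forward", [], "PE2")},
    "PE2": {("ip", "Net1"): ("push", ["V1", "T2"], "P")},
    "P":   {("label", "T2"): ("swap", ["T1"], "PE1")},
    "PE1": {("label", "T1"): ("pop", [], None), ("ip", "Net1"): ("forward", [], "CE1")},
    "CE1": {},                                               # destination site, consumes the packet
}

OPTION_A = {
    "CE2":      {("ip", "Net1"): ("forward", [], "PE2")},
    "PE2":      {("ip", "Net1"): ("push", ["V2", "T4"], "P2")},
    "P2":       {("label", "T4"): ("swap", ["T3"], "ASBR-PE2")},
    # The ASBR pops everything and forwards plain IP over the VRF-bound inter-AS interface
    "ASBR-PE2": {("label", "T3"): ("pop", [], None), ("ip", "Net1"): ("forward", [], "ASBR-PE1")},
    "ASBR-PE1": {("ip", "Net1"): ("push", ["V1", "T2"], "P1")},
    "P1":       {("label", "T2"): ("swap", ["T1"], "PE1")},
    "PE1":      {("label", "T1"): ("pop", [], None), ("ip", "Net1"): ("forward", [], "CE1")},
    "CE1":      {},
}


def forward_packet(fib: dict, src: str, prefix: str, max_hops: int = 16) -> list:
    """Walk the packet through the FIBs. The stack is kept bottom first, so
    stack[-1] is the top label. Returns (node, egress stack top first, next_hop)
    per transmitting node; raises on a missing entry or a forwarding loop."""
    node, stack, trace = src, [], []
    for _ in range(max_hops):
        if not fib[node]:                      # destination CE reached
            return trace
        key = ("label", stack[-1]) if stack else ("ip", prefix)
        if key not in fib[node]:
            raise LookupError(f"{node}: no forwarding entry for {key}")
        action, labels, next_hop = fib[node][key]
        if action == "pop":                    # strip tunnel + VPN label, re-lookup as IP on the same node
            stack = []
            continue
        if action == "push":
            stack = stack + labels
        elif action == "swap":
            stack = stack[:-1] + labels
        trace.append((node, list(reversed(stack)), next_hop))
        node = next_hop
    raise RuntimeError("hop limit exceeded: forwarding loop?")


def labels_on_link(trace: list, sender: str) -> list:
    """Label stack (top first) the given node puts on the wire."""
    return next(stack for node, stack, _ in trace if node == sender)


if __name__ == "__main__":
    for name, fib in (("intra-AS", INTRA_AS), ("Option A", OPTION_A)):
        print(name)
        for node, stack, nh in forward_packet(fib, "CE2", "Net1"):
            print(f"  {node:9} -> {nh:9} labels={stack or 'IP only'}")
```

The trace makes the Option A property visible: every backbone hop carries a two-label stack (tunnel label over VPN label), but the ASBR-to-ASBR link carries an unlabeled IP packet, which is why each VPN needs its own interface between the ASBRs.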


Inter-AS VPN Option A Characteristics
⚫ Inter-AS VPN Option A is easy to configure and understand.
⚫ When there are a small number of VPNs on a network, inter-AS VPN Option A is applicable.

⚫ An ASBR views the peer ASBR as a CE and uses a VRF interface to connect to the peer ASBR. ASBRs in two ASs
exchange VPNv4 routes.
⚫ At the data layer, VPN user data is exchanged between ASBRs in two ASs in the form of IP packets, that is, packets
do not carry any label header.

⚫ The scalability of inter-AS VPN Option A is poor. ASBRs need to manage all VPN routes, and a VPN instance needs
to be configured for each VPN. This results in numerous VPN-IPv4 routes on the ASBRs. In addition, because
common IP forwarding is implemented between ASBRs, each inter-AS VPN requires a different interface, which can
be a sub-interface, physical interface, or bundled logical interface. This poses high requirements for ASBRs. If a VPN
spans multiple ASs, the intermediate ASs must support VPN services. This requires complex configurations and
greatly affects the intermediate ASs. If only a few inter-AS VPN instances are used, inter-AS VPN Option A is
recommended.

Contents

1. Background of Inter-AS VPN Solutions

2. Fundamentals and Configurations of Inter-AS VPN Option A


▫ Fundamentals
◼ Basic Configurations

3. Fundamentals and Configurations of Inter-AS VPN Option B

4. Fundamentals and Configurations of Inter-AS VPN Option C

Inter-AS VPN Option A Configuration Example (1)
[Figure: AS100 contains CE1 (192.168.1.1/24), PE1, P1 and ASBR-PE1; AS200 contains ASBR-PE2, P2, PE2 and CE2 (192.168.2.1/24). ASBR-PE1 and ASBR-PE2 are connected through GE2/0/0 on the 10.0.34.0/24 network.]
⚫ CE1 and CE2 belong to the same VPN named vpna. CE1 and CE2 need to communicate with each other using Option A.
⚫ Data plan:
Device     Loopback0     RD     RT
PE1        10.0.1.1/32   100:1  1:1
ASBR-PE1   10.0.3.3/32   100:3  1:1
ASBR-PE2   10.0.4.4/32   200:4  2:2
PE2        10.0.6.6/32   200:6  2:2
⚫ Configuration roadmap:
 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to establish LDP LSPs in each AS. (The configuration details are not provided here.)
 Establish an MP-IBGP peer relationship between the PE and ASBR-PE in each AS to exchange VPN routing information. (The configuration details are not provided here.)
 Configure a VPN instance on the PE connected to the CE in each AS and establish EBGP peer relationships between the PE and CE to exchange VPN routing information. (The configuration details are not provided here.)
 Create a VPN instance on each ASBR-PE, bind the instance to the interface connected to the other ASBR-PE (viewed as a CE), and establish an EBGP peer relationship between the ASBR-PEs to exchange VPN routing information.

Inter-AS VPN Option A Configuration Example (2)
[Figure: same topology as in (1).]
1. Take ASBR-PE1 as an example to create a VPN instance and bind it to the interface connected to ASBR-PE2.
[ASBR-PE1] ip vpn-instance vpna
[ASBR-PE1-vpn-instance-vpna] ipv4-family
[ASBR-PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[ASBR-PE1-vpn-instance-vpna-af-ipv4] vpn-target 1:1 both
[ASBR-PE1-vpn-instance-vpna-af-ipv4] quit
[ASBR-PE1-vpn-instance-vpna] quit
[ASBR-PE1] interface gigabitethernet 2/0/0
[ASBR-PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpna
[ASBR-PE1-GigabitEthernet2/0/0] ip address 10.0.34.3 24
[ASBR-PE1-GigabitEthernet2/0/0] quit

2. Take ASBR-PE1 as an example to establish an EBGP peer relationship between ASBR-PE1 and ASBR-PE2.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] ipv4-family vpn-instance vpna
[ASBR-PE1-bgp-vpna] peer 10.0.34.4 as-number 200
[ASBR-PE1-bgp-vpna] import-route direct
[ASBR-PE1-bgp-vpna] quit
[ASBR-PE1-bgp] quit
ASBR-PE1 views ASBR-PE2 as a CE and establishes an EBGP peer relationship with ASBR-PE2 in the VPN instance address family view to transmit IPv4 routes.

3. Take ASBR-PE1 as an example to establish an MP-IBGP peer relationship between ASBR-PE1 and PE1.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 10.0.1.1 as-number 100
[ASBR-PE1-bgp] peer 10.0.1.1 connect-interface loopback 0
[ASBR-PE1-bgp] ipv4-family vpnv4
[ASBR-PE1-bgp-af-vpnv4] peer 10.0.1.1 enable
[ASBR-PE1-bgp-af-vpnv4] quit
[ASBR-PE1-bgp] quit
ASBR-PE1 establishes a VPNv4 peer relationship with PE1 to transmit VPNv4 routes.

Verifying the Configuration (1)
[Figure: same topology as in the configuration example; route advertisement steps 1 to 3 marked from PE1 through ASBR-PE1 to ASBR-PE2.]
1. Check CE1's routing information on PE1.
<PE1>display bgp vpnv4 all routing-table
Total number of routes from all PE: 1
Route Distinguisher: 100:1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 192.168.1.0 10.0.11.1 0 0 65000i
VPN-Instance vpna, Router ID 10.0.12.1:
Total Number of Routes: 1
Network NextHop MED LocPrf PrefVal Path/Ogn
*> 192.168.1.0 10.0.11.1 0 0 65000i
The next hop is CE1.

2. Check CE1's routing information on ASBR-PE1.
<ASBR-PE1>display bgp vpnv4 all routing-table 192.168.1.0
Total routes of Route Distinguisher(100:1): 1
BGP routing table entry information of 192.168.1.0/24:
Label information (Received/Applied): 1026/NULL
From: 10.0.1.1 (10.0.1.1)
Route Duration: 00h05m07s
Relay IP Nexthop: 10.0.23.2
Relay token: 0x1
Original nexthop: 10.0.1.1
Ext-Community:RT <1 : 1>
AS-path 65000, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255, IGP cost 2
The next hop is PE1.

3. Check CE1's routing information on ASBR-PE2.
<ASBR-PE2>display bgp vpnv4 all routing-table 192.168.1.0
Total routes of Route Distinguisher(100:4): 1
BGP routing table entry information of 192.168.1.0/24:
Label information (Received/Applied): NULL/1027
From: 10.0.34.3 (10.0.3.3)
Route Duration: 00h13m13s
Direct Out-interface: GigabitEthernet0/0/1
Original nexthop: 10.0.34.3
Ext-Community:RT <2 : 2>
The label of the received route is null, indicating that the route is an IPv4 route. The next hop is ASBR-PE1.

Verifying the Configuration (2)
[Figure: same topology as in the configuration example; route advertisement steps 1 to 5 marked from PE1 through ASBR-PE1, ASBR-PE2 and PE2 to CE2.]
4. Check CE1's routing information on PE2.
<PE2>display bgp vpnv4 all routing-table 192.168.1.0
Total routes of Route Distinguisher(100:4): 1
BGP routing table entry information of 192.168.1.0/24:
Label information (Received/Applied): 1027/NULL
From: 10.0.4.4 (10.0.4.4)
Relay IP Nexthop: 10.0.56.5
Relay IP Out-Interface: GigabitEthernet0/0/1
Relay Tunnel Out-Interface: GigabitEthernet0/0/1
Relay token: 0x1
Original nexthop: 10.0.4.4
Qos information : 0x0
Ext-Community:RT <2 : 2>
ASBR-PE2 allocates label 1027 to the route.

5. Check CE1's routing information on CE2.
<CE2>display bgp routing-table 192.168.1.0
BGP local router ID : 10.0.26.2
Local AS number : 65001
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 192.168.1.0/24:
From: 10.0.26.6 (10.0.6.6)
Direct Out-interface: GigabitEthernet0/0/0
Original nexthop: 10.0.26.6
AS-path 200 100 65000, origin igp, pref-val 0, valid, external, best, select,
The next hop is PE2.

Ping 192.168.1.1 from CE2.
<CE2>ping -a 192.168.2.1 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=250 time=100 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=250 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=250 time=50 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=250 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=250 time=60 ms

Contents

1. Background of Inter-AS VPN Solutions

2. Fundamentals and Configurations of Inter-AS VPN Option A

3. Fundamentals and Configurations of Inter-AS VPN Option B


◼ Fundamentals
▫ Basic Configurations

4. Fundamentals and Configurations of Inter-AS VPN Option C

Inter-AS VPN Option B Overview
⚫ Compared with Option A, Option B does not require VPN instances to be created on ASBR-PEs and does not require interfaces to be bound.
⚫ In Option B, two ASBRs use MP-EBGP to exchange VPNv4 routes received from the PEs in their respective ASs.
⚫ By default, a PE stores only the VPN routes that match the VPN targets of its local VPN instances. Therefore, ASBRs can be configured not to filter routes based on RTs.
⚫ On a large-scale network, RRs can be deployed to transmit user-side VPN routes.
[Figure: CE1 - PE1 - P1 - ASBR-PE1 in AS100; MP-EBGP VPNv4 route transmission between ASBR-PE1 and ASBR-PE2; ASBR-PE2 - P2 - PE2 - CE2 in AS200.]
If ASBRs are not directly connected to CEs, VPN instances do not need to be created.
To disable VPN target-based filtering for received VPN routes, run the undo policy vpn-target command.
Interfaces connecting two ASBRs must support MPLS forwarding.

Inter-AS VPN Option B Topology
⚫ A PE uses MP-IBGP to advertise a VPNv4 route to the ASBR-PE or VPN RR (with the ASBR-PE as the client) in the same AS. The ASBR-PE uses MP-EBGP to advertise the VPNv4 route to the peer ASBR-PE in another AS, and then the peer ASBR-PE advertises the VPNv4 route to the PE in the same AS.
[Figure: CE1 (Site1) - PE1 - P1 - ASBR-PE1 in AS100 (IP/MPLS, MP-IBGP); EBGP between ASBR-PE1 and ASBR-PE2; ASBR-PE2 - P2 - PE2 - CE2 (Site2) in AS200 (IP/MPLS, MP-IBGP).]

Inter-AS VPN Option B: Control Plane Without RRs
[Figure: CE1 (Net1, Site1) - PE1 - P1 - ASBR-PE1 in AS100 (MP-IBGP); EBGP between ASBR-PE1 and ASBR-PE2; ASBR-PE2 - P2 - PE2 - CE2 (Site2) in AS200 (MP-IBGP). Route information at each stage: IPv4 Net1, NH CE1 (step 1); VPNv4 RD1+Net1, NH PE1, VPN label V1 (step 2); VPNv4 RD1+Net1, NH ASBR-PE1, VPN label V2 (step 3); VPNv4 RD1+Net1, NH ASBR-PE2, VPN label V3 (step 4); IPv4 Net1, NH PE2 (step 7). Tunnel labels: FEC PE1, T1 on PE1 and T2 on P1 (step 5); FEC ASBR-PE2, T3 on ASBR-PE2 and T4 on P2 (step 6).]
1. CE1 advertises an IPv4 route to PE1.
2. PE1 converts the IPv4 route into a VPNv4 route, sets the next hop of the route to PE1, allocates the VPN label V1 to the route, and advertises the route to ASBR-PE1.
3. ASBR-PE1 changes the next hop of the route to itself, allocates a new VPN label V2 to the route, and uses MP-EBGP to advertise the route for the prefix Net1 to ASBR-PE2.
4. ASBR-PE2 sets the next hop of the route to itself, allocates the VPN label V3 to the route, and uses MP-IBGP to advertise the route for the prefix Net1 to PE2.
5. PE1 and P1 allocate tunnel labels T1 and T2 respectively to the routes destined for PE1.
6. ASBR-PE2 and P2 allocate tunnel labels T3 and T4 respectively to the routes destined for ASBR-PE2.
7. PE2 converts the VPNv4 route into an IPv4 route, sets the next hop to PE2, and advertises the route to CE2.

Inter-AS VPN Option B: Control Plane with RRs
⚫ When there are a large number of VPN instances, RRs can be deployed. As shown in the figure, the PEs and ASBRs in ASs establish
MP-BGP peer relationships only with RRs, and the RRs are responsible for reflecting routes. The PEs and ASBRs do not need to
establish BGP peer relationships with each other.

The RRs are responsible only for transmitting VPNv4 routes on the control plane. During data forwarding, traffic does not pass
through the RRs.

[Figure: RR1 in AS100 and RR2 in AS200 reflect routes without forwarding data. PE1, P1 and ASBR-PE1 in AS100; ASBR-PE2, P2 and PE2 in AS200; EBGP between the ASBR-PEs; MP-IBGP between the PEs, ASBR-PEs and their RRs; CE1 (Site1, Net1) and CE2 (Site2).]

• In the inter-AS VPN scenario, it is recommended that independent RRs be deployed to transmit routes only without forwarding traffic.
Inter-AS VPN Option B: Forwarding Plane
[Figure: CE1 (Net1, Site1) - PE1 - P1 - ASBR-PE1 in AS100 (IP/MPLS, MP-IBGP); EBGP between ASBR-PE1 and ASBR-PE2; ASBR-PE2 - P2 - PE2 - CE2 (Site2) in AS200 (IP/MPLS, MP-IBGP). Packet encapsulation at hops 1 to 7, from CE2 toward CE1: IP (Net1); MPLS (T4, V3, Net1); MPLS (T3, V3, Net1); MPLS (V2, Net1); MPLS (T2, V1, Net1); MPLS (T1, V1, Net1); IP (Net1).]
1. CE2 sends an IP packet destined for Net1 to PE2.
2. After PE2 receives the IP packet, it encapsulates the packet with a VPN label V3 and then an outer label T4 and forwards the packet to P2.
3. P2 swaps the outer label T4 with T3 and forwards the packet to ASBR-PE2.
4. ASBR-PE2 removes the outer label, swaps the VPN label V3 with V2, and forwards the packet to ASBR-PE1. In this case, the packet carries only one VPN label.
5. ASBR-PE1 swaps the VPN label V2 with V1, adds the outer label T2 to the packet, and forwards the packet to P1.
6. P1 swaps the outer label T2 with T1 and forwards the packet to PE1.
7. PE1 removes all labels from the packet and forwards the packet (a common IP packet) to CE1.

Inter-AS VPN Option B Characteristics
⚫ The advantage of Option B is that all traffic is forwarded by ASBRs. In this way, traffic is controllable,
but the loads on the ASBRs are heavy because the ASBRs need to save a large number of VPNv4
routes. BGP routing policies, such as VPN target-based filtering policies, can be configured on ASBRs so
that the ASBRs save only a subset of the VPNv4 routes.
⚫ The disadvantage is that VPN routing information is stored on and forwarded by ASBRs. If a large
number of VPN routes exist, the overloaded ASBRs tend to become faulty points. Therefore, in
scenarios where MP-EBGP is used, ASBRs that maintain VPN routing information generally do not
perform IP forwarding on the public network.
⚫ Option B is better than Option A when a large number of VRF instances need to communicate with
each other.

Contents

1. Background of Inter-AS VPN Solutions

2. Fundamentals and Configurations of Inter-AS VPN Option A

3. Fundamentals and Configurations of Inter-AS VPN Option B


▫ Fundamentals
◼ Basic Configurations

4. Fundamentals and Configurations of Inter-AS VPN Option C

Inter-AS VPN Option B Configuration Example (1)
[Figure: same topology as in the Option A example: CE1 (192.168.1.1/24), PE1, P1 and ASBR-PE1 in AS100; ASBR-PE2, P2, PE2 and CE2 (192.168.2.1/24) in AS200; the ASBRs are connected through GE2/0/0 on the 10.0.34.0/24 network.]
⚫ CE1 and CE2 belong to the same VPN named vpna. CE1 and CE2 need to communicate with each other using Option B.
⚫ Data plan (the RT values of PE1 and PE2 must match):
Device     Loopback0     RD     RT
PE1        10.0.1.1/32   100:1  1:1
ASBR-PE1   10.0.3.3/32   /      /
ASBR-PE2   10.0.4.4/32   /      /
PE2        10.0.6.6/32   200:6  1:1
⚫ Configuration roadmap:
 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to establish LDP LSPs in each AS. (The configuration details are not provided here.)
 Establish an MP-IBGP peer relationship between the PE and ASBR-PE in each AS to exchange VPN routing information. (The configuration details are not provided here.)
 Configure a VPN instance on the PE connected to the CE in each AS and establish EBGP peer relationships between the PE and CE to exchange VPN routing information. (The configuration details are not provided here.)
 Enable MPLS on the interfaces connecting the ASBRs, establish an MP-EBGP peer relationship between the ASBRs, and configure the ASBRs not to filter received VPNv4 routes based on RTs.

Inter-AS VPN Option B Configuration Example (2)
[Figure: same topology as in (1).]
1. Take ASBR-PE1 as an example to establish an MP-EBGP peer relationship between ASBR-PE1 and ASBR-PE2, configure ASBR-PE1 not to filter received VPNv4 routes based on the VPN target, and enable ASBR-PE1 to allocate labels based on the next hop.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 10.0.34.4 as-number 200
[ASBR-PE1-bgp] ipv4-family vpnv4
[ASBR-PE1-bgp-af-vpnv4] peer 10.0.34.4 enable
[ASBR-PE1-bgp-af-vpnv4] undo policy vpn-target
[ASBR-PE1-bgp-af-vpnv4] apply-label per-nexthop
[ASBR-PE1-bgp-af-vpnv4] quit
[ASBR-PE1-bgp] quit
By default, an ASBR allocates a label to each VPNv4 route to be advertised to its MP-BGP peers. After this command is run, ASBR-PE1 allocates a label to the routes with the same next hop and outgoing label.

2. Take ASBR-PE1 as an example to enable MPLS on the interfaces connecting ASs.
[ASBR-PE1] interface gigabitethernet 2/0/0
[ASBR-PE1-GigabitEthernet2/0/0] mpls
[ASBR-PE1-GigabitEthernet2/0/0] quit
To differentiate between VPN instances, ASBRs advertise VPNv4 routes to each other. Because the VPNv4 routes carry label information, the interfaces connecting ASBRs must support label forwarding.

3. Take ASBR-PE1 as an example to establish an MP-IBGP peer relationship between ASBR-PE1 and PE1.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 10.0.1.1 as-number 100
[ASBR-PE1-bgp] peer 10.0.1.1 connect-interface loopback 0
[ASBR-PE1-bgp] ipv4-family vpnv4
[ASBR-PE1-bgp-af-vpnv4] peer 10.0.1.1 enable
[ASBR-PE1-bgp-af-vpnv4] quit
[ASBR-PE1-bgp] quit

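As an added example (not Huawei code or part of the course), the following Python model shows what an Option B ASBR does with a VPNv4 route: with the default VPN-target policy and no local VPN instance it drops the route, with undo policy vpn-target it re-advertises the route with itself as next hop and a label of its own, and with apply-label per-nexthop it shares one label among routes that have the same next hop and label. The class names are assumptions; the route, RT and label values are constructed to match the verification output for PE1, ASBR-PE1 and ASBR-PE2.

```python
"""Model of VPNv4 route handling on an Option B ASBR.

Added example, not code from Huawei or this course. Route, label and RT
values are constructed to mirror the verification output on this page
(PE1 -> ASBR-PE1 -> ASBR-PE2); the class names are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str            # route distinguisher, e.g. "100:1"
    prefix: str        # e.g. "192.168.1.0/24"
    next_hop: str      # BGP next hop as carried in the update
    label: int         # VPN label carried with the route
    rts: frozenset     # route-target extended communities


class OptionBAsbr:
    """An ASBR with no VPN instances that re-advertises VPNv4 routes."""

    def __init__(self, name, address, first_label,
                 policy_vpn_target=True, apply_label_per_nexthop=False):
        self.name = name
        self.address = address                 # becomes the next hop on egress
        self.local_rts = frozenset()           # Option B: no VPN instance here
        self.policy_vpn_target = policy_vpn_target   # default RT filtering on
        self.apply_label_per_nexthop = apply_label_per_nexthop
        self._next_label = first_label
        self._shared = {}   # (upstream next hop, upstream label) -> local label
        # incoming label map: local label -> (upstream next hop, upstream label);
        # the forwarding plane uses it to swap the VPN label (steps 4 and 5)
        self.ilm = {}

    def _allocate(self, upstream):
        if self.apply_label_per_nexthop and upstream in self._shared:
            return self._shared[upstream]
        label = self._next_label
        self._next_label += 1
        self._shared[upstream] = label
        self.ilm[label] = upstream
        return label

    def receive(self, route):
        """Return the route as re-advertised, or None if the ASBR drops it.

        With the default policy the ASBR keeps only routes whose RTs match a
        local VPN instance; an Option B ASBR has none, so every route would be
        dropped. That is why 'undo policy vpn-target' is configured.
        """
        if self.policy_vpn_target and not (route.rts & self.local_rts):
            return None
        label = self._allocate((route.next_hop, route.label))
        # the ASBR sets the next hop to itself and attaches its own label
        return replace(route, next_hop=self.address, label=label)


# Constructed input: the route PE1 advertises for CE1's network, with the
# label 1026 and RT 1:1 seen in the display output on this page.
PE1_ROUTE = Vpnv4Route("100:1", "192.168.1.0/24", "10.0.1.1", 1026,
                       frozenset({"1:1"}))


def default_policy_drops():
    """ASBR-PE1 with the default RT policy keeps nothing."""
    asbr = OptionBAsbr("ASBR-PE1", "10.0.34.3", first_label=1026)
    return asbr.receive(PE1_ROUTE)


def option_b_path():
    """Carry PE1's route across both ASBRs; return advertisements and ILMs."""
    asbr_pe1 = OptionBAsbr("ASBR-PE1", "10.0.34.3", first_label=1026,
                           policy_vpn_target=False)
    asbr_pe2 = OptionBAsbr("ASBR-PE2", "10.0.4.4", first_label=1032,
                           policy_vpn_target=False)
    to_asbr_pe2 = asbr_pe1.receive(PE1_ROUTE)   # sent over MP-EBGP
    to_pe2 = asbr_pe2.receive(to_asbr_pe2)      # sent over MP-IBGP
    return to_asbr_pe2, to_pe2, asbr_pe1.ilm, asbr_pe2.ilm


def labels_used(per_nexthop):
    """Labels an ASBR uses for two routes sharing next hop and label."""
    asbr = OptionBAsbr("ASBR-PE1", "10.0.34.3", first_label=1026,
                       policy_vpn_target=False,
                       apply_label_per_nexthop=per_nexthop)
    second = replace(PE1_ROUTE, prefix="192.168.11.0/24")  # constructed
    asbr.receive(PE1_ROUTE)
    asbr.receive(second)
    return len(asbr.ilm)


if __name__ == "__main__":
    print("default policy:", default_policy_drops())
    adv1, adv2, ilm1, ilm2 = option_b_path()
    print("ASBR-PE1 advertises", adv1, "ILM", ilm1)
    print("ASBR-PE2 advertises", adv2, "ILM", ilm2)
    print("labels per-route / per-nexthop:", labels_used(False), labels_used(True))
```

The ILM of ASBR-PE2 maps its label 1032 back to label 1026 toward ASBR-PE1, which is exactly the swap it performs on the forwarding plane.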
Verifying the Configuration (1)
[Figure: same topology as in the configuration example.]
1. Check CE1's routing information on ASBR-PE1.
<ASBR-PE1>display bgp vpnv4 all routing-table 192.168.1.0
BGP local router ID : 10.0.3.3
Local AS number : 100
Total routes of Route Distinguisher(100:1): 1
BGP routing table entry information of 192.168.1.0/24:
Label information (Received/Applied): 1026/1026
From: 10.0.1.1 (10.0.1.1)
Route Duration: 00h07m32s
Relay IP Nexthop: 10.0.23.2
Relay IP Out-Interface: GigabitEthernet0/0/0
Relay Tunnel Out-Interface: GigabitEthernet0/0/0
Relay token: 0x2
Original nexthop: 10.0.1.1
Qos information : 0x0
Ext-Community:RT <1 : 1> # The export RT value must match the import RT value of PE2.
AS-path 65000, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255, IGP cost 2
Advertised to such 1 peers:
10.0.34.4

The process of transmitting intra-area routing information is not described here. This example describes only the key procedure of transmitting routing information.
PE1 allocates the label 1026 to the route. When routes are transmitted between ASs, ASBR-PE1 changes the next hop to itself. Therefore, ASBR-PE1 re-allocates the label 1026 when advertising routes to ASBR-PE2. MPLS labels are local to a device, so different devices can allocate the same label.

Verifying the Configuration (2)
[Figure: same topology as in the configuration example.]
2. Check CE1's routing information on ASBR-PE2.
<ASBR-PE2>display bgp vpnv4 all routing-table 192.168.1.0
BGP local router ID : 10.0.4.4
Local AS number : 200
Total routes of Route Distinguisher(100:1): 1
BGP routing table entry information of 192.168.1.0/24:
Label information (Received/Applied): 1026/1032
From: 10.0.34.3 (10.0.3.3)
Route Duration: 00h02m18s
Relay Tunnel Out-Interface: GigabitEthernet0/0/1
Relay token: 0x1
Original nexthop: 10.0.34.3
Qos information : 0x0
Ext-Community:RT <1 : 1>
AS-path 100 65000, origin igp, pref-val 0, valid, external, best, select, pre 255
Advertised to such 1 peers:
10.0.6.6

ASBR-PE1 allocates the label 1026 to the route. When advertising the route to PE2, ASBR-PE2 changes the next hop of the route to itself and re-allocates the label 1032 to the route.

Verifying the Configuration (3)
[Figure: same topology as in the configuration example.]
3. Ping 192.168.1.1 from CE2.
<CE2>ping -a 192.168.2.1 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=250 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=250 time=50 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=250 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=250 time=60 ms

Contents

1. Background of Inter-AS VPN Solutions

2. Fundamentals and Configurations of Inter-AS VPN Option A

3. Fundamentals and Configurations of Inter-AS VPN Option B

4. Fundamentals and Configurations of Inter-AS VPN Option C


◼ Fundamentals

▫ Basic Configurations

Inter-AS VPN Option C Overview
⚫ In Option C, ASBRs do not store VPNv4 routes or advertise VPNv4 routes to each other. This is different from the implementation in Option A and Option B.
⚫ In Option C, PEs in different ASs establish a multi-hop EBGP connection with each other to exchange VPNv4 routes. Two solutions are available to enable PEs to communicate with each other:
 Solution 1: An ASBR uses BGP to send the routes destined for a PE in another AS to the local PE.
 Solution 2: An ASBR imports the routes destined for a PE in another AS to an IGP.
⚫ ASBRs do not have VPNv4 routes. To prevent routing blackholes during packet forwarding, PEs need to transmit packets over tunnels so that non-PE devices are unaware of VPN encapsulation information. Therefore, both the solutions require ASBRs to advertise labeled routes to set up outer forwarding tunnels between ASs.
[Figure: CE1 - PE1 - P1 - ASBR1 in AS100; EBGP between ASBR1 and ASBR2, which advertise labeled routes to each other; ASBR2 - P2 - PE2 - CE2 in AS200; multi-hop MP-EBGP between PE1 and PE2. Solution 1: an ASBR uses BGP to advertise the routes destined for the peer PE. Solution 2: an ASBR imports the routes destined for the peer PE to an IGP.]


Inter-AS VPN Option C Topology (Solution 1)



ASBRs do not maintain or advertise VPNv4 routes. ASBRs only need to maintain labeled routes destined for PEs and use EBGP to
advertise these labeled routes to the peer ASBRs in other ASs. ASBRs in the transit AS also need to use EBGP to advertise labeled
IPv4 routes. In this way, a VPN LSP needs to be established between the ingress and egress PEs so that a multi-hop MP-EBGP
connection can be established between the PEs to advertise VPNv4 routes.

To further improve performance, a multi-hop MP-EBGP session can be established between VPN RRs in different ASs. When these
VPN RRs advertise VPNv4 routes, the next-hop information of these routes remains unchanged. PEs establish MP-IBGP sessions only
with VPN RRs.
[Figure: CE1 (Site1) - PE1 - P1 - ASBR1 in AS100; EBGP between ASBR1 and ASBR2; ASBR2 - P2 - PE2 - CE2 (Site2) in AS200. The IPv4 VPN runs end to end between the PEs over an LDP LSP within each AS and a BGP LSP between the PEs.]


• If the P device of each AS knows the routes to the PEs of other ASs, the data
forwarding process will be relatively simple. But if the P device does not know
these routes, then when a PE receives VPN data from a CE, the PE will add three
labels. The bottom label is the VPN label that is allocated by the peer PE and
associated with VPN routes, the middle label is the label allocated by an ASBR
and associated with the route to the peer PE, and the outer label is the label
associated with the route to the next-hop ASBR.

• Note: For convenience, as shown in the figure above, a symmetric LSP is used for
illustration, but in fact, in the working process of the control plane and the data
plane, the LSP of the ASs at both ends is asymmetric.

Inter-AS VPN Option C (Solution 1): Without RRs
[Figure: CE1 (Net1, Site1) - PE1 - P1 - ASBR1 in AS100 (IP/MPLS); EBGP between ASBR1 and ASBR2; ASBR2 - P2 - PE2 - CE2 (Site2) in AS200 (IP/MPLS). Route information at each stage: IPv4 Net1, NH CE1 (step 1); VPNv4 RD1+Net1, NH PE1, VPN label V1, advertised from PE1 to PE2 (step 2); BGP labeled IPv4 route, NLRI PE1, NH ASBR1, label B1 (step 3); BGP labeled IPv4 route, NLRI PE1, NH ASBR2, label B2 (step 4); IPv4 Net1, NH PE2 (step 7). Tunnel labels: FEC PE1, T1 on PE1 and T2 on P1 (step 5); FEC ASBR2, T3 on ASBR2 and T4 on P2 (step 6).]
1. CE1 advertises an IPv4 route to PE1.
2. PE1 converts the IPv4 route into a VPNv4 route, sets the next hop of the route to PE1, allocates the VPN label V1 to the route, and advertises the route to PE2.
3. ASBR1 advertises a labeled IPv4 route destined for PE1 to ASBR2 through an EBGP session. The next hop of the route is ASBR1, and the label is the BGP label B1.
4. ASBR2 advertises a labeled IPv4 route destined for PE1 to PE2 through a BGP session. The next hop of the route is ASBR2, and the label is the BGP label B2.
5. PE1 and P1 allocate tunnel labels T1 and T2 respectively to the routes destined for PE1.
6. ASBR2 and P2 allocate tunnel labels T3 and T4 respectively to the routes destined for ASBR2.
7. PE2 converts the VPNv4 route into an IPv4 route, sets the next hop to PE2, and advertises the route to CE2.


Inter-AS VPN Option C (Solution 1): With RRs
⚫ The local PE establishes a VPNv4 peer relationship only with the local RR, and the local RR establishes a VPNv4 peer relationship with the peer RR to transmit inter-AS VPN routes.
⚫ ASBRs and PEs establish BGP unicast IPv4 peer relationships with RRs.
 An ASBR learns the route destined for the peer RR's loopback interface from the peer ASBR and transmits the route to the local RR so that the local RR can establish a VPNv4 peer relationship with the peer RR.
 An ASBR learns the routes destined for the peer RR and PE's loopback interfaces from the peer ASBR and transmits the routes to the local RR, which then transmits the routes to the local PE. In this way, the local PE can establish a BGP LSP with the peer PE in another AS.
[Figure: RR1 in AS100 and RR2 in AS200 reflect routes without forwarding data. PE1, P1 and ASBR1 in AS100; ASBR2, P2 and PE2 in AS200; CE1 (Site1, Net1) and CE2 (Site2). Unicast BGP peer relationships between the ASBRs, PEs and RRs; MP-BGP between the RRs.]


Inter-AS VPN Option C (Solution 1): Forwarding Plane
[Figure: CE1 (Net1, Site1) - PE1 - P1 - ASBR1 in AS100 (IP/MPLS); ASBR2 - P2 - PE2 - CE2 (Site2) in AS200 (IP/MPLS); MP-EBGP between PE1 and PE2. Packet encapsulation at hops 1 to 7, from CE2 toward CE1: IP (Net1); MPLS (T4, B2, V1, Net1); MPLS (T3, B2, V1, Net1); MPLS (B1, V1, Net1); MPLS (T2, V1, Net1); MPLS (T1, V1, Net1); IP (Net1).]
1. CE2 sends an IP packet destined for Net1 to PE2.
2. After receiving the IP packet, PE2 encapsulates the packet with the following three labels in sequence: the VPN label V1, the BGP label B2 allocated by ASBR2, and the outer label T4.
3. P2 swaps the outer label T4 with T3 and forwards the packet to ASBR2.
4. ASBR2 removes the outer label, swaps the BGP label B2 with B1, and forwards the packet to ASBR1.
5. After receiving the packet, ASBR1 removes the BGP label B1 and checks its forwarding table. It finds the label T2 associated with the route destined for PE1, adds T2 to the top of the label stack, and forwards the packet to P1.
6. P1 swaps the outer label T2 with T1 and forwards the packet to PE1.
7. PE1 removes all labels from the packet and forwards the packet to CE1.


Inter-AS VPN Option C (Solution 1) FAQ (1)
⚫ Why does ASBR2 allocate labels to the routes destined for PE1? (P2 is not considered at present.)
[Figure: ASBR1 - ASBR2 - P2 - PE2 - CE2; an MPLS packet for Net1 carrying only the VPN label V1 arrives at ASBR2.]
 ASBR2 is unaware of VPN routes. Therefore, when a packet carrying only the VPN label (allocated by PE1) arrives at ASBR2, ASBR2 cannot identify the packet and discards it.
⚫ Why does ASBR1 allocate labels to the routes destined for PE1?
[Figure: ASBR1 - ASBR2 - P2 - PE2 - CE2; the packet for Net1 carries the VPN label V1 and the BGP label B2 in AS200 and only V1 when it arrives at ASBR1.]
 ASBR1 is unaware of VPN routes. Therefore, when a packet carrying only the VPN label (allocated by PE1) arrives at ASBR1, ASBR1 cannot identify the packet and discards it.


Inter-AS VPN Option C (Solution 1) FAQ (2)
⚫ Why does P2 allocate labels to ASBR2?
[Figure: ASBR1 - ASBR2 - P2 - PE2 - CE2; an MPLS packet for Net1 carrying the VPN label V1 and the BGP label B2 arrives at P2.]
 P2 does not identify the routing information of PE1. Therefore, when a VPN packet carrying the outer BGP label (allocated by ASBR2) arrives at P2, P2 cannot identify the outer label B2 and discards the packet.
⚫ Let's review the basic characteristics of VPN.
 Private: It provides the same private network as a traditional private network. Resources between the VPN and the underlying bearer network are independent, that is, resources in a VPN are not used by users who do not belong to the VPN or non-VPN users. In addition, VPN security can be fully guaranteed to protect internal information of the VPN against external interference.
 Virtual: VPN users communicate over a public network, which is also used by other non-VPN users. That is, a VPN user obtains a logical private network. A public network that carries a VPN is called a VPN backbone network.
⚫ To achieve the two characteristics, only PEs are aware of VPN routing information. To prevent packet loss caused by routing blackholes during data forwarding, VPN data needs to be carried over various types of tunnels.
⚫ Common tunneling technologies include MPLS, GRE, and Segment Routing over IPv6 (SRv6).


Inter-AS VPN Option C (Solution 2)


⚫ Solution 2 is similar to solution 1.
⚫ Three labels (VPN label, BGP LSP label, and tunnel LSP label) are used in solution 1, whereas only two
labels (VPN label and tunnel label) are used in solution 2.
⚫ In solution 1, a policy needs to be configured on the local ASBR to generate a new label. After the local
ASBR receives a labeled BGP route from the peer ASBR, the local ASBR allocates a new label to the
BGP route and advertises the route to the PE or RR in the same AS so that a complete BGP LSP can be
established. In solution 2, MPLS needs to be configured on an ASBR to allocate labels to labeled BGP
routes. On the PE in the same AS as the ASBR, you can view the LDP LSP to the peer PE instead of a
BGP LSP.
⚫ RRs can be deployed in both solution 1 and solution 2.


Inter-AS VPN Option C (Solution 2) Topology



Solution 2: ASBRs do not maintain or advertise VPNv4 routes. ASBRs only need to maintain labeled routes destined for PEs and use
EBGP to advertise these labeled routes to the peer ASBRs. After the peer ASBR receives a labeled BGP route, LDP triggers the
generation of a label for the route and transmits the label between LDP peers in the same AS. Therefore, on a PE, you can view the
LDP LSP to the peer PE.

To further improve performance, a multi-hop MP-EBGP session can be established between VPN RRs in different ASs. A PE in an AS
only needs to establish an MP-IBGP peer relationship with an RR in the AS. When advertising VPNv4 routes, the VPN RRs do not
change the next-hop information. In this manner, when the peer PE forwards traffic, the traffic can be recursed to the correct tunnel.
[Figure: CE1 (Site1) - PE1 - P1 - ASBR1 in AS100; EBGP between ASBR1 and ASBR2; ASBR2 - P2 - PE2 - CE2 (Site2) in AS200. The IPv4 VPN runs end to end between the PEs over LDP LSPs, with a BGP LSP only between the ASBRs.]


Inter-AS VPN Option C (Solution 2): Without RRs
[Figure: CE1 (Net1, Site1) - PE1 - P1 - ASBR1 in AS100 (IP/MPLS); ASBR2 - P2 - PE2 - CE2 (Site2) in AS200 (IP/MPLS). Route information at each stage: IPv4 Net1, NH CE1 (step 1); VPNv4 RD1+Net1, NH PE1, VPN label V1, advertised from PE1 to PE2 (step 2); tunnel labels for FEC PE1, T1 on PE1 and T2 on P1 (step 3); BGP labeled IPv4 route, NLRI PE1, NH ASBR1, label B1 (step 4); tunnel labels for FEC PE1, T3 on ASBR2 and T4 on P2 (step 5); IPv4 Net1, NH PE2 (step 6).]
1. CE1 advertises an IPv4 route to PE1.
2. PE1 converts the IPv4 route into a VPNv4 route, sets the next hop of the route to PE1, allocates the VPN label V1 to the route, and advertises the route to PE2.
3. PE1 and P1 allocate tunnel labels T1 and T2 respectively to the routes destined for PE1.
4. ASBR1 advertises the labeled IPv4 route destined for PE1 to ASBR2 through an EBGP session. The next hop of the route is ASBR1, and the label is the BGP label B1.
5. ASBR2 and P2 allocate tunnel labels T3 and T4 respectively to the routes destined for PE1.
6. PE2 converts the VPNv4 route into an IPv4 route, sets the next hop to PE2, and advertises the route to CE2.


Inter-AS VPN Option C (Solution 2): Control Plane with RRs


⚫ The local PE establishes a VPNv4 peer relationship only with the local RR, and the local RR establishes a VPNv4 peer
relationship with the peer RR to transmit inter-AS VPN routes.
⚫ The RRs are responsible only for transmitting VPNv4 routes on the control plane. Traffic on the forwarding plane
does not pass through the RRs.

[Figure: RR1 in AS100 and RR2 in AS200 reflect routes without forwarding data. PE1, P1 and ASBR1 in AS100; ASBR2, P2 and PE2 in AS200; CE1 (Site1, Net1) and CE2 (Site2). Unicast BGP peer relationships between the ASBRs, PEs and RRs; MP-BGP peer relationship between the RRs.]


Inter-AS VPN Option C (Solution 2) Forwarding Plane

1. CE2 sends an IP packet destined for Net1 to PE2.
2. After receiving the IP packet, PE2 encapsulates the packet with the VPN label V1. Because the next hop (PE1) of the packet destined for Net1 is not a directly connected neighbor, PE2 finds that the label of the packet destined for PE1 is T4 and encapsulates the packet with the label T4.
3. P2 swaps the outer label T4 with T3 and forwards the packet to ASBR2.
4. ASBR2 removes the outer label, swaps the label T3 with B1, and forwards the packet to ASBR1.
5. After receiving the packet, ASBR1 removes the label B1 and checks its forwarding table. It finds the label T2 associated with the route destined for PE1, adds T2 to the top of the label stack, and forwards the packet to P1.
6. P1 swaps the outer label T2 with T1 and forwards the packet to PE1.
7. PE1 removes all labels from the packet and forwards the packet to CE1.

[Figure: AS100 (Site1, CE1/Net1, PE1, P1, ASBR1) and AS200 (ASBR2, P2, PE2, CE2/Site2), IP/MPLS in each AS. Label stack of the packet at each step:
  step 1 (CE2 to PE2):     IP packet to Net1
  step 2 (PE2 to P2):      T4 | V1 | Net1
  step 3 (P2 to ASBR2):    T3 | V1 | Net1
  step 4 (ASBR2 to ASBR1): B1 | V1 | Net1
  step 5 (ASBR1 to P1):    T2 | V1 | Net1
  step 6 (P1 to PE1):      T1 | V1 | Net1
  step 7 (PE1 to CE1):     IP packet to Net1]
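The seven forwarding steps above can be checked mechanically. The following Python script is an added example, not code from the training material: it walks the packet through per-node label tables constructed to match the steps, using the slide's label names (V1, T1 to T4, B1). Treating "remove the outer label and add the next one" at the ASBRs as a swap of the top label is an assumption made here for simplicity; the check at the end confirms that the VPN label V1 is never touched by a transit node, which is what lets Ps and ASBRs stay unaware of VPN routes.

```python
"""Walk a packet hop by hop through the Option C (Solution 2) label stack.

Added example; not code from the training material. Node names and labels
(V1, T1-T4, B1) come from the slide. The per-node label tables and the
treatment of "remove the outer label, add the next one" as a swap of the top
label are constructed assumptions made to reproduce the seven steps.
"""

# Label forwarding tables keyed by the top label of the incoming packet.
# Entry: (operation, new_label_or_None, next_node). Constructed for this example.
LFIB = {
    "P2":    {"T4": ("swap", "T3", "ASBR2")},   # step 3
    "ASBR2": {"T3": ("swap", "B1", "ASBR1")},   # step 4: T3 replaced by the BGP label B1
    "ASBR1": {"B1": ("swap", "T2", "P1")},      # step 5: B1 removed, T2 for PE1 pushed
    "P1":    {"T2": ("swap", "T1", "PE1")},     # step 6
    "PE1":   {"T1": ("pop_all", None, "CE1")},  # step 7: egress PE strips all labels
}

# Step 2: ingress PE2 pushes the VPN label V1 (bottom) and the transport label T4 (top).
INGRESS = {"PE2": (["V1", "T4"], "P2")}


def walk(ingress, lfib=LFIB):
    """Return [(node, label stack after that node)] from the ingress PE to the CE.

    The stack is a list with the top label last. A transit node with no entry
    for the incoming top label raises LookupError, which is how a withdrawn or
    misallocated label shows up on the data plane.
    """
    labels, node = INGRESS[ingress]
    stack = list(labels)
    trace = [(ingress, list(stack))]
    while True:
        table = lfib[node]
        top = stack[-1]
        if top not in table:
            raise LookupError(f"{node}: no entry for incoming label {top}")
        op, new_label, nxt = table[top]
        if op == "swap":
            stack[-1] = new_label
        elif op == "pop_all":
            stack = []
        else:
            raise ValueError(f"unknown operation {op}")
        trace.append((node, list(stack)))
        if not stack:                 # no labels left: deliver as a plain IP packet
            trace.append((nxt, []))
            return trace
        node = nxt


def vpn_label_untouched(trace, vpn_label="V1"):
    """True if every labelled hop carries exactly one transport label over the VPN label."""
    return all(stack == [vpn_label, stack[-1]] for _, stack in trace if stack)


if __name__ == "__main__":
    for node, stack in walk("PE2"):
        print(f"{node:6s} {' | '.join(reversed(stack)) or 'IP'} | Net1")
```

Running the script prints one line per node with the stack as it leaves that node; the same structure works for Solution 1 by replacing the tables with the labels from that slide.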
Inter-AS VPN Option C Characteristics
⚫ VPN routes are directly exchanged between the ingress and egress PEs. The routes do not need to be
stored or forwarded by intermediate devices.
⚫ Only PEs maintain VPN routing information, and Ps and ASBRs are only responsible for packet
forwarding. This means that the intermediate devices only need to support MPLS forwarding instead of
MPLS VPN services. ASBRs are no longer bottlenecks. Option C, therefore, is suitable for VPNs spanning
multiple ASs.
⚫ MPLS VPN load balancing is easy to implement using Option C.
⚫ The disadvantage of Option C is that it costs too much to manage an end-to-end connection between
PEs.

Comparison of Three Inter-AS VPN Solutions

Option A
• Easy configuration: MPLS is not required between ASBRs, and no special configuration is required for inter-AS connections.
• Poor scalability: ASBRs need to manage all VPN routes, and a VPN instance needs to be configured for each VPN. This results in numerous VPNv4 routes on the ASBRs. In addition, because common IP forwarding is implemented between ASBRs, each inter-AS VPN requires a different interface, which can be a sub-interface, physical interface, or bundled logical interface. This poses high requirements for ASBRs. If a VPN spans multiple ASs, the intermediate ASs must support VPN services. This requires complex configurations and greatly affects the intermediate ASs. If only a few inter-AS VPN instances are used, Option A is recommended.

Option B
• Unlike Option A, Option B is not restricted by the number of links between ASBRs.
• If a large number of VPN routes exist, the overloaded ASBRs tend to become points of failure. Therefore, in scenarios where MP-EBGP is used, ASBRs that maintain VPN routing information generally do not perform IP forwarding on the public network.

Option C
• VPN routes are directly exchanged between the ingress and egress PEs. The routes do not need to be stored or forwarded by intermediate devices.
• Only PEs maintain VPN routing information, and Ps and ASBRs are only responsible for packet forwarding. This means that the intermediate devices only need to support MPLS forwarding instead of MPLS VPN services. ASBRs are no longer bottlenecks. Option C, therefore, is suitable for VPNs spanning multiple ASs.
• MPLS VPN load balancing is easy to implement using Option C.
• The disadvantage of Option C is that it costs too much to manage an end-to-end BGP LSP between PEs.
Contents

1. Background of Inter-AS VPN Solutions

2. Fundamentals and Configurations of Inter-AS VPN Option A

3. Fundamentals and Configurations of Inter-AS VPN Option B

4. Fundamentals and Configurations of Inter-AS VPN Option C


▫ Fundamentals
◼ Basic Configurations


Option C (Solution 1) Configuration Example (1)

[Figure: AS100 (CE1 192.168.1.1/24 - PE1 - P1 - ASBR-PE1) and AS200 (ASBR-PE2 - P2 - PE2 - CE2 192.168.2.1/24); ASBR-PE1 GE2/0/0 connects to ASBR-PE2 over 10.0.34.0/24.]

CE1 and CE2 belong to the same VPN named vpna. CE1 and CE2 need to communicate with each other using Option C (solution 1).

Data plan (the RT values of PE1 and PE2 must match):

Device     Loopback0     RD     RT
PE1        10.0.1.1/32   100:1  1:1
ASBR-PE1   10.0.3.3/32   /      /
ASBR-PE2   10.0.4.4/32   /      /
PE2        10.0.6.6/32   200:6  1:1

Configuration roadmap
 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to establish LDP LSPs in each AS. (The configuration details are not provided here.)
 Configure a VPN instance on the PE connected to the CE in each AS and establish EBGP peer relationships between the PE and CE to exchange VPN routing information. (The configuration details are not provided here.)
 Establish an MP-IBGP peer relationship between the PE and ASBR-PE in each AS to exchange labeled IPv4 routes.
 Enable each ASBR-PE to exchange labeled IPv4 routes with the peer ASBR-PE.
 Configure route-policies on each ASBR-PE, so that it can allocate MPLS labels to the routes to be advertised to the peer ASBR and allocate new MPLS labels to the labeled IPv4 routes to be advertised to the PE in the same AS.
 Establish an MP-EBGP peer relationship between PEs in different ASs and set the maximum number of hops between the PEs.

Option C (Solution 1) Configuration Example (2)

[Figure: same topology as in Configuration Example (1).]

In this example, the configuration of ASBR-PE1 is provided for your reference.

1. On ASBR-PE1, create route-policies.
[ASBR-PE1] route-policy policy1 permit node 1
[ASBR-PE1-route-policy] apply mpls-label
[ASBR-PE1-route-policy] quit
[ASBR-PE1] route-policy policy2 permit node 1
[ASBR-PE1-route-policy] if-match mpls-label
[ASBR-PE1-route-policy] apply mpls-label
[ASBR-PE1-route-policy] quit
The route-policy policy1 is used to advertise labeled routes to ASBR-PE2. The route-policy policy2 is used to allocate BGP labels to the labeled routes received from ASBR-PE2.

2. On ASBR-PE1, enable MPLS on the interface connected to ASBR-PE2.
[ASBR-PE1] interface gigabitethernet 2/0/0
[ASBR-PE1-GigabitEthernet2/0/0] mpls # Interfaces between ASBRs support MPLS.
[ASBR-PE1-GigabitEthernet2/0/0] quit

3. On ASBR-PE1, apply the route-policy policy1 to the routes advertised to ASBR-PE2 and enable the capability to exchange labeled IPv4 routes with ASBR-PE2.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 10.0.34.4 route-policy policy1 export
[ASBR-PE1-bgp] peer 10.0.34.4 label-route-capability
[ASBR-PE1-bgp] quit

4. On ASBR-PE1, apply the route-policy policy2 to the routes advertised to PE1 and enable the capability to exchange labeled IPv4 routes with PE1.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 10.0.1.1 route-policy policy2 export
[ASBR-PE1-bgp] peer 10.0.1.1 label-route-capability
[ASBR-PE1-bgp] quit

Option C (Solution 1) Configuration Example (3)

[Figure: same topology as in Configuration Example (1).]

5. Configure ASBR-PE1 to advertise the route destined for PE1's loopback interface to ASBR-PE2, which then advertises the route to PE2.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] network 10.0.1.1 32
[ASBR-PE1-bgp] quit

6. Configure PE1 to establish an MP-EBGP peer relationship with PE2.
[PE1] bgp 100
[PE1-bgp] peer 10.0.6.6 as-number 200
[PE1-bgp] peer 10.0.6.6 connect-interface LoopBack 1
[PE1-bgp] peer 10.0.6.6 ebgp-max-hop 10
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 10.0.6.6 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

If there is no directly connected physical link between EBGP peers, the peer ebgp-max-hop command must be run to configure the EBGP peers to establish TCP connections across multiple hops.

Verifying the Configuration (1)

[Figure: same topology; step 1: PE1 directly sends the VPNv4 route to PE2.]

1. Check CE1's routing information on PE2.
<PE2>display bgp vpnv4 all routing-table 192.168.1.0
BGP local router ID : 10.0.6.6
Local AS number : 200
Total routes of Route Distinguisher(100:1): 1
BGP routing table entry information of 192.168.1.0/24:
Label information (Received/Applied): 1029/NULL
From: 10.0.1.1 (10.0.1.1)
Route Duration: 00h00m14s
Relay IP Nexthop: 10.0.56.5
Relay IP Out-Interface: GigabitEthernet0/0/1
Relay Tunnel Out-Interface: GigabitEthernet0/0/1
Relay token: 0x9
Original nexthop: 10.0.1.1
Qos information : 0x0
Ext-Community:RT <1 : 1>
AS-path 100 65000, origin igp, pref-val 0, valid, external, best, select, pre 255, IGP cost 2

PE1 allocates the label 1029 to the route.

Verifying the Configuration (2)

[Figure: same topology; step 2 marked at ASBR-PE2.]

2. Check information about routes destined for 10.0.1.1 on PE2.
<PE2>display bgp routing-table 10.0.1.1
BGP local router ID : 10.0.6.6
Local AS number : 200
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 10.0.1.1/32:
Label information (Received/Applied): 1032/NULL
From: 10.0.4.4 (10.0.4.4)
Route Duration: 00h07m52s
Relay IP Nexthop: 10.0.56.5
Relay IP Out-Interface: GigabitEthernet0/0/1
Relay Tunnel Out-Interface: GigabitEthernet0/0/1
Relay token: 0x1
Original nexthop: 10.0.4.4
Qos information : 0x0
AS-path 100, origin igp, MED 2, localpref 100, pref-val 0, valid, internal, best, select, active, pre 255, IGP cost 2
Not advertised to any peer yet

ASBR-PE2 allocates the BGP label 1032 to the route destined for 10.0.1.1. The next hop of the route to 10.0.1.1 is 10.0.4.4, so PE2 performs another recursive lookup, this time for 10.0.4.4.

Verifying the Configuration (3)

[Figure: same topology; steps 1, 2, and 3 marked at PE1, ASBR-PE2, and P2.]

3. Check information about routes destined for 10.0.4.4 on PE2.
<PE2>display fib 10.0.4.4
Route Entry Count: 1
Destination/Mask Nexthop Interface TunnelID
10.0.4.4/32 10.0.56.5 GE0/0/1 0x1
<PE2>display tunnel-info tunnel-id 1
Tunnel ID: 0x1
Tunnel Token: 1
Type: lsp
Destination: 10.0.4.4
Out Interface: GigabitEthernet0/0/1
Out Label: 1024
Next Hop: 10.0.56.5
Lsp Index: 6144
Packets are transmitted to 10.0.4.4 over tunnel 1.

<PE2>display mpls lsp out-label 1024 verbose
No : 1
Fec : 10.0.4.4/32
Nexthop : 10.0.56.5
In-Label : NULL
Out-Label : 1024
In-Interface : ----------
Out-Interface : GigabitEthernet0/0/1
LspIndex : 6144
Token : 0x1
LsrType : Ingress
Label Operation : PUSH
The label 1024 needs to be added to the packets reaching 10.0.4.4.

Based on steps 1, 2, and 3, the packets sent by PE2 should carry the following labels:

Label Value   Label Type   FEC              Allocation Device
1029          VPN label    192.168.1.0/24   PE1
1032          BGP label    10.0.1.1/32      ASBR-PE2
1024          LDP label    10.0.4.4/32      P2

Note: Other devices are not described here.

Verifying the Configuration (4)

[Figure: same topology as in Configuration Example (1).]

4. Ping 192.168.1.1 from CE2.
<CE2>ping -a 192.168.2.1 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=250 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=250 time=50 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=250 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=250 time=60 ms

Summary of Key Configurations for Inter-AS VPN Option C (Solution 1)

[Figure: same topology as in Configuration Example (1).]

Device: PE1, PE2
• Enable PEs to exchange labeled IPv4 routes with the ASBR-PEs in the same AS.
• Enable PEs to establish multi-hop MP-EBGP peer relationships with the PEs in other ASs.

Device: ASBR-PE1, ASBR-PE2
• Enable ASBR-PEs to exchange labeled IPv4 routes with ASBR-PEs in other ASs.
• Enable ASBR-PEs to exchange labeled IPv4 routes with the PEs in the same AS.
• Enable MPLS on the interfaces connecting ASBRs.

Option C (Solution 2) Configuration Example (1)

[Figure: AS100 (CE1 192.168.1.1/24 - PE1 - P1 - ASBR-PE1, with RR1) and AS200 (ASBR-PE2 - P2 - PE2 - CE2 192.168.2.1/24, with RR2); ASBR-PE1 GE2/0/0 connects to ASBR-PE2 over 10.0.34.0/24; RR1 and RR2 establish an MP-EBGP peer relationship.]

CE1 and CE2 belong to the same VPN named vpna. CE1 and CE2 need to communicate with each other using Option C (solution 1). RR1 and RR2 reflect routes but do not forward traffic.

Device     Loopback0     RD     RT
PE1        10.0.1.1/32   100:1  1:1
ASBR-PE1   10.0.3.3/32   /      /
ASBR-PE2   10.0.4.4/32   /      /
PE2        10.0.6.6/32   200:6  1:1

Device     Loopback0
RR1        10.0.7.7/32
RR2        10.0.8.8/32

⚫ Configuration roadmap
 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to establish LDP LSPs in each AS. (The configuration details are not provided here.)
 Configure a VPN instance on the PE connected to the CE in each AS and establish EBGP peer relationships between the PE and CE to exchange VPN routing information.
 Advertise the routes of a PE in an AS to the peer PE: Configure the local ASBR-PE to advertise the routes of a PE in the local AS to the peer ASBR-PE using BGP, and import BGP routes into an IGP on the peer ASBR-PE so that the peer PE can use an IGP to learn the routes of the PE in the same AS.
 Enable ASBR-PE1 and ASBR-PE2 to exchange labeled IPv4 routes.
 Configure ASBR-PEs to establish LDP LSPs for labeled BGP routes of the public network.
 Establish an MP-EBGP peer relationship between RRs in different ASs and set the maximum number of hops between the RRs.

Option C (Solution 2) Configuration Example (2)

[Figure: same topology as in Configuration Example (1).]

1. On RR1, configure RR1 to establish VPNv4 peer relationships with RR2 and PE1, and configure RR1 not to change the next hops of routes.
[RR1] bgp 100
[RR1-bgp] peer 10.0.8.8 as-number 200
[RR1-bgp] peer 10.0.8.8 connect-interface LoopBack 1
[RR1-bgp] peer 10.0.8.8 EBGP-max-hop 100
[RR1-bgp] peer 10.0.1.1 as-number 100
[RR1-bgp] peer 10.0.1.1 connect-interface LoopBack 1
[RR1-bgp] ipv4-family vpnv4
[RR1-bgp-af-vpnv4] undo policy vpn-target
[RR1-bgp-af-vpnv4] peer 10.0.8.8 enable
[RR1-bgp-af-vpnv4] peer 10.0.8.8 next-hop-invariable
[RR1-bgp-af-vpnv4] peer 10.0.1.1 enable
[RR1-bgp-af-vpnv4] peer 10.0.1.1 next-hop-invariable
[RR1-bgp-af-vpnv4] quit
[RR1-bgp] quit
Configure RR1 not to change the next hops of routes so that traffic does not pass through RR1. That is, RR1 only reflects routes without forwarding traffic.

2. On ASBR-PE1, create a route-policy.
[ASBR-PE1] route-policy policy1 permit node 1
[ASBR-PE1-route-policy] apply mpls-label
[ASBR-PE1-route-policy] quit

3. On ASBR-PE1, apply the route-policy to the routes advertised to ASBR-PE2 and enable the capability to exchange labeled IPv4 routes with ASBR-PE2.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] peer 10.0.34.4 route-policy policy1 export
[ASBR-PE1-bgp] peer 10.0.34.4 label-route-capability
[ASBR-PE1-bgp] quit

4. On ASBR-PE1, advertise the routes destined for the loopback interfaces of PE1 and RR1 to ASBR-PE2.
[ASBR-PE1] bgp 100
[ASBR-PE1-bgp] network 10.0.1.1 32 # Required for data forwarding
[ASBR-PE1-bgp] network 10.0.7.7 32 # Enables RR2 to learn the route to RR1 and establish a VPNv4 neighbor relationship
[ASBR-PE1-bgp] quit

Option C (Solution 2) Configuration Example (3)

[Figure: same topology as in Configuration Example (1).]

5. On ASBR-PE1, import BGP routes into an IGP.
[ASBR-PE1] ospf 1
[ASBR-PE1-ospf-1] import-route bgp
[ASBR-PE1-ospf-1] quit

6. On ASBR-PE1, establish LDP LSPs for labeled BGP routes of the public network.
[ASBR-PE1] mpls
[ASBR-PE1-mpls] lsp-trigger bgp-label-route
[ASBR-PE1-mpls] quit

Verifying the Configuration (1)

[Figure: same topology as in Configuration Example (1).]

1. Check CE1's routing information on PE2.
<PE2>display ip routing-table vpn-instance vpna 192.168.1.0 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1
Destination: 192.168.1.0/24
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 10.0.1.1 Neighbour: 10.0.8.8
State: Active Adv Relied Age: 00h00m05s
Tag: 0 Priority: low
Label: 1028 QoSInfo: 0x0
IndirectID: 0x12
RelayNextHop: 10.0.56.5 Interface: GigabitEthernet0/0/1
TunnelID: 0xe Flags: RD

The route is learned from RR2 and its next hop is 10.0.1.1.

Verifying the Configuration (2)

[Figure: same topology as in Configuration Example (1).]

2. Check information about routes destined for 10.0.1.1 (PE1) on PE2.
<PE2>display fib 10.0.1.1
Route Entry Count: 1
Destination/Mask Nexthop Interface TunnelID
10.0.1.1/32 10.0.56.5 GE0/0/1 0xe
<PE2>display tunnel-info tunnel-id e
Tunnel ID: 0xe
Tunnel Token: 14
Type: lsp
Destination: 10.0.1.1
Out Interface: GigabitEthernet0/0/1
Out Label: 1028
Next Hop: 10.0.56.5
Lsp Index: 6151
<PE2>display mpls lsp out-label 1028 verbose
No : 1
Fec : 10.0.1.1/32
Nexthop : 10.0.56.5
In-Label : NULL
Out-Label : 1028
LspIndex : 6151
Token : 0xe
LsrType : Ingress
Label Operation : PUSH

Based on steps 1 and 2, the packets sent by PE2 should carry the following labels:

Label Value   Label Type   FEC              Allocation Device
1028          VPN label    192.168.1.0/24   PE1
1028          LDP label    10.0.1.1/32      P2

Verifying the Configuration (3)

[Figure: same topology as in Configuration Example (1).]

3. Check information about routes destined for 10.0.1.1 (PE1) on ASBR-PE2.
<ASBR-PE2>display bgp routing-table 10.0.1.1 32
BGP local router ID : 10.0.4.4
Local AS number : 200
Paths: 1 available, 1 best, 1 select
BGP routing table entry information of 10.0.1.1/32:
Label information (Received/Applied): 1025/NULL
From: 10.0.34.3 (10.0.3.3)
Route Duration: 01h30m31s
Direct Out-interface: GigabitEthernet0/0/1
Relay Tunnel Out-Interface: GigabitEthernet0/0/1
Relay token: 0x1
Original nexthop: 10.0.34.3
Qos information : 0x0
AS-path 100, origin igp, MED 2, pref-val 0, valid, external, best, select, active, pre 255
The received label 1025 is the label allocated by ASBR-PE1 to the route destined for 10.0.1.1.

Based on steps 1 and 3, the packets sent by ASBR-PE2 should carry the following labels:

Label Value   Label Type   FEC              Allocation Device
1028          VPN label    192.168.1.0/24   PE1
1025          BGP label    10.0.1.1/32      ASBR-PE2
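Steps 1 to 3 of the Solution 1 verification and steps 1 and 2 of the Solution 2 verification are the same recursive resolution PE2 performs for every VPN prefix: the VPNv4 route, then the labeled BGP route to the remote PE, then the LDP LSP to that route's next hop. The Python below is an added example that reproduces the resolution with the prefixes and label values from the slides; it is not the device's algorithm or output, and the dictionary layout of the three tables is constructed here. It also reports the failure a practitioner should look for when a ping fails after an Option C change: a VPN next hop that matches neither an LDP LSP nor a labeled BGP route leaves the route without a tunnel.

```python
"""Recursive label-stack resolution on the ingress PE for inter-AS VPN Option C.

Added example; not the device's algorithm or output. Prefixes, next hops and
label values are those shown on the verification slides; the dictionary layout
of the three tables is constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Labelled:
    nexthop: str      # BGP next hop of the route, or the LSP's next hop
    label: int        # label received for this FEC
    allocator: str    # device that allocated the label, as read from the slides


def resolve(prefix, vpn_routes, bgp_labelled, ldp_lsps, max_depth=8):
    """Return the label stack, bottom first, as (type, label, FEC, allocator) tuples.

    Resolution follows the slides: VPN route -> (labeled BGP route to its next
    hop)* -> LDP LSP. A next hop that matches neither table leaves the VPN route
    without a tunnel, which is reported instead of guessing a shorter stack.
    """
    vpn = vpn_routes[prefix]
    stack = [("VPN label", vpn.label, prefix, vpn.allocator)]
    nh = vpn.nexthop
    for _ in range(max_depth):
        if nh in ldp_lsps:                       # LDP LSP reaches the next hop: done
            lsp = ldp_lsps[nh]
            stack.append(("LDP label", lsp.label, nh + "/32", lsp.allocator))
            return stack
        if nh in bgp_labelled:                   # labeled BGP route: push and recurse
            route = bgp_labelled[nh]
            stack.append(("BGP label", route.label, nh + "/32", route.allocator))
            nh = route.nexthop
            continue
        raise ValueError(f"{prefix}: next hop {nh} has no LDP LSP or labeled BGP route")
    raise ValueError(f"{prefix}: recursion deeper than {max_depth} levels")


# Solution 1, PE2's view (Verifying the Configuration (1) to (3)):
SOL1_VPN = {"192.168.1.0/24": Labelled("10.0.1.1", 1029, "PE1")}
SOL1_BGP = {"10.0.1.1": Labelled("10.0.4.4", 1032, "ASBR-PE2")}
SOL1_LDP = {"10.0.4.4": Labelled("10.0.56.5", 1024, "P2")}

# Solution 2, PE2's view (Verifying the Configuration (1) and (2)): the LDP LSP
# reaches 10.0.1.1 directly, so PE2 never needs a labeled BGP route.
SOL2_VPN = {"192.168.1.0/24": Labelled("10.0.1.1", 1028, "PE1")}
SOL2_BGP = {}
SOL2_LDP = {"10.0.1.1": Labelled("10.0.56.5", 1028, "P2")}


def label_values(stack):
    """Just the (type, label) pairs, bottom first."""
    return [(kind, label) for kind, label, _, _ in stack]


if __name__ == "__main__":
    for name, tables in (("Solution 1", (SOL1_VPN, SOL1_BGP, SOL1_LDP)),
                         ("Solution 2", (SOL2_VPN, SOL2_BGP, SOL2_LDP))):
        print(name)
        for kind, label, fec, dev in reversed(resolve("192.168.1.0/24", *tables)):
            print(f"  {label:<6} {kind:<10} {fec:<16} {dev}")
```

The printed order is top of stack first, matching the label tables on the slides: three labels for Solution 1, two for Solution 2.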

Verifying the Configuration (4)

[Figure: same topology as in Configuration Example (1).]

4. Ping 192.168.1.1 from CE2.
<CE2>ping -a 192.168.2.1 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=250 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=250 time=50 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=250 time=60 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=250 time=60 ms

Summary of Key Configurations for Inter-AS VPN Option C (Solution 2)

[Figure: same topology as in Configuration Example (1).]

Device: PE1, PE2
• Enable PEs to establish MP-IBGP peer relationships with RRs in the local AS.

Device: RR1, RR2
• Enable RRs to establish MP-EBGP peer relationships with RRs in other ASs and not to change the next hops of routes.
• Enable RRs to establish MP-IBGP peer relationships with PEs in the same AS and not to change the next hops of routes.

Device: ASBR-PE1, ASBR-PE2
• Enable ASBR-PEs to exchange labeled IPv4 routes with ASBR-PEs in other ASs.
• Enable ASBR-PEs to establish LDP LSPs for labeled BGP routes of the public network.
• Enable MPLS on the interfaces connecting ASBRs.
Quiz

1. (Single-answer question) Which of the following inter-AS VPN solutions does not require ASBRs to save CE-side routing information? ( )
A. Option A
B. Option B
C. Option C

2. (Single-answer question) When only LDP or BGP is used to allocate labels, which of the following inter-AS VPN solutions may use three types of labels during packet forwarding? ( )
A. Option A
B. Option B
C. Option C

Answers: 1. C; 2. C
Summary
⚫ When VPN routing information is exchanged between ASs, three inter-AS VPN solutions are
proposed in related standards:
 Option A: It features simple configurations as MPLS does not need to run between ASBRs. It is
applicable to the scenario with a small number of VPNs.
 Option B: It does not require interfaces to be created for each inter-AS VPN. All traffic is forwarded
by ASBRs, facilitating traffic control but burdening ASBRs. When there are a large number of VPN
routes, ASBRs are overloaded and may become a bottleneck.
 Option C: It does not require ASBRs to maintain or advertise VPN-IPv4 routes because these routes
are directly exchanged between PEs. Option C is applicable to scenarios where multiple ASs are
spanned. The disadvantage of Option C is that it costs too much to manage an end-to-end BGP LSP
between PEs.

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
EVPN Fundamentals and Configuration
Foreword
⚫ Virtual Private LAN Service (VPLS) is a point-to-multipoint (P2MP) L2VPN service provided over a
public network.

⚫ VPLS cannot implement load balancing, simplify network deployment, provide flexible L2VPN
deployment, or improve link efficiency in CE multi-homing scenarios. Ethernet Virtual Private Network
(EVPN) solves these problems.
⚫ Defined in RFC7432, EVPN introduces the control plane to control MAC address learning. EVPN has
been continuously expanded to support both L2VPN and L3VPN.
⚫ EVPN has been widely used in various scenarios, such as WANs, data centers (DCs), and campus
networks.
⚫ This document describes the background, fundamentals, typical route types, and application scenarios
of EVPN.

Objectives

⚫ On completion of this course, you will be able to:


 Describe the background of EVPN.
 Know how EVPN solves VPLS problems.
 Understand the fundamentals and typical route types of EVPN.
 Describe the fundamentals of inter-AS EVPN.
 Describe the typical application scenarios of EVPN.

Contents

1. EVPN Background and Terms

2. EVPN Fundamentals

3. Inter-AS EVPN

4. Typical EVPN Application Scenarios

5. Basic EVPN Configurations

VPLS Overview
⚫ VPLS is an Ethernet-based L2VPN technology. It provides services similar to LAN services on an MPLS network and allows users to access the network from multiple geographical locations and communicate with each other.
⚫ Implementing VPLS involves three steps: creating tunnels and pseudo wires (PWs), creating virtual switch instances (VSIs), and binding PWs and attachment circuits (ACs) to VSIs.

[Figure: Enterprise A CE1 (192.168.1.1) and Enterprise B CE3 (192.168.2.1) attach to PE1; Enterprise A CE2 (192.168.1.2) and Enterprise B CE4 (192.168.2.2) attach to PE2. CE1 and CE2 of enterprise A belong to the same Layer 2 network. CE3 and CE4 of enterprise B belong to the same Layer 2 network.]
VPLS Fundamentals: Creating Tunnels and PWs
⚫ To implement VPLS, you need to establish a tunnel between PE1 and PE2 and then create PWs to carry services of different enterprise customers.

[Figure: a tunnel between PE1 and PE2 carries PW A (enterprise A's services, CE1 192.168.1.1 to CE2 192.168.1.2) and PW B (enterprise B's services, CE3 192.168.2.1 to CE4 192.168.2.2).]
VPLS Fundamentals: Creating VSIs
⚫ A VSI is an independent virtual switching unit for each VPLS service. A VSI stores an independent MAC address table, forwards packets, and terminates PWs.

[Figure: PE1 and PE2 each hold VSI A (MAC table MAC A, for enterprise A's CE1/CE2) and VSI B (MAC table MAC B, for enterprise B's CE3/CE4).]
VPLS Fundamentals: Binding PWs and ACs to VSIs
⚫ An attachment circuit (AC) is a link between a CE and a PE. After a PW and an AC are bound to a VSI, the VSI works like a switch. The VSI records the MAC addresses learned by different interfaces and generates MAC address entries.

[Figure: on PE1 and PE2, the AC to each CE and the corresponding PW (PW A or PW B over the tunnel) are bound to VSI A and VSI B respectively.]

• Common VPLS PW creation modes:
▫ Static configuration: A large number of manual configurations are required.
▫ LDP signaling (Martini)
▫ BGP signaling (Kompella)

VPLS Packet Forwarding
⚫ VPLS emulates a switch. MAC address learning depends on flooding on the data plane without involving the control plane. The forwarding behavior is determined by examining the MAC address table. If packets match an entry in the MAC address table, packets are forwarded according to the table. Otherwise, packets are flooded for forwarding.

[Figure: access from 192.168.1.1 (CE1) to 192.168.1.2 (CE2) through VSI A on PE1 and PE2 over PW A.
1. CE1 sends an ARP request (DMAC ALL, SMAC 1-1-1, DIP 192.168.1.2, SIP 192.168.1.1).
2. PE1 generates a MAC address entry (1-1-1 -> Port1) and floods the received ARP request to all the PWs bound to the VSI.
3. PE2 receives the ARP request and generates a MAC address entry (1-1-1 -> PWA) in the VSI.
4. PE2 forwards the ARP request (DMAC ALL, SMAC 1-1-1, DIP 192.168.1.2, SIP 192.168.1.1).]
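The flood-and-learn behaviour in steps 1 to 4 is what EVPN later replaces with control-plane learning. The following Python is an added example, not the training material's or any vendor's code: it models one VSI per PE, replays the ARP request from CE1 and a constructed reply from CE2, and shows which interfaces each frame is flooded or forwarded on. The PW split-horizon rule it applies (a frame arriving from a PW is not flooded back to other PWs) is standard full-mesh VPLS behaviour and is not shown on the slide; the MAC addresses 1-1-1 and 2-2-2 and the interface names are constructed.

```python
"""Flood-and-learn forwarding in a VPLS VSI.

Added example; not the training material's or any vendor's code. Models one
VSI per PE with a MAC table keyed by MAC address and replays the slide's ARP
request from CE1 plus a constructed reply from CE2. The PW split-horizon rule
(frames from a PW are not flooded to other PWs) is standard full-mesh VPLS
behaviour assumed here; MAC addresses and interface names are constructed.
"""


class VSI:
    """A virtual switch instance whose interfaces are ACs (e.g. 'Port1') or PWs (e.g. 'PWA')."""

    def __init__(self, name, acs, pws):
        self.name = name
        self.acs = set(acs)
        self.pws = set(pws)
        self.mac_table = {}          # MAC address -> outbound interface

    def receive(self, frame, in_if):
        """Learn the source MAC on the ingress interface, then return the egress interface list."""
        src, dst = frame["smac"], frame["dmac"]
        self.mac_table[src] = in_if                         # data-plane learning (steps 2 and 3)
        if dst != "ALL" and dst in self.mac_table:           # known unicast: one interface
            out = self.mac_table[dst]
            return [] if out == in_if else [out]
        # Broadcast or unknown unicast: flood to every other interface, except that a
        # frame arriving from a PW is only flooded to ACs (PW split horizon).
        targets = self.acs if in_if in self.pws else self.acs | self.pws
        return sorted(targets - {in_if})

    def mac_withdraw(self):
        """What a MAC Withdraw message does to the peer VSI: drop every entry and relearn."""
        self.mac_table.clear()


def arp_exchange():
    """Replay the ARP request on the slide and a reply, returning what each PE did."""
    pe1 = VSI("PE1", acs=["Port1"], pws=["PWA"])
    pe2 = VSI("PE2", acs=["Port1"], pws=["PWA"])
    request = {"smac": "1-1-1", "dmac": "ALL"}       # step 1: CE1's ARP request
    pe1_flood = pe1.receive(request, "Port1")        # step 2: PE1 learns 1-1-1 on Port1, floods to PW A
    pe2_flood = pe2.receive(request, "PWA")          # steps 3-4: PE2 learns 1-1-1 on PW A, floods to its AC
    reply = {"smac": "2-2-2", "dmac": "1-1-1"}       # constructed reply from CE2
    pe2_reply = pe2.receive(reply, "Port1")          # known unicast: PW A only, no flooding
    pe1_reply = pe1.receive(reply, "PWA")
    return {"pe1_flood": pe1_flood, "pe2_flood": pe2_flood,
            "pe2_reply": pe2_reply, "pe1_reply": pe1_reply,
            "pe1_table": dict(pe1.mac_table), "pe2_table": dict(pe2.mac_table)}


if __name__ == "__main__":
    for key, value in arp_exchange().items():
        print(f"{key:10s} {value}")
```

The mac_withdraw method is the data-plane side of the slow convergence described later under VPLS Challenge 2: after a withdraw the table is empty, so every destination is flooded again until frames from it are seen.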
VPLS Challenge 1: Uneven Load Balancing Due to Single-Active Access
⚫ In VPLS, if a ring topology is achieved when a CE is dual-homed to two PEs, the loop-free forwarding path is formed by blocking a port. This is the same as the loop prevention technology (STP) of switches. Therefore, VPLS access works in active/standby mode.
⚫ There is only one link between the CE and PE for traffic forwarding, and multiple paths cannot be formed between PEs. As a result, some links may be congested.

[Figure: CE1 dual-homed to PE1 and PE2, CE2 dual-homed to PE3 and PE4, P routers between the PEs. (1) The standby link between the CE and PE does not forward data. (2) Multiple paths cannot be formed between PEs.]
VPLS Challenge 2: Slow Fault Convergence
⚫ After detecting a link fault, PE3 sends a MAC Withdraw message to the peer PE, instructing the peer PE to delete the MAC address of PE3. PE4 changes the standby link to the active state. After receiving the Withdraw message, PE1 clears the corresponding MAC address and learns MAC addresses again. The fault convergence time is closely related to the number of MAC addresses.

[Figure: CE1 dual-homed to PE1 and PE2, CE2 dual-homed to PE3 and PE4. (1) PE3 detects a fault and sends a MAC Withdraw message to instruct PE1 to clear the MAC address of PE3 (within subseconds). (2) The link between PE4 and PE2 becomes the active link. (3) PE1 receives the MAC Withdraw message, clears the corresponding MAC address, and learns MAC addresses again for about 10 seconds.]
EVPN Overview
⚫ EVPN changes the traditional MAC address learning mode on the L2VPN data plane. It introduces the control plane to learn MAC addresses and IP addresses for data forwarding, implementing forwarding-control separation. EVPN implements active-active, fast convergence, and simplified O&M, resolving typical problems of traditional L2VPNs.
⚫ EVPN uses Multiprotocol Border Gateway Protocol (MP-BGP) on the control plane and supports multiple types of tunnels on the data plane, such as MPLS tunnels, GRE tunnels, and Segment Routing over IPv6 (SRv6) tunnels. In this course, MPLS is used as the outer tunnel forwarding technology.
⚫ Other advantages of EVPN:
 All-active access of CEs to PEs
 Automatic PE discovery
 Loop prevention
 Broadcast traffic optimization
 Equal-cost multi-path routing (ECMP)

[Figure: CE1 dual-homed to PE1 and PE2, CE2 dual-homed to PE3 and PE4, with EVPN peer relationships among the PEs. Control plane: PEs exchange BGP EVPN packets to transmit MAC addresses and IP addresses. Data plane: data forwarding paths are formed by IP tunnels or MPLS label forwarding paths; the data plane is only responsible for forwarding data and does not need to broadcast packets to learn MAC addresses.]
EVPN Terms
⚫ An Ethernet segment (ES) is a group of Ethernet links that connect a user site (device or network) to a PE. An ES is identified by an Ethernet Segment Identifier (ESI).
⚫ An EVPN instance (EVI) identifies an EVPN client.
⚫ A MAC-VRF table is a MAC address table that belongs to an EVI on a PE.
⚫ A route distinguisher (RD) is the unique identifier of an EVPN and identifies an EVI.
⚫ Route targets (RTs) are used to control the import of EVPN routes.
⚫ In a CE multi-homing scenario, only the PE that is elected as a designated forwarder (DF) forwards broadcast, unknown unicast, and multicast (BUM) traffic to CEs.
⚫ ESI Label is an extended community attribute carried in an EVPN Type 1 route. It implements fast convergence and split horizon in multi-homing scenarios.
⚫ BUM labels are carried in EVPN Type 3 routes to forward BUM traffic.
⚫ Unicast labels are carried in Type 2 routes to forward unicast traffic.

• For details about the terms, see RFC7432.

EVPN Terms: ES and ESI
⚫ An ES is a group of Ethernet links that connect a user site (device or network) to a PE. An ES is identified by an ESI.
⚫ An ESI is 10 bytes long and is unique on the entire network.
⚫ Dual-homing PEs on the same ES must have the same ESI. For example, PE1 and PE2 must be configured with the same ESI (for example, 1).

[Figure: CE1 dual-homed to PE1 and PE2 over one ES; CE2 dual-homed to PE3 and PE4 over another ES.]
ESI Format

[Figure: ESI = Type (1 byte) + ESI Value (9 bytes).]

⚫ Type 0: The ESI is manually configured by the administrator.
⚫ Type 1: If LACP is used between a PE and a CE, the ESI is the CE LACP System MAC address (6 bytes) + CE LACP Port Key (2 bytes) + 0x00 (1 byte).
⚫ Type 2: The ESI is automatically generated by MSTP.
⚫ Type 3: The ESI is the system MAC address plus a local discriminator.
⚫ Type 4: The ESI is the router ID plus a local discriminator.
⚫ Type 5: The ESI is the AS number plus a local discriminator.

Static ESI configuration example:
[*PE1] interface eth-trunk 10
[*PE1-Eth-Trunk10] esi 0000.1111.2222.1111.1111

View ESI information:
<PE1> display bgp evpn all esi
Number of ESI for EVPN address family: 1
ESI IFName/Bridge-domain
0000.1111.2222.1111.1111 Eth-Trunk10

• Currently, ESIs of Type 2, Type 3, Type 4 and Type 5 are not used on Huawei devices.
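To make the ESI layout concrete, the following Python is an added example (not part of the training material) that builds, parses and displays 10-byte ESIs for the two types the note above says are in use: Type 0 and Type 1. The display form with dot-separated groups of four hex digits follows the configuration example; the LACP system MAC and port key used in the example values are constructed. The all-zero check reflects RFC 7432, which reserves ESI 0 for single-homed segments; the same_es helper is the check that two dual-homing PEs were given identical ESIs, which the slide before this one requires.

```python
"""Build, parse and display 10-byte EVPN Ethernet Segment Identifiers (ESIs).

Added example; not part of the training material. Covers Type 0 (manually
configured value) and Type 1 (LACP system MAC + port key + 0x00). The display
form (five dot-separated groups of four hex digits) matches the configuration
example on the slide; sample MAC addresses and port keys are constructed.
"""

ESI_LEN = 10                    # 1-byte Type + 9-byte ESI Value


def esi_from_display(text):
    """Parse 'xxxx.xxxx.xxxx.xxxx.xxxx' (20 hex digits) into 10 bytes; reject anything else."""
    raw = bytes.fromhex(text.replace(".", ""))
    if len(raw) != ESI_LEN:
        raise ValueError(f"ESI must be {ESI_LEN} bytes, got {len(raw)}")
    return raw


def esi_to_display(raw):
    """Render 10 ESI bytes in the dotted form used in the CLI."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def esi_type0(value9):
    """Type 0: the 9-byte value is whatever the administrator configured."""
    if len(value9) != 9:
        raise ValueError("Type 0 ESI value must be 9 bytes")
    return bytes([0x00]) + value9


def esi_type1(lacp_system_mac, lacp_port_key):
    """Type 1: 0x01 + CE LACP System MAC (6 bytes) + CE LACP Port Key (2 bytes) + 0x00."""
    mac = bytes.fromhex(lacp_system_mac.replace(":", "").replace("-", ""))
    if len(mac) != 6 or not 0 <= lacp_port_key <= 0xFFFF:
        raise ValueError("need a 6-byte MAC and a 16-bit port key")
    return bytes([0x01]) + mac + lacp_port_key.to_bytes(2, "big") + b"\x00"


def describe(raw):
    """Return (type, human-readable description) for an ESI given as bytes."""
    if len(raw) != ESI_LEN:
        raise ValueError("ESI must be 10 bytes")
    esi_type, value = raw[0], raw[1:]
    if raw == b"\x00" * ESI_LEN:                 # RFC 7432: ESI 0 means single-homed
        return esi_type, "single-homed site (all-zero ESI)"
    if esi_type == 0:
        return esi_type, f"manually configured value {value.hex()}"
    if esi_type == 1:
        mac = ":".join(f"{b:02x}" for b in value[:6])
        key = int.from_bytes(value[6:8], "big")
        return esi_type, f"LACP system MAC {mac}, port key 0x{key:04x}"
    return esi_type, f"type {esi_type} (not used on the devices described here)"


def same_es(esi_a, esi_b):
    """Dual-homing PEs on one ES must be configured with identical ESIs."""
    return esi_from_display(esi_a) == esi_from_display(esi_b)


if __name__ == "__main__":
    configured = esi_from_display("0000.1111.2222.1111.1111")     # from the slide
    print(esi_to_display(configured), describe(configured))
    lacp = esi_type1("00:11:22:33:44:55", 0x0010)                # constructed values
    print(esi_to_display(lacp), describe(lacp))
```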
Basic EVPN Terms: EVI and MAC-VRF
⚫ An EVI identifies an EVPN client.
⚫ A MAC-VRF table is a MAC address table that belongs to an EVI on a PE.

[Figure: PE1 to PE4 with EVI 1 and EVI 2, each with its own MAC-VRF. EVI 1 and EVI 2 have independent MAC address tables, which can be used to distinguish different services or customers.]
Basic EVPN Terms: RD and RT
⚫ An RD is the unique identifier of an EVPN and identifies an EVI.
⚫ RTs are used to label routes to control the import of EVPN routes.

[Figure: EVI 1 (RD 1:1, RT 10:10) and EVI 2 (RD 2:2, RT 20:20), each with a MAC-VRF. RD 1:1 identifies EVI 1; RD 2:2 identifies EVI 2.]
Contents

1. EVPN Background and Terms

2. EVPN Fundamentals
◼ EVPN Route Overview and Interaction Process
▫ EVPN Route Types
▫ EVPN Access Principles

3. Inter-AS EVPN

4. Typical EVPN Application Scenarios

5. Basic EVPN Configurations


EVPN Routes
⚫ EVPN defines a new BGP network layer reachability information (NLRI), which is known as EVPN NLRI, to carry all EVPN routes.
⚫ EVPN NLRI is carried by MP-BGP. MP-BGP supports multi-protocol extensions. In MP-BGP, the Address Family Identifier (AFI) defining EVPN is 25 and the Subsequent Address Family Identifier (SAFI) is 70.

EVPN NLRI format:
Route Type           1 byte
Length               1 byte
Route Type Specific  variable

The Route Type field defines four types of common EVPN routes:
1. Ethernet A-D route
2. MAC/IP advertisement route
3. Inclusive multicast route
4. Ethernet segment route
Functions of Four Types of EVPN Routes
⚫ RFC 7432 defines four types of EVPN routes, Type 1 to Type 4. As the EVPN protocol develops, more route types are being defined. The following describes the four basic types.

(Type 1) Ethernet A-D route
  Function: aliasing; loop prevention; MAC address withdrawal in batches; all-active indication; ESI label advertisement
  Benefits: fast convergence; load balancing
(Type 2) MAC/IP advertisement route
  Function: MAC address learning and advertisement; MAC/IP binding; MAC address mobility
  Benefits: ARP suppression; host migration
(Type 3) Inclusive multicast route
  Function: auto-discovery of multicast tunnel endpoints and multicast types
  Benefits: BUM traffic forwarding
(Type 4) Ethernet segment route
  Function: ES member auto-discovery; DF election
  Benefits: support for both all-active and single-active modes

• Up to now, 11 route types have been defined in RFCs and drafts. Type 1 to Type 5 are relatively mature; Type 5 (the IP prefix route) is in the draft phase. Type 6 to Type 11 are used for multicast traffic optimization and are not yet mature.
EVPN Working Process
⚫ The EVPN process is divided into two phases:
 Startup phase
  ◼ EVPN peers exchange Type 3 routes to build the BUM traffic forwarding table.
  ◼ EVPN peers exchange Type 4 routes to complete ES discovery and DF election (in ES multi-homing scenarios).
  ◼ EVPN peers exchange Type 1 routes carrying ESI labels to implement split horizon and aliasing.
 Traffic forwarding phase: CE-side traffic triggers a PE to advertise the learned MAC address in a Type 2 route. The route carries the label assigned by the advertising PE, and remote PEs then forward known unicast traffic to that PE using the label.

[Figure: CE1 connected over an aggregated port to PE1 and PE2, CE2 to PE3 and PE4, across P routers; between the PEs: BUM traffic forwarding table setup (Type 3), DF election (Type 4), ESI label advertisement (Type 1), EVPN traffic forwarding (Type 2).]

• The CE all-active access scenario uses Huawei NE series routers as an example.
• An Eth-Trunk is configured on CE1 to connect to PE1 and PE2, and an inter-device link aggregation enhanced trunk (E-Trunk) needs to be configured on PE1 and PE2. E-Trunk is not marked in the following figures.
EVPN Entry Overview
⚫ EVPN maintains three tables to guide traffic forwarding: the MAC-VRF table, the BUM traffic forwarding table, and the ES member table.
 The MAC-VRF table records how known unicast traffic is forwarded.
 The BUM traffic forwarding table guides the forwarding of broadcast, unknown unicast, and multicast traffic.
 The ES member table records the PEs to which a user (CE) is attached.
⚫ The following describes how the three tables are generated and used, taking PE1 as an example. The tables below show PE1's state after the whole process has completed.

MAC-VRF (PE1)
  MAC    ESI    Next hop  Label
  1-1-1  ESI 1  Port1     NULL
  2-2-2  ESI 2  PE3       303
  2-2-2  ESI 2  PE4       304

BUM traffic forwarding table (PE1)
  Peer  Label
  PE2   102
  PE3   103
  PE4   104

ES member table (PE1)
  No.  ESI    Member  Label
  0    ESI 1  PE2     202
  1    ESI 1  PE1     201
Creating an EVPN Instance Locally
⚫ Create an EVPN instance on each PE and configure an RD and an RT for the instance. EVPN is then activated locally on the PE, and an empty MAC-VRF table is generated.

[Figure: PE1 to PE4 each hold EVI 1 with an empty MAC-VRF; CE1 attaches to PE1 and PE2, CE2 to PE3 and PE4, across an MPLS backbone network of P devices.]

• The backbone network consisting of P devices involves only outer tunnel forwarding, which is not described in later sections.
BUM Traffic Forwarding Table (1)
⚫ Establish BGP EVPN peer relationships between the PEs. Taking PE1 as an example, it advertises a Type 3 route to all peers carrying its RD (rd1) and the BUM label it allocated (101).

  PE1 Type 3 route: RD = rd1, Label = 101

BUM Traffic Forwarding Table (2)
⚫ PE2, PE3, and PE4 each install PE1 as a peer in their BUM traffic forwarding tables.

  BUM traffic forwarding table on PE2, PE3 and PE4 after receiving PE1's route
  Peer  Label
  PE1   101

BUM Traffic Forwarding Table (3)
⚫ Every PE advertises a Type 3 route in the same way (PE2: RD = rd2, Label = 102; PE3: RD = rd3, Label = 103; PE4: RD = rd4, Label = 104), so each PE ends up with a stable BUM traffic forwarding table listing every remote peer and the label that peer expects for BUM traffic.

  PE1            PE2            PE3            PE4
  Peer  Label    Peer  Label    Peer  Label    Peer  Label
  PE2   102      PE1   101      PE1   101      PE1   101
  PE3   103      PE3   103      PE2   102      PE2   102
  PE4   104      PE4   104      PE4   104      PE3   103
Binding an Interface to an EVPN Instance
⚫ A CE is dual-homed to PEs in active-active mode. Bind the interface connecting to the CE to the EVPN instance on each PE. Packets received on that interface are then handled by the EVPN instance.

[Figure: the same topology; the BUM traffic forwarding tables on the four PEs are unchanged from the previous slide.]
Configuring ESIs for PEs' Interfaces Connected to CEs
⚫ Configure ESIs on the PE interfaces connected to the CEs: ESI 1 on PE1 and PE2 (toward CE1), ESI 2 on PE3 and PE4 (toward CE2). The PEs exchange Type 4 routes to advertise their ESIs and elect a DF per ES.

  PE1 Type 4 route: RD = rd1, ESI = ESI 1
  PE2 Type 4 route: RD = rd2, ESI = ESI 1
  PE3 Type 4 route: RD = rd3, ESI = ESI 2
  PE4 Type 4 route: RD = rd4, ESI = ESI 2
DF Election (1)
⚫ When a CE is multi-homed to multiple PEs, only one PE forwards BUM traffic to the CE. Selecting that PE is called DF (designated forwarder) election.
⚫ From the received Type 4 routes, each PE builds an ES member table for the ES it is attached to. No ESI labels are known yet at this point:

  PE1 and PE2 (ESI 1)          PE3 and PE4 (ESI 2)
  No.  ESI    Member  Label    No.  ESI    Member  Label
  0    ESI 1  PE2     -        0    ESI 2  PE3     -
  1    ESI 1  PE1     -        1    ESI 2  PE4     -

DF Election (2)
⚫ PEs use a specific algorithm to elect a DF. In this example, PE2 is elected DF for ESI 1 and PE3 for ESI 2; PE1 and PE4 are non-DFs. Only PE2 and PE3 are allowed to forward BUM traffic to CE1 and CE2 respectively.

• The DF election mode can be set to interface-based or VLAN-based on Huawei devices. By default, interface-based DF election is enabled: one PE is the DF for all VLANs on the interface, which may cause traffic imbalance among the multi-homing links. You can configure VLAN-based DF election so that BUM traffic from the PEs to a CE is distributed across the multi-homing links by VLAN.
ESI Label Distribution: Split Horizon (1)
⚫ PEs distribute ESI labels through Type 1 (Ethernet A-D per ES) routes. ESI labels implement split horizon: BUM traffic received from an ES is never sent back to that ES through another PE.

  PE1 Type 1 route: RD = rd1, ESI = ESI 1, ESI Label = 201

ESI Label Distribution: Split Horizon (2)
⚫ All PEs send Type 1 routes in the same way (PE2: ESI Label = 202; PE3: ESI Label = 203; PE4: ESI Label = 204), completing the ES member tables:

  PE1 and PE2 (ESI 1)          PE3 and PE4 (ESI 2)
  No.  ESI    Member  Label    No.  ESI    Member  Label
  0    ESI 1  PE2     202      0    ESI 2  PE3     203
  1    ESI 1  PE1     201      1    ESI 2  PE4     204
  DF: PE2, non-DF: PE1         DF: PE3, non-DF: PE4
Summary of the EVPN Startup Phase
⚫ During EVPN startup, the MAC-VRF table, BUM traffic forwarding table, and ES member table are created. At this point the MAC-VRF table is still empty; the other two tables are complete:

  PE1: BUM table PE2/102, PE3/103, PE4/104; ES members of ESI 1: PE2/202, PE1/201; PE1 is non-DF
  PE2: BUM table PE1/101, PE3/103, PE4/104; ES members of ESI 1: PE2/202, PE1/201; PE2 is DF
  PE3: BUM table PE1/101, PE2/102, PE4/104; ES members of ESI 2: PE3/203, PE4/204; PE3 is DF
  PE4: BUM table PE1/101, PE2/102, PE3/103; ES members of ESI 2: PE3/203, PE4/204; PE4 is non-DF
EVPN Traffic Forwarding Phase
⚫ The EVPN traffic forwarding phase starts when CE-side user traffic is initiated.
⚫ CE1 and CE2 are unaware of the EVPN route exchange between PEs.
⚫ In this example, CE1 (IP 192.168.1.1, MAC 1-1-1) accesses CE2 (IP 192.168.1.2, MAC 2-2-2):
  1. CE1 broadcasts an ARP request for the MAC address of CE2.
  2. CE2 responds with a unicast ARP reply.
  3. CE1 forwards traffic to CE2.
Local MAC Address Learning
⚫ CE1 sends an ARP request (DMAC = broadcast, SMAC = 1-1-1) to reach CE2. PE1 receives it on Port 1 and generates a local MAC address entry in the MAC-VRF of EVI 1:

  PE1 MAC-VRF
  MAC    ESI    Next hop  Label
  1-1-1  ESI 1  Port1     NULL

[Figure: Port 1 on PE1 and Port 2 on PE2 belong to ESI 1 (PE1 non-DF, PE2 DF); Port 3 on PE3 and Port 4 on PE4 belong to ESI 2 (PE3 DF, PE4 non-DF).]

• Data packets sent by the CEs do not carry any label, so the label of a local MAC-VRF entry on a PE is NULL.
MAC Address Advertisement (1)
⚫ PE1 generates a Type 2 route from the local MAC address entry and advertises it with unicast label 301, assigned by PE1:

  PE1 Type 2 route: RD = rd1, ESI = ESI 1, MAC = 1-1-1, MPLS Label = 301

MAC Address Advertisement (2)
⚫ Each peer PE learns the route through MP-BGP and installs a remote MAC address entry in its MAC-VRF:

  PE2, PE3 and PE4 MAC-VRF
  MAC    ESI    Next hop  Label
  1-1-1  ESI 1  PE1       301

MAC Address Advertisement (3)
⚫ EVPN allows CEs to access PEs in all-active mode. PE2 is attached to the same ES (ESI 1) as PE1, so it replaces the remote entry with a local entry via Port2 and generates and advertises its own Type 2 route:

  PE2 MAC-VRF
  MAC    ESI    Next hop  Label
  1-1-1  ESI 1  Port2     NULL

  PE2 Type 2 route: RD = rd2, ESI = ESI 1, MAC = 1-1-1, MPLS Label = 302

Remote MAC Address Learning
⚫ Because PE1 and PE2 allocate different MPLS labels for the same MAC address, PE3 and PE4 each end up with two paths to CE1:

  PE3 and PE4 MAC-VRF
  MAC    ESI    Next hop  Label
  1-1-1  ESI 1  PE1       301
  1-1-1  ESI 1  PE2       302
ARP Broadcast Forwarding
⚫ The ARP request sent by CE1 reaches PE1. PE1 learns the MAC address of CE1 on the data plane and advertises it to all peers through a Type 2 route.
⚫ After the control plane behavior is complete, PE1 performs the data plane behavior: it replicates the ARP broadcast request to every peer in its BUM traffic forwarding table. Because PE3 is the DF for ESI 2, PE3 forwards the ARP broadcast to CE2.
  1. The control plane of PE1 advertises the MAC address.
  2. The data plane of PE1 forwards the ARP packet.
  3. PE3 (DF) forwards the ARP packet to CE2.

ARP Broadcast Forwarding: from PE1 to PE3
⚫ The copy from PE1 to PE3 carries BUM label 103 (from PE1's BUM traffic forwarding table) below the tunnel label. PE3 pops the label, identifies the packet as BUM traffic of EVI 1 and, being the DF for ESI 2, forwards it through Port3 to CE2.

  Packet on the wire: Tunnel label | 103 | DMAC All, SMAC 1-1-1, ARP request

• PE1 forwards the ARP packet to all peers based on the BUM traffic forwarding table.

ARP Broadcast Forwarding: from PE1 to PE4
⚫ The copy from PE1 to PE4 carries BUM label 104. PE4 identifies the packet as BUM traffic based on the label and discards it, because PE4 is the non-DF for ESI 2.

  Packet on the wire: Tunnel label | 104 | DMAC All, SMAC 1-1-1, ARP request

• Only the PE elected as DF forwards BUM traffic to the CE.

ARP Broadcast Forwarding: from PE1 to PE2
⚫ Because PE1 and PE2 belong to the same ES (ESI 1), the copy from PE1 to PE2 carries both the BUM label 102 and, below it, the ESI label 202 that PE2 advertised for ESI 1 in its Type 1 route. PE2 recognizes its own ESI label and does not forward the packet to ESI 1. Since ESI 1 is the only ES attached to PE2 in this example, PE2 discards the packet.

  Packet on the wire: Tunnel label | 102 | 202 | DMAC All, SMAC 1-1-1, ARP request

Split horizon is implemented using the ESI labels assigned in Type 1 routes.

• ESI labels prevent CE traffic from being looped back to the CE it came from.
Unicast ARP Reply
⚫ CE2 sends a unicast ARP reply to CE1. PE3 learns the MAC address of CE2 and advertises it in a Type 2 route (control plane). On the data plane, PE3 looks up the destination MAC 1-1-1 in its MAC-VRF, forwards the unicast ARP reply to PE1 (one of its two next hops for that MAC), and PE1 forwards it to CE1.
  1. CE2 sends a unicast ARP reply.
  2. PE3 learns the MAC address of CE2 and triggers MAC address learning on the EVPN control plane.
  3. PE3 forwards the ARP reply on the data plane.
  4. PE1 forwards the ARP reply to CE1.

Unicast ARP Reply: Local MAC Address Learning
⚫ PE3 receives the ARP reply (DMAC = 1-1-1, SMAC = 2-2-2) on Port 3 and generates a local MAC-VRF entry:

  PE3 MAC-VRF
  MAC    ESI    Next hop  Label
  1-1-1  ESI 1  PE1       301
  1-1-1  ESI 1  PE2       302
  2-2-2  ESI 2  Port 3    NULL

Unicast ARP Reply: MAC Address Advertisement (1)
⚫ PE3 generates and advertises a Type 2 route (RD = rd3, ESI = ESI 2, MAC = 2-2-2, MPLS Label = 303). PE1, PE2 and PE4 each install the remote entry 2-2-2 / ESI 2 / next hop PE3 / label 303.

Unicast ARP Reply: MAC Address Advertisement (2)
⚫ Port 4 on PE4 belongs to ESI 2, so PE4 replaces the remote entry with a local one (2-2-2 / ESI 2 / Port 4 / NULL) and advertises its own Type 2 route (RD = rd4, ESI = ESI 2, MAC = 2-2-2, MPLS Label = 304). PE1 and PE2 now hold two entries for CE2:

  PE1 and PE2 MAC-VRF (the local entry for 1-1-1 is omitted)
  MAC    ESI    Next hop  Label
  2-2-2  ESI 2  PE3       303
  2-2-2  ESI 2  PE4       304

Unicast ARP Reply: Data Plane Forwarding
⚫ PE3 looks up DMAC 1-1-1 in its MAC-VRF, finds two next hops (PE1 with label 301 and PE2 with label 302), and uses a load balancing algorithm to select one of them, for example PE1. It sends the packet with label 301 below the tunnel label. PE1 pops label 301, looks up 1-1-1 in its MAC-VRF and forwards the packet through Port1 to CE1.

  Packet on the wire: Tunnel label | 301 | DMAC 1-1-1, SMAC 2-2-2, ARP reply
Summary: EVPN Solves the Problems Brought by the Active-Active Mode
⚫ ESI labels carried in Type 1 routes prevent BUM traffic from being looped back to the CE it came from. Type 4 routes drive DF election, so only one PE per ES (PE2 for ESI 1, PE3 for ESI 2) forwards BUM traffic to the CE, and the CE never receives duplicate copies.

Summary: EVPN Implements Load Balancing
⚫ EVPN implements load balancing on every hop of the path.

• CE1 hashes its traffic over the two active Eth-Trunk links to PE1 and PE2. Because PE1 and PE2 each hold two paths to CE2 (PE3 with label 303 and PE4 with label 304), each of them balances traffic across those two paths. In the example, four service flows (Data 1 to Data 4) reach CE2 over different paths: Data 1 and Data 3 exit through PE3, Data 2 and Data 4 through PE4.

Summary: EVPN Achieves Fast Convergence
⚫ When PE3 detects a fault on its link to CE2, it deletes the local MAC address entry for 2-2-2 and withdraws its Ethernet A-D per ES route for ESI 2 (Type 1, RD = rd3, ESI = ESI 2). This single update instructs all other PEs to withdraw every MAC address they learned from PE3 on that ES, without waiting for per-MAC Type 2 withdrawals.

  PE1 and PE2 MAC-VRF before the fault: 2-2-2 via PE3/303 and via PE4/304. After the fault: 2-2-2 via PE4/304 only.

• PE4 becomes the DF for ESI 2 once PE3 is no longer an active member of the ES.
• After receiving the Type 1 withdrawal, PE1 and PE2 remove the 2-2-2 entries with next hop PE3 and label 303; traffic to CE2 is automatically switched to PE4.
• If a CE is connected to multiple PEs and a connectivity fault occurs between one PE and the CE, that PE must withdraw its Ethernet A-D per ES route so that all MAC addresses it previously advertised for the ES are withdrawn at once.
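The startup phase (Type 3, Type 4 and Type 1 routes building the BUM traffic forwarding table, the ES member table and the DF) and the forwarding phase (Type 2 routes, split horizon on BUM traffic, load balancing over two next hops, mass withdrawal on an ES fault) described on the slides above, worked through in Python. This is an added example, not code from the course or from Huawei. The PE loopback addresses, the flow hash values and the label values are constructed for the example, and DF election uses the RFC 7432 default algorithm (sorted PE IPs, index VLAN mod N) rather than any vendor-specific mode.

```python
"""EVPN startup and forwarding phases from the slides, worked through in code.

Added example, not course or Huawei code. CE1 is dual-homed to PE1/PE2 (ESI 1),
CE2 to PE3/PE4 (ESI 2). Labels (BUM 101-104 from Type 3 routes, ESI labels
201-204 from Type 1 routes, unicast labels 301-304 from Type 2 routes) and the
PE loopbacks are constructed. DF election is the RFC 7432 section 8.5 default
(sort members by IP, take index VLAN mod N); the loopbacks are chosen so that
VLAN 0 elects PE2 and PE3, as in the slides.
"""
import ipaddress
from collections import defaultdict

PE_IP = {"PE1": "10.0.0.2", "PE2": "10.0.0.1", "PE3": "10.0.0.3", "PE4": "10.0.0.4"}
ES_MEMBERS = {"ESI 1": ("PE1", "PE2"), "ESI 2": ("PE3", "PE4")}
BUM_LABEL = {"PE1": 101, "PE2": 102, "PE3": 103, "PE4": 104}   # from Type 3 routes
ESI_LABEL = {"PE1": 201, "PE2": 202, "PE3": 203, "PE4": 204}   # from Type 1 per-ES routes
# Type 2 routes of the slides: (MAC, ESI, advertising PE, unicast label)
TYPE2_ROUTES = [("1-1-1", "ESI 1", "PE1", 301), ("1-1-1", "ESI 1", "PE2", 302),
                ("2-2-2", "ESI 2", "PE3", 303), ("2-2-2", "ESI 2", "PE4", 304)]


def local_es(pe):
    """The ES this PE is attached to (each PE here has exactly one)."""
    return next(esi for esi, members in ES_MEMBERS.items() if pe in members)


def elect_df(esi, vlan=0, failed=()):
    """Type 4 routes give all members the same candidate list. The DF for a VLAN is
    the member at index vlan mod N after sorting by PE IP; a member that withdrew
    its routes (failed) drops out, which re-elects the DF without extra signalling."""
    members = sorted((m for m in ES_MEMBERS[esi] if m not in failed),
                     key=lambda m: ipaddress.ip_address(PE_IP[m]))
    return members[vlan % len(members)]


def bum_table(pe):
    """BUM traffic forwarding table: peer -> BUM label taken from its Type 3 route."""
    return {peer: BUM_LABEL[peer] for peer in PE_IP if peer != pe}


def es_member_table(pe):
    """ES member table: members of the local ES and the ESI label each advertised."""
    return {m: ESI_LABEL[m] for m in ES_MEMBERS[local_es(pe)]}


def encapsulate_bum(ingress_pe):
    """Label stacks (top first, below the tunnel label) pushed on a BUM frame for each
    peer: the peer's BUM label, plus the peer's own ESI label at the bottom when the
    peer shares the ingress ES, so that it can apply split horizon."""
    members = es_member_table(ingress_pe)
    return {peer: [label] + ([members[peer]] if peer in members else [])
            for peer, label in bum_table(ingress_pe).items()}


def egress_bum_decision(egress_pe, stack, vlan=0, failed=()):
    """What a receiving PE does with a BUM frame after popping the tunnel label."""
    if len(stack) > 1 and stack[1] == ESI_LABEL[egress_pe]:
        return "drop: own ESI label (split horizon)"
    esi = local_es(egress_pe)
    if elect_df(esi, vlan, failed) != egress_pe:
        return "drop: non-DF"
    return f"forward to CE on {esi}"


def mac_vrf(pe, routes=TYPE2_ROUTES):
    """MAC-VRF built from Type 2 routes: MAC -> [(next hop, ESI, label)]. A MAC on the
    PE's own ES is a local entry (port, no label) regardless of what the other
    members of that ES advertised; MACs on remote ESs get one entry per advertiser."""
    table = defaultdict(list)
    for mac, esi, advertiser, label in routes:
        if esi == local_es(pe):
            if advertiser == pe:
                table[mac].append(("local-port", esi, None))
        else:
            table[mac].append((advertiser, esi, label))
    return dict(table)


def pick_next_hop(table, mac, flow_hash):
    """Per-flow load balancing over every remote next hop of a MAC (aliasing)."""
    remote = [e for e in table[mac] if e[0] != "local-port"]
    return remote[flow_hash % len(remote)]


def withdraw_es(table, failed_pe, esi):
    """Mass withdrawal: one Ethernet A-D per ES withdrawal from failed_pe removes every
    MAC learned from that PE on that ES, with no per-MAC Type 2 withdrawals."""
    return {mac: [e for e in entries if not (e[0] == failed_pe and e[1] == esi)]
            for mac, entries in table.items()}


if __name__ == "__main__":
    for peer, stack in encapsulate_bum("PE1").items():
        print(f"PE1 -> {peer}: labels {stack}: {egress_bum_decision(peer, stack)}")
    print("PE3 MAC-VRF:", mac_vrf("PE3"))
    print("PE1 after PE3/ESI 2 fault:", withdraw_es(mac_vrf("PE1"), "PE3", "ESI 2"),
          "new DF for ESI 2:", elect_df("ESI 2", failed=("PE3",)))
```

Running the block reproduces the slides: the copy to PE2 carries [102, 202] and is dropped by split horizon, the copy to PE4 is dropped as non-DF, only PE3 forwards to CE2; PE3 holds two next hops for 1-1-1; after the PE3 fault PE1 keeps only the PE4 path for 2-2-2 and PE4 becomes DF. Calling elect_df with vlan=1 shows how VLAN-based election spreads the DF role over both members.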
Contents
1. EVPN Background and Terms
2. EVPN Fundamentals
   ▫ EVPN Route Overview and Interaction Process
   ◼ EVPN Route Types
   ▫ EVPN Access Principles
3. Inter-AS EVPN
4. Typical EVPN Application Scenarios
5. Basic EVPN Configurations
EVPN Route Review
⚫ The EVPN working process above showed what Type 1 to Type 4 routes do. This section continues with the packet formats and application scenarios of each route type.

(Type 1) Ethernet A-D route
  Function: aliasing; loop prevention; MAC address withdrawal in batches; all-active indication; ESI label advertisement
  Benefits: fast convergence; load balancing
(Type 2) MAC/IP advertisement route
  Function: MAC address learning and advertisement; MAC/IP binding; MAC address mobility
  Benefits: policy based on each MAC address; ARP suppression; host migration
(Type 3) Inclusive multicast route
  Function: auto-discovery of multicast tunnel endpoints and multicast types
  Benefits: BUM traffic forwarding
(Type 4) Ethernet segment route
  Function: ES member auto-discovery; DF election
  Benefits: support for both all-active and single-active modes
Key Parameters Carried in EVPN Routes
⚫ The functions of the four route types follow from the parameters they carry:
 Type 1 routes carry ESI labels (in the ESI Label extended community) to implement split horizon, and aliasing labels in the NLRI of per-EVI routes.
 Type 2 routes carry unicast labels to guide known unicast traffic forwarding.
 Type 3 routes carry BUM labels (in the PMSI Tunnel attribute) to guide BUM traffic forwarding, but carry no ES information.
 Type 4 routes carry ESIs for DF election and no label information.

  Route type  RD  ESI  Ethernet Tag ID  MAC/IP Address  Originating Router's IP Address  MPLS Label
  Type 1      √   √    √                -               -                                ESI label (extended community); aliasing label (NLRI)
  Type 2      √   √    √                √               -                                √ (unicast label)
  Type 3      √   -    √                -               √                                BUM label (PMSI Tunnel attribute)
  Type 4      √   √    -                -               √                                -
Ethernet A-D Route
⚫ Ethernet Auto-Discovery (A-D) routes are classified into two types:
 Ethernet A-D per ES route: used for fast convergence (mass withdrawal), redundancy mode advertisement, and split horizon.
 Ethernet A-D per EVI route: used for aliasing.

NLRI field                              Description
Route Distinguisher (8 bytes)           In an Ethernet A-D per ES route, this field is built from the source IP address configured on the PE, for example X.X.X.X:0. In an Ethernet A-D per EVI route, it is the RD of the EVPN instance.
Ethernet Segment Identifier (10 bytes)  Uniquely identifies the connection between the PEs and a CE. The per ES and per EVI routes for an ES both carry that ES's ESI.
Ethernet Tag ID (4 bytes)               In an Ethernet A-D per ES route, this field is all Fs (MAX-ET). In an Ethernet A-D per EVI route, it identifies a broadcast domain within the ES: all 0s means the EVI has a single broadcast domain; otherwise the low-order bits carry the VLAN ID of the broadcast domain, as the RFC permits.
MPLS Label (3 bytes)                    In an Ethernet A-D per ES route, this field is all 0s. In an Ethernet A-D per EVI route, it is the aliasing label used to forward EVPN unicast traffic in load balancing mode.
ESI Label Extended Community Attribute
⚫ ESI Label is an extended community attribute carried in an EVPN Type 1 (Ethernet A-D per ES) route.
⚫ In a multi-homing scenario, Type 1 routes must carry this attribute to implement split horizon.

Field               Description
Type (1 byte)       Fixed value 0x06.
Sub-Type (1 byte)   Fixed value 0x01.
Flags (1 byte)      The low-order bit is the Single-Active bit: 0 indicates all-active (multi-active) redundancy, 1 indicates single-active redundancy.
Reserved (2 bytes)  All 0s.
ESI Label (3 bytes) The label the advertising PE assigned to the ES. A PE that receives a BUM packet carrying this label at the bottom of the label stack does not forward the packet to that ES.
Fast Convergence
⚫ In EVPN, MAC address learning between PEs is driven by BGP. On a large, complex network, withdrawing MAC routes one by one converges slowly. EVPN therefore defines a mechanism that instructs peer PEs to update their forwarding tables efficiently: each PE advertises an Ethernet A-D per ES route for every ES it is attached to.
⚫ When a PE detects a fault on its link to the CE, it deletes the corresponding MAC address entries and withdraws its Ethernet A-D per ES route, which instructs the other PEs to withdraw all MAC addresses learned from that PE on that ES in one operation.
⚫ An Ethernet A-D per ES route must carry the ESI Label extended community attribute.

[Figure: CE1 at Site 1 dual-homed to PE1 and PE2, CE2 at Site 2 attached to PE3; PE1 sends a BGP Update message carrying the Ethernet A-D per ES route to PE3.]
Split Horizon
⚫ When a CE is multi-homed to PEs and the links work in all-active mode, BUM packets sent by the CE to one PE may be looped back to the CE by another PE of the same ES. Split horizon solves this problem.
 All PEs advertise Ethernet A-D per ES routes carrying the ESI Label extended community attribute. In the figure, PE2 (DF) assigns an ESI label (Label1) to ES1 and advertises it to PE1 (non-DF) in an Ethernet A-D per ES route. PE1 pushes this label onto BUM packets destined for PE2. PE2 recognizes the label it assigned itself and does not forward the packet to ES1.
  1. PE2 allocates an MPLS label, for example Label1, to ES1.
  2. When sending BUM traffic to PE2, PE1 pushes Label1 and then the BUM label assigned by PE2. When sending BUM traffic to PE3, PE1 pushes only the BUM label assigned by PE3.
  3. PE2 identifies Label1 and does not forward the BUM traffic to CE1, but forwards it to other ESs in the EVPN instance.
  4. PE3 forwards the BUM traffic to CE2.
Aliasing
⚫ When a CE is multi-homed to PEs in all-active mode, some of the PEs may never learn the CE's MAC addresses, because the CE's link aggregation hashes each flow to a single link. A remote PE would then receive MAC/IP advertisement routes from only one PE and could not load balance across the multi-homing PEs. Aliasing solves this with Ethernet A-D per EVI routes: a PE advertises that it is reachable for an ES and EVI even if it has not learned any MAC address from that ES.
 In this example, CE1 is dual-homed to PE1 and PE2. PE1 has learned the MAC addresses at Site 1 and advertises them in MAC/IP advertisement routes; PE2 has not, but advertises its reachability to ES1 in an Ethernet A-D per EVI route. PE3 therefore treats both PE1 and PE2 as next hops for Site 1.

[Figure: PE1 sends a BGP Update message with the MAC/IP advertisement route destined for Site 1 to PE3; PE2 sends a BGP Update message with an Ethernet A-D per EVI route advertising reachability to Site 1.]

• When a peer PE receives a MAC/IP advertisement route carrying a non-zero ESI, it checks whether the MAC address is also reachable through other PEs of that ES, based on the Ethernet A-D per EVI routes it has received.
• Note: the peer PE may receive the Ethernet A-D per EVI route before the Ethernet A-D per ES route. To avoid forwarding to a PE whose redundancy mode and ESI label are not yet known, the peer PE uses a PE as an aliasing next hop only after it has received both that PE's Ethernet A-D per EVI route and its Ethernet A-D per ES route.
• When a CE is multi-homed to PEs in single-active mode, the remote PE uses the Ethernet A-D per EVI route and the Ethernet A-D per ES route to establish a backup path instead of load balancing.
Type 1 Type 2 Type 3 Type 4

MAC/IP Advertisement Route


⚫ MAC/IP advertisement routes are used to advertise MAC and IP addresses.

NLRI Format Field Description


Route Distinguisher (8 bytes) This field indicates the RD of an EVPN instance.

Ethernet Segment Identifier (10 bytes) This field uniquely identifies connections between PEs and a CE.

Ethernet Tag ID (4 bytes) This field is the VLAN ID configured on the device.

MAC Address Length (1 byte) This field is set to 48 bits.

MAC Address (6 bytes) This field indicates the host MAC address carried in the route.

IP Address Length (1 byte) This field is 0 when no IP address is carried, 32 for an IPv4 address, or 128 for an IPv6 address.

IP Address (0, 4, or 16 bytes) This field is optional and indicates the host IP address carried in the route.

MPLS Label1 (3 bytes) This field is assigned by the downstream router to forward Layer 2 service traffic.

MPLS Label2 (0 or 3 bytes) This field is optional and used to forward Layer 3 service traffic.
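An encoder and strict decoder for this NLRI, as an added Python example (not from the training material). It is the kind of helper you want when dissecting BGP EVPN Updates from a capture: each length field is validated before it is used, so a truncated or malformed route is rejected instead of mis-parsed. The RD, ESI, MAC and label values used in the usage block are taken from the configuration example later in this section or are constructed.

```python
"""EVPN Type 2 (MAC/IP Advertisement) NLRI encoder and strict decoder.
Added example (not from the training material). Layout per the table above
and RFC 7432 section 7.2, prefixed by the EVPN NLRI header Route Type|Length."""
import struct
from dataclasses import dataclass
from typing import Optional

ROUTE_TYPE_MAC_IP = 2
MAC_LEN_BITS = 48


@dataclass
class MacIpRoute:
    rd: bytes                     # 8-byte Route Distinguisher
    esi: bytes                    # 10-byte Ethernet Segment Identifier
    eth_tag: int                  # Ethernet Tag ID (BD tag / VLAN on Huawei)
    mac: bytes                    # 6-byte host MAC address
    ip: Optional[bytes] = None    # None, 4 bytes (IPv4) or 16 bytes (IPv6)
    label1: int = 0               # Layer 2 service label (20-bit value)
    label2: Optional[int] = None  # optional Layer 3 service label


def rd_type0(asn: int, assigned: int) -> bytes:
    """Type 0 RD such as 100:1 -> 0000 0064 00000001."""
    return struct.pack("!HHI", 0, asn, assigned)


def esi_from_str(text: str) -> bytes:
    """Dotted ESI notation, e.g. 0000.1111.2222.1111.1111."""
    raw = bytes.fromhex(text.replace(".", ""))
    if len(raw) != 10:
        raise ValueError("ESI must be 10 bytes")
    return raw


def _pack_label(label: int) -> bytes:
    # A 3-byte MPLS label field carries the 20-bit label in its high-order bits.
    if not 0 <= label < (1 << 20):
        raise ValueError("label out of range")
    return (label << 4).to_bytes(3, "big")


def _unpack_label(raw: bytes) -> int:
    return int.from_bytes(raw, "big") >> 4


def encode_mac_ip(r: MacIpRoute) -> bytes:
    if len(r.rd) != 8 or len(r.esi) != 10 or len(r.mac) != 6:
        raise ValueError("bad RD/ESI/MAC length")
    if r.ip is not None and len(r.ip) not in (4, 16):
        raise ValueError("IP must be 4 or 16 bytes")
    body = r.rd + r.esi + struct.pack("!I", r.eth_tag) + bytes([MAC_LEN_BITS]) + r.mac
    body += bytes([0]) if r.ip is None else bytes([len(r.ip) * 8]) + r.ip
    body += _pack_label(r.label1)
    if r.label2 is not None:
        body += _pack_label(r.label2)
    return bytes([ROUTE_TYPE_MAC_IP, len(body)]) + body


def decode_mac_ip(nlri: bytes) -> MacIpRoute:
    """Every length field is checked before it is used to index the buffer."""
    if len(nlri) < 2 or nlri[0] != ROUTE_TYPE_MAC_IP:
        raise ValueError("not a Type 2 NLRI")
    body = nlri[2:2 + nlri[1]]
    if len(body) != nlri[1] or len(body) < 33:
        raise ValueError("truncated NLRI")
    rd, esi = body[:8], body[8:18]
    eth_tag = struct.unpack("!I", body[18:22])[0]
    if body[22] != MAC_LEN_BITS:
        raise ValueError("MAC length must be 48 bits")
    mac, ip_len, off = body[23:29], body[29], 30
    if ip_len == 0:
        ip = None
    elif ip_len in (32, 128):
        ip, off = body[off:off + ip_len // 8], off + ip_len // 8
    else:
        raise ValueError("IP length must be 0, 32 or 128 bits")
    remaining = len(body) - off
    if remaining not in (3, 6):
        raise ValueError("label field(s) malformed")
    label1 = _unpack_label(body[off:off + 3])
    label2 = _unpack_label(body[off + 3:off + 6]) if remaining == 6 else None
    return MacIpRoute(rd, esi, eth_tag, mac, ip, label1, label2)


def is_well_formed(nlri: bytes) -> bool:
    """Cheap pre-check for a dissector: True only if the NLRI parses completely."""
    try:
        decode_mac_ip(nlri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample mirroring the configuration example: RD 100:1,
    # ESI 0000.1111.2222.1111.1111, CE1's MAC 4c1f-cccf-6675, label 48002.
    route = MacIpRoute(rd_type0(100, 1), esi_from_str("0000.1111.2222.1111.1111"),
                       0, bytes.fromhex("4c1fcccf6675"), None, 48002)
    wire = encode_mac_ip(route)
    print(wire.hex(), decode_mac_ip(wire) == route)
```

The decoder deliberately refuses a MAC length other than 48 and an IP length other than 0, 32 or 128, the only values the table allows; a label field is 3 bytes with the 20-bit label left-aligned, so 48002 appears on the wire as 0b b8 20.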


MAC Mobility Extended Community Attribute


⚫ MAC Mobility is an extended community attribute carried in an EVPN Type 2 route.
⚫ The least significant bit in the Flag field is defined as the Sticky/static bit. If this bit is 1, the MAC
address is fixed and cannot be moved.

Extended Community Attribute Field Description

Type (1 byte) This field has a fixed value of 0x06.

Sub-Type (1 byte) This field has a fixed value of 0x00.

Flag (1 byte) The least significant bit of this field is defined as the Sticky/static bit. If this bit is 0, the MAC address can be moved; if it is 1, the MAC address is static and must not be moved.

Reserved (1 byte) This field is reserved and all 0s.

Sequence Number (4 bytes) This field ensures that a PE selects the correct MAC/IP advertisement route when several update messages for the same MAC address are received: the route with the higher sequence number is preferred, and a PE that learns a MAC locally after seeing it advertised remotely increments the sequence number when it advertises the move.


• MAC address migration will be described based on VXLAN in the following sections.
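The selection and anti-flapping behaviour that the Sequence Number and Sticky/static bit drive, as an added Python example that is not part of the training material. The rules follow RFC 7432 section 15 (higher sequence number wins, ties go to the lowest originating PE address, a sticky MAC is never moved) and its duplicate-MAC detection default of 5 moves within 180 seconds, which is what stops a host, or an attacker spoofing a host's MAC behind another PE, from making the MAC flap between PEs indefinitely. PE addresses, MACs and timings are constructed.

```python
"""MAC mobility: which MAC/IP advertisement route wins, and when a MAC is flapping.
Added example (not from the training material). Rules follow RFC 7432 section 15:
a higher Sequence Number wins, ties go to the lowest originating PE address, and a
MAC advertised with the Sticky/static bit is never moved; a MAC that moves 5 times
within 180 seconds (the RFC defaults) is frozen as a duplicate. Addresses and MACs
below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class MacAdvert:
    mac: str
    origin: str            # originating PE (BGP next hop)
    seq: int               # MAC Mobility sequence number
    sticky: bool = False   # Sticky/static bit in the Flag field


def better_advert(cur: MacAdvert, new: MacAdvert) -> bool:
    """True if `new` must replace `cur` for the same MAC."""
    if new.seq != cur.seq:
        return new.seq > cur.seq
    return ipaddress.ip_address(new.origin) < ipaddress.ip_address(cur.origin)


class MacTable:
    def __init__(self, local_ip: str, move_limit: int = 5, window_s: float = 180.0):
        self.local_ip = local_ip
        self.move_limit, self.window_s = move_limit, window_s
        self.entries: Dict[str, MacAdvert] = {}    # route installed per MAC
        self.moves: Dict[str, List[float]] = {}    # timestamps of recent moves
        self.duplicates: Set[str] = set()          # MACs frozen as duplicates

    def _record_move(self, mac: str, now: float) -> bool:
        """Count moves inside the window; True once the MAC is flapping."""
        recent = [t for t in self.moves.get(mac, []) if now - t <= self.window_s]
        recent.append(now)
        self.moves[mac] = recent
        if len(recent) >= self.move_limit:
            self.duplicates.add(mac)   # stop advertising, raise an alarm
            return True
        return False

    def learn_local(self, mac: str, now: float, sticky: bool = False) -> Tuple[Optional[MacAdvert], str]:
        """MAC seen on a local AC: returns the route to advertise (or None) and why."""
        if mac in self.duplicates:
            return None, "frozen-duplicate"
        cur = self.entries.get(mac)
        if cur is None:
            adv = MacAdvert(mac, self.local_ip, 0, sticky)
        elif cur.origin == self.local_ip:
            return cur, "already-local"
        elif cur.sticky:
            return None, "refused-static"          # a remote PE pinned this MAC
        elif self._record_move(mac, now):
            return None, "duplicate-detected"
        else:
            adv = MacAdvert(mac, self.local_ip, cur.seq + 1, sticky)  # bump announces the move
        self.entries[mac] = adv
        return adv, "advertise"

    def receive_remote(self, adv: MacAdvert, now: float) -> str:
        """MAC/IP advertisement route received from a BGP EVPN peer."""
        if adv.mac in self.duplicates:
            return "frozen-duplicate"
        cur = self.entries.get(adv.mac)
        if cur is None:
            self.entries[adv.mac] = adv
            return "installed"
        if cur.origin == self.local_ip and cur.sticky:
            return "ignored-static-local"          # our static MAC cannot be pulled away
        if not better_advert(cur, adv):
            return "ignored-older"
        if cur.origin == self.local_ip:
            if self._record_move(adv.mac, now):
                return "duplicate-detected"
            self.entries[adv.mac] = adv
            return "moved-remote"                  # caller withdraws its own route
        self.entries[adv.mac] = adv
        return "updated"
```

Run a MAC back and forth between a local AC and a remote PE and the fifth move inside the window lands in `duplicates`; after that both `learn_local` and `receive_remote` refuse to touch the entry until an operator clears it, which is the behaviour you want to see in the logs when a MAC is being spoofed.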

Inclusive Multicast Route


⚫ Inclusive multicast routes are used to process BUM traffic. BUM traffic includes broadcast, multicast, and unknown
unicast traffic.
⚫ After a BGP peer relationship is established between PEs, the PEs transmit inclusive multicast routes to each other.
An inclusive multicast route carries the RD and RTs of the EVPN instance on the local PE, source IP address (usually
the loopback address of the local PE), and Provider Multicast Service Interface (PMSI). The PMSI and RT are carried
in route attribute information while the RD and source IP address are carried in NLRI information.

NLRI Format Field Description

Route Distinguisher (8 bytes) This field indicates the RD of an EVPN instance.

Ethernet Tag ID (4 bytes) This field is the VLAN ID configured on the device.

IP Address Length (1 byte) This field indicates the length of the source IP address configured on a PE.

Originating Router's IP Address (4 or 16 bytes) This field indicates the source IP address configured on a PE.


PMSI Attribute
⚫ The PMSI attribute carries the tunnel type (ingress replication or MLDP) and tunnel label information used for
transmitting multicast packets.
⚫ A PE forwards the multicast traffic that it receives to other PEs in P2MP mode. The PEs can establish a tunnel to
transmit multicast traffic through inclusive multicast routes.
⚫ The PMSI attribute is defined in RFC 6514. In the EVPN scenario, the Leaf bit in the Flags field is 0 and the tunnel type is 6 (ingress replication).

PMSI Attribute Field Description

Flags (1 byte) The last bit of this field is the Leaf bit.

Tunnel Type (1 byte) The value of this field is typically 6 (ingress replication) in EVPN.

MPLS Label (3 bytes) This field is an MPLS label.

Tunnel Identifier (variable length) This field is the IP address of the tunnel end.


Ethernet Segment Route


⚫ Ethernet segment routes are mainly used for DF election.
⚫ Ethernet segment routes carry the ESI, source IP address, and RD (source IP address:0) of the local PE. PEs
connecting to the same CE use Ethernet segment routes to discover each other.

NLRI Format Field Description

Route Distinguisher (8 bytes) This field indicates the RD of an EVPN instance.

Ethernet Segment Identifier (10 bytes) This field uniquely identifies the Ethernet segment, that is, the set of links between the multi-homed CE and the PEs it connects to; all PEs attached to the same CE advertise the same ESI.

IP Address Length (1 byte) This field indicates the IP address length.

Originating Router's IP Address (4 or 16 bytes) This field indicates the source address configured on a PE.


ES-Import Route Target


⚫ ES-Import RT is an extended community attribute newly defined in EVPN and carried in Type 4 routes.
⚫ In an EVPN multi-homing scenario, the ES routes advertised by BGP EVPN must carry the ES-Import RT attribute for
ES route filtering.

⚫ ES route filtering: ES-Import RT allows only PEs connected to the same site to import Type 4 routes. RTs are used to
import Ethernet segment routes to all the PEs connected to the same site.

Extended Community Attribute Field Description

Type (1 byte) This field has a fixed value of 0x06.

Sub-Type (1 byte) This field has a fixed value of 0x02.

ES-Import (6 bytes, shown as 2 + 4 bytes) This field carries the 6-byte ES-Import value that identifies the ES. For ESI types 1, 2, and 3 it is derived automatically from the high-order 6 bytes of the 9-byte ESI value (RFC 7432 section 7.6), so only PEs attached to the same ES import the route.


DF Election
⚫ In a CE multi-homing scenario, an ES may carry multiple Ethernet tags, and for each Ethernet tag on the ES only one PE is elected as the designated forwarder (DF). DF election is implemented using Type 4 routes that carry the ES-Import RT. A DF provides the following functions:
 Sends multicast and broadcast traffic to the CEs on the specified ES.
 Floods unknown unicast traffic to CEs.

Figure: CE1 (Site 1) is dual-homed to PE1 (DF) and PE2 (non-DF); PE3 connects CE2 (Site 2). BUM traffic from Site 2 reaches both PE1 and PE2, but only the DF (PE1) forwards it to CE1, so CE1 does not receive duplicates.

• DF election rules:
▫ A PE discovers the ES and ESI of its local connection and advertises a Type 4 route carrying the ES-Import RT.

▫ The PE starts a timer (3 seconds by default). During this period it collects the ES routes advertised by the other PEs attached to the same ES.

▫ After the timer expires, the PE builds an ordered list of the IP addresses of all PEs attached to the ES (including itself), sorted in ascending order and numbered from 0. For Ethernet tag V and N PEs in the list, the PE at position (V mod N) is the DF for that tag (RFC 7432 section 8.5). Every PE runs the same computation over the same list, so all PEs agree on the DF without further signaling.

▫ The PE elected as the DF forwards BUM traffic to the CE. When a link fault occurs, the affected PE withdraws its ES route, which triggers a re-election on the remaining PEs.
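The election procedure above, as an added Python example that is not part of the training material. It keeps the per-PE state the notes describe (own ES route, the peers' ES routes filtered by ESI, and the wait timer), builds the ascending list of originating addresses and picks index (V mod N) for Ethernet tag V, as in RFC 7432 section 8.5. The ESI and addresses match the configuration example later in this section; the wait timer is simulated with explicit timestamps.

```python
"""Default DF election per <ES, Ethernet tag> from Ethernet segment (Type 4) routes.
Added example (not from the training material). Implements the procedure in the
notes above and RFC 7432 section 8.5: collect ES routes during a wait timer, sort
the attached PEs' originating addresses ascending into a list numbered from 0, and
pick index (V mod N) for Ethernet tag V. Addresses and ESIs are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class EsRoute:
    esi: str          # e.g. "0000.1111.2222.1111.1111"
    origin_ip: str    # Originating Router's IP Address

    @property
    def rd(self) -> str:
        return f"{self.origin_ip}:0"   # RD of a Type 4 route is <source IP>:0


def candidate_list(routes: Iterable[EsRoute], esi: str) -> List[str]:
    """Ordered candidate list: PEs attached to `esi`, ascending by IP (numeric, not lexical)."""
    ips = {r.origin_ip for r in routes if r.esi == esi}
    return sorted(ips, key=ipaddress.ip_address)


def elect_df(routes: Iterable[EsRoute], esi: str, eth_tag: int) -> str:
    """DF for (esi, eth_tag): the PE at position (V mod N) of the ordered list."""
    pes = candidate_list(routes, esi)
    if not pes:
        raise ValueError(f"no PE attached to ESI {esi}")
    return pes[eth_tag % len(pes)]


class DfElector:
    """DF election state kept by one PE: ES routes per ESI plus the wait timer."""

    def __init__(self, local_ip: str, wait_s: float = 3.0):
        self.local_ip, self.wait_s = local_ip, wait_s
        self.routes: Dict[str, Dict[str, EsRoute]] = {}  # esi -> origin_ip -> route
        self.timer_end: Dict[str, float] = {}           # esi -> when the list may be built

    def attach(self, esi: str, now: float) -> EsRoute:
        """Local ES discovered: originate our own Type 4 route and start the timer."""
        route = EsRoute(esi, self.local_ip)
        self.routes.setdefault(esi, {})[self.local_ip] = route
        self.timer_end[esi] = now + self.wait_s
        return route

    def receive(self, route: EsRoute) -> bool:
        """Import a peer's ES route; ES-Import RT filtering keeps only ESIs we are attached to."""
        if route.esi not in self.routes:
            return False
        self.routes[route.esi][route.origin_ip] = route
        return True

    def withdraw(self, route: EsRoute) -> None:
        """A peer withdrew its ES route (link fault): it drops out of the next election."""
        self.routes.get(route.esi, {}).pop(route.origin_ip, None)

    def df(self, esi: str, eth_tag: int, now: float) -> Optional[str]:
        """DF for (esi, eth_tag), or None while the wait timer is still running."""
        if esi not in self.timer_end or now < self.timer_end[esi]:
            return None   # election not complete: act as non-DF, forward no BUM traffic
        return elect_df(self.routes[esi].values(), esi, eth_tag)

    def is_df(self, esi: str, eth_tag: int, now: float) -> bool:
        return self.df(esi, eth_tag, now) == self.local_ip
```

Two details matter in practice: the list must be sorted numerically (10.0.9.1 sorts before 10.0.10.1, which a string sort gets wrong, and a single PE ordering the list differently elects a second DF and duplicates BUM traffic to the CE), and a PE whose timer has not expired must behave as non-DF rather than guess.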
New EVPN Routes
⚫ EVPN is not limited to L2VPN applications. With the increase of EVPN route types, more applications, such as L3VPN, are supported.

Route Type: Function (Benefits)
 (Type 1) Ethernet A-D route: Aliasing, loop prevention, MAC address withdrawal in batches, all-active indication, ESI label advertisement (Fast convergence, load balancing)
 (Type 2) MAC/IP advertisement route: MAC address learning and advertisement (Policy based on each MAC address); MAC/IP binding (ARP suppression); MAC address mobility (Host migration)
 (Type 3) Inclusive multicast route: Auto-discovery of multicast tunnel endpoints and multicast types (BUM traffic forwarding)
 (Type 4) Ethernet segment route: ES member auto-discovery, DF election (Support for both all-active and single-active modes)
 (Type 5) IP prefix route: IP prefix advertisement (Support for L3VPN)
IP Prefix Route
⚫ IP prefix routes are used to advertise a host IP address received from an access network or the network
segment where the host IP address resides.

NLRI Format Field Description

Route Distinguisher (8 bytes) This field indicates the RD of an EVPN instance.

Ethernet Segment Identifier (10 bytes) This field uniquely identifies connections between PEs and a CE.

Ethernet Tag ID (4 bytes) Currently, this field can only be set to 0.

IP Prefix Length (1 byte) This field indicates the mask length of the IP prefix carried in the route.

IP Prefix (4 or 16 bytes) This field indicates the IP prefix carried in the route.

GW IP Address (4 or 16 bytes) This field indicates the default gateway address.

MPLS Label (3 bytes) This field indicates the label used for Layer 3 service traffic forwarding.


• For more details about Type 5 routes, see draft-ietf-bess-evpn-prefix-advertisement (published as RFC 9136).
Typical Application Scenarios of IP Prefix Routes
⚫ Type 5 routes are advertised to an EVPN instance to implement interworking between the EVPN instance and external networks.

Figure: PE1 and PE2 are EVPN peers. The EVI on PE1 has RD 100:1 and RT 10:10 and connects to network segment 10.0.0.0/8. PE1 sends PE2 a BGP Update message carrying a Type 5 route with RD = 100:1, network segment 10.0.0.0/8 and RT 10:10.
EVPN Protocol Standards

Control plane:
 RFC 7432, BGP MPLS-Based Ethernet VPN
 RFC 8365, A Network Virtualization Overlay Solution Using EVPN
 draft-ietf-bess-evpn-inter-subnet-forwarding, Integrated Routing and Bridging in EVPN
 draft-ietf-bess-evpn-prefix-advertisement, IP Prefix Advertisement in EVPN

Data plane:
 VXLAN (IP overlay): RFC 7348 (Virtual eXtensible Local Area Network)
 MPLS: RFC 7432 (BGP MPLS-Based Ethernet VPN)
Contents

1. EVPN Background and Terms

2. EVPN Fundamentals
▫ EVPN Route Overview and Interaction Process
▫ EVPN Route Types
◼ EVPN Access Principles

3. Inter-AS EVPN

4. Typical EVPN Application Scenarios

5. Basic EVPN Configurations


EVPN Access Overview
⚫ Multiple Ethernet VPN instances (EVIs) can be configured on PEs at the edge of an EVPN, with each EVI connecting to one or more user networks. EVPN allows user network access in various service modes, as described in the following table.

Service Mode: Application Scenario
 Port-based mode: The physical interface connected to a user network is directly bound to a common EVI. This service mode is used to carry only Layer 2 services.
 VLAN-based mode: The physical interface connected to a user network is divided into different sub-interfaces. Each sub-interface is bound to a specific EVI, so one EVI is required per user. This service mode is used to carry Layer 2 or Layer 3 services.
 VLAN bundle mode: Users are divided based on VLANs. Multiple VLANs are bound to the same EVI through one BD and share one MAC forwarding table. This service mode is used to carry Layer 2 or Layer 3 services.
 VLAN-aware bundle mode: Users are divided based on VLANs. The VLANs are bound to the same EVI through different BDs (distinguished by BD tags), each with its own MAC forwarding table. This service mode is used to carry Layer 2 or Layer 3 services.
Port-based Mode
⚫ In port-based mode, an interface is used only by a single user. Specifically, the physical interface connected to a user network is bound to a common EVI and has no sub-interfaces created. This service mode is used only to carry Layer 2 services.

Figure: GE1/0/0 on the PE is bound directly to EVPN A.

[~PE] interface GigabitEthernet 1/0/0
[*PE-GigabitEthernet1/0/0] evpn binding vpn-instance evpna
[*PE-GigabitEthernet1/0/0] commit
[~PE-GigabitEthernet1/0/0] quit
VLAN-based Mode
⚫ In VLAN-based mode, the physical interfaces connected to user networks each have different sub-interfaces created. Each sub-interface is associated with a unique VLAN and added to a specific BD, and each BD is bound to a specific EVI. This service mode is used to carry Layer 2 or Layer 3 services. In this example, User1 and User2 access the network through different sub-interfaces.

Figure: User1's service packets are tagged with VLAN 10 and transmitted through GE1/0/0.1 into BD 10, which is bound to EVPN A. User2's service packets are tagged with VLAN 20 and transmitted through GE1/0/0.2 into BD 20, which is bound to EVPN B.

EVPN A configuration example:
[~PE] bridge-domain 10
[*PE-bd10] evpn binding vpn-instance evpna
[*PE-bd10] quit
[*PE] interface GigabitEthernet 1/0/0.1 mode l2
[*PE-G1/0/0.1] encapsulation dot1q vid 10
[*PE-G1/0/0.1] bridge-domain 10
[*PE-G1/0/0.1] commit

• In this service mode, the sub-interface, VLAN, BD, and EVI are exclusively used by
a user to access the network, and a separate MAC forwarding table is used on
the forwarding plane for each user. Although this mode effectively ensures
service isolation, it consumes a large amount of EVI resources because each user
requires one EVI.
VLAN Bundle Mode
⚫ In VLAN bundle mode, an EVI connects to multiple users who are divided by VLAN, and the EVI is bound to a BD. In this service mode, the users connected to the same EVI share a MAC forwarding table, requiring each user on the network to have a unique MAC address. This service mode is used to carry Layer 2 or Layer 3 services.

Figure: User1's service packets are tagged with VLAN 10 and transmitted through GE1/0/0.1; User2's service packets are tagged with VLAN 20 and transmitted through GE1/0/0.2. Both sub-interfaces are added to BD 10, which is bound to EVPN A.

EVPN A configuration example:
[~PE] bridge-domain 10
[*PE-bd10] evpn binding vpn-instance evpna
[*PE-bd10] quit
[*PE] interface GigabitEthernet 1/0/0.1 mode l2
[*PE-G1/0/0.1] encapsulation dot1q vid 10
[*PE-G1/0/0.1] bridge-domain 10
[*PE-G1/0/0.1] commit
VLAN-Aware Bundle Mode
⚫ In VLAN-aware bundle mode, an EVI connects to multiple users divided by VLAN. Additionally, the EVI can be bound to multiple BDs. In this service mode, users connected to the same EVI use separate forwarding entries. During traffic forwarding, the system uses the BD tag carried in packets to locate the corresponding BD MAC forwarding table and searches the table for a forwarding entry based on a MAC address.

Figure: User1's service packets are tagged with VLAN 10 and transmitted through GE1/0/0.1 into BD 10; User2's service packets are tagged with VLAN 20 and transmitted through GE1/0/0.2 into BD 20. Both BDs are bound to EVPN A, each with its own BD tag.

EVPN A configuration example:
[~PE] bridge-domain 10
[*PE-bd10] evpn binding vpn-instance evpna bd-tag 10
[*PE-bd10] quit
[*PE] interface GigabitEthernet 1/0/0.1 mode l2
[*PE-G1/0/0.1] encapsulation dot1q vid 10
[*PE-G1/0/0.1] bridge-domain 10
[*PE-G1/0/0.1] commit

• When EVPN peers send routes to each other, a BD tag is encapsulated into the
Ethernet Tag ID field of Ethernet A-D route packets, MAC/IP advertisement route
packets, and inclusive multicast route packets.
Contents

1. EVPN Background and Terms

2. EVPN Fundamentals

3. Inter-AS EVPN

4. Typical EVPN Application Scenarios

5. Basic EVPN Configurations

Inter-AS EVPN Overview
⚫ Typically, an EVPN architecture runs in an autonomous system (AS). Routing information of
any EVPN can be flooded only in the local AS. In some complex scenarios, an enterprise may
have multiple ASs. In this case, the existing EVPN architecture needs to be extended to
provide an inter-AS EVPN.
⚫ Inter-AS EVPN can be implemented in the following ways, similar to inter-AS MPLS VPN:
 Option A
 Option B
 Option C


• This course describes inter-AS EVPN L3VPN.


Inter-AS EVPN: Option A
⚫ In inter-AS EVPN Option A, EVPN peer relationships need to be established between PEs and ASBRs, and EVPN does not need to run between ASBRs.
⚫ Multiple sub-interfaces are created between ASBRs and bound to VPN instances to transmit IP routes.
⚫ In Option A, intra-AS traffic has two labels, and inter-AS traffic has no label.

Figure: CE1 - PE1 - ASBR1 in AS1 (EVPN) and ASBR2 - PE2 - CE2 in AS2 (EVPN). Encapsulation along the path: CE1-PE1 and PE2-CE2 carry plain Eth | IP; PE1-ASBR1 and ASBR2-PE2 carry Eth | Tunnel Label | EVPN Label | Eth | IP; ASBR1-ASBR2 carries plain Eth | IP (no label).
Inter-AS EVPN: Option B
⚫ In inter-AS EVPN Option B, EVPN peer relationships need to be established between PEs and ASBRs, and between ASBRs.
⚫ After receiving a MAC/IP advertisement route, an ASBR changes the next hop to itself, allocates a new label to the route, and sends the route to the ASBR in another AS.
⚫ In Option B, intra-AS traffic has two labels, and inter-AS traffic has one label (EVPN label).

Figure: Site 1 - PE1 - ASBR1 in AS1 and ASBR2 - PE2 - Site 2 in AS2, with EVPN sessions PE1-ASBR1, ASBR1-ASBR2 and ASBR2-PE2. Encapsulation along the path: Site-PE links carry plain Eth | IP; PE1-ASBR1 carries Eth | Tunnel Label | EVPN Label 1 | Eth | IP; ASBR1-ASBR2 carries Eth | EVPN Label 2 | Eth | IP; ASBR2-PE2 carries Eth | Tunnel Label | EVPN Label 3 | Eth | IP.
Inter-AS EVPN: Option C
⚫ In inter-AS EVPN Option C, an E2E BGP LSP needs to be established between the PEs at different sites (Site 1 and Site 2 in this example).
⚫ PE1 and PE2 establish an EVPN peer relationship. ASBRs are unaware of MAC/IP advertisement routes.
⚫ In Option C, intra-AS traffic has three labels, and inter-AS traffic has two labels (EVPN label and BGP label).

Figure: Site 1 - PE1 - ASBR1 in AS1 and ASBR2 - PE2 - Site 2 in AS2. The labeled BGP sessions are IBGP between PE1 and ASBR1, EBGP between ASBR1 and ASBR2, and IBGP between ASBR2 and PE2; the EVPN session runs end to end between PE1 and PE2. Encapsulation along the path: Site-PE links carry plain Eth | IP; PE1-ASBR1 carries three labels (Eth | Tunnel Label | BGP Label | EVPN Label | Eth | IP); ASBR1-ASBR2 carries Eth | BGP Label 2 | EVPN Label | Eth | IP; ASBR2-PE2 carries Eth | Tunnel Label | BGP Label 3 | EVPN Label | Eth | IP.
Contents

1. EVPN Background and Terms

2. EVPN Fundamentals

3. Inter-AS EVPN

4. Typical EVPN Application Scenarios

5. Basic EVPN Configurations

EVPN Application on a WAN

Service type: Without EVPN / With EVPN
 E-LAN: VPLS / EVPN (RFC 7432, basic standard) or PBB-EVPN (RFC 7623)
 E-Line: VPWS / EVPN VPWS (RFC 8214)
 E-Tree: VPLS ETREE / EVPN ETREE (RFC 8317)
 L3VPN: L3VPN / EVPN L3VPN (draft-ietf-bess-evpn-prefix-advertisement-11)

• E-Line, E-LAN, and E-Tree are three types of Ethernet virtual connection (EVC): point-to-point EVC, multipoint-to-multipoint EVC, and rooted-multipoint EVC, respectively.

▫ E-Line: A point-to-point EVC associates two user-network interfaces (UNIs).

▫ E-LAN: A multipoint-to-multipoint EVC associates two or more UNIs. Users or carriers can add UNIs to or remove UNIs from the EVC without affecting the other UNIs.

▫ E-Tree: This EVC is similar to the hub-spoke model in L3VPN. It consists of one or more root UNIs and several leaf UNIs. A root UNI can communicate directly with all UNIs in the EVC, whereas a leaf UNI can communicate directly only with root UNIs. Two leaf UNIs cannot communicate with each other directly.
EVPN Application in a DC
⚫ In a cloud DC, the EVPN Network Virtualization Overlay (NVO) solution (RFC 8365) can be used.
⚫ It is recommended that the data plane use VXLAN encapsulation and the control plane use EVPN to construct a flexible DC overlay network.

Figure: A spine-leaf fabric; the server cluster, VAS resource pool and egress router attach to the leaf nodes, and a VXLAN/EVPN overlay spans the fabric.
• All services in the DC are carried over the VXLAN overlay network.
• The underlay network consisting of spine and leaf nodes is responsible for high-speed forwarding.
EVPN Application on a Campus Network
⚫ Similar to the cloud DC solution, the campus network virtualization solution can also use EVPN NVO (RFC 8365).
⚫ On different underlying networks, VXLAN encapsulation is used together with EVPN on the control plane to build a flexible campus overlay network.

Figure: Virtual networks VN 1, VN 2 and VN 3 form the overlay (virtual network layer) on top of a physical network of LAN switches (LSWs), APs and an NGFW that connects to the Internet/WAN.
EVPN Application in SD-WAN
⚫ SD-WAN is a next-generation enterprise branch interconnection solution that supports features such as intelligent traffic steering, zero touch provisioning (ZTP), and visualization.
⚫ In the SD-WAN solution, EVPN can be deployed between the route reflector (RR) and CPE to transmit SD-WAN overlay VPN routes on the control plane. The data plane uses IPsec VPN to build a secure forwarding channel.

Figure: An RR exchanges BGP EVPN routes with Site1 (CPE) and Site2 (CPE), each advertising its site information. The CPEs are connected over two transport networks (Transport network-1 with addresses 1.1.1.1 and 1.1.1.2, Transport network-2 with addresses 2.2.2.1 and 2.2.2.2), and an IPsec VPN tunnel runs over each transport network between the sites.
Contents

1. EVPN Background and Terms

2. EVPN Fundamentals

3. Inter-AS EVPN

4. Typical EVPN Application Scenarios

5. Basic EVPN Configurations


◼ Configuring an EVPN to Carry Layer 2 Services
▫ Configuring an EVPN to Carry Layer 3 Services

Configuring BD EVPN Functions
1. Configure an EVPN instance in BD mode.
[Huawei] evpn vpn-instance evpna bd-mode
[Huawei-evpn-instance-evpna] route-distinguisher 100:1
[Huawei-evpn-instance-evpna] vpn-target 1:1 [ both | export-extcommunity | import-extcommunity ]

An EVPN instance named evpna is created, the EVPN instance view is displayed, and the RD and RT are set to 100:1 and 1:1,
respectively.
2. Configure an EVPN source address.
[Huawei] evpn source-address ip-address

The EVPN source address is part of EVPN route information and can be used to identify a PE on an EVPN. Configuring EVPN
source addresses is a mandatory task for EVPN configuration.

3. Configure an ESI.
[Huawei-Eth-Trunk10] esi esi

Configure the ESI on the interface through which the CE accesses the EVPN (Eth-Trunk 10 in this example). The PEs attached to the same multi-homed CE must be configured with the same ESI, because the ESI is what lets them discover each other through Type 4 routes. For details about other configurations, see the product manual of the corresponding product.

• This example describes the configuration commands on Huawei NE20E-S2 (V800R012C10) series routers. For the configuration commands of other models, see the corresponding product manuals.
Configuring a BD and Binding an EVPN Instance to the BD
1. Configure a BD and bind the EVPN instance to it.
[Huawei] bridge-domain 10
[Huawei-bd10] evpn binding vpn-instance evpna [ bd-tag bd-tag ]

In MPLS forwarding, bind a BD to the EVPN instance named evpna. In this example, the BD ID is 10. By specifying different bd-
tag values, you can bind multiple BDs with different VLANs to the same EVPN instance and isolate services in these BDs.

2. Add a Layer 2 sub-interface to the BD so that the sub-interface can transmit data packets in this BD.
[Huawei] interface Eth-Trunk10.1 mode l2
[Huawei-Eth-Trunk10.1] encapsulation dot1q vid 2
[Huawei-Eth-Trunk10.1] rewrite pop single
[Huawei-Eth-Trunk10.1] bridge-domain 10

The Layer 2 sub-interface is added to a BD so that it can transmit data packets in this BD. In this example, the sub-interface ID is Eth-
Trunk10.1.
The rewrite pop { single | double } command removes single or double VLAN tags from received packets. For single-tagged packets
that a Layer 2 sub-interface receives, specify single to remove the tags from these packets. If the encapsulation type of packets has
been set to QinQ in the previous step, specify double to remove double VLAN tags from the received packets.

Example for Configuring Eth-Trunk Sub-interfaces to Access a BD EVPN (Dual-Homing Active-Active)

Figure: CE1 (192.168.1.1/24, VLAN 2) is dual-homed through an Eth-Trunk to PE1 (Loopback0 10.0.1.1/32) and PE2 (Loopback0 10.0.2.2/32); CE2 (192.168.1.2/24, VLAN 2) is single-homed to PE3 (Loopback0 10.0.3.3/32). The figure labels the access interface GE0/2/0.

⚫ EVPN needs to be configured on the network to implement Layer 2 communication.
 CE1 is dual-homed to PE1 and PE2 and works in active-active mode through an E-Trunk.
 The ESI of CE1 is 0000.1111.2222.1111.1111.
 IP addresses of CE1 and CE2 are 192.168.1.1/24 and 192.168.1.2/24 respectively.
 The EVPN instance name is evpna.
 On PE1, PE2, and PE3, the RDs of the EVPN instance evpna are 100:1, 200:1, and 300:1 respectively and the RTs are 1:1.

⚫ Configuration roadmap
 Configure an IGP on the backbone network to allow the PEs to communicate with each other. (The configuration details are not provided here.)
 Configure basic MPLS functions and enable MPLS LDP to establish LDP LSPs on the backbone network. (The configuration details are not provided here.)
 Configure a BD EVPN instance on PEs.
 Configure an ESI and E-Trunk to implement dual-homing active-active networking.
 Configure local-remote fast reroute (FRR) for MAC routes.
 Establish BGP EVPN peer relationships.
 Configure a CE to access the PEs through an Eth-Trunk interface.
 Verify the configuration.

• The features required in an EVPN dual-homing scenario, such as fast convergence, split horizon, and DF election, all become meaningless in a single-homing scenario. In such a scenario, configuring an ESI on a single-homing PE is optional.
Example for Configuring Eth-Trunk Sub-interfaces to Access a BD EVPN (1)

Configure a BD EVPN instance on PEs. The following uses PE1 as an example:
[~PE1] evpn vpn-instance evpna bd-mode
[*PE1-evpn-instance-evpna] route-distinguisher 100:1
[*PE1-evpn-instance-evpna] vpn-target 1:1
[*PE1-evpn-instance-evpna] quit
[*PE1] bridge-domain 10
[*PE1-bd10] evpn binding vpn-instance evpna
[*PE1-bd10] quit
[*PE1] commit

The following uses PE1 as an example to configure a source address:
[~PE1] evpn source-address 1.1.1.1
[*PE1] commit
Example for Configuring Eth-Trunk Sub-interfaces to Access a BD EVPN (2)

Configure an ESI and E-Trunk to implement dual-homing active-active networking. The following uses PE1 as an example:
[~PE1] lacp e-trunk system-id 00e0-fc00-0000
[*PE1] lacp e-trunk priority 1
[*PE1] e-trunk 1
[*PE1-e-trunk-1] peer-address 2.2.2.2 source-address 1.1.1.1
[*PE1-e-trunk-1] quit
[*PE1] interface eth-trunk 10
[*PE1-Eth-Trunk10] mode lacp-static
[*PE1-Eth-Trunk10] e-trunk 1
[*PE1-Eth-Trunk10] e-trunk mode force-master
[*PE1-Eth-Trunk10] esi 0000.1111.2222.1111.1111
[*PE1-Eth-Trunk10] quit
[*PE1] interface eth-trunk 10.1 mode l2
[*PE1-Eth-Trunk10.1] encapsulation dot1q vid 2
[*PE1-Eth-Trunk10.1] rewrite pop single
[*PE1-Eth-Trunk10.1] bridge-domain 10
[*PE1-Eth-Trunk10.1] quit
[*PE1] interface gigabitethernet 0/1/0
[*PE1-GigabitEthernet0/1/0] eth-trunk 10
[*PE1-GigabitEthernet0/1/0] quit
[*PE1] commit

The E-Trunk system ID of PE2 must be the same as that of PE1, and PE2 must configure the same ESI on its Eth-Trunk 10 so that both PEs advertise the same ES.

• For details about the E-Trunk configuration, see the corresponding product documentation.
Example for Configuring Eth-Trunk Sub-interfaces to Access a BD EVPN (3)

Configure local-remote FRR for MAC routes. The following uses PE1 as an example:
[~PE1] evpn
[*PE1-evpn] vlan-extend private enable
[*PE1-evpn] vlan-extend redirect enable
[*PE1-evpn] local-remote frr enable
[*PE1-evpn] quit
[*PE1] commit

In CE multi-homing scenarios, MAC route redirection enables all PEs connected to the same CE to redirect the outbound interfaces of MAC routes destined for the CE to local AC interfaces. This function shortens forwarding paths and improves forwarding efficiency.

If the AC interface on one of the PEs fails, the outbound interface of the associated MAC route can be quickly redirected so that traffic is forwarded through another active PE, improving reliability.
Example for Configuring Eth-Trunk Sub-interfaces to Access a BD EVPN (4)

Establish BGP EVPN peer relationships. The following uses PE1 as an example:
[~PE1] bgp 100
[*PE1-bgp] peer 10.0.2.2 as-number 100
[*PE1-bgp] peer 10.0.2.2 connect-interface loopback 0
[*PE1-bgp] peer 10.0.3.3 as-number 100
[*PE1-bgp] peer 10.0.3.3 connect-interface loopback 0
[*PE1-bgp] l2vpn-family evpn
[*PE1-bgp-af-evpn] peer 10.0.2.2 enable
[*PE1-bgp-af-evpn] peer 10.0.3.3 enable
[*PE1-bgp-af-evpn] quit
[*PE1-bgp] quit
[*PE1] commit

The sessions are sourced from Loopback0 (10.0.1.1/32 on PE1), which is the address PE2 and PE3 use in their own peer statements; a session sourced from any other interface would not come up.
Example for Configuring Eth-Trunk Sub-interfaces to Access a BD EVPN (5)

Configure a CE to access the PEs through the Eth-Trunk interface. The following uses CE1 as an example:
[~CE1] vlan 2
[*CE1-vlan2] quit
[*CE1] interface Eth-Trunk10
[*CE1-Eth-Trunk10] portswitch
[*CE1-Eth-Trunk10] port link-type trunk
[*CE1-Eth-Trunk10] port trunk allow-pass vlan 2
[*CE1-Eth-Trunk10] mode lacp-static
[*CE1-Eth-Trunk10] quit
[*CE1] interface gigabitethernet0/1/0
[*CE1-GigabitEthernet0/1/0] eth-trunk 10
[*CE1-GigabitEthernet0/1/0] quit
[*CE1] interface gigabitethernet0/2/0
[*CE1-GigabitEthernet0/2/0] eth-trunk 10
[*CE1-GigabitEthernet0/2/0] quit
[*CE1] commit
Verifying the Configuration (1)

Check the BGP EVPN peer relationship on PE3.
[~PE3]display bgp evpn peer
BGP local router ID : 10.0.3.3
Local AS number : 100
Total number of peers : 2 Peers in established state : 2
Peer AS State PrefRcv
10.0.1.1 100 Established 4
10.0.2.2 100 Established 4

Check Type 3 routes on PE3.
<PE3>display bgp evpn all routing-table inclusive-route
Local AS number : 100
EVPN address family:
Number of Inclusive Multicast Routes: 3
Route Distinguisher: 100:1
Network(EthTagId/IpAddrLen/OriginalIp) NextHop
*>i 0:32:10.0.1.1 10.0.1.1
Route Distinguisher: 200:1
Network(EthTagId/IpAddrLen/OriginalIp) NextHop
*>i 0:32:10.0.2.2 10.0.2.2
Route Distinguisher: 300:1
Network(EthTagId/IpAddrLen/OriginalIp) NextHop
*> 0:32:10.0.3.3 127.0.0.1

EVPN-Instance evpna:
Number of Inclusive Multicast Routes: 3
Network(EthTagId/IpAddrLen/OriginalIp) NextHop
*>i 0:32:10.0.1.1 10.0.1.1
*>i 0:32:10.0.2.2 10.0.2.2
*> 0:32:10.0.3.3 127.0.0.1

PE3 receives Type 3 routes from PE1 and PE2 and uses them to build the ingress-replication list for BUM traffic.
Verifying the Configuration (2)

Check Type 4 routes on PE3.
<PE3>display bgp evpn all routing-table es-route
Local AS number : 100
EVPN address family:
Number of ES Routes: 3
Route Distinguisher: 10.0.1.1:0
Network(ESI) NextHop
*>i 0000.1111.2222.1111.1111 10.0.1.1
Route Distinguisher: 10.0.2.2:0
Network(ESI) NextHop
*>i 0000.1111.2222.1111.1111 10.0.2.2
Route Distinguisher: 10.0.3.3:0
Network(ESI) NextHop
*> 014c.1fcc.f95d.e30a.3100 127.0.0.1

EVPN-Instance evpna:
Number of ES Routes: 1
Network(ESI) NextHop
*> 014c.1fcc.f95d.e30a.3100 127.0.0.1

Type 4 routes sent by PE1 and PE2 carry the same ESI (0000.1111.2222.1111.1111), so the two PEs discover each other as members of the ES and run DF election for it. The RD of each ES route is the PE's source address followed by :0, as described earlier. PE3's own ESI 014c.1fcc.f95d.e30a.3100 starts with 01, a Type 1 ESI derived automatically from the attached CE's LACP system MAC (4c1f-ccf9-5de3, the MAC of CE2 shown on the following pages) and port key.
Verifying the Configuration (3)

Check Type 2 routes on PE3.
<PE3>display bgp evpn all routing-table mac-route
Local AS number : 100
BGP Local router ID is 10.0.3.3
EVPN address family:
Number of Mac Routes: 2
Route Distinguisher: 100:1
Network(EthTagId/MacAddrLen/MacAddr/IpAddrLen/IpAddr) NextHop
*>i 0:48:4c1f-cccf-6675:0:0.0.0.0 10.0.1.1
Route Distinguisher: 300:1
Network(EthTagId/MacAddrLen/MacAddr/IpAddrLen/IpAddr) NextHop
*> 0:48:4c1f-ccf9-5de3:0:0.0.0.0 0.0.0.0

EVPN-Instance evpna:
Number of Mac Routes: 2
Network(EthTagId/MacAddrLen/MacAddr/IpAddrLen/IpAddr) NextHop
*>i 0:48:4c1f-cccf-6675:0:0.0.0.0 10.0.1.1
*> 0:48:4c1f-ccf9-5de3:0:0.0.0.0 0.0.0.0

PE1 sends the MAC address of CE1 (4c1f-cccf-6675) to PE3. Only PE1 has learned this MAC, so PE3 reaches CE1 through PE2 only by aliasing, using PE2's Ethernet A-D routes.
Verifying the Configuration (4)

Check Type 1 routes on PE3.
<PE3>display bgp evpn all routing-table ad-route
Local AS number : 100
BGP Local router ID is 10.0.3.3
EVPN address family:
Number of A-D Routes: 5
Route Distinguisher: 100:1
Network(ESI/EthTagId) NextHop
*>i 0000.1111.2222.1111.1111:0 10.0.1.1
Route Distinguisher: 200:1
Network(ESI/EthTagId) NextHop
*>i 0000.1111.2222.1111.1111:0 10.0.2.2

EVPN-Instance evpna:
Number of A-D Routes: 4
Network(ESI/EthTagId) NextHop
*>i 0000.1111.2222.1111.1111:0 10.0.1.1
 i 10.0.2.2
*> 014c.1fcc.f95d.e30a.3100:0 127.0.0.1

PE1 and PE2 advertise Type 1 routes for the shared ESI, which PE3 uses for split horizon and, together with the Type 2 route from PE1, for aliasing toward PE2.
Verifying the Configuration (5)
Check the MAC address table of evpna on PE3.
[Figure: PE1 (Loopback0 10.0.1.1/32), PE2 (Loopback0 10.0.2.2/32), PE3 (Loopback0 10.0.3.3/32), GE0/2/0; CE1 192.168.1.1/24 and CE2 192.168.1.2/24 in VLAN 2]
<PE3>display evpn mac routing-table evpn-instance evpna verbose
MAC Flag: D - download to fib
-----------------------------------------------------------------------------
EVPN name: evpna
MACs: 2                          Entries: 3
MAC Address: 4c1f-cccf-6675                          #MAC address of CE1
Protocol: BGP                    VLAN/BD: 10
State: Active                    Age: 00h13m01s
Type: Dynamic                    Label: 48002         #Label allocated by PE1 to CE1
IndirectID: 0x1000080            PeerIP: 10.0.1.1
Flag: D
TunnelID: 0x0000000001004c4b82   Interface: Ethernet1/0/0

MAC Address: 4c1f-cccf-6675
Protocol: BGP                    VLAN/BD: 10
State: Active                    Age: 00h13m01s
Type: Dynamic                    Label: 48002
IndirectID: 0x100007D            PeerIP: 10.0.2.2
Flag: D
TunnelID: 0x0000000001004c4b81   Interface: Ethernet1/0/1

Check the ARP table on CE2 and ping CE1 from CE2.
<CE2>display arp
IP ADDRESS      MAC ADDRESS     INTERFACE
--------------------------------------------------------------------
192.168.1.2     4c1f-ccf9-5de3  Vlanif2        #MAC address of CE2
192.168.1.1     4c1f-cccf-6675  Eth-Trunk10    #MAC address of CE1
<CE2>ping 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=50 ms
Contents

1. EVPN Background and Terms

2. EVPN Fundamentals

3. Inter-AS EVPN

4. Typical EVPN Application Scenarios

5. Basic EVPN Configurations


▫ Configuring an EVPN to Carry Layer 2 Services
◼ Configuring an EVPN to Carry Layer 3 Services



Configuring an EVPN to Carry Layer 3 Services
1. Configure an L3VPN instance.
[Huawei] ip vpn-instance vpna
[Huawei-vpn-instance-vpna] route-distinguisher route-distinguisher
[Huawei-vpn-instance-vpna] vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ] evpn
Create an L3VPN instance named vpna, enter the L3VPN instance view, and configure an RD and an RT. The keyword evpn needs to be
appended to the RT.

2. Enable EVPN to generate and advertise IP prefix routes and IRB routes.
[Huawei-vpn-instance-vpna] evpn mpls routing-enable
In an EVPN L3VPN scenario, when MPLS or SR-MPLS tunnels are used as public network tunnels, enable EVPN to generate and advertise IP prefix
routes and IRB routes so that the local device can advertise IP prefix routes and IRB routes to EVPN peers. If non-MPLS tunnels, such as VXLAN and
SRv6 tunnels, are used as public network tunnels, you do not need to run this command.

3. Configure IP prefix route advertisement.
[Huawei-bgp-vpna] advertise l2vpn evpn
By default, locally leaked routes in a VPN instance are not sent to an EVPN instance. To support mutual access between different VPN instances, enable
the function of advertising locally leaked routes from a VPN instance to an EVPN instance so that these routes can be sent to the remote device through
a BGP EVPN peer relationship.


Example for Configuring an EVPN to Carry Layer 3 Services: Requirement Description
[Figure: CE1 192.168.1.1/24 -- GE0/1/0 PE1 (Loopback0 10.0.1.1/32) -- P1 (Loopback0 10.0.2.2/32) -- PE2 (Loopback0 10.0.3.3/32) GE0/2/0 -- CE2 192.168.2.1/24]
⚫ Configure EVPN on the network to implement Layer 3 communication.
 ▫ The gateway address of CE1 is 192.168.1.254/24.
 ▫ The gateway address of CE2 is 192.168.2.254/24.
 ▫ The L3VPN instance name is vpna.
 ▫ On PE1 and PE2, the RDs of the L3VPN instance vpna are 100:1 and 200:1 respectively and the RTs are 1:1.
⚫ Configuration roadmap
 ▫ Configure an IGP on the backbone network to allow the PEs to communicate. (The configuration details are not provided here.)
 ▫ Configure basic MPLS functions and enable MPLS LDP to establish MPLS LSPs on the backbone network. (The configuration details are not provided here.)
 ▫ Configure an L3VPN instance on PEs.
 ▫ Establish BGP EVPN peer relationships.
 ▫ Configure CEs to access PEs and advertise routes.
 ▫ Verify the configuration.


Example for Configuring an EVPN to Carry Layer 3 Services (1)
[Figure: CE1 192.168.1.1/24 -- GE0/1/0 PE1 (Loopback0 10.0.1.1/32) -- P1 (Loopback0 10.0.2.2/32) -- PE2 (Loopback0 10.0.3.3/32) GE0/2/0 -- CE2 192.168.2.1/24]
The following uses PE1 as an example to configure an L3VPN instance.
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 1:1 both evpn
[*PE1-vpn-instance-vpna-af-ipv4] evpn mpls routing-enable
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] commit

The following uses PE1 as an example to establish BGP EVPN peer relationships.
[~PE1] bgp 100
[*PE1-bgp] peer 10.0.3.3 as-number 100
[*PE1-bgp] peer 10.0.3.3 connect-interface loopback 0
[*PE1-bgp] l2vpn-family evpn
[*PE1-bgp-af-evpn] peer 10.0.3.3 enable
[*PE1-bgp-af-evpn] quit
[*PE1-bgp] quit
[*PE1] commit


Example for Configuring an EVPN to Carry Layer 3 Services (2)
[Figure: CE1 192.168.1.1/24 -- GE0/1/0 PE1 (Loopback0 10.0.1.1/32) -- P1 (Loopback0 10.0.2.2/32) -- PE2 (Loopback0 10.0.3.3/32) GE0/2/0 -- CE2 192.168.2.1/24]
The following uses PE1 as an example to configure CEs to access PEs.
[~PE1] interface GigabitEthernet 0/1/0
[*PE1-GigabitEthernet0/1/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet0/1/0] ip address 192.168.1.254 255.255.255.0
[*PE1-GigabitEthernet0/1/0] quit
[*PE1] commit

The following uses PE1 as an example to configure CE-side route advertisement.
[~PE1] bgp 100
[~PE1-bgp] ipv4-family vpn-instance vpna
[~PE1-bgp-vpna] import-route direct
[~PE1-bgp-vpna] advertise l2vpn evpn
[~PE1-bgp-vpna] quit
[~PE1-bgp] quit
[~PE1] commit


Verifying the Configuration (1)
Check Type 5 routes on PE1.
[Figure: CE1 192.168.1.1/24 -- GE0/1/0 PE1 (Loopback0 10.0.1.1/32) -- P1 (Loopback0 10.0.2.2/32) -- PE2 (Loopback0 10.0.3.3/32) GE0/2/0 -- CE2 192.168.2.1/24]
<PE1>display bgp evpn all routing-table prefix-route
 Local AS number : 100
 BGP Local router ID is 10.0.1.1
 EVPN address family:
 Number of Ip Prefix Routes: 2
 Route Distinguisher: 100:1
       Network(EthTagId/IpPrefix/IpPrefixLen)             NextHop
 *>    0:192.168.1.0:24                                   0.0.0.0
 Route Distinguisher: 200:1
       Network(EthTagId/IpPrefix/IpPrefixLen)             NextHop
 *>i   0:192.168.2.0:24                                   10.0.3.3   #This is the Type 5 route advertised by PE3.


Verifying the Configuration (2)
Check detailed information about Type 5 routes on PE1.
[Figure: CE1 192.168.1.1/24 -- GE0/1/0 PE1 (Loopback0 10.0.1.1/32) -- P1 (Loopback0 10.0.2.2/32) -- PE2 (Loopback0 10.0.3.3/32) GE0/2/0 -- CE2 192.168.2.1/24]
[~PE1]display bgp evpn all routing-table prefix-route 0:192.168.2.0:24
 BGP local router ID : 10.0.1.1
 Local AS number : 100
 Total routes of Route Distinguisher(200:1): 1
 BGP routing table entry information of 0:192.168.2.0:24:
 Label information (Received/Applied): 48005/NULL   #This label is allocated by PE3.
 From: 10.0.3.3 (10.0.13.3)
 Route Duration: 0d01h29m51s
 Relay IP Nexthop: 10.0.13.3
 Relay Tunnel Out-Interface: LDP LSP   #The outer tunnel is an LDP tunnel.
 Original nexthop: 10.0.3.3
 Qos information : 0x0
 Ext-Community: RT <1 : 1>
 AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255, IGP cost 1
 Route Type: 5 (Ip Prefix Route)
 Ethernet Tag ID: 0, IP Prefix/Len: 192.168.2.0/24, ESI: 0000.0000.0000.0000.0000, GW IP Address: 0.0.0.0
 Not advertised to any peer yet


Verifying the Configuration (3)
Check the routing table of vpna on PE1.
[Figure: CE1 192.168.1.1/24 -- GE0/1/0 PE1 (Loopback0 10.0.1.1/32) -- P1 (Loopback0 10.0.2.2/32) -- PE2 (Loopback0 10.0.3.3/32) GE0/2/0 -- CE2 192.168.2.1/24]
<PE1>display ip routing-table vpn-instance vpna
------------------------------------------------
Routing Table : vpna
 Destination/Mask    Proto    NextHop          Interface
 192.168.1.0/24      Direct   192.168.1.254    GigabitEthernet0/1/0
 192.168.2.0/24      IBGP     10.0.3.3         GigabitEthernet0/2/0

Ping 192.168.2.1 from CE1.
<CE1>ping 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=126 time=30 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=126 time=10 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=126 time=50 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=126 time=40 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=126 time=50 ms
--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 10/36/50 ms


Quiz
1. (Single-answer question) Which of the following route types is used by EVPN to implement fast
convergence? ( )
A. Type 1
B. Type 2
C. Type 3
D. Type 4
2. (Single-answer question) Which of the following types of routes carries the MPLS label used for
forwarding unicast data? ( )
A. Type 1
B. Type 2
C. Type 3
D. Type 4


1. A
2. B
Summary
⚫ EVPN uses BGP extensions to implement MAC address learning and advertisement on the control plane
instead of the data plane. EVPN allows a device to manage MAC addresses in the same way as it
manages routes, implementing load balancing between EVPN routes with the same destination MAC
address but different next hops. In addition, EVPN supports the deployment of BGP RRs, significantly
reducing network complexity.
⚫ EVPN uses the labels carried in Type 3 routes to guide BUM traffic forwarding, uses the labels carried in
Type 2 routes to guide unicast traffic forwarding, uses Type 1 routes to implement split horizon and
fast convergence, and uses Type 4 routes to implement DF election and automatic ES member
discovery. EVPN also supports the advertisement of IP prefix routes through Type 5 routes.
⚫ With the enrichment of application scenarios and extension of protocols, EVPN can be used in various
scenarios, including WAN, DC, and campus network scenarios.



Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
• IPv6 static routes and IPv4 static routes differ mainly in destination and next-hop
IP addresses. IPv6 static routes use IPv6 addresses, whereas IPv4 static routes use
IPv4 addresses.
• [Huawei] ipv6 route-static dest-ipv6-address prefix-length { interface-type interface-number [ nexthop-ipv6-address ] | nexthop-ipv6-address | vpn-instance vpn-destination-name nexthop-ipv6-address } [ preference preference ] [ permanent | inherit-cost ] [ description text ]
 ▫ preference preference: specifies a preference value for the route. The value is an integer ranging from 1 to 255. The default value is 60.
 ▫ permanent: enables the function of permanently advertising the IPv6 static route.
 ▫ inherit-cost: enables the static route to inherit the cost of the recursive route.
 ▫ description text: specifies a description for the static route. The value is a string of 1 to 80 characters and can contain spaces.
• [Huawei] ipv6 route-static vpn-instance vpn-instance-name dest-ipv6-address prefix-length { [ interface-type interface-number [ nexthop-ipv6-address ] ] | nexthop-ipv6-address [ public ] | vpn-instance vpn-destination-name nexthop-ipv6-address } [ preference preference ] [ permanent | inherit-cost ] [ description text ]
 ▫ public: indicates that nexthop-ipv6-address is a public network address instead of an address in the source VPN instance.
• Similarities also include support for special areas, support for virtual links, and
multi-process support.

• For details, see the "HCIP-Datacom-Core Technology" course.


• On broadcast, NBMA, P2P, and P2MP networks, OSPFv2 uses IPv4 interface
addresses to identify neighbors. On virtual-link networks, however, OSPFv2 uses
router IDs to identify neighbors.
• IPv6 emphasizes the link concept. Multiple IPv6 prefixes that indicate different IP
subnets can be allocated to the same link. Different from IPv4, IPv6 allows two
nodes on the same link to communicate even if they do not have the same IPv6
prefix. This greatly changes the OSPF behavior.

• In OSPFv3, the concepts "link" and "prefix" are frequently used, which however
are independent of each other. The terms "network" and "subnet" used in
OSPFv2 should be replaced with the term "link" when OSPFv3 is discussed.
• In multi-instance, each instance is differentiated by adding a specific instance ID
to the OSPFv3 packet header. If an instance is assigned a specific instance ID, the
OSPFv3 packets that do not match the instance ID are discarded.
• IPv6 implements neighbor discovery and automatic configuration using link-local
addresses. Routers running IPv6 do not forward IPv6 packets whose destination
addresses are link-local addresses. Such packets are valid only on the local link.

• OSPFv3 is a routing protocol running on IPv6 and uses link-local addresses to send OSPFv3 packets.
 ▫ OSPFv3 assumes that each router has been assigned a link-local address on each link. All OSPFv3 interfaces except virtual-link interfaces use the associated link-local addresses as the source addresses to send OSPFv3 packets.
 ▫ A router learns the link-local addresses of all the other routers attached to the same link and uses these addresses as the next-hop addresses to forward packets.
 ▫ Note: Description of link-local addresses is only contained in link-LSAs (a new type of LSA supported in OSPFv3).
• Note: On a virtual link, the global unicast address or a site's local address must be used as the source address of OSPFv3 packets.
• OSPFv3 packets have the following functions:

▫ Hello packet: Hello packets are sent periodically to discover, establish, and
maintain OSPFv3 neighbor relationships.

▫ DD packet: A DD packet describes the summary of a local LSDB and is used for LSDB synchronization between two devices.

▫ LSR packet: An LSR packet is used to request the required LSAs from a
neighbor. An OSPFv3 device sends LSR packets to its neighbor only after DD
packets have been successfully exchanged between them.

▫ LSU packet: An LSU packet is sent to a neighbor to provide required LSAs.

▫ LSAck packet: An LSAck packet is used to acknowledge the received LSAs.


• Version: indicates the OSPF version, and occupies 1 byte. For OSPFv3, the value is
3.

• Type: indicates the type of an OSPFv3 packet and occupies 1 byte. The following
types are available:

▫ 1: Hello packet

▫ 2: DD packet

▫ 3: LSR packet

▫ 4: LSU packet

▫ 5: LSAck packet

• Packet length: indicates the total length of an OSPFv3 packet, including the
packet header. The field occupies 2 bytes.

• Router ID: indicates the router ID of the router that originates the packet, and
occupies 4 bytes.

• Area ID: indicates the area in which the packet is sent, and occupies 4 bytes.

• Checksum: indicates the standard 16-bit IPv6 checksum and occupies 2 bytes.

• 0: Occupying 1 byte, this field is reserved and must be set to 0.


• Rtr Pri: indicates the router priority, which is used for DR election. This field occupies 1 byte, and the default value is 1. If it is set to 0, the router cannot participate in DR or BDR election.
• Options: indicates the optional capabilities supported by the router and occupies 3 bytes.
 ▫ AT: indicates whether OSPFv3 authentication is supported. This option occupies 1 bit. If the AT bit is 1, an authentication trailer containing authentication information is appended to the OSPFv3 packet.
 ▫ DC: indicates whether the capability of processing demand circuits is supported. This option occupies 1 bit.
 ▫ R: indicates whether the originator is a valid router. This option occupies 1 bit.
 ▫ NP: indicates whether the area to which the originating router interface belongs is a not-so-stubby area (NSSA). This option occupies 1 bit.
 ▫ MC: indicates whether multicast data packets can be forwarded. This option occupies 1 bit.
 ▫ E: indicates whether external routes are supported. This option occupies 1 bit.
 ▫ V6: indicates whether the router or link can participate in route calculation. This option occupies 1 bit. If it is set to 0, the router or link does not participate in IPv6 route calculation.
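The header layout and the Hello fields (Rtr Pri, Options) described above can be checked against real bytes with a small parser. The following Python is an added example, not code from the course: it unpacks the 16-byte OSPFv3 header, validates the fields the notes call fixed (version 3, reserved byte 0, Packet length), then decodes the Hello body and the Options bits. The masks for AF, L and AT are assumed from RFC 5838/7166 and are not stated on this page; the sample packet is constructed inline.

```python
"""Added example: parse an OSPFv3 packet header and Hello body (RFC 5340 layout).
Not part of the course material; the sample packet below is constructed."""
import struct
from ipaddress import IPv4Address

HEADER_LEN = 16
OSPFV3_TYPES = {1: "Hello", 2: "DD", 3: "LSR", 4: "LSU", 5: "LSAck"}

# Options bit masks in the 24-bit field. V6/E/MC/NP/R/DC follow the notes above;
# AF, L and AT are assumed from RFC 5838 / RFC 7166 (not stated on this page).
OPTION_BITS = {
    "V6": 0x000001, "E": 0x000002, "MC": 0x000004, "NP": 0x000008,
    "R": 0x000010, "DC": 0x000020, "AF": 0x000100, "L": 0x000200, "AT": 0x000400,
}


def parse_header(pkt: bytes) -> dict:
    """Parse the 16-byte header and reject anything that is not a sane OSPFv3 packet.
    The checksum covers an IPv6 pseudo-header, so it is reported but not verified here."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the OSPFv3 header")
    version, ptype, length, rid, aid, csum, inst, zero = struct.unpack(
        "!BBHIIHBB", pkt[:HEADER_LEN])
    if version != 3:
        raise ValueError(f"not OSPFv3: version field is {version}")
    if ptype not in OSPFV3_TYPES:
        raise ValueError(f"unknown OSPFv3 packet type {ptype}")
    if length != len(pkt):
        raise ValueError(f"length field {length} does not match {len(pkt)} bytes on the wire")
    if zero != 0:
        raise ValueError("reserved byte after Instance ID must be 0")
    return {
        "version": version, "type": OSPFV3_TYPES[ptype], "length": length,
        "router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(aid)),
        "checksum": csum, "instance_id": inst,
    }


def decode_options(options: int) -> set:
    """Return the names of the Options bits that are set."""
    return {name for name, mask in OPTION_BITS.items() if options & mask}


def parse_hello(pkt: bytes) -> dict:
    """Parse header + Hello body: Interface ID, Rtr Pri, Options, timers, DR/BDR, neighbors."""
    info = parse_header(pkt)
    if info["type"] != "Hello":
        raise ValueError("not a Hello packet")
    body = pkt[HEADER_LEN:]
    if len(body) < 20:
        raise ValueError("Hello body truncated")
    iface_id, rtr_pri, opt_hi, opt_lo, hello_int, dead_int, dr, bdr = struct.unpack(
        "!IBBHHHII", body[:20])
    neighbors_raw = body[20:]
    if len(neighbors_raw) % 4:
        raise ValueError("neighbor list is not a multiple of 4 bytes")
    info.update({
        "interface_id": iface_id,
        "router_priority": rtr_pri,
        "dr_eligible": rtr_pri != 0,          # priority 0 = never DR/BDR
        "options": decode_options((opt_hi << 16) | opt_lo),
        "hello_interval": hello_int,
        "dead_interval": dead_int,
        "dr": str(IPv4Address(dr)),
        "bdr": str(IPv4Address(bdr)),
        "neighbors": [str(IPv4Address(n)) for (n,) in struct.iter_unpack("!I", neighbors_raw)],
    })
    return info


def build_hello(router_id: str, area_id: str, instance_id: int, options: int,
                neighbors: list, rtr_pri: int = 1) -> bytes:
    """Build a Hello packet for testing (checksum left 0; no IPv6 pseudo-header here)."""
    body = struct.pack("!IBBHHHII", 6, rtr_pri, options >> 16, options & 0xFFFF,
                       10, 40, 0, 0)
    body += b"".join(struct.pack("!I", int(IPv4Address(n))) for n in neighbors)
    header = struct.pack("!BBHIIHBB", 3, 1, HEADER_LEN + len(body),
                         int(IPv4Address(router_id)), int(IPv4Address(area_id)),
                         0, instance_id, 0)
    return header + body


# Constructed sample: router 10.0.0.1, area 0, instance 0, V6+E+R set, one neighbor.
SAMPLE_HELLO = build_hello("10.0.0.1", "0.0.0.0", 0, 0x000013, ["10.0.0.2"])
```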
• LS Age: indicates the time elapsed since the LSA was generated, in seconds. This
field occupies 2 bytes. The value of this field continually increases regardless of
whether the LSA is transmitted over a link or saved in an LSDB.

• LS Type: indicates the LSA type. This field occupies 2 bytes. The high-order three
bits of this field identify generic properties of the LSA, whereas the remaining bits
identify the LSA's specific function.

▫ The U-bit indicates how to process an unknown LSA, that is, how a router
that does not recognize an LSA's function code should process this LSA.

▪ 0: The LSA is treated as if it had the link-local flooding scope.

▪ 1: The LSA is stored and flooded as if its type had been understood.

▫ The S2 and S1 bits indicate the flooding scope of the LSA.
  ▪ S2 S1 = 0 0: link-local flooding scope. The LSA is flooded only on the originating link.
  ▪ S2 S1 = 0 1: area flooding scope. The LSA is flooded to all routers in the originating area.
  ▪ S2 S1 = 1 0: AS flooding scope. The LSA is flooded to all routers in the local AS.
  ▪ S2 S1 = 1 1: reserved.
• As shown in the figure, the U-bit in the LS Type field of the OSPFv3 LSA header is 0 by default. Except for the Type 5 and Type 8 LSAs, all other LSA types have the area flooding scope (S2 S1 = 0 1).
 ▫ Link-local flooding scope: LSAs, including link-LSAs, are flooded only on the local link.
 ▫ Area flooding scope: The following types of LSAs are flooded in a single OSPF area: router-LSA, network-LSA, inter-area-prefix-LSA, inter-area-router-LSA, NSSA-LSA, and intra-area-prefix-LSA.
 ▫ AS flooding scope: LSAs, including AS-external-LSAs, are flooded in the entire routing domain (AS).
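The U-bit and S2/S1 rules above decide what a router does with an LSA whose LS Type it may not recognise. The following Python is an added example (not course code) that splits the 16-bit LS Type into U-bit, scope and function code, maps the known function codes to the LSA names and scopes listed in these notes, parses the 20-byte LSA header, and returns the handling decision, including the two unknown-LSA cases; the scope-mismatch check on known types is this example's own sanity check, and the sample headers are constructed.

```python
"""Added example: decode the OSPFv3 LS Type field and LSA header (RFC 5340 layout).
Not part of the course material; sample LSA headers below are constructed."""
import struct
from ipaddress import IPv4Address

U_BIT = 0x8000                 # how to handle an unknown function code
SCOPES = {0: "link-local", 1: "area", 2: "AS", 3: "reserved"}   # indexed by S2 S1
LSA_HEADER_LEN = 20

# function code -> (name, flooding scope the standard assigns to it)
KNOWN_LSAS = {
    1: ("Router-LSA", "area"),            2: ("Network-LSA", "area"),
    3: ("Inter-Area-Prefix-LSA", "area"), 4: ("Inter-Area-Router-LSA", "area"),
    5: ("AS-external-LSA", "AS"),         7: ("NSSA-LSA", "area"),
    8: ("Link-LSA", "link-local"),        9: ("Intra-Area-Prefix-LSA", "area"),
}


def decode_ls_type(ls_type: int) -> dict:
    """Split the 16-bit LS Type into U-bit, S2/S1 scope and 13-bit function code,
    and say what a receiving router should do with the LSA."""
    if not 0 <= ls_type <= 0xFFFF:
        raise ValueError("LS Type is a 16-bit field")
    u_bit = bool(ls_type & U_BIT)
    scope = SCOPES[(ls_type >> 13) & 0x3]
    code = ls_type & 0x1FFF
    name, expected = KNOWN_LSAS.get(code, (None, None))
    info = {"u_bit": u_bit, "scope": scope, "function_code": code, "name": name}
    if scope == "reserved":
        info["action"] = "reject: S2 S1 = 1 1 is reserved"
    elif name is None:
        # Unknown function code: U=0 -> treat as link-local, U=1 -> honour the encoded scope
        info["action"] = (f"unknown LSA: store and flood with {scope} scope" if u_bit
                          else "unknown LSA: treat as link-local flooding scope")
    elif scope != expected:
        # Sanity check added by this example: a known type in the wrong scope is malformed
        info["action"] = f"reject: {name} is defined with {expected} scope, got {scope}"
    else:
        info["action"] = f"flood with {scope} scope"
    return info


def parse_lsa_header(buf: bytes) -> dict:
    """Parse the 20-byte LSA header: LS Age, LS Type, Link State ID,
    Advertising Router, LS Sequence Number, Checksum, Length."""
    if len(buf) < LSA_HEADER_LEN:
        raise ValueError("LSA header truncated")
    age, ls_type, lsid, adv, seq, csum, length = struct.unpack(
        "!HHIIIHH", buf[:LSA_HEADER_LEN])
    if length < LSA_HEADER_LEN:
        raise ValueError("LSA Length cannot be shorter than its header")
    hdr = {"ls_age": age, "link_state_id": str(IPv4Address(lsid)),
           "advertising_router": str(IPv4Address(adv)), "ls_seq": seq,
           "checksum": csum, "length": length}
    hdr.update(decode_ls_type(ls_type))
    return hdr


def make_lsa_header(ls_type: int, lsid: str, adv: str, seq: int = 0x80000001,
                    age: int = 0, length: int = LSA_HEADER_LEN) -> bytes:
    """Build a header for testing (checksum left 0)."""
    return struct.pack("!HHIIIHH", age, ls_type, int(IPv4Address(lsid)),
                       int(IPv4Address(adv)), seq, 0, length)


# Constructed samples: a Router-LSA, an AS-external-LSA and a Link-LSA from router 10.0.0.2.
SAMPLE_ROUTER_LSA = make_lsa_header(0x2001, "0.0.0.0", "10.0.0.2", length=40)
SAMPLE_EXTERNAL_LSA = make_lsa_header(0x4005, "0.0.0.3", "10.0.0.2", length=36)
SAMPLE_LINK_LSA = make_lsa_header(0x0008, "0.0.0.6", "10.0.0.2", length=56)
```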
• The fields in an OSPFv3 router-LSA are described as follows:

▫ W: wildcard receiver. The value 1 indicates that the router supports multicast routes.
 ▫ V: virtual link. The value 1 indicates that the router that generates the LSA is at one end of the virtual link.
 ▫ E: external. The value 1 indicates that the router that generates the LSA is an ASBR.
 ▫ B: border. The value 1 indicates that the router that generates the LSA is an ABR.
 ▫ Options: indicates the optional capabilities supported by the router and occupies 3 bytes.
  ▪ DC: indicates whether the capability of processing demand circuits is supported. This option occupies 1 bit.
  ▪ R: indicates whether the originator is a valid router. This option occupies 1 bit.
  ▪ NP: indicates whether the area to which the originating router interface belongs is a not-so-stubby area (NSSA). This option occupies 1 bit.
• The fields in an OSPFv3 network-LSA are described as follows:

▫ Options: same as the Options field in a router-LSA.


• The fields in an OSPFv3 inter-area-prefix-LSA are described as follows:

▫ Metric: indicates the cost of the route to the destination address and
occupies 3 bytes.

▫ PrefixOptions: Each prefix advertised by an LSA has its own PrefixOptions field.
  ▪ P-bit: propagate bit. This bit needs to be set to 1 if the prefix of an NSSA needs to be advertised by an ABR.

▪ MC-bit: multicast bit. If this bit is set to 1, the prefix is used for
multicast route calculation. Otherwise, the prefix is not used for
multicast route calculation.

▪ LA-bit: local address capability bit. If this bit is set to 1, the prefix is an
interface address of the router.

▪ NU-bit: no unicast capability bit. If this bit is set to 1, the prefix is not
used for IPv6 unicast route calculation.

• Note: The prefix length of the default route is 0. An ABR can also originate an
inter-area Type 3 LSA to advertise a default route to a stub area.
• The fields in an OSPFv3 inter-area-router-LSA are described as follows:

▫ Options: This field describes the optional capabilities supported by the destination router instead of those supported by the source router. Therefore, the value of this field should equal that of the Options field in the router-LSA generated by the destination router.

▫ Metric: indicates the cost of the route to the destination address and
occupies 3 bytes.
• The fields in an OSPFv3 AS-external-LSA are described as follows:
▫ Bit E: indicates the cost type of an AS external route and occupies 1 bit.
▪ The value 1 indicates the cost of a Type 2 external route. This cost
does not increase during route transmission.
▪ The value 0 indicates the cost of a Type 1 external route. This cost
increases during route transmission.
▫ Bit F: occupies 1 bit. The value 1 indicates that the Forwarding Address field
(optional) is included.
▫ Bit T: occupies 1 bit. The value 1 indicates that the External Route Tag field
(optional) is included.
▫ Metric: indicates the cost of the route to the destination address and
occupies 3 bytes.
▫ PrefixLength, PrefixOptions, and Address Prefix are triplets that describe a
prefix and have the same meanings as those in an inter-area-prefix-LSA.
▫ Forwarding Address: is an optional 128-bit IPv6 address and occupies 4
bytes. This field is included if bit F is 1. In this case, a data packet needs to
be forwarded to this address before reaching its destination.
▫ External Route Tag: an optional flag, which occupies 4 bytes. It can be used
for communication between ASBRs. In a typical scenario where each of two
ASBRs imports an AS external route, the imported routes can be tagged
differently to facilitate route filtering.
▫ Referenced Link State ID: occupies 4 bytes. This field is included if the
Referenced LS Type field is not 0, indicating the link state ID of the
referenced LSA.
• The fields in an OSPFv3 link-LSA are described as follows:

▫ Rtr Pri: indicates the router priority of the interface attaching the
originating router to the link and occupies 1 byte.

▫ Options: indicates a collection of Options bits that the router sets in the
network-LSA and occupies 3 bytes.

▫ Number of Prefixes: indicates the number of IPv6 address prefixes carried in the LSA, and occupies 4 bytes.
 ▫ PrefixLength, PrefixOptions, and Address Prefix are triplets that describe a prefix and have the same meanings as those in an inter-area-prefix-LSA.
• The fields in an OSPFv3 intra-area-prefix-LSA are described as follows:
▫ Number of Prefixes: indicates the number of IPv6 address prefixes carried in
the LSA, and occupies 4 bytes. If necessary, prefixes can be carried in
multiple intra-area-prefix-LSAs to limit the size of each Type 9 LSA.
▫ Referenced LS Type: indicates whether the LSA references a router-LSA or a
network-LSA, and occupies 4 bytes.
▪ Type=1: A router-LSA is referenced.
▪ Type=2: A network-LSA is referenced.
▫ Referenced Link State ID: 4 bytes.
▪ If the LSA references a router-LSA, this field is set to 0.
▪ If the LSA references a network-LSA, this field is set to the interface ID
of the DR on the attached link.
▫ Referenced Advertising Router: 4 bytes.
▪ If the LSA references a router-LSA, this field is set to the router ID of
the associated router.
▪ If the LSA references a network-LSA, this field is set to the router ID
of the DR on the attached link.
▫ PrefixLength, PrefixOptions, and Address Prefix are triplets that describe a
prefix and have the same meanings as those in an inter-area-prefix-LSA.
▫ Metric: indicates the prefix cost and occupies 2 bytes. This field has the
same unit as the interface cost of a router-LSA.
• In OSPFv3, when a link or its prefix changes, the attached router sends an intra-
area-prefix-LSA, which however does not trigger SPF calculation.
• As shown in the figure, R1, R2, R3, and R4 run OSPFv3 and are all deployed in the
backbone area.

• After the network becomes stable, check the LSDB of R2. The command output
shows information about the following types of LSAs: router-LSA (Type 1),
network-LSA (Type 2), Link-LSA (Type 8), and intra-area-prefix-LSA (Type 9).
• The command output is described as follows:

▫ LS Age: aging time of the LSA.

▫ LS Type: LSA type, which can be any of the following:

▪ Router-LSA, Network-LSA, Inter-Area-Prefix-LSA, Inter-Area-Router-LSA, AS-external-LSA, NSSA-LSA, Link-LSA, or Intra-Area-Prefix-LSA

▫ Link State ID: link state ID in the LSA header.

▫ Originating Router: router that generates the LSA.

▫ LS Seq Number: sequence number of the LSA. This field is carried in the LSA
header.

▫ Checksum: checksum of the LSA.

▫ Length: length of the LSA.

▫ Priority: priority of the interface attached to the link.

▫ Options: optional capabilities of the link.

▫ Link-Local Address: link-local address.

▫ Number of Prefixes: number of IPv6 prefixes contained in the LSA.

▫ Prefix: IPv6 prefix.

▫ Prefix Options: optional capabilities associated with the prefix.


• The configuration commands and methods of OSPFv3 are similar to those of
OSPFv2. For details, see the "HCIP-Datacom-Core Technology" course.
• [Huawei] display ospfv3 [ process-id ] lsdb [ area area-id ] [ originate-router
advertising-router-id | self-originate ] [ { router | network | inter-router [ asbr-
router asbr-router-id ] | { inter-prefix | nssa } [ ipv6-address prefix-length ] |
link | intra-prefix | grace } [ link-state-id ]]

▫ process-id: specifies the ID of an OSPFv3 process. The value is an integer ranging from 1 to 65535.
 ▫ area area-id: specifies the ID of an area. The area ID can be a decimal integer or in the IPv4 address format. For a decimal integer, the value ranges from 0 to 4294967295. For the IPv4 address format, the value is in dotted decimal notation.
 ▫ external: displays information about AS-external LSAs in the LSDB.
 ▫ inter-prefix: displays information about inter-area-prefix LSAs in the LSDB.
 ▫ inter-router: displays information about inter-area-router LSAs in the LSDB.
 ▫ intra-prefix: displays information about intra-area-prefix LSAs in the LSDB.
 ▫ nssa: displays information about NSSA LSAs in the LSDB.
 ▫ link: displays information about link-LSAs in the LSDB.
 ▫ network: displays information about network-LSAs in the LSDB.
 ▫ router: displays information about router-LSAs in the LSDB.
 ▫ link-state-id: specifies a link state ID. The value is in dotted decimal notation.
• You can run the display ospf peer command to check OSPFv2 neighbor
information.

• By comparing OSPFv2 neighbor information and OSPFv3 neighbor information, you will find that the elected DR and BDR are the same, indicating that the DR election modes of OSPFv2 and OSPFv3 are the same.
• You can run the display ospf routing command to check the routing information on the OSPFv2 network.
• By comparing OSPFv2 routing information and OSPFv3 routing information, you will find that the paths to the same network segment are the same, indicating that the route calculation methods of OSPFv2 and OSPFv3 are the same.
• You can run the display ospf lsdb command to check the OSPFv2 LSDB. You will
find that the LSDB contains the Type 1, Type 2, and Type 3 LSAs.
• Fields in TLV 232 (IPv6 Interface Address) are described as follows:
▫ Type: indicates the TLV type and occupies 8 bits. The value is 232 (0xE8).
▫ Length: indicates the length of the Value field in the TLV and occupies 8
bits.
▫ Interface Address: indicates a 128-bit IPv6 address.
• Fields in TLV 236 (IPv6 Reachability) are described as follows:
▫ Type: indicates the TLV type and occupies 8 bits. The value is 236 (0xEC).
▫ Length: indicates the length of the Value field in the TLV and occupies 8
bits.
▫ Metric: a 32-bit field indicating the cost.
▫ U: up/down bit. This 1-bit field indicates whether the prefix is advertised
from a higher level to a lower level.
▫ X: external original bit. This 1-bit field indicates whether the prefix was
imported into IS-IS from another routing protocol.
▫ S: sub-TLV present bit. This 1-bit field is optional.
▫ R: This 5-bit field is reserved.
▫ Prefix Length: indicates the prefix length and occupies 8 bits.
▫ Prefix: indicates an IPv6 address prefix.
▫ Sub-TLV Length: indicates the length of a sub-TLV and occupies 8 bits. If
the S-bit is set to 1, this field is included.
▫ Sub-TLV: If the S-bit is set to 1, this field is included.
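The TLV 232 and TLV 236 layouts above (metric, U/X/S flag bits, prefix sent in whole octets, sub-TLV block present only when S is set) can be exercised with a parser. The following Python is an added example, not course code: it walks a TLV stream, decodes both IPv6 TLVs and reports per-prefix flags; the unreachable-metric threshold MAX_V6_PATH_METRIC is assumed from RFC 5308 rather than taken from this page, and the sample bytes (including a sub-TLV of type 4) are constructed.

```python
"""Added example: parse IS-IS IPv6 TLVs 232 (Interface Address) and 236 (Reachability)
as laid out in the notes above (RFC 5308). Not part of the course; sample bytes are constructed."""
import struct
from ipaddress import IPv6Address, IPv6Network

TLV_IPV6_IFACE_ADDR = 232
TLV_IPV6_REACH = 236
U_BIT, X_BIT, S_BIT = 0x80, 0x40, 0x20        # up/down, external, sub-TLV present
MAX_V6_PATH_METRIC = 0xFE000000               # assumed from RFC 5308: larger = unreachable


def parse_sub_tlvs(buf: bytes) -> list:
    """Generic type/length/value walk over a sub-TLV block; returns (type, value) pairs."""
    out, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf) or off + 2 + buf[off + 1] > len(buf):
            raise ValueError("truncated sub-TLV")
        t, l = buf[off], buf[off + 1]
        out.append((t, buf[off + 2:off + 2 + l]))
        off += 2 + l
    return out


def parse_ipv6_reach(value: bytes) -> list:
    """Decode every prefix entry in a TLV 236 value field."""
    entries, off = [], 0
    while off < len(value):
        if off + 6 > len(value):
            raise ValueError("truncated IPv6 reachability entry")
        metric, flags, plen = struct.unpack("!IBB", value[off:off + 6])
        off += 6
        if plen > 128:
            raise ValueError(f"bad prefix length {plen}")
        nbytes = (plen + 7) // 8                 # prefix is carried in whole octets only
        raw = value[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated prefix")
        off += nbytes
        addr = IPv6Address(int.from_bytes(raw.ljust(16, b"\x00"), "big"))
        entry = {
            "prefix": str(IPv6Network((addr, plen), strict=False)),
            "metric": metric,
            "reachable": metric <= MAX_V6_PATH_METRIC,
            "up_down": bool(flags & U_BIT),     # leaked from a higher to a lower level
            "external": bool(flags & X_BIT),    # imported from another routing protocol
            "reserved_bits": flags & 0x1F,      # the 5 reserved bits, 0 on the wire
            "sub_tlvs": [],
        }
        if flags & S_BIT:                        # Sub-TLV Length is present only when S=1
            if off >= len(value):
                raise ValueError("missing sub-TLV length")
            sub_len = value[off]
            off += 1
            entry["sub_tlvs"] = parse_sub_tlvs(value[off:off + sub_len])
            off += sub_len
        entries.append(entry)
    return entries


def parse_tlvs(buf: bytes) -> list:
    """Walk a TLV stream and decode the two IPv6 TLVs; other TLVs are kept raw."""
    out, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated TLV header")
        t, l = buf[off], buf[off + 1]
        value = buf[off + 2:off + 2 + l]
        if len(value) != l:
            raise ValueError(f"TLV {t} truncated")
        off += 2 + l
        if t == TLV_IPV6_IFACE_ADDR:
            if l % 16:
                raise ValueError("TLV 232 must hold whole 16-byte addresses")
            out.append({"type": t, "addresses": [str(IPv6Address(value[i:i + 16]))
                                                 for i in range(0, l, 16)]})
        elif t == TLV_IPV6_REACH:
            out.append({"type": t, "prefixes": parse_ipv6_reach(value)})
        else:
            out.append({"type": t, "raw": value})
    return out


def _reach_entry(metric: int, flags: int, network: str, sub: bytes = b"") -> bytes:
    """Encode one TLV 236 entry (helper used only to build the constructed sample)."""
    net = IPv6Network(network)
    raw = int(net.network_address).to_bytes(16, "big")[:(net.prefixlen + 7) // 8]
    if sub:
        return (struct.pack("!IBB", metric, flags | S_BIT, net.prefixlen)
                + raw + bytes([len(sub)]) + sub)
    return struct.pack("!IBB", metric, flags, net.prefixlen) + raw


# Constructed sample: one TLV 232 with fe80::1 and one TLV 236 with three prefixes
# (internal, external with a type-4 sub-TLV, and one leaked down with an unreachable metric).
_reach = (_reach_entry(10, 0, "2001:db8:1::/48")
          + _reach_entry(20, X_BIT, "2001:db8:2::/64", sub=b"\x04\x02\x01\x02")
          + _reach_entry(0xFF000000, U_BIT, "2001:db8:3::/48"))
SAMPLE_TLVS = (bytes([TLV_IPV6_IFACE_ADDR, 16]) + IPv6Address("fe80::1").packed
               + bytes([TLV_IPV6_REACH, len(_reach)]) + _reach)
```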
• IS-IS single-topology has the following disadvantages:

▫ Network deployment is not suitable for topology separation.

▫ To maintain the same topology, each interface must run both IS-IS (IPv4)
and IS-IS (IPv6), which is not flexible.

▫ IPv4 areas cannot be used to connect different IPv6 areas. That is, IPv4
networks cannot be used to address IPv6 network isolation.
• The IS-IS MT feature can overcome the disadvantages of IS-IS single topology.
• To support MT, IS-IS defines multiple types of TLVs, including Multi-Topology
TLV, MT Intermediate Systems TLV, Multi-Topology Reachable IPv4 Prefixes TLV,
and Multi-Topology Reachable IPv6 Prefixes TLV. This course focuses on the
Multi-Topology TLV and does not elaborate on the other ones.

• Multi-Topology TLV:

▫ This TLV is contained only in IIH PDUs and fragment zero LSPs.

▫ Reserved MT IDs:

▪ MT ID=0, equivalent to the standard IPv4 topology.

▪ MT ID=2, reserved for the IPv6 routing topology.


• The basic configuration commands and methods of IS-IS (IPv6) are the same as
those of IS-IS (IPv4). For details, see the "HCIP-Datacom-Core Technology"
course.

• [Huawei-isis-1] ipv6 enable [ topology { ipv6 | standard } ]

▫ topology: sets a network topology type.

▫ ipv6: sets the topology type to IPv6. That is, the IPv6 capability for the IS-IS
process is enabled in an IPv6 topology. Links on the network can be
configured as IPv4 or IPv6 links. SPF calculation is performed separately in
IPv4 and IPv6 topologies.

▫ standard: sets the topology type to standard. That is, the IPv6 capability for
the IS-IS process is enabled in an integrated topology. A network
administrator must ensure that all links on the network support the same
topology type. By default, the standard type is used when the IPv6
capability is enabled for an IS-IS process.
• To support IPv6, BGP (BGP4+) carries IPv6 routing information in the multiprotocol path attributes MP_REACH_NLRI and MP_UNREACH_NLRI instead of the IPv4-only NLRI and Withdrawn Routes fields of the Update message.
• Update message:

▫ An Update message can be used to advertise multiple routes with the same
path attribute. These routes are stored in the NLRI attribute. An Update
message can also carry multiple unreachable routes, which are stored in the
Withdrawn Routes field, to instruct peers to withdraw these routes.
• Fields in the MP_REACH_NLRI attribute are described as follows:
▫ Address Family Information: consists of a 2-byte address family identifier (AFI) and a 1-byte subsequent address family identifier (SAFI). For IPv6 unicast, the AFI is 2 and the SAFI is 1.
▫ Length of Next Hop Network Address: indicates the length of the next-hop address and occupies 1 byte. Generally, the value is 16 (one global unicast address). The value 32 means that a link-local address follows the global address; it is used when the peer is on a directly connected link.
▫ Network Address of Next Hop: The length is variable and depends on the preceding field. Generally, the value is a global unicast address.
▫ Reserved: 1 byte. The value must be 0.
▫ Network Layer Reachability Information: contains the routes that share the path attributes of this Update message, each encoded as <prefix length, prefix>. A prefix length of 0 indicates the default route.
• Fields in the MP_UNREACH_NLRI attribute are described as follows:
▫ Address Family Information: the same 2-byte AFI and 1-byte SAFI as in MP_REACH_NLRI.
▫ Withdrawn Routes: indicates the routes to be withdrawn. The value is in the <prefix length, prefix> format. If the prefix length is 0, the associated route is a default route.
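The two attributes described above, as an added example that is not part of the course material: a Python encoder and decoder for the IPv6 unicast form of MP_REACH_NLRI and MP_UNREACH_NLRI (attribute headers omitted). The next hops 2001:db8::1 and fe80::1 and the prefixes are constructed. The decoder enforces the two constraints a BGP speaker relies on: the next-hop length is 16 or 32 (and the second address, when present, is link-local), and every NLRI prefix length is at most 128 with its octets present, so a malformed attribute is rejected rather than mis-parsed.

```python
import ipaddress
import struct

AFI_IPV6, SAFI_UNICAST = 2, 1


def _parse_prefixes(buf):
    """Decode the <prefix length, prefix> list used by both NLRI and Withdrawn Routes."""
    nets, off = [], 0
    while off < len(buf):
        plen = buf[off]
        off += 1
        if plen > 128:
            raise ValueError(f"prefix length {plen} exceeds 128")
        nbytes = (plen + 7) // 8
        chunk = buf[off:off + nbytes]
        if len(chunk) != nbytes:
            raise ValueError("truncated prefix")
        off += nbytes
        addr = int.from_bytes(chunk.ljust(16, b"\x00"), "big")
        nets.append(ipaddress.IPv6Network((addr, plen), strict=False))   # plen 0 decodes as ::/0
    return nets


def parse_mp_reach_nlri(attr):
    """Parse the value of an MP_REACH_NLRI attribute (type code 14) for IPv6 unicast."""
    if len(attr) < 5:
        raise ValueError("truncated MP_REACH_NLRI")
    afi, safi, nh_len = struct.unpack_from("!HBB", attr, 0)
    if (afi, safi) != (AFI_IPV6, SAFI_UNICAST):
        raise ValueError(f"unsupported AFI/SAFI {afi}/{safi}")
    if nh_len not in (16, 32):                    # RFC 2545: global, or global + link-local
        raise ValueError(f"invalid next-hop length {nh_len}")
    if len(attr) < 4 + nh_len + 1:
        raise ValueError("truncated next hop")
    next_hops = [ipaddress.IPv6Address(attr[4 + i:4 + i + 16]) for i in range(0, nh_len, 16)]
    if nh_len == 32 and not next_hops[1].is_link_local:
        raise ValueError("second next hop must be a link-local address")
    off = 4 + nh_len
    if attr[off] != 0:
        raise ValueError("reserved octet must be 0")
    return {"afi": afi, "safi": safi, "next_hops": next_hops,
            "nlri": _parse_prefixes(attr[off + 1:])}


def parse_mp_unreach_nlri(attr):
    """Parse the value of an MP_UNREACH_NLRI attribute (type code 15) for IPv6 unicast."""
    if len(attr) < 3:
        raise ValueError("truncated MP_UNREACH_NLRI")
    afi, safi = struct.unpack_from("!HB", attr, 0)
    if (afi, safi) != (AFI_IPV6, SAFI_UNICAST):
        raise ValueError(f"unsupported AFI/SAFI {afi}/{safi}")
    return {"afi": afi, "safi": safi, "withdrawn": _parse_prefixes(attr[3:])}


def build_mp_reach_nlri(next_hops, prefixes):
    """Encode an IPv6 unicast MP_REACH_NLRI value from next-hop addresses and prefixes."""
    nh = b"".join(ipaddress.IPv6Address(h).packed for h in next_hops)
    out = struct.pack("!HBB", AFI_IPV6, SAFI_UNICAST, len(nh)) + nh + b"\x00"
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        out += bytes((net.prefixlen,)) + net.network_address.packed[:(net.prefixlen + 7) // 8]
    return out


def nlri_error(attr):
    """Return the validation error for an MP_REACH_NLRI value, or None when it parses cleanly."""
    try:
        parse_mp_reach_nlri(attr)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: a peer advertising its global and link-local next hop for two prefixes,
# the second of which is the default route (prefix length 0).
SAMPLE_REACH = build_mp_reach_nlri(["2001:db8::1", "fe80::1"], ["2001:db8:5::/64", "::/0"])
# Constructed malformed sample: next-hop length 20 is neither 16 nor 32.
BAD_REACH = struct.pack("!HBB", AFI_IPV6, SAFI_UNICAST, 20) + bytes(21)

if __name__ == "__main__":
    print(parse_mp_reach_nlri(SAMPLE_REACH))
    print("malformed:", nlri_error(BAD_REACH))
```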
• The basic configuration commands and methods of BGP4+ are the same as those
of BGP. For details, see the "HCIP-Datacom-Core Technology" course.

• [Huawei-bgp] ipv6-family [ unicast | vpnv6 | vpn-instance vpn-instance-name ]
▫ unicast: enters the IPv6 unicast address family view.
▫ vpnv6: enters the BGP-VPNv6 address family view.
▫ vpn-instance vpn-instance-name: associates a specified VPN instance with the IPv6 address family and enters the BGP-VPN instance IPv6 address family view. The value is a string of 1 to 31 case-sensitive characters. If spaces are used, the string must start and end with double quotation marks (").
• [Huawei-bgp-af-ipv6] network ipv6-address prefix-length [ route-policy route-policy-name ]
▫ ipv6-address: specifies the IPv6 address advertised by BGP. The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
▫ prefix-length: specifies the prefix length of the IPv6 address advertised by BGP. The value is an integer ranging from 0 to 128.
▫ route-policy route-policy-name: specifies the name of the route-policy applied to route advertisement. The value is a string of 1 to 40 case-sensitive characters. If spaces are used, the string must start and end with double quotation marks (").
1. ABD

2. A
IPv6 Transition Technologies
Foreword

⚫ As the shortage of IPv4 addresses becomes more severe, IPv4-to-IPv6 transition has become the focus of network development. Although IPv6 is the ultimate solution to this problem, IPv4 networks will be retained for a long period of time to meet service continuity requirements. During the IPv4-to-IPv6 transition, it is inevitable that IPv4 and IPv6 addresses coexist on networks.
⚫ This course describes the transition technologies used when IPv4 and IPv6 coexist, including IPv6 over IPv4 tunneling, IPv6 Provider Edge (6PE), IPv6 VPN Provider Edge (6VPE), IPv4 over IPv6 tunneling, Network Address Translation IPv6-to-IPv4 (NAT64), and IVI.

1 Huawei Confidential
Objectives

⚫ On completion of this course, you will be able to:


 Describe IPv6 transition technologies and their implementations, and complete
the configuration.

Contents

1. IPv6 Transition Technologies

Overview IPv6 over IPv4 6PE 6VPE IPv4 over IPv6 NAT64 IVI

Introduction to IPv6 Transition Technologies

Currently, different regions in the world have different requirements for IPv6 deployment, and IPv4 networks are still the mainstream. Therefore, IPv6 and IPv4 will coexist for a certain period of time. The dual-stack, tunneling, and translation technologies can be used to implement interworking between IPv4 and IPv6 services.

IPv4/IPv6 dual stack:
• Devices support IPv4/IPv6. IPv4 and IPv6 are independently deployed and coexist for a period of time. This technology has little impact on existing IPv4 services.
• The evolution solution is simple and easy to understand. The workload of network planning and design is relatively low.
• Figure: an IPv6 host and an IPv4 host connect through two dual-stack devices to the IPv6 and IPv4 networks respectively.

Tunneling technologies:
• IPv6 over IPv4 tunneling:
▫ IPv6 packets are encapsulated with IPv4 headers and are transmitted over IPv4 tunnels. This technology connects isolated IPv6 networks through an IPv4 network (figure: IPv6 network, IPv4 tunnel, IPv6 network, carrying IPv6 data).
▫ Including manual tunnels, automatic tunnels, 6PE, and 6VPE.
• IPv4 over IPv6 tunneling:
▫ IPv4 packets are encapsulated with IPv6 headers and are transmitted over IPv6 tunnels. This technology connects isolated IPv4 networks through an IPv6 network (figure: IPv4 network, IPv6 tunnel, IPv4 network, carrying IPv4 data).
▫ Including manual tunnels, IPv6 VXLAN tunnels, and SRv6 tunnels.

Translation technologies:
• IPv4 traffic is translated into IPv6 traffic (mainly IP header modification), or IPv6 traffic is translated into IPv4 traffic. This technology implements communication between native IPv4 and IPv6 networks.
• A network address translation (NAT) or domain name system (DNS) device must be deployed on the network (figure: IPv6 network, NAT64/IVI gateway, IPv4 network, with a DNS server).
• Translation technologies include NAT64 and IVI.

• IPv4 address exhaustion fuels the urgency to transition to IPv6, but this requires
existing IPv4 devices to be replaced as these devices are incompatible with IPv6
networks. The main issue is that replacing a large number of IPv4 devices will
incur huge costs and interrupt services on the live networks. Therefore, the
transition from IPv4 to IPv6 must be a gradual process. During the early stage of
IPv4-to-IPv6 transition, IPv6 networks are scattered across a large number of IPv4
networks. Therefore, IPv6 transition technologies are required to implement IPv6
service interworking.
• Note: The VXLAN and SRv6 technologies will be described in detail in subsequent
courses.

Tunneling Technology: IPv6 over IPv4


⚫ IPv6 over IPv4 tunneling enables interconnection between isolated IPv6 networks over an IPv4 network.
⚫ Fundamentals of IPv6 over IPv4 tunneling (figure: IPv6 host, IPv6 network, R1 (dual-stack, Tunnel 1), IPv4 network, R2 (dual-stack, Tunnel 1), IPv6 network, IPv6 host; the source and destination IPv4 addresses of the tunnel are the Loopback 0 addresses of R1 and R2):
1. IPv4/IPv6 dual stack is enabled on border devices (R1 and R2), and an IPv6 over IPv4 tunnel is configured.
2. When receiving an IPv6 packet (IPv6 Header | IPv6 Data) from the connected IPv6 network, R1 encapsulates it into an IPv4 packet by attaching an IPv4 header to the IPv6 packet. This is done only if the IPv6 packet is not destined for R1 and the route lookup yields the tunnel interface as the outbound interface (next hop: IPv6 address of the peer interface Tunnel 1).
3. R1 transmits the resulting IPv4 packet (IPv4 Header | IPv6 Header | IPv6 Data) to R2 over the IPv4 network. The source IPv4 address is the source IPv4 address of the tunnel, and the destination IPv4 address is the destination IPv4 address of the tunnel.
4. R2 decapsulates the IPv4 packet by removing the IPv4 header, and sends the resulting IPv6 packet (IPv6 Header | IPv6 Data) to the destination IPv6 network.
⚫ Classification of IPv6 over IPv4 tunnels:

For an IPv6 over IPv4 tunnel, the source IPv4 address must be manually specified, and the destination IPv4 address can be
manually or automatically determined. From this perspective, IPv6 over IPv4 tunnels are classified into manual tunnels and
automatic tunnels.


Manual Tunnel
⚫ For a manual tunnel, the destination IPv4 address must be manually specified, as border devices cannot automatically obtain this address.

Manual IPv6 over IPv4 tunnel:
• A manual tunnel provides a point-to-point connection, and its source and destination addresses need to be manually specified. In a manual tunnel, an IPv6 packet is encapsulated into an IPv4 packet, with itself as the payload of the IPv4 packet.
• A manual tunnel is created between two border routers to connect IPv6 networks that are isolated by IPv4 networks, or created between a border router and a host to enable the host to access an IPv6 network.
• Figure: IPv6 network, border device (dual-stack), IPv4 network carrying the IPv6 over IPv4 tunnel, border device (dual-stack), IPv6 network. Encapsulation: IPv4 Header | IPv6 Header | IPv6 Data.

IPv6 over IPv4 GRE tunnel:
• An IPv6 over IPv4 GRE tunnel uses the standard GRE tunneling technology to provide a point-to-point connection. Addresses need to be specified for both ends of the tunnel.
• Figure: IPv6 network, border device (dual-stack), IPv4 network carrying the GRE tunnel, border device (dual-stack), IPv6 network. Encapsulation: IPv4 Header | GRE Header | IPv6 Header | IPv6 Data.


• Manual IPv6 over IPv4 tunnel:
▫ Devices at both ends of a tunnel must support the IPv4/IPv6 dual stack. Other devices only need to support a single protocol stack.
▫ The source and destination addresses of a manual tunnel are manually configured on devices. If a border device needs to establish tunnels with several devices, manually configuring multiple tunnels on the device is complex. Therefore, manual tunnels apply when two border routers connect only two IPv6 networks.
▫ Tunnel forwarding mechanism: When receiving a packet from an IPv6 network, a border device searches its routing table for an entry matching the destination address of the IPv6 packet. If the outbound interface is a virtual tunnel interface, the border device encapsulates the IPv6 packet into an IPv4 packet based on the source and destination IPv4 addresses configured on the interface. The resulting IPv4 packet is then forwarded to the remote end of the tunnel over an IPv4 network. When receiving this IPv4 packet, the remote end decapsulates the packet to obtain the original IPv6 packet and processes it using the IPv6 protocol stack.
• IPv6 over IPv4 GRE tunnel:
▫ Tunnel forwarding mechanism: Same as that of the manual IPv6 over IPv4 tunnel, except that a GRE header (protocol type 0x86DD for an IPv6 payload) is inserted between the IPv4 header and the IPv6 packet, and the outer IPv4 header carries protocol number 47 (GRE) instead of 41 (IPv6 encapsulated directly in IPv4).
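The encapsulation and decapsulation described for the two tunnel types, as an added example that is not part of the course material: Python that builds the outer IPv4 header (protocol 41 for a plain manual tunnel; protocol 47 plus a 4-octet GRE header for the GRE variant) and performs the egress-side checks. The tunnel endpoints 10.1.1.1 and 10.1.1.2 and the inner IPv6 packet are constructed. The comparison of the outer source with the configured peer is an assumption about what a tunnel endpoint should enforce: a manual tunnel that skips it accepts protocol-41 packets from any IPv4 host that can reach its address, which lets an outsider inject traffic into the IPv6 site.

```python
import ipaddress
import struct

IPPROTO_IPV6, IPPROTO_GRE = 41, 47     # outer IPv4 protocol numbers for the two tunnel types
ETHERTYPE_IPV6 = 0x86DD                # GRE protocol type for an IPv6 payload


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum over the header; returns 0 when verifying a correct header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header with DF set and no options; the checksum is filled in last."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(ipv6_pkt, tunnel_src, tunnel_dst, gre=False):
    """Tunnel ingress: wrap a complete IPv6 packet in an IPv4 header (and a 4-octet GRE header)."""
    if len(ipv6_pkt) < 40 or ipv6_pkt[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    if gre:
        payload = struct.pack("!HH", 0, ETHERTYPE_IPV6) + ipv6_pkt   # no C/K/S bits, version 0
        return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(payload)) + payload
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPV6, len(ipv6_pkt)) + ipv6_pkt


def decapsulate(ipv4_pkt, tunnel_peer, tunnel_local):
    """Tunnel egress. Returns (inner IPv6 packet, "ok") or (None, reason). The outer source is
    compared with the configured peer so that a third party cannot inject IPv6 packets into the
    site simply by sending protocol-41 or GRE traffic to the tunnel endpoint address."""
    if len(ipv4_pkt) < 20 or ipv4_pkt[0] >> 4 != 4:
        return None, "not IPv4"
    ihl = (ipv4_pkt[0] & 0x0F) * 4
    hdr = ipv4_pkt[:ihl]
    if ihl < 20 or len(hdr) != ihl or ipv4_checksum(hdr) != 0:
        return None, "bad IPv4 header"
    total_len, proto = struct.unpack("!H", hdr[2:4])[0], hdr[9]
    src, dst = ipaddress.IPv4Address(hdr[12:16]), ipaddress.IPv4Address(hdr[16:20])
    if str(dst) != tunnel_local or str(src) != tunnel_peer:
        return None, f"outer {src}->{dst} does not match the configured tunnel endpoints"
    inner = ipv4_pkt[ihl:total_len]
    if proto == IPPROTO_GRE:
        if len(inner) < 4:
            return None, "truncated GRE header"
        flags, ptype = struct.unpack("!HH", inner[:4])
        if flags & 0xF000 or ptype != ETHERTYPE_IPV6:   # C, R, K or S set, or not an IPv6 payload
            return None, "unsupported GRE header"
        inner = inner[4:]
    elif proto != IPPROTO_IPV6:
        return None, f"unexpected protocol {proto}"
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None, "inner packet is not IPv6"
    return inner, "ok"


def sample_ipv6_packet(src="2001:db8:1::1", dst="2001:db8:2::1"):
    """Constructed 40-byte IPv6 packet: payload length 0, Next Header 59 (no next header), hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


if __name__ == "__main__":
    v6 = sample_ipv6_packet()
    for gre in (False, True):
        outer = encapsulate(v6, "10.1.1.1", "10.1.1.2", gre=gre)
        print("proto", outer[9], "len", len(outer), decapsulate(outer, "10.1.1.1", "10.1.1.2")[1])
    print(decapsulate(encapsulate(v6, "192.0.2.9", "10.1.1.2"), "10.1.1.1", "10.1.1.2")[1])
```

The same source check is what an IPv4 ingress ACL on the tunnel endpoint achieves on a router: permit protocol 41 (or 47) only from the configured peer address.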

Automatic Tunnel
⚫ For an automatic tunnel, you only need to configure the source IPv4 address of the tunnel, and the destination IPv4 address of the tunnel is automatically generated by the device. To automatically generate a destination IPv4 address, a tunnel interface on the device uses a special IPv6 address that contains an IPv4 address. The device obtains an IPv4 address from the destination IPv6 address of an IPv6 packet, and uses this IPv4 address as the destination address of the tunnel.

Automatic IPv4-compatible IPv6 tunnel:
• The destination address (special IPv6 address used by the automatic tunnel) of an IPv6 packet is an IPv4-compatible IPv6 address. The first 96 bits of the address are all 0s, and the last 32 bits are an IPv4 address.
• Figure: R1 (Tunnel 1: ::A01:101/96, IPv4 interface 10.1.1.1/24), IPv4 network carrying the IPv4-compatible IPv6 tunnel, R2 (Tunnel 1: ::A01:102/96, IPv4 interface 10.1.1.2/24); IPv6 networks on either side. Encapsulated packet: IPv4 Header (source IPv4 10.1.1.1, destination IPv4 10.1.1.2) | IPv6 Header (source IPv6 ::A01:101, destination IPv6 ::A01:102) | IPv6 Data.

6to4 tunnel:
• A 6to4 tunnel uses special IPv6 addresses that contain IPv4 addresses as the network prefix.
• 6to4 address format: FP (3 bits) | TLA (13 bits) | IPv4 address (32 bits) | SLA ID (16 bits) | Interface ID (64 bits).
• Figure: 6to4 router (Tunnel 1: 2002:A01:101::1/48, IPv4 interface 10.1.1.1/24), IPv4 network carrying the 6to4 tunnel, 6to4 router (Tunnel 1: 2002:A01:102::1/48, IPv4 interface 10.1.1.2/24); IPv6 networks on either side.

ISATAP tunnel:
• An Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnel uses special IPv6 addresses that contain IPv4 addresses as the interface ID.
• ISATAP interface ID format: 000000ug00000000 (16 bits) | 0101111011111110 (16 bits, 0x5EFE) | IPv4 address (32 bits).
• Figure: Host 1 (IPv6 network, address 3::8), ISATAP router (GE0/0/1: 10.1.1.1/24; LLA FE80::5EFE:A01:101; GUA 1::5EFE:A01:101), IPv4 network carrying the ISATAP tunnel, Host 2 (dual-stack, 10.1.1.2/24).


• The data forwarding process of an automatic IPv4-compatible IPv6 tunnel is as follows:
▫ When receiving an IPv6 packet, R1 searches for an IPv6 route destined for ::A01:102 and finds that the next hop of the route is a virtual tunnel interface.
▫ R1 encapsulates the IPv6 packet into an IPv4 packet. The source address of the IPv4 packet is the source IPv4 address 10.1.1.1 of the tunnel, and the destination IPv4 address is the last 32 bits (10.1.1.2) of the IPv4-compatible IPv6 address ::A01:102.
▫ R1 sends the resulting IPv4 packet out from its tunnel interface. Then, the packet is routed to the destination node R2 at 10.1.1.2 over the IPv4 network. When receiving this packet, R2 decapsulates the packet to obtain the original IPv6 packet, and processes the IPv6 packet using the IPv6 protocol stack.
▫ The response packet returned by R2 is processed in a similar way as the IPv6 packet sent by R1.

• 6to4 tunnel:
▫ The network prefix of a 6to4 address is 64 bits long.
▪ The first 48 bits (2002:a.b.c.d, that is, 2002::/16 followed by the 32-bit IPv4 address) are determined by the IPv4 address assigned to a router and cannot be changed.
▪ The last 16 bits (SLA ID) are defined by users.
▫ Fields in a 6to4 address:
▪ FP: indicates the format prefix of aggregatable GUAs. The value is 001.
▪ TLA: indicates the top level aggregator. The value is 0x0002.
▪ SLA: indicates the site level aggregator.
• ISATAP tunnel:
▫ First 64 bits of an ISATAP address: The device at one end of a tunnel obtains the first 64 bits by sending a request to the ISATAP router through NDP, and automatically generates an ISATAP IPv6 address accordingly.
▫ ISATAP interface ID:
▪ When the IPv4 address is globally unique, the "u" bit is set to 1; otherwise, the "u" bit is set to 0. ISATAP tunnels are typically applied within sites. Therefore, the IPv4 addresses in interface IDs do not need to be globally unique.
▪ The "g" bit is an IEEE group/individual bit and its value is fixed at 0.
▫ As shown in the figure, Host 2 on the IPv4 network supports the IPv4/IPv6 dual stack and has a private IPv4 address (10.1.1.2/24). You can perform the following operations on Host 2 to enable the ISATAP function:
1. Configure an ISATAP tunnel interface. Then, Host 2 generates an ISATAP interface ID based on its IPv4 address, and generates an ISATAP link-local IPv6 address (FE80::5EFE:A01:102) based on the interface ID, so that it can access the IPv6 network on the local link.
2. Configure Host 2 to automatically obtain an IPv6 GUA (1::5EFE:A01:102). When Host 2 communicates with another IPv6 host, it uses the IPv4 address in the next-hop IPv6 address as the destination address in an IPv4 header, and sends the packet out through its tunnel interface.
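The three address formats above, as an added example that is not part of the course material: Python functions that derive the IPv4-compatible, 6to4 and ISATAP addresses from an IPv4 address, and the reverse operation an automatic tunnel endpoint performs, extracting the IPv4 tunnel destination from the destination IPv6 address. The addresses 10.1.1.1, 10.1.1.2 and the prefix 1::/64 are the ones used in the figure; the 198.51.100.7 endpoint in the tests is constructed. The last helper flags embedded endpoints that are private IPv4 addresses: in a real 6to4 deployment the embedded address must be a public one, so the 10.1.1.x values in the figure only work because both routers share one private IPv4 network.

```python
import ipaddress


def ipv4_compatible_address(v4):
    """::a.b.c.d : the first 96 bits are zero, the last 32 bits are the IPv4 address."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))


def sixto4_prefix(v4):
    """2002:AABB:CCDD::/48 : FP 001 + TLA 0x0002 (together 0x2002), then the 32-bit IPv4 address."""
    v4int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4int << 80), 48))


def isatap_address(prefix64, v4, globally_unique=False):
    """prefix (64 bits) + ISATAP interface ID 000000ug00000000 | 0x5EFE | a.b.c.d.
    The u bit (0x0200 in the top 16 bits of the interface ID) is set only for a globally unique IPv4 address."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    upper16 = 0x0200 if globally_unique else 0x0000
    iid = (upper16 << 48) | (0x5EFE << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def tunnel_destination(v6):
    """Ingress-side logic of an automatic tunnel: recover the IPv4 tunnel endpoint embedded in the
    destination IPv6 address. Returns (tunnel_type, IPv4Address) or None for an ordinary address."""
    n = int(ipaddress.IPv6Address(v6))
    if (n >> 32) == 0 and n > 1:                       # ::a.b.c.d, but neither :: nor ::1
        return "ipv4-compatible", ipaddress.IPv4Address(n & 0xFFFF_FFFF)
    if (n >> 112) == 0x2002:
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFF_FFFF)
    iid = n & 0xFFFF_FFFF_FFFF_FFFF
    if ((iid >> 32) & 0xFDFF_FFFF) == 0x0000_5EFE:    # ignore the u bit; g is always 0
        return "isatap", ipaddress.IPv4Address(iid & 0xFFFF_FFFF)
    return None


def embedded_endpoint_is_private(v6):
    """True when the IPv4 endpoint embedded in a tunnel address is a private (RFC 1918 or similar)
    address, which can never be reached from the public IPv4 Internet."""
    found = tunnel_destination(v6)
    return found is not None and found[1].is_private


if __name__ == "__main__":
    print(ipv4_compatible_address("10.1.1.1"))        # ::a01:101
    print(sixto4_prefix("10.1.1.1"))                  # 2002:a01:101::/48
    print(isatap_address("fe80::/64", "10.1.1.1"))    # fe80::5efe:a01:101
    print(isatap_address("1::/64", "10.1.1.1"))       # 1::5efe:a01:101
    print(tunnel_destination("2002:a01:102::1"))      # ('6to4', IPv4Address('10.1.1.2'))
```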

Tunneling Technology: 6PE


⚫ To provide IPv6 services for users, carriers do not need to build new IPv6 backbone networks; instead, they can use existing IPv4 networks to connect isolated IPv6 sites. IPv6 Provider Edge (6PE) is designed based on this concept.
⚫ The 6PE solution connects isolated IPv6 networks using multiprotocol label switching (MPLS) tunnels over IPv4 networks. 6PE implements IPv4/IPv6 dual stack on provider edges (PEs) of Internet service providers (ISPs), and uses the Multiprotocol Extensions for Border Gateway Protocol (MP-BGP) to assign labels to IPv6 routes. In this way, isolated IPv6 networks are connected through IPv4 tunnels between PEs.

Figure: CE1, IPv6 link, 6PE1 (dual-stack), IPv4 network carrying the IPv4 tunnel (MPLS), 6PE2 (dual-stack), IPv6 link, CE2.
• CEs and PEs use IPv6 routing protocols such as IGP, EBGP, and static routing to exchange IPv6 routes.
• PEs use IPv4 routing protocols to exchange IPv4 routes with P devices and other PEs. Tunnels are established between PEs to transparently transmit IPv6 packets.


• Advantages of 6PE:
▫ Easy maintenance: All configurations are performed on PEs. IPv6 services are carried over the existing IPv4 networks, simplifying network maintenance. Additionally, users on IPv6 networks are unaware of the IPv4 networks.
▫ Low network construction costs: Carriers can provide IPv6 services to users over existing MPLS networks without upgrading the networks. 6PE devices can also provide various types of services, such as IPv6 VPN and IPv4 VPN.

Intra-AS 6PE
⚫ Isolated IPv6 networks can connect to the same autonomous system (AS). PEs in the AS exchange IPv6 routes by
establishing MP-IBGP peer relationships.
⚫ The following figure shows how CE2 sends a route to CE1 and how CE1 sends a packet to CE2 in an intra-AS 6PE
scenario.

I-L is the inner label (MP-IBGP label), which is assigned by MP-BGP. It indicates the outbound interface or CE to which the packet should be forwarded.
O-L is the outer tunnel label (MPLS label), which is assigned by MPLS (for example, LDP). It directs the packet to the BGP next hop.

Route advertisement (CE2 to CE1): CE2 advertises 1::1/128 to 6PE2 over IPv6 EBGP; 6PE2 advertises 1::1/128 with next hop 6PE2 and inner label I-L1 to 6PE1 over IPv4 IBGP; 6PE1 advertises 1::1/128 to CE1 over IPv6 EBGP.
Packet forwarding (CE1 to CE2): CE1 sends IPv6 data to 6PE1; 6PE1 pushes I-L1 and O-L1 and forwards the packet over the MPLS LSP to 6PE2; 6PE2 pops the labels and forwards the IPv6 data to CE2.


• The route transmission process in an intra-AS 6PE scenario is as follows:
1. CE2 sends an IPv6 route to its EBGP peer 6PE2.
2. Upon receipt, 6PE2 changes the next hop of the IPv6 route to itself, and assigns an inner label to the IPv6 route. Then, 6PE2 sends the labeled IPv6 route to its IBGP peer 6PE1.
3. When receiving the labeled IPv6 route, 6PE1 recurses the route to a tunnel (the LSP to the BGP next hop 6PE2), and adds the route to the local forwarding table. Then, 6PE1 changes the next hop of the IPv6 route to itself, removes the label from the route, and sends the route to its EBGP peer CE1.
• The packet transmission process in an intra-AS 6PE scenario is as follows:
1. CE1 sends an ordinary IPv6 packet to 6PE1 over the IPv6 link.
2. Upon receipt of the IPv6 packet, 6PE1 looks up the destination address of the packet in its forwarding table, and encapsulates the packet with the inner (BGP) and outer (tunnel) labels. Then, 6PE1 sends the resulting labeled packet to 6PE2 over the public network tunnel.
3. When receiving the labeled packet, 6PE2 removes the inner and outer labels (the outer label may already have been popped by the penultimate hop) and forwards the resulting IPv6 packet to CE2 based on the destination address over an IPv6 link.

Explicit Null Label Shared by 6PE Routes


⚫ In a 6PE networking, by default, each 6PE route to be sent to 6PE peers is assigned a label. This will cause a large
number of label resources to be consumed if many 6PE routes need to be sent.
⚫ After 6PE routes are configured to share the same explicit null label, all 6PE routes to be sent to 6PE peers share
the explicit null label 2. The number of required labels is irrelevant to the number of 6PE routes to be sent. This
greatly saves label resources on 6PE devices.
⚫ Explicit null label 2 is a special label that must be popped out on the egress PE, and packets must be forwarded
based on IPv6.
Figure: CE2 advertises 1::1/128 to 6PE2 over IPv6 EBGP; 6PE2 advertises 1::1/128 with next hop PE2 and inner label 2 (explicit null) to 6PE1 over IPv4 IBGP; 6PE1 advertises 1::1/128 to CE1 over IPv6 EBGP. In the data direction, 6PE1 pushes inner label 2 and outer label O-L1; 6PE2 pops the labels and forwards the IPv6 data to CE2.

• When 6PE routes are configured to share the same explicit null label on 6PE2,
6PE2 advertises 6PE routes with an explicit null label to 6PE1 without applying
for labels for the routes.

• When forwarding data to 6PE2, 6PE1 adds two labels to the data. The outer label
is distributed by LDP pointing to 6PE2, and the inner label is an explicit null label
distributed by MP-BGP.
• When the IPv6 data packet arrives at 6PE2, 6PE2 pops out the explicit null label
and forwards the packet to CE2.
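The label handling of the two preceding slides, as an added example that is not part of the course material or Huawei's implementation: Python that encodes MPLS label stack entries, pushes the O-L/I-L pair at the ingress 6PE, and shows the egress decision between a per-route BGP label and the shared explicit null label 2. The label values 1024 and 3001, the CE name and the minimal IPv6 header are constructed; the label allocation helper only models the advertised label values, not a real BGP label manager.

```python
import struct

IPV6_EXPLICIT_NULL = 2      # reserved label: pop it and hand the packet to the IPv6 forwarding plane


def label_entry(label, bottom_of_stack, ttl=64, tc=0):
    """Encode one 32-bit MPLS label stack entry: label (20) | TC (3) | S (1) | TTL (8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom_of_stack) << 8) | ttl)


def parse_stack(frame):
    """Split a frame into its label stack entries and the payload below the bottom-of-stack entry."""
    labels, off = [], 0
    while True:
        if len(frame) - off < 4:
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", frame, off)
        off += 4
        labels.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                       "bos": bool((word >> 8) & 0x1), "ttl": word & 0xFF})
        if labels[-1]["bos"]:
            return labels, frame[off:]


def ingress_6pe(ipv6_pkt, outer_label, inner_label):
    """Ingress 6PE: push the BGP-allocated inner label first (bottom of stack), then the LSP label."""
    if len(ipv6_pkt) < 40 or ipv6_pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return label_entry(outer_label, False) + label_entry(inner_label, True) + ipv6_pkt


def egress_6pe(frame, bgp_labels):
    """Egress 6PE. With penultimate-hop popping the frame starts with the inner label; without it
    the LSP label is still present and is popped here first. bgp_labels maps the labels this PE
    allocated in MP-BGP to the CE-facing next hop. Returns (action, ipv6_pkt)."""
    labels, payload = parse_stack(frame)
    if len(labels) == 2:
        labels = labels[1:]
    if len(labels) != 1:
        raise ValueError(f"expected one or two labels, got {len(labels)}")
    if len(payload) < 40 or payload[0] >> 4 != 6:
        raise ValueError("payload below the label stack is not IPv6")
    inner = labels[0]["label"]
    if inner == IPV6_EXPLICIT_NULL:
        # Shared explicit null carries no per-route meaning: pop it and route on the IPv6 destination.
        return "ipv6-lookup", payload
    if inner in bgp_labels:
        return bgp_labels[inner], payload
    raise ValueError(f"label {inner} was not allocated by this PE")


def allocate_labels(prefixes, share_explicit_null, first_label=3001):
    """Labels advertised with 6PE routes: one per route by default, or explicit null for all of them."""
    if share_explicit_null:
        return {p: IPV6_EXPLICIT_NULL for p in prefixes}
    return {p: first_label + i for i, p in enumerate(prefixes)}


SAMPLE_IPV6 = bytes((0x60,)) + bytes(39)   # constructed minimal IPv6 header, all other fields zero

if __name__ == "__main__":
    frame = ingress_6pe(SAMPLE_IPV6, 1024, 3001)
    print([entry["label"] for entry in parse_stack(frame)[0]])                     # [1024, 3001]
    print(egress_6pe(frame[4:], {3001: "CE2"})[0])                                  # CE2
    print(egress_6pe(ingress_6pe(SAMPLE_IPV6, 1024, 2)[4:], {3001: "CE2"})[0])      # ipv6-lookup
```

The trade-off the slide describes is visible in `allocate_labels`: with per-route labels the egress identifies the CE from the label alone, while with the shared explicit null it must perform an IPv6 FIB lookup for every packet in exchange for using a single label regardless of the number of 6PE routes.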

Tunneling Technology: 6VPE


⚫ All IPv6 services connected through 6PE share one global IPv6 routing table and cannot be logically isolated. Therefore, 6PE can be used only for open, unprotected IPv6 network interconnection. To isolate the connected IPv6 services logically, that is, to implement IPv6 VPNs, use the IPv6 VPN Provider Edge (6VPE) technology.
⚫ 6VPE extends BGP/MPLS IP VPN to IPv6 (BGP/MPLS IPv6 VPN). It transmits IPv6 VPN services over an IPv4 MPLS backbone network.

• 6VPE uses MP-BGP to advertise VPNv6 routes on an IPv4 MPLS backbone network, uses MPLS labels to identify the VPN that IPv6 packets belong to, and uses tunneling mechanisms such as LDP LSPs and MPLS TE tunnels to transmit private network data on the backbone network.
• If the backbone network is an IPv4 network, IPv4 addresses are used to establish VPNv6 peer relationships between PEs to transmit IPv6 VPN routes. For these routes, IPv4 tunnels on the backbone network are selected to transmit IPv6 VPN services.
• Except for the routing protocols running between PEs and CEs, the implementation of 6VPE is the same as that of IPv4 VPN.

Figure: VPN1 site CE (IPv6) and VPN2 site CE (IPv6) connect to dual-stack 6VPE1; across the IPv4 MPLS backbone, dual-stack 6VPE2 connects to the VPN1 and VPN2 sites on the other side. A BGP/MPLS IPv6 VPN tunnel is established between the PEs to transmit IPv6 VPN routes. CEs and PEs use IPv6 routing protocols such as IGP, EBGP, and static routing to exchange IPv6 routes.


• In 6VPE, IPv6 routing protocols run between PEs and CEs. The following IPv6
routing protocols can be used to provide IPv6 VPN services:
▫ BGP4+

▫ Static IPv6 routing


▫ OSPFv3

▫ IS-IS for IPv6



Configuring 6VPE (1)


1. Configure a VPN instance.
[HUAWEI] ip vpn-instance vpn-instance-name

[HUAWEI-vpn-instance-vpna] ipv6-family
[HUAWEI-vpn-instance-vpna-af-ipv6] route-distinguisher route-distinguisher
[HUAWEI-vpn-instance-vpna-af-ipv6] vpn-target vpn-target [ both | export-extcommunity | import-extcommunity ]

A route distinguisher (RD) and VPN target extended community are configured for the VPN instance IPv6 address
family.

2. Bind the VPN instance to an interface.


[HUAWEI-GigabitEthernet0/0/1] ip binding vpn-instance vpn-instance-name
[HUAWEI-GigabitEthernet0/0/1] ipv6 enable
[HUAWEI-GigabitEthernet0/0/1] ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }


• Note: This course uses a Huawei NetEngine 8000 series router as an example to
describe how to configure 6VPE.
• Command: <HUAWEI>system-view [ immediately ]

▫ immediately: indicates that the configuration takes effect immediately.



Configuring 6VPE (2)


3. Configure MP-IBGP between PEs to transmit VPNv6 routes.
[HUAWEI] bgp as-number
[HUAWEI-bgp] peer ipv4-address as-number as-number
[HUAWEI-bgp] peer ipv4-address connect-interface interface-type interface-number
The remote PE is configured as an IBGP peer in the BGP view. The peer address is the remote PE's loopback address and the session is sourced from the local loopback interface, so that the session does not depend on any single physical link.

[HUAWEI-bgp] ipv6-family vpnv6
[HUAWEI-bgp-af-vpnv6] peer ipv4-address enable
The BGP VPNv6 address family view is displayed, and the ability to exchange VPNv6 routes with the peer is enabled in this view.


Configuring 6VPE (3)


4. Configure route exchange between PEs and CEs. (A static route is used as an example. The configuration on CEs
is the same as that of an ordinary IPv6 static route, and is not mentioned here.)
[PE] ipv6 route-static vpn-instance vpn-instance-name dest-ipv6-address prefix-length { interface-type
interface-number [ nexthop-ipv6-address ] | vpn-instance vpn-destination-name nexthop-ipv6-address |
nexthop-ipv6-address } [ preference preference ]
An IPv6 static route is configured for the VPN instance enabled with the IPv6 address family.

[PE-bgp] ipv6-family vpn-instance vpn-instance-name


[PE-bgp-bgp6-vpnb] import-route static [ med med | route-policy route-policy-name ]
The BGP-VPN instance IPv6 address family view is displayed, and the configured static route is imported to the
routing table of the BGP-VPN instance IPv6 address family.
• med med: specifies the MED of the imported route. The value is an integer in the range from 0 to
4294967295.
• route-policy route-policy-name: specifies a route-policy for filtering routes and modifying route attributes
when routes of other routing protocols are imported.


• Note: For details about route exchange between PEs and CEs, see the
corresponding product documentation.

Example of Configuring 6VPE (1)


Topology (backbone AS 200):
• PE1: Loopback 0 2.2.2.2/32; GE0/0/2 10.0.0.1/30 (to PE2); GE0/0/1 2001:DB8:1::2/64 (to CE1).
• PE2: Loopback 0 3.3.3.3/32; GE0/0/2 10.0.0.2/30 (to PE1); GE0/0/1 2001:DB8:2::2/64 (to CE2).
• CE1 (AS 100, vpna): GE0/0/1 2001:DB8:1::1/64; Loopback 1 2001:DB8:5::5/128.
• CE2 (AS 300, vpna): GE0/0/1 2001:DB8:2::1/64; Loopback 1 2001:DB8:6::6/128.

Configuration requirements:
 Users at different sites desire IPv6 data communication between each other across a public network without having the internal route information known to the public network, and also implement service isolation.
 As shown in the figure, CE1 and CE2 belong to vpna. It is required that 6VPE be configured to allow sites in vpna to communicate with each other through an MPLS backbone network, and PEs and CEs exchange static routes.

1. Configure IPv4 and IPv6 addresses for interfaces. (The configuration details are not provided here.)
2. Configure IS-IS on PE1 and PE2 so that they can learn routes to each other's loopback 0 interface. (The configuration details are not provided here.)
3. Enable MPLS and MPLS LDP on the backbone network, and enable PEs to establish an LDP LSP.
[PE1] mpls lsr-id 2.2.2.2
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface GigabitEthernet0/0/2
[PE1-GigabitEthernet0/0/2] mpls
[PE1-GigabitEthernet0/0/2] mpls ldp
The configuration on PE2 is similar to that on PE1, and is not provided here.


Example of Configuring 6VPE (2)


4. Create a VPN instance supporting the IPv6 address family on each PE, and bind the VPN instance to the PE's interface connected to a CE.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv6-family
[PE1-vpn-instance-vpna-af-ipv6] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv6] vpn-target 22:22 both
[PE1] interface GigabitEthernet0/0/1
[PE1-GigabitEthernet0/0/1] ip binding vpn-instance vpna
[PE1-GigabitEthernet0/0/1] ipv6 enable
[PE1-GigabitEthernet0/0/1] ipv6 address 2001:DB8:1::2 64
Binding an interface to a VPN instance removes any IP address already configured on it, which is why the IPv6 address is configured after the binding.
The configuration on PE2 is similar to that on PE1, and is not provided here.


Example of Configuring 6VPE (3)


5. Enable PEs to establish a VPNv6 peer relationship.
[PE1] bgp 200
[PE1-bgp] peer 3.3.3.3 as-number 200
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 0
[PE1-bgp] ipv6-family vpnv6
[PE1-bgp-af-vpnv6] peer 3.3.3.3 enable

[PE2] bgp 200
[PE2-bgp] peer 2.2.2.2 as-number 200
[PE2-bgp] peer 2.2.2.2 connect-interface loopback 0
[PE2-bgp] ipv6-family vpnv6
[PE2-bgp-af-vpnv6] peer 2.2.2.2 enable


Example of Configuring 6VPE (4)


6. Configure static routes on PEs and CEs, and import the static routes to the routing table of the BGP-VPN instance IPv6 address family on each PE.
[PE1] ipv6 route-static vpn-instance vpna 2001:DB8:5:: 64 2001:DB8:1::1
[PE1] bgp 200
[PE1-bgp] ipv6-family vpn-instance vpna
[PE1-bgp6-vpna] import-route static

[CE1] ipv6 route-static :: 0 2001:DB8:1::2

[PE2] ipv6 route-static vpn-instance vpna 2001:DB8:6:: 64 2001:DB8:2::1
[PE2] bgp 200
[PE2-bgp] ipv6-family vpn-instance vpna
[PE2-bgp6-vpna] import-route static

[CE2] ipv6 route-static :: 0 2001:DB8:2::2


Verifying the Configuration

1. On the PEs, check whether a VPNv6 peer relationship is established.
[PE1]display bgp vpnv6 all peer
BGP local router ID : 10.0.0.1
Local AS number : 200
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.3 4 200 19 19 0 00:12:25 Established 1

2. Check whether CE1 can ping the Loopback 1 interface of CE2.
[CE1]ping ipv6 -a 2001:db8:5::5 2001:db8:6::6
PING 2001:db8:6::6 : 56 data bytes, press CTRL_C to break
Request time out
Reply from 2001:DB8:6::6
bytes=56 Sequence=2 hop limit=62 time = 50 ms
Reply from 2001:DB8:6::6
bytes=56 Sequence=3 hop limit=62 time = 40 ms
Reply from 2001:DB8:6::6
bytes=56 Sequence=4 hop limit=62 time = 30 ms
Reply from 2001:DB8:6::6
bytes=56 Sequence=5 hop limit=62 time = 30 ms

--- 2001:db8:6::6 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 30/37/50 ms
(The first echo request timed out; the four replies that follow confirm reachability across the 6VPE backbone.)

Tunneling Technology: IPv4 over IPv6

⚫ In the late stage of the IPv4-to-IPv6 transition, IPv6 networks have been widely deployed, and IPv4 networks are siloed sites scattered among IPv6 networks. Connecting these isolated IPv4 networks with private lines is costly, so the general practice is to use tunneling, just as IPv6 over IPv4 tunneling does in the early stage.
⚫ With IPv4 over IPv6 tunneling, tunnels are created across IPv6 public networks to enable communication between isolated IPv4 networks.

Figure: IPv4 host 1 -- R1 (dual-stack) -- IPv6 network -- R2 (dual-stack) -- IPv4 host 2. Between Host 1 and R1 and between R2 and Host 2 the packet is [IPv4 Header | IPv4 Data]; inside the IPv4 over IPv6 tunnel between R1 and R2 it is [IPv6 Header | IPv4 Header | IPv4 Data].

• An IPv4 over IPv6 tunnel is manually configured between the border routers that connect the two IPv4 networks to the IPv6 network, with the source addresses or interfaces and the destination addresses statically specified.
• In the figure, packets passing through the IPv4 over IPv6 tunnel are processed on the border nodes R1 and R2; all other nodes (Host 1, Host 2, and the nodes between R1 and R2) are unaware of the tunnel. IPv4 packets are transmitted between Host 1 and R1 and between R2 and Host 2, and IPv6 packets are transmitted between R1 and R2. Therefore, R1 and R2 must be able to process both IPv4 and IPv6 packets; that is, IPv4/IPv6 dual stack must be enabled on both R1 and R2.

• Packet processing on an IPv4 over IPv6 tunnel:
 1. IPv4 packet forwarding: Host 1 sends an IPv4 packet destined for Host 2 to R1.
 2. Tunnel encapsulation: When receiving the IPv4 packet from Host 1, R1 finds that the destination address of the IPv4 packet is not its own and that the next hop is a tunnel interface, so R1 prepends an IPv6 header to the IPv4 packet. In the IPv6 header, R1 places its own IPv6 address and R2's IPv6 address in the Source Address and Destination Address fields respectively, sets the Version field to 6 and the Next Header field to 4 (IPv4 payload), and fills in the remaining header fields needed to carry the packet along the tunnel (such as Hop Limit) according to the tunnel configuration.
 3. Tunnel forwarding: R1 searches its IPv6 routing table for an entry matching the destination address in the IPv6 header and forwards the IPv6 packet to R2. Other nodes on the IPv6 network are unaware of the tunnel and process the packet as an ordinary IPv6 packet.
 4. Tunnel decapsulation: Upon receipt of the IPv6 packet, R2 finds that the destination address is its own IPv6 address and, from the Next Header field, that the encapsulated packet is an IPv4 packet. It then decapsulates the packet by removing the IPv6 header (identified by its Version field).
 5. IPv4 packet forwarding: R2 searches its IPv4 routing table for an entry matching the destination address of the IPv4 packet and forwards the packet to Host 2.
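The five-step process above, as an added example (plain Python, not Huawei code): a model of the R1 and R2 tunnel endpoints that builds the outer IPv6 header with Version 6 and Next Header 4, and on the R2 side validates the outer header before handing the inner IPv4 packet to IPv4 forwarding. The tunnel endpoint addresses, the host addresses and the UDP payload are assumed values. The check that the outer source address equals the configured tunnel peer is a hardening step added here (a manually configured tunnel knows its peer) and is not described on the page.

```python
"""IPv4 over IPv6 tunnel endpoints R1 and R2 modelled in Python.
Added example, not Huawei code. Addresses and payload are assumed values."""
import ipaddress
import struct

IPPROTO_IPV4 = 4      # IPv6 Next Header value meaning "an IPv4 packet follows"
IPV6_HDR_LEN = 40

# Assumed tunnel endpoint addresses (statically configured on R1 and R2).
R1_V6 = ipaddress.IPv6Address("2001:db8:100::1")
R2_V6 = ipaddress.IPv6Address("2001:db8:200::2")


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (checksum field included)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 header (no options, TTL 64, DF set) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tunnel_encapsulate(ipv4_packet: bytes, src6: ipaddress.IPv6Address,
                       dst6: ipaddress.IPv6Address, hop_limit: int = 64) -> bytes:
    """Step 2 on R1: prepend an IPv6 header with Version=6 and Next Header=4."""
    first_word = 6 << 28                      # version 6, traffic class 0, flow label 0
    outer = struct.pack("!IHBB16s16s", first_word, len(ipv4_packet), IPPROTO_IPV4,
                        hop_limit, src6.packed, dst6.packed)
    return outer + ipv4_packet


def tunnel_decapsulate(ipv6_packet: bytes, my_addr: ipaddress.IPv6Address,
                       peer_addr: ipaddress.IPv6Address) -> bytes:
    """Step 4 on R2: validate the outer header and return the inner IPv4 packet.
    The peer-address check is an added hardening step (a manually configured
    tunnel knows its peer); the page does not describe it."""
    if len(ipv6_packet) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, plen, nxt, _hop, src, dst = struct.unpack(
        "!IHBB16s16s", ipv6_packet[:IPV6_HDR_LEN])
    if first_word >> 28 != 6:
        raise ValueError("outer header is not IPv6")
    if ipaddress.IPv6Address(dst) != my_addr:
        raise ValueError("not addressed to this tunnel endpoint")
    if ipaddress.IPv6Address(src) != peer_addr:
        raise ValueError("outer source is not the configured tunnel peer")
    if nxt != IPPROTO_IPV4:
        raise ValueError("Next Header %d is not IPv4-in-IPv6" % nxt)
    inner = ipv6_packet[IPV6_HDR_LEN:IPV6_HDR_LEN + plen]
    if len(inner) != plen or plen < 20:
        raise ValueError("inner packet truncated")
    ihl = (inner[0] & 0xF) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or ipv4_checksum(inner[:ihl]) != 0:
        raise ValueError("inner IPv4 header invalid")
    return inner


def inner_addresses(ipv4_packet: bytes):
    """Step 5: the addresses R2 looks up in its IPv4 routing table."""
    return (str(ipaddress.IPv4Address(ipv4_packet[12:16])),
            str(ipaddress.IPv4Address(ipv4_packet[16:20])))


if __name__ == "__main__":
    pkt4 = build_ipv4_packet("10.1.1.10", "10.2.2.20", b"hello")       # Host 1 -> Host 2
    on_wire = tunnel_encapsulate(pkt4, R1_V6, R2_V6)                   # R1
    print(inner_addresses(tunnel_decapsulate(on_wire, R2_V6, R1_V6)))  # R2
```

Rejecting packets whose outer source is not the configured peer means a third party on the IPv6 network cannot inject IPv4 packets into the tunnel by spoofing only the destination; it is cheap because a manually configured tunnel already knows both addresses.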
Translation Technology: NAT64

⚫ NAT64 is a network address translation technology that translates between IPv6 and IPv4 addresses.
⚫ A node on an IPv4 network cannot directly communicate with a node on an IPv6 network, because the two protocol stacks are not compatible. To enable communication between them, a NAT64-capable device can be deployed to translate between IPv6 and IPv4.
⚫ To determine whether to perform NAT64 on a data packet, a NAT64 device checks whether the destination address of the packet contains an IPv6 prefix predefined for NAT64.
 If so, the packet is destined for an IPv4 network, and the device performs NAT64 on the packet and forwards it to the IPv4 network.
 If not, the packet is destined for an IPv6 network, and the device directly forwards the packet to the IPv6 network without performing NAT64.

Figure: an IPv6 user on the IPv6 Internet (which also hosts a DNS64 server and an IPv6 server) reaches an IPv4 server on the IPv4 Internet through a NAT64 device; IPv6 data on the IPv6 side, IPv4 data on the IPv4 side.

• Scenario where IPv6 users access IPv4 servers:
 ▫ At the early stage of IPv4-to-IPv6 evolution, carriers provide users with single-stack IPv6 access. However, many Internet servers still use IPv4 and do not support dual stack. This requires carriers to provide NAT64 devices so that single-stack IPv6 users can access IPv4 servers.
 ▫ The carriers only need to assign IPv6 addresses to users; communication between IPv6 devices is implemented based on IPv6 routes. Access from IPv6 users to IPv4 services is implemented through NAT64 devices that support dual stack.
 ▫ There are two NAT64 modes: static and dynamic. Static NAT64 is recommended when a small number of IPv6 users use fixed IP addresses, while dynamic NAT64 is recommended when a large number of IPv6 users use unfixed IP addresses.
• Scenario where IPv4 users access IPv6 servers:
 ▫ At the late stage of IPv4-to-IPv6 evolution, many service providers have begun to provide IPv6 services. However, there are still many single-stack IPv4 users on the Internet. To retain these users, the service providers deploy NAT64 devices, which allow these users to access IPv6 servers.
 ▫ In this scenario, service providers only need to assign IPv6 addresses to servers, without upgrading access devices. NAT64 devices, which must support dual stack, are deployed at the egresses, and communication between IPv6 devices is implemented based on IPv6 routes. IPv4-to-IPv6 access is implemented using static NAT64.
NAT64 Prefixes
⚫ The device determines whether to perform NAT64 on an IPv6 packet by checking whether the packet's destination address contains a NAT64 prefix.
⚫ There are two types of NAT64 prefixes:
 Well-known prefix: 64:FF9B::/96, which exists by default and does not need to be configured.
 Predefined prefix: a prefix with a length of 32, 40, 48, 56, 64, or 96 bits.

⚫ Where the IPv4 address is embedded in the IPv6 address depends on the length of the NAT64 prefix, as shown in the following table.
 PL is the prefix length, V4 is the embedded IPv4 address (the number of bits in each part is given in parentheses), Suffix is not processed by the device (its value is arbitrary), and U is the reserved octet (bits 64 to 71), whose value must be 0.

PL   Layout (bit 0 on the left, bit 127 on the right)
32   Prefix (32) | V4 (32) | U (8) | Suffix (56)
40   Prefix (40) | V4 (24) | U (8) | V4 (8)  | Suffix (48)
48   Prefix (48) | V4 (16) | U (8) | V4 (16) | Suffix (40)
56   Prefix (56) | V4 (8)  | U (8) | V4 (24) | Suffix (32)
64   Prefix (64) | U (8)   | V4 (32) | Suffix (24)
96   Prefix (96) | V4 (32)

• If the IPv4 address is 192.168.0.1 and the NAT64 prefix is 2001:DB8::/64, the IPv6 address corresponding to this IPv4 address is 2001:0DB8:0000:0000:00C0:A800:0100:0000, abbreviated 2001:DB8::C0:A800:100:0.
• When you configure a DNS64 server, ensure that it uses the same NAT64 prefix and prefix length as the NAT64 device.

• NAT64 types:
 ▫ PAT-based NAT64: translates both addresses and port numbers by mapping [IPv6 address, port number] to [IPv4 address, port number]. Multiple IPv6 addresses can be translated into the same IPv4 address, with the mappings distinguished by port number. This mode is commonly used.
 ▫ No-PAT-based NAT64: translates only addresses by mapping [IPv6 address] to [IPv4 address]. There is a one-to-one mapping between IPv6 and IPv4 addresses.
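The embedding table above, as an added example (plain Python, not firewall code): functions that place an IPv4 address into a NAT64 prefix of each supported length and recover it again, with the reserved u octet checked on extraction, plus the two checks a practitioner wants around it: the "is this destination a NAT64 destination?" decision from the overview, and a test for the overlap between a NAT64 prefix and interface prefixes that the configuration notes later in this section warn about. The prefixes and addresses used in the demo are the page's own; the function names are assumptions of this example.

```python
"""IPv4 address embedding for every supported NAT64 prefix length, following
the layout table above. Added example (plain Python), not firewall code."""
import ipaddress
from typing import Iterable, List

VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _split_bits(pl: int):
    """For prefix lengths other than 96: how many IPv4 bits sit before the u octet
    (bits pl..63) and how many after it (from bit 72 onwards)."""
    high_bits = 64 - pl
    return high_bits, 32 - high_bits


def embed_ipv4(nat64_prefix: str, ipv4: str) -> str:
    """IPv6 address representing ipv4 under nat64_prefix; the u octet (bits 64-71) stays 0."""
    prefix = ipaddress.IPv6Network(nat64_prefix, strict=False)
    pl = prefix.prefixlen
    if pl not in VALID_PREFIX_LENGTHS:
        raise ValueError("prefix length %d not allowed; use one of %s" % (pl, VALID_PREFIX_LENGTHS))
    v4 = int(ipaddress.IPv4Address(ipv4))
    addr = int(prefix.network_address)
    if pl == 96:
        addr |= v4                                     # IPv4 address is the low 32 bits
    else:
        high_bits, low_bits = _split_bits(pl)
        addr |= (v4 >> low_bits) << 64                 # bits pl..63, directly after the prefix
        addr |= (v4 & ((1 << low_bits) - 1)) << (128 - 72 - low_bits)  # bits 72 onwards
    return str(ipaddress.IPv6Address(addr))


def extract_ipv4(nat64_prefix: str, ipv6: str) -> str:
    """Inverse of embed_ipv4. Rejects addresses outside the prefix or with a non-zero u octet."""
    prefix = ipaddress.IPv6Network(nat64_prefix, strict=False)
    pl = prefix.prefixlen
    if pl not in VALID_PREFIX_LENGTHS:
        raise ValueError("prefix length %d not allowed; use one of %s" % (pl, VALID_PREFIX_LENGTHS))
    address = ipaddress.IPv6Address(ipv6)
    if address not in prefix:
        raise ValueError("%s is not inside NAT64 prefix %s" % (ipv6, nat64_prefix))
    a = int(address)
    if pl == 96:
        v4 = a & 0xFFFFFFFF
    else:
        if (a >> 56) & 0xFF:                           # bits 64..71 must be zero
            raise ValueError("reserved u octet is not zero")
        high_bits, low_bits = _split_bits(pl)
        high = (a >> 64) & ((1 << high_bits) - 1)
        low = (a >> (128 - 72 - low_bits)) & ((1 << low_bits) - 1)
        v4 = (high << low_bits) | low
    return str(ipaddress.IPv4Address(v4))


def needs_nat64(nat64_prefixes: Iterable[str], dst: str) -> bool:
    """The forwarding decision from the NAT64 overview: translate only when the
    destination lies inside a configured NAT64 prefix."""
    d = ipaddress.IPv6Address(dst)
    return any(d in ipaddress.IPv6Network(p, strict=False) for p in nat64_prefixes)


def conflicting_interface_prefixes(nat64_prefix: str, interface_prefixes: Iterable[str]) -> List[str]:
    """Interface prefixes that overlap the NAT64 prefix. Such overlap makes the device
    treat packets for on-link hosts as NAT64 traffic (see the configuration notes)."""
    n = ipaddress.IPv6Network(nat64_prefix, strict=False)
    return [p for p in interface_prefixes if n.overlaps(ipaddress.IPv6Network(p, strict=False))]


if __name__ == "__main__":
    for pl in VALID_PREFIX_LENGTHS:
        p = "2001:db8::/%d" % pl
        print("%3d  %s" % (pl, embed_ipv4(p, "192.168.0.1")))
    print(embed_ipv4("64:ff9b::/96", "1.1.1.1"))      # 64:ff9b::101:101
```

Running the demo reproduces the slide's /64 example (2001:db8::c0:a800:100:0) and the well-known-prefix form of 1.1.1.1 used in the dynamic NAT64 figure below. Feeding a DNS64 server and the NAT64 device different prefix lengths would make embed and extract disagree, which is why the slide insists the two match.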
Dynamic NAT64
⚫ Dynamic NAT64 applies to scenarios where a large number of IPv6 users use unfixed IP addresses. When an IPv6 user accesses an IPv4 server, the NAT64 device dynamically translates the IPv6 source address in the user packet into an IPv4 address from an address pool, converts the IPv6 packet into an IPv4 packet, and then sends the IPv4 packet to the IPv4 server.
⚫ The NAT64 device then creates a session table entry for the IPv6-to-IPv4 traffic and records the address mapping. Return IPv4-to-IPv6 traffic is forwarded to the corresponding IPv6 user only if it matches an entry in the session table.

Figure: IPv6 user 2001:DB8::2/64 -- DNS64 -- NAT64 firewall (IPv4 address pool 2.1.1.10/24) -- IPv4 Internet -- IPv4 server example.huawei.com 1.1.1.1. The DNS64 server maps 1.1.1.1 to 64:FF9B::0101:0101 (96-bit prefix followed by the 32-bit IPv4 address).
 1 DNS AAAA request for example.huawei.com
 2 DNS64 reply: 64:FF9B::101:101
 3 HTTP request (IPv6): SA/Port 2001:DB8::2/90, DA/Port 64:FF9B::101:101/80
 4 HTTP request (IPv4): SA/Port 2.1.1.10/190, DA/Port 1.1.1.1/80
 5 HTTP reply (IPv4): SA/Port 1.1.1.1/80, DA/Port 2.1.1.10/190
 6 HTTP reply (IPv6): SA/Port 64:FF9B::101:101/80, DA/Port 2001:DB8::2/90

Session table on the NAT64 firewall:
IN_SA/Port        IN_DA/Port             OUT_SA/Port    OUT_DA/Port
2001:DB8::2/90    64:FF9B::101:101/80    2.1.1.10/190   1.1.1.1/80

• Dynamic NAT64 mapping process:
 1. A single-stack IPv6 user sends a DNS AAAA request for a remote service (example.huawei.com).
 2. After receiving the request, the DNS64 server resolves the AAAA request. If no IPv6 address is found, it sends an A request and parses the reply to obtain the service's IPv4 address (1.1.1.1). The DNS64 server then combines the IPv4 address with the preconfigured NAT64 prefix (64:FF9B::/96) into the IPv6 address 64:FF9B::101:101 and returns this IPv6 address to the user.
 3. When receiving the DNS64 reply, the user sends a packet with this IPv6 address as the destination address to the remote server.
 4. After receiving the IPv6 packet from the user, the NAT64 device extracts the IPv4 address (1.1.1.1) from the destination IPv6 address using the address translation algorithm, changes the destination address of the packet to this IPv4 address, changes the source address of the packet to an IPv4 address (2.1.1.10) from the NAT address pool according to the address mapping configured in the NAT64 policy, and converts the IPv6 packet into an IPv4 packet. The NAT64 device then sends the IPv4 packet to the remote server on the IPv4 network and creates a session table entry with the address mapping.
 5. Upon receipt of the IPv4 packet, the IPv4 server returns a reply packet.
 6. After receiving the reply packet from the IPv4 server, the NAT64 device converts the IPv4 packet into an IPv6 packet according to the session table entry and sends the IPv6 packet to the IPv6 user.
• DNS AAAA and A records:
 ▫ AAAA record: maps a host name or domain name to an IPv6 address.
 ▫ A record: maps a domain name to an IPv4 address.
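The six-step flow above, as an added example (plain Python, not USG firewall code): DNS64 synthesis for a /96 prefix, the IPv6-to-IPv4 translation that allocates a pool address and port in PAT mode and records a session, and the reverse translation that only admits IPv4 packets matching an existing session. Addresses and ports follow the figure; the packet representation (a dict of addresses, ports and protocol) and the pool's starting port are assumptions of this example. Only /96 prefixes are handled here, where the IPv4 address is simply the low 32 bits.

```python
"""Dynamic (PAT) NAT64 walkthrough for the six-step flow in the text.
Added example, not USG firewall code. Packets are plain dicts here."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known NAT64 prefix. With any /96 prefix the IPv4 address is the low 32 bits.
WKP = ipaddress.IPv6Network("64:ff9b::/96")

FlowKey = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WKP) -> str:
    """Step 2: the DNS64 server turns the A record into a AAAA record."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))))


def extract_ipv4_96(ipv6: str) -> str:
    """Step 4: recover the IPv4 address embedded after a /96 prefix."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFF))


@dataclass(frozen=True)
class Session:
    in_sa: str       # IPv6 side, as in the slide's session table
    in_sport: int
    in_da: str
    in_dport: int
    out_sa: str      # IPv4 side
    out_sport: int
    out_da: str
    out_dport: int
    proto: str


class Nat64Pat:
    """Dynamic NAT64 in PAT mode: many IPv6 users share the pool addresses, told apart by port."""

    def __init__(self, pool: List[str], prefix: ipaddress.IPv6Network = WKP,
                 first_port: int = 1024, last_port: int = 65535):
        self.prefix = prefix
        self.pool = pool
        self.ports = range(first_port, last_port + 1)
        self.sessions: Dict[FlowKey, Session] = {}   # IPv6-side 5-tuple -> session
        self.reverse: Dict[FlowKey, Session] = {}    # IPv4-side 5-tuple of the reply -> session
        self._used = set()                           # (pool address, port, proto) already handed out

    def _allocate(self, proto: str) -> Tuple[str, int]:
        for addr in self.pool:
            for port in self.ports:
                if (addr, port, proto) not in self._used:
                    self._used.add((addr, port, proto))
                    return addr, port
        raise RuntimeError("NAT64 address pool exhausted")

    def translate_out(self, pkt: dict) -> dict:
        """IPv6 -> IPv4 (step 4). A destination outside the NAT64 prefix is ordinary
        IPv6 traffic and is returned untouched."""
        src = str(ipaddress.IPv6Address(pkt["src"]))
        dst = ipaddress.IPv6Address(pkt["dst"])
        if dst not in self.prefix:
            return pkt
        key: FlowKey = (src, pkt["sport"], str(dst), pkt["dport"], pkt["proto"])
        sess = self.sessions.get(key)
        if sess is None:
            out_sa, out_sport = self._allocate(pkt["proto"])
            sess = Session(src, pkt["sport"], str(dst), pkt["dport"],
                           out_sa, out_sport, extract_ipv4_96(str(dst)), pkt["dport"], pkt["proto"])
            self.sessions[key] = sess
            # The reply arrives with the IPv4 server as source and the pool address as destination.
            self.reverse[(sess.out_da, sess.out_dport, sess.out_sa, sess.out_sport, sess.proto)] = sess
        return {"src": sess.out_sa, "sport": sess.out_sport,
                "dst": sess.out_da, "dport": sess.out_dport, "proto": sess.proto}

    def translate_in(self, pkt: dict) -> Optional[dict]:
        """IPv4 -> IPv6 (step 6). Only packets matching an existing session are
        translated; anything else is dropped (None), so nothing on the IPv4 side
        can open a connection to an IPv6 user through dynamic NAT64."""
        key: FlowKey = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        sess = self.reverse.get(key)
        if sess is None:
            return None
        return {"src": sess.in_da, "sport": sess.in_dport,
                "dst": sess.in_sa, "dport": sess.in_sport, "proto": sess.proto}


if __name__ == "__main__":
    nat = Nat64Pat(["2.1.1.10"], first_port=190)      # first_port chosen to match the figure
    aaaa = dns64_synthesize("1.1.1.1")                  # 64:ff9b::101:101
    v4_req = nat.translate_out({"src": "2001:db8::2", "sport": 90, "dst": aaaa, "dport": 80, "proto": "tcp"})
    v6_rep = nat.translate_in({"src": "1.1.1.1", "sport": 80, "dst": "2.1.1.10", "dport": 190, "proto": "tcp"})
    print(aaaa, v4_req, v6_rep)
```

The property worth noticing is in translate_in: because dynamic NAT64 only creates state from the IPv6 side, an IPv4 host that is not the other end of an existing session is dropped, which is exactly why the static NAT64 described next is needed when IPv4 users must initiate connections to IPv6 servers.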
Static NAT64
⚫ Static NAT64 allows for static mappings between IPv6 and IPv4 addresses. These mappings are not updated and do not age; they exist until you delete them. Both IPv6-to-IPv4 and IPv4-to-IPv6 traffic can trigger the creation of session table entries, so not only can IPv6 users access IPv4 servers, but IPv4 users can also access IPv6 servers.
⚫ When users access services of the other protocol stack (IPv4-to-IPv6 or IPv6-to-IPv4), the device translates the destination address in the packets according to the corresponding static address mapping.

Figure: IPv4 user 1.1.1.1/24 -- IPv4 Internet -- NAT64 firewall (Prefix64: 64:FF9B::/96; static mapping 2001:DB8::2 <-----> 2.1.1.10) -- IPv6 server example.huawei.com 2001:DB8::2/64. A DNS server on which the domain name and address have been registered is reachable from the IPv4 side.
 1 DNS A request for example.huawei.com
 2 DNS reply: 2.1.1.10
 3 HTTP request (IPv4): SA/Port 1.1.1.1/80, DA/Port 2.1.1.10/190
 4 HTTP request (IPv6): SA/Port 64:FF9B::101:101/80, DA/Port 2001:DB8::2/90
 5 HTTP reply (IPv6): SA/Port 2001:DB8::2/90, DA/Port 64:FF9B::101:101/80
 6 HTTP reply (IPv4): SA/Port 2.1.1.10/190, DA/Port 1.1.1.1/80

Session table on the NAT64 firewall:
OUT_DA/Port       OUT_SA/Port            IN_DA/Port     IN_SA/Port
2001:DB8::2/90    64:FF9B::101:101/80    2.1.1.10/190   1.1.1.1/80

• Static NAT64 mapping process:
 1. An IPv4 user sends a DNS A request for example.huawei.com to the DNS server.
 2. After receiving the request, the DNS server resolves the domain name to its IPv4 address (2.1.1.10) and sends a reply containing this IPv4 address to the user. In this scenario, the mapping between the domain name and the IPv4 address has been predefined on the DNS server. If no IPv4 address is available for the A request, the packet is discarded.
 3. After receiving the DNS reply, the user sends a packet with the obtained IPv4 address as the destination address to the remote server.
 4. Upon receipt of the IPv4 packet, the NAT64 device translates the destination IPv4 address into an IPv6 address (2001:DB8::2) according to the preconfigured static address mapping (from which a server mapping table is generated), combines the source IPv4 address with the preconfigured NAT64 prefix into the source IPv6 address (64:FF9B::101:101), and converts the IPv4 packet into an IPv6 packet. The NAT64 device then sends the IPv6 packet to the remote server on the IPv6 network and creates a session table entry.
 5. Upon receipt of the IPv6 packet, the server returns a reply packet.
 6. After receiving the reply packet from the IPv6 server, the NAT64 device converts the IPv6 packet into an IPv4 packet according to the session table entry and sends the IPv4 packet to the IPv4 user.
Configuring a NAT64 Prefix

1. Enable NAT64 globally or on an interface.
[HUAWEI] nat64 enable
[HUAWEI-GE1/0/1] nat64 enable
When NAT64 is enabled globally, it takes effect on all interfaces.

2. Configure a NAT64 prefix.
[HUAWEI] nat64 prefix prefix prefix-length
• prefix: specifies the prefix of an IPv6 address, in the format X:X:X:X:X:X:X:X.
• prefix-length: specifies the prefix length. The value can be 32, 40, 48, 56, 64, or 96.

3. Check the NAT64 prefix configuration.
[HUAWEI] display nat64 prefix

• NAT64 prefix configuration:
 ▫ A NAT64 prefix must be different from the IPv6 address prefix of any interface on the device. Otherwise, the device treats packets whose destination IPv6 addresses are on the same network segment as the interface as NAT64 packets and starts NAT64 processing for them.
 ▫ When multiple NAT64 prefixes are configured and dynamic NAT64 is used, all of these NAT64 prefixes can be used for NAT64 translation of IPv6-to-IPv4 traffic. If static NAT64 is used, the device randomly selects one of these prefixes.
• Note: This course uses a Huawei USG6000 series firewall as an example to describe how to configure NAT64.
Configuring Dynamic NAT64

1. Configure a NAT address pool.
[HUAWEI] nat address-group group-name [ group-number ]
[HUAWEI-address-group-nataddr] mode { pat | full-cone { global | local } [ no-reverse ] }
The address pool mode is configured. By default, the PAT mode is used.
[HUAWEI-address-group-nataddr] section section-id start-address [ end-address ]
The IP address segments in the address pool are configured.

2. Configure a NAT policy.
[HUAWEI] nat-policy
[HUAWEI-policy-nat] rule name rule-name
[HUAWEI-policy-nat-rule-abc] nat-type nat64
The NAT policy type is configured. Other configurations are similar to NAT configuration on a firewall and are not provided here.

• Command: mode { pat | full-cone { global | local } [ no-reverse ] }
 ▫ pat: specifies the PAT mode.
 ▫ full-cone: specifies the 3-tuple NAT mode.
 ▫ global: specifies the global 3-tuple NAT mode. The generated server mapping table does not contain security zone parameters and is not subject to the restrictions of interzone relationships.
 ▫ local: specifies the local 3-tuple NAT mode. The generated server mapping table contains security zone parameters and is subject to the restrictions of interzone relationships.
 ▫ no-reverse: specifies that no reverse server mapping table is generated.
 ▫ Note: full-cone (3-tuple) mode lets any external host send traffic to an established mapping, whereas PAT mode only admits replies that match the full session. Keep the default PAT mode unless an application specifically needs full-cone behaviour, and prefer local over global so that interzone policy still applies to the mapping.
Configuring Static NAT64

1. Configure static NAT64.
[HUAWEI] nat64 static ipv6-address ipv4-address [ route ]
Static NAT64 mapping for a specified IPv6 address is configured.
[HUAWEI] nat64 static protocol icmp ipv6-address ipv4-address [ route ]
Static NAT64 mapping for ICMP is configured.
[HUAWEI] nat64 static protocol { tcp | udp } ipv6-address [ ipv6-port ] ipv4-address [ ipv4-port ] [ route ]
Static NAT64 mapping for TCP or UDP is configured.

Example for Configuring Dynamic NAT64 (1)

Figure: IPv6 PC 2001:DB8::1/64 -- IPv6 network (with a DNS64 server) -- [Untrust] GE1/0/1 2001:DB8::2/64 Firewall 1 GE1/0/2 1.1.1.1/24 [Trust] -- IPv4 server 1.1.1.2/24.

⚫ Configuration requirements:
 Firewall 1 supports the IPv4/IPv6 dual stack and is connected to an IPv4 network and an IPv6 network.
 The IPv6 network has a large number of PCs using unfixed IP addresses. These PCs need to access the server on the IPv4 network through the domain name example.huawei.com.

1. Configure IPv4 and IPv6 addresses for Firewall 1 and configure security zones. (The configuration details are not provided here.)

2. Configure a security policy.
[FW1] security-policy
[FW1-policy-security] rule name sec1
[FW1-policy-security-rule-sec1] source-zone untrust
[FW1-policy-security-rule-sec1] destination-zone trust
[FW1-policy-security-rule-sec1] source-address 2001:db8:: 64
[FW1-policy-security-rule-sec1] action permit

3. Enable NAT64 on GE1/0/1 of Firewall 1.
[FW1] interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1] nat64 enable

4. Set the NAT64 prefix to 2001:db8:1::/96 (a predefined prefix).
[FW1] nat64 prefix 2001:db8:1:: 96

Example for Configuring Dynamic NAT64 (2)

(Same topology and configuration requirements as on the previous slide.)

5. Configure a NAT64 address pool.
[FW1] nat address-group pool1
[FW1-address-group-pool1] mode pat
[FW1-address-group-pool1] section 1 1.1.1.6 1.1.1.10

6. Configure dynamic NAT64.
[FW1] nat-policy
[FW1-policy-nat] rule name nat64
[FW1-policy-nat-rule-nat64] nat-type nat64
[FW1-policy-nat-rule-nat64] source-zone untrust
[FW1-policy-nat-rule-nat64] destination-zone trust
[FW1-policy-nat-rule-nat64] source-address 2001:db8:: 64
[FW1-policy-nat-rule-nat64] action source-nat address-group pool1

• The destination address of the IPv6 packets sent by the IPv6 PC is the NAT64 address 2001:DB8:1::101:102 (the server address 1.1.1.2 embedded after the 96-bit prefix 2001:DB8:1::/96).
• Other configurations:
 ▫ Configure the DNS64 server.
  ▪ Set the IPv6 prefix of the DNS64 server to 2001:DB8:1::/96, which is the NAT64 prefix of Firewall 1.
  ▪ Configure reachable routes from the DNS64 server to the PC and the server.
 ▫ Configure the IPv6 address, route, and DNS server for the PC. (The method of configuring an IPv6 address and a route varies according to the PC operating system; the detailed procedure is not provided here.)
  ▪ Set the PC IPv6 address to 2001:DB8::1/64, which is on the same network segment as GE1/0/1 of Firewall 1.
  ▪ Configure a static route from the PC to the destination network segment 2001:db8:1::/96, with the next hop address set to 2001:db8::2.
  ▪ Configure the DNS64 server IPv6 address on the PC.
 ▫ Configure an IPv4 address for the server. (The configuration method varies according to the server operating system; the detailed procedure is not provided here.)
  ▪ Set the IPv4 address of the server to 1.1.1.2/24, which is on the same network segment as GE1/0/2 of Firewall 1.
Translation Technology: IVI

⚫ The IVI stateless address translation technology translates an IPv4 address segment (IVI4 addresses) reserved by carriers into a special IPv6 address segment (IVI6 addresses, which embed the IPv4 addresses).
⚫ Users with IVI6 addresses can directly access the global IPv6 network, and can access the global IPv4 network after an IVI gateway translates their IVI6 addresses into IVI4 addresses.
⚫ IVI6 address format (bit positions 0 to 127):
 bits 0-31: IVI Prefix | bits 32-39: FF | bits 40-71: IPv4 Address | bits 72-127: Suffix
 • The first 32 bits are the IVI prefix, an IPv6 address prefix; the following eight bits (32 to 39) are fixed at FF.
 • Bits 40 to 71 are the embedded IPv4 address.
 • The Suffix is all 0s.

Figure: an IPv6 user with an IVI6 address -- IPv6 Internet (IVI DNS, IPv6 server) -- IVI gateway -- IPv4 Internet (IPv4 server); IPv6 data on the IPv6 side, IPv4 data on the IPv4 side.

• IVI supports communication requests initiated by both IPv6 and IPv4 hosts.
• The following uses access from an IVI6 host to a global IPv4 host as an example:
 1. In this scenario, stateless IPv6 address autoconfiguration cannot be used because of the special IVI6 address format. The IVI6 host therefore obtains its IVI6 address, default gateway address, and DNS server address through static configuration or DHCPv6 options.
 2. The IVI6 host sends an AAAA query to the dual-stack IVI DNS server. This DNS server stores the IVI4 addresses of IVI servers and their corresponding IVI6 addresses. When receiving the AAAA query, the IVI DNS server sends an AAAA query to the target network. If no AAAA record exists, the IVI DNS server sends an A query, converts the obtained A record into an AAAA record according to the IVI mapping rule, and returns the AAAA record to the IVI6 host.
 3. The IVI6 host sends a data packet. When receiving this packet, the IVI gateway statelessly converts it into an IPv4 packet: the IPv4 address embedded in the IVI6 source address is extracted and used as the source address in the IPv4 header, and the header is translated using the Stateless IP/ICMP Translation (SIIT) algorithm.
 4. The resulting IPv4 packet is routed across the IPv4 network, thereby implementing access from the IVI6 host to the IPv4 host.
• IVI restriction: The IPv6 addresses of hosts and servers must be planned and configured in compliance with the IVI format.
Quiz

1. (Multiple-answer question) Which of the following technologies can be used to carry IPv6 service traffic on an IPv4 WAN? ( )
A. GRE tunneling
B. 6PE
C. NAT64
D. 6VPE

Answer: 1. ABD
Summary
⚫ IPv6 provides a vast number of network address resources, making it key to implementing the Internet of Everything (IoE) and promoting the digital, networked, and intelligent development of production and daily life. The IPv6-based next-generation Internet is an inevitable trend of Internet evolution and upgrade.
⚫ In the early stage of the IPv4-to-IPv6 transition, IPv4 networks are widely deployed, whereas IPv6 networks are siloed networks scattered around the world. Tunneling technologies can be used to create tunnels over IPv4 networks so as to connect these siloed IPv6 networks. Address translation technologies can also be used to translate between IPv6 and IPv4 addresses and protocols for bidirectional communication.
⚫ This course mainly describes the fundamentals and applications of transition technologies during IPv6 network evolution, including IPv6 over IPv4 tunneling, 6PE, 6VPE, IPv4 over IPv6 tunneling, NAT64, and IVI.
Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright © 2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
QoS Fundamentals

Foreword
⚫ With the continuous development of networks, the network scale and the number of traffic types keep growing. As a result, Internet traffic increases sharply, network congestion occurs, forwarding delay increases, and packets may even be lost. Service quality then deteriorates, or services become unavailable. To deploy real-time and non-real-time services on an IP network, network congestion must be resolved. The common solution is to increase network bandwidth, but this is not ideal given the network construction cost.
⚫ Quality of service (QoS) is introduced in this situation. With limited bandwidth, QoS uses a "guaranteed" policy to manage network traffic and provides services of different priorities for different traffic.
⚫ This course describes QoS fundamentals.

Objectives
⚫ On completion of this course, you will be able to:
 Describe the QoS background.
 Describe QoS types.
 Describe the implementation of the QoS DiffServ model.
 Describe application scenarios of different QoS funct
 Describe basic configuration of QoS.
 Describe HQoS fundamentals.
 Describe basic configuration of HQoS.

Contents
1. Introduction to QoS
2. Traffic Classification and Marking
3. Traffic Limiting Technology
4. Congestion Avoidance Technology
5. Congestion Management Technology
6. Introduction to HQoS
"Best-Effort" Traditional Network
⚫ When IP networks first emerged, there was no QoS guarantee.
⚫ You only know that the packets have been sent. Whether and when they will be received is unknown.

Figure: all packets receive undifferentiated treatment and are forwarded First In First Out (FIFO).

• On a traditional IP network, each network device handles all packets in an undifferentiated manner and follows the First In First Out (FIFO) rule to transmit packets. Devices transmit packets to the destination in best-effort (BE) mode, but the BE mode cannot ensure performance in terms of delay and reliability.
QoS Background
⚫ With continuous technology improvement and fierce product competition, users have increasingly higher requirements on network quality.

Figure: high-definition image quality, high network speed and good signal quality, contrasted with poor image quality, low network speed, frame freezing and poor signal quality.

• With the emergence of new applications on IP networks, new QoS requirements are raised for IP networks.
Overview of QoS

QoS is designed to provide different service quality according to networking requirements.

Figure: traffic types (live streaming, video communication, email, FTP) and the factors affecting QoS: bandwidth, latency, jitter, packet loss rate, and availability.

• To support voice, video, and data services with different requirements, the network must distinguish the different communication types before providing the corresponding QoS.
 ▫ For example, real-time services such as Voice over IP (VoIP) demand short latency; a long packet transmission latency is unacceptable to them. Email and File Transfer Protocol (FTP) services are comparatively insensitive to latency.
 ▫ The BE mode of traditional IP networks cannot identify and distinguish the various communication types on the network, yet this distinguishing capability is the premise for providing differentiated services. Because the BE mode cannot satisfy application requirements, QoS is introduced.
• What is QoS? QoS is designed to provide different service quality according to networking requirements. Examples:
 ▫ The bandwidth used by FTP on the backbone network can be limited, and database access can be given a higher priority.
 ▫ For an ISP whose users transmit voice, video, or other real-time services, QoS enables the ISP to differentiate these packets and provide different services.
 ▫ QoS can provide bandwidth and low-delay guarantees for time-sensitive multimedia services, so that other services on the network do not affect these time-sensitive services.
• Which factors affect QoS?
 ▫ Bandwidth: the transfer speed of IP packets on a network, expressed as an average or a peak value. Bandwidth competition can be resolved by increasing the bandwidth, but bandwidth cannot be increased infinitely.
 ▫ Latency: the round trip time (RTT) of an IP packet between two nodes on a network. Delay-sensitive traffic, such as video and voice traffic, is the most affected.
 ▫ Jitter: the variation in latency between packets of the same data stream transferred in the same direction. It is related to latency: the shorter the latency, the smaller the jitter range. Jitter has a great impact on real-time services such as voice and video.
 ▫ Packet loss rate: the maximum packet loss rate allowed when a service is transmitted on a network. It is used to measure network reliability. A small number of lost packets has little impact on services, but a large number severely affects transmission efficiency.
 ▫ Availability: the availability of a connection between a user and the IP service, including the connection setup time and holding time.
QoS Service Models
⚫ QoS provides three service models:
 Best-Effort (BE) model
 Integrated Services (IntServ) model
 Differentiated Services (DiffServ) model
BE Model
⚫ An application can send any number of packets at any time.
⚫ The network then makes the best effort to transmit the packets.
! No guarantee of performance in terms of delay and reliability.

Figure: undifferentiated treatment, FIFO.

• The BE model is the simplest service model: an application can send any number of packets at any time without obtaining approval from or notifying the network.
• The network then makes the best effort to transmit the packets but provides no guarantee of performance in terms of delay and reliability.
• The BE model is the default service model for the Internet and applies to various network applications, such as the File Transfer Protocol (FTP) and email. It uses FIFO queues.
IntServ Model
⚫ Before sending packets, an application needs to apply for specific services through signaling.
⚫ After receiving a resource request from an application, the network reserves resources for each information flow by exchanging RSVP signaling information.
! Complex implementation and waste of resources.

Figure: an application (live streaming, video communication, ...) signals "I require 1 Mbit/s bandwidth", and each node along the path reserves 1 Mbit/s of bandwidth.

• The IntServ model is a comprehensive service model that can meet various QoS requirements.
• Before sending packets, an application needs to apply for specific services through signaling. This request is sent through RSVP, which applies for network resources for an application before the application starts to send packets.
• Once the network decides to allocate resources to the application, it maintains a state for each flow (identified by the IP addresses, port numbers, and protocol numbers at both ends) and performs packet classification, traffic policing, queuing, and scheduling based on that state. After receiving the acknowledgment from the network (confirming that the network has reserved resources for the application's packets), the application starts to send packets. As long as the application's packets stay within the range described by the traffic parameters, the network promises to meet the application's QoS requirements.
• Analogy: reserving a vehicle. You apply for the service in advance, and resources are reserved when they are sufficient. However, the vehicle service vendor has to maintain a large amount of booking information.
• Disadvantage: The implementation of the IntServ model is complex. When no traffic is transmitted, the bandwidth is still exclusively occupied, so usage is low. This solution also requires all end-to-end nodes to support and run RSVP.
DiffServ Model
⚫ Traffic on a network is classified into multiple classes, and a corresponding processing
behavior is defined for each class, so that the traffic has different forwarding priorities,
packet loss rates, and delays.

[Figure: DiffServ model. Traffic from live streaming, video communication, and
FTP at the branch enters the DS domain through a DS edge node, which performs
(1) traffic classification and marking; DS nodes perform (2) CoS mapping and
(3) queue scheduling on the way to the HQ.]

• DiffServ is a multi-service model and can satisfy different QoS requirements.
Currently, this model is widely used on IP networks.
• Before sending a packet, the application does not need to notify the network to
reserve resources for it. In the DiffServ model, the network does not need to
maintain the status of each flow. Instead, it provides specific services based on
precedence fields of packets (for example, the DS field in the IP header).

• The DiffServ model classifies network traffic into multiple classes for
differentiated processing. To be specific, the DiffServ model implements traffic
classification first and allocates different identifiers to different classes of packets.
After a network node receives these packets, it simply identifies these identifiers
and processes packets based on the actions corresponding to these identifiers.

• There is an analogy between the DiffServ model and train ticket service system. A
train ticket marks the service that you book: soft sleeper, hard sleeper, hard seat,
or no seat. You get on a train and enjoy the specific service marked in your ticket.
On an IP network, an identifier is to a packet as a train ticket is to a passenger.

• In addition to traffic classification and marking, the DiffServ model provides the
queuing mechanism. When network congestion occurs on a device, the device
buffers packets in queues. The device sends the packets out of queues when
network congestion is relieved.
Common QoS Technologies (DiffServ Model)
⚫ Common technologies:
▫ Traffic limiting: Traffic policing and traffic shaping are used to monitor the rate
of traffic entering the network and limit the usage of traffic and resources.
▫ Congestion avoidance: adjusts the network traffic to relieve network overload.
▫ Congestion management: adjusts the scheduling sequence of packets to meet
the high QoS requirements of delay-sensitive services.

• Rate limiting: Traffic policing and traffic shaping monitor the rate of traffic
entering the network to limit the traffic and resource usage, providing better
services for users.
• Congestion avoidance and congestion management: When congestion occurs on
a network, the device determines the sequence in which packets are forwarded
according to a certain scheduling policy so that key services are processed first.
Or, the device proactively adjusts traffic to relieve network overload by
discarding packets.
QoS Data Processing (DiffServ Model)
[Figure: QoS processing path on a device. Video, voice, and data packets arrive
at the inbound interface and pass through traffic classification, CAR (token
bucket; traffic policing), re-marking, and other processing; they are then placed
in Queue 0 to Queue N, where WRED (congestion avoidance) and scheduling
(congestion management) are applied, and finally GTS (traffic shaping) before
the outbound interface.]

• QoS technology provides the following functions:
▫ Traffic classification and marking: identify objects based on certain
matching rules, which is the prerequisite for implementing differentiated
services. They are usually applied to the inbound direction of an interface.
▫ Token bucket: is used to check whether traffic meets packet forwarding
conditions.
▫ Traffic policing: monitors the volume of specific data traffic that arrives at
network devices, and is usually applied to incoming traffic. When the traffic
volume exceeds the maximum value, traffic limiting or punishment
measures are taken to protect the business interests and network resources
of service providers.
▫ Congestion avoidance: Excessive congestion may damage network
resources. Congestion avoidance monitors the usage of network resources.
When congestion aggravates, congestion avoidance proactively adjusts
traffic to relieve network overload by discarding packets. Congestion
avoidance is generally applied to the outbound direction of an interface.
▫ Congestion management: is taken to solve the problem of resource
competition. Packets are buffered in queues and a scheduling algorithm is
used to determine the forwarding sequence of packets. Congestion
management is usually applied to the outbound direction of an interface.
▫ Traffic shaping: is a traffic control measure that proactively adjusts the
output rate of traffic. Traffic shaping enables the traffic to adapt to the
network resources that can be provided by the downstream device to
prevent packet loss and congestion. Traffic shaping is usually applied to the
outbound direction of an interface.
Quiz
1. (Multiple-answer question) Which of the following service models are provided by
QoS? ( )
A. DiffServ model
B. IntServ model
C. BE model
D. Network service model

1. ABC
Section Summary
⚫ QoS service models include the DiffServ, IntServ, and BE models.
⚫ The DiffServ model is the most commonly used QoS model. It provides rate
limiting, congestion avoidance, and congestion management.
Contents

1. Introduction to QoS

2. Traffic Classification and Marking

3. Traffic Limiting Technology

4. Congestion Avoidance Technology

5. Congestion Management Technology

6. Introduction to HQoS

QoS Data Processing
[Figure: the QoS processing path: inbound interface → traffic classification →
CAR → re-marking → other processing → Queue 0 to Queue N (WRED, scheduling)
→ GTS → outbound interface, for video, voice, and data packets.]

• Traffic classification and marking: identify objects based on certain matching
rules, which is the prerequisite for implementing differentiated services. They are
usually applied to the inbound direction of an interface.
Why Are Traffic Classification and Traffic Marking Required?
⚫ Traffic classification and marking are the basis of QoS and the prerequisite for implementing
differentiated services.

[Figure: video, voice, and data packets arriving at the inbound interface are
classified (traffic classification) and marked (traffic marking), producing packets
with different priorities that are placed into queues.]

• To implement differentiated services, the traffic entering a DS domain needs to
be classified according to certain rules, and then different services are provided
for different types of traffic.
• After packets are classified at the DS domain edge, intermediate nodes provide
differentiated services for classified packets. The downstream node can accept
the classification result of its upstream node or classifies packets based on its
own criteria.
• Traffic classification and marking are prerequisites for differentiated services.
▫ Traffic classification technology classifies packets into different types, and
does not modify the data packets.
▫ Marking technology marks packets with different priorities, and modifies
the data packets. Marking is classified into internal and external marking.
▪ Internal marking: sets the CoS and drop precedence of packets for internal
processing on a device so that packets can be placed directly in specific queues.
Setting the drop precedence of packets is also called coloring packets. When
traffic congestion occurs, packets in the same queue are provided with
differentiated buffer services based on colors.
▪ External marking: sets or modifies the priority of packets so that the
downstream device can provide services based on the changed priority.
Modifying the packet priorities is also called re-marking.
Behavior Aggregate Classification
[Figure: BA classification. Uplink direction: the 802.1p value of a VLAN packet,
the MPLS EXP value of an MPLS packet, or the DSCP value of an IP packet is
mapped to a service class and color before the packet enters the switch fabric
(SFU). Downlink direction: the service class and color are mapped back to the
802.1p, MPLS EXP, or DSCP value. Packet header priority = external priority
(different packets use different QoS priorities); service class = internal priority
(CoS of packets on the device); color = drop priority of packets on the device.]

• BA classification allows the device to classify packets based on related values as
follows: IP priority or DSCP value of IPv4 packets, TC value of IPv6 packets, EXP
value of MPLS packets, and 802.1p value of VLAN packets. It is used to simply
identify the traffic that has the specific priority or service classes for mapping
between external and internal priorities.
• BA classification confirms that the priority of incoming packets on a device is
trusted and mapped to the service class and color based on a priority mapping
table. The service class and color of outgoing packets are then mapped back to
the priority.
• Packets carry different types of precedence field depending on the network type.
For example, packets carry the 802.1p value on a VLAN network, the EXP value
on an MPLS network, and the DSCP value on an IP network. To provide
differentiated services for different packets, the device maps the QoS priority of
incoming packets to the scheduling precedence (also called service class) and
drop precedence (also called color), and then performs congestion management
based on the service class and congestion avoidance based on the color. Before
forwarding packets out, the device maps the service class and color of the
packets back to the QoS priority, which provides a basis for other devices to
process the packets.
External Priority: VLAN Packet
[Figure: BA classification for a VLAN packet. Ethernet frame: Dest add | Sour add |
802.1Q (PRI) | Length/Type | Data | FCS. 802.1Q tag: TPID | PRI (3 bits) | CFI |
VLAN ID. The PRI field is the external priority; value range: 0–7.]

• Eight service priorities (PRIs) are defined in the VLAN tag of the Ethernet frame
header.
External Priority: MPLS Packet
[Figure: BA classification for an MPLS packet. Packet: Link layer header | Label
(EXP) | Layer 3 header | Layer 3 payload. Label: Label | EXP (3 bits) | S | TTL. The
EXP field is the external priority; value range: 0–7.]

• The EXP field in the label is used as the external priority of MPLS packets to
differentiate service classes of data traffic.
External Priority: IP Packet
[Figure: BA classification for an IP packet. Header: Version | Len | ToS (IP
Precedence/DSCP) | … | Protocol | FCS | IP-SA | IP-DA | Data. Within the ToS
byte (bits 7 to 0), the IP precedence occupies the top 3 bits (value range: 0–7)
and the DSCP occupies the top 6 bits (value range: 0–63). Both are external
priorities.]

• Eight IP service types are defined in the Precedence field of the ToS field in an
IPv4 packet header.
• The ToS field in the IPv4 packet header is redefined as the Differentiated Services
(DS) field. That is, the IP Precedence field is extended.
Mapping Between External Priorities

802.1p   MPLS EXP   IP precedence   DSCP    Class   DSCP name
7        7          7               56-63   CS      CS7 (56)
6        6          6               48-55   CS      CS6 (48)
5        5          5               40-47   EF      EF (46)
4        4          4               32-39   AF      AF41 (34)  AF42 (36)  AF43 (38)
3        3          3               24-31   AF      AF31 (26)  AF32 (28)  AF33 (30)
2        2          2               16-23   AF      AF21 (18)  AF22 (20)  AF23 (22)
1        1          1               8-15    AF      AF11 (10)  AF12 (12)  AF13 (14)
0        0          0               0-7     BE      BE (0)
(Rows are listed in descending order of priority.)
Service Class
[Figure: on the BA classification diagram, the service class is highlighted.
Service class of packets on the device = internal priority; the service class
determines the types of queues to which packets belong. Queues in descending
order of priority: CS7, CS6 (CS); EF (EF); AF4, AF3, AF2, AF1 (AF); BE (BE).]

• Service class, that is, queue.
• Service classes refer to the internal priorities of packets. Eight service class values
are available: class selector 7 (CS7), CS6, expedited forwarding (EF), assured
forwarding 4 (AF4), AF3, AF2, AF1, and best-effort (BE). Service classes determine
the types of queues to which packets belong.
• The priority of queues with a specific service class is calculated based on
scheduling algorithms.
▫ If queues with eight service classes all use priority queuing (PQ) scheduling,
queues are displayed in descending order of priority: CS7 > CS6 > EF > AF4
> AF3 > AF2 > AF1 > BE.
▫ If the BE queue uses PQ scheduling (this configuration is rare on live
networks) but all the other seven queues use weighted fair queuing (WFQ)
scheduling, the BE queue is of the highest priority.
▫ If the queues of eight service classes all use WFQ scheduling, their priorities
are the same.
Color
[Figure: on the BA classification diagram, the color is highlighted. Color = drop
priority of packets on the device; the color of packets determines the order in
which packets are dropped in a congested queue. Colors in descending order of
priority: green, yellow, red.]

• Color, referring to the drop priority of packets on a device, determines the order
in which packets in one queue are dropped when traffic congestion occurs.
• As defined by the Institute of Electrical and Electronics Engineers (IEEE), the color
of a packet can be green, yellow, or red.
• Drop priorities are compared based on the configured parameters. For example,
if a maximum of 50% of the buffer is configured to store packets colored green,
whereas a maximum of 100% of the buffer is configured to store packets colored
red, the drop priority of packets colored green is higher than that of packets
colored red.
Mapping
[Figure: on the BA classification diagram, the mapping step is highlighted.]

Uplink mapping (from external priorities to internal priorities):
DSCP 32-39 (34, 36, 38)  →  service class/color AF41, AF42, AF43 (AF)
DSCP 24-31 (26, 28, 30)  →  service class/color AF31, AF32, AF33 (AF)
DSCP 16-23 (18, 20, 22)  →  service class/color AF21, AF22, AF23 (AF)
DSCP 8-15 (10, 12, 14)   →  service class/color AF11, AF12, AF13 (AF)

Downlink mapping (from internal priorities to external priorities):
service class/color AF41, AF42, AF43 (AF)  →  DSCP 32-39 (34, 36, 38)
service class/color AF31, AF32, AF33 (AF)  →  DSCP 24-31 (26, 28, 30)
service class/color AF21, AF22, AF23 (AF)  →  DSCP 16-23 (18, 20, 22)
service class/color AF11, AF12, AF13 (AF)  →  DSCP 8-15 (10, 12, 14)

• A device maps the QoS priority to the service class and color for incoming
packets and maps the service class and color back to the QoS priority for
outgoing packets.
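The BA classification mapping described above, as an added Python example that is not part of the training material: it maps a DSCP or a 3-bit priority (802.1p, MPLS EXP, IP precedence) to the (service class, color) pair following the mapping table on the previous slides, and maps the pair back to a DSCP on egress. The color of DSCP values other than the AFx1/AFx2/AFx3 code points and the pq_rank helper are assumptions drawn from the slides' table and queue order.

```python
# Added example (not from the training material): BA classification priority
# mapping as on the slides. On ingress a DSCP, IP precedence, MPLS EXP or
# 802.1p value is mapped to (service class, color); on egress the pair is
# mapped back to a DSCP. Values not listed on the slides are marked as
# assumptions in the comments.

# DSCP ranges -> service class ("Mapping Between External Priorities" table).
DSCP_RANGES = [
    (56, 63, "CS7"), (48, 55, "CS6"), (40, 47, "EF"), (32, 39, "AF4"),
    (24, 31, "AF3"), (16, 23, "AF2"), (8, 15, "AF1"), (0, 7, "BE"),
]

# AFx1 / AFx2 / AFx3 code points, e.g. AF41 = 34, AF42 = 36, AF43 = 38.
AF_CODE_POINTS = {
    "AF4": (34, 36, 38), "AF3": (26, 28, 30),
    "AF2": (18, 20, 22), "AF1": (10, 12, 14),
}
# Drop-precedence digit 1/2/3 -> color (AFx1 green, AFx2 yellow, AFx3 red).
COLORS = ("green", "yellow", "red")

# Named code points used when mapping the non-AF classes back to DSCP.
NAMED_CODE_POINT = {"CS7": 56, "CS6": 48, "EF": 46, "BE": 0}

# PQ scheduling order from the "Service Class" slide: CS7 > CS6 > ... > BE.
PQ_ORDER = ["CS7", "CS6", "EF", "AF4", "AF3", "AF2", "AF1", "BE"]


def dscp_to_internal(dscp):
    """Uplink mapping: DSCP -> (service class, color).

    Only the AFx2/AFx3 code points listed on the slide become yellow/red;
    every other DSCP value is treated as green (assumption: the slides do
    not state the color of the remaining values in each range).
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be in 0..63")
    service_class = next(cls for lo, hi, cls in DSCP_RANGES if lo <= dscp <= hi)
    color = "green"
    if service_class in AF_CODE_POINTS:
        points = AF_CODE_POINTS[service_class]
        if dscp in points:
            color = COLORS[points.index(dscp)]
    return service_class, color


def three_bit_to_internal(value):
    """Uplink mapping for an 802.1p, MPLS EXP or IP precedence value (0..7).

    The table aligns value p with the DSCP range starting at 8*p, so the
    class is taken from that range and the color is green.
    """
    if not 0 <= value <= 7:
        raise ValueError("3-bit priority must be in 0..7")
    return dscp_to_internal(value * 8)


def internal_to_dscp(service_class, color):
    """Downlink mapping: (service class, color) -> DSCP.

    AF classes pick AFx1/AFx2/AFx3 by color; the other classes use their
    named code point (CS7 56, CS6 48, EF 46, BE 0).
    """
    if service_class in AF_CODE_POINTS:
        return AF_CODE_POINTS[service_class][COLORS.index(color)]
    return NAMED_CODE_POINT[service_class]


def internal_to_three_bit(service_class, color):
    """Downlink mapping to 802.1p / EXP / IP precedence: top 3 bits of the DSCP."""
    return internal_to_dscp(service_class, color) >> 3


def pq_rank(service_class):
    """Position of a class under PQ scheduling (0 = served first)."""
    return PQ_ORDER.index(service_class)


if __name__ == "__main__":
    for dscp in (46, 34, 36, 38, 26, 0, 56):
        cls, color = dscp_to_internal(dscp)
        print(f"DSCP {dscp:2d} -> {cls:3s}/{color:6s} -> DSCP {internal_to_dscp(cls, color)}")
```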
Multi-field Classification
[Figure: requirement: real-time services such as voice and video services are
given the highest priority. The DS edge node between HQ and branch performs
MF classification on live streaming, video communication, and FTP traffic.
Template-based QoS roadmap: configure a traffic classifier → configure a traffic
behavior → configure a traffic policy → apply the traffic policy.]
⚫ MF classification classifies packets based on complex rules in a fine-grained
manner, such as the 5-tuple (source IP address, source port number, protocol
number, destination address, and destination port number).

• As networks rapidly develop, services on the Internet become increasingly
diversified. Various services share limited network resources. In particular,
multiple services use port number 80. Because of this increasing demand,
network devices are required to possess a high degree of sensitivity for services,
including an in-depth parsing of packets and a comprehensive understanding of
any packet field at any layer. This level of sensitivity rises far beyond what BA
classification can offer. MF classification can be deployed to help address this
sensitivity deficit.
• MF classification classifies packets based on complex rules in a fine-grained
manner, such as the 5-tuple (source IP address, source port number, protocol
number, destination address, and destination port number).
Traffic Policy Overview
⚫ Modular QoS command line interface (MQC) uses traffic policies.
⚫ A traffic policy is often bound to traffic classifiers and traffic behaviors. A traffic classifier is used to
match data packets, and a traffic behavior is used to modify data packets.
[Figure: a data flow passes through traffic policy 1 and then traffic policy 2
(execution in sequence). Each traffic policy contains a traffic classifier (traffic
matching rules 1, 2, 3, combined with OR) and a traffic behavior (traffic
modification rules 1, 2, 3, applied as modifications in sequence).]
Traffic Classification Process
[Figure: requirement: real-time services such as voice and video services are
given the highest priority. Live streaming, video communication, and FTP traffic
travels from HQ to branch through a DS edge node (MF classification), two DS
nodes (BA classification), and another DS edge node.]

• Requirement: The highest forwarding priority must be provided for real-time
services such as voice and video services.
• Implementation: The DS edge node obtains service traffic such as voice and video
traffic through MF classification and maps the traffic to the corresponding
priorities. It processes the remaining traffic through BA classification.
Configuring MF Classification
[Figure: a DS edge node and a DS node in a DS domain.]

system-view
traffic classifier [classifier-name] //Create a traffic classifier.
if-match [acl | vlan-id | …. ] //Match traffic based on traffic characteristics.

system-view
traffic behavior [behavior-name] //Create a traffic behavior.
remark [dscp-name | 8021p-value | EXP | … ] //Re-mark the QoS field of traffic.

system-view
traffic policy [policy-name] //Create a traffic policy.
classifier [classifier-name] behavior [behavior-name] //Bind the traffic classifier to the traffic behavior.

system-view
interface [interface-type interface-num] //Enter the interface view.
traffic-policy [policy-name] [inbound | outbound] //Apply the traffic policy to the inbound direction of an interface.

• Typically, the traffic received by the DS edge node is not classified, so complex
traffic classification is configured on the DS edge node. The configuration
roadmap is as follows:
▫ Configure a traffic classifier to match traffic.
▫ Configure a traffic behavior to define an action taken on the matched traffic.
▫ Bind the traffic classifier and traffic behavior to a traffic policy.
▫ Apply the traffic policy to the inbound direction of the interface on the DS
edge node.
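The classifier, behavior, policy and interface steps of this roadmap, modelled in Python as an added example (not VRP code and not code from the training material): if-match rules inside a classifier are ORed, behavior actions run in sequence, and the bindings of a policy are checked in configuration order. Treating the first matching classifier as decisive, the port numbers, DSCP values and the interface name are assumptions made for the example.

```python
# Added example (not from the training material): a small model of the MQC
# objects on the slides: a traffic classifier whose if-match rules are ORed,
# a traffic behavior whose actions are applied in sequence, a traffic policy
# that binds classifiers to behaviors, and an interface on which the policy
# is applied inbound. A packet is a dict carrying 5-tuple fields and 'dscp'.


class TrafficClassifier:
    """traffic classifier: a packet matches if ANY if-match rule matches."""

    def __init__(self, name):
        self.name = name
        self.rules = []  # each rule: {field: required value, ...}

    def if_match(self, **fields):
        self.rules.append(fields)
        return self

    def matches(self, packet):
        return any(
            all(packet.get(field) == value for field, value in rule.items())
            for rule in self.rules
        )


class TrafficBehavior:
    """traffic behavior: actions applied in sequence to a matched packet."""

    def __init__(self, name):
        self.name = name
        self.actions = []

    def remark_dscp(self, value):
        self.actions.append(("remark_dscp", value))
        return self

    def apply(self, packet):
        for action, value in self.actions:
            if action == "remark_dscp":
                packet["dscp"] = value
        return packet


class TrafficPolicy:
    """traffic policy: ordered classifier -> behavior bindings.

    Bindings are checked in configuration order and the first matching
    classifier decides (assumption: the slides only say the bindings are
    executed in sequence). Unmatched packets keep their marking, so BA
    classification can still act on them downstream.
    """

    def __init__(self, name):
        self.name = name
        self.bindings = []

    def classifier(self, traffic_classifier, traffic_behavior):
        self.bindings.append((traffic_classifier, traffic_behavior))
        return self

    def process(self, packet):
        for traffic_classifier, traffic_behavior in self.bindings:
            if traffic_classifier.matches(packet):
                return traffic_behavior.apply(packet)
        return packet


class Interface:
    """An interface with at most one traffic policy per direction."""

    def __init__(self, name):
        self.name = name
        self.policies = {"inbound": None, "outbound": None}

    def traffic_policy(self, policy, direction):
        self.policies[direction] = policy

    def receive(self, packet):
        """Inbound processing: returns a copy of the packet after the policy."""
        packet = dict(packet)
        policy = self.policies["inbound"]
        return policy.process(packet) if policy else packet


def build_ds_edge_interface():
    """Constructed DS edge configuration: voice (UDP to port 5060 or 5061)
    -> EF (46), video (TCP to port 554) -> AF41 (34); everything else is left
    untouched. Ports, DSCP values and the interface name are assumptions."""
    voice = (TrafficClassifier("c_voice")
             .if_match(protocol=17, dst_port=5060)
             .if_match(protocol=17, dst_port=5061))  # two ORed rules
    video = TrafficClassifier("c_video").if_match(protocol=6, dst_port=554)
    to_ef = TrafficBehavior("b_ef").remark_dscp(46)
    to_af41 = TrafficBehavior("b_af41").remark_dscp(34)
    policy = TrafficPolicy("p_edge").classifier(voice, to_ef).classifier(video, to_af41)
    edge = Interface("GigabitEthernet0/0/1")
    edge.traffic_policy(policy, "inbound")
    return edge


if __name__ == "__main__":
    edge = build_ds_edge_interface()
    print(edge.receive({"protocol": 17, "dst_port": 5060, "dscp": 0}))
```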
Checking the MF Classification Configuration
⚫ After MF classification is configured, you can run the following commands to check the configuration.

system-view
display traffic classifier user-defined [ classifier-name ] //Check the traffic classifier configuration.
display traffic behavior [ system-defined | user-defined ] [ behavior-name ] //Check the traffic behavior configuration.
display traffic policy user-defined [ policy-name ] classifier [classifier-name ] //Check the traffic policy configuration.
display traffic-policy applied-record [ policy-name ] //Check the record of the specified traffic policy.

(Optional) Modifying the BA Classification Configuration
[Figure: a DS edge node and a DS node in a DS domain.]
⚫ Specify the packet priority trusted on an interface.
system-view
interface [interface-type interface-num] //Enter the interface view.
trust [8021p | dscp] //Specify the priority to be trusted.
⚫ Configure a priority mapping table.
system-view
qos map-table [ dot1p-dot1p | dot1p-dscp | dot1p-lp | dscp-dot1p | dscp-dscp | dscp-lp ] //Enter the priority mapping table view.
input [input-value1] output [output-value] //Configure mappings in the priority mapping table.

• Based on the priority mapping table, BA classification maps data with the
specific QoS field to the internal priority.
• The priority mapping table can be modified as required. The roadmap is as
follows:
▫ Specify the packet priority trusted on an interface.
▫ Configure a priority mapping table.
Checking the Priority Mapping Configuration
⚫ After the priority mapping configuration is modified, you can run the following commands to check the
configuration.
system-view
display qos map-table [ dot1p-dot1p | dot1p-dscp | dot1p-lp | dscp-dot1p | dscp-dscp | dscp-lp ]
//Check the mapping between priorities.

Quiz
1. (True or false) MF classification is generally deployed in the inbound direction of the DS
edge node. ( )
A. True
B. False
2. (Multiple-answer question) Which of the following parameters are used to mark the QoS
priority of data packets? ( )
A. EXP
B. 802.1p
C. DSCP
D. IP precedence

1. A
2. ABCD
Section Summary
⚫ The DiffServ model must mark packets for differentiating them. Generally, MF
classification is used to mark incoming traffic on edge devices in a DS domain, and
BA classification is used to mark incoming traffic on devices in a DS domain.
⚫ Tags can be added to multiple types of data packet headers.
▫ The Pri bit (802.1p priority) in the VLAN header is used to mark the QoS priority.
▫ The EXP bit in the MPLS header is used to mark the QoS priority.
▫ The TOS bit (DSCP/IP precedence) in the IP header is used to mark the QoS priority.
Contents

1. Introduction to QoS

2. Traffic Classification and Marking

3. Traffic Limiting Technology

4. Congestion Avoidance Technology

5. Congestion Management Technology

6. Introduction to HQoS

QoS Data Processing
[Figure: the QoS processing path (traffic classification → CAR/traffic policing →
re-marking → other processing → Queue 0 to Queue N with WRED and scheduling
→ GTS/traffic shaping → outbound interface), with traffic policing and traffic
shaping highlighted.]

Traffic policing: monitors the traffic entering the device to ensure that network
resources are not abused.
Traffic shaping: controls the rate of outgoing packets so that packets are sent at
an even rate.
⚫ Function
▫ Monitor network traffic at the network edge.
▫ Specify the bandwidth usage for different incoming and outgoing traffic so that
different services are allocated different bandwidths.

• This course describes two rate limiting technologies: traffic policing and traffic
shaping.
• Traffic policing: If the traffic rate of a connection exceeds the specifications on an
interface, traffic policing allows the interface to drop excess packets or re-mark
the packet priority to protect network resources and protect carriers' profits. An
example of this process is restricting the rate of HTTP packets to 50% of the
network bandwidth.
• Traffic shaping: allows the traffic rate to match that on the downstream device.
When traffic is transmitted from a high-speed link to a low-speed link or a traffic
burst occurs, the inbound interface of the low-speed link is prone to severe data
loss. To prevent this problem, traffic shaping must be configured on the
outbound interface of the device connecting to the high-speed link.
Traffic Limiting Technology
[Figure: the same QoS processing path; traffic policing (CAR) and traffic shaping
(GTS) both rely on the token bucket technology (tokens are put into a token
bucket).]

• Both traffic policing and traffic shaping use the token bucket technology.

▫ Token bucket: A token bucket is used to check whether traffic meets packet
forwarding conditions.
Single-Rate-Single-Bucket Mechanism
• Committed information rate (CIR): indicates the rate at which tokens are put into
bucket C, in kbit/s.
• Committed burst size (CBS): indicates the maximum volume of burst traffic that
bucket C allows before the rate of some traffic exceeds the CIR, that is, the
capacity of bucket C. The value is expressed in bytes.
• The single-rate-single-bucket mechanism does not allow burst traffic. Only
committed traffic is allowed.
[Figure: tokens are put into bucket C (capacity CBS) at the CIR, with discarding
in the case of overflow. Initial number of tokens Tc = CBS. For an arriving packet
of size B: B < Tc? Yes (Tc = Tc - B): the data packet is marked green and
forwarded by default. No (Tc remains unchanged): the data packet is marked red
and discarded by default.]

• When a packet arrives, the device compares the packet with the number of
tokens in the bucket. If there are sufficient tokens, the packet is forwarded (one
token is associated with 1-bit forwarding permission). If there are not enough
tokens, the packet is discarded or buffered.
• Tc and Te refer to the numbers of tokens in buckets C and E, respectively. The
initial values of Tc and Te are respectively the CBS and EBS.
• In color-blind mode (B indicates the size of an arriving packet):
▫ If B is less than or equal to Tc, the packet is marked green, and Tc
decreases by B.
▫ If B is greater than Tc, the packet is marked red, and Tc remains
unchanged.
Single-Rate-Two-Bucket Mechanism
• CIR: indicates the rate at which tokens are put into bucket C, in kbit/s.
• CBS: indicates the maximum volume of burst traffic that bucket C allows before
the rate of some traffic exceeds the CIR, that is, the capacity of bucket C. The
value is expressed in bytes.
• Excess burst size (EBS): indicates the maximum volume of excess burst traffic
that bucket E allows. The value is expressed in bytes.
• The single-rate-two-bucket mechanism allows transient burst traffic.
[Figure: tokens are put into bucket C (capacity CBS) at the CIR, and tokens that
overflow bucket C go into bucket E (capacity EBS). Initial number of tokens:
bucket C Tc = CBS, bucket E Te = EBS. For an arriving packet of size B: B < Tc?
Yes (Tc = Tc - B): the data packet is marked green and forwarded by default.
No: Tc < B < Te? Yes (Te = Te - B): the data packet is marked yellow and
forwarded by default. No (Tc and Te remain unchanged): the data packet is
marked red and discarded by default.]

• When a packet arrives, the device compares the packet with the number of
tokens in the bucket. If there are sufficient tokens, the packet is forwarded (one
token is associated with 1-bit forwarding permission). If there are not enough
tokens, the packet is discarded or buffered.
• Tc and Te refer to the numbers of tokens in buckets C and E, respectively. The
initial values of Tc and Te are respectively the CBS and EBS.
• In color-blind mode (B indicates the size of an arriving packet):
▫ If B is less than or equal to Tc, the packet is marked green and Tc decreases
by B.
▫ If B is greater than Tc and less than or equal to Te, the packet is marked
yellow and Te decreases by B.
▫ If B is greater than Te, the packet is marked red, and Tc and Te remain
unchanged.
Two-Rate-Two-Bucket Mechanism
• Peak information rate (PIR): indicates the rate at which tokens are put into
bucket P, that is, the maximum traffic rate that bucket P allows. The PIR is
greater than the CIR. The value is expressed in kbit/s.
• Peak burst size (PBS): indicates the capacity of bucket P, that is, the maximum
volume of burst traffic that bucket P allows. The PBS is greater than the CBS. The
value is expressed in bytes.
• CIR: indicates the rate at which tokens are put into bucket C, in kbit/s.
• CBS: indicates the maximum volume of burst traffic that bucket C allows before
the rate of some traffic exceeds the CIR, that is, the capacity of bucket C. The
value is expressed in bytes.
• The two-rate-two-bucket mechanism allows long-term burst traffic.
[Figure: tokens are put into bucket P (capacity PBS) at the PIR and into bucket C
(capacity CBS) at the CIR, with discarding in the case of overflow. Initial number
of tokens: bucket P Tp = PBS, bucket C Tc = CBS. For an arriving packet of size B:
B > Tp? Yes (Tc and Tp remain unchanged): the data packet is marked red and
discarded by default. No: Tp > B > Tc? Yes (Tp = Tp - B): the data packet is
marked yellow and forwarded by default. No (Tc = Tc - B): the data packet is
marked green and forwarded by default.]

• The two rate three color marker (trTCM) algorithm focuses on the traffic burst
rate and checks whether the traffic rate conforms to the specifications. Therefore,
traffic is measured based on bucket P and then bucket C.
• Tc and Tp refer to the number of tokens in buckets C and P, respectively. The
initial values of Tc and Tp are respectively the CBS and PBS.
• In color-blind mode (B indicates the size of an arriving packet):
▫ If B is greater than Tp, the packet is marked red and Tc and Tp remain
unchanged.
▫ If B is greater than Tc and less than or equal to Tp, the packet is marked
yellow and Tp decreases by B.
▫ If B is less than or equal to Tc, the packet is marked green, and Tp and Tc
decrease by B.
What Is Traffic Policing?
• Traffic policing: By monitoring the specifications of a certain type of traffic that
enters the network, you can limit the traffic within an allowed range. If the traffic
of a connection is too heavy, the packets are discarded or the priority of the
packets is re-set to protect network resources. Traffic policing can be configured
in the inbound and outbound directions of an interface.
• Implementation of traffic policing: Traffic policing uses the committed access rate
(CAR) to control traffic. CAR uses the token bucket algorithm to evaluate the
traffic rate and implements preset policing actions based on the evaluation
result.
[Figure: a LAN (high-speed link, data flow of 100 Mbit/s) connects through a
device to a WAN (low-speed link, interface bandwidth of only 2 Mbit/s); traffic
policing is configured in the inbound direction of the interface. Packet rate over
time: with traffic policing not configured, the rate rises above the CIR; when
traffic policing is used, packets exceeding the rate limit may be discarded or their
priorities may be lowered.]

• In the figure:
▫ An edge network device connects a wide area network (WAN) and a local
area network (LAN). The LAN bandwidth (100 Mbit/s) is higher than the
WAN bandwidth (2 Mbit/s).
▫ When a LAN user attempts to send a large amount of data to a WAN, the
edge network device is prone to traffic congestion. Traffic policing can be
configured on the edge network device to restrict the traffic rate,
preventing traffic congestion.
• Characteristics of traffic policing:
▫ Drops excess traffic over the specifications or re-marks such traffic with a
lower priority.
▫ Consumes no additional memory resources and brings no delay or jitter.
▫ Packet loss may result in packet retransmission.
▫ Traffic can be re-marked.
Traffic Limiting Token Bucket Traffic Policing Traffic Shaping

CAR

⚫ CAR uses token buckets to measure traffic and determines whether a packet conforms to the specification.

[Figure: arriving packets first pass through traffic classification. Packets that do not match the rules are forwarded at the original rate (traffic policing is not required). Packets that match the rules are metered by the token bucket, and one of the traffic policing actions is taken: forward (compliant), re-mark, or discard.]

• Token bucket modes
  1. Single-rate-single-bucket
  2. Single-rate-two-bucket
  3. Two-rate-two-bucket
• The device marks the packet red, yellow, or green based on the metering result of the token bucket.
  1. Green indicates that the packets comply with the specifications and are directly forwarded.
  2. Yellow indicates that temporary burst traffic is allowed although it does not comply with the specifications. After the traffic is re-marked, its priority is reduced and it is forwarded in best-effort (BE) mode.
  3. Red indicates that the packet rate is too high and does not comply with the specifications, so the packets are discarded.

• Traffic policing uses CAR to control traffic. CAR uses token buckets to measure
traffic and determines whether a packet conforms to the specification.
• CAR has the following two functions:
  ▫ Rate limiting: Only packets allocated enough tokens are allowed to pass, so the traffic rate is restricted.
  ▫ Traffic classification: Packets are marked with internal priorities, such as the service class and drop priority, based on the measurement performed by token buckets.

• CAR process:
▫ When a packet arrives, the device matches the packet against matching
rules. If the packet matches a rule, the device uses token buckets to meter
the traffic rate.
▫ The device marks the packet red, yellow, or green based on the metering
result using the token bucket. Red indicates that the traffic rate exceeds the
specifications. Yellow indicates that the traffic rate exceeds the
specifications but is within an allowed range. Green indicates that the
traffic rate is conforming to the specifications.
▫ The device drops packets marked red, re-marks and forwards packets
marked yellow, and forwards packets marked green.
• Three token bucket modes can be used.
  ▫ To control the traffic rate only, use single-rate-single-bucket.
  ▫ To differentiate traffic bursts at limited bandwidth, use the single-rate-two-bucket mechanism. Note that traffic marked yellow must be processed differently from traffic marked green. Otherwise, the single-rate-two-bucket mechanism behaves the same as the single-rate-single-bucket mechanism.
  ▫ To control the traffic rate and check whether the traffic rate exceeds the CIR or PIR, use two-rate-two-bucket. Again, traffic marked yellow must be processed differently from traffic marked green; otherwise, the two-rate-two-bucket mechanism behaves the same as the single-rate-single-bucket mechanism.
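The three token bucket modes above, as an added example (this is not Huawei code and not the device's implementation): a small Python meter that colors each packet green, yellow or red the way CAR does. The single-rate-two-bucket and two-rate-two-bucket arithmetic is modelled on the srTCM (RFC 2697) and trTCM (RFC 2698) marking rules; the parameter names follow the `qos car` command on the slides, while the CIR/PIR values, bucket depths, full-bucket start state and the packet trace are constructed for illustration.

```python
"""Token bucket metering as used by CAR (added example, not Huawei code).

Models the three token bucket modes listed on the slide and colours each
packet green, yellow or red. Rates, bucket depths and the packet trace are
constructed values chosen so that the three modes give different results.
"""
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"
ACTION = {GREEN: "forward", YELLOW: "re-mark and forward", RED: "discard"}


@dataclass
class Bucket:
    rate_bps: float            # refill rate in bit/s (CIR or PIR)
    depth: int                 # bucket size in bytes (CBS, EBS or PBS)
    tokens: float = field(init=False)
    last: float = 0.0          # time of the last refill, seconds

    def __post_init__(self):
        self.tokens = float(self.depth)   # assumption: buckets start full

    def earned(self, now):
        """Bytes of tokens accrued since the last refill; advances the clock."""
        new = (now - self.last) * self.rate_bps / 8.0
        self.last = now
        return new

    def add(self, n):
        """Add n tokens; return the part that overflowed the bucket."""
        take = min(self.depth - self.tokens, n)
        self.tokens += take
        return n - take

    def take(self, n):
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


class Meter:
    """mode is one of the three names used on the slide."""

    def __init__(self, mode, cir, cbs, pir=None, pbs=None):
        self.mode = mode
        self.c = Bucket(cir, cbs)                 # committed bucket
        if mode == "single-rate-two-bucket":
            self.e = Bucket(cir, pbs)             # excess bucket, fed only by C overflow
        elif mode == "two-rate-two-bucket":
            self.p = Bucket(pir, pbs)             # peak bucket, refilled at PIR

    def color(self, now, length):
        if self.mode == "single-rate-single-bucket":
            self.c.add(self.c.earned(now))
            return GREEN if self.c.take(length) else RED
        if self.mode == "single-rate-two-bucket":
            self.e.add(self.c.add(self.c.earned(now)))   # C fills first, spill goes to E
            if self.c.take(length):
                return GREEN
            return YELLOW if self.e.take(length) else RED
        if self.mode == "two-rate-two-bucket":
            self.p.add(self.p.earned(now))
            self.c.add(self.c.earned(now))
            if not self.p.take(length):
                return RED                        # above PIR
            return GREEN if self.c.take(length) else YELLOW   # within CIR / between CIR and PIR
        raise ValueError(self.mode)


def police(mode, trace, **params):
    """Colour every (arrival_time, length_bytes) packet of a trace."""
    meter = Meter(mode, **params)
    return [meter.color(t, n) for t, n in trace]


# Constructed trace: two bursts of three 500-byte packets, 0.5 s apart,
# against CIR = 8 kbit/s (1000 bytes/s), so each burst exceeds the CIR.
TRACE = [(0.0, 500)] * 3 + [(0.5, 500)] * 3

if __name__ == "__main__":
    for mode, params in [
        ("single-rate-single-bucket", dict(cir=8000, cbs=1000)),
        ("single-rate-two-bucket", dict(cir=8000, cbs=1000, pbs=1000)),
        ("two-rate-two-bucket", dict(cir=8000, cbs=1000, pir=16000, pbs=2000)),
    ]:
        colors = police(mode, TRACE, **params)
        print(f"{mode:26s} {[ACTION[c] for c in colors]}")
```

The sixth packet is where the modes part ways: the single bucket has no tokens and marks it red; the single-rate-two-bucket meter has already spent its excess bucket on the two earlier bursts and also marks it red; the two-rate-two-bucket meter still has peak tokens, so the packet is within the PIR and is marked yellow, to be re-marked rather than discarded.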

Application Scenario of Traffic Policing

[Figure: voice, video and data applications on the LAN send traffic toward the WAN; traffic policing is configured in the inbound direction of the edge device's interface.]

• Traffic policing is generally used to control incoming traffic and prevent excess traffic from entering the device.
• It is recommended for delay-sensitive traffic (such as video and voice traffic), because it adds no buffering delay.
• Application of traffic policing
  1. Interface-based traffic policing
  2. Class-based traffic policing

• Voice, video, and data services are transmitted on an enterprise network. When a
large amount of traffic enters the network, congestion may occur due to
insufficient bandwidth. Different guaranteed bandwidth must be provided for the
voice, video, and data services in descending order of priority. In this situation,
traffic policing can be configured to provide the highest guaranteed bandwidth
for voice packets and lowest guaranteed bandwidth for data packets. This
configuration ensures preferential transmission of voice packets during
congestion.

• Interface-based traffic policing
  ▫ Interface-based traffic policing controls all traffic that enters an interface and does not identify packet types (rate limiting based on the interface).
• Class-based traffic policing
  ▫ Class-based traffic policing controls the rate of one or more types of packets that enter an interface (rate limiting based on traffic classification).

Configuring Interface-based Traffic Policing

⚫ Configure interface-based traffic policing.

[Figure: a DS domain with a DS edge device and a DS node.]

• Typically, traffic policing is performed in the inbound direction of a device. Traffic policing can be deployed on the terminal side or in the inbound direction of an egress device as required. Traffic policing can be configured based on interfaces or MQC.
• The configuration roadmap of interface-based traffic policing is as follows:
  ▫ Set the maximum bandwidth for traffic policing on an interface, select the traffic to be policed, and adjust the behavior to be taken on the excess traffic.

system-view
interface [interface-type interface-num] //Enter the interface view.
qos car [ inbound | outbound ] [ acl acl-number | destination-ip-address | source-ip-address ] cir [cir-value] [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] //Configure traffic policing for specific traffic in the inbound or outbound direction of an interface. The CIR must be configured and indicates the maximum committed rate of traffic policing. If the PIR is not configured, it is equal to the CIR, and the traffic rate cannot exceed the CIR.

Configuring MQC-based Traffic Policing

[Figure: a DS domain with a DS edge device and a DS node.]

• MQC can be used to implement traffic policing in a more refined manner. The device can control traffic and allocate different bandwidths based on the 5-tuple and QoS value of the data packet.
• The configuration roadmap is as follows:
  ▫ Configure a traffic classifier to match traffic.
  ▫ Configure a traffic behavior to define the actions taken for packets.
  ▫ Bind the traffic classifier and traffic behavior to a traffic policy.
  ▫ Apply the traffic policy to an interface.

system-view
traffic classifier [classifier-name] //Create a traffic classifier.
if-match [acl | vlan-id | …] //Match traffic based on traffic characteristics.

system-view
traffic behavior [behavior-name] //Create a traffic behavior.
car cir [cir-value] [ pir pir-value ] [ cbs cbs-value pbs pbs-value ] //Set the CIR and PIR.

system-view
traffic policy [policy-name] //Create a traffic policy.
classifier [classifier-name] behavior [behavior-name] //Bind the traffic classifier to the traffic behavior.

system-view
interface [interface-type interface-num] //Enter the interface view.
traffic-policy [policy-name] [inbound | outbound] //Apply the traffic policy to the inbound or outbound direction of the interface.

Checking the Traffic Policing Configuration

⚫ After interface-based traffic policing is configured, run the following command to check the configuration.

system-view
display qos car statistics interface [interface-type interface-num] [inbound | outbound] //Check statistics on forwarded and discarded packets on the interface.

⚫ After MQC-based traffic policing is configured, run the following commands to check the configuration.

system-view
display traffic classifier user-defined [ classifier-name ] //Check the traffic classifier configuration.
display traffic behavior [ system-defined | user-defined ] [ behavior-name ] //Check the traffic behavior configuration.
display traffic policy user-defined [ policy-name ] classifier [ classifier-name ] //Check the traffic policy configuration.
display traffic-policy applied-record [ policy-name ] //Check the application record of the specified traffic policy.

What Is Traffic Shaping?

[Figure: a LAN sends a 100 Mbit/s data flow over a high-speed link (interface bandwidth 1 Gbit/s) to an edge device whose WAN interface bandwidth is only 2 Mbit/s (low-speed link). Traffic shaping is configured in the outbound direction of the interface. Packet-rate-versus-time plot: with traffic shaping not deployed the rate rises above the CIR; with traffic shaping deployed the bursts are smoothed to the CIR.]

• Traffic shaping
  ▫ Traffic shaping is a measure to adjust the rate of traffic sent from an interface.
  ▫ Traffic shaping is configured on the outbound interface of an upstream device so that irregular traffic can be transmitted at an even rate, preventing transient traffic congestion on the downstream device.
• Implementation of traffic shaping
  ▫ Traffic shaping is implemented using a buffer and a token bucket.
  ▫ Token bucket mode: single-rate-single-bucket
  ▫ Assessment result: compliant (green) or non-compliant (red)

• Generic Traffic Shaping (GTS)
  ▫ When traffic is transmitted from a high-speed link to a low-speed link or a traffic burst occurs, the inbound interface of the low-speed link is prone to severe data loss. To prevent this problem, configure traffic shaping on the outbound interface of the device connecting to the high-speed link.
  ▫ When packets arrive at a high rate, they are buffered and then sent evenly through the token bucket.
• Characteristics of traffic shaping:
  ▫ Buffers excess traffic over the specifications.
  ▫ Consumes memory resources for buffering excess traffic and introduces delay and jitter.
  ▫ Packet loss rarely occurs, so packets are seldom retransmitted.
  ▫ Traffic re-marking is not supported.
• Token bucket mode: single-rate-single-bucket. The evaluation result can be either green or red.

Implementation of Traffic Shaping (1)

Queue-based traffic shaping

[Figure: packets leaving a queue after scheduling are checked for whether shaping applies. If not, they are forwarded. If so, they are measured against the queue's token bucket: compliant packets are forwarded; when packets in a queue are transmitted at a rate exceeding the specification, the packets already leaving the queue are still forwarded, but the queue is marked unscheduled and is scheduled again when bandwidth is available.]

• Queue-based traffic shaping
  ▫ Applies to each queue on an outbound interface.

• When packets leave queues, the packets that do not need to be shaped are
forwarded. The packets that need to be shaped are measured against token
buckets.

▫ If the packet rate conforms to the rate limit, the packet is marked green
and forwarded.
▫ If the rate of a data packet exceeds the threshold, the data packet is still
forwarded. In this case, the status of the queue where the data packet is
located is changed to unscheduled, and the queue is scheduled when the
token bucket is filled with new tokens. After the queue is marked
unscheduled, more packets can be put into the queue, but excess packets
over the queue capacity are dropped. Therefore, traffic shaping allows
traffic to be sent at an even rate but does not provide zero-packet-loss
guarantee.

Implementation of Traffic Shaping (2)

Interface-based traffic shaping

[Figure: queues 1 to N on an interface are scheduled; all packets leaving the queues are measured against one token bucket. A packet is forwarded if it conforms to the rate limit. If the packet rate exceeds the rate limit, the interface stops scheduling and waits for sufficient tokens before it continues scheduling.]

• Interface-based traffic shaping
  ▫ Limits the total rate of all packets sent by an interface. Traffic shaping is performed on the outbound interface, regardless of packet priorities.

• When packets leave queues, all queues are measured together against token
buckets.
▫ If the packet rate conforms to the rate limit, the packet is marked green
and forwarded.
▫ If the packet rate exceeds the threshold (that is, tokens in the token bucket
are insufficient), the packet is marked red. In this case, the interface stops
scheduling and continues to schedule the packets when there are sufficient
tokens.
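The buffer-plus-token-bucket behaviour described on the two implementation slides, as an added example that is not Huawei code: a discrete-event model of a single-rate-single-bucket shaper with a bounded FIFO. It computes when each packet of a burst actually leaves the interface, how long it waited, and which packets are tail-dropped once the buffer is full. The CIR, CBS, queue depth, full-bucket start state and the burst are constructed values.

```python
"""Single-rate-single-bucket traffic shaper (added example, not Huawei code).

Packets arrive in bursts; the shaper buffers them in a FIFO of bounded
depth and releases them only as tokens accrue at the CIR, so the output
rate is even but packets pick up delay. If the FIFO is already full when a
packet arrives, the packet is tail-dropped: shaping is not loss-free.
All parameters and the packet trace below are constructed values.
"""


def shape(trace, cir_bps, cbs_bytes, queue_depth):
    """Return (departures, delays, dropped).

    trace: list of (arrival_time_s, length_bytes) in arrival order (FIFO).
    departures: departure time of each accepted packet, in order.
    delays: departure minus arrival for each accepted packet.
    dropped: indexes into trace of packets discarded because the queue was full.
    """
    tokens = float(cbs_bytes)    # assumption: the bucket starts full
    last = 0.0                   # time the token count was last updated
    departures, delays, dropped = [], [], []
    for i, (arrival, length) in enumerate(trace):
        if length > cbs_bytes:
            raise ValueError("a packet larger than the CBS can never be sent")
        # Packets still waiting at this instant are those accepted earlier
        # whose departure time lies in the future.
        backlog = sum(1 for d in departures if d > arrival)
        if backlog >= queue_depth:
            dropped.append(i)            # buffer full: tail drop
            continue
        # Earliest moment this packet can reach the head of the FIFO.
        head = max(arrival, departures[-1] if departures else 0.0)
        tokens = min(cbs_bytes, tokens + (head - last) * cir_bps / 8.0)
        last = head
        if tokens >= length:
            depart = head                # enough tokens: send at once
        else:
            # Wait until the bucket has refilled the missing tokens.
            depart = head + (length - tokens) * 8.0 / cir_bps
            tokens = float(length)
            last = depart
        tokens -= length
        departures.append(depart)
        delays.append(depart - arrival)
    return departures, delays, dropped


# Constructed burst: six 500-byte packets arriving at the same instant on
# a link shaped to CIR = 8 kbit/s with CBS = 1000 bytes and a 3-packet FIFO.
BURST = [(0.0, 500)] * 6

if __name__ == "__main__":
    deps, dels, drops = shape(BURST, cir_bps=8000, cbs_bytes=1000, queue_depth=3)
    for i, (d, w) in enumerate(zip(deps, dels)):
        print(f"packet {i}: leaves at {d:.1f}s after waiting {w:.1f}s")
    print("tail-dropped:", drops)
```

The first two packets fit in the CBS and leave immediately; after that the shaper releases one 500-byte packet every 0.5 s, which is exactly 8 kbit/s, and each queued packet waits 0.5 s longer than the one before it (the delay and jitter the slides attribute to shaping). The sixth packet finds three packets already waiting and is discarded, which is why a shaper cannot promise zero loss. A policer with the same CIR and CBS would instead forward the first two packets and discard the other four at once.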

Application Scenario of Traffic Shaping

⚫ On an enterprise network, the enterprise headquarters is connected to branches through private lines on an ISP network. Branches connect to the Internet through the headquarters.
⚫ If all branches connect to the Internet at the same time, a large amount of web traffic sent from the headquarters to the Internet causes network congestion, and some web traffic is discarded. As shown in the figure, to prevent web traffic loss, traffic shaping can be configured before traffic sent from the enterprise branches enters the enterprise headquarters.

[Figure: Branch 1 and Branch 2 connect through the ISP to HQ, which connects to the Internet (uplink, traffic direction from the branches toward the Internet). Traffic shaping is configured in the outbound direction of an interface.]

• Traffic shaping is generally used in the outbound direction of an interface and is mainly used to limit the traffic rate. It is recommended for packet-loss-sensitive traffic (such as Internet access and service download).
Configuring Interface-based Traffic Shaping

⚫ Configure interface-based traffic shaping.

[Figure: a DS domain with a DS edge node and a DS node.]

• Traffic shaping can be configured only in the outbound direction of a device. It falls into interface-based, queue-based, and MQC-based traffic shaping.
• Interface-based traffic shaping has a coarse granularity. The configuration roadmap is as follows:
  ▫ Deploy traffic shaping in the outbound direction of an interface and configure the maximum bandwidth.

system-view
interface [interface-type interface-num] //Enter the interface view.
qos gts cir [cir-value] [ cbs cbs-value ] //Configure traffic shaping in the outbound direction of an interface. The CIR indicates the maximum traffic shaping rate and must be configured. You can configure the CBS as required to control the size of the token bucket.
Configuring Queue-based Traffic Shaping

⚫ Create a queue profile and configure queue shaping.

[Figure: a DS domain with a DS edge node and a DS node.]

• To shape packets in each queue on an interface, configure a queue profile and apply it to the interface.
• You can set different traffic shaping parameters for queues with different priorities to provide differentiated services. The configuration roadmap is as follows:
  ▫ Create a queue profile.
  ▫ Configure queue shaping.
  ▫ Apply the queue profile to an interface.

system-view
qos queue-profile [queue-profile-name] //Create a queue profile (in the system view) and enter its view.
queue [start-queue-index] to [end-queue-index] gts cir [cir-value] [ cbs cbs-value ] //Configure traffic shaping for the specified queues in the outbound direction and set the CIR.

⚫ Apply the queue profile to an interface.

system-view
interface [interface-type interface-num] //Enter the interface view.
qos queue-profile [queue-profile-name] //Apply the queue profile to the interface.
Configuring MQC-based Traffic Shaping

[Figure: a DS domain with a DS edge node and a DS node.]

• MQC-based traffic shaping uses traffic classifiers to implement differentiated services.
• The configuration roadmap is as follows:
  ▫ Configure a traffic classifier to match traffic.
  ▫ Configure a traffic behavior to define an action for packets.
  ▫ Bind the traffic classifier and traffic behavior to a traffic policy.
  ▫ Apply the traffic policy to an interface in the outbound direction.

system-view
traffic classifier [classifier-name] //Create a traffic classifier.
if-match [acl | vlan-id | …] //Match traffic based on traffic characteristics.

system-view
traffic behavior [behavior-name] //Create a traffic behavior.
gts cir [cir-value] | pct [pct-value] //Configure traffic shaping based on the maximum traffic rate or on a percentage of the interface bandwidth.

system-view
traffic policy [policy-name] //Create a traffic policy.
classifier [classifier-name] behavior [behavior-name] //Bind the traffic classifier to the traffic behavior.

system-view
interface [interface-type interface-num] //Enter the interface view.
traffic-policy [policy-name] outbound //Apply the traffic policy to the interface in the outbound direction (shaping applies only to outbound traffic).
Checking the Traffic Shaping Configuration

⚫ After queue-based traffic shaping is configured, run the following command to check the configuration.

system-view
display qos queue-profile [ queue-profile-name ] //Check the queue profile configuration.

⚫ After MQC-based traffic shaping is configured, run the following commands to check the configuration.

system-view
display traffic classifier user-defined [ classifier-name ] //Check the traffic classifier configuration.
display traffic behavior [ system-defined | user-defined ] [ behavior-name ] //Check the traffic behavior configuration.
display traffic policy user-defined [ policy-name ] classifier [ classifier-name ] //Check the traffic policy configuration.
display traffic-policy applied-record [ policy-name ] //Check the application record of the specified traffic policy.
Quiz

1. (True or false) Traffic shaping buffers excess traffic by default, and traffic policing discards excess traffic by default. ( )
   A. True
   B. False

2. (Multiple-answer question) Which of the following token bucket modes are used to measure traffic? ( )
   A. Single-rate-single-bucket
   B. Three-rate-two-bucket
   C. Single-rate-two-bucket
   D. Two-rate-two-bucket

Answers:
1. A
2. ACD
Section Summary

⚫ There are two traffic limiting technologies: traffic policing and traffic shaping.
⚫ Traffic policing discards excess traffic by default. It can be deployed in the inbound and outbound directions of a device.
⚫ Traffic shaping buffers excess traffic by default. It can be deployed only in the outbound direction of a device.
⚫ The device uses token buckets to measure traffic. There are three token bucket modes:
   The single-rate-single-bucket mechanism can be used with both traffic policing and traffic shaping.
   The single-rate-two-bucket mechanism can be used only with traffic policing, and is mainly used in scenarios where burst traffic occurs occasionally.
   The two-rate-two-bucket mechanism can be used only with traffic policing, and is mainly used in scenarios with long-term burst traffic.
Contents

1. Introduction to QoS
2. Traffic Classification and Marking
3. Traffic Limiting Technology
4. Congestion Avoidance Technology
5. Congestion Management Technology
6. Introduction to HQoS
Background of Congestion Occurrence

[Figure: two causes of congestion. Bandwidth mismatch: a 100 Mbit/s data flow arrives over a high-speed link and leaves over a 10 Mbit/s low-speed WAN link; the congestion point is the device between them. Aggregation problem: two 100 Mbit/s LAN flows converge on one 10 Mbit/s outbound link.]

• Traffic congestion occurs when multiple users compete for the same resources
(such as the bandwidth and buffer) on the shared network.
▫ For example, a user on a LAN sends data to a user on another LAN through
a WAN. The WAN bandwidth is lower than the LAN bandwidth. Therefore,
data cannot be transmitted at the same rate on the WAN as that on the
LAN. Traffic congestion occurs on the router connecting the LAN and WAN.

• Congestion often occurs in the following situations:
  ▫ Traffic rate mismatch: Packets are transmitted to a device through a high-speed link and are forwarded out through a low-speed link.
  ▫ Traffic aggregation: Packets are transmitted from multiple interfaces to a device and are forwarded out through a single interface without enough bandwidth.
Impact of Congestion

• Traffic congestion has the following adverse impacts on network traffic:
  1. Traffic congestion intensifies delay and jitter.
  2. Overlong delays lead to packet retransmission.
  3. Traffic congestion lowers the network throughput and wastes network resources.
  4. Intensified traffic congestion consumes a large number of network resources (especially storage resources). Unreasonable resource allocation may cause resources to be locked and the system to break down.
• Solutions:
  1. Congestion avoidance
  2. Congestion management

• Impact of congestion:

▫ Congestion prevents traffic from obtaining resources immediately, which


causes service deterioration. However, congestion often occurs in a complex
networking environment where packet transmission and provisioning of
various services are both required. Therefore, effective methods are
required to avoid congestion or prevent congestion from aggravating.

• Solutions:

▫ The solutions need to make full use of network resources on the premise of
meeting users' requirements for service quality. Congestion management
and congestion avoidance are commonly used to relieve traffic congestion.
▫ Congestion management provides means to manage and control traffic
when traffic congestion occurs.
▫ Congestion avoidance is a flow control technique used to relieve network
overload. By monitoring the usage of network resources in queues or
memory buffer, a device automatically drops packets on the interface that
shows a sign of traffic congestion. Congestion avoidance prevents queues
from being overflowed due to network overload. The following will
introduce congestion avoidance technology.
Congestion Avoidance Technology

⚫ Congestion avoidance is a flow control technique used to relieve network overload. By monitoring the usage of network resources for queues or memory buffers, a device automatically drops packets on an interface that shows signs of traffic congestion.

[Figure: the data sending queues (queue 0 to queue N) are monitored; congestion avoidance policies decide which arriving packets to drop before they enter a queue.]

• Congestion avoidance policies:
  1. Tail drop: traditional processing
  2. Random Early Detection (RED)
  3. Weighted Random Early Detection (WRED)
• If congestion becomes severe, packets that cannot enter queues are discarded.
Policy 1: Tail Drop

⚫ When the length of a queue reaches the maximum value, a device enabled with tail drop discards all new packets that arrive at the tail of the queue.

[Figure: packets arrive at six packets per second and leave at four packets per second; packets 1 to 6 fill the queue, and subsequent packets sent to the queue are directly discarded.]

• Due to the limited length of each queue, when a queue is full, the traditional
processing method discards all the packets sent to the queue until the congestion
is relieved. This processing method is called tail drop.
Disadvantage 1: Global TCP Synchronization

⚫ When the length of a queue reaches the maximum value, a device enabled with tail drop discards all new packets that arrive at the tail of the queue.

Problem: Global TCP synchronization (the TCP connections cannot sustain their transmission).

[Figure: traffic-versus-time plot of three TCP connections against the maximum queue value; all three ramp up, hit the maximum, collapse and restart together, in steps 1 to 4 below.]

• Process:
  1. TCP starts.
  2. Traffic is too heavy. As a result, the queue is full and tail drop occurs.
  3. TCP ACK packets returned by the server are discarded due to congestion. The sender does not receive the TCP ACK packets and concludes that the network is congested. It reduces its TCP sliding window size, so the overall traffic is also reduced.
  4. Network congestion is now eliminated and the sender receives TCP ACK packets again, so it concludes that the network is no longer congested and enters the TCP slow start process. This process repeats.

• In the figure, the three colors indicate three TCP connections.
• Global TCP synchronization:
  ▫ With the tail drop mechanism, all newly arrived packets are dropped when congestion occurs, causing all TCP sessions to enter the slow start state at the same time and packet transmission to slow down.
  ▫ When packets of multiple TCP connections are discarded in a queue, those TCP connections enter the congestion avoidance and slow start states to reduce their traffic. This is called TCP global synchronization. All TCP sessions then restart their transmission at roughly the same time, congestion occurs again, another burst of packets is dropped, and all TCP sessions enter the slow start state again. The cycle repeats constantly, severely reducing network resource usage.
Disadvantage 2: Undifferentiated Drop

⚫ When the length of a queue reaches the maximum value, a device enabled with tail drop discards all new packets that arrive at the tail of the queue.

Problem: Undifferentiated drop

[Figure: a full queue containing a mix of key and non-key data packets; the subsequent key data packets 6 and 7 sent to the queue are discarded.]

• Tail drop may cause a large amount of non-key data to be forwarded and a large amount of key data to be discarded.
• Cause: Tail drop cannot differentiate traffic.

• Tail drop cannot differentiate services, so all traffic is discarded in the same way.
Policy 2: RED

⚫ Random early detection (RED) randomly discards data packets.

[Figure: drop probability versus actual queue length. Below the lower threshold: no drop. Between the lower and upper thresholds: random drop, with the drop probability rising linearly toward the maximum drop probability. Above the upper threshold: tail drop (100%).]

• Process:
  1. When the queue length is less than the lower threshold, no packets are discarded.
  2. When the queue length is between the lower threshold and the upper threshold, newly arrived packets are randomly discarded. The longer the queue, the higher the drop probability.
  3. All arriving packets are discarded if the queue length is greater than the upper threshold.
Relieving Global TCP Synchronization

⚫ RED randomly discards packets so that the rates of different TCP connections are reduced at different times. This prevents global TCP synchronization.

[Figure: traffic-versus-time plot of the same three TCP connections under RED; their rate reductions no longer line up, and the total traffic stays closer to the maximum value.]

• Symptom: Global TCP synchronization may still occur, but link usage is greatly increased.
• Disadvantage: RED cannot distinguish traffic.

• RED is used to avoid the global TCP synchronization that occurs with tail drop. It does this by randomly discarding packets so that the transmission rates of multiple TCP connections are not reduced simultaneously; that is, the TCP senders do not all shrink their sliding windows at the same time. This results in more stable rates for TCP traffic and other network traffic.
Policy 3: WRED

⚫ Weighted Random Early Detection (WRED) sets different drop policies for data packets or queues with different priorities, so that different types of traffic are discarded differently.

[Figure: drop probability (%) versus actual queue length, with IP precedence used as an example: traffic 1, traffic 2 and traffic 3 correspond to IP precedence 0, 1 and 2 and start to be dropped at queue lengths 20, 30 and 35 respectively; all share the upper threshold of 40, where the drop probability rises to 100%.]

• Example:
  1. The lower threshold is 20 and the upper threshold is 40 for traffic whose IP precedence is 0.
  2. The lower threshold is 35 and the upper threshold is 40 for traffic whose IP precedence is 2. Traffic whose IP precedence is 2 is therefore discarded later than traffic whose IP precedence is 0.
• Advantages:
  1. TCP sliding window sizes are not adjusted simultaneously, which avoids global TCP synchronization.
  2. Different traffic is discarded based on weights.

• The device provides WRED based on RED technology.
• WRED discards packets in queues based on DSCP priorities or IP precedence values. The upper and lower thresholds and the drop probability can be set for each priority. When the number of packets of a priority reaches the lower threshold, the device starts to discard packets of that priority. When the number reaches the upper threshold, the device discards all such packets. As the queue length increases, the packet loss rate increases, but the maximum packet loss rate does not exceed the preset value. Because WRED discards packets according to a drop probability rather than all at once, the TCP senders do not adjust their sliding window sizes simultaneously, which prevents congestion to a certain degree.
Curve of the WRED Drop Probability

[Figure: drop probability versus actual queue length for red, yellow and green packets, showing differentiated drop for different traffic. Each color has its own lower threshold, upper threshold and maximum drop probability; at its upper threshold the drop probability jumps to 100%.]

Example (AF4 class):

  Parameter           AF41 (green)   AF42 (yellow)   AF43 (red)
  Lower threshold     70             50              30
  Upper threshold     80             60              40
  Drop probability    70%            80%             90%

• Color:

▫ The color of packets determines the order in which packets are dropped in
a congested queue.

• Application:
▫ The WRED lower threshold is recommended to start from 50% and change
with the drop priority. The lowest drop probability and highest lower and
upper thresholds are recommended for green packets; a medium drop
probability and medium lower and upper thresholds are recommended for
yellow packets; the highest drop probability and smallest lower and upper
thresholds are recommended for red packets.
▫ When traffic congestion aggravates, red packets are first dropped due to
the smallest lower threshold and high drop probability. As the queue length
increases, the device drops green packets at last. If the queue length
reaches the upper threshold for red/yellow/green packets, red/yellow/green
packets start to be tail dropped.
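The RED drop curve (Policy 2) and the per-color WRED profiles from the AF4 table above, as an added example that is not Huawei code: a Python drop decision that implements the no-drop / random-drop / tail-drop regions and applies a separate profile per DSCP, with tail drop shown alongside for comparison. Thresholds are used in the queue-length units the slides use (the CLI expresses them as percentages of the queue length); the queue lengths fed in, the packet counts and the RNG seed are constructed values.

```python
"""RED/WRED drop decision (added example, not Huawei code).

Implements the drop probability curve from the RED slide and the per-color
WRED profiles from the AF4 example table. Thresholds are expressed as the
slides give them; the queue lengths used below are constructed values.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DropProfile:
    low: int          # lower threshold: below it nothing is dropped
    high: int         # upper threshold: at or above it everything is dropped
    max_drop: float   # drop probability reached just below the upper threshold

    def drop_probability(self, queue_len):
        """RED curve: 0 below low, linear ramp to max_drop, then tail drop."""
        if queue_len < self.low:
            return 0.0
        if queue_len >= self.high:
            return 1.0
        return self.max_drop * (queue_len - self.low) / (self.high - self.low)


# WRED: one profile per drop precedence (values from the AF4 example table).
WRED = {
    "AF41": DropProfile(low=70, high=80, max_drop=0.70),   # green
    "AF42": DropProfile(low=50, high=60, max_drop=0.80),   # yellow
    "AF43": DropProfile(low=30, high=40, max_drop=0.90),   # red
}


def should_drop(dscp, queue_len, rng):
    """Random early detection: drop with the probability the profile gives."""
    return rng.random() < WRED[dscp].drop_probability(queue_len)


def drop_counts(queue_len, packets_per_class=1000, seed=7):
    """How many of N arriving packets of each class WRED discards at a fixed
    queue length. A seeded RNG keeps the run reproducible."""
    rng = random.Random(seed)
    return {
        dscp: sum(should_drop(dscp, queue_len, rng) for _ in range(packets_per_class))
        for dscp in WRED
    }


def tail_drop_counts(queue_len, max_len=80, packets_per_class=1000):
    """Tail drop for comparison: no classes, nothing until the queue is full,
    then everything."""
    dropped = packets_per_class if queue_len >= max_len else 0
    return {dscp: dropped for dscp in WRED}


if __name__ == "__main__":
    for qlen in (25, 35, 55, 75, 85):
        print(f"queue {qlen:3d}: WRED {drop_counts(qlen)}  "
              f"tail drop {tail_drop_counts(qlen)['AF41']} per class")
```

At a queue length of 55, AF43 (red) is already past its upper threshold and is dropped entirely, AF42 (yellow) loses roughly 40% of its packets, and AF41 (green) is untouched; tail drop at the same length drops nothing at all, and then drops everything regardless of class once the queue is full.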
Application of Congestion Avoidance

[Figure: video, voice and data flows from a LAN cross a WAN to another LAN; congestion avoidance is configured in the outbound direction of the WAN-facing interface, in the traffic direction.]

• Example:

▫ Users in different LANs may upload data to the same server, so data
exchanged between users and the server passes the WAN. Because WAN
bandwidth is lower than LAN bandwidth, congestion may occur on the
edge device between the WAN and LANs. Congestion avoidance can be
configured on the edge device to discard low-priority packets such as data
packets, reducing network overload and ensuring forwarding of high-
priority services.
Configuring Queue-based WRED

[Figure: a DS domain with a DS edge device and a DS node.]

• The device supports WRED based on DSCP priorities or IP precedence values. The configuration roadmap is as follows:
  ▫ Configure a drop profile.
  ▫ Configure WRED parameters.
  ▫ Reference the drop profile in a queue profile.
  ▫ Apply the queue profile to the outbound direction of the interface.

system-view
drop-profile [drop-profile-name] //Create a drop profile.
wred [dscp | ip-precedence] //Configure a WRED drop profile based on DSCP or IP precedence.
dscp [dscp-value] low-limit [low-limit-percentage] high-limit [high-limit-percentage] discard-percentage [discard-percentage] //Configure WRED parameters based on DSCP priorities.
ip-precedence [ip-precedence-value] low-limit [low-limit-percentage] high-limit [high-limit-percentage] discard-percentage [discard-percentage] //(Optional) Configure WRED parameters based on IP precedence.
qos queue-profile [queue-profile-name] //Enter the queue profile view.
queue [queue-index] drop-profile [drop-profile-name] //Bind the drop profile to the specified queue in the queue profile.
interface [interface-type interface-num] //Enter the interface view.
qos queue-profile [queue-profile-name] //Apply the queue profile to the interface.
Configuring MQC to Implement Congestion Avoidance (1)

[Figure: a DS domain with a DS edge device and a DS node.]

• After a drop profile is bound to a traffic behavior, associate the traffic behavior with the corresponding traffic classifier in a traffic policy and apply the traffic policy to an interface to implement congestion avoidance for the traffic matching the classifier. The configuration roadmap is as follows:
  ▫ Configure a drop profile.
  ▫ Configure a traffic classifier and a traffic behavior.
  ▫ Bind the traffic classifier and traffic behavior to a traffic policy.
  ▫ Apply the traffic policy to the outbound direction of the device interface.

system-view
drop-profile [drop-profile-name] //Create a drop profile.
wred [dscp | ip-precedence] //Configure a WRED drop profile based on DSCP or IP precedence.
dscp [dscp-value] low-limit [low-limit-percentage] high-limit [high-limit-percentage] discard-percentage [discard-percentage] //Configure WRED parameters based on DSCP priorities.
ip-precedence [ip-precedence-value] low-limit [low-limit-percentage] high-limit [high-limit-percentage] discard-percentage [discard-percentage] //(Optional) Configure WRED parameters based on IP precedence.
Configuring MQC to Implement Congestion Avoidance (2)
• Configure the traffic classifier, traffic behavior, and traffic policy, and apply the policy to the outbound direction of the interface:

  system-view
  traffic classifier [classifier-name] //Create a traffic classifier.
  if-match [acl | vlan-id | …. ] //Match traffic based on traffic characteristics.

  system-view
  traffic behavior [behavior-name] //Create a traffic behavior.
  drop-profile [drop-profile-name] //Bind the created drop profile to the traffic behavior.

  system-view
  traffic policy [policy-name] //Create a traffic policy.
  classifier [classifier-name] behavior [behavior-name] //Bind the traffic classifier to the traffic behavior.

  system-view
  interface [interface-type interface-num] //Enter the interface view.
  traffic-policy [policy-name] outbound //Apply the traffic policy to the outbound direction of the interface.
Checking the Congestion Avoidance Configuration
⚫ Checking the queue-based congestion avoidance configuration
  system-view
  interface [interface-type interface-num]
  display this //Check the queue profile bound to the interface.
  qos queue-profile [queue-profile-name]
  display this //Check the drop profile bound to the queue profile.
  display drop-profile [drop-profile-name] //Check the drop profile configuration.

⚫ Checking the MQC-based congestion avoidance configuration
  system-view
  display traffic classifier user-defined [classifier-name] //Check the traffic classifier configuration.
  display traffic behavior [system-defined | user-defined] [behavior-name] //Check the traffic behavior configuration.
  display traffic policy user-defined [policy-name] classifier [classifier-name] //Check the traffic policy configuration.
  display traffic-policy applied-record [policy-name] //Check the application record of the specified traffic policy.
Quiz

1. (Multiple-answer question) Which of the following mechanisms are used by QoS to proactively discard packets?( )
   A. Tail drop
   B. RED
   C. MRED
   D. WRED

1. ABD
Section Summary

⚫ Congestion avoidance does not eliminate congestion; it mitigates the problems that congestion causes. For example, tail drop causes global TCP synchronization, makes interface traffic unstable, and lets UDP traffic preempt the bandwidth used by TCP traffic.
⚫ RED/WRED randomly discards data packets to prevent problems such as global TCP synchronization.
Contents

1. Introduction to QoS

2. Traffic Classification and Marking

3. Traffic Limiting Technology

4. Congestion Avoidance Technology

5. Congestion Management Technology

6. Introduction to HQoS

Congestion Management Technology
⚫ Congestion management technology manages and controls different types of service traffic
when network congestion occurs.
⚫ It uses queue scheduling technology to handle traffic congestion.

[Figure: data sending queues Queue 0, Queue 1, Queue 2, …, Queue N feed a congestion management scheduler; packets are scheduled based on the priority of each queue.]

• Congestion Management Technology
  ▫ Congestion management defines a policy that determines the order in which packets are forwarded and the drop principles applied to them. It is implemented with queuing technology.
  ▫ The queue scheduling algorithm determines the order in which packets leave a queue and the relationship between queues.

• Queuing technology
  ▫ Packets sent from one interface are placed into multiple queues identified by different priorities and are then sent based on those priorities. Different queue scheduling mechanisms are designed for different situations and lead to different results.
What Is a Queue?
⚫ The queuing technology orders packets in the buffer.
⚫ Each interface has eight downlink queues, which are called class queues (CQs) or port queues: BE, AF1, AF2, AF3, AF4, EF, CS6, and CS7.
• What is a queue?

▫ The queuing technology orders packets in the buffer. When the packet rate
exceeds the interface bandwidth or the bandwidth configured for packets,
the packets are buffered in queues and wait to be forwarded.
▫ Each interface on the NE20E or NE40E stores eight downlink queues, which
are called CQs or port queues. The eight queues are BE, AF1, AF2, AF3, AF4,
EF, CS6, and CS7.
Queue Scheduling Algorithms
⚫ Congestion management uses the queuing technology. Common queue scheduling algorithms are:
  1. First In First Out (FIFO)
  2. Strict Priority (SP)
  3. Weighted Fair Queuing (WFQ)

• Queuing technology places packets sent from one interface into multiple queues
with different priorities. These packets are then sent based on the priorities.
Different queue scheduling mechanisms are designed for different situations and
lead to varying results.
FIFO
⚫ The FIFO mechanism is used to transfer packets in a queue. Resources used to forward
packets are allocated based on the arrival order of packets.

[Figure: FIFO queue. Packets 1, 2, and 3 enter the queue in that order and leave the queue in the same order.]

• FIFO does not classify packets.
• FIFO allows the packets that arrive earlier to enter the queue first, and packets leave the queue in the same order in which they entered it.
• Characteristics:
  ▫ Advantage: the implementation mechanism is simple and processing is fast.
  ▫ Disadvantage: packets with different priorities cannot be processed in differentiated ways.
SP
⚫ SP schedules packets strictly based on queue priorities.

[Figure: SP scheduling. Packets 1 to 6 arrive in numbered order. Classification places packets 2 and 6 in the high-priority queue, packets 3, 4, and 5 in the medium-priority queue, and packet 1 in the low-priority queue. The SP scheduler sends them in the order 2, 6, 3, 4, 5, 1.]

• SP: packets in a lower-priority queue are scheduled only after all packets in every higher-priority queue have been scheduled.
• As shown in the figure, three queues with high, medium, and low priorities are configured with SP scheduling. The number on each packet indicates its arrival order.
• When packets leave the queues, the device forwards them in descending order of queue priority, so packets in the higher-priority queue are forwarded first. If a packet arrives in a higher-priority queue while a lower-priority queue is being served, the higher-priority packet is still scheduled next. As long as the high-priority queue holds packets, no other queue is served.
• Characteristics:
  ▫ Advantage: high-priority packets are forwarded preferentially.
  ▫ Disadvantage: lower-priority queues may be starved. When congestion occurs, packets in lower-priority queues are not processed until all higher-priority queues are empty, so a congested higher-priority queue starves every lower-priority queue.
WFQ
⚫ WFQ allocates outbound bandwidth to flows on an interface based on weights of queues.

[Figure: WFQ scheduling. Packets 1 to 6 are classified into three queues with weights 50%, 25%, and 25%, holding a 4-bit, a 6-bit, and an 8-bit packet respectively. The scheduler serves the queues bit by bit in proportion to their weights, the bits are reassembled into packets, and the 4-bit packet leaves first, then the 6-bit packet, then the 8-bit packet.]

• WFQ allocates bandwidth to flows based on queue weights. To allocate bandwidth fairly, WFQ conceptually schedules packets bit by bit.
• Characteristics:
  ▫ Advantages:
    ▪ Packets in different queues are scheduled fairly, and the differences in delay between flows are small.
    ▪ When large and small packets in different queues are waiting to be sent, small packets are scheduled first, which reduces the jitter of each flow.
    ▪ The smaller the weight, the less bandwidth is allocated; flows with larger weights receive more bandwidth.
  ▫ Disadvantages: low-latency services cannot be scheduled in a timely manner, and user-defined classification rules cannot be applied.
• Bit-by-bit scheduling is an idealization. The NE40E performs WFQ scheduling at a fixed granularity, such as 256 bytes or 1 KB, and different cards support different granularities.
Queue Scheduling Mode of an Interface
⚫ You can configure SP scheduling or WFQ scheduling for eight queues on an interface.
⚫ Eight queues can be classified into three groups, priority queuing (PQ) queues, WFQ queues,
and low priority queuing (LPQ) queues, based on scheduling algorithms.

  1. PQ queues: use the SP scheduling algorithm.
  2. WFQ queues: use the WFQ scheduling algorithm.
  3. LPQ queues: use the SP scheduling algorithm.

• PQ queue
  ▫ SP scheduling applies to PQ queues. Packets in high-priority queues are scheduled preferentially, so services that are sensitive to delay (such as VoIP) can be assigned high priorities.
  ▫ In PQ queues, however, if the bandwidth of high-priority packets is not restricted, low-priority packets cannot obtain bandwidth and are starved.
  ▫ Generally, services that are sensitive to delay are put into PQ queues.
• WFQ queue
▫ WFQ queues are scheduled based on weights. The WFQ scheduling
algorithm can be used to allocate the remaining bandwidth based on
weights.
• LPQ queue
▫ LPQ is a queue scheduling mechanism that is implemented on a high-speed
interface (such as an Ethernet interface). LPQ is not supported on a low-
speed interface (such as a serial interface or MP-group interface).
▫ SP scheduling applies to LPQ queues. The difference is that when
congestion occurs, the PQ queue can preempt the bandwidth of the WFQ
queue whereas the LPQ queue cannot. After packets in the PQ and WFQ
queues are all scheduled, the remaining bandwidth can be assigned to
packets in the LPQ queue.
▫ In practice, BE flows can be put into LPQ queues. When the network is
overloaded, BE flows can be limited so that other services can be processed
preferentially.
• WFQ, PQ, and LPQ can be used separately or jointly for eight queues on an
interface.
Scheduling Order of Three Types of Queues
[Figure: interface queue scheduling order and process. PQ queues 1..m are served by SP, WFQ queues 1..i by WFQ, and LPQ queues 1..k by SP, and the three groups feed the destination interface in that order. Process: if the PQ queues are not empty, perform a round of PQ scheduling; otherwise, if the WFQ queues are not empty, perform a round of WFQ scheduling; otherwise, if the LPQ queues are not empty, perform a round of LPQ scheduling.]

• Interface queue scheduling order:
  ▫ The three groups are scheduled in SP order relative to each other: PQ queues first, then WFQ queues, then LPQ queues.

• Interface queue scheduling process:
  ▫ Packets in PQ queues are scheduled preferentially. Bandwidth is allocated to the PQ queues first, so that the PIR of the PQ queues is guaranteed.
  ▫ Packets in WFQ queues are scheduled only when no packets are buffered in any PQ queue.
  ▫ Packets in LPQ queues are scheduled only after all packets in the WFQ queues have been sent.

• Scheduling result:
  ▫ The PIR of the PQ queues is guaranteed first, and the remaining bandwidth is allocated among the WFQ queues based on their weights.
  ▫ When the PIR of all WFQ queues is guaranteed, the remaining bandwidth is allocated to the LPQ queues.
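The following Python scheduler is an added example, not code from the training material or from any Huawei device. It implements the three-group order described above (PQ by strict priority, then WFQ, then LPQ) together with the SP and WFQ behaviour from the earlier slides; WFQ is approximated by deficit round robin at a byte quantum, which is how a device schedules "bit by bit" at a fixed granularity. Queue names, weights, packet sizes, and arrival patterns are constructed for the illustration.

```python
"""Interface queue scheduler with PQ, WFQ and LPQ groups.

Added example, not code from the training material. PQ queues are served by
strict priority, the WFQ group only when every PQ queue is empty, and the LPQ
group only when the PQ and WFQ groups are both empty. WFQ is approximated with
deficit round robin at a byte quantum. Queue names, weights, packet sizes and
the arrival pattern below are constructed for illustration.
"""
from collections import deque


class InterfaceScheduler:
    def __init__(self, pq, wfq, lpq, quantum=1500):
        # pq/lpq: queue names in descending priority; wfq: {name: weight}
        self.pq = {n: deque() for n in pq}
        self.wfq = {n: deque() for n in wfq}
        self.lpq = {n: deque() for n in lpq}
        self.weights = dict(wfq)
        self.quantum = quantum        # bytes of credit per weight unit per round
        self.credit = {n: 0 for n in wfq}
        self._order = list(wfq)
        self._idx = 0                 # WFQ queue currently being visited
        self._granted = False         # quantum already granted on this visit?

    def enqueue(self, name, size):
        for group in (self.pq, self.wfq, self.lpq):
            if name in group:
                group[name].append(size)
                return
        raise KeyError(name)

    def _dequeue_sp(self, group):
        for name, q in group.items():  # strict priority: first non-empty queue wins
            if q:
                return name, q.popleft()
        return None

    def _dequeue_wfq(self):
        if not any(self.wfq.values()):
            return None
        while True:                    # terminates: a backlogged queue gains credit every round
            name = self._order[self._idx]
            q = self.wfq[name]
            if q:
                if not self._granted:
                    self.credit[name] += self.quantum * self.weights[name]
                    self._granted = True
                if self.credit[name] >= q[0]:
                    self.credit[name] -= q[0]
                    size = q.popleft()
                    if not q:
                        self.credit[name] = 0   # an idle queue keeps no credit
                    return name, size
            else:
                self.credit[name] = 0
            self._idx = (self._idx + 1) % len(self._order)
            self._granted = False

    def dequeue(self):
        return (self._dequeue_sp(self.pq) or self._dequeue_wfq()
                or self._dequeue_sp(self.lpq))

    def run(self, slots, arrivals=None):
        """Run transmit slots; arrivals(sched, slot) may enqueue before each one.
        Returns the names of the queues served, in departure order."""
        served = []
        for slot in range(slots):
            if arrivals:
                arrivals(self, slot)
            pkt = self.dequeue()
            if pkt:
                served.append(pkt[0])
        return served


def build():
    # Constructed layout: EF in the PQ group, AF1/AF2 in WFQ with weights 2:1, BE in LPQ.
    return InterfaceScheduler(pq=["ef"], wfq={"af1": 2, "af2": 1}, lpq=["be"])


def pq_starvation():
    """An unshaped PQ queue fed every slot starves the WFQ and LPQ queues."""
    s = build()
    for _ in range(5):
        s.enqueue("af1", 1500)
        s.enqueue("be", 1500)
    flood = s.run(20, arrivals=lambda sch, _slot: sch.enqueue("ef", 1500))
    after = s.run(10)   # once the flood stops, WFQ drains before LPQ
    return flood, after


def group_order():
    """With every queue backlogged: all PQ, then WFQ by weight, then LPQ."""
    s = build()
    for name, count in (("be", 2), ("af2", 1), ("af1", 2), ("ef", 2)):
        for _ in range(count):
            s.enqueue(name, 1500)
    return s.run(7)
```

pq_starvation() reproduces the warning in the notes: while the unshaped PQ queue receives a packet every slot, neither the WFQ queue nor the LPQ queue is served at all, and only after the flood stops does AF1 drain, followed by BE. group_order() shows the complete order with every queue backlogged: ef, ef, af1, af1, af2, be, be, where AF1 takes two slots for every AF2 slot because of the 2:1 weights. Whoever can get traffic classified into the PQ queue therefore controls the service of everything below it, which is why the bandwidth of PQ queues must be restricted.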
Application of Congestion Management

[Figure: video, voice, and data flows enter the device and are placed into separate queues; congestion management is configured in the outbound direction of the interface, and the video, voice, and data flows leave with differentiated treatment.]

• Example:
  ▫ On a network, when multiple services compete for the same resources (such as bandwidth and buffer space), congestion may occur and high-priority services may not be processed in time. Packets can be placed into different queues according to the priority mapping result, as shown in the figure, and different scheduling modes can be set in the outbound direction to implement differentiated services.
Configuring Queue-based Congestion Management
• WAN interfaces support three scheduling modes: PQ, WFQ, and PQ+WFQ. The configuration roadmap is as follows:
  ▫ Create a queue profile.
  ▫ Configure scheduling modes.
  ▫ Apply the queue profile to the interface.

  system-view
  qos queue-profile [queue-profile-name] //Create a queue profile.
  schedule pq [queue-index] | wfq [queue-index] //Configure scheduling modes for queues on a WAN interface.
  interface [interface-type interface-num] //Enter the interface view.
  qos queue-profile [queue-profile-name] //Apply the queue profile to the interface.
Configuring MQC to Implement Congestion Management (1)
• MQC provides three types of queues:
  ▫ Assured Forwarding (AF) queues
  ▫ Expedited Forwarding (EF) or LLQ queues
  ▫ BE queues
• The configuration roadmap is as follows:
  ▫ Configure a traffic classifier and a traffic behavior.
  ▫ Bind the traffic classifier and traffic behavior to a traffic policy.
  ▫ Apply the traffic policy to the outbound direction of the device interface.

  system-view
  traffic classifier [classifier-name] //Create a traffic classifier.
  if-match [acl | vlan-id | …. ] //Match traffic based on traffic characteristics.

  system-view
  traffic behavior [behavior-name] //Create a traffic behavior.
  queue af bandwidth [bandwidth | pct percentage] //Configure the minimum bandwidth for AF queues in the traffic behavior.
  queue ef bandwidth [bandwidth | pct percentage] //Configure the minimum bandwidth for EF queues in the traffic behavior.
  queue llq bandwidth [bandwidth | pct percentage] //Configure the maximum bandwidth for LLQ queues in the traffic behavior.
  queue wfq queue-number [total-queue-number] //Configure WFQ scheduling parameters for BE queues in the traffic behavior.

• AF queue: AF queues ensure that service traffic is forwarded as long as its rate does not exceed the configured minimum bandwidth.
• EF/LLQ queue: packets matching the configured rules enter EF or LLQ queues and are scheduled in SP mode; packets in other queues are scheduled only after all packets in the EF or LLQ queues have been sent. EF queues can also use bandwidth left unused by AF or BE queues. The latency of LLQ queues is lower than that of common EF queues.
• BE queue: packets that enter neither AF nor EF queues enter BE queues, which are scheduled using the WFQ algorithm.
• The total bandwidth configured for AF queues and EF queues cannot exceed 100% of the interface bandwidth.
• EF queues are allocated bandwidth preferentially; AF queues share the remaining bandwidth based on their weights.
Configuring MQC to Implement Congestion Management (2)
• Create the traffic policy and apply it to the outbound direction of the interface:

  system-view
  traffic policy [policy-name] //Create a traffic policy.
  classifier [classifier-name] behavior [behavior-name] //Bind the traffic classifier to the traffic behavior.

  system-view
  interface [interface-type interface-num] //Enter the interface view.
  traffic-policy [policy-name] outbound //Apply the traffic policy to the outbound direction of the interface.

Checking the Congestion Management Configuration
⚫ Checking the queue-based congestion management configuration
  system-view
  interface [interface-type interface-num]
  display this //Check the queue profile bound to the interface.
  display qos queue-profile [queue-profile-name] //Check the queue profile configuration.

⚫ Checking the traffic classifier-based congestion management configuration
  system-view
  display traffic classifier user-defined [classifier-name] //Check the traffic classifier configuration.
  display traffic behavior [system-defined | user-defined] [behavior-name] //Check the traffic behavior configuration.
  display traffic policy user-defined [policy-name] classifier [classifier-name] //Check the traffic policy configuration.
  display traffic-policy applied-record [policy-name] //Check the application record of the specified traffic policy.
Quiz
1. (Single-answer question) How many queues are there on an interface?( )
A. 6
B. 7
C. 8
D. 9

2. (Multiple-answer question) Which of the following is a queue scheduling technology?( )
   A. PQ
   B. WFQ
   C. WRED
   D. FIFO

1. C
2. ABD
Section Summary

⚫ After a data packet enters a queue, the device sends it according to the queue scheduling mechanism.
⚫ Common queue scheduling technologies include FIFO, PQ, and WFQ.
⚫ PQ scheduling takes precedence over WFQ scheduling and FIFO. Queues scheduled in WFQ mode can transmit data only when the queues scheduled in PQ mode have no data to transmit, and the queue scheduled in FIFO mode can transmit data only when the PQ and WFQ queues have no data to transmit.
Contents

1. Introduction to QoS

2. Traffic Classification and Marking

3. Traffic Limiting Technology

4. Congestion Avoidance Technology

5. Congestion Management Technology

6. Introduction to HQoS

Limitations of QoS
⚫ Traditional QoS places traffic into only eight queues per interface for scheduling and control, which is a serious limitation in multi-tenant scenarios.

[Figure: QoS limitations in home broadband. 14 households rent different bandwidths and services behind the same Internet egress; user-based QoS cannot be implemented on the egress because only eight queues are available to differentiate traffic.]

• In home broadband scenarios, different families may rent different network bandwidths and network services. Traditional QoS therefore cannot manage these families in a refined manner.
HQoS Overview
⚫ Traditional QoS schedules traffic based on interfaces. An interface can only differentiate service
priorities. The traffic of the same priority uses the same interface queue and competes for the same
queue resources. Therefore, traditional QoS technology cannot provide differentiated services based on
types of traffic and users.
⚫ HQoS meets this requirement by implementing hierarchical scheduling based on multiple levels of
queues, differentiating both services and users to provide refined QoS guarantee.
⚫ Different devices provide different HQoS features. This section describes HQoS features supported by
the CPE (AR series router).

Introduction to HQoS Queues
⚫ The CPE supports three-level queues: flow queue (level 3), subscriber queue (level 2), and port queue
(level 1).

[Figure: HQoS queues on the CPE. For each tenant, service flows (voice, video, gaming, Internet access, other traffic) enter level 3 flow queues; each tenant's flow queues feed a level 2 subscriber queue, which corresponds to a sub-interface or tunnel interface; all subscriber queues feed the level 1 port queue of the physical interface.]

• Flow queue
  ▫ Services of the same type from one user are treated as a service flow, and HQoS schedules queues based on service flows. Flow queues correspond to service types and are classified into EF, AF, and BE queues. You can set scheduling modes for flow queues.

• Subscriber queue
  ▫ All services from one user are placed into a subscriber queue, and HQoS lets all services in the subscriber queue share its bandwidth.

• Port queue
  ▫ Each port corresponds to a port queue, and port queues are scheduled in RR mode. You can configure only interface-based traffic shaping for port queues; their scheduling mode cannot be configured.
Introduction to HQoS Queue Scheduling
⚫ The flow queue and subscriber queue support PQ scheduling, WFQ scheduling, and PQ+WFQ
scheduling. The port queue uses RR scheduling.
[Figure: HQoS queue scheduling. Level 3 flow queues are scheduled by PQ/WFQ into level 2 subscriber queues, which are scheduled by PQ/WFQ into the level 1 port queue; port queues are scheduled by RR.]

• HQoS deployment for enterprise users is used as an example. Enterprise users have VoIP, video conference, and data services. Each subscriber queue corresponds to one enterprise user, and each flow queue corresponds to one type of service. By deploying HQoS, the device can control the following:
  ▫ Traffic scheduling among the three types of services of a single enterprise user
  ▫ Total bandwidth of the three types of services of a single enterprise user
  ▫ Bandwidth allocation between multiple enterprise users
  ▫ Total bandwidth of multiple enterprise users
Introduction to HQoS Traffic Shaping
⚫ The HQoS shaper buffers packets and limits their rate. The device supports three levels of shapers: the flow queue shaper, the subscriber queue shaper, and the port queue shaper. After packets enter the device, they are buffered in queues and sent at the limited rate. Shapers guarantee the CIR and limit the maximum rate of packets by using the rate limiting algorithm.

[Figure: level 3 flow queue shaping: data is buffered in a flow queue and waits to be sent. Level 2 subscriber queue shaping: data from multiple flow queues is buffered in a subscriber queue and waits to be sent. Level 1 port queue shaping: data from multiple subscriber queues is buffered in a port queue and waits to be sent.]


Introduction to the HQoS Dropper
⚫ The HQoS dropper discards packets according to a drop policy before the packets are placed in queues.
⚫ The three queue levels support different drop modes: port queues and subscriber queues support tail drop only; flow queues support tail drop and WRED.

[Figure: level 3 flow queue: WRED or tail drop; level 2 subscriber queue: tail drop; level 1 port queue: tail drop. At each level, packets are discarded based on the drop policy.]


HQoS Application Example
⚫ Assume that there are three families in a building. Family A purchases 10 Mbit/s bandwidth and enables the VoIP,
IPTV, and High Speed Internet (HSI) services. Family B purchases 20 Mbit/s bandwidth and enables the IPTV and
HSI services. Family C purchases 30 Mbit/s bandwidth and enables only the HSI service. HQoS can meet these
requirements.
[Figure: HQoS deployment solution at the building egress. Family A: VoIP (PQ scheduling), IPTV (PQ scheduling), and HSI (WFQ scheduling) flow queues, total bandwidth 10 Mbit/s. Family B: IPTV (PQ scheduling) and HSI (WFQ scheduling) flow queues, total bandwidth 20 Mbit/s. Family C: HSI (WFQ scheduling) flow queue, total bandwidth 30 Mbit/s. The per-family totals are level 2 subscriber queues, scheduled by WFQ into the level 1 port queue, whose total bandwidth for the building is 60 Mbit/s.]
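The following Python model of the building above is an added example, not code from the training material. It reproduces the three levels of the figure: per-service flow queues scheduled by PQ (VoIP, IPTV) or WFQ (HSI) inside each family's subscriber queue, a shaper on each subscriber queue at the purchased bandwidth, and a port queue that visits the subscriber queues in round-robin order under a port shaper. Time is divided into 1 ms slots and every packet is 1 kbit, so N Mbit/s is N packets per slot; the offered loads, the flow queue depth, and the one-slot token bucket are constructed assumptions.

```python
"""Three-level HQoS model: flow queues -> subscriber queues -> port queue.

Added example, not code from the training material. Each family is a
subscriber queue shaped to its purchased bandwidth, each service is a flow
queue scheduled by PQ or WFQ inside it, and the port queue shares the
uplink among subscribers in round-robin order. One slot is 1 ms and one
packet is 1 kbit, so N Mbit/s equals N packets per slot (assumptions).
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class FlowQueue:
    name: str
    mode: str                 # "pq" or "wfq"
    offered: int              # packets arriving per slot (constructed load)
    weight: int = 1
    depth: int = 50           # flow queue depth (assumption)
    q: deque = field(default_factory=deque)
    sent: int = 0
    dropped: int = 0
    offered_total: int = 0

    def arrive(self):
        self.offered_total += self.offered
        accepted = min(self.depth - len(self.q), self.offered)
        self.q.extend([1] * accepted)      # flow queue dropper: tail drop
        self.dropped += self.offered - accepted


@dataclass
class SubscriberQueue:
    name: str
    cir: int                  # subscriber shaper rate, packets per slot
    flows: list
    tokens: int = 0

    def refill(self):
        self.tokens = self.cir                 # bucket holds one slot of CIR

    def pick_flow(self):
        """PQ flows first, in listed order; WFQ flows share by weight."""
        for f in self.flows:
            if f.mode == "pq" and f.q:
                return f
        wfq = [f for f in self.flows if f.mode == "wfq" and f.q]
        return min(wfq, key=lambda f: f.sent / f.weight) if wfq else None

    def send_one(self):
        """Send one packet if the subscriber shaper still has a token."""
        f = self.pick_flow() if self.tokens > 0 else None
        if f is None:
            return False
        f.q.popleft()
        f.sent += 1
        self.tokens -= 1
        return True


def run(subscribers, port_rate, slots=1000):
    """Port queue: round robin over subscriber queues, one packet per visit,
    until the port shaper is exhausted or no subscriber can send."""
    for _ in range(slots):
        for s in subscribers:
            s.refill()
            for f in s.flows:
                f.arrive()
        port_tokens = port_rate
        while port_tokens > 0:
            progressed = False
            for s in subscribers:
                if port_tokens > 0 and s.send_one():
                    port_tokens -= 1
                    progressed = True
            if not progressed:
                break
    return {s.name: {f.name: {"offered": f.offered_total, "sent": f.sent,
                              "dropped": f.dropped, "queued": len(f.q)}
                     for f in s.flows} for s in subscribers}


def building():
    """Families A, B and C from the figure; HSI is oversubscribed on purpose."""
    return [
        SubscriberQueue("A", cir=10, flows=[FlowQueue("voip", "pq", offered=2),
                                            FlowQueue("iptv", "pq", offered=4),
                                            FlowQueue("hsi", "wfq", offered=20)]),
        SubscriberQueue("B", cir=20, flows=[FlowQueue("iptv", "pq", offered=8),
                                            FlowQueue("hsi", "wfq", offered=20)]),
        SubscriberQueue("C", cir=30, flows=[FlowQueue("hsi", "wfq", offered=40)]),
    ]


def report(port_rate):
    """Simulate the building for one second at the given port rate (packets/slot)."""
    return run(building(), port_rate)
```

report(60) gives each family exactly its purchased bandwidth (10, 20, and 30 Mbit/s): VoIP and IPTV are served in full because their flow queues are PQ, and HSI takes whatever is left of each family's share, with the excess HSI load tail-dropped at the flow queue. report(40) shows what the round-robin port queue does when the uplink is oversold: packets are shared equally among the subscribers that still hold tokens, so A keeps 10 Mbit/s while B and C get 15 Mbit/s each, rather than the CIR-proportional 6.7, 13.3, and 20 Mbit/s.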


HQoS Configuration Roadmap
⚫ The HQoS configuration is complex. Generally, the MQC mode is used.
⚫ When HQoS is configured, the policy nesting mode is used:
  ▫ The parent traffic policy differentiates users, and the child traffic policy differentiates traffic.
  ▫ A parent traffic policy can have multiple child traffic policies.
  ▫ A parent traffic policy is applied to an interface.
⚫ Mapping to the queue levels: level 3 flow queue = child traffic policy; level 2 subscriber queue = parent traffic policy; level 1 port queue = interface or sub-interface queue.


Configuring a Child Traffic Policy
• Child traffic policies are used to differentiate services. You can configure multiple child traffic policies based on services when configuring HQoS.
• The configuration of HQoS child traffic policies is the same as that of common MQC. The configuration roadmap is as follows:
  ▫ Configure a traffic classifier that matches traffic based on service characteristics.
  ▫ Configure a traffic behavior that defines the queue scheduling mode and queue bandwidth.
  ▫ Bind the traffic classifier and traffic behavior to a traffic policy.

  system-view
  traffic classifier [classifier-name] //Create a traffic classifier.
  if-match [acl | vlan-id | …. ] //Match traffic based on service characteristics.

  system-view
  traffic behavior [behavior-name] //Create a traffic behavior.
  queue [af | ef | llq] bandwidth [bandwidth | pct percentage] //Configure AF, EF, or LLQ queue parameters in the traffic behavior.
  drop-profile [drop-profile-name] //Bind the created drop profile to the traffic behavior.

  system-view
  traffic policy [policy-name] //Create a traffic policy.
  classifier [classifier-name] behavior [behavior-name] //Bind the traffic classifier to the traffic behavior.


Configuring a Parent Traffic Policy
• A parent traffic policy is used to differentiate users. When configuring HQoS, you can bind multiple child traffic policies to a parent traffic policy.
• The configuration roadmap is as follows:
  ▫ Configure a traffic classifier that matches traffic based on user characteristics.
  ▫ Configure a traffic behavior that invokes a child traffic policy.
  ▫ Bind the traffic classifier and traffic behavior to a traffic policy.

  system-view
  traffic classifier [classifier-name] //Create a traffic classifier.
  if-match [acl | vlan-id | …. ] //Match traffic based on user characteristics.

  system-view
  traffic behavior [behavior-name] //Create a traffic behavior.
  queue [af | ef | llq] bandwidth [bandwidth | pct percentage] //(Optional) Configure AF, EF, or LLQ queue parameters in the traffic behavior.
  traffic-policy [policy-name] //Bind the child traffic policy to the traffic behavior.

  system-view
  traffic policy [policy-name] //Create a parent traffic policy.
  classifier [classifier-name] behavior [behavior-name] //Bind the traffic classifier to the traffic behavior.


Applying the Parent Traffic Policy
• After configuring a parent traffic policy, bind it to an interface or sub-interface.
• If the parent traffic policy is bound to a sub-interface, traffic from the different sub-interfaces is sent out of the physical interface in polling (round-robin) mode.
• The configuration roadmap is as follows:
  ▫ Apply the parent traffic policy to the outbound direction of the interface.

  system-view
  interface [interface-type interface-num] //Enter the interface view.
  traffic-policy [policy-name] outbound //Apply the parent traffic policy to the outbound direction of the interface.


Checking the HQoS Configuration
⚫ After configuring HQoS, you can run the following commands to check the configuration.
  system-view
  display traffic classifier user-defined [classifier-name] //Check the traffic classifier configuration.
  display traffic behavior [system-defined | user-defined] [behavior-name] //Check the traffic behavior configuration.
  display traffic policy user-defined [policy-name] classifier [classifier-name] //Check the traffic policy configuration.
  display traffic-policy applied-record [policy-name] //Check the application record of the specified traffic policy.


Quiz

1. (True or false) HQoS cannot distinguish users or services.( )
   A. True
   B. False

2. (Multiple-answer question) What are the three types of HQoS queues?( )
   A. Flow queue
   B. Subscriber queue
   C. Data queue
   D. Port queue

1. B
2. ABD
Section Summary

⚫ HQoS guarantees services at a finer granularity.
⚫ HQoS has three levels of queues: flow queue, subscriber queue, and port queue. Traffic shaping can be deployed for all three. Flow queues and subscriber queues are scheduled in PQ+WFQ mode, and port (interface) queues are scheduled in RR mode.


Summary

⚫ QoS is an important means of ensuring service quality. Generally, the DiffServ model is used on live networks.
⚫ This model uses rate limiting, congestion avoidance, and congestion management.
⚫ HQoS is used in complex scenarios that require finer granularity. Flow queues, subscriber queues, and port queues distinguish different users and the different services of the same user.


Thank you.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
• Maintenance is also called "O&M", "operation", or "operation and maintenance".

• Network planning is the starting point of a project. Complete and detailed planning lays a solid foundation for subsequent project implementation. Specific tasks in network planning are as follows:
  ▫ In the project planning phase, investigate and understand the project background, and prepare properly for project implementation to ensure the smooth progress of the project.
  ▫ In the project planning phase, specify the implementation scope of the network project.
  ▫ Draw up the project budget based on the project objective, project scope, and work content.
  ▫ In the project planning phase, specify the network design guidelines that will guide and serve as the basis for subsequent network design.
• A proper running environment is a prerequisite for the proper running of a device.

• Temperature and humidity readily affect the proper running of devices. Standard equipment rooms should be equipped with thermometers and hygrometers, and the temperature and humidity should be checked and recorded daily.

• The cleanness and neatness of the equipment room also affect the proper running of the equipment.
  ▫ Cleanness affects heat dissipation.
  ▫ Tidiness refers to the proper layout of devices and cables. Devices must be installed and cables routed according to the installation and deployment requirements. During network operation, however, temporary adjustments such as jumper tests are often made, and after a period of such activity the equipment room becomes disordered. The purpose of checking the equipment environment is to find and rectify these problems in time.

• For nonstandard equipment rooms, check the equipment environment more carefully; for example, check the cleanness and heat dissipation of floor equipment rooms.

• The preceding check items may vary according to the device. For details, see the product documentation of each type of device.
• Software version running on a device:

▫ The software version running on a device should be confirmed during project implementation. In normal cases, the version information does not change. Pay attention to any change in version information; such a change is usually caused by nonstandard management.

▫ If a device is newly added, its software version may differ from the existing software version. Some devices may be upgraded or downgraded for other reasons. Especially on a large-scale network, devices of the same type may run different versions. In this case, verify that the different versions can meet the same network function requirements.

• Startup information:

▫ Multiple software packages of different versions or multiple configuration files may be stored on a device. In this case, changing the startup information may pose great risks to the proper running of the network. Once the device restarts (for example, because of a power supply fault), the entire network may be adversely affected.

• License information:

▫ License rules vary according to devices. The licenses of some devices have validity periods.
• You can configure information output rules as needed to control the output of various types and levels of information along information channels in different output directions.

• A remote terminal logs in to a device through a VTY interface to receive logs, traps, and debugging information, facilitating remote maintenance.

• Enable a device to send information to a log host:

▫ [HUAWEI] info-center loghost ip-address [ source-ip source-ip-address | transport { udp | tcp ssl-policy policy-name } ]
• To facilitate display, the debugging information shown on this page has been adjusted.

• The content of the Hello packet sent by R1 through GE 0/0/0 is as follows:

<R1>
YY-MM-DD 10:14:21.751.1-08:00 R1 RM/6/RMDEBUG:
FileID: 0xd0178025 Line: 559 Level: 0x20
OSPF 1: SEND Packet. Interface: GigabitEthernet0/0/0
<R1>YY-MM-DD 10:14:21.751.2-08:00 R1 RM/6/RMDEBUG: Source Address: 10.0.12.1
<R1>YY-MM-DD 10:14:21.751.3-08:00 R1 RM/6/RMDEBUG: Destination Address: 224.0.0.5
<R1>YY-MM-DD 10:14:21.751.4-08:00 R1 RM/6/RMDEBUG: Ver# 2, Type: 1 (Hello)
<R1>YY-MM-DD 10:14:21.751.5-08:00 R1 RM/6/RMDEBUG: Length: 48, Router: 10.0.12.1
<R1>YY-MM-DD 10:14:21.751.6-08:00 R1 RM/6/RMDEBUG: Area: 0.0.0.0, Chksum: ae94
<R1>YY-MM-DD 10:14:21.751.7-08:00 R1 RM/6/RMDEBUG: AuType: 00
<R1>YY-MM-DD 10:14:21.751.8-08:00 R1 RM/6/RMDEBUG: Key(ascii): * * * * * * **
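The debug output above arrives one field per line, which makes it hard to compare the Hello parameters of two neighbors at a glance. The following added Python example (not from the course material) merges the RM/6/RMDEBUG lines of one packet into a single record and then lists the fields that must agree on both ends of an OSPF link: the area, the authentication type, and the AllSPFRouters destination. The sample input is constructed from the lines above (the YY-MM-DD placeholder is kept as it appears on the page); `parse_debug`, `hello_summary`, `adjacency_findings` and the AuType labels (taken from RFC 2328) are the example's own.

```python
"""Consolidate VRP OSPF debug lines into one record and check the Hello fields
that must match on both ends of a link (added example, not course material)."""
import re
from typing import Dict, List

# Constructed sample: the Hello packet sent by R1 through GE0/0/0, as on the slide.
SAMPLE_DEBUG = """\
YY-MM-DD 10:14:21.751.1-08:00 R1 RM/6/RMDEBUG: FileID: 0xd0178025 Line: 559 Level: 0x20
OSPF 1: SEND Packet. Interface: GigabitEthernet0/0/0
<R1>YY-MM-DD 10:14:21.751.2-08:00 R1 RM/6/RMDEBUG: Source Address: 10.0.12.1
<R1>YY-MM-DD 10:14:21.751.3-08:00 R1 RM/6/RMDEBUG: Destination Address: 224.0.0.5
<R1>YY-MM-DD 10:14:21.751.4-08:00 R1 RM/6/RMDEBUG: Ver# 2, Type: 1 (Hello)
<R1>YY-MM-DD 10:14:21.751.5-08:00 R1 RM/6/RMDEBUG: Length: 48, Router: 10.0.12.1
<R1>YY-MM-DD 10:14:21.751.6-08:00 R1 RM/6/RMDEBUG: Area: 0.0.0.0, Chksum: ae94
<R1>YY-MM-DD 10:14:21.751.7-08:00 R1 RM/6/RMDEBUG: AuType: 00
<R1>YY-MM-DD 10:14:21.751.8-08:00 R1 RM/6/RMDEBUG: Key(ascii): * * * * * * **
"""

# A key is one or two words followed by ": " (e.g. "Source Address: ", "OSPF 1: ").
KEY_RE = re.compile(r"(?:^|[,\s])([A-Za-z][A-Za-z0-9#()]*(?: [A-Za-z0-9#()]+)?): ")
VER_RE = re.compile(r"\bVer#\s*(\d+)")          # "Ver# 2" has no colon, handled separately
PREFIX_RE = re.compile(r"RM/6/RMDEBUG:\s*")    # timestamp and module prefix to discard

# OSPFv2 AuType values (RFC 2328, Appendix D).
AUTYPE_NAMES = {"00": "Null", "01": "Simple password", "02": "Cryptographic"}


def parse_debug(text: str) -> Dict[str, str]:
    """Merge the debug lines of one packet into a flat {field: value} dictionary."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = PREFIX_RE.split(raw, maxsplit=1)[-1]   # keep only the payload after the prefix
        if not line.strip():
            continue
        version = VER_RE.search(line)
        if version:
            fields["Ver"] = version.group(1)
        matches = list(KEY_RE.finditer(line))
        for i, km in enumerate(matches):
            # The value runs from the end of this key to the start of the next one.
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            fields[km.group(1)] = line[km.end():end].strip().rstrip(",").strip()
    return fields


def is_hello(fields: Dict[str, str]) -> bool:
    """True when the packet type field reads "1 (Hello)"."""
    return fields.get("Type", "").split(" ")[0] == "1"


def hello_summary(fields: Dict[str, str]) -> Dict[str, str]:
    """Pick the adjacency-relevant fields and decode the authentication type."""
    autype = fields.get("AuType", "")
    return {
        "interface": fields.get("Interface", ""),
        "router_id": fields.get("Router", ""),
        "source": fields.get("Source Address", ""),
        "destination": fields.get("Destination Address", ""),
        "area": fields.get("Area", ""),
        "auth": AUTYPE_NAMES.get(autype, f"unknown ({autype})"),
    }


def adjacency_findings(fields: Dict[str, str], expected_area: str = "0.0.0.0") -> List[str]:
    """Findings a maintainer would want before comparing with the neighbor's Hello."""
    findings: List[str] = []
    if fields.get("Area") != expected_area:
        findings.append(f"Area {fields.get('Area')} differs from expected {expected_area}")
    if fields.get("AuType") == "00":
        findings.append("AuType Null: Hello packets are sent without authentication")
    if fields.get("Destination Address") != "224.0.0.5":
        findings.append(f"Destination {fields.get('Destination Address')} is not AllSPFRouters (224.0.0.5)")
    return findings


if __name__ == "__main__":
    record = parse_debug(SAMPLE_DEBUG)
    print(hello_summary(record))
    for finding in adjacency_findings(record):
        print("-", finding)
```

Run the same parser on the debug output captured on the neighbor and compare the two `hello_summary` results: a difference in the area or authentication fields explains a neighbor relationship that never leaves the Init or Down state.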
• Only one packet information obtaining instance can run at a time. That is, if a previous process is not complete, the next process cannot be started.

• The rate of packets whose information is to be obtained is limited. If burst traffic exceeds the rate limit configured for obtaining packet information, packet loss may occur.

• The capture-packet command obtains header information from the service packets that match the configured rules and sends the obtained information to the terminal for display or saves it on the local device.

▫ capture-packet interface interface-type interface-number [ acl acl-number ] destination { terminal | file file-name } * [ car cir car-value | time-out time | packet-num number | packet-len { length | total-packet } ] *

▪ terminal: sends the obtained information to the terminal for display.

▪ file file-name: saves the obtained information in a specified file.


1. ABD
1. B

2. B
Network Troubleshooting
Foreword
⚫ Digital transformation of medium- and large-sized enterprises is implemented using multiple technologies, such as cloud computing, big data, artificial intelligence (AI), and Internet of Things (IoT). These technologies are all supported by data communications networks. A stable data communications network requires well-prepared network design, construction, and maintenance.
⚫ An enterprise data communications network accommodates various types of devices that are connected by multiple types of physical links. In addition, to forward data packets accurately, the devices run multiple protocols. Network devices, cables, and protocols may all encounter faults, and quickly rectifying such faults is a basic skill of senior network engineers.
⚫ This course describes common network faults and how to troubleshoot them, to help network engineers build the capability to troubleshoot faults in various scenarios.
Objectives

⚫ On completion of this course, you will be able to:
 Understand the troubleshooting methods.
 Analyze loop faults.
 Analyze failures to establish neighbor relationships of routing protocols.
 Write a troubleshooting guide.
Contents

1. Troubleshooting Data Communication Network Faults


◼ Overview of Network Faults

▫ Structured Troubleshooting Process

▫ Core Ideas and Methods of Network Troubleshooting

2. Troubleshooting Common Network Faults

What Is a Network Fault?
⚫ A network fault refers to the phenomenon that a network loses a specific function and adversely affects services for some reason.
⚫ From the perspective of users, any phenomenon that adversely affects services can be defined as a fault.
⚫ The common fault symptoms and categories are as follows:
 Fault symptoms: Alarm, Service Interruption, Loop, Protocol Anomaly, Protocol Flapping, Route Anomaly, Service Forwarding Failure, Transient Service Interruption, Packet Loss.
 Fault categories: Hardware, Configuration, Network, Performance, Software, Interconnection, Others.
 (Slide table: a matrix marking, for each fault category, the symptoms it can produce.)

• Mapping between the preceding fault symptoms and categories varies according to scenarios.
Contents

1. Troubleshooting Data Communication Network Faults


▫ Overview of Network Faults
◼ Troubleshooting Process

▫ Core Ideas and Methods of Network Troubleshooting

2. Troubleshooting Common Network Faults

Structured Network Troubleshooting Process
The structured process (flowchart on the slide) proceeds as follows:
Fault report → Fault confirmation → Information collection → Identification and analysis → Cause listing → Fault assessment → Step-by-step troubleshooting → Is the fault rectified? If no, continue troubleshooting; if yes, fault resolving → wrap-up work, and the network recovers.

• If unstructured network troubleshooting is carried out, steps are performed repeatedly, leading to low efficiency even if a solution to the fault is eventually found.

• In a complex network environment, an unstructured fault rectification process may itself cause a new fault, making network fault rectification more difficult.

Fault Report
⚫ An enterprise has multiple departments, such as finance, human resources, logistics, marketing, and R&D departments. These departments need to communicate. To guarantee network operations, enterprises may take the following measures:
 Large- and medium-sized enterprises set up network maintenance departments to build professional network teams.
 To reduce expenses, small-sized enterprises do not set up an independent network maintenance department. Instead, they entrust their networks to professional network maintenance companies.
 Contact device manufacturers for after-sales service.
 (Slide figure: cloud/data center, network, and O&M area.)

⚫ Generally, the person who first perceives a network fault is from a department related to services, rather than a network maintenance engineer. Network engineers often receive calls for help, such as "the computer suddenly cannot access the Internet", "the web page cannot be displayed normally", and "the game is stuck".

Fault Report: Proactive Communication and Confirmation

⚫ Ask the user for the following information by phone and record it in a troubleshooting report.

 Fault reporter: Name, department, position, work content, computer location (floor, room, wireless or wired access), and the website that the computer attempts to access.

 Fault frequency: Check whether the fault occurs suddenly, occasionally, or frequently.

 User operation: Operations performed by the user on the terminal before and after the fault occurs. For example, the IP address and DNS parameters were changed, desktop firewall software was installed, or security control software was installed.

• Why do we need to know the positions and work content of users?

▫ In an enterprise environment, the network access permissions granted vary according to position. Even users in the same position may have permission only for the network services related to their own work content.

Fault Confirmation
⚫ Four factors for determining a fault:
 Subject: network service that becomes faulty
 Symptom: symptom of the fault
 Time: the time when the fault was found and the fault occurrence time estimated by professional personnel
 Location: network component that becomes faulty

⚫ Describe the fault symptom accurately.

⚫ Ultimately, check whether the fault is within your responsibility scope, that is, whether the related permissions to rectify the fault have been granted.

• Why do we need to confirm a fault?

▫ The user description may be ambiguous, and the reported fault may not be the actual faulty point. In this situation, experienced engineers have to confirm the fault.

Information Collection
⚫ Which information needs to be collected?
 In the information collection phase, fault-related information, such as documents and network changes, is collected.

⚫ How to collect the information:
 Run commands on the involved devices. Use information collection tools, such as the packet information obtaining tool and network management software.

⚫ Obtaining permissions:
 In a network environment that poses high requirements on information security, information collection must be authorized. Sometimes, a written authorization file must be signed.

⚫ Risk assessment in the information collection phase:
 Some information collection operations, such as running a debug command on a router or switch, may cause high CPU usage. In worse cases, a device may even stop responding to instructions, causing more faults. When collecting information, you must evaluate the risks, balance the risk of introducing new faults against the urgency of rectifying existing faults, and notify users of the risks. Users then decide whether to collect the information when the risk is high.

Identification and Analysis
⚫ In the identification and analysis phase, the collected information is analyzed and sorted.
 By summarizing the fault, maintenance, and version-specific change information and using team (or personal) experience, you can obtain the list of possible causes for network faults.

(Slide figure: fault information, maintenance information, change information, and team experience feed into identification and analysis, which produces the cause listing.)

Cause Listing
⚫ In the cause listing phase, you must list all possible fault causes, sort out the most likely causes, and exclude the least likely causes to narrow down the troubleshooting scope.

(Slide figure: information filtering turns the cause listing (possible causes 1, 2, 3, 4, ...) into causes to be located, such as cause 1 and cause 2, with the remaining causes excluded.)

Fault Assessment
⚫ Fault assessment must be performed before each check.

(Slide figure: cause listing → fault assessment → step-by-step troubleshooting, in which cause 1 and cause 2 to be located are checked until the root cause is found.)

• A temporary network environment may need to be built for fault evaluation.

▫ If a complex network fault cannot be rectified within a short period of time after being evaluated and the user wants to immediately restore network availability, advise the user to temporarily bypass the faulty node and build an alternative network environment.

▫ When building a temporary network environment, fully consider the urgency of solving the problem and the risk of bypassing certain security restrictions. Fully communicate with users and implement the environment only after obtaining permission.

Step-by-Step Troubleshooting
⚫ In the step-by-step troubleshooting phase, the conflict between the urgency of solving the problem and the risk of introducing new faults must be balanced. Therefore, users must be clearly informed of the risks that the process may induce. Perform the checks only after being authorized.
⚫ In some cases, network changes may be involved in the verification process. In this case, a complete emergency plan and rollback preparations must be made.

(Slide figure: an emergency plan and rollback preparations accompany step-by-step troubleshooting of cause 1 and cause 2 to be located, leading to the root cause.)

Fault Resolving
⚫ After the root cause is found and the fault is rectified, the troubleshooting is complete.
⚫ In a complex network environment, you have to observe the network for a period of time after the fault symptom disappears. On the one hand, you can confirm that the fault reported by the user has been rectified. On the other hand, you can confirm that no new fault was introduced during the troubleshooting process.

(Slide figure: step-by-step troubleshooting → root cause → fault resolving → continual observation → wrap-up work.)

Wrap-up Work
⚫ Wrap-up work involves arranging related documents and sending notifications. Back up all configurations or software changed during the troubleshooting process, and sort out and hand over the troubleshooting documents. To prevent the same fault from occurring again, provide improvement suggestions to users in this phase.

Wrap-up work consists of:
 Document handover: troubleshooting process documents, troubleshooting summary report, and change backup and maintenance suggestions.
 Information notification: affected parties, the authorizing party in each phase of troubleshooting, and others such as vendors and service providers.
Contents

1. Troubleshooting Data Communication Network Faults


▫ Overview of Network Faults

▫ Troubleshooting Process
◼ Core Ideas and Methods of Network Troubleshooting

2. Troubleshooting Common Network Faults

Service Traffic Path-Centric Troubleshooting Ideas
⚫ The path along which service traffic passes is usually designed in the network planning phase. You merely need to know the round-trip path of the service traffic adversely affected by a network fault, trace the path, and rectify the fault step by step.

(Slide figure: services such as finance, OA, production, and other services run over the network, each along a planned path.)
Determining a Service Traffic Path: Network Layer
⚫ Multiple paths may exist during packet forwarding. Therefore, you need to determine the path over which service traffic is transmitted based on the packet forwarding process.

(Slide figure: a packet (IP header, TCP header, data) may be forwarded along path 1 or path 2.)

Determining a Service Traffic Path: Data Link Layer
⚫ Check how data frames of service traffic are forwarded by switches on a Layer 2 network.

(Slide figure: a frame (Ethernet header, IP header, TCP header, data, FCS) may be switched along path 1 or path 2.)
Layered Troubleshooting Approach
⚫ The layered troubleshooting approach is simple, because all working models follow a simple rule: the upper-layer structure of any model can work properly as long as the lower-layer structure is working properly.

 Application layer
 Presentation layer
 Session layer
 Transport layer: Check whether TCP connections are correctly established and whether TCP and UDP ports are enabled.
 Network layer: Check whether routes are available and whether a routing protocol is working properly.
 Data link layer: Check whether data link layer encapsulation is correct, whether an interface protocol is up, and whether Layer 2 addressing is normal.
 Physical layer: Check whether the physical status of an interface is up and whether cables and connectors are securely connected.
Configuration Comparison Approach
⚫ Compare configurations, software versions, and hardware models in normal and faulty states to find differences.
⚫ Network troubleshooting personnel with less experience will use this method more frequently in practice.

Compare the two configurations (shown side by side on the slide; they differ only in the IS-IS hello timer on Serial4/0/0):

#
sysname r1
#
isis 1
 network-entity 49.0001.1000.0000.0001.00
#
interface Serial4/0/0
 link-protocol ppp
 ip address 10.0.12.1 255.255.255.0
 isis enable 1
 isis timer hello 30
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.255
 isis enable 1
#

#
sysname r1
#
isis 1
 network-entity 49.0001.1000.0000.0001.00
#
interface Serial4/0/0
 link-protocol ppp
 ip address 10.0.12.1 255.255.255.0
 isis enable 1
 isis timer hello 120
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.255
 isis enable 1
#
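On the slide the comparison is done by eye. The following added Python example (not from the course material) does it mechanically for VRP configurations: it splits each configuration at the `#` separators VRP places between sections and reports, per section, the lines that exist on only one side, so the differing `isis timer hello` line is attributed to the `interface Serial4/0/0` section rather than to an arbitrary line number. The two snapshots are constructed from the slide's pair; `parse_sections` and `compare_configs` are the example's own names.

```python
"""Section-aware comparison of two VRP configuration snapshots
(added example, not part of the course material)."""
from typing import Dict, List, Tuple

# Constructed snapshots: the two configurations from the slide, which differ
# only in the IS-IS hello timer on Serial4/0/0.
CONFIG_A = """\
#
sysname r1
#
isis 1
 network-entity 49.0001.1000.0000.0001.00
#
interface Serial4/0/0
 link-protocol ppp
 ip address 10.0.12.1 255.255.255.0
 isis enable 1
 isis timer hello 30
#
interface LoopBack0
 ip address 10.0.1.1 255.255.255.255
 isis enable 1
#
"""
CONFIG_B = CONFIG_A.replace("isis timer hello 30", "isis timer hello 120")


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split a VRP configuration into sections keyed by their first line.

    VRP separates sections with a line consisting of '#'. The first non-empty
    line of a section (e.g. 'interface Serial4/0/0') becomes its key; leading
    indentation is stripped from every line so that only content is compared."""
    sections: Dict[str, List[str]] = {}
    current: List[str] = []
    for raw in config.splitlines() + ["#"]:   # trailing '#' flushes the last section
        line = raw.strip()
        if line == "#":
            if current:
                sections[current[0]] = current
            current = []
        elif line:
            current.append(line)
    return sections


def compare_configs(a: str, b: str) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {section: (only_in_a, only_in_b)} for every section that differs.

    A section present on one side only is reported with all of its lines, so
    added or removed blocks (a missing 'isis 1' block, say) show up as well."""
    sections_a, sections_b = parse_sections(a), parse_sections(b)
    diffs: Dict[str, Tuple[List[str], List[str]]] = {}
    for key in sorted(set(sections_a) | set(sections_b)):
        lines_a = sections_a.get(key, [])
        lines_b = sections_b.get(key, [])
        only_a = [line for line in lines_a if line not in lines_b]
        only_b = [line for line in lines_b if line not in lines_a]
        if only_a or only_b:
            diffs[key] = (only_a, only_b)
    return diffs


if __name__ == "__main__":
    for section, (only_a, only_b) in compare_configs(CONFIG_A, CONFIG_B).items():
        print(section)
        for line in only_a:
            print("  - " + line)   # present only in configuration A
        for line in only_b:
            print("  + " + line)   # present only in configuration B
```

Feed it the saved configuration from the last known-good state and the current `display current-configuration` output; an empty result means the configuration block can be ruled out and the comparison should move on to software versions and hardware models.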
Block-based Troubleshooting Approach
⚫ The configuration files of Huawei network devices, such as switches and routers, are edited in a clear structure.
⚫ If a fault occurs, you can narrow down the fault locating scope by classifying the fault into one or several categories:
 Management (router name, password, service, and log)
 Ports (address, encapsulation, cost, and authentication)
 Routing protocols (static route, OSPF, BGP, and route import)
 Policies (routing policy, policy-based routing, and security configuration)
 Access (console port login, Telnet login, dial-up)
 Applications (DNS, DHCP, and VPN configuration)

Block-based Troubleshooting Approach: Example
⚫ After the display ip routing-table command is run, only direct routes are displayed. What are the possible causes?
<R2>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

     10.0.12.1/32  Direct  0    0           D   10.0.12.1       Serial4/0/0
     10.0.12.2/32  Direct  0    0           D   127.0.0.1       Serial4/0/0
   10.0.12.255/32  Direct  0    0           D   127.0.0.1       Serial4/0/0
     10.0.23.0/24  Direct  0    0           D   10.0.23.2       GigabitEthernet0/0/0
     10.0.23.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
   10.0.23.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0

⚫ The fault is related to the following blocks: routing protocols, policies, and ports. If no routing protocol is configured or a routing protocol is incorrectly configured, the routing table may be empty. If an ACL is incorrectly configured, route updates may be adversely affected. If the IP address, mask, or authentication configuration of an interface is incorrect, the routing table may be incorrect.
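The reasoning above (only Direct routes present, therefore check the routing protocol, policy and port blocks) can be applied to collected output automatically. The following added Python example (not from the course material) parses `display ip routing-table` output into route records, counts the routes per protocol, and maps the result to the configuration blocks the slide names: only Direct routes points at the routing-protocol, policy and port blocks, and no routes at all points at the port block first, since not even a connected interface is up with an address (that last rule is the example's own inference). The sample output is copied from the slide; `Route`, `parse_routing_table`, `protocol_summary` and `suspect_blocks` are the example's own names.

```python
"""Parse 'display ip routing-table' output and map the symptom to the
configuration blocks worth checking (added example, not course material)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Route(NamedTuple):
    prefix: str
    proto: str
    pre: int
    cost: int
    flags: str
    nexthop: str
    interface: str


# One data row: prefix, protocol, preference, cost, flags, next hop, interface.
# The flags column may be empty, hence \S* for it.
ROW_RE = re.compile(
    r"^\s*(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S*)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)

# Constructed sample, copied from the slide's output.
SAMPLE = """\
<R2>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

     10.0.12.1/32  Direct  0    0           D   10.0.12.1       Serial4/0/0
     10.0.12.2/32  Direct  0    0           D   127.0.0.1       Serial4/0/0
   10.0.12.255/32  Direct  0    0           D   127.0.0.1       Serial4/0/0
     10.0.23.0/24  Direct  0    0           D   10.0.23.2       GigabitEthernet0/0/0
     10.0.23.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
   10.0.23.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
"""


def parse_routing_table(text: str) -> List[Route]:
    """Return the data rows of the output; header and banner lines do not match."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            routes.append(Route(m[1], m[2], int(m[3]), int(m[4]), m[5], m[6], m[7]))
    return routes


def protocol_summary(routes: List[Route]) -> Dict[str, int]:
    """Number of routes per protocol, e.g. {'Direct': 6}."""
    return dict(Counter(r.proto for r in routes))


def suspect_blocks(routes: List[Route]) -> List[str]:
    """Configuration blocks to check for this routing table, per the slide's rules."""
    if not routes:
        # Not even connected routes: an interface address or status problem comes first.
        return ["ports"]
    if {r.proto for r in routes} <= {"Direct"}:
        return ["routing protocols", "policies", "ports"]
    return []   # dynamic or static routes are present; this symptom does not apply


if __name__ == "__main__":
    parsed = parse_routing_table(SAMPLE)
    print(protocol_summary(parsed))
    print("check:", ", ".join(suspect_blocks(parsed)) or "nothing for this symptom")
```

Because the rows carry the outgoing interface, the same records can be grouped by interface to see which links contribute only connected routes, which narrows the port block to a specific interface before any configuration is touched.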
Segment-based Troubleshooting Approach
⚫ Since data packets may pass through multiple routers and physical links, each segment may encounter a fault. In this situation, the segment-based approach applies.

(Slide figure: PC → access switch (segment 1) → aggregation switch (segment 2) → core switch (segment 3) → Internet (segment 4).)

Replacement Approach
⚫ The replacement approach is one of the most common methods for checking hardware problems.
⚫ If a network cable may be faulty, replace it with another one in good condition. If an interface module may have failed, replace it with another interface module that is working properly.

(Slide figure: replacing a terminal, replacing a cable, replacing a device.)
Requirements for Network Maintenance and Management Personnel
⚫ Have an in-depth understanding of protocol requirements.
⚫ Be able to guide a customer to describe the fault symptom and related information in detail.
⚫ Fully understand the networks managed and maintained.
⚫ Record troubleshooting documents and summarize troubleshooting experience.
⚫ Be familiar with network troubleshooting approaches and combine them flexibly.
Quiz

1. (Multiple-answer question) In the wrap-up work of a structured network troubleshooting process, which of the following parties should be notified of information? ( )
A. Related parties affected by the fault
B. Authorizing parties in each phase of troubleshooting
C. Manufacturer and service providers
D. Other irrelevant personnel who are interested in the root cause

2. (True or false) On a large-scale network, the comparison approach is the most effective method for troubleshooting faults. ( )
A. True
B. False

1. ABC

2. False
Contents

1. Troubleshooting Data Communication Network Faults

2. Troubleshooting Common Network Faults


◼ LAN Faults

▫ Route Faults

▫ Service Faults

Troubleshooting Common Network Faults: Topology (1)
• During network maintenance, network engineers may encounter various network faults, such as login, route, and IP service faults. The figure shows a part of the network architecture, which is used as an example to describe how to troubleshoot common network faults.

(Slide figure: R1, R2, and R3 in a row, with OSPF between R1 and R2, IS-IS between R2 and R3, and IBGP sessions from R1 and R3 to R2; static routes between the routers and SW3, SW4, and SW5; SW1 and SW2 below SW3 and SW4 (interfaces GE0/0/3 and GE0/0/4), SW6 below SW5; PC1, PC2, PC13, PC14, PC5, and Server6 at the access layer.)

• Routing protocol overview:
▫ OSPF: runs between R1 and R2. OSPF is enabled on all interfaces of R1, and GE 0/0/0 belongs to area 0.
▫ IS-IS: runs between R2 and R3.
▫ BGP: R1 and R3 establish IBGP peer relationships with R2 and function as clients of R2, namely, the RR.
▫ Static route: SW3, SW4, and SW5 use static routes to connect to the routers.
Troubleshooting Common Network Faults: Topology (2)
• IP address planning:
▫ Loopback0: 10.0.1.1/32, 10.0.2.2/32, and 10.0.3.3/32 on R1, R2, and R3, respectively.
▫ Interconnection interfaces: The network segments are shown in the figure (10.0.12.0/24 between R1 and R2, 10.0.23.0/24 between R2 and R3, and 10.0.35.0/24 in VLAN 35), and the decimal number of the right-most octet in an IP address is the device ID.
▫ Terminals: The network segments are shown in the figure (VLAN 12: 192.168.12.0/24, VLAN 34: 192.168.34.0/24, VLAN 56: 192.168.56.0/24). The gateway has the largest IP address on a network segment. PC5 obtains an IP address using DHCP, and R3 functions as the DHCP server. Other terminals use static IP addresses, with the decimal number of the right-most octet in an IP address indicating the device ID.

• Route advertisement planning:
▫ On R2, configure OSPF and IS-IS to import routes from each other, so that the Loopback0 addresses on R1, R2, and R3 are reachable.
▫ R1 imports the static routes destined for 192.168.12.0/24 and 192.168.34.0/24 into the BGP routing table.
▫ R3 imports the static route destined for 192.168.56.0/24 into the BGP routing table.

• R3 and SW5 are connected through Layer 3 sub-interfaces.


Troubleshooting Common Network Faults: Topology (3)
• MSTP planning:
Instance ID | VLAN ID | Root Bridge | Backup Bridge
Instance 12 | VLAN 12 | SW3 | SW4
Instance 34 | VLAN 34 | SW4 | SW3

• VRRP planning:
Network Segment | Master Gateway | Backup Gateway | VRID | Virtual IP
192.168.12.0/24 | SW3 | SW4 | 1 | 192.168.12.254
192.168.34.0/24 | SW4 | SW3 | 2 | 192.168.34.254

• The Telnet username and password for login are Huawei and Huawei@123, respectively.
Common Network Troubleshooting: Symptom
• The following symptoms are found:
▫ PC1 and PC13 cannot communicate.
▫ Server6 provides the FTP service, but PC1 cannot use this service.
▫ PC5 cannot communicate with any host.
• There are multiple possible causes. The preceding approaches are used to demonstrate how to troubleshoot the three faults.
• Assume that the symptoms have been confirmed. Skip the following steps in the subsequent troubleshooting: fault report, fault confirmation, information collection, and wrap-up work.
PC1 and PC13 Cannot Communicate (1)
• The simplified topology on the slide shows the planned path for PC1-to-PC13 traffic: from PC1 through SW1 (GE0/0/10), the MSTP pair SW3 and SW4 (GE0/0/3 and GE0/0/4), and SW2 (GE0/0/10) to PC13. Use the layered, segment-based, and forwarding path-centric approaches to analyze the faults. PC1 and PC13 may fail to communicate due to the following causes:
▫ Physical link fault
▫ Incorrectly configured IP address
▫ VLAN configuration error
▫ Loop
▫ VRRP fault

• This section describes common troubleshooting methods and tools, providing guidance for network maintenance personnel. The processing sequence in actual scenarios may differ from that in the example.
PC1 and PC13 Cannot Communicate (2)
• On PC1 and PC13, choose Control Panel > Network and Internet > Network Connection > Ethernet Cable to check the Ethernet cables and ensure that the physical cable connections to the PCs are correct. (The preceding path varies according to the operating system and version.)
• Check the physical interface status on each involved switch (SW1, for example). If the physical status of an interface is not up, use another interface to connect the switch to the PC.

<SW1>display interface brief | include up
Interface                   PHY   Protocol InUti OutUti   inErrors  outErrors
GigabitEthernet0/0/3        up    up        0%     0%          0          0
GigabitEthernet0/0/4        up    up        0%     0%          0          0
GigabitEthernet0/0/10       up    up        0%     0%          0          0
GigabitEthernet0/0/11       up    up        0%     0%          0          0

• Ping 192.168.34.13 from PC1 and check whether the number of packets sent and received by the interface increases. If so, the physical link is working properly. If not, use another interface or replace the network cable.

<SW1>display interface GigabitEthernet 0/0/10
Description:
Switch Port, PVID :   12, TPID : 8100(Hex), The Maximum Frame Length is 9216
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 4c1f-cc69-6d7b
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 0 bytes/sec, 0 packets/sec
Input:  430 bytes, 6 packets
Output:  197137 bytes, 1659 packets

• This section uses the Windows 10 OS as an example to describe how to check the physical connection status of a PC.

• InUti: input bandwidth utilization

• OutUti: output bandwidth utilization


PC1 and PC13 Cannot Communicate (3)
• Check that PC1's IP address is set to 192.168.12.1 and its gateway address is set to 192.168.12.254.

• Check the IP addresses on SW3 and SW4 and ensure that they are correctly configured. (A VLANIF interface without an IP address assigned will not go up and cannot perform Layer 3 forwarding.)

<SW3>display ip interface brief
Interface                         IP Address/Mask      Physical   Protocol
MEth0/0/1                         unassigned           down       down
NULL0                             unassigned           up         up(s)
Vlanif1                           unassigned           up         down
Vlanif12                          192.168.12.3/24      up         up
Vlanif34                          192.168.34.3/24      up         up

<SW4>display ip interface brief
Interface                         IP Address/Mask      Physical   Protocol
MEth0/0/1                         unassigned           down       down
NULL0                             unassigned           up         up(s)
Vlanif1                           unassigned           up         down
Vlanif12                          192.168.12.4/24      up         up
Vlanif34                          192.168.34.4/24      up         up

• The preceding information indicates that the IP addresses of the interfaces on SW3 and SW4 have been correctly configured.
PC1 and PC13 Cannot Communicate (4)
• Query the switch port and VLAN configuration.

[SW1]display vlan
The total number of vlans is : 3
--------------------------------------------------------------------------------
U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
MP: Vlan-mapping;               ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
--------------------------------------------------------------------------------
VID  Type    Ports
--------------------------------------------------------------------------------
12   common  TG:GE0/0/11(U)      TG:GE0/0/10(U)
34   common  TG:GE0/0/11(U)      TG:GE0/0/10(U)

VID  Status  Property      MAC-LRN Statistics Description
--------------------------------------------------------------------------------
12   enable  default       enable  disable    VLAN 0012
34   enable  default       enable  disable    VLAN 0034

• According to the preceding information, the VLAN configurations of GE 0/0/10 and GE 0/0/11 on SW1 are incorrect. Correct the VLAN configuration errors. Repeat the preceding step to verify the configurations on the other three switches.

• After the VLANs are correctly configured on the switches, check whether PC1 can communicate with other IP addresses on the same network segment. For example, run the ping 192.168.12.13 command on PC1. The command output shows that packet loss occurs and the delay is long.

• GE 0/0/10 belongs to VLAN 12 and VLAN 34 and works in tagged mode, indicating that the interface is configured as a trunk interface and the PVID is not 12.
PC1 and PC13 Cannot Communicate (5)
• Check the MSTP status on each switch. All ports on SW4 are in the Forwarding state.

<SW4>display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/2 DESI FORWARDING NONE
0 GigabitEthernet0/0/3 DESI FORWARDING NONE
0 GigabitEthernet0/0/4 DESI FORWARDING NONE
12 GigabitEthernet0/0/2 DESI FORWARDING NONE
12 GigabitEthernet0/0/3 DESI FORWARDING NONE
12 GigabitEthernet0/0/4 DESI FORWARDING NONE
34 GigabitEthernet0/0/2 DESI FORWARDING NONE
34 GigabitEthernet0/0/3 DESI FORWARDING NONE
34 GigabitEthernet0/0/4 DESI FORWARDING NONE

• MSTP faults may be caused by an incorrect domain name setting, incorrect binding between instances and VLANs, or incorrect binding between ports and VLANs. Check the MSTP configuration on SW4.

<SW4>display current-configuration | begin region-configuration
stp region-configuration
region-name TEST //The correct domain name is test, not TEST.
instance 12 vlan 12
instance 34 vlan 34
active region-configuration
#

• Correct the domain name on SW4. Ping 192.168.12.13 from PC1. Packet loss now occurs only now and then.

• A Layer 2 loop causes the following failures:
▫ An attempt to remotely log in to a device fails.
▫ An interface receives a large number of broadcast packets, which can be viewed in the display interface command output.
▫ An attempt to log in to a device through the serial port is time consuming.
▫ CPU usage exceeds 70%.
▫ High packet loss occurs when a ping command is used.
▫ The indicator of the VLAN interface on which the loop occurs blinks frequently.
▫ A PC receives a large number of broadcast packets.
▫ A loop alarm is generated if loop detection is configured on a switch.


PC1 and PC13 Cannot Communicate (6)
• Check whether the packet loss is caused by a loop. Check whether MAC address flapping detection is enabled on each involved switch and whether MAC address flapping is detected.

[SW3]display mac-address flapping
Mac-address Flapping Configurations :
-------------------------------------------------
Flapping detection : Enable
Aging time(sec) : 300
Quit-vlan Recover time(min) : 10
Exclude vlan-list : -
-------------------------------------------------
<SW3>display mac-address flapping record
Info: The mac-address flapping record does not exist.

• Observation over a period shows that the fault occurs during working hours. When the fault occurs, the MAC address table is checked and found to be unstable. Then check the STP statistics.

<SW3>display stp tc-bpdu statistics
-------------------------- STP TC/TCN information ---------------
MSTID Port TC(Send/Receive) TCN(Send/Receive)
12 GigabitEthernet0/0/1 13/56 -/-
12 GigabitEthernet0/0/3 22/18 -/-
12 GigabitEthernet0/0/4 29/66 -/-

• During working hours, a switch port frequently alternates between up and down and sends a large number of TC BPDUs. In this case, configure the switch port connected to the PC as an edge port.

• After receiving STP TC BPDUs, an STP-enabled switch clears its MAC address table and re-learns MAC addresses. During this period, data forwarding is interrupted briefly, causing packet loss.
PC1 and PC13 Cannot Communicate (7)
• Shut down SW3's GE 0/0/4. PC1 cannot ping PC13, and a large number of packets are discarded in a short period. After SW3 is restarted, the following alarm is generated on SW3:

<SW3>
ARP/4/ARP_DUPLICATE_IPADDR(l)[0]:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=192.168.12.254, InterfaceName=Vlanif12, MacAddress=0000-5e00-0101)

• The IP address is a virtual IP address, so VRRP may be defective. Obtain packet information on SW1's GE 0/0/10 and SW2's GE 0/0/3. In the original slide, the source MAC and IP addresses in the following dump are marked in bold.

[SW1]capture-packet interface GigabitEthernet 0/0/10 destination terminal
Packet: 6
-------------------------------------------------------
00 00 5e 00 01 03 54 89 98 1f 5a 8d 81 00 00 0c
08 00 45 00 00 3c 39 aa 40 00 80 01 11 b8 c0 a8
0c 01 c0 a8 22 0d 08 00 f9 d1 82 3b 0a 71 08 09
0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19
1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27
-------------------------------------------------------

• The capture-packet command obtains information from service packets that match a configured rule. The obtained information is saved in a local file.
▫ capture-packet { interface interface-type interface-number | acl acl-number } * [ vlan vlan-id | cvlan cvlan-id ] * destination terminal [ car cir car-value | time-out time-out-value | packet-num number | packet-len length ] *
▫ Information in packets on the management interface cannot be obtained.
▫ This command can only obtain information received by an interface, not information sent by an interface.
PC1 and PC13 Cannot Communicate (8)
• The destination MAC address is 00 00 5e 00 01 03. The VRRP ID is therefore 3, whereas it should have been 1 as planned. Check the VRRP status and configuration of SW3.

<SW3>display vrrp
Vlanif12 | Virtual Router 3
State : Master
Virtual IP : 192.168.12.254
Master IP : 192.168.12.3
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Virtual MAC : 0000-5e00-0103
<SW3>display current-configuration interface Vlanif 12
#
interface Vlanif12
ip address 192.168.12.3 255.255.255.0
vrrp vrid 3 virtual-ip 192.168.12.254

• According to the preceding analysis, a VRRP dual-master fault occurs because the VRID is incorrectly set. As a result, packet loss occurs during a VRRP switchover. Correct the configuration of SW3.
• Carry out the reliability test again. No packet loss occurs during the switchover, and the fault is rectified.

• The VRRP group numbers on SW3 and SW4 are different. After the VRRP group on SW3 detects a downlink fault, the VRRP status on SW4 does not change: SW4 remains in the Master state. In this situation, no gratuitous ARP message is sent, so the ARP entry on the terminal is not updated.
• The destination MAC address of data frames sent from PC1 to the gateway is still 00 00 5e 00 01 03.
• After the link between SW1 and SW3 is disconnected, SW1 cannot forward packets to SW2, because SW1 does not have a MAC address entry for 00 00 5e 00 01 03.
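The conclusion this slide draws by eye from the capture on the previous slide (destination MAC 00 00 5e 00 01 03, hence VRID 3) can be checked mechanically. The following Python is an added example, not part of the Huawei material: it decodes the capture-packet bytes (Ethernet II, 802.1Q tag, IPv4 header including its checksum, ICMP type) and derives the VRID from the destination MAC; the hex dump is copied from the slide, the planned VRID of 1 comes from the text, and everything else is constructed.

```python
"""Decode the capture-packet hex dump from the VRRP case and derive the
VRRP VRID from the destination MAC address.
Added example, not from the Huawei material: the frame bytes are copied
from the slide, everything else here is constructed."""
import ipaddress
import struct

# Packet 6 as printed by 'capture-packet interface GigabitEthernet 0/0/10
# destination terminal' on SW1 (copied from the slide).
CAPTURE_HEX = """
00 00 5e 00 01 03 54 89 98 1f 5a 8d 81 00 00 0c
08 00 45 00 00 3c 39 aa 40 00 80 01 11 b8 c0 a8
0c 01 c0 a8 22 0d 08 00 f9 d1 82 3b 0a 71 08 09
0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19
1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27
"""

VRRP_MAC_PREFIX = bytes.fromhex("00005e0001")  # RFC 3768: 00-00-5E-00-01-{VRID}
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the space-separated hex of a capture-packet dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def mac_str(raw: bytes) -> str:
    """Format six bytes the way VRP prints MACs, e.g. 0000-5e00-0103."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def vrrp_vrid(mac: bytes):
    """Return the VRID if this is a VRRP virtual MAC, otherwise None."""
    return mac[5] if mac[:5] == VRRP_MAC_PREFIX else None


def ipv4_header_checksum_ok(header: bytes) -> bool:
    """True when the one's-complement sum over the header folds to 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II (+ optional 802.1Q tag), the IPv4 header and,
    for ICMP, the message type."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if len(ip) != total_len:
        raise ValueError(f"IP total length {total_len} != {len(ip)} captured")
    info = {
        "dst_mac": mac_str(dst), "src_mac": mac_str(src), "vlan": vlan_id,
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8], "proto": ip[9],
        "ip_checksum_ok": ipv4_header_checksum_ok(ip[:ihl]),
        "vrrp_vrid": vrrp_vrid(dst),
    }
    if ip[9] == 1:  # ICMP: type 8 is echo request
        info["icmp_type"] = ip[ihl]
    return info


def check_gateway_frame(frame: bytes, planned_vrid: int) -> list:
    """Say why a frame sent to the gateway disagrees with the VRRP plan."""
    info = decode_frame(frame)
    findings = []
    if info["vrrp_vrid"] is None:
        findings.append(f"destination {info['dst_mac']} is not a VRRP virtual MAC")
    elif info["vrrp_vrid"] != planned_vrid:
        findings.append(f"frame addressed to VRID {info['vrrp_vrid']} "
                        f"({info['dst_mac']}); planned VRID is {planned_vrid}")
    if not info["ip_checksum_ok"]:
        findings.append("IPv4 header checksum is wrong")
    return findings


if __name__ == "__main__":
    frame = hexdump_to_bytes(CAPTURE_HEX)
    for key, value in decode_frame(frame).items():
        print(f"{key:15} {value}")
    for finding in check_gateway_frame(frame, planned_vrid=1):
        print("finding:", finding)
```

The decoded frame is PC1's ICMP echo request (192.168.12.1 to 192.168.34.13, VLAN 12) addressed to the virtual MAC of VRID 3, which is exactly the mismatch the slide identifies.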
Contents

1. Troubleshooting Data Communication Network Faults

2. Troubleshooting Common Network Faults
▫ LAN Faults
◼ Route Faults
▫ Service Faults
PC1 Cannot Use the FTP Service (1)
[Figure: simplified topology. PC1 - SW1 - SW3 - R1 - R2 - R3 - SW5 - SW6 - Server6; static routes on SW3 and SW5, OSPF between R1 and R2, IS-IS between R2 and R3, IBGP peers among R1, R2, and R3; the planned traffic path is marked.]
• In the preceding example, measures are taken to ensure that no fault occurs between PC1 and SW3 and between server 6 and SW5.
• As shown in the figure, possible causes for an FTP failure on PC1 are as follows:
▫ Physical link fault (done)
▫ Route faults
▪ Static route
▪ OSPF
▪ BGP
▪ IS-IS
▫ Traffic control fault
▫ Server fault (done)
• This section describes how to troubleshoot route faults.
PC1 Cannot Use the FTP Service (2)
• Data packets are forwarded hop by hop. All routing devices along a path must have routes to the destination. First, check whether routes destined for server 6 exist on all devices through which data packets sent from PC1 to server 6 pass.
• Check the static route configuration on SW3.
▫ When configuring a static route, specify only the outbound interface name for a P2P interface. For a broadcast interface, also specify a next-hop IP address.

<SW3>display ip routing-table protocol static
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 10.0.13.1 Vlanif13

• The command output indicates that the static route has been correctly configured on SW3.
PC1 Cannot Use the FTP Service (3)
• Check the routing table on R1.

<R1>display ip routing-table 192.168.56.0

• The command output shows that R1 does not have a route to 192.168.56.0. Check whether a BGP peer relationship is properly established between R1 and R2.

<R1>display bgp peer
BGP local router ID : 10.0.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 0
Peer AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.2.2 100 0 0 0 0:00:05 Idle 0

• The preceding command output shows that the BGP peer relationship fails to be established. Possible causes are as follows:
▫ The loopback0 interface of the remote device is unreachable.
▫ The AS number of the local or remote device is incorrect.
▫ The peer ebgp-max-hop command used to allow the establishment of an indirect EBGP peer relationship is not run.
▫ Router IDs on both ends are the same.
• According to the command output, the numbers of sent and received BGP packets are 0, indicating that the loopback0 interface on the remote device may be unreachable.
PC1 Cannot Use the FTP Service (4)
• On R1, check the route destined for the BGP peer.

<R1>display ip routing-table 10.0.2.2

• The command output shows that R1 does not have a route to 10.0.2.2. Check whether an OSPF neighbor relationship is properly established between R1 and R2.

<R1>display ospf peer
OSPF Process 1 with Router ID 10.0.1.1

• The preceding command output shows that the OSPF neighbor relationship fails to be established. Possible causes are as follows:
▫ Router IDs on both ends are the same.
▫ Area IDs do not match on both ends.
▫ Network masks do not match on both ends.
▫ MTUs do not match on both ends.
▫ On an MA network, DR priorities of all devices are set to 0.
▫ Authentication passwords do not match on both ends.
▫ An interface is configured as a silent interface.
▫ Time parameters do not match on both ends.
PC1 Cannot Use the FTP Service (5)
• Check OSPF error information on R1.

[R1]display ospf error
General packet errors:
0 : IP: received my own packet 0 : Bad packet
0 : Bad version 0 : Bad checksum
0 : Bad area id 0 : Drop on unnumbered interface
0 : Bad virtual link 0 : Bad authentication type
0 : Bad authentication key 0 : Packet too small
0 : Packet size > ip length 0 : Transmit error
0 : Interface down 0 : Unknown neighbor
0 : Bad net segment 0 : Extern option mismatch
133 : Router id confusion

• The preceding command output shows that a router ID conflict may be the reason the OSPF neighbor relationship cannot be established. To accurately locate the fault, enable OSPF debugging on R1.

<R1>terminal debugging
Info: Current terminal debugging is on.
<R1>debugging ospf packet interface GigabitEthernet 0/0/0
PC1 Cannot Use the FTP Service (6)
• Check the configuration of the local OSPF protocol.

<R1>display ospf interface GigabitEthernet 0/0/0 verbose
OSPF Process 1 with Router ID 10.0.1.1
Interface: 10.0.12.1 (GigabitEthernet0/0/0)
Cost: 1 State: DR Type: Broadcast MTU: 1500
Designated Router: 10.0.12.1
Backup Designated Router: 0.0.0.0
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
IO Statistics
Type Input Output
Hello 36 36

• Check the OSPF error information in the debugging output on R1.

: Source Address: 10.0.12.2
: Destination Address: 224.0.0.5
: Ver# 2, Type: 1 (Hello)
: Length: 44, Router: 10.0.1.1
: Area: 0.0.0.0, Chksum: db9c
: AuType: 00
: Key(ascii): * * * * * * * *
: Net Mask: 255.255.255.0
: Hello Int: 10, Option: _E_
: Rtr Priority: 1, Dead Int: 40

• After comparison, the Hello interval, network mask, and authentication information on one end are found to match those on the other end; only the router ID conflict remains.

• The debugging information on R1 shows that the OSPF router ID carried in the Hello packets sent from 10.0.12.2 is the same as the OSPF router ID on R1.
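The comparison described on this slide, run against the neighbor-failure checklist from "PC1 Cannot Use the FTP Service (4)", can be scripted. The following Python is an added example, not part of the Huawei material: it parses the verbose interface output and the debugging Hello dump shown above and names the checklist item that fails; the local area ID, network mask and AuType are constructed inputs because the verbose output on the slide does not carry them, and the display ospf error lines are copied from slide (5).

```python
"""Check an OSPF Hello from 'debugging ospf packet' against the local
interface parameters and name the checklist item that fails. Added example,
not from the Huawei material; text blocks are copied from the slides."""
import ipaddress
import re
from dataclasses import dataclass

# <R1>display ospf interface GigabitEthernet 0/0/0 verbose (from the slide)
LOCAL_VERBOSE = """\
OSPF Process 1 with Router ID 10.0.1.1
Interface: 10.0.12.1 (GigabitEthernet0/0/0)
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
"""
# Hello decoded by 'debugging ospf packet interface GigabitEthernet 0/0/0'
HELLO_DEBUG = """\
: Source Address: 10.0.12.2
: Ver# 2, Type: 1 (Hello)
: Length: 44, Router: 10.0.1.1
: Area: 0.0.0.0, Chksum: db9c
: AuType: 00
: Net Mask: 255.255.255.0
: Hello Int: 10, Option: _E_
: Rtr Priority: 1, Dead Int: 40
"""
# [R1]display ospf error, three of its lines (from the slide)
OSPF_ERRORS = """\
0 : IP: received my own packet 0 : Bad packet
0 : Packet size > ip length 0 : Transmit error
133 : Router id confusion
"""


@dataclass
class HelloParams:
    router_id: str
    area: str
    mask: str
    hello: int
    dead: int
    autype: int
    address: str  # interface address the Hello is sent from


def _grab(pattern: str, text: str) -> str:
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)


def parse_hello_debug(text: str) -> HelloParams:
    """Pull the adjacency-relevant fields out of the debugging dump."""
    return HelloParams(
        router_id=_grab(r"Router: ([\d.]+)", text),
        area=_grab(r"Area: ([\d.]+)", text),
        mask=_grab(r"Net Mask: ([\d.]+)", text),
        hello=int(_grab(r"Hello Int: (\d+)", text)),
        dead=int(_grab(r"Dead Int: (\d+)", text)),
        autype=int(_grab(r"AuType: (\d+)", text)),
        address=_grab(r"Source Address: ([\d.]+)", text),
    )


def parse_local_verbose(text: str, area: str, mask: str, autype: int) -> HelloParams:
    """Router ID, timers and address come from the verbose output; area,
    mask and AuType are passed in (constructed, not shown on the slide)."""
    return HelloParams(
        router_id=_grab(r"Router ID ([\d.]+)", text),
        area=area, mask=mask, autype=autype,
        hello=int(_grab(r"Hello (\d+)", text)),
        dead=int(_grab(r"Dead (\d+)", text)),
        address=_grab(r"Interface: ([\d.]+)", text),
    )


def adjacency_findings(local: HelloParams, remote: HelloParams) -> list:
    """Apply the neighbor-failure checklist from the slides to one Hello."""
    findings = []
    if remote.router_id == local.router_id:
        findings.append(f"router ID conflict: Hello from {remote.address} "
                        f"carries the local router ID {local.router_id}")
    if remote.area != local.area:
        findings.append(f"area ID mismatch: {remote.area} vs {local.area}")
    if remote.mask != local.mask:
        findings.append(f"network mask mismatch: {remote.mask} vs {local.mask}")
    if (remote.hello, remote.dead) != (local.hello, local.dead):
        findings.append("hello/dead timer mismatch")
    if remote.autype != local.autype:
        findings.append("authentication type mismatch")
    subnet = ipaddress.ip_interface(f"{local.address}/{local.mask}").network
    if ipaddress.ip_address(remote.address) not in subnet:
        findings.append(f"bad net segment: {remote.address} not in {subnet}")
    return findings


def nonzero_ospf_errors(text: str) -> dict:
    """Non-zero counters of 'display ospf error' as {name: count}; two
    counters share a line and a name may itself contain a colon."""
    pairs = re.findall(r"(\d+) : (.+?)(?=\s\d+ : |\s*$)", text, re.M)
    return {name.strip(): int(n) for n, name in pairs if int(n)}
```

On the slide's data the only finding is the router ID conflict, matching the single non-zero counter, Router id confusion, in the error statistics.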
PC1 Cannot Use the FTP Service (7)
• Log in to R2 and change the OSPF router ID. However, the attempt to use Telnet to log in to R2 fails.
• Common causes of Telnet login failures are as follows:
▫ A route is unavailable, and a TCP connection cannot be established between the client and server.
▫ Telnet is disabled on the server.
▫ The number of users logging in to a device reaches a specified upper limit.
▫ An ACL is bound to a VTY user interface.
▫ An access protocol configured in the VTY user interface view is incorrect. If the protocol inbound ssh command is used, the attempt to use Telnet for login fails.
• Log in to R2 through the console port and check whether Telnet is enabled.

[R2]display telnet server status
TELNET IPV4 server :Enable
TELNET IPV6 server :Enable
TELNET server port :23

• Check whether Telnet is allowed in the VTY view.

[R2-ui-vty0-4]display this
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh

• Modify the configuration of R2 to support Telnet in the VTY user interface view. The test result shows that the attempt to log in to R2 is successful.
PC1 Cannot Use the FTP Service (8)
• Change the OSPF router ID on R2, restart the OSPF process to make the router ID take effect, and check the OSPF neighbor relationship status.

<R2>display ospf peer
OSPF Process 1 with Router ID 10.0.12.2
Neighbors
Area 0.0.0.0 interface 10.0.12.2(GigabitEthernet0/0/0)'s neighbors
Router ID: 10.0.1.1 Address: 10.0.12.1
State: Full Mode:Nbr is Slave Priority: 1
DR: 10.0.12.2 BDR: 10.0.12.1 MTU: 0
Dead timer due in 35 sec
Retrans timer interval: 5
Neighbor is up for 00:09:17
Authentication Sequence: [ 0 ]

• Check whether the route to 10.0.2.2 exists on R1.

<R1>display ip routing-table 10.0.2.2
Route Flags: R - relay, D - download to fib
------------------------------------------------------------
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.2.2/32 OSPF 10 1 D 10.0.12.2 GE0/0/0
PC1 Cannot Use the FTP Service (9)
• Check the BGP peer relationship status on R1.

<R1>display bgp peer
BGP local router ID : 10.0.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer AS MsgRcvd MsgSent Up/Down State
10.0.2.2 100 25 26 0:19:22 Established

• Check whether the BGP routing table of R1 contains a route destined for 192.168.56.0/24.

<R1>display bgp routing-table
BGP Local router ID is 10.0.1.1
Total Number of Routes: 2
Network NextHop MED LocPrf Path/Ogn
*>192.168.12.0/24 0.0.0.0 0 0 ?

• R1 still does not have an available route. As R1 should have received the route from R3, check whether the route is imported into the BGP routing table on R3.

<R3>display bgp routing-table
BGP Local router ID is 10.0.3.3
Total Number of Routes: 1
Network NextHop MED LocPrf Path/Ogn
*> 192.168.56.0 0.0.0.0 0 0 ?

• On R3, the command output shows that the route to 192.168.56.0/24 has been imported into the BGP routing table.
PC1 Cannot Use the FTP Service (10)
• Check the BGP peer status on R3.

<R3>display bgp peer
BGP local router ID : 10.0.3.3
Local AS number : 100
Total number of peers : 1 Peers in established state : 0
Peer AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.0.2.2 100 0 0 0 0:00:05 Idle 0

• The BGP peer relationship is not established between R3 and R2. Check whether a route destined for 10.0.2.2/32 exists on R3.

<R3>display ip routing-table 10.0.2.2

• R3 does not have the route to 10.0.2.2/32. As IS-IS runs between R2 and R3, check whether an IS-IS neighbor relationship is properly established between R3 and R2.

<R3>display isis peer
Peer information for ISIS(1)
SystemId Interface CircuitId State Type PRI
0100.0000.2002 GE0/0/1 0100.0000.2002.01 Up L2 64

• Possible causes for the failure to establish an IS-IS neighbor relationship are as follows:
▫ Area IDs do not match on both ends. (The inconsistency adversely affects only level-1 neighbor relationships.)
▫ IS-IS levels do not match on both ends. (Note that on Huawei devices, if the system level differs from the interface circuit level, the system level takes effect.)
▫ Interface authentication settings do not match on both ends.
▫ System ID lengths do not match or a system ID conflict occurs.
▫ The IP addresses are on different network segments. (Source check is enabled for IS-IS on a broadcast network, and can be disabled.)
PC1 Cannot Use the FTP Service (11)
• The IS-IS neighbor relationship is properly established, but R3 cannot obtain the route to 10.0.2.2/32. Possible causes are as follows:
▫ IS-IS is not enabled on an interface.
▫ Cost styles do not match on both ends.
▫ A routing policy is configured on the device.
▫ Network types do not match on both ends.
• Check information about the IS-IS interfaces on R2.

<R2>display isis interface
Interface information for ISIS(1)
Interface Id IPV4.State MTU Type DIS
GE0/0/1 1 Up 1497 L1/L2 No/Yes
Loop0 1 Up 1500 L1/L2 --

• Check the IS-IS configuration on R2.

isis 1
is-level level-2
cost-style wide
network-entity 49.0001.0100.0000.2002.00
import-route ospf 1
PC1 Cannot Use the FTP Service (12)
• Check the IS-IS configuration on R3.

isis 1
is-level level-2
network-entity 49.0001.0100.0000.3003.00
#

• The preceding information shows that the cost style of R2 does not match that of R3. Change the cost style of R3 to wide. Then, check whether R3 has a route to 10.0.2.2/32.

<R3>display ip routing-table 10.0.2.2
Route Flags: R - relay, D - download to fib
--------------------------------------------------------------
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.2.2/32 ISIS-L2 15 10 D 10.0.23.2 GE0/0/1

• Check whether the BGP peer relationship on R3 is restored, and check the BGP routing table of R3.

<R3>display bgp peer
BGP local router ID : 10.0.23.3
Peer AS MsgRcvd MsgSent Up/Down State
10.0.2.2 100 8 7 0:04:42 Established
<R3>display bgp routing-table
Total Number of Routes: 2
Network NextHop MED LocPrf Path/Ogn
*>I 192.168.12.0 10.0.1.1 0 100 ?
*> 192.168.56.0 0.0.0.0 0 0 ?
PC1 Cannot Use the FTP Service (13)
• R3 has correctly advertised its routes and learned the route to 192.168.12.0/24. Check whether R1 has a route to 192.168.56.0/24.

<R1>display bgp routing-table
BGP Local router ID is 10.0.1.1
Network NextHop MED LocPrf Path/Ogn
*> 192.168.12.0 0.0.0.0 0 0 ?
i 192.168.56.0 10.0.3.3 0 100 ?

• R1 has received the BGP route from R3, but the route is unavailable (the entry lacks the * valid flag). The possible cause is that the next hop is unreachable. On R1, check whether there is a route to 10.0.3.3/32.

<R1>display ip routing-table 10.0.3.3

• The command output shows that the routing table of R1 does not contain the route to 10.0.3.3/32. This route should have been imported by R2 from IS-IS into OSPF. Possible causes are as follows:
▫ A routing policy is configured on R1.
▫ R2 does not import IS-IS routes into the OSPF routing table.
▫ Type 5 LSAs are filtered out in the outbound direction of R2's interface.
PC1 Cannot Use the FTP Service (14)
• Check the LSDB of R1.

<R1>display ospf lsdb
OSPF Process 1 with Router ID 10.0.1.1
Area: 0.0.0.0
Type LinkStateID AdvRouter Age Len Sequence Metric
Router 10.0.2.2 10.0.2.2 5 48 80000003 1
Router 10.0.1.1 10.0.1.1 3 48 8000000D 1
Network 10.0.12.1 10.0.1.1 3 32 80000002 0

• R1 does not have any Type 5 LSAs. Check whether R2 imports IS-IS routes into the OSPF routing table.

<R2>display current-configuration configuration ospf
#
ospf 1 router-id 10.0.2.2
area 0.0.0.0
network 10.0.2.2 0.0.0.0
network 10.0.12.2 0.0.0.0
#

• Modify the configuration of R2 to import IS-IS routes into the OSPF routing table, and then check the routing table of R1.

<R1>display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.3.3/32 O_ASE 150 1 D 10.0.12.2 GE0/0/0
192.168.56.0/24 IBGP 255 0 RD 10.0.3.3 GE0/0/0

• After the configuration of R2 is modified, the route to 10.0.3.3/32 is displayed on R1.
PC1 Cannot Use the FTP Service (15)
• Run the traceroute 192.168.56.6 command on PC1.

traceroute to 192.168.56.6, 8
1 192.168.12.3 63 ms 46 ms 47 ms
2 10.0.13.1 78 ms 63 ms 62 ms
3 10.0.12.2 94 ms 63 ms 78 ms
4 10.0.23.3 94 ms 62 ms 63 ms
5 * * *

• R3 does not respond to the received data packets. Enable traffic statistics collection on R3's GE 0/0/2 and check whether R3 sends the data packets through GE 0/0/2.

[R3]acl 3000
[R3-acl-adv-3000]rule 5 permit ip source 192.168.12.1 0 destination 192.168.56.6 0
[R3-acl-adv-3000]quit
[R3]traffic classifier trafficSta
[R3-classifier-trafficSta]if-match acl 3000
[R3-classifier-trafficSta]quit
[R3]traffic behavior trafficSta
[R3-behavior-trafficSta]statistic enable
[R3-behavior-trafficSta]quit
[R3]traffic policy trafficSta
[R3-trafficpolicy-trafficSta]classifier trafficSta behavior trafficSta
[R3-trafficpolicy-trafficSta]quit
[R3]interface GigabitEthernet0/0/2.35
[R3-GigabitEthernet0/0/2.35]traffic-policy trafficSta outbound

• After R1 learns the route, PC1 still cannot access the FTP service provided by server 6. In this case, run the traceroute command to check connectivity between R1 and server 6.
• Based on traffic statistics, the analysis is as follows:
▫ Check whether the traffic reaches the inbound interface of the device, to determine whether packet loss occurs on the upstream device.
▫ Check whether the traffic is forwarded to the outbound interface of the device, to determine whether packet loss occurs on the device.
▫ Check whether the Layer 2 and Layer 3 information of the traffic on the inbound interface is correct, to determine whether the upstream device forwards and encapsulates packets properly.
▫ Check whether the Layer 2 and Layer 3 information on the outbound interface is correct, to determine whether the device forwards and encapsulates packets properly.
▫ Check whether transient traffic flapping occurs due to MAC address flapping, route changes, or IP address conflicts.
• Procedure for configuring traffic statistics collection:
▫ Configure an ACL rule to match the traffic to be counted.
▫ Configure a traffic classifier.
▫ Configure a traffic behavior and enable traffic statistics collection in it.
▫ Configure a traffic policy, bind the traffic classifier and behavior to it, and apply the policy to the inbound direction of the switch to collect statistics on packets of different users.
PC1 Cannot Use the FTP Service (16)
• Check traffic statistics on R3. No packet loss occurs on R3.

<R3>display traffic policy statistics interface GigabitEthernet0/0/2.35 outbound
Interface:GigabitEthernet0/0/2.35
Traffic policy inbound: trafficSta
Rule number: 1
Current status: OK!
Item Sum(Packets/Bytes)
-----------------------------------------
Matched 50/400
Passed 50/400
Dropped 0/0

• Check the routing table of SW5 in the direction in which server 6 sends data packets.

[SW5]display ip routing-table
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.0.35.0/24 Direct 0 0 D 10.0.35.5 Vlanif35
192.168.56.0/24 Direct 0 0 D 192.168.56.5 Vlanif56

• SW5 does not have a static route to PC1. Configure a static route on SW5.
• Check whether PC1 and server 6 can communicate and use the FTP service properly.
• After the preceding operations are complete, the troubleshooting is complete.
PC1 Cannot Use the FTP Service Summary
• The following fault points are involved in the troubleshooting:
▫ Incorrect static route configuration
▫ Failure to establish an OSPF neighbor relationship
▫ Incorrect IS-IS route calculation
▫ Failure to establish a BGP peer relationship
▫ Incorrect BGP route selection
▫ Telnet login failure
• The following tools are used:
▫ Traffic statistics collection tool
▫ Tracert
Contents

1. Troubleshooting Data Communication Network Faults

2. Troubleshooting Common Network Faults
▫ LAN Faults
▫ Route Faults
◼ Service Faults
PC5 Cannot Communicate with Any Host (1)
⚫ Simplified topology: [Figure: R3 (DHCP server), SW5 (DHCP relay agent), SW6, PC5; interfaces GE0/0/2, GE0/0/4, and GE0/0/10 are marked.]
• PC5 cannot communicate with any host. The possible cause is that the physical link to PC5 is abnormal or that PC5's IP address is incorrect.
• Check the IP address of PC5. PC5 fails to obtain an IP address.

PC>ipconfig
IPv4 address 0.0.0.0
Subnet mask 0.0.0.0
Gateway 0.0.0.0
Physical address 54-89-98-39-22-B7
DNS server 0.0.0.0

• PC5 obtains an IP address using DHCP. The common causes of DHCP faults are as follows:
▫ The link between the client and server becomes faulty.
▫ The DHCP function is disabled on a device.
▫ The DHCP address allocation mode is not selected on a VLANIF interface.
▫ No IP address is available in an address pool.

• If the client and server are on different network segments and a relay agent is deployed between them:
▫ The link between the DHCP relay agent and server becomes faulty.
▫ The DHCP function is not enabled globally on a device. As a result, the DHCP function does not take effect.
▫ No DHCP server is specified on the DHCP relay agent.
▫ The DHCP relay agent and server cannot reach each other.

PC5 Cannot Communicate with Any Host (2)
• Check whether the physical link to PC5 is normal.
• Check whether a Layer 2 loop occurs on SW6, and check the VLAN configuration.

<SW6>display stp brief
MSTID Port Role STP State
0 GigabitEthernet0/0/4 ROOT FORWARDING
0 GigabitEthernet0/0/10 DESI FORWARDING
0 GigabitEthernet0/0/11 DESI FORWARDING
<SW6>display vlan
The total number of vlans is : 2
----------------------------------------------------------------
56 common TG:GE0/0/4(U) GE0/0/10(U) UT: GE0/0/11(U)

• The preceding information shows that the physical status of GE 0/0/10 is normal, but GE 0/0/10 is configured as a trunk interface. Modify the configuration on SW6 to make GE 0/0/10 an access interface and set its VLAN ID to 56.
• After the modification, check whether PC5 can properly obtain an IP address.

PC>ipconfig
IPv4 address 0.0.0.0
Subnet mask 0.0.0.0
Gateway 0.0.0.0
Physical address 54-89-98-39-22-B7
DNS server 0.0.0.0
PC5 Cannot Communicate with Any Host (3)
• SW5 is a DHCP relay agent. Query the global configuration of SW5.

<SW5>display current-configuration
dhcp enable
#
interface Vlanif35
ip address 10.0.35.5 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.0.35.3
#

• The DHCP service has been enabled on SW5 and the DHCP relay agent has been configured. However, when the packets sent by PC5 pass through SW6, SW6 adds the tag with VLAN ID 56 to them before forwarding them. The DHCP relay agent on SW5 is therefore configured on the wrong interface.
• Modify the configuration of SW5:

[SW5]interface Vlanif 56
[SW5-Vlanif56]dhcp select relay
[SW5-Vlanif56]dhcp relay server-ip 10.0.35.3

• After the modification, PC5 still cannot obtain an IP address.
PC5 Cannot Communicate with Any Host (4)
• Query the DHCP relay status of SW5.

[SW5]display dhcp relay statistics
The statistics of DHCP RELAY:
DHCP packets received from clients : 11
DHCP DISCOVER packets received : 11
DHCP REQUEST packets received : 0
DHCP RELEASE packets received : 0
DHCP INFORM packets received : 0
DHCP DECLINE packets received : 0
DHCP packets sent to clients : 0
DHCP packets received from servers : 0
DHCP packets sent to servers : 11

• SW5 has sent packets to the DHCP server but does not receive any responses.
• Check the DHCP server configuration on R3.

<R3>display current-configuration
dhcp enable
#
ip pool test
gateway-list 192.168.56.254
network 192.168.56.0 mask 255.255.255.0
excluded-ip-address 192.168.56.6
dns-list 192.168.1.1
#
interface GigabitEthernet0/0/2
dhcp select global
PC5 Cannot Communicate with Any Host (5)
• R3 and SW5 are connected through sub-interfaces. Therefore, enable the DHCP server service on the sub-interface instead of on the physical interface GE0/0/2.

[R3]interface GigabitEthernet 0/0/2.35
[R3-GigabitEthernet0/0/2.35]dhcp select global

• After the preceding configuration is complete on R3, check the status of the DHCP server on R3.

<R3>display dhcp server statistics
DHCP Server Statistics:
Client Request 2
Dhcp Discover 1
Dhcp Request 1
Server Reply 2
Dhcp Offer 1
Dhcp Ack 1
Bad Messages 0

• Check the IP address on PC5.

PC>ipconfig
IPv4 address 192.168.56.253
Subnet mask 255.255.255.0
Gateway 192.168.56.254
Physical address 54-89-98-39-22-B7
DNS server 192.168.1.1

• PC5 has obtained an IP address and can use it to communicate with all hosts. The troubleshooting is complete.
Quiz
1. (Multiple-answer question) Which of the following causes are possible for a failure to establish an OSPF neighbor relationship? ( )
A. Router ID conflict
B. Area ID inconsistency
C. Interface mask inconsistency
D. Process ID inconsistency
2. (True or false) If the level of an interface on an IS-IS router is different from the global router level, the level of the interface takes
effect. ( )
A. True
B. False
3. (Multiple-answer question) Which of the following faults may occur in case of a Layer 2 loop? ( )
A. An attempt to remotely log in to a device fails.
B. An interface receives a large number of broadcast packets, which can be viewed in the display interface command output.
C. An attempt to log in to a device through the serial port is time consuming.
D. CPU usage exceeds 70%.


Answers: 1. ABC  2. B  3. ABCD
Summary
⚫ The structured troubleshooting process involves fault report, fault confirmation, information collection, identification and analysis,
cause listing, assessment, step-by-step troubleshooting, fault resolving, and wrap-up work.

⚫ The purpose of troubleshooting is to restore the proper service running status. First, determine a service traffic path before
troubleshooting. The layered, comparison, block-based, segment-based, and replacement approaches are used.

⚫ On a LAN, the commonly used methods are to replace hardware to rectify link or device faults and to use STP to rectify LAN loops.

⚫ Network-layer faults are mainly caused by unavailable routes. This course describes the causes and troubleshooting procedures for
the failures to establish OSPF and IS-IS neighbor relationships and BGP peer relationships.

⚫ Troubleshooting personnel must have abundant knowledge and be skilled in using multiple troubleshooting approaches.
Summarizing troubleshooting experience also matters.
Thank you.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
• The optical distribution frame (ODF) is mainly used on backbone networks, metropolitan area networks (MANs), and optical fiber and cable networks. It connects, terminates, distributes, splits, and schedules backbone optical cables.
• Time arrangement preparation:
  ▫ Negotiate the time arrangement with the customer and obtain the customer's approval.
  ▫ Make an overall time schedule.
  ▫ Specify the actions to be performed in each time segment.
  ▫ In the migration phase, the time arrangement should be accurate to the minute.
  ▫ Reserve some time for major operations to avoid engineering accidents due to timeout.
  ▫ Do not perform migration in peak hours (such as holidays and off-duty time).
• Type A service: service demanding low latency and bandwidth. These services are carried over leased lines.
• Type B service: service that has low requirements on the latency but occupies much bandwidth. These services are carried over IPsec VPNs.
• Static return routes are manually specified for the headquarters, and NQA is used to switch services to the standby path upon faults. This case focuses on the branch network and does not involve the headquarters network.
1. We can set up a local pilot office and simulate the customer's network to verify the feasibility of the entire migration solution.
2. The configuration of the live network needs to be backed up. To verify the network status before and after the migration, collect dynamic data of the live network, including the port status, traffic, status of each routing protocol, number of routes, STP status, and ARP/MAC address entries of each port.
Enterprise Network Introduction
Foreword
⚫ Nowadays, data has become a new production factor and important asset of enterprises.
Enterprise networks, as the infrastructure, promote the efficient transmission of various data
and accelerate the digital transformation of thousands of industries.
⚫ Enterprise networks are classified into campus networks, wide area networks (WANs), and
data center networks (DCNs). The three types of networks are used to meet different
service requirements and have different network architectures.
⚫ This course introduces the general enterprise network architecture, enterprise networks in
typical industries, and Huawei enterprise network solutions for specific scenarios.

Objectives
⚫ On completion of this course, you will be able to:
   Understand the overall architecture of enterprise networks.
   Understand the typical enterprise network architectures of different industries.
   Understand the relationship between Huawei datacom certification and enterprise networks.
   Understand Huawei enterprise network solutions.
Contents
1. Enterprise Network Overview
2. Trends and Challenges of Enterprise Networks
3. Huawei Enterprise Network Solutions
“Power Grid” in the Digital World: Data Communication Network
⚫ The symbol of industrialization is "electricity", transmitting electricity through the power grid.
⚫ The symbol of digitalization is "cloudification", transmitting computing power through the cloud network.

[Figure: analogy between the power system and the digital world. The power generation system (wind power, hydro power, coal power) corresponds to the data center (e-Government cloud, public cloud, private cloud); the power grid corresponds to the data communication network; the power consumption end (manufacturing, transportation, public services) corresponds to the terminal (office, production, home; enterprise, individual).]
Enterprise Networks in the Digital Society
After more than 30 years of development, networks have laid a solid foundation for the intelligent society. With the acceleration of enterprise digitalization, enterprise networks need to carry more and more key services, playing an important role in the digitalization process.

[Figure: enterprise network components. Campus network (online meeting, office, manufacturing), WAN (Internet, private line), and DCN (computing, storage), with O&M and security spanning them, plus other enterprise or personal networks.]
Enterprise Campus Network Overview
A campus network is used to implement terminal access in a small range and interworking within an enterprise. Campus networks can be classified into small, midsize, and large ones based on the number of terminal users or NEs. A typical large campus network consists of the following modules:
• Egress zone: the border between the campus internal network and external network. It is used for internal users to access the public network and for external users to remotely access the internal network.
• Core layer: the core of campus data switching that connects all components of the campus network, such as the DC, management and O&M zone, and campus egress.
• Aggregation layer: forwards horizontal traffic between users and vertical traffic to the core layer. The aggregation layer can function as the switching core of a department or area and can connect more terminals to the network.
• Access layer: provides various access modes for users and is the first network layer to which terminals connect.
• Terminal layer: involves various terminals that access the campus network, such as PCs, printers, IP phones, mobile phones, and cameras.
• DC: deploys servers and application systems to provide data and application services for internal and external users of an enterprise.
• Management and O&M zone: deploys the network management system (such as the NMS and authentication server) and O&M system.

[Figure: typical large campus network. Internet and WAN; egress zone; management and O&M zone and DC attached to the core layer; core layer; aggregation layer; access layer; terminal layer; iStack/CSS links.]
Enterprise WAN Overview
• An enterprise WAN connects the enterprise headquarters, branches, and data center for interconnection.
• By user, enterprise WANs can be classified into self-built for internal use and self-built for external use.
  ▫ Self-built, for internal use: To meet the interconnection requirements of the headquarters, branches, and data centers in a large span, various industries such as large enterprise, government, finance, and electric power need to build their own WANs.
  ▫ Self-built, for external use: Carriers build WANs to provide WAN connection services for enterprises, including the Internet, MPLS private lines, and transmission private lines.
• Generally, a WAN uses a hierarchical structure. For example, a WAN can be divided into the county-level MAN, municipal MAN, provincial core network, and backbone network. MANs at different levels provide access for networks in the current area and connect to the upper-level MAN or backbone network through the core network.

[Figure: hierarchical WAN consisting of the WAN backbone network, provincial core, municipal core, district/county core, and county-level MAN. Such WANs are used in the government, finance, electric power, railway, and civil aviation industries.]
Enterprise DCN Overview
• A DCN connects general-purpose computing, storage, and high-performance computing resources, carries communication between internal resources of the DC, and implements communication between the DC and external networks.
• A mainstream DCN uses the spine-leaf architecture. Switches are connected through Layer 3 interfaces, and the underlay network runs a dynamic routing protocol. Traffic can be load balanced between spine and leaf nodes through equal-cost multi-path routing (ECMP), implementing a DCN that features high bandwidth, non-blocking forwarding, and fast network convergence upon faults.
• To isolate services and tenants, VXLAN and EVPN technologies are deployed in DCs to build virtualized networks.

[Figure: example DCN zoning. WAN access zone, campus access zone, Internet access zone, and extranet access zone; production extranet core, non-production extranet core, and switching core; management and O&M zone; production environment zones 1 and 2 and test environment zones 1 and 2, each built from border-leaf, spine, and leaf nodes with VXLAN, an FW domain, and VTEPs.]

• DCNs do not have a fixed zone division mode. Different industries and enterprises have different area division modes.
• The zone division in the slide uses the financial industry as an example:
  ▫ WAN access zone: connects to the WAN built by the enterprise.
  ▫ Campus access zone: accesses traffic from enterprise campus users.
  ▫ Extranet access zone: connects to external networks, such as networks of other enterprises and partners.
  ▫ Internet access zone: accesses user traffic from the Internet.
  ▫ Production environment zone: runs services.
  ▫ Test environment zone: provides services for external systems informally. Before a service is brought online to the production environment zone, the service is developed, tested, and verified in the test environment zone.
Network Security Overview
• To improve efficiency and productivity, enterprises need more open ICT systems to support sharing and collaboration, which also causes security vulnerabilities and information leakage risks.
• An enterprise network can use multiple methods to ensure its security. Common network security devices include anti-distributed denial of service (anti-DDoS) devices, HiSec Insight (security situational awareness system), and firewall, of which the firewall is the most common network security device. A firewall provides security features such as access control, identity authentication, data encryption, VPN technology, and NAT. Users can configure complex security policies based on their network environments to prevent unauthorized access and protect their networks.

[Figure: enterprise network security deployment. Internet; network egress with anti-DDoS, IPS, firewall, flow probe, and WAF; DMZ; data center with production environment 1, production environment 2, test environment 2, firewall, and sandbox; campus access with host antivirus software and NAC for administration, R&D, marketing, and guest users; O&M management area with log auditing, O&M auditing, and the SecoManager security controller.]

• Different network security solutions can be used to cope with different network security problems.
  ▫ Deploying firewalls in the server area of a data center: implements security isolation, access control, and intrusion prevention between servers and VMs in the data center.
  ▫ Deploying Web Application Firewalls (WAFs) in the server area of a data center: protects website servers and prevents website text and images from being tampered with.
  ▫ Deploying anti-DDoS abnormal traffic detecting and cleaning devices: mitigates various DDoS attacks from the Internet.
  ▫ Deploying egress firewalls: performs security protection, such as NAT, application protocol identification and control, security isolation, and access control, to prevent unauthorized access.
  ▫ Implementing O&M auditing in the management area: centrally manages and controls accounts, authentication, authorization, and audit of various IT resources such as core service systems, hosts, databases, and network devices to comply with related laws and standards and implement unified access management and O&M audit of core resources.
  ▫ Deploying Network Admission Control (NAC) for campus network access: performs authentication, authorization, and accounting (online behavior recording) on users who access the network, preventing unauthorized users from accessing core assets.
  ▫ Deploying HiSec Insight to work with multiple devices such as network devices, security devices, and flow probe devices: implements multi-dimensional closed-loop threat handling and prevents the threat scope from being expanded.
• For more information about network security, see the Huawei Security certification series.
Typical Enterprise Network: Education Industry
• Take the campus network of a university in China as an example.
• The campus network is a computer network that provides teaching, scientific research, and comprehensive information services for teachers and students (including their family members and visitors).
• The higher education campus network refers to the campus network of higher education institutions.
• The higher education campus network is generally divided into dormitories, living areas, teaching areas, and public areas. It provides wired and wireless network access services to help the campus enter the digital era and improve talent cultivation and innovation capabilities.

[Figure: university campus network. Main campus and branch campus connected through a private line or VPN link, with the main campus attached to the Internet and CERNET; school campus DC and school campus network management center; applications such as the digital library, distance education, mobile learning, and virtual experiments; sites such as the lecture hall, multimedia classroom, library, teaching building, and dormitory.]

• China Education and Research Network (CERNET): a nationwide education and research computer network that is funded by the Chinese government and directly managed by the Chinese Ministry of Education. It is constructed and operated by Tsinghua University and the other leading Chinese universities.
Typical Enterprise Network: Financial Industry
• To meet their own business development and operation management requirements, financial enterprises generally build their own backbone networks across the country to support the development of enterprise informatization and core services.
• The DC and its branches are connected through the backbone network. Network services are mainly centralized in the DC. Users are widely distributed inside and outside the banks. Branches access the DC of the head office through the backbone network.

[Figure: financial backbone network of P nodes connecting DC A, DC B, and DC N with level-1 branches, level-2 branches, and sub-branches.]
Typical Enterprise Network: Transportation Industry
• The railway system in China is used as an example.
• In the railway system, the network provides unified transmission services for signaling, dispatching, ticketing, integrated services, and GSM-R services.
• The railway data communications network uses a two-layer architecture:
  ▫ A backbone network consisting of multiple high-performance core routers located at regional nodes and railway bureaus.
  ▫ A regional network set by each railway bureau. The regional network is connected to the backbone network through the backbone network's regional node of the local railway bureau to implement communication between railway bureaus.
• As an independent autonomous system, the backbone network forwards traffic between the head office and railway bureaus and between railway bureaus.
• Each railway bureau is configured with a backbone network access node and multiple backbone network forwarding nodes. The head office node functions as the service aggregation node of the entire railway system and does not forward traffic.

[Figure: railway data communications network. Backbone network with the head office node and regional nodes 1 to N; regional network with core, aggregation, and access nodes serving the ticket hall, video conferencing, OA, PIS, CTC/RBC/TCC, and GSM-R/wireless services.]

• Generally, the regional nodes of the backbone network are deployed in the equipment rooms of each railway bureau.
• GSM-R: Global System for Mobile Communications - Railway
• CTC: Centralized Traffic Control
• RBC: Radio Block Center
• PIS: Passenger Information System
• TCC: Track Communications Center
Typical Enterprise Network: Electric Power Industry
• The electric power industry in China is used as an example.
• The electric power industry network is divided into two independent networks based on the carried services: the dispatching network and the integrated data network.
• The dispatching network, as one of the core networks for electric power informatization, mainly carries power-related service control systems.
• The integrated data network carries applications such as OA, production management, lightning weather information, and remote monitoring of unmanned substations. It is physically independent of and parallel with the power dispatching network.
• The integrated data network adopts a multi-level architecture, including the national backbone network, provincial integrated data network, and municipal integrated data network. The national backbone network is divided into the core layer (consisting of multiple core nodes deployed in the country) and the backbone layer (consisting of backbone nodes distributed in provincial companies in the country).
• The data networks of provincial companies and branches are connected to the provincial border nodes of the backbone network to implement communication between provincial networks.

[Figure: integrated data network. Core layer of P nodes at DR centers; backbone layer of P nodes; provincial border PE; provincial DC PE; provincial access network and municipal access network with CE devices serving provincial companies, subordinate organizations, municipal companies, county access networks, MANs of municipal companies, and so on.]
Huawei Datacom Certification and Enterprise Network
Capability convergence:
• HCIE-Datacom
Scenario-based network planning, construction, maintenance, and optimization capabilities:
• HCIP-Datacom-Campus Network Planning and Deployment
• HCIP-Datacom-SD-WAN Planning and Deployment
• HCIP-Datacom-WAN Planning and Deployment
• HCIP-Datacom-Enterprise Network Solution Design
Advanced datacom capabilities:
• HCIP-Datacom-Advanced Routing Switching Technology
• HCIP-Datacom-Network Automation Developer
Basic datacom capabilities:
• HCIA-Datacom
• HCIP-Datacom-Core Technology
Contents
1. Enterprise Network Overview
2. Trends and Challenges of Enterprise Networks
3. Huawei Enterprise Network Solutions
Industry Digital Transformation, Improving Production Efficiency and Customer Satisfaction
Digital OA: all-wireless access, OA anytime and anywhere, one-click conference scheduling using an app, and automatic adjustment of lighting and temperature.
Source: According to Worldwide Digital Transformation 2019 Predictions released by IDC, "at least 55% of organizations will be digitally determined by 2020."
Digital education: change from rote cramming to immersion, high-quality teaching resources on demand, and real-world teaching.
Source: Gartner's 2019 CIO Agenda: Higher Education Industry Insights reveals that 86% of higher education CIOs would regard IT as a key factor in enabling education business transformation.
Digital manufacturing: always-online mass terminals/sensors, real-time production data collection, and automatic and precise control.
Source: IDC's 2018 manufacturing industry survey results show that 84.9% of manufacturing enterprises are undergoing digital transformation, driving business model innovations and reshaping the business ecosystem.
In the Digital Era, How Do Campus Networks Support Digital Transformation Across Industries?
Ubiquitous connectivity
• Access anytime, anywhere
• High-quality service transport
On-demand services
• Quick service deployment and adjustment
• Rapid rollout of value-added applications
Perceptible experience
• Accurate measurement and evaluation of user experience
• AI-powered automatic adjustment of resource allocation
Easy O&M
• Service-based configuration delivery
• Quick and accurate fault locating
Service Requirements and Challenges of Large- and Medium-Sized Campus Networks
Converged transport
Requirements: Access terminals and services are diversified, and a converged transport network is required.
Challenges:
• Wi-Fi and IoT services are independently planned, deployed, and managed. The overall network construction cost is high.
• The workload of network management and O&M is heavy.
User experience awareness
Requirements: Network O&M needs to be automated and intelligent to perceive user experience anytime and anywhere.
Challenges:
• Service faults cannot be detected in a timely manner.
• After a fault occurs, the fault cause is determined based on the O&M experience of professional personnel, and the fault cannot be quickly located.
• The network cannot be automatically optimized.
Network automation
Requirements: Networks need to be automated to cope with the complexity of deployment and policies caused by the surge of applications and services.
Challenges:
• The workload is repetitive and heavy, and manual configuration is complex.
• New services need to be configured on devices one by one, which is time-consuming and costly.
• The workload of network policy deployment and adjustment is heavy.
Service Requirements and Challenges of Small- and Medium-Sized Campus Networks
Plug-and-play network devices, improving deployment efficiency (unified management and centralized configuration on the cloud)
• The network configurations of multiple sites are centrally delivered, reducing onsite configuration and commissioning workload and improving deployment efficiency.
• The network is plug-and-play and able to be expanded on demand, requiring low costs for upgrades.
Centralized O&M on the cloud, simplifying O&M of multiple sites (centralized management of multiple branches and remote automatic O&M)
• Scattered campus branch networks are centrally managed on the cloud through the Internet, and automation tools for troubleshooting, monitoring, and other management operations are integrated, implementing remote automated O&M.
Open APIs, accelerating integration of business applications (open and big data analytics capability)
• With open APIs and big data analytics capabilities, multiple management systems can be combined and interconnected to achieve unified network management. More value-added applications are available, leading enterprises into digital transformation.

[Figure: a cloud management platform managing the network devices of site networks 1, 2, and N, with plug-and-play, on-demand expansion of sites.]
Development of Enterprise SD-WAN Technologies
Migration of enterprise services to the cloud
• Enterprise services are migrated to the cloud, and enterprise egress traffic increases sharply.
[Figure: proportion of egress traffic to total traffic on the enterprise network, rising from 20% in 2016 to 80% in 2020 (source: IDC); drivers are intelligence, cloudification, video, and mobility.]
Emergence of Software Defined Networking (SDN)
• Unified management and centralized configuration.
• SDN introduces a new role, that is, the centralized controller, so that it can not only understand the network requirements proposed by the administrator, but also fully manage and configure the physical network, implementing automatic deployment and fast provisioning of applications on the network.
High-speed development of the Internet
• Rapidly narrowing gap between the quality of the Internet and traditional private lines.
[Figure: quality of traditional carrier private lines/MPLS compared with the Internet.]
• The coverage and network performance of the Internet are continuously improving, and the gap between the quality of the Internet and traditional private lines is narrowing rapidly. As such, more and more enterprises and organizations are using the Internet for interconnection.
Service Requirements and Challenges of Multi-Campus Network Interconnection
Branch interconnection cost
Requirements: The cost of WAN interconnection between branches needs to be reduced.
Challenges: Carriers' transmission private lines or MPLS VPN private lines are of high quality but expensive.
Service provisioning period
Requirements: The network deployment efficiency needs to be improved and the service provisioning period needs to be shortened.
Challenges:
• It takes a long time to provision traditional private lines.
• Service provisioning is mainly performed by network engineers on site, which has high skill requirements and low efficiency.
Service experience
Requirements: The application identification capability needs to be enhanced to ensure key service experience.
Challenges:
• Different enterprise applications have different requirements on link quality.
• Traditional private lines cannot detect the application status and cannot guarantee key services at any time.
Management and O&M
Requirements: Visualized O&M is required to simplify management and O&M.
Challenges:
• CLI-based O&M is inefficient and lacks visualized O&M methods.
• If an enterprise has a large number of branches, onsite O&M will increase costs.
Unified management
Requirements: LAN-side and WAN-side services need to be managed in a unified manner.
Challenges:
• Unified configuration management and O&M cannot be implemented.
Cloud + Intelligence, Accelerating HPC
• Weather forecast accuracy: 21.8% -> 90%
• Gene sequencing duration: 13 years -> 1 day
• New drug R&D and identification: 500 days -> 100 days
• Supercomputing, the core of high-performance computing (HPC), provides the computing power needed to drive development of the digital economy and plays a key role in numerous scientific and technological fields.
• Speed is still the primary factor in supercomputing realizing faster and more accurate computing and simulation. This is where cloud and intelligence come in. In addition, the supercomputing of cloudification and artificial intelligence is gradually integrated, which poses higher requirements on the DCN that carries supercomputing services.

[Figure: a supercomputing center serving weather forecast, life science, and drug R&D, combining cloud computing, high-performance computing, and intelligence. Network requirements: cloud-network synergy, fast deployment, high-speed interconnection, zero delay, and low packet loss rate.]
Three IT Transformations, Driving Full-Ethernet Evolution of DCNs
[Table: AS-IS versus TO-BE]
• IT architecture: centralized -> distributed; server scale 100x; Ethernet interconnection.
• Computing unit: PCIe is removed; CPU/GPU performance 100x; PCIe -> IB or Ethernet; Ethernet interconnection.
• Storage media: HDD -> SSD (all-flash storage); capacity 1000x; SCSI and FC (32G) -> NVMe and RoCE (400G); Ethernet interconnection.
• With the development of enterprise digital transformation, data has become a key production factor. DCs are responsible for data computing, storage, and forwarding, and are the most critical digital infrastructure in the new infrastructure. The IT architecture, computing, and storage of DCs are undergoing significant changes, driving DCNs to evolve from the multi-protocol mode to the full-Ethernet mode.

• InfiniBand (IB): an input/output (I/O) switching technology that uses a central InfiniBand switch to establish a single link between remote storage devices, networks, and servers as well as to direct traffic. It has a compact structure, greatly improving system performance, reliability, and effectiveness, and relieving data traffic congestion between hardware devices.
• Remote Direct Memory Access over Converged Ethernet (RoCE): a network protocol that allows remote direct memory access (RDMA) over the Ethernet. There are two RoCE versions: RoCEv1 and RoCEv2. RoCEv1 is a data link layer protocol that allows any two hosts in the same Ethernet broadcast domain to communicate with each other. RoCEv2 is a network layer protocol and its packets can be routed.
Three Challenges Facing DCN Full-Ethernet Evolution
Zero packet loss required for high-performance computing
[Figure: packet loss rate growing from 0.02% to 0.15% to 0.2–0.3% as the number of nodes increases.]
• The packet loss rate increases exponentially with the increase of network nodes on traditional Ethernet.
Zero packet loss required for dual-active storage
[Figure: DC A and DC B more than 70 km apart.]
• The delay increases in intra-city (long distance) transmission, and it is difficult to perform flow control across DCNs on traditional Ethernet.
More complex for large-scale network O&M
[Figure: 1000 nodes, million-level configuration.]
• Traditional Ethernet lacks effective O&M methods, and the network is too complex to be handled manually.
5G + Cloud, Increasingly Complex WAN Transport Services
• With the advent of the 5G and cloud era, various innovative services such as VR/AR, live streaming, and autonomous driving are emerging. The traffic on the entire network increases explosively, and the dynamic complexity of services also increases the complexity of the entire network.

[Figure: 4K and other services carried across the WAN, MANs at all levels, and the enterprise campus, DC, and branch.]
Service Requirements and Challenges Facing the WAN
Slow service provisioning (service requirements such as L3VPN and L2VPN)
• The network passively adapts to various new services, such as enterprise private line services. Service provisioning is time-consuming and customer response is slow.
High SLA requirements (failover time < 1s)
• With the development of new services such as enterprise application migration to the cloud, network traffic in carriers' pipes is more dynamic and unpredictable. Traditional network planning and optimization have poor adaptability, and service SLA assurance faces great challenges.
Complex O&M (network policy)
• As the network scale and complexity increase, the O&M complexity also increases. Carriers urgently need to deploy automation measures to reduce the skill requirements for O&M personnel and effectively control the OPEX in the long term.

• Service Level Agreement (SLA): an agreement between a service provider and a user. The SLA defines the service type and quality provided by the service provider for the user, and the commitment to the performance and reliability of the user assurance service. For example, the SLA ensures that the service reliability is higher than 99.99% and that the fault response time is within 30 minutes.
• Operating Expense (OPEX): the sum of the maintenance cost, marketing expense, labor cost, and depreciation expense during the enterprise operations.
Contents
1. Enterprise Network Overview
2. Trends and Challenges of Enterprise Networks
3. Huawei Enterprise Network Solutions
Huawei Intelligent Cloud-Network Solution

⚫ Hyper-converged DCN (CloudFabric 3.0): intra-cloud interconnection; all-Ethernet-based high-performance computing (HPC) and storage; general computing, storage, and HPC on one network.
⚫ CloudWAN (CloudWAN 3.0): inter-cloud interconnection; flexible migration to the cloud; SLA experience assurance; cloud-network-security collaboration.
⚫ CloudCampus (CloudCampus 3.0): cloud access through AR, switch, and AP; all-wireless campus; high-quality experience.
⚫ Network security (HiSec).

Four Engines + Platform for Manager, Controller, and Analyzer Convergence

⚫ iMaster NCE: management, control, and analysis convergence platform.
⚫ AirEngine: WLAN.
⚫ CloudEngine: switch.
⚫ NetEngine: router.
⚫ HiSecEngine: network security.



Huawei CloudCampus Solution: CloudCampus 3.0

Network-wide automation | AI-powered intelligent O&M

⚫ Intelligent O&M: iMaster NCE-CampusInsight supports user experience visualization. LAN/WAN wired intelligent O&M enables fault locating within minutes.
⚫ Cloud management (public/private cloud): iMaster NCE supports auto scaling and can manage up to 200,000 NEs concurrently. A single controller supports end-to-end SDN automation for the WAN, LAN, and WLAN.
⚫ One global network (SD-WAN between HQ and branches): SD-WAN intelligent traffic steering technology, improving link utilization. SRv6 technology, one-hop connection to the cloud.
⚫ All-wireless networking, with the wired network as a supplement: The AirEngine 8760 supports 16T16R, with no coverage holes and no frame freezing. The PCC optical/electrical hybrid cable provides ultra-high bandwidth.


• In the campus network scenario, iMaster NCE-Campus is used as the iMaster NCE
controller.

Huawei Hyper-Converged DCN Solution: CloudFabric 3.0

⚫ Network-wide intelligent O&M: complaints reduced by 75%.
⚫ Full-lifecycle automation: TTM reduced by 90%.
⚫ Active-active all-Ethernet storage network: cross-DC links reduced by 90%.
⚫ All-Ethernet HPC network: unleashes 100% of computing power.

(Figure: a multi-cloud layer on top; manager, controller, and analyzer providing automation and intelligence; a hyper-converged DCN carrying general computing, storage, and HPC.)


• In the data center scenario, iMaster NCE-Fabric is used as the iMaster NCE
controller.

Huawei CloudWAN Solution: CloudWAN 3.0

⚫ Network as a service: network as a service, one-stop provisioning of cloud-network products; OSS and BSS streamlining, easy to integrate.
⚫ Flexible multi-cloud connection: pre-connection to multiple clouds; end-to-end SRv6, access to the cloud upon network access.
⚫ Deterministic experience: slices for deterministic SLAs; one network for multiple industries with secure isolation.
⚫ Cloud-network-security collaboration: four-dimensional integrated security protection; AI-powered threat correlation detection.

(Figure: integrated cloud-network-security operations on top of the Qiankun security cloud service platform, cloud management, and cloud-network management and control; an intelligent MAN and intelligent cloud backbone serving government, education, healthcare, and manufacturing. The three slogans read "Added" for "connectivity", "Adjusted" for "quality", and "Born" for "cloud".)


• In this scenario, iMaster NCE-IP is used as the iMaster NCE controller.


What Is iMaster NCE?

iMaster NCE is a network automation platform that integrates management, control, analysis, and AI capabilities. It converges the network management system, the controller, and the analyzer into an autonomous driving network system that is automated and intelligent across plan + construct, manage + control + analyze, and maintain + optimize. Its capabilities include:

⚫ SDN-based automatic service configuration/deployment.
⚫ Unified database with centralized detection and locating.
⚫ Full lifecycle management: simulation/verification/monitoring/optimization.
⚫ AI-powered intelligent analysis/prediction/troubleshooting.

All-New iMaster NCE

⚫ DC: iMaster NCE-Fabric
⚫ Enterprise campus: iMaster NCE-Campus
⚫ SD-WAN: iMaster NCE-WAN
⚫ IP WAN: iMaster NCE-IP
⚫ WAN transmission: iMaster NCE-T

Quiz

1. (Multiple-answer question) Which of the following controllers have the SD-WAN feature? ( )
A. iMaster NCE-Campus
B. iMaster NCE-WAN
C. iMaster NCE-IP
D. iMaster NCE-SD-WAN


1. AB
Summary

⚫ This course briefly introduces the overall enterprise network architecture and the
campus networks, DCNs, and WANs in different scenarios.
⚫ With the continuous development of services and new technologies, enterprise networks are facing great challenges. Therefore, Huawei provides corresponding solutions for networks in different scenarios. These topics will be described in more detail in subsequent courses.

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Enterprise Campus Network Overview
Foreword

⚫ Campuses are everywhere in our cities. Some examples of campuses include factories,
government buildings and facilities, shopping malls, office buildings, school campuses, and
parks. According to statistics, 90% of urban residents work and live in campuses, 80% of
gross domestic product (GDP) is created in campuses, and each person stays in campuses
for 18 hours every day. Campus networks, as the infrastructure for campuses to connect to
the digital world, are an indispensable part of campus construction and play an increasingly
important role in daily working, R&D, production, and operation management.
⚫ This course describes campus networks, common architectures and technologies of campus
networks, and typical applications of these technologies. This information helps readers
better understand the campus network design.

Objectives

⚫ On completion of this course, you will be able to:
 Describe what a campus network is like.
 Describe the typical architecture of a campus network.
 Describe the trends and challenges of campus networks.
 Describe Huawei CloudCampus Solution.
 Understand common technologies used on campus networks.
 Understand typical applications of campus network technologies.

Contents

1. Introduction to Campus Networks

2. Campus Network Challenges and Huawei CloudCampus Solution

3. Typical Campus Network Technologies

4. Typical Applications of Campus Network Technologies

Campuses Are Everywhere

⚫ 90%+ of city residents work and live in campuses.
⚫ 80%+ of GDP is created in campuses.
⚫ 5 h & 22 h: time spent using smart terminals and staying in the campus every day, respectively.
⚫ 90%+ of innovations are made in campuses.

Overview of a Campus Network

⚫ A campus network generally refers to the internal network of an enterprise or organization, which is connected to the wide area network (WAN) and data center network.
⚫ A campus network is built to ensure that key enterprise services run more efficiently.
⚫ Campus networks can be classified into large- and medium-sized campus networks and small- and medium-sized campus networks by scale.
⚫ Some enterprises have branches dispersed in different geographical locations. Each branch network can be considered as a single campus network.

Campus Network Classification (1)

Classified by the number of terminals or NEs (scale):
⚫ Large campus network: number of terminals > 2000; number of NEs > 100.
⚫ Midsize campus network: number of terminals 200–2000; number of NEs 25–100.
⚫ Small campus network: number of terminals < 200; number of NEs < 25.

Classified by served objects of campus networks:
⚫ Closed campus network: users are internal personnel only; security requirements are network access control and external threat defense.
⚫ Open campus network: users include external personnel, such as the public; security requirements include access control, identity identification, behavior control, security protection, etc.

Networks of different scales have different requirements and pain points. A running campus network usually has both closed and open subnets.

Campus Network Classification (2)

Classified by services carried on campus networks:
⚫ Single-service campus network: single services; simple network architecture.
⚫ Multi-service campus network: The network needs to carry a large number of services, and the network scale is large. Different services need to be isolated and guaranteed. The campus network architecture is becoming complex and virtualized. The complexity of the campus network architecture depends on the complexity of services carried on the campus network.

Classified by campus network access modes:
⚫ Wired campus network: Each device accessing a network must be connected to the preset network port through a network cable. The architecture is structured and hierarchical, and the logic is clear, so faults are easy to locate.
⚫ Wireless campus network: The network is based on the 802.11 protocol (Wi-Fi) and is also called WLAN. AP deployment and installation affect the coverage effect. Interference and conflicts exist, so the network needs to be optimized periodically. Faults are difficult to locate.

Currently, most campus networks are a mix of wired and wireless networks.

Campus Network Classification (3)

To meet requirements of different industries, the campus network architecture is designed based on the characteristics of the industries that campus networks serve, ultimately building industry-specific campus network solutions.

⚫ Enterprise campus network: It refers to the Ethernet-based enterprise office network. The enterprise campus network focuses on network reliability and advancement, continuously improves employees' office experience, and ensures the efficiency and quality of operation and production.
⚫ School campus network: School campus networks are classified into primary/secondary education and higher education campus networks. Higher education campus networks are complex and usually have teaching and research networks, student networks, and operational dormitory networks. There are high requirements on network manageability and security, and specific requirements on network advancement.
⚫ Government campus network: It usually refers to the internal network of a government agency. High security is required. Generally, the internal network and external network are isolated to ensure high security of confidential information.
⚫ Business campus network: This type of campus network applies to shopping malls, supermarkets, hotels, and parks. Such networks mainly serve consumers. In addition, they include subnets for internal office work. Such networks provide Internet access services and help build business intelligence (BI) systems for a better user experience, lower O&M cost, higher efficiency, and value transfer.

Typical Physical Architecture of a Campus Network

⚫ Egress zone: serves as the border between the campus internal network and the external network. Through this egress zone, internal users can access the public network and external users (including customers, partners, branch users, and remote users) can access the internal network. Firewalls can be deployed at the egress zone to ensure the security of the internal network.
⚫ Core layer: serves as the core of data switching on the campus network. It connects various parts of the campus network, such as the data center, O&M zone, and egress zone.
⚫ Aggregation layer: forwards not only horizontal traffic between users, but also vertical traffic to the core layer. It can also function as the switching core for a department or zone and further extend the quantity of access terminals.
⚫ Access layer: provides various access modes for users and is the first layer of the network that a terminal accesses.
⚫ Terminal layer: has terminals deployed to connect to the campus network. Terminals include computers, printers, IP phones, mobile phones, and cameras.
⚫ Data center: has servers and application systems deployed to provide data and application services for internal and external users of the enterprise.
⚫ O&M zone: manages network servers such as the NMS and authentication server.

(Figure: the Internet and WAN connect through the egress zone to the core layer, which also attaches the data center and O&M zone; the aggregation, access, and terminal layers sit below the core layer; iStack/CSS links are marked in the diagram.)

Contents

1. Introduction to Campus Networks

2. Campus Network Challenges and Huawei CloudCampus Solution

3. Typical Campus Network Technologies

4. Typical Applications of Campus Network Technologies

Industry Digital Transformation Improves Efficiency and Customer Satisfaction

⚫ Digital workspace: all-wireless access; anytime, anywhere workstyles; one-click conference reservation via an app; auto-adjustable lighting and temperature. "At least 55% of the organizations will be firm advocates of digitalization by 2020." (Source: IDC FutureScape: Worldwide Digital Transformation 2019 Predictions)
⚫ Digital education: shift from spoon-feeding education to immersive education; on-demand access to high-quality teaching; practical-scene teaching. "86% of higher education CIOs will regard IT as a key factor in enabling education business transformation." (Source: 2019 Higher Education Industry Insights, Gartner)
⚫ Digital manufacturing: always-on mass terminals/sensors; real-time collection of production data; automated and precise control. "84.9% of manufacturing enterprises are going digital, driving business model innovations and reshaping the business ecosystem." (Source: IDC's 2018 manufacturing industry survey)


• CIO: Chief Information Officer


In the Digital Era, How Should Campus Networks Support Digital Transformation Across Industries?

⚫ Ubiquitous connectivity: access anytime, anywhere; high-quality service support.
⚫ On-demand services: quick service deployment and adjustment; rapid rollout of value-added applications.
⚫ Perceptible and visible experience: precise measurement and evaluation of user experience; AI-powered automatic adjustment of resource allocation.
⚫ Efficient and intelligent O&M: configuration delivery based on services; fast and accurate fault locating.

Constantly Evolving Campus Network

⚫ Late 1980s, 1st generation: from "sharing" to "switching".
⚫ Early 1990s, 2nd generation: Layer 3 routed switching.
⚫ Mid 2000s, 3rd generation: multi-service converged support.
⚫ Today and future: autonomous driving, intelligent O&M, intelligent connectivity, intelligent ultra-broadband, ...
⚫ Today, we stand on the cusp of the fourth industrial revolution, as represented by AI. It is foreseeable that new ICT will lead us from the information era to the intelligence era. As a key engine of the fourth industrial revolution, AI will drive the progress and development of all industries around the world. Data networks, which are a key driving force in the IT era, will be developed and optimized first with AI.
⚫ Campus networks gradually become intelligent and provide simplified service deployment and network O&M capabilities for customers.


• 1st-generation campus network:
▫ In 1980, IEEE released the IEEE 802.3 standard, signaling the birth of Ethernet technology. By using twisted pair connections, Ethernet was more cost-effective and easier to implement than previous networking technologies. Consequently, Ethernet quickly became the mainstream technology for campus networks. During the early days, campus networks used hubs as access devices. A hub was a shared-medium device that worked at the physical layer. It was limited in the number of users it could support for concurrent access. If many users connected to a hub simultaneously, network performance degraded severely due to the expanded collision domain. In the late 1980s, Ethernet switches emerged. Because their working scheme was more advantageous than that of hubs, Ethernet switches quickly replaced hubs to become the standard components of campus networks.
• 2nd-generation campus network:
▫ In the 1990s, the growing popularity of the World Wide Web (WWW) and instant messaging software posed great bandwidth challenges for campus networks. These demands, however, could not be met on a router-based campus backbone network. Against this backdrop, Layer 3 switches were developed in 1996. A Layer 3 switch is also called a routed switch because it integrates both Layer 2 switching and Layer 3 routing functions. Such a switch came with a simple and efficient Layer 3 forwarding engine designed and optimized for campus scenarios. Its Layer 3 routing performance was approximately equivalent to its Layer 2 switching performance. Layer 3 switches allow computers to access the campus network, provide high-performance network connections, and meet the requirements of various WWW-based multimedia services and office systems.
• 3rd-generation campus network
▫ As we all know, smart mobile terminals first emerged in 2007. Since then,
they quickly became popular and reached a wide audience. Driven by this,
Wi-Fi technology also developed rapidly. Wi-Fi has subsequently become
deeply integrated into and a typical feature of campus networks. SDN has
also been introduced to campus networks in order to simplify services. This
generation of campus networks generally meets the requirements of
enterprises that are in the early stages of wireless transformation. However,
Wi-Fi networks cannot deliver a high enough service quality, and therefore
can only be used as a supplement to wired networks.

• Campus networks have constantly evolved and made dramatic improvements in terms of bandwidth, scale, and service convergence. However, they face new challenges in connectivity, experience, O&M, security, and ecosystem as digital transformation sweeps across all industries. For example, IoT services require ubiquitous connections; HD video, Augmented Reality (AR), and Virtual Reality (VR) services call for high-quality networks; and a huge number of devices require simplified service deployment and network O&M. To address these challenges, industry vendors gradually introduce new technologies such as Artificial Intelligence (AI) and big data to campus networks, and they also launch a series of new solutions.
Service Requirements and Challenges of Large- and Medium-Sized Campus Networks

⚫ Converged transport. Requirements: Access terminals and services are diversified, and a converged transport network is required. Challenges: Wi-Fi and IoT services are independently planned, deployed, and managed, so the overall network construction cost is high; the workload of network management and O&M is heavy.
⚫ User experience awareness. Requirements: Network O&M needs to be automated and intelligent to perceive user experience anytime and anywhere. Challenges: Service faults cannot be detected in a timely manner; after a fault occurs, the fault cause is determined based on the O&M experience of professional personnel, and the fault cannot be quickly located; the network cannot be automatically optimized.
⚫ Network automation. Requirements: Networks need to be automated to cope with the complexity of deployment and policies caused by the surge of applications and services. Challenges: The workload is repetitive and heavy, and manual configuration is complex; new services need to be configured on devices one by one, which is time-consuming and costly; the workload of network policy deployment and adjustment is heavy.

Service Requirements and Challenges of Small- and Medium-Sized Campus Networks

⚫ Plug-and-play network devices, improving deployment efficiency (unified management and centralized configuration on the cloud): The network configurations of multiple sites are centrally delivered, reducing onsite configuration and commissioning workload and improving deployment efficiency. The network is plug-and-play and able to be expanded on demand, requiring low costs for upgrades.
⚫ Centralized O&M on the cloud, simplifying O&M of multiple sites (centralized management of multiple branches and remote automatic O&M): Scattered campus branch networks are centrally managed on the cloud through the Internet, and automation tools for troubleshooting, monitoring, and other management operations are integrated, implementing remote automated O&M.
⚫ Open APIs, accelerating integration of business applications (open and big data analytics capability): With open APIs and big data analytics capabilities, multiple management systems can be combined and interconnected to achieve unified network management. More value-added applications are available, leading enterprises into digital transformation.

(Figure: site networks 1 to N connect over the Internet to a cloud management platform.)

Service Requirements and Challenges of Multi-Campus Network Interconnection

⚫ Branch interconnection cost. Requirements: The cost of WAN interconnection between branches needs to be reduced. Challenges: Carriers' transmission private lines or MPLS VPN private lines are of high quality but expensive.
⚫ Service provisioning period. Requirements: The network deployment efficiency needs to be improved and the service provisioning period needs to be shortened. Challenges: It takes a long time to provision traditional private lines; service provisioning is mainly performed by network engineers on site, which has high skill requirements and low efficiency.
⚫ Service experience. Requirements: The application identification capability needs to be enhanced to ensure key service experience. Challenges: Different enterprise applications have different requirements on link quality; traditional private lines cannot detect the application status and cannot guarantee key services at any time.
⚫ Management and O&M. Requirements: Visualized O&M is required to simplify management and O&M. Challenges: CLI-based O&M is inefficient and lacks visualized O&M methods; if an enterprise has a large number of branches, onsite O&M will increase costs.
⚫ Unified management. Requirements: LAN-side and WAN-side services need to be managed in a unified manner. Challenges: Unified configuration management and O&M cannot be implemented.

CloudCampus: One-Stop Autonomous Driving Solution for Campus Networks

Automated network design, accurately aligning with service intents
⚫ The one-stop management platform (management, control, and analysis) can accurately convert service intents into configuration commands.

Automated network deployment, provisioning services in minutes
⚫ Plug-and-play devices and automatic deployment of physical networks.
⚫ Network resource pooling, multi-purpose network, and automatic service provisioning.
⚫ Fine-grained control using intelligent policies (covering access policies, bandwidth, priorities, etc.) based on virtual networks, security groups, and applications.

Automated intelligent O&M, improving network-wide performance
⚫ Real-time visualized experience: Visualized network experience for each user in each area at each moment.
⚫ Precise fault analysis: Proactively identifying typical network issues and providing remediation suggestions.
⚫ Intelligent network optimization: Predictive optimization of wireless networks based on historical data.

(Figure: the platform covers design, deployment, and policy, and manages large- and medium-sized campuses, small- and medium-sized campuses, and campus interconnection over WAN/Internet through NETCONF/YANG; virtual networks such as the OA VN and R&D VN contain security groups 1 to 5, with access policy, bandwidth, and priority set per group.)

Full Scenarios: Full Coverage from Simple-Service Campuses to Multi-Branch Interconnection Campuses

⚫ Simple-service campus. Network characteristics: small scale, simple services; large numbers of sites, with similar models. Typical scenarios: multi-branch and small/midsize enterprise campuses, such as hotels and primary/secondary schools.
⚫ Multi-service campus. Network characteristics: large scale, complex services, and coexistence of multiple services. Typical scenarios: higher education institutions, governments, large enterprise campuses, etc.
⚫ Multi-branch interconnection campus. Network characteristics: multiple branch sites, which need to communicate with each other through hybrid WAN links. Typical scenarios: large enterprises, financial branches, etc.

(Figure: stores, primary/secondary schools, and hotels accessing the Internet; a small/midsize enterprise carrying VN 1, VN 2, and VN 3; higher education institutions and large enterprises interconnected over MPLS.)

Full Lifecycle: Planning, Deployment, O&M, and Optimization

⚫ Planning (Day 0): wireless network planning (WLAN Planner); wired network planning (manual planning); site design; network resource planning.
⚫ Deployment (Day 1-2): hardware installation (manual installation); physical network deployment; virtual network deployment; service policy provisioning.
⚫ O&M (Day N): network monitoring; routine device maintenance; system maintenance (controller); user experience visibility; exception identification; fault demarcation.
⚫ Optimization (Day N): network optimization.

The green part of the slide indicates the network lifecycle management service provided by iMaster NCE-Campus.

Full Convergence: One Controller Manages Both LAN and WAN

⚫ Easy deployment: one set of controller manages only LAN or manages both LAN and WAN.
⚫ Simplified configuration: GUI, flexible networking, plug-and-play devices.
⚫ Forwarding-control separation: central management of the control plane implements flexible control while improving scalability.
⚫ Simple O&M: visibility into network service data (real-time monitoring, topology visualization, various reports, intelligent analysis), thereby easily monitoring and analyzing the status of the entire network.
⚫ Value extension: services provided by the carrier can be extended from WAN to LAN and even value-added services.

(Figure: a regional controller with a GUI and centralized management controls the WAN side (IPsec VPN, EVPN, Internet, and private line) and the LAN side (large or small/midsize campus, wired and wireless), with the control plane separated from the forwarding plane.)

• Huawei CloudCampus Solution integrates service configuration and management models across LAN and WAN. It achieves LAN-WAN convergence by not only configuring and managing LAN services, but also managing WAN interconnection services.
Contents

1. Introduction to Campus Networks

2. Campus Network Challenges and Huawei CloudCampus Solution

3. Typical Campus Network Technologies

4. Typical Applications of Campus Network Technologies

VLAN

⚫ Virtual Local Area Network (VLAN) technology logically divides a physical LAN into multiple broadcast domains, each of which is called a VLAN.
⚫ All devices in a VLAN belong to the same broadcast domain. Different VLANs specify different broadcast domains. Devices in a VLAN can directly communicate with each other, whereas devices in different VLANs cannot communicate directly, but require a Layer 3 device for mutual communication.
 Typically, a VLAN is a logical subnet.
 Members of a VLAN are assigned based on interfaces of a switch. After an interface of a switch is added to a VLAN, the device connected to the interface is also added to this VLAN.

(Figure: a core switch connects access switch 1 and access switch 2; terminals 1 to 3 (1.1.1.1/24, 1.1.1.2/24, 1.1.1.3/24) are in VLAN 10 (office) and terminal 4 (2.2.2.1/24) is in VLAN 20 (monitoring).)


• In addition to interface-based VLAN assignment, you can also use the following methods to assign VLANs:
▫ MAC address-based assignment: assigns VLANs based on the source MAC addresses of frames. This mode applies to small-scale networks where physical locations of user terminals frequently change but their network adapters seldom change.
▫ IP subnet-based assignment: assigns VLANs based on the source IP addresses of frames. This mode applies to scenarios where there are high requirements for mobility and simplified management and low requirements for security.
▫ Protocol-based assignment: assigns VLANs based on the protocol (suite) types and encapsulation formats of frames. This mode applies to networks running multiple protocols.
▫ Policy-based assignment: assigns VLANs based on a specified policy, which means VLANs are assigned based on combinations of interfaces, MAC addresses, and IP addresses. This mode applies to complex networks.
Voice VLAN

⚫ Multiple types of flows are usually transmitted on a network simultaneously. Packet loss and delay seriously affect voice communication quality. Users are more sensitive to the quality of the voice service than to the quality of data and video services. Therefore, voice data flows must be preferentially transmitted when there is limited bandwidth available.
 A voice VLAN is used to exclusively transmit voice data.
 After a voice VLAN is configured on a switch, the switch can identify voice data flows, transmit the voice data flows in the voice VLAN, and provide QoS guarantee for the voice data flows.

Typical networking of voice VLAN technology (figure): in the first topology a PC is connected through an IP phone to the switch, so a single interface of the switch transmits both voice and data services; in the second topology an IP phone is connected to the switch independently.


• A device configured with voice VLAN can identify voice flows in either of the
following modes:
▫ MAC address-based identification: A device identifies voice flows based on
the source MAC addresses of received data packets. If a source MAC
address of a packet matches the organizationally unique identifier (OUI) of
a voice device, the packet is considered a voice packet. OUIs must be
preconfigured and are used in scenarios where IP phones send untagged
voice packets.
▫ VLAN-based identification: Configuring OUIs for a large number of IP
phones is time-consuming. In this case, you can configure a switch to
identify voice packets based on VLAN IDs. If the VLAN ID of a received
packet matches the configured voice VLAN ID, the packet is considered a
voice packet. This simplifies configuration when a large number of IP
phones are connected to the switch. However, the IP phones must be able
to obtain voice VLAN information from the switch.
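The VLAN assignment modes in the previous notes (interface, MAC address, IP subnet, protocol) and the two voice VLAN identification modes above (OUI match on untagged frames, VLAN ID match on tagged frames) can be modelled together as an ordered classifier. The following Python block is an added example, not code from the training material or from Huawei switch software. The rule precedence it uses (voice first, then an existing tag, then MAC, subnet, protocol, and finally the interface PVID), the interface names, the addresses, the phone OUI and the sample frames are all constructed for illustration.

```python
"""Added example: frame-to-VLAN classification using the VLAN assignment modes
and voice VLAN identification modes described in the notes.
Rule precedence, interface names, addresses and OUIs are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


@dataclass
class Frame:
    in_port: str                     # ingress interface (constructed names)
    src_mac: str                     # xxxx-xxxx-xxxx notation, as in Huawei CLI
    vlan_tag: Optional[int] = None   # 802.1Q VLAN ID if the frame arrives tagged
    src_ip: Optional[str] = None     # source IP, when the payload carries one
    ethertype: int = ETHERTYPE_IPV4


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def mac_matches(mac: str, prefix: str, mask: str) -> bool:
    """True when the bits selected by mask agree; an OUI mask such as
    ffff-ff00-0000 selects only the vendor part of the address."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(prefix) & m)


@dataclass
class VlanPolicy:
    port_vlan: Dict[str, int]                  # interface-based: port -> PVID
    mac_rules: List[Tuple[str, str, int]]      # MAC-based: (mac, mask, vlan)
    subnet_rules: List[Tuple[str, int]]        # IP subnet-based: (network, vlan)
    proto_rules: Dict[int, int]                # protocol-based: EtherType -> vlan
    voice_vlan: int
    voice_ouis: List[Tuple[str, str]]          # (oui, mask) of IP phone vendors


def is_voice(frame: Frame, policy: VlanPolicy) -> bool:
    # VLAN-based identification: the frame is tagged with the voice VLAN ID.
    if frame.vlan_tag == policy.voice_vlan:
        return True
    # MAC-based identification: an untagged frame whose source OUI is a phone OUI.
    return frame.vlan_tag is None and any(
        mac_matches(frame.src_mac, oui, mask) for oui, mask in policy.voice_ouis)


def classify(frame: Frame, policy: VlanPolicy) -> Tuple[int, str]:
    """Return (vlan, mode). Voice flows win, tagged frames keep their tag, and
    untagged frames fall through MAC -> subnet -> protocol -> interface PVID
    (this precedence is an assumption of the example)."""
    if is_voice(frame, policy):
        return policy.voice_vlan, "voice"
    if frame.vlan_tag is not None:
        return frame.vlan_tag, "tagged"
    for mac, mask, vlan in policy.mac_rules:
        if mac_matches(frame.src_mac, mac, mask):
            return vlan, "mac"
    if frame.src_ip is not None:
        ip = ipaddress.ip_address(frame.src_ip)
        for net, vlan in policy.subnet_rules:
            if ip in ipaddress.ip_network(net):
                return vlan, "subnet"
    if frame.ethertype in policy.proto_rules:
        return policy.proto_rules[frame.ethertype], "protocol"
    return policy.port_vlan[frame.in_port], "interface"


# Constructed policy: VLAN 10/20 office ports, VLAN 30 for one MAC block,
# VLAN 50 for a monitoring subnet, VLAN 60 for IPv6, voice VLAN 100.
POLICY = VlanPolicy(
    port_vlan={"GE0/0/1": 10, "GE0/0/2": 20},
    mac_rules=[("0011-2233-0000", "ffff-ffff-0000", 30)],
    subnet_rules=[("192.168.50.0/24", 50)],
    proto_rules={ETHERTYPE_IPV6: 60},
    voice_vlan=100,
    voice_ouis=[("0001-e300-0000", "ffff-ff00-0000")],  # constructed phone OUI
)

# Constructed sample frames, one per assignment path.
SAMPLE_FRAMES = [
    Frame("GE0/0/1", "0001-e3aa-bbcc"),                            # phone OUI, untagged
    Frame("GE0/0/1", "00aa-bbcc-ddee", vlan_tag=100),              # tagged with voice VLAN
    Frame("GE0/0/1", "0011-2233-4455", src_ip="10.0.0.1"),         # MAC rule
    Frame("GE0/0/1", "00aa-0000-0001", src_ip="192.168.50.7"),     # subnet rule
    Frame("GE0/0/1", "00aa-0000-0002", ethertype=ETHERTYPE_IPV6),  # protocol rule
    Frame("GE0/0/2", "00aa-0000-0003"),                            # falls back to PVID
    Frame("GE0/0/1", "00aa-0000-0004", vlan_tag=10),               # ordinary tagged frame
]


def classify_samples() -> List[Tuple[int, str]]:
    return [classify(f, POLICY) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for frame, (vlan, mode) in zip(SAMPLE_FRAMES, classify_samples()):
        print(f"{frame.in_port:8} {frame.src_mac} -> VLAN {vlan:3} ({mode})")
```

The OUI mask is what makes the MAC-based voice check usable in practice: a phone vendor's whole address block matches with one rule, while the MAC-based VLAN rule for VLAN 30 uses a longer mask and so only matches a narrower range. Running the block prints one line per constructed frame with the VLAN chosen and the mode that chose it.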
Spanning Tree Protocol (STP)

⚫ On a switching network with physical loops, switches running STP automatically generate a loop-free working topology, which is also called an STP tree. Each node of an STP tree is a specific switch, and each branch is a specific link.
⚫ STP transmits configuration BPDUs between switches to elect the root switch (or root bridge) and determine the role and status of each switch port.
⚫ Each switch proactively sends configuration BPDUs during initialization. After the network topology becomes stable, only the root bridge periodically sends configuration BPDUs. Other switches send their own configuration BPDUs only after receiving configuration BPDUs from upstream devices.

(Figure: SW1 is the root bridge and both of its ports are designated ports; SW2 and SW3 each have a root port facing SW1, SW2 has a designated port on the SW2-SW3 link, and SW3's port on that link is a non-designated port. Legend: R root port, D designated port.)

Format of a configuration BPDU: PID, PVI, BPDU Type, Flag, Root ID, RPC, Bridge ID, Port ID, Message Age, Max Age, Hello Time, Forward Delay.


• How is an STP tree generated?
▫ STP compares four parameters: root bridge ID, root path cost (RPC), bridge ID (BID), and port ID (PID). A smaller value indicates a higher priority. All these parameters are BPDU fields.
▪ Root bridge election: The device with the smallest root bridge ID is elected as the root bridge.
▪ Root port election: A device compares the RPC, peer BID, peer PID, and local PID of its ports in sequence. The port with the smallest value is elected as the root port.
▪ Designated port election: A device compares the RPC, local BID, and local PID of its ports in sequence. The port with the smallest value is elected as the designated port.
▪ After the root port and designated port are determined, all the non-root ports and non-designated ports on the switch are blocked.
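The election just described, worked through as an added example (not code from the training material) on the three-switch triangle of the slide: every switch starts out believing it is the root, and the roles settle after a few rounds of comparing the four BPDU fields. The bridge priorities, MAC addresses, port numbers and path costs are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """A point-to-point link: switch a's port a_port to switch b's port b_port."""
    a: str
    a_port: int
    b: str
    b_port: int
    cost: int  # path cost of the link, added by the side that receives the BPDU


def bridge_id(priority: int, mac: str) -> int:
    """BID = 2-byte priority followed by the 6-byte MAC; a smaller value wins."""
    return (priority << 48) | int(mac.replace("-", ""), 16)


def compute_stp(bids: dict, links: list) -> dict:
    """Return, per switch, the elected root bridge, RPC, root port and port roles.

    Comparison vectors follow the BPDU fields discussed in the text:
    root port  = min over ports of (root ID, RPC, peer BID, peer PID, local PID)
    designated = own (root ID, RPC, local BID, local PID) beats what is heard on the port
    """
    ports = {s: {} for s in bids}
    for l in links:
        ports[l.a][l.a_port] = (l.b, l.b_port, l.cost)
        ports[l.b][l.b_port] = (l.a, l.a_port, l.cost)

    # Every switch initially believes it is the root bridge with RPC 0.
    state = {s: (bids[s], 0) for s in bids}
    result = {}
    for _ in range(len(bids) + 1):  # synchronous rounds until nothing changes
        new_state, result = {}, {}
        for s, sp in ports.items():
            bid = bids[s]
            # BPDU heard on each port, as advertised by the neighbor in the previous round
            heard = {}
            for pid, (nb, nb_pid, cost) in sp.items():
                nb_root, nb_rpc = state[nb]
                heard[pid] = (nb_root, nb_rpc + cost, bids[nb], nb_pid, pid)
            root, rpc, root_port = bid, 0, None
            if heard:
                best = min(heard, key=heard.get)
                if heard[best][0] < bid:  # a neighbor advertises a better root than me
                    root, rpc, root_port = heard[best][0], heard[best][1], best
            new_state[s] = (root, rpc)
            roles = {}
            for pid, (nb, nb_pid, cost) in sp.items():
                nb_root, nb_rpc = state[nb]
                if pid == root_port:
                    roles[pid] = "root"
                elif (root, rpc, bid, pid) < (nb_root, nb_rpc, bids[nb], nb_pid):
                    roles[pid] = "designated"
                else:
                    roles[pid] = "blocked"  # neither root nor designated
            result[s] = {"root_bridge": root, "rpc": rpc,
                         "root_port": root_port, "ports": roles}
        if new_state == state:
            break
        state = new_state
    return result


def slide_topology():
    """Constructed values for the SW1/SW2/SW3 triangle: SW1 has the lowest BID."""
    bids = {"SW1": bridge_id(4096, "0000-0000-0001"),
            "SW2": bridge_id(32768, "0000-0000-0002"),
            "SW3": bridge_id(32768, "0000-0000-0003")}
    links = [Link("SW1", 1, "SW2", 1, 20000),
             Link("SW1", 2, "SW3", 1, 20000),
             Link("SW2", 2, "SW3", 2, 20000)]
    return bids, links


if __name__ == "__main__":
    for name, info in compute_stp(*slide_topology()).items():
        print(name, info)
```

With these values SW1 becomes the root with both ports designated, SW2 and SW3 take their uplink as root port, and the SW2-SW3 segment is blocked on the SW3 side because SW2 has the smaller BID.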
Rapid Spanning Tree Protocol (RSTP)
⚫ As LANs are increasing in scale, the problem of slow STP topology convergence is becoming more prominent. To address this problem, the IEEE released the 802.1w standard in 2001, which defines RSTP. RSTP is an enhanced version of STP and implements rapid convergence of the switching network.
⚫ RSTP makes the following improvements over STP:
 Defines more port roles, making the spanning tree protocol easier to understand and configure.
 Eliminates the listening state, reducing the number of port states from 5 to 3.
 Uses the Flags field of STP configuration BPDUs to define port roles.
 Processes configuration BPDUs differently from STP. For example, it allows non-root bridges to proactively generate and send configuration BPDUs, and reduces the BPDU timeout interval to three times the Hello Time.
 Provides rapid convergence mechanisms, such as the Proposal/Agreement (PA) mechanism and edge port mechanism.
 Provides protection mechanisms to ensure the stability of the switching network.
[Figure: RSTP topology with SW1 as the root bridge and SW2 and SW3 below it. Legend: R = root port, D = designated port, A = alternate port, B = backup port, E = edge port.]
Multiple Spanning Tree Protocol (MSTP)
⚫ Defined in IEEE 802.1s and compatible with STP and RSTP, MSTP implements fast convergence while providing multiple redundant paths for forwarding data, effectively load balancing traffic for VLANs.
⚫ An MSTP network is composed of one or more MST regions, and each MST region contains one or more multiple spanning tree instances (MSTIs). An MSTI is a tree network that consists of switches running STP, RSTP, or MSTP.
⚫ The switches in the same MST region share the following characteristics:
 Have MSTP enabled.
 Have the same region name.
 Have the same VLAN-to-MSTI mappings.
 Have the same MSTP revision level.
[Figure: SW1, SW2, and SW3 in one MST region; data traffic of Instance 1 (VLAN 1, 2, 3 ... 10) and Instance 2 (VLAN 11, 12, 13 ... 20) is load balanced over different paths.]
OSPFv2
⚫ On a large-scale enterprise network, the aggregation layer may consist of Layer 3 devices, such as routers and switches. In such scenarios, static routes are not flexible because the configuration is complex and they cannot quickly respond to topology changes. Therefore, a dynamic routing protocol (typically OSPF among the IGPs) can be deployed on the enterprise intranet.
⚫ The aggregation devices are divided into different non-backbone OSPF areas based on the network structure.
⚫ Core devices, network egress devices, and uplink interfaces of aggregation devices belong to Area 0. The downlink interfaces of aggregation devices and the access devices are added to Area X.
⚫ Redundant links and the OSPF triggered update mechanism are used to implement backup of intranet paths.
⚫ Aggregation devices function as area border routers (ABRs) to execute route filtering policies.
[Figure: Area 0 at the core and egress; Area 1 and Area 2 as non-backbone areas below the aggregation devices.]
Policy-Based Routing (PBR)
⚫ In the conventional routing and forwarding process, devices search their IP routing tables for routes based on packets' destination addresses and then forward the packets accordingly. However, more and more users require packet routing based on user-defined policies.
⚫ PBR can be configured using the modular QoS command line interface (MQC) or an ACL-based simplified traffic policy. With MQC, the configuration consists of the following parts:
 Traffic classifier: Configure a traffic classifier for matching interested data flows. Matching criteria: VLAN ID, source or destination MAC address, Ethernet protocol type, DSCP priority, IP precedence, inbound or outbound interface, ACL rule.
 Traffic behavior: Redirects interested packets. You can set the next-hop IP address or outbound interface for redirection.
 Traffic policy: Binds the traffic classifier to the traffic behavior (traffic classifier > traffic behavior).
 Apply the traffic policy: to the inbound direction of an interface; to the incoming packets that belong to a VLAN and match the criteria defined in the traffic classifier; or globally or to a card.
[Figure: enterprise intranet behind an egress device; PBR redirects the matched flows toward the Internet.]
• PBR is used in agile campus service orchestration, multi-egress, and anti-DDoS off-path deployment scenarios.
• MQC: Modular QoS Command Line Interface
WLAN Network Architectures (1)
Fat AP
⚫ Networking characteristics: A Fat AP works independently and needs to be configured separately. It provides only simple functions and is cost-effective.
⚫ Application scenarios: families or mini-stores
AC + Fit AP
⚫ Networking characteristics: A Fit AP provides a wide range of functions and is used with an AC. Fit APs are managed and configured by an AC in a unified manner, posing high requirements on skills of maintenance personnel.
⚫ Application scenarios: medium- and large-sized enterprises
[Figure: a Fat AP connected directly to the Internet, and Fit APs managed by an AC.]
WLAN Network Architectures (2)
Leader AP
⚫ Networking characteristics: A leader AP can work independently or manage a small number of common APs to implement basic roaming functions. A leader AP has a low price and low requirements for maintenance skills.
⚫ Application scenarios: small and micro enterprises
Agile distributed AP
⚫ Networking characteristics: The agile distributed architecture divides APs into central APs and remote units (RUs). A central AP can manage multiple RUs, and this architecture provides good coverage and reduces costs. RUs can be used in the Fat AP, AC + Fit AP, and cloud management architectures.
⚫ Application scenarios: scenarios where rooms are densely distributed
[Figure: a leader AP serving Room1 to RoomN, and an AC with central APs each managing RUs in Room1 to RoomN.]
WLAN Network Architectures (3)
Cloud management mode
⚫ Networking characteristics: APs are centrally managed and configured on iMaster NCE-Campus. They provide rich functions and support plug-and-play.
⚫ Application scenarios: small- and medium-sized enterprises
[Figure: cloud APs managed over the Internet by iMaster NCE-Campus.]
WLAN Network Architectures (4)
Native AC
⚫ Networking characteristics: This architecture uses the native AC function of switches to manage APs on a network, implementing wired and wireless network convergence. This architecture also leverages big data and AI technologies to implement simplified, smart, and secure campus networks.
⚫ Application scenarios: large- and medium-sized enterprises
[Figure: campus network with an egress zone (Internet and WAN), a data center, an O&M zone, core layer switches acting as native ACs and joined by an iStack/CSS link, an aggregation layer, and an access layer.]
VRRP
Basic VRRP application
⚫ Redundancy
⚫ Load balancing
⚫ Association
[Figure: aggregation switch 1 and aggregation switch 2 run VRRP and form a virtual router with IP address 192.168.1.254; the host behind the access switch has IP address 192.168.1.1/24 and default gateway 192.168.1.254.]
Typical application of MSTP+VRRP
⚫ VRRP and MSTP are used together to implement gateway redundancy, load balancing, Layer 2 loop prevention, and reliability.
[Figure: aggregation switch 1 is the VRRP master for VLANIF11-20 and VRRP backup for VLANIF21-30, and the MSTI 10 primary root bridge and MSTI 20 secondary root bridge; aggregation switch 2 holds the reverse roles. VLANs 11 to 20 and VLANs 21 to 30 are attached below the access switch.]

• Generally, all hosts on the same network segment are configured with the same
default route with the gateway address as the next-hop address. The hosts use
the default route to send packets to the gateway, which then forwards the
packets to other network segments, enabling hosts to communicate with external
networks. If the gateway fails, hosts using this gateway address as the next hop
of their default route cannot communicate with external networks.
• The Virtual Router Redundancy Protocol (VRRP) virtualizes several routing
devices into a virtual router and uses the IP address of the virtual router as the
default gateway address for the communication between users and external
networks. If a gateway fails, VRRP selects another gateway to forward traffic,
thereby ensuring reliable communication.
▫ Redundancy: Multiple routing devices enabled with VRRP constitute a VRRP
group and the VRRP group is used as the default gateway. When a single
point of failure (SPOF) occurs, services are transmitted through the backup
link. This reduces the possibility of network faults and ensures non-stop
transmission of services.
▫ Load balancing: VRRP enables multiple available routers to share the load,
reducing the traffic burden on the master.
▫ Association: VRRP can monitor faults on uplinks. When the uplink interface
or uplink is faulty, the priority of the original master decreases, and an
optimal backup becomes the master, ensuring proper traffic forwarding.
Association between VRRP and BFD speeds up the active/standby
switchover. To speed up the active/standby switchover in the VRRP group,
configure a BFD session between the master and backup and associate the
BFD session with the VRRP group. This is because BFD can fast detect
faults. When the link between the master and backup becomes Down, the
backup immediately switches to the master and takes over traffic.
Link Aggregation, iStack, and CSS
⚫ Ethernet link aggregation, also known as Eth-Trunk, bundles multiple physical links into a logical link to increase link bandwidth, without having to upgrade hardware.
⚫ Intelligent stack (iStack) enables multiple stacking-capable switches to function as a single logical switch. iStack is applicable to Huawei fixed switches.
⚫ A cluster switch system (CSS), also known as a cluster, combines two clustering-capable switches into a single logical switch. CSS is applicable to Huawei modular switches.
⚫ Link aggregation can be used with iStack/CSS to implement link-level and device-level reliability and increase network bandwidth.
[Figure: a CSS at the core and iStack groups at the lower layers, interconnected by Eth-Trunks; member switches are joined by iStack/CSS links.]
Network Quality Analysis (NQA)
⚫ To visualize the quality of network services and allow users to check whether the quality of network services meets requirements, the following measures must be taken:
 Enable the device to provide network service quality information.
 Deploy probe devices to monitor network service quality.
⚫ The preceding measures require devices to provide statistical parameters such as the delay, jitter, and packet loss ratio and require dedicated probe devices. These requirements increase investments on devices.
⚫ NQA can precisely test the network operating status and output statistics without using dedicated probe devices, effectively reducing costs.
⚫ NQA measures network performance and collects statistics on the delay, jitter, and packet loss ratio in real time.
[Figure: an NQA client runs TCP, DNS, ICMP, and HTTP test instances across the network against an NQA server.]
• NQA measures the performance of various protocols running on networks, which helps users collect statistics about network operation indexes in real time.
Port Isolation
Requirements
⚫ Users in the same VLAN are isolated to enhance user communication security and prevent invalid broadcast packets from affecting services.
⚫ Data exchanged between different users in the same VLAN can be forwarded by the upper-layer device in a centralized manner.
Solution
⚫ Port isolation can isolate ports in the same VLAN.
⚫ To implement Layer 2 isolation between ports, simply add these ports to a port isolation group.
⚫ There are two port isolation modes: Layer 2 isolation and Layer 3 interworking, and Layer 2 and Layer 3 isolation.
 To isolate broadcast packets in the same VLAN but allow users connected to different interfaces to communicate at Layer 3, you can set the port isolation mode to Layer 2 isolation and Layer 3 interworking.
 To prevent interfaces in the same VLAN from communicating at both Layer 2 and Layer 3, you can set the port isolation mode to Layer 2 and Layer 3 isolation.
[Figure: a core switch above access switch 1; Terminal 1 (1.1.1.1/24), Terminal 2 (1.1.1.2/24), and Terminal 3 (1.1.1.3/24) in VLAN 10 (office VLAN) connect to access switch 1, where port isolation is enabled and the ports are added to the same port isolation group.]
• Port isolation provides more secure and flexible networking solutions.
• In some scenarios, data exchanged between terminals in a VLAN needs to be
forwarded by an upper-layer device instead of an access switch. This ensures that
traffic is forwarded by the upper-layer device instead of the access switch, so that
traffic management and control policies can be deployed on the upper-layer
device. This mode is called centralized forwarding mode. In this mode, port
isolation is configured for all downstream Layer 2 devices. Therefore, proxy ARP
should be configured on the gateway. In most cases, intra-VLAN proxy ARP is
used.
Ethernet Port Security
Requirements
⚫ An enterprise requires that each access switch interface connected to terminals allow only one PC to access the network so as to limit the number of MAC addresses.
⚫ If an employee attempts to connect a small switch or hub to an interface to increase the number of Internet access interfaces, this behavior should be detected and prohibited.
⚫ Some enterprises may require that a switch forward only data frames sent by terminals with trusted MAC addresses to the upper-layer network. Employees are not allowed to change their locations, that is, change access interfaces of the switch.
Solution
⚫ Port security converts the dynamic MAC addresses learned on an interface into secure MAC addresses (including dynamic and static secure MAC addresses, and sticky MAC addresses). This function prevents unauthorized users from using this interface to communicate with the switch, thereby enhancing device security.
[Figure: a core switch above access switch 1 and access switch 2; Terminal 1 to Terminal 4 connect to the access switch interfaces, which are the points where port security can be configured.]
• Configuring port security on an interface of a switch can limit the number of MAC addresses learned by the interface. Then punishment measures can be taken when a violation occurs.
• The interface configured with port security can convert the learned MAC addresses into secure MAC addresses, preventing devices with other MAC addresses from accessing the network through the interface.
Media Access Control Security (MACsec)
Background
⚫ Most data is transmitted in plaintext on LAN links, failing to meet security requirements in scenarios demanding high security.
MACsec overview
⚫ Media Access Control Security (MACsec), in compliance with the IEEE 802.1AE standard, defines a method for secure data communication based on Ethernet. It provides hop-by-hop encryption to secure data transmission.
⚫ MACsec provides data source authenticity verification, data integrity check, user data encryption, and replay protection.
Typical application scenarios
⚫ MACsec is deployed between switches to ensure data security. For example, MACsec is deployed between access switches and uplink aggregation or core switches.
⚫ When transmission devices exist between switches, MACsec can be deployed to ensure data security.
[Figure: Site 1 and Site 2 connected over the Internet with IPsec, while MACsec protects the LAN links inside each site.]
DHCP Snooping
⚫ Some attacks are launched against DHCP on the network, including bogus DHCP server attacks, DHCP server DoS attacks, and bogus DHCP message attacks.
⚫ DHCP snooping ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.
[Figure: (1) a DHCP client sends a request; (2) the authorized DHCP server and an unauthorized DHCP server both reply, the latter with invalid DHCP ACK, NAK, and Offer messages; (3) without DHCP snooping, the client may obtain an incorrect IP address.]
• The DHCP snooping-enabled device forwards DHCP Request messages of users (DHCP clients) to an authorized DHCP server through the trusted interface, and then generates DHCP snooping binding entries based on the DHCP ACK messages received from the DHCP server. When receiving DHCP messages from users through the DHCP snooping-enabled interfaces, the device checks the messages against the binding table, thereby preventing attacks initiated by unauthorized users. In addition, DHCP snooping supports multiple security features, such as limiting the rate for sending DHCP messages.
Dynamic ARP Inspection (DAI)
⚫ ARP attacks are frequently launched on networks. A man-in-the-middle (MITM) attack is a common ARP spoofing attack. To defend against MITM attacks, configure DAI on a switch.
⚫ DAI defends against MITM attacks using a DHCP snooping binding table. When a switch receives an ARP packet, it compares the source IP address, source MAC address, VLAN ID, and interface number of the ARP packet with those in DHCP snooping binding entries.
 If the ARP packet matches a binding entry, the switch considers the ARP packet valid and allows the packet to pass through.
 If the ARP packet does not match any binding entry, the switch considers the ARP packet invalid and discards the packet.
[Figure: PC1 (MAC 0000-0000-1111) obtains IP address 1.1.1.1/24 and PC2 (MAC 0000-0000-2222) obtains IP address 1.1.1.2/24 from the authorized DHCP server. An ARP packet with sender IP address 1.1.1.1 and sender MAC address 0000-0000-2222 does not match any binding entry and is discarded.]
DHCP snooping binding table:
IP Address | MAC Address | VLAN ID | Interface
1.1.1.1 | 0000-0000-1111 | 10 | GE0/0/1
1.1.1.2 | 0000-0000-2222 | 10 | GE0/0/2
• An MITM attacker establishes independent connections with two parties that
intend to communicate and relays messages between them. The two parties
consider that they are directly communicating with each other over a private
connection, but the entire conversation is in fact controlled by the attacker. In an
MITM attack, the attacker can intercept all packets exchanged between the two
parties and insert new ones.
• To defend against MITM attacks, configure DAI on a switch.
▫ DAI defends against MITM attacks using a DHCP snooping binding table.
When the switch receives an ARP packet, it compares the source IP address,
source MAC address, VLAN ID, and interface number of the ARP packet
with those in DHCP snooping binding entries. If the ARP packet matches a
binding entry, the switch considers the ARP packet valid and allows the
packet to pass through. If the ARP packet does not match any binding
entry, the switch considers the ARP packet invalid and discards the packet.
▫ DAI is available only when DHCP snooping is configured. A DHCP snooping-
enabled switch automatically generates DHCP snooping binding entries
when DHCP users go online. If a user is configured with a static IP address,
you need to manually configure a static binding entry for the user.
▫ When an attacker connected to the DAI-enabled switch sends bogus ARP
packets, the switch detects the attack based on the binding entries and
discards the bogus ARP packets. If the packet discarding alarm function is
also enabled on the DAI-enabled switch, the switch will generate an alarm
when the number of ARP packets discarded due to failure to match any
binding entry exceeds the alarm threshold.
IP Source Guard (IPSG)
⚫ IPSG implements source IP address filtering based on Layer 2 interfaces. IPSG prevents malicious hosts from simulating authorized hosts using forged IP addresses. In addition, IPSG prevents unauthorized hosts from accessing or attacking networks using forged IP addresses.
⚫ IPSG checks IP packets on Layer 2 interfaces against a binding table that contains the bindings of source IP addresses, source MAC addresses, VLAN IDs, and inbound interfaces. Only packets matching the binding table are forwarded, and other packets are discarded.
[Figure: (1) Authorized terminal 1 (1.1.1.2/24, MAC 0000-0000-2222, on GE0/0/2) is powered off. (2) An unauthorized terminal (MAC 0000-0000-FFFF) accesses the network using authorized terminal 1's IP address 1.1.1.2/24. (3) The unauthorized terminal sends data. (4) The switch identifies and discards the invalid traffic based on the binding table.]
Binding table:
IP Address | MAC Address | VLAN ID | Interface
1.1.1.1 | 0000-0000-1111 | 10 | GE0/0/1
1.1.1.2 | 0000-0000-2222 | 10 | GE0/0/2
• As networks continue to increase in scale, a growing number of attackers are forging source IP addresses to initiate network attacks (IP address spoofing attacks). Some attackers forge IP addresses of authorized users to obtain network access rights and access networks. As a result, authorized users are unable to access networks or sensitive information may be intercepted.
• IPSG provides a mechanism to effectively defend against IP address spoofing attacks.
▫ The binding table can be a static binding table or a dynamic DHCP snooping binding table.
▫ IPSG only checks the IP packets from hosts. It does not check non-IP packets such as ARP packets.
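DAI (previous slide) and IPSG (this slide) perform the same four-field lookup against the binding table, so one added example (not Huawei's implementation) simulates both on the slides' topology: ARP packets go through the DAI check, which counts discards against an alarm threshold; IP packets go through the IPSG check; other traffic is untouched by both. The frame structure, the alarm threshold value, and the frames of the unauthorized terminal are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One binding entry: learned by DHCP snooping, or configured statically for a fixed-IP host."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Frame:
    """Constructed, simplified view of a frame arriving on a Layer 2 interface."""
    interface: str
    vlan: int
    src_mac: str
    proto: str   # "ARP", "IP" or anything else
    src_ip: str  # ARP sender IP address, or IP source address


class BindingTable:
    def __init__(self, entries):
        self._keys = {(e.ip, e.mac, e.vlan, e.interface) for e in entries}

    def matches(self, frame: Frame) -> bool:
        """All four fields must agree with one entry; a partial match is no match."""
        return (frame.src_ip, frame.src_mac, frame.vlan, frame.interface) in self._keys


class AccessSwitch:
    """DAI for ARP frames, IPSG for IP frames; everything else is left alone by both."""

    def __init__(self, table: BindingTable, alarm_threshold: int):
        self.table = table
        self.alarm_threshold = alarm_threshold  # constructed value, not a product default
        self.dai_discards = 0
        self.alarms = []

    def inspect(self, frame: Frame) -> str:
        if frame.proto == "ARP":
            return self._dai(frame)
        if frame.proto == "IP":
            return self._ipsg(frame)
        return "forward"  # IPSG checks only IP packets; DAI checks only ARP packets

    def _dai(self, frame: Frame) -> str:
        if self.table.matches(frame):
            return "forward"
        self.dai_discards += 1
        if self.dai_discards > self.alarm_threshold:  # packet discarding alarm
            self.alarms.append(
                f"DAI: {self.dai_discards} ARP packets discarded, last on {frame.interface}")
        return "discard"

    def _ipsg(self, frame: Frame) -> str:
        return "forward" if self.table.matches(frame) else "discard"


def slide_scenario():
    """Binding table from the slides; the frames are constructed to exercise each path."""
    table = BindingTable([
        Binding("1.1.1.1", "0000-0000-1111", 10, "GE0/0/1"),
        Binding("1.1.1.2", "0000-0000-2222", 10, "GE0/0/2"),
    ])
    switch = AccessSwitch(table, alarm_threshold=2)
    frames = [
        Frame("GE0/0/1", 10, "0000-0000-1111", "ARP", "1.1.1.1"),  # PC1, genuine ARP
        Frame("GE0/0/2", 10, "0000-0000-2222", "ARP", "1.1.1.1"),  # PC2 claiming PC1's IP (slide)
        Frame("GE0/0/2", 10, "0000-0000-FFFF", "IP", "1.1.1.2"),   # unauthorized host reusing 1.1.1.2
        Frame("GE0/0/2", 10, "0000-0000-2222", "IP", "1.1.1.2"),   # PC2, genuine IP packet
        Frame("GE0/0/1", 10, "0000-0000-1111", "LLDP", ""),        # non-IP: not subject to IPSG
        Frame("GE0/0/1", 10, "0000-0000-1111", "IP", "1.1.1.1"),   # PC1, genuine IP packet
        Frame("GE0/0/3", 10, "0000-0000-1111", "ARP", "1.1.1.1"),  # PC1's identity on another port
        Frame("GE0/0/2", 10, "0000-0000-2222", "ARP", "1.1.1.1"),  # third bogus ARP crosses threshold
    ]
    return [switch.inspect(f) for f in frames], switch


if __name__ == "__main__":
    verdicts, switch = slide_scenario()
    print(verdicts, switch.dai_discards, switch.alarms)
```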
Using VRF for VN Isolation
Requirements
⚫ Multiple logical networks, such as the office network and monitoring network, can be built on a simple physical campus network.
⚫ The office network is completely isolated from the monitoring network.
Solution
⚫ Deploying ACLs: ACLs can be used to isolate traffic between VLANs. However, ACL configuration is complex and ACLs do not apply to all scenarios.
⚫ Build independent physical networks: Separate physical networks can be built for office and monitoring purposes, so services can be isolated. However, this increases network construction costs.
⚫ Virtual Routing and Forwarding (VRF): It is also called a VPN instance, which is similar to a virtual device. A VPN instance uses a routing table independent of the root device to completely isolate the VPN instance from the root device, without increasing hardware costs.
[Figure: a VXLAN campus fabric carrying VN1 (office) with terminals 1.1.1.1/24 and 1.1.1.2/24, and VN2 (monitoring) with terminals 2.2.2.1/24 and 2.2.2.2/24; the VNs are isolated from each other.]
Network Admission Control (NAC)
• NAC is an end-to-end security technology that authenticates clients and users to ensure network security.
• NAC provides three authentication modes: 802.1X authentication, MAC address authentication, and Portal authentication.
• How to ensure that terminals are valid and secure?
• How to ensure that authorized terminals are authorized correctly?
[Figure: a user terminal connects through an authentication device that consults an authentication server; the campus also contains ACs, an Internet/WAN egress, a data center, and an O&M zone.]

• In addition to using NAC to authenticate access users and control their rights, a
campus network also needs to authenticate and control rights of administrators
(also called login users) who can log in to devices through FTP, HTTP, SSH,
Telnet, or console ports.
DHCP
Using DHCP to automatically configure IP addresses
1. The DHCP client broadcasts a DHCP Discover message to search for the DHCP server on the network.
2. The DHCP server responds with a DHCP Offer message to provide information such as the IP address.
3. The DHCP client broadcasts a DHCP Request message to specify the IP address provided by a DHCP server.
4. The DHCP server responds with a DHCP ACK message to allocate the specified IP address.
Typical application of DHCP on a large-scale campus network
⚫ DHCP is widely used on various campus networks to implement automatic IP address configuration for wired or wireless terminals.
⚫ A DHCP relay agent forwards DHCP messages between a DHCP server and DHCP clients to help the DHCP server dynamically allocate network parameters to the DHCP clients.
[Figure: DHCP clients behind Layer 2 switches reach the DHCP server through Layer 3 gateways enabled with DHCP relay.]
• DHCP dynamically configures and uniformly manages IP addresses of hosts.
DHCP is defined in RFC 2131 and uses the client/server communication mode. A
DHCP client requests configuration information from a DHCP server, and the
DHCP server returns the configuration information allocated to the DHCP client.
▫ Instead of statically specifying an IP address for a host, DHCP enables a
host to obtain an IP address dynamically.
▫ DHCP can allocate other configuration parameters, such as the startup
configuration file of a client, so that the client can obtain all the required
configuration information by using only one message.
▫ DHCP supports dynamic and static IP address allocation. A network
administrator can select different address allocation modes for hosts as
required.
▪ Dynamic allocation: DHCP allocates an IP address with a limited
validity period (known as a lease) to a client. This mechanism applies
to scenarios where hosts temporarily access the network or the
number of idle IP addresses is less than the total number of hosts that
do not require permanent connections.
▪ Static allocation: DHCP allocates fixed IP addresses to clients.
Compared with manual IP address configuration, DHCP static
allocation prevents manual configuration errors and enables unified
maintenance and management.
• DHCP has the following benefits:
▫ Reduced client configuration and maintenance cost.
▫ Centralized management of limited IP addresses.
DHCP Options
Options field in DHCP messages
• The Options field stores control information and parameters allocated to a DHCP client.
• A DHCP message can carry multiple options.
• DHCP predefines a large number of options for various purposes, for example, setting the gateway address and DNS server address.
Typical application scenarios
• The Options field can be used to set the IP address of the NTP server.
• The Options field can be vendor-defined. For example, the CloudCampus solution uses Option 148 to implement plug-and-play of network devices. The information is used to notify the DHCP client of controller information so that the device can obtain the controller address and port number.
• Option 43 is used to register an AP with an AC that resides on a different network segment from the AP in WLAN scenarios.
[Figure: the DHCP server sends a DHCP Offer carrying the Options field to the DHCP client, together with the IP address assigned to the client.]
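As an added example (not code from the training material or the CloudCampus solution), the following parser walks the Options field of a DHCPOFFER constructed inline: generic code/length/value handling, the nested TLV list inside Option 43, and rejection of truncated or unterminated option lists, which a client or snooping device should never act on. All addresses and the Option 43 sub-option are constructed placeholders; Option 148 content is vendor-defined and is left as raw bytes.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: precedes the Options field
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "dns_server", 42: "ntp_server",
                43: "vendor_specific", 51: "lease_time", 53: "message_type",
                54: "server_identifier", 148: "option_148"}


def parse_tlvs(data: bytes, require_end: bool = True) -> dict:
    """Walk code/length/value triples into {code: value}.

    Code 0 is a one-byte pad and code 255 ends the list. A value that runs past
    the buffer, or a missing end option when one is required, is an error rather
    than a silently shortened option.
    """
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            return opts
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: length byte missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declares {length} bytes, {len(value)} present")
        opts[code] = opts.get(code, b"") + value  # a long option may be split (RFC 3396)
        i += 2 + length
    if require_end:
        raise ValueError("end option (255) missing")
    return opts


def ip_list(value: bytes) -> list:
    if len(value) % 4:
        raise ValueError("address list length is not a multiple of 4")
    return [socket.inet_ntoa(value[i:i + 4]) for i in range(0, len(value), 4)]


def decode_options(raw: bytes) -> dict:
    """raw is the Options field of a DHCP message, starting with the magic cookie."""
    if not raw.startswith(MAGIC_COOKIE):
        raise ValueError("magic cookie missing: not a DHCP Options field")
    decoded = {}
    for code, value in parse_tlvs(raw[len(MAGIC_COOKIE):]).items():
        name = OPTION_NAMES.get(code, f"option_{code}")
        if code == 53:
            decoded[name] = MESSAGE_TYPES.get(value[0], f"unknown({value[0]})") if value else "empty"
        elif code in (1, 3, 6, 42, 54):
            decoded[name] = ip_list(value)
        elif code == 51 and len(value) == 4:
            decoded[name] = struct.unpack("!I", value)[0]
        elif code == 43:
            # Vendor-specific information is itself a TLV list; its end option is optional.
            decoded[name] = parse_tlvs(value, require_end=False)
        else:
            decoded[name] = value  # Option 148 and other vendor-defined content stay raw
    return decoded


def is_well_formed(raw: bytes) -> bool:
    try:
        decode_options(raw)
        return True
    except ValueError:
        return False


def build_options(items) -> bytes:
    """Encode (code, value) pairs plus the end option; used only to construct sample input."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in items)
    return MAGIC_COOKIE + body + b"\xff"


def sample_offer() -> bytes:
    """Constructed DHCPOFFER options; every address and the Option 43 sub-option are placeholders."""
    ip = socket.inet_aton
    vendor = bytes([1, 4]) + ip("10.0.0.200")  # sub-option 1 inside Option 43 (constructed)
    return build_options([
        (53, b"\x02"), (1, ip("255.255.255.0")), (3, ip("192.168.1.254")),
        (6, ip("10.0.0.53") + ip("10.0.0.54")), (42, ip("10.0.0.123")),
        (51, struct.pack("!I", 86400)), (43, vendor),
    ])


if __name__ == "__main__":
    print(decode_options(sample_offer()))
```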
Network Time Protocol (NTP)
⚫ NTP is an application layer protocol in the TCP/IP suite that synchronizes time between time servers and clients. NTP is implemented based on IP and UDP. NTP packets are transmitted over UDP using port 123.
⚫ Key concepts in the NTP network architecture:
 Synchronization subnet: consists of the primary time server, stratum-2 time servers, PC clients, and transmission paths connecting them.
 Primary time server: directly synchronizes its clock with a standard reference clock through a cable or radio. Typically, the standard reference clock is either a radio clock or the Global Positioning System (GPS).
 Stratum-2 time server: synchronizes its clock with either the primary time server or other stratum-2 time servers on the network. Stratum-2 time servers use NTP to transmit time information to other hosts in a LAN.
 Stratum: is a hierarchical standard for clock synchronization. It represents the precision of a clock. The value of a stratum ranges from 1 to 16. A smaller value indicates higher precision. The value 1 indicates the highest clock precision, and the value 16 indicates that the clock is not synchronized.
[Figure: SwitchA is the primary time server (stratum 1) synchronized to a clock source; SwitchB and SwitchD are stratum-2 time servers (stratum 2); SwitchC and SwitchE synchronize from them (stratum 3); Host1 to Host4 are clients.]
SNMP
Overview of SNMP
⚫ SNMP is a network management protocol widely used on TCP/IP networks.
⚫ SNMP provides a method for managing devices through a central computer that runs network management software, known as a network management station (NMS).
⚫ Using in-band management, SNMP achieves efficient and batch network device management. In addition, SNMP enables unified management of different types of network devices from different vendors.
[Figure: the NMS (SNMP server, for example iMaster NCE) communicates with the agent on a managed device (SNMP client, for example routers and switches), which exposes its MIB.]
Network Configuration Protocol (NETCONF)
⚫ NETCONF provides a set of mechanisms for managing network devices. To be specific, users can use NETCONF to add, modify, and delete configurations of network devices, as well as obtain configurations and status of network devices.
⚫ NETCONF has three objects:
 NETCONF client
 NETCONF server
 NETCONF message
[Figure: the NETCONF client on the management platform or SDN controller exchanges NETCONF messages over the network with the NETCONF server on Device 1, Device 2, and Device 3.]
• The plug-and-play of a device is implemented by establishing a NETCONF session between the device and the controller, so that the controller can deliver configurations to the device.
Basic Operations of NETCONF
⚫ NETCONF defines a series of operations:
Scenario | Operation | Function
Query data | <get-config> | Queries configuration data.
Query data | <get> | Queries the current configuration and status data of the device.
Edit data | <edit-config> | Creates, modifies, or deletes configuration data.
Backup/Restoration | <copy-config> | Exports configuration data, or replaces one configuration datastore with another configuration datastore.
Backup/Restoration | <delete-config> | Deletes the configuration datastore and clears the startup configuration.
Locking/Unlocking | <lock> | Exclusively occupies the permission to modify the configuration datastore.
Locking/Unlocking | <unlock> | Releases the exclusive permission to modify the configuration datastore.
Transactional operations | <commit> | Copies the candidate configuration to the device's running configuration.
Transactional operations | <cancel-commit> | Cancels an ongoing confirmed commit.
Transactional operations | <discard-changes> | Discards uncommitted changes to the candidate configuration.
Transactional operations | <validate> | Checks whether the syntax and semantics of the specified configuration data are correct.
Session operations | <close-session> | Normally ends the NETCONF session.
Session operations | <kill-session> | Forcibly terminates other NETCONF sessions. You must have the administrator permission to perform this operation.
LLDP
Network management requirements and overview of LLDP
⚫ Most network management systems (NMSs) can detect Layer 3 network topologies, but cannot detect detailed Layer 2 topologies or configuration conflicts.
⚫ LLDP provides a standard link-layer discovery method. It can:
 Obtain the topology status of the connected devices.
 Display paths between devices.
 Detect configuration conflicts between devices and query network failure causes.
⚫ You can use an NMS to monitor the link status on devices running LLDP and quickly locate network faults.
Application of LLDP in Huawei CloudCampus solution
[Figure: SW1, SW2, and SW3 run LLDP on their links, for example GE1/0/1 between SW2 and SW3 (step 1); the devices report LLDP information to the controller (step 2); the controller restores and displays the network topology based on the LLDP information reported by devices (step 3).]
Example output on SW3:
[SW3] display lldp neighbor brief
Local Intf Neighbor Dev Neighbor Intf Exptime(s)
GE1/0/1 SW2 GE1/0/1 101
• LLDP is a standard Layer 2 topology discovery protocol defined in IEEE 802.1ab. LLDP collects local device information including the management IP address, device ID, and port ID and advertises the information to neighboring devices. Neighboring devices save the received information in their management information bases (MIBs). The NMS can query required information in MIBs to determine link status.
• As networks grow in scale, network devices are increasing in diversity with
complex configurations, posing higher requirements on network management
capabilities. Most NMSs can detect Layer 3 network topologies, but they cannot
detect detailed Layer 2 topologies or configuration conflicts. To address the
network management problems, a standard protocol is required to exchange
Layer 2 information between network devices.
• LLDP provides a standard link-layer discovery method. By obtaining Layer 2
information from devices, LLDP allows users to detect the topology of
neighboring devices, and display paths between clients, switches, routers,
application servers, and network servers. The information also helps detect
configuration conflicts between network devices and identify causes of network
failures. Enterprise users can use an NMS to monitor the link status on devices
running LLDP and quickly locate network faults.
Telemetry
⚫ Telemetry, also called network telemetry, is a technology that remotely collects data from physical or virtual devices at a high speed. Devices periodically send information such as interface traffic statistics, CPU usage, and memory usage to collectors in push mode. Compared with the conventional pull mode (request-response interaction), the push mode provides faster and real-time data collection.
[Figure: telemetry-based data reporting from the device to the collector; the analyzer and controller sit above the collector.]
Network Address Translation (NAT)
⚫ NAT technology translates IP addresses in IP data packets. It is widely used on live networks and is usually deployed on network egress devices, such as routers or firewalls.
⚫ Typical application scenarios:
 When users with private IP addresses attempt to access the Internet, NAT deployed on the egress device of the campus network can translate the source IP addresses of data packets sent from the intranet to the Internet into specific public IP addresses.
 The campus network provides some services for Internet users. When Internet users access these services using public IP addresses, NAT can translate the destination IP addresses of data packets from the Internet.
[Figure: PC (192.168.1.10/24) on the private network, egress router, Internet, web server 200.1.2.3. Packet 1 from the PC: source IP 192.168.1.10, destination IP 200.1.2.3. Packet 4 returned to the PC: source IP 200.1.2.3, destination IP 192.168.1.10.]
Generic Routing Encapsulation (GRE)
⚫ GRE is a protocol that encapsulates data packets of some network layer protocols, such as IPX, IPv6, and IPv4. The encapsulated data packets can then be transmitted over a network using a different network layer protocol, such as IPv4 and IPv6.
⚫ GRE is a Layer 3 tunneling technology that transparently transmits packets over GRE tunnels. It solves the transmission problems on a network that uses different network-layer protocols.
 GRE is easy to implement and adds only a small load on the devices at both ends of a tunnel.
 GRE sets up tunnels over an IPv4 network to connect networks running different protocols, reusing the original network architecture and reducing costs.
 GRE connects non-contiguous subnets and sets up VPNs to ensure secure connections between the enterprise headquarters and branches.
 GRE provides only simple password authentication and does not provide the encryption function.
[Figure: PC1 (2001:0DB8:0:0::1/64) - R1 (1.1.1.1) - GRE tunnel - R2 (2.2.2.2) - PC2 (2001:0DB8:0:1::1/64). The original IPv6 packet (source IP 2001:0DB8:0:0::1, destination IP 2001:0DB8:0:1::1, payload data) is encapsulated with a GRE header and an outer IPv4 header (source IP 1.1.1.1, destination IP 2.2.2.2).]
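As an added example (not code from the Huawei material), the following Python builds the GRE-over-IPv4 encapsulation shown in the figure with the slide's addresses and parses it back; the function names (gre_encapsulate, gre_decapsulate, build_ipv6) are this example's own. It also makes the last point above concrete: the inner IPv6 addresses and payload stay readable inside the tunnel packet because GRE adds no encryption.

```python
import ipaddress
import struct

# Added example, not part of the Huawei training material: build and parse the
# GRE encapsulation drawn on the slide. Outer IPv4 1.1.1.1 -> 2.2.2.2 (R1 -> R2)
# carries an inner IPv6 packet 2001:0DB8:0:0::1 -> 2001:0DB8:0:1::1 (PC1 -> PC2).
# Only the 4-byte basic GRE header (RFC 2784) is built; optional fields are parsed.

GRE_PROTO = 47           # IPv4 protocol number for GRE
ETHERTYPE_IPV6 = 0x86DD  # GRE protocol type of an IPv6 payload
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header; 0 when a received header is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal IPv6 header (default next header 59 = no next header) followed by payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes, proto_type: int) -> bytes:
    """Outer IPv4 header (protocol 47) + basic GRE header + the inner packet."""
    gre = struct.pack("!HH", 0, proto_type)   # flags/version all zero, then protocol type
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner), 0, 0, 64,
                      GRE_PROTO, 0, ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + inner


def gre_decapsulate(pkt: bytes) -> dict:
    """Parse outer IPv4 + GRE. Raises ValueError for anything that is not GRE-in-IPv4."""
    if len(pkt) < 24 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    if pkt[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    flags, proto_type = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = ihl + 4
    # C (0x8000), K (0x2000) and S (0x1000) each add one 32-bit optional field
    for bit in (0x8000, 0x2000, 0x1000):
        if flags & bit:
            offset += 4
    inner = pkt[offset:]
    result = {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto_type": proto_type,
        "inner": inner,
    }
    if proto_type == ETHERTYPE_IPV6 and len(inner) >= 40:
        # GRE adds no encryption: the inner addresses and payload are readable
        # by anyone who can capture the tunnel traffic on the transit network.
        result["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        result["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    return result


def demo() -> dict:
    """PC1 -> PC2 packet as seen after R1 encapsulates it and R2 parses it."""
    inner = build_ipv6("2001:0DB8:0:0::1", "2001:0DB8:0:1::1", b"payload data")
    return gre_decapsulate(gre_encapsulate("1.1.1.1", "2.2.2.2", inner, ETHERTYPE_IPV6))


if __name__ == "__main__":
    print(demo())
```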
IPsec VPN
⚫ Internet Protocol Security (IPsec) is a set of open network security protocols defined by the Internet Engineering Task Force (IETF) to secure data transmission and reduce the risk of information leakage.
⚫ Through encryption and authentication, IPsec ensures secure service data transmission over the Internet from the following dimensions:
 Data source authentication
 Data encryption
 Data integrity verification
 Anti-replay
[Figure: PC1 (192.168.1.1/24) - R1 (1.1.1.1) - IPsec VPN tunnel - R2 (2.2.2.2) - PC2 (172.16.1.1/24). The original packet (source IP 192.168.1.1, destination IP 172.16.1.1, payload data) is encapsulated with a security protocol header and an outer IP header (source IP 1.1.1.1, destination IP 2.2.2.2).]
L2TP VPN
⚫ Layer 2 Tunneling Protocol (L2TP) extends the application of the Point-to-Point Protocol (PPP). It is a VPN tunneling protocol that allows traveling employees or enterprise branches to remotely access intranet resources.
⚫ The L2TP network architecture includes an L2TP access concentrator (LAC) and an L2TP network server (LNS).
 An LAC provides PPP and L2TP processing capabilities, and establishes an L2TP tunnel with the LNS. LACs can be different devices in different networking environments, for example, an LAC can be a gateway or a terminal. An LAC can initiate requests for establishing multiple L2TP tunnels to isolate data flows.
 An LNS is the peer of an LAC. That is, an L2TP tunnel is established between the LAC and the LNS. The LNS is located at the border between the private network of the enterprise headquarters and public network, and is usually the gateway of the enterprise headquarters.
[Figure: an enterprise branch LAC and a remote OA user (LAC) establish L2TP VPN tunnels over the external network to the LNS at the enterprise headquarters.]
SSL VPN
⚫ Secure Sockets Layer (SSL) VPN is an SSL-based remote access VPN technology. It allows mobile users (referred to as remote users in SSL VPN) to securely and conveniently access enterprise intranets and intranet resources, improving work efficiency.
⚫ SSL VPN uses the browser/server (B/S) architecture. Remote users can directly use a web browser to access intranet resources securely and quickly, without the need to install extra client software. SSL VPN provides the following functions:
 Fine-grained permission control based on the type of intranet resources accessed by remote users.
 Flexible identity authentication.
 Host check policies that check whether the operating systems, ports, processes, and antivirus software of remote users' devices meet security requirements. It also provides anti-nested remote desktop connection and anti-snapshot functions to eliminate security risks from remote users' devices.
[Figure: a remote OA user establishes an SSL VPN tunnel over the external network to the enterprise gateway; a server in the DMZ and the intranet sit behind it.]

• B/S: Browser/Server
Contents

1. Introduction to Campus Networks

2. Campus Network Challenges and Huawei CloudCampus Solution

3. Typical Campus Network Technologies

4. Typical Applications of Campus Network Technologies

Case 1 - Traditional Campus Network
Network requirements
⚫ There are about 3000 wireless and wired terminals in total, so the campus network needs to provide both wireless and wired access services.
⚫ Network segments are divided based on departments and services. The gateways are configured on aggregation switches, and terminal addresses are automatically allocated.
⚫ Network devices are centrally managed and monitored.
⚫ Unified policy control is implemented for access users, and the intranet is protected from attacks from external networks.
⚫ Network reliability must be ensured.

Solution
⚫ Access, aggregation, and core switches are stacked or set up a CSS, and Eth-Trunks are configured on uplinks to ensure reliability.
⚫ The AC + Fit AP wireless networking mode is used, and hot standby is configured between ACs to ensure wireless network reliability. VLANs are configured on access switches to differentiate users on different service network segments, and IP addresses are allocated to these users by the corresponding aggregation switches through DHCP. Single-area OSPF is deployed on aggregation devices and upper-layer devices.
⚫ Access authentication is deployed for all users on the network, and corresponding policies are configured using ACLs.
⚫ Firewalls are deployed in the egress zone and security zones are configured to control traffic.
⚫ SNMP is enabled on all devices on the network, and the network management software is used to manage and maintain network devices in a unified manner.
[Figure: Internet and WAN connect to the egress zone; the data center and O&M zone attach to the core layer; core, aggregation, access and terminal layers are connected with iStack/CSS links.]
Case 2 - Virtualized Campus Network
Network requirements
⚫ Reliability and security requirements similar to those of traditional campus networks.
⚫ Plug-and-play and centralized management of network devices, and flexible provisioning of service configurations and policies.
⚫ Isolation of multiple services on the campus network.
⚫ Access control of terminals, and consistent network access rights and experience for users while they are moving within the campus so long as their identities remain unchanged.

Solution
⚫ iMaster NCE-Campus is used to manage network-wide devices. Protocols such as NETCONF and Telemetry are used to implement unified management and maintenance of network devices as well as quick onboarding of devices.
⚫ VXLAN, BGP EVPN, and VRF technologies are used to divide VNs based on service requirements. iMaster NCE-Campus implements simplified deployment of the underlay and overlay networks as well as VN isolation.
⚫ iMaster NCE-Campus is used to authenticate users on the entire network. Free mobility is deployed to define different user groups or resources on the network as different security groups and implement policy control based on security groups.
[Figure: the same layered campus as in Case 1 (egress zone with Internet and WAN, data center, O&M zone, core, aggregation, access and terminal layers with iStack/CSS links) carrying three virtual networks: VN 1, VN 2 and VN 3.]
Case 3 - Small- and Medium-Sized Cloud Managed Campus Network
Network requirements
⚫ There are a large number of stores, most of which use wireless networks and have simple network topologies. In addition, onsite personnel do not have network O&M skills.
⚫ There are many types of wireless terminals, including common wireless terminals and IoT terminals such as electronic shelf labels (ESLs).
⚫ The stores want to push product discounts and promotion activity advertisements to customers who are connecting to the Wi-Fi network in the stores.

Solution
⚫ Deployment by scanning barcodes achieves minute-level AP onboarding and quick provisioning of wireless network services. The cloud management platform provides one-stop management of the entire lifecycle (from planning and construction to maintenance and optimization) of all store networks.
⚫ Deploy IoT APs and use the IoT slots built in the IoT APs to implement co-site deployment of IoT and Wi-Fi, unified planning, and shared network for data backhaul. The ESL management system connects to and interacts with the supermarket management and ERP systems to dynamically display real-time price changes and issue out-of-stock warnings.
⚫ Customers access the network through Portal authentication, and can view customized advertisements displayed on the authentication page.
[Figure: Store 1, Store 2 ... Store N connect over the Internet to the cloud management platform; advertisement push and ESL are the store services.]

• ERP: Enterprise Resource Planning


Quiz

1. (Multiple-Answer Question) Which of the following technologies can be used to improve network reliability? ( )
A. STP
B. Eth-Trunk
C. iStack
D. CSS

2. (True or False) On an MSTP network, devices in the same MST region must be configured with the same VLAN-to-MSTI mappings. ( )
A. True
B. False

1. BCD
2. A
Summary

⚫ This course provides the definition of campus networks, common technologies used in campus networks, and application scenarios of these technologies.
⚫ In subsequent courses, we will discuss how to design networks based on customer requirements, which requires a comprehensive and in-depth understanding of campus network technologies. Due to limited space, this document cannot list every technology used on campus networks. To better understand subsequent courses, you can read related documents for more campus network technologies and a deeper understanding of the key technologies discussed in this course.
Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
VXLAN and Campus Network Virtualization
Foreword

⚫ Virtual eXtensible Local Area Network (VXLAN), defined in RFC 7348, is a Network
Virtualization over L3 (NVO3) technology that uses MAC-in-User Datagram
Protocol (MAC-in-UDP) encapsulation.
⚫ VXLAN has been widely used on data center networks (DCNs). As campus
networks have increasingly flexible service requirements and growing virtualization
and network automation requirements, VXLAN is introduced to campus networks
and works with the SDN controller to provide more benefits for customers.
⚫ This course describes basic concepts and fundamentals of VXLAN and how to use
VXLAN to build a multi-purpose campus network.

Objectives

⚫ On completion of this course, you will be able to:
 Describe the network requirements of VM live migration in the data center (DC) scenario and how VXLAN meets these requirements.
 Describe basic concepts of VXLAN.
 Describe fundamentals of VXLAN.
 Describe the application of VXLAN in campus network virtualization scenarios.
 Describe the application of BGP EVPN in campus network virtualization scenarios and how BGP EVPN works with VXLAN.
Contents

1. Overview of VXLAN and Campus Network Virtualization

2. Basic Concepts and Fundamentals of VXLAN

3. BGP EVPN

4. Campus Network Virtualization

Technical Background: Virtualization Is Widely Deployed by Enterprises
⚫ Virtualization technologies reduce IT costs, improve service deployment flexibility, and reduce O&M costs. More and more enterprises choose to use cloud computing or virtualization technologies in their DCs or campus IT infrastructure.
⚫ After an enterprise chooses the virtualization architecture, services are deployed on VMs in server clusters.
[Figure: services (Web 1, DB, APP, Web 2, DB, APP) run in guest OSs on the hypervisors of a server cluster connected to the physical network.]
New Network Requirement: Layer 2 Extension
⚫ VMs in a virtualization or cloud computing cluster can be migrated flexibly. As a result, VMs running the same service (on the same network segment) may run on different servers, or the same VM (with the same IP address) may run on different servers (physical locations) at different times.
⚫ Physical servers may be located in equipment rooms with long geographical distances. Therefore, Layer 3 interconnection is required.
[Figure: the same server cluster over a physical network (Layer 3). Layer 2 communication is required for the same service, so Layer 2 communication over a Layer 3 network is needed.]

• After servers are virtualized, services are encapsulated in VMs. VMs can be live
migrated to any host in a cluster. One of the features of live migration is that the
network status does not change. As a result, the IP addresses of service VMs may
be in different network locations. Therefore, a large Layer 2 network is required
to solve this problem.
New Network Requirement: Multi-Tenant Isolation
⚫ In cloud-based scenarios, multi-tenancy is supported, that is, different tenants share physical resources. This poses two requirements on the network: inter-tenant isolation and intra-tenant communication.
 Inter-tenant isolation: Tenants may be configured with the same MAC address and IP address. Therefore, physical network isolation needs to be considered. In addition, a large number of potential tenants need to be isolated.
 Intra-tenant communication: VMs on the same network segment of a tenant require Layer 2 communication, which is irrelevant to physical locations.
[Figure: VMs of Tenant 1, Tenant 2 and Tenant 3 are spread across the server cluster over the physical network (Layer 3), requiring intra-tenant Layer 2 communication and inter-tenant network isolation.]
Challenges Facing Traditional Networks
VM quantity limited by entry specifications of devices
• Server virtualization leads to an exponential growth of the number of VMs, compared with physical servers. However, the MAC address table size of a Layer 2 device at the access side is incapable of meeting this change.
• VLANs on traditional Layer 2 networks cannot adapt to dynamic network adjustment.
[Figure: each device must have a large MAC address table to serve the large numbers of VMs in the DC.]
Limited network isolation capabilities
• The VLAN ID field has only 12 bits.
• The number of tenants is much greater than the number of available VLANs in large virtualization and cloud computing service scenarios.
[Figure: 802.1Q-tagged frame: Destination MAC | Source MAC | 802.1Q Tag | Length/Type | Payload | FCS. The 12-bit VLAN IDs can represent only 4096 logical units; the number of tenants supported by a large DC is much greater than 4096.]
Limited VM migration scope
• VM migration must be performed on a Layer 2 network.
• VM migration on a traditional Layer 2 network is limited to a small scope.
[Figure: VMs can be migrated only within an end-to-end VLAN, and the number of VLANs is limited.]

• VXLAN was introduced to meet the requirements of DCNs. On traditional enterprise campus networks, VXLAN is used to construct virtual networks rather than to solve urgent problems of this kind.
Contents

1. Overview of VXLAN and Campus Network Virtualization

2. Basic Concepts and Fundamentals of VXLAN


◼ Basic Concepts
▫ Fundamentals
▫ Basic Configuration

3. BGP EVPN

4. Campus Network Virtualization

Overview of VXLAN
⚫ VXLAN is essentially a virtual private network (VPN) technology and can be used to build a Layer 2 virtual network over any networks with reachable routes. VXLAN uses VXLAN gateways to implement communication within a VXLAN network and communication between a VXLAN network and a non-VXLAN network.
⚫ VXLAN utilizes MAC-in-UDP encapsulation to extend Layer 2 networks. It encapsulates Ethernet packets into IP packets for these Ethernet packets to be transmitted over routes, without considering the MAC addresses of VMs. In addition, the routed network has no limitation on the network structure and supports large-scale expansion. As such, VM migration is not constrained by the network architecture.
[Figure: several local LANs are connected over the underlay by VXLAN tunnels, which form the overlay.]

• VXLAN solves the following problems on traditional networks:
▫ For VM quantity limited by entry specifications of devices.
▪ VXLAN encapsulates original data packets sent from VMs in the same
domain into UDP packets, with the IP and MAC addresses used on the
physical network in outer headers. Devices on the VXLAN network are
aware of only the encapsulated parameters but not the inner data.
▪ Except VXLAN edge devices, other devices on the network do not need
to identify MAC addresses of VMs. This reduces the burden of learning
MAC addresses and improves device performance.
▫ For limited network isolation capabilities.
▪ VXLAN uses a VXLAN Network Identifier (VNI) field similar to the
VLAN ID field to identify users. The VNI field has 24 bits and can
identify up to 16 million VXLAN segments, effectively isolating a large
number of tenants.
▫ For limited VM migration scope.
▪ VMs using IP addresses in the same network segment are in a Layer 2
domain logically, even if they are on different physical Layer 2
networks. VXLAN technology constructs a virtual large Layer 2
network over a Layer 3 network.
• Underlay network: a physical network, which serves as the basic layer of the
upper-layer logical network.
• Overlay network: a logical network established on the underlay network using
tunneling technologies.
Application of VXLAN in DCs
⚫ VXLAN can be applied to a DCN that uses a spine-leaf two-layer physical architecture.
⚫ Spine nodes forward traffic based on routes and are unaware of the VXLAN tunnel during traffic forwarding. Leaf nodes provide network access for device resources such as servers, and perform VXLAN encapsulation and decapsulation.
⚫ All services in the DC are carried by the VXLAN network.
[Figure: physical network: spine nodes above leaf nodes, with Layer 3 interconnection links without Layer 2 loops and dynamic routing protocols for network reachability. Spine-leaf architecture and VXLAN: on-demand VXLAN tunnel establishment between leaf nodes. Upper-layer service network carried by VXLAN.]
Using VXLAN to Build a Multi-Purpose Campus Network
[Figure: multiple services carried on one network. Left: separate OA, videoconferencing and security protection networks, each with its own Internet access. Right: one VXLAN campus network carrying VN1 (OA VN), VN2 (videoconferencing VN) and VN3 (security protection VN) with shared Internet access.]

• The virtualization technology is introduced to create multiple virtual networks (VNs) on a physical network on a campus network. Different VNs are used for different services, such as OA, videoconferencing, and security protection.
Why VXLAN Is Used to Implement Campus Network Virtualization?
Technology | Overlay Network | Underlay Network | Configuration and Management | Carrying User Group Information | Networking Requirements
VLAN | Layer 2 | Layer 2 | CLI or controller-based | None | Widely supported by devices.
MPLS VPN | Layer 3 | Layer 2/Layer 3 | Carrier-level technology requirements | None | End-to-end MPLS must be supported.
VXLAN | Layer 2/Layer 3 | Built on any Layer 2/Layer 3 physical network | CLI or controller-based | Supported | Nodes at both ends of a tunnel support VXLAN.

Layer 3 virtual network supported. A VXLAN network can be built on any complex Layer 3 network. VXLAN works with the SDN controller to implement centralized deployment and automation. There are successful practices.
VXLAN Packet Format

VXLAN encapsulation: Outer Ethernet header | Outer IP header | Outer UDP header | VXLAN header
Original data frame: Inner Ethernet header | Inner IP header | Payload

• Outer IP header: the source IP address is the IP address of the source VTEP of a VXLAN tunnel; the destination IP address is the IP address of the destination VTEP of a VXLAN tunnel.
• Outer UDP header: Source UDP port (hash value) | Destination UDP port (4789) | Length | Checksum
• VXLAN header: VXLAN Flags (00001000), 8 bits | Reserved, 24 bits | VNI, 24 bits | Reserved, 8 bits

• The preceding packet format is the standard VXLAN packet format. Huawei CloudEngine S series switches customize the reserved fields based on the standard format.
Basic Concepts of VXLAN: NVE

⚫ Network Virtualization Edge (NVE):
 A network entity that implements network virtualization functions. A physical or software switch can work as an NVE.
 NVEs run VXLAN and construct a Layer 2 virtual network over a Layer 3 network. SW1 and SW2 in the figure are NVEs.
[Figure: PC1 (192.168.1.1/24) - SW1 (NVE) - VXLAN tunnel across the IP network - SW2 (NVE) - PC2 (192.168.1.2/24).]
Basic Concepts of VXLAN: VTEP

⚫ VXLAN tunnel endpoint (VTEP):
 A VTEP is located on an NVE and encapsulates and decapsulates VXLAN packets.
 In the outer IP header of VXLAN packets, the source IP address is the IP address of the source VTEP, and the destination IP address is the IP address of the destination VTEP.
[Figure: PC1 (192.168.1.1/24) - SW1 (VTEP 1.1.1.1/32) - VXLAN tunnel - SW2 (VTEP 2.2.2.2/32) - PC2 (192.168.1.2/24). The original data frame (Ethernet header | IP header | Payload) is encapsulated as Ethernet header | IP header | UDP header | VXLAN header | original data frame, with outer source IP address 1.1.1.1 and destination IP address 2.2.2.2.]

• A pair of VTEP IP addresses identifies a VXLAN tunnel.
• The source VTEP encapsulates packets and sends the encapsulated packets to the destination VTEP through the VXLAN tunnel. After receiving the encapsulated packets, the destination VTEP decapsulates the packets.
• Generally, the IP address of a loopback interface on a device is used as the VTEP address.
Basic Concepts of VXLAN: VNI and BD

⚫ VXLAN Network Identifier (VNI):
 VNIs are similar to VLAN IDs and are used to differentiate VXLAN segments. VMs in different VXLAN segments cannot communicate with each other at Layer 2.
 A tenant can have one or more VNIs. The VNI field has 24 bits.
⚫ Bridge domain (BD):
 VLANs are used to divide broadcast domains on a traditional network. Similarly, BDs are used to divide broadcast domains on a VXLAN network. A BD identifies a large Layer 2 broadcast domain on a VXLAN network.
 VNIs are mapped to BDs in 1:1 mode. Terminals in the same BD can communicate with each other at Layer 2.
[Figure: PC1 (192.168.1.1/24) - SW1 (BD 20, VNI 2000) - VXLAN tunnel - SW2 (BD 20, VNI 2000) - PC2 (192.168.1.2/24). The original data frame is encapsulated as Ethernet header | IP header | UDP header | VXLAN header | original data frame, with VNI 2000 in the VXLAN header.]
Basic Concepts of VXLAN: VAP

⚫ Virtual access point (VAP):
 A VAP implements VXLAN service access. A VAP can be configured in Layer 2 sub-interface mode or VLAN binding mode:
 Layer 2 sub-interface: In this example, a Layer 2 sub-interface is created on SW1 and associated with BD 10, indicating that only specific traffic on the sub-interface is forwarded to BD 10.
 VLAN binding: In this example, VLAN 10 is configured on SW2 and associated with BD 10, indicating that all traffic from VLAN 10 is forwarded to BD 10.
[Figure: PC1 (192.168.1.1/24) - SW1 - VXLAN tunnel (BD 10) - SW2 - PC2 (192.168.1.2/24). (1) On SW1, sub-interface G0/0/1.1 is bound to BD 10. (2) On SW2, BD 10 is bound to VLAN 10.]

• After traffic from a traditional network enters a VXLAN network, a Layer 2 sub-interface or VLAN is bound to a BD. A VXLAN VNI is specified in the BD to implement mapping from the traditional VLAN network to the VXLAN network.
Basic Concepts of VXLAN: Border and Edge Nodes

[Figure: a VXLAN network with two edge nodes and one border node; the border node connects to the external network.]

⚫ Edge: an edge access device on a VXLAN network, through which traffic from a traditional network enters the VXLAN network.
⚫ Border: a node for communication between a VXLAN network and an external network. It is used for external traffic to enter the VXLAN network or internal traffic to access the external network. It is usually connected to devices (such as routers and firewalls) that have Layer 3 forwarding capabilities.
Basic Concepts of VXLAN: Layer 2 and Layer 3 VXLAN Gateways

[Figure, left: Edge1 and Edge2 act as Layer 2 gateways joined by a VXLAN tunnel, with PC1 (192.168.1.1/24) and PC2 (192.168.1.2/24) in the same subnet; the border is above them. Right: Edge1 and Edge2 are Layer 2 gateways and the border is the Layer 3 gateway, with PC1 (192.168.1.1/24) and PC2 (192.168.2.2/24) in different subnets.]

Layer 2 gateway: forwards traffic to a VXLAN network or is used for intra-subnet communication on the same VXLAN network.
Layer 3 gateway: is used for inter-subnet communication on a VXLAN network and allows access to an external network (non-VXLAN network).
Basic Concepts of VXLAN: VBDIF Interface

[Figure: PC1 (192.168.1.1/24) - SW1 (Layer 2 gateway) - SW3 (Layer 3 gateway with VBDIF 10 at 192.168.1.254 and VBDIF 20 at 192.168.2.254) - SW2 (Layer 2 gateway) - PC2 (192.168.2.2/24).]

⚫ VLANIF interfaces are used for communication between broadcast domains on a traditional network. Similarly, VBDIF interfaces are used for communication between BDs on a VXLAN network.
⚫ A VBDIF interface is a Layer 3 logical interface created for a BD on a Layer 3 VXLAN gateway.
⚫ IP addresses can be configured for VBDIF interfaces to implement communication between different VXLAN segments and between VXLAN and non-VXLAN networks, and to connect a Layer 2 network to a Layer 3 network.
Basic Concepts of VXLAN: Distributed and Centralized Gateways

Centralized gateway: The Layer 3 gateway is deployed on one device. All inter-subnet traffic is forwarded by the gateway to implement centralized traffic management.
[Figure: one Layer 3 gateway above two Layer 2 gateways serving PC1 (192.168.1.1/24), PC2 (192.168.2.1/24) and PC3 (192.168.1.3/24).]
Distributed gateways: VTEPs function as both Layer 2 and Layer 3 gateways. Non-gateway nodes are unaware of VXLAN tunnels and only forward VXLAN packets.
[Figure: two Layer 2/Layer 3 gateways serving PC1 (192.168.1.1/24), PC2 (192.168.2.1/24) and PC3 (192.168.1.3/24).]

• Centralized gateway:
▫ Advantage: Inter-subnet traffic is managed in a centralized manner, simplifying gateway deployment and management.
▫ Disadvantage: The forwarding path is not optimal. The ARP entry specification is a bottleneck. Because a centralized Layer 3 gateway is deployed, ARP entries must be generated on the gateway for terminals whose traffic is forwarded through the gateway.
• Distributed gateways:
▫ Advantage: VTEPs only need to learn ARP entries of terminals connected to them, which eliminates the ARP entry specification bottleneck in the centralized Layer 3 gateway scenario and improves the network scalability.
▫ Disadvantage: Gateway deployment in this scenario is more complex than that in the centralized gateway scenario.
Contents

1. Overview of VXLAN and Campus Network Virtualization

2. Basic Concepts and Fundamentals of VXLAN


▫ Basic Concepts
◼ Fundamentals
▫ Basic Configuration

3. BGP EVPN

4. Campus Network Virtualization

VXLAN Tunnel Establishment Modes

⚫ A VXLAN tunnel is identified by a pair of VTEP IP addresses. Packets are encapsulated on VTEPs and then transmitted based on routes in the VXLAN tunnel. After a VXLAN tunnel is configured, it can be established successfully as long as the VTEPs at both ends of the tunnel have reachable routes to each other's IP address at Layer 3.
⚫ VXLAN tunnels are classified into the following types based on the VXLAN tunnel creation mode:
 Static tunnel: You need to manually configure local and remote VNIs, VTEP IP addresses, and the ingress replication list.
 Dynamic tunnel: VXLAN tunnels are dynamically established using BGP Ethernet Virtual Private Network (Ethernet VPN). When BGP EVPN is used to dynamically establish a VXLAN tunnel, the local and remote VTEPs first establish a BGP EVPN peer relationship before exchanging BGP EVPN routes to learn the VNIs and VTEP IP addresses from each other.
Tunnel Establishment MAC Address Learning Data Frame Forwarding

Static VXLAN Tunnel

⚫ A static VXLAN tunnel is stateless: unlike, for example, an IPsec VPN tunnel, it involves no session negotiation or keepalive. For data transmission it behaves like a GRE tunnel. The address in the ingress replication list is the tunnel destination address written into the outer IP header when VXLAN packets are encapsulated and sent over the tunnel.

Figure: three VTEPs with static tunnels (VNI 100 between VTEP1 and VTEP3, VNI 200 between VTEP1 and VTEP2). PC1 (172.16.1.1/24) is attached to VTEP1 (1.1.1.1/32), PC3 (172.16.1.3/24) to VTEP3 (3.3.3.3/32), and PC2 (172.16.2.2/24) and PC4 (172.16.2.4/24) to VTEP2 (2.2.2.2/32).

VTEP1:
interface nve 1
 source 1.1.1.1
 vni 100 head-end peer-list 3.3.3.3
 vni 200 head-end peer-list 2.2.2.2

VTEP2:
interface nve 1
 source 2.2.2.2
 vni 200 head-end peer-list 1.1.1.1

VTEP3:
interface nve 1
 source 3.3.3.3
 vni 100 head-end peer-list 1.1.1.1

VXLAN MAC Address Entries

⚫ VXLAN implements Layer 2 forwarding on the overlay network. Unicast data frames are forwarded based on MAC address entries.
⚫ When a VTEP receives a data frame from a locally attached device in a BD, it adds the source MAC address of the frame to the MAC address table of that BD and sets the outbound interface to the interface on which the frame was received.
⚫ Such an entry guides the forwarding of data frames destined for a device attached to this VTEP.

Figure: PC1 (172.16.1.1/24, MAC 0000-0000-000A) is attached to S1 through GE1/0/1.10 in BD 10; PC2 (172.16.2.2/24, MAC 0000-0000-000B) is attached through GE1/0/1.20 in BD 20.

<S1>display mac-address bridge-domain 10
-------------------------------------------------------------------------------
MAC Address      VLAN/VSI/BD    Learned-From    Type
-------------------------------------------------------------------------------
0000-0000-000a   -/-/10         GE1/0/1.10      dynamic

<S1>display mac-address bridge-domain 20
-------------------------------------------------------------------------------
MAC Address      VLAN/VSI/BD    Learned-From    Type
-------------------------------------------------------------------------------
0000-0000-000b   -/-/20         GE1/0/1.20      dynamic

How are data frames forwarded to a device connected to a remote VTEP?

Dynamic MAC Address Learning (1)

⚫ Before the local VTEP can forward data frames to a device attached to a remote VTEP, it has to learn the MAC address of that remote device and the VTEP behind which it sits.
⚫ This process is similar to the traditional MAC address table generation process and depends on packet exchange between hosts. Generally, MAC address entries are generated through ARP packet exchange.

Figure: PC1 (192.168.1.1/24, MAC 0000-0000-000A) on Port1 of SW1 (Layer 2 gateway, VTEP 1.1.1.1/32); PC2 (192.168.1.2/24, MAC 0000-0000-000B) on Port1 of SW2 (Layer 2 gateway, VTEP 2.2.2.2/32); a VXLAN tunnel with VNI 1000 between them.

1. PC1 broadcasts an ARP Request packet (Ethernet header + ARP packet).
2. SW1 learns the MAC address of PC1:
   MAC Address        BD   Learned From
   0000-0000-000A     10   Port1
3. SW1 performs VXLAN encapsulation for the ARP packet (Ethernet header + IP header + UDP header + VXLAN header + original data frame) and floods the VXLAN-encapsulated ARP packet to all VTEPs in the ingress replication list.
4. SW2 learns the MAC address of PC1:
   MAC Address        BD   Learned From
   0000-0000-000A     10   1.1.1.1
5. SW2 forwards the ARP packet to PC2 (Ethernet header + ARP packet).
• Communication between PC1 and PC2 is as follows:
   1. To communicate with PC2, PC1 broadcasts an ARP Request packet to obtain the MAC address of PC2.
   2. After receiving the packet, SW1 determines the BD ID, destination VXLAN tunnel, and VNI of the traffic based on the virtual access point (VAP) information, that is, the Layer 2 sub-interface or VLAN bound to the BD. In addition, SW1 learns the MAC address of PC1 and records the BD ID and the interface that received the packet in the corresponding MAC address entry.
   3. SW1 performs VXLAN encapsulation for the ARP Request packet and forwards the encapsulated packet to each VTEP in the ingress replication list.
   4. After receiving the VXLAN packet, SW2 decapsulates it to obtain the original data frame. In addition, SW2 learns the MAC address of PC1 and records the BD ID and the VTEP address of SW1 (the outer source IP address) in the corresponding MAC address entry.
   5. SW2 floods the ARP packet in the local BD. PC2 then receives the packet and learns the ARP information of PC1.
Dynamic MAC Address Learning (2)

6. PC2 sends a unicast ARP Reply packet (Ethernet header + ARP packet).
7. SW2 learns the MAC address of PC2:
   MAC Address        BD   Learned From
   0000-0000-000A     10   1.1.1.1
   0000-0000-000B     10   Port1
8. SW2 searches its MAC address table, matches the entry {0000-0000-000A, 10, 1.1.1.1}, encapsulates the ARP Reply packet (Ethernet header + IP header + UDP header + VXLAN header + original data frame), and sends it to 1.1.1.1.
9. SW1 learns the MAC address of PC2:
   MAC Address        BD   Learned From
   0000-0000-000A     10   Port1
   0000-0000-000B     10   2.2.2.2
10. SW1 forwards the ARP Reply packet to PC1 according to its MAC address entry.

PC1 and PC2 have now learned each other's ARP entries, and SW1 and SW2 have learned the MAC addresses of both PC1 and PC2. This process is called flood and learn.

• Steps 6 to 10 in detail:
   6. PC2 sends a unicast ARP Reply packet.
   7. SW2 already has the MAC address entry of PC1, so it forwards the packet as unicast. At the same time, it learns the source MAC address of PC2 and records it in a new MAC address entry together with the local inbound port.
   8. SW2 encapsulates the ARP Reply packet with a VXLAN header and sends it to the remote VTEP at 1.1.1.1.
   9. After SW1 receives the VXLAN packet, it decapsulates the packet and records the source MAC address of PC2 in its MAC address table. The outbound interface of this entry is the VXLAN tunnel to the remote VTEP 2.2.2.2.
   10. SW1 forwards the packet to PC1.
• As a result, PC1 and PC2 learn each other's ARP entries, and SW1 and SW2 learn the MAC addresses of PC1 and PC2.
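The flood-and-learn sequence above, as an added worked example in Python (this is not code from the training material; the VTEP model, the port names and the third switch SW3 are assumptions for illustration). Three Layer 2 gateways share BD 10 / VNI 1000 with a static ingress replication list. The model shows head-end replication of BUM frames, split horizon so that traffic arriving from a tunnel is never re-flooded into tunnels, and the MAC tables that result after PC1's broadcast ARP Request, PC2's unicast ARP Reply, and a subsequent known unicast frame. It also includes the check a practitioner should expect at the decapsulating VTEP: VXLAN carries no authentication, so frames are accepted only from VTEPs in the configured peer list for that VNI.

```python
from dataclasses import dataclass, field

BROADCAST = "ffff-ffff-ffff"


@dataclass
class Frame:
    dst: str          # MAC addresses in Huawei notation, e.g. "0000-0000-000a"
    src: str
    payload: str


@dataclass
class VTEP:
    """A Layer 2 VXLAN gateway: one BD bound to one VNI, static ingress replication list."""
    name: str
    ip: str
    bd: int
    vni: int
    peer_list: list                                 # remote VTEP IPs for this VNI (head-end peer-list)
    port_bd: dict                                   # local port -> BD (sub-interface "bridge-domain N")
    mac_table: dict = field(default_factory=dict)   # mac -> local port or remote VTEP IP
    fabric: dict = field(default_factory=dict)      # VTEP IP -> VTEP object (the simulated underlay)
    delivered: list = field(default_factory=list)   # (port, frame) handed to local hosts
    tunneled: list = field(default_factory=list)    # (remote VTEP IP, frame) sent over tunnels

    def local_ports(self):
        return [p for p, bd in self.port_bd.items() if bd == self.bd]

    def learn(self, mac, learned_from):
        # Source MAC -> inbound port (local host) or outer source IP (remote VTEP).
        self.mac_table[mac] = learned_from

    def receive_from_host(self, port, frame):
        self.learn(frame.src, port)
        self.forward(frame, ingress=port, from_tunnel=False)

    def receive_from_tunnel(self, src_vtep, vni, frame):
        # Assumed hardening: accept only configured peers for this VNI, because VXLAN has no
        # built-in authentication and a spoofed outer IP could otherwise inject frames into the BD.
        if vni != self.vni or src_vtep not in self.peer_list:
            return
        self.learn(frame.src, src_vtep)
        self.forward(frame, ingress=src_vtep, from_tunnel=True)

    def forward(self, frame, ingress, from_tunnel):
        where = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or where is None:
            # BUM traffic: flood to local ports, then head-end replicate to every peer in the list.
            for port in self.local_ports():
                if port != ingress:
                    self.delivered.append((port, frame))
            if not from_tunnel:          # split horizon: tunnel traffic is never re-flooded into tunnels
                for peer in self.peer_list:
                    self.send_tunnel(peer, frame)
        elif where in self.port_bd:
            self.delivered.append((where, frame))
        else:
            self.send_tunnel(where, frame)

    def send_tunnel(self, peer, frame):
        self.tunneled.append((peer, frame))
        self.fabric[peer].receive_from_tunnel(self.ip, self.vni, frame)


def build_fabric():
    """Three Layer 2 gateways in BD 10 / VNI 1000, each with one host on Port1 (constructed topology)."""
    sw1 = VTEP("SW1", "1.1.1.1", 10, 1000, ["2.2.2.2", "3.3.3.3"], {"Port1": 10})
    sw2 = VTEP("SW2", "2.2.2.2", 10, 1000, ["1.1.1.1", "3.3.3.3"], {"Port1": 10})
    sw3 = VTEP("SW3", "3.3.3.3", 10, 1000, ["1.1.1.1", "2.2.2.2"], {"Port1": 10})
    fabric = {v.ip: v for v in (sw1, sw2, sw3)}
    for v in fabric.values():
        v.fabric = fabric
    return sw1, sw2, sw3


def flood_and_learn():
    """PC1 (on SW1) ARPs for PC2 (on SW2); PC2 replies; PC1 then sends a known unicast frame."""
    sw1, sw2, sw3 = build_fabric()
    pc1, pc2 = "0000-0000-000a", "0000-0000-000b"
    sw1.receive_from_host("Port1", Frame(BROADCAST, pc1, "ARP request"))   # steps 1-5
    sw2.receive_from_host("Port1", Frame(pc1, pc2, "ARP reply"))           # steps 6-10
    sw1.receive_from_host("Port1", Frame(pc2, pc1, "IP data"))             # known unicast
    return sw1, sw2, sw3


if __name__ == "__main__":
    for sw in flood_and_learn():
        print(sw.name, sw.mac_table, "copies tunneled:", len(sw.tunneled))
```

Running the model shows the asymmetry that matters in practice: the broadcast ARP Request is replicated to both remote VTEPs, but the unicast ARP Reply reaches only SW1, so SW3 never learns the MAC address of PC2 and would have to flood again if PC3 ever addressed it.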
Intra-Subnet Forwarding of Unicast Packets with Known Destination Addresses

Figure: PC1 (192.168.1.1/24, MAC AAAA-0000-0001) on Port1 of SW1 (Layer 2 gateway, VTEP 1.1.1.1/32); PC2 (192.168.1.2/24, MAC AAAA-0000-0002) on Port1 of SW2 (Layer 2 gateway, VTEP 2.2.2.2/32); a VXLAN tunnel with VNI 1000 between them.

MAC address table of SW1                      MAC address table of SW2
MAC Address      BD   Learned From            MAC Address      BD   Learned From
AAAA-0000-0001   10   Port1                   AAAA-0000-0001   10   1.1.1.1
AAAA-0000-0002   10   2.2.2.2                 AAAA-0000-0002   10   Port1

1. PC1 sends a unicast frame to PC2 (Ethernet header + payload).
2. SW1 searches its MAC address table for the MAC address of PC2 and finds the matching entry, which points to the remote VTEP 2.2.2.2.
3. SW1 performs VXLAN encapsulation for the frame and adds a new outer IP header (Ethernet header + IP header + UDP header + VXLAN header + original data frame). The source IP address of the outer header is 1.1.1.1 and the destination IP address is 2.2.2.2, the VTEP address of SW2.
4. SW2 decapsulates the packet and searches its MAC address table for the MAC address of PC2, which points to Port1.
5. SW2 forwards the frame to PC2 (Ethernet header + payload).
BUM Traffic Forwarding

⚫ When transmitting broadcast, unknown unicast, and multicast (BUM) traffic, the VTEP replicates the traffic and sends one copy to each remote VTEP in the ingress replication list (head-end replication). In this way, BUM traffic is flooded on the overlay network.

Figure: PC1 (172.16.2.1/24) is attached to VTEP1 (1.1.1.1/32); PC2 (172.16.2.2/24) to VTEP3 (3.3.3.3/32); PC3 (172.16.2.3/24) to VTEP2 (2.2.2.2/32).
1. PC1 sends BUM traffic to VTEP1.
2. VTEP1 encapsulates one copy per peer: for the copy to VTEP2, VXLAN header + UDP header + IP header with Src 1.1.1.1 and Dst 2.2.2.2; for the copy to VTEP3, the same with Dst 3.3.3.3.
Inter-Subnet Forwarding

Figure: PC1 (192.168.1.1/24, default gateway 192.168.1.254) is attached to SW1 (Layer 2 gateway, VTEP 1.1.1.1/32); Server2 (192.168.2.1/24, default gateway 192.168.2.254) is attached to SW2 (Layer 2 gateway, VTEP 2.2.2.2/32). SW3 (Layer 3 gateway, VTEP 3.3.3.3/32) has VBDIF 10 (192.168.1.254, MAC 00AB-09FF-1111) and VBDIF 20 (192.168.2.254, MAC 00AB-09FF-2222).

Routing table of SW3
Destination/Mask   Next Hop        Outbound Interface
192.168.1.0/24     192.168.1.254   VBDIF10
192.168.2.0/24     192.168.2.254   VBDIF20

1. PC1 sends a unicast frame to Server2 (Ethernet header + payload), with the destination MAC address of its gateway.
2. SW1 encapsulates the frame (Ethernet header + IP header + UDP header + VXLAN header + original data frame) with source IP address 1.1.1.1, destination IP address 3.3.3.3, and VNI 1000.
3. SW3 decapsulates the packet, routes it from VBDIF 10 to VBDIF 20, and re-encapsulates it.
4. SW3 sends the packet (Ethernet header + IP header + UDP header + VXLAN header + original data frame) with source IP address 3.3.3.3, destination IP address 2.2.2.2, and VNI 2000.
5. SW2 decapsulates the packet and forwards the frame to Server2 (Ethernet header + payload).
• PC1 wants to communicate with Server2. Finding that Server2 is on a different subnet, PC1 sends the packet to its gateway.
• The destination MAC address of the data packet sent by PC1 is 00AB-09FF-1111 (the gateway MAC address). After receiving the packet, SW1 searches its Layer 2 forwarding table and finds that the outbound interface for this MAC address is the remote VTEP (the Layer 3 gateway). SW1 therefore adds a VXLAN header (VNI = 1000) to the packet and sends it to SW3.
• After receiving the packet, SW3 decapsulates it and finds that the destination MAC address of the inner frame is 00AB-09FF-1111, the MAC address of its own interface VBDIF 10. SW3 therefore searches its Layer 3 forwarding table.
• SW3 searches the routing table and finds that the destination IP address 192.168.2.1 matches the direct route generated by VBDIF 20. SW3 then searches the ARP table for the destination MAC address and the MAC address table for the outbound interface. On SW3, the outbound interface for the MAC address corresponding to 192.168.2.1 is the remote VTEP at 2.2.2.2, so SW3 encapsulates the packet into a VXLAN packet (VNI = 2000) and sends it to SW2.
• After receiving the packet, SW2 decapsulates it and finds that the destination MAC address is not the MAC address of any local interface. SW2 then searches the Layer 2 forwarding table and forwards the frame through the local interface found in the MAC address table.
Contents

1. Overview of VXLAN and Campus Network Virtualization
2. Basic Concepts and Fundamentals of VXLAN
   ▫ Basic Concepts
   ▫ Fundamentals
   ◼ Basic Configuration
3. BGP EVPN
4. Campus Network Virtualization
VXLAN Configuration (1)

1. Create a BD.
[Huawei] bridge-domain bd-id
Create a BD in the system view and enter the BD view. The value ranges from 1 to 16777215.

2. Create a VNI.
[Huawei-bd100] vxlan vni vni-id
Create a VNI in the BD view and associate it with the BD. The value ranges from 1 to 16777215.

3. Create an NVE interface.
[Huawei] interface nve nve-number
Create an NVE interface and enter its view. The NVE interface number must be 1.

4. Configure an IP address for the source VTEP.
[Huawei-Nve1] source ip-address
Configure the IP address of the local (source) VTEP. A loopback interface address is recommended.

VXLAN Configuration (2)

5. Configure an ingress replication list.
[Huawei-Nve1] vni vni-id head-end peer-list ip-address &<1-10>
Configure a VNI in the NVE view and specify the IP addresses of the remote VTEPs (1 to 10 addresses per command) to create an ingress replication list. The local NVE replicates and forwards BUM packets based on this list.

6. Configure an encapsulation mode on a Layer 2 sub-interface.
[Huawei-GE1/0/1.1] encapsulation { dot1q [ vid low-vid [ to high-vid ] ] | default | untag | qinq [ vid id ] }
Configure an encapsulation mode to determine which type of data packet can pass through the Layer 2 sub-interface.

7. Bind a VLAN to the BD.
[Huawei-bd] l2 binding vlan vlan-id
This command is configured in the BD view. Before binding a global VLAN to a BD, ensure that the global VLAN has been created and that interfaces have been added to it.

8. Configure a Layer 3 gateway.
[Huawei] interface vbdif bd-id
Create a VBDIF interface in the system view, enter the VBDIF interface view, and configure the gateway IP address in that view.
Configuration Example: Intra-Subnet Communication (1)
Step: Configure a VXLAN tunnel

Figure: SW1 (VTEP 1.1.1.1/32) and SW2 (VTEP 2.2.2.2/32) share BD 100 / VNI 10000. IP1 (192.168.1.1/24) and IP2 (192.168.1.2/24) are attached to SW1 through GE1/0/1 and GE1/0/2; IP3 (192.168.1.3/24) is attached to SW2 through GE1/0/10.

SW1 configuration:
[SW1] bridge-domain 100
[SW1-bd100] vxlan vni 10000
[SW1] interface Nve 1
[SW1-Nve1] source 1.1.1.1
[SW1-Nve1] vni 10000 head-end peer-list 2.2.2.2

SW2 configuration:
[SW2] bridge-domain 100
[SW2-bd100] vxlan vni 10000
[SW2] interface Nve 1
[SW2-Nve1] source 2.2.2.2
[SW2-Nve1] vni 10000 head-end peer-list 1.1.1.1

• Configure a VXLAN tunnel between the two switches so that the three PCs on the same network segment can communicate with each other.
Configuration Example: Intra-Subnet Communication (2)
Step: Configure service access

SW1 configuration (Layer 2 sub-interface access):
[SW1] interface GigabitEthernet 1/0/1.1 mode l2
[SW1-GigabitEthernet1/0/1.1] encapsulation untag
[SW1-GigabitEthernet1/0/1.1] bridge-domain 100
[SW1] interface GigabitEthernet 1/0/2.1 mode l2
[SW1-GigabitEthernet1/0/2.1] encapsulation untag
[SW1-GigabitEthernet1/0/2.1] bridge-domain 100

SW2 configuration (VLAN binding):
[SW2] bridge-domain 100
[SW2-bd100] l2 binding vlan 1

• Configure a VXLAN tunnel between the two switches so that the three PCs on the same network segment can communicate with each other.
Question 1: What is the difference between the access modes of SW2 and SW1?
Question 2: How is the gateway 192.168.1.254 configured?

1. SW1 provides Layer 2 sub-interface access, and SW2 uses the VLAN binding mode.
2. Create a VBDIF interface as the gateway for the terminals in the BD.
Configuration Example: Inter-subnet Communication (Centralized Gateway) (1)
Step: Configure a VXLAN tunnel

Figure: SW1 (VTEP 1.1.1.1/32, BD 100 / VNI 10000) connects the host 192.168.1.10/24 through GE1/0/1; SW2 (VTEP 2.2.2.2/32, BD 200 / VNI 20000) connects the host 192.168.2.10/24 through GE1/0/1; SW3 (VTEP 3.3.3.3/32) is the centralized gateway with the addresses 192.168.1.1 and 192.168.2.1.

SW1 configuration:
[SW1] bridge-domain 100
[SW1-bd100] vxlan vni 10000
[SW1] interface Nve 1
[SW1-Nve1] source 1.1.1.1
[SW1-Nve1] vni 10000 head-end peer-list 3.3.3.3

SW2 configuration:
[SW2] bridge-domain 200
[SW2-bd200] vxlan vni 20000
[SW2] interface Nve 1
[SW2-Nve1] source 2.2.2.2
[SW2-Nve1] vni 20000 head-end peer-list 3.3.3.3

• VXLAN tunnels are configured between the three switches to implement mutual access between two PCs on different network segments. The centralized VXLAN gateway is deployed on SW3.
Question: How is SW3 configured?

• On SW3, configure the NVE interface with tunnels to SW1 and SW2, and create VBDIF 100 and VBDIF 200 as the gateways for the terminals in BD 100 and BD 200.
Configuration Example: Inter-subnet Communication (Centralized Gateway) (2)
Step: Configure service access

SW1 configuration:
[SW1] interface GigabitEthernet 1/0/1.1 mode l2
[SW1-GigabitEthernet1/0/1.1] encapsulation untag
[SW1-GigabitEthernet1/0/1.1] bridge-domain 100

SW2 configuration:
[SW2] interface GigabitEthernet 1/0/1.1 mode l2
[SW2-GigabitEthernet1/0/1.1] encapsulation untag
[SW2-GigabitEthernet1/0/1.1] bridge-domain 200

• VXLAN tunnels are configured between the three switches to implement mutual access between two PCs on different network segments. The centralized VXLAN gateway is deployed on SW3.
Question: If traffic from 192.168.2.10 carries VLAN 20, how do we configure SW2?

• Configure GE1/0/1 of SW2 as a trunk interface that allows packets from VLAN 20 to pass through (or configure the interface as an access interface with VLAN 20 as its default VLAN), and bind VLAN 20 to BD 200.
Configuration Example: Inter-subnet Communication (Centralized Gateway) (3)
Step: Configure a gateway

SW3 configuration:
[SW3] bridge-domain 100
[SW3-bd100] vxlan vni 10000
[SW3] bridge-domain 200
[SW3-bd200] vxlan vni 20000
[SW3] interface Nve 1
[SW3-Nve1] source 3.3.3.3
[SW3-Nve1] vni 10000 head-end peer-list 1.1.1.1
[SW3-Nve1] vni 20000 head-end peer-list 2.2.2.2
[SW3] interface Vbdif100
[SW3-Vbdif100] ip address 192.168.1.1 24
[SW3] interface Vbdif200
[SW3-Vbdif200] ip address 192.168.2.1 24

• VXLAN tunnels are configured between the three switches to implement mutual access between two PCs on different network segments. The centralized VXLAN gateway is deployed on SW3.
Contents

1. Overview of VXLAN and Campus Network Virtualization
2. Basic Concepts and Fundamentals of VXLAN
3. BGP EVPN
   ◼ Basic Concepts
   ▫ BGP EVPN Routes
   ▫ BGP EVPN Features
4. Campus Network Virtualization
Using BGP EVPN as the Control Plane Protocol

BGP EVPN not used (static VXLAN):
• Problem 1: A total of N x (N-1)/2 full-mesh tunnels must be created for N nodes, each configured manually at both ends, causing a heavy configuration workload.
• Problem 2: The flood and learn mechanism is used to learn MAC addresses. As a result, a large amount of traffic is flooded.

BGP EVPN used as the control plane protocol:
• BGP EVPN is enabled on the devices, and BGP EVPN peer relationships are established between them.
• The devices exchange BGP EVPN routes to complete VXLAN control plane operations.
• VXLAN tunnels are established automatically through BGP EVPN, and forwarding entries are updated dynamically through BGP EVPN.
• In practice, a route reflector (RR) can be used to further reduce the number of BGP EVPN peer relationships.

• The static VXLAN solution has no control plane. VTEP discovery and learning of host information (including IP addresses, MAC addresses, VNIs, and gateway VTEP IP addresses) are performed through traffic flooding on the data plane. As a result, a lot of traffic is flooded on VXLAN networks. To address this problem, VXLAN uses EVPN as its control plane protocol. EVPN allows VTEPs to exchange BGP EVPN routes to implement automatic VTEP discovery and host information advertisement, preventing unnecessary traffic flooding.
• Problems of configuring VXLAN in static mode:
   ▫ If N devices need to establish VXLAN tunnels, up to N(N-1)/2 tunnels must be configured manually, with the ingress replication list maintained on every device.
   ▫ A static VXLAN tunnel only has a data forwarding plane.
   ▫ Remote MAC addresses can be learned only through flooded (broadcast) ARP packets.
Overview of BGP EVPN

⚫ EVPN extends BGP to define several types of BGP EVPN routes: the MP_REACH_NLRI attribute carries a new kind of NLRI, the EVPN NLRI, which has several route types.
⚫ BGP EVPN routes carry VTEP addresses and host information. Applied to VXLAN networks, EVPN moves VTEP discovery and host information learning from the data plane to the control plane.

Figure: SW1 and SW2 with a BGP EVPN peer relationship between them.

• Type 2 routes (MAC/IP routes): used to advertise host MAC addresses, ARP entries, and host IP routes.
• Type 3 routes (inclusive multicast routes): used to carry the Layer 2 VNI (L2VNI) and the VTEP IP address, implementing automatic VTEP discovery, dynamic VXLAN tunnel establishment, and BUM packet forwarding.
• Type 5 routes (IP prefix routes): used to advertise IP prefixes, that is, host routes and external network routes; unlike Type 2 routes, they carry no host MAC address or ARP entry.

• In a network virtualization overlay (NVO) scenario, BGP EVPN is used together with VXLAN as the control plane protocol.
EVPN NLRI

⚫ The EVPN NLRI is carried in the MP_REACH_NLRI path attribute. The address family identifier (AFI) is 25 (L2VPN), and the subsequent address family identifier (SAFI) is 70 (EVPN).

Path Attribute - MP_REACH_NLRI
  Flags: Optional, Non-transitive
  Type Code: MP_REACH_NLRI (14)
  Length
  Address family identifier (AFI): Layer-2 VPN (25)
  Subsequent address family identifier (SAFI): EVPN (70)
  Next hop network address (4 bytes)
  EVPN NLRI:
    Route Type (1 octet)
    Length (1 octet)
    Route Type specific (variable)
Extended Community

⚫ BGP EVPN is similar to MPLS VPN. To control the sending and receiving of routes, BGP EVPN uses the EVPN instance, which is analogous to the traditional IP VPN instance. An EVPN instance has RD and RT values. When routes are transmitted, the extended community attribute carries the RT value of the EVPN instance.
⚫ In addition to the RT, BGP EVPN adds new sub-types to the extended community attribute, including the MAC Mobility and EVPN Router's MAC extended communities.

Path Attribute - EXTENDED_COMMUNITIES
  Flags: Optional, Transitive
  Type Code: EXTENDED_COMMUNITIES (16)
  Length
  Route Target (RT)
  MAC Mobility Extended Community
  EVPN Router's MAC Extended Community

• For details about the RD and RT, see HCIP-Advanced Routing Switching - 08 MPLS VPN Principles and Configuration.
EVPN Instance

⚫ After an EVPN instance is bound to a BD, the MAC address entries of the BD are advertised in BGP EVPN routes that carry the export RT (ERT) of the EVPN instance bound to the BD. After receiving the EVPN routes, the remote end compares the ERT carried in the routes with the import RT (IRT) of its local EVPN instance and, if they match, adds the routes to the routing table of that EVPN instance. The remote end then parses the EVPN routing table to obtain MAC address entries and adds them to the MAC address table of the BD bound to the EVPN instance.

Figure: PC1 is attached to SW1 (VTEP 1.1.1.1/32) and PC2 to SW2 (VTEP 2.2.2.2/32), with a VXLAN tunnel between them. SW1 sends a BGP Update message carrying an EVPN route with RT = 202:1.

SW1: EVPN RD 20:1, EVPN ERT 202:1, EVPN IRT 200:1
SW2: EVPN RD 20:1, EVPN ERT 200:1, EVPN IRT 202:1

If the ERT and IRT are not specified separately and only a single RT value is configured, the ERT and IRT are the same.
Contents

1. Overview of VXLAN and Campus Network Virtualization
2. Basic Concepts and Fundamentals of VXLAN
3. BGP EVPN
   ▫ Basic Concepts
   ◼ BGP EVPN Routes
   ▫ BGP EVPN Features
4. Campus Network Virtualization
MAC/IP Route (1)

⚫ Type 2 routes (MAC/IP routes): used to advertise host MAC addresses, ARP entries, and host IP routes.

Format of a MAC/IP route                 Field description
Route Distinguisher (8 bytes)            Route distinguisher (RD) of the EVPN instance.
Ethernet Segment Identifier (10 bytes)   Unique ID for the connection between local and remote devices.
Ethernet Tag ID (4 bytes)                VLAN ID configured on the device.
MAC Address Length (1 byte)              Length of the host MAC address carried in the route, in bits.
MAC Address (6 bytes)                    Host MAC address carried in the route.
IP Address Length (1 byte)               Mask length of the host IP address carried in the route, in bits.
IP Address (0, 4, or 16 bytes)           Host IP address carried in the route.
MPLS Label1 (3 bytes)                    L2VNI carried in the route.
MPLS Label2 (0 or 3 bytes)               L3VNI carried in the route.
MAC/IP Route (2)

⚫ In different scenarios, Type 2 routes carry different contents.

Field                         MAC address advertisement   ARP advertisement   IP route (IRB) advertisement
Route Distinguisher           carried                     carried             carried
Ethernet Segment Identifier   carried                     carried             carried
Ethernet Tag ID               carried                     carried             carried
MAC Address Length            carried                     carried             carried
MAC Address                   carried                     carried             carried
IP Address Length             0                           carried             carried
IP Address                    absent                      carried             carried
MPLS Label1                   L2VNI                       L2VNI               L2VNI
MPLS Label2                   absent                      absent              L3VNI

• MAC address advertisement: when hosts on the same subnet communicate with each other, the host MAC address is advertised; the route carries the host MAC address and the L2VNI.
• ARP advertisement: in a centralized gateway scenario, ARP routes are advertised; they carry host IP addresses, MAC addresses, and L2VNIs.
• IP route advertisement: IRB routes are advertised when inter-subnet access is deployed in a distributed gateway scenario; they carry the MAC addresses, IP addresses, L2VNIs, and L3VNIs of hosts.

• The first three fields (RD, Ethernet Segment Identifier, and Ethernet Tag ID) of a Type 2 route are the same in all three scenarios; only the remaining six fields differ.
MAC Address Advertisement

⚫ This slide shows how BGP EVPN uses Type 2 routes to implement dynamic MAC address learning. This function is used to implement intra-subnet communication through VXLAN.

Figure: PC1 (172.16.1.1/24, MAC 0000-0000-0001) on Port1 of SW1 (Layer 2 gateway, VTEP 1.1.1.1/32, BD 10, L2VNI 10, RD 10:1, ERT 10:1); SW2 (Layer 2 gateway, VTEP 2.2.2.2/32, BD 10, L2VNI 10, RD 20:1, IRT 10:1); a VXLAN tunnel between them.

1. PC1 sends traffic.
2. SW1 learns the MAC address of PC1:
   MAC Address        BD   Learned From
   0000-0000-0001     10   Port1
3. SW1 sends a BGP Update message with EVPN RT = 10:1 and a Type 2 route: RD = 10:1, MAC address = 0000-0000-0001, VNI = 10.
4. SW2 learns the MAC address of PC1:
   MAC Address        BD   Learned From
   0000-0000-0001     10   1.1.1.1

• Intra-subnet host MAC address advertisement:
   1. PC1 generates data traffic and sends it to SW1.
   2. SW1 obtains the MAC address of PC1 and creates an entry in its MAC address table recording the MAC address, BD ID, and inbound interface.
   3. SW1 generates a BGP EVPN route from this entry and sends it to SW2. The route carries the RT value of the local EVPN instance and a Type 2 route (MAC route). In the MAC route, the MAC address of PC1 is stored in the MAC Address field and the L2VNI in the MPLS Label1 field.
   4. After receiving the BGP EVPN route from SW1, SW2 checks the RT carried in the route (similar to the RT concept in MPLS VPN). If the RT matches the import RT of the local EVPN instance, SW2 accepts the route; otherwise, it discards it. After accepting the route, SW2 obtains the MAC address of PC1 and the mapping between the BD ID and the VTEP IP address of SW1 (the next hop network address in MP_REACH_NLRI), and generates the MAC address entry of PC1 in its local MAC address table. Based on the next hop, the outbound interface of the entry recurses to the VXLAN tunnel destined for SW1.
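The Type 2 (MAC/IP) route format and the RT check in step 4, as an added Python example (this is not code from the training material or from any BGP implementation). It encodes and strictly decodes the EVPN NLRI field by field as laid out in the MAC/IP route table: the MAC-only route SW1 advertises for PC1 (RD 10:1, MAC 0000-0000-0001, L2VNI 10) and an IRB route that additionally carries the host IP address and an L3VNI. Assumptions: RDs are type 0 (2-byte AS : 4-byte number) as written in the slides, RTs are encoded as two-octet-AS Route Target extended communities, and the L3VNI value 5000 is chosen for illustration. The import function accepts a route only when one of its RT communities equals an import RT of the local EVPN instance, as the text describes.

```python
import ipaddress
import struct

EVPN_ROUTE_TYPE_MAC_IP = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def mac_str(b: bytes) -> str:
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def rd_bytes(rd: str) -> bytes:
    """Type 0 RD 'ASN:number' (2-byte AS, 4-byte assigned number), the form the slides use (10:1)."""
    asn, num = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def rt_ext_community(rt: str) -> bytes:
    """Two-octet-AS Route Target extended community (type 0x00, sub-type 0x02), 8 bytes."""
    asn, num = (int(x) for x in rt.split(":"))
    return struct.pack("!BBHI", 0x00, 0x02, asn, num)


def encode_mac_ip_route(rd, mac, l2vni, ip=None, l3vni=None, eth_tag=0, esi=bytes(10)):
    """Type 2 NLRI: RD, ESI, Ethernet Tag, MAC len + MAC, IP len + IP, Label1 (L2VNI), optional Label2 (L3VNI)."""
    body = rd_bytes(rd) + esi + struct.pack("!I", eth_tag)
    body += bytes([48]) + mac_bytes(mac)                 # MAC Address Length is in bits
    if ip is None:
        body += bytes([0])                               # MAC-only route: IP length 0, no IP field
    else:
        packed = ipaddress.ip_address(ip).packed
        body += bytes([len(packed) * 8]) + packed
    body += l2vni.to_bytes(3, "big")                     # MPLS Label1 carries the 24-bit L2VNI
    if l3vni is not None:
        body += l3vni.to_bytes(3, "big")                 # MPLS Label2 carries the L3VNI (IRB routes only)
    return bytes([EVPN_ROUTE_TYPE_MAC_IP, len(body)]) + body


def decode_mac_ip_route(nlri: bytes) -> dict:
    """Strict parser: every length field is checked against the bytes actually present."""
    if len(nlri) < 2 or nlri[0] != EVPN_ROUTE_TYPE_MAC_IP:
        raise ValueError("not a Type 2 route")
    body = nlri[2:2 + nlri[1]]
    if len(body) != nlri[1] or len(body) < 33:
        raise ValueError("truncated NLRI")
    rd_type, asn, num = struct.unpack("!HHI", body[0:8])
    if rd_type != 0:
        raise ValueError("only type 0 RDs are handled in this example")
    esi, eth_tag = body[8:18], struct.unpack("!I", body[18:22])[0]
    if body[22] != 48:
        raise ValueError("unsupported MAC length")
    mac, off = mac_str(body[23:29]), 29
    ip_len, off = body[off], off + 1
    if ip_len not in (0, 32, 128):
        raise ValueError("bad IP length")
    n = ip_len // 8
    if len(body) < off + n + 3:
        raise ValueError("truncated address or label")
    ip = str(ipaddress.ip_address(body[off:off + n])) if n else None
    off += n
    l2vni, off = int.from_bytes(body[off:off + 3], "big"), off + 3
    l3vni = None
    if len(body) - off == 3:
        l3vni, off = int.from_bytes(body[off:off + 3], "big"), off + 3
    if off != len(body):
        raise ValueError("trailing bytes in NLRI")
    return {"rd": f"{asn}:{num}", "esi": esi.hex(), "eth_tag": eth_tag, "mac": mac,
            "ip": ip, "l2vni": l2vni, "l3vni": l3vni}


def import_route(nlri: bytes, ext_communities, import_rts):
    """Accept the route only if one of its RT communities matches an IRT of the local EVPN instance."""
    wanted = {rt_ext_community(rt) for rt in import_rts}
    if not any(c in wanted for c in ext_communities):
        return None
    return decode_mac_ip_route(nlri)


if __name__ == "__main__":
    route = encode_mac_ip_route("10:1", "0000-0000-0001", 10)           # SW1's MAC route for PC1
    print(route.hex())
    print(import_route(route, [rt_ext_community("10:1")], ["10:1"]))   # accepted on SW2 (IRT 10:1)
    print(import_route(route, [rt_ext_community("202:1")], ["200:1"])) # mismatched RT: None
```

The decoder refuses an NLRI whose length byte claims more than is present or that leaves trailing bytes; a receiver that instead indexes fields by fixed offsets would silently mis-read the label fields of an IRB route as part of the IP address, which is why the IP Address Length and the presence of Label2 must both be derived from the bytes actually carried.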
ARP Advertisement

⚫ This slide describes how BGP EVPN uses Type 2 routes to advertise host ARP entries.

Figure: PC1 (172.16.1.1/24, MAC 0000-0000-0001) is attached to SW1 (Layer 3 gateway, VTEP 1.1.1.1/32, BD 10, L2VNI 10, RD 10:1, ERT 10:1); SW2 (Layer 3 gateway, VTEP 2.2.2.2/32, BD 10, L2VNI 10, RD 20:1, IRT 10:1); a VXLAN tunnel between them.

1. SW1 learns the ARP entry of PC1.
2. SW1 sends a BGP Update message with EVPN RT = 10:1 and a Type 2 route: RD = 10:1, MAC address = 0000-0000-0001, IP address = 172.16.1.1, L2VNI = 10.
3. The Layer 3 gateway SW2 obtains the ARP information of PC1.

When BGP EVPN is used in a centralized gateway scenario, the inter-subnet packet forwarding process is similar to that in a static VXLAN scenario.

• A MAC/IP route can carry both the MAC and IP addresses of a host and can therefore be used to advertise ARP entries between VTEPs. The MAC Address and MAC Address Length fields identify the MAC address of the host, whereas the IP Address and IP Address Length fields identify its IP address. This type of MAC/IP route is called an ARP route. ARP advertisement applies to the following scenarios:
   ▫ ARP broadcast suppression. After a Layer 3 gateway learns the ARP entries of a host, it generates host information containing the host IP and MAC addresses, the Layer 2 VNI, and the gateway's VTEP IP address. The Layer 3 gateway then sends an ARP route carrying this host information to the Layer 2 gateways. When a Layer 2 gateway receives an ARP request, it checks whether it holds host information for the destination IP address of the request. If so, the Layer 2 gateway replaces the broadcast destination MAC address of the ARP request with the host's unicast MAC address and unicasts the packet. This suppresses ARP broadcast traffic.
   ▫ VM migration in distributed gateway scenarios. After a VM migrates from one gateway to another, the new gateway learns the ARP entry of the VM (after the VM sends gratuitous ARP packets) and generates host information containing the host IP and MAC addresses, the Layer 2 VNI, and the gateway's VTEP IP address. The new gateway then sends an ARP route carrying this host information to the original gateway. After receiving the ARP route, the original gateway detects the VM location change and triggers ARP probing. If ARP probing fails, the original gateway withdraws the ARP and host routes of the VM.
• ARP advertisement is mainly used in the centralized VXLAN gateway + BGP EVPN scenario. In BGP EVPN, advertising ARP routes and advertising IRB routes to peers are mutually exclusive: only one of the two can be configured. Generally, ARP advertisement is chosen in the centralized VXLAN gateway + BGP EVPN scenario, and IRB advertisement in the distributed VXLAN gateway + BGP EVPN scenario.
Inter-Subnet Communication in a Distributed Gateway Scenario

Inter-subnet forwarding in a VLAN through VLANIF interfaces (figure): PC1 (172.16.10.1/24, MAC 1) and PC2 (172.16.20.2/24, MAC 3) are attached to one switch with VLANIF 10 and VLANIF 20. Step 1: bridging in VLAN 10; step 2: routing between VLANIF 10 and VLANIF 20; step 3: bridging in VLAN 20.

Inter-BD forwarding in VXLAN through VBDIF interfaces (figure): PC1 (172.16.2.1/24) is attached to VTEP1 and PC2 (172.16.1.2/24) to VTEP2, with a VXLAN tunnel between them. In distributed gateway networking, VBDIF 10 and VBDIF 20 can be created on both VTEP1 and VTEP2. How do we implement routing between VBDIF interfaces during inter-subnet communication?

• In distributed gateway networking, VTEPs function as both Layer 2 and Layer 3 gateways. Inter-subnet communication can then be implemented in multiple modes. Depending on how the ingress VTEP processes traffic, inter-subnet communication is implemented through asymmetric or symmetric Integrated Routing and Bridging (IRB).
• Inter-subnet forwarding in a VLAN through VLANIF interfaces:
   ▫ Based on its own IP address, its mask, and the peer IP address, PC1 finds that the destination PC2 is on a different network segment. PC1 therefore sends the traffic destined for PC2 to its gateway. In the data packet sent by PC1, the source MAC address is MAC 1 and the destination MAC address is MAC 2, the gateway MAC address.
   ▫ After receiving the packet from PC1, the switch finds that the destination MAC address is the MAC address of VLANIF 10. The switch therefore considers the packet to be addressed to itself and hands it to the routing module for further processing.
   ▫ The routing module parses the packet and finds that the destination IP address 172.16.20.2 is not the IP address of a local interface, so the packet needs to be forwarded at Layer 3. When the routing module searches the routing table, the packet matches the direct route generated by VLANIF 20.
   ▫ Because a direct route is matched, the packet has reached its last hop. The switch therefore searches the ARP table for 172.16.20.2, obtains the corresponding MAC address, and hands the packet to the switching module, which re-encapsulates it into a data frame.
   ▫ The switching module searches the MAC address table to determine the outbound interface and whether the frame needs to carry a VLAN tag. In the frame sent by the switching module, the source MAC address is MAC 2, the destination MAC address is MAC 3, and no VLAN tag is carried.
• In the preceding process, the switch decides whether a packet is forwarded at Layer 3 based on the destination MAC address of the frame: if it is the switch's own MAC address, the switch forwards the packet using the Layer 3 forwarding table; otherwise it uses the Layer 2 forwarding table. This decision applies in both symmetric and asymmetric IRB scenarios.
• Ingress VTEP: the VTEP through which traffic enters a VXLAN network.
• Egress VTEP: the VTEP through which traffic leaves a VXLAN network.

Asymmetric IRB
⚫ Asymmetric IRB: The ingress VTEP performs both Layer 3 and Layer 2 table lookup, and the egress VTEP only needs to perform Layer
2 table lookup and forwarding. This is called asymmetric forwarding because the operations performed by the ingress VTEP and
egress VTEP are different.
[Figure: asymmetric IRB forwarding from PC1 (172.16.2.1/24, MAC A, BD 20 / VNI 200 on
VTEP1 1.1.1.1) to PC2 (172.16.1.2/24, MAC B, BD 10 / VNI 100 on VTEP2 2.2.2.2). Both VTEPs
have VBDIF 10 and VBDIF 20. Packet sent over the VXLAN tunnel: outer IP, UDP, VXLAN header
(VNI 100), inner source MAC = MAC address of VBDIF 10, inner destination MAC = MAC B.]
1. PC1 sends a unicast packet to PC2.
2. VBDIF 20 searches the routing table and sends the packet to VBDIF 10.
3. VBDIF 10 queries the MAC address table of BD 10 and finds that the destination MAC address
(learned through a Type 2 route) is that of the remote VTEP.
4. VTEP1 sends the data packet to VTEP2 through the VXLAN tunnel.
5. VTEP2 searches the Layer 2 table in BD 10 corresponding to VNI 100.
6. VTEP2 sends the data packet to PC2.

52 Huawei Confidential

• During asymmetric IRB, VTEPs do not transmit host IP routes between each
other. That is, VTEP1 and VTEP2 do not transmit the 32-bit host route (generated
through an ARP entry) of the connected PC. Therefore, VTEP1 searches the
routing table in step 2, and matches the packet against the direct route
generated by VBDIF 10.

• In step 5, VTEP2 decapsulates the VXLAN packet and finds that the destination
MAC address is not the MAC address of the local VBDIF interface corresponding
to the BD. Therefore, VTEP2 searches the Layer 2 forwarding table for the MAC
address entry of the corresponding BD based on the VNI carried in the packet
and then forwards the packet at Layer 2.

Symmetric IRB
⚫ Symmetric IRB: Both the ingress and egress VTEPs perform Layer 3 table lookup and forwarding.


Compared with asymmetric IRB, symmetric IRB adds an IP VPN instance and the L3VNI bound to it. (In asymmetric IRB mode, the
VNI in the VXLAN header of packets transmitted between VTEPs is the L2VNI.) In symmetric IRB mode, the VBDIF interface needs
to be bound to an IP VPN instance, so that route learning and data forwarding are restricted to the IP VPN instance, which is
similar to MPLS VPN.
[Figure: symmetric IRB configuration. VTEP1 (1.1.1.1): BD 20 with VBDIF 20 bound to IP VPN
instance VPN1 (VXLAN VNI 1000 as L3VNI, RD 203:1, RT 10:1). VTEP2 (2.2.2.2): BD 10 with VBDIF 10
bound to IP VPN instance VPN1 (VXLAN VNI 1000 as L3VNI, RD 103:1, RT 10:1). The two VTEPs are
connected by a VXLAN tunnel.]
In this case, IRB routes (carrying the additional L3VNI) are transmitted between VTEPs. The
learning of IRB routes between BD 20 of VTEP1 and BD 10 of VTEP2 is controlled by the RT values
carried in the routes. This mechanism is similar to the MPLS VPN VPNv4 route learning mechanism.

• On Huawei devices, symmetric IRB is used.

EVPN RT and IP VPN RT (1)


⚫ After an IP VPN instance is added, the RT value carried in the Type 2 route transmitted by BGP EVPN is
still the EVPN RT value. The only difference is that the remote end processes the received route
differently.
▫ If the RT carried in the route is the same as the IRT of the local EVPN instance, the route is accepted. After the
EVPN instance obtains IRB routes, it can extract ARP routes from the IRB routes to implement ARP
advertisement.
▫ If the RT carried in the route is the same as the IRT (EVPN) of the local IP VPN instance, the route is also accepted.
Then, the L3VPN instance obtains the IP prefix information carried in the route, extracts the host IP address and
L3VNI, and saves the host IP route of Host1 to the routing table. The outbound interface is recursed based on the
next hop of the route and is the VXLAN tunnel to the VTEP.


• In a BGP EVPN scenario, if you want to control the sending and receiving of EVPN
routes based on the RT value of the IP VPN instance, run the vpn-target evpn
command to configure the RT value. In this case, the ERT is carried in EVPN
routes sent to the remote BGP EVPN peer, and the IRT is matched against the RT
carried in a received EVPN route to determine which EVPN routes can be added to
the routing table of the local VPN instance address family.

• Note: The RT configured using the vpn-target evpn command is called an RT
(EVPN), which is different from common RTs.

EVPN RT and IP VPN RT (2)


⚫ A route is discarded only when its RT is different from the EVPN IRT and IP VPN IRT (EVPN).

[Figure: VTEP1 (BD 20, EVPN ERT 20:1) sends an EVPN route in a BGP Update message to VTEP2
(BD 20 with EVPN IRT 20:1; VBDIF 20 bound to an IP VPN instance with IP VPN IRT 20:1).]
1. The route carries EVPN RT = 20:1.
2. The RT carried in the route is the same as the IRT of the EVPN instance, so the EVPN route is
added to the BGP EVPN routing table.
3. The RT carried in the route is the same as the IRT of the IP VPN instance, so the host IP route
is added to the IP VPN routing table.

• VTEP1 sends a Type 2 BGP EVPN route (IRB type), which carries the ERT (20:1) of
the EVPN instance bound to the BD.
• After receiving the BGP Update message, VTEP2 checks the RT value (20:1)
carried in the BGP Update message and compares it with the IRT in the local
EVPN instance and the IRT (EVPN) in the IP VPN instance. VTEP2 finds that the
IRT of the EVPN instance bound to BD 20 and IRT of the IP VPN instance bound
to VBDIF 20 are the same, adds the EVPN routes to the EVPN routing table of BD
20, and adds the IP routes contained in the EVPN routes to the routing table of
the IP VPN instance bound to VBDIF 20.
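The acceptance rule of these two slides, written out as an added example (not Huawei code): a received Type 2 route is checked against the IRT of each EVPN instance and the IRT (EVPN) of each IP VPN instance, and only an IRB route (one carrying an L3VNI) contributes a host IP route. The class and field names are assumptions; the values (RT 20:1, BD 20, VPN1) follow the slide and the two extra routes are constructed.

```python
"""Route-target check applied to a received BGP EVPN Type 2 route (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Type2Route:
    mac: str
    ip: str
    l2vni: int
    next_hop: str                 # IP address of the advertising VTEP
    rts: FrozenSet[str]           # route targets carried in the route
    l3vni: Optional[int] = None   # set only for an IRB route


@dataclass
class EvpnInstance:               # EVPN instance bound to a bridge domain
    bd: int
    import_rts: FrozenSet[str]


@dataclass
class IpVpnInstance:              # IP VPN instance with "vpn-target ... evpn" import RTs
    name: str
    import_rts_evpn: FrozenSet[str]


@dataclass
class Vtep:
    evpn_instances: List[EvpnInstance]
    ip_vpn_instances: List[IpVpnInstance]
    # bd -> routes accepted into the BGP EVPN routing table of that BD
    evpn_table: Dict[int, List[Type2Route]] = field(default_factory=dict)
    # vpn name -> {host prefix: (next-hop VTEP, L3VNI used for encapsulation)}
    ip_vpn_table: Dict[str, Dict[str, tuple]] = field(default_factory=dict)

    def receive(self, route: Type2Route) -> dict:
        """Install the route wherever one of its RTs matches an IRT; discard if none does."""
        result = {"evpn_bds": [], "ip_vpns": [], "discarded": False}
        for evi in self.evpn_instances:
            if route.rts & evi.import_rts:
                self.evpn_table.setdefault(evi.bd, []).append(route)
                result["evpn_bds"].append(evi.bd)
        # Only an IRB route (one that carries an L3VNI) yields a host IP route.
        if route.l3vni is not None:
            for vpn in self.ip_vpn_instances:
                if route.rts & vpn.import_rts_evpn:
                    table = self.ip_vpn_table.setdefault(vpn.name, {})
                    table[f"{route.ip}/32"] = (route.next_hop, route.l3vni)
                    result["ip_vpns"].append(vpn.name)
        result["discarded"] = not (result["evpn_bds"] or result["ip_vpns"])
        return result


def demo() -> dict:
    """VTEP2 of the slide receiving three constructed routes from VTEP1 (1.1.1.1)."""
    vtep2 = Vtep(
        evpn_instances=[EvpnInstance(bd=20, import_rts=frozenset({"20:1"}))],
        ip_vpn_instances=[IpVpnInstance("VPN1", frozenset({"20:1"}))],
    )
    irb = Type2Route("MAC-A", "172.16.2.1", 200, "1.1.1.1", frozenset({"20:1"}), l3vni=1000)
    arp_only = Type2Route("MAC-X", "172.16.2.9", 200, "1.1.1.1", frozenset({"20:1"}))
    foreign = Type2Route("MAC-Y", "10.9.9.9", 900, "1.1.1.1", frozenset({"99:1"}), l3vni=9000)
    return {
        "irb": vtep2.receive(irb),            # both tables
        "arp_only": vtep2.receive(arp_only),  # EVPN table only (no L3VNI)
        "foreign": vtep2.receive(foreign),    # no RT match anywhere: discarded
        "host_routes": dict(vtep2.ip_vpn_table.get("VPN1", {})),
    }


if __name__ == "__main__":
    print(demo())
```

The route is dropped only when neither comparison succeeds, which is exactly the statement on the next slide; a matching EVPN IRT alone still populates the BD's ARP information.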

Symmetric IRB: Host IP Route Advertisement (IRB Route)


[Figure: SW1 (VTEP1, 1.1.1.1) and SW2 (VTEP2, 2.2.2.2, router MAC: MAC B) are Layer 3 gateways
connected by a VXLAN tunnel. PC1 (172.16.2.1/24, MAC D) is attached to SW1; PC2 (172.16.1.2/24,
MAC A) is attached to SW2 in BD 10. On SW2, the EVPN instance BD_10 has RD 10:1, RT 10:1 and
L2VNI 100, and the IP VPN instance VPN1 has RD 103:1, EVPN RT 10:1, VXLAN VNI 1000 (L3VNI) and
router M AC B.]
1. SW2 learns the ARP entry of PC2 and generates an IRB route.
2. SW2 sends a BGP Update message carrying a Type 2 route: host route = 172.16.1.2/32,
MAC address = MAC A, L2VNI = 100, L3VNI = 1000.
3. SW1 obtains the host route to PC2 and the router MAC address of VTEP2, and installs the
route in the routing table of VPN1:
Destination/Mask   L3VNI   Next Hop   Outbound Interface
172.16.1.2/32      1000    2.2.2.2    VXLAN tunnel

BGP EVPN uses the EVPN Router's MAC Extended Community attribute to transmit the VTEP's router MAC address, which is the MAC
address of an NVE interface.


Symmetric IRB: Communication Process


[Figure: symmetric IRB forwarding from PC1 (172.16.2.1/24, MAC D, BD 20 on VTEP1 1.1.1.1) to
PC2 (172.16.1.2/24, MAC A, BD 10 on VTEP2 2.2.2.2, router MAC: MAC B). Both VTEPs have IP VPN
instance VPN1 with L3VNI 1000. Packet sent over the VXLAN tunnel: outer IP, UDP, VXLAN header
(L3VNI 1000), inner source MAC address = MAC address of VBDIF 20, inner destination MAC
address = MAC B.]
1. PC1 sends a unicast packet to PC2.
2. VBDIF 20 searches for routes in the routing table of the IP VPN instance VPN1. It finds that
the next hop of the matched route (32-bit host route) is the remote VTEP of the VXLAN tunnel.
3. VTEP1 sends the data packet to VTEP2 through the VXLAN tunnel.
4. VTEP2 searches for the route in the routing table of the IP VPN instance corresponding to
VNI 1000 and finds the direct route generated by the local VBDIF interface. VTEP2 then performs
Layer 2 table lookup in the corresponding BD.
5. VTEP2 sends the data packet to PC2.

• In symmetric IRB mode, VTEPs transmit 32-bit host routes generated using ARP
entries. Therefore, VTEP1 matches the 32-bit host routes transmitted from VTEP2
during route lookup. Even if VTEP1 has the direct route generated by VBDIF 10, it
still forwards packets based on 32-bit host routes according to the longest match
rule.

• In step 4, VTEP2 decapsulates the VXLAN packet and finds that the destination
MAC address of the inner packet is its own router MAC address (MAC B). VTEP2
therefore forwards the packet based on the routing table: it finds the IP VPN
instance corresponding to VNI 1000, searches the routing table of that instance,
matches the direct route generated by VBDIF 10, searches the local MAC address
table, and sends the packet to PC2.
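The lookups described in the asymmetric and symmetric IRB notes above (and the VLANIF case at the start of this section) as an added example, not Huawei code: a frame whose destination MAC is the gateway MAC of its BD is routed, anything else is bridged; routing is a longest-prefix match in the IP VPN instance, so a /32 host route learned from a Type 2 IRB route wins over the VBDIF's direct route and the packet leaves with the L3VNI and the remote router MAC, while with only the direct route the gateway resolves ARP and bridges with the L2VNI. Class names, MAC strings ("MAC-C", "MAC-G", "MAC-X") and the port name are constructed; the addresses and VNIs follow the slides.

```python
"""Forwarding decisions of a VXLAN Layer 3 gateway (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Vbdif:
    bd: int
    l2vni: int
    mac: str          # gateway MAC of this BD (hosts use it as their gateway MAC)
    network: str      # direct route of the VBDIF, e.g. "172.16.1.0/24"


@dataclass
class Gateway:
    router_mac: str   # carried in the EVPN Router's MAC extended community
    l3vni: int
    vbdifs: Dict[int, Vbdif] = field(default_factory=dict)
    # prefix -> ("direct", "<bd>") or ("vtep", "<remote VTEP IP>"); one IP VPN instance
    routes: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    remote_router_mac: Dict[str, str] = field(default_factory=dict)  # VTEP IP -> router MAC
    arp: Dict[str, str] = field(default_factory=dict)                # host IP -> MAC
    mac_table: Dict[Tuple[int, str], str] = field(default_factory=dict)
    # (bd, MAC) -> "port:<name>" (local host) or "vtep:<IP>" (MAC learned from a Type 2 route)

    def add_vbdif(self, v: Vbdif) -> None:
        self.vbdifs[v.bd] = v
        self.routes[v.network] = ("direct", str(v.bd))

    def lookup_route(self, ip: str) -> Optional[Tuple[str, Tuple[str, str]]]:
        """Longest-prefix match in the IP VPN instance routing table."""
        addr, best, best_len = ipaddress.ip_address(ip), None, -1
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = (prefix, nh), net.prefixlen
        return best

    def _bridge(self, bd: int, dst_mac: str) -> dict:
        entry = self.mac_table.get((bd, dst_mac))
        if entry is None:
            return {"action": "flood", "bd": bd}
        kind, target = entry.split(":", 1)
        if kind == "vtep":   # remote host: VXLAN with the L2VNI of the BD (asymmetric IRB)
            return {"action": "vxlan", "vni": self.vbdifs[bd].l2vni, "vtep": target,
                    "inner_dst_mac": dst_mac}
        return {"action": "port", "bd": bd, "port": target}

    def _route(self, dst_ip: str) -> dict:
        hit = self.lookup_route(dst_ip)
        if hit is None:
            return {"action": "drop", "reason": "no route"}
        prefix, (kind, target) = hit
        if kind == "vtep":   # /32 host route via a remote VTEP: L3VNI + router MAC (symmetric IRB)
            return {"action": "vxlan", "vni": self.l3vni, "vtep": target,
                    "inner_dst_mac": self.remote_router_mac[target], "matched": prefix}
        bd = int(target)     # direct route: last hop, resolve ARP, then bridge in that BD
        next_mac = self.arp.get(dst_ip)
        if next_mac is None:
            return {"action": "arp-resolve", "bd": bd, "ip": dst_ip, "matched": prefix}
        return {**self._bridge(bd, next_mac), "matched": prefix}

    def ingress(self, bd: int, dst_mac: str, dst_ip: str) -> dict:
        """Frame received from a host in `bd`: route only if addressed to the gateway MAC."""
        if dst_mac != self.vbdifs[bd].mac:
            return self._bridge(bd, dst_mac)
        return self._route(dst_ip)

    def egress(self, vni: int, inner_dst_mac: str, dst_ip: str) -> dict:
        """Packet from the VXLAN tunnel: L3VNI + own router MAC means route, else bridge."""
        if vni == self.l3vni and inner_dst_mac == self.router_mac:
            return self._route(dst_ip)
        for bd, v in self.vbdifs.items():
            if v.l2vni == vni:
                return self._bridge(bd, inner_dst_mac)
        return {"action": "drop", "reason": "unknown VNI"}


def demo() -> dict:
    """VTEP1 and VTEP2 of the slides; PC2 (172.16.1.2, MAC A) sits behind VTEP2 in BD 10."""
    vtep1 = Gateway(router_mac="MAC-X", l3vni=1000, remote_router_mac={"2.2.2.2": "MAC-B"})
    vtep1.add_vbdif(Vbdif(20, 200, "MAC-C", "172.16.2.0/24"))
    vtep1.add_vbdif(Vbdif(10, 100, "MAC-G", "172.16.1.0/24"))
    vtep1.arp["172.16.1.2"] = "MAC-A"
    vtep1.mac_table[(10, "MAC-A")] = "vtep:2.2.2.2"
    asym = vtep1.ingress(20, "MAC-C", "172.16.1.2")       # only direct routes known
    vtep1.routes["172.16.1.2/32"] = ("vtep", "2.2.2.2")   # host route from a Type 2 IRB route
    sym = vtep1.ingress(20, "MAC-C", "172.16.1.2")        # longest match now picks the /32
    vtep2 = Gateway(router_mac="MAC-B", l3vni=1000)
    vtep2.add_vbdif(Vbdif(10, 100, "MAC-G", "172.16.1.0/24"))
    vtep2.arp["172.16.1.2"] = "MAC-A"
    vtep2.mac_table[(10, "MAC-A")] = "port:GE0/0/1"
    return {"asymmetric": asym, "symmetric": sym,
            "egress_l3": vtep2.egress(1000, "MAC-B", "172.16.1.2"),
            "egress_l2": vtep2.egress(100, "MAC-A", "172.16.1.2")}
```

The same `Gateway` produces both behaviours: adding the /32 host route is all that turns the asymmetric decision (VNI 100, inner MAC of PC2) into the symmetric one (VNI 1000, inner MAC = remote router MAC), which is why the notes stress the longest match rule.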

Type 3 Route
⚫ Type 3 route (inclusive multicast route)

This type of route is used on the VXLAN control plane for automatic VTEP discovery and dynamic VXLAN tunnel establishment.

VTEPs that function as BGP EVPN peers exchange inclusive multicast routes to transfer L2VNIs and VTEPs' IP addresses.

The Originating Router's IP Address field identifies the local VTEP's IP address; the MPLS Label field identifies the L2VNI.

NLRI format:
Route Distinguisher (8 bytes): RD value of an EVPN instance.
Ethernet Tag ID (4 bytes): VLAN ID on the device. The value is all 0s in this type of route.
IP Address Length (1 byte): Mask length of the local VTEP's IP address carried in the route.
Originating Router's IP Address (4 or 16 bytes): Local VTEP's IP address carried in the route.

PMSI attribute:
Flags (1 byte): This field is inapplicable in VXLAN scenarios.
Tunnel Type (1 byte): The value can only be 6, representing Ingress Replication in VXLAN scenarios.
MPLS Label (3 bytes): L2VNI carried in the route.
Tunnel Identifier (variable): This field is the local VTEP's IP address in VXLAN scenarios.


• The Provider Multicast Service Interface (PMSI) is an optional transitive BGP
attribute. In VXLAN scenarios, Tunnel Type has a fixed value of 6, which is used
to carry the VTEP's IP address and L2VNI of the sender.

VXLAN Tunnel Establishment


⚫ VTEPs exchange L2VNIs and VTEP IP addresses through Type 3 routes. If there are reachable routes
between the local and remote VTEPs' IP addresses, a VXLAN tunnel is established between the VTEPs.
Additionally, if the local and remote VNIs are the same, an ingress replication list is created for BUM
packet forwarding.

[Figure: SW1 (VTEP 1.1.1.1/32) and SW2 (VTEP 2.2.2.2/32) have a BGP EVPN peer relationship (1)
and exchange Type 3 routes in BGP Update messages: SW1 advertises VTEP address = 1.1.1.1,
VNI = 1000; SW2 advertises VTEP address = 2.2.2.2, VNI = 1000.]
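The tunnel set-up rule of the slide above as an added example (not Huawei code): a tunnel is created towards the remote VTEP whose Originating Router's IP Address is reachable in the underlay routing table, and if the L2VNI in the route is also configured locally the remote VTEP joins that VNI's ingress replication list. Function and field names are assumptions; 1.1.1.1, 2.2.2.2 and VNI 1000 follow the slide, the other peers are constructed to show the rejected cases.

```python
"""VXLAN tunnel set-up from received BGP EVPN Type 3 routes (added example, not Huawei code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

INGRESS_REPLICATION = 6          # the only Tunnel Type allowed in VXLAN scenarios


@dataclass(frozen=True)
class Type3Route:
    originating_ip: str          # Originating Router's IP Address
    l2vni: int                   # MPLS Label field of the PMSI attribute
    tunnel_type: int = INGRESS_REPLICATION


def underlay_reachable(ip: str, underlay_prefixes: Iterable[str]) -> bool:
    """True if some prefix in the underlay routing table covers `ip`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in underlay_prefixes)


def process_type3(local_vtep: str, local_vnis: Set[int], routes: Iterable[Type3Route],
                  underlay_prefixes: Iterable[str]
                  ) -> Tuple[Set[str], Dict[int, Set[str]], List[str]]:
    """Return (tunnels, ingress replication list per local VNI, rejected routes)."""
    prefixes = list(underlay_prefixes)
    tunnels: Set[str] = set()
    replication: Dict[int, Set[str]] = {vni: set() for vni in local_vnis}
    rejected: List[str] = []
    for r in routes:
        if r.tunnel_type != INGRESS_REPLICATION:
            rejected.append(f"{r.originating_ip}: tunnel type {r.tunnel_type} not supported")
            continue
        if r.originating_ip == local_vtep:
            continue                                   # our own route reflected back by an RR
        if not underlay_reachable(r.originating_ip, prefixes):
            rejected.append(f"{r.originating_ip}: no underlay route")
            continue
        tunnels.add(r.originating_ip)                  # VXLAN tunnel to the remote VTEP
        if r.l2vni in replication:                     # same VNI on both ends: BUM peer
            replication[r.l2vni].add(r.originating_ip)
    return tunnels, replication, rejected


def demo():
    """SW1 (1.1.1.1) of the slide plus constructed peers; local VNIs 1000 and 200."""
    routes = [
        Type3Route("2.2.2.2", 1000),         # SW2 of the slide
        Type3Route("3.3.3.3", 300),          # reachable, but VNI 300 is not configured locally
        Type3Route("4.4.4.4", 1000),         # no underlay route: no tunnel
        Type3Route("1.1.1.1", 1000),         # own route reflected back
        Type3Route("5.5.5.5", 1000, 2),      # unsupported tunnel type
    ]
    return process_type3("1.1.1.1", {1000, 200}, routes,
                         ["2.2.2.2/32", "3.3.3.3/32", "5.5.5.5/32"])


if __name__ == "__main__":
    print(demo())
```

A tunnel to 3.3.3.3 is still established even though no VNI is shared, which matches the slide: reachability alone creates the tunnel, a matching VNI only adds the replication entry.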

Type 5 Route
⚫ Type 5 route (IP prefix route)

The IP Prefix Length and IP Prefix fields in an IP prefix route can identify a host IP address or network segment.

If the IP Prefix Length and IP Prefix fields in an IP prefix route identify a host IP address, the route is used for IP route
advertisement in distributed VXLAN gateway scenarios, which functions the same as an IRB route on the VXLAN control plane.

If the IP Prefix Length and IP Prefix fields in an IP prefix route identify a network segment, the route allows hosts on a VXLAN to
access external networks.
Format of an IP prefix route and field description:
Route Distinguisher (8 bytes): RD value of an EVPN instance.
Ethernet Segment Identifier (10 bytes): Unique ID for defining the connection between local and remote devices.
Ethernet Tag ID (4 bytes): VLAN ID configured on the device.
IP Prefix Length (1 byte): Length of the IP prefix carried in the route.
IP Prefix (4 or 16 bytes): IP prefix carried in the route.
GW IP Address (4 or 16 bytes): Default gateway address. This field is inapplicable in VXLAN scenarios.
MPLS Label (3 bytes): L3VNI carried in the route.

Application Scenarios of IP Prefix Route Advertisement


⚫ For a non-VXLAN network, a VTEP can advertise external routes to the entire VXLAN network through
Type 5 routes, instructing hosts on the VXLAN network to access the external network.

[Figure: a non-VXLAN network 1.2.3.0/24 is connected to SW1 (Layer 3 gateway, VTEP 1.1.1.1/32);
SW2 (Layer 3 gateway, VTEP 2.2.2.2/32) is the remote VTEP. VNI 88 is the L3VNI.]
1. SW1 has a static route to 1.2.3.0/24 and imports the static route to BGP.
2. SW1 sends a BGP Update message carrying a Type 5 route: Prefix = 1.2.3.0/24, L3VNI = 88.
3. SW2 obtains the route to 1.2.3.0/24.

• Similar to Type 2 IRB routes, Type 5 routes carry the router MAC address of the
VTEP through the EVPN router's MAC extended community attribute during
route transmission. In addition, Type 5 routes carry only the L3VNI. Therefore, the
forwarding process is also called IRB forwarding.
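An encoder and decoder for the two NLRIs described on the Type 3 and Type 5 slides, as an added example (not Huawei code). The field order and sizes follow the two field tables; the route-type/length prefix of an EVPN NLRI and the type 0 RD encoding (2-byte type, 2-byte ASN, 4-byte number) are the standard BGP EVPN format, and the 24-bit VNI is carried in the 3-byte MPLS Label field. IPv4 only. Sample values are the slides' (RD 10:1, VTEP 1.1.1.1, VNI 1000; prefix 1.2.3.0/24, L3VNI 88).

```python
"""Encoder/decoder for BGP EVPN Type 3 and Type 5 NLRIs as used for VXLAN (added example)."""
import socket
import struct

TYPE3_BODY_LEN = 8 + 4 + 1 + 4               # RD, Ethernet Tag, IP length, IPv4 address
TYPE5_BODY_LEN = 8 + 10 + 4 + 1 + 4 + 4 + 3  # RD, ESI, Tag, prefix len, prefix, GW, label


def encode_rd(rd: str) -> bytes:
    """Type 0 RD 'ASN:number' -> 8 bytes."""
    asn, num = (int(x) for x in rd.split(":"))
    return struct.pack("!HHI", 0, asn, num)


def decode_rd(b: bytes) -> str:
    _, asn, num = struct.unpack("!HHI", b)
    return f"{asn}:{num}"


def encode_type3(rd: str, vtep_ip: str, l2vni: int):
    """Return (NLRI, PMSI Tunnel attribute value) of an inclusive multicast route."""
    body = encode_rd(rd) + struct.pack("!IB", 0, 32) + socket.inet_aton(vtep_ip)
    nlri = struct.pack("!BB", 3, len(body)) + body
    # PMSI: Flags = 0, Tunnel Type = 6 (ingress replication), label = L2VNI, id = VTEP IP
    pmsi = struct.pack("!BB", 0, 6) + l2vni.to_bytes(3, "big") + socket.inet_aton(vtep_ip)
    return nlri, pmsi


def decode_type3(nlri: bytes, pmsi: bytes) -> dict:
    rtype, length = struct.unpack("!BB", nlri[:2])
    if rtype != 3 or length != TYPE3_BODY_LEN or len(nlri) != length + 2:
        raise ValueError("not an IPv4 Type 3 NLRI")
    body = nlri[2:]
    eth_tag, ip_len = struct.unpack("!IB", body[8:13])
    flags, tunnel_type = struct.unpack("!BB", pmsi[:2])
    return {"rd": decode_rd(body[:8]), "eth_tag": eth_tag, "ip_len": ip_len,
            "vtep": socket.inet_ntoa(body[13:17]), "flags": flags,
            "tunnel_type": tunnel_type, "l2vni": int.from_bytes(pmsi[2:5], "big"),
            "tunnel_id": socket.inet_ntoa(pmsi[5:9])}


def encode_type5(rd: str, prefix: str, l3vni: int, esi: bytes = bytes(10),
                 eth_tag: int = 0, gw_ip: str = "0.0.0.0") -> bytes:
    """IP prefix route; a /32 identifies a host, a shorter prefix a network segment."""
    net, plen = prefix.split("/")
    body = (encode_rd(rd) + esi + struct.pack("!IB", eth_tag, int(plen))
            + socket.inet_aton(net) + socket.inet_aton(gw_ip) + l3vni.to_bytes(3, "big"))
    return struct.pack("!BB", 5, len(body)) + body


def decode_type5(nlri: bytes) -> dict:
    rtype, length = struct.unpack("!BB", nlri[:2])
    if rtype != 5 or length != TYPE5_BODY_LEN or len(nlri) != length + 2:
        raise ValueError("not an IPv4 Type 5 NLRI")
    b = nlri[2:]
    eth_tag, plen = struct.unpack("!IB", b[18:23])
    return {"rd": decode_rd(b[:8]), "esi": b[8:18].hex(), "eth_tag": eth_tag,
            "prefix": f"{socket.inet_ntoa(b[23:27])}/{plen}",
            "gw_ip": socket.inet_ntoa(b[27:31]),
            "l3vni": int.from_bytes(b[31:34], "big"), "host_route": plen == 32}


if __name__ == "__main__":
    print(decode_type3(*encode_type3("10:1", "1.1.1.1", 1000)))
    print(decode_type5(encode_type5("10:1", "1.2.3.0/24", 88)))
```

The decoders reject a length field that disagrees with the fixed IPv4 layout before slicing, which is the check a receiver needs before trusting the VNI and address fields of a peer's update.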
Contents

1. Overview of VXLAN and Campus Network Virtualization

2. Basic Concepts and Fundamentals of VXLAN

3. BGP EVPN
▫ Basic Concepts
▫ BGP EVPN Routes
◼ BGP EVPN Features

4. Campus Network Virtualization

ARP Broadcast Suppression
⚫ BGP EVPN Type 2 routes enable VTEPs to learn MAC addresses without depending on communication between
hosts. However, ARP entries between hosts still need to be flooded and forwarded on the VXLAN overlay, which
consumes a large number of network resources.
⚫ To reduce broadcast traffic, configure ARP broadcast suppression using BGP EVPN routes.
[Figure: PC1 (172.16.2.1/24, MAC A) is attached to VTEP1 (1.1.1.1); PC2 (172.16.2.2/24, MAC B)
is attached to VTEP2 (2.2.2.2); the VTEPs are connected by a VXLAN tunnel. ARP broadcast
suppression table of BD 20 on VTEP1: IP address 172.16.2.2, MAC B, VTEP 2.2.2.2.]
1. PC1 sends an ARP Request packet to request the ARP entry of PC2.
2. VTEP1 queries the ARP broadcast suppression table of BD 20.
3. VTEP1 changes the destination MAC address of the ARP packet from all Fs to MAC B, and sends
the ARP packet to VTEP2 through VXLAN encapsulation (IP header: source IP address 1.1.1.1,
destination IP address 2.2.2.2; UDP header; VXLAN header; original ARP packet: source MAC
address MAC A, destination MAC address MAC B).
4. VTEP2 unicasts the ARP packet to PC2.

• ARP broadcast suppression is an effective method to relieve the burden of a
gateway in processing ARP packets. When receiving an ARP Request packet, the
gateway searches the ARP broadcast suppression table for the mapping between
the IP address and MAC address of the destination device. If the ARP Request
packet matches an entry in the table, the gateway replaces the broadcast MAC
address in the ARP Request packet with the MAC address of the destination
device. Then, the gateway sends the ARP Request packet through the interface
corresponding to the destination MAC address.
Host Information Collection
⚫ When ARP broadcast suppression is enabled on a device, the device generates the ARP broadcast suppression table.
ARP broadcast suppression entries are originated from Type 2 routes (IRB routes and host ARP advertisement)
carried in BGP EVPN packets.
⚫ By default, a Layer 3 gateway does not generate BGP EVPN routes based on local ARP information. You need to
manually enable BGP EVPN host information collection. The VTEP then generates IRB routes based on ARP entries.
[Figure: PC1 (172.16.2.1/24, MAC A) is attached to VTEP1 (1.1.1.1); PC2 (172.16.2.2/24, MAC B)
is attached to VTEP2 (2.2.2.2). ARP entry of VBDIF 20 (Layer 3 gateway) on VTEP1: IP address
172.16.2.1, MAC A.]
1. Enable BGP EVPN host information collection on VTEP1 to generate IRB routes.
2. VTEP1 transmits its ARP entries to VTEP2 through Type 2 IRB routes.
3. VTEP2 uses the IRB routes to generate an IRB host information table.

• An ARP route carries the following valid information: host MAC address, host IP
address, and L2VNI. An IRB route carries the following valid information: host
MAC address, host IP address, L2VNI, and L3VNI. As a result, an IRB route
includes an ARP route and can be used to advertise both the host IP route and
host ARP entry.
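The two slides above (ARP broadcast suppression and host information collection) as one added example, not Huawei code: the VTEP builds a per-BD suppression table from the Type 2 routes it receives (ARP routes and IRB routes both carry host MAC, host IP and L2VNI), and an ARP Request from a local host for a known target has its broadcast destination MAC replaced by the target's MAC and is unicast over the tunnel to the advertising VTEP; unknown targets are still flooded. Class names and the L2VNI value 200 are assumptions; the addresses follow the slides.

```python
"""ARP broadcast suppression table fed by BGP EVPN Type 2 routes (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

BROADCAST_MAC = "ffff-ffff-ffff"


@dataclass(frozen=True)
class Type2Route:
    mac: str
    ip: str
    l2vni: int
    next_hop: str                # VTEP that advertised the route
    l3vni: Optional[int] = None  # present in IRB routes only; not needed for suppression


@dataclass(frozen=True)
class SuppressionEntry:
    mac: str
    vtep: str


class ArpSuppression:
    def __init__(self, l2vni_by_bd: Dict[int, int]):
        self.l2vni_by_bd = l2vni_by_bd
        self.bd_by_l2vni = {vni: bd for bd, vni in l2vni_by_bd.items()}
        self.table: Dict[int, Dict[str, SuppressionEntry]] = {bd: {} for bd in l2vni_by_bd}

    def learn(self, route: Type2Route) -> bool:
        """Add an entry to the BD whose L2VNI matches the route; ignore other VNIs."""
        bd = self.bd_by_l2vni.get(route.l2vni)
        if bd is None:
            return False
        self.table[bd][route.ip] = SuppressionEntry(route.mac, route.next_hop)
        return True

    def withdraw(self, route: Type2Route) -> None:
        """Remove the entry when the route is withdrawn (host gone or moved)."""
        bd = self.bd_by_l2vni.get(route.l2vni)
        if bd is not None:
            self.table[bd].pop(route.ip, None)

    def handle_request(self, bd: int, src_mac: str, dst_mac: str, target_ip: str) -> dict:
        """Decide what to do with an ARP Request received from a local host in `bd`."""
        if dst_mac != BROADCAST_MAC:
            return {"action": "forward", "dst_mac": dst_mac}      # already unicast
        entry = self.table.get(bd, {}).get(target_ip)
        if entry is None:
            return {"action": "flood", "bd": bd}                   # no entry: broadcast in BD
        return {"action": "unicast", "src_mac": src_mac, "dst_mac": entry.mac,
                "vtep": entry.vtep, "vni": self.l2vni_by_bd[bd]}


def demo() -> dict:
    """VTEP1 of the slides: BD 20 with constructed L2VNI 200, PC2 advertised by VTEP2."""
    vtep1 = ArpSuppression({20: 200})
    pc2 = Type2Route("MAC-B", "172.16.2.2", 200, "2.2.2.2")
    learned = vtep1.learn(pc2)
    ignored = vtep1.learn(Type2Route("MAC-Z", "10.0.0.9", 999, "3.3.3.3"))   # VNI not local
    hit = vtep1.handle_request(20, "MAC-A", BROADCAST_MAC, "172.16.2.2")
    miss = vtep1.handle_request(20, "MAC-A", BROADCAST_MAC, "172.16.2.77")
    vtep1.withdraw(pc2)
    after_withdraw = vtep1.handle_request(20, "MAC-A", BROADCAST_MAC, "172.16.2.2")
    return {"learned": learned, "ignored": ignored, "hit": hit, "miss": miss,
            "after_withdraw": after_withdraw}


if __name__ == "__main__":
    print(demo())
```

The withdraw path matters in practice: a stale suppression entry would keep steering requests to a VTEP the host has left, so the table must track route withdrawals as well as advertisements.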
Local Proxy ARP (1)
⚫ After BGP EVPN host information collection is enabled on the entire network, the Layer 3 gateway learns the 32-bit
host routes of all hosts. In this way, the Layer 3 gateway can use the symmetric IRB mode to forward traffic
between hosts in the same BD.
⚫ In this case, you can enable local proxy ARP on the VBDIF interface of the Layer 3 gateway. The VBDIF interface
responds to the ARP Request packet sent by a downstream host to an IP address on the same network segment.
Then the Layer 3 gateway performs Layer 3 forwarding on the same network segment.
[Figure: PC1 (172.16.2.1/24, MAC A) is attached to VTEP1 (1.1.1.1); PC2 (172.16.2.2/24, MAC B)
is attached to VTEP2 (2.2.2.2). VBDIF 20 on VTEP1 has IP address 172.16.2.254 and MAC C, and is
configured with arp-proxy local enable.]
1. PC1 sends an ARP Request packet to request the ARP entry of PC2.
2. VBDIF 20, with local proxy ARP enabled, responds with an ARP Reply packet.

• On a VXLAN network, a bridge domain (BD) is a Layer 2 broadcast domain. After
a VTEP receives BUM packets, it broadcasts the packets in the BD. To reduce
broadcast traffic, a network administrator usually configures access-side isolation
or port isolation to isolate access users in a BD. However, as services become
more diverse and keep increasing, users have growing needs for intra-BD
communication. To allow isolated users in a BD to communicate, configure local
proxy ARP on the VBDIF interface of the BD.
Local Proxy ARP (2)

[Figure: the same topology; VBDIF 20 on VTEP1 has IP address 172.16.2.254 and MAC C. ARP entry
of PC1 after the proxy reply: IP address 172.16.2.2, MAC C.]
3. PC1 sends a data packet to PC2 (Ethernet header: source MAC address MAC A, destination MAC
address MAC C; payload).
4. VTEP1 finds that the destination MAC address is its own MAC address, searches the routing
table for the host route, and forwards the packet to VTEP2 through VXLAN.
With the local proxy ARP mechanism, ARP packets are suppressed on the local VTEP, and
unnecessary traffic exchange between VTEPs is reduced.
Distributed Gateway
⚫ When local proxy ARP is enabled, a VTEP only needs to maintain local ARP entries. ARP information
transmitted by other VTEPs through BGP EVPN routes is not used during forwarding. In this case, the
VTEP does not need to maintain ARP entries learned from other VTEPs.
⚫ After distributed gateway is enabled, the VTEP processes only the ARP packets received from the user-
side host and deletes the learned network-side ARP entries.
[Figure: PC1 (172.16.2.1/24, MAC A) is attached to VTEP1 (1.1.1.1); PC2 (172.16.2.2/24, MAC B)
is attached to VTEP2 (2.2.2.2). VTEP1's ARP entries: 172.16.2.1 MAC A, 172.16.2.2 MAC B.]

• Generally, the same MAC address is configured for VBDIF interfaces with the
same interface number on different VTEPs. After the distributed gateway function
is enabled, VBDIF interfaces with the same IP address and MAC address do not
report ARP conflicts. In addition, when hosts and VMs are migrated to different
VTEPs, the gateway does not need to resolve ARP entries again.
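The local proxy ARP and distributed gateway behaviour of the slides above as an added example, not Huawei code: with arp-proxy local enable on VBDIF 20, an ARP Request from a local host for another address in the VBDIF's subnet is answered with the VBDIF's own MAC (MAC C), so the host addresses its data to the gateway, which routes it using the /32 host route learned through BGP EVPN; with the distributed gateway function on, ARP packets arriving from the network side are neither learned nor answered. Requiring a known host route before proxy-replying is a modelling choice here, not a documented Huawei rule; class names are assumptions and the addresses follow the slides.

```python
"""Local proxy ARP on a VBDIF plus the distributed gateway rule (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Vbdif:
    ip: str                       # gateway address, e.g. 172.16.2.254
    network: str                  # e.g. 172.16.2.0/24
    mac: str                      # gateway MAC (MAC C on the slide)
    arp_proxy_local: bool = False # "arp-proxy local enable"


@dataclass
class Gateway:
    vbdif: Vbdif
    distributed_gateway: bool = True
    host_routes: Dict[str, str] = field(default_factory=dict)  # "ip/32" -> "local" or VTEP IP
    arp: Dict[str, str] = field(default_factory=dict)          # locally learned ARP entries

    def on_arp_request(self, side: str, sender_ip: str, sender_mac: str, target_ip: str) -> dict:
        """`side` is 'user' (access port) or 'network' (VXLAN tunnel)."""
        if side == "network" and self.distributed_gateway:
            return {"action": "ignore"}          # network-side ARP is neither learned nor answered
        self.arp[sender_ip] = sender_mac         # learn the local host
        self.host_routes[f"{sender_ip}/32"] = "local"
        if target_ip == self.vbdif.ip:
            return {"action": "reply", "mac": self.vbdif.mac}
        in_subnet = ipaddress.ip_address(target_ip) in ipaddress.ip_network(self.vbdif.network)
        if self.vbdif.arp_proxy_local and in_subnet and f"{target_ip}/32" in self.host_routes:
            return {"action": "reply", "mac": self.vbdif.mac}   # proxy reply with the gateway MAC
        return {"action": "flood"}               # ordinary ARP: broadcast in the BD

    def forward(self, dst_mac: str, dst_ip: str) -> dict:
        """Data frame from a local host after the ARP exchange."""
        if dst_mac != self.vbdif.mac:
            return {"action": "bridge"}          # not for the gateway: Layer 2 in the BD
        nh = self.host_routes.get(f"{dst_ip}/32")
        if nh is None:
            return {"action": "drop", "reason": "no host route"}
        if nh == "local":
            return {"action": "local", "dst_mac": self.arp[dst_ip]}
        return {"action": "vxlan", "vtep": nh}   # symmetric IRB towards the remote VTEP


def demo() -> dict:
    """VTEP1 of the slides; PC2's host route was learned from VTEP2 through BGP EVPN."""
    gw = Gateway(Vbdif("172.16.2.254", "172.16.2.0/24", "MAC-C", arp_proxy_local=True))
    gw.host_routes["172.16.2.2/32"] = "2.2.2.2"
    proxied = gw.on_arp_request("user", "172.16.2.1", "MAC-A", "172.16.2.2")
    data = gw.forward("MAC-C", "172.16.2.2")
    ignored = gw.on_arp_request("network", "172.16.2.2", "MAC-B", "172.16.2.254")
    unknown = gw.on_arp_request("user", "172.16.2.1", "MAC-A", "172.16.2.50")
    gw.vbdif.arp_proxy_local = False
    no_proxy = gw.on_arp_request("user", "172.16.2.1", "MAC-A", "172.16.2.2")
    return {"proxied": proxied, "data": data, "ignored": ignored, "unknown": unknown,
            "no_proxy": no_proxy, "network_side_learned": "172.16.2.2" in gw.arp}


if __name__ == "__main__":
    print(demo())
```

Because the network-side request is ignored, VTEP1 never stores an ARP entry for PC2; it only holds PC2's /32 host route, which is the state the distributed gateway slide describes.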
MAC Mobility (1)

[Figure: VTEP1 (1.1.1.1), VTEP2 (2.2.2.2) and VTEP3 (3.3.3.3) are BGP EVPN peers. VM1
(172.16.2.1/24, MAC B) is initially attached to VTEP1.]
1. VTEP1 learns the ARP entry of VM1 and generates and advertises an IRB route.
2. For this BGP EVPN route (Prefix = 172.16.2.1/24, MAC B, next hop: VTEP1 (1.1.1.1)), the
sequence number of the extended community attribute MAC Mobility is 0.
3. VM1 is migrated to VTEP2.
4. VTEP2 detects VM1 based on the ARP entry and generates a new IRB route, which is the same
as the route transmitted by VTEP1.
MAC Mobility (2)

[Figure: the same three VTEPs; VM1 (172.16.2.1/24, MAC B) is now attached to VTEP2.]
5. For the new BGP EVPN route (Prefix = 172.16.2.1/24, MAC B, next hop: VTEP2 (2.2.2.2)), the
sequence number of the extended community attribute MAC Mobility is 1.
6. After VTEP1 receives the BGP route update, it detects that the VM has been migrated based
on the sequence number carried in the MAC Mobility field and sends a BGP Update message to
withdraw the route update it previously sent.

• The MAC Mobility extended attribute is used to announce the location change of
a host or VM when the host or VM is migrated from one VTEP to another VTEP.
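The sequence-number handling of the two MAC Mobility slides as an added example, not Huawei code: a VTEP that learns locally a MAC another VTEP already advertised re-advertises it with sequence number old + 1, and a VTEP that receives a route for a MAC it advertised itself, carrying a higher sequence number, withdraws its own route and re-points the MAC to the new VTEP; a route with an equal or lower sequence number does not move the MAC. Class names are assumptions; the VTEP addresses and MAC B follow the slides.

```python
"""MAC Mobility sequence-number handling for BGP EVPN Type 2 routes (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class MacEntry:
    vtep: str      # VTEP the MAC is currently reachable through
    seq: int       # MAC Mobility sequence number
    local: bool    # True if learned from a directly attached host/VM


class Vtep:
    def __init__(self, ip: str):
        self.ip = ip
        self.macs: Dict[str, MacEntry] = {}
        self.sent: List[Tuple[str, str, int]] = []   # ("update"|"withdraw", mac, seq)

    def learn_local(self, mac: str) -> int:
        """ARP/MAC learned from a local host; returns the advertised sequence number."""
        prev = self.macs.get(mac)
        if prev is None:
            seq = 0                       # first appearance of this MAC anywhere
        elif prev.local:
            seq = prev.seq                # still attached here: nothing moved
        else:
            seq = prev.seq + 1            # VM moved to us: bump the sequence number
        self.macs[mac] = MacEntry(self.ip, seq, True)
        self.sent.append(("update", mac, seq))
        return seq

    def receive(self, mac: str, from_vtep: str, seq: int) -> str:
        """Process a Type 2 route for `mac` advertised by `from_vtep`."""
        cur = self.macs.get(mac)
        if cur is None:
            self.macs[mac] = MacEntry(from_vtep, seq, False)
            return "installed"
        if seq > cur.seq:
            if cur.local:                 # our own advertisement is stale: withdraw it
                self.sent.append(("withdraw", mac, cur.seq))
            self.macs[mac] = MacEntry(from_vtep, seq, False)
            return "moved"
        return "ignored"                  # equal or lower sequence: stale or duplicate


def demo() -> dict:
    """VM1 (MAC B) migrates from VTEP1 to VTEP2 as on the slides; VTEP3 only observes."""
    vtep1, vtep2, vtep3 = Vtep("1.1.1.1"), Vtep("2.2.2.2"), Vtep("3.3.3.3")
    s0 = vtep1.learn_local("MAC-B")                       # steps 1-2: seq 0
    r2 = vtep2.receive("MAC-B", "1.1.1.1", s0)
    r3 = vtep3.receive("MAC-B", "1.1.1.1", s0)
    s1 = vtep2.learn_local("MAC-B")                       # steps 3-5: seq 1
    m1 = vtep1.receive("MAC-B", "2.2.2.2", s1)            # step 6: VTEP1 withdraws its route
    m3 = vtep3.receive("MAC-B", "2.2.2.2", s1)
    stale = vtep3.receive("MAC-B", "1.1.1.1", s0)         # old route arriving late
    return {"seq": (s0, s1), "install": (r2, r3), "move": (m1, m3), "stale": stale,
            "vtep1_sent": list(vtep1.sent), "location": vtep3.macs["MAC-B"].vtep}


if __name__ == "__main__":
    print(demo())
```

The late-arriving seq 0 route is discarded, which is the property that keeps a MAC from flapping back to its old location while updates are still propagating.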
Contents

1. Overview of VXLAN and Campus Network Virtualization

2. Basic Concepts and Fundamentals of VXLAN

3. BGP EVPN

4. Campus Network Virtualization

Layers and Concepts of a VXLAN-based Virtualized Campus
Network
Overlay (virtual network layer): VN 1, VN 2, VN 3
• Multiple VNs can be created based on service requirements to implement service isolation.
• VXLAN is used to implement Layer 2 and Layer 3 communication.

Fabric: border, edge, and access nodes
• A virtualization technology is used to construct a logical topology based on any physical topology.
• A service network is created in the fabric and decoupled from the physical network.

Underlay (physical network layer)
• Physical network established by physical devices.
• Interoperability for all services on the campus network.
• Basic bearer network for service data forwarding.

• VXLAN allows a virtual Layer 2 or Layer 3 network (overlay network) to be built
over a physical network (underlay network). The overlay network transmits
packets between different sites through Layer 3 forwarding paths provided by the
underlay network.
• In technical applications, different overlay networks are created for different
services. Services are aware of the overlay network only. The underlay network is
transparent to services.
Architecture Overview: Network Nodes

⚫ Firewall: required when L4-L7 security policies are deployed. It can be deployed in
off-path mode or at the campus egress.
⚫ Border node: used to implement communication between the fabric and external networks.
It is usually a core switch.
⚫ Edge node: a fabric edge device that connects user-side devices to the fabric. Data
packets from wired users are encapsulated into VXLAN packets on edge nodes.
⚫ Transparent node: a transparent transmission node in the fabric. It does not need to
support VXLAN.
⚫ Access node: also known as an extended node. It is an optional access node for wired
users. It provides network access for users and does not need to support VXLAN.
⚫ AP: wireless access node, through which users access the wireless network and finally
access the fabric.
[Figure: fabric domain (VXLAN) containing the firewall, border node, transparent node and
edge node; access domain containing the access node and AP.]

• L4-L7 security policy: The firewall supports security control from Layer 4 to Layer
7.
What Are an Underlay Network and a Fabric?
Underlay network
The underlay network is the foundation of the entire virtualized campus network. It is a
physical network consisting of physical network devices, which provides interoperability for
all services on a campus network.
[Figure: border, edge, and access switches interconnected through interconnection VLANs and
interconnection IP addresses, each with a loopback interface, running an IGP (OSPF).]
• Multi-layer architecture (core, aggregation, and access layers)
• Multiple topologies (such as tree, ring, and mesh topologies)
• Underlay information includes device interconnection VLANs, interconnection IP addresses,
and an IGP.

Fabric
A campus fabric is a network resource pool that is abstracted from physical network devices on
the underlay network, creating a multiple-purpose network.
The fabric consists of the following resource pools:
• Overlay network resource pool (BD IDs and VNIs) for terminal access
• VLAN ID pool for terminal access
• Access point pool (switch ports for wired access or SSIDs for wireless access) for
terminal access
These resource pools can be used to create multiple VNs.
What Is an Overlay Network?
[Figure: Underlay and overlay in our daily life: a vehicle carrying passengers travels on urban
roads (the infrastructure), with easy access from all directions. Underlay and overlay networks
on a virtualized campus network: service A and service B are each carried across the fabric by
VXLAN encapsulation (the overlay network); the fabric itself is built on interconnection VLANs
and interconnection IP addresses (the underlay network).]

• An overlay network is a logical network that is constructed based on a physical
network using a tunneling technology and with separated forwarding and control
planes.
What Is a VN?
• VXLAN can be used to construct multiple VNs on the underlay network.
• A VN is considered as an overlay network.
• Service data of each VN is encapsulated using VXLAN in the fabric so that the VN services
are isolated on the forwarding plane. The control plane uses BGP EVPN to establish VXLAN
tunnels and exchange overlay routing information.
[Figure: a border node connected to the Internet; an OA VN, an R&D VN and an IoT VN; Host1
(sales employee), Host2 (R&D employee), Host3 (IoT device) and Host4 (guest), attached through
an AP.]
Each VN has the following parameters:
• Network service resources (such as the DHCP server and third-party RADIUS/Portal server)
• (Optional) External networks
• User IP address segments, VLANs, and gateway address
• Wired access ports and/or wireless access points (APs)
• Other parameters
Creating a VN
[Figure: a border node connected to the Internet, an OA VN with an AP, and Host1 to Host4.]
1. VN settings: user gateway location, external network, network service resources, user
subnet and gateway.
2. Wired access: access sites, devices, and ports; authentication mode; VLAN information.
3. Wireless access: access sites and devices.
Typical Case Analysis: Requirements
[Figure: a campus network with a firewall and a DHCP server at the Internet egress; sales and
R&D employees attached at the access layer.]
Fabric requirements:
• Build a fabric based on the physical network.
• Use the distributed gateway solution.

VN requirements:
• Create two VNs, one for OA and the other for R&D.
• By default, the two VNs are completely isolated, and intra-subnet and inter-subnet
communication can be implemented in each VN.
• Devices in both VNs can access the external network connected to the firewall.
• Terminals in the two VNs can obtain IP addresses from the DHCP server.
Typical Case Analysis: Fabric Management (1)
[Figure: the border node is connected to the firewall, the DHCP server and the Internet; two
edge nodes connect to the access layer.]
Fabric creation and configuration:
1. You can add physical devices (core, aggregation, and access switches) to the fabric based
on service requirements.
2. You can specify a switch as a border node or an edge node.
3. iMaster NCE-Campus automatically specifies a border node as an RR to optimize the logical
network architecture and BGP peer relationship model.
4. You can predefine two external networks for two VNs to access the Internet.
5. You can define a network service resource, which is used by terminals to obtain IP
addresses from the DHCP server in the resource.
Typical Case Analysis: Fabric Management (2)
[Figure: the border node (OSPF, RR) connects to two transparent nodes, which connect to two
edge nodes (OSPF); each link has an interconnection IP address/VLAN, and BGP EVPN peer
relationships are established between the border node and the edge nodes.]
Automatic deployment of the fabric and underlay network:
1. Based on the discovered physical network topology and the user-defined fabric, iMaster
NCE-Campus automatically orchestrates the network. (You can select multiple OSPF areas or a
single OSPF area.)
2. iMaster NCE-Campus automatically delivers underlay network configurations to devices based
on the network orchestration result so that the devices have reachable routes to each other's
IP address.
3. iMaster NCE-Campus automatically delivers fabric configurations to devices, and BGP EVPN
peer relationships are established between devices.
Typical Case Analysis: VN Management
[Figure: external network 1 (through the firewall), external network 2, and the network
service resource (DHCP server) at the border; OA VN with VLAN 10: 10.1.10.0/24 and VLAN 20:
10.1.20.0/24; R&D VN with VLAN 30: 10.1.30.0/24 and VLAN 40: 10.1.40.0/24; access devices and
ports at the edge.]
VN creation:
1. You can create OA and R&D VNs and specify the IP network segments/VLANs, gateway addresses,
associated external networks and network service resources, and terminal access points for
the VNs.
2. iMaster NCE-Campus translates user intents into configurations and delivers the
configurations to network devices.
Typical Case Analysis: Tunnel Establishment
[Figure: a VXLAN tunnel between the two edge nodes to which the sales employees are attached.]
Automatic VXLAN tunnel establishment:
1. BGP EVPN advertises information used to establish VXLAN tunnels between peers.
2. VXLAN tunnels are established between devices to prepare for subsequent data forwarding.
Typical Case Analysis: Address Obtaining
[Figure: the DHCP server (1.2.3.0/24) sits behind the border node (3.3.3.3); Edge1 (1.1.1.1)
and Edge2 connect to the access layer; sales employee A is attached to Edge1. DHCP messages
are exchanged between Edge1 and the border node over the VXLAN tunnel.]
Address obtaining:
1. After sales employee A accesses the network, the user is authenticated. After the
authentication succeeds, the authentication point Edge1 obtains the authorization result of
the user and assigns the user to the corresponding VLAN.
2. Host A sends a DHCP Request message. After receiving the Request message, the gateway Edge1
relays the Request message to the border node through the VXLAN tunnel.
3. The border node decapsulates the VXLAN packet and forwards the DHCP Request message to the
DHCP server.
4. The DHCP server assigns an IP address to host A.
Typical Case Analysis: Intra-Subnet Communication
[Figure: the border node acts as RR; Edge1 (1.1.1.1) and Edge2 (2.2.2.2) are connected by a
VXLAN tunnel (L2VNI). Sales employee A (10.1.10.1/24, AAAA-0000-0001) is attached to Edge1 and
sales employee B (10.1.10.2/24, AAAA-0000-0002) to Edge2. BGP Update message from Edge2:
MAC/IP route, MAC address = AAAA-0000-0002, L2VNI = 1000, Next_Hop = 2.2.2.2, reflected by
the border node to Edge1.]
Intra-subnet communication on the same VN:
1. Sales employees A and B pass the access authentication and access the campus network.
2. For example, Edge2 advertises the MAC address of host B to the border node through a BGP
Update message, and the border node (RR) advertises the MAC address to Edge1.
3. Edge1 learns the MAC address AAAA-0000-0002.
4. When host A sends data packets to host B, Edge1 encapsulates the data packets into VXLAN
packets and forwards them to Edge2. Edge2 performs VXLAN decapsulation and sends the
decapsulated packets to the destination.
Typical Case Analysis: Inter-Subnet Communication
[Figure: the border node acts as RR; Edge1 (1.1.1.1) and Edge2 (2.2.2.2) are connected by a
VXLAN tunnel (L3VNI). Sales employee A (10.1.10.1/24) is attached to Edge1 and sales employee C
(10.1.20.1/24) to Edge2. BGP Update message from Edge2: MAC/IP route (IRB), host route =
10.1.20.1/32, L3VNI = 10, Next_Hop = 2.2.2.2, reflected by the border node to Edge1.]
Inter-subnet communication on the same VN:
1. Sales employee C passes the access authentication and accesses the campus network.
2. Edge2 advertises the host route of host C to the border node through a BGP Update message.
The border node (RR) advertises the host route to Edge1.
3. Edge1 learns the route to 10.1.20.1/32. The next hop of the route is 2.2.2.2, and the
outbound interface is the VXLAN tunnel interface.
4. When host A sends data packets to host C, Edge1 encapsulates the data packets into VXLAN
packets and forwards them to Edge2. Edge2 performs VXLAN decapsulation and sends the
decapsulated packets to the destination.
Typical Case Analysis: Accessing the External Network
Accessing the external network:
1. After you associate the external network (destination network segment 1.2.3.0/24) with the OA VN, iMaster NCE-Campus redistributes the external route to BGP and advertises the route to Edge1 and Edge2.
2. When host A sends data packets to 1.2.3.0/24, Edge1 encapsulates the data packets into VXLAN packets and sends them to the border node. The border node decapsulates the VXLAN packets and forwards the IP packets to the firewall.
[Figure: the border node (3.3.3.3) reaches the external route 1.2.3.0/24 through the next-hop firewall; through BGP route advertisement it sends a BGP Update message carrying an IP prefix route with Prefix = 1.2.3.0/24, L3VNI = 88 and Next_Hop = 3.3.3.3 to Edge1 (1.1.1.1) and Edge2, so Edge1 installs route 1.2.3.0/24 with next hop 3.3.3.3; sales employee A (10.1.10.1/24) is attached to Edge1.]
Quiz

1. (True or false) BGP EVPN Type 2 host IP routes can be used to transmit ARP information. ( )
A. True
B. False

2. (Single-answer question) Which of the following statements about BGP EVPN is false? ( )
A. MP_REACH_NLRI is used to carry routes.
B. The extended community attribute is used to carry routes.
C. MP_REACH_NLRI is used to carry L2VNIs and L3VNIs.
D. The Next_Hop attribute is used to carry routes.

1. A
2. D
Summary

⚫ VXLAN uses a Layer 3 routed network as the underlay network and uses tunnels to
build an overlay network, supporting large-scale tenant networks.
⚫ VXLAN does not define the control plane. To prevent BUM traffic flooding, use
other protocols on the control plane to optimize BUM traffic forwarding.
⚫ BGP EVPN defines several new types of BGP EVPN routes by extending BGP. These
BGP EVPN routes can be used to transmit VTEP addresses, host information, and
routing information, effectively controlling flooding of BUM traffic.

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Network Admission Control
Foreword

⚫ Campus networks are faced with an increasing number of information security threats, such as viruses, Trojan horses, spyware, and malicious attacks. On a traditional campus network, the intranet is considered secure and threats are assumed to come from the extranet. However, research shows that roughly 80% of security threats come from the intranet. Network faults caused by intranet threats can lead to a broad range of serious damage; in the worst case, the service system and network break down.
⚫ The Network Admission Control (NAC) solution integrates terminal security with access
control and takes check, isolation, hardening, and audit measures to improve the proactive
protection capabilities of terminals. This solution ensures security of each terminal and the
entire campus network.

Objectives

⚫ On completion of this course, you will be able to:


 Describe basic concepts in NAC.
 Learn about typical authentication technologies and their working mechanisms
and application scenarios.
 Configure basic user access authentication functions.
 Learn about the functions and working mechanism of policy association.

Contents

1. Overview of NAC

2. User Authentication Technologies

3. User Authorization and Logout

4. NAC Configuration

5. Policy Association

Technical Background of NAC
⚫ Unauthorized users may access a campus network, which compromises information security on the campus network.
⚫ Various types of terminals are connected to a campus network, and it is difficult to control user access behaviors on the campus network.
⚫ For security purposes, a campus network cannot grant access rights to all terminals. Authentication must be performed based on user identities and terminal status. The terminals that do not meet certain conditions are not allowed to access the campus network.
[Figure: a campus network with an intranet FTP server; a guest gains unauthorized access, and a virus-infected host spreads viruses across the campus network.]

• Currently, the intranets of most campus networks are faced with the following
security issues:
▫ Antivirus software is not managed in a centralized manner, and patch
management is disordered. Even if enterprises purchase antivirus software,
it is difficult to ensure that the virus signature databases of all terminals are
the latest. As a result, once a terminal is infected with viruses or malicious
code, the virus will soon spread on the intranet.

▫ User identities cannot be verified. Therefore, unauthorized access cannot be prevented, posing security risks to the network.
▫ Access control for terminals is not implemented. A user can access all
network resources as long as the user successfully connects to the network.
Overview of NAC
⚫ An important design idea of NAC is to allow only authorized users and secure terminals to access networks. NAC provides user authentication, permission management, security check, repair, and upgrade functions to improve the overall terminal security protection capabilities on a campus network.
[Figure: NAC system architecture, consisting of user terminals, admission devices, and admission servers.]
⚫ User terminal
 Various terminals such as PCs, mobile phones, printers, and cameras that access the network.
⚫ Admission device
 An admission device is an authentication control point that authenticates access users and executes campus security policies to implement access control (for example, allowing or denying user access).
 Admission devices can be switches, routers, APs, VPN gateways, or security devices.
⚫ Admission server
 An admission server authenticates and authorizes users. It verifies the user identities of terminals that attempt to access the network, and grants network access rights to authenticated terminals.
 An admission server is typically an authentication server (such as a RADIUS server) or a user data source server that stores user identity information.

• A terminal agent (also known as client software) is usually installed on a user terminal. It works with an admission server to implement user identity
authentication, terminal security check, system repair and upgrade, and terminal
behavior monitoring and audit.
• Admission devices, which can be switches, routers, APs, or other network devices,
provide the following functions:
▫ User identity verification.
▫ User authentication. Admission devices can implement the commonly used
802.1X authentication, MAC address authentication, and Portal
authentication by working with the client software and admission server.
▫ User permission control.
• Admission servers include the security control server, security management
server, virus signature database server, and patch server.
▫ A security control server authenticates users, performs security audit,
executes security policies, and works with admission devices to deliver user
permissions.
▫ A security management server manages user information (including adding,
deleting, or modifying user permissions and departments), and defines and
manages security policies.
▫ A virus signature database server controls automatic update of the virus
signature database in antivirus software on terminals.
▫ A patch server controls patch installation and update for terminals'
operating systems and applications.
Fundamentals of NAC
[Figure: a terminal on the campus network sends a user identity authentication request (1) to the admission device; the admission device performs user identity authentication (2) with the admission server, which returns the user identity verification result (3); the admission device then applies user policy authorization (4).]
1. User identity authentication request
 An admission device exchanges packets with a terminal to obtain the user credential.
2. User identity authentication
 The admission device sends the user credential to the admission server for authentication.
3. User identity verification
 The admission server verifies the identity of the terminal and delivers the verification result and corresponding policy to the admission device.
4. User policy authorization
 The admission device executes the policy based on the authorization result received from the admission server.

• User identity authentication request: A terminal sends the user credential to an admission device.
• User identity authentication: The admission device sends the user credential to
the admission server for authentication.
• User identity verification: The admission server stores user identity information
and provides user management functions. After receiving the user credential, the
admission server determines whether the terminal identity is valid and delivers
the verification result and corresponding policy to the admission device.

• User policy authorization: The admission device executes the policy based on the
authorization result received from the admission server. For example, the
admission device permits or denies access from the terminal. The admission
device can also perform more complex policy-based control on the terminal, for
example, increasing or decreasing the forwarding priority or limiting the network
access rate.
Policy-based Control in NAC

⚫ Policy-based control
 Even if a terminal is authenticated and successfully accesses the network, it does not mean that the terminal can access all resources on the network. Rather, policies are used to grant terminals different network access rights based on user identities.
[Figure: authenticated employees and authenticated guests on the campus network are granted different access rights to the FTP server, web server, email server, and the Internet.]
Policy-based Authorization in NAC
[Figure: user terminals connect through admission devices. Before authentication, access is limited to the pre-authentication domain (admission server, DHCP server, DNS server). Upon authentication failures, access is limited to the isolation domain (virus signature database server, patch server, ...). After successful authentication, access is granted to the post-authentication domain (intranet with office data, R&D data, marketing data, ..., and the Internet).]

• The basic NAC process is as follows:
1. Before authentication, users can access the network with only the pre-authentication domain permissions, which include access to the access control server, DHCP server, and DNS server.
2. After terminals are successfully authenticated, the admission server
delivers network access rights to the admission device to allow users to
access resources in the post-authentication domain. For authorized but
insecure users, they are granted the rights to access resources in the
isolation domain. Only after network vulnerabilities on the terminals are
fixed, the admission server grants the rights to access resources in the
post-authentication domain to the users. In the isolation domain, users can
access resources in the pre-authentication domain to install and upgrade
terminal agent software, patches, and antivirus software.

3. Unauthorized users and users who have not completed authentication are
allowed to access resources only in the pre-authentication domain or
isolation domain.
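The domain transitions in this process, modelled as an added Python example (not from the Huawei material); the domain membership, server names and resource names are constructed sample values.

```python
"""Added example (not from the Huawei material): the NAC authorization
domains as a small state machine. A terminal starts with pre-authentication
rights only, is granted the post-authentication domain after a successful
authentication with a compliant terminal, or only the isolation domain if
authenticated but insecure, and is promoted once it has been remediated.
Domain membership and server names are constructed sample values."""
from enum import Enum


class State(Enum):
    UNAUTHENTICATED = "unauthenticated"   # before or after failed authentication
    ISOLATED = "isolated"                 # identity verified, security check failed
    AUTHORIZED = "authorized"             # identity verified, terminal compliant


# Constructed resource names for the three domains on the slide.
PRE_AUTH_DOMAIN = {"admission-server", "dhcp-server", "dns-server"}
ISOLATION_DOMAIN = {"virus-db-server", "patch-server"}
POST_AUTH_DOMAIN = {"office-data", "rd-data", "marketing-data", "internet"}

# Isolated terminals keep the pre-authentication resources so that agent
# software, patches and antivirus updates can still be fetched.
REACHABLE = {
    State.UNAUTHENTICATED: PRE_AUTH_DOMAIN,
    State.ISOLATED: PRE_AUTH_DOMAIN | ISOLATION_DOMAIN,
    State.AUTHORIZED: PRE_AUTH_DOMAIN | ISOLATION_DOMAIN | POST_AUTH_DOMAIN,
}


def is_allowed(state: State, resource: str) -> bool:
    """Admission-device decision: may a terminal in `state` reach `resource`?"""
    return resource in REACHABLE[state]


def on_authentication(credential_ok: bool, terminal_compliant: bool) -> State:
    """New state after the admission server returns the identity and security
    check results. A bad credential keeps the terminal unauthenticated."""
    if not credential_ok:
        return State.UNAUTHENTICATED
    return State.AUTHORIZED if terminal_compliant else State.ISOLATED


def on_recheck(state: State, now_compliant: bool) -> State:
    """New state after an isolated terminal is checked again; the admission
    server promotes it to the post-authentication domain once it is fixed."""
    if state is State.ISOLATED and now_compliant:
        return State.AUTHORIZED
    return state


def walk(credential_ok: bool, compliant_at_login: bool, compliant_after_fix: bool):
    """Run one terminal through the whole process and return the states it
    passes through: initial, after authentication, after the re-check."""
    first = on_authentication(credential_ok, compliant_at_login)
    return [State.UNAUTHENTICATED, first, on_recheck(first, compliant_after_fix)]
```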
802.1X MAC Portal Multi-mode

Overview of 802.1X Authentication

Introduction
• 802.1X authentication is a port-based network access control technology. That is, user identities are verified and network access rights are controlled on ports of access devices.
• 802.1X authentication uses the Extensible Authentication Protocol over LAN (EAPoL) to exchange authentication information between the client, access device, and authentication server.
[Figure: 802.1X client, access device, authentication server, and network resources.]

Networking mode
• 802.1X clients are usually user terminals. A user triggers 802.1X authentication using client software.
• An access device is usually a network device that supports 802.1X authentication. It provides a physical or logical interface for clients to access the LAN.
• An authentication server, which is typically a RADIUS server, carries out authentication, authorization, and accounting on users.

Application scenario
802.1X authentication applies to office users who have high security requirements.

• The EAP packets transmitted between the client and access device are
encapsulated in EAPoL format and transmitted across the LAN.
• Users can determine the authentication mode between the access device and
authentication server based on the client support and network security
requirements.

▫ EAP termination mode: The access device terminates EAP packets and
encapsulates them into RADIUS packets. The authentication server then
uses the standard RADIUS protocol to implement authentication,
authorization, and accounting.
▫ EAP relay mode: The access device directly encapsulates the received EAP
packets into EAP over RADIUS (EAPoR) packets, and then transmits these
packets over a complex network to the authentication server.
• EAPoL defines EAP encapsulation on IEEE 802 (such as 802.3 and 802.11)
networks. EAPoL only transmits EAP packets between 802.1X clients and access
devices, and does not implement authentication.

• Typical EAP authentication protocols include Extensible Authentication Protocol Transport Layer Security (EAP-TLS), EAP Tunneled Transport Layer Security (EAP-TTLS), EAP Protected Extensible Authentication Protocol (EAP-PEAP), and EAP Message-Digest Algorithm 5 (EAP-MD5).
802.1X Authentication Modes

⚫ An access device can process EAPoL packets sent by 802.1X clients in EAP relay or EAP termination mode.

EAP relay mode
[Figure: 802.1X client, EAPoL, access device, EAPoR (EAP over RADIUS), authentication server.]
• The access device directly encapsulates EAPoL packets sent from the 802.1X client into RADIUS packets without processing data in the EAPoL packets.
• This mode has high requirements on the authentication server.

EAP termination mode
[Figure: 802.1X client, EAPoL, access device, RADIUS, authentication server.]
• The access device extracts information from EAPoL packets, encapsulates the information into RADIUS packets, and sends the RADIUS packets to the authentication server.
• This mode has high requirements on access devices.

• EAP relay mode
▫ This mode simplifies the processing on the access device and supports
various authentication methods. However, the authentication server must
support EAP and have high processing capability.
▫ The commonly used authentication modes include EAP-TLS, EAP-TTLS, and
EAP-PEAP. EAP-TLS has the highest security because it requires a certificate
to be loaded on both the client and authentication server. EAP-TTLS and
EAP-PEAP are easier to deploy since the certificate needs to be loaded only
on the authentication server, but not the client.
• EAP termination mode
▫ This mode is advantageous in that mainstream RADIUS servers support PAP authentication and CHAP authentication, eliminating the need for a server upgrade. However, the workload on the access device is heavy because it needs to extract the client authentication information from the EAP packets sent by the client and encapsulate the information using the standard RADIUS protocol. In addition, in this mode the access device supports no EAP authentication method other than MD5-Challenge.
▫ The major difference between PAP and CHAP is that CHAP never transmits the password itself: only an MD5 hash computed over the password and a random challenge is sent, whereas PAP transmits the password in plain text. In this aspect, CHAP provides higher security and is recommended.
802.1X Authentication Process

EAP-MD5 authentication in EAP relay mode is used as an example.
[Figure: message sequence between the user terminal, access device, and authentication server.]
1. EAPoL-Start (terminal to access device): the user initiates authentication.
2. EAP-Request/Identity (access device to terminal): "What's your user name?"
3. EAP-Response/Identity (terminal to access device): "My user name is Hello."
4. RADIUS Access-Request (access device to authentication server).
5. RADIUS Access-Challenge (authentication server to access device): the server generates a random number.
6. EAP-Request/MD5-Challenge (access device to terminal).
7. EAP-Response/MD5-Challenge (terminal to access device): cipher text calculated using the password and random number.
8. RADIUS Access-Request (access device to authentication server).
9. RADIUS Access-Accept (authentication server to access device).
10. EAP-Success (access device to terminal): the port enters the authorized state.

Authentication triggering modes
• Triggered by a client: When a user starts the client and enters the user name and password, the client sends an EAP packet to the access device to trigger authentication.
• Triggered by an access device: When receiving a DHCP or ARP packet from a user terminal, the access device proactively enables the user terminal to display the client page and prompt the user to enter the user name and password. After the user name and password are entered, authentication is started.

802.1X access control
• Port-based access control: allows subsequent users on a port to access the network once a user has been authenticated on the port. When the first user goes offline, all the other users cannot use network resources.
• MAC address–based access control: requires each user on a port to be authenticated separately before granting them access to the network. When a user goes offline, other users are not affected.

• EAP relay authentication process:
1. When a user needs to access an external network, the user starts the
802.1X client, enters the applied and registered user name and password,
and initiates a connection request. The client then sends an authentication
request packet (EAPoL-Start) to the access device to start the
authentication process.
2. After receiving the authentication request packet, the access device returns
an EAP-Request/Identity packet, requesting the client to send the
previously entered user name.
3. In response to the request sent by the access device, the client sends an
EAP-Response/Identity packet containing the user name to the access
device.
4. The access device encapsulates the EAP-Response/Identity packet into a
RADIUS Access-Request packet and sends the RADIUS packet to the
authentication server.

5. After receiving the user name forwarded by the access device, the RADIUS
server searches the user name table in the local database for the
corresponding password, encrypts the password with a randomly
generated MD5 challenge, and sends a RADIUS Access-Challenge packet
containing the MD5 challenge to the access device.
6. The access device forwards the MD5 challenge received from the RADIUS
server to the client.
7. Upon receipt of the MD5 challenge, the client encrypts the password with
the MD5 challenge, generates an EAP-Response/MD5-Challenge packet,
and sends the packet to the access device.

8. The access device encapsulates the EAP-Response/MD5-Challenge packet into a RADIUS Access-Request packet and sends the RADIUS packet to the RADIUS server.
9. The RADIUS server compares the received encrypted password with the
locally encrypted password. If the two passwords match, the user is
considered valid and the RADIUS server sends a packet indicating
successful authentication (RADIUS Access-Accept) to the access device.

10. After receiving the RADIUS Access-Accept packet, the access device sends a
packet indicating successful authentication (EAP-Success) to the client,
changes the port state to authorized, and allows the user to access the
network through the port.
• In EAP termination mode, the MD5 challenge for encrypting the user password is
randomly generated by the access device, instead of the authentication server in
EAP relay mode. Besides, in EAP termination mode, the access device
encapsulates the user name, password encrypted by the client, and MD5
challenge into standard RADIUS packets, and sends the packets to the
authentication server for authentication. In EAP relay mode, in contrast, the
access device is only responsible for encapsulating EAP packets into RADIUS
packets and transparently transmitting them to the authentication server.
Basic 802.1X Authentication Configuration (1)

1. Create an 802.1X access profile and enter the 802.1X access profile view.

[Huawei] dot1x-access-profile name access-profile-name


The device uses 802.1X access profiles to uniformly manage all 802.1X access configurations. By default, the device has a built-in
802.1X access profile named dot1x_access_profile.

2. Configure an authentication mode for 802.1X users.

[Huawei-dot1x-access-profile-ProfileName] dot1x authentication-method { chap | pap | eap }


In 802.1X authentication, the device supports two authentication modes:
• EAP termination: The device parses EAP packets, encapsulates user authentication information into RADIUS packets, and sends
the packets to the RADIUS server for authentication. You can specify the chap or pap parameter to configure the
authentication mode between the device and RADIUS server.
• EAP relay: The device directly encapsulates the received EAP packets containing user authentication information into RADIUS
packets, and sends the RADIUS packets to the RADIUS server. This mechanism is also known as EAP over RADIUS (EAPoR).

Basic 802.1X Authentication Configuration (2)

3. Configure the type of packets that can trigger 802.1X authentication.
[Huawei-dot1x-access-profile-ProfileName] authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet }
After 802.1X authentication is enabled, DHCP, DHCPv6, ND, and ARP packets can trigger 802.1X authentication by default.

4. Configure Layer 2 transparent transmission of 802.1X authentication packets.

[Huawei] l2protocol-tunnel user-defined-protocol protocol-name protocol-mac protocol-mac group-mac group-mac
[Huawei-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol protocol-name enable


In the 802.1X authentication scenario, if there is a Layer 2 switch between the 802.1X-enabled access device and users, Layer 2
transparent transmission of 802.1X authentication packets must be enabled on the Layer 2 switch; otherwise, users cannot be
successfully authenticated.
• The l2protocol-tunnel user-defined-protocol command defines Layer 2 protocol packets, including the protocol name,
multicast destination MAC address (specified by protocol-mac), and replacement multicast MAC address (group-mac). For
802.1X authentication, values of the protocol-mac and group-mac parameters are 0180-c200-0003 and 0100-0000-0002,
respectively.
• The l2protocol-tunnel user-defined-protocol protocol-name enable command enables Layer 2 protocol tunneling for the defined protocol on an interface.

Summary of 802.1X Authentication

⚫ 802.1X authentication is a port-based network access control technology that encapsulates
protocol packets in EAPoL format.
⚫ You can set 802.1X authentication parameters based on the actual network requirements or
device capabilities:
 802.1X access control: interface-based or MAC address–based
 Authentication mode: EAP termination or EAP relay
 Authentication triggering mode: triggered by a client or access device
 Authentication protocol: EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-MD5

Overview of MAC Address Authentication

Introduction
• MAC address authentication controls network access rights of users based on interfaces and user MAC addresses.
• User terminals are authenticated by the authentication server based on their MAC addresses.
• By default, the switch triggers MAC address authentication on users after receiving DHCP, ARP, DHCPv6, or ND packets. You can also configure the switch to trigger MAC address authentication after receiving any data frame.

MAC address authentication process
[Figure: dumb terminal, access device, and authentication server.]
1. An ARP, DHCP, ND, or DHCPv6 packet from the dumb terminal triggers MAC address authentication on the access device.
2. The access device sends a RADIUS authentication request packet containing the user name and password to the authentication server.
3. Authentication succeeds, and the port enters the authorized state.

Networking mode
The authentication client, access device, and authentication server are deployed.

Application scenario
• User terminals do not require any client software.
• MAC address authentication applies to dumb terminals such as IP phones and printers.

• Dumb terminal: Compared with other terminals, dumb terminals have limited
functions and simple interaction modes. In this document, dumb terminals refer
to terminals whose authentication information such as user names and
passwords cannot be entered.
• By default, a MAC address without hyphens (-) is used as the user name and
password for MAC address authentication, for example, 0005e0112233.
• Passwords of MAC address authentication users can be processed using PAP or
CHAP. The following MAC address authentication process uses PAP as an
example:
1. When a terminal accesses the network, the access device detects and
learns the MAC address of the terminal, triggering MAC address
authentication.
2. The access device generates a random value (MD5 challenge), arranges
the user MAC address, password, and random value in sequence, encrypts
them using the MD5 algorithm, encapsulates the encryption results into a
RADIUS authentication request packet, and sends the packet to the
RADIUS server.
3. The RADIUS server arranges the user MAC address, password saved in the
local database, and received random value in sequence, and uses the
random value to encrypt them using the MD5 algorithm. If the encrypted
password is the same as that received from the access device, the RADIUS
server sends an authentication accept packet to the access device,
indicating that MAC address authentication is successful and the terminal
is allowed to access the network.
• Different from PAP, CHAP arranges the CHAP ID, user MAC address, and random value in sequence and encrypts them using the MD5 algorithm.
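Both the EAP-MD5 exchange (steps 5 to 9 of the 802.1X process above) and MAC address authentication in CHAP mode rest on the same MD5 challenge/response; this added Python example (not from the Huawei material) runs it from the client and the server side, with the user name "Hello" from the 802.1X example and a constructed printer MAC as the dumb terminal. It assumes the RFC 3748 / RFC 2865 layout MD5(identifier || password || challenge); the user database, password and MAC address are constructed.

```python
"""Added example (not from the Huawei material): the MD5 challenge/response
shared by EAP-MD5 in 802.1X (EAP relay mode) and by MAC address
authentication in CHAP mode, run from both the client and the server side.
Assumption: the response is MD5(identifier || password || challenge), the
layout defined for EAP-MD5 (RFC 3748) and the RADIUS CHAP-Password
attribute (RFC 2865). The user database and MAC address are constructed."""
import hashlib
import hmac
import os


def mac_auth_username(mac: str, with_hyphen: bool = False) -> str:
    """User name derived from a MAC address in the device's two formats:
    without-hyphen (the default, e.g. 0005e0112233) or with-hyphen
    (0005-e011-2233). Any separator in the input is accepted."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if with_hyphen:
        return "-".join(digits[i:i + 4] for i in range(0, 12, 4))
    return digits


def challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side (step 7): hash the identifier, password and challenge.
    The password itself never leaves the client."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class AuthServer:
    """Minimal RADIUS-like server: stores passwords, issues challenges and
    checks responses (steps 5 and 9 of the 802.1X process)."""

    def __init__(self, users: dict):
        self._users = users

    def new_challenge(self) -> bytes:
        """Fresh random number carried in RADIUS Access-Challenge."""
        return os.urandom(16)

    def verify(self, username: str, ident: int, challenge: bytes,
               response: bytes) -> bool:
        """Recompute the hash from the stored password and compare it in
        constant time; unknown users are rejected the same way as bad hashes."""
        password = self._users.get(username)
        if password is None:
            return False
        expected = challenge_response(ident, password, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(server: AuthServer, username: str, client_password: bytes,
                 ident: int = 1) -> bool:
    """Whole relayed exchange: identity -> challenge -> response -> verdict.
    The access device only forwards; it never sees the password."""
    challenge = server.new_challenge()                                # step 5
    response = challenge_response(ident, client_password, challenge)  # step 7
    return server.verify(username, ident, challenge, response)        # step 9


# Constructed user database: the 802.1X user "Hello" from the slide and a
# printer whose MAC (without hyphens) is both user name and password.
PRINTER_MAC = "0005-e011-2233"
USERS = {
    "Hello": b"correct horse battery staple",
    mac_auth_username(PRINTER_MAC): mac_auth_username(PRINTER_MAC).encode(),
}
```

For a MAC-based user the password is the MAC address itself, so the response proves only possession of a value that is visible on the wire anyway; this is why the material pairs MAC address authentication with dumb terminals and keeps 802.1X with EAP-TLS, EAP-TTLS or EAP-PEAP for office users.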
MAC Address Authentication Configuration (1)

1. Create a MAC access profile and enter the MAC access profile view.

[Huawei] mac-access-profile name access-profile-name


The device uses MAC access profiles to uniformly manage access configurations of MAC address
authentication users. By default, the device has a built-in MAC access profile named mac_access_profile.

2. Configure an authentication mode for MAC address authentication users.

[Huawei-mac-access-profile-ProfileName] mac-authen authentication-method { chap | pap }


By default, PAP authentication is used.
During MAC address authentication, the access device and authentication server exchange RADIUS packets
in either PAP or CHAP mode. CHAP is more secure than PAP.

3. Configure the type of packets that can trigger MAC address authentication.

[Huawei-mac-access-profile-ProfileName] authentication trigger-condition { dhcp | arp | dhcpv6 | nd | any-l2-packet }
By default, DHCP, ARP, DHCPv6, and ND packets can trigger MAC address authentication.

MAC Address Authentication Configuration (2)

4. Configure the user name format for MAC address authentication.

[Huawei-mac-access-profile-ProfileName] mac-authen username { fixed username [ password cipher password ] | macaddress [ format { with-hyphen | without-hyphen } [ password cipher password ] ] }
• fixed username specifies a fixed user name for MAC address authentication. If no password is configured,
users can log in without a password, which is not recommended.
• macaddress specifies the MAC addresses of users as user names for MAC address authentication. If no
password is configured, the MAC address of a user is used as the password. When local authentication is used,
a password must be configured.
▫ with-hyphen: indicates that the MAC address contains delimiters.
▫ without-hyphen: indicates that the MAC address does not contain delimiters.

Overview of Portal Authentication

Introduction
• Portal authentication is also known as web authentication. Users enter their user names and passwords on the web authentication page for identity authentication.
• Users can access the authentication page in either of the following ways:
▫ Proactive authentication: Users proactively access the Portal authentication website through browsers.
▫ Redirect authentication: When the access address entered by a user is not the address of the Portal authentication website, the access device forcibly redirects the user to the Portal authentication website.
[Figure: client, access device, Portal server, and authentication server.]

Networking mode
The authentication client, access device, Portal server, and authentication server are deployed.

Application scenario
Portal authentication does not require dedicated client software. Therefore, it is primarily used in access scenarios without client software or guest access scenarios.

• Client: In most cases, a client is a host where an HTTP/HTTPS-capable browser is installed.
• Access device: a network device such as a switch or router, which provides the following functions:
▫ Redirects all HTTP and HTTPS requests of users on authentication subnets to the Portal server before authentication is performed.
▫ Interacts with the Portal server and authentication server to implement user authentication, authorization, and accounting.
▫ Grants users access to specified network resources upon successful authentication.
• Portal server: a server system that receives authentication requests from clients, provides Portal services and authentication pages, and exchanges client authentication information with access devices.
• Authentication server: interacts with access devices to implement user authentication, authorization, and accounting.
• Portal authentication has the following advantages:
▫ Ease of use: In most cases, Portal authentication authenticates a user on a web page, without any additional software required on the client.
▫ Convenient operations: Portal authentication allows for value-added services on the web page, including advertisement push and enterprise publicity.
▫ Mature technology: Portal authentication has been widely used on networks of carriers, fast food chains, hotels, and schools.
▫ Flexible deployment: Portal authentication implements access control at the access layer or at the ingress of key data.
▫ Flexible user management: Portal authentication can be performed on users based on the combination of user names and any one of VLANs, IP addresses, and MAC addresses.
Overview of the Portal Authentication Process

[Figure: message sequence between the client, Portal server, access device, and authentication server.]
1. Establish a pre-connection (required only for Layer 2 networking).
2. Send an HTTP connection request.
3. Redirect the HTTP request to the Portal server.
4. Send an HTTP connection request.
5. Return the Portal page.
6. Send a Portal authentication request.
7. Perform authentication using either protocol: Portal-based Portal authentication or HTTP/HTTPS-based Portal authentication.

Portal authentication modes
• When the client and access device are connected through a Layer 2 network, configure Layer 2 Portal authentication.
• When the client and access device are connected through a Layer 3 network, configure Layer 3 Portal authentication.

Portal access protocols
The HTTP/HTTPS protocol is used between the client and Portal server.

Portal authentication protocols
• The Portal protocol is used between the Portal server and access device.
• The HTTP/HTTPS protocol is used between the client and access device.

• Select a Portal authentication mode based on the actual network requirements.
▫ When Layer 2 authentication is used, the device can learn users' MAC
addresses and identify the users based on their MAC addresses and IP
addresses. Layer 2 authentication provides a simple authentication process
while ensuring high security. However, users must be in the same network
segment as the access device, causing inflexible networking.
▫ When Layer 3 authentication is used, the device cannot obtain the MAC
address of a client, so it identifies the user based only on the client IP
address. Layer 3 authentication allows for flexible networking and
facilitates remote control. However, users can only be identified based on
their IP addresses, leading to poor security.

• The Portal authentication process is as follows:


1. Before authentication, the client establishes a pre-connection with the
access device. The access device creates a user online entry for the client
and grants the client access to certain network resources. The Layer 3
authentication process is similar to the Layer 2 authentication process,
except that no pre-connection is established between the client and access
device.
2. The client initiates an HTTP connection request.
3. Upon receipt of the HTTP connection request packet, the access device
determines whether to permit the packet. If the HTTP packet is destined
for the Portal server or a publicly available network resource, the access
device permits the packet. If the HTTP packet is destined for other
addresses, the access device sends the uniform resource locator (URL) of
the Portal authentication page to the client.
4. The client sends an HTTP connection request to the Portal server based on
the obtained URL.

5. The Portal server returns the Portal authentication page to the client.
6. The user enters the user name and password on the Portal authentication
page. The client then sends a Portal authentication request to the Portal
server.

7. The parameters such as the user name and password are transmitted
according to the protocol interaction process defined by different
authentication protocols.

Portal Authentication Process: Using the Portal Protocol


[Figure: Portal-based Portal authentication between the client, Portal server, access device and authentication server]
6. Send a Portal authentication request.
7. Send a Portal challenge request.
8. Return a Portal challenge response.
9. Send a Portal authentication request.
10. Exchange RADIUS authentication and accounting information.
11. Send the Portal authentication result.
12. Notify the user of the authentication result.
13. Acknowledge the authentication result.

Authentication protocol: Portal
• The Portal protocol is used between the Portal server and access device for transmitting parameters such as the user name and password. Generally, the Portal protocol is recommended.
• This protocol has the following features:
▫ Adopts the client/server model and runs based on UDP.
▫ Supports CHAP authentication (more secure) and PAP authentication.
▫ Uses packets with attribute information such as the user name, password, and MAC address encapsulated in TLV format.


• The following uses CHAP authentication as an example to describe the Portal-based Portal authentication process:
7. After receiving the Portal authentication request, the Portal server sends a
Portal challenge request packet to the access device. This step is performed
only when CHAP authentication is used between the Portal server and
access device. If PAP authentication is used, steps 7 and 8 are not
performed.

8. The access device sends a Portal challenge response packet to the Portal
server.
9. The Portal server encapsulates the entered user name and password into a
Portal authentication request packet and sends the packet to the access
device.
10. The access device and RADIUS server exchange user information to
authenticate the user, including:

▪ The access device encapsulates the entered user name and password
into a RADIUS authentication request packet and sends the packet to
the RADIUS server.
▪ The RADIUS server authenticates the user name and password. If
authentication succeeds, the RADIUS server sends an authentication
accept packet to the access device. If authentication fails, the RADIUS
server sends an authentication reject packet to the access device. The
authentication accept packet also contains user authorization
information because RADIUS authorization is combined with
authentication.

▪ The access device permits or denies the user access according to the
authentication result. If the user access is permitted, the access device
sends an accounting start request packet to the RADIUS server.

▪ The RADIUS server replies with an accounting start response packet, starts accounting, and adds the user to the local online user list.

11. The access device sends the Portal authentication result to the Portal
server and adds the user to the local online user list.
12. The Portal server sends the Portal authentication result to the client to
inform the client of successful authentication and adds the user to the
local online user list.
13. The Portal server sends an authentication acknowledgment packet to the
access device.

• Note: If the built-in Portal server function of an access device is used for Portal
authentication, only the Portal protocol is supported.
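As an added illustration (not Huawei code) of why the slide calls CHAP the more secure option, the following Python code walks through steps 7 to 10 with CHAP and contrasts it with PAP. It assumes the Portal protocol's CHAP mode follows standard RFC 1994 CHAP (response = MD5(CHAP-ID || password || challenge)) and leaves out the Portal packet framing and the RADIUS attributes.

```python
"""CHAP vs PAP between the Portal server and the access device, as an added
illustration of steps 7-10 of Portal-protocol authentication; not Huawei code.
Assumption: the Portal protocol's CHAP mode follows RFC 1994, i.e.
response = MD5(CHAP-ID || password || challenge). Packet framing and the
RADIUS CHAP-Password/CHAP-Challenge attributes are left out."""
import hashlib
import hmac
import os


def new_challenge(size: int = 16) -> bytes:
    """Step 8: the access device answers the challenge request with a fresh
    random challenge. Reusing a challenge would let a captured response be
    replayed, so one is generated per authentication."""
    return os.urandom(size)


def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """Step 9: the Portal server derives the value carried in the Portal
    authentication request. The password itself stays on the Portal server."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def verify_chap(chap_id: int, challenge: bytes, response: bytes,
                stored_password: str) -> bool:
    """Step 10: the RADIUS server recomputes the response from the stored
    password and compares in constant time. CHAP needs the clear password on
    the server side, so it cannot verify against a one-way password hash."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def pap_wire_value(password: str) -> bytes:
    """PAP: the password itself is what travels between Portal server and
    access device; only transport protection, if any, hides it."""
    return password.encode()


def portal_chap_exchange(password: str, stored_password: str,
                         chap_id: int = 1):
    """Run one Portal CHAP round; returns (accepted, challenge, response)."""
    challenge = new_challenge()
    response = chap_response(chap_id, password, challenge)
    accepted = verify_chap(chap_id, challenge, response, stored_password)
    return accepted, challenge, response
```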

Portal Authentication Process: Using the HTTP/HTTPS Protocol
[Figure: HTTP/HTTPS-based Portal authentication between the client, Portal server, access device and authentication server]
6. Send a Portal authentication request.
7. Instruct the client to send an authentication request to the access device.
8. Send an authentication request (HTTP/HTTPS), for example http://Portal.example.com/login?userName=test&password=Huawei@123.
9. Exchange RADIUS authentication and accounting information.
10. Return the Portal authentication result.

Authentication protocol: HTTP/HTTPS
• The HTTP/HTTPS protocol is used between a client and an access device for transmitting parameters such as the user name and password. If the Portal server does not support the Portal protocol, use HTTP/HTTPS as the authentication protocol.
• The client directly sends user information to the access device in HTTP request mode. Currently, the POST and GET request methods are supported.
▫ POST (supported by default): The requested data is stored in the body of an HTTP request packet and is not a part of a URL.
▫ GET: The requested data is appended to a URL and separated from the URL by a question mark (?). The data is a part of the URL, so it is visible to all users.


• HTTPS is a secure form of HTTP, also known as HyperText Transfer Protocol over
Transport Layer Security (HTTP over TLS) or HyperText Transfer Protocol over
Secure Socket Layer (HTTP over SSL). HTTPS uses HTTP for communication and
SSL/TLS for data encryption.
• A URL is a concise representation of the location and access method of a
resource that can be obtained from the Internet. It is the address of a standard
resource on the Internet. Each file on the Internet has a unique URL. The URL
contains information about the location of the file and how a browser should
process the file.
• When HTTP/HTTPS-based Portal authentication is used, the authentication
process is as follows:
1. The Portal server instructs the client to send a Portal authentication
request to the access device.
2. The client sends a Portal authentication request to the access device.
3. After receiving the Portal authentication request, the access device parses
the packet according to parameter names to obtain parameters such as
the user name and password, and then sends the obtained user name and
password to the RADIUS server for authentication. The process is similar to
the Portal-based Portal authentication.
4. The access device returns the Portal authentication result to the client and
adds the user to the local online user list.
• As shown in the figure, an HTTP request is sent in GET mode:
http://Portal.example.com/login?userName=test&password=Huawei@123. You
can see that the user name and password are in plain text and are separated
from the URL path by a question mark (?).
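As an added illustration that is not part of the training material, the following Python code parses a Portal login request the way step 3 above describes, for both the GET and the POST form, and reports whether the credentials travelled in the URL. The two requests are constructed samples using the userName and password parameters from the slide.

```python
"""Extract the Portal login parameters from an HTTP request the way the
access device does in HTTP/HTTPS-based Portal authentication (step 3 above).
Added illustration, not Huawei code. The parameter names userName and
password and the sample values are those from the slide; the two requests
below are constructed, not captured."""
from urllib.parse import urlsplit, parse_qs

# Constructed GET request: the credentials sit in the request line.
GET_REQUEST = (
    "GET /login?userName=test&password=Huawei@123 HTTP/1.1\r\n"
    "Host: Portal.example.com\r\n"
    "\r\n"
)
# Constructed POST request (the default method): the credentials sit in the body.
POST_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: Portal.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n"
    "\r\n"
    "userName=test&password=Huawei@123"
)


def parse_portal_login(raw: str) -> dict:
    """Return the method, the request line, the parsed user name and password,
    and whether the credentials were carried in the URL.

    The request line is what web-server, proxy and browser-history logs
    record, so with GET the password ends up in those logs; with POST only
    the body carries it."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "GET":
        params = parse_qs(urlsplit(target).query)
        credentials_in_url = True
    elif method == "POST":
        if headers.get("content-type") != "application/x-www-form-urlencoded":
            raise ValueError("unsupported POST body encoding")
        length = int(headers.get("content-length", "0"))
        params = parse_qs(body[:length])
        credentials_in_url = False
    else:
        raise ValueError(f"unsupported method {method}")

    # parse_qs yields a list per name; exactly one value is expected here.
    username = params.get("userName", [])
    password = params.get("password", [])
    if len(username) != 1 or len(password) != 1:
        raise ValueError("userName or password missing or repeated")
    return {"method": method, "request_line": request_line,
            "username": username[0], "password": password[0],
            "credentials_in_url": credentials_in_url}
```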

Portal Authentication Configuration - Configuring an External Portal Server (1)
1. Enable Portal interconnection using the HTTP/HTTPS protocol.

[Huawei] portal web-authen-server { http | https ssl-policy policy-name } [ port port-number ]


When HTTP/HTTPS-based Portal authentication is used, you need to enable Portal interconnection using the HTTP/HTTPS protocol
on the device. If HTTPS is used, you also need to specify an SSL policy name.

2. Create a Portal server template and enter the Portal server template view.

[Huawei] web-auth-server server-name


A Portal server template is used to uniformly configure parameters of an external Portal server, such as the IP address and URL of
the Portal server.

3. Configure the protocol used for Portal authentication.

[Huawei-web-auth-server-ServerName] protocol { http [ password-encrypt { none | uam } ] | portal }


You can configure the HTTP/HTTPS or Portal protocol for Portal authentication based on your network requirements.


Portal Authentication Configuration - Configuring an External Portal Server (2)
4. Configure parameters for the Portal server when the Portal protocol is used for Portal authentication.

[Huawei-web-auth-server-ServerName] server-ip server-ip-address &<1-10>

[Huawei-web-auth-server-ServerName] source-ip ip-address

[Huawei-web-auth-server-ServerName] shared-key cipher key-string

[Huawei-web-auth-server-ServerName] url url-string


Command functions:
• server-ip: configures the IP address of the Portal server.
• source-ip: configures the IP address used by the device to communicate with the Portal server.
• shared-key: configures the shared key used by the device to exchange information with the Portal server.
• url: configures a redirect URL or pushed URL to be sent to access terminals.

5. Configure parameters for the Portal server when the HTTP/HTTPS protocol is used for authentication.

[Huawei-web-auth-server-ServerName] url url-string


Only the URL of the Portal server needs to be configured.


Portal Authentication Configuration - Configuring a Portal Access Profile
1. Create a Portal access profile and enter the Portal access profile view.

[Huawei] portal-access-profile name access-profile-name


The device uses Portal access profiles to uniformly manage all access configurations of Portal users.
By default, the device has a built-in Portal access profile named portal_access_profile.

2. Configure a Portal server template used by the Portal access profile.


[Huawei-portal-access-profile-ProfileName] web-auth-server server-name { direct | layer3 }
When a user in the Portal access profile accesses restricted network resources, the HTTP request of the user is forcibly redirected
to the authentication page of the Portal server for Portal authentication.
• If there is no Layer 3 forwarding device between the user and device (authentication point), specify the direct parameter to
enable Layer 2 Portal authentication. In this mode, the device identifies users based on their IP addresses and MAC addresses.
• When a Layer 3 forwarding device exists between the user and device, specify the layer3 parameter to enable Layer 3 Portal
authentication. In this mode, the device identifies users based only on their IP addresses.


Comparison Between User Authentication Technologies


⚫ Huawei NAC solution supports various user authentication technologies, including 802.1X
authentication, MAC address authentication, and Portal authentication. Authentication points can be
flexibly deployed on network devices such as access switches, aggregation switches, access controllers
(ACs), routers, and firewalls to implement NAC by working with iMaster NCE-Campus.
Item | 802.1X Authentication | Portal Authentication | MAC Address Authentication
Client software | Required | Not required | Not required
Advantage | High security | Flexible deployment | Client software not required
Disadvantage | Inflexible deployment | Low security | MAC address registration required, making management complicated
Application scenario | New network with concentrated users and high requirements for security | Scenario with scattered and moving users | Access authentication of dumb terminals such as printers and fax machines

MAC Address Bypass Authentication


⚫ 802.1X authentication, MAC address authentication, and Portal authentication have their own
characteristics. You can use multi-mode authentication to meet authentication requirements in
different scenarios.

[Figure: MAC address bypass authentication between terminals, access device and authentication server]
1. Send traffic.
2. Trigger 802.1X authentication.
3. Perform 802.1X authentication. If 802.1X authentication times out, MAC address authentication is performed.
4. Perform MAC address authentication.

• Dumb terminals such as printers and fax machines do not support 802.1X authentication. When both PCs and dumb terminals are connected to an interface of an access device, you can configure MAC address bypass authentication to allow the dumb terminals to access the network using MAC address authentication.
• MAC address bypass authentication takes a longer period of time than MAC address authentication because it has an additional 802.1X authentication stage.


MAC Address-Prioritized Portal Authentication


[Figure: MAC address-prioritized Portal authentication between the terminal, access device, Portal server and RADIUS server]
1. Send HTTP traffic when a user browses a web page.
2. Perform MAC address authentication, which fails.
3. Redirect the user's HTTP request to the Portal authentication page.
4. Perform Portal authentication, which succeeds.
5. The user logs out.
6. The user continues to access the network within the validity period of the MAC address.
7. Perform MAC address authentication, which succeeds because the user's MAC address has been cached on the RADIUS server.
8. The user accesses the network without the need of re-authentication.

Background
If a user who has passed Portal authentication disconnects from the network, the user needs to enter the user name and password again to reconnect to the network. This results in low user experience.

MAC address-prioritized Portal authentication
• MAC address-prioritized Portal authentication is introduced to resolve this problem. With this function, users no longer need to enter their user names and passwords again to reconnect to the network within the validity period of terminal MAC addresses.
• To use this function, configure MAC address authentication and Portal authentication on the access device, and enable MAC address-prioritized Portal authentication and set the MAC address validity period on the authentication server.


• After passing Portal authentication, terminals may be disconnected from the
wireless network when they move from one wireless signal coverage area to
another or when the wireless signal is unstable. In this case, users need to enter
their user names and passwords for identity authentication every time the
terminals go online, leading to poor network access experience. MAC address-
prioritized Portal authentication is used to resolve this problem. Generally, there
is no need to enable MAC address-prioritized Portal authentication on wired
networks that provide stable signals.
Contents

1. Overview of NAC

2. User Authentication Technologies

3. User Authorization and Logout

4. NAC Configuration

5. Policy Association

User Authorization User Logout

Authorization After Successful Authentication


⚫ Authentication checks whether the identity of a user who attempts to access the network is valid. Authorization
specifies the network access rights that the authorized user can have, that is, the accessible resources.
⚫ Using RADIUS server authorization as an example, the typical authorization information includes:
▫ VLAN: To prevent unauthenticated users from accessing restricted network resources, the restricted network resources and
unauthenticated users are divided into different VLANs. After a user is authenticated, the RADIUS server delivers an authorized
VLAN to the user.
▫ ACL: After a user is authenticated, the RADIUS server assigns an authorized ACL to the user. Then, the access device controls the
user packets according to the ACL.
▫ UCL group: A User Control List (UCL) group is a collection of network terminals such as PCs and smartphones. The
administrator can add users who have the same network access requirements to one UCL group, and configure network access
policies for the UCL group. Compared with the solution in which access control policies are deployed for each user, the UCL
group-based access control solution greatly reduces the administrator's workload.


• When the RADIUS server is used, the authentication accept packet also contains
user authorization information because RADIUS authorization is combined with
authentication.

• VLAN-based authorization by the RADIUS server:


▫ After a user is authenticated, the RADIUS server delivers an authorized
VLAN to the user. The access device then changes the VLAN to which the
user belongs to the authorized VLAN, with the interface configuration
remaining unchanged. The authorized VLAN has a higher priority than the
VLAN configured on the interface. That is, the authorized VLAN takes effect
after the authentication succeeds, and the configured VLAN takes effect
when the user is offline.

• The RADIUS server can assign an authorized ACL to a user in either of the
following modes:

▫ Static ACL assignment: The RADIUS server uses the standard RADIUS
attribute Filter-Id to assign an ACL ID to the user. In this mode, the ACL
and corresponding rules are configured on the access device in advance.

▫ Dynamic ACL assignment: The RADIUS server uses the Huawei extended
RADIUS attribute HW-Data-Filter to assign an ACL ID and corresponding
rules to the user. In this mode, the ACL ID and ACL rules are configured on
the RADIUS server.
• The RADIUS server assigns an authorized UCL group to a user in either of the
following modes:
▫ Assigns the UCL group name through the standard RADIUS attribute Filter-
Id.
▫ Assigns the UCL group ID through the Huawei extended RADIUS attribute
HW-UCL-Group.

▫ You must configure the UCL group and corresponding network access
policies on the access device in advance, regardless of which UCL group
authorization mode is used.
• RADIUS is a fully extensible protocol. The No. 26 attribute (Vendor-Specific)
defined in RFC 2865 can be used to extend RADIUS to implement the functions
not supported by standard RADIUS attributes. For details about Huawei extended
RADIUS attributes, see the product documentation.
• For more information, see the Free Mobility course.
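As an added illustration (not Huawei code) of the authorization attributes described above, the following Python code builds and decodes the RFC 2865 attribute part of a constructed Access-Accept carrying an authorized VLAN, a Filter-Id and Huawei Vendor-Specific attributes. The standard attribute numbers and Huawei's IANA enterprise number 2011 are real; the HW-Data-Filter and HW-UCL-Group sub-type numbers are placeholders, since the course refers you to the product documentation for them.

```python
"""Decode the authorization data a RADIUS Access-Accept can carry, as an
added illustration of the VLAN, ACL and UCL-group authorization described
above; not Huawei code. Attribute numbers are from RFC 2865/2868/3580
(Filter-Id 11, Vendor-Specific 26, Tunnel-Type 64, Tunnel-Medium-Type 65,
Tunnel-Private-Group-ID 81); Huawei's IANA enterprise number is 2011.
The vendor sub-type numbers for HW-Data-Filter and HW-UCL-Group are NOT on
the slide; the values below are placeholders."""
import struct

FILTER_ID, VENDOR_SPECIFIC = 11, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
HUAWEI_VENDOR_ID = 2011
HW_DATA_FILTER_SUBTYPE = 0xFE   # placeholder; see the product documentation
HW_UCL_GROUP_SUBTYPE = 0xFD     # placeholder; see the product documentation


def avp(attr_type: int, value: bytes) -> bytes:
    """One RFC 2865 attribute: Type(1) Length(1, includes the header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def huawei_vsa(sub_type: int, value: bytes) -> bytes:
    """Vendor-Specific: Vendor-Id(4) followed by vendor Type/Length/Value."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID)
               + struct.pack("!BB", sub_type, len(value) + 2) + value)


def tunnel_attr(attr_type: int, value: bytes, tag: int = 0) -> bytes:
    """Tunnel attributes (RFC 2868) carry a leading tag byte."""
    return avp(attr_type, bytes([tag]) + value)


def parse_attributes(data: bytes):
    """Yield (type, value) pairs; refuse lengths that run past the buffer."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def authorization_from_accept(attrs: bytes) -> dict:
    """Collect the authorization items the access device acts on."""
    out = {"vlan": None, "filter_id": None, "ucl_group": None, "data_filter": []}
    tunnel = {}
    for attr_type, value in parse_attributes(attrs):
        if attr_type == FILTER_ID:
            # Static ACL assignment (ACL ID) or a UCL group name, per the notes above
            out["filter_id"] = value.decode()
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tunnel[attr_type] = value[1:]          # drop the tag byte
        elif attr_type == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] != HUAWEI_VENDOR_ID:
                continue                           # another vendor's VSA: ignore
            for sub_type, sub_value in parse_attributes(value[4:]):
                if sub_type == HW_UCL_GROUP_SUBTYPE and len(sub_value) == 4:
                    out["ucl_group"] = struct.unpack("!I", sub_value)[0]
                elif sub_type == HW_DATA_FILTER_SUBTYPE:
                    out["data_filter"].append(sub_value.decode())
    # RFC 3580 VLAN assignment: Tunnel-Type=VLAN(13), Medium=IEEE-802(6),
    # Tunnel-Private-Group-ID = the VLAN ID as a string
    if (tunnel.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            and tunnel.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
            and TUNNEL_PRIVATE_GROUP_ID in tunnel):
        out["vlan"] = int(tunnel[TUNNEL_PRIVATE_GROUP_ID].decode())
    return out


# Constructed Access-Accept attributes (not captured traffic): authorized VLAN 200,
# ACL 3001 via Filter-Id, and placeholder Huawei VSAs with a constructed rule.
SAMPLE_ACCEPT_ATTRS = (
    tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    + tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, b"200")
    + avp(FILTER_ID, b"3001")
    + huawei_vsa(HW_UCL_GROUP_SUBTYPE, struct.pack("!I", 10))
    + huawei_vsa(HW_DATA_FILTER_SUBTYPE, b"rule permit ip destination 192.168.101.0 0.0.0.255")
)
```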

Authentication-Free and Authentication Event Authorization


Authentication-free (free-rule)
Before being authenticated, users need to obtain some network access rights to meet basic network access requirements such as downloading the 802.1X client and updating the virus signature database.
Authentication-free rule profile (free-rule-template):
• Method 1: common authentication-free rule, which is determined by parameters such as the IP address, MAC address, source interface, and VLAN.
• Method 2: Associate an ACL.
[Figure: a terminal without authentication is able to access software server 192.168.1.1 through the access device. Users are allowed to access 192.168.1.1 to download client software before being authenticated.]

Authentication event authorization
Users require certain rights when encountering different events (such as pre-authentication, authentication failure, and authentication server failure) during authentication.
Authorization parameters:
• VLAN: Users are granted the permission to access resources in a specified VLAN.
• User group (UCL group): Network access rights are assigned to a user group with members having the same network access requirements.
• Service scheme: Parameters such as the UCL group, VLAN, and QoS profile can be bound to a service scheme.
[Figure: a terminal whose authentication fails is able to access virus signature database server 192.168.1.1 through the access device. Users are allowed to access 192.168.1.1 to update the virus signature database even when authentication fails.]


• When an authentication-free rule is configured using an ACL, the ACL number is
in the range from 6000 to 6031.
• The NAC escape mechanism grants specified network access rights to users when
the authentication server is Down or to users who fail the authentication or are
in pre-connection state. The escape solutions vary according to the
authentication modes. Some escape solutions are shared by all authentication
modes, while some are supported only in specific authentication modes. For
details, see "NAC Escape Mechanism" in the product documentation.

User Logout
⚫ When users go offline but the access device, RADIUS server, and Portal server do not detect the user logout events,
the following problems may occur:
▫ The RADIUS server still performs accounting for the users, causing incorrect accounting.
▫ Unauthorized users may spoof IP addresses and MAC addresses of authorized users to access the network.
▫ If there are many offline users, these users are still counted as access users of the device. As a result, other users may fail to
access the network.
⚫ The access device needs to detect user logout immediately, delete the user entry, and request the RADIUS server to
stop accounting.
⚫ User logout may occur in the following situations:
▫ A client logs out proactively.
▫ An access device controls user logout.
▫ The server forces a user to go offline.


• Note:
▫ MAC address authentication supports only user logout control by the access
device and server.
▫ Portal authentication allows both the authentication server and Portal
server to control user logout.
User Access Authentication Configuration Roadmap
[Figure: user access authentication configuration roadmap]
1. Configure an access profile: an 802.1X access profile (dot1x-access-profile), a MAC access profile (mac-access-profile), a Portal access profile (portal-access-profile), and so on.
2. Configure an authentication profile and bind the access profile to it. The authentication profile covers the authentication mode (including the access profile), user authorization, and extended functions.
3. Apply the authentication profile to an interface or VAP profile to enable NAC.
Configure AAA: configure a RADIUS server template or a local user, configure AAA schemes (authentication scheme, authorization scheme, accounting scheme, ...), and bind them to a domain. Users are authenticated in the corresponding domain.

• VAP indicates a virtual access point.


• VAP profile: Configure WLAN parameters in a VAP profile, and bind the VAP
profile to an AP group or AP. Then, a VAP is generated on the AP to provide
wireless access services for STAs.
Authentication Profile Configuration (1)
1. Create an authentication profile and enter the authentication profile view.

[Huawei] authentication-profile name authentication-profile-name


You can configure parameters in an authentication profile to implement varying access control for different users on the device.
After configuring an authentication profile, apply it to an interface or a VAP profile to enable NAC.

2. Bind an access profile to an authentication profile.

[Huawei-authen-profile-ProfileName] dot1x-access-profile access-profile-name

[Huawei-authen-profile-ProfileName] mac-access-profile access-profile-name

[Huawei-authen-profile-ProfileName] portal-access-profile access-profile-name


You can bind an access profile of the required type to an authentication profile. When more than one access profile is bound to an
authentication profile, multi-mode authentication is used. There is no limitation on the sequence of binding access profiles. The
device triggers authentication of a specific type based on the authentication packet received. You can bind one 802.1X access
profile, one MAC access profile, and one Portal access profile to the same authentication profile at most.

Authentication Profile Configuration (2)
3. Enable MAC address bypass authentication.

[Huawei-authen-profile-ProfileName] authentication dot1x-mac-bypass


MAC address bypass authentication combines 802.1X authentication and MAC address authentication. Before enabling this
function in an authentication profile, ensure that an 802.1X access profile and a MAC access profile have been bound to the
authentication profile.

4. Configure a default domain or forcible domain for users.

[Huawei-authen-profile-ProfileName] access-domain domain-name [ dot1x | mac-authen | portal ] * [ force ]


The device manages users in domains. force configures a forcible domain. If this parameter is not specified, a default domain is
configured. The dot1x, mac-authen, and portal parameters specify the type of users for whom a default domain or forcible
domain is configured.
• When a default domain is configured, the device authenticates users based on the domain names contained in the user names. If a user name does
not contain any domain name, the device authenticates the user in the default domain.

• When a forcible domain is configured, the device authenticates users in the forcible domain, regardless of whether the user names contain domain
names.

Extended Function: Configuring Static Users
⚫ During network deployment, static IP addresses are assigned to dumb terminals such as printers, which
can be configured as static users for flexible authentication.
1. Configure parameters such as the IP address range, domain name, connected interface, and VLAN for a static user.
[Huawei] static-user start-ip-address [ end-ip-address ] [ domain-name domain-name | interface interface-type interface-number | mac-address mac-address | vlan vlan-id ] *

2. Configure parameters such as the user name and password of the static user.
[Huawei] static-user username macaddress format { with-hyphen [ normal ] [ colon ] | without-hyphen } [ uppercase ] [ password-with-macaddress ]

[Huawei] static-user username format-include { ip-address | mac-address | system-name }

[Huawei] static-user password cipher password

⚫ After a static user is configured, you can enable 802.1X authentication, MAC address authentication, or
Portal authentication on the interface connected to the user. Then, the device uses static user
information such as the user IP address as the user name for authentication.

• After a static user is configured, the device preferentially uses the user name and
password of the static user to authenticate the user when detecting that the user
information matches the parameters such as the IP address range and domain
name configured for the static user. If the authentication fails, the device
performs 802.1X, MAC address, or Portal authentication on the user.

• You can run the static-user username macaddress format command to specify
the MAC address of a terminal as the user name and password for
authentication, as well as the user name format. This command has a higher
priority than the static-user username format-include and static-user
password cipher password commands.
• The static-user username format-include and static-user password commands
are used to configure the user name and password of a static user respectively.
• By default (the S5731 is used as an example):

▫ The user name of a static user is a combination of [system-name] and [ip-address]. For example, when the system name of an access device is
huawei and the user IP address is 1.1.1.1, then the static user name is
huawei1.1.1.1.
▫ The password of a static user is not configured.
Applying NAC
⚫ An authentication profile is used to manage NAC configurations in a unified manner. To enable NAC,
apply an authentication profile to an interface or VAP profile. This implements access control on users
connected to the corresponding interface or VAPs.
⚫ The authentication method for users is determined by the access profile bound to the authentication
profile.

1. Enter the interface view or VAP profile view.

2. Apply the configured authentication profile. The following uses GE0/0/1 as an example.

[Huawei-GigabitEthernet0/0/1] authentication-profile authentication-profile-name


The authentication-profile command applies an authentication profile to an interface or VAP profile.
By default, no authentication profile is applied to an interface or VAP profile. Different types of interfaces or VAP profiles
may support different NAC functions. For details, see the product documentation.

Configuration Example: Networking Requirements and
Authentication Planning
[Figure: campus egress; SW1 connects the intranet, the authentication server 192.168.100.100 and the intranet server cluster 192.168.101.0/24; aggregation switch SW2 uplinks through GE0/0/3 and connects SW3 and SW4 through GE0/0/1 and GE0/0/2; SW3 and SW4 uplink through GE0/0/1 and connect terminals through GE0/0/2 and GE0/0/3]

Networking requirements
To enhance network security, an enterprise requires that all terminals (such as PCs, printers, and IP phones) be authenticated before accessing the network.
The enterprise network has the following characteristics:
• Access switches do not support 802.1X authentication.
• The enterprise network is small in scale and does not have any branches.
• The enterprise has no more than 1000 employees. A maximum of 2000 terminals, including guest terminals, access the network every day.
• Dumb terminals, such as IP phones and printers, are connected to the enterprise network.

Authentication planning
• Deploy 802.1X authentication control points on the aggregation switch.
• Deploy MAC address authentication for access of dumb terminals.
• The authenticated users can access the intranet server cluster.
Configuration Example: Data Plan

RADIUS server
• IP address: 192.168.100.100
Intranet server cluster
• Network segment: 192.168.101.0/24
Aggregation switch (SW2)
• VLAN to which the uplink interface GE0/0/3 belongs: VLAN 100
• VLAN to which downlink interfaces GE0/0/1 and GE0/0/2 belong: VLAN 200
Access switches (SW3 and SW4)
• User VLAN ID: 200
RADIUS scheme
• Authentication server IP address: 192.168.100.100
• Authentication server port number: 1812
• Accounting server IP address: 192.168.100.100
• Accounting server port number: 1813
• Shared key of the RADIUS server: Huawei@123
• Authentication domain: nac
ACL number of the post-authentication domain
• 3001
Configuration Example: Procedure (1)
1. Enable network connectivity.
2. Configure transparent transmission of 802.1X packets. SW3 is used as an example.
[SW3] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[SW3] interface gigabitethernet 0/0/1
[SW3-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
[SW3-GigabitEthernet0/0/1] bpdu enable
[SW3-GigabitEthernet0/0/1] quit
[SW3] interface gigabitethernet 0/0/2
[SW3-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
[SW3-GigabitEthernet0/0/2] bpdu enable
[SW3-GigabitEthernet0/0/2] quit
[SW3] interface gigabitethernet 0/0/3
[SW3-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1X enable
[SW3-GigabitEthernet0/0/3] bpdu enable
[SW3-GigabitEthernet0/0/3] quit


• In this example, SW3 and SW4 are deployed between the authentication switch
SW2 and users. Therefore, transparent transmission of 802.1X packets must be
configured on SW3 and SW4 so that SW2 can perform 802.1X authentication on
users.
Configuration Example: Procedure (2)
3. Configure a RADIUS server template.
[SW2] radius-server template rd1
[SW2-radius-rd1] radius-server authentication 192.168.100.100 1812
[SW2-radius-rd1] radius-server accounting 192.168.100.100 1813
[SW2-radius-rd1] radius-server shared-key cipher Huawei@123
[SW2-radius-rd1] quit

4. Configure an AAA authentication scheme, an accounting scheme, and an authentication domain.
[SW2] aaa
[SW2-aaa] authentication-scheme a1
[SW2-aaa-authen-a1] authentication-mode radius
[SW2-aaa-authen-a1] quit
[SW2-aaa] accounting-scheme a2
[SW2-aaa-accounting-a2] accounting-mode radius
[SW2-aaa-accounting-a2] quit
[SW2-aaa] domain nac
[SW2-aaa-domain-nac] authentication-scheme a1
[SW2-aaa-domain-nac] accounting-scheme a2
[SW2-aaa-domain-nac] radius-server rd1
[SW2-aaa-domain-nac] quit
[SW2-aaa] quit
47 Huawei Confidential
Configuration Example: Procedure (3)

5. Configure an 802.1X access profile.
[SW2] dot1x-access-profile name d1
[SW2-dot1x-access-profile-d1] dot1x authentication-method eap
[SW2-dot1x-access-profile-d1] quit

6. Configure a MAC access profile.
[SW2] mac-access-profile name m1
[SW2-mac-access-profile-m1] mac-authen username macaddress
[SW2-mac-access-profile-m1] quit

7. Configure an authentication profile.
[SW2] authentication-profile name p1
[SW2-authen-profile-p1] mac-access-profile m1
[SW2-authen-profile-p1] dot1x-access-profile d1
[SW2-authen-profile-p1] access-domain nac force
[SW2-authen-profile-p1] quit
Configuration Example: Procedure (4)

8. Apply the authentication profile to interfaces.
[SW2] interface gigabitethernet 0/0/1
[SW2-GigabitEthernet0/0/1] authentication-profile p1
[SW2-GigabitEthernet0/0/1] quit
[SW2] interface gigabitethernet 0/0/2
[SW2-GigabitEthernet0/0/2] authentication-profile p1
[SW2-GigabitEthernet0/0/2] quit

9. Configure the authorized ACL to be delivered upon successful user authentication.
[SW2] acl 3001
[SW2-acl-adv-3001] rule 1 permit ip destination 192.168.101.0 0.0.0.255
[SW2-acl-adv-3001] rule 2 deny ip destination any
[SW2-acl-adv-3001] quit

10. Create user accounts on the RADIUS server and configure corresponding rights.
Contents

1. Overview of NAC

2. User Authentication Technologies

3. User Authorization and Logout

4. NAC Configuration

5. Policy Association

Technical Background (1)
⚫ Deploying authentication at the access layer helps implement fine-grained permission management and high network security. As the network scale expands, some problems emerge.

(Figure: three-layer campus network with a core layer, an aggregation layer, and an access layer; the authentication points are the access-layer devices.)

Problems faced when access devices are used as authentication points:
• A large number of devices are deployed at the access layer, causing heavy configuration workload and difficult O&M.
• The large number of access devices increases the load of the AAA server.
• Users must access the network at fixed locations.
Technical Background (2)
⚫ One solution is to move user authentication points from the access layer to the aggregation or core layer. In this way, authentication information on the entire network is centralized, the number of authentication points is greatly reduced, and the configuration and maintenance workload is reduced.

(Figure: the same three-layer campus network, with the authentication points moved up from the access layer.)

Problems faced when authentication points are moved upwards:
• Devices at the access layer must transparently transmit BPDUs. Otherwise, 802.1X authentication fails.
• Authentication points cannot control mutual access between users in the same VLAN on an access device.
• An administrator does not know the access positions of users, making fault locating difficult.
• The gateway cannot detect user logout in real time.

• Devices at the access layer must transparently transmit BPDUs. Otherwise, 802.1X
authentication fails. The reason is as follows:
▫ EAP packets transmitted in 802.1X authentication are BPDUs. By default,
Huawei switches do not perform Layer 2 forwarding for BPDUs. If a Layer 2
switch exists between the 802.1X-enabled device and users, Layer 2
transparent transmission must be enabled on the Layer 2 switch. Otherwise,
the EAP packets sent by users cannot reach the 802.1X-enabled device,
causing authentication failures.
Overview of Policy Association
⚫ Policy association provides a solution to the contradiction between policy strength and complexity on large campus networks. In the solution, user access policies are centrally managed on the gateway and executed by the gateway and access devices.

(Figure: authentication control devices (authentication control point) at the top, authentication access devices (authentication execution point) below them, and terminals at the bottom; a CAPWAP tunnel connects the control point and the execution point.)

Roles in the policy association solution:
• Terminals: provide human-machine interfaces for user authentication and resource access. The terminals include PCs, laptops, tablets, and dumb terminals.
• Authentication access device: an authentication execution point that executes network access policies for users.
• Authentication control device: an authentication control point that authenticates users and controls their access policies.
• A Control And Provisioning of Wireless Access Points (CAPWAP) tunnel is established between an authentication control point and an authentication execution point.
• Authentication control devices and authentication access devices use CAPWAP tunnels to associate users, transmit authentication messages, deliver user authorization policies, and synchronize user information.

• After policy association is configured, access devices can transparently transmit BPDUs and report user logout and user access positions in real time. In addition, authentication control devices request authentication access devices to execute user access policies, thus controlling user access to the network.
• Roles involved in policy association:
▫ Authentication access device: an authentication execution point that executes network access policies for users. When an authenticated user accesses the network, the device executes the corresponding access policy, such as a policy defining the VLAN, ACL, or UCL group to which the user belongs.
▫ Authentication control device: an authentication control point that authenticates users and controls their access policies. The device authenticates the identities of users who attempt to access the network and specifies their network access rights, that is, accessible resources.
Implementation of Policy Association

Message exchange among the user, the authentication execution point (access device), and the authentication control point (control device):
1. Establish a CAPWAP tunnel.
2. A user accesses the network.
3. Send a user association request.
4. Send a user association response.
5. Perform user authentication.
6. Send a user authorization request.
7. Send a user authorization response.
8. The user starts to access resources.

Typical scenarios of policy association:
• User access: When a user accesses the network, the authentication execution point creates a user association entry. The user and authentication control point exchange authentication information. After the authentication is successful, the authentication control point delivers authorization information to the authentication execution point.
• User logout: When a user is disconnected from the access device, the authentication execution point notifies the authentication control point of the user logout through the CAPWAP tunnel in real time. The authentication control point then deletes the user entry.
• User movement: When a user moves and connects to a new network, the user is re-authenticated.

• User login process:
1. The control device and access device establish a CAPWAP tunnel with each other.
2. When detecting the access of a new user, the access device creates a user association entry to record basic information such as the user and access interface.
3. The access device sends a user association request to the control device.
4. The control device creates a user association entry to save the mapping between the user and access device, and returns a user association response to notify the access device of successful association.
5. The user initiates an authentication request to the control device. The access device forwards the authentication packets between the user and control device.
6. The control device deletes the user association entry. When the authentication succeeds, the control device generates a complete user entry, sends a user authorization request to the access device, and delivers the network access policy of the user to the access device.
7. The access device updates the user association entry, grants the specified network access rights to the user, and sends a user authorization response to the control device.
8. The user accesses the specified network resources.
Comparison Between Policy Association and Authentication

(Figure: two message flows. Authentication: user, authentication point (interface and authentication module), authentication server; the policy execution interface is on the authentication point. Policy association: user, authentication execution point (interface), CAPWAP tunnel, authentication control point (interface and authentication module), authentication server; the policy execution interface is on the authentication execution point.)

Authentication:
1. The user sends the user credential to the interface on the authentication point.
2. The interface transmits the user credential to the authentication module.
3. The authentication module forwards the user credential to the authentication server.

Policy association:
1. The user sends the user credential to the interface on the authentication execution point.
2. The authentication execution point transmits the user credential to the authentication control point through a CAPWAP tunnel.
3. The interface on the authentication control point transmits the user credential to the authentication module.
4. The authentication module forwards the user credential to the authentication server.

• Authentication:
▫ The user exchanges information with the authentication point. The authentication point directly exchanges authentication information with the authentication server. When the authentication succeeds, the authentication server delivers the user rights to the authentication point. The interface on the authentication point then executes the corresponding user policy.
• Policy association:
▫ The user exchanges information with the authentication execution point. The authentication execution point transmits the user credential to the authentication control point through a CAPWAP tunnel. The authentication control point exchanges authentication information with the authentication server.
▫ When the authentication succeeds, the authentication server delivers user rights to the authentication control point, which further forwards the user rights to the authentication execution point through the CAPWAP tunnel. Finally, the interface on the authentication execution point executes the corresponding user policy.
Policy Association Configuration Roadmap
⚫ Policy association controls network access of users. Before configuring policy association, complete the following tasks:
1. Configure the user access authentication mode: 802.1X, MAC, or Portal.
2. Configure user authentication, authorization, and accounting: authentication mode, user authorization, and so on.

⚫ Policy association needs to be configured on both control devices and access devices in any sequence.
Configure an access device:
• Establish a CAPWAP tunnel.
• Configure an interface as an access point.
Configure a control device:
• Establish a CAPWAP tunnel.
• Configure an interface as a control point.
• Configure access authentication for access devices.
• Configure user authorization information.
Policy Association Configuration: Configuring an Access Device
1. Establish a CAPWAP tunnel.
[Huawei] as access interface vlanif vlan-id
The source interface for establishing a CAPWAP tunnel is configured on the access device.
[Huawei] as access controller ip-address ip-address
The IP address of a control device is configured on the access device.

2. Configure an interface as the access point (authentication execution point).
[Huawei-GigabitEthernet0/0/1] authentication access-point [ open ]
Remote access control is enabled on an interface of the access device.

• [Huawei-GigabitEthernet0/0/1] authentication access-point [ open ]
▫ open: Disables right control of the access point.
Policy Association Configuration: Configuring a Control Device (1)
1. Establish a CAPWAP tunnel.
[Huawei] capwap source interface { loopback loopback-number | vlanif vlan-id }
The source interface for establishing a CAPWAP tunnel is configured on the control device.

2. Configure an interface as the authentication control point.
[Huawei-GigabitEthernet0/0/1] authentication control-point [ open ]
An interface on the control device is configured as the authentication control point.

3. Configure access authentication for access devices.
[Huawei] as-auth
The access device authentication view is displayed.
[Huawei-as-auth] auth-mode none
The access device authentication mode is set to none authentication.

• [Huawei-GigabitEthernet0/0/1] authentication control-point [ open ]
▫ open: Enables the forwarding function of the control point.
• Configure access authentication for access devices.

▫ By default, access devices can connect to a control device only after passing
authentication. The control device authenticates access devices using a
blacklist and whitelist. Blacklisted access devices cannot connect to the
control device, whereas whitelisted access devices can. The control device
does not authenticate access devices out of the blacklist and whitelist, and
you need to manually specify allowed access devices. You can also
configure none authentication for access devices. As a result of this
configuration, an access device can connect to the control device regardless
of whether the access device is in the blacklist or whitelist.
▫ For details about how to configure this function, see the product
documentation.
Policy Association Configuration: Configuring a Control Device (2)
4. Configure user authorization information to be delivered to the access device and control device.
[Huawei-aaa] service-scheme service-scheme-name
A service scheme is created and the service scheme view is displayed.
[Huawei-aaa-service-huawei] remote-authorize { acl | car | ucl-group }
User authorization information to be delivered to the access device is configured.
[Huawei-aaa-service-huawei] local-authorize { none | { acl | car | priority | ucl-group | vlan } }
User authorization information to be delivered to the control device is configured.
Configuration Example: Networking Requirements and Authentication Planning

(Figure: RADIUS server 192.168.4.30 and the intranet in VLAN 30, reached through GE0/0/3 of SW1 (gateway); SW1 GE0/0/1 connects to SW2 (access) GE0/0/1 and carries VLAN 10 and VLAN 20; users in VLAN 10 attach to GE0/0/2 and GE0/0/3 of SW2. User VLAN: VLAN 10; management VLAN: VLAN 20.)

Networking requirements
Large campus networks have many access devices, so user access policy deployment is time-consuming and the policies are difficult to modify.
The customer requires that NAC authentication and user access policies be configured on the gateway and the access policies be executed on access devices to simplify device deployment at the access layer.

Authentication planning
• Configure the gateway SW1 as the control device and SW2 as the access device.
• Configure the control device to authenticate users and the access device to execute user access policies.
• Configure VLAN 10 as the user VLAN and VLAN 20 as the management VLAN of the CAPWAP tunnel. In this example, 802.1X authentication is used.
Configuration Example: Data Plan

RADIUS server: IP address: 192.168.4.30
Gateway switch (control device, SW1):
• VLAN to which the uplink interface GE0/0/3 belongs: VLAN 30
• VLAN to which downlink interface GE0/0/1 belongs: VLAN 10 (user VLAN), VLAN 20 (management VLAN)
Access switch (SW2): VLAN to which users belong: VLAN 10
RADIUS scheme:
• Authentication server IP address: 192.168.4.30
• Authentication server port number: 1812
• Shared key of the RADIUS server: Huawei@123
• Authentication domain: nac
ACL number of the post-authentication domain: 3001
Access permission: Prohibit access to resources on the 192.168.5.0/24 network segment.
Configuration Example: Procedure (1)
1. Create VLANs and configure the allowed VLANs on interfaces.

2. On the control device, configure an interface address pool on VLANIF 10 to assign IP addresses to users.
[SW1] dhcp enable
[SW1] interface vlanif 10
[SW1-Vlanif10] ip address 192.168.1.1 255.255.255.0
[SW1-Vlanif10] dhcp select interface
[SW1-Vlanif10] quit
Configuration Example: Procedure (2)
3. Configure the control device and access device to establish a CAPWAP tunnel.
[SW1] interface vlanif 20
[SW1-Vlanif20] ip address 192.168.2.1 255.255.255.0
[SW1-Vlanif20] dhcp select interface
[SW1-Vlanif20] dhcp server option 43 ip-address 192.168.2.1
[SW1-Vlanif20] quit
[SW1] capwap source interface vlanif 20
[SW1] as-auth
[SW1-as-auth] auth-mode none
[SW1-as-auth] quit

[SW2] interface vlanif 20
[SW2-Vlanif20] ip address dhcp-alloc
[SW2-Vlanif20] quit
[SW2] as access interface vlanif 20
Configuration Example: Procedure (3)
4. On the control device, create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.
[SW1] radius-server template rd1
[SW1-radius-rd1] radius-server authentication 192.168.4.30 1812
[SW1-radius-rd1] radius-server shared-key cipher Huawei@123
[SW1-radius-rd1] quit
[SW1] aaa
[SW1-aaa] authentication-scheme abc
[SW1-aaa-authen-abc] authentication-mode radius
[SW1-aaa-authen-abc] quit
[SW1-aaa] domain nac
[SW1-aaa-domain-nac] authentication-scheme abc
[SW1-aaa-domain-nac] radius-server rd1
[SW1-aaa-domain-nac] quit
[SW1-aaa] quit
# Configure a global default domain named nac.
[SW1] domain nac
Configuration Example: Procedure (4)
5. Configure the control device as the control point and the access device as the access point.
[SW1] interface gigabitethernet 0/0/1
[SW1-GigabitEthernet0/0/1] authentication control-point
[SW1-GigabitEthernet0/0/1] quit

[SW2] interface gigabitethernet 0/0/2
[SW2-GigabitEthernet0/0/2] authentication access-point
[SW2-GigabitEthernet0/0/2] quit
[SW2] interface gigabitethernet 0/0/3
[SW2-GigabitEthernet0/0/3] authentication access-point
[SW2-GigabitEthernet0/0/3] quit
Configuration Example: Procedure (5)
6. Configure the control device to deliver ACL-based authorization information to the access device, and bind the AAA service scheme asd to the authentication domain nac.
[SW1] aaa
[SW1-aaa] service-scheme asd
[SW1-aaa-service-asd] remote-authorize acl
[SW1-aaa-service-asd] quit
[SW1-aaa] domain nac
[SW1-aaa-domain-nac] service-scheme asd
[SW1-aaa-domain-nac] quit
[SW1-aaa] quit
Configuration Example: Procedure (6)
7. Configure ACLs and ACL rules for authorization on the control device and access device.
[SW1] acl 3001
[SW1-acl-adv-3001] rule deny ip destination 192.168.5.0 0.0.0.255
[SW1-acl-adv-3001] quit

[SW2] acl 3001
[SW2-acl-adv-3001] rule deny ip destination 192.168.5.0 0.0.0.255
[SW2-acl-adv-3001] quit

8. Configure 802.1X authentication on the control device and access device, and configure an authentication-free rule on the control device to allow packets from the management VLAN of the CAPWAP tunnel to pass through. (The 802.1X authentication configuration is not covered here.)
[SW1] free-rule-template name default_free_rule
[SW1-free-rule-default_free_rule] free-rule 1 source vlan 20
[SW1-free-rule-default_free_rule] quit
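Both configuration examples in this module authorize users with an advanced ACL 3001: the NAC example permits only 192.168.101.0/24 and denies everything else, while the policy association example above denies only 192.168.5.0/24. The following added example (not Huawei code) models Huawei-style wildcard matching so that either rule set can be checked against sample flows before it is delivered to users. The sample source and destination addresses are constructed; the rule auto-numbering step and the action for packets matching no rule are explicit parameters, because they depend on the platform and on where the ACL is applied.

```python
"""Offline check of the authorized ACLs in this module's configuration examples.

Added example, not Huawei code: a small model of Huawei-style advanced ACL
matching so the effect of the delivered rules can be verified before they
reach a switch. Wildcard masks follow the VRP convention (0 = bit must match,
1 = bit ignored). Two details are parameters because they depend on the
platform and on where the ACL is applied: the auto-numbering step for rules
given without an ID (VRP defaults to 5) and the action for packets that match
no rule. The sample flows are constructed.
"""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits set to 1 in the wildcard are ignored, as in VRP ACL syntax."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


class Rule:
    def __init__(self, rule_id: int, action: str, src=None, dst=None):
        self.rule_id, self.action = rule_id, action
        self.src, self.dst = src, dst          # (base, wildcard) or None for 'any'

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ((self.src is None or wildcard_match(src_ip, *self.src))
                and (self.dst is None or wildcard_match(dst_ip, *self.dst)))


def parse_rule(line: str, next_id: int) -> Rule:
    """Parse 'rule [id] {permit|deny} ip [source X W|any] [destination X W|any]'."""
    tok = line.split()
    if tok[0] != "rule":
        raise ValueError(f"not an ACL rule: {line!r}")
    i, rule_id = 1, next_id
    if tok[i].isdigit():
        rule_id, i = int(tok[i]), i + 1
    action = tok[i]
    if action not in ("permit", "deny") or tok[i + 1] != "ip":
        raise ValueError(f"unsupported rule: {line!r}")
    i += 2
    fields = {"source": None, "destination": None}
    while i < len(tok):
        key = tok[i]
        if key not in fields:
            raise ValueError(f"unsupported keyword {key!r}")
        if tok[i + 1] == "any":
            i += 2
        else:
            fields[key] = (tok[i + 1], tok[i + 2])
            i += 3
    return Rule(rule_id, action, fields["source"], fields["destination"])


def load_acl(lines: List[str], step: int = 5) -> List[Rule]:
    """Build an ACL from rule lines; unnumbered rules get the next multiple of step."""
    rules: List[Rule] = []
    for line in lines:
        used = [r.rule_id for r in rules]
        next_id = (max(used) // step + 1) * step if used else step
        rules.append(parse_rule(line, next_id))
    return sorted(rules, key=lambda r: r.rule_id)   # VRP matches in rule-ID order


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, matching rule ID); (default, None) when no rule matches."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.rule_id
    return default, None


# ACL 3001 delivered by SW2 after authentication in the NAC example:
# users may reach only the intranet server cluster 192.168.101.0/24.
NAC_ACL_3001 = load_acl([
    "rule 1 permit ip destination 192.168.101.0 0.0.0.255",
    "rule 2 deny ip destination any",
])

# ACL 3001 from the policy association example: block 192.168.5.0/24 only.
PA_ACL_3001 = load_acl([
    "rule deny ip destination 192.168.5.0 0.0.0.255",
])
```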
Quiz

1. (Single-answer question) When PCs and dumb terminals such as printers and fax
machines are connected to an interface of an access device, which authentication
mode can be used to ensure network security and allow dumb terminals to
access the network? ( )
A. MAC address authentication

B. 802.1X authentication

C. Portal authentication

D. MAC address bypass authentication


1. D
Quiz

2. (Multiple-answer question) Based on which of the following can a Huawei device deliver user access rights to a successfully authenticated user? ( )
A. VLAN

B. IP address

C. ACL

D. UCL group


2. ACD
Summary

⚫ User access control is the first line of defense to protect a network, where you can
deploy user authentication, such as MAC address authentication, 802.1X
authentication, and Portal authentication, to ensure security.
⚫ The implementation modes and application scenarios of these technologies are
different. You need to select and deploy them based on network characteristics
and requirements.
⚫ iMaster NCE-Campus can be used together with network products to provide an
advanced NAC solution that implements powerful functions such as terminal type
identification and policy automation.

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Free Mobility
Foreword
⚫ On a campus network, different network access policies can be deployed for users on access devices to
meet diverse network access requirements.

⚫ On a traditional campus network, users' network access rights are controlled using the Network
Admission Control (NAC) technology, in conjunction with VLAN and ACL technologies. However, this
solution has many defects. For example, the association between ACLs and users takes effect only on
authentication points, resulting in poor flexibility; VLANs and ACLs need to be configured on a large
number of switches that function as authentication points in advance, causing a heavy deployment and
maintenance workload.
⚫ Mobile working requires that these defects be removed and employees access the network from any
place, any VLAN, or any IP network segment with controlled network access rights. To implement these,
the free mobility solution is introduced.

Objectives

⚫ On completion of this course, you will be able to:


 Describe the requirements of large-scale campus networks for policy control.
 Describe the differences between free mobility and traditional technologies or
solutions.
 Describe the basic functions and working mechanism of free mobility.
 Understand the relationship between free mobility and campus network access
authentication.
 Describe the typical application solution of free mobility.

Contents

1. Technical Background and Basic Concepts of Free Mobility

2. Working Mechanism of Free Mobility

3. Free Mobility Solution Design

Mobility Requirements of Users on the Network

(Figure: user A moves from one access location to another on the campus network.)

Scenario description
1. User mobility requirements, such as mobile working, are common on large-scale campus networks.
2. To ease campus network management, it is required that users obtain the same network access policy regardless of their locations and IP addresses.

Solution challenges
1. How to ensure that users can access the campus network from any place?
2. How to ensure the security of user access to the campus network?
3. Can user information be managed in a centralized manner?
4. Are the network configuration and configuration delivery simple enough?
5. Is it easy to adjust policies?

• With the construction and promotion of wireless networks, the boundaries of enterprise campus networks are disappearing, and office locations of enterprise employees become more flexible.
• The large-scale movement of employees' access locations improves enterprise production efficiency, but also brings challenges to enterprise network management and security. Mobile working causes the IP addresses of employees' hosts to change frequently. However, traditional campus networks cannot adapt to this change because employees' rights are controlled based on their IP addresses.
Traditional Solution: Using NAC Together with VLANs and ACLs
⚫ On a traditional campus network, users' network access rights are controlled using the NAC technology together with VLANs and ACLs. However, this solution has the following defects.
• The association between ACLs and users takes effect only on authentication points. For non-authentication points, policies must be configured based on IP addresses.
• Employees are required to access the network and go online through a specified switch, VLAN, or network segment.
• ACLs need to be configured in advance. At least the range of destination IP addresses to which users are permitted or denied access must be defined in ACLs. Therefore, if IP addresses of users are not fixed, ACLs are not suitable for controlling traffic sent from or destined for these users.
• The deployment and maintenance workload is heavy. VLANs and ACLs need to be configured on a large number of switches that function as authentication points in advance.

• Mobile working requires that these defects be removed and employees obtain
consistent network access rights when accessing the network from any place, any
VLAN, or any IP network segment. In addition, administrators want to have a
simple policy control approach that is decoupled from network topologies and IP
addresses.
Overview of Free Mobility
⚫ The free mobility solution allows a user to obtain the same network access policy regardless of the user's location and IP address on a campus network. iMaster NCE-Campus and switches work together to enable network access rights to automatically move with users, improving mobile working experience.

(Figure: user A moves to another location and keeps the same network access rights under free mobility.)

Free mobility resolves the problems faced by traditional campus networks in three aspects:
1. Decoupling of service policies from IP addresses.
2. Centralized management of user information.
3. Centralized policy management.

Advantages of free mobility:
1. Simplified network planning: Administrators no longer need to consider user IP addresses when configuring policies.
2. Enhanced control capability: User authentication information can be synchronized between network devices.
3. Improved management efficiency: Administrators no longer need to configure devices one by one.

• Decoupling of service policies from IP addresses
▫ Using iMaster NCE-Campus, administrators can divide users and resources on the entire network into different security groups based on diverse dimensions. In addition, network devices in the free mobility solution use an innovative software and hardware design. Such a device can match source and destination security groups based on the source and destination IP addresses of packets, and then find the matching inter-group policy based on these security groups.
▫ Through these innovative designs, all the user- and IP address-based service policies on traditional networks can be transformed into security group-based policies. When predefining service policies, administrators no longer need to consider user IP addresses. This achieves decoupling of service policies from IP addresses.
• Centralized management of user information
▫ Administrators can use iMaster NCE-Campus to centrally manage user authentication and login information and obtain the mappings between network-wide users and their IP addresses.
• Centralized policy management
▫ iMaster NCE-Campus is not only the authentication center on a campus network, but also the management center of service policies. Administrators can use iMaster NCE-Campus to centrally manage service policies on policy enforcement devices on the entire network. After being configured once, service policies can be automatically delivered to policy enforcement devices on the campus network. These policies include permission control policies (for example, group A is forbidden to access group B) and experience guarantee policies (for example, the bandwidth and priority for forwarding traffic of group A are controlled).
Implementation of Free Mobility
⚫ Free mobility implements policy management and permission control based on security groups.

(Figure: iMaster NCE-Campus holds the sales user, R&D user, and server resource security groups and the permission control policies (1), and delivers security groups and policies to the campus network (2); users A, B, and C are authenticated through NAC (3); network devices enforce the policies on user traffic (4).)

1. Security groups are defined, each representing a group of users who have the same network access requirements.
2. Permission control policies are defined based on security groups and are delivered to network devices.
3. Users obtain authorized security groups after they are successfully authenticated.
4. After user traffic enters a network, network devices enforce policies based on the source and destination security groups of the traffic.

• Free mobility introduces the concept of security group. Security groups are related only to user identities and are completely decoupled from network information such as user VLANs and IP addresses.
• User policy management and permission control are implemented based on security groups.
Traditional Solution vs. Free Mobility Solution

Customer requirement: Consistent network access rights in the mobile working scenario
• Traditional solution: The "dynamic VLAN + static ACL" solution is used. The configuration planning is complex, the pre-configuration workload is heavy, ACL maintenance is difficult, and consistent network access rights cannot be ensured for users.
• Free mobility solution: Network access policies are decoupled from IP addresses. Administrators divide security groups based on user identities on iMaster NCE-Campus, and use a policy control matrix to manage policies in a unified manner. This simplifies configuration and maintenance, and ensures that users can obtain the same network access rights as they move.

Customer requirement: Service-based user isolation
• Traditional solution: The "Layer 2 VLAN isolation + Layer 3 ACL isolation" solution is used. In the mobile working scenario, the configuration planning is complex, the pre-configuration workload is heavy, ACL maintenance is difficult, and user isolation is hard to implement.
• Free mobility solution: The "Layer 2 port isolation + inter-group isolation based on security groups" solution is used. Inter-group isolation policies are decoupled from IP addresses, simplifying configuration and maintenance and effectively achieving user isolation.

Customer requirement: Simplified configuration and management
• Traditional solution: A large number of rules such as VLANs and ACLs need to be planned based on IP addresses during network design. These rules are complex to configure and difficult to understand, causing inconvenience in subsequent maintenance.
• Free mobility solution: Based on security groups (UCL groups), only several user groups and inter-group policies need to be defined, greatly simplifying planning and configuration. In addition, the policy control matrix is easy to understand and maintain.
Basic Concepts in Free Mobility: Authentication and Policy Enforcement

[Figure: two deployments with iMaster NCE-Campus as the policy control center. In each, User A and User B attach to access switches below a core switch; the authentication point and policy enforcement point roles are marked on the core and access layers.]

• Authentication point: authenticates terminals and obtains authorization results (containing the security groups to which terminals belong) from iMaster NCE-Campus.
• iMaster NCE-Campus: serves as the authentication server and the policy control center to maintain the policy control matrix, which defines policies for controlling access between network-wide security groups.
• Policy enforcement point: obtains the policy control matrix from iMaster NCE-Campus, and enforces policies based on the source and destination security groups to which the source and destination IP addresses of the received traffic belong. If the policy allows the traffic to pass through, the policy enforcement point forwards the traffic. Otherwise, the traffic is dropped.


• Additional information about the policy enforcement point:
▫ The policy enforcement point is responsible for enforcing security group–based service policies. To enforce these policies, the policy enforcement point must be able to identify the source and destination security groups of packets. It can obtain the mappings between IP addresses and security groups during the authentication process or from iMaster NCE-Campus.
▫ The authentication point and policy enforcement point are two device roles. Based on the administrator's configuration and device capabilities, a physical device can play either or both of the two roles.
Basic Concepts in Free Mobility: Security Group (1)
⚫ A security group is an abstracted and logical set of communicating objects on a network.
⚫ An administrator can add the users requiring the same access control policy to the same security group, and configure an access control policy for the group.

Classification of security groups
• Security group members can be network terminals such as PCs and smartphones. They can be added by an administrator or dynamically added upon successful authentication.
▫ Static security group: It is a security group defined by statically binding IP addresses.
▫ Dynamic security group: Users who meet specified conditions are authorized a specific security group.
• A dynamic security group has a higher priority than a static security group. For example, a user with IP address 1 is statically bound to security group 1, and the user is dynamically added to security group 2 upon successful RADIUS authentication. Eventually, the user belongs to security group 2.

Special security groups
• Unknown (default): Users or resources that are not dynamically or statically added to any security group belong to this group by default.
• Any (default): All users and resources belong to this group. It is typically used to configure default rules, and can be configured as the destination group only.
• Bypass security group (user-defined): When the IP-security group channel between the policy enforcement point and iMaster NCE-Campus is disconnected, unknown traffic is controlled based on the policy configured for the bypass security group. Only one bypass security group can be configured, and members must be statically added to this group.


• Security group:
▫ An administrator can define security groups on iMaster NCE-Campus to describe and organize the sources or destinations of network traffic, and then configure policies to control mutual access between the security groups.
▫ An administrator can add network objects that have the same access requirements to the same security group, and configure a policy for this security group. In this way, these network objects obtain the same permissions as configured for the security group. For example, an administrator can define the following security groups: R&D group (a collection of individual hosts), printer group (a collection of printers), and database server group (a collection of server IP addresses and ports). Compared with the solution in which access control policies are deployed for each user, the security group–based access control solution greatly reduces the administrator's workload.
Basic Concepts in Free Mobility: Security Group (2)

Group Type   Group Name   Group ID
Dynamic      Sales        1
Dynamic      Guest        2
Static       Server       3

[Figure: campus network with the Sales group and Guest group (dynamic security groups) and the Server group (static security group). Host 1 (sales user) authenticates through 802.1X, Host 2 (sales user) through MAC address authentication, and Host 3 (guest) through Portal authentication.]

Dynamic security group
• The IP addresses of users in dynamic security groups are not fixed, and are dynamically bound to security groups after the users are authenticated. After users log out, the bindings are dynamically canceled. These mappings remain valid only when users are online.
• Network devices can obtain such mappings from iMaster NCE-Campus or when they function as authentication points.

Static security group
• IP addresses of static resources are fixed, and are statically bound to security groups by an administrator through configuration.
• In the pre-deployment phase, when iMaster NCE-Campus is used to deploy control policies on network devices through NETCONF, iMaster NCE-Campus will synchronize the bindings between security groups and IP addresses to all policy enforcement points.


• Classification of security groups:
▫ A security group can be both a dynamic security group and a static security group. That is, it is bound to both multiple authorization rules to represent dynamic users and multiple IP addresses or IP network segments to represent static resources. The differences are as follows:
▪ The IP addresses of users in dynamic security groups are not fixed, and are dynamically bound to security groups after the users are authenticated. After users log out, the bindings are dynamically canceled. These mappings remain valid only when users are online. Network devices can obtain the mappings between IP addresses and security groups (also known as IP-security group entries) by acting as authentication points, or iMaster NCE-Campus delivers the mappings to network devices.
▪ The IP addresses of static resources are fixed. An administrator needs to bind these IP addresses to static security groups on iMaster NCE-Campus, which then synchronizes the bindings to policy enforcement points. Static security group members can be any network objects that use fixed IP addresses, such as terminals, servers, interfaces of network devices, and authentication-free users.
▫ If an IP address is added to different groups both in static mode and upon successful authentication, the dynamic security group assigned during authentication takes effect.
▫ An IP address can belong to only one security group.
Basic Concepts in Free Mobility: UCL Group
⚫ User Control List (UCL) group:
 UCL groups identify user types. An administrator can add the users requiring the same network access policy to the same UCL group, and configure a network access policy for the group. Compared with the solution in which network access policies are deployed for each user, the UCL group–based access control solution greatly reduces the administrator's workload.
 A UCL group is called a security group on iMaster NCE-Campus.
⚫ UCL group configuration on a switch:
 Create a UCL group.
[Huawei] ucl-group group-index [ name group-name ]
 Configure a static UCL group.
[Huawei] ucl-group ip ip-address { mask-length | ip-mask } { group-index | name group-name }

[Figure: campus network with an FTP server, a web server, and an email server; sales users and guests form two UCL groups.]

Basic Concepts in Free Mobility: Resource Group

Disadvantages of security groups
• Administrators can bind static IP addresses of servers to static security groups, and iMaster NCE-Campus delivers these bindings to devices through NETCONF.
• However, such static security groups cannot distinguish different services that use the same IP addresses.

Resource group is a way out.

[Figure: a server with IP address 192.168.1.1 that is both an HTTP server and a DNS server is reached by guests through the campus network.]
• The server with IP address 192.168.1.1 provides both DNS and HTTP services.
• Resource groups can be deployed to distinguish the two types of services.

Resource groups:
Group Type       Group Name   IP Address
Resource group   DNS          192.168.1.1
Resource group   HTTP         192.168.1.1

Resource group
• IP addresses specified in resource groups can overlap.
• During the configuration of the policy control matrix, a resource group can only be specified as the destination group (not a source group) of a policy.
• When policies are delivered to switches, the policies are decomposed into corresponding IP addresses, instead of using the security group (UCL group) model.

• Dumb terminals, data center server resources, and authentication-free users do not need to be authenticated when accessing the network. Therefore, they cannot be authorized by the AAA server. In this case, you can bind their static IP addresses to resource groups.
• Note: When resource groups are used, a policy enforcement point generates a policy by IP address, instead of based on each resource group. As such, the device may have a large number of policies.
Basic Concepts in Free Mobility: Policy Control Matrix
⚫ After security groups are defined, administrators can define inter-group policies on the entire network.
⚫ A policy control matrix is used to configure inter-group policies to control access from source groups to destination groups.

[Figure: campus network with an FTP server, a web server, and an email server; sales users and guests are security groups.]

Policy control matrix (rows are source groups, columns are destination groups; the cells are filled in by the administrator):

Source \ Destination   Sales   Guest   Server
Sales
Guest
Server

• When multiple policies are configured to control access from a source security
group to multiple destination groups, an administrator needs to configure
priorities of the policies to determine the sequence in which policies are matched.
For example, if the destination groups are resource groups with overlapping IP
addresses, the administrator can set a high priority for a policy so that the policy
can be matched preferentially.
• For unknown users:
▫ If a policy enforcement device does not find any security group
corresponding to an IP address, it considers that the IP address belongs to
the default security group named unknown, and enforces the matching
security group policy (default policy: permit).
• The following uses the traffic from the sales group to the server group as an
example to describe policy matching in the policy control matrix:
▫ The device (policy enforcement point) first searches for the policy of
controlling access from the sales group to the server group. If no such inter-
group policy is found in the policy control matrix, the device continues
matching policies.
▫ The device then searches for the policy of controlling access from the sales
group to the any group. If no such inter-group policy is found in the policy
control matrix, the device continues matching policies.
▫ Finally, the device matches traffic with the policy of controlling access from
the any group to the any group. By default, this policy exists in the policy
control matrix and defines the permit action. That is, traffic is permitted by
default if no policy is matched.
Basic Concepts in Free Mobility: IP-Security Group Entry Subscription

IP-security group entry subscription
• If the authentication point and policy enforcement point are located on different devices, the IP-security group entries of authenticated users need to be pushed to the specified policy enforcement point.
• An administrator can configure subscription on iMaster NCE-Campus to specify the entries of which network segments or security groups to be pushed to which policy enforcement points.

Subscription procedure
• After the authentication point authenticates a user through the RADIUS server, the RADIUS server authorizes the corresponding security group and creates an IP-security group entry for the user.
• The RADIUS server reports this IP-security group entry to the IP-security group component through an HTTP/2.0 channel, which then delivers this entry to specific policy enforcement points.

[Figure: User A (192.168.1.1) and User B (192.168.2.1) attach to the access switch; 1. identity authentication takes place at the authentication point; 2. the policy control center pushes the IP-security group entries to the core switch acting as the policy enforcement point.]

IP-security group entries:
IP            Security Group
192.168.1.1   Group1
192.168.2.1   Group2


• A policy enforcement point can obtain IP-security group entries in either of the following ways:
▫ The policy enforcement point obtains IP-security group entries during user authentication when it is located on the same device as the authentication point.
▫ iMaster NCE-Campus pushes IP-security group entries to the policy enforcement point through an HTTP/2.0 channel. This scenario is known as IP-security group entry subscription.
• In the IP-security group entry subscription scenario, iMaster NCE-Campus must have already generated IP-security group entries during user authentication. Therefore, IP-security group entry subscription has the following requirements:
▫ iMaster NCE-Campus functions as the RADIUS server to perform end user authentication. In this way, it can generate IP-security group entries during user authentication, and synchronize the entries to the free mobility component.
▫ iMaster NCE-Campus functions as a RADIUS relay agent when a third-party RADIUS server is used for user authentication. In this way, iMaster NCE-Campus can obtain security group information during the authentication process to generate IP-security group entries.
Contents

1. Technical Background and Basic Concepts of Free Mobility

2. Working Mechanism of Free Mobility

3. Free Mobility Solution Design

Working Mechanism of Free Mobility: Overview

[Figure: a user terminal connects to a device that is both the authentication point and policy enforcement point, which connects to the intranet. 1. An administrator defines user security groups and inter-group policies on iMaster NCE-Campus. 2. iMaster NCE-Campus delivers security groups and inter-group policies. 3. The user initiates authentication; iMaster NCE-Campus verifies the user identity and associates the user with a security group. 4. The user accesses network resources, and the policy enforcement point enforces the corresponding inter-group policy. (In this example, the authentication point and policy enforcement point are located on the same device.)]

1. Create users and security groups.
▫ An administrator defines security groups on iMaster NCE-Campus.
▫ The administrator creates user accounts on iMaster NCE-Campus, and configures authorization rules and results to bind the users to security groups.
2. Define and deploy a policy control matrix.
▫ The administrator specifies a policy enforcement point on iMaster NCE-Campus and defines a policy control matrix.
▫ iMaster NCE-Campus automatically delivers inter-group policies to the policy enforcement point.
3. A user initiates authentication.
▫ A user accesses the network, and iMaster NCE-Campus verifies the user identity.
▫ iMaster NCE-Campus associates the user with the corresponding security group based on the user login information, and delivers the authorization result containing the security group to which the user belongs to the authentication point.
4. The user accesses network resources.
▫ The policy enforcement point identifies the source and destination groups of packets based on the mapping between the user's IP address and security group, and then matches and enforces an inter-group policy.


• Free mobility deployment based on iMaster NCE-Campus:
▫ Create users and security groups.
▪ An administrator can define users and security groups on iMaster NCE-Campus in a unified manner. Security groups can be defined based on network services for configuring inter-group control policies.
▫ Define and deploy a policy control matrix.
▪ The administrator defines inter-group policies in a policy control matrix on iMaster NCE-Campus, and delivers the policy control matrix to policy enforcement points.
▫ A user initiates authentication.
▪ When a user is being authenticated, iMaster NCE-Campus associates the user with a security group based on the user login information. After the user is authenticated successfully, iMaster NCE-Campus delivers the authorization result containing the security group to which the user belongs to the authentication point. During 802.1X authentication, if a terminal has not obtained an IP address, the authentication point automatically detects the actual IP address of the user after the user is successfully authenticated and obtains an IP address, and reports the user's actual IP address to iMaster NCE-Campus. iMaster NCE-Campus collects IP addresses of all online users and synchronizes all user information to policy enforcement points.
▪ If the authentication point and policy enforcement point are located on different devices, the policy enforcement point needs to obtain the mappings between user IP addresses and security groups (that is, IP-security group entries) to identify the source and destination groups of traffic during policy enforcement. Therefore, the administrator needs to subscribe to the required IP-security group entries.
▫ The user accesses network resources.
▪ A user sends service traffic. When a packet reaches the policy enforcement point, the device identifies the security groups that match the source and destination IP addresses of the packet, and enforces the corresponding inter-group policy.
Working Mechanism of Free Mobility (1)

[Figure: a core switch connects User1 (192.168.1.1/24) and User2 (192.168.2.1/24) to a firewall and a server (10.1.1.1/24).]

Create users on iMaster NCE-Campus.

User    Password
User1   ***
User2   ***

Create security groups, bind the server IP address to the server security group, and configure authorization rules and results to bind User1 and User2 to security groups Group1 and Group2, respectively.

Group Type   Group Name   Group ID
Dynamic      Group1       1          Dynamic authorization (User1)
Dynamic      Group2       2          Dynamic authorization (User2)
Static       Server       3          Static binding <- 10.1.1.1/32 (server)

Working Mechanism of Free Mobility (2)

[Figure: same topology as on the previous slide; the core switch (Core) is the policy enforcement point.]

Define a policy control matrix (inter-group policies) on iMaster NCE-Campus and specify the policy enforcement point device (Core).

Source \ Destination   Group1   Group2   Server
Group1
Group2
Server


• To manually specify a device as a policy enforcement point managed by iMaster NCE-Campus, enable the free mobility function by running the following command:
[HUAWEI] group-policy controller ip-address1 [ port-number1 ] password password [ src-ip ip-address2 ]
▫ ip-address1 [ port-number1 ]: specifies the IP address of a controller and the port number used by the device to exchange packets with the controller. If no port number is configured, the default port number 5222 is used.
▫ password password: specifies the password used by the device to connect to the controller. The password configured on the device must be the same as that configured on the controller.
▫ src-ip ip-address2: specifies the source IP address used by the device to communicate with the controller. If this parameter is not configured, the device selects one of its own IP addresses to communicate with the controller.
Working Mechanism of Free Mobility (3)

[Figure: iMaster NCE-Campus pushes the inter-group policies to the policy enforcement point (Core) in the same topology.]

Policy control matrix:
Source \ Destination   Group1   Group2   Server
Group1
Group2
Server

Working Mechanism of Free Mobility (4)

[Figure: the core switch (authentication point and policy enforcement point) connects User1 (192.168.1.1/24, MAC-X) and User2 (192.168.2.1/24, MAC-Y) to the firewall and the server (10.1.1.1/24). Step 1: authentication packets are exchanged between User1 and the core switch; step 2: iMaster NCE-Campus authorizes the user; step 3: the authorization result (Group1) is delivered to the core switch, which generates the online user entry MAC-X / 192.168.1.1 / Group1.]

1. User1 attempts to access the network. The core switch functioning as the authentication point exchanges user authentication information with iMaster NCE-Campus.
2. iMaster NCE-Campus checks the login information of User1 and associates User1 with the corresponding security group (Group1) in the authorization policy.
3. After User1 is authenticated, iMaster NCE-Campus associates the user IP address with Group1 and records the association in an IP-security group entry. In addition, iMaster NCE-Campus notifies the authentication point of the security group to which the user belongs, and the core device at the authentication point generates an online user entry.
4. The preceding process also applies to User2.
5. After receiving a service packet from a terminal, the core switch that also functions as the policy enforcement point identifies the security group that matches the source and destination IP addresses of the packet and enforces the corresponding inter-group policy.

Working Mechanism of Free Mobility (5)

[Figure: same topology as on the previous slide. Step 4: the online user entries now contain both users. Step 5: User1 sends an IP packet with source 192.168.1.1 and destination 192.168.2.1; the core switch matches it against the permission control policy and discards it.]

Online user entries:
MAC     IP            Security Group
MAC-X   192.168.1.1   Group1
MAC-Y   192.168.2.1   Group2

Policy (permission control):
Source Group   Destination Group   Action
Group1         Group2              Deny
Group1         Server              Permit
...            ...                 ...

IP packet: Source 192.168.1.1, Destination 192.168.2.1 (discarded)

The numbered steps are the same as those listed under Working Mechanism of Free Mobility (4).

Contents

1. Technical Background and Basic Concepts of Free Mobility

2. Working Mechanism of Free Mobility

3. Free Mobility Solution Design

Security Group Design

Dynamic security group (users)
• Users and terminals that can access the network only after being authenticated.
• In most cases, dynamic security groups can be defined based on user identities, such as students and teachers in schools. In addition, dynamic security groups can be customized based on 5W1H conditions.

Static security group (network resources)
• Terminals or network segments that use fixed IP addresses, such as servers and the Internet.
• Static security groups are defined based on service types provided by network resources. For example, the school web server, the data server for storing student information, and the exam resource server can be divided into different static security groups.

5W1H conditions:
• Who: identity of a user, for example, a corporate executive, employee, or guest;
• Where: user access location, for example, local (within a campus) or remote access;
• What: type of the access terminal, for example, a mobile phone, PC, or laptop;
• When: time range when a user accesses the network, for example, in the daytime or at night;
• Whose: device owner, for example, a company-issued terminal or BYOD terminal;
• How: user access mode, for example, wired or wireless access.

The most important rule for defining a dynamic security group is to add users with the same network access requirements to one security group.

Permission Control Design
Define dynamic and static security groups for free mobility based on service requirements, and create a policy control matrix based on the required network access rights.

Dynamic security groups:
• Hospital administrator
• Doctor
• Nurse
• Patient

Static security groups:
• Ward-round system server
• Medical system server
• Case database server
• Internet

Policy control matrix (rows are source groups, columns are destination groups; each row lists the seven actions extracted from the slide, in order):

Source \ Destination     Ward-round system   Healthcare system   Case database   Internet   Doctor   Nurse    Patient   Hospital administrator
Hospital administrator   Permit              Permit              Permit          Permit     Permit   Permit   Deny
Doctor                   Permit              Permit              Permit          Deny       Permit   Permit   Deny
Nurse                    Deny                Permit              Deny            Deny       Permit   Permit   Deny
Patient                  Deny                Deny                Deny            Permit     Deny     Deny     Deny

In addition to the overall policy control matrix, the administrator can further control user permissions based on applications. For example, allow patients to access the Internet, but disallow them to use applications such as shopping apps.


• A security group policy reflects whether two security groups can communicate with each other. The administrator can configure policies to permit or deny communication between every two security groups in a policy control matrix on iMaster NCE-Campus. If no control policy is created for a source group and a destination group, they can communicate with each other by default.
• When planning security group policies, pay attention to the direction of policies. Generally, packets are transmitted in both directions between two terminals.
▫ For Huawei switches, traffic from switch A to switch B and traffic from switch B to switch A match different policies. Whether traffic is permitted or denied depends on the source and destination groups of the traffic. If the permit action is configured for the A-to-B traffic and the deny action for the B-to-A traffic, all packets sent from switch A to switch B are allowed to pass through, but the packets sent from switch B to switch A are discarded, regardless of which device initiates the request. If no matching policy is found, a switch performs the default action (permit).
• Generally, network access involves bidirectional communication. Therefore, to simplify management, you only need to consider the access permissions from user security groups to other users and servers when designing permission control policies.
▫ To prevent users from accessing a security group, you only need to configure a unidirectional deny rule.
▫ To allow users to access a security group, you only need to configure a unidirectional permit rule.
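Because the notes above make policies unidirectional and default to permit, the two design mistakes worth catching before a matrix is deployed are a permit whose return direction carries an explicit deny (reply packets of the permitted flow are then discarded) and the any group placed in the source column, which the material allows only as a destination. The following Python check scans a matrix for both; it is an added example, not Huawei tooling, and the group names and policy entries are constructed sample data.

```python
"""Design-time check of a policy control matrix (added example, not Huawei code).

Policies are unidirectional: (A, B) and (B, A) are matched independently,
and a pair with no explicit policy falls back to permit. This flags:
  * 'return-traffic-denied': an explicit permit in one direction paired with
    an explicit deny in the return direction;
  * 'any-as-source': the special 'any' group used as a source, other than the
    default (any, any) entry.
Group names and the matrix below are constructed sample data.
"""
ANY = "any"


def check_matrix(matrix):
    """Return a list of (kind, src, dst) findings for the given matrix."""
    findings = []
    for (src, dst), action in matrix.items():
        if src == ANY and dst != ANY:
            findings.append(("any-as-source", src, dst))
        if action != "permit":
            continue
        # the reverse direction is a separate policy; an explicit deny there
        # drops the replies of the flow permitted here
        if matrix.get((dst, src)) == "deny":
            findings.append(("return-traffic-denied", src, dst))
    return findings


def build_sample_matrix():
    """Constructed matrix with one of each problem and two harmless entries."""
    return {
        ("Doctor", "Nurse"): "permit",
        ("Nurse", "Doctor"): "deny",         # replies from Nurse to Doctor are dropped
        ("Patient", "Internet"): "permit",   # no reverse rule: default permit applies
        ("Patient", "Case database"): "deny",
        ("Doctor", "Case database"): "permit",
        (ANY, "Internet"): "permit",         # 'any' may only be a destination
    }


if __name__ == "__main__":
    for finding in check_matrix(build_sample_matrix()):
        print(*finding)
```

A deny in both directions, or a permit with no reverse entry at all, produces no finding, which matches the unidirectional design rule in the notes.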
User Authentication Design
⚫ The free mobility solution involves the same user authentication process as the traditional solution.
⚫ After a user is successfully authenticated, authorization information such as ACLs and VLANs is delivered in the traditional solution, whereas security group (UCL group) information is delivered in the free mobility solution.

Authentication modes supported by free mobility:
Authentication Mode                                                                            Recommended Scenario
802.1X authentication                                                                          Wired user authentication
Portal authentication (Portal authentication, MAC address-prioritized Portal authentication)   Wireless user authentication
MAC address authentication                                                                     Authentication for dumb terminals (such as printers)
PPPoE authentication                                                                           Authentication for education campus users

Recommended locations of authentication points:
Device Role                 Location
User authentication point   Core switch or aggregation switch

Locations of Authentication Points and Policy Enforcement
Points
⚫ Typically, a user gateway functions as both the authentication point and policy enforcement point for
the following major reasons:
 There are a large number of access switches on a network. Configuring the authentication function on each
access switch requires a heavy workload and leads to difficulties in management.
 iMaster NCE-Campus needs to synchronize permission control policies to policy enforcement points. If access
switches act as both authentication points and policy enforcement points, there will be a great number of policy
enforcement points. This increases the workload and difficulties of device management on iMaster NCE-Campus
and prolongs the policy synchronization time.

⚫ To prevent users on a Layer 2 network connected to an upstream user gateway from communicating
with each other, configure Layer 2 isolation. In this way, communication traffic of the users must pass
through the user gateway.


• If the authentication point and policy enforcement point are located on different
devices, the IP-security group entries of authenticated users need to be pushed to
the specified policy enforcement point. An administrator can configure
subscription on iMaster NCE-Campus to specify the entries of which network
segments or security groups to be pushed to which policy enforcement points.
Typical Free Mobility Solution
(Recommended) Core switch functioning as the user gateway, authentication point, and policy enforcement point

[Figure: Internet at the top; the core switch (user gateway, authentication point, and policy enforcement point) connects to the intranet server and, through aggregation switches and access switches, to the users.]

• The core switch is used as the Layer 3 gateway and authentication point for wired and wireless users, as well as the policy enforcement point in the free mobility solution.
• As the policy enforcement point is deployed at the upper layer, configure port isolation on access and aggregation switches to prevent traffic from being directly transmitted through the access or aggregation switches without passing through the core switch.
• The policy enforcement points control mutual access between users and access from users to network resources such as servers, and are deployed on core switches.
• When 802.1X authentication is used, configure transparent transmission of 802.1X packets on the access and aggregation switches if the authentication point is located on a core switch.

Quiz

1. (True or false) In the free mobility solution, a policy enforcement point must be an authentication point and is typically deployed on a user gateway. ( )
A. True
B. False

2. (True or false) Free mobility implements policy management and permission control based on security groups. Rules such as VLANs and ACLs need to be planned during network design. ( )
A. True
B. False

1. B
2. B
Summary

⚫ Free mobility transforms IP-based policies into security group-based policies, which are easier to understand and decouple policies from IP addresses. This allows network administrators to implement policy control between security groups without considering the IP addresses of users.
⚫ Network objects of the same type and with the same permissions are added to one security group. Members in a security group can be PCs, mobile phones, printers, and servers. After network objects are divided into different security groups, administrators can define security group policies to determine the network services that each security group can use, including access rights and application control.
Thank you.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Large- and Medium-Sized Virtualized Campus Network Design

Foreword

⚫ Huawei CloudCampus 3.0 Solution (hereafter referred to as Huawei CloudCampus Solution) adopts a new philosophy of Intent-Driven Network (IDN), and introduces big data analytics and Artificial Intelligence (AI) technologies into cloud and software-defined networking (SDN). It helps enterprises build intelligent, simplified, converged, open, and secure networks.
⚫ This course describes the planning and design process for large- and medium-sized virtualized campus networks that use the CloudCampus Solution, including the network architecture design, underlay network design, fabric and overlay network design, admission control and free mobility design, WLAN design, egress network design, network security and QoS design, as well as O&M design.

Objectives

⚫ On completion of this course, you will be able to:
 Describe the network layers and network architecture of large- and medium-sized virtualized campus networks.
 Complete the network architecture design and underlay network design for a virtualized campus network based on actual requirements.
 Complete the fabric and overlay network design for a virtualized campus network based on actual requirements.
 Complete the admission control design, free mobility design, WLAN design, egress network design, network security and QoS design, and O&M design for a virtualized campus network based on actual requirements.

Contents

1. CloudCampus Solution and Virtualized Campus Network Overview
2. Network Architecture Design
3. Underlay Network Design
4. Fabric and Overlay Network Design
5. Admission Control and Free Mobility Design
6. WLAN Design
7. Egress Network Design
8. Network Security and QoS Design
9. O&M Design
Large- and Medium-Sized Campus Networks

⚫ Different from the wide area network (WAN) and data center network, a campus network typically refers to the internal network of an enterprise or organization. A campus network is built for more efficient running of key enterprise services.
⚫ In terms of network scale, campus networks can be classified into large- and medium-sized campus networks as well as small- and medium-sized campus networks. A large- or medium-sized campus network typically has:
 Over 2,000 end users
 Over 100 network elements (NEs)
⚫ Some enterprises have branches dispersed across different areas, and each branch network can be considered a single campus network.
Service Requirements and Challenges of Large- and Medium-Sized Campus Networks

⚫ Enterprises' campus networks are the cornerstone of their digital transformation. Nowadays, mobile office, cloud computing, SDN, Internet of Things (IoT), artificial intelligence (AI), and big data are gaining momentum. Driven by this, new technologies and applications are constantly emerging and are making inroads into enterprise campus networks, which poses many new challenges for the campus networks.

Converged network
Requirements: Diversified access terminals and services require a converged campus network.
Challenges:
• Wi-Fi and IoT services are independently planned, deployed, and managed, resulting in high network construction costs.
• The network management and O&M workload is heavy.

Automated network deployment
Requirements: Network deployment should be automated to address the growing complexity in deployment and policies due to the surge in applications and services.
Challenges:
• Manual configuration is repetitive, complex, and labor-intensive.
• New service rollout requires configuring devices one by one, which is time-consuming and costly.
• The workload of network policy deployment and adjustment is heavy.

User experience awareness
Requirements: Network O&M should become automated and intelligent, with insights into user experience anytime, anywhere.
Challenges:
• Service faults cannot be detected in a timely manner.
• Fault locating heavily relies on the O&M skills and experience of professionals, so faults cannot be quickly located.
• The network cannot be self-optimized.
Huawei CloudCampus 3.0 Solution (CloudCampus Solution)

Figure: iMaster NCE-Campus provides one-stop management (analysis platform, control, and management; design, deployment, and policy) and manages large- and medium-sized and small- and medium-sized campuses through NETCONF/YANG, with campus interconnection over the WAN/Internet. The campus is divided into VNs (OA VN, R&D VN), each holding security groups (security group 1 to security group 5) with access policy, bandwidth, and priority settings.

Rapid network provisioning, improving deployment efficiency
• Device plug-and-play: simplified device deployment, scenario-specific guided configuration, template-based configuration
• Simplified network deployment: network resource pooling, multi-purpose network, automatic service provisioning

Fast service provisioning, improving user experience
• Free mobility: GUI-based policy configuration; access anytime anywhere, with consistent permission and experience during roaming
• Intelligent terminal identification: anti-spoofing for terminal access, with the accuracy of intelligent terminal identification reaching over 95%
• Intelligent HQoS: application-based traffic scheduling and shaping and fine-grained bandwidth management ensure the service experience of VIP users

Quick intelligent O&M, improving network performance
• Real-time experience visualization: uses Telemetry for network experience visualization at any moment, for any user, and in any area
• Precise fault analysis: proactively identifies typical network issues and provides suggestions; compares and analyzes real-time data to predict faults
• Intelligent network optimization: predictive optimization of wireless networks based on historical data, improving overall network performance
CloudCampus Highlights: Simplified Deployment

Physical and virtual network automation
• Automated deployment of a physical network: Devices can be pre-configured for plug-and-play.
▫ iMaster NCE-Campus provides a GUI for automated deployment of devices, as well as route orchestration and interworking configuration of underlay networks.
• Automated provisioning of virtual networks: Virtual networks can be automatically created to achieve "one network for multiple purposes".
▫ With iMaster NCE-Campus, fabric networks can be deployed, and VXLAN tunnels can be automatically set up based on the BGP EVPN control plane, so as to achieve automated virtual network construction, centralized service configuration, and automatic service provisioning.

User policy automation
• Centering on users, services, and experience, policies can migrate with users, ensuring a consistent service experience.
▫ The free mobility solution uses iMaster NCE-Campus to plan security groups and inter-group policies and automatically deliver policies to network devices.
▫ When an authenticated user accesses the network using different terminals at different locations, iMaster NCE-Campus automatically identifies the user and delivers the relevant user policies to the corresponding policy enforcement device on the network. This achieves consistent and assured user access experience: a user has the same policies and service experience irrespective of the access location.

Figure: the VXLAN overlay (virtual network layer) is built on top of the OSPF underlay (physical network layer); when User A moves between access points, the same policies follow the user.
CloudCampus Highlights: Wired and Wireless Convergence

⚫ Huawei campus switches integrate the WLAN access controller (AC) functionality to implement wired and wireless convergence, providing unified management and experience for wired and wireless users.

Figure: the NM area manages a core switch with a native AC, which terminates CAPWAP tunnels from the APs.

Unified forwarding: Wired and wireless traffic is centrally processed by the core switch before being forwarded.
Unified authentication: The core switch functions as the unified authentication point and Layer 3 gateway for both wired and wireless users.
Unified policy execution: The core switch is the policy enforcement point for both wired and wireless users.

• By integrating the user authentication, user management, and policy association functions, the CloudCampus Solution provides unified authentication and access policy control for both wired and wireless users. Administrators can have a consistent user management experience, with simplified O&M for wired and wireless networks.
CloudCampus Highlights: WLAN and IoT Convergence

⚫ Huawei APs integrate IoT modules to provide functions of IoT base stations, implementing Wi-Fi and IoT convergence as well as simplified management.

Scenarios and challenges
• Scenarios: retail, healthcare, education, enterprise, and other campuses where innovative digital services need to be provided based on IoT, such as ESL management, healthcare IoT, health management, and asset management.
• Challenges: Wi-Fi and IoT (such as Bluetooth and RFID) networks are deployed separately. Numerous wireless networks are deployed, resulting in high costs and inflexible service expansion. There is also radio interference between these wireless networks, affecting service experience.

Huawei IoT AP
• Wi-Fi & IoT converged architecture.
• Converged site for the AP and IoT base station, reducing auxiliary resources (such as access and power supply management) by 50%.
• Cloud-based management and plug-and-play, facilitating service configuration.
• Wi-Fi and IoT configuration association, allowing automatic Wi-Fi channel switching when a conflict is detected.

Figure: the IoT service management platform reaches a store over the Internet; the store's IoT AP serves Wi-Fi terminals and Bluetooth, RFID, and ZigBee tags, IoT sensors, and wristbands. The 2.4 GHz Wi-Fi radio and the 2.4 GHz RFID radio are shown on channel 6 and channel 11, illustrating the channel conflict the AP resolves automatically.
CloudCampus Highlights: LAN and WAN Convergence (1)

Figure: iMaster NCE-Campus provides one-stop management of LAN management (site configuration, access authentication, campus VXLAN, free mobility, resource management, site management) and SD-WAN (route management, intelligent traffic steering, WAN VPN). The multi-service campus at HQ and the simple-service campuses at Branch 1 and Branch 2 are connected through CPE1, CPE2, and CPE3 over MPLS and the Internet.

Integrated GUI, improving deployment and O&M efficiency
• Integrated deployment, integrated policy, integrated O&M

Diverse SD-WAN policies, improving application experience
• Identification of 6000+ applications, application-based intelligent traffic steering, application-specific fine-grained QoS scheduling

One platform, reducing user investment
• iMaster NCE-Campus can be deployed in a single-node system or a cluster.

• CPE: Customer Premises Equipment
• GUI: Graphical User Interface
CloudCampus Highlights: LAN and WAN Convergence (2)

LAN-WAN interconnection solution
• The CloudCampus Solution provides two technologies for campus egress interconnection: IPsec VPN and SD-WAN EVPN.
▫ IPsec VPN is a static VPN technology that creates a VPN tunnel by setting up an IPsec tunnel between sites. It diverts traffic to the VPN tunnel based on the configured static network segments so that the sites can access each other through the VPN tunnel.
▫ SD-WAN EVPN is a dynamic VPN technology that establishes tunnels between sites on demand and dynamically advertises routes. EVPN creates VPN tunnels between sites by setting up GRE tunnels between them. It supports IPsec encryption on the GRE tunnels, securing data transmission; GRE by itself provides neither confidentiality nor integrity, so IPsec should be enabled on tunnels that cross an untrusted WAN.
• Application experience optimization policies provided on the WAN side:
▫ Application identification, intelligent traffic steering, QoS, NAT policy, application optimization, etc.
• Application identification:
▫ Precise identification of applications on a network is the prerequisite and basis for network services such as intelligent traffic steering, QoS, application optimization, and security. Service policies can be applied in subsequent service processes only after applications are identified.
▫ Two application identification methods are available in the SD-WAN EVPN Interconnection Solution: first packet inspection (FPI) and service awareness (SA).
• Intelligent traffic steering:
▫ The SD-WAN EVPN Interconnection Solution supports traffic steering based on the application quality, load balancing, application priority, and bandwidth.
• QoS:
▫ QoS is a mainstream function that implements differentiated services. With this function, data packets are classified into different priorities or multiple classes of service (CoSs) through traffic classification. These priorities and CoSs are the prerequisite and basis for the differentiated service (DiffServ) model. Different traffic policies can be configured based on packet priorities and CoSs to provide different services.
▫ The SD-WAN EVPN Interconnection Solution supports traffic classification based on the IP 5-tuple, application group, and DSCP, and supports QoS policies such as queue priority-based scheduling, traffic policing, and traffic shaping. It also supports QoS functions such as multi-dimensional bandwidth allocation and DSCP re-marking through HQoS.
• NAT policy:
▫ Network Address Translation (NAT) translates the IP address in an IP packet header into another IP address.
▫ Huawei SD-WAN EVPN Interconnection Solution supports two types of NAT policies: dynamic NAT and static NAT.
• Application optimization:
▫ Huawei SD-WAN EVPN Interconnection Solution uses the forward error correction (FEC) technology to mitigate audio and video packet loss. FEC uses a proxy to obtain data flows with specified 5-tuple information, adds redundant check information to the packets, and verifies the packets at the receive end. If a packet is lost or damaged on the network, the redundant information can be used to recover it.
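The recovery mechanism described in the application optimization note, as an added worked example rather than Huawei's implementation (the course does not specify the coding scheme the CPE uses): the sender groups k packets into a block and appends one XOR parity packet; a receiver that loses exactly one packet of the block rebuilds it from the survivors without any retransmission. The (block_id, index, n_data, payload) transport header, the lossy-path simulation, and the sample packets are constructed for the illustration.

```python
import struct


def _frame(payload, size):
    """Prefix the payload with its length and zero-pad to the block's common size."""
    return struct.pack("!H", len(payload)) + payload + b"\x00" * (size - 2 - len(payload))


def _unframe(buf):
    """Strip the length prefix and padding added by _frame."""
    return buf[2:2 + struct.unpack("!H", buf[:2])[0]]


def _xor(bufs):
    """Byte-wise XOR of equally sized buffers."""
    out = bytearray(len(bufs[0]))
    for buf in bufs:
        for i, b in enumerate(buf):
            out[i] ^= b
    return bytes(out)


def sender_encode(packets, k):
    """Group packets into blocks of k and append one parity unit per block.

    Each transmitted unit is (block_id, index, n_data, payload); the unit with
    index == n_data is the parity of the block (assumed header layout).
    """
    stream = []
    for block_id, start in enumerate(range(0, len(packets), k)):
        block = packets[start:start + k]
        size = 2 + max(len(p) for p in block)      # frame every packet to one size
        framed = [_frame(p, size) for p in block]
        for idx, buf in enumerate(framed):
            stream.append((block_id, idx, len(block), buf))
        stream.append((block_id, len(block), len(block), _xor(framed)))
    return stream


def receiver_decode(received):
    """Rebuild the packet sequence; returns (packets, repaired_count, unrecoverable_count)."""
    blocks = {}
    for block_id, idx, n_data, buf in received:
        blocks.setdefault(block_id, (n_data, {}))[1][idx] = buf
    out, repaired, lost = [], 0, 0
    for block_id in sorted(blocks):
        n_data, units = blocks[block_id]
        missing = [i for i in range(n_data) if i not in units]
        if len(missing) == 1 and n_data in units:
            # XOR of the surviving data units and the parity equals the missing unit
            units[missing[0]] = _xor(list(units.values()))
            repaired += 1
        elif missing:
            lost += len(missing)   # two or more losses, or parity also lost: cannot repair
        for i in range(n_data):
            if i in units:
                out.append(_unframe(units[i]))
    return out, repaired, lost


def simulate(packets, k, drop_positions):
    """Send packets through a constructed lossy path that drops the given stream positions."""
    stream = sender_encode(packets, k)
    received = [unit for pos, unit in enumerate(stream) if pos not in drop_positions]
    return receiver_decode(received)


if __name__ == "__main__":
    sample = [b"a", b"bb", b"ccc", b"dddd", b"ee", b"f"]   # constructed audio/video frames
    print(simulate(sample, 3, {1}))       # one loss in block 0: repaired
    print(simulate(sample, 3, {1, 2}))    # two losses in block 0: reported as unrecoverable
```

One parity unit repairs at most one loss per block, so the block size k is the trade-off between overhead (one extra packet per k) and how much burst loss the stream survives; the receiver reports what it could not repair instead of silently dropping it, which is what you want logged at the receiving proxy.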
Three Deployment Modes of CloudCampus

On-Premise
• Scenario definition: Customers purchase and own software entities, such as the controller and analyzer, which can be deployed in their data centers or on the public cloud platform.
• Target customer: Customers in industries such as government, education, large enterprise, retail, and financial services
• Operations entity: Customer
• Software transaction mode: Perpetual license + SnS

Huawei Public Cloud
• Scenario definition: Huawei operates the public cloud and customers do not need to purchase the controller or analyzer software. Instead, customers just purchase Huawei's cloud managed network service.
• Target customer: Customers in industries such as government, education, large enterprise, retail, and financial services
• Operations entity: Huawei
• Software transaction mode: SaaS mode

MSP-owned Cloud
• Scenario definition: MSPs purchase software, such as the controller and analyzer, for operational purposes. The software can be deployed in their data centers or on the public cloud platform.
• Target customer: MSP, carrier
• Operations entity: MSP, carrier
• Software transaction mode: TBL subscription mode

• Managed service provider (MSP): delivers and manages network-based services, applications, and devices. The serviced objects include enterprises, residential areas, and other service providers.
• Perpetual license + SnS: The perpetual license is sold together with SnS services, such as software patches, software upgrades (including new features of new releases), and remote support. In the perpetual license + SnS mode, a customer needs to pay the SnS fee for a certain period of time, in addition to purchasing the license upon the first purchase. If the customer does not renew the SnS annual fee after it expires, the customer can only use the functions provided in the license for the current version and cannot use the service functions covered by the SnS annual fee.
• SaaS mode: MSPs are responsible for deploying or leasing hardware infrastructure, and for O&M and management of the hardware and software. Software is provided to customers as cloud services and customers need to periodically pay for the cloud services.
• Term Based License (TBL) mode: This mode differs from the perpetual license + SnS mode in that the licenses purchased by customers have limited validity periods. If a customer does not renew the subscription after the license expires, the customer can no longer use the software product.
• SnS: refers to Subscription and Support. It consists of two parts: software support and software subscription. The complete software charging mode consists of the annual software SnS fee and the software license fee.
• Note: This course uses the on-premise deployment as an example.
CloudCampus Solution Components: iMaster NCE-Campus

⚫ iMaster NCE-Campus is the configuration and management platform used in the CloudCampus Solution. It provides a portal for CloudCampus service configuration, O&M, and monitoring.

Figure: the three layers of iMaster NCE-Campus, an autonomous driving campus network management and control system.
• Application service layer (MDM, e-Schoolbag, health management, asset management, intelligent OAM, ...): intelligent and automated management; SDN-based automatic service configuration/deployment; AI-powered intelligent analysis/prediction/troubleshooting.
• Management-control-analysis layer (converged Manage + Control + Analyze): unified data base; centralized detection/locating/processing.
• Infrastructure layer (Plan + Construct + Maintain + Optimize): full lifecycle management; simulation/verification/monitoring/optimization.
CloudCampus Solution Components: iMaster NCE-CampusInsight

AS-IS: Device-centric network management (traditional NMS)
• SNMP-based network data collection within minutes: topology management, performance management, alarm management, configuration management.
• Device-centric management: User experience cannot be perceived.
• Passive response: Potential faults cannot be identified.
• Professional engineers locate faults on site.

TO-BE: User experience-centric AI-powered intelligent O&M
• Telemetry-based network data collection within seconds: visualized experience management, user journey playback, identification of potential faults, location of root causes, predictive network optimization.
• Experience visibility: Telemetry-based second-level data collection, enabling visible experience for each client, in each application, and at each moment.
• Identification of potential faults and location of root causes within minutes:
▫ Identification of potential faults based on dynamic baselines and big data correlation analysis.
▫ KPI correlation analysis and protocol trace, helping accurately locate root causes of faults.
• Predictive network optimization: intelligently analyzes load trends of APs through AI algorithms, implementing predictive optimization of wireless networks.

• Using algorithms to improve efficiency and leveraging scenario-specific continuous learning and expert experience, intelligent O&M frees O&M personnel from nerve-wracking alarms and noise, making O&M automated and intelligent.
CloudCampus Solution Components: WLAN Planner

⚫ WLAN Planner is an efficient WLAN network planning tool. It simulates signals to determine APs' deployment positions and signal coverage.

• Efficiently supports WLAN network planning:
▫ No installation: Cloud-based tool, without the need for software installation.
▫ All-scenario: All scenarios supported, including indoor, outdoor, agile distributed, and high-density scenarios.
▫ Efficient: Improved simulation efficiency when compared with the traditional standalone deployment.
▫ High quality: Supports tens of thousands of WLAN projects.
• For more information about the WLAN, such as WLAN planning, SSID planning, and radio calibration, see the Small- and Medium-Sized Cloud-Managed Campus Network Design or HCIX-WLAN series courses.
CloudCampus Solution Components: Network Hardware Products

• CloudEngine S series switches: high-performance campus switches.
• NetEngine AR routers: campus egress routers that integrate routing, switching, Wi-Fi, 5G, and security functions.
• AirEngine Wi-Fi 6 APs: campus APs, with models that apply to all scenarios: indoor settled, indoor wall plate, agile distributed, and outdoor AP models.
• HiSecEngine AI firewalls: firewalls that provide comprehensive and integrated network security protection capabilities.
Network Architecture of the CloudCampus Solution (VXLAN-based Virtualized Campus Network)

⚫ The following figure shows the typical network architecture of the CloudCampus Solution, which consists of the network layer, management layer, and application layer.

Figure: the application layer (AAA, MDM, e-Schoolbag, health management, asset management, intelligent OAM, ...) reaches the management layer through open APIs; the management layer manages the network layer through SNMP, NETCONF/YANG, and Telemetry; the network layer consists of virtual networks (VN 1, VN 2, VN 3) on top of a physical network of switches (one acting as the native AC), APs, a firewall, and the Internet/WAN connection.

• Network layer
▫ Virtualization technologies are introduced to divide the network layer into a physical network and a virtual network.
▪ Physical network: is also called the underlay network and provides basic connection services for a campus network. To meet access requirements of multiple types of terminals, the physical network provides converged access for three networks, allowing simultaneous access of wired, wireless, and IoT terminals.
▪ Virtual network: is also called the overlay network. Virtualization technology is used to construct one or more overlay networks on top of the underlay network. Service policies are deployed on the overlay networks and are separated from the underlay network, decoupling services from networks. Multiple overlay networks can serve different services or customer segments.
• Management layer
▫ The management layer provides management capabilities, such as configuration management, service management, maintenance and fault detection, as well as security threat analysis. Traditional campus networks use a network management system (NMS) for network management. Although the NMS can display the network status, it lacks flexibility and automatic management capability. Once service requirements change, the network administrator needs to re-plan services and manually modify configurations on network devices (including routers, switches, and firewalls), which is inefficient and error-prone. Therefore, maintaining network flexibility is critical in rapidly changing service environments, which requires the use of automation tools to assist in network and service management. Huawei's CloudCampus Solution uses iMaster NCE-Campus to implement automatic network and service provisioning.
▫ iMaster NCE-Campus abstracts network devices and applications, and rapidly develops and automatically deploys applications through orchestration and by invoking abstract models. iMaster NCE-Campus illustrates the entire network rather than independent devices (such as switches, routers, and APs) or discrete configurations (such as access control, QoS, and routing policies) on devices.
• Application layer
▫ Based on iMaster NCE-Campus, Huawei CloudCampus Solution provides open standards-compliant APIs, through which various information, including user identities, network resources, service quality, location information, and network topology, is opened up to upper-layer services. Third parties can use these APIs to customize innovative service applications based on service demands, meeting service requirements in multiple fields such as education, commerce, enterprise, and government.
Architecture of a Virtualized Campus Network

Figure: the overlay (virtual network layer) holds VN 1 to VN N, each instantiated from the fabric as a VRF plus VNI and connected to the network egress and to network services (IP/VLAN); the VXLAN fabric consists of a border (to the external network), edges (wired access and wireless access), and network service resources; the underlay (physical network layer) consists of core, aggregation, and access switches running OSPF.

Virtual network (VN): a logically isolated virtual network instance that is constructed by instantiating a fabric. One VN corresponds to one isolated network (service network), for example, the R&D network.

Fabric: a network with pooled resources abstracted from the underlay network. When creating an instantiated VN, you can select network resources on the fabric.

Underlay: a physical topology consisting of physical network devices (such as switches, APs, firewalls, and routers) that provide interconnection capabilities for all services on the campus network. It is the basic bearer network for campus service data forwarding.

• On a large- or medium-sized campus network, the virtualization solution may need to be used to decouple services from the network, so as to build a multi-purpose network and achieve flexible, fast service deployment without changing the basic network infrastructure. Using such a solution means that the virtualized campus network architecture must be different from the traditional network architecture.
• This slide presents the virtualized campus network architecture. The underlay is the physical network layer, and the overlay is the virtual network layer constructed on top of the underlay using the Virtual Extensible LAN (VXLAN) technology.
Network Nodes on a Virtualized Campus Network

Figure: from top to bottom, egress gateway, firewall node, border node, transparent node, edge node (the fabric domain, VXLAN), and access node (the access domain). The VXLAN-capable nodes are the border and edge nodes.

• Egress gateway: is an egress device of the campus network, which can be an AR router or a firewall.
• Firewall node: This node is required when Layer 4 to Layer 7 security policies are deployed. It can be deployed in off-path mode or at the campus egress.
• Border node: implements communication between the fabric and external networks. It is typically a core switch.
• Transparent node: sits between the border and edge nodes and does not need to support VXLAN.
• Edge node: is a fabric edge device that connects user-side devices to the fabric. Data packets from wired users enter the VXLAN network through edge nodes.
• Access node: is typically an access switch (wired access node) or an AP (wireless access node). Wired access nodes can function as edge nodes, that is, VXLAN is deployed across core and access nodes. If wired access nodes do not need to support VXLAN, aggregation nodes can function as edge nodes (VXLAN is deployed across core and aggregation nodes), in which case policy association can be deployed between wired access nodes and edge nodes.

• On a fabric network, a VXLAN tunnel endpoint (VTEP) can function as either a border or edge node:
▫ Border node: It corresponds to a physical network device and forwards data between the fabric and external networks. In most cases, border nodes are VXLAN-capable core switches.
▫ Edge node: It corresponds to a physical network device. User traffic enters the fabric from the edge node. Typically, edge nodes are VXLAN-capable access or aggregation switches.
• Policy association:
▫ Policy association resolves the trade-off between policy strength and configuration complexity on large campus networks. In the solution, user access policies are centrally managed on the gateway devices and enforced by the gateway and the authentication access devices.
▫ After policy association is configured, authentication access devices can transparently transmit BPDUs and report user logout and user access positions in real time. In addition, the authentication control device requests authentication access devices to enforce user access policies, thus controlling user access to the network.
Key Technologies in CloudCampus: DHCP-based Plug-and-Play of Network Devices

⚫ The network administrator has deployed the DHCP service on the network. (It is recommended that the DHCP service be deployed on the core switch.)
⚫ In addition to delivering an IP address to the device to be deployed, the DHCP server uses DHCP Option 148 to notify the device of the iMaster NCE-Campus IP address and port number.

Figure: the exchange between the core switch (DHCP server), the switch to be deployed, and iMaster NCE-Campus.
1. The DHCP service is deployed on the core switch.
2. The switch to be deployed sends a DHCP request.
3. The DHCP response includes the IP address, DNS, working mode, and Option 148 (containing the iMaster NCE-Campus IP address and port number).
4. The switch proactively initiates a registration request to iMaster NCE-Campus.

Devices supported: AR routers, switches, APs
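The Option 148 step above, as an added example that is not Huawei's code: the option-field parser a device needs to pull the controller address out of the DHCP response, plus the check a practitioner wants before the registration step, since a factory-default device trusts whichever DHCP response reaches it first and a rogue DHCP server on the management segment could point it at a controller the attacker runs. The course only says that Option 148 carries the iMaster NCE-Campus IP address and port; the `key=value;key=value` string layout, the field names agilemanage-mode, agilemanage-domain, and agilemanage-port, the allow-list of controller addresses, and the sample addresses are assumptions made here for the illustration.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"                   # RFC 2132 magic cookie before the options
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_CONTROLLER, OPT_END = 0, 53, 54, 148, 255
DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp_options(payload):
    """Parse the RFC 2132 option field (cookie, then code/length/value TLVs) into {code: value}."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                           # pad has no length byte
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_controller_option(raw):
    """Split the assumed 'key=value;key=value' Option 148 string into a dict."""
    fields = {}
    for item in raw.decode("ascii").split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed Option 148 field: %r" % item)
        fields[key.strip()] = value.strip()
    return fields


def select_controller(options_blob, allowed_controllers):
    """Return ("ok", ip, port) only for an allow-listed controller, else ("reject", reason)."""
    try:
        opts = parse_dhcp_options(options_blob)
        if opts.get(OPT_MSG_TYPE, b"") not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
            return ("reject", "not a DHCPOFFER/DHCPACK")
        if OPT_CONTROLLER not in opts:
            return ("reject", "no Option 148 present")
        fields = parse_controller_option(opts[OPT_CONTROLLER])
        if fields.get("agilemanage-mode") != "ip":
            return ("reject", "unsupported agilemanage-mode")
        ip = ipaddress.ip_address(fields["agilemanage-domain"])
        port = int(fields["agilemanage-port"])
    except (KeyError, ValueError) as exc:             # UnicodeDecodeError is a ValueError
        return ("reject", "malformed option data: %s" % exc)
    if not 1 <= port <= 65535:
        return ("reject", "port out of range")
    if str(ip) not in allowed_controllers:            # the anti-rogue-server check
        return ("reject", "controller %s not in allow-list" % ip)
    return ("ok", str(ip), port)


def build_offer(controller_string, msg_type=DHCPOFFER):
    """Constructed DHCPOFFER option field, as the core switch in step 3 would send it."""
    def opt(code, value):
        return bytes([code, len(value)]) + value
    return (DHCP_MAGIC
            + opt(OPT_MSG_TYPE, bytes([msg_type]))
            + opt(OPT_SERVER_ID, ipaddress.ip_address("10.1.1.1").packed)
            + opt(1, ipaddress.ip_address("255.255.255.0").packed)      # subnet mask
            + opt(6, ipaddress.ip_address("10.1.1.53").packed)         # DNS server
            + opt(OPT_CONTROLLER, controller_string.encode())
            + bytes([OPT_END]))


if __name__ == "__main__":
    offer = build_offer("agilemode=agile-cloud;agilemanage-mode=ip;"
                        "agilemanage-domain=10.1.1.1;agilemanage-port=10020")
    print(select_controller(offer, {"10.1.1.1"}))
```

The allow-list stands in for whatever out-of-band trust anchor the deployment has (a pre-provisioned controller address or certificate); without such a check, protecting the management VLAN on which devices boot is the only thing standing between plug-and-play and a redirected registration.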
Key Technologies for Virtualized Campus: Admission Authentication

Figure: egress; core (border); aggregation; access switches (edges) and an AP connected over VXLAN. The built-in RADIUS server and Portal server of iMaster NCE-Campus act as the admission server. Terminals authenticate at the authentication point (the edge): Sales (802.1X), Phone (MAC), Guest (Portal). Steps: (1) request for user identity authentication, (2) transfer of the user identity credential, (3) user identity verification, (4) user policy authorization; service traffic then flows.

1. Request for user identity authentication: The terminal sends its identity credential to the admission device.
2. User identity authentication: The admission device sends the identity credential to the admission server for identity authentication.
3. User identity verification: The admission server stores user identity information and manages users. After receiving the identity credential of the terminal, the admission server verifies the identity of the terminal, determines whether the terminal identity is valid, and delivers the verification result and policy to the admission device.
4. User policy authorization: As a policy enforcement device, the admission device implements policy control over the terminal based on the authorization result provided by the admission server, for example, permitting or denying network access, or performing more complex policy control on the terminal. Complex policy control can be increasing or decreasing the forwarding priority of the terminal, or restricting the network access rate of the terminal.
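Steps 2 to 4 between the admission device and the RADIUS server, as an added worked example that is not Huawei's code: the Access-Request carries the User-Name and the RFC 2865 hidden User-Password, the server answers with an Access-Accept or Access-Reject whose Response Authenticator is keyed with the shared secret, and the admission device verifies that authenticator before it applies any authorization. The user database, the shared secrets, and the use of the standard Filter-Id attribute to carry the authorized group name are assumptions (a real deployment may return the group in a vendor-specific attribute); in a deployment the request goes over UDP/1812 to the server instead of a local function call.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FILTER_ID = 1, 2, 11

# Constructed user database of the admission server: username -> (password, authorized group)
USER_DB = {"alice": ("s3cret-pw", "Sales")}


def _attr(atype, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _parse_attrs(blob):
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def _password_xor(secret, request_auth, data, encrypt):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    out, prev = b"", request_auth
    for k in range(0, len(data), 16):
        block = data[k:k + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, pad))
        out += res
        prev = res if encrypt else block        # chain on the ciphertext block either way
    return out


def build_access_request(secret, username, password, identifier, request_auth):
    """Step 2: the admission device forwards the credential to the admission server."""
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, _password_xor(secret, request_auth, padded, True)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def server_handle(secret, packet):
    """Step 3: the admission server checks the identity and returns Accept (with the group) or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("bad Access-Request")
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = _password_xor(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""), False)
    entry = USER_DB.get(username)
    if entry is not None and hmac.compare_digest(entry[0].encode(), password.rstrip(b"\x00")):
        code, reply_attrs = ACCESS_ACCEPT, _attr(ATTR_FILTER_ID, entry[1].encode())
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(secret, request_auth, response):
    """The admission device must check the Response Authenticator before trusting the reply."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate(secret, username, password, identifier=7):
    """Steps 1 to 4 end to end, returning (outcome, authorized group)."""
    request_auth = os.urandom(16)
    request = build_access_request(secret, username, password, identifier, request_auth)
    response = server_handle(secret, request)          # UDP/1812 round trip in a deployment
    if not verify_response(secret, request_auth, response):
        return ("tampered", None)                       # step 4 must not run on an unverified reply
    if response[0] == ACCESS_ACCEPT:
        group = _parse_attrs(response[20:]).get(ATTR_FILTER_ID, b"").decode()
        return ("accept", group)
    return ("reject", None)


if __name__ == "__main__":
    print(authenticate(b"shared-secret", "alice", "s3cret-pw"))   # ('accept', 'Sales')
    print(authenticate(b"shared-secret", "alice", "wrong"))       # ('reject', None)
```

The authenticator check is the part that matters for the enforcement point: a reply forged or replayed without the shared secret fails verification and no authorization is applied, which is also why a mismatched secret on either side shows up as authentication failures rather than as a silent grant.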
Key Technologies for Virtualized Campus: Policy Association

⚫ If access switches do not support VXLAN, policy association can be deployed between access and aggregation switches (gateways). The gateway manages user access policies in a unified manner, and the access switch enforces user access policies.
 Authentication control points and enforcement points are connected through CAPWAP tunnels (which are the management tunnels used by policy association).
 CAPWAP tunnels implement user association, message transmission, user authorization policy delivery, user information synchronization, and other functions.
 After policy association is configured, authentication enforcement points can transparently transmit BPDUs, report user logout and access locations in real time, and enforce user access policies, thereby controlling user access to the network.

Figure: egress; core (border); VXLAN between the border and the edges; aggregation switches (edges, Layer 3 above and Layer 2 below) act as authentication control points; access switches and the AP act as authentication enforcement points and are connected to the control points through CAPWAP tunnels; link aggregation and CSS/iStack are used on the switch links.

• CAPWAP: Control and Provisioning of Wireless Access Points
Key Technologies for Virtualized Campus: Free Mobility
⚫ Free mobility manages policies and controls permissions based on security groups. Regardless of user locations and the IP addresses in use, this technology ensures that users obtain consistent network permissions and that the corresponding policies can be enforced on the users.
1. Create security groups. A security group is a group of users or network resources that have the same network access policies.
2. Define permission control policies based on security groups and deliver the policies to network devices.
3. Authorized security groups are assigned to the users who pass admission authentication.
4. After user traffic enters the network, network devices enforce policies based on the corresponding source and destination security groups of the traffic.
Figure: a sales user security group, an R&D user security group, and a server resource group. Security groups and permission control policies are delivered to the campus network (steps 1 and 2); users A, B, and C pass admission authentication (step 3); policies are enforced on their traffic (step 4).
• Free mobility introduces the concept of security group. Security groups are related only to user identities and are completely decoupled from network information such as user VLANs and IP addresses.
• User policy management and permission control are performed based on security groups.
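The following Python model is an added example (not code from the training material or from iMaster NCE-Campus) of the four steps above: security groups and a permission matrix are defined once, each identity is authorized into a group, the group is bound to whatever IP address the user authenticates from, and enforcement looks up only the source and destination groups of a flow. The group names follow the slide; the policy matrix, the default-deny action and the class and method names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed permission matrix keyed by (source group, destination group).
# Group names follow the slide; "deny unless permitted" is this example's assumption.
POLICY: Dict[Tuple[str, str], str] = {
    ("sales", "servers"): "permit",
    ("rnd", "servers"): "permit",
    ("rnd", "rnd"): "permit",
    ("sales", "rnd"): "deny",
    ("rnd", "sales"): "deny",
}
DEFAULT_ACTION = "deny"


@dataclass
class Fabric:
    """Policy state of the campus fabric: identities, live IP-to-group bindings and
    static resource groups. Enforcement never looks at VLANs or raw addresses."""
    user_group: Dict[str, str] = field(default_factory=dict)      # identity -> authorized group
    bindings: Dict[str, str] = field(default_factory=dict)        # IP in use -> group (learned at login)
    resource_group: Dict[str, str] = field(default_factory=dict)  # server IP -> resource group

    def authorize(self, user: str, group: str) -> None:
        """Step 3 of the slide: the admission server assigns a security group to an identity."""
        self.user_group[user] = group

    def login(self, user: str, ip: str) -> str:
        """Admission authentication succeeded from `ip` (any VLAN, any building):
        bind that address to the identity's group for as long as the session lives."""
        group = self.user_group.get(user)
        if group is None:
            raise PermissionError(f"{user} has no authorized security group")
        self.bindings[ip] = group
        return group

    def logout(self, ip: str) -> None:
        """Drop the binding so a later sender on the same address inherits nothing."""
        self.bindings.pop(ip, None)

    def group_of(self, ip: str) -> Optional[str]:
        return self.bindings.get(ip) or self.resource_group.get(ip)

    def enforce(self, src_ip: str, dst_ip: str) -> str:
        """Step 4: look up the source and destination groups of a flow and apply the matrix."""
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        if src is None or dst is None:
            return DEFAULT_ACTION      # unbound endpoint: no group, so no permission
        return POLICY.get((src, dst), DEFAULT_ACTION)


if __name__ == "__main__":
    f = Fabric()
    f.resource_group["10.0.100.10"] = "servers"
    f.authorize("alice", "sales")
    f.login("alice", "192.168.40.11")                  # desk in building A
    print(f.enforce("192.168.40.11", "10.0.100.10"))   # permit
    f.logout("192.168.40.11")
    f.login("alice", "192.168.50.77")                  # same user, new address in building B
    print(f.enforce("192.168.50.77", "10.0.100.10"))   # still permit: the policy follows the identity
    print(f.enforce("192.168.40.11", "10.0.100.10"))   # deny: the old address has no binding
```

The point of the `logout` path is the one that matters operationally: once the binding is removed, a host that later appears with the same address gets the default action, so the permission cannot be inherited by address reuse or spoofing.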
Key Technologies in CloudCampus: Terminal Identification
Requirements and challenges:
 Example: a higher education institution with 50+ types of smart terminals. Data of smart terminals is collected by level-2 departments, and MAC address collection is difficult and error-prone.
 Example: an enterprise with 10+ authentication faults reported per day. Bogus terminals are difficult to locate.
Terminal identification and policy automation (terminal fingerprint database, proactive scanning, and information reporting):
 Terminal type-based automatic authentication: a terminal recognized as a printer is authenticated automatically by MAC address, without the need for manual MAC address input.
 Terminal type-based automatic authorization: a terminal recognized as a camera is automatically added to a video surveillance group.
 Terminal type-based bogus terminal detection: a terminal recognized as an IP phone first and then as a PC triggers a bogus terminal alarm.
• On large- and medium-sized campus networks, access terminals include smart terminals (such as PCs and mobile phones) and dumb terminals (such as IP phones, printers, and IP cameras). Currently, terminal management on campus networks faces the following challenges:
▫ The network management system (NMS) can only display the IP and MAC addresses of access terminals, but cannot identify the specific terminal type. As a result, the NMS cannot provide refined management for network terminals.
▫ Network service configurations and policies vary according to the terminal type. Consequently, administrators need to manually configure different services and policies for each type of service terminal, complicating service deployment and operations.
• To address these challenges, Huawei provides the automatic terminal identification and policy delivery solution, which delivers the following functions:
▫ iMaster NCE-Campus can display the network-wide terminal types and operating systems, for example, dumb terminals including printers, IP cameras, smart all-in-one cards, and access control systems. iMaster NCE-Campus can also collect statistics and display traffic by terminal type.
▫ Administrators do not need to manually configure different services and policies for different types of dumb terminals such as IP phones, printers, and IP cameras on the campus network. Instead, iMaster NCE-Campus can automatically identify these terminals and deliver the corresponding admission policies and service configurations to them.
Terminal Identification Modes
Figure: the two identification modes. In proactive scanning and identification, iMaster NCE-Campus scans and detects the terminal and collects its fingerprint. In passive fingerprint-based identification, the network device collects fingerprint information from the traffic sent by the terminal and reports it to iMaster NCE-Campus. In both modes the fingerprint is matched against the fingerprint database, the identification result is displayed to the administrator, and the policy is delivered.
• Terminal visibility: collects terminal type statistics (by vendor and OS), displays the relationship between terminals and access ports, queries access policies (VLAN, QoS, and authentication mode), and exports reports.
• Terminal policy automation:
 Supports automatic terminal access based on terminal types, thereby achieving automatic MAC address authentication of dumb terminals.
 Authorizes policies (covering VLAN, security group, access permission, and QoS) on a per-terminal-group basis; supports IPv4/IPv6 dual-stack terminals.
• Passive fingerprint-based identification: Network devices collect fingerprints of packets sent by terminals and report the fingerprints to iMaster NCE-Campus, which matches the fingerprints against its fingerprint database for terminal type identification. In this mode, terminals can be identified through the MAC organizationally unique identifier (OUI), HTTP User-Agent, DHCP options, LLDP, and multicast DNS (mDNS).
• Proactive scanning and identification: iMaster NCE-Campus proactively detects or scans terminals, and identifies terminal types based on the fingerprint information of the terminals. In this mode, terminals can be identified through SNMP queries or the network mapper (Nmap).
Terminal Identification Methods
⚫ The terminal management function of iMaster NCE-Campus can help identify terminals and display the terminal type, operating system, and manufacturer.
⚫ The following table describes the terminal identification methods (type, method, description, application scenario).
Passive fingerprint-based identification (information reporting):
 MAC OUI: The first three bytes of a MAC address represent the manufacturer. Application scenario: identifies the device manufacturer only.
 HTTP User-Agent: A browser's User-Agent string contains the manufacturer, terminal type, operating system, browser type, and other information. Application scenario: mobile phones, tablets, PCs, workstations, smart audio and video terminals.
 DHCP Option: Some options of a terminal's DHCP packets can be used to classify terminals, for example, DHCP options 55, 60, and 12. Application scenario: mobile phones, tablets, PCs, workstations, IP cameras, IP phones, printers, etc.
 LLDP: LLDPDUs carry device model information. Application scenario: IP phones, IP cameras, network devices, etc.
 mDNS: mDNS packets contain terminal model and service information. Application scenario: printers, IP cameras, etc.
Proactive scanning and identification:
 SNMP query: Obtains identification information by querying device information-related SNMP MIB objects. Application scenario: network devices, printers, etc.
 Nmap: Scans the OS and services of terminals to detect the terminal model and OS information. Application scenario: PCs, workstations, printers, phones, IP cameras, etc.
• When terminals access the network, network devices can collect terminal information and report the information to iMaster NCE-Campus. Alternatively, iMaster NCE-Campus can proactively scan terminals to identify the terminal type, OS, and manufacturer.
• Note that every passively collected attribute (OUI, User-Agent, DHCP options, LLDP, mDNS) is supplied by the terminal itself and can be forged. Identification results should therefore be corroborated across methods, which is the basis of the bogus terminal alarm described on the earlier slide.
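The following Python script is an added example (not code from the training material or from iMaster NCE-Campus) of how passive fingerprint-based identification and the bogus terminal check from the earlier slide can be implemented. The fingerprint database, OUIs, DHCP option values and device names are all constructed for the example; a real database is far larger. It scores each database entry against what an access switch reports about a terminal (MAC OUI, DHCP options 55 and 60, HTTP User-Agent, LLDP system description) and flags a terminal whose OUI claims one device class while its protocol behaviour matches another, which is exactly the case in which automatic MAC authentication of a "dumb" terminal must not be granted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed fingerprint database (not Huawei's). OUIs and option values are
# invented for this example; None means the attribute is not used for that type.
@dataclass(frozen=True)
class Fingerprint:
    device_type: str
    oui: Optional[str] = None          # first three bytes of the MAC, "aa:bb:cc"
    dhcp55: Optional[str] = None       # DHCP Option 55 parameter request list
    dhcp60: Optional[str] = None       # DHCP Option 60 vendor class identifier
    user_agent: Optional[str] = None   # substring expected in the HTTP User-Agent
    lldp: Optional[str] = None         # substring expected in the LLDP system description


FINGERPRINTS: List[Fingerprint] = [
    Fingerprint("Windows PC", dhcp55="1,3,6,15,31,33,43,44,46,47,119,121,249,252",
                dhcp60="MSFT 5.0", user_agent="Windows NT"),
    Fingerprint("Network printer", oui="aa:bb:01", dhcp55="1,3,6,12,15,44,47",
                dhcp60="ExamplePrinter", lldp="ExamplePrinter X100"),
    Fingerprint("IP camera", oui="aa:bb:02", dhcp55="1,3,6,12,15,28,42", dhcp60="ExampleCam"),
    Fingerprint("IP phone", oui="aa:bb:03", dhcp55="1,3,6,15,42,66,150", lldp="ExamplePhone 7000"),
]

# Attributes the terminal produces by behaving on the network, as opposed to the
# OUI, which only says who made the NIC (or which MAC the terminal chose to use).
BEHAVIOURAL: Tuple[str, ...] = ("dhcp55", "dhcp60", "user_agent", "lldp")
SUBSTRING_ATTRS = ("user_agent", "lldp")


@dataclass
class Observed:
    """What an access switch can report about one terminal (all fields optional)."""
    mac: str
    dhcp55: Optional[str] = None
    dhcp60: Optional[str] = None
    user_agent: Optional[str] = None
    lldp: Optional[str] = None

    @property
    def oui(self) -> str:
        return self.mac.lower()[:8]


def _matches(expected: Optional[str], seen: Optional[str], substring: bool) -> bool:
    if expected is None or seen is None:
        return False
    return expected in seen if substring else expected == seen


def classify(obs: Observed, attrs: Tuple[str, ...]) -> Tuple[Optional[str], int]:
    """Score every database entry on the given attributes; return (best type, score).
    Ties keep the first entry; a score of 0 means nothing matched."""
    best, best_score = None, 0
    for fp in FINGERPRINTS:
        score = sum(
            1 for attr in attrs
            if _matches(getattr(fp, attr), getattr(obs, attr), attr in SUBSTRING_ATTRS)
        )
        if score > best_score:
            best, best_score = fp.device_type, score
    return best, best_score


def identify(obs: Observed) -> Dict[str, object]:
    """Passive identification plus a bogus-terminal check: compare what the MAC OUI
    claims with what the terminal's protocol behaviour shows. A printer OUI on a
    terminal that speaks like a Windows PC is flagged instead of being auto-authenticated."""
    by_oui, _ = classify(obs, ("oui",))
    by_behaviour, score = classify(obs, BEHAVIOURAL)
    bogus = by_oui is not None and by_behaviour is not None and by_oui != by_behaviour
    return {
        "type": by_behaviour or by_oui or "unknown",
        "claimed_by_oui": by_oui,
        "observed_behaviour": by_behaviour,
        "confidence": score,
        "bogus": bogus,
    }


if __name__ == "__main__":
    printer = Observed("aa:bb:01:12:34:56", dhcp55="1,3,6,12,15,44,47", dhcp60="ExamplePrinter")
    spoofer = Observed("aa:bb:01:de:ad:01", dhcp55="1,3,6,15,31,33,43,44,46,47,119,121,249,252",
                       dhcp60="MSFT 5.0", user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)")
    for terminal in (printer, spoofer):
        print(terminal.mac, identify(terminal))
```

A terminal that only ever shows an OUI (no DHCP, no HTTP, no LLDP) is reported with confidence 0 from behaviour and should be treated as "manufacturer known, type unverified" rather than granted a type-based policy.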
Process of Automatic Policy Delivery Based on Terminal Types
1. On the iMaster NCE-Campus GUI, an administrator enables the terminal identification function, selects terminal types, and specifies the corresponding policies.
2. iMaster NCE-Campus delivers terminal identification configurations to network devices.
3. When terminals access the network, network devices collect the fingerprint information of the terminals and report the information to iMaster NCE-Campus.
4. iMaster NCE-Campus automatically matches the terminals' fingerprint information against the fingerprint database to identify the terminal types.
5. iMaster NCE-Campus automatically delivers admission and authorization policies for the terminal to the network device based on the policies defined by the administrator.
Figure: the five steps above between the administrator, iMaster NCE-Campus, the network device, and the terminal.
Key Technologies for Virtualized Campus: VXLAN-based Multi-purpose Network
• Multiple services carried on one physical network
• Automated physical network deployment
• Automated VN provisioning
• Automated service policy delivery
Figure: one VXLAN physical network connected to the Internet carries VN1 (OA VN), VN2 (VC VN), and VN3 (security protection VN); OA, VC, and security protection terminals at every site are placed in their respective VNs.
• Using virtualization technologies, multiple virtual networks (VNs) can be created on top of a physical network. Different VNs are used for different services, such as OA, videoconferencing, and security protection.
• VC: Video Conference
Overview of Large- and Medium-Sized Virtualized Campus Network Design
Figure: the virtualized campus network design tree. The top-level design areas are network architecture design, underlay network design, fabric design, overlay network design, admission control and free mobility design, WLAN design, egress network design, network security and QoS design, and O&M design. Sub-topics shown in the figure: networking and node design (network architecture); basic service design and LAN automation design (underlay); VN design, external network interconnection design, network service resource planning, and VN access design (overlay); user management design, admission control design, free mobility design, and terminal identification design (admission control and free mobility); egress networking design, hot standby design, and egress routing design (egress); infrastructure security design, intranet security design, security zone design, security policy design, and QoS design (network security and QoS); network O&M design and intelligent O&M design (O&M). Networking scheme design, access management design, and policy design also appear in the figure under the fabric and WLAN branches.
Contents
1. CloudCampus Solution and Virtualized Campus Network Overview
2. Network Architecture Design
3. Underlay Network Design
4. Fabric and Overlay Network Design
5. Admission Control and Free Mobility Design
6. WLAN Design
7. Egress Network Design
8. Network Security and QoS Design
9. O&M Design
Network Architecture Design Overview
⚫ Overall design principles:
 Tree and ring (core devices) network topologies
⚫ Reliability considerations:
 High reliability of nodes: CSS, iStack, and hot standby (AC, firewall, etc.)
 High reliability of links: redundant links and Eth-Trunk
⚫ Network layer design principles:
 Two-layer networking: the network layers are simple, and faults are easy to locate.
 Three-layer networking: applies to campuses with multiple buildings or regions.
Figure: the Internet and WAN are reached through the egress zone; the DC zone and O&M zone attach to the core layer; the core, aggregation, access, and terminal layers sit below, with iStack/CSS links between paired switches.

• Large- and medium-sized campus networks often use the tree topology with the
core layer as the root, as shown in the figure. This topology is stable and easy to
expand and maintain. A campus network can be divided into the following layers:
access layer, aggregation layer, core layer, and multiple zones including the
egress zone, DC zone, and O&M zone. Internal changes within a module have
limited impact on other modules, facilitating fault location.
• Terminal layer
▫ The terminal layer involves various types of terminals that access the
campus network, such as PCs, printers, IP phones, mobile phones, and
cameras.
• Access layer
▫ The access layer provides various access modes for users and is the first
network layer for terminals to access a campus network. The access layer is
usually composed of access switches. There are a large number of access
switches that are sparsely distributed in different places on the network. In
most cases, an access switch is a simple Layer 2 switch. If the terminal layer
has wireless terminals, the access layer provides APs that access the
network through access switches.
• Aggregation layer
▫ The aggregation layer connects the access layer to the core layer. The
aggregation layer forwards horizontal traffic between users and forwards
vertical traffic to the core layer. It can also function as the switching core
for a department or zone and connect the department or zone to the
exclusive server zone. In addition, the aggregation layer can further extend
the quantity of access terminals.
• Core layer
▫ The core layer is the core for data exchange on a campus network. It
connects various components of a campus network, such as the DC zone,
aggregation layer, and egress zone. The core layer is responsible for high-
speed interconnection of the entire campus network. High-performance
core switches need to be deployed to implement high bandwidth utilization
and fast convergence upon network faults. It is recommended that the core
layer be deployed if a campus has more than three departments. For a
wireless network, the core layer includes ACs. After a wireless terminal
accesses the network through an AP, the AP communicates with an AC
using a CAPWAP tunnel.

• Egress zone
▫ The campus egress is the boundary between a campus network and an external network. Internal users of the campus network can access the external network through the campus egress zone, and external users can access the internal network through the campus egress zone. The campus egress zone typically has routers and firewalls deployed. The routers enable interconnection between internal and external networks, and the firewalls provide border security protection.
• DC zone
▫ In the DC zone, service servers such as the file server and email server are managed, and services are provided for internal and external users.
• O&M zone
▫ In the O&M zone, network servers such as the network management system and authentication server are managed. The standard NMS interacts with network devices through the Simple Network Management Protocol (SNMP) and provides configuration, management, and maintenance functions. For example, it provides network topology and port display management, network device configuration management, network fault diagnosis and alarms, as well as network performance and status analysis. The Huawei CloudCampus Solution provides intelligent O&M based on NETCONF and telemetry.
• In addition to these, a campus may have a demilitarized zone (DMZ). The DMZ contains public servers that can be accessed by guests (non-employees), and therefore access from this zone to the rest of the campus network is strictly controlled.
Network Architecture Design (1)
⚫ In actual applications, you can choose the three-layer or two-layer architecture based on the network scale or service requirements.
 Three-layer architecture: core layer, aggregation layer, and access layer, with the aggregation and access layers repeated per block (block 1 to block N). Application scenario: large campus networks with a large number of users or involving multiple buildings (for example, campus networks of higher education institutions).
 Two-layer architecture: core layer and access layer. Application scenario: small- and medium-sized campus networks involving only one building.
⚫ Design principles: layered design, modular design, redundancy design, and symmetric design.

• Layered design:
▫ Each layer can be considered a well-structured module with specific roles and functions. This layered structure is easy to expand and maintain, reducing the design complexity and difficulty.
• Modular design:
▫ Each module corresponds to a department, function, or service area. Modules can be expanded flexibly based on the network scale, and an adjustment in one department or area does not affect other departments or areas, which facilitates fault locating.
• Redundancy design:
▫ Dual-node redundancy design can ensure device-level reliability. Appropriate redundancy improves reliability, but excessive redundancy makes O&M difficult. If dual-node redundancy cannot be implemented, you may consider card-level redundancy, such as dual main control boards or switch fabric units (SFUs), for modular core switches or egress routers. In addition, Eth-Trunk can be deployed for important links to ensure link-level reliability.
• Symmetric design:
▫ A symmetric network structure makes the topology clearer and facilitates service deployment, protocol design, and analysis.
Network Architecture Design (2)
⚫ During network design, you can use the bottom-up method to determine the type of architecture based on the network scale.
1. Determine the number of access ports: if a single port corresponds to a single user or a specific number of users, you can determine the number of required access ports based on the network scale.
2. Select access switches: determine the appropriate access switches (including access capability, port density, and uplink mode) based on the port rates of terminals' NICs.
3. Calculate the number of access switches: Quantity = Number of access ports/Number of downlink ports on a switch. If the quantity is not greater than 1, use the single-layer architecture; otherwise, continue.
4. Select aggregation switches: select the appropriate aggregation switches based on the uplink port rates of access switches.
5. Calculate the number of uplinks of access switches, using either of the following: Quantity = Required network bandwidth/Uplink port rate of an access switch; or Quantity = (Number of access ports x Access port rate x Bandwidth oversubscription ratio)/Uplink port rate of an access switch.
6. Calculate the number of aggregation switches: Quantity = Number of uplinks of access switches/Number of downlink ports of an aggregation switch. If the quantity is greater than 1, use the three-layer architecture; otherwise, use the two-layer architecture.

• Design method of the hierarchical model for common network architectures:
1. Determine the number of access switch ports based on the network scale. Typically, one port corresponds to one terminal or one network access point (for example, an AP).
2. Select access switches based on the port rates of terminals' NICs.
3. Calculate the number of access switches.
▪ Number of access switches required = Number of access ports/Number of downlink ports on a switch
▪ If the calculation result is greater than 1, aggregation switches need to be deployed. Otherwise, use the single-layer architecture.
4. Select aggregation switches based on the uplink port rates of access switches.
5. Calculate the number of uplinks of access switches using either of the following methods:
▪ Based on the network bandwidth: Number of uplinks = Network bandwidth/Uplink port rate of an access switch
▪ Based on the network scale: Number of uplinks = (Number of access ports x Access port rate x Bandwidth oversubscription ratio)/Uplink port rate of an access switch
6. Calculate the number of aggregation switches.
▪ Number of aggregation switches required = Number of uplinks of access switches/Number of downlink ports of an aggregation switch
▪ If the result is greater than 1, select the three-layer architecture. Otherwise, use the two-layer architecture.
• Notes:
▫ In the preceding calculations, the calculation results need to be rounded up.
▫ Bandwidth oversubscription ratio = Actual downlink bandwidth of a service/Maximum physical bandwidth provided by a single switch
▪ Traffic of the service may exhaust the maximum physical bandwidth, but this probability is low in most cases. Network planning generally focuses on the service experience in common situations; that is, some bandwidth redundancy is designed in once the bandwidth that is actually likely to be used is met.
▪ Before designing a network traffic oversubscription ratio, you need to understand the service applications and features to be deployed on the network and determine the network services and traffic models. The volume and ratio of each type of traffic must be thoroughly considered before designing an oversubscription ratio and selecting devices.
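The procedure above, carried through as an added Python example (not code from the training material). The formulas are those of the slide, with the results rounded up at each step as the notes require; the one addition, marked in the code, is a floor of one uplink per access switch. The field names and the sample values are assumptions made for the example.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SizingInput:
    access_ports: int               # step 1: terminals or APs, one per port
    access_port_rate_mbps: int      # step 2: rate of the terminals' NICs
    access_downlink_ports: int      # downlink ports on the chosen access switch
    access_uplink_rate_mbps: int    # uplink port rate of the chosen access switch
    agg_downlink_ports: int         # downlink ports on the chosen aggregation switch
    oversubscription: float         # slide's ratio: actual service bandwidth / physical bandwidth
    required_bandwidth_mbps: Optional[int] = None  # use the slide's first method when known


def size_campus(inp: SizingInput) -> Dict[str, object]:
    """Bottom-up sizing following steps 3, 5 and 6 of the slide, rounding up at each step."""
    if not 0 < inp.oversubscription <= 1:
        raise ValueError("oversubscription ratio is a fraction of physical bandwidth (0 < r <= 1)")

    # Step 3: number of access switches; a single switch means a single-layer network.
    access_switches = math.ceil(inp.access_ports / inp.access_downlink_ports)
    if access_switches <= 1:
        return {"architecture": "single-layer", "access_switches": access_switches,
                "access_uplinks": 0, "aggregation_switches": 0}

    # Step 5: uplink count, by known bandwidth (method 1) or by scale x rate x ratio (method 2).
    if inp.required_bandwidth_mbps is not None:
        demand = inp.required_bandwidth_mbps
    else:
        demand = inp.access_ports * inp.access_port_rate_mbps * inp.oversubscription
    uplinks = math.ceil(demand / inp.access_uplink_rate_mbps)
    # Sanity floor added here (not in the slide's formula): every access switch
    # needs at least one uplink, however low the demand figure comes out.
    uplinks = max(uplinks, access_switches)

    # Step 6: aggregation switches; more than one means the three-layer architecture.
    agg_switches = math.ceil(uplinks / inp.agg_downlink_ports)
    return {
        "architecture": "three-layer" if agg_switches > 1 else "two-layer",
        "access_switches": access_switches,
        "access_uplinks": uplinks,
        "aggregation_switches": agg_switches,
    }


if __name__ == "__main__":
    # 1000 gigabit ports on 48-port access switches with 10GE uplinks, 20 % expected utilisation.
    print(size_campus(SizingInput(1000, 1000, 48, 10000, 48, 0.2)))
    # 5000 ports at 50 % expected utilisation pushes the design to three layers.
    print(size_campus(SizingInput(5000, 1000, 48, 10000, 48, 0.5)))
```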
Underlay Network Design Outline
1. Basic service design: VLAN planning, IP address planning, DHCP service design, routing design
2. LAN automation design: network deployment design, underlay network automation
VLAN Design
⚫ You are advised to assign consecutive VLAN IDs to ensure proper use of VLAN resources, and to reserve a certain number of VLANs for future expansion.
 VLANs are classified into service VLANs, management VLANs, and interconnection VLANs.
 Typically, VLANs are assigned based on interfaces. According to different design principles, interfaces of access switches are added to different VLANs so that users of different service types can be isolated.
 Service VLAN design: VLAN assignment based on geographical areas, logical areas, the personnel structure, or service types.
 Management VLAN design: in most cases, a Layer 2 switch uses the VLANIF interface's IP address as the management IP address. It is recommended that all Layer 2 switches use the same management VLAN and that their management IP addresses be on the same network segment.
Figure (management VLAN design): management VLAN 100, with VLANIF 100 at 192.168.100.254 on the gateway and VLANIF 100 at 192.168.100.1 and 192.168.100.2 on the two Layer 2 switches.

• Service VLAN:
▫ Assign VLANs by logical area, geographical area, personnel structure, or service type.
▪ Assign VLANs by logical area. For example, VLANs 100 to 199 are used in the core network zone, VLANs 200 to 999 are used in the server zone, and VLANs 2000 to 3499 are used on the access network.
▪ Assign VLANs by geographical area. For example, VLANs 2000 to 2199 are used in area A, and VLANs 2200 to 2399 are used in area B.
▪ Assign VLANs by personnel structure. For example, department A uses VLANs 2000 to 2009, and department B uses VLANs 2010 to 2019.
▪ Assign VLANs by service type. For example, VLANs 200 to 299 are used in the web server zone, VLANs 300 to 399 are used in the app server zone, and VLANs 400 to 499 are used in the database server zone.
▫ If users are sensitive to voice latency, the voice service must be guaranteed preferentially. It is recommended that a voice VLAN be planned for the voice service. Huawei switches can automatically identify voice data, transmit it in the voice VLAN, and apply QoS guarantees so that voice data is transmitted preferentially when network congestion occurs.
▫ If different users subscribe to the same multicast data service, you are advised to plan a multicast VLAN and bind the user VLANs to it. This prevents the upstream gateway from copying multicast data into multiple user VLANs.
▫ Do not use VLAN 1 as a service VLAN. VLAN 1 is the default VLAN of every switch port and, as described under network deployment, the default PnP VLAN used for plug-and-play onboarding, so user traffic placed in it is neither isolated nor separable from the deployment traffic.
• Management VLAN:
▫ It is recommended that a management VLAN be planned for Layer 2 switches and that the VLANIF interface of the management VLAN be used as the management interface, through which the NMS manages the switch. It is recommended that all Layer 2 switches use the same management VLAN.
▫ It is recommended that service interfaces be used as management interfaces of Layer 3 devices (gateways and their upstream devices); no management VLAN needs to be planned for these devices.
• Interconnection VLAN:
▫ An interconnection VLAN is usually configured between two Layer 3 switches or between a Layer 3 switch and a router. Create VLANIF interfaces for Layer 3 interconnection.
IP Address Design
⚫ IP addresses of a campus network are classified into service, management, and interconnection IP addresses.
 Management IP address: a Layer 2 device uses the VLANIF interface's IP address as the management IP address. It is recommended that all Layer 2 switches connected to a gateway be on the same network segment.
Figure (management IP address): management VLAN 100, with VLANIF 100 at 192.168.100.254 on the gateway and VLANIF 100 at 192.168.100.1 and 192.168.100.2 on the Layer 2 switches.
 Service IP addresses are the IP addresses of servers, hosts, and gateways.
• It is recommended that gateway IP addresses have the same last octet, for example, .254.
• The IP address range of each service must be clearly differentiated. The IP addresses for each type of service terminal must be contiguous and must be aggregatable.
• You are advised to use IP address segments with a 24-bit mask.
 Interconnection IP address: it is recommended that the interconnection IP address use a 30-bit mask. The core device uses the IP address with the smaller host address.
Figure (service and interconnection IP addresses): interconnection VLAN 200, with VLANIF 200 at 192.168.200.1/30 on the core switch and 192.168.200.2/30 on the gateway; service VLANs 40, 50, and 100 on the gateway with VLANIF 40 at 192.168.40.254 (employees, 192.168.40.0/24), VLANIF 50 at 192.168.50.254 (partners, 192.168.50.0/24), and VLANIF 100 at 192.168.100.254 (guests, 192.168.100.0/24).

• IP address planning complies with the following principles:
▫ Unique: Each host on an IP network must have a unique IP address.
▫ Contiguous: Node addresses of the same service must be contiguous to facilitate route planning and summarization. Contiguous addresses facilitate route summarization, thereby reducing the size of the routing table and speeding up route calculation and convergence.
▫ Scalable: Some IP addresses need to be reserved at each layer, so that no address segments or routing entries need to be added when the network is expanded.
▫ Easy to maintain: Device and service address segments need to be clearly distinguished from each other, facilitating subsequent statistics monitoring and security protection based on address segments. IP addresses can be planned based on VLANs.
• Pay attention to the following points when designing the three types of IP addresses:
▫ Service IP address:
▪ Considering the scope of a broadcast domain and ease of planning, it is recommended that an IP address segment with a 24-bit mask be reserved for each service. If the number of service terminals exceeds 200, another IP address segment with a 24-bit mask is reserved.
▫ Management IP address:
▪ It is recommended that a Layer 3 device use a Layer 3 interface for management and deployment. The interface address is used as the management IP address for local login and for communication with iMaster NCE-Campus.
▫ Interconnection IP address:
▪ Interconnection addresses are usually aggregated before being advertised. Therefore, you need to use contiguous and aggregatable addresses during planning.
• In addition, if devices at the aggregation and access layers are interconnected, you need to plan IP addresses for policy association in some cases. These IP addresses must be planned based on the entire CloudCampus network and cannot conflict with other service IP addresses.
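An added Python example (not code from the training material) that applies the planning principles above with the standard ipaddress module: one /24 per service carved contiguously from an area block, gateways at .254, /30 interconnection links with the core taking the lower address, plus the two checks a reviewer would run on the finished plan, that nothing overlaps and that each area's segments aggregate into a single summary route. The address blocks, device names and service names are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def allocate_service_subnets(area_block: str, services: List[str], prefix: int = 24) -> Dict[str, Net]:
    """Carve one /24 per service out of the area's block, in order, so the segments
    of one area are contiguous and (given an aligned block) aggregatable."""
    subnets = ipaddress.ip_network(area_block).subnets(new_prefix=prefix)
    return {service: next(subnets) for service in services}


def gateway_of(net: Net, host: int = 254) -> Addr:
    """Same last octet on every gateway, .254 as the slide suggests; rejects hosts
    that would fall outside the segment (for example .254 in a /30)."""
    gw = net.network_address + host
    if not net.network_address < gw < net.broadcast_address:
        raise ValueError(f"{gw} is not a usable host address in {net}")
    return gw


def allocate_p2p_links(link_block: str, links: List[Tuple[str, str]]) -> Dict[Tuple[str, str], Tuple[Net, Addr, Addr]]:
    """One /30 per interconnection; the core-side device (first name of the pair)
    takes the lower host address, the downstream device the higher one."""
    subnets = ipaddress.ip_network(link_block).subnets(new_prefix=30)
    plan = {}
    for core, downstream in links:
        net = next(subnets)
        low, high = list(net.hosts())        # exactly two usable addresses in a /30
        plan[(core, downstream)] = (net, low, high)
    return plan


def summarize(nets: Iterable[Net]) -> List[Net]:
    """Smallest set of prefixes covering the given subnets; a single entry means
    the area can be advertised as one summary route."""
    return list(ipaddress.collapse_addresses(nets))


def find_overlaps(nets: List[Net]) -> List[str]:
    """Uniqueness check across everything that was allocated."""
    problems = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    services = allocate_service_subnets("10.10.0.0/16", ["employee", "partner", "guest", "voice"])
    links = allocate_p2p_links("10.255.0.0/24", [("core", "agg-A"), ("core", "agg-B")])
    for name, net in services.items():
        print(f"{name:9} {net}  gateway {gateway_of(net)}")
    for (core, downstream), (net, low, high) in links.items():
        print(f"{core} {low} <-> {downstream} {high}  ({net})")
    print("summary:", summarize(services.values()))
    print("overlaps:", find_overlaps(list(services.values()) + [link[0] for link in links.values()]))
```

Note what `summarize` tells you: four /24s taken from an aligned block collapse to one /22, while three would leave a /23 plus a /24. Reserving an aligned block per area, as the "scalable" principle asks, is what keeps the summary a single prefix after the next expansion.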
Terminal-Oriented DHCP Service Design
 Plan an independent DHCP server to allocate IP addresses to terminals.
 You are advised to configure DHCP snooping on access devices to defend against attacks such as rogue DHCP servers and DHCP-based address spoofing.
⚫ Network administrators can use either of the two mechanisms to assign IP addresses to hosts based on network requirements:
 Dynamic IP address assignment: An IP address is assigned to a host with a lease. This mode applies to scenarios where hosts require temporary access or IP addresses are insufficient, for example, portable computers of traveling employees and mobile terminals in cafes.
 Static IP address assignment: Fixed IP addresses are assigned to specified hosts or servers such as DNS servers.
 When planning an address pool, exclude the static IP addresses from the pool.
 The lease needs to be planned based on the online duration of a client.
 On a large or midsize campus network, the DHCP server and hosts are usually not on the same network segment. Therefore, you need to enable the DHCP relay function on the gateway.
Figure: an independent DHCP server reached through the campus network by the DHCP clients.
Routing Design
Figure (three-layer networking): scenario 1 places the core (border) switches and their interconnection link in OSPF area 0 and each aggregation switch with its access (edge) switches in its own area (area 1, area 2); scenario 2 places core, aggregation, and access switches all in OSPF area 0. The paired core switches are connected by a CSS/iStack link in both scenarios.
Three-layer networking:
 Scenario 1 (multi-area): The interconnection links between core switches belong to OSPF area 0, and the links connecting the core switch to each aggregation switch belong to an independent OSPF area.
 Scenario 2 (single-area): Core, aggregation, and access switches all work in OSPF area 0. If the number of switches to be deployed in a network area is fewer than 100, scenario 2 is recommended.
Two-layer networking:
 OSPF runs only between core switches and access switches. In this case, only OSPF area 0 needs to be planned on the entire network.

• The routing design includes internal and egress routing design for a campus network.
▫ Internal routing design:
▪ The routing design must support communication between devices, between terminals, and between devices and terminals on the campus network, as well as communication between these devices/terminals and the external network.
▪ It is recommended that you design internal routes based on the gateway location.
− If gateways are deployed at the aggregation layer, routes need to be deployed at the core and aggregation layers. Routing tables can be dynamically updated along with network topology changes, so an Interior Gateway Protocol (IGP), such as Open Shortest Path First (OSPF), is recommended.
− If gateways are deployed at the core layer, you only need to configure routes at the core layer. It is recommended that static routes be used preferentially.
▫ Egress routing design:
▪ Egress routes must enable internal terminals to access the Internet and WAN.
▪ A large or medium-sized campus network usually has a large number of branches. The egress needs to support multiple links for Internet access and mutual communication between enterprise branches. For this purpose, a large number of routes need to be imported to the campus network. Therefore, you are advised to plan a dynamic routing protocol such as OSPF.
• It is recommended that OSPF be planned for a campus network. The OSPF design precautions are as follows:
▫ You are advised to use the IP addresses of loopback interfaces as the router IDs.
▫ Areas are divided according to the core, aggregation, and access layers. It is recommended that egress routers and core switches be deployed in the backbone area. The design of non-backbone areas depends on the geographical location and performance of devices.
• Note:
▫ This slide describes the routing design in the scenario where VXLAN is deployed across the core and access layers.
▫ In the scenario where VXLAN is deployed across the core and aggregation layers, the routing design (for example, OSPF area division) is the same as when VXLAN is deployed across the core and access layers. The only difference is that the aggregation device is the border of the routing domain.
Network Deployment Design
Traditional deployment (via CLI or web system): egress router, egress firewall, core switch, standalone AC.
Plug-and-play: aggregation switch, access switch, AP.
Figure: the egress and core devices (the core switches forming a CSS/iStack with a native AC) use traditional deployment; the aggregation switches, access switches, and APs below them use plug-and-play.

• Typically, egress and core devices on large- and medium-sized campus networks
are centrally deployed in a core equipment room. Services transmitted on these
devices are complex and their locations on the network are important. In most
cases, network engineers need to commission devices onsite during the
deployment. Therefore, you are advised to use the web system or CLI to deploy
devices at the core layer and upper layers (including core devices, standalone ACs
connected in off-path mode, and egress devices).

• A large number of devices (including aggregation devices, access devices, and
APs) are deployed at the layers below the core layer, and the service configurations
of these devices are similar. Therefore, you are advised to use the DHCP option
mode to achieve plug-and-play of devices, thereby simplifying the deployment.

• Note: Core switches obtain basic configurations such as IP addresses using the
CLI. Once they establish management channels with iMaster NCE-Campus,
iMaster NCE-Campus will automatically deliver services to them.
DHCP-based Plug-and-Play Deployment Process

⚫ A device to be deployed obtains the NETCONF enabling status and iMaster NCE-Campus address from the DHCP server as follows:
1. The administrator deploys the DHCP server function on the core device and configures DHCP Option 148, including the NETCONF enabling status of the device and the URL/IP address and port number of iMaster NCE-Campus.
2. After the device to be deployed (SW1 in the figure) starts with empty configuration, it sends a request packet to the DHCP server through VLAN 1 (VLAN 1 is the PnP VLAN of a switch by default).
3. Upon receiving the request, the DHCP server sends a DHCP packet containing Option 148 to SW1.
4. SW1 registers with iMaster NCE-Campus and gets onboarded based on the information carried in Option 148 (NETCONF enabling status, URL/IP address and port number of iMaster NCE-Campus).

[Figure: the core switch acting as DHCP server, SW1 (device to be deployed) below it and iMaster NCE-Campus above; steps 1 to 4 are marked on the links.]
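As an added example (not Huawei code), this is the parsing a device must perform on the DHCP options field that delivers Option 148 to a switch (and Option 43 to an AP) in the process above. The key=value text inside Option 148, the addresses and the Option 43 filler are constructed placeholders: the page names the fields carried (NETCONF state, controller URL/IP, port) but not their encoding.

```python
"""Parser for the DHCP options field that carries Option 148 (controller information for a
switch) and Option 43 (AC address for an AP) to a device being deployed. Added example;
not Huawei code. The key=value text inside Option 148 is a constructed placeholder."""
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # RFC 2132 magic cookie that starts the options field
OPTION_PAD, OPTION_END = 0, 255


def build_option(code, data):
    """Encode one option as TLV, splitting values longer than 255 bytes into several
    instances of the same option code (RFC 3396 long options)."""
    out = bytearray()
    for offset in range(0, max(len(data), 1), 255):
        chunk = data[offset:offset + 255]
        out += struct.pack("BB", code, len(chunk)) + chunk
    return bytes(out)


def parse_dhcp_options(field):
    """Return {option code: value bytes}. Repeated codes are concatenated (RFC 3396),
    PAD is skipped, END stops parsing, and a truncated option raises instead of
    yielding a partial value the device might act on."""
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("options field does not start with the DHCP magic cookie")
    options, pos = {}, len(MAGIC_COOKIE)
    while pos < len(field):
        code = field[pos]
        if code == OPTION_PAD:
            pos += 1
            continue
        if code == OPTION_END:
            break
        if pos + 1 >= len(field):
            raise ValueError(f"option {code} has no length byte")
        length = field[pos + 1]
        value = field[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = options.get(code, b"") + value
        pos += 2 + length
    return options


def parse_option148(value):
    """Split the constructed 'key=value;key=value' text of Option 148 into a dict."""
    fields = {}
    for item in value.decode("ascii").split(";"):
        if item:
            key, _, val = item.partition("=")
            fields[key.strip()] = val.strip()
    return fields


# Constructed DHCP OFFER options as the core switch (DHCP server) might send them:
# message type, server identifier, Option 148 for the switch, and a 300-byte Option 43
# blob (filler here) that shows the long-option split.
SAMPLE_OFFER_OPTIONS = (
    MAGIC_COOKIE
    + build_option(53, b"\x02")                                     # DHCPOFFER
    + build_option(54, bytes([192, 0, 2, 1]))                       # server identifier (constructed)
    + build_option(148, b"netconf=enable;ip=192.0.2.10;port=830")  # constructed payload
    + build_option(43, b"\xaa" * 300)                               # constructed filler
    + bytes([OPTION_PAD, OPTION_END])
)


if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_OFFER_OPTIONS)
    print("Option 148:", parse_option148(opts[148]))
    print("Option 43 length:", len(opts[43]))
```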
PnP VLAN

⚫ The Plug-and-Play VLAN (PnP VLAN) is defined for plug-and-play of switches. The default PnP VLAN of a switch is VLAN 1. PnP VLANs consist of wired and wireless PnP VLANs, which are uniformly maintained by iMaster NCE-Campus. After a core switch registers with iMaster NCE-Campus, iMaster NCE-Campus automatically delivers the PnP VLANs preconfigured on it to the core switch.
 The wired PnP VLAN is used to apply for the management IP address of a switch.
 The wireless PnP VLAN is used to configure the management VLAN of an AP. When a switch has an AP connected, the switch automatically changes the PVID of the interface connected to the AP to the wireless PnP VLAN ID.
 For a switch, wired and wireless PnP VLANs can be different, but they are negotiated at the same time. If only a wired PnP VLAN is configured, the PVID of the switch interface connected to an AP is changed to the wired PnP VLAN ID.

[Figure: PnP VLAN of a device to be deployed is not 1. Core switch (DHCP server), SW1 (device to be deployed) and an AP (device to be deployed).]
1. The core switch registers with iMaster NCE-Campus and gets onboarded. iMaster NCE-Campus delivers the PnP VLANs of the devices to be deployed to the core switch.
2. The core switch sends the PnP VLAN (not VLAN 1) to SW1 through LLDP.
3. SW1 communicates with the core switch through the PnP VLAN and registers with iMaster NCE-Campus.

• The DHCP server pushes PnP VLAN information to its downstream devices
through LLDP. Note that:
▫ If NETCONF is not enabled on the core switch (DHCP server), the core
switch cannot be onboarded on iMaster NCE-Campus. In this case, the
administrator needs to manually configure the PnP VLAN on the core
switch. Then the switch to be deployed can negotiate with the core switch
through LLDP to obtain the configured PnP VLAN.

• Note: The PnP VLAN and management VLAN of a switch can be the same or
different.
• LLDP: Link Layer Discovery Protocol
Network Deployment Process: Device Onboarding Before Planning

Preparations
• An administrator deploys the DHCP server function on the core switch and configures DHCP Option 148.
• The administrator creates a campus site on iMaster NCE-Campus.
• The administrator imports switch information (ESN, device model, etc.) to iMaster NCE-Campus. (Batch import is supported.)
• The administrator configures the core switch so that it can be managed by iMaster NCE-Campus.

Device onboarding process
1. After an aggregation switch is powered on, it obtains an IP address and Option 148 from the DHCP server using the PnP VLAN ID (for example VLAN 1). The aggregation switch registers with iMaster NCE-Campus based on the iMaster NCE-Campus information obtained from the DHCP server.
2. After an access switch is powered on, it follows a similar process as the aggregation switch (step 1).
3. The access switch identifies that its downstream device is an AP and changes the PVID of the interface connected to the AP to the wireless PnP VLAN ID. The AP obtains the AC address through DHCP Option 43. After the AP is associated with the AC and VLANIF 1 is configured as the CAPWAP source interface, the AP gets onboarded on the AC.
4. Switches use LLDP to discover the network topology and report their topology information to iMaster NCE-Campus through NETCONF. iMaster NCE-Campus then discovers the network topology based on the received topology information.
5. The administrator performs network planning and configuration provisioning on iMaster NCE-Campus.

[Figure: Internet, egress gateway, core (native AC, DHCP server), aggregation switch, access switch and AP; the aggregation switch, access switch and AP are marked "Device to be deployed".]

• This deployment process applies to scenarios with scattered installation time.


Network Deployment Process: Planning Before Device Onboarding

Preparations
• An administrator deploys the DHCP server function on the core switch and configures DHCP Option 148.
• The administrator creates a campus site on iMaster NCE-Campus.
• The administrator plans the network topology using the template (an Excel file) provided by iMaster NCE-Campus and then imports the template containing the planned data to iMaster NCE-Campus.
• The administrator configures the core switch so that it can be managed by iMaster NCE-Campus.

Device onboarding process
1. After the aggregation switch, access switch, and AP are powered on, they each complete PnP VLAN negotiation and DHCP message exchange processes, and then register with iMaster NCE-Campus.
2. The aggregation switch, access switch, and AP are then managed by iMaster NCE-Campus and report their LLDP neighbor information to iMaster NCE-Campus. Subsequently, iMaster NCE-Campus compares the received LLDP information with that in the network topology planning document uploaded by the administrator. If any inconsistency is found, it reports an error. In this way, the administrator can correct the topology error as prompted.
3. The administrator performs offline device pre-configuration on iMaster NCE-Campus. The devices automatically obtain their configurations after they are onboarded.

[Figure: Internet, egress gateway, core (native AC, DHCP server), aggregation switch, access switch and AP; the aggregation switch, access switch and AP are marked "Device to be deployed".]

• This deployment process is applicable to scenarios with concentrated installation
time. The administrator is advised to plan the network before onboarding
devices. If the network cannot be planned in advance, the administrator can
onboard devices first and then determine the network topology.
• Network planning before device deployment and onboarding:
▫ During network deployment, the administrator plans the network topology
by entering device ESNs and specifying stack members and aggregated
links on iMaster NCE-Campus.
▫ Alternatively, the administrator can import the preceding planning
information in batches using a template. Using a template to import data
in batches simplifies operations and is therefore recommended.
▫ Then, the administrator uses the recommended method to deploy and
onboard devices.
▫ After devices register with iMaster NCE-Campus, iMaster NCE-Campus
automatically checks whether the actual topology of the devices is the
same as the planned one. If cables are incorrectly connected during
installation, iMaster NCE-Campus immediately notifies the administrator.
• Note: Parameters can be planned for an Eth-Trunk interface. After a device is
onboarded, it automatically obtains the corresponding Eth-Trunk configuration.
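The planned-versus-reported topology comparison described above (step 2 of the onboarding process and the last note), as an added example that is not iMaster NCE-Campus code. Device ESNs, port names and the LLDP neighbor reports are constructed placeholders; the sample reports contain two swapped access uplinks so the check has something to find.

```python
"""Planned-vs-reported topology check, in the spirit of the comparison iMaster NCE-Campus
performs after onboarded switches report LLDP neighbors. Added example; not Huawei code.
All ESNs and port names below are constructed placeholders."""

# Planned links from the topology template: (device ESN, port, peer ESN, peer port).
PLANNED_LINKS = [
    ("CORE-ESN-PLACEHOLDER", "GE1/0/1", "AGG-ESN-PLACEHOLDER", "GE0/0/1"),
    ("AGG-ESN-PLACEHOLDER", "GE0/0/2", "ACC1-ESN-PLACEHOLDER", "GE0/0/24"),
    ("AGG-ESN-PLACEHOLDER", "GE0/0/3", "ACC2-ESN-PLACEHOLDER", "GE0/0/24"),
]

# Constructed LLDP neighbor reports as the controller would receive them over NETCONF:
# reporting ESN -> list of (local port, neighbor ESN, neighbor port).
# The two access uplinks were swapped during installation.
LLDP_REPORTS = {
    "CORE-ESN-PLACEHOLDER": [("GE1/0/1", "AGG-ESN-PLACEHOLDER", "GE0/0/1")],
    "AGG-ESN-PLACEHOLDER": [
        ("GE0/0/1", "CORE-ESN-PLACEHOLDER", "GE1/0/1"),
        ("GE0/0/3", "ACC1-ESN-PLACEHOLDER", "GE0/0/24"),
        ("GE0/0/2", "ACC2-ESN-PLACEHOLDER", "GE0/0/24"),
    ],
    "ACC1-ESN-PLACEHOLDER": [("GE0/0/24", "AGG-ESN-PLACEHOLDER", "GE0/0/3")],
    "ACC2-ESN-PLACEHOLDER": [("GE0/0/24", "AGG-ESN-PLACEHOLDER", "GE0/0/2")],
}


def link_key(esn_a, port_a, esn_b, port_b):
    """Direction-independent identity of a cable: the unordered pair of (ESN, port) ends."""
    return frozenset([(esn_a, port_a), (esn_b, port_b)])


def device_pair(link):
    """The two devices a link joins, ignoring ports."""
    return frozenset(esn for esn, _port in link)


def planned_links(links):
    return {link_key(*link) for link in links}


def reported_links(reports):
    """Union of every neighbor relationship any device reported; a cable seen from
    either end counts once."""
    seen = set()
    for esn, neighbors in reports.items():
        for local_port, peer_esn, peer_port in neighbors:
            seen.add(link_key(esn, local_port, peer_esn, peer_port))
    return seen


def compare_topology(links, reports):
    """Classify differences between the planned and the reported topology.
    missing: planned cables nobody reported; miscabled: a reported cable between two
    devices that are planned neighbors but on the wrong ports; unexpected: cables
    between devices that were never planned to be adjacent."""
    planned = planned_links(links)
    reported = reported_links(reports)
    planned_pairs = {device_pair(link) for link in planned}
    missing = planned - reported
    extra = reported - planned
    miscabled = {link for link in extra if device_pair(link) in planned_pairs}
    unexpected = extra - miscabled
    return {
        "missing": missing,
        "miscabled": miscabled,
        "unexpected": unexpected,
        "consistent": not missing and not extra,
    }


def describe(link):
    """Render a link key as 'ESN:port <-> ESN:port' for the administrator's report."""
    a, b = sorted(link)
    return f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}"


if __name__ == "__main__":
    result = compare_topology(PLANNED_LINKS, LLDP_REPORTS)
    for category in ("missing", "miscabled", "unexpected"):
        for link in sorted(result[category], key=describe):
            print(f"{category:10s} {describe(link)}")
    print("topology consistent:", result["consistent"])
```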
Underlay Network Automation

Complete automatic deployment of the underlay network on iMaster NCE-Campus.
1. The administrator specifies roles of fabric nodes on iMaster NCE-Campus.
2. iMaster NCE-Campus automatically discovers the network topology.
3. iMaster NCE-Campus automatically completes OSPF configuration. When enabling automatic routing domain configuration, you can define OSPF areas (single-area or multi-area) and configure the packet authentication function.

[Figure: border and edge nodes of a fabric in OSPF Area 0, with OSPF adjacencies between the border and edge nodes; steps 1 to 3 are marked.]

• Automatic routing domain configuration: After this function is enabled, the
underlay network can be automatically configured. You can specify sites for
automatic routing domain configuration and specify OSPF routing parameters.
Currently, the following parameters are supported:
▫ Area: In the single-area scenario, all devices belong to Area 0. In the multi-
area scenario, border nodes belong to Area 0, and each edge node and its
connected border node belong to an area.
▫ Network type: You can set the OSPF network type to broadcast, P2MP, or
P2P.
▫ Encryption: You can set the encryption mode between adjacent devices to
HMAC-SHA256, MD5, or none.
▫ OSPF GR: You can enable OSPF GR.
• Before enabling the automatic routing domain configuration function, you need
to plan network resources required for underlay network automation.
▫ Underlay devices (corresponding network scope of the fabric) are
connected through VLANIF interfaces at Layer 3, and you need to assign a
VLAN to each interconnection link.
▫ The VLANIF interfaces for connecting devices are automatically assigned
interconnection IP addresses with a 30-bit subnet mask.
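An added example (not iMaster NCE-Campus code) of the resource planning the notes above describe: one VLAN and one /30 subnet per Layer 3 interconnection link, with the OSPF area chosen by the single-area or multi-area rule stated above. The node names, address pool, VLAN range and the numbering of edge-node areas are assumptions made for the example.

```python
"""Interconnection resource plan for underlay automation: one VLAN (VLANIF) and one /30
subnet per Layer 3 link, plus the OSPF area each link lands in. Added example; not
iMaster NCE-Campus code. Node names, VLAN range, address pool and area numbering are
constructed assumptions."""
import ipaddress

# Constructed fabric: node roles as the administrator would specify them on the controller.
NODE_ROLES = {
    "border1": "border", "border2": "border",
    "edge1": "edge", "edge2": "edge",
}

# Constructed interconnection links (unordered device pairs).
LINKS = [
    ("border1", "border2"),
    ("border1", "edge1"), ("border2", "edge1"),
    ("border1", "edge2"), ("border2", "edge2"),
]


def ospf_area(link, roles, multi_area):
    """Single-area: everything in Area 0. Multi-area: border-border links stay in Area 0,
    and each edge node together with its links to the borders forms its own area.
    Numbering the edge areas 1, 2, ... in edge-name order is this example's assumption."""
    a, b = link
    role_a, role_b = roles[a], roles[b]
    if not multi_area or (role_a == "border" and role_b == "border"):
        return 0
    if role_a == "edge" and role_b == "edge":
        raise ValueError(f"edge-edge link {link} has no area in the multi-area scheme")
    edge = a if role_a == "edge" else b
    edges = sorted(name for name, role in roles.items() if role == "edge")
    return edges.index(edge) + 1


def plan_interconnections(links, roles, pool_cidr, vlan_start, multi_area=True):
    """Assign each link a unique VLAN, a /30 carved from the pool and the two endpoint
    addresses. Raises when VLANs or /30s run out rather than silently reusing them."""
    pool = ipaddress.ip_network(pool_cidr)
    subnets = pool.subnets(new_prefix=30)
    plan = []
    for index, (a, b) in enumerate(links):
        vlan = vlan_start + index
        if vlan > 4094:
            raise ValueError("VLAN ID range exhausted")
        try:
            subnet = next(subnets)
        except StopIteration:
            raise ValueError(f"address pool {pool_cidr} exhausted at link {(a, b)}") from None
        first, second = subnet.hosts()   # a /30 has exactly two usable addresses
        plan.append({
            "link": (a, b),
            "vlan": vlan,
            "subnet": str(subnet),
            "area": ospf_area((a, b), roles, multi_area),
            a: f"{first}/30",
            b: f"{second}/30",
        })
    return plan


def check_plan(plan):
    """Sanity checks before provisioning: no VLAN reused, no two link subnets overlap."""
    vlans = [entry["vlan"] for entry in plan]
    subnets = [ipaddress.ip_network(entry["subnet"]) for entry in plan]
    if len(set(vlans)) != len(vlans):
        return False
    for i, left in enumerate(subnets):
        for right in subnets[i + 1:]:
            if left.overlaps(right):
                return False
    return True


if __name__ == "__main__":
    for entry in plan_interconnections(LINKS, NODE_ROLES, "10.255.255.0/27", 3001):
        a, b = entry["link"]
        print(f"VLAN {entry['vlan']} area {entry['area']} {entry['subnet']}: "
              f"{a}={entry[a]} {b}={entry[b]}")
```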
Contents

1. CloudCampus Solution and Virtualized Campus Network Overview

2. Network Architecture Design

3. Underlay Network Design

4. Fabric and Overlay Network Design

5. Admission Control and Free Mobility Design

6. WLAN Design

7. Egress Network Design

8. Network Security and QoS Design

9. O&M Design

Fabric Design Overview

Fabric design
A campus fabric is a resource pooling network abstracted from the underlay network. The fabric virtualizes underlay network resources into a resource pool to create a multi-purpose network.
The fabric design involves the following:
• Fabric network resource planning
• Fabric networking and node design
• Design for the interconnection between the fabric and external network
• Fabric network service resource planning
• Fabric access management design

[Figure: layered model. VNs on top, using IP/VLAN segments; the fabric in the middle, with an external network, a network service resource, and access points (wired access and wireless access) attached; the underlay (physical network layer) at the bottom.]

• Fabric network resource planning: Before creating virtual networks (VNs), you
need to configure global resources, including the VLANs, VXLAN Network
Identifiers (VNIs), and bridge domains (BDs). When creating a VN, iMaster
NCE-Campus automatically allocates resources from the resource pools.
▫ Interconnection VLAN: When creating the external network resource for a
fabric, configure an interconnection VLAN to interconnect the fabric with
the egress network. When creating the network service resource on a fabric,
configure an interconnection VLAN to interconnect the fabric with the
network management zone.
▫ BD: BDs are used to create Layer 2 broadcast domains in a VN. Typically,
BDs have a one-to-one mapping relationship with service VLANs. Therefore,
a sufficient number of BD resources need to be planned to match the
number of service VLANs. The default BD range is 1-4095.
▫ VNI: VNIs are similar to VLAN IDs. They are used to identify VXLAN
segments and range from 1 to 4095 by default.
Fabric Networking Scenarios

⚫ In Layer 2 or Layer 3 networking, border or edge nodes can function as gateways.
 Centralized gateway: A border node functions as the gateway to implement centralized management and simplify O&M.
 Distributed gateway: Edge nodes function as gateways to facilitate network expansion.

Recommended networking scenarios:
 Centralized gateway, VXLAN deployed across core and aggregation layers, native AC deployed on the core device, or standalone AC attached to the core device in off-path mode.
 Distributed gateways, VXLAN deployed across core and aggregation layers, native AC deployed on the core device, or standalone AC attached to the core device in off-path mode.

Networking          | Border Node Location | Edge Node Location | AC Deployment Mode                                         | Recommended
Centralized gateway | Core                 | Access             | Native AC on the core device                               | No
Centralized gateway | Core                 | Access             | Standalone AC attached to the core device in off-path mode | No
Centralized gateway | Core                 | Aggregation        | Native AC on the core device                               | Yes
Centralized gateway | Core                 | Aggregation        | Standalone AC attached to the core device in off-path mode | Yes
Distributed gateway | Core                 | Aggregation        | Native AC on the core device                               | Yes
Distributed gateway | Core                 | Aggregation        | Standalone AC attached to the core device in off-path mode | Yes
Distributed gateway | Core                 | Access             | Standalone AC attached to the core device in off-path mode | No
Fabric Networking Design: VXLAN Coverage Range

[Figure: left, VXLAN across core and access layers (VXLAN from the core layer down to the access layer, CAPWAP from the AP to the core); right, VXLAN across core and aggregation layers (VXLAN between core and aggregation layers, access switches that do not support VXLAN, CAPWAP from the AP to the core).]

VXLAN range: VXLAN across core and access layers
▫ Application scenarios: Automatic end-to-end service deployment is required on the entire network. Recommended: Number of switch nodes < 1,000.
▫ Network construction costs: Compared with the VXLAN solution from the core layer to the aggregation layer, this solution has higher network construction costs.

VXLAN range: VXLAN across core and aggregation layers
▫ Application scenarios: Existing access switches on the live network need to be reused. Alternatively, low-cost Huawei switches that do not support VXLAN need to be deployed at the access layer to reduce costs. Recommended: Number of switch nodes < 3,000.
▫ Network construction costs: Compared with the VXLAN solution from the core layer to the access layer, this solution has lower network construction costs.
Fabric Networking Design: Centralized and Distributed Gateways

Centralized gateway (recommended)
[Figure: one Layer 3 gateway above two Layer 2 gateways; PC1 192.168.1.1/24, PC2 192.168.2.1/24, PC3 192.168.1.3/24.]
The Layer 3 gateway is deployed on a single device. All inter-subnet traffic is forwarded by the gateway to implement centralized traffic management.
Advantage: Inter-subnet traffic is managed in a centralized manner, simplifying gateway deployment and management.
Disadvantage: The forwarding path is not optimal.

Distributed gateway
[Figure: two Layer 2/3 gateways; PC1 192.168.1.1/24, PC2 192.168.2.1/24, PC3 192.168.1.3/24.]
Layer 3 gateways are deployed on multiple devices, and VTEPs function as both Layer 2 and Layer 3 gateways.
Advantage: The forwarding path of inter-subnet traffic is optimal.
Disadvantage: Gateway deployment, fault locating, and network O&M of the distributed gateway networking are more complex than those of the centralized gateway networking. VTEPs need to exchange and maintain host routes.

• In large- and medium-sized campus networks, the virtualization solution is
classified into the centralized gateway solution and distributed gateway solution
based on the user gateway location. You can select a gateway solution when
creating a fabric on iMaster NCE-Campus.
• In the centralized gateway solution, a border node functions as the gateway of
all users, and all inter-subnet traffic is forwarded by the border node. In the
distributed gateway solution, multiple edge nodes function as user gateways, and
inter-subnet traffic is forwarded through these edge nodes.
Fabric Networking Design: Gateway Solution Selection

[Figure: core, aggregation and access layers for both solutions; VXLAN runs between the core and aggregation layers, CAPWAP from the AP to the core, and the access layer does not support VXLAN.]

Item: User gateway location
▫ Centralized gateway: Border
▫ Distributed gateway: Edge
Item: Recommended edge location
▫ Centralized gateway: Aggregation switch
▫ Distributed gateway: Aggregation switch
Item: O&M deployment
▫ Centralized gateway: The border node functions as the gateway of all users, and the native AC function is typically enabled on the border node to support wireless services.
▫ Distributed gateway: Multiple edge nodes function as user gateways. This ensures that only part of the network is affected upon the failure of one gateway and facilitates network expansion. The native AC function is enabled on the border node to support wireless services.
Item: Terminal scale
▫ Centralized gateway: ≤ 50000 (calculated based on the number and specifications of centralized gateways). This solution is recommended when the number of terminals does not exceed 50000.
▫ Distributed gateway: ≤ 100000 (calculated based on the number and specifications of distributed gateways). This solution is recommended when the number of terminals exceeds 50000.

• When designing the CloudCampus network virtualization solution, first determine
the gateway solution to be used. Then you can perform end-to-end design for
the entire campus network based on the selected gateway solution.
• The centralized gateway solution supports only one border node, whereas the
distributed gateway solution supports multiple border nodes.
Fabric Node Design: Single-Border Networking

⚫ Core layer design:
 Deploy a cluster of core switches or a single core switch. It is recommended that large-capacity modular switches set up a cluster and S12700E series switches be used as core switches.
 It is recommended that ENP cards be used for interconnection with aggregation switches and that Eth-Trunk be deployed.
⚫ Aggregation layer design:
 Deploy a stack of aggregation switches or a single aggregation switch. It is recommended that a cluster of modular switches or a stack of fixed switches be deployed. Large-capacity switches (S12700E or S6700 series switches) are recommended.
 Eth-Trunk is recommended for interconnection with the core layer and access layer.
⚫ Access layer design:
 Wired access node: Each node can be a stack or a single device.
 Wireless access node: Fit AP
⚫ Server zone design:
 It is recommended that iMaster NCE-Campus, analyzer, and DHCP server be connected to the campus network through switches in the server zone.

[Figure: egress zone and server zone (DHCP server) above a single border at the core layer, with the aggregation layer and access layer below; CSS/iStack links shown.]

• An Ethernet Network Processor (ENP) card is embedded with the Huawei-
developed ENP. The card can function as a common LPU to provide data access
and switching services and also as a WLAN AC to provide wireless access control
functions. In this way, the card achieves wired and wireless convergence.
Fabric Node Design: Dual-Border Networking

⚫ Core layer design:
 Core switches are two logical devices. Large-capacity switches (S12700E series switches) are recommended. It is recommended that ENP cards be used for interconnection with aggregation switches and that Eth-Trunk be deployed.
⚫ Aggregation layer design:
 It is recommended that aggregation switches set up a stack to implement load balancing with core switches.
⚫ Access layer design:
 The design is similar to that in the single-border networking scenario.
⚫ Server zone design:
 It is recommended that iMaster NCE-Campus, analyzer, and DHCP server be connected to the campus network through switches in the server zone.

[Figure: egress zone and server zone (DHCP server) above two border nodes at the core layer; each aggregation stack load-balances across both borders; access layer below; CSS/iStack links shown.]
Fabric Node Design: Single/Dual-Border Networking Selection

Description
▫ Single-border networking: The core switch is a logical device, which can be a physical standalone device or a CSS/iStack system.
▫ Dual-border networking: Core switches are two logical devices, which can be two standalone physical devices or two CSS/iStack systems.
Characteristics
▫ Single-border networking: Easy management, configuration, and maintenance. Services may be affected during the device upgrade.
▫ Dual-border networking: Complex management, configuration, and maintenance. The upgrade of core switches has little impact on services.
Application scenario
▫ Single-border networking: Simple network management, configuration, and maintenance are required.
▫ Dual-border networking: The device upgrade has little impact on services. Core switches do not support clustering or stacking due to some reasons (such as the deployment distance).
Restrictions
▫ Single-border networking: There is no restriction. The single-border networking design is applicable to both centralized and distributed VXLAN gateway networking.
▫ Dual-border networking: The dual-border networking design is applicable only to distributed VXLAN gateway networking.
Design for the Interconnection Between the Fabric and External Network

[Figure: three interconnection modes. L3 shared egress: a Trust zone on the egress; the border node holds a shared VRF through which the green VRF (VN1) and red VRF (VN2) both exit. L3 exclusive egress: a Trust zone and a Red zone (user-defined zone) on the egress; the border node's green VRF (VN1) and red VRF (VN2) each have their own egress. L2 shared egress: the user gateway sits on the egress device; the border node connects through an L2 shared port, with Edge1 and Edge2 below it.]

L3 shared egress, application scenario: Multiple VNs on a fabric share a Layer 3 egress, through which they communicate with the egress device, and these VNs use the same security policies.
L3 exclusive egress, application scenario: Each VN on the fabric network exclusively occupies a Layer 3 egress, through which it communicates with the egress device, and each VN uses differentiated security policies.
L2 shared egress, application scenario: The border node does not function as the user gateway, and the user gateway must be located outside the fabric.

• When the campus intranet needs to communicate with an external network, for
example, the Internet, data center, or another branch, traffic must pass through
the border node.
• There are three interconnection modes between the fabric network and egress
device:
▫ L3 shared egress:
▪ The external gateway connects to and accesses external networks via
VLANIF or VBDIF interfaces. VNs can access the public network or
private network specified by another site through the shared VRF
egress, and service traffic can be diverted to the firewall through the
shared VRF egress. When configuring a multi-border fabric, you can
configure multiple core devices in one external network.
▪ The L3 shared egress mode is applicable to the scenario where the
firewall does not need to perform security check on VNs, there are
low requirements on security control policies between VNs, and traffic
of all VNs is transmitted in the same security zone.
▪ To enable communication between VNs and external networks, you
must configure return routes to service subnets on the firewall. As a
result, service subnets of different VNs can communicate with each
other on the firewall. To isolate VNs on the firewall, configure policies
based on service network segments in the VNs.
▪ As shown in the figure, a shared VRF is created on the border node,
the shared L3 egress is bound to the VRF, and routes are configured
to enable the communication with external networks.
▫ L3 exclusive egress:
▪ The external gateway connects to and accesses external networks via
VLANIF or VBDIF interfaces. The service VRF (VRF corresponding to a
VN) is used as the egress VRF of the external gateway. Tenant traffic
is directly sent out through the service VRF. When configuring a
multi-border fabric, you can configure multiple core devices in one
external network.
▪ The L3 exclusive egress mode applies to scenarios where the firewall
needs to perform security check on VNs, there are high requirements
on security control policies between VNs, and VN traffic is transmitted
in multiple security zones.
▪ In this scenario, multiple security zones can be configured on the
firewall, each corresponding to one L3 exclusive egress. Thus, the
traffic of service subnets of different VNs is isolated when reaching
the firewall. To enable inter-VN communication through the firewall,
you can configure inter-zone security policies to control the
application ports used for the communication and limit the
bandwidth.
▪ As shown in the figure, a VRF on the border node is associated with a
VN. The VRF for the VN that needs to access an external network is
bound to an L3 egress, and routes are configured for each VN that
needs to access an external network to enable the communication
between the VN and external network.
▫ L2 shared egress:
▪ The user gateway is located outside the fabric. Service traffic is
transparently transmitted from the fabric to external networks
through the L2 shared egress. That is, the border node connects to
the egress device through a Layer 2 interface, and the user gateway is
deployed on the egress device for access to external networks.
▪ The L2 shared egress mode applies to the scenario where the user
gateway is located outside the fabric. In higher education scenarios, if
a Broadband Remote Access Server (BRAS) is used as the user
authentication point and PPPoE dialup is required on the network, the
L2 shared egress mode can be used.
• Communication between a fabric and external network can be implemented
through static routes, BGP routes, BGP4+ routes, or OSPF routes.
Network Service Resource Planning for a Fabric

⚫ In the network service resource design for the fabric, network service resources are created on the border node so that service terminals on the campus intranet can access service resources, such as the DHCP server and NAC server, in the network management zone.

Three models are available for the network service resource design, depending on the resource deployment location.
• Directly connected to a server: The border node is directly connected to the network service resource, and the interconnection interface on the border node is added to the interconnection VLAN in untagged mode. (Figure: border, egress, VN1; the DHCP server is connected through an access port.)
• Directly connected to a switch: The border node is connected to the network service resource through a switch, and the interconnection interface on the border node is added to the interconnection VLAN in tagged mode. (Figure: border, egress, VN1; the DHCP server sits behind the gateway in the network management zone, reached through a trunk port.)
• DHCP server deployed on an external network: The border node is connected to the network service resource over an external network. (Figure: border, egress, VN1; the DHCP server is reached over the external network.)

• Multiple network service resources can be created, or a network service resource
can have access addresses for multiple network service resources.
• When the border node is directly connected to a server:
▫ As shown in the figure, a VRF on the border node is allocated to each
network service resource. After a network service resource is selected during
VN creation, a static route pointing to the network service resource address
will be created on the border node, with the next hop being the network
service resource address.
• When the border node is directly connected to a switch:
▫ If the DHCP server, iMaster NCE-Campus, and other network service
resources are all deployed in the network management zone, the border
node communicates with these network service resources through the
directly connected switch (gateway) in the network management zone. If
only a small number of network service resources are deployed, it is
recommended that these resources be planned in the same network service
resource model. This saves interconnection VLAN and IP address resources
and simplifies route configuration in the network management zone.
▫ As shown in the figure, a VRF on the border node is allocated to each
network service resource. After a network service resource is selected during
VN creation, a static route pointing to the network service resource address
will be created on the border node, with the next hop being the address of
the gateway in the network management zone.
▫ Note: Routes on the border node are automatically delivered when network
service resources are created on iMaster NCE-Campus. To configure routes
on the gateway in the network management zone, log in to the web system
or CLI of the gateway device.
• When the DHCP server is deployed on an external network:

▫ This network service resource model is mainly used for obtaining the DHCP
server address. When this model is used, the gateway of the VN subnet can
function as the DHCP relay agent and automatically configure the DHCP
server address after the gateway is created.
▫ As shown in the figure, after the external network and network service
resource are selected during VN creation, the Layer 3 egress on the border
node is bound to the VRF of the VN, and a route pointing to the external
network is created, enabling the VN to access the network service resource.

• Note: The models shown on this page are logical connectivity diagrams. The
actual connections are subject to the actual networking.
Access Management Design for a Fabric

⚫ When creating a fabric, you need to design authentication control points for user access, including planning access point resource pools. Wired access point resources refer to switch interfaces to which terminals connect, whereas wireless access point resources refer to SSIDs with which terminals associate. In the centralized gateway solution:
 You are advised to deploy authentication control points for wired users on the edge nodes and plan this during access management configuration for a fabric.
 The authentication control points for wireless users are deployed on the ACs. The design and planning for this type of authentication control point depend on the AC type.

Access interface design
• During access management configuration for a fabric, three connection types are defined for access interfaces on a switch.
▫ Fabric extended AP: The interface connects to a Huawei Fit AP.
▫ Fabric extended switch: The interface connects to a Huawei switch.
▫ Terminal (PCs, phones, dumb terminals, and non-fabric extended access switches or APs): The interface connects to a terminal or switch/AP (when policy association is not deployed).

[Figure: a border with two edge nodes connected over VXLAN; below one edge, a fabric extended switch, a fabric extended AP, and a terminal.]

• "Fabric extended AP" and "Fabric extended switch": The two types of connections
are used to enable communication between the authentication control point and
authentication enforcement point through the policy association management
VLAN. In this scenario, the fabric extended switch functions as the authentication
enforcement point and can be connected to fabric extended APs and terminals.
• Terminal (PCs, phones, dumb terminals, and non-fabric extended access
switches/APs): If this type of interface is connected to a terminal, you can
associate an authentication profile specific to that terminal type with the
terminal based on the user authentication mode design in the access control
design. Binding the authentication profile facilitates access control of the
terminal.
VN Design Process

1 VN design
• Create multiple VNs based on the fabric. (In the figure: VN1: OA network, VN2: R&D network, and VN3: production network, all created on one fabric.)
2 Policy design
• Divide users into security groups and define inter-group policies (policy control matrix).
• Define inter-VN access policies based on the policy control matrix.
(In the figure, security groups per VN: VN1: VIP, Sales, Marketing, Guest; VN2: Server, Programmer, Testing, Code library; VN3: Server, Operations, ...)
3 VN access design
• Plan the mapping between VLANs of physical networks and BDs of VNs.
• Plan terminal access modes.
(5W1H is applied to each VN.)

• VN design:
▫ VNs are generally divided based on services on a campus network. An independent service is assigned a VN, and VNs are isolated from each other by default. For example, on a school campus network, guest, teaching, IoT, and video surveillance services can each be assigned a separate VN. On an enterprise campus network, office network services, production network services, and R&D services can be allocated to different VNs.

• Policy design:
▫ Some isolation requirements caused by different user roles can be fulfilled by deploying policy control technologies (such as free mobility).
▫ VNs are isolated by default. To enable mutual access between user groups within a VN, additional VN interworking configuration is required.

• VN access design:
▫ Service data enters from a physical network to a VN through an edge node. Service data of users enters different VNs depending on the VLANs to which users belong. Therefore, during network design, you need to plan the mappings between VLANs of physical networks and BDs of VNs, and configure VLANs for wired and wireless users.

• 5W1H:
▫ Who: identity of an access user, for example, a company leader, a common employee, or a guest.
▫ Where: user access location, for example, access from within the campus, or remote access.
▫ What: type of the terminal used by the access user, for example, mobile phone or PC/laptop.
▫ When: time when a user accesses the network, for example, whether the user accesses the network in the daytime or at night.
▫ Whose: device owner, for example, whether the device is company-issued or BYOD.
▫ How: access mode of a user, for example, wired or wireless access.

VN Design

1. Network service abstraction
Physical network resources are pooled through orchestration, and the network is abstracted into Fabric as a Service (FaaS). A VN is a FaaS instance and includes:
• IP/VLAN segment
• External network
• Network service resource: The IP/VLAN segment is the network resource capability provided by the VN for clients to use network resources.
• Access point: Terminals access VNs through access points.

2. Network service orchestration
• Deliver the mappings between VNIs and BDs.
• Deliver the mappings between BDs and VLANs.
• Deliver the IP address segments corresponding to VBDIF interfaces.
• Deliver VRFs and bind them to VBDIF interfaces.

[Figure: the overlay (virtual network layer) with VN 1, VN 2, and VN 3, each a VRF+VNI, deployed on the underlay (physical network layer) fabric; each VN has an IP/VLAN segment, an external network, a network service resource, and wired and wireless access points; the orchestrated configurations are delivered to the fabric.]
VN Access Design

⚫ Service data enters from a physical network to VNs through the edge node. Service data of different users enters different VNs depending on the VLANs to which the users belong.

⚫ Wired user traffic is directly transmitted to VNs based on VLANs. After wireless user traffic is forwarded to the native AC, the native AC decapsulates CAPWAP packets and forwards the packets to the corresponding BDs based on the VLANs.

Static VLANs
• A static VLAN is configured for wired users on an interface of an access switch.
• A static service VLAN is configured for wireless users on an SSID.
[Figure: the administrator configures a static VLAN on the access interface or delivers the static service VLAN to the native AC, and user traffic enters VN1 or VN2 accordingly.]

Dynamically authorized VLANs
• Authorized VLANs of wired users are delivered to the corresponding authentication points, which then send received user traffic to different VLANs.
• Authorized VLANs of wireless users are delivered to the corresponding native ACs, which then send received user traffic to different VLANs.
[Figure: the authorized user VLAN is delivered to the authentication point or to the native AC, which then places user traffic in VN1 or VN2.]

• Application scenarios:
▫ The static VLAN mode applies when terminals access the network at fixed
locations and do not need to be authenticated. This access mode is more
secure but lacks flexibility. When the locations of terminals change, you
need to configure static VLANs for them again.
▫ The dynamically authorized VLAN mode applies when terminals need to
access the network from any place and need to be authenticated based on
the VLAN information delivered during user authentication. This access
mode is flexible and the configuration does not need to be modified when
the locations of terminals change. Dynamic access is more automated, easy
to manage and use, and is therefore recommended.
• VN access design for wireless users:
▫ If distributed gateways are used and the border nodes have the native AC
function deployed, traffic of wireless users is forwarded to the native AC
through CAPWAP tunnels. After the native AC decapsulates CAPWAP
packets, the decapsulated packets enter different VNs depending on the
VLANs to which the wireless users belong.
▫ If centralized gateways are used and the border nodes have the native AC
function deployed, it is recommended that traffic of wireless users be
directly forwarded to the native AC through CAPWAP tunnels. After the
native AC decapsulates CAPWAP packets, the decapsulated packets enter
different VNs depending on the VLANs to which the wireless users belong.
The administrator needs to configure different VLAN ranges for wired and
wireless terminals. The VLANs of wired terminals are bound to BDs on the
edge nodes, whereas the VLANs of wireless terminals are bound to BDs on
the border nodes.
• Note: 802.1X authentication and MAC address authentication both support
dynamically authorized VLANs.
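The orchestration items from the VN Design slide (VNI-BD mapping, BD-VLAN mapping, VBDIF segment, VRF binding) and the rule above that wired VLANs are bound to BDs on edge nodes while wireless VLANs are bound to BDs on border nodes, turned into a design-time check. This is an added example written for this section, not code from the Huawei material or from iMaster NCE-Campus; the VN names, VLAN/BD/VNI numbers, IP segments and reserved VLAN ranges are constructed, and the placement of the VBDIF (edge for a distributed gateway, border for a centralized one) is a simplifying assumption of the example.

```python
"""VN access plan: VLAN -> BD -> VNI -> VRF mappings with design-time checks.

Added example, not code from the Huawei training material or iMaster
NCE-Campus. All names, numbers and segments below are constructed samples.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Subnet:
    vlan: int            # user VLAN on the physical network
    bd: int              # bridge domain the VLAN maps to
    vni: int             # Layer 2 VNI of the BD
    vbdif_cidr: str      # VBDIF interface address, e.g. "10.1.10.254/24"
    access: str          # "wired" (VLAN bound on edge) or "wireless" (bound on border)


@dataclass
class VN:
    name: str
    vrf: str
    subnets: list = field(default_factory=list)


class PlanError(ValueError):
    """Raised for a plan that cannot be delivered consistently."""


def _claim(table, key, owner, kind):
    """Record that `owner` uses `key`; a second owner is a plan error."""
    if key in table:
        raise PlanError(f"{kind} {key} used by both {table[key]} and {owner}")
    table[key] = owner


def validate(vns, wired_vlans, wireless_vlans):
    """Check VLAN/BD/VNI/VRF uniqueness, the separate VLAN ranges for wired
    and wireless terminals, and that subnets inside one VN (one VRF) do not
    overlap. Overlap between different VNs is allowed: they are separate VRFs."""
    seen = {"VLAN": {}, "BD": {}, "VNI": {}, "VRF": {}}
    for vn in vns:
        _claim(seen["VRF"], vn.vrf, vn.name, "VRF")
        nets = []
        for s in vn.subnets:
            allowed = wired_vlans if s.access == "wired" else wireless_vlans
            if s.vlan not in allowed:
                raise PlanError(f"VLAN {s.vlan} ({s.access}) is outside the reserved range")
            _claim(seen["VLAN"], s.vlan, vn.name, "VLAN")
            _claim(seen["BD"], s.bd, vn.name, "BD")
            _claim(seen["VNI"], s.vni, vn.name, "VNI")
            net = ip_network(s.vbdif_cidr, strict=False)
            if any(net.overlaps(other) for other in nets):
                raise PlanError(f"subnet {net} overlaps another subnet in VN {vn.name}")
            nets.append(net)
    return True


def deliverables(vns, gateway="distributed"):
    """Return the configuration items to deliver as (node, item, *values).
    Gateway placement is an assumption of this example: VBDIF and VRF binding
    go to the edge for wired subnets of a distributed gateway, else to the border."""
    items = []
    for vn in vns:
        for s in vn.subnets:
            l2_node = "edge" if s.access == "wired" else "border"
            gw_node = "edge" if gateway == "distributed" and s.access == "wired" else "border"
            items.append((l2_node, "vni-bd", s.vni, s.bd))
            items.append((l2_node, "bd-vlan", s.bd, s.vlan))
            items.append((gw_node, "vbdif", s.bd, s.vbdif_cidr))
            items.append((gw_node, "vrf-bind", s.bd, vn.vrf))
    return items


# Constructed sample plan: wired VLANs reserved in 10-99, wireless VLANs in 100-199.
WIRED, WIRELESS = range(10, 100), range(100, 200)
SAMPLE_PLAN = [
    VN("OA", "vrf-oa", [Subnet(10, 10, 10010, "10.1.10.254/24", "wired"),
                        Subnet(100, 100, 10100, "10.1.100.254/24", "wireless")]),
    VN("R&D", "vrf-rd", [Subnet(30, 30, 10030, "10.1.30.254/24", "wired")]),
]

if __name__ == "__main__":
    validate(SAMPLE_PLAN, WIRED, WIRELESS)
    for item in deliverables(SAMPLE_PLAN, gateway="centralized"):
        print(item)
```

Running it with `gateway="centralized"` shows the split the notes describe: the BD-VLAN binding of the wired VLAN 10 lands on the edge, that of the wireless VLAN 100 on the border, and every VBDIF lands on the border; a plan that reuses a VLAN in two VNs or puts a wired VLAN in the wireless range is rejected before anything is delivered.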
Inter-VN Communication Design

Inter-VN communication through a border node
• Traffic for inter-VN communication is forwarded through the border node. VRFs on the border node need to import routes from each other.
• This mode applies to the scenario where two VNs belong to the same security zone and there are low security control requirements.
[Figure: VRF1 (VTEP1 1.1.1.1, L3VNI 1000, VBDIF 10.1.1.254) and VRF2 (VTEP2 2.2.2.2, L3VNI 1001, VBDIF 10.2.2.254) on the border node import each other's network segment routes; Host 1 (10.1.1.1/24) in VRF1 communicates with Host 2 (10.2.2.2/24) in VRF2.]

Inter-VN communication through an external gateway (centralized gateway scenario)
• Traffic for inter-VN communication is forwarded to the border node and then diverted to the external gateway. Subsequently, the external gateway performs a security check and forwards the traffic back to the border node, which then forwards the traffic to the destination.
• This mode applies to the scenario where two VNs belong to different security zones and there are high security control requirements (for example, application-based policy control).
[Figure: the same VRF1 and VRF2 on the border node, with traffic between Host 1 and Host 2 diverted to a firewall attached to the border node.]

• Inter-VN communication can be implemented through a border node or an external gateway.
▫ Through a border node
▪ If two VNs belong to the same security zone and have low security control requirements, devices on the two VNs can directly communicate with each other through a border node. In addition, permission control can be implemented based on the free mobility policy. To implement communication between VNs, the border node needs to import each VN's network segment routes into the other VN so that the segments are reachable to each other.
▫ Through an external gateway
▪ If two VNs belong to different security zones and have high security control requirements, it is recommended that devices on the two VNs communicate through an external gateway (a firewall) and that a security zone policy be configured on the firewall for permission control.
Mapping Between the Logical Network and Physical Network

[Figure: traffic of end users enters VLANs on the edge nodes and is carried over VXLAN tunnels to the border nodes, where VBDIF interfaces (Layer 3 VXLAN gateways) in VRF 1, VRF 2, and VRF 3 correspond to the OA, production, and R&D VNs; IP packets from each VRF reach the firewall (Zone1, Zone2, Zone3, and the public Zone4), where the security policy is applied before the traffic is forwarded to the router.]

• Each VN corresponds to a VRF.
• Each VN corresponds to multiple subnets, and each subnet corresponds to a BD and VNI.
• Traffic from a terminal enters the VN based on the VLAN to which the terminal belongs.
Contents

1. CloudCampus Solution and Virtualized Campus Network Overview

2. Network Architecture Design

3. Underlay Network Design

4. Fabric and Overlay Network Design

5. Admission Control and Free Mobility Design

6. WLAN Design

7. Egress Network Design

8. Network Security and QoS Design

9. O&M Design

User Management User Authentication Policy Control Terminal Identification

User Management Solution Design

⚫ User management solution design involves confirming the user data source server. Typical user data source servers of enterprises include RADIUS, AD, and LDAP servers.

Confirm the user data source server:
• RADIUS server: If an enterprise has no data source server, it is recommended that Huawei iMaster NCE-Campus be used as the data source server.
• AD server: If an enterprise has used the AD/LDAP server as the user data source server, the enterprise can continue to use the legacy AD/LDAP server. iMaster NCE-Campus can synchronize user data with such a server and finally perform network authorization.
• LDAP server: Same principles as the AD server.
User Authentication Technology Selection

⚫ Common authentication technologies include 802.1X, MAC address, and Portal authentication. The following table compares these authentication methods.

Item | 802.1X Authentication | MAC Address Authentication | Portal Authentication
Client required or not | Required | Not required | Not required
Advantage | High security | No need to install a client | Flexible deployment
Disadvantage | Inflexible deployment | MAC addresses need to be registered, complicating management | Low security
Application scenario | Network authentication of office users with high security requirements | Access authentication of dumb terminals such as printers and fax machines | Network authentication of guests who move frequently and use different types of terminals

On large- and medium-sized campus networks, 802.1X authentication is recommended for employees, Portal authentication for guests, and MAC address authentication for dumb terminals.

If a customer wants to use more than one authentication method on the same access point, a combination of authentication methods (hybrid authentication) can be used. After hybrid authentication is configured, terminals can access the network after passing any authentication in the combination. This mode is applicable to scenarios where one port provides access for multiple types of users. For example, if a PC is connected upstream to an IP phone, you can configure hybrid authentication (MAC address authentication + 802.1X authentication). In this way, the IP phone uses MAC address authentication, and the PC uses 802.1X authentication.

• If 802.1X or MAC address authentication (Layer 2 authentication technologies) is used, the authentication point must be on the same network segment as the user host. It is recommended that the access device function as the authentication point.
▫ If a large number of access devices are deployed, the aggregation or core device needs to be deployed as the authentication point. You can also deploy policy association. The gateway functions as the authentication control point, and the access device functions as the authentication enforcement point, thereby simplifying policy deployment.
• If Portal authentication is used, the authentication point can be deployed anywhere as long as it is routable to the user host. Layer 2 Portal authentication is recommended.
Association Between Authenticated Users and VNs

1. Create VNs on iMaster NCE-Campus.
The administrator creates VNs and specifies the IP network segments and VLANs for the VNs, for example, OA VN: VLAN 10 (10.1.10.0/24) and VLAN 20 (10.1.20.0/24); R&D VN: VLAN 30 (10.1.30.0/24) and VLAN 40 (10.1.40.0/24).
The administrator configures user authentication rules, authorization results, and authorization rules, so that users can obtain corresponding VLANs after being authenticated. For example, the administrator configures user test to obtain the authorized VLAN 10 after passing 802.1X authentication.

2. Authenticated users obtain authorized VLANs and are then associated with VNs based on the VLANs.
[Figure, steps: (1) User test attempts to access the network. (2) Send an authentication request. (3) Issue the authorization result (VLAN 10) after successful user authentication. (4) User test accesses the OA VN.]
Multi-Level Design for Access Policies

⚫ Network access policies can be logically divided into two levels:
 VN-level access policy: By default, VNs cannot communicate with each other, and service data of each VN is isolated. The CloudCampus Solution enables VNs to communicate within a fabric or through an external network.
 Security group-level access policy: Users and network resources are divided into different security groups for efficient management and control of inter-group traffic. The free mobility policy enforcement point executes inter-group access policies.
[Figure: a fabric with an OA VN (HR group, R&D group, Guest group, HR server resource group, OA server resource group) and an R&D VN (R&D group 1, R&D group 2, R&D code library resource group, Sensitive data resource group), connected to the Internet.]
Policy Design: Create Security Groups

⚫ Dynamic security groups: Terminals and users accessing the network are divided into different security groups through NAC authorization.
 Define security groups for enterprise employees based on the enterprise organizational structure, for example, Hardware development Dept., Software development Dept., Testing Dept., Marketing Dept., Financial Dept., and Human resources Dept.
 Define a security group for a special group of people in the organizational structure, such as the VIP group.
 Define a security group for non-employees that access the network, such as the guest group.
 Define a security group for dumb terminals connected to the network, such as printers and access control devices.
Dynamic security groups are authorized based on the 5W1H principle.
Policy Design: Create Resource Groups

⚫ Static resource groups: Configure a group of IP address resources as a static resource group.
 Define security groups, such as the OA resource group and R&D resource group, for intranet resources based on security requirements.
 If Internet access control is required, define an Internet resource group.

Internet: Internet resource group
General office resources, such as websites and email addresses: OA resource group
Internal private applications, files, code, etc.: R&D resource group

Aggregate the IP addresses of dispersed data center applications into a resource group, thereby simplifying deployment.
Policy Design: Design the Policy Control Matrix

Create dynamic and static security groups for free mobility based on actual requirements, and design the policy control matrix based on network access permissions.

Dynamic security groups: HR, R&D, Sales, Guest
Static security groups: OA server, R&D code library, Marketing document library, Internet

Policy control matrix (rows: source; columns: destination):
Source \ Destination | OA server | R&D code library | Marketing document library | Internet | HR | R&D | Sales | Guest
HR | Permit | Deny | Deny | Permit | - | Permit | Permit | Deny
R&D | Permit | Permit | Deny | Permit | Permit | - | Permit | Deny
Sales | Permit | Deny | Permit | Permit | Permit | Permit | - | Deny
Guest | Deny | Deny | Deny | Permit | Deny | Deny | Deny | -

• An inter-group policy directly reflects whether two security groups can communicate with each other. When planning an inter-group policy, simply set the inter-group policy to permit or deny based on whether the two groups can communicate with each other. The administrator can configure inter-group policies through an intuitive policy control matrix on iMaster NCE-Campus. If no inter-group policy is created between source and destination security groups, the default policy between them is permit.

• Take the policy direction into account when planning inter-group policies. Typically, packets are transmitted in two directions between two terminals.
▫ Huawei switches consider that traffic from A to B is unrelated to traffic from B to A, so they match policies for the two types of traffic separately and determine whether to forward the traffic based on the corresponding policies. This means that a Huawei switch enforces policies on a packet by considering only the source and destination security groups of that packet. For example, the policy "A -> B permit, B -> A deny" means that all packets sent from A to B will be permitted, whereas all packets sent from B to A will be discarded, regardless of whether A or B initiates the access. The default inter-group policy on a switch is permit.
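The policy control matrix from the slide and the two rules in the notes above (a missing inter-group policy means permit; each direction is matched on its own, using only the packet's source and destination security groups), evaluated over constructed flows. This is an added example written for this section, not code from the Huawei material or from iMaster NCE-Campus. It also models the IP-security group entries that the controller synchronizes to a policy enforcement point and the static resource groups; the IP addresses, the resource segments, the prefix 203.0.113.0/24 standing in for the Internet resource group, and the flows are all constructed.

```python
"""Inter-group policy evaluation on a free mobility policy enforcement point.

Added example, not code from the Huawei training material or iMaster
NCE-Campus. Addresses, segments and flows are constructed samples.
"""
from ipaddress import ip_address, ip_network

# IP-security group entries (dynamic groups, constructed): one per authenticated user.
IP_SECURITY_GROUP_ENTRIES = {
    "10.1.10.5": "HR",
    "10.1.30.7": "R&D",
    "10.1.50.9": "Sales",
    "10.1.90.3": "Guest",
}

# Static resource groups (constructed segments); the longest matching prefix wins.
STATIC_RESOURCE_GROUPS = [
    (ip_network("10.10.1.0/24"), "OA server"),
    (ip_network("10.10.2.0/24"), "R&D code library"),
    (ip_network("10.10.3.0/24"), "Marketing document library"),
    (ip_network("203.0.113.0/24"), "Internet"),   # stand-in for the Internet resource group
]

PERMIT, DENY = True, False
# Policy control matrix from the slide, keyed (source group, destination group).
# A pair with no entry falls back to the default inter-group policy, permit.
POLICY_MATRIX = {
    ("HR", "OA server"): PERMIT, ("HR", "R&D code library"): DENY,
    ("HR", "Marketing document library"): DENY, ("HR", "Internet"): PERMIT,
    ("HR", "R&D"): PERMIT, ("HR", "Sales"): PERMIT, ("HR", "Guest"): DENY,
    ("R&D", "OA server"): PERMIT, ("R&D", "R&D code library"): PERMIT,
    ("R&D", "Marketing document library"): DENY, ("R&D", "Internet"): PERMIT,
    ("R&D", "HR"): PERMIT, ("R&D", "Sales"): PERMIT, ("R&D", "Guest"): DENY,
    ("Sales", "OA server"): PERMIT, ("Sales", "R&D code library"): DENY,
    ("Sales", "Marketing document library"): PERMIT, ("Sales", "Internet"): PERMIT,
    ("Sales", "HR"): PERMIT, ("Sales", "R&D"): PERMIT, ("Sales", "Guest"): DENY,
    ("Guest", "OA server"): DENY, ("Guest", "R&D code library"): DENY,
    ("Guest", "Marketing document library"): DENY, ("Guest", "Internet"): PERMIT,
    ("Guest", "HR"): DENY, ("Guest", "R&D"): DENY, ("Guest", "Sales"): DENY,
}


def resolve_group(ip):
    """Map an address to its security group: the synchronized IP-security
    group entry if one exists, otherwise the longest matching static
    resource segment, otherwise None (no group known for this address)."""
    if ip in IP_SECURITY_GROUP_ENTRIES:
        return IP_SECURITY_GROUP_ENTRIES[ip]
    addr = ip_address(ip)
    best = None
    for net, group in STATIC_RESOURCE_GROUPS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, group)
    return best[1] if best else None


def decide(src_ip, dst_ip):
    """Decide one packet. Only its own source and destination groups are
    consulted, so the reverse direction is a separate, independent lookup."""
    src, dst = resolve_group(src_ip), resolve_group(dst_ip)
    permitted = POLICY_MATRIX.get((src, dst), PERMIT)
    return src, dst, "permit" if permitted else "deny"


def trace_flow(client_ip, server_ip):
    """Evaluate both directions of a flow the way the switch does: a deny in
    one direction says nothing about the other."""
    return {"forward": decide(client_ip, server_ip)[2],
            "reverse": decide(server_ip, client_ip)[2]}


if __name__ == "__main__":
    for s, d in [("10.1.10.5", "10.10.1.20"), ("10.1.90.3", "10.10.1.20"),
                 ("10.1.30.7", "203.0.113.10"), ("10.1.50.9", "10.10.2.4")]:
        print(s, "->", d, decide(s, d))
    print("Sales <-> R&D code library:", trace_flow("10.1.50.9", "10.10.2.4"))
```

The last line of output is the point of the directional rule: Sales -> R&D code library is denied by the matrix, but packets from the code library back to Sales match no policy and take the default, permit. That is what the notes mean by planning both directions, and it is also why an address with no IP-security group entry (an unauthenticated host, or one whose entry was never pushed to this enforcement point through entry subscription) is treated under the default policy rather than being blocked.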
Location Selection for Authentication Points and Policy Enforcement Points

⚫ Typically, the user gateway functions as both an authentication point and policy enforcement point, on which the free mobility function is deployed, due to the following considerations:
 There are a large number of access switches. Configuring the authentication function on each access switch brings a heavy workload and leads to difficulties in management.
 iMaster NCE-Campus needs to synchronize permission control policies to policy enforcement points. If access switches are used as authentication points, the number of policy enforcement points will increase significantly due to the large number of access switches. This increases the workload and difficulty in device management on iMaster NCE-Campus and prolongs the policy synchronization time as well.

⚫ To prevent users connected to the same upstream user gateway from communicating with each other at Layer 2, you can configure Layer 2 isolation. In this way, traffic between these users must pass through the user gateway.

• If an authentication point and policy enforcement point are deployed on different devices, the IP-security group entries of authenticated users need to be pushed to the specified policy enforcement point. To achieve this, the administrator needs to configure IP-security group entry subscription, that is, specify to which policy enforcement point the IP-security group entries of a certain network segment or security group need to be pushed.
IP-Security Group Entry Synchronization

Technical background
[Figure: devices that support free mobility beside devices that do not.]
These devices do not support free mobility, so how to realize free mobility if a solution includes these devices?
• Switches that do not support free mobility
• ACs
• Routers
• Third-party devices (non-Huawei)

IP-security group entry synchronization principle
iMaster NCE-Campus synchronizes the mappings between user IP addresses and security groups to the switches functioning as policy enforcement points. In this way, authentication points and policy enforcement points can be separated, thereby implementing flexible networking. In addition, hybrid networking with third-party devices can be easily achieved.
[Figure, steps: (1) User access: PC1 (1.1.1.1) and PC2 (2.2.2.2) connect through a third-party device. (2) User authentication. (3) Generate an IP-security group entry (1.1.1.1: Group1; 2.2.2.2: Group2). (4) Proactively synchronize IP-security group entries to the policy enforcement point through HTTP/2. (5) Enforce the inter-group policy when the traffic arrives.]
Free Mobility Solution (1)

Security groups: Sales (group ID 1), R&D (group ID 2), Marketing (group ID 3), …
Security group-based policy control matrix (rows: source; columns: destination):
Source \ Destination | Sales | R&D | Marketing | …
Sales | √ | × | √ | …
R&D | × | √ | √ | …
Marketing | √ | √ | √ | …

Scenario description
• Centralized authentication point + centralized policy enforcement point.
• The authentication point and policy enforcement point are combined on the core device.
• Devices do not support VXLAN.

Scenario characteristics
• The core device functions as the centralized authentication point for both wired and wireless users on the entire network.
• The core device also works as the policy enforcement point for free mobility.
• The core device stores authentication information about all users on the network. After traffic is forwarded to the core device, it enforces policies based on the policy control matrix defined by the administrator.
• The network does not need to support or deploy VXLAN.

[Figure: Core (authentication point and policy enforcement point) above AGG1 and AGG2, then Access1 and Access2, with PC1 1.1.1.1 (Sales user), PC2 2.2.2.2 (R&D user), and PC3 3.3.3.3 (Marketing user); the security groups and policy control matrix are delivered to the core.]
Free Mobility Solution (2)

Security groups: Sales (group ID 1), R&D (group ID 2), Marketing (group ID 3), …
IP-security group mapping table: 1.1.1.1 -> group ID 1; 2.2.2.2 -> group ID 2; 3.3.3.3 -> group ID 3; …
Security group-based policy control matrix (rows: source; columns: destination):
Source \ Destination | Sales | R&D | Marketing | …
Sales | √ | × | √ | …
R&D | × | √ | √ | …
Marketing | √ | √ | √ | …

Scenario description
• Distributed authentication points + centralized policy enforcement point.
• Authentication points are separated from the policy enforcement point.
• Devices do not support VXLAN.

Scenario characteristics
• Multiple authentication points exist on the entire network, for example, distributed on aggregation switches.
• The core device functions as the centralized policy enforcement point for free mobility.
• iMaster NCE-Campus synchronizes IP-security group entries to the core device. After traffic is forwarded to the core device, it enforces policies based on the policy control matrix defined by the administrator.
• The network does not need to support or deploy VXLAN.

[Figure: Core (policy enforcement point, enabled with IP-security group entry subscription) above AGG1 and AGG2 (authentication points), then Access1 and Access2, with PC1 1.1.1.1 (Sales user), PC2 2.2.2.2 (R&D user), and PC3 3.3.3.3 (Marketing user); IP-security group entries are synchronized and the security groups and policy control matrix are delivered to the core.]
Free Mobility Solution (3)

Security groups: Sales (group ID 1), R&D (group ID 2), Marketing (group ID 3), …
Security group-based policy control matrix (rows: source; columns: destination):
Source \ Destination | Sales | R&D | Marketing | …
Sales | √ | × | √ | …
R&D | × | √ | √ | …
Marketing | √ | √ | √ | …

Scenario description
• VXLAN-based virtualized campus network, with automatic service provisioning.
• Distributed authentication points + policy enforcement points.

Scenario characteristics
• Multiple authentication points exist on the entire network, for example, distributed on aggregation switches.
• Aggregation switches support VXLAN and function as policy enforcement points.
• The policy for traffic exchanged between users on the same aggregation switch is enforced by the aggregation switch itself.
• Traffic exchanged between users on different aggregation switches is encapsulated using VXLAN. The source security group ID is encapsulated into VXLAN-encapsulated traffic. Policies are enforced on the peer aggregation switch.

[Figure: Core above AGG1 and AGG2 (authentication points and policy enforcement points, connected by VXLAN), then Access1 and Access2, with PC1 1.1.1.1 (Sales user), PC2 2.2.2.2 (R&D user), and PC3 3.3.3.3 (Marketing user); the security groups and policy control matrix are delivered to the aggregation switches.]
Free Mobility Solution (4)

Scenario description
• VXLAN-based virtualized campus network.
• Distributed authentication points + policy enforcement points.
• The third-party device functions as a user authentication point.

Scenario characteristics
• A third-party switch exists on the network and functions as a user authentication point.
• Aggregation switches support VXLAN and function as policy enforcement points.
• The policy for traffic exchanged between users on the same aggregation switch is enforced by the aggregation switch itself.
• Traffic exchanged between users on different aggregation switches is encapsulated using VXLAN. The source security group ID is encapsulated into VXLAN-encapsulated traffic. Policies are enforced on the peer aggregation switch.

[Figure: A-Agg and B-Agg (policy enforcement points, enabled with IP-security group entry subscription, connected by VXLAN) above A-Access, B-Access (third party), and an AP (authentication points), with Host1 (Sales user) and Host4 (Guest); IP-security group entries are synchronized and the security groups and policy control matrix are delivered. Steps: (1) A terminal attempts to go online and initiates authentication. (2) Authenticate the user. (3) Generate an IP-security group entry. (4) Deliver the IP-security group entry. (5) Enforce the inter-group policy when the VXLAN traffic arrives.]
Free Mobility Solution (5)

Scenario description
• VXLAN-based virtualized campus network.
• The AC functions as the authentication point for wireless users, and the core switch functions as the gateway for wireless users.

Scenario characteristics
• The AC functions as the authentication point for wireless users and interacts with iMaster NCE-Campus to complete user authentication.
• The core switch functions as the free mobility policy enforcement point, to which iMaster NCE-Campus synchronizes IP-security group entries.

[Figure: the core switch (policy enforcement point, enabled with IP-security group entry subscription) with an attached AC (authentication point) above a VXLAN fabric; IP-security group entries are synchronized and the security groups and policy control matrix are delivered to the core switch.]
Free Mobility Solution (6)

Scenario description
• VXLAN-based virtualized campus network.
• The third-party device (BRAS) functions as the user authentication point, and terminals need to access the external network after PPPoE authentication. Free mobility is supported.

Scenario characteristics
• The third-party BRAS functions as the user authentication point and interacts with iMaster NCE-Campus to complete user authentication.
• iMaster NCE-Campus automatically provisions VXLAN configurations, so that VXLAN tunnels can be created for transmitting user authentication data to the BRAS, thereby enabling Layer 2 communication between terminals and the BRAS.
• The L2 shared egress mode is configured on the core switch through iMaster NCE-Campus for the connection between the fabric and the external network, so that the core switch can communicate with the third-party BRAS.
• The core switch functions as the free mobility policy enforcement point, to which iMaster NCE-Campus synchronizes IP-security group entries.

[Figure: the core switch (policy enforcement point, enabled with IP-security group entry subscription) connected to a third-party BRAS (authentication point, PPPoE authentication) above a VXLAN fabric; IP-security group entries are synchronized and the security groups and policy control matrix are delivered to the core switch.]

• L2 shared egress mode: The border node is not the user gateway, and the user
gateway is a device outside the fabric. The border node connects to the egress
device through a Layer 2 interface, and the user gateway is deployed on the
egress device for access to the external network.
Terminal Identification Method Design (1)

⚫ iMaster NCE-Campus allows you to view brief information about terminals on the entire campus network, such as terminal types and operating systems, thereby enabling multi-dimensional refined management of terminals. For dumb terminals such as IP phones, printers, and IP cameras on the campus network, automatic access based on terminal identification results can be implemented, thus reducing the configuration workload of administrators.

1 Network analysis
To view terminal types and perform network management based on the terminal type through iMaster NCE-Campus, a network administrator needs to perform the following operations:
• Collect the types of terminals on the network, such as PCs, mobile phones, printers, IP cameras, and access control devices.
• Determine whether Portal authentication is deployed on the network.
• Check whether the IP addresses of terminals are DHCP-assigned or statically configured.

2 Traverse items in the following table one by one
Based on the collected information, traverse the items listed in the following table one by one and select the required terminal identification methods. (All the identification methods that meet requirements must be enabled.)

Identification Method | Identifiable Terminal Type | Application Scenario
MAC OUI | All IP terminals (identifying only the device manufacturer) | General scenarios
HTTP User-Agent | Mobile phones, tablets, PCs, workstations, smart audio and video terminals | Only scenarios where Portal authentication is used for terminals
DHCP Option | Mobile phones, tablets, PCs, workstations, IP cameras, IP phones, printers, etc. | Only scenarios where IP addresses of terminals are dynamically assigned
LLDP | IP phones, IP cameras, network devices, etc. | General scenarios
mDNS | Printers, IP cameras, etc. | General scenarios
SNMP Query | Network devices, printers | On-premises scenario
Nmap | PCs, workstations, printers, phones, IP cameras, etc. | On-premises scenario

• In this slide, "general scenarios" refer to authentication, non-authentication, and dynamic/static IP address assignment scenarios.
• In non-authentication scenarios, iMaster NCE-Campus can display information about wired terminals only after the ARP snooping function is enabled on access devices.
User Management User Authentication Policy Control Terminal Identification

Terminal Identification Method Design (2)


3 Enable the terminal identification function
Identification Method Operation On iMaster NCE-Campus Operation on the Network Side
MAC OUI Enable the terminal identification function. -
HTTP User-Agent Enable the terminal identification function. Enable the terminal identification information reporting function.
1. Enable the terminal identification information reporting function.
DHCP Option Enable the terminal identification function.
2. Enable DHCP snooping.
LLDP Enable the terminal identification function. Terminal identification is enabled by default.
1. Enable the terminal identification information reporting function.
mDNS Enable the terminal identification function.
2. Enable mDNS snooping.
1. Enable the terminal identification function.
SNMP Query -
2. Enable the SNMP scanning function.
1. Enable the terminal identification function.
Nmap -
2. Install the Nmap plug-in.


If the network administrator cannot determine the terminal identification method to be used, the following passive fingerprint-based
identification methods are recommended: MAC OUI, HTTP User-Agent, DHCP Option, LLDP, and mDNS.

It is recommended that Nmap be disabled by default because this identification takes a long time. If the passive fingerprint-based
identification methods cannot meet requirements, enable Nmap.


Terminal Policy Design


⚫ The network administrator can use iMaster NCE-Campus to automatically deliver policies to terminals, eliminating
the need to manually configure different policies for each type of service terminals.
⚫ Terminal policies can be delivered based on the terminal type, operating system, or vendor.
1. Perform policy design.
• Enable terminal-type-based automatic policy delivery, so that policies are authorized based on the admission authentication result.
• Deploy admission authentication on access switches and APs.
• Enable MAC address authentication on access switches and APs when dumb terminals are deployed.
2. Enable the terminal identification function on the network.
3. Sort out the types of terminals that require automatic policy delivery on the network, design corresponding authorization policies, and configure the policies on iMaster NCE-Campus.

Item | Admission Policy | Authorization Policy
Operating system: Android | User admission | Authorized ACL 1
Operating system: iOS | User admission | Authorized ACL 2
Terminal type: printer | Automatic admission | Authorized VLAN 10
Terminal type: IP camera | Automatic admission | Authorized VLAN 20
Terminal type: IP phone | Automatic admission | Authorized VLAN 30; DSCP 48
Terminal type: access control device | Automatic admission | Authorized VLAN 40
Vendor: ABC | User admission | Authorized ACL 100


• It is recommended that admission and authorization policies be automatically delivered to dumb terminals (such as printers, IP phones, and IP cameras) based on terminal types. This helps implement automatic service provisioning and plug-and-play for dumb terminals.
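As an added illustration of the passive identification methods and the policy table above (example code, not iMaster NCE-Campus or Huawei code): a small Python classifier that combines MAC OUI, HTTP User-Agent, DHCP option 60, LLDP and mDNS evidence and then picks the admission and authorization policy from the table. The OUI entries, fingerprint strings, the method precedence and the sample observations are constructed assumptions; Nmap is left out, in line with the recommendation to keep it disabled by default.

```python
"""Passive terminal identification and policy selection (added example, not
iMaster NCE-Campus code). OUI entries, fingerprints and observations are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed OUI table: first three MAC bytes -> (vendor, terminal type).
OUI_TABLE = {
    "00:11:22": ("CamCo", "IP camera"),
    "00:33:44": ("PrintCo", "printer"),
    "00:55:66": ("ABC", None),  # vendor known, terminal type unknown
}

# Policy table from the Terminal Policy Design slide. Precedence (an
# assumption of this example): terminal type, then operating system, then vendor.
POLICY_TABLE = [
    ("type", "printer", "Automatic admission", "Authorized VLAN 10"),
    ("type", "IP camera", "Automatic admission", "Authorized VLAN 20"),
    ("type", "IP phone", "Automatic admission", "Authorized VLAN 30; DSCP 48"),
    ("type", "access control device", "Automatic admission", "Authorized VLAN 40"),
    ("os", "Android", "User admission", "Authorized ACL 1"),
    ("os", "iOS", "User admission", "Authorized ACL 2"),
    ("vendor", "ABC", "User admission", "Authorized ACL 100"),
]


@dataclass
class Observation:
    """Fingerprints the access device collected passively (constructed)."""
    mac: str
    dhcp_vendor_class: Optional[str] = None  # DHCP option 60, reported via DHCP snooping
    http_user_agent: Optional[str] = None    # from HTTP traffic
    lldp_system_desc: Optional[str] = None   # LLDP System Description TLV
    mdns_services: tuple = ()                # service types seen by mDNS snooping


@dataclass
class Identity:
    vendor: Optional[str] = None
    terminal_type: Optional[str] = None
    os: Optional[str] = None
    evidence: list = field(default_factory=list)  # which methods contributed


def identify(obs: Observation) -> Identity:
    """Combine the passive methods; a later method fills gaps but never
    overwrites a terminal type already established by an earlier one."""
    ident = Identity()
    oui = obs.mac.lower()[:8]
    if oui in OUI_TABLE:
        ident.vendor, ident.terminal_type = OUI_TABLE[oui]
        ident.evidence.append("MAC OUI")
    ua = obs.http_user_agent or ""
    if "Android" in ua:
        ident.os = "Android"
        ident.evidence.append("HTTP User-Agent")
    elif "iPhone" in ua or "iPad" in ua:
        ident.os = "iOS"
        ident.evidence.append("HTTP User-Agent")
    # Constructed fingerprint patterns for the remaining methods.
    vendor_class = (obs.dhcp_vendor_class or "").lower()
    if "ipphone" in vendor_class and ident.terminal_type is None:
        ident.terminal_type = "IP phone"
        ident.evidence.append("DHCP Option")
    lldp = (obs.lldp_system_desc or "").lower()
    if "ip phone" in lldp and ident.terminal_type is None:
        ident.terminal_type = "IP phone"
        ident.evidence.append("LLDP")
    printer_services = ("_ipp._tcp", "_printer._tcp")
    if any(s.startswith(printer_services) for s in obs.mdns_services) \
            and ident.terminal_type is None:
        ident.terminal_type = "printer"
        ident.evidence.append("mDNS")
    return ident


def select_policy(ident: Identity):
    """Return (admission policy, authorization policy) from POLICY_TABLE, or
    fall back to ordinary user admission when no row matches."""
    attrs = {"type": ident.terminal_type, "os": ident.os, "vendor": ident.vendor}
    for key, value, admission, authorization in POLICY_TABLE:
        if attrs[key] == value:
            return admission, authorization
    return "User admission", None


if __name__ == "__main__":
    cam = identify(Observation(mac="00:11:22:aa:bb:cc"))
    print(cam, select_policy(cam))
```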
Contents

1. CloudCampus Solution and Virtualized Campus Network Overview

2. Network Architecture Design

3. Underlay Network Design

4. Fabric and Overlay Network Design

5. Admission Control and Free Mobility Design

6. WLAN Design

7. Egress Network Design

8. Network Security and QoS Design

9. O&M Design

WLAN Service Solution
⚫ On a large- or medium-sized campus network, the WLAN typically uses the "AC + Fit AP" networking architecture.
⚫ An AC can be deployed in in-path or off-path mode, depending on its location. A native AC (integrated on a switch)
must be deployed in in-path mode, whereas a standalone AC can be deployed in either in-path or off-path mode
(off-path mode is recommended).
Native AC solution:
• Switches provide the native AC function.
• Free mobility is supported. Policies for wired and wireless users are centrally enforced on the switches.
• Unified management of wired and wireless users.
Standalone AC solution:
• Standalone AC (connected to the core switch in off-path mode).
• The free mobility solution is supported for wireless users, but it must be used together with the IP-security group entry synchronization solution.
• Separate management for wired and wireless users.


• Control packets between an AC and AP are forwarded through a CAPWAP tunnel. APs forward service packets of wireless users to the wired side in tunnel forwarding (centralized forwarding) or direct forwarding (local forwarding) mode.
▫ Tunnel forwarding:
▪ Application scenario: Service packets of wireless users are centrally processed and forwarded by the AC.
▪ Advantages: The AC centrally forwards service traffic, ensuring high security and facilitating centralized traffic management and control.
▪ Disadvantages: Service packets must be forwarded by the AC, resulting in low forwarding efficiency and a heavy load on the AC.
▫ Direct forwarding:
▪ Application scenario: Service packets of wireless users are directly forwarded without passing through the AC, saving link bandwidth between the AP and AC.
▪ Advantages: Service packets are forwarded without passing through the AC, which is efficient and reduces the load on the AC.
▪ Disadvantages: Service data is difficult to manage and control in a centralized manner.
▫ The tunnel forwarding mode is recommended for the native AC solution.


Native AC Solution Deployment on a VXLAN-based Virtualized Campus Network

Figure: centralized gateway scenario (left) and distributed gateway scenario (right). In both, the native AC on the border node terminates the CAPWAP tunnels to the APs; the Layer 3 gateway is on the border node in the centralized scenario and on the edge nodes (for wired users) in the distributed scenario.

• Scenario 1: The switch used as the border node provides the native AC function to manage network-wide APs.
▫ It is recommended that the native AC function be deployed on the border node and the tunnel forwarding mode be used on APs.
▫ Traffic of wireless users enters VNs through the native AC, and the border node functions as the gateway of wireless users.
▫ Free mobility is supported, and free mobility policies for wireless user groups are enforced on the border node.
• Scenario 2: The switch used as the border node provides the native AC function to manage network-wide APs.
▫ When the number of wireless users on the entire network exceeds 50,000, the distributed gateway solution is recommended. In this scenario, the tunnel forwarding mode is recommended for APs.
▫ Traffic of wireless users enters VNs through the native AC, and the border node functions as the gateway of wireless users.
▫ Free mobility is supported, and free mobility policies for wireless user groups are enforced on the border node.


• Description of the centralized gateway scenario:
▫ User gateway: border node
▫ Authentication point: edge node for wired users; border node (native AC) for wireless users
▫ Forwarding model:
▪ Wired traffic: Traffic enters VNs through the edge node, and free mobility policies are enforced on the edge node.
▪ Wireless traffic: Free mobility policies are enforced on the border node. The tunnel forwarding mode is recommended. Traffic enters VNs through the border node (native AC).
• Description of the distributed gateway scenario:
▫ User gateway: edge node for wired users; border node for wireless users
▫ Authentication point: edge node for wired users; border node (native AC) for wireless users
▫ Forwarding model:
▪ Wired traffic: Traffic enters VNs through the edge node, and free mobility policies are enforced on the edge node.
▪ Wireless traffic: Free mobility policies are enforced on the border node. The tunnel forwarding mode is recommended. Traffic enters VNs through the border node (native AC).
Standalone AC Solution Deployment on a VXLAN-based Virtualized Campus Network

Figure: centralized gateway scenario (left) and distributed gateway scenario (right). In both, a standalone AC hangs off the border node, the CAPWAP tunnels run between the AC and the APs through the border node, and the border node is the Layer 3 gateway for wireless users; in the distributed scenario the edge nodes are the Layer 3 gateways for wired users.

The same design applies to both scenarios:
• The AC centrally manages APs. The tunnel forwarding mode is used. Traffic of wireless users is encapsulated by the AP using the CAPWAP protocol and then sent to the AC. After being decapsulated by the AC, the traffic enters the VN through the border node.
• The border node functions as the gateway for wireless users.
• Free mobility is supported, and free mobility policies for wireless user groups are enforced on the border node.


• Description of the centralized gateway scenario:
▫ User gateway: border node
▫ Authentication point: edge node for wired users; standalone AC for wireless users
▫ Forwarding model:
▪ Wired traffic: Traffic enters VNs through the edge node, and free mobility policies are enforced on the edge node.
▪ Wireless traffic: Free mobility policies are enforced on the border node (the border node needs to subscribe to IP-security group entries). The tunnel forwarding mode is recommended. Traffic enters VNs through the border node (traffic is forwarded from the standalone AC to the border node and then enters VNs).
• Description of the distributed gateway scenario:
▫ User gateway: edge node for wired users; border node for wireless users when tunnel forwarding mode is used
▫ Authentication point: edge node for wired users; AC for wireless users
▫ Forwarding model:
▪ Wired traffic: Traffic enters VNs through the edge node, and free mobility policies are enforced on the edge node.
▪ Wireless traffic: The tunnel forwarding mode is recommended. Traffic enters VNs through the border node, and the border node enforces free mobility policies (the border node needs to subscribe to IP-security group entries).
• Note: By default, port isolation is configured by the controller on the interfaces for connecting the border nodes to the standalone ACs. Therefore, when standalone ACs work in VRRP-based hot standby mode, a heartbeat link needs to be deployed between the active and standby ACs, and the switch ports connected to the ACs need to be configured to allow packets from the management VLAN of the ACs.
WLAN Deployment Solutions on a VXLAN-based Virtualized Campus Network
⚫ The following table lists the recommended WLAN deployment solutions for centralized and distributed gateway networking.

Networking Type | AC | Gateway for Wireless Terminals | AP Wireless Forwarding Mode | Traffic Virtualization Location | Number of Terminals Supported | Applicable Scenario
Centralized gateway | Native AC on the border node | Border node | Tunnel forwarding | Border node | ≤ 50,000 | Recommended when the number of terminals does not exceed 50,000 and centralized forwarding is implemented for wireless terminals.
Centralized gateway | Standalone AC connected to the border node in off-path mode | Border node | Tunnel forwarding | Border node | ≤ 50,000 | Recommended when the wired network is reconstructed first and centralized forwarding is implemented for wireless terminals.
Distributed gateway | Native AC on the border node | Border node | Tunnel forwarding | Border node | 50,000~100,000 | Recommended when the number of terminals exceeds 50,000 and centralized forwarding is implemented for wireless terminals.

⚫ In new deployment scenarios or wired and wireless network reconstruction scenarios, the native AC is recommended and the tunnel forwarding mode is preferentially selected for APs.

Network Egress Design Overview
⚫ As the boundary between a campus network and external networks (including the Internet and WAN), the egress zone is responsible for communication and security protection between internal and external networks.

Figure: the campus network layers (terminal layer, access layer, aggregation layer, core layer, with iStack/CSS links), the DC and O&M zone attached to the core layer, and the egress zone connecting the campus to the Internet and WAN.

The requirements for the egress zone design are as follows:
 Network connectivity: Internal users can access external networks. If the campus network provides access for external users, external users should be able to access the internal network.
 Network security: To ensure that the campus network is secure and controllable, especially border security, firewalls and Intrusion Prevention System (IPS) devices need to be configured. Security components are selected based on security requirements and investment scales.
 Flexible access modes: Various access modes are provided, including LAN-side and WAN-side access.
 Strong service control capability: Service deployment and isolation are easy to implement, and various VPN access modes are provided, including IPsec VPN, SSL VPN, and MPLS VPN.

Egress Network Service Scenarios (1)

Figure: the egress zone between the campus network and the Internet/WAN, grouping the egress services into security, NAT, remote access, and multi-campus interconnection.

Scenario | Sub-scenario | Description | Applicable Network
Security | Firewall | A firewall uses security zones to divide networks and identify packet forwarding paths. When a packet is transmitted between security zones, the firewall can perform a security check and enforce corresponding security policies. | Internet and leased line
Security | URL filtering | URL filtering controls internal users' access to external URLs. It allows or forbids users to access certain web page resources, thereby regulating online behaviors. | Internet
NAT | Source NAT | Intranet users usually use private IP addresses to access the Internet. To ensure successful access to Internet services, private IP addresses must be translated into public IP addresses. | Internet
NAT | NAT server | Servers deployed on the campus network, such as the file server, can be mapped to the Internet using public IP addresses or public IP addresses and port numbers through the NAT server, so that they can be accessed from the Internet. | Internet



Egress Network Service Scenarios (2)

Scenario | Sub-scenario | Description | Applicable Network
Remote access | SSL VPN access | The SSL VPN gateway connects to the Internet and provides SSL VPN services for mobile office users (employees on business trips). After a mobile user uses a terminal (such as a laptop or smart phone) to establish an SSL VPN tunnel with the gateway, the user can remotely access intranet resources such as the web server, file server, and mail server through the SSL VPN tunnel. | Internet
Multi-campus interconnection | MPLS VPN interconnection | CE devices can be connected to the MPLS VPN network. | Traditional leased line
Multi-campus interconnection | IPsec VPN interconnection | IPsec VPN tunnels are established between multiple campuses to ensure secure data transmission on a low-security bearer network. | Internet and leased line



WAN-side Connection Design

Figure: WAN-side connection options. Router as egress: single router and single egress; single router and dual egresses (Internet and WAN); dual routers and single egress; dual routers and dual egresses; dual routers and multiple egresses (Internet, WAN, and LTE, which must be ARs). Firewall as egress: single firewall and single egress; single firewall and dual egresses; dual firewalls and single egress; dual firewalls and dual egresses, with a hot standby heartbeat link between the two firewalls.

The following factors need to be considered during the WAN-side connection design:
• Egress link type
• SD-WAN requirements
• Protocol interconnection requirements


• To ensure reliability, routers and firewalls are usually deployed in redundancy mode. It is recommended that devices be deployed in redundancy mode at the egress of a large- or medium-sized campus network.
• WAN-side connection design:
▫ Egress link type:
▪ Ethernet: Select routers (NE or AR series) or firewalls as egress devices.
▪ For non-Ethernet links, such as E1, CE1, and CPOS links, select routers as egress devices.
▫ SD-WAN requirements:
▪ If there are SD-WAN requirements, select AR routers as egress devices.
▪ If there is no SD-WAN requirement, select firewalls or NE routers as egress devices.
▫ Protocol interconnection requirements:
▪ If BGP runs between egress devices and external networks, it is recommended that routers be used as the egress devices. This is because routers have a larger number of routing table entries and higher performance, and many routing policies need to be deployed on egress devices.
LAN-side Connection Design

Figure: LAN-side attachment options, shown for firewalls (top) and routers (bottom): a single firewall or router connected to a single core switch; two firewalls or routers connected to a CSS of core switches in square-looped mode; two firewalls or routers connected to a CSS of core switches in dual-homed mode. Two firewalls are joined by a hot standby heartbeat link, and the links toward the CSS use link aggregation.

LAN-side connection design:
• It is recommended that core switches be deployed in cluster or stack mode to form a logical switch, thereby ensuring reliability of core switches.
• Egress gateways are usually deployed in a two-node cluster to meet reliability requirements. Different types of gateways differ slightly in their two-node cluster deployment capabilities. For example, the link between the active and standby firewalls in a two-node cluster is used only for heartbeat and entry synchronization, and not for traffic forwarding. The link between routers functioning as gateways can be used for service interconnection and for synchronizing and backing up information between them.
• It is recommended that egress gateways and core switches be connected in dual-homed mode and link aggregation be used to enhance the link-level reliability and forwarding bandwidth between devices.



Firewall Hot Standby
⚫ When firewalls function as egress devices, you are advised to deploy HSB to improve firewall reliability.

Figure: an active firewall and a standby firewall in hot standby, each connected by link aggregation to the core switch (CSS/iStack); in the right-hand figure the active firewall fails and service packets flow through the standby firewall.

⚫ As shown in the figures, the firewalls act as egress devices of the campus network and are directly connected to the core switches. The two firewalls are configured to work in HSB mode, and the Eth-Trunk links connecting the firewalls and core switches work in active/standby mode. When the active firewall is faulty, the standby firewall takes over services from it and forwards service packets.



Off-Path Deployment of Firewalls

Figure: deploying firewalls in off-path mode. Two firewalls, joined by an HSB heartbeat link, are connected to the border node (CSS/iStack, link aggregation) in off-path mode; the figure traces the traffic from OA PC1 to the Internet and the traffic from OA PC2 to RD PC3.

• In addition to in-path deployment, firewalls can be deployed in off-path mode. Generally, off-path deployment of firewalls is selected based on the following principles:
 Whether traffic passes through a firewall can be flexibly defined.
 Expansion is easy, for example, in the network reconstruction scenario.
 A firewall fault has little impact on services.
• On a campus network:
 If a firewall is used as the egress gateway, the firewall usually provides functions such as security policies, NAT, and VPN gateway. If the north-south traffic must pass through the firewall and if scalability is not considered, in-path deployment is recommended for the firewall.
 If a router is used as the egress gateway and the firewall only provides advanced security functions, such as intrusion prevention, antivirus, and URL filtering, off-path deployment can be used for the firewall.



Egress Routing Design: In-Path Firewall Deployment
⚫ Routes between a firewall and core switch include routes from the campus intranet to external networks on the core switch as well as return routes from external networks to the campus intranet on the firewall.
 If a firewall is deployed in in-path mode, you are advised to configure static routes for communication between the core switch and firewall.

Figure: the FW sits in path between the Internet and the border node. FW public system: GE0/0/1 1.2.3.3 toward the Internet gateway 1.2.3.4, Virtual-if0; vsys1 (Virtual-if1) with VLANIF11 10.11.0.1 and vsys2 (Virtual-if2) with VLANIF12 10.12.0.1 facing the border node; on the border node, VLANIF11 10.11.0.254 belongs to VRF1 and VLANIF12 10.12.0.254 belongs to VRF2. Note: In this example, the border node is interconnected with external networks in L3 exclusive egress mode.

Route design for intranet users to access the Internet:
• Routes for traffic from intranet users to the Internet:
1. Border: default static VPN route, with the next hop being the IP address of the private network interface VLANIF11 of vsys1.
2. vsys1: default static route, with the next hop being Public, which directs traffic from intranet users to the Internet to the public system.
3. FW: default static route, with the next hop being the public network gateway address.
• Return route:
▫ vsys1: static route, with the next hop being the IP address of the Layer 3 interface corresponding to VRF1 on the border node, which diverts return traffic from the Internet to users in vsys1 to the intranet.


• Routes for the traffic from intranet users to the Internet:
▫ [Border] ip route-static vpn-instance vpn1 0.0.0.0 0 10.11.0.1
▫ [vsys1] ip route-static 0.0.0.0 0 public
▫ [FW] ip route-static 0.0.0.0 0 1.2.3.4
• Return route:
▫ [vsys1] ip route-static 10.11.0.0 24 10.11.0.254
▫ Note: No return route needs to be configured for the return traffic in the public system. After a return packet matches the session table in the public system, the packet is directly forwarded to vsys1 for processing.
Egress Routing Design: Off-Path Firewall Deployment
⚫ In the scenario where the firewall is deployed in off-path mode:
 It is recommended that static routes be configured for communication between the core switch and firewall.
 It is recommended that a dynamic routing protocol (OSPF) be configured for communication between the core switch and egress router.

Figure: the AR is the egress device (GE0/0/1 1.2.3.3 toward the Internet gateway 1.2.3.4; GE0/0/2 10.2.0.1 toward the border node's GE0/0/2 10.2.0.254). The FW hangs off the border node through its physical interface GE0/0/1: border VLANIF10 10.10.0.254 (public) faces FW VLANIF10 10.10.0.1 (public system, Virtual-if0); border VLANIF11 10.11.0.254 (VRF1) faces FW VLANIF11 10.11.0.1 (vsys1, Virtual-if1); border VLANIF12 10.12.0.254 (VRF2) faces FW VLANIF12 10.12.0.1 (vsys2, Virtual-if2). Note: In this example, the border node is interconnected with external networks in L3 exclusive egress mode.

Route design for intranet users to access the Internet:
• Routes for traffic from intranet users to the Internet:
1. Border: default static VPN route, with the next hop being the IP address of the private network interface VLANIF11 of vsys1.
2. vsys1: default static route, with the next hop being Public, which directs traffic from intranet users to the Internet to the public system.
3. FW: default static route, with the next hop being the address of VLANIF10 on the border node.
4. Border: Deploy a dynamic routing protocol between the border node and AR to implement interworking and enable access to the Internet.
• Return routes:
▫ Border: static route, with the next hop being the address of VLANIF10 on the FW.
▫ vsys1: static route, with the next hop being the IP address of the Layer 3 interface corresponding to VRF1 on the border node, which diverts return traffic from the Internet to users in vsys1 to the intranet.


• Routes for the traffic from intranet users to the Internet:
▫ [Border] ip route-static vpn-instance vpn1 0.0.0.0 0 10.11.0.1
▫ [vsys1] ip route-static 0.0.0.0 0 public
▫ [FW] ip route-static 0.0.0.0 0 10.10.0.254
• Return routes:
▫ [Border] ip route-static 10.11.0.0 24 10.10.0.1
▫ [vsys1] ip route-static 10.11.0.0 24 10.11.0.254
▫ Note: No return route needs to be configured for the return traffic in the public system. After a return packet matches the session table in the public system, the packet is directly forwarded to vsys1 for processing.
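To check that the forward and return routes of the in-path and off-path designs above fit together, here is an added Python model (not Huawei code) that loads the static routes from both slides, resolves each next hop to the device and instance that owns it, and traces a packet hop by hop; the session-table hand-off in the public system is modeled as the note describes. The Internet address 203.0.113.10, the user address 10.11.0.5, the AR's table, and the OSPF-learned default route on the border node are assumptions of this example.

```python
"""Trace the egress static-route design (added example, not Huawei code).

Each routing table is a list of (prefix, next_hop) pairs taken from the
ip route-static commands on the slides. A next hop of "public" hands the
packet to the firewall's public system, "connected" delivers it locally,
and an IP next hop is resolved to the device/instance that owns it.
"""
import ipaddress

INTERNET = ("Internet", None)

# In-path firewall: Border VRF (vpn1) -> FW vsys1 -> FW public -> Internet.
INPATH = {
    "routes": {
        ("Border", "vpn1"): [("0.0.0.0/0", "10.11.0.1"), ("10.11.0.0/24", "connected")],
        ("FW", "vsys1"): [("0.0.0.0/0", "public"), ("10.11.0.0/24", "10.11.0.254")],
        ("FW", "public"): [("0.0.0.0/0", "1.2.3.4")],
    },
    "next_hops": {
        "10.11.0.1": ("FW", "vsys1"),       # VLANIF11 of vsys1
        "10.11.0.254": ("Border", "vpn1"),  # VLANIF11 on the border node (VRF1)
        "1.2.3.4": INTERNET,                # public network gateway
    },
}

# Off-path firewall: the FW public system returns traffic to the border
# node's global table, which reaches the AR (and the Internet) over OSPF.
OFFPATH = {
    "routes": {
        ("Border", "vpn1"): [("0.0.0.0/0", "10.11.0.1"), ("10.11.0.0/24", "connected")],
        ("FW", "vsys1"): [("0.0.0.0/0", "public"), ("10.11.0.0/24", "10.11.0.254")],
        ("FW", "public"): [("0.0.0.0/0", "10.10.0.254")],
        # Default route learned from the AR via OSPF (modeled as a static entry
        # here, an assumption) plus the static return route toward the FW.
        ("Border", "public"): [("0.0.0.0/0", "10.2.0.1"), ("10.11.0.0/24", "10.10.0.1")],
        ("AR", "public"): [("0.0.0.0/0", "1.2.3.4")],  # assumed AR table
    },
    "next_hops": {
        "10.11.0.1": ("FW", "vsys1"),
        "10.11.0.254": ("Border", "vpn1"),
        "10.10.0.254": ("Border", "public"),  # VLANIF10 on the border node
        "10.10.0.1": ("FW", "public"),        # VLANIF10 on the FW
        "10.2.0.1": ("AR", "public"),         # GE0/0/2 on the AR
        "1.2.3.4": INTERNET,
    },
}


def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(design, start, dst, sessions=()):
    """Follow dst hop by hop from the (device, instance) pair `start`.

    `sessions` lists intranet addresses that have an entry in the public
    system's session table: a return packet to one of them is handed straight
    to vsys1 without a route lookup, as the slide's note describes.
    Returns (hops, status) with status in internet/delivered/no-route/loop.
    """
    hops, here = [start], start
    for _ in range(8):  # guard against forwarding loops
        if here == INTERNET:
            return hops, "internet"
        if here == ("FW", "public") and dst in sessions:
            here = ("FW", "vsys1")
            hops.append(here)
            continue
        next_hop = lookup(design["routes"][here], dst)
        if next_hop is None:
            return hops, "no-route"
        if next_hop == "connected":
            return hops, "delivered"
        here = ("FW", "public") if next_hop == "public" else design["next_hops"][next_hop]
        hops.append(here)
    return hops, "loop"


if __name__ == "__main__":
    for name, design in (("in-path", INPATH), ("off-path", OFFPATH)):
        print(name, "forward:", trace(design, ("Border", "vpn1"), "203.0.113.10"))
        entry = ("FW", "public") if name == "in-path" else ("Border", "public")
        print(name, "return:", trace(design, entry, "10.11.0.5", sessions={"10.11.0.5"}))
```

Dropping the vsys1 return route from the in-path design makes the return trace bounce between the public system and vsys1, which the model reports as a loop; that is the misconfiguration the return route on the slide exists to prevent.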
Security Zone Design
⚫ A security zone, also known as a zone, is a collection of networks connected through one or more interfaces, where users have the
same security attributes. There are typically three types of security zones: Trust, DMZ, and Untrust.
 The Trust zone is a security zone with a high security level. It is typically used to define the zone where intranet users are located.
 The DMZ is a security zone with a medium security level. It is typically used to define the zone where the servers that need to provide services for
external networks are located.

 The Untrust zone is a security zone with a low security level. It is typically used to define insecure networks such as the Internet.

Figure: security zone planning. The Internet and WAN are in the Untrust zone, the data center is in the DMZ, and the campus fabric is in the Trust zone, with firewalls at the campus egress and in front of the data center.

Security zone planning:
• A campus intranet is considered secure, but is faced with security threats from the outside. Therefore, assign the Internet to the Untrust zone and the campus intranet to the Trust zone. Deploy security devices at the campus network egress to isolate the intranet from the Internet and defend the intranet against external threats. Allocate the data center to the DMZ, and deploy firewalls in the DMZ to isolate traffic between the campus intranet and servers in the data center.


• On a virtualized campus network, when the user gateways are located inside the
fabric, each Layer 3 egress interface for connecting the fabric to an external
network corresponds to a Layer 3 logical interface on the firewall. Each logical
interface can be bound to a security zone. If the user gateways are located
outside a fabric, you need to bind the gateways to security zones based on the
security policies of these gateways.

• Most security policies are implemented based on security zones. Each security
zone identifies a network, and a firewall connects networks. Firewalls use security
zones to divide networks and mark the routes of packets. When packets travel
between security zones, security check is triggered and corresponding security
policies are enforced. Security zones are isolated by default.
Security Policy Design
⚫ After security zones are created on the firewall, these security zones are isolated from each other by default. To
enable communication between security zones (for example, the campus intranet accesses the Internet), you need
to configure Layer 3 connectivity and security policies on the firewall.

Figure: the firewall connects the Internet (Untrust), the WAN, the DMZ, and the intranet VNs (VN1-Trust, VN2-Trust). Security policy 1 (intrusion detection, antivirus) is applied on the path for traffic from VN1 to VN2; security policy 2 (intrusion detection, antivirus, URL filtering) is applied on the path for traffic from the Internet to the DMZ.

Recommended security policy design for common zones:

Traffic Source | Trust Level | Destination Zone | Recommended Security Policies
Internet: external users | Untrusted | DMZ | Intrusion detection, URL filtering, antivirus
Internet: employees on the go | Medium | DMZ | Intrusion detection, URL filtering, antivirus
WAN: enterprise branch | Medium | DMZ | URL filtering, antivirus
Intranet: enterprise employees | High | DMZ | URL filtering, antivirus
Intranet: guests | Low | DMZ | URL filtering, antivirus


• As shown in the figure, after security policies are configured, VNs on the intranet
can communicate with each other, and the external networks can access servers
in the DMZ. In addition, different security protection policies can be applied to
traffic in different security zones.

Overall Security Design

⚫ Campus network security design principles
 There is no absolutely secure network but only more comprehensive protection measures.
 Security is changing dynamically. Different networks have different security requirements. Therefore, on-demand network security design is the best choice.
 Security is a system issue. Security design is required in all aspects of the network. In addition to egress security, campus networks also need to consider intranet security and security compliance.
⚫ Campus network security system
 Egress security
 Intranet security: wired network security and wireless network security

Figure: egress security covers the egress zone; intranet security covers the server zone, core layer, aggregation layer, and access layer (including the CSS/iStack links).

• On a traditional campus network, the intranet is often considered secure, and threats mainly come from external networks. Firewalls are often deployed to ensure security on campus borders. As security challenges increase, border defense at the egress cannot meet requirements. The security model needs to shift from passive into proactive and the security scope needs to be expanded from external networks to the intranet to solve security problems from the source (terminals), improving the enterprise-wide information security level.

Egress Network Security Design

⚫ Network services provided by the campus intranet to external networks, such as the enterprise website access service and email service, may have potential security risks, threatening the security of the campus intranet. It is recommended that the following security services be deployed on the egress firewall of the campus network to protect the network border:
 Assign networks for the employees, server networks, and external networks to different security zones, so as to inspect and protect inter-zone traffic.
 Enable the content security protection functions based on the type of network services provided for external networks by an enterprise. For example, enable antivirus and intrusion prevention for all servers.
 If employees need to access an external network, enable functions such as URL filtering and antivirus to defend against external threats and prevent information leakage, thereby ensuring enterprise network security.

⚫ Egress security solution design:
 Dedicated security devices, such as firewalls and intrusion prevention systems, are recommended.
 Routers with the abovementioned security functions can also be used.
⚫ Security protection functions:

Function | Description
Intrusion prevention | Compares traffic against the intrusion prevention signature database to prevent application-layer attacks, such as buffer overflows, Trojan horses, backdoor attacks, and worms.
Antivirus | Inspects files transmitted on the network for viruses to protect intranets from data breaches and system crashes caused by viruses.
URL filtering | Permits or denies access to URLs to control the online behavior of users.


Wired Network Security Design

Security Risk | Protection Measure
Broadcast storm | Enable traffic suppression and storm control.
DHCP attack | Enable DHCP snooping and configure uplink interfaces as trusted interfaces.
Impersonating legitimate users | Enable IP source guard (IPSG) and dynamic ARP inspection (DAI).
Mutual access | Enable port isolation.
CPU attack | Enable CPU attack defense.
Denial of service (DoS) attack | Enable attack source tracing. Enable port attack defense. Enable user-level rate limiting.
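As an added example (not Huawei switch code), the following Python model shows how the DHCP snooping, IPSG and DAI measures in the table interact on an access switch: DHCP server replies arriving on untrusted user ports are dropped, a binding entry is learned from the DHCP ACK relayed through the trusted uplink, and ARP and IP packets from user ports are forwarded only if their IP address, MAC address, VLAN and port match a binding. Port names, addresses and the packet sequence are constructed.

```python
"""DHCP snooping, IPSG and DAI on an access switch, modeled over constructed
packets (added example, not Huawei switch code). The trusted port is the
uplink toward the authorized DHCP server; user ports are untrusted."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these


@dataclass(frozen=True)
class Binding:
    """One binding entry: the IP a MAC may use, in which VLAN, on which port."""
    ip: str
    mac: str
    vlan: int
    port: str


class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings: Dict[Tuple[str, int], Binding] = {}  # (mac, vlan) -> entry
        self._pending: Dict[Tuple[str, int], str] = {}      # (mac, vlan) -> client port

    def add_static_binding(self, ip: str, mac: str, vlan: int, port: str) -> None:
        """Statically addressed terminals get a manually configured entry."""
        self.bindings[(mac.lower(), vlan)] = Binding(ip, mac.lower(), vlan, port)

    def dhcp(self, port: str, vlan: int, msg: str, client_mac: str,
             yiaddr: Optional[str] = None) -> str:
        """DHCP snooping: return 'forward' or 'drop'; learn a binding from the ACK."""
        if msg in SERVER_MESSAGES and port not in self.trusted:
            return "drop"  # server reply on a user port: a bogus DHCP server
        key = (client_mac.lower(), vlan)
        if msg in ("DISCOVER", "REQUEST"):
            self._pending[key] = port  # remember which user port the client sits on
        elif msg == "ACK" and yiaddr and key in self._pending:
            # The authorized server confirmed the lease: record ip/mac/vlan/port.
            self.bindings[key] = Binding(yiaddr, key[0], vlan, self._pending.pop(key))
        return "forward"

    def _bound(self, port: str, vlan: int, ip: str, mac: str) -> bool:
        entry = self.bindings.get((mac.lower(), vlan))
        return entry is not None and entry.ip == ip and entry.port == port

    def arp(self, port: str, vlan: int, sender_ip: str, sender_mac: str) -> str:
        """DAI: an ARP packet from a user port passes only if sender IP, sender
        MAC, VLAN and port match a binding entry (this example applies DAI and
        IPSG to untrusted ports only)."""
        if port in self.trusted:
            return "forward"
        return "forward" if self._bound(port, vlan, sender_ip, sender_mac) else "drop"

    def ip_packet(self, port: str, vlan: int, src_ip: str, src_mac: str) -> str:
        """IPSG: the same binding check applied to IP traffic from user ports."""
        if port in self.trusted:
            return "forward"
        return "forward" if self._bound(port, vlan, src_ip, src_mac) else "drop"


if __name__ == "__main__":
    sw = AccessSwitch(trusted_ports=["GE0/0/24"])  # constructed port names
    sw.dhcp("GE0/0/1", 10, "DISCOVER", "00:aa:bb:cc:dd:01")
    sw.dhcp("GE0/0/24", 10, "ACK", "00:aa:bb:cc:dd:01", yiaddr="10.1.10.20")
    print(sw.bindings)
    print("spoofed gateway ARP:", sw.arp("GE0/0/1", 10, "10.1.10.1", "00:aa:bb:cc:dd:01"))
```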


• Security measures:
▫ Enable traffic suppression and storm control.
▪ Control broadcast, multicast, and unknown unicast packets to prevent
broadcast storms. Traffic suppression limits the traffic using the
configured threshold, and storm control blocks the traffic by shutting
down interfaces.
▫ Enable DHCP snooping and configure uplink interfaces as trusted interfaces.
▪ DHCP snooping defends against bogus DHCP server attacks, DHCP
server DoS attacks, bogus DHCP packet attacks, and other DHCP
attacks. DHCP snooping allows administrators to configure trusted
and untrusted interfaces, so DHCP clients can obtain IP addresses
from authorized DHCP servers. A trusted interface forwards the DHCP
packets it receives, whereas an untrusted interface discards the DHCP
ACK packets and DHCP Offer packets received from a DHCP server.
▪ An interface directly or indirectly connected to the DHCP server
trusted by the administrator needs to be configured as a trusted
interface, and other interfaces are configured as untrusted interfaces.
This ensures that DHCP clients obtain IP addresses only from
authorized DHCP servers and prevents bogus DHCP servers from
assigning IP addresses to DHCP clients.
▫ Enable IPSG and DAI.
▪ IPSG prevents unauthorized hosts from using IP addresses of
authorized hosts or specified IP addresses to access or attack the
network.
▪ You can configure DAI to defend against man-in-the-middle (MITM)
attacks and prevent theft of authorized user information. When a
device receives an ARP packet, it matches the source IP address,
source MAC address, VLAN ID, and interface number of the ARP
packet against binding entries. If a match is found, the device
considers the ARP packet valid and allows it to pass through.
Otherwise, the device discards the packet.
▫ Enable port isolation.
▪ You are advised to configure port isolation on the interfaces
connecting an access switch to terminals. This configuration secures
user communication and prevents invalid broadcast packets from
affecting user services.
▫ Enable CPU attack defense.
▪ CPU attack defense limits the rate of packets sent to the CPU so that
only a limited number of packets are sent to the CPU within a certain
period of time. This ensures that the CPU can properly process
services.
▪ Control Plane Committed Access Rate (CPCAR) is the core of CPU
attack defense. CPCAR limits the rate of protocol packets sent to the
control plane to ensure security of the control plane.
▫ Enable attack source tracing.
▪ Attack source tracing defends against DoS attacks. A device enabled
with attack source tracing analyzes packets sent to the CPU, collects
statistics on the packets, and allows a user to set a packet rate
threshold for the packets. Packets sent at a threshold-crossing rate
are considered as attack packets. The device finds the source user
address or source interface of the attacker by analyzing the attack
packets and generates logs or alarms to alert a network
administrator. The network administrator then takes measures to
defend against the attack or configure the device to discard packets
sent by the attack source.
▫ Enable port attack defense.
▪ Port attack defense is an anti-DoS attack method. It defends against
attacks based on ports and prevents protocol packets on ports from
occupying bandwidth and causing other packets to be discarded.
▪ By default, port attack defense is enabled on the device for common
user protocol packets, such as ARP, ICMP, DHCP, and IGMP packets. If
a user attack occurs, the device restricts the attack impact within the
port, reducing the impact on other ports.
▫ Enable user-level rate limiting.
▪ User-level rate limiting identifies users based on MAC addresses, and
rate-limits specified protocol packets, such as ARP, ND, DHCP
Request, DHCPv6 Request, IGMP, 802.1X, and HTTPS-SYN packets. If a
user undergoes a DoS attack, other users are not affected.
▪ Host CAR is the core of user-level rate limiting. By default, user-level
rate limiting is enabled.
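The three binding-table defenses above (DHCP snooping, DAI, and IPSG) share one mechanism: a binding of IP address, MAC address, VLAN, and port is learned from DHCP exchanges answered on a trusted port, and later ARP and IP packets arriving on untrusted ports are checked against it. The following Python model is an added example, not Huawei VRP code or configuration; the switch, port names, MAC addresses, and packet records are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry: IP, MAC, VLAN and the client's access port."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    """Toy access switch: DHCP snooping, DAI and IPSG applied on untrusted ports."""
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> Binding
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> port that sent DISCOVER/REQUEST
    log: list = field(default_factory=list)

    def handle_dhcp(self, pkt):
        """DHCP snooping. Server messages (OFFER/ACK/NAK) are accepted only on
        trusted ports, so a bogus server on an access port cannot answer clients.
        A client's DISCOVER/REQUEST records its ingress port; the matching ACK
        arriving on the trusted uplink turns that into a binding entry."""
        key = (pkt["client_mac"], pkt["vlan"])
        if pkt["msg"] in ("OFFER", "ACK", "NAK"):
            if pkt["in_port"] not in self.trusted_ports:
                self.log.append(f"dhcp-snooping: drop {pkt['msg']} from untrusted {pkt['in_port']}")
                return False
            if pkt["msg"] == "ACK" and key in self.pending:
                self.bindings[key] = Binding(pkt["yiaddr"], key[0], key[1], self.pending.pop(key))
            return True
        self.pending[key] = pkt["in_port"]   # DISCOVER/REQUEST from a client
        return True

    def _bound(self, mac, ip, vlan, port):
        """True if (mac, ip, vlan, port) exactly matches a binding entry."""
        b = self.bindings.get((mac, vlan))
        return b is not None and b.ip == ip and b.port == port

    def handle_arp(self, pkt):
        """DAI: on an untrusted port the sender IP/MAC/VLAN/port of an ARP packet
        must match a binding entry; otherwise it is treated as spoofing."""
        if pkt["in_port"] in self.trusted_ports:
            return True
        ok = self._bound(pkt["sender_mac"], pkt["sender_ip"], pkt["vlan"], pkt["in_port"])
        if not ok:
            self.log.append(f"dai: drop ARP {pkt['sender_ip']}/{pkt['sender_mac']} on {pkt['in_port']}")
        return ok

    def handle_ip(self, pkt):
        """IPSG: IP packets on an untrusted port must carry a bound source IP/MAC."""
        if pkt["in_port"] in self.trusted_ports:
            return True
        ok = self._bound(pkt["src_mac"], pkt["src_ip"], pkt["vlan"], pkt["in_port"])
        if not ok:
            self.log.append(f"ipsg: drop IP {pkt['src_ip']}/{pkt['src_mac']} on {pkt['in_port']}")
        return ok


def run_demo():
    """Replays a constructed packet sequence and returns the per-packet verdicts."""
    sw = AccessSwitch(trusted_ports={"GE0/0/24"})        # uplink towards the real DHCP server
    client = "00:11:22:33:44:55"
    v = {}
    v["discover"] = sw.handle_dhcp({"msg": "DISCOVER", "client_mac": client, "vlan": 10, "in_port": "GE0/0/1"})
    # a rogue DHCP server on access port GE0/0/2 answers first: dropped by snooping
    v["rogue_offer"] = sw.handle_dhcp({"msg": "OFFER", "client_mac": client, "vlan": 10,
                                       "in_port": "GE0/0/2", "yiaddr": "10.1.10.200"})
    v["real_ack"] = sw.handle_dhcp({"msg": "ACK", "client_mac": client, "vlan": 10,
                                    "in_port": "GE0/0/24", "yiaddr": "10.1.10.5"})
    # legitimate ARP from the bound client on its own port
    v["arp_ok"] = sw.handle_arp({"sender_ip": "10.1.10.5", "sender_mac": client, "vlan": 10, "in_port": "GE0/0/1"})
    # MITM attempt: a host on GE0/0/2 claims the gateway address 10.1.10.1
    v["arp_spoof"] = sw.handle_arp({"sender_ip": "10.1.10.1", "sender_mac": "66:77:88:99:aa:bb",
                                    "vlan": 10, "in_port": "GE0/0/2"})
    # address theft: a host on GE0/0/2 reuses the client's IP and MAC
    v["ip_theft"] = sw.handle_ip({"src_ip": "10.1.10.5", "src_mac": client, "vlan": 10, "in_port": "GE0/0/2"})
    v["ip_ok"] = sw.handle_ip({"src_ip": "10.1.10.5", "src_mac": client, "vlan": 10, "in_port": "GE0/0/1"})
    return v, sw


if __name__ == "__main__":
    verdicts, switch = run_demo()
    print(verdicts)
    print(*switch.log, sep="\n")
```

The model makes the design rule visible: the binding is only as good as the trusted-port list, so an access port wrongly configured as trusted lets a rogue server populate the table and everything downstream (DAI, IPSG) then agrees with the attacker.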
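CPCAR and host CAR above are both rate limiters in front of the CPU; they differ in what the limiter is keyed on. CPCAR bounds the aggregate rate per protocol, while host CAR gives each source MAC its own budget, so one flooding user exhausts only its own share and cannot starve the other users' ARP, DHCP, or IGMP packets. The following Python simulation is an added example, not Huawei code; the rates, MAC addresses, and traffic pattern are constructed. It also records per-source drops, which is the counting that attack source tracing builds on.

```python
class TokenBucket:
    """Token bucket with integer arithmetic: rate in packets per second, burst in
    packets, time in milliseconds. Tokens are kept in thousandths so that a
    refill of rate/1000 packets per millisecond stays exact."""

    def __init__(self, rate_pps, burst):
        self.rate = rate_pps
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, now_ms):
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class ControlPlaneGuard:
    """Two-stage admission for packets punted to the CPU:
    stage 1 (host CAR): one bucket per (source MAC, protocol);
    stage 2 (CPCAR):    one bucket per protocol for everything that passed stage 1."""

    def __init__(self, cpcar, host_car=None):
        self.cpcar = {p: TokenBucket(*cfg) for p, cfg in cpcar.items()}
        self.host_cfg = host_car or {}
        self.host = {}      # (mac, protocol) -> TokenBucket, created on first packet
        self.drops = {}     # mac -> dropped packets, the statistics attack source tracing works on

    def punt(self, mac, proto, now_ms):
        if proto in self.host_cfg:
            bucket = self.host.setdefault((mac, proto), TokenBucket(*self.host_cfg[proto]))
            if not bucket.allow(now_ms):
                return self._drop(mac)
        if proto in self.cpcar and not self.cpcar[proto].allow(now_ms):
            return self._drop(mac)
        return True

    def _drop(self, mac):
        self.drops[mac] = self.drops.get(mac, 0) + 1
        return False

    def suspects(self, threshold):
        """Attack source tracing: sources whose drop count crossed the threshold."""
        return sorted(mac for mac, n in self.drops.items() if n >= threshold)


ATTACKER = "aa:aa:aa:aa:aa:01"
USERS = ["00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"]


def build_events():
    """Constructed one-second trace: the attacker sends 1000 ARP packets (one per
    millisecond); each legitimate user sends 5 ARP packets 200 ms apart. Sorting
    puts the attacker first at equal timestamps, the worst case for the users."""
    events = [(ms, 0, ATTACKER) for ms in range(1000)]
    for i, mac in enumerate(USERS):
        events += [(ms, 1 + i, mac) for ms in range(0, 1000, 200)]
    return sorted(events)


def simulate(with_host_car):
    """Returns accepted packets per MAC and the guard (for its drop statistics)."""
    guard = ControlPlaneGuard(cpcar={"ARP": (100, 100)},
                              host_car={"ARP": (10, 10)} if with_host_car else None)
    accepted = {}
    for ms, _, mac in build_events():
        if guard.punt(mac, "ARP", ms):
            accepted[mac] = accepted.get(mac, 0) + 1
    return accepted, guard


if __name__ == "__main__":
    for mode in (False, True):
        acc, g = simulate(mode)
        print("host CAR" if mode else "CPCAR only", acc, "suspects:", g.suspects(500))
```

With CPCAR alone the per-protocol bucket is drained by the attacker and each legitimate user gets only its first packet through; with host CAR in front, the attacker is held to its own 10 pps budget (19 packets in the second: a burst of 10 plus the refill), every legitimate user gets all 5 packets, and the drop counter singles out the attacker's MAC for tracing.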
Overview of Wireless Network Security Design

⚫ On a WLAN, service data is transmitted over radio signals. Such an open channel exposes service data to interception and tampering in transit and to threats such as rogue STAs, spoofing APs, and DoS attacks from malicious terminals.
⚫ In addition to the security risks of wired networks, wireless networks also face risks on the wireless air interface. Wireless network security design therefore focuses on air interface security.
⚫ WLAN security design involves the following:
 Air interface security: identifies and defends against attacks such as rogue APs, rogue STAs, unauthorized ad-hoc networks, and DoS attacks.
 STA access security: ensures the validity and security of STAs' access to the WLAN.
 Service security: protects service data of authorized users from being intercepted by unauthorized users during transmission.

[Figure: campus network with an egress zone, core layer, aggregation layer, and access layer (switches stacked with CSS/iStack links). Threats shown: a rogue AP through which a rogue STA goes online, and illegal data theft from STAs accessing the WLAN.]


Wireless Network Security Design

⚫ Wireless air interface security design:
Security Risk | Defense Measure
Wireless attack and spoofing | WIDS; WIPS; attack detection
Unencrypted management frames | Protected management frame (PMF)

⚫ STA access security design:
Security Risk | Defense Measure
Air interface encryption and access authentication | WPA/WPA2; WAPI
Terminal access security | STA blacklist and whitelist
Brute-force cracking | Brute-force attack defense and dynamic blacklist

⚫ Wireless service security design:
 The wired network between APs and ACs also faces the common security threats of IP networks, for example, interception, tampering, and spoofing.
 To improve data transmission security, CAPWAP tunnels between APs and ACs support Datagram Transport Layer Security (DTLS) encryption, including DTLS encryption of CAPWAP management tunnels, DTLS encryption of CAPWAP service data tunnels, encryption of sensitive information, and integrity check.

• Wireless air interface security design:


▫ The Wireless Intrusion Detection System (WIDS) can detect rogue and
interfering APs, bridges, and STAs, as well as ad-hoc devices.

▫ The Wireless Intrusion Prevention System (WIPS) can disconnect authorized


users from rogue APs, disconnect rogue and interfering devices from the
WLAN, and contain such devices.
▫ Attack detection: The WIDS and WIPS can also detect attacks such as flood
attacks, weak initialization vector (IV) attacks, spoofing attacks, brute force
WPA/WPA2/WAPI pre-shared key (PSK) cracking, and brute force WEP
shared key cracking in a timely manner. The two systems then record logs,
statistics, and alarms to notify network administrators of such attacks. The
WLAN device adds devices that initiate flood attacks and brute force key
cracking attacks to the dynamic blacklist and rejects packets from such
devices within the aging time of the dynamic blacklist.
▫ PMF: Management frames on a WLAN are not encrypted, which may cause
security problems. The PMF standard is released by the Wi-Fi Alliance based
on IEEE 802.11w. It aims to apply security measures defined in WPA2 to
unicast and multicast management action frames to improve network
trustworthiness.
• STA access security design:
▫ Four WLAN security policies are available: Wired Equivalent Privacy (WEP),
Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and
Privacy Infrastructure (WAPI). Each security policy has a series of security
mechanisms, including link authentication used to establish a wireless link,
user authentication used when users attempt to connect to a wireless
network, and data encryption used during service transmission.
▪ WEP uses a shared key to authenticate users and encrypt service
packets. Because the WEP key can be recovered with little effort, the
WEP security policy is not recommended due to its low security.
▪ WLAN devices support the STA blacklist and whitelist function to filter
access requests from STAs based on specified rules, allowing
authorized STAs to access the WLAN and rejecting unauthorized STAs.
▪ When a WLAN uses WPA/WPA2-PSK, WAPI-PSK, or WEP-Shared-Key
as the security policy, attackers can recover the key by brute force.
Defense against brute-force key cracking prolongs the time an attacker
needs to recover the key.
▫ The STA access security design is to properly plan and design the access
policies of STAs, securing and facilitating STA access.
▫ The following is an example of the STA access authentication policy. The
following access authentication modes are recommended on enterprise
wireless networks:
▪ Enterprise employees: WPA/WPA2-802.1X authentication
▪ Guests: WPA/WPA2-PPSK or Portal authentication
▪ Dumb terminals: MAC address authentication
▫ In addition, if users do not need to communicate with each other, it is
recommended that user isolation be configured.
• Wireless service security design:
▫ Sensitive information encryption: When sensitive information is transmitted
between an AP and an AC, the information can be encrypted to ensure
security. Sensitive information includes the FTP user name, FTP password,
AP login user name, AP login password, and service configuration key.
During inter-AC roaming, the sensitive information encryption function can
also be configured to protect data transmitted between ACs.
▫ Integrity check: When CAPWAP packets are transmitted between an AP and
an AC, these packets may be forged or tampered with or attackers may
construct malformed packets to launch attacks. Integrity check can protect
CAPWAP packets between the AP and AC. If the AP and AC are both
located on the intranet, this function does not need to be enabled. It is
recommended that this function be enabled when the AP is connected to
the AC across the Internet or the ACs are distributed across the Internet.
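The brute-force risk noted above for WPA/WPA2-PSK can be made concrete. In WPA2-Personal the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations); the PTK is derived from the PMK, both MAC addresses, and both nonces; and the first 16 bytes of the PTK (the KCK) authenticate the 4-way handshake messages with an HMAC-SHA1 MIC. Everything except the passphrase is visible in a captured handshake, so an attacker can test candidate passphrases offline by recomputing the MIC. The Python script below is an added example, not Huawei code: it stands in for a sniffer by computing the STA-side MIC itself, and the SSID, MAC addresses, nonces, and EAPOL frame are constructed. The caveat for the design above: the dynamic blacklist and brute-force defense slow down online guessing against the AP, but an attack on a captured handshake runs offline at the attacker's own pace, which is why 802.1X is the recommended mode for employees and a PSK, where it is unavoidable, must be long and random.

```python
import hashlib
import hmac

# Constructed capture parameters (not from a real network)
SSID = b"CorpGuest"
AP_MAC = bytes.fromhex("001122334455")      # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")     # supplicant address (SPA)
ANONCE = bytes(range(32))
SNONC = None  # placeholder kept out of use; see SNONCE below
SNONCE = bytes(range(32, 64))


def pmk(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk(pmk_bytes, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk_bytes, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, eapol_frame):
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_message2(snonce):
    """Constructed EAPOL-Key message 2 (RSN descriptor, MIC field zeroed, empty key data)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def capture_handshake(passphrase):
    """Stands in for a sniffed 4-way handshake: everything returned here except
    the passphrase itself is sent in clear over the air."""
    kck = ptk(pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame = build_message2(SNONCE)
    return {"ssid": SSID, "aa": AP_MAC, "spa": STA_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": frame, "mic": eapol_mic(kck, frame)}


def crack(capture, wordlist):
    """Offline dictionary attack: recompute the MIC for each candidate passphrase."""
    for candidate in wordlist:
        kck = ptk(pmk(candidate, capture["ssid"]), capture["aa"], capture["spa"],
                  capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    cap = capture_handshake("sunshine2019")
    print(crack(cap, ["password", "letmein", "sunshine2019", "welcome1"]))
```

Each candidate costs one PBKDF2 run of 4096 iterations, which is the only thing standing between a dictionary and the key; no packet ever reaches the AP during the search, so nothing on the AC side can observe or blacklist it.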
QoS Design
⚫ In addition to traditional data services such as web, email, and FTP services, large and medium-sized campus
networks also transmit services such as video surveillance, video conferencing, voice call, and production scheduling,
which have specific requirements on bandwidth, latency, and jitter. For example, video surveillance and video
conferencing require high bandwidth, low latency, and low jitter. The voice service does not require high bandwidth,
but requires low latency. When congestion occurs, the voice service must be processed first.
⚫ Quality of Service (QoS) is designed to provide different levels of service quality during transmission of data flows
to meet requirements of different services for performance indicators such as bandwidth, latency, jitter, packet loss
ratio, and throughput. A variety of QoS technologies can be used to improve the network service quality, such as
priority mapping, traffic policing, traffic shaping, queue scheduling, and congestion avoidance. These technologies
enable the network to deliver an optimal user experience with limited resources.
⚫ The QoS design process consists of requirement survey and analysis, traffic classification design, and scheduling
policy design.

Requirement Survey and Analysis

⚫ Before deploying QoS, you must be familiar with the services on the network as well as the traffic model and QoS requirements of each service. This is the basis for designing QoS policies correctly, so that QoS guarantee can be provided for each service.
⚫ Content and purpose of the QoS requirement survey:
Requirement Type | Key Points of Requirement Survey | Survey Purpose
Current network situation | Traffic models of the various services and the E2E forwarding path of each service, including forwarding paths in normal and abnormal conditions. | To determine where to deploy QoS policies.
Current network situation | Bandwidth bottleneck points on the network and the interface bandwidth at each bottleneck point. | To determine whether to deploy QoS policies or expand the network capacity.
QoS requirements | Control services, multimedia services, and other important services that need special attention. | To understand the traffic types and the QoS requirements of each traffic type.
QoS requirements | Characteristics by which network devices can identify each type of traffic. For example, check whether voice traffic uses a standard signaling protocol such as SIP or H.323 or a proprietary one, whether traffic is originated from or destined for a specific interface of a specific server, and whether traffic is originated from or destined for a specific host network segment. | To understand the traffic types and the QoS requirements of each traffic type.
QoS requirements | Bandwidth requirements of important services. For example, multimedia services from different vendors at different bit rates require different bandwidths so that the audio or video can be transmitted smoothly. | To understand the traffic types and the QoS requirements of each traffic type.
QoS requirements | Processing policies for different multimedia applications. For example, some enterprises require that online videos on the intranet be guaranteed while work-irrelevant online videos on the Internet are not. | To understand the traffic types and the QoS requirements of each traffic type.


Traffic Classification Design (1)

⚫ Services carried on a large- or medium-sized campus network include voice, video, and data services as well as the network protocol control signaling required for transmitting the service data.
⚫ The QoS metrics of these services are bandwidth, packet loss rate, latency, and jitter. Bandwidth can be allocated directly through configured parameters, whereas packet loss rate, latency, and jitter cannot be set directly; they can only be influenced through queue scheduling and congestion management.
⚫ Characteristics and QoS requirements of common services:
Service Category | Typical Application or Protocol | Packet Loss Tolerance | Latency Tolerance | Jitter Tolerance
Network protocols | Link-layer loop prevention protocols, routing protocols, multicast group management protocols, and other protocols designed for network connectivity and interoperability. | Low | Low | Allowed
Management protocols | Protocols used by network administrators for monitoring network devices, delivering configurations, and diagnosing faults. | Low | Low | Allowed
VoIP data flow | Real-time voice calls over IP networks. The network must provide low latency and low jitter to ensure service quality. | Very low | Very low | Very low
Voice signaling | Signaling protocols for controlling VoIP calls and establishing communication channels. Signaling protocols have a lower priority than VoIP data flows because intermittent voice is often considered worse than call failure. | Low | Low | Allowed
Multimedia conferencing | Multiple parties share camera feeds and screens over IP networks. The protocols or applications provide adaptive bit rate: when network quality is poor, the system automatically decreases the bit rate and image quality to keep video communication smooth. | Low or medium | Very low | Low

• Service category examples:


▫ Network protocols: STP, OSPF, IGMP, etc.
▫ Management protocols: ICMP, SNMP, Telnet, etc.

▫ Voice signaling: signaling protocols such as SIP, H.323, H.248, and Media
Gateway Control Protocol (MGCP).
Traffic Classification Design (2)

⚫ Characteristics and QoS requirements of common services (continued):
Service Category | Typical Application or Protocol | Packet Loss Tolerance | Latency Tolerance | Jitter Tolerance
Gaming | The network is required to provide online interactive applications with a low packet loss rate, low latency, and low jitter to ensure fast and accurate response during gaming. | Low | Very low | Low
Streaming media | Online audio and video streaming. Audio and video programs are produced in advance and buffered on local terminals before being played, so they have lower requirements on network delay, packet loss, and jitter. | Low or medium | Medium | Allowed
Online live telecasting | Unlike streaming media, live telecast data is sent and received in real time. Although terminals buffer the stream, the network is required to provide a low packet loss rate and low jitter to meet real-time requirements and ensure good experience. | Very low | Medium | Low
Low-latency data services | Data services for which users are waiting for output. | Low | Low or medium | Allowed
Bandwidth-intensive services | Network services that transmit a large amount of data over a long period of time. | Low | Medium or high | Allowed
Common services | Basic services that are not so important and have no special requirements on enterprise networks. | No special requirements | No special requirements | No special requirements
Low-priority services | Services of no concern or importance to the enterprise. | High | High | Allowed

• Service category examples:
▫ Gaming: for example, online games that transmit operation instructions over RTP or UDP, which places higher requirements on the network.
▫ Low-latency data services: for example, an online ordering system, on which long delays may reduce enterprise revenue and efficiency.
▫ Bandwidth-intensive services: for example, FTP, database backup, and file dump.
▫ Common services: for example, mail and web browsing.
▫ Low-priority services: for example, network applications irrelevant to work, such as social networking and entertainment videos.
Scheduling Policy Design

⚫ The design of traditional QoS scheduling policies covers both wired networks and WLANs. The design for WLANs focuses on policies related to STA services.

Scheduling policy design for wired networks:
• The basic principle of traditional QoS design for wired networks is to mark or re-mark packets at the boundaries of DiffServ domains and perform bandwidth control.
• Devices within the same DiffServ domain only need to schedule packets in queues based on the priorities marked by the boundary nodes.
• Service deployment typically involves the following:
 Traffic identification at the access layer
 DiffServ deployment at the aggregation or core layer
 Bandwidth control on the egress firewall

Scheduling policy design for WLANs:
• The network efficiency of WLANs is lower than that of wired networks, and STAs are more sensitive to user experience. Therefore, consider the following when designing QoS policies for STAs:
 User bandwidth
 Channel preemption
 Signal strength of the APs to which STAs are associated
 Multicast service experience
 VIP user experience

• Scheduling policy design for wired networks:


▫ Traffic identification at the access layer: Access switches function as
boundary switches. The switches identify, classify, and mark data flows at
the user side. In actual deployments, different interfaces on access switches
are connected to different terminals, and different priorities can be
allocated to different services on the access switches. Then traffic of the
services can be scheduled based on the priorities.

▫ DiffServ deployment at the aggregation or core layer: Interfaces on
aggregation and core switches are configured to trust DSCP or 802.1p
priorities and enforce QoS policies based on priorities marked at the access
layer. This ensures that high-priority services are scheduled first. A switch
interface trusts 802.1p priorities by default.
▫ Bandwidth control on the egress device: Egress devices are also located in
the DiffServ domain and are configured to trust DSCP or 802.1p priorities of
packets and implement QoS policies. Due to egress bandwidth limits, you
need to consider differences when setting bandwidth parameters for WAN
interfaces of egress devices. Additionally, QoS policies of egress devices vary
according to the enterprise WAN construction mode.
▪ WAN QoS policies can be managed by an enterprise itself in the
following scenarios: enterprise-built WAN, private line built using
leased fibers, and customized enterprise QoS policies applied to the
carrier WAN. In these scenarios, egress or PE devices do not need to
re-mark traffic.

▪ WAN QoS policies are not controlled by an enterprise itself in the
following scenarios: The enterprise leases the private line network of a
carrier, and the carrier does not trust the packet marking on the
enterprise network or the two parties have different definitions for the
same packet marking. Thus, egress devices on the campus network
need to re-mark traffic.

• Scheduling policy design for WLANs:

▫ The maximum bandwidth of a single user can be limited based on service
requirements. If multiple SSIDs are planned, the total bandwidth of
non-critical SSIDs can be limited.

▫ In high-density scenarios, many users preempt channel resources. As a
result, the Internet access service of each user deteriorates. You are advised
to enable the following functions in these scenarios:

▪ Call admission control (CAC): This function controls STA access based
on the radio channel utilization and the number of online STAs or
signal-to-noise ratio (SNR), thereby ensuring the Internet access
service quality of online STAs.

▪ Dynamic adjustment of enhanced distributed channel access (EDCA)
parameters: This function allows APs to adjust EDCA parameters
flexibly by detecting the number of STAs to reduce the possibility of
collision and improve throughput, thereby enhancing user experience.

▫ To enable STAs (especially sticky STAs) to re-associate with or roam to APs
with stronger signals, enable the function of quickly disconnecting STAs to
force low-SNR or low-rate STAs to go offline.
▫ In scenarios that have high requirements on multicast service experience,
you are advised to enable the multicast-to-unicast conversion function to
prevent low-rate STAs from affecting multicast services, thus improving
multicast service experience (for example, HD VoD service).
▫ In scenarios where VIP user experience needs to be guaranteed, you are
advised to enable preferential access of VIP users to ensure preferential
access, scheduling, and bandwidth guarantee for VIP users.
Suggestions on Scheduling Policy Design

⚫ The definition of important data services varies between enterprises. For a portal website, Internet access and gaming traffic is important; in the financial industry, real-time transactions matter more than voice services, and Internet access and gaming traffic is unwanted. Therefore, QoS policies must be designed and deployed based on the actual service types and QoS requirements of each enterprise.

Recommended scheduling policy design:
Application Type | Typical Application or Protocol | CoS | Queue (Priority) | Scheduling Algorithm | Maximum Bandwidth
Signaling and control | Routing protocols; network management protocols; multimedia protocol signaling | CS6 | 6 | PQ | Unlimited
Real-time interactive multimedia | VoIP; multimedia conferencing; online gaming; desktop cloud | EF | 5 | PQ | Available interface bandwidth x 30%
On-demand subscription of multimedia or key services | Online video; video live telecasting or multicast; delay-sensitive and mission-critical enterprise services that require real-time interaction, such as online ordering | AF | 4 | DRR with weight 20 | Unlimited
Other services | Common Internet access services such as email and web browsing | BE | 0 | DRR with weight 20 | Unlimited
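The recommended policy above combines two mechanisms: strict priority (PQ) for queues 6 and 5, with the EF queue held to 30% of the interface bandwidth so that real-time traffic cannot starve everything below it, and deficit round robin (DRR) between queues 4 and 0 with equal weights. The Python simulation below is an added example, not Huawei code or configuration: it classifies packets by DSCP into the four queues, runs the scheduler one round at a time over an oversubscribed link, and reports bytes served and dropped per queue. The interface rate, the packet sizes, the 100-byte-per-weight-unit DRR quantum, and the choice to model the EF maximum bandwidth as policing (excess dropped) rather than shaping are assumptions made for illustration.

```python
from collections import deque

LINK_BYTES_PER_ROUND = 10_000                         # constructed: bytes one scheduling round may send
EF_MAX_PER_ROUND = LINK_BYTES_PER_ROUND * 30 // 100   # EF queue: available interface bandwidth x 30%

# Standard DSCP code points for the CoS values in the recommended policy; anything else is BE.
DSCP_TO_QUEUE = {48: 6, 46: 5, 34: 4, 36: 4, 38: 4}   # CS6, EF, AF41/AF42/AF43


def classify(dscp):
    return DSCP_TO_QUEUE.get(dscp, 0)


class Scheduler:
    """PQ for queues 6 and 5, then DRR with per-queue weights for the rest."""

    def __init__(self, drr_weights):
        self.queues = {q: deque() for q in (6, 5, 4, 0)}            # packet sizes in bytes
        self.quantum = {q: w * 100 for q, w in drr_weights.items()}  # assumption: 100 bytes per weight unit
        self.deficit = {q: 0 for q in drr_weights}
        self.rr = deque(drr_weights)                                 # round-robin pointer persists across rounds
        self.served = {q: 0 for q in self.queues}
        self.dropped = {q: 0 for q in self.queues}

    def enqueue(self, dscp, size):
        self.queues[classify(dscp)].append(size)

    def _drain(self, q, capacity, budget):
        """Send head-of-line packets from q while both link capacity and budget allow."""
        qu = self.queues[q]
        while qu and qu[0] <= capacity and qu[0] <= budget:
            size = qu.popleft()
            capacity -= size
            budget -= size
            self.served[q] += size
        return capacity

    def run_round(self):
        capacity = LINK_BYTES_PER_ROUND
        capacity = self._drain(6, capacity, capacity)           # PQ: control traffic first, unlimited
        capacity = self._drain(5, capacity, EF_MAX_PER_ROUND)   # PQ: EF next, capped at 30%
        while self.queues[5]:                                   # modeled as policing: excess EF is dropped
            self.dropped[5] += self.queues[5].popleft()
        idle_visits = 0
        while capacity > 0 and idle_visits < len(self.rr):
            q = self.rr[0]
            self.rr.rotate(-1)
            qu = self.queues[q]
            if not qu:
                self.deficit[q] = 0        # an empty queue does not bank credit
                idle_visits += 1
                continue
            self.deficit[q] += self.quantum[q]
            sent = 0
            while qu and qu[0] <= self.deficit[q] and qu[0] <= capacity:
                size = qu.popleft()
                self.deficit[q] -= size
                capacity -= size
                self.served[q] += size
                sent += size
            idle_visits = 0 if sent else idle_visits + 1
        return capacity


def offered_load():
    """Constructed per-round load: 5% CS6 control, 50% EF (above its 30% cap),
    40% AF41 and 40% BE, so the link is oversubscribed and congestion is real."""
    return [(48, 100)] * 5 + [(46, 200)] * 25 + [(34, 500)] * 8 + [(0, 500)] * 8


def simulate(rounds=10):
    sched = Scheduler({4: 20, 0: 20})
    for _ in range(rounds):
        for dscp, size in offered_load():
            sched.enqueue(dscp, size)
        sched.run_round()
    return sched


if __name__ == "__main__":
    s = simulate()
    print("served bytes per queue:", s.served)
    print("dropped bytes per queue:", s.dropped)
```

Over ten rounds the control queue is served in full, EF is held to exactly 30% of the link with the rest of its offered load dropped, and the remaining capacity is split between AF and BE within one quantum of each other because the DRR pointer and deficit counters carry over between rounds. Without the EF cap the same load would let a misbehaving or compromised endpoint marking EF consume the whole link, which is the failure PQ alone cannot prevent.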


Contents

1. CloudCampus Solution and Virtualized Campus Network Overview

2. Network Architecture Design

3. Underlay Network Design

4. Fabric and Overlay Network Design

5. Admission Control and Free Mobility Design

6. WLAN Design

7. Egress Network Design

8. Network Security and QoS Design

9. O&M Design

Challenges Facing Campus Network O&M

Precise detection: Traditional O&M is based on SNMP, so data collection takes minutes. Once a fault occurs, the data generated at the time of the fault cannot be obtained in real time, and no convenient backtracking method is available. Key requirement: telemetry-based precise detection.

Experience perception: Traditional O&M systems monitor only device metrics. User experience may be poor even when the metrics are normal, and these systems do not provide correlative analysis of clients and networks. Key requirement: client and network profiling, experience perception.

Fault identification: In traditional O&M, network faults are detected only after clients complain, so faults cannot be identified and analyzed effectively and proactively. Key requirement: intelligent fault identification.


Campus Network O&M Panorama

[Figure: CloudCampus O&M panorama, grouped as laid out on the slide. Visualized management and monitoring: device management (NE management, alarm management, log management, file/configuration management), network management (SLA management, link management), terminal management (terminal management, user management), and network health (controller, analyzer). Intelligent troubleshooting: fault locating (packet header obtaining, packet path tracing, device diagnosis and test), service quality monitoring (wireless network monitoring, fault analysis), terminal app management (issue analysis, access analysis, customer flow analysis, performance analysis, protocol trace), analysis dimensions (device, user access, user roaming, user throughput, user application), and network optimization (radio calibration).]


Basic Network O&M Design
⚫ In the large- and medium-sized virtualized campus network solution, iMaster NCE-Campus provides comprehensive
basic network management, network element (NE) management, service management, and system management
functions for managed devices. These functions include user, log, resource, topology, alarm, and performance
management. In addition, protocols involved in traditional network O&M can also be applied on iMaster NCE-
Campus.
Protocol Name | Configurations Supported on iMaster NCE-Campus
SNMP | Interconnection between network devices and an SNMP server can be configured on iMaster NCE-Campus. iMaster NCE-Campus can manage traditional (NETCONF-incapable) devices using SNMP.
NTP | Interconnection between network devices and an NTP server can be configured on iMaster NCE-Campus.
Syslog | Interconnection between iMaster NCE-Campus and a Syslog server can be configured; once interconnected, iMaster NCE-Campus uploads the logs obtained from network devices to the Syslog server. Interconnection between network devices and a Syslog server can also be configured on iMaster NCE-Campus.
SSH | Local accounts for SSH-based login can be configured on network devices. SSH can be used to log in to the CLI of a network device from iMaster NCE-Campus.
LLDP | LLDP can be enabled for network devices on iMaster NCE-Campus, and is enabled by default. iMaster NCE-Campus obtains network topology information through LLDP.


Intelligent O&M Design
⚫ Huawei's intelligent O&M solution uses Telemetry technology to send O&M data (such as device performance indicators and
terminal logs) on network devices to Huawei iMaster NCE-CampusInsight. iMaster NCE-CampusInsight then uses big data
technology, AI algorithms, and other advanced analysis technologies to digitize user experience on the network, helping customers
promptly detect network problems and ultimately improve user experience.

O&M functions provided by iMaster NCE-CampusInsight:
Category | Function
Network visualization | Wireless network health; wired network health; integrated topology
Campus service analysis | Issue analysis; access analysis; performance analysis; protocol tracing
Intelligent wireless network | Intelligent radio calibration; WLAN topology
User application experience | Application analysis


Deployment Design for the Intelligent O&M Solution
⚫ The deployment process for Huawei intelligent O&M solution involves the following:

Interconnection between iMaster NCE-Campus and iMaster NCE-CampusInsight: iMaster NCE-Campus can perform unified O&M
and management, and iMaster NCE-CampusInsight can be invoked as a proxy service. iMaster NCE-Campus can synchronize site
and device information to iMaster NCE-CampusInsight.

Collection of data such as syslogs and performance data of network devices: The network devices must be enabled to collect
O&M data and report the data to iMaster NCE-CampusInsight.

⚫ The intelligent O&M solution consists of iMaster NCE-CampusInsight, iMaster NCE-Campus, and devices. Currently,
iMaster NCE-CampusInsight can manage Huawei cloud switches and APs, and intelligently analyzes their data.

Network bandwidth design: Devices periodically report data to iMaster NCE-CampusInsight, so the campus network needs to reserve bandwidth for data reporting. The average bandwidth consumed by each device is 3 kbit/s.

Deployment location design: iMaster NCE-CampusInsight and iMaster NCE-Campus can be deployed at different locations and collaborate with each other as long as network connectivity is achieved. To avoid instability of the intermediate network, you are advised to deploy them in the same location, for example, the same data center.

Precautions for Intelligent O&M Design

Network deployment design:
 During network deployment, ensure that there are reachable routes between the network devices and the analyzer (iMaster NCE-CampusInsight) so that the devices can send KPI data and log information to it.
 Ensure that devices are clock-synchronized with iMaster NCE-CampusInsight. You are advised to deploy an NTP server to synchronize the system clocks on the network.

Intelligent radio calibration function design:
 Intelligent radio calibration and traditional radio calibration cannot both be deployed on APs in the same region.

Protocol trace function design:
 To identify DHCP-related connectivity issues and implement protocol trace, use the AC as the DHCP server or enable DHCP snooping on the AC.

Audio and video quality analysis function design:
 This function requires devices to send the related log information to iMaster NCE-CampusInsight. Configure the same log sending interval on switches and WLAN devices; the difference between the log sending intervals cannot exceed 20s.


Quiz

1. (Multiple-answer question) For a large-scale campus network with approximately 10,000


terminals, the recommended fabric networking mode is ( ). In this networking mode,
the gateway is located on the ( ), and the ( ) functions as the edge node.
A. Centralized gateway

B. Distributed gateway

C. Edge

D. Border

E. Access switch

F. Aggregation switch


1. ADF
Summary

⚫ To meet requirements of digital transformation, campus networks need to be


reconstructed systematically. Based on the IDN concept, Huawei CloudCampus 3.0
Solution helps enterprises build intelligent, simplified, converged, open, and secure
networks.
⚫ This course focuses on large- and medium-sized campus networks, illustrates the
solution architecture and technical solutions used for such networks, and provides
suggestions on engineering design and O&M design. With this information, this
course helps trainees understand Huawei CloudCampus 3.0 Solution technologies
and design the optimal campus network solution.

Recommendations

⚫ Huawei's CloudCampus Solution V100R020C10 Product Documentation


 https://support.huawei.com/hedex/hdx.do?docid=DOC1100797422&lang=en

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd.
All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Virtualized Campus Network Deployment
Guide
Foreword

⚫ Different from traditional campus networks that focus on standalone devices, a virtualized campus network focuses on the overall service experience of the entire network and uses iMaster NCE-Campus and virtual extensible local area network (VXLAN) technology to flexibly schedule network resources. Virtualization technologies group physical network resources into a network-wide resource pool that can be flexibly adjusted by the service layer and allocated by iMaster NCE-Campus. A physical network is virtualized into multiple logically independent virtual networks that carry various services and have independent network resources. This virtualization decouples services from networks and facilitates service management.
⚫ This course describes the deployment process and typical deployment cases of the VXLAN-based virtualized campus network solution.
Objectives

⚫ On completion of this course, you will be able to:
▫ Describe the deployment process of the CloudCampus VXLAN-based virtualized campus network solution.
▫ Deploy a typical CloudCampus VXLAN-based virtualized campus network solution.
▫ Configure iMaster NCE-Campus to manage and maintain the CloudCampus VXLAN-based virtualized campus network.
Contents

1. VXLAN-based Virtualized Campus Network Deployment Plan

2. VXLAN-based Virtualized Campus Network Deployment Process and Guide


▫ Deployment Process
▫ Preparations for Deployment
▫ Deployment Guide

Three Deployment Modes of CloudCampus

On-Premise
▫ Scenario definition: Customers purchase and own software entities, such as the controller and analyzer, which can be deployed in their data centers or on the public cloud platform.
▫ Target customer: Customers in industries such as government, education, large enterprise, retail, and financial services
▫ Operations entity: Customer
▫ Software transaction mode: Perpetual license + SnS

Huawei Public Cloud
▫ Scenario definition: Huawei operates the public cloud and customers do not need to purchase the controller or analyzer software. Instead, customers just purchase Huawei's cloud managed network service.
▫ Target customer: Customers in industries such as government, education, large enterprise, retail, and financial services
▫ Operations entity: Huawei
▫ Software transaction mode: SaaS mode

MSP-owned Cloud
▫ Scenario definition: MSPs purchase software, such as the controller and analyzer, for operational purposes. The software can be deployed in their data centers or on the public cloud platform.
▫ Target customer: MSP, carrier
▫ Operations entity: MSP, carrier
▫ Software transaction mode: TBL subscription mode

• Managed service provider (MSP): delivers and manages network-based services, applications, and devices. The serviced objects include enterprises, residential areas, and other service providers.

• Perpetual license + SnS: The perpetual license is sold together with SnS services, such as software patches, software upgrades (including new features of new releases), and remote support. In the perpetual license + SnS mode, a customer needs to pay the SnS fee for a certain period of time, in addition to purchasing the license upon the first purchase. If the customer does not renew the SnS annual fee after it expires, the customer can only use the functions provided in the license for the current version and cannot use the service functions covered by the SnS annual fee.

• SaaS mode: MSPs are responsible for deploying or leasing the hardware infrastructure, and for O&M and management of the hardware and software. Software is provided to customers as cloud services, and customers need to pay for the cloud services periodically.

• Term Based License (TBL) mode: This mode differs from the perpetual license + SnS mode in that the licenses purchased by customers have limited validity periods. If a customer does not renew the subscription after the license expires, the customer can no longer use the software product.

• SnS: refers to Subscription and Support. It consists of two parts: software support and software subscription. The complete software charging mode consists of the annual software SnS fee and the software license fee.

• Note: This course uses the on-premise deployment as an example.
Review: Virtualized Campus Network Architecture

[Figure: three layers. Underlay (physical network layer): core, aggregation, and access devices running OSPF. Fabric: border and edge nodes connected by VXLAN, with external networks and network service resources attached. Overlay (virtual network layer): virtual network 1 to virtual network N, each instantiated from the fabric with VRF+VNI and providing wired and wireless access, network egress, and network services (IP/VLAN).]

⚫ Underlay: a physical topology consisting of physical network devices, such as switches, access points (APs), firewalls, and routers, to provide interconnection capabilities for all services on the campus network, building the basic bearer network for campus service data forwarding.
⚫ Fabric: a network with pooled resources abstracted from the underlay network. When creating an instantiated virtual network, you can select the pooled network resources on the fabric.
⚫ Virtual network: a logically isolated virtual network instance that is constructed by instantiating a fabric. One virtual network corresponds to one isolated network (service network), for example, a research network.
Review: Network Nodes on a Virtualized Campus Network

[Figure: the egress gateway sits above the border node; the border node, transparent node, and edge nodes form the fabric domain (VXLAN); access nodes form the access domain below. Border and edge nodes are the VXLAN-capable nodes.]

⚫ Egress gateway: is an egress device of the campus network, which can be an AR router or a firewall.
⚫ Border node: implements communication between the fabric and external networks. It is typically a core switch.
⚫ Edge node: is a fabric edge device that connects user-side devices to the fabric. Data packets from wired users are encapsulated into VXLAN packets on edge nodes.
⚫ Transparent node: is a transparent device on the fabric, and does not need to support VXLAN.
⚫ Access node: is typically an access switch (wired access node) or an AP (wireless access node). Wired access nodes can be combined with edge nodes, that is, VXLAN is deployed to the access layer. If wired access nodes do not need to support VXLAN, aggregation nodes can be combined with edge nodes, that is, VXLAN is deployed to the aggregation layer, and policy association is deployed on wired access nodes and VXLAN edge nodes.

• On a fabric, VXLAN tunnel endpoints (VTEPs) are further divided into the following roles:
▫ Border: is a physical network device and provides data forwarding between the fabric and external networks. In most cases, VXLAN-capable core switches function as border nodes.
▫ Edge: is a physical network device. Access user traffic enters the fabric from an edge node. Generally, VXLAN-capable access or aggregation switches function as edge nodes.
Lab: Requirements

[Figure: HQ lab topology. AR3 (GE0/0/1) connects to Border; Border (GE0/0/23, GE0/0/24) connects to Edge_1 and Edge_2 (GE0/0/1); Edge_1 and Edge_2 (GE0/0/24) connect to ACC_1 and ACC_2 (GE0/0/1); the access ports GE0/0/24 and GE0/0/23 of ACC_1 and ACC_2 serve PC1, PC2, AP1, and PC3.]

To implement multi-service convergence on a campus network, virtual networks are deployed and configured on the campus network through iMaster NCE-Campus. This enables different virtual networks on the same physical network to be divided based on services.

Using the VXLAN technology, virtual networks meet the following requirements:
▫ Network devices support DHCP-based plug-and-play provisioning.
▫ Multiple services on the campus network share the same physical network, but are logically isolated. Mutual access control can be implemented among these services.
▫ Service configuration is automated, and virtual network configurations are delivered by iMaster NCE-Campus, removing the need to log in to devices to manually configure them.
▫ Users can access virtual networks from anywhere on the campus network, implementing flexible user authentication, onboarding, and free mobility.
Lab: Gateway Solution Selection
⚫ When designing the virtualized campus network solution, first determine the gateway solution to be used. After the gateway solution is determined, you can perform end-to-end design on the entire campus network based on the selected gateway solution.

Centralized Gateway
▫ User gateway location: Border
▫ O&M deployment: A border node functions as the gateway of all users, and the native AC function is typically enabled on the border node to support wireless services, simplifying O&M deployment.
▫ Terminal scale: ≤ 50,000 (This solution is recommended if the number of terminals does not exceed 50,000.)

Distributed Gateway
▫ User gateway location: Edge
▫ O&M deployment: Multiple edge nodes function as user gateways. This ensures that only part of the network is affected upon the failure of one gateway and facilitates network expansion. The native AC function is enabled on the border node to support wireless services. The O&M deployment is complex.
▫ Terminal scale: 50,000 to 100,000 (This solution is recommended when the number of terminals exceeds 50,000.)
Lab: Physical and VXLAN Networking

[Figure: the HQ lab topology, with AR_Server_SW attached to AR3 to simulate the cloud, and a VXLAN fabric spanning Border, Edge_1, and Edge_2.]

⚫ HQ: ACC_1 and ACC_2 function as access devices that connect to wired terminals and provide network services for wired users. AP1 is connected to ACC_2 to provide network services for wireless users. Edge_1 and Edge_2 serve as aggregation devices, and the Border functions as the core device. AR3 works as both the campus egress and the DHCP server, which allocates IP addresses to other devices and user terminals at the HQ. OSPF is used for communication on the underlay network at the HQ.
⚫ Cloud: AR_Server_SW is used to simulate the cloud. It connects the HQ and iMaster NCE-Campus, and also functions as the gateway of iMaster NCE-Campus.
⚫ VXLAN network (fabric): The network topology for this lab uses a distributed gateway model, in which VXLAN is deployed across core and aggregation layers. Edge_1 and Edge_2 function as the edge nodes of the VXLAN network, whereas Border functions as the border node of the VXLAN network.

• Note: In this lab, the native AC is deployed on the border node to manage APs. The border node also serves as the DHCP server to allocate IP addresses to APs.
Lab: Virtual Network

[Figure: the HQ topology with two virtual networks (OA VN and RD VN), two external networks (OA (Internet) and RD (Internet)) reached through AR3, and one network service resource, DHCP_Email (DHCP/Other).]

⚫ Virtual network (VN): Two virtual networks are defined for access of different end users.
▫ OA VN: for access of sales personnel (Sales_Wired and Sales_Wireless security groups) and marketing personnel (Market_Wired and Market_Wireless security groups)
▫ RD VN: for access of R&D personnel (RD security group)
⚫ External network: Two external networks are defined for the two virtual networks, so different end users can access different external networks.
▫ OA external network: accessible to sales and marketing personnel.
▫ RD external network: accessible to R&D personnel.
⚫ Network service resource: One network service resource named DHCP_Email is defined to function as both a DHCP server and an email server. It allocates IP addresses to all end users in the two virtual networks.
Lab: Security Group and Policy Control Matrix

⚫ Security group: Five security groups are defined to identify different end users.
▫ Sales_Wired and Sales_Wireless: security groups to which sales personnel are assigned after they pass 802.1X or Portal authentication.
▫ Market_Wired and Market_Wireless: security groups to which marketing personnel are assigned after they pass 802.1X or Portal authentication.
▫ RD: security group to which R&D personnel are assigned after they pass 802.1X authentication.
⚫ Resource group: One resource group is defined, indicating the email server.

[Figure: fabric with OA_VN (Sales_Wired and Market_Wired via 802.1X, Sales_Wireless and Market_Wireless via Portal) and RD_VN (RD via 802.1X); a security group-based policy control matrix is applied between them.]

Policy control matrix (rows: source group; columns: destination group; cells left blank on the slide are unmarked):

Source Group    | Sales_Wired | Sales_Wireless | Market_Wired | Market_Wireless | RD   | E_mail
Sales_Wired     |             |                | Deny         | Deny            | Deny |
Sales_Wireless  |             |                | Deny         | Deny            | Deny |
Market_Wired    | Deny        | Deny           |              |                 |      |
Market_Wireless | Deny        | Deny           |              |                 | Deny |
RD              | Deny        | Deny           |              | Deny            |      | Deny

• Policy Control Matrix:
▫ Sales personnel and marketing personnel cannot communicate with each other. Only marketing personnel using wired terminals and R&D personnel can communicate with each other.
▫ R&D personnel cannot access the E_mail resource group.
▫ In the policy control matrix, only the communication that is allowed should be permitted and other communication should be denied.
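A matrix like this is easy to get wrong when edited cell by cell, so it helps to check it against the intent written in the notes before it is applied. The following is an added example, not code from the course or from iMaster NCE-Campus: it encodes the lab's Deny cells, reads every other cell as Permit, and verifies the three stated rules plus a symmetry review item. The group names and Deny cells come from the lab plan; the function names and the "edited matrix" mistake are constructed for illustration.

```python
"""Consistency check for the lab's security-group policy control matrix.

Added example, not iMaster NCE-Campus code. The group names and the Deny
cells come from the lab plan; the rules in check_intent() are the three
statements in the lab notes plus a symmetry review item.
"""
from itertools import product

USER_GROUPS = ["Sales_Wired", "Sales_Wireless", "Market_Wired", "Market_Wireless", "RD"]
RESOURCE_GROUPS = ["E_mail"]
SALES = ["Sales_Wired", "Sales_Wireless"]
MARKET = ["Market_Wired", "Market_Wireless"]

# Deny cells of the lab matrix as (source group, destination group) pairs.
DENY_CELLS = {
    ("Sales_Wired", "Market_Wired"), ("Sales_Wired", "Market_Wireless"), ("Sales_Wired", "RD"),
    ("Sales_Wireless", "Market_Wired"), ("Sales_Wireless", "Market_Wireless"), ("Sales_Wireless", "RD"),
    ("Market_Wired", "Sales_Wired"), ("Market_Wired", "Sales_Wireless"),
    ("Market_Wireless", "Sales_Wired"), ("Market_Wireless", "Sales_Wireless"), ("Market_Wireless", "RD"),
    ("RD", "Sales_Wired"), ("RD", "Sales_Wireless"), ("RD", "Market_Wireless"), ("RD", "E_mail"),
}


def build_matrix(deny_cells):
    """Expand the sparse Deny list into a full matrix.

    A cell that is not marked Deny is read as Permit, which is how the blank
    cells of the slide are interpreted here.
    """
    matrix = {}
    for src in USER_GROUPS:
        for dst in USER_GROUPS + RESOURCE_GROUPS:
            matrix[(src, dst)] = "deny" if (src, dst) in deny_cells else "permit"
    return matrix


def deny_counts(matrix):
    """Number of Deny cells per source row (the slide shows 3, 3, 2, 3, 4)."""
    return {src: sum(1 for (s, _), a in matrix.items() if s == src and a == "deny")
            for src in USER_GROUPS}


def check_intent(matrix):
    """Return the cells that contradict the lab's stated intent (empty = consistent)."""
    problems = []

    def expect(src, dst, want):
        got = matrix[(src, dst)]
        if got != want:
            problems.append(f"{src} -> {dst}: is {got}, expected {want}")

    # 1. Sales and marketing personnel cannot communicate, in either direction.
    for s, m in product(SALES, MARKET):
        expect(s, m, "deny")
        expect(m, s, "deny")
    # 2. Among the user groups, only Market_Wired and RD may communicate with each other.
    for g in USER_GROUPS:
        if g != "RD":
            want = "permit" if g == "Market_Wired" else "deny"
            expect(g, "RD", want)
            expect("RD", g, want)
    # 3. R&D personnel cannot reach the E_mail resource group; the others can.
    for g in USER_GROUPS:
        expect(g, "E_mail", "deny" if g == "RD" else "permit")
    # 4. Review item: group-to-group decisions should be symmetric. A one-way
    #    permit usually means a cell was edited without its mirror cell.
    for a, b in product(USER_GROUPS, USER_GROUPS):
        if a < b and matrix[(a, b)] != matrix[(b, a)]:
            problems.append(f"asymmetric: {a} -> {b} is {matrix[(a, b)]} "
                            f"but {b} -> {a} is {matrix[(b, a)]}")
    return problems


if __name__ == "__main__":
    lab = build_matrix(DENY_CELLS)
    print(deny_counts(lab))
    print("lab matrix problems:", check_intent(lab))
    # Constructed mistake: someone clears the RD -> E_mail Deny cell.
    print("edited matrix problems:", check_intent(build_matrix(DENY_CELLS - {("RD", "E_mail")})))
```

Run as a script, the lab matrix reports no problems and the per-row Deny counts match the slide; clearing a single Deny cell is reported as a named violation, which is the point of keeping the intent as code next to the matrix.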
Contents

1. VXLAN-based Virtualized Campus Network Deployment Plan

2. VXLAN-based Virtualized Campus Network Deployment Process and


Guide
◼ Deployment Process

▫ Preparations for Deployment


▫ Deployment Guide

Virtualized Campus Network Deployment Flowchart

Start → Server and software installation → Network device installation → License activation → Site creation → Basic network configurations → Network service configurations → End

1. Server and software installation: Install servers. Connect cables. Power on servers. Install iMaster NCE-Campus.
2. Network device installation: Install network devices. Connect cables. Power on devices.
3. License activation: Obtain the ESN of iMaster NCE-Campus. Obtain licenses of iMaster NCE-Campus. Load licenses.
4. Site creation: Create an administrator. Create sites. Add devices, stacks, or AC groups. Configure device management.
5. Basic network configurations: Configure network resources. Configure the underlay network. Configure a fabric. Configure virtual networks. Configure physical links. Configure the egress network.
6. Network service configurations: Configure access control. Configure security services. Configure QoS. Configure O&M management. Configure the WLAN.

• VXLAN-based large- and medium-sized virtualized campus networks have complex services. Therefore, the deployment process is complex. The deployment process provided in this slide is the general process, for your reference.

• The following part of this course focuses on key operations in the deployment process.
Contents

1. VXLAN-based Virtualized Campus Network Deployment Plan

2. VXLAN-based Virtualized Campus Network Deployment Process and


Guide
▫ Deployment Process
◼ Preparations for Deployment
▫ Deployment Guide

Installing Servers and Software (1)

Installing iMaster NCE-Campus
• iMaster NCE-Campus can be deployed in the on-premises scenario, Huawei public cloud scenario, and MSP-owned cloud scenario.
• Large- and medium-sized campuses typically adopt the on-premises deployment mode, in which enterprises install iMaster NCE-Campus by themselves.
• For more information, see iMaster NCE-Campus Product Documentation.

Installing iMaster NCE-CampusInsight
• iMaster NCE-CampusInsight can be deployed independently or integrated with iMaster NCE-Campus.
• It is recommended that iMaster NCE-CampusInsight be integrated with iMaster NCE-Campus in the CloudCampus Solution.
• For more information, see iMaster NCE-CampusInsight Product Documentation.
Installing Servers and Software (2)

Installing the CloudCampus APP
• When installing APs, upload information about their actual installation locations to iMaster NCE-Campus for efficient O&M and value-added services based on terminal locations. The CloudCampus APP can record and upload AP information.
• In addition to the deployment function, the CloudCampus APP also provides Wi-Fi experience testing, speed testing, and video testing.
• The CloudCampus APP can be obtained in either of the following ways:
▫ Android system: Search for CloudCampus on Huawei AppGallery and install the CloudCampus APP.
▫ Scan the QR code to download the CloudCampus APP.
Preconfiguring Devices

[Figure: the HQ lab topology, with AR_Server_SW attached to AR3; AR3 is the device to be preconfigured.]

Task: Preconfigure AR3.
Preconfiguration plan:
1. Complete basic configurations such as assigning VLANs, creating VLANIF interfaces, and configuring IP routing.
2. Configure the DHCP server for plug-and-play of devices at the site.
3. Configure the DHCP server for end user access.
4. Simulate the OA and RD external networks.
Contents

1. VXLAN-based Virtualized Campus Network Deployment Plan

2. VXLAN-based Virtualized Campus Network Deployment Process and


Guide
▫ Deployment Process

▫ Preparations for Deployment


◼ Deployment Guide

Site Management > Device Management > Network Planning > Fabric Network > Logical Network > Service Deployment > WLAN Service

Creating Sites and Adding Devices

⚫ To enable network devices within the same management scope to be centrally managed on iMaster NCE-Campus, you can create a site on iMaster NCE-Campus and add these network devices to the site.
⚫ You can add devices when creating a site or after a site is created.
How to Create Sites and Add Devices

Creating sites one by one
▫ Create sites one by one.
▫ Add devices manually.

Creating sites in a batch
1. Download a template (an Excel file) from iMaster NCE-Campus.
2. Fill in the template with site and device information.
3. Import the template to iMaster NCE-Campus.
▫ Create sites and import devices in a batch.

Template content (example rows):
Site Name | Campus Device Type | Device role | Device Model | Device Type | Device ESN | Device Name
HQ | LSW, AC | CORE | S5731-H24P4XC | LSW | … | Border
HQ | LSW, AC | AGG | S5731-H24P4XC | LSW | … | Edge_1
… | … | … | … | … | … | …

• When creating sites, pay attention to the following points:
▫ To facilitate device management and improve service deployment efficiency, add devices on the same network of a tenant to the same site.
▫ You can create sites on iMaster NCE-Campus for unified O&M management. Two methods are available to create sites:
▪ Create sites one by one: You can create sites one by one when a small number of sites need to be added.
▪ Create sites in a batch: You can create sites in a batch when a large number of sites need to be added.

• When adding devices, pay attention to the following points:
▫ On a VXLAN-based virtualized campus network, managed devices are typically LSWs (switches) and ACs (wireless access controllers).
▫ To add devices manually, select By Model or By ESN.
▫ On large- and medium-sized virtualized campus networks, the WLAN typically adopts the "AC + Fit AP" architecture. In this architecture, Fit APs are centrally managed and configured by the native AC. After the native AC is managed by iMaster NCE-Campus, you can be redirected from iMaster NCE-Campus to the web platform of the native AC to manage Fit APs.
Lab: Creating a Site, Adding Devices, and Configuring the Plug-and-Play Function

[Figure: HQ devices to be managed by iMaster NCE-Campus (Border, Edge_1, Edge_2, ACC_1, ACC_2, and AP1). AR3 acts as the DHCP server: (1) DHCP Offer to the devices; (2) devices proactively register with iMaster NCE-Campus.]

⚫ Site creation and device addition
▫ On iMaster NCE-Campus, create a single site to create the HQ site.
▫ Add devices (Border, Edge_1, Edge_2, ACC_1, ACC_2, and AP1) one by one based on the device model or ESN.
⚫ Device plug-and-play (onsite operation)
▫ Connect and power on the switches and APs on the network.
▫ The switches obtain IP addresses and the iMaster NCE-Campus address/port through AR3, and initiate registration requests to iMaster NCE-Campus. They are managed by iMaster NCE-Campus once registered.
⚫ Device management (by iMaster NCE-Campus)
▫ Check the device registration status.
▫ Check the physical network topology.

• Device plug-and-play:
▫ Customer pain points: In traditional network deployment, engineers need to commission network devices one by one onsite, resulting in heavy configuration workload and low efficiency.
▫ Solution:
▪ This lab demonstrates the plug-and-play function of network devices in the CloudCampus Solution. The DHCP Option solution is used to implement plug-and-play of switches. In this example, the DHCP service and related parameters must be preconfigured on AR3.
▪ In this step, switches on the campus network can be directly deployed using factory settings and get managed by iMaster NCE-Campus, greatly reducing the configuration workload.
Configuring Resource Pools: Global Resource Pool for the Fabric

⚫ Before creating a fabric, plan a global resource pool for the fabric, which contains VLAN, bridge domain (BD), and VXLAN network identifier (VNI) resources.

[Figure: HQ fabric. Service VLANs on ACC_1 and ACC_2, VLANs transparently transmitted between the access and aggregation devices, BD/VNI on the VXLAN tunnel between Edge_1, Edge_2, and Border, and interconnection VLANs from Border to the external networks and network service resources.]

Task: Configure a global resource pool for the fabric.
Resource pool plan:
⚫ Configure VLAN resources, including service VLANs (access VLANs for end users) used during virtual network creation, VLANs whose packets are transparently transmitted between the access and aggregation devices, interconnection VLANs used when external networks and network service resources are created for the fabric, and the management VLAN for policy association.
⚫ Configure BDs and VNIs for Layer 2 broadcast domain isolation in virtual networks.
Lab: Configuring a Fabric Global Resource Pool

⚫ Choose Fabric Network > Network Plan. On the resource pool configuration page that is displayed, click Fabric Global Resource Pool, set parameters, and click +. iMaster NCE-Campus provides the logical topology view to help users understand the meanings of parameters.

• Parameters in the fabric global resource pool:
▫ VLAN: Configure a service VLAN pool when you need to configure VLANs for connecting to external networks, VLANs for connecting to network service resources, the CAPWAP management VLAN, and terminal access VLANs.
▫ Bridge Domain (BD): On a VXLAN network, VNIs can be mapped to BDs in 1:1 mode so that a BD can function as a VXLAN network entity to transmit traffic. A BD is a Layer 2 broadcast domain used to forward data packets on a VXLAN network.
▫ VXLAN Network Identifier (VNI): A VNI is similar to a VLAN ID and identifies a VXLAN.
Configuring Resource Pools: Underlay Automation Resource Pool

⚫ The underlay automation resource pool defines the interconnection VLANs, interconnection IP addresses, and loopback interface IP addresses used for routing domain orchestration on the underlay network.

[Figure: HQ underlay. Border, Edge_1, and Edge_2 run OSPF over interconnection VLANs with interconnection IP addresses; ACC_1 and ACC_2 connect upward over interconnection VLANs.]

Task: Configure an underlay automation resource pool.
Resource pool plan:
1. Configure interconnection VLANs, which cannot conflict with the fabric global resource pool and service VLANs for user access.
2. Configure interconnection IP addresses, which cannot conflict with the fabric global resource pool and service IP addresses for user access.
3. Configure loopback interface IP addresses. As the VXLAN control plane uses BGP EVPN, loopback interface IP addresses are required for establishing BGP EVPN peer relationships between border and edge nodes.
The preceding resources are used for automatic orchestration of routing domains on the underlay network.
Lab: Configuring an Underlay Automation Resource Pool

⚫ On iMaster NCE-Campus, choose Fabric Network > Network Plan. On the resource pool configuration page that is displayed, click Underlay Automation Resource Pool, set related parameters, and click +. iMaster NCE-Campus provides the logical topology view to help users understand the meanings of parameters.

• Parameters for configuring the underlay automation resource pool:
▫ Interconnection VLAN: Configure an interconnection VLAN pool when border and edge nodes on a fabric need to communicate on the underlay network.
▫ Interworking IP address: Configure an interconnection IP address pool when border and edge nodes on a fabric need to communicate on the underlay network.
▫ Loopback interface IP: If automatic routing domain configuration is required on a fabric, configure an IP address pool for the loopback interfaces.
Configuring Policy Template Resources: User Access Authentication

⚫ In the large- and medium-sized virtualized campus network solution, you need to specify the authentication templates to be bound to wired and wireless access points during fabric access management. The authentication templates need to be planned.
⚫ The policy template resources configured on iMaster NCE-Campus typically include the RADIUS server template, Portal server template, and user authentication template.

[Figure: the controller's built-in RADIUS server and Portal server serve the HQ fabric. Authentication points on ACC_1 and ACC_2 carry wired traffic for Sales_Wired (802.1X), Market_Wired (802.1X), and RD (802.1X); AP1 carries wireless traffic for Sales_Wireless (Portal) and Market_Wireless (Portal).]
Lab: Configuring User Authentication Templates

⚫ On iMaster NCE-Campus, choose Fabric Network > Network Planning > Policy Template, and create and configure a RADIUS server template, a Portal server template, and user authentication templates.

Task: Create a RADIUS server template.
1. Select a RADIUS server type. The iMaster NCE-Campus built-in RADIUS server is recommended.
2. Configure the RADIUS server IP address. If the iMaster NCE-Campus built-in RADIUS server is used, you do not need to configure the RADIUS server IP address.

Task: Create a Portal server template.
1. Select a Portal server type. The iMaster NCE-Campus built-in Portal server is recommended.
2. Configure the Portal server IP address. If the iMaster NCE-Campus built-in Portal server is used, you do not need to configure the Portal server IP address.
3. Configure the Portal server URL. If the iMaster NCE-Campus built-in Portal server is used, you do not need to configure the Portal server URL.

Task: Create user authentication templates.
1. Select a user authentication mode, which is typically 802.1X authentication, MAC address authentication, or Portal authentication. A template can contain multiple authentication modes.
2. Select the RADIUS server template or Portal server template to be bound.
Configuring a Fabric

⚫ A fabric is a virtual network built on top of a physical network using the VXLAN technology, and has all resources pooled.

[Figure: HQ fabric (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1) connected to external networks and network service resources.]

Task: Configure a fabric.
1. Create a fabric and complete automatic deployment of an underlay network.
2. Create an external network, that is, configure the connectivity between the fabric and external networks (including the interconnection port, interconnection VLAN, interconnection IP address, peer address, and route).
3. Configure network service resources, that is, configure the connectivity between the fabric and network service resources (DHCP server, RADIUS server, Portal server, and other servers). The connectivity configuration includes the device IP address, interconnection VLAN, interconnection IP address, peer IP address, and interconnection port.
4. Configure access management, that is, configure an interface on an access device to invoke an authentication template.
Configuring a Fabric: Creating a Fabric

⚫ You need to create a fabric and then complete basic networking configurations for the fabric, including selecting border and edge nodes as well as configuring BGP EVPN of the VXLAN control plane.
⚫ In addition, you need to enable automatic routing domain configuration of the underlay network when creating a fabric.

Task: Create a fabric.
1. Select a networking type: centralized or distributed gateway.
2. Select the WAC location: edge node, border node, standalone WAC, or None.
3. Enable the automatic routing domain configuration function of the underlay network.
4. Configure an AS number, that is, configure BGP EVPN and set an RR cluster ID.
5. (Optional) Configure storm suppression on the fabric. To mitigate the risks caused by network storms, you are advised to enable storm suppression.
6. (Optional) Enable the function of reporting terminal identification information. You need to enable this function when the terminal identification function is configured.
7. Add devices to the fabric and specify the devices as border and edge nodes. If VXLAN is deployed across core and aggregation layers on the fabric, you need to configure access switches as extended nodes.
Lab: Creating a Fabric (1)

Create a fabric on the iMaster NCE-Campus GUI and set the networking type.

[Figure: HQ fabric (Border; Edge_1 and Edge_2; ACC_1, ACC_2, and AP1) in distributed gateway networking with VXLAN deployed across core and aggregation layers. GUI steps: define the networking type; specify the WAC location; enable automatic routing domain configuration and automatically deploy BGP EVPN.]

• A fabric consists of core, aggregation, and access devices. An access device supports access of different network services, reducing costs while improving network device utilization.

• A virtualized campus network uses the overlay virtualization technology (VXLAN) to create multiple virtual networks on the same fabric and allow flexible service deployment.
• The networking type specifies the network deployment mode of a fabric:
▫ Centralized: The fabric uses a centralized gateway, which transmits traffic accessing external networks and the intranet. In this networking mode, only the border node can function as the centralized gateway.
▫ Distributed: The fabric uses distributed gateways. Traffic accessing external networks and the intranet passes through different gateways. In this networking mode, both border nodes and edge nodes can function as gateways.
• iMaster NCE-Campus allows you to specify a BGP route reflector (RR) and automatically deploy BGP EVPN configurations on all edge nodes in a fabric.
▫ AS number: specifies the BGP AS number used in a fabric.
▫ RR cluster ID: specifies the cluster ID of an RR. If there are multiple RRs in a fabric, for example, if two RRs are configured on a dual-border network, you need to configure a cluster ID for the RRs to prevent BGP routing loops. The value is an integer ranging from 1 to 4294967295 or an IPv4 address.
Lab: Creating a Fabric (2)

Add devices to the fabric and specify device roles.

[Figure: HQ fabric in distributed gateway networking with VXLAN deployed across core and aggregation layers; GUI step: specify the roles of the devices in the fabric.]

• Role: specifies the role of a device in the fabric, including the border node, edge node, and extended node. By default, the role of a device is an extended node.
• Route reflector: In a fabric, border devices are typically used as route reflectors, which remove the need for the full-mesh IBGP peer connections that would otherwise be required and reduce network and CPU loads.

Lab: Creating a Fabric (3)

Complete automatic deployment of the underlay network on iMaster NCE-Campus.

[Figure: HQ fabric topology (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1) running OSPF in Area 0; configuring a single OSPF area.]

• Enable automatic routing domain configuration.
• Define OSPF areas and packet authentication.


• Automatic routing domain configuration: After this function is enabled, the
underlay network is automatically configured. You can specify sites for automatic
routing domain configuration and specify OSPF route parameters. Currently, the
following parameters are supported:
▫ Domain: In single-domain mode, all devices belong to area 0. In multi-
domain mode, all edge nodes are located in their respective non-backbone
areas, and border nodes are interconnected through the backbone area
(area 0).
▫ Network type: You can specify the OSPF network type to broadcast, P2MP,
or P2P.
▫ Encryption: You can set the encryption mode between adjacent devices to
HMAC-SHA256, MD5, or None.
▫ Key: It refers to the authentication key ID used for ciphertext authentication
on an interface, and must be consistent with that of the peer device. The
value is an integer in the range from 1 to 255.
▫ Password: It specifies the ciphertext authentication key. The value is a
string of 1 to 255 characters and cannot contain spaces.
▫ Confirm password: You need to enter the ciphertext authentication key
again for confirmation.
▫ OSPF graceful: You can enable OSPF GR.
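The BGP RR cluster ID and OSPF authentication parameters above have exact value ranges, and the notes also state that two RRs (dual-border) must share a cluster ID. The following added example (written for this page, not part of the Huawei material or of iMaster NCE-Campus) encodes those constraints as pre-checks a network engineer can run over a planned fabric before entering it in the GUI. It goes one step beyond the page by flagging MD5 and None as weak choices rather than rejecting them; the function names and the weak-mode list are assumptions of this example.

```python
import ipaddress
import re

# Value ranges as listed in the lab notes for the OSPF underlay and BGP RR settings.
ENCRYPTION_MODES = ("HMAC-SHA256", "MD5", "None")
WEAK_ENCRYPTION_MODES = ("MD5", "None")   # accepted by the GUI, but worth flagging (assumption)
KEY_ID_RANGE = range(1, 256)              # key ID 1 to 255
CLUSTER_ID_MAX = 4294967295


def validate_rr_cluster_id(value):
    """Cluster ID: an integer from 1 to 4294967295 or an IPv4 address."""
    if re.fullmatch(r"\d+", value):
        return 1 <= int(value) <= CLUSTER_ID_MAX
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def check_rr_design(rr_count, cluster_id):
    """Two or more RRs (for example on a dual-border fabric) must share a cluster ID."""
    problems = []
    if rr_count > 1 and cluster_id is None:
        problems.append("multiple RRs configured but no cluster ID set (BGP loop risk)")
    if cluster_id is not None and not validate_rr_cluster_id(cluster_id):
        problems.append(f"invalid cluster ID {cluster_id!r}")
    return problems


def check_ospf_auth(encryption, key_id=None, password="", confirm=""):
    """Return the problems found in the OSPF authentication parameters (empty list = OK)."""
    problems = []
    if encryption not in ENCRYPTION_MODES:
        problems.append(f"unknown encryption mode {encryption!r}")
        return problems
    if encryption in WEAK_ENCRYPTION_MODES:
        problems.append(f"encryption mode {encryption} is weak; prefer HMAC-SHA256")
    if encryption == "None":
        return problems                   # no key material to check
    if key_id not in KEY_ID_RANGE:
        problems.append("key ID must be an integer from 1 to 255 and be the same on the peer")
    if not 1 <= len(password) <= 255 or " " in password:
        problems.append("password must be 1 to 255 characters with no spaces")
    if password != confirm:
        problems.append("password and confirmation do not match")
    return problems
```

Run `check_ospf_auth("HMAC-SHA256", 1, "Huawei@123", "Huawei@123")` for a clean result and `check_rr_design(2, None)` to see the dual-RR warning; the checks mirror the ranges in the notes, so a value that fails here would also be rejected or mis-matched on the device.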



Lab: Creating a Fabric (4)

Configure BGP EVPN on iMaster NCE-Campus.

[Figure: HQ fabric topology (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1) with BGP EVPN between the nodes; callout: define BGP EVPN parameters.]

⚫ After this step is complete, a fabric is successfully created based on the physical network, and the underlay network
configuration (such as interconnection between network devices and OSPF configuration) is automatically
completed on iMaster NCE-Campus, laying a foundation for creating virtual networks.


• After a fabric is created, the underlay network can be automatically deployed,
and configurations such as VLANIF interfaces, loopback interfaces, VTEP IP
addresses, and routes required for establishing a BGP EVPN can be automatically
provisioned. iMaster NCE-Campus allocates resources from the fabric global
resource pool and underlay automation resource pool to devices.

Configuring a Fabric: Creating an External Network


⚫ In the fabric resource model design, external networks are created on border nodes so that terminals on the
campus network can access external networks such as the Internet.
⚫ Three types of external network resources are defined: Layer 3 shared egress, Layer 3 exclusive egress, and Layer 2
shared egress. If the user gateway is located in the fabric, the Layer 3 shared egress or Layer 3 exclusive egress is
used.

 Layer 3 shared egress: Multiple virtual networks on the fabric share a Layer 3 egress to communicate with the egress device. The
Layer 3 shared egress helps save interconnection VLAN and IP resources and applies to scenarios where there are low
requirements on security control policies between virtual networks.
 Layer 3 exclusive egress: Each virtual network on the fabric exclusively uses a Layer 3 egress to communicate with the egress
device. In this case, multiple security zones are typically configured on the firewall, each corresponding to one Layer 3 exclusive
egress. The traffic of different virtual networks to the firewall is isolated from each other.

Task: Create an external network.
Procedure:
1. Select the type of the connection with the external network.
2. Select an external network resource type.
3. Configure interconnection physical interfaces, VLANs, and IP addresses.
4. Configure a routing protocol for interconnection.


Lab: Creating an External Network (1)

Create an external network for the fabric and select the egress connection mode.

[Figure: fabric resource model (External network, Network service resources) and HQ fabric topology (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1).]


Lab: Creating an External Network (2)

Complete basic configurations of the external network, including specifying the external network name, determining whether to connect the external network to the Internet (whether to use the default route as the external route), and configuring the external route.

[Figure: fabric resource model (External network, Network service resources) and HQ fabric topology (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1); callout: define the external route to the external network.]


• Basic information:
▫ If Internet connection is enabled, iMaster NCE-Campus uses a default
route to direct traffic to the corresponding external network. If Internet
connection is disabled, you need to specify a route prefix.

Lab: Creating an External Network (3)

Configure interconnection information for the external network.

[Figure: fabric resource model and HQ fabric topology (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1); callouts on Border: external route, port, local IP address, VLAN, peer IP address; configure routing information for the external network.]


• Interconnection information:
▫ Select the border device to be connected to the external network, and
select the interconnection interface, interconnection IP address, and
interconnection VLAN.
▫ Note: The configured interconnection IP address cannot conflict with IP
addresses in the underlay automation resource pool. The configured
interconnection VLAN belongs to the global resource pool of the fabric.

• Routing information:

▫ After you click Apply, iMaster NCE-Campus creates a static route to the
external network for the border device. (The static route is delivered to the
border device only when the external network is invoked by the virtual
network.)

Configuring a Fabric: Creating Network Service Resources


⚫ In the fabric resource model design, network service resources are created on a border node so that service
terminals on the campus network can access service resources, such as the DHCP server and NAC server, in the
network management zone.
⚫ You can create multiple network service resources or add IP addresses for accessing multiple network service
resources to a network service resource model.
⚫ If only a few service resources in the network management zone need to be accessed, you are advised to plan these
resources in the same network service resource model. This saves interconnection VLANs and IP addresses and
simplifies routing configuration in the network management zone.

Task: Create network service resources.
Procedure:
1. Select a server type, which can be DHCP server, third-party RADIUS server, and third-party Portal server.
2. Configure the IP addresses for accessing network service resources, such as the DHCP service address and iMaster NCE-Campus southbound IP address.
3. Select an interconnection scenario, which can be directly connected to a server or directly connected to a switch.
4. Configure interconnection physical interfaces, VLANs, and IP addresses.


Lab: Creating Network Service Resources (1)

Create a network service resource for the fabric and configure the server, including defining the name, type, and IP address of the connected server.

[Figure: fabric resource model (External network, Network service resources) and HQ fabric topology (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1); callouts: define the server type; define the server IP address; define the device IP address segment for interconnection with the server.]


• Server configuration:
▫ Server type: server resource specified by the network service resource. In
this example, the defined network service resources are a DHCP server and an
E-mail server.
▫ DHCP server: IPv4 and/or IPv6 address of a DHCP server.
▫ Server interconnection address pool: If an IPv6 address pool is configured
for the DHCP server, this parameter is mandatory. If only an IPv4 address
pool is configured for the DHCP server, this parameter is optional.

Lab: Creating Network Service Resources (2)

Complete device configurations, including selecting the scenario and configuring interconnection information.

[Figure: fabric resource model and HQ fabric topology (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1); callouts: select an interconnection scenario; configure interconnection information (interconnection port, interconnection VLAN, interconnection IP address, peer IP address).]


• Device configuration:
▫ If Directly connected to a switch is selected, the border node adds the
interconnection port to the interconnection VLAN in tagged mode to
connect to network resources. If Directly connected to a server is selected,
the switch adds the interconnection port to the interconnection VLAN in
untagged mode.
▫ Interconnection device: Select the border node (Border). The device
functions as a border node that connects the fabric to the external network
service resource.
▫ Interconnection port: Select the port used by the border node to connect
to the network service resource.
▫ Interconnection VLAN: Select the VLAN used by the border node to
connect to the network service resource.
▫ Interconnection IPv4 address: Select the IP address of the port used by the
border node to connect to the network service resource.
▫ Peer IPv4 address: Select the IP address of the peer device.
▫ Mask: Select the network mask.
• Note: The configured interconnection IP address cannot conflict with the IP
address in the underlay automation resource pool. The configured
interconnection VLAN belongs to the fabric global resource pool.
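The same note appears for external networks and for network service resources: the interconnection IP address must not collide with the underlay automation resource pool, and the interconnection VLAN must come from the fabric global resource pool. The following added example (written for this page, not Huawei or iMaster NCE-Campus code) performs that check offline for a proposed border interconnection and also verifies that the peer address lies in the same interconnection subnet. The pool values, the function name and the peer-subnet rule are assumptions of this example.

```python
import ipaddress

# Constructed pools standing in for the fabric's planned resources (not the lab's real values).
UNDERLAY_AUTOMATION_POOL = ("10.255.0.0/24", "10.254.0.0/24")   # loopback/VTEP/link addresses
FABRIC_GLOBAL_VLAN_POOL = range(100, 200)                        # VLAN IDs 100 to 199


def check_interconnection(local_ip_with_mask, peer_ip, vlan,
                          ip_pool=UNDERLAY_AUTOMATION_POOL,
                          vlan_pool=FABRIC_GLOBAL_VLAN_POOL):
    """Return the problems found in a proposed border interconnection (empty list = OK)."""
    problems = []
    local = ipaddress.ip_interface(local_ip_with_mask)
    peer = ipaddress.ip_address(peer_ip)
    # Interconnection addresses must not overlap the underlay automation resource pool.
    for prefix in ip_pool:
        if local.network.overlaps(ipaddress.ip_network(prefix)):
            problems.append(f"{local} overlaps the underlay automation pool {prefix}")
    # The peer must sit in the same interconnection subnet as the local address (assumption).
    if peer not in local.network:
        problems.append(f"peer {peer} is outside {local.network}")
    elif peer == local.ip:
        problems.append("peer address equals the local address")
    # The interconnection VLAN is taken from the fabric global resource pool.
    if vlan not in vlan_pool:
        problems.append(f"VLAN {vlan} is not in the fabric global resource pool")
    return problems
```

`check_interconnection("192.168.100.1/30", "192.168.100.2", 150)` returns an empty list, while a local address inside 10.255.0.0/24 or a VLAN outside 100 to 199 is reported before anything reaches the controller.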

Configuring a Fabric: Configuring Access Management


⚫ Access control needs to be deployed on the campus network to authenticate access users, including 802.1X
authentication, MAC address authentication, and Portal authentication. The implementation of 802.1X
authentication and MAC address authentication requires the use of the RADIUS server, whereas the implementation
of Portal authentication requires the use of the RADIUS server and Portal server.
⚫ Configuring access management for the fabric is to configure authentication control points and plan access point
resources, which will be used during virtual network creation.
⚫ Wired access point resources refer to switch interfaces connected to terminals, and wireless access point resources
refer to SSIDs connected to terminals.

During access management configuration for the fabric, three connection types are defined for access ports of switches:
◼ Extended AP: Huawei Fit APs, which can be managed by iMaster NCE-Campus.
◼ Extended access switch: Huawei switches, which can be managed by iMaster NCE-Campus.
◼ Terminal (PCs, phones, dumb terminals, and non-fabric extended access switches or APs): user terminals, switches and APs that cannot be
managed by iMaster NCE-Campus, and switches that can be managed by iMaster NCE-Campus but do not support fabric extension.

⚫ Access management configuration for the fabric varies depending on the gateway solution.


Lab: Configuring Fabric Access Management (1)

Configure access management on Edge_1 and activate authentication on the switch interface.

[Figure: HQ fabric topology (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1); Edge_1 is the authentication control point with policy association to ACC_1 and ACC_2 as authentication enforcement points; callouts: configure an authentication control point; configure an authentication enforcement point.]


• Policy association:
▫ Configure the management VLAN and management IP address for policy
association.
▫ The configured management IP address cannot conflict with the IP
addresses in the underlay automation resource pool. The configured
management VLAN belongs to the global resource pool of the fabric.

Lab: Configuring Fabric Access Management (2)

Configure access management on Edge_2 and activate authentication on the switch interface.

[Figure: HQ fabric topology (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1); Edge_2 is the authentication control point with policy association to the access switches as authentication enforcement points; callouts: configure an authentication control point; configure an authentication enforcement point.]


Logical Network
⚫ After a fabric is created, you can select network resources in the fabric to create virtual network instances.
⚫ To enable access users in different virtual networks to communicate with each other, you need to configure virtual
network interworking.

Task: Logical network.
Procedure:
1. Create virtual networks. Different virtual networks represent services of different users and can be used to isolate services of these users.
2. Configure virtual network interworking to ensure that there are reachable underlay network routes between users in different virtual networks.

[Figure: fabric resource model (External network, Network service resources, Logical network) and HQ fabric topology with the OA VN and RD VN (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1, PC1, PC2, PC3).]

VN | Access User
OA | Sales_Wired: 172.17.10.0/24; Sales_Wireless: 172.17.11.0/24; Market_Wired: 172.17.20.0/24; Market_Wireless: 172.17.21.0/24
RD | RD: 172.17.30.0/24


Fabric Resource Pools and Resource Invoking During Virtual Network Creation

Fabric resource pool: VLAN resource pool, which is used in scenarios where terminals are connected to virtual networks and virtual networks communicate with external networks. The VLAN resource pool is planned during the configuration of the fabric global resource pool.
How to invoke it during virtual network creation: When creating a user gateway in a virtual network, select a resource from the fabric global resource pool to configure a user VLAN.

Fabric resource pool: BD and VNI resource pools, which are used to divide Layer 2 broadcast domains in a virtual network and configure VBDIF interfaces as the gateway interfaces of user subnets. The BD and VNI resource pools are planned during the configuration of the fabric global resource pool.
How to invoke it during virtual network creation: When a user gateway is created in a virtual network, resources in the BD and VNI resource pools are automatically invoked to create a BD and the corresponding VBDIF interface.

Fabric resource pool: User access point resource pool, which is planned during fabric access management configuration. This resource pool includes the authentication modes that can be configured on access points.
How to invoke it during virtual network creation: When configuring user access in a virtual network, you can select planned access point resources.

Fabric resource pool: Egress pool, which contains the external resources that can be used by virtual networks. Two types of external resources are created during fabric configuration:
• External networks: used for virtual networks to communicate externally
• Network service resources: used for virtual networks to communicate with the authentication server and DHCP server, etc.
How to invoke it during virtual network creation: When creating a virtual network, you can select external networks and network service resources.


Creating a Virtual Network

⚫ Creating a virtual network is to create a VPN instance to isolate different services.

Task: Create a virtual network.
Procedure:
1. (Optional) Select network service resources for communication between the virtual network and network service resources (this step is typically performed).
2. (Optional) Select an external network for communication between the virtual network and external network (this step is typically performed).
3. Configure a user gateway, which can be manually specified or automatically allocated.
4. Configure wired access: Select the access ports configured during fabric access management configuration, and add the ports to the service VLAN configured on the user gateway.
5. Configure wireless access: Select the AC that connects to the wireless user subnet. Then the service VLAN configured on the user gateway will be delivered to the AC.


Lab: Creating a Virtual Network (1)

Create a virtual network, define the virtual network name and user gateway location, and configure the external network and network service resources that the virtual network can access.

[Figure: fabric resource model (External network, Network service resources) and HQ fabric topology with the RD VN and OA VN (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1, PC1, PC2, PC3).]


Lab: Creating a Virtual Network (2)

Define user gateways for the virtual network. User gateways can be manually created one by one by the network administrator or created in a batch through automatic allocation.

[Figure: fabric resource model (External network, Network service resources) and HQ fabric topology with the RD VN and OA VN (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1, PC1, PC2, PC3).]

VN | Access User
OA | Sales_Wired: 172.17.10.0/24; Sales_Wireless: 172.17.11.0/24; Market_Wired: 172.17.20.0/24; Market_Wireless: 172.17.21.0/24
RD | RD: 172.17.30.0/24


Lab: Creating a Virtual Network (3)

Configure wired access.

[Figure: fabric resource model (External network, Network service resources) and HQ fabric topology with the RD VN and OA VN (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1, PC1, PC2, PC3).]


• User access is configured on the access points of the current virtual network.
• Wired access: Users on the OA virtual network need to access the network
through ACC_1 and ACC_2 and they all need to be authenticated. Therefore, in
the wired access configuration, you need to select the interfaces on which
authentication has been enabled on the two switches.

Lab: Creating a Virtual Network (4)

Configure wireless access.

[Figure: fabric resource model (External network, Network service resources) and HQ fabric topology with the RD VN and OA VN (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1, PC1, PC2, PC3).]


• Wireless access: Select the border device in the wireless access configuration. The
border device is a switch that provides the native AC, through which it manages
APs and provides the wireless access service.

Communication Between Virtual Networks

⚫ By default, virtual networks are isolated from each other. However, in some scenarios, they may need
to communicate with each other, so reachable routes must be configured between them.
⚫ Configuring communication between virtual networks is to create static routes for VPN instances so
that access users in different virtual networks can communicate with each other.

Task: Configure communication between virtual networks.
Procedure:
1. Select interconnection devices.
2. Select the interworking mode, including full interworking and partial interworking.
3. Configure the source virtual network, source IPv4 prefix, destination virtual network, and destination IPv4 prefix.


Lab: Configuring Virtual Network Interworking

Access the VN Interwork page, and click Add to configure interworking between virtual networks.

[Figure: reachable routes across the fabric between OA_VN (Market_Wired, 172.17.20.0/24) and RD_VN (RD, 172.17.30.0/24).]
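Interworking is implemented as static routes in the two VPN instances, and the page describes it as full or partial with a source VN/prefix and destination VN/prefix. The following added example (written for this page, not Huawei or iMaster NCE-Campus code) models both modes on the lab's virtual networks and user subnets: a partial entry produces one route in each direction, full interworking produces the deduplicated set for every subnet pair. It also refuses a prefix that is not a user subnet of its own VN, which is an extra safeguard assumed by this example rather than a behaviour the page documents.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the lab's virtual networks and user subnets ("Logical Network" slide).
VIRTUAL_NETWORKS = {
    "OA_VN": ("172.17.10.0/24", "172.17.11.0/24", "172.17.20.0/24", "172.17.21.0/24"),
    "RD_VN": ("172.17.30.0/24",),
}


@dataclass(frozen=True)
class VpnStaticRoute:
    vpn_instance: str   # VPN instance in which the route is installed
    destination: str    # destination prefix
    next_hop_vpn: str   # VPN instance the route points into


def _is_user_subnet(vn, prefix, vns):
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in vns[vn])


def interworking_allowed(src_vn, src_prefix, dst_vn, dst_prefix, vns=VIRTUAL_NETWORKS):
    """True when both prefixes belong to the virtual networks they are declared for (assumption)."""
    return _is_user_subnet(src_vn, src_prefix, vns) and _is_user_subnet(dst_vn, dst_prefix, vns)


def interworking_routes(src_vn, src_prefix, dst_vn, dst_prefix, vns=VIRTUAL_NETWORKS):
    """Partial interworking: the pair of static routes for one source/destination entry."""
    if not interworking_allowed(src_vn, src_prefix, dst_vn, dst_prefix, vns):
        raise ValueError(f"{src_prefix} or {dst_prefix} is not a user subnet of its VN")
    return [
        VpnStaticRoute(src_vn, dst_prefix, dst_vn),   # src VN reaches the dst subnet
        VpnStaticRoute(dst_vn, src_prefix, src_vn),   # return path in the dst VN
    ]


def full_interworking(vn_a, vn_b, vns=VIRTUAL_NETWORKS):
    """Full interworking: every subnet of vn_a reaches every subnet of vn_b, and back."""
    routes = []
    for a in vns[vn_a]:
        for b in vns[vn_b]:
            routes.extend(interworking_routes(vn_a, a, vn_b, b, vns))
    return list(dict.fromkeys(routes))   # drop duplicates, keep order
```

With the lab's networks, the partial entry from the slide (Market_Wired to RD) yields two routes, while `full_interworking("OA_VN", "RD_VN")` yields five: one in OA_VN towards 172.17.30.0/24 and one in RD_VN per OA subnet. Comparing the two lists shows how much wider a full interworking entry opens the VNs to each other.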


Service Deployment
⚫ On large campus networks, users are usually allowed access from any location, any VLAN, and any IP
network segment with controlled network access rights.

Task: Service deployment.
Procedure:
1. Configure free mobility, including creating security groups, resource groups, and a policy control matrix.
2. Configure access authentication, including creating user authentication accounts, authentication rules, authorization results, and authorization rules, as well as page management.

[Figure: security group-based policy control matrix over the fabric; resource group E_mail; security groups Sales_Wired (802.1X), Sales_Wireless (Portal), Market_Wired (802.1X) and Market_Wireless (Portal) in OA_VN, and RD (802.1X) in RD_VN.]


Lab: Creating a Security Group

⚫ A security group is an entity unit for permission control. Users are assigned to different security groups,
and access permissions are configured between security groups to implement user permission
management on the network.

[Figure: security groups Sales_Wired (802.1X), Sales_Wireless (Portal), Market_Wired (802.1X) and Market_Wireless (Portal) in OA_VN, and RD (802.1X) in RD_VN, on the fabric.]


Lab: Creating a Resource Group

⚫ Different network service resources can be allocated to different resource groups. You can configure
access permissions from security groups (source) to resource groups (destination) to manage the
access to network service resources.

[Figure: resource group E_mail above the fabric; security groups Sales_Wired (802.1X), Sales_Wireless (Portal), Market_Wired (802.1X) and Market_Wireless (Portal) in OA_VN, and RD (802.1X) in RD_VN.]


Lab: Creating a Policy Control Matrix (1)

⚫ Administrators can define network-wide permission control policies based on security groups. An inter-
group policy controls access between groups.

[Figure: HQ fabric topology (Border, Edge_1, Edge_2, ACC_1, ACC_2, AP1, PC1, PC2, PC3) with the policy enforcement point marked; callout: select policy enforcement points for free mobility.]


Lab: Creating a Policy Control Matrix (2)

⚫ Administrators can define network-wide permission control policies based on security groups. An inter-
group policy controls access between groups.

Policy control matrix: enables visualized management of communication policies between security groups on a campus network.

[Figure: security group-based policy control matrix over the fabric; resource group E_mail; security groups Sales_Wired (802.1X), Sales_Wireless (Portal), Market_Wired (802.1X) and Market_Wireless (Portal) in OA_VN, and RD (802.1X) in RD_VN.]


• When multiple policies are configured to control access from a source security
group to multiple destination groups, the sequence in which these policies are
matched can be determined based on the policy priority. For example, if the
destination groups are resource groups, in which case the destination IP
addresses may be the same, you need to manually adjust the policy priorities to
ensure that a specific policy is matched first.
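The note above is the subtle part of a policy control matrix: when two destination resource groups contain the same addresses, which policy wins is decided by priority, not by the matrix cell. The following added example (written for this page, not Huawei or iMaster NCE-Campus code) models inter-group policies with priorities, resolves a decision by first match, and reports the same-source policy pairs whose destination groups overlap, which are exactly the rows whose priorities need manual review. The group names, address ranges, the "lower value first" ordering and the default deny action are assumptions of this example.

```python
import ipaddress

# Constructed resource groups; the two groups deliberately share an address range,
# which is the situation the note above describes.
RESOURCE_GROUPS = {
    "Mail_Servers": ("10.10.1.0/24",),   # the whole e-mail server segment
    "Mail_Admin": ("10.10.1.25/32",),    # one host inside that segment
}

# Inter-group policies: source security group -> destination resource group.
# Lower priority value = evaluated first (ordering convention assumed here).
POLICIES = [
    {"src": "Sales_Wired", "dst": "Mail_Servers", "action": "permit", "priority": 20},
    {"src": "Sales_Wired", "dst": "Mail_Admin", "action": "deny", "priority": 10},
    {"src": "Market_Wired", "dst": "Mail_Servers", "action": "permit", "priority": 20},
]
DEFAULT_ACTION = "deny"   # assumed default for traffic that matches no policy


def _networks(group):
    return [ipaddress.ip_network(p) for p in RESOURCE_GROUPS[group]]


def decide(src_group, dst_ip, policies=POLICIES):
    """Action for traffic from a security group to an IP: first match in priority order wins."""
    dst = ipaddress.ip_address(dst_ip)
    for pol in sorted(policies, key=lambda p: p["priority"]):
        if pol["src"] == src_group and any(dst in net for net in _networks(pol["dst"])):
            return pol["action"]
    return DEFAULT_ACTION


def overlapping_policies(policies=POLICIES):
    """Same-source policy pairs whose destination groups overlap, so priority decides."""
    ordered = sorted(policies, key=lambda p: p["priority"])
    found = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if a["src"] != b["src"]:
                continue
            if any(x.overlaps(y) for x in _networks(a["dst"]) for y in _networks(b["dst"])):
                found.append((a["src"], a["dst"], b["dst"]))
    return found


def with_priority(policies, dst_group, priority):
    """Copy of the policy list with the priority of every policy to one destination group changed."""
    return [dict(p, priority=priority) if p["dst"] == dst_group else dict(p) for p in policies]
```

With the priorities as listed, Sales_Wired is denied to 10.10.1.25 (the Mail_Admin host) but permitted to the rest of the segment; moving the Mail_Admin policy to priority 30 silently flips that host to permit, because the broader Mail_Servers policy now matches first. `overlapping_policies()` lists the pair that makes this possible.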

Access Authentication

802.1X authentication
⚫ 802.1X is a port-based network access control protocol. It verifies user identities and controls access permissions of users on ports of LAN access devices.
⚫ When iMaster NCE-Campus functions as a RADIUS server, 802.1X authentication configuration on the server is illustrated in the following table:

Task: Configure 802.1X authentication.
Procedure:
1. Create user authentication accounts.
2. Configure authentication rules.
3. Configure authorization results and authorization rules.

Portal authentication
⚫ Portal authentication is also known as web authentication, and websites for Portal authentication are referred to as web portals. When a user accesses the network, the user must be authenticated on the web portal. If the user fails the authentication, the user can access only specified network resources. The user can access other network resources only after being authenticated successfully.
⚫ When iMaster NCE-Campus functions as the Portal server and RADIUS server, Portal authentication configuration on the server is illustrated in the following table:

Task: Configure Portal authentication.
Procedure:
1. Create user authentication accounts.
2. Configure authentication rules.
3. Configure authorization results and authorization rules.

Task: (Optional) Configure a MAC authentication exemption policy.
Procedure: To enable a user client to be exempt from authentication based on its MAC address within a period after the client passes Portal authentication for the first time, configure a MAC authentication exemption policy in the user control policy.


Lab: Creating a User Group and Account

⚫ In the enterprise employee access scenario, user name and password authentication can be used to implement end
user access.
⚫ During 802.1X and Portal authentication, users need to enter account information for authentication.
 Account: includes the user name and password. It is created by the administrator on iMaster NCE-Campus in advance.

[Figure: 1. Create a user group to which the user belongs. 2. Create an account in the matching user group.]


• For example, when creating an account named kris (RD user), deselect Change
password upon next login. As this user belongs to the RD user group, which
does not require Portal authentication, deselect Portal in the Available login
mode area.

Lab: Configuring Authentication Rules


⚫ You can configure authentication rules to authenticate clients and users who access the network, ensuring network
security.
⚫ iMaster NCE-Campus has a default authentication rule named Default. According to the rule, the local data source
is used for authentication.


Lab: Configuring Authorization Results


⚫ When configuring access authentication, you need to
configure the rights obtained by users after they pass
authentication.
⚫ In the authorization result, you can define the rights to
be authorized to users, such as ACLs, security groups,
URL filtering policies, and VLANs.


• After configuring authorization results, you need to bind the results to created
sites.
• iMaster NCE-Campus provides two default authorization results: permit access
and deny access. Once selected, the default authorization result takes effect for
all sites and cannot be modified or deleted.

Lab: Configuring an Authorization Rule (1)

⚫ When authorizing a user who passes the authentication, the system matches the user against an authorization rule
and grants specific permissions (called authorization results) to the user based on the matching rule.

[Figure: 1. Configure the authorization rule name, authentication mode, and access mode.]


• An authorization rule defines authorization conditions. A user that matches the
conditions can obtain the corresponding authorization result. That is, an
authorization result specifies the permissions that a user can be granted after the
user is authenticated successfully.
• iMaster NCE-Campus provides a default authorization rule named default, in
which the authorization result is deny access. The default authorization result can
be modified to allow the use of another authorization result.
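The rule-to-result relationship described above (conditions on user group, authentication mode and access mode; a default rule whose result is deny access unless changed) is shown in the following added example, which is written for this page and is not Huawei or iMaster NCE-Campus code. The rule and result names, the rights they carry and the "first matching rule wins" evaluation order are assumptions of this example; the deny-access default and the fact that it can be swapped for another result come from the page.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class AuthorizationResult:
    """Rights granted after authentication (the page lists ACLs, security groups, URL filtering, VLANs)."""
    name: str
    security_group: Optional[str] = None
    vlan: Optional[int] = None
    acl: Optional[str] = None


@dataclass(frozen=True)
class AuthorizationRule:
    """Matches on user group, authentication mode and access mode; an empty set means 'any'."""
    name: str
    result: AuthorizationResult
    user_groups: FrozenSet[str] = frozenset()
    auth_modes: FrozenSet[str] = frozenset()
    access_modes: FrozenSet[str] = frozenset()

    def matches(self, user_group, auth_mode, access_mode):
        return ((not self.user_groups or user_group in self.user_groups)
                and (not self.auth_modes or auth_mode in self.auth_modes)
                and (not self.access_modes or access_mode in self.access_modes))


DENY_ACCESS = AuthorizationResult("deny access")
DEFAULT_RULE = AuthorizationRule("default", DENY_ACCESS)   # matches everyone, as on the page

# Constructed rules for the lab's user groups (names and rights are assumptions of this example).
SAMPLE_RULES = (
    AuthorizationRule("rd-wired", AuthorizationResult("RD_rights", security_group="RD"),
                      frozenset({"RD"}), frozenset({"802.1X"}), frozenset({"Wired"})),
    AuthorizationRule("sales-wireless",
                      AuthorizationResult("Sales_wireless_rights", security_group="Sales_Wireless"),
                      frozenset({"Sales"}), frozenset({"Portal"}), frozenset({"Wireless"})),
)


def authorize(user_group, auth_mode, access_mode, rules=SAMPLE_RULES, default=DEFAULT_RULE):
    """Return (rule name, result): first matching rule wins, unmatched users get the default."""
    for rule in rules:
        if rule.matches(user_group, auth_mode, access_mode):
            return rule.name, rule.result
    return default.name, default.result
```

An RD user authenticating with 802.1X on a wired port lands in `rd-wired`; the same user arriving over Portal on wireless matches nothing and receives deny access from the default rule, which is the safe outcome the page's default gives until an administrator deliberately changes it.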

Lab: Configuring an Authorization Rule (2)

[Figure: 2. Match users by user group information. 3. Bind the authorization result to the authorization rule.]


WLAN Service
⚫ In the distributed gateway solution, if the fabric uses a networking model where VXLAN is deployed across the core
and aggregation layers and the border device provides the native AC function, APs need to be onboarded and
managed by the border device. APs on the campus need to broadcast an SSID for wireless access, and STAs that
have associated with this SSID need to undergo Portal authentication.

[Figure: HQ fabric topology with VXLAN between Border (native AC; management IP address 172.16.20.254; management VLAN: VLAN 2) and Edge_1/Edge_2; AP1 and PC1, PC2, PC3 behind ACC_1 and ACC_2.]

Task: AP onboarding.
Procedure:
1. Add APs to the HQ site and associate the APs with the border device.
2. Create a management network segment and a management VLAN for AP onboarding.
3. Configure the PnP management VLAN for wireless devices.
4. Configure the source interface for the CAPWAP tunnel on the border device.

Task: Wireless service configuration on the controller.
Procedure:
1. Create wireless authentication and configure Portal authentication information.

Task: Wireless service delivery (Web UI of the border device).
Procedure:
1. Configure an SSID profile.
2. Configure a VAP profile, and bind the SSID profile and authentication profile to it.
3. Bind the VAP profile to an AP group.


Lab: AP Onboarding (1)


⚫ Choose Design > Device Management, and manually add a device to the HQ site. Set the protocol type to
NETCONF, and add an AP by entering its ESN. As the AP is not onboarded, it is in the unregistered state.

⚫ Choose Provision > Site Configuration, select the Fit AP Management function of the switch, click the border
device, and click Add to associate AP1 with the border device.


Lab: AP Onboarding (2)


⚫ Choose Provision > Site Configuration, select the Subnet function of the switch, and create a subnet for AP
onboarding. Through this subnet, the AP can obtain the IP addresses of the AC and controller.

1. Set the subnet name and management VLAN ID, select the method of obtaining the IP address of the AP, and set the management network segment of the AP.
2. Enable the DHCP function, set the AP working mode to Fit AP, and enable the controller address auto-negotiation and AC address auto-negotiation functions.


Lab: AP Onboarding (3)


⚫ Choose Provision > Site Configuration, select the Management VLAN function of the site, and set the wireless
PnP VLAN ID of the border device.

⚫ Then set the source address of the CAPWAP tunnel on the web UI of the border node. The AP can then obtain its
own IP address, AC address, and controller address from the address pool of the VLANIF2 interface and successfully
register with the border device and controller. After the registration, the AP status changes to normal.


Lab: Wireless Service Configuration on the Controller (1)


⚫ Choose Provision > Site Configuration, select the Wireless Authentication function of the switch, and
configure wireless authentication.
1. Set the wireless authentication name and SSID name, and select the authentication mode.
2. Set the page push mode, and select the Portal and RADIUS servers.


• This example shows the wireless service configuration of sales personnel.



Lab: Wireless Service Configuration on the Controller (2)


3. Select an authentication policy.


Lab: Wireless Service Configuration on the Controller (3)


4. Select a security authentication policy.
5. Select a wireless authentication device.


Lab: Wireless Service Delivery


⚫ Choose Design > Device Management, select the HQ site, and click the border device to access the border device
management page.

⚫ Click Device Configuration to access the web UI of the border device.

The WLAN service configuration on the web UI of the border device is not provided here.

Quiz

1. (Short-answer question) What site creation methods are supported by iMaster NCE-Campus?
2. (Multiple-answer question) Which of the following parameters can be entered in the fabric global resource pool? ( )
A. VLAN
B. Loopback interface IP address
C. Bridge domain (BD)
D. VXLAN network identifier (VNI)


1. Create sites one by one or in a batch.
▫ Create sites one by one: This mode applies when a small number of sites need to be added.
▫ Create sites in a batch: This mode applies when a large number of sites need to be added.
2. ACD
Summary

⚫ This course introduces the process of deploying a virtualized campus network, and provides hands-on labs to help trainees understand the functions of the CloudCampus Solution and develop the skills required for deploying a virtualized campus network.
⚫ Upon completion of this course, you will be able to deploy the virtualized campus network solution on your own and perform network O&M and management.

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Small- and Medium-Sized Cloud-Managed
Campus Network Design
Foreword

⚫ With the development of technologies and the digitalization of industries, services in small- and medium-scale scenarios, such as chain stores and branch offices, are gradually connected to the enterprise intranet through cloud-managed networks. An IDC report reveals the radical difference between traditional products and cloud-based products in terms of annual growth rate from 2014 to 2018. For example, the annual growth rate of traditional Wi-Fi was only 5%, while that of cloud Wi-Fi was 38%; the annual growth rate of traditional switches and access routers was just 2%, whereas that of cloud switches and access routers was as high as 61%. These figures show that cloud-managed networks have become the trend in constructing small- and medium-sized campus networks. Cloud-based solutions help enterprises improve management efficiency and build networks that can quickly support the development of new services. Huawei's CloudCampus Solution uses cloud computing technology to implement automatic and centralized network management, and provides data collection and analysis capabilities that are unavailable on traditional networks, so as to achieve network (LAN/WLAN) as a service (NaaS).

⚫ This document mainly describes the design and planning methods of small- and medium-sized campus networks in
terms of the solution architecture, technical solution comparison, engineering design suggestions, and O&M.

Objectives

⚫ On completion of this course, you will be able to:


 Describe the architecture of Huawei's CloudCampus Solution for small- and
medium-sized campus networks.
 Describe typical networking schemes for small- and medium-sized campus
networks.
 Independently design the CloudCampus solution for small- and medium-sized
campus networks based on user requirements, including networking design,
physical network design, site deployment design, basic network service design,
WLAN design, and admission control design.

Contents

1. Small- and Medium-Sized Campus Network Trends and Challenges

2. Overview of Huawei's CloudCampus Cloud-Managed Network Solution for Small- and Medium-Sized Campus Networks

3. Design of Small- and Medium-Sized Campus Networks with Huawei's CloudCampus Cloud-Managed Network Solution

Challenges Faced by Small- and Medium-Sized Campus
Networks
Accelerated industry changes
Network cloudification brings rapid development in new ICT technologies, such as cloud computing, cloud security, big data, and IoT, leading to tremendous changes in all industries.
• Traditional retailers such as shopping malls and supermarkets offer free Wi-Fi as a way to attract and retain customers, and they also use wireless positioning and customer flow analytics to carry out precision marketing.
• In the education sector, e-classrooms are becoming more and more popular, and diversified multimedia teaching methods further stimulate students' interest in learning.
• Smart healthcare enables hospitals and other healthcare institutions to connect to each other through networks. This implements unified management and analysis of medical data and facilitates medical treatment.
As a pipe that carries upper-layer services and data, the network is becoming more and more complex with a growing number of nodes.

Problems in traditional deployment and management solutions
Low deployment efficiency, which slows down service provisioning
• Site survey, planning, deployment, software commissioning, configuration, and optimization must be completed onsite by professional IT personnel.
Complex network management and high OPEX
• Local professional O&M results in low O&M efficiency and high labor costs. The network management system (NMS), policy control server, charging system, and data analysis platform are deployed independently, causing high management and maintenance costs.
Poor network openness
• The open data provided by multiple management systems on the traditional network needs to be further integrated. In addition, because of API incompatibility, connecting the network to applications is slower than application development.

Service Requirement Analysis for Small- and Medium-Sized
Campus Networks
Plug-and-play network devices improve deployment efficiency (unified management and centralized configuration)
Figure: network devices at a site are plug-and-play and expanded on demand.
• Configurations of multiple sites are centrally delivered, reducing onsite configuration and commissioning workload and improving deployment efficiency.
• Network devices are plug-and-play and able to be expanded on demand, requiring low cost for upgrades.

Cloud-based centralized O&M simplifies multi-site O&M (centralized cloud management of multiple branches and remote automatic O&M)
Figure: site networks 1, 2, ..., N managed by the cloud management platform.
• Geographically dispersed campus branch networks are centrally managed on the cloud through the Internet.
• Troubleshooting and monitoring tools as well as many other automation tools are integrated for remote automatic O&M.

Open APIs accelerate business application integration (openness and big data analytics capability)
• With open APIs and big data analytics capabilities, the cloud management platform can interconnect with multiple management systems to achieve unified network management.
• It is also able to provide diversified value-added applications to lead enterprises into digital transformation.

Small- and Medium-Sized Campus Network Trends

Network cloudification
• Due to evolution to the cloud architecture, enterprises can focus more on their mission-critical services, without paying too much attention to IT architecture construction.
• To support service cloudification, enterprises need to create a ubiquitous, intelligent, controllable, and on-demand network.
• The network needs to become more a service than a solution.

Cloud security
• Cloud security becomes more important than ever.
• Facing cloudification, enterprises are vulnerable to attacks that are fundamentally different from those on traditional networks when providing various services.
• Security has shifted from passive defense to proactive defense.
• Detection and response have become as important as defense.

IoT
• The rise of IoT leads to a huge increase in the number and types of terminals accessing the network, and these terminals generate a large amount of data.
• Diversified IoT sensing networks need to be smoothly connected to the existing campus network.
• The types of terminals connected to the campus network are more complex than ever. As a result, the campus network becomes a converged network that accommodates multiple types of terminals and media.

Contents

1. Small- and Medium-Sized Campus Network Trends and Challenges

2. Overview of Huawei's CloudCampus Cloud-Managed Network Solution for Small- and Medium-Sized Campus Networks

3. Design of Small- and Medium-Sized Campus Networks with Huawei's CloudCampus Cloud-Managed Network Solution

Huawei CloudCampus Cloud-Managed Network Solution
Figure: three layers, from top to bottom: value-added SaaS platform (industry-specific applications), cloud management platform, and multi-tenant network.

Ultra-broadband connection, improving network and application quality
• All-scenario WLAN: large bandwidth, high concurrency, and low latency.
• Secure, reliable platform and network: in compliance with the laws and regulations of the industry and countries concerned.
• Open APIs: key driver of industry-specific applications and digital transformation.

Simplified management, reducing OPEX
• Online network planning platform for both indoor and outdoor scenarios: customized network planning templates; support for automatic generation of network planning reports.
• Diversified scenario-specific configuration packages: one-stop configuration of topologies as well as related device models and parameters.
• O&M based on GIS maps, logical topologies, and an easy-to-use mobile app.
• Online centralized inspection of multiple branches; automatic inspection report generation.

AI-powered cloud-based intelligent O&M
• Intelligent network O&M: proactively predicts potential faults, ensuring user and application access experience.
• SD-WAN: intelligently ensures WAN interconnection of mission-critical services, delivering ultimate experience to branches.


• In this slide, CloudCampus Network refers to Huawei's CloudCampus Cloud-Managed Network Solution for Small- and Medium-Sized Campus Networks.
Architecture of Huawei's Cloud-Managed Network Solution
Figure: architecture of Huawei's cloud-managed network solution.
• Value-added SaaS platform: big data analytics, customer flow analysis, ESL, App, ...
• RESTful API between the SaaS platform and the cloud management platform.
• Cloud management platform (Huawei public cloud scenario, MSP-owned cloud scenario, or on-premises scenario): cloud-based network planning, cloud-based deployment, cloud-based O&M, and cloud-based inspection.
• Internet between the cloud management platform and each site.
• Multi-tenant network: firewall, AR, switch, WAC, AP, central AP, and RU at sites such as a shopping center or primary/secondary school, a supermarket/shopping mall, a hotel, and a mini-store (a DCN in the on-premises scenario).

• Huawei's CloudCampus Solution applies to three deployment scenarios: Huawei public cloud, MSP-owned cloud, and on-premises. The on-premises scenario applies to large- and medium-sized campus networks. The Huawei public cloud and MSP-owned cloud scenarios apply to small- and medium-sized campus networks. This document focuses on the Huawei public cloud scenario, which is a cloud management scenario.

• Huawei's CloudCampus Solution for small- and medium-sized campus networks uses cloud computing technology to implement automatic and centralized network management, and provides data collection and analysis capabilities that are unavailable on traditional networks, so as to achieve network (LAN/WLAN) as a service (NaaS).

• There are three layers in the architecture of Huawei CloudCampus Solution for small- and medium-sized campus networks: multi-tenant network, cloud management platform, and value-added SaaS platform.

• Multi-tenant network: It consists of over one hundred network devices, including APs, switches, firewalls, and ARs, and is deployed at the customer side to provide user access.

• Cloud management platform: iMaster NCE-Campus, an SDN controller, is the core component of the CloudCampus Solution. It is also a cloud-based network management, O&M, and control system. In addition to offering basic management and configuration for cloud-based devices, remote O&M and monitoring, and user admission control, iMaster NCE-Campus can implement various value-added services based on the big data platform. iMaster NCE-CampusInsight is an intelligent network analysis engine that provides intelligent O&M services for user networks and integrates AI into O&M. Based on data such as device performance indicators and terminal logs, iMaster NCE-CampusInsight digitalizes user experience on the network through big data analytics, AI algorithms, and more advanced analysis technologies, helping customers detect network problems in a timely manner and improve user experience.

• Value-added SaaS platform: iMaster NCE-Campus provides open interfaces to interconnect with other service systems (such as the big data platform) to offer tenants a variety of value-added application services, such as customer flow analysis, business portal push, electronic shelf label (ESL), asset management, and medical IoT.
Components of Huawei's CloudCampus Network Solution

Figure: components of the solution.
• Huawei support system: ESDP platform (for licenses), PKI platform (for device certificates), Huawei's support website (for software versions & patches), and ServiceTurbo-Cloud.
• Cloud management platform: registration center.
• Cloud deployment environment: Huawei public cloud.
• Cloud-managed devices and a mobile app (for remote O&M): firewall, AR, switch, AP, WAC, central AP, RU, and mobile app.

• ServiceTurbo-Cloud (https://serviceturbo-cloud.huawei.com/) is an enterprise tool service cloud platform. It provides one-stop tool services for Huawei, partners, and customer service engineers in government and enterprise service scenarios.
Solution Component: iMaster NCE-Campus
⚫ iMaster NCE-Campus is a main configuration and management platform in the CloudCampus Solution.
It is a main portal for CloudCampus service configuration, O&M, and monitoring.

Figure: layers of iMaster NCE-Campus.
• Application service layer (health management, asset management, intelligent OAM, MDM, e-Schoolbag, ...). Automated + intelligent: SDN-based automatic service configuration/deployment; AI-powered intelligent analysis/prediction/troubleshooting.
• Management, control, and analysis layer (all-in-one management + control + analysis): unified database; centralized detection/locating/processing.
• Infrastructure layer (plan + construct + maintain + optimize): full-lifecycle management; simulation/verification/monitoring/optimization.

iMaster NCE-Campus is an autonomous driving campus network management and control system.

Solution Component: Registration Center

Figure: network devices at branches (1) query the Huawei registration center over the Internet for the IP address and port number of the cloud management platform, then (2) initiate a registration request after obtaining the cloud management platform address. The cloud management platform synchronizes device information (ESN and MAC address) to the registration center.
Work out of the box: Devices are already preset with the registration center domain (register.naas.huawei.com) before factory delivery. No additional configuration is required.
Secure transmission: Bidirectional authentication and encryption are performed for query channels based on HTTP/2, ensuring that user device information is not disclosed.
Wide coverage: Multiple registration centers are deployed around the world.
Quick response: The smart DNS returns the address of the registration center server nearest to devices, ensuring fast query.

At branches, devices can automatically go online on the cloud management platform without additional configuration.

Solution Component: iMaster NCE-CampusInsight
AS-IS: device-centric network management
Traditional NMS with SNMP and minute-level network data collection: topology management, performance management, alarm management, and configuration management.
• Device-centric, lacking insights into user experience
• Passive response, unable to identify potential faults
• Heavy reliance on onsite fault locating by experienced engineers

TO-BE: AI-powered intelligent O&M centered on user experience
Telemetry with second-level network data collection: visualized experience management, user journey playback, potential fault identification, root cause identification, and predictive network optimization.
Visualized experience: Telemetry-based second-level data collection, visualizing the experience of any user, in any application, at any moment.
Minute-level identification and root cause locating for potential faults:
• Identifies potential faults based on dynamic baselines and big data correlation analysis.
• Accurately locates root causes using KPI correlation analysis and protocol trace.
Predictive network optimization: AI is used to intelligently analyze the load trends of APs so as to complete predictive optimization of wireless networks.

In addition to using algorithms to improve efficiency, intelligent O&M leverages scenario-based continuous learning and accumulated expert experience to free O&M personnel from complex alarms and alerts, making O&M more automated and intelligent.


• AS-IS: the current status
• TO-BE: future ideal status
Solution Component: WLAN Planner

The WLAN Planner is an efficient WLAN network planning tool. It enables signal simulation, helping determine AP
deployment locations and signal coverage results.


• Efficiently supports WLAN network planning:
▫ No installation: Cloud-based tool, without the need of software installation.
▫ All-scenario: All scenarios supported, including indoor, outdoor, agile distributed, and high-density scenarios.
▫ Efficient: Improved simulation efficiency when compared with the traditional standalone deployment.
▫ High quality: Supports tens of thousands of WLAN projects.
Solution Component: CloudCampus APP
Mobile APP that covers full lifecycle management for campus networks
• Site survey: Connects to the cloud-based WLAN Planner to record photos and texts based on drawings.
• Network planning: Connects to the cloud-based WLAN Planner to display network planning results, heat maps, and AP attributes anytime, anywhere.
• Deployment: Deployment by scanning barcode.
• Acceptance: One-click test, single service test, and project test; deployment position acceptance based on the cloud-based network planning project.
• O&M: Mobile O&M, device and application monitoring; AP access through Bluetooth/management VAP; AP offline diagnosis.

E2E simplicity from planning and deployment, all the way to O&M.

Solution Component: Hardware Products
• CloudEngine S series switches: high-performance campus switches.
• NetEngine ARs: campus egress routers (integrating routing, switching, Wi-Fi, 5G, and security functions).
• AirEngine Wi-Fi 6 APs: campus APs (e.g., indoor settled APs, indoor wall plate APs, agile distributed APs, and outdoor APs).
• HiSecEngine AI firewalls: firewalls (providing comprehensive network security protection capabilities).

Solution Technology: Plug-and-Play of Devices

Figure: site networks behind a firewall, an AP, and an AR, each connected to the Internet.
Simplified network deployment
• The time and labor costs for initial device installation and configuration as well as upgrade are reduced.
• After devices on the campus are powered on and connected to the Internet, they can obtain the IP address of the controller iMaster NCE and register with it through multiple methods. All subsequent operations can be performed on the controller, without the need of onsite visits.
• Services are deployed on iMaster NCE in advance, greatly shortening the deployment time.
• The configuration error rate is reduced due to GUI-based operations.

Plug-and-Play of Devices (1)
Through CloudCampus APP (barcode scanning)
• The site engineer scans the AP barcode; the CloudCampus APP obtains the ESN and MAC address of the AP and records the device (Tenant: Tenant X; Site: Site Y; Device: AP (ESN...)) on iMaster NCE (1.1.1.1:8080 in the figure).
• The AP proactively initiates a registration request to iMaster NCE over the Internet, registers, and gets managed.
Devices supported: AP

Through registration center
• The administrator records device information (Tenant: Tenant X; Device: AP (ESN...)) on iMaster NCE (1.1.1.1:18008 in the figure), and iMaster NCE synchronizes the device information to the Huawei registration center.
• The device automatically initiates a query request to the Huawei registration center to obtain the IP address and port number of iMaster NCE.
• The device initiates a registration request to iMaster NCE over the Internet, registers, and gets managed.
Devices supported: AR, firewall, switch, AP

Plug-and-Play of Devices (2)
Through web system
1. In the web system, configure Internet access parameters and the IP address/URL and port number of iMaster NCE.
2. The device registers with iMaster NCE over the Internet and gets managed.
Devices supported: AR, firewall, switch, AP

Through CLI
1. On the CLI, configure Internet access parameters and the IP address/URL and port number of iMaster NCE.
2. The device registers with iMaster NCE over the Internet and gets managed.
Devices supported: AR, firewall, switch, AP

Plug-and-Play of Devices (3)
Through DHCP Option 148
• The network administrator has deployed the DHCP service on the network in advance (by deploying the DHCP service on the egress device or deploying an independent DHCP server).
• In addition to delivering IP addresses to the devices to be deployed, the DHCP server uses DHCP Option 148 to notify the devices of the iMaster NCE IP address and port number.
Figure: 1. The DHCP service runs on the AR (egress device). 2. The switch to be deployed sends a DHCP request. 3. The DHCP response carries Option 148. 4. The switch proactively initiates a registration request to iMaster NCE over the Internet.
Devices supported: AR, switch, AP
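The Option 148 exchange above, as an added example that is not code from the Huawei material or from iMaster NCE: a parser for the DHCP options field that extracts Option 148, validates the controller endpoint it carries, and refuses an endpoint that is not on an operator allowlist. The practitioner's caveat here is that any DHCP server reachable by a factory-fresh device can hand it a controller address, so the response deserves the same scrutiny as the registration-center answer. The agilemode/agilemanage-* key=value payload syntax, the allowlist, and the two sample offers are constructed assumptions, not values taken from the page.

```python
"""Parse and vet DHCP Option 148 for cloud-managed device onboarding.

Added example, not code from the Huawei training material. It assumes the
option carries an ASCII key=value string of the form
agilemode=...;agilemanage-mode=ip|url;agilemanage-domain=...;agilemanage-port=...
(an assumption about the payload layout) and uses a constructed controller
allowlist and constructed DHCP option blobs as sample input.
"""
import ipaddress
import re

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_CLOUD_MGMT = 148  # carries the controller (iMaster NCE) address and port

# Constructed allowlist: controller endpoints the operator has pre-approved.
TRUSTED_CONTROLLERS = {("ip", "10.10.0.5", 10020), ("url", "nce.example.com", 10020)}

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_dhcp_options(blob: bytes) -> dict:
    """Return {code: bytes} from a DHCP options field (RFC 2132 TLV encoding).

    Repeated instances of one option are concatenated (RFC 3396 long options).
    Truncated or unterminated encodings raise ValueError rather than being
    silently accepted.
    """
    if not blob.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, len(DHCP_MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return options
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("options not terminated by END")


def parse_option_148(raw: bytes) -> dict:
    """Split the assumed key=value;... payload and validate every field."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("option 148 is not ASCII") from None
    fields = {}
    for item in filter(None, text.split(";")):
        key, sep, val = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed field {item!r}")
        fields[key.strip().lower()] = val.strip()
    for key in ("agilemode", "agilemanage-mode", "agilemanage-domain", "agilemanage-port"):
        if key not in fields:
            raise ValueError(f"missing {key}")
    mode, domain = fields["agilemanage-mode"].lower(), fields["agilemanage-domain"]
    if mode == "ip":
        ipaddress.ip_address(domain)  # raises ValueError on garbage
    elif mode == "url":
        if not HOSTNAME_RE.match(domain):
            raise ValueError(f"bad hostname {domain!r}")
    else:
        raise ValueError(f"unknown agilemanage-mode {mode!r}")
    port = int(fields["agilemanage-port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return {"agilemode": fields["agilemode"], "mode": mode, "domain": domain, "port": port}


def controller_from_dhcp(blob: bytes, trusted=TRUSTED_CONTROLLERS) -> tuple:
    """Return (mode, domain, port) only for a controller the allowlist approves.

    A rogue DHCP server on the site LAN can hand a factory-fresh device an
    attacker-controlled controller address; checking the parsed endpoint
    against an operator allowlist is the control this example adds.
    """
    opts = parse_dhcp_options(blob)
    if OPT_CLOUD_MGMT not in opts:
        raise ValueError("no option 148 in offer")
    o = parse_option_148(opts[OPT_CLOUD_MGMT])
    endpoint = (o["mode"], o["domain"].lower(), o["port"])
    if endpoint not in trusted:
        raise PermissionError(f"untrusted controller {endpoint}")
    return endpoint


def build_options(pairs) -> bytes:
    """Constructed helper: encode [(code, bytes)] as a DHCP options field."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in pairs:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


# Constructed sample offers: a legitimate one and one pointing at a rogue host.
GOOD_OFFER = build_options([(53, b"\x02"), (54, bytes([10, 10, 0, 1])),
    (OPT_CLOUD_MGMT, b"agilemode=agile-cloud;agilemanage-mode=ip;agilemanage-domain=10.10.0.5;agilemanage-port=10020")])
ROGUE_OFFER = build_options([(53, b"\x02"),
    (OPT_CLOUD_MGMT, b"agilemode=agile-cloud;agilemanage-mode=url;agilemanage-domain=evil.example.net;agilemanage-port=10020")])

if __name__ == "__main__":
    print("accepted:", controller_from_dhcp(GOOD_OFFER))
    try:
        controller_from_dhcp(ROGUE_OFFER)
    except PermissionError as err:
        print("rejected:", err)
```

On a real device the allowlist would be replaced by the endpoint learned from the registration center or by a pinned certificate on the registration channel; the point of the check is that a DHCP answer on its own is not a trust anchor.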

Plug-and-Play of Devices (4)
Email-based deployment
1. The network administrator configures ZTP and selects the email-based deployment mode on iMaster NCE.
2. iMaster NCE packs the deployment configuration into a series of character strings and sends them to the email address specified by the administrator.
3. The site deployment personnel log in to the email box on a PC at the site and receive the deployment email.
4. During site deployment, the site deployment personnel connect the PC to the AR in wired or wireless mode and click the hyperlink in the email body. The PC then automatically logs in to the AR, parses the parameters in the hyperlink to obtain the deployment configuration of the AR, and writes the configuration into the AR.
5. The AR connects to the Internet and automatically sends a registration request to iMaster NCE.
Devices supported: AR

Solution Technology: Cloud Management
Figure: one-stop management platform (WLAN experience, user management, site management, customer flow analysis, inter-site VPN, device management, analysis, and portal page customization; management and control) delivering configurations over NETCONF/YANG through the Internet to the firewall, AR, switch, and APs of a small- and medium-sized campus network.

Higher management and O&M efficiency
• After devices go online, iMaster NCE provisions all required configurations and services. iMaster NCE delivers configurations to devices at the branch sites through NETCONF, without the need of CLI-based operations. This simplifies network O&M.
• iMaster NCE performs intelligent analysis and display of the operating status of branch sites, presenting intuitive insights into site health.
• iMaster NCE provides operating status monitoring, intelligent analysis, and remote O&M, so that O&M personnel do not need to visit sites. This improves O&M efficiency and reduces O&M costs.

Highlights of Huawei CloudCampus Solution for Small- and
Medium-Sized Campus Networks
⚫ Automatic deployment: Devices can be easily and quickly deployed.
⚫ Cloud-based network planning and mobile O&M: WLAN design and device O&M are simplified.
⚫ Diversified product portfolios: Huawei provides different product portfolios, including full series of
network devices (switches, firewalls, ARs, and APs), meeting diversified network requirements of
tenants.
⚫ Dual-working-mode: All network devices used in this solution can work in either cloud-based or
traditional management mode. Tenants can implement cloud management of traditional devices after
devices are upgraded.
⚫ VASs: Terminal behavior analysis is a value-added application of iMaster NCE-Campus. More VASs can
be developed based on terminal behavior analysis.

Contents

1. Small- and Medium-Sized Campus Network Trends and Challenges

2. Overview of Huawei's CloudCampus Cloud-Managed Network Solution for Small- and Medium-Sized Campus Networks

3. Design of Small- and Medium-Sized Campus Networks with Huawei's CloudCampus Cloud-Managed Network Solution

Overall Design Process

Overall design: network management mode, network O&M mode, and license scheme.
Networking design: network architecture, networking scheme, reliability, and WAN interconnection.
Service design: network basic services, network deployment, WLAN, NAC, and VAS and O&M.

Choose the Network Management Mode
⚫ Which management mode to use: cloud management or on-premises?
Huawei's CloudCampus Solution offers three modes:

On-premises
• Scenario definition: Customers purchase and own software such as the controller and analyzer, and deploy the software in their data center or on a public cloud IaaS platform to manage their own networks. They do not provide network management services.
• Target application scenario: Large- and medium-sized campus networks.

Huawei public cloud
• Scenario definition: Customers purchase Huawei public cloud management services and manage their networks using the cloud management SaaS services deployed on the Huawei public cloud platform.
• Target application scenario: Small- and medium-sized campus networks.

MSP-owned cloud
• Scenario definition: MSPs purchase cloud management platform software, such as the controller and analyzer, and deploy the software in their data center or on a public cloud IaaS platform to provide network management services.
• Target application scenario: Small- and medium-sized campus networks.

Small- and medium-sized campus networks are small in scale and are sensitive to CAPEX and OPEX. Therefore, the public cloud management mode is recommended for such networks. In this mode, Huawei or MSPs provide SaaS services to manage the networks.


• The public cloud management mode can be Huawei public cloud management
mode or MSP-owned cloud management mode. The two modes are essentially
the same. The only difference lies in the operational entity and the provider that
offers cloud management services.
• Unless otherwise specified, the Huawei public cloud management mode is used
as an example in this document.
Choose the Network O&M Mode
⚫ Which O&M mode to use: enterprise-managed O&M (enterprises perform O&M by themselves) or MSP-managed O&M (enterprises authorize network O&M to MSPs)?

The network O&M mode is closely related to the network management mode. If an enterprise manages the network by itself, O&M is also performed by the enterprise. This is called enterprise-managed O&M. If an enterprise authorizes network O&M to an MSP, this is called MSP-managed O&M.

Huawei's CloudCampus Solution supports both enterprise-managed O&M and MSP-managed O&M. Enterprises can flexibly choose either of them as required.
• Enterprise-managed O&M: Enterprises themselves have O&M capabilities or require managing their own networks.
• MSP-managed O&M: Enterprises themselves do not have O&M capabilities, or have many branches and authorize MSPs to construct and maintain their networks.
Figure: the platform operator hosts MSP 1, which serves Tenant 1, Tenant 2, ..., Tenant N (each authorizing network O&M to the MSP); each tenant has one or more sites.


• With certain IT capabilities, a tenant administrator can deploy and maintain a campus network. This scenario is called tenant-managed construction and maintenance. The tenant administrator is the main implementer, and the MSP administrator only provides simple deployment assistance. The tenant administrator can apply to the MSP for the managed construction and maintenance services. After being authorized, the MSP constructs and maintains the campus network for the tenant. This scenario is called MSP-managed construction and maintenance, in which the MSP administrator is the main implementer.

• The following lists the differences between the deployment processes in the tenant-managed construction and maintenance and MSP-managed construction and maintenance scenarios:
• Tenant-managed construction and maintenance:
▫ The tenant administrator installs cloud managed devices onsite and registers the cloud managed devices.
▫ The tenant administrator logs in to iMaster NCE using their own account and deploys services.
• MSP-managed construction and maintenance:
▫ The MSP administrator helps the tenant install cloud managed devices onsite and register the cloud managed devices.
▫ The tenant administrator logs in to iMaster NCE using their own account, chooses System > System Management > Tenant Information, enables Authorize MSP, and sets the authorization scope. Alternatively, when creating a tenant administrator, the MSP administrator can enable Authorize MSP. By default, the permission of the tenant administrator role is granted.
▫ The MSP administrator logs in to iMaster NCE using their own account. In Tenant List on the home page, the MSP administrator selects a tenant who has applied for MSP-managed construction and maintenance and has been authorized. The Authorization status column is displayed as Authorized.
▫ The MSP administrator clicks the tenant name to access the page for MSP-managed construction and maintenance and helps the tenant deploy services.
Choose the License Transaction/Purchase Mode
⚫ Select the cloud management deployment scenario (Huawei public cloud or MSP-owned cloud), then select the
license transaction or purchase mode accordingly.

Scenario 1: Huawei public cloud
• Licenses control the available resources of tenants.
• Online transaction mode is supported. That is, licenses can be purchased online from HUAWEI CLOUD. License pooling is not supported in this mode.
• Offline transaction mode is also supported. License activation codes need to be loaded on the CloudCampus cloud management platform. License pooling and co-termination are supported in this mode.

Scenario 2: MSP-owned cloud
• Licenses control the available resources of the CloudCampus cloud management platform, but not the available resources of tenants.
• Only offline transaction mode is supported. The license file needs to be loaded on the CloudCampus cloud management platform. License pooling and co-termination are supported in this mode.

[Figure: license transaction flows. Scenario 1: Huawei's customers (tenants) obtain licenses for the CloudCampus cloud management platform in online transaction mode, or in offline transaction mode through strategic/core NAs, channel partners, or as retail customers. Scenario 2: Huawei's customer (the MSP or carrier) obtains licenses in offline transaction mode for its own CloudCampus cloud management platform, which serves the MSP's customers (Tenant 1 to Tenant N).]
Choose the License Consumption and Termination Modes
⚫ In the Huawei public cloud scenario, both the co-termination and non-co-termination licensing models are
supported.

Non-co-termination licensing mode
• Licenses are pooled and shared by device type. License resources are exclusive to devices of one type and not shared by devices of other types.
• Licenses for different types of devices terminate separately, while licenses for devices of the same type co-terminate.

Co-termination licensing mode
• Licenses are pooled and shared by all devices, and co-terminate for all devices.
• Co-termination of licenses cannot be undone. Therefore, the license termination time must be properly designed.

• For small- and medium-sized campus networks, the co-termination licensing
model is recommended, facilitating device management and operations. If the
license validity periods of devices of different types need to be precisely
controlled, use the non-co-termination licensing model.
Overall Design Process

• Overall design: network management mode, network O&M mode, license scheme
• Networking design: network architecture, networking scheme, reliability, WAN interconnection
• Service design: network basic services, network deployment, WLAN, NAC, VAS and O&M
Network Architecture Design: Intranet Architecture (1)

[Figure: single-device networking architecture (an AP, AR, or firewall connects directly to the Internet); single-layer networking architecture (a firewall or AR at the egress, an access layer switch, and APs); two-layer networking architecture (a firewall or AR at the egress, an aggregation layer switch, access layer switches, and APs).]
Network Architecture Design: Intranet Architecture (2)

[Figure: three-layer networking architecture (a firewall or AR at the egress, a core layer switch, an aggregation layer switch, access layer switches, and APs) and highly reliable networking architecture (the same layers with stacked switches and link aggregation). Legend: link aggregation; stack link. Note: Unless otherwise specified, the symbol indicates stacking.]
Network Architecture Design: WAN Interconnection

[Figure: hub-spoke networking (the HQ is the hub; Branch1, Branch2, and Branch3 are spokes), full-mesh networking (the HQ and all branches are directly interconnected), and partial-mesh networking (most sites are directly interconnected; Branch1 and Branch3 reach each other through the HQ).]

• Hub-spoke: Generally, the enterprise headquarters or DC functions as a hub site.
Each branch site of an enterprise can communicate with the hub site and can
communicate with other branch sites through the hub site. This model is
applicable to scenarios where traffic between all branch sites of an enterprise
must pass through the headquarters for centralized security monitoring.

• Full-mesh: All sites of an enterprise can communicate with each other. If traffic
needs to be transmitted between the headquarters and branches or between
branches, data is directly exchanged without traversing an intermediate node.
This model is applicable to scenarios where all sites of an enterprise need to
directly access each other. This model eliminates the delay caused by traffic
transmission through the headquarters.

• Partial-mesh: Most sites of an enterprise can directly communicate with each
other. However, the underlay WAN networks of a small number of sites cannot
directly communicate with each other. For example, in the figure, branch 1 and
branch 3 need to communicate with each other through the headquarters.
Network Architecture Design Considerations

1. Determine the intranet architecture
• Determine the network architecture layers based on the number of access terminals or device capabilities.
• Determine the device model at each layer and the mapping between upper-layer and lower-layer devices.
• Options: single-device, single-layer, two-layer, or three-layer networking architecture.

2. (Optional) Determine the WAN interconnection model
• Determine the WAN interconnection model based on the communication requirements between sites.
• Options: hub-spoke, full-mesh, or partial-mesh networking.

3. (Optional) Determine reliability requirements
• Determine the highly reliable networking model based on the device type and capability.
• Options: firewalls deployed in hot standby mode, switch stacking, and Eth-Trunk.
Single-Device Networking
Network scale: < 50 terminals; area < 50 m²
Networking type: a single AP, AR, or firewall connects directly to the Internet (the AR can also use a 3G/4G link).

Overview
• Applicable to single stores and small stores (such as agent stores and gas stations)
• A single device provides gateway features, such as PPPoE dialup, DHCP, and NAT.
• An AP is deployed if only wireless access is required and only one wired Internet egress is available.
• An AR is deployed if wired access is needed and multiple uplinks, especially a 3G/4G backup link, are required.
• A firewall is deployed if security-sensitive stores, such as small logistics, office, and finance organizations, require advanced security features, including URL filtering, security protection, and antivirus.

Constraints
• Wireless features such as roaming and load balancing are not supported.
• The AP supports only one Internet link.
• The AP and AR support wired user access, but do not support wired user authentication.
• The AR supports wireless user authentication in only Open, PSK, and Portal authentication modes, but not 802.1X or MAC address authentication mode. The firewall provides wired user authentication and supports only Portal authentication.
• Currently, no firewall model supports Wi-Fi and LTE, and therefore it is not recommended in actual deployments.
Egress Gateway + AP
Network scale: < 200 terminals; area < 300 m²
Networking type: AR + AP, or firewall + AP (the AR can also use a 3G/4G link).

Overview
• Applies to small- and medium-sized clothing stores, supermarkets, shopping malls, etc.
• The egress gateway provides features such as PPPoE, DHCP, NAT, and LTE.
• This networking mode supports continuous coverage of multiple APs, as well as multiple uplinks, including a 3G/4G backup uplink.
• APs support mesh networking.
• A firewall is deployed at the egress for scenarios where advanced security features, including URL filtering, security protection, and antivirus, need to be met.

Constraints
• The AP and AR support wired user access, but do not support wired user authentication.
• The firewall provides wired user authentication and supports only Portal authentication.
• If the AR or firewall does not support PoE, the AP can use an external PoE power adapter.
Egress Gateway + Layer 2 Switch + AP
Network scale: < 2000 terminals; area < 3000 m²
Networking type: AR + Layer 2 switch + AP, or firewall + Layer 2 switch + AP (the AR can also use a 3G/4G link).

Overview
• Applies to small- and medium-sized clothing stores, retail stores, etc.
• The egress gateway provides features, such as WAN access, DHCP, and NAT.
• The Layer 2 switch provides PoE extended access and wired terminal access functions.
• APs provide access services for wireless terminals at the site.
• APs support mesh networking.
• A firewall is deployed at the egress for scenarios where advanced security features, including URL filtering, security protection, and antivirus, need to be met.

Constraints
• The AR and firewall in cloud management mode do not support Eth-Trunks and cannot connect to the switch through Eth-Trunks.
• If switches need to be stacked, it is recommended to deploy multiple layers of switches.
• The AR can be deployed only in a single-node system.
Egress Gateway + Layer 2 Switch + Distributed AP
Network scale: < 2000 terminals; area < 3000 m²
Networking type: AR + Layer 2 switch + distributed AP, or firewall + Layer 2 switch + distributed AP (the AR can also use a 3G/4G link).

Overview
• Applies to dense-room building scenarios, such as dormitories and hotels, where network planning is not required and each room transmits signals separately.
• The AR functions as the egress gateway and provides features, such as WAN access, DHCP, and NAT.
• The Layer 2 switch provides PoE extended access and wired terminal access functions.
• APs provide access services for wireless terminals at the site.
• APs support mesh networking.
• A firewall is deployed at the egress for scenarios where advanced security features, including URL filtering, security protection, and antivirus, need to be met.

Constraints
• The AR and firewall in cloud management mode do not support Eth-Trunks and cannot connect to the switch through Eth-Trunks.
• If switches need to be stacked, it is recommended to deploy multiple layers of switches.
• The AR can be deployed only in a single-node system.
Summary of Typical Networking Schemes (1)

Deployment Scenario | Network Scale | Key Networking Requirements | Networking Model | Remarks
Many branches, where there are no demands for branch interconnection | < 50 terminals; area < 50 m² | Single store; wireless access only; single Internet egress | Single-device networking: AP | /
Many branches, where there are no demands for branch interconnection | < 50 terminals; area < 50 m² | Single store; mainly wireless access; Ethernet or LTE uplink | Single-device networking: AR | /
Many branches, where there are no demands for branch interconnection | < 50 terminals; area < 50 m² | Single store; wired and wireless authentication and access; multiple Internet uplinks and LTE uplinks; high security requirements (URL filtering/IPS/security protection/antivirus) | Single-device networking: firewall | Currently, firewalls have no Wi-Fi/LTE models.
Many branches, where there are no demands for branch interconnection | < 200 terminals; area < 300 m² | Wireless access only; multiple Internet uplinks and LTE uplinks | Egress gateway + AP: AR + AP | Currently, ARs and firewalls do not have PoE models. APs need to connect to external power supplies.
Many branches, where there are no demands for branch interconnection | < 200 terminals; area < 300 m² | Wired and wireless authentication and access; multiple Internet uplinks; high security requirements (URL filtering/IPS/security protection/antivirus) | Egress gateway + AP: firewall + AP | Currently, ARs and firewalls do not have PoE models. APs need to connect to external power supplies.
Many branches, where there are no demands for branch interconnection | < 2000 terminals; area < 3000 m² | Wired and wireless access; multiple Internet uplinks and LTE uplinks | Egress gateway + Layer 2 switch + AP: AR + Layer 2 switch + AP | /
Many branches, where there are no demands for branch interconnection | < 2000 terminals; area < 3000 m² | Wired and wireless authentication and access; multiple Internet uplinks; high security requirements (URL filtering/IPS/security protection/antivirus) | Egress gateway + Layer 2 switch + AP: firewall + Layer 2 switch + AP | /

• Cloud management for small- and medium-sized campus networks applies to
small- and medium-sized enterprises (SMEs) and branches, such as shopping
malls/supermarkets, retail stores, hotels, educational institutions, and financial
services organizations. Different networking models are used based on different
network scales.
Summary of Typical Networking Schemes (2)

Deployment Scenario | Network Scale | Key Networking Requirements | Networking Model | Remarks
Many branches, where there are no demands for branch interconnection | < 2000 terminals; area < 3000 m² | Dense-room scenarios such as hotels and dormitories; wired and wireless access; multiple Internet uplinks and LTE uplinks | Egress gateway + Layer 2 switch + distributed AP: AR + Layer 2 switch + central AP + RU | /
Many branches, where there are no demands for branch interconnection | < 2000 terminals; area < 3000 m² | Dense-room scenarios such as hotels and dormitories; wired and wireless access; multiple Internet uplinks; high security requirements (URL filtering/IPS/security defense/antivirus) | Egress gateway + Layer 2 switch + distributed AP: firewall + Layer 2 switch + central AP + RU | /
Multiple branches, where there are demands for communication with the headquarters | Same as that in the "many branches, where there are no demands for branch interconnection" scenario | Only basic communication between branches and the headquarters is required. Third-party VPN gateways may be deployed at the headquarters. | IPsec VPN interconnection: AP/AR/firewall as the egress gateway | /
Multiple branches, where there are demands for communication with the headquarters | Same as that in the "many branches, where there are no demands for branch interconnection" scenario | Multiple links are deployed between the headquarters and branches, and intelligent traffic steering is required. | SD-WAN interconnection: AR as the egress gateway | /
Network Reliability Design

⚫ Networking reliability refers to the reliability design of the tenant network. You can add devices or links in any typical
networking scheme to enhance network reliability. Network reliability design can be classified into three levels based on
the involved scope:
▫ Link-level reliability design
▫ Device-level reliability design
▫ Network-level reliability design (which combines link and device reliability)

[Figure: highly reliable networking architecture with dual Internet links, a firewall or AR at the egress, stacked switches at the core and aggregation layers, access layer switches, and APs.]
Link-Level Reliability Design (1)

Intranet link reliability

• Multiple links can be deployed between switches and bonded using Eth-Trunks to improve link reliability.
• When switches are stacked, it is recommended that Eth-Trunks be used across switches to ensure link reliability.

[Figure: Eth-Trunks between switches, including Eth-Trunks whose member links terminate on different members of a stack.]
Link-Level Reliability Design (2)

Egress link reliability

Multiple links are deployed at the campus egress and work in active/standby mode. The networking scheme is as follows:

• The "single device, multiple egress links" scheme or the "multiple devices, at least one egress link for each device" scheme can
be used. The latter scheme is recommended.
• To further improve reliability, it is recommended that different egress links be connected to different carrier networks.

[Figure: single device with dual egress links to ISP 1 and ISP 2; dual devices with dual egress links to ISP 1 and ISP 2, joined by a heartbeat link.]
Device-Level Reliability Design

[Figure: egress firewalls in hot standby, joined by a heartbeat link and each connected to ISP 1 and ISP 2; dual AR egress gateways connected to ISP 1 and ISP 2; switch stacking at each switch layer.]

• Device reliability: Fixed-configuration devices are generally used on small- and
medium-sized campus networks.
• Device reliability design includes the following two aspects:
• Redundant components are used to improve device reliability.
▫ In addition to selecting devices with high reliability, you can further improve
the reliability of the devices by using dual power supplies or redundant
components (e.g. boards).
• Joint networking is used to provide device reliability.
▫ Multiple devices are deployed together to improve device reliability, for
example, active/standby or stacking.
▫ Two devices are deployed in the egress zone of the campus network to
work in active/standby mode. Currently, in a two-node system, firewalls
support only the hot standby mirroring mode. ARs support dual-CPE
networking, and the two devices and two egress links can work
concurrently.
▫ Intranet network devices, such as LAN switches at the core or aggregation
layer, are stacked to implement device-level backup. Currently, only
switches can be stacked.
Network-Level Reliability Design

Typically, Eth-Trunk and stacking technologies are used in dual-device and multi-link scenarios to improve network-wide reliability.

Egress reliability design:
• Dual-device: active/standby, load balancing
• Multi-link, multi-carrier network

Intranet reliability design: switch networking
• Dual-/multi-device: stacking
• Dual-/multi-link: Eth-Trunk

[Figure: dual ARs with dual Internet links at the egress, stacked switches at the core and aggregation layers, access layer switches, and APs.]
CloudCampus WAN Interconnection Solution

Static IPsec VPN
• An IPsec VPN is a type of static VPN, in which IPsec tunnels are established between devices at different sites to create VPN tunnels. Traffic is diverted to the VPN tunnels based on the configured static routes to implement inter-site communication.
• Egress devices can be APs, ARs, or firewalls (firewalls can be deployed in standalone or hot standby mode).

SD-WAN interconnection
• EVPN can be used to establish tunnels between sites and dynamically advertise routes on demand. The forwarding plane supports GRE or GRE over IPsec. In addition, high-quality links can be selected based on applications and policies for data transmission, implementing application- and policy-based intelligent traffic steering.
• The egress devices must be ARs (in standalone or hot standby mode).

[Figure: static IPsec VPN, with an IPsec VPN tunnel over the Internet between a branch and the HQ; SD-WAN interconnection, with GRE or GRE over IPsec tunnels over MPLS and the Internet between a branch and the HQ.]

• The multi-campus network interconnection solution is a sub-solution provided in
the CloudCampus Solution for the interconnection between branch campuses and
between branches and the HQ or DCs. With the SD-WAN solution integrated, the
multi-campus network interconnection solution provides two models for WAN
interconnection: static IPsec VPN and EVPN.

• An IPsec VPN is a type of static VPN, in which IPsec tunnels are established
between devices at different sites to create VPN tunnels. Traffic is diverted to the
VPN tunnels based on the configured static routes so that services between sites
can be accessed through the VPN tunnels.
• An EVPN is a type of dynamic VPN that can establish tunnels between sites and
dynamically advertise routes on demand. EVPN establishes GRE tunnels between
sites to establish VPN tunnels and supports IPsec encryption on GRE tunnels to
ensure tunnel encryption security. In addition, the EVPN solution offers
application- and policy-based intelligent traffic steering, allowing high-quality
links to be selected based on applications and policies for data transmission.
IPsec VPN Interconnection Networking Model

Network interconnection model
• The hub-spoke and full-mesh models are supported.
• The hub-spoke model is applicable when data traffic is mainly transmitted between branches and the HQ. In this model, branches can also communicate with each other through the HQ.
• If branches are of similar scales and a large amount of traffic is transmitted between the branches, the full-mesh model can be used. In this case, all egress devices must use public IP addresses, and only firewalls support this model. In the full-mesh model, the number of sites is limited (32 at most). Therefore, the hub-spoke model is recommended for IPsec interconnection.

Site networking
• APs, ARs, or firewalls can be used as egress devices based on site requirements.
• In some scenarios requiring high reliability, two egress links can be deployed. In scenarios requiring wireless uplinks, the egress gateway must be an LTE-capable device.
• For large campus networks, the egress gateways can be deployed in hot standby mode to ensure high reliability. Currently, only firewalls support hot standby.
• In the hub-spoke model, the hub site is usually the HQ or DC site, which requires high-performance devices, rich policies, and security configurations. Currently, the cloud management mode supports only a few security and policy features. Therefore, it is recommended that the traditional management mode be configured for devices at the hub site, and the devices work in hot standby mode.

[Figure: hub-spoke and full-mesh interconnection models; site networking options with an AP, AR, or firewall as the egress device, dual Internet links, and firewalls in hot standby joined by a heartbeat link.]
SD-WAN Solution Overview (1)

Solution overview
• The EVPN interconnection mode of the SD-WAN solution is applicable to the scenarios where a large number of branches communicate with the HQ/DC (hub site). This mode can meet the networking requirements of multiple HQs/regional centers. In this mode, the branches can communicate with the HQ through multiple links. In addition, this mode supports application- and quality-based intelligent traffic steering, QoS scheduling, and link quality display.
• The hub-spoke, full-mesh, and partial-mesh networking models are supported.
• Hub sites can work in active/standby mode to improve network access reliability at the HQ.
• Multi-VPN (VRF) and WAN-side multi-VPN interconnection are supported.
• In scenarios requiring high security, such as the finance industry, both firewalls and ARs can be deployed at sites.

Solution constraints
• ARs deployed at the HQ and branches must support SD-WAN.

[Figure: iMaster NCE (UI; site configuration, VN, and O&M; southbound NE layer) reaches the RR and the HQ, data center, and branch sites over a management channel; the control plane is a BGP EVPN peer relationship; the data plane uses GRE/IPsec VPN over MPLS and the Internet.]
SD-WAN Solution Overview (2)

Network model design
Select a network model based on the site scale and data access model.
• Single-layer model
▫ WAN sites of an enterprise can be directly connected or connected through one or more hub sites. Typically, this model is used by small- and medium-sized enterprises as well as large enterprises with fewer than 100 sites.
▫ This model can be further classified into hub-spoke, full-mesh, and partial-mesh.
• Hierarchical model
▫ This model is applicable to large enterprises that span multiple areas. In this model, the entire overlay network is divided into multiple areas. Traffic between sites in different areas is forwarded through a border site. The hub-spoke, full-mesh, or partial-mesh topology can be used in an area.

Physical network design
• A single AR and a single egress link can be deployed at a small branch site.
• Multi-link and dual-AR networking can be deployed at sites that require highly reliable egress links and gateways.
• In network reliability-sensitive scenarios, it is recommended that the RR be deployed independently. In network reliability-insensitive scenarios, the RR can be co-deployed with the AR at the HQ.

• The single-layer network model is also called the flat network model. In this
model, WAN sites of an enterprise can be directly connected or connected
through one or more hub sites. Typically, this model is used by small- and
medium-sized enterprises as well as large enterprises with fewer than 100 sites.
The single-layer network model can be further classified into hub-spoke, full-
mesh, and partial-mesh.

• The hierarchical network model is applicable to large enterprises that span
multiple areas. In this model, the entire overlay network is divided into multiple
areas. Traffic between sites in different areas is forwarded through a border site.
The hub-spoke, full-mesh, or partial-mesh topology can be used in an area.
SD-WAN Solution: Service Design
⚫ VPN planning: A network can be divided into multiple VPNs based on services or departments. Policies can be
independently configured for services of each VPN, and VPNs can be isolated from each other.
⚫ Intelligent traffic steering: Traffic policies can be defined (based on network segments or applications) to design
intelligent traffic steering, so that high-reliability links (such as MPLS links) are preferentially selected for high-
priority applications (such as audio and video services) and low-priority links are selected to transmit common data.
⚫ QoS application: Multi-level QoS scheduling, such as three-level QoS scheduling for ports, VPNs, and applications.
⚫ Security: ACL-based traffic filtering, URL filtering, firewall, and IPS are configured to ensure traffic security.
⚫ Site-to-Internet access: The local Internet access, centralized Internet access, and hybrid Internet access modes are
supported. If the Internet egress link is available, local Internet access can be configured. If centralized traffic
policing is required, centralized Internet access will suffice.
⚫ Interworking with traditional networks: The solution supports interworking with traditional networks.

VLAN Planning
⚫ Classify VLANs into service VLANs, management VLANs, and interconnection VLANs.
⚫ Allocate consecutive VLAN IDs to ensure proper use of VLAN resources.
⚫ Reserve a specific number of VLANs for future use.
⚫ Typically, VLANs are divided based on interfaces. According to different design principles, interfaces of access switches are added to different VLANs so that users of different service types can be isolated.

VLAN Assignment Example
VLAN assignment by logical area | Core network area: VLANs 100–199; server area: VLANs 200–999 (VLANs 1000–1999 are reserved); access network area: VLANs 2000–3499; service network area: VLANs 3500–3999
VLAN assignment by geographic area | Area A: VLANs 2000–2199; area B: VLANs 2200–2399
VLAN assignment by personnel structure | Department A in area A: VLANs 2000–2009; department B in area A: VLANs 2010–2019
VLAN assignment by service type | Web server area: VLANs 200–299; application server area: VLANs 300–399; database server area: VLANs 400–499
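The VLAN assignment example above can be checked mechanically before it is pushed to switches. The following added example (not from the training material) models the plan as nested blocks and validates it: IDs within 1–4094, every sub-range nested in its parent, no sibling ranges overlapping, and a reserved block that is never allocated from; the `VlanBlock`, `validate` and `next_free_vlan` names are my own.

```python
"""Validate a hierarchical VLAN plan of the kind shown in the VLAN Assignment
Example (added example; the plan is constructed from the slide's ranges and
the check logic is not part of the training material)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

VLAN_MIN, VLAN_MAX = 1, 4094  # usable IEEE 802.1Q VLAN IDs


@dataclass
class VlanBlock:
    name: str
    first: int
    last: int
    reserved: bool = False                       # kept free for future use
    children: List["VlanBlock"] = field(default_factory=list)

    def contains(self, other: "VlanBlock") -> bool:
        return self.first <= other.first and other.last <= self.last

    def overlaps(self, other: "VlanBlock") -> bool:
        return self.first <= other.last and other.first <= self.last


def validate(block: VlanBlock, path: str = "") -> List[str]:
    """Return the plan violations found under `block` (empty list = sound).
    Checks: IDs within 1-4094 and ordered, every child nested inside its
    parent, and no two sibling ranges overlapping."""
    here = f"{path}/{block.name}" if path else block.name
    errors: List[str] = []
    if not (VLAN_MIN <= block.first <= block.last <= VLAN_MAX):
        errors.append(f"{here}: invalid range {block.first}-{block.last}")
    for child in block.children:
        if not block.contains(child):
            errors.append(f"{here}/{child.name}: {child.first}-{child.last} "
                          f"not inside parent {block.first}-{block.last}")
        errors.extend(validate(child, here))
    kids = block.children
    for i in range(len(kids)):
        for j in range(i + 1, len(kids)):
            if kids[i].overlaps(kids[j]):
                errors.append(f"{here}: {kids[i].name} overlaps {kids[j].name}")
    return errors


def next_free_vlan(block: VlanBlock, used: Set[int]) -> Optional[int]:
    """Lowest unused VLAN ID in a leaf block, so assignments stay
    consecutive; None when the block is exhausted. Reserved blocks and
    blocks that are further subdivided are never allocated from directly."""
    if block.reserved or block.children:
        return None
    for vid in range(block.first, block.last + 1):
        if vid not in used:
            return vid
    return None


def campus_plan() -> VlanBlock:
    """The slide's example plan, constructed here as sample input."""
    return VlanBlock("campus", VLAN_MIN, VLAN_MAX, children=[
        VlanBlock("core", 100, 199),
        VlanBlock("server", 200, 999, children=[
            VlanBlock("web", 200, 299),
            VlanBlock("app", 300, 399),
            VlanBlock("db", 400, 499),
        ]),
        VlanBlock("reserved", 1000, 1999, reserved=True),
        VlanBlock("access", 2000, 3499, children=[
            VlanBlock("area-A", 2000, 2199, children=[
                VlanBlock("dept-A", 2000, 2009),
                VlanBlock("dept-B", 2010, 2019),
            ]),
            VlanBlock("area-B", 2200, 2399),
        ]),
        VlanBlock("service", 3500, 3999),
    ])


if __name__ == "__main__":
    for problem in validate(campus_plan()) or ["plan is consistent"]:
        print(problem)
```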
IP Address Planning (1)

Management IP address
A Layer 2 device uses the VLANIF interface's IP address as the management IP address. It is recommended that all Layer 2 switches connected to a gateway be on the same network segment.

[Figure: the gateway's VLANIF 100 has 192.168.100.254; the two Layer 2 switches' VLANIF 100 interfaces have 192.168.100.1 and 192.168.100.2 in management VLAN 100.]

Interconnection IP address
It is recommended that the interconnection IP address use a 30-bit mask. The core device uses a smaller host IP address.

Service IP address
The service IP address is the IP address of a server, host, or gateway.
• It is recommended that the gateway addresses use the same rightmost three digits, such as .254.
• The IP address range of each service must be clearly distinguished. The IP addresses of each type of service terminals must be contiguous and can be aggregated.
• You are advised to use an IP address segment with a 24-bit mask.

[Figure: the gateway has 192.168.1.254, 192.168.5.254, and 192.168.100.254 for the shop assistant (192.168.1.0/24), partner (192.168.5.0/24), and guest (192.168.100.0/24) segments.]
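The addressing rules on this slide can be applied with Python's standard ipaddress module. The following added example (not from the training material) derives /30 interconnection addresses with the core device on the lower host, computes .254 gateways, flags Layer 2 switch management addresses that fall off the gateway's segment, and checks that one service type's /24 segments aggregate; the function names are my own, and the addresses are taken from the slide's figures or constructed.

```python
"""Helpers for the IP address planning rules on the slide (added example,
not part of the training material)."""
import ipaddress
from typing import Iterable, List, Tuple


def interconnect_pair(link: str) -> Tuple[str, str]:
    """Addresses for a point-to-point interconnection link.
    Enforces the recommended 30-bit mask and gives the core device the
    smaller host address and the downstream device the larger one."""
    net = ipaddress.ip_network(link, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"{link}: interconnection links should use /30")
    core, downstream = list(net.hosts())       # a /30 has exactly two hosts
    return str(core), str(downstream)


def gateway_for(segment: str, host_part: int = 254) -> str:
    """Gateway address for a service segment: the same rightmost digits on
    every segment (.254 by default), as the slide recommends. Raises if
    that offset is not a usable host address in the segment (e.g. a /25)."""
    net = ipaddress.ip_network(segment, strict=True)
    gw = net.network_address + host_part
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        raise ValueError(f"{segment}: offset {host_part} is not a usable host")
    return str(gw)


def off_gateway_segment(gateway: str, prefixlen: int,
                        mgmt_ips: Iterable[str]) -> List[str]:
    """Layer 2 switch management (VLANIF) addresses that are NOT on the
    gateway's management segment. The slide wants every switch behind a
    gateway on one segment, so a non-empty result is a planning error."""
    seg = ipaddress.ip_interface(f"{gateway}/{prefixlen}").network
    return [ip for ip in mgmt_ips if ipaddress.ip_address(ip) not in seg]


def aggregate_service_ranges(segments: Iterable[str]) -> List[str]:
    """Collapse the segments assigned to one service type into the fewest
    summary prefixes. A single result means the ranges are contiguous and
    can be aggregated, as the slide requires; several results mean the
    plan leaves holes or is misaligned."""
    nets = [ipaddress.ip_network(s, strict=True) for s in segments]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    # Values from the slide's figures plus a constructed /30 uplink.
    print(interconnect_pair("10.0.0.0/30"))
    for seg in ("192.168.1.0/24", "192.168.5.0/24", "192.168.100.0/24"):
        print(seg, "gateway", gateway_for(seg))
    print(off_gateway_segment("192.168.100.254", 24,
                              ["192.168.100.1", "192.168.100.2"]))
    print(aggregate_service_ranges(["192.168.4.0/24", "192.168.5.0/24"]))
```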
IP Address Planning (2)

Egress gateway
IP addresses of WAN interfaces on egress gateways are assigned by the carrier in static, DHCP, or PPPoE mode. The IP addresses of these interfaces need to be obtained from the carrier in advance.

Devices such as servers and printers
It is recommended that servers and special terminals (such as punch-card machines, printing servers, and IP video surveillance devices) use static IP addresses.

End user
It is recommended that end users be assigned IP addresses in DHCP mode and the gateway provide the DHCP service.

[Figure: the carrier CPE assigns the egress gateway's WAN interface address in static, DHCP, or PPPoE mode; behind the egress gateway, APs serve end users and the gateway provides DHCP.]
IP Address Planning (3)

LAN-side devices
• When the egress gateway interconnects with a Layer 3 switch, it is recommended that the interconnection IP addresses be manually configured in static mode.
• It is recommended that the DHCP server be deployed on the gateway to dynamically allocate IP addresses to APs.

[Figure: an egress gateway with a Layer 3 interconnection to a Layer 3 switch; an egress gateway acting as DHCP server for the APs behind it.]
Routing Design

• Static routes are recommended for small- and medium-sized campus networks.
• Internal routing design of the campus network:
▫ APs: After an AP obtains an IP address through DHCP, a default route is generated by default.
▫ Switches and gateways: Static routes can be used to meet requirements. No complex routing protocol needs to be deployed.
• Routing design for the campus egress:
▫ You are advised to configure static routes on the egress device.

[Figure: Internet, egress gateway, Layer 2 switch, and APs.]
Network Deployment and Automated Device Registration

Automated network deployment
• Huawei's Cloud-Managed Network Solution supports device plug-and-play. If the following prerequisites are met, a device can automatically connect to a given cloud management platform after being powered on and obtain complete service configurations from the platform, achieving device plug-and-play and fast service provisioning.

Prerequisites for implementing device plug-and-play
• The administrator has registered the device ESN on the cloud management platform (by scanning the barcode or manually entering the ESN) and bound a valid license authorization package to the device.
• The administrator has pre-configured the device or device group offline on the cloud management platform.
• The device has obtained a valid IP address and DNS service through the DHCP server (another cloud managed device or deployed by the customer), and the IP address can be used to communicate with the Internet.

[Figure: the MSP/tenant administrator, the Huawei registration center, and on-site deployment personnel, connected over the Internet.]

• Traditional network deployment requires the participation of engineering
installation personnel and network commissioning personnel. This results in long
installation and commissioning periods and slow service provisioning, and
consumes a large amount of manpower. The CloudCampus Cloud-Managed
Network Solution supports automated network deployment.
Device Registration
⚫ Enterprise network scenarios are complex, and different device registration modes are required in different scenarios. Huawei devices support multiple registration modes to meet complex networking requirements. The supported registration modes also vary with the device model. The following table lists, for each device type, how many of the six registration modes (Registration Center, DHCP Option, USB Flash Drive, Mobile App, Web/CLI, and Email) it supports; the recommended mode per device and scenario is given on the following two slides.

Device | Supported registration modes
AP | √ √ √ √ (four of the six)
Firewall | √ √ √ (three of the six)
Switch | √ √ √ (three of the six)
AR | √ √ √ √ √ (five of the six)

⚫ On the same network, devices at different locations may use different registration modes. Typically, devices to be registered on a network are classified into:
 Egress gateway
 Intranet (LAN-side) device
Egress Gateway Registration
⚫ The egress line configuration of the egress gateway usually depends on the carrier network, so its registration mode is more complex.
⚫ In the CloudCampus Solution, ARs, firewalls, and APs can function as egress gateways.
⚫ The registration modes of egress gateways vary with the scenario. For details, see the following table.
⚫ If a DHCP server already exists on the live network, the egress gateway can be registered using the DHCP option only when that DHCP server supports DHCP Option 148.
⚫ In LAN-WAN convergence scenarios, ARs support email-based and DHCP option-based registration. In the DHCP option-based mode, the DHCP server must support DHCP Option 148.

Recommended Egress Gateway Registration Mode
Networking Scenario | AR | Firewall | AP
Huawei public cloud scenario, egress gateway cannot automatically obtain an IP address | Web system | Web system | CloudCampus APP
Huawei public cloud scenario, egress gateway can automatically obtain an IP address | Registration center | Registration center | Registration center
MSP-owned cloud scenario, egress gateway cannot automatically obtain an IP address | Web system | Web system | CloudCampus APP
MSP-owned cloud scenario, egress gateway can automatically obtain an IP address | DHCP option | Web system | DHCP option
LAN-WAN convergence scenario (SD-WAN configured on the egress gateway) | Email | --- | ---
Intranet (LAN-Side) Device Registration
⚫ A LAN-side network is the network under the egress gateway, which is mainly built on LAN switches and APs.
⚫ In Huawei public cloud scenarios, registration through the Huawei registration center is recommended.
⚫ If an enterprise does not want to synchronize device information to the registration center, the DHCP option-based registration mode can be used.

LAN-Side Device Registration Mode
Networking Scenario | LAN Switch | AP
Huawei public cloud scenario, DHCP options cannot be configured on the network | Registration center | Registration center
Huawei public cloud scenario, DHCP options can be configured on the network | Registration center or DHCP option | Registration center or DHCP option
MSP-owned cloud scenario, DHCP options cannot be configured on the network | Web system | CloudCampus APP
MSP-owned cloud scenario, DHCP options can be configured on the network | Registration center or DHCP option | Registration center or DHCP option
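The DHCP-side prerequisites above (a usable address, DNS, and, for DHCP option-based registration, Option 148) can be checked against the lease a device actually receives. The following is an added example, not code from the Huawei solution: it parses a DHCP options field in the standard RFC 2132 type-length-value layout and reports which prerequisites the lease satisfies. The value syntax of Option 148 is vendor specific and is not given in this material, so the option value in the constructed sample is an assumed placeholder, as are the addresses.

```python
"""Check the DHCP-side prerequisites for cloud-managed device registration.

Added example, not code from the Huawei solution: parses the options field of a
DHCP OFFER/ACK (RFC 2132 type-length-value layout) and reports whether the lease
carries what a device needs before it can register through the DHCP option:
a usable unicast address, a default gateway (option 3), DNS servers (option 6),
and DHCP Option 148. The value format of Option 148 is vendor specific; the
string used in the constructed sample below is an assumed placeholder, not the
real Huawei syntax.
"""
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_CLOUD = 1, 3, 6, 148


def parse_options(blob: bytes) -> dict:
    """Parse DHCP options; stops at END, skips PAD, rejects truncated options."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} has no length byte")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated: want {length} bytes, got {len(value)}")
        # RFC 3396: a repeated option code continues the same value.
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def ipv4_list(raw: bytes) -> list:
    """Decode an option whose value is a list of IPv4 addresses."""
    if len(raw) % 4:
        raise ValueError("IPv4 list option length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k : k + 4])) for k in range(0, len(raw), 4)]


def check_prerequisites(yiaddr: str, options: bytes) -> dict:
    """Evaluate the lease (assigned address plus options) against the prerequisites."""
    opts = parse_options(options)
    addr = ipaddress.IPv4Address(yiaddr)
    routers = ipv4_list(opts.get(OPT_ROUTER, b""))
    dns = ipv4_list(opts.get(OPT_DNS, b""))
    cloud = opts.get(OPT_CLOUD)
    ip_valid = not (addr.is_unspecified or addr.is_loopback or addr.is_link_local or addr.is_multicast)
    return {
        "ip_valid": ip_valid,
        "gateway": routers,
        "dns": dns,
        "option148": cloud.decode("ascii", errors="replace") if cloud is not None else None,
        # Registration through the DHCP option needs all four pieces.
        "dhcp_option_registration_ready": ip_valid and bool(routers) and bool(dns) and cloud is not None,
    }


def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed sample leases (not captured traffic).
LEASE_WITH_148 = (
    _opt(OPT_SUBNET, bytes([255, 255, 255, 0]))
    + _opt(OPT_ROUTER, bytes([192, 168, 10, 1]))
    + _opt(OPT_DNS, bytes([192, 168, 10, 53, 192, 168, 10, 54]))
    + _opt(OPT_CLOUD, b"cloud-manager=cloud.example.invalid")  # assumed placeholder syntax
    + bytes([OPT_END])
)
LEASE_WITHOUT_148 = (
    _opt(OPT_ROUTER, bytes([192, 168, 10, 1]))
    + _opt(OPT_DNS, bytes([192, 168, 10, 53]))
    + bytes([OPT_PAD, OPT_END])
)

if __name__ == "__main__":
    for name, lease in (("with 148", LEASE_WITH_148), ("without 148", LEASE_WITHOUT_148)):
        print(name, check_prerequisites("192.168.10.20", lease))
```

The check deliberately treats a link-local (169.254.0.0/16) address as invalid: a device that fell back to such an address has no DHCP lease and will not reach the Internet, which is the third prerequisite above. A lease without Option 148 is still fine for registration-center or Web-based registration; only the DHCP option-based mode needs it.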
Scenario-Specific Automated Deployment
Solution overview
• The scenario-specific automated deployment function is provided to further simplify network deployment.
• Network configurations, such as SSIDs, can be automatically generated based on the industry scenario selected by a customer. Users therefore do not need to plan or configure the network in advance, which eliminates complex configuration design and planning. In addition, users can customize a scenario template to plan the site network so that the site network configuration can be quickly generated for deployment.
• Currently, templates for small- and medium-sized office scenarios are preset in the solution. Templates for other scenarios will be added in the future.
Key design points:
• Select a service scenario, that is, select a scenario template.
• Select the related devices and network topologies.
• Confirm the related configuration or adjust the preset configuration.

• A scenario template includes the following contents and functions related to network deployment:
▫ Various networking modes: typical networking models of small- and medium-sized campus networks.
▫ Automated DHCP server configuration.
▫ Dual uplinks (active/standby mode by default) on the firewall egress for higher reliability.
▫ Automated Eth-Trunk configuration.
▫ Automated configuration of network services, including SSID, PSK password, QoS, access authentication, traffic monitoring, and application monitoring. Review the generated PSK and access authentication settings during the confirmation step rather than accepting the template values unseen.
Overall Design Process (WLAN design sub-steps): WLAN networking planning, SSID planning, roaming, and radio calibration.
WLAN Planning: Wireless Signal Coverage (1)

Field strength reference
Coverage Area | Field Strength Requirement | Typical Scenario
Key coverage area | –40 to –65 dBm | Dormitory room, library, hotel room, lobby, conference room, office, and exhibition hall
Common coverage area | > –75 dBm | Corridor, kitchen, storeroom, and dressing room
Special coverage area | N/A | Areas that have limitations on or do not allow coverage or installation due to considerations such as service security or property management

Physical coverage reference
Scenario | Coverage Recommendation
Indoor scenario | Plan a coverage radius of 15–20 m for each AP.
Outdoor scenario | Plan a coverage radius of 50–80 m for each AP.
Indoor high-density scenario | Use small-angle directional antennas. During network planning, select AP positions and spacing based on the antenna angle.

To guarantee a good access and roaming experience, plan proper signal coverage for each application scenario, select suitable AP models based on the coverage demands and AP capabilities, and design the WLAN using the WLAN Planner.
WLAN Planning: Wireless Signal Coverage (2)
⚫ Observe the following rules when deploying APs:
 When installing an AP, minimize the number of obstacles that signals must pass through.
 Ensure that the front side of an AP faces the target coverage area for good coverage.
 Place APs away from interference sources such as electronic devices. Do not deploy microwave ovens, wireless cameras, cordless phones, or other interfering electronic devices in the coverage area.
 For areas with roaming requirements, keep a 10% to 15% signal overlap between the coverage areas of neighboring APs to ensure smooth STA roaming between APs.
WLAN Planning: AP Deployment Planning
1 Obtain the floor plan.
2 Log in to the Huawei cloud-based WLAN Planner: https://serviceturbo-cloud-cn.huawei.com/serviceturbocloud/dist/#/toolappmarket
3 With the Huawei cloud-based WLAN Planner, users can complete WLAN planning in five steps:
 1. Environment setting
 2. Region setting
 3. Device deployment
 4. Signal simulation
 5. Report export
4 Use the network planning report to guide onsite construction. The network planning result can also be imported into iMaster NCE.

• After the WLAN signal coverage requirements are determined based on the scenarios, AP deployment can be planned using the WLAN Planner.
▫ This tool can be used to create network planning projects based on drawings or Amap.
▫ This tool supports region settings, obstacle generation, one-click automated or manual AP deployment, and WLAN signal coverage simulation.
▫ This tool can generate network planning files and allows users to export them. Users can import the network planning results on the tenant management page of iMaster NCE to display AP locations and help tenants install APs.
▫ CampusInsight allows users to import network planning files. After network deployment, users can view the actual signal heatmap of the network.
Network Planning
• Number of APs: Determine the number of APs based on the WLAN planning result.
• Access switch selection: PoE switches are recommended. Select switches based on the number of APs and the PoE power supply requirements of the APs.
• Number of access switches: Determine the number of access switches based on the number of APs, the access relationships, and the number of ports on the selected switches.
(Figure: Internet, egress gateway, Layer 2 switch, and APs)
SSID Planning
SSID service planning
• An SSID represents a type of service. Plan the number of SSIDs based on project requirements. Different authentication modes can be deployed for different SSIDs.
• SSIDs can also be used to distinguish different groups of users or different services and permissions. For example, employees and guests are configured with different SSIDs.
Authentication and encryption modes for an SSID
• Different authentication and encryption modes can be deployed for office users and guests, who have different security requirements.
• 802.1X and MAC address authentication can be configured for enterprise offices that have high security requirements. MAC address authentication identifies a terminal only by its MAC address, which can be spoofed, so reserve it for dumb terminals and restrict what those terminals can reach. For an SSID that is not intended for end users, for example, the SSID planned for printers and scanners, you can hide the SSID so that end users do not see it. Hiding is a convenience measure rather than an access control, because the SSID is still sent in the clear when a client associates; the SSID's authentication mode remains the real control.
• Open, PSK, Portal, or social media authentication can be configured for guests or open access users.
SSID parameter settings
• Effective scope of SSIDs: Select the effective radio (2.4/5 GHz by default) and effective APs (all APs at the site by default).
• Plan the service VLAN corresponding to the SSID, and configure the corresponding gateway and IP address.
• Advanced service parameters: band steering, user isolation, and SSID hiding
• Advanced application functions: rate limiting, ACL application, application filtering, and URL filtering

• SSIDs are used to represent WLANs. They are the WLAN names displayed on a STA, such as a mobile phone, when you search for WLANs available for access. You select an SSID to access the corresponding WLAN.
• Generally, SSIDs are planned based on user roles or services. Different authentication modes, network access rights, and control policies can be deployed for different SSIDs.
• Portal authentication can be used on open networks (for example, networks for external user access). PSK or PPSK authentication can be used on semi-open networks (such as guest room networks of hotels). 802.1X authentication can be used on secure networks (such as office networks). MAC address authentication can be used for dumb terminals such as printers.
• For an SSID that is not intended for end users, for example, the SSID planned for printers and scanners, you can hide the SSID so that end users do not see it.
Roaming: Layer 2 Roaming Design
Definition of Layer 2 roaming
• When a STA moves between APs, the STA smoothly switches from the original AP to a new AP. This process is called roaming. The SSID, service VLAN, and gateway of the STA remain unchanged before and after roaming.
• Roaming neighbor: An AP detects neighboring APs at the same site through the air interface. If the SSIDs of the detected APs are the same as that of the local AP, these APs are considered roaming neighbors of the local AP.
Implementation of Layer 2 roaming
• In Layer 2 roaming, STA traffic does not detour and is forwarded directly by the foreign AP (FAP).
Design points of Layer 2 roaming
• The service VLANs for the SSIDs of the APs must be the same, and the uplink switch must allow traffic from the service VLANs to pass through.
• Roaming neighbors are discovered through the air interface, which places high requirements on AP deployment. APs in the continuous roaming area must be able to detect each other.
(Figure: AP1 and AP2 with overlapping signal coverage, both advertising the guest SSID in VLAN 100; the STA keeps IP address 192.168.1.25 after roaming.)

• Definition of Layer 2 roaming: When a STA moves between APs, the STA smoothly switches from the original AP to a new AP. This process is called roaming. The SSID, service VLAN, and gateway of the STA remain unchanged before and after roaming.
• Implementation of Layer 2 roaming:
▫ Roaming neighbor: An AP detects neighboring APs at the same site through the air interface. If the SSIDs of the APs are the same as that of the local AP, and they can detect each other, these APs are considered roaming neighbors of the local AP. (An AP can establish a maximum of 64 roaming neighbors.)
▫ Each AP establishes a wired CAPWAP tunnel (control plane tunnel) with each roaming neighbor to transmit roaming information.
▫ The establishment of roaming neighbors is independent of the calibration group. Calibration groups are divided based on the management VLAN, whereas Layer 2 roaming neighbors are established based on whether the service VLANs are the same.
▫ When a STA goes online through an AP, the AP synchronizes information such as the STA's MAC address to all of its roaming neighbors. When the STA roams to a new AP (the FAP), the FAP checks whether the STA has roamed from another AP and synchronizes the STA entry from the home AP (HAP). The entry includes the VLAN, IP address, authentication result, and authorization group of the STA. The FAP then generates its own STA entry, so identity authentication does not need to be performed for the STA again. After roaming completes, the FAP notifies its neighboring APs to prepare for the STA's subsequent roaming, and the HAP deletes its STA entry. Because the synchronized entry carries the authentication result and authorization group, the FAP trusts the HAP's decision; the wired path between APs therefore needs the same protection as the rest of the authentication infrastructure.
▫ In Layer 2 roaming, STA traffic does not detour and is forwarded directly by the FAP.
• Design points of Layer 2 roaming:
▫ The service VLANs for the SSIDs of the APs must be the same, and the uplink switch must allow traffic from the service VLANs to pass through.
▫ Roaming neighbors are discovered through the air interface, which places high requirements on AP deployment. APs in the continuous roaming area must be able to detect each other.
Roaming: Layer 3 Roaming Design (1)
Definition of Layer 3 roaming
• Layer 3 roaming: The service VLANs for the SSIDs before and after STA roaming are different and correspond to different gateways. To keep the IP address of the roaming STA unchanged, the STA traffic needs to be detoured to an AP that resides on the same network segment as the AP through which the STA went online for the first time.
• AP through which the STA goes online for the first time: the AP that the STA first associates with in a mobility group.
• Home AP (HAP): selected using a hash algorithm from the neighbors that belong to the same Layer 2 roaming domain as the AP through which the STA went online for the first time. Once selected, the HAP forwards the Layer 3 roaming traffic of the STA.
(Figure: the first-online AP in VLAN 100 with its roaming neighbors, the HAP in VLAN 100, and the FAP in VLAN 200; both APs advertise the guest SSID and the STA keeps IP address 192.168.1.25.)
Roaming: Layer 3 Roaming Design (2)
Implementation of Layer 3 roaming
• When a STA goes online, the network uses a hash algorithm to select one of the candidate HAPs as the HAP for the STA. When the STA roams at Layer 3, its Layer 3 roaming traffic is forwarded to that HAP. Spreading STAs over different HAPs avoids sending all Layer 3 roaming traffic to the same AP and so prevents performance bottlenecks.
• As shown in the figure, the STA roams from the HAP to the foreign AP (FAP). The FAP obtains the STA information and the corresponding HAP information from the AP through which the STA went online for the first time, and establishes a CAPWAP data tunnel with the HAP. When the STA sends data packets, they are forwarded to the HAP through this CAPWAP data tunnel. If the STA roams back to the Layer 2 domain where it first went online, its traffic no longer needs to be forwarded to the HAP; it is forwarded directly by the new AP (FAP).
(Figure: same topology as the previous slide, with the CAPWAP data tunnel from the FAP in VLAN 200 to the HAP in VLAN 100.)

• Design points of Layer 3 roaming
▫ Layer 3 roaming traffic is detoured to the HAP. Therefore, a large Layer 2 domain needs to be planned where STAs first go online (for example, at the entrance hall), so that the detoured traffic is distributed across different HAPs during roaming.
▫ Each AP supports up to 64 Layer 3 roaming STAs. When this limit is exceeded, roaming fails and the affected STAs must go offline and go online again. (In actual deployments, you are advised to keep roaming at Layer 2 within the same floor or the same area by planning the service VLANs accordingly.)
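The Layer 2 and Layer 3 roaming behaviour described in the preceding slides can be exercised in a small simulation. The following is an added example, not code from the Huawei solution: it models roaming-neighbor discovery (same site, same SSID, mutual detection), STA entry synchronisation from the previous AP to the FAP without re-authentication, HAP selection among the first-online AP's Layer 2 domain, the CAPWAP data tunnel used for Layer 3 roaming, and the two limits quoted above (64 roaming neighbors per AP, 64 Layer 3 roaming STAs per AP). The hash used for HAP selection, the side on which the 64-STA limit is counted, the AP names and the STA data are assumptions made for the example; the material does not specify the real selection algorithm.

```python
"""Simulation of the Layer 2 and Layer 3 roaming behaviour described above.

Added example, not code from the Huawei solution: models roaming-neighbor
discovery (same site, same SSID, mutual air-interface detection), STA entry
synchronisation from the previous AP to the FAP without re-authentication,
HAP selection by hash among the first-online AP's Layer 2 domain, the CAPWAP
data tunnel for Layer 3 roaming, and the two limits quoted in the text
(64 roaming neighbors per AP, 64 Layer 3 roaming STAs per AP). The hash
function, the AP names and the STA data are assumptions for the example; the
real selection algorithm is not specified in the material.
"""
from dataclasses import dataclass, field
import hashlib

MAX_NEIGHBORS = 64   # roaming neighbors an AP can establish (from the text)
MAX_L3_STAS = 64     # Layer 3 roaming STAs per AP (from the text; assumed to count on the HAP)


@dataclass
class StaEntry:
    mac: str
    ip: str
    vlan: int            # service VLAN of the first-online AP
    auth_group: str      # authentication result / authorization group carried with the entry
    first_ap: str
    hap: str


@dataclass
class AP:
    name: str
    ssid: str
    service_vlan: int
    neighbors: set = field(default_factory=set)
    entries: dict = field(default_factory=dict)    # mac -> StaEntry
    l3_tunnels: set = field(default_factory=set)   # MACs whose traffic this HAP forwards


class Site:
    def __init__(self):
        self.aps = {}

    def add_ap(self, ap):
        self.aps[ap.name] = ap

    def detect(self, a, b):
        """APs a and b see each other over the air; same SSID makes them roaming neighbors."""
        x, y = self.aps[a], self.aps[b]
        if x.ssid != y.ssid:
            return
        for src, dst in ((x, y.name), (y, x.name)):
            if dst not in src.neighbors and len(src.neighbors) >= MAX_NEIGHBORS:
                raise RuntimeError(f"{src.name} already has {MAX_NEIGHBORS} roaming neighbors")
            src.neighbors.add(dst)

    def hap_candidates(self, ap):
        """The AP itself plus its neighbors in the same service VLAN (its Layer 2 roaming domain)."""
        same = [self.aps[n] for n in sorted(ap.neighbors) if self.aps[n].service_vlan == ap.service_vlan]
        return [ap] + same

    def go_online(self, ap_name, mac, ip, auth_group):
        """STA authenticates on ap_name; a HAP is chosen by hash so STAs spread over the domain."""
        ap = self.aps[ap_name]
        cands = self.hap_candidates(ap)
        digest = int(hashlib.sha256(mac.encode()).hexdigest(), 16)   # assumed hash
        hap = cands[digest % len(cands)].name
        entry = StaEntry(mac, ip, ap.service_vlan, auth_group, ap.name, hap)
        ap.entries[mac] = entry
        return entry

    def roam(self, mac, from_ap, to_ap):
        """Move a STA to to_ap. Returns 'l2' (direct forwarding) or 'l3' (tunnelled to the HAP)."""
        src, dst = self.aps[from_ap], self.aps[to_ap]
        if to_ap not in src.neighbors:
            raise RuntimeError(f"{to_ap} is not a roaming neighbor of {from_ap}: STA must reassociate")
        entry = src.entries[mac]
        hap = self.aps[entry.hap]
        layer3 = dst.service_vlan != entry.vlan
        if layer3 and len(hap.l3_tunnels - {mac}) >= MAX_L3_STAS:
            raise RuntimeError(f"HAP {hap.name} is full: STA {mac} must go offline and online again")
        src.entries.pop(mac)                  # previous AP deletes its copy after the sync
        hap.l3_tunnels.discard(mac)           # tear down any tunnel from the previous position
        dst.entries[mac] = entry              # FAP synchronises the entry: no re-authentication
        if not layer3:
            return "l2"                       # same Layer 2 domain: FAP forwards directly
        hap.l3_tunnels.add(mac)               # CAPWAP data tunnel FAP -> HAP keeps the IP address
        return "l3"


def demo_site():
    """Constructed topology: AP1 and AP2 in VLAN 100, AP3 in VLAN 200, all on the guest SSID."""
    site = Site()
    for name, vlan in (("AP1", 100), ("AP2", 100), ("AP3", 200)):
        site.add_ap(AP(name, "Guest", vlan))
    for a, b in (("AP1", "AP2"), ("AP2", "AP3"), ("AP1", "AP3")):
        site.detect(a, b)
    return site


if __name__ == "__main__":
    site = demo_site()
    sta = site.go_online("AP1", "aa:bb:cc:dd:ee:01", "192.168.1.25", "guest")
    print("HAP:", sta.hap, "AP1->AP2:", site.roam(sta.mac, "AP1", "AP2"),
          "AP2->AP3:", site.roam(sta.mac, "AP2", "AP3"), "AP3->AP1:", site.roam(sta.mac, "AP3", "AP1"))
```

Two design points from the slides show up directly: the HAP is only ever chosen from the VLAN 100 domain in which the STA first went online (so a large first-online Layer 2 domain gives more candidate HAPs), and a roam that would exceed the per-AP Layer 3 limit is rejected before the previous AP drops its entry, which is the "go offline and online again" case from the design points.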
Radio Calibration: AP Grouping Design
⚫ The number of APs that a leader AP can manage is limited.
 If the number of APs exceeds the management capability of a leader AP, network planning is required: management VLANs need to be planned for AP grouping. When there are a large number of APs in one management VLAN, the APs are automatically divided into multiple groups.
 Radio calibration is performed on WLANs in a continuous area. Therefore, it is recommended that APs be grouped by geographic location, such as by floor, to ensure that the APs in a group are in the same area. This maximizes the calibration effect.
Random grouping: If no manual intervention is performed when the number of APs exceeds the upper limit, the APs are randomly grouped, which affects the calibration effect.
Grouping based on management VLANs: In a continuous area (such as adjacent APs or APs on the same floor), management VLANs are planned for AP grouping, for example VLAN 1000 for floor F1, VLAN 1001 for F2, and VLAN 1002 for F3. A leader AP is elected in each group.

• A cloud AP is essentially a Fat AP, and cloud APs are independent of each other. Some WLAN services, such as radio calibration, need to be processed centrally, but no WAC is deployed. To ensure high network reliability and performance and to meet local computing requirements, a global control role similar to a WAC is required.
• A leader AP is an AP with strong capabilities in an AP group. It is responsible for global calibration of the entire group and is automatically elected within a Layer 2 domain.
• Calibration regions are automatically divided based on the management VLAN. On a small network, one leader AP can manage all APs (no more than 128 high-performance APs, or no more than 50 low-performance APs), so only one management VLAN needs to be planned for the APs.
• When the number of APs exceeds the management specifications of the leader AP, divide the network into multiple management VLANs. You are advised to plan management VLANs by floor or by physically continuous coverage area to keep the calibration regions continuous.
• Port isolation cannot be configured on the uplink access switch of a cloud AP, because the calibration group is negotiated through wired-side broadcasts. Keep the management VLAN dedicated to APs so that this Layer 2 reachability between APs is not extended to user service VLANs.
Radio Calibration: Calibration Mode Selection
iMaster NCE supports three radio calibration modes:
 Automatic mode: APs periodically perform global calibration based on the configured calibration time and interval.
 Manual mode: APs do not proactively perform radio calibration; you manually perform global or local calibration for the APs at the site on iMaster NCE.
 Scheduled mode: APs perform global calibration at a scheduled time every day.
Calibration procedure (as shown in the figure):
1. iMaster NCE delivers the calibration command.
2. All APs perform detection: according to the configured mode, the APs switch to other channels to scan neighboring APs. The scanning lasts for 15 minutes.
3. The APs report detection data: during detection, each AP reports the detected data to the leader AP every 10 s.
4. The leader AP performs computing and calibration: every 5 minutes, three times in total, so that the algorithm converges.
5. The leader AP delivers the calibration result, including the calculated channel and power, to each AP in the group.

• For scheduled radio calibration, you can enable intelligent radio calibration and use the analyzer to analyze historical WLAN data and predict interference sources on the network. During network optimization, the APs can then avoid likely interference sources in advance, improving the quality of the entire WLAN.
• During deployment, you are advised to trigger a manual calibration after the APs are installed and online, so that their channels and power are planned automatically.
Radio Calibration: Channel and Frequency Bandwidth Selection
AP channel selection
• 2.4 GHz frequency band: The channel set 1, 6, and 11 is recommended. If APs are densely deployed, the channel set 1, 5, 9, and 13 is recommended (channel 13 is not permitted in every regulatory domain).
• 5 GHz frequency band: When an AP uses a single 5 GHz radio, stagger the high- and low-frequency channels of neighboring APs. When an AP uses dual 5 GHz radios, plan one radio at low frequencies and the other at high frequencies.
Frequency bandwidth selection
• 2.4 GHz frequency band: Only the 20 MHz frequency bandwidth can be selected.
• 5 GHz frequency band: The 40 MHz frequency bandwidth is recommended. The 80 or 160 MHz frequency bandwidth can be used in bandwidth-hungry scenarios.
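The channel rules above (1/6/11 or 1/5/9/13 on 2.4 GHz, low/high staggering of neighboring single-radio APs on 5 GHz, one low and one high channel per dual-radio AP) can be applied to a neighbor graph by a simple greedy planner. The following is an added example and not the calibration algorithm run by the leader AP, which the material does not specify. The 5 GHz channel numbers (40 MHz primaries 36/44 and 149/157) are an assumed example plan; use the channels allowed in your regulatory domain. The AP neighbor graphs are constructed.

```python
"""Greedy channel planning following the channel-selection rules above.

Added example, not the calibration algorithm of the leader AP (which the
material does not specify): assigns 2.4 GHz channels from the recommended set
(1/6/11, or 1/5/9/13 for dense deployments) so that neighboring APs differ
wherever possible, and for 5 GHz alternates neighboring single-radio APs
between a low and a high channel group while dual-radio APs get one channel
from each group. The 5 GHz channel numbers are an assumed example plan.
"""
from collections import deque

CH_24_DEFAULT = [1, 6, 11]
CH_24_DENSE = [1, 5, 9, 13]    # channel 13 is not permitted in every regulatory domain
CH_5G_LOW = [36, 44]           # assumed low-group 40 MHz primary channels
CH_5G_HIGH = [149, 157]        # assumed high-group 40 MHz primary channels


def make_graph(edges):
    """Symmetric neighbor graph: {ap: set of APs it can detect over the air}."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def assign_channels(graph, channels):
    """Greedy colouring: most-constrained AP first; fewest co-channel neighbors wins."""
    plan = {}
    for ap in sorted(graph, key=lambda n: (-len(graph[n]), n)):
        used = [plan[n] for n in graph[ap] if n in plan]
        plan[ap] = min(channels, key=lambda c: (used.count(c), c))
    return plan


def co_channel_conflicts(graph, plan):
    """Number of neighbor pairs that ended up on the same channel."""
    return sum(1 for a in graph for b in graph[a] if a < b and plan[a] == plan[b])


def split_low_high(graph):
    """Two-colour the graph by BFS so neighboring APs alternate groups.

    An odd cycle cannot be two-coloured; those APs keep the group they were
    given first and assign_channels then minimises co-channel conflicts.
    """
    group = {}
    for start in sorted(graph):
        if start in group:
            continue
        group[start] = "low"
        queue = deque([start])
        while queue:
            ap = queue.popleft()
            for n in graph[ap]:
                if n not in group:
                    group[n] = "high" if group[ap] == "low" else "low"
                    queue.append(n)
    return group


def plan_5g(graph, dual_radio=False):
    """Single radio: one channel per AP, staggered low/high. Dual radio: (low, high) per AP."""
    if dual_radio:
        low, high = assign_channels(graph, CH_5G_LOW), assign_channels(graph, CH_5G_HIGH)
        return {ap: (low[ap], high[ap]) for ap in graph}
    group = split_low_high(graph)
    plan = {}
    for name, channels in (("low", CH_5G_LOW), ("high", CH_5G_HIGH)):
        members = {ap: {n for n in graph[ap] if group[n] == name} for ap in graph if group[ap] == name}
        plan.update(assign_channels(members, channels))
    return plan


if __name__ == "__main__":
    corridor = make_graph([("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4")])
    dense = make_graph([(a, b) for a in "ABCD" for b in "ABCD" if a < b])
    print("2.4 GHz corridor:", assign_channels(corridor, CH_24_DEFAULT))
    print("dense, 1/6/11 conflicts:", co_channel_conflicts(dense, assign_channels(dense, CH_24_DEFAULT)))
    print("dense, 1/5/9/13 conflicts:", co_channel_conflicts(dense, assign_channels(dense, CH_24_DENSE)))
    print("5 GHz single radio:", plan_5g(corridor))
    print("5 GHz dual radio:", plan_5g(corridor, dual_radio=True))
```

The dense four-AP mesh is the case the slide has in mind: with only three non-overlapping 2.4 GHz channels one neighbor pair must share a channel, while the 1/5/9/13 set removes the conflict at the cost of narrower spacing. The real leader AP also weighs detected signal strength and transmit power, which this planner ignores.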
Access Control Scenarios (1)
iMaster NCE functions as an authentication server
• Authentication type: HACA Portal, 802.1X, and MAC address authentication
• Scenario description: iMaster NCE functions as the authentication server for the authentication point.
iMaster NCE interconnects with a third-party Portal server
• Authentication type: HACA Portal relay solution
• Scenario description: A Portal server has been deployed and interconnects with iMaster NCE through APIs (HTTP/HTTPS). iMaster NCE functions as a relay agent between the authentication point and the third-party Portal server.

• Deployment mode recommendation:
▫ It is recommended that iMaster NCE function as the authentication server to implement authentication and policy control.
▫ If an enterprise has its own authentication server, iMaster NCE can interconnect with that third-party server in relay (proxy) mode. iMaster NCE then still provides user management and some policy management functions.
▫ If an enterprise uses a third-party authentication server to provide access authentication, the device that functions as the authentication point can directly interconnect with the third-party authentication server.
Access Control Scenarios (2)
iMaster NCE interconnects with a third-party RADIUS server
• Authentication type: HACA Portal-to-RADIUS solution
• Scenario description: A RADIUS server has been deployed and interconnects with iMaster NCE through RADIUS. iMaster NCE functions as a RADIUS relay agent.
The authentication point directly interconnects with a third-party authentication server
• Authentication type: Portal, HTTPS Portal, 802.1X, and MAC address authentication
• Scenario description: The network device that functions as the authentication point directly interconnects with a third-party server (Portal + RADIUS). (Note: HTTPS Portal is configured using CLIs.)
Authentication Solution Deployment
Terminal Role | Guest | Enterprise employee | Dumb terminal
Access Mode | Wireless | Wireless/Wired | Wired
Authentication Type | Portal authentication | Portal authentication (recommended for wireless users); 802.1X authentication (optional for both wireless and wired users) | MAC address authentication

Authentication point: Access devices are recommended as authentication points. This has the following advantages:
• Multiple access devices perform user authentication separately, reducing the authentication load.
• Authentication points are closer to the terminals, improving authentication security.
• The configuration planning is simple. If authentication points are deployed at an upper layer, the following factors must be considered: performance specifications of the devices acting as authentication points, Layer 2 isolation at the access layer, and configuration for transparent transmission of 802.1X protocol packets at the access layer.

Networking scenario:
• Single-device networking: The authentication point is the local device, and Portal authentication is recommended. (In the cloud management scenario, ARs and firewalls do not support 802.1X or MAC address authentication.)
• Other networking scenarios: APs are used as the authentication points for wireless users, and access switches are used as the authentication points for wired users.
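Whichever device acts as the authentication point, the Portal, 802.1X and MAC address authentication scenarios above all end in a RADIUS exchange with the authentication server (iMaster NCE, its relay agent, or a third-party server). The following is an added example, not code from iMaster NCE or from Huawei devices: it builds the Access-Request an authentication point would send for a Portal-style PAP login and for MAC address authentication, hides the User-Password with the shared secret as RFC 2865 specifies, and adds and verifies a Message-Authenticator (RFC 2869). The shared secret, NAS address, user names and MAC addresses are constructed test data; sending the MAC as both User-Name and User-Password for MAC authentication is a common convention that is assumed here rather than taken from the material.

```python
"""RADIUS Access-Request as sent by an authentication point to a RADIUS server.

Added example, not code from iMaster NCE or Huawei devices: builds an
Access-Request (RFC 2865) for a Portal-style PAP login and for MAC address
authentication, hides the User-Password with the shared secret and the Request
Authenticator, and appends a Message-Authenticator (RFC 2869, HMAC-MD5) that
the server verifies. Server-side verification and password recovery are
included so the exchange can be checked end to end. All values are constructed
test data; MAC-as-password is an assumed convention.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLING_STATION_ID, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 31, 61, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19


def avp(attr_type, value):
    """Encode one attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: undo hide_password (the trailing NUL padding is removed)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_access_request(secret, identifier, nas_ip, username, password, calling_station_id, authenticator=None):
    """Return (packet, request_authenticator) for a wireless access attempt."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = avp(USER_NAME, username.encode())
    attrs += avp(USER_PASSWORD, hide_password(password.encode(), secret, ra))
    attrs += avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
    attrs += avp(CALLING_STATION_ID, calling_station_id.encode())
    attrs += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)    # placeholder, filled in below
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs
    # HMAC-MD5 over the whole packet with the Message-Authenticator zeroed, then patched in.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac, ra


def mac_auth_request(secret, identifier, nas_ip, mac_address, authenticator=None):
    """MAC address authentication: the MAC is the identity and (by assumed convention) the password."""
    return build_access_request(secret, identifier, nas_ip, mac_address, mac_address, mac_address, authenticator)


def parse_attributes(packet):
    """Return (type, value) pairs; rejects lengths that run past the packet."""
    attrs, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("attribute header truncated")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[i + 2:i + length]))
        i += length
    return attrs


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC with the Message-Authenticator value zeroed."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    i = 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[i + 2:i + 18])
        i += length
    return False     # no Message-Authenticator: reject rather than rely on the MD5 password hiding alone
```

Two practical points follow from the code. The User-Password hiding is keyed only by the shared secret and a 16-byte authenticator, so the secret must be long and random and the RADIUS path between the authentication point and the server should be a protected management network (or RadSec over TLS). The Message-Authenticator is what binds the rest of the request to the secret; a server that accepts Access-Requests without it is trusting unauthenticated UDP, which is why the verifier above returns False when the attribute is absent.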
Panorama of Open Cloud Management Capabilities
Application layer (provided by partners): MSP (log analysis), Business (marketing reach), Education (e-Schoolbag), Manufacturing (AGV navigation), Healthcare (baby wristband), OA (asset management)
• Focuses on mainstream application scenarios.
• All network service data is open, meeting data monetization and operational requirements.
Platform layer: four types of APIs, namely the Infrastructure API (basic service API, app data API, policy service API, and IoT API), the VAS API, the third-party authentication API (HTTPS + RADIUS), and the LBS API (AP RSSI API)
• Supports the industry's standard network interconnection protocols.
Network layer: firewall, AR, switch, and AP, managed through NETCONF/Telemetry/Syslog/SNMP/NetStream
• Supports multiple open interfaces such as NETCONF and Telemetry, improving device manageability.
• Third-party IoT cards (Bluetooth, RFID, and ZigBee) can be installed on APs to provide IoT functions.
Terminal layer: ESL, asset tag, baby wristband, and smart wrist strap
• Supports access of IoT terminals (such as ZigBee, RFID, and BLE).
• Supports access of wired and wireless terminals.

• Open capabilities at all layers, for all services, and in all scenarios help MSPs, VAS application partners, and customers quickly implement system interconnection, service convergence, and data monetization.
Network Management Design: Management Level
Key points of network management design:
• Management level design is performed to determine whether multiple or multi-level organizations are needed to manage different sites. Huawei's Cloud-Managed Network Solution supports multiple or multi-level organizations for a tenant, which meets the requirements of managing large branches. Each organization can manage multiple sites or sub-organizations.
• (Optional) Organization planning and design: A large organization with multiple branches needs to be managed by area. That is, the organization is divided into multiple areas to manage the branches on demand.
• Site planning: A network with independent network management services is managed as a site. It can be an independent campus/branch network, or a relatively independent network on a campus/branch network, for example, the network of a building or even a floor. Sites can be flexibly planned based on actual management requirements.
• Rights- and domain-based management of network administrators' rights is adopted.
(Figure: hierarchy of platform carrier > MSP 1 > Tenant 1 and Tenant 2 > Organization 1 to Organization n > sites.)
Network Management Design: Rights- and Domain-Based Management
Authorization Scope | Tenant Level | MSP Level
Rights-based: controls the functions that can be performed | The super administrator can grant different rights to tenant administrators. To facilitate rights assignment and management, the system presets three roles with different rights: Monitor, Open API Operator, and Tenant Administrator. Tenant administrators authorize MSP administrators based on these three roles. | The super administrator can assign different rights to MSP administrators. Similarly, there are three preset roles: Monitor, Open API Operator, and MSP Administrator.
Domain-based: controls the range of devices that an administrator can manage | The minimum granularity of domain-based management is the site. That is, tenant administrators are authorized by site, and different tenant administrators can manage devices at different sites. When a tenant administrator authorizes an MSP administrator to manage its network, domain-based management is not supported: the MSP administrator can manage all sites of the tenant. | Domain-based management cannot be configured for MSPs at different levels. Once a tenant authorizes an MSP administrator, that MSP administrator can manage all devices of the tenant, whatever level the MSP administrator is at.

Because MSP delegation is not site-scoped, treat an authorized MSP administrator account as having full access to the tenant's network when assessing risk, and grant it the least privileged of the three preset roles that the MSP's work requires.
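The two controls in the table combine into a single authorization decision: the preset role decides which functions are allowed (rights-based), and the site list decides which devices are in scope (domain-based), with MSP delegation covering every site of the tenant. The following is an added example, not iMaster NCE code, that evaluates such a decision and lists which MSP accounts can configure a whole tenant. The rights attached to each preset role are assumptions for the example; the material names only the roles. The tenants, sites and administrators are constructed.

```python
"""Authorization check combining rights-based and domain-based management.

Added example, not iMaster NCE code: decides whether an administrator may run
an action against a site. The role decides which functions are allowed
(rights-based); the site list decides which devices are in scope
(domain-based). Tenant-level administrators are scoped per site; an MSP
administrator that the tenant has authorized is not site-scoped and reaches
every site of that tenant, as the text states. The rights attached to each
preset role are assumptions; tenants, sites and administrators are constructed.
"""
from dataclasses import dataclass, field

# Assumed function sets per preset role (role names from the material, rights assumed).
ROLE_RIGHTS = {
    "Monitor": {"view"},
    "Open API Operator": {"view", "api"},
    "Tenant Administrator": {"view", "api", "configure"},
    "MSP Administrator": {"view", "api", "configure"},
}


@dataclass(frozen=True)
class Admin:
    name: str
    level: str                      # "tenant" or "msp"
    role: str
    org: str                        # tenant name or MSP name the account belongs to
    sites: frozenset = frozenset()  # domain for tenant-level admins; unused for MSP admins


@dataclass
class Tenant:
    name: str
    sites: set
    authorized_msp_admins: set = field(default_factory=set)


def effective_sites(admin, tenant):
    """Sites the administrator can touch inside this tenant."""
    if admin.level == "tenant":
        return tenant.sites & admin.sites if admin.org == tenant.name else set()
    if admin.level == "msp":
        # No site granularity for MSP delegation: all sites or none.
        return set(tenant.sites) if admin.name in tenant.authorized_msp_admins else set()
    return set()


def authorize(admin, tenant, action, site):
    """Return (allowed, reason). Both the rights check and the domain check must pass."""
    rights = ROLE_RIGHTS.get(admin.role)
    if rights is None:
        return False, f"unknown role {admin.role!r}"
    if action not in rights:
        return False, f"role {admin.role} does not include {action!r}"
    if site not in tenant.sites:
        return False, f"site {site!r} does not belong to tenant {tenant.name}"
    if site not in effective_sites(admin, tenant):
        return False, f"{admin.name} has no domain covering site {site!r}"
    return True, f"{admin.role} at {admin.level} level may {action} on {site!r}"


def audit_msp_exposure(tenant, admins):
    """MSP accounts able to configure every site of the tenant: review these before delegating."""
    return sorted(a.name for a in admins
                  if a.level == "msp" and effective_sites(a, tenant) == tenant.sites
                  and "configure" in ROLE_RIGHTS.get(a.role, set()))


if __name__ == "__main__":
    tenant = Tenant("Tenant 1", {"HQ", "Branch-A", "Branch-B"}, {"msp-ops"})
    alice = Admin("alice", "tenant", "Tenant Administrator", "Tenant 1", frozenset({"Branch-A"}))
    ops = Admin("msp-ops", "msp", "MSP Administrator", "MSP 1")
    print(authorize(alice, tenant, "configure", "HQ"))
    print(authorize(ops, tenant, "configure", "HQ"))
    print(audit_msp_exposure(tenant, [alice, ops]))
```

The audit function is the practical takeaway from the table: a tenant can narrow a tenant-level administrator to one site, but cannot narrow an MSP administrator, so the only lever left for MSP accounts is the role (for example Monitor instead of MSP Administrator).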
O&M Function Panorama of CloudCampus
Visualized management and monitoring:
• NE management: device management, alarm management, log management, file/configuration management, SLA management
• Network management: service quality monitoring, wireless network monitoring, link management
• Terminal management: terminal management, user management, customer flow analysis
• Network health: device dimension, user access dimension, user roaming dimension, user throughput dimension, user application dimension
Intelligent troubleshooting:
• Fault locating: packet header obtaining, device diagnosis and test, packet path tracing
• Fault analysis: issue analysis, access analysis, performance analysis, protocol trace, CloudCampus APP
• Network optimization: radio calibration
These functions are split between the controller and the analyzer.
Quiz
1. (Multiple-answer question) Which of the following device deployment solutions can be used on small- and medium-sized campus networks to ensure device reliability? ( )
A. Deploy firewalls in hot standby mode.
B. Deploy two ARs as egress gateways.
C. Deploy switches in stacking mode.
D. Deploy multi-chassis link aggregation.
2. (True or false) 802.1X authentication is recommended for Wi-Fi networks deployed in stores. ( )
A. True
B. False

Answers: 1. ABC 2. B
Summary
⚫ This course describes how to use Huawei's CloudCampus Cloud-Managed Network Solution to design small- and medium-sized campus networks. Key design points include the overall design (network management mode, network O&M mode, and license scheme), the networking design (network architecture, networking solution, WAN interconnection, and reliability), and the service design (network basic services, network deployment, WLAN, NAC, security, QoS, VAS, and network O&M).
Recommendations

⚫ Huawei's CloudCampus Solution V100R020C10 Product Documentation
 https://support.huawei.com/hedex/hdx.do?docid=DOC1100797422&lang=en
Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
CampusInsight Intelligent O&M

Foreword
⚫ In the big data era, traditional O&M based on predefined rules cannot meet network O&M requirements, and the lack of automated O&M is becoming increasingly prominent. It is becoming urgent to use the large amount of data generated on the network to perform intelligent O&M and improve O&M efficiency.
⚫ Huawei iMaster NCE-CampusInsight, an intelligent network O&M platform, goes beyond traditional resource monitoring methods and applies AI to the O&M domain. Based on existing O&M data (such as device metrics and client logs), big data, AI algorithms, and more advanced analysis technologies, CampusInsight digitizes user experience on the network to help customers detect network access issues in a timely manner, improving user experience.
⚫ iMaster NCE-CampusInsight uses telemetry to collect metrics and logs of network devices and detects network exceptions based on real service traffic. Its big data platform supports centralized data collection, storage, and analysis to process big data efficiently.
Objectives

⚫ On completion of this course, you will be able to:
 Describe the pain points and requirements of intelligent O&M of campus networks.
 Describe the logical architecture and external interfaces of CampusInsight.
 Describe the application scenarios and deployment modes of CampusInsight.
 Describe the main functions and applications of CampusInsight.
 Complete major operations on CampusInsight.
Contents

1. CampusInsight Overview

2. CampusInsight Functions and Demonstration


▫ Telemetry
▫ Visibility
▫ Analysis

▫ Optimization

▫ Assurance

Challenges Facing Campus Network O&M

• Precise detection: Traditional O&M is based on SNMP and data is collected in minutes. Once a fault occurs, data at the fault occurrence time cannot be obtained in real time and no convenient backtracking method is available. Result: difficult fault locating and analysis.
• Experience detection: During traditional O&M, only device metrics are monitored. However, user experience may be poor when the metrics are normal. Traditional O&M lacks means of correlatively analyzing the client and network. Result: difficult user experience measurement.
• Issue identification: During traditional O&M, network faults can be detected only after receiving clients' complaints. As a result, faults cannot be effectively and proactively identified and analyzed. Result: difficult to proactively identify problems.
Campus Network O&M Requirements: AI-Powered Intelligent O&M

Device-Centric Network Management (traditional NMS; SNMP; network data collection within minutes):
• Topology management
• Performance management
• Alarm management
• Configuration management

• Device-centric management: User experience cannot be perceived.
• Passive response: Potential faults cannot be identified.
• Professional engineers locate faults on site.

User Experience-Centric AI-Powered Intelligent O&M (to-be; Telemetry; network data collection within seconds):
• Visible experience management
• Client journey tracing
• Identification of potential faults
• Location of root causes
• Intelligent network optimization

• Experience visibility: Telemetry-based data collection within seconds, enabling visible experience for each client, in each application, and at each moment.
• Identification of potential faults and location of root causes:
▫ Identification of potential faults based on the dynamic baseline and big data correlation.
▫ KPI correlation analysis and protocol tracing, helping accurately locate root causes of faults.
• Network optimization and self-healing: Continuous learning and predictive analysis through AI algorithms, implementing predictive optimization of wireless networks.

• Customer benefits: The transformation is to improve efficiency by using algorithms. With scenario-based continuous learning and expert experience, intelligent O&M frees O&M personnel from complex alarms and noise, making O&M more automatic and intelligent.
CampusInsight: Improving User and Service Experience Based on Prediction and AI

Real-time Experience Visibility
• Each region: Intuitively display the network status and user experience on the entire network or in each region through multi-dimensional evaluation of wired and wireless network health.
• Each client: Display network experience (who, when, which AP to connect, experience, and issue) of all clients in real time throughout the journey.
• Each application: Perceive experience of audio and video applications in real time, demarcate faulty devices quickly and intelligently, and analyze the root cause of poor quality.

Fault Locating Within Minutes
• Proactive issue identification: Proactively identify 85% of potential network issues through the AI algorithms that are continuously trained via Huawei's 200,000+ terminals.
• Fault locating within minutes: Locate issues within minutes, identify the root causes of issues, and provide effective fault rectification suggestions based on the fault reasoning engine.
• Intelligent fault prediction: Learn historical data through AI to dynamically generate a baseline, and compare and analyze the baseline with real-time data to predict possible faults.

Intelligent Network Optimization
• Real-time simulation feedback: Evaluate channel conflicts on wireless networks in real time and provide optimization suggestions based on the neighbor relationship and radio information of devices on each floor.
• Predictive optimization: Identify edge APs, predict the load trend of APs, perform predictive optimization on wireless networks, and compare the gains before and after the optimization based on historical data analysis. This practice improves the network-wide performance by 50%+ (Tolly-verified).
CampusInsight: Enabling Exclusive Full-Stack Intelligent O&M

Exclusive full-stack intelligent O&M for services, users, applications, and networks (smart brain of networks)
(Figure: CampusInsight collects data from the HQ, R&D center, and branch sites through Telemetry-based real-time data collection.)

• Real-time experience visibility: client journey, terminal dialing test, network health, spectrum analysis, and visualization of and traffic analysis for 1000+ mainstream applications.
• Fault locating in minutes:
▫ Individual fault analysis: protocol tracing, mainstream application QoE analysis, poor-QoE user analysis.
▫ Group fault analysis: wireless group fault analysis, wired group fault analysis.
• Intelligent network optimization: intelligent radio calibration.
• High-quality service assurance: wireless location.
CampusInsight: Logical Architecture

Business Services: data analysis service based on scenarios (service analysis, client analysis, application analysis; issue analysis, connection analysis, performance experience).
• Issue identification: intelligent identification of connection, air interface performance, roaming, and device issues.
• Access analysis & performance experience: analysis of connection and performance experience issues.
• User and network profiles: client journey retrospection and AP details analysis.
• Application analysis: audio and video quality detection.

APIs

Data Analysis: big data platform and data analysis service. The intelligent analysis system consists of the AI engine, the machine learning algorithm library, and the machine learning framework; the big data platform common services are Spark, Druid, Kafka, and HDFS, fed with performance counter data and Syslog data.
• Data storage: real-time preprocessing flow, offline distributed processing flow, and data storage service.
• Data analysis: mode identification, AI engine, and data aggregation and query.

Information Reporting

Data Collection: second-level performance counter and log collection from the campus network.
• Data collection: multi-dimensional data related to clients, radios, APs, and client logs.
CampusInsight: External Interfaces
⚫ The CampusInsight southbound interface implements interconnection between CampusInsight and devices, enabling CampusInsight to manage devices. CampusInsight supports the following southbound interface types: SNMP, HTTP2+ProtoBuf, and Syslog.

SNMP
• Supports standard SNMPv2c and SNMPv3.
• SNMP can be used to connect CampusInsight to network devices.
• SNMP is an application-layer network management protocol based on TCP/IP. It uses UDP as the transport-layer protocol to manage network devices that run an SNMP agent.

HTTP2+ProtoBuf
• CampusInsight uses HTTP2+ProtoBuf interfaces to collect device metric packets.
• The security layer of the HTTP2 protocol uses SSL and TLS to authenticate and encrypt communication channels.
• ProtoBuf is a data serialization protocol developed by Google (similar to XML, JSON, and Hessian). ProtoBuf can serialize data and is widely used in data storage and communication protocols.

Syslog
• The Syslog protocol is a standard for forwarding system logs on an IP network.
• Industry-standard protocol used to record device logs.
• CampusInsight receives log data reported by devices through the Syslog protocol.

• ProtoBuf: Protocol Buffers
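The Syslog interface described above delivers free-form log lines from devices to the collector. The following parser is an added example, not CampusInsight code and not part of the original slides: it decodes the RFC 3164 PRI field into facility and severity, rejects malformed lines and counts them instead of silently dropping them, and keeps only records at or above an urgency threshold. The device names and log texts in SAMPLE_LINES are constructed sample input, not captured from a real device.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Syslog severity codes (RFC 5424 table): 0 is the most urgent, 7 the least.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOSTNAME message
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[!-~]{1,255}) "    # printable ASCII, no spaces
    r"(?P<msg>.*)$"
)


@dataclass(frozen=True)
class SyslogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_syslog(line: str) -> Optional[SyslogRecord]:
    """Parse one line; return None for anything that does not match the format."""
    m = _LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    # PRI = facility * 8 + severity; facilities 0..23 give PRI 0..191.
    if pri > 191:
        return None
    return SyslogRecord(
        facility=pri >> 3,
        severity=pri & 7,
        timestamp=m.group("ts"),
        host=m.group("host"),
        message=m.group("msg"),
    )


def triage(lines: List[str], max_severity: int = 4) -> Tuple[List[SyslogRecord], int]:
    """Keep records at or above the urgency threshold (lower code = more severe)
    and count malformed lines, so the collector can alarm on a sudden rise in
    unparseable input rather than losing it unnoticed."""
    kept: List[SyslogRecord] = []
    rejected = 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            rejected += 1
        elif rec.severity <= max_severity:
            kept.append(rec)
    return kept, rejected


# Constructed sample input (not captured from a real device).
SAMPLE_LINES = [
    "<189>Jan 12 10:15:32 sw-floor1 Interface GigabitEthernet0/0/1 changed to DOWN",
    "<187>Jan 12 10:15:40 ac-core1 AP ap-3f-12 went offline",
    "<14>Jan 12 10:16:01 sw-floor2 User admin logged in from 10.0.5.7",
    "not a syslog line at all",
    "<999>Jan 12 10:16:05 sw-floor1 PRI out of range",
]

if __name__ == "__main__":
    records, bad = triage(SAMPLE_LINES)
    for r in records:
        print(f"{r.host}: facility={r.facility} severity={r.severity_name}: {r.message}")
    print(f"rejected lines: {bad}")
```

Over plain UDP the host field is whatever the sender wrote, so a collector should key trust on the source address or, better, on an authenticated transport; the HTTP2+ProtoBuf channel above provides that for metrics through TLS. The rejected-line counter is a cheap signal that a device has started emitting an unexpected format or that the collector is receiving input it was not designed for.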


CampusInsight: Data Processing Flowchart

(Figure: data flows from the devices to the analyzer through five stages: subscription, collection, distribution/buffering, analysis/AI computing, and storage.)
• Device side (subscription): Syslog (user logs), Telemetry (device/user performance counters), and SNMP (device management).
• Collection: the collection service receives the data.
• Distribution/buffering: Kafka distributes and buffers the data.
• Analysis/AI computing: Spark Streaming performs real-time data processing, Spark performs offline data processing, and AI algorithms analyze the data.
• Storage: raw data, aggregated data, and analyzed data are stored in Druid/HDFS.

After data subscription, the collection service collects data in seconds. After the data is buffered and distributed by a high-throughput distributed message system, each application service completes data analysis and computing based on AI algorithms and expert experience, and saves processed data to a fast, column-based distributed data storage system. Pages can then access the data to display related functions.
CampusInsight Deployment Scenario: Independent Deployment (Local Deployment)

Scenario Description
• CampusInsight is deployed independently on the network.
• Supports intelligent analysis of wireless and wired network devices in campus enterprises.

Network Description
(Figure: Internet, SW, AC, and APs, with CampusInsight deployed on the campus network.)
The following networking modes are supported:
• All ACs (including standalone ACs, native ACs, and ACUs) + Fit AP
• All ACs (including standalone ACs, native ACs, and ACUs) + central AP + RU
• Hybrid networking of switches and WLAN devices
CampusInsight Deployment Scenario: CloudCampus Deployment (Local Deployment)

Scenario Description
• CampusInsight is co-deployed with iMaster NCE-Campus.
• An enterprise purchases the Huawei cloud management platform (iMaster NCE-Campus and CampusInsight) and deploys the platform in the enterprise data center. O&M personnel of the enterprise maintain the cloud management platform and the enterprise network. The platform is used within the enterprise. The enterprise purchases related licenses from the Huawei service team.

Network Description
(Figure: Internet, SW, AC, and APs, managed by iMaster NCE-Campus and CampusInsight in the enterprise data center.)
• Management and intelligent analysis are supported for Huawei cloud switches, cloud ACs, and cloud APs. For details about supported device models, see the iMaster NCE-CampusInsight Specifications List.
• An enterprise deploys CampusInsight and iMaster NCE-Campus in the enterprise data center, and manages devices through iMaster NCE-Campus. CampusInsight synchronizes device management information from iMaster NCE-Campus.
CampusInsight Deployment Scenario: CloudCampus Deployment (Huawei Public Cloud Scenario)

Scenario Description
• In the Huawei public cloud scenario, the cloud management platform (iMaster NCE-Campus and CampusInsight) is uniformly managed by the cloud management and operations team of Huawei and provides the SaaS service for end users.
• Tenant network devices are connected to the Huawei cloud management platform through the carrier network.

Network Description
(Figure: Tenant 1 to Tenant N, each with SW, AC, and APs, connected over the Internet to the Huawei cloud.)
• Management and intelligent analysis are supported for Huawei cloud switches, cloud ACs, and cloud APs. For details about supported device models, see the iMaster NCE-CampusInsight Specifications List (CloudCampus).
• The Huawei cloud management and operations team deploys CampusInsight and iMaster NCE-Campus on the Huawei public cloud, and manages devices through iMaster NCE-Campus. CampusInsight synchronizes device management information from iMaster NCE-Campus.

• SaaS: software as a service


CampusInsight Deployment Scenario: CloudCampus Deployment (MSP Self-built Cloud Scenario)

Scenario Description
• MSPs purchase the controller (iMaster NCE-Campus) and analyzer (iMaster NCE-CampusInsight) for operational purposes. The software can be deployed in their data centers or on public cloud IaaS.
• MSPs develop their tenants and provide SaaS services for tenants.
• Tenant network devices connect to the MSP data center or public cloud IaaS through the carrier network.

Network Description
(Figure: Tenant 1 to Tenant N, each with SW, AC, and APs, connected over the Internet to the MSP's cloud.)
• Management and intelligent analysis are supported for Huawei cloud switches, cloud ACs, and cloud APs. For details about supported device models, see the iMaster NCE-CampusInsight Specifications List (CloudCampus).

• IaaS: infrastructure as a service


Contents

1. CampusInsight Overview

2. CampusInsight Functions and Demonstration


◼ Telemetry
▫ Visibility
▫ Analysis

▫ Optimization

▫ Assurance

Meeting Real-Time Analysis Requirements Based on the Telemetry Technology

SNMP (traditional NMS)
• Protocol development stagnation: SNMP is designed for limited processing capabilities.
• Polling technology: The minute-level polling cycle cannot meet the service requirements of real-time management.
• Rigid data structure: Fixed data structures are defined, and multiple data requests are required to complete each effective data collection.

Telemetry
• Based on HTTP2 and ProtoBuf.
• Subscription-based release and on-demand use.
• Efficient encoding and decoding technology to obtain multiple data records at a time, implementing second-level data acquisition.
The quasi-real-time data acquisition capability is the key dependency for the analyzer to mine data.
Monitoring Telemetry Metrics on Wireless Networks
⚫ Monitor key metrics on wireless networks based on the telemetry technology, display the wireless network quality from the AP, radio, and client dimensions, and proactively identify air interface performance issues, such as weak-signal coverage, high interference, and high channel utilization.

• Real-time data display: Display key metrics on wireless networks and single out abnormal metric status.
• Automatic issue identification: Automatically identify air interface performance issues based on AI algorithms, correlative analysis, and exception modes.

Telemetry metric collection on wireless networks
Measured Object | Measurement Metric | Supported Device Type | Default Collection Period
AP | CPU usage, memory usage, and number of online clients | AP | 1 minute
Radio | Number of online clients, channel utilization, noise, traffic, backpressure queue, interference rate, and power | AP | 1 minute
Client | RSSI, negotiated rate, packet loss rate, and latency | AP | 1 minute

• RSSI: Received Signal Strength Indicator


Monitoring Telemetry Metrics on Wired Networks
⚫ Analyze telemetry metric data of devices, interfaces, and optical links collected through Telemetry on wired networks, and proactively monitor and predict network issues.

• Real-time display of key metrics: Display key metrics on wired networks in real time, including top N devices and historical trends.
• Exception detection based on dynamic baselines: Use AI algorithms to predict the baselines of key metrics, such as CPU/memory usage. Identify network metric deterioration before service interruptions through comparison with dynamic baselines.

Telemetry metric collection on wired networks
Measured Object | Measurement Metric | Supported Device Type | Default Collection Period
Device/Card | CPU usage | Switch and AC | 1 minute
Device/Card | Memory usage | Switch and AC | 1 minute
Interface | Number of received/sent packets, number of received/sent broadcast packets, number of received/sent multicast packets, number of received/sent unicast packets, number of received/sent packets that are discarded, and number of received/sent error packets | Switch and AC | 1 minute
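The dynamic-baseline detection described above, and on the earlier intelligent O&M requirements slide, compares a live metric with its own recent history instead of a fixed threshold. The following is an added example and not CampusInsight's algorithm, which the slides do not describe in detail: a mean-plus-k-sigma baseline over a sliding window of one-minute CPU samples, with two refinements a practitioner usually needs. Flagged samples are kept out of the baseline so a spike does not raise the threshold for the following minutes, and a deviation that persists for absorb_after samples is accepted as the new normal. The window, k, min_spread and absorb_after parameters are assumptions, and CPU_SAMPLES is a constructed series.

```python
import math
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Verdict:
    index: int
    value: float
    baseline: float    # mean of the clean history window
    upper: float       # baseline + k * spread; values above it are anomalies
    is_anomaly: bool


def _mean_std(values: List[float]):
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / n
    return mean, math.sqrt(var)


def dynamic_baseline(samples: List[float], window: int = 10, k: float = 3.0,
                     min_spread: float = 1.0, absorb_after: int = 5) -> List[Verdict]:
    """Compare each sample with mean + k*std of the last `window` samples that
    were judged normal (assumed parameters, not CampusInsight's own).

    - min_spread stops a perfectly flat history from flagging every tiny change.
    - Flagged samples stay out of the history so a spike does not lift the
      threshold for the following minutes.
    - A deviation that persists for absorb_after consecutive samples is
      accepted into the history as the new normal (for example after a planned
      load increase), so the detector stops alarming on it.
    Only upward deviations are flagged, which is what matters for usage metrics.
    """
    if len(samples) <= window:
        return []
    history: List[float] = list(samples[:window])   # warm-up, assumed clean
    run: List[float] = []                           # current streak of anomalies
    verdicts: List[Verdict] = []
    for i in range(window, len(samples)):
        value = samples[i]
        mean, std = _mean_std(history[-window:])
        upper = mean + k * max(std, min_spread)
        anomalous = value > upper
        verdicts.append(Verdict(i, value, mean, upper, anomalous))
        if not anomalous:
            history.append(value)
            run.clear()
        else:
            run.append(value)
            if len(run) >= absorb_after:
                history.extend(run)   # sustained change becomes the new baseline
                run.clear()
    return verdicts


def anomalous_indexes(samples: List[float], **params) -> List[int]:
    return [v.index for v in dynamic_baseline(samples, **params) if v.is_anomaly]


# Constructed one-minute CPU usage samples (percent) for one switch: a stable
# baseline around 30%, a single spike at minute 20, then a sustained step to
# about 60% from minute 25 onwards.
CPU_SAMPLES: List[float] = (
    [28, 31, 30, 29, 33, 30, 27, 32, 31, 30, 29, 31, 30, 28, 32, 30, 31, 29, 30, 32]
    + [85, 30, 31, 29, 30]
    + [60, 61, 59, 60, 62, 60, 61, 60]
)

if __name__ == "__main__":
    for v in dynamic_baseline(CPU_SAMPLES):
        flag = "ANOMALY" if v.is_anomaly else ""
        print(f"t={v.index:2d} value={v.value:5.1f} baseline={v.baseline:5.1f} "
              f"upper={v.upper:5.1f} {flag}")
```

With the defaults the spike at minute 20 and the first five minutes of the step (25 to 29) are flagged; from minute 30 the step has been absorbed and the detector is quiet. Raising absorb_after keeps alarming on the step, which is the right choice when a sustained rise should be treated as an incident rather than a new normal.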
Contents

1. CampusInsight Overview

2. CampusInsight Functions and Demonstration


▫ Telemetry
◼ Visibility
▫ Analysis

▫ Optimization

▫ Assurance

Visibility: Health | Quality Evaluation Reports | Radio Heat Map | Spectrum Analysis | Terminal Dialing Test

Campus Health: Intuitive Insights into the Network Quality

Campus Health
• Wireless: continuously guides network optimization based on KQIs/KPIs.
• Wired: detects and handles faults in a timely manner based on accurate issue reporting.

Wireless Network Health
• Access success rate, access duration
• Roaming success rate, roaming duration
• Signal and interference
• Air interface capacity
• Air interface throughput

Wired Network Health
• Network status
• Network performance
• Device capacity
• Device environment

Major Portal for Routine O&M
• Centralized wired/wireless network monitoring
• Intuitive, clear, and efficient display of buildings

• Intuitive insights into campus network health based on multi-faceted wired and wireless network health monitoring, implementing intelligent, simplified campus network O&M.
• Network health topology as a uniform portal for rapidly handling network and device problems in local buildings, simplifying network O&M.

• KQI: key quality indicator


Building Topology: Displaying Key KPIs and Network Issues Based on Buildings

Intuitive, clear problem display from the building perspective:
• Your network is abnormal: device off-boarding, intermittent port disconnection, AP off-boarding.
• An access fault occurs on your network: users fail to be authenticated in a batch.
• Traffic congestion occurs on your network: port or queue congestion.
• Packet errors occur on your network: the number of error packets on a network port exceeds the threshold, or the number of error packets keeps increasing.
Multi-Dimensional Network Health Evaluation Model, Comprehensively Evaluating Network Experience

Wireless network health evaluation model: displays wireless network quality from 3 dimensions and 6 sub-categories.
• Access Experience: Check whether users can access the network properly.
• Roaming Experience: Check whether network experience is smooth, without frame freezing, when users move.
• Throughput Experience: Check whether interference exists on the wireless network and whether capacity expansion is required.

Wired network health evaluation model: analyzes 10+ types of monitored objects and 30+ indicators to intuitively display the wired network quality.
• Device Environment: Check whether the status of physical components is abnormal.
• Device Capacity: Check whether device resources or capacities are sufficient.
• Network Status: Check whether the status of network ports is abnormal.
• Network Performance: Data transmission is abnormal, affecting the throughput.

• Wireless Network Health Evaluation Model:
▫ Access Experience
▪ Access success rate: association/authentication/DHCP success rate.
▪ Access duration: association/authentication/DHCP duration.
▫ Roaming Experience
▪ Roaming fulfillment rate: roaming success rate/roaming duration.
▫ Throughput Experience
▪ Signal and interference: STA signal strength and interference rate.
▪ Capacity fulfillment rate: channel utilization/number of users.
▪ Throughput fulfillment rate: interference rate/non-5G-prior access/air interface congestion fulfillment rate.

• Wired Network Health Evaluation Model:
▫ Device Environment: fault of a device, board, fan, power supply, or file system.
▫ Device Capacity: ARP/MAC/FIB entry capacity, ACL resources, storage capacity.
▫ Network Status: intermittent port disconnection, port suspension, optical module exception.
▫ Network Performance: port congestion, queue congestion, port error packets.
Case 1: Wireless Network Health (1)

Case: Using the wireless health of CampusInsight, O&M personnel at a site find that the network quality of the Shenzhen campus is much lower than that of other campuses. The access success rate, coverage, and throughput fulfillment rate of the Shenzhen campus are below the industry benchmark. By drilling down into the data, O&M personnel successfully locate the cause and rectify the fault.

1. Choose Health > Wireless Health.
2. In the fulfillment rate rankings, the fulfillment rate of the Shenzhen campus is lower than that of other campuses. Click Shenzhen. The quality evaluation data of the Shenzhen campus is displayed.
3. Check the data of the multiple dimensions. The quality evaluation result of the coverage is Good, which is below the industry benchmark. Click the RSSI fulfillment rate metric to drill down into the data for analysis.
Case 1: Wireless Network Health (2)

4. On the RSSI fulfillment rate analysis page, two weak-signal coverage issues are detected. Click the link in the Issue Name column to go to the issue details page and check the specific issue.
Case 2: Wired Network Health

Case: The O&M personnel at a site use CampusInsight to check the wired network health and find that the network performance is abnormal. The O&M personnel view the anomaly details, find the abnormal monitoring item, go to the corresponding issue analysis page to view the root cause, and rectify the anomaly.

1. Choose Health > Wired Health.
2. If Network Performance is abnormal, click View Details.
3. View the abnormal monitoring item. Click Issues to go to the issue analysis page, view the root cause and rectification suggestions, and resolve the anomaly.
Real-Time or Periodic Quality Evaluation Reports, Facilitating Optimization

• Network Overview: Get a full picture of network-wide information, including resources, users, and quality statistics.
• Indicator Details: Rank sites by multiple metrics of the network health, presenting the site quality trend.
• Rectification Suggestions: Identify root causes of top network problems and provide rectification suggestions for continuously improving network quality.

• CampusInsight provides professional evaluation report services. Specifically, network quality evaluation reports on the network overview, indicator details, and rectification suggestions are generated in real time or periodically. These deliver measurable network experience.
Case 3: Quality Evaluation Reports

1. Choose Health. On the Wireless Health page that is displayed, click Report Export in the upper right corner.
2. Scheduled Sending: Set Send Time and Notify User Group for the report. The report is then sent to the specified email boxes at the specified interval.
3. Immediate Sending: Set Report Start and End Time and Receiving Mode for the report. The report is then generated immediately. (Download immediately: The report can be directly downloaded from the browser. Send by email: The report is immediately sent to the specified email boxes.)
Radio Heat Map: Visualizing Network Coverage Simulation

• Comparison with planning: Is the coverage of the deployed wireless network consistent with the planning? Simulate the coverage based on the actual radio power and channel after the network is deployed.
• Impact: Is there any impact on the network if an isolation wall needs to be added? Simulate the impact on wireless coverage by adding obstacles.
• Less interference: Do device configurations need to be modified because they interfere with other devices? After device configurations such as power and channel are modified, simulate in real time whether interference occurs between devices.

Simulation of signal strength, rate, and power and channel distribution of wireless signal coverage on a floor:
• Reflect signal coverage and strength variation by floor, check coverage holes, and display the network coverage status of enterprise buildings.
• Set obstacles to enhance the environment simulation.
• Detect and rectify weak-signal coverage areas caused by obstacles in a timely manner.

Ability | Description
By RSSI | Wi-Fi signal strength at each location of the simulated floor.
By rate | Indicates the attainable Wi-Fi access rate at each location of the simulated floor.
By channel | Simulates the signal strength and conflicts on each floor on the specified channel.

• The service topology collects statistics on the status, access, congestion, and error packet issues, and displays the number of clients and traffic volume based on sites, regions, buildings, and floors. This allows administrators to quickly search for and view the buildings that users pass by, helping administrators quickly identify campus network issues.
• In the Service Topology of CampusInsight, you can access WLAN Topology to view the radio heat map of the network.
Case 4: Radio Heat Map (1)

Case: A company has insufficient conference room resources and needs to partition the office area to form some conference rooms. The construction design personnel consult the company's IT department about whether this practice affects the office Wi-Fi. The IT personnel edit the coverage obstacles such as conference room walls and glass doors on the radio heat map, and fill coverage holes or adjust APs based on the simulation result.

1. Choose Service Topology > WLAN Topology.
2. Select Shenzhen > N10 > N10-1F from the left navigation tree.
3. Switch to the editing mode, right-click, and select Add Obstacle.
Case 4: Radio Heat Map (2)

4. Set Shape to PolyLine and Type to Brick wall 1 or Wooden door.
5. Draw a conference room on the topology (as shown by the rectangle in the figure), double-click the left mouse button to exit the obstacle drawing view, and click Save.
6. Enter the monitoring mode, select By RSSI, and click Refresh to check whether there are coverage holes. Perform operations according to the simulation result.

Use Case Benefits
Using the radio heat map, CampusInsight can simulate Wi-Fi coverage based on the radio signal transmission model upon changes of the radio environment or signal configuration. In this manner, CampusInsight can proactively identify coverage holes and areas affected by conflicts, and provide references for filling coverage holes and adjusting network configurations.
Spectrum Analysis (1)

⚫ With spectrum analysis, CampusInsight monitors the status of all channels based on APs and intuitively displays the usage of each channel, which is more concise and easy to understand.

Status monitoring of all channels

• The Spectrum Analysis tab page displays the channel status and surrounding interference of APs, including the channel utilization, current working channel, historical trend of channel status, non-Wi-Fi interference sources, Wi-Fi interference sources, and Wi-Fi interference source distribution, facilitating device status analysis.
• The spectrum analysis process is as follows:
1. APs scan all channels in real time, including co-channel interference, non-Wi-Fi interference, and the normal usage ratio of channels.
2. The APs report channel scanning data to CampusInsight.
3. CampusInsight monitors the status of all channels by AP in real time and allows administrators to view the historical trend chart, non-Wi-Fi interference source types, and RSSI.
Spectrum Analysis (2)

Historical trend chart by channel
List of detected Wi-Fi/non-Wi-Fi interference sources
Terminal Dialing Test (1)

⚫ With the terminal dialing test, CampusInsight displays the overall WLAN experience quality from the perspective of users based on multiple metrics collected from the CloudCampus APP. You can filter dialing test records based on the dialing test region, vendor, SSID, BSSID, and terminal MAC address. The changes of dialing test metrics are displayed in different colors.

Dialing Test Type | Content
Wi-Fi network metric | Signal strength, bandwidth, ping delay, ping packet loss rate, and AP association performance
Wi-Fi service metric | Website connectivity, intranet speed test, intranet file download speed, Internet performance test, and video experience
(Metrics are collected by the CloudCampus APP.)

• Note: Intranet servers are required for testing the intranet speed, intranet file download rate, and video experience.

Terminal Dialing Test (1)


Dialing test details: After clicking a metric, you can view the historical trend chart of the metric.


Dialing Test Report

[Figure: dialing test report showing the evaluation result, metrics overview, and test details. Deployment solution overview: CampusInsight on Huawei public cloud or on-premises, gateway, AP, and dialing test terminal (with CloudCampus APP installed).]


• CampusInsight provides comparison reports of networks built by different vendors, comprehensively evaluates the overall user experience of Wi-Fi networks, analyzes network issues, and provides network optimization guidance.
• Zero-cost rapid deployment:
▫ Network reachability can be tested.
▫ Analysis reports are immediately generated.


Contents

1. CampusInsight Overview
2. CampusInsight Functions and Demonstration
▫ Telemetry
▫ Visibility
◼ Analysis
▫ Optimization
▫ Assurance

CampusInsight: Individual and Group Issue Analysis

During campus network O&M, administrators encounter the following types of issues:
1. Individual issues: for example, access failures caused by incorrect client configurations.
2. Group issues: for example, group authentication failures caused by authentication server faults and group weak-signal coverage issues caused by insufficient AP coverage.

Solution to Individual Issues
1. Each metric: Collect data within seconds and detect issues.
2. Each client: Analyze the protocol-level access process, trace the client journey and analyze experience, and detect audio and video application quality.

Solution to Group Issues
Issue identification: Intelligently identify connection, air interface performance, roaming issues, and device issues.

CampusInsight: Fault Reasoning

Fault analysis:
⚫ Data collection: Telemetry and Syslog
⚫ Fault occurring
⚫ Rule matching against the fault knowledge base (Rule 1, Rule 2, Rule 3, Rule 4, ...), which is built from the long-lasting expert-level O&M expertise of Huawei engineers and continuous inputs from fault troubleshooting at real sites

Precise root cause analysis:
⚫ Accurate matching of fault scenarios
⚫ Automatic identification of root causes
⚫ Optimal rectification suggestions
⚫ 140+ fault reasoning rules

Symptom: Client access fails at the authentication phase.
▫ The authentication mode is 802.1x authentication.
▫ The last packet for protocol interaction is EAP-Failure.
▫ The packet before the EAP-Failure packet is sent from the client to the AP.
▫ The interval between the EAP-Failure packet and the previous packet is less than 2 seconds.
Failure cause: The user name or password is incorrect or the certificate is installed incorrectly, causing the rejection by the authentication server.
Rectification suggestion: Check whether the user name and password of the client are correct and whether the certificate is installed correctly.


CampusInsight: Intelligently Analyze Individual Issues from Four Aspects

Challenges
1. Unable to analyze the phase where access failures occur
2. Unable to analyze client locations and experience
3. Unable to effectively detect application quality

Requirements
Identify network experience issues of individual clients in E2E mode and analyze the root causes of the issues.

Solution and Customer Benefits
CampusInsight analyzes individual issues encountered during network O&M from the access network, client journey, experience, and application detection dimensions, and implements protocol process analysis, visible client journey tracing, correlative analysis of poor experience, and audio and video application quality detection, helping administrators maintain networks and ensure the experience of VIP clients.

⚫ Journey Analysis: Client journey (wireless + wired networks)
⚫ Access Analysis: Protocol tracing (wireless + wired networks)
⚫ Experience Analysis: Correlative analysis of poor-experience clients (wireless networks)
⚫ Application Analysis: Application experience awareness and assurance (wireless + wired networks)


Client Journey: Real-Time Experience Visibility for Each Client at Each Moment (1)

Step 1 Experience Overview: Check the overall experience metrics.


Client Journey: Real-Time Experience Visibility for Each Client at Each Moment (2)

Step 2 Experience Trend: Check for experience trend changes or deterioration.


Client Journey: Real-Time Experience Visibility for Each Client at Each Moment (3)

Step 3 Client Journey: Check APs that connect to the network at each moment, their experience, and issues that occur.
(High packet loss rate, poor signal quality, and weak-signal coverage issue.)


Case 5: Wi-Fi User Experience Visibility (1)

Case: A VIP user reports that the Wi-Fi experience is poor. O&M personnel use the client journey function and find that the packet loss rate is high and the signal quality is poor in the cafe. In addition, the weak-signal coverage issue occurs.

1. Click Clients.
2. Enter l0***14 in the search box, and click Search.
3. Click the MAC address to go to the client journey page. (For detailed operations, see the next slide.)


• Note: The process of viewing wired user experience visibility is the same as that
of viewing wireless user experience visibility.

Case 5: Wi-Fi User Experience Visibility (2)

1. Check the experience overview and find that the average packet loss rate is high (15%) among Wi-Fi experience metrics.
2. Check the experience metric trend. The client experience deteriorates significantly after a period of connecting to the Wi-Fi, with poor signal quality (< -65 dBm) and a high packet loss rate (> 5%).


Case 5: Wi-Fi User Experience Visibility (3)

3. When the client accesses the AP N10-2F-3, the weak-signal coverage issue occurs. In this case, the signal quality is poor and the packet loss rate is high.

Use Case Benefits
Using client journey, CampusInsight focuses on the real Wi-Fi experience of clients and accurately traces the entire Wi-Fi access process of each client (regarded as a sensor). The traced information includes: client, time, location, connected AP, experience, and issue.


Protocol Tracing: Locating the Root Cause of Access Faults Within Minutes

3 simple steps to resolve connection issues:
1. Status: Check terminal connections. Check the session access result to determine whether access issues occur.
2. Interaction: Check protocol interaction. Check the association, authentication, and DHCP phases to determine the abnormal phase.
3. Root Cause: Check root causes. Check possible causes and rectification suggestions.

Step 1: Identify the access status by session.
Step 2: Display protocol interaction details between the terminals, authentication points, and authentication server, with intuitive display of abnormal phases.
Step 3: Analyze the root causes of issues based on the characteristics of protocol packets.


Case 6: Locating Wireless Access Issues (1)

Case: Clients at a site report that the Wi-Fi cannot be connected. Using protocol tracing on CampusInsight, O&M personnel detect that the DHCP address pool is full, causing the failure to assign IP addresses to mobile phones. After the available IP address range is expanded for the DHCP address pool, the fault is rectified.

1. Click Protocol Trace.
2. Click the Switch Client icon.
3. Enter l0***14 in the search box, and click Select.
4. Related data is displayed. (For detailed operations, see the next slide.)


• Note: The procedure for locating wired access problems is the same as that for
locating wireless access problems.

Case 6: Locating Wireless Access Issues (2)

1. Confirm that access failures occur. Click a session that encounters an access failure in the session list.
2. Check the client access process. It is found that the association and authentication phases are successful, but the DHCP phase is abnormal. Click DHCP to check the DHCP interaction process.
3. During the DHCP interaction, the client sends a DHCP request to the DHCP server, but the DHCP server sends back a NAK packet.
4. The most possible root cause of the fault is that the DHCP address pool does not have available IP addresses. It is recommended that the range of available IP addresses in the address pool be expanded.


• Use Case Benefits:
▫ Using protocol tracing, CampusInsight can analyze the protocol interaction details in the three phases (association, authentication, and DHCP) for a client to access the wireless network in a fine-grained manner, and provide root causes and rectification suggestions. This facilitates the resolution of connection issues.
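The rule chain on the fault reasoning slide and the DHCP NAK diagnosis of Case 6, worked as an added example (not CampusInsight code): a small rule engine finds the abnormal phase of a session trace and matches it against the two rules the text states, and a failure that matches no rule is reported as unexplained. The Packet/Session/Rule records, the phase success marker names, the rule names and the three constructed traces are assumptions.

```python
"""Rule-based access fault reasoning over a client's protocol trace (added
example, not CampusInsight code; trace format, marker names and rule names
are assumptions; the rules encode the conditions stated on the slides)."""
from typing import Callable, Dict, List, NamedTuple, Optional


class Packet(NamedTuple):
    t: float      # seconds since the session started
    phase: str    # "association" | "authentication" | "dhcp"
    src: str      # "client" | "ap" | "server"
    dst: str
    msg: str      # protocol message name, e.g. "EAP-Failure"


class Session(NamedTuple):
    auth_mode: str          # "802.1x", "portal", "mac", ...
    packets: List[Packet]   # in time order


class Rule(NamedTuple):
    name: str
    phase: str              # phase the rule applies to
    matches: Callable[[Session], bool]
    cause: str
    suggestion: str


PHASES = ("association", "authentication", "dhcp")
# Message that marks a phase as completed successfully (assumed names).
SUCCESS_MSG = {"association": "Association Response",
               "authentication": "EAP-Success", "dhcp": "DHCP ACK"}


def abnormal_phase(session: Session) -> Optional[str]:
    """First phase whose success marker never appears; None if all completed."""
    seen = {p.msg for p in session.packets}
    return next((ph for ph in PHASES if SUCCESS_MSG[ph] not in seen), None)


def eap_failure_rule(s: Session) -> bool:
    """Slide rule: 802.1X, last packet is EAP-Failure, the packet before it went
    from the client to the AP, and the two are less than 2 seconds apart."""
    auth = [p for p in s.packets if p.phase == "authentication"]
    if s.auth_mode != "802.1x" or len(auth) < 2 or auth[-1].msg != "EAP-Failure":
        return False
    prev = auth[-2]
    return prev.src == "client" and prev.dst == "ap" and auth[-1].t - prev.t < 2.0


def dhcp_nak_rule(s: Session) -> bool:
    """Case 6: the client's DHCP Request was answered with a DHCP NAK."""
    dhcp = [p for p in s.packets if p.phase == "dhcp"]
    return (len(dhcp) >= 2 and dhcp[-1].msg == "DHCP NAK"
            and dhcp[-2].msg == "DHCP Request" and dhcp[-2].src == "client")


RULES = [
    Rule("auth_eap_failure_fast", "authentication", eap_failure_rule,
         "The user name or password is incorrect or the certificate is installed "
         "incorrectly, causing the rejection by the authentication server.",
         "Check whether the user name and password of the client are correct "
         "and whether the certificate is installed correctly."),
    Rule("dhcp_nak_after_request", "dhcp", dhcp_nak_rule,
         "The DHCP address pool does not have available IP addresses.",
         "Expand the range of available IP addresses in the address pool."),
]


def diagnose(session: Session) -> Dict[str, Optional[str]]:
    """Match the abnormal phase against the rules; an unmatched failure is
    reported as unexplained rather than guessed."""
    phase = abnormal_phase(session)
    if phase is None:
        return {"result": "success", "phase": None, "rule": None,
                "cause": None, "suggestion": None}
    for rule in RULES:
        if rule.phase == phase and rule.matches(session):
            return {"result": "failure", "phase": phase, "rule": rule.name,
                    "cause": rule.cause, "suggestion": rule.suggestion}
    return {"result": "failure", "phase": phase, "rule": None,
            "cause": "No rule matched; manual analysis required",
            "suggestion": None}


# Constructed traces (not captured data); timestamps in seconds.
_ASSOC = [Packet(0.00, "association", "client", "ap", "Association Request"),
          Packet(0.01, "association", "ap", "client", "Association Response")]
_EAP = [Packet(0.05, "authentication", "ap", "client", "EAP-Request/Identity"),
        Packet(0.08, "authentication", "client", "ap", "EAP-Response/Identity"),
        Packet(0.12, "authentication", "ap", "client", "EAP-Request"),
        Packet(0.20, "authentication", "client", "ap", "EAP-Response")]
# Wrong credentials: EAP-Failure 0.1 s after the client's EAP-Response.
SESSION_BAD_CREDENTIALS = Session("802.1x", _ASSOC + _EAP + [
    Packet(0.30, "authentication", "ap", "client", "EAP-Failure")])
# Slow server: EAP-Failure only after 30 s, so the fast-failure rule must not
# fire and the failure stays unexplained by this small knowledge base.
SESSION_AUTH_TIMEOUT = Session("802.1x", _ASSOC + _EAP + [
    Packet(30.2, "authentication", "ap", "client", "EAP-Failure")])
# Pool exhausted: authentication succeeds, DHCP Request answered with NAK.
SESSION_POOL_FULL = Session("802.1x", _ASSOC + _EAP + [
    Packet(0.30, "authentication", "ap", "client", "EAP-Success"),
    Packet(0.40, "dhcp", "client", "server", "DHCP Discover"),
    Packet(0.45, "dhcp", "server", "client", "DHCP Offer"),
    Packet(0.46, "dhcp", "client", "server", "DHCP Request"),
    Packet(0.50, "dhcp", "server", "client", "DHCP NAK")])
```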

Correlation Analysis for Wi-Fi Experience Deterioration (1)

Step 1 AI Identification: Use the AI algorithm to detect outliers and identify clients with deteriorated Wi-Fi experience.
Step 2 AI Analysis: Use the correlation analysis algorithm to analyze the network metric with the highest relevance and locate the root cause.


Correlation Analysis for Wi-Fi Experience Deterioration (2)

Step 3 AI Closed-loop Management: Provide the most reasonable rectification suggestions based on Huawei's accumulated O&M expertise.


Application Analysis: Application-Based E2E Experience Awareness and Assurance

Quality awareness: every user, every moment, every application.

Real-time application quality awareness:
• Use the application identification technology to accurately identify 1000+ mainstream applications.
• Collect multi-dimensional application traffic statistics.
• Use the exclusive eMDI technology and AI algorithms to detect the quality of mainstream communication and office applications in real time and identify poor-quality of experience (QoE) applications, including:
▫ Non-encrypted RTP applications
▫ TCP applications such as live streaming
• Use iPCA 2.0 to demarcate faults for poor-QoE application flows:
▫ Air interface issues: Analyzes the correlation of air interface metrics.
▫ Wired-side issues on the campus network: Demarcates the location where packet loss occurs.
▫ Issues outside the campus network: Proves that no network issue occurs on the campus network.

Application-centric refined O&M solution


• Application analysis:
▫ Application analysis monitors network-wide applications and supports
NetStream and service awareness (SA) data sources. This module displays
overview data such as the number of applications and traffic, and sorts
applications by traffic in ascending or descending order. In wired scenarios,
SA can be configured only on access switches, and the incoming and
outgoing traffic displayed on the page is the incoming and outgoing traffic
over the data reporting devices.
• eMDI: Enhanced Media Delivery Index
• RTP: Real-time Transport Protocol
• iPCA: Packet Conservation Algorithm for Internet

Application Identification and Traffic Analysis (1)

⚫ Analyze the network-wide application traffic and the number of users based on applications.


Application Identification and Traffic Analysis (2)

⚫ Analyze the network-wide application traffic and the number of users based on applications.


Application Identification and Traffic Analysis (3)

⚫ Display the traffic usage of applications based on interfaces, devices, and hosts.
⚫ Trace back the application usage based on the client journey. (For details, see "Journey Analysis".)


Application Experience Awareness and Poor-QoE Analysis

⚫ Detect experience of mainstream communication and office applications and identify poor-QoE applications to ensure VIP user experience.
⚫ Support path analysis and fault demarcation for poor-QoE application flows.


• The application details page displays the application experience awareness and
poor-QoE analysis.
▫ The Metric Overview area displays the average packet loss rate, average
jitter, disorder rate, packet rate, and byte rate of the session.
▫ If the device role is correctly set on the resource side and LLDP is enabled,
the Analysis and Demarcation area displays the full link topology of the
session from the initiator to the responder. You can view devices such as
APs, switches, and ACs that the session passes through. When a device is
faulty, the device is marked in red and displayed as a poor-quality device.
▫ Application quality and air interface: You can click a device to view the
performance metrics of the device and its interface or air interface in the
session.

▪ The device metrics include the MOS value, packet loss rate, maximum number of consecutively lost packets, jitter, disorder rate, and deterioration time ratio.
▪ The metrics of an interface or air interface include the signal strength, channel utilization, interference rate, latency, and retransmission rate.
• MOS: Mean opinion score. It is used to measure quality of voices, especially
voices over the Internet, at the line termination.

Case 7: Application Experience Awareness and Fault Demarcation (1)

Case: O&M personnel at a site are responsible for guaranteeing important video conferences attended by Huawei executives and proactively inspect the conference application quality of the executives. If a conferencing quality issue is found, the application troubleshooting function can be used to quickly demarcate the packet loss location of application flows and rectify the issue.

1. Choose Clients.
2. In the VIP view, click the MAC address hyperlink of user d0***06.


Case 7: Application Experience Awareness and Fault Demarcation (2)

3. On the client journey page, check the experience analysis result of the Xi***an application at 7:00 AM, and find that a poor-QoE issue occurs in the receive direction of the client's application flows at that time point. Click YES and click Detail to view details about the issue.


Case 7: Application Experience Awareness and Fault Demarcation (3)

⚫ Basic application information and quality overview: View basic information about application flows, such as the 5-tuple information, and obtain the network quality overview, such as packet loss, disorder, and jitter.
⚫ Analysis and demarcation: Check the physical topology paths of application flows and actual application paths. The location where air interface quality is poor is marked using a yellow line. The issue is suspected to be on AP4.


Case 7: Application Experience Awareness and Fault Demarcation (4)

⚫ Indicator details: Click the device to view the packet loss trend of application flows on the port as well as KPIs of the port, in order to facilitate fault locating.


• Use Case Benefits:
▫ Application quality awareness and fault demarcation allow administrators to view the quality of specific application flows. If an application encounters a poor-QoE issue, the system can directly demarcate the issue. If the issue occurs inside the campus network, it can be troubleshot based on the packet loss location. If the issue occurs outside the campus network, responsibility can be clarified.

CampusInsight: Intelligent Identification of Four Types of Group Issues

Scenario and Requirements
1. In the digital era, passive O&M performed after events occur cannot ensure service experience.
2. More intelligent methods are required to automatically identify potential faults and accurately locate root causes to reduce the fault response time.

Identify potential faults: The fault response time is reduced from hours to minutes.

Connection (wireless)
⚫ Association failure
⚫ Slow association
⚫ Authentication failure
⚫ Authentication timeout
⚫ Slow authentication
⚫ DHCP connection failure
⚫ Slow DHCP connection
⚫ Client gateway unreachable

Air Interface Performance (wireless)
⚫ Weak-signal coverage
⚫ High channel utilization
⚫ High interference
⚫ Air interface congestion
⚫ Dual band capable clients prefer 2.4 GHz
⚫ Client capacity

Roaming (wireless)
⚫ Repeated roaming
⚫ Roaming exception

Device (wired)
⚫ Network status: Switch port error-down, intermittent port disconnection, etc.
⚫ Network performance: Layer 2 loop, port congestion, etc.
⚫ Device environment: Device offline, switch LPU fault, etc.
⚫ Device capacity: Abnormal switch ARP entry increasing, switch CPU threshold exceeded, etc.


CampusInsight: Intelligent Identification of Four Typical Issues (1)

Connection Issues
Description: CampusInsight quickly identifies a variety of network access issues, such as group authentication failure and slow authentication, that occur at the association, authentication, and DHCP phases. CampusInsight quickly and accurately identifies the root causes of each issue based on the fault knowledge base and provides troubleshooting suggestions accordingly.
Issues:
⚫ Authentication failure (wireless + wired networks)
⚫ Authentication timeout (wireless + wired networks)
⚫ Slow authentication (wireless + wired networks)
⚫ Association failure
⚫ Slow association
⚫ DHCP failure (wireless + wired networks)
⚫ Slow DHCP (wireless + wired networks)
⚫ Unreachable user gateway
⚫ User offline

Performance Issues
Description: CampusInsight monitors air interface performance data in real time. On the basis of real-time performance monitoring and Huawei's expertise in the WLAN field, CampusInsight intelligently identifies six classes of air interface issues that affect network access experience after users get connected to the wireless network and provides troubleshooting suggestions accordingly.
Issues:
⚫ Weak-signal coverage
⚫ High interference
⚫ High channel utilization
⚫ Air interface congestion
⚫ Dual band capable client prefers 2.4G
⚫ Client capacity


CampusInsight: Intelligent Identification of Four Typical Issues (2)

Roaming Issues
Description: CampusInsight analyzes the process when a user roams between APs to intelligently identify network access experience issues when the user moves and provides troubleshooting suggestions accordingly.
Issues:
⚫ Repeated roaming
⚫ Roaming exception

Device Issues
Description: Intelligently identifies network status, network performance, device environment, and device capacity issues and provides rectification suggestions.
Issues:
⚫ Network status: Switch interconnection port's protocol status was down, intermittent port disconnection, switch port error-down, switch physical port suspended, suspected optical link fault
⚫ Network performance: Layer 2 loop, port congestion, queue congestion, abnormal high number of error packets on the port, CPCAR packet loss
⚫ Device environment: Management channel interruption, device offline, repeated device restarts, switch LPU fault, switch SFU fault, switch MPU fault, etc.
⚫ Device capacity: Abnormal switch ARP entry increasing, abnormal switch MAC entry increasing, abnormal switch FIB4 entry increasing, switch CPU threshold exceeded, etc.


Connection Issue Analysis (1)

Key Technologies
• Exception detection: Detection of network access exceptions.
▫ Normal connection failure (no fault, as shown by section A in the figure): The wireless network access failure persists, but the failure is not caused by a network fault.
▫ Noise reduction for abnormal terminals (as shown by section B in the figure): Exclude impacts of individual terminal factors. The access failure rate increases due to faulty terminals. Although the access failure rate already exceeds the threshold, this does not indicate that a network fault occurs.
▫ Intelligent fault identification (as shown by section C in the figure): Intelligently identify group issues with large impact scopes (issues with a large number of failed clients and a large failure rate).

[Figure: access failure rate and number of clients plotted against the time axis. Section A: the wireless network access failure persists. Section B: exclude impacts of individual terminal factors. Section C: a large number of access failures. Green curve: number of users; blue curve: access failure rate; gray shadow: failure rate baseline.]


Connection Issue Analysis (2)

Key Technologies
• Pattern identification: Causes may be different for issues with the same symptom. Through identifying patterns, CampusInsight can locate possible causes. In addition, CampusInsight abstracts features of clients with access failures and performs group analysis using aggregation algorithms.
• Root cause analysis: Analyze possible root causes based on client online logs and provide rectification suggestions, helping O&M personnel resolve issues.

[Figure: fault mode; root cause analysis and rectification suggestions]


Case 8: Connection Issue Analysis (1)

Case: At noon of a day, O&M personnel at a site received a complaint from the customer that mobile phones failed to access the network during working hours in the morning. The IT personnel found that the RADIUS server had poor performance and could not process a large number of authentication requests in peak hours. As a result, the authentication failed. The fault was rectified after the legacy RADIUS server was replaced with a server with higher performance.

1. Click Issue Analysis.
2. Click the connection issue tab and click Timed Out Authentication. The page of authentication failure issues is displayed.
3. Click Statistics and view the statistical analysis chart "Number of Clients & Authentication Failure Ratio". (For the analysis details, see the next slide.)


Case 8: Connection Issue Analysis (2)

3. (Following step 3 in the previous slide) Click Statistics and view the statistical chart "Number of Clients & Authentication Failure Ratio".
4. Under Original Issue List, click the issue-specific hyperlink to navigate to the issue details page.


• The statistics of the "Number of Clients & Authentication Failure Ratio" chart:
▫ Noise reduction for abnormal terminals: The authentication failure rate increases sharply in some time periods. The analysis result shows that the abnormal terminals initiate a large number of authentication requests, and the failure rate is 100%. This issue is not caused by network faults, and the noise data needs to be removed. (The client revisit shows that these clients are new employees whose terminals do not have the Huawei Wi-Fi certificate installed, so frequent re-authentication causes a large number of failure events.)
▫ Intelligent identification of issues with a large number of failed clients and a large failure rate: When the number of wireless access users increases sharply at 6:00 a.m., the authentication failure rate reaches 30%. (The RADIUS server cannot respond to authentication requests in a timely manner due to its limited performance.) This is a typical issue with a large number of failed clients and a large failure rate, indicating that a group fault occurs.
▫ Connection failure but not a fault: Due to the instability of wireless client access (for example, when a client moves or passes through a coverage hole), user authentication failures persist in each time segment but do not affect user experience. The fault is rectified after the user automatically accesses the network again.
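The three-section analysis on the Connection Issue Analysis slide, with the 100% and 30% figures from Case 8, as an added example (not CampusInsight's algorithm): abnormal terminals are removed first, then each time bucket's client count and failure rate are compared against a median baseline, so the retrying certificate-less terminal is no longer a false alarm while the 06:00 RADIUS overload is flagged. The record format, thresholds, baseline method and all client data are constructed assumptions.

```python
"""Group connection-issue detection with noise reduction (added example, not
CampusInsight code; record format, thresholds and the baseline method are
assumptions that mirror sections A, B and C of the slide)."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Set, Tuple


class Attempt(NamedTuple):
    bucket: str   # time bucket label, e.g. "06:00"
    client: str   # client MAC address (constructed)
    ok: bool      # True if the access attempt succeeded


def abnormal_terminals(records: List[Attempt], min_attempts: int = 5) -> Set[str]:
    """Section B: a terminal that retries many times and fails every time is
    client-side noise (e.g. no certificate installed), not a network fault."""
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # [attempts, failures]
    for r in records:
        stats[r.client][0] += 1
        stats[r.client][1] += 0 if r.ok else 1
    return {c for c, (n, f) in stats.items() if n >= min_attempts and f == n}


def bucket_stats(records: List[Attempt],
                 exclude: Set[str]) -> Dict[str, Tuple[int, float]]:
    """Per bucket, in time order: (number of distinct clients, failure rate)."""
    per: Dict[str, list] = defaultdict(lambda: [set(), 0, 0])
    for r in records:
        if r.client in exclude:
            continue
        slot = per[r.bucket]
        slot[0].add(r.client)
        slot[1] += 1
        slot[2] += 0 if r.ok else 1
    return {b: (len(v[0]), v[2] / v[1]) for b, v in sorted(per.items())}


def group_issues(records: List[Attempt], noise_reduction: bool = True,
                 min_clients: int = 50, min_rate: float = 0.2,
                 baseline_factor: float = 3.0) -> Dict:
    """Section C: flag buckets with many clients AND a failure rate far above
    the baseline (median rate over all buckets, the gray shadow on the slide).
    Section A, a small failure rate present in every bucket, never clears
    min_rate, so it is reported as normal."""
    noise = abnormal_terminals(records) if noise_reduction else set()
    stats = bucket_stats(records, noise)
    baseline = median(rate for _, rate in stats.values())
    flagged = [b for b, (n, rate) in stats.items()
               if n >= min_clients and rate >= min_rate
               and rate > baseline_factor * baseline]
    return {"noise_terminals": noise, "baseline": baseline,
            "buckets": stats, "group_issues": flagged}


def _bucket(label: str, n_ok: int, n_fail: int) -> List[Attempt]:
    """Constructed data: n_ok distinct clients succeed, n_fail others fail once."""
    return [Attempt(label, f"02:00:{label}:00:{i:02x}", i < n_ok)
            for i in range(n_ok + n_fail)]


# Constructed morning data: a few scattered failures in every bucket (section A),
# one terminal without the Wi-Fi certificate retrying 20 times at 05:45 and
# failing 100% (section B), and a RADIUS overload at 06:00 where 36 of 120
# clients, 30%, fail (section C).
SAMPLE = (_bucket("05:30", 39, 1) + _bucket("05:45", 58, 2)
          + [Attempt("05:45", "02:00:ff:ff:ff:ff", False)] * 20
          + _bucket("06:00", 84, 36) + _bucket("06:15", 107, 3)
          + _bucket("06:30", 97, 3))
```

Running group_issues(SAMPLE, noise_reduction=False) also flags 05:45, showing why section B comes before section C.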

Case 8: Connection Issue Analysis (3)

5. View the failure event and possible cause.
Failure cause: The response from the RADIUS server times out.
Possible cause provided by the analyzer: The server is abnormal or the connection between the access controller and server is abnormal. You are advised to log in to the authentication server for further check.


• Use Case Benefits:
▫ Due to factors such as signal coverage, obstacles in physical environments, and radio interference, user access failures persist on the wireless network. CampusInsight analyzes client access data to identify abnormal clients and eliminate invalid failure events. In addition, CampusInsight uses the machine learning algorithm to intelligently identify issues with a large number of failed clients and a large failure rate, accurately identify group connection faults on the network in a timely manner, and provide proper rectification suggestions based on expert experience.

Weak-Signal Coverage Issue Analysis

Step 1 Issue Identification: Intelligent identification of weak-signal coverage issues
Step 2 Issue Analysis: Extensive information for issue analysis (remote clients are associated with high-power radio)
Step 3 Cause Locating: Troubleshooting based on suggestions

Intelligently identify and remotely cope with weak-signal coverage issues


Case 9: Weak-Signal Coverage Issue Analysis (1)

Case: On CampusInsight, O&M personnel at a site detect multiple weak-signal coverage issues. The issue details show that many remote clients are associated with this high-power radio and therefore most clients have a low RSSI. O&M personnel perform troubleshooting based on the rectification suggestions. The fault is rectified.

1. Click Issue Analysis.
2. Click the air interface issue tab and click Weak-Signal Coverage. The page of weak-signal coverage issues is displayed.
3. Click Original Issue List. In the issue list, click the first issue. The issue details page is displayed. (For detailed operations, see the next slide.)


Case 9: Weak-Signal Coverage Issue Analysis (2)

1. The N10-2F-3 AP encounters the weak-signal coverage issue. Check the RSSI distribution of clients under the AP. It is found that the RSSI of more than 80% of clients is abnormal (< –65 dBm) during the period of the issue. (According to Huawei's accumulated IT O&M expertise, user experience will be affected if the RSSI is lower than –65 dBm.)
2. Check the radio power of the AP. It is found that the 5G radio power of the AP is set to 30 during the period of the issue. (According to Huawei's accumulated IT O&M expertise, the 5G radio power is generally set to 13.) If the power is too high, remote clients will be associated with the AP, causing the weak-signal coverage issue.
3. CampusInsight provides the possible cause of the issue (high radio power of the AP) and suggestions (reducing the radio power).


• Use Case Benefits:
▫ Weak-signal coverage issues easily occur on Wi-Fi networks due to improper network planning and configuration. Such issues lead to poor RSSI of clients and deteriorate Wi-Fi experience. Using weak-signal coverage issue analysis, CampusInsight can automatically identify weak-signal coverage issues, analyze data such as the RSSI and radio power, and provide possible causes and rectification suggestions.

High Interference Issue Analysis (1)

Step 1 Intelligent Identification: Proactively identify high interference issues on the network.
Step 2 Correlation Analysis: Correlation analysis on metrics related to high interference issues. Find the neighboring AP with the highest relevance based on the correlation algorithm (co-channel interference caused by the neighboring AP).


High Interference Issue Analysis (2)

Step 3 Fault Diagnosis: Locate the root cause and rectify the fault based on possible causes and rectification suggestions.

Passive O&M is changed to proactive O&M.


Case 10: High Interference Issue Analysis (1)

Case: On CampusInsight, O&M personnel at a site detect a co-channel interference issue caused by the neighboring AP through correlation analysis. Then they perform troubleshooting based on the rectification suggestions. The fault is rectified.

1. Click Issue Analysis.
2. Click the air interface issue tab and click High Interference. The page of high interference issues is displayed.
3. Click Original Issue List. In the issue list, click the first issue. The issue details page is displayed. (For detailed operations, see the next slide.)


Case 10: High Interference Issue Analysis (2)

1. The N5-2F-1 AP encounters the high interference issue. The interference rate of an AP is closely related to the channel utilization and RSSI of the neighboring AP that causes interference to the AP. CampusInsight uses the correlation analysis algorithm to automatically identify the neighboring AP (N5-2F-3) that causes interference to the AP.


Case 10: High Interference Issue Analysis (3)

2. According to the analysis of the interference rate, the neighboring AP N5-2F-3 is configured with the same channel (channel 1), causing interference to N5-2F-1.
3. CampusInsight provides the possible cause (co-channel interference by neighboring AP N5-2F-3) and suggestions (radio calibration).


• Use Case Benefits:


▫ High interference issues are common on Wi-Fi networks. They increase network delay and congest network access, so the user experience on the Wi-Fi network deteriorates. Using correlation analysis and big data analytics, CampusInsight detects high interference issues on the network, finds the most probable cause, and provides rectification suggestions.
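The neighbor correlation used in this case, written out as an added example (this is not CampusInsight code and not the vendor's algorithm): a neighboring AP is a candidate interferer only if its channel overlaps the victim's, and candidates are ranked by a hypothetical score that weights the neighbor's channel utilization by how loudly the victim AP hears it. The AP names reuse those from the case; the scan table, the noise floor and the weighting are constructed assumptions.

```python
"""Co-channel neighbour ranking for a high-interference AP (added example;
not CampusInsight code). A neighbour is a candidate interferer only if its
channel overlaps the victim's; the score weights the neighbour's channel
utilisation by how loudly the victim hears it. The weighting is a
hypothetical heuristic, and the scan table below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Neighbor:
    name: str
    channel: int     # 2.4 GHz channel number
    rssi_dbm: int    # RSSI at which the victim AP hears this neighbour
    util_pct: float  # neighbour's channel utilisation in percent


def channels_overlap(a: int, b: int) -> bool:
    """2.4 GHz channels are 5 MHz apart and about 20 MHz wide, so two
    channels overlap unless they are at least 5 numbers apart (1/6/11 are clean)."""
    return abs(a - b) < 5


def interference_score(n: Neighbor, floor_dbm: int = -85) -> float:
    """Assumed heuristic: audibility above the noise floor (0 when the
    neighbour is too faint to matter) scaled by its airtime utilisation."""
    audibility = max(0, n.rssi_dbm - floor_dbm)
    return audibility * n.util_pct / 100.0


def rank_interferers(victim_channel: int, neighbors):
    """Neighbours on overlapping channels with a non-zero score,
    strongest contributor first, as (name, score) pairs."""
    hits = [(interference_score(n), n) for n in neighbors
            if channels_overlap(victim_channel, n.channel)]
    hits.sort(key=lambda t: t[0], reverse=True)
    return [(n.name, round(s, 1)) for s, n in hits if s > 0]


# Constructed scan table seen by victim AP N5-2F-1, which is on channel 1.
NEIGHBORS = [
    Neighbor("N5-2F-3", 1, -48, 70.0),   # same channel, loud and busy
    Neighbor("N5-2F-2", 6, -45, 80.0),   # busy, but on a non-overlapping channel
    Neighbor("N5-2F-7", 1, -89, 90.0),   # same channel, but below the floor
    Neighbor("N5-1F-4", 3, -60, 40.0),   # partially overlapping channel
]

if __name__ == "__main__":
    for name, score in rank_interferers(1, NEIGHBORS):
        print(f"{name}: {score}")
```

With this table N5-2F-3 comes out on top, which is the conclusion the case reaches; the busy AP on channel 6 is ignored entirely, and the co-channel AP below the floor contributes nothing, which is why a simple "same channel" check is not enough on its own.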

Layer 2 Loop Issue

• Monitors KPIs and exception logs of all ports based on the Telemetry + Syslog mechanism, identifies Layer 2 loop
ports, and quickly locates them.
• Displays the list and locations of loop ports.
• Works together with the controller to eradicate loops.


• Key Technologies:
▫ To improve reliability, redundant devices and links are usually deployed on an Ethernet switching network. After a network adjustment, configuration change, upgrade, or cutover, data or protocol packets may be forwarded in a ring, which creates a Layer 2 loop.

▫ Topology-based loop path display: restores the loop path of a Layer 2 loop based on the switch neighbor relationship.

Case 11: Layer 2 Loop Issue Analysis (1)


Case: On a campus network, the traffic on a device port surged and the port load rose rapidly. Services on the port were interrupted, so the fault had to be located and rectified as soon as possible.
An O&M engineer used CampusInsight to rapidly locate the fault and found that a Layer 2 loop had occurred on the port. Services were quickly restored after the port was isolated.

1. Choose Health > Pending Issues. The list of existing issues is displayed and shows that a Layer 2 loop occurred. Expand the entry to view further details.
 Issue details: the ports where the loop occurred, the loop occurrence time, and the issue status.
 Topology restoration: information about the ports where the loop occurred, with the devices and ports affected by the loop restored on the topology.


Case 11: Layer 2 Loop Issue Analysis (2)


2. (Continued from step 1) Impact analysis: a broadcast packet surge caused by the loop is detected, which severely affects services.


• Use Case Benefits:


▫ The Layer 2 loop issue function of CampusInsight proactively detects Layer
2 loops on the network, restores the loop topology based on switch link
information, and locates the loop location.
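The two mechanisms the Layer 2 loop function combines, Telemetry KPIs plus syslog for identifying loop ports and the switch neighbor relationship for restoring the loop path, as an added example that is not CampusInsight code. Broadcast packet rates stand in for the port KPIs, the log lines use a made-up "LOOP-DETECT" format, and the neighbor table is LLDP-style; thresholds, device names and counters are constructed.

```python
"""Layer 2 loop port identification and loop path restoration (added example;
not CampusInsight code). Telemetry KPIs are stood in for by per-port
broadcast-packet rates, syslog by lines in a made-up format, and the switch
neighbour relationship by an LLDP-style link table. Thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed broadcast packet rates (pps) per (device, port): learned baseline
# versus the current sample. Edge-1/2/3 are cabled in a triangle; GE0/0/24 on
# Edge-3 is the uplink to Core-1 and GE0/0/3 on Edge-1 is an access port.
BASELINE = {
    ("Edge-1", "GE0/0/1"): 20, ("Edge-1", "GE0/0/2"): 15, ("Edge-1", "GE0/0/3"): 30,
    ("Edge-2", "GE0/0/1"): 18, ("Edge-2", "GE0/0/2"): 25,
    ("Edge-3", "GE0/0/1"): 22, ("Edge-3", "GE0/0/2"): 12, ("Edge-3", "GE0/0/24"): 60,
}
CURRENT = {
    ("Edge-1", "GE0/0/1"): 90000, ("Edge-1", "GE0/0/2"): 88500, ("Edge-1", "GE0/0/3"): 35,
    ("Edge-2", "GE0/0/1"): 88000, ("Edge-2", "GE0/0/2"): 91000,
    ("Edge-3", "GE0/0/1"): 87000, ("Edge-3", "GE0/0/2"): 89000, ("Edge-3", "GE0/0/24"): 400,
}
# Constructed syslog lines; the "LOOP-DETECT" format is made up for this example.
SYSLOG = [
    "Edge-2 LOOP-DETECT: loop detected on GE0/0/2 vlan 10",
    "Edge-1 LINK: interface GE0/0/3 up",
]
# Constructed LLDP-style neighbour table: one entry per physical link.
LLDP = [
    (("Edge-1", "GE0/0/1"), ("Edge-2", "GE0/0/1")),
    (("Edge-2", "GE0/0/2"), ("Edge-3", "GE0/0/1")),
    (("Edge-3", "GE0/0/2"), ("Edge-1", "GE0/0/2")),
    (("Edge-3", "GE0/0/24"), ("Core-1", "GE1/0/3")),
]
LOOP_RE = re.compile(r"^(\S+) LOOP-DETECT: loop detected on (\S+)")


def flag_loop_ports(baseline, current, syslog, ratio=50, min_pps=10000):
    """Ports whose broadcast rate surged far above baseline (KPI path) plus
    any port named by a loop-detection log line (syslog path)."""
    flagged = {k for k, pps in current.items()
               if pps >= min_pps and pps >= ratio * max(baseline.get(k, 1), 1)}
    for line in syslog:
        m = LOOP_RE.match(line)
        if m:
            flagged.add((m.group(1), m.group(2)))
    return flagged


def restore_loop_path(flagged, lldp):
    """Keep only links with both ends flagged, then depth-first search the
    device graph for a cycle. Returns the links on the cycle in walking
    order, or [] if the flagged ports do not close a ring."""
    adj = defaultdict(list)  # device -> [(neighbour device, link)]
    for a, b in lldp:
        if a in flagged and b in flagged:
            adj[a[0]].append((b[0], (a, b)))
            adj[b[0]].append((a[0], (a, b)))

    def dfs(node, came_by, path, on_path):
        # on_path[d] = index in `path` of the first link taken after device d
        for nxt, link in adj[node]:
            if link == came_by:        # do not walk straight back over the same link
                continue
            if nxt in on_path:         # ring closed: links after nxt, plus this one
                return path[on_path[nxt]:] + [link]
            on_path[nxt] = len(path) + 1
            found = dfs(nxt, link, path + [link], on_path)
            if found:
                return found
            del on_path[nxt]
        return None

    for start in list(adj):
        cycle = dfs(start, None, [], {start: 0})
        if cycle:
            return cycle
    return []


if __name__ == "__main__":
    ports = flag_loop_ports(BASELINE, CURRENT, SYSLOG)
    for a, b in restore_loop_path(ports, LLDP):
        print(f"{a[0]} {a[1]} <-> {b[0]} {b[1]}")
```

The uplink to Core-1 also carries more broadcast traffic than usual, but far less than the ring ports, so it is not flagged and the restored path is exactly the three inter-switch links; if only one link had both ends flagged, the function would report no ring rather than guess.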

Port Packet Error Issue


⚫ Service impact: Service packets will be directly discarded on a port with error packets, leading to slow file
downloads, multicast artifacts, or voice blurring.
⚫ Issue Identification:
 Outlier detection algorithm: Compares with other ports to identify exceptions in the space dimension.
 Time series anomaly detection algorithm: Compares with the port itself to identify exceptions in the time dimension.

(Figures: outlier detection; time series anomaly detection)

• Issue Identification:
▫ Outlier detection algorithm, typical scenario: the negotiated rate supported by a terminal differs from that supported by the switch port connected to the terminal. As a result, the bit error rate of the port is significantly higher than that of other switch ports.
▫ Time series anomaly detection algorithm, typical scenario: aged physical components such as Ethernet cables and RJ45 connectors cause the bit error rate to increase gradually and continuously over a long period of time.

• Root cause analysis:
1. Check whether the error packets are caused by inconsistent configurations (such as the negotiated rate) at the two ends of a link.
2. Guide customers to test the port cables to determine whether the error packets are caused by cable aging or internal crosstalk.

Case 12: Port Packet Error Issue Analysis (1)


Case: Jack is an O&M engineer in a company. This morning he viewed the health topology of the Shenzhen area building on CampusInsight and discovered that error packets had been detected on the network. Jack visited his colleague Sam, who accessed the network through the faulty port. According to Sam, video playback froze, which affected routine office work.
Using CampusInsight, Jack rapidly located the fault and confirmed that continuous error packets occurred on the faulty port because the Ethernet cable connected to it had aged. The fault was rectified and services were restored after the Ethernet cable was replaced.

1. Choose Service Topology.
2. Error packets are detected on the Shenzhen network. Click the issue directly to bring up further details.


Case 12: Port Packet Error Issue Analysis (2)


3. Click Issue Analysis and then expand the displayed page to view details about Port error packets exceeding threshold.
 Skewness analysis: according to historical big data analysis and the skewness algorithm, the number of error packets on the faulty port is significantly greater than on other ports, indicating that the port is faulty.
 Exception identification: the number of error packets on the port is checked and found to be persistent in every period.


Case 12: Port Packet Error Issue Analysis (3)


3. Click Issue Analysis and then expand the displayed page to view details about Port error packets exceeding threshold. (Continued)
 Root cause analysis: the troubleshooting suggestion is to run the virtual-cable-test command on the device to test the Ethernet cable. Crosstalk is found, and the issue is rectified after the Ethernet cable is replaced.


• Use Case Benefits:


▫ CampusInsight continuously monitors the number of error packets on ports,
detects any substantial increase in error packets based on the dynamic
baseline, and automatically generates corresponding issues. This approach
accurately identifies error packet issues on the network in a timely manner,
and provides expert suggestions.
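The two detectors described for the port packet error issue, one comparing a port with its peers (space dimension) and one comparing a port with its own history (time dimension), as an added example that is not CampusInsight code. The peer comparison is a median/MAD robust z-score and the history comparison is a learned baseline with a persistence rule; thresholds and the sample counters are assumptions, and the "skewness" and "dynamic baseline" terms on the page are not claimed to map to these exact formulas.

```python
"""Port error-packet anomaly detection in the space and time dimensions
(added example; not CampusInsight code). The space-dimension detector is a
median/MAD robust z-score across peer ports; the time-dimension detector is
a baseline learned from the port's own history with a persistence rule.
Thresholds and the sample counters are assumptions."""
import statistics


def peer_outliers(errors_by_port, threshold=3.5):
    """Space dimension: compare each port with its peers in the same
    sampling period. Median and median absolute deviation (MAD) are used so
    that a single bad port cannot inflate the baseline it is judged against.
    Returns {port: robust z-score} for ports above `threshold`."""
    values = list(errors_by_port.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    scores = {p: 0.6745 * (v - med) / mad for p, v in errors_by_port.items()}
    return {p: round(s, 2) for p, s in scores.items() if s > threshold}


def persistent_breaches(series, learn=6, k=3.0, min_run=3):
    """Time dimension: compare a port with its own history. The first `learn`
    samples set the limit mean + k*stdev (stdev floored at 1 so a dead-quiet
    port still needs a real jump). An index is reported only once the limit
    has been exceeded for `min_run` consecutive periods: a wearing cable keeps
    breaching, a single noisy interval does not."""
    hist = series[:learn]
    limit = statistics.fmean(hist) + k * max(statistics.pstdev(hist), 1.0)
    flagged, run = [], 0
    for i, v in enumerate(series[learn:], start=learn):
        run = run + 1 if v > limit else 0
        if run >= min_run:
            flagged.append(i)
    return flagged


# Constructed error-packet counts per port for one period on one switch.
ERRORS_BY_PORT = {
    "GE0/0/1": 3, "GE0/0/2": 5, "GE0/0/3": 2, "GE0/0/4": 4,
    "GE0/0/5": 6, "GE0/0/6": 3, "GE0/0/7": 4, "GE0/0/12": 812,  # rate mismatch
}
# Constructed per-period counts for one port over 12 periods.
WEARING_CABLE = [2, 3, 2, 4, 3, 2, 40, 55, 70, 90, 120, 150]   # keeps rising
ONE_NOISY_PERIOD = [2, 3, 2, 4, 3, 2, 30, 2, 3, 2, 4, 3]        # single blip

if __name__ == "__main__":
    print("peer outliers:", peer_outliers(ERRORS_BY_PORT))
    print("wearing cable breaches at:", persistent_breaches(WEARING_CABLE))
    print("noisy period breaches at:", persistent_breaches(ONE_NOISY_PERIOD))
```

The persistence rule is what separates the aged-cable scenario from a one-off burst: the rising series is reported from the third consecutive breach onward, while the single noisy period is never reported. A mean/standard-deviation z-score instead of median/MAD would let the one port with 812 errors drag the peer baseline up and hide a second, milder outlier.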

Frequent Port Up/Down Issue


⚫ Service impact: A device port frequently alternates between Up and Down states. As a result, the port is
physically disconnected, interrupting services.
⚫ Issue identification: Monitor the Up and Down events of each port. If a port frequently alternates
between Up and Down states in a short period of time, an exception occurs.
⚫ Root cause analysis:
 Correlation analysis: Check whether the port status changes after/upon port negotiation to determine whether
the port frequently alternates between Up and Down states due to inconsistent duplex modes and speeds
negotiated between the local and peer ports.
 Port cable test: Guide customers to test port cables in order to figure out whether the port repeatedly
negotiates with the peer port due to damaged internal wires of the cable's RJ45 connector.


Case 13: Frequent Port Up/Down Issue (1)


Case: George is a company employee. He turned on his laptop to work and found that the laptop frequently disconnected from the network.
He contacted an O&M engineer who used CampusInsight to rapidly locate the fault, and discovered that the wired port that was connecting George to the
network frequently alternated between Up and Down states. A further check indicated that the internal wires of the Ethernet cable's RJ45 connector were
damaged, and this was rectified after the Ethernet cable was replaced.

1. Choose Health > Pending Issues.

2. On the Pending Issues page, a port on device Edge-1 frequently alternates between Up and Down states.


Case 13: Frequent Port Up/Down Issue (2)


3. Click the Port alternates between Up and Down states issue to expand the issue details.

Issue analysis: According to the statistics on port Down events, the port frequently alternates between Up and Down
states and this symptom persists for a long period of time.


Case 13: Frequent Port Up/Down Issue (3)


3. Click the Port alternates between Up and Down states issue to expand the issue details. (Continued)

Test output of the faulty Ethernet cable


• Root cause analysis:


▫ When the port alternates between Up and Down states, its negotiated rate changes multiple times. The port therefore repeatedly performs rate negotiation, causing intermittent disconnection.
▫ The troubleshooting suggestion is to run the virtual-cable-test command to check the Ethernet cable connected to the port. The command output shows that only 4 wires in 2 pairs are connected (a typical Ethernet cable has 8 wires in 4 pairs), so the port rate keeps changing and the connection is intermittent. A further check shows that the RJ45 connector of the Ethernet cable is faulty. The fault is rectified after the RJ45 connector is remade.

• Use Case Benefits:


▫ CampusInsight continuously monitors the Down event of each port and can
accurately detect any intermittent port disconnection on the network in a
timely manner, providing expert suggestions.
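The issue identification and correlation analysis described for the frequent port Up/Down issue, as an added example that is not CampusInsight code: Down events per port are counted in a sliding window, and for a flapping port each Down event is checked against a preceding negotiated-rate change, which is the correlation the root cause analysis calls for. The log lines use a constructed format ("<date> <time> <device> <port> DOWN|UP|SPEED [<rate>]"), and the window, event threshold and linking interval are assumptions.

```python
"""Frequent port Up/Down detection with negotiation correlation (added
example; not CampusInsight code). Log lines use a constructed format
"<date> <time> <device> <port> DOWN|UP|SPEED [<rate>]"; the window, the
event threshold and the rule linking a Down event to a preceding
negotiated-rate change are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (DOWN|UP|SPEED)(?: (\S+))?$")

# Constructed log lines. GE0/0/7 bounces every time its negotiated rate
# changes; GE0/0/8 is a single maintenance bounce and must not be flagged.
LOGS = [
    "2021-06-01 09:00:02 Edge-1 GE0/0/7 SPEED 100M",
    "2021-06-01 09:00:05 Edge-1 GE0/0/7 DOWN",
    "2021-06-01 09:00:09 Edge-1 GE0/0/7 UP",
    "2021-06-01 09:01:10 Edge-1 GE0/0/7 SPEED 1000M",
    "2021-06-01 09:01:12 Edge-1 GE0/0/7 DOWN",
    "2021-06-01 09:01:18 Edge-1 GE0/0/7 UP",
    "2021-06-01 09:02:30 Edge-1 GE0/0/7 SPEED 100M",
    "2021-06-01 09:02:33 Edge-1 GE0/0/7 DOWN",
    "2021-06-01 09:02:40 Edge-1 GE0/0/7 UP",
    "2021-06-01 09:03:50 Edge-1 GE0/0/7 DOWN",
    "2021-06-01 09:03:55 Edge-1 GE0/0/7 UP",
    "2021-06-01 09:10:00 Edge-1 GE0/0/8 DOWN",
    "2021-06-01 09:10:04 Edge-1 GE0/0/8 UP",
]


def parse_events(lines):
    """(timestamp, (device, port), kind, rate-or-None), oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, (m.group(2), m.group(3)), m.group(4), m.group(5)))
    return sorted(events)


def detect_flapping(lines, window=timedelta(minutes=5), max_downs=3, link_secs=5):
    """A port flaps when more than `max_downs` Down events fall inside any
    `window`. For each flapping port, count Down events within `link_secs`
    after a SPEED change: if most are, the port is re-negotiating its rate
    (check speed/duplex at both ends, then the cable); otherwise go straight
    to a cable test."""
    downs, speeds = defaultdict(list), defaultdict(list)
    for ts, port, kind, _ in parse_events(lines):
        if kind == "DOWN":
            downs[port].append(ts)
        elif kind == "SPEED":
            speeds[port].append(ts)
    result = {}
    for port, times in downs.items():
        recent = deque()
        for t in times:                      # sliding window over Down events
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) > max_downs:
                break
        else:
            continue                         # window never filled: not flapping
        linked = sum(1 for t in times
                     if any(0 <= (t - s).total_seconds() <= link_secs
                            for s in speeds[port]))
        cause = ("rate renegotiation: check speed/duplex at both ends, then the cable"
                 if 2 * linked >= len(times) else "no negotiation change: test the cable")
        result[port] = {"downs": len(times), "after_speed_change": linked,
                        "likely_cause": cause}
    return result


if __name__ == "__main__":
    for port, info in detect_flapping(LOGS).items():
        print(port, info)
```

Three of the four Down events on GE0/0/7 follow a SPEED line within a few seconds, so the port is reported as renegotiating its rate, which matches the two-pair cable finding in this case: a link that can only negotiate 100 Mbit/s on four wires keeps re-negotiating and dropping.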
Contents

1. CampusInsight Overview

2. CampusInsight Functions and Demonstration


▫ Telemetry
▫ Visibility
▫ Analysis
◼ Optimization

▫ Assurance

AI-powered Intelligent Radio Calibration Improves Network-wide Performance

Scenario 1: manual calibration. About 20% of customers choose to plan channels manually and may face the following challenges:
 Channels planned in manual mode are not the optimal ones.
 Real-time network awareness is not supported.
 The network environment is complex and interference changes rapidly.

Scenario 2: automatic calibration. About 80% of customers choose automatic calibration and may face the following challenges:
 Load balancing is not considered during load sharing calibration.
 Only the current network status can be detected.
 Historical loads and interference cannot be detected.

Real-time simulation feedback: provides prediction and simulation tools based on real-time feedback of environment changes to drive network optimization.
Predictive calibration: provides service weight balancing and optimization based on big data analytics and AI.

• Simulation feedback: CampusInsight evaluates the radio score and the number of
APs waiting for calibration based on the radio and neighbor information of APs,
displays the calibration simulation effect through the AI algorithm, and provides
channel adjustment suggestions. The APs with this function must be deployed on
the floor.

• Intelligent radio calibration: Historical big data is analyzed using the AI algorithm.
Network devices periodically request big data and the analytics results based on
the calibration policy to implement intelligent radio calibration.
Scenario 1: Providing Optimal Channel Planning Suggestions
Based on Neural Network Simulation Feedback (1)

Problem: An IT engineer optimizes the network in the area where a fault is reported, but faults are then reported in the surrounding areas. The optimization is repeated several times over several days, yet the result is unsatisfactory and network stability becomes worse.
Challenge: Optimization is based on expert experience and requires high professional skills; the analysis workload is heavy; in manual mode the wireless network is not planned from the entire-network perspective.
Scenario 1: Providing Optimal Channel Planning Suggestions Based on Neural Network Simulation Feedback (2)

Technical root cause: Interference between APs is caused by improper channel planning, for example two APs using channel 1 that are too close to each other and therefore interfere with each other. The impact of inter-AP interference, surrounding interference, and distance must be fully considered during AP configuration. In most cases, optimization can only ensure that the local network is in its optimal state; a comprehensive network-wide evaluation cannot be provided.

Wireless network simulation feedback solution: Real-time data (configuration, signal, and neighbor information) is input to the AI model. Neural network reasoning outputs a channel configuration recommendation with a quality score by probability (the optimized benefit forecast), and reinforcement learning iterates toward the optimal benefit. Expected result: network-wide optimal reasoning that properly allocates air interface resources, plus a simulation capability (customers evaluate the simulation result based on network scores and decide whether to deliver it).
Scenario 2: AI-Powered Predictive Calibration
Challenge: How can spectrum resources be used efficiently based on AP load data? On a wireless network, APs are busy to different extents. How can the load trend of each AP be predicted accurately so that differentiated predictive calibration is performed on the entire network?

Solution: Multiple prediction models are integrated to accurately predict AP loads and implement differentiated radio calibration.
 Load trend: historical data of the past 7 days is used for baseline training and load prediction.
 Optimization time: traditional calibration is based on historical data (yesterday); AI-powered predictive calibration is based on predicted values ("tomorrow").
 Differentiated radio calibration: APs with heavy loads preferentially select clean channels. CampusInsight reports the data and the AI-powered algorithm guides device optimization.
Case 14: AI-Powered Predictive Calibration (1)
Case: The wireless network office area of a company was upgraded and reconstructed, and employees were temporarily moved to building C4 for centralized office work. The number of employees in building C4 increased, and so did the network load. Employees complained that the wireless network response was getting slower. Using intelligent radio calibration, CampusInsight automatically identified the high-load areas in building C4 and adjusted the APs' channel bandwidth accordingly, improving client bandwidth and network experience.

1. Choose Intelligent Radio Calibration and Big Data Calibration.
2. Enable intelligent radio calibration. You are advised to enable this function in advance to improve the data training accuracy.

Case 14: AI-Powered Predictive Calibration (2)
3. Click Next. On the Load Optimization page, many high-load APs are identified by 4C-3F.

Case 14: AI-Powered Predictive Calibration (3)
4. On the second day after big data calibration is enabled, the bandwidth of the APs on the third floor of building C4 is
increased to 252 Mbps (by 50%) and the average channel utilization is reduced to 4% (by 50%).

Case 14: AI-Powered Predictive Calibration (4)
5. Check the calibration details. The 5 GHz channel bandwidth of the high-load APs on the third floor of building C4 is changed from 20 MHz to 40 MHz. The Internet access experience is improved and no frame freezing occurs.
Note: When the channel bandwidth of the APs increases, the bandwidth available to clients also increases.

• Use Case Benefits:


▫ Using intelligent radio calibration, CampusInsight continuously collects
massive data of real clients, identifies high-load APs and edge APs through
AI algorithms, and provides decision-making data for differentiated system
optimization, enabling the network to follow clients.
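The predictive calibration described in Scenario 2 and exercised in Case 14, as an added example that is not CampusInsight code: the load of each AP at a given hour is predicted from 7 days of history, and channels are then assigned so that the busiest APs choose first and land on the channel least occupied by their already-assigned neighbors. The seasonal-mean forecast, the greedy assignment, the neighbor RSSI weighting and the AP names and history are all constructed assumptions, not the vendor's models.

```python
"""Predictive, load-differentiated channel calibration (added example; not
CampusInsight code). Load prediction is a seasonal mean over 7 days of
constructed hourly utilisation samples; channel assignment is a greedy
heuristic in which the busiest APs choose first and take the channel least
occupied by already-assigned neighbours, weighted by those neighbours'
predicted load and received signal strength. Model and weights are assumptions."""
from statistics import fmean

CHANNELS = (1, 6, 11)   # non-overlapping 2.4 GHz channels


def make_history(peak_by_ap, days=7):
    """Constructed history {ap: {day: [24 hourly utilisation %]}}: flat 5 %
    except a 10:00 peak that rises by 1 % a day up to `peak` on the last day."""
    return {ap: {d: [5.0] * 10 + [peak - (days - 1 - d)] + [5.0] * 13
                 for d in range(days)}
            for ap, peak in peak_by_ap.items()}


def predict_load(history, hour, days=7):
    """Predict each AP's utilisation at `hour` tomorrow as the mean of the
    same hour over the last `days` days (seasonal naive forecast)."""
    return {ap: fmean(samples[d][hour] for d in sorted(samples)[-days:])
            for ap, samples in history.items()}


def assign_channels(predicted, neighbors, channels=CHANNELS, floor_dbm=-85):
    """neighbors: {ap: {neighbour_ap: rssi_dbm as heard by ap}}. Busiest AP
    first; each AP takes the channel on which its already-assigned neighbours
    add the least weighted load (predicted load x audibility above the floor).
    Heavy-load APs therefore end up on the cleanest channels."""
    plan = {}
    for ap in sorted(predicted, key=predicted.get, reverse=True):
        def cost(ch):
            return sum(predicted[nb] * max(0, rssi - floor_dbm)
                       for nb, rssi in neighbors.get(ap, {}).items()
                       if plan.get(nb) == ch)
        plan[ap] = min(channels, key=lambda ch: (cost(ch), ch))
    return plan


# Constructed floor: AP-A and AP-B are busy and hear each other loudly.
HISTORY = make_history({"AP-A": 73, "AP-B": 63, "AP-C": 23, "AP-D": 18})
NEIGHBORS = {
    "AP-A": {"AP-B": -50, "AP-C": -60, "AP-D": -80},
    "AP-B": {"AP-A": -50, "AP-D": -62},
    "AP-C": {"AP-A": -60, "AP-D": -55},
    "AP-D": {"AP-B": -62, "AP-C": -55, "AP-A": -80},
}

if __name__ == "__main__":
    load = predict_load(HISTORY, hour=10)
    print({ap: round(v, 1) for ap, v in load.items()})
    print(assign_channels(load, NEIGHBORS))
```

Because the assignment order comes from the predicted load rather than from yesterday's measurement, the two busy APs are separated before the quiet ones are placed, which is the "heavy-load APs preferentially select clean channels" behaviour the slide describes. Calibration that ran on the last sample alone would give the same result only while the load pattern was stable.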
Contents

1. CampusInsight Overview

2. CampusInsight Functions and Demonstration


▫ Telemetry
▫ Visibility
▫ Analysis

▫ Optimization
◼ Assurance

RSSI-Based Wireless Location and Fine-Tuned O&M Based on Terminal Locations

 Application layer: upper-layer applications provided by partners or third parties, such as customer flow analysis, statistics collection, and IT service systems.
 CampusInsight provides the location capability and exposes map information and Wi-Fi terminal locations to applications through northbound APIs.
 Supported functions: Walkable Path, Heat Map of Pedestrian Flow, Interference, and Terminal Display.
 Major scenarios: shopping malls, supermarkets, and office spaces.
(Figure: application layer, CampusInsight, network layer, and terminal layer stacked top to bottom)

• Note:
▫ This version supports only RSSI-based wireless location, and other location
methods are not supported.

▫ Wireless location is applicable only to indoor scenarios.


▫ Location accuracy: 60% of locations are within 10 m with independent RF scanning, 50% without independent RF scanning; location delay: within 20 s.
▫ Wireless location data can be stored for up to 7 days.
Interference Source Locating
⚫ CampusInsight supports location of Wi-Fi interference sources and non-Wi-Fi interference sources (such as
Bluetooth, microwave, and audio/video devices).

Case 15: Wireless Location (1)
Case: During the pandemic, a scenic spot wishes to strictly control personnel contact to reduce the pandemic spreading risks. The wireless location function
enables administrators to check the client heat map in a specified period of time and identify crowded areas. In this manner, the scenic spot managers can
perform crowd dispersing in advance and reduce contact risks.

1. Choose Service Topology > Enter WLAN Topology.
2. Select Shenzhen > N5 > N5-2F from the left navigation tree, click Wireless Location, and select a floor for wireless location.
Case 15: Wireless Location (2)
3. On the Settings page, enable Heat Map of Pedestrian Flow, and click OK.
4. Check the Heat Map of Pedestrian Flow. Switch the time segment to identify the crowded locations; the heat map effect can be adjusted (optional).
 Basic location capability: allows users to view the Walkable Path, Heat Map of Pedestrian Flow, Interference, and Terminal Display.

• CampusInsight supports the display of heat maps, terminal locations, and walking paths.
▫ Displays the people distribution heat map for a specified time period.
▫ Displays the locations of all Wi-Fi-enabled terminals, the location of a single user, and the walking path within a specified time segment.
▫ Supports terminal MAC address anonymization.
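The two pieces behind the RSSI-based location note and the heat map functions above, as an added example that is not CampusInsight code: a terminal is placed on the floor plan from the RSSI reported by three or more APs, and its MAC address is replaced by a keyed pseudonym before the location record is stored. The log-distance path-loss model and its parameters, the linearised least-squares solver, the AP coordinates and the readings are all constructed assumptions; the page states only that location is RSSI-based and that MAC anonymization is supported, not how either is implemented.

```python
"""RSSI-based indoor location and terminal MAC anonymisation (added
example; not CampusInsight code). Distance is derived from RSSI with the
log-distance path-loss model and the terminal is placed by linearised least
squares over three or more APs with known floor-plan coordinates; the model
parameters, AP positions and readings are constructed. MAC addresses are
pseudonymised with a keyed HMAC so heat maps never carry the real address."""
import hashlib
import hmac
import math


def rssi_to_distance(rssi_dbm, rssi_1m=-40.0, n=3.0):
    """Log-distance path loss: RSSI = RSSI@1m - 10*n*log10(d), solved for d.
    rssi_1m and the exponent n are assumed indoor values."""
    return 10 ** ((rssi_1m - rssi_dbm) / (10 * n))


def distance_to_rssi(d, rssi_1m=-40.0, n=3.0):
    """Inverse of rssi_to_distance; used here only to construct readings."""
    return rssi_1m - 10 * n * math.log10(d)


def locate(readings):
    """readings: [(ap_x, ap_y, rssi_dbm), ...] with at least three APs.
    Subtracting the first circle equation from the others gives linear
    equations 2(xi-x1)x + 2(yi-y1)y = d1^2 - di^2 + xi^2 - x1^2 + yi^2 - y1^2,
    solved by least squares (2x2 normal equations)."""
    (x1, y1, r1), rest = readings[0], readings[1:]
    d1 = rssi_to_distance(r1)
    rows = []
    for x, y, r in rest:
        d = rssi_to_distance(r)
        rows.append((2 * (x - x1), 2 * (y - y1),
                     d1 ** 2 - d ** 2 + x ** 2 - x1 ** 2 + y ** 2 - y1 ** 2))
    a11 = sum(a * a for a, _, _ in rows)
    a12 = sum(a * b for a, b, _ in rows)
    a22 = sum(b * b for _, b, _ in rows)
    b1 = sum(a * c for a, _, c in rows)
    b2 = sum(b * c for _, b, c in rows)
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("APs are collinear; add an AP off the line")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def anonymize_mac(mac, key):
    """Stable pseudonym for a MAC: HMAC-SHA256 under a per-deployment key,
    truncated. Same MAC + key gives the same token (paths stay joinable);
    without the key the token cannot be reversed or re-linked."""
    norm = mac.lower().replace("-", ":")
    return hmac.new(key, norm.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed floor plan (metres): four APs at the corners of a 10 m square.
APS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
TRUE_POS = (3.0, 4.0)


def constructed_readings(pos=TRUE_POS, whole_db=True):
    """Readings a terminal at `pos` would produce; RSSI rounded to whole dB
    as real radios report it."""
    out = []
    for x, y in APS:
        rssi = distance_to_rssi(math.hypot(pos[0] - x, pos[1] - y))
        out.append((x, y, round(rssi) if whole_db else rssi))
    return out


if __name__ == "__main__":
    print("estimate:", locate(constructed_readings()))
    print("token:", anonymize_mac("AA:BB:CC:DD:EE:FF", b"site-secret"))
```

With exact readings the solver recovers the position to floating-point precision; with readings rounded to whole dB, as a radio actually reports them, the error is already a few tenths of a metre on this idealised floor, and real multipath is what pushes the figure toward the "within 10 m" accuracy quoted in the note. An unkeyed hash would not anonymise a MAC: the 2^48 address space is small enough to enumerate, so the per-deployment key is what stops a stored token from being reversed.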
Case 16: Interference Source Locating
Case: Employees of a company department report that the network quality near their office seats is poor, and file downloading and email exchange are very slow, reducing their work efficiency. The issue analysis result shows that the APs the employees connect to are experiencing high interference, and the network quality is poor due to external interference sources. Interference source locating finds rogue APs near the employees' office seats. The fault is rectified after the interference sources are eliminated.

1. Choose Issue Analysis > High Interference, click Original Issue List and click the issue.
2. On the high-interference issue analysis page, query the specific interference source information.

An AP in red indicates an interfered AP.

Display the interference sources and their locations.



Quiz

1. (Multiple-answer question) Which of the following functions can CampusInsight provide? ( )
A. Network Health Evaluation
B. Wired-user Experience Visualization
C. Protocol Tracing for Locating Wireless Access Issues
D. Minute-level Fault Locating

1. ABCD
Summary

⚫ CampusInsight is a campus network analyzer launched by Huawei. It uses big data analytics technologies and machine learning algorithms to provide excellent network service assurance by analyzing the data of each user at any time.
⚫ CampusInsight can implement real-time experience visualization, minute-level
fault locating, and intelligent network optimization. This course describes the main
functions and application cases of CampusInsight, including wired and wireless
network health, individual and massive fault analysis, intelligent optimization,
Wireless Location, and Interference Source Locating.



Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
WAN Interconnection Solution and Technology Overview
Foreword

⚫ Wide area networks (WANs) have undergone a long history, and the technologies
used on WANs have been updated many times. Enterprises have more diversified
requirements over WANs than campus networks. In addition, the requirements for
network connection mode, reliability, and security vary with enterprises.
⚫ To meet the interconnection requirements of different enterprises, a variety of
WAN interconnection technologies are developed.
⚫ This course will focus on the WAN interconnection technologies and their
application scenarios.

Objectives

⚫ Upon completion of this course, you will be able to:


 Describe the basic architecture of a typical WAN interconnection solution.
 Describe WAN interconnection networking technologies and their application scenarios.
 Describe WAN interconnection reliability technologies and their application scenarios.
 Describe WAN interconnection optimization technologies and their application scenarios.

Contents

1. Basic Architecture of a Typical WAN Interconnection Solution

2. Networking Technologies and Their Applications of WAN Interconnection

3. Reliability Technologies and Their Applications of WAN Interconnection

4. Optimization Technologies and Their Applications of WAN Interconnection

What Is a WAN?
⚫ WANs provide interconnection services across regions, cities, and countries. A WAN usually spans a
long distance (dozens or even thousands of kilometers). To meet long-distance transmission
requirements on a WAN, optical fibers are often used as the interconnection media.
(Figure: branch and HQ LANs connected through an ISP WAN to a DC and to residents)

• LAN
▫ A local area network (LAN) is a computer network that connects computers, peripheral devices, databases, and other devices in a limited geographical area (such as a campus, factory, or organization) within thousands of meters.

• WAN
▫ WANs provide wider coverage than LANs and metropolitan area networks (MANs). The communication subnet of a WAN mainly uses packet switching technology and can use the public packet switching network, satellite communication network, and wireless packet switching network to interconnect the LANs or computer systems in different areas for resource sharing.
▫ The Internet is the largest WAN in the world.

• Relationship between the LAN and WAN:
▫ A LAN is located in one area, whereas a WAN spans a larger area. For example, the headquarters of a large company is located in Beijing and its branches are distributed all over the country. If the company connects all its branches through a network, each branch is a LAN and the company network is a WAN.
▫ Typical WAN rates range from 56 kbit/s to 155 Mbit/s. Currently, 622 Mbit/s, 2.4 Gbit/s, and even higher rates are available. The transmission delay ranges from several milliseconds to hundreds of milliseconds (when satellite channels are used).
WAN and Enterprise WAN Interconnection
⚫ Enterprise WAN interconnection refers to the interconnection between nodes at different levels, such as the headquarters (HQ), data centers (DCs), branches, fixed offices, and mobile offices within an enterprise.
⚫ Generally, enterprise WAN interconnection depends on a carrier-built or self-built WAN.
(Figure: HQ and branch sites interconnected across a carrier network or self-built network)
Major Enterprise WAN Interconnection Modes
⚫ Generally, enterprise WANs can be interconnected in the following modes:
 Carriers' transmission or MPLS private lines are used to connect regional networks. This mode is expensive and is applicable to enterprises with high SLA requirements.
 The carrier Internet + VPN technology is used for connection. This mode is applicable to small and medium-sized branches that do not have high SLA requirements.
 Carriers' point-to-point (P2P) private lines are used to implement cross-city or cross-border connections. This mode is mainly used for connections between DCs, headquarters, or important branches, and is expensive.
 Industries such as electric power and transportation build network connections through self-built private lines.
⚫ Usually, enterprise WANs are interconnected using a combination of the preceding modes.
(Figure: HQ and branch sites connected over a transmission private line, an MPLS private line, a self-built private line, 4G/5G, and the Internet)

• An SLA is an agreement between the network service provider and the customer. It defines terms such as service type, service quality, and customer payment.

• According to the SLA requirements, the service provider uses multiple technologies and solutions to monitor and manage network performance and traffic so as to meet the requirements defined in the SLA, and generates reports about the customer's network performance.
Enterprise WAN Interconnection Technologies: Carriers' Private Lines
⚫ To ensure network reliability and security, enterprises lease transmission or MPLS private lines from carriers when constructing enterprise WANs.
 Transmission private lines (bare fiber/SDH/MSTP/WDM) are expensive, but data is carried on dedicated lines, ensuring service quality and security.
 MPLS private lines (MPLS L2VPN/L3VPN) are cheaper than transmission private lines and can ensure service security. However, their reliability is not as good as that of transmission private lines.
 A small number of enterprises (such as transportation and electric power enterprises) can deploy optical fibers and build their own backbone networks.
(Figure: enterprise HQ and branch sites leasing transmission private lines and MPLS private lines from carriers)
Enterprise WAN Interconnection Technologies: Internet and VPN
⚫ With the development of the Internet, some enterprise services can be carried over the Internet.
⚫ The Internet has security risks, so VPN technology is used to provide secure and reliable connections.
⚫ Virtual Private Dial-up Network (VPDN) technologies, such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Point-to-Point Protocol over Ethernet (PPPoE), allow terminal users or branches to dial up to the carrier network or HQ network. Note that PPTP's authentication and encryption (MS-CHAPv2 with MPPE) are considered broken and should not be relied on for confidentiality; L2TP likewise provides no encryption on its own and is normally run over IPsec.
⚫ Typically, Internet Protocol security virtual private network (IPsec VPN) technology is used to build network connections between enterprise branches or between enterprise branches and the HQ.
⚫ To simplify IPsec configuration on large-scale networks, technologies such as Dynamic Smart VPN (DSVPN) and Any to Any (A2A) VPN have been developed and are widely used.
(Figure: enterprise HQ and branch sites connected over the Internet using PPTP/L2TP/SSL VPN/IPsec VPN/DSVPN/A2A VPN)
Common Application Scenarios of Enterprise WAN Interconnection Networking
⚫ Enterprise WAN interconnection needs to be deployed based on the enterprise's requirements. For example, in the financial service industry, most enterprises lease transmission or MPLS private lines to guarantee network reliability and security. Considering network costs, other enterprises usually lease MPLS private lines as primary lines and use Internet + VPN lines as backup lines.
(Figure 1: WAN interconnection in the financial service industry: core backbone network, level-1 branch, level-2 branches, and sub-branches/ATMs, each tier connected over SDH/MSTP/MPLS. Figure 2: WAN interconnection for a wine enterprise: the enterprise HQ and branches in areas A, B, and C connected over MPLS (primary) and the Internet with GRE over IPsec (backup))
Contents

1. Basic Architecture of a Typical WAN Interconnection Solution

2. Networking Technologies and Their Applications of WAN Interconnection


◼ WAN Interconnection Networking Solution

▫ Private Line Technologies and Their Applications

▫ VPN Technologies and Their Applications

3. Reliability Technologies and Their Applications of WAN Interconnection

4. Optimization Technologies and Their Applications of WAN Interconnection

Enterprise WAN Interconnection Networking Solution
⚫ There are many interconnection modes for enterprise WANs. Generally, one or more interconnection modes are used based on the enterprise's requirements.
(Figure: enterprise branches (CE) reaching the HQ through a transmission private line (bare fiber/SDH/WDM/MSTP), an MPLS private line (MPLS VPN, CE-PE-PE), the Internet, and 4G/5G)
Comparison Between Private Line and VPN Technologies
⚫ Private lines were introduced very early. They can meet interconnection requirements of enterprises and ensure high network
reliability and security. However, private lines are expensive.

⚫ As networks develop, VPN technologies start to occupy more market shares. However, some industries demanding high security and
reliability, such as the financial service industry, still prefer private line technologies.

⚫ Selecting private line or VPN technologies depend on enterprises' services. The following table compares the two technologies.

Item | Private Line Technology | VPN Technology
Security | Relatively high: depending on ISPs | Very high: data is encrypted before being transmitted, and security control is in the hands of users.
Reliability | High: depending on ISP network reliability | Comparatively high: depending on the reliability of Internet lines
Scalability | Medium: depending on ISPs | Based on TCP/IP technology, the access mode is flexible. A network can be scaled out as long as it is reachable.
Investment cost | The private line expense is very high and needs to be paid every month. In addition, the device expense needs to be invested in the initial period of network construction. | A one-off device expense is invested, so there is no need to pay monthly operating expenses.
Support for mobile users | Mobile users can only connect to the network to which private lines are reachable, and internal mobile users leaving a LAN cannot access a private network. | Internal mobile users can use the Internet for secure access, eliminating geographical differences.
Transmission bandwidth | Leased bandwidth is low because of the high price. | The Internet is cheap, and the leased bandwidth is high.

Overview of Carriers' Private Lines
⚫ Carriers have a large number of line resources and launch different private line services based on different industries and scenarios.

⚫ Carriers' high-quality transmission private line services mainly include SDH, MSTP, and bare fiber services, which are expensive but
deliver excellent performance.

⚫ MPLS VPN is another type of private line service provided by carriers. MPLS VPN private lines provide slightly lower performance
than transmission private lines but are less expensive.

Carrier's private line (private line network in the financial service industry)
[Figure: level-1 branch, level-2 branches, and sub-branches (branch LANs and branch service network) interconnected over carrier MSTP/SDH private lines, with ATM at the sub-branch level; the financial service industry leases carriers' MSTP/SDH private line services to ensure high network reliability]

Carrier's private line (MPLS VPN network of a provincial library)
[Figure: city libraries connect to county libraries over GRE over IPsec (enterprise-built) and an ISP MPLS VPN; county libraries connect to community libraries and sub-libraries over the ISP MPLS VPN]
Overview of Enterprise-Built Private Line and VPN
⚫ Enterprises can establish VPNs, such as SSL VPN, DSVPN, and IPsec VPN, through carriers' networks.

⚫ Some large enterprises can lay optical fibers by themselves and set up private lines. However, only a few enterprises can lay
optical fibers by themselves.

⚫ VPNs built by enterprises are increasingly widely used because they are cost-effective, easy to expand, and controllable.

Enterprise-built VPN (VPN of a provincial library)
[Figure: municipal libraries connect to county libraries over GRE over IPsec and an ISP MPLS VPN; county libraries connect to community libraries over the ISP MPLS VPN]

Enterprise-built private line (MPLS VPN network of the energy industry)
[Figure: the national backbone network connects to provincial backbone networks over a self-built MPLS VPN; provincial backbone networks connect to municipal service networks over the self-built MPLS VPN]
Contents

1. Basic Architecture of a Typical WAN Interconnection Solution

2. Networking Technologies and Their Applications of WAN Interconnection


▫ WAN Interconnection Networking Solution
◼ Private Line Technologies and Their Applications

▫ VPN Technologies and Their Applications

3. Reliability Technologies and Their Applications of WAN Interconnection

4. Optimization Technologies and Their Applications of WAN Interconnection

Overview of Private Line Technologies
⚫ Private line technologies were introduced very early. As networks develop, many private line
technologies, such as frame relay (FR) and ATM, are no longer used. Currently, the following
private line technologies are widely used:
 Bare fiber: Carriers provide bare fibers along which no intermediate device is deployed. Therefore,
bare fibers are expensive.
 SDH/MSTP/WDM: Transmission private lines use transmission devices to build hard pipes over
optical fibers, ensuring good performance. The price of such private lines is lower than that of bare
fibers.
 MPLS VPN: MPLS private lines use Ethernet for network access and do not have hard pipes. The
performance of MPLS VPN is poorer than that of transmission private lines, but MPLS VPN is the
cheapest among all types of private lines.

Overview of Bare Fibers
⚫ A carrier provides a bare fiber line along which no intermediate device is deployed. The network capacity
depends on the enterprise devices at both ends of the bare fiber.
⚫ Bare fibers are charged based on the distance. A longer distance indicates a higher cost. Generally, the
maximum transmission distance of a hop of an optical fiber is 300 km. If the distance between two
sites exceeds 300 km, a regeneration device needs to be deployed.

[Figure: transmission devices at the enterprise branch and the enterprise HQ connected by a bare fiber across the carrier's optical network]
Exemplary Application Scenario of Bare Fibers
Application scenario of bare fibers
[Figure: the main campus and the branch campus in the same city interconnected by leased carrier bare fibers, with ISP1 and ISP2 uplinks]
• Carriers' bare fibers can be leased to build network connections between the main campus and branch campus in the
same city. This practice simplifies network management and access authentication management.

Overview of SDH/MSTP/WDM Private Lines
⚫ Enterprises that require long-distance transmission and high network reliability and security can lease
SDH/MSTP/WDM private lines.
⚫ This type of private line is a transmission private line. Tenants exclusively occupy part of the bandwidth of the
transmission private line. Because multiple users share the transmission private line, its price is lower than that of
bare fibers. Although transmission private lines are shared by tenants, they exclusively occupy bandwidth and use
hard pipes. Therefore, they deliver high network reliability and security.
⚫ MSTP and WDM private lines are widely used on the live network, and SDH private lines are still used in a few
areas.
[Figure: SDH/MSTP/WDM devices at the enterprise branch and the enterprise HQ connected across the carrier's transport network]

• SDH is a TDM system and a traditional circuit scheduling mode.

• The multi-service transport platform (MSTP) receives, processes, and transmits TDM, ATM, and Ethernet services.

• WDM uses multiple lasers to transmit multiple beams of light with different wavelengths over a single optical fiber. The transmission bandwidth of WDM devices is high, and the live-network bandwidth can reach up to 8 Tbit/s.
Exemplary Application Scenario of SDH/MSTP/WDM Private Lines
Application scenario of SDH/MSTP/WDM private lines
[Figure: the HQ connected to branches over MSTP/SDH, and branches connected to sub-branches over MSTP/SDH]
• To ensure high reliability and security, MSTP or SDH private lines are used for interconnection between financial service branches.

MPLS VPN Private Line
⚫ MPLS VPN technology is widely used in enterprise interconnection scenarios. MPLS L2VPN or MPLS
L3VPN can be deployed based on enterprise requirements. MPLS VPN strikes a balance between
cost and performance, so it is very popular.
⚫ For enterprises that can build their own WANs, such as railways and electric power companies, MPLS
VPN is an easy-to-manage and low-cost VPN technology. For enterprises that cannot build their own
WANs, MPLS VPN is expensive.
⚫ The enterprises that require high network reliability and security can use the MPLS VPN private line as
the primary link and the GRE over IPsec line as the backup link.

[Figure: MPLS VPN. Branch CE - PE - P (backbone) - PE - HQ CE]
Exemplary Application Scenario of MPLS VPN
Application scenario of MPLS VPN
[Figure: inter-AS MPLS L3VPN. Enterprise A and Enterprise B sites connect to PEs in provincial backbone networks; each provincial backbone network connects through ASBRs to the core backbone network; RRs in each network maintain VPNv4 peer sessions, and MPLS L3VPN traffic crosses the ASBRs]
• The MPLS L3VPN solution is widely used on the live network. Some large networks may use inter-AS MPLS L3VPN.


• There are three types of inter-AS MPLS L3VPN solutions: Option A, Option B, and
Option C.

• Option A applies to small inter-AS MPLS L3VPNs. Option B applies to midsize and
large inter-AS MPLS L3VPNs. Option C applies to large or super-large inter-AS
MPLS L3VPNs.
Contents

1. Basic Architecture of a Typical WAN Interconnection Solution

2. Networking Technologies and Their Applications of WAN Interconnection


▫ WAN Interconnection Networking Solution

▫ Private Line Technologies and Their Applications


◼ VPN Technologies and Their Applications

3. Reliability Technologies and Their Applications of WAN Interconnection

4. Optimization Technologies and Their Applications of WAN Interconnection

Overview of VPN Technologies
⚫ VPN technologies are widely used in scenarios where enterprises build their own networks over the Internet.
⚫ VPN technologies can be classified into the following three types based on the service usage:
 Access VPN (virtual private network for remote access): also called dial-up VPN or VPDN. Generally,
L2TP VPN technology is used.
 Intranet VPN (internal virtual private network of an enterprise): connects gateways and connects
resources of the same company through the company's network architecture. Generally, GRE or
DSVPN technology is used.
 Extranet VPN (extended internal virtual private network of an enterprise): is used to build an
extranet with the enterprise network of a partner. Generally, SSL VPN technology is used.


• By service usage:

▫ Access VPN: enables mobile employees, remote office employees, and remote small offices to establish private network connections with the enterprise intranet and extranet through a public network. There are two types of access VPN connections: client-initiated and NAS-initiated.

▫ Intranet VPN: an extension or replacement of traditional private lines or other enterprise networks to connect distribution points within an enterprise through a public network.

▫ Extranet VPN: extends enterprise networks to suppliers, partners, and even clients over a public network.

• According to the layers of tunnels in the OSI model:

▫ Layer 2 tunneling protocol: encapsulates PPP frames into a tunnel. Layer 2 tunneling protocols include the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), and Layer 2 Tunneling Protocol (L2TP).

▫ Layer 3 tunneling protocol: only Layer 3 packets are carried in a tunnel. Existing Layer 3 tunneling protocols include Generic Routing Encapsulation (GRE) and IPsec. IPsec includes the Authentication Header (AH) protocol and Encapsulating Security Payload (ESP) protocol.

Access VPN Overview


⚫ Access VPN uses virtual private dial-up network (VPDN) technology, and is a type of VPN service based
on dial-ups. It can be used for enterprise interconnection or remote access to enterprise networks.

[Figure: VPDN. Dial-up users and an enterprise branch connect through a dial-up network to the NAS (LAC), which establishes VPDN tunnels to the LNS at the enterprise HQ; RADIUS servers are deployed on the LAC and LNS sides]

• VPDN is implemented by using a tunneling technology. That is, data of an enterprise network is encapsulated in a tunnel for transmission. On an interface between the source LAN and public network, the tunneling technology encapsulates data as a payload in a data format that can be transmitted on a public network. On an interface between the destination LAN and the public network, it decapsulates data to extract the payload. The logical path through which encapsulated data packets are transmitted on the Internet is called a tunnel. To ensure that data is encapsulated, transmitted, and decapsulated smoothly, the communication protocol is the core.

• VPDN provides three common tunneling technologies:

▫ Point-to-Point Tunneling Protocol (PPTP)

▫ Layer 2 Forwarding (L2F)

▫ Layer 2 Tunneling Protocol (L2TP)



PPTP Overview
⚫ PPTP is a type of VPN protocol and has a history of more than 20 years. This protocol relies on
encryption, authentication, and Point-to-Point Protocol (PPP) for negotiation. It requires only the user
name, password, and server address for connection setup.
⚫ PPTP is fast, but has weak encryption. Among all VPN protocols, PPTP has the lowest encryption level
and must be based on IP networks.

[Figure: PPTP tunnel between two PPTP clients across the Internet]

L2TP Overview
⚫ L2TP, an open standard of IETF, combines advantages of PPTP. L2TP is especially suitable for setting up
an access VPN and has become a de facto industry standard.
⚫ L2TP is only a tunneling protocol and does not provide encryption or privacy protection. Therefore,
L2TP is usually used together with IPsec.
⚫ L2TP is one of the commonly used enterprise interconnection technologies. When L2TP is used, an AAA
server is required. L2TP is a good choice for constructing an L2VPN.

[Figure: L2TP tunnel across the Internet between the L2TP client (LAC) at the enterprise branch and the LNS at the enterprise HQ]

Live-Network Application of Access VPN


⚫ Access VPN is mainly used for remote access of intranet users, and L2TP over IPsec is most widely used.
⚫ PPTP requires the support of the Windows operating system. In addition, the IP address of the
Windows server on the intranet needs to be mapped through NAT for extranet access. Therefore, PPTP
is difficult to deploy and is seldom used.

Live-network application of L2TP over IPsec
[Figure: traveling employees connect over the Internet to the LNS at the enterprise HQ]
• L2TP connections can also be used between branch sites. However, L2TP cannot transmit multicast data or advertise
routes between the HQ and branches. Therefore, L2TP is mainly used for remote user access on the live network.


Intranet VPN Overview


⚫ Intranet VPN technology is used to construct a VPN between gateways based on the Internet. GRE and
DSVPN technologies are mainly used.
⚫ GRE and DSVPN technologies are used to establish VPNs between enterprise branches and the HQ.

[Figure: intranet VPN between enterprise branches and the enterprise HQ over the Internet]

• Intranet VPN mainly uses the following technologies:

▫ GRE

▫ GRE over IPsec

▫ DSVPN

▫ DSVPN IPsec

GRE Overview
⚫ Generic Routing Encapsulation (GRE) is used to encapsulate packets of some network-layer protocols
(such as IP, IPX, and AppleTalk) so that the encapsulated packets can be transmitted over the network
on which another network-layer protocol is applied.
⚫ GRE is typically used on networks with a few branch sites.

[Figure: GRE tunnel across the Internet between RTA (enterprise branch) and RTB (enterprise HQ). GRE packet format: Link layer | IP (outer) | GRE (Flags, Protocol Type) | IP (inner) | Payload]

• GRE is a Layer 3 tunneling technology. A GRE tunnel is a virtual P2P connection that transmits encapsulated data packets.

• The two ends of a GRE tunnel are tunnel interfaces, which encapsulate and decapsulate data packets. The tunnel interface that sends encapsulated packets is called the tunnel source interface, and the one that receives these packets on the peer end is called the tunnel destination interface.

• The packet encapsulation process in the figure is as follows:

▫ After receiving an IP packet, RTA's interface that connects to the enterprise branch sends the packet to the IP protocol module.

▫ The IP protocol module checks the destination address in the packet header
to determine how to forward this packet. If the packet is destined for the
other end of the GRE tunnel, the IP protocol module sends the packet to
the tunnel interface.

▫ After receiving the packet, the tunnel interface encapsulates the packet
using GRE and delivers the packet to the IP protocol module.
▫ The IP protocol module encapsulates the GRE packet using a new IP packet
header. The source address is the address of the tunnel source interface,
and the destination address is the address of the tunnel destination
interface. Then the IP protocol module forwards the encapsulated IP packet
from the WAN interface (tunnel source interface) based on the destination
address and routing table.

• As the reverse of encapsulation, the decapsulation process is as follows:

▫ RTB receives an IP packet from its physical interface connected to the Internet and checks the destination address. If the destination is RTB and the protocol ID in the IP packet header is 47 (indicating a GRE packet), RTB removes the IP packet header and sends the packet to the GRE module.

▫ The GRE module verifies the checksum and key fields, removes the GRE
header, and sends the packet to the IP protocol module.

▫ The IP protocol module forwards the packet to the enterprise HQ.
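As an added example (not code from the training material), the encapsulation and decapsulation steps above in Python: an inner IPv4 packet is wrapped in a GRE header and an outer IPv4 header with protocol 47, and the receiving side drops packets whose destination address, protocol number, GRE checksum or key do not match. The tunnel addresses, key and payload are constructed sample values.

```python
import ipaddress
import struct
from typing import Optional

GRE_PROTO = 47            # IP protocol number that identifies a GRE payload
ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an inner IPv4 packet
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # Checksum / Key / Sequence Present bits


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); verifying data that already
    carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    key: Optional[int] = None) -> bytes:
    """RTA side: the tunnel interface adds the GRE header, then the IP module adds the
    outer IP header whose source/destination are the tunnel source/destination addresses."""
    flags = FLAG_C | (FLAG_K if key is not None else 0)
    gre = struct.pack("!HHHH", flags, ETHERTYPE_IPV4, 0, 0)   # checksum field zero for now
    if key is not None:
        gre += struct.pack("!I", key)
    csum = inet_checksum(gre + inner)   # the GRE checksum covers header and payload
    gre = gre[:4] + struct.pack("!H", csum) + gre[6:]
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes, my_addr: str, expected_key: Optional[int] = None) -> bytes:
    """RTB side: accept only packets addressed to this endpoint with protocol 47, then let
    the GRE module verify checksum and key before handing the inner packet to IP."""
    if len(packet) < 24 or (packet[0] & 0x0F) < 5:
        raise ValueError("truncated packet")
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IP header checksum mismatch")
    if str(ipaddress.IPv4Address(packet[16:20])) != my_addr:
        raise ValueError("not addressed to this tunnel endpoint")
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet (IP protocol %d)" % packet[9])
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & FLAG_C:
        if inet_checksum(gre) != 0:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    key = None
    if flags & FLAG_K:
        key = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        offset += 4
    if key != expected_key:
        raise ValueError("GRE key mismatch")   # wrong or missing key: drop, never forward
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected inner protocol type 0x%04x" % ptype)
    return gre[offset:]


def is_rejected(packet: bytes, my_addr: str, expected_key: Optional[int]) -> bool:
    """True when decapsulation drops the packet (used to exercise the failure cases)."""
    try:
        gre_decapsulate(packet, my_addr, expected_key)
    except ValueError:
        return True
    return False


# Constructed sample: branch host 10.1.1.1 sends a UDP datagram (IP protocol 17) to HQ host 10.2.2.2
INNER = ipv4_header("10.1.1.1", "10.2.2.2", 17, 8) + b"hello HQ"
TUNNEL_SRC, TUNNEL_DST, TUNNEL_KEY = "1.1.1.1", "2.2.2.2", 0x1234   # constructed tunnel endpoints
```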



GRE over IPsec Overview


⚫ GRE does not support encryption. IPsec supports only the IP protocol and does not support
multicast.
⚫ GRE over IPsec combines advantages of both GRE and IPsec, and offsets their disadvantages.
⚫ GRE over IPsec is a point-to-point VPN technology commonly used by enterprises.

[Figure: GRE over IPsec between two sites across the Internet; the GRE tunnel (internal) is carried inside the IPsec tunnel (external)]

• GRE encapsulates multicast data to allow data to be transmitted through GRE tunnels. Currently, IPsec can encrypt only unicast data. If multicast data, such as routing protocol, voice, and video data, needs to be transmitted over IPsec tunnels, a GRE tunnel can be established to encapsulate multicast data, and then IPsec encrypts the encapsulated packets. In this way, multicast data is encrypted and transmitted in the IPsec tunnel.

• GRE over IPsec combines advantages of both GRE and IPsec. It enables a network
to support multiple upper-layer protocols and multicast packets, as well as
packet encryption, identity authentication, and data integrity check.

• GRE over IPsec encapsulates packets using GRE, and then IPsec.

• GRE over IPsec supports the following encapsulation modes:

▫ Tunnel mode

▫ Transport mode

DSVPN Overview
⚫ DSVPN overcomes defects of GRE over IPsec and enables enterprises with a large number of branches to easily build VPNs.
⚫ DSVPN is a technology that dynamically establishes GRE tunnels. It uses the Next Hop Resolution Protocol (NHRP) to dynamically collect, maintain, and advertise information such as the public IP address of each spoke, allowing the source branch to obtain the public IP address of the destination branch.
⚫ DSVPN uses mGRE technology to enable VPN tunnels to transmit multicast and broadcast packets, and a tunnel interface can establish VPN tunnels with multiple peers.
⚫ The GRE tunnel established by DSVPN can still use IPsec technology to ensure tunnel security.
[Figure: hub-and-spoke DSVPN over the Internet. Legend: dynamic mGRE tunnel, static mGRE tunnel, data between spokes]

• DSVPN resolves the following defects of GRE over IPsec:

▫ All traffic must pass through the hub.

▫ The hub configuration needs to be modified when a site is added.

▫ If spokes use dynamic addresses, problems may occur when P2P GRE is
deployed.

Live-Network Application of Intranet VPN


⚫ On the live network, intranet VPN is mainly used for interconnection between enterprise branches and the HQ or
between branches.
⚫ GRE over IPsec is widely used on the live network. For enterprises with many branches, Efficient VPN can be used to
simplify the branch configuration. IPsec link redundancy can be deployed to ensure GRE reliability.
Live-network application of GRE over IPsec
[Figure: branches connect to the enterprise HQ through GRE over IPsec tunnels across the Internet]
• DSVPN is seldom used on the live network for the following reasons: 1. Many enterprises expect traffic
between branches to pass through the HQ to facilitate management. 2. Enterprise O&M personnel often have only a
basic understanding of DSVPN, which makes O&M inconvenient.


Extranet VPN Overview


⚫ Extranet VPN is mainly used to deliver secure network access between customers or suppliers. Traveling
employees can also use extranet VPN to access the enterprise network.
⚫ Extranet VPN mainly uses SSL VPN and L2TP.

[Figure: customer PCs access the enterprise HQ through SSL VPN or L2TP over the Internet]

SSL VPN Overview


⚫ SSL VPN is mainly used to enable traveling employees to remotely access the enterprise intranet, which
is an extension of the enterprise intranet on the WAN.
⚫ SSL VPN authenticates and controls users based on HTTP. Users do not need to configure anything for SSL VPN,
which makes it easy to use.

[Figure: SSL VPN tunnel from the SSL VPN client over the Internet to the SSL VPN gateway, which provides web page proxy, file sharing, port forwarding, and network extension services]

• SSL VPN is a VPN remote access technology based on SSL. Mobile users (referred to as remote users in SSL VPN) can use SSL VPN to securely and conveniently access enterprise intranets and intranet resources, improving work efficiency.

• Before SSL VPN was developed, VPN technologies such as IPsec and L2TP were used to enable remote user access. However, these VPN technologies have the following disadvantages:

▫ Remote users need to install specific client software on their terminals, leading to difficult network deployment and maintenance.

▫ The IPsec or L2TP VPN configuration is complex.

▫ Network management personnel cannot perform fine-grained control over remote users' access permissions to enterprise intranet resources.

Exemplary Application Scenario of Extranet VPN


⚫ It is convenient for external users to access the intranet through SSL VPN. They can directly access the intranet after
passing web page authentication, without having to install a client. In addition, there are many SSL VPN service
options, such as web page proxy, file sharing, port forwarding, and network extension.

Application scenario of SSL VPN
[Figure: partners, mobile users, branch users, and remote offices reach the SSL VPN gateway at the HQ over the Internet on port 443; the gateway provides network extension to the email, OA, and ERP servers, web page proxy to the web page server, file sharing to the FTP server, and port forwarding to the NMS]
• SSL VPN is easy to use. You can use a browser to access the enterprise intranet. However, not all routers support SSL VPN. For routers that do
not support SSL VPN, you can use L2TP to establish connections between the extranet and intranet.

Contents

1. Basic Architecture of a Typical WAN Interconnection Solution

2. Networking Technologies and Their Applications of WAN Interconnection

3. Reliability Technologies and Their Applications of WAN Interconnection


◼ Link Detection Technologies and Their Applications

▫ Network and Service Reliability Technologies and Their Applications

4. Optimization Technologies and Their Applications of WAN Interconnection

Overview of Link Detection
⚫ Fluctuation of network link quality affects service quality. Quickly detecting link quality fluctuation is the
first step in improving link quality.
⚫ There are many protocols and technologies for detecting link quality, which are classified into two
types:
 Link connectivity detection technologies:
◼ Bidirectional Forwarding Detection (BFD)
◼ Ethernet in the First Mile (EFM)
◼ Connectivity Fault Management (CFM)
 Link quality detection technologies:
◼ Network Quality Analysis (NQA)
◼ IP Flow Performance Measurement (IP FPM)
⚫ On the live network, BFD is typically used to detect link connectivity,
and NQA or IP FPM is typically used to detect link quality.
[Figure: BFD, EFM, and CFM are used to detect network link connectivity; NQA and IP FPM are used to detect network quality]
Overview of BFD
⚫ BFD provides a universal, standardized, media-independent, and protocol-independent fast failure detection
mechanism. It has the following advantages:
 Provides low-overhead and fast failure detection for channels between adjacent forwarding engines.
 Performs uniform detection for all media and protocol layers in real time.

⚫ BFD is a simple Hello protocol. Two systems establish a BFD session channel and periodically send BFD packets to
each other. If one system does not receive BFD packets from the other system within a certain period, the system
considers that a fault occurs on the channel.
[Figure: BFD session detection between two systems, shown against the application, transport, network, data link, and physical layers of each system]

• Only one BFD session can be established in a data path. If different applications
need to use different BFD parameters on the same data path, use the BFD
parameters that can meet the requirements of all applications to configure a
unique BFD session and enable the status changes of the BFD session to be
reported to all the applications bound with the BFD session.
Overview of NQA
⚫ To visualize the quality of network services and allow users to check whether the quality of network services meets
requirements, the following measures must be taken:
 Enable devices to provide network service quality information.
 Deploy probe devices to monitor network service quality.

⚫ The preceding measures require devices to provide statistical parameters such as the delay, jitter, and packet loss
rate and require dedicated probe devices. These requirements increase investments on devices.
⚫ When NQA is deployed on devices, dedicated probe devices do not need to be deployed, effectively reducing costs.
NQA can accurately test the network running status and output statistics.
⚫ NQA measures network performance and collects statistics about the response time, network jitter, and packet loss
rate in real time.
[Figure: NQA test between an NQA client and an NQA server, measuring TCP delay, DNS delay, and total HTTP delay]

• Additionally, NQA measures the performance of different protocols running on the network. This facilitates real-time collection of network performance counters, such as the total HTTP connection delay, TCP connection delay, DNS resolution delay, file transfer rate, FTP connection delay, and DNS resolution error rate.
Overview of IP FPM
⚫ With the advent of the cloud computing era, end-to-end service performance measurement becomes essential. However, the
commonly used NQA technology has the following defects in end-to-end network performance measurement scenarios:
 NQA simulates service packet forwarding on the network by constructing service packets. Therefore, the collected performance statistics are not
accurate.
 NQA does not support end-to-end performance measurement across network layers, and cannot monitor or measure network performance in a
multipath scenario of IP networks.
⚫ IP flow performance measurement (IP FPM) can effectively solve these problems. It is a general IP network performance
measurement solution. IP FPM can directly measure service packets, and the measurement data can reflect the performance of IP
networks. In addition, IP FPM can monitor the changes of services carried by IP networks online and accurately reflect the running
status of services.
[Figure: IP FPM measurement process between two DCPs with their TLPs, an MCP, and the NMS/controller. 1. IP FPM colors data packets (marking in the IP header). 2. Each TLP counts the colored packets. 3. Each DCP sends the statistics collected by its TLP to the MCP. 4. The MCP summarizes the statistics and calculates the packet loss rate and delay. 5. (Optional) The MCP reports the results to the NMS or controller.]

• TLP is short for Target Logical Port.

▫ TLPs are interfaces on the edge nodes of the network and provide the following functions:

▪ Collect statistics about the packet loss rate and delay.

▪ Generate statistics, such as the number of packets sent and received, volume of traffic sent and received, and timestamp.

▫ An In-Point-TLP collects statistics about service flows it receives. An Out-Point-TLP collects statistics about service flows it sends.

• DCP is short for Data Collecting Point.

▫ DCPs are edge nodes on the network and provide the following functions:

▪ Manage and control TLPs.

▪ Collect the statistics generated by TLPs.

▪ Report the statistics to an MCP.

• MCP is short for Measurement Control Point.

▫ MCPs are intermediate nodes on the network and provide the following functions:

▪ Collect the statistics reported by DCPs.

▪ Summarize and calculate the statistics.

▪ Report the statistics to user terminals or the NMS.
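As an added example (not code from the training material), the measurement loop of the figure and notes above modelled in Python: packets are colored per measurement period, an In-Point TLP and an Out-Point TLP count the colored packets of each period, and the MCP correlates the two reports into a packet loss rate and a delay. The flow name, period, timestamps and the dropped packets are constructed sample values, and deriving delay from the first colored packet's timestamp at each TLP is a simplifying assumption, not the protocol's exact method.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FlowPeriod = Tuple[str, int]


@dataclass(frozen=True)
class ColoredPacket:
    """A service packet as seen by a TLP. IP FPM colors packets in the IP header; here
    the color bit and the measurement period the packet belongs to are modelled as fields."""
    flow: str
    period: int
    color: int   # alternates 0/1 between consecutive periods


def color_of(period: int) -> int:
    """Alternating colors keep the counts of adjacent periods apart even when a packet
    of period N reaches the Out-Point after period N+1 has already started."""
    return period % 2


class TLP:
    """Target Logical Port: counts colored packets and records the first timestamp per period."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.counts: Dict[FlowPeriod, int] = defaultdict(int)
        self.first_ts: Dict[FlowPeriod, int] = {}

    def observe(self, pkt: ColoredPacket, ts_ms: int) -> None:
        if pkt.color != color_of(pkt.period):
            return   # color does not match the period: not a valid measurement packet
        key = (pkt.flow, pkt.period)
        self.counts[key] += 1
        self.first_ts.setdefault(key, ts_ms)

    def report(self) -> Dict[FlowPeriod, Tuple[int, int]]:
        """Statistics the DCP collects from this TLP: (packet count, first timestamp)."""
        return {k: (n, self.first_ts[k]) for k, n in self.counts.items()}


class MCP:
    """Measurement Control Point: summarises In-Point and Out-Point statistics."""

    def __init__(self) -> None:
        self.in_stats: Dict[FlowPeriod, Tuple[int, int]] = {}
        self.out_stats: Dict[FlowPeriod, Tuple[int, int]] = {}

    def collect(self, role: str, stats: Dict[FlowPeriod, Tuple[int, int]]) -> None:
        """Called by a DCP with the statistics of its TLP; role is "in" or "out"."""
        (self.in_stats if role == "in" else self.out_stats).update(stats)

    def result(self, flow: str, period: int) -> Optional[Dict[str, float]]:
        key = (flow, period)
        if key not in self.in_stats or key not in self.out_stats:
            return None   # both ends must have reported this period
        sent, t_in = self.in_stats[key]
        received, t_out = self.out_stats[key]
        lost = sent - received   # a negative value would indicate period misalignment between TLPs
        return {"sent": sent, "received": received, "lost": lost,
                "loss_rate": lost / sent if sent else 0.0,
                "delay_ms": t_out - t_in}


def simulate(total: int = 100, dropped: Tuple[int, ...] = (10, 50, 90)) -> Optional[Dict[str, float]]:
    """Constructed run: 100 packets of period 7 enter at the In-Point, 3 are lost on the
    way, and the Out-Point sees each surviving packet 20 ms later."""
    flow, period = "flowA", 7
    in_tlp, out_tlp, mcp = TLP("in-point"), TLP("out-point"), MCP()
    for i in range(total):
        pkt = ColoredPacket(flow, period, color_of(period))
        in_tlp.observe(pkt, 1000 + i)          # constructed timestamps, 1 ms apart
        if i not in dropped:
            out_tlp.observe(pkt, 1020 + i)     # constructed 20 ms one-way delay
    mcp.collect("in", in_tlp.report())     # ingress DCP forwards its TLP statistics
    mcp.collect("out", out_tlp.report())   # egress DCP forwards its TLP statistics
    return mcp.result(flow, period)
```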


Exemplary Application Scenarios of Link Detection
Common link quality detection scenario
[Figure: dual-homed egress. The primary path is ISP1, and BFD or NQA is used to monitor the link. The backup path is ISP2. IP routing table: Net1 60 ISP1 Track BFD/NQA; Net1 100 ISP2]
• NQA and BFD are usually associated with floating routes.
• When NQA or BFD detects a link fault, the high-priority route becomes invalid and the backup route is used.

E2E link quality detection
[Figure: incoming and outgoing traffic through ISP1 and ISP2; IP FPM is used to test incoming and outgoing traffic on each link]
• IP FPM colors and marks data packets to help ingress and egress devices measure the packet loss or jitter of specific traffic.
• IP FPM can measure end-to-end network quality. Therefore, it can measure the actual network quality of different links in the multi-link egress scenario.
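As an added example (not code from the training material), the association of a BFD session with floating static routes from the scenario above, in Python: the route via ISP1 (preference 60) tracks the session and stays valid only while it is UP, so when BFD stops receiving packets the route via ISP2 (preference 100) takes over. Detection time as receive interval times detect multiplier follows RFC 5880 and is an assumption not stated on the page; intervals and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BfdSession:
    """One BFD session on a data path. The local system expects a BFD packet from the peer
    at least every rx_interval_ms; if detect_mult intervals pass without one, the session
    is declared DOWN (assumption: detection time = interval x multiplier, as in RFC 5880)."""
    rx_interval_ms: int
    detect_mult: int
    state: str = "DOWN"
    last_rx_ms: Optional[int] = None

    def receive(self, now_ms: int) -> str:
        """A BFD control packet arrived from the peer: refresh the detection timer."""
        self.last_rx_ms = now_ms
        self.state = "UP"
        return self.state

    def poll(self, now_ms: int) -> str:
        """Timer check: no packet within the detection time means the channel is faulty."""
        if self.state == "UP" and now_ms - self.last_rx_ms > self.rx_interval_ms * self.detect_mult:
            self.state = "DOWN"
        return self.state


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    preference: int                      # lower value wins, so 60 beats 100
    track: Optional[BfdSession] = None   # when set, the route is valid only while the session is UP

    def valid(self) -> bool:
        return self.track is None or self.track.state == "UP"


def select_route(table: List[StaticRoute], prefix: str) -> Optional[StaticRoute]:
    """Active route for a prefix: the valid entry with the lowest preference (floating routes)."""
    candidates = [r for r in table if r.prefix == prefix and r.valid()]
    return min(candidates, key=lambda r: r.preference, default=None)


def build_demo():
    """Constructed routing table from the scenario: Net1 via ISP1 (60, tracks BFD) and via ISP2 (100)."""
    bfd = BfdSession(rx_interval_ms=100, detect_mult=3)
    table = [StaticRoute("Net1", "ISP1", 60, track=bfd), StaticRoute("Net1", "ISP2", 100)]
    return bfd, table
```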

Contents

1. Basic Architecture of a Typical WAN Interconnection Solution

2. Networking Technologies and Their Applications of WAN Interconnection

3. Reliability Technologies and Their Applications of WAN Interconnection


▫ Link Detection Technologies and Their Applications
◼ Network and Service Reliability Technologies and Their Applications

4. Optimization Technologies and Their Applications of WAN Interconnection

Overview of Network Reliability
⚫ If a fault occurs on the network, the fault may not be detected or rectified in a timely manner. To
resolve this issue, redundancy technologies are required.
⚫ Common redundancy technologies include stack, link aggregation, and VRRP.
⚫ VRRP is the most widely used network redundancy technology on egress devices or gateways.

Overview of VRRP
⚫ Hosts are connected to external networks through gateways. If a single gateway fails, services will be interrupted
for a long time. Adding egress gateways is a common method to improve system reliability. In this case, route
selection among multiple egresses becomes essential.
⚫ VRRP groups multiple routing devices into a single virtual routing device. If a gateway fails, VRRP selects a new
gateway to transmit data traffic, ensuring high network reliability.
[Figure: VRRP. Left: only one device (the master) provides services externally; the master forwards the traffic sent by hosts PC1 and PC2, and the backup device does not transmit traffic. Right: the downlink of the master device is disconnected, so the master cannot provide gateway services; the backup device becomes the new master, and traffic is switched to it]
Service Reliability
⚫ In the cloud computing era, network reliability alone cannot meet user requirements. Users want to
understand the live network status based on applications and adjust the network based on the
application status.
⚫ Such requirements pose the following challenges to traditional networks:
 Traditional networks cannot accurately identify applications.
 Traditional networks cannot be adjusted based on applications.

⚫ To cope with the challenges, two technologies are developed:
 Smart Application Control (SAC): This technology can flexibly identify applications.
 Smart Policy Routing (SPR): This technology can switch forwarding paths based on the network or application
status.

Overview of SAC
⚫ Typically, routing and switching devices cannot identify application-layer information, so it is difficult to manage
networks based on applications. SAC enables routing and switching devices to identify and classify applications.

⚫ SAC uses service awareness (SA) and first packet identification (FPI) technologies to detect and identify Layer 4 to Layer 7
information (such as HTTP and RTP) in packets.

[Figure: SAC application identification process. Service traffic enters the network device. If an application identification record already exists for the flow, the traffic is forwarded directly at Layer 3. Otherwise SAC identification runs signature matching against the FPI signature database and then against the SA signature database; the result (for example voice, web page, or video) is recorded in the forwarding table.]

• After a packet enters an SAC-enabled device, the device checks the 5-tuple information
  carried in the packet to determine whether the corresponding application has already
  been identified. If it has, the device forwards the packet at Layer 3 without
  identifying the application again. If it has not, the device performs SAC application
  identification, processes the packet based on the result, and then forwards it at
  Layer 3.
• The SAC application identification process tries each method in order and stops at
  the first match:
  ▫ ACL rules defined in FPI.
  ▫ DNS entries defined in FPI.
  ▫ The protocol and port mapping table defined in FPI.
  ▫ If none of the FPI methods identifies the application, the device starts the SA
    identification process.
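The identification order above, as an added example (not Huawei code): a flow cache keyed on the 5-tuple, FPI matching in the order ACL, DNS, protocol/port, and an SA payload-signature fallback. All rules, signatures, addresses and packets are constructed for the example; real SA signature databases are far larger.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""
    dns_name: str = ""  # name the client resolved for dst, if the device's DNS cache knows it

    def five_tuple(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)


# Constructed FPI rules; precedence follows the slide notes: ACL, then DNS, then protocol/port.
FPI_ACL_RULES = [("10.0.0.0/8", "udp", 5060, "voip-signaling")]   # hypothetical ACL rule
FPI_DNS_RULES = {"video.example.com": "video"}                      # hypothetical DNS entry
FPI_PORT_RULES = {("tcp", 80): "web", ("tcp", 443): "web", ("udp", 5004): "rtp"}
# Constructed SA signatures: payload patterns, used only when FPI finds nothing.
SA_SIGNATURES = [(b"HTTP/1.", "web"), (b"RTSP/1.0", "video")]


def fpi_identify(pkt):
    """First packet identification. Returns (application, matching stage) or (None, None)."""
    for cidr, proto, dport, app in FPI_ACL_RULES:
        if (pkt.proto, pkt.dport) == (proto, dport) and \
                ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(cidr):
            return app, "fpi-acl"
    if pkt.dns_name in FPI_DNS_RULES:
        return FPI_DNS_RULES[pkt.dns_name], "fpi-dns"
    if (pkt.proto, pkt.dport) in FPI_PORT_RULES:
        return FPI_PORT_RULES[(pkt.proto, pkt.dport)], "fpi-port"
    return None, None


def sa_identify(pkt):
    """Service awareness: deep inspection of the payload against signatures."""
    for pattern, app in SA_SIGNATURES:
        if pattern in pkt.payload:
            return app, "sa"
    return "unknown", "sa"


class SacDevice:
    """Models the per-flow identification record: identify once per 5-tuple, then forward at Layer 3."""

    def __init__(self):
        self.flow_table = {}   # 5-tuple -> identified application
        self.log = []          # (5-tuple, stage that produced the result)

    def process(self, pkt):
        key = pkt.five_tuple()
        if key in self.flow_table:
            self.log.append((key, "cached"))          # already identified: no re-identification
            return self.flow_table[key]
        app, stage = fpi_identify(pkt)
        if app is None:
            app, stage = sa_identify(pkt)            # FPI failed: fall back to SA
        self.flow_table[key] = app
        self.log.append((key, stage))
        return app


def demo():
    """Run constructed packets through the device; returns (application, stage) per packet."""
    dev = SacDevice()
    flows = [
        Packet("192.0.2.10", "10.1.2.3", "udp", 40000, 5060),                       # ACL hit
        Packet("192.0.2.10", "203.0.113.5", "tcp", 40001, 8080, dns_name="video.example.com"),
        Packet("192.0.2.10", "203.0.113.6", "tcp", 40002, 443),                      # port mapping
        Packet("192.0.2.10", "203.0.113.7", "tcp", 40003, 8554,
               payload=b"OPTIONS rtsp://cam/ RTSP/1.0\r\n"),                         # SA signature
        Packet("192.0.2.10", "203.0.113.7", "tcp", 40003, 8554, payload=b"\x00\x01"),  # same flow: cached
    ]
    results = []
    for pkt in flows:
        app = dev.process(pkt)
        results.append((app, dev.log[-1][1]))
    return results


if __name__ == "__main__":
    for app, stage in demo():
        print(f"{app:15s} via {stage}")
```

Two things a practitioner should take from the model: identification is per flow, so a flow that was mis-classified on its first packet stays mis-classified until the record ages out; and the FPI stages (port numbers, resolved names) are attacker-controlled inputs, so an SAC verdict is suitable for QoS and path selection but must not be used as a security control.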
Overview of SPR
⚫ In the cloud computing era, more users shift their attention from network connectivity to service
availability, such as service response speed and service quality. However, traditional networks cannot
detect link quality or match service requirements, resulting in poor user experience.
⚫ SPR addresses this problem. It actively probes the link quality and matches it against service requirements
to select an optimal link for forwarding service data. SPR prevents network black holes and route flapping.

[Figure: SPR deployed at the HQ egress and at the branch egress.]

Exemplary Application Scenario of Service Reliability Technologies
⚫ Deploying both SAC and SPR can ensure the reliability of specific services on the network.
 SAC uses the SA signature database and FPI signature database to identify applications and group traffic.
 SPR determines the link quality and forwarding path based on the probe packets.

[Figure: application scenario of service reliability technologies. The SAC function module identifies the applications (video application, audio application, Internet access); the SPR function module steers traffic per application onto the MPLS link or the Internet link.]
Contents

1. Basic Architecture of a Typical WAN Interconnection Solution

2. Networking Technologies and Their Applications of WAN Interconnection

3. Reliability Technologies and Their Applications of WAN Interconnection

4. Optimization Technologies and Their Applications of WAN Interconnection


◼ QoS Technology and Its Application

▫ FEC Technology and Its Application

QoS Overview
⚫ Quality of Service (QoS) defines a service provider's ability to guarantee a certain level of performance required by
customers. The QoS-enabled device controls enterprise network traffic, implements congestion management and
congestion avoidance, reduces the packet loss rate, and provides dedicated bandwidth for enterprise users or
differentiated services (such as audio, video, and data services).

[Figure: QoS implementation on a device. Packets arriving on the inbound interface (video, audio, and data traffic) pass through traffic classification, traffic policing (CAR, token bucket), remarking, congestion avoidance (WRED), congestion management (queues 0 to N with scheduling), and traffic shaping (GTS) before leaving the outbound interface.]

• To meet the SLA requirements of different services (such as audio, video, and data
  services), the network must distinguish communication types before providing the
  corresponding QoS guarantee.
  ▫ For example, real-time services such as voice over IP (VoIP) demand a short delay; a
    long packet transmission delay is unacceptable. Email and File Transfer Protocol (FTP)
    services are comparatively insensitive to delay.
  ▫ Conventional IP networks provide best-effort delivery, which cannot identify or
    differentiate the communication types on the network. The ability to differentiate
    communication types is the prerequisite for providing differentiated services, so
    best-effort delivery cannot meet the requirements of emerging applications. This is
    where QoS comes in.
• QoS is designed to provide differentiated services based on application requirements.
  For example:
  ▫ The bandwidth used by the FTP service on the backbone network can be limited, and a
    higher priority can be assigned to database access.
  ▫ An Internet service provider (ISP) can carry real-time services such as audio or
    video. With QoS, the ISP can differentiate the packets and provide differentiated
    services for users.
  ▫ High bandwidth and short delays can be guaranteed for time-sensitive multimedia
    services, so that other services on the network do not affect them.
QoS Application Example
⚫ In the enterprise WAN interconnection scenario, QoS is typically deployed on the egress link.
⚫ QoS technology is used to ensure high network bandwidth and short delays for high-value services.

[Figure: QoS application scenario. Video, audio, and data streams cross the WAN between two LANs. QoS is deployed in the outbound direction of the egress interface to rate-limit traffic and preferentially schedule high-priority traffic.]
Overview of HQoS
⚫ Conventional QoS schedules traffic per interface. An interface can only differentiate service priorities: traffic of the
same priority uses the same interface queue and competes for the same queue resources. Therefore, conventional QoS cannot
provide differentiated services based on both traffic type and user.

⚫ HQoS implements hierarchical scheduling based on multiple levels of queues, differentiating both services and users to
provide fine-grained QoS guarantees.

QoS limitations in multi-tenant scenarios

14 families rent different network


bandwidths and services.

User-based QoS cannot be


implemented at the egress,
and up to eight queues can be
used to differentiate traffic.

Internet
• Three tenants: 20 Mbit/s bandwidth, IPTV service
• Three tenants: 50 Mbit/s bandwidth, VoIP service

• In home broadband scenarios, different families may lease different network bandwidths and network services. QoS cannot be used to implement
fine-tuned management of these families.

58 Huawei Confidential
HQoS Application Example
⚫ HQoS is mainly used in multi-tenant scenarios. For example, there are three families in a building. Family A has purchased 10 Mbit/s
bandwidth and subscribed to VoIP, IPTV, and HSI services. Family B has purchased 20 Mbit/s bandwidth and subscribed to IPTV and
HSI services. Family C has purchased 30 Mbit/s bandwidth and subscribed to the HSI service. These three families have different
requirements. HQoS is the best choice for this scenario.

[Figure: HQoS application example. HQoS is deployed at the egress with three queue levels. Level 3 flow queues: family A has VoIP (PQ scheduling), IPTV (PQ scheduling), and HSI (WFQ scheduling); family B has IPTV (PQ scheduling) and HSI (WFQ scheduling); family C has HSI (WFQ scheduling). Level 2 subscriber queues, scheduled by WFQ: total bandwidth of family A 10 Mbit/s, family B 20 Mbit/s, family C 30 Mbit/s. Level 1 port queue: total bandwidth of the building 60 Mbit/s.]

• VoIP: voice over IP service
• IPTV: Internet protocol TV service
• HSI: high-speed Internet service
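The per-user plus per-port limits of the HQoS example above, and the token-bucket policing (CAR) from the QoS overview, as one added example (not Huawei code). It models only the bandwidth limits with hierarchical token buckets; the PQ/WFQ queue scheduling of the slide is not modelled. Rates follow the slide (family A 10 Mbit/s, B 20 Mbit/s, C 30 Mbit/s, building 60 Mbit/s); the burst size (10 ms of each rate), packet size and arrival pattern are assumptions.

```python
class TokenBucket:
    """Single-rate token bucket: refilled continuously at rate_bps, holding at most burst_bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes = rate_bps / 8.0     # tokens are bytes
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def refill(self, now):
        if now > self.last:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_bytes)
            self.last = now

    def conforms(self, size, now):
        self.refill(now)
        return size <= self.tokens

    def consume(self, size):
        self.tokens -= size


class HierarchicalPolicer:
    """Two-level limit: each subscriber (family) has its own bucket, and all share the port bucket."""

    def __init__(self, port_bps, subscribers, burst_seconds=0.01):
        # burst_seconds is an assumption: each bucket holds 10 ms worth of its rate
        self.port = TokenBucket(port_bps, port_bps / 8 * burst_seconds)
        self.subscriber = {name: TokenBucket(bps, bps / 8 * burst_seconds)
                           for name, bps in subscribers.items()}
        self.stats = {"conform": 0, "exceed": 0}

    def admit(self, name, size, now):
        """Admit the packet only if both the subscriber bucket and the port bucket can pay for it."""
        sub = self.subscriber[name]
        if sub.conforms(size, now) and self.port.conforms(size, now):
            sub.consume(size)
            self.port.consume(size)
            self.stats["conform"] += 1
            return True
        self.stats["exceed"] += 1
        return False


def run_demo():
    """Rates from the HQoS slide: A 10 Mbit/s, B 20 Mbit/s, C 30 Mbit/s, building 60 Mbit/s."""
    pol = HierarchicalPolicer(60_000_000, {"A": 10_000_000, "B": 20_000_000, "C": 30_000_000})
    pkt = 1250  # bytes, constructed
    # Family A bursts 12 packets at t=0: its 10 ms burst (12500 bytes) admits 10, the rest exceed.
    a_admitted = sum(pol.admit("A", pkt, 0.0) for _ in range(12))
    # Family C bursts 40 packets at t=0: its own bucket (37500 bytes) stops it at 30 even though
    # the port bucket (75000 bytes) still has room, so C cannot eat into A's and B's shares.
    c_admitted = sum(pol.admit("C", pkt, 0.0) for _ in range(40))
    # 2 ms later family A has earned 2500 more bytes, so its next packet conforms again.
    a_later = pol.admit("A", pkt, 0.002)
    return a_admitted, c_admitted, a_later, pol.stats["exceed"]


if __name__ == "__main__":
    print(run_demo())
```

With a single interface-level bucket (conventional QoS) the 40-packet burst from family C would have been admitted in full and would have drained the tokens that families A and B paid for; the subscriber level is what turns "60 Mbit/s for the building" into enforceable per-tenant shares.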


Contents

1. Basic Architecture of a Typical WAN Interconnection Solution

2. Networking Technologies and Their Applications of WAN Interconnection

3. Reliability Technologies and Their Applications of WAN Interconnection

4. Optimization Technologies and Their Applications of WAN Interconnection


▫ QoS Technology and Its Application
◼ FEC Technology and Its Application

Overview of FEC
⚫ An IP video call often suffers image distortion or audio interruption due to packet loss. To prevent this, error control
technologies are required.

⚫ Forward error correction (FEC) is such a technology. The sender attaches FEC redundant packets to the data to be transmitted.
If packets are lost or corrupted, the receiver can reconstruct the data from the redundant packets without asking for a
retransmission.

⚫ FEC is applicable to networks where random packet loss occurs or the RTT is large.

[Figure: FEC implementation. The sender adds an FEC redundant packet P to the key traffic (packets 1 to 4) before sending it over MPLS or the Internet. Packet 2 is lost in transit; the receiver restores it from P and the remaining packets.]

• Error control technologies are classified into forward error correction (FEC) and
  backward error correction (BEC).
  ▫ Automatic repeat request (ARQ) is an on-demand retransmission mechanism. The sender
    uses a "sending-acknowledgement" mechanism to detect whether the receiver receives
    data packets. If the sender does not receive any acknowledgment packet from the
    receiver, the sender retransmits the corresponding packet. In this error correction
    mode, packets need to be sent repeatedly, so an extra delay is introduced. Because
    the sender retransmits packets to implement error correction, this mode is called
    BEC.
  ▫ In FEC, both FEC redundant packets and data packets are sent to the receiver. If an
    error is found, the receiver directly restores the lost data packets by using the
    FEC redundant packets. Error correction is performed on the receiver, which is why
    this mode is called FEC.
    ▪ The error correction capability of FEC is limited. For example, if three out of
      four packets are lost, FEC cannot restore these three packets based on the
      remaining packet.
Overview of A-FEC
⚫ In basic FEC, the ratio of original data packets to FEC redundant packets is fixed. If burst packet loss occurs, the original
data may not be recoverable from the redundant packets, so FEC is not suitable for networks where burst packet loss may occur.
In addition, the redundant packets consume bandwidth, reducing bandwidth utilization. This is where adaptive FEC (A-FEC)
comes in.

⚫ A-FEC adds redundant packets flexibly based on the live network quality.
 When the network quality is good, A-FEC adds few redundant packets, or none at all, to improve bandwidth utilization.
 When the network quality is poor, A-FEC adds more redundant packets to prevent data restoration failures caused by burst packet loss.

[Figure: A-FEC. Good network quality: few FEC redundant packets are added (P 4 3 2 1). Poor network quality: a large number of FEC redundant packets are added (P 4 3 P 2 1). Traffic crosses MPLS or the Internet.]
Exemplary Application Scenario of FEC/A-FEC
⚫ FEC or A-FEC can be used to guarantee mission-critical video applications and reduce frame freezing
and artifacts.
[Figure: application scenario of FEC or A-FEC. A video server sends to a multimedia terminal over MPLS or the Internet. Good network quality: few FEC redundant packets are added (P 4 3 2 1). Poor network quality: a large number of FEC redundant packets are added (P 4 3 P 2 1).]

• The A-FEC algorithm is used to flexibly increase redundant packets at the transmit end based on the application and link quality to
prevent continuous packet loss on the network. This helps prevent mission-critical video applications from frame freezing or
artifacts even when the packet loss rate reaches up to 20%.
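The FEC and A-FEC behaviour described on the preceding slides, as one added example (not Huawei code): one XOR parity packet P per group of data packets, the single-loss recovery and the two-loss failure from the FEC notes, and an adaptive choice of group size from the measured loss rate. Huawei's A-FEC algorithm is not public, so the loss-rate thresholds, the packet contents and the loss patterns are all constructed assumptions.

```python
def xor_bytes(blocks):
    """XOR equal-length byte strings together; this is the parity packet P on the slides."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, value in enumerate(block):
            out[i] ^= value
    return bytes(out)


def fec_encode(packets, group_size):
    """Split packets into groups of group_size and append one parity packet P to each group.
    Packets are zero-padded to the longest packet in the group (assumption: the receiver
    knows the real lengths, e.g. from the inner IP header)."""
    groups = []
    for start in range(0, len(packets), group_size):
        data = packets[start:start + group_size]
        width = max(len(p) for p in data)
        padded = [p.ljust(width, b"\0") for p in data]
        groups.append(padded + [xor_bytes(padded)])
    return groups


def fec_decode(received, n):
    """received: index -> packet for what arrived from a group of n packets (index n-1 is P).
    One missing packet is rebuilt by XORing the other n-1; two or more losses are unrecoverable."""
    missing = [i for i in range(n) if i not in received]
    if len(missing) > 1:
        return None
    data = dict(received)
    if missing and missing[0] != n - 1:          # a data packet is missing (losing only P is harmless)
        data[missing[0]] = xor_bytes([data[i] for i in range(n) if i != missing[0]])
    return [data[i] for i in range(n - 1)]


def choose_group_size(loss_rate):
    """A-FEC policy (assumption): fewer data packets per parity packet as the measured loss
    rate rises. Redundancy overhead is 1/group_size."""
    if loss_rate < 0.01:
        return 8
    if loss_rate < 0.05:
        return 4      # the slide's "P 4 3 2 1"
    return 2          # the slide's "P 4 3 P 2 1"


def transmit(packets, group_size, lost):
    """Encode, drop the transmitted packets whose wire index is in `lost`, decode per group.
    Returns one entry per group: the recovered data packets, or None if unrecoverable."""
    out, pos = [], 0
    for group in fec_encode(packets, group_size):
        n = len(group)
        received = {i: group[i] for i in range(n) if pos + i not in lost}
        pos += n
        out.append(fec_decode(received, n))
    return out


def run_demo():
    packets = [b"pkt1", b"pkt2", b"pkt3", b"pkt4"]   # constructed key traffic
    single = transmit(packets, 4, lost={1})           # lose pkt2 only: P restores it
    burst_fixed = transmit(packets, 4, lost={1, 2})   # lose pkt2 and pkt3: fixed 4:1 FEC fails
    # A-FEC on a 20% loss link picks group size 2, so the wire order becomes
    # [pkt1 pkt2 P] [pkt3 pkt4 P] and losing pkt2 and pkt3 costs each group only one packet.
    burst_adaptive = transmit(packets, choose_group_size(0.20), lost={1, 3})
    return single, burst_fixed, burst_adaptive


if __name__ == "__main__":
    for label, result in zip(("single loss", "burst, fixed", "burst, adaptive"), run_demo()):
        print(label, result)
```

Note that FEC restores availability only: a parity packet carries no integrity or origin check, so an injected or modified packet is "repaired" into the reconstructed data just as faithfully. Integrity has to come from a separate mechanism such as IPsec.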

Quiz
1. (Multiple-answer question) Which of the following are private line technologies? ( )
A. SDH

B. L2TP

C. MPLS VPN

D. IPsec VPN

2. (True or false) SPR technology can flexibly select egress links based on the link quality. ( )
A. True

B. False


1. AC

2. A
Summary
⚫ There are two WAN interconnection modes: private line and VPN.
⚫ To ensure WAN reliability, the link quality needs to be detected first, and then specific
technologies are used to select a proper egress or egress link based on the link quality.
⚫ There are many WAN optimization methods. Typically, QoS is used to control egress traffic
and FEC is used to ensure reliable data forwarding on WANs.

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright © 2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Key Technologies of WAN Interconnection
Foreword
⚫ Wide area interconnection technologies are diverse, and different technologies have
different application scenarios and backgrounds.
⚫ On the live network, GRE and L2TP are used as WAN interconnection technologies. To
ensure the security of GRE and L2TP tunnels, IPsec is used as an auxiliary technology.
⚫ On the live network, some WAN interconnection devices are located behind NAT devices.
Therefore, NAT traversal is needed in many WAN interconnection scenarios.
⚫ To ensure WAN interconnection reliability, multiple links are generally deployed in the
uplink. Multi-link routing is also an important WAN interconnection technology.
⚫ This course describes common technologies used in WAN interconnection scenarios.

Objectives

⚫ On completion of this course, you will be able to:


 Describe the working principles of common WAN interconnection technologies.
 Describe the working principles of IPsec.
 Describe the common solutions and basic principles of NAT traversal.
 Describe how intelligent traffic steering works in WAN interconnection.

Contents

1. Common Networking Technologies in WAN Interconnection


▪ GRE Fundamentals and Application Scenarios

▫ L2TP Fundamentals and Application Scenarios

2. Security Technologies in WAN Interconnection

3. NAT Traversal Technologies in WAN Interconnection

4. Intelligent Traffic Steering Technologies in WAN Interconnection

GRE Fundamentals GRE Security Mechanisms GRE Application Scenarios

GRE Background
⚫ As enterprises grow, more and more of them need communication between their branches and headquarters. Private lines
(such as MPLS and SDH/MSTP private lines) can be leased for this, but they are expensive; for small and medium-sized
enterprises or companies with sites in several countries, the cost is high.

⚫ The Internet, meanwhile, now offers sufficient bandwidth and coverage, so running the intranet communication between the
headquarters and branches over the Internet is more practical. GRE was proposed against this background.

[Figure: branch sites and the HQ interconnected over the Internet. Through GRE tunnels, the enterprise network is established between the branches and the headquarters on top of the Internet.]

Introduction to Tunneling Technologies


⚫ GRE is one of tunneling technologies. A tunnel is similar to a bridge. Forwarding channels are established on the underlying network
(for example, Internet). Users can establish a tunnel network by themselves without the intervention of the underlying network
provider (for example, an ISP).

⚫ There are many tunneling technologies, such as MPLS, GRE, Layer 2 Tunneling Protocol (L2TP), and Virtual Extensible LAN (VXLAN).
The following figure shows the implementation of tunnel data forwarding.

[Figure: implementation of tunnel data forwarding. The branch device encapsulates an outer header in front of the original packet (inner header + data). Devices on the underlying network (the Internet) forward the packet based on the outer header only and are unaware of the inner data. The HQ device decapsulates the outer header and forwards the original packet.]

Basic Concepts of GRE


⚫ As a Layer 3 tunneling technology, GRE encapsulates packets of a protocol into packets of another protocol to
transparently transmit packets over GRE tunnels. This technology enables packet transmission between the HQ and
branches.

⚫ GRE tunnels can transmit IPv4/IPv6 unicast, multicast, and broadcast packets.
⚫ GRE packet format:

  L2 Header | New IP Header | GRE Header | Raw IP Header | Payload

  GRE header (each row is 32 bits):

  C | 0 | K | 0 | 0 | Recursion | Flags | Version | Protocol Type
  Checksum (optional)                                | 0
  Key (optional)


• Description of fields in a GRE header:
  ▫ C: checksum bit. The value 1 indicates that the Checksum field is present in the GRE
    header; the value 0 indicates that it is absent.
  ▫ K: key bit. The value 1 indicates that the Key field is present in the GRE header;
    the value 0 indicates that it is absent.
  ▫ Recursion: number of times the packet has been GRE-encapsulated. The value is
    increased by 1 each time a GRE encapsulation is completed. If the number of
    encapsulation layers exceeds 3, the packet is discarded. This field prevents packets
    from being encapsulated endlessly.
  ▫ Flags: reserved field. The value must be 0.
  ▫ Version: version. The value must be 0.
  ▫ Protocol Type: type of the passenger protocol. The most common passenger protocol is
    IPv4, with the value 0x0800. Ethernet over GRE uses the value 0x6558.
  ▫ Checksum: checksum of the GRE header and the payload.
  ▫ Key: key used to verify the packet at the receive end.

GRE Fundamentals
⚫ The GRE tunnel is a Layer 3 tunnel and mainly carries IPv4/IPv6 packets. GRE encapsulates the outer IP header so
that data can be transmitted on the public network. In this way, enterprise branches and the headquarters can
communicate with each other.

⚫ The following figure shows the process of forwarding packets over a GRE tunnel.

[Figure: packet forwarding over a GRE tunnel between a branch (tunnel source IPA, host IP1) and the HQ (tunnel destination IPB, host IP2). The original packet (S: IP1, D: IP2, data) enters the branch GRE tunnel interface, which encapsulates it as (S: IPA, D: IPB, GRE, S: IP1, D: IP2, data). Devices on the underlying network forward the packet based on the outer IP header. The HQ tunnel interface decapsulates the outer header and delivers (S: IP1, D: IP2, data).]

Keepalive Detection
⚫ GRE itself has no link state detection mechanism. If the remote tunnel endpoint becomes unreachable, the local tunnel
interface does not go down by itself: the source keeps forwarding packets into the tunnel, the peer never receives them, and
the traffic is silently lost.

⚫ The keepalive detection function monitors the tunnel status to check whether the remote end is reachable.

Keepalive timeout interval = Sending interval (5s by default) x Retry count (3 by default)

[Figure: keepalive detection over a GRE tunnel. The source sends a GRE keepalive message and starts the timeout timer; the remote end replies with a keepalive message within the timeout interval, so the timer does not expire and the tunnel status stays normal.]

• Keepalive detection functions as follows:
  ▫ After keepalive detection is enabled on the source end of a GRE tunnel, the source
    end starts a timer to periodically send keepalive messages and counts them. The
    counter increases by one each time a keepalive message is sent.
  ▫ The destination end sends a response message to the source end each time it
    receives a keepalive message.
  ▫ If the source end receives a response before the counter reaches the preset value
    (the retry count), it considers the remote end reachable and resets the counter. If
    it does not receive any response before the counter reaches the retry count, it
    considers the remote end unreachable, resets the counter, and terminates the tunnel
    connection. The source interface nevertheless keeps sending keepalive messages; once
    the remote interface replies again, the source interface goes Up and re-establishes
    the tunnel.
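The keepalive counter logic from the notes above, as an added example (not Huawei code), driven as an event model. The slide gives only the defaults (5 s interval, 3 retries) and the formula, so the exact moment at which the tunnel is declared Down is an interpretation: a send that finds the counter already at the retry count, which gives the slide's interval x retry timeout. Reply timings are constructed.

```python
class GreKeepalive:
    """Keepalive state on the tunnel source. Interpretation of the slide notes (assumption):
    the counter goes up on every send and back to zero on every reply; the tunnel is declared
    down when a send finds the counter already at the retry count, i.e. after
    interval x retry seconds without any reply (15 s with the 5 s / 3 defaults)."""

    def __init__(self, interval=5, retry=3):
        self.interval = interval
        self.retry = retry
        self.unanswered = 0
        self.up = True
        self.history = []       # (time, "down" | "up") transitions

    @property
    def timeout(self):
        return self.interval * self.retry

    def on_send(self, now):
        """Timer fired: a keepalive goes out and is counted. Sending continues even when Down."""
        if self.unanswered >= self.retry and self.up:
            self.up = False
            self.history.append((now, "down"))
            self.unanswered = 0          # counter reset, as the notes describe
        self.unanswered += 1

    def on_reply(self, now):
        """Reply from the remote end: the peer is reachable."""
        self.unanswered = 0
        if not self.up:
            self.up = True
            self.history.append((now, "up"))


def simulate(ka, answered_sends, end_time):
    """Drive the timer from t=0 to end_time. `answered_sends` is the constructed set of send
    times whose keepalive the remote end answers before the next send."""
    t = 0
    while t <= end_time:
        ka.on_send(t)
        if t in answered_sends:
            ka.on_reply(t)
        t += ka.interval
    return list(ka.history)


def run_demo():
    healthy = simulate(GreKeepalive(), {0, 5, 10, 15, 20}, 20)   # every keepalive answered
    dead_peer = simulate(GreKeepalive(), set(), 30)              # peer never answers: down at 15 s
    recovering = simulate(GreKeepalive(), {0, 25, 30}, 30)       # peer silent after t=0, back at 25
    return healthy, dead_peer, recovering


if __name__ == "__main__":
    print(run_demo())
```

The practical consequence for reliability design: with the defaults, traffic can be black-holed for up to 15 s before the tunnel interface goes Down and routing can fail over, so lower the interval where the application cannot tolerate that. Keepalives are also unauthenticated GRE packets, so a spoofed reply can keep a dead tunnel looking Up.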

Security Threats to GRE Tunnels

⚫ GRE tunnels carry data between branches and the HQ in cleartext. The data is neither encrypted nor integrity-protected, so
anyone on the path can read it or tamper with it.

⚫ Tunnel establishment also carries risks. GRE itself does not authenticate the peer, so an attacker can forge the IP address
of an authorized endpoint and establish a GRE tunnel between an authorized device and an unauthorized one.

[Figure: two threats. Left, GRE data tampering: a packet (outer header, GRE, payload) is modified while crossing the tunnel. Right, unauthorized GRE tunnel setup: an unauthorized device establishes a tunnel with an authorized one.]

GRE Data Check and Verification

⚫ Checksum verification is an end-to-end integrity check on encapsulated packets.

⚫ If the C bit in the GRE header is set to 1, the Checksum field is present. The sender calculates the checksum over the GRE
header and payload and sends the packet carrying it. After receiving the packet, the receiver calculates the checksum in the
same way and compares the result with the checksum carried in the packet. If they match, the receiver continues processing the
packet; otherwise, it discards the packet.

⚫ The checksum detects accidental corruption and mismatched configuration. It is a plain one's-complement checksum, not a
cryptographic message authentication code: an attacker who deliberately modifies the payload can simply recompute the
checksum, so protection against tampering requires IPsec (see GRE over IPsec).

[Figure: data verification. A packet is sent with C=1 and Checksum=A. It is tampered with in transit; the receiver recomputes the checksum over the received packet and obtains B. Because the checksums are inconsistent, verification fails and the packet is discarded.]

• You can enable or disable checksum verification on each end of a tunnel independently.
  If checksum verification is enabled on the local end and disabled on the remote end, the
  local end does not check checksum values of received packets, but checks checksum
  values of packets to be sent. If checksum verification is disabled on the local end and
  enabled on the remote end, the local end checks checksum values of received packets,
  but does not check checksum values of packets to be sent.

GRE Key
⚫ Key authentication is used to verify validity of a tunnel interface. This security mechanism prevents tunnel interfaces
on two devices at both ends of a GRE tunnel from incorrectly identifying and receiving packets from other devices.
⚫ If the K bit in the GRE header is set to 1, a four-byte Key field is inserted into the GRE header. Both the receiver and
the sender need to authenticate the key. The GRE key is used to prevent unauthorized GRE tunnel
establishment.

[Figure: GRE key verification. Both ends of the tunnel are configured with GRE Key=10, and packets carry the Key field (K=1) in the GRE header. A third device configured with GRE Key=20 cannot establish the tunnel because the keys are inconsistent.]

• The Key field identifies traffic in a tunnel: packets of the same traffic flow use the
  same key, and during decapsulation GRE identifies the data packets of a flow based on
  the key. Packets pass verification only when the two ends of the tunnel use the same
  Key field; packets that fail verification are discarded. Successful authentication
  requires that both ends are either configured with the same key or both configured
  without a key.
• Note that the Key field is carried in cleartext in every packet and is not a
  cryptographic credential. It protects against misconfiguration and casual spoofing,
  not against an attacker who can observe tunnel traffic and copy the key. Where peer
  authentication matters, protect the GRE tunnel with IPsec.
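The GRE header layout from "Basic Concepts of GRE", the checksum behaviour from "GRE Data Check and Verification" and the key check from "GRE Key", as one added example (not Huawei code). The checksum is the standard Internet one's-complement sum (RFC 1071) that GRE uses, and the Key is the 32-bit field of RFC 2890; the inner packet, the key values and the tampering scenario are constructed.

```python
import struct

GRE_FLAG_C = 0x8000        # Checksum present
GRE_FLAG_K = 0x2000        # Key present
GRE_PROTO_IPV4 = 0x0800
GRE_PROTO_ETHERNET = 0x6558


class GreError(ValueError):
    pass


def ones_complement_checksum(data):
    """Standard Internet checksum (RFC 1071) used by the GRE Checksum field."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload, proto=GRE_PROTO_IPV4, key=None, checksum=False):
    """Build GRE header + payload. Layout: flags/version, protocol type, then the optional
    Checksum word (checksum + 16 zero bits) and the optional 32-bit Key, in that order."""
    flags = (GRE_FLAG_C if checksum else 0) | (GRE_FLAG_K if key is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)            # placeholder, filled in below
    if key is not None:
        header += struct.pack("!I", key)
    if checksum:
        csum = ones_complement_checksum(header + payload)  # over GRE header and payload
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def gre_decapsulate(packet, expected_key=None):
    """Return (protocol type, payload). Raises GreError when the version is not 0, the checksum
    does not verify, or the Key does not match what this end is configured with."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:                                  # Version is the low 3 bits and must be 0
        raise GreError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_C:
        # A valid packet sums to 0 when the checksum field itself is included.
        if ones_complement_checksum(packet) != 0:
            raise GreError("checksum mismatch: corrupted or altered packet")
        offset += 4
    key = None
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if key != expected_key:                             # both ends need the same key, or neither
        raise GreError("key mismatch: got %r, expected %r" % (key, expected_key))
    return proto, packet[offset:]


def is_rejected(packet, expected_key=None):
    try:
        gre_decapsulate(packet, expected_key)
        return False
    except GreError:
        return True


# Constructed inner packet (header-like bytes plus a payload; not a complete IPv4 datagram).
INNER = b"\x45\x00\x00\x1c\x00\x01\x00\x00\x40\x11\x00\x00\x0a\x00\x00\x01\x0a\x00\x00\x02payload"


def run_demo():
    good = gre_encapsulate(INNER, key=10, checksum=True)
    proto, inner = gre_decapsulate(good, expected_key=10)
    corrupted = good[:-1] + bytes([good[-1] ^ 0xFF])            # one flipped byte: checksum catches it
    wrong_key = gre_encapsulate(INNER, key=20, checksum=True)   # peer configured with Key=20
    # An attacker who can rewrite the packet simply recomputes the checksum, and the
    # cleartext Key is copied from any observed packet: neither field is a security control.
    forged = gre_encapsulate(INNER[:-7] + b"FORGED!", key=10, checksum=True)
    return {
        "roundtrip": proto == GRE_PROTO_IPV4 and inner == INNER,
        "header_len": len(good) - len(INNER),
        "corrupted_rejected": is_rejected(corrupted, 10),
        "wrong_key_rejected": is_rejected(wrong_key, 10),
        "forged_accepted": not is_rejected(forged, 10),
    }


if __name__ == "__main__":
    print(run_demo())
```

The last result is the one to remember: a forged packet with a recomputed checksum and a copied key is accepted exactly like a genuine one, which is why the GRE over IPsec slide that follows is part of the security design rather than an optional add-on.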

Using GRE to Build an Intranet Between the HQ and Branches


⚫ GRE tunnels can transmit IPv4/IPv6 unicast, multicast, and broadcast packets. Dynamic routing neighbor
relationships can be configured between branches and the HQ through GRE tunnels, facilitating intranet
interconnection between branches and the HQ.

[Figure: Branch 1 and Branch 2 (OSPF area 1) connected to the HQ (OSPF area 0) over GRE tunnels.]

GRE Over IPsec

⚫ GRE is simple, but data is transmitted over a GRE tunnel in cleartext and can be read by anyone on the path. On the live
network, GRE is therefore usually combined with IPsec: GRE establishes the internal network connection between the branch
and the headquarters, and IPsec encrypts and authenticates the GRE tunnel packets.

[Figure: GRE over IPsec data encapsulation. The GRE tunnel runs inside the IPsec tunnel across the Internet: IP data is GRE-encapsulated, the GRE packet is carried as IPsec data, and the original IP data is restored at the far end.]

Limitations of MPLS VPN Networking


⚫ To connect a CE to an MPLS VPN, you must use a physical link to directly connect the CE to a PE on the MPLS
backbone network.
⚫ In actual networking, however, not all CEs and PEs can be directly connected through physical links. For example,
for multiple organizations that connect to the Internet or IP backbone network, their CEs may be far away from the
PEs on the MPLS backbone network; therefore, they cannot be connected directly. Devices in these organizations
cannot directly access the internal sites of the MPLS VPNs through the Internet or IP backbone network.

[Figure: Branch 1 and Branch 2 reach the branch aggregation PE over the Internet through indirectly connected links, while the MPLS backbone carries VPN1 (DC1 egress) and VPN2 (DC2 egress). Because the CEs are not directly connected to the PE, the VPN to which the branch traffic belongs cannot be identified.]

Connecting to the MPLS VPN Through GRE Tunnels


⚫ To enable a CE to access the MPLS VPN and ensure data transmission security, you can connect the CE and a PE
through a public or private network, create a GRE tunnel between the CE and the PE, and associate the VPN with
the GRE tunnel interface on the PE.

[Figure: each branch builds a GRE tunnel over the Internet to the branch aggregation PE. The PE binds the GRE tunnel interface of Branch 1 to VRF1 and that of Branch 2 to VRF2, and MPLS VPN tunnels carry the traffic on to VPN1 (DC1 egress) and VPN2 (DC2 egress).]
Contents

1. Common Networking Technologies in WAN Interconnection


▫ GRE Fundamentals and Application Scenarios
▪ L2TP Fundamentals and Application Scenarios

2. Security Technologies in WAN Interconnection

3. NAT Traversal Technologies in WAN Interconnection

4. Intelligent Traffic Steering Technologies in WAN Interconnection

Fundamentals Application Scenarios

L2TP Overview
⚫ By combining the advantages of the Layer 2 Forwarding (L2F) and Point-to-Point Tunneling
Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) is an industry standard defined by the
IETF. L2TP is a virtual private dialup network (VPDN) tunneling protocol that extends Point-
to-Point Protocol (PPP) applications. It is an important VPN technology that provides access
services for employees on the go to remotely access intranet resources.


Basic Architecture of L2TP

⚫ NAS: A network access server (NAS) is maintained by an ISP and connects to a dialup network.
⚫ LAC: An L2TP access concentrator (LAC) provides PPP and L2TP processing capabilities on a packet switched network.
⚫ LNS: An L2TP network server (LNS) is the peer device of an LAC. That is, an L2TP tunnel is established between them.
⚫ Tunnel and session: An L2TP tunnel is established between an LAC and an LNS. Multiple L2TP tunnels can be established
between an LAC and an LNS, and an L2TP tunnel can contain multiple L2TP sessions.

[Figure: L2TP architecture. PPP terminals in an enterprise branch reach a NAS (LAC) on the dialup network; an L2TP client (LAC) on a branch gateway and a client (LAC) on a remote PC also act as LACs. Each LAC establishes an L2TP tunnel across the network to the LNS at the HQ, and L2TP sessions run inside the tunnel.]

• NAS
▫ A network access server (NAS) is maintained by an ISP and connects to a
dialup network. It is the nearest access point for PPP terminals. An NAS is
used on a traditional dialup network. An ISP deploys an LAC on an NAS to
provide L2TP services for remote dialup users and to establish tunnel
connections with the enterprise headquarters.
• LAC
▫ An L2TP access concentrator (LAC) provides PPP and L2TP processing
capabilities on a packet switched network. An LAC establishes an L2TP
tunnel connection with an L2TP network server (LNS) based on the user
name or domain name carried in PPP packets to extend PPP negotiation to
the LNS. Different networking environments can have different devices
functioning as an LAC.
▪ NAS-initiated scenario: On a traditional dialup network, an ISP deploys
an LAC on an NAS. Alternatively, on the Ethernet of an enterprise
branch, the ISP deploys a gateway for PPP terminals. The gateway
functions as both a PPPoE server and an LAC.
▪ L2TP client-initiated scenario: In an enterprise branch, an L2TP client
functioning as an LAC is configured on the gateway to initiate an L2TP
tunnel establishment request to an LNS. In this case, no dialup is
required in the remote system to trigger L2TP tunnel establishment.
▪ Client-initiated scenario: An employee on the go uses a PC or mobile
terminal to access the Internet and uses the L2TP dialup software on the
PC or mobile terminal. In this scenario, the PC or mobile terminal
functions as an LAC.
▫ An LAC can establish multiple L2TP tunnels to isolate data flows. That is, it
can carry multiple L2TP connections.
• LNS
▫ An LNS terminates PPP sessions. After being authenticated by the LNS,
remote users successfully set up PPP sessions with the LNS and can access
resources in the enterprise headquarters. For L2TP negotiation, the LNS is
the peer device of the LAC. That is, an L2TP tunnel is established between
the LAC and the LNS. For PPP, the LNS is the logical endpoint of a PPP
session. That is, a point-to-point virtual link is set up between the PPP
terminal and the LNS.

  ▫ An LNS, located at the border between the enterprise headquarters' private network
    and the public network, is usually a gateway of the enterprise headquarters. If
    necessary, the LNS also provides the network address translation (NAT) function to
    translate private IP addresses on the enterprise headquarters network into public
    IP addresses.

Message Structure of L2TP


⚫ L2TP contains two types of messages: control messages and data messages.
 Control messages are used to establish, maintain, and tear down L2TP tunnels and sessions.
 Data messages encapsulate PPP data frames and are transmitted over L2TP tunnels.

Control message structure: IP Header | UDP Header | L2TP Header | L2TP Control Data

Data message structure: New IP Header | UDP Header | L2TP Header | PPP Header | Original IP Header | Traffic Data

[Figure: an IP packet from the enterprise branch is PPP-encapsulated towards the NAS (LAC), L2TP-encapsulated across the dialup network to the LNS, and delivered to the enterprise HQ.]

• Control message
▫ Control messages are used to establish, maintain, and tear down L2TP tunnels
and sessions. During the transmission of control messages, mechanisms such
as retransmission of lost messages and periodic detection of tunnel
connectivity are used to ensure the reliability of control message transmission.
Traffic control and congestion control on control messages are supported.
▫ Control messages are transmitted over an L2TP control channel. The control
channel encapsulates control messages with L2TP headers and transmits them
over an IP network.
• Data message
▫ Data messages are used to encapsulate PPP frames, which are transmitted
over tunnels, but such tunnels are unreliable. That is, a lost data message is
not retransmitted, and traffic control and congestion control on data
messages are not supported.
▫ Data messages carrying PPP frames are transmitted over unreliable data
channels. PPP frames are encapsulated using L2TP and then transmitted over
the IP network.
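The control and data message framing described above, as an added example that is not code from the training material: it builds and parses the L2TP header that follows the UDP header in both message types. The field layout is taken from RFC 2661; the tunnel ID, session ID and PPP bytes are constructed samples.

```python
"""L2TP (RFC 2661) header framing: control messages vs. data messages.

Added example, not code from the training material. Control-message AVPs
and the PPP frame are carried as opaque bytes (constructed samples below).
"""
import struct

L2TP_UDP_PORT = 1701     # well-known L2TP port (RFC 2661)
FLAG_T, FLAG_L, FLAG_S, FLAG_O, FLAG_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100
VERSION_MASK = 0x000F


def build_l2tp(control, tunnel_id, session_id, ns=None, nr=None, payload=b""):
    """Return an L2TP header followed by payload.

    Control messages carry Length, Ns and Nr (T, L and S bits set) so the
    control channel can detect and retransmit lost messages. Data messages
    only need the tunnel and session IDs; Ns/Nr are optional and omitted here.
    """
    flags = 2                                   # Ver = 2
    if control:
        if ns is None or nr is None:
            raise ValueError("control messages require Ns and Nr")
        flags |= FLAG_T | FLAG_L | FLAG_S
    header = struct.pack("!H", flags)
    if flags & FLAG_L:
        header += struct.pack("!H", 0)          # Length placeholder, patched below
    header += struct.pack("!HH", tunnel_id, session_id)
    if flags & FLAG_S:
        header += struct.pack("!HH", ns, nr)
    msg = header + payload
    if flags & FLAG_L:
        msg = msg[:2] + struct.pack("!H", len(msg)) + msg[4:]
    return msg


def parse_l2tp(buf):
    """Parse one L2TP message; return (fields, payload) or raise ValueError."""
    if len(buf) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack("!H", buf[:2])[0]
    if (flags & VERSION_MASK) != 2:
        raise ValueError("unsupported L2TP version %d" % (flags & VERSION_MASK))
    control = bool(flags & FLAG_T)
    # RFC 2661: control messages MUST set L and S and MUST NOT set O.
    if control and (not (flags & FLAG_L) or not (flags & FLAG_S) or (flags & FLAG_O)):
        raise ValueError("invalid flag combination for a control message")
    pos, fields = 2, {"control": control}
    if flags & FLAG_L:
        length = struct.unpack("!H", buf[pos:pos + 2])[0]
        if length > len(buf) or length < 6:
            raise ValueError("Length field %d does not fit the datagram" % length)
        buf = buf[:length]                      # bytes beyond Length are ignored
        pos += 2
    if len(buf) < pos + 4:
        raise ValueError("truncated L2TP header")
    fields["tunnel_id"], fields["session_id"] = struct.unpack("!HH", buf[pos:pos + 4])
    pos += 4
    if flags & FLAG_S:
        if len(buf) < pos + 4:
            raise ValueError("truncated L2TP header")
        fields["ns"], fields["nr"] = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
    if flags & FLAG_O:
        if len(buf) < pos + 2:
            raise ValueError("truncated L2TP header")
        pos += 2 + struct.unpack("!H", buf[pos:pos + 2])[0]   # skip offset padding
        if pos > len(buf):
            raise ValueError("offset padding exceeds datagram")
    payload = buf[pos:]
    # A control message with no AVPs is a ZLB ACK, used only to acknowledge Nr.
    fields["zlb"] = control and len(payload) == 0
    return fields, payload


def demo():
    """Constructed samples: tunnel 5, session 7; the PPP frame is a placeholder."""
    ppp_frame = b"\xff\x03\x00\x21" + b"\x45" + bytes(19)   # PPP header + IP packet
    data_msg = build_l2tp(False, 5, 7, payload=ppp_frame)
    ctrl_msg = build_l2tp(True, 5, 0, ns=3, nr=4)           # ZLB ACK on the tunnel
    return parse_l2tp(data_msg), parse_l2tp(ctrl_msg)
```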

Working Process of L2TP


⚫ L2TP can be used to transmit data. The working process of L2TP is as follows:
 Establishing an L2TP tunnel
 Establishing an L2TP session
 Transmitting PPP packets

[Figure: enterprise branch, NAS (LAC), dialup network, LNS and enterprise HQ, with a RADIUS server and a DNS server on the LAC side and a RADIUS server at the enterprise HQ]
1. Call connection setup
2. PPP LCP negotiation
3. PAP/CHAP authentication
4. Authentication result (RADIUS server)
5. LNS IP address resolution (DNS server)
6. L2TP tunnel establishment
7. L2TP session establishment
8. PPP negotiation message
9. (Optional) CHAP re-authentication
10. Authentication result (RADIUS server at the enterprise HQ)
11. IP address allocation after a successful L2TP connection
12. Communication between the enterprise branch and headquarters

• Establishing an L2TP tunnel
▫ After receiving a PPP negotiation request from a remote user, the LAC sends
an L2TP tunnel establishment request to the LNS. The LAC and the LNS
exchange L2TP control messages to negotiate the tunnel ID and tunnel
authentication information. After the negotiation succeeds, an L2TP tunnel is
established between them and identified by the tunnel ID.
• Establishing an L2TP session
▫ If an L2TP tunnel exists, the LAC and the LNS exchange control messages to
negotiate the session ID. If no L2TP tunnel exists, the LAC and the LNS
establish an L2TP tunnel first. The L2TP session carries LCP negotiation
information and user authentication information of the LAC. After
authenticating such information, the LNS notifies the LAC of the session
establishment. The L2TP session is identified by a session ID.
• Transmitting PPP packets
▫ After the L2TP session is established, the PPP terminal sends data packets to
the LAC. The LAC encapsulates the L2TP packets based on information such as
the L2TP tunnel and session ID and sends the packets to the LNS. The LNS
decapsulates the L2TP packets and sends the packets to the destination host
based on the routing and forwarding table.

Mobile Office
⚫ Employees on the go connect to the intranet through L2TP. The LNS can authenticate access
users and assign private IP addresses to them. If ACLs are configured, the LNS can also
manage access rights of access users.

[Figure: an employee on the go with a PC running L2TP software connects through an L2TP-encapsulated connection to the LNS at the enterprise HQ]

• Employees on the go may need to communicate with the headquarters and
access intranet resources of the headquarters at any time. Although they can
access the headquarters gateway through the Internet, the headquarters
gateway cannot identify and manage access users. To address this issue,
configure the headquarters gateway as an LNS, so that virtual point-to-point
connections can be established between the employees on the go and the
headquarters gateway when the employees use the L2TP dialup software on the
PC to initiate L2TP connections.

Interconnection Between Branches and the Headquarters


⚫ An enterprise sets up a VPN to connect its branch network to its headquarters network. After IP
packets from branch users reach the L2TP client, the L2TP client forwards the packets to the virtual
dialup interface. The virtual dialup interface forwards the packets to the LNS, which then forwards the
packets to the destination host.

[Figure: PC, enterprise branch with an L2TP client, LNS at the enterprise HQ, and PC; traffic between the L2TP client and the LNS is L2TP-encapsulated]

• An enterprise has some branches located in other cities, and its branches use the
Ethernet and have gateways deployed for branch users to access the Internet.
The headquarters provides access services for branches. VPDN connections need
to be established between branches and the headquarters gateway. Any branch
user is allowed to access the headquarters network, and only the branch
gateways need to be authenticated. In this case, the headquarters gateway
functions as the LNS, and the branch gateways function as the L2TP clients.
Virtual dialup is created on the branch gateways to trigger L2TP tunnel
connections to the headquarters network. A virtual point-to-point connection is
established between an L2TP client and the LNS. After IP packets of branch users
reach an L2TP client, the L2TP client forwards the packets to the virtual dialup
interface. The virtual dialup interface forwards the packets to the LNS, which
then forwards the packets to the destination host.

Interconnection Between Employees in Branches and the Headquarters
⚫ Branch employees use PPPoE dialup software to connect to the headquarters network, and the branch
gateway functions as the PPPoE server and LAC to forward call requests from branch users to the
headquarters network.

[Figure: a PPP terminal (PPPoE client) in the enterprise branch reaches the branch gateway (L2TP client) over PPPoE; the L2TP client carries the traffic to the LNS at the enterprise HQ with L2TP encapsulation]

• An enterprise has some branches located in other cities, and its branches use the
Ethernet and have gateways deployed for branch users to access the Internet.
Headquarters users need to communicate with branch users, and the
headquarters uniformly manages access of branch users. Therefore, L2TP is used
to deploy the headquarters gateway as an LNS. Dialup packets of branch users
cannot be transmitted directly over the Ethernet. Therefore, PPPoE dialup
software needs to be deployed as a PPPoE client on the terminal that initiates the
dialup packets, and the branch gateway functions as a PPPoE server and an LAC
to forward call requests of branch users to the headquarters.
Contents
1. Common Networking Technologies in WAN Interconnection
2. Security Technologies in WAN Interconnection
▪ Basic Concepts of IPsec
▫ IPsec Fundamentals
▫ IPsec Application Scenarios
3. NAT Traversal Technologies in WAN Interconnection
4. Intelligent Traffic Steering Technologies in WAN Interconnection
IPsec Overview IPsec Framework

IPsec Background
⚫ Enterprise branches often need to communicate with each other. They can communicate using many methods, for example, using
private lines or Internet links.
 Considering costs and requirements, some enterprises choose to use Internet links for interconnection. However, data may be
intercepted when being transmitted on the Internet, posing security risks.
 IPsec technology encrypts data packets to secure enterprise interconnections.

[Figure: enterprise WAN interconnection between several branch sites and the HQ across a carrier network (WAN)]

IPsec Overview
⚫ The IPsec protocol suite is a series of security protocols developed by the Internet Engineering Task Force (IETF). It provides a
cryptology-based, interoperable, and high-quality security protection mechanism for end-to-end IP packet exchange.


IPsec encrypts and authenticates data to ensure secure data transmission on the Internet.

IPsec VPN technology can be used with multiple VPN technologies to provide flexible and secure enterprise interconnections.

[Figure: GRE over IPsec between the enterprise branch egress and the enterprise HQ egress across a carrier network; a GRE tunnel runs inside the IPsec tunnel, data is encrypted and authenticated at both egresses, and data is encrypted in transit]

• On the live network, GRE over IPsec technology is typically used for interconnection between branch sites. IPsec technology
ensures secure data transmission, and GRE technology ensures interconnection between enterprise intranets.

Data Encryption
⚫ Data encryption prevents data from being leaked during data forwarding. Two data encryption methods are available:
 Symmetric encryption: The same key is used for encryption and decryption, which is highly efficient. However, the key may be intercepted during
key exchange.
 Asymmetric encryption: The public key is used for encryption and the private key is used for decryption. Data security is high but the data encryption
and decryption efficiency is low.

[Figure: symmetric encryption between RT1 and RT2 (the same key A is preconfigured or transmitted in advance; RT1 encrypts, forwards the encrypted data, and RT2 decrypts with key A) and asymmetric encryption (RT2 automatically generates a key pair, public key B and private key B, and sends public key B to RT1; RT1 encrypts with public key B, forwards the encrypted data, and RT2 decrypts with private key B)]

• The symmetric encryption algorithm is also called traditional cryptographic
algorithm, in which the encryption key can be calculated from the decryption key.
The sender and receiver share the same key, which is used for both encryption
and decryption. Symmetric key encryption is an effective method for encrypting a
large amount of data. There are many algorithms for symmetric key encryption,
and all of them aim to convert between cleartext (unencrypted data) and
ciphertext. Because symmetric key encryption uses the same key for data
encryption and decryption, data security depends on whether unauthorized users
obtain the symmetric key. If two communicating parties want to use the
symmetric key to encrypt data, they must exchange the key securely before
exchanging the encrypted data.

• An asymmetric algorithm is also called public key algorithm, in which a public
key is used for encryption and a private key for decryption. The two keys are
mathematically related. In public key encryption, the public key can be publicly
transmitted between two communicating parties or released in the public
repository, but the private key is confidential. The data encrypted using the public
key can be decrypted only using the private key. The data encrypted using the
private key can be decrypted only using the public key.

Data Authentication
⚫ The main purpose of data authentication is to check whether data is tampered with. Data authentication is mainly
based on the hash algorithm.
 A unique hash value is calculated based on the hash algorithm and then carried in the data before being forwarded to the peer device.
 The peer device hashes the data again to obtain the hash value. It then compares the received hash value with the calculated one. If they are the same,
the data is not tampered with.

[Figure: RT1 runs the hash algorithm over the data to obtain hash value A and forwards the data together with hash value A; RT2 runs the same hash algorithm over the received data to obtain hash value B and compares the two hash values]

IPsec Encryption
⚫ IPsec uses both symmetric encryption and asymmetric encryption, ensuring data security and performance.
 Uses an asymmetric algorithm to encrypt and transmit the key used for symmetric encryption.
 Uses the exchanged symmetric key to encrypt data.

[Figure: IPsec encryption and decryption between two IPsec devices over an IPsec tunnel. Step 1, asymmetric encryption: the symmetric key is exchanged (encrypted with the public key, decrypted with the private key). Step 2, symmetric encryption: after the symmetric key is exchanged, user data is encrypted and decrypted using the symmetric key.]

SA
⚫ A security association (SA) is an agreement between two IPsec peers on certain elements. For example, Data
Encryption Standard (DES) is used as the encryption algorithm, Message Digest Algorithm 5 (MD5) is used as the
authentication algorithm, and tunnel is used as the encapsulation mode.

⚫ An IPsec SA can be established manually or through Internet Key Exchange (IKE) negotiation.

[Figure: establishing IPsec SAs manually (authentication policy 1, encryption policy 1, key 1 and so on are configured on each device) versus through IKE negotiation (the IKE modules on both devices negotiate the IKE SA and then the IPsec SA, arriving at unified encryption and authentication elements: authentication and encryption policy 1, key 1 and so on)]

• IPsec technology supports multiple data encryption, authentication, and
encapsulation algorithms. When devices at both ends use IPsec for secure
communication, they must use the same encryption and authentication
algorithms. Therefore, a mechanism is required to help the devices negotiate
these parameters.

• An IPsec SA can be established in either of the following ways:
▫ Manual configuration: The management cost of manually established IPsec
SAs is high. This is because the encryption and authentication modes need to
be manually configured, SAs need to be manually updated, and SA
information permanently exists, resulting in low security. This mode applies to
small-scale networks.
▫ IKE negotiation: The management cost of IPsec SAs established through IKE
negotiation is low. The encryption and authentication modes are generated
using the Diffie-Hellman (DH) algorithm, SA information is generated
periodically, and SAs are dynamically updated. This mode applies to small-,
medium-, and large-sized networks.

• An SA is uniquely identified by three parameters: security parameter index (SPI),
destination IP address, and security protocol ID (AH or ESP).
• An IKE SA is used to establish a secure channel for exchanging IPsec SAs.

Key Exchange
⚫ On the live network, the Internet Key Exchange (IKE) protocol is typically used to exchange symmetric keys.
⚫ IKE is a UDP-based application-layer protocol. It is built upon the framework defined by the Internet Security
Association and Key Management Protocol (ISAKMP). IPsec uses IKE for key auto-negotiation and IPsec SA
establishment, simplifying IPsec configuration and maintenance.

[Figure: IKE using ISAKMP for SA exchange. The IKE modules on two IPsec devices negotiate SAs over the IPsec tunnel by exchanging ISAKMP messages (IP Header | UDP:500 | ISAKMP Data).]

• IKE supports the following authentication algorithms: MD5, Secure Hash
Algorithm 1 (SHA1), SHA2-256, SHA2-384, SHA2-512, and SM3.

• IKE supports the following encryption algorithms: DES, 3DES, AES-128, AES-192,
AES-256, SM1, and SM4.

• ISAKMP is defined in RFC 2408, which defines the procedures for negotiating,
establishing, modifying, and deleting SAs and defines the ISAKMP message
format. ISAKMP provides a general framework for SA attributes and the methods
of negotiating, modifying, and deleting SAs, without defining the specific SA
format.
• ISAKMP messages can be transmitted using UDP or TCP through port 500. In
most cases, ISAKMP messages are transmitted using UDP.

Data Encryption and Authentication


⚫ IPsec provides two security mechanisms: authentication and encryption.
 IPsec uses symmetric encryption algorithms to encrypt and decrypt data. These algorithms require that the sender and receiver use the same key (a
symmetric key) to encrypt and decrypt data.
 IPsec uses the Hash-based Message Authentication Code (HMAC) function to compare digital signatures to check data integrity and authenticity.

[Figure: data encryption, decryption, and authentication. Sender: the user packet passes through the encryption algorithm with the symmetric key to produce an encrypted packet, then through the authentication algorithm (HMAC) to produce the encrypted packet plus ICV. Receiver: the authentication algorithm (HMAC) recomputes the ICV and checks whether the two values are consistent; if not, the packet is discarded, otherwise the encryption algorithm (decryption) restores the user packet. The symmetric key exchange is manually configured or automatically negotiated through IKE.]

• Integrity check value (ICV) is used by the receiver for integrity check. Available
authentication algorithms are MD5, SHA1, SHA2, and SM3.
• Common symmetric encryption algorithms used by IPsec include Data Encryption
Standard (DES), Triple Data Encryption Standard (3DES), Advanced Encryption
Standard (AES), and algorithms approved by State Cryptography Administration,
such as SM1 and SM4. DES and 3DES are not recommended because they are
insecure and pose security risks.

• Common authentication algorithms used by IPsec include MD5, SHA1, SHA2, and
SM3. MD5 and SHA1 are not recommended because they are insecure and pose
security risks.
• IPsec encryption cannot verify the authenticity or integrity of information after
decryption. IPsec uses the HMAC function to compare digital signatures to check
integrity and authenticity of data packets. In most cases, encryption and
authentication are used together. The IPsec sender uses the authentication
algorithm and symmetric key to generate a digital signature for the encrypted
packet and sends the IP packet and digital signature to the receiver. The receiver
uses the same authentication algorithm and symmetric key to process the
encrypted packet and then generates a digital signature. Then the receiver
compares the received and generated digital signatures to verify the data
integrity and authenticity. If the packet passes the verification, the receiver
decrypts it. Otherwise, the receiver discards it.

Security Protocols
⚫ IPsec provides two transport layer protocols for authentication or encryption: Authentication Header (AH) and
Encapsulating Security Payload (ESP).
 AH provides only authentication but no encryption capabilities.
 ESP provides both authentication and encryption.

AH header format (32-bit rows): Next Header | Payload Len | Reserved; Security Parameters Index (SPI); Sequence Number; Authentication Data (variable), which carries the Integrity Check Value (ICV).

ESP header format (32-bit rows): ESP Header = Security Parameters Index (SPI); Sequence Number. Payload Data (variable). ESP Trailer = Padding (0-255 octets); Pad Len; Next Header. ESP Authentication = Authentication Data (variable), which carries the Integrity Check Value (ICV). The Payload Data and ESP Trailer are encrypted; the ESP Header, Payload Data and ESP Trailer are authenticated.

• AH provides only authentication but no encryption capabilities. According to the
AH protocol, an AH header is appended to the standard IP header in each packet.
The sender performs hash calculation on packets and an authentication key.
After packets carrying the calculation result arrive at the receiver, the receiver
also performs hash calculation and compares the calculation result with the
received calculation result. Any changes to the data during transmission will
make the calculation result invalid. This implements data origin authentication
and integrity verification. AH provides data integrity check on an entire IP packet.
• ESP provides both authentication and encryption. An ESP header is appended to
the standard IP header in each data packet, and the ESP Trailer and ESP Auth
data fields are appended to each data packet. In contrast to AH, ESP encrypts the
payload before encapsulating it into a data packet to ensure data confidentiality,
and protects the IP header only in tunnel mode.

• Key fields:
▫ Sequence Number: This field is a counter that monotonically increases from 1.
It uniquely identifies a packet to prevent replay attacks.
▫ SPI: This field uniquely identifies an IPsec SA.
▫ Authentication Data: This field contains the Integrity Check Value (ICV) and is
used by a receiver for data integrity check. Available authentication algorithms
are MD5, SHA1, SHA2, and SM3.

Encapsulation Modes
⚫ IPsec encapsulation is a process of adding AH or ESP fields to original IP packets for packet authentication and
encryption. This process is implemented in transport or tunnel mode.
⚫ On the live network, the tunnel mode is often used for encapsulation.

Tunnel mode:
AH: New IP Header | AH Header | Raw IP Header | Data (the entire packet is authenticated)
ESP: New IP Header | ESP Header | Raw IP Header | Data | ESP Trailer | ESP Auth data (Raw IP Header, Data and ESP Trailer are encrypted; ESP Header through ESP Trailer are authenticated)
AH-ESP: New IP Header | AH Header | ESP Header | Raw IP Header | Data | ESP Trailer | ESP Auth data (Raw IP Header, Data and ESP Trailer are encrypted; ESP authenticates ESP Header through ESP Trailer; AH authenticates the entire packet)

Transport mode:
AH: IP Header | AH Header | Data (the entire packet is authenticated)
ESP: IP Header | ESP Header | Data | ESP Trailer | ESP Auth data (Data and ESP Trailer are encrypted; ESP Header through ESP Trailer are authenticated)
AH-ESP: IP Header | AH Header | ESP Header | Data | ESP Trailer | ESP Auth data (Data and ESP Trailer are encrypted; ESP authenticates ESP Header through ESP Trailer; AH authenticates the entire packet)

• In transport mode, an AH or ESP header is added between an IP header and a
transport-layer protocol (TCP, UDP, or ICMP) header to protect the TCP, UDP, or
ICMP payload. As no additional IP header is added, IP addresses in the original
packets are visible in the IP header of the post-encrypted packet.
• In tunnel mode, an AH or ESP header is added before the raw IP header and then
encapsulated into a new IP packet with a new IP header to protect the IP header
and payload.
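The ESP layout from the Security Protocols slide and the two encapsulation modes above, as an added example that is not code from the training material: a sender builds ESP packets in transport and tunnel mode, and a receiver checks the SPI, the sequence number against a sliding anti-replay window, and the ICV before it strips the trailer. It assumes NULL encryption with an HMAC-SHA256 ICV truncated to 16 bytes; the key, SPI and packet bytes are constructed samples.

```python
"""ESP framing in transport and tunnel mode with an anti-replay window.

Added example, not code from the training material. It assumes an SA with
NULL encryption (RFC 2410) and an HMAC-SHA256 ICV truncated to 16 bytes so
that it needs only the standard library; a real SA also encrypts payload
and trailer. Keys, SPI and packet bytes are constructed samples.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16                     # HMAC-SHA-256-128 style truncation (assumption)
NH_IPV4 = 4                      # Next Header in tunnel mode: a whole IP packet follows
NH_UDP = 17                      # Next Header in transport mode: a UDP header follows
ESP_HDR = struct.Struct("!II")   # ESP Header: SPI, Sequence Number


def esp_encapsulate(spi, seq, next_header, payload, auth_key, inner_ip=b""):
    """Return ESP Header | [raw IP header] | payload | ESP Trailer | ICV.

    Transport mode: inner_ip is empty; the original IP header stays in front
    of the ESP header. Tunnel mode: inner_ip is the raw IP header and the
    sender prepends a new IP header afterwards.
    """
    body = inner_ip + payload
    pad_len = (-(len(body) + 2)) % 4         # Pad Len + Next Header end on a 32-bit boundary
    padding = bytes(range(1, pad_len + 1))   # RFC 4303 default padding 1, 2, 3, ...
    authed = ESP_HDR.pack(spi, seq) + body + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    return authed + icv


class EspReceiver:
    """Inbound SA state: SPI, integrity key and a sliding anti-replay window."""

    def __init__(self, spi, auth_key, window=64):
        self.spi, self.auth_key, self.window = spi, auth_key, window
        self.top = 0       # highest sequence number verified so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def _replay_check(self, seq):
        if seq == 0:                             # sequence numbers start at 1
            return False
        if seq > self.top:                       # right of the window: new
            return True
        if seq <= self.top - self.window:        # left of the window: too old
            return False
        return not ((self.bitmap >> (self.top - seq)) & 1)

    def _replay_update(self, seq):
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def decapsulate(self, esp):
        """Return (next_header, inner bytes); raise ValueError when the packet is discarded."""
        if len(esp) < ESP_HDR.size + 2 + ICV_LEN:
            raise ValueError("truncated ESP packet")
        spi, seq = ESP_HDR.unpack_from(esp)
        if spi != self.spi:
            raise ValueError("no SA for SPI 0x%x" % spi)
        if not self._replay_check(seq):
            raise ValueError("replayed or stale sequence number %d" % seq)
        authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        expected = hmac.new(self.auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            raise ValueError("ICV mismatch")           # discard before touching the payload
        self._replay_update(seq)     # the window only advances for verified packets
        pad_len, next_header = authed[-2], authed[-1]
        body = authed[ESP_HDR.size:-2]
        if pad_len > len(body) or body[len(body) - pad_len:] != bytes(range(1, pad_len + 1)):
            raise ValueError("bad ESP padding")
        return next_header, body[:len(body) - pad_len]


def demo():
    """Transport and tunnel mode, then a replay, a tampered packet and a retry."""
    key = b"constructed-sample-integrity-key"
    rx = EspReceiver(spi=0x1001, auth_key=key)
    raw_ip = b"\x45" + bytes(19)                          # placeholder IPv4 header
    udp = b"\x00\x35\x00\x35\x00\x0c\x00\x00DNS?"        # placeholder UDP datagram
    transport = esp_encapsulate(0x1001, 1, NH_UDP, udp, key)
    tunnel = esp_encapsulate(0x1001, 2, NH_IPV4, udp, key, inner_ip=raw_ip)
    third = esp_encapsulate(0x1001, 3, NH_UDP, udp, key)
    tampered = bytearray(third)
    tampered[12] ^= 0x01                                  # flip a payload bit after the ICV was computed
    results = {"transport": rx.decapsulate(transport), "tunnel": rx.decapsulate(tunnel)}
    for name, pkt in (("replay", transport), ("tamper", bytes(tampered)), ("retry", third)):
        try:
            results[name] = rx.decapsulate(pkt)
        except ValueError as err:
            results[name] = str(err)
    return results
```

The tampered packet is rejected on the ICV without moving the window, so the untouched packet with the same sequence number is still accepted afterwards.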
Contents (current position): 2. Security Technologies in WAN Interconnection, IPsec Fundamentals
IPsec Mechanism
[Figure: IPsec mechanism between two IPsec devices over an IPsec tunnel. IKE negotiation phase 1: the IKE modules negotiate an IKE SA. IKE negotiation phase 2: IPsec SA negotiation packets are encrypted based on the IKE SA, producing IPsec SAs on both devices. User data is then exchanged through the encryption and authentication modules, which encrypt, decrypt and authenticate protected flows based on the IPsec SA.]

• The IPsec mechanism is as follows:
▫ An IKE SA is negotiated in the first phase of IKE negotiation.
▫ The IKE SA is used to encrypt the packets in the second phase of IKE
negotiation. That is, IPsec SAs are negotiated in the second phase of IKE
negotiation.
▫ IPsec SAs are used to encrypt data.


IKEv1 IKEv2 Defining IPsec-Protected Data Flows

IKEv1
⚫ IKEv1 negotiation goes through two phases: In phase 1, two IPsec peers negotiate and establish a
secure tunnel (an IKE SA). In phase 2, the two IPsec peers establish a pair of IPsec SAs for secure data
transmission through the secure tunnel established in phase 1.

[Figure: IKEv1 negotiation process. Phase 1: IKE SA negotiation between the IKE modules produces an IKE SA. Phase 2: IPsec SA negotiation packets are encrypted based on the IKE SA.]

IKEv1 Negotiation Phase (1)


⚫ In phase 1 of IKEv1 negotiation, an IKE SA is established. After an IKE SA is established, all the ISAKMP messages transmitted
between two IPsec peers will be encrypted and authenticated. The secure tunnel established in phase 1 enables IPsec peers to
communicate securely in phase 2.

⚫ Phase 1 of IKEv1 negotiation supports two negotiation modes: main mode and aggressive mode.

[Figure: main mode between initiator and responder. 1 The initiator sends an IKE proposal; the responder searches for a matching IKE proposal. 2 The responder sends the acknowledged IKE proposal; the initiator accepts it. 3 The initiator sends information for key generation. 4 The responder sends information for key generation; both sides generate keys. 5 The initiator sends identity and authentication data; the responder verifies the identity and exchanged data. 6 The responder sends identity and authentication data; the initiator verifies the identity and exchanged data. Messages 5 and 6 are encrypted data.]
[Figure: aggressive mode between initiator and responder. 1 The initiator sends IKE proposals, information for key generation, and identity information; the responder searches for matching algorithms, generates keys, and authenticates the identity. 2 The responder sends key generation information, identity information, and authentication data; the initiator accepts the proposal and generates keys. 3 The initiator sends authentication data; the responder verifies the exchanged data. Message 3 is encrypted data.]

• The main mode requires three exchanges between the peers, totaling six ISAKMP
messages. The three exchanges are described as follows:
▫ Messages 1 and 2 are used for IKE proposal exchange.
▪ The initiator sends one or more IKE proposals to the responder. The
responder searches for the first matching IKE proposal and then sends it to
the initiator. IKE proposals of the initiator and responder match if they have
the same encryption algorithm, authentication algorithm, authentication
method, and DH group identifier.
▫ Messages 3 and 4 are used for key information exchange.
▪ The initiator and responder exchange the DH public value and nonce value
to generate the IKE SA authentication key and encryption key.
▫ Messages 5 and 6 are used for identity and authentication information
exchange. (Both parties use the generated keys to exchange information.)
▪ The initiator and responder use the generated keys to authenticate each
other and the information exchanged in main mode.
• The aggressive mode uses only three messages. Messages 1 and 2 are used to
negotiate IKE proposals and exchange the DH public value, mandatory auxiliary
information, and identity information. Message 2 also contains the identity
information sent by the responder to the initiator for authentication. Message 3
is used by the responder to authenticate the initiator.
• Compared with the main mode, the aggressive mode reduces the number of
exchanged messages and speeds up the negotiation. However, the aggressive
mode does not encrypt identity information.
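The three main-mode exchanges above, together with the IPsec Encryption slide's point that an asymmetric exchange agrees the symmetric key, as an added example that is not code from the training material: both peers derive SKEYID and the SKEYID_d/a/e keys after messages 3 and 4, then exchange HASH_I and HASH_R in messages 5 and 6, following RFC 2409. HMAC-SHA256 as the prf, a toy 127-bit DH modulus, and the cookies, nonces, proposal and identities are assumptions.

```python
"""IKEv1 phase 1 in main mode with pre-shared key authentication: SKEYID
derivation and HASH_I/HASH_R verification (RFC 2409, section 5).

Added example, not code from the training material. It runs both peers in
one process. Assumptions: HMAC-SHA256 as the prf, a 127-bit toy DH modulus
(a real IKE SA uses the negotiated DH group), and constructed cookies,
nonces, proposal and identities.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1      # toy Mersenne prime, NOT an IKE DH group
G = 5


def prf(key, data):
    """The negotiated pseudo-random function; HMAC-SHA256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    """One IKE peer; sa_body is the initiator's proposal (SAi_b) both sides accept."""

    def __init__(self, psk, identity, sa_body):
        self.psk, self.identity, self.sa_body = psk, identity, sa_body
        self.cookie = secrets.token_bytes(8)          # CKY carried in the ISAKMP header
        self.nonce = secrets.token_bytes(16)          # Ni_b or Nr_b
        self.x = secrets.randbelow(P - 2) + 2         # DH private exponent
        self.pub = pow(G, self.x, P)                  # DH public value g^x mod p

    def derive(self, peer_pub, cky_i, cky_r, ni, nr):
        """Messages 3/4: after KE and nonce exchange, both sides derive the keys."""
        gxy = pow(peer_pub, self.x, P).to_bytes(16, "big")   # shared secret g^xy
        self.skeyid = prf(self.psk, ni + nr)                  # pre-shared key method
        ck = cky_i + cky_r
        self.skeyid_d = prf(self.skeyid, gxy + ck + b"\x00")  # keying material for phase 2
        self.skeyid_a = prf(self.skeyid, self.skeyid_d + gxy + ck + b"\x01")  # ISAKMP integrity
        self.skeyid_e = prf(self.skeyid, self.skeyid_a + gxy + ck + b"\x02")  # ISAKMP encryption

    def auth_hash(self, own_pub, peer_pub, own_cky, peer_cky, identity):
        """HASH_I / HASH_R: binds DH values, cookies, proposal and identity to SKEYID."""
        return prf(self.skeyid, own_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
                   + own_cky + peer_cky + self.sa_body + identity)


def main_mode(psk_i, psk_r):
    """Run the three main-mode exchanges; True when both peers authenticate each other."""
    sa_body = b"ENCR=AES-256,HASH=SHA2-256,AUTH=PSK,DH=toy"   # constructed proposal
    i = Peer(psk_i, b"branch.example", sa_body)
    r = Peer(psk_r, b"hq.example", sa_body)
    # Messages 1/2: proposal exchange (the responder accepts sa_body).
    # Messages 3/4: DH public values and nonces are exchanged in the clear.
    i.derive(r.pub, i.cookie, r.cookie, i.nonce, r.nonce)
    r.derive(i.pub, i.cookie, r.cookie, i.nonce, r.nonce)
    # Messages 5/6: identities and hashes, sent under SKEYID_e in main mode
    # (aggressive mode sends the identities unencrypted).
    hash_i = i.auth_hash(i.pub, r.pub, i.cookie, r.cookie, i.identity)
    hash_r = r.auth_hash(r.pub, i.pub, r.cookie, i.cookie, r.identity)
    # Each side recomputes the peer's hash with its own SKEYID: it only matches
    # when both derived the same SKEYID, i.e. when both hold the same PSK.
    r_accepts = hmac.compare_digest(hash_i, r.auth_hash(i.pub, r.pub, i.cookie, r.cookie, i.identity))
    i_accepts = hmac.compare_digest(hash_r, i.auth_hash(r.pub, i.pub, r.cookie, i.cookie, r.identity))
    return bool(r_accepts and i_accepts and i.skeyid_e == r.skeyid_e)
```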

IKEv1 Negotiation Phase (2)


⚫ In IKEv1 phase 2, IPsec SAs need to be established and keys need to be generated for securely transmitting data.
⚫ This phase uses the quick mode. This mode uses the keys generated in phase 1 to verify the integrity of ISAKMP
messages and identities of the initiator and responder, and to encrypt ISAKMP messages, ensuring exchange
security.

[Figure: quick mode between initiator and responder. 1 The initiator sends IPsec proposals, identity, and authentication data; the responder searches for a matching IPsec proposal and generates keys. 2 The responder sends the acknowledged IPsec proposal, identity, and authentication data; the initiator accepts the proposal and generates keys. 3 The initiator sends acknowledged data; the responder accepts the information. All three messages are encrypted data.]

• In IKEv1 phase 2, two IPsec SAs are established through three ISAKMP messages:
▫ Message 1 is used by the initiator to send local security parameters and
identity authentication information to the responder.
▪ Security parameters include protected data flows and parameters to be
negotiated, such as an IPsec proposal. Identity authentication information
includes the keys generated in phase 1 and keying materials generated in
phase 2, and can be used to authenticate the peer again.
▫ Message 2 is used by the responder to send acknowledged security
parameters and identity authentication information, and to generate new
keys.
▪ The encryption key and authentication key used for secure data
transmission over IPsec SAs are generated based on the keys generated in
phase 1 and parameters such as the SPI and protocol. This ensures that
each IPsec SA has unique encryption and authentication keys.
▫ Message 3 is used by the initiator to send acknowledged information to
communicate with the responder. IKEv1 negotiation then ends and IPsec SAs
are established.

IKEv2
⚫ The process of establishing SAs through IKEv2 negotiation is much simpler than that through IKEv1
negotiation. In normal cases, IKEv2 can establish a pair of IPsec SAs through only four messages in two
exchanges. One additional Create_Child_SA Exchange can be used to establish another pair of IPsec SAs
if required, during which only two messages are exchanged.
⚫ IKEv2 defines three exchanges: Initial Exchanges, Create_Child_SA Exchange, and Informational
Exchange.


IKEv2 Initial Exchanges


⚫ IKEv2 establishes the first pair of IPsec SAs through Initial Exchanges. Initial Exchanges involves four
messages in two exchanges.

[Figure: Initial Exchanges between initiator and responder. 1 The initiator sends IKE SA parameters; the responder searches for matching IKE SA parameters. 2 The responder sends the matching IKE SA parameters; the initiator accepts them. 3 The initiator sends identity information; the responder verifies the identity and exchanged data. 4 The responder sends its identity information; the initiator verifies the identity and exchanged data. Messages 3 and 4 are encrypted data.]

• Messages 1 and 2 are used in exchange 1 (called IKE_SA_INIT). In exchange 1,
IKE SA parameters are negotiated in plain text, including the encryption key,
authentication key, random number, and DH key. After IKE_SA_INIT is complete,
shared keying material is generated, from which all keys used by IPsec SAs are
derived.

• Messages 3 and 4 are used in exchange 2 (called IKE_AUTH). In exchange 2,
identities of the two parties and the first two messages are authenticated, and
IPsec SA parameters are negotiated. IKEv2 supports Rivest-Shamir-Adleman
(RSA) signature authentication, pre-shared key (PSK) authentication, and
Extensible Authentication Protocol (EAP) authentication. The initiator omits the
AUTH payload in message 3 to indicate that EAP authentication is required.

IKEv2 Create_Child_SA Exchange


⚫ After one pair of IPsec SAs is established based on an IKE SA, Create_Child_SA Exchange can be
performed to negotiate more pairs of IPsec SAs. In addition, Create_Child_SA Exchange can be
performed for IKE SA re-negotiation.
⚫ Create_Child_SA Exchange involves two messages in one exchange and corresponds to IKEv1 phase 2.
The initiator in Create_Child_SA Exchange can be the initiator or responder in Initial Exchanges.

[Figure: Create_Child_SA Exchange between initiator and responder. 1 The initiator sends identity information; the responder verifies the identity and exchanged data. 2 The responder sends identity information; the initiator verifies the identity and exchanged data. Both messages are encrypted data.]

IKEv2 Informational Exchange


⚫ IKEv2 peers perform Informational Exchange to exchange control information, including error
information and notifications.
⚫ Informational Exchange must be performed under the protection of an IKE SA. Specifically,
Informational Exchange is performed after Initial Exchanges are complete. Control information may
belong to an IKE SA or a child SA. Therefore, Informational Exchange must be protected by the IKE SA
or the IKE SA based on which the child SA is established accordingly.
[Figure: Informational Exchange between initiator and responder. 1 The initiator sends control information; the responder performs operations based on it. 2 The responder responds to the control information; the initiator accepts the information. Both messages are encrypted data.]

Defining IPsec-Protected Data Flows


⚫ The data flows to be protected by IPsec can be defined using either of the following
methods:
 Use ACLs.
◼ ACLs can be configured to define the data flows to be protected by an IPsec tunnel. The packets matching
permit clauses in the ACLs will be protected.

 Use routes.
◼ Routes can be configured to define the data flows to be protected by an IPsec tunnel established through IPsec
tunnel interfaces. All packets routed to these interfaces will then be protected.

⚫ On the live network, GRE over IPsec typically defines protected flows based on routes.


• The method of using routes has the following advantages:


▫ Simplifies the IPsec configuration: IPsec-protected data flows are routed to
tunnel interfaces, without the need to use ACLs to define the characteristics of
traffic to be encrypted or decrypted.
▫ Supports dynamic routing protocols.

▫ Protects multicast traffic through GRE over IPsec.


Contents

1. Common Networking Technologies in WAN Interconnection

2. Security Technologies in WAN Interconnection


▫ Basic Concepts of IPsec
▫ IPsec Fundamentals
▪ IPsec Application Scenarios

3. NAT Traversal Technologies in WAN Interconnection

4. Intelligent Traffic Steering Technologies in WAN Interconnection

GRE over IPsec
⚫ Leveraging advantages of GRE and IPsec, GRE over IPsec encapsulates multicast, broadcast, and non-IP
packets into ordinary IP packets and then securely transmits these IP packets through IPsec.
⚫ GRE over IPsec encapsulates packets using GRE and then IPsec.

GRE over IPsec data encapsulation (ESP), figure: an IPsec tunnel across the Internet carries the GRE tunnel;
plain IP data enters on one side, crosses the Internet as IPsec data, and leaves as plain IP data on the other side.

GRE over IPsec packet in transport mode:
Public IP | ESP Header | GRE Header | Private IP | Data

GRE over IPsec packet in tunnel mode:
Public IP | ESP Header | Public IP | GRE Header | Private IP | Data

• GRE over IPsec supports encapsulation in both tunnel and transport mode. In tunnel mode IPsec
adds an extra outer IP header to every packet, making packets longer and therefore more likely
to be fragmented. For this reason GRE over IPsec in transport mode is recommended.
• In the IP header added during IPsec tunnel-mode encapsulation, the source and destination
addresses are the IP addresses of the local interface and remote interface to which the IPsec
policy is applied.

• IPsec protects data flows from the GRE tunnel source to the GRE tunnel
destination. In the IP header added during GRE encapsulation, the source and
destination addresses are the source and destination addresses of a GRE tunnel.
L2TP over IPsec
⚫ Layer 2 Tunneling Protocol (L2TP) over IPsec encapsulates packets using L2TP and then IPsec. It uses
L2TP for user authentication and address allocation and uses IPsec for secure communication. L2TP
over IPsec ensures that branches or traveling employees are securely connected to the headquarters.

L2TP over IPsec data encapsulation (ESP), figure: an IPsec tunnel across the Internet carries the L2TP tunnel;
PPP data enters on one side, crosses the Internet as IPsec data, and leaves as PPP data on the other side.

L2TP over IPsec packet in transport mode:
Public IP | ESP Header | UDP Header | L2TP Header | PPP Header | Private IP | Data

L2TP over IPsec packet in tunnel mode:
Public IP | ESP Header | Public IP | UDP Header | L2TP Header | PPP Header | Private IP | Data

• L2TP encapsulation and then IPsec encapsulation are performed on packets transmitted over an
L2TP over IPsec tunnel. In the IP header added during IPsec encapsulation, the source and
destination addresses are the IP addresses of the local interface and remote interface to which
an IPsec policy is applied.
• IPsec needs to protect the data flows from the L2TP tunnel source to the L2TP
tunnel destination. In the IP header added to packets during L2TP encapsulation,
the source and destination addresses are the source and destination addresses of
an L2TP tunnel. When a branch connects to the headquarters, the source address
of the L2TP tunnel is the IP address of the outbound interface on the L2TP access
concentrator (LAC), and the destination address is the IP address of the inbound
interface on the L2TP network server (LNS).
• A public IP header is added to packets during L2TP encapsulation, and another
public IP header is added to packets if L2TP over IPsec in tunnel mode is used,
resulting in longer packets, which are prone to being fragmented. Therefore,
L2TP over IPsec in transport mode is recommended.
• The L2TP over IPsec negotiation process and packet encapsulation process are
similar when traveling employees are remotely connected to the headquarters
and when branch employees are connected to the headquarters. The difference is
that, L2TP and IPsec encapsulation is performed on clients when traveling
employees are remotely connected to the headquarters. The L2TP tunnel source
address is the private address assigned to a client and can be any address in the
IP address pool configured on the LNS. The L2TP tunnel destination address is the
address of the inbound interface on the LNS.
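The two encapsulation stacks above decide whether a packet still fits the path MTU after protection. The following is an added worked example, not part of the Huawei course material: it does the packet-size arithmetic for GRE over IPsec and L2TP over IPsec in ESP transport and tunnel mode. The header sizes are assumptions about a typical configuration (IPv4 headers without options, GRE with no key or sequence fields, an L2TPv2 data header without length or sequence fields, a PPP header with address/control compression, ESP with AES-CBC and HMAC-SHA1-96); substitute your own cipher and header options where they differ.

```python
# Added example (not from the Huawei course material): packet-size arithmetic for
# GRE over IPsec and L2TP over IPsec in ESP transport vs. tunnel mode.
# The sizes below are assumptions about a typical deployment.
IP_HDR = 20       # IPv4 header, no options
GRE_HDR = 4       # GRE with C/K/S flags cleared
UDP_HDR = 8
L2TP_HDR = 6      # L2TPv2 data message: flags, tunnel ID, session ID
PPP_HDR = 2       # PPP protocol field only (address/control compressed)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header


def esp_len(plaintext_len, iv=16, block=16, icv=12):
    """Size on the wire of an ESP packet (outer IPv4 header included) that
    carries plaintext_len bytes, padded so that plaintext + padding + trailer
    is a whole number of cipher blocks (RFC 4303 section 2.4).
    Defaults assume AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV)."""
    pad = (-(plaintext_len + ESP_TRAILER)) % block
    return IP_HDR + ESP_HDR + iv + plaintext_len + pad + ESP_TRAILER + icv


def encapsulated_len(payload_len, tunnel, mode):
    """Total packet size for an inner IPv4 packet carrying payload_len bytes of
    data, sent through a GRE or L2TP tunnel that is protected by ESP in
    transport or tunnel mode."""
    inner_ip = IP_HDR + payload_len                    # private IP header + data
    if tunnel == "gre":
        tunnel_hdrs = GRE_HDR
    elif tunnel == "l2tp":
        tunnel_hdrs = UDP_HDR + L2TP_HDR + PPP_HDR
    else:
        raise ValueError(tunnel)
    if mode == "transport":
        # ESP sits between the tunnel's public IP header and the GRE/L2TP header;
        # that public IP header doubles as the ESP outer header.
        return esp_len(tunnel_hdrs + inner_ip)
    if mode == "tunnel":
        # The whole GRE/L2TP packet, public IP header included, becomes the ESP
        # plaintext and a second public IP header is prepended.
        return esp_len(IP_HDR + tunnel_hdrs + inner_ip)
    raise ValueError(mode)


def fits_mtu(payload_len, tunnel, mode, mtu=1500):
    """True when the encapsulated packet needs no fragmentation at this MTU."""
    return encapsulated_len(payload_len, tunnel, mode) <= mtu


def max_payload(tunnel, mode, mtu=1500):
    """Largest inner data size that still fits the MTU after encapsulation."""
    size = 0
    while fits_mtu(size + 1, tunnel, mode, mtu):
        size += 1
    return size


if __name__ == "__main__":
    for tunnel in ("gre", "l2tp"):
        for mode in ("transport", "tunnel"):
            total = encapsulated_len(1400, tunnel, mode)
            print(f"{tunnel} over IPsec, {mode} mode: 1400 data bytes -> {total} bytes on the wire; "
                  f"max data without fragmentation at MTU 1500: {max_payload(tunnel, mode)}")
```

With these assumptions a 1400-byte inner payload fits a 1500-byte MTU in transport mode for both tunnel types but exceeds it in tunnel mode, which is the fragmentation argument the notes make; the difference is the extra 20-byte IP header plus whatever padding the cipher block size then forces.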
Contents

1. Common Networking Technologies in WAN Interconnection

2. Security Technologies in WAN Interconnection

3. NAT Traversal Technologies in WAN Interconnection


▪ NAT Fundamentals

▫ NAT Types

▫ NAT Traversal Technologies

4. Intelligent Traffic Steering Technologies in WAN Interconnection

Motivation Behind NAT
⚫ Network address translation (NAT) was proposed in 1994. It is used when hosts on a private network have been
assigned local IP addresses (addresses that are valid only inside that private network) and need to communicate
with hosts on the Internet.
⚫ NAT relieves the shortage of public IP addresses. It also hides internal addressing, and because an inbound packet
is forwarded only when it matches an existing mapping entry, unsolicited connections from the Internet are dropped.
This is a useful side effect, not a replacement for a firewall policy.
NAT for access from a private network to the Internet (figure): a host on the private network sends a packet with a
private source IP address (SIP); the NAT device rewrites the SIP to a public IP address before forwarding it to the
Internet. For the return packet, the NAT device rewrites the public destination IP address (DIP) back to the private
address.
NAPT
⚫ Network address and port translation (NAPT) translates both IP addresses and port numbers using the addresses in an address pool.
In this way, 1:n mapping between public and private addresses is implemented, which effectively improves public address utilization.
⚫ Easy IP is a special type of NAPT. It maps all private network sessions to the egress interface address; that is, Easy IP can be
understood as NAPT with a single address (the egress interface address) in the NAT address pool.

NAPT example (figure): NAT address pool 122.1.2.2 and 122.1.2.3; NAT device egress address 122.1.2.1; PC 192.168.1.1/24 on the
private network accesses web server 200.1.2.3 on the Internet.

NAT mapping table:
             Private IP Address:Port   Public IP Address:Port
Source       192.168.1.1:10321         122.1.2.2:1025
Destination  200.1.2.3:80              --------

Source address + source port translation (outbound packet):
SIP 192.168.1.1, S Port 10321, DIP 200.1.2.3, D Port 80  ->  SIP 122.1.2.2, S Port 1025, DIP 200.1.2.3, D Port 80

Destination address + destination port translation (return packet):
SIP 200.1.2.3, S Port 80, DIP 122.1.2.2, D Port 1025  ->  SIP 200.1.2.3, S Port 80, DIP 192.168.1.1, D Port 10321

• NAPT maps multiple private IP addresses to one public IP address by using ports. Both IP
addresses and transport-layer ports are translated, so that sessions from different private
IP addresses and source ports are mapped to the same public IP address with distinct source
ports.
• Because the TCP/UDP port space is limited (0–65535), one public address can serve only a
limited number of concurrent private sessions. With an address pool, NAPT can spread private
sessions across the pool addresses, so the pool as a whole supports more sessions than a single
address can.
• A NAT mapping entry is created by the first packet of a session. When no traffic is seen for
a configured period, the entry is aged out automatically, so a stale external address and port
cannot later be used to reach the internal host.
• NAPT and Easy IP are also known as source NAT because they change only the source address
and port number of a packet.
NAT Server
⚫ NAT Server maps an internal server to the public network through a one-to-one mapping between a [public IP
address:port number] and a [private IP address:port number]. This function is used when the internal server
needs to provide services to the public network.
⚫ An external host proactively accesses the [public IP address:port number] to communicate with the internal
server.

NAT Server example (figure): web server 192.168.1.10 on the private network; NAT device public address 122.1.2.1;
external host 200.1.2.3 on the Internet.

NAT mapping table:
Private IP Address:Port   Public IP Address:Port
192.168.1.10:80           122.1.2.1:8080

Destination address + destination port translation (inbound packet):
SIP 200.1.2.3, S Port 1025, DIP 122.1.2.1, D Port 8080  ->  SIP 200.1.2.3, S Port 1025, DIP 192.168.1.10, D Port 80

Source address + source port translation (return packet):
SIP 192.168.1.10, S Port 80, DIP 200.1.2.3, D Port 1025  ->  SIP 122.1.2.1, S Port 8080, DIP 200.1.2.3, D Port 1025
Route Advertisement in a NAT Address Pool
⚫ In some cases the NAT device is not the egress device, so return traffic must be diverted to the NAT device. To
achieve this, you can import user network routes (UNRs) into a routing protocol.
⚫ UNRs are generated for non-interface IP addresses, that is, addresses that are not configured on any interface. In a
NAT scenario, the device creates a UNR for each address in the NAT address pool. For example, if the NAT address pool
contains 122.1.2.2 and 122.1.2.3, the device automatically creates the UNRs 122.1.2.2/32 and 122.1.2.3/32.

Route advertisement example (figure): the NAT device (R1) holds the address pool 122.1.2.2 and 122.1.2.3. After the pool
is configured, 32-bit UNRs are generated automatically and advertised through OSPF to the egress device, which forwards
return traffic from the Internet (web server) back to R1.

IP routing table on the NAT device:
122.1.2.2/32   UNR    NH: Local
122.1.2.3/32   UNR    NH: Local

IP routing table on the egress device:
122.1.2.2/32   OSPF   NH: R1
122.1.2.3/32   OSPF   NH: R1
Security Risks of the NAT Mapping Table
⚫ After forwarding a data packet, the NAT device creates a NAT mapping entry. When a return packet arrives, the NAT device
treats it as valid and forwards it only if a matching NAT mapping entry is found.
⚫ If an external host uses the public IP address and port number recorded in the NAT mapping table as the destination of a
packet, will that packet be forwarded?

Scenario (figure): PC1 192.168.1.1/24 accesses web server 200.1.2.3 through the NAT device (address pool 122.1.2.2 and
122.1.2.3, egress address 122.1.2.1), producing the source translation 192.168.1.1:10321 -> 122.1.2.2:1025 and the matching
destination translation on return packets. An external host then sends a packet with DIP 122.1.2.2, D Port 1025.

NAT mapping table:
             Private IP Address:Port   Public IP Address:Port
Source       192.168.1.1:10321         122.1.2.2:1025
Destination  200.1.2.3:80              --------

• The answer depends on the NAT type. There are four types of NAT:


▫ Full cone NAT
▫ Restricted cone NAT

▫ Port restricted cone NAT


▫ Symmetric NAT
Contents

1. Common Networking Technologies in WAN Interconnection

2. Security Technologies in WAN Interconnection

3. NAT Traversal Technologies in WAN Interconnection


▫ NAT Fundamentals
▪ NAT Types

▫ NAT Traversal Technologies

4. Intelligent Traffic Steering Technologies in WAN Interconnection

Basic Concepts of NAT Types
⚫ NAT can be classified into two types: cone NAT and symmetric NAT.
⚫ Cone NAT is further classified into full cone NAT, restricted cone NAT, and port restricted cone NAT.

⚫ Concepts related to NAT types
 Internal tuple: a 2-tuple consisting of the private address and port number of an internal host, that is, the source address and
source port number of a packet sent by the internal host.
 External tuple: a 2-tuple consisting of the public address and port number obtained after the internal tuple is translated by
NAT, that is, the post-NAT source address and source port number of the packet as received by the external host.
 Target tuple: a 2-tuple consisting of the address and port number of the external host, that is, the destination address and
destination port number of a packet sent by the internal host.

Example (figure): the internal host sends SIP 192.168.1.1, S Port 10321, DIP 200.1.2.3, D Port 80; after source address and
source port translation the packet carries SIP 122.1.2.2, S Port 1025. Internal tuple 192.168.1.1:10321, external tuple
122.1.2.2:1025, target tuple 200.1.2.3:80.

NAT mapping table:
             Private IP Address:Port   Public IP Address:Port
Source       192.168.1.1:10321         122.1.2.2:1025
Destination  200.1.2.3:80              --------
Full Cone NAT
⚫ With full cone NAT, one internal tuple is translated into one external tuple, whatever the target. Any external host can send
packets whose destination is the address and port number in the external tuple; on receiving such packets, the NAT device forwards
them to the host that owns the mapped internal tuple. Full cone NAT is simple but carries security risks.

Full cone NAT (figure): PC1 192.168.1.1/24 behind the NAT device (address pool 122.1.2.2 and 122.1.2.3, egress 122.1.2.1)
communicates with web server 200.1.2.3. External host 202.2.2.1 then sends a packet with DIP 122.1.2.2, D Port 1025.

NAT mapping table:
             Private IP Address:Port   Public IP Address:Port
Source       192.168.1.1:10321         122.1.2.2:1025
Destination  200.1.2.3:80              --------

• After PC1 on the private network communicates with the web server, the NAT device creates the NAT mapping entry. If full cone NAT is
used and an attacker sends a packet with the external tuple (122.1.2.2:1025) as the destination, the NAT device forwards this packet to PC1.
Restricted Cone NAT
⚫ Restricted cone NAT is a restricted version of full cone NAT. When receiving a packet from an external host, a NAT device with
restricted cone NAT enabled not only checks whether the destination address and port number of the packet match the external tuple,
but also checks whether the source IP address of the packet matches the IP address in a target tuple recorded for that mapping. The
packet is forwarded only if both conditions are met.

Restricted cone NAT (figure): same topology as for full cone NAT. External host 200.1.2.3 sends a packet with SIP 200.1.2.3,
S Port 2050, DIP 122.1.2.2, D Port 1025.

NAT mapping table:
             Private IP Address:Port   Public IP Address:Port
Source       192.168.1.1:10321         122.1.2.2:1025
Destination  200.1.2.3:80              --------

• After PC1 on the private network communicates with the web server, the NAT device creates the NAT mapping entry. If restricted cone NAT
is used and an attacker sends a packet with the external tuple (122.1.2.2:1025) as the destination, the NAT device forwards this packet to
PC1 only when the source address of the packet is the IP address (200.1.2.3) in the target tuple. The source port (2050 here) is not checked.
Port Restricted Cone NAT
⚫ Port restricted cone NAT is a restricted version of restricted cone NAT. When receiving a packet from an external host, a NAT device with
port restricted cone NAT enabled not only checks whether the destination IP address and port number of the packet match the external tuple,
but also checks whether the source IP address and port number of the packet match a target tuple recorded for that mapping. The packet is
forwarded only if both conditions are met. This is the most restrictive, and therefore the most secure, of the cone NAT types.

Port restricted cone NAT (figure): same topology as for full cone NAT. External host 200.1.2.3 sends a packet with SIP 200.1.2.3,
S Port 80, DIP 122.1.2.2, D Port 1025.

NAT mapping table:
             Private IP Address:Port   Public IP Address:Port
Source       192.168.1.1:10321         122.1.2.2:1025
Destination  200.1.2.3:80              --------

• After PC1 on the private network communicates with the web server, the NAT device creates the NAT mapping entry. If port restricted cone
NAT is used and an attacker sends a packet with the external tuple (122.1.2.2:1025) as the destination, the NAT device forwards this packet
to PC1 only when the source address and source port number of the packet are those in the target tuple (200.1.2.3:80).
Symmetric NAT
⚫ With symmetric NAT, the same internal tuple sent to the same target tuple is always translated into the same external tuple, but if
either the internal tuple or the target tuple differs, a different external tuple is allocated. A NAT device with symmetric NAT enabled
filters return packets in the same way as one with port restricted cone NAT enabled: it checks that the destination IP address and port
number of the return packet match the external tuple and that the source IP address and port number match the target tuple of that entry.

Symmetric NAT (figure): PC1 192.168.1.1/24 behind the NAT device (address pool 122.1.2.2 and 122.1.2.3, egress 122.1.2.1) communicates
with web server 200.1.2.2 and DNS server 200.1.2.3. The DNS server (200.1.2.3) then sends a packet with SIP 200.1.2.3, S Port 53 to one
of the external tuples.

NAT mapping table:
             Private IP Address:Port   Public IP Address:Port
Source       192.168.1.1:10321         122.1.2.2:1025
Destination  200.1.2.2:80              --------
Source       192.168.1.1:10321         122.1.2.3:2231
Destination  200.1.2.3:53              --------

• When PC1 on the private network communicates with the web server and the DNS server, the NAT device creates different NAT mapping
entries for the different targets, even though the source IP address and port number are the same. If symmetric NAT is used and an attacker
sends a packet with the external tuple 122.1.2.2:1025 as the destination, the NAT device forwards it to PC1 only when the packet's source
address and port number are the target tuple recorded for that entry (200.1.2.2:80). A packet from 200.1.2.3:53 reaches PC1 only through
the external tuple allocated for the DNS session (122.1.2.3:2231).
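The four filtering behaviours above, together with the per-session mapping table and its idle-time aging, are easiest to compare side by side. The following is an added simulator, not code from the Huawei course material: it models a NAPT device with a small address pool and answers the question posed on the "Security Risks of the NAT Mapping Table" slide for each NAT type. The pool addresses, the port allocation order and the idle timeout are assumptions; real devices choose ports and timer values differently.

```python
# Added example (not from the Huawei course material): a NAPT simulator covering
# the four NAT types, the per-session mapping table and idle-time aging.
# Address pool, port allocation policy and timeout are assumptions.
import itertools
from dataclasses import dataclass, field

NAT_KINDS = ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")


@dataclass
class Entry:
    internal: tuple                              # (private_ip, private_port)
    external: tuple                              # (public_ip, public_port) after translation
    targets: set = field(default_factory=set)    # (dst_ip, dst_port) reached through this entry
    last_used: float = 0.0


class Napt:
    def __init__(self, kind, pool, idle_timeout=300.0):
        if kind not in NAT_KINDS:
            raise ValueError(kind)
        self.kind = kind
        self.pool = list(pool)
        self.idle_timeout = idle_timeout
        self.entries = []
        self._ports = {ip: itertools.count(1025) for ip in self.pool}

    def _expire(self, now):
        # Idle entries are aged out, so a stale external tuple cannot be used later
        # to reach the internal host.
        self.entries = [e for e in self.entries if now - e.last_used <= self.idle_timeout]

    def _allocate(self):
        ip = self.pool[len(self.entries) % len(self.pool)]   # spread sessions over the pool
        return (ip, next(self._ports[ip]))

    def outbound(self, src, dst, now=0.0):
        """Private host src sends to dst; returns the external tuple used."""
        self._expire(now)
        for e in self.entries:
            if e.internal != src:
                continue
            if self.kind == "symmetric" and dst not in e.targets:
                continue          # symmetric NAT: a new target gets a new external tuple
            e.targets.add(dst)    # cone NAT: one external tuple for every target
            e.last_used = now
            return e.external
        e = Entry(internal=src, external=self._allocate(), targets={dst}, last_used=now)
        self.entries.append(e)
        return e.external

    def inbound(self, src, dst, now=0.0):
        """External host src sends to the public tuple dst; returns the internal
        tuple the packet is forwarded to, or None if the NAT device drops it."""
        self._expire(now)
        for e in self.entries:
            if e.external != dst:
                continue
            if self.kind == "full_cone":
                allowed = True
            elif self.kind == "restricted_cone":
                allowed = any(t[0] == src[0] for t in e.targets)     # source IP only
            else:   # port_restricted_cone and symmetric check source IP and port
                allowed = src in e.targets
            if allowed:
                e.last_used = now
                return e.internal
        return None


if __name__ == "__main__":
    pc1, web, attacker = ("192.168.1.1", 10321), ("200.1.2.3", 80), ("202.2.2.1", 4444)
    for kind in NAT_KINDS:
        nat = Napt(kind, ["122.1.2.2", "122.1.2.3"])
        ext = nat.outbound(pc1, web)
        print(f"{kind:21} {ext}  attacker -> {nat.inbound(attacker, ext)}  "
              f"web:80 -> {nat.inbound(web, ext)}  web:2050 -> {nat.inbound((web[0], 2050), ext)}")
```

Running it shows the progression the slides describe: the attacker's packet reaches PC1 only under full cone NAT, a packet from the web server's address but a different port is accepted by restricted cone NAT and refused by port restricted cone NAT, and symmetric NAT additionally hands each target its own external tuple, so knowledge of one mapping says nothing about the next.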
NAT Application Scenarios
⚫ On the live network, NAPT and Easy IP generally behave as symmetric NAT.
⚫ When NAT traversal is required on the live network, cone NAT can be used.

Application scenarios of NAT traversal (figure): two PCs, each behind its own NAT device running full cone NAT,
communicate with each other across the Internet.
Contents

1. Common Networking Technologies in WAN Interconnection

2. Security Technologies in WAN Interconnection

3. NAT Traversal Technologies in WAN Interconnection


▫ NAT Fundamentals
▫ NAT Types
▪ NAT Traversal Technologies

4. Intelligent Traffic Steering Technologies in WAN Interconnection

Motivation Behind NAT Traversal
⚫ Although NAT enables users on a private network to access a public network, it has the following defects:
 NAT generates mapping entries for traffic from the private network to the public network, and these entries have an aging time. If a
session between the two ends is silent for longer than that time, the entry is removed and the connection is interrupted.
 The private IP addresses of many users are translated into the same public IP address. Because servers may limit the access frequency of
a single IP address to prevent DoS attacks, some of those users may fail to reach the servers. In addition, some applications cannot trace
the original IP address of a device, which complicates network management and fault locating.

Multiple NAT traversal technologies have been developed to solve the problems that end-to-end IP applications encounter in NAT
environments.

NAT traversal (figure): two private networks, each behind its own NAT device, connected across the Internet.
Existing NAT Traversal Technologies
⚫ Currently, the mainstream NAT traversal technologies are as follows:
 Universal Plug and Play (UPnP)
 Application Level Gateway (ALG)
 Middlebox Communications (MIDCOM)
 Full Proxy
 Session Traversal Utilities for NAT (STUN)
 Traversal Using Relay NAT (TURN)
 Interactive Connectivity Establishment (ICE)
 STUN and TCP too (STUNT)

⚫ This course describes ALG and STUN.

Motivation Behind NAT ALG
⚫ Servers that provide services such as HTTP, DNS and FTP on the live network are usually deployed on a private network, so the NAT Server
function has to be deployed on the NAT device for external users to reach them. However, some services use multi-channel protocols or carry
IP addresses and port numbers inside the application payload, for example FTP, SIP and DNS. For these protocols a static NAT Server mapping
alone does not let external users use the service; NAT ALG is used to solve the problem.

Challenges of multi-channel protocols to NAT, passive FTP (figure): an FTP client (IP1) behind a NAT device on the left and an FTP server
(IP4) behind a NAT device with public address IP3 on the right, connected across the Internet.

NAT mapping table on the server-side NAT device:
             Private IP Address:Port   Public IP Address:Port
Destination  IP4:21                    IP3:21

1. The client opens the control channel to IP3:21; the NAT device translates the destination to IP4:21, the control channel is
established, and FTP control packets are exchanged.
2. In passive mode the server allocates a random target port (1025 here) for the data channel and tells the client about it over the
control channel.
3. The client connects to IP3:1025. No related entry exists in the NAT mapping table, so the data channel fails to be established.

• NAT alone cannot give external users access to the FTP server because FTP is a multi-channel protocol, regardless of whether active or
passive FTP is used.
Fundamentals of NAT ALG
⚫ NAT ALG parses the payload of packets, identifies and translates the important information in it (such as the destination port of the
FTP data channel), and generates NAT mapping entries from that information, so that external hosts can access servers on a private network.

NAT ALG with passive FTP (figure): same topology as above, with NAT ALG enabled on the server-side NAT device.

1. The control channel to IP3:21 is established through the static entry IP4:21 <-> IP3:21 and FTP control packets are exchanged.
2. The server allocates a random target port (1025) for the data channel and tells the client about it over the control channel.
3. NAT ALG reads the FTP control packet, learns that the destination port of the data channel is 1025, and generates the NAT mapping
entry IP4:1025 <-> IP3:1025.
4. The client connects to IP3:1025; the new entry matches and the data channel is established.

NAT mapping table:
             Private IP Address:Port   Public IP Address:Port
Destination  IP4:21                    IP3:21
Destination  IP4:1025                  IP3:1025
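The payload inspection step is where a NAT ALG differs from plain NAT Server. The following is an added example, not code from the Huawei course material, of the minimum an FTP ALG has to do in the passive-mode scenario above: read the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, rewrite the private address in it to the NAT Server public address, and create the mapping entry for the announced data port. The same routine handles a PORT command announced by an internal client in active mode, since both carry the host/port in the RFC 959 format. The addresses, the mapping layout and the class name are assumptions for illustration.

```python
# Added example (not from the Huawei course material): payload inspection and
# rewriting that an FTP NAT ALG performs on the control channel.
# Addresses and data structures are assumptions for illustration.
import re

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply (RFC 959)
HOST_PORT_RE = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class FtpAlg:
    def __init__(self, nat_server_map):
        # Static NAT Server entries: private server IP -> public IP
        self.nat_server_map = dict(nat_server_map)
        # Dynamic entries created from inspected control packets:
        # (public_ip, port) -> (private_ip, port)
        self.dynamic = {}
        # Rewriting changes the payload length, so a real ALG must also adjust the
        # TCP sequence/acknowledgement numbers of that connection by this delta.
        self.seq_delta = 0

    def inspect(self, payload):
        """Return the control payload to forward. If it announces a private
        data-channel endpoint that we are responsible for, rewrite the address
        and create the mapping the data connection will need."""
        if not (payload.startswith(b"227 ") or payload.startswith(b"PORT ")):
            return payload
        m = HOST_PORT_RE.search(payload)
        if m is None:
            return payload
        g = m.groups()
        private_ip = b".".join(g[:4]).decode()
        port = int(g[4]) * 256 + int(g[5])
        public_ip = self.nat_server_map.get(private_ip)
        if public_ip is None:
            return payload                     # not an address this device translates
        self.dynamic[(public_ip, port)] = (private_ip, port)
        new_field = ",".join(public_ip.split(".") + [str(port // 256), str(port % 256)]).encode()
        self.seq_delta += len(new_field) - (m.end() - m.start())
        return payload[:m.start()] + new_field + payload[m.end():]

    def translate_inbound(self, public_ip, port):
        """Destination translation for the first packet of the data connection."""
        return self.dynamic.get((public_ip, port))


if __name__ == "__main__":
    alg = FtpAlg({"192.168.1.10": "122.1.2.1"})
    reply = b"227 Entering Passive Mode (192,168,1,10,4,1).\r\n"   # constructed sample
    print(alg.inspect(reply))
    print(alg.translate_inbound("122.1.2.1", 1025), "seq delta", alg.seq_delta)
```

Two practical consequences fall out of this: the ALG must see the control channel in clear (FTPS or any encrypted control channel defeats it, which is one reason the slide after this one lists protocol coverage as a limitation), and an entry created from untrusted payload should be as narrow as the protocol allows, here a single port learned from the server rather than a range opened speculatively.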
Disadvantages of NAT ALG
⚫ NAT ALG needs to read protocol packets. For new protocols, the NAT ALG feature needs to
be upgraded to support them. NAT ALG does not support proprietary multi-channel
protocols.
⚫ A large number of devices on the live network do not support NAT ALG. As a result, the
deployment cost is high.
⚫ NAT ALG solves the problems that multi-channel protocols face in the NAT Server scenario, but it does not enable
communication between hosts that both sit behind NAT devices on different private networks.
Overview of STUN
⚫ Besides NAT ALG, the properties of cone NAT can be used for NAT traversal: a mapping entry is created on each NAT device
in advance, and a connection between the two private networks is then established through those entries.
⚫ STUN is mainly used to discover the mapping between the private IP address + port and the post-NAT public IP address + port
on the NAT device. The data channel for NAT traversal has to be established by other means.

NAT traversal (figure): host IP1:Port1 on the left private network is mapped by its NAT device to IP2:Port2; host IP4:Port4 on
the right private network is mapped by its NAT device to IP3:Port3. The two hosts communicate across the Internet through these entries.

NAT mapping tables: left NAT device IP1:Port1 -> IP2:Port2; right NAT device IP4:Port4 -> IP3:Port3.

• In RFC 3489, STUN is a complete NAT traversal solution and its full name is
Simple Traversal of UDP Through NATs.
• In the new RFC 5389 revision, STUN is positioned to provide a tool for NAT
traversal rather than a complete solution. The full name of STUN is changed to
Session Traversal Utilities for NAT. Besides the full name difference, STUN in RFC
5389 differs from STUN in RFC 3489 in that STUN in RFC 5389 supports NAT
traversal for TCP.
Fundamentals of STUN
⚫ STUN uses the client/server model. The STUN client and STUN server exchange packets to discover the NAT device and determine
the IP address and port number allocated by the NAT device.

STUN fundamentals (figure):
1. The STUN client (IP1:Port1) on the private network sends a STUN binding request with SIP IP1, S Port Port1.
2. The NAT device translates the source to IP2:Port2 and records the mapping IP1:Port1 -> IP2:Port2.
3. The STUN server reads the source IP address and port number of the request it received (IP2, Port2) and places them in the
STUN binding response.
4. The response is sent to DIP IP2, D Port Port2; the NAT device translates the destination back to IP1:Port1.
5. The STUN client records the mapping between its private IP address + port number and the public IP address + port number:
IP1:Port1 <-> IP2:Port2.
Application Example of STUN
⚫ In an SD-WAN scenario, STUN can be used to interconnect devices behind NAT and establish data channels.

NAT traversal example (figure): STUN client IP1:Port1 behind a NAT device (public IP2:Port2) on the left, STUN client IP4:Port4
behind a NAT device (public IP3:Port3) on the right, and a STUN server on the Internet.
1. Each STUN client sends a STUN binding request to the STUN server.
2. Each STUN client learns its post-NAT address from the binding response (mapping tables: IP1:Port1 -> IP2:Port2 and
IP4:Port4 -> IP3:Port3).
3. The clients learn the peer NAT information through BGP.
4. Each client sends a STUN binding request to the peer.
5. Each client responds to the peer's STUN binding request.
6. A data channel for NAT traversal is established.

• A STUN client sends a STUN binding request to the STUN server.


• After receiving the STUN binding request, the STUN server obtains the source IP
address and port number, constructs a STUN binding response, and sends the
response to the client.
• The STUN client obtains an IP address and port number from the binding
response, and compares the obtained IP address and port number with the
source IP address and port number carried in the binding request. If they are
different, a NAT device is used in front of the STUN client.

• STUN clients use BGP to learn each other's NAT information (IP addresses and
port numbers before and after NAT).
• The local STUN client uses the local pre-NAT IP address and port number and the
pre-NAT IP address and port number of the peer STUN client to construct a
STUN binding request and sends it to the peer STUN client. In addition, the local
STUN client uses the local pre-NAT IP address and port number and the post-
NAT IP address and port number of the peer STUN client to construct a STUN
binding request and sends it to the peer STUN client. The peer STUN client
performs the same operations.
• After receiving the STUN binding request, the peer STUN client sends a STUN
binding response to the local STUN client. The local STUN client performs the
same operations.
• After the preceding STUN messages are exchanged, a data channel is established
between the STUN clients so that packets can traverse the NAT devices.
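The binding request/response pair that steps 1 and 2 rely on is small enough to build and decode by hand. The following is an added example, not code from the Huawei course material or any SD-WAN product: it constructs an RFC 5389 Binding request, the Binding success response a server would return for an observed source address, and the client-side parsing that recovers the reflexive address and compares it with the local one to detect a NAT. No sockets are opened; the "observed" address is passed in by the caller, and only IPv4 is handled.

```python
# Added example (not from the Huawei course material): RFC 5389 Binding request
# and response, built and parsed offline. Only IPv4 XOR-MAPPED-ADDRESS is handled.
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS_RESPONSE = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(transaction_id=None):
    """Binding request: 20-byte header (type, length, magic cookie, 96-bit
    transaction ID) with no attributes."""
    transaction_id = transaction_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def build_binding_response(request, observed_ip, observed_port):
    """Server side: echo the source address seen on the request, XOR-encoded so
    that an ALG rewriting IP addresses in payloads does not corrupt it."""
    msg_type, _, cookie = struct.unpack("!HHI", request[:8])
    if msg_type != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 Binding request")
    transaction_id = request[8:HEADER_LEN]
    x_port = observed_port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(observed_ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, x_port, x_addr)
    header = struct.pack("!HHI", BINDING_SUCCESS_RESPONSE, len(attr), MAGIC_COOKIE)
    return header + transaction_id + attr


def parse_binding_response(response, transaction_id):
    """Client side: check that the response belongs to our request and extract
    the reflexive (post-NAT) address from XOR-MAPPED-ADDRESS."""
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if msg_type != BINDING_SUCCESS_RESPONSE or cookie != MAGIC_COOKIE:
        raise ValueError("not a Binding success response")
    if response[8:HEADER_LEN] != transaction_id:
        raise ValueError("transaction ID mismatch: stale or spoofed response")
    body = response[HEADER_LEN:HEADER_LEN + length]
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS:
            family, x_port, x_addr = struct.unpack("!xBHI", value)
            if family != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            port = x_port ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
            return ip, port
        offset += 4 + ((attr_len + 3) & ~3)        # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def behind_nat(local_ip, local_port, mapped_ip, mapped_port):
    """The check from the notes above: a NAT device sits in front of the client
    when the mapped address differs from the one it put on the wire."""
    return (local_ip, local_port) != (mapped_ip, mapped_port)


if __name__ == "__main__":
    txid = os.urandom(12)
    request = build_binding_request(txid)
    # Constructed scenario: the NAT device translated 192.168.1.1:10321 to 122.1.2.2:1025
    response = build_binding_response(request, "122.1.2.2", 1025)
    mapped = parse_binding_response(response, txid)
    print("mapped address:", mapped, "behind NAT:", behind_nat("192.168.1.1", 10321, *mapped))
```

The transaction ID check matters in practice: without it a client accepts any Binding response aimed at its port, and an attacker who can reach that port can feed it a false reflexive address. Note too that what STUN learns is the mapping for the server's target tuple; under symmetric NAT the mapping used towards a different peer will be a different one, which is why the notes say the data channel must be set up by other means.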
Contents

1. Common Networking Technologies in WAN Interconnection

2. Security Technologies in WAN Interconnection

3. NAT Traversal Technologies in WAN Interconnection

4. Intelligent Traffic Steering Technologies in WAN Interconnection


▪ SAC

▫ SRP

Service Reliability
⚫ In the cloud computing era, network reliability alone no longer meets user requirements. Users want
to understand the live network status in terms of applications and adjust the network based on the
application status.
⚫ These requirements pose the following challenges to traditional networks:
 Traditional networks cannot accurately identify applications.
 Traditional networks cannot be adjusted based on applications.
⚫ To cope with these challenges, two technologies have been developed:
 Smart Application Control (SAC): flexibly identifies applications.
 Smart Policy Routing (SPR): switches forwarding paths based on the network or application status.
Overview of SAC
⚫ Traditional networks are managed based on traffic. However, in the cloud computing era,
services are becoming increasingly important. Networks need to be managed and monitored
based on applications instead of Five-tuple information.
⚫ Traditional routing and switching devices cannot identify application-layer information.
Therefore, it is difficult to manage networks based on applications. Smart Application
Control (SAC) technology helps routing and switching devices identify classified applications.
⚫ SAC uses service awareness (SA) and first packet identification (FPI) technologies to detect
and identify Layer 4 to Layer 7 information (such as HTTP and RTP) in packets.

SAC Signature Database
⚫ Signature identification is a basic function of SA technology. Different applications typically use different protocols,
and different application protocols have their own signatures. A signature that can identify a protocol is known as a
signature code. The system analyzes service flows passing through a device, and compares the analysis result with
the signature database on the device. It identifies an application by detecting the signature code in data packets.
⚫ SAC signature databases include FPI and SA signature databases. FPI signatures refer to signatures for identifying
FPI applications, and SA signatures refer to signatures for identifying SA applications.
⚫ SAC working mechanism (figure): service traffic enters SAC detection, which matches packet signatures against the signature
database and identifies the application (for example a web page or audio/video service). The identified application then drives
a QoS policy, a traffic policy, or optimization.

• The SAC signature database file can only be updated through upgrades and
cannot be manually modified.
• The SAC signature database can be updated in either of the following modes:

▫ Online update: The SAC signature database can be updated through the
security center platform or intranet update server.

▫ Local update: The upgrade package is downloaded from the security center
platform and uploaded to the device through FTP for the update of the SAC
signature database.
SAC Application Identification Process
⚫ During SAC application identification, the system first checks whether the application of the flow has already been
identified. If it has not, the system checks the FPI signature database and then the SA signature database, in that order.

SAC application identification process (figure): service traffic enters the network device. If an application identification
record already exists for the flow, the traffic is forwarded directly at Layer 3 using the forwarding table. Otherwise SAC
detection performs signature matching against the FPI signature database and then the SA signature database, yielding an
application such as download, voice, web page, or video.

• After a packet enters the device, the device uses the 5-tuple carried in the packet to check
whether the corresponding application has already been identified:
▫ If it has, the device forwards the packet at Layer 3 without identifying the application again.
▫ If it has not, the device runs the SAC application identification process, then processes the
packet based on the identification result and forwards it at Layer 3.
• The SAC application identification process is as follows:
▫ The device identifies the application based on the ACL rules defined in FPI.
▫ If the application cannot be identified, the device identifies it based on the DNS entries defined in FPI.
▫ If the application still cannot be identified, the device identifies it based on the protocol and port
mapping table defined in FPI.
▫ If the application still cannot be identified, the device starts the SA identification process.
SA
⚫ After receiving data, the device can use service awareness (SA) technology to match applications.
⚫ SA uses the SA signature database to detect services. The existing SA signature database is embedded with more than 6000
applications, ensuring a high identification rate for public applications. In most cases, the SA signature database can only be updated
online or locally and cannot be manually modified.

[Figure: SA identification. Service traffic passes through SAC detection; signature matching and SA behavior matching against the SA signature database classify it as voice, web page, or video.]

Matching conditions and application (as shown in the figure):
▫ Domain name, server IP address, and protocol: Voice
▫ Domain name, server IP address, and protocol: Web page
▫ Domain name, server IP address, and protocol: Video
FPI
⚫ There is a problem in matching applications based on the SA signature code. That is, the application corresponding to the first
several packets may fail to be identified based on the SA signature code. As a result, the processing on the first and subsequent
packets may be inconsistent. First packet identification (FPI) enables a device to identify an application by matching the first packet
of a flow.

⚫ FPI identifies applications based on 5-tuple information, DSCP values, protocols, and DNS domain names. The system provides a
predefined FPI signature database to help SAC identify applications. You can also define FPI applications to identify new applications.

[Figure: FPI identification. Service traffic passes through SAC detection; signature matching against the FPI signature database classifies it as voice, web page, or video.]

Matching conditions and application (as shown in the figure):
▫ Destination IP1, EF: Voice
▫ Destination Port1, protocol number 6: Web page
▫ Destination IP2, AF4: Video

• FPI applications are classified into the following types:


▫ Predefined and user-defined FPI applications based on the protocol and port
number: These two types of applications are identified using entries that are
generated based on the protocol and port number carried in packets. The
difference is as follows: Packets of a predefined FPI application contain
common protocols and port numbers, while packets of a user-defined FPI
application contain the protocols and ports that you define.
▫ Predefined and user-defined FPI applications based on the DNS domain name:
These two types of applications are identified using DNS entries generated
through association between FPI and DNS. The difference is as follows:
Packets of a predefined FPI application contain common DNS domain names,
while packets of a user-defined FPI application contain the DNS domain
names that you define.
▫ User-defined FPI application based on 5-tuple and DSCP information. This
application is identified based on the user-defined 5-tuple and DSCP
information using advanced ACL rules.
• Identification process of FPI applications based on the DNS domain name
▫ FPI applications based on the DNS domain name are identified using DNS
entries generated through association between FPI and DNS. The FPI signature
database contains the mappings between domain names and applications.
DNS response packets contain the mappings between domain names and IP
addresses. Based on the mappings, a device generates DNS entries, which
contain the mappings between IP addresses and applications. The device
searches for DNS entries based on the IP address carried in the application
protocol packets to identify the corresponding application.
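The identification order described above (application identification record first, then the FPI ACL rules, the FPI DNS entries and the protocol/port table, and finally SA) together with the FPI/DNS association just explained, modelled as an added Python example. This is not Huawei's code and does not show how an AR router implements SAC internally; the rule format, the payload-pattern matcher that stands in for the SA signature database, and every address, domain name and application name are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example, not Huawei's code: a simplified model of the SAC lookup order.
# (src_ip, src_port, dst_ip, dst_port, protocol)
FiveTuple = Tuple[str, int, str, int, int]


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP
    dscp: str = "BE"       # DSCP name, e.g. "EF", "AF41"
    payload: bytes = b""   # empty for a TCP SYN, which is why FPI exists

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.protocol)


@dataclass
class SacEngine:
    acl_rules: List[dict]                       # user-defined FPI: advanced-ACL-style 5-tuple/DSCP rules (constructed format)
    fpi_domain_db: Dict[str, str]               # FPI signature database: domain name -> application
    proto_port_db: Dict[Tuple[int, int], str]   # FPI: (protocol, destination port) -> application
    sa_signatures: Dict[bytes, str]             # stand-in for the SA signature database: payload pattern -> application
    dns_entries: Dict[str, str] = field(default_factory=dict)        # server IP -> application, learned from DNS
    flow_cache: Dict[FiveTuple, str] = field(default_factory=dict)   # application identification record

    def learn_dns_response(self, domain: str, answers: List[str]) -> int:
        """FPI/DNS association: join the FPI domain->application mapping with the
        domain->IP mapping carried in a DNS response to produce IP->application
        entries. Returns the number of DNS entries created (0 if the domain is
        not in the FPI signature database)."""
        app = self.fpi_domain_db.get(domain)
        if app is None:
            return 0
        for ip in answers:
            self.dns_entries[ip] = app
        return len(answers)

    def _match_acl(self, pkt: Packet):
        # every field named in the rule must equal the packet's field
        for rule in self.acl_rules:
            if all(getattr(pkt, f) == v for f, v in rule["match"].items()):
                return rule["app"]
        return None

    def _match_dns(self, pkt: Packet):
        return self.dns_entries.get(pkt.dst_ip)

    def _match_port(self, pkt: Packet):
        return self.proto_port_db.get((pkt.protocol, pkt.dst_port))

    def _match_sa(self, pkt: Packet):
        # SA needs payload; a bare SYN carries none and therefore cannot match
        for pattern, app in self.sa_signatures.items():
            if pattern and pattern in pkt.payload:
                return app
        return None

    def identify(self, pkt: Packet) -> Tuple[str, str]:
        """Return (application, stage that identified it)."""
        key = pkt.five_tuple()
        if key in self.flow_cache:                 # already identified: forward at Layer 3 directly
            return self.flow_cache[key], "record"
        stages = (("fpi-acl", self._match_acl), ("fpi-dns", self._match_dns),
                  ("fpi-port", self._match_port), ("sa", self._match_sa))
        for name, matcher in stages:
            app = matcher(pkt)
            if app is not None:
                self.flow_cache[key] = app         # record the result for later packets of the flow
                return app, name
        return "unknown", "none"                   # not recorded: later packets may carry payload


def build_demo_engine() -> SacEngine:
    """Constructed sample databases (documentation addresses and made-up apps)."""
    return SacEngine(
        acl_rules=[{"match": {"dst_ip": "203.0.113.10", "dscp": "EF"}, "app": "voice"}],
        fpi_domain_db={"video.example.com": "video"},
        proto_port_db={(6, 80): "web"},
        sa_signatures={b"SIP/2.0": "voice"},
    )


if __name__ == "__main__":
    eng = build_demo_engine()
    eng.learn_dns_response("video.example.com", ["198.51.100.7"])
    print(eng.identify(Packet("10.0.0.5", 40001, "198.51.100.7", 443, 6)))
    syn = Packet("10.0.0.5", 40003, "192.0.2.20", 5060, 6)
    print(eng.identify(syn))   # first packet of an unknown flow: no payload, SA cannot match yet
    print(eng.identify(Packet("10.0.0.5", 40003, "192.0.2.20", 5060, 6,
                              payload=b"INVITE sip:bob@example.com SIP/2.0")))
    print(eng.identify(syn))   # now served from the application identification record
```

The last three calls show the problem the FPI slide describes: the first packet of the flow has no payload, so SA cannot identify it and it is forwarded as unknown, the second packet matches the SA signature, and from then on the identification record answers from the 5-tuple. Adding a DNS-based or port-based FPI entry for that destination would have identified the flow on the first packet.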
Contents

1. Common Networking Technologies in WAN Interconnection

2. Security Technologies in WAN Interconnection

3. NAT Traversal Technologies in WAN Interconnection

4. Intelligent Traffic Steering Technologies in WAN Interconnection


▫ SAC
▪ SPR
Overview of SPR
⚫ In the cloud computing era, more users shift their attention from network connectivity to service availability, such
as service response speed and service quality. However, traditional networks cannot detect link quality and service
requirements, resulting in poor user experience.

⚫ Smart Policy Routing (SPR) addresses this problem. It actively detects the link quality and matches service
requirements to select an optimal link to forward service data. SPR prevents network black holes and link flapping.

[Figure: SPR deployed at both the HQ egress and the branch egress]
SPR Service Differentiation
⚫ SPR differentiates traffic based on the protocol type, packet application, and packet information.
⚫ Different link quality parameter thresholds can be set for different services. You can set the delay (D), jitter (J),
packet loss rate (L), and composite measure indicator (CMI).
⚫ CMI is calculated based on the delay, jitter, and packet loss rate.
⚫ SPR selects routes based on the CMI.

[Figure: service differentiation in the SPR module at the branch egress]
▫ Based on the protocol type: TCP, UDP, GRE…
▫ Based on the packet application: DSCP, VPN, TCP-flag…
▫ Based on packet information: Source IP, Source Port, Destination IP…

• SPR classifies services based on the following attributes:


▫ Protocol types: IP, TCP, UDP, GRE, IGMP, IPINIP, OSPF, and ICMP
▫ Packet applications: DSCP, ToS, IP precedence, fragment, VPN, and TCP-flag
▫ Packet fields: Source IP Address, Destination IP Address, Protocol, Source Port,
Destination Port, Source IP Prefix, Destination IP Prefix
• When SPR selects routes for services based on the NQA detection result, the CMI
is calculated using the following formula:
▫ CMI = 9000 – CMI-method. The default value of CMI-method is D + J + L.
▫ If NQA is used, a larger CMI value indicates better link quality.
• When SPR selects routes for services based on the IP FPM detection result, the
CMI is calculated using the following formula:
▫ CMI = D + J + L
▫ If IP FPM is used, a smaller CMI value indicates better link quality.
SPR Detection Link and Link Group
⚫ SPR obtains quality indicators of detection links through probes (NQA or IP FPM) and then selects an optimal link.
⚫ A link group can contain one or more detection links.
⚫ SPR defines three roles for links: primary link group, backup link group, and best-effort link. When no suitable link is
available in the primary and backup link groups, SPR activates the best-effort link to forward service data.

[Figure: a network device with Internet, MPLS, and LTE links, arranged into a primary link group and a backup link group]
SPR Link Selection
⚫ SPR periodically obtains the NQA or IP FPM detection result to determine whether a link meets service requirements. If the link does
not meet service requirements, a link switchover is triggered.
⚫ The SPR link selection process is as follows:

Link selection based on the NQA test result:
1. The NQA detection result is read.
2. Is there a primary link whose quality meets service requirements? Yes: the link with the optimal CMI in the primary link group is used (end). No: go to step 3.
3. Is there a backup link whose quality meets service requirements? Yes: the link with the optimal CMI in the backup link group is used (end). No: go to step 4.
4. Is the CMI of the primary and backup link groups 0? No: the link with the optimal CMI in the primary and backup link groups is used (end). Yes: the best-effort link is started (end).

Link selection based on the IP FPM test result:
1. The IP FPM detection result is read.
2. Is there a primary link whose quality meets service requirements? Yes: the link with the optimal CMI in the primary link group is used (end). No: go to step 3.
3. Is there a backup link whose quality meets service requirements? Yes: the link with the optimal CMI in the backup link group is used (end). No: go to step 4.
4. Is the CMI of the primary and backup link groups 9000? No: the link with the optimal CMI in the primary and backup link groups is used (end). Yes: the best-effort link is started (end).

• When a network is unstable, SPR triggers link switchovers frequently, which
degrades service experience. SPR provides the flapping suppression function to
address this problem.
• The flapping suppression function is disabled by default, and the flapping
suppression period is configurable. After traffic is switched to a new link, SPR
starts the flapping suppression timer. Within a flapping suppression period, SPR
does not perform a link switchover even if it does not obtain the NQA test result
indicating that the link meets service requirements within a switchover period.
After the flapping suppression timer expires, if SPR still does not obtain the NQA
test result indicating that the link meets service requirements within a switchover
period, SPR performs a link switchover. If SPR obtains the NQA test result
indicating that the link meets service requirements within a switchover period,
SPR retains traffic on the link without performing a link switchover.
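The CMI formulas, the link selection flow on the previous page (primary group, then backup group, then the best-effort link) and the flapping suppression timer, as an added Python model. This is not Huawei's code and the AR router's real implementation is not shown on these pages; treating a failed probe as the worst CMI (0 for NQA, 9000 for IP FPM), the per-service thresholds on D, J, L and CMI, and the way the timer is checked against the switchover decision are this example's own assumptions, as are all link names and probe values.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Huawei's code: a simplified model of SPR link selection.


@dataclass
class Probe:
    delay: float            # D, in ms
    jitter: float           # J, in ms
    loss: float             # L, packet loss rate in percent
    reachable: bool = True  # assumption: a failed probe yields the worst CMI


@dataclass
class Link:
    name: str
    group: str              # "primary", "backup" or "best-effort"
    probe: Probe            # latest NQA or IP FPM result for this detection link


@dataclass
class Thresholds:
    delay: float
    jitter: float
    loss: float
    cmi: float              # NQA: minimum acceptable CMI; IP FPM: maximum acceptable CMI


WORST_CMI = {"nqa": 0, "fpm": 9000}


def compute_cmi(method: str, probe: Probe) -> float:
    """NQA: CMI = 9000 - (D + J + L), larger is better.
    IP FPM: CMI = D + J + L, smaller is better."""
    if not probe.reachable:
        return WORST_CMI[method]
    total = probe.delay + probe.jitter + probe.loss
    return max(0, 9000 - total) if method == "nqa" else total


def is_better(method: str, a: float, b: float) -> bool:
    return a > b if method == "nqa" else a < b


def meets_requirements(method: str, link: Link, thr: Thresholds) -> bool:
    p = link.probe
    cmi = compute_cmi(method, p)
    cmi_ok = cmi >= thr.cmi if method == "nqa" else cmi <= thr.cmi
    return (p.reachable and p.delay <= thr.delay and p.jitter <= thr.jitter
            and p.loss <= thr.loss and cmi_ok)


def best_of(method: str, links: List[Link]) -> Link:
    best = links[0]
    for link in links[1:]:
        if is_better(method, compute_cmi(method, link.probe), compute_cmi(method, best.probe)):
            best = link
    return best


def select_link(method: str, links: List[Link], thr: Thresholds) -> Optional[Link]:
    """The flowchart: primary group, then backup group, then best-effort fallback."""
    for group in ("primary", "backup"):
        ok = [l for l in links if l.group == group and meets_requirements(method, l, thr)]
        if ok:
            return best_of(method, ok)
    candidates = [l for l in links if l.group in ("primary", "backup")]
    best_effort = [l for l in links if l.group == "best-effort"]
    if candidates and all(compute_cmi(method, l.probe) == WORST_CMI[method] for l in candidates):
        return best_effort[0] if best_effort else None   # "CMI is 0 / 9000": start best-effort link
    if candidates:
        return best_of(method, candidates)                # nothing qualifies: least bad CMI
    return best_effort[0] if best_effort else None


class SprPolicy:
    """Periodic evaluation with the flapping suppression timer (suppression_period=0 disables it)."""

    def __init__(self, method: str, thr: Thresholds, suppression_period: float = 0.0):
        self.method, self.thr = method, thr
        self.suppression_period = suppression_period
        self.current: Optional[str] = None
        self.suppress_until = 0.0

    def evaluate(self, now: float, links: List[Link]) -> Optional[str]:
        by_name = {l.name: l for l in links}
        cur = by_name.get(self.current) if self.current else None
        if cur is not None:
            if meets_requirements(self.method, cur, self.thr):
                return self.current          # link still meets requirements: retain traffic
            if now < self.suppress_until:
                return self.current          # suppression period running: no switchover
        chosen = select_link(self.method, links, self.thr)
        if chosen is None:
            return self.current
        if cur is not None and chosen.name != self.current:
            self.suppress_until = now + self.suppression_period   # timer starts after a switchover
        self.current = chosen.name
        return self.current


if __name__ == "__main__":
    thr = Thresholds(delay=100, jitter=20, loss=5, cmi=8800)
    links = [Link("mpls", "primary", Probe(30, 5, 0)), Link("internet", "primary", Probe(60, 10, 1)),
             Link("lte", "backup", Probe(120, 30, 2)), Link("be", "best-effort", Probe(0, 0, 0))]
    print(select_link("nqa", links, thr).name, compute_cmi("nqa", links[0].probe))
```

With NQA thresholds of 100 ms delay, 20 ms jitter, 5% loss and a CMI of at least 8800, the sample picks the MPLS link (CMI 8965) over the Internet link (8929); when MPLS degrades it moves to the Internet link and starts the suppression timer, and a subsequent Internet failure inside that period is ignored until the timer expires, exactly the behaviour the notes above describe.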
Using iMaster NCE to Implement SPR
⚫ During SPR deployment through iMaster NCE, to improve the site specifications on the entire network, separation between sites and
application policies and traffic-triggered link selection are used together.
⚫ iMaster NCE maintains site adjacency information and application policies, and SPR is configured on routers. Traffic-triggered link
selection allows for on-demand generation of SPR configurations. This prevents a large number of configurations from being created
on the device and reduces the impact of link selection (based on IP FPM) on the CPU, significantly reducing the burden on the
device.
⚫ iMaster NCE can use SAC to classify service traffic based on applications.

[Figure: iMaster NCE maintains the site adjacency list and the application policy table; the network device's site policy table is generated dynamically from them, triggering IP FPM link selection.]
Quiz
1. (Multiple-answer question) Which of the following are private line technologies? ( )
A. SDH
B. L2TP
C. MPLS VPN
D. IPsec VPN
2. (True or false) SPR technology can flexibly select egress links based on the link quality. ( )
A. True
B. False

1. AC
2. A
Summary
⚫ GRE over IPsec is used for WAN interconnection, and L2TP over IPsec is used for remote
intranet access.
⚫ Based on IKE SA information, IPsec SA information can be securely transmitted on the
public network. Based on IPsec SA information, service data can be securely transmitted on
the public network.
⚫ To establish a WAN connection between two private network devices, you need to use a
NAT traversal technology. The common NAT traversal technology is STUN.
⚫ To ensure WAN reliability, the link quality needs to be detected first, and then a proper
egress or egress link is selected based on the link quality through specific technologies.

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
SD-WAN Solution Planning and Design
Foreword
⚫ After years of development and evolution, WAN interconnection has undergone significant
changes. In the past, WAN interconnection was centered on the network, and there were
few applications. As the main component of WAN interconnection, the network took the
most important position. However, with the rise of cloud computing, the potential of
applications is fully exploited, and WAN interconnection gradually becomes application-centric.
⚫ To address the challenges posed by cloud computing to WAN interconnection, Huawei
launches the SD-WAN Solution.
⚫ This course will provide insights into the functions available in the SD-WAN Solution and
the design scheme for this solution.
Objectives
⚫ On completion of this course, you will be able to:
 Describe the challenges faced by enterprise WAN interconnection.
 Describe the architecture and functions of Huawei SD-WAN Solution.
 Describe the SD-WAN networking design scheme.
 Describe the SD-WAN service design scheme.
 Describe the SD-WAN reliability design scheme.
 Describe the SD-WAN security design scheme.

Contents
1. Development Trends and Challenges Facing Enterprise WAN Interconnection
2. Overview of Huawei SD-WAN Solution
3. Networking Design for Huawei SD-WAN Solution
4. Service Design for Huawei SD-WAN Solution
5. Reliability and Security Design for Huawei SD-WAN Solution
Challenges Brought by Cloud Computing to Enterprise WAN
Interconnection
⚫ Before cloud computing was widely used, there were only a small number of network applications. The network
service quality depended only on the bandwidth, and service traffic did not need to be managed in a refined manner.
The Internet was built on a network-centric design.
⚫ The advent of the cloud computing era leads to a significant increase in the number of network applications.
Enterprises have difficulty in striking a balance between the line price and service quality in the face of soaring traffic.

[Figure: HQ connected over the WAN to several branch sites, with the growing services of the enterprise]
Challenges Brought by Multiple Services to Enterprise WAN
Interconnection

Enterprises are unable to detect service quality in real time and therefore cannot effectively guarantee key services. In addition,
enterprises cannot monitor service traffic in real time, and therefore are unable to quickly adjust service traffic.

[Figure: an enterprise HQ with an MPLS primary link and an Internet backup link to the cloud and to branches, annotated with the following problems]
• Difficulty in managing key services such as voice, video, and SaaS applications
• No application visibility (600+ unknown applications), causing difficulty in traffic scheduling
• MPLS primary link: congested during peak hours; Internet backup link: low bandwidth utilization
• Priority conflict: key applications cannot be identified and therefore have a low scheduling priority
• Bandwidth conflict: during peak hours, the burst traffic is three to five times the average traffic, affecting key applications
• Cross-WAN application: SaaS application traffic diverted through HQ, causing high delay
• Video conferences are smooth when idle bandwidth is available, but bandwidth conflict leads to frame freezing in video conferences
Challenges Brought by Large Numbers of Branches to
Enterprise WAN Interconnection

With the development of an enterprise, it will have more and more cross-city, cross-province, and cross-country branches, causing
the following problems in managing branch site networks:
 Too many branches result in high O&M costs.
 It takes a long time to provision new services in branches.
 It is difficult to rectify faults on branch networks.

[Figure: HQ with branch sites 1 to n]
• Time-consuming service provisioning in branches: network planning (2~5 days), device selection (1~3 days), approval process (2~5 days), on-site survey (1~3 days), hardware transportation (2~5 days), hardware installation (1~3 days), software commissioning (1~3 weeks)
• Difficult troubleshooting on branch networks, resulting in high O&M costs
Emergence of SD-WAN
⚫ Software Defined Wide Area Network (SD-WAN) technology can better address the challenges faced
by enterprise WAN interconnection in the cloud computing era.
⚫ SD-WAN is a combination of software-defined technology and WAN technology. It leverages SDN to
reshape WANs by applying the SDN architecture and concepts to WANs.

Characteristics of SD-WAN (as reflected in the top 10 SD-WAN requirements defined by ONUG and the SD-WAN characteristics defined by Gartner and by MEF):
⚫ Uses Zero Touch Provisioning (ZTP) to implement fast deployment and provisioning of branches, improving deployment efficiency.
⚫ Dynamically adjusts traffic paths by application type, making traffic steering more flexible and convenient.
⚫ Provides automatic and intelligent O&M capabilities to implement centralized management and control and network-wide status visualization.
⚫ Provides value-added services (VASs) such as WAN optimization and security to implement fast service provisioning.

• ONUG: refers to Open Networking User Group. ONUG is an influential user
organization led by large enterprises and comprised mainly of IT users. It was
founded by IT technical executives of well-known large enterprises in North
America and is dedicated to driving IT implementation and network technology
transformation for large enterprises. ONUG members include large enterprises in
industries such as finance, insurance, medical care, and retail. ONUG serves as a
platform for high-end customers in North America to discuss and communicate
IT requirements.
• Gartner: It is the world's most authoritative IT research and advisory company. Its
research scope covers all IT industries. It provides objective and fair
demonstration reports and market research reports for customers in terms of IT
research, development, evaluation, application, and market, thereby assisting
customers in market analysis, technology selection, project demonstration, and
investment decision-making.
• The Metro Ethernet Forum (MEF) is a non-profit organization dedicated to
solving the technical problems of the Metro Ethernet. It aims to widely apply the
Ethernet technology to the construction of the Metro Ethernet as switching and
transmission technology. The objective of MEF is to promote the implementation
of existing and new standards, Ethernet service definitions, test procedures, and
technical specifications, developing Ethernet-based MANs into carrier-class
networks. The major tasks of MEF also include providing LSO-based solutions
(LSO is short for Lifecycle Service Orchestration) and architectures for carriers'
managed service markets and defining northbound interfaces (NBIs) to enable
multi-vendor interoperability.
Contents
1. Development Trends and Challenges Facing Enterprise WAN Interconnection
2. Overview of Huawei SD-WAN Solution
▪ Huawei SD-WAN Solution
▫ Major Functions of Huawei SD-WAN Solution
▫ Application Scenarios of Huawei SD-WAN Solution
3. Networking Design for Huawei SD-WAN Solution
4. Service Design for Huawei SD-WAN Solution
5. Reliability and Security Design for Huawei SD-WAN Solution
Overview of Huawei SD-WAN Solution
Customer Benefits
• Benefits for enterprises: lower O&M cost; higher WAN utilization; minute-level service provisioning (location independent); improved O&M efficiency, cloud management & automation.
• Increased revenue: develop new B2B business fields (VAS, connectivity, managed LAN).
• Smooth evolution, openness, and quick integration: RESTful API, CPE/vCPE.
[Figure: service lifecycle loop of cloud applications, self-service portal, subscription, O&M, deployment, adjustment, automation, insights, visualization, and optimization]

Key Technologies
• 5G uplink: 5G supported by all CPE series products; large bandwidth (230 Mbit/s for uplink, 900 Mbit/s for downlink); support for all network generations (5G/4G/3G/2G networks).
• High performance: no congestion during forwarding; CPU+NP heterogeneous forwarding architecture.
• Optimal experience: application-based intelligent traffic steering, ensuring the experience of key applications and enabling on-demand 5G+fiber scheduling.
• Simplified O&M: full-process automation and plug-and-play; visibility of application, branch, device, and link status, and centralized management.

[Figure: hybrid WAN. Edges at Branch 1 and Branch 2 connect over the Internet (xDSL/Ethernet/LTE...) and MPLS to the HQ/DC site (ERP, video...), the public cloud, and, through an IWG, the legacy network.]
Architecture of Huawei SD-WAN Solution
[Figure: layered architecture. A self-developed portal or third-party BSS/OSS connects to the management layer through a RESTful API; the management layer connects to the control layer through NETCONF/SSH and telemetry; the control layer connects to the network layer through BGP/DTLS.]

Role, function, and product form of each layer:
• Management layer (iMaster NCE):
1) Network service orchestration
2) Network performance monitoring and visualization
3) Network O&M
4) Network device management
• Control layer (RR, an AR router):
1) Routing and tunnel information distribution
2) IPsec key exchange
3) VPN topology definition
4) NAT STUN service
• Network layer (AR router):
1) EDGE: egress CPEs at enterprise branches, headquarters, DCs, and cloud sites
2) GW: multi-tenant gateway device

[Figure: branch sites, the HQ/DC site, the public cloud site, and an MPLS legacy site connected through EDGEs over the Internet and MPLS, with a GW in front of the MPLS legacy site.]

• The overall architecture of the SD-WAN solution consists of the network layer,
control layer, and orchestration layer. The layers are associated with each other
through standard interfaces and communication protocols.
▫ Orchestration layer: The Agile Controller-Campus manages enterprise interconnection
services in a refined manner. The Agile Controller-Campus manages
network devices through NETCONF in the southbound direction. The Agile
Controller-Campus provides standard RESTful interfaces to interwork with
third-party applications in the northbound direction.
▫ Control layer: The controller works with distributed control components to
transfer routes between sites in an area and implement inter-area network
interconnection.
▫ Network layer: Cost-effective network devices and overlay technologies are
used between branches, headquarters, and cloud platforms to build on-demand
full-network connections based on any link, such as the Internet
and traditional private lines.
• iMaster NCE-WAN/iMaster NCE-Campus can be used as Huawei SD-WAN
controllers.
• Enterprise branches, headquarters, data centers, and IT infrastructure deployed
on the cloud are collectively referred to as enterprise sites.
Architecture of Huawei iMaster NCE-WAN
[Figure: iMaster NCE-WAN functional architecture]
• Northbound interfaces (to VASs, OSS/BSS, the analysis system, and other applications): RESTful, SNMP trap, Syslog
• Service functions: plug-and-play, traffic policy, security policy, visualized O&M
• Basic functions: cluster management, multi-tenant management, tunnel management, device configuration, device upgrade, log management, alarm management, network PMI
• Southbound interfaces (to network devices, CPE and vCPE): NETCONF, HTTP/2
Network Layer Overview
⚫ An enterprise SD-WAN network can be divided into two layers: physical network (underlay) and virtual network
(overlay), which are completely decoupled from each other.
 Physical network: refers to the underlay WAN provided by a carrier or built by the enterprise, including the private line network
and the Internet.
 Virtual network: also called the overlay network. Huawei SD-WAN Solution uses the IP overlay virtualization technology to build
one or more virtual overlay networks on top of the physical network. Service policies are deployed on virtual networks and are
decoupled from the physical network, thereby separating services from the WAN.

[Figure: overlay virtual network (EDGEs at branch sites, EDGE/RR at HQ, GW at the legacy site) on top of the underlay physical network (carrier network or self-built network).]

• Multiple virtual networks can be deployed to provide different services for the
same tenant (for example, services for multiple departments) or provide different
services for different tenants.

• In terms of network device functions, the network layer of the SD-WAN Solution
consists of two types of NEs: CPE and gateway (GW).
EDGE Overview
⚫ An EDGE is essentially an edge node of the SD-WAN network. EDGEs are interconnected using the IP overlay tunneling technology.
⚫ Traditional hardware EDGEs are typically used on the HQ and branch sites, and virtual devices can be deployed at sites on the public
cloud.
⚫ All SD-WAN EDGEs of an enterprise are centrally managed and maintained in iMaster NCE-WAN by the tenant administrator.

[Figure: central management of hardware devices (CPEs) at branch sites and HQ (EDGE/RR) and a virtual device (vCPE) in a VPC/vNet, together forming the overlay virtual network.]
RR Overview
⚫ A route reflector (RR) is used to transmit BGP routes.
⚫ In Huawei SD-WAN Solution, RRs also control routes and network topologies (they filter overlay routes and control the
overlay topology). Therefore, RRs are also called regional controllers in this solution.
⚫ Both RRs and EDGEs at edge sites are managed by iMaster NCE-WAN.
⚫ Control channels are established between RRs as well as between RRs and edge sites.
⚫ RRs are managed by iMaster NCE-WAN and control route sending and receiving at edge sites based on the overlay
network topology model. In this way, sites can communicate with each other based on the user-configured overlay
topology model.

[Figure: an RR acting as regional controller, with a management channel to iMaster NCE-WAN and BGP EVPN peer relationships to the EDGEs at the branch sites and the HQ/DC site over MPLS and the Internet.]

• RR site: The CPE at the site functions as an RR and distributes EVPN routes
between CPE gateways at edge sites based on VPN topology policy.
• If the tenant administrator assigns the role of "gateway + RR" to an egress CPE
when adding the CPE, the site where the CPE resides is an RR site. If no device at
a site is assigned the "gateway + RR" role, the site is an edge site.
• An edge site can establish IBGP peer relationships with two RRs that back up
each other.

• Multiple RRs can be deployed for a tenant. All RRs are connected in full-mesh
mode on the control plane.
Gateway Overview
⚫ New SD-WAN sites of an enterprise need to communicate with its legacy sites or third-party services.
Some legacy sites are interconnected through MPLS VPN, and SD-WAN sites are interconnected
through IP overlay tunnels. Therefore, the legacy network and SD-WAN network cannot directly
communicate with each other.
⚫ An SD-WAN gateway can connect to both the SD-WAN and legacy networks. It can function as an
intermediate gateway to implement interconnection between SD-WAN and legacy networks.

[Figure: a legacy MPLS domain (PEs, an ASBR-PE, and enterprises 1, 2, and 3) connected through a gateway to the SD-WAN domain (enterprises 1 and 2).]

• A gateway has different roles in different service scenarios. For example, a
gateway connected to a legacy site may be referred to as an interworking
gateway (IWG), and a gateway connected to the cloud may be called a cloud
gateway. These gateways can extend functions by interconnecting with each
other to establish a Point of Presence (PoP) network, where these gateways are
referred to as PoP gateways.
Huawei CPE Devices: NetEngine AR Routers
[Figure: Huawei CPE product portfolio by site type]
• HQ/Large branch: NetEngine AR6300/AR6200 series (NetEngine AR6300, NetEngine AR6280; SRU-400H/SRU-600H)
• Branches in small or midsize enterprises: NetEngine AR6100 series (AR6120 series, AR6140 series)
• Small enterprise: NetEngine AR650 series
• SOHO: NetEngine AR610 series
An AR router can be used as an EDGE, RR, or gateway.
Contents
1. Development Trends and Challenges Facing Enterprise WAN Interconnection
2. Overview of Huawei SD-WAN Solution
▫ Huawei SD-WAN Solution
▪ Major Functions of Huawei SD-WAN Solution
▫ Application Scenarios of Huawei SD-WAN Solution
3. Networking Design for Huawei SD-WAN Solution
4. Service Design for Huawei SD-WAN Solution
5. Reliability and Security Design for Huawei SD-WAN Solution
Major Functions of Huawei SD-WAN Solution
⚫ Huawei SD-WAN Solution provides the following functions:
 ZTP, enabling service provisioning to be completed within 1 hour
 Forwarding-control separation, enabling flexible networking
 Application optimization, enabling service controllability and visibility
 Complete security protection system, eliminating security risks
 Visualized O&M for quick fault locating

[Figure: overlay virtual network of EDGEs at the branch sites and HQ on top of the underlay physical network (carrier network or self-built network), annotated with the RR control channel, ZTP, forwarding-control separation, security hardening, and visualized O&M.]

• ZTP: Multiple ZTP modes are available to enable EDGEs to quickly register with
iMaster NCE-WAN.
• Forwarding-control separation enables flexible networking: Each EDGE
establishes a management channel with iMaster NCE-WAN through NETCONF,
and iMaster NCE-WAN delivers configurations to EDGEs to establish IP overlay
tunnels between the EDGEs.

• Application optimization for service controllability and visibility: The service
awareness (SA) technology is used to identify applications. TCP Flow
Performance Measurement (FPM) and IP FPM technologies are used to
implement application-based quality measurement. The IP FPM technology can
also be used for link quality measurement. Smart Policy Routing (SPR)
technology provides intelligent link switchover based on the application quality.
• Complete security protection system ensures service security: Multiple VPN
technologies, such as IPsec and MPLS, are leveraged to provide end-to-end
protection. The firewall function is supported to provide comprehensive security
protection at the hardware, pipe, and application levels.

• Visualized O&M for quick fault locating: iMaster NCE-WAN collects network-wide
data and displays key indicators, helping O&M personnel quickly locate faults.

ZTP Overview
⚫ With the development of network technologies such as SDN and cloud computing, a growing number of enterprise
networks are using the cloud-based management mode, but most sites still need to be deployed by technical engineers
onsite, leading to high deployment costs and long deployment periods. To address these problems, Huawei
develops the Zero Touch Provisioning (ZTP) function.

ZTP process (as shown in the figure):
1. The network administrator configures the ZTP file.
2. The ZTP configuration file is transferred to the site deployment personnel through an email or a USB flash drive.
3. The site deployment personnel log in to the PC for site deployment.
4. The ZTP configurations are deployed on the EDGE.
5. The EDGE registers with iMaster NCE-WAN over the Internet/MPLS.

• Huawei SD-WAN Solution supports the following ZTP modes:

▫ Email-based deployment

▫ DHCP-based deployment

▫ USB-based deployment

ZTP Modes
⚫ Huawei SD-WAN Solution supports the following ZTP modes:
▫ USB-based deployment: devices are operated in batches in a warehouse and then centrally deployed.
▫ Email-based deployment: this mode applies to networks where multiple access modes are used, achieving one-click deployment.
▫ DHCP-based deployment: no high skill requirements are imposed on onsite deployment personnel.
⚫ ZTP configuration files are transferred in different ways depending on the deployment mode.

[Figure: the three modes arranged between the MSP/carrier side (multi-tenant management) and the enterprise side (subscription and self-service)]

• Files for USB-based, email-based, and DHCP-based deployment can be generated
through iMaster NCE-WAN.
• For details about each deployment mode, learn the course Management and
O&M.

Flexible Networking Overview
⚫ The primary function of SD-WAN is to provide flexible and reliable networking for enterprise WANs.
⚫ Huawei SD-WAN Solution leverages the IP overlay technology together with traditional network technologies, such as Layer 2 switching, Layer 3 routing, and VPN isolation, to achieve on-demand, flexible, and automatic connections between enterprise branches, DCs, and the cloud, with full management support provided by iMaster NCE-WAN.
⚫ Huawei SD-WAN Solution uses the following channels to implement flexible networking:
 Management channel: NETCONF
 Control channel: BGP EVPN
 Data channel: GRE/GRE over IPsec
[Figure: 1. NETCONF management channel from iMaster NCE-WAN to the RR and the EDGEs. 2. Control channel between the RR and the EDGEs. 3. GRE/GRE over IPsec data channel between the HQ/DC site EDGE and the branch site EDGE over MPLS and the Internet.]

• Management channel:
▫ iMaster NCE-WAN sets up management channels with all devices through NETCONF, so as to manage NEs and orchestrate services on the entire network.
• Control channel:
▫ EDGEs set up control channels with the RR.
▫ The RR centrally controls and distributes service routes between branch sites.
▫ The enhanced BGP EVPN protocol is used to implement separate transmission of tenants' VPN route and next hop information, and IPsec SA negotiation.
• Data channel:
▫ EDGEs set up data channels with each other.
▫ EDGEs forward data based on GRE or GRE over IPsec tunnels. The extended GRE header carries VN IDs to differentiate tenants or departments, thereby transmitting data of multiple VNs over the same tunnel.

Management Channel
⚫ Huawei iMaster NCE-WAN establishes management channels with CPEs through NETCONF.
⚫ iMaster NCE-WAN delivers configurations through management channels to achieve the following functions:
 Unified management of CPEs, automatic service delivery, and unified control of overlay networks on iMaster NCE-WAN
 Application visualization and automatic application optimization
 Network security services
[Figure: service presentation layer (site, NTP, IPsec interconnection, wireless network, wired network, IP service, routing protocol, and routing policy configuration), control layer, and network layer (CPE). 1. The network administrator configures parameters on iMaster NCE-WAN. 2. iMaster NCE-WAN delivers the configurations to the CPE through NETCONF (management channel).]

Control Channel
⚫ After iMaster NCE-WAN delivers configurations to a CPE through the management channel, the CPE establishes a control channel with an RR through BGP EVPN.
⚫ The control channel is used to transmit transport network port (TNP) information, IPsec SA information, and service routes.
⚫ After the control channel is established, iMaster NCE-WAN controls route transmission and overlay topology establishment by deploying policies on the RR.
[Figure: control layer and network layer over MPLS and the Internet. 1. Deliver configurations through NETCONF (management channel). 2. Establish a BGP EVPN peer relationship with the RR based on the configurations. 3. Transmit TNP, IPsec SA, and service route information through BGP EVPN. 4. Control route transmission based on policies.]


• A TNP is a WAN port on a CPE used for connecting to a transport network. The
key TNP information includes the site ID, CPE router ID, transport network ID,
public IP address, private IP address, and tunnel encapsulation mode.

Data Channel
⚫ Huawei SD-WAN Solution uses GRE or GRE over IPsec to establish data channels.
⚫ CPEs establish GRE or GRE over IPsec tunnels based on the TNP and IPsec SA information transferred through BGP
EVPN.
⚫ CPEs forward data based on the service routes transferred through BGP EVPN.

[Figure: network layer. TNP, IPsec SA, and service route information is exchanged over BGP EVPN (control channel); the GRE or GRE over IPsec data channel connects the service network segments of the two sites over MPLS and the Internet.]

Application Optimization Overview
⚫ The traditional WAN has the following disadvantages that make it unable to meet network requirements:
 Applications of different values are carried on the same link.
 Dynamic path selection cannot be implemented when link quality deteriorates.
 No effective measure is available when link quality deteriorates.
⚫ To address these problems, Huawei SD-WAN Solution provides the application experience optimization solution that offers the following functions:
 Application identification
 Intelligent traffic steering
 QoS
 Packet loss mitigation
[Figure: typical application optimization process on an EDGE: receive packets → application identification → intelligent traffic steering → QoS → packet loss mitigation → forward packets.]

Application Identification and Traffic Steering
⚫ Huawei SD-WAN Solution uses Smart Application Control (SAC) to identify applications and uses Smart Policy Routing (SPR) to implement application-based traffic steering.
 SAC enables a device to identify applications and group application traffic through SA and first-packet identification (FPI).
 SPR enables a device to measure link quality based on link quality detection packets and determine forwarding paths for traffic.
[Figure: 1. Application identification (SAC functional module) classifies video applications, voice applications, and Internet access services. 2. Application-based traffic steering (SPR functional module) places each class on the MPLS or Internet link.]

• For details about SAC and SPR, learn the course HA Technologies.

QoS and WAN Optimization


⚫ Huawei SD-WAN Solution uses HQoS for bandwidth control and scheduling, and uses Forward Error Correction (FEC) or Adaptive
FEC (A-FEC) for WAN traffic optimization.
 HQoS implements hierarchical scheduling based on multi-level queues and differentiates services and users, implementing refined QoS.
 FEC or A-FEC optimization enables the local device to adjust related parameters based on packet loss on the network to generate redundant packets.
The peer device then verifies and reassembles the packets.

[Figure: QoS and WAN optimization process. 1. HQoS schedules the key traffic (packets 1 to 4) after application identification and traffic steering. 2. FEC redundancy packets (P) are added before transmission over MPLS or the Internet; packet 2 is lost on the link. 3. The peer restores the lost packet through FEC.]
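As an added example (Python written for this page, not code from the training material or from Huawei's products), the following models the FEC step of the figure with a single XOR parity packet per block, and adds a hypothetical A-FEC policy that shrinks the block as measured loss rises. The packet contents, loss positions and loss thresholds are constructed for the demonstration; the page does not describe the real A-FEC algorithm or its parameters.

```python
from typing import List, Optional

# A wire block is k data packets followed by one parity packet; None marks a packet lost on the WAN link.
PacketList = List[Optional[bytes]]


def xor_all(blocks: List[bytes]) -> bytes:
    """XOR equal-length byte strings together; the XOR of a block's packets is its parity packet."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        if len(blk) != len(out):
            raise ValueError("packets in one FEC block must have equal length")
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def fec_encode(data_packets: List[bytes]) -> List[bytes]:
    """Sender side: append one redundancy (parity) packet to a block of k data packets."""
    return list(data_packets) + [xor_all(data_packets)]


def fec_decode(received: PacketList) -> List[bytes]:
    """Receiver side: the last element is the parity packet. Restores at most one lost data packet
    by XOR-ing everything that did arrive; raises ValueError when the loss exceeds that."""
    *data, parity = received
    missing = [i for i, pkt in enumerate(data) if pkt is None]
    if not missing:
        return data                        # nothing lost; the parity packet is simply discarded
    if len(missing) > 1 or parity is None:
        raise ValueError(f"unrecoverable: {len(missing)} data packet(s) lost")
    present = [pkt for pkt in data if pkt is not None] + [parity]
    data[missing[0]] = xor_all(present)
    return data


def afec_block_size(loss_rate: float) -> int:
    """Hypothetical A-FEC policy (an assumption for this example, not Huawei's algorithm): shrink the
    block as measured loss rises, so the parity overhead of 1/k grows with the loss rate."""
    if loss_rate < 0.01:
        return 10
    if loss_rate < 0.05:
        return 5
    return 2


def simulate_link(data_packets: List[bytes], lost_positions: set) -> List[bytes]:
    """Encode a block, drop the wire positions in lost_positions (index k is the parity slot), decode."""
    wire = fec_encode(data_packets)
    received: PacketList = [None if i in lost_positions else pkt for i, pkt in enumerate(wire)]
    return fec_decode(received)


def recoverable(data_packets: List[bytes], lost_positions: set) -> bool:
    """True when the receiver can hand the full block to the application after the given losses."""
    try:
        return simulate_link(data_packets, lost_positions) == list(data_packets)
    except ValueError:
        return False


if __name__ == "__main__":
    block = [b"pkt1", b"pkt2", b"pkt3", b"pkt4"]   # constructed sample packets (the "1 2 3 4" of the figure)
    print(simulate_link(block, {1}))               # packet 2 lost on the link, restored from parity P
    print(recoverable(block, {0, 2}))              # two losses exceed one parity packet: A-FEC would shrink k
    print(afec_block_size(0.2))                    # one parity packet per two data packets at 20% loss
```

One parity packet repairs exactly one loss per block, which is why an adaptive variant has to trade bandwidth (a smaller k) for robustness once probes report higher loss; the thresholds in afec_block_size are placeholders for that trade-off.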


Security Overview
⚫ The advent of SD-WAN stimulates the transition of the enterprise WAN architecture from the traditional closed architecture to an open one. This increases the attack surface and brings new security challenges, such as unauthorized access, data leakage, and network attacks.
⚫ The security of Huawei SD-WAN Solution involves two aspects:
1. System security: includes inter-component security and component security.
2. Service security: includes firewall, IPS, and URL filtering.
[Figure: (1) system security covers security hardening for iMaster NCE-WAN, management channel security (NETCONF), control channel security (RR), data channel security (GRE/GRE over IPsec between the HQ/DC site EDGE and the branch site EDGE over MPLS and the Internet), and security hardening for EDGEs; (2) service security covers service traffic security.]

SD-WAN System Security Hardening
⚫ SD-WAN system security includes:
 Inter-component security: security of management, control, and forwarding channels
 Component security: security of iMaster NCE-WAN and CPEs
[Figure: (1) inter-component security: NETCONF over SSH ensures the management channel security; IPsec ensures the control channel security between the CPEs and the RR; IPsec ensures the data channel security of the GRE over IPsec tunnel between the HQ/DC site CPE and the branch site CPE over MPLS and the Internet. (2) component security: authentication and authorization ensure the security of iMaster NCE-WAN; local attack defense, authentication, and other features ensure the CPE security.]

SD-WAN Service Security
⚫ From the perspective of traffic, SD-WAN services are classified into the following types:
 Site-to-site access service
◼ IPsec ensures security of site-to-site access services.
 Site-to-Internet access service
◼ The built-in firewall, IPS, and URL filtering functions of CPEs ensure the security of site-to-Internet access services.
 Site-to-cloud access service
◼ iMaster NCE-WAN is interconnected with a third-party security gateway and controls this gateway to provide security services.
[Figure: 1. IPsec secures the site-to-site access service between the CPEs (GRE or GRE over IPsec). 2. The firewall, IPS, and URL filtering functions secure the site-to-Internet access service to an Internet service server. 3. iMaster NCE-WAN interconnects with a third-party security gateway and controls it to establish an IPsec tunnel with the CPE, securing site-to-cloud (SaaS) access.]
Visualized O&M Overview
⚫ Quickly obtain abnormal traffic: real-time alarm monitoring
 Customized dashboard (by role or preference)
 Network-wide real-time alarms (minute-level)
⚫ Quickly locate faulty devices or sites: visualized topology status
 Displays topology based on sites and links
 Provides real-time status and performance of sites and links
⚫ Optimize WAN investment and configuration policies: 45+ customized views
 Site, link, application, device, and health status views
 Bandwidth utilization for a site, top N applications by traffic, top N sites by throughput, link throughput trend, and more
Contents
1. Development Trends and Challenges Facing Enterprise WAN Interconnection
2. Overview of Huawei SD-WAN Solution
▫ Huawei SD-WAN Solution
▫ Major Functions of Huawei SD-WAN Solution
▪ Application Scenarios of Huawei SD-WAN Solution
3. Networking Design for Huawei SD-WAN Solution
4. Service Design for Huawei SD-WAN Solution
5. Reliability and Security Design for Huawei SD-WAN Solution
SD-WAN Business Model: Enterprise-Built
⚫ Products involved and their functions:
 iMaster NCE-WAN: As the core of the SD-WAN Solution, it centrally manages CPEs, automatically delivers services, and uniformly controls the overlay network.
 RR: It is the distributed control component that distributes VPN routes between EDGEs based on VPN topology policies.
 EDGE: Egress EDGEs of enterprise branches, headquarters, and DCs.
 SD-WAN gateway: An intermediate gateway device that connects an SD-WAN network with a non-SD-WAN network.
⚫ SD-WAN: iMaster NCE-WAN is deployed on the WAN to centrally manage EDGEs and implement ZTP, thereby shortening the service provisioning time. This helps enterprises cope with challenges brought by cloud services and change services on demand.
⚫ Large enterprises with a vast number of branches, such as financial institutions, retail chains, and gas stations, can deploy iMaster NCE-WAN at the headquarters to set up SD-WAN networks and manage SD-WAN services on their own.
[Figure: iMaster NCE-WAN and the RR at the enterprise HQ/DC; CPEs at the enterprise HQ/DC, the enterprise branch, and the cloud EDGE interconnected over MPLS, the Internet, and LTE; an SD-WAN gateway connects a legacy site.]
SD-WAN Business Model: MSP Resale
[Figure: the MSP hosts iMaster NCE-WAN and the RR and operates a multi-PoP backbone network; the enterprise HQ/DC EDGE and the enterprise branch EDGE connect to the nearest PoP over the Internet, LTE, or MPLS.]
⚫ A managed service provider (MSP) provides a unified SD-WAN controller (iMaster NCE-WAN) to offer SD-WAN services for multiple enterprises. The MSP builds a PoP backbone network, to which an enterprise can connect through the nearest PoP provided by the MSP, thereby achieving high-quality enterprise interconnection. A PoP supports multiple tenants and provides PoP access for multiple enterprises at the same time.
⚫ Enterprises, as tenants, lease SD-WAN services provided by MSPs. An enterprise tenant can manage the SD-WAN services of all sites belonging to it, but it cannot view the SD-WAN services of other tenants.

SD-WAN Business Model: Carrier Resale
⚫ A carrier provides SD-WAN services for multiple enterprises through iMaster NCE-WAN.
⚫ Enterprises, as tenants, lease SD-WAN services provided by carriers. An enterprise tenant can manage the SD-WAN services of all sites belonging to it, but it cannot view the SD-WAN services of other tenants. Enterprises either manage and control their SD-WAN services based on the tenant permissions assigned by carriers, or they can entrust their SD-WAN services to carriers for management and control.
⚫ SD-WAN gateways are used to implement flexible interconnection and fast compatibility between SD-WAN networks and carriers' legacy backbone networks.
[Figure: carrier DC hosting the carrier's management center (iMaster NCE-WAN) and RRs; the carrier's backbone network with SD-WAN gateways; retail company HQ/DC EDGEs and branch EDGEs on the enterprise network, connected over the Internet, MPLS, and LTE.]
Section Summary
⚫ SD-WAN solves the problems of difficult management and high construction and maintenance costs in multi-branch interconnection scenarios. It also guarantees the quality of key services.
⚫ Huawei SD-WAN Solution provides the following functions:
 ZTP, enabling service provisioning to be completed within 1 hour
 Forwarding-control separation, enabling flexible networking
 Application optimization, enabling service controllability and visibility
 Complete security protection system, eliminating security risks
 Visualized O&M for quick fault locating
⚫ Huawei SD-WAN Solution is offered in three business models: enterprise-built, MSP resale, and carrier resale.

Contents
1. Development Trends and Challenges Facing Enterprise WAN Interconnection
2. Overview of Huawei SD-WAN Solution
3. Networking Design for Huawei SD-WAN Solution
▪ SD-WAN Networking Design Overview
▫ SD-WAN Site Design
▫ SD-WAN Tunnel Design
▫ SD-WAN VPN Design
4. Service Design for Huawei SD-WAN Solution
5. Reliability and Security Design for Huawei SD-WAN Solution
Overview of Networking Design for Huawei SD-WAN Solution
⚫ SD-WAN networking design includes site design, tunnel design, and VPN design.
[Figure: overlay (virtual network) on top of the underlay (physical network, a carrier network or an enterprise-built network). Site design covers the branch sites, the active DC, and the standby DC; tunnel design covers the tunnels between the branch EDGEs and the DC EDGE/RRs; VPN design covers VPN1 and VPN2 carried over the overlay.]
Networking Design Process for Huawei SD-WAN Solution
1. Site design
 WAN-side network design
 LAN-side network design
 Dual-CPE interconnection design
2. Tunnel design
 RR networking design
 Data tunnel design
 NAT traversal design
 Specifications-exceeded network design
3. VPN design
 Topology design
 VPN design
 VPN route design
Contents
1. Development Trends and Challenges Facing Enterprise WAN Interconnection
2. Overview of Huawei SD-WAN Solution
3. Networking Design for Huawei SD-WAN Solution
▫ SD-WAN Networking Design Overview
▪ SD-WAN Site Design
▫ SD-WAN Tunnel Design
▫ SD-WAN VPN Design
4. Service Design for Huawei SD-WAN Solution
5. Reliability and Security Design for Huawei SD-WAN Solution
Site Design Panorama
⚫ SD-WAN sites refer to sites for which SD-WAN is deployed for interconnection, and are managed and monitored by iMaster NCE-WAN.
⚫ Site design generally covers:
 WAN-side network design
 LAN-side network design
 Dual-CPE interconnection design
[Figure: hub site with EDGE/RR1 and EDGE/RR2 connected over MPLS and the Internet to two branch sites. WAN-side network design applies to the branch EDGE uplinks, dual-CPE interconnection design to the interlink between the two EDGEs of a branch site, and LAN-side network design to the branch LAN.]

WAN-Side Networking Model
[Figure: single-device networking: one CPE connects the enterprise intranet to MPLS/Internet (one link), to MPLS and the Internet (two links), or to MPLS, the Internet, and LTE/5G (three links). Dual-device networking: two CPEs per site share the MPLS and Internet links in several combinations, optionally with an LTE/5G link added.]


• An SD-WAN site can be deployed with a single CPE or dual CPEs. For small sites, a single CPE can be deployed. For sites with high reliability requirements, dual CPEs are recommended to provide device-level redundancy.
• It is recommended that multiple links be deployed on the WAN side of a CPE. These links can back up each other, offering link-level reliability. In addition, services can easily select the active and standby links among these WAN-side links with differentiated quality.
• A maximum of 10 WAN links can be deployed for each CPE at an SD-WAN site. During actual deployments, to enhance reliability and facilitate O&M, it is recommended that a maximum of three WAN links be deployed for a single CPE at a site, and a maximum of six WAN links be deployed for a site with two CPEs.

Typical WAN-Side Networking
Single-CPE multi-link networking
• For small and midsize sites or branch sites with low reliability requirements, only one CPE needs to be deployed. Multiple WAN links can be deployed and enterprise application traffic of different importance is transmitted over different links.
• Typically, one MPLS link and one Internet link are deployed on the WAN side. The MPLS link has guaranteed SLA and is used to carry enterprises' critical applications. Non-critical applications are carried on the Internet link.
Dual-CPE multi-link networking
• In large sites or branch sites with high reliability requirements, dual CPEs are generally deployed. To ensure service transmission reliability, at least two WAN links are deployed for each CPE.
• Two CPEs are deployed at a branch site. The MPLS link is deployed for one CPE, and the Internet link is deployed for the other CPE. To ensure reliability, an interlink is deployed between the two CPEs to prevent data forwarding failures when a CPE fails.
[Figure: in both models, the Internet link is the primary path for non-critical services and the backup path for critical services; the MPLS link is the primary path for critical services and the backup path for non-critical services.]
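The link-quality-based steering described for SPR in the application identification slide, combined with the primary/backup split above, as an added example (Python written for this page, not Huawei's SPR implementation): each WAN link's quality is summarised from a window of link quality detection probes, and an application class is placed on its primary link if that link meets the class's SLA, otherwise on the first backup that does, with a lowest-loss fallback when no link meets it. The probe samples, SLA thresholds, application classes and link names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# One probe window per WAN link: one-way delay in ms per link-quality detection packet, None = probe lost.
Samples = List[Optional[float]]


@dataclass(frozen=True)
class LinkQuality:
    delay_ms: float
    jitter_ms: float
    loss_pct: float


def measure(samples: Samples) -> Optional[LinkQuality]:
    """Summarise a probe window; None means every probe was lost (treat the link as down)."""
    got = [s for s in samples if s is not None]
    if not got:
        return None
    loss_pct = 100.0 * (len(samples) - len(got)) / len(samples)
    delay_ms = sum(got) / len(got)
    # jitter: mean absolute change between consecutive delay samples
    jitter_ms = (sum(abs(a - b) for a, b in zip(got, got[1:])) / (len(got) - 1)) if len(got) > 1 else 0.0
    return LinkQuality(delay_ms, jitter_ms, loss_pct)


# SLA thresholds and link preference per application class: constructed policy, not Huawei defaults.
SLA = {
    "critical":     {"delay_ms": 100.0, "jitter_ms": 30.0, "loss_pct": 1.0},
    "non-critical": {"delay_ms": 300.0, "jitter_ms": 80.0, "loss_pct": 5.0},
}
# Primary link first, then backups: critical on MPLS with the Internet as backup, the reverse for the rest.
PREFERENCE = {"critical": ["MPLS", "Internet"], "non-critical": ["Internet", "MPLS"]}


def meets_sla(quality: LinkQuality, app_class: str) -> bool:
    sla = SLA[app_class]
    return (quality.delay_ms <= sla["delay_ms"]
            and quality.jitter_ms <= sla["jitter_ms"]
            and quality.loss_pct <= sla["loss_pct"])


def select_link(app_class: str, probes: Dict[str, Samples]) -> Optional[str]:
    """Primary link if it meets the class SLA, else the first backup that does; if no link meets it,
    the live link with the lowest loss (then lowest delay); None only when every link is down."""
    quality = {name: measure(window) for name, window in probes.items()}
    for name in PREFERENCE[app_class]:
        q = quality.get(name)
        if q is not None and meets_sla(q, app_class):
            return name
    alive = {name: q for name, q in quality.items() if q is not None}
    if not alive:
        return None
    return min(alive, key=lambda name: (alive[name].loss_pct, alive[name].delay_ms))


if __name__ == "__main__":
    mpls = [20.0, 22.0, 21.0, 20.0, 23.0]                  # constructed: stable MPLS probes
    internet_degraded = [90.0, 160.0, None, 240.0, 95.0]   # constructed: jitter plus one lost probe (20% loss)
    print(select_link("critical", {"MPLS": mpls, "Internet": internet_degraded}))      # MPLS
    print(select_link("non-critical", {"MPLS": mpls, "Internet": internet_degraded}))  # MPLS: Internet fails its SLA
    print(select_link("critical", {"MPLS": [None] * 5, "Internet": [40.0, 45.0, 42.0, 44.0, 41.0]}))  # Internet
```

The fallback branch matters in practice: when every link breaches the SLA the device must still forward, so the policy degrades to "least bad link" rather than dropping the class, and a link whose probes all fail is excluded from that choice.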


WAN-Side Underlay Route Design
[Figure: BGP used to access WANs. A CPE at the enterprise intranet connects to the Internet and to MPLS.]
• WAN interfaces of CPEs support OSPF, EBGP, and static routes. The routing protocol to be used must be the same as that of the WAN-side network device the CPE connects to.
• On the live network, if static routes are used, services may be interrupted because WAN network faults on indirect links cannot be detected.


LAN-Side Networking Model
[Figure: LAN side connected to Layer 2 networks: a single CPE connected to a Layer 2 switch or directly to a terminal, or dual CPEs running VRRP in front of Layer 2 switches. LAN side connected to Layer 3 networks: single or dual CPEs exchange routes with Layer 3 switches through BGP, OSPF, direct routes, or static routes.]

• LAN side connected to Layer 2 networks:
▫ Small sites have a simple intranet structure, and CPEs typically connect to the intranet of the site at Layer 2.
• LAN side connected to Layer 3 networks:
▫ In Layer 3 interconnection scenarios, SD-WAN routers support the direct connection, dual-homing, and partial-ring networking.
▫ In such scenarios, routing protocols simply need to be configured for CPEs based on the requirements of the LAN device.

Typical Scenario for Connecting the LAN Side to Layer 2 Networks
Single CPE: LAN side connected to a Layer 2 network
• In the single-CPE architecture, LAN-side interfaces can be directly connected to terminals at small sites.
• If the number of required LAN-side interfaces is beyond the CPE specifications, access switches can be connected to the CPE.
Dual CPEs: LAN side connected to a Layer 2 network
• In a dual-CPE architecture, VRRP is usually deployed.
• Switches can be deployed on the LAN side to form a stack.
• An interlink needs to be established between CPEs to forward service packets between CPEs.
[Figure: a single CPE connected to an AP or a Layer 2 switch; dual CPEs running VRRP above a Layer 2 switch.]


• In the single-CPE structure, the LAN connection is simple.
▫ For small sites, for example, SOHO sites, LAN-side interfaces can be directly connected to terminals at the sites.
▫ If the number of required LAN-side interfaces is beyond the CPE specifications, access switches can be connected to the CPE. In this case, access switches can be connected to the CPE in one-armed mode.
• In the dual-CPE architecture, VRRP is usually configured for the CPEs to prevent the dual-CPE architecture from affecting the LAN side.
▫ Multiple switches can be deployed on the LAN side to form a stack. If two CPEs are deployed at a site, they can be interconnected directly or through the LAN.
▫ CPEs can be directly connected through an Eth-Trunk link. In addition, an interlink needs to be established between the active and standby CPEs to forward service packets between the CPEs.

Typical Scenario for Connecting the LAN Side to Layer 3 Networks
Single or dual CPEs: LAN side connected to a Layer 3 network
• In the Layer 3 interconnection scenario, if only one CPE is deployed, the network structure is simple. In such a scenario, only the routing protocol needs to be configured on the LAN side based on requirements of LAN-side devices.
[Figure: a single CPE, or dual CPEs, exchange routes with Layer 3 switches through static routes, OSPF, or BGP.]


• For large enterprise sites, the network structure is complex as Layer 3 core devices are deployed on the network. Therefore, egress routers must support interconnection with Layer 3 devices. They can be connected to a Layer 3 network directly or in dual-homing mode. BGP, OSPF, and static routes are supported.
• In the Layer 3 interconnection scenario, if only one CPE is deployed, the network structure is simple. In such a scenario, only the routing protocol needs to be configured on the LAN side based on requirements of LAN-side devices.

Dual-CPE Interconnection Networking Model
⚫ In dual-CPE dual-link networking, if an uplink fails, the interlink between CPEs is used to transmit data.
⚫ In addition to exchanging routes between two CPEs at a site, the interlink is also used to synchronize key information between the two CPEs, including link information, tunnel connection information, SLA information about tunnel connections, IPsec SA, and application identification result.
⚫ With such information, resources on the two CPEs at each SD-WAN site can be regarded as a whole. Then services such as cross-device traffic steering can be implemented.
[Figure: site A with CPE1 (MPLS uplink) and CPE2 (Internet uplink) joined by an interlink, both connected to the LAN.]


Dual-CPE Interconnection Networking Solution
Dual-CPE interconnection networking solution 1
• A direct link is used as the interlink for interconnection. If service traffic of a site is heavy and CPE interfaces are sufficient, using two interlink interfaces is recommended. iMaster NCE-WAN automatically orchestrates the two interlink interfaces into an Eth-Trunk interface to increase the interlink bandwidth and ensure interlink reliability.
Dual-CPE interconnection networking solution 2
• If CPE interface resources are limited, the interlink can be established between Layer 2 service interfaces on the LAN side of CPEs.
[Figure: in solution 1, CPE1 and CPE2 at site A are joined by a dedicated interlink; in solution 2, the interlink runs through the LAN-side Layer 2 interfaces. In both, the CPEs uplink to MPLS and the Internet.]


• Solution 1 is recommended. In this solution, the interlink and service links are
independent of each other. When WAN-side links are adjusted, the interlink will
not be affected, and the service flow direction is clear.
Contents
1. Development Trends and Challenges Facing Enterprise WAN Interconnection
2. Overview of Huawei SD-WAN Solution
3. Networking Design for Huawei SD-WAN Solution
▫ SD-WAN Networking Design Overview
▫ SD-WAN Site Design
▪ SD-WAN Tunnel Design
▫ SD-WAN VPN Design
4. Service Design for Huawei SD-WAN Solution
5. Reliability and Security Design for Huawei SD-WAN Solution
Tunnel Design Overview
⚫ Tunnels in the SD-WAN Solution can be classified into: management tunnel, control tunnel, and data tunnel. Control tunnels are established between RRs and EDGEs, and data tunnels are established between EDGEs. Data tunnels carry services.
⚫ Tunnel design generally covers:
 Data tunnel design
 RR design
 NAT traversal design
 Specifications-exceeded network design
[Figure: hub site with EDGE/RR1 and EDGE/RR2 connected over MPLS and the Internet to two branch EDGEs and to a CPE behind a NAT device. RR design and specifications-exceeded network design apply to the hub, data tunnel design to the branch-to-hub tunnels, and NAT traversal design to the CPE behind the NAT device.]

Basic Concepts of Tunnels
• Transport network (TN): a carrier-provided WAN network that implements branch interconnection of enterprises over WANs.
• Routing domain (RD): If different TNs are reachable to each other (for example, the Internet provided by ISP B and ISP C in the figure can communicate with each other), they are considered to be in the same RD.
• Site ID: globally unique identifier of a tenant site, which is allocated by iMaster NCE-WAN.
• CPE router ID: globally unique identifier of a CPE at a site. A site can contain one or two CPEs. Generally, the device loopback address is used as the CPE router ID.
• WAN link: a link connecting to a WAN interface. A WAN link has a one-to-one mapping with a WAN interface. The IP address obtaining mode, link negotiation rate, and bandwidth can be configured for a WAN link.
• Transport network port (TNP): WAN interface through which a CPE connects to a TN. Key information includes the site ID, CPE router ID, transport network ID, public IP address, private IP address, and tunnel encapsulation.
[Figure: HQ site (site ID AAA) with CPE1 (router ID 1.1.1.1) and CPE2 (router ID 2.2.2.2); branch site 1 (site ID BBB) with CPE3 (3.3.3.3) and CPE4 (4.4.4.4); branch site 2 (site ID CCC) with CPE5 (5.5.5.5). The TNs are MPLS-ISP-A, Internet-ISP-B, and Internet-ISP-C; MPLS-ISP-A forms the RD "MPLS" and the two Internet TNs form the RD "Internet". The GE0/GE1 WAN interfaces of the CPEs are the TNPs.]


• The TN and RD are used to set up overlay tunnels in enumerated mode.
• The site ID is used as the next hop of a routing entry.
• The CPE router ID is used to establish BGP peer relationships between different sites.
• TNPs are used to establish tunnels.

TNP
⚫ A TNP mainly describes WAN link information of a site and is mainly used to establish control and data tunnels.
⚫ The main information about a TNP is as follows. The example is CPE1 (router ID 1.1.1.1) at site 111, with GE0 (10.2.1.1/30) on MPLS-ISPA (TN1) and GE1 (10.2.2.1/30) on Internet-ISPB (TN2) behind a carrier NAT device whose public address is 202.2.2.1/30; both TNs are in RD1.
TNP information | Example (GE0) | Example (GE1) | Description
Site ID | 111 | 111 | Site of the TNP.
CPE router ID | 1.1.1.1 | 1.1.1.1 | CPE to which the TNP belongs.
TNP ID | 1 | 2 | TNP ID.
Transport network | TN1 | TN2 | TN to which the TNP belongs.
Routing domain | RD1 | RD1 | RD to which the TNP belongs.
Public IP | 10.2.1.1 | 202.2.2.1 | WAN-side public IP address (post-NAT).
Private IP | 10.2.1.1 | 10.2.2.1 | WAN-side private IP address (pre-NAT).
Encapsulation | GRE | GRE | Encapsulation mode.


• TNs and RDs are mainly used to enumerate tunnels.
▫ Tunnel enumeration: All tunnels that can be established are enumerated.
• Router IDs are mainly used to establish control channels.
• A site ID is used as the next hop for data forwarding.
• A TNP ID can be considered as the interface number.
• The public and private IP addresses are used as the source or destination IP addresses of control and data channels.
▫ Some CPEs are deployed behind the NAT device. To establish data channels between CPEs, you need to know the post-NAT public IP address.
▪ CPEs typically use the Session Traversal Utilities for NAT (ST UN) technology to detect public IP addresses.

Tunnel Enumeration
⚫ CPEs enumerate tunnels based on the RD and TN in TNP information.
⚫ Tunnel enumeration ensures SD-WAN network reliability and guarantees service quality.
⚫ Tunnel enumeration rules:
 Connections can be enumerated only between TNPs in the same RD. Full-mesh connections are set up between interfaces of the same RD.
 Connections cannot be enumerated between TNPs in different RDs.
[Figure: CPE1 (GE0 on MPLS-ISPA, GE1 on Internet-ISPB) and CPE2 (GE0 on Internet-ISPC) at one site, CPE3 (GE0, GE1) at the other. MPLS-ISPA is the RD "MPLS"; Internet-ISPB and Internet-ISPC form the RD "Internet". Full-mesh connections are set up between interfaces of the same RD.]


• Data tunnels are enumerated before being established to ensure that all available data tunnels are established.
• Tunnels can be enumerated only when the following conditions are met:
▫ The CPE has learned service routes of the peer site.
▫ The CPE has learned the TNP information of the peer site.

SD-WAN Tunnel Establishment Process
⚫ The process of establishing SD-WAN tunnels is as follows:
Management channel establishment
1. The administrator configures WAN link parameters for EDGEs or RRs on iMaster NCE-WAN.
2. The installation engineer delivers the configuration to EDGEs or RRs through ZTP.
3. EDGEs or RRs proactively register with iMaster NCE-WAN and establish a NETCONF channel (management channel) with iMaster NCE-WAN.
Control channel establishment
1. After iMaster NCE-WAN delivers configurations to EDGEs and RRs through the management channel, the EDGEs and RRs establish a DTLS management channel with iMaster NCE-WAN.
2. EDGEs exchange TNP and IPsec SA information with RRs.
3. A BGP EVPN control channel is established based on TNP and SA information.
Data channel establishment + data forwarding
1. EDGEs reflect their respective TNP and IPsec SA information through RRs.
2. EDGEs reflect their service routes through RRs.
3. After the TNP and IPsec SA information is advertised, a data channel is established through routes.
[Figure: the network administrator and the installation engineer on the left; NETCONF management channel from iMaster NCE-WAN to the EDGE/RR; TNP and IPsec SA information exchanged between EDGEs and the RR; TNP, IPsec SA, and service routes reflected between EDGEs through the RR; data channel between the EDGEs.]


• The management channel is used to establish control channels and deliver basic configurations.
• Control channels are used to establish data channels.
▫ Datagram Transport Layer Security (DTLS) is a security protocol for the datagram transport layer; it provides TLS-equivalent protection for UDP-based traffic.
• Data channels are used to transfer user data.
• TNP information is exchanged twice:
▫ During the control channel establishment phase, TNP information is exchanged to exchange information about channel establishment between RRs and EDGEs.
▫ During the data channel establishment phase, TNP information is exchanged to exchange information about channel establishment between EDGEs.

Tunnel Networking Model
Different RDs
 Sites A and B each have two links: MPLS-A in RD1 and Internet-A in RD2.
• Sites A and B are connected through two links and are isolated on the underlay network. Different RDs are planned. Two tunnels are established between the sites.
Different TNs, same RD
 Sites A and B each have two links: Internet-A in RD1 and Internet-B in RD1.
• Sites A and B are connected through two links and can communicate with each other on the underlay network. They are planned in the same RD and set up a full-mesh network.
Network in the same RD, different RDs created logically
 Sites A and B each have two links: Internet-A in RD1 and Internet-B in RD2.
• Sites A and B are connected through two links and can communicate with each other on the underlay network. They are planned in different RDs. Two tunnels are established between the sites.


Tunnel Networking Reliability

(Figure: fault scenarios A and B for Site A and Site B connected over MPLS-A and Internet-A, shown once for "Different TNs, same RD" and once for "Different RDs and TNs".)

• Same RD for different TNs: The networking reliability is enhanced, but more virtual connection resources of the device are consumed.
• Different RDs for different TNs: The number of connections is reduced, and the networking scale is expanded. However, the networking is less reliable.


RR Deployment Mode

(Figure: Method 1 shows the HQ/DC EDGE also acting as RR; Method 2 shows a separate RR site; Method 3 shows RRs in Area A, Area B, and Area C. In each method, Branch 1 and Branch 2 connect over MPLS and the Internet.)

• Method 1: co-deployment of the RR and EDGE. A site that functions as an RR not only implements control on the control layer but also forwards service traffic of the site on the forwarding layer.
• Method 2: independent deployment of RRs. Sites that function as RRs do not have LAN-side networks and do not function as hubs for other sites to communicate with each other. The RR does not process service data and only performs control-layer operations.
• Method 3: deployment of RRs in multiple areas. Multiple areas are created, in each of which at least one pair of RRs is deployed. RRs in different areas establish BGP EVPN peer relationships with each other to advertise and learn VPN routes of different areas.


• RR deployment suggestions are as follows:

▫ To prevent site network adjustment from affecting the stability of RRs, you
are advised to use method 2, that is, independent deployment of RRs.

▫ Use high-performance devices as RRs. For details about the devices that can
function as RRs, see the specifications list.

▫ Configure a public IP address for an RR, or deploy a NAT device before the
RR. Only 1:1 static NAT is supported.

▫ An EDGE site can connect to a maximum of two RR sites. Two EDGEs can
be deployed at each RR site deployed for a tenant. If there are a large
number of EDGEs, multiple RRs can be deployed, and each RR serves some
EDGE sites.

▫ When one EDGE is connected to two RR sites, the EDGE establishes a BGP
connection with each RR at the RR sites.

▫ If a branch site has a standby link, for example, the branch or the RR has a
standby link, and the active link is normal, no control channel is established
for the standby link. When all active links from the branch site to the RR
are down, the standby link is involved in the establishment of control
channels.
▫ It is not recommended that standby links be established at RR sites.
▫ If the number of EDGEs on the network exceeds the RR control
specification, you are advised to assign sites to different areas. An
independent RR is deployed in each area, and BGP peer relationships are
established between RRs in each area to exchange routes between areas.
▫ When deploying RRs, consider the total number of routes on the LAN side
of each site to prevent the route specifications of the RR from being
exceeded.
▫ The BGP peer relationship is established between the EDGE and RR using the loopback address. If multiple tunnel connections are available between the EDGE and RR, a random connection is used to establish the BGP peer relationship. When a WAN link fails, BGP automatically switches services to another link, and services between sites are not affected. When all RRs are faulty, the connections with EDGEs are unavailable, interrupting services between sites. Therefore, RR reliability must be ensured during actual deployment. For example, deploy two EDGEs at an RR site, specify two RR sites for the EDGE, and use distributed RR sites (each RR site is responsible for some EDGEs). This prevents network-wide service interruption caused by the failure of the only RR deployed on the network.

RR Deployment Principles

(Figure: co-deployment of the RR and EDGE, with a hub EDGE/RR, versus independent RR deployment, with RR1 and RR2; branch EDGEs connect over MPLS and the Internet.)

⚫ Considering the importance of RRs, follow the principles below when deploying RRs:
 Redundancy must be implemented for RRs. That is, at least two RRs must be deployed on the live network. This prevents network-wide services from being interrupted because the only RR deployed on the network fails.
 An edge site must be connected to two RRs to implement egress backup.
 It is recommended that RRs be independently deployed to ensure stability.
 If RRs cannot be deployed independently, select routers at core positions as RRs and ensure that the device performance can meet the requirements.
 Use the RR models recommended in the specifications list.


• An EDGE can be connected to a maximum of two RR sites (four RRs).

• For small networks (for example, a network with fewer than 50 sites), RRs and
hubs can be deployed in co-located mode.

• RRs require strong BGP connection capabilities (number of BGP peers), a large number of EVPN connections, and high route reflection capability and efficiency. In actual deployments, select the RR models recommended in the specifications list, for example, AR6300/AR6280.

Typical RR Networking: Enterprise-Built

(Figure: co-deployment of the RR and EDGE, where the hub EDGE acts as RR, versus independent RR deployment with a separate RR site; Branch 1 and Branch 2 connect over MPLS and the Internet.)

• Co-deployment of the RR and EDGE: Small and midsize enterprises have a small number of branch sites. If the traffic between branches and the HQ/DC is not heavy, it is recommended that the RR be co-deployed with the EDGE. The hub site functions as the RR to carry the control plane.
• Independent RR deployment: Large enterprises have a large number of sites. If these enterprises have high network reliability requirements, independent RR deployment is recommended.


Typical RR Networking: Carrier/MSP Resale

(Figure: the carrier/MSP DC hosts RR access area 1 and RR access area 2; the HQ/DC and branch EDGEs of Enterprise A and Enterprise B connect to them over MPLS and the Internet.)

⚫ In the carrier/MSP resale scenario, it is recommended that RRs be deployed independently. The MSP administrator creates RRs, divides access areas, and allocates RRs to the corresponding access area for management.
⚫ Advantages:
 The control plane of SD-WAN networks of all enterprise customers is centrally managed.
 RRs can be flexibly allocated to different tenants.
 In addition to RRs deployed by MSPs, carriers or MSPs can provide multi-tenant gateway access services for enterprise customers.


• An MSP administrator deploys independent RRs as a service provided by carriers or MSPs for enterprise users to access. Two RR service modes are available: sharing and exclusive. In sharing mode, one RR is shared by multiple tenants. In exclusive mode, one RR is exclusively used by a tenant.

▫ MSP RR sharing by multiple tenants: For small and midsize enterprises with a small number of sites, it is recommended that one RR be shared by multiple tenants. Sites of different enterprise tenants are connected to the same multi-tenant RR, which carries the control plane.

▫ MSP RR exclusive to a tenant: Carriers can specify an independent RR in an access area for exclusive use by a large enterprise with a large number of sites. Based on actual scenarios, carriers or MSPs can deploy RRs for tenants in co-deployment mode, independently, or based on areas.

NAT Traversal
⚫ On the live network, some enterprise branches use home broadband to access the network.
 In this case, traffic needs to pass through the NAT device. Therefore, tunnels cannot be directly established for such enterprise branches.
 In SD-WAN scenarios, NAT traversal technology is required for interconnection between such enterprise branches.

Establishing a data channel for NAT traversal

(Figure: two EDGEs, each acting as a STUN client on a private network behind a NAT device, reach the RR, which acts as the STUN server, over the Internet.)

1. Each EDGE (STUN client) contacts the RR (STUN server) through its NAT device.
2. The STUN binding response tells each EDGE the public IP address and port number that its NAT device maps to its private address: private IP1:Port1 is mapped to public IP2:Port2 on one side, and private IP4:Port4 is mapped to public IP3:Port3 on the other.
3. Learn the peer TNP and routes through BGP.
4. Establish a data channel for NAT traversal.


NAT Traversal: Connection Between EDGEs and iMaster NCE-WAN

(Figure: iMaster NCE-WAN behind a NAT device that is configured with a public IP address and a NAT server; branch EDGEs behind their own NAT devices reach it over the Internet.)

⚫ An EDGE proactively sends a registration request to iMaster NCE-WAN. To implement this, the southbound IP address of iMaster NCE-WAN must be reachable.
⚫ On the live network, iMaster NCE-WAN may be deployed behind a NAT device. In this case, the NAT Server needs to be deployed on the NAT device and the following ports need to be mapped:
 10020: southbound port, which is used by devices to register with iMaster NCE-WAN.
 10031: southbound port, which is used by devices to connect to iMaster NCE-WAN through HTTP.
 18008: northbound port, which is used for web login.
 80: northbound port, which is used for web login.
 18018: northbound port, which is used by PCs to upload files to iMaster NCE-WAN.
 18021: file server port, which is used by iMaster NCE-WAN to update files.
⚫ Because the NAT Server can be deployed, NAT traversal is not involved in this scenario.


NAT Traversal: Connection Between EDGEs and RRs

(Figure: one RR uses a public IP address directly; another sits behind a NAT device that is configured with a public IP address and 1:1 static NAT. Branch EDGEs behind NAT devices reach both over the Internet.)

⚫ An RR must have a public IP address or be configured with 1:1 static NAT. Therefore, NAT traversal is not involved in communication between CPEs and RRs.


NAT Traversal: Connection Between EDGEs

(Figure: two branch EDGEs behind NAT devices hold STUN sessions with the STUN server over the Internet and then establish a NAT traversal data channel directly between each other.)

⚫ A data channel is established between EDGEs, and traffic between sites is transmitted through the data channel. If an EDGE is deployed on the private network behind the NAT device, NAT traversal is required for communication with another EDGE, especially in scenarios where the EDGEs at both sites are deployed on private networks behind NAT devices.


Networking Specification Calculation

(Figure: an HQ/DC hub (RR) connected over MPLS, the Internet, and an LTE standby link to spoke sites in Area 1 (30 sites), Area 2 (170 sites), Area 3 (15 sites), and Area 4 (85 sites).)

⚫ When planning a network, consider the device performance specifications. In the SD-WAN Solution, the number of BGP peers, the number of tunnels, and the bandwidth also need to be considered.
⚫ Networking specification calculation
 Number of BGP peers of hubs/RRs = Number of sites with dual gateways x 2 + Number of sites with a single gateway
  ◼ Number of BGP peers = 200 x 2 + 100 = 500
 Number of hub tunnels = Total number of tunnels of each gateway at a hub site
  ◼ The two hubs at a dual-hub site share the tunnel specification. For example, if a single EDGE supports 1000 tunnels, the two hubs at a dual-hub site share this 1000-tunnel specification.
  ◼ Number of hub tunnels = 300 x 4 = 1200
 Network bandwidth of a hub site = Number of branch sites x Bandwidth required by sites
  ◼ Total network bandwidth required by the hub = 300 x 10 Mbps = 3 Gbps
 iMaster NCE-WAN can manage a large number of sites. In most cases, you do not need to pay attention to the networking specification calculation.


• Different device models have different BGP peer specifications and tunnel
specifications.
• For details about the product specifications, see the product documentation.

Specifications-Exceeded Network Design

⚫ When there are a large number of branches on the network, the specifications of the hub device are easily exceeded, regardless of whether the flattened topology or the hierarchical topology is used. To solve this problem, the following two solutions are available:

(Figure: area-based networking, with Area1 and Area2 under one tenant, each with its own HQ hub EDGEs, RRs, and branch EDGEs; and tenant-based networking, with Tenant 1 and Tenant 2 under an MSP administrator, each with its own HQ hub EDGEs, RRs, and branch EDGEs. Sites connect over MPLS/Internet.)

• Area-based networking: If the specifications are exceeded at the hub site, multiple hub sites can be deployed, and multiple areas can be created within a tenant, forming the area-based networking.
• Tenant-based networking: If the specifications are exceeded at the hub site and rights- and domain-based management is required, networks can be created based on tenants and centrally managed by the MSP administrator.


• Area-based networking:
▫ Multiple areas are created under a tenant, and multiple hub sites are deployed in the HQ/DC. Each area is associated with one or two hub sites.
▫ Branch sites are added to corresponding hub sites by area.
▫ RRs can be independently deployed. Each pair of RRs is associated with sites in an area.
▫ Traffic between inter-area sites is transmitted through the LAN side of the hub.

• Tenant-based networking:
▫ The MSP administrator creates multiple tenants, and multiple hub sites are deployed in the HQ/DC. Each tenant is associated with one or two hub sites.
▫ Branch sites are grouped by their geographical areas and are added to different tenants.
▫ RRs can be independently deployed. Each pair of RRs is associated with sites in an area.
▫ Traffic between inter-area sites is transmitted through the LAN side of the hub.
Contents

1. Development Trends and Challenges Facing Enterprise WAN Interconnection

2. Overview of Huawei SD-WAN Solution


3. Networking Design for Huawei SD-WAN Solution
▫ SD-WAN Networking Design Overview

▫ SD-WAN Site Design

▫ SD-WAN Tunnel Design

▪ SD-WAN VPN Design

4. Service Design for Huawei SD-WAN Solution

5. Reliability and Security Design for Huawei SD-WAN Solution

VPN Design Panorama
⚫ The SD-WAN Solution uses VPNs to isolate services for multiple departments of a single tenant. In this case, the network of each department under a tenant is an independent service VPN.
⚫ VPN design generally covers:
 VPN design
 Topology design
 VPN route design

(Figure: the overlay (virtual network) with VPN1 and VPN2 spanning the HQ and branch EDGEs, their core switches, and the RR; the three design items are mapped onto it.)

SD-WAN VPN

(Figure: VPN1 and VPN2 in the virtual network (overlay network) on top of the physical network (underlay network) formed by the HQ and branch edges over MPLS and the Internet.)

⚫ VPN is short for virtual private network on SD-WAN. Each VPN is an independent IP Layer 3 private network. Multiple VPNs are logically isolated from each other, from the tunnel established at a site to the EDGE at the site. Therefore, these VPNs cannot directly communicate with each other.
 Each VPN can use an independent topology model, including hub-spoke, full-mesh, partial-mesh, and hierarchical networking.
 Service policies, such as traffic steering policies and QoS policies, can be independently configured for each VPN.


VPN Planning and Design

(Figure: a CPE with a WAN-side physical interface carrying the data tunnel and a LAN-side physical interface with VLANIF interfaces; VPN1 (R&D dept) and VPN2 (Finance dept) each have their own traffic steering policy, QoS policy, security policy, and so on.)

⚫ VPN planning suggestions:
 Determine the number of departments whose services need to be isolated based on service isolation requirements, for example, the R&D department, finance department, and marketing department.
 Assign LAN-side physical interfaces and VLANs to different departments. One department can have an independent LAN-side physical interface, or all departments can share one physical interface and be isolated through VLANs.
 Plan initial policies for different departments, including traffic steering policies, Internet access policies, QoS policies, legacy site access policies, and URL, IPS, and firewall policies.

Overlay Topology Design

(Figure: four overlay topologies, each with an HQ/DC and Site1 to Site4: hub-spoke networking topology, full-mesh networking topology, partial-mesh networking topology, and hierarchical networking topology. The hierarchical topology adds Border 1 and Border 2.)


• Hub-spoke:
▫ Generally, the enterprise HQ/DC functions as a hub site, and enterprise branches function as spoke sites. Server applications deployed in the HQ/DC are accessed through the WAN in a centralized manner.

• Full-mesh:
▫ In this topology, different branches can directly communicate with each other, without the need to divert traffic through intermediate nodes.

• Partial-mesh:
▫ Partial-mesh can be considered as a special type of full-mesh networking. If an underlay network is available between two sites, traffic can be directly transmitted between the two sites. Otherwise, the two sites communicate with each other through a redirect site.

• Hierarchical networking:
▫ The hierarchical networking model can be considered as a combination of single-layer networking models. A WAN is divided into multiple areas, which are interconnected through a centralized backbone area to implement inter-area communication between sites.

Hub-Spoke Networking

(Figure: an HQ/DC hub connected over MPLS and the Internet to spoke branches.)

⚫ Solution Overview
 Generally, the enterprise HQ/DC functions as a hub site, and enterprise branches function as spoke sites. Server applications deployed in the HQ/DC are accessed through the WAN in a centralized manner.
 If branches of an enterprise need to communicate with each other, traffic between them is transmitted through the hub site. All external access traffic of branch sites is first sent to the hub site.
⚫ Application Scenario
 This mode is generally applicable to enterprises where traffic is mainly sent from branch sites to the hub site.
 Enterprise applications are centrally stored on servers at the HQ/DC. The main service traffic is from branch sites to the hub site.
 Only a small amount of traffic is transmitted between branch sites.
 A typical example is chain stores. The major traffic of a chain store is destined for the HQ/DC, and there is almost no traffic between chain stores.


Full-Mesh Networking

(Figure: an HQ/DC edge and branch edges connected to one another over MPLS and the Internet.)

• Solution Overview
 In the full-mesh topology, branches can directly communicate with each other, without the need to divert traffic through intermediate nodes.
• Application Scenario
 The full-mesh topology is applicable to small enterprises with a small number of sites or large enterprises whose branches need to collaborate with each other.
 Collaborative services, for example, high-value applications including VoIP and video conferencing, have stringent requirements on network performance such as the packet loss rate, delay, and jitter. To meet the requirements of such services, branches are recommended to communicate with each other directly.
 The full-mesh topology is simple, and service communication is efficient. However, the full-mesh topology has average network scalability and applies to a network with 10 to 100 branch sites.


Partial-Mesh Networking

(Figure: an HQ/DC edge acting as the redirect site, with branch edges connected over MPLS and the Internet.)

• Solution Overview
 A partial-mesh network can be considered a special type of full-mesh network. If direct underlay network connections are available between sites, traffic is directly transmitted between the sites. Otherwise, traffic between sites is forwarded through a redirect site, to which both sites are connected.
• Application Scenario
 Branch sites cannot directly communicate with each other over the underlay network and use a redirect site for communication instead.
 In full-mesh networking, branch sites directly communicate with each other over the underlay network. To enhance reliability, a redirect site can be deployed. When the underlay network is faulty and sites cannot directly communicate with each other, traffic between branch sites is transmitted through the redirect site.


Hierarchical Networking

(Figure: a level-1 network of border edges over MPLS and the Internet, with two level-2 networks of branch edges, each also over MPLS and the Internet, attached through their border sites.)

• Solution Overview
 The hierarchical networking model can be considered as a combination of single-layer networking models. A WAN is divided into multiple areas, which are interconnected through a centralized backbone area to implement inter-area communication between a large number of sites.
 For example, a multinational enterprise can be divided into multiple areas (China, Europe, America, etc.) based on its management structure. Each area uses a single-layer networking model, which can be hub-spoke or full-mesh. In addition, each area uses one or more sites as its border sites. The border sites of each area form the backbone area for interconnection between areas, that is, the level-1 network. In this way, border sites connect to both the level-2 area network and the level-1 network.
• Application Scenario
 The hierarchical networking is applicable to enterprises with a large number of sites or multinational enterprises with widely distributed sites. The hierarchical networking has a clear network structure and good network scalability.


VPN Route Design

(Figure: the HQ and branch EDGEs learn LAN-side routes (BGP, OSPF, direct, static) from their LANs and exchange overlay routes with the RR over MPLS and the Internet.)

⚫ The VPN routes of the local EDGE are collected using the LAN-side routing protocol and then sent to the peer EDGE through the BGP EVPN protocol of the WAN.
 LAN-side routes: LAN-side interfaces of EDGEs support OSPF, BGP, and static routing. The routing protocol to be used must be the same as that of the LAN-side network device.
 WAN-side overlay routes: Generally, BGP EVPN is deployed to establish BGP peer relationships with RRs and advertise overlay network domain routes. The configuration is automatically orchestrated by the controller.
 LAN- and WAN-side routes can be filtered using routing policies.

Section Summary

⚫ SD-WAN networking design includes site design, tunnel design, and VPN
design.
 Site design: includes WAN/LAN networking design and dual-CPE design.
 Tunnel design: includes data tunnel design, RR design, NAT design, and
specifications-exceeded network design.
 VPN design: includes VPN design, topology design, and VPN route design.

Contents

1. Development Trends and Challenges Facing Enterprise WAN Interconnection

2. Overview of Huawei SD-WAN Solution

3. Networking Design for Huawei SD-WAN Solution

4. Service Design for Huawei SD-WAN Solution


▪ SD-WAN Service Design Overview

▫ SD-WAN Application Service Design

▫ SD-WAN Network Service Design

5. Reliability and Security Design for Huawei SD-WAN Solution

Overview of Service Design for Huawei SD-WAN Solution
⚫ SD-WAN service design includes application service design and network service design.

(Figure: branch site EDGEs connect to the active DC and standby DC EDGE/RRs over the overlay (virtual network); the Internet and a legacy network are reached through a GW. Application service design defines per-service SLAs; network service design covers Internet and legacy network access.)
 Service 1: SLA: delay: 50 ms; jitter: 5%; packet loss rate: 5%; TN1 preferred
 Service 2: SLA: delay: 150 ms; jitter: 10%; packet loss rate: 10%; TN2 preferred
Service Design Process for Huawei SD-WAN Solution

1. Application service design
 Intelligent traffic steering design
 QoS design
 Packet loss optimization design

2. Network service design
 Internet access design
 Legacy site access design
Contents

1. Development Trends and Challenges Facing Enterprise WAN Interconnection

2. Overview of Huawei SD-WAN Solution

3. Networking Design for Huawei SD-WAN Solution

4. Service Design for Huawei SD-WAN Solution


▫ SD-WAN Service Design Overview
▪ SD-WAN Application Service Design

▫ SD-WAN Network Service Design

5. Reliability and Security Design for Huawei SD-WAN Solution

Application Service Design Panorama
⚫ Enterprises have diverse applications, such as production, coordination, and entertainment applications. Different applications have different requirements on bandwidth and link quality.
⚫ Application service design generally covers:
 Intelligent traffic steering design
 QoS design
 Packet loss optimization design

(Figure: packets from a branch are classified by application identification and handed to the SPR module, which steers them onto the MPLS or Internet link; the intelligent traffic steering, QoS, and packet loss optimization designs act on this path.)
Application identification:
 Based on protocol types: TCP, UDP, GRE, etc.
 Based on packet applications: DSCP, VPN, TCP-flag, etc.
 Based on packet information: source IP address, source port, destination IP address, etc.
Application Identification
⚫ Traditional routing and switching devices cannot identify application-layer information. Therefore, it is difficult to manage networks based on applications. Smart Application Control (SAC) technology helps routing and switching devices identify and classify applications.
⚫ SAC first checks whether an application has been identified. If an application has not been identified, SAC checks the first-packet inspection (FPI) signature database and service awareness (SA) signature database in sequence.

(Figure: service traffic enters the network device; packets of already identified applications go through forwarding table matching and Layer 3 forwarding, while the others are matched by SAC against the FPI signature database and then the SA signature database, producing an application identification record for download, voice, web browsing, and video traffic.)

• After a packet enters the device, the device determines, based on the 5-tuple information carried in the packet, whether the corresponding application has already been identified. If the application has been identified, the device forwards the packet at Layer 3 without identifying the application again. If the application has not been identified, the device performs the SAC application identification process. The device then processes the packet based on the SAC identification result and forwards the packet at Layer 3.

• SAC identifies an application as follows: SAC first identifies an application according to ACL rules in FPI. If the application fails to be identified, the application is identified according to the DNS association table in FPI. If the application still fails to be identified, the device identifies the application based on the protocol port table in FPI. If the application still fails to be identified, the device attempts to identify the application using SA.
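The identification flow described in these notes, modelled as an added example (not Huawei's SAC implementation): a per-5-tuple identification record that lets later packets of a flow skip identification, the three FPI stages in the stated order, and SA payload matching as the last resort. All tables, signatures and packets are constructed sample data.

```python
"""Model of the SAC application identification flow described in the notes above.

Added example, not Huawei code. The stage order follows the notes: a packet
whose 5-tuple already has an identification record is forwarded directly;
otherwise first-packet inspection (FPI) is tried in the order ACL rules ->
DNS association table -> protocol port table, and finally service awareness
(SA) signature matching on the payload. Tables, signatures and packets are
constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes = b""

    @property
    def five_tuple(self) -> Tuple[str, str, str, int, int]:
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)


@dataclass
class SacEngine:
    # FPI stage 1: ACL-style rules (destination prefix, protocol, destination port) -> app
    acl_rules: List[Tuple[str, str, int, str]] = field(default_factory=list)
    # FPI stage 2: DNS association table (resolved server address -> app)
    dns_table: Dict[str, str] = field(default_factory=dict)
    # FPI stage 3: protocol/port table
    port_table: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # SA stage: payload signatures (constructed byte prefixes, not real SA signatures)
    sa_signatures: Dict[str, bytes] = field(default_factory=dict)
    # identification records keyed by 5-tuple
    records: Dict[tuple, str] = field(default_factory=dict)
    stats: Dict[str, int] = field(
        default_factory=lambda: {"record": 0, "fpi": 0, "sa": 0, "unknown": 0})

    def _fpi(self, pkt: Packet) -> Optional[str]:
        """First-packet inspection: ACL rules, then DNS association, then protocol port."""
        dst = ip_address(pkt.dst_ip)
        for prefix, proto, port, app in self.acl_rules:
            if dst in ip_network(prefix) and proto == pkt.proto and port == pkt.dst_port:
                return app
        if pkt.dst_ip in self.dns_table:
            return self.dns_table[pkt.dst_ip]
        return self.port_table.get((pkt.proto, pkt.dst_port))

    def _sa(self, pkt: Packet) -> Optional[str]:
        """Service awareness: match the payload against signatures."""
        for app, sig in self.sa_signatures.items():
            if pkt.payload.startswith(sig):
                return app
        return None

    def classify(self, pkt: Packet) -> str:
        key = pkt.five_tuple
        if key in self.records:                 # already identified: forward directly
            self.stats["record"] += 1
            return self.records[key]
        app, stage = self._fpi(pkt), "fpi"
        if app is None:
            app, stage = self._sa(pkt), "sa"
        if app is None:
            self.stats["unknown"] += 1          # nothing matched; no record is written
            return "unknown"
        self.stats[stage] += 1
        self.records[key] = app                 # later packets of this flow skip identification
        return app


def sample_engine() -> SacEngine:
    """Engine loaded with constructed tables that exercise every identification stage."""
    return SacEngine(
        acl_rules=[("10.1.0.0/16", "udp", 5060, "voice")],
        dns_table={"203.0.113.10": "web-browsing"},
        port_table={("tcp", 80): "web-browsing"},
        sa_signatures={"video": b"VIDSIG"},
    )


if __name__ == "__main__":
    eng = sample_engine()
    flow = Packet("192.0.2.5", "10.1.2.3", "udp", 40000, 5060)
    print(eng.classify(flow), eng.classify(flow), eng.stats)
```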

Intelligent Traffic Steering Design: Link Quality-based Traffic Steering
⚫ Different applications have different requirements on link quality. For example, voice and video services have stringent requirements on the delay and packet loss rate. Generally, the delay must be within 150 ms and the packet loss rate must be less than 1% for these services.
⚫ To guarantee voice and video services, the MPLS link that offers good quality can be configured as the active link for the services, with the Internet link functioning as the standby link. In addition, you can configure SLA requirements for the services to implement traffic steering based on the link SLA.

(Figure: packets from the branch EDGE to the HQ EDGE travel over the high-quality link; when the quality of that link deteriorates, they are dynamically switched over to the other link.)


Intelligent Traffic Steering Design: Load Balancing-based Traffic Steering
⚫ If an enterprise with multiple links wants to fully utilize the link bandwidth resources and steer traffic in load balancing mode based on the link bandwidth, load balancing-based traffic steering can be configured.
⚫ For example, the two MPLS links can be configured as primary links for the voice service. If the quality of both links meets the SLA requirements of the voice service, voice service flows can be carried over the two MPLS links in load balancing mode. Through real-time bandwidth utilization monitoring, the bandwidth utilization can reach 85%, fully utilizing the link bandwidth.

(Figure: packets from the branch EDGE to the HQ EDGE are distributed over a high-bandwidth link and a low-bandwidth link.)


Intelligent Traffic Steering Design: Application Priority-based Traffic Steering
⚫ If multiple types of service packets are transmitted on the same link, application priority-based traffic steering can be used, so that traffic of high-priority applications is preferentially processed when congestion occurs, ensuring the experience of high-priority applications.
⚫ For example, voice, video, and file transfer services are carried on an MPLS link. If the link bandwidth is insufficient, the experience of the voice and video services is preferentially guaranteed.

(Figure: high-priority and low-priority application packets share the high-quality link from the branch EDGE to the HQ EDGE; upon network congestion, the traffic of low-priority applications is switched to the low-quality link.)
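The three steering modes on the slides above (link quality, load balancing, application priority) combined in one link-selection model, as an added example that is not Huawei's SPR implementation. The 150 ms / 1% voice SLA and the 85% utilisation target are the slides' figures; link names, policies and flows are constructed.

```python
"""Link selection model for the three traffic steering modes on the slides above
(link quality, load balancing, application priority). Added example, not Huawei
code or the SPR module: the 150 ms / 1% voice SLA and the 85% utilisation target
come from the slides; link names, policies and flows are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_UTILISATION = 0.85  # slide: bandwidth utilisation can reach 85%


@dataclass
class Link:
    name: str
    delay_ms: float
    loss_pct: float
    bandwidth_mbps: float
    used_mbps: float = 0.0

    @property
    def utilisation(self) -> float:
        return self.used_mbps / self.bandwidth_mbps


@dataclass(frozen=True)
class AppPolicy:
    name: str
    priority: int               # higher value = more important application
    primary: Tuple[str, ...]    # preferred links, in order
    standby: Tuple[str, ...]    # used only when no primary link qualifies
    max_delay_ms: float
    max_loss_pct: float
    load_balance: bool = False  # spread flows over all primary links meeting the SLA


@dataclass
class Flow:
    policy: AppPolicy
    mbps: float
    link: Optional[str] = None


def meets_sla(link: Link, policy: AppPolicy) -> bool:
    return link.delay_ms <= policy.max_delay_ms and link.loss_pct <= policy.max_loss_pct


class Steering:
    def __init__(self, links: List[Link]):
        self.links: Dict[str, Link] = {l.name: l for l in links}
        self.flows: List[Flow] = []

    def _candidates(self, policy: AppPolicy, exclude: Optional[str]) -> List[Link]:
        """Primary links that meet the SLA and have headroom; standby links only if none do."""
        for group in (policy.primary, policy.standby):
            ok = [self.links[n] for n in group
                  if n in self.links and n != exclude and meets_sla(self.links[n], policy)
                  and self.links[n].utilisation < MAX_UTILISATION]
            if ok:
                return ok
        return []

    def _attach(self, flow: Flow, link: Link) -> None:
        link.used_mbps += flow.mbps
        flow.link = link.name

    def _place(self, flow: Flow, exclude: Optional[str] = None) -> bool:
        cands = self._candidates(flow.policy, exclude)
        if not cands:
            return False
        # load balancing mode: least-loaded candidate; otherwise first link in preference order
        best = min(cands, key=lambda l: l.utilisation) if flow.policy.load_balance else cands[0]
        self._attach(flow, best)
        return True

    def add_flow(self, policy: AppPolicy, mbps: float) -> Optional[str]:
        flow = Flow(policy, mbps)
        self.flows.append(flow)
        self._place(flow)
        return flow.link  # None when no link qualifies

    def _move(self, flow: Flow, moved: list) -> None:
        old = flow.link
        self.links[old].used_mbps -= flow.mbps
        if self._place(flow, exclude=old):
            moved.append((flow.policy.name, old, flow.link))
        else:
            self._attach(flow, self.links[old])  # nowhere better to go: stay put

    def reevaluate(self) -> List[Tuple[str, str, str]]:
        """Link quality mode: dynamically switch flows whose link no longer meets their SLA."""
        moved: list = []
        for flow in self.flows:
            if flow.link is not None and not meets_sla(self.links[flow.link], flow.policy):
                self._move(flow, moved)
        return moved

    def relieve_congestion(self) -> List[Tuple[str, str, str]]:
        """Application priority mode: on a congested link, move the lowest-priority flows first."""
        moved: list = []
        for link in self.links.values():
            on_link = sorted((f for f in self.flows if f.link == link.name), key=lambda f: f.policy.priority)
            for flow in on_link:
                if link.utilisation <= MAX_UTILISATION:
                    break
                self._move(flow, moved)
        return moved
```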


QoS Design: HQoS

(Figure: HQoS on a 100 Mbit/s WAN interface, with QoS at the service layer, overlay/local breakout traffic measurement, and interface-based rate limiting. VPN1 and VPN2 are assigned 40% and 60% of the interface; within VPN1, overlay traffic (VoIP, email) gets 60% and local breakout traffic (SaaS) 40%; within VPN2, overlay traffic gets 70% and local breakout traffic 30%. Child traffic policies are nested in a parent traffic policy, which is bound to the interface.)

⚫ Multiple applications within a department
 Enterprise applications have different link requirements and different importance. The experience of important applications should be preferentially guaranteed if the egress link bandwidth is limited.
⚫ Multiple departments of an enterprise
 An enterprise usually has multiple departments of different importance. Traffic of each department needs to be isolated, and different bandwidths need to be allocated to each department.
⚫ Solution
 Different HQoS policies, including queue scheduling, CAR, and shaping, can be configured for each VPN based on applications.
 The ratio of the minimum guaranteed bandwidth can be specified for each VPN. This prevents failures of services in some VPNs when bandwidth resources of these VPNs are preempted by other VPNs with heavy traffic upon network congestion.

90 Huawei Confidential

• An enterprise usually has multiple departments of different importance. Traffic of each department needs to be isolated, and different bandwidths need to be allocated to each department.
▫ A specified bandwidth quota is assigned to each department to meet its service requirements.
▫ If some departments do not fully use their bandwidth quotas, the idle bandwidth resources can be used by other departments with insufficient bandwidth.
▫ Internet access traffic and traffic for communication with legacy sites needs to be controlled separately.
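The HQoS behaviour described above (a guaranteed ratio per VPN, weighted sharing among applications inside each VPN, and redistribution of a VPN's idle bandwidth to other VPNs that still have demand) can be modelled as a two-level weighted allocation. The following is an added example, not Huawei's HQoS implementation; the 100 Mbit/s interface and the 40%/60% guarantees are taken from the figure, while the application weights and offered loads are constructed for illustration.

```python
"""Added example: two-level (hierarchical) QoS allocation with a minimum
guaranteed share per VPN and weighted sharing among applications inside
each VPN. Idle bandwidth of one VPN is redistributed to VPNs whose demand
is not yet met, so a busy VPN can never push a quiet VPN below its
guarantee. Illustrative code, not Huawei's HQoS implementation; all
weights and demands are constructed."""

EPS = 1e-9


def share(capacity, weights, demands):
    """Weighted allocation with redistribution of unused share.

    capacity: bandwidth available at this level (Mbit/s)
    weights:  {member: guaranteed ratio or scheduling weight}
    demands:  {member: offered load (Mbit/s)}
    Each round, the remaining capacity is split among members that still
    want bandwidth in proportion to their weights; what a member cannot
    use goes back into the pool for the next round.
    """
    alloc = {m: 0.0 for m in demands}
    active = {m for m in demands if demands[m] > EPS}
    remaining = float(capacity)
    while active and remaining > EPS:
        total_w = sum(weights[m] for m in active)
        used = 0.0
        for m in list(active):
            grant = remaining * weights[m] / total_w
            give = min(grant, demands[m] - alloc[m])
            alloc[m] += give
            used += give
            if demands[m] - alloc[m] <= EPS:
                active.discard(m)  # satisfied; leaves the pool
        remaining -= used
    return alloc


def hqos(capacity, vpns):
    """Parent level: VPNs with guaranteed ratios. Child level: applications
    with weights inside each VPN.

    vpns: {vpn: {"guarantee": ratio, "apps": {app: (weight, demand)}}}
    returns {vpn: {app: allocated Mbit/s}}
    """
    vpn_weights = {v: spec["guarantee"] for v, spec in vpns.items()}
    vpn_demands = {v: sum(d for _, d in spec["apps"].values())
                   for v, spec in vpns.items()}
    parent = share(capacity, vpn_weights, vpn_demands)
    result = {}
    for v, spec in vpns.items():
        app_w = {a: w for a, (w, _) in spec["apps"].items()}
        app_d = {a: d for a, (_, d) in spec["apps"].items()}
        result[v] = share(parent[v], app_w, app_d)
    return result


# constructed scenario: 100 Mbit/s WAN interface, VPN1 guaranteed 40 %,
# VPN2 guaranteed 60 % (the ratios shown in the figure)
def scenario(vpn2_saas_demand):
    return hqos(100, {
        "VPN1": {"guarantee": 0.4,
                 "apps": {"VoIP": (3, 10), "Email": (2, 20), "SaaS": (1, 60)}},
        "VPN2": {"guarantee": 0.6,
                 "apps": {"VoIP": (3, 5), "Email": (2, 10),
                          "SaaS": (1, vpn2_saas_demand)}},
    })


if __name__ == "__main__":
    quiet = scenario(5)   # VPN2 offers 20 Mbit/s: VPN1 borrows the idle share
    busy = scenario(75)   # VPN2 offers 90 Mbit/s: both held to their guarantees
    for name, res in (("VPN2 quiet", quiet), ("VPN2 busy", busy)):
        print(name, {v: round(sum(a.values()), 1) for v, a in res.items()})
```

With VPN2 quiet, VPN1 ends up with 80 Mbit/s (its 40 Mbit/s guarantee plus VPN2's unused 40); as soon as VPN2 offers 90 Mbit/s, VPN1 is pushed back to exactly its 40% and VPN2 gets its 60%, which is the "minimum guaranteed bandwidth" protection the slide describes.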
Packet Loss Optimization Design

⚫ Forward error correction (FEC) technology can mitigate packet loss. During data transmission, FEC adds redundant
packets carrying check information at the transmit end and performs check at the receive end. If a packet is lost or
damaged on the network, the redundant packet can be used to recover it.
⚫ The following FEC modes are supported:
 Adaptive forward error correction (A-FEC): A CPE automatically detects the packet loss rate and adjusts the number of redundant packets in real time based on it. This mode reduces the number of redundant packets and saves bandwidth when the packet loss rate is low. When the packet loss rate increases, more redundant packets are added to improve packet loss mitigation. However, if the packet loss rate suddenly increases sharply, it takes a period of time for the CPE to detect the change and adjust the number of redundant packets, so packet loss occurs for a short period.
 Deterministic forward error correction (D-FEC): The number of redundant packets is calculated from the configured packet loss rate, so lost packets can be recovered as long as the actual loss stays within the configured maximum. Although this mode carries more redundancy than A-FEC, it does not lose packets when the packet loss rate changes suddenly (within that maximum).

⚫ After FEC is deployed and the network runs for a period of time, you can view the packet loss mitigation effect on
iMaster NCE-WAN to determine whether the FEC design is proper.
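The following added example shows the mechanism behind the two FEC modes above with the simplest redundancy scheme that recovers lost packets, interleaved XOR parity, and then contrasts D-FEC sizing (redundancy fixed from a configured maximum loss rate) with A-FEC sizing (redundancy following the measured loss rate one block late). It is illustrative code, not Huawei's FEC implementation; the packet contents, block size and loss patterns are constructed, and fixed-size packets are assumed.

```python
"""Added example: packet loss mitigation with interleaved XOR parity,
plus the two ways of sizing the redundancy described in the text:
deterministic (from a configured maximum loss rate) and adaptive (from
the measured loss rate, with one block of lag). Illustrative code, not
Huawei's FEC implementation; packet contents and loss patterns are
constructed. Assumes fixed-size packets."""
import math


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(packets, r):
    """Produce r redundant packets for a block of k data packets.

    Parity j is the XOR of packets j, j+r, j+2r, ... so each parity
    protects a disjoint, interleaved subset and the block survives up to
    one loss per subset (up to r losses in total when they are spread out).
    """
    k, size = len(packets), len(packets[0])
    assert all(len(p) == size for p in packets), "fixed-size packets only"
    parity = []
    for j in range(r):
        acc = bytes(size)
        for i in range(j, k, r):
            acc = xor_bytes(acc, packets[i])
        parity.append(acc)
    return parity


def decode(received, parity, k, r):
    """received: {index: bytes} for data packets that arrived;
    parity:   {index: bytes} for parity packets that arrived.
    Returns a list of k entries; None marks a packet that could not be
    recovered (two or more losses in the same parity subset)."""
    out = dict(received)
    for j in range(r):
        subset = list(range(j, k, r))
        missing = [i for i in subset if i not in out]
        if len(missing) == 1 and j in parity:
            acc = parity[j]
            for i in subset:
                if i != missing[0]:
                    acc = xor_bytes(acc, out[i])
            out[missing[0]] = acc
    return [out.get(i) for i in range(k)]


def redundancy_for(k, loss_rate):
    """D-FEC sizing: enough parity packets to cover the configured
    maximum loss rate on a block of k packets (at least one)."""
    return max(1, math.ceil(k * loss_rate))


class AdaptiveFec:
    """A-FEC: the redundancy used for the next block follows the loss
    rate measured on the previous one, so a sudden jump in loss is seen
    one block late."""

    def __init__(self, k, initial_loss_rate):
        self.k = k
        self.r = redundancy_for(k, initial_loss_rate)

    def observe(self, lost, total):
        self.r = redundancy_for(self.k, lost / total)


def transmit(packets, r, lost_indices):
    """Simulate one block: encode, drop the given data packets, decode."""
    parity = encode(packets, r)
    received = {i: p for i, p in enumerate(packets) if i not in lost_indices}
    return decode(received, dict(enumerate(parity)), len(packets), r)


# constructed block of eight 4-byte packets
PACKETS = [f"pkt{i}".encode() for i in range(8)]


def demo():
    results = {}
    # D-FEC: configured max loss 25 % -> r = 2; losses in different subsets recover
    r = redundancy_for(len(PACKETS), 0.25)
    results["dfec_spread"] = transmit(PACKETS, r, {1, 4}) == PACKETS
    # two losses in the same subset (0 and 2 are both even) cannot be recovered
    results["dfec_same_subset"] = transmit(PACKETS, r, {0, 2})
    # A-FEC: sized for 2 % loss (r = 1); a sudden burst of two losses gets
    # through, and the redundancy only catches up on the next block
    afec = AdaptiveFec(len(PACKETS), 0.02)
    results["afec_before"] = transmit(PACKETS, afec.r, {1, 4})
    afec.observe(lost=2, total=len(PACKETS))
    results["afec_after_r"] = afec.r
    results["afec_after"] = transmit(PACKETS, afec.r, {1, 4}) == PACKETS
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "same subset" case is the caveat worth remembering when reading loss statistics on the controller: the number of redundant packets bounds how many losses a block survives only when the losses are spread out, so bursty loss on a link needs more redundancy than its average loss rate suggests.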

Contents

1. Development Trends and Challenges Facing Enterprise WAN Interconnection

2. Overview of Huawei SD-WAN Solution

3. Networking Design for Huawei SD-WAN Solution

4. Service Design for Huawei SD-WAN Solution


▫ SD-WAN Service Design Overview

▫ SD-WAN Application Service Design


▪ SD-WAN Network Service Design

5. Reliability and Security Design for Huawei SD-WAN Solution

Network Service Design Panorama
⚫ SD-WAN sites may also need to access the Internet or legacy sites. Therefore, specific network services need to be deployed.
⚫ Network service design generally covers:
 Internet access design
 Legacy site access design
[Figure: HQ EDGE connected to a gateway that reaches a legacy site (legacy site access design) and to Internet resources (Internet access design); branch EDGEs reach the HQ over the Internet.]
Internet Access Solution
⚫ The SD-WAN Solution provides the following Internet access modes:
 Local Internet access: The Internet access traffic of a site is routed from the local EDGE to the Internet.
 Centralized Internet access: The Internet access traffic of all sites is diverted to the centralized Internet access site and then to the Internet.
 Hybrid Internet access: a combination of local Internet access and centralized Internet access.
◼ Local Internet access (default) + centralized Internet access: By default, all Internet access traffic is routed out from the local device. When the local Internet access interface is faulty, Internet access traffic is forwarded through the centralized gateway.
◼ Centralized Internet access (default) + local Internet access for specified traffic: By default, Internet traffic is routed out through the centralized Internet access site. Traffic of some specified services is directly routed to the Internet through the local WAN-side link.
[Figure: HQ EDGE and two branch EDGEs. Centralized Internet access: branch traffic is carried over the overlay to the HQ EDGE and then to Internet resources. Local Internet access: a branch EDGE sends Internet traffic directly to the Internet.]
Local Internet Access Design
Application scenario
• Local Internet access is applicable to small enterprises or scenarios where centralized security control is not required for Internet access traffic and links for accessing the Internet are available on the WAN side. Traffic that leaves a branch locally never reaches a centralized Internet access gateway, so any inspection it needs has to be done on the local EDGE or its outbound link.
Description
• The Internet access traffic of a site is routed out from the local Internet link to the Internet.
• Local Internet access policies can be configured on a per-department and per-site basis.
• Local Internet access can be implemented in the following modes:
1. All Internet access traffic is routed out from the local device to the Internet.
2. Internet access traffic of specified applications is routed out from the local device to the Internet.
• Outbound interfaces must be configured for local Internet access. A maximum of three outbound interfaces can be configured. If multiple outbound interfaces are configured, they back up each other, and the outbound interface is selected based on priority.
• In local Internet access mode, whether to enable NAT can be configured per outbound interface. Currently, NAT in Easy IP mode is provided: the IP address of the outbound interface is used as the post-NAT public IP address.
[Figure: two branch sites (EDGE1, EDGE2) with MPLS and Internet links; the MPLS network connects to an IWG, and each EDGE sends Internet traffic out of its local Internet link.]

• Traffic cannot be transmitted to the Internet through multiple links in load balancing mode. The links can work only in active/standby mode based on their priorities.
• If local Internet access is configured for specified application traffic and centralized Internet access is also configured, local Internet access for the specified application traffic is implemented by orchestrating policy-based routing (PBR).
• If local Internet access is enabled, a default route on the underlay WAN needs to be configured. The default route can be a static route (mainly for Internet access through the Internet network interface) or a BGP/OSPF route (mainly for Internet access through the MPLS network interface).
Centralized Internet Access Design
Application scenario
• This mode is applicable to scenarios where no link is available for a site to access the Internet or centralized security control is required for Internet access traffic. A centralized Internet access gateway is configured so that traffic from other sites can be forwarded to the centralized Internet access gateway through the overlay network.
Description
• All sites of a tenant access the Internet through a centralized Internet access site.
• Either of the following solutions can be used for Internet access through the centralized gateway site:
 If the centralized Internet access site has the Internet egress on the LAN side, all Internet access traffic is routed out through the LAN side of the centralized Internet access site. In this mode, you need to configure a default route or a dynamic routing protocol on the LAN side so that the default route can be learned from the LAN side.
 If the centralized Internet access site accesses the Internet through the WAN-side interface, all Internet access traffic is transmitted to the Internet through the WAN side of the centralized Internet access site. (Note: For the site that functions as the centralized gateway, the local Internet access function must also be enabled.)
[Figure: branch EDGE1 and the HQ EDGE2 (centralized Internet access gateway) connected over MPLS and the Internet; branch Internet traffic is carried over the overlay to the HQ and exits there.]
Hybrid Internet Access Design: Local Internet Access (Default) + Centralized Internet Access
Application scenario
• This mode applies to small enterprises or scenarios where Internet access traffic does not need to be centrally managed.
• The WAN side of the site has links to access the Internet, and the site has high requirements on Internet access reliability.
Description
• Both local Internet access and centralized Internet access are configured on the SD-WAN network.
• Local Internet access is configured for all traffic at a site.
• If a site has two Internet access links, that is, one for local Internet access and one for centralized Internet access, the link for local Internet access has a higher default route preference.
• By default, all Internet access traffic is routed out from the local Internet access interface. When the local Internet access interface is faulty, Internet access traffic is diverted to the centralized gateway and then routed out.
[Figure: HQ EDGE1 and branch EDGE2 connected over MPLS and the Internet; the branch normally exits locally and falls back to the HQ gateway when its local Internet interface fails.]
Hybrid Internet Access Design: Centralized Internet Access (Default) + Local Internet Access for Specified Traffic
Application scenario
• This mode applies to the scenario where a site has Internet access links, most Internet access traffic needs to be centrally managed, and traffic of some applications can be directly routed out to meet SLA requirements.
Description
• Configure both local Internet access and centralized Internet access on the SD-WAN network.
• Local Internet access is configured at the centralized Internet access site, where all traffic is routed out in local Internet access mode.
• Local Internet access is enabled at other sites and is configured for specified applications.
• By default, Internet access traffic is routed out through the centralized Internet access site, and specific experience-sensitive service traffic is directly transmitted to the Internet through the local WAN-side link.
[Figure: HQ EDGE1 and branch EDGE2 connected over MPLS and the Internet; most branch Internet traffic exits at the HQ, while specified applications exit the branch's local WAN-side link.]
Internet Access Link Reliability
• Standby link solution design:
 Links for Internet access are configured on a per-site basis. A maximum of three WAN links can be configured for site-to-Internet access.
 A priority is configured for each WAN link. Currently, each link has a unique priority. That is, only one WAN link is used as the active link for accessing the Internet at a time.
 When the WAN link with the highest priority fails, traffic to the Internet is automatically switched to the link with the second highest priority.
 The standby link and hybrid Internet access mode can be used together.
[Figure: branch EDGE2 with three Internet links, Internet 1 (priority = 1), Internet 2 (priority = 2) and Internet 3 (priority = 3).]
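The egress decision described across the Internet access slides above (at most three local links with unique priorities working active/standby, Easy IP NAT using the outbound interface address, and the two hybrid modes that combine local and centralized exits) can be written down as one selection function. This is an added example, not the controller's orchestration logic; the link names, addresses and application names are constructed.

```python
"""Added example: Internet egress selection for a site, covering the
priority-based active/standby choice among at most three local WAN links
and the two hybrid modes described in the text. Illustrative code, not
the controller's orchestration logic; link names, addresses and
application names are constructed."""
from dataclasses import dataclass

MAX_LOCAL_LINKS = 3
CENTRALIZED = "centralized-gateway"


@dataclass
class WanLink:
    name: str
    priority: int   # lower value = preferred; must be unique per site
    up: bool
    address: str    # interface address, used as the Easy IP NAT source
    nat: bool = True


def validate(links):
    if len(links) > MAX_LOCAL_LINKS:
        raise ValueError(f"at most {MAX_LOCAL_LINKS} local Internet links per site")
    prios = [l.priority for l in links]
    if len(set(prios)) != len(prios):
        raise ValueError("link priorities must be unique (active/standby only)")


def local_egress(links):
    """Highest-priority link that is up, or None. Links never load-share."""
    validate(links)
    for link in sorted(links, key=lambda l: l.priority):
        if link.up:
            return link
    return None


def choose_egress(mode, app, links, local_apps=()):
    """Return (egress, nat_source) for one flow.

    mode: "local"               all traffic out of the local link
          "centralized"         all traffic via the centralized site
          "local_default"       local first, centralized when no local link is up
          "centralized_default" centralized, except listed apps via the local link
    nat_source is the post-NAT address (Easy IP: the outbound interface
    address) or None when the chosen egress does not NAT.
    """
    link = local_egress(links)

    def via(l):
        return (l.name, l.address if l.nat else None)

    if mode == "local":
        return via(link) if link else (None, None)  # no fallback exists
    if mode == "centralized":
        return (CENTRALIZED, None)
    if mode == "local_default":
        return via(link) if link else (CENTRALIZED, None)
    if mode == "centralized_default":
        if app in local_apps and link:
            return via(link)
        return (CENTRALIZED, None)
    raise ValueError(f"unknown mode {mode!r}")


# constructed site: three Internet links with unique priorities
def sample_links(internet1_up=True, internet2_up=False, internet3_up=True):
    return [WanLink("Internet1", 1, internet1_up, "203.0.113.1"),
            WanLink("Internet2", 2, internet2_up, "198.51.100.7"),
            WanLink("Internet3", 3, internet3_up, "192.0.2.9", nat=False)]


if __name__ == "__main__":
    print(choose_egress("local_default", "web", sample_links()))
    print(choose_egress("local_default", "web", sample_links(False, False, False)))
    print(choose_egress("centralized_default", "video", sample_links(),
                        local_apps={"video"}))
```

The "local" mode returning `(None, None)` when every link is down is the practical argument for the hybrid mode: without a centralized fallback, a site with all local Internet links failed simply has no Internet egress.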
Legacy Site Communication Solution
⚫ Before deploying the SD-WAN Solution, enterprises may have legacy sites that are interconnected through traditional WAN private lines (such as MPLS). After the SD-WAN Solution is deployed, SD-WAN sites and legacy sites may need to communicate with each other. To implement this, a solution for communication with legacy sites must be deployed.
⚫ Communication between SD-WAN sites and legacy sites involves the following scenarios:
 Communication through enterprise sites: Enterprise sites are directly connected to legacy networks. Two communication solutions are available in this scenario:
◼ Communication through dedicated lines
◼ Local access
 Communication through the IWG: Carriers use this mode to provide communication with legacy sites for multiple enterprises. Generally, three communication solutions are available in this scenario:
◼ Inter-AS Option B
◼ Inter-AS Option A (Layer 3 VXLAN)
◼ Inter-AS Option A (Layer 3 VLAN)


Communication Through Enterprise Sites: Communication Through Dedicated Lines
⚫ When the underlay network connected to an SD-WAN site cannot communicate with a legacy MPLS network, select an SD-WAN CPE and a legacy CPE, which are logically considered as a gateway site.
[Figure: communication through dedicated lines. Legacy sites attach to the legacy network (MPLS 1) through legacy CPEs; SD-WAN sites attach to the SD-WAN network (MPLS 2) through SD-WAN CPEs. At the gateway site a legacy CPE and an SD-WAN CPE are connected back to back by a dedicated link per VPN (VPN1, VPN2), over which routes are exchanged through OSPF/BGP.]
• When an enterprise has multiple VPNs and users on the SD-WAN and legacy networks belong to the same VPN, multiple logical links can be created on the dedicated link of a gateway site and added to the VRFs corresponding to different VPNs. In this way, back-to-back communication between multiple VPNs is implemented.

• A dedicated link is established between user-side interfaces on both the legacy CPE and the SD-WAN CPE. The dedicated link runs a protocol such as BGP or OSPF to exchange routes between the legacy MPLS network and the SD-WAN network. In this way, users on the two networks can communicate with each other through the dedicated link.
Communication Through Enterprise Sites: Local Access
⚫ When the underlay network connected to an SD-WAN site is the legacy MPLS network or can communicate with the legacy MPLS network, local breakout technology can be used to transmit user traffic of the SD-WAN site to the underlay MPLS network. Then the traffic is transmitted to the legacy sites over the underlay network.
[Figure: local access design. Legacy sites (legacy CPEs) and SD-WAN sites (SD-WAN CPEs) share the underlay MPLS 1; SD-WAN site traffic destined for legacy sites leaves the SD-WAN CPE through local breakout onto MPLS 1.]
• In the local access solution, only traffic of users in one SD-WAN VPN can be transmitted to users of the VPN at the corresponding legacy sites on the underlay network through local breakout.

• Multiple traffic models are supported in this scenario, and you can choose one
based on your service requirements.
▫ Distributed local access: This model applies if all SD-WAN sites can access
legacy sites over the underlay MPLS network through local breakout. In this
model, traffic of each site is directly forwarded through the local site,
without the need of being forwarded through overlay tunnels.

▫ Centralized local access: If some SD-WAN sites cannot access legacy sites
through local breakout, you can configure a site that can communicate
with the legacy sites as the centralized access site. Traffic from other SD-
WAN sites is sent to the centralized access site through overlay tunnels, and
then forwarded to the legacy sites through local breakout.

▫ Hybrid local access: The SD-WAN Solution enables multi-link sites using the
distributed local access model to use local access preferentially, with
centralized local access as a backup. This enhances reliability. Traffic from a
site that uses the distributed local access model is preferentially transmitted
to a legacy site through local breakout. If the MPLS link for local access
fails, traffic is automatically switched to the overlay tunnel of another link
and transmitted to the centralized access site. The centralized access site
then forwards the traffic to legacy sites.
IWG
⚫ The IWG can connect both SD-WAN sites and legacy MPLS VPN sites for multiple enterprise tenants. Each time a tenant is added, only one MP-EBGP peer needs to be configured to interconnect with the peer ASBR-PE.
[Figure: solution design for multiple tenants to communicate with legacy sites. Legacy network (MPLS 1, PE, ASBR-PE) and SD-WAN network (MPLS 2, IWG); the ASBR-PE and IWG establish BGP peer relationships carrying Tenant 1 (VPN 1) and Tenant 2 (VPN 2). Legacy CPEs of Enterprise A and Enterprise B sit on the legacy side; SD-WAN CPEs of Enterprise A and Enterprise B on the SD-WAN side.]
Communication Through the IWG: Inter-AS Option B
⚫ Similar to the inter-AS Option B solution in MPLS VPN, in the inter-AS Option B solution in SD-WAN, MP-EBGP is used between the IWG and the ASBR-PE on the legacy network to exchange labeled VPN-IPv4 routes received from PEs in their respective ASs.
[Figure: Inter-AS Option B. Legacy network (MPLS 1, PE, ASBR-PE) and SD-WAN network (MPLS 2, IWG with VRF1 and VRF2); a single MP-BGP session between the ASBR-PE and the IWG carries the VPN routes of Enterprise A and Enterprise B.]
• A pair of public interfaces is configured on the IWG and the ASBR-PE, and MPLS is enabled on them. MP-EBGP is used to exchange labeled VPN-IPv4 routes. Because BGP carries the inter-AS labels, LDP is not required between the IWG and the ASBR-PE.
Communication Through the IWG: Inter-AS Option A (Layer 3 VXLAN)
⚫ Similar to the inter-AS Option A solution in MPLS VPN, in the inter-AS Option A solution for SD-WAN, IWGs are interconnected with ASBR-PEs through Layer 3 VXLAN tunnels, and an EBGP or IBGP peer relationship is established at both ends of the VXLAN tunnels to exchange routes between SD-WAN sites and legacy sites.
[Figure: Inter-AS Option A (Layer 3 VXLAN) solution design. Legacy network (MPLS 1, PE, ASBR-PE) and SD-WAN network (MPLS 2, IWG with VRF1 and VRF2); a VXLAN tunnel connects the ASBR-PE and the IWG, and BGP peer relationships are established over it for Enterprise A and Enterprise B.]
Communication Through the IWG: Inter-AS Option A (Layer 3 VLAN)
⚫ Between the IWG of the SD-WAN network and the PE of the legacy MPLS network, a pair of dedicated interfaces (VLANIF interfaces or Ethernet sub-interfaces) is configured for each user VPN and added to the corresponding VRF. In addition, EBGP is configured per VPN instance to exchange routes between the SD-WAN and MPLS domains.
[Figure: Inter-AS Option A (Layer 3 VLAN) solution design. Legacy network (MPLS 1, PE, ASBR-PE) and SD-WAN network (MPLS 2, IWG); per-VPN interfaces for VPN1 and VPN2 connect the ASBR-PE and the IWG, with a BGP peer relationship per VPN, serving Enterprise A and Enterprise B.]
Section Summary
⚫ SD-WAN service design includes application service design and network service design.
 Application service design: includes intelligent traffic steering design, QoS design, and packet loss optimization design.
 Network service design: includes Internet access design and legacy site access design.
Contents

1. Development Trends and Challenges Facing Enterprise WAN Interconnection

2. Overview of Huawei SD-WAN Solution


3. Networking Design for Huawei SD-WAN Solution

4. Service Design for Huawei SD-WAN Solution


5. Reliability and Security Design for Huawei SD-WAN Solution
▪ Reliability and Security Design Overview

▫ Site Reliability Design

▫ Controller Reliability Design

▫ Security Design



Overview of Reliability and Security Design for Huawei SD-WAN Solution
⚫ Reliability and security design for Huawei SD-WAN Solution mainly includes three parts: site reliability design, controller reliability design, and security design.
[Figure: iMaster NCE-WAN (controller reliability design); hub EDGE/RRs and RR1/RR2 (site reliability design); IWG toward a legacy site over MPLS (site reliability design); branch EDGEs over MPLS and the Internet behind a NAT device (security design).]
Reliability and Security Design Process for Huawei SD-WAN Solution
1. Site reliability design: hub site reliability design, RR site reliability design, IWG site reliability design.
2. Controller reliability design: controller deployment reliability design, controller networking reliability design.
3. Security design: system security design, service security design.
Contents

1. Development Trends and Challenges Facing Enterprise WAN Interconnection

2. Overview of Huawei SD-WAN Solution


3. Networking Design for Huawei SD-WAN Solution

4. Service Design for Huawei SD-WAN Solution


5. Reliability and Security Design for Huawei SD-WAN Solution
▫ Reliability and Security Design Overview

▪ Site Reliability Design

▫ Controller Reliability Design

▫ Security Design



Site Reliability Design Overview
⚫ SD-WAN sites are typically classified into edge sites, hub sites, and RR sites, as well as gateway sites connected to traditional networks. In Huawei SD-WAN Solution, hub sites, RR sites, and gateway sites are key sites, and their reliability greatly affects the reliability of the entire SD-WAN network.
⚫ Site reliability design generally covers:
 Hub site reliability design
 RR site reliability design
 IWG site reliability design
[Figure: Hub1 and Hub2 with EDGE/RRs (hub site reliability design); RR site 1 and RR site 2 (RR site reliability design); active IWG and standby IWG toward a legacy site over MPLS (IWG site reliability design); branch EDGEs over MPLS and the Internet behind a NAT device.]
Hub Site Reliability Design
[Figure, left: active-active hub site networking based on service network segments. Hub1 and Hub2 are in two DCs connected by DCI; branches reach them over MPLS and the Internet. Office services are mainly destined for Hub1 and production services for Hub2, each hub providing the backup path for the other service.]
[Figure, right: active-active hub site networking based on spoke sites. Hub1 (DC in Region A) and Hub2 (DC in Region B) are connected by DCI; branch services in Region A are mainly destined for Hub1 and branch services in Region B for Hub2, with the other hub as the backup path.]
• Active-active hub site networking based on service network segments:
▫ If branch sites' access to DCs can be distinguished based on service network segments, active-active hub sites can be implemented based on the service network segments. Each hub site functions as the active hub site for one service and as the standby hub site for another service.
• Active-active hub site networking based on spoke sites:
▫ If an enterprise's WAN spans a large physical distance and the enterprise's two DCs are far away from each other, active-active hub sites based on spoke sites are recommended. Each spoke site connects to both hub sites deployed in the DCs and preferentially accesses the nearer hub site for a better DC service access experience. The nearer hub site is the primary one, while the farther hub site is the backup one.
RR Site Reliability Design: RR Redundancy
⚫ One EDGE can be connected to two RR sites (four RRs) at most. The following figures from left to right show the RR site deployment modes in three scenarios, where reliability is enhanced in ascending order.
[Figure: three deployments, in ascending order of reliability: one RR site with two RRs; two RR sites with one RR at each site; two RR sites with two RRs at each site. In each case branch EDGEs reach the RR site(s) over MPLS and the Internet.]
RR Site Reliability Design: RR Link Redundancy
⚫ The edge site needs to be dual-uplinked to the RR site.
 Single link: Low reliability. If one RR is faulty, some branch sites will lose connection with the RR site, causing service interruptions.
 Multi-link (topology 1): Multiple links are deployed on the RR side. This ensures reliable connections between EDGEs and RRs.
 Multi-link (topology 2): Multiple links are deployed at the branch site. This ensures reliable connections between EDGEs and RRs.
[Figure: the three topologies, each with an RR site reached by branch EDGEs over MPLS and the Internet.]
IWG Reliability Design
⚫ Branch sites are specified with active and standby IWGs to establish IWG tunnels. On the active and standby IWGs, BGP routing policies are automatically orchestrated to control the preference of BGP routes originated from the legacy network.
⚫ The preference of BGP routes on the active IWG is higher than that of BGP routes on the standby IWG.
[Figure: branch EDGEs on the SD-WAN network reach the active IWG over MPLS and the standby IWG over the Internet; each IWG peers with an ASBR-PE of the legacy network (MPLS, PE, CE).]
Contents

1. Development Trends and Challenges Facing Enterprise WAN Interconnection

2. Overview of Huawei SD-WAN Solution


3. Networking Design for Huawei SD-WAN Solution

4. Service Design for Huawei SD-WAN Solution


5. Reliability and Security Design for Huawei SD-WAN Solution
▫ Reliability and Security Design Overview

▫ Site Reliability Design

▪ Controller Reliability Design

▫ Security Design



Controller Reliability Design Overview
⚫ The controller iMaster NCE-WAN is the core component of Huawei SD-WAN Solution. All services in Huawei SD-WAN Solution are orchestrated through the controller. Therefore, controller reliability directly affects network services.
⚫ Controller reliability design generally covers:
 Controller deployment reliability design
 Controller networking reliability design
[Figure: an active iMaster NCE-WAN cluster in the primary DC and a standby cluster in the backup DC (controller deployment reliability design), each behind an egress device connected to the Internet/MPLS (controller networking reliability design).]
Controller Deployment Design in a Site
• The controller is deployed in a distributed cluster architecture to provide high reliability and load balancing. When a node in the cluster is faulty, other nodes take over its work without affecting services.
• Northbound load balancing: External requests are distributed to all nodes in the cluster instead of being processed on just one node. This fully utilizes cluster capacity and improves reliability.
• Southbound load balancing: Controller nodes are dynamically assigned to network devices based on the load of each controller node.
[Figure: controller deployment in a distributed cluster architecture. On the physical servers, virtual machines host the service processing cluster, the data processing cluster, the Nginx cluster, and Linux Virtual Server (LVS).]
Cluster functions:
 Service processing cluster: provides service processing capabilities, such as CPE management, overlay network configuration delivery, and traffic policy configuration.
 Data processing cluster: provides functions such as CPE performance data storage and data aggregation.
 Nginx cluster: serves as a high-performance HTTP proxy server that forwards concurrent connection requests and implements L4-L7 load balancing for northbound traffic.
 LVS: works as a load balancing component and implements Layer 4 (transport-layer) load balancing for southbound and northbound traffic.
Controller DR Deployment Design
⚫ The geo-redundant disaster recovery (DR) system consists of two sets of iMaster NCE-WAN, which are deployed at two geo-redundant sites.
⚫ Geo-redundant DR ensures backup between two controller clusters. The number of nodes in the active cluster must be the same as that in the standby cluster.
⚫ The active and standby controller clusters are both running. However, only the active cluster provides services; the standby cluster does not. Data in the active cluster is synchronized to the standby cluster in real time to ensure data consistency.
⚫ The same domain name solution is used for the northbound and southbound interfaces of the active and standby controller clusters. Tenants and devices access the active controller cluster through this unified domain name. After an active/standby switchover, this domain name is mapped to the new active controller cluster.
⚫ Active/standby switchover is performed manually and can be completed within 10 minutes. In the case of component-level faults in the controller cluster, services are still guaranteed through reliability technologies, including clustering and fault tolerance.
⚫ Geo-redundant DR network requirements: latency ≤ 20 ms; bandwidth ≥ 125 Mbit/s.
[Figure: a controller cluster at the primary site and one at the backup site, connected by a heartbeat link and a data replication link.]
Reliability Design for Single-Controller Networking
⚫ To ensure the reliability of SD-WAN management channels, dual gateways and dual links generally need to be deployed for highly reliable communication between EDGEs/RRs and the controller.
Hybrid networking (public and private network):
• The controller is deployed inside the HQ DC, and uses public IP addresses to provide services for CPEs.
• 1:1 static NAT is deployed on the public network egress device at HQ.
• NAT-related public IP addresses need to be advertised into the private line network.
• Communication between CPEs and the controller through the public network or private line must traverse the NAT device on the public network.
Single-network-type networking (private line only or public network only):
• The controller is deployed inside the HQ DC.
• The private line network needs to advertise the network segment where the controller resides to the VPN networks.
• On the public network, 1:1 static NAT must be deployed on the public network egress device. Static NAT uses the same public IP address.
[Figure, left: branch CPEs reach the HQ DC over the Internet (through a NAT gateway) and over a private line. Figure, right: branch CPEs reach the HQ DC over two links of the same network type (private line or public network).]
Reliability Design for Active and Standby Controller Networking
⚫ In active and standby controller scenarios, communication between CPEs and the active and standby controllers is regulated by controlling route priorities.
[Figure: single-network-type networking. Branch CPEs reach the active controller in the primary DC (high priority) and the standby controller in the backup DC (low priority) over a private line/Internet; both controllers use the same southbound and northbound IP addresses.]
• On a pure private line network, the southbound and northbound IP addresses of the active and standby controllers need to be advertised to the private line network through EBGP peers. Additionally, routing policies are used to ensure that the route destined for the active controller is preferentially selected.
• On a pure public network, 1:1 static NAT needs to be deployed for the southbound and northbound IP addresses, and the NAT configurations on the two egress gateways must be the same. Routes related to the NAT addresses are advertised to the public network through EBGP, and routing policies are used to ensure that the NAT-related route destined for the primary DC is preferentially selected.
• The active controller is deployed in the primary DC, and the standby controller in
the backup DC. A heartbeat tunnel is established between the active and standby
controllers to synchronize data and verify the controller status.

• The active and standby controllers use the same southbound and northbound IP
addresses. In public network scenarios, the same NAT address must also be
configured.
Contents

1. Development Trends and Challenges Facing Enterprise WAN Interconnection
2. Overview of Huawei SD-WAN Solution
3. Networking Design for Huawei SD-WAN Solution
4. Service Design for Huawei SD-WAN Solution
5. Reliability and Security Design for Huawei SD-WAN Solution
   ▫ Reliability and Security Design Overview
   ▫ Site Reliability Design
   ▫ Controller Reliability Design
   ▪ Security Design


Security Design Overview

⚫ Security design for Huawei SD-WAN Solution generally covers:
1. System security: The security requirements of the SD-WAN Solution must be met. In this way, the entire system can run securely and stably.
2. Service security: The security requirements of services carried by the SD-WAN Solution must be met. Appropriate security protection measures are flexibly selected as required, thereby ensuring secure and reliable running of user services.

Figure: system security (1) covers controller security (NETCONF management channel, hardening), management channel security, RR and control channel security, and CPE security (hardening); service security (2) covers the service traffic carried on the data channel (GRE or GRE over IPsec) between the HQ/DC site EDGE and the branch site EDGE over MPLS or the Internet.


System Security Design: Inter-Component Communication Security

The communication channels between components of Huawei SD-WAN Solution are classified into three types: management channels, control channels, and data channels. EDGEs/RRs communicate with the controller through management channels, CPEs communicate with RRs through control channels, and EDGEs communicate with each other through data channels.

The components of Huawei SD-WAN Solution use secure communication protocols to establish management, control, and data channels, thereby ensuring inter-component communication data security.
 Security mechanisms for management channels and control channels are enabled by default. You do not need to configure them.
 Security mechanisms for data channels need to be designed flexibly as required.

Figure: the management channel between the controller and the EDGEs/RR runs NETCONF over SSH (SSH secures the management channel); the control channel between CPEs and the RR is secured with IPsec; the data channel between the HQ/DC site EDGE and the branch site EDGE, over MPLS or the Internet, is GRE or GRE over IPsec (IPsec secures the forwarding plane).


System Security Design: Data Channel Security

⚫ Data channels are overlay tunnels established between EDGEs. IPsec is used on such tunnels to ensure data confidentiality and integrity during transmission.
 IPsec must be deployed when data channels are established over the Internet.
 IPsec can be deployed as required when data tunnels are established over MPLS or private networks.

Figure: between the HQ/DC site EDGE and the branch site EDGE, the data channel over MPLS is a GRE tunnel, and the data channel over the Internet is a GRE tunnel carried inside an IPsec tunnel.
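The channel rules of the two preceding slides (NETCONF over SSH for management channels, IPsec for control channels, GRE over IPsec mandatory for data channels over the Internet and optional over MPLS or private lines) can be turned into a design check that is run against the channel inventory of a deployment before it goes live. The following script is an added example and is not Huawei code or part of iMaster NCE-WAN; the inventory format, the channel names, and the transport labels are assumptions made for the example.

```python
"""Check that each SD-WAN inter-component channel is secured as the design
requires (added example, not Huawei code).

Rules encoded, as stated in the course material: management channels run
NETCONF over SSH, control channels (CPE to RR) are protected by IPsec, and
data channels (EDGE to EDGE) must be GRE over IPsec when the underlay is the
Internet, while plain GRE is acceptable over MPLS or a private line.
The inventory format and the transport names are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    name: str
    kind: str       # "management", "control" or "data"
    underlay: str   # "internet", "mpls" or "private"
    transport: str  # how the channel is actually carried, e.g. "gre", "gre-over-ipsec"


# Transports that satisfy each (channel kind, underlay) combination.
ALLOWED = {
    ("management", None): {"netconf-over-ssh"},
    ("control", None): {"ipsec"},
    ("data", "internet"): {"gre-over-ipsec"},
    ("data", "mpls"): {"gre", "gre-over-ipsec"},
    ("data", "private"): {"gre", "gre-over-ipsec"},
}


def allowed_transports(kind, underlay):
    """Management and control rules apply regardless of the underlay."""
    if kind in ("management", "control"):
        return ALLOWED.get((kind, None), set())
    return ALLOWED.get((kind, underlay), set())


def check_channel(ch):
    """Return the list of findings for one channel (empty list = compliant)."""
    ok = allowed_transports(ch.kind, ch.underlay)
    if not ok:
        # An unknown kind/underlay is a finding too: the design must say what is allowed.
        return [f"{ch.name}: unknown channel kind/underlay {ch.kind}/{ch.underlay}"]
    if ch.transport not in ok:
        return [f"{ch.name}: {ch.kind} channel over {ch.underlay} uses "
                f"{ch.transport}; expected one of {sorted(ok)}"]
    return []


def audit(channels):
    """Map every non-compliant channel name to its findings."""
    findings = {}
    for ch in channels:
        problems = check_channel(ch)
        if problems:
            findings[ch.name] = problems
    return findings


# Constructed inventory for the example (not a real deployment).
INVENTORY = [
    Channel("nce-to-edge-hq", "management", "internet", "netconf-over-ssh"),
    Channel("nce-to-rr", "management", "mpls", "telnet"),            # violation
    Channel("cpe-branch1-to-rr", "control", "internet", "ipsec"),
    Channel("hq-to-branch1-mpls", "data", "mpls", "gre"),             # allowed over MPLS
    Channel("hq-to-branch1-internet", "data", "internet", "gre"),     # violation: Internet needs IPsec
    Channel("hq-to-branch2-internet", "data", "internet", "gre-over-ipsec"),
    Channel("hq-to-lab", "data", "lte", "gre"),                       # underlay not covered by the design
]

if __name__ == "__main__":
    for name, problems in audit(INVENTORY).items():
        print("\n".join(problems))
```

The check deliberately treats an underlay the design does not mention as a finding rather than silently allowing it, because the common failure is a new transport (LTE, a second ISP) added to a site without anyone deciding whether IPsec is required on it.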


System Security Design: Administrator Authentication and Authorization

⚫ The system supports local and remote authentication for administrators. Strict identity authentication ensures that only authorized administrators can log in to the system.

When a tenant administrator logs in to iMaster NCE-WAN, two-factor authentication (account/password + SMS verification code) is supported. The tenant administrator can be authenticated in either of the following modes:
 Local authentication: When a tenant administrator logs in to iMaster NCE-WAN, iMaster NCE-WAN authenticates the tenant administrator.
 LDAP server authentication: iMaster NCE-WAN connects to an LDAP server (such as a general-purpose LDAP server or a Windows AD server). When a tenant administrator logs in to iMaster NCE-WAN, the LDAP server authenticates the tenant administrator.

When a device administrator logs in to a CPE through the CLI, the device administrator can be authenticated in either of the following modes:
 Local authentication: The tenant administrator can set passwords for device administrators on iMaster NCE-WAN, which then delivers the passwords to CPEs. When a device administrator logs in to a CPE, the CPE authenticates the device administrator.
 TACACS authentication: A CPE connects to a TACACS server through the underlay network. When a device administrator logs in to the CPE, the TACACS server authenticates the device administrator.


System Security Design: CPE Security

⚫ A CPE must have a secure system architecture and support multiple security protection measures for defending against various security threats.

A CPE must have multiple security protection capabilities on the control plane, management plane, and forwarding plane, including but not limited to the following:
 Physical security: A CPE must be able to disable the service ports, serial ports, and services that are not in use, thereby preventing attacks.
 Data security: A CPE must be able to encrypt sensitive information, such as service data, user names, and passwords, to prevent sensitive information leakage. A CPE must also control data access permissions to prevent unauthorized access to data.
 Authentication: A CPE must provide system permission control and account permission management functions to implement strict identity authentication and permission control on login behaviors. It also must support security mechanisms such as account/password protection, password complexity check, and anti-brute force cracking of passwords.
 Attack defense: A CPE must be able to defend against various network attacks, such as IP flood attacks, ICMP flood attacks, malformed packet attacks, and fragment attacks.
 Security audit: A CPE must have a comprehensive log system to log all configuration operations and abnormal status during system running for future audit.
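Two of the account-protection mechanisms listed above, password complexity checking and anti-brute-force lockout, are simple enough to show in full. The following script is an added example, not Huawei CPE code: the thresholds (8 characters, 3 of 4 character classes, 3 failures, 300 s lockout) are assumptions chosen for the example rather than values from any Huawei product.

```python
"""Password complexity check and login lockout (added example, not Huawei code).

Illustrates two CPE account-protection mechanisms: a complexity check applied
when a password is set, and lockout of an account after repeated failed logins
so that an online guessing attack is throttled. All thresholds below are
assumptions for the example.
"""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8      # assumption
MIN_CLASSES = 3     # assumption: at least 3 of the 4 character classes
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def password_problems(password, username):
    """Return the complexity rules the password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for rx in CLASSES.values() if rx.search(password))
    if present < MIN_CLASSES:
        problems.append(f"uses {present} of {len(CLASSES)} character classes, need {MIN_CLASSES}")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats a character three or more times in a row")
    return problems


@dataclass
class LoginGuard:
    """Per-account failure counter with a time-based lockout."""
    max_failures: int = 3        # assumption
    lock_seconds: int = 300      # assumption
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> time the lock expires

    def attempt(self, user, password_ok, now):
        """Record one login attempt at time `now` (seconds) and return
        'locked', 'denied' or 'allowed'. A correct password is still rejected
        while the account is locked; that is what defeats brute forcing."""
        until = self.locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"
            del self.locked_until[user]      # lock expired: start afresh
            self.failures[user] = 0
        if password_ok:
            self.failures[user] = 0
            return "allowed"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            self.failures[user] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    print(password_problems("Admin123!", "admin"))
    guard = LoginGuard()
    for t, ok in [(0, False), (1, False), (2, False), (3, True), (303, True)]:
        print(t, guard.attempt("ops", ok, now=t))
```

The lockout keys on the account rather than the source address because an attacker spreads guesses across many addresses; in a real deployment the failures and lockouts should also be written to the security audit log the slide asks for, so the attempt pattern is visible to the SOC.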


Service Security Design: Internet Access Security

⚫ Huawei SD-WAN Solution uses the built-in security capabilities of CPEs, including ACL filtering, firewall, IPS, and URL filtering, to ensure service security, thereby flexibly meeting service security requirements in different scenarios.

Centralized Internet access (figure: the branch EDGE sends overlay traffic over MPLS to the HQ EDGE, which sends underlay traffic to the Internet):
• Internet access traffic from all branch sites is diverted to the HQ site and then goes to the Internet.
• Enable the firewall function on the CPE at the HQ site to isolate internal and external networks.

Local Internet access (figure: the branch EDGE and the HQ EDGE each send underlay traffic directly to the Internet):
• Internet access traffic from the branch site and HQ site directly goes to the Internet through their respective local CPE.
• Enable the firewall function on the CPEs at the branch site and HQ site to isolate internal and external networks.


Service Security Design: VAS Advanced Security

⚫ In the centralized Internet access scenario, when a site accesses the Internet through a WAN-side outbound interface, a physical firewall can be deployed in off-path mode to provide VAS-based advanced security protection functions.

Figure (VAS advanced security): a physical firewall is attached in off-path mode on the LAN side of the HQ EDGE; branch EDGEs reach the HQ over MPLS, and the HQ EDGE reaches the Internet.
• A physical firewall is deployed in off-path mode. It provides advanced security protection functions for centralized Internet access traffic from the site.
• After VASs are deployed, centralized Internet access traffic is diverted to the physical firewall on the LAN side of the HQ CPE. After being processed by the firewall, centralized Internet access traffic then goes to the Internet through the underlay network.


Service Security Design: Third-Party Cloud Security

⚫ Huawei SD-WAN Solution can connect to third-party cloud security gateways (Zscaler and Forcepoint). In this way, enterprises' public cloud access traffic and SaaS traffic are sent to such gateways. The third-party cloud security gateways perform security checks on the traffic and provide access control, threat prevention, and data protection functions, implementing security protection.

Application scenario (figure: branch EDGEs managed by iMaster NCE-WAN build GRE tunnels over the Internet to the third-party cloud security gateway, which fronts the SaaS cloud applications):
• To improve network reliability, the third-party cloud security gateway generally provides two access points to establish tunnels with the EDGE, and the EDGE uses GRE tunnels to connect to such access points.
 Single-gateway scenario: One CPE establishes two GRE tunnels (active and standby) with the two access points of the third-party cloud security gateway.
 Dual-gateway scenario: Two CPEs establish four GRE tunnels (active and standby) with the two access points of the third-party cloud security gateway.


Section Summary

⚫ Reliability and security design for Huawei SD-WAN Solution covers site
reliability design, controller reliability design, and security design.
 Site reliability design: hub site reliability design, RR site reliability design, and
IWG site reliability design.
 Controller reliability design: controller deployment reliability design and
controller networking reliability design.
 Security design: system security design and service security design.



Quiz

1. (Multiple-answer question) Which of the following overlay network topology types are
supported by Huawei SD-WAN Solution? ( )
A. Hub-spoke

B. Full-mesh

C. Partial-mesh

D. Hierarchical networking

2. (True or false) The intelligent traffic steering function can dynamically adjust data
forwarding links based on link quality. ( )
A. True

B. False


1. ABCD

2. A
Summary

⚫ Huawei SD-WAN Solution efficiently addresses the challenges facing today's WANs.
⚫ Huawei SD-WAN Solution provides abundant functions, including ZTP, flexible
networking, intelligent traffic steering, and service security.
⚫ Design for Huawei SD-WAN Solution mainly covers three parts:
 Networking design: site design, tunnel design, and VPN design
 Service design: application service design and network service design
 Reliability and security design: site reliability design, controller reliability design, and
security design



Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

Enterprise Bearer WAN Solution
Foreword

⚫ A wide area network (WAN) is a computer network that connects local area networks
(LANs) or metropolitan area networks (MANs) in different regions. A WAN allows
information and network resources to be shared in a large scope.
⚫ An enterprise IP bearer WAN is a backbone WAN used to implement cross-region
communication inside an enterprise. In enterprise network scenarios, various sectors, such as
government, finance, education, and power, widely use IP bearer WANs to connect sites and
clouds in different geographical locations, facilitating digitalization.
⚫ This course first describes basic WAN concepts and the evolution of WAN bearer
technologies, and then introduces Huawei's CloudWAN solution and key technologies.

Objectives

⚫ On completion of this course, you will be able to:


 Describe the basic concepts of the WAN.
 Describe the trend, challenges, and evolution of the IP bearer WAN.
 Describe Huawei's CloudWAN solution.
 Describe the key technologies of Huawei's CloudWAN solution.
 Describe the typical industry application scenarios of Huawei's CloudWAN
solution.

Contents

1. Enterprise IP Bearer WAN Overview

2. CloudWAN Solution Overview

3. Typical Application Scenarios of the CloudWAN Solution

Enterprise WAN Overview

Figure: the enterprise HQ, enterprise branches, and data centers connect over the enterprise WAN to the public cloud, industry cloud, and private cloud.

Enterprise WAN definition
• The enterprise WAN is used to implement cross-region communication inside an enterprise.
• The enterprise WAN provides interconnection between the enterprise HQ and branches, between the enterprise and clouds, and between clouds.

Classification by purpose
• Self-built, for internal use
• Self-built, for external use
Enterprise IP Bearer WAN

Figure: the enterprise HQ, enterprise branches, and data centers attach through their network egresses to the enterprise IP bearer WAN (built by the enterprise or a carrier), which also connects the public cloud, industry cloud, and private cloud.

Enterprise WAN = enterprise network egress + enterprise IP bearer WAN (built by the enterprise or carrier)
Three Types of WAN Connections Provided by Carriers

⚫ Carriers provide three types of WAN connections for enterprises: Internet, MPLS private lines, and transmission private lines.

Internet
• Provides Internet access services for common users and enterprises.
• Figure: dial-up line for individual users, xDSL/xPON for the enterprise campus, and BGP for the data center.

MPLS private line
• Provides MPLS L3VPN and L2VPN services for large enterprises over the carrier's MPLS network.

Transmission private line
• Provides transmission private lines, such as SDH, MSTP, bare fiber, and WDM/OTN private lines, for large enterprises. Enterprises build their own IP bearer (backbone) networks over transmission private lines.

• Internet:
▫ Site-to-Internet private line: Ethernet private line/xPON private line/xDSL private line. The access is restricted by geographic location. It applies to inter-enterprise communication over Internet-based encrypted tunnels.
▫ Dial-up connection: low bandwidth and low tariff. The access is not restricted by geographical location. It applies to individual users.
▫ BGP: applies to data center Internet egresses.
• As technologies are constantly developing, historical WAN technologies such as T1/E1, PSTN, ATM, and frame relay are not described here.
Typical Logical Architecture of the Enterprise IP Bearer WAN

⚫ The typical architecture of the enterprise bearer WAN is divided into three layers: access layer, aggregation layer, and core layer.

Access layer (CE-PE):
• Provides access for data centers in different cities.
• Provides access for branches in different cities.
• Provides access for external services in different cities.

Aggregation layer (PE-P):
• Aggregates and transmits different types of services to the core layer based on physical locations.

Core layer (P):
• Generally adopts the full-mesh + dual-plane architecture.
• Forwards traffic between different regions over stable, reliable, and service quality-guaranteed connections.
Typical Bearer Technologies of the Enterprise IP Bearer WAN

IP bearer
• All services are carried over the same IP network, and IP addresses are used to differentiate services.
• This bearer mode applies to small- and medium-sized enterprises or networks that do not have specific service isolation, differentiated SLA, or traffic engineering requirements.
• Figure: IP traffic is forwarded over transmission lines, with routes learned by IGPs such as OSPF.

MPLS bearer
• Data is encapsulated into MPLS packets and forwarded based on labels.
• VPNs are used to differentiate services. Service isolation and SLA assurance are supported.
• The WAN VPN architecture consists of the data plane and control plane. The data plane uses MPLS, and the control plane uses MP-BGP. This bearer mode applies to large enterprises.
• Figure: PEs at both ends of an MPLS domain built over transmission lines exchange VPN routes with MP-BGP.
Enterprise IP Bearer WAN Moving Towards the IPv6+ Era

Figure (three eras):
• Internet IP (IPv4): best effort, manual O&M.
• All IP (MPLS): static policy, semi-automatic O&M.
• Intelligent IP (IPE; the 5G & cloud era; IPv6 + protocol innovation + AI): connectivity of everything, flexible connections, intelligent O&M.
Enterprise IP Bearer WAN Technologies Evolving Towards SRv6

⚫ With the development of technologies and service requirements, VPN has become the mainstream bearer technology adopted by the WAN. The control and forwarding plane technologies of the WAN keep evolving.

The bearer WAN continuously evolves towards segment routing (SR) and IPv6.

Control plane:
• MPLS: BGP (L3 service), RSVP-TE, BGP-LU (inter-AS), LDP, IGP.
• SR-MPLS: BGP for service, IGP + SR extension (continuing control plane simplification).
• SRv6: BGP for service, IGP + SR extension (simplifying the control plane).

Forwarding plane:
• MPLS: MPLS labels over VXLAN/GRE/L2TP, etc., then the payload.
• SR-MPLS: MPLS labels over VXLAN/GRE/L2TP, etc., then the payload.
• SRv6: IPv6 header + SRH, then the payload (evolvable).

• BGP Labeled Unicast (BGP-LU), defined in RFC 3107 (obsoleted by RFC 8277), is used both between ASs and within an AS.
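The "IPv6 header + SRH" row of the forwarding-plane comparison is the part an analyst actually sees in a capture: the programmed path is carried in the Segment Routing Header (SRH, RFC 8754) as a list of IPv6 segments stored in reverse order, with Segments Left pointing at the segment currently being processed. The following encoder/decoder is an added example, not Huawei or NetEngine code; the segment addresses are constructed documentation addresses, and the checks on the length fields are the ones RFC 8754 requires before a node trusts the header.

```python
"""Encode and decode the IPv6 Segment Routing Header (SRH, RFC 8754).

Added example, not Huawei code. On the wire the segment list is stored in
reverse order: Segment List[0] is the last segment of the path, and
Segments Left indexes the active segment. Hdr Ext Len counts 8-octet units
after the first 8 octets. The addresses used in the demo are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass

ROUTING_TYPE_SRH = 4       # Routing Type value assigned to the SRH
SRH_FIXED_LEN = 8          # octets before the segment list
SRH_HDR_FMT = "!BBBBBBH"   # Next Header, Hdr Ext Len, Routing Type, Segments Left, Last Entry, Flags, Tag


@dataclass
class SRH:
    next_header: int
    segments_left: int
    last_entry: int
    flags: int
    tag: int
    segment_list: list   # Segment List[0..n] in wire order (reverse of the path)
    tlvs: bytes = b""

    @property
    def path(self):
        """Segments in the order the packet will visit them."""
        return list(reversed(self.segment_list))

    @property
    def active_segment(self):
        return self.segment_list[self.segments_left]


def build_srh(next_header, path, segments_left=None, flags=0, tag=0, tlvs=b""):
    """Encode an SRH for `path` (given in forwarding order). By default Segments
    Left points at the first segment of the path, as an SR source node sets it."""
    segs = [ipaddress.IPv6Address(s).packed for s in reversed(path)]
    if not segs:
        raise ValueError("path must contain at least one segment")
    last_entry = len(segs) - 1
    if segments_left is None:
        segments_left = last_entry
    if not 0 <= segments_left <= last_entry:
        raise ValueError("Segments Left must not exceed Last Entry")
    body = b"".join(segs) + tlvs
    if len(body) % 8:
        raise ValueError("SRH body (segments + TLVs) must be a multiple of 8 octets")
    hdr_ext_len = len(body) // 8   # 8-octet units, excluding the fixed 8 octets
    return struct.pack(SRH_HDR_FMT, next_header, hdr_ext_len, ROUTING_TYPE_SRH,
                       segments_left, last_entry, flags, tag) + body


def parse_srh(data):
    """Decode an SRH from the start of `data`; return (SRH, bytes after the SRH).
    Malformed headers raise ValueError instead of being guessed at, which is
    what a node processing the header must do."""
    if len(data) < SRH_FIXED_LEN:
        raise ValueError("truncated SRH")
    (next_header, hdr_ext_len, routing_type, segments_left,
     last_entry, flags, tag) = struct.unpack(SRH_HDR_FMT, data[:SRH_FIXED_LEN])
    if routing_type != ROUTING_TYPE_SRH:
        raise ValueError(f"routing type {routing_type} is not an SRH")
    total = SRH_FIXED_LEN + hdr_ext_len * 8
    if len(data) < total:
        raise ValueError("Hdr Ext Len runs past the end of the packet")
    seg_end = SRH_FIXED_LEN + (last_entry + 1) * 16
    if seg_end > total:
        raise ValueError("Last Entry points past the end of the header")
    if segments_left > last_entry:
        raise ValueError("Segments Left exceeds Last Entry")
    segs = [ipaddress.IPv6Address(data[off:off + 16])
            for off in range(SRH_FIXED_LEN, seg_end, 16)]
    return SRH(next_header, segments_left, last_entry, flags, tag,
               segs, data[seg_end:total]), data[total:]


if __name__ == "__main__":
    path = ["2001:db8:1::1", "2001:db8:2::1", "2001:db8:3::1"]   # constructed
    pkt = build_srh(41, path) + b"inner IPv6 packet"   # 41: the next header is IPv6
    srh, rest = parse_srh(pkt)
    print("path:", [str(s) for s in srh.path], "active:", srh.active_segment)
```

When inspecting SRv6 traffic at an AS boundary, the two checks worth keeping are the Segments Left versus Last Entry bound and the Hdr Ext Len versus packet length bound: both are cheap, and both are exactly the fields a crafted packet manipulates to make a node read past the header.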
Two Major Changes Brought by Digital Transformation

1. Cloudification of millions of enterprises
• Cloud adoption by enterprises: local processing > private cloud > hybrid cloud (service cloudification).
• Multi-cloud adoption by enterprises: public cloud, financial cloud, government cloud, and other clouds serving finance, government, and other sectors.

2. IP-based production network
• Multiple TDM private networks > one IP bearer network. IEC and UIC propose IP-based transformation for the power and transportation sectors, respectively.
• Power relay protection: traditional relay protection > wide-area relay protection.
• Train control and dispatching: manual monitoring > over-the-horizon monitoring.
• Fuel pipe safety detection: manual inspection > UAV inspection.
• Requirements shown in the figure: multicast, delay < 5 ms, bandwidth > 100 Mbit/s, clock precision < 3 µs, any access and flexible connection.
3 Challenges Facing the WAN in the Cloud Era

1. Cloudification of millions of enterprises: How can networks be as agile as clouds?
• Figure: branches connect to DC1, DC2, and the public cloud. Service deployment time: dozens of days today, target < 1 hour.

2. Production service bearer: Can IP provide deterministic experience?
• Relay protection: 10 ms one-way delay, 200 µs two-way delay variation. A failure to meet these requirements may mean a protection failure, incurring accidents.
• Train control: 10 ms one-way delay, 50 ms failover duration. A failure to meet these requirements may mean a train running out of control.

3. Connection scale x 100: How can O&M be simpler and networks more reliable?
• Connections x 100, 0 artifacts, 0 frame freezing, 24/7 online.
CloudWAN 3.0: Leading WANs into the Intelligent Cloud-Network Era

Figure: the manager, controller, and analyzer sit above an SRv6 network with FlexE-based slicing, IFIT, and NETCONF/YANG, which connects the DC with the province/ministry/HQ, prefecture/tier-1 branch, county/tier-2 branch, and township/outlet layers.

One-hop cloud access: flexible cloud-network connection
• SRv6 enables service provisioning within minutes and agile service cloudification.

One-fiber multipurpose transport: deterministic experience
• Hierarchical slicing
• Patented fingerprint-based slicing technology, simplifying deployment

One-click fast scheduling: cloud-network coordinated scheduling
• SDN + intelligent cloud-map algorithm, improving cloud-network resource utilization

One-network wide connection: network digitalization
• Hop-by-hop detection technology, real-time visualization of network-wide status, troubleshooting within minutes

Integrated security, all-round security protection
• Qiankun security cloud service, proactively identifying cyber security threats

IPv6+ lays the foundation for the digital infrastructure.
CloudWAN 3.0: Management, Control, and Analysis Platform + Intelligent Universal Service Routers for the Cloud Era

Network management: iMaster NCE = U2000 (management) + Controller (control) + uTraffic (analysis)

Routers: NetEngine 9000 backbone router (NetEngine 9000-20); NetEngine 40E universal service router (NetEngine40E-X16A, NetEngine40E-X8A); NetEngine 8000 metro and smart routers (NetEngine 8000 M8, M6, F1A, M1A/M1C).
CloudWAN 3.0: Management, Control, and Analysis Platform

iMaster NCE-IP (manager, controller, and analyzer) connects to the backbone and metro networks through NETCONF/YANG and telemetry and runs E2E SRv6 across them: simplified architecture, intelligent connection, intelligent O&M.

Management
• NE management: topology, alarm, configuration, and inventory management
• Service management: tunnel and VPN service management

Controller
• Centralized path computation: path computation based on multiple constraints
• Logical topologies: cost, delay, and bandwidth topologies
• Network optimization: service path adjustment and optimization

Analysis
• Basic network analysis: display and analysis of performance, traffic, and quality
• Analysis-based prediction: traffic, fault, and exception prediction
One-Hop Cloud Access: SRv6-based Fast, Simplified Service Provisioning Across Domains

Before (figure: separate education, healthcare, and government private networks, each built from several MPLS ASs, holding siloed education, healthcare, and government data):
• Siloed networks, isolated data islands
• Layered and segmented networks, difficult for cloud access

After cloudification of numerous industries (figure: one SRv6 network spanning the ASs, with education, healthcare, and government data converged in the cloud):
• Multi-cloud data convergence and sharing
• SRv6-based one-hop cloud access, enabling fast provisioning
• Protocol simplification: replacement of multiple original network protocols with SRv6 + IGP/BGP
• E2E connection: E2E service provisioning across domains, overcoming the limits of MPLS-based segment-by-segment service provisioning
• Automatic provisioning: Controller + SRv6, enabling automatic service provisioning within minutes

• In the past, most of our networks were siloed private networks, such as education,
healthcare, and government private networks. These networks were independent
physical private networks and could not communicate with each other. The
handling of some services may involve multiple private networks. Moreover, a
service may be deployed segment by segment even on one private network. For
example, multiple ASs may exist on a network due to the division of
administrative domains, and one network service may be deployed across ASs
(on a common network, service data is generally carried over MPLS). In this
situation, a large number of device configurations and personnel communication
are required. The network administrator needs to perform a large number of
configurations on AS boundary devices, and it takes a long time to migrate the
service to the cloud. The acceleration of enterprise digital transformation drives
alignment between networks and clouds.
• Now, increasingly more industries are deploying data to the cloud, making it
easier to converge or share data. The introduction of SRv6 can remove process
barriers and accelerate service provisioning. Simply put, SRv6 can be deployed on
both ends of an SRv6 tunnel to implement one-hop cloud access.
• In the MPLS era, a large number of control-plane protocols, such as IGP, BGP,
LDP, and RSVP-TE, are required to carry VPN services on a network or implement
traffic engineering. On the forwarding plane, there are protocols such as MPLS,
GRE, and L2TP or native IP. The network configuration and configuration
modification are complex. Huawei's CloudWAN solution simplifies network
deployment by replacing multiple network protocols with SRv6+IGP/BGP. SRv6
uses IPv6 as the forwarding plane protocol. On a WAN where IPv6 is deployed, it
is easy to deploy an end-to-end tunnel, even in inter-AS scenarios. The SDN
controller can be used to implement automated SRv6 service provisioning within
minutes.
One Fiber Multipurpose Transport: Hierarchical Slicing for Refined, Deterministic Experience Assurance

Figure: before, a production private network and an office private network (10+ private networks) separately connect remote control, video surveillance, and enterprise office services to the security protection video cloud, media cloud, and collaboration cloud; now one private network carries them as N slices (multi-network convergence), balancing private network experience against cost.

• Hierarchical slicing: implements flexible bearer of multiple services and reduces network construction costs.
• Differentiated network services: provide differentiated SLAs for diversified service requirements.
• Slice lifecycle management: uses the controller for slice planning, construction, maintenance, and optimization.

• Huawei uses the hierarchical slicing technology to power IP-based production networks, ensuring deterministic SLAs for production services.
• In the past, production and office services were carried over multiple independent private networks. Repeated network construction resulted in high investment costs and complex O&M of multiple networks. By deploying multiple slices on one IP bearer network, production services such as remote industrial control and video surveillance are directly isolated from office services, delivering 100% bandwidth guarantee for mission-critical services.
One-Network Wide Connection: Providing a Service-Level SLA Measurement Solution with Higher Precision

Measured SLA per service (figure table):

Service     Delay (ms)   Jitter (ms)   Packet loss rate
Service 1   500          300           0.0001%
Service 2   100          30            0
Service 3   10           10            0

Measurement steps (figure): (1) coloring: service identification at the ingress; (2) counting and timestamping at each hop, exported through telemetry; (3) analysis: hop-by-hop delay, packet loss location, and path restoration.

Easy deployment
• Measurement based on real service flows
• Service mode: MPLS/SR/SRv6/L3VPN/EVPN
• Complete configurations are required only on the ingress and egress.

10^-6 high precision and real services
• E2E/hop-by-hop KPI measurement
• KPIs: delay, packet loss, jitter
• High precision: packet loss measurement precision as high as 10^-6
• On-demand hop-by-hop measurement (for purposes such as detection of E2E KPI threshold-crossing events)

• iFIT integrates the RFC 8321 coloring (alternate marking) technology and in-band detection technology to directly measure service packets. It works with second-level telemetry data collection and iMaster NCE for unified management, computation, and visualization. In this way, it implements real-time visualization and proactive monitoring of network quality SLAs and fast fault demarcation and locating.
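The RFC 8321 alternate-marking method that iFIT builds on is small enough to work through end to end: the ingress flips one marking bit on the flow every measurement period, every measurement point counts packets per colour block and timestamps each block's first packet, and the analyzer subtracts the counters of two points to obtain per-block loss and compares first-packet timestamps to obtain one-way delay. The following simulation is an added example, not Huawei's iFIT implementation; the packet trace, the drop pattern, and the constant path delay are constructed, and synchronised clocks at both points are assumed.

```python
"""Packet loss and delay measurement with alternate marking (RFC 8321),
the colouring technique iFIT builds on. Added example, not Huawei code.

The ingress sets one marking bit on every packet of a flow and flips it
every `period` seconds, cutting the flow into blocks of alternating colour.
Each measurement point counts packets per block and records the arrival
time of a block's first packet. A block's counters stop changing once the
colour has flipped, so the block can then be read safely: loss is the
ingress count minus the egress count, and one-way delay is the difference
of the first-packet timestamps (assumes synchronised clocks at both
points, as a real deployment requires). The packet trace is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    seq: int
    sent_at: float   # time the ingress forwards the packet
    color: int = 0   # marking bit, written by the ingress


def color_for(t, period):
    """Marking bit for a packet forwarded at time t: flips every `period` seconds."""
    return int(t // period) % 2


@dataclass
class MeasurementPoint:
    """Counters kept by one node (ingress, transit or egress) and exported by telemetry."""
    name: str
    counts: list = field(default_factory=list)    # counts[k]: packets seen in block k
    first_ts: list = field(default_factory=list)  # first_ts[k]: arrival time of block k's first packet
    last_color: int = -1

    def observe(self, pkt, seen_at):
        if pkt.color != self.last_color:   # colour flipped: a new block starts
            self.counts.append(0)
            self.first_ts.append(seen_at)
            self.last_color = pkt.color
        self.counts[-1] += 1


def make_trace(n, interval):
    """Constructed flow: n packets, one every `interval` seconds, starting at t=0."""
    return [Packet(seq=i, sent_at=round(i * interval, 9)) for i in range(n)]


def run_flow(packets, period, hop_delay, drop_seqs):
    """Colour the packets at the ingress and forward them over a path with a
    constant one-way delay `hop_delay`, dropping the sequence numbers in `drop_seqs`."""
    ingress = MeasurementPoint("ingress")
    egress = MeasurementPoint("egress")
    for pkt in packets:
        pkt.color = color_for(pkt.sent_at, period)
        ingress.observe(pkt, pkt.sent_at)
        if pkt.seq in drop_seqs:
            continue                       # lost on the path: never reaches the egress
        egress.observe(pkt, pkt.sent_at + hop_delay)
    return ingress, egress


def per_block_results(ingress, egress):
    """(block, packets lost, one-way delay in s) for each block both points have seen.
    In a live system a block is read only after its colour has flipped, because
    only then are its counters guaranteed stable. Known limits of the method:
    losing every packet of a block merges it with its neighbour at the egress,
    and losing a block's first packet inflates that block's delay sample."""
    blocks = min(len(ingress.counts), len(egress.counts))
    return [
        (k, ingress.counts[k] - egress.counts[k],
         round(egress.first_ts[k] - ingress.first_ts[k], 6))
        for k in range(blocks)
    ]


if __name__ == "__main__":
    ing, eg = run_flow(make_trace(30, 0.1), period=1.0, hop_delay=0.004, drop_seqs={12, 17})
    for block, lost, delay in per_block_results(ing, eg):
        print(f"block {block}: lost={lost} one-way delay={delay * 1000:.3f} ms")
```

The reason the method reaches the precision the slide quotes is visible in the code: loss is computed from exact packet counters of real service packets rather than from injected probes, so a single lost packet in a block is detected regardless of the block size. The price is the two limits noted in `per_block_results`, which is why production implementations add a guard interval before reading counters and keep block sizes well above the expected loss.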
One-Click Fast Scheduling: Cloud-Network Coordinated Scheduling, Improving Cloud-Network Resource Utilization

Before: unbalanced cloud-network loads, wasting investments (figure: cloud access utilization of DC1, DC2, and DC3 at 90%, 12%, and 25%).
Now: cloud-network coordinated optimization for efficient utilization of cloud-network resources (figure: DC1, DC2, and DC3 at 45%, 50%, and 47%).

• The intelligent cloud-map algorithm combines the cloud factors (cost, storage, and computing power, obtained as cloud resource information from the cloud management platform) and the network factors (bandwidth, reliability, and delay, used for traffic optimization).
• Load balancing is performed based on service conditions and cloud loads. Services are intelligently scheduled to the most appropriate cloud based on SRv6 and SDN technologies.
e-Government Extranet of a Certain Province

Before: cloud-network separation, difficult for the network to match cloud agility (figure: provincial government, provincial surveillance, municipal government, municipal surveillance, HRSS, healthcare, and civil affairs each connect separately to the provincial government cloud).
• Silos: uncoordinated cloud-network resource scheduling
• Slow provisioning: cross-domain configuration and service provisioning within weeks
• Poor experience: network congestion upon traffic bursts

Now: cloud-network integration, multi-cloud access through one network (figure: policing, HRSS, healthcare, and civil affairs reach the integrated digital government platform over one SDN + SRv6 network).
• Coordination: cloud-network synergy and coordinated cloud-network services
• Fast provisioning: automatic cross-domain provisioning within hours
• Optimal experience: optimized services for user experience assurance

Results: policing system cloudification rate 89.9%; service cloudification time reduced from weeks to hours; average daily visits to cloud services: 40,000+.

• Quick network adjustment upon cloud changes, integrated service provisioning, cloud-based data sharing.
Intelligent Traffic Optimization on an Enterprise WAN

Service scenarios
1. The average traffic between the HQ and branches increases by about 20% annually, but the annual private line leasing budget is only allowed to increase by 5%. The average private line utilization is only about 25%.
2. Enterprise data synchronization services run at night and require ultra-large bandwidth. On traditional networks, traffic load balancing is difficult to implement due to the shortest path first principle.

"We hope that traffic optimization can be automatically or manually triggered based on factors such as time range, traffic threshold, and traffic burst."
— Senior network architect

Solution
• Before (figure: Beijing DC1, Beijing DC2, and the Shanghai DC connect branches 1 to 3; one link runs at 60% utilization and another at 5%): per-hop configuration of IP policy-based routing.
 1. Policy-based routing is manually configured hop by hop. A single optimization operation takes more than 2 hours and is prone to errors.
 2. Traffic optimization often needs to be performed at night and requires the attendance of dedicated personnel.
• Now: automatic SRv6 Policy configuration.
Multi-Service Bearer Through Network Slicing

Figure: the office services (campus surveillance, office automation, customer service, office phone, production and O&M video surveillance) and production services (dispatch phone, video surveillance, WAMS, relay protection) of a power enterprise are carried over one DCN in separate FlexE slices (slices 1 to 4).

• Physical network slicing: TDM-based FlexE divides a physical network into multiple slices on demand to isolate different services and ensure service SLAs.
• Flexible, convenient service deployment.
• Unified bearer: NCE is used to deploy network resources in a unified manner for power service transport, achieving intelligent optimization.
• Support for network evolution over the next 10 years: smooth upgrade to 100/200 Gbit/s; smooth evolution to SRv6/SR/EVPN.
Quiz

1. (Single-answer question) In Huawei's CloudWAN solution, which of the following


technologies can absolutely ensure the bandwidth of key services?( )
A. SRv6 Policy

B. FlexE-based network slicing

C. iFIT

D. Telemetry


1. B
Summary

⚫ An enterprise IP bearer WAN is a backbone WAN used to implement cross-region communication inside an enterprise. In enterprise network scenarios, sectors such as government, finance, education, and power widely use IP bearer WANs to connect sites and clouds in different geographical locations, facilitating digitalization.
⚫ Bearer WAN technologies are evolving from MPLS to SRv6. In the cloud era, networks are expected to meet requirements for visualization, awareness, optimization, deterministic delay, openness, and programmability.
⚫ Huawei's CloudWAN solution meets all the preceding requirements. We will explore this solution further in subsequent learning.
Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Enterprise Bearer WAN Architecture and Key Technologies

Foreword

⚫ The IP bearer WAN, which usually spans a country, is a data communication network that interconnects multiple LANs or branch networks across regions.
⚫ This course introduces the concepts, principles, and applications of the enterprise bearer WAN's typical architecture, bearer technologies, VPN services, traffic optimization, SLA, reliability, and network management and analysis. To introduce these key aspects, this course uses a large enterprise with three data centers in two cities and multiple branches in different regions as an example.
Objectives

⚫ On completion of this course, you will be able to:
▫ Describe the typical architecture of the bearer WAN.
▫ Describe the basic concepts of Multiprotocol Label Switching (MPLS), Segment Routing-Multiprotocol Label Switching (SR-MPLS), and Segment Routing IPv6 (SRv6).
▫ Describe the principles of WAN traffic optimization.
▫ Describe the SLA model and packet processing flow.
▫ Describe the network reliability design.
▫ Describe the key protocols for network management and analysis.
Contents

1. Bearer WAN Architecture
2. Bearer WAN Basics
3. VPN Service
4. Network Traffic Optimization
5. SLA
6. Network Reliability
7. Network Management and O&M
Typical Architecture of the Bearer WAN

[Figure: data centers in City A and City B connected through DC-CE, DC-PE and DC-P devices; WAN-Ps and RRs in City A; BR-PE and BR-CE devices connecting enterprise branches in City C and City D.]

• DC-P: builds a high-speed interconnection network with the two-city three-center architecture.
• DC-PE: aggregates data center or intra-city services.
• DC-CE: functions as the data center access device.
• WAN-P: aggregates traffic from the uplinks of provincial branches.
• RR: reflects regional routes on the bearer WAN.
• BR-PE: functions as the branch edge device on the bearer WAN.
• BR-CE: functions as the branch access device.

* Note: It is recommended that two WAN-Ps be deployed for the dual-plane bearer WAN. Here, only one WAN-P is displayed in the topology.

• The Ps of intra-city data centers are directly connected using WDM or dark (bare) optical fiber, with link bandwidth of up to 10 Gbit/s. To reduce costs, consider connecting local data centers with remote data centers through carriers' MSTP links.
Typical Architecture of the Bearer WAN

⚫ The typical architecture of a bearer WAN is divided into three layers: access layer, aggregation layer, and core layer.

Access layer (CE-PE):
• Provides access for data centers in different cities.
• Provides access for branches in different cities.
• Provides access for external services in different cities.

Aggregation layer (PE-P):
• Aggregates different types of services and transmits them to the bearer WAN based on physical location.

Core layer (P):
• Generally adopts the full-mesh + dual-plane architecture.
• Provides stable, reliable high-speed traffic forwarding between regions.
Technologies Used by the Typical Bearer WAN Architecture

⚫ For CEs accessing the same PE, VPNs are used to isolate services:
• L2VPN: Layer 2 communication
• L3VPN: Layer 3 communication
⚫ Service tunnels are established between PEs for VPN service recursion. For example:
• MPLS LDP tunnels
• MPLS TE tunnels
• SR-MPLS BE/TE tunnels
• SRv6 BE tunnels
⚫ Data forwarding: MPLS or IPv6 forwarding

[Figure: Service 1 and Service 2 CEs attach to PEs on both sides of the bearer WAN; tunnels run between the PEs across the P routers.]
MPLS Overview

⚫ MPLS sits between the data link layer and the network layer in the TCP/IP protocol stack and can carry any network-layer protocol.
⚫ An MPLS header is inserted between the data-link-layer header and the network-layer header, and packets are forwarded quickly based on the MPLS label rather than by IP route lookup.

[Figure: an IP network, an MPLS network using MPLS label-based forwarding, and an IP network using IP-based forwarding. Frame layout: Ethernet header | MPLS header | IP packet.]
MPLS Terms (1)

⚫ MPLS domain: a set of contiguous network devices that run MPLS.
⚫ Label switching router (LSR): a routing device, such as a router or switch, that runs MPLS. An LSR at the edge of an MPLS domain that connects to a non-MPLS network is called a label edge router (LER). An LSR inside an MPLS domain is called a core LSR.
⚫ The path that MPLS packets take through an MPLS network is called a label switched path (LSP). An LSP is a unidirectional path that carries traffic from the ingress to the egress.
⚫ The start node of an LSP is called the ingress, an intermediate node is called a transit node, and the end node is called the egress. An LSP has one ingress, one egress, and zero, one, or multiple transit nodes.

[Figure: IP network - LER (ingress) - core LSR (transit) - LER (egress) - IP network; the MPLS domain spans the three LSRs. Frame layout: Ethernet header | MPLS header | IP packet.]
MPLS Terms (2)

⚫ Forwarding equivalence class (FEC): a set of packets with similar or identical characteristics that are forwarded in the same way by LSRs. In traditional IP forwarding, which uses the longest match algorithm, all packets that match the same route belong to the same FEC.
⚫ An LSP is composed of an ingress LSR, an egress LSR, and a variable number of transit LSRs. Therefore, an LSP can be considered an ordered set of these LSRs.
⚫ An LSP must be established before a packet is forwarded; otherwise, the packet cannot traverse the MPLS domain.
⚫ An LSP is a unidirectional path from the start point to the end point. If bidirectional data communication is required, an LSP for return traffic must be established between the two ends.

[Figure: MPLS domain R1 to R8 between IP networks 10.0.1.0/24 and 10.0.2.0/24. LSP1 carries packets with destination 10.0.1.1 and LSP2 carries packets with destination 10.0.2.1. Frame layout: Ethernet header | IP packet.]

• For more information about MPLS, see HCIP-Datacom-Advanced Routing & Switching Technology.
MPLS Terms (3)

⚫ LSPs can be statically configured or dynamically established.
⚫ Two protocols are commonly used to dynamically establish LSPs: LDP and Resource Reservation Protocol-Traffic Engineering (RSVP-TE).

LDP: used to establish common LSPs
⚫ LDP distributes labels from downstream routers to upstream routers based on the routing table to set up common LSPs.
⚫ A common LSP is usually the shortest path calculated by an IGP, which does not factor in aspects such as bandwidth, tunnel protection, and traffic optimization.

RSVP-TE: used to establish CR-LSPs
⚫ RSVP-TE establishes tunnels by requesting and reserving tunnel resources end to end.
⚫ An LSP set up based on bandwidth or path constraints is called a constraint-based routed label switched path (CR-LSP).

[Figure: MPLS LSP R1-R2-R3 with downstream-to-upstream label distribution; MPLS TE tunnel (CR-LSP) R1-R2-R3 with hop-by-hop resource reservation and label distribution.]
MPLS LDP Overview

⚫ LDP is a control protocol of MPLS that provides functions such as FEC classification, label distribution, and LSP establishment and maintenance. LDP defines the messages used in label distribution as well as the message processing procedures.
⚫ LDP is easy to configure and maintain and is widely used to create LSPs in BGP/MPLS IP VPN scenarios. In the figure, the carrier builds a bearer WAN for MPLS VPNs to provide inter-provincial L3VPN services for customers.
⚫ MPLS LDP LSPs follow the shortest IP paths and do not support planning of tunnel forwarding paths.

[Figure: Company A's networks in provinces X and Y and Company B's networks in provinces X and Z connected across the bearer WAN for MPLS VPNs.]
MPLS TE Overview

⚫ MPLS TE, as its name suggests, is a combination of MPLS and TE. It provides functions such as path planning, traffic optimization, and fault protection for MPLS VPN services.
⚫ Compared with MPLS LDP, MPLS TE enhances VPN traffic control and protection.

• Path planning: Different paths are planned for different services.
• Traffic optimization: Traffic is evenly distributed to idle links when unbalanced traffic distribution occurs due to major events, such as live broadcasts.
• Fault protection: Fast protection switching is performed in the case of a device or link fault.
MPLS TE Tunnel

⚫ MPLS TE often associates multiple LSPs with a virtual tunnel interface, and such a group of LSPs is called an MPLS TE tunnel.
⚫ An MPLS TE tunnel provides SLA assurance, but requires complex configuration and manual planning.

[Figure: R1 to R4 with a primary path through R2 and a backup path through R3.]

Configuration on the ingress R1 (the tunnel destination is R4's LSR ID; the address and the bandwidth value are shown in the slide's simplified form):

[R1] interface tunnel1
[R1-Tunnel1] ip address …
[R1-Tunnel1] tunnel-protocol mpls te
[R1-Tunnel1] destination R4
[R1-Tunnel1] mpls te bandwidth 50M
Issues with MPLS LDP and RSVP-TE

MPLS LDP
• LDP itself has no path computation capability and relies on the IGP for path computation.
• Both the IGP and LDP must be deployed on the control plane, and devices need to exchange a large number of packets to maintain neighbor relationships and path states, consuming link bandwidth and device resources.
• If LDP-IGP synchronization is not achieved, data forwarding may fail (the IGP may converge to a path for which no label binding exists yet).

RSVP-TE
• RSVP-TE is complex to configure and does not support load balancing.
• To implement TE, devices need to exchange a large number of RSVP packets to maintain neighbor relationships and path states, consuming link bandwidth and device resources.
• RSVP-TE uses a distributed architecture: each device knows only its own state and must exchange signaling packets with other devices.

[Figure: R1, R2, R3 and R4 under MPLS LDP and under RSVP-TE.]
SR-MPLS Overview

⚫ SR is designed to forward data packets on a network using the source routing model.
⚫ SR-MPLS, as its name suggests, is SR based on MPLS label forwarding.

• Source routing:
▫ The source node selects a path and pushes an ordered label stack into the packet.
▫ Other nodes on the network forward the packet according to the label stack encapsulated in the packet.
• SR has the following characteristics:
▫ Extends existing protocols (e.g. the IGP) to facilitate network evolution.
▫ Supports both centralized controller-based control and distributed forwarder-based control, providing a balance between the two control modes.
▫ Enables networks to quickly interact with upper-layer applications through the source routing technology.

[Figure: R1 pushes the label stack 400, 600, 800 and the packet is forwarded via R2 (400) and R4 (600) to R8 (800), bypassing R3 (500), R5 (700), R6 and R7; steps 1, 2 and 3 mark the hops.]
SR-MPLS BE and SR-MPLS TE

⚫ SR-MPLS tunnels can be implemented in either SR-MPLS BE or SR-MPLS TE mode.

SR-MPLS BE
• Forwarding path: Similar to an MPLS LDP LSP, an SR-MPLS BE LSP is calculated using the IGP shortest path first (SPF) algorithm. An SR-MPLS BE LSP carries only one label (the prefix/node SID of the destination node).
• In production environments, SR-MPLS BE is generally used as the fallback (disaster recovery) path for SR-MPLS TE. For example, if a controller fault causes a tunnel delivery failure, the IGP can still generate forwarding tunnels.

SR-MPLS TE
• Forwarding path: An SR-MPLS TE path is created by SR based on TE constraints. An SR-MPLS TE tunnel generally uses multiple label layers to implement path control and supports primary and backup paths.
• SR-MPLS TE is usually used with a controller. After the controller globally computes a path, it delivers a label stack to the corresponding ingress.

[Figure: SR-MPLS BE, label stack 600, packet follows the shortest path. SR-MPLS TE tunnel, label stack 400/500/600 on the constrained primary path, plus a backup path.]
SR-MPLS Policy

⚫ The SR-MPLS Policy, also called the SR-MPLS TE Policy, is one of the mainstream SR-MPLS implementation modes.
⚫ As defined in RFC 9256 (Segment Routing Policy Architecture), an SR Policy is identified by the tuple <headend, color, endpoint> and contains one or more candidate paths.

SR Policy model
⚫ A candidate path can contain multiple segment lists, and load balancing is implemented among these segment lists based on their weights.
⚫ Candidate paths work in primary/backup mode based on their preferences: the valid candidate path with the highest preference is active.

SR Policy application scenario
⚫ The controller collects information such as the global topology, network bandwidth, and link delay. After computing an SR Policy path based on service requirements, the controller uses BGP (the BGP SR Policy address family) to deliver the path to the ingress.

[Figure: SR Policy <headend, color, endpoint> with candidate path 1 (preference 200, segment lists 1 and 2 with weights, primary path) and candidate path 2 (preference 100, segment list 1, backup path); the controller delivers the green SR Policy to the headend via BGP.]

• Based on the MPLS and IPv6 forwarding technologies, SR Policies are classified into SR-MPLS Policies and SRv6 Policies.
SRv6 Overview

⚫ SRv6 is designed to forward data packets on an IPv6 network using the source routing model.
⚫ Both SRv6 and SR-MPLS follow the SR architecture. Their main difference lies in the data plane instructions: SRv6 runs on an IPv6 network and uses IPv6 addresses (SIDs) as instructions, whereas SR-MPLS runs on an MPLS network and uses MPLS labels as instructions.

Source routing:
• The source node selects a path and encodes it as an ordered list of SIDs (the segment list, carried in the SRH) in the packet.
• Other nodes on the network forward the packet according to the segment list encapsulated in the packet.

[Figure: R1 encodes the segment list FC00::4, FC00::6, FC00::8 (the SIDs of the nodes on the chosen path) and the packet is forwarded across R2, R4, R6 to R8; R3, R5 and R7 (SIDs FC00::5, FC00::7) are bypassed. Steps 1, 2 and 3 mark the hops.]
SRv6 Extension Header

⚫ SRv6 adds a segment routing header (SRH), an IPv6 routing extension header, to IPv6 packets. The SRH carries an explicit stack of IPv6 addresses (the segment list). During forwarding, each SRv6 endpoint updates the IPv6 destination address to the next SID and moves the pointer into the address stack, completing hop-by-hop forwarding.

Packet layout: IPv6 header | SRH (IPv6 extension header) | IPv6 payload

IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header = 43 (Routing header), Hop Limit, Source Address, Destination Address.
SRH fields: Next Header, Hdr Ext Len, Routing Type = 4 (SRH), Segments Left, Last Entry, Flags, Tag, Segment List[0] … Segment List[n] (128-bit IPv6 addresses, the IPv6 address stack), Optional TLV Objects (variable).
• The destination address for the next hop is taken from the segment list entry indexed by Segments Left.
• Segments Left is the offset pointer: it decrements by 1 hop by hop, walking the list from bottom to top. Segment List[0] therefore holds the last SID of the path, and the first SID sits at Segment List[Last Entry].
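The SRH layout and the per-hop update described above, as an added Python example that is not part of the original course material: it builds an SRH for the segment list from the SRv6 overview slide (FC00::4, FC00::6, FC00::8, used here as constructed sample data), parses it with the bounds checks a receiver needs before it trusts Segments Left and Last Entry, and walks the End behaviour hop by hop. Assumptions: RFC 8754 header layout without TLVs, RFC 8986 End SID semantics, and Next Header 59 (No Next Header) after the SRH; the function names are my own.

```python
"""Added example: SRv6 SRH encode/parse and End-SID processing (not Huawei code).

Sample data is constructed: the segment list FC00::4, FC00::6, FC00::8 from the
SRv6 overview slide. Assumptions: RFC 8754 SRH layout without TLVs, RFC 8986 End
behaviour (SL -= 1, DA := Segment List[SL]), payload Next Header 59 (no next header).
"""
import ipaddress
import struct

ROUTING_HEADER = 43   # IPv6 Next Header value that announces a Routing header
SRH_TYPE = 4          # Routing Type 4 = Segment Routing Header
NO_NEXT_HEADER = 59


def build_srh(segments, next_header=NO_NEXT_HEADER, flags=0, tag=0):
    """Encode an SRH. `segments` is given in forwarding order; Segment List[0]
    must hold the LAST segment, so the list is stored reversed."""
    n = len(segments)
    hdr_ext_len = 2 * n                   # 8-octet units after the first 8 octets
    segments_left = n - 1                 # points at the first segment to visit
    fixed = struct.pack("!BBBBBBH", next_header, hdr_ext_len, SRH_TYPE,
                        segments_left, n - 1, flags, tag)
    body = b"".join(ipaddress.IPv6Address(s).packed for s in reversed(segments))
    return fixed + body


def parse_srh(buf):
    """Decode an SRH, rejecting the field values an attacker-controlled packet can
    use to make a forwarder read outside the header."""
    if len(buf) < 8:
        raise ValueError("truncated SRH")
    nh, hel, rtype, sl, last, flags, tag = struct.unpack("!BBBBBBH", buf[:8])
    if rtype != SRH_TYPE:
        raise ValueError("not an SRH")
    total = 8 + 8 * hel
    if len(buf) < total:
        raise ValueError("Hdr Ext Len exceeds packet")
    if 16 * (last + 1) > 8 * hel:
        raise ValueError("Last Entry points beyond the header")
    if sl > last:
        # RFC 8754: discard and send ICMP Parameter Problem; never index past Last Entry
        raise ValueError("Segments Left greater than Last Entry")
    sids = [ipaddress.IPv6Address(buf[8 + 16 * i:24 + 16 * i]) for i in range(last + 1)]
    return {"next_header": nh, "segments_left": sl, "last_entry": last,
            "flags": flags, "tag": tag, "segment_list": sids, "length": total}


def end_behavior(dst, srh_bytes):
    """RFC 8986 End SID on a node whose SID is `dst`.
    Returns (new_dst, new_srh, delivered); delivered is True when SL was already 0."""
    h = parse_srh(srh_bytes)
    if h["segments_left"] == 0:
        return dst, srh_bytes, True
    sl = h["segments_left"] - 1
    new_srh = srh_bytes[:3] + bytes([sl]) + srh_bytes[4:]   # only SL changes
    return h["segment_list"][sl], new_srh, False


def forward_along(segments):
    """Simulate the ingress plus every End SID on the path; return the sequence
    of IPv6 destination addresses the packet carries hop by hop."""
    srh = build_srh(segments)
    dst = ipaddress.IPv6Address(segments[0])     # ingress sets DA to the first SID
    visited = [str(dst)]
    delivered = False
    while not delivered:
        dst, srh, delivered = end_behavior(dst, srh)
        if not delivered:
            visited.append(str(dst))
    return visited


if __name__ == "__main__":
    print(forward_along(["FC00::4", "FC00::6", "FC00::8"]))
```

The two checks in parse_srh are the ones that matter on a PE that accepts SRv6 packets from outside its trusted domain: Hdr Ext Len and Last Entry bound the buffer, and Segments Left must never exceed Last Entry, since the End behaviour indexes the segment list with it.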
Summary: WAN Bearer Technologies

⚫ Enterprise bearer WANs can be roughly classified into two types: MPLS networks and IPv6 networks.
• MPLS network:
▫ MPLS LDP
▫ MPLS TE
▫ SR-MPLS
• IPv6 network:
▫ SRv6

[Figure: the bearer WAN topology from the architecture slide (DC-CE, DC-PE, DC-P, WAN-P, RR, BR-PE, BR-CE).]
Contents

1. Bearer WAN Architecture
2. Bearer WAN Basics
3. VPN Service
◼ WAN VPN Overview
▫ Tunnel Management Overview
4. Network Traffic Optimization
5. SLA
6. Network Reliability
7. Network Management and O&M
VPN Classification

⚫ VPN is widely used as a virtual private tunneling technology and can be classified from different perspectives. For example, by implementation layer, VPN can be classified into Layer 3 VPN (L3VPN), Layer 2 VPN (L2VPN), and Virtual Private Dial-up Network (VPDN).
⚫ VPWS, VPLS, and BGP/MPLS IP VPN are the types most widely used on bearer WANs.
⚫ GRE VPN and IPsec VPN, which are mainly used over the Internet, are beyond the scope of this course.

Classification (types covered in this course are marked with *):
• L2VPN: VPWS*, VPLS*
• L3VPN: BGP/MPLS IP VPN*, GRE VPN, IPsec VPN
• VPDN

• Traditional switching networks, such as asynchronous transfer mode (ATM) and frame relay (FR) networks, were integrated with IP or MPLS networks, and Layer 2 virtual private network (L2VPN) emerged as a result. L2VPN includes Virtual Pseudo Wire Service (VPWS) and Virtual Private LAN Service (VPLS):
▫ VPWS is a P2P L2VPN technology that emulates the basic behaviors and characteristics of services such as ATM and frame relay.
▫ VPLS provides P2MP L2VPN services so that sites are connected as if they were on the same LAN.
• Virtual Private Dial-up Network (VPDN) is a virtual private network constructed over the public network. It uses a dedicated tunneling protocol to provide access services for the international organizations and mobile workforce of enterprises. There are multiple VPDN tunneling protocols, of which Layer Two Tunneling Protocol (L2TP) is the most widely used. Note that L2TP itself provides tunneling but no encryption; confidentiality over the public network requires combining it with IPsec (L2TP over IPsec). Strictly speaking, L2TP is also a type of L2VPN, but its network structure and protocol design differ considerably from those of other L2VPN types, and L2TP uses the dial-up mode. Therefore, L2TP is classified as VPDN.
• L3VPN is also called Virtual Private Routing Network (VPRN). It includes BGP/MPLS IP VPN, originally specified in RFC 2547 (now RFC 4364), as well as IPsec VPN and GRE VPN, which are carried over IPsec or GRE tunnels.
WAN VPN Service Overview

⚫ An enterprise builds a bearer WAN to provide wide-area interconnection for its internal and external services, such as production, office, external connection, and test services. These services are logically isolated but share the same physical network resources. Therefore, they are called WAN VPN services.
⚫ WAN VPN can be classified into L2VPN and L3VPN.

Traditional L2VPN and L3VPN technologies
⚫ Traditional L2VPN includes VPLS and VPWS, which use LDP or BGP to establish virtual links.
⚫ Traditional L3VPN uses VPN instances to isolate services and uses BGP VPNv4/VPNv6 to transmit Layer 3 routing information.

EVPN
⚫ EVPN provides both Layer 2 and Layer 3 capabilities and functions as a control plane protocol to transmit Layer 2 and Layer 3 information (MAC and IP addresses). EVPN can be used together with traditional VPN technologies.
⚫ EVPN supports EVPN VPLS, EVPN VPWS, EVPN L3VPN, etc.

[Figure: between two PEs, traditional L3VPN uses BGP VPNv4/VPNv6 and traditional L2VPN uses BGP l2vpn-ad; with EVPN, both L3VPN and L2VPN use BGP EVPN.]

• A traditional L2VPN has no control plane that transmits service reachability information (MAC addresses); it uses LDP or BGP only as the signaling protocol to establish VCs, and MAC learning happens in the data plane.
• For details about VPN classification, see the book SRv6 Network Programming: Ushering in a New Era of IP Networks.
Traditional WAN L2VPN Overview

⚫ The traditional WAN L2VPN runs over the MPLS network. VPWS provides a point-to-point Layer 2 network, and VPLS provides a point-to-multipoint Layer 2 network.
⚫ The basic MPLS L2VPN architecture consists of the attachment circuit (AC), VC, and tunnel.
▫ AC: an independent physical or virtual circuit connecting a CE and a PE. An AC interface can be either a physical or a logical interface.
▫ VC: a logical connection between two PEs. A VC is established using a signaling protocol, such as LDP or BGP AD.
▫ Tunnel: used to transparently transmit service data. Typical tunnels include MPLS LDP tunnels and MPLS TE tunnels.
⚫ VPLS and VPWS are widely used on carrier networks to provide MPLS Layer 2 private line services for enterprises.

[Figure: CEA - AC - PEA - VC over a tunnel through P in the MPLS domain - PEB - AC - CEB.]

• VCs are also called pseudo wires (PWs) in some documents.
Traditional WAN L3VPN Overview

⚫ Traditional WAN L3VPN generally refers to BGP/MPLS L3VPN.
⚫ It separates the control plane from the data plane. The control plane uses MP-BGP to advertise VPN routes (1), and the data plane uses MPLS LSPs to forward VPN packets (2).
⚫ BGP/MPLS L3VPN is widely used on carrier networks to provide MPLS Layer 3 private line services for enterprises.

[Figure: Site A of user X (192.168.1.0/24) - CE1 - PE1 - P - PE2 - CE2 - Site B of user X (192.168.2.0/24); step 1 is route transmission through BGP on the control plane, step 2 is MPLS packet forwarding on the data plane.]
WAN EVPN Overview

⚫ EVPN was initially designed as an L2VPN technology based on BGP extensions. With subsequent protocol extensions, EVPN now also supports L3VPN.
⚫ EVPN serves well as the control plane protocol for WAN VPN. It can be used with traditional VPN technologies to provide EVPN VPLS, EVPN VPWS, and EVPN L3VPN.

Traditional WAN VPN and its EVPN counterpart (basic standard):
• VPLS: EVPN VPLS (RFC 7432)
• VPWS: EVPN VPWS (RFC 8214)
• L3VPN: EVPN L3VPN (draft-ietf-bess-evpn-prefix-advertisement-05, later published as RFC 9136)

• The EVPN standard is gradually maturing, unifying all services on the control plane.
WAN EVPN Application

⚫ On a WAN, EVPN can be used with multiple tunneling technologies to support multiple application scenarios.
⚫ EVPN, as a control plane protocol, can work with MPLS LDP, MPLS TE, SR-MPLS, and SRv6 tunnels to carry EVPN L3VPNv4, EVPN L3VPNv6, EVPN VPLS, and EVPN VPWS services.
⚫ On Huawei devices, EVPN L2VPN and L3VPN services share the same BGP address family:

[Router] bgp 100
[Router-bgp] l2vpn-family evpn

[Figure: CE - PE - P - P - PE - CE across the WAN, with MPLS LDP, MPLS TE, SR-MPLS and SRv6 tunnels carrying EVPN VPWS, EVPN VPLS, EVPN L3VPNv6 and EVPN L3VPNv4.]
Summary: WAN VPN

⚫ VPN technology is widely used in various enterprise scenarios. VPNs can be built over either the Internet or a private network.
⚫ L2VPN (VPLS and VPWS), L3VPN (BGP/MPLS IP VPN), and L2/L3 EVPN can be deployed on a bearer WAN built by an enterprise.
⚫ EVPN, as a control plane protocol, works with different bearer technologies (such as MPLS LDP, MPLS TE, SR-MPLS, and SRv6) to provide integrated, unified VPN services for enterprises.
⚫ When multiple tunneling technologies are deployed on an enterprise bearer WAN, VPNs must recurse to tunnels based on tunnel policies.
Contents

1. Bearer WAN Architecture
2. Bearer WAN Basics
3. VPN Service
▫ WAN VPN Overview
◼ Tunnel Management Overview
4. Network Traffic Optimization
5. SLA
6. Network Reliability
7. Network Management and O&M
Tunnel Management

⚫ Huawei devices use a tunnel management (TNLM) module to manage tunnels. It selects a tunnel for an application according to the configured policy and notifies the application of the tunnel's status.
⚫ Common VPN tunnels include LSPs (MPLS LDP), MPLS TE tunnels, GRE tunnels, SR-MPLS Policies, and SRv6 Policies.
⚫ Tunnel management configuration has two parts: configuring a tunnel policy and applying the tunnel policy to a VPN.

[Figure: application VPN1 uses tunnel policy 1 and application VPN2 uses tunnel policy 2 to select among SRv6, SR-MPLS, MPLS TE and MPLS LDP tunnels.]

• GRE: GRE can be applied to both L2VPN and L3VPN. Generally, the bearer WAN for MPLS VPN uses LSPs as public network tunnels. If the bearer WAN (P devices) has only IP functions but not MPLS functions, while the PEs at the network edge have MPLS functions, LSPs cannot be used as public network tunnels. In this case, GRE tunnels can replace LSPs to provide L3VPN or L2VPN solutions on the bearer WAN.
• SR-MPLS Policy: a type of SR-MPLS tunnel.
• SRv6 Policy: a type of SRv6 tunnel.
• You can configure tunnel policies or tunnel policy selectors for tunnel management. This course uses tunnel policy configuration as an example. Tunnel policy selectors apply to inter-AS VPN scenarios. For details, see the product documentation for NetEngine products.
Configuring a Tunnel Policy

⚫ A tunnel policy determines the types of tunnels to be selected and the order in which they are tried.
⚫ By default, a VPN service recurses to only one LSP. If multiple LSPs are available, a tunnel policy can be used for load balancing among them.
⚫ In this example, to implement load balancing between MPLS LDP LSPs and TE tunnels, you configure a tunnel policy and apply it to the VPN. The tunnel policy policy1 requires tunnels to be selected in the sequence of CR-LSPs first and then LSPs, with 2 tunnels used for load balancing. The system preferentially selects two CR-LSPs. If only one CR-LSP or no CR-LSP is available, the system selects one or two LSPs, respectively, for service transmission; in the one-CR-LSP case the CR-LSP and the selected LSP are used together.

[PE1] tunnel-policy policy1
[PE1-tunnel-policy-policy1] tunnel select-seq cr-lsp lsp load-balance-number 2

[Figure: an MPLS TE tunnel and an MPLS LDP LSP between PE1 and PE2.]

• Tunnel policy parameters involve many details. For example, CR-LSP-based tunnels include RSVP-TE tunnels and SR-MPLS TE tunnels, and the system prioritizes these tunnels based on their up time. For details, see "VPN Tunnel Management Configuration" in the product documentation for Huawei NetEngine routers.
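The selection rule described above (CR-LSPs first, then LSPs, at most load-balance-number tunnels) written out as an added Python model; it is my illustration of the documented behaviour, not Huawei's TNLM implementation. The tunnel table is constructed sample data, and the tie-break among tunnels of the same type (the tunnel that has been up longest is preferred) is an assumption made for the example.

```python
"""Added example: tunnel-policy selection (select-seq + load-balance-number), not Huawei code.

Assumptions: each tunnel is a dict with 'name', 'type', 'up' and 'up_time' (seconds
the tunnel has been up); within one type the longest-up tunnel is preferred
(assumed tie-break)."""


def select_tunnels(tunnels, select_seq=("cr-lsp", "lsp"), load_balance_number=2):
    """Return the names of the tunnels a VPN recurses to under the policy
    'tunnel select-seq <types...> load-balance-number <n>'.
    Types not named in select_seq are never used, even if they are up."""
    chosen = []
    for ttype in select_seq:                       # strict type order
        pool = [t for t in tunnels if t["type"] == ttype and t["up"]]
        pool.sort(key=lambda t: t["up_time"], reverse=True)   # assumed tie-break
        for t in pool:
            if len(chosen) == load_balance_number:
                return chosen
            chosen.append(t["name"])
    return chosen          # may be shorter than n, or empty if nothing is usable


# Constructed tunnel table on PE1 towards PE2 (sample data, not from the course)
TUNNELS = [
    {"name": "Tunnel1 (RSVP-TE)",    "type": "cr-lsp", "up": True,  "up_time": 3600},
    {"name": "Tunnel2 (SR-MPLS TE)", "type": "cr-lsp", "up": False, "up_time": 0},
    {"name": "LSP-A (LDP)",          "type": "lsp",    "up": True,  "up_time": 9000},
    {"name": "LSP-B (LDP, ECMP)",    "type": "lsp",    "up": True,  "up_time": 9000},
    {"name": "Tunnel5 (GRE)",        "type": "gre",    "up": True,  "up_time": 50},
]


def scenarios(tunnels=TUNNELS):
    """The three cases the slide describes for 'cr-lsp lsp load-balance-number 2'."""
    one_cr = select_tunnels(tunnels)                                        # 1 CR-LSP up
    no_cr = select_tunnels([t for t in tunnels if t["type"] != "cr-lsp"])   # 0 CR-LSPs
    two_cr = select_tunnels([dict(t, up=True, up_time=t["up_time"] or 60)
                             for t in tunnels])                             # 2 CR-LSPs up
    return one_cr, no_cr, two_cr


if __name__ == "__main__":
    for label, result in zip(("one CR-LSP", "no CR-LSP", "two CR-LSPs"), scenarios()):
        print(f"{label}: {result}")
```

Note that the GRE tunnel is up but never chosen, because the policy names only cr-lsp and lsp; a VPN whose policy lists no usable type ends up with an empty selection and its routes are not forwarded, which is the failure to check for after changing a tunnel policy.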
Applying a Tunnel Policy to a VPN

⚫ After being configured, a tunnel policy must be applied to a VPN. The way a tunnel policy is applied varies with the VPN type.
⚫ This example applies the tunnel policy to the IPv4 address family of the L3VPN instance vpn1:

[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] tnl-policy policy1

[Figure: an MPLS TE tunnel and an MPLS LDP LSP between PE1 and PE2.]

• For other VPN types, such as VPNv6, L2VPN, and EVPN, see the product documentation for NetEngine routers.
Extension: SR Policy-based Traffic Diversion

⚫ Tunnel policies were designed by Huawei for VPN service recursion in the MPLS era. They decouple tunnel establishment from tunnel selection, so the traffic of a VPN can be directed to multiple tunnels for load balancing. With SR, the implementation changes: an SR Policy integrates tunnel establishment (the SR forwarding path) with the tunnel policy (color-based traffic diversion by default). SR Policies cannot be selected together with other types of tunnels.
⚫ An SR Policy is identified by <headend, color, endpoint> and can contain multiple forwarding paths. A VPN service selects an SR Policy based on the color attribute (the Color Extended Community carried with the VPN route).

⚫ There are two SR Policies between R1 and R4: <R1, Blue, R4> and <R1, Green, R4>.
⚫ R1 looks up its VPN routing table after receiving traffic from the CE.
⚫ If the color of the matching VPN route is Blue and its next hop is R4, R1 recurses the route to the SR Policy <R1, Blue, R4>.

[Figure: CE - R1 - R4, with a blue and a green SR Policy between R1 and R4 and a VPN route colored Blue.]

• For details, see "SR Policy" in Section 2, Terminology, of RFC 8402.
• SR Policy traffic diversion can be based on the binding SID, color, or DSCP value. Details are not provided here.
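Color-based recursion of a VPN route into an SR Policy, as an added Python example that is not part of the course material. It covers both the SR Policy model from the SR-MPLS Policy slide (the valid candidate path with the highest preference is active, and load balancing among its segment lists follows their weights) and the color-based selection on this slide. The policies, routes and flows are constructed sample data; hashing the flow 5-tuple to pick a segment list and falling back to a best-effort path when no policy matches are my assumptions about the forwarding behaviour, not Huawei's implementation.

```python
"""Added example: colour-based recursion of a VPN route into an SR Policy (not Huawei code).

Assumptions: policies are keyed by <headend, color, endpoint>; the active candidate
path is the valid one with the highest preference; packets of one flow are pinned
to one segment list by hashing the 5-tuple; a route with no matching policy falls
back to best-effort (IGP/SR-BE) forwarding to its next hop."""
import hashlib

# SR-MPLS Policies installed on headend R1 towards endpoint R4 (constructed data;
# the SIDs 400/500/600/700/800 echo the node labels used on the SR-MPLS slides)
POLICIES = {
    ("R1", "blue", "R4"): [
        {"preference": 200, "valid": True,
         "segment_lists": [{"sids": [400, 600], "weight": 2},
                           {"sids": [500, 700], "weight": 1}]},
        {"preference": 100, "valid": True,
         "segment_lists": [{"sids": [800], "weight": 1}]},
    ],
    ("R1", "green", "R4"): [
        {"preference": 100, "valid": True,
         "segment_lists": [{"sids": [500, 700], "weight": 1}]},
    ],
}


def active_candidate(candidate_paths):
    """The active path is the valid candidate with the highest preference."""
    valid = [cp for cp in candidate_paths if cp["valid"]]
    return max(valid, key=lambda cp: cp["preference"]) if valid else None


def pick_segment_list(candidate, flow):
    """Weighted ECMP across the active path's segment lists, keyed on the flow
    5-tuple so every packet of one flow follows the same list."""
    lists = candidate["segment_lists"]
    total = sum(sl["weight"] for sl in lists)
    digest = hashlib.sha256(repr(flow).encode()).digest()
    bucket = int.from_bytes(digest[:8], "big") % total
    for sl in lists:
        if bucket < sl["weight"]:
            return sl["sids"]
        bucket -= sl["weight"]


def steer(headend, vpn_route, flow, policies=POLICIES):
    """Recurse a VPN route: ('sr-policy', label stack) when a policy matches
    <headend, route colour, route next hop> and has a usable candidate path,
    otherwise ('best-effort', next hop) for IGP/SR-BE forwarding."""
    key = (headend, vpn_route.get("color"), vpn_route["next_hop"])
    candidate = active_candidate(policies.get(key, []))
    if candidate is None:
        return ("best-effort", vpn_route["next_hop"])
    return ("sr-policy", pick_segment_list(candidate, flow))


def distribution(headend, vpn_route, flows, policies=POLICIES):
    """Count how many flows land on each label stack, to check the weights."""
    counts = {}
    for flow in flows:
        kind, sids = steer(headend, vpn_route, flow, policies)
        key = tuple(sids) if kind == "sr-policy" else kind
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    route = {"prefix": "10.1.0.0/16", "next_hop": "R4", "color": "blue"}
    flows = [("10.1.1.%d" % i, "10.1.2.2", 6, 40000 + i, 443) for i in range(300)]
    print(distribution("R1", route, flows))
```

The lookup key is the whole tuple: a route carrying a color for which no policy exists at this headend, or whose next hop is not the policy endpoint, silently takes the best-effort path, so a wrong or missing color on a route is a misrouting that leaves no error behind.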
Network Congestion Background

Drawback of fixed bandwidth-based route selection and related solution
[Figure: Routers A, B, C, D and E. Link load is shown as used bandwidth/total bandwidth: 1G/5G, 2G/10G, and 6G/5G on the link from Router C to Router D.]
The network computes forwarding paths based on static link costs derived from the configured bandwidth, not on the actual load. The link from Router C to Router D lies on the shortest forwarding path. The rate of service traffic from Router C to Router D exceeds the link bandwidth (6G on a 5G link), and packet loss occurs. Although other links are idle, the algorithm still selects the shortest path for traffic forwarding. From a global perspective, the optimal traffic forwarding path in this situation is C -> A -> D.

Drawback of sequenced tunnel establishment and related solution
[Figure: Routers A to H. Tunnels are established in the order A-E (1), A-G (2), C-H (3); the second view shows the paths after global path computation.]
Tunnels are established in the sequence A-E > A-G > C-H. Tunnel C-H, however, fails to be established because the bandwidth already reserved by the first two tunnels leaves insufficient bandwidth on its links. With global path computation, the controller adjusts the paths of the existing tunnels so that all three tunnels fit (optimal tunnel path adjustment).
Network Traffic Optimization Overview

⚫ Network traffic optimization performs global analysis of network congestion, obtains a path computation result based on a proper optimization policy (ensuring the SLA of critical services), and applies the result to the network to eliminate congestion.
⚫ Network traffic optimization can be divided into three phases: network information collection, path computation for network traffic optimization, and optimization result delivery.

1. Network information collection: the controller collects global network information, including:
⚫ Network topology
⚫ Network bandwidth
⚫ Link delay
⚫ Network traffic and other information
2. Path computation for network traffic optimization: the controller computes paths based on the optimization target. Optimization targets include:
⚫ Least path cost
⚫ Shortest path delay
⚫ Maximum link bandwidth utilization
⚫ ...
3. Optimization result delivery: the controller delivers the computation result to network devices in any of the following modes:
⚫ NETCONF
⚫ PCEP
⚫ BGP SR Policy
⚫ ...
Network Information Collection

⚫ The collection of network information, including the network topology, interface bandwidth, link delay, and traffic statistics, is the prerequisite for network traffic optimization.

[Figure: collector, controller, and analyzer receiving data from the network through SNMP, BGP-LS, PCEP, telemetry, etc.]

Network topology and interface bandwidth collection
• In the industry, SNMP is generally used to collect basic network topology and device information.
• BGP-LS is used to collect IGP and TE topology information (including interface bandwidth).
• PCEP and BGP SR Policy are used to collect TE tunnel information.

Link delay collection
• The link delay is measured using TWAMP, flooded in the IGP domain, and then reported to the controller through BGP-LS.

Traffic statistics collection
• To determine bandwidth sufficiency and perform traffic optimization, the controller needs to collect interface and tunnel traffic statistics in real time.
• Mainstream traffic statistics collection technologies include SNMP, telemetry, and NetStream.

• Different collection protocols may be used in different solutions. For example, PCEP is used to collect TE tunnel information on Huawei MPLS networks, and BGP SR Policy is used to collect TE tunnel information on SRv6 networks.
Network Optimization Computation
⚫ Network optimization computation refers to the computation of global or local optimal paths based on service requirements through the corresponding algorithms.
⚫ When computing paths, the controller needs to ensure that computed paths meet the related constraints. If the constraints cannot be met, the controller retains the original paths. The following table lists some constraints.

Constraint       Description
Priority         This constraint specifies the priorities of different types of tunnels and enables a tunnel with a higher priority to preempt the bandwidth resources of a tunnel with a lower priority.
Bandwidth        This constraint requires paths to be computed based on tunnel bandwidth requirements.
Hop count        This constraint requires paths to be computed based on hop count requirements. For example, the path length of an SR-TE tunnel is limited by the maximum stack depth (MSD) of the ingress node.
Explicit path    This constraint requires paths to be computed in either strict or loose mode. You can specify the links or nodes that are to be included or excluded.
Delay threshold  This constraint requires paths to be computed within the threshold range specified for path computation.
Affinity         This constraint supports the include-all, include-any, and exclude modes.

Computation results (paths meeting the constraints): least-cost path, shortest-delay path, bandwidth-balanced path, and maximum-availability path.

• Bandwidth-balanced path: path with more remaining bandwidth among all paths that meet the constraints and have the same cost.
• Maximum-availability path: path with the maximum availability among all paths that meet the constraints.
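The constraint handling described above, as an added example that is not part of the original training material: a small Python path computation that first prunes links failing the bandwidth and explicit-path exclusion constraints, runs Dijkstra on the chosen optimization target (least cost or shortest delay), and then checks the hop count (for example against the ingress MSD) and the delay threshold of the result. If the computed path violates a constraint, the function returns the current path, mirroring the rule that the controller retains the original path. The topology, link metrics, and all names (`Link`, `Constraints`, `compute_path`, `DEMO_LINKS`) are constructed for illustration.

```python
import heapq
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    cost: int              # IGP/TE metric
    delay_ms: float        # measured link delay (e.g. reported via TWAMP/BGP-LS)
    bandwidth_gbps: float  # available bandwidth


@dataclass
class Constraints:
    min_bandwidth_gbps: float = 0.0                          # bandwidth constraint
    max_hops: Optional[int] = None                           # hop count constraint (e.g. ingress MSD)
    max_delay_ms: Optional[float] = None                     # delay threshold
    exclude_nodes: FrozenSet[str] = frozenset()              # explicit path: nodes to exclude
    exclude_links: FrozenSet[FrozenSet[str]] = frozenset()   # explicit path: links to exclude


# Constructed demo topology (not from the original material). Links are bidirectional.
DEMO_LINKS: List[Link] = [
    Link("A", "B", cost=10, delay_ms=5, bandwidth_gbps=10),
    Link("B", "D", cost=10, delay_ms=5, bandwidth_gbps=10),
    Link("A", "C", cost=5, delay_ms=20, bandwidth_gbps=1),
    Link("C", "D", cost=5, delay_ms=20, bandwidth_gbps=1),
    Link("B", "C", cost=1, delay_ms=1, bandwidth_gbps=10),
]

# Optimization targets: the additive link metric that Dijkstra minimizes.
OBJECTIVES: Dict[str, Callable[[Link], float]] = {
    "least_cost": lambda l: l.cost,
    "shortest_delay": lambda l: l.delay_ms,
}


def _adjacency(links: List[Link], c: Constraints) -> Dict[str, List[Tuple[str, Link]]]:
    """Build the adjacency map, pruning links that can never satisfy bandwidth or exclusion constraints."""
    adj: Dict[str, List[Tuple[str, Link]]] = {}
    for l in links:
        if l.bandwidth_gbps < c.min_bandwidth_gbps:
            continue
        if frozenset((l.a, l.b)) in c.exclude_links:
            continue
        if l.a in c.exclude_nodes or l.b in c.exclude_nodes:
            continue
        adj.setdefault(l.a, []).append((l.b, l))
        adj.setdefault(l.b, []).append((l.a, l))
    return adj


def _dijkstra(adj, src: str, dst: str, metric) -> Optional[Tuple[List[str], List[Link]]]:
    """Plain Dijkstra on the pruned graph; returns (node list, link list) or None if unreachable."""
    dist: Dict[str, float] = {src: 0.0}
    prev: Dict[str, Tuple[str, Link]] = {}
    heap: List[Tuple[float, str]] = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:          # stale heap entry
            continue
        for v, l in adj.get(u, []):
            nd = d + metric(l)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = (u, l)
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    nodes, links = [dst], []
    while nodes[-1] != src:
        u, l = prev[nodes[-1]]
        nodes.append(u)
        links.append(l)
    return nodes[::-1], links[::-1]


def compute_path(links: List[Link], src: str, dst: str, objective: str,
                 c: Constraints, current_path: Optional[List[str]]) -> Optional[List[str]]:
    """Return the constrained optimal node list, or current_path when no path meets the constraints."""
    result = _dijkstra(_adjacency(links, c), src, dst, OBJECTIVES[objective])
    if result is None:
        return current_path                      # unreachable under the constraints: retain original
    nodes, path_links = result
    if c.max_hops is not None and len(path_links) > c.max_hops:
        return current_path                      # e.g. SID stack would exceed the ingress MSD
    if c.max_delay_ms is not None and sum(l.delay_ms for l in path_links) > c.max_delay_ms:
        return current_path                      # delay threshold violated
    return nodes


if __name__ == "__main__":
    print(compute_path(DEMO_LINKS, "A", "D", "least_cost", Constraints(), None))
    print(compute_path(DEMO_LINKS, "A", "D", "shortest_delay", Constraints(), None))
    print(compute_path(DEMO_LINKS, "A", "D", "least_cost", Constraints(min_bandwidth_gbps=5), None))
```

Pruning followed by a post-check is deliberately conservative: when the least-cost result exceeds the delay threshold, the code keeps the current path instead of searching for a costlier path that would fit, so a feasible alternative can be missed. Production controllers use CSPF variants or k-shortest-path searches for that; the retain-the-original behaviour is the same as described in the text.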
Optimization Result Delivery
⚫ After the controller computes a network path, you can choose whether to apply the computation result to the network. There are multiple implementation modes for delivering the computation result from the controller to the network devices:

1 NETCONF/YANG
• The controller delivers the computation result to network devices as configurations.
• The YANG model is standardized and provides good compatibility with different vendors.

2 PCEP
• The controller delivers PCEP messages to create or update LSPs.
• The PCEP standard does not define a tunnel model, and vendor-specific protocols cannot interoperate with each other.

3 BGP SR Policy
• The controller uses BGP extensions to deliver tunnels.
• The RFC defines the tunnel model and data packet structure in a unified manner, facilitating product interoperability between different vendors.
Contents

1. Bearer WAN Architecture

2. Bearer WAN Basics

3. VPN Service

4. Network Traffic Optimization

5. SLA

6. Network Reliability

7. Network Management and O&M

New Requirements for Bearer Network SLA Assurance
⚫ An SLA is a formal commitment between a service provider and a customer. In the WAN service field, in addition to basic connectivity requirements, the SLA also focuses on deterministic delay, bandwidth, reliability, and isolation (security).
⚫ Generally, a bearer path carries the traffic of multiple types of services. When different types of service traffic are transmitted on the same path, differentiated bearer needs to be provided based on SLA requirements. Traditional QoS uses statistical multiplexing to set different priorities for specific services to ensure smooth experience of high-priority services. However, QoS falls short of meeting the isolation and deterministic delay requirements.
⚫ Network slicing can divide a bearer network into virtual networks of different service levels and provide dedicated logical channels for services with high quality and security requirements.

QoS requirements: delay, bandwidth, jitter, and packet loss rate
Service requirements: deterministic delay and isolation
⚫ For example, fund settlement services between financial enterprises require high security and stable delay; the file transfer service within an enterprise requires high bandwidth; and enterprise voice services require low jitter.
Slice-based Bearer Network: One Network for Multiple Purposes (Carrying Multiple Services), Lowering Costs
⚫ The IP network uses statistical multiplexing to greatly improve network utilization and reduce per-bit transmission costs. However, statistical multiplexing brings uncertainty to the quality assurance levels of different services. Moreover, it is inappropriate to prepare resources based on the highest SLA requirements to meet the requirements of all types of private lines and customers. The converged bearer network needs to balance multi-service isolation and statistical multiplexing to meet the SLA requirements of each service.
⚫ Slice resource reservation technologies, such as FlexE, channelized sub-interfaces, and QoS queues, can be used to direct services to respective service slices. These slices are isolated from each other and do not affect each other, providing different SLA levels.

Figure: a controller manages a bearer network that is divided into Slice 1 (50 Mbit/s), Slice 2 (50 ms), and a non-slice pipe (for common services).
QoS Channelized Sub-interface FlexE

QoS Overview
⚫ QoS provides differentiated service quality for different applications.
⚫ Generally, QoS provides three service models: best-effort service, integrated service (IntServ), and differentiated service (DiffServ).
⚫ DiffServ is the most widely used QoS model on IP networks.

Three QoS service models:
Best-effort service
• Applications can send any number of packets at any time.
• The network tries its best to send packets and does not provide delay or reliability guarantee.
IntServ
• An application needs to apply for specific services before sending packets.
• The network reserves network resources for the application using a protocol such as RSVP.
DiffServ
• Traffic on the network is divided into multiple classes. A processing behavior is defined for each class, so that each class has a different forwarding priority, packet loss rate, and delay.
• It is most widely used on IP networks.
DiffServ Model-based QoS Components
⚫ DiffServ model-based QoS consists of four components: traffic classification and marking, traffic policing and shaping, congestion management, and congestion avoidance.
 Traffic classification and marking: Dividing data packets into different classes or configuring different priorities for packets is the prerequisite for implementing differentiated services. This component classifies data packets into different types, with each type of traffic being a traffic class. Traffic classification does not change the original data packets. In comparison, marking, which sets different priorities for data packets, changes the original data packets.
 Rate limiting (traffic policing and shaping): This component limits the rate of service traffic. It does this by discarding excess traffic when the service traffic exceeds the rate limit. Traffic policing controls the traffic receiving rate, and traffic shaping controls the traffic sending rate.
 Congestion management: This component buffers packets in queues upon network congestion and determines the forwarding order using a specific scheduling algorithm.
 Congestion avoidance: This component monitors network resource use. When congestion becomes severe, some packets are discarded to prevent network overload.
⚫ Traffic classification and marking is the prerequisite and foundation for implementing differentiated services. Traffic policing, traffic shaping, congestion management, and congestion avoidance are used to control network traffic from different aspects.
QoS Processing Sequence on Huawei Devices
⚫ QoS involves four major components: traffic classification and marking (behavior aggregate classification and multi-field classification), traffic rate limiting (CAR and traffic shaping), congestion management (queue scheduling), and congestion avoidance (drop policy). These four components work in a certain sequence on Huawei devices.

Figure: QoS processing sequence on the uplink and downlink interface boards. Congestion avoidance acts at queue entering and traffic shaping at queue leaving.
Uplink interface board: interface card (receiving optical/electrical signals) → packet forwarding engine (PFE): parsing packets → behavior aggregate classification → multi-field classification → CAR → searching the forwarding table → ... → traffic management (TM): queue entering → scheduling → queue leaving → SFU.
Downlink interface board: the PFE performs behavior aggregate classification, multi-field classification, CAR, obtaining encapsulation information, ..., and encapsulating packets; the TM performs queue entering, scheduling, and queue leaving; the interface card handles the optical/electrical signals.

• For the basic packet forwarding process, see HCIP-Datacom-Core Technology-01 Introduction to Network Devices.
• Behavior aggregate classification: Packets are roughly classified based on the IP precedence or DSCP value of IP packets, TC value of IPv6 packets, EXP value of MPLS packets, and 802.1p value of VLAN packets to identify traffic with different priorities or service levels and implement internal-external priority mapping for the traffic.
• Multi-field classification elaborately classifies packets based on complex rules, such as the 5-tuple (source address, source port number, protocol number, destination address, and destination port number).
• Packet Forwarding Engine (PFE): After a router is powered on, it runs a routing protocol to learn the network topology and generate a routing table. If the interface board registers successfully, the main control board can generate forwarding entries according to the routing table and deliver entries to the interface board. In this manner, the router can forward packets according to the forwarding table. The component that forwards data packets is a chip located on an interface board and is called a packet forwarding engine (PFE).
• Traffic Management (TM): The interface board of a Huawei high-end router has a TM chip, which has a high-speed cache. In the case of congestion, data packets are temporarily stored in the cache in the form of queues. Then, the TM schedules the data packets out of the queue according to certain rules and sends the data packets to the switched network. If the cache capacity is exceeded, packets are discarded based on certain rules.
• Committed access rate (CAR): The CAR ensures that the traffic does not exceed the bandwidth allowed by the inbound or outbound interface. Excess packets are directly discarded. Currently, CAR is used for traffic policing. CAR is implemented by the PFE. CAR can be implemented on the uplink PFE to ensure that the traffic rate does not exceed the bandwidth of the inbound interface. You can also perform CAR on the downlink PFE to ensure that the traffic rate does not exceed the bandwidth of the outbound interface.
• Obtaining encapsulation information: On the downlink interface board, the obtained encapsulation information varies according to the forwarding technology. For example, the destination MAC address is obtained for IP forwarding, and the label information is obtained for MPLS forwarding.
Behavior Aggregate Classification
⚫ Behavior aggregate classification allows a device to roughly classify packets based on simple rules.

Figure: behavior aggregate classification. Uplink direction: the priority in the packet header (802.1p of VLAN packets, MPLS EXP of MPLS packets, and IP precedence or DSCP of IP packets) is mapped to an internal service class and color before the packet enters the SFU. Downlink direction: the service class and color are mapped back to the 802.1p, MPLS EXP, or DSCP value of the outgoing packet.
• External priority (packet header priority): different packets use different QoS priorities.
• Internal priority (service class): the service class of a packet on the device.
• Drop priority (color): the internal drop priority of a packet on the device.
DSCP/IP Precedence/802.1p/EXP Value Mapping

Priorities are listed in descending order.

802.1p  MPLS EXP  IP Precedence  DSCP   Class     DSCP Name
7       7         7              56-63  CS        CS7 (56)
6       6         6              48-55  CS        CS6 (48)
5       5         5              40-47  EF        EF (46)
4       4         4              32-39  AF (AF4)  AF41 (34), AF42 (36), AF43 (38)
3       3         3              24-31  AF (AF3)  AF31 (26), AF32 (28), AF33 (30)
2       2         2              16-23  AF (AF2)  AF21 (18), AF22 (20), AF23 (22)
1       1         1              8-15   AF (AF1)  AF11 (10), AF12 (12), AF13 (14)
0       0         0              0-7    BE        BE (0)
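The mapping in the table above, as an added example that is not part of the original training material: the 6-bit DSCP field is decoded into its IP precedence (the top three bits, which the table maps one-to-one to 802.1p and MPLS EXP), its class group (CS, EF, AF, or BE), and its standard code point name, including the AF drop precedence encoded in bits 2 and 1. Helpers extract the DSCP from an IPv4 ToS or IPv6 Traffic Class byte (whose low two bits are ECN) and map names such as AF41 back to their values. Function names are constructed.

```python
from typing import Dict, Optional

# Class group for each IP precedence value (top three DSCP bits), as in the table.
_CLASS_BY_PRECEDENCE = {7: "CS", 6: "CS", 5: "EF", 4: "AF", 3: "AF", 2: "AF", 1: "AF", 0: "BE"}


def dscp_from_tos(tos_byte: int) -> int:
    """Extract the 6-bit DSCP from an 8-bit IPv4 ToS / IPv6 Traffic Class byte (low 2 bits are ECN)."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    return tos_byte >> 2


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the ToS / Traffic Class byte from a DSCP value and an ECN code point."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def decode_dscp(dscp: int) -> Dict[str, object]:
    """Decode a DSCP value into precedence, default 802.1p/EXP mapping, class group and code point name."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    precedence = dscp >> 3          # IP precedence; the table maps 802.1p and MPLS EXP to the same value
    low = dscp & 0b111              # remaining three bits
    class_group = _CLASS_BY_PRECEDENCE[precedence]
    name: Optional[str] = None
    drop_precedence: Optional[int] = None
    if low == 0:
        name = "BE" if precedence == 0 else f"CS{precedence}"   # class selectors: xxx000
    elif dscp == 46:
        name = "EF"                                             # expedited forwarding: 101110
    elif class_group == "AF" and low in (2, 4, 6):
        drop_precedence = low >> 1                              # AFxy: y = 1 (low), 2 (medium), 3 (high)
        name = f"AF{precedence}{drop_precedence}"
    # Any other value falls in the class group's range but has no standard name (name stays None).
    return {
        "dscp": dscp,
        "precedence": precedence,
        "dot1p": precedence,
        "mpls_exp": precedence,
        "class_group": class_group,
        "af_class": f"AF{precedence}" if class_group == "AF" else None,
        "drop_precedence": drop_precedence,
        "name": name,
    }


def dscp_from_name(name: str) -> int:
    """Map a standard DSCP name (BE, EF, CS1..CS7, AF11..AF43) to its numeric value."""
    n = name.strip().upper()
    if n == "BE":
        return 0
    if n == "EF":
        return 46
    if n.startswith("CS") and len(n) == 3 and n[2] in "1234567":
        return int(n[2]) << 3
    if n.startswith("AF") and len(n) == 4 and n[2] in "1234" and n[3] in "123":
        return (int(n[2]) << 3) | (int(n[3]) << 1)
    raise ValueError(f"unknown DSCP name: {name}")


if __name__ == "__main__":
    for value in (0, 10, 34, 36, 46, 48, 56, 41):
        print(decode_dscp(value))
```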
Traffic Policing and Traffic Shaping
⚫ Both traffic policing and traffic shaping are traffic rate limiting technologies. The former monitors the incoming traffic of a device and limits the incoming traffic rate to a permitted range. If the traffic rate is too high, excess packets are discarded or the packet priorities are re-set. Traffic shaping controls the rate of outgoing packets, so that packets can be sent at an even rate.
⚫ Both traffic policing and traffic shaping use the token bucket algorithm to evaluate the traffic rate.

Figure: token bucket technology. Tokens are added to a token bucket, which evaluates traffic and determines whether packets meet forwarding conditions. Processing sequence: incoming traffic → traffic classification and marking → traffic policing (CAR) → other processing → congestion management (queue 0 to queue N, with congestion avoidance at queue entering and scheduling at queue leaving) → traffic shaping → outgoing traffic.
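The token bucket behaviour described above, as an added example that is not part of the original training material. One bucket class accrues tokens (bytes) at the CIR up to the CBS; a policer marks a packet green when enough tokens exist and red otherwise (red packets consume no tokens and are dropped or re-marked), while a shaper holds a non-conforming packet in a FIFO and releases it at the time the bucket will have refilled, so the output rate is smoothed instead of clipped. The rates, burst size, packet trace, and class names are constructed.

```python
from typing import List, Tuple


class TokenBucket:
    """Single-rate token bucket: tokens (bytes) accrue at cir_bytes_per_s up to cbs_bytes."""

    def __init__(self, cir_bytes_per_s: float, cbs_bytes: float):
        if cir_bytes_per_s <= 0 or cbs_bytes <= 0:
            raise ValueError("CIR and CBS must be positive")
        self.cir = cir_bytes_per_s
        self.cbs = cbs_bytes
        self.tokens = cbs_bytes   # the bucket starts full, so an initial burst of CBS bytes conforms
        self.last = 0.0           # time of the last refill, in seconds

    def refill(self, now: float) -> None:
        """Add tokens for the elapsed time, never exceeding the bucket size."""
        if now > self.last:
            self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.cir)
            self.last = now


class Policer(TokenBucket):
    """Traffic policing (CAR): non-conforming packets are marked red; nothing is delayed."""

    def police(self, arrival: float, size: int) -> str:
        self.refill(arrival)
        if self.tokens >= size:
            self.tokens -= size
            return "green"
        return "red"   # out of profile: dropped or re-marked; no tokens are consumed


class Shaper(TokenBucket):
    """Traffic shaping: non-conforming packets are buffered (FIFO) and released when tokens exist."""

    def __init__(self, cir_bytes_per_s: float, cbs_bytes: float):
        super().__init__(cir_bytes_per_s, cbs_bytes)
        self.last_departure = 0.0

    def shape(self, arrival: float, size: int) -> float:
        """Return the departure time of the packet."""
        t = max(arrival, self.last_departure)      # FIFO: a packet cannot overtake its predecessor
        self.refill(t)
        if self.tokens < size:
            t += (size - self.tokens) / self.cir   # wait until enough tokens have accrued
            self.refill(t)
        self.tokens = max(0.0, self.tokens - size)
        self.last_departure = t
        return t


# Constructed trace of (arrival time in seconds, packet size in bytes).
DEMO_PACKETS: List[Tuple[float, int]] = [(0.0, 1000), (0.0, 1000), (0.5, 600), (1.0, 1000), (2.0, 1000)]


def police_trace(packets: List[Tuple[float, int]], cir: float = 1000.0, cbs: float = 1500.0) -> List[str]:
    """Colour of each packet under a policer with the given CIR (bytes/s) and CBS (bytes)."""
    policer = Policer(cir, cbs)
    return [policer.police(t, size) for t, size in packets]


def shape_trace(packets: List[Tuple[float, int]], cir: float = 1000.0, cbs: float = 1500.0) -> List[float]:
    """Departure time of each packet under a shaper with the given CIR and CBS."""
    shaper = Shaper(cir, cbs)
    return [shaper.shape(t, size) for t, size in packets]


if __name__ == "__main__":
    print("policer:", police_trace(DEMO_PACKETS))
    print("shaper: ", shape_trace(DEMO_PACKETS))
```

With a CIR of 1000 bytes/s and a CBS of 1500 bytes, the policer forwards 2600 of the 4600 offered bytes and drops the rest, whereas the shaper forwards all 4600 bytes but the last one leaves at 3.1 s, exactly when the initial burst plus 3.1 s of CIR equals the offered volume.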
Congestion Management and Congestion Avoidance
⚫ Congestion management uses the queuing technology to handle network congestion. It buffers packets in different queues, groups the queues, and applies scheduling algorithms to process packets with different priorities.
⚫ Congestion avoidance is a flow control mechanism used to avoid queue congestion. It monitors the use of queues or memory buffers. When congestion occurs or aggravates, it discards packets newly entering queues to adjust the incoming traffic rate, alleviating network overload.

Queue scheduling algorithms:
• First In First Out (FIFO)
• Strict Priority (SP)
• Weighted Fair Queuing (WFQ)
• ...
Incoming packet drop policy:
• Tail drop
• WRED

Figure: the processing sequence (traffic classification and marking, traffic policing (CAR), other processing, congestion avoidance at queue entering, queue 0 to queue N, scheduling, traffic shaping, outgoing traffic) with congestion management and congestion avoidance highlighted.

• Weighted Random Early Detection (WRED): The system discards packets based on the drop policies configured for data packets or queues with different priorities. WRED is a congestion avoidance mechanism used to discard packets to prevent queues from being congested. For details, see the product documentation for Huawei NetEngine products.
• FIFO: FIFO does not classify packets. FIFO allows packets to be queued and forwarded in the same order as they arrive at an interface.
• SP: Queues are scheduled strictly according to their priorities. Packets in queues with a low priority can be scheduled only after all packets in queues with a higher priority are scheduled.
• WFQ: The egress bandwidth is allocated to each flow according to the queue weight.
• Other scheduling algorithms, such as RR polling, WRR weighted polling, and DRR differential polling, are not described here.
Queue Group Scheduling Sequence
⚫ Each interface has eight queues, which are divided into three groups (PQ, WFQ, and LPQ). Scheduling algorithms can be applied to these queue groups respectively.
⚫ If PQ, WFQ, and LPQ queues use SP scheduling, PQ queues are scheduled first, then WFQ queues, and finally LPQ queues.

Figure: port queue scheduling sequence. PQ queues (queue 1 to queue m) are scheduled by SP, WFQ queues (queue 1 to queue i) by WFQ, and LPQ queues (queue 1 to queue k) by SP; the three groups are then scheduled by SP toward the destination interface. Queue scheduling process: start → is the PQ queue empty? If no, perform a round of PQ scheduling. If yes, is the WFQ queue empty? If no, perform a round of WFQ scheduling. If yes, is the LPQ queue empty? If no, perform a round of LPQ scheduling.

• PQ queue
▫ PQ queues use the SP scheduling algorithm. That is, the packets in the queue with the highest priority are scheduled first. In this way, an absolute priority can be provided for different service data, the delay of delay-sensitive applications such as VoIP can be guaranteed, and the use of bandwidth by high-priority services can be absolutely prioritized.
▫ Disadvantage: If the bandwidth of high-priority packets is not limited, low-priority packets may fail to obtain bandwidth and be scheduled.
▫ Generally, only delay-sensitive services enter PQ queues.
• WFQ queue
▫ WFQ queues are scheduled based on weights. The WFQ scheduling algorithm can be used to allocate the remaining bandwidth based on weights.
• LPQ queue
▫ LPQ is a queue scheduling mechanism implemented on a high-speed link (Ethernet) interface. Low-speed links (such as serial and MP-Group links) do not support LPQ queues.
▫ Similar to PQ queues, SP scheduling is also used between LPQ queues. The difference lies in that PQ queues can preempt the bandwidth of WFQ queues in the case of congestion, whereas LPQ queues cannot do so. After PQ and WFQ queue scheduling is complete, the remaining bandwidth is allocated to LPQ queues.
▫ In actual applications, BE flows can be scheduled into LPQ queues. In this way, when the network load is heavy, BE flows can be completely contained to preferentially meet the requirements of other services.
• All the eight queues on an interface can be configured as WFQ queues, PQ queues, LPQ queues, or a combination of WFQ and LPQ queues.
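The three-group scheduling sequence described above, as an added example that is not part of the original training material: a port scheduler with per-queue group assignment (PQ, WFQ, LPQ) that serves PQ queues by strict priority, WFQ queues by smallest virtual finish time (a simplified packet-level WFQ in which each packet's finish time grows by size/weight), and LPQ queues only when both other groups are empty. Queue entering applies tail drop against a per-queue depth limit, which is the simplest of the drop policies listed on the previous slide. Queue numbers, weights, packet sizes, and all class and function names are constructed; higher queue numbers are treated as higher priority within the SP groups.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Queue:
    group: str                  # "PQ", "WFQ" or "LPQ"
    weight: int = 1             # used only by WFQ queues
    max_depth: int = 64         # tail-drop threshold, in packets
    packets: Deque[int] = field(default_factory=deque)    # packet sizes in bytes
    finish: Deque[float] = field(default_factory=deque)   # WFQ virtual finish time per queued packet
    last_finish: float = 0.0
    dropped: int = 0


class PortScheduler:
    """Eight-queue port model: PQ group (SP) -> WFQ group (weighted) -> LPQ group (SP)."""

    def __init__(self, queues: Dict[int, Queue]):
        self.queues = queues
        self.vtime = 0.0   # WFQ system virtual time, advanced as WFQ packets leave

    def enqueue(self, qid: int, size: int) -> bool:
        """Queue entering with tail drop: returns False when the queue is full."""
        q = self.queues[qid]
        if len(q.packets) >= q.max_depth:
            q.dropped += 1
            return False
        q.packets.append(size)
        if q.group == "WFQ":
            # Virtual finish time: a heavier weight makes finish times grow more slowly,
            # so that queue is selected more often for the same byte volume.
            q.last_finish = max(self.vtime, q.last_finish) + size / q.weight
            q.finish.append(q.last_finish)
        return True

    def _pop(self, qid: int) -> Tuple[int, int]:
        q = self.queues[qid]
        size = q.packets.popleft()
        if q.group == "WFQ":
            self.vtime = q.finish.popleft()
        return qid, size

    def dequeue(self) -> Optional[Tuple[int, int]]:
        """One scheduling decision: (queue id, packet size) or None when every queue is empty."""
        # 1. PQ group: strict priority, highest queue number first.
        for qid in sorted(self.queues, reverse=True):
            if self.queues[qid].group == "PQ" and self.queues[qid].packets:
                return self._pop(qid)
        # 2. WFQ group: the non-empty queue whose head packet has the smallest finish time.
        wfq = [qid for qid, q in self.queues.items() if q.group == "WFQ" and q.packets]
        if wfq:
            return self._pop(min(wfq, key=lambda qid: (self.queues[qid].finish[0], -qid)))
        # 3. LPQ group: only the bandwidth left over after PQ and WFQ, strict priority inside the group.
        for qid in sorted(self.queues, reverse=True):
            if self.queues[qid].group == "LPQ" and self.queues[qid].packets:
                return self._pop(qid)
        return None


def drain(sched: PortScheduler) -> List[Tuple[int, int]]:
    """Run the scheduler until all queues are empty and return the departure order."""
    out: List[Tuple[int, int]] = []
    while True:
        item = sched.dequeue()
        if item is None:
            return out
        out.append(item)


def demo_schedule() -> List[int]:
    """Constructed scenario: one PQ packet, two WFQ queues with 3:1 weights, one LPQ packet."""
    sched = PortScheduler({
        7: Queue("PQ"),              # e.g. protocol or voice packets
        5: Queue("WFQ", weight=3),
        4: Queue("WFQ", weight=1),
        0: Queue("LPQ"),             # e.g. BE traffic, served only when everything else is empty
    })
    for _ in range(4):
        sched.enqueue(5, 1000)
    for _ in range(2):
        sched.enqueue(4, 1000)
    sched.enqueue(0, 1500)
    sched.enqueue(7, 200)            # arrives last but leaves first
    return [qid for qid, _ in drain(sched)]


def demo_tail_drop() -> Tuple[int, int]:
    """Constructed scenario: five packets offered to a queue that holds two."""
    sched = PortScheduler({3: Queue("WFQ", weight=1, max_depth=2)})
    accepted = sum(sched.enqueue(3, 500) for _ in range(5))
    return accepted, sched.queues[3].dropped


if __name__ == "__main__":
    print("departure order by queue:", demo_schedule())
    print("accepted, dropped:", demo_tail_drop())
```

The departure order shows the slide's rule directly: queue 7 leaves first although it was enqueued last, queue 5 receives roughly three departures for each one of queue 4 while both hold packets, and the LPQ packet leaves only after every PQ and WFQ packet is gone.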
WAN QoS Application: Flow Marking
⚫ WAN QoS is mainly applied to WAN links. A WAN link has much lower bandwidth than a local link and is often a congestion point for traffic forwarding. The purpose of deploying QoS on the WAN is to ensure the SLAs of different services.
⚫ It is recommended that CEs or the downstream devices of CEs mark DSCP priorities for service flows on the WAN. Then only behavior aggregate classification needs to be deployed on the VPN access interfaces of PEs.

Figure: a WAN interconnecting data centers in City A and City B and enterprise branches in City C and City D through BR-PEs, WAN-Ps, and BR-CEs. Behavior aggregate classification is deployed on the VPN access interfaces of PEs for different services. Packets are mapped to queues based on DSCP values and then redirected to different tunnels on the WAN. The CE changes the DSCP values of different service flows to complete traffic classification.

• If the CE or the downstream device of the CE does not have the traffic marking capability, deploy multi-field classification on the ingress PE on the bearer WAN to mark traffic for queuing. This, however, affects the forwarding performance of the bearer WAN.
WAN QoS Application: Flow Scheduling
⚫ The WAN's forwarding bottleneck lies in the egress WAN link in each region. For example, remote sites are interconnected through a carrier's MSTP private line, which has limited bandwidth. To prevent service flows from being discarded due to rate limiting after entering WAN links on the carrier network, deploy traffic shaping on egress WAN links to ensure that the traffic entering the carrier's MSTP private line does not exceed the rate limit.
⚫ Properly design QoS policies for enterprises' internal services. For example, deploy high-priority PQ scheduling for core production services or services with high QoS requirements and WFQ scheduling for services insensitive to packet loss and delay (only basic bandwidth for service continuity is needed in this case).

QoS design for an enterprise

Service Type              Importance  Priority  Scheduling Mode
Protocol packet           High        CS7/CS6   PQ
Core service              High        EF        PQ
Video service             High        AF4       PQ
External service          High        AF3       WFQ
Office and test services  Medium      AF2       WFQ
Others                    Low         BE        WFQ
QoS Limitations
⚫ QoS itself cannot solve the congestion problem or provide isolation and deterministic delay assurance for services:
 QoS involves only single-hop behaviors and does not change the network topology.
 QoS does not change service behaviors. If the bursty traffic of a single flow is too heavy, congestion still occurs.
 The number of QoS queues is small, and SLA assurance cannot be provided for specific users. As a result, deterministic delay assurance cannot be provided.
 The QoS mechanism is an experience system for resource management and cannot provide independent resources for users.

Figure: QoS is configured hop by hop. It cannot change forwarding paths, distinguish users, or provide independent resources.
HQoS: Providing Scheduling and Bandwidth Guarantee for Users
⚫ On the basis of QoS, hierarchical quality of service (HQoS) provides finer-grained and more hierarchical scheduling and management of interface resources to implement fine-grained allocation and management of interface resources. Every scheduling queue can provide bandwidth guarantee, but the entire mechanism is based on QoS and cannot meet the deterministic delay and isolation requirements either.

Figure: QoS performs service scheduling on a physical port. HQoS adds user scheduling on top of service scheduling, implementing multi-level service scheduling:
1 Flow queue (FQ)
2 Subscriber queue (SQ)
3 Group queue (GQ)
4 Virtual interface (VI) queue
5 Dummy port queue (DQ)
HQoS: Providing User-Level Bandwidth Guarantee When the CIR of Each Scheduler Does Not Exceed the Upper Limit
⚫ HQoS adds hierarchical schedulers such as SQ, GQ, and VI. Each scheduler has two attributes (CIR and PIR) and uses SP scheduling for flows whose rates are between the CIR and PIR. The CIR is preferentially guaranteed.
⚫ HQoS guarantees bandwidth through strict CIR deduction and shaping. The sum of the CIRs of all schedulers is less than the interface bandwidth.

Figure: HQoS scheduling hierarchy. Packets are classified by 802.1p or DSCP into per-priority queues (CS7, CS6, EF, AF4, AF3, AF2, AF1, BE), each with shaping; the queues are scheduled into SQs (SQ1 to SQ4), the SQs into GQs (GQ1 and GQ2) by DWRR, the GQs into VIs by DWRR, and the VIs into the DP.
Channelized Sub-interfaces Providing Management Entities on the Basis of HQoS to Provide SLA Assurance
⚫ Bandwidth guarantee: Channelized sub-interfaces use HQoS-based hierarchical scheduling to implement flexible and refined resource management. Each channelized scheduling tree has independent buffer resources and bandwidth resources, providing bandwidth guarantee.
⚫ Delay guarantee: Because the resources for channelized sub-interfaces are strictly guaranteed, the delay can be guaranteed within a certain range.
⚫ Channelized sub-interfaces use the HQoS mechanism and exclusively occupy the HQoS VI/GQ scheduling trees and bandwidth to implement strict scheduling isolation.
⚫ Remaining bandwidth of a main interface = Total interface bandwidth – Total bandwidth of all channelized sub-interfaces. Bandwidth is automatically deducted during the channelized sub-interface enabling process, simplifying the HQoS application model.
⚫ Channelized sub-interfaces provide management entities and can work with the controller for resource management and E2E resource reservation, meeting the SLA assurance requirements of P2MP services.

Figure: scheduling tree of a channelized sub-interface (FQ 1-8 → SQ → GQ/VI, 200M) beside the default scheduling tree of the main interface (FQ 1-8 → SQ → GQ/VI, 1000M). Each channelized sub-interface exclusively occupies a VI/GQ queue, and the trees are scheduled by WRR into the DP. Remaining bandwidth of the main interface: 1000M – 200M = 800M.
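The two bandwidth rules from the HQoS slide (the sum of the CIRs of all schedulers must stay within the interface bandwidth, with CIR never above PIR) and from the channelized sub-interface slide (remaining bandwidth = total interface bandwidth minus the bandwidth of all channelized sub-interfaces), as an added example that is not part of the original training material: a validator that walks a scheduler tree (interface → VI → GQ → SQ) and reports every node whose children reserve more CIR than it has, plus a planner that deducts channelized sub-interface bandwidth from the main interface. Interface names, bandwidth figures, and function names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Scheduler:
    """One HQoS scheduling node (interface, VI, GQ or SQ) with CIR/PIR in Mbit/s."""
    name: str
    cir: float
    pir: float
    children: List["Scheduler"] = field(default_factory=list)


def validate_cir_tree(node: Scheduler, errors: Optional[List[str]] = None) -> List[str]:
    """Strict CIR deduction check: CIR <= PIR at every node, and children never reserve more CIR than the parent has."""
    if errors is None:
        errors = []
    if node.cir > node.pir:
        errors.append(f"{node.name}: CIR {node.cir} exceeds PIR {node.pir}")
    child_cir = sum(c.cir for c in node.children)
    if child_cir > node.cir:
        errors.append(f"{node.name}: children reserve {child_cir} Mbit/s CIR but only {node.cir} Mbit/s is available")
    for child in node.children:
        validate_cir_tree(child, errors)
    return errors


def plan_channelized(total_mbps: float, sub_interfaces: Dict[str, float]) -> Dict[str, float]:
    """Deduct channelized sub-interface bandwidth from the main interface (remaining = total - reserved)."""
    reserved = float(sum(sub_interfaces.values()))
    return {
        "reserved": reserved,
        "remaining": total_mbps - reserved,
        "fits": reserved <= total_mbps,   # False means the sub-interfaces cannot all be enabled
    }


def demo_tree() -> Scheduler:
    """Constructed 1000M interface: one VI carries two GQs; GQ1's two SQs over-reserve CIR."""
    return Scheduler("IF-1 (constructed)", cir=1000, pir=1000, children=[
        Scheduler("VI1", cir=800, pir=1000, children=[
            Scheduler("GQ1", cir=500, pir=800, children=[
                Scheduler("SQ1", cir=300, pir=500),
                Scheduler("SQ2", cir=300, pir=500),   # 300 + 300 > GQ1 CIR 500: not guaranteed
            ]),
            Scheduler("GQ2", cir=300, pir=300, children=[
                Scheduler("SQ3", cir=100, pir=300),
            ]),
        ]),
    ])


if __name__ == "__main__":
    for problem in validate_cir_tree(demo_tree()):
        print("CIR violation:", problem)
    # The slide's figure: a 1000M main interface with one 200M channelized sub-interface.
    print(plan_channelized(1000, {"sub-interface 1 (constructed)": 200}))
```

The validator only checks the guaranteed part (CIR); PIR sums are allowed to exceed the parent, because traffic between CIR and PIR is served by SP scheduling out of whatever bandwidth remains rather than being guaranteed.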
FlexE: Delivering Isolation and Deterministic Delay Assurance Based on Independent Resources
⚫ Flexible Ethernet (FlexE) is a new technology introduced between the MAC and PHY layers. It is a lightweight enhanced technology for IP networks and is compatible with the existing Ethernet standard and QoS capabilities.
⚫ It provides isolated FlexE interface links, enabling one network to carry different types of services.
⚫ It provides an independent P2P time division multiplexing (TDM) tunnel for each service, meeting isolation and deterministic delay requirements.

Figure: comparison of QoS and FlexE. With QoS, the IP MAC layer feeds a 100G PHY through QoS scheduling; both the delay and the bandwidth are subject to statistical multiplexing (statistical multiplexing delay, high multiplexing). With FlexE, the FlexE shim divides the 100G PHY by TDM switching into, for example, an 80G IP client that still uses QoS scheduling and statistical multiplexing and 10G clients with their own timeslots, providing deterministic delay with low statistical multiplexing of bandwidth.
Basic FlexE Architecture
⚫ FlexE decouples the MAC layer from the PHY layer by introducing the FlexE shim layer on the basis of IEEE 802.3, thereby providing flexible rates.
⚫ FlexE adopts the client/group architecture and allows client interfaces at different rates to coexist in a FlexE group.

Figure: FlexE clients → FlexE shim → FlexE group (Ethernet PHYs).
• Client: corresponds to various user interfaces on a network. Each FlexE client can flexibly apply for bandwidth from the resource pool of a FlexE group, adjust the bandwidth, and transfer data flows to the FlexE shim layer as 64B/66B encoded bit streams.
• Group: consists of various Ethernet PHY layers defined in IEEE 802.3 and divides the PHY bandwidth into 1G timeslots (supported by Huawei devices) or 5G timeslots.
• Shim: an extra logical layer inserted between the MAC and PHY layers of the traditional Ethernet architecture. It implements key FlexE functions through calendar timeslot distribution.
Comparison of Slicing Technologies
⚫ QoS: All traffic shares eight queues. QoS schedules resources in a unified manner to maximize the statistical multiplexing capability. It cannot differentiate users, and so cannot provide independent resource reservation for different users.
⚫ Channelized sub-interface: Queue resources are isolated. Hierarchical scheduling is used to implement flexible and refined management of interface resources, provide bandwidth guarantee, and work with the controller to provide E2E resource reservation.
⚫ FlexE: Queue and interface resources are isolated. Every resource is divided by TDM timeslot. This meets the requirements for exclusive resource use and resource isolation and provides flexible and refined management of interface resources.

Figure: QoS: one set of eight queues (CS7 to BE) → SQ → GQ → VI → DP in the TM, then MAC → PHY on the PIC. Channelized sub-interface: each channelized sub-interface has its own eight queues → SQ → GQ → VI, converging at the DP in the TM, then MAC → PHY on the PIC. FlexE: each FlexE client has its own eight queues → SQ → DP in the TM, then MAC → FlexE shim → PHY on the PIC.
Slicing Technology Implementation Modes

Interface Name / Usage Scenario and Feature Description

FlexE sub-interface (also called client interface)
• A physical interface in standard Ethernet mode has fixed bandwidth. FlexE, however, can enable one or more physical interfaces to work in FlexE mode and add them to a group. The total bandwidth of this group can be allocated on demand to logical interfaces in the group. The group to which physical interfaces are added is referred to as a FlexE group. The logical interfaces that share bandwidth of the physical interfaces in the FlexE group are called FlexE interfaces (also referred to as FlexE service interfaces).
• FlexE interface bandwidth varies, which allows services to be isolated. Compared with traditional technologies, FlexE technology permits bit-level interface bundling, which solves uneven per-flow or per-packet hashing that challenges traditional trunk technology. In addition, each FlexE interface has a specific MAC address, and forwarding resources between interfaces are isolated. This prevents head-of-line (HOL) blocking that occurs when traditional logical interfaces such as VLAN sub-interfaces are used for forwarding.
• FlexE interface technology especially fits scenarios in which high-performance interfaces are required for converged bearer, such as mobile bearer, home broadband, and private line access. Services of different types are carried on different FlexE interfaces and are assigned bandwidth based on FlexE interfaces. In this way, FlexE achieves service-specific bandwidth control, meeting network slicing requirements in 5G scenarios.

VLAN channelized sub-interface
• A channelized interface can strictly isolate interface bandwidth. A VLAN channelized sub-interface is a channelization-enabled sub-interface of an Ethernet physical interface. Different types of services are carried on different channelized sub-interfaces and assigned bandwidth based on channelized sub-interfaces. This implementation strictly isolates bandwidth among different channelized sub-interfaces on the same physical interface and achieves service-specific bandwidth control, preventing bandwidth preemption among different sub-interfaces.

Ethernet sub-interface
• An Ethernet sub-interface is a virtual interface configured on a main interface and has Layer 3 features. You can configure an IP address for an Ethernet sub-interface to implement inter-VLAN communication. The main interface can be either a physical interface or a logical interface. The sub-interface inherits the physical layer parameters of the main interface but has its own link layer and network layer parameters. You can activate or deactivate the sub-interface, without affecting the performance of the main interface. The change of the main interface status, however, affects the sub-interface.
Network Slicing Solution Example: SRv6 & Slice ID

Figure: slice services 1, 2, and 3 access the network through VLANs on a physical main interface and are mapped to VPN instances VRF1, VRF2, and VRF3, which are carried over slice tunnel 1 (Slice ID 1), slice tunnel 2 (Slice ID 2), and slice tunnel 3 (Slice ID 3) on the service slices; a default slice and the control plane also exist. Forwarding plane packet formats: access side ETH | VLAN | IP Header | Payload (or ETH | VLAN | IP Header | GTP | Payload); SRv6 BE: ETH | IPv6 Header (VPN SID) | HBH Slice ID | IP Header | Payload; SRv6 Policy: ETH | IPv6 Header (VPN SID) | HBH Slice ID | SRH | IP Header | Payload.

⚫ Slice ID description
 Globally unique network slice identifier.
 Corresponds to all forwarding resources on the slice plane.
 The slice ID is carried in packets on the forwarding plane end to end. Each forwarding node matches a set of slice forwarding resources based on the corresponding slice ID hop by hop.
⚫ Simplified configuration
 Leveraging the existing SRv6 network, slices do not require IP address configuration.
 During slice deployment, IGP/BGP configurations do not need to be modified, exerting little impact on the live network.
⚫ Elastic scaling
 Support for 1000+ network slices
 Support for bearer of slices over SRv6 Policies in loose explicit path mode

• Different VLANs are used for service access. Logical interfaces correspond to VPN instances VR1, VRF2, VRF3, ... on the network slice.
• The ingress PE encapsulates the VPN SID and SRv6 Policy information into the service flow on the network slice with the slice ID being 2, and inserts an extension header with the Hop By Hop Slice ID being 2 between the IPv6 header and SRH of each packet.
• Each transit node queries the SRv6 SID in the SRH hop by hop to obtain the physical outbound interface, and then queries the specific "resource reservation" sub-interface of the physical outbound interface based on the slice ID. The Hop By Hop Slice ID remains unchanged throughout this process.
• The egress PE pops the Hop By Hop extension header and forwards the packet to the AC interface of the corresponding VPN instance based on the VPN SID.
• By default, the slice ID is 0, and the IPv6 Hop By Hop extension header does not need to be inserted. The packet format on the forwarding plane is the same as that of traditional L3VPN over SRv6 Policy.
WAN Reliability Overview
⚫ WAN reliability covers two parts: device reliability and network reliability.
⚫ Device reliability: includes router reliability and controller reliability.
 Controller reliability is implemented through cluster deployment and disaster recovery (DR) system deployment.
 Router reliability can be implemented using device features such as non-stop routing (NSR). These features are beyond the scope of this course.
⚫ Network reliability: reduces the impact of link and node faults on services through fast detection and convergence mechanisms at each layer.

• Because different WAN VPN technologies use different terms, this section briefly
describes various protection mechanisms, but does not describe specific
protection technologies.
TE Tunnel Protection Technology Basics
MPLS TE tunnel protection can be provided from two perspectives: local protection and E2E protection. TE tunnels, including MPLS TE tunnels, SR-MPLS TE tunnels, and SR-MPLS Policies can all be protected from the two perspectives, but their technical implementation is slightly different.
E2E protection
⚫ E2E protection: establishes multiple CR-LSPs between the ingress and egress of a tunnel, with each CR-LSP traversing a different path. When detecting that the primary CR-LSP is faulty, the ingress switches traffic to the backup CR-LSP.
⚫ In E2E protection, path switching is slow. Therefore, E2E protection needs to be used with a detection mechanism for fast path switching.
Local protection
⚫ Fast reroute (FRR), also called local protection, is a temporary protection measure. If a transit node/link fails, local protection is triggered. A backup CR-LSP is then established locally for traffic switching. In addition, the tunnel ingress is instructed to recompute a path and switch traffic to the backup path in a timely manner.
[Figure: MPLS TE tunnel from R1 to R2. Path 1 is the primary path (primary CR-LSP) and Path 2 is the backup path. Configuring FRR triggers local protection through a local backup CR-LSP.]

• MPLS TE E2E protection is classified into HSB and ordinary backup. In HSB
protection, the backup path and primary path are created at the same time.
• Segment Routing adopts Topology Independent-Loop Free Alternate (TI-LFA), an
enhancement of FRR, for local protection.
• Fast detection mechanism: Fast detection mechanisms represented by BFD
support fast detection of communication faults between devices.
TI-LFA FRR
⚫ TI-LFA FRR provides link and node protection for SR tunnels. If a link or node fails, traffic is rapidly switched to the backup path.
Limitations of the traditional LFA algorithm
• The traditional LFA algorithm has topological limitations. As shown in the figure, SIP traffic is forwarded to the DIP through R1. If the R1-R3 link fails, R1 forwards the traffic to R2. However, no backup path can be formed before R2 detects the failure.
TI-LFA algorithm
• Using the source routing capability of SR, TI-LFA computes a backup path on each node to protect the failure point. When a node detects a failure, traffic is rapidly switched to the backup path.
• Primary R1-R3 path: 4.4.4.4; segment list: R1, R3
• Backup R1-R3 path: 4.4.4.4; segment list: R1, R2, R4, R3
[Figure: square topology R1-R2-R4-R3 shown twice (traditional LFA on the left, TI-LFA on the right), with SIP 1.1.1.1 entering at R1 and DIP 4.4.4.4 reached through R3. Link costs of 10 and 100 are marked on the links.]

• In a distributed network architecture, each device independently calculates paths, and there is no consensus on the shortest path when a fault occurs. As a result, traditional LFA cannot form a backup path.
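The loop-free check that fails for R2 in the slide above, and the P-space/Q-space computation with which TI-LFA builds a segment list around the failed link, as an added example (not part of the Huawei course material). Link costs are assumed because the extraction does not say which link carries which value: R1-R2 = 10, R1-R3 = 10, R3-R4 = 10, R2-R4 = 100.

```python
"""Added example (not from the Huawei course material): classic LFA check and a
minimal TI-LFA backup computation on the square topology of the TI-LFA FRR slide.
Assumed costs: R1-R2 = 10, R1-R3 = 10, R3-R4 = 10, R2-R4 = 100 (the slide marks
10 and 100 but the extraction does not say which link is which)."""
import heapq

# Constructed topology: undirected links with symmetric costs.
LINKS = {("R1", "R2"): 10, ("R1", "R3"): 10, ("R3", "R4"): 10, ("R2", "R4"): 100}

def graph(links, failed=None):
    """Adjacency map; 'failed' is an (a, b) link left out of the graph."""
    adj = {}
    for (a, b), cost in links.items():
        if failed and {a, b} == set(failed):
            continue
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj

def spf(adj, src):
    """Dijkstra: returns (distance, predecessor) maps from src."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj.get(u, {}).items():
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    return dist, prev

def path(prev, src, dst):
    """Rebuild the shortest path src..dst from the predecessor map."""
    hops = [dst]
    while hops[-1] != src:
        hops.append(prev[hops[-1]])
    return hops[::-1]

def classic_lfa_ok(links, s, d, n):
    """Traditional LFA loop-free condition: dist(N,D) < dist(N,S) + dist(S,D).
    False means N would send the traffic straight back to S."""
    adj = graph(links)
    dist_n, _ = spf(adj, n)
    dist_s, _ = spf(adj, s)
    return dist_n[d] < dist_n[s] + dist_s[d]

def tilfa_segment_list(links, s, d, failed):
    """Post-convergence path from s to d without 'failed', plus the segment list
    that pins traffic to it: node SIDs while still inside P-space, an adjacency
    SID for the hop that leaves P-space, nothing once a Q-space node is reached."""
    _, prev_post = spf(graph(links, failed), s)
    post = path(prev_post, s, d)
    adj_all = graph(links)
    dist_full, prev_full = spf(adj_all, s)

    def avoids(prev, src, dst):
        hops = path(prev, src, dst)
        return not any({hops[i], hops[i + 1]} == set(failed) for i in range(len(hops) - 1))

    # P-space: nodes whose pre-failure shortest path from S avoids the failed link.
    p_space = {v for v in dist_full if avoids(prev_full, s, v)}
    # Q-space: nodes whose pre-failure shortest path to D avoids the failed link.
    q_space = {v for v in dist_full if avoids(spf(adj_all, v)[1], v, d)}
    segs = []
    for i in range(1, len(post)):
        prev_hop, hop = post[i - 1], post[i]
        if prev_hop in q_space:
            break                                 # plain SPF reaches D from here
        if hop in p_space:
            segs.append(("node", hop))            # reachable by normal SPF from S
        else:
            segs.append(("adj", prev_hop, hop))   # force this specific link
    return post, segs

if __name__ == "__main__":
    print("R2 usable as classic LFA for R1->R3:", classic_lfa_ok(LINKS, "R1", "R3", "R2"))
    print(tilfa_segment_list(LINKS, "R1", "R3", ("R1", "R3")))
```

With the assumed costs R2 fails the classic check (its shortest path to R3 runs back through R1), while TI-LFA yields the post-convergence path R1-R2-R4-R3 encoded as the node SID of R2 followed by the R2-R4 adjacency SID.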
Limitations of E2E Protection
⚫ Technologies such as HSB can protect E2E paths, but cannot rectify faults on PEs.
⚫ In this example, a TE tunnel with both primary and backup paths is established between PE1 and PE2. If PE2 is faulty, the backup path cannot solve the problem.
[Figure: CE1 - PE1 - P1 - P2 - PE2 - CE2 is the primary path of the MPLS TE tunnel and PE1 - P3 - P4 - PE2 its backup path; PE3 also connects to CE2.]
VPN FRR
⚫ VPN FRR sets the primary and backup forwarding paths pointing to the active and standby PEs on the remote PE in advance. It works with fast PE fault detection to accelerate fault-triggered E2E service convergence in scenarios where a CE is dual-homed to two PEs.
[Figure: CE1 - PE1 - P1 - P2 - PE2 - CE2 is the primary path of tunnel 1 and PE1 - P3 - P4 - PE2 its backup path; tunnel 2 from PE1 through P3 and P4 to PE3 is the VPN FRR backup path (primary path of tunnel 2).]
IP FRR
⚫ If the link between PE2 and CE2 fails but PE2 still functions properly, the tunnel between PE1 and PE2 is still available. In this case, E2E tunnel switching is not required. PE2 selects PE3 as the backup next hop. If the link between PE2 and CE2 or CE2 fails, IP FRR is implemented to rapidly switch IP traffic.
⚫ IP FRR is applicable to the IP network between CEs and PEs.
[Figure: same tunnel 1 / tunnel 2 layout as the VPN FRR slide, with CE2 attached to PE2 and CE3 attached to PE3; IP FRR on PE2 switches traffic toward PE3 when the PE2-CE2 link fails.]
Summary: Multi-Level Network Protection
⚫ To sum up, different protection measures are taken to ensure tunnel reliability based on the locations of faults on E2E paths.
⚫ From the perspective of E2E forwarding paths, it is recommended that multi-level protection be used:
 Protection against CE access faults
 Protection against faults on the intermediate links and nodes of tunnels
 Tunnel egress protection
 Protection against remote CE faults
[Figure: E2E path CE1 - PE1/PE2 - P1/P3 - P2/P4 - PE3/PE4 - CE2/CE3, with each protection level mapped to its segment of the path.]
Contents
1. Bearer WAN Architecture
2. Bearer WAN Basics
3. VPN Service
4. Network Traffic Optimization
5. SLA
6. Network Reliability
7. Network Management and O&M
WAN Management and O&M
⚫ Among mainstream WAN solutions provided by different vendors, the SDN solution is preferred. The SDN controller centrally manages and delivers WAN services to forwarders.
⚫ In Huawei's solution, the controller not only provides "control" functions, but also provides "management" and "analysis" functions.
[Figure: controller (management + control + analysis) above ingress, transit, transit and egress nodes, connected to them through NETCONF and through Telemetry, SNMP and BGP-LS.]
Network analysis
• The AI algorithm is used to obtain network analysis results based on massive amounts of network performance and monitoring data.
Network collection/management (NETCONF; Telemetry, SNMP, BGP-LS)
• Multiple protocols and channels are used to collect network configuration data, performance data, and monitoring data.
• Efficient network configuration management is provided.
Network measurement (TWAMP, iFIT)
• Network performance indicators, such as the delay, jitter, and packet loss rate, are measured.

• This figure does not show protocols related to tunneling and traffic statistics collection.
SNMP
[Figure: NMS (SNMP server), e.g. iMaster NCE, communicating over SNMP with the SNMP agent process and MIB of a managed device (SNMP client), e.g. router, switch...]
SNMP overview
• Simple Network Management Protocol (SNMP) is a network management standard widely used on TCP/IP networks.
• It provides a method for managing devices through a central computer that runs network management software, known as a network management station (NMS).
• By employing the "network management over networks" mode, SNMP implements efficient and batch network device management. In addition, SNMP enables unified management of network devices of different types and from different vendors.
NETCONF
SNMP's drawbacks
• SNMP is not a configuration-oriented protocol. On a large-sized network with a complex topology, SNMP cannot meet network management requirements, especially the configuration management requirements.
[Figure: NMS (NETCONF client), e.g. iMaster NCE, communicating over NETCONF with a managed device (NETCONF server) whose data model is described in YANG.]
NETCONF overview
• The Network Configuration Protocol (NETCONF) provides a mechanism for the NMS to communicate with network devices.
• To be specific, the network administrator can use this mechanism to add, modify, and delete the configurations of network devices as well as obtain the configurations and status of network devices.
• NETCONF uses a YANG file to describe the data model of a device. A YANG file has a more hierarchical structure than a MIB file.
Telemetry
⚫ Telemetry, also known as network telemetry, is mainly used to monitor networks, including packet check and analysis, intrusion and attack detection, intelligent data collection, and application performance management. Generally, it is used together with NETCONF. The analyzer analyzes the data collected by telemetry and then instructs the controller to automatically modify device configurations based on analysis results.
Advantages of telemetry:
 Is developed based on the YANG model.
 Collects a wide variety of data with high precision to fully reflect network status.
 Continuously reports data with only one-time data subscription.
 Locates faults rapidly and accurately.
[Figure: analyzer, collector and controller above a network device with a YANG model; the device uploads data to the collector through subsecond telemetry, and the controller delivers configuration to the device through NETCONF.]
BGP-LS
⚫ BGP-LS introduces new NLRI into BGP. The NLRI carries link, node, topology prefix, and other information, and is also referred to as the link state NLRI.
 BGP-LS can aggregate network-layer topology, bandwidth, delay, and other information and send the information to the controller for path computation.
[Figure: network devices report topology, bandwidth and delay information to the controller over BGP-LS.]
BGP-LS aggregates information collected by various network layer protocols, including:
⚫ IGP: IGP information of each AS
⚫ TWAMP: measurement information, such as interface delay
⚫ TE: TE information, such as bandwidth
⚫ SR: SR information, such as SR labels
TWAMP
⚫ Two-Way Active Measurement Protocol (TWAMP) measures the two-way delay, jitter, and packet loss rate between devices on an IP network. It performs negotiation over a TCP connection and uses UDP data packets as measurement packets.
[Figure: TWAMP communication model. Test plane: Session-Sender and Session-Reflector exchange test packets. Control plane: Control-Client and Server exchange control messages.]
 Control-Client: establishes, starts, and stops a test session and also collects statistics.
 Server: responds to the Control-Client's request for establishing, starting, or stopping a test session.
 Session-Sender: proactively sends probes for performance statistics after being notified by the Control-Client.
 Session-Reflector: replies to the probes sent by the Session-Sender with response probes after being notified by the Server.

• TWAMP Light is a lightweight version of TWAMP defined based on standard protocols. Compared with TWAMP, TWAMP Light simplifies the control protocol used to establish performance measurement sessions.
TWAMP Light
⚫ As the light version of TWAMP, TWAMP Light eliminates the necessity of the TWAMP-Control protocol, and moves the control plane from the Responder to the Controller so that TWAMP control modules can be centrally deployed on the Controller. Therefore, TWAMP Light greatly relaxes its requirements on the Responder performance, allowing the Responder to be rapidly deployed.
 The Control-Client, Server, and Session-Sender are deployed on the same host and function as the Controller. Therefore, the control session establishment process in the standard architecture can be ignored in the performance detection process. The Session-Reflector is deployed on another host as the Responder.
[Figure: Controller (Server, Control-Client, Session-Sender) and Responder (Session-Reflector) with no control plane negotiation; only TWAMP test packets are exchanged.]
1. The Controller sends test packets to the Responder, and the Responder functions as the Session-Reflector to reflect the test packets.
2. The Session-Reflector does not need to learn Session status. After receiving the test packets, the Session-Reflector copies the necessary information, generates a test packet sequence number and timestamp, and returns the test packets to the Controller.
3. Upon receiving the reflected test packets, the Controller collects the indicators in both path directions.

• The standard TWAMP version uses TCP for control plane negotiation, and test packets are based on UDP. The reflector needs to know the session status so that devices of different vendors can communicate with each other.
• TWAMP Light does not involve control plane negotiation, and test packets are also based on UDP. The implementation and configuration are simple, and the reflector does not need to know the session status.
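The three-step TWAMP Light exchange above, simulated end to end as an added example (not Huawei's code): a stateless Session-Reflector that copies the sender's sequence number and timestamp and adds its own, and a Controller that derives two-way delay, jitter and loss from the reflected packets. The timestamps are constructed sample values in microseconds, and the reflector field names are this example's own.

```python
"""Added example (not from the Huawei material): a TWAMP Light style session in
Python. The Controller is the Session-Sender, the Responder a stateless
Session-Reflector. Timestamps below are constructed values in microseconds."""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class TestPacket:
    """What the reflector returns: the sender's sequence number and send time
    copied from the probe, plus the reflector's receive time, its own sequence
    number and its send time."""
    sender_seq: int
    sender_ts: int          # t1: probe leaves the Session-Sender
    reflector_rx_ts: int    # t2: probe arrives at the Session-Reflector
    reflector_seq: int
    reflector_ts: int       # t3: reflected packet leaves the Session-Reflector

class SessionReflector:
    """Keeps no session state, only its own outgoing sequence counter."""
    def __init__(self) -> None:
        self._seq = 0

    def reflect(self, sender_seq: int, sender_ts: int, rx_ts: int, tx_ts: int) -> TestPacket:
        pkt = TestPacket(sender_seq, sender_ts, rx_ts, self._seq, tx_ts)
        self._seq += 1
        return pkt

def two_way_delay(p: TestPacket, rx_ts: int) -> int:
    """Round trip (t4 - t1) minus the time spent inside the reflector (t3 - t2)."""
    return (rx_ts - p.sender_ts) - (p.reflector_ts - p.reflector_rx_ts)

def summarize(sent: int, received: List[Tuple[TestPacket, int]]) -> dict:
    """Session indicators from (reflected packet, t4 arrival time) pairs.
    Loss is judged by sender sequence numbers that never came back."""
    delays = [two_way_delay(p, t4) for p, t4 in received]
    jitter = (sum(abs(a - b) for a, b in zip(delays, delays[1:])) / (len(delays) - 1)
              if len(delays) > 1 else 0.0)
    return {
        "sent": sent,
        "received": len(received),
        "loss_rate": (sent - len(received)) / sent,
        "avg_delay_us": sum(delays) / len(delays) if delays else None,
        "max_delay_us": max(delays) if delays else None,
        "jitter_us": jitter,
        "lost_seqs": sorted(set(range(sent)) - {p.sender_seq for p, _ in received}),
    }

def run_session() -> dict:
    """Constructed session of 5 probes; probe 2 is lost on the forward path,
    so the reflector never sees it and the Controller gets nothing back."""
    reflector = SessionReflector()
    # (seq, t1, t2, t3, t4); None marks a probe that never reached the reflector.
    timeline = [
        (0, 1_000_000, 1_004_000, 1_004_050, 1_008_100),
        (1, 1_100_000, 1_104_200, 1_104_260, 1_108_500),
        (2, 1_200_000, None, None, None),
        (3, 1_300_000, 1_303_900, 1_303_940, 1_307_900),
        (4, 1_400_000, 1_404_100, 1_404_140, 1_408_300),
    ]
    received = []
    for seq, t1, t2, t3, t4 in timeline:
        if t2 is None:
            continue
        received.append((reflector.reflect(seq, t1, t2, t3), t4))
    return summarize(len(timeline), received)

if __name__ == "__main__":
    for key, value in run_session().items():
        print(f"{key}: {value}")
```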
TWAMP Application Scenarios
⚫ With TWAMP, NEs do not need to generate or maintain IP network performance statistics. The performance management system can easily obtain statistics about the entire network by managing only the TWAMP clients initiating statistics collection requests. In this way, IP performance statistics are collected quickly and flexibly.
⚫ TWAMP is used on enterprise WANs to measure the delay, jitter, and packet loss rate between any two nodes, providing a reference for troubleshooting and traffic optimization.
[Figure: performance management system (Controller) above R1 and R2, with steps 1, 2 and 3 marked.]
1. The Controller instructs network devices to establish performance measurement sessions. For example, R1 functions as the Control-Client to initiate IP performance measurement.
2. R1 and R2 initiate a TWAMP measurement session.
3. R1 reports the measurement result to the Controller.
iFIT
Traditional out-of-band measurement principles (ping, traceroute, TWAMP...)
[Figure: test packets from the ingress to the egress follow a test packet path that differs from the actual traffic path.]
• Test packets are not actual service data and may be transmitted along different paths.
Traditional out-of-band measurement principles (Y.1731, Y.1711...)
[Figure: sampled packets between the ingress and egress; a segment KPI per hop and one E2E KPI.]
• Only pipe-based detection is available. Service-level detection is not supported.
• Packets are sent at intervals, and the sampling precision is low.
iFIT
[Figure: the ingress colors service packets in alternating periods T1 and T2 and records timestamp t1; the egress does the same and records timestamp t2; both report through telemetry to the controller. The color bit sequence 1 1 1 0 0 0 1 1 1 0 0 marks the alternating coloring periods.]
• Link delay = Receiving time of the local node – Sending time of the upstream node
• Packet loss location: Telemetry reports information about each node and compares the information to obtain the packet loss location.
• Per-flow: Service packets are checked to reflect the actual service path and delay information.
• Per-packet: Packets are checked one by one, accurately reflecting service packet loss.

• iFIT measures E2E service packets to obtain performance indicators of an IP network, such as the packet loss rate and delay. iFIT adds a color flag to the packet header in the service flow. Telemetry is used to periodically collect information. Features such as E2E delay measurement and packet loss measurement are supported.
iFIT for VPN over SRv6 Scenario
⚫ Basic SRv6 scenario:
 The ingress inserts the SRH between the IPv6 header and payload. The SRH carries the SRH basic header and iFIT extension header.
 SRv6-capable nodes can report iFIT statistics in either E2E or hop-by-hop mode.
 A node that does not support SRv6 but supports IPv6 forwarding can properly forward service packets carrying iFIT information.
[Figure: PE1 - P1 - P3 - PE2, with VRF 100 and End.DT4 SID B::1:1:D100 on PE2; each node reports to iMaster NCE-IP through telemetry. The packet on every hop is ETH | IPv6 (DA B::1:1:D100) | SRH basic header | iFIT (E2E/Trace) | payload; the CE-side packet is ETH | payload.]

• An End.DT4 SID (PE endpoint SID) identifies an IPv4 VPN instance on a network.
• For MPLS packets, the iFIT header is inserted between the MPLS label and MPLS payload.
iFIT for SRv6 Policy Scenarios
⚫ In an SRv6 Policy scenario:
 The iFIT extension header is encapsulated into the Optional TLV field of the SRH.
 SRv6-capable nodes can report iFIT statistics in either E2E or hop-by-hop mode.
 A node that does not support SRv6 but supports IPv6 forwarding can properly forward service packets carrying iFIT information.
[Figure: PE1 - P1 - P3 - PE2, with VRF 100 and End.DT4 SID B::1:1:D100 on PE2; each node reports to iMaster NCE-IP through telemetry. The packet on each hop is ETH | IPv6 (DA P1, then P3, then PE2) | SRH basic header with segment list (PE2, P3, P1) and SL=2, SL=1, SL=0 respectively | iFIT (E2E/Trace) | payload.]
iFIT-based Service Path Display
⚫ In each measurement period, a device reports the flow direction, interface number, and TTL information when reporting packet statistics.
⚫ iMaster NCE-IP restores the path information of the flow based on the information reported by each node.
⚫ The implementation is independent of the tunnel type (SRv6/SRv6 Policy/SR-MPLS TE/SR-MPLS BE/MPLS...).
[Figure: path restoration by iMaster NCE-IP. R1 reports TTL=255, R2 TTL=254, R4 TTL=253 and R6 TTL=252, with interfaces GE 1/0/0 and GE 1/0/2 reported on R2 and R4; R3 and R5 are not on the path.]
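The two iFIT computations described on the preceding slides, path restoration from per-node TTL reports and per-segment loss and delay from coloring-period counters and timestamps, as an added example (not from the Huawei material). The report layout, flow IDs, interface names, counts and timestamps are constructed for this example; a real telemetry collector would supply equivalent fields from its own schema.

```python
"""Added example (not from the Huawei material): offline processing of per-hop
iFIT reports. Every record below is constructed; a real collector would map its
own telemetry fields onto the same shape."""
from collections import defaultdict

def rep(node, iface, ttl, period, count, ts_us, flow=7):
    """One constructed report: colored-packet count a node saw in a coloring
    period, the TTL of those packets, and the timestamp (microseconds) of the
    period's first colored packet."""
    return {"node": node, "flow": flow, "iface": iface, "ttl": ttl,
            "period": period, "count": count, "ts_us": ts_us}

REPORTS = [
    rep("R1", "GE1/0/0", 255, 1, 1000, 10_000),
    rep("R2", "GE1/0/0", 254, 1, 1000, 10_120),
    rep("R4", "GE1/0/0", 253, 1,  998, 10_310),
    rep("R6", "GE1/0/2", 252, 1,  998, 10_400),
    rep("R1", "GE1/0/0", 255, 2, 1200, 20_000),
    rep("R2", "GE1/0/0", 254, 2, 1200, 20_110),
    rep("R4", "GE1/0/0", 253, 2, 1200, 20_300),
    rep("R6", "GE1/0/2", 252, 2, 1195, 20_420),
    rep("R3", "GE1/0/1", 254, 1, 50, 10_500, flow=9),   # a different flow
]

def restore_path(reports, flow):
    """Order the nodes that reported the flow by decreasing TTL: each hop
    decrements TTL by one, so the ingress reports the highest value."""
    seen = {r["node"]: r["ttl"] for r in reports if r["flow"] == flow}
    return [node for node, _ in sorted(seen.items(), key=lambda kv: -kv[1])]

def per_period(reports, flow):
    """period -> {node: report} for one flow."""
    table = defaultdict(dict)
    for r in reports:
        if r["flow"] == flow:
            table[r["period"]][r["node"]] = r
    return table

def segment_stats(reports, flow):
    """Per coloring period, compare consecutive hops on the restored path:
    lost = upstream count - downstream count (same colored packets counted at
    both ends), delay = downstream timestamp - upstream timestamp.
    A hop missing from a period is skipped so the other segments still compute."""
    path = restore_path(reports, flow)
    out = []
    for period, by_node in sorted(per_period(reports, flow).items()):
        hops = [n for n in path if n in by_node]
        for up, down in zip(hops, hops[1:]):
            a, b = by_node[up], by_node[down]
            out.append({"period": period, "segment": f"{up}->{down}",
                        "lost": a["count"] - b["count"],
                        "delay_us": b["ts_us"] - a["ts_us"]})
    return out

def locate_loss(stats):
    """Segments that dropped packets, summed across periods."""
    totals = defaultdict(int)
    for s in stats:
        totals[s["segment"]] += s["lost"]
    return {seg: n for seg, n in totals.items() if n > 0}

if __name__ == "__main__":
    print(restore_path(REPORTS, 7))
    for s in segment_stats(REPORTS, 7):
        print(s)
    print(locate_loss(segment_stats(REPORTS, 7)))
```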
iFIT-based Fault Locating
⚫ Path aggregation is performed based on the physical topology, end nodes of poor-QoE services, and the built-in AI algorithm of iMaster NCE-IP to determine the minimum area that causes poor service quality, helping further locate and demarcate faults.
[Figure: iMaster NCE-IP above R1 to R6. Service 1, service 2 and service 3 share the path R1 - R3 - R5 - R6, on which iFIT is enabled for service 1.]
1. Find out poor-QoE services, such as services 1 to 3, on the entire network.
2. Intelligently compute the common paths of the three services.
3. Select a service for iFIT-based fault detection. Service 1 is used as an example here.
4. Determine the faulty device R5 based on per-hop iFIT measurement.
Quiz
1. (True or False) An SR Policy is identified by <headend, color, endpoint> and contains multiple candidate paths. ( )
A. True
B. False
2. (Multiple-answer question) Which of the following are WAN bearer technologies? ( )
A. SR-MPLS
B. SRv6
C. MPLS LDP
D. MPLS TE

1. A
2. ABCD
Summary
⚫ This course introduces the concepts and principles of the enterprise bearer WAN's typical architecture, bearer technologies, VPN services, traffic optimization, SLA, reliability, and network management and analysis. To introduce these key aspects, this course uses a large enterprise with three data centers in two cities and multiple branches in different regions as an example.
⚫ On a real production network, engineers need to determine the network architecture and technical applications based on the live network conditions and enterprises' services.

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Segment Routing
Foreword
⚫ Segment Routing (SR) is designed to forward data packets on a network using the source routing model.
⚫ This document describes the source routing model of SR, segment definition, differences between SR-MPLS and SRv6, and scenario-specific SR-MPLS applications for Huawei NetEngine series routers.
Objectives
⚫ On completion of this course, you will be able to:
 Describe the background of SR.
 Describe the technical advantages of SR.
 Describe the basic concepts involved in SR.
 Describe the forwarding fundamentals of SR.
 Master basic SR-MPLS configurations.
Contents
1. Segment Routing Overview
2. Segment Routing Fundamentals
3. Segment Routing Tunnel Protection and Detection Technologies
4. Typical Usage Scenarios of Segment Routing
5. Basic Configurations of Segment Routing
Problems in MPLS LDP and RSVP-TE
[Figure: the same R1, R2, R3, R4 topology shown once for MPLS LDP and once for RSVP-TE.]
MPLS LDP
• LDP itself does not have the path computation capability and requires an IGP for path computation.
• Both the IGP and LDP need to be deployed for the control plane, and devices need to exchange a large number of packets to maintain neighbor relationships and path states, wasting link bandwidth and device resources.
• If LDP-IGP synchronization is not achieved, data forwarding may fail.
RSVP-TE
• RSVP-TE configuration is complex and load balancing is not supported.
• To implement TE, devices need to exchange a large number of RSVP packets to maintain neighbor relationships and path states, wasting link bandwidth and device resources.
• RSVP-TE uses a distributed architecture, so that each device only knows its own state and needs to exchange signaling packets with other devices.

• In essence, MPLS is a tunneling technology used to guide data forwarding and has complete tunnel creation, management, and maintenance mechanisms. For the preceding mechanisms, networks are driven by network operation and management requirements, not by applications.
Service-Driven Network: Services Define the Network Architecture
⚫ The development of 5G and cloud services has changed the attributes and scope of network connections. More requirements are raised on connections, such as requiring better SLA guarantee, deterministic latency, or more information to be carried in packets.
⚫ In this situation, the model that requires networks to adapt to services cannot keep up with rapid service development and even complicates network deployment and maintenance.
⚫ To address this issue, the service-driven network model can be used, so that the network architecture is defined by services. Specifically, after an application raises requirements (e.g. latency, bandwidth, and packet loss rate), a controller is used to collect information (e.g. network topology, bandwidth usage, and latency) and compute an explicit path according to the requirements.
[Figure: download service (high bandwidth), video service (low latency) and voice service (low packet loss rate) driving a service-driven network.]

• Traditionally, IP data packet forwarding is implemented based on IP addresses reachable to the destination over the shortest path. To meet the reliability requirements of services such as voice, online gaming, and video conferencing, the FRR technology is introduced. To meet the high bandwidth requirements of private line services such as group customer services, the TE technology is introduced. These technologies all represent network adaptation to services.
• The increasing types of services pose a variety of network requirements. For example, real-time Unified Communications and Collaboration (UC&C) applications usually prefer paths with low latency and jitter, and big data applications prefer high-bandwidth tunnels with a low packet loss rate. In this situation, the model that requires networks to adapt to services cannot keep up with rapid service development and even complicates network deployment and maintenance.
• The solution to this issue is to enable services to drive networks and define the network architecture. Specifically, after an application raises requirements (e.g. latency, bandwidth, and packet loss rate), a controller is used to collect information (e.g. network topology, bandwidth usage, and latency) and compute an explicit path according to the requirements.
SR Roadmap
⚫ Simplifies protocols and extends existing protocols.
 The extended IGP/BGP supports label distribution. Therefore, LDP is not required on the network, achieving protocol simplification. In addition, devices require only software upgrades instead of hardware replacement, protecting the investment on the live network.
 The source routing mechanism is introduced.
 The specific forwarding policy is instantiated as a label list on the ingress to control the traffic forwarding path.
⚫ Enables networks to be defined by services.
 After an application raises requirements (e.g. latency, bandwidth, and packet loss rate), a controller is used to collect information (e.g. network topology, bandwidth usage, and latency) and compute an explicit path according to the requirements.
[Figure: controller above a service-defined network of R1, R2, R3 and R4 running IGP/BGP.]
SR Solution
⚫ After services raise network requirements (e.g. latency, bandwidth, and packet loss rate), a controller computes an explicit path in a centralized manner and delivers an SR path to carry the services.
[Figure: the controller receives service requirements (data download, video, voice), computes explicit paths and delivers them to the network through PCEP/NETCONF/BGP: a high-bandwidth path, a low-latency path and a low-packet-loss-rate path.]
SR Overview
⚫ SR is designed to forward data packets on a network using the source routing model.
⚫ SR divides a network path into several segments and assigns a segment ID (SID) to each segment and forwarding node. The segments and nodes are sequentially arranged into segment lists to form a forwarding path.
⚫ SR encapsulates segment list information that identifies a forwarding path into the packet header for transmission. After a node receives the packet, it parses the segment list information. If the top SID in the segment list identifies the local node, the node removes the SID and executes the follow-up procedure. Otherwise, the node forwards the packet to the next hop in equal cost multiple path (ECMP) mode.
⚫ SR has the following characteristics:
 Extends existing protocols (e.g. IGP) to facilitate network evolution.
 Supports both controller-based centralized control and forwarder-based distributed control, providing a balance between the two control modes.
 Enables networks to quickly interact with upper-layer applications through the source routing technology.

• https://datatracker.ietf.org/doc/rfc8402/
SR Advantages
Simplified control plane of the MPLS network
• SR uses a controller or IGP to uniformly compute paths and allocate labels, without the need to use tunneling protocols such as RSVP-TE and LDP.
• SR can be directly used in the MPLS architecture, without requiring changes to the forwarding plane.
Efficient TI-LFA FRR protection against path failures
• SR works with remote loop-free alternate (RLFA) FRR to provide efficient topology-independent loop-free alternate (TI-LFA) FRR.
• TI-LFA FRR offers node and link protection for all topologies, addressing the weakness in traditional tunnel protection technologies.
Enhanced network capacity expansion capability
• MPLS TE is a connection-oriented technology. To maintain connection states, devices need to exchange and process numerous keepalive packets, straining the control plane.
• SR can control any service path by merely performing label operations for packets on the ingress. It does not require transit nodes to maintain path information, thereby freeing up the control plane. Moreover, the SR label quantity is the sum of the node quantity and local adjacency quantity on the entire network, meaning that it is related only to the network scale, rather than the tunnel quantity or service volume.
Smoother evolution to SDN networks
• As SR is designed based on the source routing model, the ingress controls packet forwarding paths.
• SR can work with the centralized path computation module to flexibly and easily control and adjust paths.
• SR supports both traditional networks and SDN networks and is compatible with existing devices, ensuring smooth evolution to SDN networks.
Contents
1. Segment Routing Overview
2. Segment Routing Fundamentals
3. Segment Routing Tunnel Protection and Detection Technologies
4. Typical Usage Scenarios of Segment Routing
5. Basic Configurations of Segment Routing
Basic Concept Fundamentals SR-MPLS BE SR-MPLS TE SR-MPLS Policy
Basic Concept: Segment
⚫ A segment represents an instruction to be executed by a node for a received data packet, and the instruction is encapsulated in the packet header.
⚫ For example:
 Instruction 1: Forward the packet to R4 over the shortest path (ECMP supported).
 Instruction 2: Forward the packet through GE0/0/2 of R4.
 Instruction 3: Forward the packet to R8 over the shortest path.
[Figure: R1 connects through R2 or R3 to R4, which connects through R5 or R6 and R7 to R8. Instruction 1 leads to R4, instruction 2 exits R4 through GE0/0/2, and instruction 3 leads to R8.]
Basic Concept: Segment ID
⚫ Segment IDs (SIDs) identify segments. The SID format depends on the specific technical implementation. For example, SIDs can be MPLS labels, indexes in an MPLS label space, or IPv6 addresses.
⚫ A segment list is an ordered list of one or more SIDs.
⚫ For example:
 Instruction 1 (400): Forward the packet to R4 over the shortest path (ECMP supported).
 Instruction 2 (1046): Forward the packet through GE0/0/2 of R4.
 Instruction 3 (800): Forward the packet to R8 over the shortest path (ECMP supported).
[Figure: same R1 to R8 topology with SID 400 for R4, SID 1046 for GE0/0/2 of R4, and SID 800 for R8.]

• The label values used in this course are only examples. For details about the label allocation scope, see the corresponding product documentation.
Basic Concept: Source Routing
⚫ Source routing: The source node selects a forwarding path and encapsulates an ordered segment list into a packet. After receiving the packet, other nodes forward it based on the segment list information.
[Figure: R1 encapsulates the segment list 400, 1046, 800 into the packet; the list is reduced to 1046, 800 at R4, to 800 after the packet leaves GE0/0/2 of R4, and the packet reaches R8.]
Basic Concept: Segment Classification
[Figure: R1 (Loopback1 1.1.1.1/32, node SID 100) - 10.1.1.0/24 (prefix SID 16001) - R2 (Loopback1 2.2.2.2/32, node SID 200) - 10.2.2.0/24 (prefix SID 16002) - R3 (Loopback1 3.3.3.3/32, node SID 300); adjacency SIDs 1001 and 1002 on the R1-R2 and R2-R3 adjacencies. Legend: prefix SID, node SID, adjacency SID.]
Category: Prefix segment
Description: Identifies the prefix of a destination address on a network. Generation mode: manual configuration. Prefix segments are propagated to other devices through an IGP. They are visible to and effective on all the devices. Node segments are special prefix segments.
Category: Adjacency segment
Description: Identifies an adjacency on a network. Generation mode: dynamic allocation by the ingress through a protocol. Adjacency segments are propagated to other devices through an IGP. They are visible to all the devices but effective only on the local device.
Note: SIDs are identified in the same way in the following parts.
Basic Concept: Prefix Segment
[Figure: R1 (Loopback1 1.1.1.1/32, node SID 100) - 10.1.1.0/24 (prefix SID 16001) - R2 (Loopback1 2.2.2.2/32, node SID 200) - 10.2.2.0/24 (prefix SID 16002) - R3 (Loopback1 3.3.3.3/32, node SID 300). A prefix segment is similar to the destination address in an IP route.]
Prefix Segment
• Identifies the prefix of a destination address on a network. Prefix segments are propagated to other devices through an IGP. They are visible to and effective on all the devices.
• Prefix segments are identified using prefix SIDs.
• A prefix SID is an offset value within the Segment Routing global block (SRGB) range advertised by the advertising end. The receiving end calculates the actual label value based on its own SRGB to generate an MPLS forwarding entry.
• Node segments are special prefix segments used to identify specific nodes.
• When an IP address is configured as a prefix for a node's loopback interface, the prefix SID of the node is the node SID.
Basic Concept Fundamentals SR-MPLS BE SR-MPLS TE SR-MPLS Policy

Basic Concept: SRGB

Figure: R1, R2, and R3 with SRGBs 16000–17000, 12000–13000, and 20000–21000. R3 advertises index 30 for Loopback1 3.3.3.3/32. The incoming labels are 16000+30=16030 on R1, 12000+30=12030 on R2, and 20000+30=20030 on R3. A packet arriving at R2 with label 12030 is swapped to 20030 before being forwarded to R3; the payload is unchanged.

⚫ Segment Routing global block (SRGB): a set of user-specified global labels reserved for SR-MPLS.
⚫ Each device advertises its SRGB through an extended routing protocol.
⚫ After a node advertises the prefix SID index through an extended routing protocol, each device receiving the index calculates the incoming and outgoing SIDs based on the SRGB.
⚫ In actual deployment, it is recommended that devices use the same SRGB.
⚫ Why is SRGB required?
 SR requires prefix SIDs to be globally valid.
 In MPLS, some label space of a device may be occupied by other protocols, such as LDP. Therefore, a specific space must be specified for global SR labels.

Basic Concept: Adjacency Segment

Figure: R1, R2, and R3 with Loopback1 addresses 1.1.1.1/32, 2.2.2.2/32, and 3.3.3.3/32 and prefix SIDs 100, 200, and 300. Adjacency SID 1001 is shown on the R1-R2 link (10.1.1.0/24) and adjacency SID 1002 on the R2-R3 link (10.2.2.0/24). An adjacency SID is similar to the outbound interface information in an IP route.

Adjacency Segment
• Identifies an adjacency on a network. Adjacency segments are propagated to other devices through an IGP. They are visible to all the devices but effective only on the local device.
• Adjacency segments are identified using adjacency SIDs.
• Adjacency SIDs are local SIDs that are not in the SRGB range.

Intra-AS Propagation of Node SIDs and Adjacency SIDs

⚫ SR-MPLS uses an IGP to advertise topology, prefix, SRGB, and label information. This is achieved by extending the TLVs of protocol packets for the IGP.

Figure: R1, R2, and R3 (Loopback1 1.1.1.1/32, 2.2.2.2/32, and 3.3.3.3/32; prefix SIDs 100, 200, and 300; adjacency SID 1001 on the R1-R2 link 10.1.1.0/24 and 1002 on the R2-R3 link 10.2.2.0/24). The extended IGP (e.g. IS-IS/OSPF) runs between R1 and R2 and between R2 and R3 and propagates the SIDs.


OSPF for SR-MPLS

Name                | Function                                                            | Carried In
SR-Algorithm TLV    | Advertises the algorithm that is used.                              | Type 10 Opaque LSA
SID/Label Range TLV | Advertises the SR-MPLS SID or MPLS label range.                     | Type 10 Opaque LSA
SRMS Preference TLV | Advertises the priority of an NE functioning as an SR mapping server. | Type 10 Opaque LSA
SID/Label Sub-TLV   | Advertises SR-MPLS SIDs or MPLS labels.                             | SID/Label Range TLV; OSPFv2 Extended Prefix TLV and OSPF Extended Prefix Range TLV in OSPFv2 Extended Prefix Opaque LSA; OSPFv2 Extended Link TLV in OSPFv2 Extended Link Opaque LSA
Prefix SID Sub-TLV  | Advertises SR-MPLS prefix SIDs.                                     | OSPFv2 Extended Prefix TLV and OSPF Extended Prefix Range TLV in OSPFv2 Extended Prefix Opaque LSA
Adj-SID Sub-TLV     | Advertises SR-MPLS adjacency SIDs on a P2P network.                 | OSPFv2 Extended Link TLV in OSPFv2 Extended Link Opaque LSA
LAN Adj-SID Sub-TLV | Advertises SR-MPLS adjacency SIDs on a LAN.                         | OSPFv2 Extended Link TLV in OSPFv2 Extended Link Opaque LSA


IS-IS for SR-MPLS

Name                   | Function                                                | Carried In
Prefix-SID Sub-TLV     | Advertises SR-MPLS prefix SIDs.                         | IS-IS Extended IPv4 Reachability TLV-135; IS-IS Multitopology IPv4 Reachability TLV-235; IS-IS IPv6 IP Reachability TLV-236; IS-IS Multitopology IPv6 IP Reachability TLV-237; SID/Label Binding TLV
Adj-SID Sub-TLV        | Advertises SR-MPLS adjacency SIDs on a P2P network.     | IS-IS Extended IS reachability TLV-22; IS-IS IS Neighbor Attribute TLV-23; IS-IS inter-AS reachability information TLV-141; IS-IS Multitopology IS TLV-222; IS-IS Multitopology IS Neighbor Attribute TLV-223
LAN-Adj-SID Sub-TLV    | Advertises SR-MPLS adjacency SIDs on a LAN.             | IS-IS Extended IS reachability TLV-22; IS-IS IS Neighbor Attribute TLV-23; IS-IS inter-AS reachability information TLV-141; IS-IS Multitopology IS TLV-222; IS-IS Multitopology IS Neighbor Attribute TLV-223
SID/Label Sub-TLV      | Advertises SR-MPLS SIDs or MPLS labels.                 | SR-Capabilities Sub-TLV and SR Local Block Sub-TLV
SID/Label Binding TLV  | Advertises the mapping between prefixes and SIDs.       | IS-IS LSP
SR-Capabilities Sub-TLV | Advertises SR-MPLS capabilities.                       | IS-IS Router Capability TLV-242
SR Local Block Sub-TLV | Advertises the range of labels reserved for local SIDs. | IS-IS Router Capability TLV-242
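The table above names the IS-IS sub-TLVs but not their wire format. The decoder below is an added example, not code from the training material or from Huawei: it parses the Prefix-SID and Adj-SID sub-TLVs as encoded in RFC 8667 and shows the one detail that matters for SRGB handling, namely that the V and L flags decide whether the SID field is a 4-octet index (to be added to the receiver's own SRGB base) or a 3-octet absolute label. The sample sub-TLV bytes are constructed by hand, not captured from a device.

```python
"""Decode IS-IS Prefix-SID (type 3) and Adj-SID (type 31) sub-TLVs, RFC 8667.
Added example; the sample bytes below are constructed, not captured."""
import struct

PREFIX_SID_SUBTLV = 3    # inside TLV-135/235/236/237 and the SID/Label Binding TLV
ADJ_SID_SUBTLV = 31      # inside TLV-22/23/141/222/223

# Prefix-SID flag bits (RFC 8667, 2.1.1): R N P E V L
PFX_R, PFX_N, PFX_P, PFX_E, PFX_V, PFX_L = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04
# Adj-SID flag bits (RFC 8667, 2.2.1): F B V L S P
ADJ_F, ADJ_B, ADJ_V, ADJ_L, ADJ_S, ADJ_P = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04


def _decode_sid_field(flags, v_flag, l_flag, body):
    """('label', v) when V and L are both set (3 octets, low 20 bits),
    ('index', v) when both are clear (4-octet index into the SRGB)."""
    if flags & v_flag and flags & l_flag:
        if len(body) != 3:
            raise ValueError("label form must be 3 octets")
        return "label", int.from_bytes(body, "big") & 0xFFFFF
    if not (flags & v_flag) and not (flags & l_flag):
        if len(body) != 4:
            raise ValueError("index form must be 4 octets")
        return "index", struct.unpack("!I", body)[0]
    raise ValueError("V and L flags must be both set or both clear")


def parse_prefix_sid(subtlv):
    """type(1) length(1) flags(1) algorithm(1) SID/index/label(3|4)."""
    t, length = subtlv[0], subtlv[1]
    if t != PREFIX_SID_SUBTLV or len(subtlv) != 2 + length:
        raise ValueError("not a well-formed Prefix-SID sub-TLV")
    flags, algorithm = subtlv[2], subtlv[3]
    kind, value = _decode_sid_field(flags, PFX_V, PFX_L, subtlv[4:])
    return {
        "algorithm": algorithm,
        "node_sid": bool(flags & PFX_N),      # N-flag: the prefix identifies a node
        "no_php": bool(flags & PFX_P),
        "explicit_null": bool(flags & PFX_E),
        kind: value,
    }


def parse_adj_sid(subtlv):
    """type(1) length(1) flags(1) weight(1) SID/label/index(3|4)."""
    t, length = subtlv[0], subtlv[1]
    if t != ADJ_SID_SUBTLV or len(subtlv) != 2 + length:
        raise ValueError("not a well-formed Adj-SID sub-TLV")
    flags, weight = subtlv[2], subtlv[3]
    kind, value = _decode_sid_field(flags, ADJ_V, ADJ_L, subtlv[4:])
    return {
        "ipv6": bool(flags & ADJ_F),
        "backup": bool(flags & ADJ_B),
        "local": bool(flags & ADJ_L),          # adjacency SIDs are normally local labels
        "weight": weight,
        kind: value,
    }


def prefix_sid_to_label(parsed, srgb_base, srgb_size):
    """Incoming label on the receiving node: its own SRGB base plus the index.
    An index outside the node's SRGB cannot be installed."""
    if "label" in parsed:
        return parsed["label"]                 # absolute label, no SRGB arithmetic
    if parsed["index"] >= srgb_size:
        raise ValueError(f"index {parsed['index']} outside SRGB of size {srgb_size}")
    return srgb_base + parsed["index"]


# Constructed samples. Prefix-SID: N-flag set, algorithm 0, index 100 (V/L clear).
SAMPLE_PREFIX_SID = bytes([3, 6, PFX_N, 0]) + (100).to_bytes(4, "big")
# Adj-SID: V and L set, 20-bit local label 1045, weight 0.
SAMPLE_ADJ_SID = bytes([31, 5, ADJ_V | ADJ_L, 0]) + (1045).to_bytes(3, "big")

if __name__ == "__main__":
    p = parse_prefix_sid(SAMPLE_PREFIX_SID)
    print(p, "-> incoming label with SRGB 16000..23999:", prefix_sid_to_label(p, 16000, 8000))
    print(parse_adj_sid(SAMPLE_ADJ_SID))
```

The rejection of a sub-TLV with only one of V/L set, and of an index that does not fit the local SRGB, is what a receiving implementation has to do; a mismatched SRGB size is the usual reason a prefix SID is learnt but no forwarding entry appears.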


Basic Concept: SR Policy


⚫ According to RFC 8402, an SR Policy is an ordered list of segments. In addition, it defines a
framework for SR technologies used to calculate/generate/maintain the segment list and
steer traffic. Currently, SR Policy is the mainstream SR implementation mode.
⚫ Traffic is steered into an SR Policy by the headend. The involved segment list is accurately
encapsulated as a label stack to guide traffic forwarding. It is calculated based on a series of
optimization objectives and constraints, such as latency, affinity, and SRLG. The calculation
can be performed locally or by a controller and then applied to the network.


SR Policy Example

Figure: R1, R2, and R3 with prefix SIDs 100, 200, and 300, adjacency SID 1012 on the R1-R2 link (10.1.1.0/24) and 1002 on the R2-R3 link (10.2.2.0/24). Step 1, traffic steering: traffic entering R1 is steered into the SR Policy, whose segment list is encapsulated as the label stack 100, 1012, 1002, 16002 (top to bottom). Step 2, tunnel-based forwarding: the label stack guides the packet along the path.

SR Policy:
• Can be generated using different modes, such as CLI, NETCONF, PCEP, and BGP SR Policy.
• Contains segment lists to guide traffic steering and forwarding.


Basic Concept: SR-MPLS and SRv6

Figure: the same R1-R2-R3 topology, forwarding an IP packet (SR-MPLS) and an IPv6 packet (SRv6).

SR-MPLS
• Data forwarding plane: based on MPLS
• MPLS labels are used as SIDs.
• Segment list information is encoded as a label stack. The segment to be processed is at the stack top. Once a segment is processed, the corresponding label is removed from the label stack.

SRv6
• Data forwarding plane: based on IPv6
• IPv6 addresses are used as SIDs.
• Segment list information is encoded as a label stack and carried using the IPv6 Segment Routing header (SRH).


Label Stack, Stitching Label, and Stitching Node

Figure, left (label stack): R1 reaches R6 across R2, R3, R4, and R5. The label stack pushed at R1 holds one adjacency label per adjacency along the LSP (the figure shows 1013, 1032, 1024, and 1046).
Figure, right (stitching label and stitching node): the same LSP is split into two label stacks. The first stack (1013, 1032) ends with stitching label 100 at the bottom; the stitching node uses 100 to push the second stack (1024, 1045, 1056) and forwarding continues segment by segment.

Label Stack
• A label stack is an ordered set of labels used to identify a complete LSP.
• Each adjacency label in the label stack identifies an adjacency, and the entire label stack identifies all adjacencies along the LSP.
• During packet forwarding, a node searches for the corresponding adjacency according to each adjacency label in the label stack, removes the label, and then forwards the packet. After all the adjacency labels in the label stack are removed, the packet traverses the entire LSP and reaches the tunnel destination.

Stitching Label and Stitching Node
• If the label stack depth exceeds the maximum depth supported by forwarders, the controller needs to allocate multiple label stacks to the forwarders and a special label to an appropriate node to stitch these label stacks, thereby implementing segment-by-segment forwarding.
• This special label is called a stitching label, and this appropriate node is called a stitching node. The controller allocates a stitching label to the stitching node and pushes it to the bottom of the label stack.


How Are SIDs Used?

⚫ Combining prefix (node) and adjacency SIDs in sequence can construct any network path.
⚫ Every hop on a path identifies the next hop based on the top SID in the label stack.
⚫ SID information is stacked in sequence at the top of the data header.
⚫ If the top SID identifies another node, the receive node forwards the data packet to that node in ECMP mode.
⚫ If the top SID identifies the local node, the receive node removes the top SID and proceeds with the follow-up procedure.
⚫ In real-world applications, prefix segments and adjacency segments can be used separately or together.


Scenario 1: Prefix Segment-based Forwarding Path

Figure: R1 reaches R2 (Loopback1 2.2.2.2/32, prefix SID 100) over two paths: an upper path whose links have cost 1 and 1 (the path with the minimum cost) and a lower path whose links have cost 10 and 10.

A prefix segment-based forwarding path is computed by an IGP using the SPF algorithm.
1. After the prefix SID (100) of R2 is propagated using an IGP, all devices in the IGP domain learn the SID.
2. R1 is used as an example (the implementation for other devices is similar). It runs SPF to compute the shortest path to R2.
Prefix segment-based forwarding paths are not fixed, and the ingress cannot control the entire packet forwarding path.


Scenario 2: Adjacency Segment-based Forwarding Path

Figure: R1 reaches R2 (Loopback1 2.2.2.2/32) over a strict path. R1 pushes the segment list as the label stack 1023, 1034, 1056, 1078 (top to bottom). Each node pops the top adjacency label and forwards over that adjacency, so the stack shrinks to 1034, 1056, 1078, then 1056, 1078, then 1078, and the packet reaches R2 with the stack empty.

An adjacency segment is allocated to each adjacency on the network, and a segment list containing multiple adjacency segments is defined on the ingress.

This method can be used to specify any strict explicit path, facilitating SDN implementation.


Scenario 3: Adjacency Segment+Node Segment-based Forwarding Path

Figure: R1 reaches R2 (Loopback1 2.2.2.2/32, prefix SID 100) with a label stack that mixes adjacency SIDs (1023, 1034) and node SIDs (101, and 100 for R2). The adjacency labels pin the first hops; once node SID 101 is at the top of the stack, the packet follows the SPF shortest path to that node, and the remaining label 100 then takes it along the shortest path to R2.

Adjacency and node segments can be used together. An adjacency segment can be specified to force a path to traverse an adjacency. A node segment is resolved by SPF: the node processing it forwards along the shortest path to the node that the segment identifies, and that shortest path supports ECMP.
Paths established in this mode are not strictly fixed, and therefore, they are also called loose explicit paths.


SR-MPLS BE

Figure: R1, R2, and R3 on the top row and R4, R5, and R6 on the bottom row. R6 has node SID 606 and is attached to 6.6.6.0/24. A packet entering R1 carries the single label 606.

• In SR-MPLS best effort (BE) mode, SIDs are used to guide data forwarding over the shortest path.
• In this example, node SID 606 of R6 is used to instruct data to be forwarded over the shortest path to R6. The shortest path is computed through a routing protocol and supports ECMP.
• SR-MPLS BE is a new solution that replaces the LDP+IGP solution.


SR-MPLS TE

Figure: the same topology as on the SR-MPLS BE slide. A packet entering R1 carries the label stack 202, 1025, 606 (top to bottom): node SID 202 of R2, adjacency SID 1025 of the R2-R5 adjacency, and node SID 606 of R6 (6.6.6.0/24).

⚫ In SR-MPLS TE mode, multiple SIDs are combined to guide data forwarding based on constraints, thereby meeting traffic engineering requirements.
⚫ Methods of combining SIDs:
 Combine multiple node SIDs.
 Combine multiple adjacency SIDs.
 Combine node and adjacency SIDs, as shown in the figure.


SR-MPLS BE LSP
⚫ An SR-MPLS BE LSP is a label forwarding path established using the SR technology. It uses a prefix or node segment to guide packet forwarding.
⚫ An SR-MPLS BE LSP is the optimal SR LSP computed by an IGP using the SPF algorithm.
⚫ The creation and data forwarding of SR-MPLS BE LSPs are similar to those of LDP LSPs. SR-MPLS BE LSPs do not have tunnel interfaces.

Figure: R1, R2, R3, and R4 in a row with SRGBs 20000-65535, 30000-65535, 40000-65535, and 50000-65535. R4 advertises prefix index 100 for Loopback1 4.4.4.4/32, and each node advertises the prefix SID and its SRGB to its upstream neighbor. Resulting labels: R1 incoming 20100, outgoing 30100; R2 incoming 30100, outgoing 40100; R3 incoming 40100, outgoing 50100; R4 incoming 50100.


SR-MPLS BE LSP Creation

⚫ LSP creation involves the following operations:
 Network topology reporting (required only in controller-based LSP creation) and label allocation
 Path computation
⚫ SR-MPLS BE LSPs are created primarily based on prefix labels. Specifically, the destination node runs an IGP to advertise a prefix SID. After receiving the packet carrying the SID, forwarders parse the packet to obtain the SID and compute label values based on their own SRGBs. Then, using the IGP-collected topology information, each node runs the SPF algorithm to compute a label forwarding path, and delivers the computed next hop and outgoing label (OuterLabel) information to the forwarding table to guide data packet forwarding.

Figure: the same R1-R2-R3-R4 topology as on the previous slide (SRGBs 20000–65535, 30000–65535, 40000–65535, and 50000–65535; R4 advertises prefix SID 100 for Loopback1 4.4.4.4/32). Incoming/outgoing labels: R1 20100/30100, R2 30100/40100, R3 40100/50100, R4 incoming 50100.


Data Forwarding Process

⚫ Push: When a packet enters an LSP, the ingress adds a label between the Layer 2 and IP headers of the packet or adds a new label on top of the existing label stack.
⚫ Swap: After receiving a packet forwarded within the SR domain, a node uses the label allocated by the next hop to replace the top label according to the label forwarding table.
⚫ Pop: When a packet leaves the SR domain, the egress searches for the outbound interface according to the top label in the packet and then removes the top label.

Figure: R1, R2, R3, and R4 (SRGBs 20000–65535, 30000–65535, 40000–65535, and 50000–65535; index 100 for Loopback1 4.4.4.4/32). R1 pushes label 30100, R2 swaps it to 40100, R3 swaps it to 50100, and R4 pops it before delivering the packet.
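The SRGB slide, the SR-MPLS BE LSP slides and the push/swap/pop description above all come down to one rule: every node's label for a prefix is its own SRGB base plus the advertised index, and the outgoing label is the next hop's base plus the same index. The script below is an added example, not code from the training material or from Huawei; it builds the per-node entries for the R1-R4 example (SRGBs and index 100 from the slide, the linear next-hop chain assumed from the figure) and then replays the push/swap/pop operations on a packet, refusing an index that does not fit a node's SRGB.

```python
"""Derive SR-MPLS BE label forwarding entries from per-node SRGBs and a prefix index,
then replay push/swap/pop along the path. Added example; values from the slide."""

# SRGB (base, last) per node, as on the slide
SRGB = {
    "R1": (20000, 65535),
    "R2": (30000, 65535),
    "R3": (40000, 65535),
    "R4": (50000, 65535),
}
# IGP next hop toward 4.4.4.4/32 on each node: linear topology, assumed from the figure
NEXT_HOP = {"R1": "R2", "R2": "R3", "R3": "R4", "R4": None}


def local_label(node, index):
    """Incoming label = this node's own SRGB base + the advertised index.
    An index that does not fit in the node's SRGB cannot be installed; with
    differently sized SRGBs this is the usual cause of a broken BE LSP."""
    base, last = SRGB[node]
    if index < 0 or base + index > last:
        raise ValueError(f"{node}: index {index} does not fit SRGB {base}-{last}")
    return base + index


def build_lsp(ingress, index):
    """Walk from the ingress to the prefix owner and return one entry per node:
    incoming label, label operation (push/swap/pop) and outgoing label."""
    entries = []
    node = ingress
    while node is not None:
        nh = NEXT_HOP[node]
        in_label = local_label(node, index)
        if nh is None:
            op, out_label = "pop", None                 # egress owns the prefix
        elif node == ingress:
            op, out_label = "push", local_label(nh, index)
        else:
            op, out_label = "swap", local_label(nh, index)
        entries.append({"node": node, "in": in_label, "op": op, "out": out_label})
        node = nh
    return entries


def simulate_packet(entries):
    """Apply the operations in order and return the label stack seen on each link."""
    stack, on_wire = [], []
    for e in entries:
        if e["op"] == "push":
            stack.append(e["out"])
        elif e["op"] == "swap":
            if stack[-1] != e["in"]:
                raise RuntimeError(f"{e['node']}: expected {e['in']}, got {stack[-1]}")
            stack[-1] = e["out"]
        else:                                           # pop at the egress
            if stack.pop() != e["in"]:
                raise RuntimeError(f"{e['node']}: egress label mismatch")
        on_wire.append(list(stack))
    return on_wire


if __name__ == "__main__":
    lsp = build_lsp("R1", 100)
    for e in lsp:
        print(e)
    print(simulate_packet(lsp))
```

Because each node recomputes the label from its own SRGB, the same index yields 20100, 30100, 40100 and 50100 on the four nodes, which is exactly why the swap operation is needed when SRGBs differ and why the slides recommend one common SRGB.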


Traffic Engineering
⚫ Traffic engineering (TE) is one of the most important network services. The traditionally popular TE technology is based on MPLS and therefore is called MPLS TE. It can accurately control the path through which traffic passes, maximizing bandwidth utilization.

Path Planning: Different paths are planned for different services.
Traffic Optimization: When traffic is unbalanced due to major events, traffic is evenly distributed to idle links.
Fault Protection: Fast protection switching is performed in the case of a device or link fault.


Traditional Distributed MPLS TE Architecture

⚫ MPLS TE uses the distributed architecture, in which the ingress computes paths according to constraints and uses RSVP-TE signaling to establish constraint-based LSPs.
⚫ MPLS nodes are used to maintain a complete TE architecture through four components: information advertisement component, path computation component, path establishment component (or signaling component), and packet forwarding component.

Figure: a network device with four components: (1) the information advertisement component (IS-IS/OSPF), which fills the LSDB and the TE database; (2) the path selection component (IGP computation and LSP computation); (3) the LSP establishment component (signaling, RSVP); (4) the packet forwarding component, between the entering and the leaving packet.

1. The extended IS-IS/OSPF carries TE information, advertises IGP and TE information in the domain, and generates a TEDB.
2. The CSPF algorithm is used to compute a path that meets constraints based on the TEDB.
3. RSVP-TE is used to establish LSPs.
4. Data is forwarded based on MPLS labels.


Centralized SR-MPLS TE Architecture

⚫ Segment Routing-MPLS Traffic Engineering (SR-MPLS TE) is a new TE tunneling technology that uses SR as the control protocol. SR-MPLS TE supports the centralized architecture, in which the controller collects global network topology and TE information, computes paths in a centralized manner, and delivers path computation results to network devices.
⚫ SR-MPLS TE also supports manual configuration.

Figure: the controller holds (1) an information collection component (BGP-LS) that builds a global TE database, (2) a centralized path computation component, and (3) a signaling component (PCEP/BGP). The network device holds an information advertisement component (IS-IS/OSPF), a local TE database, an information reporting component, a signaling component, and (4) the packet forwarding component between the entering and the leaving packet.

Centralized SR-MPLS TE:
1. The extended IS-IS/OSPF carries TE information, advertises IGP and TE information in the domain, and generates a TEDB.
2. BGP-LS is used to collect network information and establish a global TE database.
3. The controller globally computes paths based on constraints.
4. PCEP or BGP SR Policy is used to deliver path computation results to devices.


Comparison Between SR-MPLS TE and RSVP-TE

Label allocation
  SR-MPLS TE: Labels are allocated and propagated using IGP extensions. Each link is allocated with only one label. All LSPs traversing a link share the label of this link, reducing label resource consumption and the workload in label forwarding table maintenance.
  RSVP-TE: Labels are allocated and propagated using RSVP extensions. Each LSP is allocated with a label. When there are multiple LSPs, multiple labels need to be allocated to the same link, occupying a large number of label resources and increasing the workload of maintaining the label forwarding table.

Control plane
  SR-MPLS TE: IGP extensions are used for signaling control, reducing the number of required protocols.
  RSVP-TE: RSVP-TE needs to be used as the MPLS control protocol, complicating the control plane.

Scalability
  SR-MPLS TE: As transit nodes are unaware of tunnels and use packets to carry tunnel information, they only need to maintain forwarding entries instead of tunnel state information, enhancing scalability.
  RSVP-TE: Tunnel state information and forwarding entries need to be maintained, resulting in poor scalability.

Path adjustment and control
  SR-MPLS TE: Transit nodes are unaware of tunnels. The service path can be controlled only by performing label operations on the packet sent from the ingress, eliminating the need of hop-by-hop configuration delivery. If a node in the path fails, the controller re-computes a path and updates the label stack of the ingress to complete path adjustment.
  RSVP-TE: Configurations need to be delivered node by node regardless of whether the path is adjusted in normal or fault scenarios.


SR-MPLS TE: Network Topology Collection

Network Topology Collection Using an IGP
Figure: the controller takes part in the IGP with R1, R2, and R3 (top row) and R4, R5, and R6 (bottom row).
The IGP configured on forwarders is used to collect network topology information, SR adjacency labels, and node labels.

Network Topology Reporting Using BGP-LS
Figure: R1 to R6 run the IGP among themselves; a forwarder reports to the controller over BGP-LS.
BGP-LS is used to report TE information and network topology information with SR labels to the controller.


• For SR-capable IGP instances, all IGP-enabled outbound interfaces are allocated with SR adjacency labels, which are propagated to the entire network through an IGP.
• In Huawei's early solutions, an IGP can also be used to collect network topology information. Due to IGP area-related restrictions, BGP-LS is mainly used at present.

SR-MPLS TE: Label Allocation

Figure: the controller is connected to R1 over BGP-LS; R1, R2, and R3 (top row) and R4, R5, and R6 (bottom row) run the IGP. R4 allocates adjacency label 1045 to its interface GE0/0/1 toward R5; label 1054 is shown for the reverse direction on GE0/0/2.

⚫ In SR-MPLS TE, labels are allocated through the IGP configured on forwarders and reported to a controller through BGP-LS.
⚫ SR-MPLS TE mainly uses adjacency labels and can also use node labels.
⚫ Adjacency labels are allocated by the ingress, and are valid locally and unidirectional.


Label Allocation Example

Figure: the same topology as on the previous slide (controller, BGP-LS to R1, IGP among R1 to R6; adjacency label 1045 on R4's GE0/0/1 toward R5 and 1054 for the reverse direction on GE0/0/2). R4's resulting label forwarding entry:
Label | Outbound Interface | Next Hop
1045  | GE0/0/1            | R5

⚫ IGP SR is enabled on each device. For SR-capable IGP instances, all IGP-enabled outbound interfaces are allocated with SR adjacency labels.
⚫ Adjacency labels are propagated to the entire network through an IGP SR extension.
⚫ Taking R4 as an example, the process of label allocation through an IGP is as follows:
 1. R4 allocates a local dynamic label to an adjacency through an IGP. For example, adjacency label 1045 is allocated to the R4->R5 adjacency.
 2. R4 propagates the adjacency label to the entire network through the IGP.
 3. R4 generates a label forwarding entry corresponding to the adjacency label.
 4. Other nodes learn the R4-propagated adjacency label through the IGP but do not generate label forwarding entries.
• Other devices allocate and propagate adjacency labels in the same way as R4 and generate label forwarding entries. BGP-LS is used to report TE information and network topology information with SR labels to the controller.


SR-MPLS TE LSP Creation

⚫ SR-MPLS TE tunnels are created using the SR protocol based on TE constraints. The figure shows two LSPs working in primary/backup mode. The two LSPs correspond to the same SR-MPLS TE tunnel with a specified ID.

Figure: an SR-MPLS TE tunnel from R1 to R2 with Path 1 as the primary path and Path 2 as the backup path.

⚫ SR-MPLS TE tunnel creation involves tunnel attribute configuration and tunnel establishment.


• Before SR-MPLS TE tunnel creation, IS-IS/OSPF neighbor relationships must be established between forwarders to implement network layer connectivity, allocate labels, and collect network topology information. In addition, the forwarders need to report label and network topology information to a controller for path computation. If no controller is available, CSPF can be enabled on the ingress of the SR-MPLS TE tunnel so that forwarders can compute paths using CSPF.

SR-MPLS TE Tunnel Attribute Configuration

⚫ SR-MPLS TE tunnel attributes must be configured before tunnel establishment. An SR-MPLS TE tunnel can be configured on a controller or forwarder.
⚫ Tunnel configuration on a controller: After an SR-MPLS TE tunnel is configured on a controller, the controller uses NETCONF to deliver tunnel attributes to a forwarder, which then uses PCEP to delegate the tunnel to the controller for management.
⚫ Tunnel configuration on a forwarder: After an SR-MPLS TE tunnel is configured on a forwarder, the forwarder delegates the tunnel to the controller for management.

Manual Configuration of a Tunnel with an Explicit Path
[R1] interface tunnel1
[R1-Tunnel1] ip address unnumbered interface LoopBack0
[R1-Tunnel1] tunnel-protocol mpls te
[R1-Tunnel1] destination 3.3.3.3
[R1-Tunnel1] mpls te tunnel-id 1
[R1-Tunnel1] mpls te signal-protocol segment-routing
[R1-Tunnel1] mpls te path explicit-path p1    # A path is manually specified.

NETCONF-based Tunnel Configuration Delivery by a Controller
[R1] interface tunnel1
[R1-Tunnel1] ip address unnumbered interface LoopBack0
[R1-Tunnel1] tunnel-protocol mpls te
[R1-Tunnel1] destination 3.3.3.3
[R1-Tunnel1] mpls te tunnel-id 1
[R1-Tunnel1] mpls te signal-protocol segment-routing
[R1-Tunnel1] mpls te pce delegate    # The tunnel is delegated to the PCE server.

SR-MPLS TE tunnels are established and managed using tunnel interfaces. As such, you need to configure a tunnel interface on the ingress of each SR-MPLS TE tunnel.


• For SR-MPLS TE tunnel configuration on a forwarder, in addition to manually specifying an explicit path, you can also use the function of path computation by the ingress.

SR-MPLS TE Tunnel Establishment (Path Computation by the Controller)

Figure: the controller is connected to R1 over NETCONF, BGP-LS, and PCEP and delivers the label stack 1023, 1034, 1056, 1078 (top to bottom) to R1. At each hop the top label is removed (1034, 1056, 1078 remain at the second node, 1056, 1078 at the third, and 1078 at the fourth) until the packet reaches R2.

If a configured service (e.g. VPN service) needs to be bound to an SR-MPLS TE tunnel, the tunnel can be established as follows:
1. Based on SR-MPLS TE tunnel constraints, the controller uses the path computation element (PCE) to compute a path similar to a common TE tunnel and generates a label stack (path computation result).
2. The controller uses NETCONF and PCEP to deliver tunnel configurations and the label stack, respectively, to forwarders.
3. The forwarders establish an SR-MPLS TE tunnel with a specific LSP based on the tunnel configurations and label stack delivered by the controller.

BGP-LS: used by forwarders to report labels and network topology information.
PCEP: used by a controller to deliver a label stack and by forwarders to report LSP states.
NETCONF: used by a controller to deliver tunnel configurations.


Advantages of Controller-based SR-MPLS TE Tunnel Establishment

Figure: the controller uses NETCONF and PCEP to set up a high-bandwidth path for data download and a low-latency path for video.

• Bandwidth calculation and resource reservation are supported.
• The optimal path can be computed from a global perspective.
• The controller can work with applications. After applications raise network requirements, the controller can compute forwarding paths as required, achieving a service-driven network.
• The workload of manual configuration is reduced, facilitating large-scale network deployment.


SR-MPLS TE Data Forwarding

⚫ Forwarders perform label operations on packets according to the label stacks corresponding to a specific SR-MPLS TE tunnel's LSP and search for outbound interfaces hop by hop according to the top label to guide packet forwarding to the destination. Data can be forwarded based on adjacency labels or a combination of node and adjacency labels.
⚫ Forwarding based on adjacency labels
 Forwarding based on adjacency labels is also called strict-path forwarding. The label stack strictly determines the forwarding path and does not support load balancing.
⚫ Forwarding based on a combination of node and adjacency labels
 Forwarding based on a combination of node and adjacency labels is also called loose-path forwarding. When processing node labels, a device can forward packets along the shortest path or perform load balancing because the path is not strictly fixed in this case.


• Currently, the mainstream solution is strict-path forwarding based on adjacency labels.
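The strict-path and loose-path behaviour described on this slide (and in the label stack, scenario 2, scenario 3 and SR-MPLS TE slides earlier) can be made concrete with a small forwarding simulator. It is an added example, not code from the training material or from Huawei. The six-router topology, the node SID numbering (R1=101 ... R6=606) and the adjacency SID numbering (10xy for the Rx->Ry adjacency, so 1025 is R2->R5) are assumptions chosen to match the figures; all links are assumed to have cost 1 and all nodes the same SRGB, so a node label is carried unchanged until its owner pops it. The stack 202, 1025, 606 is the one shown on the SR-MPLS TE slide.

```python
"""Simulate SR-MPLS forwarding of a label stack mixing node SIDs (global, resolved by
SPF, ECMP-capable) and adjacency SIDs (local to one node, one fixed link).
Added example; topology and SID numbering are assumptions, see the lead-in."""
import heapq

LINKS = [("R1", "R2"), ("R2", "R3"), ("R4", "R5"), ("R5", "R6"),
         ("R1", "R4"), ("R2", "R5"), ("R3", "R6")]     # constructed topology
COST = 1                                              # every link, assumed

NODES = sorted({n for link in LINKS for n in link})
NODE_SID = {n: int(n[1]) * 101 for n in NODES}         # R2 -> 202, R6 -> 606
SID_OWNER = {sid: n for n, sid in NODE_SID.items()}
ADJ = {n: {} for n in NODES}                            # node -> {adj SID: neighbor}
for a, b in LINKS:                                     # adjacency SIDs are per direction
    ADJ[a][1000 + int(a[1]) * 10 + int(b[1])] = b
    ADJ[b][1000 + int(b[1]) * 10 + int(a[1])] = a


def spf_next_hops(src, dst):
    """Dijkstra from src; return every equal-cost first hop toward dst (the ECMP set)."""
    neigh = {n: [] for n in NODES}
    for a, b in LINKS:
        neigh[a].append(b)
        neigh[b].append(a)
    dist, first_hops = {src: 0}, {src: set()}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v in neigh[u]:
            nd = d + COST
            via = {v} if u == src else first_hops[u]
            if nd < dist.get(v, float("inf")):
                dist[v], first_hops[v] = nd, set(via)
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                first_hops[v] |= via                   # another equal-cost path
    if dst not in dist:
        raise ValueError(f"{dst} unreachable from {src}")
    return sorted(first_hops[dst])


def forward(ingress, stack):
    """Carry a packet from the ingress until its label stack is empty.
    Returns the nodes visited and, for every node that resolved a node SID,
    how many equal-cost next hops it had (adjacency hops record nothing)."""
    node, stack = ingress, list(stack)
    path, ecmp = [node], []
    while True:
        while stack and stack[0] == NODE_SID[node]:
            stack.pop(0)                               # node SID identifies this node: pop
        if not stack:
            return {"path": path, "ecmp": ecmp}        # stack exhausted: deliver locally
        top = stack[0]
        if top in ADJ[node]:
            stack.pop(0)                               # adjacency SID: pop, use that one link
            node = ADJ[node][top]
        elif top in SID_OWNER:
            hops = spf_next_hops(node, SID_OWNER[top])  # node SID: SPF toward its owner
            ecmp.append((node, len(hops)))
            node = hops[0]                             # a real device hashes the flow over hops
        else:
            raise ValueError(f"{node}: label {top} is neither a node SID nor one of this "
                             "node's adjacency SIDs (adjacency SIDs are local only)")
        path.append(node)
        if len(path) > 2 * len(NODES):
            raise RuntimeError("forwarding loop")


if __name__ == "__main__":
    print("loose (TE slide):", forward("R1", [202, 1025, 606]))
    print("strict:", forward("R1", [1012, 1025, 1056]))
    print("BE, node SID only:", forward("R1", [606]))
```

The BE case shows the ECMP property: R1 has two equal-cost first hops toward R6 and R2 has two more, whereas the strict stack records no ECMP at all. The last failure case, a stack whose top label is an adjacency SID of some other node, is the mistake the adjacency segment slide warns about: adjacency SIDs are visible everywhere but effective only on the node that allocated them.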

SR-MPLS BE and SR-MPLS TE Traffic Steering

⚫ Traffic steering: After an SR tunnel is established, service traffic needs to be steered to it.
⚫ SR-MPLS BE (without tunnel interfaces) traffic steering
 Tunnel policy: Use a tunnel type prioritizing policy to select an SR-BE tunnel.
 Static route: Specify the next hop of a static route as the destination address of an SR-BE tunnel and recurse traffic to the tunnel based on the next hop.
 Recursion based on the next hop of a route: Recurse a public network route (e.g. BGP route) to an SR-BE tunnel based on the route's next hop.
⚫ SR-MPLS TE (with tunnel interfaces) traffic steering
 Tunnel policy: Use a tunnel type prioritizing policy to select an SR-TE tunnel.
 Static route: When configuring a static route, specify the outbound interface of the route as an SR-TE tunnel interface.
 Auto route: Use an SR-TE tunnel as a logical link in IGP route calculation.
 Policy-based routing (PBR): Specify an SR-TE tunnel interface as an outbound interface in the involved clause.


SR-MPLS TE Disadvantages in the Early Stage


⚫ SR-MPLS TE in the early stage inherits the tunnel interface concept of RSVP-TE and uses tunnel
interfaces to implement SR.
[R1] interface tunnel1
[R1-Tunnel1] ip address unnumbered interface LoopBack0
[R1-Tunnel1] tunnel-protocol mpls te
[R1-Tunnel1] destination 3.3.3.3
[R1-Tunnel1] mpls te tunnel-id 1
[R1-Tunnel1] mpls te signal-protocol segment-routing
...

⚫ Using tunnel interfaces to implement SR is simple and easy to understand, but has the following disadvantages:
 Tunnel interfaces and traffic steering are implemented separately, leading to complex traffic steering and
low performance.
 Tunnels need to be configured and deployed in advance, imposing a restriction in scenarios where the tunnel
destination cannot be determined.
 The application scenarios of tunnel interface-based ECMP are limited.


SR Policy Overview
⚫ An SR Policy uses a segment list to specify a forwarding path, without the need to use tunnel
interfaces.
⚫ SR Policies are classified into SR-MPLS Policies and SRv6 Policies based on segments. This document
focuses on SR-MPLS Policies.
⚫ The controller computes paths based on the color attribute that represents SLAs and delivers the
computation results to forwarders to form SR-MPLS Policies. (In this example, the forwarder's tunnel
information is different from SR-TE tunnel information.) According to the color attribute and next hop
of the involved service route, the headend recurses the route to the corresponding SR-MPLS Policy for
service forwarding.
<PE1>display tunnel-info all
Tunnel ID Type Destination Status
----------------------------------------------------------------------------------------
0x0000000001004c4c04 ldp 1.0.0.12 UP
0x000000002900000004 srbe-lsp 1.0.0.12 UP
0x000000000300002001 sr-te 1.0.0.12 UP
0x00000000320000c001 srtepolicy 1.0.0.12 UP
0x000000003400002001 srv6tepolicy FC01::12 UP


• https://datatracker.ietf.org/doc/draft-ietf-spring-segment-routing-policy/
• An SR Policy is a framework that enables instantiation of an ordered list of
segments on a node for implementing a source routing policy with a specific
intent for traffic steering from that node.

SR-MPLS Policy Tuple

⚫ An SR-MPLS Policy is identified by the tuple <headend, color, endpoint>.
⚫ For an SR-MPLS Policy with a specified node, it is identified only using <color, endpoint>.
 Headend: node where an SR-MPLS Policy is originated. Generally, it is a globally unique IP address.
 Color: 32-bit extended community attribute. It is used to identify a service intent (e.g. low latency).
 Endpoint: destination address of an SR-MPLS Policy. Generally, it is a globally unique IP address.
⚫ Color and endpoint are used to identify a forwarding path on the specific headend of an SR-MPLS Policy.
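The recursion step from the SR Policy overview slide, where the headend matches a service route's color and next hop against the <color, endpoint> of its SR-MPLS Policies, is illustrated below. This is an added example, not code from the training material or from Huawei. It decodes the 32-bit color from the BGP Color Extended Community (type 0x03, sub-type 0x0b, as defined in RFC 9012), then looks for a policy keyed by <color, next hop>; the policy names, segment lists, routes and the fallback behaviour (no match leaves the route on its ordinary tunnel) are constructed for illustration.

```python
"""Decode the BGP Color Extended Community and recurse a service route to the
SR-MPLS Policy identified by <color, endpoint> on the headend.
Added example; policies and routes below are constructed."""
import ipaddress
import struct

# Color Extended Community, RFC 9012: Type 0x03 (transitive opaque), Sub-Type 0x0b,
# 2-octet Flags, 4-octet Color Value.
COLOR_TYPE, COLOR_SUBTYPE = 0x03, 0x0B


def encode_color(color, flags=0):
    """Build the 8-octet extended community for a 32-bit color."""
    return struct.pack("!BBHI", COLOR_TYPE, COLOR_SUBTYPE, flags, color)


def decode_color(ext_comm):
    """Return the color carried in an 8-octet extended community, or None when
    the community is of another kind (e.g. a route target)."""
    if len(ext_comm) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    t, st, _flags, color = struct.unpack("!BBHI", ext_comm)
    if (t, st) != (COLOR_TYPE, COLOR_SUBTYPE):
        return None
    return color


class Headend:
    """SR-MPLS Policies instantiated on one headend, keyed by <color, endpoint>;
    the headend itself is implicit, as the tuple slide notes."""

    def __init__(self):
        self.policies = {}

    def add_policy(self, color, endpoint, segment_list):
        key = (color, str(ipaddress.ip_address(endpoint)))
        self.policies[key] = list(segment_list)

    def recurse(self, route):
        """route: {'prefix', 'next_hop', 'ext_communities': [8-octet values]}.
        Returns (policy_key, segment_list), or (None, None) when no SR-MPLS Policy
        matches, in which case the route keeps its ordinary (e.g. SR-MPLS BE) tunnel."""
        colors = [c for c in (decode_color(ec) for ec in route["ext_communities"])
                  if c is not None]
        if not colors:
            return None, None                      # uncolored route: nothing to match
        endpoint = str(ipaddress.ip_address(route["next_hop"]))
        for color in sorted(colors, reverse=True):  # several colors: highest value first
            key = (color, endpoint)
            if key in self.policies:
                return key, self.policies[key]
        return None, None


def steer_all(headend, routes):
    """Map each route prefix to the policy key it recurses to (None if none)."""
    return {r["prefix"]: headend.recurse(r)[0] for r in routes}


# Constructed headend with two policies toward endpoint 3.3.3.3 (segment lists made up)
HEADEND = Headend()
HEADEND.add_policy(100, "3.3.3.3", [1012, 1023])    # e.g. a low-latency intent
HEADEND.add_policy(200, "3.3.3.3", [300])           # e.g. a high-bandwidth intent

# Constructed BGP service routes
SAMPLE_ROUTES = [
    {"prefix": "10.10.0.0/16", "next_hop": "3.3.3.3", "ext_communities": [encode_color(100)]},
    {"prefix": "10.20.0.0/16", "next_hop": "3.3.3.3", "ext_communities": [encode_color(300)]},
    {"prefix": "10.30.0.0/16", "next_hop": "2.2.2.2", "ext_communities": [encode_color(100)]},
    {"prefix": "10.40.0.0/16", "next_hop": "3.3.3.3", "ext_communities": []},
]

if __name__ == "__main__":
    for prefix, key in steer_all(HEADEND, SAMPLE_ROUTES).items():
        print(prefix, "->", key if key else "no SR-MPLS Policy (ordinary tunnel)")
```

Only the first route recurses: the second carries a color with no policy, the third points at an endpoint with no policy for that color, and the fourth carries no color at all. Those three outcomes are the cases to check first when a colored route unexpectedly stays on the BE or LDP tunnel.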


SR-MPLS Policy Standards

⚫ According to RFC draft-ietf-spring-segment-routing-policy, BGP multi-protocol extension supports the BGP SR Policy (SAFI = 73) address family for delivering SR-MPLS Policies:

Figure: the controller connects to the ingress over BGP-LS/BGP SR Policy; a tunnel identified by its color runs from the ingress to the egress.

⚫ The controller uses BGP to deliver a combination of SR SIDs to the ingress. A TE tunnel carrying the policy color and destined for the egress is then created on the ingress.
⚫ If the tunnel needs to be referenced, you can locate the tunnel based on the policy color.


• There are three mainstream methods for SR Policy implementation.


▫ BGP: BGP-LS is used to collect topology information, so that no new
interface protocol needs to be introduced for customer-developed
controllers. BGP SR Policy is used to deliver route information.
▫ PCEP: PCEP is a mature southbound protocol used in SR-MPLS TE scenarios.
However, the tunnel implementation models of vendors are different and
cannot interwork, and the interaction process of PCEP is more complex than
that of BGP. As such, BGP extension is recommended.

▫ NETCONF/YANG: delivers tunnel paths to forwarders as configurations. This


method is not recommended because it delivers configurations in essence
and offers the poorest performance. In a comprehensive solution, NETCONF
is used to deliver configurations other than tunnel configurations.
• For details about SR Policy, see [I-D.ietf-spring-segment-routing-policy].
(https://datatracker.ietf.org/doc/draft-ietf-idr-segment-routing-te-policy/)
SR-MPLS Policy Solution Architecture

⚫ The Huawei SR-MPLS Policy solution architecture involves three key protocols: BGP-LS, BGP SR Policy, and NETCONF.
1. BGP-LS collects information (e.g. tunnel topology, bandwidth, and link latency) and reports it to the controller, which then computes SR Policy paths and displays tunnel status based on the information.
2. BGP SR Policy is used by the controller to deliver SR Policy information (e.g. color, headend, and endpoint).
3. NETCONF is used to deliver other configurations, such as service interfaces and route-policies (with the color attribute).
(Figure: the controller connects to the ingress and egress over 1. BGP-LS, 2. BGP SR Policy, and 3. NETCONF; the tunnel identified by its color runs from the ingress to the egress.)

• BGP-LS connection:
▫ Collects tunnel topology information for SR Policy path computation.
▫ BGP-LS supports the collection of SR Policy status information, based on which the controller displays tunnel status. https://datatracker.ietf.org/doc/draft-ietf-idr-te-lsp-distribution/
▫ BGP-LS supports SRLB information encapsulation and decapsulation, so that the controller can obtain the SRLB information for binding SID allocation. (The backup path of each SR Policy corresponds to a binding SID.)
• BGP SR Policy connection:
▫ The controller delivers SR Policy information to forwarders to generate SR Policies.
▫ BGP routes delivered by the controller carry the color community attribute, and this attribute can be transmitted. The ingress finds a matching BGP route and recurses it to an SR Policy based on the color and endpoint information.
▫ In the SR Policy solution, the path computation constraints of each application need to be planned in a unified manner on the controller based on SLAs, and different colors are used to identify SR Policies. An SR Policy is uniquely identified by <headend, color, endpoint>. The BGP route of services to be steered into an SR Policy needs to carry the corresponding color attribute.
• The Huawei SR-MPLS Policy solution also uses PCEP for tunnel status query.
SR-MPLS Policy Model

⚫ An SR-MPLS Policy can contain multiple candidate paths with the preference attribute. The valid candidate path with the highest preference functions as the primary path of the SR-MPLS Policy, and the valid candidate path with the second highest preference functions as the backup path.
⚫ A candidate path is an SR-MPLS Policy's segment list sent to the headend through PCEP or BGP SR Policy.

SR policy P1 <headend, color, endpoint>
  Candidate-path CP1 <Protocol-Origin, Originator, Discriminator>, Preference 200 (primary path)
    Weight W1, SID-List1 <SID11...SID1i>   (segment list 1)
    Weight W2, SID-List2 <SID21...SID2j>   (segment list 2)
  Candidate-path CP2 <Protocol-Origin, Originator, Discriminator>, Preference 100 (backup path)
    Weight W3, SID-List3 <SID31...SID3i>   (segment list 1)
    Weight W4, SID-List4 <SID41...SID4j>   (segment list 2)

• An SR Policy can contain multiple candidate paths (e.g. CP1 and CP2). Each of the paths is uniquely determined by the triplet <Protocol-Origin, Originator, Discriminator>.
• CP1 is the primary path because it is valid and has the highest preference. The two SID lists of CP1 are delivered to the forwarder, and traffic is balanced between the two paths based on weights. For SID-List <SID11...SID1i>, traffic is balanced according to W1/(W1+W2). In the current mainstream implementation, a candidate path has only one segment list.
Binding SID

⚫ To achieve better scalability, network opacity, and service independence, the binding SID (BSID) mechanism is introduced to SR (RFC 8402, section 5 "Binding Segment"). A BSID can be defined for each candidate path.
⚫ Similar to RSVP-TE tunnels, SR-MPLS TE tunnels can also function as forwarding adjacencies. If an SR-MPLS TE tunnel is used as a forwarding adjacency and an adjacency SID is allocated to it, this SID is called a BSID. A BSID identifies an SR-MPLS TE tunnel.

Static BSID Configuration
sr-te policy P1
 binding-sid 200
 endpoint 5.5.5.5 color 100
Only one BSID can be configured for an SR-MPLS Policy. It can be used for SR-MPLS TE path computation like other types of SIDs.

• Source of BSIDs: SRLB or SRGB
• Each candidate path of an SR Policy has a BSID. The BSIDs of different candidate paths of the same SR Policy are generally the same. The BSIDs of different SR Policies must be different. Generally, the BSID range needs to be planned and cannot be shared with other services.
• The headend of an SR Policy forwards packets over the SR Policy based on the BSID. For example, when the headend receives a packet carrying a BSID, it uses the corresponding SR Policy to forward the packet.
• BSIDs are used in label-based traffic steering scenarios, especially label stitching scenarios and tunnel protocol interworking scenarios, such as LDP over SR.
• For details, see draft-ietf-spring-segment-routing-policy, section 6 "Binding SID".
SR-MPLS Policy Service Process: Information Collection

⚫ Background: R3 functions as the egress and advertises the route 5.5.5.5/32 to the ingress R1. Finally, an SR Policy is established between R1 and R3. The figure shows the associated path. The specified color is green.
1. BGP-LS collects information (e.g. topology, bandwidth, and link latency) and reports it to the controller, which then computes SR Policy paths and displays tunnel status based on the information.
(Figure: R1 ingress 1.1.1.1 / SID 20001, R2 2.2.2.2 / SID 20002, R3 egress 3.3.3.3 / SID 20003, R4 4.4.4.4 / SID 20004; R3 advertises prefix 5.5.5.5/32; the controller collects information over BGP-LS; the green path runs from R1 to R3.)

• Preparations:
1. Controller planning: You can plan the color attribute and the mapping between the color attribute and SR tunnels' SLA requirements (path computation constraints) on the controller based on the SLA requirements of services.
2. Enable SR on involved devices.
3. Create a BGP session between the ingress and egress to advertise BGP VPN route information.
4. Check that the BGP peer relationship is established successfully and a reachable route carrying the color attribute exists between the ingress and egress.
SR Policy Service Process: Route Coloring

⚫ Background: R3 functions as the egress and advertises the route 5.5.5.5/32 to the ingress R1. Finally, an SR Policy is established between R1 and R3. The figure shows the associated path. The specified color is green.
2. The controller uses NETCONF to deliver a VPN or BGP export route-policy to the egress. The color attribute (green) is set for the route prefix 5.5.5.5/32, and the next hop of the route is R3 address 3.3.3.3.
(Figure: same topology as in the previous slide; the controller delivers the route-policy to R3 over NETCONF; the resulting route on R3 is Prefix: 5.5.5.5/32, Color: Green, NHP: 3.3.3.3.)
SR Policy Service Process: Route Advertisement

⚫ Background: R3 functions as the egress and advertises the route 5.5.5.5/32 to the ingress R1. Finally, an SR Policy is established between R1 and R3. The figure shows the associated path. The specified color is green.
3. The egress advertises the colored route 5.5.5.5/32 to the ingress through MP-BGP.
(Figure: same topology; R3 advertises Prefix: 5.5.5.5/32, Color: Green, NHP: 3.3.3.3 to R1 over MP-BGP.)
SR Policy Service Process: SR Policy Delivery

⚫ Background: R3 functions as the egress and advertises the route 5.5.5.5/32 to the ingress R1. Finally, an SR Policy is established between R1 and R3. The figure shows the associated path. The specified color is green.
4. The controller delivers the SR Policy to the headend, as shown in the following. R1 receives the BGP route 5.5.5.5/32 from R3. In subsequent forwarding, the route is recursed to the SR Policy based on its color and next hop.

BGP SR Policy Route:
SR Policy:
  Color: Green
  Endpoint: 3.3.3.3
  Attribute:
    BSID: 30028
    Candidate path count: 1
    Preference: 100
    SegmentList:
      label: 20004, 20003

(Figure: same topology; the controller delivers the BGP SR Policy route (SR Policy: Color: Green, Tunnel Encap ...) to R1; R1 holds the BGP route Prefix: 5.5.5.5/32, Color: Green, NHP: 3.3.3.3 received from R3.)

• The steps in this document do not represent the actual configuration sequence. They are only used to help you understand the implementation process. In real-world situations, the controller may deliver SR Policies and use NETCONF to deliver configurations at the same time.
SR Policy Service Process: Traffic Steering and Packet Forwarding

⚫ Background: R3 functions as the egress and advertises the route 5.5.5.5/32 to the ingress R1. Finally, an SR Policy is established between R1 and R3. The figure shows the associated path. The specified color is green.
5. The ingress generates a forwarding-plane tunnel based on the SR Policy. In this example, it completes traffic steering and forwarding based on the color attribute.
 Other traffic steering modes, such as DSCP-based traffic steering, are also supported.
(Figure: same topology; the controller has delivered the BGP SR Policy (SR Policy: Color: Green, Tunnel Encap ...) to R1, and R1 holds the BGP route Prefix: 5.5.5.5/32, Color: Green, NHP: 3.3.3.3.)

• DSCP-based traffic steering does not support color-based route recursion. Instead, it recurses a route to an SR-MPLS Policy based on the next-hop address in the route. Specifically, it searches for the SR-MPLS Policy group matching specific endpoint information and then finds the corresponding SR-MPLS Policy based on the DSCP value of packets. For details, see the corresponding product documentation.
Summary: SR-MPLS Path Generation Modes

⚫ SR is a technology that allows route selection on the ingress without depending on hop-by-hop signaling exchange (LDP/RSVP-TE). SR-MPLS paths are composed of segments advertised through an IGP. SR-MPLS paths support the following generation modes:
 Forwarder-based path computation (SPF/CSPF)
 Static explicit path configuration (CLI/NETCONF)
 Controller-based path computation (PCEP/BGP SR Policy)
⚫ Currently, BGP SR Policy is the mainstream path delivery mode.

• Path Computation Element Communication Protocol (PCEP) Extensions for SR: https://datatracker.ietf.org/doc/rfc8664/?include_text=1
Contents

1. Segment Routing Overview

2. Segment Routing Fundamentals

3. Segment Routing Tunnel Protection and Detection Technologies

4. Typical Usage Scenarios of Segment Routing

5. Basic Configurations of Segment Routing

TI-LFA FRR Anycast FRR Hot-Standby VPN FRR Microloop Avoidance SBFD BFD

Overview of SR-MPLS Protection Technologies

⚫ TE tunnel protection is classified into local protection and E2E protection. These protection mechanisms are inherited and also enhanced for SR-MPLS TE.
⚫ Local protection (TI-LFA FRR, Anycast FRR):
 Fast switching
 Only links and nodes protected
⚫ E2E protection (Hot Standby):
 Detection-dependent fast switching
 E2E paths protected
(Figure: for each protection type, a tunnel from the ingress to the egress with the protected part highlighted.)
TI-LFA FRR

⚫ Topology-independent loop-free alternate (TI-LFA) FRR provides link and node protection for SR tunnels. If a link or node fails, traffic is rapidly switched to the backup path.

Limitations of the Traditional LFA Algorithm
⚫ The traditional LFA algorithm has topological limitations. As shown in the figure, SIP traffic is forwarded to the DIP through R1. If the R1-R3 link fails, R1 forwards the traffic to R2. However, no backup path can be formed before R2 detects the failure.
(Figure: SIP 1.1.1.1 enters at R1 and DIP 4.4.4.4 is reached through R3; link costs: R1-R2 = 10, R1-R3 = 10, R3-R4 = 10, R2-R4 = 100.)

TI-LFA Algorithm
⚫ Using the source routing capability of SR, TI-LFA computes a backup path on each node to protect the failure point. When a node detects a failure, traffic is rapidly switched to the backup path.
Primary R1-R3 path: 4.4.4.4; segment list: R1, R3
Backup R1-R3 path: 4.4.4.4; segment list: R1, R2, R4, R3
(Figure: same topology and costs.)

• In a distributed network architecture, each device independently computes a path, and there is no consensus on the shortest path when a fault occurs. As a result, a backup path cannot be formed using traditional LFA.
TI-LFA FRR Protection Path Computation

⚫ TI-LFA FRR protects services against both link and node failures. TI-LFA preferentially computes a node protection path because this path can definitely protect services against a link failure.
 Link protection
 Node protection (high priority)
(Figure: two copies of the R1/R2/R3/R4 topology with SIP 1.1.1.1 and DIP 4.4.4.4, one showing the original path and the link protection path, the other the original path and the node protection path.)

• For details about TI-LFA FRR, see the "TI-LFA FRR" section in NE series product documentation.
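The following script reproduces the two slides above on the four-router figure: it shows why R1 cannot find a traditional LFA for the R1-R3 link, and how TI-LFA derives the backup segment list R1, R2, R4, R3 from the P-space and Q-space of the protected link. It is an added example, not Huawei code or NE product logic. The link costs are those of the figure; the node SIDs (1600x) and the adjacency SID numbering (160XY for the link RX to RY) are assumptions made for the illustration.

```python
"""TI-LFA link protection on the slide's four-router topology.

Added example (not Huawei code or NE product logic): it shows why traditional
LFA fails here and how TI-LFA derives a repair segment list from the P-space
and Q-space of the protected link. Link costs follow the figure; the node SIDs
(1600x) and the adjacency SID scheme (160XY for the link RX -> RY) are assumed.
"""
import heapq

LINKS = {("R1", "R2"): 10, ("R1", "R3"): 10, ("R2", "R4"): 100, ("R3", "R4"): 10}
NODE_SID = {"R1": 16001, "R2": 16002, "R3": 16003, "R4": 16004}


def adj_sid(a, b):
    """Assumed adjacency SID numbering: 160XY identifies the link RX -> RY."""
    return 16000 + 10 * int(a[1]) + int(b[1])


def graph(exclude=None):
    """Undirected adjacency map, optionally without one link (the failed one)."""
    g = {n: {} for n in NODE_SID}
    for (a, b), cost in LINKS.items():
        if exclude and {a, b} == set(exclude):
            continue
        g[a][b] = g[b][a] = cost
    return g


def spf(g, src):
    """Dijkstra from src: returns the predecessor map of the shortest-path tree."""
    dist, prev, heap = {src: 0}, {src: None}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in g[u].items():
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    return prev


def path(prev, dst):
    """Node list from the SPF root to dst."""
    out = []
    while dst is not None:
        out.append(dst)
        dst = prev[dst]
    return out[::-1]


def uses_link(nodes, link):
    return any({a, b} == set(link) for a, b in zip(nodes, nodes[1:]))


def plain_lfa_loops(src, dst, failed):
    """Traditional LFA: src hands traffic to a neighbour that has NOT converged.

    Returns True when that neighbour's pre-failure shortest path to dst comes
    straight back through src, i.e. no loop-free alternate exists.
    """
    full = graph()
    neighbour = next(n for n in full[src] if {src, n} != set(failed))
    return path(spf(full, neighbour), dst)[1] == src


def tilfa_repair(src, dst, failed):
    """TI-LFA: (P-space, Q-space, repair segment list, post-convergence path).

    P-space: nodes src reaches by a pre-failure shortest path that avoids the
    failed link. Q-space: nodes that reach dst by such a path. The repair list is
    the P node's node SID followed by adjacency SIDs until a Q node is reached,
    so every hop is loop-free no matter which nodes have converged.
    """
    full = graph()
    prev_src, prev_dst = spf(full, src), spf(full, dst)   # costs are symmetric
    p_space = {n for n in NODE_SID if n != src and not uses_link(path(prev_src, n), failed)}
    q_space = {n for n in NODE_SID if n != dst and not uses_link(path(prev_dst, n), failed)}
    post = path(spf(graph(exclude=failed), src), dst)
    p_idx = max(i for i, n in enumerate(post) if n == src or n in p_space)
    q_idx = min(i for i, n in enumerate(post) if i >= p_idx and (n == dst or n in q_space))
    segments = [] if post[p_idx] == src else [NODE_SID[post[p_idx]]]
    segments += [adj_sid(a, b) for a, b in zip(post[p_idx:q_idx], post[p_idx + 1:q_idx + 1])]
    return p_space, q_space, segments, post


if __name__ == "__main__":
    failed = ("R1", "R3")
    print("plain LFA loops back to R1:", plain_lfa_loops("R1", "R3", failed))
    print("TI-LFA P-space, Q-space, repair list, path:", tilfa_repair("R1", "R3", failed))
```

On this topology the P-space of R1 is {R2} and the Q-space of R3 is {R4}, and the two are not connected by a shortest path that avoids the failed link, so the repair list needs the adjacency SID R2 to R4 after the node SID of R2; a node SID for R4 alone would let an unconverged R2 send the packet back through R1.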
TI-LFA FRR Usage Scenarios and Configuration

⚫ To protect the entire path, you need to enable TI-LFA FRR local protection for the IGP processes of multiple nodes.

[Router] isis 1
[Router-isis-1] frr
[Router-isis-1-frr] loop-free-alternate level-2
[Router-isis-1-frr] ti-lfa level-2

(Figure: the nodes run IS-IS 1 Level-2.)
Limitations of TI-LFA FRR

⚫ TI-LFA cannot provide protection if a specified explicit node (ingress, egress, or constraint node) along an SR tunnel fails. For example, on the SR path shown in the following figure, TI-LFA cannot generate protection paths for explicit nodes R1, R4, and R6.
(Figure: R1 (16001) - R2 (16002) - R4 (16004) - R6 (16006) on the upper path, R3 (16003) and R5 (16005) on the lower path; the packet carries the labels 16004 and 16006. TI-LFA cannot protect services against explicit node failures.)
Anycast FRR

⚫ Anycast FRR can protect services against failures of specified nodes.
⚫ Assume that R4 and R5 advertise the same SID. This SID is called an anycast SID. The anycast SID is advertised in the IGP, with the next hop pointing to the nearest node on the path, such as R4. In this case, R4 is the optimal node of the anycast SID, and R5 is the backup node.
(Figure: R1 (16001) - R2 (16002) - R4 (optimal node) - R6 (16006) on the upper path, R3 (16003) and R5 (backup node) on the lower path; R4 and R5 are set the same anycast SID 16100.)
Anycast FRR Protection

⚫ Anycast FRR constructs a virtual node for SID advertisement and uses the TI-LFA algorithm to compute the backup next hop of the virtual node.
⚫ If R4 fails, TI-LFA continues to forward traffic through R5 along the computed backup path.
(Figure: same topology; the packet carries the labels 16100 and 16006; a virtual node with SID 16100 is attached to both R4 and R5; the backup path runs through R5.)

• The cost values of the links from R4 and R5 to the virtual node are both 0. However, the cost values of the links from the virtual node to R4 and R5 are infinite.
Hot Standby

⚫ SR hot standby enables the controller to compute a backup path that is different from the primary path to implement E2E path protection.
⚫ For SR-MPLS Policies, the primary and backup candidate paths implement hot standby protection. The primary and backup candidate paths belong to the same SR-MPLS Policy.
(Figure: CE1 - PE1 (16001) - P1 (16002) - P2 (16004) - PE2 (16006) - CE2 on the upper path, P3 (16003) - P4 (16005) - PE3 (16007) on the lower path; the SR-MPLS Policy contains candidate path 1 (primary candidate path) and candidate path 2 (backup candidate path).)
Hot Standby Implementation for SR-MPLS Policy

⚫ Multiple candidate paths of an SR-MPLS Policy implement hot standby protection. If a segment list fails, a failover is triggered.
⚫ SR-MPLS Policy fault detection depends on detection mechanisms such as BFD or SBFD.

SR-MPLS Policy <headend, color, endpoint>
  Candidate path 1, Preference 200, segment list   (primary candidate path)
  Candidate path 2, Preference 100, segment list   (backup candidate path)

SR policy P1 <headend, color, endpoint>
  Candidate-path CP1 <Protocol-Origin, Originator, Discriminator>, Preference 200
    SID-List <SID11...SID1i>
  Candidate-path CP2 <Protocol-Origin, Originator, Discriminator>, Preference 100
    SID-List <SID21...SID2i>
Limitations of Hot Standby

⚫ Hot standby can protect E2E paths but does not apply to scenarios where the egress PE of a tunnel fails. In this example, PE1 receives the routes advertised by PE2 and PE3 at the same time and preferentially selects the route advertised by PE2. If PE2 fails, services can recover only through route convergence.
(Figure: same topology as above; the SR-MPLS Policy's candidate path 1 (primary candidate path) runs PE1 - P1 - P2 - PE2 and its candidate path 2 (backup candidate path) runs through P3 and P4; CE2 is dual-homed to PE2 and PE3.)
VPN FRR

⚫ VPN FRR uses the VPN route-based fast switching technology. It presets primary and backup forwarding paths pointing to the master and backup PEs, respectively, on the ingress PE and implements fast PE failure detection to reduce E2E service convergence time when a PE failure occurs in an MPLS VPN scenario where a CE is dual-homed to two PEs.
(Figure: same topology; SR-MPLS Policy 1 contains candidate path 1 (primary candidate path of SR-MPLS Policy 1) and candidate path 2 (backup candidate path of SR-MPLS Policy 1); SR-MPLS Policy 2 contains candidate path 1 and is the VPN FRR backup path toward PE3.)

• In traditional TE tunnel protection technologies, if a PE fails, services can recover only through E2E route convergence and LSP convergence. The service convergence time is closely related to the number of internal MPLS VPN routes and the number of hops on the bearer network. The greater the number of VPN routes, the longer the service convergence time.
• In VPN FRR, service convergence time depends only on the time required to detect remote PE failures and change tunnel status, making service convergence time irrelevant to the number of VPN routes on the bearer network.
• In this example, VPN FRR primary and backup paths exist from PE1 to PE3. They are not all displayed in the figure.
VPN FRR Failover Example

⚫ In this example, when TI-LFA FRR, hot standby, and VPN FRR are used together, the protection switching is implemented as follows:

SR-MPLS Policy 1
  Candidate path 1 (primary path): segment list <16002, 16004, 16006>; TI-LFA protection path <16003, 16004, 16006> for the PE1-P1 link
  Candidate path 2: segment list <16003, 16005, 16004, 16006>
SR-MPLS Policy 2
  Candidate path 1: segment list <16003, 16005, 16007>

 TI-LFA FRR: protects the PE1-P1 link on the primary path.
 Hot Standby: If a node or link on the primary path fails, traffic is switched to the backup path.
 VPN FRR: If PE2 fails, SR-MPLS Policy 1 becomes unavailable, triggering VPN FRR switching to SR-MPLS Policy 2.
Note: Candidate path 1 of SR-MPLS Policy 1 is the primary path.

• Fault detection in hot standby and VPN FRR scenarios depends on detection mechanisms such as BFD or SBFD.
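The script below models, on the headend, the three mechanisms that the SR-MPLS Policy Model slide, the Hot Standby Implementation slide and the VPN FRR Failover Example above describe: candidate paths ranked by preference, weighted selection between the segment lists of the primary path (W1/(W1+W2)), hot-standby failover to the next candidate path when every segment list of the primary path is reported down, and VPN FRR recursion of a colored VPN route to the backup PE's policy when the primary PE fails. It is an added example, not Huawei code. The SIDs are those of the VPN FRR figure; the color value 100 (standing in for "green"), the weights, the VPN prefix, the candidate-path keys and the second segment list of candidate path 1 (the figure's TI-LFA path, used here only to show weighting) are constructed.

```python
"""Headend view of an SR-MPLS Policy: preference-ranked candidate paths,
weighted segment-list selection, hot-standby failover and VPN FRR.

Added example, not Huawei code. Color 100 stands in for "green"; weights,
prefix, candidate-path keys and CP1's second SID list are constructed.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass
class SidList:
    sids: list
    weight: int = 1
    up: bool = True                     # cleared when BFD/SBFD reports the list down


@dataclass
class CandidatePath:
    key: tuple                          # <Protocol-Origin, Originator, Discriminator>
    preference: int
    sid_lists: list

    def valid(self):
        return any(s.up for s in self.sid_lists)


@dataclass
class SrPolicy:
    headend: str
    color: int
    endpoint: str
    candidate_paths: list = field(default_factory=list)

    def ranked(self):
        """Valid candidate paths, highest preference first."""
        return sorted((cp for cp in self.candidate_paths if cp.valid()),
                      key=lambda cp: cp.preference, reverse=True)

    def primary(self):
        return self.ranked()[0] if self.ranked() else None

    def backup(self):
        return self.ranked()[1] if len(self.ranked()) > 1 else None

    def select_sid_list(self, flow_key: bytes):
        """Weighted hashing over the primary path: list i gets W_i / sum(W) of the flows."""
        cp = self.primary()
        if cp is None:
            return None
        live = [s for s in cp.sid_lists if s.up]
        digest = hashlib.sha256(flow_key).digest()
        bucket = int.from_bytes(digest[:8], "big") % sum(s.weight for s in live)
        for s in live:
            if bucket < s.weight:
                return s
            bucket -= s.weight


@dataclass
class VpnRoute:
    prefix: str
    color: int
    next_hops: list                     # [primary PE, VPN FRR backup PE]


class Headend:
    def __init__(self):
        self.policies = {}              # (color, endpoint) -> SrPolicy

    def install(self, policy):
        self.policies[(policy.color, policy.endpoint)] = policy

    def pe_down(self, endpoint):
        """Fast PE failure detection: every segment list toward that PE goes down."""
        for (_, ep), pol in self.policies.items():
            if ep == endpoint:
                for cp in pol.candidate_paths:
                    for s in cp.sid_lists:
                        s.up = False

    def resolve(self, route):
        """Color-based recursion; VPN FRR falls back to the backup PE's policy."""
        for nh in route.next_hops:
            pol = self.policies.get((route.color, nh))
            if pol is not None and pol.primary() is not None:
                return pol
        return None                     # nothing left: route convergence has to recover


def build_pe1():
    """PE1 with the two policies of the VPN FRR failover figure (constructed values)."""
    green = 100
    pe1 = Headend()
    pe1.install(SrPolicy("PE1", green, "PE2", [
        CandidatePath(("BGP", "controller", 1), 200,
                      [SidList([16002, 16004, 16006], weight=2),
                       SidList([16003, 16004, 16006], weight=1)]),
        CandidatePath(("BGP", "controller", 2), 100,
                      [SidList([16003, 16005, 16004, 16006])])]))
    pe1.install(SrPolicy("PE1", green, "PE3", [
        CandidatePath(("BGP", "controller", 3), 100,
                      [SidList([16003, 16005, 16007])])]))
    return pe1


def share(policy, sid_list, samples=3000):
    """Fraction of constructed flows hashed onto sid_list (approximates W_i / sum(W))."""
    hits = sum(policy.select_sid_list(f"flow{i}".encode()) is sid_list for i in range(samples))
    return hits / samples
```

Marking segment lists down is what the detection mechanism (BFD/SBFD) does for the headend; the model deliberately has no other trigger, which is the point the slides make: hot standby and VPN FRR are only as fast as the detection that feeds them.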
SR Microloop Avoidance Overview

⚫ Each node independently calculates the IGP LSDB, which may lead to a loop during unordered convergence. This may in turn result in microloops, a kind of transient loop that disappears after all the nodes on the forwarding path have converged.
⚫ On the network shown in the following figure, TI-LFA FRR is working properly. After detecting that P2 fails, P1 enters the TI-LFA FRR switching process. Specifically, it inserts the repair list <16005, 16057> into the packet to forward the packet to 16006 through 16005.
(Figure: PE1 (16001) - P1 (16002) - P2 (16004) - PE2 (16006) on the upper path, P3 (16003) - P4 (16005) - PE3 (16007) on the lower path; 16057 is shown between P4 and PE3; the TI-LFA path bypasses the failed P2.)
SR Local Microloop Avoidance in a Traffic Switchover Scenario

⚫ Devices converge at different time points, leading to a microloop. For example, the route of P1 does not carry a repair list after convergence. In this case, the next hop of the route to 16006 is P3. If P3 has not converged, the next hop pointing to 16006 is still P1, causing a local microloop in a traffic switchover scenario.
⚫ After microloop avoidance is enabled, P1 starts the T1 timer, during which the packet is still forwarded according to the TI-LFA policy <16005, 16057>, and waits for other nodes to converge.

[P1] isis 1
[P1-isis-1] avoid-microloop frr-protected

(Figure: same topology; P1 has converged, P3 has not converged; 16057 is shown between P4 and PE3.)
SR Local Microloop Avoidance in a Traffic Switchback Scenario

⚫ A microloop may also occur during traffic switchback implemented after fault rectification. Assume that P2 recovers. If P1 has not converged and forwards traffic to P3, which has converged, traffic will be forwarded back to P1, resulting in a local microloop.
⚫ With microloop avoidance enabled, after P3 converges, it computes the microloop avoidance segment list <16002, 16024>. PE1 forwards the packet to P1. As P1 has not converged, it forwards the packet to P3. P3 inserts the segment list into the packet and forwards the packet to P2 through P1 and finally to PE2.

[P3] isis 1
[P3-isis-1] avoid-microloop frr-protected

(Figure: same topology; P1 has not converged, P3 has converged; 16024 is shown between P1 and P2.)
SR Remote Microloop Avoidance

⚫ Traffic switching may cause not only a local microloop but also a microloop between remote nodes (that is, a remote microloop). As shown in the figure, the link between PE2 and PE3 fails. If P2 has converged but P1 has not, a loop occurs between P1 and P2.
⚫ With remote microloop avoidance enabled, after P2 converges, it computes the microloop avoidance segment list <16003, 16037> for traffic accessing PE3. In this case, P1 still forwards the traffic to PE3 through P3 even if P1 has not converged.

[P2] isis 1
[P2-isis-1] avoid-microloop segment-routing

(Figure: PE1 (16001) - P1 (16002) - P2 (16004) - PE2 (16006) on the upper path, P3 (16003) and PE3 (16007) on the lower path; 16037 is shown between P3 and PE3; the PE2-PE3 link has failed.)
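The following script walks a packet through the microloop figure of the SR Microloop Avoidance Overview and the traffic switchover slide, after P2 has failed, under four convergence timings: the TI-LFA FRR phase, P1 converged while P3 is not (the local microloop), the same timing with microloop avoidance keeping P1 on the repair list during T1, and full convergence. It is an added example, not Huawei code. The node SIDs, the repair list <16005, 16057> and the adjacency SID 16057 (P4 to PE3) are those of the slides; the per-node forwarding tables for the two convergence states are constructed from the slide's description (P1's post-convergence next hop for 16006 is P3; an unconverged P3 still points back to P1), and node SIDs are popped at the owning node to keep the walk readable.

```python
"""Packet walk through the microloop figure after P2 fails, with and without
local microloop avoidance.

Added example, not Huawei code. Node SIDs, the repair list <16005, 16057> and
the adjacency SID 16057 (P4 -> PE3) follow the slides; the forwarding tables
for the two convergence states are constructed from the slide's description.
"""
DEST = 16006                                        # PE2's node SID
NODE_SID = {"PE1": 16001, "P1": 16002, "P3": 16003, "P2": 16004,
            "P4": 16005, "PE2": 16006, "PE3": 16007}
# Next hop per destination SID before convergence (P2 still believed up) ...
FIB_BEFORE = {"PE1": {16006: "P1", 16005: "P3"}, "P1": {16006: "P2", 16005: "P3"},
              "P3": {16006: "P1", 16005: "P4"}, "P4": {16006: "P2"}, "PE3": {16006: "PE2"}}
# ... and after convergence (P2 failure taken into account).
FIB_AFTER = {"PE1": {16006: "P1", 16005: "P3"}, "P1": {16006: "P3", 16005: "P3"},
             "P3": {16006: "P4", 16005: "P4"}, "P4": {16006: "PE3"}, "PE3": {16006: "PE2"}}
ADJ_SID = {("P4", 16057): "PE3"}                    # adjacency SID, known only to P4
TILFA_REPAIR = {"P1": [16005, 16057]}               # P1's repair list for its failed next hop P2
FAILED = {"P2"}


def forward(start, stack, converged, avoidance, t1_running=True, max_hops=12):
    """Return (delivered, hops). Stops at a black hole or when the hop budget
    runs out, which on this topology means the packet is circling."""
    node, stack, hops = start, list(stack), [start]
    while len(hops) <= max_hops:
        while stack and stack[0] == NODE_SID[node]:      # pop our own node SID
            stack.pop(0)
        if not stack:
            return node == "PE2", hops
        top = stack[0]
        # TI-LFA on P1: before it has converged and, with avoidance on, also
        # during T1 after convergence; otherwise the plain FIB decides.
        if node in TILFA_REPAIR and top == DEST and (
                node not in converged or (avoidance and t1_running)):
            stack = TILFA_REPAIR[node] + stack
            top = stack[0]
        if (node, top) in ADJ_SID:                       # adjacency SID: pop, use that link
            stack.pop(0)
            node = ADJ_SID[(node, top)]
        else:
            fib = FIB_AFTER if node in converged else FIB_BEFORE
            nh = fib.get(node, {}).get(top)
            if nh is None or nh in FAILED:
                return False, hops                       # black hole
            node = nh
        hops.append(node)
    return False, hops                                   # hop budget exhausted: microloop


def looped(hops):
    """A node visited more than once means the packet circled."""
    return len(set(hops)) < len(hops)


if __name__ == "__main__":
    print("FRR phase          :", forward("PE1", [DEST], converged=set(), avoidance=False))
    print("P1 converged, no MA:", forward("PE1", [DEST], converged={"P1"}, avoidance=False))
    print("P1 converged, MA   :", forward("PE1", [DEST], converged={"P1"}, avoidance=True))
```

The loop in the second run is exactly the one the slide describes: P1's new next hop for 16006 is P3, while the unconverged P3 still sends 16006 back to P1. With `avoid-microloop frr-protected`, P1 keeps pushing the repair list during T1, so the packet takes the same path as in the FRR phase until P3 has caught up.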
Summary: Comparison Between TI-LFA and Microloop Avoidance

TI-LFA
⚫ Purpose: to locally compute a backup path for the destination address.
⚫ Trigger condition: link or node failure on the primary path.

Microloop Avoidance
⚫ Purpose: to prevent temporary loops during the update of the primary path.
⚫ Trigger condition: primary path update.
SBFD Overview

⚫ If BFD detects a large number of links, the negotiation time of the state machine is prolonged, which is not suitable for SR. To address this issue, seamless bidirectional forwarding detection (SBFD), a simplified BFD mechanism, is introduced to detect SR tunnels. With a simplified BFD state machine, SBFD shortens the negotiation time and improves network-wide flexibility.
(Figure: BFD: both initiators negotiate through Down -> Init -> Up by exchanging BFD Down packets. SBFD: only the initiator negotiates, Down -> Up; the reflector performs reflection only; multiple initiators share one reflector.)
SBFD Implementation

⚫ Before link detection, both ends exchange SBFD control packets to notify SBFD description information.
⚫ During link detection, the initiator proactively sends an SBFD Echo packet, and the reflector loops back the packet based on local conditions. The initiator determines the local status based on the reflected packet.
⚫ The loopback packet constructed by the reflector carries the Admin Down or Up field.
⚫ After receiving a reflected packet carrying the Up state, the initiator sets the local state to Up. After receiving a reflected packet carrying the Admin Down state, it sets the local state to Down. It also sets the local state to Down if it does not receive any reflected packet before the timer expires.
(Figure: message sequence between the initiator and the reflector: SBFD Control Packets in both directions before link detection, then the SBFD Echo Packet during link detection. SBFD state machine of the initiator: Down -> Up on a reflected Up; Up -> Down on a reflected Admin Down or on timer expiry.)

• Because the state machine has only Up and Down states, the initiator can send packets carrying only the Up or Down state and receive packets carrying only the Up or Admin Down state. The initiator starts by sending an SBFD packet carrying the Down state to the reflector. The destination and source port numbers of the packet are 7784 and 4784, respectively; the destination IP address is a user-configured address on the 127 network segment; the source IP address is the locally configured LSR ID.
• The reflector runs no SBFD state machine or detection mechanism. For this reason, it does not proactively send SBFD Echo packets. Instead, it only reflects back received SBFD packets. The destination and source port numbers in the looped-back SBFD packet are 4784 and 7784, respectively; the source IP address is the locally configured LSR ID; the destination IP address is the source IP address of the initiator.
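The exchange described in the slide and its notes, as an added example (not Huawei code): the reflector keeps no state machine and only swaps addresses, ports and discriminators before sending the packet back, while the initiator derives its two-state (Up/Down) status purely from what is reflected or from the detection timer. The UDP ports 7784 and 4784 are the ones given in the notes; the LSR IDs, the discriminators and the 127.x.x.x detection address are constructed sample values.

```python
"""SBFD initiator/reflector exchange as described on the slide.

Added example, not Huawei code: packets are dicts, the reflector keeps no
state machine and only reflects, the initiator runs the Up/Down machine.
LSR IDs, discriminators and the 127.x.x.x detection address are constructed;
the ports 7784/4784 are the ones the slide notes give.
"""
UP, DOWN, ADMIN_DOWN = "Up", "Down", "AdminDown"
INITIATOR_PORT, REFLECTOR_PORT = 4784, 7784


class Reflector:
    """Reflects SBFD packets addressed to its discriminator; no timers, no detection."""

    def __init__(self, lsr_id, discriminator, admin_down=False):
        self.lsr_id, self.discriminator, self.admin_down = lsr_id, discriminator, admin_down

    def reflect(self, pkt):
        if pkt["dst_port"] != REFLECTOR_PORT or pkt["your_disc"] != self.discriminator:
            return None                         # not an SBFD packet for this reflector
        return {"src_ip": self.lsr_id, "dst_ip": pkt["src_ip"],
                "src_port": REFLECTOR_PORT, "dst_port": INITIATOR_PORT,
                "state": ADMIN_DOWN if self.admin_down else UP,
                "my_disc": self.discriminator, "your_disc": pkt["my_disc"]}


class Initiator:
    """Sends SBFD packets and derives its state only from what comes back."""

    def __init__(self, lsr_id, detect_addr, local_disc, remote_disc, detect_multiplier=3):
        self.lsr_id, self.detect_addr = lsr_id, detect_addr     # detect_addr: 127.x.x.x target
        self.local_disc, self.remote_disc = local_disc, remote_disc
        self.detect_multiplier = detect_multiplier
        self.state, self.outstanding = DOWN, 0

    def send(self):
        """Build the next SBFD packet; the very first one carries Down."""
        self.outstanding += 1
        return {"src_ip": self.lsr_id, "dst_ip": self.detect_addr,
                "src_port": INITIATOR_PORT, "dst_port": REFLECTOR_PORT,
                "state": self.state, "my_disc": self.local_disc, "your_disc": self.remote_disc}

    def receive(self, pkt):
        """Apply a reflected packet: Up -> Up, Admin Down -> Down, anything else is ignored."""
        if pkt is None or pkt["dst_port"] != INITIATOR_PORT or pkt["your_disc"] != self.local_disc:
            return self.state
        self.outstanding = 0
        if pkt["state"] == UP:
            self.state = UP
        elif pkt["state"] == ADMIN_DOWN:
            self.state = DOWN
        return self.state

    def timer_expired(self):
        """Detection timer: no valid reflection for detect_multiplier intervals -> Down."""
        if self.outstanding >= self.detect_multiplier:
            self.state = DOWN
        return self.state


def run_exchange(initiator, reflector, rounds=1):
    """One or more send/reflect/receive cycles; returns the initiator's state."""
    for _ in range(rounds):
        initiator.receive(reflector.reflect(initiator.send()))
    return initiator.state


if __name__ == "__main__":
    ini = Initiator("1.1.1.1", "127.1.1.1", local_disc=100, remote_disc=200)
    refl = Reflector("3.3.3.3", discriminator=200)
    print("after first reflection:", run_exchange(ini, refl))
    refl.admin_down = True
    print("reflector Admin Down  :", run_exchange(ini, refl))
```

The discriminator check in both directions is what keeps one shared reflector from confusing the sessions of many initiators; a reflected packet whose `your_disc` does not match the local discriminator is dropped without touching the state.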
One-Arm BFD

BFD/SBFD requires that devices at both ends support this function. If a Huawei device needs to communicate with a BFD-incapable device, you can configure one-arm BFD (also called one-arm BFD echo) for the Huawei device. A one-arm BFD Echo session can be established on the BFD-capable device. After receiving a BFD Echo packet, the BFD-incapable device immediately loops back the packet for quick link detection.

One-arm BFD Echo does not require Echo negotiation capabilities at both ends; that is, BFD can be configured on only one end. The device with one-arm Echo enabled sends special BFD packets (the source and destination IP addresses in the IP header are the IP address of the local device, and the local and remote discriminators in the BFD packet are the same). After receiving the packets, the peer device directly loops them back to the local device to check whether the link is normal. This function equips Huawei devices with a stronger adaptability to low-end devices.
(Figure: BFD-capable Router A sends BFD SIP=A, DIP=A, MD=A, YD=A to BFD-incapable Router B, which forwards the packet back to the source device according to DIP=A. SIP: source IP address; DIP: destination IP address; MD: my discriminator; YD: your discriminator.)
Contents

1. Segment Routing Overview

2. Segment Routing Fundamentals

3. Segment Routing Tunnel Protection and Detection Technologies

4. Typical Usage Scenarios of Segment Routing

5. Basic Configurations of Segment Routing

Intra-AS SR-MPLS BE

⚫ SR-MPLS BE applies to services that do not have strict SLA requirements or require path planning.
⚫ Downstream routers allocate SIDs to upstream routers to form SR-MPLS forwarding paths.
⚫ MP-BGP is used on the control plane to advertise VPN labels.
⚫ SR-MPLS BE can be used as a backup solution for SR-MPLS TE services on a production network.
(Figure: CE1 - PE1 - P1 - P2 - PE2 - CE2; MP-IBGP between PE1 and PE2; IGP (OSPF or IS-IS) with SR on the backbone; MPLS forwarding on each hop; SID advertisement hop by hop from the downstream router to the upstream router.)
Intra-AS SR-MPLS TE

⚫ SR-MPLS TE applies to scenarios that have strict SLA requirements and require path planning, such as DCI scenarios. SR labels are advertised by an IGP. The controller uses BGP-LS to collect information (e.g. network topology, bandwidth, latency, and label information).
⚫ The controller computes qualified forwarding paths based on constraints and delivers path computation results to forwarders through PCEP or NETCONF. Engineers can also manually configure strict forwarding paths and delegate the paths to the controller through PCEP.
(Figure: the controller connects to the IGP domain between IDC 1 and IDC 2 over BGP-LS, NETCONF, and PCEP.)
Intra-AS SR-MPLS Policy

⚫ SR-MPLS Policy applies to scenarios that have strict SLA requirements and require path planning. SR labels are advertised by an IGP. The controller uses BGP-LS to collect information (e.g. network topology, bandwidth, latency, and label information).
⚫ The controller computes qualified forwarding paths based on constraints and delivers path computation results to forwarders through BGP SR Policy or PCEP. Engineers can also manually configure strict forwarding paths and delegate the paths to the controller through PCEP.
(Figure: the controller connects to the IGP domain over BGP-LS, NETCONF, and BGP SR Policy/PCEP.)

• PCEP was first proposed in the optical transport field. It is seldom deployed on enterprises' production networks because it has few applications on IP networks, interoperability between vendors is difficult, and its performance is poor. Therefore, BGP SR Policy is recommended on an SR-MPLS network.
Inter-AS E2E SR-MPLS TE (1)

⚫ In inter-AS access scenarios, it is recommended that the controller perform centralized computation and deliver E2E SR-MPLS TE paths.
⚫ BGP egress peer engineering (EPE) is configured on ASBRs for them to allocate a BGP peer SID to each other.
⚫ The ASBRs then use BGP-LS to report the BGP EPE-generated labels and network topology information.
(Figure: PE1 in AS 100 - ASBR - ASBR - PE2 in AS 200; BGP EPE between the ASBRs allocates peer SID 304 and peer SID 403; the ASBRs report the BGP peer SIDs to the controller through BGP-LS.)
Inter-AS E2E SR-MPLS TE (2)

⚫ Before an E2E SR-MPLS TE tunnel is created, the controller needs to create intra-AS SR-MPLS TE tunnels.
⚫ To reduce the label stack depth, you can configure a BSID for each intra-AS tunnel.
⚫ In this example, BSID 1000 is configured for the tunnel from PE1 to one ASBR, and BSID 2000 for the tunnel from PE2 to the other ASBR.
(Figure: same topology; BSID 1000 on the AS 100 tunnel and BSID 2000 on the AS 200 tunnel; BGP EPE peer SIDs 304 and 403 between the ASBRs; the controller sits above both ASs.)
Inter-AS E2E SR-MPLS TE (3)

⚫ The controller performs global computation, integrates path labels into a label stack, and then delivers it to forwarders.
⚫ In this example, the label stack for the path from PE1 to PE2 is <1000, 304, 2000>.
⚫ In the label stack, 1000 and 2000 are BSIDs, which will be replaced with corresponding SR label stacks during intra-AS forwarding.
(Figure: same topology; BSID 1000 on the AS 100 tunnel, BSID 2000 on the AS 200 tunnel, peer SIDs 304 and 403 between the ASBRs.)
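The following script walks the slide's label stack <1000, 304, 2000> from PE1 to PE2 and shows the BSID mechanism of the Binding SID slide in action: a node that owns a BSID swaps it for the segment list of the tunnel it binds, so the headend only has to push three labels instead of the fully expanded stack. It is an added example, not Huawei forwarding code. The values 1000 and 2000 (BSIDs) and 304 (the BGP EPE peer SID from ASBR1 to ASBR2) come from the slides; the node names, the intra-AS node SIDs and the linear chain topology are constructed, and own node SIDs are popped at the owning node (ultimate-hop pop) to keep the walk easy to follow.

```python
"""Inter-AS forwarding of the label stack <1000, 304, 2000>, showing how a
BSID is swapped for the intra-AS segment list of the tunnel it binds.

Added example, not Huawei forwarding code. 1000/2000 (BSIDs) and 304 (peer
SID) are the slide's values; node names, node SIDs and the chain are constructed.
"""
CHAIN = ["PE1", "P1", "ASBR1", "ASBR2", "P2", "PE2"]       # constructed inter-AS path
NODE_SID = {"P1": 16011, "ASBR1": 16012, "P2": 16021, "PE2": 16022}   # constructed
PEER_SID = {("ASBR1", 304): "ASBR2"}                      # BGP EPE peer SID from the slide
BSID = {                                                  # (owner, BSID) -> intra-AS segment list
    ("PE1", 1000): [16011, 16012],                        # tunnel PE1 -> ASBR1 in AS 100
    ("ASBR2", 2000): [16021, 16022],                      # tunnel ASBR2 -> PE2 in AS 200
}


def next_hop_toward(node, owner):
    """Linear chain: step toward the node that owns the SID on top of the stack."""
    i, j = CHAIN.index(node), CHAIN.index(owner)
    return CHAIN[i + 1] if j > i else CHAIN[i - 1]


def forward(start, stack, max_hops=16):
    """Walk the packet hop by hop. Returns (hops, deepest stack seen).

    Each hop records the node and the label stack as the packet leaves it.
    """
    node, stack, hops, deepest = start, list(stack), [], len(stack)
    owner_of = {sid: n for n, sid in NODE_SID.items()}
    for _ in range(max_hops):
        while stack:
            top = stack[0]
            if (node, top) in BSID:                      # BSID: replace by the bound tunnel's list
                stack = BSID[(node, top)] + stack[1:]
                deepest = max(deepest, len(stack))
            elif owner_of.get(top) == node:              # own node SID: pop and keep processing
                stack.pop(0)
            else:
                break
        hops.append((node, list(stack)))
        if not stack:
            return hops, deepest
        top = stack[0]
        if (node, top) in PEER_SID:                      # EPE: pop the peer SID, cross the AS border
            stack.pop(0)
            node = PEER_SID[(node, top)]
        elif top in owner_of:
            node = next_hop_toward(node, owner_of[top])
        else:
            raise ValueError(f"{node} has no forwarding entry for label {top}")
    raise RuntimeError("hop budget exhausted")


def flat_stack():
    """What PE1 would have to push without BSIDs: both tunnels fully expanded."""
    return BSID[("PE1", 1000)] + [304] + BSID[("ASBR2", 2000)]


if __name__ == "__main__":
    for node, remaining in forward("PE1", [1000, 304, 2000])[0]:
        print(f"{node:6s} leaves with stack {remaining}")
    print("flat stack without BSIDs:", flat_stack())
```

Only the node that owns a BSID can expand it, which is also why a BSID is opaque outside its domain: ASBR2 never sees the AS 100 labels, and PE1 never needs to know the AS 200 ones.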
Contents

1. Segment Routing Overview

2. Segment Routing Fundamentals

3. Segment Routing Tunnel Protection and Detection Technologies

4. Typical Usage Scenarios of Segment Routing

5. Basic Configurations of Segment Routing


◼ SR-MPLS BE
▫ SR-MPLS TE
▫ SR-MPLS Policy
L3VPN over SR-MPLS BE (1)
[Figure: AS 100 backbone PE1 (Loopback0 10.0.1.1/32) - P (Loopback0 10.0.2.2/32) - PE2 (Loopback0 10.0.3.3/32); link PE1-P 10.0.12.0/24 (.1/.2), link P-PE2 10.0.23.0/24 (.2/.3). CE1 (AS 65000, Loopback1 10.1.4.4/32) connects to PE1 over 10.0.14.0/24 and CE2 (AS 65001, Loopback1 10.1.5.5/32) connects to PE2 over 10.0.35.0/24; both PEs host VPN instance vpna.]
Networking requirements:
1. Connect PE1 and PE2 to different CEs that belong to VPN instance vpna.
2. Deploy L3VPN service recursion to an SR-MPLS BE tunnel on the backbone network so that CE1 and CE2 can communicate through Loopback1.
Configuration roadmap:
1. Configure interface IP addresses and OSPF. (Configuration details are not provided.)
2. Enable MPLS, configure SR, and establish SR LSPs on the backbone network.
3. Establish an MP-BGP peer relationship between PE1 and PE2.
4. Enable the VPN instance IPv4 address family on each PE.
5. Configure a tunnel policy for the PEs to preferentially select SR LSPs.
6. Verify the configuration.
L3VPN over SR-MPLS BE (2)
(Same topology and roadmap as on the previous slide.) PE1 configurations are as follows; P and PE2 configurations are not provided.
[~PE1] ospf 1
[*PE1-ospf-1] opaque-capability enable
[*PE1-ospf-1] quit
[~PE1] mpls lsr-id 10.0.1.1
[*PE1] mpls
[*PE1-mpls] quit
[~PE1] segment-routing
[*PE1-segment-routing] quit
[*PE1] ospf 1
[*PE1-ospf-1] segment-routing mpls
[*PE1-ospf-1] segment-routing global-block 16000 23999
[*PE1-ospf-1] quit
[*PE1] interface loopback 0
[*PE1-LoopBack0] ospf prefix-sid index 1
[*PE1-LoopBack0] quit
[*PE1] commit
Notes: configure the same SRGB (16000-23999) on every node; the prefix SID index is 1 on PE1, 2 on P, and 3 on PE2, so the prefix SID labels are 16001, 16002 and 16003.

• Before configuring an SR-MPLS BE tunnel, you need to enable MPLS on each device in the SR-MPLS domain. The configuration procedure is as follows:
▫ Run the system-view command to enter the system view.
▫ Run the mpls lsr-id lsr-id command to configure an LSR ID for the local device.
▪ Note the following during LSR ID configuration:
− Configuring LSR IDs is the prerequisite for all MPLS configurations.
− LSRs do not have default LSR IDs, and such IDs must be manually configured.
− Using the address of a loopback interface as the LSR ID is recommended for an LSR.
▫ Run the mpls command to enable MPLS.
• Basic SR-MPLS BE function configurations mainly involve enabling SR globally, specifying an SRGB, and configuring an SR prefix SID.
▫ Enable SR globally.
▪ Run the system-view command to enter the system view.
▪ Run the segment-routing command to enter the Segment Routing view.
▪ Run the commit command to commit the configuration.
▪ Run the quit command to return to the system view.
▫ Specify an SRGB.
▪ Run the ospf process-id command to enter the OSPF view.
▪ Run the opaque-capability enable command to enable the opaque LSA capability.
▪ Run the segment-routing mpls command to enable SR for the corresponding OSPF topology.
▪ Run the segment-routing global-block begin-value end-value command to specify an OSPF SRGB.
▪ Run the commit command to commit the configuration.
▪ Run the quit command to return to the system view.
▫ Configure an SR prefix SID.
▪ Run the interface loopback loopback-number command to create a loopback interface and enter the interface view.
▪ Run the ospf enable [ process-id ] area area-id command to enable OSPF on the interface.
▪ Run the ip address ip-address { mask | mask-length } command to configure an IP address for the loopback interface.
▪ Run the ospf prefix-sid { absolute sid-value | index index-value } [ node-disable ] command to configure an SR prefix SID for the IP address of the interface.
L3VPN over SR-MPLS BE (3)
(Same topology and roadmap as on the previous slides.) PE1 configurations are as follows; PE2 configurations are not provided.
Establish the MP-BGP (VPNv4) peer relationship with PE2:
[~PE1] bgp 100
[~PE1-bgp] peer 10.0.3.3 as-number 100
[*PE1-bgp] peer 10.0.3.3 connect-interface loopback 0
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 10.0.3.3 enable
[*PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
Create the VPN instance and peer with CE1 inside it:
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpna
[*PE1-bgp-vpna] peer 10.0.14.4 as-number 65000
[*PE1-bgp-vpna] commit
(Binding the CE-facing interface on 10.0.14.0/24 to vpna is not shown on the slide.)
L3VPN over SR-MPLS BE (4)
PE1 configurations are as follows; PE2 configurations are not provided.
[~PE1] tunnel-policy p1
[*PE1-tunnel-policy-p1] tunnel select-seq sr-lsp load-balance-number 2
[*PE1-tunnel-policy-p1] quit
[*PE1] commit
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] tnl-policy p1
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] commit
Run the display tunnel-info all command on PE1 to check SR LSP information:
<PE1>display tunnel-info all
Tunnel ID            Type       Destination   Status
-------------------------------------------------------------------------------
0x000000002900000042 srbe-lsp   10.0.3.3      UP
0x000000002900000043 srbe-lsp   10.0.2.2      UP
0x000000002900000042 is the ID of the SR-MPLS BE tunnel to PE2 (10.0.3.3); vpna routes learned from PE2 recurse to it.

• Configure a tunnel policy and tunnel selection sequence.
▫ Run the system-view command to enter the system view.
▫ Run the tunnel-policy policy-name command to create a tunnel policy and enter the tunnel policy view.
▫ Run the tunnel select-seq sr-lsp load-balance-number load-balance-number [ unmix ] command to configure a tunnel selection sequence and the number of tunnels for load balancing.
▫ Run the commit command to commit the configuration.
▫ Run the quit command to return to the system view.
• Configure BGP L3VPN service recursion to SR-MPLS BE tunnels.
▫ Run the ip vpn-instance vpn-instance-name command to enter the VPN instance view.
▫ Run the ipv4-family command to enter the VPN instance IPv4 address family view.
▫ Run the tnl-policy policy-name command to apply a tunnel policy to the VPN instance IPv4 address family.
▫ Run the commit command to commit the configuration.
L3VPN over SR-MPLS BE (5)
Check VPNv4 routing information on PE1:
<PE1>display bgp vpnv4 all routing-table 10.1.5.5

 BGP local router ID : 10.0.1.1
 Local AS number : 100

 Total routes of Route Distinguisher(100:1): 1

 BGP routing table entry information of 10.1.5.5/32:
 Label information (Received/Applied): 48122/NULL
 From: 10.0.3.3 (10.0.3.3)
 Route Duration: 0d00h39m18s
 Relay IP Nexthop: 10.0.12.2
 Relay IP Out-Interface: GigabitEthernet0/3/1
 Relay Tunnel Out-Interface: GigabitEthernet0/3/1
 Original nexthop: 10.0.3.3
 Qos information : 0x0
 Ext-Community: RT <111 : 1>
 AS-path 65001, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255, IGP cost 2
 Not advertised to any peer yet
48122 (Received) is the label that PE2 allocated to 10.1.5.5/32; the original next hop 10.0.3.3 is what the tunnel policy resolves to an SR LSP.
L3VPN over SR-MPLS BE (6)
Check vpna's routing information on PE1:
<PE1>display ip routing-table vpn-instance vpna 10.1.5.5 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 10.1.5.5/32
     Protocol: IBGP            Process ID: 0
   Preference: 255                   Cost: 0
      NextHop: 10.0.3.3         Neighbour: 10.0.3.3
        State: Active Adv Relied      Age: 00h35m03s
          Tag: 0                  Priority: low
        Label: 48122               QoSInfo: 0x0
   IndirectID: 0x100013A          Instance:
 RelayNextHop: 10.0.12.2         Interface: GigabitEthernet0/3/1
     TunnelID: 0x000000002900000042 Flags: RD
The VPNv4 label (48122) and the SR LSP (TunnelID 0x000000002900000042, the SR-MPLS BE LSP to 10.0.3.3) are combined to guide packet forwarding.
L3VPN over SR-MPLS BE (7)
Tracert the SR LSP on PE1:
<PE1>tracert lsp segment-routing ip 10.0.3.3 32
  LSP Trace Route FEC: SEGMENT ROUTING IPV4 PREFIX 10.0.3.3/32 , press CTRL_C to break.
  TTL   Replier            Time    Type      Downstream
  0                                Ingress   10.0.12.2/[16003 ]
  1     10.0.12.2          8 ms    Transit   10.0.23.3/[3 ]
  2     10.0.3.3           9 ms    Egress
Question: How are the labels computed? 16003 is PE2's prefix SID: SRGB base 16000 plus prefix SID index 3, the same value on every node because all nodes share the SRGB. Label 3 is implicit null: P is the penultimate hop for 10.0.3.3/32 and pops the transport label (PHP), so PE2 receives the packet carrying only the VPN label 48122.
Verify the configuration on CE1:
<CE1>ping -a 10.1.4.4 10.1.5.5
  PING 10.1.5.5: 56  data bytes, press CTRL_C to break
    Reply from 10.1.5.5: bytes=56 Sequence=1 ttl=254 time=1 ms
    Reply from 10.1.5.5: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 10.1.5.5: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 10.1.5.5: bytes=56 Sequence=4 ttl=254 time=1 ms
    Reply from 10.1.5.5: bytes=56 Sequence=5 ttl=254 time=1 ms
Contents

1. Segment Routing Overview

2. Segment Routing Fundamentals

3. Segment Routing Tunnel Protection and Detection Technologies

4. Typical Usage Scenarios of Segment Routing

5. Basic Configurations of Segment Routing


▫ SR-MPLS BE
◼ SR-MPLS TE
▫ SR-MPLS Policy
L3VPN over SR-MPLS TE (1)
[Figure: the same AS 100 topology as in the SR-MPLS BE example: PE1 (Loopback0 10.0.1.1/32) - P (Loopback0 10.0.2.2/32) - PE2 (Loopback0 10.0.3.3/32), links 10.0.12.0/24 (.1/.2) and 10.0.23.0/24 (.2/.3); CE1 (AS 65000, Loopback1 10.1.4.4/32) on 10.0.14.0/24 and CE2 (AS 65001, Loopback1 10.1.5.5/32) on 10.0.35.0/24; VPN instance vpna on both PEs.]
Networking requirements:
1. Connect PE1 and PE2 to different CEs that belong to VPN instance vpna.
2. Deploy L3VPN service recursion to an SR-MPLS TE tunnel on the backbone network so that CE1 and CE2 can communicate through Loopback1.
Configuration roadmap:
1. Configure interface IP addresses and OSPF. (Configuration details are not provided.)
2. Enable MPLS, configure SR, and establish SR-MPLS TE LSPs on the backbone network.
3. Establish an MP-BGP peer relationship between PE1 and PE2.
4. Enable the VPN instance IPv4 address family on each PE.
5. Establish an MP-IBGP peer relationship between the PEs.
6. Configure a tunnel policy for the PEs to preferentially select SR-MPLS TE LSPs.
7. Verify the configuration.
L3VPN over SR-MPLS TE (2)
(Same topology and roadmap as on the previous slide.) Configure basic SR-MPLS TE functions. PE1 configurations are as follows; P and PE2 configurations are not provided.
[~PE1] mpls lsr-id 10.0.1.1
[*PE1] mpls
[*PE1-mpls] mpls te
[*PE1-mpls] quit
[~PE1] segment-routing
[*PE1-segment-routing] quit
[~PE1] ospf 1
[*PE1-ospf-1] opaque-capability enable
[*PE1-ospf-1] segment-routing mpls
[*PE1-ospf-1] segment-routing global-block 16000 23999
[*PE1-ospf-1] area 0
[*PE1-ospf-1-area-0.0.0.0] mpls-te enable
[*PE1-ospf-1-area-0.0.0.0] quit
[*PE1-ospf-1] quit
[*PE1] interface loopback 0
[*PE1-LoopBack0] ospf prefix-sid index 1
[*PE1-LoopBack0] quit
[*PE1] commit

• Before configuring an SR-MPLS TE tunnel, you need to enable MPLS TE on each device in the SR-MPLS domain.
▫ Run the system-view command to enter the system view.
▪ Run the mpls lsr-id lsr-id command to configure an LSR ID for the local device.
▪ Run the mpls command to enter the MPLS view.
▪ Run the mpls te command to enable MPLS TE globally on the local device.
▫ (Optional) Enable interface-specific MPLS TE. In a scenario where the controller or ingress performs path computation, interface-specific MPLS TE must be enabled. In a static explicit path scenario, this step can be skipped.
▪ Run the quit command to return to the system view.
▪ Run the interface interface-type interface-number command to enter the view of an interface on an MPLS TE link.
▪ Run the mpls command to enable MPLS on the interface.
▪ Run the mpls te command to enable MPLS TE on the interface.
▫ Run the commit command to commit the configuration.
• SR-MPLS TE supports both strict and loose explicit paths. Strict explicit paths
mainly use adjacency SIDs, while loose explicit paths use both adjacency and
node SIDs. Before configuring an SR-MPLS TE tunnel, perform the following steps
to generate adjacency and node SIDs:
▫ Specify an SRGB.
▪ Run the system-view command to enter the system view.
▪ Run the ospf process-id command to enter the OSPF view.
▪ Run the opaque-capability enable command to enable the opaque
LSA capability.
▪ Run the segment-routing mpls command to enable SR for the
corresponding OSPF topology.
▪ Run the segment-routing global-block begin-value end-value
command to specify an OSPF SRGB.
▪ Run the area area-id command to enter the OSPF area view.
▪ Run the mpls-te enable [ standard-complying ] command to enable
TE in the current OSPF area.
▫ Configure an SR prefix SID.
▪ Run the interface loopback loopback-number command to create a
loopback interface and enter the interface view.
▪ Run the ospf enable [ process-id ] area area-id command to enable
OSPF on the interface.
▪ Run the ip address ip-address { mask | mask-length } command to
configure an IP address for the loopback interface.
▪ Run the ospf prefix-sid { absolute sid-value | index index-value }
[ node-disable ] command to configure an SR prefix SID for the IP
address of the interface.
▫ (Optional) Configure an adjacency SID.
▪ Adjacency SIDs are dynamically generated after OSPF SR is enabled.
To disable this, run the segment-routing auto-adj-sid disable
command. Dynamically generated adjacency SIDs may change after a
device restart. If an explicit path uses such an adjacency SID and the
associated device is restarted, the adjacency SID needs to be
reconfigured. You can also manually configure an adjacency SID to
facilitate the use of an explicit path.
▪ Run the segment-routing command to enter the Segment Routing
view.
▪ Run the ipv4 adjacency local-ip-addr local-ip-address remote-ip-
addr remote-ip-address sid sid-value command to configure a static
SR adjacency SID.
L3VPN over SR-MPLS TE (3)
Configure an SR-MPLS TE explicit path. PE1 configurations are as follows; P and PE2 configurations are not provided.
[~PE1] explicit-path te1
[*PE1-explicit-path-te1] next sid label 16002 type prefix
[*PE1-explicit-path-te1] next sid label 16003 type prefix
[*PE1-explicit-path-te1] commit
[~PE1-explicit-path-te1] quit
Configure an SR-MPLS TE tunnel interface. PE1 configurations are as follows; PE2 configurations are not provided.
[~PE1] interface tunnel1
[*PE1-Tunnel1] ip address unnumbered interface LoopBack0
[*PE1-Tunnel1] tunnel-protocol mpls te
[*PE1-Tunnel1] destination 10.0.3.3
[*PE1-Tunnel1] mpls te tunnel-id 1
[*PE1-Tunnel1] mpls te signal-protocol segment-routing
[*PE1-Tunnel1] mpls te path explicit-path te1
[*PE1-Tunnel1] commit
[~PE1-Tunnel1] quit
Note: the tunnel interface borrows the address of LoopBack0 (10.0.1.1, PE1's LSR ID); in this topology Loopback1 exists only on the CEs. The destination 10.0.3.3 is PE2's LSR ID, and the explicit path lists P's prefix SID (16002) followed by PE2's (16003).

• In this example, an explicit path is established by specifying prefix SIDs.
• An explicit path is a vector path comprised of a series of nodes that are arranged in the configuration sequence. The path through which an SR-MPLS TE LSP passes can be planned by specifying next-hop labels or next-hop IP addresses on an explicit path. Generally, the IP addresses involved in an explicit path are interface IP addresses. An explicit path that is in use can be updated. To configure an explicit path, perform the following steps:
▫ Run the system-view command to enter the system view.
▫ Run the explicit-path path-name command to create an explicit path and enter the explicit path view.
▫ Run the next sid label label-value type { adjacency | prefix | binding-sid } command to specify a next-hop SID for the explicit path.
▫ Run the commit command to commit the configuration.
• SR-MPLS TE tunnels are established and managed using tunnel interfaces. As such, you need to configure a tunnel interface on the ingress of each SR-MPLS TE tunnel.
▫ Run the system-view command to enter the system view.
▫ Run the interface tunnel tunnel-number command to create a tunnel interface and enter the tunnel interface view.
▫ Configure an IP address for the tunnel interface.
▪ Run the ip address unnumbered interface interface-type interface-number command to specify an unnumbered IP address for the tunnel interface.
▪ An SR-MPLS TE tunnel is unidirectional and does not need a peer IP address. A separate IP address for the tunnel interface is not recommended. The LSR ID of the ingress is generally used as the tunnel interface's IP address.
▫ Run the tunnel-protocol mpls te command to configure MPLS TE as the tunneling protocol.
▫ Run the destination ip-address command to configure a destination address for the tunnel. Generally, the destination address of a tunnel is the LSR ID of the egress.
▪ Different types of tunnels have different requirements for the destination address. When the tunneling protocol is changed to MPLS TE from another type, the configured destination address is automatically deleted and needs to be reconfigured.
▫ Run the mpls te tunnel-id tunnel-id command to configure a tunnel ID.
▫ Run the mpls te signal-protocol segment-routing command to set the signaling protocol of the TE tunnel to SR.
▫ Run the mpls te path explicit-path path-name [ secondary ] command to specify an explicit path for the tunnel. The value of path-name must be the same as the name of the explicit path created using the explicit-path path-name command.
L3VPN over SR-MPLS TE (4)
(Same topology and roadmap as on the previous slides.) PE1 configurations are as follows; PE2 configurations are not provided.
Establish the MP-BGP (VPNv4) peer relationship with PE2:
[~PE1] bgp 100
[~PE1-bgp] peer 10.0.3.3 as-number 100
[*PE1-bgp] peer 10.0.3.3 connect-interface loopback 0
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 10.0.3.3 enable
[*PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
Create the VPN instance and peer with CE1 inside it:
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpna
[*PE1-bgp-vpna] peer 10.0.14.4 as-number 65000
[*PE1-bgp-vpna] commit
(Binding the CE-facing interface on 10.0.14.0/24 to vpna is not shown on the slide.)


L3VPN over SR-MPLS TE (5)
PE1 configurations are as follows; PE2 configurations are not provided.
[~PE1] tunnel-policy p2
[*PE1-tunnel-policy-p2] tunnel select-seq sr-te load-balance-number 1
[*PE1-tunnel-policy-p2] quit
[*PE1] commit
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] tnl-policy p2
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] commit
Run the display tunnel-info all command on PE1 to check SR LSP information:
<PE1>display tunnel-info all
Tunnel ID            Type       Destination   Status
-----------------------------------------------------------------------------------
0x000000000300000001 sr-te      10.0.3.3      UP
0x000000002900000042 srbe-lsp   10.0.3.3      UP
0x000000002900000043 srbe-lsp   10.0.2.2      UP
0x000000000300000001 is the ID of the SR-MPLS TE tunnel to PE2. Both an SR-MPLS TE tunnel and an SR-MPLS BE LSP to 10.0.3.3 are UP; because p2 lists only sr-te, vpna recurses to the SR-MPLS TE tunnel and ignores the BE LSP.
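The tunnel policies p1 (sr-lsp, load-balance-number 2, SR-MPLS BE slides) and p2 (sr-te, load-balance-number 1, this slide) decide which of the tunnels above a VPN route with next hop 10.0.3.3 recurses to. The following Python is an added example, not part of the training material or Huawei code: it parses the display tunnel-info all table printed on this slide (copied into TUNNEL_INFO) and applies a select-seq rule to it. The selection rule is my reading of the command, not vendor logic: types are tried in the listed order, UP tunnels to the destination are collected until load-balance-number is reached, and unmix stops at the first type that yields a tunnel instead of filling up from later types.

```python
"""Added example (not from the training material): apply a tunnel policy of
the form `tunnel select-seq <types> load-balance-number N [unmix]` to the
table printed by `display tunnel-info all`, to see which tunnels a VPN route
with a given next hop recurses to. Selection rule is my reading of the
command: try types in the listed order, keep UP tunnels to the destination
until N are collected; with `unmix`, stop after the first type that yields
any tunnel rather than mixing types."""
import re

# Constructed from the display output on the SR-MPLS TE slide (tunnel IDs as shown there).
TUNNEL_INFO = """\
Tunnel ID            Type       Destination   Status
-------------------------------------------------------------------------------
0x000000000300000001 sr-te      10.0.3.3      UP
0x000000002900000042 srbe-lsp   10.0.3.3      UP
0x000000002900000043 srbe-lsp   10.0.2.2      UP
"""

ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

# keyword used in `tunnel select-seq` -> value in the Type column of the display;
# keywords not listed here are assumed to appear unchanged in the Type column
TYPE_NAMES = {"sr-lsp": "srbe-lsp", "sr-te": "sr-te"}


def parse_tunnel_info(text: str) -> list:
    """One dict per tunnel row; the header and the rule line do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(dict(zip(("id", "type", "dest", "status"), m.groups())))
    return rows


def select_tunnels(tunnels: list, dest: str, select_seq: list,
                   load_balance_number: int, unmix: bool = False) -> list:
    """IDs of the tunnels a route with next hop `dest` would load-balance over."""
    chosen = []
    for keyword in select_seq:
        wanted = TYPE_NAMES.get(keyword, keyword)
        for t in tunnels:
            if len(chosen) >= load_balance_number:
                break
            if t["dest"] == dest and t["status"] == "UP" and t["type"] == wanted:
                chosen.append(t["id"])
        if chosen and (unmix or len(chosen) >= load_balance_number):
            break
    return chosen


def check_policy(text: str, dest: str, select_seq: list, n: int, unmix: bool = False) -> list:
    return select_tunnels(parse_tunnel_info(text), dest, select_seq, n, unmix)


if __name__ == "__main__":
    # p1 and p2 from the slides, applied to the VPNv4 routes whose next hop is PE2 (10.0.3.3)
    print("p1 (sr-lsp, 2):", check_policy(TUNNEL_INFO, "10.0.3.3", ["sr-lsp"], 2))
    print("p2 (sr-te, 1): ", check_policy(TUNNEL_INFO, "10.0.3.3", ["sr-te"], 1))
    print("sr-te sr-lsp, 2:      ", check_policy(TUNNEL_INFO, "10.0.3.3", ["sr-te", "sr-lsp"], 2))
    print("sr-te sr-lsp, 2 unmix:", check_policy(TUNNEL_INFO, "10.0.3.3", ["sr-te", "sr-lsp"], 2, True))
```

With p2 the only candidate is 0x000000000300000001, which is exactly the TunnelID the vpna routing table shows on the next slide; a policy that lists sr-te first and sr-lsp second with load-balance-number 2 would spread the VPN traffic over both the TE tunnel and the BE LSP unless unmix is set.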


L3VPN over SR-MPLS TE (6)
Check vpna's routing information on PE1:
[~PE1]display ip routing-table vpn-instance vpna 10.1.5.5 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 10.1.5.5/32
     Protocol: IBGP            Process ID: 0
   Preference: 255                   Cost: 0
      NextHop: 10.0.3.3         Neighbour: 10.0.3.3
        State: Active Adv Relied      Age: 00h04m18s
          Tag: 0                  Priority: low
        Label: 48122               QoSInfo: 0x0
   IndirectID: 0x100013D          Instance:
 RelayNextHop: 0.0.0.0           Interface: Tunnel1
     TunnelID: 0x000000000300000001 Flags: RD
The VPNv4 label (48122) and the SR-MPLS TE LSP are combined to guide packet forwarding: the route now recurses to Tunnel1 (TunnelID 0x000000000300000001) instead of the SR-MPLS BE LSP used in the previous example.


L3VPN over SR-MPLS TE (7)
Tracert the SR LSP on PE1:
<PE1>tracert lsp segment-routing te Tunnel 1
  LSP Trace Route FEC: SEGMENT ROUTING TE TUNNEL IPV4 SESSION QUERY Tunnel1 , press CTRL_C to break.
  TTL   Replier            Time    Type      Downstream
  0                                Ingress   10.0.12.2/[16003 ]
  1     10.0.12.2          21 ms   Transit   10.0.23.3/[3 ]
  2     10.0.3.3           9 ms    Egress
Question: How are the labels computed? The explicit path te1 is <16002, 16003>. P is directly connected to PE1 and is the owner of prefix SID 16002, so PE1 is the penultimate hop for that SID: it does not push 16002 (implicit null) and the packet leaves PE1 with transport label 16003 only. P is in turn the penultimate hop for PE2's prefix SID 16003 and pops it (shown as label 3), so PE2 receives only the VPN label. On the wire this path is therefore identical to the SR-MPLS BE LSP of the previous example; the explicit path only pins the route through P.
Verify the configuration on CE1:
<CE1>ping -a 10.1.4.4 10.1.5.5
  PING 10.1.5.5: 56  data bytes, press CTRL_C to break
    Reply from 10.1.5.5: bytes=56 Sequence=1 ttl=254 time=1 ms
    Reply from 10.1.5.5: bytes=56 Sequence=2 ttl=254 time=1 ms
    Reply from 10.1.5.5: bytes=56 Sequence=3 ttl=254 time=1 ms
    Reply from 10.1.5.5: bytes=56 Sequence=4 ttl=254 time=1 ms
    Reply from 10.1.5.5: bytes=56 Sequence=5 ttl=254 time=1 ms


Contents

1. Segment Routing Overview

2. Segment Routing Fundamentals

3. Segment Routing Tunnel Protection and Detection Technologies

4. Typical Usage Scenarios of Segment Routing

5. Basic Configurations of Segment Routing


▫ SR-MPLS BE
▫ SR-MPLS TE
◼ SR-MPLS Policy
L3VPN over Static SR-MPLS Policy (1)
[Figure: the same AS 100 topology: PE1 (Loopback0 10.0.1.1/32) - P (Loopback0 10.0.2.2/32) - PE2 (Loopback0 10.0.3.3/32), links 10.0.12.0/24 (.1/.2) and 10.0.23.0/24 (.2/.3); CE1 (AS 65000, Loopback1 10.1.4.4/32) on 10.0.14.0/24 and CE2 (AS 65001, Loopback1 10.1.5.5/32) on 10.0.35.0/24; VPN instance vpna on both PEs.]
Networking requirements:
1. Connect PE1 and PE2 to different CEs that belong to VPN instance vpna.
2. Deploy L3VPN service recursion to a static SR-MPLS Policy on the backbone network so that CE1 and CE2 can communicate through Loopback1.
Configuration roadmap:
1. Configure interface IP addresses and OSPF. (Configuration details are not provided.)
2. Enable MPLS and configure an SR-MPLS Policy on the backbone network.
3. Establish an MP-BGP peer relationship between PE1 and PE2.
4. Enable the VPN instance IPv4 address family on each PE.
5. Configure the color attribute for routes on the PEs and enable the PEs to exchange routing information.
6. Configure a tunnel policy on the PEs.
7. Verify the configuration.


L3VPN over Static SR-MPLS Policy (2)
[Figure: the same topology with static adjacency SIDs: 330012 (PE1 to P), 330021 (P to PE1), 330023 (P to PE2), 330032 (PE2 to P).]
Configure basic SR-MPLS functions. PE1 configurations are as follows; P and PE2 configurations are not provided.
[~PE1] mpls lsr-id 10.0.1.1
[*PE1] mpls
[*PE1-mpls] mpls te
[*PE1-mpls] quit
[~PE1] segment-routing
[*PE1-segment-routing] ipv4 adjacency local-ip-addr 10.0.12.1 remote-ip-addr 10.0.12.2 sid 330012
[*PE1-segment-routing] quit
[~PE1] ospf 1
[*PE1-ospf-1] opaque-capability enable
[*PE1-ospf-1] segment-routing mpls
[*PE1-ospf-1] segment-routing global-block 16000 23999
[*PE1-ospf-1] quit
[*PE1] interface loopback 0
[*PE1-LoopBack0] ospf prefix-sid index 1
[*PE1-LoopBack0] quit
[*PE1] commit
In scenarios where SR-MPLS Policies are statically configured, you are advised to use statically configured adjacency SIDs: dynamically allocated adjacency SIDs may change after a restart, which would silently invalidate a static segment list.

• In this example, adjacency SIDs are configured statically. The values of the adjacency SIDs are shown in the figure.
L3VPN over Static SR-MPLS Policy (3)
Configure an SR-MPLS Policy. PE1 configurations are as follows; P and PE2 configurations are not provided.
[~PE1] segment-routing
[~PE1-segment-routing] segment-list pe1
[*PE1-segment-routing-segment-list-pe1] index 10 sid label 330012
[*PE1-segment-routing-segment-list-pe1] index 20 sid label 330023
[*PE1-segment-routing-segment-list-pe1] quit
[*PE1-segment-routing] sr-te policy policy100 endpoint 10.0.3.3 color 100
[*PE1-segment-routing-te-policy-policy100] binding-sid 115
[*PE1-segment-routing-te-policy-policy100] mtu 1000
[*PE1-segment-routing-te-policy-policy100] candidate-path preference 200
[*PE1-segment-routing-te-policy-policy100-path] segment-list pe1
[*PE1-segment-routing-te-policy-policy100-path] quit
[*PE1-segment-routing-te-policy-policy100] quit
[*PE1-segment-routing] quit
[*PE1] commit
The sr-te policy command sets the policy's destination address (endpoint 10.0.3.3, PE2's LSR ID) and color (100). The segment list pe1 is the label stack <330012, 330023>: PE1's adjacency SID towards P followed by P's adjacency SID towards PE2, so the path is pinned hop by hop rather than by IGP shortest path.

• SR-MPLS Policies are used to direct traffic across an SR-MPLS TE network. Each SR-MPLS Policy can have multiple candidate paths with different preferences. The valid candidate path with the highest preference is selected as the primary path, and the valid candidate path with the second highest preference as the backup path. The SR-MPLS Policy configuration procedure is as follows:
 ▫ Configure a segment list.
  ▪ Run the system-view command to enter the system view.
  ▪ Run the segment-routing command to enable SR globally and enter the Segment Routing view.
  ▪ Run the segment-list (Segment Routing view) list-name command to configure a segment list for an SR-MPLS TE candidate path and enter the segment list view.
  ▪ Run the index index sid label label command to specify a next-hop SID for the segment list.
   − You can run the command multiple times. The system generates a label stack for the segment list by index in ascending order. If a candidate path in an SR-MPLS Policy is preferentially selected, traffic is forwarded using the segment list of that candidate path. A maximum of 10 SIDs can be configured for each segment list.
 ▫ Configure an SR-MPLS Policy.
  ▪ Run the system-view command to enter the system view.
  ▪ Run the segment-routing command to enable SR globally and enter the Segment Routing view.
  ▪ Run the sr-te policy policy-name [ endpoint ipv4-address color color-value ] command to create an SR-MPLS Policy with the specified endpoint and color and enter the SR-MPLS Policy view.
  ▪ (Optional) Run the binding-sid label-value command to configure a binding SID for the SR-MPLS Policy. The value of label-value must be within the range defined using the local-block begin-value end-value command.
  ▪ (Optional) Run the mtu mtu command to configure an MTU for the SR-MPLS Policy.
  ▪ Run the candidate-path preference preference command to configure a candidate path and its preference for the SR-MPLS Policy. Each SR-MPLS Policy supports multiple candidate paths. A larger preference value indicates a higher candidate path preference; if multiple candidate paths are configured, the one with the highest preference takes effect.
  ▪ Run the segment-list (candidate path view) list-name command to reference the specified segment list for the SR-MPLS TE candidate path. The segment list must have been created using the segment-list (Segment Routing view) command.
L3VPN over Static SR-MPLS Policy (4)

PE1 configurations are as follows (PE2 configurations are not provided):

[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*PE1] interface loopback1
[*PE1-LoopBack1] ip binding vpn-instance vpna
[*PE1-LoopBack1] ip address 10.1.4.4 24
[*PE1-LoopBack1] quit
[~PE1] route-policy color100 permit node 1
[*PE1-route-policy] apply extcommunity color 0:100
[~PE1] bgp 100
[~PE1-bgp] peer 10.0.3.3 as-number 100
[*PE1-bgp] peer 10.0.3.3 connect-interface loopback 0
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 10.0.3.3 enable
[*PE1-bgp-af-vpnv4] peer 10.0.3.3 route-policy color100 import
[~PE1-bgp-af-vpnv4] quit
[*PE1-bgp] ipv4-family vpn-instance vpna
[*PE1-bgp-vpna] import-route direct
[*PE1-bgp-vpna] commit

The import route-policy color100 adds the color attribute (0:100) to the VPNv4 routes received from PE2.

• The color attribute is added to a route through a route-policy. This enables the route to recurse to an SR-MPLS Policy based on the color value and next-hop address of the route.
 ▫ Configure a route-policy.
  ▪ Run the system-view command to enter the system view.
  ▪ Run the route-policy route-policy-name { deny | permit } node node command to create a route-policy and enter the route-policy view.
  ▪ (Optional) Configure if-match clauses for the route-policy. The community attributes are added or modified only for routes that match the specified if-match clauses.
  ▪ Run the apply extcommunity color color command to configure a BGP extended community, that is, the color attribute.
  ▪ Run the commit command to commit the configuration.
 ▫ Apply the route-policy to the specified BGP VPNv4 peer.
  ▪ Run the system-view command to enter the system view.
  ▪ Run the bgp as-number command to enter the BGP view.
  ▪ Run the peer { ipv4-address | group-name } as-number { as-number-plain | as-number-dot } command to create a BGP peer.
  ▪ Run the ipv4-family vpnv4 command to enter the BGP VPNv4 address family view.
  ▪ Run the peer { ipv4-address | group-name } enable command to enable the BGP VPNv4 peer relationship.
  ▪ Run the peer { ipv4-address | group-name } route-policy route-policy-name { import | export } command to configure a BGP import or export route-policy.
  ▪ Run the commit command to commit the configuration.
L3VPN over Static SR-MPLS Policy (5)

PE1 configurations are as follows (PE2 configurations are not provided):

[~PE1] tunnel-policy p3
[*PE1-tunnel-policy-p3] tunnel select-seq sr-te-policy load-balance-number 1 unmix
[*PE1-tunnel-policy-p3] quit
[*PE1] commit
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] tnl-policy p3
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] commit

Run the display tunnel-info all command on PE1 to check SR LSP information:

<PE1>display tunnel-info all
Tunnel ID            Type        Destination   Status
-------------------------------------------------------------------------------
0x000000000300000001 sr-te       10.0.3.3      UP
0x000000002900000042 srbe-lsp    10.0.3.3      UP
0x000000002900000043 srbe-lsp    10.0.2.2      UP
0x000000003200000001 srtepolicy  10.0.3.3      UP

0x000000003200000001 is the tunnel ID of the SR-TE Policy destined for PE2 (10.0.3.3).
L3VPN over Static SR-MPLS Policy (6)

Check vpna's routing information on PE1:

[~PE1] display ip routing-table vpn-instance vpna 10.1.5.5 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 10.1.5.5/32
     Protocol: IBGP                 Process ID: 0
   Preference: 255                        Cost: 0
      NextHop: 10.0.3.3              Neighbour: 10.0.3.3
        State: Active Adv Relied          Age: 00h01m04s
          Tag: 0                      Priority: low
        Label: 48122                   QoSInfo: 0x0
   IndirectID: 0x100013F              Instance:
 RelayNextHop: 0.0.0.0               Interface: policy100
     TunnelID: 0x000000003200000001      Flags: RD

The route's VPNv4 label (48122) and the SR-TE Policy LSP (TunnelID 0x000000003200000001, outbound interface policy100) are combined to guide packet forwarding.
L3VPN over Static SR-MPLS Policy (7)

Tracert the SR LSP on PE1:

<PE1>tracert lsp sr-te policy endpoint-ip 10.0.3.3 color 100
sr-te policy's segment list:
Preference: 200; Path Type: primary; Protocol-Origin: local; Originator: 0, 0.0.0.0; Discriminator: 200; Segment-List ID: 65; Xcindex: 2000065
TTL  Replier     Time     Type      Downstream
0                         Ingress   10.0.12.2/[330023 ]
1    10.0.12.2   24 ms    Transit   10.0.23.3/[3 ]
2    10.0.3.3    113 ms   Egress

Question: How are the labels computed?

Verify the configuration on CE1:

<CE1>ping -a 10.1.4.4 10.1.5.5
PING 10.1.5.5: 56 data bytes, press CTRL_C to break
Reply from 10.1.5.5: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=5 ttl=254 time=1 ms
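The tracert output above answers its own question only implicitly: the segment list is 330012, 330023, yet the ingress reports pushing only [330023], and the transit reports label 3 (implicit null) toward PE2. The following Python script is an added example, not part of the course and not Huawei software. It models the standard SR-MPLS rule that a node consumes its own adjacency SID and forwards the rest of the stack over that link, with the VPNv4 label (48122) riding at the bottom untouched until the egress. The adjacency SIDs, the segment list and the VPN label are taken from this page; the link addresses 10.0.12.1 and 10.0.23.2 and the per-node forwarding model itself are assumptions made for the example.

```python
"""Hop-by-hop label-stack walk for the static SR-MPLS Policy on this page.

Added example, not Huawei code. Adjacency SIDs, the segment list (330012,
330023) and the VPNv4 label 48122 come from the figure and display output
above. Forwarding model (assumed, textbook SR-MPLS): a node that finds its
OWN adjacency SID on top of the stack pops it and sends the remainder over
that link; the VPN label is never touched in transit.
"""
from dataclasses import dataclass, field

IMPLICIT_NULL = 3  # reserved MPLS label; tracert prints it when no transport label remains


@dataclass
class Node:
    name: str
    loopback: str
    # adjacency SID -> (neighbour's link address, neighbour name)
    adj_sids: dict = field(default_factory=dict)


# Topology from the slide: PE1 -- P -- PE2 with static adjacency SIDs.
# 10.0.12.1 and 10.0.23.2 are assumed; only 10.0.12.2 / 10.0.23.3 appear on the page.
NODES = {
    "PE1": Node("PE1", "10.0.1.1", {330012: ("10.0.12.2", "P")}),
    "P":   Node("P",   "10.0.2.2", {330021: ("10.0.12.1", "PE1"),
                                    330023: ("10.0.23.3", "PE2")}),
    "PE2": Node("PE2", "10.0.3.3", {330032: ("10.0.23.2", "P")}),
}


def trace(ingress, segment_list, vpn_label):
    """Walk a packet from `ingress` along the policy's segment list.

    Returns one record per node in the shape of the tracert table:
    (node, downstream link address or None, transport labels on the wire).
    The VPN label sits below the transport labels and is excluded from the
    reported stack; at the egress only the VPN label is left.
    """
    stack = list(segment_list) + [vpn_label]
    node = NODES[ingress]
    hops = []
    for _ in range(len(NODES) + 1):  # bounded: a bad segment list must not loop forever
        top = stack[0]
        if top == vpn_label:
            hops.append((node.name, None, []))  # egress: VPN label -> vpna lookup
            return hops
        if top not in node.adj_sids:
            raise ValueError(f"{node.name} does not own adjacency SID {top}: "
                             "the segment list cannot be resolved here")
        link_addr, neighbour = node.adj_sids[top]
        stack.pop(0)  # the node's own adjacency SID is consumed, not forwarded
        transport = [lbl for lbl in stack if lbl != vpn_label]
        hops.append((node.name, link_addr, transport or [IMPLICIT_NULL]))
        node = NODES[neighbour]
    raise RuntimeError("segment list did not terminate at the VPN label")


def wire_stack(ingress, segment_list, vpn_label):
    """Full label stack the ingress actually pushes (transport labels + VPN label)."""
    first_hop = trace(ingress, segment_list, vpn_label)[0]
    return first_hop[2] + [vpn_label]


def resolvable(ingress, segment_list, vpn_label=48122):
    """True if every hop of the walk owns the SID it finds on top of the stack."""
    try:
        trace(ingress, segment_list, vpn_label)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ttl, (node, downstream, labels) in enumerate(trace("PE1", [330012, 330023], 48122)):
        print(ttl, node, downstream, labels)
    print("pushed by PE1:", wire_stack("PE1", [330012, 330023], 48122))
```

Running the script prints the same three rows as the tracert table: PE1 sends [330023] toward 10.0.12.2 (330012 is its own adjacency and is used only to pick the outgoing link), P pops 330023 and reports implicit null toward 10.0.23.3, and PE2 is left with the VPN label 48122 that the display ip routing-table output above shows. Reversing the segment list makes resolvable() return False, which is the failure mode of a hand-typed static segment list.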


Quiz

1. (Single-answer question) Which of the following types of LSAs is used by OSPF to carry node IDs? ( )
A. Type 1
B. Type 2
C. Type 7
D. Type 10

Answer: D

2. (Multiple-answer question) Which of the following ports are used by SBFD packets by default? ( )
A. 4784
B. 3784
C. 6784
D. 7784

Answer: AD
Summary

SR forwards data packets using the source routing model. Compared with LDP and RSVP-TE, SR-MPLS simplifies the control plane of an MPLS network: information such as labels is carried through IGP extensions alone, and transit nodes no longer maintain per-path state, which improves scalability. The forwarding path can be controlled from the ingress alone. In addition, SR-MPLS can work with a centralized path computation module to control and adjust paths flexibly, which eases the evolution to SDN.

SR-MPLS supports three types of LSPs: SR-MPLS BE, SR-MPLS TE, and SR-MPLS Policy. SR-MPLS provides multiple detection and protection mechanisms for these LSPs, such as TI-LFA FRR, anycast FRR, hot standby, VPN FRR, microloop avoidance, BFD, and SBFD.

SR-MPLS supports both traditional and SDN networks, is compatible with existing devices, and supports multiple scenarios such as inter-AS interconnection. To facilitate understanding, this course provides examples for configuring SR-MPLS using commands. The following courses introduce how to use the controller to configure SR-MPLS.
Thank you.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
SRv6 Fundamentals and Configuration

Foreword

⚫ At the beginning of the Segment Routing (SR) architecture design, two implementation modes were designed for the data plane. One is Segment Routing-Multiprotocol Label Switching (SR-MPLS), which reuses the MPLS data plane and can be incrementally deployed on an existing IP/MPLS network. The other is Segment Routing IPv6 (SRv6), which uses the IPv6 data plane and is implemented as an extension of the IPv6 Routing header.
⚫ This document describes the concepts and fundamentals of SRv6 and its applications on Huawei NetEngine series routers.
Objectives

⚫ On completion of this course, you will be able to:
 Describe the background of SRv6.
 Describe the technical advantages of SRv6.
 Describe the basic concepts and fundamentals of SRv6.
 Describe the concepts and fundamentals of SRv6 high reliability.
 Describe how to configure SRv6 BE and static SRv6 Policies.
 Describe how to deploy SRv6 using iMaster NCE-IP.

Contents

1. SRv6 Overview
2. SRv6 Fundamentals
3. SRv6 High Reliability
4. Basic SRv6 Configuration
5. SRv6 Deployment Using iMaster NCE-IP
IP/MPLS Network Introduction

⚫ As a Layer 2.5 technology that runs between Layer 2 and Layer 3, MPLS adds connection-oriented attributes to connectionless IP networks. Traditional MPLS label-based forwarding improved the forwarding efficiency of IP networks. As hardware capabilities have continued to improve, MPLS no longer has a distinct advantage in forwarding efficiency; nevertheless, it still provides good QoS guarantees for IP networks through connection-oriented label forwarding and also supports TE, VPN, and FRR.
⚫ IP/MPLS networks have gradually replaced dedicated networks such as ATM, frame relay (FR), and X.25. Ultimately, MPLS has been applied to various networks, including IP backbone, metro, and mobile transport, to support multi-service transport and implement the Internet's all-IP transformation.

Figure: a packet for destination 10.1.1.1 (prefix 10.1.1.0/24) is forwarded by IP header lookup on the IP networks at either end and by MPLS label lookup across the IP/MPLS network in the middle. On the MPLS segment the frame is: Ethernet header | MPLS header | IP packet.

• In the initial stage of network development, multiple types of networks, such as
X.25, FR, ATM, and IP, co-existed to meet different service requirements. These
networks could not interwork with each other, and on top of that, also
competed, with mainly ATM and IP networks taking center stage. ATM is a
transmission mode that uses fixed-length cell switching. It establishes paths in
connection-oriented mode, and can provide better QoS capabilities than IP. The
design philosophy of ATM involves centering on networks and providing reliable
transmission, and its design concepts reflect the reliability and manageability
requirements of telecommunications networks. This is the reason why ATM was
widely deployed on early telecommunications networks. The design concepts of
IP differ greatly from those of ATM. To be more precise, IP is a connectionless
communication mechanism that provides the best-effort forwarding capability,
and the packet length is not fixed. On top of that, IP networks mainly rely on the
transport-layer protocols (e.g., TCP) to ensure transmission reliability, and the
requirement for the network layer involves ease of use. The design concept of IP
networks embodies the "terminal-centric and best-effort" notion of the computer
network, enabling IP to meet the computer network's service requirements. The
competition between the two can essentially be represented as a competition
between telecommunications and computer networks. As the network scale
expanded and network services increased in number, ATM networks became
more complex than IP networks, while also bearing higher management costs.
Within the context of costs versus benefits for telecom carriers, ATM networks
were gradually replaced by IP networks.
• Although IP is more suitable for the development of computer networks than
ATM, computer networks require a certain level of QoS guarantee. To
compensate for the IP network's insufficient QoS capabilities, numerous
technologies integrating IP and ATM, such as local area network emulation
(LANE) and IP over ATM (IPoA), have been proposed. However, these
technologies only addressed part of the issue, until 1996 when MPLS technology
was proposed to provide a better solution to this issue.
Issues with MPLS LDP and RSVP-TE

MPLS LDP (figure: routers R1 to R4 running LDP over the IGP)
• LDP itself has no path computation capability and relies on the IGP for path computation.
• Both the IGP and LDP need to be deployed on the control plane, and devices need to exchange a large number of packets to maintain neighbor relationships and path states, wasting link bandwidth and device resources.
• If LDP-IGP synchronization is not achieved, data forwarding may fail.

RSVP-TE (figure: routers R1 to R4 running RSVP-TE)
• RSVP-TE configuration is complex, and load balancing is not supported.
• To implement TE, devices need to exchange a large number of RSVP packets to maintain neighbor relationships and path states, wasting link bandwidth and device resources.
• RSVP-TE uses a distributed architecture, so each device only knows its own state and needs to exchange signaling packets with other devices.
SR Origin and Solution

⚫ The SDN concept has had a great impact on the network industry, and many protocols for SDN implementation have emerged, including OpenFlow, Protocol Oblivious Forwarding (POF), Programming Protocol-independent Packet Processors (P4), and SR. Compared with these revolutionary protocols, SR takes compatibility with the existing network and smooth evolution into account while still providing programmability. It has become a de facto SDN standard.

Technology   Advantages                               Disadvantages
IP           ECMP                                     Lack of the path planning capability
LDP          Simple configuration; label-based        LDP-IGP synchronization issue; lack of the
             forwarding                               load balancing capability
RSVP-TE      Bandwidth reservation; path planning     Complex configuration and maintenance; no
                                                      support for large-scale deployment

Solutions:
- SR-MPLS: incremental deployment on the existing IP/MPLS network.
- SRv6: extension based on the IPv6 Routing header.

• SR resolves many issues on IP/MPLS networks through two solutions: SR-MPLS (based on MPLS forwarding) and SRv6 (based on IPv6 forwarding).
From MPLS to SRv6

⚫ MPLS causes isolated network islands. SRv6 provides a unified forwarding plane and has advantages such as simplified protocols, high scalability, and programmability.

Figure (control plane and forwarding plane compared):
- Classic MPLS: control plane LDP, RSVP-TE, and IGP; forwarding plane an MPLS label stack over the payload, manipulated with Push, Swap, and Pop.
- SR-MPLS: control plane IGP + SR extension (control plane simplification); forwarding plane still an MPLS label stack over the payload.
- SRv6: control plane IGP + SR extension; forwarding plane IPv6 + SRH over the payload (forwarding plane simplification). SR forwarding operations are Push, Continue, and Next.
Benefits: simplified protocols, high scalability, programmability.

• Although MPLS plays an important role in the all-IP transformation of networks,
it causes isolated network islands. On the one hand, it increases the complexity of
cross-domain network interconnection. For example, solutions such as the MPLS
VPN Option A/B/C solution are complex to deploy and involve difficult E2E
service deployment. On the other hand, as the Internet and cloud computing
develop, more and more cloud data centers are built. To meet tenants'
networking requirements, multiple overlay technologies have been proposed,
among which VXLAN is a typical example. In the past, quite a few attempts were
made to provide VPN services by introducing MPLS to data centers. However,
these attempts all wound up in failure due to multiple factors, including
numerous network boundaries, complex management, and insufficient scalability.
As such, the traffic from an end user to a service in a data center may typically
need to pass through the VLAN, IP network, IP/MPLS network, and VXLAN
network.
• The combination of MPLS and SR is intended to provide programmability for
networks as a practice of SDN implementation. However, this cannot satisfy
services (such as SFC and IOAM) that need to carry metadata, as MPLS
encapsulation has poor scalability. Nowadays, the IPv4 address space is almost
exhausted. IPv6 and SR are combined, promoting the advent of SRv6.
Technical Benefits of SRv6

⚫ SRv6 simplifies existing network protocols and network management. In addition, SRv6 supports native IPv6 and provides the network programming capability, which makes it more advantageous.
 Thanks to the native IPv6 attribute, SRv6 can better promote cloud-network convergence, be compatible with existing networks, and improve inter-AS experience.
 Thanks to the network programming capability, SRv6 can not only implement path programming to meet service SLAs but also connect networks and applications to build intelligent cloud-networks.

Figure: a controller programs a path from an ingress across AS 65000 and AS 65001 through SRv6 routers and common IPv6 routers to data-download and video services; the callouts are promotion of cloud-network convergence, compatibility with existing networks, path programming to meet service SLAs, and improved inter-AS experience.
Contents

1. SRv6 Overview
2. SRv6 Fundamentals
 ◼ Basic Concepts of SRv6
 ▫ SRv6 Policy Path Establishment and Traffic Steering
 ▫ Typical SRv6 Applications
3. SRv6 High Reliability
4. Basic SRv6 Configuration
5. SRv6 Deployment Using iMaster NCE-IP
SRv6 Fundamentals

⚫ SRv6 adds a Segment Routing header (SRH) to data on the ingress to guide data forwarding.
⚫ Without changing the original encapsulation format of IPv6 packets, SRv6 packets are still IPv6 packets and can be identified by common IPv6 devices. As such, SRv6 is a native IPv6 technology.
⚫ SRv6's native IPv6 attribute enables SRv6 devices to interwork with common IPv6 devices, offering excellent compatibility on an existing network.

Figure: the ingress encapsulates the payload in an IPv6 header plus an SRH carrying the segment list B, C, D; the packet is forwarded to B, then C, then D, with the SRH and its remaining segments carried at each hop.
SRv6 SRH | SRv6 Node | SRv6 Forwarding

IPv6 SRH

⚫ RFC 8754 defines the IPv6 SRH, a Routing extension header added to IPv6 packets. The packet layout is IPv6 header | IPv6 SRH (IPv6 extension header) | IPv6 payload.
 In the IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address), Next Header = 43 indicates that a Routing extension header follows.
 In the Routing header, Routing Type = 4 identifies the SRH; this is the value assigned to the Segment Routing Header.
⚫ The SRH layout is: Next Header | Hdr Ext Len | Routing Type = 4 | Segments Left; Last Entry | Flags | Tag; Segment List[0], Segment List[1], Segment List[2], ... (each a 128-bit IPv6 address); optional TLV objects of variable length.
⚫ An SRH contains the following fields:
 Hdr Ext Len: the length of the SRH in 8-octet units, not counting the first 8 octets.
 Segment List: an ordered list of SRv6 segment identifiers (SIDs). The entry that Segments Left points to is the active segment.
 Segments Left (SL): the number of remaining SRv6 segments. At each segment endpoint the SL value is decremented and the destination IP address (DIP) is rewritten to the new active SID, so traffic is forwarded segment by segment.
 Last Entry: the index of the last element of the Segment List.
 Tag: tags a packet as part of a class or group of packets to implement group-based policies.
 SRH TLVs (e.g. NSH metadata, HMAC TLV, and Padding TLV): can be used as global parameters of SIDs in segment lists.

• The biggest difference between SRv6 and SR-MPLS lies in the IPv6 SRH. SRv6 uses IPv6 extension headers to implement Segment Routing.
• For details, see https://datatracker.ietf.org/doc/rfc8754.
SRv6 Segment

⚫ SRv6 segments are expressed using IPv6 addresses and are usually called SRv6 SIDs.
⚫ An SRv6 SID usually consists of three fields, Locator, Function, and Arguments, written in the Locator:Function:Arguments format. The total length (Locator + Function + Arguments) is at most 128 bits; if it is less than 128 bits, the remaining bits are padded with 0.
⚫ If the Arguments field does not exist, the format is Locator:Function. The Locator field occupies the most significant bits of the IPv6 address, and the Function field occupies the remaining part.

Figure: IPv6 header | IPv6 SRH (IPv6 extension header with 128-bit segment entries) | IPv6 payload; an SRv6 segment is in IPv6 address format and laid out as Locator | Function | Arguments.
SRv6 Segment: Locator

(128 bits: Locator | Function | Arguments; the Locator is an IPv6 prefix.)

⚫ The Locator field identifies the location of a network node and is used by other nodes to route and forward packets to that node, implementing network instruction addressing.
⚫ A locator has two important characteristics: it is routable and aggregatable. After a locator is configured on a node, the system generates a locator route and propagates it throughout the SR domain using an IGP, allowing other nodes to locate the node based on the received locator route. In addition, all SRv6 SIDs advertised by the node are reachable through that route.
⚫ In the following example, a locator with the 64-bit prefix 2001:DB8:ABCD:: is configured on a Huawei device.

[Huawei] segment-routing ipv6
[Huawei-segment-routing-ipv6] locator srv6_locator1 ipv6-prefix 2001:DB8:ABCD:: 64

• The locator is routable and therefore usually unique in an SR domain. In some scenarios, such as anycast protection, multiple devices may be configured with the same locator.
SRv6 Segment: Function & Arguments

(128 bits: Locator | Function (opcode) | Arguments (optional).)

⚫ The Function field identifies the forwarding behavior to be performed. In SRv6 network programming, forwarding behaviors are identified using different functions; for example, RFC 8986 defines the End, End.X, End.DX4, and End.DX6 behaviors.
⚫ An End.X SID is similar to an adjacency SID in SR-MPLS and identifies a link. A configuration example is as follows:

[Huawei-segment-routing-ipv6] locator srv6_locator1 ipv6-prefix 2001:DB8:ABCD:: 64
[Huawei-segment-routing-ipv6] opcode ::1 end-x interface G3/0/0 next-hop 2001:DB8:200::1

The opcode corresponding to the function is ::1. In this example the Arguments field is not carried, so the SRv6 SID is 2001:db8:abcd::1 (the 64-bit locator followed by the opcode). This function guides packet forwarding out of the specified interface (G3/0/0) to the corresponding neighbor (2001:DB8:200::1).

• In some scenarios, an SRv6 endpoint behavior requires additional information, and the Arguments field is then encapsulated. For example, in an EVPN VPLS scenario where CE multi-homing is deployed for BUM traffic forwarding, the Function field is set to End.DT2M and the Arguments field provides the local ESI mapping used to implement split horizon.
• The Function and Arguments fields can both be defined by engineers, giving the SRv6 SID a structure that improves network programmability. In most scenarios, the Arguments field is not configured.
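The following Python code is an added example, not Huawei code, that composes and decomposes SIDs in the Locator:Function:Arguments layout described above. It reproduces the slide's locator 2001:DB8:ABCD::/64 with opcode ::1 and adds the two checks an operator wants before advertising SIDs: that an opcode fits below the locator prefix (so it cannot silently change the locator) and that every SID a node generates falls inside the single locator route the IGP advertises. The field lengths passed to split_sid are assumptions for the example; on a real device they follow the locator configuration.

```python
"""Building and checking SRv6 SIDs in Locator:Function:Arguments form.

Added example, not Huawei code. Uses only the standard library. The locator
2001:DB8:ABCD::/64 and opcode ::1 are the values from the slide above; the
field lengths given to split_sid are example assumptions.
"""
import ipaddress


def make_sid(locator: str, opcode: str) -> str:
    """Combine a locator prefix ("2001:DB8:ABCD::/64") with an opcode written
    as an IPv6 address ("::1"). The opcode occupies the bits below the
    locator, so any bit of it inside the prefix is an error."""
    net = ipaddress.IPv6Network(locator, strict=True)  # rejects host bits in the locator itself
    op = int(ipaddress.IPv6Address(opcode))
    below_locator = (1 << (128 - net.prefixlen)) - 1
    if op & ~below_locator:
        raise ValueError(f"opcode {opcode} does not fit below a /{net.prefixlen} locator")
    return str(ipaddress.IPv6Address(int(net.network_address) | op))


def split_sid(sid: str, locator_len: int, args_len: int = 0):
    """Split a SID into (locator prefix, function, arguments).
    The Function field is whatever lies between the locator and the
    Arguments; with args_len=0 (the common case on this page) it is the
    whole remainder of the address."""
    if locator_len + args_len > 128:
        raise ValueError("locator and arguments exceed 128 bits")
    value = int(ipaddress.IPv6Address(sid))
    func_len = 128 - locator_len - args_len
    loc_bits = (value >> (128 - locator_len)) << (128 - locator_len)
    locator = ipaddress.IPv6Network((loc_bits, locator_len))
    function = (value >> args_len) & ((1 << func_len) - 1)
    arguments = value & ((1 << args_len) - 1)
    return str(locator), function, arguments


def covered_by_locator(sid: str, locator: str) -> bool:
    """True if the locator route advertised by the IGP would carry this SID."""
    return ipaddress.IPv6Address(sid) in ipaddress.IPv6Network(locator, strict=True)


def opcode_fits(locator: str, opcode: str) -> bool:
    """Boolean form of the overlap check in make_sid."""
    try:
        make_sid(locator, opcode)
        return True
    except ValueError:
        return False


def advertised_sids(locator: str, opcodes):
    """SIDs a node would generate for several opcodes under one locator;
    raises if any of them would escape the aggregatable locator route."""
    sids = [make_sid(locator, op) for op in opcodes]
    escaped = [s for s in sids if not covered_by_locator(s, locator)]
    if escaped:
        raise ValueError(f"SIDs not covered by the locator route: {escaped}")
    return sids


if __name__ == "__main__":
    sid = make_sid("2001:DB8:ABCD::/64", "::1")
    print(sid, split_sid(sid, 64))
    print(advertised_sids("2001:DB8:ABCD::/64", ["::1", "::2"]))
```

make_sid("2001:DB8:ABCD::/64", "::1") yields 2001:db8:abcd::1, matching the slide, while an opcode such as 0:0:0:1:: (a bit inside the /64) is rejected rather than producing a SID that belongs to a different locator.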
SRv6 Segment Types

Function | Protocol | Type | Description
End | IGP | Path SID | Endpoint SID that identifies a destination node. The corresponding function is to update the IPv6 DA and then search the IPv6 forwarding information base (FIB) to forward the packet.
End.X | IGP | Path SID | Layer 3 cross-connect endpoint SID that identifies a link. The corresponding function is to update the IPv6 DA and then forward the packet through the outbound interface bound to the End.X SID.
End.DT4 | BGP | Service SID | PE-specific endpoint SID that identifies an IPv4 VPN instance. The corresponding function is to decapsulate the packet and then search the routing table of that IPv4 VPN instance to forward it. Equivalent to an IPv4 VPN label; used in L3VPNv4 scenarios.
End.DT6 | BGP | Service SID | PE-specific endpoint SID that identifies an IPv6 VPN instance. The corresponding function is to decapsulate the packet and then search the routing table of that IPv6 VPN instance to forward it. Equivalent to an IPv6 VPN label; used in L3VPNv6 scenarios.
End.DX4 | BGP | Service SID | PE-specific Layer 3 cross-connect endpoint SID that identifies an IPv4 CE. The corresponding function is to decapsulate the packet and then forward the resulting IPv4 packet through the Layer 3 interface bound to the SID. Equivalent to a label identifying an adjacency to a CE; used in L3VPNv4 scenarios.
End.DX6 | BGP | Service SID | PE-specific Layer 3 cross-connect endpoint SID that identifies an IPv6 CE. The corresponding function is to decapsulate the packet and then forward the resulting IPv6 packet through the Layer 3 interface bound to the SID. Equivalent to a label identifying an adjacency to a CE; used in L3VPNv6 scenarios.

• In addition to L3VPN services, SRv6 can carry L2VPN services. L2VPN-related SIDs are as follows:
 ▫ End.DX2: a Layer 2 cross-connect endpoint SID that identifies an endpoint. The corresponding function is to decapsulate the packet, remove the IPv6 header (along with all its extension headers), and then forward the remaining packet data to the outbound interface associated with the SID. This SID can be used in EVPN VPWS scenarios. If a bypass tunnel exists on the network, an End.DX2L SID is generated automatically.
 ▫ End.DT2U: a Layer 2 cross-connect endpoint SID that requires unicast MAC table lookup and identifies an endpoint. If a bypass tunnel exists on the network, an End.DT2UL SID is generated automatically; it guides unicast traffic over the bypass tunnel when a CE is dual-homed to PEs. The corresponding function is to remove the IPv6 header (along with all its extension headers), search the MAC address table for an entry matching the exposed destination MAC address, and then forward the remaining packet data to the corresponding outbound interface. This SID can be used in EVPN VPLS unicast scenarios.
 ▫ End.DT2M: a Layer 2 cross-connect endpoint SID that requires broadcast-based flooding and identifies an endpoint. The corresponding function is to remove the IPv6 header (along with all its extension headers) and then broadcast the remaining packet data in the bridge domain (BD). This SID can be used in EVPN VPLS BUM scenarios.
• SRv6 SID mainly used for SRv6 O&M:
 ▫ End.OP (OAM Endpoint with Punt): an OAM SID. The corresponding function is to send OAM packets to the OAM process. This SID is mainly used in ping/tracert scenarios.
SRv6 SRH SRv6 Node SRv6 Forwarding

Naming Rules for SRv6 Segments


⚫ SRv6 segments are named according to certain rules. You can quickly determine the corresponding instruction
function from the combination of name components.

 End: the most basic instruction executed by a segment endpoint node, directing the node to terminate the current instruction
and start the next one. The corresponding forwarding behavior is to decrement the SL field by 1 and copy the SID pointed to
by the SL field to the DA field in the IPv6 header.
 X: forwards packets through one or a group of Layer 3 outbound interfaces.
 T: searches a specified routing table and forwards packets.
 D: decapsulates packets by removing the IPv6 header and related extension headers.
 V: searches a specified table for packet forwarding based on virtual local area network (VLAN) information.
 U: searches a specified table for packet forwarding based on unicast MAC address information.
 M: searches a Layer 2 forwarding table for multicast forwarding.
 B6: applies a specified SRv6 Policy.
 BM: applies a specified SR-MPLS Policy.

SRv6 Segment Examples


⚫ An End SID identifies a destination node. It is similar to a node SID in SR-MPLS. After an End SID is generated on a node, the node propagates the SID to
all the other nodes in the SRv6 domain through an IGP. All nodes in the SRv6 domain know how to implement the instruction bound to the SID.

⚫ An End.X SID is a Layer 3 cross-connect endpoint SID that identifies a link. It is similar to an adjacency SID in SR-MPLS. After an End.X SID is generated on
a node, the node propagates the SID to all the other nodes in the SRv6 domain through an IGP. Although the other nodes can all obtain the SID, only the
node generating the SID knows how to implement the instruction bound to the SID.

⚫ An End.DT4 SID is a PE-specific endpoint SID that identifies an IPv4 VPN instance. The instruction bound to the End.DT4 SID is to decapsulate packets and
search the routing table of the corresponding IPv4 VPN instance for packet forwarding. The End.DT4 SID is equivalent to an IPv4 VPN label and used in
L3VPNv4 scenarios. It can be either manually configured or automatically allocated by BGP within the dynamic SID range of the specified locator.

Figure: SRv6 segment examples. PE1, P and PE2 form AS 65000; CE1 (AS 65001, Loopback1 10.1.4.4/32) attaches to PE1
and CE2 (AS 65002, Loopback1 10.1.5.5/32) attaches to PE2.

Node   End SID               End.X SIDs                                                          VPNA End.DT4 SID
PE1    2001:DB8:1000::111    2001:DB8:1000::12 (link to P)                                       2001:DB8:1000::1:0:1E
P      2001:DB8:2000::222    2001:DB8:2000::21 (link to PE1), 2001:DB8:2000::23 (link to PE2)    -
PE2    2001:DB8:3000::333    2001:DB8:3000::32 (link to P)                                       2001:DB8:3000::1:0:1E

SRv6 Flavors
⚫ Flavors are additional behaviors defined for SRv6 segment enhancement. These behaviors are optional
and used to enhance SRv6 segment-based actions in order to meet diverse service requirements.
⚫ SRv6-Network-Programming defines the following additional behaviors: penultimate segment pop of
the SRH (PSP), ultimate segment pop of the SRH (USP), and ultimate segment decapsulation (USD).

Flavor   Function Description                                                Attached End Instruction
PSP      Removes the SRH on the penultimate endpoint node.                   End, End.X, End.DT2, End.DT4, and End.DT6
USP      Removes the SRH on the ultimate endpoint node.                      End, End.X, End.DT2, End.DT4, and End.DT6
USD      Decapsulates the outer IPv6 header on the ultimate endpoint node.   End, End.X, End.DT2, End.DT4, and End.DT6

• Different flavors can be combined. For example, if an End SID carries the PSP and
USP flavors, the PSP action is performed on the penultimate node, and the USP
action is performed on the ultimate node.

SRv6 Locator Configuration Commands


1. Enable SRv6 and enter the SRv6 view.
[Huawei] segment-routing ipv6
After running the segment-routing ipv6 command, you can configure a locator and SRv6 SID in the SRv6 view so
that an SRv6 local SID forwarding entry can be generated.
2. Configure an SRv6 SID locator.
[Huawei-segment-routing-ipv6] locator locator-name [ ipv6-prefix ipv6-address prefix-length [ [ static static-length ] | [ args args-length ] ] * ]

An SRv6 SID is a 128-bit IPv6 address expressed in the Locator:Function:Arguments format.


• The Locator field corresponds to the ipv6-prefix ipv6-address parameter and its length is determined by the
prefix-length parameter.
• The Function field is also called opcode, which can be dynamically allocated using an IGP or be configured
using the opcode command. When configuring a locator, you can use the static static-length parameter to
specify the static segment length, which determines the number of static opcodes that can be configured in
the locator. In dynamic opcode allocation, the IGP allocates opcodes outside the range of the static segment,
so that no SRv6 SID conflict occurs.
• The Args field is determined by the args args-length parameter. It is optional in SRv6 SIDs and depends on
command configurations.


• static static-length: specifies the static segment length in the Function field. This
length determines the number of static opcodes that can be configured in the
specified locator.

• args args-length: specifies the length of the Arguments field. The Arguments
field is located at the end of a SID. If args args-length is configured, the
Arguments field is reserved and will not be occupied by configured static SIDs or
generated dynamic SIDs.

SRv6 SID Configuration Commands


1. Configure a static End SID opcode.

[Huawei-segment-routing-ipv6-locator] opcode func-opcode end [no-flavor | psp | psp-usp-usd ]

An End SID identifies an SRv6 node.

2. Configure a static End.X SID opcode.

[Huawei-segment-routing-ipv6-locator] opcode func-opcode end-x interface { interface-name | interface-type interface-number } nexthop nexthop-address [ no-flavor | psp | psp-usp-usd ]

An End.X SID identifies a Layer 3 adjacency of an SRv6 node. Therefore, you need to specify an interface and the
next hop address of the interface during the configuration.


SRv6 Locator Configuration Example


⚫ SRv6 SIDs can be statically configured or dynamically allocated. In dynamic allocation mode, only the locator command needs to be
run, and the required opcode is dynamically allocated by an IGP. In static configuration mode, you need to manually configure an
opcode for the SIDs of the corresponding type.

The relationship of parameters in the locator command is as follows:

|--Locator--|--Dynamic Opcode--|--Static Opcode--|--Args--|

[Huawei-segment-routing-ipv6] locator srv6_locator1 ipv6-prefix 2001:DB8:ABCD:: 64 static 32


⚫ In static configuration mode, SIDs occupy only the static segment with values starting from 1, and the dynamic segment is set to 0.
In dynamic allocation mode, SIDs occupy both the dynamic segment and static segment. The values in the dynamic segment start
from 1, and those in the static segment start from 0.

⚫ In this example, the locator 2001:DB8:ABCD:: is configured, and its length is 64 bits. The static segment occupies 32 bits, the dynamic
segment 32 bits, and the Args field 0 bits. The value range is as follows:
 Static segment: The start value is 2001:DB8:ABCD:0000:0000:0000:0000:0001, and the end value is 2001:DB8:ABCD:0000:0000:0000: FFFF:FFFF.
 Dynamic segment: The start value is 2001:DB8:ABCD:0000:0000:0001:0000:0000, and the end value is 2001:DB8:ABCD:0000:FFFF:FFFF:FFFF:FFFF.

Statically configuring End and End.X SIDs is recommended. Dynamically allocated SIDs will change
after a device restart, adversely affecting maintenance.
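The address arithmetic behind the locator command, as an added example (not Huawei code): it models the |Locator|Dynamic opcode|Static opcode|Args| layout described above so that a planner can check which SIDs a locator hands out statically, which the IGP may allocate dynamically, and which segment a SID observed on the network came from. The Locator class and its method names are this example's own; the locator values in the usage come from the slide.

```python
"""SRv6 SID layout: |Locator|Dynamic opcode|Static opcode|Args|.

Added example, not Huawei code. Models the locator command's parameters
(ipv6-prefix/prefix-length, static static-length, args args-length).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv6 = ipaddress.IPv6Address


@dataclass(frozen=True)
class Locator:
    prefix: str            # ipv6-prefix ipv6-address, e.g. "2001:DB8:ABCD::"
    prefix_len: int        # prefix-length: bits occupied by the Locator field
    static_len: int = 0    # static static-length: bits for static opcodes
    args_len: int = 0      # args args-length: bits reserved for Arguments

    def __post_init__(self) -> None:
        if not 0 < self.prefix_len < 128 or self.static_len < 0 or self.args_len < 0:
            raise ValueError("bad field lengths")
        if self.static_len + self.args_len > 128 - self.prefix_len:
            raise ValueError("static + args exceed the Function field")
        # Strict network: rejects a prefix with host bits set beyond prefix_len.
        ipaddress.IPv6Network(f"{self.prefix}/{self.prefix_len}")

    @property
    def dynamic_len(self) -> int:
        """Bits left for IGP-allocated opcodes."""
        return 128 - self.prefix_len - self.static_len - self.args_len

    @property
    def network(self) -> ipaddress.IPv6Network:
        return ipaddress.IPv6Network(f"{self.prefix}/{self.prefix_len}")

    def sid(self, opcode: int, dynamic: int = 0, args: int = 0) -> IPv6:
        """Assemble a SID from its fields, refusing values that overflow a field."""
        for value, width, name in ((opcode, self.static_len, "opcode"),
                                   (dynamic, self.dynamic_len, "dynamic"),
                                   (args, self.args_len, "args")):
            if not 0 <= value < (1 << width):
                raise ValueError(f"{name}={value} does not fit in {width} bits")
        value = (int(IPv6(self.prefix))
                 | dynamic << (self.static_len + self.args_len)
                 | opcode << self.args_len
                 | args)
        return IPv6(value)

    def static_range(self) -> Optional[Tuple[IPv6, IPv6]]:
        """SIDs for static opcodes: dynamic part 0, opcode 1 .. 2^static_len - 1."""
        if self.static_len == 0:
            return None
        return self.sid(1), self.sid((1 << self.static_len) - 1)

    def dynamic_range(self) -> Optional[Tuple[IPv6, IPv6]]:
        """SIDs the IGP may allocate: dynamic part 1 .. max, opcode 0 .. max."""
        if self.dynamic_len == 0:
            return None
        return (self.sid(0, dynamic=1),
                self.sid((1 << self.static_len) - 1, dynamic=(1 << self.dynamic_len) - 1))

    def classify(self, sid: str) -> str:
        """'static', 'dynamic' or 'foreign' for a SID seen on the network."""
        addr = IPv6(sid)
        if addr not in self.network:
            return "foreign"
        offset = int(addr) - int(IPv6(self.prefix))
        return "dynamic" if offset >> (self.static_len + self.args_len) else "static"


if __name__ == "__main__":
    # The slide's locator: 2001:DB8:ABCD::/64 with a 32-bit static segment.
    loc = Locator("2001:DB8:ABCD::", 64, static_len=32)
    print("static :", *loc.static_range())
    print("dynamic:", *loc.dynamic_range())
    print(loc.classify("2001:DB8:ABCD::1"), loc.classify("2001:DB8:ABCD:0:0:1:0:0"))
```

Because the dynamic bits sit above the static bits, any SID whose dynamic part is non-zero is IGP-allocated, and a SID outside the locator prefix is not this node's at all; the classify method applies exactly that test.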


SRv6 Node
⚫ RFC 8754 defines three types of SR nodes:
 SR source node: a node that encapsulates packets with SRv6 headers.
 Transit node: an IPv6 node that forwards SRv6 packets but does not perform SRv6 processing.
 SRv6 segment endpoint node: a node that receives and processes SRv6 packets in which the
destination IPv6 address is a local SID or local interface address of the node.

Figure: CE1 - R1 - R2 - R3 - R4 - CE2. R1 is the source node, R2 a transit node, and R3 and R4 endpoint nodes. Each router
owns a /96 locator and an End SID: R1 FC01::/96 and FC01::1, R2 FC02::/96 and FC02::2, R3 FC03::/96 and FC03::3, R4 FC04::/96
and FC04::4. R4 also holds the End.DT4 SID FC04::400 for the VPN that reaches CE2.

SRv6 Source Node


⚫ An SRv6 source node steers a packet using an SRv6 segment list. If the SRv6 segment list contains only
one SID, and no Type Length Value (TLV) or other information needs to be added to the packet, the
DA field of the packet is set to this SID.
⚫ An SRv6 source node can be either an SRv6-capable host where IPv6 packets originate or an edge
device in an SRv6 domain.
Figure: same topology (R1 source node, R2 transit node, R3 and R4 endpoint nodes, locators FC01::/96 to FC04::/96 with End SIDs
FC01::1 to FC04::4, End.DT4 SID FC04::400 on R4 for CE2). R1 steers the packet into an SRv6 Policy and encapsulates it as:
IPv6 Header | SRH (SL = 2): Segment List [FC04::400, FC04::4, FC03::3] | Payload

Source Node Behaviors


⚫ An SRv6 source node steers packets into an SRv6 Policy and, if possible, encapsulates SRHs into the
packets. The following table lists the behaviors of an SRv6 source node.
Source Node Behavior   Function Description
H.Insert               Inserts an SRH into a received IPv6 packet and searches the corresponding routing table for packet forwarding.
H.Insert.Red           Inserts a reduced SRH into a received IPv6 packet and searches the corresponding routing table for packet forwarding.
H.Encaps               Encapsulates an outer IPv6 header and SRH for a received IP packet, and searches the corresponding routing table for packet forwarding.
H.Encaps.Red           Encapsulates an outer IPv6 header and reduced SRH for a received IP packet, and searches the corresponding routing table for packet forwarding.
H.Encaps.L2            Encapsulates an outer IPv6 header and SRH for a received Layer 2 frame, and searches the corresponding routing table for forwarding.
H.Encaps.L2.Red        Encapsulates an outer IPv6 header and reduced SRH for a received Layer 2 frame, and searches the corresponding routing table for forwarding.

Insert: IPv6 Header | Payload  ->  IPv6 Header | SRH | Payload
Encaps: IPv6 Header | Payload  ->  IPv6 Header (outer) | SRH | IPv6 Header (inner) | Payload

• The difference between a reduced SRH and a full SRH is that the segment list in a
reduced SRH omits the first segment, which is already carried in the IPv6 DA.

Transit Node
⚫ A transit node is an IPv6 node that does not participate in SRv6 processing on the SRv6 packet forwarding path.
That is, the transit node just performs ordinary IPv6 packet forwarding.
⚫ After receiving an SRv6 packet, the node parses the IPv6 DA field in the packet. If the IPv6 DA is neither a locally
configured SRv6 SID nor a local interface address, the node considers the SRv6 packet as an ordinary IPv6 packet
and searches the routing table for packet forwarding without processing the SRH.

⚫ A transit node can be either an ordinary IPv6 node or an SRv6-capable node.


Figure: same topology. The packet sent by R1 (IPv6 Header | SRH (SL = 2): Segment List [FC04::400, FC04::4, FC03::3] | Payload)
carries the IPv6 DA FC03::3. On R2 this address is neither a local SID nor a local interface address, so R2 forwards the packet
toward FC03::/96 as ordinary IPv6 traffic and leaves the SRH untouched.

Endpoint Node
⚫ An endpoint node is a node that receives an SRv6 packet destined for itself (a packet whose IPv6 destination address is a local
SID).
 For example, R3 searches its local SID table based on the IPv6 DA FC03::3 of the packet and finds a matching End SID. R3 then
decrements the SL value by 1, uses the SID that the new SL value (1) points to as the destination IPv6 address, searches the
routing table, and forwards the packet.

⚫ There may be multiple endpoint nodes on the data forwarding path. Each endpoint node provides services such as packet
forwarding, encapsulation, and decapsulation.
Figure: same topology. After R3 processes the End SID FC03::3, the packet carries IPv6 DA FC04::4 and
SRH (SL = 1): Segment List [FC04::400, FC04::4, FC03::3] | Payload, and R4 is the next endpoint node.

• Each SRv6 node maintains a local SID table that contains all SRv6 SIDs generated
on the node, and an SRv6 FIB can be generated based on the table. The local SID
table provides the following functions:
▫ Defines locally generated SIDs, such as End.X SIDs.
▫ Specifies instructions bound to the SIDs.
▫ Stores forwarding information related to the instructions, such as outbound
interface and next hop information.

SRv6 Forwarding Modes


⚫ SRv6 supports two forwarding modes: SRv6 Policy and SRv6 BE.
 In addition to implementing traffic engineering, SRv6 Policy can work with a controller to meet differentiated
service requirements more effectively, achieving a service-driven network.
 SRv6 BE is a simplified implementation of SRv6. Typically, it can provide only best-effort forwarding and does
not involve SRHs.

⚫ In the initial phase of SRv6 deployment, SRv6 BE can be used to quickly provision services based on
IPv6 route reachability, offering unparalleled advantages. During future evolution, transit nodes can be
upgraded on demand and SRv6 Policy can be deployed to meet the requirements of high-value
services.


SRv6 Locator Information Propagation


⚫ No matter whether traffic is forwarded in SRv6 BE or SRv6 Policy mode, a router can forward SRv6
packets only after obtaining SRv6 locator-related routing information.
⚫ SRv6 nodes usually use an extended IGP (extended OSPFv3 or IS-IS) to propagate locator-related
routing information to network nodes, including the source, transit, and endpoint nodes.
Figure: R1 (source node) - R2 (transit node) - R3 - R4 - R5 (endpoint nodes), locators FC01::/96 to FC05::/96 with End SIDs
FC01::1 to FC05::5, and an IGP adjacency between each pair of neighbors. IPv6 routing tables (Dest/Len/NHP) after the IGP has
propagated the locators:

R1: FC01::/96 Local    FC03::/96 R2       FC04::/96 R2       FC05::/96 R2
R2: FC01::/96 R1       FC03::/96 R3       FC04::/96 R3       FC05::/96 R3
R3: FC01::/96 R2       FC03::/96 Local    FC04::/96 R4       FC05::/96 R4
R4: FC01::/96 R3       FC03::/96 R3       FC04::/96 Local    FC05::/96 R5
R5: FC01::/96 R4       FC03::/96 R4       FC04::/96 R4       FC05::/96 Local

Forwarding in SRv6 BE Mode


⚫ Traditional MPLS involves two control protocols: LDP and RSVP-TE. The former uses IGP path
computation results to establish LDP LSPs and guide traffic forwarding, but it does not support traffic
engineering. Similar to LDP, SRv6 BE uses only one service SID to guide packet forwarding on an IP
network in best-effort mode.
⚫ In SRv6 BE mode, the forwarding path is computed based on the IGP cost.
Figure: R1 (source node) - R2 (transit node) - R3 - R4 - R5 (endpoint nodes), locators FC01::/96 to FC05::/96 with End SIDs
FC01::1 to FC05::5. In SRv6 BE mode, R1 sends a plain IPv6 packet (DIPv6 FC05::5, SIPv6 FC01::1, Payload) with no SRH, and it is
forwarded unchanged on every hop to R5.

Forwarding in SRv6 Policy Mode


⚫ In SRv6 forwarding, each time a packet passes through an SRv6 endpoint node, the SL field is decremented by 1 and the IPv6 DA in
the IPv6 header changes. The SL and Segment List fields are both used to determine an IPv6 DA.
Figure: R1 (source node) - R2 (transit node) - R3 - R4 - R5 (endpoint nodes), locators FC01::/96 to FC05::/96 with End SIDs
FC01::1 to FC05::5. The packet carries SIPv6 FC01::1 and the SRH Segment List [FC05::5, FC04::4, FC03::3]; the IPv6 DA and SL
change at each endpoint node:

Node  DIPv6     SRH
R1    FC03::3   SL = 2
R2    FC03::3   SL = 2 (transit: unchanged)
R3    FC04::4   SL = 1
R4    FC05::5   SL = 0
R5    FC05::5   SRH removed; only the payload remains

If the type of the SID whose SL value is 0 is End, End.X, or End.DT, the SRH is removed on the penultimate segment by default.
⚫ Different from SR-MPLS label processing, SRv6 SRH processing is implemented from the bottom up, and segments in the SRv6 SRH
are not popped after being processed by a node. Therefore, the SRv6 header can be used for path backtracking.


• In MPLS, different removal options are defined using the Implicit-Null and Non-
null options. Penultimate hop popping (PHP) in the MPLS data plane refers to
the process in which the outermost label of the MPLS label stack is removed by
an LSR before the packet reaches the adjacent label edge router (LER). If PHP is
not enabled on the MPLS network, the LER is responsible for removing the label.
• These behaviors are defined as two functions in SRv6: PSP and USP.
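The forwarding described in this section (H.Encaps on the source node, a plain IPv6 lookup on the transit node, the End behavior on each endpoint node, and PSP on the penultimate segment), replayed on the R1 to R5 chain of the figures. This is an added example and not Huawei code: the node names, locators and End SIDs are the slide's, while the routing tables, the packet model and the trace format are constructed here. A packet sent without an SRH follows the same code path and shows the SRv6 BE case. The trace records each packet as the node sends it on, so with PSP the SRH is already gone when R4 forwards to R5.

```python
"""Walk an SRv6 packet through the R1-R5 chain from the forwarding figures.

Added example, not Huawei code. Endpoint nodes implement End (SL--, copy
SRH[SL] into the DA) with an optional PSP flavor; every other DA is forwarded
by a longest-prefix lookup, which is what a transit node does.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def norm(addr: str) -> str:
    """Canonical lowercase form, so SID strings compare reliably."""
    return str(ipaddress.IPv6Address(addr))


@dataclass
class SRH:
    segments: List[str]   # wire order: Segment List[0] is the last segment
    sl: int               # Segments Left: index of the active segment


@dataclass
class Packet:
    src: str
    dst: str
    srh: Optional[SRH]
    payload: str


@dataclass
class Node:
    name: str
    local_sids: Dict[str, Tuple[str, str]]        # SID -> (behaviour, flavor)
    routes: Dict[ipaddress.IPv6Network, str]      # locator -> next hop or "Local"

    def lookup(self, dst: str) -> str:
        """Longest-prefix match in the IPv6 routing table."""
        addr = ipaddress.IPv6Address(dst)
        hits = [net for net in self.routes if addr in net]
        if not hits:
            raise LookupError(f"{self.name}: no route to {dst}")
        return self.routes[max(hits, key=lambda n: n.prefixlen)]

    def process(self, pkt: Packet) -> Tuple[Optional[str], Packet]:
        """Handle one packet; return (next hop, packet). next hop None = delivered here."""
        entry = self.local_sids.get(pkt.dst)
        if entry is None:
            nxt = self.lookup(pkt.dst)
            if nxt == "Local":            # inside our locator but not an instantiated SID
                raise LookupError(f"{self.name}: {pkt.dst} is not a local SID")
            return nxt, pkt               # transit behaviour: SRH not touched
        behaviour, flavor = entry
        if behaviour != "End":
            raise NotImplementedError(behaviour)
        if pkt.srh is None or pkt.srh.sl == 0:
            return None, pkt              # last segment reached: deliver locally
        pkt.srh.sl -= 1
        pkt.dst = norm(pkt.srh.segments[pkt.srh.sl])
        if flavor == "psp" and pkt.srh.sl == 0:
            pkt.srh = None                # penultimate segment pop
        return self.lookup(pkt.dst), pkt


def h_encaps(src_sid: str, payload: str, segment_list: List[str]) -> Packet:
    """H.Encaps on the source node: outer IPv6 header + SRH, DA = first segment."""
    segs = [norm(s) for s in segment_list]
    sl = len(segs) - 1
    return Packet(src=norm(src_sid), dst=segs[sl], srh=SRH(segs, sl), payload=payload)


def build_chain(flavor: str = "psp") -> Dict[str, Node]:
    """R1..R5 in a line: locator FC0i::/96, End SID FC0i::i, next hop along the chain."""
    names = ["R1", "R2", "R3", "R4", "R5"]
    nodes = {}
    for i, name in enumerate(names):
        routes = {}
        for j, _ in enumerate(names):
            net = ipaddress.IPv6Network(f"FC0{j + 1}::/96")
            routes[net] = "Local" if j == i else names[i + 1] if j > i else names[i - 1]
        nodes[name] = Node(name, {norm(f"FC0{i + 1}::{i + 1}"): ("End", flavor)}, routes)
    return nodes


def forward(nodes: Dict[str, Node], start: str, pkt: Packet, max_hops: int = 16):
    """Return ([(node, DA, SL or None) as sent by each node], final packet)."""
    trace, cur = [], start
    for _ in range(max_hops):
        nxt, pkt = nodes[cur].process(pkt)
        trace.append((cur, pkt.dst, pkt.srh.sl if pkt.srh else None))
        if nxt is None:
            return trace, pkt
        cur = nxt
    raise RuntimeError("forwarding loop")


if __name__ == "__main__":
    chain = build_chain()
    policy = h_encaps("FC01::1", "CE1->CE2", ["FC05::5", "FC04::4", "FC03::3"])
    for hop in forward(chain, "R1", policy)[0]:
        print("Policy", hop)
    for hop in forward(chain, "R1", Packet(norm("FC01::1"), norm("FC05::5"), None, "x"))[0]:
        print("BE    ", hop)
```

Running it with the default PSP flavor reproduces the figure: R1 and R2 leave DA FC03::3 and SL 2 alone, R3 moves to FC04::4 / SL 1, R4 moves to FC05::5 and pops the SRH, and R5 delivers the payload.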
Contents

1. SRv6 Overview

2. SRv6 Fundamentals
▫ Basic Concepts of SRv6
◼ SRv6 Policy Path Establishment and Traffic Steering
▫ Typical SRv6 Applications

3. SRv6 High Reliability

4. Basic SRv6 Configuration

5. SRv6 Deployment Using iMaster NCE-IP


SRv6 Policy Overview
⚫ SRv6 Policy is a new traffic steering technology developed based on SRv6.
⚫ An SRv6 Policy is a set of candidate paths consisting of one or more segment lists,
that is, SID lists. Each SID list identifies an E2E path from the source to the
destination, instructing a device to forward traffic through the path rather than the
shortest path computed using an IGP.
⚫ If a packet is steered into an SRv6 Policy, the headend adds a SID list into the
packet, and other devices receiving the packet execute the instructions encapsulated
into the list.


• https://datatracker.ietf.org/doc/draft-ietf-spring-segment-routing-policy/
SRv6 Policy Identification
⚫ An SRv6 Policy is identified by the tuple <headend, color, endpoint>.
⚫ For an SRv6 Policy with a specified headend, it is identified only using <color, endpoint>.
 Headend: node where an SRv6 Policy is originated. Generally, it is a globally unique IP address.
 Color: 32-bit extended community attribute. It is used to identify a type of service intent (e.g. low delay).
 Endpoint: destination address of an SRv6 Policy. Generally, it is a globally unique IPv6 address.

⚫ On the specified headend, the color and endpoint are used to identify the forwarding path of the
corresponding SRv6 Policy.
Figure: on one headend, three SRv6 Policies are distinguished by <color, endpoint>:
SRv6 Policy 1 <color 15, endpoint 1>
SRv6 Policy 2 <color 20, endpoint 2>
SRv6 Policy 3 <color 25, endpoint 2>

• An endpoint in an SRv6 Policy is different from an endpoint node in SRv6.
▫ The endpoint node in SRv6 refers to the type of the device that processes
the SRH.
▫ The endpoint in an SRv6 Policy refers to the policy's egress, which is
generally expressed using an IPv6 address.

SRv6 Policy Path Model


⚫ One SRv6 Policy may contain multiple candidate paths with the preference attribute. The valid candidate path with the highest
preference functions as the primary path of the SRv6 Policy, and the valid candidate path with the second highest preference
functions as a backup path.
 A candidate path is an SRv6 Policy's basic unit. It is manually configured or is sent to the headend through BGP IPv6 SR Policy.
⚫ Weights can be configured for segment lists to control load balancing among SRv6 paths.

SR Policy P1 <headend, color, endpoint>
  Candidate-path CP1 <Protocol-Origin, Originator, Discriminator>, Preference 200 (primary path)
    Weight W1, SID-List1 <SID11...SID1i>
    Weight W2, SID-List2 <SID21...SID2j>
  Candidate-path CP2 <Protocol-Origin, Originator, Discriminator>, Preference 100 (backup path)
    Weight W3, SID-List3 <SID31...SID3i>
    Weight W4, SID-List4 <SID41...SID4j>

• SR Policy P1 is uniquely determined by the triplet <headend, color, endpoint>.

• An SR Policy can contain multiple candidate paths (e.g. CP1 and CP2). Each of
the paths is uniquely determined by the triplet <Protocol-Origin, Originator,
Discriminator>.
• CP1 is the primary path because it is valid and has the highest preference. The
two SID lists of CP1 are delivered to the forwarder, and traffic is balanced
between the two paths based on weights. For the SID list <SID11...SID1i>, traffic
is balanced according to W1/(W1+W2).
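The selection rules above (valid candidate path with the highest preference becomes the primary path, the next one the backup, and traffic is split across the primary path's segment lists in proportion to W1/(W1+W2)) as an added example, not Huawei code. The policy, candidate-path and segment-list attributes are the ones named in the figure; the valid flag stands in for whatever validity check the headend runs on a path, the SHA-256 flow hash stands in for the forwarder's hash, and the class and function names are this example's own.

```python
"""Candidate-path selection and weighted segment-list load balancing for
one SRv6 Policy, following the path model on the slide.

Added example, not Huawei code.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SegmentList:
    sids: List[str]
    weight: int = 1


@dataclass
class CandidatePath:
    protocol_origin: int          # <Protocol-Origin, Originator, Discriminator> identify the path
    originator: str
    discriminator: int
    preference: int
    segment_lists: List[SegmentList]
    valid: bool = True            # stand-in for the headend's validity check

    @property
    def key(self) -> Tuple[int, str, int]:
        return (self.protocol_origin, self.originator, self.discriminator)


@dataclass
class SRv6Policy:
    headend: str
    color: int
    endpoint: str
    candidate_paths: List[CandidatePath] = field(default_factory=list)

    @property
    def key(self) -> Tuple[str, int, str]:
        return (self.headend, self.color, self.endpoint)

    def add_candidate_path(self, cp: CandidatePath) -> None:
        if any(cp.key == other.key for other in self.candidate_paths):
            raise ValueError(f"duplicate candidate path {cp.key}")
        self.candidate_paths.append(cp)

    def ranked(self) -> List[CandidatePath]:
        """Valid candidate paths, highest preference first."""
        return sorted((cp for cp in self.candidate_paths if cp.valid),
                      key=lambda cp: cp.preference, reverse=True)

    def primary(self) -> Optional[CandidatePath]:
        ranked = self.ranked()
        return ranked[0] if ranked else None

    def backup(self) -> Optional[CandidatePath]:
        ranked = self.ranked()
        return ranked[1] if len(ranked) > 1 else None

    def installed_lists(self) -> List[SegmentList]:
        """Only the primary path's segment lists are pushed to the forwarder."""
        cp = self.primary()
        return [sl for sl in cp.segment_lists if sl.weight > 0] if cp else []

    def shares(self) -> Dict[Tuple[str, ...], float]:
        """Expected traffic share per list: Wn / sum(W)."""
        lists = self.installed_lists()
        total = sum(sl.weight for sl in lists)
        return {tuple(sl.sids): sl.weight / total for sl in lists} if total else {}

    def select(self, flow_key: bytes) -> Optional[SegmentList]:
        """Weighted choice: list n owns a slice of the hash space proportional to Wn."""
        lists = self.installed_lists()
        total = sum(sl.weight for sl in lists)
        if total == 0:
            return None
        slot = int.from_bytes(hashlib.sha256(flow_key).digest()[:8], "big") % total
        for sl in lists:
            if slot < sl.weight:
                return sl
            slot -= sl.weight
        raise AssertionError("unreachable: slot < total")


def observed_shares(policy: SRv6Policy, flows: int) -> Dict[Tuple[str, ...], float]:
    """Hash `flows` constructed 5-tuples and count which list each one lands on."""
    counts: Dict[Tuple[str, ...], int] = {}
    for n in range(flows):
        chosen = policy.select(f"2001:db8::{n:x}|fc00::1|{40000 + n}|443|tcp".encode())
        if chosen is not None:
            counts[tuple(chosen.sids)] = counts.get(tuple(chosen.sids), 0) + 1
    return {k: v / flows for k, v in counts.items()}


if __name__ == "__main__":
    p = SRv6Policy("fc00:1::1", 16, "fc01::4")
    p.add_candidate_path(CandidatePath(20, "controller", 49, 200, [
        SegmentList(["fc00:5::1", "fc00:6::1"], 3), SegmentList(["fc00:7::1", "fc00:6::1"], 1)]))
    p.add_candidate_path(CandidatePath(30, "local", 1, 100, [SegmentList(["fc00:6::1"])]))
    print("primary:", p.primary().key, "backup:", p.backup().key)
    print("expected:", p.shares())
    print("observed:", observed_shares(p, 20000))
```

The backup path is only a fallback: its lists are not installed while the primary path is valid, and flipping the primary path's valid flag is enough to make the selection move to it.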

Overview of SRv6 Policy Path Establishment


⚫ In Huawei's SRv6 Policy solution architecture, the controller (iMaster NCE-IP) is used to establish SRv6 Policy paths.
 The controller uses BGP-LS to collect the topology information gathered by an extended IGP, computes SRv6 Policy paths from it,
and displays path state.
 The controller uses BGP IPv6 SR Policy to deliver SRv6 Policy information (e.g. headend, color, and endpoint) to the headend.
⚫ Huawei's SRv6 Policy solution also uses NETCONF to deliver other configurations, such as service interfaces and route-policies (with
the color attribute).
 In addition to delivering SRv6 Policies through iMaster NCE-IP, you can also manually deploy SRv6 Policies.

Figure: the headend and endpoint run extended IS-IS. Between the controller and the headend, 1. BGP-LS carries topology
information up to the controller, 2. BGP IPv6 SR Policy delivers the SRv6 Policy (with its color) down to the headend, and
3. NETCONF delivers the remaining configuration.

• Mainstream methods for SRv6 Policy implementation:

▫ BGP: BGP-LS is used to collect topology information, so that no new


interface protocol needs to be introduced for customer-developed
controllers. BGP IPv6 SR Policy is used to deliver route information.
▫ PCEP: is a mature southbound protocol used in SR-MPLS TE scenarios.
However, the tunnel implementation models of vendors are different and
cannot interwork, and the interaction process of PCEP is more complex than
that of BGP. As such, BGP extension is recommended.

▫ NETCONF/YANG: delivers tunnel paths to forwarders as configurations. This


method is not recommended because it delivers configurations in essence
and offers the poorest performance. In a comprehensive solution, NETCONF
is used to deliver configurations other than tunnel configurations.
• Huawei devices mainly use BGP to deploy SRv6 Policies.

Information Collection Through BGP-LS


⚫ In Huawei's SRv6 Policy solution architecture, BGP-LS mainly provides the following functions:
 Advertises the topology, prefix, SRv6 locator, and SID information collected by IS-IS/OSPFv3 to iMaster NCE-IP through BGP-LS routes.
 Advertises the SRv6 Policy status through BGP-LS routes.

Figure: PE1 (IS-IS System ID 0010.0000.0001.00) and PE2 (IS-IS System ID 0010.0000.0002.00) on the left, P1 in the middle,
PE3 and PE4 (End SID FC00:6::1, Loopback FC01::4) on the right, and an RR above. An SRv6 Policy with color 16 runs from PE1 to
PE4, and PE1 has a BGP-LS peer relationship (through the RR) with the controller.

[~PE1]display bgp link-state unicast routing-table

 Total Number of Node Routes: 36

 *> Network : [NODE][ISIS-LEVEL-2][IDENTIFIER0][LOCAL[as65001][bgp-ls-identifier1.0.0.1][ospf-area-id0.0.0.0][igp-router-id0010.0000.0001.00]]   //Topology node information

 *> Network : [LINK][ISIS-LEVEL-2][IDENTIFIER0][LOCAL[as65001][bgp-ls-identifier1.0.0.1][ospf-area-id0.0.0.0][igp-router-id0010.0000.0001.00]][REMOTE[as65001][bgp-ls-identifier1.0.0.1][ospf-area-id0.0.0.0][igp-router-id0010.0000.0002.00]][LINK[if-address10.0.0.26][peer-address10.0.0.25][if-address::][peer-address::]]   //Topology link information

 *> Network : [SRV6-SID][ISIS-LEVEL-2][IDENTIFIER0][LOCAL[as65001][bgp-ls-identifier1.0.0.1][ospf-area-id0.0.0.0][igp-router-id0010.0000.0006.00]][SID[mt-id2][sidFC00:6::1]]   //SRv6 SID information

 *> Network : [TEPOLICY][SEGMENT-ROUTING][IDENTIFIER0][LOCAL[as65001][bgp-ls-identifier1.0.0.1][bgp-router-id1.0.0.1][ipv4-router-id0.0.0.0][ipv6-router-idFC01::1]][TE[protocol-origin2][Flag128][endpointFC01::4][color16][originator-as65001][originator-address172.21.17.102][discriminator49]]   //SRv6 Policy status

• BGP-LS connection:

▫ Collects tunnel topology information for SR Policy path computation.

▫ BGP-LS supports the collection of SR Policy status information, based on


which the controller displays tunnel status.
https://datatracker.ietf.org/doc/draft-ietf-idr-te-lsp-distribution/

▫ BGP-LS supports SRLB information encapsulation and decapsulation, so


that the controller can obtain the SRLB information for binding SID
allocation. (The backup path of each SR Policy corresponds to a binding
SID.)
▫ BGP-LS also needs to be deployed on the headend to advertise the SRv6
Policy status.
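A parser for the bracketed NLRI keys in the display bgp link-state output above, as an added example that is not Huawei code. It turns each route into a record and pulls out the two things an operator auditing the SRv6 domain usually wants from BGP-LS: which SRv6 SIDs each IGP node advertises and which SRv6 Policies the headend reports. The four route strings are copied from the slide (comments stripped); the parser, the attribute-name list it splits on, and the inventory functions are this example's own and cover only the attribute names that appear in that output.

```python
"""Parse Huawei-style BGP-LS NLRI keys such as
[SRV6-SID][ISIS-LEVEL-2][IDENTIFIER0][LOCAL[...]][SID[mt-id2][sidFC00:6::1]]
into records and build a SID / SRv6 Policy inventory from them.

Added example, not Huawei code.
"""
from typing import Dict, List, Tuple, Union

Node = Tuple[str, list]   # (label, children)

# Attribute names seen in the slide's output, longest first so that
# "originator-as" is tried before "as".
ATTRS = sorted(["as", "bgp-ls-identifier", "ospf-area-id", "igp-router-id",
                "bgp-router-id", "ipv4-router-id", "ipv6-router-id", "if-address",
                "peer-address", "mt-id", "sid", "protocol-origin", "Flag",
                "endpoint", "color", "originator-as", "originator-address",
                "discriminator", "IDENTIFIER"], key=len, reverse=True)


def parse_nlri(text: str) -> List[Node]:
    """Turn '[A][B[c1][c2]]' into [('A', []), ('B', [('c1', []), ('c2', [])])]."""
    def item(pos: int) -> Tuple[Node, int]:
        if text[pos] != "[":
            raise ValueError(f"expected '[' at {pos}")
        pos += 1
        start = pos
        while pos < len(text) and text[pos] not in "[]":
            pos += 1
        label = text[start:pos]
        children, pos = items(pos)
        if pos >= len(text) or text[pos] != "]":
            raise ValueError(f"unbalanced bracket near {start}")
        return (label, children), pos + 1

    def items(pos: int) -> Tuple[List[Node], int]:
        out = []
        while pos < len(text) and text[pos] == "[":
            node, pos = item(pos)
            out.append(node)
        return out, pos

    nodes, end = items(0)
    if end != len(text):
        raise ValueError(f"trailing data at {end}")
    return nodes


def split_attr(label: str) -> Tuple[str, str]:
    """'igp-router-id0010.0000.0001.00' -> ('igp-router-id', '0010.0000.0001.00')."""
    for name in ATTRS:
        if label.startswith(name):
            return name, label[len(name):]
    return label, ""


def to_record(text: str) -> Dict[str, Union[str, Dict[str, List[str]]]]:
    """Flatten one NLRI: route type, protocol, then one dict per container
    (LOCAL/REMOTE/LINK/SID/TE); repeated attributes become lists."""
    nodes = parse_nlri(text)
    rec: Dict[str, Union[str, Dict[str, List[str]]]] = {
        "type": nodes[0][0], "protocol": nodes[1][0]}
    for label, children in nodes[2:]:
        name, value = split_attr(label)
        if not children:
            rec[name] = value
            continue
        box: Dict[str, List[str]] = {}
        for child_label, _ in children:
            k, v = split_attr(child_label)
            box.setdefault(k, []).append(v)
        rec[name] = box
    return rec


def srv6_sid_inventory(routes: List[str]) -> Dict[str, List[str]]:
    """igp-router-id -> advertised SRv6 SIDs, from SRV6-SID routes only."""
    inv: Dict[str, List[str]] = {}
    for rec in map(to_record, routes):
        if rec["type"] == "SRV6-SID":
            node = rec["LOCAL"]["igp-router-id"][0]
            inv.setdefault(node, []).extend(rec["SID"]["sid"])
    return inv


def policy_status(routes: List[str]) -> List[Tuple[int, str, int]]:
    """(color, endpoint, discriminator) for every TEPOLICY route."""
    out = []
    for rec in map(to_record, routes):
        if rec["type"] == "TEPOLICY":
            te = rec["TE"]
            out.append((int(te["color"][0]), te["endpoint"][0], int(te["discriminator"][0])))
    return out


# The four NLRI keys shown on the slide, with the trailing comments removed.
SLIDE_ROUTES = [
    "[NODE][ISIS-LEVEL-2][IDENTIFIER0][LOCAL[as65001][bgp-ls-identifier1.0.0.1]"
    "[ospf-area-id0.0.0.0][igp-router-id0010.0000.0001.00]]",
    "[LINK][ISIS-LEVEL-2][IDENTIFIER0][LOCAL[as65001][bgp-ls-identifier1.0.0.1]"
    "[ospf-area-id0.0.0.0][igp-router-id0010.0000.0001.00]][REMOTE[as65001]"
    "[bgp-ls-identifier1.0.0.1][ospf-area-id0.0.0.0][igp-router-id0010.0000.0002.00]]"
    "[LINK[if-address10.0.0.26][peer-address10.0.0.25][if-address::][peer-address::]]",
    "[SRV6-SID][ISIS-LEVEL-2][IDENTIFIER0][LOCAL[as65001][bgp-ls-identifier1.0.0.1]"
    "[ospf-area-id0.0.0.0][igp-router-id0010.0000.0006.00]][SID[mt-id2][sidFC00:6::1]]",
    "[TEPOLICY][SEGMENT-ROUTING][IDENTIFIER0][LOCAL[as65001][bgp-ls-identifier1.0.0.1]"
    "[bgp-router-id1.0.0.1][ipv4-router-id0.0.0.0][ipv6-router-idFC01::1]]"
    "[TE[protocol-origin2][Flag128][endpointFC01::4][color16][originator-as65001]"
    "[originator-address172.21.17.102][discriminator49]]",
]

if __name__ == "__main__":
    print(srv6_sid_inventory(SLIDE_ROUTES))
    print(policy_status(SLIDE_ROUTES))
```

Feeding the parser the full routing-table dump instead of SLIDE_ROUTES gives a list of every SID the IGP is leaking into BGP-LS, which is a quick way to spot a SID advertised by a node that should not own that locator.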

Path Delivery Through BGP IPv6 SR Policy


⚫ iMaster NCE-IP can deliver an SRv6 Policy to the specified headend through the BGP IPv6 SR Policy peer
relationship.
⚫ An SRv6 Policy is represented as [distinguisher][color][endpoint] in the BGP routing table.
Figure: PE1 is the headend of an SRv6 Policy (color 16) to PE4 (End SID FC00:6::1, Loopback FC01::4) through P1 (End SID
FC00:5::1); FC00:6::1:60 is an End.X SID in PE4's locator. PE1 has a BGP SR-Policy peer relationship (through the RR) with the
controller. The encapsulated packet sent by PE1: DIPv6 FC00:5::1, SIPv6 FC00:1::1, SRH (SL = 2): Segment List
[FC00:6::1:60, FC00:6::1, FC00:5::1], Payload.

[~PE1]display bgp sr-policy ipv6 routing-table [49][16][FC01::4]

 BGP local router ID : 1.0.0.1
 Local AS number : 65001
 Paths: 2 available, 1 best, 1 select, 0 best-external, 0 add-path
 BGP routing table entry information of [49][16][FC01::4]:
 ...
 Tunnel Encaps Attribute (23):
  Tunnel Type: SR Policy (15)
   Preference: 10
   Binding SID: FC00:1::1:1, s-flag(0), i-flag(0)
   Segment List
    Weight: 1
    Path MTU: 9600
    Segment: type:2, SID: FC00:5::1
    Segment: type:2, SID: FC00:6::1
    Segment: type:2, SID: FC00:6::1:60
  Template ID: 4294967278
 Not advertised to any peer yet

• BGP IPv6 SR Policy connection:

▫ The controller delivers SRv6 Policy information to forwarders for SRv6


Policy generation.

▫ BGP routes delivered by the controller carry the color community attribute,
which can be transmitted. The headend finds a matching BGP route and
recurses it to the corresponding SRv6 Policy based on the color and
endpoint information.

▫ In Huawei's SRv6 Policy solution, path computation constraints of each


application need to be uniformly planned on the controller based on SLAs,
and different colors are used to identify SRv6 Policies. An SRv6 Policy is
uniquely identified by <headend, color, endpoint>. The BGP route of
services to be steered into an SRv6 Policy needs to carry the corresponding
color attribute.
• Binding SIDs are mainly used for path stitching.

Inter-AS SRv6 Policy Path Establishment


⚫ SRv6 devices need to obtain network-wide SIDs to implement E2E data forwarding.


In an AS, devices can use an extended IGP (extended OSPFv3 or IS-IS) to obtain intra-AS SID information. In inter-AS scenarios,
however, BGP egress peer engineering (EPE) needs to be used to transmit SID information.

Figure: AS 65001 (IS-IS) contains FC01::1 and the ASBR FC02::2; AS 65002 (IS-IS) contains the ASBR FC03::3 and FC04::4. Inside
each AS the IGP route carries the SRv6-related route information. On each ASBR, routes are mutually imported between the IS-IS
and BGP processes, and BGP EPE allocates the peer SIDs FC02::1B and FC02::1C on FC02::2 and FC03::1B and FC03::1C on FC03::3 for
the inter-AS links, so that the BGP route carries the SRv6-related route information across the AS boundary. FC02::2 is an End SID
and FC02::1C an End.X SID.

The packet from FC01::1 (SIPv6 FC01::1) carries the Segment List [FC04::4, FC03::3, FC02::1C, FC02::2] and is forwarded as:
  SL = 3, DIPv6 FC02::2     (End on the ASBR FC02::2)
  SL = 2, DIPv6 FC02::1C    (End.X: out over the EPE link to AS 65002)
  SL = 1, DIPv6 FC03::3
  SL = 0, DIPv6 FC04::4

• BGP EPE can allocate BGP peer SIDs to inter-AS paths. Peer SIDs are classified
into the following types:
▫ A Peer-Node SID identifies a peer node. The peers at both ends of each BGP
session are allocated with Peer-Node SIDs. An EBGP peer relationship
established based on loopback interfaces may traverse multiple physical
links. In this case, the Peer-Node SID of a peer is mapped to multiple
outbound interfaces. Peer-Node SIDs are End SIDs.

▫ A Peer-Adj SID identifies an adjacency to a peer. An EBGP peer relationship


established based on loopback interfaces may traverse multiple physical
links. In this case, each adjacency is allocated with a Peer-Adj SID. Only the
specified link (mapped to the specified outbound interface) can be used for
forwarding. Peer-Adj SIDs are End.X SIDs.
• BGP EPE allocates SIDs only to BGP peers and links, but cannot be used to
construct a forwarding path. BGP peer SIDs must be used with IGP SIDs to form
an E2E path.

SRv6 Policy Path Stitching (1)


⚫ Because the number of SIDs a device can carry in an SRH (the stack depth) is limited, SRv6 path stitching is used on large networks.
 Path stitching is mainly implemented using stitching SIDs and stitching nodes.
 A stitching SID (also called a binding SID) represents an SRv6 Policy's forwarding path.
 A stitching node, which is generally an ABR or ASBR, is responsible for processing the binding SID and adding SRH information.
Figure: CE1 - PE1 (FC01::1, AS 65001) - ASBR1 (FC02::2, End.X SID FC02::1C) - ASBR2 (FC03::3, binding SID FC03::100) - PE2
(FC04::4, End.DT4 SID FC04::100, AS 65002) - CE2. The device supports a stack depth of 4, which cannot accommodate the E2E
segment list from PE1 to PE2, so PE1 uses the binding SID FC03::100 of ASBR2 in place of the AS 65002 segments. FC02::2, FC03::3
and FC04::4 are End SIDs.

Sent from PE1:                      IPv6 Header | SRH (SL = 3): [FC04::100, FC03::100, FC02::1C, FC02::2] | CE1->CE2
After End on ASBR1 (internal):      IPv6 Header | SRH (SL = 2): [FC04::100, FC03::100, FC02::1C, FC02::2] | CE1->CE2
After End.X on ASBR1 (internal):    IPv6 Header | SRH (SL = 1): [FC04::100, FC03::100, FC02::1C, FC02::2] | CE1->CE2
Sent from ASBR2 (Insert mode):      IPv6 Header | SRH (SL = 0): [FC04::4] | SRH (SL = 0): [FC04::100, FC03::100, FC02::1C, FC02::2] | CE1->CE2
Processing on PE2 (internal):       IPv6 Header | SRH (SL = 0): [FC04::100, FC03::100, FC02::1C, FC02::2] | CE1->CE2

• On a large network, the SRv6 SRH may be of a large size. Considering device
limitations and forwarding efficiency, the number of SIDs in the SRH must be
limited.

• Generally, there are two methods for reducing the SRH size:
▫ SRv6 header compression

▪ Huawei mainly uses the G-SRv6 solution for SRv6 header


compression, reducing the SRH size and improving the forwarding
efficiency without sacrificing SID information.

▪ This course will not cover relevant header compression technologies.


▫ SRv6 path stitching

▪ Binding SIDs are used to stitch different SRv6 paths together, so that
the SRH of each SRv6 path is not too large.
• The SRv6 stack depth is generally determined by device capabilities.
• SRv6 mainly supports the following four types of binding SIDs:
▫ End.B6.Insert

▫ End.B6.Insert.Red
▫ End.B6.Encaps
▫ End.B6.Encaps.Red

SRv6 Policy Path Stitching (2)


⚫ Main encapsulation modes supported by SRv6 stitching labels (binding SIDs):
 Insert mode: inserts an SRH after the original IPv6 header so that the packet is forwarded based on the original IPv6 header and the new SRH.
 Encaps mode: inserts an outer IPv6 header and SRH before the original IPv6 header so that the packet is forwarded based on the outer IPv6 header
and SRH.

Figure: same topology as the previous slide (CE1 - PE1 FC01::1 - ASBR1 FC02::2 - ASBR2 FC03::3 - PE2 FC04::4 - CE2; End.X SID
FC02::1C on ASBR1, binding SID FC03::100 on ASBR2, End.DT4 SID FC04::100 on PE2; device stack depth 4, too small for the E2E
segment list).

Sent from PE1:                      IPv6 Header | SRH (SL = 3): [FC04::100, FC03::100, FC02::1C, FC02::2] | CE1->CE2
After End on ASBR1 (internal):      IPv6 Header | SRH (SL = 2): [FC04::100, FC03::100, FC02::1C, FC02::2] | CE1->CE2
After End.X on ASBR1 (internal):    IPv6 Header | SRH (SL = 1): [FC04::100, FC03::100, FC02::1C, FC02::2] | CE1->CE2
Sent from ASBR2 (Encaps mode):      IPv6 Header (outer) | SRH (SL = 0): [FC04::4] | IPv6 Header (inner) | SRH (SL = 0): [FC04::100, FC03::100, FC02::1C, FC02::2] | CE1->CE2
Processing on PE2 (internal):       IPv6 Header | SRH (SL = 0): [FC04::100, FC03::100, FC02::1C, FC02::2] | CE1->CE2

• The End.B6.Encaps instruction used in Encaps mode can be disassembled into End
+ B6 + Encaps, where B6 indicates the application of an SRv6 Policy and Encaps
indicates the encapsulation of an outer IPv6 header and SRH. This instruction
includes the following operations: decrements the SL value of the inner SRH by 1,
copies the SID to which the SL field is pointing to the DA field of the inner IPv6
header, encapsulates an IPv6 header and SRH (including segment lists), sets the
source address to the address of the current node and the destination address to
the first SID of the involved SRv6 Policy, sets other fields in the outer IPv6 header,
looks up the corresponding table, and forwards the new IPv6 packet accordingly.
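The two binding-SID behaviours described on these slides, modelled as an added example (constructed here, not Huawei code or device output). The SRH is stored in wire order (Segment List (0) is the last segment, Segments Left points at the active one), exactly as the figures list it. The End.B6.Encaps function follows the operation list above; the End.B6.Insert function follows the one-line Insert-mode description, so the order in which it touches the original SRH is a modelling assumption. The stitched segments FC03::4 and FC04::4 and the ASBR1 address are assumed values; the other SIDs are the ones on the slides. A stack-depth check shows why stitching is needed when the E2E list exceeds the device limit of 4.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SRH:
    """SRH model. `segments` is in SRH order (index 0 = last segment to visit);
    `sl` is Segments Left, the index of the segment currently being processed."""
    segments: List[str]
    sl: int

    @property
    def active(self) -> str:
        return self.segments[self.sl]


@dataclass
class IPv6Packet:
    sa: str
    da: str
    srhs: List[SRH] = field(default_factory=list)   # extension-header chain, outermost first
    inner: Optional["IPv6Packet"] = None            # encapsulated packet (Encaps mode only)
    payload: str = ""


def new_srh(travel_order: List[str]) -> SRH:
    """Build an SRH for a segment list given in travel order (first hop first)."""
    return SRH(segments=list(reversed(travel_order)), sl=len(travel_order) - 1)


def fits_stack_depth(travel_order: List[str], max_depth: int) -> bool:
    """Headend check: can this segment list be carried in a single SRH?
    When it cannot, a binding SID is needed to stitch two SRv6 paths."""
    return len(travel_order) <= max_depth


def end_b6_insert(pkt: IPv6Packet, policy: List[str]) -> IPv6Packet:
    """End.B6.Insert (Insert mode): the original SRH stays in place behind a new
    SRH inserted after the original IPv6 header. Modelling assumption: SL of the
    original SRH is decremented first so that it already points at the segment
    that follows the binding SID once the inserted SRH has been consumed."""
    if not pkt.srhs or pkt.srhs[0].sl == 0:
        raise ValueError("End.B6.Insert needs an SRH with SL > 0")
    pkt.srhs[0].sl -= 1
    policy_srh = new_srh(policy)
    pkt.srhs.insert(0, policy_srh)
    pkt.da = policy_srh.active          # first SID of the stitched SRv6 Policy
    return pkt


def end_b6_encaps(pkt: IPv6Packet, policy: List[str], node_addr: str) -> IPv6Packet:
    """End.B6.Encaps (Encaps mode), following the operations listed in the notes:
    SL of the inner SRH -= 1, inner DA = inner SRH[SL], then push an outer IPv6
    header (SA = this node, DA = first policy SID) and an outer SRH."""
    if not pkt.srhs or pkt.srhs[0].sl == 0:
        raise ValueError("End.B6.Encaps needs an SRH with SL > 0")
    inner_srh = pkt.srhs[0]
    inner_srh.sl -= 1
    pkt.da = inner_srh.active           # copy SRH[SL] into the inner DA
    policy_srh = new_srh(policy)
    return IPv6Packet(sa=node_addr, da=policy_srh.active, srhs=[policy_srh], inner=pkt)


# Constructed scenario after the slide: PE1 pushes FC02::2 (End), FC02::1C (End.X),
# the binding SID FC03::100 on ASBR1, and FC04::100 (End.DT4 on PE2).
PE1_SEGMENTS = ["FC02::2", "FC02::1C", "FC03::100", "FC04::100"]
# Segments the binding SID FC03::100 stands for inside AS65002 (assumed values).
STITCHED_SEGMENTS = ["FC03::4", "FC04::4"]
# The flat list that would be needed without stitching: 5 SIDs, more than the depth of 4.
E2E_SEGMENTS = ["FC02::2", "FC02::1C", "FC03::4", "FC04::4", "FC04::100"]
ASBR1_ADDR = "FC03::3"   # assumed address, used as the outer SA in Encaps mode


def packet_at_asbr1() -> IPv6Packet:
    """The PE1 packet as it reaches ASBR1: FC02::2 and FC02::1C are done, DA = binding SID."""
    srh = new_srh(PE1_SEGMENTS)
    srh.sl = 1
    return IPv6Packet(sa="FC01::1", da=srh.active, srhs=[srh], payload="CE1->CE2")
```

Running `end_b6_encaps(packet_at_asbr1(), STITCHED_SEGMENTS, ASBR1_ADDR)` yields an outer packet with DA FC03::4 and an inner packet whose DA is already FC04::100 and whose SRH has SL = 0, which is the state the PE2 column of the figure shows; the Insert variant leaves one packet with two SRHs.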
Color-based Traffic Steering to SRv6 Policies

⚫ SRv6 Policies support color-based traffic steering, enabling traffic to be steered to an SRv6 Policy through route recursion that is implemented based on the color value and destination address in the route.

[Figure: CE1 -> PE1 -> PE2 -> CE2. BGP routes received by PE1: Prefix Net1, NHP PE2, Ext-Community 0:15; Prefix Net2, NHP PE2, Ext-Community 0:20. IGP routes: on the CE1 side, Net1 and Net2 via PE1; on the PE2 side, Net1 and Net2 via CE2. Two SRv6 Policies from PE1 to PE2, with Color 15 and Color 20. Annotations: use route-policies to specify color values (extended community attribute) for specific BGP routes; alternatively, deploy an import route-policy on PE1 or an export route-policy on PE2; alternatively, specify color values for specific VRFs on PE1 (VRF1 -> 15 -> SRv6 Policy; VRF2 -> 20 -> SRv6 Policy). When forwarding a packet (DIP Net1 or DIP Net2), the PE determines the SRv6 Policy to which the corresponding route recurses based on the destination address of the packet and the next hop of the route.]

• Configure a tunnel policy on PE1. After receiving the BGP routes (Net1 and Net2),
PE1 recurses the routes to different SRv6 Policies based on the color values (0:15
and 0:20) and the next hop (PE2). Before forwarding packets to specified subnets
(Net1 and Net2), PE1 adds specific SRv6 SID stacks to the packets.

• The color attribute in route entries can be modified before the local router (for
example, PE2) sends routes or after the peer router (for example, PE1) receives
routes.

• You can also directly configure the color attribute for the VPN instance of the
originating router (for example, PE1), so that all traffic of the VPN instance is
forwarded over the specified SRv6 Policy.
DSCP-based Traffic Steering to SRv6 Policies

⚫ Color-based traffic steering causes different traffic (such as HTTP and FTP traffic) destined for the same address to recurse to the same forwarding path, leading to a failure to implement refined traffic control. In this case, DSCP-based traffic steering can be performed to recurse traffic to different forwarding paths.

[Figure: CE1 -> PE1 -> PE2 -> CE2, with an FTP service and an HTTP service on Net1 behind CE2. BGP route received by PE1: Prefix Net1, NHP PE2, Ext-Community 0:1000. IGP routes: Net1 via PE1 on the CE1 side; Net1 via CE2 on the PE2 side. Annotations: use a route-policy to specify a color value (extended community attribute) for the specific BGP route; alternatively, deploy an import route-policy on PE1 or an export route-policy on PE2; alternatively, specify a color value for the specific VRF on PE1 (VRF1 -> 1000 -> SRv6 Policy). Packets from CE1: DIP Net1, DSCP 46 and DIP Net1, DSCP 23. PE1 finds a matching mapping policy (color 1000) based on the packet destination address and next hop, and then recurses the packets to different forwarding paths based on DSCP values: the mapping policy (Color 1000) on PE1 maps DSCP 24 to SRv6 Policy 1 (Color 15) and DSCP 28 to SRv6 Policy 2 (Color 20).]

• In DSCP-based traffic steering, the color attribute in route entries is mainly used
to find a matching mapping policy.
• The color attribute in route entries can be modified in the outbound direction of
the originating router (for example, PE2) or in the inbound direction of the
receiving router (for example, PE1).
• You can also directly configure the color attribute for the VPN instance of the
originating router (for example, PE1), so that all traffic of the VPN instance is
forwarded over the specified SRv6 Policy.
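Both steering modes described above (color-based recursion on the preceding slide and the DSCP mapping policy on this one) reduce to the same lookup on the ingress PE. The following is an added example (constructed, not Huawei code) of that lookup: a longest-prefix match on the BGP route, the colour taken from the route's extended community or from the VPN instance, and, when the colour selects a mapping policy, the DSCP value picking the real colour. Prefixes, the PE2 endpoint address FC03::3, and the policy names are constructed; the colours 15, 20 and 1000 and the DSCP mappings 24 and 28 are the ones in the figures. Two points the slides leave open are assumptions marked in the code: a colour configured on the VRF overrides the route colour, and traffic with no matching policy or DSCP entry falls back to SRv6 BE.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BgpRoute:
    prefix: str            # e.g. "10.1.0.0/16" (constructed stand-in for Net1)
    next_hop: str          # BGP next hop = SRv6 Policy endpoint
    color: Optional[int]   # Color extended community 0:N stored as N; None if absent


# SRv6 Policies on PE1, keyed by (endpoint, color): the pair route recursion uses.
POLICIES: Dict[Tuple[str, int], str] = {
    ("FC03::3", 15): "Policy-PE2-color15",
    ("FC03::3", 20): "Policy-PE2-color20",
}

# Mapping policy: route colour 1000 selects a DSCP -> colour table instead of a policy.
MAPPING_POLICIES: Dict[int, Dict[int, int]] = {
    1000: {24: 15, 28: 20},
}

# Colour configured directly on a VPN instance (assumption: it overrides the route colour).
VRF_COLOR: Dict[str, int] = {"VRF2": 20}

ROUTES: List[BgpRoute] = [
    BgpRoute("10.1.0.0/16", "FC03::3", 15),     # Net1, colour 0:15
    BgpRoute("10.2.0.0/16", "FC03::3", 20),     # Net2, colour 0:20
    BgpRoute("10.3.0.0/16", "FC03::3", 1000),   # Net3, colour 0:1000 -> mapping policy
]


def lookup_route(dst: str) -> Optional[BgpRoute]:
    """Longest-prefix match over ROUTES for the packet destination address."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in ROUTES:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def steer(dst: str, vrf: str = "VRF1", dscp: int = 0) -> str:
    """Return the SRv6 Policy the packet recurses to, or the fallback."""
    route = lookup_route(dst)
    if route is None:
        return "no route"
    color = VRF_COLOR.get(vrf, route.color)     # VRF colour first (assumption), else route colour
    if color is None:
        return "SRv6-BE"                        # uncoloured route: best effort (assumption)
    if color in MAPPING_POLICIES:               # DSCP-based steering
        color = MAPPING_POLICIES[color].get(dscp)
        if color is None:
            return "SRv6-BE"                    # DSCP not in the mapping policy (assumption)
    return POLICIES.get((route.next_hop, color), "SRv6-BE")
```

With these tables, a packet to 10.1.1.1 recurses to the colour-15 policy, the same destination from VRF2 recurses to the colour-20 policy, and packets to 10.3.1.1 are split by DSCP 24 and 28 onto the two policies.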
Contents
1. SRv6 Overview
2. SRv6 Fundamentals
▫ Basic Concepts of SRv6
▫ SRv6 Policy Path Establishment and Traffic Steering
◼ Typical SRv6 Applications
3. SRv6 High Reliability
4. Basic SRv6 Configuration
5. SRv6 Deployment Using iMaster NCE-IP
L3VPN over SRv6 Policy
⚫ If an SRv6 Policy is used to carry VPN traffic, the last-hop SRv6 device processes data in a way slightly different from that of a common SRv6 device.

[Figure: CE1 -> PE1 (locator FC01:: /96, End SID FC01::1) -> P1 (FC02:: /96, FC02::2) -> PE2 (FC03:: /96, FC03::3, End.DT4 SID FC03::300 for VPNA) -> CE2 in AS 65000; an SRv6 Policy with Color 15 runs from PE1 to PE2. Routes: IGP route Net2 via PE1 on the CE1 side; MP-BGP route Net2, NHP PE2, Ext-Community FC03::300 + 0:15 + RT; IGP route Net2 via CE2 on the PE2 side. Packet from CE1: DIP Net2, SIP CE1, Payload. PE1 forwards the IP packet over the corresponding SRv6 Policy based on the color value: DIPv6 FC02::2, SIPv6 FC01::1, SRH (SL = 2) with Segment List FC03::300, FC03::3, FC02::2, inner DIP Net2 / SIP CE1 / Payload. P1 forwards the packet based on the outer IPv6 header: DIPv6 FC03::3, SRH (SL = 1). At PE2: DIPv6 FC03::300, SRH (SL = 0); the last-hop SRv6 router looks up the routing table twice, removes the outer IPv6 header and forwards the packet as a common IP one: DIP CE2, SIP CE1, Payload.]

• Route advertisement process:
▫ SRv6 and SRv6 VPN are configured on each PE, and IPv6 or SRv6 is enabled
on the transit node.
▫ PE2 advertises an SRv6 locator route to PE1.
▫ CE-to-PE route advertisement: CE2 advertises its route to PE2. Either a static
route or a routing protocol (RIP, OSPFv3, IS-IS, or BGP) can be deployed
between the CE and PE.
▫ After learning the route advertised by CE2, PE2 installs it in the routing
table of the corresponding VPN instance and converts the route into an
MP-BGP one.
▫ Inter-PE route advertisement: Configure a BGP or VPN export policy on PE2
(or a BGP or VPN import policy on PE1), and set a color value for the route
(next hop: PE2). Then, configure PE2 to send routing information to PE1
through a BGP peer relationship using update messages with RT and SRv6
VPN SID attributes.
▫ After PE1 receives the VPN route, if the next hop in the route is reachable
and the route matches the BGP import policy, PE1 performs a series of
actions to determine whether to install the route in the routing table of the
corresponding VPN instance. These actions include VPN route leaking, route
recursion to an SRv6 path, and route selection. In this example, PE1 installs
the VPN route, which is associated with the SRv6 VPN SID.
▫ PE-to-CE route advertisement: CE1 can learn the VPN route from PE1
through a static route or a routing protocol (RIP, OSPFv3, IS-IS, or BGP).
The route advertisement process is similar to that from CE2 to PE2.
• Packet forwarding process:
▫ After receiving a common unicast packet from CE1, PE1 searches the
routing table of the corresponding VPN instance and finds that the
outbound interface of the route is an SRv6 Policy interface. PE1 then inserts
an SRH carrying the SID list of the SRv6 Policy and encapsulates an IPv6
header into the packet. After completing these operations, PE1 forwards the
packet to P1.
▫ The transit node P1 forwards the packet hop by hop based on SRH
information.
▫ After receiving the packet, the endpoint PE2 searches the My Local SID
Table and finds an End SID that matches the IPv6 DA FC03::3 in the packet.
According to the instruction bound to the SID, PE2 decrements the SL value
of the packet by 1 and updates the IPv6 DA to the VPN SID FC03::300.
▫ Based on the VPN SID FC03::300, PE2 searches the My Local SID Table and
finds a matching End.DT4 SID. According to the instruction bound to the
SID, PE2 decapsulates the packet, removes the SRH and IPv6 header,
searches the routing table of the VPN instance corresponding to the VPN
SID FC03::300 according to the DA in the inner packet, and forwards the
packet to CE2.
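The forwarding process just listed, walked through as an added example (constructed model, not Huawei code): PE1 encapsulates the CE1 packet with the policy SID list from the figure (FC02::2, FC03::3, FC03::300), P1 applies its End SID, and PE2 performs the two lookups the slide mentions, first End on FC03::3 and then End.DT4 on FC03::300, which decapsulates the packet and resolves Net2 in the VPNA routing table. The My Local SID Tables and the VPNA table contents are constructed from the figure; the prefix names Net2, CE1 and CE2 are used as symbolic addresses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    da: str                                              # destination address of this header
    sa: str
    segments: List[str] = field(default_factory=list)    # SRH Segment List, index 0 = last segment
    sl: int = 0                                          # Segments Left
    inner: Optional["Packet"] = None                     # encapsulated IPv4 packet from CE1


# PE1's VPNA routing table: prefix -> (outbound interface type, policy segments in travel order).
# Route recursion on colour 15 and next hop PE2 selected this SRv6 Policy (per the figure).
PE1_VPNA_ROUTES = {"Net2": ("SRv6-Policy", ["FC02::2", "FC03::3", "FC03::300"])}

# My Local SID Table per node: SID -> (behaviour, argument). Constructed from the figure.
LOCAL_SID_TABLES: Dict[str, Dict[str, Tuple[str, str]]] = {
    "P1": {"FC02::2": ("End", "")},
    "PE2": {"FC03::3": ("End", ""), "FC03::300": ("End.DT4", "VPNA")},
}
# VPN instance routing tables on PE2: VRF -> {prefix: next hop}.
PE2_VRF_TABLES = {"VPNA": {"Net2": "CE2"}}


def pe1_encapsulate(ipv4: Packet, travel_order: List[str], source: str = "FC01::1") -> Packet:
    """PE1: push an SRH with the policy SID list and an outer IPv6 header whose
    DA is the first SID (the figure shows DIPv6 FC02::2 and SRH SL = 2)."""
    segs = list(reversed(travel_order))
    sl = len(segs) - 1
    return Packet(da=segs[sl], sa=source, segments=segs, sl=sl, inner=ipv4)


def endpoint_process(node: str, pkt: Packet) -> Tuple[Packet, Optional[str]]:
    """Apply the My Local SID Table of `node` to the packet's DA.
    Returns (packet, next_hop); next_hop stays None while the packet is still in SRv6."""
    entry = LOCAL_SID_TABLES.get(node, {}).get(pkt.da)
    if entry is None:
        return pkt, None                       # not a local SID: plain IPv6 forwarding on the DA
    behaviour, arg = entry
    if behaviour == "End":
        if pkt.sl == 0:
            raise ValueError("End SID reached with SL == 0")
        pkt.sl -= 1
        pkt.da = pkt.segments[pkt.sl]          # update the DA to the next SID
        return pkt, None
    if behaviour == "End.DT4":
        if pkt.inner is None:
            raise ValueError("End.DT4 needs an encapsulated IPv4 packet")
        inner = pkt.inner                      # remove the SRH and outer IPv6 header
        return inner, PE2_VRF_TABLES[arg].get(inner.da)   # second lookup: VPN routing table
    raise ValueError(f"unsupported behaviour {behaviour}")


def forward_ce1_to_ce2(dst: str = "Net2"):
    """Walk the packet PE1 -> P1 -> PE2; return (per-hop trace of DA and SL, final packet, next hop)."""
    iface, segs = PE1_VPNA_ROUTES[dst]
    pkt = Packet(da=dst, sa="CE1")             # common unicast packet from CE1
    if iface == "SRv6-Policy":
        pkt = pe1_encapsulate(pkt, segs)
    trace = [("PE1", pkt.da, pkt.sl)]
    pkt, _ = endpoint_process("P1", pkt)       # End SID FC02::2 on P1
    trace.append(("P1", pkt.da, pkt.sl))
    pkt, _ = endpoint_process("PE2", pkt)      # first lookup on PE2: End SID FC03::3
    trace.append(("PE2", pkt.da, pkt.sl))
    pkt, next_hop = endpoint_process("PE2", pkt)   # second lookup: End.DT4 SID FC03::300
    return trace, pkt, next_hop
```

The trace reproduces the three outer-header states in the figure (FC02::2 with SL = 2, FC03::3 with SL = 1, FC03::300 with SL = 0) before the inner packet with DIP Net2 is handed to CE2.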
L3VPN over SRv6 BE
⚫ When SRv6 BE is used to carry VPN traffic, the P between PEs does not function as an endpoint.

[Figure: same topology as the previous slide (PE1 locator FC01:: /96 and End SID FC01::1; P1 FC02:: /96 and FC02::2; PE2 FC03:: /96 and FC03::3, End.DT4 SID FC03::300 for VPNA; AS 65000). MP-BGP route: Net2, NHP PE2, Ext-Community FC03::300 + RT; IGP routes Net2 via PE1 on the CE1 side and Net2 via CE2 on the PE2 side. PE1 forwards the IP packet over an SRv6 Policy (as labelled in the figure): DIPv6 FC03::300, SIPv6 FC01::1, inner DIP Net2 / SIP CE1 / Payload; the figure shows no SRH. P1 forwards the packet based on the outer IPv6 header. PE2 removes the outer IPv6 header and forwards the packet as a common IP one: DIP Net2, SIP CE1, Payload.]

• Route advertisement process:
▫ SRv6 and SRv6 VPN are configured on each PE, and IPv6 is enabled on the
transit node.
▫ PE2 advertises an SRv6 locator route to PE1.
▫ CE-to-PE route advertisement: CE2 advertises its route to PE2. Either a static
route or a routing protocol (RIP, OSPFv3, IS-IS, or BGP) can be deployed
between the CE and PE.
▫ After learning the route advertised by CE2, PE2 installs it in the routing
table of the corresponding VPN instance and converts the route into an
MP-BGP one.
▫ Inter-PE route advertisement: PE2 advertises the VPN route to egress node
PE1 through MP-BGP using update messages with RT and SRv6 VPN SID
attributes.
▫ After PE1 receives the VPN route, if the next hop in the route is reachable
and the route matches the BGP import policy, PE1 performs a series of
actions to determine whether to install the route in the routing table of the
corresponding VPN instance. These actions include VPN route leaking, route
recursion to an SRv6 BE path, and route selection. In this example, PE1
installs the VPN route, which is associated with the SRv6 VPN SID.
▫ PE-to-CE route advertisement: CE1 can learn the VPN route from PE1
through a static route or a routing protocol (RIP, OSPFv3, IS-IS, or BGP).
The route advertisement process is similar to that from CE2 to PE2.
• Packet forwarding process:
▫ After receiving a common unicast packet from CE1, PE1 searches the
routing table of the corresponding VPN instance and finds that the
outbound interface of the route is an SRv6 Policy interface. PE1 then inserts
an SRH carrying the SID list of the SRv6 Policy and encapsulates an IPv6
header into the packet. After completing these operations, PE1 forwards the
packet to P1.
▫ The transit node P1 forwards the packet hop by hop based on SRH
information.
▫ After receiving the packet, the endpoint PE2 searches the My Local SID
Table and finds an End SID that matches the IPv6 DA FC03::3 in the packet.
According to the instruction bound to the SID, PE2 decrements the SL value
of the packet by 1 and updates the IPv6 DA to the VPN SID FC03::300.
▫ Based on the VPN SID FC03::300, PE2 searches the My Local SID Table and
finds a matching End.DT4 SID. According to the instruction bound to the
SID, PE2 decapsulates the packet, removes the SRH and IPv6 header,
searches the routing table of the VPN instance corresponding to the VPN
SID FC03::300 according to the DA in the inner packet, and forwards the
packet to CE2.
Native IPv6 over SRv6 Policy
⚫ Common IPv6 data can also be carried using SRv6.

[Figure: same topology and locators (PE1 FC01:: /96, End SID FC01::1; P1 FC02:: /96, FC02::2; PE2 FC03:: /96, FC03::3; AS 65000); an SRv6 Policy with Color 15 runs from PE1 to PE2. BGP route: Net2, NHP PE2, Ext-Community 0:15; IGP routes Net2 via PE1 on the CE1 side and Net2 via CE2 on the PE2 side. Packet from CE1: DIPv6 Net2, SIPv6 CE1, Payload. PE1 forwards the IPv6 packet over the corresponding SRv6 Policy based on the color value: DIPv6 FC02::2, SIPv6 CE1, SRH (SL = 2) with Segment List Net2, FC03::3, FC02::2, Payload. P1 forwards the packet based on the outer IPv6 header: DIPv6 FC03::3, SRH (SL = 1). At PE2: DIPv6 Net2, SRH (SL = 0); PE2 removes the SRH and forwards the packet as a common IPv6 one: DIPv6 Net2, SIPv6 CE1, Payload.]

• Route advertisement process:
▫ SRv6 and SRv6 VPN are configured on each PE, and IPv6 or SRv6 is enabled
on the transit node.
▫ PE2 advertises an SRv6 locator route to PE1.
▫ CE-to-PE route advertisement: CE2 advertises its route to PE2. Either a static
route or a routing protocol (RIP, OSPFv3, IS-IS, or BGP) can be deployed
between the CE and PE.
▫ Inter-PE route advertisement: Configure a BGP export policy on PE2 (or a
BGP import policy on PE1), and set a color value for the route (next hop:
PE2). Then, configure PE2 to send routing information to PE1 through a
BGP peer relationship.
▫ After PE1 receives the IPv6 route, if the next hop in the route is reachable
and the route matches the BGP import policy, PE1 performs a series of
actions, including route recursion to an SRv6 path and route selection.
▫ PE-to-CE route advertisement: CE1 can learn the IPv6 route from PE1
through a static route or a routing protocol (RIP, OSPFv3, IS-IS, or BGP).
The route advertisement process is similar to that from CE2 to PE2.
• Packet forwarding process:
▫ After receiving a unicast IPv6 packet from CE1, PE1 searches the IPv6
routing table and finds that the outbound interface of the route is an SRv6
Policy interface. PE1 then inserts an SRH carrying the SID list of the SRv6
Policy and encapsulates an IPv6 header into the packet. After completing
these operations, PE1 forwards the packet to P1.
▫ The transit node P1 forwards the packet hop by hop based on SRH
information.
▫ After receiving the packet, the endpoint PE2 searches the My Local SID
Table and finds an End SID that matches the IPv6 DA FC03::3 in the packet.
According to the instruction bound to the SID, PE2 decrements the SL value
of the packet by 1 and updates the IPv6 DA to the End SID Net2.
▫ Based on the End SID Net2, PE2 searches the My Local SID table, finds a
matching End SID, removes the SRH and IPv6 header, and forwards the
packet to CE2.
Contents
1. SRv6 Overview
2. SRv6 Fundamentals
3. SRv6 High Reliability
◼ Overview of SRv6 High Reliability
▫ SRv6 Tunnel Status Detection and Tunnel Protection
▫ SRv6 Egress Protection and Access Protection
4. Basic SRv6 Configuration
5. SRv6 Deployment Using iMaster NCE-IP
WAN Bearer Networks' Requirements for High Reliability
⚫ Fault recovery within 50 ms has become a basic requirement of WAN bearer networks.
 Voice services: have high requirements for real-time performance. If fault recovery is completed within milliseconds, the fault is imperceptible or only slightly perceptible to users, without much impact on services. However, if the fault recovery time reaches seconds, the corresponding session is interrupted.
 IPTV services: If fault recovery is completed within milliseconds, IPTV services may encounter transient pixelation.

[Figure, left: impact of network faults on voice services. Voice user experience plotted against fault recovery time, ranging from imperceptible through slightly perceptible and obviously perceptible to session interrupted, with axis ticks at 0, 50 ms, 500 ms, and 2 s. Reference standard: YD/T 1071-2000 <IP Telephone Gateway technical specification>.]
[Figure, right: impact of network faults on IPTV services. A GOP of I, B, B, P, B, B, P, B, B, I frames; I-frame damage caused by packet loss is the key cause of erratic display.]
Overview of Multi-Layer Reliability Solutions
⚫ WAN bearer networks require high reliability to be provided at device, network, and service layers to achieve E2E high availability of 99.999% and fast protection switching of all services within 50 ms.
 Service layer (EVPN, L3VPN): VPN FRR.
 Tunnel layer (SRv6, IGP): TI-LFA, midpoint protection (TE FRR), SRv6 tunnel and candidate path protection (HSB).
 Physical layer:
• Highly reliable hardware architecture: key components, such as main control boards, SFUs, interface boards, power supply modules, and fans, adopt a redundancy design.
• Highly reliable networking architecture: effective redundant paths, a reliable networking mode (e.g. ring, spine-leaf, or dual-plane networking), and sufficient protection bandwidth reserved.
Overview of Reliability Technologies for Multi-Layer Networks

Detection Object | Detection Technology | Protection Technology
VPN | BFD for locator | VPN FRR
LSP | SBFD for SRv6 Policy | HSB, mixed VPN FRR
IGP | BFD for IGP | Midpoint protection, TI-LFA
Physical link | BFD for interface | Microloop avoidance
Usage Scenarios of Reliability Technologies for Multi-Layer Networks

[Figure: bearer network CE - PE - P - P - PE - CE (two parallel rows), divided into the left access network, the intermediate network, and the right access network. Failure points are numbered 1 to 11: 1, 2, 10 and 11 lie in the access networks, 3 and 9 on the PEs, and 4 to 8 in the intermediate network.]

Service Category | Protection Type | Tunnel Type | Failure Point | Detection Technology | Protection Technology | Specification
Common services | Local protection, E2E protection | SRv6 BE, SRv6 Policy | 4 to 8 | BFD for interface | 1. TI-LFA (SRv6 BE + SRv6 Policy); 2. Midpoint TI-LFA (SRv6 Policy) | 50 ms
Common services | Local protection, E2E protection | SRv6 BE, SRv6 Policy | 3 and 9 | BFD for locator | VPN FRR | 50 ms
Common services | Local protection, E2E protection | SRv6 BE, SRv6 Policy | 1, 2, 10, and 11 | BFD for interface | VPN mixed FRR, IP FRR | 50 ms
Services with high SLA requirements | Local protection, E2E protection | SRv6 Policy | 4 to 8 | SBFD for SRv6 Policy | HSB | 50 ms
Services with high SLA requirements | Local protection, E2E protection | SRv6 Policy | 3 and 9 | SBFD for SRv6 Policy | VPN FRR | 200 ms/50 ms
Services with high SLA requirements | Local protection, E2E protection | SRv6 Policy | 1, 2, 10, and 11 | BFD for interface | VPN mixed FRR, IP FRR | 50 ms
Contents
1. SRv6 Overview
2. SRv6 Fundamentals
3. SRv6 High Reliability
▫ Overview of SRv6 High Reliability
◼ SRv6 Tunnel Status Detection and Tunnel Protection
▫ SRv6 Egress Protection and Access Protection
4. Basic SRv6 Configuration
5. SRv6 Deployment Using iMaster NCE-IP
SRv6 Tunnel Detection Technologies
⚫ SRv6 tunnel connectivity can be detected using multiple technologies, such as SBFD, ping, and tracert.

[Figure: left, SBFD run end to end over an SRv6 tunnel; right, ping and tracert run over an SRv6 tunnel.]

SBFD
• SBFD can be used to detect tunnel connectivity in an E2E manner.
• However, SBFD cannot detect the specific fault location on the network. As such, it is usually used with HSB or VPN FRR.
Ping/Tracert
• SRv6 SID ping is mainly used to check network connectivity and host reachability.
 Ping tests are classified into segment-by-segment tests and non-segment-by-segment tests.
• In addition to checking network connectivity and host reachability, SRv6 SID tracert can be used to analyze the specific fault location on the network.

• Seamless bidirectional forwarding detection (SBFD) is a simplified BFD mechanism. With a simplified BFD state machine, SBFD shortens the negotiation time and improves network-wide flexibility.
▫ The IPv6 address of the SBFD reflector must be the same as the endpoint of the corresponding SRv6 Policy.
• As SRv6 simply adds a new type of routing extension header to implement forwarding based on the IPv6 data plane, ICMPv6 ping and tracert can be directly used on an SRv6 network for connectivity check based on common IPv6 addresses, without requiring any changes to hardware or software. ICMPv6 ping and tracert both support packet forwarding to a destination address over the shortest path, thereby checking the reachability to the destination. If the destination address is an SRv6 SID, the check can be performed through either ICMPv6 ping & tracert or SRv6 OAM extensions. Currently, SRv6 OAM can be extended in either of the following ways:
▫ Set the O-bit (OAM bit) in the SRH.
▫ Insert an End.OP SID into the SRH.

SBFD Implementation

[Figure: SBFD exchange between the detection end (initiator) and the reflector, and the SBFD state machine on the initiator. The initiator sends an SBFD Control packet carrying Down or Up; the reflector loops back an SBFD Control packet carrying Up or Admin Down. State machine on the initiator: Down -> Up on a reflected Up; Up -> Down on a reflected Admin Down or on timer expiry.]

• Before link detection, an SBFD initiator and an SBFD reflector exchange SBFD Control packets to notify each other of SBFD parameters (for example, discriminators). In link detection, the initiator proactively sends an SBFD packet, and the reflector loops this packet back. The initiator then determines the local status based on the looped packet.
• The loopback packet constructed by the reflector carries the Admin Down or Up field.
• After receiving a reflected packet carrying the Up state, the initiator sets the local state to Up. After receiving a reflected packet carrying the Admin Down state, it sets the local state to Down. It also sets the local state to Down if it does not receive any reflected packet before the timer expires.

• Because the state machine has only Up and Down states, the initiator can send
packets carrying only the Up or Down state and receive packets carrying only the
Up or Admin Down state. The initiator starts by sending an SBFD packet carrying
the Down state to the reflector. The destination and source port numbers of the
packet are 7784 and 4784, respectively; the destination IP address is a user-
configured address on the 127 network segment; the source IP address is the
locally configured LSR ID.

• The reflector does not have any SBFD state machine or detection mechanism. For
this reason, it does not proactively send SBFD Echo packets, but rather, it only
reflects SBFD packets. The destination and source port numbers in the looped-
back packet are 4784 and 7784, respectively; the source IP address is the locally
configured LSR ID; the destination IP address is the source IP address of the
initiator.
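The initiator/reflector exchange and the two-state initiator state machine from the last two slides, as an added example (a constructed simulation, not Huawei code). It keeps the port numbers stated above (initiator sends from 4784 to 7784, the reflection swaps them), uses discriminators to tie a reflection to the probe it answers, and models the three transitions: a reflected Up sets the initiator to Up, a reflected Admin Down sets it to Down, and a missing reflection before the timer expires also sets it to Down. The reflector keeps no state machine and only loops packets back. LSR IDs and discriminator values are constructed; the reflector address is passed in because, for an SRv6 Policy, it must equal the policy endpoint.

```python
from dataclasses import dataclass
from typing import Optional

SBFD_INITIATOR_PORT = 4784   # source port of initiator probes, destination port of reflections
SBFD_REFLECTOR_PORT = 7784   # destination port of initiator probes, source port of reflections
ADMIN_DOWN, DOWN, UP = "AdminDown", "Down", "Up"


@dataclass(frozen=True)
class SbfdPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    my_disc: int       # sender's discriminator
    your_disc: int     # discriminator the sender expects at the receiver
    state: str


class Reflector:
    """Stateless reflector: no state machine, no timers; it only loops packets back."""

    def __init__(self, lsr_id: str, local_disc: int, admin_up: bool = True):
        self.lsr_id, self.local_disc, self.admin_up = lsr_id, local_disc, admin_up

    def reflect(self, pkt: SbfdPacket) -> Optional[SbfdPacket]:
        if pkt.dst_port != SBFD_REFLECTOR_PORT or pkt.your_disc != self.local_disc:
            return None            # not addressed to this reflector: dropped
        return SbfdPacket(src_ip=self.lsr_id, dst_ip=pkt.src_ip,
                          src_port=SBFD_REFLECTOR_PORT, dst_port=SBFD_INITIATOR_PORT,
                          my_disc=self.local_disc, your_disc=pkt.my_disc,
                          state=UP if self.admin_up else ADMIN_DOWN)


class Initiator:
    """Two-state initiator: sends Down/Up, accepts Up/Admin Down, times out to Down."""

    def __init__(self, lsr_id: str, local_disc: int, remote_disc: int, reflector_ip: str):
        self.lsr_id, self.local_disc, self.remote_disc = lsr_id, local_disc, remote_disc
        self.reflector_ip = reflector_ip   # for an SRv6 Policy: the policy endpoint address
        self.state = DOWN                  # detection starts in the Down state

    def build_probe(self) -> SbfdPacket:
        return SbfdPacket(src_ip=self.lsr_id, dst_ip=self.reflector_ip,
                          src_port=SBFD_INITIATOR_PORT, dst_port=SBFD_REFLECTOR_PORT,
                          my_disc=self.local_disc, your_disc=self.remote_disc, state=self.state)

    def on_reflected(self, pkt: SbfdPacket) -> str:
        # only a reflection of our own probe may change the local state
        if pkt.dst_port == SBFD_INITIATOR_PORT and pkt.your_disc == self.local_disc:
            if pkt.state == UP:
                self.state = UP
            elif pkt.state == ADMIN_DOWN:
                self.state = DOWN
        return self.state

    def on_timer_expiry(self) -> str:
        self.state = DOWN
        return self.state


def detection_round(initiator: Initiator, reflector: Reflector, path_ok: bool = True) -> str:
    """One detection interval: send the probe and deliver the reflection if the path
    is up; otherwise the initiator's timer expires. Returns the initiator's new state."""
    probe = initiator.build_probe()
    reply = reflector.reflect(probe) if path_ok else None
    if reply is None:
        return initiator.on_timer_expiry()
    return initiator.on_reflected(reply)
```

A reflector with a different local discriminator silently drops the probe, which the initiator then sees as a timeout and reports as Down; that is the behaviour that lets SBFD feed HSB or VPN FRR without any detection logic on the far end.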
Introduction to SRv6 Ping and Tracert

[Figure: IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header = 43, Hop Limit, IPv6 source address (SA), IPv6 destination address (DA)) followed by the SRH (Next Header, Hdr Ext Len, Routing Type = 4, Segments Left = 2, Last Entry, Flags, Tag, Segment List [0], [1], [2], Optional TLV objects) and the L2/L3 payload. Format of the Flags field: the O bit followed by Reserved bits; the figure shows the value 00100000.]

Solution 1: O-bit in the SRH. Because the O-bit is carried in the SRH, each SRv6 endpoint node needs to process and respond to ICMPv6 ping and tracert requests. Therefore, segment-by-segment tests can be implemented based on the O-bit.
Solution 2: End.OP SID. The End.OP SID can instruct data packets to be sent to the control plane for OAM processing. In the case of an SRv6 Policy test, the headend encodes an End.OP SID into the segment list. Because only the SRv6 endpoint that has generated an End.OP SID can process ICMPv6 ping and tracert request packets, E2E tests can be implemented based on End.OP SIDs.

• Currently, SRv6 ping and tracert can be implemented using the following two methods:
▫ One method is to use the O-bit (OAM bit) in the SRH. Because the O-bit is carried in the SRH, each SRv6 endpoint node needs to process and respond to ICMPv6 ping and tracert requests. Therefore, segment-by-segment tests can be implemented based on the O-bit. You can run the ping ipv6-sid and tracert ipv6-sid commands to initiate tests based on one or more SIDs.
▫ The other method is to introduce End.OP SIDs, which instruct data packets to be sent to the control plane for OAM processing. In the case of an SRv6 Policy test, the headend encodes an End.OP SID into the segment list. Because only the SRv6 endpoint that has generated an End.OP SID can process ICMPv6 ping and tracert request packets, E2E tests can be implemented based on End.OP SIDs.
▪ For SID stack-based tests, specify one or more End.OP SIDs in the ping ipv6-sid and tracert ipv6-sid commands.
▪ For SRv6 Policy-based tests, specify the end-op parameter in the ping srv6-te policy and tracert srv6-te policy commands.
SRv6 Ping Implementation
⚫ SRv6 ping can be classified into segment-by-segment ping and non-segment-by-segment ping.

[Figure: PE1 (FC01::1) -> P1 (FC02::2) -> PE2 (FC03::3). In both tests PE1 sends an ICMPv6 Request with DIPv6 FC02::2, SIPv6 FC01::1 and an SRH (SL = 1) carrying FC03::3 and FC02::2, which P1 forwards with DIPv6 FC03::3 and SRH (SL = 0). Segment-by-segment ping test: P1 (SIPv6 FC02::2) and PE2 (SIPv6 FC03::3) each return an ICMPv6 Reply to DIPv6 FC01::1. Non-segment-by-segment ping test: only PE2 returns an ICMPv6 Reply (DIPv6 FC01::1, SIPv6 FC03::3).]

• For a segment-by-segment test:
▫ PE1 initiates a ping operation to PE2. Specifically, it constructs an ICMPv6 Request packet carrying the SRv6 SIDs (End and End.X SIDs) of P1 and the End SID of PE2 and then forwards the packet.
▫ After receiving the ICMPv6 Request packet, P1 sends an ICMPv6 Reply packet to PE1 and forwards the ICMPv6 Request packet to PE2.
▫ After receiving the ICMPv6 Request packet, PE2 sends an ICMPv6 Reply packet to PE1.
• For a non-segment-by-segment test:
▫ PE1 initiates a ping operation to PE2. Specifically, it constructs an ICMPv6 Request packet carrying the End SID of PE2 and then forwards the packet.
▫ After receiving the ICMPv6 Request packet, P1 forwards it to PE2.
▫ After receiving the ICMPv6 Request packet, PE2 sends an ICMPv6 Reply packet to PE1. In this case, you can view detailed information about the ping operation on PE1.
SRv6 Tracert Implementation
⚫ SRv6 tracert can be classified into overlay tracert and non-overlay tracert.

[Figure: PE1 (FC01::1) -> P1 (FC02::2) -> PE2 (FC03::3). Overlay tracert test: PE1 sends a UDP probe with DIPv6 FC02::2, SIPv6 FC01::1, TTL = 63 and an SRH (SL = 1) carrying FC03::3 and FC02::2; P1 returns ICMP Port-Unreachable (DIPv6 FC01::1, SIPv6 FC02::2) and forwards the probe with DIPv6 FC03::3, TTL = 62, SRH (SL = 0); PE2 returns ICMP Port-Unreachable (DIPv6 FC01::1, SIPv6 FC03::3). Non-overlay tracert test: PE1 first sends the probe with DIPv6 FC02::2, TTL = 1, SRH (SL = 1); P1 decrements the TTL to 0 and returns ICMPv6 Time Exceeded (DIPv6 FC01::1, SIPv6 FC02::2); PE1 then sends the probe again so that it reaches PE2 with DIPv6 FC03::3, TTL = 0, SRH (SL = 0), and PE2 returns ICMP Port-Unreachable (DIPv6 FC01::1, SIPv6 FC03::3).]

• For an overlay test:
▫ PE1 initiates a tracert operation to PE2. Specifically, it constructs a UDP packet carrying the SRv6 SIDs (End and End.X SIDs) of P1 and the End SID of PE2, encapsulates an SRH into the packet, and then forwards the packet. In this case, the value of the Hop Limit field (equal to the TTL field in IPv4) in the IPv6 header is set to 64 and decrements by 1 each time the packet passes through a device. When the value of the Hop Limit field is 0, the packet is discarded, and then an ICMPv6 Time Exceeded message is sent to PE1.
▫ After receiving the UDP packet, P1 changes the value of the Hop Limit field to 63, sends an ICMPv6 Port Unreachable message to PE1, and forwards the UDP packet to PE2.
▫ After receiving the UDP packet, PE2 changes the value of the Hop Limit field to 62 and sends an ICMPv6 Port Unreachable message to PE1.
• For a non-overlay test:
▫ PE1 initiates a tracert operation to PE2. Specifically, it constructs a UDP packet carrying the SRv6 SID of P1 and the End SID of PE2, encapsulates an SRH into the packet, and then forwards the packet. In this case, the value of the Hop Limit field in the IPv6 header is set to 1 and decrements by 1 each time the packet passes through a device. When the value of the Hop Limit field is 0, the packet is discarded, and then an ICMPv6 Time Exceeded message is sent to PE1.
▫ After receiving the UDP packet, P1 changes the value of the Hop Limit field to 0 and sends an ICMPv6 Time Exceeded message to PE1.
▫ After receiving the ICMPv6 Time Exceeded message from P1, PE1 increments the value of the Hop Limit field by 1 (the value now becomes 2) and continues to send the UDP packet.
▫ After receiving the UDP packet, P1 changes the value of the Hop Limit field to 1 and forwards the packet to PE2.
▫ After receiving the UDP packet, PE2 changes the value of the Hop Limit field to 0, determines that the SID type is End SID, and checks whether the upper-layer protocol header is a UDP or an ICMPv6 header.
Overview of Tunnel Protection Technologies
⚫ SRv6 tunnel protection can be classified into local protection and E2E protection.

[Figure: Local protection, applied at points along the path from ingress to egress: TI-LFA FRR, midpoint TI-LFA FRR, microloop avoidance. Characteristics: fast switching; only links and nodes are protected. E2E protection, applied between ingress and egress: HSB, ECMP, best-effort path. Characteristics: detection-dependent fast switching; E2E paths are protected.]

TI-LFA FRR
⚫ TI-LFA FRR provides link and node protection for SRv6 tunnels. It enables traffic to be rapidly switched to the backup path if a link or node failure occurs.
⚫ As shown in the figure, the shortest path from PE1 to PE2 is PE1 -> P1 -> P4 -> PE2, which is the primary path. P1 needs to compute a TI-LFA backup path to PE2 through the following operations:
1. Excludes the primary next hop (link P1 -> P4) and computes the post-convergence shortest path: P1 -> P2 -> P3 -> P4 -> PE2.
2. Computes the P space and Q space, which are (P1, P2) and (P3, P4, PE2), respectively.
3. Computes the TI-LFA backup path. In this case, any path can be represented as a multi-segment path (source node <-> P <-> Q <-> destination node). Both the segments from the source node to the P node and from the Q node to the destination node are loop-free. The P-to-Q path is expressed using a strict explicit path (End.X SID), ensuring that the entire TI-LFA strict explicit path is loop-free. To simplify repair path computation, P2 (which is farthest from the source node and resides in the P space), P3 (which is farthest from the destination node and resides in the Q space), and a link between the P and Q spaces are selected.
4. After detecting that the P1-to-PE2 link goes down, P1 uses backup forwarding entries and encapsulates a new SRH into the packet, with the segment list being <FC03::C4, FC06::6>. In addition, the node changes the IPv6 destination address to FC03::C4 and then forwards the packet to the backup outbound interface in the B-to-C direction.

[Figure: PE1 (FC01::1), P1 (FC02::2), P2 (FC03::3), P3 (FC04::4), P4 (FC05::5), PE2 (FC06::6); End.X SID FC03::C4 on the P2-to-P3 link; P space (P1, P2) on the left, Q space (P3, P4, PE2) on the right. Packet on the primary path from PE1: DIPv6 FC05::5, SIPv6 FC01::1, SRH (SL = 1) carrying FC06::6 and FC05::5, Payload; at PE2 it carries DIPv6 FC06::6 and SRH (SL = 0). Packet on the backup path leaving P1: DIPv6 FC03::C4, SIPv6 FC01::1, a new SRH (SL = 0) carrying FC03::C4, followed by the original SRH (SL = 1) carrying FC06::6 and FC05::5, Payload.]

• P space and Q space:
▫ P space: is a set of nodes reachable from the source node of a protected link using the shortest path tree (SPT) rooted at the source node without traversing the protected link.
▫ Extended P space: is a set of nodes reachable from all the neighbors of a protected link's source node using SPTs rooted at the neighbors without traversing the protected link.
▫ Q space: is a set of nodes reachable from the destination node of a protected link using the reverse SPT rooted at the destination node without traversing the protected link.
• Advantages of TI-LFA:
▫ Provides protection for all topologies, preventing cost planning from affecting protection path computation.
▫ Simplifies deployments. Backup paths are computed based on an IGP, eliminating the need to deploy additional protocols for reliability purposes.
▫ Preferentially uses the post-convergence path as the backup path, reducing the number of path switchovers and facilitating bandwidth planning.
• TI-LFA computation rules
▫ Priority: SRLG disjoint > Node protection > Link protection > Minimum cost
▫ TI-LFA computes a backup path that meets both the SRLG disjoint and node protection conditions. If multiple backup paths meet the two conditions, TI-LFA selects the path with the minimum cost.
▫ If no qualified backup path is available, TI-LFA computes a backup path that meets both the SRLG disjoint and link protection conditions. If multiple backup paths meet the two conditions, TI-LFA selects the path with the minimum cost.
▫ If no qualified backup path is available, TI-LFA computes a backup path that meets the node protection condition with the minimum cost.
▫ If no qualified backup path is available, TI-LFA computes a backup path that meets the link protection condition with the minimum cost.
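The P space, Q space and repair-list computation described in the notes above, as an added Python example (not Huawei's implementation and not code from the training material). It models the five nodes of the figure with constructed symmetric link costs: the P2-P3 cost of 100 is an assumption chosen so that P1 normally reaches P3 through P4, while the End SIDs and the End.X SID FC03::C4 on the P2-P3 link follow the figure. "Reachable without traversing the protected link" is implemented as the usual strict-inequality test (the path via the protected link must be strictly longer), and the repair-list selection implements only the simplified rule of step 3 (last P-space node and first Q-space node on the post-convergence path, joined by one End.X SID); the SRLG and node-protection priorities from the computation rules are not modelled.

```python
import heapq

# Constructed topology (node_a, node_b, cost); links are symmetric.
LINKS = [
    ("P1", "P2", 10),
    ("P1", "P4", 10),    # the protected link
    ("P2", "P3", 100),   # assumed cost so that P1's normal path to P3 runs via P4
    ("P3", "P4", 10),
    ("P4", "PE2", 10),
]

# SIDs from the figure: End SIDs per node, End.X SID per directed link.
END_SID = {"P1": "FC02::2", "P2": "FC03::3", "P3": "FC04::4", "P4": "FC05::5", "PE2": "FC06::6"}
END_X_SID = {("P2", "P3"): "FC03::C4"}


def build_graph(links, exclude=None):
    """Adjacency map; `exclude` is an undirected link (a, b) left out of the graph."""
    graph = {}
    for a, b, cost in links:
        if exclude and {a, b} == set(exclude):
            continue
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def dijkstra(graph, source):
    """Shortest-path distances and predecessors from `source` (an SPT rooted there)."""
    dist, prev, heap = {source: 0}, {}, [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        for v, cost in graph.get(u, {}).items():
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                prev[v] = u
                heapq.heappush(heap, (d + cost, v))
    return dist, prev


def shortest_path(graph, source, target):
    dist, prev = dijkstra(graph, source)
    if target not in dist:
        return None
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1]


def tilfa_link_protection(links, source, far_end, destination):
    """P space, Q space and repair segment list for protecting link source-far_end."""
    full = build_graph(links)
    link_cost = full[source][far_end]
    d_src, _ = dijkstra(full, source)    # SPT rooted at the source node
    d_far, _ = dijkstra(full, far_end)   # reverse SPT rooted at the far end (costs are symmetric)

    # P space: the shortest path from the source is strictly cheaper than going over the protected link.
    p_space = {n for n in full if d_src[n] < link_cost + d_far[n]}
    # Q space: the shortest path to the far end is strictly cheaper than going over the protected link.
    q_space = {n for n in full if d_far[n] < d_src[n] + link_cost}

    # Post-convergence path: shortest path once the protected link is removed.
    post = shortest_path(build_graph(links, exclude=(source, far_end)), source, destination)
    if post is None:
        return None  # no repair path exists in this topology

    p_idx = max(i for i, n in enumerate(post) if n in p_space)   # P node: last P-space node on the path
    q_candidates = [i for i, n in enumerate(post) if n in q_space]
    if not q_candidates:
        return None
    q_idx = q_candidates[0]                                        # Q node: first Q-space node on the path
    if q_idx != p_idx + 1:
        return None  # simplified solver: handles exactly one P-to-Q link (no PQ node, no multi-hop gap)
    end_x = END_X_SID.get((post[p_idx], post[q_idx]))
    if end_x is None:
        return None
    return {
        "p_space": p_space,
        "q_space": q_space,
        "post_convergence_path": post,
        "segment_list": [end_x, END_SID[destination]],   # <End.X of the P-Q link, destination End SID>
    }


if __name__ == "__main__":
    print(tilfa_link_protection(LINKS, "P1", "P4", "PE2"))
```

Running it reproduces the slide: P space (P1, P2), Q space (P3, P4, PE2), post-convergence path P1 -> P2 -> P3 -> P4 -> PE2 and the repair segment list <FC03::C4, FC06::6>. A repair list that needs more than one P-to-Q segment, or a node in both spaces, is outside what this simplified solver handles and returns None rather than an unsafe list.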
Local Protection Technology E2E Protection Technology

Limitations of TI-LFA FRR

⚫ In SRv6 Policy scenarios, the forwarding path of data packets usually needs to be constrained by specifying the nodes or links they need to traverse. However, if some nodes or links that must be traversed are faulty, TI-LFA FRR cannot provide protection.

[Figure: PE1 (FC01::1), P1 (FC02::2) and P2 (FC03::3) on the primary path to PE2 (FC06::6); P3 (FC04::4) and P4 (FC05::5) on the backup path; link costs 10, 10, 10 and 100. Original packet: DIPv6 FC03::3, SIPv6 FC01::1, SRH (SL = 1) <FC06::6, FC03::3>, payload. Repaired packet: DIPv6 FC04::C4, SIPv6 FC01::1, SRH (SL = 1) built from FC06::6, FC03::3 and the End.X SID FC04::C4, payload. Callouts: "Using TI-LFA, P1 computes the backup path to P3: P1 -> P2 -> P4 -> P3." and "P2 fails, causing a data forwarding failure."]

Overview of Midpoint Protection

⚫ In SRv6 Policy scenarios, strict node constraints may result in a TI-LFA FRR protection failure. To resolve this issue, a proxy forwarding node (a node upstream to the failed midpoint) takes over from the failed midpoint to complete the forwarding.

Specifically, after detecting that the next-hop interface of the packet fails, the next-hop address is the destination address of the packet, and the SL value is greater than 0, the proxy forwarding node performs the End behavior on behalf of the midpoint. The behavior involves decrementing the SL value by 1, copying the next SID to the DA field in the outer IPv6 header, and then forwarding the packet according to the instruction bound to the SID. In this way, the failed midpoint is bypassed, achieving SRv6 midpoint protection.

[Figure: PE1 (FC01::1) -> P1 (FC02::2) -> P2 (FC03::3) -> PE2 (FC06::6) primary path; P3 (FC04::4) and P4 (FC05::5) on the backup path, which does not pass through P2; link costs 10, 10, 10 and 100. P1 is the proxy forwarding node. Packet: DIPv6 FC03::3, SIPv6 FC01::1, SRH (SL = 1) <FC06::6, FC03::3>, payload.]
Midpoint Protection Implementation

[Figure: same topology as the previous slide (PE1 FC01::1, P1 FC02::2, P2 FC03::3, P3 FC04::4, P4 FC05::5, PE2 FC06::6). Packet on the primary path: DIPv6 FC03::3, SIPv6 FC01::1, SRH (SL = 1) <FC06::6, FC03::3>, payload. After proxy forwarding on P1: DIPv6 FC06::6, SIPv6 FC01::1, SRH (SL = 0) <FC06::6, FC03::3>, payload, forwarded through P3 and P4. When TI-LFA is implemented again: DIPv6 FC06::6 / FC04::C4, SIPv6 FC01::1, SRH (SL = 1) <FC06::6, FC04::C4> on the TI-LFA backup path.]

Midpoint protection is implemented as follows:
 Typically, P1 computes the shortest IGP path and TI-LFA backup path to each node, such as PE2.
 After midpoint TI-LFA is configured for P1 and P2 fails, P1 detects that the outbound interface of P2 is faulty. The destination address of the packet is P2, which is a neighbor directly connected to P1. In addition, the SL value in the SRH is greater than 0. In this case, the midpoint TI-LFA action is triggered.
 P1 performs proxy forwarding. Specifically, it decrements the SL value by 1, copies the next SID FC06::6 to the IPv6 destination address, and forwards the traffic to PE2 based on the destination address. In this way, the traffic can successfully reach PE2 through the P1 -> P3 -> P4 path.
 If P1 finds that the next hop to PE2 is still P2 after performing proxy forwarding, P1 forwards the traffic to the TI-LFA backup path. In other words, after implementing midpoint TI-LFA, P1 implements basic TI-LFA processing to enable the traffic to be switched to the correct backup path.
 After completing IGP convergence, PE1 deletes the FIB entries destined for P2. In this case, if iMaster NCE-IP delivers the segment list of a new policy, PE2 also performs proxy forwarding: decrementing the SL value by 1, using the next SID FC06::6 as the IPv6 destination address, and forwarding the traffic to PE2.
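The proxy End behavior described on this slide and the preceding one, as an added Python example (not Huawei's implementation and not code from the training material). The SIDs and topology come from the figure; the per-node FIBs, including P1's TI-LFA backup next hop toward PE2, are constructed for the example, and the TI-LFA backup is abstracted as a plain backup next hop rather than a pushed repair segment list. Running the same packet with midpoint protection disabled reproduces the TI-LFA FRR limitation from the earlier slide: the strict node constraint on P2 leaves P1 with no usable entry once P2 fails.

```python
from dataclasses import dataclass

# Which node owns each End SID (from the figure).
SID_OWNER = {"FC01::1": "PE1", "FC02::2": "P1", "FC03::3": "P2",
             "FC04::4": "P3", "FC05::5": "P4", "FC06::6": "PE2"}

# Constructed pre-convergence FIBs: destination SID -> (primary next hop, TI-LFA backup next hop).
# P1 has a TI-LFA backup toward PE2 via P3; the strict constraint on P2 leaves FC03::3 without one.
FIB = {
    "PE1": {"FC03::3": ("P1", None), "FC06::6": ("P1", None)},
    "P1":  {"FC03::3": ("P2", None), "FC06::6": ("P2", "P3")},
    "P2":  {"FC06::6": ("PE2", None)},
    "P3":  {"FC06::6": ("P4", None)},
    "P4":  {"FC06::6": ("PE2", None)},
}


@dataclass
class Packet:
    src: str
    dst: str
    segments: list  # SRH segment list in header order: the last segment is segments[0]
    sl: int         # Segments Left; the active segment is segments[sl]


def make_packet():
    """PE1's policy packet: segment list <FC03::3, FC06::6>, stored as [FC06::6, FC03::3] with SL = 1."""
    return Packet(src="FC01::1", dst="FC03::3", segments=["FC06::6", "FC03::3"], sl=1)


def end_behavior(pkt):
    """SRv6 End: decrement SL and copy the new active SID into the IPv6 destination address."""
    if pkt.sl == 0:
        return False
    pkt.sl -= 1
    pkt.dst = pkt.segments[pkt.sl]
    return True


def forward(node, pkt, down_nodes, midpoint_protection):
    """One hop of processing. Returns the next node, 'delivered' or 'dropped'."""
    if SID_OWNER.get(pkt.dst) == node and not end_behavior(pkt):
        return "delivered"  # my own SID with SL == 0: end of the segment list
    primary, backup = FIB[node].get(pkt.dst, (None, None))
    if (midpoint_protection and primary in down_nodes
            and SID_OWNER.get(pkt.dst) == primary and pkt.sl > 0):
        # Trigger from the slide: next-hop interface down, next hop is the packet's DA, SL > 0.
        # Act as proxy: perform End on behalf of the failed midpoint, then look up the new DA.
        end_behavior(pkt)
        primary, backup = FIB[node].get(pkt.dst, (None, None))
    nh = backup if primary in down_nodes else primary  # basic TI-LFA: fall back to the backup entry
    return nh if nh is not None else "dropped"


def trace(pkt, down_nodes=frozenset(), midpoint_protection=True, start="PE1", max_hops=16):
    """Follow the packet hop by hop. Returns (nodes visited, outcome)."""
    path, node = [start], start
    for _ in range(max_hops):
        result = forward(node, pkt, down_nodes, midpoint_protection)
        if result in ("delivered", "dropped"):
            return path, result
        node = result
        path.append(node)
    return path, "loop"


if __name__ == "__main__":
    print(trace(make_packet()))
    print(trace(make_packet(), down_nodes={"P2"}))
    print(trace(make_packet(), down_nodes={"P2"}, midpoint_protection=False))
```

With P2 down, P1 rewrites the destination to FC06::6 on P2's behalf, finds that the primary next hop toward PE2 is still the failed P2, and therefore uses its TI-LFA backup entry, which is exactly the sequence of the third and fourth steps above.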

Microloop Introduction

⚫ TI-LFA FRR and midpoint protection can maint# data forwarding for a short time before IGP convergence is complete. After IGP convergence, however, data is forwarded through IGP routes instead of FRR (tunnel mode).
⚫ However, the convergence speed of devices on the live network may be different. As a result, a temporary loop, which is called a microloop, may be generated. The loop disappears only after all routers on the forwarding path complete convergence.

[Figure: PE1 - P1 - P4 - PE2 primary path with a P1 - P2 - P3 - P4 detour (P2-P3 cost 1000). Left: if the primary path fails, traffic is forwarded along the FRR path; the inner packet (DIP A, SIP B, payload) is carried with an outer header DIPv6 C, SIPv6 A and SRH (SL = 1) <D, C>; after IGP convergence, data is forwarded along the primary path. Right: P1 completes IGP convergence and does not forward traffic based on FRR, while P2 does not complete IGP convergence and forwards data based on the original routing table. P1 considers that the packet destined for PE2 (DIP PE2, SIP PE1) should be sent to P2, but P2 considers that the packet destined for PE2 should be sent to P1.]

Local Microloop in a Traffic Switchover Scenario

⚫ In a traffic switchover scenario, a local microloop occurs when a node adjacent to the failed node converges earlier than the other nodes on the network.
 When the link between P1 and P4 fails, traffic is first forwarded along the TI-LFA backup path.
 After P1 completes convergence, the next hop becomes P2, so that P1 forwards the traffic to P2 along the post-convergence path.
 Because P2 and other nodes on the network have not converged, the next hop for the traffic from P2 to PE2 is still P1. In this case, a loop is formed between P1 and P2 until P2 completes convergence.

[Figure: PE1 - P1 - P4 - PE2 with the P1 - P2 - P3 - P4 detour (P2-P3 cost 1000); packet DIP PE2, SIP PE1. P1 completes IGP convergence and does not forward traffic based on FRR; it considers that the packet destined for PE2 should be sent to P2. P2 does not complete IGP convergence and forwards data based on the original routing table; it considers that the packet destined for PE2 should be sent to P1.]

Local Microloop Avoidance in a Traffic Switchover Scenario

⚫ The microloop avoidance measure is to deliver the corresponding forwarding path after the involved node has already completed convergence for a period of time. This prevents the loop caused by IGP convergence on the node adjacent to the failed node. The detailed process is as follows:
 After P1 detects the fault of the link connected to P4, it enters the TI-LFA process and forwards the packet to PE2 along the TI-LFA backup path.
 P1 starts a timer. Before the timer expires, the forwarding table remains unchanged, and the TI-LFA backup path continues to be used for packet forwarding.
 When the timer expires, other nodes on the network have completed convergence. P1 can now perform convergence and then forward the packet along the post-convergence path.
⚫ Because each TI-LFA backup path is loop-free, the packet can be forwarded along a TI-LFA backup path for a period of time, and then the TI-LFA process can exit after the other nodes complete convergence.

[Figure: PE1 (FC01::1) - P1 (FC02::2) - P4 (FC05::5) - PE2 (FC06::6) primary path with the P1 - P2 (FC03::3) - P3 (FC04::4) - P4 detour; End.X SID FC03::C4 on P2. Packet from PE1: DIPv6 FC06::6, SIPv6 FC01::1, payload. On the TI-LFA backup path: DIPv6 FC03::C4, SIPv6 FC01::1, SRH (SL = 1) <FC06::6, FC03::C4>, payload; after P2: DIPv6 FC06::6, SIPv6 FC01::1, payload. P1 continues to forward traffic along the TI-LFA backup path before the timer expires.]
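The convergence-timing behavior described on this slide and the two before it, as an added Python example (not Huawei's implementation and not code from the training material). The next hops before and after the P1-P4 failure follow the figure's costs (P2 reaches PE2 through P1 because the P2-P3 link costs 1000); the per-node convergence times and the microloop-avoidance delay on P1 are assumed values, and the TI-LFA backup path is treated as source-routed, since its repair segment list steers the packet regardless of the other nodes' FIBs.

```python
FAULT_LINK = ("P1", "P4")
PLR = "P1"  # point of local repair: the node adjacent to the failed link

# Next hop toward PE2 before the failure (P2-P3 costs 1000, so P2 routes via P1).
FIB_BEFORE = {"PE1": "P1", "P1": "P4", "P2": "P1", "P3": "P4", "P4": "PE2"}
# Next hop toward PE2 once a node has converged on the post-failure topology.
FIB_AFTER = {"PE1": "P1", "P1": "P2", "P2": "P3", "P3": "P4", "P4": "PE2"}
# TI-LFA backup pre-installed on P1, modelled as a source-routed path.
TILFA_BACKUP = ["P2", "P3", "P4", "PE2"]

# Assumed convergence times in seconds after the fault: the adjacent node P1 is fast,
# P2 and P3 are slower; PE1 and P4 keep the same next hop either way.
CONVERGE_AT = {"PE1": 1, "P1": 1, "P2": 5, "P3": 5, "P4": 1}


def converged(node, t, avoidance_delay):
    """Has `node` installed its post-convergence FIB at time t?
    With microloop avoidance, the PLR holds its old FIB for `avoidance_delay` extra seconds."""
    delay = avoidance_delay if node == PLR else 0
    return t >= CONVERGE_AT[node] + delay


def trace(t, avoidance_delay=0, src="PE1", dst="PE2", max_hops=16):
    """Walk a packet from src toward dst at time t. Returns (path, outcome)."""
    path, node = [src], src
    while node != dst and len(path) <= max_hops:
        if node == PLR and not converged(node, t, avoidance_delay):
            # Still in the TI-LFA process: the loop-free backup path carries the packet to PE2.
            path.extend(TILFA_BACKUP)
            return path, "delivered"
        nh = (FIB_AFTER if converged(node, t, avoidance_delay) else FIB_BEFORE)[node]
        if {node, nh} == set(FAULT_LINK):
            return path + [nh], "dropped"      # would cross the failed link
        if nh in path:
            return path + [nh], "microloop"    # packet returns to a node it already visited
        path.append(nh)
        node = nh
    return path, "delivered" if node == dst else "hop-limit"


def microloop_times(avoidance_delay, horizon=20):
    """Seconds after the fault at which a PE1 -> PE2 packet loops."""
    return [t for t in range(horizon) if trace(t, avoidance_delay)[1] == "microloop"]


if __name__ == "__main__":
    print("without avoidance:", microloop_times(0))
    print("with a 10 s delay on P1:", microloop_times(10))
```

Without the delay, the loop P1 -> P2 -> P1 exists from the moment P1 converges until P2 converges; with the delay, P1 keeps using the loop-free TI-LFA path through that window and only installs its post-convergence next hop once the rest of the network is done.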

Remote Microloop in a Traffic Switchover Scenario

⚫ If a remote fault occurs, a loop may also be formed between nodes.
⚫ A loop may occur if the node closer to the failure point converges earlier than the node farther from the failure point on the packet forwarding path.
 After detecting a fault on the P3 -> P4 link, a node (for example, P3) performs delayed convergence and forwards traffic along a TI-LFA backup path. In this case, only P3 performs delayed convergence, and the other nodes on the network still perform normal IGP convergence.
 P2 converges first and computes the P2 -> P1 -> P5 -> PE2 path as the new path to PE2. As such, after arriving at P2, the traffic is sent back to P1 instead of being forwarded to P3.
 Because P1 has not completed convergence, it still forwards the traffic along the P1 -> P2 -> P3 -> P4 -> P5 -> PE2 path. As a result, the traffic is sent back to P2, forming a loop.

[Figure: PE1 - P1 - P2 - P3 - P4 - P5 - PE2, with a direct P1 - P5 link of cost 1000; packet DIP PE2, SIP PE1. P1 does not complete IGP convergence and forwards data based on the original routing table; P2 completes IGP convergence and forwards data based on the post-convergence routing table.]

Remote Microloop Avoidance in a Traffic Switchover Scenario

⚫ A network node can pre-compute a loop-free backup path only when a directly connected link or node fails. That is, no loop-free path can be pre-computed against any other potential fault on the network. As such, a loop-free path needs to be computed after node convergence is completed, thereby resolving the microloop issue.
⚫ As shown in the following figures, the loop-free TI-LFA path P2 -> P1 -> P5 -> PE2 is computed after P2 converges. The loop-free path computed by P3 can be either a strict explicit one or a loose one.

[Figures: PE1 (FC01::1), P1 (FC02::2), P2 (FC03::3), P3 (FC04::4), P4 (FC05::5), P5 (FC06::6), PE2 (FC07::7); End.X SIDs FC02::C4 on P1 and FC03::C4 on P2. Packet from PE1: DIPv6 FC07::7, SIPv6 FC01::1, payload. Strict explicit path (left): DIPv6 FC03::C4, SIPv6 FC01::1, SRH (SL = 2) <FC07::7, FC02::C4, FC03::C4>, payload. Loose path (right): DIPv6 FC03::C4, SIPv6 FC01::1, SRH (SL = 1) <FC07::7, FC02::C4>, payload.]

Microloop in a Traffic Switchback Scenario

⚫ Due to the lack of a convergence order in distributed computing, a microloop may occur in a traffic switchback scenario.
 Assume that the link between P1 and P4 fails, and the path from PE1 to PE2 is PE1 -> P1 -> P2 -> P3 -> P4 -> PE2.
 If the link between P1 and P4 recovers and P2 completes convergence, the path from P2 to PE2 is P2 -> P1 -> P4 -> PE2. In this case, P2 forwards traffic to P1.
 If P1 has not completed IGP convergence due to some reasons, for example, a large number of services are running or CPU usage is high, the node still forwards the traffic back to P2 through the original path, forming a loop.

[Figure: PE1 - P1 - P4 - PE2 with the P1 - P2 - P3 - P4 detour (P2-P3 cost 1000); the faulty P1-P4 link recovers; packet DIP PE2, SIP PE1. P1 does not complete convergence and considers that the traffic destined for PE2 should be sent to P2; P2 completes convergence and considers that the traffic destined for PE2 should be sent to P1. A loop is formed between P1 and P2.]

Microloop Avoidance in a Traffic Switchback Scenario

⚫ The method of microloop avoidance in a traffic switchback scenario is similar to that of remote microloop avoidance in a traffic switchover scenario.

As shown in the following figures, after P2 completes convergence, it encapsulates a new SRH into the packet, enabling traffic to be forwarded along the post-convergence path (which is a strict explicit path) to the destination address. After P1 converges, it forwards the traffic to PE2 along the post-convergence path.

[Figures: PE1 (FC01::1), P1 (FC02::2), P2 (FC03::3), P3 (FC04::4), P4 (FC05::5), PE2 (FC06::6); End.X SIDs FC02::C4 on P1 and FC03::C4 on P2; the faulty P1-P4 link recovers. Packet from PE1: DIPv6 FC06::6, SIPv6 FC01::1, payload. Strict explicit path (left): DIPv6 FC03::C4, SIPv6 FC01::1, SRH (SL = 2) <FC06::6, FC02::C4, FC03::C4>, payload. Loose path (right): DIPv6 FC03::C4, SIPv6 FC01::1, SRH (SL = 1) <FC06::6, FC02::C4>, payload.]

SRv6 Policy HSB

⚫ E2E SRv6 Policy protection can be implemented by configuring two candidate paths with different preferences for an SRv6 Policy. The path with a higher preference is the primary and that with a lower preference is the backup. SBFD is enabled for the two paths.

When SBFD on the primary path detects a fault, traffic is switched from the primary path to the backup path.

If some devices on an SRv6 network do not support SRv6, local protection cannot be implemented. In this case, HSB can be used to provide high reliability.

SRv6 policy PE1toPE3
 endpoint PE3 color 100
 candidate-path preference 200 //Primary
  segment-list <PE1.End, PE3.End>
 candidate-path preference 100 //Backup
  segment-list <PE2.End, P2.End, PE4.End, PE3.End>

[Figure: CE1 dual-homed to PE1 and PE2, CE2 dual-homed to PE3 and PE4, core nodes P1 to P4, one of them SRv6-incapable. Primary path PE1 -> P1 -> P3 -> PE3; backup path PE2 -> P2 -> P4 -> PE4 -> PE3.]

SRv6 Policy ECMP

⚫ During SRv6 Policy deployment, two segment lists can be configured in a candidate path to implement SRv6 Policy load balancing. In this way, data is load balanced between two paths.
⚫ If one of the paths fails, data can still be forwarded over the other path.

SRv6 policy PE1toPE3
 endpoint PE3 color 100
 candidate-path preference 200
  segment-list <PE1.End, PE3.End> //ECMP
  segment-list <PE2.End, P2.End, PE4.End, PE3.End> //ECMP

[Figure: CE1 dual-homed to PE1 and PE2, CE2 dual-homed to PE3 and PE4, core nodes P1 to P4; the two ECMP paths are PE1 -> P1 -> P3 -> PE3 and PE2 -> P2 -> P4 -> PE4 -> PE3.]

Best-Effort Paths for SRv6 Policies

⚫ If SBFD on PE1 detects that both the primary and backup paths fail, PE1 forwards traffic over an SRv6 BE tunnel.

BGP 100
 ipv6-family vpn-instance vpn1
  segment-routing ipv6 traffic-engineer best-effort

[Figure: the same dual-homed topology (PE1 to PE4, P1 to P4, CE1 and CE2). The primary path fails and the backup path fails, so traffic is carried over SRv6 BE along the best-effort path.]
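Headend path selection across the three slides above (HSB by candidate-path preference, ECMP across the segment lists of one candidate path, and SRv6 BE fall-back when SBFD reports every candidate path down), as an added Python example (not Huawei's implementation and not code from the training material). The two policies are built from the slide configurations; the SBFD states are constructed inputs, and the per-flow hash is an illustrative SHA-256 over the 5-tuple rather than any vendor's load-balancing hash.

```python
import hashlib

# Segment lists from the slides, as tuples so they can key the SBFD state table.
PRIMARY = ("PE1.End", "PE3.End")
BACKUP = ("PE2.End", "P2.End", "PE4.End", "PE3.End")

# HSB: two candidate paths with different preferences, one segment list each.
POLICY_HSB = {"name": "PE1toPE3", "endpoint": "PE3", "color": 100,
              "candidate_paths": [{"preference": 200, "segment_lists": [PRIMARY]},
                                  {"preference": 100, "segment_lists": [BACKUP]}]}
# ECMP: one candidate path carrying both segment lists.
POLICY_ECMP = {"name": "PE1toPE3", "endpoint": "PE3", "color": 100,
               "candidate_paths": [{"preference": 200, "segment_lists": [PRIMARY, BACKUP]}]}


def flow_hash(flow):
    """Illustrative per-flow hash over (src, dst, proto, sport, dport)."""
    digest = hashlib.sha256(",".join(map(str, flow)).encode()).digest()
    return int.from_bytes(digest[:8], "big")


def select_path(policy, sbfd_up, flow):
    """Forwarding entry the headend uses for one flow.

    sbfd_up maps a segment list to its SBFD result (True = up). Candidate paths are
    tried from the highest to the lowest preference (HSB); inside the chosen candidate
    path the segment lists that are up share the load (ECMP); if nothing is up, the
    traffic falls back to the SRv6 BE tunnel.
    """
    for cp in sorted(policy["candidate_paths"], key=lambda c: c["preference"], reverse=True):
        live = [sl for sl in cp["segment_lists"] if sbfd_up.get(sl, False)]
        if live:
            return {"mode": "policy", "preference": cp["preference"],
                    "segment_list": live[flow_hash(flow) % len(live)]}
    return {"mode": "srv6-be", "preference": None, "segment_list": None}


def distribution(policy, sbfd_up, flows):
    """Set of segment lists a group of flows is spread over (shows ECMP behaviour)."""
    return {select_path(policy, sbfd_up, f)["segment_list"] for f in flows}


if __name__ == "__main__":
    flows = [("10.1.1.1", "10.2.2.2", 6, 40000 + i, 443) for i in range(64)]  # constructed flows
    print(select_path(POLICY_HSB, {PRIMARY: True, BACKUP: True}, flows[0]))
    print(select_path(POLICY_HSB, {PRIMARY: False, BACKUP: True}, flows[0]))
    print(select_path(POLICY_HSB, {PRIMARY: False, BACKUP: False}, flows[0]))
    print(distribution(POLICY_ECMP, {PRIMARY: True, BACKUP: True}, flows))
```

The HSB policy always prefers the preference-200 path while SBFD reports it up and drops to preference 100 otherwise; the ECMP policy spreads flows over both segment lists and, when one of them is down, keeps the whole load on the other without any preference change.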

Contents

1. SRv6 Overview

2. SRv6 Fundamentals

3. SRv6 High Reliability


▫ Overview of SRv6 High Reliability
▫ SRv6 Tunnel Status Detection and Tunnel Protection
◼ SRv6 Egress Protection and Access Protection

4. Basic SRv6 Configuration

5. SRv6 Deployment Using iMaster NCE-IP


Overview of SRv6 Egress Protection

⚫ The tunnels of an SRv6 Policy have the same headend. In this case, the specific tunnel is determined using <Color, Endpoint>. If the endpoint of the tunnel fails, data cannot be sent to the destination network segment.

As such, local protection and E2E protection technologies commonly used for SRv6 tunnels can protect only the source PE and transit nodes (Ps), but not the SRv6 endpoint.

⚫ If a fault occurs on the endpoint, it is mainly rectified through VPN FRR. In addition, it can also be rectified through anycast FRR or mirror protection.

[Figure: CE1 dual-homed to PE1 and PE2, CE2 dual-homed to PE3 and PE4, core nodes P1 to P4; the primary path, local protection paths and E2E protection paths are drawn. A fault on a transit link or node can be rectified through both local protection and E2E protection; a fault on the endpoint cannot be rectified through local protection or E2E protection.]

• Anycast FRR and mirror protection technologies are complex and therefore rarely
used on live networks.
VPN FRR

⚫ VPN FRR helps rectify endpoint faults by directly forming VPN backup routes. It is implemented as follows:

The source PE pre-computes primary and backup routes based on the two learned VPN routes with different next-hop PEs and then delivers the computed routes to the FIB table. In addition, after detecting a remote PE fault through BFD, the source PE switches VPN traffic to the backup path before VPN route convergence.

[Figure: CE1 - PE1, then P1 - PE2 and P2 - PE3 toward CE2 (Net2); primary path through PE2, backup path through PE3. PE2 advertises the BGP route Net2 with NHP PE2 and PE3 advertises Net2 with NHP PE3; PE1's BGP route for Net2 has NHP PE2 with backup PE3.]

Anycast FRR

⚫ Anycast FRR implements SRv6 egress protection by deploying the same locator and VPN SID on the PEs to which a CE is dual-homed.

[Figure: PE1 (FC01:: /96) - P1 - PE3 (FC05:: /96) primary path and PE2 - P2 - PE4 (FC05:: /96) local protection path; CE1 behind PE1 and PE2, CE2 dual-homed to PE3 and PE4, which share the anycast locator FC05:: /96. P1, where TI-LFA is deployed, pre-computes a backup path to FC05:: /96. Primary packet: DIPv6 FC05::100, SIPv6 FC01::1, payload CE1 -> CE2. Repaired packet: DIPv6 FC04::C4 (End.X on P2), SIPv6 FC01::1, SRH (SL = 1) <FC05::100, FC04::C4>, payload CE1 -> CE2.]


• Anycast FRR can be used in both egress protection and local protection scenarios.
• Although anycast FRR can provide protection against PE failures, it has the following drawbacks:
▫ VPN SIDs must be manually configured to ensure that the two PEs configured with the same VPN instance have the same VPN SID.
▫ Only IGP route selection (not VPN route selection) can be performed. For example, if VPN services need to be load-balanced between PE3 and PE4 or the route advertised by PE3 needs to be preferentially selected, VPN route selection cannot be performed if the route advertised by PE4 is preferentially selected through an IGP on the path to FC05::.
▫ If there is a PE-CE link interface failure, such as a failure on the link between PE3 and CE2, traffic is still forwarded to PE3 and then to PE4, resulting in a traffic loop that cannot be eliminated.
SRv6 Access Protection

⚫ When a CE is dual-homed to PEs, if the link between the CE and endpoint PE fails, traffic may be lost. In this case, mixed FRR can be used to resolve this problem.
⚫ PE2 receives a VPN route from CE2 and another VPN route from PE3, forming FRR protection. When the link between PE2 and CE2 fails, PE2 detects the fault and steers all relevant traffic to the backup path to PE3. In this case, the next hop of the primary path is an access interface and the backup path is an SRv6 tunnel, forming mixed FRR protection.

[Figure: CE1 - PE1, then P1 - PE2 and P2 - PE3 toward CE2 (Net2); primary path through PE2, backup path through PE3. A VPN route is advertised to PE2, and CE2 advertises common routes to PE2 and PE3. PE2's BGP route: prefix Net2, NHP CE2, outbound interface PE2 -> CE2 link interface; backup NHP PE3 over an SRv6 tunnel. When the path from PE2 to CE2 fails, the forwarding path becomes PE2 -> PE3 -> CE2.]
Contents

1. SRv6 Overview

2. SRv6 Fundamentals

3. SRv6 High Reliability

4. Basic SRv6 Configuration


◼ SRv6 BE
▫ SRv6 Policy

5. SRv6 Deployment Using iMaster NCE-IP

L3VPNv4 over SRv6 BE (1)

[Figure: AS 100 backbone PE1 - P - PE2. Loopback0: PE1 2001:DB8:1::1/128, P 2001:DB8:2::2/128, PE2 2001:DB8:3::3/128. Links: PE1-P 2001:DB88:12::/96 (PE1 :1, P :2), P-PE2 2001:DB88:23::/96 (P :2, PE2 :3). CE1 (AS 65000) connects to PE1 over 10.0.14.0/24 with Loopback1 10.1.4.4/32; CE2 (AS 65001) connects to PE2 over 10.0.35.0/24 with Loopback1 10.1.5.5/32.]

Networking requirements:
1. Connect PE1 and PE2 to different CEs that belong to VPN instance vpna.
2. Deploy L3VPN service recursion to SRv6 BE paths on the backbone network to enable CE1 and CE2 to communicate through Loopback1.

Configuration roadmap:
1. Configure interface IPv6 addresses and IS-IS. (Configuration details are not provided.)
2. Establish an MP-BGP peer relationship between PE1 and PE2.
3. Enable SR and establish an SRv6 BE path on the backbone network.
4. Enable the VPN instance IPv4 address family on each PE.
5. Establish an MP-IBGP peer relationship between the PEs for them to exchange routing information.
6. Verify the configuration.


• The experiment configuration is based on the NE20E-S2F (software version:


NE20E V800R012C10SPC300). The configuration roadmaps for different devices
are similar. For details, see the corresponding product documentation.
L3VPNv4 over SRv6 BE (2)

Establish an MP-IBGP peer relationship between the PEs. The configuration on PE1 is used as an example.

[~PE1] bgp 100
[~PE1-bgp] peer 2001:DB8:3::3 as-number 100
[*PE1-bgp] peer 2001:DB8:3::3 connect-interface loopback 0
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 2001:DB8:3::3 enable
[*PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

Check the VPNv4 peer relationship on PE1.

<PE1>display bgp vpnv4 all peer

BGP local router ID : 10.0.1.1
Local AS number : 100
Total number of peers : 1                 Peers in established state : 1

Peer            V    AS    MsgRcvd    MsgSent    Up/Down     State
2001:DB8:3::3   4    100   3          4          00:00:04    Established

L3VPNv4 over SRv6 BE (3)

Establish an SRv6 BE path between the PEs. PE1 configurations are as follows (PE2 configurations are not provided here, and the P does not require such configurations):

[~PE1] segment-routing ipv6
[*PE1-segment-routing-ipv6] encapsulation source-address 2001:DB8:1::1
[*PE1-segment-routing-ipv6] locator as100 ipv6-prefix 2001:DB8:100:: 64 static 32
[*PE1-segment-routing-ipv6-locator] quit
[*PE1-segment-routing-ipv6] quit
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 2001:DB8:3::3 prefix-sid
[*PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
[~PE1] isis 1
[~PE1-isis-1] segment-routing ipv6 locator as100
[*PE1-isis-1] commit
[~PE1-isis-1] quit


• Configure basic SRv6 functions as follows:
1. Run the segment-routing ipv6 command to enable SRv6 and enter the SRv6 view.
2. Run the encapsulation source-address ipv6-address [ ip-ttl ttl-value ]
command to configure a source address for SRv6 VPN encapsulation.
▪ When traffic enters an SRv6 VPN tunnel, the address configured using
this command functions as the source address in the IPv6 header. The
source address must be an existing interface address on the device.
3. Run the locator locator-name [ ipv6-prefix ipv6-address prefix-length [
static static-length | args args-length ] * ] command to configure an SRv6
locator.
▪ The Locator field corresponds to the ipv6-prefix ipv6-address
parameter and its length is determined by the prefix-length
parameter. A locator identifies an IPv6 subnet on which all IPv6
addresses can be allocated as SRv6 SIDs. After a locator is configured
for a node, the system generates a locator route through which other
nodes can locate this node. In addition, all SIDs advertised by the
node are reachable through the route.
▪ The Function field is also called opcode, which can be dynamically
allocated using an IGP or be configured using the opcode command.
When configuring a locator, you can use the static static-length
parameter to specify the static segment length, which determines the
number of static opcodes that can be configured in the locator. In
dynamic opcode allocation, the IGP allocates opcodes outside the
range of the static segment, so that no SRv6 SID conflict occurs.
4. (Optional) Run the opcode func-opcode end-dt4 vpn-instance vpn-
instance-name command to configure a static SID opcode.
▪ An End.DT4 SID can be dynamically allocated by BGP or be manually
configured. If you want to use the segment-routing ipv6 locator
locator-name command to enable dynamic End.DT4 SID allocation by
BGP in the future, skip this step.
5. Run the quit command to exit the SRv6 locator view.
6. Run the quit command to exit the SRv6 view.
• Enable IS-IS SRv6.
1. Run the isis [ process-id ] command to enter the IS-IS view.
2. Run the ipv6 enable topology ipv6 command to enable the IPv6
capability for the IS-IS process in the IPv6 topology.
3. Run the segment-routing ipv6 locator locator-name [ auto-sid-disable ]
command to enable IS-IS SRv6.
▪ segment-routing ipv6 locator locator-name: enables IS-IS SRv6 and
dynamic SID allocation. SIDs must be allocated within the locator
range.
▪ segment-routing ipv6 locator locator-name auto-sid-disable:
enables IS-IS SRv6 and disables dynamic SID allocation so that SIDs
are statically allocated within the locator range.
▪ During SRv6 SID allocation, if a static opcode is configured, the static
opcode is preferentially used to form a static SID. If no static opcode
is configured, a SID is dynamically allocated. The process of dynamic
SRv6 SID allocation using IS-IS is as follows:
▪ Configure a locator in the SRv6 view, and run the segment-routing
ipv6 locator command in the IS-IS process view to enable SRv6 and
reference the locator. An IS-IS process can reference multiple locators.
However, only one locator can be used to advertise End/End.X SIDs.
▪ IS-IS allocates an End SID to each locator in the range of the dynamic
segment based on locator configurations. Both PSP and non-PSP SIDs
can be allocated.
▪ Configure IPv6 addresses for interfaces and enable IS-IS IPv6. IS-IS
allocates both PSP and non-PSP End.X SIDs to the interfaces in the
range of the dynamic segment based on locator configurations.
4. Run the quit command to exit the IS-IS view.
• Configure the device to add SIDs to VPN routes.
▫ Run the peer ipv6-address prefix-sid command to enable the device to
exchange IPv4 prefix SID information with the specified IPv6 peer.
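The SID structure behind the locator command (Locator prefix, Function field carrying the opcode, optional Args, with a static segment reserved for manually configured opcodes and dynamic opcodes allocated outside it), as an added Python example (not Huawei's implementation and not code from the training material). It reproduces the shape of the SIDs shown in PE2's local SID table on the later verification slide from a locator assumed to be 2001:DB8:300::/64 with static 32. Allocating dynamic opcodes sequentially from the first value above the static segment is an assumption made for the example; only the rule that dynamic opcodes lie outside the static segment, so that no SID conflict occurs, comes from the text.

```python
import ipaddress


class Locator:
    """SRv6 locator: an IPv6 prefix whose remaining bits carry Function (opcode) and Args."""

    def __init__(self, name, prefix, prefix_len, static_len, args_len=0):
        self.name = name
        self.network = ipaddress.IPv6Network((prefix, prefix_len))
        self.func_len = 128 - prefix_len - args_len
        if not 0 < static_len < self.func_len:
            raise ValueError("the static segment must fit inside the Function field")
        self.static_len = static_len
        self.args_len = args_len
        self.sids = {}                        # SID string -> (function type, opcode)
        self._next_dynamic = 1 << static_len  # assumed: first opcode above the static segment

    def sid(self, opcode):
        """Locator || opcode || zeroed Args, as a canonical IPv6 address string."""
        if not 0 <= opcode < (1 << self.func_len):
            raise ValueError("opcode does not fit the Function field")
        base = int(self.network.network_address)
        return str(ipaddress.IPv6Address(base + (opcode << self.args_len)))

    def opcode_of(self, sid):
        """Inverse of sid(): the opcode, or None if the SID is not covered by this locator."""
        addr = ipaddress.IPv6Address(sid)
        if addr not in self.network:
            return None
        return (int(addr) - int(self.network.network_address)) >> self.args_len

    def static_sid(self, opcode, func_type):
        """Manually configured opcode (the `opcode ... end-dt4` step): must lie inside the static segment."""
        if not 0 < opcode < (1 << self.static_len):
            raise ValueError(f"opcode {opcode:#x} is outside the static segment")
        sid = self.sid(opcode)
        if sid in self.sids:
            raise ValueError(f"SID conflict: {sid} already used for {self.sids[sid]}")
        self.sids[sid] = (func_type, opcode)
        return sid

    def dynamic_sid(self, func_type):
        """Protocol-allocated opcode taken outside the static segment, so it cannot collide with a static SID."""
        opcode = self._next_dynamic
        if opcode >= (1 << self.func_len):
            raise RuntimeError("locator exhausted")
        self._next_dynamic += 1
        sid = self.sid(opcode)
        self.sids[sid] = (func_type, opcode)
        return sid


if __name__ == "__main__":
    loc = Locator("as100", "2001:DB8:300::", 64, static_len=32)  # assumed PE2 locator
    for func_type in ("End", "End", "End.X", "End.X"):           # IS-IS-style dynamic allocation
        print(loc.dynamic_sid(func_type))
    print(loc.static_sid(0x20, "End.DT4"))                       # a statically configured opcode
```

With a 64-bit locator and a 32-bit static segment, the Function field splits into opcodes 1 to 2^32 - 1 for manual configuration and everything above for dynamic allocation, which is why the dynamically allocated SIDs in the verification output carry a non-zero bit above the low 32 bits (2001:DB8:300::1:0:x) while a static opcode such as 0x20 would yield 2001:DB8:300::20.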
L3VPNv4 over SRv6 BE (4)

Enable the VPN instance IPv4 address family on each PE. PE1 configurations are as follows (PE2 configurations are not provided):

[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[~PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpna
[*PE1-bgp-vpna] peer 10.0.14.4 as-number 65000
[*PE1-bgp-vpna] segment-routing ipv6 best-effort
[*PE1-bgp-vpna] segment-routing ipv6 locator as100
[*PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit
[~PE1-bgp] quit


• Configure VPN routes to recurse to SRv6 BE paths based on the carried SIDs.
1. Run the bgp { as-number-plain | as-number-dot } command to enter the BGP view.
2. Run the ipv4-family vpn-instance vpn-instance-name command to enter the BGP-VPN instance IPv4 address family view.
3. Run the segment-routing ipv6 best-effort command to enable VPN route recursion based on the SIDs carried by routes.
4. Run the segment-routing ipv6 locator locator-name [ auto-sid-disable ] command to enable the device to add SIDs to VPN routes.
5. If auto-sid-disable is not specified, dynamic SID allocation is supported. If there are static SIDs in the range of the locator specified using locator-name, the static SIDs are used. Otherwise, dynamically allocated SIDs are used. If auto-sid-disable is specified, BGP does not dynamically allocate SIDs.
6. Run the commit command to commit the configuration.
L3VPNv4 over SRv6 BE (5)

Check the local SID table containing all types of SRv6 SIDs on PE2.

<PE2>display segment-routing ipv6 local-sid forwarding

My Local-SID Forwarding Table
-------------------------------------
SID : 2001:DB8:300::1:0:0/128         FuncType : End
LocatorName: as100                    LocatorID: 2

SID : 2001:DB8:300::1:0:1/128         FuncType : End
LocatorName: as100                    LocatorID: 2

SID : 2001:DB8:300::1:0:2/128         FuncType : End.X
LocatorName: as100                    LocatorID: 2

SID : 2001:DB8:300::1:0:3/128         FuncType : End.X
LocatorName: as100                    LocatorID: 2

SID : 2001:DB8:300::1:0:20/128        FuncType : End.DT4
LocatorName: as100

PE2 locally generates an End.DT4 SID and advertises the SID to PE1.

L3VPNv4 over SRv6 BE (6)

Check VPNv4 routing information on PE1.

<PE1>display bgp vpnv4 all routing-table 10.1.5.5
BGP local router ID : 10.0.1.1
Local AS number : 100
Total routes of Route Distinguisher(100:1): 1
BGP routing table entry information of 10.1.5.5/32:
Label information (Received/Applied): 3/NULL
From: 2001:DB8:3::3 (10.0.3.3)
Route Duration: 0d00h15m54s
Relay IP Nexthop: FE80::DE99:14FF:FE7A:C301
Relay IP Out-Interface: GigabitEthernet0/3/0.12
Relay Tunnel Out-Interface:
Original nexthop: 2001:DB8:3::3
Qos information : 0x0
Ext-Community: RT <111 : 1>
Prefix-sid: 2001:DB8:300::1:0:20
AS-path Nil, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255, IGP cost 20
Not advertised to any peer yet

The From field shows the IPv6 address of the peer, and the Prefix-sid field shows the SID corresponding to 10.1.5.5 (the same as that locally allocated on PE2).

92 Huawei Confidential
L3VPNv4 over SRv6 BE (7)

Check vpna's routing information on PE1.
<PE1> display ip routing-table vpn-instance vpna 10.1.5.5 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : vpna
Summary Count : 1

Destination: 10.1.5.5/32
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2001:DB8:300::1:0:20 Neighbour: 2001:DB8:3::3
State: Active Adv Relied Age: 00h17m40s
Tag: 0 Priority: low
Label: 3 QoSInfo: 0x0
IndirectID: 0x1000177 Instance:
RelayNextHop: 2001:DB8:300::1:0:20 Interface: SRv6 BE
TunnelID: 0x0 Flags: RD

The interface type is SRv6 BE. PE1 uses the NextHop IPv6 address (2001:DB8:300::1:0:20) as the next-hop address to forward packets destined for 10.1.5.5.

93 Huawei Confidential
L3VPNv4 over SRv6 BE (8)

Verify the configuration on CE1.
<CE1>ping -a 10.1.4.4 10.1.5.5
PING 10.1.5.5: 56 data bytes, press CTRL_C to break
Reply from 10.1.5.5: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=5 ttl=254 time=1 ms

94 Huawei Confidential
Contents

1. SRv6 Overview

2. SRv6 Fundamentals

3. SRv6 High Reliability

4. Basic SRv6 Configuration


▫ SRv6 BE
◼ SRv6 Policy

5. SRv6 Deployment Using iMaster NCE-IP

95 Huawei Confidential
L3VPNv4 over SRv6 Policy (1)

[Topology figure: AS 100 backbone with PE1 (Loopback0 2001:DB8:1::1/128), P (Loopback0 2001:DB8:2::2/128) and PE2 (Loopback0 2001:DB8:3::3/128); PE1-P link 2001:DB88:12::/96 (PE1 ::1, P ::2), P-PE2 link 2001:DB88:23::/96 (P ::2, PE2 ::3); CE1 in AS 65000 (Loopback1 10.1.4.4/32, CE1-PE1 link 10.0.14.0/24); CE2 in AS 65001 (Loopback1 10.1.5.5/32, PE2-CE2 link 10.0.35.0/24)]

Networking requirements:
1. Connect PE1 and PE2 to different CEs that belong to VPN instance vpna.
2. Deploy L3VPN service recursion to SRv6 Policies on the backbone network to enable CE1 and CE2 to communicate through Loopback1.

Configuration roadmap:
1. Configure interface IPv6 addresses and IS-IS. (Configuration details are not provided.)
2. Establish an MP-BGP peer relationship between PE1 and PE2.
3. Enable SR and establish an SRv6 Policy on the backbone network.
4. Enable the VPN instance IPv4 address family on each PE and establish an MP-IBGP peer relationship between the PEs for them to exchange routing information.
5. Configure a tunnel policy and import VPN traffic.
6. Verify the configuration.

96 Huawei Confidential
L3VPNv4 over SRv6 Policy (2)

[Topology figure: as on the previous slide, with End SIDs 2001:DB8:1000::111 (PE1), 2001:DB8:2000::222 (P) and 2001:DB8:3000::333 (PE2)]

Establish an MP-IBGP peer relationship between the PEs.
[~PE1] bgp 100
[~PE1-bgp] peer 2001:DB8:3::3 as-number 100
[*PE1-bgp] peer 2001:DB8:3::3 connect-interface loopback 0
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 2001:DB8:3::3 enable
[*PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit

Check the VPNv4 peer relationship on PE1.
<PE1>display bgp vpnv4 all peer

BGP local router ID : 10.0.1.1
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent Up/Down State
2001:DB8:3::3 4 100 3 4 00:00:04 Established

97 Huawei Confidential

• The SIDs of PE1, the P, and PE2 are 2001:DB8:1000::111, 2001:DB8:2000::222, and
2001:DB8:3000::333, respectively.
• In this experiment, the SRv6 Policy is established based on specified End SIDs.
L3VPNv4 over SRv6 Policy (3)

Configure an SRv6 SID. PE1 configurations are as follows: (P and PE2 configurations are not provided.)
[~PE1] segment-routing ipv6
[*PE1-segment-routing-ipv6] encapsulation source-address 2001:DB8:1::1
[*PE1-segment-routing-ipv6] locator as1000 ipv6-prefix 2001:DB8:1000:: 64 static 32
[*PE1-segment-routing-ipv6-locator] opcode ::111 end
[*PE1-segment-routing-ipv6-locator] quit
[*PE1-segment-routing-ipv6] quit
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 2001:DB8:3::3 prefix-sid
[*PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit
[~PE1] isis 1
[~PE1-isis-1] segment-routing ipv6 locator as1000 auto-sid-disable
[*PE1-isis-1] commit
[~PE1-isis-1] quit

The opcode ::111 end command manually configures an SRv6 End SID.

98 Huawei Confidential

• SRv6 paths are established using SIDs. Static SRv6 SIDs are recommended. The configuration procedure is as follows:
1. Run the locator locator-name [ ipv6-prefix ipv6-address prefix-length [ static static-length | args args-length ] * ] command to configure an SRv6 locator.
2. Run the opcode func-opcode end command to configure a static End SID opcode.
3. Run the opcode func-opcode end-x interface interface-name nexthop nexthop-address [ no-psp ] command to configure a static End.X SID opcode.
4. Run the quit command to exit the SRv6 locator view.
L3VPNv4 over SRv6 Policy (4)

Configure an SRv6 Policy. PE1 configurations are as follows: (PE2 configurations are not provided.)
[~PE1] segment-routing ipv6
[~PE1-segment-routing-ipv6] segment-list list1
[*PE1-segment-routing-ipv6-segment-list-list1] index 5 sid ipv6 2001:DB8:2000::222
[*PE1-segment-routing-ipv6-segment-list-list1] index 10 sid ipv6 2001:DB8:3000::333
[*PE1-segment-routing-ipv6-segment-list-list1] commit
[~PE1-segment-routing-ipv6-segment-list-list1] quit
[~PE1-segment-routing-ipv6] srv6-te-policy locator as1000
[*PE1-segment-routing-ipv6] srv6-te policy policy1 endpoint 2001:DB8:3::3 color 101
[*PE1-segment-routing-ipv6-policy-policy1] binding-sid 2001:DB8:1000::100
[*PE1-segment-routing-ipv6-policy-policy1] candidate-path preference 100
[*PE1-segment-routing-ipv6-policy-policy1-path] segment-list list1
[*PE1-segment-routing-ipv6-policy-policy1-path] commit
[~PE1-segment-routing-ipv6-policy-policy1-path] quit
[~PE1-segment-routing-ipv6-policy-policy1] quit
[~PE1-segment-routing-ipv6] quit

The segment list specifies the SRv6 End SIDs of the P and PE2 in sequence. The srv6-te policy command specifies the color and endpoint.

99 Huawei Confidential

• Configure a segment list.
1. Run the system-view command to enter the system view.
2. Run the segment-routing ipv6 command to enable SRv6 and enter the SRv6 view.
3. Run the segment-list list-name command to configure a segment list (an explicit path) for an SRv6 Policy candidate path and enter the segment list view.
4. Run the index index sid ipv6 ipv6address command to specify a next-hop SID for the segment list.
▪ You can run the command multiple times. The system generates a SID stack for the segment list by index index in ascending order. If a candidate path in the SRv6 Policy is preferentially selected, traffic is forwarded using the segment lists of the candidate path. A maximum of 10 SIDs can be configured for each segment list.
5. Run the commit command to commit the configuration.
• Configure an SRv6 Policy.
1. Run the system-view command to enter the system view.
2. Run the segment-routing ipv6 command to enable SRv6 and enter the SRv6 view.
3. Run the srv6-te-policy locator locator-name command to associate a locator with the SRv6 Policy to be created. This configuration allows you to specify a binding SID for the SRv6 Policy in the locator range.
4. Run the srv6-te policy name-value endpoint endpoint-ip color color-value command to create an SRv6 Policy and enter the SRv6 Policy view.
5. (Optional) Run the binding-sid binding-sid command to configure a binding SID for the SRv6 Policy.
▪ The value of binding-sid must be within the range of the static segment specified using the locator locator-name [ ipv6-prefix ipv6-address prefix-length [ static static-length | args args-length ] * ] command.
6. Run the candidate-path preference preference command to configure a candidate path and its preference for the SRv6 Policy.
▪ Each SRv6 Policy supports multiple candidate paths. A larger preference value indicates a higher candidate path preference. If multiple candidate paths are configured, the one with the highest preference takes effect.
7. Run the segment-list list-name [ weight weight-value | path-mtu mtu-value ] * command to configure a segment list for the candidate path of the SRv6 Policy.
▪ The segment list must have been created using the segment-list (SRv6 view) command.
8. Run the commit command to commit the configuration.
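The two notes above, the locator and opcode commands on slide (3) and the rule that a binding SID must lie in the locator's static range, both come down to how a 128-bit SID is split into Locator, Function and Arguments. The following Python is an added example, not Huawei or course code. It uses PE1's locator as1000 (2001:DB8:1000::/64, static 32) from the course; PE2's locator as100 is an assumption (the course shows only the SIDs it allocates, 2001:DB8:300::1:0:x, so a /64 with a 32-bit static range is assumed), and the args handling goes beyond the course, which configures no Arguments field.

```python
"""Decode SRv6 SIDs into Locator, Function and Arguments, and check locator ranges.

Added example, not Huawei code. It models the SID layout the course describes:
SID = Locator | Function | Arguments (128 bits). The locator is the
ipv6-prefix/prefix-length given to the locator command; the Function field is
split into a static range (values below 2**static-length, used for manually
configured opcodes and for binding SIDs) and a dynamic range above it.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Locator:
    name: str
    prefix: str         # locator prefix, e.g. "2001:DB8:1000::"
    prefix_len: int     # locator length in bits (64 in the course)
    static_len: int     # static Function range in bits (32 in the course)
    args_len: int = 0   # Arguments length in bits (0 unless "args" is configured)

    def __post_init__(self):
        if self.prefix_len + self.static_len + self.args_len > 128:
            raise ValueError("locator, static and args lengths exceed 128 bits")

    @property
    def function_len(self) -> int:
        return 128 - self.prefix_len - self.args_len

    def network(self) -> ipaddress.IPv6Network:
        return ipaddress.IPv6Network(f"{self.prefix}/{self.prefix_len}", strict=False)


def locator_covers(sid: str, loc: Locator) -> bool:
    """True when the SID falls inside the locator route (the prefix the IGP floods)."""
    return ipaddress.IPv6Address(sid) in loc.network()


def sid_fields(sid: str, loc: Locator) -> dict:
    """Split a SID into its three fields; raises ValueError if the SID is outside the locator."""
    if not locator_covers(sid, loc):
        raise ValueError(f"{sid} is not covered by locator {loc.name} ({loc.network()})")
    value = int(ipaddress.IPv6Address(sid))
    args = value & ((1 << loc.args_len) - 1)
    function = (value >> loc.args_len) & ((1 << loc.function_len) - 1)
    return {"locator": str(loc.network()), "function": function, "args": args}


def is_static_sid(sid: str, loc: Locator) -> bool:
    """True when the Function value lies in the static range.
    This is the check behind "binding-sid must be within the static segment"."""
    return sid_fields(sid, loc)["function"] < (1 << loc.static_len)


def opcode_to_sid(loc: Locator, opcode: str) -> str:
    """The SID that 'opcode <opcode> end' yields under a locator (opcode written like ::111)."""
    op = int(ipaddress.IPv6Address(opcode))
    if op >= (1 << loc.static_len):
        raise ValueError(f"opcode {opcode} exceeds the static range of locator {loc.name}")
    base = int(loc.network().network_address)
    return str(ipaddress.IPv6Address(base | (op << loc.args_len)))


# PE1's locator from the course. PE2's locator "as100" is an assumption: the
# course shows only the SIDs it allocates (2001:DB8:300::1:0:x), so a /64 with a
# 32-bit static range is assumed here.
AS1000 = Locator("as1000", "2001:DB8:1000::", 64, 32)
AS100 = Locator("as100", "2001:DB8:300::", 64, 32)

if __name__ == "__main__":
    for sid in ("2001:DB8:300::1:0:0", "2001:DB8:300::1:0:2", "2001:DB8:300::1:0:20"):
        f = sid_fields(sid, AS100)
        kind = "static" if is_static_sid(sid, AS100) else "dynamic"
        print(f"{sid}: function=0x{f['function']:x} ({kind})")
    print("opcode ::111 ->", opcode_to_sid(AS1000, "::111"))
    print("binding SID 2001:DB8:1000::100 in static range:",
          is_static_sid("2001:DB8:1000::100", AS1000))
```

Under this model the dynamically allocated SIDs on PE2 (2001:DB8:300::1:0:x) have Function values above 2^32, which is why they never collide with static opcodes, and the binding SID 2001:DB8:1000::100 passes the static-range check that the binding-sid command enforces.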


L3VPNv4 over SRv6 Policy (5)

Enable the VPN instance IPv4 address family on each PE. PE1 configurations are as follows: (PE2 configurations are not provided.)
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpna
[*PE1-bgp-vpna] segment-routing ipv6 traffic-engineer best-effort
[*PE1-bgp-vpna] segment-routing ipv6 locator as1000
[*PE1-bgp-vpna] commit
[~PE1-bgp-vpna] quit
[~PE1-bgp] quit

101 Huawei Confidential

• segment-routing ipv6 traffic-engineer best-effort //If an SRv6 BE path exists on the network, you can set the best-effort parameter, allowing the SRv6 BE path to function as a best-effort path in the case of an SRv6 Policy fault.
L3VPNv4 over SRv6 Policy (6)

Configure a tunnel policy and import VPN traffic. PE1 configurations are as follows: (PE2 configurations are not provided.)
[~PE1] route-policy p1 permit node 10
[*PE1-route-policy] apply extcommunity color 0:101
[*PE1-route-policy] quit
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 2001:DB8:3::3 route-policy p1 import
[*PE1-bgp-af-vpnv4] quit
[*PE1-bgp] quit
[*PE1] tunnel-policy p1
[*PE1-tunnel-policy-p1] tunnel select-seq ipv6 srv6-te-policy load-balance-number 1
[*PE1-tunnel-policy-p1] quit
[*PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] tnl-policy p1
[*PE1-vpn-instance-vpna-af-ipv4] commit
[~PE1-vpn-instance-vpna-af-ipv4] quit
[~PE1-vpn-instance-vpna] quit

102 Huawei Confidential


L3VPNv4 over SRv6 Policy (7)

Check SRv6 Policy information on PE1.
<PE1>display srv6-te policy
PolicyName : policy1
Color : 101 Endpoint : 2001:DB8:3::3
TunnelId : 1 Binding SID : 2001:DB8:1000::100
TunnelType : SRv6-TE Policy DelayTimerRemain :
Policy State : Up
Admin State : UP Traffic Statistics : Disable
Candidate-path Count : 1
Candidate-path Preference : 100
Path State : Active Path Type : Primary
Protocol-Origin : Configuration(30) Originator : 0, 0.0.0.0
Discriminator : 100 Binding SID : 2001:DB8:1000::100
GroupId : 1 Policy Name : policy1
DelayTimerRemain : - Segment-List Count : 1
Segment-List : list1
Segment-List ID : 1 XcIndex : 1
List State : Up DelayTimerRemain : -
Weight : 1 BFD State : -
SID :
2001:DB8:2000::222
2001:DB8:3000::333

The Color field (101) is the color of the specified SRv6 Policy.

103 Huawei Confidential


L3VPNv4 over SRv6 Policy (8)

Check VPNv4 routing information on PE1.
<PE1> display bgp vpnv4 all routing-table 10.1.5.5
BGP local router ID : 10.0.1.1
Local AS number : 100
Total routes of Route Distinguisher(100:1): 1
BGP routing table entry information of 10.1.5.5/32:
Label information (Received/Applied): 3/NULL
From: 2001:DB8:3::3 (10.0.13.3)
Route Duration: 0d00h03m30s
Relay IP Nexthop: FE80::DE99:14FF:FE7A:C301
Relay IP Out-Interface: GigabitEthernet0/3/0.12
Relay Tunnel Out-Interface:
Original nexthop: 2001:DB8:3::3
Qos information : 0x0
Ext-Community: RT <111 : 1>, Color <0 : 101>
Prefix-sid: 2001:DB8:3000::1:0:1E
AS-path 65000, origin incomplete, MED 0, localpref 100, pref-val 0, valid, internal, best, select, pre 255, IGP cost 20
Not advertised to any peer yet

The route carries Color <0 : 101> and recurses to the corresponding SRv6 Policy based on the color attribute.

104 Huawei Confidential
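The recursion shown on this slide (the route's Color extended community plus its original next hop select policy1), the candidate-path and segment-list rules from the configuration notes on slide (4), and the best-effort fallback from slide (5), as one added Python example. This is not Huawei code and not from the course; it replays the decision on constructed data taken from the slides (policy1, list1, the 10.1.5.5/32 route and its Prefix-sid) and encodes the resulting SID stack as an SRH in the RFC 8754 layout. The down-policy and backup-path variants are constructed to exercise the fallback rules; the exact fallback behaviour of a NetEngine when no policy matches at all is an assumption here (the code treats it like a policy fault).

```python
"""Recurse a VPNv4 route to an SRv6 Policy by (color, endpoint) and build its SID stack.

Added example, not Huawei code. The route for 10.1.5.5/32 carries Color <0 : 101>
and original next hop 2001:DB8:3::3, so it recurses to the SRv6 Policy with color
101 and endpoint 2001:DB8:3::3. The highest-preference candidate path with an Up
segment list is used; its SID stack is built from the "index N sid ipv6 ..." entries
in ascending index order and encoded as an SRH (RFC 8754). When no policy is usable
and "segment-routing ipv6 traffic-engineer best-effort" is configured, forwarding
falls back to SRv6 BE, i.e. directly to the route's Prefix-SID (remote End.DT4 SID).
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

MAX_SIDS_PER_LIST = 10  # limit stated in the course for a segment list


@dataclass
class SegmentList:
    name: str
    entries: dict         # index -> SID, as entered with "index N sid ipv6 X"
    state: str = "Up"

    def sid_stack(self) -> list:
        if len(self.entries) > MAX_SIDS_PER_LIST:
            raise ValueError(f"segment list {self.name} has more than {MAX_SIDS_PER_LIST} SIDs")
        return [self.entries[i] for i in sorted(self.entries)]


@dataclass
class CandidatePath:
    preference: int
    segment_lists: list


@dataclass
class Srv6Policy:
    name: str
    endpoint: str
    color: int
    candidate_paths: list
    binding_sid: Optional[str] = None


@dataclass
class VpnRoute:
    prefix: str
    original_nexthop: str
    prefix_sid: str               # End.DT4 SID advertised by the remote PE
    color: Optional[int] = None   # from the Color extended community, if any


def parse_color(ext_community: str) -> Optional[int]:
    """Color value from a display string such as 'RT <111 : 1>, Color <0 : 101>'."""
    for part in ext_community.split(","):
        part = part.strip()
        if part.startswith("Color <") and part.endswith(">"):
            _, value = part[len("Color <"):-1].split(":")
            return int(value)
    return None


def select_policy(route: VpnRoute, policies: list) -> Optional[Srv6Policy]:
    """Policy whose color equals the route's color and whose endpoint is the route's next hop."""
    if route.color is None:
        return None
    nexthop = ipaddress.IPv6Address(route.original_nexthop)
    for policy in policies:
        if policy.color == route.color and ipaddress.IPv6Address(policy.endpoint) == nexthop:
            return policy
    return None


def active_sid_stack(policy: Srv6Policy) -> Optional[list]:
    """Highest-preference candidate path with an Up segment list; None if the policy is down."""
    for cp in sorted(policy.candidate_paths, key=lambda c: c.preference, reverse=True):
        for sl in cp.segment_lists:
            if sl.state == "Up":
                return sl.sid_stack()
    return None


def build_srh(sid_stack: list, next_header: int = 4) -> bytes:
    """Encode an SRH: Segment List[0] holds the last SID, Segments Left points at the first.
    next_header 4 means an IPv4 payload, i.e. the customer packet of the L3VPNv4 service."""
    n = len(sid_stack)
    if n == 0:
        raise ValueError("empty SID stack")
    # Next Header, Hdr Ext Len (8-octet units after the first 8 octets), Routing Type 4,
    # Segments Left, Last Entry, Flags, Tag
    header = struct.pack("!BBBBBBH", next_header, 2 * n, 4, n - 1, n - 1, 0, 0)
    segments = b"".join(ipaddress.IPv6Address(s).packed for s in reversed(sid_stack))
    return header + segments


def decode_srh(srh: bytes) -> dict:
    """Inverse of build_srh, as a receiving node would read it."""
    next_header, hdr_ext_len, routing_type, segments_left, last_entry = srh[:5]
    if routing_type != 4 or len(srh) != 8 + 8 * hdr_ext_len:
        raise ValueError("not a well-formed SRH")
    segments = [str(ipaddress.IPv6Address(srh[8 + 16 * i:24 + 16 * i])) for i in range(last_entry + 1)]
    return {"next_header": next_header, "segments_left": segments_left,
            "last_entry": last_entry, "segments": segments}


def forwarding_decision(route: VpnRoute, policies: list, best_effort: bool) -> tuple:
    """('policy', name, outer IPv6 DA, srh), ('be', None, DA, None) or ('drop', None, None, None)."""
    policy = select_policy(route, policies)
    stack = active_sid_stack(policy) if policy else None
    if stack:
        return ("policy", policy.name, stack[0], build_srh(stack))
    if best_effort:  # assumption: no usable policy is treated like a policy fault
        return ("be", None, route.prefix_sid, None)
    return ("drop", None, None, None)


# Course values: policy1 on PE1 and the VPNv4 route PE1 learns for 10.1.5.5/32.
LIST1 = SegmentList("list1", {5: "2001:DB8:2000::222", 10: "2001:DB8:3000::333"})
POLICY1 = Srv6Policy("policy1", "2001:DB8:3::3", 101, [CandidatePath(100, [LIST1])],
                     binding_sid="2001:DB8:1000::100")
ROUTE = VpnRoute("10.1.5.5/32", "2001:DB8:3::3", "2001:DB8:3000::1:0:1E",
                 color=parse_color("RT <111 : 1>, Color <0 : 101>"))
# Constructed variants: the same policy with its only segment list down, and one
# with a preferred (200) path that is down so the preference-100 path is used.
DOWN_POLICY = Srv6Policy("policy1", "2001:DB8:3::3", 101,
                         [CandidatePath(100, [SegmentList("list1", LIST1.entries, "Down")])])
POLICY_WITH_BACKUP = Srv6Policy("policy1", "2001:DB8:3::3", 101,
                                [CandidatePath(200, [SegmentList("list2", {5: "2001:DB8:4000::444"}, "Down")]),
                                 CandidatePath(100, [LIST1])])

if __name__ == "__main__":
    kind, name, da, srh = forwarding_decision(ROUTE, [POLICY1], best_effort=True)
    print(kind, name, "outer DA", da, decode_srh(srh))
    print(forwarding_decision(ROUTE, [DOWN_POLICY], best_effort=True)[:3])
```

With the course's data the outer IPv6 destination becomes 2001:DB8:2000::222 (the P's End SID) and the SRH carries the two SIDs with Segments Left = 1, which matches the SID order shown by display srv6-te policy. With list1 down and best-effort configured, the same route is forwarded straight to 2001:DB8:3000::1:0:1E, the End.DT4 SID seen in the Prefix-sid field.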


L3VPNv4 over SRv6 Policy (9)

Check vpna's routing information on PE1.
<PE1>display ip routing-table vpn-instance vpna 10.1.5.5 verbose
Routing Table : vpna
Summary Count : 1
Destination: 10.1.5.5/32
Protocol: IBGP Process ID: 0
Preference: 255 Cost: 0
NextHop: 2001:DB8:3::3 Neighbour: 2001:DB8:3::3
State: Active Adv Relied Age: 00h08m38s
Tag: 0 Priority: low
Label: 3 QoSInfo: 0x0
IndirectID: 0x1000174 Instance:
RelayNextHop: :: Interface: policy1
TunnelID: 0x000000003400000001 Flags: RD

The outbound interface (policy1) is an SRv6 Policy interface.

Verify the configuration on CE1.
<CE1>ping -a 10.1.4.4 10.1.5.5
PING 10.1.5.5: 56 data bytes, press CTRL_C to break
Reply from 10.1.5.5: bytes=56 Sequence=1 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 10.1.5.5: bytes=56 Sequence=5 ttl=254 time=1 ms

105 Huawei Confidential


Contents

1. SRv6 Overview

2. SRv6 Fundamentals

3. SRv6 High Reliability

4. Basic SRv6 Configuration

5. SRv6 Deployment Using iMaster NCE-IP

106 Huawei Confidential


SRv6 Deployment Using iMaster NCE-IP
⚫ Static SRv6 deployment on the live network poses great challenges to network O&M. For example, static SRv6
deployment takes a long period and does not support global path planning or network quality-based SRv6
forwarding path adjustment.
⚫ Deploying SRv6 through iMaster NCE-IP can avoid the problems faced by static SRv6 deployment.
⚫ iMaster NCE-IP uses the following protocols to deploy SRv6 tunnels and VPN services:

[Figure: iMaster NCE-IP above a network of R1, R2, R3 and R4; BGP-LS, BGP IPv6 SR Policy and NETCONF run between the controller and the routers]
107 Huawei Confidential

• IGP: generates network topology information, such as bandwidth, delay, and SID
information, on a router.
• BGP-LS: collects topology information and reports collected information to the
controller. If an RR exists on the network, you only need to deploy BGP-LS on the
RR and establish a BGP-LS peer relationship between the RR and controller.
• BGP IPv6 SR Policy: Such a peer relationship is established between the controller
and forwarder, so that the controller can deliver an SRv6 Policy to the forwarder
through the peer relationship to direct traffic forwarding. To reduce the number
of peer relationships, you can deploy an RR and configure PEs and the controller
to function as RR clients.
• NETCONF: delivers service configurations from the controller to forwarders. This
document does not describe service delivery or NETCONF-related configuration.
SRv6 Policy Advertisement Process
⚫ To facilitate configuration, the controller provides the following functions:
 Directly creates a bidirectional tunnel between the ingress and egress. In other words, a tunnel from the egress to the ingress is automatically created when a tunnel from the ingress to the egress is created.
 Allows you to configure tunnel and color templates to simplify the configuration of some parameters.
⚫ In Huawei's CloudWAN solution:
 The SRv6 Policy configurations are delivered by BGP IPv6 SR Policy, and the tunnel status is reported by BGP-LS.

[Figure: (1) the network administrator enters requirements into iMaster NCE-IP; (2) BGP-LS topology reporting from the network (PE1, PE2, P1, RR, PE3, PE4); (3) automatic path planning by the controller; (4) forwarding path deployment of the SRv6 Policy; (5) tunnel status reporting. Legend: BGP-LS peer, BGP SR-Policy peer, SRv6 Policy]
108 Huawei Confidential

• The process of planning and deploying forwarding paths through iMaster NCE-IP is as follows:
▫ Devices use BGP-LS to report network topology information to the controller, which then generates forwarding paths based on requirements.
▫ The controller delivers the computed paths to the devices through BGP IPv6 SR Policy.
▫ Target traffic travels along the delivered paths.


Key Information Required for SRv6 Policy Path Computation
⚫ iMaster NCE-IP uses an IGP to collect the following key information for SRv6 Policy path computation:
 SID information: End and End.X SIDs.
 Locator information: After a locator is configured for a node, the system generates a locator route and propagates the route throughout the SR domain using an IGP. Other nodes on the network can locate this node through the locator route.
 Interface bandwidth information: physical bandwidth and reservable bandwidth.
 Interface delay and packet loss rate.
 Network topology information.
⚫ BGP-LS advertises the information collected by an IGP to iMaster NCE-IP.

[Figure: R1, R2 and R3 run an IGP; BGP-LS carries the collected information to iMaster NCE-IP]

109 Huawei Confidential


Basic IGP Configurations
⚫ In Huawei's SRv6 solution, it is recommended that extended IS-IS be used as an IGP for the collection of basic network information. Basic IGP configurations are as follows:
 Global IS-IS configurations
[P1]isis 1
[P1-isis-1] is-level level-2
[P1-isis-1] cost-style wide //TE information (such as bandwidth information) required in TE scenarios cannot be carried in narrow mode. Therefore, the wide type needs to be set.
[P1-isis-1] network-entity 49.0001.0010.0000.0005.00
[P1-isis-1] is-name P1
[P1-isis-1] ipv6 enable topology ipv6
[P1-isis-1] ipv6 bgp-ls enable level-2 //The device is enabled to send topology information collected by IS-IS to the controller through BGP-LS. This function only needs to be configured on the RR. That is, only one device in the IGP domain needs to send topology information to the controller through BGP-LS.
[P1-isis-1] ipv6 advertise link attributes //The device is enabled to carry link attribute-related TLVs in LSPs. TLV information includes the IPv6 addresses and indexes of interfaces.
[P1-isis-1] ipv6 metric-delay advertisement enable level-1-2 //The device is enabled to advertise IPv6 delay information. Intra-domain IPv4 link delay information is collected and flooded through IS-IS and then reported to the controller through BGP-LS. Based on the delay information, the controller computes the optimal path on the P2P network.
[P1-isis-1] ipv6 traffic-eng level-2 //IS-IS TE is enabled so that link bandwidth information is reported to the TE module.
 Interface-specific IS-IS configurations
[P1]interface GigabitEthernet0/3/0
[P1-GigabitEthernet0/3/0] isis ipv6 enable 1
[P1-GigabitEthernet0/3/0] isis circuit-type p2p //The IS-IS interface's network type must be set to P2P. Otherwise, the required network topology cannot be formed on the controller.

110 Huawei Confidential


Topology Information Reporting to the Controller Through BGP-LS
⚫ Each router maintains one or more LSDBs. Each LSDB contains multiple link attributes, such as the interface IP address, link metric, TE metric, link bandwidth, and reservable bandwidth. The BGP process of a router obtains information from these LSDBs and carries the information in the extended NLRI attribute.

[Figure: R2's LSDB holds the link state information of R1, R2 and R3; R2's BGP process extracts it into Node NLRI, Link NLRI, Topology Prefix NLRI (IPv4) and Topology Prefix NLRI (IPv6), which are advertised to the BGP-LS peer and reported to the controller]

111 Huawei Confidential


BGP-LS Deployment
⚫ BGP-LS is mainly used to upload network topology and tunnel information. As such, iMaster NCE-IP needs to establish BGP-LS peer relationships with at least two types of devices:
 Establishes a BGP-LS peer relationship with an intra-AS network node, which is usually a BGP RR, in order to obtain network topology information.
 Establishes a BGP-LS peer relationship with the ingress of the involved tunnel in order to obtain SRv6 Policy status.

BGP-LS deployment solutions:
[Figure: left, iMaster NCE-IP with BGP-LS sessions to PE1, P1 and PE2 (CE1 and CE2 attached); right, iMaster NCE-IP with a BGP-LS session to the RR, which peers with PE1 and PE2]
⚫ Solution 1: Establish BGP-LS peer relationships between iMaster NCE-IP and all PEs and between iMaster NCE-IP and all Ps.
⚫ Solution 2: Establish BGP-LS peer relationships between iMaster NCE-IP and RRs and between the RRs and other devices.
⚫ Solution 2 is recommended to reduce the number of BGP peers maintained by iMaster NCE-IP.

112 Huawei Confidential


BGP-LS Peer Relationship Establishment

[Figure: BGP-LS session between 2000::102 and FC01::5]

[P1]bgp 65001
[P1-bgp]peer 2000::102 as-number 65001
[P1-bgp]peer 2000::102 connect-interface LoopBack0
[P1-bgp]link-state-family unicast
[P1-bgp-af-ls]peer 2000::102 enable

[P1]display bgp link-state unicast peer

BGP local router ID : 1.0.0.5
Local AS number : 65001
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2000::102 4 65001 72877 72106 0 1039h31m Established 0

113 Huawei Confidential

• BGP-LS peer relationships can be established using IPv4 or IPv6 addresses. This
course uses IPv6 addresses to establish such relationships.
SRv6 Policy Path Computation and Deployment
⚫ With the SRv6 Policy path computation algorithm, the controller can provide the following path computation results if specified constraints are met:
 Minimum cost: path with the minimum cost among all qualified paths
 Minimum delay: path with the minimum delay among all qualified paths
 Bandwidth balancing: path with the most remaining bandwidth among all qualified paths that have the same cost
⚫ During SRv6 Policy creation, you need to specify a color value for each SRv6 Policy.

114 Huawei Confidential

• Optional constraints:
▫ Bandwidth constraint: ensures that the bandwidth configured for a service does not exceed the remaining bandwidth of the link that the service traverses.
▫ PIR constraint: ensures that the peak bandwidth does not exceed the BC0 bandwidth of the link that the service traverses. PIR refers to the peak bandwidth of a service.
▫ Delay limit constraint: ensures that the path delay of a service does not exceed the configured delay limit.
▫ Hop limit constraint: ensures that the number of links that a service traverses does not exceed the configured hop limit.
▫ Affinity constraint: determines which types of links are allowed and which types of links are not allowed for services.
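The three path computation results and the five optional constraints above, worked through on a small topology as an added Python example. This is not Huawei or iMaster NCE-IP code, and the controller's real algorithm is not described on the page; the topology, link attributes, affinity names and End SIDs below are constructed for illustration. Bandwidth balancing is read here as a tie-break among the minimum-cost qualified paths, following the slide's wording ("among all qualified paths that have the same cost").

```python
"""Constrained SRv6 Policy path computation, as a controller performs it before delivery.

Added example, not Huawei or iMaster NCE-IP code. The topology, link attributes and
End SIDs are constructed for illustration. All loop-free paths between two nodes are
enumerated, those violating the optional constraints from the course (bandwidth, PIR
against BC0 bandwidth, delay limit, hop limit, affinity) are dropped, and one of the
three objectives (minimum cost, minimum delay, bandwidth balancing) picks the path.
The result is the node sequence and the End SID list a segment list would carry.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    cost: int
    delay_ms: float
    reservable_bw: int            # remaining reservable bandwidth, Mbit/s
    bc0_bw: int                   # BC0 bandwidth, checked against the PIR constraint
    affinity: frozenset = frozenset()


@dataclass(frozen=True)
class Constraints:
    bandwidth: int = 0                      # required bandwidth; 0 = unconstrained
    pir: int = 0                            # peak information rate; 0 = unconstrained
    delay_limit_ms: Optional[float] = None
    hop_limit: Optional[int] = None
    include_any: frozenset = frozenset()    # every link must carry one of these affinities
    exclude: frozenset = frozenset()        # no link may carry any of these affinities


# Constructed topology: R1-R2-R3 core path, R1-R4-R3 backup path, a direct leased link.
LINKS = [
    Link("R1", "R2", 10, 5.0, 1000, 1000, frozenset({"core"})),
    Link("R2", "R3", 10, 5.0, 400, 1000, frozenset({"core"})),
    Link("R1", "R4", 10, 20.0, 10000, 10000, frozenset({"backup"})),
    Link("R4", "R3", 10, 20.0, 10000, 10000, frozenset({"backup"})),
    Link("R1", "R3", 50, 2.0, 100, 100, frozenset({"leased"})),
]
# Constructed End SIDs, one per node
END_SID = {"R1": "2001:DB8:10::1", "R2": "2001:DB8:20::2", "R3": "2001:DB8:30::3", "R4": "2001:DB8:40::4"}


def enumerate_paths(src, dst, links, hop_limit=None):
    """All loop-free paths from src to dst as lists of links (DFS is fine for a small topology)."""
    paths = []

    def dfs(node, visited, path):
        if hop_limit is not None and len(path) > hop_limit:
            return
        if node == dst:
            paths.append(list(path))
            return
        for link in links:
            if node in (link.a, link.b):
                nxt = link.b if link.a == node else link.a
                if nxt not in visited:
                    visited.add(nxt)
                    path.append(link)
                    dfs(nxt, visited, path)
                    path.pop()
                    visited.remove(nxt)

    dfs(src, {src}, [])
    return paths


def satisfies(path, c):
    """Apply the optional constraints to one candidate path."""
    if c.hop_limit is not None and len(path) > c.hop_limit:
        return False
    if c.delay_limit_ms is not None and sum(l.delay_ms for l in path) > c.delay_limit_ms:
        return False
    for link in path:
        if c.bandwidth and link.reservable_bw < c.bandwidth:
            return False
        if c.pir and link.bc0_bw < c.pir:
            return False
        if c.exclude & link.affinity:
            return False
        if c.include_any and not (c.include_any & link.affinity):
            return False
    return True


def metrics(path):
    return {"cost": sum(l.cost for l in path), "delay_ms": sum(l.delay_ms for l in path),
            "bottleneck_bw": min(l.reservable_bw for l in path), "hops": len(path)}


# Sort keys for the three objectives; ties are broken by the later tuple members.
OBJECTIVES = {
    "min-cost": lambda m: (m["cost"], m["delay_ms"], m["hops"]),
    "min-delay": lambda m: (m["delay_ms"], m["cost"], m["hops"]),
    # bandwidth balancing: among equal-cost qualified paths prefer the most remaining bandwidth
    "bandwidth-balancing": lambda m: (m["cost"], -m["bottleneck_bw"], m["hops"]),
}


def node_sequence(path, src):
    nodes = [src]
    for link in path:
        nodes.append(link.b if link.a == nodes[-1] else link.a)
    return nodes


def compute_path(src, dst, objective, constraints=None, links=LINKS):
    """Node sequence of the best qualified path, or None when no path meets the constraints."""
    c = constraints or Constraints()
    candidates = [p for p in enumerate_paths(src, dst, links, c.hop_limit) if satisfies(p, c)]
    if not candidates:
        return None
    best = min(candidates, key=lambda p: OBJECTIVES[objective](metrics(p)))
    return node_sequence(best, src)


def segment_list(nodes, sids=END_SID):
    """End SIDs of every node after the ingress, in forwarding order."""
    return [sids[n] for n in nodes[1:]]
```

On this topology the minimum-cost path R1-R2-R3 and the backup path R1-R4-R3 have the same cost, so bandwidth balancing moves the service to R1-R4-R3; a bandwidth constraint of 500 Mbit/s does the same because the R2-R3 link has only 400 Mbit/s reservable, and excluding the "backup" affinity on top of that leaves no qualified path, which is the case a controller must report back rather than silently fall back.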
BGP IPv6 SR Policy Deployment
⚫ BGP IPv6 SR Policy is mainly used to deliver SRv6 tunnel information. As such, iMaster NCE-IP needs to establish a BGP IPv6 SR Policy peer relationship with the ingress of the involved tunnel.
⚫ BGP IPv6 SR Policy deployment solutions:

[Figure: left, iMaster NCE-IP with BGP IPv6 SR Policy sessions to PE1 and PE2 across a PE1-P1-PE2 network (CE1 and CE2 attached); right, iMaster NCE-IP with a session to the RR, which peers with PE1 and PE2]
⚫ Solution 1: Establish BGP IPv6 SR Policy peer relationships between iMaster NCE-IP and all PEs.
⚫ Solution 2: Establish BGP IPv6 SR Policy peer relationships between iMaster NCE-IP and RRs and between the RRs and other devices.
⚫ Solution 2 is recommended to reduce the number of BGP peers maintained by iMaster NCE-IP.

115 Huawei Confidential


BGP IPv6 SR Policy Peer Relationship Establishment

[Figure: BGP IPv6 SR Policy session between 2000::102 and FC01::5]

[P1]bgp 65001
[P1-bgp]peer 2000::102 as-number 65001
[P1-bgp]peer 2000::102 connect-interface LoopBack0
[P1-bgp]ipv6-family sr-policy
[P1-bgp-af-ls]peer 2000::102 enable

[P1]display bgp sr-policy ipv6 peer

BGP local router ID : 1.0.0.5
Local AS number : 65001
Total number of peers : 7 Peers in established state : 5

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2000::102 4 65001 11286 11195 0 0160h44m Established 2

116 Huawei Confidential

• BGP IPv6 SR Policy peer relationships can be established using IPv4 or IPv6
addresses. This course uses IPv6 addresses to establish such relationships.
VPN Service Forwarding over SRv6 Policies
⚫ The following types of VPNs are available in enterprise network scenarios:
 L2VPN: Customer IP addresses are on the same network segment.
 L3VPN: Customer IP addresses are on different network segments.
 EVPN: Customer IP addresses are either on the same network segment (L2VPN scenario) or on different network segments (L3VPN scenario).
⚫ A tunnel policy is used by an application module to select tunnels for services. There are two types of tunnel policies:
 (Preferred mode) Tunnel type prioritizing policy: recurses services to a tunnel based on the tunnel type priority and the number of tunnels participating in load balancing.
 Tunnel binding policy: binds a destination address to a tunnel, so that the traffic of VPN services referencing the policy and destined for this address will be transmitted over the tunnel.
⚫ VPN services first select tunnels in the up state based on the tunnel policy, and then select a forwarding path from qualified tunnels.

[Figure: L2VPN, L3VPN and EVPN services go through tunnel policy-based tunnel type selection to an SRv6 Policy or an SRv6 Policy Group; a forwarding path is selected among tunnels of the same type in either of the following modes: Color or DSCP]

117 Huawei Confidential


Quiz

1. (Short-answer question) An SRv6 SID has 128 bits. What are the three fields of
an SRv6 SID?
2. (Short-answer question) In SIDs corresponding to SRv6 endpoint behaviors, which
types of SIDs are similar to the node segments and adjacency segments in SR-
MPLS?


1. An SRv6 SID has 128 bits and consists of the Locator, Function, and Arguments
fields.
2. End SIDs and End.X SIDs.
Summary
⚫ This course describes the concept of SRv6 network programming, SRv6 instruction sets (endpoint node
behaviors, source node behaviors, and flavors), SRv6 Policy, and basic SRv6 SID configurations on
Huawei NetEngine series routers.
⚫ Leveraging the programmability of 128-bit IPv6 addresses, SRv6 enriches the network functions
expressed by SRv6 instructions. For example, in addition to identifying an instruction that can indicate a
forwarding path, a network function can identify a VAS (e.g. firewall, application acceleration gateway,
user gateway). To deploy a new network function, you only need to define a new instruction, without
the need to change the protocol mechanism or deployment.

⚫ SRv6 Policy information is carried by extending new NLRIs based on MP-BGP. The controller establishes
BGP IPv6 SR Policy peer relationships with forwarders to deliver SRv6 Policies to them.



More Information

⚫ SRv6 Network Programming: Ushering in a New Era of IP Networks


⚫ https://datatracker.ietf.org/doc/rfc8754/
⚫ https://datatracker.ietf.org/doc/rfc8986/



Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Enterprise Bearer WAN Design
Foreword
⚫ The enterprise bearer WAN is also called the enterprise backbone WAN, which is used for
interconnection between enterprise branches, between enterprise branches and clouds, and
between clouds.
⚫ In the past, the enterprise bearer WAN only needed to forward traffic. However, as enterprise services
depend increasingly on the network, service SLA assurance requirements are now imposed on the
network.
⚫ To meet service requirements, the enterprise bearer WAN has employed various new
technologies, which complicates the O&M and design of the bearer WAN.
⚫ This course describes the technologies and network design roadmap of the bearer WAN
based on Huawei's CloudWAN solution.


• This course is based on Huawei's CloudWAN solution.


Objectives

⚫ On completion of this course, you will be able to:
 Describe the challenges faced by the enterprise bearer WAN.
 Describe the basic functions of Huawei's CloudWAN solution.
 Describe the basic design roadmap of the enterprise bearer WAN.
 Describe the tunnel and VPN design roadmap of the enterprise bearer WAN.
 Describe the SLA and reliability design roadmap of the enterprise bearer WAN.
 Describe the optimization and O&M design roadmap of the enterprise bearer WAN.
Contents

1. Current Situation and Challenges of the Enterprise Bearer WAN

2. Huawei CloudWAN Solution Overview

3. Basic Design for the Enterprise Bearer WAN

4. Tunnel and VPN Design for the Enterprise Bearer WAN

5. SLA and Reliability Design for the Enterprise Bearer WAN

6. Optimization and O&M Design for the Enterprise Bearer WAN

Enterprise Bearer WAN Overview

Bearer WANs can be classified into IP bearer networks and transmission bearer networks by network layer. For most enterprises,
transmission bearer networks cannot be built by themselves (optical fiber layout requires qualification certificates). Therefore, they
usually lease transmission lines from carriers. An enterprise can build its own IP bearer network over the transmission bearer
network.

The IP bearer network built by an enterprise is called the enterprise bearer WAN, which is also called the enterprise backbone
network or enterprise core network.

The enterprise bearer WAN carries the enterprise's internal cross-region interconnection services, such as synchronization services
between data centers and voice services between enterprise branches and the HQ.
[Figure: branch sites, the data center, and the HQ are connected over the enterprise IP bearer network, which is built on top of the transmission bearer network.]

• The bearer WAN mentioned in this course mainly refers to the IP bearer WAN.
Enterprise Bearer WAN Architecture
⚫ While the bearer WANs of different enterprises vary greatly in scale and actual topology, their architecture can be
generally divided into the access, aggregation, and core layers.
 Access layer: provides access for enterprise sites in different regions or different types of services.
 Aggregation layer: aggregates traffic by service type or geographical location and then transmits aggregated traffic to the core backbone network.
 Core layer: serves as the top-layer interconnection area to provide high-speed mutual access between services.

[Figure: branch sites, the data center, and the HQ attach at the access layer; traffic is aggregated at the aggregation layer; the core layer interconnects the aggregation nodes.]
Development Trend of the Enterprise Bearer WAN
⚫ The emergence of new technologies such as cloud computing and big data promotes the development of enterprise
services and poses new requirements on enterprise bearer WANs:
 Multi-network convergence
 Flexible multi-service bearer
 High reliability
 Easy O&M

[Figure: the separate production bearer network and office bearer network are merged into one converged bearer network connecting the HQ, data center 1, data center 2, and branch sites, managed by an NMS/controller.]

• Multi-network convergence:
▫ The bearer network uses one physical network to carry production, office, and other services. Powerful BGP routing policies are used to control traffic on the bearer network. Traffic diversion policies are deployed based on service attributes so that different types of services, such as production and office services, can run on different paths based on the customized policies.
• Flexible multi-service bearer:
▫ As multiple services are migrated to the cloud and multiple networks are converged, issues such as low network resource utilization and unbalanced traffic distribution become more prominent. The segment routing technology can be used to flexibly plan paths to carry traffic, improving network utilization.
• High reliability:
▫ Reliability is classified into network reliability and service reliability.
▫ Network reliability is ensured from aspects such as network architecture and network stability.
▫ Service reliability is mainly ensured by optimizing network bandwidth, delay, and packet loss rate based on service requirements.
• Easy O&M:
▫ Topologies, events, configurations, service provisioning, and link quality are managed in a unified manner.
▫ The import of traffic into tunnels, tunnel bandwidth, paths, and node traffic are dynamically controlled.
▫ Application data flows are visible, analyzable, and predictable.

Challenges Faced by Enterprise Bearer WANs
⚫ The development trend of the enterprise bearer WAN brings many challenges.
 Multi-network convergence
◼ Challenge: It is difficult to isolate multiple services.
 Flexible multi-service bearer
◼ Challenge: Network resource planning is not precise enough, and traffic path planning and deployment are difficult.
 High reliability
◼ Challenge: Fast convergence cannot be implemented in all scenarios, and service SLA cannot be effectively guaranteed.
 Easy O&M
◼ Challenge: Precise traffic path optimization and visualized O&M cannot be provided.

[Figure: HQ, data center 1, data center 2, and a branch site connected through the bearer network with an NMS/controller; annotated problems: difficult multi-service isolation, fast network convergence not possible in some scenarios, visualized traffic O&M not possible, path optimization not accurate enough, difficult traffic path deployment, flawed path planning. Legend: type 1 service forwarding path, backup type 1 service forwarding path, type 2 service forwarding path, type 3 service forwarding path.]

• Multi-service isolation:
▫ Due to the convergence of multiple networks, the originally physically isolated production and office networks are now carried on the same network. The service isolation requirements of some enterprises can be met using the VPN technology. However, for other enterprises, services need to be isolated using hard pipes.
• Network resource and traffic path planning:
▫ To make full use of network resources (mainly bandwidth), network traffic needs to be planned. Traditional traffic engineering (mainly MPLS-TE) has many disadvantages, such as complex configuration and flawed path computation mechanism. Therefore, it cannot effectively solve the problem in multi-service bearing.
• Fast network convergence and service SLA assurance:
▫ Traditional networks usually use FRR to shorten the convergence time. However, FRR based on the LFA or RLFA algorithm has restrictions in application scenarios and may fail to meet the high reliability of some networks.
• Traffic path optimization and visualized O&M:
▫ Traditional enterprise WANs mainly use the NQA technology to measure network quality. However, the NQA technology cannot precisely reflect the actual network situation. As a result, traffic paths cannot be effectively optimized.
▫ Traditional network management software cannot perform end-to-end traffic monitoring based on services, and therefore cannot implement visualized O&M for traffic.
Solutions to Challenges Faced by the Enterprise Bearer WAN
⚫ To address challenges faced by the enterprise bearer WAN, Huawei provides the CloudWAN solution.
 Difficult multi-service isolation
◼ Network slicing technology is deployed to carry different services over different slices.
 Difficult traffic path planning and deployment
◼ Based on SR, the controller plans paths globally and automatically deploys paths.
 Lack of fast network convergence and service SLA assurance
◼ TI-LFA is used for backup path computation, and TI-LFA works with FRR and HSB technologies for fast network convergence.
 Difficult traffic path optimization and lack of visualized O&M
◼ TWAMP and iFIT are used to precisely detect network quality, facilitating accurate traffic optimization.

[Figure: TWAMP/iFIT for network performance detection; SR-based path planning; TI-LFA-based backup path computation; network slicing for service isolation (high-bandwidth slice, low-delay slice for the voice service, default slice).]
Huawei CloudWAN Solution Overview

Solution highlights:
1. New platform: NetEngine series routers with large capacity and full-service support
• A unified platform is provided for all scenarios, including broadband, private line, data center egress, IGW, and BNG service scenarios.
2. New protocol: SLA assurance and committed delay
• SRv6 shortens the TTM and ensures committed delay.
3. New pipe: FlexE-based hard slicing, ensuring bandwidth
• Zero preemption between FlexE-based slices, ensuring bandwidth
• Network slicing granularity (1 Gbit/s at least)
4. New O&M: AI-powered intelligent O&M, visualizing service quality
• iMaster NCE-IP + iFIT, hop-by-hop packet loss detection
• TI-LFA, enabling E2E switching within 50 ms

[Figure: B2C (CloudVR, online gaming), B2B (enterprise private line, vertical industries), and B2H (4K/8K video, Internet) services carried over an E2E SRv6 network spanning metro and backbone/DCI segments, with VIP services and common services; the Manager, Controller, and Analyzer manage the network through NETCONF/YANG and telemetry. Simplified architecture, intelligent connection, intelligent O&M.]

• TI-LFA: Topology-Independent Loop-free Alternate
• BNG: broadband network gateway
• TTM: time to market

Huawei iMaster NCE-IP Architecture

[Figure: iMaster NCE-IP layered architecture, from top to bottom:]
Apps: basic apps, value-added apps, mobile bearer apps, unified portal
NBIs: RESTful, SNMP, XML, CORBA, FTP
Manager & Controller: service management, NE management, slice management, MPLS optimization, IP optimization, centralized path computation, PCEP, BGP-LS, route flooding, third-party device adaptation, southbound programming framework
Analyzer: traffic forecast, simulation analysis, traffic analysis, fault diagnosis, anomaly detection, SLA monitoring, big data engine
SBIs: NETCONF, Telnet, SNMP, BGP-LS, FTP, Telemetry
Network devices: ATN, NE, CX

• Based on the cloud platform, iMaster NCE-IP provides three logical modules
(Manager, Controller, and Analyzer) and various scenario-specific applications to
achieve flexible modular deployment based on customer requirements.
CloudWAN Product Overview

[Figure: access, metro, and backbone segments between the Internet and the cloud: ATN series mobile bearer routers (access), NE series metro routers (metro), and NE and CX series cloud backbone routers (backbone).]

• Huawei has all-scenario SRv6 product capabilities and can provide access, metro,
and backbone network routers for carriers and enterprises.
Main Functions of Huawei's CloudWAN Solution

⚫ Huawei's CloudWAN solution mainly provides the following functions:
 Automatic planning and deployment of forwarding paths
 Real-time network performance monitoring and intelligent traffic optimization
 Network slicing for isolated traffic forwarding
 Visualized O&M for quick fault locating

[Figure: the controller provides visualized O&M and automatic path planning through southbound channels to the IP bearer network between the HQ and a branch site; automatic path deployment with a backup path; network slices (low-delay slice and default slice).]
Path Planning and Deployment Overview

⚫ Traditional traffic engineering (MPLS TE) encounters problems such as inaccurate path computation and difficult forwarding path deployment during path planning and deployment.
⚫ To solve the problems of traditional traffic engineering, Huawei's CloudWAN solution uses the SDN controller and SR to optimize path computation and simplify forwarding path deployment.
⚫ SR is used to plan and deploy forwarding paths as follows:
 Devices use BGP-LS to report network topology information to the controller, which then generates forwarding paths based on requirements.
 The controller uses PCEP or BGP SR-Policy to deliver computed paths to devices.
 Target traffic travels along delivered paths.

[Figure: topology PE1, PE2, P1, RR, PE3, PE4. 1. Devices report topology information to the controller through BGP-LS. 2. The network administrator inputs requirements. 3. The controller automatically plans paths. 4. The controller deploys forwarding paths.]

• BGP-LS is a new method of collecting network topology information, which makes topology information collection simpler and more efficient. Using BGP-LS to report topology information has the following advantages:
▫ Requirements on the computing capability of the upper-layer controller are lowered, and there is no requirement on the IGP capability of the controller.
▫ BGP summarizes the topology information of each process or AS and directly sends the complete topology information to the controller, facilitating path selection and calculation.
▫ All topology information on the network is sent to the controller through BGP, unifying the protocols for sending topology information.
• BGP SR-Policy delivers data forwarding path information to the headend through the BGP route. The headend then directs traffic to a specific SR Policy. Segment lists in SR Policies are used to guide traffic forwarding. A segment list is calculated based on a series of optimization objectives and constraints, such as delay, affinity, and SRLG.
• SR Policy is the mainstream SR implementation mode.



Network Performance Monitoring and Optimization

⚫ As networks carry increasingly more enterprise services, they need to meet increasingly higher requirements. As such, a fast, flexible IP network performance measurement tool is required to monitor network performance in a timely manner.
⚫ Huawei's CloudWAN solution uses TWAMP and iFIT to precisely and quickly measure historical and real-time network performance.
⚫ Based on real-time network performance, the controller can optimize the network through PCEP or BGP SR-Policy.

[Figure: topology PE1, PE2, P1, RR, PE3, PE4. 1. TWAMP or iFIT is used to measure network quality. 2. Severe packet loss occurs on links. 3. Devices report network performance data to the controller (SNMP/FTP/Telemetry). 4. The controller optimizes forwarding paths based on network performance. 5. The controller delivers optimized forwarding paths.]

• TWAMP is a standard protocol and can be deployed on IP, MPLS, and L3VPN
networks. TWAMP is easy to obtain and deploy and does not require clock
synchronization.

• iFIT measures the packet loss rate and delay of service packets transmitted on an
IP network to determine network performance. It is easy to deploy and provides
an accurate assessment of network performance.
Network Slicing Overview

⚫ Slice resource reservation technologies, such as FlexE, channelized sub-interface, and QoS queuing, can be used to direct services to respective service slices. These slices are isolated from each other and do not affect each other, providing different SLA levels.
⚫ Slicing is an SLA assurance method in essence. It effectively integrates the network capabilities required by users to form a logical network called "slice".

[Figure: the forwarding pipeline (SQ, GQ, VI, DP, TM, PIC, MAC, PHY) with CS7 and BE queues under the three slicing modes: QoS queuing, channelized sub-interfaces, and FlexE (FlexE clients over a FlexE shim).]

• Channelized sub-interfaces provide a mechanism to isolate different types of services. Different types of service traffic can be forwarded to different VLAN channelized sub-interfaces that use different dot1q encapsulation modes. Each channelized sub-interface can implement independent HQoS scheduling to isolate different types of services.
• FlexE is an Ethernet-based bearer technology for multi-rate sub-interfaces on multiple PHY links. FlexE supports bundling, channelization, and sub-rating.
• SQ: subscriber queue
• GQ: group queue
• VI: virtual interface
• DP: data plane
• TM: traffic manager
• PIC: physical interface card


Financial CloudWAN Scenario

⚫ With the deployment of distributed cloud data centers, the cloud backbone network is elastically expanded by adding core and aggregation nodes to implement interconnection between these data centers. In addition, technologies such as SDN and SRv6 are introduced to implement functions such as intelligent network management and traffic optimization.
 Fast service provisioning, centralized path computation, intelligent path selection
 Intelligent network visualization, enabling real-time awareness of service status
 Evolution to the distributed multi-city multi-center architecture
 Capability openness (the controller provides open southbound and northbound interfaces)

[Figure: data centers A, B, and C in cities A, B, and C are interconnected through DC-PE, DC-P, and WAN-P nodes over the backbone network, with RRs, BR-PEs serving tier-1 branches, and iMaster NCE-IP as the controller.]
Basic Design Overview for the Enterprise Bearer WAN
⚫ Basic design for the enterprise bearer WAN includes physical network design, IP address
planning, and routing design.

[Figure: bearer network of PE, P, and RR nodes annotated with the three design areas: physical network design, IP address planning (e.g. 1.1.1.1/32, 1::1/128), and route design (IS-IS, BGP).]
Physical Network Design for the Enterprise Bearer WAN

1. Physical network design: core layer design, aggregation layer design, access layer design
2. IP address planning: IPv4 address planning, IPv6 address planning, SRv6 locator planning
3. Routing design: IGP routing design, BGP routing design

Core Layer Design


⚫ The core layer, as the backbone of the entire network, aggregates and forwards various service traffic.
When selecting core nodes, consider the following factors:
 Service volume: Consider the current service volume and expected service growth.
 Physical location: Ensure that core nodes are secure, easy to obtain, and easy to maintain, as they are the key
infrastructure of the bearer network.
 Number of nodes: The core layer usually adopts the full-mesh + dual-plane architecture to ensure stability.

[Figure: core layer with nodes in City A, City B, and City C, plus a new site.]

• The service volume involves two aspects. The first is the service flow direction,
that is, where the services concentrate. The second is the service volume size. The
two aspects are complementary to each other. Generally, a greater concentration
indicates a larger service volume. The core nodes must be nodes where services
concentrate and the service volume is large.

• Core nodes in the same city are interconnected through WDM, and core nodes in
different cities are interconnected through inter-provincial or inter-metro carrier
private lines. The number of core nodes must be comprehensively considered and
cannot be too large.
Aggregation Layer Design

⚫ Aggregation layer design must take into account the service types and scale on each aggregation node. In the initial
phase of bearer network planning and construction, the aggregation layer can be planned based on existing
enterprise services. The following three aggregation modes are available:
 Data center aggregation (DC-PE): aggregates traffic from service units that provide services for the HQ in an enterprise. Such service units include data centers and service centers.
 Metro aggregation (MAN-PE): aggregates the metro services of intra-city institutions and affiliated institutions.
 Branch aggregation (BR-PE): aggregates the services of branches, provincial metro institutions, and affiliated institutions.

[Figure: Model 1: data center/service center aggregation: core layer, data center aggregation layer, access layer (data center … service center). Model 2: municipal metro aggregation: core layer, MAN aggregation layer, access layer (intra-city institution … affiliated institution). Model 3: regional branch aggregation: core layer, BR aggregation layer, access layer (regional subsidiary … affiliated institution).]
Access Layer Design Factors

⚫ When designing the access layer, you need to consider factors such as the bandwidth required by access services,
required private lines, and private line prices. Moreover, you need to consider access reliability and traffic load
balancing. For example:
 You can use single-homed networking at the access layer to form dual planes working in active/standby mode. This helps improve network reliability.
 On the active and standby planes, you can load-balance WAN traffic through service planning or routing policies.

[Figure: two access-layer planes, each connected to its own aggregation layer.]
Bearer Network Private Line Selection
⚫ Only a few enterprises have the capability to build their own transmission private lines. Most enterprises need to
purchase transmission private lines from carriers and build their own bearer networks over these transmission
private lines.
⚫ Currently, the transmission private lines provided by carriers are mainly MSTP and OTN private lines:
 MSTP private lines or MPLS VPNs can be used to transmit services from branches to the access layer of the bearer network.
 MSTP private lines can be used between the access and aggregation layers of the bearer network.
 If the aggregation layer and core layer are in different equipment rooms, MSTP/OTN private lines can be used between them.
 MSTP/OTN private lines can be used between core-layer devices. DWDM private lines can also be used between core-layer devices if bare fibers are available.

[Figure: PE, P, P, PE chain with MSTP, bare fiber, and OTN private lines between the devices.]
IP Address Planning Roadmap for the Enterprise Bearer WAN

1. Physical network design: core layer design, aggregation layer design, access layer design
2. IP address planning: IPv4 address planning, IPv6 address planning, SRv6 locator planning
3. Routing design: IGP routing design, BGP routing design
IP Address Planning Overview
⚫ With the development of services, increasingly more networks are deployed as IPv4/IPv6 dual-stack
networks. Dual-stack address planning is essential to dual-stack networks.
⚫ IP address planning is generally classified into the following:
 IPv4 address planning
 IPv6 address planning
 SRv6 locator planning

[Figure: bearer network of PE and P nodes. IPv4 address planning (loopback 1.1.1.1/32, interconnection 10.0.0.0/30, access 100.0.0.0/24); IPv6 address planning (2000::/64, 100::/64); SRv6 locator planning (Locator: FC00::1).]
IPv4 Address Design Rules

⚫ For the convenience of service inheritance and network management, the backbone network retains
interconnection IPv4 addresses. IPv4 address allocation must comply with the existing IPv4 address allocation
specifications of the customer.

IPv4 address design rules:
⚫ Uniqueness
 Hosts on the backbone network must use unique IP addresses. Try to allocate a different address to each host even if they support VPN address overlapping.
⚫ Contiguity
 Routes with contiguous addresses can be easily summarized on a hierarchical network, reducing the routing table size and accelerating route calculation.
⚫ Scalability
 Addresses need to be reserved at each layer to ensure contiguity of addresses when the network is expanded.
⚫ Meaningfulness
 A well-planned IP address denotes the device to which the IP address belongs.

[Figure: IPv4 address allocation range on the bearer WAN (CE, PE, P, PE, CE): PE/CE interconnection address, loopback address of a backbone network device, controller address, and interconnection address of a backbone network device.]
Loopback Address Design Rules

⚫ The loopback address of each router plays an important role in the normal running of the entire network.
Therefore, a unified, dedicated address space must be used for the allocation and management of loopback
addresses on each router.

Loopback address design rules and application scenarios:
 Use 32-bit masks for loopback addresses.
 Allocate loopback addresses based on physical locations and reserve sufficient address space.
 Allocate loopback addresses for the same geographical location by plane. If there are two planes, allocate IP addresses to planes 1 and 2 in sequence.

[Figure: CE, PE, P, PE, CE. Loopback addresses are used for communication between the device and controller, to establish BGP peer relationships between devices, and to establish LDP peer relationships between devices.]
IPv4 Address Planning Suggestions

⚫ It is recommended that the bearer WAN use a dedicated subnet. The allocated addresses include the management
addresses and internal interconnection addresses of devices and access addresses of the bearer network. The
address allocation plan is as follows:
 Internal interconnection addresses: Use a 30-bit mask for IP addresses used for internal interconnection between devices on the bearer network.
 Access addresses: The access-layer device interfaces on the bearer network need to connect to the original network. Therefore, it is recommended that the IP addresses of these interfaces be allocated based on the original planning. For example, use a 29-bit mask for these IP addresses.
 Address allocation sequence: Allocate interconnection addresses in ascending order and loopback addresses in descending order.
 Interconnection between devices of the same layer: Assign an odd address to the device with a smaller number and an even address to the device with a larger number.
 Interconnection between devices at different layers: Assign an odd address to the device close to the network core and an even address to the device far away from the network core.
Typical IPv4 Address Planning

⚫ IPv4 addresses can be planned based on planning suggestions or the customer's planning rules.

[Figure: typical plan for a bearer network CE1/CE2, PE1/PE2, P1/P2, P3/P4, PE3/PE4, CE3/CE4.]
Loopback IP addresses (allocated in descending order): PE1 128.0.0.247/32, PE2 128.0.0.248/32, PE3 128.0.0.249/32, PE4 128.0.0.250/32, P1 128.0.0.251/32, P2 128.0.0.252/32, P3 128.0.0.253/32, P4 128.0.0.254/32.
Interconnection subnets (/30, allocated in ascending order): 128.1.1.0/30 (P1 .1, PE1 .2), 128.1.1.8/30 (P2 .9, PE2 .10), 128.1.1.16/30 (P1 .17, P3 .18), 128.1.1.20/30 (P2 .21, P4 .22), 128.1.1.28/30 (P3 .29, PE3 .30), 128.1.1.32/30 (P4 .33, PE4 .34); the cross links between the PE and P pairs use 128.1.1.4/30, 128.1.1.12/30, 128.1.1.24/30, and 128.1.1.36/30.
Access subnets (/29): 192.168.1.0/29 (CE1 .1, PE1 .7), 192.168.1.8/29 (CE2 .9, PE2 .15), 192.168.1.16/29 (CE3 .17, PE3 .23), 192.168.1.24/29 (CE4 .25, PE4 .31).
Odd IP address for the device with a smaller number and even IP address for the device with a larger number (intra-layer interconnection); odd IP address for the device near the core layer and even IP address for the device far away from the core layer.
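As an added example (not from the Huawei material), the following Python planner applies the allocation rules above (30-bit links allocated in ascending order, loopbacks in descending order, odd/even assignment by device number and by distance from the core) and reproduces the straight links and loopbacks of the typical plan. The address pools (128.1.1.0/24 for links, 128.0.0.240/28 for loopbacks), the link order, the loopback ordering, and the pairing of the cross links are assumptions.

```python
"""Added example, not part of Huawei's course material: an IPv4 address planner
for the bearer-WAN rules on the page.

  * interconnection links get 30-bit masks, allocated in ascending order;
  * loopback addresses (/32) are allocated in descending order;
  * same-layer link: the device with the smaller number gets the odd address;
  * cross-layer link: the device closer to the network core gets the odd address.

Pools, link order and cross-link pairing are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterator, List, Tuple

# Distance from the core: P is the core layer, PE sits one layer further out.
LAYER_RANK = {"P": 0, "PE": 1}


@dataclass(frozen=True)
class Device:
    name: str    # e.g. "PE1"
    layer: str   # "P" or "PE"
    number: int  # numeric suffix, used by the smaller/larger-number rule


def odd_side(a: Device, b: Device) -> Device:
    """Return the endpoint that receives the odd (first) host address of a /30."""
    if a.layer == b.layer:
        # Same layer: odd address to the device with the smaller number.
        return a if a.number < b.number else b
    # Different layers: odd address to the device nearer the network core.
    return a if LAYER_RANK[a.layer] < LAYER_RANK[b.layer] else b


class Ipv4Planner:
    def __init__(self, link_pool: str, loopback_pool: str) -> None:
        # /30 subnets are handed out from the bottom of the pool upwards.
        self._links: Iterator[IPv4Network] = IPv4Network(link_pool).subnets(new_prefix=30)
        # Loopbacks are handed out from the top of the pool downwards.
        self._loopbacks: Iterator[IPv4Address] = reversed(list(IPv4Network(loopback_pool).hosts()))
        self.loopback: Dict[str, IPv4Address] = {}
        self.links: List[Tuple[IPv4Network, Dict[str, IPv4Address]]] = []

    def allocate_loopbacks(self, devices: List[Device]) -> None:
        # Assumed ordering (matches the page's plan): core devices first, larger
        # numbers first, so P4 gets the highest address and PE1 the lowest.
        for dev in sorted(devices, key=lambda d: (LAYER_RANK[d.layer], -d.number)):
            self.loopback[dev.name] = next(self._loopbacks)

    def allocate_link(self, a: Device, b: Device) -> Dict[str, IPv4Address]:
        subnet = next(self._links)
        odd, even = list(subnet.hosts())  # the two usable hosts of a /30
        assert int(odd) % 2 == 1 and int(even) % 2 == 0
        first = odd_side(a, b)
        second = b if first is a else a
        assignment = {first.name: odd, second.name: even}
        self.links.append((subnet, assignment))
        return assignment

    def address_of(self, device: str, peer: str) -> IPv4Address:
        """Interface address of `device` on its link towards `peer`."""
        for _, assignment in self.links:
            if device in assignment and peer in assignment:
                return assignment[device]
        raise KeyError(f"no link between {device} and {peer}")

    def all_addresses(self) -> List[IPv4Address]:
        addrs = list(self.loopback.values())
        for _, assignment in self.links:
            addrs.extend(assignment.values())
        return addrs


def typical_plan() -> Ipv4Planner:
    """Constructed topology of the page's plan: 2 x PE at each edge, 4 x P in the core."""
    pe = {n: Device(f"PE{n}", "PE", n) for n in range(1, 5)}
    p = {n: Device(f"P{n}", "P", n) for n in range(1, 5)}
    plan = Ipv4Planner("128.1.1.0/24", "128.0.0.240/28")
    plan.allocate_loopbacks(list(p.values()) + list(pe.values()))
    # The link order drives the ascending /30 allocation (cross-link pairing assumed).
    for a, b in [(pe[1], p[1]), (pe[1], p[2]), (pe[2], p[2]), (pe[2], p[1]),
                 (p[1], p[3]), (p[2], p[4]),
                 (p[3], pe[4]), (p[3], pe[3]), (p[4], pe[4]), (p[4], pe[3])]:
        plan.allocate_link(a, b)
    return plan


if __name__ == "__main__":
    plan = typical_plan()
    for name, lo in plan.loopback.items():
        print(f"{name:4} LoopBack0 {lo}/32")
    for subnet, assignment in plan.links:
        print(subnet, assignment)
    # Uniqueness rule from the design rules: no address may be assigned twice.
    assert len(set(plan.all_addresses())) == len(plan.all_addresses())
```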
IPv6 Address Planning Requirements and Rules

Requirements: number of required addresses; address types for filtering/ACL; routing domains on the network and where route summarization is performed.
Planning rules: uniformity, uniqueness, hierarchy, security, contiguity, scalability.

[Figure: CE, PE, P, PE, CE with an interconnection address such as 2000:EAB8:2203:5505::1/127.]

• Uniformity: All IP addresses on the entire network are planned in a unified manner, including service addresses, platform addresses, and network addresses.
• Uniqueness: Each address is unique throughout the entire network.
• Hierarchy: The massive IPv6 address space poses higher requirements on the route summarization capability. The primary task of IPv6 address planning is to reduce network address fragments, enhance the route summarization capability, and improve the network routing efficiency.
• Security: Services with shared attributes have the same security requirements. Mutual access between services needs to be controlled. Services with shared attributes are allocated with addresses in the same address space, which facilitates security design and policy management.
• Contiguity: IPv6 addresses in an IPv6 address segment must be contiguous to prevent address waste.
• Scalability: IP addresses must be planned and allocated based on network development requirements to reserve space for future capacity expansion. The addition of a small number of subnets does not require large-scale architecture or policy adjustment.

Structured IPv6 Address Planning

⚫ Structured planning: The massive IPv6 address space poses higher requirements on the route summarization capability. Hierarchical IPv6 address allocation is recommended, which helps reduce the sizes of routing tables through route summarization. In addition, the subnet field of an IPv6 address can be divided into several independent fields to make the address more readable. (If possible, it is recommended that the subnet field be divided in 4-bit units.) The following is a planning example:

[Figure: address layout] Fixed Prefix (N bits) | Network Type (4 bits) | Allocatable Address Block (64 - 4 - N bits) | Host Address (64 bits)

⚫ Fixed Prefix: indicates the fixed prefix applied for.
⚫ Network Type: indicates the type of a network. For example, 0 indicates a backbone network, 1 indicates a data center, and 2 to F are reserved.

IPv6 Address Planning Suggestions

⚫ The user-defined part of an IPv6 address needs to be planned based on its summarization characteristics. Fields that are easy to summarize, such as the address space and area, should be placed in the left-most part. Excessive layering results in strong coupling between services and address planning, which hinders subsequent service development and reduces address space utilization. Therefore, you need to determine the number of fields based on site requirements.

[Figure: address layout] Fixed Prefix (N bits) | Attribute ID (4 bits) | Network Type (4 bits) | Address Type (4 bits) | Area ID (4 bits) | Allocatable Address Block (64 - 16 - N bits) | Host Address (64 bits)

⚫ Fixed Prefix: indicates a fixed-length prefix applied for by an enterprise from an address allocation organization.
⚫ Subnet:
 Attribute ID: is used to distinguish address types. It is used for level-1 address classification.
 Network Type: identifies the type of a network.
 Address Type: identifies the type of an address on the network.
 Area ID: identifies an area on the network.
 Allocatable Address Block: is reserved for future address allocation.
⚫ Interface Address: indicates the last 64 bits of an IPv6 address. It is equivalent to the host ID in an IPv4 address.
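To make the layout above concrete, the following Python module (an added example, not code from the training material) encodes the four 4-bit fields into a /64, decodes them back, and derives the aggregate that covers every subnet sharing the leading fields. It assumes a /32 fixed prefix, 2001:db8::/32, so the allocatable block is 64 - 16 - 32 = 16 bits; the field values used are made up.

```python
import ipaddress

# Assumed fixed prefix (the allocation an enterprise obtained from its registry);
# the slide leaves its length as "N bits".
FIXED_PREFIX = ipaddress.IPv6Network("2001:db8::/32")
N = FIXED_PREFIX.prefixlen
BLOCK_BITS = 64 - 16 - N          # "Allocatable Address Block" width from the layout above
FIELDS = ("attribute_id", "network_type", "address_type", "area_id")   # four 4-bit fields, left to right


def build_subnet(attribute_id, network_type, address_type, area_id, block=0):
    """Return the /64 subnet for the given field values (the interface ID is left to the host)."""
    for name, val in zip(FIELDS, (attribute_id, network_type, address_type, area_id)):
        if not 0 <= val <= 0xF:
            raise ValueError(f"{name} must fit in 4 bits, got {val:#x}")
    if not 0 <= block < (1 << BLOCK_BITS):
        raise ValueError(f"block must fit in {BLOCK_BITS} bits")
    subnet_id = (attribute_id << 12) | (network_type << 8) | (address_type << 4) | area_id
    value = (int(FIXED_PREFIX.network_address)
             | (subnet_id << (64 + BLOCK_BITS))     # the 16 field bits sit right after the fixed prefix
             | (block << 64))
    return ipaddress.IPv6Network((value, 64))


def decode_subnet(subnet):
    """Recover the planning fields from a /64 inside the fixed prefix."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64 or not net.subnet_of(FIXED_PREFIX):
        raise ValueError(f"{subnet} is not a /64 under {FIXED_PREFIX}")
    high = int(net.network_address) >> 64
    block = high & ((1 << BLOCK_BITS) - 1)
    subnet_id = (high >> BLOCK_BITS) & 0xFFFF
    return {
        "attribute_id": subnet_id >> 12,
        "network_type": (subnet_id >> 8) & 0xF,
        "address_type": (subnet_id >> 4) & 0xF,
        "area_id": subnet_id & 0xF,
        "block": block,
    }


def summary_prefix(attribute_id, network_type=None, address_type=None, area_id=None):
    """Aggregate covering every subnet whose leading fields match.

    Fields must be fixed from the left without gaps: that is why the slide puts the
    easiest-to-summarize fields left-most. Fixing only area_id would give a set of
    subnets that is not contiguous and has no single summary route.
    """
    given = (attribute_id, network_type, address_type, area_id)
    value, fixed = 0, 0
    for val in given:
        if val is None:
            break
        if not 0 <= val <= 0xF:
            raise ValueError(f"field value {val:#x} does not fit in 4 bits")
        value = (value << 4) | val
        fixed += 1
    if any(v is not None for v in given[fixed:]):
        raise ValueError("fields must be fixed left to right without gaps")
    plen = N + 4 * fixed
    addr = int(FIXED_PREFIX.network_address) | (value << (128 - plen))
    return ipaddress.IPv6Network((addr, plen))
```

summary_prefix also yields the prefix an ACL or route policy would match to treat all services sharing an attribute as one security zone, which is the Security rule above; decode_subnet is the check to run over an inventory export to catch subnets that were assigned outside the scheme.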

Typical IPv6 Address Planning

⚫ IPv6 addresses can be planned based on the planning suggestions or the customer's planning rules.

Address formats used in the figure:
 IPv6 interconnection address: 2001::1:1:101:100:0/127, with the fields fixed prefix (2001), area (1), address use (1), interconnection link (101), interconnection device (100), followed by 0.
 IPv6 loopback address: 2001::1:100:0:0/128, with the fields fixed prefix (2001), area (1), device (100), followed by 0:0.

[Figure: the same dual-plane bearer network. Loopback0 addresses: PE1 2001::1:100:0:0/128, P1 2001::1:300:0:0/128, P3 2001::2:300:0:0/128, PE3 2001::2:100:0:0/128, PE2 2001::1:200:0:0/128, P2 2001::1:400:0:0/128, P4 2001::2:400:0:0/128, PE4 2001::2:200:0:0/128. Interconnection links are /127 with interface IDs 0 and 1: upper plane 2001::1:1:103:100:0/127, 2001::1:102:303:100:0/127, 2001::1:2:103:100:0/127; lower plane 2001::1:1:204:300:0/127, 2001::1:102:404:200:0/127, 2001::1:2:204:300:0/127; inter-plane links 2001::1:1:102:200:0/127, 2001::1:1:304:400:0/127, 2001::1:2:304:400:0/127, 2001::1:2:102:200:0/127.]

SRv6 SID Overview

⚫ An SRv6 SID usually consists of three fields: Locator, Function, and Arguments. The SRv6 SID is expressed in the Locator:Function:Arguments format. Note that the total length (Locator + Function + Arguments) is less than or equal to 128 bits. If the total length is less than 128 bits, the remaining bits are padded with 0s.
⚫ If the Arguments field does not exist, the format is Locator:Function. The Locator field occupies the most significant bits of an IPv6 address, and the Function field occupies the remaining part of the IPv6 address.

[Figure: an SRv6 packet is an IPv6 header, followed by the SRH (IPv6 extension header) carrying 128-bit segments, followed by the IPv6 payload. An SRv6 segment in IPv6 address format is Locator | Function | Arguments; within the address the layout is |--Locator--|--Dynamic Opcode--|--Static Opcode--|--Args--|, that is, the dynamic opcode range occupies the more significant part of the Function field and the static opcode range the less significant part.]

• The locator is an IPv6 network segment. All IPv6 addresses in this network
segment can be allocated as SRv6 SIDs. After a locator is configured for a node,
the system generates a locator route. The node can be located based on the
locator route. In addition, all SIDs advertised by the node can reach the node
through the locator route.

• The Function field is also called opcode, which can be dynamically allocated using
an IGP or statically configured using the opcode command. When configuring a
locator, you can use the static static-length parameter to specify the length of
the static segment, which determines the number of static opcodes that can be
configured in the locator. When an IGP dynamically allocates opcodes, it applies
for opcodes outside of the static segment range to ensure that SRv6 SIDs do not
conflict.
• The Args field is determined by the args args-length parameter. The Args field is
optional in SRv6 SIDs and is determined by the command configuration.

SRv6 Locator Overview


⚫ The Locator field identifies the location of a network node, and is used for other nodes to route and forward
packets to this identified node so as to implement network instruction addressing.
⚫ A locator has two important characteristics: routable and aggregatable. After a locator value is configured for a
node, the system generates a locator route and propagates the route throughout the SR domain using an IGP. A
device advertising a locator route can be located by other devices on the same network based on the received
locator route information, and all the SRv6 SIDs advertised by the device can be reached over the route.
⚫ It is recommended that the same mask be used for the locators of all NEs on the entire network. After the mask is
set, locators can be allocated in ascending order for the core, aggregation, and access layers in sequence.

[Figure: a 128-bit SRv6 SID is Locator (an IPv6 prefix) | Function | Arguments.]

SRv6 Locator Planning Suggestions

⚫ SRv6 locator addresses are allocated from the IPv6 host address field. Hierarchical address allocation and reserving some address space for future expansion are recommended. An example is provided as follows:

[Figure: SID layout, 128 bits. Locator (88 bits) = Fixed prefix (N bits) | Subnet (8 bits) | Reserved (8 bits) | Site ID (8 bits) | Node ID; followed by Function (28 bits: a 1-bit Dynamic/Static flag and the opcode, e.g. End, End.X, End.DT) | Args (12 bits). For compatibility with future SID compression, keep the compressible part within 32 bits; exactly 32 bits is recommended.]

⚫ Site ID: uniquely identifies a site.
⚫ Node ID: uniquely identifies a device at a site.
⚫ Function: indicates the Function field in an SRv6 SID.
 Dynamic/Static: indicates whether a SID is a dynamic or static SID. 0 indicates a static SID (it is recommended that the End, End.X, and OAM-related SIDs be statically allocated). 1 indicates a dynamic SID (if many VPNs exist or VPNs change frequently, it is recommended that service SIDs, such as End.DT SIDs, be dynamically allocated).
 End/End.X, etc.: indicates the type of a SID. 0x000[1-F] indicates an End SID, and 0x1[peer site ID]X indicates an End.X SID.
⚫ Args: indicates the parameter field in an SRv6 SID.

• End.DT SIDs can be classified into End.DT4 SIDs and End.DT6 SIDs.
▫ An End.DT4 SID (PE endpoint SID) identifies an IPv4 VPN instance on a network.
▫ An End.DT6 SID (PE endpoint SID) identifies an IPv6 VPN instance on a network.
• In SRv6, End.OP SIDs are used to implement operation, administration and maintenance (OAM).
▫ End.OP SIDs are mainly used in ping/tracert scenarios.
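Below is an added Python model (not code from the training material) of a locator configured with the parameters used in these figures: an 88-bit locator, static opcode length 27 and args length 12, so the Function field is 128 - 88 - 12 = 28 bits and its most significant bit separates the static range (1 to 2^27 - 1) from the range the IGP allocates dynamically, matching the 0 = static / 1 = dynamic convention above. The prefix 2001::2:1:100:0:0 and the opcodes are assumptions of the example: with an 88-bit locator only the high byte of the sixth 16-bit group lies inside the locator, so the example places the device number there, and the constructor rejects a prefix such as 2001::2:1:1:0:0/88 whose set bits would fall into the Function field.

```python
import ipaddress


class Srv6Locator:
    """Locator as configured by 'locator ... ipv6-prefix <prefix> <len> static <n> args <m>'.

    SID layout (Locator:Function:Arguments):
      |<-- locator_len -->|<-- func_len = 128 - locator_len - args_len -->|<-- args_len -->|
    Static opcodes occupy the low static_len bits of the Function field; dynamic opcodes
    are allocated above that range, so the two can never collide.
    """

    def __init__(self, prefix, locator_len=88, static_len=27, args_len=12):
        self.locator_len, self.args_len = locator_len, args_len
        self.func_len = 128 - locator_len - args_len
        if self.func_len <= 0 or not 0 < static_len <= self.func_len:
            raise ValueError("locator, static and args lengths do not fit in 128 bits")
        addr = ipaddress.IPv6Address(prefix)
        self.net = ipaddress.IPv6Network(f"{prefix}/{locator_len}", strict=False)
        if addr != self.net.network_address:
            raise ValueError(f"{prefix} has bits set beyond /{locator_len}; "
                             "they would land in the Function field")
        self.static_len = static_len
        self.static_max = (1 << static_len) - 1      # highest static opcode
        self.func_max = (1 << self.func_len) - 1     # highest opcode of any kind
        self._next_dynamic = self.static_max + 1     # first opcode the IGP may hand out

    def _build(self, opcode, args):
        if not 0 < opcode <= self.func_max:
            raise ValueError(f"opcode {opcode:#x} does not fit in {self.func_len} bits")
        if not 0 <= args < (1 << self.args_len):
            raise ValueError(f"args {args:#x} does not fit in {self.args_len} bits")
        return ipaddress.IPv6Address(
            int(self.net.network_address) | (opcode << self.args_len) | args)

    def static_sid(self, opcode, args=0):
        """SID with an operator-chosen opcode (End, End.X, End.OP in the plan above)."""
        if not 1 <= opcode <= self.static_max:
            raise ValueError(f"opcode {opcode:#x} outside static segment 1..{self.static_max:#x}")
        return self._build(opcode, args)

    def dynamic_sid(self, args=0):
        """SID with the next dynamically allocated opcode (e.g. an End.DT4/End.DT6 service SID)."""
        if self._next_dynamic > self.func_max:
            raise RuntimeError("dynamic opcode space exhausted")
        opcode, self._next_dynamic = self._next_dynamic, self._next_dynamic + 1
        return self._build(opcode, args)

    def parse(self, sid):
        """Split a SID back into its fields and report which segment the opcode came from."""
        addr = ipaddress.IPv6Address(sid)
        if addr not in self.net:
            raise ValueError(f"{sid} is not covered by locator {self.net}")
        value = int(addr)
        opcode = (value >> self.args_len) & self.func_max
        return {
            "locator": str(self.net),
            "opcode": opcode,
            "segment": "static" if opcode <= self.static_max else "dynamic",
            "args": value & ((1 << self.args_len) - 1),
        }
```

parse is the check to run against a device's advertised SIDs: a SID that falls outside its own locator, or a "static" SID whose opcode sits in the dynamic range, indicates a planning or configuration error before it becomes a forwarding one.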



Typical SRv6 Locator Planning

⚫ In SRv6 locator planning, it is recommended that the locator length not exceed 88 bits. Moreover, try to statically configure SRv6 SIDs, so that SRv6 SIDs remain unchanged after devices go online again. This facilitates management.

Locator format used in the figure: SRv6 Locator 2001::2:2:1:0:0 88 static 27 args 12, read as the fixed prefix (2001) followed by the area, address use, and device number fields, then the locator length (88), the static opcode length (27), and the args length (12).

[Figure: the same dual-plane bearer network. Locators: PE1 2001::2:1:1:0:0 88 static 27 args 12; PE2 2001::2:1:4:0:0 88 static 27 args 12; PE3 2001::2:2:3:0:0 88 static 27 args 12; PE4 2001::2:2:2:0:0 88 static 27 args 12.]
Routing Design Roadmap for the Enterprise Bearer WAN

1. Physical network design: core layer design, aggregation layer design, access layer design
2. IP address planning: IPv4 address planning, IPv6 address planning, SRv6 locator planning
3. Routing design: IGP routing design, BGP routing design
Routing Design Overview
⚫ Routing protocols are generally classified into IGPs and BGP. These two types of protocols have different functions and therefore are designed for different purposes.
⚫ Routing design can be classified into the following types:
 IGP routing design
 BGP routing design

[Figure: BGP routing design covers the BGP sessions among CE, PE, P/RR, PE, and CE across the bearer network; IGP routing design covers IS-IS on the PE - P/RR - PE links inside the bearer network.]

IGP Overview
⚫ On a bearer WAN, an IGP functions as a basic support protocol to collect and flood Layer 3 topology information on the entire network, and works with protocols such as TWAMP and iFIT to collect network status information, such as link delay.
⚫ Generally, OSPF or IS-IS can be used on the backbone network for route reachability. However, the application scenarios of the two protocols differ to some extent.

Comparison of IS-IS and OSPF:
 Network scale: IS-IS, large; OSPF, small. Remarks: some devices support a maximum of 4K IS-IS routes and a maximum of 2K OSPF routes in a single area (with a single level).
 IPv6 support: IS-IS, TLV-based packets are used, and no extra protocol needs to be independently deployed; OSPF, OSPFv3 needs to be independently deployed. Remarks: when OSPF supports both IPv4 and IPv6, OSPFv2 and OSPFv3 neighbor relationships need to be configured separately, and the exchange of large numbers of protocol packets consumes a lot of resources.
 SRv6 support: IS-IS, related standards or drafts are available; OSPF, related standards or drafts are available. Remarks: the standardization process of OSPF lags behind that of IS-IS in terms of SRv6 support, and not all vendors support SRv6-oriented OSPF extensions.
 SR-MPLS support: IS-IS, supported, and the related functions are complete; OSPF, supported, and the related functions are basically complete.

IGP Route Planning

⚫ Compared with OSPF, IS-IS supports SR-MPLS/SRv6 in a more comprehensive and scalable manner. Considering network expansion brought by enterprise service growth, large enterprise bearer networks generally start with IS-IS. Therefore, it is recommended that IS-IS be preferentially used as the IGP for bearer networks.

[Figure: CE - PE - P/RR - PE - CE dual-plane bearer network; all PE-P links inside the bearer network are in IS-IS level 2 (L2).]

IS-IS: One IS-IS process is configured on the entire network, and an IS-IS level-2 area is configured in E2E mode.

• It is recommended that some IGP parameters be set as follows:
▫ IGP process ID: It is recommended that the IS-IS or OSPF process ID of a device on the backbone network be the same as the BGP AS number.
▫ IS-IS NET: The recommended format is aa.bbbb.cccc.dddd.00. The loopback0 address of the device is used for NET derivation. For example, if the loopback0 address is 21.231.232.1, then the derived NET is 21.0231.0232.0001.00.
▫ OSPF router ID: The global router ID is used. Generally, the router ID is the same as the loopback0 address.
▫ Interface type: To speed up convergence, all interfaces are of the P2P type.
▫ Route advertisement: The IGP is mainly used to ensure the reachability of internal addresses on the WAN. Therefore, the IGP advertises only interconnection interface addresses and device management addresses.
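The NET derivation and the single-process, single-area rule above, as an added Python example (not code from the training material). It derives the NET from loopback0 as the slide does, inverts the mapping for audits, and checks a whole plan: NETs must be unique and every device must land in the same area. The AS number 65000 and the device names are assumptions; one caveat the derivation implies is that the two-digit area field only holds a first octet of 99 or less, so the check rejects loopbacks such as 128.x.x.x.

```python
import ipaddress
import re

NET_FORMAT = re.compile(r"^\d{2}\.\d{4}\.\d{4}\.\d{4}\.00$")   # aa.bbbb.cccc.dddd.00


def net_from_loopback(loopback0):
    """Derive the NET as on the slide: area = first octet, system ID = the other three
    octets, each zero-padded to four digits, NSEL 00."""
    o = ipaddress.IPv4Address(loopback0).packed        # validates the address, yields 4 octets
    if o[0] > 99:
        raise ValueError(f"first octet {o[0]} does not fit the two-digit area field aa")
    return f"{o[0]:02d}.{o[1]:04d}.{o[2]:04d}.{o[3]:04d}.00"


def loopback_from_net(net):
    """Inverse mapping, used when auditing a configured NET against loopback0."""
    if not NET_FORMAT.match(net):
        raise ValueError(f"{net} is not in aa.bbbb.cccc.dddd.00 form")
    area, b, c, d, _ = net.split(".")
    return f"{int(area)}.{int(b)}.{int(c)}.{int(d)}"


def igp_parameters(as_number, loopback0):
    """IGP parameters for one backbone device, following the recommendations above."""
    return {"process_id": as_number, "net": net_from_loopback(loopback0), "router_id": loopback0}


def check_plan(as_number, loopbacks):
    """One IS-IS process and one level-2 area for the whole backbone: every NET unique and
    the derived area identical on every device. Returns the per-device parameters."""
    plan = {name: igp_parameters(as_number, lo) for name, lo in loopbacks.items()}
    nets = [p["net"] for p in plan.values()]
    if len(set(nets)) != len(nets):
        raise ValueError("duplicate NET: two devices share a loopback0 address")
    areas = {p["net"].split(".")[0] for p in plan.values()}
    if len(areas) > 1:
        raise ValueError(f"loopback0 first octets differ, so devices would fall into "
                         f"different IS-IS areas: {sorted(areas)}")
    return plan
```

The digits of the system ID are written as decimal but read by IS-IS as hexadecimal; that is harmless because the mapping from loopback to NET stays one-to-one, which is all the uniqueness rule needs.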

IGP Metric Planning

⚫ The bearer network transmits different types of service traffic. When deploying an IGP on the bearer network, plan route metrics properly to maximize bandwidth utilization, improve service quality, and ensure service reliability.
⚫ IGP metric design rules:
 Ensure that the metric of access-layer links is lower than that of aggregation-layer links.
 Ensure that the metric of aggregation-layer links is lower than that of core-layer links.
 Ensure that the metric of links between data centers is lower than that of WAN links between branches and data centers.
 Ensure that inter-plane traffic between data centers preferentially crosses planes through core nodes.
 If a standalone RR is deployed, set the metric of the link between the RR and the core P to the maximum value (the RR only reflects routing information and does not forward data).

IGP Metric Planning Suggestions

[Figure: IGP metric planning example (IGP: IS-IS/OSPF). Data center A and data center B attach to the bearer network through CE-PE pairs on both planes; the PE-P links at the data centers carry metric 10, the WAN links toward the enterprise branch PE carry metric 200, the remaining aggregation and access links carry metrics 10 and 20, and the RRs attach to the core Ps.]

Overall BGP Planning

⚫ After an enterprise bearer WAN is used to carry services that used to be carried by multiple networks, it needs to use BGP/MPLS IP VPN to isolate these services.
⚫ Generally, IBGP runs on the bearer network, and EBGP runs between the bearer network and other ASs (such as data centers and enterprise branches). PEs use BGP policies to control the transmission of VPN routes between ASs, achieving fine-grained access control.
⚫ If a controller is deployed on the bearer WAN, BGP-LS must be deployed between the controller and the RR.

[Figure: two data centers and two enterprise branches, each attached to the bearer network through CE-PE EBGP sessions; an RR inside the bearer network reflects IBGP routes, and the controller peers with the RR over BGP-LS.]

• In BGP peer relationship establishment, IBGP peer relationships are established using Loopback0 addresses, and EBGP peer relationships are established using interface addresses.
• AS: The bearer WAN can be classified as an independent AS.
• IBGP: PEs use loopback addresses to establish IBGP peer relationships with all RRs and use MP-IBGP to exchange VPN routes.
• EBGP: PEs use interface IP addresses to establish EBGP peer relationships with CEs. In inter-AS VPN route exchange scenarios, Option A is generally used.
• BGP-LS: The controller establishes BGP-LS peer relationships with all RRs to collect logical topology information on the backbone network.
• Deploy independent RRs and establish IBGP peer relationships for RRs on the backbone network.
• In addition to EBGP, IGPs such as OSPF, IS-IS, and RIP can also be used between PEs and CEs on the bearer network. Static routes can also be used to meet the requirements of flexible access in various scenarios.

BGP AS Planning
⚫ An enterprise network usually uses a private AS number ranging from 64512 to 65534 during BGP deployment.
⚫ It is recommended that one AS be deployed as the high-speed forwarding core of the entire bearer network, that independent ASs be deployed for data centers and enterprise branches in different regions, and that EBGP peer relationships be established between these ASs and the bearer network AS.

[Figure: the bearer network is AS 65000; the data centers are AS 65001 and AS 65002, and the enterprise branches are AS 65003 and AS 65004. Each data center or branch CE establishes an EBGP peer relationship with its PE in AS 65000; RRs inside AS 65000 reflect IBGP routes.]

BGP Route Control Planning

⚫ To ensure network reliability, dual planes working in active/standby mode are generally deployed on the bearer network.
⚫ Route control is required to ensure that the active plane carries traffic in normal cases, and the standby plane takes over traffic when the active plane fails.
 Generally, community attributes are added to routes between CEs and PEs, and the MED values of specific routes are changed based on community attributes.
 Generally, PEs and RRs change the MED values of specific routes based on community attributes.
 Changing the MED values of specific routes ensures that traffic is sent from the local PE on the active plane to the remote PE on the active plane in normal cases.

[Figure: data center CE1 and CE2 attach to PE1 (plane A, active) and PE2 (plane B, standby); enterprise branch CE3 and CE4 attach to PE3 (plane A) and PE4 (plane B); an RR reflects routes between the PEs. Policies shown in the figure: configure bidirectional route import between CEs; configure each PE to add a community attribute to routes received from the CE; configure PEs to change the MED value of routes received from the RR so that traffic is forwarded on the same plane; configure the active-plane PE to increase the MED value of a route by 10 before advertising the route to the CE; configure the standby-plane PE to increase the MED value of a route by 20 before advertising the route to the CE.]

• PE3 changes the MED value to 100 for the route whose next hop is PE1 (a PE on the same plane) and changes the MED value to 200 for the route whose next hop is PE2 (a PE on a different plane).
• PE4 changes the MED value to 100 for the route whose next hop is PE2 (a PE on the same plane) and changes the MED value to 200 for the route whose next hop is PE1 (a PE on a different plane).
• If PE1 and PE2 on the left learn the same VPN route and advertise the route to PE3 and PE4 on the right through the RR, PE3 and PE4 preferentially select the VPN route on the same plane as them. After the route is advertised to the CE, traffic from the CE preferentially travels along the route advertised by PE3 (because the MED value of the route advertised by PE3 is only increased by 10).
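The MED scheme above, simulated in Python as an added example (not code from the training material). Community values, the prefix and the device roles are assumptions; BGP best-path selection is reduced to the MED comparison, since local preference, AS path and origin are equal for routes reflected by the same RR. The simulation covers normal operation, the loss of the active-plane ingress PE, and the loss of an egress PE.

```python
from dataclasses import dataclass, replace

# Assumed values: the slide names the planes and the +10/+20 MED steps, not the
# community values.
PLANE_COMMUNITY = {"A": "65000:100", "B": "65000:200"}
INGRESS_PE_PLANE = {"PE1": "A", "PE2": "B"}      # data-center side PEs
EGRESS_PE_PLANE = {"PE3": "A", "PE4": "B"}       # enterprise-branch side PEs
MED_SAME_PLANE, MED_OTHER_PLANE = 100, 200       # set when importing from the RR
CE_EXPORT_MED_STEP = {"A": 10, "B": 20}          # added when advertising to the CE


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str        # BGP next hop: the PE that advertised the route
    community: str
    med: int = 0


def ingress_pe_import(pe, prefix):
    """Ingress PE receives the prefix from its CE and tags it with its plane's community."""
    return Route(prefix, next_hop=pe, community=PLANE_COMMUNITY[INGRESS_PE_PLANE[pe]])


def egress_pe_import(pe, reflected):
    """Import policy on the egress PE: MED 100 for a same-plane next hop, 200 otherwise."""
    mine = PLANE_COMMUNITY[EGRESS_PE_PLANE[pe]]
    return [replace(r, med=MED_SAME_PLANE if r.community == mine else MED_OTHER_PLANE)
            for r in reflected]


def best_path(routes):
    """BGP selection reduced to the step that decides here: lowest MED wins.

    Local preference, AS path length and origin are identical for these routes.
    """
    return min(routes, key=lambda r: r.med) if routes else None


def egress_pe_export(pe, route):
    """Advertise the selected route to the CE with the plane-specific MED increment."""
    return replace(route, next_hop=pe, med=route.med + CE_EXPORT_MED_STEP[EGRESS_PE_PLANE[pe]])


def branch_ce_choice(prefix, live_ingress_pes, live_egress_pes=tuple(EGRESS_PE_PLANE)):
    """Whole chain: data-center CE -> ingress PEs -> RR -> egress PEs -> branch CE.

    Returns (PE the branch CE forwards to, MED it saw), or None if no path survived.
    """
    reflected = [ingress_pe_import(pe, prefix) for pe in live_ingress_pes]   # the RR reflects unchanged
    offers = []
    for pe in live_egress_pes:
        best = best_path(egress_pe_import(pe, reflected))
        if best is not None:
            offers.append(egress_pe_export(pe, best))
    chosen = best_path(offers)
    return (chosen.next_hop, chosen.med) if chosen else None
```

The CE compares the MEDs from PE3 and PE4 because both sit in the same neighboring AS, the bearer AS; with paths from different ASs the comparison would need the always-compare-MED behaviour to be enabled. When PE1 withdraws, PE3 re-selects the PE2 path at MED 200 and advertises 210, so the CE moves to PE4 at 120 with no change on the CE itself.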

Design for BGP Routing Loop Prevention and Sub-optimal Route Prevention

⚫ Generally, data center networks and branch networks do not run BGP. Their IGPs need to import routes learned by EBGP.
⚫ When an IGP imports EBGP routes, it needs to add a tag to the routes, so that a BGP peer can filter out the routes that originally came from BGP, based on the tag, when it imports local IGP routes back into BGP.

[Figure: a data center or enterprise branch with CE1 and CE2 attached to PE1 (plane A, active) and PE2 (plane B, standby). The IGP adds a tag to imported BGP routes; BGP filters out tagged routes when importing IGP routes.]
Contents

1. Current Situation and Challenges of the Enterprise Bearer WAN

2. Huawei CloudWAN Solution Overview

3. Basic Design for the Enterprise Bearer WAN

4. Tunnel and VPN Design for the Enterprise Bearer WAN

5. SLA and Reliability Design for the Enterprise Bearer WAN

6. Optimization and O&M Design for the Enterprise Bearer WAN

Tunnel and VPN Design Overview for the Enterprise Bearer WAN

⚫ Enterprises usually use VPN to isolate services and SR to establish tunnels for traffic optimization and path planning.
⚫ VPN traffic is carried over tunnels to isolate enterprise services while ensuring service quality.

[Figure: HQ and branch sites connected over the IP bearer network; VPN design covers the sites, and tunnel design covers the primary and backup tunnels across the bearer network.]
Tunnel Design Roadmap for the Enterprise Bearer WAN

1. Tunnel design: basic tunnel concepts, SR-MPLS tunnel planning, SRv6 tunnel planning
2. VPN design: VPN classification, VPN type selection

Tunneling Technology Overview

⚫ Tunneling uses one protocol to encapsulate the packets of another protocol, and the carrier protocol itself can in turn be encapsulated or carried by other protocols.
⚫ For example, BGP/MPLS IP VPN commonly used on enterprise networks uses MPLS LDP or MPLS TE tunnels to carry VPN services.

[Figure: VPN1 site A and VPN2 site A reach VPN1 site B and VPN2 site B across the bearer network; MPLS LDP or MPLS TE is used to establish the MPLS tunnels, with an MPLS LDP tunnel and an MPLS TE tunnel shown.]

Issues with MPLS LDP and RSVP-TE

[Figure: R1, R2, R3, and R4 running MPLS LDP on the left and RSVP-TE on the right.]

MPLS LDP:
• LDP itself does not have the path computation capability and requires an IGP for path computation.
• Both the IGP and LDP need to be deployed for the control plane, and devices need to exchange a large number of packets to maintain neighbor relationships and path states, wasting link bandwidth and device resources.
• If LDP-IGP synchronization is not achieved, data forwarding may fail.

RSVP-TE:
• RSVP-TE is complex to configure and does not support load balancing.
• To implement TE, devices need to exchange a large number of RSVP packets to maintain neighbor relationships and path states, wasting link bandwidth and device resources.
• RSVP-TE uses a distributed architecture, so that each device only knows its own state and needs to exchange signaling packets with other devices.

• MPLS is a tunneling technology that guides data forwarding in essence and has
complete tunnel creation, management, and maintenance mechanisms. The
preceding mechanisms are driven by network operation and management
requirements, not by applications.

Solution Provided by SR

⚫ Simplifying protocols and extending existing protocols
 The extended IGP/BGP supports label distribution. Therefore, LDP is not required on the network, achieving protocol simplification. In addition, devices require only software upgrades instead of hardware replacement, protecting investments on the live network.
 The source routing mechanism is introduced. The forwarding policy is instantiated into a segment list on the ingress to control the forwarding path of service traffic.
⚫ Enabling networks to be defined by services
 After an application raises requirements (e.g. delay, bandwidth, and packet loss rate), the controller collects information (e.g. network topology, bandwidth usage, and delay) and computes an explicit path according to the requirements.

[Figure: a controller above R1, R2, R3, and R4, which run IGP/BGP; the controller realizes the service-defined network.]

SR-MPLS Classification

SR-MPLS BE: The IGP is used to distribute labels, and LDP is not required.
• An extended IGP has the label distribution capability. An LSDB can be formed based on the SRGB, prefix SID, link state, and other information distributed through the IGP, and the SPF algorithm can be used to compute the shortest forwarding paths based on labels. Therefore, LDP is no longer required on the network.
• Because only the IGP/BGP is used, the network does not have traffic blackholes and does not need to maintain LDP peer relationships.

SR-MPLS Policy: RSVP-TE is no longer needed, simplifying the configuration. Moreover, load balancing and strict explicit paths are supported.
• Extended BGP/IGP sends the LSDB that carries label information to the controller, which then globally computes paths. There is no need to use RSVP-TE packets to apply for paths or maintain path status.
• Node SIDs and adjacency SIDs are used to implement load balancing and strict explicit paths.
• Path computation and service delivery are performed by the controller, simplifying configuration.

[Figure: R1 to R4 each hold an LSDB; in the SR-MPLS Policy case the LSDB is also reported to a controller.]

SR-MPLS-based VPN Traffic Transmission

[Figure: VPN1 site A (CE1) to VPN1 site B (CE2) across the SR domain PE1 - P1 - P2 - PE2.
SR-MPLS BE-based VPN traffic transmission: each hop carries an outer public network label over the inner VPN label 1024: 1036/1024 from PE1 to P1, 1031/1024 from P1 to P2, and 1036/1024 from P2 to PE2.
SR-MPLS Policy-based VPN traffic transmission: P1 has node SID 16001 and P2 has node SID 16002. PE1 pushes the segment list 16001, 16002 over the VPN label 1024; P1 pops 16001 and forwards 16002/1024; P2 pops 16002 and forwards 1024 to PE2.]

• The process of forwarding VPN traffic based on SR-MPLS BE is similar to the process of forwarding BGP/MPLS IP VPN traffic based on LDP.
▫ After PE1 receives a VPN packet from CE1, PE1 searches the routing table and pushes two layers of labels into the packet. The outer label is a public network label, and the inner label is a private network label.
▫ PE1 then sends the packet to P1, which swaps the outer label of the packet based on the SR-MPLS BE tunnel entry and sends the packet to P2. The process on P2 is similar to that on P1.
▫ Upon receipt of the packet, PE2 sends the packet to a specific VPN site based on the inner label (PHP is not considered in this case).
• When an SR-MPLS Policy is used to carry VPN traffic, the forwarding path must be pre-computed and delivered to the ingress (PE1) as a segment list.
▫ After receiving a VPN packet from CE1, PE1 searches the corresponding table and pushes the related segment list into the packet.
▫ PE1 then sends the packet to P1, which determines the forwarding path based on the outer label, pops the outer label, and sends the packet to P2.
▫ After receiving the packet, P2 determines the forwarding path based on the outer label, pops the outer label, and sends the packet to PE2.
▫ PE2 sends the packet to the specified VPN site according to the inner label.

SRv6 Overview
⚫ SRv6, or Segment Routing IPv6, is designed to forward IPv6 data packets on a network based on the source routing paradigm.
⚫ SRv6 forwarding is no longer based on MPLS, simplifying the forwarding plane. SRv6 implements hop-by-hop forwarding by adding a Segment Routing Header (SRH) to IPv6 packets, encapsulating an explicit IPv6 address stack in the SRH, and updating the destination address on each transit SID node.

[Figure: SRv6 packet format]
Standard IPv6 header: Version | Traffic Class | Flow Label; Payload Length | Next Header = 43 | Hop Limit; Source Address; Destination Address.
IPv6 extension header (SRH): Next Header | Hdr Ext Len | Routing Type = 4 | Segments Left; Last Entry | Flags | Tag; Segment List[0] (128-bit IPv6 address); Segment List[1] (128-bit IPv6 address); Segment List[2] (128-bit IPv6 address); Optional TLV objects (variable).
IPv6 Payload.

SRv6-based VPN Traffic Transmission

[Figure: VPN1 site A (CE1) to VPN1 site B (CE2, prefix 2001::/64) across the IPv6 domain PE1 - P1 - P2 - PE2.
SRv6 BE-based VPN traffic transmission: the outer IPv6 destination address is the service SID FC01::1 of PE2 on every hop; the inner IPv6 header is destined for 2001::1.
SRv6 Policy-based VPN traffic transmission: the SRH carries the segment list FC02::1 (P1), FC03::1 (P2), FC10::1 (PE2). The outer destination address is FC02::1 from PE1 to P1, FC03::1 from P1 to P2, and FC10::1 from P2 to PE2, with Segments Left decremented at each SID node (the figure labels the three hops SL=3, SL=2, and SL=1); the inner IPv6 header is destined for 2001::1.]

• When SRv6 BE is used to carry VPN traffic, data packets carry two layers of IPv6 headers. The outer IPv6 destination address identifies the VPN to which the data belongs, and the inner IPv6 header identifies the actual destination address of the data.
▫ The outer IPv6 address is generated from the locator of PE2 and advertised to PE1 through BGP. PE2 advertises the locator to other devices in the form of a route.
▫ After PE1 receives a packet destined for the destination network segment (2001::/64), PE1 encapsulates the packet with an outer IPv6 header and forwards the packet based on the routing table.
▫ Ps (P1 and P2) forward the packet based on the outer IPv6 header.
▫ After receiving the packet, PE2 matches the packet with the corresponding VPN instance based on the outer IPv6 header and forwards the packet based on the routing table.
• When an SRv6 Policy is used to carry VPN traffic, data packets carry two layers of IPv6 headers. The outer IPv6 destination address is replaced at each SID node based on the SRH information, and the inner IPv6 header identifies the actual destination address of the data.
▫ Upon receipt of a packet destined for 2001::/64, PE1 adds an outer IPv6 header (including the SRH) to the packet and sends the packet to the next hop based on the header.
▫ After receiving the packet, P1 replaces the outer IPv6 destination address based on the SRH information and forwards the packet. P2 processes the packet in a similar way.
▫ After receiving the packet, PE2 determines the VPN to which the packet belongs based on the outer IPv6 header and forwards the packet based on the routing table.
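The SRH encoding and the per-hop processing of the figure, as an added Python example (not code from the training material). It builds the outer IPv6 header and SRH for the segment list FC02::1, FC03::1, FC10::1, applies End behaviour at P1 and P2, and End.DT decapsulation at PE2. Per RFC 8754 the Segment List is stored in reverse order and Segments Left starts at n - 1 (2 for three segments) because the outer destination address already carries the first segment; the source address and the inner packet are constructed placeholders.

```python
import ipaddress
import struct

IPV6_HDR = struct.Struct("!IHBB16s16s")   # ver/tc/flow, payload len, next header, hop limit, src, dst
SRH_FIXED = struct.Struct("!BBBBBBH")     # next header, hdr ext len, routing type, SL, last entry, flags, tag
NEXT_HEADER_ROUTING = 43                  # outer IPv6 header points at the SRH
NEXT_HEADER_IPV6 = 41                     # SRH points at the inner IPv6 packet of the VPN
ROUTING_TYPE_SRH = 4


def build_srv6_packet(src, segments, inner, hop_limit=64):
    """Ingress PE: outer IPv6 header + SRH for the ordered `segments`, inner packet unchanged.

    RFC 8754 stores the Segment List reversed (Segment List[0] is the last segment) and,
    because the outer DA already carries the first segment, starts Segments Left at n - 1.
    """
    n = len(segments)
    seg_bytes = b"".join(ipaddress.IPv6Address(s).packed for s in reversed(segments))
    # Hdr Ext Len counts 8-octet units after the first 8 octets: 16n / 8 = 2n.
    srh = SRH_FIXED.pack(NEXT_HEADER_IPV6, len(seg_bytes) // 8, ROUTING_TYPE_SRH, n - 1, n - 1, 0, 0)
    payload = srh + seg_bytes + inner
    outer = IPV6_HDR.pack(0x6 << 28, len(payload), NEXT_HEADER_ROUTING, hop_limit,
                          ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(segments[0]).packed)
    return outer + payload


def parse(packet):
    """Return (outer destination, Segments Left, Segment List as stored) of an SRv6 packet."""
    _, _, next_header, _, _, dst = IPV6_HDR.unpack_from(packet, 0)
    if next_header != NEXT_HEADER_ROUTING:
        raise ValueError("outer header carries no routing header")
    _, _, routing_type, sl, last_entry, _, _ = SRH_FIXED.unpack_from(packet, IPV6_HDR.size)
    if routing_type != ROUTING_TYPE_SRH:
        raise ValueError("routing header is not an SRH")
    off = IPV6_HDR.size + SRH_FIXED.size
    seg_list = [str(ipaddress.IPv6Address(packet[off + 16 * i:off + 16 * (i + 1)]))
                for i in range(last_entry + 1)]
    return str(ipaddress.IPv6Address(dst)), sl, seg_list


def end_behaviour(packet, local_sids):
    """Transit node (P1, P2): if the DA is one of its End SIDs, SL -= 1 and DA = Segment List[SL].

    A DA that is not a local SID is forwarded as plain IPv6 without touching the SRH.
    """
    dst, sl, seg_list = parse(packet)
    if dst not in {str(ipaddress.IPv6Address(s)) for s in local_sids}:
        return packet
    if sl == 0:
        raise ValueError("SL is 0: this node is the last segment; apply End.DT, not End")
    if packet[7] == 0:
        raise ValueError("hop limit exhausted")
    pkt = bytearray(packet)
    pkt[7] -= 1                                                   # hop limit, as for any IPv6 hop
    pkt[IPV6_HDR.size + 3] = sl - 1                               # Segments Left
    pkt[24:40] = ipaddress.IPv6Address(seg_list[sl - 1]).packed   # new outer destination
    return bytes(pkt)


def end_dt_decapsulate(packet):
    """Egress PE (End.DT4/End.DT6): with SL == 0, strip the outer header and SRH, return the inner packet."""
    _, sl, _ = parse(packet)
    if sl != 0:
        raise ValueError("segments remain: this node is not the egress of the policy")
    _, ext_len, *_ = SRH_FIXED.unpack_from(packet, IPV6_HDR.size)
    return packet[IPV6_HDR.size + 8 * (ext_len + 1):]
```

The same functions apply to SRv6 BE by passing a single segment, the End.DT SID of PE2: the SRH then carries one entry with Segments Left 0, and only end_dt_decapsulate runs at the egress.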

SR-MPLS Tunnel Design Principles

⚫ Tunnels are intended to better serve services and focus on optimization requirements under the prerequisite that VPN bearer requirements are met. Comply with the following principles to achieve a balance among aspects such as service path visualization, service protection, network maintainability, and network scalability:
 Service path visualization: Associate service traffic with tunnels to achieve some degree of path visualization.
 Maintainability: Keep the total number of tunnels at an appropriate level to reduce live network maintenance pressure and shorten the optimization time.
 Ease of optimization: Ensure that the traffic on each tunnel is not too heavy. Otherwise, bandwidth optimization will be difficult.
 Reliability: Ensure that main services are under protection, and key services can be quickly converged.
 Scalability: Consider possible network expansion in the future.

• SR-MPLS BE tunnels are similar to LDP tunnels. Tunnel establishment depends on IGP design. Therefore, after IGP design is complete, SR-MPLS BE design is complete.
• This section mainly focuses on SR-MPLS Policy design.

SR-MPLS Policy Deployment Design

⚫ Generally, an enterprise bearer network belongs to an independent AS. Therefore, E2E SR-MPLS Policies can be deployed.
⚫ An E2E tunnel can be deployed between the ingress (PE) where service traffic enters the bearer network and the egress (PE) where service traffic leaves the backbone network.

[Figure: VPN1 site A (CE1) - PE1 - P1 - P2 - PE2 - CE2 (VPN1 site B) in one SR domain; L2VPN and L3VPN services ride the E2E SR-MPLS Policy between PE1 and PE2.]

• End-to-end deployment has the following characteristics:
▫ Strong path control can be implemented through the planning of end-to-end paths (especially explicit paths).
▫ Path visualization is relatively good.
▫ If the network is large (for example, a network with multiple data centers and dozens of branches) and has 5,000 to 10,000 TE tunnels, the maintenance workload is heavy.
▫ The scalability is fair. If a new data center or branch is added, a large number of end-to-end tunnels need to be added.

SR-MPLS Policy Path Planning


⚫ SR-MPLS Policy paths can be planned based on factors such as bandwidth, delay, and path disjointness.
 When planning paths based on bandwidth, you need to set the maximum available bandwidth of each interface in advance.
 If path planning is based on delay, TWAMP or iFIT must be deployed in advance to measure the real-time network delay.
⚫ If SR-MPLS Policy paths are planned through the controller or static configuration, the following two modes are available (CP stands for candidate path):
 Single-CP multi-segment path
 Multi-CP single-segment path

[Figure: left, multi-CP single-segment path: SR-MPLS Policy <headend, color, endpoint> with candidate path 1 (preference 200, one segment list with weight 10) and candidate path 2 (preference 100, one segment list with weight 10); right, single-CP multi-segment path: SR-MPLS Policy <headend, color, endpoint> with candidate path 1 (preference 200) carrying segment list 1 (weight 20) and segment list 2 (weight 10).]


• If iFIT is used to measure the network delay, IEEE 1588v2 (PTP) clock synchronization must be enabled on the entire network, which restricts the scenarios in which iFIT can be used.
• TWAMP requires only NTP for network delay measurement.
• For a tunnel planned based on bandwidth, the actual traffic volume of the tunnel is not limited on devices after the tunnel is delivered. The traffic volume of a tunnel needs to be limited on the ingress, using QoS or network slicing.

SR-MPLS Policy Traffic Diversion Mode Design


⚫ SR-MPLS Policies need to steer service traffic into tunnels for forwarding. This process is called traffic diversion. Currently, SR-MPLS Policies support the following traffic diversion modes:
 Color-based traffic diversion: In this mode, the headend steers traffic into an SR-MPLS Policy through route recursion implemented based on the color value and destination address in the route.
 DSCP-based traffic diversion: In this mode, the headend searches for a matching SR-MPLS Policy group based on specific endpoint information and then finds the corresponding SR-MPLS Policy based on the DSCP value of packets.

[Figure: left, color-based traffic diversion: the FTP service and the HTTP service destined for the same endpoint share one tunnel across the bearer network; right, DSCP-based traffic diversion: the FTP service and the HTTP service are steered into different tunnels according to their DSCP values.]

• DSCP-based traffic diversion can better ensure service quality.


• In color-based traffic diversion, different tunnels (including primary and backup tunnels) can only be selected based on endpoints. If different service traffic (such as HTTP and FTP traffic) is destined for the same address, color-based traffic diversion diverts the traffic to the same tunnel. As a result, the quality of some services deteriorates.
• In DSCP-based traffic diversion, different tunnels can be selected based on endpoint + DSCP information. If different service traffic (such as HTTP and FTP traffic) is destined for the same address, DSCP-based traffic diversion will steer different services into different tunnels based on the configuration, thereby ensuring the service quality.
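The following is an added example (it is not Huawei code and not part of the original material) that models the two traffic diversion modes described above on an ingress PE. The policy names, the endpoint address 10.0.0.2, the colors 100 and 200, and the DSCP markings AF11 for FTP and AF21 for HTTP are all assumed for the illustration; what the model shows is why an FTP flow and an HTTP flow to the same VPN prefix share a tunnel in color-based mode and get separate tunnels in DSCP-based mode.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# DSCP code points (RFC 2597 assured-forwarding values) used for the two sample flows
AF11 = 10   # assumed marking for FTP
AF21 = 18   # assumed marking for HTTP


@dataclass(frozen=True)
class SrPolicy:
    name: str
    endpoint: str   # remote PE loopback
    color: int


@dataclass(frozen=True)
class VpnRoute:
    prefix: str
    next_hop: str           # BGP next hop of the VPN route (remote PE loopback)
    color: Optional[int]    # BGP color extended community; None if the route carries none


class Headend:
    """Ingress PE holding the SR-MPLS Policies and both diversion tables (constructed model)."""

    def __init__(self) -> None:
        # color-based mode: <endpoint, color> -> policy
        self.by_color: dict[tuple[str, int], SrPolicy] = {}
        # DSCP-based mode: endpoint -> policy group, i.e. DSCP value -> policy (None = default)
        self.groups: dict[str, dict[Optional[int], SrPolicy]] = {}

    def add_policy(self, policy: SrPolicy) -> None:
        self.by_color[(policy.endpoint, policy.color)] = policy

    def add_group_entry(self, endpoint: str, dscp: Optional[int], policy: SrPolicy) -> None:
        self.groups.setdefault(endpoint, {})[dscp] = policy

    def steer_by_color(self, route: VpnRoute) -> Optional[SrPolicy]:
        """Route recursion on <next hop, color>. The packet's DSCP plays no part, so every
        flow to this destination lands in the same policy; None means fall back to SR BE."""
        if route.color is None:
            return None
        return self.by_color.get((route.next_hop, route.color))

    def steer_by_dscp(self, route: VpnRoute, dscp: int) -> Optional[SrPolicy]:
        """Find the policy group for the route's endpoint, then the policy for the DSCP value,
        with the group's default policy for unmapped DSCPs; None means fall back to SR BE."""
        group = self.groups.get(route.next_hop)
        if group is None:
            return None
        return group.get(dscp, group.get(None))


def build_headend() -> Headend:
    """Constructed configuration: two policies to PE2 (10.0.0.2), one for bulk and one for
    low-delay traffic, plus a DSCP policy group for the same endpoint."""
    he = Headend()
    bulk = SrPolicy("POLICY-BULK", "10.0.0.2", 100)
    low_delay = SrPolicy("POLICY-LOWDELAY", "10.0.0.2", 200)
    he.add_policy(bulk)
    he.add_policy(low_delay)
    he.add_group_entry("10.0.0.2", AF11, bulk)        # FTP
    he.add_group_entry("10.0.0.2", AF21, low_delay)   # HTTP
    he.add_group_entry("10.0.0.2", None, bulk)        # default for unmapped DSCPs
    return he


def compare_modes(he: Headend) -> dict[str, dict[str, str]]:
    """Policy chosen for an FTP flow and an HTTP flow to the same VPN prefix under each mode."""
    route = VpnRoute("192.168.20.0/24", next_hop="10.0.0.2", color=100)
    flows = {"ftp": AF11, "http": AF21}
    return {
        "color": {name: he.steer_by_color(route).name for name in flows},
        "dscp": {name: he.steer_by_dscp(route, dscp).name for name, dscp in flows.items()},
    }


if __name__ == "__main__":
    print(compare_modes(build_headend()))
```

One caveat for the DSCP-based mode: the tunnel choice is driven by a field the customer can set, so a CE that marks its bulk traffic AF21 would steer itself into the low-delay policy. This is why the QoS deployment design later in this chapter classifies and re-marks traffic on the PE ingress rather than trusting the marking received from the CE.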

Best-Effort Forwarding Design for SR-MPLS Tunnels


⚫ VPN services can be carried over either SR-MPLS Policies or SR-MPLS BE tunnels.
⚫ An SR-MPLS Policy can contain multiple candidate paths with the preference attribute. The valid candidate path
with the highest preference functions as the primary path of the SR-MPLS Policy, and the valid candidate path with
the second highest preference functions as the HSB path.
⚫ If all SR-MPLS Policies fail, VPN services can be carried over SR-MPLS BE tunnels.
⚫ It is recommended that both SR-MPLS Policies and SR-MPLS BE tunnels be deployed. SR-MPLS Policies are
preferentially used, and SR-MPLS BE tunnels serve as their backup.

[Figure: SR-MPLS Policy <headend, color, endpoint> with candidate path 1 (preference 200; segment list 1 with weight 20 and segment list 2 with weight 10) and candidate path 2 (preference 100; segment list 1 with weight 10). Tunnel selection prefers the SR-MPLS Policy and falls back to the SR-MPLS BE tunnel.]


• An SR-MPLS Policy can have multiple candidate paths, such as CP1 and CP2. Each candidate path is uniquely identified by the 3-tuple <protocol-origin, originator, discriminator>.
• CP1 is the active path because it is valid and has the higher preference. The two SID lists (also called segment lists) of CP1 are delivered to the forwarder, and traffic is balanced between the two paths based on weight. For example, the share of traffic sent along the SID list <SID11, SID12> is W1/(W1+W2). In the current mainstream implementation, a candidate path has only one segment list.
• If a controller is used to generate SR-MPLS Policies, only primary and backup tunnels can be established, and load balancing cannot be implemented for the primary tunnel.
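The following is an added example (not Huawei code and not part of the original material) of the candidate path and segment list selection described on this slide and in the preceding best-effort forwarding design: the valid candidate path with the highest preference is active, the next one is the hot standby, flows are hashed across the active path's segment lists in proportion W_i/sum(W), and the SR-MPLS BE tunnel takes over when no candidate path is valid. The label values, node names and the preference/weight numbers are assumed; the protocol-origin constants and the tie-break order follow RFC 9256.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SegmentList:
    sids: tuple[int, ...]   # label stack pushed on the packet
    weight: int
    up: bool = True         # connectivity result (for example from SBFD) for this list


@dataclass
class CandidatePath:
    protocol_origin: int    # RFC 9256 values: 10 = PCEP, 20 = BGP SR Policy, 30 = configuration
    originator: int         # simplified to an integer node identifier here
    discriminator: int
    preference: int
    segment_lists: list[SegmentList] = field(default_factory=list)

    def identity(self) -> tuple[int, int, int]:
        return (self.protocol_origin, self.originator, self.discriminator)

    def valid(self) -> bool:
        # a candidate path stays usable while at least one of its segment lists is up
        return any(sl.up for sl in self.segment_lists)


@dataclass
class SrPolicy:
    headend: str
    color: int
    endpoint: str
    candidate_paths: list[CandidatePath] = field(default_factory=list)

    def ranked_paths(self) -> list[CandidatePath]:
        """Valid candidate paths, best first: highest preference, then the RFC 9256
        tie-break (higher protocol-origin, lower originator, higher discriminator)."""
        valid = [cp for cp in self.candidate_paths if cp.valid()]
        return sorted(valid, key=lambda cp: (-cp.preference, -cp.protocol_origin,
                                             cp.originator, -cp.discriminator))

    def active_path(self) -> Optional[CandidatePath]:
        ranked = self.ranked_paths()
        return ranked[0] if ranked else None

    def hot_standby_path(self) -> Optional[CandidatePath]:
        ranked = self.ranked_paths()
        return ranked[1] if len(ranked) > 1 else None


def pick_segment_list(cp: CandidatePath, flow_key: bytes) -> SegmentList:
    """Weighted ECMP over the up segment lists: list i receives W_i / sum(W) of the flows."""
    lists = [sl for sl in cp.segment_lists if sl.up]
    total = sum(sl.weight for sl in lists)
    point = int.from_bytes(hashlib.sha256(flow_key).digest()[:4], "big") % total
    for sl in lists:
        if point < sl.weight:
            return sl
        point -= sl.weight
    raise AssertionError("unreachable: point is always below the total weight")


def forward(policy: SrPolicy, flow_key: bytes,
            be_label: Optional[int]) -> tuple[str, tuple[int, ...]]:
    """Tunnel selection: the SR-MPLS Policy is preferred; the SR-MPLS BE tunnel (the
    endpoint's prefix SID label) is the fallback when no candidate path is valid."""
    cp = policy.active_path()
    if cp is not None:
        return ("policy", pick_segment_list(cp, flow_key).sids)
    if be_label is not None:
        return ("be", (be_label,))
    return ("drop", ())


def build_policy() -> SrPolicy:
    """Constructed policy: CP1 from the controller (preference 200) with two weighted
    segment lists, CP2 from local configuration (preference 100) with one list."""
    cp1 = CandidatePath(10, 1, 1, 200,
                        [SegmentList((16002, 16004), weight=20),
                         SegmentList((16003, 16004), weight=10)])
    cp2 = CandidatePath(30, 1, 2, 100, [SegmentList((16004,), weight=10)])
    return SrPolicy("PE1", 100, "10.0.0.4", [cp1, cp2])


def share_of_first_list(policy: SrPolicy, flows: int = 3000) -> float:
    """Fraction of flows hashed onto the active path's first segment list."""
    cp = policy.active_path()
    first = cp.segment_lists[0]
    hits = sum(1 for i in range(flows)
               if pick_segment_list(cp, f"flow-{i}".encode()) is first)
    return hits / flows
```

With weights 20 and 10, roughly two thirds of the flows land on segment list 1; marking both lists of CP1 down promotes CP2 (the hot standby) to active, and marking CP2 down as well makes `forward` return the BE label, which is the tunnel selection order recommended above.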

SRv6 Tunnel Design


⚫ SRv6 BE forwards traffic based on the optimal path selected by the routing protocol and applies to services that have low path SLA requirements. Services with high path SLA requirements need to be forwarded in SRv6 Policy mode, where the controller is used to compute paths based on constraints to ensure the service SLA.
⚫ The deployment and traffic import mode design for SRv6 Policies is similar to that for SR-MPLS Policies.
 It is recommended that E2E SRv6 tunnels be deployed on enterprise bearer networks to facilitate monitoring and O&M.
 Traffic can be steered into SRv6 tunnels based on either the color or DSCP attribute, and DSCP-based traffic diversion can better ensure service quality.

[Figure: left, color-based traffic diversion: the FTP service and the HTTP service share one tunnel across the bearer network; right, DSCP-based traffic diversion: the FTP service and the HTTP service are steered into different tunnels.]

• DSCP-based traffic diversion can better ensure service quality.


• Similar to LDP tunnels, SRv6 BE tunnels follow the IGP/BGP optimal paths. Instead of MPLS labels, SRv6 BE forwards on the IPv6 destination address: the shortest path first (SPF) algorithm computes the path to the SRv6 SID (its locator route) in the IGP domain. SRv6 BE requires only one segment (the VPN SID advertised by the egress PE) to identify both the forwarding path and the carried service. Traffic forwarding along paths therefore depends on cost planning: traffic follows the least-cost route.
• This section describes SRv6 Policy design.

SRv6 Policy Path Planning


⚫ SRv6 Policy paths can be planned based on factors such as bandwidth, delay, and path disjointness.
 When planning paths based on bandwidth, you need to set the maximum available bandwidth of each interface in advance.
 If path planning is based on delay, TWAMP or iFIT must be deployed in advance to measure the real-time network delay.
⚫ If SRv6 Policy paths are planned through the controller or static configuration, the following two modes are available:
 Single-CP multi-segment path
 Multi-CP single-segment path

[Figure: left, multi-CP single-segment path: SRv6 Policy <headend, color, endpoint> with candidate path 1 (preference 200, one segment list with weight 10) and candidate path 2 (preference 100, one segment list with weight 10); right, single-CP multi-segment path: SRv6 Policy <headend, color, endpoint> with candidate path 1 (preference 200) carrying segment list 1 (weight 20) and segment list 2 (weight 10).]

• The delay-measurement and bandwidth-limiting considerations are the same as for SR-MPLS Policy path planning: iFIT requires IEEE 1588v2 clock synchronization on the entire network, TWAMP requires only NTP, and the traffic volume of a bandwidth-planned tunnel is not limited by the delivered path and must be limited on the ingress using QoS or network slicing.

Best-Effort Forwarding Design for SRv6 Tunnels


⚫ Similar to SR-MPLS, SRv6 can use either SRv6 BE tunnels or SRv6 Policies to carry VPN services.
⚫ SRv6 BE tunnels are generally used as best-effort tunnels. If all SRv6 Policies fail, SRv6 BE tunnels are used to carry
services.
⚫ It is recommended that SRv6 BE tunnels and SRv6 Policies both be deployed. SRv6 Policies are preferentially used,
and SRv6 BE tunnels serve as their backup.

[Figure: SRv6 Policy <headend, color, endpoint> with candidate path 1 (preference 200; segment list 1 with weight 20 and segment list 2 with weight 10) and candidate path 2 (preference 100; segment list 1 with weight 10). Tunnel selection prefers the SRv6 Policy and falls back to the SRv6 BE tunnel.]
VPN Design Roadmap for the Enterprise Bearer WAN

1. Tunnel design: basic tunnel concepts; SR-MPLS tunnel planning; SRv6 tunnel planning
2. VPN design: VPN classification; VPN route transmission

VPN Classification
⚫ Different enterprises have different requirements for VPN division. Most enterprises use one VPN for
major services (including production and office services), one VPN for non-major services, one VPN for
external services, and one VPN for Internet services.

[Figure: bearer network running IS-IS as the IGP and BGP for VPN routes: PEs at the edge, Ps in the core, and an RR for route reflection. Each PE is a VPN access point.]

IPv4 VPN Type Selection


⚫ When SR-MPLS is used to carry IPv4 L3VPN traffic, the BGP VPNv4 or BGP EVPN address family can be used to
transmit VPN routes.
⚫ When SRv6 is used to carry IPv4 L3VPN traffic, it is recommended that the BGP EVPN address family be used to
transmit VPN routes, so that IPv6 and Layer 2 services can be carried in the same manner.
⚫ The L3VPN capabilities and implementation processes of VPNv4 and EVPN address families are basically the same.

| | VPNv4 | EVPNv4 | Remarks |
| --- | --- | --- | --- |
| Forwarding plane | MPLS/SRv6 | MPLS/SRv6 | |
| VPN route learning | BGP | BGP | The BGP route formats are different. |
| RR-based route reflection | Supported | Supported | |
| Failover | Supported | Supported | VPN FRR, IP FRR, TE-HSB (MPLS), CBTS, TI-LFA (SRv6), mirror SID |

IPv6 VPN Type Selection


⚫ When SR-MPLS is used to carry IPv6 L3VPN traffic, the BGP VPNv6 or BGP EVPN address family can be used to
transmit VPN routes.

⚫ When SRv6 is used to transmit IPv6 services, it is recommended that the BGP EVPN address family be used to
transmit VPN routes.

| | VPNv6 | EVPNv6 | Remarks |
| --- | --- | --- | --- |
| Forwarding plane | MPLS/SRv6 | MPLS/SRv6 | |
| VPN route learning | BGP | BGP | The BGP route formats are different. |
| RR-based route reflection | Supported | Supported | |
| Failover | Supported | Supported | VPN FRR, IP FRR, TE-HSB, CBTS, TI-LFA, mirror SID |
Contents

1. Current Situation and Challenges of the Enterprise Bearer WAN

2. Huawei CloudWAN Solution Overview

3. Basic Design for the Enterprise Bearer WAN

4. Tunnel and VPN Design for the Enterprise Bearer WAN

5. SLA and Reliability Design for the Enterprise Bearer WAN

6. Optimization and O&M Design for the Enterprise Bearer WAN

SLA and Reliability Design Overview for the Enterprise
Bearer WAN
⚫ The enterprise bearer WAN uses reliability and SLA technologies to effectively ensure the quality of
carried services. Therefore, reliability and SLA design are very important.

[Figure: HQ and a branch site connected over the IP bearer network. Reliability design: a backup tunnel protects the primary tunnel. SLA design: a low-delay slice is provisioned beside the default slice.]
SLA Design Roadmap for the Enterprise Bearer WAN

1. SLA design: QoS design; slice design
2. Reliability design: controller reliability design; device reliability design; network reliability design
SLA Technology Overview
⚫ In Huawei's CloudWAN solution, iMaster NCE-IP can compute paths based on bandwidth requirements and deliver
forwarding paths (SR Policies) to network devices.
⚫ Although the controller can compute paths based on bandwidth requirements, the delivered path information does
not contain any traffic rate limiting policy. As a result, the traffic rate on the forwarding path (SR Policy) may
exceed the planned bandwidth.
⚫ To ensure that the traffic rate does not exceed the planned bandwidth, SLA technologies need to be deployed on
the network to limit traffic bandwidth.
⚫ SLA technologies mainly include QoS and network slicing.
[Figure: the network administrator plans paths based on bandwidth requirements and deploys an SR Policy from PE1 to PE3 (via the RR-reflected bearer network) with a bandwidth of 1 Gbit/s. 2 Gbit/s of traffic is offered to the SR Policy, and the SLA technology ensures that the traffic rate does not exceed the planned 1 Gbit/s.]

QoS Planning Principles


⚫ The enterprise bearer network needs to provide differentiated service quality assurance for different
services. QoS planning ensures that various services are properly forwarded on the bearer network.
QoS planning mainly complies with the following four principles:
 Reasonableness: Resources must be allocated appropriately based on the importance of services.
 Consistency: QoS planning involves various behaviors (such as service classification, marking, scheduling, and
rate limiting), which must be consistent on the entire network.
 Scalability: Current QoS policies must take into account future service expansion.
 Maintainability: Because services change rapidly in real-world situations, QoS policies may be frequently
adjusted during routine maintenance. Ensure that QoS policies can be easily adjusted and maintained.


QoS Design Suggestions


⚫ When the network is normal, a different link can be planned for each service of an enterprise to ensure that these
services do not affect each other. However, when a link is faulty, the affected services are switched to other links,
and bandwidth competition may occur. QoS policies need to be deployed for key services in a unified manner.
⚫ If there are more than eight types of enterprise services, they need to be properly classified and combined. The
following is an example of common enterprise service planning.
| Priority | Service | Scheduling mode | Weight | Traffic shaping | Drop method |
| --- | --- | --- | --- | --- | --- |
| CS6/CS7 | Protocol packets | PQ | NA | NA | Tail drop |
| EF | Production service | PQ | NA | NA | Tail drop |
| AF4 | VoIP, video conference | PQ | NA | Configure rate limiting to prevent bandwidth starvation of low-priority services. | Tail drop |
| AF3 | Video surveillance | WFQ | Determined based on live network conditions. | NA | WRED |
| AF2 | Office service | WFQ | Determined based on live network conditions. | NA | WRED |
| AF1 | OA service | LPQ | NA | NA | Tail drop |
| BE | Other workloads | LPQ | NA | NA | Tail drop |
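The following is an added example (not Huawei code and not part of the original material) that shows why the AF4 row above carries a rate limit. It simulates one egress port that serves one packet per tick with the scheduling modes of the table: strict priority (PQ) for CS7/EF/AF4, weighted fair queuing (implemented here as smooth weighted round robin) for AF3/AF2, and low-priority queuing (LPQ) for AF1/BE. The queue depth, the WFQ weights 3:1, the offered load, and the AF4 limit of half the port rate are constructed values; WRED is simplified to tail drop for all queues.

```python
from __future__ import annotations

from collections import deque
from typing import Optional

# Queue plan taken from the table above: (class, scheduling mode, WFQ weight).
# The weights are constructed values ("determined based on live network conditions").
QUEUE_PLAN = [
    ("CS7", "PQ", None), ("EF", "PQ", None), ("AF4", "PQ", None),
    ("AF3", "WFQ", 3), ("AF2", "WFQ", 1),
    ("AF1", "LPQ", None), ("BE", "LPQ", None),
]


class EgressPort:
    """One output port serving one packet per tick: PQ first, then WFQ, then LPQ.
    Every queue tail-drops when it is full."""

    def __init__(self, depth: int = 64, af4_rate: Optional[float] = None) -> None:
        self.depth = depth
        self.queues = {cls: deque() for cls, _, _ in QUEUE_PLAN}
        self.served = {cls: 0 for cls in self.queues}
        self.dropped = {cls: 0 for cls in self.queues}
        self.wfq_credit = {cls: 0 for cls, mode, _ in QUEUE_PLAN if mode == "WFQ"}
        self.af4_rate = af4_rate    # AF4 packets allowed per tick (None = no rate limit)
        self.af4_tokens = 0.0       # single-packet token bucket for the AF4 rate limit

    def enqueue(self, cls: str, pkt: int) -> None:
        q = self.queues[cls]
        if len(q) >= self.depth:
            self.dropped[cls] += 1  # tail drop
        else:
            q.append(pkt)

    def _pq_candidate(self) -> Optional[str]:
        for cls, mode, _ in QUEUE_PLAN:
            if mode != "PQ" or not self.queues[cls]:
                continue
            if cls == "AF4" and self.af4_rate is not None:
                if self.af4_tokens < 1.0:
                    continue        # AF4 is over its limit: let the lower queues through
                self.af4_tokens -= 1.0
            return cls
        return None

    def _wfq_candidate(self) -> Optional[str]:
        # smooth weighted round robin over the non-empty WFQ queues
        ready = [(cls, w) for cls, mode, w in QUEUE_PLAN if mode == "WFQ" and self.queues[cls]]
        if not ready:
            return None
        total = sum(w for _, w in ready)
        for cls, w in ready:
            self.wfq_credit[cls] += w
        chosen = max(ready, key=lambda cw: self.wfq_credit[cw[0]])[0]
        self.wfq_credit[chosen] -= total
        return chosen

    def _lpq_candidate(self) -> Optional[str]:
        for cls, mode, _ in QUEUE_PLAN:
            if mode == "LPQ" and self.queues[cls]:
                return cls
        return None

    def tick(self) -> Optional[str]:
        """Serve one packet; returns the class served (None if every queue is empty)."""
        if self.af4_rate is not None:
            self.af4_tokens = min(1.0, self.af4_tokens + self.af4_rate)
        cls = self._pq_candidate() or self._wfq_candidate() or self._lpq_candidate()
        if cls is not None:
            self.queues[cls].popleft()
            self.served[cls] += 1
        return cls


def run(af4_rate: Optional[float], ticks: int = 1000) -> dict[str, int]:
    """Constructed overload: AF4, AF3, AF2 and AF1 each offer one packet per tick, i.e.
    four times the port capacity. Returns packets served per class."""
    port = EgressPort(af4_rate=af4_rate)
    for t in range(ticks):
        for cls in ("AF4", "AF3", "AF2", "AF1"):
            port.enqueue(cls, t)
        port.tick()
    return port.served


if __name__ == "__main__":
    print("no AF4 limit :", run(None))
    print("AF4 at 50%   :", run(0.5))
```

Without the limit, the strict-priority AF4 queue takes every slot and the WFQ and LPQ classes get nothing; with AF4 limited to half the port, the remaining slots go to AF3 and AF2 in the 3:1 ratio of their weights. Note that LPQ still receives nothing while the higher classes saturate the port, so the AF1 and BE rows depend on the PQ and WFQ classes leaving capacity free.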


QoS Deployment Design


⚫ QoS planning requires that QoS features be properly deployed at different locations on the network.
The following figure shows the deployment of different features on the network:

[Figure: CE - PE - P/RR - PE - CE across the bearer network, with the following deployment points:]
1. If the CE cannot classify or mark services, the services can be marked on the PE ingress.
2. Desired flows must be specified on the PE ingress, and rate limiting must be configured on the PE ingress.
3. Congestion avoidance and congestion management must be deployed in the outbound direction of all devices on the bearer network.

Network Slicing Overview


⚫ Network slicing can be used to allocate dedicated network resources on a network to carry high-value service traffic.
⚫ Network slicing and SR tunnels apply to different network layers. Network slicing reserves resources on the Layer
1.5 or Layer 2 network and can be used together with SR tunnels.
⚫ Network slicing is generally implemented based on channelized sub-interfaces or FlexE.

[Figure: left, channelized sub-interface: the CS7 to BE queues of each channelized sub-interface are scheduled through SQ and GQ in the TM and VI/DP on the PIC before a shared MAC/PHY; right, FlexE: the CS7 to BE queues of each FlexE client are scheduled through SQ/DP in the TM, and the FlexE shim maps each client onto its own timeslots of the PHY.]

• Channelized sub-interface: Queue resources are isolated. Hierarchical scheduling is used to implement flexible and refined management of interface resources, provide bandwidth guarantee, and work with the controller to provide E2E resource reservation.
• FlexE: Queue and interface resources are isolated. Every resource is divided by TDM timeslot. This meets the requirements for exclusive resource use and resource isolation and provides flexible and refined management of interface resources.

Network Slicing Design


⚫ Currently, existing devices mainly implement network slicing based on bandwidth.
⚫ A slice with the corresponding bandwidth is created based on actual service requirements. An SR tunnel is then bound to the slice for bearing.
⚫ SR BE tunnels or SR Policies can be deployed in the default slice.
⚫ SR Policies are deployed in the service slice. BFD is deployed to detect tunnel status, implementing HSB protection and VPN FRR within slices.
⚫ iMaster NCE-IP computes tunnels over slices based on affinity attributes.
⚫ iMaster NCE-IP optimizes traffic within slices.

[Figure: a service slice and the default slice, each carrying a primary tunnel and a backup tunnel.]

Network Slicing Application Scenarios


⚫ FlexE-based network slicing and channelized sub-interface-based network slicing have different application
scenarios.

 It is recommended that FlexE be used to reserve resources for 50GE and higher-speed interfaces and channelized sub-interfaces be used to reserve resources for lower-speed interfaces.
 Only channelized sub-interface-based network slicing can be deployed across MSTP devices.
 FlexE- or channelized sub-interface-based network slicing can be deployed across OTN devices as required.

[Figure: left, an IP bearer network over an MSTP transmission bearer network: channelized sub-interface-based network slicing deployment; right, an IP bearer network over an OTN transmission bearer network: FlexE- or channelized sub-interface-based network slicing deployment.]

Typical Network Slicing Planning


⚫ Services can be placed into different slices based on application types. Moreover, different slicing
technologies can be used based on transmission lines (MSTP or OTN).

[Figure: typical slicing plan on an IP bearer network over an MSTP transmission bearer network. Production service, office service, and tested service are placed in the internal communication service slice (bandwidth: 5 Gbit/s); gold, silver, and bronze services in the external communication service slice (bandwidth: 5 Gbit/s); app service and Internet access service in the Internet service slice (bandwidth: 1 Gbit/s); new service in the new service slice (bandwidth: 1 Gbit/s). Because the transmission network uses MSTP, only channelized sub-interface-based network slicing can be used as the slicing technology.]
Enterprise Bearer WAN Reliability Design

1. SLA design: QoS design; slice design
2. Reliability design: controller reliability design; device reliability design; network reliability design

Controller Local Reliability Design


⚫ iMaster NCE-IP has two high reliability modes:
 Active/standby protection mode: Only the services on the active node are in the running status. If a service
process on the active node encounters a fault, the controller automatically starts the service process on the
standby node to provide services.
 Cluster protection mode: When running properly, all cluster nodes are in the all-active state. If one node is
faulty, other nodes share the load of the faulty node and continue to provide services evenly.
| Protection layer | Component | Remarks |
| --- | --- | --- |
| Application layer | Manager | Protection mechanism: application active/standby protection. Performance indicators: RPO 0s; RTO ≤ 5 minutes |
| Application layer | Controller | Protection mechanism: application active/standby protection. Performance indicators: RPO 0s; RTO ≤ 60s |
| Application layer | Analyzer | Protection mechanism: application active/standby protection. Performance indicators: RPO 0s; RTO ≤ 5 minutes |
| Database | Database | Protection mechanism: database active/standby protection. Performance indicators: RPO 60s; RTO ≤ 60s |
| Virtualization layer | FusionCompute | N/A |
| Server | TaiShan/RH/E9000 server | Management module: 1+1 backup; power supply: 1+1 backup; network port: 1+1 backup; hard disk: RAID1/RAID10 |

[Figure: the stack from the management plane (network management, network analysis, network control) down through VM1 to VMn with their OS/DB on the virtualization layer to the server.]

• RPO: recovery point objective
• RTO: recovery time objective

Controller Reliability Design: Geographic Redundancy


⚫ Two controllers with consistent hardware configuration, service schemes, and other configurations are deployed at the active and standby sites. Data in each database at the active site is synchronized to the standby site in real time based on the corresponding synchronization policy. If the active site fails, the arbitration service automatically starts the standby site for controller service continuity. You can also manually start the standby site in this case.

[Figure: active site and standby site, each running NCE (services 1 to n, database, and files) on a Linux VM over a hypervisor, with a DRMgr instance (replication management, monitoring management, switchover management) at each site and an arbitration service at a third site. A heartbeat link connects the sites; an asynchronous replication link copies the service data of the Manager and Controller (RPO ≤ 60s). Automatic/manual DR switchover: RTO ≤ 15 minutes, RPO ≤ 60s. Replication link requirements: network delay < 50 ms, packet loss rate < 1%. You are advised to use redundant private lines for replication and ensure that the switching time is less than 1s.]

• During the operation of the DR system, NCE monitors the association status of the active and standby sites over the heartbeat link and synchronizes data over the replication link. If the heartbeat or replication link between the sites is abnormal, the controller reports an alarm. The fault can be either manually rectified or automatically processed by the arbitration service.
• The DRMgr service is developed by Huawei. Customers do not need to purchase third-party HA management software.

Control Network Reliability Design for the Controller


⚫ GR needs to be deployed on both iMaster NCE-IP and devices, so that policy entries on forwarders can be retained
for a longer time if the controller is faulty, maintained, or upgraded, or an active/standby controller switchover
occurs.

[Figure: the active and standby sites of the controller connected by a heartbeat; GR is enabled between the controller and the PE, P, and RR devices of the bearer network.]

• Currently, the active/standby switchover of iMaster NCE-IP can be completed within 10 minutes. Therefore, the GR time must not be less than 20 minutes.
• GR: graceful restart

Device Reliability Design


⚫ High device reliability is essential to the effective running of the network and needs to be guaranteed through the
hardware, software, and protection mechanisms.
⚫ Device reliability deployment:
 1+1 active/standby protection for main control boards (NSR is recommended for smooth active/standby switchovers)
 Load balancing among multiple microengines for interface boards
 Maximum backup for power supplies
 Redundancy protection for other key components (such as fan modules)

[Figure: chassis with 1+1 active/standby protection for main control boards and maximum backup for power supplies.]

• NSR: non-stop routing

Network Reliability Solution Overview


⚫ Multiple reliability technologies can be deployed on the bearer network to implement E2E reliability
protection.
⚫ Network reliability technologies include:
 BFD/SBFD: is mainly used to check network connectivity.
 IP FRR: is mainly used to provide link and node protection for transit networks and can work with the
LFA/RLFA/TI-LFA algorithm.
 Anycast FRR: is mainly used to provide protection for specific nodes, including transit and egress nodes.
 HSB: is mainly used to provide E2E tunnel protection.
 Mirror SID: is mainly used to provide protection for egress nodes.
 Microloop avoidance: is mainly used to prevent temporary loops caused by inconsistent route convergence time
on the entire network.


Source Network Reliability Design


⚫ The source network mainly includes source CEs, source PEs, and links between source CEs and source PEs. The
source network may encounter the following faults:
1. Source CE fault
2. Link fault between a source CE and a source PE
3. Source PE fault
⚫ These three types of faults can be quickly detected through BFD, and IP FRR (mainly based on the LFA/RLFA
algorithm) can be used to compute backup links, so that services can be quickly switched to the protection paths.

[Figure: source network (source CE, source PE, and the link between them) at the ingress of the bearer network. Fault points: 1 source CE, 2 link between the source CE and the source PE, 3 source PE. Traffic switches from the original path to the protection path through the redundant CE and PE.]

Transit Network Reliability Design


⚫ The transit network mainly includes Ps, links between Ps and source PEs, and links between Ps.
⚫ The transit network may encounter the following faults:
1. P fault
2. Link fault between a P and a PE or between Ps
⚫ The following method can be used to protect the network against these two types of faults:
 Deploy BFD to quickly detect network link faults.
 Use IP FRR (mainly based on the TI-LFA algorithm) to compute backup paths.
 If the transit network cannot meet service requirements due to a fault, use the tunnel HSB technology to switch traffic to the backup path.

[Figure: transit network between the PEs. Fault points: 1 P node, 2 link between a P and a PE or between Ps. Traffic switches from the original path to the node/link protection path or, with tunnel HSB, to the backup tunnel path.]

• The transit network may fail to meet service requirements due to insufficient bandwidth or long delay. To detect the network bandwidth or delay, network quality detection technologies such as TWAMP or iFIT need to be deployed.

Destination Network Reliability Design


⚫ The destination network mainly includes destination PEs, destination CEs, links between destination PEs and Ps, and links between destination PEs and destination CEs.
⚫ The destination network may encounter the following faults:
1. Destination PE fault
2. Link fault between a destination PE and a P
3. Destination CE fault
4. Link fault between a destination PE and a destination CE
⚫ The following method can be used to protect the network against the type 1 and type 2 faults:
 Deploy BFD to quickly detect network link faults.
 Use mirror SID or anycast FRR to switch traffic to the standby destination PE.
⚫ The following method can be used to protect the network against the type 3 and type 4 faults:
 Deploy BFD to quickly detect network link faults.
 Compute backup paths through IP FRR (mainly based on the LFA/RLFA algorithm).

[Figure: destination network at the egress of the bearer network. Fault points: 1 destination PE, 2 link between the destination PE and a P, 3 destination CE, 4 link between the destination PE and the destination CE. Traffic switches from the original path to the node/link protection path through the standby destination PE.]
Optimization and O&M Design Overview for the Enterprise
Bearer WAN
⚫ Network operation becomes the new focus after the initial stage of network construction is complete. Network optimization and O&M are essential to smooth network operation.
⚫ To better support subsequent network optimization and O&M, network optimization and O&M design must be performed in advance.

[Figure: O&M design: a day divided into the maintenance window (0:00 to 8:00) and normal running (8:00 to 24:00). Network optimization design: the bearer network of PEs, Ps, and an RR.]
Optimization Design Roadmap for the Enterprise Bearer
WAN

1. Network optimization design: network performance monitoring design; network traffic optimization design; application optimization design
2. O&M design: user management; maintenance window

Network Performance Monitoring Overview


⚫ Network performance monitoring can be implemented in multiple ways, one of the most common
being SNMP. However, as services impose increasingly more requirements on networks, new
technologies are required to quickly obtain network performance indicators.
⚫ Network performance monitoring technologies commonly used on live networks include:
 SNMP: During performance monitoring, SNMP obtains network performance information in a query-reply
manner. When frequently obtaining information, SNMP imposes heavy pressure on the device.
 Telemetry: Telemetry mainly obtains network performance information in a subscription-reporting manner.
When frequently obtaining information, telemetry does not impose much pressure on the device.
 NQA: NQA is mainly used to detect network quality. NQA uses simulated traffic to test the network
environment. Therefore, the test result is not so accurate.
 TWAMP: TWAMP is mainly used to detect network quality. Compared with NQA, TWAMP has a unified
detection model and packet format, and is easy to deploy.


Application Scenarios of Network Performance Monitoring


⚫ In Huawei's CloudWAN solution, SNMP is used to collect common device performance information,
telemetry is used to collect information that needs to be measured within seconds, and TWAMP is used
to collect link quality-related performance data (including packet loss, delay, and jitter).

[Figure: bearer network of PEs, Ps, and an RR. SNMP is used to detect common device performance; telemetry is used to measure network performance (including SR Policy performance) within seconds; TWAMP between the PEs and Ps is used to detect network link quality.]

Network Performance Monitoring Design


⚫ The major performance indicators for WAN services include:
 Link bandwidth usage (measured through telemetry)
 Link delay (measured through TWAMP)
 Tunnel bandwidth usage (measured through telemetry)
 Tunnel packet loss rate (measured through telemetry)

[Figure: SR Policy between two PEs across the bearer network. Telemetry is used to measure the link bandwidth usage, tunnel bandwidth usage, and tunnel packet loss rate; TWAMP between the PEs and Ps is used to measure link delay.]

Network Traffic Optimization Overview


⚫ MPLS TE uses the Constrained Shortest Path First (CSPF) algorithm to compute paths. This distributed computation and management mode, however, cannot manage network bandwidth resources in a coordinated manner.
⚫ Huawei's CloudWAN solution uses BGP-LS (SRv6 Policy) or BGP-LS + PCEP (SR-MPLS Policy) to obtain tunnel status and adjusts forwarding paths.

[Figure: optimization loop on a bearer network of PE1 to PE4, P1, and the RR. 1: TWAMP or iFIT is used to measure network quality. 2: Severe packet loss occurs on links. 3: Devices report network performance data to the controller (SNMP/FTP/telemetry). 4: The controller optimizes forwarding paths based on network performance. 5: The controller delivers optimized tunnel paths based on the network status.]

Network Traffic Optimization Design


⚫ Network optimization design focuses on two aspects: what to optimize and how to optimize.
⚫ What to optimize
 Simply put, optimization is to optimize service paths (LSPs). An LSP is a logical path equivalent to a tunnel, and
a link is a physical path. One link can carry multiple tunnels, and one tunnel (LSP) corresponds to one service.
Therefore, service paths can be changed based on either links or tunnels.

 Link optimization: When one or more links are selected for optimization, all LSPs carried by the selected links are involved in path computation.
 Tunnel optimization: When one or more tunnels are selected for optimization, the LSPs corresponding to the selected tunnels are involved in path computation.
⚫ How to optimize
 Optimization can be performed either automatically or manually:
◼ In an automatic optimization scenario, traffic is automatically analyzed, and the optimization is automatically performed at
scheduled times.

In a manual optimization scenario, traffic is manually optimized on demand based on network conditions.


Automatic Tunnel Optimization Design


⚫ If the network scale is too large for manual tunnel quality assurance, automatic optimization can be
used to automatically analyze tunnel quality and optimize tunnel paths. This helps reduce manual
maintenance costs and improve network optimization efficiency.
⚫ Automatic tunnel optimization applies to the following scenarios:
 Scheduled optimization
 Automatic optimization upon bandwidth threshold crossing
 Maintenance window-triggered optimization

⚫ The optimization trigger mode can be Traffic, Delay, or Delay + Traffic.


• Automatic optimization:
▫ Scheduled optimization: You can set the interval for automatically
optimizing network paths to 5 minutes or longer to ensure that the current
service paths are optimal.
▫ Automatic optimization upon bandwidth threshold crossing: You can set the
link threshold. Then, when the bandwidth usage of a link exceeds the
threshold, the system automatically adds tunnels over the link to the path
computation queue and performs optimization when the optimization
period arrives.

▫ Maintenance window-triggered optimization: You can maintain a node or
link. During the maintenance, the node or link is unavailable. After the
maintenance starts or ends, the controller automatically recomputes the
paths of tunnels that pass through the node or link.
▫ The automatic optimization interval is an integer multiple of 5 minutes, for
example, 10 minutes or 15 minutes.

• Optimization policy:
▫ Traffic-based optimization: In this mode, the link threshold must be set. If
the bandwidth usage of links exceeds the threshold, the controller
determines whether to perform local or global optimization based on the
number of threshold-crossing links.
▫ Delay-based optimization: In this mode, the controller traverses and
compares the configured delay of all tunnels with the accumulated delay
collected from forwarders, and performs local optimization on all the
tunnels whose accumulated delay exceeds the configured delay.
▫ Delay+traffic-based optimization: If either of the preceding trigger
conditions is met, traffic optimization is performed.
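The trigger logic described in these notes (Traffic, Delay, and Delay + Traffic policies, link-threshold crossing queuing every tunnel on the link, and the 5-minute interval rule), written out as an added example; this is not iMaster NCE code. The link and tunnel data are constructed, and the number of threshold-crossing links that switches from local to global optimization (3) is an assumption, since the notes give no figure.

```python
"""Tunnel optimization trigger logic modelled on the automatic optimization
policies described in the notes (Traffic, Delay, Delay + Traffic).
Added example, not iMaster NCE code; all inputs below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    bandwidth_usage: float       # fraction of link bandwidth in use (0.0 to 1.0), from telemetry


@dataclass
class Tunnel:
    name: str
    links: list                  # names of the links the tunnel currently traverses
    configured_delay_ms: float   # delay committed for the tunnel
    accumulated_delay_ms: float  # delay collected from forwarders (TWAMP/iFIT)


# Assumption: the notes say local vs global optimization depends on the number of
# threshold-crossing links but give no figure; 3 is a constructed value.
GLOBAL_OPT_LINK_COUNT = 3


def valid_interval(minutes):
    """Scheduled optimization interval: at least 5 minutes and an integer multiple of 5."""
    return isinstance(minutes, int) and minutes >= 5 and minutes % 5 == 0


def traffic_trigger(links, tunnels, link_threshold):
    """Traffic-based optimization: return (scope, tunnels queued for path computation).

    Every tunnel carried by a threshold-crossing link is queued (link optimization
    involves all LSPs on the link). Scope becomes global when many links cross.
    """
    crossing = {l.name for l in links if l.bandwidth_usage > link_threshold}
    if not crossing:
        return "none", []
    scope = "global" if len(crossing) >= GLOBAL_OPT_LINK_COUNT else "local"
    queue = [t.name for t in tunnels if crossing.intersection(t.links)]
    return scope, sorted(queue)


def delay_trigger(tunnels):
    """Delay-based optimization: local optimization for every tunnel whose
    accumulated delay exceeds its configured delay."""
    queue = sorted(t.name for t in tunnels if t.accumulated_delay_ms > t.configured_delay_ms)
    return ("local" if queue else "none"), queue


def plan_optimization(mode, links, tunnels, link_threshold=0.8):
    """Combine the triggers according to the configured optimization policy.
    link_threshold defaults to 0.8 (80% usage), an assumed value."""
    if mode == "Traffic":
        return traffic_trigger(links, tunnels, link_threshold)
    if mode == "Delay":
        return delay_trigger(tunnels)
    if mode == "Delay + Traffic":
        # Either trigger condition is enough; a global traffic trigger widens the scope.
        t_scope, t_queue = traffic_trigger(links, tunnels, link_threshold)
        _, d_queue = delay_trigger(tunnels)
        queue = sorted(set(t_queue) | set(d_queue))
        if not queue:
            return "none", []
        return ("global" if t_scope == "global" else "local"), queue
    raise ValueError(f"unknown optimization mode: {mode}")


# Constructed sample: four links of a PE1/PE2/P1/PE3/PE4 topology and three tunnels.
SAMPLE_LINKS = [Link("PE1-P1", 0.92), Link("P1-PE3", 0.40),
                Link("PE2-P1", 0.55), Link("P1-PE4", 0.85)]
SAMPLE_TUNNELS = [
    Tunnel("T1", ["PE1-P1", "P1-PE3"], 20.0, 15.0),
    Tunnel("T2", ["PE2-P1", "P1-PE4"], 20.0, 26.0),   # accumulated delay exceeds configured
    Tunnel("T3", ["PE2-P1", "P1-PE3"], 30.0, 12.0),
]

if __name__ == "__main__":
    for mode in ("Traffic", "Delay", "Delay + Traffic"):
        print(mode, plan_optimization(mode, SAMPLE_LINKS, SAMPLE_TUNNELS, link_threshold=0.8))
```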

Manual Tunnel Optimization Design


⚫ In manual optimization, the operator analyzes the network status and then adjusts the network
manually. Manual optimization can be performed on demand at any time.
⚫ Manual optimization is typically performed in the following scenarios:
 If the current traffic paths do not meet requirements, you can modify link constraints and then manually trigger
optimization to change traffic paths.
 After configuring a service, you can manually perform network re-optimization to ensure that all tunnel paths
are optimal.
 When the link quality deteriorates (or the bandwidth usage is high but does not reach the automatic
optimization threshold) or the bandwidth usage of links is uneven (some links have high bandwidth usage while
others are idle), you can manually perform local/global optimization.


Application Optimization Overview


⚫ On a network where VPN is deployed and application-based differentiated SLA path assurance is
required, applications can be classified into different types and identified based on differentiated
services code point (DSCP) values. The DSCP value corresponds to the color of a tunnel. Application
traffic can be steered into the corresponding tunnel based on the DSCP value.

Figure: Service 1 (DSCP EF) and Service 2 (DSCP AF41) enter from a CE and are carried over separate SR Policies
across the PE–P–PE bearer network (with an RR) to the remote CE.

Application Optimization Design



⚫ A different DSCP value must be assigned to each application prior to application optimization. Generally, DSCP values are assigned
to applications on the CE side.
⚫ To enable different types of applications to be carried over different tunnels, the SR Policy group+DSCP mode is generally used.

Figure: DSCP values are assigned to applications on the CE side (Service 1: DSCP EF; Service 2: DSCP AF41). Applications from the
same VPN are differentiated by DSCP value: the VPN instance on the PE steers the traffic of different applications into different
SR Policies (SR Policy group 1, SR Policy group 2) based on DSCP values, across the PE–P–PE bearer network with an RR.
Optimization Design Roadmap for the Enterprise Bearer WAN

1. Network optimization design
 Network Performance Monitoring Design
 Network Traffic Optimization Design
 Application Optimization Design
2. O&M design
 User management
 Maintenance window
User Management | Maintenance Window

User Type Overview


⚫ Operations that can be performed by a user on the cloud WAN vary according to the user type. iMaster NCE-IP
provides the following default user roles:

 Administrators: Users attached to this role have permission to perform operations except managing users, querying security logs,
querying personal security logs, and viewing online users.
 SMManagers: Users attached to this role have permission to manage users, query security logs, and view online users.
 Operators: Users attached to this role have permission to perform non-security-related operations.
 Monitors: Users attached to this role have permission to view non-security-related functions, but do not have permission to
perform the corresponding operations.

Figure: The system administrator (admin) sits above the four default roles: Administrators, SMManagers, Operators, and Monitors.


User Monitoring Overview


⚫ By monitoring user sessions, the security administrator can learn information such as online users in
the user system, IP addresses used by these users to access the system, access time, and roles of these
users. When detecting that a user is attempting to perform unauthorized operations, the security
administrator can send an instant message to the user or forcibly deregister the user.
 A user session refers to the connection between a user and the system. A session starts when a user logs in and
ends when the user deregisters or logs out. A user can generate multiple sessions.
 The maximum number of online sessions allowed for a user is specified by the Max. online sessions parameter.

 The function of monitoring user sessions does not involve users' personal information.


Maintenance Window Overview



⚫ When cutting over or maintaining devices and links, you can configure maintenance policies for them. The Network Path Navigation
app allows you to configure maintenance policies for NEs and links.
⚫ After the maintenance starts, the system generates new service tunnel paths that bypass the maintained devices and links. After the
maintenance is complete, the system triggers path computation for traffic optimization.
⚫ During the maintenance window, you can set the maintenance time and maintain the target devices. During the maintenance, the
traffic does not pass through the maintained devices.

Figure: Timeline of peak hours, maintenance window, peak hours. Before the window, the target device for maintenance carries
traffic; while the target device is under maintenance, traffic bypasses the maintained device; after the maintenance is complete,
traffic recovers.

Quiz

1. (Multiple-answer question) Which of the following tunnels can be used to carry IPv6 services? ( )
A. SR-MPLS BE tunnel
B. SRv6 BE tunnel
C. SR-MPLS Policy
D. SRv6 Policy


1. ABCD
Summary
⚫ When designing the enterprise bearer WAN, you need to design the infrastructure network first,
including the physical network, IPv4/IPv6 addresses, and IGP/BGP.
⚫ Tunnels, including SR-MPLS BE tunnels, SR-MPLS Policies, SRv6 BE tunnels, and SRv6 Policies, can be
established on the infrastructure network. During tunnel design, pay attention to the tunnel path
planning, traffic diversion, and best-effort forwarding mode.
⚫ After a tunnel is established, it can carry VPN services. VPN planning must be based on enterprise
service types and requirements.
⚫ Reliability and SLA assurance are also very important for services. QoS and network slicing design helps
ensure service SLA, and high reliability design for controllers, devices, and networks helps ensure
service reliability.
⚫ A network needs optimization and maintenance after it is constructed. Optimization design needs to
cover both performance monitoring and traffic optimization. The maintenance scope needs to be
divided based on user roles, and the network needs to be maintained at a proper time.

Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright © 2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation,
statements regarding the future financial and operating results, future product portfolio, new
technology, etc. There are a number of factors that could cause actual results and developments to
differ materially from those expressed or implied in the predictive statements. Therefore, such
information is provided for reference purpose only and constitutes neither an offer nor an acceptance.
Huawei may change the information at any time without notice.
IPE Key Technologies and Evolution Trends
Foreword

⚫ Given that IPv6 addresses are abundant, secure, and scalable, they have become an
inevitable trend for network evolution. IP Enhanced Innovation (IPE) is a further
development and application of IPv6 technologies and an upgrade of the IPv6-based next-
generation Internet, and can create greater value for users.
⚫ This course introduces the basic concepts, development trends, and key technical
applications of IPE.
⚫ This course also introduces IPv6 network evolution solutions for scenarios such as DCs,
WANs, and campus networks, covering IPv6 network evolution phases and technologies and
network architectures adopted in each phase.

Objectives

⚫ On completion of this course, you will be able to:
 Describe the technical concepts related to IPE.
 Describe the key technical applications of IPE.
 Describe IPv6 network evolution trends in scenarios such as DCs, WANs, and
campus networks.

Contents

1. Technical Background of IPE

2. Key Technical Applications of IPE

3. IPv6 Network Evolution Solutions

Datacom Network: Cornerstone for Digitalization
• The datacom network comprises a variety of datacom devices.
• The digital world connects individuals, enterprises, and computing power.
• The datacom network is the cornerstone for the digital world.

Figure: A DC (computing power) and a carrier metro/backbone network with SD-WAN, security, and O&M
connect enterprises (office, online meeting, manufacturing, site) and individuals (home, terminal).

Understanding IP Forwarding on a Datacom Network
Through a Network Model
Figure: PC1 (192.168.1.1) – R1 – R2 – R3 – PC2 (192.168.2.1), with two high-bandwidth links and one
low-bandwidth link, shown against the network model (application, transport, network, data link, and
physical layers; the routers work at the network layer and below). Routing table on a router:

Destination Network/Mask | Protocol | Next Hop
192.168.2.0/24 | OSPF | R3
… | … | …

Packet layout: Ethernet header (source MAC, destination MAC) | IP header (source IP 192.168.1.1,
destination IP 192.168.2.1) | TCP header (source port, destination port) | payload

• IP is one of the most important protocols at the network layer.
• A device performs IP encapsulation on the payload and forwards the payload on the network.
• Network devices search their routing tables for a matching forwarding entry based on the destination
IP address of the packet and forward the packet along the shortest paths.

Emergence and Application of MPLS
Figure: Labeled packet format: Ethernet header (source MAC, destination MAC) | MPLS header | IP header
(source IP, destination IP) | TCP header (source port, destination port) | payload. MPLS header fields:
Label, EXP, BoS, TTL. An IP packet entering the backbone is label-switched hop by hop (labels 1024,
1036, 1061, and 1099 in the figure), including across a low-bandwidth link.

• Multiprotocol Label Switching (MPLS) is used on IP backbone networks.
• MPLS combines Layer 3 routing with Layer 2 switching by applying connection-oriented label switching
on connectionless IP networks. Therefore, it has the flexibility of IP routing and the simplicity of
Layer 2 switching.
• MPLS is essentially a tunneling technology and supports multiple upper-layer protocols and services.
• MPLS headers are added to IP packets for data forwarding based on MPLS labels.
• MPLS has higher forwarding efficiency, and MPLS labels can carry instruction information to guide
data forwarding.
• It supports applications such as traffic engineering (TE), virtual private network (VPN), and QoS.

History of IP Network Transformation

Figure: Three eras of IP networks.
• Internet IP: IPv4; best effort, manual O&M.
• All IP: MPLS; static policy, semi-automated O&M.
• Intelligent IP (5G & cloud era): IPE, that is, IPv6 + protocol innovation + AI; connectivity of
everything, flexible connections, intelligent O&M.


• After more than 40 years of development, IP networks have actually gone
through three eras.
▫ The first era is the Internet era. The iconic technology of this era is best-
effort forwarding represented by IPv4.
▫ The second era is the all-IP era. The core technology of this era is MPLS,
which supports applications such as TE and E2E VPN.
▫ Currently, we are experiencing the intelligence era of Internet of Everything,
and the core technology of this era is IPE. This era is featured by the shift
from human-to-human and human-to-machine communication to the
Internet of Everything. There are huge bandwidth demands, large numbers
of connections, and flexible connection models. The requirements for
Service Level Agreement (SLA) assurance extend from providing only
connectivity to providing comprehensive capabilities (such as strict delay,
jitter, and packet loss guarantee capabilities), and O&M complexity
increases accordingly. As a result, a new technology is required to empower
this era, and the heavy responsibility of leading networks into the IPE era
falls onto the SRv6 technology family.
From MPLS to SRv6
⚫ SRv6 provides a unified forwarding plane and has advantages such as simplified protocols, high
scalability, and programmability.

Figure: Comparison of the three technologies.
• Classic MPLS: control plane LDP, RSVP-TE, and IGP; forwarding plane Push/Swap/Pop of MPLS labels.
• SR-MPLS: control plane IGP + SR extension; forwarding plane Push/Swap/Pop of MPLS labels.
• SRv6: control plane IGP + SR extension; forwarding plane Push/Continue/Next on IPv6 + SRH.
The figure shows the label stacks over the payload at each step (label values such as 2004, 1368, 222,
1949, and 111 for the MPLS variants, IPv6 + SRH for SRv6).
✓ Simplified protocols (control plane simplification)
✓ High scalability
✓ Programmability (forwarding plane simplification)
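The label stack entry named on the MPLS slide (Label, EXP, BoS, TTL) and the Push/Swap/Pop forwarding-plane operations from the comparison above, carried through in an added example that is not code from the deck. The payload bytes and the per-hop actions are constructed; the label values 2004, 1368, 222, and 1949 are taken from the figure, and their roles as transport and service labels are an assumption.

```python
"""MPLS label stack entry encoding and a push/swap/pop walk along an LSP.
Added example illustrating the header fields on the slide (Label, EXP, BoS, TTL)
and the forwarding-plane operations; not code from the deck. Label values are
taken from the figure; the payload and per-hop actions are constructed.
"""
import struct


def encode_entry(label, exp=0, bos=False, ttl=64):
    """Pack one 32-bit label stack entry: 20-bit Label, 3-bit EXP, 1-bit BoS, 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not (0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("EXP is 3 bits, TTL is 8 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)


def decode_stack(data):
    """Parse label stack entries from the front of data until an entry with BoS set.
    Returns (entries, payload_offset); each entry is a dict with label/exp/bos/ttl."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bos": bool((word >> 8) & 0x1), "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, offset


def push_stack(labels, payload, ttl=64):
    """Ingress LER: push the label list (outermost first) onto an unlabeled payload."""
    last = len(labels) - 1
    stack = b"".join(encode_entry(l, bos=(i == last), ttl=ttl) for i, l in enumerate(labels))
    return stack + payload


def transit(wire, action, out_label=None):
    """One LSR hop: swap or pop the top entry and decrement the TTL of the entry that
    ends up on top. Returns (remaining labels, top TTL, bytes sent onward)."""
    entries, offset = decode_stack(wire)
    payload = wire[offset:]
    top = entries[0]
    if top["ttl"] <= 1:
        raise ValueError("TTL expired; packet would be dropped")
    if action == "swap":
        top["label"], top["ttl"] = out_label, top["ttl"] - 1
    elif action == "pop":
        entries.pop(0)
        if not entries:                       # bottom of stack popped: plain IP leaves the LSP
            return [], None, payload
        entries[0]["ttl"] = top["ttl"] - 1    # uniform model: propagate the decremented TTL
    else:
        raise ValueError(f"unknown label action: {action}")
    last = len(entries) - 1
    stack = b"".join(encode_entry(e["label"], e["exp"], i == last, e["ttl"])
                     for i, e in enumerate(entries))
    return [e["label"] for e in entries], entries[0]["ttl"], stack + payload


def run_lsp(payload, push_labels, hops, ttl=64):
    """Carry payload across an LSP; hops is a list of (action, out_label) applied in order.
    Returns (trace of (labels, top TTL) after ingress and each hop, bytes leaving the LSP)."""
    wire = push_stack(push_labels, payload, ttl)
    trace = [(list(push_labels), ttl)]
    for action, out_label in hops:
        labels, top_ttl, wire = transit(wire, action, out_label)
        trace.append((labels, top_ttl))
    return trace, wire


# Constructed payload and LSP: transport label 2004 is swapped to 1368 and 222 and
# then popped; service label 1949 stays underneath until the egress pops it.
SAMPLE_PAYLOAD = b"\x45\x00\x00\x14constructed-ipv4-packet"
SAMPLE_HOPS = [("swap", 1368), ("swap", 222), ("pop", None), ("pop", None)]

if __name__ == "__main__":
    trace, out = run_lsp(SAMPLE_PAYLOAD, [2004, 1949], SAMPLE_HOPS)
    for labels, top_ttl in trace:
        print("stack:", labels, "top TTL:", top_ttl)
    print("payload intact:", out == SAMPLE_PAYLOAD)
```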
IPE Technology System: Comprehensively Enabling Next-Generation Mobile Networks and the Cloud Era

• Any-to-any connection: SRv6, BIERv6
• Experience assurance: Network slicing, In-band flow measurement
• Intelligent applications: APN6, SFC

⚫ IPE is a technology system oriented to the next-generation mobile networks and cloud era. It uses "IPv6 +
intelligent computing + protocol innovation" to meet next-generation mobile Internet bearer and cloud-network
synergy requirements, such as flexible networking, fast service provisioning, on-demand services, and differentiated
assurance, simplifying network O&M and improving user experience.


• IPE technologies are innovations to the network technology system, represented
by Segment Routing over IPv6 (SRv6), network slicing (FlexE), deterministic
network (DetNet), in-band flow measurement (iFIT), new multicast (BIERv6), and
application-aware IPv6 networking (APN6), and more.
• The IPE technology system is classified into the following three categories:
▫ The first category provides basic connectivity and is represented by SRv6
(used to carry unicast services) and BIERv6 (used to carry multicast
services). Both protocols carry and forward traffic based on the native IPv6
architecture, which eliminates the need for MPLS on the control and
forwarding planes and takes advantage of IPv6's inherent scalability and
other benefits.
▫ The second category provides experience assurance and is represented by
technologies used to reserve network resources, deliver slice-based
deterministic network capabilities, and provide in-band flow measurement.
▫ The third category comprises APN6 and SFC. APN6 provides application-
level network service capabilities from the application perspective, and SFC
provides flexible programming of network capabilities.
• FlexE: Flexible Ethernet
• DetNet: Deterministic Networking
• iFIT: in-situ Flow Information Telemetry
• BIERv6: Bit Index Explicit Replication IPv6 Encapsulation
• APN6: Application-aware IPv6 Networking
IPE Development Phases
Phase 1: network programming
• Simplified, partially autonomous networks
▫ Based on SRv6 BE/Policy, featuring fast service provisioning, flexible path control, and automated
configuration delivery.
Phase 2: user experience assurance
• Experience-guaranteed, conditionally autonomous networks:
▫ Based on new technologies such as network slicing, in-band flow measurement, new multicast,
deterministic forwarding, and security, featuring visualized and optimal user experience.
Phase 3: application-driven network
• Application-aware, highly autonomous networks:
▫ Application-aware network, application-driven network programming, and per-flow SLA assurance.

Figure: Phase 1 shows lower-level subnet information collection over SRv6 across a traditional DC, a
campus network, and the cloud. Phases 2 and 3 show SRv6-based low-delay and high-bandwidth network
slices (slice 1, slice 2, default slice) with a slice topology serving applications such as office
collaboration and video conferencing.

⚫ The next-generation Internet requires more than just IPv6, which is only a starting point and platform for
innovation of the next-generation Internet. The IPE roadmap facilitates systematic network evolution. With the
large-scale deployment of IPv6, IPE technologies represented by SRv6 will be widely used to build intelligent,
simplified, and automated next-generation networks with committed SLAs.

• Phase 1:
▫ SRv6 is used to simplify protocols, resolve the low efficiency problem caused
by segment-based configuration and manual cross-domain configuration
on traditional MPLS networks, and achieve fast E2E service provisioning
across domains.
▫ In addition, SRv6 Policies can quickly adjust and optimize paths, improving
network-wide flexibility and laying a foundation for autonomous networks.
• Phase 2:
▫ Network slicing and FlexE are introduced to provide deterministic
forwarding and differentiated dedicated network experience. Layer 2 FlexE
and Layer 3 network slicing provide dedicated network resources for
different services, E2E service isolation, and manageable and controllable
paths. In this way, different services can be transmitted on the same
network. Abundant slices ensure that each service can enjoy dedicated
network experience and deterministic forwarding with controllable delay
and jitter.
▫ Moreover, the in-band flow measurement mechanism reports service traffic
status in real time, enabling network experience visualization. This allows us
to determine whether service quality deteriorates in a timely manner. If
service quality deteriorates, we can adjust service configurations in a timely
manner to ensure optimal user experience.
• Phase 3:
▫ In this phase, we not only need to ensure service experience, but also need
to deliver experience assurance at a finer granularity (application level).
▫ IPv6 apps can directly carry application information in IPv6 extension
headers, enabling the network to identify user and application information
and provide fine-grained differentiated network channels.
Contents

1. Technical Background of IPE

2. Key Technical Applications of IPE

3. IPv6 Network Evolution Solutions

SRv6 Network Slicing In-band Flow Measurement New Multicast

SRv6 for Flexible Forwarding Path Orchestration


⚫ A carrier provides a DDoS attack mitigation service through traffic cleaning to ensure network security.
⚫ The carrier has multiple backbone networks. Network A has only the IP routing and forwarding capability, but
has sufficient bandwidth resources. Network B has the VPN service capability, but has limited bandwidth resources.

As-Is: Cleaned traffic is diverted through network A (without VPN isolation). The supported traffic scale is limited.
Figure (as-is): To-be-cleaned traffic (such as attack traffic) from the Internet is sent to the DDoS cleaning center
before it is forwarded toward the cloud DC. (1) Network B has the VPN service capability, but the supported
service scale is limited during traffic diversion. (2) Traffic will be diverted again due to a lack of the VPN
service capability on network A.

To-Be: Native IPv6-based SRv6 VPN is deployed, allowing the service scale to expand by 10 times.
Figure (to-be): SRv6 only needs to be enabled on the egress node and the cloud ASBRs to implement E2E VPN over
network A. Cleaned traffic is diverted by the native IPv6 VPN.


• This figure shows a typical SRv6 deployment case. A carrier provides network
security services for customers. To prevent DDoS attacks, the traffic to the DC
needs to be cleaned by the DDoS cleaning center first. Such traffic traverses the
backbone network.
▫ The carrier has two backbone networks. Network A has high bandwidth but
does not have the VPN service capability. As a result, cleaned traffic may be
sent back to the cleaning center if network A is used.

▫ Network B has the VPN service capability but does not have high
bandwidth. It is unable to support the cleaning of all service traffic.
▫ The volume of to-be-cleaned traffic is large. If such traffic is diverted
through network A (without VPN isolation), cleaned traffic may be diverted
back to the cleaning center, causing a loop. If such traffic is diverted
through network B, the bandwidth resources of network B become a
bottleneck as the service scale expands.
• In this situation, SRv6 can be deployed on network A to direct traffic to this high-
bandwidth backbone network. This implementation can provide protection for
hundreds of DCs. SRv6 is easy to deploy and supports fast service provisioning.
SRv6 Enables Fast E2E Service Provisioning and One-Hop Cloud Access

⚫ With the acceleration of digital transformation, cloudification has become an inevitable trend of enterprise
development. Traditional private lines cannot meet the agile requirements of the cloud era in terms of provisioning
speed and service quality.

As-Is: Cloud-network separation results in slow provisioning of site-to-cloud private lines for enterprises.
(1) Cloud-network separation, with cloud resources interconnected case by case based on enterprise requirements.
(2) Segment-by-segment deployment (enterprise-side, metro, backbone, and cloud-side deployment along
CPE – metro – backbone – cloud PE), multi-party collaboration required, deployment taking 1 to 2 months.

To-Be: Cloud-network convergence enables one-hop cloud access and provisioning of site-to-cloud private lines
within two days.
(1) Cloud-network convergence, with cloud PEs pre-integrated with numerous cloud resources.
(2) E2E EVPN over SRv6 deployed between CPEs and cloud PEs (CPE – metro – cloud backbone – cloud PE) to enable
one-hop cloud access.


• Currently, large numbers of enterprises are deploying their services on the cloud.
Carriers must consider how to quickly provision site-to-cloud private lines for
enterprises.

▫ Traditional private lines, such as MPLS private lines, may involve multiple
ASs. Different ASs are managed and maintained by different management
teams. The provisioning of a private line for one-hop cloud access involves
collaboration and coordination among multiple departments.

▫ With SRv6, the deployment is easy. An E2E SRv6 logical private line can be
established between the enterprise CPE and cloud PE to carry cloud-based
services, achieving one-hop cloud access. Moreover, private line provisioning
is very fast in this case.

• As shown in the figure, carriers want to build a cloud backbone network to
enhance their market competitiveness in the cloud era by delivering one-hop
cloud access and cloud-network convergence capabilities to enterprises.
SRv6 Implements Delay-based Path Computation and Flexible Optimization

⚫ The backbone network of a carrier is a native IP network, which provides best-effort IP forwarding for services. The
carrier wants to provide differentiated services for customers and increase revenue by improving the user
experience of delay-sensitive services.

As-Is: unified service bearer, best-effort IP forwarding (Metro 1 and Metro 2 reach the DC over the backbone)
(1) Services treated equally regardless of service types: unified service bearer, no service differentiation.
(2) The network loads are uneven. Service paths are adjusted based on cost, complicating deployment.
(3) There is no VPN service capability, and services are not isolated.

To-Be: SRv6-based low-delay and differentiated service experience (common links and low-delay links on the backbone)
(1) The controller orchestrates service paths based on service delay requirements (network information collection,
low-delay path orchestration).
(2) Some services are flexibly and dynamically steered to other paths based on link loads and delay.
(3) SRv6 L3VPN provides service isolation.


• As shown in the figure, the backbone network of a carrier is a native IP network,
which provides best-effort IP forwarding for services. The carrier's DC provides
cloud services for users, and some of these services are delay-sensitive. The
current network does not differentiate delay-sensitive services from common
services during service transmission, resulting in poor user experience of delay-
sensitive services. Moreover, because services are forwarded along least-cost
paths, network loads are uneven, and network management and maintenance
are complex. Against this backdrop, the carrier wants to provide differentiated
services for customers and increase revenue by improving the user experience of
delay-sensitive services.
• The iMaster NCE + SRv6 solution measures the delay of each link on the network
and computes paths based on the shortest delay. This solution allows public
cloud-based services to travel along the shortest-delay paths, improving the
competitiveness of the public cloud.
Multi-Service Bearer Through Network Slicing in a Power Company

Figure: Office services (various office services, office automation, video surveillance, office phone) and
production services (production O&M, dispatch phone, relay protection, WAMS) from the campus, DC, and
customer service are carried over one network in four slices (slice 1 to slice 4).

• Physical network slicing: The TDM-based FlexE technology divides the physical network into multiple slices
on demand to isolate different services and ensure service SLAs. Flexible, convenient service deployment.
• Unified bearer: The controller deploys network resources in a unified manner to carry power services,
implementing intelligent optimization.
• Support for network evolution over the next 10 years: smooth upgrade to 100G/200G; smooth evolution to
SRv6 + EVPN.


• WAMS: Wide Area Measurement System


Application of iFIT to One-Financial-WAN-for-All-Services Scenarios

⚫ In a one-financial-WAN-for-all-services scenario, SRv6 can quickly and conveniently establish basic
network connections between clouds and various access points, ensuring efficient service provisioning.

• Solution highlights:
▫ In SRv6 scenarios, tunnel-level iFIT can be enabled to measure the quality of each SRv6 segment list and
select the optimal link. The link currently in use is periodically compared with the optimal link for path
selection and optimization, implementing intelligent traffic steering.
▫ One controller is deployed to perform centralized O&M on the entire financial network and implement E2E
management and scheduling.

Figure: Outlets and branches (CPEs) reach the head office and the clouds through the aggregation layer and
core layer over SRv6; an iFIT measurement domain covers candidate path 1, candidate path 2, and so on.


• One WAN for all services is a technology that provides cross-domain network
services through coordination among different networks. In the financial industry,
tier-2 banks, outlets, subsidiaries, and external organizations access the head
office DC through tier-1 banks, which aggregate service traffic and forward
aggregated traffic to the bank core network.

• The financial industry has high requirements on SLA performance. With the
development of banking services, diversified service types have emerged in
outlets. In addition to traditional production and office services, there are also
security protection, IoT, public cloud, and other services. This poses higher O&M
requirements on the one-financial-WAN-for-all-services scenario. Against this
backdrop, Huawei proposes the iFIT tunnel-level measurement solution.
Application Trends of Multicast Technologies


⚫ Currently, video traffic accounts for a large proportion of Internet traffic, including video calls, video sharing, and
video conferences. High Definition (HD) visual and new interactive videos may become the main social means in
the future, and media gradually evolve to Virtual Reality (VR)/Augmented Reality (AR). These new services pose
new requirements on network bandwidth and user experience.

Figure: Multicast technical benefits (reduced network load, reduced server load) and new services (VR,
video streaming, online education, HD video, video conferencing).

⚫ While the potential applications of multicast are booming, the trend of adopting IPv6-based networks becomes
more and more prominent. As IPv6 becomes more widely adopted and new service scenarios require higher
bandwidth and better user experience, multicast technologies on IPv6 networks need to continuously evolve in
order to keep pace with new service scenarios and technology development trends.

New Multicast Technology


⚫ Compared with conventional multicast protocols, Bit Index Explicit Replication (BIER)/Bit Index Explicit Replication
IPv6 Encapsulation (BIERv6) uses the basic IGP and unicast routing forwarding mechanisms combined with the
BitString mechanism to implement multicast packet replication and forwarding.

Figure: Multicast clients behind R4 (BFR-ID 2), R5 (BFR-ID 3), and R7 (BFR-ID 5) each report "I want to watch
multicast channel X". R1 combines 2, 3, and 5 into a BitString and encapsulates the BitString into packets so that
the packets can reach R4, R5, and R7. The transit nodes (R2, R3, R6) replicate packets according to the BitString
generated based on BFR-IDs.

Basic Concepts of Bit Index Explicit Replication (BIER)
• BIER domain: network domain that supports BIER forwarding. A BIER domain can be divided into multiple
sub-domains, and each BIER domain contains at least one sub-domain.
• Bit Forwarding Router (BFR): a router that supports BIER forwarding.
▫ Bit Forwarding Ingress Router (BFIR): ingress router in a BIER domain.
▫ Bit Forwarding Egress Router (BFER): egress router in a BIER domain.
▫ Edge BFR: BFIRs and BFERs are collectively referred to as edge BFRs. That is, edge BFRs refer to source and
destination nodes in a BIER domain.
• Bit Forwarding Router Identifier (BFR-ID): dedicated identifier of an edge BFR, with the value ranging from 1
to 65535.
• BitString: 256-bit (or 32-byte) set consisting of BFR-IDs of destination nodes. The position or index of each
bit in the BitString indicates a specific edge node.


• BIER overview:
▫ This multicast technology encapsulates the set of destination nodes of multicast
packets as a BitString in the packet header before sending the packets. With
this multicast technology, transit nodes do not need to establish a multicast
distribution tree (MDT) for each multicast flow, or maintain the states of
multicast flows. Instead, the transit nodes replicate and forward packets
according to the BitString in the packet header.
▫ In BIER, each destination node is a network edge node. For example, on a
network with no more than 256 edge nodes, each edge node is configured
with a unique value ranging from 1 to 256. In this case, the set of
destinations is represented by a 256-bit (32-byte) BitString, and the
position or index of each bit in the BitString indicates an edge node. This
explains the meaning of Bit Index Explicit Replication.
▫ Because transit nodes forward purely on the BitString carried in the packet, the
BitString can be trusted only because it was set by a BFIR inside the domain.
BIER-encapsulated packets arriving on an interface that faces outside the BIER
domain must therefore be discarded; otherwise an external sender could inject
a packet with an all-ones BitString and have the domain replicate it to every
edge node.
• Advantages of BIER:
▫ Supports large-scale multicast service scenarios and reduces resource
consumption, as BIER does not need to establish an MDT for each multicast
flow or maintain the states of multicast flows.
▫ Improves the efficiency with which multicast users join groups in SDN
scenarios, because user requests do not need to be forwarded along the
MDT hop by hop; instead, leaf nodes send them directly to the ingress node.
This suits an SDN controller that collects the set of destinations and directly
delivers it to the ingress node, which then sends the multicast packets to
that set.
• BIERv6 inherits the advantages of BIER and uses IPv6 to program paths,
functions, and objects, facilitating multicast forwarding on SRv6-based networks.

BIER Multicast Traffic Forwarding Mechanism

[Figure: PE4 (edge node, BFR-ID 4) connects to transit node P2. P2 connects to PE3 (edge node, BFR-ID 3) and to
transit node P1. P1 connects to PE1 (edge node, BFR-ID 1) and PE2 (edge node, BFR-ID 2). Each link is labeled
with the BitString carried by the data packet on it, as listed in the steps below. BitStrings are written with
BFR-ID 1 as the rightmost bit, so 0111 denotes the set {1, 2, 3}.]

To send multicast traffic of (S1, G1) to PE1, PE2, and PE3, PE4 encapsulates the multicast packet with the
BitString 0111. The multicast traffic is sent as follows:
1. PE4 -> P2: In the packet sent from PE4 to P2, the BitString is 0111 (set of the BFR-IDs of PE1, PE2, and PE3).
2. P2 -> PE3: In the packet sent from P2 to PE3, the BitString is 0100 (containing only the BFR-ID of PE3).
3. P2 -> P1: In the packet sent from P2 to P1, the BitString is 0011, which contains the set of BFR-IDs of PE1 and
PE2, with the BFR-ID of PE3 removed.
4. P1 -> PE1: In the packet sent from P1 to PE1, the BitString is 0001 (containing only the BFR-ID of PE1).
5. P1 -> PE2: In the packet sent from P1 to PE2, the BitString is 0010 (containing only the BFR-ID of PE2).

BIFT of BFR-PE4         BIFT of BFR-P2          BIFT of BFR-P1
ID   F-BM   NBR         ID   F-BM   NBR         ID   F-BM   NBR
1    0111   P2          1    0011   P1          1    0001   PE1
2    0111   P2          2    0011   P1          2    0010   PE2
3    0111   P2          3    0100   PE3         3    1100   P2
4    1000   PE4         4    1000   PE4         4    1100   P2

• The ID refers to a BFR-ID. To forward packets to the node of a specified BFR-ID, the device queries the entry
corresponding to that BFR-ID.
• F-BM is short for Forwarding BitMask. It indicates the set of BIER domain edge nodes that are reachable through
the next hop after packets are replicated and sent to that next hop. Before a copy is sent to a neighbor, the
packet's BitString is ANDed with the entry's F-BM, and the bits covered by that F-BM are then cleared from the
BitString so that no other copy serves the same destinations.
• NBR is short for neighbor. It indicates the next-hop neighbor through which packets can reach the node of a
specified BFR-ID.

• Bit allocation fundamentals: BIER floods the mapping between each edge node's bit
position (BFR-ID) and its prefix through IS-IS LSPs (IS-IS for BIER is used as an
example). From the flooded mappings and its unicast next hops toward those
prefixes, each device builds its complete BIFT. The BIFT has the following
characteristics:
▫ Each directly connected neighbor has one F-BM, shared by every BFR-ID that is
reached through that neighbor.
▫ Each entry contains the set of edge nodes that are reachable through that
neighbor.
• BIFT: Bit Index Forwarding Table
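• Worked example (added here; this is not Huawei code or part of the original material): a small Python model of the
mechanism described on the previous two slides. It derives each node's BIFT from its unicast next hops toward the
prefix of every BFR-ID, exactly as the flooding note above describes, and then replays PE4's (S1, G1) packet with
BitString 0111 through the PE4/P2/P1/PE1/PE2/PE3 topology using the AND-with-F-BM and clear-covered-bits rule.
The unicast next hops for PE4, P2, and P1 are taken from the BIFTs on the slide; those for PE1, PE2, and PE3 are
assumed so that any PE can act as the BFIR. A 4-bit BitString is used instead of 256 bits, and a bit whose BFR-ID has
no BIFT entry is cleared rather than forwarded, which is the safe behaviour for an unknown or out-of-domain ID.

```python
"""Toy BIER forwarding model (added example, not Huawei code). BIFTs for PE4, P2 and P1
match the slide; the BIFTs of PE1, PE2 and PE3 are assumed. BitString length is 4 bits."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BSL = 4  # BitStringLength of this toy; the slide uses 256 bits


@dataclass(frozen=True)
class BiftEntry:
    fbm: int  # F-BM: OR of the bits of every edge BFR reachable through nbr
    nbr: str  # next-hop neighbour for this BFR-ID


@dataclass
class Bfr:
    name: str
    bfr_id: Optional[int]                     # None for transit-only nodes (P1, P2)
    bift: Dict[int, BiftEntry] = field(default_factory=dict)


def bit(bfr_id: int) -> int:
    """BFR-ID k is bit position k of the BitString, i.e. the value 1 << (k - 1)."""
    if not 1 <= bfr_id <= BSL:
        raise ValueError(f"BFR-ID {bfr_id} outside BitString length {BSL}")
    return 1 << (bfr_id - 1)


def bitstring(bfr_ids) -> int:
    """BFIR-side operation: combine the destination BFR-IDs into one BitString."""
    bs = 0
    for k in bfr_ids:
        bs |= bit(k)
    return bs


def build_bift(next_hops: Dict[int, str]) -> Dict[int, BiftEntry]:
    """Derive a BIFT from the unicast next hop toward each BFR-ID's prefix (what IGP flooding
    of BFR-ID/prefix bindings plus SPF yields). The F-BM of an entry is the OR of the bits of
    every BFR-ID that shares the same next hop, so one F-BM exists per neighbour."""
    per_nbr: Dict[str, int] = {}
    for k, nbr in next_hops.items():
        per_nbr[nbr] = per_nbr.get(nbr, 0) | bit(k)
    return {k: BiftEntry(per_nbr[nbr], nbr) for k, nbr in next_hops.items()}


def forward(node: Bfr, bs: int) -> Tuple[bool, List[Tuple[str, int]], int]:
    """One BFR's replication step: (delivered locally?, [(nbr, BitString), ...], dropped bits)."""
    delivered = False
    if node.bfr_id is not None and bs & bit(node.bfr_id):
        delivered = True                      # this node is itself one of the destinations
        bs &= ~bit(node.bfr_id)
    copies: List[Tuple[str, int]] = []
    dropped = 0
    while bs:
        low = bs & -bs                        # lowest set bit still to be served
        entry = node.bift.get(low.bit_length())
        if entry is None:                     # no BIFT entry for this BFR-ID: clear it, never forward blindly
            dropped |= low
            bs &= ~low
            continue
        copies.append((entry.nbr, bs & entry.fbm))  # one copy per neighbour, BitString masked to it
        bs &= ~entry.fbm                      # bits now covered; prevents a second copy to the same edges
    return delivered, copies, dropped


def simulate(nodes: Dict[str, Bfr], ingress: str, bs: int):
    """Walk one packet through the domain; returns the per-link BitStrings and the egress set."""
    links: List[Tuple[str, str, int]] = []
    egresses: Set[str] = set()
    queue = deque([(ingress, bs)])
    while queue:
        name, cur = queue.popleft()
        delivered, copies, _ = forward(nodes[name], cur)
        if delivered:
            egresses.add(name)
        for nbr, out_bs in copies:
            links.append((name, nbr, out_bs))
            queue.append((nbr, out_bs))
    return links, egresses


# Constructed unicast next hops (IGP SPF result) from each node toward each BFR-ID's prefix.
UNICAST_NEXT_HOPS: Dict[str, Dict[int, str]] = {
    "PE4": {1: "P2", 2: "P2", 3: "P2", 4: "PE4"},
    "P2":  {1: "P1", 2: "P1", 3: "PE3", 4: "PE4"},
    "P1":  {1: "PE1", 2: "PE2", 3: "P2", 4: "P2"},
    "PE1": {1: "PE1", 2: "P1", 3: "P1", 4: "P1"},   # assumed; not on the slide
    "PE2": {1: "P1", 2: "PE2", 3: "P1", 4: "P1"},   # assumed; not on the slide
    "PE3": {1: "P2", 2: "P2", 3: "PE3", 4: "P2"},   # assumed; not on the slide
}
BFR_IDS = {"PE1": 1, "PE2": 2, "PE3": 3, "PE4": 4}


def build_domain() -> Dict[str, Bfr]:
    return {n: Bfr(n, BFR_IDS.get(n), build_bift(nh)) for n, nh in UNICAST_NEXT_HOPS.items()}


if __name__ == "__main__":
    links, egresses = simulate(build_domain(), "PE4", bitstring({1, 2, 3}))
    for src, dst, out_bs in links:
        print(f"{src} -> {dst}: BitString {out_bs:0{BSL}b}")
    print("delivered to", sorted(egresses))
```

Running it reproduces the five per-link BitStrings listed in the steps above (0111, 0100, 0011, 0001, 0010) and delivers the packet to PE1, PE2, and PE3 only once each. Clearing the F-BM bits after each copy is what keeps replication to exactly one copy per neighbour; removing that line would duplicate packets wherever two BFR-IDs share a next hop.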


BIERv6

⚫ In terms of unicast forwarding, SRv6, which is based on the IPv6 data plane, has developed rapidly and overtaken
SR-MPLS, which is based on the MPLS data plane. In terms of multicast, a solution was needed that keeps the BIER
architecture and its BitString encapsulation but does not depend on MPLS, so as to match the development trend
of IPv6 networks. Against this background, BIERv6 was proposed in the industry.
⚫ BIERv6 inherits the core design concept of BIER. It uses the BitString to guide multicast packet replication and
forwarding to specified receivers and eliminates the need for transit nodes to establish MDTs, thereby implementing
stateless forwarding.

BIER encapsulation:    Ethernet | MPLS Label | BIER | VPN Label | Payload
BIERv6 encapsulation:  Ethernet | IPv6 Header (VPN) | BIER | Payload

⚫ The main difference between BIERv6 and BIER is that BIERv6 is a multicast solution based on native IPv6 rather
than MPLS labels.

• Advantages of BIERv6:
▫ Simplified network protocols:
▪ BIERv6 uses IPv6 addresses to carry Multicast VPN (MVPN) and global table
multicast (GTM) services, further simplifying protocols and eliminating the
need to allocate, manage, and maintain MPLS labels.
▪ BIERv6 has high extensibility as it complies with the design concept of
SDN and network programming.
▫ Simplified deployment and O&M:
▪ BIERv6 uses an IPv6 extension header to carry BIER forwarding
instructions, eliminating the need for MPLS label-based forwarding.
IPv6 extensibility facilitates the evolution and addition of new features.
▪ Because multicast services are configured only on the ingress and egress
nodes (transit nodes only perform BIERv6 forwarding), transit nodes are
unaware of multicast service changes. When the network topology changes,
there is no need to withdraw or re-establish numerous MDTs, thereby
greatly simplifying O&M.
▫ High network reliability:
▪ BIERv6 uses IGP extensions to flood BIER information, from which
each node builds a multicast forwarding table for data forwarding.
In addition, BIERv6 uses unicast routes to forward traffic, meaning that
there is no need to establish MDTs. This eliminates complex protocol
processing such as shared-tree maintenance and SPT switchover.
▪ BIERv6 also reduces the number of entries that need to be stored
because it does not need to maintain per-flow MDT states. If a fault
occurs on the network, devices only need to update the entries in their
BIFTs after the underlay routes converge. This ensures fast BIERv6
convergence when a fault occurs, thereby improving reliability and
enhancing user experience.

BIERv6 Application in an IPTV Scenario

⚫ IP video services include live TV (such as news, sports events, movies and TV series, and live webcasting), video on
demand (VOD), and video surveillance. Video transmission service applications such as 4K IPTV, 8K VR, smart city,
smart home, autonomous driving, telemedicine, and safe city are expected to grow dramatically in the near future,
especially in countries and regions with fast economic development.

[Figure: a 4K video source sends multicast traffic across the IP backbone network and the IP metro network; PE
nodes, access (ACC) devices, and OLTs deliver it to 4K TV receivers in two branches.]

• In the figure, MVPN over BIERv6 is deployed on the public network to carry IPTV traffic. BIERv6 multicast
technology greatly reduces the network load and improves user experience (for example, it ensures fast VOD,
clear images, and smooth playback).
• In addition, this solution features simple deployment, O&M, and capacity expansion and is suitable for
large-scale deployment.

• IPTV: Internet Protocol Television
• OLT: Optical Line Termination
Contents

1. Technical Background of IPE

2. Key Technical Applications of IPE

3. IPv6 Network Evolution Solutions

Overview DC WAN Campus Network Other Systems

General Principles for IPv6 Network Evolution

⚫ The purpose of enterprise network evolution to IPv6 is to build IPv6 capabilities on the existing network architecture and meet the
requirements of current network service development. From the perspective of enterprise services, IPv6 reconstruction requires that
the original IPv4 services remain available during network evolution and upgrade and that the network security level after evolution be
higher than or equal to that of the original IPv4 network.

Considering reconstruction cost, technology evolution, and impact scope, it is recommended that enterprise IPv6 reconstruction
comply with the following principles:
 Smooth evolution: IPv6 network upgrade and reconstruction involve changes to basic protocols. During network evolution, ensure that existing
users are unaware of these changes and existing services are migrated smoothly.
 Future readiness: Seize IPv6 evolution and upgrade opportunities and build an advanced next-generation enterprise IPv6 network architecture that fully
supports the long-term development and stable operation of enterprise service systems, avoiding repeated network construction and investment.
 Economical feasibility: Select a proper IPv6 upgrade and evolution solution from an overall perspective based on the current enterprise
network system conditions, so as to reuse existing devices where appropriate and avoid wasting assets.
 Architecture optimization: The IPv6 evolution of enterprise networks provides an opportunity to update or reconstruct the enterprise system
management architecture, for example by adding strict control of enterprise addresses and unified management of DNS resources.

• Enterprise services can be classified into Internet services, DMZ services, and
enterprise-built service systems. Internet services and DMZ services depend on
external network applications and user environments and require long-term
coexistence of IPv4 and IPv6 user access. This factor must be considered during
IPv6 reconstruction of enterprise networks.

Logical Architecture Panorama of Enterprise Networks

[Figure: DC 1 through DC N and the Internet connect to the WAN, which consists of an enterprise-built WAN, carrier
private lines, and Internet private lines. Three campus types attach to the WAN: the production campus (production
system, egress, and access layers, reached over a dedicated network), large- and medium-sized office campuses
(egress and access layers, reached over a dedicated network), and small branch campuses (egress and access
layers).]

• DCN:
▫ Based on the service scope, enterprise DC services can be classified into
external services and internal applications.
▪ The front-end servers for external services are generally deployed in
the DMZ of the DC and connect to external user devices through the
Internet egress zone.
▪ Internal applications mainly involve the DC's internal service networks
(such as networks in the WAN egress zone and service zone).
▫ From the perspective of service reconstruction, the DCN can be classified
into the internal application network, DMZ (for external services), Internet
egress, and internal service network during IPv6 evolution and upgrade
planning.
• WAN:
▫ Multiple backhaul solutions are available for interconnection between
enterprise branches, such as enterprise-built WAN, carrier MPLS
L2VPN/L3VPN, and Internet private line.
▫ The IPv6 evolution of enterprise WANs mainly considers the WAN upgrade
policy.
• Campus network:
▫ Office campuses can be classified into HQ campuses and branch campuses.
The two types of campuses have different networking scales. Moreover,
branch campuses may have multiple WAN backhaul access modes, such as
enterprise-built WAN and carrier private line. Therefore, targeted design is
required during IPv6 evolution and upgrade design.
▫ A large number of production terminals and systems are deployed in
production campuses. Most production service flows are closed within
campuses. The production systems and terminals on production campuses
have long lifecycles. Therefore, networks must support IPv4/IPv6 dual-stack
services for a long period of time, and IPv4 + IPv6 interworking must be
considered.

IPv6 Network Migration Process

⚫ The entire IPv6 migration process for enterprise networks can be divided into three phases:
 Phase 1: Prioritize pipe upgrade and Internet egress upgrade, including DMZ upgrade, WAN upgrade, and IPv6 test field construction.
 Phase 2: Fully upgrade internal networks, such as upgrading the DCN and production campus networks and reconstructing office campus networks.
Moreover, configure services to preferentially access IPv6 networks.
 Phase 3: Switch internal applications to IPv6 channels and retain the IPv4 capability for external Internet access.

[Table: IPv4/IPv6 status of each network zone per phase. Columns: DC (internal applications, DMZ public service,
Internet egress, DCN), WAN, office campus (HQ campus, branch campus), and production campus (production
campus network, production system). Rows: Now, Phase 1, Phase 2, Phase 3, Future. In the Now row every zone
is v4; in the Future row every zone is v6. The Phase 1 to Phase 3 rows move each zone through v4/v6 dual stack
toward v6 in the order described in the phase list above and in the notes below.]

• The overall IPv4-to-IPv6 network migration principle is "DCN first, WAN second,
and campus network reconstruction on demand".
▫ Phase 1: Deploy dual-stack services in the DC's public service and test zones,
IPv4 single-stack services on the WAN's underlay network and dual-stack
services on the WAN's overlay network, and pilot dual-stack services on the
campus network.
▫ Phase 2: Gradually apply dual stack to the DC's internal applications and to
the office campus part of the campus network, and apply dual stack to the
production campus part of the campus network.
▫ Phase 3: Comprehensively apply IPv6 single stack to the DC's internal
applications and ensure that the WAN gradually evolves to an IPv6-only
network.

IPv6 Network Evolution Solutions

Network layer         Phase 1: Dual-Stack Service                   Phase 2: Dual-Stack Service               Phase 3: Single-Stack Service
Management and        IPv4 management channel                       IPv4/IPv6 dual-stack management channel   IPv6 management channel
control layer
DCN                   Traditional DC: dual stack;                   VXLAN underlay IPv6 + overlay dual stack  VXLAN underlay IPv6 + overlay IPv6
                      VXLAN underlay IPv4 + overlay dual stack
Bearer WAN            Dual stack over MPLS (6VPE);                  Dual stack over SRv6                      IPv6 over SRv6
                      native IP dual stack;
                      dual stack over SRv6
Campus network        Traditional campus network: dual stack;       Virtualized campus network:
                      virtualized campus network: VXLAN             VXLAN underlay IPv6 + overlay dual stack
                      underlay IPv4 + overlay dual stack

• DCN:
▫ The reconstruction solutions for the Internet access zone include NAT64, IVI
(a stateless IPv4/IPv6 address-mapping translation), and dual-stack
reconstruction. It is recommended to use the dual-stack solution to provide
IPv6 addresses and service capabilities.
▪ NAT64 is limited by session table specifications and consumes a lot of
resources. As the number of IPv6 terminals increases, NAT64 becomes a
performance bottleneck for IPv6 service development. Therefore, NAT64 is
applicable only to the early deployment of IPv6 services and is not
recommended as a target solution.
▪ The IPv6 address structure required by IVI is constrained and does not meet
the IPv6 address planning principles. Therefore, IVI is not recommended for
large-scale deployment.
▫ Internal network resource pool reconstruction mainly uses dual-stack
solutions, including VXLAN underlay IPv4 + overlay dual stack and VXLAN
underlay IPv6 + overlay dual stack.
▪ VXLAN underlay IPv4 + overlay dual stack can be used for initial dual-
stack reconstruction to quickly provide IPv6 service bearer capabilities.
▪ VXLAN underlay IPv6 + overlay dual stack can be used for new DCN
deployment and existing DCN reconstruction. This facilitates gradual
evolution to IPv6-only networks.
• WAN:
▫ WAN IPv6 reconstruction solutions mainly include dual stack, 6VPE, and IPE.
▪ Networks without VPN services can use native IPv4 and native IPv6
dual-stack forwarding. Increasing SLA requirements, such as requirements
for on-demand optimization and intelligent O&M, will gradually drive
network evolution to IPE, so that these networks can provide better service
assurance and experience capabilities. Finally, these networks will evolve to
IPv6-only networks.
▪ For networks with VPN services, it is recommended that they directly
evolve to IPE, which provides the IPE bearer for interconnection between
campuses and DCs.
• Campus network:
▫ Campus IPv6 reconstruction solutions mainly include dual stack, VXLAN
underlay IPv4 + overlay dual stack, and VXLAN underlay IPv6 + overlay dual
stack.
▪ For campus dedicated networks that do not require VPN services, it is
recommended to use dual stack to provide IPv6 services, gradually
evolve these networks to IPE to provide high-order features such as
SDN, fast service cloudification, on-demand optimization, and
intelligent O&M, and finally evolve these networks to IPv6-only
networks.
▪ For networks that require VPN isolation, it is recommended to use
VXLAN underlay IPv4 + overlay dual stack to quickly provision IPv6
services and implement SDN, gradually evolve these networks to IPE,
and finally evolve these networks to IPv6-only networks.

DCN IPv6 Evolution Overview

[Figure: DCN zones. The WAN access zone (WAN router, DC-PE, DC-CE, firewall) and the Internet access zone
(Internet router, anti-DDoS, access switch, firewall, IPS) connect to the extranet core and intranet core. Behind the
cores sit the OAM zone (access switches, firewall, management service zone, out-of-band management zone),
the intranet resource pool (border leaf, spine, leaf, and firewall in a VXLAN domain, plus distribution switches), and
the Internet resource pool/DMZ (border leaf, spine, leaf, and firewall in a VXLAN domain).]

Evolution Strategies
• Internet zone (new deployment is recommended):
▫ Internet access zone: dual stack
▫ Internet resource pool: new fabric deployment, VXLAN underlay IPv6 + overlay dual stack
• Intranet resource pool:
▫ Live network reconstruction: VXLAN underlay IPv4 + overlay dual stack
▫ New fabric deployment: VXLAN underlay IPv6 + overlay dual stack
• OAM zone:
▫ Live network reconstruction: dual stack
• Other zones (WAN access area and core area):
▫ Live network reconstruction or new deployment: dual stack

• DCN architecture:
▫ The underlay network refers to the physical network or infrastructure
network. Any two nodes on the physical network must be routable to each
other. The spine-leaf architecture is recommended for underlay networking.
▪ A spine node is a core node on a VXLAN fabric network, which
provides high-speed IP forwarding and connects to leaf nodes using
high-speed interfaces.
▪ A leaf node is an access node on a VXLAN fabric network, which
connects various network devices to the VXLAN network. According to
the access objects, leaf nodes are classified into border leaf nodes,
server leaf nodes, and service leaf nodes.
▫ The overlay network is a virtualized network built on the underlay network
to carry applications over the physical network while remaining isolated
from other service networks.
• VXLAN is deployed to construct fabric resource pools for the intranet and Internet
resource pools on a DCN.
• DC services mainly involve external public services and enterprise internal
applications. Generally, the external public service system is deployed in the DMZ
of a DC. To provide services for IPv6 users, perform the IPv6 upgrade for external
public services in the DMZ. The upgrade involves the interconnection egress
where the DMZ is located, the DMZ network, and the corresponding public
service system. The dual-stack solution is recommended as the overall evolution
policy, so that both IPv4 and IPv6 Internet users can access public services.
• AS: access switch
• DS: distribution switch, which corresponds to the aggregation switch on a
traditional network.
• IPS: intrusion prevention system
• Anti-DDoS: anti-distributed denial of service

IPv6 Reconstruction for the DC's Internet Access Zone

[Figure: the existing IPv4 Internet access zone (carrier address, static route to the IPv4 Internet; router, anti-DDoS,
access switch, firewall, IPS) and a newly deployed IPv6 Internet access zone (public network address, BGP route to
the IPv6 Internet; router, anti-DDoS, access switch, firewall, IPS) both connect to the extranet core. Each feeds its
own resource pool: the IPv4 Internet resource pool (DMZ) and the IPv6 Internet resource pool (DMZ), each a VXLAN
domain with border leaf, spine, leaf, and firewall.]

• A general way to reconstruct the Internet access zone is to deploy a new IPv6 Internet access zone.
▫ Solution 1: Deploy NAT64 at the egress of the Internet access zone.
▫ Solution 2: Perform dual-stack reconstruction in the Internet access zone.
▫ Solution 3: Deploy a new IPv6 Internet access zone.
• Deploy new egress lines:
▫ New IPv6 lines are usually used to prevent production accidents.
▫ The IPv6 Internet access zone can interconnect with the carrier network through static routes or EBGP4+
and support IPv6 user access.

• Internet zone evolution strategies:
▫ Solution 1: Deploy NAT64 at the egress of the Internet access zone. If
existing DC services remain in IPv4 single-stack mode but IPv6 services need
to be quickly provided due to other factors, NAT64 can be deployed in front of
the IPv4 servers in the DC's DMZ to temporarily provide IPv4/IPv6 dual-stack
services through the NAT64 gateway.
▫ Solution 2: Perform dual-stack reconstruction in the Internet access zone
and DMZ. If the Internet zone (including the DMZ) supports IPv6 well and
devices are far from reaching the end of their lifecycle, it is recommended
that these devices be reused. You can deploy the dual-stack solution in the
existing Internet access zone and DMZ to complete the reconstruction at a
low cost.
▫ Solution 3: Deploy a new Internet access zone and DMZ. Reusing existing
devices during IPv6 network reconstruction may involve software and
hardware upgrades or partial hardware replacement, which affects IPv4
services. To ensure enterprise DMZ service continuity and zero impact on
live network IPv4 services, deploy an IPv6-only Internet access zone and
DMZ. IPv4 users access the IPv4 DMZ through the IPv4 Internet access zone,
and IPv6 users access the IPv6 DMZ through the IPv6 Internet access zone.
• Egress route selection:
▫ Single-egress Internet access: Static routes are preferred.
▫ Multi-egress Internet access: BGP routes are preferred. To ensure load
balancing and reliability, BGP route attributes can be used to control route
selection.

IPv6 Reconstruction for DC Intranet Resource Pools

⚫ Application scenario: Devices on the live network are approaching the end of their lifecycles or do not support
underlay or overlay IPv6 deployment.
⚫ Overall policy: Create an intranet resource pool that supports VXLAN underlay IPv6 + overlay dual stack.

Step 1: Traditional IPv4 network. The intranet core is IPv4; the intranet resource pool uses underlay IPv4 with
overlay IPv4 (border leaf, spine, leaf, firewall). Make preparations for IPv6 resource pool network evolution,
such as IPv6 address planning, device reuse evaluation, solution design, and service impact evaluation.
Step 2: IPv6 SDN network. The intranet core is dual stack; the new resource pool uses underlay IPv6 with overlay
dual stack (MP-BGP EVPN). Deploy the network based on the fabric granularity: use IPv6 for the underlay layer and
IPv4/IPv6 dual stack for the overlay layer. Establish dual-stack connections between border leaf nodes and core
nodes and between border leaf nodes and firewalls.
Step 3: IPv6 SDN network. The intranet core is IPv6; the resource pool uses underlay IPv6 with overlay IPv6
(MP-BGP EVPN). Finally, after application reconstruction, disable IPv4 at the overlay layer, so that the DC's internal
network resource pool uses IPv6 single stack.

• Resource pool/server deployment:
▫ A general way to prevent production accidents and service interruption
caused by the upgrade of original IPv4 services is to deploy new IPv6
resource pools/servers.
▫ If the DC is a traditional DC, it is recommended that new technologies, such
as SDN, be deployed in the new resource pools.

WAN IPv6 Evolution Overview

⚫ The WAN is mainly used to carry services. Currently, the industry has reached a consensus that IPv4 and IPv6 will
coexist for a long time.
 For an existing WAN where MPLS is deployed, using 6VPE for reconstruction is recommended. Only edge nodes need
to be upgraded or have their hardware replaced. P nodes do not need to be reconstructed. Deploying IPv6 is like
introducing new services and has little impact on original maintenance. Therefore, this solution is suitable for
evolution from existing networks to IPv6.
 SRv6 can be considered during new WAN planning and design. SRv6 is the preferred technology for SDN-based
networks in the IPv6 era. SRv6 features high scalability, good application compatibility, and strong programming
capabilities. SRv6 can meet the requirements of future service changes and is suitable for evolving new networks
to IPv6.

Comparison of WAN evolution options:
• IPE: IPv6-only networks are deployed once and for all, with all network traffic carried using IPv6. IPE supports
service isolation.
• Dual stack: IPv4/IPv6 dual stack must be enabled on all Layer 3 devices. Layer 3 devices must be reachable to each
other through dual-stack routes. The network needs to maintain two protocol stacks, increasing complexity.
• 6VPE: IPv4/IPv6 dual stack must be enabled on edge nodes. The edge nodes must be enabled to exchange VPNv6
routing information with their original MP-IBGP peers. The intermediate nodes only require IPv4 single-stack
(MPLS) deployment and do not need to be reconstructed.

IPv6 Evolution Strategy for the Bearer WAN (New Deployment Scenario)

⚫ Application scenario: Devices on the live network are approaching the end of their lifecycles or devices on the live
network do not support IPE.

Step 1: Prepare for the evolution. The campus network, lower-level subnets, the traditional DC, and the cloud are
interconnected over the existing IP/MPLS WAN.
Step 2: Construct the network and cut over services. Create an IPE single-stack network alongside the IP/MPLS
WAN to carry IPv6 services, and migrate services to it.
Step 3: Remove the legacy network after service cutover. Deploy IPE single stack on the entire WAN to carry IPv6
services.

• Overall strategy: Deploy IPE single stack to carry both IPv4 and IPv6 services, and
gradually evolve office, production, management, and other services from IPv4 to
IPv6.
• Step 1: Prepare for the evolution.
▫ Address application: Apply for IPv6 addresses based on enterprise
requirements from address management organizations or carriers.
▫ Live network evaluation: Evaluate live network conditions, covering the
network infrastructure, security infrastructure, service support systems, and
service applications.
▫ Integration verification: Design and verify the IPE evolution solution and
prepare a feasibility report.
▫ Network planning: Formulate the IPE network construction specifications
and evolution solution to support smooth evolution to IPv6-only networks.
• Step 2: Construct the network and cut over services.
▫ Network construction: Build an IPE network based on the network plan and
deploy capabilities such as SRv6, network slicing, in-band flow
measurement, and SDN.
▫ Security construction: Security devices must support IPv6 security protection.
Network devices interwork with security devices to ensure that IPv6 has the
same or even stronger security protection capabilities compared with IPv4.
In particular, every ACL, firewall policy, and logging rule that exists for IPv4
needs an IPv6 equivalent before a dual-stack host goes live; otherwise the
IPv6 path becomes an unfiltered route to a host that is filtered over IPv4.
▫ Acceptance test: Perform service tests on the new IPv6 network to
determine whether the network meets service SLA, network security, and
OAM requirements.
▫ Service cutover: Gradually migrate services from the traditional WAN to the
new IPv6 WAN based on diversified service requirements.
• Step 3: Remove the legacy network after service cutover.
▫ O&M observation: After services are migrated from the traditional network
to the IPE network, set an observation period to observe the service running
status.
▫ Legacy network removal: Remove the legacy network only when there are
no major service issues during the observation period. The IPE evolution of
the WAN is then complete.

IPv6 Evolution Strategy for the Bearer WAN (Upgrade Scenario)

⚫ Application scenario: Devices on the live network have not reached the end of their lifecycles and can be upgraded
to support IPE.

Step 1: Prepare for the evolution. The campus network, lower-level subnets, the traditional DC, and the cloud are
interconnected over the existing IP/MPLS WAN.
Step 2: Reconstruct the edge and enable basic IPE capabilities. Upgrade some devices to support IPE and deploy
both SRv6 and IP/MPLS, so that these devices can transmit both IPv6 and IPv4 services while IP/MPLS and IPE
coexist on the WAN.
Step 3: Reconstruct the entire network and enable higher-order IPE capabilities. Upgrade all WAN devices to support
IPE and deploy SRv6 on these devices to transmit IPv6 services.

• Overall strategy: Upgrade and replace nodes one by one from the edge to the
core. Gradually deploy IPE features (simple features first, then complex features)
and cut over services (common services first, then critical services).

• Step 1: Prepare for the evolution.


▫ Address application: Apply for IPv6 addresses based on enterprise
requirements from address management organizations or carriers.
▫ Live network evaluation: Evaluate live network conditions, covering the
network infrastructure, security infrastructure, service support systems, and
service applications.

▫ Integration verification: Design and verify the IPE evolution solution and
prepare a feasibility report.

▫ Network planning: Formulate the IPE network construction specifications


and evolution solution to support smooth evolution to IPv6-only networks.

• Step 2: Reconstruct the edge and enable basic IPE capabilities.


▫ Edge device upgrade: Upgrade edge devices (cloud, Internet egress, and
campus egress PEs preferred) to support IPE.
▫ IPE basic capability deployment: Deploy both SRv6 and traditional IP/MPLS
on upgraded devices. Configure new and old devices to interwork through
IP/MPLS, and use SRv6 between new devices. Deploy a controller for
network-wide management and control.
▫ IPv6 security deployment: For services that have been upgraded to IPv6,
upgrade related security devices to support IPv6 security protection.
▫ Common service cutover: Use SRv6 to carry some common services and
verify the basic capabilities of the IPE solution.
• Step 3: Remove the legacy network after service cutover.
▫ Core device upgrade: Upgrade core devices to ensure that IPE is supported
on the entire network.

▫ High-order IPE capability deployment: Deploy high-order capabilities such
as SRv6, network slicing, in-band flow measurement, SDN, and network-security
association.
▫ Service cutover: Gradually migrate services from IP/MPLS to IPE based on
diversified service requirements.
▫ Redundant configuration deletion: After service migration, set an
observation period and observe the service running status. If services run
properly during the observation period, delete IP/MPLS configurations to
complete the IPE evolution of the WAN.

SRv6 Solution Overview


⚫ SRv6 can be considered during new WAN planning and design. SRv6 is the preferred technology for SDN-based
networks in the IPv6 era. SRv6 features high scalability, good application compatibility, and strong programming
capabilities, which can fully meet the requirements of future service changes on networks. Therefore, SRv6 has
become the best network bearer technology available and is suitable for evolving new networks to IPv6.
Overall SRv6 bearer solution

[Figure: overall SRv6 bearer solution with PE1, PE2, ASBR1 to ASBR4, PE3, and PE4. Underlay: IGP in each domain and MP-BGP end to end (basic routing). Overlay: EVPN VPWS over SRv6 (Layer 2 service), L3VPNv4/EVPN L3VPNv4 over SRv6 (IPv4 service), and L3VPNv6/EVPN L3VPNv6 over SRv6 (IPv6 service).]
• For different service scenarios, the SRv6 WAN bearer solution uses SRv6 at the overlay layer to carry Layer 2,
IPv4, and IPv6 services and IPv6 single stack at the underlay layer. This design prevents the IGP from
maintaining both IPv4 and IPv6 protocol stacks, reducing the pressure on device protocol maintenance.
▫ The underlay layer uses routing protocols such as IS-IS for IPv6 routing and MP-BGP to advertise basic routes
(such as loopback routes and SRv6 locator routes), delivering basic IPv6 route reachability and laying a
foundation for SRv6 to carry overlay services.
▫ The overlay layer selects different BGP address families based on service types to transmit user information
(such as IP and MAC address information).

• Overlay service deployment suggestions:


▫ Layer 2 services: Use SRv6 EVPN as the bearer protocol to provide P2P and
P2MP connection models. Compared with traditional Virtual Switching
Instances (VSIs) and Pseudo Wires (PWs), EVPN features simple
deployment, high bandwidth utilization, and fast convergence. EVPN is the
best choice for L2VPN service bearer.
▫ Layer 3 IPv4 services: Use either SRv6 L3VPN or SRv6 EVPN L3VPN. Using
SRv6 EVPN L3VPN is recommended.

▫ Layer 3 IPv6 services: Use either SRv6 L3VPNv6 or SRv6 EVPN L3VPNv6.
Using SRv6 EVPN L3VPNv6 is recommended.

SRv6 Solution: IGP & BGP Design


⚫ IGP design: Use the existing network design for IGP planning. The existing IPv4 network does not need to be
redesigned. It is advised to use IS-IS and enable IPv6 (IS-IS for IPv6).
⚫ BGP design: BGP focuses on the control and advertisement of routes. After an IGP is deployed, PEs need to establish
BGP peer relationships to advertise service routes through different address families.

[Figure: IGP and BGP design. Left: IS-IS for IPv6 (single area, Level 2) across PE1, PE2, P1, P2, PE3, and PE4, carrying loopback routes and locator routes. Right: BGP-based advertisement of service routes and SRv6 locators/SRv6 SIDs among PE1 to PE4 with RR1 and RR2; the legend distinguishes IBGP from EBGP and marks BGP EPE/BGP-LS.]

• Loopback routes and SRv6 locator routes need to be advertised in an IGP domain.
Loopback routes are used for network management or BGP peer relationship
establishment. Locator routes are used to guide the forwarding of data traffic
over SRv6 tunnels in an IGP domain.
• BGP Egress Peer Engineering (EPE) is used to allocate SRv6 SIDs to BGP peers
between ASs in inter-AS scenarios.

SRv6 Solution: Layer 3 IPv6 Services (1)


⚫ Implementing EVPN L3VPNv6 over SRv6 involves establishing SRv6 paths, advertising VPN routes, and forwarding
data.
Service establishment procedure (SRv6 BE)
[Figure: CE1, PE1, P1, PE2, and CE2 in a row, with VPN1 (IPv6) on each CE side, MP-BGP between PE1 and PE2, and SRv6 across PE1, P1, and PE2. Labels in the figure: 1. Configures an IPv6 VPN instance (on PE1 and PE2). 2. Advertises locator routes. 3. Advertises IPv6 routes. 4. Learns VPN instance IPv6 routes and generates EVPN routes. 5. Advertises EVPN routes carrying VPN SIDs. 6. Receives the EVPN routes and generates VPN instance IPv6 routes carrying SRv6 VPN SIDs. 7. Advertises the IPv6 routes.]
1. A user configures SRv6 and IPv6 VPN instances on PEs, and configures transit devices to support IPv6.
2. PE2 advertises an SRv6 locator route to PE1.
3. CE-to-PE route advertisement: CE2 advertises its IPv6 routes to PE2. Static routes, OSPFv3, IS-IS for IPv6, or
BGP4+ can be used between CEs and PEs.
4. After learning the VPN route advertised by CE2, PE2 installs it in the IPv6 routing table of the corresponding
VPN instance and converts it into an EVPN IP prefix route.
5. Inter-PE route advertisement: PE2 advertises an EVPN route to PE1 (BGP EVPN peer) through an update message
carrying RT and SRv6 VPN SID attributes.
6. PE1 receives the EVPN route. If the next hop in the EVPN route is reachable and the route matches the BGP route
import policy, PE1 performs a series of actions to determine whether to install the route in the IPv6 routing
table of the corresponding EVPN instance. These actions include route leaking, route recursion to an SRv6 path,
and route selection. The VPN route is associated with an SRv6 VPN SID when being delivered.
7. PE-to-CE route advertisement: CE1 can learn VPN routes from PE1 in multiple modes, including static routing,
OSPFv3, IS-IS for IPv6, and BGP4+. The route exchange between CE1 and PE1 is similar to that between CE2 and PE2.

SRv6 Solution: Layer 3 IPv6 Services (2)


⚫ Implementing EVPN L3VPNv6 over SRv6 involves establishing SRv6 paths, advertising VPN routes, and forwarding
data.
[Figure: CE1 (2200::1/128), PE1, P1, PE2, and CE2 (2100::1/128), with VPN1 (IPv6) on each CE side, MP-BGP between PE1 and PE2, and SRv6 across PE1, P1, and PE2.
Local SID Table generation: PE1 has the configured locator 2001:1::/64 and the generated End SID 2001:1::1. PE2 has the configured locator 2002:1::/64, the generated End SID 2002:1::1, and the configured VPN SID 2002:1::D100 (locator 2002:1:: plus opcode D100), which is an End.DT6 SID.
Route advertisement: the IS-IS route 2002:1::/64 is advertised from PE2 through P1 to PE1. CE2 advertises the IPv6 route 2100::1/128 to PE2. PE2 advertises the EVPN route 2100::1/128 to PE1 with the next hop being PE2 and the VPN SID being 2002:1::D100. PE1 advertises the IPv6 route 2100::1/128 to CE1.
Data forwarding: between CE1 and PE1 and between PE2 and CE2 the packet is the plain IPv6 packet SA=2200::1, DA=2100::1, Payload. Between PE1, P1, and PE2 the same packet carries an outer IPv6 header with SA=2001:1::1 and DA=2002:1::D100.
Note: SRv6 BE route advertisement and data forwarding are used as an example.]

• Route advertisement:
1. PE2 generates an End SID based on the configured SRv6 locator.
2. PE2 advertises the locator route 2002:1::/64 corresponding to the specified
End SID to PE1 through an IGP. PE1 installs the route to its IPv6 routing
table.
3. A VPN End.DT6 SID 2002:1::D100 within the locator range is configured on
PE2, which then generates its Local SID Table.
4. After receiving the VPN IPv6 route advertised by CE2, PE2 converts it into
an EVPN IP prefix route and advertises it to PE1 through the BGP EVPN
peer relationship. The route carries an SRv6 VPN SID, namely the VPN End.DT6 SID
2002:1::D100.
5. After receiving the EVPN route, PE1 leaks it to the IPv6 routing table of the
corresponding VPN instance, converts it into a common IPv6 route, and
advertises it to CE1.
• Data forwarding:
1. CE1 sends a common IPv6 packet to PE1.
2. After receiving the packet through the interface bound to a VPN instance,
PE1 searches the IPv6 routing table of the corresponding VPN instance for
a matching IPv6 prefix and finds the associated SRv6 VPN SID and next
hop. Then, the device directly uses the SRv6 VPN SID 2002:1::D100 as the
destination address and encapsulates the packet into an IPv6 one.
3. PE1 finds the route 2002:1::/64 based on the longest match rule and
forwards the packet to the P device over the shortest path.
4. Similarly, the P device finds the route 2002:1::/64 based on the longest
match rule and forwards the packet to PE2 over the shortest path.
5. PE2 searches its Local SID Table based on 2002:1::D100 and finds a matching
End.DT6 SID. According to the instruction bound to the SID, PE2 removes
the IPv6 header and searches the IPv6 routing table of the VPN instance
corresponding to the End.DT6 SID for packet forwarding.
• Note:
▫ End SID: identifies an SRv6 destination node on the network.
▫ VPN SID: identifies a VPN service.
▫ End.DT6: decapsulates a packet and searches a specified IPv6 routing table
for packet forwarding.
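To make the SRv6 BE route advertisement and data forwarding steps above concrete, the following Python simulation replays them with the slide's values (locator 2002:1::/64, End SID 2002:1::1, End.DT6 SID 2002:1::D100, CE route 2100::1/128). It is an added example, not code from the course or from any Huawei product; the device model, the table layouts, the next-hop names, and the CE1-PE1-P1-PE2-CE2 topology it builds are assumptions made for the simulation.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

@dataclass
class IPv6Packet:
    sa: IPv6Address
    da: IPv6Address
    payload: object  # application data, or the inner IPv6Packet after encapsulation

@dataclass
class Device:  # assumed device model: global IPv6 table, per-VPN tables, Local SID Table
    name: str
    global_table: dict = field(default_factory=dict)     # IPv6Network -> next-hop name
    vpn_tables: dict = field(default_factory=dict)       # vpn -> {IPv6Network: (next_hop, vpn_sid)}
    local_sid_table: dict = field(default_factory=dict)  # IPv6Address -> (behavior, vpn)
    locator: Optional[IPv6Network] = None
    end_sid: Optional[IPv6Address] = None

def longest_match(table, dst):
    """Longest-prefix match over a routing table; returns (prefix, entry) or None."""
    best = None
    for prefix, entry in table.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, entry)
    return best

def configure_locator(dev, locator, end_opcode=1):
    """Derive the End SID (locator + opcode) and install it in the Local SID Table."""
    dev.locator = IPv6Network(locator)
    dev.end_sid = dev.locator.network_address + end_opcode
    dev.local_sid_table[dev.end_sid] = ("End", None)

def configure_end_dt6(dev, vpn, opcode):
    """Configure a VPN End.DT6 SID inside the locator range, bound to a VPN instance."""
    vpn_sid = dev.locator.network_address + opcode
    if vpn_sid not in dev.locator:
        raise ValueError("VPN SID must fall within the configured locator")
    dev.local_sid_table[vpn_sid] = ("End.DT6", vpn)
    return vpn_sid

def igp_advertise_locator(origin, path):
    """Flood the locator route along path; each hop's next hop is the neighbour nearer origin."""
    prev = origin
    for dev in path:
        dev.global_table[origin.locator] = prev.name
        prev = dev

def learn_ce_route(pe, vpn, prefix, ce):  # CE-advertised route into the VPN instance table
    pe.vpn_tables.setdefault(vpn, {})[IPv6Network(prefix)] = (ce, None)

def evpn_advertise(pe_from, pe_to, vpn, prefix, vpn_sid):
    """Advertise the EVPN IP prefix route with its VPN SID; install only if the SID is reachable."""
    vpn_sid = IPv6Address(vpn_sid)
    if longest_match(pe_to.global_table, vpn_sid) is None:
        return False  # next hop (VPN SID) does not recurse to a locator route
    pe_to.vpn_tables.setdefault(vpn, {})[IPv6Network(prefix)] = (pe_from.name, vpn_sid)
    return True

def forward(devices, ingress, vpn, sa, da, max_hops=8):
    """Forward one CE packet from the ingress PE and return the per-hop trace."""
    inner = IPv6Packet(IPv6Address(sa), IPv6Address(da), "data")
    dev, trace = devices[ingress], []
    match = longest_match(dev.vpn_tables.get(vpn, {}), inner.da)
    if match is None or match[1][1] is None:
        return [(dev.name, "drop: no VPN route with SRv6 VPN SID")]
    # Ingress PE: outer header with SA = own End SID, DA = remote VPN SID (SRv6 BE).
    outer = IPv6Packet(dev.end_sid, match[1][1], inner)
    trace.append((dev.name, f"encap SA={outer.sa} DA={outer.da}"))
    for _ in range(max_hops):
        sid = dev.local_sid_table.get(outer.da)
        if sid:
            break  # DA is a local SID: execute its behavior
        route = longest_match(dev.global_table, outer.da)
        if route is None:
            return trace + [(dev.name, "drop: no route to VPN SID")]
        trace.append((dev.name, f"forward to {route[1]}"))
        dev = devices[route[1]]
    else:
        return trace + [(dev.name, "drop: hop limit exceeded")]
    behavior, sid_vpn = sid
    if behavior != "End.DT6":
        return trace + [(dev.name, f"drop: {behavior} SID does not terminate VPN traffic")]
    route = longest_match(dev.vpn_tables.get(sid_vpn, {}), outer.payload.da)
    if route is None:
        return trace + [(dev.name, "drop: no VPN route after End.DT6")]
    trace.append((dev.name, f"End.DT6 decap into {sid_vpn}, deliver to {route[1][0]}"))
    return trace

def build_topology():
    """CE1 - PE1 - P1 - PE2 - CE2 with the slide's values (constructed sample)."""
    devices = {n: Device(n) for n in ("PE1", "P1", "PE2")}
    pe1, p1, pe2 = devices["PE1"], devices["P1"], devices["PE2"]
    configure_locator(pe1, "2001:1::/64")              # End SID 2001:1::1
    configure_locator(pe2, "2002:1::/64")              # End SID 2002:1::1
    vpn_sid = configure_end_dt6(pe2, "VPN1", 0xD100)   # End.DT6 SID 2002:1::D100
    igp_advertise_locator(pe2, [p1, pe1])              # 2002:1::/64 reaches PE1 via P1
    learn_ce_route(pe2, "VPN1", "2100::1/128", "CE2")  # CE2 -> PE2 (step 3)
    evpn_advertise(pe2, pe1, "VPN1", "2100::1/128", vpn_sid)
    return devices, vpn_sid
```

Calling `forward(devices, "PE1", "VPN1", "2200::1", "2100::1")` on the built topology yields the encapsulation at PE1, the two longest-match hops, and the End.DT6 decapsulation at PE2.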

Campus Network IPv6 Evolution Overview


⚫ Overall IPv6 evolution roadmap for campus networks:

Phase 1 (IPv6 dual stack): IPv4 for management networks; dual stack for campus egress networks; underlay IPv4 + overlay dual stack for campus networks.
Phase 2 (IPv6 dual stack): dual stack for management networks; dual stack for campus egress networks; underlay IPv6 + overlay dual stack for campus networks.
Phase 3 (IPv6 only): IPv6 only for management networks; IPv6 only for campus egress networks; IPv6 only for campus networks.

⚫ After an enterprise campus network completes dual-stack reconstruction, terminals on the network can access both
IPv4 and IPv6 services.

⚫ Generally, the IPv6 capabilities of live network devices need to be evaluated during the reconstruction of existing
networks. If their IPv6 capabilities do not meet the reconstruction requirements, these devices need to be replaced
or upgraded.


• Campus networks mainly involve large- and medium-sized office campuses,
small-sized branch office campuses, and industrial production campuses. There
are three scenarios for intra-campus mutual access: mutual access between
internal office systems, Internet access, and mutual access between production
systems.

▫ During dual-stack reconstruction for large- and medium-sized office
campus networks, the original IPv4 network architecture and configurations
are retained, and IPv6 configurations and IPv6-related support systems are
added.
▫ In large- and medium-sized virtualized campus scenarios, underlay IPv4 +
overlay VXLAN dual stack can be used to evolve VXLAN to IPv6 based on
live network device capabilities.
▫ When a small office campus network is upgraded to IPv4/IPv6 dual-stack,
services from terminals inside the campus to the enterprise HQ need to be
transmitted through WAN dual-stack channels. Considering the campus
network scale and WAN line leasing solution, we can determine which
option to choose based on live network conditions:

▪ In the scenario where only a single Internet private line is leased for
backhaul, the campus egress generally connects to the intranet over
an IPsec tunnel. One of the following solutions can be used: dual-
stack traffic over IPsec6, dual-stack traffic over IPsec4, and dual-stack
traffic over GRE over IPsec6/4.
▪ In the scenario where only an MPLS VPN private line is leased for
backhaul, the MPLS VPN private line needs to be upgraded to support
IPv4/IPv6 dual-stack connections. Campus egress routes can flexibly
interwork with carriers' MPLS VPN private lines using BGP, IGP, or
static routes.

▪ In the scenario where multiple backhaul modes (such as MPLS VPN
and Internet private lines) are available, the SD-WAN technology can
be used to flexibly select routes for IPv4 and IPv6 traffic. If campus
WAN links are not upgraded, IPv6 service traffic can be encapsulated
using IPv4 GRE and then transmitted over the SD-WAN.

Phase 1 IPv6 Evolution Strategy for Traditional Campus Networks

Evolution roadmap
[Figure: DC (with NAT64) and Internet at the top; a new core (VXLAN, IPv6) deployed beside the legacy core; Building 1 (IPv4), Building 2 (IPv4), and Building 2 (IPv6) undergoing IPv6 and SDN reconstruction; service interworking between the network after IPv6 reconstruction and the network before IPv6 reconstruction.]
1. Controller deployment: Deploy an SDN controller in the DC.
2. New core switch deployment: Deploy new core switches in the campus core equipment room and connect them to
other network areas. The connections are consistent with those of the existing core switches. In addition,
establish temporary links to the legacy core network for service cutover.
3. Basic route configuration: Configure basic routes for future service interworking on core switches and
interconnection devices.
4. Building-by-building reconstruction: Perform IPv6 and SDN reconstruction in a building. Connect aggregation
switches in the building to new core switches and deliver services through SDN to devices in this building.
Meanwhile, add routes to this building on the new core switches and interconnection devices.
5. After all buildings are reconstructed, the entire network has evolved to IPv6 and SDN.
Note: The IPv6 devices in the new building and IPv4 devices in the old building need to communicate through NAT64
devices in the DC.

• Phase 1 evolution strategy: Perform IPv6 and SDN evolution concurrently to
achieve two objectives at one time.
▫ Overall solution roadmap: Create a core network that supports SDN and
IPv6 network virtualization, and connect the core network to the campus
egress network. Reconstruct the existing network building by building
(aggregation + access) and connect the network to the new core network.
Use the SDN controller for automated deployment in reconstructed
buildings.
▫ Solution advantages: Operations are simple, the deployment pace is
controllable, and the impact on live network services is minimized.

IPv6 Reconstruction for Large- and Medium-Sized Traditional Campus Networks (1)

[Figure: Internet and WAN above the egress zone; a network management zone with an AC and a DHCPv6 server; core layer (L3); aggregation layer running DHCPv6 relay; access layer (L2); terminal layer.]
• Address allocation:
▫ Before considering the address allocation solution, you must determine the address types and planning for the
enterprise campus network. A large enterprise group has a large number of users and a large network scale and can
apply for GUA PI addresses independently. Therefore, it is recommended that the enterprise group apply for GUA PI
addresses independently and allocate campus addresses uniformly.
▫ Campus terminals can obtain IPv6 addresses through DHCPv6, SLAAC, or manual configuration. Generally, the DHCPv6
or SLAAC solution can be used to obtain addresses for wired terminals. If the DHCPv6 solution uses the centralized
server mode, DHCPv6 relay needs to be deployed gradually to relay DHCPv6 packets. Android terminals do not support
DHCPv6 and must use the SLAAC solution to obtain addresses.

• Large- and medium-sized traditional campus networks generally use Layer 3 IP
forwarding and use Layer 2 VLANs to isolate broadcast domains. If Layer 3
isolation is required, ACLs can be deployed. For external services such as Internet
access and enterprise WAN interconnection, intra-campus support systems
include AAA authentication servers and DHCP servers. During dual-stack
reconstruction for large- and medium-sized traditional campus networks, the
original IPv4 network architecture and configurations are retained, and IPv6
configurations and IPv6-related support systems are added.
• GUA: global unicast address
• The PI address space is a block of IPv6 addresses assigned by a regional Internet
registry to enterprises.

IPv6 Reconstruction for Large- and Medium-Sized Traditional Campus Networks (2)

[Figure: Internet and WAN connected to the egress zone through static routing/IGP/BGP, with IGP-based internal default route advertisement; an AC and a network management zone; OSPFv3 area 0 at the core layer; OSPFv3 area 1 and area 2 at the aggregation layer (L3); access layer (L2); terminal layer.]
• Interconnection between internal networks:
▫ The Layer 3 network of the campus network is upgraded and reconstructed to support IPv4/IPv6 dual-stack
communication. Considering the scale of the enterprise campus network and the general user habits of the original
IPv4 network, OSPFv3 is enabled as the IGP, and OSPFv3 area settings are the same as those of OSPFv2 to ensure
Layer 3 route reachability in the campus network.
▫ An enterprise campus network can communicate with a WAN in multiple modes. For example, static default routes,
IGP routes, or BGP routes can be used for interconnection.
▫ The interconnection mode between the campus network and WAN depends on factors such as the capabilities of the
campus egress devices, the number of campus egress paths, and campus egress traffic. This scenario is not closely
related to IPv6. Therefore, it is recommended that the IPv4 network interconnection policy still be used.

• Interconnection with external networks:


▫ For example, if the campus network IPv6 addresses are PI addresses
independently applied for, static routes can be used for interconnection
with external networks and IGPs can be used to advertise default routes on
the internal network. Carrier networks advertise specific routes to the
campus network, and default egress routes are configured on the campus
network.

▫ If multiple egresses are involved, BGP can be used for interconnection with
external networks and IGPs can be used to advertise default routes on the
internal network. The campus network internally advertises default egress
routes to ensure that internal service packets can reach egress routers. The
egress routers connect to the Internet using BGP to implement optimal
path selection and load balancing.

IPv6 Reconstruction for Large- and Medium-Sized Virtualized Campus Networks (1)

⚫ Currently, the virtualized network solution (VXLAN) is deployed on some large- and medium-sized campus networks to meet the
requirements of these networks, such as one network for multiple purposes and fast, automated service provisioning.
⚫ VXLAN underlay IPv4 + overlay dual stack can be used for the IPv6 evolution of virtualized campus networks. The horizontal traffic
between networks in an enterprise campus is light. The centralized gateway mode is generally used in the virtualized network VXLAN
solution. Therefore, the centralized gateway mode is used in the following examples.
[Figure: Internet and WAN above the egress zone; an AC and a DHCPv6 server; core layer (L3) running DHCPv6 relay; aggregation layer; access layer (L2); terminal layer.]
• Address allocation:
▫ There are three network address allocation modes: DHCPv6, SLAAC, and manual configuration. If the DHCPv6 or
SLAAC mode is used for automatic address allocation, the virtualized network design is different from that of the
traditional network.
▫ In DHCPv6 address allocation mode, the DHCPv6 server needs to be deployed in centralized mode, and DHCPv6 relay
needs to be enabled on the VBDIF interface serving as the centralized VXLAN IPv6 gateway to relay DHCPv6 packets.
Android terminals do not support DHCPv6 and must use the SLAAC solution to obtain addresses.
▫ In SLAAC address allocation mode, RA parameters need to be configured on the centralized gateway, so that the
centralized gateway pushes RA messages carrying address prefixes and DNS information to terminals.

IPv6 Reconstruction for Large- and Medium-Sized Virtualized Campus Networks (2)

VXLAN underlay IPv4 + overlay dual stack
[Figure: Internet and WAN connected to the egress zone through static routing/IGP/BGP, with IGP-based internal default route advertisement; an AC; OSPFv2/OSPFv3 area 0; a centralized gateway at the core layer; a fabric with VXLAN underlay IPv4 (OSPFv2) and overlay dual stack spanning the aggregation layer (L3) and access layer (L2); APs; terminal layer.]
• If enterprise campus networks use the virtualization solution (VXLAN underlay IPv4 + overlay IPv4), we only need
to enable IPv6 at the overlay layer and configure the dual-stack capability in the egress zone to upgrade these
networks to support IPv6.

• Service forwarding:
▫ The overlay IPv6 design is similar to the original overlay IPv4 design. The
underlay configuration from the access layer to the core layer remains
unchanged. The VXLAN control plane uses BGP EVPN, and core switches are
configured as RRs. Enable IPv6 on the centralized gateway and configure an
IPv6 address for the VBDIF interface to ensure Layer 2 IPv6 communication.
▫ Edge nodes on the access side can associate forwarded packets with overlay
BDs based on interface VLANs, enabling terminals to be assigned to
different gateway areas. In VXLAN Layer 3 forwarding, terminal packets are
first advertised to the centralized gateway, and horizontal and vertical
traffic are forwarded by the gateway in a unified manner.
▫ For design details about internal network interconnection and external
network interconnection involved in the network egress zone, see the
traditional campus network solution.
• Access authentication:
▫ Edge nodes on the campus network provide access for dual-stack users.
Single authentication and dual-stack service policy association needs to be
implemented for dual-stack users. This helps prevent dual-stack terminals
from undergoing two separate authentications when accessing IPv4 and
IPv6 services.
▫ A campus network with VXLAN underlay IPv4 + overlay dual stack must
support various authentication modes (such as 802.1x, Portal, and MAC
address authentication) for IPv6 users, so that authentication schemes can
be implemented flexibly based on user terminals (such as Portal
authentication for guest terminals and 802.1x authentication for internal
office terminals). The deployment of network authentication points, policy
enforcement points, and access points in the IPv6 solution is consistent with
that in the original IPv4 solution. The authentication server uses a unified
controller to provide authentication policy services.

WLAN IPv6 Access


⚫ IPv6 evolution and upgrade of campus networks involves WLAN reconstruction. Currently, WLANs in large- and
medium-sized single campus networks usually use AC+ FIT AP networking. The IPv6 upgrade and reconstruction of
WLANs mainly focus on the management between ACs and APs and the address obtaining modes of access wireless
terminals. Other WLAN designs are not affected by IPv6 upgrade and reconstruction.
[Figure: Internet and WAN above the egress zone; an AC attached to the core layer (L3); aggregation layer; access layer (L2); APs at the terminal layer, managed over a CAPWAP6 tunnel.]
• As shown in the figure, an AC connects to core switches in bypass mode, and APs connect to access switches. The
APs are configured with multiple SSIDs for IPv6 single-stack users using internal office terminals and guest
terminals to access the wireless network. The authentication point is on the AC.

• Wireless terminal access solution:


▫ The core switches or AC functions as the gateway for wireless access of
office terminals. The SLAAC hybrid solution can be used to configure IPv6
addresses for terminals, and 802.1x authentication can be used.
▫ Different VLANs are configured for guest SSIDs. The core switches or AC
functions as the gateway for wireless access of guest terminals. The SLAAC
hybrid solution is used to allocate IPv6 addresses. Portal authentication is
recommended.

• AP management solution:

▫ The CAPWAP tunnel supports both IPv4 and IPv6. However, only IPv4 or
IPv6 can be selected at one time. That is, the AC can manage APs only in
either IPv4 or IPv6 mode. The default mode is IPv4.
▫ APs can go online in either IPv4 or IPv6 mode. That is, an AP can obtain
only one IP address. The AC's IP address is manually configured. The AC can
use DHCPv6 or SLAAC to assign IP addresses to APs.

• Note: You can run the capwap ipv6 enable command to enable the IPv6
function for the CAPWAP tunnel.

IPv6 Reconstruction of Other Related Systems (1)


⚫ The key to internal application system reconstruction is to adjust address-related modules. IPv6 reconstruction
of application systems mainly involves the network layer.
[Figure: protocol stack comparison. IPv4-only application: TCP and UDP over IPv4 (Ethernet protocol 0x0800). IPv4/IPv6 dual-stack application: TCP and UDP over both IPv4 (protocol 0x0800) and IPv6 (protocol 0x86DD).]
• The network layer is used to transparently transmit data between two end systems and is a channel for
communication between application systems.
• Application programs connect to application processes and network protocol stacks through sockets to implement
binding between application programs and network protocol interfaces.
• General suggestions on IPv6 reconstruction of application systems:
▫ Deploy an IPv6-capable DNS system and add AAAA records to the system. All service systems identify remote
hosts by domain names instead of using IP addresses as host identifiers. Check whether applications can correctly
parse the AAAA records of URLs.
▫ Check whether the application system directly uses IP addresses. Ensure that IP addresses are used only as
addresses, not as user IDs or key service attributes, and ensure that services are independent of IP address types.
▫ Check the socket communication interface. Ensure that this interface has shifted from an IPv4-oriented
programming interface to one that supports IPv4&IPv6 compatibility. Use IPv6-oriented functions, macros, and
libraries to check whether the code for verifying IP address validity needs to be modified.
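The socket-interface and address-validation checks above can be turned into concrete audit helpers. The following Python is an added example, not code from the course: the legacy_* functions reproduce IPv4-era habits that break on IPv6 literals, the functions beside them are the family-agnostic replacements, and the symbol list used by the source scan is an assumption drawn from common dual-stack porting guidance rather than from any Huawei material.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Dotted-quad regex typical of IPv4-era validation code (constructed example).
IPV4_ONLY_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# IPv4-only socket symbols and their family-agnostic replacements (assumed list,
# following common dual-stack porting guidance, not a Huawei source).
IPV4_ONLY_SYMBOLS = {
    "gethostbyname": "getaddrinfo(AF_UNSPEC, ...)",
    "gethostbyaddr": "getnameinfo",
    "inet_aton": "inet_pton",
    "inet_addr": "inet_pton",
    "inet_ntoa": "inet_ntop",
    "sockaddr_in": "sockaddr_storage / sockaddr_in6",
    "AF_INET": "AF_UNSPEC via getaddrinfo, or AF_INET6 with IPV6_V6ONLY=0",
}

def legacy_is_valid_ip(text):
    """IPv4-oriented check: rejects every IPv6 address yet accepts 999.9.9.9."""
    return IPV4_ONLY_RE.match(text) is not None

def is_valid_ip(text):
    """Family-agnostic check: the ipaddress module parses both IPv4 and IPv6."""
    try:
        ipaddress.ip_address(text)
    except ValueError:
        return False
    return True

def legacy_parse_endpoint(text):
    """IPv4-oriented 'host:port' split on the first colon; mangles IPv6 literals."""
    host, _, port = text.partition(":")
    return host, port

def parse_endpoint(text, default_port=None):
    """Parse 'host:port', '[v6literal]:port', a bare host or a bare IP literal.

    An unbracketed IPv6 literal is accepted only without a port: '2001:db8::1:443'
    is itself a valid IPv6 address, which is why RFC 3986 brackets IPv6 literals."""
    if text.startswith("["):
        host, closed, rest = text[1:].partition("]")
        if not closed or ":" not in host or not is_valid_ip(host):
            raise ValueError(f"bad IPv6 literal: {text!r}")
        if rest == "":
            return host, default_port
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError(f"bad port in {text!r}")
        return host, int(rest[1:])
    if text.count(":") > 1:
        if not is_valid_ip(text):
            raise ValueError(f"bad IPv6 literal: {text!r}")
        return text, default_port
    host, sep, port = text.partition(":")
    if not host:
        raise ValueError(f"empty host in {text!r}")
    if not sep:
        return host, default_port
    if not port.isdigit():
        raise ValueError(f"bad port in {text!r}")
    return host, int(port)

def url_host_port(url):
    """urlsplit() already strips IPv6 brackets; do not split URLs by hand."""
    parts = urlsplit(url)
    return parts.hostname, parts.port

def resolve_literal(host, port):
    """Resolve an IP literal through getaddrinfo(AF_UNSPEC) into [(family, sockaddr)].

    Without AI_NUMERICHOST the same call resolves hostnames and returns AAAA and A
    answers together, so callers iterate the list instead of assuming AF_INET."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM,
                               0, socket.AI_NUMERICHOST)
    return [(family, sockaddr) for family, _, _, _, sockaddr in infos]

def find_ipv4_only_calls(source):
    """Scan source text for IPv4-only symbols; returns (line, symbol, replacement)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for symbol, replacement in IPV4_ONLY_SYMBOLS.items():
            if re.search(rf"\b{re.escape(symbol)}\b", line):
                findings.append((lineno, symbol, replacement))
    return findings
```

Running `find_ipv4_only_calls` over a code base gives a first list of call sites to review; `parse_endpoint` and `url_host_port` show where hand-written host:port or URL splitting must be replaced.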

IPv6 Reconstruction of Other Related Systems (2)


NMS
• The management and control planes of the NMS can still use the IPv4 solution. IPv6 reconstruction can be
performed after network-wide reconstruction.
• Currently, iMaster NCE does not require special licenses for delivering IPv6 services. Currently, mainstream
functions such as user management and free mobility support both IPv4 and IPv6 services.
DNS server
• The DNS servers provided by BIND and Microsoft are mainstream DNS servers in the market.
▫ BIND9 and later versions support IPv6 address resolution. Microsoft Server 2003 and later versions support IPv6.
▫ If the current service version is later than the preceding version, we only need to add IPv6 address resolution
through simple configurations.
• Note: If Internet domain name resolution is involved, ensure that the upper-level DNS server provides the IPv6
capability before the reconstruction.
Portal web system
• The web server mainly provides the Internet browsing service, which is the most widely used service on the
Internet. Currently, the commonly used web server software includes Apache, Nginx, and Microsoft IIS.
▫ Apache provides IPv6 support since version 2.0.11.
▫ Nginx 0.7.36 and later versions support IPv6.
▫ Microsoft's IIS service has supported IPv6 since IIS 6.0 was released in 2003.
• If the current service version is later than the preceding version, we can enable the IPv6 service through
simple configurations.
• Check whether the code for using IP addresses for communication exists in the portal's front-end
implementation. If yes, change the IP addresses to URLs or absolute addresses.
Server operating system
• The common operating systems of servers include Linux, Unix, and Windows Server.
• If the operating system does not meet the version requirements (supporting IPv6), upgrade the operating system.
Database system
• Common database systems support IPv6 as follows. If the current version of a database system is earlier than
the following, we need to upgrade it.
▫ MySQL 5.7.17, Microsoft SQL Server 2016, Oracle Database 12.1.0.2.0, MariaDB 10.2.9, IBM DB2 10.5, FileMaker
Pro 16.0.2.205, FileMaker Server 16.0.1.185, PostgreSQL 10, IBM Informix Dynamic Server (IDS) 11.5, Sybase
OpenSwitch 15.1, etc.

• NMS IPv6 reconstruction:


▫ The NMS is not user-oriented and requires only a small number of IP
addresses. Therefore, IPv4 addresses can still be reserved for internal
communication, and IPv6 addresses are only optional.
▫ Through reconstruction, the NMS can also provide the following functions:
▪ Identifies and manages various IPv6 address types.
▪ Supports DNS resolution monitoring in IPv6.
▪ Collects performance, resource, and fault data of IPv6 and dual-stack
devices, and provides functions such as performance management,
resource management, and fault management and analysis for these
devices.
▪ Associates IPv4 with IPv6 for dual-stack devices, so that the resource,
performance, and fault data of these devices can be smoothly
associated with historical data.
▪ Accesses the IPv6 MIBs of devices through IPv4-based SNMP and
obtains IPv6 configuration, traffic, and other information from the
IPv6 MIBs.
• IPv6 reconstruction for server operating systems:
▫ Common Linux versions that support IPv6 are as follows (IPv6 installed by
default):
▪ Fedora 13, Red Hat Enterprise Linux 6, Ubuntu 12.04, Oracle Solaris
10, SUSE Linux Enterprise Server 11, etc.
▫ Windows Server supports IPv6 as follows:
▪ Windows Server 2003 supports IPv6, but IPv6 is not installed by
default and needs to be manually installed.
▪ Windows Server 2008 and later versions have IPv6 installed by
default.
Quiz

1. (Multiple-answer question) Which of the following deployment solutions may be used during WAN
IPv6 evolution? ( )
A. Dual stack

B. 6VPE

C. SRv6

D. VXLAN underlay IPv4 + overlay dual stack

2. (True or false) IPE technologies include network programming, network slicing, deterministic
networking, in-band flow measurement, new multicast, and application awareness. ( )
A. True

B. False


1. ABC
2. A
Summary
⚫ Enterprise networks generally involve DCNs, WANs, and campus networks. IPv6 evolution
needs to take into consideration the overall capability upgrade and coordination of
applications, terminals, and networks to ensure that the user experience of existing services
is not affected during IPv6 evolution. IPv6 solution design must ensure smooth and
continuous network evolution. During the solution design, consider using the optimal IPv6
technologies to build next-generation IPv6 informatization infrastructure and facilitate
sustainable service development.
⚫ This course describes the evolution trends of IPv6 networks in scenarios such as DCs, WANs,
and campus networks and the technical application of IPE technologies.

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd.
All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements
regarding the future financial and operating results, future product portfolio, new technology, etc. There are a
number of factors that could cause actual results and developments to differ materially from those expressed or
implied in the predictive statements. Therefore, such information is provided for reference purpose only and
constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Network Automation Overview
Foreword

⚫ Networks are evolving to be more open, more flexible, and simpler. Huawei's vision is to help customers build intent-driven networks (IDNs).
⚫ Network openness and programmability are prerequisites of intent-driven networks.
⚫ AI is enabling a wide range of industries. The combination of AI and networks is an inevitable trend.
⚫ This course briefly introduces the current situation of the AI industry and Huawei's network AI engine iMaster NAIE.

Objectives

⚫ On completion of this course, you will be able to describe:
▫ The background of network programming and automation.
▫ Network openness levels.
▫ The open capabilities of Huawei iMaster NCE.
▫ The positioning and capabilities of network automation engineers.
▫ The requirements of network AI.
▫ The iMaster NAIE services of Huawei's network AI engine.

Contents

1. Network Programming and Automation

2. Network Automation Engineers

3. Network Automation Classification

4. Network AI

Background: Complex Networks
⚫ Computer networks have been complex and difficult to manage since they were first built. This is reflected in the following aspects:
▫ There are various network devices, such as routers, switches, firewalls, and intrusion detection systems (IDSs).
▫ Devices from different vendors, and even from the same vendor, are managed in different ways.
▫ Complex devices result in complex network management.

Figure: diverse network devices (router, switch, firewall, device from another vendor) expose different management modes (CLI, SNMP, Web UI, IPFIX), each of which needs its own network management system, so network management becomes complex.
Background: Network Architecture Transformation
⚫ Software defined networking (SDN) brings about network architecture transformation. It introduces a network
controller to implement centralized control from a global perspective, achieving objectives such as fast service
deployment, traffic optimization, and network service openness.

Figure: SDN architecture, top to bottom: orchestration application layer (APP: service collaboration); NBI; controller layer (service orchestration); SBI; device layer (data forwarding).

• Orchestration application layer: implements the upper-layer applications that express user intents. Typical orchestration applications are an OSS, which is responsible for service collaboration on the entire network, and OpenStack, which coordinates network, computing, and storage services in a data center. Other orchestration-layer applications exist. For example, a security application that wants to block traffic does not care where the devices are deployed; it invokes a controller NBI such as Block (Source IP, DestIP), and the controller translates this into instructions for the network devices. The form of the instruction depends on the southbound protocol.
• Controller layer: the entity at this layer is the SDN controller, the core of the SDN architecture and the brain of the SDN system. Its core function is network service orchestration.
• Device layer: the network devices receive instructions from the controller and forward traffic accordingly.

• NBIs: NBIs are used by the controller to interconnect with the orchestration application
layer. The main NBIs are RESTful interfaces.
• SBIs: SBIs are protocols used for interaction between the controller and devices,
including NETCONF, SNMP, OpenFlow, and OVSDB.
Basic Network Automation
⚫ Network automation means that tools are used to implement automatic network deployment,
operation, and maintenance, gradually reducing the dependency on human resources.
⚫ There are many open-source tools that implement network automation in the industry, such as Ansible, SaltStack, Puppet, and Chef. Ansible, for example, connects to devices through SSH (the others traditionally rely on agents, with agentless or proxy modes for network devices) to implement batch operation and management, achieving basic network automation.
Figure: basic network automation. Network management tools (Ansible, SaltStack, Puppet, Chef) and automation scripts (Python, Shell) connect to devices through SSH to implement batch operation and management.
Development of Network Automation
⚫ In basic network automation, networks are managed through the CLI. The pain point is that network devices return unstructured data (screen text), which is inconvenient for computers to process. The basic requirement for the further development of network automation is that devices provide structured data. Devices that offer NETCONF or RESTCONF interfaces return data in XML (NETCONF) or XML/JSON (RESTCONF) format.
Unstructured data (easy for humans to read):

Interface            InUti OutUti inErrors outErrors
GigabitEthernet0/0/0 10%   20%    0        0
GigabitEthernet0/0/1 20%   30%    0        0
...

Structured data (easy for machines to process):

{ "Interfaces":
  { "GigabitEthernet0/0/0":
      { "InUti": "10", "OutUti": "20", "inErrors": "0", "outErrors": "0" },
    "GigabitEthernet0/0/1":
      { "InUti": "20", "OutUti": "30", "inErrors": "0", "outErrors": "0" }
  }
}

Figure: CLI/SSH and SNMP return unstructured data from network devices; NETCONF and RESTCONF return structured data.

• Unstructured data can be easily understood by humans, but it is difficult for machines to parse and therefore difficult to collect automatically.
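The next block is an added example, not part of the training material: a Python parser that turns the unstructured interface table above into the structured dictionary shown beside it. The sample CLI text is constructed from the slide. The parser fails loudly on any line it does not recognize, because an automation script that silently misreads a changed output format is worse than one that stops.

```python
import json
import re

# Constructed sample: the unstructured CLI table from the slide.
CLI_OUTPUT = """\
Interface            InUti OutUti inErrors outErrors
GigabitEthernet0/0/0 10%   20%    0        0
GigabitEthernet0/0/1 20%   30%    0        0
"""

# One interface row: name, two utilisation percentages, two error counters.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<InUti>\d+)%\s+(?P<OutUti>\d+)%\s+"
    r"(?P<inErrors>\d+)\s+(?P<outErrors>\d+)\s*$"
)


def parse_interface_table(text):
    """Convert the CLI interface table into {"Interfaces": {name: {...}}}.

    Raises ValueError for any non-header line that does not match, so a
    firmware or vendor change in the output layout is caught instead of
    being misread as zero errors.
    """
    interfaces = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("Interface"):
            continue  # blank line or column header
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unexpected format: {line!r}")
        fields = m.groupdict()
        name = fields.pop("name")
        # Values stay strings, matching the JSON shown on the slide.
        interfaces[name] = fields
    return {"Interfaces": interfaces}


def interfaces_with_errors(structured):
    """Example consumer: names of interfaces whose error counters are non-zero."""
    return sorted(
        name for name, st in structured["Interfaces"].items()
        if int(st["inErrors"]) or int(st["outErrors"])
    )


if __name__ == "__main__":
    data = parse_interface_table(CLI_OUTPUT)
    print(json.dumps(data, indent=2))
    print("interfaces with errors:", interfaces_with_errors(data))
```

Screen-scraping of this kind is exactly what NETCONF/RESTCONF make unnecessary: with structured output the regular expression, and the risk that it silently stops matching, disappears.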
Network Openness and Programmability
⚫ Network openness and programmability is to use programming methods to implement automated
networks on the premise of open networks.
⚫ In the early stage of SDN commercial use, and for some time to come, traditional networks and SDN networks will coexist on a large scale. Network openness is therefore implemented at two levels: device openness and SDN platform openness.

Figure: device-based openness and programmability (CLI/SSH, SNMP, NETCONF, RESTCONF, Telemetry, OPS, ...) and SDN-based openness and programmability (RESTful API).
Huawei iMaster NCE, Open and Programmable
⚫ iMaster NCE (NCE for short) is an innovative network cloud engine of Huawei. The overall open programming
capabilities of NCE include automation, analytics, and intent engines. The goal is to build a full-lifecycle open
programmable architecture to meet customer requirements for openness and programmability. NCE service
openness and programmability are designed to help customers implement service automation.

Figure: open and programmable NCE services. Intent engine (design, conversion, verification); automation engine (management unit, control unit); analytics engine (sensing, analysis, decision making).

• iMaster NCE is not only a controller, but also provides analysis and network
management functions.
Contents

1. Network Programming and Automation

2. Network Automation Engineers

3. Network Automation Classification

4. Network AI

Network Automation Engineers
⚫ Network engineers:
▫ Professionals who master network technologies and have professional skills, competence, and project management experience in the network engineering field. They can communicate fully with customers and other project stakeholders on site; develop implementation solutions and project plans, recognized by the stakeholders, based on customer requirements and environmental factors; mobilize the resources of all parties to ensure timely, high-quality implementation; and provide training and deliver engineering documents after the project is implemented.

⚫ Network automation engineers:
▫ Professionals who have network skills, competence, and project management experience in the network automation field. They aim to meet the requirements for automatic deployment, development, and O&M of enterprise networks.

Comprehensive Competence Model
⚫ Compared with the comprehensive competence model of network engineers, network automation
engineers have the same basic competence and professional skills, but have different skill requirements
in terms of expertise.

Figure: comprehensive competence model for network engineers, with three groups: basic qualification, professional skills, and expertise. The items shown are business etiquette, values, service consciousness, information search, communication competence, learning ability, team collaboration, service management, presentation capability, problem solving, technical knowledge, process specification, industrial knowledge, engineering knowledge, and product knowledge. In addition to basic network technologies, network automation engineers need to master development-related technology, product, and engineering knowledge.
Expertise
⚫ Network automation engineers must be all-rounders who, to some extent, master the skills of network engineers, system engineers, and development engineers, including but not limited to the following:

▫ Source code management: source code control that helps developers manage and store code.
▫ Programming language: a good command of at least one programming language.
▫ Operating system (OS): understanding of the basic principles and mechanisms of the OS.
▫ Network technology: a good command of basic network protocol principles and network engineering technologies.
▫ Open network architecture: a good command of the data structures and resource structures of open networks.
▫ Other professional knowledge: other related professional knowledge, such as databases.

• Network automation developers may need to have more professional knowledge, such
as database, algorithm, cryptography, software development lifecycle management,
development framework, big data, cloud computing, and artificial intelligence (AI),
depending on the specific work content and scenario.
Contents

1. Network Programming and Automation

2. Network Automation Engineers

3. Network Automation Classification

4. Network AI

Device Openness and Programmability
⚫ Device openness and programmability aim to provide engineers with guidance on how to implement network
automation through programming based on device openness capabilities.

⚫ The following figure shows the open capabilities of Huawei network devices. This course module focuses on how to use Python modules.

Figure: Python modules and the device interfaces they target: paramiko for SSH, pysnmp for SNMP (MIB), ncclient for NETCONF (YANG), requests for RESTCONF (YANG), and gRPC for Telemetry; in addition, .py files can be uploaded to the device over FTP and executed by the Open Programmability System (OPS).

• Part 1 of this course module describes how to use Python modules, including
paramiko, pysnmp, ncclient, requests, and grpc, to communicate with devices.

• Part 2 focuses on the OPS. The OPS refers to open programmability provided by
Huawei devices. You can upload Python code to a device, and the device runs the code
to implement specified functions.
NCE Northbound Openness
⚫ The openness and programmability of the controller provide engineers with guidance on how to implement
network automation through programming based on the open capabilities of the SDN controller.

⚫ Huawei iMaster NCE includes controllers and provides northbound RESTful APIs. This course module focuses on how
to use tools to invoke NCE NBIs.
Figure: the iMaster NCE family (iMaster NCE-Fabric, iMaster NCE-Campus, iMaster NCE-WAN, iMaster NCE-IP) sits between the northbound RESTful APIs and the network devices.
Huawei NCE Service Openness and Programmability
• NCE service openness and programmability is a subsystem of NCE. It provides E2E programming capabilities, including the openness of NE-layer functions and the openness of network service functions.
• Engineers compile an NE driver package (specific NE driver, SND) and a service driver package (specific service plugin, SSP) to implement the following functions:
▫ Multi-vendor device management
▫ User-defined network services
▫ Web-based service management
▫ Automatic exposure of northbound RESTful APIs

Figure: open programmability framework of Huawei NCE. Northbound: RESTful API and Web UI. SSP layer: service YANG model, Python service callback logic, Jinja2 templates, and NE profiles (NE profile 1, NE profile 2). SND layer: NE YANG models (NE YANG 1, NE YANG 2). NCE automatically generates NETCONF packets and sends them to a device, or configures a device in CLI/SSH mode.

• An SND abstracts device capabilities based on a device YANG model. A user can generate an SND from the device YANG files plus a small amount of Python code. After the SND is uploaded to NCE, device management and service provisioning can be implemented. SND types include NETCONF SNDs, CLI SNDs, and customized SNDs.
▫ NETCONF SND: provides the capability of converting YANG files into NETCONF
files.
▫ CLI SND: provides the conversion capability from YANG to CLI.

▫ Customized SND: provides the capability of converting YANG to other protocols


such as RESTCONF.
• An SSP allows users to customize network services (apps), for example, to quickly provision L3VPN services. Such services or applications involve multiple devices and protocols and are presented as an SSD. To compile an SSD, an engineer needs to compile service YANG files, Python scripts (service callback logic) for service mapping, and Jinja2 templates. The basic principles are as follows (from north to south):

▫ A service model automatically generates northbound interfaces or UIs, which are


invoked by an external system to initiate a service request.
▫ The service request is processed by the service logic compiled by the user. The
processing includes two parts: Python code processing and Jinja template
processing.

▪ Python code processing implements service logic irrelevant to vendors.


▪ Template processing implements the logic related to vendors. A template is
the data delivered to a device model. Different vendors use different
templates. In this way, a user-defined service model is converted into a
device model.
▫ The SND converts the device model into protocol packets and delivers the
packets to the device. For example, the SND delivers the packets to a device
through NETCONF.
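To make the north-to-south flow concrete, here is an added Python sketch that is not NCE code: a vendor-neutral L3VPN request passes through vendor-independent service logic and is then rendered, per site, through a per-vendor template into a device model. The vendor names, the CLI syntax in the templates, the field names, and the AS number are assumptions for illustration, and the standard library's string.Template stands in for Jinja2 so the script runs without extra packages. The service logic validates the request before templating, because a field that reaches the template unchecked (for example, a VRF name containing a newline) would inject extra lines into every generated device configuration.

```python
import re
from string import Template

# Per-vendor templates (hypothetical CLI syntax, assumed for illustration).
# The course uses Jinja2 here; string.Template keeps this example stdlib-only.
TEMPLATES = {
    "vendor_a": Template(
        "ip vpn-instance $vrf\n"
        " route-distinguisher $rd\n"
        " vpn-target $rt both\n"
        "interface $interface\n"
        " ip binding vpn-instance $vrf\n"
    ),
    "vendor_b": Template(
        "vrf definition $vrf\n"
        " rd $rd\n"
        " route-target both $rt\n"
        "interface $interface\n"
        " vrf forwarding $vrf\n"
    ),
}

# Allowed VRF names: no whitespace, no newlines, bounded length (assumed policy).
VRF_NAME = re.compile(r"[A-Za-z0-9_-]{1,31}")


def service_logic(request, as_number):
    """Vendor-independent service logic (the 'Python code processing' step).

    Validates the northbound request and derives what it leaves implicit
    (RD and RT from the AS number and VPN ID). Validation happens here,
    before any template runs, so that untrusted input can never become
    extra CLI lines in the rendered device model.
    """
    vrf = request["vrf"]
    if not VRF_NAME.fullmatch(vrf):
        raise ValueError(f"invalid VRF name {vrf!r}")
    vpn_id = int(request["vpn_id"])
    if not 1 <= vpn_id <= 65535:
        raise ValueError("vpn_id out of range")
    rd = f"{as_number}:{vpn_id}"
    return {"vrf": vrf, "rd": rd, "rt": rd}


def render_device_model(service_vars, site):
    """Vendor-dependent step (the 'template processing'): pick the template
    for the site's vendor and render the device model."""
    template = TEMPLATES[site["vendor"]]
    return template.substitute(service_vars, interface=site["interface"])


def provision_l3vpn(request, sites, as_number=65000):
    """North to south: one service request becomes one device model per site."""
    service_vars = service_logic(request, as_number)
    return {site["name"]: render_device_model(service_vars, site) for site in sites}


if __name__ == "__main__":
    sites = [
        {"name": "pe1", "vendor": "vendor_a", "interface": "GigabitEthernet0/0/1"},
        {"name": "pe2", "vendor": "vendor_b", "interface": "GigabitEthernet0/0/2"},
    ]
    for name, cfg in provision_l3vpn({"vrf": "CUST_A", "vpn_id": 100}, sites).items():
        print(f"--- {name} ---\n{cfg}")
```

The rendered text is what the SND would then turn into NETCONF or CLI for the device; the point of the split is that only the templates know vendor syntax, while the validation and derivation logic is written once.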
Contents

1. Network Programming and Automation

2. Network Automation Engineers

3. Network Automation Classification

4. Network AI

AI: New General Purpose Technology

General purpose technologies by era:
▫ 9000 BC to 1000 AD: plant domestication, animal domestication, ore smelting, wheel, writing, bronze, iron, water wheel.
▫ 15th to 18th century: barque, printing, factory system, steam engine.
▫ 19th century: railway, iron ship, internal combustion engine, electric power.
▫ 20th century: automobile, aircraft, mass production, laptop, lean production, Internet, biotechnology.
▫ 21st century: business virtualization, nanotechnology, artificial intelligence (AI).

AI is a multi-purpose technology that can be applied almost everywhere, complementing other technologies and generating spillover effects.

• A general purpose technology (GPT) is a main driving force of economic and social transformation. From the agricultural society to the industrial society and then to the information society, the production, lifestyle, and management modes of human society have changed enormously. People have long sought the drivers of this development. From the first technological revolution, represented by the steam engine, to the second, represented by electricity, the industrial and technological revolutions of the past 300 years show that science and technology are important sources of sustained economic growth. AI has become a new general purpose technology, and AI technologies are now being put into practice across a wide range of industries.
• https://en.wikipedia.org/wiki/General_purpose_technology
• Richard G. Lipsey et al., Economic Transformations: General Purpose Technologies and Long-Term Economic Growth.
AI-based Network Becomes a Consensus in the Industry

Manual processing -> tool assistance -> intelligent processing

Autonomous network levels (Man = done by people, Machine = done by the system, Man-Machine = shared):
▫ L0 Manual operation: repeated execution Man; context awareness Man; analysis and decision-making Man; service experience Man; scope N/A.
▫ L1 Tool-assisted automation: repeated execution Man-Machine; context awareness Man; analysis and decision-making Man; service experience Man; scope subtask level.
▫ L2 Partially autonomous networks: repeated execution Machine; context awareness Man-Machine; analysis and decision-making Man; service experience Man; scope unit level.
▫ L3 Restricted autonomous networks: repeated execution Machine; context awareness Machine; analysis and decision-making Man-Machine; service experience Man; scope domain level.
▫ L4 Highly autonomous networks: repeated execution Machine; context awareness Machine; analysis and decision-making Man-Machine; service experience Man-Machine; scope service level/cross-domain.
▫ L5 Fully autonomous networks: repeated execution, context awareness, analysis and decision-making, and service experience all Machine; scope public ICT infrastructure.
Many Challenges in AI Implementation
Figure: the AI application pipeline (data processing -> model training -> model management -> deployment into AI apps through an AI market, with feedback loops for data optimization and model upgrade) and the challenges at each stage:
▫ Data processing: no data, too little data, or insufficient data; different data is required in different scenarios.
▫ Model training: AI computing power and environments are difficult to obtain and expensive; the most appropriate algorithm and evaluation model must be found quickly, and the standards vary by scenario; model training and optimization require extensive expert experience.
▫ Model management and deployment: there are many application systems, so model deployment and integration are labor-intensive; AI models are updated frequently, so the security of each iteration must be attended to.
▫ There are also considerable non-technical challenges in AI implementation, including organizational changes that match the technologies, AI talent development, data security, and processes.

• Technically, training an AI use case requires joint development across domains (data, algorithms, and expert experience), and model optimization requires continuous iterative training. The difficulties are:
▫ The success of an AI project requires cooperation between service experts and AI experts.
▫ It is difficult for service experts to become AI experts.
▫ There are many data issues, such as few data sources and the need for labor-intensive data governance.
▫ There are many algorithm engineering issues, such as turning a paper into code and the efficiency of open-source algorithms.
▫ Computing power is difficult to obtain and is contended for during peak hours. (NVIDIA does not allow G series GPUs to be used in data centers.)
• Essentially, AI brings about organizational transformation: from human resources to human-machine coexistence in the AIOps phase.
Network AI Engine iMaster NAIE
⚫ iMaster NAIE is the one-stop AI application development cloud platform through which Huawei introduces AI technologies into telecom networks. Delivered in public cloud mode, iMaster NAIE provides the data service, model training service, model generation service, and communication model service, covering the most complex parts of network AI app development, such as data preparation, data feature exploration, and model optimization. This helps developers quickly obtain NAIE capabilities.
Figure: iMaster NAIE (Cloud+AI) with its data service, training service, and ecosystem service. (1) Training data collection and cloud data collection feed the data service, whose efficient governance reduces data preparation time by 90%. (2) Data processing. (3) Model development and training, with embedded Huawei experience for improved training efficiency, low-threshold model generation, and zero-code development.
Example: Intelligent Traffic Sorting
⚫ Requirement description:
 Data center networks carry various services, including big data, distributed storage, high-
performance computing, and GPU cluster services. Traffic sorting is a process in which
data center switches identify and classify traffic packets and determine the service to
which each data flow or data packet belongs.
 It is required that an AI algorithm for traffic classification be implemented based on the
embedded AI platform APIs (compatible with TensorFlow and Caffe) of Huawei's AI
Fabric switches.

Training of the Intelligent Traffic Sorting Model
⚫ The dataset, algorithm model, and training environment required for intelligent traffic
sorting can be provided by the iMaster NAIE.

Figure: iMaster NAIE (data service, training service, ecosystem service) supplies the training dataset, test dataset, algorithm model, and training environment; the output is the training result (prediction result).

• The final objective of the experiment is to deploy the trained model in a real environment, so the model should predict well on real data, that is, the error between its predictions and the real results should be as small as possible. The standard method is to divide the real data into a training dataset and a test dataset: train the model on the training dataset, hold the test dataset back, and use the error on the test dataset as the estimate of the model's error in actual scenarios. A smaller test error indicates a better algorithm model.
• For detailed operations, see the following website:
https://devstar.developer.huaweicloud.com/devstar/code-
templates/e9078ee2d7024ffabbac3f8fd1bad806
• For more information about AI, refer to Huawei AI certification documents.
Quiz

1. (Multiple-answer question) Which of the following protocols are used by the controller to interact with devices? ( )
A. NETCONF
B. SNMP
C. OpenFlow
D. RESTful


1. ABC
Summary
⚫ Network programming and automation means using programming methods to implement automated networks on the premise of open networks. Network openness is implemented at two levels: device openness and SDN platform openness.
⚫ Network automation engineers must be all-rounders who master skills of network engineers, system
engineers, and development engineers to some extent to support enterprise network automation.

⚫ This course consists of four modules: programming basics, device openness and programmability, NCE
northbound openness, and NCE service openness and programmability. Next, let's learn network
programmability.
⚫ The combination of network and AI is the development trend of the network industry.

⚫ Huawei iMaster NAIE provides network-based AI services, making network AI openness easier.

SSH Fundamentals and Practice
Foreword

⚫ To achieve efficient O&M and enhance agility amid increasingly complex service
requirements and network architecture, network automation is gaining
momentum and ever evolving. Currently, Secure Shell (SSH) is the most common
method used by engineers to log in to devices for remote management. As such,
engineers are expected to learn about and use an automation tool to implement
SSH remote login, simulate man-machine interaction with O&M personnel, and
automatically transfer files.
⚫ In this course, we will use the Python Paramiko module to write automation scripts
to implement SSH-based preliminary network automation.

Objectives

⚫ On completion of this course, you will be able to:
▫ Describe the basic concepts and working principles of SSH.
▫ Understand the concept of Paramiko.
▫ Master the composition and common methods of Paramiko.
▫ Grasp the common ways of using Paramiko.

Contents

1. Introduction to SSH
◼ Overview of SSH

▫ Working Principles of SSH

2. Paramiko Component Architecture

3. SSH Practices

Overview of SSH
⚫ Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an
insecure network.
⚫ SSH consists of the following sub-protocols: SSH transport layer protocol, SSH user authentication
protocol, and SSH connection protocol.

Figure: SSH protocol stack, bottom to top. SSH transport layer protocol: negotiates the version and algorithms and exchanges keys. SSH user authentication protocol: authenticates users (password and key). SSH connection protocol: establishes session connections.
SSH Transport Layer Protocol
⚫ SSH transport layer protocol is a secure transport protocol. The SSH transport layer is usually
established over TCP/IP connections. It can also be established over any other reliable data flow.
⚫ The SSH transport layer protocol negotiates all key exchange algorithms, public key algorithms,
symmetric encryption algorithms, and message authentication algorithms.

▫ Key exchange algorithm: generates session keys. Names: diffie-hellman-group14-sha1, diffie-hellman-group1-sha1, etc.
▫ Public key algorithm: performs digital signatures and user authentication. Names: ssh-rsa, ssh-dss, etc.
▫ Symmetric encryption algorithm: encrypts sessions. Names: aes128-ctr, 3des-cbc, etc.
▫ Message authentication algorithm: verifies data integrity. Names: hmac-sha1, hmac-md5, etc.

Several of these names are legacy: diffie-hellman-group1-sha1 uses a 1024-bit group (RFC 8270 raises the minimum recommended modulus to 2048 bits), and ssh-dss, 3des-cbc, and hmac-md5 are disabled by default in current OpenSSH releases. When hardening a device, restrict the offered lists to the modern algorithms it supports instead of leaving the defaults.

• Perfect Forward Secrecy (PFS) is a property of secure communication protocols, proposed by Christoph G. Günther in 1990. A key-establishment protocol has PFS when the compromise of a session key or of a long-term private key after a given session does not compromise any earlier session. In other words, future disclosure of passwords or keys cannot be used to decrypt sessions recorded in the past, even if the attacker intervenes actively.
• The SSH transport layer protocol achieves PFS with the Diffie-Hellman key exchange: each session uses fresh, random Diffie-Hellman exponents, and the long-term host key only signs the exchange, so it never protects the session key itself.
• For details, see section 9.3.7 "Forward Secrecy" in RFC 4251
(https://www.ietf.org/rfc/rfc4251.txt).
SSH User Authentication Protocol
⚫ The SSH user authentication protocol authenticates the client-side user to the server. It runs over the
transport layer protocol.
⚫ The SSH user authentication protocol provides two authentication methods: password authentication and public key authentication.
▫ Password authentication: the client sends its user name and password, which the server checks before allowing the login.
▫ Public key authentication: the client signs a message that includes the session ID with its private key, and the server verifies the signature with the client's public key, which must already be registered on the server.

Figure: password authentication (the client sends user name + password to the server) and public key authentication (the client sends a digital signature to the server).

• The signature is produced with the client's private key and verified with the corresponding public key, so a valid signature proves that the message came from someone holding the private key and that it was not altered. In SSH the public key itself is normally registered on the server (for example, in the user's authorized keys); certificate-based variants also exist.
• When the SSH user authentication protocol starts, it receives the session ID from the SSH transport layer protocol. The session ID uniquely identifies the session and is included in the data that the client signs, which binds the signature to this connection and prevents it from being replayed on another one.
SSH Connection Protocol
⚫ The SSH connection protocol multiplexes several logical channels into a single encrypted tunnel. It
provides interactive login sessions, remote execution of commands, forwarded TCP/IP connections, and
forwarded X11 connections.
⚫ The SSH connection protocol runs on top of the SSH transport layer protocol and user authentication
protocol.

Figure: channel types multiplexed over one SSH connection: session, x11, forwarded-tcpip, and direct-tcpip.

• TCP/IP forwarding carries the traffic of other TCP ports through the SSH channel, so that traffic is protected.
• Telnet, SMTP, IMAP, and other insecure TCP/IP-based protocols can be forwarded through SSH, which prevents user names, passwords, and private information from being transmitted in plaintext. In addition, if a firewall blocks some network ports but allows SSH, communication can still be implemented through an SSH TCP/IP forward. Note that this cuts both ways: forwarding also lets a user bypass a firewall policy, so administrators who do not need it should disable it on the server (for example, AllowTcpForwarding no in OpenSSH) and in particular restrict it for automation accounts.

• In X11, X refers to the X protocol, and 11 is the eleventh version of the X protocol. The
Linux graphical user interface (GUI) is based on the X protocol at the bottom layer.
When remote interaction with graphical applications on the Linux server is required, a
method for enhancing communication security is to use SSH to display the GUI on the
local client through the X11 tunnel.
• A session is a remote execution of a program. A program can be a shell, an
application, a system command, or some built-in subsystems. Multiple session channels
can be active at the same time. An interactive login session can be implemented using
the invoke_shell() method, and the remote command can be implemented using the
exec_command() method, which will be described in detail later.
Contents

1. Introduction to SSH
▫ Overview of SSH
◼ Working Principles of SSH

2. Paramiko Component Architecture

3. SSH Practices

Working Principles of SSH
⚫ To establish a secure SSH connection, the server and client go through the following five phases:
▫ Version negotiation phase: two versions of SSH exist, SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). The server and client determine the version to be used through negotiation. SSHv1 has known cryptographic weaknesses and should be disabled on devices so that only SSHv2 is accepted.
▫ Algorithm negotiation phase: SSH supports multiple algorithms. The server and client negotiate the algorithms to be used based on the algorithms they support.
▫ Key exchange phase: a session key is generated using the key exchange algorithm. Subsequent traffic between the server and client is encrypted with the session key.
▫ User authentication phase: the SSH client sends an authentication request to the server, and the server authenticates the SSH client.
▫ Session interaction phase: after authentication succeeds, the server and client exchange information.

Figure: the five phases between client and server, mapped to the sub-protocols: (1) version negotiation, (2) algorithm negotiation, and (3) key exchange belong to the transport layer protocol; (4) user authentication to the user authentication protocol; (5) session interaction to the connection protocol.
Version Negotiation Phase
⚫ The client and server exchange SSH version negotiation packets to determine whether to use SSHv1 or SSHv2.

Figure: version negotiation.
1. A three-way TCP handshake establishes the TCP connection.
2. The client sends an SSH version negotiation packet: ssh-2.0-paramiko_2.7.1
3. The server sends an SSH version negotiation packet: SSH-2.0--

Format of the version string: SSH-<major protocol version number>.<minor version number>-<software version number>

• The server listens on TCP port 22, waiting for clients to connect. The client initiates a TCP connection, and the two sides complete the three-way handshake. The client then sends a packet containing the version field in the format Major version number.Minor version number-Software version number. The server parses it to obtain the client's protocol version. If the client's protocol version is earlier than the server's and the server supports that earlier version, the server uses the client's protocol version; otherwise, it uses its own. The software version field is informational and is sent in plaintext: the device above reports only "-", which tells a scanner nothing, whereas a client announcing paramiko_2.7.1 tells any observer exactly which implementation is in use.
Algorithm Negotiation Phase
⚫ The client and the server exchange a list of algorithms that they support. The list includes specific names of the four types of
supported algorithms.

Figure: algorithm negotiation.
1. The server sends its list of supported algorithms (Server: Key Exchange Init):
▫ Key exchange algorithm: diffie-hellman-group14-sha1, ecdh-sha2-nistp521
▫ Public key algorithm: ssh-dss, ssh-rsa, ecdsa-sha2-nistp521
▫ Symmetric encryption algorithm: aes128-ctr, 3des-cbc, aes256-ctr
▫ Message authentication algorithm: hmac-sha2-512, hmac-sha1, hmac-md5
2. The client sends its list of supported algorithms (Client: Key Exchange Init):
▫ Key exchange algorithm: diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1
▫ Public key algorithm: ecdsa-sha2-nistp384, ssh-rsa, ssh-dss
▫ Symmetric encryption algorithm: aes192-ctr, aes256-ctr, aes128-ctr
▫ Message authentication algorithm: hmac-sha2-512, hmac-sha1, hmac-md5
3. The server searches its algorithm list for matching algorithms. If a match is found for each type of algorithm, the next phase starts; otherwise, the connection is disconnected.

• The algorithm negotiation process is as follows: For each algorithm type, the server takes the first algorithm in the client's list and searches its own list for the same algorithm. If it is found, negotiation of that type succeeds and the server moves on to the next type. Otherwise, the server takes the next algorithm in the client's list and searches its own list again, until a match is found.
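As an added example (not from the course or from the Paramiko project), the matching rule above applied to the two Key Exchange Init lists on the slide, plus a constructed deny list showing how a server that removes legacy algorithms from its offer keeps them from ever being negotiated:

```python
# Algorithm negotiation as described in RFC 4253 section 7.1: for each type,
# the chosen name is the first entry in the client's list that the server
# also offers; if some type has no common entry the server disconnects.

class NegotiationFailed(Exception):
    """Raised when client and server share no algorithm of some type."""


# Lists transcribed from the slide's Key Exchange Init messages.
SERVER_KEXINIT = {
    "kex": ["diffie-hellman-group14-sha1", "ecdh-sha2-nistp521"],
    "host_key": ["ssh-dss", "ssh-rsa", "ecdsa-sha2-nistp521"],
    "cipher": ["aes128-ctr", "3des-cbc", "aes256-ctr"],
    "mac": ["hmac-sha2-512", "hmac-sha1", "hmac-md5"],
}
CLIENT_KEXINIT = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1"],
    "host_key": ["ecdsa-sha2-nistp384", "ssh-rsa", "ssh-dss"],
    "cipher": ["aes192-ctr", "aes256-ctr", "aes128-ctr"],
    "mac": ["hmac-sha2-512", "hmac-sha1", "hmac-md5"],
}

# Constructed deny list: legacy choices a hardened server drops from its offer.
LEGACY = {"diffie-hellman-group1-sha1", "3des-cbc", "hmac-md5", "hmac-sha1", "ssh-dss"}

ALGORITHM_TYPES = ("kex", "host_key", "cipher", "mac")


def negotiate_type(client_prefs, server_prefs):
    """Return the first client-preferred name the server also supports."""
    supported = set(server_prefs)
    for name in client_prefs:          # client preference order decides
        if name in supported:
            return name
    raise NegotiationFailed(f"no common algorithm: client {client_prefs} vs server {server_prefs}")


def negotiate(client_kexinit, server_kexinit):
    """Negotiate all four types; raises NegotiationFailed if any type has no match."""
    return {kind: negotiate_type(client_kexinit[kind], server_kexinit[kind])
            for kind in ALGORITHM_TYPES}


def harden(kexinit, deny=LEGACY):
    """Copy of a Key Exchange Init offer with the denied names removed."""
    return {kind: [name for name in names if name not in deny]
            for kind, names in kexinit.items()}
```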
Key Exchange Phase
⚫ Based on the key exchange algorithm, the server and client dynamically generate a session key for subsequent
session encryption. The session key cannot be intercepted by a third party, enhancing security and reliability.

Figure: Diffie-Hellman key exchange between client and server.
The server and client agree on the prime numbers p and g.
1. The client generates a random private key Xc, calculates a public key Yc, and sends the public key Yc to the server.
2. The server generates a random private key Xs, calculates the public key Ys, and sends the public key Ys to the client.
3. The client calculates the session key based on the public key Ys and private key Xc.
4. The server calculates the session key based on the public key Yc and the private key Xs.
Subsequent packets are encrypted based on the session key, and the encryption algorithm is the symmetric encryption algorithm determined in the algorithm negotiation phase.
(After the exchange the client holds p, g, Xc, Ys and the session key; the server holds p, g, Xs, Yc and the session key.)

• The client and the server first agree on two public prime numbers p and g.

• The client and server each randomly generate a private key Xc and Xs, respectively.

• The client and server each calculate their own public key Yc and Ys, respectively.

• The client and server exchange their own public key.

• The client and server calculate the session key for encryption based on the public and
private keys.
• The Diffie-Hellman key exchange algorithm is used for key exchange. It is based on the discrete logarithm problem and is not described in this course. During key exchange, the private keys Xc and Xs are never transmitted, and because computing discrete logarithms is hard, a third party cannot recover them even if it obtains p, g, Yc, and Ys. This ensures the confidentiality of the session keys.

• Note that the public and private keys generated in this phase are used only to
generate session keys and are irrelevant to subsequent user authentication. After the
key exchange phase is complete, all subsequent packets are encrypted based on the
session keys.
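The exchange above carried through in code, as an added example that is not part of the course: p, g, Xc, Xs, Yc and Ys are the slide's symbols, the session key is taken as SHA-256 of the shared secret (an assumption for the demo; SSH derives several keys from the exchange hash), and the demo generates a small safe prime at runtime in place of the 2048-bit and larger groups real SSH uses.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (fine for a demo, not constant time)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits):
    """Return p = 2q + 1 with q prime (a safe prime), so g = 2 has large order.
    Demo sizes only: real SSH groups (RFC 3526, RFC 4419) are 2048 bits or more."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def generate_private_key(p):
    """Random exponent X in [2, p-2]. It never leaves the host that made it."""
    return secrets.randbelow(p - 3) + 2


def derive_public_key(p, g, x):
    """Y = g^X mod p, the only value that is sent over the wire."""
    return pow(g, x, p)


def derive_session_key(p, peer_public, x):
    """K = Y_peer^X mod p, hashed into a 32-byte session key.
    The range check rejects degenerate peer values (1 and p-1) that would
    force the shared secret into a trivial subgroup."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value must lie strictly between 1 and p-1")
    shared = pow(peer_public, x, p)
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def run_key_exchange(bits=128):
    """Both sides of the exchange in one process; returns what each side ends up with."""
    p = generate_safe_prime(bits)   # the 'agree on p and g' step
    g = 2
    xc = generate_private_key(p)    # client side
    yc = derive_public_key(p, g, xc)
    xs = generate_private_key(p)    # server side
    ys = derive_public_key(p, g, xs)
    client_key = derive_session_key(p, ys, xc)   # client: Ys and Xc
    server_key = derive_session_key(p, yc, xs)   # server: Yc and Xs
    return {"p": p, "g": g, "Yc": yc, "Ys": ys,
            "client_key": client_key, "server_key": server_key}
```

Only p, g, Yc and Ys appear in the returned transcript; Xc and Xs stay local, which is the property the notes above describe.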
User Authentication Phase: Password Authentication
⚫ There are two user authentication modes: password authentication and public key authentication.
⚫ During password authentication, the client sends an authentication request carrying the user name and password,
and the server authenticates the received user information against the local user information.

Figure: password authentication between client and server.
1. The client initiates an authentication request: SSH_MSG_USERAUTH_REQUEST (user name: testuser; authentication method: password; password: testpwd).
2. The server compares the user name and password with those saved locally. If they are the same, an authentication success message SSH_MSG_USERAUTH_SUCCESS is returned.
User Authentication Phase: Public Key Authentication
⚫ During public key authentication, a client sends an authentication request carrying a digital signature,
and the server decrypts the digital signature based on the public key to implement authentication.
Figure: public key authentication between client and server.
Beforehand, the client manually generates the public and private keys and manually copies the public key to the server.
1. The client initiates an authentication request: SSH_MSG_USERAUTH_REQUEST (user name: testuser; authentication method: publickey; public key algorithm: ssh-rsa/ssh-dss ...; public key: ssh-rsa AAAAB3NzaC1yc2EA...; digital signature: contains data such as the user name, session ID, public key algorithm, and public key).
2. The server decrypts the digital signature using the locally stored public key, and checks the correctness of the public key and digital signature provided by the client. If they are correct, an authentication success message SSH_MSG_USERAUTH_SUCCESS is returned.

• The digital signature is encrypted with the client's private key. To read its content, the corresponding public key is needed to decrypt it.
Session Interaction Phase
⚫ After the user is authenticated, the client sends a request to the server for establishing a channel to transmit data.

Figure: session interaction between client and server.
1. The client initiates a request to establish a session channel: SSH_MSG_CHANNEL_OPEN.
2. The server checks whether the channel type is supported. If so, SSH_MSG_CHANNEL_OPEN_CONFIRMATION is returned, indicating that the session channel is successfully created.
3. Transmit data. The data is encrypted by using a symmetric encryption algorithm based on session keys.

• The channel types include session, x11, forwarded-tcpip, and direct-tcpip.

• For details, see section 4.9.1 "Connection Protocol Channel Types" in RFC 4250 at https://www.ietf.org/rfc/rfc4250.txt.

• Multiple SSH logical channels can be multiplexed over one SSH session.


Contents

1. Introduction to SSH

2. Paramiko Component Architecture


◼ Paramiko Component Architecture

▫ Transport Class and Its Methods

▫ Key Handling Class and Its Methods

▫ SFTPClient Class and Its Methods

▫ SSHClient Class and Its Methods

3. SSH Practices
Overview of Paramiko
⚫ Paramiko is a Python module that implements the SSHv2 protocol. It supports
password authentication and public key authentication and implements functions
such as secure remote command execution and file transfer.
⚫ Engineers can compile Python code based on the Paramiko module to implement
SSH functions.

Figure: a Paramiko script acts as the SSH client and interacts with the SSH server over the SSH protocol.

• In HCIA courses, we learned how to use the telnetlib module for Telnet remote
connections. In the production environment, the more secure Paramiko module is
recommended for SSH remote connections.
Paramiko Component Architecture
⚫ The following figure shows the components of the Paramiko module. SSHClient and SFTPClient are its
most commonly used classes, which provide the SSH and SFTP functions, respectively.

Figure: Paramiko components. Key-related classes: SSH agents, Host keys, Key handling. Common protocol classes: Channel, Message, Packetizer, Transport, SSHClient, SFTPClient.
Common Paramiko Classes
⚫ Channel: This class is used to create a secure channel over the SSH transport layer.
⚫ Message: An SSH message is a stream of bytes that encodes some combinations of strings, integers,
bools, and infinite-precision integers (known in Python as longs).
⚫ Packetizer: This class is used for packet handling.
⚫ Transport: This class is used to create a transport session object over an existing socket or socket-like
object.
⚫ SFTPClient: This class creates an SFTP session connection through an open SSH transport session and
performs remote file operations.
⚫ SSHClient: This class is an advanced representation of a session with the SSH server. This class
integrates the Transport, Channel, and SFTPClient classes.


• The Channel class provides methods for executing commands, requesting X11 sessions,
sending data, and opening interactive sessions. Generally, these common methods
from the Channel class have been packaged in the SSHClient class.

• The Message class provides methods for writing bytes to a stream and extracting
bytes.
• The Packetizer class provides methods for checking handshakes and obtaining channel
IDs.

• The Transport class provides methods such as public key authentication, private key
authentication, and channel opening.
• The SSHClient class provides methods for establishing connections and opening
interactive sessions.

• The SFTPClient class provides methods such as file upload and download.
Key-Related Classes of the Paramiko Module
⚫ SSH Agent: This class is used for the SSH agent.
⚫ Host keys: This class is related to the OpenSSH known_hosts file and is used to
create a host keys object.
⚫ Key handling: This class is used to create instances of the corresponding key type, for
example, RSA keys and DSS (DSA) keys.


• OpenSSH is a free open-source implementation of the SSH protocol. It provides server programs and client tools. OpenSSH is integrated in all Linux operating systems.
OpenSSH records the public key of each computer that a user has accessed in
~/.ssh/known_hosts. When the same computer is accessed next time, OpenSSH checks
the public key. If the public keys are different, OpenSSH generates a warning to
prevent man-in-the-middle attacks.
Process of Using Paramiko

1. Instantiate the SSH session channel (Transport class):
   tran = paramiko.Transport(('192.168.56.100', 22))
2. Configure password authentication or public key authentication (key handling class):
   key = paramiko.RSAKey.from_private_key_file(r'C:\Users\exampleuser\.ssh\id_rsa')
3. Set up an SSH session connection (Transport class):
   tran.connect(username='client', pkey=key)
4. Send related instructions (SFTPClient class):
   sftp = paramiko.SFTPClient.from_transport(tran)
   sftp.get(remote_path, local_path)
5. Close the session channel (Transport class):
   tran.close()

• This course describes methods of four classes: Transport, key handling, SSHClient, and
SFTPClient.

• This process uses the Paramiko SFTP session as an example. Because the SSHClient
class integrates the Transport, Channel, and SFTPClient classes, the preceding methods
can be implemented by the SSHClient class. This is especially true for SSH sessions.
Transport Class and Its Methods
⚫ Transport class: An SSH transport connects to a stream (usually a socket) to negotiate and encrypt
sessions and perform authentication. Channels can then be created based on the encrypted sessions.
Multiple channels can be multiplexed in a single session connection (in fact, this is often the case, such
as port forwarding).
⚫ The following is an example of the method:
tran = paramiko.Transport(('192.168.56.100', 22))
tran.connect(username='client', password='test')

Common Method -- Function
Transport(sock) -- Creates a Transport object and instantiates the SSH session channel.
connect(username='', password=None, pkey=None) -- Establishes an SSH session connection and uses a password or private key for identity authentication.
close() -- Closes the session.

• For ease of use, you can use an address (as a tuple) or a host string as the sock
parameter. The host string is the host name with an optional port, separated by a
colon (:). If a port is transferred, it is converted to a tuple in the format (host name,
port).
Key Handling Class and Its Methods
⚫ The key handling class is used to create instances of the corresponding key type, for example, RSA keys
and DSS (DSA) keys. This class provides methods for reading and writing keys.
⚫ The following is an example of the method:

key=paramiko.RSAKey.from_private_key_file(r'C:\Users\exampleuser\.ssh\id_rsa')

Common Method -- Function
RSAKey.from_private_key_file(filename) -- Reads the RSA private key from a file to create a key object.
DSSKey.from_private_key_file(filename) -- Reads the DSS private key from a file to create a key object.
SFTPClient Class and Its Methods
⚫ The SFTPClient class creates an SFTP session connection through an open SSH transport session and
performs remote file operations.
⚫ The following is a typical example:
key = paramiko.RSAKey.from_private_key_file(r'C:\Users\exampleuser\.ssh\id_rsa')
tran = paramiko.Transport(('192.168.56.100', 22))
tran.connect(username='client', pkey=key)
sftp = paramiko.SFTPClient.from_transport(tran)
local_path = r'C:\Users\exampleuser\.ssh\vrptest.cfg'
remote_path = '/vrpcfg.cfg'
sftp.get(remote_path, local_path)

Common Method -- Function
from_transport() -- Creates an SFTP session connection through an open Transport session channel.
get() -- Downloads a specified file.
put() -- Uploads a specified file.
Method from_transport
⚫ from_transport(): This method creates an SFTP client channel from the enabled Transport session
channel.
⚫ The following is an example of the method:

t = paramiko.Transport(('192.168.56.100', 22))
sftp = paramiko.SFTPClient.from_transport(t)

Parameter -- Description
t -- An authenticated and enabled Transport session, in the format of (hostname,port).
window_size -- Size of the SFTP session window. This parameter is optional.
max_packet_size -- Maximum packet size of the SFTP session. This parameter is optional.
Method get
⚫ get(): This method copies a remote file (specified by remotepath) from the SFTP server to the
destination path (specified by localpath) on the local host. Any exception raised by operations will be
passed through.
⚫ The following is an example of the method:

local_path=r'C:\Users\exampleuser\.ssh\vrptest.cfg'
remote_path= '/vrpcfg.cfg'
sftp.get(remote_path, local_path)

Parameter -- Description
remotepath -- Remote file.
localpath -- Destination path on the local host. The path must contain the file name. If only a directory is specified, an error may occur.
Method put
⚫ put(): This method copies a local file (specified by localpath) from the local host to the destination
path (specified by remotepath) on the SFTP server. Any exception raised by operations will be passed
through.
⚫ The following is an example of the method:

local_path = r'C:\Users\exampleuser\.ssh\vrptest.cfg'
remote_path = '/vrpcfg.cfg'
sftp.put(local_path, remote_path)

Parameter -- Description
localpath -- Local file.
remotepath -- Destination path on the SFTP server. The path must contain the file name. If only a directory is specified, an error may occur.
SSHClient Class and Its Methods
⚫ The SSHClient class is an advanced representation of a session with an SSH server. This class contains
the Transport, Channel, and SFTPClient classes for session channel establishment and authentication.
The following is a typical example:
client = paramiko.client.SSHClient()
client.connect(hostname='192.168.56.100', port=22, username='client', password='123456')
stdin, stdout, stderr = client.exec_command('ls -l')

Common Method -- Function
connect() -- Connects to the remote server and implements authentication.
set_missing_host_key_policy() -- Specifies a policy to be used when the connected server does not have a known host key.
load_system_host_keys() -- Loads the host keys from the system file.
exec_command() -- Runs Linux commands on the remote server.
invoke_shell() -- Starts an interactive shell session on the remote server.
open_sftp() -- Creates an SFTP channel in a session connection.
close() -- Closes a connection.
Method connect
⚫ connect(): This method is used to connect to a remote server and implement authentication.
⚫ The following is an example of the method:

client.connect(hostname='192.168.56.100', port=22, username='client', key_filename='id_rsa')
client.connect(hostname='192.168.56.100', port=22, username='client', password='123456')

Parameter -- Description
hostname -- Target host to be connected. Only this parameter is mandatory.
port -- Specified port. The default value is 22.
username -- User name for authentication. This parameter is left empty by default.
password -- Password of the user to be authenticated. This parameter is left empty by default.
key_filename -- Private key file name or list. This parameter is left empty by default.
pkey -- Private key used for identity authentication.
... -- ...
Method set_missing_host_key_policy
⚫ set_missing_host_key_policy(): This method specifies a policy to be used when the connected server
does not have a known host key.
⚫ The following is an example of the method:

client.set_missing_host_key_policy(paramiko.client.AutoAddPolicy())

Parameter -- Description
AutoAddPolicy -- Automatically adds the host name and host key to the local HostKeys object, without depending on the configurations of the load_system_host_keys method. That is, when a new SSH connection is set up, you do not need to enter yes or no for confirmation.
WarningPolicy -- Logs a Python-style warning for an unknown host key and accepts it. This method provides functions similar to AutoAddPolicy. The difference lies in that this method will display a message, indicating that the connection is a new connection.
RejectPolicy -- Automatically rejects the unknown host name and key. This method depends on the configuration of the load_system_host_keys method. This is the default option.

• OpenSSH records the public key of each computer that a user has accessed in
~/.ssh/known_hosts. When the same computer is accessed next time, OpenSSH checks
the public key. If the public keys are different, OpenSSH generates a warning to
prevent man-in-the-middle attacks. Generally, when a client connects to the SSH
server for the first time, you need to enter Yes or No for confirmation.
Method load_system_host_keys
⚫ load_system_host_keys(): This method loads the host key from the system file. If no parameter is
specified, the system attempts to read the key from the known hosts file on the local host.
⚫ The following is an example of the method:

client.load_system_host_keys(filename)

Parameter -- Description
filename -- File name. This parameter is left empty by default.
Method exec_command
⚫ exec_command(): This method is used to run Linux commands on a remote server.
⚫ The following is an example of the method:

stdin, stdout, stderr = client.exec_command('ls -l')
Method invoke_shell
⚫ invoke_shell(): This method starts an interactive shell session based on the SSH session connection.
⚫ The following is an example of the method:

cli = client.invoke_shell()

Method open_sftp
⚫ open_sftp(): This method creates and opens an SFTP session on the SSH server.
⚫ The following is an example of the method:

sftp=client.open_sftp()

Contents

1. Introduction to SSH

2. Paramiko Component Architecture

3. SSH Practices
◼ Practices in SSH Python Scripts

▫ Practices in SFTP Python Scripts

Case: Using SSH to Log In to a Device
⚫ Description:
 As shown in the figure below, after the STelnet server function is enabled on the switch that functions as the
SSH server, the PC functioning as the SSH client can log in to the SSH server in password or RSA authentication
mode.

 This case uses RSA user authentication as an example to describe how to configure a client so that it logs in to a
server through SSH using the Paramiko module of Python.

Workflow: Enable STelnet on the device > Configure users > Generate a key pair > Configure the public key > Compile Python code > Verify the configuration.
Topology: STelnet server 192.168.56.100 (GE1/0/0) -- STelnet client 192.168.56.1
Configuration Roadmap

⚫ Configuration on the server:
 Configure STelnet. Specifically, configure a management IP address, enable the STelnet function, and configure the user interface.
 Configure users. Specifically, create a local user and an SSH user, and configure the service type and authentication mode for the users.
 Configure a public key. Specifically, add the public key generated by the client and allocate it to the user.
⚫ Configuration on the client:
▫ Generate a key pair. Specifically, generate a public key and a private key locally.
▫ Compile Python code.
▫ Verify the configuration.
Case: Configuring STelnet on the Server

1. Configure an IP address for the management network port on the server.
<HUAWEI>system-view immediately
[HUAWEI] sysname SSH Server
[SSH Server] interface GE 1/0/0
[SSH Server-GE1/0/0] ip add 192.168.56.100 24
[SSH Server-GE1/0/0] quit

2. Enable STelnet on the server and configure the VTY user interface.
[SSH Server] stelnet server enable
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] user privilege level 3
[SSH Server-ui-vty0-4] quit
Case: Configuring Users on the Server

3. Create a local user on the server, add the user to the administrator group, and configure the service type for the user.

[SSH Server] aaa
[SSH Server-aaa] local-user client password irreversible-cipher Huawei@123
[SSH Server-aaa] local-user client user-group manage-ug
[SSH Server-aaa] local-user client service-type ssh
[SSH Server-aaa] quit

4. Create an SSH user on the server and configure the authentication mode and service type for the user.

[SSH Server] ssh user client
[SSH Server] ssh user client authentication-type rsa
[SSH Server] ssh user client service-type stelnet
Case: Creating an RSA Key Pair on the Client

5. On the client, use Git Bash to create an RSA key pair (private key id_rsa and public key id_rsa.pub) and check the
public key.

exampleuser@exampleuser MINGW64 ~
Generate an RSA public/private key pair -- $ ssh-keygen -t rsa
Generating public/private rsa key pair.
Set the path for storing the key. (Press Enter to use the default path.) -- Enter file in which to save the key (/c/Users/exampleuser/.ssh/id_rsa):
Enter the pass phrase. (Press Enter to use the default pass phrase.) -- Enter passphrase (empty for no passphrase):
Enter the pass phrase again. (Press Enter to use the default pass phrase.) -- Enter same passphrase again:
Path for storing the private key file of the client. -- Your identification has been saved in /c/Users/exampleuser/.ssh/id_rsa
Path for storing the public key file of the client. -- Your public key has been saved in /c/Users/exampleuser/.ssh/id_rsa.pub

Check the public key. -- $ cat /c/Users/exampleuser/.ssh/id_rsa.pub

Case: Configuring a Public Key on the Server

6. On the server, add the public key generated by the client and allocate it to the user.

[SSH Server] rsa peer-public-key rsa01 encoding-type openssh
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-public-key-rsa-key-code] ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABgQDwLRx8MmuNs500dRemhFHdDbBmxco8Bp+wyqwaGuHJZBCjyFQV6AB+ezu
5t0eWE3mw57IZfgmvR+MjBcliZv/x3l8oUMLcQKlKslYQDtvfUCZd+za1suXAPB/dyPKMhYPAzSDA7K+xqCWlmU3q06vxH
EPLMv4A5IX54rKtBnK92fWjl9ACU+ak0ZlHxbKwOFn1tr0GJBazcInEs9DKGwkTTqJdu9+5hI5NxXTSbM3an53805ZbCU18
xPy57g7MZC89vbdsag/uvQmFkLJ3arts/Om2R7fhR92EU/SNPmVy+qDEdwZEVdubdqJInW+8zzVkPGlnb2oH5hwH78Kskl
bxb0fEfmGR0mS1ZAi3ZHUGcEEjuFZona3+5Z0Un2OPxfXwvoljVDusbYcugJHo9Ssurz05GzVuamQZlcO2JYY6FhtLUAImt
XGQ80MpTjB0lcprkAZCib8agYOtVQNTZ7iB0g2EcBN9UTyMz7sh8RtrBDj445r+XPaDE8LmpDRKHMk=
[SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[SSH Server-key-code] peer-public-key end
[SSH Server] ssh user client assign rsa-key rsa01

• For details about the commands, refer to the product documentation at https://support.huawei.com/enterprise/en/doc/EDOC1000097293/466984de?idPath=24030814|21432787|21430822|22318704|9794900.
Case: Compiling Python Code on the Client

7. Compile and run Python code on the client to log in to the server through SSH.

Import modules. -- import paramiko
import time
Instantiate SSH objects. -- ssh = paramiko.SSHClient()
Allow connections to unknown hosts. -- ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
Set up an SSH session connection. -- ssh.connect(hostname='192.168.56.100',port=22,username='client',key_filename=r'C:\Users\exampleuser\.ssh\id_rsa')
Open an interactive session. -- cli = ssh.invoke_shell()
Send the command for canceling screen splitting. -- cli.send('screen-length 0 temporary\n')
Send the command for displaying the current configuration. -- cli.send('display cu\n')
Set the pause duration to 3 seconds. -- time.sleep(3)
Instantiate the received data. -- dis_cu = cli.recv(999999).decode()
Print the command output. -- print(dis_cu)
Close the SSH connection. -- ssh.close()

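A hardened variant of the login script in step 7, added here as an example (not the course's script and not Paramiko's own code). It differs in two places a practitioner would change: the server host key is checked against ~/.ssh/known_hosts with RejectPolicy instead of being trusted automatically by AutoAddPolicy, and command output is collected until the VRP prompt appears instead of one recv() after time.sleep(3), which silently truncates a long display cu. The host address, user name, key path and the ScriptedChannel stand-in are assumptions.

```python
import re
import time

# VRP prompts look like <SSH Server> or [SSH Server-ui-vty0-4] at the end of
# the received buffer. In production, tighten this to the device's sysname
# (e.g. rb"<SSH Server>$") so an output line can never be mistaken for a prompt.
PROMPT_RE = re.compile(rb"[<\[][^\r\n<>\[\]]+[>\]][ \t]*$")


def read_until_prompt(chan, prompt_re=PROMPT_RE, timeout=10.0, idle=0.1):
    """Collect output from a Paramiko channel (or any object with recv_ready()
    and recv()) until the buffer ends with a prompt or the timeout expires.
    On timeout the partial output is returned rather than raising."""
    deadline = time.monotonic() + timeout
    buf = bytearray()
    while time.monotonic() < deadline:
        if chan.recv_ready():
            buf += chan.recv(65535)
            if prompt_re.search(buf):
                break
        else:
            time.sleep(idle)
    return buf.decode("utf-8", errors="replace")


def run_commands(host, username, key_filename, commands, port=22):
    """Log in with RSA key authentication, run each command in an interactive
    shell and return {command: output}. An unknown or changed host key aborts
    the connection with an SSHException instead of being added silently."""
    import paramiko  # assumption: paramiko is installed; imported here so the helpers above work without it
    client = paramiko.SSHClient()
    client.load_system_host_keys()                       # reads ~/.ssh/known_hosts
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(hostname=host, port=port, username=username,
                   key_filename=key_filename, timeout=10)
    try:
        chan = client.invoke_shell()
        outputs = {}
        read_until_prompt(chan)          # consume the login banner and first prompt
        for cmd in commands:
            chan.send(cmd + "\n")
            outputs[cmd] = read_until_prompt(chan, timeout=30)
        return outputs
    finally:
        client.close()


class ScriptedChannel:
    """Constructed stand-in for a Paramiko channel that replays fixed chunks,
    used to exercise read_until_prompt without a device."""

    def __init__(self, chunks):
        self._chunks = list(chunks)

    def recv_ready(self):
        return bool(self._chunks)

    def recv(self, nbytes):
        return self._chunks.pop(0)


if __name__ == "__main__":
    result = run_commands("192.168.56.100", "client",
                          r"C:\Users\exampleuser\.ssh\id_rsa",
                          ["screen-length 0 temporary", "display cu"])
    print(result["display cu"])
```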
Case: Verifying the Configuration on the Client

8. Run the code. The current configuration of the SSH server is displayed.

Info: The max number of VTY users is 5, the number of current VTY users online is 1,
and total number of terminal users online is 2.
<SSH Server>screen-length 0 temporary
Info: The configuration takes effect on the current user terminal interface only.
<SSH Server>display cu
!Software Version V200R005C10SPC607B607
#
……

Case: Using SFTP to Upload and Download Files
⚫ Description:

SSH File Transfer Protocol (SFTP) is a secure file transfer protocol based on SSH. SFTP not only provides all functions of FTP, but also has higher
security and reliability.

As shown in the figure below, after the SFTP server function is enabled on the switch that functions as the SFTP server, the PC functioning as a client
can log in to the SFTP server in password or RSA authentication mode to upload or download files.

This case uses RSA user authentication as an example to describe how to upload and download files on the client through SFTP using the Paramiko
module of Python.

Workflow: Configure SFTP on the device > Configure users > Generate a key pair > Configure the public key > Compile Python code > Verify the configuration.
Topology: SFTP server 192.168.56.100 (GE1/0/0) -- SFTP client 192.168.56.1
Configuration Roadmap

⚫ Configuration on the server:
 Configure SFTP. Specifically, configure the management IP address and enable SFTP on the device.
 Create a user. Specifically, create an SSH user and configure the service type, authentication mode, and SFTP path.
 Configure a public key. Specifically, add the public key generated by the client and allocate it to the user.
 Verify the configuration. Specifically, check the uploaded files.
⚫ Configuration on the client:
▫ Generate a key pair. Specifically, generate a public key and a private key locally.
▫ Compile Python code.
▫ Verify the configuration. Specifically, check the downloaded files.
Case: Configuring SFTP and Users on the Server

1. Configure the management IP address for the SFTP server and enable the SFTP server function.
<HUAWEI>system-view immediately
[HUAWEI] sysname SFTP Server
[SFTP Server] interface GE 1/0/0
[SFTP Server-GE1/0/0] ip add 192.168.56.100 24
[SFTP Server-GE1/0/0] quit
[SFTP Server] sftp server enable

2. Create the SSH user client and configure the authentication type and service type for the user.
[SFTP Server] ssh user client
[SFTP Server] ssh user client authentication-type rsa
[SFTP Server] ssh user client service-type sftp
[SFTP Server] ssh user client sftp-directory cfcard:
[SFTP Server] ssh authorization-type default root
Case: Creating an RSA Key Pair on the Client

3. On the client, use Git Bash to create an RSA key pair (private key id_rsa and public key id_rsa.pub) and check the
public key.

Generate an RSA public/private key pair. -- exampleuser@exampleuser MINGW64 ~
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Set the path for storing the key. (Press Enter to use the default path.) -- Enter file in which to save the key (/c/Users/exampleuser/.ssh/id_rsa):
Enter the pass phrase. (Press Enter to use the default pass phrase.) -- Enter passphrase (empty for no passphrase):
Enter the pass phrase again. (Press Enter to use the default pass phrase.) -- Enter same passphrase again:
Path for storing the private key file of the client. -- Your identification has been saved in /c/Users/exampleuser/.ssh/id_rsa
Path for storing the public key file of the client. -- Your public key has been saved in /c/Users/exampleuser/.ssh/id_rsa.pub

Check the public key. -- $ cat /c/Users/exampleuser/.ssh/id_rsa.pub
Case: Configuring a Public Key on the Server

4. On the server, add the public key generated by the client and allocate it to the user.

[SFTP Server] rsa peer-public-key rsa01 encoding-type openssh


[SFTP Server-rsa-public-key] public-key-code begin
[SFTP Server-rsa-public-key-rsa-key-code] ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABgQDwLRx8MmuNs500dRemhFHdDbBmxco8Bp+wyqwaGuHJZBCjyFQV6AB+ezu
5t0eWE3mw57IZfgmvR+MjBcliZv/x3l8oUMLcQKlKslYQDtvfUCZd+za1suXAPB/dyPKMhYPAzSDA7K+xqCWlmU3q06vxH
EPLMv4A5IX54rKtBnK92fWjl9ACU+ak0ZlHxbKwOFn1tr0GJBazcInEs9DKGwkTTqJdu9+5hI5NxXTSbM3an53805ZbCU18
xPy57g7MZC89vbdsag/uvQmFkLJ3arts/Om2R7fhR92EU/SNPmVy+qDEdwZEVdubdqJInW+8zzVkPGlnb2oH5hwH78Kskl
bxb0fEfmGR0mS1ZAi3ZHUGcEEjuFZona3+5Z0Un2OPxfXwvoljVDusbYcugJHo9Ssurz05GzVuamQZlcO2JYY6FhtLUAImt
XGQ80MpTjB0lcprkAZCib8agYOtVQNTZ7iB0g2EcBN9UTyMz7sh8RtrBDj445r+XPaDE8LmpDRKHMk=
[SFTP Server-rsa-public-key-rsa-key-code] public-key-code end
[SFTP Server-key-code] peer-public-key end
[SFTP Server] ssh user client assign rsa-key rsa01
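Before a public key produced in step 3 is pasted into public-key-code and assigned to a user, the administrator should confirm it is the key the client actually reported (fingerprint) and that it is an RSA key of acceptable size. The same fingerprint comparison is the check the paramiko Transport script later in this case does not perform for the server's host key. The following is an added example, not code from the training material: it decodes the one-line OpenSSH format of id_rsa.pub with the standard library only, computes the SHA256 fingerprint that ssh-keygen -lf prints, and lists reasons to refuse a key. The sample key lines are constructed from made-up moduli; they are not real keys and the function names are the example's own.

```python
import base64
import hashlib
import struct

# Added example (not from the training material): parse an OpenSSH public key line such as
# the id_rsa.pub content and decide whether it is acceptable before it is assigned to an
# SSH user. The sample keys below are constructed from made-up moduli; they are not real keys.


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (RFC 4251 section 5)."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # a leading 1 bit would read as negative, so prepend 0x00
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_openssh_rsa_line(e: int, n: int, comment: str) -> str:
    """Produce the one-line 'ssh-rsa <base64 blob> <comment>' format of id_rsa.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_ssh_string(blob: bytes, offset: int):
    """Read one SSH 'string' at offset; return (data, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def parse_openssh_rsa_line(line: str):
    """Return (key_type, modulus_bits, public_exponent) for an OpenSSH RSA key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    inner_type, off = _read_ssh_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type prefix does not match the type inside the blob")
    if key_type != "ssh-rsa":
        raise ValueError(f"unsupported key type {key_type}")
    e_bytes, off = _read_ssh_string(blob, off)
    n_bytes, off = _read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing data in key blob")
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    return key_type, n.bit_length(), e


def sha256_fingerprint(line: str) -> str:
    """The SHA256:<base64, no padding> fingerprint that `ssh-keygen -lf` prints."""
    blob = base64.b64decode(line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_problems(line: str, expected_fingerprint: str = None, min_bits: int = 2048) -> list:
    """List reasons not to install this key on the server; an empty list means acceptable."""
    key_type, bits, e = parse_openssh_rsa_line(line)
    problems = []
    if bits < min_bits:
        problems.append(f"modulus is {bits} bits, below the {min_bits}-bit minimum")
    if e < 65537:
        problems.append(f"public exponent {e} is unusually small")
    if expected_fingerprint is not None and sha256_fingerprint(line) != expected_fingerprint:
        problems.append("fingerprint does not match the value the client reported")
    return problems


# Constructed sample keys (made-up moduli, NOT real RSA keys, only for parsing).
SAMPLE_2048 = build_openssh_rsa_line(65537, (1 << 2047) | 0x10001, "exampleuser@client")
SAMPLE_1024 = build_openssh_rsa_line(65537, (1 << 1023) | 0x10001, "legacy@client")

if __name__ == "__main__":
    for line in (SAMPLE_2048, SAMPLE_1024):
        print(parse_openssh_rsa_line(line), sha256_fingerprint(line), key_problems(line))
```

The fingerprint is computed over the decoded blob, not the base64 text, which is why it matches what ssh-keygen shows on the client regardless of the comment field; comparing that value out of band is what ties the key in public-key-code to the person who generated it.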

• For details about the commands, refer to the product documentation at
https://support.huawei.com/enterprise/en/doc/EDOC1000097293/466984de?idPath=24030814|21432787|21430822|22318704|9794900.

Case: Compiling Python Code on the Client

5. Compile and run Python code on the client to log in to the server through SFTP and upload and download files.

import paramiko                                                                    # Import the module.

key = paramiko.RSAKey.from_private_key_file(r'C:\Users\exampleuser\.ssh\id_rsa')  # Create an RSA key object.
tran = paramiko.Transport(('192.168.56.100', 22))                                  # Instantiate the session channel.
tran.connect(username='client', pkey=key)                                          # Set up an SSH session connection.
sftp = paramiko.SFTPClient.from_transport(tran)                                    # Set up an SFTP channel.
local_path = r'C:\Users\exampleuser\.ssh\vrptest.cfg'                              # Set the local path.
remote_path = '/vrpcfg.cfg'                                                        # Set the remote path.
sftp.get(remote_path, local_path)                                                  # Perform the download operation.
sftp.put(local_path, '/test.cfg')                                                  # Perform the upload operation.
tran.close()                                                                       # Close the session.

Case: Verifying the Configuration on the Server and Client

6. Run the code. The client successfully downloads the specified file to the local host.

7. Run the dir command on the server. The specified file is successfully uploaded to the server.
<SFTP Server>dir
Directory of cfcard:/

Idx  Attr  Size(Byte)  FileName
  5  -rw-       2,428  test.cfg
  6  -rw-       2,493  vrpcfg.cfg

Quiz

1. (Multiple-answer question) Which of the following phases are involved in the SSH protocol? ( )
A. Version negotiation phase
B. Algorithm negotiation phase
C. Key exchange phase
D. User authentication phase
E. Session interaction phase

1. ABCDE
Summary
⚫ This course describes the concepts of Paramiko and SSH, and illustrates the working
principles of SSH.
⚫ This course also describes the components and common methods of Paramiko. In the last
part, this course uses example scripts of Python SSH and SFTP to show the use and practices
of Paramiko methods, thereby implementing preliminary network automation based on
SSH.
⚫ For more information, visit Paramiko's official website, read SSH RFC documents, and learn
upper-layer SSH libraries such as Fabric. Fabric is developed based on Paramiko and is
further encapsulated to improve SSH-based application deployment and system
management efficiency.

More Information
⚫ Paramiko official websites
 docs.paramiko.org/en/latest/index.html
 www.paramiko.com
⚫ SSH RFC documents
 https://tools.ietf.org/html/rfc4251.html
 https://tools.ietf.org/html/rfc4252.html
 https://tools.ietf.org/html/rfc4253.html
 https://tools.ietf.org/html/rfc4254.html
⚫ Fabric official website
 https://fabric-chs.readthedocs.io/zh_CN/chs/tutorial.html

Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
NETCONF YANG Principles and Practices
Foreword

⚫ For device configuration management, engineers are more accustomed to using the CLI to interact with devices. This mode is simple, direct, and easy to understand. However, in the network automation field, the CLI mode has problems such as low efficiency and difficult command understanding.
⚫ To simplify device configuration and management, the Internet Engineering Task Force (IETF) has set up work groups and released the NETCONF, YANG, and RESTCONF standards.

Objectives

⚫ On completion of this course, you will be able to:
 Describe the problems and challenges of traditional network configuration management.
 Describe the basic principles of NETCONF, YANG, and RESTCONF.
 Describe the differences and relationships between NETCONF, YANG, and RESTCONF.
 Understand the working principles of NETCONF and RESTCONF.

Contents

1. Network Management Technology Background
2. NETCONF Protocol
3. Modeling Language of YANG
4. RESTCONF Protocol
Introduction to Device Data
• Data is the carrier of information. Information that can be obtained from a running device is classified into configuration data and status data.
 Configuration data is writable. It can change the system status, for example, from the initial state to the current state.
 Status data is read-only non-configuration data in a system, for example, status information and statistics information.
• There are multiple methods to modify device data, either based on command lines or based on specific protocols. The CLI and SNMP are the most typical methods for obtaining device data.

(Figure: the CLI, SNMP, Telemetry, NETCONF, and RESTCONF all access the device's configuration data and status data.)
Configuring a Network Device
⚫ You can configure and manage a device in multiple ways. You can use the console cable to directly connect to the device or use SSH to remotely log in to the device, and then use the CLI to configure the device. You can also use the NMS server to set parameters in the MIB node of the device through SNMP set.
⚫ With the increase of network scale and complexity, the preceding two methods cannot satisfy the configuration management requirements. To resolve this problem, NETCONF based on Extensible Markup Language (XML) is introduced.

(Figure: CLI over Telnet/SSH or the console; SNMP set operation; NETCONF/RESTCONF.)

• SNMP is based on UDP and is stateless, unordered, and unreliable for configuration management.
• SNMP configures only one object at a time, not a whole service. During the concurrent configuration of multiple objects, if some objects are successfully configured but others fail, unknown impacts will be caused on the network.
• The SNMP interface is difficult to understand.
Typical Configuration Management Methods

CLI
 Advantages:
 1. It uses a text interface, which is easy to understand.
 2. Based on Telnet/SSH, it is easy to use.
 Disadvantages:
 1. Vendors have different definitions. Carriers need to learn and develop adaptation scripts for each vendor.
 2. Configuration scripts are unstructured, unpredictable, and easy to change, which makes parsing complex. CLI scripts are difficult to maintain, and automatic parsing is difficult to implement.

SNMP
 Advantages:
 1. It uses an interface between machines. The data model file (MIB) is available.
 2. It is mainly used for network monitoring.
 Disadvantages:
 1. Based on the UDP protocol, it is stateless, unordered, and unreliable.
 2. Configuration can be performed on objects only one by one, and is not oriented to a service. During the concurrent configuration of multiple objects, if some objects are successfully configured but some objects fail to be configured, unknown impacts may be caused on the network.
 3. SNMP manages only a single device and does not support network-level configuration or multi-device configuration collaboration.
 4. The binary interface is difficult to understand.
 5. It is insecure.

No matter how configuration automation technologies develop, the CLI is still used in essence.

SNMP is not suitable for configuration management.
Requirements for Network Management

⚫ At the 2002 IAB Network Management Workshop, 14 essential requirements for network management were raised:
01 Ease of use
02 Clear distinction between configuration data and status data
03 Separate obtaining of configuration data and status data, and support for data comparison between devices
04 Network-level service configuration capability
05 Support for network-level configuration transactions
06 Proper internal configuration sequence, minimizing the impact caused by configuration changes
07 Support for configuration backup and restoration
08 Support for configuration verification, including network-level configuration verification
09 Standard data models and unified data formats
10 Text-based configuration
11 Role-based access control and minimum authorization
12 Support for consistency check of access control lists across devices
13 Support for multiple configuration sets and distinguishing between the distribution of configurations and the activation of a certain configuration
14 Support for data-oriented or task-oriented access control

• For details, see RFC3535.
• Different IETF work groups and drafts gradually meet the 14 requirements.


Gradual Implementation of Meeting Conclusions by the IETF Work Group

(Timeline from the figure, reconstructed in chronological order:)
2002: RFC3535, IAB Network Management Workshop
2006: RFC4741, 4742, NETCONF 1.0, not restricting the model language
2008: RFC5277, NETCONF Event Notification
2009: RFC5717, Partial Lock
2010: RFC6020, YANG 1.0, defining the method of combining with NETCONF; RFC6022, NETCONF Monitoring
2011: RFC6241, 6242, NETCONF 1.1, determining the combination with YANG; RFC6243, With-defaults
2012: RFC6470, Base Notification; RFC6536, NETCONF access control
2014: RFC7223, 7224, 7277, 7317, 7407, four standard YANG models: Interface, IP, System Management, SNMP Config
2016: RFC7895, YANG Library; RFC7950, YANG 1.1; RFC7951, JSON encoding of YANG modeling data
2017: RFC8040, RESTCONF 1.0

• The IETF gradually implements the conclusions of the IAB meeting. Different work groups gradually improve the 14 requirements.
• NETCONF 1.0 has no requirements on the model language. The combination between NETCONF 1.1 and YANG is determined.
Process for an Engineer to Configure Devices
⚫ The command line is an interactive language between humans and devices. Engineers query the product documentation and configure a device using the CLI.
⚫ Command lines are nested to implement device configuration.

Device description (Router: interfaces with a name and an MTU; attributes such as the system name; ...) mapped to CLI commands entered over SSH or the console:

[Router] interface GE 1/0/0
[Router-GE1/0/0] mtu 1500
...
Process for NETCONF to Configure Devices
⚫ A YANG file describes device data in another way.
⚫ The YANG model uses the module-container-leaf structure to describe devices. For example, the YANG model defines field types and specifications for router interfaces and attributes.

The same device description (Router: interfaces with a name and an MTU; attributes such as the system name; ...) expressed as a YANG file:

module HuaweiRouter {
  container interface {
    leaf name {
      type string;
    }
    leaf mtu {
      type uint16;
    }
    ...
  }
  container properties {
    leaf sysname {
      type string;
    }
    leaf ...
  }
}

The NETCONF client converts the YANG file into NETCONF messages to configure a device.

• This example is not a real example. The YANG model does not take the entire device as one YANG file. Instead, the YANG model splits it into multiple YANG files by function.
2. NETCONF Protocol
NETCONF Overview
⚫ NETCONF provides a network device management mechanism. You can use NETCONF to add, modify, or delete configurations of network devices, and obtain configurations and status of network devices.
⚫ NETCONF has three objects:
 NETCONF client (in the figure, the management platform or SDN controller)
 NETCONF server (in the figure, Device 1, Device 2, and Device 3)
 NETCONF message (exchanged between the client and the server across the network)
NETCONF Protocol Framework
NETCONF is partitioned into four layers, as described below. (The figure shows, from top to bottom: Content layer: Config&Status Data, Notification Data; Operations layer: <edit-config>, <get-config>, etc.; Messages layer: <rpc>, <rpc-reply>, <notification>; Secure transport layer: SSH, BEEP, SOAP, TLS.)
⚫ Secure transport layer: provides a communication path for interaction between the client and server. Currently, Huawei uses SSH as the transport protocol of NETCONF.
⚫ Messages layer: provides a simple RPC request and response mechanism independent of the transport protocol layer. The NETCONF client uses an <rpc> element to encapsulate RPC request information and sends the information to the NETCONF server. Upon receipt, the NETCONF server uses an <rpc-reply> element to encapsulate RPC response information and returns the information to the NETCONF client.
⚫ Operations layer: defines a group of basic operations as RPC invoking methods. These operations constitute basic NETCONF capabilities.
⚫ Content layer: describes configuration data involved in network management. The configuration data depends on vendors' devices. Currently, mainstream data models include the Schema model and YANG model.
XML Encoding
⚫ XML is the encoding format of NETCONF. NETCONF uses text files to represent complex hierarchical data.

<?xml version="1.0" encoding="UTF-8"?>
<note>
<to>Learners</to>
<from>Huawei</from>
<heading>Reminder</heading>
<body>Don't forget Reading!</body>
</note>

The header of an XML encoding file is as follows:
<?xml version="1.0" encoding="UTF-8"?>
In the preceding format:
<?: indicates the start of an instruction.
xml: identifies an XML file.
version: indicates the XML version. "1.0" indicates that the XML 1.0 standard version is used.
encoding: indicates the character set encoding format. Only UTF-8 encoding is supported.
?>: indicates the end of an instruction.

The XML document forms a tree structure, unfolding from the root.
The <note>, <to>, <from>, <heading>, and <body> tags are user-defined. The XML language does not have predefined tags, allowing users to customize tags and document structures.
Content is nested in the tag format. The slash (/) indicates the end of the current tag.
Transport Layer and Messages Layer

⚫ NETCONF uses SSH to implement secure transmission and uses Remote Procedure Calls (RPCs) to implement communication between the client and server.

(Figure: the NETCONF client sends <rpc> and the NETCONF server returns <rpc-reply>, both carried over SSH.)

The RPC framework is independent of the transport layer, and is used to indicate NETCONF requests and responses.

⚫ <rpc>: encapsulates NETCONF requests from the client to the server. The header defines the message-id identification sequence.
⚫ <rpc-reply>: response message sent by the server to the <rpc>. The values of message-id in the headers are the same.
 <rpc-error> is sent in <rpc-reply>. One <rpc-reply> element can contain multiple <rpc-error> elements.
 If <ok> is sent in <rpc-reply>, no error or data is returned.

• For details, see RFC 6241.

Basic Operations of NETCONF

⚫ NETCONF defines a series of operations:

Scenario Type      Operation          Function Description
Querying data      <get-config>       Queries configuration data.
                   <get>              Queries the current configuration and status data of the device.
Editing data       <edit-config>      Creates, modifies, or deletes configuration data.
Backup/Recovery    <copy-config>      Exports configuration data, or replaces one set of configuration data with another set of configuration data.
                   <delete-config>    Deletes the configuration data set and clears the startup configuration.
Locking/Unlocking  <lock>             Locks and exclusively occupies the permission to modify the configuration data set.
                   <unlock>           Unlocks the configuration data set and cancels the exclusive permission to modify the configuration data set.
Transaction        <commit>           Commits configuration data in the <candidate> data set to the current running configuration data.
                   <cancel-commit>    Cancels the trial run of configuration committing.
                   <discard-changes>  Discards the uncommitted configuration data in <candidate>.
                   <validate>         Checks whether the syntax and semantics of the specified configuration data are correct.
Session            <close-session>    Normally ends the NETCONF session.
                   <kill-session>     Forcibly terminates other NETCONF sessions. You must have the administrator rights to perform this operation.
Operation Objects of NETCONF

⚫ Operation objects have three configuration databases. You can flexibly read and edit the candidate, running, and startup configuration databases to deliver, verify, and roll back the overall configuration.

(Figure: the router/switch holds the candidate configuration database <candidate>, the running configuration database <running>, and the startup configuration database <startup>. <edit-config>, <validate>, <discard-changes>, and <lock>/<unlock> are shown against the candidate database; <commit> moves candidate data into <running>; <copy-config> copies between the databases and a file <url>; <delete-config> removes a database; <startup> is used on restart/recovery.)
Example: Delivering VLAN Configurations

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="801">
  <edit-config>
    <target>
      <running/>
    </target>
    <default-operation>merge</default-operation>
    <error-option>rollback-on-error</error-option>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <vlan xmlns="http://www.huawei.com/netconf/vrp/huawei-vlan">
        <vlans>
          <vlan>
            <vlanId>10</vlanId>
            <protocolVlans>
              <protocolVlan xc:operation="merge">
                <protocolIndex>0</protocolIndex>
              </protocolVlan>
            </protocolVlans>
          </vlan>
        </vlans>
        ...
</rpc>

RPC request: Create a common VLAN with the VLAN ID of 10.

⚫ In this example, the edit-config operation loads data to the running configuration database <running/>.
⚫ Deliver the information for creating VLAN 10.
⚫ The operation is merge. The available operations are as follows:
 merge
 create
 delete
 remove

• <config> may contain the optional operation attribute, which is used to specify an operation type for a configuration item. If the operation attribute is not carried, the merge operation is performed by default. The operation attribute values are as follows:
▫ merge: In the database, modify the existing data or create data that does not exist. This is the default operation.
▫ create: Add configuration data to the configuration database only when the configuration data to be created does not exist in the configuration database. If the configuration data exists, <rpc-error> is returned, in which the <error-tag> value is data-exists.
▫ delete: Delete a specified configuration data record from the configuration database. If the data record exists, the data record is deleted. If the data record does not exist, <rpc-error> is returned, in which the <error-tag> value is data-missing.
▫ remove: Delete a specified configuration data record from the configuration database. If the data exists, the data is deleted. If the data does not exist, a success message is returned.
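The request above is usually produced and its reply consumed by a script rather than typed by hand. The following added example (not code from the training material or from Huawei) builds the same <edit-config> for a VLAN with a chosen operation attribute using only the standard library, and parses the <rpc-reply>: it refuses a reply whose message-id does not match the request, and collects <rpc-error> details such as the data-exists error that a create of an existing VLAN returns. The VLAN namespace is the one in the page's request; the two sample replies are constructed for the example, not captured from a device, and the function names are the example's own.

```python
import xml.etree.ElementTree as ET

# Added example (not from the training material): build the <edit-config> RPC of the
# VLAN example with a chosen nc:operation, and parse the <rpc-reply>, checking the
# message-id and collecting <rpc-error> elements. Standard library only.

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
VLAN_NS = "http://www.huawei.com/netconf/vrp/huawei-vlan"  # namespace from the page's request
VALID_OPERATIONS = ("merge", "create", "delete", "remove")

ET.register_namespace("xc", NC_NS)  # serialise the attribute as xc:operation like the page


def nc(tag: str) -> str:
    return f"{{{NC_NS}}}{tag}"


def vl(tag: str) -> str:
    return f"{{{VLAN_NS}}}{tag}"


def build_vlan_edit_config(vlan_id: int, operation: str, message_id: str) -> str:
    """Return the <rpc> text that applies `operation` to VLAN vlan_id in <running>."""
    if operation not in VALID_OPERATIONS:
        raise ValueError(f"operation must be one of {VALID_OPERATIONS}")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    rpc = ET.Element(nc("rpc"), {"message-id": message_id})
    edit = ET.SubElement(rpc, nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, nc("target")), nc("running"))
    ET.SubElement(edit, nc("default-operation")).text = "merge"
    # rollback-on-error: the whole edit is undone if any part of it fails
    ET.SubElement(edit, nc("error-option")).text = "rollback-on-error"
    config = ET.SubElement(edit, nc("config"))
    vlans = ET.SubElement(ET.SubElement(config, vl("vlan")), vl("vlans"))
    vlan = ET.SubElement(vlans, vl("vlan"), {nc("operation"): operation})
    ET.SubElement(vlan, vl("vlanId")).text = str(vlan_id)
    return '<?xml version="1.0" encoding="UTF-8"?>' + ET.tostring(rpc, encoding="unicode")


def describe_request(request_xml: str) -> dict:
    """Parse a built request back: which message-id, operation and VLAN it carries."""
    root = ET.fromstring(request_xml)
    for vlan in root.iter(vl("vlan")):  # the outer <vlan> container has no vlanId child
        vid = vlan.find(vl("vlanId"))
        if vid is not None:
            return {"message_id": root.get("message-id"),
                    "operation": vlan.get(nc("operation")),
                    "vlan_id": int(vid.text)}
    raise ValueError("no VLAN entry in request")


def parse_rpc_reply(reply_xml: str, expected_message_id: str) -> dict:
    """Summarise an <rpc-reply> as {'ok': bool, 'errors': [{'tag': ..., ...}, ...]}."""
    root = ET.fromstring(reply_xml)
    if root.tag != nc("rpc-reply"):
        raise ValueError(f"not an rpc-reply: {root.tag}")
    # The reply repeats the request's message-id; a mismatch means it answers another RPC.
    if root.get("message-id") != expected_message_id:
        raise ValueError("message-id mismatch between request and reply")
    errors = []
    for err in root.findall(nc("rpc-error")):
        errors.append({
            "type": err.findtext(nc("error-type")),
            "tag": err.findtext(nc("error-tag")),
            "severity": err.findtext(nc("error-severity")),
            "message": (err.findtext(nc("error-message")) or "").strip(),
        })
    # <ok/> means no error and no data; treat any <rpc-error> as failure regardless.
    ok = root.find(nc("ok")) is not None and not errors
    return {"ok": ok, "errors": errors}


# Constructed sample replies (not captured from a device).
REPLY_OK = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="801">'
            '<ok/></rpc-reply>')
REPLY_DATA_EXISTS = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="801">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>data-exists</error-tag>
    <error-severity>error</error-severity>
    <error-message xml:lang="en">VLAN 10 already exists</error-message>
  </rpc-error>
</rpc-reply>"""

if __name__ == "__main__":
    print(build_vlan_edit_config(10, "create", "801"))
    print(parse_rpc_reply(REPLY_OK, "801"))
    print(parse_rpc_reply(REPLY_DATA_EXISTS, "801"))
```

Building the document with ElementTree instead of string formatting means a VLAN ID or operation value can never break out of its element, and the error list gives an automation script the <error-tag> it needs to distinguish "already there" (data-exists) from a real failure.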

Content Layer of NETCONF

⚫ The NETCONF content layer configures data for devices. Configuration data requires a modeling language, which depends on the implementation of each vendor. NETCONF 1.0 has no requirements on the model language. NETCONF 1.1 clearly defines the combination with YANG and starts to standardize the NETCONF content format.

NETCONF has two modeling languages: Schema and YANG.

⚫ Schema is a set of defined rules for describing XML documents. A schema file defines all the management objects on a managed device, the constraints and hierarchical relationships between these management objects, and the read and write permissions of these management objects.
⚫ YANG is a data modeling language developed to design NETCONF-oriented configuration data, status data models, RPC models, and notification mechanisms.

⚫ Currently, Huawei devices support the following content layers:
 Huawei-YANG
 NETCONF Schema
 IETF-YANG
 OpenConfig-YANG

• Schema is a language in which Huawei extends private syntax based on the W3C XML standard. Before the NETCONF standard was bound to the YANG model, VRPV8 had already implemented Schema.
• Huawei-YANG has the most abundant content.

Example: Delivering VLAN Configurations (HUAWEI-YANG)

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="801">
  <edit-config>
    <target>
      <running/>
    </target>
    <default-operation>merge</default-operation>
    <error-option>rollback-on-error</error-option>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <vlan xmlns="http://www.huawei.com/netconf/vrp/huawei-vlan">
        <vlans>
          <vlan>
            <vlanId>10</vlanId>
            <protocolVlans>
              <protocolVlan xc:operation="merge">
                <protocolIndex>0</protocolIndex>
              </protocolVlan>
            </protocolVlans>
          </vlan>
        </vlans>
        …
</rpc>

RPC request: Create a common VLAN with the VLAN ID of 10.

⚫ In this example, the edit-config operation loads data to the running configuration database <running/>.
⚫ <config></config>: content layer information.
⚫ The namespace of the content layer is http://www.huawei.com/netconf/vrp/huawei-vlan.
⚫ The content layer structure is as follows: <vlans> contains <vlan>, including <vlanId> and <protocolVlans>.

• For details, see the NETCONF YANG API Reference released at the official website.

Example: Delivering VLAN Configurations (Schema)

<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="801">
  <edit-config>
    <target>
      <running/>
    </target>
    <default-operation>merge</default-operation>
    <error-option>rollback-on-error</error-option>
    <config>
      <vlan xmlns="http://www.huawei.com/netconf/vrp" content-version="1.0" format-version="1.0">
        <vlans>
          <vlan operation="merge">
            <vlanId>10</vlanId>
            <vlanType>common</vlanType>
          </vlan>
        </vlans>
      </vlan>
    </config>
  </edit-config>
</rpc>

RPC request: Create a common VLAN with the VLAN ID of 10.

⚫ This example also describes how to create VLAN 10, but the content is in the Schema mode.
⚫ HUAWEI-YANG is recommended, because it has more comprehensive support features.
NETCONF Configuration
1. Enter the NETCONF view.

[Huawei] netconf

Run the netconf command in the system view to enter the NETCONF view.

2. Configure the port number for NETCONF services.

[Huawei-netconf] protocol inbound ssh port 830

Enable NETCONF services on port 830 of the SSH server.

3. Enable NETCONF.

[Huawei] snetconf server enable

Enable the NETCONF services of the SSH server on TCP port 22.
• Either the snetconf server enable command or the protocol inbound ssh port 830 command can be used to enable NETCONF. If both commands are executed, the client can use port 22 or 830 to establish a NETCONF connection with the server.
• NETCONF uses SSH as the transport protocol. Therefore, you must configure SSH before using NETCONF.
3. Modeling Language of YANG
Origin of YANG
⚫ Although the NETCONF protocol is standardized, data content is not standardized. How can we describe a piece of data?

NETCONF session: standardized (√)  RPC message: standardized (√)  Data: not standardized (×)

A data model is an abstraction and expression of data features.

Requirements for a data model:
 Intuitive simulation of the real world
 Easy to understand
 Easy to be implemented by computers
Three factors of a data model:
 Data structure
 Data integrity constraint
 Data operation
To describe the data model, a language is required!
YANG Language Overview
⚫ Yet Another Next Generation (YANG) is a data modeling language.
⚫ The YANG model defines the hierarchical structure of data and can be used for NETCONF-based
operations. Modeling objects include configuration, status data, remote procedure calls, and
notifications. This allows a complete description of all data exchanged between a NETCONF client and
server. YANG has the following features:
 Hierarchical tree-like structure modeling.
 Data models are presented as modules and sub-modules.
 It can be converted to the YANG Independent Notation (YIN) model based on the XML syntax without any loss.
 Defines built-in data types and extensible types.

The YANG model is presented as a .yang file.


• YANG originates from NETCONF but is not only used for NETCONF. Although the
YANG modeling language is unified, YANG files are not unified.

• YANG files can be classified into three types: vendor-specific YANG files, IETF-defined
YANG files, and OpenConfig YANG files.
• The Config&Status Data, Notification Data, and bottom-layer RPC messages in
NETCONF can be modeled using the YANG model. YANG model files can be converted
into XML/JSON files using a tool and then encapsulated into NETCONF/RESTCONF
messages.
• For details, see RFC 7950.
Introduction to YANG Files – Module

module example-system {
  yang-version 1.1;
  namespace "urn:example:system";
  prefix "sys";

  organization "Example Inc.";
  contact "joe@example.com";
  description
    "The module for entities implementing the Example system.";

  revision xxxx-xx-xx {
    description "Initial revision.";
  }

  container system {
    leaf host-name {...}
    container login {...}
  }
  container X {...}
}

• A YANG file can be defined as a module or submodule. Modules and submodules can reference other modules' model files to use the data types and structures defined by other modules.
• Each module contains multiple declarations, including:
 YANG version, which is 1.0 or 1.1.
 YANG namespace, which is IETF YANG or OpenConfig YANG.
 Organization information
 Contact
 File description
 Change history

• For details, see RFC 7950.
Introduction to YANG Files – Leaf Node
⚫ A leaf node is used to define a variable of a simple specified type and is declared using the leaf keyword.

⚫ A leaf node has sub-declarations and values but no sub-nodes. In this example, host-name contains two sub-
declarations: type and description.
 type indicates the value type. In this example, the value is string.

 description indicates the description.

YANG model:
leaf host-name {
  type string;
  description
    "Hostname for this system.";
}

XML encoding:
<host-name>my.example.com</host-name>

• For more information, see RFC 7950.

Introduction to YANG Files – Leaf List
⚫ Leaf List is used to define an array variable and is declared using the leaf-list keyword.

⚫ In this example, domain-search has two sub-declarations: type and description.


 type indicates the value type. In this example, the value is string.

 description indicates the description.

YANG model:
leaf-list domain-search {
  type string;
  description
    "List of domain names to search.";
}

XML encoding:
<domain-search>high.example.com</domain-search>
<domain-search>low.example.com</domain-search>
<domain-search>everywhere.example.com</domain-search>
Introduction to YANG Files – List Node
⚫ A list node is used to define a higher-level data node. Each list node is uniquely identified by a key and can contain multiple leaf nodes.

YANG model:
list user {
  key "name";
  leaf name {
    type string;
  }
  leaf full-name {
    type string;
  }
  leaf class {
    type string;
  }
}

XML encoding:
<user>
  <name>glocks</name>
  <full-name>Goldie Locks</full-name>
  <class>intruder</class>
</user>
<user>
  <name>snowey</name>
  <full-name>Snow White</full-name>
  <class>free-loader</class>
</user>
<user>
  <name>rzell</name>
  <full-name>Rapun Zell</full-name>
  <class>tower</class>
</user>
Introduction to YANG Files – Container Node
• Container nodes are used to define data sets in a larger scope. A container node has only sub-nodes and carries no value of its own. These sub-nodes can be container, leaf, leaf-list, or list nodes.

YANG model:
container system {
  container login {
    leaf message {
      type string;
      description
        "Message given at start of login session.";
    }
    list user {
      key "name";
      leaf name {
        type string;
      }
      leaf full-name {
        type string;
      }
      leaf class {
        type string;
      }
    }
  }
}

XML encoding:
<system>
  <login>
    <message>Good morning</message>
  </login>
</system>
Introduction to YANG Files – Grouping
⚫ Grouping is used to define nodes that can be reused. Generally, grouping is used together with uses. In this example, target defines leaf address and leaf port. If uses target is specified in the container peer, the leaf model is reused.

grouping target {
  leaf address {
    type inet:ip-address;
    description "Target IP address.";
  }
  leaf port {
    type inet:port-number;
    description "Target port number.";
  }
}
container peer {
  container destination {
    uses target;
  }
}
Introduction to YANG Files – Configuration Data and Status Data
⚫ YANG files can declare data types.
• The config declaration is used to distinguish configuration data from status data.
▫ config true indicates configuration data.
▫ config false indicates status data.

list interface {
  key "name";
  config true;
  leaf name {
    type string;
  }
  leaf speed {
    type enumeration {
      enum 10m;
      enum 100m;
      enum auto;
    }
  }
  leaf observed-speed {
    type uint32;
    config false;
  }
}

• For details, see RFC 7950.
Introduction to YANG Files – Data Type
⚫ The YANG model supports built-in default data types and extended data types. The typedef declaration is used to define extended data types.

Built-in types:
Name                 Description
binary               Any binary data
bits                 A set of bits or flags
boolean              "true" or "false"
decimal64            64-bit signed decimal number
empty                A leaf that does not have any value
enumeration          Enumerated strings
identityref          A reference to an abstract identity
instance-identifier  References a data tree node
int8                 8-bit signed integer
int16                16-bit signed integer
int32                32-bit signed integer
int64                64-bit signed integer
leafref              A reference to a leaf instance
string               Human-readable string
uint8                8-bit unsigned integer
uint16               16-bit unsigned integer
uint32               32-bit unsigned integer
uint64               64-bit unsigned integer
union                Choice of member types

Extended type defined with typedef:
typedef percent {
  type uint8 {
    range "0 .. 100";
  }
}

leaf completed {
  type percent;
}
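The config true/false distinction on the interface list and the typed leaves (the speed enumeration, the percent typedef restricting uint8 to 0..100) are what a NETCONF server enforces when it receives an edit. The following added example (not code from the training material or from any YANG tool) encodes those constraints from the two preceding slides in a small hand-written table and checks the leaves of an incoming <interface> entry against them: a write to the read-only observed-speed leaf is refused, an enumeration value outside 10m/100m/auto is refused, and a percent value is checked against the base uint8 range first and then the 0..100 restriction. The schema table, the sample edits and the function names are constructed for the example; a real server derives the constraints from the .yang modules.

```python
import xml.etree.ElementTree as ET

# Added example (not from the training material): apply the constraints of the page's
# YANG snippets (config true/false, the speed enumeration, the percent typedef) to the
# leaves of an incoming edit. The schema table is hand-written from those snippets.

BUILTIN_INT_RANGES = {
    "int8": (-128, 127), "int16": (-32768, 32767),
    "int32": (-2**31, 2**31 - 1), "int64": (-2**63, 2**63 - 1),
    "uint8": (0, 255), "uint16": (0, 65535),
    "uint32": (0, 2**32 - 1), "uint64": (0, 2**64 - 1),
}

# typedef percent { type uint8 { range "0 .. 100"; } }
TYPEDEFS = {"percent": {"base": "uint8", "range": (0, 100)}}

# Leaves of the page's "list interface" plus "leaf completed" (constructed table).
SCHEMA = {
    "name": {"type": "string", "config": True},                      # list key
    "speed": {"type": "enumeration", "enums": {"10m", "100m", "auto"}, "config": True},
    "observed-speed": {"type": "uint32", "config": False},           # status data
    "completed": {"type": "percent", "config": True},
}
LIST_KEY = "name"


def check_type(type_name: str, text: str):
    """Return None if text is valid for the YANG type, otherwise a reason string."""
    if type_name in TYPEDEFS:  # derived type: base type first, then its range restriction
        derived = TYPEDEFS[type_name]
        reason = check_type(derived["base"], text)
        if reason:
            return reason
        lo, hi = derived["range"]
        if not lo <= int(text) <= hi:
            return f"value {text} outside range {lo}..{hi}"
        return None
    if type_name in BUILTIN_INT_RANGES:
        try:
            value = int(text)
        except ValueError:
            return f"value {text!r} is not an integer"
        lo, hi = BUILTIN_INT_RANGES[type_name]
        if not lo <= value <= hi:
            return f"value {value} outside {type_name} range {lo}..{hi}"
        return None
    if type_name == "string":
        return None
    return f"unsupported type {type_name}"


def validate_interface_edit(xml_text: str) -> list:
    """Check one <interface> entry of an edit; returns the problems found (empty = accepted)."""
    entry = ET.fromstring(xml_text)
    if entry.tag != "interface":
        return [f"unexpected top-level node <{entry.tag}>"]
    problems = []
    if entry.find(LIST_KEY) is None:
        problems.append(f"{LIST_KEY}: list key is missing")
    for leaf in entry:
        spec = SCHEMA.get(leaf.tag)
        if spec is None:
            problems.append(f"{leaf.tag}: unknown node")
            continue
        if not spec["config"]:
            # config false data is read-only; an edit that writes it must be rejected
            problems.append(f"{leaf.tag}: status data (config false) cannot be configured")
            continue
        text = (leaf.text or "").strip()
        if spec["type"] == "enumeration":
            if text not in spec["enums"]:
                problems.append(f"{leaf.tag}: {text!r} not in {sorted(spec['enums'])}")
            continue
        reason = check_type(spec["type"], text)
        if reason:
            problems.append(f"{leaf.tag}: {reason}")
    return problems


# Constructed sample edits (not captured from a device).
GOOD_EDIT = "<interface><name>GE1/0/0</name><speed>100m</speed><completed>42</completed></interface>"
BAD_EDIT = ("<interface><name>GE1/0/0</name><speed>1g</speed>"
            "<observed-speed>100</observed-speed><completed>150</completed></interface>")

if __name__ == "__main__":
    print(validate_interface_edit(GOOD_EDIT))
    print(validate_interface_edit(BAD_EDIT))
```

Checking the base type before the typedef's range mirrors how YANG layers restrictions: a derived type can only narrow its base, so "256" fails as uint8 before the 0..100 rule is even consulted.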
FAQ: How Do I Load a YANG Model?
⚫ A YANG file is loaded on the NETCONF client (such as the NMS or SDN controller). A tool is used to convert YANG files into NETCONF messages and deliver the messages to devices.

(Figure: the management platform/SDN controller holds Huawei YANG, IETF YANG, and OpenConfig YANG files and the NETCONF Schema; YANG file translation turns them into internal tables (table1, table2, ... tableN) and into NETCONF messages sent to the device.)
4. RESTCONF Protocol
Origin of RESTCONF
⚫ Doctoral thesis of Roy Thomas Fielding in 2000
 "Architectural Styles and the Design of Network-based Software Architectures"
⚫ REST: Representational State Transfer
 The state of a resource is transferred in a representation mode on the network.
 Resource: data, identified by a unique URI.
 Representation: the mode in which the resource is expressed.
 State transfer: HTTP operations (GET/POST/PUT/DELETE).
 REST is a client-server interaction framework exposed as an API.
RESTCONF Overview
⚫ RESTCONF allows web applications to access configuration data, status data, and event notifications of network devices in a modular and scalable manner. It has the following features:
 RESTCONF uses HTTP methods to perform operations (CRUD) on data defined by YANG.
 YANG files can be shared by NETCONF and RESTCONF.
 The data encoding format can be XML or JSON.

Figure: the device (YANG models, DataStore) is accessed by a NETCONF client over NETCONF and by a web app, management platform, or SDN controller over RESTCONF.

Compared with NETCONF, RESTCONF uses different operation methods and data encoding formats.

• NETCONF and RESTCONF can coexist.
• CRUD: Create, Remove, Update, Delete.


Comparison Between RESTCONF and NETCONF

Layer | NETCONF | RESTCONF
Content layer | Data (XML) | Data (XML/JSON)
Operations layer | <get>, <get-config>, <edit-config>, etc. | GET, POST, PUT, PATCH, DELETE
Messages layer | <rpc>, <rpc-reply> | HTTP
Transport layer | SSH over TCP | TLS over TCP

RESTCONF | NETCONF Operation
GET | <get-config>, <get>
POST | <edit-config> (nc:operation="create"); invoke an RPC operation
PUT | <edit-config> (nc:operation="create/replace"); <copy-config> (PUT on datastore)
PATCH | <edit-config> (nc:operation depends on PATCH content)
DELETE | <edit-config> (nc:operation="delete")

⚫ NETCONF operates multiple configuration libraries of a device. The transaction mechanism and rollback mechanism are available.
⚫ RESTCONF uses HTTP operations, which are stateless, have no transaction mechanism, and do not support rollback.
Typical RESTCONF Interaction
⚫ A complete RESTCONF interaction includes a request and a response.
⚫ In this example, the client uses the OPTIONS method to obtain the operations supported by the device.
⚫ The device response shows that the following operations are supported: POST, DELETE, GET, HEAD, PATCH, and OPTIONS.

RESTCONF request (web app to device):

OPTIONS /restconf/data/huawei-aaa:aaa/domains/domain HTTP/1.1

RESTCONF response (device to web app):

HTTP/1.1 200 OK
Accept-Patch: application/yang-data+xml, application/yang-data+json
Allow: POST, DELETE, GET, HEAD, PATCH, OPTIONS
Content-Length:0


RESTCONF Request Packet

RESTCONF request (web app to device) layout:

Method URI HTTP/Version
Header 1 : value
Header 2 : value
...
(Optional) request body

Field | Description
Method | HTTP method, performed on the resource identified by the request URI.
URI | Uniform Resource Identifier.
HTTP/Version | HTTP version.
Header : value | Header of a request packet, which has specific field requirements. The format is header field and value.
Request body | (Optional) Request body. Some methods do not carry body information.

• A request header may contain multiple fields, such as Accept, Authorization, Host, and From. For details, see RFC 2916.
RESTCONF Request Example
⚫ The IP address of the RESTCONF request object is 192.168.56.100. Change the value of domainName to abc and the value of accessLimit to 10.

HTTP method, URI, and HTTP/Version:
POST /restconf/data/huawei-aaa:aaa/domains HTTP/1.1

Header:
Host: 192.168.56.100
Content-Type: application/yang-data+xml

Request body:
<domain xmlns="http://www.huawei.com/netconf/vrp/huawei-aaa">
  <domainName>abc</domainName>
  <accessLimit>10</accessLimit>
</domain>
RESTCONF Response Packet

RESTCONF response (device to web app) layout:

HTTP/Version Status Code Message
Header 1 : value
Header 2 : value
...
(Optional) response body

Field | Description
HTTP/Version | HTTP version.
Status code | HTTP status code.
Message | HTTP status message.
Header : value | Header of a response packet, which has specific field requirements. The format is header field and value.
Response body | (Optional) Response body. Some methods do not carry body information.

• Header information contains details about Response Header and Entity Header. For details, see sections 6.2 and 7.1 in RFC 2916.
HTTP Status Code
⚫ An HTTP status code is a three-digit number indicating the status of a response from the server. It is used to return the operation result to the client.

Class | Status Code | Description
1XX (Informational) The request is received. | 100 Continue | If the request is received, go to the next step.
2XX (Successful) The request is successful. | 200 OK | Success. The response body is available.
 | 201 Created | A resource is successfully created, and the URI of the newly created resource exists in the Location field.
 | 204 No Content | Success. The response body is unavailable.
3XX (Redirection) Further operations need to be performed. | 301 Moved Permanently | A new URI is allocated to the target resource, and all future resources will be associated with the new URI.
4XX (Client Error) Request error. | 400 Bad Request | The request body is incorrect and carries error information.
 | 401 Unauthorized | Authorization failed. For example, the certificate does not match.
 | 403 Forbidden | Access denied. The possible cause is that the user attempts to perform operations beyond the permission or the login user name or password is incorrect.
 | 404 Not Found | The requested resource cannot be found.
5XX (Server Error) Server error. | 500 Internal Server Error | The request cannot be executed due to an internal server error. The user needs to resend the request later.
 | 501 Not Implemented | The function has not been implemented.

• For details, see 6 Response Status Code in RFC 7231.


RESTCONF Response Example
⚫ RESTCONF response packet
 If status code 201 is returned, the resource is successfully created.
 Content-Type and Content-Length in the header describe body information. The body data type is XML, and the content length is 0.

HTTP/Version, status code, and HTTP status message:
HTTP/1.1 201 Created

Header:
Content-Type:application/yang-data+xml
Content-Length:0
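The request and response layouts from the slides above, worked through as an added example (my own code, not course material or Huawei code): it builds the POST request from the request example, parses the OPTIONS and 201 Created responses shown earlier, and classifies the status code the way the status code table does. The host, URIs, body and response texts are the slides' own; the function names are assumptions.

```python
"""Build and parse RESTCONF-over-HTTP/1.1 messages laid out as in the request
and response slides. Added example, not course material or Huawei code: the
host 192.168.56.100, the huawei-aaa URIs, the XML body and the two response
texts are the ones shown in the slides; the function names are my own."""
from typing import Dict, List, Optional

CRLF = "\r\n"

# Status-code classes as the HTTP Status Code slide groups them.
STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}

# Request body from the RESTCONF Request Example slide.
DOMAIN_BODY = (
    '<domain xmlns="http://www.huawei.com/netconf/vrp/huawei-aaa">\n'
    "  <domainName>abc</domainName>\n"
    "  <accessLimit>10</accessLimit>\n"
    "</domain>"
)

# Responses copied from the Typical RESTCONF Interaction and Response Example slides.
OPTIONS_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                    "Accept-Patch: application/yang-data+xml, application/yang-data+json\r\n"
                    "Allow: POST, DELETE, GET, HEAD, PATCH, OPTIONS\r\n"
                    "Content-Length:0\r\n\r\n")
CREATED_RESPONSE = ("HTTP/1.1 201 Created\r\n"
                    "Content-Type:application/yang-data+xml\r\n"
                    "Content-Length:0\r\n\r\n")


def build_request(method: str, uri: str, host: str, body: Optional[str] = None,
                  content_type: str = "application/yang-data+xml") -> str:
    """Request line, headers, blank line, optional body (the request slide layout)."""
    if not uri.startswith("/restconf/"):
        raise ValueError("RESTCONF resources live under the /restconf root")
    lines = [f"{method} {uri} HTTP/1.1", f"Host: {host}"]
    if body is not None:
        lines.append(f"Content-Type: {content_type}")
        lines.append(f"Content-Length: {len(body.encode('utf-8'))}")
    return CRLF.join(lines) + CRLF + CRLF + (body or "")


def parse_response(raw: str) -> Dict[str, object]:
    """Split a response into version, status code, class, message, headers and body."""
    head, _, body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    code = int(parts[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")   # slides write "Content-Length:0" without a space
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return {
        "version": parts[0],
        "code": code,
        "message": parts[2] if len(parts) == 3 else "",
        "status_class": STATUS_CLASSES.get(code // 100, "Unknown"),
        "headers": headers,
        "body": body,
    }


def allowed_methods(response: Dict[str, object]) -> List[str]:
    """Methods the device advertises in Allow (what the OPTIONS probe asks for)."""
    allow = response["headers"].get("allow", "")
    return [m.strip() for m in allow.split(",") if m.strip()]


def has_empty_body(response: Dict[str, object]) -> bool:
    """Content-Length 0 means the 201 Created carries no body, as the slide notes."""
    return response["headers"].get("content-length") == "0" and response["body"] == ""
```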
Quiz

1. (Short-answer question) Which protocol is used at the transport layer of Huawei NETCONF?

2. (Short-answer question) What is the relationship between NETCONF, RESTCONF, and YANG?

1. Huawei uses SSH as the transport layer protocol. Before enabling the NETCONF function on a device, you need to create an SSH user as the NETCONF user for login.

2. YANG is a modeling language used to describe the content layer of NETCONF and RESTCONF. The difference between NETCONF and RESTCONF is as follows: RESTCONF constructs the transport layer, messages layer, and operations layer based on HTTP, while NETCONF has defined the operations layer and uses SSH as the transport layer and RPC as the messages layer.
Summary

⚫ NETCONF provides a network device management mechanism. You can use NETCONF to add, modify, or delete configurations of network devices, and obtain configurations and status of network devices.
⚫ The YANG model defines the hierarchical structure of data and can be used for NETCONF-based operations.
⚫ RESTCONF uses HTTP methods to perform operations (CRUD) on data defined by YANG.
Thank you.

Copyright © 2021 Huawei Technologies Co., Ltd. All Rights Reserved.
Telemetry Fundamentals and Practices

Foreword

⚫ Telemetry is a network device monitoring technology that periodically samples statistics and status data on network devices. This course describes the technical background, concepts, framework, and technical fundamentals of telemetry, as well as the configuration procedure of static telemetry subscription.

Objectives

⚫ On completion of this course, you will be able to:
 Describe the background of the telemetry technology.
 Describe the telemetry concepts and framework.
 Distinguish static and dynamic telemetry subscriptions.
 Describe the concepts and functions of gRPC.
 Configure telemetry data sampling.
Contents

1. Introduction to Telemetry
 ▫ Technical Background
 ▫ Overview
2. Telemetry Technical Fundamentals
3. Telemetry Configuration and Practice
Technical Background: Introduction to Network Device Monitoring
⚫ An O&M platform mainly provides unified monitoring and performance management for network devices. It monitors device data on the data, control, and management planes.

Plane | Monitored data
Management-plane data | CPU speed, device temperature, and fan speed
Control-plane data | BGP peer, MPLS neighbor, and routing information
Data-plane data | Incoming and outgoing interface traffic

Figure: a monitoring center collects data from the devices in equipment rooms A, B, and C.

• Device monitoring data can be obtained through SNMP, CLI, Syslog, NetStream, and sFlow.
• NetStream and sFlow deal with network traffic monitoring and are mainly applicable to data-plane data.
• SNMP is the most popular protocol for device monitoring.
Technical Background: Bottlenecks of Traditional Data Sampling Technologies
⚫ The Nyquist Sampling Theorem states that a signal must be sampled at more than twice the highest frequency component of the signal to ensure that no information will be lost.

Figure: interface bandwidth (Mbit/s) over time, with SNMP sampling points 5 min apart (a long sampling period).

• The red wavy line represents a normal interface bandwidth change trend. Traffic exceptions cannot be detected through periodic SNMP-based data collection.
Summary: Traditional Network O&M Faces Many Challenges
⚫ On a traditional network, data is sampled in pull mode at an interval of 5 to 15 minutes on average. Data sampling in pull mode at a shorter interval will result in network breakdown.

Figure: SNMP, sFlow, and NetStream use a pulling (sampling) model; the O&M loop is data collection, data analysis, and error correction.

Problems in traditional network O&M
• The large sampling interval results in low network visibility.
• SNMP-based O&M systems are inefficient.
• Real-time end-to-end monitoring, like IT O&M, cannot be achieved, and complete historical data cannot be retained.
• Network problems caused by a large number of microbursts cannot be detected.

• A microburst refers to a situation in which a large amount of burst data is received within a very short time (milliseconds), so that the burst data rate is tens or hundreds of times higher than the average rate or even exceeds the port bandwidth. The NMS or network performance monitoring software calculates the real-time network bandwidth at an interval of seconds to minutes. At such an interval, the network traffic seems to be stable. However, packet loss may have occurred due to microbursts.
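The sampling-interval argument above, played out as an added example (my own code, not course material): a constructed link carrying a steady 100 Mbit/s with one 200 ms burst at 950 Mbit/s is polled at 5 min, 1 s and 100 ms the way a counter-based poller actually reports it (octet-counter deltas averaged over each interval, rather than the point samples drawn in the figure), and a helper checks whether a given interval sees the burst no matter how the poll phase lines up with it. All rates, times and names are constructed.

```python
"""Sampling-interval demonstration for the Nyquist and microburst points.
Added example, not course material: a constructed link with one 200 ms burst is
replayed through an SNMP-style counter-delta poller at several intervals."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    duration_ms: int
    baseline_mbps: float
    burst_start_ms: int
    burst_len_ms: int
    burst_mbps: float


def window_avg(link: Link, start_ms: int, end_ms: int) -> float:
    """Average rate over [start, end): a counter delta divided by the poll
    interval. The burst contributes only in proportion to its overlap."""
    if end_ms <= start_ms:
        raise ValueError("empty window")
    burst_end = link.burst_start_ms + link.burst_len_ms
    overlap = max(0, min(end_ms, burst_end) - max(start_ms, link.burst_start_ms))
    return link.baseline_mbps + (link.burst_mbps - link.baseline_mbps) * overlap / (end_ms - start_ms)


def poll(link: Link, interval_ms: int, offset_ms: int = 0) -> list:
    """Rates reported by a poller reading the counters every interval_ms,
    starting at offset_ms (the phase of the poll relative to the burst)."""
    return [window_avg(link, t, t + interval_ms)
            for t in range(offset_ms, link.duration_ms - interval_ms + 1, interval_ms)]


def detects_burst(link: Link, interval_ms: int, threshold_mbps: float, offset_ms: int = 0) -> bool:
    samples = poll(link, interval_ms, offset_ms)
    return bool(samples) and max(samples) > threshold_mbps


def always_detects(link: Link, interval_ms: int, threshold_mbps: float) -> bool:
    """True only if the burst crosses the threshold for every poll phase; a
    poller cannot choose its phase relative to a burst it does not know about."""
    return all(detects_burst(link, interval_ms, threshold_mbps, off) for off in range(interval_ms))


# Constructed scenario: 10 minutes of traffic with a 200 ms microburst.
LINK = Link(duration_ms=600_000, baseline_mbps=100.0,
            burst_start_ms=123_456, burst_len_ms=200, burst_mbps=950.0)
ALERT_MBPS = 400.0   # constructed alarm threshold


def report() -> dict:
    """Peak rate seen per interval: 5 min SNMP, 1 s, and sub-second telemetry."""
    return {name: max(poll(LINK, ms)) for name, ms in
            [("snmp-5min", 300_000), ("1s", 1_000), ("100ms", 100)]}
```

At 5 min the burst is averaged down to about 100.6 Mbit/s and is invisible; at 1 s it shows as 270 Mbit/s only when the whole burst falls in one window; only an interval no longer than the burst itself reports it at every phase.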
Summary: Traditional Data Collection Mechanisms Cannot Cope with Massive Data

Problem | Mechanism (network data source) | Data consumer
Pull mode for full polling, poor performance, not timely. | SNMP | SNMP server
Text mode, without model definition, poor scalability. | Syslog | Syslog server
Text mode, without model definition, poor scalability. | CLI scripts | Shell client

A mechanism that supports ultra-large-scale networks and O&M of massive data is required. This mechanism must feature real-time data collection, high performance, and easy scalability: telemetry.

• SNMP queries are performed in a question-answer manner. If 1000 interactions are performed within 1 minute, SNMP parses 1000 query request packets. Telemetry avoids repeated queries. This is because subscription needs to be performed only once and then devices can continuously push data to the NMS.
Telemetry Overview
⚫ Telemetry, also called network telemetry, is a technology that remotely collects data from physical or virtual devices at a high speed. Devices periodically send interface traffic statistics, CPU usage, and memory usage to collectors in push mode. Compared with the traditional pull mode (question-answer interaction), the push mode provides faster and real-time data collection.

Figure: devices push data to the collector (telemetry-based data push); the collector feeds the analyzer, which feeds the controller.

• There is also a view in the industry that SNMP is considered as a traditional telemetry technology, and telemetry is currently referred to as streaming telemetry or model-driven telemetry.
• Telemetry packs the data to be sent, improving transmission efficiency.
Telemetry Technical Features
⚫ Telemetry works in push mode. YANG models define the telemetry data structure, and data sampling can be performed at an interval of sub-seconds.

Analyzer
• Open APIs are available to third-party data analysis and processing companies, providing stronger data storage and processing capabilities.

Collector and controller
• The traditional NMS is decoupled into a collector and a controller. In addition, communication protocols and management applications are decoupled.

Device
• Improves devices' data collection capabilities.
• Supports the subscription mechanism.
• Constructs standard data models.
Telemetry Advantages
⚫ Telemetry obtains abundant monitoring data in push mode in a timely manner. The data helps quickly locate network faults. In addition, telemetry provides a uniform data stream format, which simplifies data collection and analysis to solve problems in traditional network O&M.

A. Refined monitoring
The collected data is of high precision and various types, which can fully reflect the network status.

B. Fast fault locating
Users want faults to be quickly located in seconds or even sub-seconds on a complex network.

C. Proactive data reporting
For telemetry, subscription needs to be performed only once. Then devices can continuously report data, reducing the pressure on devices to process query requests.
Telemetry Network Model

• The telemetry network model is defined in two ways:
 ▫ In a broad sense, telemetry is a self-closed-loop system consisting of network devices, a collector, an analyzer, and a controller.
 ▫ In a narrow sense, telemetry is the function of sending sampled device data to a collector.

Figure: telemetry in a narrow sense covers data collection from Device 1 and Device 2 to the collector; telemetry in a broad sense adds data sending and analysis (collector to analyzer), the response (analyzer to controller), and configuration adjustment (controller to devices).

Using telemetry, a collector can collect a large amount of device data and send the data to an analyzer for comprehensive analysis. The analyzer sends the results to a controller, which then adjusts device configurations accordingly, enabling the analyzer to determine whether the device status after adjustment meets expectations in real time.
Telemetry Application Scenario: WAN
⚫ Interface data of routers is reported in real time to help you gain insight into the traffic direction.

Figure: data is collected from the IGW and the AS 1, AS 2, and AS 3 routers connecting the mobile data network and fixed broadband network to the Internet and domestic interconnected peers; data analysis drives content supervision, CDN settings, routing policy, node addition or deletion, cost adjustment, and link capacity expansion.
Telemetry Application Scenario: Campus Network

On a campus network, telemetry can be used to monitor and report device status and wired and wireless data to the analyzer at the same time, implementing intelligent O&M.

Figure: data is collected from the egress zone, core layer, aggregation layer, access layer, and terminal layer (iStack/CSS links, WAN) and analyzed in the data center NMS O&M zone/analyzer.

Measurement Object | Metric
AP | CPU usage, memory usage, and number of online clients
Radio | Number of online users, channel usage, noise, traffic, backpressure queue, interference rate, and power
User | RSSI, negotiated rate, packet loss rate, and latency
Device/Board | CPU and memory usages
Port | Numbers of sent and received broadcast, multicast, and unicast packets, numbers of discarded received and sent packets, and numbers of received and sent error packets
Telemetry Application Scenario: Data Center

Upon the receipt of data sent through telemetry, the analyzer calculates the forwarding path, forwarding latency, and link latency of packets. In addition, it analyzes the application interaction relationship and associates applications with network paths. The analyzer can collect statistics, analyze data, and display analysis results, implementing intelligent O&M.

Figure: data is collected through telemetry/ERSPAN from the core switches, spine and leaf switches, and servers in the production and test environment zones (connected to the campus network, Internet, and WAN) and analyzed in the NMS O&M zone/analyzer.

Measurement Object | Metric
Device | CPU and memory usages
Board | CPU, memory, FIB entry, and MAC entry usages
Chip | TCAM usage
Port | Number of received/sent packets, number of bytes, number of lost packets, number of error packets, and numbers of broadcast, multicast, and unicast packets
Queue | Buffer size
Optical module | Receive/Transmit optical power, current, voltage, and temperature
Packet loss behavior | Detection of packet loss due to congestions

• The collector in the data center collects device performance data through telemetry and collects device flow mirroring data through ERSPAN.
Telemetry Framework
⚫ The framework of telemetry in a narrow sense consists of four modules: data source, data generation, data subscription, and data push.

Figure: from bottom to top on the device, data source (NP), data generation (Protobuf), data subscription (gRPC), and data push (gRPC or UDP); on the collector side, data collection (gRPC) and data analysis.

• For details about the framework, see the corresponding RFC draft at https://tools.ietf.org/html/draft-song-ntf-02.
• Google Remote Procedure Call (gRPC) is an open-source remote procedure call (RPC) system developed by Google.
• User Datagram Protocol (UDP) provides a method for an application to send encapsulated IP packets without establishing a connection.
• Protocol buffers (Protobuf) is a mechanism for serializing structured data.
Telemetry Protocol Stack
⚫ The telemetry protocol stack is divided into the transport layer, communication layer, data encoding layer, and data model layer.

The same stack exists on the network device (CPU/NP and the VRP central processing module) and on the telemetry data user end (App 1, App 2, and App 3 behind an API):

Layer | Network device / Telemetry data user end
Data model layer | MIB, YANG models
Data encoding layer | BER, XML, JSON, GPB
Communication layer | SNMP, NETCONF, RESTCONF, gRPC
Transport layer | UDP, SSH, HTTP

• A YANG model is similar to a menu for a fast-food restaurant. If a customer wants to eat a hamburger or fried chicken, the customer writes an A4 paper purchase list with one hamburger and two fried chickens according to the menu, folds the list into a stamp-sized note, puts it in the GPB envelope, and gives the envelope to the messenger gRPC at the door. The gRPC then rides on an HTTP/2 electric motorcycle and goes to the fast food restaurant. The messenger gRPC gives the GPB envelope to the restaurant boss, and the restaurant manager opens the envelope to check whether the items that the customer orders are on the restaurant menu.
Telemetry Data Source

⚫ The telemetry data source defines the data that can be obtained. Telemetry uses various types of YANG models to define data sources available to devices, such as Huawei-YANG, IETF-YANG, and OpenConfig-YANG.

Figure: the data source module sits at the bottom of the telemetry framework (NP); its position in the protocol stack is the data model layer (MIB, YANG models), above the CPU/NP and the VRP central processing module.
YANG Model and Sampling Path

module huawei-debug {                          // Top node in the YANG model
    namespace "urn:huawei:yang:huawei-debug";
    prefix debug;
    import huawei-extension {
        prefix ext;
    }
    container debug {                          // Top container in the YANG model
        description
            "Debug information";
        container cpu-infos {                  // Level-2 container in the YANG model
            description
                "CPU information of boards";
            list cpu-info {                    // Node to be sampled
                ext:entry-from "system";
                key "position";
                description
                    "CPU information of a board";
                leaf position {
                    type string {
                        length "1..32";
                    }
                }
                ……

Sampling path of the node to be sampled: huawei-debug:debug/cpu-infos/cpu-info (the module name, then the container path down to the list).

• For more information about the YANG model, visit https://datatracker.ietf.org/doc/rfc7895/.
Telemetry Data Subscription

⚫ Telemetry data subscription defines the data receive end and transmit end, as well as their interactions.

Huawei provides two subscription modes for telemetry: static and dynamic.
• In static telemetry subscription, a device functions as a client and a collector functions as the server. The device proactively initiates a connection to the collector to collect and send data. This mode is applicable to long-term inspection.
• In dynamic telemetry subscription, a collector functions as a client and initiates a connection to a device functioning as a server to collect data. This mode is applicable to short-term monitoring.

Figure: in static subscription (dial-out), the CLI/NMS configures the device and the device proactively sends data to the collector; in dynamic subscription (dial-in), the collector subscribes to the device directly.
Static Telemetry Subscription

The NMS subscribes to sampled data, and the router continuously sends data to the collector at an interval of λ seconds (T = λ, ΣT = ∞).

1. The NMS delivers static subscription configurations to the device, including the sampling path, sampling interval, destination to which the sampled data is reported, and data. The configurations can be delivered in the following modes:
 • Through the CLI
 • Through the NETCONF model openconfig-telemetry.yang
2. The device starts to sample data, establishes a connection with the collector, and pushes the sampled data to the collector in the following modes:
 • Through gRPC using the RPC method dataPublish
 • Through UDP
Static Telemetry Subscription

The NMS subscribes to sampled data, and the router continuously sends data to the collector at an interval of λ seconds (T = λ, ΣT = ∞). Configuration procedure on the router:

Step | Commands | Description
Configure the collector. | system-view, telemetry, destination-group, ipv4-address | IP address, port number, protocol, and encryption mode for the collector
Configure the data to be sampled. | system-view, telemetry, sensor-group, sensor-path | Sensor sampling path
Create a subscription. | system-view, telemetry, subscription, sensor-group | Associate the sampling sensor group, and configure a sampling period, redundancy suppression, and a heartbeat interval.
Verify the configuration. | display telemetry sensor, display telemetry destination, display telemetry subscription, display telemetry sensor-path |
Customized Event Reporting

After a specific parameter exceeds the threshold, static subscription is triggered: when the parameter exceeds the threshold, the NMS starts to subscribe to some data. In this example the condition is whether the CPU usage exceeds 40% (Condition = True).

Configure a customized event in the static subscription:
system-view
telemetry
sensor-group test
sensor-path huawei-debug:debug/cpu-infos/cpu-info
filter 1
op-field system-cpu-usage op-type gt op-value 40
Dynamic Telemetry Subscription Using gRPC (1)

Configure the device so that its data can be subscribed. The collector then receives data at an interval of λ seconds for the lifetime of the subscription (T = λ, ΣT = λn).

1. The collector initiates a gRPC connection request to the router.
2. The collector initiates a dynamic subscription request to the router.
 • RPC method: Subscribe
 • Specify the sampling path and sampling interval.
3. The router starts to sample data and sends the sampled data (as the response to the dynamic subscription request) to the collector.

• gRPC is an RPC system developed by Google.
Dynamic Telemetry Subscription Using gRPC (2)

Parameter-specific data collection and on-demand data push.

Configure the device so that its data can be subscribed, then configure the collector:
system-view
grpc
grpc server                   // Enters the gRPC server view.
source-ip                     // Specifies a source IP address to be listened on.
server-port                   // Specifies the number of a port to be listened on.
service enable                // Enables the gRPC service.
(Optional) acl
(Optional) idle-timeout
(Optional) ssl-policy
(Optional) ssl-verify peer
commit

Verify the configuration:
display telemetry dynamic-subscription
gRPC
⚫ gRPC is a language-neutral, platform-neutral, and open-source remote procedure call (RPC) system. It can be used to perform secondary development for both communication parties (NMS and devices). This development focuses on services and shortens interconnection development periods.
⚫ gRPC supports the following languages: C++, Node.js, Python, Ruby, Objective-C, PHP, C#, Java, and Go.
⚫ gRPC is based on HTTP/2, which is better than HTTP/1 in performance. HTTP/2 features include bidirectional streaming, flow control, header compression, and multiplexing of requests over a single connection.

Figure: the gRPC stack, top to bottom: data model (focus on services), gRPC, HTTP2, TLS, TCP (gRPC encapsulation).
gRPC Protocol Stack

⚫ The gRPC protocol stack consists of the following layers:
 TCP layer: This layer provides connection-oriented and reliable data links.
 Transport Layer Security (TLS) layer: This layer ensures secure communication between devices and collectors using the TLS protocol, which is optional.
 HTTP/2 application layer: gRPC is based on the HTTP/2 protocol. To be specific, gRPC uses HTTP/2 features such as bidirectional streams, flow control, and multiplexing.
 gRPC layer: This layer defines the protocol interaction format for RPCs. Public RPC methods are defined in common .proto files, for example, huawei-grpc-dialout.proto.
 Data model layer: This layer carries encoded service data. The data can be encoded in Google Protocol Buffers (GPB), XML, and JSON.
gRPC Service Methods

⚫ gRPC defines four service methods (distinguished by streams).
 Unary RPCs: The client sends a single request to the server and gets a single response back.
 ◼ Example: rpc Cancel(CancelArgs) returns(CancelReply) {};
 Server streaming RPCs: The client sends a request to the server, and the server continuously sends a stream back.
 ◼ Example: rpc Subscribe(SubsArgs) returns(stream SubsReply) {};
 Client streaming RPCs: The client continuously sends a stream to the server and waits for a response from the server.
 ◼ Example: rpc LotsOfGreetings(stream HelloRequest) returns (HelloResponse) {};
 Bidirectional streaming RPCs: Both the client and server send a stream.
 ◼ Example: rpc dataPublish(stream serviceArgs) returns(stream serviceArgs) {};
Telemetry Data Generation

⚫ With telemetry, data is encoded using GPB, which provides a mechanism for serializing structured data flexibly, efficiently, and automatically. Like XML and JSON, GPB is a data encoding format, but it is binary and offers better performance.

Figure: the data generation module (Protobuf) sits above the data source in the telemetry framework; GPB's position in the protocol stack is the data encoding layer, alongside BER, XML, and JSON.
GPB Encoding
⚫ GPB uses a .proto file to describe the message format and uses digits to replace flag names (keyword names).

Before GPB Encoding (field number : value):

{
  1:"HUAWEI"
  2:"s4"
  3:"huawei-ifm:ifm/interfaces/interface"
  4:46
  5:1515727243419
  6:1515727243514
  7{
    1[{
      1: 1515727243419
      2{
        5{
          1[{
            5:1
            16:2
            25:"Eth-Trunk1"
          }]
        }
      }
    }]
  }
}

huawei-telemetry.proto:

syntax = "proto3";
package telemetry;

message Telemetry {
  string node_id_str = 1;
  string subscription_id_str = 2;
  string sensor_path = 3;
  string proto_path = 13;
  uint64 collection_id = 4;
  uint64 collection_start_time = 5;
  uint64 msg_timestamp = 6;
  TelemetryGPBTable data_gpb = 7;
  uint64 collection_end_time = 8;
  uint32 current_period = 9;
  string except_desc = 10;
  string product_name = 11;
  Encoding encoding = 12;
  string data_str = 14;
}

After GPB Decoding:

{
  "node_id_str":"HUAWEI",
  "subscription_id_str":"s4",
  "sensor_path":"huawei-ifm:ifm/interfaces/interface",
  "collection_id":46,
  "collection_start_time":"2018/1/12 11:20:43.419",
  "msg_timestamp":"2018/1/12 11:20:43.514",
  "data_gpb":{
    "row":[{
      "timestamp":"2018/1/12 11:20:43.419",
      "content":{
        "interfaces":{
          "interface":[{
            "ifAdminStatus":1,
            "ifIndex":2,
            "ifName":"Eth-Trunk1"
          }]
        }
      }
    }]
  }
}

• GPB transmits data in binary mode with a small number of bytes for each transmission, and therefore stands out from other encoding methods, such as XML and JSON, in terms of transmission efficiency. Data collection efficiency is a key concern of telemetry.
• For more information, see https://developers.google.com/protocol-buffers/.
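The same message walked through at the byte level, as an added example (my own code, not Huawei's and not the protobuf library): a minimal proto3 wire encoder and decoder for the scalar fields of the Telemetry message, using the field numbers from huawei-telemetry.proto above, which shows concretely how a digit stands in for the field name on the wire and why the .proto file is needed to read the bytes back. The nested data_gpb content is reduced to one row carrying only its timestamp; that reduction and the function names are assumptions.

```python
"""Proto3 wire-format encoder/decoder for the Telemetry message shown above.
Added example, not Huawei code or the protobuf library: field numbers and types
come from the huawei-telemetry.proto excerpt, the values from the "Before GPB
Encoding" column; the nested data_gpb is reduced to one row carrying only its
timestamp (a constructed simplification)."""
from typing import Dict, List, Tuple

# Field number -> (name, type), from the huawei-telemetry.proto excerpt.
TELEMETRY_FIELDS: Dict[int, Tuple[str, str]] = {
    1: ("node_id_str", "string"),
    2: ("subscription_id_str", "string"),
    3: ("sensor_path", "string"),
    4: ("collection_id", "uint64"),
    5: ("collection_start_time", "uint64"),
    6: ("msg_timestamp", "uint64"),
    7: ("data_gpb", "message"),
}
WIRE_VARINT = 0   # uint32/uint64/enum values
WIRE_LEN = 2      # strings, bytes and embedded messages


def encode_varint(n: int) -> bytes:
    """Base-128 varint: 7 payload bits per byte, MSB set while bytes follow."""
    if n < 0:
        raise ValueError("proto3 unsigned fields cannot be negative")
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if not n:
            out.append(byte)
            return bytes(out)
        out.append(byte | 0x80)


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    result = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or over-long varint")
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos


def encode_field(number: int, value) -> bytes:
    """Tag = (field_number << 3) | wire_type: the digit replaces the field name."""
    if isinstance(value, int):
        return encode_varint((number << 3) | WIRE_VARINT) + encode_varint(value)
    payload = value.encode("utf-8") if isinstance(value, str) else value
    return encode_varint((number << 3) | WIRE_LEN) + encode_varint(len(payload)) + payload


def encode_message(fields: List[Tuple[int, object]]) -> bytes:
    return b"".join(encode_field(n, v) for n, v in fields)


def decode_message(buf: bytes) -> List[Tuple[int, object]]:
    """Return (field_number, raw value) pairs. Strings come back as bytes: the
    wire carries no names or types, only the .proto file can restore them."""
    pos, out = 0, []
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        number, wire = tag >> 3, tag & 0x7
        if wire == WIRE_VARINT:
            val, pos = decode_varint(buf, pos)
        elif wire == WIRE_LEN:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past the buffer")
            val, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"wire type {wire} is not used by this message")
        out.append((number, val))
    return out


def name_fields(decoded: List[Tuple[int, object]]) -> Dict[str, object]:
    """Apply the schema: this is the step that turns 1 back into node_id_str."""
    named: Dict[str, object] = {}
    for number, raw in decoded:
        name, typ = TELEMETRY_FIELDS.get(number, (f"field_{number}", "unknown"))
        if typ == "string":
            named[name] = raw.decode("utf-8")
        elif typ == "message":
            named[name] = decode_message(raw)   # left as numbered sub-fields
        else:
            named[name] = raw
    return named


# Constructed sample mirroring the "Before GPB Encoding" column (one row, timestamp only).
ROW = encode_message([(1, 1515727243419)])   # row.timestamp
TABLE = encode_message([(1, ROW)])           # data_gpb.row[0]
SAMPLE = encode_message([
    (1, "HUAWEI"), (2, "s4"), (3, "huawei-ifm:ifm/interfaces/interface"),
    (4, 46), (5, 1515727243419), (6, 1515727243514), (7, TABLE),
])
```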
Telemetry Data Push

⚫ Telemetry data can be pushed in gRPC or UDP mode.

Figure: the data push module sits at the top of the device-side telemetry framework and sends data over gRPC or UDP to the collector's data collection (gRPC) and data analysis modules.
gRPC-based Telemetry Data Push

⚫ gRPC is connection-oriented. A gRPC connection is set up only between the collector and the MPU's CPU.

Figure: LPU's packet forwarding engine (NP) -> LPU's CPU -> MPU's CPU -> Collector, with the single gRPC connection between the MPU's CPU and the collector.

• The collector functions as the gRPC client, and the device functions as the gRPC server.
• The collector constructs data in GPB or JSON format based on the subscribed event, compiles a .proto file through Protocol Buffers, establishes a gRPC channel with the device, and sends a request message to the device using gRPC.
• After receiving the request, the device parses the .proto file using Protocol Buffers to restore the data for processing.
• After data sorting is complete, the device re-compiles the data using Protocol Buffers and sends a response to the collector using gRPC.
• The collector receives the response message. So far, the gRPC interaction ends.
Data Source Data Subscription Data Generation Data Push

UDP-based Telemetry Data Push

⚫ Compared with gRPC, data push based on UDP is optimized. In addition to the UDP tunnel with the MPU's CPU, the collector establishes a UDP tunnel with the LPU's CPU. This reduces the pressure on the MPU's CPU and improves efficiency.

(Figure: LPU's packet forwarding engine (NP) → LPU's CPU → MPU's CPU → collector; UDP tunnels terminate on both the LPU's CPU and the MPU's CPU.)

Format of Pushed Data (Based on gRPC)

⚫ The gRPC encapsulation layer is provided by the gRPC open-source software. The following table describes the protocol stack for pushing data based on gRPC.

Hierarchy / Description:
 TCP layer: Underlying communication protocol, which is based on TCP connections.
 TLS layer: This layer is optional. It is based on the TLS 1.2-encrypted channel and bidirectional certificate authentication.
 HTTP/2 layer: gRPC is based on HTTP/2, which performs better than HTTP/1. HTTP/2 features include bidirectional streaming, flow control, header compression, and multiplexing of requests over a single connection.
 gRPC layer: Defines the protocol interaction format for RPCs.
 RPC layer: The device proactively initiates an RPC request to the collector, which is defined in the huawei-grpc-dialout.proto file. A collector proactively initiates an RPC request for dynamic subscription to a device, which is defined in the huawei-grpc-dialin.proto file.
 Data model layer, telemetry layer: This is defined in the huawei-telemetry.proto file.
 Data model layer, service data layer: Service data at this layer needs to be encoded by the .proto file of the corresponding service, and the NMS needs to decode the data using the .proto file of the corresponding service as well. For example, if the sampling path is huawei-debug:debug/cpu-infos/cpu-info, the huawei-debug.proto file needs to be used for data encoding and decoding.

Format of Pushed Data (Based on UDP)

⚫ The format of the data pushed based on UDP is as follows.

Hierarchy / Description:
 UDP layer: Underlying communication protocol, which is connectionless and based on UDP.
 DTLS layer: This layer is optional. It is based on the TLS 1.2-encrypted channel and bidirectional certificate authentication.
 Message header layer: This layer describes the message header format of pushed telemetry data. The IETF definition is available at https://datatracker.ietf.org/doc/draft-ietf-netconf-udp-pub-channel/01/?include_text=1. The draft has six versions ranging from 00 to 05. Currently, telemetry is implemented based on the 01 version.
 Notification message layer, telemetry layer: This is defined in the huawei-telemetry.proto file.
 Notification message layer, service data layer: Service data at this layer needs to be encoded by the .proto file of the corresponding service, and the NMS needs to decode the data using the .proto file of the corresponding service as well. For example, if the sampling path is huawei-debug:debug/cpu-infos/cpu-info, the huawei-debug.proto file needs to be used for data encoding and decoding.
Case: Configuring Static Telemetry Subscription

⚫ Description:
 A company has deployed a CE12800 switch with the management IP address 192.168.56.100. To better collect device performance data, it is required that the device push CPU information to the collector in static telemetry subscription mode.

(Networking: network device, interface GE1/0/0, 192.168.56.100; collector, 192.168.56.1, a local PC in this example.)
Configuration Roadmap

⚫ Steps: (1) configure a destination collector, (2) configure data sampling, (3) configure static subscription, (4) compile .proto files, (5) compile Python code, (6) verify the configuration.

(Networking: network device, interface GE1/0/0, 192.168.56.100; collector, 192.168.56.1, a local PC in this example.)

⚫ Device configuration:
 Configure a destination collector for receiving sampled data.
 Configure data sampling.
 Configure static telemetry subscription.

⚫ Collector configuration:
 Prepare and compile .proto files.
 Compile Python code: Import modules, create a gRPC server, obtain telemetry data, and decode telemetry data.
Configuring a Destination Collector

1. Enter the telemetry view.

<CE1> system-view immediately
[CE1] telemetry
[CE1-telemetry]

2. Configure a destination collector for receiving sampled data.

Create a destination group to which the destination collector belongs. In this example, create a destination group named Dest1 and set the IP address and port number of the destination collector to 192.168.56.1 and 20000, respectively. The no-tls keyword leaves the gRPC channel unencrypted, which matches the insecure listening port that the collector script in this case opens; the optional TLS layer described in the protocol stack is not used here.

[CE1-telemetry] destination-group Dest1
[CE1-telemetry-destination-group-Dest1] ipv4-address 192.168.56.1 port 20000 protocol grpc no-tls
Configuring Data Sampling and Static Subscription

3. Configure data sampling.

When configuring static subscription to collect sampled data, create a sampling sensor group and specify a sampling path. In this example, create a sampling group named Sensor1 and configure a sampling path of CPU information.

[CE1-telemetry] sensor-group Sensor1
[CE1-telemetry-sensor-group-Sensor1] sensor-path huawei-devm:devm/cpuInfos/cpuInfo

4. Configure static subscription.

Create a subscription by associating the destination group and the sampling sensor group. In this example, the destination group Dest1 is associated with the sampling sensor group Sensor1, and the sampling interval is set to 1000 ms. After the configuration is complete, the device continuously pushes data to the destination collector.

[CE1-telemetry] subscription Sub1
[CE1-telemetry-subscription-Sub1] destination-group Dest1
[CE1-telemetry-subscription-Sub1] sensor-group Sensor1 sample-interval 1000
Compiling .proto Files for the Collector (1)

5. Compile .proto files.

⚫ After the device pushes the sampled data to the collector using telemetry, the collector must connect to the device to obtain the sampled data. gRPC and GPB knowledge and development experience are required for interconnection.
⚫ The .proto files corresponding to the device are released. The collector needs to perform secondary development based on these .proto files to connect to the device. You can download the Huawei device .proto files from the Huawei official website.
 Common .proto files:
◼ huawei-grpc-dialin.proto: The collector functions as the client to send an RPC request to the device to subscribe to sampled data for dynamic telemetry subscription.
◼ huawei-grpc-dialout.proto: The device functions as the client to initiate an RPC request to the collector to push data for static telemetry subscription.
◼ huawei-telemetry.proto: After sampling service data, the device uses the telemetry header to encapsulate the data, facilitating interconnection with the collector.
 Service .proto files:
◼ huawei-xxx.proto: After sampling service data, the device encodes the sampled data in GPB format using this file, and the NMS decodes the data using this file as well. Examples: huawei-mac.proto and huawei-mpls.proto.
Compiling .proto Files for the Collector (2)

⚫ Compile .proto files to obtain the methods invoked by the server. You can create a Python script, for example, run_codegen.py, and compile the .proto files with the following code:

from grpc_tools import protoc

# dialout file path
protoc.main(
    (
        '',
        '-I./protos',
        '--python_out=.',
        '--grpc_python_out=.',
        './protos/huawei-grpc-dialout.proto',
    )
)

# telemetry file path
protoc.main(
    (
        '',
        '-I./protos',
        '--python_out=.',
        '--grpc_python_out=.',
        './protos/huawei-telemetry.proto',
    )
)

# devm file path
protoc.main(
    (
        '',
        '-I./protos',
        '--python_out=.',
        '--grpc_python_out=.',
        './protos/huawei-devm.proto',
    )
)

• After the files are compiled successfully, multiple Python files are generated in the current folder.
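As an added example (not the course's run_codegen.py), the same three compilations driven from one function that checks protoc's exit status: grpc_tools.protoc.main() reports failure through a non-zero return value rather than an exception, so the three separate calls above continue silently when a .proto file is missing or malformed. The file names are the ones listed in this course; the ./protos layout, the output directory, and the helper names are assumptions of the example.

```python
"""Compile the telemetry .proto files in one pass and fail loudly on error.

Added example, not the course's script. Assumes the course layout: .proto files
under ./protos, generated *_pb2.py / *_pb2_grpc.py in the current directory.
grpc_tools is provided by the grpcio-tools package.
"""
import os

# File names as listed in the course material; the directory layout is assumed.
PROTO_DIR = "./protos"
PROTO_FILES = (
    "huawei-grpc-dialout.proto",   # dial-out RPC used by static subscription
    "huawei-telemetry.proto",      # telemetry header
    "huawei-devm.proto",           # service data for the huawei-devm sampling path
)


def build_protoc_args(proto_file, proto_dir=PROTO_DIR, out_dir="."):
    """Return the argv tuple grpc_tools.protoc.main() expects for one file.

    The leading '' stands in for argv[0], exactly as in the course script.
    """
    return (
        "",
        "-I" + proto_dir,
        "--python_out=" + out_dir,
        "--grpc_python_out=" + out_dir,
        os.path.join(proto_dir, proto_file),
    )


def expected_output(proto_file, out_dir="."):
    """Path of the *_pb2.py module protoc generates ('-' becomes '_')."""
    stem = os.path.splitext(proto_file)[0].replace("-", "_")
    return os.path.join(out_dir, stem + "_pb2.py")


def compile_protos(proto_files=PROTO_FILES, proto_dir=PROTO_DIR, out_dir="."):
    """Run protoc once per file and raise instead of continuing after a failure.

    protoc.main() returns an int exit code; the course script discards it.
    """
    # Imported here so the helpers above stay importable without grpcio-tools.
    from grpc_tools import protoc

    generated = []
    for proto_file in proto_files:
        rc = protoc.main(build_protoc_args(proto_file, proto_dir, out_dir))
        if rc != 0:
            raise RuntimeError("protoc failed for %s (exit code %d)" % (proto_file, rc))
        path = expected_output(proto_file, out_dir)
        if not os.path.exists(path):
            raise RuntimeError("expected output missing: %s" % path)
        generated.append(path)
    return generated


if __name__ == "__main__":
    for module_path in compile_protos():
        print("generated", module_path)
```

The generated module names are the ones the collector script later imports (huawei_grpc_dialout_pb2_grpc, huawei_telemetry_pb2, huawei_devm_pb2), which is why the hyphen-to-underscore mapping is made explicit in expected_output().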
Compiling .proto Files for the Collector (3)

⚫ Run the run_codegen.py script to compile the .proto files in Python; the generated files appear in the current directory.

(Figure: listing of the .py files generated after the .proto files are compiled.)
Compiling Python Code (1)

6. Compile Python code to obtain device information.

# Import modules.
from concurrent import futures
import time
import importlib
import grpc
import huawei_grpc_dialout_pb2_grpc
import huawei_telemetry_pb2

_ONE_DAY_IN_SECONDS = 60 * 60 * 24

def serve():
    # Create a gRPC server object.
    server = grpc.server(futures.ThreadPoolExecutor(max_workers=10))
    # Register the data listening service.
    huawei_grpc_dialout_pb2_grpc.add_gRPCDataserviceServicer_to_server(Telemetry_CPU_Info(), server)
    # Set the socket listening port.
    server.add_insecure_port('192.168.56.1:20000')
    # Start the gRPC server.
    server.start()
    try:
        while True:
            # Infinite loop listening.
            time.sleep(_ONE_DAY_IN_SECONDS)
    except KeyboardInterrupt:
        server.stop(0)

• The grpc module is installed by running the pip install grpcio command (the PyPI package is grpcio; grpcio-tools additionally provides the grpc_tools module used by run_codegen.py).
• The huawei_grpc_dialout_pb2_grpc and huawei_telemetry_pb2 modules are generated after the .proto files are compiled.
Compiling Python Code (2)

# Create a class that inherits the Servicer class.
class Telemetry_CPU_Info(huawei_grpc_dialout_pb2_grpc.gRPCDataserviceServicer):
    # Define the initialization method.
    def __init__(self):
        return

    # Override the dataPublish method.
    def dataPublish(self, request_iterator, context):
        for i in request_iterator:
            print ('############ start ############\n')
            telemetry_data = huawei_telemetry_pb2.Telemetry.FromString(i.data)
            print (telemetry_data)

            for row_data in telemetry_data.data_gpb.row:
                print ('-----------------')
                print ('The proto path is :'+telemetry_data.proto_path)
                print ('-----------------')
                # Dynamically load the module for decoding the data obtained through telemetry.
                module_name = telemetry_data.proto_path.split('.')[0]
                root_class = telemetry_data.proto_path.split('.')[1]
                decode_module = importlib.import_module( module_name+'_pb2')
                print (decode_module)
                decode_func = getattr(decode_module,root_class).FromString
                print ('----------- content is -----------\n')
                # Decode and print data.
                print (decode_func(row_data.content))
                print ('----------- done -----------------')

if __name__ == '__main__':
    serve()
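The collector above derives a module name from telemetry_data.proto_path and hands it straight to importlib.import_module(), so whichever peer reaches the insecure listening port chooses which module the collector imports, and a proto_path without a dot raises IndexError and stops the servicer. The following added example (not part of the course code) resolves the decoder through an allowlist of generated modules before importing anything; the proto_path value format 'huawei_devm.Devm' and the module names in the allowlist are assumptions constructed for the example.

```python
"""Allowlisted decoder lookup for pushed telemetry rows.

Added example, not the course's collector. Assumptions: proto_path values look
like 'huawei_devm.Devm' (module stem, one dot, root message name); the generated
module names in ALLOWED_DECODERS are constructed from the service .proto file
used in the course case.
"""
import importlib
import re

# Generated modules this collector is prepared to decode with (assumed names).
ALLOWED_DECODERS = {
    "huawei_devm_pb2": {"Devm"},
}

# <stem>.<Message>: identifier characters only, exactly one dot.
_PROTO_PATH_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\.([A-Za-z_][A-Za-z0-9_]*)$")

_MODULE_CACHE = {}


def resolve_decoder(proto_path, allowed=ALLOWED_DECODERS):
    """Map proto_path to (module_name, root_class), or raise ValueError.

    Rejects anything that is not '<stem>.<Message>' and anything whose
    generated module or root message is not allowlisted, so a malformed or
    unexpected proto_path never reaches importlib.
    """
    match = _PROTO_PATH_RE.match(proto_path or "")
    if not match:
        raise ValueError("malformed proto_path: %r" % (proto_path,))
    module_name = match.group(1) + "_pb2"
    root_class = match.group(2)
    if root_class not in allowed.get(module_name, ()):
        raise ValueError("proto_path not allowlisted: %r" % (proto_path,))
    return module_name, root_class


def decode_row(proto_path, content, allowed=ALLOWED_DECODERS,
               loader=importlib.import_module):
    """Decode one data_gpb row's content bytes with the allowlisted decoder.

    'loader' defaults to importlib.import_module; it is a parameter so the
    lookup can be exercised without the generated *_pb2 modules installed.
    """
    module_name, root_class = resolve_decoder(proto_path, allowed)
    module = _MODULE_CACHE.get(module_name)
    if module is None:
        module = loader(module_name)   # only an allowlisted name gets here
        _MODULE_CACHE[module_name] = module
    return getattr(module, root_class).FromString(content)


def decode_message(telemetry_data, allowed=ALLOWED_DECODERS,
                   loader=importlib.import_module):
    """Decode every row of a parsed huawei_telemetry_pb2.Telemetry message.

    Replacement for the inner loop of dataPublish(): returns the decoded rows
    instead of printing them, and rejects the whole message if proto_path is bad.
    """
    return [decode_row(telemetry_data.proto_path, row.content, allowed, loader)
            for row in telemetry_data.data_gpb.row]
```

In dataPublish() the call becomes one line per message, `rows = decode_message(telemetry_data)`, wrapped in a try/except ValueError so a bad message is logged and skipped rather than terminating the stream for the subscription.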
Verifying the Configuration

7. Verify the configuration.

 Run the script and check whether the CPU information is successfully obtained. The decoded content printed by the collector is similar to the following:

----------- content is -----------

cpuInfos {
  cpuInfo {
    entIndex: 16842753
    interval: 8
    ovloadThreshold: 90
    position: "1"
    systemCpuUsage: 6
    unovloadThreshold: 75
  }
}

----------- done -----------------
Quiz

1. (Multiple-answer question) Which of the following methods can be used to push data using telemetry? ( )
A. TCP
B. UDP
C. gRPC

2. (Short-answer question) What are the telemetry data subscription modes?

Answers:
1. BC
2. Static subscription and dynamic subscription.

Summary

⚫ Telemetry remotely collects data from physical or virtual devices at a high speed.
⚫ In a narrow sense, the telemetry framework consists of four modules: data source,
data generation, data subscription, and data push.
⚫ The data source uses YANG models to define devices. Data is generated using the
GPB encoding method. Data subscription can be implemented in static or dynamic
mode. Sampled data can be pushed based on gRPC or UDP.
⚫ Python scripts can be run to subscribe to sampled device data through telemetry.

More Information

⚫ Protobuf official website


 https://developers.google.com/protocol-buffers/

⚫ gRPC official website


 https://www.grpc.io/

Copyright © 2021 Huawei Technologies Co., Ltd. All Rights Reserved.
OPS Fundamentals and Practices
Foreword
⚫ A conventional network device is a closed system that provides fixed functions and services and is not
dynamic or flexible. With the rapid development and popularization of networks, diversified and
differentiated requirements emerge one after another. Conventional network devices cannot meet
these requirements. Some customers require devices with specific openness so that they can develop
their own functions and deploy proprietary management policies to implement automatic management
and maintenance, lowering management costs.

⚫ Huawei has launched the open programmability system (OPS) to provide openness and
programmability capabilities for network devices and enable users to perform secondary development,
fully unleashing the potential of devices.

⚫ This course introduces the OPS, describes its principles and application scenarios, and provides a case.

Objectives

⚫ On completion of this course, you will be able to:


 Describe basic OPS concepts.
 Describe basic OPS functions.
 Understand the OPS working principles.
 Implement the basic OPS configuration.

Contents

1. OPS Overview

2. OPS Application Scenarios

3. OPS Configuration Practices

OPS Overview (1)
⚫ In the following scenarios:
 During network deployment, services need to be configured for a large number of devices after hardware installation.
 The network administrator wants devices to automatically take actions when alarms are generated.
 The network is disconnected when the network administrator wants to remotely deliver commands and periodically collect device information through compiled scripts.

Conventional network devices cannot effectively solve the problems in these scenarios and meet the requirements.

• Traditional network devices are relatively closed and cannot meet flexible and differentiated network management requirements.
OPS Overview (2)
⚫ Huawei offers the OPS.

⚫ The OPS allows users and third-party developers to develop and deploy network management policies using open RESTful APIs. It implements rapid service expansion, automatic function deployment, and intelligent device management, helping reduce network operation and maintenance costs and simplify network operations.

(Figure: the administrator writes a script; the script invokes the RESTful API exposed by the system capability.)

• With the OPS, you can compile scripts based on your requirements and import the scripts to network devices for running, which is flexible and efficient.
OPS Architecture
⚫ The OPS is developed on Huawei Versatile Routing Platform (VRP). It uses open RESTful APIs to work with VRP's management plane, control plane, and data plane, allowing for function expansion on a device.
⚫ The OPS provides managed objects (MOs) to open devices. Each MO is uniquely identified by a Uniform Resource Identifier (URI). The client can perform operations on objects using standard HTTP methods, such as GET, PUT, POST, and DELETE.

(Figure: scripts in Python, Java, C/C++, and other languages invoke the RESTful API, which sits in front of the VRP management plane, control plane, and data plane.)

• The VRP system is developed by Huawei based on years of research and network application experience, and its intellectual property rights are owned by Huawei.
• Managed object (MO): an object that can be managed on a network device by invoking RESTful APIs, such as CPU information, system information, and interface information.
• Uniform Resource Identifier (URI): identifies a specific resource. In the OPS, URIs are used to identify MOs. For example, the URI of the CPU information is /devm/cpuInfos/cpuInfo, which uniquely identifies the CPU information.
• Uniform resource locator (URL): a URI that presents a resource and specifies how to locate it, for example, http://www.ietf.org/rfc/rfc2396.txt and ftp://ftp.is.co.za/rfc/rfc1808.txt.
• Huawei network devices that support the OPS provide a running environment for Python scripts. Scripts in Java and C/C++ are not supported.
Introduction to RESTful APIs
⚫ Representational State Transfer (REST) is a style of software architecture. The design concepts and
principles are as follows:
 All elements on networks can be abstracted as resources.
 Each resource has a unique resource ID. Operations on resources do not change the resource IDs.
 Standard methods are used to operate resources. The core operations are GET, PUT, POST and DELETE defined
in HTTP.

 All operations are stateless.

⚫ RESTful API: application programming interfaces (APIs) that comply with the REST architecture.
⚫ The OPS defines a set of RESTful APIs and uses URIs to identify open MOs. You can access MOs using
standard HTTP methods (GET, PUT, POST, and DELETE).


• An API is a particular set of rules and specifications that are used for communication
between software programs.

• For more information about RESTful, see the HCIP Programming and Automation
Course — RESTful Fundamentals and Practices.
OPS RESTful API Interaction Example
⚫ With RESTful APIs defined by the OPS, you can write Python scripts to send HTTP requests to perform operations on MOs of network devices. Network devices return HTTP response messages based on the operation results.

(Figure: a Python script sends an HTTP request to the device and receives an HTTP response; the MOs include CPU information, system information, interface information, and routing information.)

• The OPS allows you to compile Python scripts, install the scripts on network devices, and send HTTP requests when the scripts are running to manage network devices.
OPS RESTful API Description Example
⚫ The HTTP requests sent by a user must be constructed based on the RESTful APIs defined by the OPS. The API for obtaining system information is described as follows:

Request example including the HTTP header (XML format):

GET /system/systemInfo HTTP/1.1
Host: localhost
Accept-Encoding: identity
Content-Length: 66
Content-type: application/xml
Accept: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<systemInfo>
</systemInfo>

Response example including the HTTP header (XML format):

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<systemInfo>
<sysName>HUAWEI</sysName>
<platformName>VRP</platformName>
<platformVer>v800r007c00</platformVer>
<productName>Device</productName>
<productVer>V800R007C00</productVer>
<patchVer></patchVer>
<esn>123456789</esn>
<mac>00e0-fc34-1234</mac>
</systemInfo>

• The formats of the OPS RESTful API request and response packets are similar to those of the HTTP request and response packets described earlier.
• Extensible Markup Language (XML) is designed to transmit and store data.
• Currently the OPS RESTful APIs use the XML format to transmit data; in a later version, the APIs can use the JavaScript Object Notation (JSON) format. Therefore, the body of the OPS RESTful API request and response packets is in XML format.
• You can download the RESTful API Reference from the network device page of http://support.huawei.com.
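As an added example (not the course's script template, and not exercised against a real device), a Python 3 client for the API shown on this slide: it issues the GET with http.client and parses the systemInfo response into a dict with xml.etree. The sample response body is a copy of the one above, so the parser runs offline. Unlike the template later in this course, which overwrites response.status with OK as stub code, this client treats a non-200 status as an error. The defaults localhost and port 80 follow the course's statement that the API is invoked from inside the device; the function and constant names are the example's own.

```python
"""Minimal OPS RESTful client plus a parser for the systemInfo response.

Added example, not the course template. Request and response shapes are taken
from the slide (GET /system/systemInfo with an XML body); host/port defaults
assume the device-local OPS endpoint as the course describes.
"""
import http.client
import xml.etree.ElementTree as ET

SYSTEM_INFO_URI = "/system/systemInfo"
HEADERS = {"Content-type": "application/xml", "Accept": "application/xml"}

# Empty-element filter, as in the slide's request body.
SYSTEM_INFO_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<systemInfo>\n"
    "</systemInfo>"
)

# Constructed copy of the slide's response body so the parser can run offline.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<systemInfo>
<sysName>HUAWEI</sysName>
<platformName>VRP</platformName>
<platformVer>v800r007c00</platformVer>
<productName>Device</productName>
<productVer>V800R007C00</productVer>
<patchVer></patchVer>
<esn>123456789</esn>
<mac>00e0-fc34-1234</mac>
</systemInfo>
"""


def parse_system_info(body):
    """Turn a systemInfo XML document into a dict; empty elements map to ''.

    Accepts bytes or str and insists on the expected root element so a reply
    of another shape (an error document, a different MO) is not silently
    read as system information.
    """
    if isinstance(body, str):
        body = body.encode("utf-8")
    root = ET.fromstring(body)
    if root.tag != "systemInfo":
        raise ValueError("unexpected root element %r" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def get_system_info(host="localhost", port=80, timeout=10):
    """Send the GET and parse the reply; raise on a non-200 status."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", SYSTEM_INFO_URI, SYSTEM_INFO_REQUEST, HEADERS)
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != http.client.OK:
            raise RuntimeError("OPS returned %d %s" % (resp.status, resp.reason))
        return parse_system_info(body)
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a device, call get_system_info().
    for key, value in parse_system_info(SAMPLE_RESPONSE).items():
        print("%-13s %s" % (key, value))
```

The parser returns the ESN and MAC as plain strings exactly as the device reports them, so a script that stores or forwards them (the backup and health-check scenarios later in this course) works on a dict rather than on raw XML text.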
Usage of Python Scripts
⚫ Currently, the OPS RESTful APIs can be used only in the Embedded Running Environment (ERE). You can compile Python scripts based on OPS APIs and install them on the devices that provide a Python running system. When a Python script is running, an HTTP request is sent to the system to manage devices.
⚫ The Python script execution process is as follows:
 Compile and upload a Python script: Upload the Python script to a network device.
 Install the Python script: Only installed Python scripts can be run on a device.
 Run the Python script: You can manually run a Python script using a command or configure the maintenance assistant function to run a Python script.

• The maintenance assistant is a function of Huawei network devices. You can set the trigger conditions and the Python script to be executed when the conditions are met. The system monitors device running in real time. When the specified trigger condition is met, the network device system automatically executes the Python script to complete the actions defined in the script. For more information about the maintenance assistant, see the Huawei network device product documentation.
Scenario 1: Automatic Deployment of Unconfigured Devices
⚫ The OPS can implement automatic deployment of unconfigured devices without the need for on-site installation, reducing labor costs and improving deployment efficiency.

(Figure: the switch reaches the DHCP server through a DHCP relay, downloads a Python script from the script file server (step ②: download the Python script), runs it, and obtains its files from the software and configuration file server.)

• DHCP server: allocates the temporary IP address, default gateway, and script file server address to the device to be automatically deployed.
• DHCP relay agent: forwards packets exchanged between the device to be automatically deployed and the DHCP server when they are located on different network segments.
• Script file server: stores the Python scripts required for automatic network device deployment. By running the script files, a network device can obtain information such as the IP address of the software and configuration file server, the version file, and the configuration file.
• Software and configuration file server: stores the system software, configuration files, and patch files required for automatic network device deployment.
Scenario 2: Automatic Health Check
⚫ During a conventional device health check, you need to log in to a device and run commands to check the hardware and service running status.
⚫ With the OPS function, a device can automatically run the health check commands, periodically collect the health check results, and send the results to a server for analysis. This reduces maintenance workload. The commands are delivered by the Python scripts installed in the network device system instead of being delivered remotely, so network disconnection does not interrupt them.

(Figure: the switch automatically collects device health information and sends it to the server.)

• A Python script can be compiled to deliver commands. When the network is disconnected, the execution result is temporarily stored on the device. After the network recovers, the execution result is transmitted to the server. Therefore, the impact of network disconnection can be mitigated.
Scenario 3: Automatic Backup of Configuration Files
⚫ A network device subscribes to the configuration file saving event through the maintenance assistant. After the configuration is saved, the device automatically runs the Python script and sends its configuration file to the server for backup, reducing the manual backup workload.

(Figure: the switch automatically backs up its configuration file to the server.)
Configuration Roadmap
⚫ The configuration roadmap is as follows. The core is to compile the Python script, which will be detailed later. The operation modes and commands of the other three steps are listed below.
 Compile the Python script: Assume that a Python script has been compiled. Perform the following three steps to complete the configuration.
 Upload the Python script: Upload the script to the network device through FTP.
 Install the Python script: ops install file file-name
 Run the Python script: either through the maintenance assistant (command assistant or script assistant; for details about the maintenance assistant, see the product documentation) or manually through the CLI: ops run python file-name
Compiling a Python Script
⚫ Python scripts are used to deliver HTTP requests to the system for management. Huawei provides Python script templates. You only need to look up the RESTful APIs for the functions to be implemented and modify the code accordingly.

⚫ Example of a Python script template (the lines commented "modify as required" are the ones that change with the site requirements; the rest of the template does not need to be modified):

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Import the third-party modules required by the template.
import traceback
import httplib
import string

class OPSConnection(object):
    """Make an OPS connection instance."""

    #: an initialization class that creates an HTTP connection
    def __init__(self, host, port = 80):
        self.host = host
        self.port = port
        self.headers = {
            "Content-type": "text/xml",
            "Accept": "text/xml"
        }
        self.conn = None

    # Disable an HTTP connection.
    def close(self):
        """Close the connection"""
        self.conn.close()

    # Create device resources.
    def create(self, uri, req_data):
        """Create operation"""
        ret = self.rest_call("POST", uri, req_data)
        return ret

    # Delete device resources.
    def delete(self, uri, req_data):
        """Delete operation"""
        ret = self.rest_call("DELETE", uri, req_data)
        return ret

    # Query device resources.
    def get(self, uri, req_data = None):
        """Get operation"""
        ret = self.rest_call("GET", uri, req_data)
        return ret

    # Modify device resources.
    def set(self, uri, req_data):
        """Set operation"""
        ret = self.rest_call("PUT", uri, req_data)
        return ret

    # Invoked internally by create, delete, get, and set.
    def rest_call(self, method, uri, req_data):
        """REST call"""
        print('|---------------------------------- request: ----------------------------------|')
        print('%s %s HTTP/1.1\n' % (method, uri))
        if req_data == None:
            body = ""
        else:
            body = req_data
        print(body)
        if self.conn:
            self.conn.close()
        self.conn = httplib.HTTPConnection(self.host, self.port)
        self.conn.request(method, uri, body, self.headers)
        response = self.conn.getresponse()
        response.status = httplib.OK # stub code
        ret = (response.status, response.reason, response.read())
        print('|---------------------------------- response: ---------------------------------|')
        print('HTTP/1.1 %s %s\n\n%s' % ret)
        print('|------------------------------------------------------------------------------|')
        return ret

# Define the function for obtaining system startup information.
def get_startup_info(ops_conn):
    uri = "/cfg/startupInfos/startupInfo"    # modify as required: URI of the MO
    req_data = \
'''<?xml version="1.0" encoding="UTF-8"?>
<startupInfo>
</startupInfo>
'''                                          # modify as required: request content
    # The response data of the system startup information is similar to the following:
    '''
    <?xml version="1.0" encoding="UTF-8"?>
    <rpc-reply>
      <data>
        <cfg xmlns="http://www.huawei.com/netconf/vrp" format-version="1.0" content-version="1.0">
          <startupInfos>
            <startupInfo>
              <position>6</position>
              <nextStartupFile>flash:/vrpcfg.cfg</nextStartupFile>
              <configedSysSoft>flash:/system-software.cc</configedSysSoft>
              <curSysSoft>flash:/system-software.cc</curSysSoft>
              <nextSysSoft>flash:/system-software.cc</nextSysSoft>
              <curStartupFile>flash:/vrpcfg.cfg</curStartupFile>
              <curPatchFile>NULL</curPatchFile>
              <nextPatchFile>NULL</nextPatchFile>
            </startupInfo>
          </startupInfos>
        </cfg>
      </data>
    </rpc-reply>
    '''
    # Execute a GET operation request.
    ret, _, rsp_data = ops_conn.get(uri, req_data)
    if ret != httplib.OK:
        return None

    return rsp_data

# The main() function defines the operations to be performed during script running.
# You can modify the function according to service requirements.
def main():
    """The main function."""
    host = "localhost"

    try:
        # Establish an HTTP connection.
        ops_conn = OPSConnection(host)
        # Invoke the function for obtaining system startup information.
        rsp_data = get_startup_info(ops_conn)
        # Disable an HTTP connection.
        ops_conn.close()
        return
    except:
        errinfo = traceback.format_exc()
        print(errinfo)
        return

if __name__ == "__main__":
    main()

⚫ Notes on the template:
 The import statements import the third-party modules required in the Python script template.
 The OPSConnection class is used to invoke RESTful APIs. This class defines methods for establishing HTTP connections and does not need to be modified. Its methods are:
◼ __init__(): initialization method that creates an HTTP connection.
◼ close(): shuts down an HTTP connection.
◼ create(): creates device resources.
◼ delete(): deletes device resources.
◼ get(): queries device resources.
◼ set(): modifies device resources.
◼ rest_call(): the class method invoked internally by the methods above (create, delete, get, or set).
 You need to compile a method that invokes the RESTful API through an instance of the OPSConnection class to manage devices. For example, the get_startup_info(ops_conn) method in this document obtains system startup information. You can choose the method name.
 uri = "/cfg/startupInfos/startupInfo" is the URI of the system startup information. Different MOs have different URIs, so change the URI as required. You can obtain the values of uri and req_data from the RESTful API Reference based on the site requirements. The system startup information in this document is described in the RESTful API Reference as follows:
◼ Operation: GET; URI: /cfg/startupinfos/startupinfo; Description: Obtain system startup information.
◼ Request example:
<?xml version="1.0" encoding="UTF-8"?>
<startupInfo>
</startupInfo>
 According to the RESTful API Reference, the HTTP operation corresponding to the RESTful API for obtaining system startup information is GET, so the get method of the OPSConnection class instance is invoked. You can change the get method to the create, delete, or set method of the OPSConnection class based on the device management function to be implemented.
 req_data indicates the request content, and rsp_data indicates the response message returned after the network device performs the requested operation.
 In the main() method, host indicates the loopback address. Currently, RESTful APIs can be invoked only inside the device, so the value is localhost.
 In the main() method, you invoke the method compiled based on the RESTful API (get_startup_info in this document) to complete the desired function. The main() method can implement various management functions of a network device by using various RESTful APIs together with Python structures such as loops and if-else.
 The last line of the script indicates that the main() method is executed.
Case: Obtaining CPU Information of a Device
⚫ Description: A network administrator compiles a Python script and uploads the script to a network device to obtain CPU information by using the OPS function of the device. The networking is as follows.

Figure: the network administrator's PC (192.168.56.1) uploads the Python script to the network device, whose interface GE1/0/0 has the address 192.168.56.100.
Compiling a Python Script (1)
⚫ Based on the function of obtaining device CPU information to be implemented, obtain the URI, request message, and response message by referring to the RESTful API Reference. The result is as follows.

URI information:

    Operation   URI                       Description
    GET         /devm/cpuInfos/cpuInfo    Query a board's CPU usage

Request message:

    <?xml version='1.0' encoding='UTF-8'?>
    <cpuInfo>
    <position></position>
    <entIndex></entIndex>
    <systemCpuUsage></systemCpuUsage>
    <ovloadThreshold></ovloadThreshold>
    <unovloadThreshold></unovloadThreshold>
    </cpuInfo>

Response message:

    <?xml version="1.0" encoding="UTF-8"?>
    <cpuInfo>
    <position chassis="1" slot="17">17</position>
    <entIndex>17891329</entIndex>
    <systemCpuUsage>5</systemCpuUsage>
    <ovloadThreshold>95</ovloadThreshold>
    <unovloadThreshold>75</unovloadThreshold>
    </cpuInfo>

• After knowing the format of the response message, you can parse it in the Python script. In this case, the response message is only displayed. You can try to parse the response message to implement more complex functions.
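As an added example that is not part of the course material or of Huawei's script template, the following Python 3 code parses the CPU response shown on these slides instead of only printing it: it walks the namespaced cpuInfo elements of the rpc-reply, returns the fields of each board, and flags boards whose usage has reached their own ovloadThreshold. The sample response is constructed from the values on the slides, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Default namespace declared on <devm> in the rpc-reply; its children inherit it,
# so every tag lookup below must be namespace-qualified.
VRP_NS = "{http://www.huawei.com/netconf/vrp}"

# Constructed sample: the response body printed by cpu_demo.py on the slides.
SAMPLE_RSP = """<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply>
  <data>
    <devm xmlns="http://www.huawei.com/netconf/vrp" format-version="1.0" content-version="1.0">
      <cpuInfos>
        <cpuInfo>
          <position chassis="1" slot="1">1</position>
          <entIndex>16842753</entIndex>
          <systemCpuUsage>4</systemCpuUsage>
          <ovloadThreshold>90</ovloadThreshold>
          <unovloadThreshold>75</unovloadThreshold>
        </cpuInfo>
        <cpuInfo>
          <position chassis="1" slot="17">17</position>
          <entIndex>17891329</entIndex>
          <systemCpuUsage>4</systemCpuUsage>
          <ovloadThreshold>90</ovloadThreshold>
          <unovloadThreshold>75</unovloadThreshold>
        </cpuInfo>
      </cpuInfos>
    </devm>
  </data>
</rpc-reply>
"""

FIELDS = ("position", "entIndex", "systemCpuUsage", "ovloadThreshold", "unovloadThreshold")
NUMERIC = ("systemCpuUsage", "ovloadThreshold", "unovloadThreshold")


def parse_cpu_info(rsp_data):
    """Return one dict per <cpuInfo> element found in the rpc-reply.

    A malformed reply or a <cpuInfo> missing a field raises ValueError, so a
    truncated response is never silently reported as "no CPUs".
    """
    try:
        root = ET.fromstring(rsp_data)
    except ET.ParseError as exc:
        raise ValueError(f"response is not well-formed XML: {exc}") from exc

    cpus = []
    for node in root.iter(VRP_NS + "cpuInfo"):
        entry = {}
        for field in FIELDS:
            child = node.find(VRP_NS + field)
            if child is None or child.text is None:
                raise ValueError(f"cpuInfo is missing <{field}>")
            entry[field] = child.text.strip()
        # chassis and slot are attributes of <position>, not child elements.
        position = node.find(VRP_NS + "position")
        entry["chassis"] = position.get("chassis")
        entry["slot"] = position.get("slot")
        for field in NUMERIC:
            entry[field] = int(entry[field])
        cpus.append(entry)
    return cpus


def overloaded_positions(cpus):
    """Positions whose usage has reached that board's own ovloadThreshold."""
    return [c["position"] for c in cpus if c["systemCpuUsage"] >= c["ovloadThreshold"]]


if __name__ == "__main__":
    cpus = parse_cpu_info(SAMPLE_RSP)
    for cpu in cpus:
        print(f"chassis {cpu['chassis']} slot {cpu['slot']}: "
              f"{cpu['systemCpuUsage']}% used (overload at {cpu['ovloadThreshold']}%)")
    print("overloaded boards:", overloaded_positions(cpus))
```

On the device, rsp_data returned by get_cpu_info would be passed to parse_cpu_info in place of SAMPLE_RSP.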
Compiling a Python Script (2)
⚫ Modify the related code in the Python script template based on the URI and request content. Other code in the template does not need to be modified.

Define the get_cpu_info method:

    def get_cpu_info(ops_conn):
        uri = "/devm/cpuInfos/cpuInfo"  # URI corresponding to the CPU information
        # Set the content of the request for obtaining CPU information.
        req_data = \
        '''<?xml version='1.0' encoding='UTF-8'?>
        <cpuInfo>
        <position></position>
        <entIndex></entIndex>
        <systemCpuUsage></systemCpuUsage>
        <ovloadThreshold></ovloadThreshold>
        <unovloadThreshold></unovloadThreshold>
        </cpuInfo>
        '''
        ret, _, rsp_data = ops_conn.get(uri, req_data)  # Execute the get operation.
        if ret != httplib.OK:
            return None
        return rsp_data

Invoke the get_cpu_info method in the main method:

    def main():
        """The main function."""
        host = "localhost"
        try:
            # Establish an HTTP connection.
            ops_conn = OPSConnection(host)
            # Invoke the function for obtaining CPU information.
            rsp_data = get_cpu_info(ops_conn)
            # Close the HTTP connection.
            ops_conn.close()
            return
        except:
            errinfo = traceback.format_exc()
            print(errinfo)
            return
Uploading a Python Script
⚫ After the Python script is compiled, save it as cpu_demo.py. The network administrator enables the FTP server on the local PC, and the network device functions as the FTP client to download the Python script.

<CE1>ftp 192.168.56.1 # Connect to the FTP server.
Trying 192.168.56.1 ...
Press CTRL + K to abort
Connected to 192.168.56.1.
220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
User(192.168.56.1:(none)):1 # Enter the user name.
331 Give me your password, please
Enter password: # Enter the password.
230 Logged in successfully
[ftp]get cpu_demo.py # Obtain the cpu_demo.py script file.
Warning: The file may not transfer correctly in ASCII mode.
500 Unidentified command SIZE cpu_demo.py
200 PORT command okay
150 "D:\FTPSERVER\cpu_demo.py" file ready to send (4605 bytes) in ASCII mode
..
226 Transfer finished successfully. # FTP transmission is complete.
FTP: 4605 byte(s) received in 1.135 second(s) 3.962Kbyte(s)/sec.

• For details about how to enable an FTP server on the local PC, instructions are easy to find with a search engine.
Installing the Python Script
⚫ After the Python script is uploaded, run the ops install file file-name command to install the script.

<CE1>ops install file cpu_demo.py # Install the Python script.

• Verify the installation result.

<CE1>display ops script # Check the installed Python script.
--------------------------------------------------------------------------------
Index Size(Byte) Filename
--------------------------------------------------------------------------------
0 4605 cpu_demo.py
--------------------------------------------------------------------------------

The cpu_demo.py script has been successfully installed.
Running the Python Script (1)
⚫ Run the ops run python file-name command to run the Python script.

<CE1>ops run python cpu_demo.py
|---------------------------------- request: ----------------------------------| # Content of the get operation
GET /devm/cpuInfos/cpuInfo HTTP/1.1

<?xml version='1.0' encoding='UTF-8'?>
<cpuInfo>
<position></position>
<entIndex></entIndex>
<systemCpuUsage></systemCpuUsage>
<ovloadThreshold></ovloadThreshold>
<unovloadThreshold></unovloadThreshold>
</cpuInfo>

|---------------------------------- response: ---------------------------------| # Content of the response message
HTTP/1.1 200 OK

<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply>
<data>
<devm xmlns="http://www.huawei.com/netconf/vrp" format-version="1.0" content-version="1.0">

(See the next slide for the rest of the output.)

Running the Python Script (2)
<cpuInfos> # Returned CPU information. In this case, the network device has two CPUs.
<cpuInfo>
<position chassis="1" slot="1">1</position> # position indicates the CPU position information.
<entIndex>16842753</entIndex> # entIndex indicates the CPU index information.
<systemCpuUsage>4</systemCpuUsage> # systemCpuUsage indicates the CPU usage.
<ovloadThreshold>90</ovloadThreshold> # ovloadThreshold indicates the CPU overload clearance threshold.
<unovloadThreshold>75</unovloadThreshold> # unovloadThreshold indicates the CPU non-overload threshold.
</cpuInfo>
<cpuInfo>
<position chassis="1" slot="17">17</position>
<entIndex>17891329</entIndex>
<systemCpuUsage>4</systemCpuUsage>
<ovloadThreshold>90</ovloadThreshold>
<unovloadThreshold>75</unovloadThreshold>
</cpuInfo>
</cpuInfos>
</devm>
</data>
</rpc-reply>

|------------------------------------------------------------------------------|
Quiz
1. (Multiple-answer question) The OPS function uses standard HTTP methods to access managed objects (MOs). Which of the following methods are supported? ( )
   A. GET
   B. PUT
   C. POST
   D. DELETE

1. ABCD
Summary
⚫ The OPS is a unique function of Huawei network devices. It uses RESTful APIs and standard HTTP methods to access MOs on devices, helping users easily cope with various network O&M requirements.
⚫ Huawei provides Python script templates. You only need to look up the RESTful APIs for the functions to be implemented and modify the code accordingly, which is easy to do.

More Information
⚫ For more REST information, see the doctoral dissertation written by Dr. Roy Fielding:
 https://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
⚫ For more information about HTTP, see RFC 2616.
⚫ Python official website: https://www.python.org
⚫ RESTful API reference: https://support.huawei.com

• The REST software architecture was first described by Roy Fielding in his doctoral dissertation. Roy Fielding is one of the principal authors of the HTTP specifications.

Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright © 2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
RESTful Fundamentals and Practice
Foreword
⚫ The open ecosystem of the computing industry has driven rapid development in many fields. The network industry is seeking its own transformation and development, and Software Defined Networking (SDN) is a concept that has attracted great attention.
⚫ In the network communications field, network openness is an inevitable trend of industry development. In a fully connected, intelligent world, opening more interfaces means quick connections with other networks. Network openness not only transforms networks, but also further segments the industry chain, bringing new opportunities for industry development. Nowadays, REST is selected and preferred by a growing number of companies, and likewise, RESTful application programming interfaces (APIs) are growing in popularity across the entire network.
⚫ This course aims to help development engineers understand the concepts and functions of SDN, REST, and RESTful APIs, the working principles of HTTP, and typical practices in invoking RESTful APIs.
Objectives
⚫ On completion of this course, you will be able to:
 Describe the development of SDN.
 Have full knowledge of the background, concepts, and highlights of REST.
 Understand the relationship between REST, RESTful, and RESTCONF.
 Master the HTTP packet format and field descriptions.
 Understand the relationship between HTTP, HTTPS, and HTTP/2.
 Grasp basic capabilities for invoking RESTful APIs.

Contents
1. SDN Overview
2. REST and RESTful
3. Working Principle of HTTP
SDN Origin
⚫ SDN was developed by the Clean Slate Program at Stanford University as an innovative new network architecture. The core of SDN is to separate the control plane from the data plane of network devices, so that the network control plane is controlled centrally and network application innovation is well supported.
⚫ SDN had three characteristics in its initial phase: forwarding-control separation, centralized control, and open programmable interfaces.

Figure: SDN applications sit above the OpenFlow controller, which provides the control plane functions; the controller connects over OpenFlow to OpenFlow switches, which have only the data (forwarding) plane.

• OpenFlow was defined in the initial phase of SDN. With technology development, many other southbound interface (SBI) protocols have been defined between the controller and network devices.
Essential Requirements of SDN
⚫ The essence of SDN is to make networks more open, flexible, and simple. It builds a core brain for a network and implements fast service deployment, traffic optimization, or network service openness through centralized control in the global view.
⚫ Highlights:
 Provides centralized management, simplifying network management and O&M.
 Shields technical differences, simplifying network configuration and reducing O&M costs.
 Offers automatic optimization, improving network utilization.
 Deploys services rapidly, shortening the service provisioning time.
 Builds an open network, supporting open and programmable third-party applications.

SDN transforms the network architecture.

• SDN is a broader concept, not limited to OpenFlow. Separation between the control and data planes is a method rather than the essence of SDN.
SDN Architecture
⚫ An SDN architecture consists of the application layer, control layer, and infrastructure layer. To communicate between these layers, SDN uses open interfaces: as the figure shows, the northbound interfaces (NBIs) connect the application layer with the control layer, and the southbound interfaces (SBIs) connect the control layer with the infrastructure layer. OpenFlow is an SBI protocol.

Figure: application layer (APP, service collaboration); NBI; control layer (service orchestration); SBI; infrastructure layer (data forwarding).

• Application layer: provides various upper-layer applications for service intents, such as OSS and OpenStack. The OSS is responsible for service orchestration of the entire network, and OpenStack is used for service orchestration of network, compute, and storage resources in a DC. There are also other applications at this layer. For example, a user deploys a security app. This app invokes NBIs of the controller, such as Block (Source IP, DestIP), regardless of the device locations. Then the controller delivers different instructions to network devices based on different southbound protocols.
• Control layer: The SDN controller is deployed at this layer and is the core of the SDN network architecture. The control layer is the brain of the SDN system and implements network service orchestration.
• Infrastructure layer: A network device receives instructions from the controller and performs data forwarding.
• NBI: NBIs, mainly RESTful APIs, are used by the controller to interconnect with the application layer.
• SBI: SBIs are used by the controller to interact with devices through protocols such as NETCONF, SNMP, OpenFlow, and OVSDB.
Huawei SDN Network Architecture
⚫ The Huawei SDN network architecture supports various SBIs and NBIs, including OpenFlow, OVSDB, NETCONF, PCEP, RESTful, SNMP, BGP, JSON-RPC, and RESTCONF interfaces.

Figure: network applications (cloud platform, EMS, orchestration, apps) reach the NBI plane over RESTful, SNMP, MTOSI/CORBA, Kafka/SFTP, and RESTCONF interfaces; on the SBI side, PCEP, NETCONF, OpenFlow, BGP-LS, OVSDB, SNMP, BGP, JSON-RPC, and Telemetry interfaces connect to the forwarding devices (AP, switch, CPE, router, security gateway, VNF).

• Cloud platform: resource management platform in a cloud DC. The cloud platform manages network, compute, and storage resources. OpenStack is the most mainstream open-source cloud platform.
• The Element Management System (EMS) manages one or more telecommunication network elements (NEs) of a specific type.
• Container-based orchestration: The container-based orchestration tool can also provide the network service orchestration function. Kubernetes is a mainstream tool.
• MTOSI or CORBA is used to interconnect with the BSS or OSS. Kafka or SFTP can be used to connect to a big data platform.
Huawei SDN Solution - Integrating Management, Control, and Analysis to Build an Intent-Driven Network

Figure: the application layer (cloud platform, self-service portal, mobile app, third-party app, and others) sits above the network management and control layer (Manager, Controller, Analyzer), which manages the network layer: campus networks with APs, DC fabrics, WAN/DCI links, and branch and SD-WAN CPEs.
Introduction to iMaster NCE
⚫ Huawei iMaster NCE is an industry intelligent network automation platform that integrates management, control, analysis, and AI capabilities.

Figure: Manager + Controller + Analyzer = Autonomous Driving Network System. Capabilities shown: SDN-based automatic service configuration and deployment; unified database; full lifecycle management; centralized detection, location, and troubleshooting; simulation verification and monitoring optimization; AI-based intelligent analysis, prediction, and troubleshooting. The platform covers planning, construction, maintenance, and optimization in an automated and intelligent way.

• iMaster NCE effectively connects physical networks with business intents and implements centralized management, control, and analysis of global networks. It enables resource cloudification, full lifecycle automation, and data analytics-driven intelligent closed-loop management according to business and service intents and provides open network APIs for rapid integration with IT systems.
• Huawei iMaster NCE can be used in the enterprise data center network (DCN), enterprise campus, and enterprise branch interconnection (SD-WAN) scenarios to make enterprise networks simpler, smarter, open, and secure, accelerating enterprise service transformation and innovation.
iMaster NCE Application
• Data center: iMaster NCE-Fabric *
• Enterprise campus: iMaster NCE-Campus *
• SD-WAN: iMaster NCE-WAN
• IP WAN: iMaster NCE-IP
• WAN transmission: iMaster NCE-T

* Introduced in this document

Contents
1. SDN Overview
2. REST and RESTful
 ◼ Background of REST
 ▫ Overview of REST
3. Working Principle of HTTP
Basic Concepts of Southbound and Northbound
⚫ Southbound and northbound are relative concepts. Generally, the interfaces provided by an upper-layer system for a lower-layer system are called southbound APIs, and the interfaces provided by a lower-layer system for an upper-layer system are called northbound APIs.
⚫ APIs provide the interaction function to implement data transmission.

Figure: the OSS sits above the controller; the northbound API between them is MTOSI/CORBA/SNMP/REST, and the controller's southbound API faces the devices.

• The operation support system (OSS) is a necessary support platform for telecom services.
• MTOSI: Multi-Technology Operations System Interface
• Common Object Request Broker Architecture (CORBA) is a standard object-oriented application program system specification formulated by the Object Management Group (OMG).

Development of Northbound APIs
⚫ There are many northbound API standards, for example, MTOSI and CORBA. Vendors' controllers need to open northbound APIs compliant with specific standards to easily interconnect with carriers' integrated network management platforms.
⚫ Devices may use diverse northbound APIs such as SNMP, CORBA, and REST. Nowadays, these APIs are gradually being unified into the REST style.

Figure: previously the OSS reached the controller over MTOSI/CORBA/SNMP; now it uses REST.
API Evolution: Unified URI Naming Conventions
⚫ REST standardizes uniform resource identifier (URI) naming conventions. Resource-oriented URI names are easy to understand.
⚫ A URI identifies the location of a resource.

Without REST: URIs were named arbitrarily. URIs without constraints on naming conventions:
• Reserving a meeting room: /reserve/meetingroom/B25R
• Canceling a reserved meeting room: /cancel/meetingroom/B25R
• Querying the meeting room status: /meetingroom/B25R?method=query

With REST: URIs are independent of the operation and methods are clear. URIs with the naming conventions of REST:
• Reserving a meeting room: /meetingroom/B25R, with the calling method being POST
• Canceling a reserved meeting room: /meetingroom/B25R, with the calling method being DELETE
• Querying the meeting room status: /meetingroom/B25R, with the calling method being GET
API Evolution: Stateless Design
⚫ REST uses a stateless design to enhance system scalability.
⚫ Stateful: The server needs to save and maintain the state information of previous requests. Each subsequent state depends on the previous state.
⚫ Stateless: The server sends back the same response for invocation of the same request, function, or method, without depending on other requests. The server does not need to maintain state information, facilitating expansion. At least one URI is available to locate a resource.

Without REST: both stateful and stateless used. A client can obtain the required information only after multiple requests. The figure shows an example of logging in to the office automation (OA) system to view the salary: log in to the OA system, access the personal center, access the salary query page, and then view the salary. The process is complex, affecting user experience. The required information cannot be directly located using only one URI.

With REST: stateless. In the REST architecture, the required result can be obtained with only one request. For example, the salary can be queried using the following URIs:
• Salary of Tom: http://oa.company.com/salary/tom
• Salary of Jerry: http://oa.company.com/salary/jerry

• Stateful request: A server generally needs to save and maintain the status information of previous requests. Each request can use information about the previous requests by default.
• Stateless request: The processing result on the server must be based on the information carried in the same request.

Contents
1. SDN Overview
2. REST and RESTful
 ▫ Background of REST
 ◼ Overview of REST
3. Practices in Invoking RESTful APIs
Overview of REST
⚫ Representational State Transfer (REST) was proposed by Roy Thomas Fielding, HTTP's leading designer, in his doctoral dissertation in 2000. In short, REST is a design style.

Figure: REST uses the client-server interaction framework and involves the following concepts: resource, presentation, and state transfer.

• Abstract of Roy's doctoral dissertation Architectural Styles and the Design of Network-based Software Architectures:
▫ This dissertation explores a junction on the frontiers of two research disciplines in computer science: software and networking. Software research has long been concerned with the categorization of software designs and the development of design methodologies, but has rarely been able to objectively evaluate the impact of various design choices on system behavior. Networking research, in contrast, is focused on the details of generic communication behavior between systems and improving the performance of particular communication techniques, often ignoring the fact that changing the interaction style of an application can have more impact on performance than the communication protocols used for that interaction. My work is motivated by the desire to understand and evaluate the architectural design of network-based application software through principled use of architectural constraints, thereby obtaining the functional, performance, and social properties desired of an architecture.
REST Concepts - Resource
⚫ A resource is an information entity. All things on the network can be abstracted as resources. Each resource has a URI. For example, ports, network elements (NEs), boards, and equipment rooms are resources.
⚫ Resources and operations are the core of REST. The URI is used to locate resources, and HTTP actions (GET, POST, PUT, and DELETE) are used to describe operations.

Figure: resource (URI for locating resources), presentation layer (format for presenting resources), and state transfer (HTTP actions for create, read, update, delete (CRUD) operations: GET/POST/PUT/DELETE) together form the API.

• REST is short for Representational State Transfer, in which the main entity — resource — is not presented.

REST Concepts - Presentation Layer
⚫ Representation is the way a resource is presented.
⚫ For example, a text can be presented in TXT, HTML, XML, JSON, or even binary format; an image can be presented in JPG, PNG, or other formats.

Figure: the same resource, presentation layer, and state transfer diagram, with the presentation layer highlighted.

• A URI represents only a resource entity but not its presentation.

REST Concepts - State Transfer
⚫ Accessing a URI represents an interaction between the client and the server. In this process, data and status changes are involved.
⚫ Hypertext Transfer Protocol (HTTP) is a stateless protocol. This means that all states are stored on the server side, not on the client side. Therefore, the client performs operations on the server by using a certain method, so that a state transfer occurs on the server. Such a state transfer depends on the presentation layer, so it is called "Representational State Transfer".
⚫ The method used by the client is HTTP.

Figure: the same diagram, with state transfer (HTTP actions for CRUD operations: GET/POST/PUT/DELETE) highlighted.
RESTful and RESTCONF
⚫ RESTful APIs comply with the REST design style. There are no mandatory requirements on RESTful APIs, and therefore RESTful APIs can be defined freely.
⚫ RESTCONF APIs also comply with the REST design style. Unlike RESTful APIs, RESTCONF APIs must comply with RFC 8040 defined by the Internet Engineering Task Force (IETF). RFC 8040 defines RESTCONF APIs and their specifications. RESTCONF APIs are based on HTTP and are used to access data defined in Yet Another Next Generation (YANG). RESTCONF allows web applications to access configuration data, status data, and event notifications of network devices in a modular and scalable manner.

Figure: REST style + Configuration (RFC 8040) = RESTCONF.

• YANG defines the storage content and configuration of data.

Defining RESTful APIs
⚫ What is the content defined when we define RESTful APIs?

Figure: HTTP request: request method, URI, message header, message body. HTTP response: status code, message header, message body.

All the preceding fields are contained in HTTP packets. Therefore, REST makes full use of, or heavily relies on, HTTP.

• Relationship between the URI and URL:
▫ The URL is a subset of the URI. The former must be an absolute path, while the latter can be an absolute path or a relative path. For example, http://127.0.0.1:8080/AppName/rest/product/1 is a URL, and AppName/rest/product/1 is a URI.
Contents
1. SDN Overview
2. REST and RESTful
3. Working Principle of HTTP
 ◼ Overview of HTTP
 ▫ HTTP/1.1
 ▫ HTTPS and HTTP/2

• As mentioned earlier, REST makes full use of, or heavily relies on, HTTP. Next, we will move on to HTTP.
Development of HTTP
⚫ HTTP was proposed by Tim Berners-Lee in 1990. After the World Wide Web Consortium (W3C) was established, the IETF working group further optimized and released the HTTP protocol. Over the evolution from HTTP/0.9 to HTTP/3, HTTP offers increasingly high performance.

Timeline shown in the figure:
• 1991, HTTP/0.9: Only the GET method is supported. The request header is not supported.
• 1996, HTTP/1.0: Basic functions available, supporting rich text, request headers, and status codes.
• 1999, HTTP/1.1: Mainstream standard, supporting connection reuse and block-based transmission.
• 2000, HTTPS: TLS/SSL used; encryption-enabled HTTP.
• 2009, SPDY: Predecessor of HTTP/2, which optimizes the performance of HTTP.
• 2013, QUIC: Predecessor of HTTP/3, which uses UDP to implement TCP + TLS + HTTP/2.
• 2015, HTTP/2: Second-generation protocol, supporting multiplexing, header compression, and priority.
• Future, HTTP/3: HTTP-over-QUIC, which is being formulated.

• SPeeDY (SPDY) is a TCP-based application-layer protocol developed by Google. Its objective is to optimize the performance of HTTP, shorten the loading time of web pages, and improve security by using technologies such as compression, multiplexing, and priority. The core idea of SPDY is to minimize the number of TCP connections. SPDY is an enhancement to HTTP, instead of a protocol for replacing HTTP.
• Quick UDP Internet Connection (QUIC) is a UDP-based low-delay Internet transport layer protocol developed by Google. In November 2016, the IETF convened the first meeting of the QUIC working group, which attracted wide attention from the industry. This means that QUIC started its standardization process and will become a next-generation transport layer protocol.
Overview of HTTP
⚫ Hypertext Transfer Protocol (HTTP) is an application layer protocol for distributed, collaborative, and hypermedia information systems. HTTP has been used by the World Wide Web since its inception.
⚫ It uses TCP/IP to transmit data and uses TCP port 80 by default. Websites starting with http:// are standard HTTP services.

• The data transmitted using HTTP can be HTML, images, texts, and so on.
Working Principle of HTTP
⚫ HTTP is based on the client/server (C/S) architecture. The HTTP request and response process is as follows:
 A client establishes a TCP connection with the server.
 The client sends an HTTP request, which consists of a request line, request header, empty line, and request data.
 The server receives the request and sends back an HTTP response, which consists of a status line, response header, empty line, and response body.
 The TCP connection is released.
 The client parses the status line, response header, and response body in sequence and displays the response packet. If the body contains HTML data, the client formats the data based on the HTML syntax and displays the data.

Figure: the client sends an HTTP request to the server and receives an HTTP response.

• An HTTP client is usually a browser. A web server can be an Apache server or an Internet Information Services (IIS) server.
• When a TCP connection is released, if the value of the Connection field in the packet header is close, the server proactively closes the TCP connection, and the client passively closes and releases the TCP connection. If the value of Connection is keepalive, the connection lasts for a period of time and can continue to receive requests.
Features of HTTP
⚫ HTTP has the following features:
 Connectionless: Only one request is processed for each connection. After processing the client's request, the server disconnects from the client.
 Media independent: Any type of data can be sent by HTTP as long as both the client and the server know how to handle the data content. The client as well as the server must specify the content type using an appropriate MIME type.
 Stateless: The server and client are aware of each other only during a current request. Afterwards, both of them forget about each other. This facilitates quick processing of a large number of transactions and enhances the protocol scalability.

Figure: connectionless, media independent, stateless; the client sends an HTTP request to the server and receives an HTTP response.

• The browser differentiates the displayed content such as HTML, XML, GIF, and flash based on the MIME type.
• Advantages of the connectionless feature: This mode saves the transmission time and improves the concurrent performance. No persistent connection is established. Instead, one response is made to each request. However, if a connection is repeatedly established and torn down, the efficiency is affected. In HTTP/1.1, a TCP connection is maintained between the browser and the server for a period of time and will not be disconnected immediately after a request ends.
• Stateless means that, if the processing of subsequent packets requires the previously exchanged information, the information must be retransmitted. Although HTTP/1.1 is a stateless protocol, cookies are introduced to implement the function of maintaining status information.
• A cookie is a text file stored on a client. This file is associated with a specific web page and saves the information about the web page accessed by the client.
Contents
1. SDN Overview
2. REST and RESTful
3. Working Principle of HTTP
 ▫ Overview of HTTP
 ◼ HTTP/1.1
 ▫ HTTPS and HTTP/2

• HTTP/1.1 has been widely used since it was proposed in 1999 and has been a mainstream standard for more than 20 years. In the following part, we will introduce HTTP packets, which are based on HTTP/1.1.
Client Request Message
⚫ An HTTP request message sent by a client consists of a request line, request header, empty line, and
request data. The following shows the format of a request message (each line ends with a carriage return and linefeed, CRLF).

Request line:    Request method  Space  URI  Space  Protocol version  CRLF
Request header:  Header field name: Value  CRLF
                 ...
                 Header field name: Value  CRLF
Empty line:      CRLF
Request data:    Data

Client Request Message - Request Line


⚫ A request line consists of the request method field, URI field, and HTTP version field.
 Request method: HTTP request method, for example, GET and POST. An HTTP client (for example, a browser) must specify the
request type when sending a request to the server.
 URI: A URI identifies the resource involved in a request.
 Protocol version: The protocol version allows the sender to indicate the format of a message and its capacity for understanding
further HTTP communication.
Example of a request line: GET http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1


HTTP Request Method

⚫ HTTP requests can use multiple request methods. HTTP 1.0 defines three request methods: GET, POST, and HEAD.
HTTP 1.1 provides six new request methods: OPTIONS, PUT, PATCH, DELETE, TRACE, and CONNECT.

Method    Function
GET       Requests the specified page information. The server returns the corresponding data.
POST      Submits data, for example, a form.
HEAD      Similar to the GET method, but the response does not contain any data. HEAD is used to obtain only the header.
PUT       Updates and modifies data.
DELETE    Deletes a specified page.
CONNECT   Implements HTTP proxy.
OPTIONS   Allows the client to check the server performance.
TRACE     Echoes back the request received by the server. This is used for testing or diagnosis.
PATCH     Partially updates known resources.

Client Request Message - Request Header

⚫ The request header allows the client to send additional information about the request to the server. These fields act
as request modifiers, with semantics equivalent to the parameters passed to a method in a programming language.
Example of a request header:
Accept: text/html
Accept-Encoding: gzip, deflate, br
Connection: keep-alive


Request Header Fields

Request Header Field   Description
Accept                 Media types that are acceptable for the response.
Accept-Encoding        Data encodings the client can decode, for example, gzip.
Accept-Language        Natural languages preferred for the response. This field is mandatory if the server can provide more than one language.
Authorization          Authorization information, usually sent in response to a WWW-Authenticate header from the server.
Content-Type           Media type of the data. The default value is text/plain.
Content-Length         Length of the request message body.
Host                   Name of the host to be accessed by the client.
Referer                Resource from which the client reached the server. This field contains a URI, indicating that the client accessed the requested page from the page represented by the URI.
User-Agent             Information about the user who sends the request and the client type.
Cookie                 Used by the client to carry data previously saved from the server. Generally, user identity information is saved.
Connection             Whether to disconnect the connection after the request is processed.

• In HTTP 1.0, each connection involves only one request and response and is closed after the request is processed. HTTP 1.0 does not have the Host field. In HTTP 1.1, multiple requests and responses can be transmitted in the same connection, and multiple requests can be processed concurrently.
• WWW-Authenticate is a simple and effective user identity authentication technology from the early days of HTTP.
• The browser differentiates the displayed content, such as HTML, XML, GIF, and Flash, based on the MIME type.
• For more information, refer to RFC 2616 (HTTP/1.1) at https://www.ietf.org/rfc/rfc2616.html.

Client Request Message - Request Data


⚫ Empty line: The server is notified of the end of a request header through an empty line.
⚫ Request data: If the GET method is used, the request data is empty. If the POST method is used, the
request data is the data to be submitted.
Example of request data:
user=admin&password=123456

Server Response Message
⚫ An HTTP response consists of four parts: status line, response header, empty line, and response body.

Status line:      Protocol version  Space  Status code  Space  Reason phrase  CRLF
Response header:  Header field name: Value  CRLF
                  ...
                  Header field name: Value  CRLF
Empty line:       CRLF
Response body:    Data
Server Response Message - Status Line


⚫ The first line of the response message is the status line, which consists of the protocol version, status code, and
reason phrase, separated by a space character.
 Protocol version: The protocol version allows the sender to indicate the format of a message and its capacity for understanding
further HTTP communication.
 Status code: a three-digit result code, which is used to return the operation result to the client.
 Reason phrase: a short text description of the status code, which facilitates understanding.
Example of a status line: HTTP/1.1 200 OK
Status Code
⚫ An HTTP status code is a three-digit number indicating the status of a response from the server. It is used to return the operation
result to the client.

1XX (Informational): the request is received.
  100 Continue                If the request is received, go to the next step.
2XX (Successful): the request is successful.
  200 OK                      Success. The response body is available.
  201 Created                 Resource created successfully.
  204 No Content              Success. No response body is available.
3XX (Redirection): further operations need to be performed.
  301 Moved Permanently       A new URI is allocated to the target resource, and all future references will be associated with the new URI.
4XX (Client Error): request error.
  400 Bad Request             The request body is incorrect and carries error information.
  401 Unauthorized            Authorization failed. For example, the certificate does not match.
  403 Forbidden               Access denied. The possible cause is that the user attempts to perform operations beyond the permission or the login user name or password is incorrect.
  404 Not Found               The requested resource cannot be found.
5XX (Server Error): server error.
  500 Internal Server Error   The request cannot be executed due to an internal server error. The user needs to resend the request later.
  501 Not Implemented         The function has not been implemented.
Server Response Message - Response Header


⚫ A response header allows the server to transfer additional information about the response. These header fields
provide information about the server and the resource identified by the URI.

Example of a response header: Server: JSP3/2.0.14

• The response header describes the basic information about the server and data. The
server uses the response header to notify the client of how to process the data that it
replies to.
Common Fields in the Response Header

Response Header Field   Description
Allow                   Request methods, for example, GET and POST, supported by the server.
Content-Encoding        Encoding method of a document. The content type specified by Content-Type can be obtained only after decoding.
Content-Length          Content length. This field is required only when the client uses a persistent HTTP connection.
Content-Type            Media type of the data. The default value is text/plain.
Date                    Current Greenwich Mean Time (GMT) time.
Location                Location from which the client obtains resources. This field is used together with status code 302 to specify a new URI as the recipient.
Server                  Type of the server.
Set-Cookie              Cookie associated with the page.
Transfer-Encoding       Data transfer format.
WWW-Authenticate        Type of authorization information that the client should provide in the Authorization header. This field is mandatory in a response that contains the 401 (Unauthorized) status line.

• The HTTP response header is often combined with the status code. For example, the
status code 302 (indicating that the location has changed) is usually used together
with the Location header, and the status code 401 (Unauthorized) must be used
together with a WWW-Authenticate header. The response header can be used to set
the cookie, specify the date, instruct the client to refresh the page at the specified
interval, and so on.
Server Response Message - Response Body

⚫ Empty line: It is used to inform the recipient of the end of the response header.
⚫ Response body: message body of the response. If data of the pure data type is requested by the client,
pure data is returned. If an HTML page is requested, the HTML code is returned.
Client Request Message - Example
⚫ A client sends a request containing the user name and password to the server for login authentication.

Request line:    POST http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1
Request header:  Accept: text/html
                 Accept-Encoding: gzip, deflate, br
                 Accept-Language: zh-CN,zh;q=0.9
                 Content-Type: text/html;charset=utf-8
                 Connection: keep-alive
Empty line:
Request data:    user=admin&password=123456
Server Response Message - Example
⚫ The server sends a response to the client, indicating that the authentication is successful.

Status line:      HTTP/1.1 200 OK
Response header:  Date: DD MM YYYY HH:MM:SS Time zone
                  Content-Encoding: gzip, deflate, br
                  Accept-Language: zh-CN,zh;q=0.9
                  Content-Type: text/html
                  Connection: keep-alive
Empty line:
Response body:    Login succeeded
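To make the request and response formats above concrete, here is a small HTTP/1.1 message parser written for this section (an added example, not code from the training material). It splits a message at the empty line, parses the request line or status line, the header fields and the body, classifies the status code into the 1XX to 5XX classes of the status code table, and decodes form data such as user=admin&password=123456. The sample request and response are constructed here after the slides' login example; because the body is a form, the sample uses the application/x-www-form-urlencoded media type and a matching Content-Length rather than the text/html shown on the slide. Two checks matter for any receiver: a header name must be a valid token (no whitespace before the colon), and Content-Length must equal the number of body bytes actually present, because disagreement between the two is what lets two parsers see different message boundaries.

```python
import re
from urllib.parse import parse_qs

# Constructed sample messages, modelled on the login example in the slides
# (built here for the example; not captured from any real client or server).
SAMPLE_REQUEST = (
    b"POST http://www.w3.org/pub/WWW/TheProject.html HTTP/1.1\r\n"
    b"Host: www.w3.org\r\n"
    b"Accept: text/html\r\n"
    b"Accept-Encoding: gzip, deflate, br\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"user=admin&password=123456"
)

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 15\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"Login succeeded"
)

# RFC 7230 "token": the only characters allowed in a header field name.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}


def status_class(code):
    """Map a three-digit status code to the 1XX..5XX class of the status code table."""
    return STATUS_CLASSES.get(code // 100, "Unknown")


def _split_message(raw):
    """Split a message at the empty line into (start line, header lines, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the header section")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def _parse_headers(lines):
    """Parse 'Name: Value' lines; reject malformed names (e.g. whitespace before the colon)."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise ValueError("malformed header line: %r" % line)
        headers[name.decode("ascii").lower()] = value.strip().decode("latin-1")
    return headers


def _check_body(headers, body):
    """The body must be exactly as long as Content-Length claims; a mismatch is an error."""
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if declared != len(body):
            raise ValueError("Content-Length %d but %d body bytes" % (declared, len(body)))
    return body


def parse_request(raw):
    """Parse request line, request header, empty line and request data."""
    start, header_lines, body = _split_message(raw)
    parts = start.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line: %r" % start)
    method, uri, version = (p.decode("ascii") for p in parts)
    headers = _parse_headers(header_lines)
    body = _check_body(headers, body)
    form = {}
    media_type = headers.get("content-type", "").split(";")[0].strip()
    if media_type == "application/x-www-form-urlencoded":
        form = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body, "form": form}


def parse_response(raw):
    """Parse status line, response header, empty line and response body."""
    start, header_lines, body = _split_message(raw)
    parts = start.split(b" ", 2)          # the reason phrase may itself contain spaces
    if (len(parts) < 2 or not parts[0].startswith(b"HTTP/")
            or len(parts[1]) != 3 or not parts[1].isdigit()):
        raise ValueError("malformed status line: %r" % start)
    code = int(parts[1])
    reason = parts[2].decode("latin-1") if len(parts) == 3 else ""
    headers = _parse_headers(header_lines)
    body = _check_body(headers, body)
    return {"version": parts[0].decode("ascii"), "status": code, "reason": reason,
            "class": status_class(code), "headers": headers, "body": body}
```

Header names are lower-cased on the way in because HTTP field names are case-insensitive; values keep their original bytes as Latin-1 text so nothing is lost before the application decides how to interpret them.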
Contents

1. SDN Overview

2. REST and RESTful

3. Working Principle of HTTP
   ▫ Overview of HTTP
   ▫ HTTP/1.1
   ◼ HTTPS and HTTP/2
Overview of HTTPS
⚫ Based on HTTP, Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) uses SSL/TLS for
encryption, enhancing security.

[Figure: HTTP vs. HTTPS. HTTP: plaintext between client and server, stack HTTP/TCP/IP. HTTPS: ciphertext between client and server, stack HTTP/TLS/TCP/IP, where TLS provides identity authentication, information encryption, and integrity check.]

• HTTP transmits information in plaintext, which may pose risks of information interception, tampering, and hijacking. Transport Layer Security (TLS) provides identity authentication, information encryption, and integrity check functions, and therefore can prevent such problems.
Overview of SSL/TLS
⚫ Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are security protocols that ensure
security and data integrity for network communication.
⚫ TLS is the successor of SSL. SSL and TLS encrypt data transmitted on network connections between the
transport layer and application layer without affecting the TCP and HTTP protocols. Therefore, if HTTPS
is used, it does not require much modification on HTTP pages.

Risks of HTTP communication without using SSL/TLS
1. Eavesdropping: HTTP transmits information in plaintext, and third parties can obtain communication data.
2. Tampering: Third parties can tamper with the communication content.
3. Impersonation: Third parties can impersonate others to participate in communications.

Features of HTTPS communication using SSL/TLS
1. Data integrity: HTTPS uses SSL/TLS to encrypt and transmit all HTTP packets. All information is encrypted and cannot be intercepted or tampered with by third parties.
2. Data verification: Communication data is verified. If data is tampered with, the communication parties can immediately detect the tampering.
3. Trusted data source: Identity certificates are used to prevent identity spoofing.

• For more information, refer to RFC 5246 (TLS 1.2) at https://www.ietf.org/rfc/rfc5246.html.
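The identity authentication listed above only exists if the client actually verifies the server certificate. The following added example (not from the training material) shows, with Python's standard ssl module, the weak client setting with verification switched off beside the hardened one, an audit function that reports which of the three protections a context lacks, and a fetch helper that uses the hardened context over HTTPS. The fetch helper needs network access and is not exercised offline.

```python
import ssl
from http.client import HTTPSConnection


def insecure_client_context():
    """The weak setting: certificate and hostname verification switched off.

    With this context the client accepts any certificate, so the identity
    authentication that TLS is meant to provide is lost: an on-path party can
    present its own certificate and the client will not notice."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode is changed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """The corrected setting: verify the server certificate against the system
    trust store, check that it matches the hostname, and refuse TLS below 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return the list of findings for a client SSLContext (an empty list means acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


def https_get(host, path="/", ctx=None):
    """Fetch a page over HTTPS with the given context (needs network; not run here).
    Returns (status code, reason phrase, body bytes)."""
    ctx = ctx or hardened_client_context()
    conn = HTTPSConnection(host, 443, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host, "Connection": "close"})
        resp = conn.getresponse()
        return resp.status, resp.reason, resp.read()
    finally:
        conn.close()
```

The audit function is the piece worth reusing: run it over every SSLContext a code base constructs, and a context that turns off verification to "make the error go away" shows up as a finding rather than silently shipping.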
Overview of HTTP/2
⚫ HTTP/2 is the second major version of the HTTP protocol. It was initially named HTTP 2.0 and is based on the
SPDY (SPeeDY) protocol.

⚫ HTTP/2 greatly improves web performance without changing HTTP semantics, methods, status codes, URIs, and
header fields.

[Figure: page load comparison. HTTP/1.1: latency 57 ms, load time 7.84 s. HTTP/2: latency 38 ms, load time 3.6 s. Progress indicators shown: 30% and 80%.]

• SPDY is a TCP-based application-layer protocol developed by Google. SPDY aims to optimize the performance of HTTP, shorten the loading time of web pages, and improve security by using technologies such as compression, multiplexing, and priority. The core idea of SPDY is to minimize the number of TCP connections. SPDY is an enhancement to HTTP, not a protocol for replacing HTTP.
Core of HTTP/2 - Binary Transmission
⚫ The core of performance enhancement in HTTP/2 is binary transmission.

⚫ In HTTP/1, data is transmitted in text mode, which has some defects: because of the diversity of text formats, many
scenarios must be considered to achieve robustness. In contrast, the binary format involves only 0s and 1s, which is
significantly more convenient and robust.

[Figure: HTTP/1.1 carries the application-layer message as text (POST http://www.w3.org HTTP/1.1, Accept: text/html, Content-Type: text/html;charset=utf-8, Connection: keep-alive, user=admin&password=123456). HTTP/2 carries it as binary frames (frame header plus payload) above the transport layer.]

• Enhancements to HTTP/2:
• Header compression: The HPACK algorithm is used to compress headers to reduce the header size and improve performance.
• Multiplexing: A request message can be divided into frames, which are sent in sequence and reassembled at the other end. In HTTP/1.1, when a client sends multiple requests through a TCP connection, the server can only respond to the requests in sequence, so subsequent requests may be blocked.
• Resource pushing: In addition to responding to client requests, the server can push additional resources to clients.
• Priority: HTTP/2 defines complex priority rules. A browser can request multiple resources at a time and specify priorities to help the server determine how to process these resources, avoiding resource competition.
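The following added example (not from the training material) makes the binary framing concrete. It encodes and decodes the 9-byte HTTP/2 frame header (24-bit length, 8-bit type, 8-bit flags, a reserved bit plus a 31-bit stream identifier, as defined in RFC 7540), enforces the two checks a receiver must make (frame length within SETTINGS_MAX_FRAME_SIZE, and no DATA or HEADERS frame on stream 0), and shows the header compression idea with the HPACK static table, where a whole header field such as :method: POST travels as a single byte. The login request frames and the static-table subset are constructed for this example; literal HPACK representations are not implemented.

```python
import struct

# Frame types defined by RFC 7540, section 6.
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
DEFAULT_MAX_FRAME_SIZE = 1 << 14          # initial SETTINGS_MAX_FRAME_SIZE (16384 bytes)
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# A few entries of the HPACK static table (RFC 7541, appendix A). With header
# compression a whole header field can be sent as one byte that indexes this
# table. Only the entries used in this example are listed.
HPACK_STATIC = {2: (":method", "GET"), 3: (":method", "POST"), 4: (":path", "/"),
                6: (":scheme", "http"), 7: (":scheme", "https")}


def encode_frame(ftype, flags, stream_id, payload):
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for the 24-bit length field")
    if not 0 <= stream_id < 1 << 31:
        raise ValueError("stream id must fit in 31 bits")
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id)
    return header + payload


def decode_frames(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split a byte string into frames, applying the checks a receiver must make."""
    frames = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF   # drop the reserved bit
        if length > max_frame_size:
            raise ValueError("FRAME_SIZE_ERROR: %d-byte frame exceeds %d" % (length, max_frame_size))
        if ftype in (0x0, 0x1) and stream_id == 0:
            raise ValueError("PROTOCOL_ERROR: DATA/HEADERS frame on stream 0")
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append({"type": FRAME_TYPES.get(ftype, "UNKNOWN(0x%x)" % ftype),
                       "flags": flags, "stream_id": stream_id, "payload": payload})
        pos += 9 + length
    return frames


def decode_indexed_headers(block):
    """Decode an HPACK block made only of indexed fields (high bit set).
    Literal representations are outside this example and are rejected."""
    fields = []
    for byte in block:
        if not byte & 0x80 or (byte & 0x7F) not in HPACK_STATIC:
            raise ValueError("unsupported or unknown HPACK representation 0x%02x" % byte)
        fields.append(HPACK_STATIC[byte & 0x7F])
    return fields


def build_login_request_frames():
    """The slide's login request as HTTP/2 frames on stream 1: a HEADERS frame whose
    HPACK block is three static-table indexes (:method POST, :scheme https, :path /),
    followed by a DATA frame carrying the form body. Constructed for this example."""
    headers_block = bytes([0x80 | 3, 0x80 | 7, 0x80 | 4])
    return (encode_frame(0x1, FLAG_END_HEADERS, 1, headers_block)
            + encode_frame(0x0, FLAG_END_STREAM, 1, b"user=admin&password=123456"))
```

The length check is the one to keep in mind when writing or reviewing an HTTP/2 endpoint: the 24-bit length field can claim far more than the negotiated maximum, and a receiver that allocates on the advertised length before checking it is the classic resource-exhaustion mistake.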
Quiz

1. (Single-answer question) Which of the following HTTP request methods does not
need to contain request data in an HTTP request? ( )
A. POST
B. GET
C. PUT
D. DELETE

1. B
Summary

⚫ SDN innovates the network architecture. It uses a controller to build a
more open, flexible, and simplified network.
⚫ REST is an architectural or design style rather than a standard. It provides
only design principles and constraints.
⚫ REST makes full use of HTTP. The core of REST is to perform operations
(such as GET, POST, PUT, and DELETE) on resources in multiple forms.
⚫ By invoking RESTful APIs, users can write Python scripts to implement
automation as required.

More Information

⚫ REST dissertation
 https://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm
⚫ RFC HTTP/1.1
 https://www.ietf.org/rfc/rfc2616.html
⚫ RFC HTTP/2
 https://www.ietf.org/rfc/rfc7540.html
⚫ RFC HTTPS
 https://www.ietf.org/rfc/rfc2818.html
Thank you. Bring digital to every person, home, and
organization for a fully connected,
intelligent world.

Copyright © 2021 Huawei Technologies Co., Ltd.
All Rights Reserved.

The information in this document may contain predictive
statements including, without limitation, statements regarding
the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that
could cause actual results and developments to differ materially
from those expressed or implied in the predictive statements.
Therefore, such information is provided for reference purpose
only and constitutes neither an offer nor an acceptance. Huawei
may change the information at any time without notice.
iMaster NCE-Campus Open API Introduction
Foreword

⚫ iMaster NCE-Campus is a next-generation SDN controller for enterprise campuses
and is a core component of Huawei CloudCampus Solution.
⚫ iMaster NCE-Campus centrally manages and controls enterprise campuses and
provides automatic deployment, security defense, and visualized O&M. It helps
customers build service-centric dynamic scheduling capabilities of network services.
⚫ iMaster NCE-Campus provides standard-compliant open RESTful APIs for partners
to develop innovative applications and continuously create value for enterprise
customers.

Objectives

⚫ On completion of this course, you will be able to:
 Describe Huawei CloudCampus Solution.
 Describe main open APIs of iMaster NCE-Campus.
 Describe typical application scenarios of iMaster NCE-Campus.

Contents

1. Solution Overview

2. Typical Scenarios and Open Capabilities

3. Openness and Cooperation Cases
Huawei CloudCampus Solution

[Figure: layered solution architecture. Application layer: customer ecosystem applications (electronic shelf label, energy efficiency mgmt., asset flow analysis, ...). Platform layer: Open API; iMaster NCE with intent engine, security engine, policy engine, and analytics engine; Smart Campus Insight; connected to the Internet. Southbound: NETCONF/YANG and Telemetry/Context. Network layer: overlay (virtual office network, virtual production network, virtual security protection network) over the underlay (small campus with central AP, ultra-broadband medium-sized campus, large-sized campus connection).]

Open architecture: Pre-integration and easy integration
• Pre-integrates the offerings from 30+ ecosystem partners and a feature database of 360+ terminals.
• Provides 300+ APIs of four types for easy integration with third-party vendors.
Simplified deployment: Automated deployment and cloud-based architecture
• Automation: automatic deployment based on the policy engine, with 50% higher efficiency.
• Virtualization: VXLAN-based network virtualization, achieving one network for multiple purposes.
• Cloudification: full-lifecycle cloud management service, deploying a branch network in minutes.
Secure threat defense: Proactive threat defense and collaborative network protection
• Collects real-time data through security probes to implement network-wide security situation awareness.
• Proactively identifies and handles security threats based on a security engine, with a threat identification rate of over 99%.
Intelligent O&M: Experience visibility and prediction-based optimization
• Data collection in seconds through telemetry, achieving user experience awareness throughout the journey.
• 85% fault identification rate based on expert experience and AI-based dynamic baseline exception detection.
Ultra-broadband bearer: Scenario-specific innovations and ultra-broadband
• Ultra-broadband forwarding: 100GE core switches, ensuring non-blocking high-speed forwarding.
• Ultra-broadband access: Industry's first commercial Wi-Fi 6 APs, successfully delivered to 10+ customers.
• Scenario-specific innovations: All-scenario WLAN solutions ideal for coverage needs in different scenarios.
• IoT: Convergence of IoT and Wi-Fi (Zigbee, RFID, BLE, and UWB).

• iMaster NCE-Campus is Huawei's next-generation autonomous driving network management and control system for campus networks. It is a network automation and intelligent platform integrating manager, controller, analyzer, and AI functions. As such, this platform drives enterprise cloudification and digital transformation, and creates a shortcut to more automated network management and intelligent network O&M.
CloudCampus Capability Openness Panorama

[Figure: four-layer panorama. Application layer: industry-focused applications for MSPs, business, education, manufacturing, healthcare, office, and other sectors, such as authentication and accounting, network management and monitoring, log analysis, crowd profiling, customer flow analysis, marketing reach, student health management, e-Schoolbag, electronic shelf label, baby wristband, AGV navigation, asset management, personnel management, and energy efficiency management. Platform layer: four API types over the solution platform layer (intent engine, policy engine, security engine, and analytics engine): (1) basic network API (basic service API, network configuration API, O&M and monitoring API, policy service API); (2) value-added service API (terminal data API, app data API, traffic data API, IoT API); (3) third-party API (platform API, Portal + RADIUS, authorization API); (4) LBS API (RSSI API, AP RSSI API, Bluetooth API). (5) Network layer: firewalls, ARs, switches, and WLAN APs reached through NETCONF/YANG/Telemetry/Syslog/SNMP/NetStream; (6) APs host IoT cards (RFID, Bluetooth, ZigBee). Terminal layer: electronic shelf labels, asset tags, baby wristbands, smart wrist straps, mobile phones, IP phones, tablets, cameras, and partner terminals.]

• Application layer: It focuses on mainstream scenarios and provides industry-wide applications. At this layer, network service data is shared, meeting value-added data and operation requirements.
• Platform layer: It provides four types of APIs and supports industry-standard network interconnection protocols.
• Network layer: It provides various open interfaces, such as NETCONF, YANG, and Telemetry, improving device manageability. APs are compatible with third-party IoT cards to implement IoT.
• Terminal layer: It supports access of IoT terminals (such as ZigBee, RFID, and BLE), and access of wired and wireless terminals (such as mobile phones, IP phones, tablets, and cameras).
Typical Cooperation Scenarios and Open APIs

[Figure: typical cooperation scenarios (authentication and authorization, network O&M, location-based service, crowd profiling, and smart IoT, the last covering energy efficiency management, asset management, IoT-based positioning, and electronic shelf label) mapped onto the platform-layer API types: (1) basic network API (basic service API, network configuration API, O&M and monitoring API, policy service API); (2) value-added service API (terminal data API, app data API, traffic data API, IoT API); (3) third-party API (platform API, Portal + RADIUS, authorization API); (4) LBS API (RSSI API, AP RSSI API, Bluetooth API). (5) Network layer: firewall, AR, switch, and WLAN AP reached through NETCONF/YANG/Telemetry/Syslog/SNMP/NetStream; (6) IoT card (RFID, ZigBee, Bluetooth).]
Contents

1. Solution Overview

2. Typical Scenarios and Open Capabilities
   ◼ Authentication and Authorization
   ▫ LBS
   ▫ Crowd Profiling
   ▫ Network O&M
   ▫ Smart IoT

3. Openness and Cooperation Cases
Introduction to Authentication and Authorization
⚫ Authentication and authorization: A third-party authentication and authorization platform interworks with iMaster NCE-Campus to
perform network access authentication and accounting for terminals that access Huawei intent-driven campus networks.

[Figure: a third-party authentication and authorization platform connected to iMaster NCE-Campus in two ways: solution 1 through the Open API (authorization API), solution 2 through Portal + RADIUS. Below the controller sit a firewall, a switch, and cloud APs that carry the authentication and authorization traffic.]

• iMaster NCE-Campus provides two integration solutions for authentication and authorization using the third-party
authentication and authorization platform. Tenants can select a solution based on the site requirements.

Integration Solution            Suggestions
Solution 1: Authorization API   After users are authenticated, the third-party authentication and authorization platform invokes
                                the authorization API to instruct iMaster NCE-Campus to authorize the users. Accounting is not
                                recommended in this solution.
Solution 2: Portal + RADIUS     iMaster NCE-Campus functions as a RADIUS client to interact with the third-party authentication
                                and authorization platform for user authentication and authorization. Accounting is recommended
                                in this solution.

• The tenant or MSP wants to use an existing or third-party authentication platform to authenticate user identities and authorize users for network access authentication through the web page (authentication portal). For example, an MSP provides a unified access authentication page for tenants.
Interconnection Using the Authorization API

[Figure: sequence between the terminal (802.11), the cloud AP, iMaster NCE-Campus, and the third-party authentication and authorization platform.]
1. An HTTP/2 connection channel is set up between the device and controller.
2. The terminal accesses the network.
3. The terminal browser is redirected to the iMaster NCE-Campus web UI.
4. The user accesses iMaster NCE-Campus.
5. The terminal browser is redirected to the third-party portal server for the second time. (The URL of the key item carries the parameters of the first redirection, such as the MAC address of the terminal.)
6. The terminal browser accesses the third-party portal server page.
7. The terminal browser displays the login page.
8. The end user enters the user name and password to log in.
9. The third-party platform invokes the authorization API.
10. iMaster NCE-Campus delivers the authorization to the device through the HACA channel.
11. iMaster NCE-Campus returns the authorization result.
12. The third-party platform invokes the API for querying the authorization status.
13. The portal server sends the authentication result to the user through the HTTP page.
14. The authentication is successful. The user obtains the network access permission and downloads the app.
15. The user is brought offline according to the third-party policy.
16. The third-party platform invokes the user offline API.

• To access the Internet, a user connects to the SSID of a Wi-Fi network and logs in to the portal pushed by a developer app. The developer app calls the authorization API of Huawei iMaster NCE-Campus to deliver the user's Wi-Fi access permission to the AP. The user then can access the Internet.
• NAC is short for network access control.
• Huawei Agile Cloud Authentication (HACA) is based on the mobile Internet protocol HTTP/2.
Interconnection Using the Authorization API
Sample Code (Windows)

The API uses HTTPS and the port 18002.
This is a RESTful API, and Content-Type is application/json.
The following shows only a part of the API URL. For example, if the address of iMaster NCE-Campus is
https://10.186.40.148:18002/, the complete URL of the authorization API is
https://10.186.40.148:18002/controller/cloud/v2/northbound/accessuser/haca/authorization.

Request
POST /controller/cloud/v2/northbound/accessuser/haca/authorization
{
    "deviceMac":"AA:AA:AA:00:00:89",
    "deviceEsn":"AA50082935AAAA000088",
    "ssid":"YWFh",
    "policyName":"dfdsffd",
    "terminalIpV4":"10.11.11.11",
    "terminalMac":"ff-ff-ff-ff-ff-f1",
    "username":"liao",
    "nodeIp":"10.186.40.148",
    "apMac":"AA:AA:AA:00:00:89"
}

Response
STATUS CODE 200
{
    "errcode": "",
    "errmsg": "",
    "psessionid": "846d65a4e1bb38c350a280f46e6d2f6ab0a688df7edbb72b77bc5d03e3926cd6"
}

• For more information about API-based authentication and authorization, visit https://devzone.huawei.com/cn/enterprise/campus/apiSolution.html.
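As an added example (not the controller's own code or SDK), the following Python client builds the request body from the fields on the slide, validates the MAC and IPv4 fields locally before anything is sent, posts the body to port 18002 over verified HTTPS, and turns the response into either a psessionid or an error. The sample field values are copied from the slide. Treating every listed field as required, and reading psessionid as a session handle, are assumptions of the example; any access-control headers the deployment requires are passed in by the caller, since the slide does not show them.

```python
import json
import re
import ssl
from http.client import HTTPSConnection

# Port and path as given on the slide.
API_PORT = 18002
AUTHORIZATION_PATH = "/controller/cloud/v2/northbound/accessuser/haca/authorization"

# Fields present in the slide's sample request. Whether each one is mandatory for
# the real API is an assumption of this example, which requires all of them.
REQUIRED_FIELDS = ("deviceMac", "deviceEsn", "ssid", "policyName", "terminalIpV4",
                   "terminalMac", "username", "nodeIp", "apMac")
# Both AA:BB:.. and aa-bb-.. forms appear in the sample, so either separator is accepted.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")
IPV4_RE = re.compile(r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$")

SAMPLE_FIELDS = {  # values copied from the slide's sample request
    "deviceMac": "AA:AA:AA:00:00:89", "deviceEsn": "AA50082935AAAA000088", "ssid": "YWFh",
    "policyName": "dfdsffd", "terminalIpV4": "10.11.11.11", "terminalMac": "ff-ff-ff-ff-ff-f1",
    "username": "liao", "nodeIp": "10.186.40.148", "apMac": "AA:AA:AA:00:00:89",
}


class AuthorizationError(Exception):
    """Raised when the controller reports an error or answers in an unexpected shape."""


def build_authorization_body(fields):
    """Validate the fields locally and serialize them as the JSON request body."""
    missing = [k for k in REQUIRED_FIELDS if not fields.get(k)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    for key in ("deviceMac", "terminalMac", "apMac"):
        if not MAC_RE.match(fields[key]):
            raise ValueError("%s is not a MAC address: %r" % (key, fields[key]))
    for key in ("terminalIpV4", "nodeIp"):
        if not IPV4_RE.match(fields[key]):
            raise ValueError("%s is not an IPv4 address: %r" % (key, fields[key]))
    return json.dumps({k: fields[k] for k in REQUIRED_FIELDS}).encode("utf-8")


def parse_authorization_response(status, raw):
    """Require status 200 and an empty errcode; return the psessionid."""
    if status != 200:
        raise AuthorizationError("unexpected HTTP status %d" % status)
    try:
        doc = json.loads(raw)
    except ValueError:
        raise AuthorizationError("response body is not JSON")
    if doc.get("errcode"):
        raise AuthorizationError("%s: %s" % (doc["errcode"], doc.get("errmsg", "")))
    session = doc.get("psessionid")
    if not session:
        raise AuthorizationError("response carries no psessionid")
    return session


def authorize(controller_host, fields, extra_headers=None):
    """POST the authorization request over verified HTTPS.
    Needs a reachable controller and is not run here; extra_headers carries whatever
    access-control headers the deployment requires."""
    body = build_authorization_body(fields)
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    headers.update(extra_headers or {})
    conn = HTTPSConnection(controller_host, API_PORT,
                           context=ssl.create_default_context(), timeout=10)
    try:
        conn.request("POST", AUTHORIZATION_PATH, body=body, headers=headers)
        resp = conn.getresponse()
        return parse_authorization_response(resp.status, resp.read())
    finally:
        conn.close()
```

Validating locally before sending keeps malformed input from reaching the controller at all, and treating a non-empty errcode as a failure rather than relying on the HTTP status alone matches the response shape the slide shows, where the status is 200 and the outcome is carried in the body.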
Interconnection Using Portal and RADIUS

[Figure: sequence between the client, the AP, iMaster NCE-Campus, the third-party portal server, and the third-party RADIUS server.]
1. The user connects to a Wi-Fi network and opens a browser to access the Internet.
2. The user is redirected to iMaster NCE-Campus.
3. Redirects the user to iMaster NCE-Campus.
4. The user is redirected to the third-party portal page again.
5. Redirects the user to the third-party portal page. The user logs in to the page as prompted.
6. Instructs the user to push the user name and password to iMaster NCE-Campus.
7. The user page pushes the user name and password to iMaster NCE-Campus.
8. Initiates an access authentication request using RADIUS authentication packets.
9. Accepts or rejects the access using RADIUS authentication packets.
10. Instructs the AP to perform authorization.
11. Sends the accounting messages using RADIUS authentication packets.
12. If the authentication succeeds, the success page is displayed (pushed by the third-party portal server). If the authentication fails, the failure information page is displayed.
13. Obtains page resources.
14. Displays the page.
If authentication fails, a dialog box pops up to display the authentication failure information page.

• For details about RADIUS-based authentication, visit https://devzone.huawei.com/cn/enterprise/campus/radiusSolution.html.
Contents

1. Solution Overview

2. Typical Scenarios and Open Capabilities
   ▫ Authentication and Authorization
   ◼ LBS
   ▫ Crowd Profiling
   ▫ Network O&M
   ▫ Smart IoT

3. Openness and Cooperation Cases
LBS Introduction
⚫ A location-based service (LBS) is deployed on a third-party LBS application platform and used to detect and locate terminals
managed on Huawei intent-driven campus networks. The LBS provides customer flow analysis, Wi-Fi marketing, and navigation
based on the terminal locations.

[Figure: three ways to deliver RSSI data to an LBS server and its BI application: method 1, HTTPS + JSON through the Open API; method 2, the AP RSSI API; method 3, the Bluetooth API. The campus side comprises a firewall, a switch, and cloud APs that collect the RSSI data.]

Application Scenario
• Huawei provides location data of Wi-Fi and Bluetooth terminals to a third-party partner. The partner parses the location data and provides VAS applications, such as heat map, track tracing, and customer flow analysis, for end customers.

Integration Solution   Suggestions
HTTPS + JSON           Applicable to the interconnection with an LBS system deployed based on software as a service (SaaS).
AP RSSI API            Applicable to the on-premise scenario.
Bluetooth API          Applicable to locating Bluetooth terminals and reporting terminal data.

• Location-based service (LBS) uses various locating technologies to obtain the current locations of devices and pushes information and basic services to these devices through the mobile Internet.
• iMaster NCE-Campus aggregates the terminal location data collected by cloud APs and periodically sends the data to the third-party LBS platform. After parsing and analyzing the location data with a series of algorithms, the LBS platform provides VASs, such as heatmap, tracking, and customer flow analysis, for customers.
• Remarks: Partners need to meet related standards based on application scenarios, such as the EU General Data Protection Regulation (GDPR).
Data Reporting Process: HTTP + JSON Solution
Participants: client, AP, iMaster NCE-Campus, third-party platform (LBS server)

Preparation (one-time configuration):
1. The third-party platform generates the interconnection URL and secret.
2. The interconnection URL and the secret field are configured on iMaster NCE-Campus.
3. iMaster NCE-Campus generates the validator field.
4. The validator field is set on the third-party platform.
5. iMaster NCE-Campus sends a GET request using HTTPS.
6. The third-party platform returns the validator value.
7. iMaster NCE-Campus verifies the validator value.
8. iMaster NCE-Campus enables the data reporting function and delivers the configuration to the AP.

Periodic reporting (RSSI data is sent to the third-party platform):
9. The AP collects terminal location data.
10. The AP reports RSSI data to iMaster NCE-Campus.
11. iMaster NCE-Campus reports RSSI data in JSON format to the third-party platform.

• iMaster NCE-Campus can directly report terminal location data to a third-party LBS platform. In this solution, iMaster NCE-Campus functions as a relay agent.

• For details about this process, see "Wi-Fi Terminal Location Practice in Huawei
CloudCampus Solution" in the HCIP-Datacom-NCE Northbound Openness Lab Guide.
Data Example: HTTP + JSON Solution
Sample Code (Windows)

{
    "data": [
        {
            "apMac": "4C:FA:CA:D8:23:A0",
            "terminallist": [
                {
                    "terminalMac": "88:19:08:F1:88:45",
                    "rssi": -68,
                    "timestamp": 1557460789000
                },
                {
                    "terminalMac": "90:2E:1C:6A:2A:57",
                    "rssi": -57,
                    "timestamp": 1557460789000
                }
            ]
        }
    ],
    "secret": "Test@1234",
    "type": "Aplocation"
}

• secret: Used by a third-party LBS platform to verify the data sent by iMaster NCE-Campus. If the secret does not match that associated with the reported URL, the data is discarded. The value is generated by the third-party LBS platform and is a string of 32 hexadecimal characters.
• validator: Before sending data, iMaster NCE-Campus checks whether the validator returned by the peer end is correct. If the validator does not match that associated with the reported URL, iMaster NCE-Campus does not send Wi-Fi terminal location data to the third-party LBS platform.

• The validator value is in UUID format and is generated by iMaster NCE-Campus.

• For more examples, visit https://developer.huaweicloud.com/techfield/network.html#CloudCampus.
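An added example (not Huawei's code) of the third-party platform side of the HTTPS + JSON exchange on the two preceding slides: the one-time validator GET and the periodic JSON report carrying the secret, plus the check iMaster NCE-Campus applies to the echoed validator. The HTTP framing, the LbsReceiver class and the sample validator are assumptions; the JSON field names are those of the sample above.

```python
from __future__ import annotations

import hmac
import json
import re
import uuid
from dataclasses import dataclass

# MAC format used by the sample report, e.g. "4C:FA:CA:D8:23:A0".
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class Observation:
    ap_mac: str
    terminal_mac: str
    rssi: int
    timestamp_ms: int


def nce_accepts_validator(expected: str, returned: str) -> bool:
    """Step 7 as seen from iMaster NCE-Campus: reporting is enabled only if
    the platform echoed exactly the UUID validator tied to the reporting URL."""
    try:
        uuid.UUID(returned)  # the validator is in UUID format
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), returned.encode())


class LbsReceiver:
    """Third-party LBS platform side of the exchange (hypothetical class)."""

    def __init__(self, secret: str, validator: str) -> None:
        # secret: generated by the LBS platform and configured on iMaster NCE-Campus.
        # validator: UUID generated by iMaster NCE-Campus and set on the LBS platform.
        self._secret = secret.encode()
        self._validator = validator

    def handle_validator_get(self) -> tuple[int, str]:
        """Step 6: answer the one-time HTTPS GET with the configured validator."""
        return 200, self._validator

    def handle_report_post(self, body: bytes) -> tuple[int, list[Observation]]:
        """Step 11: check the secret, then parse the RSSI observations.
        Returns (HTTP status, observations); a rejected report yields no data,
        matching the slide's rule that data with a mismatching secret is discarded."""
        try:
            report = json.loads(body)
        except ValueError:
            return 400, []
        if not isinstance(report, dict):
            return 400, []
        # Constant-time comparison so the secret cannot be recovered byte by byte
        # from response timing.
        if not hmac.compare_digest(str(report.get("secret", "")).encode(), self._secret):
            return 403, []
        if report.get("type") != "Aplocation":
            return 400, []
        observations: list[Observation] = []
        for ap in report.get("data", []):
            if not isinstance(ap, dict):
                continue
            ap_mac = str(ap.get("apMac", ""))
            if not MAC_RE.match(ap_mac):
                continue  # skip a malformed AP entry instead of failing the batch
            for term in ap.get("terminallist", []):
                if not isinstance(term, dict):
                    continue
                mac = str(term.get("terminalMac", ""))
                rssi, ts = term.get("rssi"), term.get("timestamp")
                if not (MAC_RE.match(mac) and isinstance(rssi, int) and isinstance(ts, int)):
                    continue
                if not -120 <= rssi <= 0:
                    continue  # RSSI in dBm is non-positive; drop impossible values
                observations.append(Observation(ap_mac.upper(), mac.upper(), rssi, ts))
        return 200, observations


# Constructed sample, reusing the report shown on the slide above.
SAMPLE_REPORT = json.dumps({
    "data": [{
        "apMac": "4C:FA:CA:D8:23:A0",
        "terminallist": [
            {"terminalMac": "88:19:08:F1:88:45", "rssi": -68, "timestamp": 1557460789000},
            {"terminalMac": "90:2E:1C:6A:2A:57", "rssi": -57, "timestamp": 1557460789000},
        ],
    }],
    "secret": "Test@1234",
    "type": "Aplocation",
}).encode()

# Placeholder validator for the example; a real one comes from iMaster NCE-Campus.
SAMPLE_VALIDATOR = "123e4567-e89b-12d3-a456-426614174000"


def demo() -> int:
    """Runs the handshake and one report; returns the observation count (2)."""
    receiver = LbsReceiver(secret="Test@1234", validator=SAMPLE_VALIDATOR)
    _, echoed = receiver.handle_validator_get()
    if not nce_accepts_validator(SAMPLE_VALIDATOR, echoed):
        return -1  # iMaster NCE-Campus would not send any location data
    status, obs = receiver.handle_report_post(SAMPLE_REPORT)
    return len(obs) if status == 200 else -1


if __name__ == "__main__":
    print(demo())
```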
Data Reporting Process: AP RSSI API Solution
⚫ iMaster NCE-Campus allows WLAN APs to report terminal location data directly to a third-party LBS platform. iMaster NCE-Campus delivers the location reporting configuration to APs, and then the APs periodically send location packets to the third-party LBS platform.

[Figure: terminal, AP, iMaster NCE-Campus, and third-party LBS platform. (1) iMaster NCE-Campus delivers the location reporting configuration to the AP. (2) The AP periodically sends location packets to the third-party LBS platform.]

• For more about the AP location reporting solution, see https://devzone.huawei.com/cn/enterprise/campus/lbsWiFiSolution.html#Wi-Fi Terminal Data Reporting Process.
Data Reporting Process: Bluetooth API Solution
⚫ iMaster NCE-Campus allows WLAN APs to report terminal location data through Bluetooth Beacon packets. iMaster NCE-Campus delivers the Bluetooth-based terminal location configuration to APs. The APs then broadcast Bluetooth Beacon packets. After receiving the broadcast packets, terminals report their locations to the third-party LBS platform.

[Figure: iMaster NCE-Campus, APs, terminal, and third-party LBS platform. (1) iMaster NCE-Campus delivers the Bluetooth-based terminal location configuration. (2) The APs broadcast Bluetooth Beacon packets based on the delivered configuration. (3) The terminal reports its location to the third-party LBS platform after receiving the broadcast packets.]

• For more about the Bluetooth API solution, see https://devzone.huawei.com/cn/enterprise/campus/lbsBluetoothSolution.html.
Contents
1. Solution Overview
2. Typical Scenarios and Open Capabilities
   ▫ Authentication and Authorization
   ▫ LBS
   ◼ Crowd Profiling
   ▫ Network O&M
   ▫ Smart IoT
3. Openness and Cooperation Cases
Crowd Profiling
• Crowd profiling: A third-party big data analysis platform analyzes the locations and status of terminals detected and managed on Huawei intent-driven campus networks to obtain the characteristics of crowd profiles in an area, so that target content can be pushed to the customers to provide personalized services.

[Figure: an MSP or third-party service reaches the cloud APs through the open API. Method 1: VAS API. Method 2: LBS API.]

Application Scenario
• The business industry has requirements for precision marketing. Direct marketing can tag specific people based on crowd profiles and push target content to provide personalized services based on these tags. Crowd profiling requires two types of data: one is the data left online; the other is the data left in brick-and-mortar stores (offline data), which can be collected using Wi-Fi probes and from the network access data of customers.

Integration Solution | Suggestions
LBS API | Terminal location information is provided.
VAS API | Terminal login and logout information, network application information, and network traffic information are provided.
Invoking a VAS API
Participants: device, iMaster NCE-Campus, third-party network management and monitoring platform

1. The tenant administrator creates a northbound API administrator account on iMaster NCE-Campus.
2. The partner obtains the username and password, obtains the Token_id through Postman, and carries the Token_id in the header of the invoked API to perform API-based authorization.
3. Adds a tenant administrator account.
4. Invokes the API.
5. Obtains the user status information.

• For more about VAS APIs, visit https://devzone.huawei.com/cn/enterprise/campus/valueAddedApi.html.
Contents
1. Solution Overview
2. Typical Scenarios and Open Capabilities
   ▫ Authentication and Authorization
   ▫ LBS
   ▫ Crowd Profiling
   ◼ Network O&M
   ▫ Smart IoT
3. Openness and Cooperation Cases
Network O&M Overview
⚫ Network O&M: Third-party network management platforms (such as MSP-owned or mainstream network management and monitoring platforms) can manage or monitor devices managed by iMaster NCE-Campus.

[Figure: an MSP or third-party service reaches iMaster NCE-Campus through the open API (Method 1: VAS API), or reaches the switch, AP, firewall and AR directly (Method 2: APIs based on NETCONF, YANG, Telemetry, Syslog, SNMP, and NetStream).]

Application Scenario
• MSPs and customers use their existing network management platform to manage or monitor devices that are supposed to be managed by iMaster NCE-Campus, such as creating tenant administrator accounts, managing devices, configuring networks for specified devices, and monitoring device status and alarms.
• Currently, two methods are available to implement network O&M:
   ▫ Network service APIs: The third-party network management platform manages and monitors devices through RESTful APIs.
   ▫ Traditional device APIs based on NETCONF, YANG, Telemetry, and SNMP: Network management platforms can directly configure, manage, and maintain devices through these APIs.

Integration Solution | Suggestions
Network service API | Applicable to interconnection with various third-party private SaaS platforms.
APIs based on NETCONF, YANG, Telemetry, and SNMP | Applicable to interconnection with traditional network management platforms.
Interconnecting with a Third-Party Network Management and Monitoring Platform
Participants: device, iMaster NCE-Campus, third-party network management and monitoring platform

1. The tenant administrator creates a northbound API administrator account on iMaster NCE-Campus.
2. The partner obtains the account and password, obtains the Token_id through Postman, and carries the Token_id in the header of the invoked API to perform API-based authorization.
3. Adds a tenant administrator account.
4. Configures an SSID: the platform invokes the SSID configuration API, and the SSID is configured on iMaster NCE-Campus.
5. iMaster NCE-Campus delivers the configuration to the device.

• For more basic network solutions, visit https://devzone.huawei.com/cn/enterprise/cloudcampus/quickStart.html#network.
Contents
1. Solution Overview
2. Typical Scenarios and Open Capabilities
   ▫ Authentication and Authorization
   ▫ LBS
   ▫ Crowd Profiling
   ▫ Network O&M
   ◼ Smart IoT
3. Openness and Cooperation Cases
Introduction to Smart IoT
⚫ Smart IoT: A third party expands an AP into an IoT base station through the open card capability of the AP to implement functions such as energy efficiency management, asset management, IoT locating, and electronic shelf label.

[Figure: third-party services (electronic shelf label, IoT locating, energy efficiency management, asset management) reach the cloud AP through the open API.]

Application Scenario
• When partners want to deploy IoT applications (such as electronic shelf label, IoT locating, energy efficiency management, and asset management), they can use Huawei's network infrastructure to provide IoT signal coverage (ZigBee, Bluetooth, and RFID), without the need to deploy a secondary IoT network.
• Based on Huawei Cloud Campus Solution, partners can develop IoT cards and IoT service software on the cards to provide IoT services based on the network infrastructure.
   ▫ Huawei provides the network infrastructure, open AP hardware, and basic IoT card management and monitoring.
   ▫ Partners develop IoT cards, card software, and IoT service software.

Smart IoT: Open Cards
• Built-in card: the IoT slot allows IoT cards to be installed to provide extended functions.
• External card: the card is connected through a USB port.
[Figure: built-in and external card options; devices shown: MT800 and AP4050DN-E.]

• For more about the smart IoT solution, visit https://devzone.huawei.com/cn/enterprise/cloudcampus/quickStart.html#iot.
Contents
1. Solution Overview
2. Typical Scenarios and Open Capabilities
3. Openness and Cooperation Cases
Unified Cloud-based Wi-Fi Management in XX
Background
• XX provides Wi-Fi services over more than 800 cities and has 1.5 million users.
Challenges
• How to ensure Wi-Fi signal quality and user access experience in diversified tenant environments.
• O&M for massive devices. A large number of tenants have devices scattered in different places, resulting in high installation and O&M costs.

Solution Implementation
[Figure: iMaster NCE-Campus manages the cloud APs and interconnects with a third-party system management and authentication/accounting platform.]
iMaster NCE-Campus implements plug-and-play and fast deployment of devices and provides full-lifecycle cloud-based and centralized management, simplifying O&M. It provides open APIs to seamlessly interconnect with third-party authentication and accounting management platforms, implementing secure network management.

Cooperation Scenario and API
Authentication and authorization: Portal + RADIUS API

Customer Benefits
• Network coverage: high-quality Wi-Fi coverage
• Cloud-based management: 80% lower OPEX
• Smooth upgrade: more secure customer investment
XX Builds the Future Business
Background
• XXX is a large city complex that integrates industry R&D, apartments, hotels, and businesses.
• It is a landmark building group in XXX. Wireless networks are an important infrastructure.
Challenges
• Consumer experience: The customer requires high-density, high-quality wireless network access to provide precise indoor navigation in more than 160 stores and 30,000 parking spaces.
• Smart operations: The customer wants to use big data analytics technology to describe consumer behavior and visualize staff locations in support of marketing and operational decision-making.

Solution Implementation
[Figure: authentication server, map server, BI server, TAG location server, LDAP server, DHCP server, and terminal location server behind the AC6605; aggregation switch, access switch, and AP4030TN access points.]
Three-RF APs have an independent radio to provide LBS services for Wi-Fi terminals and tags. Bluetooth beacons in the underground garage achieve a locating precision of 1 m to 3 m. Open APIs connect to the app platform to implement customer flow analysis, indoor navigation, and precision marketing, laying a solid foundation for operational decision-making.

Cooperation Scenario and API
Wi-Fi TAG LBS: AP RSSI API

Customer Benefits
• Network quality: high-quality Wi-Fi network
• Customer flow analysis: big data-based precision marketing
• Indoor navigation: improved customers' shopping experience
Digital Transformation of the XX Supermarket
Background
• XX is a well-known chain supermarket in China.
• One of China's top 500 enterprises and a leading enterprise in China's national merchandising and agricultural industrialization.
Challenges
• Shopping experience: The customer wants to provide high-quality wireless network access to improve customers' shopping experience.
• Manpower: The customer wants to reduce manpower and O&M costs, and improve the accuracy of supermarket services.

Solution Implementation
[Figure: Internet; store network management platform and supermarket management system; WAC and switch; AP4050DN-E + IoT card; electronic shelf labels.]
Dual-network convergence: Huawei AP4050DN-E provides built-in slots for IoT modules to converge Wi-Fi and IoT networks, achieving unified planning of the two networks.
Electronic shelf label: Electronic shelf labels interwork with the supermarket management system and the customer's Enterprise Resource Planning (ERP) system to display prices in real time and provide interactive functions such as code scanning, coupon claiming, and out-of-stock warning.
Wireless Internet service: Huawei AP4050DN-E helps build a high-quality wireless network for customers to scan QR codes for shopping or entertainment.

Cooperation Scenario and API
Smart IoT: IoT card

Customer Benefits
• Converged management: converged high-quality Wi-Fi and IoT networks
• Smart operations: ESL-based smart supermarket operation
• Wireless Internet access: improved customers' shopping experience
Quiz

1. (Multiple-answer question) Which of the following layers are available for openness on Huawei intent-driven campus networks? ( )
A. Application layer
B. Platform layer
C. Network layer
D. Terminal layer

1. ABCD
Summary

⚫ This course describes the architecture, cooperation scenarios, and API packet structure involved in Huawei CloudCampus Solution to help readers understand the basic ecosystem openness capabilities of Huawei CloudCampus Solution and provide guides for interconnection between iMaster NCE and third-party applications based on these capabilities. It also helps MSPs, VAS application partners, and customers quickly implement system interconnection and service convergence, and helps customers and partners leverage network values.
Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright © 2021 Huawei Technologies Co., Ltd. All Rights Reserved.

iMaster NCE Service Openness and Programmability
Foreword
⚫ As digital network transformation moves forward, new services and technologies are burgeoning, and
network requirements become more complex. Traditional closed networks cannot meet the
requirements for rapid service innovation. It is an inevitable trend to improve network openness using
existing assets. More agile planning of new services and network service orchestration based on
customized customer intents are core capabilities.

⚫ NCE service openness and programmability are based on the open architecture driven by the YANG
model. Huawei enables openness and programmability at the NE and network layers in the form of
Specific NE Driver (SND) and Specific Service Plugin (SSP) packages, implementing quick
interconnection between new devices and fast rollout of new network services.

⚫ This course introduces the background of service openness and programmability and Huawei's
practices.

Objectives

⚫ On completion of this course, you will be able to:
 Describe the basic concepts of Huawei NCE service openness and programmability.
 Describe the open and programmable architecture and working principles of NCE services.
 Describe the application scenarios of NCE service openness and programmability.
 Use the iMaster NCE open programmability system (OPS) to interconnect new devices and roll out new services.
Contents
1. Background
2. Introduction to NCE Service Openness and Programmability
3. Key Capabilities
4. Related Concepts
5. Practice Cases
Network O&M Adjustment in the 5G/Cloud Era
• Driven by network transformation
• Driven by service innovation
• Driven by customization requirements

• First, let's take carriers as an example. Globally, most carriers face the problems of
revenue decrease and OPEX increase. Moreover, as OTT providers continue to preempt
market shares, more and more carriers take OTT providers as their competitors. These
factors drive carriers to transform their networks. In this case, carriers are faced with
the following problems: how to implement multi-network convergence, multi-vendor
collaboration, and fast and efficient management of converged networks.
• In the 5G era, everyone predicts that 5G will lead to new businesses and services.
However, carriers raise requirements for the rollout of new services, and device
vendors implement the requirements. The rollout period is half a year or several years.
It takes only a few months for OTT providers to launch new services, which makes it
impossible for carriers and OTT providers to compete equally. There are many reasons
for slow service rollout. One of the reasons is that there is a gap between carriers and
vendors. That is, carriers do not understand devices, and vendors do not understand
carrier services. It is an urgent issue to eliminate the impact of this gap and enable
carriers and vendors to play their roles in the fields they are familiar with and quickly
provision new services.

• Finally, the products provided by vendors are universal, that is, they are applicable to
most operators. Carriers want systems to match their service requirements and
enterprise cultures. Therefore, they have customization requirements. For example, a
carrier writes the customization capability into its bidding document or customizes
enterprise specifications. From the perspective of vendors, customization requirements
of customers generate high costs. Therefore, the best solution is to provide the
customization capability and let customers complete customization by themselves.
• Other enterprises face the same problem in the cloud era. Cloudification is a trend, and infrastructure needs to be managed by the cloud platform in a unified manner. In addition, frequent service changes in cloud data centers place high demands on automation. These requirements call for a more open network.
Evolution from CLI to Full Automation

Traditional device adaptation mode (traditional network automation, unsuitable command lines):
# The command line interface (CLI) script is generated based on the template mechanism. The device runs the CLI script through the network management protocol for device configurations.
# The script scale is increasing, maintainability is continuously degraded, and the time required for new mapping is also increasing.

SDN architecture (separation of control and forwarding planes, triggering network automation):
# Centralized management is implemented, and network automation objects are changed from one-to-many to one-to-one.
# Application programming interfaces (APIs) on the control plane are used to indirectly control network devices, laying a foundation for network automation.

Controller with model-based APIs (network programmability, achieving full automation): model-based APIs make device adaptation easier.
# A set of industry-standard models are built to describe managed devices, and network configurations are automated with the APIs generated based on these models.
# Model-based APIs are used to quickly manage and detect networkwide devices and automatically deliver services.
# Model-based APIs are used to perform self-programming and build a tool chain, realizing intent-driven networks.

[Figure: a controller managing a CX600, an NE40E, and a third-party device.]

• On traditional networks, network automation refers to the process of generating command line scripts based on the template mechanism and enabling devices to run
the received command line scripts through the network management protocol. It does
not change the way it interacts with network devices. During device adaptation,
network management engineers use Python or Perl to compile a specific function with
a narrow application scope to implement a series of automatic operations, or use
automation tools such as Ansible and Puppet to implement more complex automation
tasks. Network management engineers need to adapt to network devices to be
supported one by one, regardless of whether they write scripts or use automation tools.
As the script scale becomes larger and larger, script maintainability decreases
continuously, and the time required for adding a new version increases accordingly.
With the advent of the Internet of Everything (IoE) era, the time to market (TTM) of
new services has become a core indicator for enterprises to survive.
• With the great success of the commercialization of cloud computing, the concept of
software-defined networking (SDN, sometimes referred to as “software-driven
network”), which was popular only in the academic circle, has begun to flourish. On an
SDN network, the separation between the control and forwarding planes is highly
recommended. In an ideal SDN network, a centralized controller becomes an
indispensable basis. As the brain of the entire network, it collects information about
the network topology, calculates an optimal path globally based on service
requirements, and notifies devices along the path. When receiving a service packet,
these devices forward the packet according to a path determined by the centralized
controller.
• In this case, enterprises can directly control the forwarding plane of network devices
through the application programming interface (API) exposed on the control plane,
which paves the way for modern network automation.
• On a modern network with forwarding-control decoupling, the separation of the
forwarding and control planes and centralization of the control plane change the
network automation object from "one-to-many" to "one-to-one". Network engineers
no longer need to worry about device adaptation. With PCEP (RFC 5440), FORCES (RFC
5810), BGP-LS (RFC 7752), and NETCONF/YANG (RFC 6241/RFC 7950) contributed by
the open source community, software vendors can build a set of industry-standard
models to describe managed objects, and the APIs generated based on these models
are called by automation scripts or network configuration applications.
• The benefits of using model-based APIs are significant. Because each model is
decoupled from protocols and encoding rules, one model can adapt to multiple
protocols and encoding rules. This provides a solution to uniformly adapt to network
devices that support different network management protocols. Thanks to a unified
device adaptation solution, we have a new direction to do things that we could not do
before.
▫ (1) Using model-based APIs, enterprises can quickly implement telemetry of
devices on the entire network and automatically collect device-level and service-
level network running data, helping network O&M engineers learn about the
network running status promptly.
▫ (2) Model-based APIs can also help enterprises build a tool chain to implement
user intent identification, automatic service provisioning, automatic network-wide
telemetry, and automatic network adjustment and optimization based on data
analysis, thereby implementing intent-driven networks.
Huawei's NCE Service Openness and Programmability Practice
⚫ iMaster NCE (NCE for short) is an innovative network cloudification engine of Huawei. The overall openness and programmability of NCE include automation, analytics, and intent. The goal is to build an open programmable architecture throughout the lifecycle to satisfy customers' requirements for openness and programmability.
• Huawei open programmability system (OPS), a closed-loop component of the automation engine, is crucial to the entire open programming system of iMaster NCE.

[Figure: Overall Openness and Programmability of NCE (Open API). Intent: design, conversion, verification (intent engine). Automation: administration unit, control unit (automation engine, containing the OPS). Analytics: awareness, analysis, decision (analytics engine).]

• iMaster NCE is an innovative network cloudification engine developed by Huawei. Positioned as the brain of future cloud-based networks, NCE integrates functions such
as network management, service control, and network analysis. It is the core
enablement system for network resource pooling, network connection automation, and
O&M automation. NCE aims to build an intent-driven network (IDN) that is first
automated, then self-adapting, and finally autonomous.
• The overall openness and programmability of NCE include automation, analytics, and
intent. The goal is to build a full-lifecycle open and programmable architecture to
satisfy customer needs. The OPS, as a part of the automation engine, is crucial for
the entire open programming system of NCE to form a closed loop. Equivalent to the
limbs of the human body, the OPS is an executor, which needs to be flexible to support
the automatic closed-loop capability driven by the brain of an intent-driven network.
Contents
1. Background
2. Introduction to NCE Service Openness and Programmability
3. Key Capabilities
4. Related Concepts
5. Practice Cases
Introduction (1)
⚫ Similar to the operating system on a computer, NCE service openness and programmability are crucial to networks.

Operating System | NCE service openness and programmability
Program Management | Service Management: build new network services based on service requirements; view NE-level configurations decomposed based on services; provide other functions such as rollback upon a transaction failure.
Hardware Management | Device Management: manage device status and configurations; provide functions such as device grouping and device configuration synchronization.
Driver | Device Driver: know devices; understand device capabilities.
Mouse, keyboard, other hardware | CX600, NE40E, third-party device

• The open architectures of different industries are similar. Similar to the operating
system on a computer, NCE service openness and programmability are crucial to
networks.

• To connect the operating system to managed hardware, such as the mouse and
keyboard, you need to install corresponding drivers. The drivers enable the operating
system to recognize the hardware. NCE service openness and programmability have
similar functions. The difference is that switches and routers are managed in the
datacom industry. First, we need to understand and manage these switches and
routers. That is, load device drivers first, and then add and understand the specific
capabilities of the devices.

• At the upper layer, the operating system implements hardware management, specifically, managing the status of the mouse and keyboard. NCE service openness
and programmability implement device management, such as managing device status
and configurations.

• At the top layer, the operating system provides program management to manage various applications, such as Word and Excel. Note that the mouse and keyboard capabilities are required for using these programs. NCE service openness and programmability implement service management at the top layer, that is, building network service capabilities based on application scenarios. In addition, NCE provides capabilities such as rollback upon a transaction failure and automatic detection of device configuration changes to improve O&M.
Introduction (2)
⚫ NCE service openness and programmability are implemented based on two key software packages: Specific NE Driver (SND) and Specific Service Plugin (SSP). By compiling and loading the two driver packages, you can quickly interconnect new devices and build new services.

[Figure: iMaster NCE layers with the development steps.]
Service management: build new network services based on service requirements; view NE-level configurations decomposed based on services; provide other functions such as rollback upon a transaction failure.
   (3) Compile the SSP package (Python) in the IDE. (4) Load it into iMaster NCE.
Device management: manage device status and configurations; provide functions such as device grouping and device configuration synchronization.
Device driver: know devices; understand device capabilities.
   (1) Compile the SND package (Python) in the IDE. (2) Load it into iMaster NCE.

• NCE service openness and programmability depend on two software packages: SND
and SSP.

▫ Specific NE Driver (SND): provides a data model for the iMaster NCE OPS to
interact with NEs.
▫ Specific Service Plugin (SSP): defines a data model for completing network
service configuration.
• Engineers compile SND packages and load them to iMaster NCE to quickly
interconnect with new devices. Then, engineers compile SSP packages and load them
to iMaster NCE to quickly construct new services.
Architecture
Open device and service programmability

[Figure: iMaster NCE with Web UI, RESTCONF and CLI on top (3); SSP with project management, service YANG model, transaction mechanism, Python mapping (Easymap) and NE YANG model (2); DataStore; Huawei SND and third-party SND on the Python framework (1); NETCONF and STelnet southbound. Legend: framework and mechanism provided by NCE; open programming provided by customers; provided by Huawei.]

1. Open device capabilities: Device capability openness is enabled by loading the YANG model of an NE.
2. Open service definition capabilities: Service capability openness is enabled by customizing and loading service YANG models and service logic.
3. Open northbound capabilities: The system automatically generates northbound RESTCONF interfaces based on the YANG model to quickly interconnect with northbound man-machine and machine-machine interfaces.

Application scenarios
• Supports cross-vendor device management and quick interconnection with third-party devices.
• Quickly constructs services and automatically generates northbound interfaces.
• Supports NETCONF- and STelnet-based device interconnection in the southbound direction.

• NE YANG model: YANG files generated by abstracting atomic capabilities (such as creating sub-interfaces) at the device layer. They are provided by device vendors.

• Service YANG model: YANG files generated by abstracting service models can be used
to generate northbound interfaces and configuration GUIs.
• Easymap: a mapping logic algorithm that decomposes network-layer services into NE-
layer services.
Principles

NCE service openness and programmability consist of the design state and the running state. The design state is used to design and develop service logic. The running state automatically generates service and device management GUIs and northbound interfaces based on the model defined in the design state. Users can configure devices and deliver services through the GUIs and northbound interfaces.

Design state
• Service YANG model
• Mapping: Huawei Jinja2 templates or third-party Jinja2 templates
• NE YANG model
• Huawei SND or third-party SND, on top of the protocol stack (NETCONF, STelnet)

Running state
• Service management: automatic UI generation, service CRUD, dry run/preview, deliver configuration/reset
• Device management: NE management, synchronization, reconciliation, inconsistency discovery, comparison, device CRUD, dry run/preview, deliver configuration/reset
• API gateway: GET, POST, PUT, DELETE
• Base: Web UI, NBI
• Common Foundation: transaction mechanism, user management, globalization, NCE portal, ...

Legend: operated by users; provided by Huawei or a third party; programmed by the user.

• The design state is used to establish the mapping between the service YANG model
and NE YANG model. The system provides the mapping logic algorithm to decompose
network-layer services into NE-layer services. Currently, the NCE service openness and
programmability framework supports two layers of mapping logic: 1. Mapping from
the service model to the device model, which is processed by the SSP package. 2.
Mapping from the device model to protocol packets, which is processed by the SND
package.

• The running state uses the mappings established in the design state to manage devices
and provision services. Specifically:
▫ Service management automatically generates a service management GUI based on the service YANG model to add, delete, modify, and query services.

▫ Device management automatically generates an NE management GUI based on the NE YANG model to add, delete, modify, and query NE resources, achieving functions such as difference comparison, data synchronization, and configuration reconciliation.

▫ API gateway automatically generates northbound RESTCONF interfaces based on the service and device YANG models and works with the mapping between the two models to add, delete, modify, and query services and NE resources.

• The running state provides the dryRun function to help users preview the results of the
current operation and the modification of related device configurations.

• Jinja2 is a Python template engine. NCE service openness and programmability use
Jinja2 to quickly complete the template-based processing of SSP packages.
Development Process
⚫ The overall development process is led by the customer, including requirement analysis and design, SND package development, SSP package development, and commissioning and verification.

[Figure: process flow. Requirement analysis and HLD (customer) → SND development: new device driver development, on demand, provided by Huawei → SSP development: southbound template development, service YANG definition, mapping code development; the customer provides and verifies the service package (one month) → debugging and verification → enter the production environment → incremental design: modification and adjustment.]

⚫ The customer analyzes requirements based on service scenarios.
⚫ The customer performs HLD and outputs the configurations to be delivered and the involved device types.
⚫ Develop the SND package based on the configurations to be delivered and the involved device types.
⚫ Develop the southbound Jinja2 template based on the driver package.
⚫ Define the service YANG model based on service scenarios.
⚫ Develop service code and logic code based on service scenarios.
⚫ Perform testing and verification in a lab environment.
⚫ After verification is completed, enter the production environment.

14 Huawei Confidential

• The development process of NCE service openness and programmability is as follows:

▫ First, analyze requirements based on service scenarios and output the high level
design (HLD). In this phase, analyze the configuration commands to be delivered
and the involved device types, and then start the development of a Specific NE
Driver (SND) package. The SND package is developed as required. If the SND
package of a device exists and the SND package to be delivered is supported, you
do not need to develop the SND package again.

▫ Then, develop a Specific Service Plugin (SSP) package. Step 1: Develop the
southbound Jinja2 template. The southbound Jinja2 template can be considered
as the tailoring of the open interfaces of the device. There are many open
capabilities of devices. However, we only need to use some of them. Therefore,
find and select the required ones. Step 2: Define the service YANG model and
determine northbound input parameters. Step 3: Develop the service logic. This
step is optional. If the service layer can directly map and use the southbound
template, skip this step.

▫ Finally, perform commissioning and verification. After the commissioning and verification are completed, the use in the production environment is formally started. If there are incremental requirements, follow the incremental design process and perform incremental development with reference to the preceding steps.
Contents

1. Background

2. Introduction to NCE Service Openness and Programmability

3. Key Capabilities

4. Related Concepts
5. Practice Cases

15 Huawei Confidential
Overview of Key Capabilities

Key Capabilities
⚫ Device capability openness
⚫ Service capability openness
⚫ Shielding of device differences for services
⚫ Multi-protocol interconnection
⚫ Batch configuration
⚫ Transaction mechanism
⚫ Service conflict detection
⚫ Security audit

16 Huawei Confidential
Device Capability Openness
⚫ Open atomic capabilities of devices. Driven by the device YANG model, the iMaster NCE OPS automatically generates northbound interfaces and configuration GUIs to quickly manage Huawei and third-party devices. It supports device data consistency comparison, configuration reconciliation, and configuration synchronization.

[Figure: NCE service openness and programmability during running: device management. Bearer mode: SND (YANG).]

1. Quickly manage Huawei and third-party devices.
2. Open device configuration capabilities.

17 Huawei Confidential
Service Capability Openness
⚫ Open service configuration mapping capabilities. Driven by the service YANG model, the iMaster NCE OPS automatically generates northbound and southbound interfaces to quickly build new services. The Easymap algorithm in the mechanism is used. Users only need to write the creation process. The update and deletion processes are calculated by the algorithm, thereby simplifying programming and reducing development difficulties.

[Figure: NCE service openness and programmability during running: Easymap. Bearer mode: SSP (YANG).]

1. Open service configuration mapping capabilities.
2. Automatically generate southbound and northbound interfaces based on the service YANG model.
3. Write only the mapping creation process. This simplifies programming and reduces development difficulties.

18 Huawei Confidential

• Easymap: a mapping logic algorithm that decomposes network-layer services into NE-
layer services. Currently, the NCE service openness and programmability framework
supports two layers of mapping logic: 1. Mapping from the service model to the device
model, which is processed by the SSP package. 2. Mapping from the device model to
protocol packets, which is processed by the SND package.
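The following is an added example, not NCE's Easymap and not code from an SSP package: the page does not show Easymap's interfaces, so the service model (a name plus a list of members), the NE-level path layout, and the function names are constructed. It illustrates the point above: the SSP author writes only the creation mapping, and update and deletion are derived by comparing the NE-level data that mapping produces for the old and new versions of the service.

```python
"""Create-only service mapping with update and delete derived by comparison.

Added example, not NCE's Easymap and not an SSP package: the service model
(name + members), the NE-level path layout and the function names are
constructed to show the idea that the author writes only the creation mapping
while update and deletion are computed by diffing the NE-level data.
"""
from typing import Dict, List, Optional, Tuple

NeData = Dict[str, str]                   # NE-level path -> value
Op = Tuple[str, str, str]                 # (operation, path, value)


def create_mapping(service: dict) -> NeData:
    """The only mapping the SSP author writes: service model -> NE-level data.

    Constructed service model: {"name": str, "members": [{"ne", "if", "ip", optional "desc"}]}.
    """
    ne_data: NeData = {}
    for member in service["members"]:
        base = f'{member["ne"]}/ifm/{member["if"]}'
        ne_data[f"{base}/ip"] = member["ip"]
        ne_data[f"{base}/description"] = member.get("desc", service["name"])
    return ne_data


def derive_operations(old: NeData, new: NeData) -> List[Op]:
    """Derive create/merge/delete operations from two NE-level datasets.

    Paths only in `new` are created, paths only in `old` are deleted, changed
    values are merged; unchanged paths yield nothing, so re-delivering the same
    service is a no-op.
    """
    ops: List[Op] = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            ops.append(("create", path, new[path]))
        elif path not in new:
            ops.append(("delete", path, old[path]))
        elif old[path] != new[path]:
            ops.append(("merge", path, new[path]))
    return ops


def plan(previous: Optional[dict], current: Optional[dict]) -> List[Op]:
    """Service create (previous=None), update, and delete (current=None) all go
    through the same two steps: run the creation mapping, then compare."""
    old = create_mapping(previous) if previous else {}
    new = create_mapping(current) if current else {}
    return derive_operations(old, new)


# Constructed sample: version 1 and version 2 of the same service.
SERVICE_V1 = {"name": "svc-A", "members": [
    {"ne": "NE1", "if": "GE0/0/1", "ip": "10.0.0.1/24"},
    {"ne": "NE2", "if": "GE0/0/1", "ip": "10.0.0.2/24"},
]}
SERVICE_V2 = {"name": "svc-A", "members": [
    {"ne": "NE1", "if": "GE0/0/1", "ip": "10.0.0.1/24", "desc": "uplink"},
    {"ne": "NE3", "if": "GE0/0/1", "ip": "10.0.0.3/24"},
]}

if __name__ == "__main__":
    for op in plan(SERVICE_V1, SERVICE_V2):
        print(*op)
```

Because every delivery is expressed as a diff against what the same mapping produced last time, a member that disappears from the service is turned into delete operations without the author ever writing deletion logic, and delivering an unchanged service produces no operations at all.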
Multi-Protocol Interconnection
⚫ Support NETCONF- and STelnet-based device interconnection in the southbound direction. New devices can be interconnected using NETCONF, and existing devices can be interconnected using commands.

[Figure: NCE service openness and programmability with a YANG driver (NETCONF) and a CLI driver (STelnet).]

1. New devices can be interconnected using NETCONF.
2. Existing devices can be interconnected using commands.

19 Huawei Confidential

• The SND package of the CLI driver is also a YANG file.

Shielding of Differences Between Underlying Devices at the Service Layer
⚫ Only specific services need to be focused on at the service layer. Devices of different vendors and using different protocols do not need to be interconnected separately. The OPS supports service interconnection between the devices of different vendors and using different protocols.

[Figure: service layer on top of NCE service openness and programmability (SSP YANG, Easymap, YANG driver). Bearer mode during running: STelnet/NETCONF.]

Support service interconnection between the devices of different vendors and using different protocols.

20 Huawei Confidential
Batch Configuration
⚫ Provide batch configuration capabilities. Devices with the same configuration can be grouped. A template is preset in the system first, and then configurations are delivered in batches.

⚫ Templates are applied in batches by device group to improve efficiency.

[Figure: NCE service openness and programmability: preset template, task management, Easymap.]

1. Support device grouping.
2. Preset templates, which are delivered in batches by device group.
3. Deliver asynchronous tasks in batches.

21 Huawei Confidential
Transaction Mechanism
⚫ Provide a transaction mechanism to ensure data consistency between the device and controller in both success and failure scenarios. The dryRun function enables the customer to check the correctness of configurations before delivery. The configurations can be repeatedly modified and checked with the dryRun function until they are correct. Then, the Commit operation can be started to commit the configurations to the device.

[Figure: NCE service openness and programmability: dryRun, Commit, and Rollback against the database.]

1. The transaction mechanism ensures data consistency between the device and controller.
2. Perform dryRun to check the correctness of configurations before delivery.
3. Perform the Commit operation to commit the configurations to the device. If the Commit operation fails, a rollback based on the transaction occurs automatically.

22 Huawei Confidential
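The dryRun/Commit/Rollback cycle described on this slide, as an added example; it is not the NCE implementation. FakeDevice is a constructed in-memory stand-in whose apply() rejects writes to one chosen path, so that the failure branch (automatic rollback and an untouched controller database) can be exercised offline.

```python
"""dryRun, Commit and Rollback as one transaction around configuration delivery.

Added example; not the NCE implementation. FakeDevice is a constructed
in-memory stand-in whose apply() rejects writes to one chosen path.
"""
from typing import Dict, List, Optional, Tuple

Op = Tuple[str, str, str]          # (operation, path, value); operation is "merge" or "delete"
Config = Dict[str, str]            # path -> value


class DeliveryError(Exception):
    """Raised by the device when it refuses an operation."""


class FakeDevice:
    def __init__(self, config: Config, fail_on: Optional[str] = None):
        self.config = dict(config)
        self.fail_on = fail_on     # constructed knob: path whose write the device rejects

    def apply(self, op: Op) -> None:
        kind, path, value = op
        if path == self.fail_on:
            raise DeliveryError(f"device rejected {kind} on {path}")
        if kind == "delete":
            self.config.pop(path, None)
        else:
            self.config[path] = value


def apply_to_copy(config: Config, ops: List[Op]) -> Config:
    """Pure helper: what a configuration would look like after ops."""
    result = dict(config)
    for kind, path, value in ops:
        if kind == "delete":
            result.pop(path, None)
        else:
            result[path] = value
    return result


class Transaction:
    def __init__(self, device: FakeDevice, controller_db: Config):
        self.device = device
        self.db = controller_db    # the controller's copy of the device configuration

    def dry_run(self, ops: List[Op]) -> Config:
        """Preview the resulting device configuration; nothing is delivered."""
        return apply_to_copy(self.device.config, ops)

    def commit(self, ops: List[Op]) -> Tuple[bool, str]:
        """Deliver every op. If any op fails, undo the ones already applied (in reverse
        order) and leave the controller DB untouched, so device and controller agree."""
        undo: List[Op] = []
        try:
            for kind, path, value in ops:
                previous = self.device.config.get(path)
                self.device.apply((kind, path, value))
                undo.append(("delete", path, "") if previous is None else ("merge", path, previous))
        except DeliveryError as exc:
            for op in reversed(undo):
                self.device.apply(op)          # rollback based on the transaction record
            return False, f"rolled back: {exc}"
        self.db = apply_to_copy(self.db, ops)  # only a fully delivered transaction reaches the DB
        return True, "committed"


if __name__ == "__main__":
    dev = FakeDevice({"ifm/GE0/0/1/ip": "10.0.0.1/24"}, fail_on="ifm/GE0/0/2/ip")
    tx = Transaction(dev, {"ifm/GE0/0/1/ip": "10.0.0.1/24"})
    ops = [("merge", "ifm/GE0/0/1/description", "uplink"), ("merge", "ifm/GE0/0/2/ip", "10.0.1.1/24")]
    print("preview:", tx.dry_run(ops))
    print("commit:", tx.commit(ops), "device:", dev.config)
```

The invariant the transaction protects is that after commit() returns, `device.config` and `tx.db` are equal whether the delivery succeeded or not; the dry run shares the same apply logic as the real delivery, so what the preview shows is what a successful commit produces.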
Service Conflict Detection
⚫ Provide service conflict detection capabilities. The OPS supports source tracing of configured data sources. Configuration conflicts between different services can be detected before delivery. If the configurations of a device are modified by a third party, the modifications can be automatically detected and the configurations re-deployed to restore the services interrupted by the third-party modifications.
⚫ Implement in-depth difference discovery. The controller directly compares the NE-level data decomposed by services with device data to check data consistency.

[Figure: SSP1 and SSP2 both writing the same configuration (configuration conflict); in-depth difference discovery (diff) and configuration consistency check against the device.]

1. Perform data source tracing and conflict detection.
2. Support service and device data consistency check.
3. Automatically detect device configuration modifications by a third party and restore services.

23 Huawei Confidential
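Conflict detection with source tracing, in-depth difference discovery, and the restore step, as an added example; it is not NCE code. NE-level data is modelled as device → {path: value} dicts that each service's SSP has already decomposed. The two sample services and the device data (the VLAN 2 description on device1, the scenario used later in Case 5) are constructed.

```python
"""Service conflict detection and in-depth difference discovery on NE-level data.

Added example, not NCE code. NE-level data is modelled as device -> {path: value};
the sample services and device data are constructed.
"""
from typing import Dict, List, Tuple

NeData = Dict[str, Dict[str, str]]            # device -> path -> value
Op = Tuple[str, str, str, str]                # (operation, device, path, value)


def detect_conflicts(services: Dict[str, NeData]) -> List[dict]:
    """Source tracing: record every service that writes each (device, path); report a
    conflict where two services want different values for the same leaf."""
    writers: Dict[Tuple[str, str], Dict[str, str]] = {}
    for svc, per_device in services.items():
        for dev, cfg in per_device.items():
            for path, value in cfg.items():
                writers.setdefault((dev, path), {})[svc] = value
    return [{"device": dev, "path": path, "values": vals}
            for (dev, path), vals in sorted(writers.items())
            if len(set(vals.values())) > 1]


def expected_ne_data(services: Dict[str, NeData]) -> NeData:
    """Union of all services' NE-level data (run detect_conflicts first)."""
    expected: NeData = {}
    for per_device in services.values():
        for dev, cfg in per_device.items():
            expected.setdefault(dev, {}).update(cfg)
    return expected


def discover_differences(expected: NeData, device_data: NeData) -> List[dict]:
    """In-depth difference discovery: compare the service-decomposed NE data leaf by
    leaf with what the device reports. Only leaves owned by a service are compared;
    other device configuration is outside the services' scope."""
    diffs = []
    for dev, cfg in sorted(expected.items()):
        actual = device_data.get(dev, {})
        for path, value in sorted(cfg.items()):
            if path not in actual:
                diffs.append({"device": dev, "path": path, "kind": "missing",
                              "expected": value, "actual": None})
            elif actual[path] != value:
                diffs.append({"device": dev, "path": path, "kind": "changed",
                              "expected": value, "actual": actual[path]})
    return diffs


def restore_operations(diffs: List[dict]) -> List[Op]:
    """Re-deploy the service's value for every drifted leaf so the service is restored."""
    return [("merge", d["device"], d["path"], d["expected"]) for d in diffs]


# Constructed samples: service 1 and two versions of service 2.
SERVICE1 = {"device1": {"vlan/2/description": "sales", "vlan/2/name": "VLAN0002"}}
SERVICE2_CONFLICTING = {"device1": {"vlan/2/description": "finance"},
                        "device2": {"vlan/2/description": "finance"}}
SERVICE2_FIXED = {"device1": {"vlan/2/description": "sales"},
                  "device2": {"vlan/2/description": "finance"}}
# Constructed device data: device1 was edited from the CLI, device2 has nothing yet.
DEVICE_DATA = {"device1": {"vlan/2/description": "edited-by-cli", "vlan/2/name": "VLAN0002"}}

if __name__ == "__main__":
    print(detect_conflicts({"service1": SERVICE1, "service2": SERVICE2_CONFLICTING}))
    exp = expected_ne_data({"service1": SERVICE1, "service2": SERVICE2_FIXED})
    print(restore_operations(discover_differences(exp, DEVICE_DATA)))
```

detect_conflicts keeps the per-service values rather than a boolean, which is what makes the conflict message meaningful to the operator (it names both services and both values); discover_differences reports "missing" and "changed" separately so that a device that was never configured is distinguished from one that was modified by a third party.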
Security Audit
⚫ Provide security audit capabilities. Historical configuration points can be recorded and rolled back, and service association configurations can be visualized.

[Figure: NCE service openness and programmability: configuration data, diff, and commit history (Commit 1, Commit 2, Commit 3), each with a rollback point.]

1. Record and roll back historical configuration points.
2. Support visualization of service association configurations.

24 Huawei Confidential
Contents

1. Background

2. Introduction to NCE Service Openness and Programmability

3. Key Capabilities

4. Related Concepts
5. Practice Cases

25 Huawei Confidential
Function Package

Specific NE Driver (SND)
A type of software package that provides a data model for interaction between the OPS and NEs. The data model usually contains a .py file and a data model (YANG) of several features. Specifically:
⚫ The former is used to define information related to an NE, such as device type, vendor, and connection information.
⚫ The latter describes the data structure of NE-related features.

Specific Service Plugin (SSP)
A type of software package that defines a data model for completing network-level service configurations. The data model usually contains a Jinja2 template file, a Python mapping script, and a service YANG model. Specifically:
⚫ The Jinja2 template describes the data structure of services and uses the Jinja2 syntax to perform operations such as interpolation, condition judgment, and recursion.
⚫ The Python mapping script describes how to fill the data submitted by users into the template and map the data to the NE data structure.
⚫ The service YANG model describes service parameters and is constructed based on service input.

26 Huawei Confidential
Package Mapping Mechanism

[Figure: RESTful API and Web-UI on top of the NCE service openness and programmability framework. Service package (Specific Service Plugin, SSP): service YANG, service callback logic (Python), NE template 1 and NE template 2 (Jinja2). NE driver package (Specific NE Driver, SND): NE YANG 1 and NE YANG 2 (YANG). Below the SND: automatically generate NETCONF packets or deliver CLI commands to devices through SSH.]

Package mapping supports two layers of mapping logic: during the mapping from the service model to the device model, the logic is processed by the SSP package; during the mapping from the device model to protocol packets, the logic is processed by the SND package.
• NCE automatically generates northbound interfaces or configuration GUIs based on service models.
• Users send configuration requests to the service logic compiled by users through the interface provided by the service model.
• The service processing consists of two parts:
▫ Python code processing, which processes service logic. For example, allocate resources and read NE or service information.
▫ Jinja2 template processing, which processes vendor-related logic. A template is actually the data delivered to a device model. Devices from different vendors have different templates.

27 Huawei Confidential

• Currently, the NCE service openness and programmability framework supports two
layers of mapping logic: 1. Mapping from the service model to the device model, which
is processed by the SSP package. 2. Mapping from the device model to protocol
packets, which is processed by the SND package.
• For SND package processing, if the device is a NETCONF device, NCE service openness
and programmability automatically convert the model data into NETCONF packets.
NETCONF
NETCONF is a protocol defined by the IETF for installing, maintaining, and deleting configuration data on NEs. All NETCONF operations are implemented using XML-encoded RPCs. NCE service openness and programmability use NETCONF to communicate with NEs.

[Figure: NETCONF client and NETCONF server exchanging messages across the four layers listed below.]
Content layer: configuration data, notification data
Operations layer: <edit-config>...
Messages layer: <rpc>, <rpc-reply>, <notification>
Secure transport layer: SSH, TLS, BEEP/TLS, SOAP/HTTP/TLS

⚫ Content layer: It needs to transmit configuration data and notification data.
⚫ Operations layer: It defines an XML-encoded operation set for implementing RPC operations.
⚫ Messages layer: It implements a simple framing mechanism based on the requirements of the transport protocol to encapsulate RPC messages or notification messages.
⚫ Secure transport layer: It provides a communication path between the client and server. The NETCONF message hierarchy mechanism is implemented by using the communication paths that meet related conditions.

28 Huawei Confidential

• For more information about NETCONF, see NETCONF/YANG Principles and Practices.
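The messages and operations layers from the slide in working code, as an added example that is not NCE code: it builds an <rpc> carrying <edit-config> around a content-layer fragment and interprets an <rpc-reply>, distinguishing <ok/> from <rpc-error>. Only the standard library is used; the interface configuration payload, the message IDs, and both replies are constructed samples, and the SSH transport is out of scope.

```python
"""Build a NETCONF <edit-config> request and interpret the <rpc-reply>.

Added example, not NCE code; standard library only. The payload and both
replies are constructed samples; SSH transport is out of scope.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
ET.register_namespace("nc", NC)


def nc(tag: str) -> str:
    """Qualify a tag with the NETCONF base namespace."""
    return f"{{{NC}}}{tag}"


def build_edit_config(message_id: int, config_xml: str, target: str = "running",
                      default_operation: str = "merge") -> bytes:
    """Wrap a content-layer fragment in <edit-config> (operations layer) and <rpc> (messages layer)."""
    rpc = ET.Element(nc("rpc"), {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, nc("target")), nc(target))   # <target><running/></target>
    ET.SubElement(edit, nc("default-operation")).text = default_operation
    ET.SubElement(edit, nc("config")).append(ET.fromstring(config_xml))
    return ET.tostring(rpc)


def summarize_request(rpc_bytes: bytes) -> Dict[str, str]:
    """Parse a request back (what the server side sees) and extract its routing fields."""
    root = ET.fromstring(rpc_bytes)
    edit = root.find(nc("edit-config"))
    target = edit.find(nc("target"))[0]
    config_root = edit.find(nc("config"))[0]
    return {
        "message-id": root.get("message-id"),
        "target": target.tag.split("}")[1],
        "default-operation": edit.findtext(nc("default-operation")),
        "config-root": config_root.tag,
    }


def parse_reply(reply_bytes: bytes) -> Dict[str, object]:
    """Return message-id, whether the reply is a plain <ok/>, and any <rpc-error> details."""
    root = ET.fromstring(reply_bytes)
    if root.tag != nc("rpc-reply"):
        raise ValueError(f"not an rpc-reply: {root.tag}")
    fields = ("error-type", "error-tag", "error-severity", "error-path", "error-message")
    errors: List[Dict[str, str]] = [
        {f: err.findtext(nc(f)) or "" for f in fields} for err in root.findall(nc("rpc-error"))
    ]
    return {"message-id": root.get("message-id"),
            "ok": root.find(nc("ok")) is not None and not errors,
            "errors": errors}


# Constructed content-layer payload in the style of the huawei-ifm module on the Jinja2 slide.
SAMPLE_CONFIG = """<ifm xmlns="urn:huawei:yang:huawei-ifm">
  <interfaces>
    <interface><name>GE0/0/1</name><description>uplink</description></interface>
  </interfaces>
</ifm>"""

# Constructed replies: one success, one application error.
OK_REPLY = (b'<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">'
            b'<ok/></rpc-reply>')
ERROR_REPLY = (b'<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="102">'
               b'<rpc-error><error-type>application</error-type><error-tag>data-missing</error-tag>'
               b'<error-severity>error</error-severity>'
               b'<error-path>/ifm/interfaces/interface[name="GE0/0/9"]</error-path>'
               b'<error-message xml:lang="en">interface does not exist</error-message>'
               b'</rpc-error></rpc-reply>')

if __name__ == "__main__":
    print(build_edit_config(101, SAMPLE_CONFIG).decode())
    print(parse_reply(OK_REPLY))
    print(parse_reply(ERROR_REPLY))
```

Reading the reply through parse_reply rather than searching the bytes for "ok" matters in practice: a reply can carry several <rpc-error> elements, and the error-path and error-tag are what a controller needs to map a failed delivery back to the service leaf that caused it.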
YANG Model
⚫ YANG, short for Yet Another Next Generation, is a standard-based and extensible data modeling language. It can be used to model the configuration and running status data of network devices, remote procedure calls, and server event notifications. YANG was originally designed to model network management data and provide a standardized content layer for the NETCONF model.

Module
A module is a collection of related definitions. Each module contains the module header, revision, and description statements.
In a module, you can use the include statement to import submodules or use the import statement to import other modules. You can also use the augment statement in a module to extend a specified module.
A module may include the following four main types of data nodes: leaf, leaf-list, container, and list nodes.

    module hbng {
      namespace "http://www.huawei.com/hbng";
      prefix hbng;

      import ietf-inet-types {
        prefix inet;
      }

      include foo-bar-types;

      description "This module can configure and manage the HBNGs (Huawei NE40-X8)";

      revision YY-MM-DAY {
        description "Initial revision";
      }

      augment "/app:applications" { … }
    }

29 Huawei Confidential

• In this example, the service YANG module hbng is customized.

• description describes the functions of the hbng module.

• revision is 2018-04-20, indicating the initial version of the hbng module.

• import and include introduce two modules for subsequent node definition.

• augment "/app:applications" { ... } indicates that the current module hbng is extended
to the /app:applications directory of the app module.
YANG: Data Nodes

Container
A container is used to group nodes. It has only sub-nodes, but does not have any value. A sub-node can be a container, leaf, leaf-list, or list node.

Leaf & Leaf-list
A leaf node contains simple data, such as integers and character strings. It has only one value of a specific type and has no sub-nodes.
A leaf-list node defines a sequence of values of a specific type.

List
A list node is a set of data nodes, which are identified by key. The unique parameter specifies the data nodes that must be unique. A sub-node can be a container, leaf, or leaf-list node.

    container system {
      container login {
        leaf message {
          type string;
          description "Message given at start of login session.";
        }
        leaf-list prohibited-users {
          type string;
          description "List of users not allowed to login.";
        }
        list user {
          key "name";
          unique "name";
          leaf name {
            type string;
          }
          leaf level {
            type uint8;
          }
          ……

30 Huawei Confidential

• In this example, a container node named system is created, including the login
container sub-node for recording login information.

• The container sub-node login contains the following:
▫ A leaf node named message, which records the login prompt information.
▫ A leaf-list node named prohibited-users, which records the blacklist of users who are not allowed to log in to the system.
▫ A list node named user. In the list node, the unique key is defined as name and its type is character string; level is defined as user level and its type is number.
YANG: Data and Data Types

Config. & Status
YANG can model status data and configuration data based on the "config" statement. If a node is marked as "config false", its sub-layer is marked as status data. If a node is marked as "config true", its sub-layer is marked as configuration data.
In the example below, leaf nodes name and speed are configuration data, and leaf node observed-speed is status data.

Native and derived types
When defining a leaf or leaf-list node, you must specify the value type. The native data types supported by YANG are binary, bits, boolean, decimal64, empty, enumeration, identityref, int8/16/32/64, leafref, string, and uint8/16/32/64.
In addition, the typedef statement can be used to derive a new type from a base type. The base type can be either a native type or a derived type.

    list interface {
      key "name";
      config true;
      leaf name {
        type string;
      }
      leaf speed {
        type enumeration {
          enum 10m;
          enum 100m;
          enum auto;
        }
      }
      leaf observed-speed {
        type uint32;
        config false;
      }
    }

    typedef percent {
      type uint8 {
        range "0 .. 100";
      }
    }

31 Huawei Confidential

• In this example, the list interface is defined. config true indicates that the list is
configuration data, and config false in observed-speed indicates that this leaf is status
data.

• The leaf node name is a character string. The leaf node speed provides three options: type enumeration indicates that the enumerated values are 10m, 100m, and auto. The leaf node observed-speed is an unsigned 32-bit integer of the uint32 type.
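The constraints expressed by the YANG nodes on this slide and the previous one (leaf, leaf-list, list with key and unique, uint8/uint32 ranges, enumeration, config false, and the percent typedef) checked against instance data, as an added example. This is a hand-written checker, not a YANG toolchain and not NCE code; the schema dicts are a constructed Python mirror of the YANG on the slides, and the instance data is plain dicts and lists, as a RESTCONF JSON body would decode to.

```python
"""Validate instance data against the YANG nodes from the two preceding slides.

Added example: a hand-written checker, not a YANG toolchain and not NCE code.
The schemas are a constructed Python mirror of the YANG shown on the slides.
"""
from typing import Any, Dict, List, Optional

INT_RANGES = {"uint8": (0, 255), "uint32": (0, 2 ** 32 - 1)}

# typedef percent { type uint8 { range "0 .. 100"; } }
PERCENT = {"kind": "leaf", "type": "uint8", "range": (0, 100)}

# container system { container login { leaf message; leaf-list prohibited-users; list user {...} } }
SYSTEM = {"kind": "container", "children": {
    "login": {"kind": "container", "children": {
        "message": {"kind": "leaf", "type": "string"},
        "prohibited-users": {"kind": "leaf-list", "type": "string"},
        "user": {"kind": "list", "key": "name", "unique": ["name"], "children": {
            "name": {"kind": "leaf", "type": "string"},
            "level": {"kind": "leaf", "type": "uint8"},
        }},
    }},
}}

# list interface { key "name"; config true; leaf name; leaf speed; leaf observed-speed { config false; } }
INTERFACE = {"kind": "list", "key": "name", "children": {
    "name": {"kind": "leaf", "type": "string"},
    "speed": {"kind": "leaf", "type": "enumeration", "enums": ["10m", "100m", "auto"]},
    "observed-speed": {"kind": "leaf", "type": "uint32", "config": False},
}}


def _check_scalar(schema: dict, value: Any, path: str, errors: List[str]) -> None:
    """Type check for one leaf value (also applied to each leaf-list member)."""
    t = schema["type"]
    if t == "string":
        if not isinstance(value, str):
            errors.append(f"{path}: expected string, got {value!r}")
    elif t == "enumeration":
        if value not in schema["enums"]:
            errors.append(f"{path}: {value!r} is not one of {schema['enums']}")
    elif t in INT_RANGES:
        lo, hi = schema.get("range", INT_RANGES[t])      # a typedef may narrow the base range
        if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
            errors.append(f"{path}: {value!r} outside {t} range {lo}..{hi}")
    else:
        errors.append(f"{path}: unsupported type {t}")


def validate(schema: dict, data: Any, path: str = "", editing: bool = False,
             errors: Optional[List[str]] = None) -> List[str]:
    """Return the list of violations (empty means valid).

    editing=True models a configuration write: a `config false` node is then an
    error, because status data is reported by the device, never configured.
    """
    errors = [] if errors is None else errors
    kind = schema["kind"]
    if kind == "leaf":
        _check_scalar(schema, data, path, errors)
    elif kind == "leaf-list":
        if not isinstance(data, list):
            errors.append(f"{path}: leaf-list must be a list")
        else:
            for i, item in enumerate(data):
                _check_scalar(schema, item, f"{path}[{i}]", errors)
    elif kind == "container":
        _validate_children(schema, data, path, editing, errors)
    elif kind == "list":
        if not isinstance(data, list):
            errors.append(f"{path}: list must be a list of entries")
            return errors
        seen = {leaf: set() for leaf in [schema["key"]] + schema.get("unique", [])}
        for entry in data:
            key = entry.get(schema["key"]) if isinstance(entry, dict) else None
            if key is None:
                errors.append(f"{path}: list entry without key '{schema['key']}'")
                continue
            entry_path = f"{path}[{schema['key']}={key}]"
            for leaf, values in seen.items():            # key and unique leaves must not repeat
                val = entry.get(leaf)
                if val is not None:
                    if val in values:
                        errors.append(f"{entry_path}: duplicate value {val!r} for unique leaf '{leaf}'")
                    values.add(val)
            _validate_children(schema, entry, entry_path, editing, errors)
    return errors


def _validate_children(schema: dict, data: Any, path: str, editing: bool, errors: List[str]) -> None:
    if not isinstance(data, dict):
        errors.append(f"{path or '/'}: expected an object with child nodes")
        return
    for name, value in data.items():
        child = schema["children"].get(name)
        child_path = f"{path}/{name}"
        if child is None:
            errors.append(f"{child_path}: unknown node")
        elif editing and child.get("config") is False:
            errors.append(f"{child_path}: status data (config false) cannot be written")
        else:
            validate(child, value, child_path, editing, errors)
```

The `editing` flag is the practical consequence of `config false`: the same schema serves both for checking data the device reports and for rejecting a client that tries to write status leaves, which is the distinction the slide draws between configuration and status data.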
YANG: Reuse & Selection

Reusable node group (grouping)
If a group of nodes can be reused in different modules or nodes, you can define this group of nodes as a reusable node group and use the uses keyword to reference it in modules or nodes.

Choices
YANG allows data models to use the choice and case statements to define a set of pattern nodes that cannot appear together.

    grouping ip-port {
      leaf ip {
        type inet:ip-address;
        description "ip address";
      }
      leaf port {
        type inet:port-number;
        description "port number";
      }
    }

    container quadruple {
      container source {
        uses ip-port;
      }
      container destination {
        uses ip-port;
      }
    }

    container transfer-protocol {
      choice name {
        case a {
          leaf udp {
            type empty;
          }
        }
        case b {
          leaf tcp {
            type empty;
          }
        }
      }
    }

32 Huawei Confidential

• In this example, a group node named ip-port is defined, including two leaf sub-nodes:
ip and port.

• The container quadruple contains the source and destination information containers,
both of which use the IP address and port information. The group node ip-port is
reused.
• The container transfer-protocol is used to indicate the transmission protocol. The UDP
and TCP protocols are provided. Either of them can be selected using the choice
function. case a indicates that the UDP protocol is used, and case b indicates that the
TCP protocol is used.
YANG: Operations

RPCs & Actions
YANG allows the following operation definitions:
• Operations at the top layer of the module are defined using RPC statements. An RPC node usually consists of an input node and an output node. The input and output nodes can contain container, list, leaf, and leaf-list nodes.
• Operations in a container or list node are defined by action statements. Generally, an action node contains an input node and an output node.
• The difference between RPC and action is that RPC does not directly operate data, but action is directly bound to the node in the data storage.

    module server-farm {
      yang-version 1.1;
      namespace "urn:example:server-farm";
      prefix "sfarm";

      import ietf-yang-types {
        prefix yang;
      }
      // import added so that inet:ip-address resolves
      import ietf-inet-types {
        prefix inet;
      }

      rpc reset-specified-servers {
        input {
          leaf-list servers {
            type "inet:ip-address";
          }
        }
      }

      list servers {
        key "name";
        leaf name {
          type string;
        }
        leaf address {
          type inet:ip-address;
        }
        leaf location {
          type string;
        }
        action reset {
          input {
            leaf reset-at {
              type yang:date-and-time;
            }
          }
          output {
            leaf complete-at {
              type yang:date-and-time;
            }
          }
        }
      }
    }

33 Huawei Confidential

• In this example, an RPC interface named reset-specified-servers is defined for resetting services. input indicates that the input parameter is the IP address of the server to be restarted. If output is not defined, the HTTP status is used to determine the returned result.
• The servers list node defines action reset to restart the corresponding service. Input defines the leaf node reset-at, which indicates that the input parameter is the restart time. Output defines the leaf node complete-at, which indicates that the returned result is the restart completion time.
Template Language Jinja2
Jinja2 is a modern, design-friendly Python template engine. NCE service openness and programmability use Jinja2 to quickly process service packets using templates.
Specifically, a Jinja2 template is a text file that contains tags, variables, and expressions. Tags in the file are used to control the internal logic of the template. Variables and expressions are replaced with corresponding values when the template is rendered.

    <inventory-cfg xmlns="urn:huawei:yang:huawei-ac-nes">
      <nes>
        {% for dev in nesInterfacesCfg.nes %}
        <ne>
          <neid>{{dev.neName | to_ne_id}}</neid>
          <ifm xmlns="urn:huawei:yang:huawei-ifm">
            <interfaces>
              {% for ifName in dev.ifNames %}
              <interface xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">

              </interface>
              {% endfor %}
            </interfaces>
          </ifm>
        </ne>
        {% endfor %}
      </nes>
    </inventory-cfg>

34 Huawei Confidential

• The Jinja2 template is only a text file, which can be based on any text format (HTML,
XML, CSV, etc.). In this example, the XML format is used.

• A template contains variables and expressions. The variables and expressions are
converted to corresponding values when the template is used. It has the following
common syntaxes:
▫ {% ... %} contains Control Structures. In this example, {% for dev in
nesInterfacesCfg.nes %} indicates that the for loop starts, and {% endfor %}
indicates that the loop ends.
▫ {{...}} contains an expression, which can be a constant, variable, mathematical
formula, or logical statement.
▫ {# ... #} indicates the comment.

• The variables in {{...}} can be modified using filters. Filters and variables are separated
by vertical bars (|). For example, {{ 'abc' | capitalize }} indicates that the first letter is
capitalized and the filtering result is Abc. In this example, {{dev.neName | to_ne_id}}:
to_ne_id is a user-defined filter, indicating that the variable device name dev.neName
is converted to the device ID.
• For more information, see the Template Designer Document at
https://jinja.palletsprojects.com/en/2.11.x/.
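To make the rendering step concrete, here is an added example that implements, with the standard library only, just the Jinja2 subset the slide uses: nested {% for x in a.b %} ... {% endfor %}, {{ expr | filter }} with dotted lookups and a quoted literal, and {# comments #}, plus the user-defined to_ne_id filter. It is not Jinja2 itself and not NCE code. The NE-name-to-ID table, the sample context, and the <name> leaf placed inside <interface> (the slide leaves that element empty) are constructed assumptions.

```python
"""Minimal renderer for the Jinja2 subset used on the slide.

Added example; not Jinja2 and not NCE code. The NE ID table, sample context and
the <name> leaf inside <interface> are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Any, Callable, Dict, List, Optional, Tuple

TOKEN_RE = re.compile(r"({%.*?%}|{{.*?}}|{#.*?#})", re.DOTALL)
FOR_RE = re.compile(r"for\s+(\w+)\s+in\s+(\S+)")
DEFAULT_FILTERS: Dict[str, Callable[[Any], Any]] = {
    "capitalize": lambda s: str(s).capitalize(),     # {{ 'abc' | capitalize }} -> Abc
}


def lookup(expr: str, ctx: Dict[str, Any]) -> Any:
    """Resolve a dotted name such as dev.neName against dicts or attributes."""
    value: Any = ctx
    for part in expr.strip().split("."):
        value = value[part] if isinstance(value, dict) else getattr(value, part)
    return value


def evaluate(expr: str, ctx: Dict[str, Any], filters: Dict[str, Callable]) -> Any:
    """'dev.neName | to_ne_id': resolve the head, then apply filters left to right."""
    head, *names = [p.strip() for p in expr.split("|")]
    quoted = len(head) >= 2 and head[0] == head[-1] and head[0] in "'\""
    value = head[1:-1] if quoted else lookup(head, ctx)
    for name in names:
        value = filters[name](value)      # unknown filter -> KeyError, like an undefined filter
    return value


def parse(tokens: List[str], pos: int = 0, until: Optional[str] = None) -> Tuple[list, int]:
    """Nodes: ('text', s) | ('var', expr) | ('for', var, iterable, body)."""
    nodes: list = []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok.startswith("{#"):
            continue                      # comment: emits nothing
        if tok.startswith("{{"):
            nodes.append(("var", tok[2:-2].strip()))
        elif tok.startswith("{%"):
            stmt = tok[2:-2].strip()
            if stmt == until:
                return nodes, pos
            m = FOR_RE.fullmatch(stmt)
            if not m:
                raise SyntaxError(f"unsupported or unexpected tag: {stmt!r}")
            body, pos = parse(tokens, pos, "endfor")
            nodes.append(("for", m.group(1), m.group(2), body))
        else:
            nodes.append(("text", tok))
    if until:
        raise SyntaxError(f"missing {{% {until} %}}")
    return nodes, pos


def render_nodes(nodes: list, ctx: Dict[str, Any], filters: Dict[str, Callable]) -> str:
    out: List[str] = []
    for node in nodes:
        if node[0] == "text":
            out.append(node[1])
        elif node[0] == "var":
            out.append(str(evaluate(node[1], ctx, filters)))
        else:
            _, var, iterable, body = node
            for item in lookup(iterable, ctx):           # loop variable is scoped to the body
                out.append(render_nodes(body, {**ctx, var: item}, filters))
    return "".join(out)


def render(template: str, ctx: Dict[str, Any], filters: Optional[Dict[str, Callable]] = None) -> str:
    nodes, _ = parse([t for t in TOKEN_RE.split(template) if t])
    return render_nodes(nodes, ctx, {**DEFAULT_FILTERS, **(filters or {})})


# The slide's template; the <name> leaf inside <interface> is a constructed addition.
PAGE_TEMPLATE = """<inventory-cfg xmlns="urn:huawei:yang:huawei-ac-nes">
  <nes>{% for dev in nesInterfacesCfg.nes %}
    <ne>
      <neid>{{dev.neName | to_ne_id}}</neid>
      <ifm xmlns="urn:huawei:yang:huawei-ifm">
        <interfaces>{% for ifName in dev.ifNames %}
          <interface xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
            <name>{{ ifName }}</name>
          </interface>{% endfor %}
        </interfaces>
      </ifm>
    </ne>{% endfor %}
  </nes>
</inventory-cfg>
"""
NE_IDS = {"NE1": "ne-0001", "NE2": "ne-0002"}          # constructed device name -> device ID table
SAMPLE_CONTEXT = {"nesInterfacesCfg": {"nes": [
    {"neName": "NE1", "ifNames": ["GE0/0/1", "GE0/0/2"]},
    {"neName": "NE2", "ifNames": ["GE0/0/1"]},
]}}


def to_ne_id(ne_name: str) -> str:
    """The slide's user-defined filter: device name -> device ID."""
    return NE_IDS[ne_name]


def render_inventory(ctx: Dict[str, Any] = SAMPLE_CONTEXT) -> str:
    return render(PAGE_TEMPLATE, ctx, {"to_ne_id": to_ne_id})


def well_formed(xml_text: str) -> bool:
    """True if the rendered text parses as XML, i.e. could be sent as a NETCONF payload."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False
```

Rendering the inventory template with SAMPLE_CONTEXT yields one <ne> per device and one <interface> per interface name, and the result parses as XML; the well_formed() check is the one worth running on every rendered template before it is handed to the NETCONF layer, since a stray tag in a template only shows up as a malformed payload at delivery time.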
Contents

1. Background

2. Introduction to NCE Service Openness and Programmability

3. Key Capabilities

4. Related Concepts
5. Practice Cases

35 Huawei Confidential
Case 1: Fast Interconnection with New Devices and Automatic Generation of NBIs

[Figure: iMaster NCE OPS, with GUI and NBI towards the OSS/Orchestrator: project management, public key management, software package management, system configuration; service management (HVPN Service, SRV6 Service, service template); NE management (device management, device group, NE template); SND (Huawei NE Driver, 3rd NE Driver); protocol (NETCONF, STelnet, protocol parameter); IDE (Python). Steps 1 to 4 are marked on the figure.]

Implementation process
1 Generating the SND template
⚫ In the OPS, choose Project Management > Software Package Management and generate an SND template.
2 Developing the SND package
⚫ Download the generated SND template and import it to the local IDE tool.
⚫ Develop the SND package based on the device type.
3 Loading the SND package
⚫ Load the developed SND package to NCE.
⚫ Add a new device. Device information is the same as that in the imported SND package.
⚫ Automatically generate configuration GUIs and NBIs for new devices.
4 Delivering basic device configurations
⚫ Apply basic device configurations through the GUIs or NBIs.

36 Huawei Confidential

• NCE uses the Specific NE Driver (SND) package to quickly interconnect and manage
Huawei and third-party devices and open device configuration capabilities. To manage
third-party devices, you need to obtain the YANG file of the device from the vendor's
website. If third-party devices support only command lines and do not support
NETCONF interconnection, Huawei can customize interconnection capabilities.

• Key capabilities:
1. Quickly manage Huawei and third-party devices.
2. Open device configuration capabilities.
3. Automatically generate the configuration GUIs and northbound interfaces of new devices.
Case 2: Fast Building of New Services and Automatic Generation of NBIs

[Figure: iMaster NCE OPS with the same layout as in Case 1 (GUI and NBI towards the OSS/Orchestrator; project, public key, software package, and system management; service management with HVPN Service, SRV6 Service, and service template; NE management; SND; protocol; IDE). Steps 1 to 4 are marked on the figure.]

Implementation process
1 Generating the SSP template
⚫ In the OPS, choose Project Management > Software Package Management and generate an SSP template.
2 Developing the SSP package
⚫ Download the generated SSP template and import it to the local IDE tool.
⚫ Develop the SSP package based on the service scenario.
3 Loading the SSP package
⚫ Log in to the OPS and load the developed SSP package.
⚫ Automatically generate configuration GUIs and NBIs for new services.
4 Delivering service configurations to devices
⚫ Deliver service configurations to devices through the GUIs or NBIs.

37 Huawei Confidential

• In this example, the service openness capability is used. Similar to the device atomic
capability openness, the system is developed based on the standard NETCONF protocol.
The internal data model uses the YANG modeling language to automatically generate
configuration GUIs and northbound interfaces based on the YANG model of services. In
addition, the Easymap algorithm is provided for customers to write only the creation
process, and the update and deletion are calculated by comparing algorithms. This
simplifies customer programming.

• The service layer shields differences between devices, supports interconnection with
different device types, and delivers configurations through different protocols. The
maintenance personnel or upper-layer system only needs to view corresponding
services. They do not need to know the specific vendor and protocol of the device. This
feature improves interconnection efficiency and reduces the pressure on maintenance
personnel.

• Key capabilities:
1. Open service capabilities.
2. Shield differences between underlying devices at the service layer.
3. Automatically generate southbound and northbound interfaces based on the YANG model.
Case 3: Batch Configuration Delivery

[Figure: iMaster NCE OPS with the same layout as in Case 1. Steps 1 to 3 are marked on the figure.]

Implementation process
1 Managing devices
⚫ Choose NE Management > Device Management, add a device, and match the SND package based on the device NE type, software version, and vendor.
⚫ Synchronize device configurations to the OPS.
2 Grouping devices on demand
⚫ To apply one template to multiple devices, you can add these devices to the same device group.
3 Delivering configurations in batches
⚫ Some templates can be preset by device group for common configurations (such as underlay), and device groups can be selected for batch delivery.

38 Huawei Confidential

• Devices with the same configuration can be grouped. A preset template can be applied
to the system for batch configuration delivery. Currently, more than 60 templates are
preset in the enterprise DCN for users to apply.
Case 4: Configuration Correctness Pre-check Using the dryRun Function

[Figure: iMaster NCE OPS with the same layout as in Case 1. Steps 1 to 3 are marked on the figure.]

Implementation process
1 Configuring services
Configure services on the Service Management page as required.
⚫ Create a service.
⚫ Select an existing service and modify the configuration parameters.
⚫ Select an existing service and delete it.
2 Checking before service configuration delivery
⚫ Perform dryRun and check whether the generated configurations are correct.
3 Delivering service configurations to devices
⚫ Perform the Commit operation to deliver configurations to the device.
⚫ View the delivered configurations through the associated data.

39 Huawei Confidential

• Before service configurations are delivered, the OPS provides the dryRun function to check the correctness of the configurations to be delivered in advance. If an error is found, modify the configurations and perform dryRun again. After the configurations are correct, commit them. The system provides a transaction mechanism to ensure data consistency between the device and controller. If the data fails to be synchronized, the system automatically rolls back the data to ensure that no residual data exists. For a service that is successfully delivered, you can view the delivered configurations of the associated device. In addition, you can view the delivered configurations in historical records and roll back the configurations based on a rollback point.
• Key capabilities:
1. Use the dryRun function to check whether the delivered configurations are correct in advance.
2. Provide a transaction mechanism to ensure data consistency between the device and controller. If a failure occurs, automatic rollback will be performed.
3. Provide the visualized display of service association data and historical configurations.
Case 5: Automatic Detection of Service Configuration Conflicts

[Figure: the same iMaster NCE OPS architecture as in Case 4 (OSS/Orchestrator; GUI and NBI; Project, Public key, Software package and System management; Service management with HVPN Service, SRv6 Service and Service template; NE management with Device group and NE template management; SND with Huawei NE Driver and 3rd NE Driver; NETCONF and STelnet protocol layer; managed NE/Device).]

Implementation process

1. Automatic detection of service configuration conflicts
Before delivering configurations, the OPS automatically checks whether the configurations delivered to devices conflict with each other. For example, if service 1 delivers the description configuration of VLAN 2 to device 1 and service 2 also delivers the description configuration of VLAN 2 to device 1, the system checks whether the two values are the same. If they are different, a message indicating that the configurations conflict is displayed.
On the Service Management page, deliver configurations. The system automatically checks whether service configurations conflict.

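The following Python is an added example, not Huawei OPS code and not part of the training material: it models the three mechanisms Cases 4 and 5 describe, a dryRun that renders the per-device configuration without delivering it, the conflict check that flags two services writing different values to the same object (here the description of VLAN 2 on device 1), and a commit that snapshots every device and restores all snapshots if any device rejects its configuration. The service field names, the `string.Template` stand-in for the SSP's Jinja2 template, the in-memory `Device` class and the `reject` hook are all assumptions made for illustration.

```python
"""Model of dryRun, conflict detection and transactional commit (added
example; not Huawei OPS code). All inputs below are constructed inline."""
import copy
from string import Template


class ConfigError(Exception):
    """Raised when a service cannot be rendered, conflicts, or is rejected."""


# Constructed service definitions, as an operator would enter them on the
# Service Management page. The field names are assumptions for this example.
SERVICES = [
    {"name": "service1", "device": "device1", "vlan_id": 2, "description": "finance"},
    {"name": "service2", "device": "device1", "vlan_id": 2, "description": "hr"},
    {"name": "service3", "device": "device2", "vlan_id": 10, "description": "guest"},
]

# Stand-in for the SSP's Jinja2 template (string.Template keeps the example
# dependency-free; a real SSP package ships a .j2 file plus a mapping script).
VLAN_TEMPLATE = Template("vlan $vlan_id\n description $description")


def dry_run(services):
    """Case 4, step 2: render what each service would deliver, per device,
    without touching any device. Returns {device: [(service_name, text)]}."""
    rendered = {}
    for svc in services:
        vid = svc["vlan_id"]
        if not isinstance(vid, int) or not 1 <= vid <= 4094:
            raise ConfigError(f"{svc['name']}: invalid VLAN ID {vid!r}")
        text = VLAN_TEMPLATE.substitute(svc)
        rendered.setdefault(svc["device"], []).append((svc["name"], text))
    return rendered


def find_conflicts(services):
    """Case 5: two services writing the same object (device, VLAN) with
    different values conflict; writing identical values does not."""
    first_writer = {}
    conflicts = []
    for svc in services:
        key = (svc["device"], svc["vlan_id"])
        owner, value = first_writer.setdefault(key, (svc["name"], svc["description"]))
        if value != svc["description"]:
            conflicts.append((owner, svc["name"], key))
    return conflicts


class Device:
    """Constructed stand-in for a managed NE: its running config is a dict,
    and `reject` lets a caller simulate the device refusing one value."""

    def __init__(self, name, reject=None):
        self.name = name
        self.running = {}
        self.reject = reject

    def apply(self, vlan_id, description):
        if description == self.reject:
            raise ConfigError(f"{self.name}: rejected description {description!r}")
        self.running[vlan_id] = description


def commit(services, devices):
    """Case 4, step 3, as one transaction across all devices: refuse conflicting
    input, snapshot every device, deliver, and on any failure restore every
    snapshot so no residual configuration is left behind."""
    if find_conflicts(services):
        raise ConfigError("conflicting services; refusing to commit")
    dry_run(services)  # re-validate right before delivery
    snapshots = {n: copy.deepcopy(d.running) for n, d in devices.items()}
    try:
        for svc in services:
            devices[svc["device"]].apply(svc["vlan_id"], svc["description"])
    except ConfigError:
        for n, saved in snapshots.items():
            devices[n].running = saved
        return False
    return True


if __name__ == "__main__":
    for device, items in dry_run(SERVICES).items():
        for name, text in items:
            print(f"[dryRun] {device} <- {name}:\n{text}")
    print("conflicts:", find_conflicts(SERVICES))
    # Drop the conflicting service2 and deliver the rest; device2 rejects "guest",
    # so the whole transaction rolls back and device1 keeps no residual VLAN.
    devs = {"device1": Device("device1"), "device2": Device("device2", reject="guest")}
    ok = [s for s in SERVICES if s["name"] != "service2"]
    print("commit ok:", commit(ok, devs), "device1 running:", devs["device1"].running)
```

The conflict check deliberately compares values rather than just keys, matching the text: two services that set VLAN 2's description on device 1 to the same string are not reported. The rollback restores every device touched by the transaction, not only the one that failed, which is what "no residual data" requires when a multi-device service is delivered.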
Quiz

1. (Short-answer question) What are the core function packages of Huawei iMaster NCE service openness and programmability?

2. (Multiple-answer question) Which of the following are included in a Specific Service Plugin (SSP) package? ( )
A. Service YANG model
B. Device YANG model
C. Jinja2 template
D. Python mapping script

Answers:
1. Specific NE Driver (SND) and Specific Service Plugin (SSP) packages.
2. ACD
Summary

⚫ Network service openness and programmability pave the way for the development of
the network industry. Enabling network service openness and programmability is the
cornerstone of building an open network ecosystem.
⚫ Huawei OPS is Huawei's practice in this field. Users can compile SND and SSP
packages to quickly interconnect new devices and construct new services.
⚫ To study this chapter, you need a good understanding of Python, NETCONF, YANG,
and Jinja2.
More Information

⚫ Log in to the HUAWEI CLOUD developer community and click the Datacom Network Openness and
Programmability tab to obtain related tools and documents.
 https://developer.huaweicloud.com/resource/network.html#AOC

⚫ Key documents:
 Datacom Network Openness and Programmability Development Guide: This document describes the development
process and methods of related driver packages, and provides guidance for developers to develop SND and SSP
packages, load the packages to the system, and automatically generate configuration GUIs and NBIs.
 Datacom Network Openness and Programmability User Guide: This document describes operations related to the
configuration GUIs and NBIs, and provides guidance for O&M personnel to deliver device and service
configurations.
Recommendations

⚫ For more information about Jinja2, visit the following website:
 https://jinja.palletsprojects.com/en/2.11.x/
Thank you.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright © 2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.