SJ 20140312095717 003 ZXA10 C300 C320 V2 0 1 Optical Access Convergence Equipment Feature Guide PDF

ZXA10 C300/C320
Optical Access Convergence Equipment
Feature Description
ZXA10 C300/C320 Feature Description Manual
ZXA10 C300/C320
Optical Access Convergence Equipment
Feature Description
Revision History
R1.0 (2014-06-30)
First edition
© 2013 ZTE Corporation. All rights reserved.

ZTE CONFIDENTIAL: This document contains proprietary information of ZTE and is not to be disclosed or used
without the prior written permission of ZTE.
Due to update and improvement of ZTE products and technologies, information in this document is subjected to
change without notice.
ZTE Confidential & Proprietary 1

CONTENTS
1 GPON Feature .......................................................................................................... 14
1.1 Introduction ................................................................................................................. 14
1.2 GPON Principle .......................................................................................................... 17
1.2.1 Transmission Mechanism.......................................................................................... 17
1.2.2 OAM ............................................................................................................................ 22
1.2.3 ONU Registration and Authentication ...................................................................... 24
1.3 Key Technologies....................................................................................................... 28
1.3.1 Authentication security method introduction ............................................................ 28
1.3.2 Dynamic Bandwidth Allocation.................................................................................. 30
1.3.3 Data Encryption.......................................................................................................... 33
1.3.4 FEC ............................................................................................................................. 35
1.4 GPON ONU Remote Management .......................................................................... 36
1.4.1 Introduction ................................................................................................................. 36
1.4.2 Port Isolation............................................................................................................... 37
1.4.3 ONU Auto-Delivery .................................................................................................... 37
1.4.4 E1 Port Configuration ................................................................................................ 37
1.4.5 Port MAC Configuration............................................................................................. 37
1.4.6 Maximum MAC Address Learning Number of ONU Bridge ................................... 38
1.4.7 Multicast Configuration .............................................................................................. 38
1.4.8 Layer-2 Service on ONU ........................................................................................... 40
1.4.9 Remote ONU Version Upgrading ............................................................................. 41
2 XG-PON1 Feature .................................................................................................... 43

2.1.1 Introduction ................................................................................................................. 43
2.1.2 Features & Specification ........................................................................................... 46
3 P2P Access Feature ................................................................................................ 47

3.1 Introduction ................................................................................................................. 47
3.2 Features & Specification ........................................................................................... 48
4 Layer 2 Forwarding Feature .................................................................................. 49

4.1 MAC Address Management ...................................................................................... 49
4.1.1 Introduction ................................................................................................................. 49
4.1.2 Basic Theory and Solution ........................................................................................ 50
4.2 VLAN ........................................................................................................................... 52
4.2.1 Overview ..................................................................................................................... 52
4.2.2 Basic VLAN Service................................................................................................... 58
4.2.3 VLAN Translation ....................................................................................................... 59
4.2.4 VBES（or TLS）........................................................................................................ 60
2 ZTE Confidential & Proprietary

4.2.5 Selective Q-in-Q ......................................................................................................... 61

4.2.6 VLAN Forwarding....................................................................................................... 62
5 Ethernet OAM ........................................................................................................... 63

5.1 Introduction ................................................................................................................. 63
5.2 Link Level Ethernet OAM (802.3ah) ......................................................................... 65
5.2.1 Introduction ................................................................................................................. 65
5.3 Ethernet Service Level Ethernet OAM (802.1ag/Y.1731) ....................................... 67
5.3.1 Introduction ................................................................................................................. 67
6 IPV4 L3 Feature ........................................................................................................ 73

6.1 IP routing basic feature.............................................................................................. 73
6.1.1 Introduction ................................................................................................................. 73
6.2 ARP Agent .................................................................................................................. 76
6.2.1 Introduction ................................................................................................................. 76
6.3 ARP Proxy .................................................................................................................. 78
6.3.1 Introduction ................................................................................................................. 78
6.4 DHCP Relay ............................................................................................................... 79
6.4.1 Introduction ................................................................................................................. 79
6.5 DHCP Proxy ............................................................................................................... 81
6.5.1 Introduction ................................................................................................................. 81
6.6 DHCP Option60 ......................................................................................................... 83
6.6.1 Introduction ................................................................................................................. 83
6.7 DHCP L2RA and Option82 ....................................................................................... 85
6.7.1 Introduction ................................................................................................................. 85
6.8 Super VLAN................................................................................................................ 87
6.8.1 Introduction ................................................................................................................. 87
6.9 Static Routing ............................................................................................................. 88
6.9.1 Introduction ................................................................................................................. 88
6.10 ECMP .......................................................................................................................... 89
6.10.1 Introduction ................................................................................................................. 89


6.11 RIP............................................................................................................................... 91
6.11.1 Introduction ................................................................................................................. 91
6.12 OSPF .......................................................................................................................... 92
6.12.1 Introduction ................................................................................................................. 92
6.13 IS-IS ............................................................................................................................ 94
6.13.1 Introduction ................................................................................................................. 94
6.14 BGP ............................................................................................................................. 96
6.14.1 Introduction ................................................................................................................. 96
7 MPLS Feature ........................................................................................................... 98

7.1 MPLS basic features .................................................................................................. 98
7.1.1 Introduction ................................................................................................................. 98
7.1.3 Main Performance Indices....................................................................................... 102
7.2 MPLS Label Distribution Management................................................................... 102
7.2.1 Introduction ............................................................................................................... 102
7.2.2 Basic Theory and Solution ...................................................................................... 103
7.3 LDP ........................................................................................................................... 103
7.3.1 Introduction ............................................................................................................... 103
7.4 MPLS L2 VPN .......................................................................................................... 107
7.4.1 Introduction ............................................................................................................... 107
7.5 MPLS Redundancy .................................................................................................. 115
7.5.1 Introduction ............................................................................................................... 115
7.6 Load Balancing......................................................................................................... 118
7.6.1 Introduction ............................................................................................................... 118
7.7 MPLS OAM............................................................................................................... 118
7.7.1 Introduction ............................................................................................................... 118
8 IPV6 Features ......................................................................................................... 125

8.1 IPv6 Basic Functions ............................................................................................... 125
8.1.1 Introduction ............................................................................................................... 125

8.2 IPv6 static route ....................................................................................................... 128

8.2.1 Introduction ............................................................................................................... 128
8.3 LIO in SLAAC scenario............................................................................................ 129
8.3.1 Introduction ............................................................................................................... 129
8.4 DHCPv6 relay........................................................................................................... 132
8.4.1 Introduction ............................................................................................................... 132
8.5 IPv6 Source Guard .................................................................................................. 135
8.5.1 Introduction ............................................................................................................... 135
8.6 IPv6 ND Forwarding Control ................................................................................... 137
8.6.1 Introduction ............................................................................................................... 137
8.7 IPv6 Network Administration ................................................................................... 139
8.7.1 Introduction ............................................................................................................... 139
9 QOS .......................................................................................................................... 140

9.1 Introduction ............................................................................................................... 140
9.2 Basic Theory and Solution ...................................................................................... 142
10 Multicast .................................................................................................................. 145

10.1 Multicast Overview ................................................................................................... 145
10.1.1 Introduction ............................................................................................................... 145
10.2 IGMP Snooping ........................................................................................................ 146
10.2.1 Introduction ............................................................................................................... 146
10.3 IGMP Proxy .............................................................................................................. 148
10.3.1 Introduction ............................................................................................................... 148
10.4 IGMP Router............................................................................................................. 149
10.4.1 Introduction ............................................................................................................... 149
10.5 IGMPv3 ..................................................................................................................... 150
10.5.1 Introduction ............................................................................................................... 150
10.6 MVLAN...................................................................................................................... 151
10.6.1 Introduction ............................................................................................................... 151

10.7 Channel Management ............................................................................................. 152

10.7.1 Introduction ............................................................................................................... 152
10.8 Service Package Management ............................................................................... 154
10.8.1 Introduction ............................................................................................................... 154
10.9 G.984.4 ONU Dominated Multicast ........................................................................ 155
10.9.1 Introduction ............................................................................................................... 155
10.10 IPV6 Multicast .......................................................................................................... 155
10.10.1 Introduction ............................................................................................................... 155
10.11 MLD Snooping.......................................................................................................... 158
10.11.1 Introduction ............................................................................................................... 158
10.12 MLD Proxy ................................................................................................................ 159
10.12.1 Introduction ............................................................................................................... 159
10.13 MLD Router .............................................................................................................. 160
10.13.1 Introduction ............................................................................................................... 160
11 Network Protection Feature................................................................................. 161

11.1 STP/RSTP/MSTP..................................................................................................... 161
11.2 LACP ......................................................................................................................... 167
11.3 G.8032 ...................................................................................................................... 169
11.4 TDM Services Protection......................................................................................... 172
11.4.1 Introduction ............................................................................................................... 172
11.5 GPON Protection ..................................................................................................... 174
11.6 UAPS ........................................................................................................................ 176
12 Access Security ..................................................................................................... 177

12.1 User Isolation............................................................................................................ 178
12.1.1 Introduction ............................................................................................................... 178
12.2 Port Location ............................................................................................................ 180
12.2.1 Introduction ............................................................................................................... 180
12.3 MAC Security Technology....................................................................................... 183
12.3.1 Introduction ............................................................................................................... 183

12.4 vMAC ........................................................................................................................ 185

12.4.1 Introduction ............................................................................................................... 185
12.5 IP Security Technology............................................................................................ 187
12.5.1 Introduction ............................................................................................................... 187
12.6 Packets Suppression and Filtering ......................................................................... 190
12.6.1 Introduction ............................................................................................................... 190
12.7 System Security ....................................................................................................... 193
12.7.1 Introduction ............................................................................................................... 193
12.8 MAC Forced Forwarding ......................................................................................... 196
12.8.1 Introduction ............................................................................................................... 196
12.8.2 Basic Theory............................................................................................................. 197
12.9 DHCP Snooping and DAI ........................................................................................ 198
12.9.1 Introduction ............................................................................................................... 198
12.9.2 Basic Theory............................................................................................................. 199
12.10 Rogue ONU Detection ............................................................................................. 200
12.10.1 Introduction ............................................................................................................... 200
13 ACL........................................................................................................................... 202
13.1 Introduction ............................................................................................................... 202
14 TDM Circuit Emulation ......................................................................................... 205

14.1 Introduction ............................................................................................................... 205
15 Clock and Time ...................................................................................................... 207

15.1 Frequency Synchronization module ....................................................................... 207
15.1.1 Introduction ............................................................................................................... 207
15.2 Phase Synchronization module .............................................................................. 209
15.2.1 Introduction ............................................................................................................... 209
15.3 NTP ........................................................................................................................... 212
15.3.1 Introduction ............................................................................................................... 212

16 Power Saving ......................................................................................................... 213

16.1 Introduction ............................................................................................................... 213
17 ODN Fault Diagnostic Manage ment ................................................................... 216

17.1 Introduction ............................................................................................................... 216
18 Environment Monitor ............................................................................................ 220

18.1 Introduction ............................................................................................................... 220
19 Device manage ment ............................................................................................. 222

19.1 Card Management ................................................................................................... 222
19.1.1 Introduction ............................................................................................................... 222
19.2 Version Management............................................................................................... 223
19.2.1 Introduction ............................................................................................................... 223
19.3 SNMP Management ................................................................................................ 224
19.4 In-Band Management VPN ..................................................................................... 224
19.4.1 Introduction ............................................................................................................... 225
19.5 SSH ........................................................................................................................... 226
19.5.1 Introduction ............................................................................................................... 226
19.5.3 Remote Connection Encryption Based on SSH .................................................... 228
19.5.4 File Transfer Encryption Policy Based on SSH ..................................................... 229
19.6 User Management ................................................................................................... 229
19.6.1 Introduction ............................................................................................................... 229
19.7 Remote Connection Security .................................................................................. 231
19.7.1 Introduction ............................................................................................................... 231
19.8 Log Management ..................................................................................................... 232
19.8.1 Introduction ............................................................................................................... 232
19.9 Alarm and Event Management ............................................................................... 233
19.9.1 Introduction ............................................................................................................... 233

20 Reliability ................................................................................................................ 235

20.1 Main Control and Switching Protection .................................................................. 235
20.1.1 Introduction ............................................................................................................... 235
20.1.2 Basic Theory and solution ....................................................................................... 236
20.2 Power Supply Protection ......................................................................................... 237
20.3 Clock Protection ....................................................................................................... 237
20.3.1 Introduction ............................................................................................................... 237

FIGURES
Figure 1-1 GPON Position in PON............................................................................................ 14
Figure 1-2 GEM Frame Format ................................................................................................. 18
Figure 1-3 Encapsulating Ethernet Frame to GEM Frame ..................................................... 18
Figure 1-4 Encapsulating GEM Frames to a GTC Frame....................................................... 19
Figure 1-5 Downstream & Upstream GTC Frame ................................................................... 19
Figure 1-6 ONU Burst Format ................................................................................................... 20
Figure 1-7 GPON Downstream Data Transmission Mechanism ............................................ 21
Figure 1-8 GPON Upstream Data Transmission Mechanism................................................. 22
Figure 1-9 GPON functions reference model........................................................................... 23
Figure 1-10 PLOAM Message Structure .................................................................................. 23
Figure 1-11 OMCI Packet Form at ............................................................................................. 24
Figure 1-12 The registration and authentication process of the GPON ONUs ..................... 26
Figure 1-13 Queues Scheduling on ONU................................................................................. 32
Figure 1-14 AES Key Switch Procedure................................................................................... 34
Figure 1-15 the downstream frame with FEC code ................................................................. 36
Figure 1-16 Upstream Frame with FEC Code ......................................................................... 36
Figure 1-17 Upgrading ONU Version through OMCI Protocol ............................................... 42
Figure 1-18 Activating the Version ............................................................................................ 43
Figure 2-1 Co-existence of XG-PON1, G-PON and RF video in the same ODN via WDM1r
........................................................................................................................................................ 45
Figure 2-2 Parameter of WDM1 ................................................................................................ 46
Figure 4-1 IEEE802.1Q format .................................................................................................. 53
Figure 4-2 IEEE 802.3ad Form at .............................................................................................. 54
Figure 4-3 1:1 /N:1 VLAN Translation....................................................................................... 60
Figure 5-1 Data Link Layer OAM Sublayer .............................................................................. 66
Figure 5-2 Service Level Etherent OAM Maintenance Entity Group Model .......................... 71
Figure 6-1 Layer-3 Forwarding Process ................................................................................... 75
Figure 6-2 DHCP Principle-2 ..................................................................................................... 80

Figure 6-7 Super VLAN Application Scenario .......................................................................... 88
Figure 6-8 ECMP Application Scenario .................................................................................... 90
Figure 6-9 ECMP Principles ...................................................................................................... 91
Figure 7-1 MPLS labels forwarding........................................................................................... 99
Figure 7-2 MPLS Label format ................................................................................................ 100
Figure 7-3 The implementation of MPLS................................................................................ 101
Figure 7-4 Inter-Area LSP........................................................................................................ 107
Figure 7-5 VPLS Reference Model ......................................................................................... 110
Figure 7-6 H-VPLS ................................................................................................................... 113
Figure 7-7 VPWS Reference Model........................................................................................ 114
Figure 7-8 LDP FRR................................................................................................................. 116
Figure 7-9 PW Redundancy .................................................................................................... 117
Figure 7-10 LSP Ping ............................................................................................................... 120
Figure 7-11 LSP Traceroute .................................................................................................... 122
Figure 7-12 LSP multipath tree trace ...................................................................................... 124
Figure 8-1 Network architecture for Ethernet- based GPON aggregation ........................ 127
Figure 8-2 Dual-Stack architecture ......................................................................................... 128
Figure 8-3 OLT tunnel ND messages with LIO appended .................................................... 131
Figure 8-4 AN as LDRA, BNG as DHCP L3 relay in DHCPv6-PD Process Diagram ........ 134
Figure 8-5 Relay Forward message of LDRA ........................................................................ 135
Figure 8-6 IPv4/IPv6 dual stack structure by Network element............................................ 140
Figure 9-1 Upstream end-to-end QoS solution ...................................................................... 143
Figure 9-2 Downstream end-to-end QoS solution ................................................................. 144
Figure 10-1 Layer-2 Multicast Processing Principle .............................................................. 146
Figure 10-2 Form at of an IPv6 multicast address.................................................................. 156
Figure 11-1 STP ....................................................................................................................... 163
Figure 11-2 RSTP..................................................................................................................... 164

Figure 11-3 Asymmetric Network ............................................................................................ 165
Figure 11-4 Low SST Bandwidth Utilization ........................................................................... 165
Figure 11-5 MSTP Working Principle ..................................................................................... 166
Figure 11-6 logical structure of an Ethernet Ring .................................................................. 171
Figure 11-7 Principle of implement TDM service protection. ................................................ 173
Figure 11-8 Type B: OLT-only Duplex System ...................................................................... 175
Figure 11-9 Type C: Full Duplex System ............................................................................... 175
Figure 11-10 G.984.1 – Dual Parented duplex system model ............................................. 176
Figure 12-1 Implementation of isolation for different users (ONUs) ..................................... 179
Figure 12-2 Implementation of isolation for different service flows with different users ..... 179
Figure 12-3 DHCP Option 82 Interaction Flowchart .............................................................. 181
Figure 12-4 DHCP Option82 Frame Format .......................................................................... 181
Figure 12-5 Relay Agent Fields Format................................................................................. 182
Figure 12-6 PPPoE+ Interaction Flowchart........................................................................... 182
Figure 12-7 PPPoE+ Frame Form at ...................................................................................... 183
Figure 12-8 The basic principle of vMAC technology............................................................ 187
Figure 12-9 SSH Module Position........................................................................................... 195
Figure 12-10 MAC Forced Forwarding Implementation Mechanism ................................... 197
Figure 12-11 DHCP Principle-1............................................................................................... 200
Figure 13-1 ACL Processing Principle.................................................................................... 204
Figure 14-1 principle to implement CES................................................................................. 206
Figure 15-1 Frequency synchronization function Diagram ................................................... 209
Figure 15-2 Phase synchronization over GPON function Diagram ...................................... 211
Figure 17-1 Software Architecture of fault diagnostic system .............................................. 219
Figure 18-1 Interfaces Supported by Common Public Interface Card ................................. 221
Figure 20-1 ZXA10 C300 supports time and clock redundancy function ............................ 238

TABLES
Table 2-1 Technical Difference between G-PON and XG-PON1........................................... 44
Table 4-1 MAC address management function description.................................................... 50
Table 4-2 IEEE802.1Q header .................................................................................................. 53
Table 4-3 VLAN concepts .......................................................................................................... 54
Table 4-4 VLAN funtions ............................................................................................................ 56
Table 5-1 Functions and Scenarios of Ethernet OAM Features............................................. 63
Table 8-1 Control mode of ICMP message ............................................................................ 138
Table 12-1 DHCP Snooping Binding Table........................................................................... 188
Table 13-1 4 Types of ACLs .................................................................................................... 203
Table 17-1 OTDR system function.......................................................................................... 217

1 GPON Feature
1.1 Introduction
 Description
GPON is an optical broadband access network. Its position in the PON network is
shown in the following Figure 1. The uplink network is the core switch network, while
the downlink is the user’s local network. It is to implement the user services
collecting, switching and forwarding.
Figure 1-1 GPON Position in PON
Adopting a point-to-multipoint network structure, the GPON system generally consists of

an OLT at the central office side, ONUs/ONTs at the user side, and the ODN.
ONUs provide the access to users. ONUs implement the following functions:
 Provides ODN interface.
 Supports PON transmission convergence layer function .

 Optionally receives broadcast data sent by OLT.
 Responds to distance measurement messages.
 Buffers user traffic and sends it in specified T-CONT.
 Multiplexes/de-multiplexes services.
OLT converges and handles the service traffics on several access nodes. An OLT is a
switch or router. It is also a platform, which provides multiple services. It is the core part
of GPON system. OLT implements the following functions:
 Provides ODN interface.
 Supports PON transmission convergence layer function.
 Supports services adaptation.
 Supports distance measurement.
 Supports DBA by allocating upstream bandwidth to T -CONT (transmission

container)
 Supports layer-2/layer-3 Ethernet functions.
 Manages ONUs through OMCI protocol.
ODN consists of single-mode optical fiber and optical splitter, optical connector, which
provides optical transmission media for the physical connection between the OLT and
the ONU.
 Target
The basic GPON technology has the following functions:
 Supports all-round services, including voice, Ethernet, and TDM.
 The downstream transmission adopts 1490 nm wavelength and the upstream

transmission adopts 1310 nm wavelength.

 Supports multi-rate modules. The downstream supports 2488.32Mbit/s, and

the upstream supports 1244.16 Mbit/s.
 Multiple rate modes are adopted;
 Downstream rate: 1244.16Mbits/s or 2488.32 Mbit/s,
 Upstream rate: 155.52 Mbit/s, 622.08 Mbit/s、1244.16 Mbit/s or 2488.32 Mbit/s.
 The maximum split ratio is 1:128.
 The maximum physical distance is 20 km, the maximum logical distance is 60

km and the maximum difference distance is 20 km.
 Provides OAM function.
 Provides security protection mechanism on the protocol layer according to

feature that the PON downstream traffic is transmitted through broadcasting.
 Features & Specification
ZXA10 C300/C320 has the following features:
 Supports Ethernet, TDM, and VoIP services.
 The downstream transmission adopts 1490 mm wavelength and the upstream

transmission adopts 1310 mm wavelength.
 The downstream rate is 2488.32 Mbit/s and the upstream rate is 1244.16
Mbit/s.
 The physical distance supports 3 modes, including 0-20 km, 20-40 km, and
40-60 km. The maximum logical distance is 60 km, and the maximum
difference distance is 20 km.
 The maximum split ratio is 1:128.
 Supports OAM function.
 Supports ONU password authentication.

 Supports downstream AES encryption
 Supports Type-B/C protection.
1.2 GPON Principle
1.2.1 Transmission Mechanism
 Description
GPON uses single fiber duplex transmission, with the downlink wavelength of 1490
nm and uplink wavelength of 1310 nm. The downlink data flow uses the TDM
technology and the uplink data flow uses the TDMA technology.
GPON defines the GEM frame format to encapsulate the uplink and downlink data
flow. The encapsulated GEM frames and the overhead bytes at the physical layer
form the GTC frames, which are transmitted between the OLT and ONU.
To schedule the uplink bandwidth, GPON uses T-CONTs as the bandwidth

scheduling units.
 Target
The single fiber duplex transmission mechanism implements high efficient

transmission of both uplink and downlink service flow, and supports finer bandwidth
management.
The ZXA10 C300/C320 supports the transmission mechanism defined by the

GPON standard.
GPON uses GEM as the data encapsulation method. Different GEM frames are
identified with different GEM Port-IDs. Figure 1-2 shows the GEM frame format.

Figure 1-2 GEM Frame Format
The GEM header field consists of PLI, Port ID, PTI, and HEC. PLI indicates the
loading length, Port ID identifies the GEM frame, PTI indicates the GEM frame type,
and HEC is used to verify the header field. The GEM loading length can customized.
Since PLI is only 12 bits, the maximum loading length is 4095 bytes.
Figure 1-3 shows the method of encapsulating an Ethernet frames to a GEM frame.
For the methods of encapsulating other frames to GEM frames, refer to the GPON
standard.
Figure 1-3 Encapsulating Ethernet Frame to GEM Frame
After the data flow is encapsulated to GEM frames, multiple GEM frames are
encapsulated to a GTC frame.
filet-0000973721_A-036FE9D4_EncapsulatingGEMFramesToAGTC129_29
Figure 1-4 shows the downstream GTC frame format.

Figure 1-4 Encapsulating GEM Frames to a GTC Frame
PCBd indicates the downstream physical control block, including downstream

management parameters. Each GTC frame has a fixed length and sending period.
When the downstream speed rate is 2488.32 Mbps, the downstream GTC frame
length is 38880 bytes. One frame is sent every 125 us.
Since the TDMA transmission mechanism is used for upstream, the upstream GTC
frames consist of a series of ONU bursts, as shown in Figure 1-5.
Figure 1-5 Downstream & Upstream GTC Frame
Figure 1-6 shows the ONU burst format.

Figure 1-6 ONU Burst Format
PLOu indicates the uplink physical layer overhead of the ONU. Each Allocation
interval indicates a T-CONT upstream timeslot. ONU sends the data in the
T-CONT queue to the OLT during this timeslot. The BWmap field in PCBd of the
downstream frame defines the upstream starting time and end time of each
T-CONT.
Note:
 T-CONT (Transmission Container) is the minimum unit of the upstream

bandwidth. It is identified by Alloc IDs.
 GEM port and GPON encapsulation port are identified by Port-IDs.
 The data of multiple GEM ports can be mapped to the same T-CONT.
In the GPON system, the downstream data flow of the OLT PON port is distributed
to different logical channels according to the GEM Port-IDs. The ONU filters the
downstream data according to the GEM Port-IDs, and it handles its own GEM data.
The data from one GEM Port-ID can be received by multiple ONUs to transmit
downstream broadcast or multicast data, as shown in Figure 1-7.

Figure 1-7 GPON Downstream Data Transmission Mechanism
In the upstream direction, the data of multiple GEM Port-IDs can be converged to
one T-CONT. In the T-CONT upstream timeslot, the ONU sends these GEM
frames to the OLT. The OLT determines the scheduling between multiple GEM
Port-IDs in the same T-CONT. Figure 1-8 shows the upstream data transmission
mechanism.

Figure 1-8 GPON Upstream Data Transmission Mechanism
1.2.2 OAM
 Description
GPON OAM function includes three parts:
 Embedded OAM, PLOAM and OMCI.
 Embedded OAM and the PLOAM channel manage the functions of PMD, and
on the GTC layer.
 OMCI is used to implement remote service configuration and management on

the ONU
 Target
 It is to implement various operation, management, and maintenance on the OLT

and the ONU.

ZXA10 C300/C320 completely supports embedded OAM and PLOAM functions

specified by the GPON standards. It supports to implement service configuration
and management on the ONU through OMCI.
As shown in the Figure 1-9 GPON functions reference model, the DBA control
belongs to the embedded OAM channel provided by the domain signal field in the
GTC frame head. Because each signal section is directly mapped to a specific
area in the GTC frame head, the OAM channel provides a channel with low delay
for time sensitive control information. The channel has the following functions,
including bandwidth authorization, FEC enabling identifier, uplink dynamic
bandwidth report, and link BER information.
Figure 1-9 GPON functions reference model
PLOAM channel is formatted information system born in a specified position in the

GTC frame. 13 bytes frame transmits all the PMD and GTC management
information which fails to be transmitted through the embedded OAM channel.
Figure 1-10 shows the PLOAM message structure.
Figure 1-10 PLOAM Message Structure

OMCI message, which is encapsulated in GEM packets and transmitted through

specified GEM channel, is used to manage the GTC upper-layer service definition.
The tail of the OMCI packet is used to check CRC. The packet format is shown in
Figure 1-11.
Figure 1-11 OMCI Packet Format
OLT can implement the following management functions through the OMCI
channel:
 To establish and release the service connection with the ONT
 To manage the UNI interface on the ONT
 To request configuration information and performance statistics
 To automatically report event, such as link fault, to the system administer
1.2.3 ONU Registration and Authentication
 Description
GPON OLT applies embedded OAM and PLOAM channel to search ONUs
periodically. When it gets a legal ONU, it allocates corresponding ONU-ID and
measures the distance. After it successfully measures the distance, it registers the
ONU through PLOAM channel if necessary. After the successful registration, it
configures and manages services through the OMCI management channel just
set.
 Target
GPON OLT is used to access and control the ONU.

ZXA10 C300/C320 ONU authentication and registration supports the following

features:
 Registration mode based on the ONU SN
 Registration mode based on the ONU password
 Registration mode based on the ONU SN + the ONU password
 Configure the ONU searching period
 Configure automatically learning registration ONU module. When the OLT

search an unconfigured ONU, it adopts the ONU SN to automatically register
the ONU.
 ONU password authentication in the mode of the ONU SN registration

Figure 1-12 The registration and authentication process of the GPON ONUs
The registration and authentication process is as follows:

 The OLT sends a downstream GTC frame every 125 μs.
 After receiving the downstream GTC frame, the ONU clears the local
LOS/LOF, and the state is changed from O1 to O2.
 The OLT sends downstream Upstream_Overhead PLOAM message. This

message defines the preamble, delimiter, and equalization delay of the
upstream frame.
 After receiving the Upstream_Overhead PLOAM message, the ONU set the
preamble, delimiter, and equalization delay of the upstream frame according to
the message content, and the state is changed from O2 to O3.
 The OLT sends the downstream Extended_Burst_Length PLOAM message.

This message defines the preamble length of the upstream frame during
distance measurement and normal operation. During distance measurement,
the preamble is longer, which helps the OLT to capture the ONU upstream
frames.
 After receiving the Extended_Burst_Length PLOAM message, the ONU sets

the preamble length of the upstream frame during distance measurement and
normal operation according to the message content.
 The OLT uses the BWMap field of the downstream GTC frame to open a
public quiet window. All the unregistered ONUs can send their serial numbers
to the OLT through this quiet window.
 The ONU sends its serial number to the OLT in the Serial_Number_ONU
PLOAM message.
 After receiving the ONU serial number, the OLT assigns an ONU-ID to the
ONU through the Assign_ONU_ID PLOAM message.
 The ONU receives the Assign_ONU_ID PLOAM message, and the state is
changed from O3 to O4.

 The OLT uses the BWMap field of the downstream GTC frame to open an
upstream quiet window for the ONU-ID. The ONU sends its serial number to
the OLT through the quiet window.
 The ONU sends its serial number to the OLT in the Serial_Number_ONU
PLOAM message.
 After receiving the ONU serial number, the OLT calculates the ONU distance
and equalization delay, and sends the equalization delay to the ONU in the
Ranging_Time PLOAM message.
 After receiving the Ranging_Time PLOAM message, the ONU sets its
equalization delay, and the state is changed from O4 to O5.
 The OLT delivers the Request_password PLOAM message, requesting the

ONU to report the password.
 The ONU sends its password to the OLT in the Password PLOAM message.
 The ONU password is verified, The OLT delivers the Configure Port-ID
PLOAM message and configures the ONU OMCI management channel.
 The ONU sets the OMCI management channel. The OLT can perform service
configuration and management through this channel.
1.3 Key Technologies
1.3.1 Authentication security method introduction
 Description
The authentication security method is used to configure the username/password to

establish a session between a client and server.
 Target
The authentication security method includes validation schemes as follows:

 Disable
 MD5 digest authentication as defined in RFC2617
 Basic authentication as defined in RFC2617
 Features & Specification
 ZXA10 C300/C320 supports the following features of the authentication

security method:
 The OLT supports the configuration of validation scheme, username,

password and realm.
 The ONU supports the session between the client and server by the
configured validation parameters.
 Basic Theory
The OLT configures the parameters of authentication security method by OMCI
messages according to the G.984.4 9.12.4 authentication security method.
The ONU implements the validation according to RFC2617.
The authentication security method defines the user id/password configuration to

establish a session between a client and a server. This object may be used in the
role of the client or server. An instance of this managed entity is created by the
OLT if authenticated communication is necessary.
 Relationships
 One instance of this management entity may be associated with a network

address ME. This ME may also be cited by other MEs that require
authentication parameter management.
 Attributes
 Managed entity id: This attribute uniquely identifies each instance of this
managed entity. The value 0xFFFF is not valid. (R, Set-by-create) (mandatory)
(2 bytes)

 Validation scheme: This attribute specifies the validation scheme used when
the ONT validates a challenge. Validation schemes are defined as follows:
 Validation disabled
 Validate using MD5 digest authentication as defined in RFC 26 17

(recommended)
 Validate using basic authentication as defined in RFC 2617
 (R, W) (mandatory) (1 byte)
 Username: This string attribute is the user name. If the string is shorter than 25
bytes, it must be null terminated. (R, W) (mandatory) (25 bytes)
 Password: This string attribute is the password. If the string is shorter than 25
bytes, it must be null terminated. (R, W) (mandatory) (25 bytes)
 Realm: This string attribute specifies the realm used in digest authentication. If
the string is shorter than 25 bytes, it must be null terminated. (R, W)
(mandatory) (25 bytes)
 Solution
The solutions are as follows:
 When the security authentication establishes a session between client and

server, VoIP service configuration and authentication parameters will be
configured by operator.
 The OLT sends authentication parameters to the ONU by OMCI messages.
 The ONU uses authentication configuration to establish sessions.
1.3.2 Dynamic Bandwidth Allocation
 Description

The dynamic bandwidth allocation of GPON is that the OLT dynamically allocate
uplink transmission time slot for ONU according to the transmission buffer
occupancy ratio.
 Target
It is to implement the dynamic allocation of GPON uplink bandwidth.
 Features& Specification
ZXA10 C300/C320 supports the following features:
 SR-DBA and TM-DBA.
 Configuration on fixed bandwidth, guaranteed bandwidth and the maximum

bandwidth for each TCONT.
 Bandwidth granule is 64 Kbps.
 One PON port with maximum 1244 Mbps bandwidth
 Basic Theory and Solution
In GPON, T-CONT is the minimum scheduling unit for uplink bandwidth allocation.
Bandwidth authority is correlated with only one T-CONT. Regardless the count of
cache queues on one T-CONT, OLT DBA algorithm considers T-CONT as a
container containing only one logical cache.
According to logical cache occupation on each T-CONT, DBA allocates specific

upstream bandwidth for T-CONT. The bandwidth information is sent to ONU
through the BWmap field of downstream frame. After receiving bandwidth
information, ONU allocates bandwidth to the queues on T-CONT.
The DBA in GPON has the following functions:
 Obtains the occupied state for the T-CONT logical cache.
 Calculates the current upstream bandwidth value allocated to the T -CONT

according to the T-CONT cache occupied state and configuration bandwidth
parameter.

 Builds the BWmap field for the downstream frame according to the upstream
bandwidth value and store it in the BWmap table.
 Transmits the BWmap table contents in each downstream frame to implement

dynamic management of the upstream flow.
The OLT can set the queue scheduling policy on ONU T-CONT through
management channel, as shown in Figure 1-13.
Figure 1-13 Queues Scheduling on ONU
The OLT can obtain the occupied state of T-CONT logical cache by two ways:
 The OLT continuously monitor the T-CONT upstream flow, and speculate the
current occupied state of the T-CONT logical cache according to the
fluctuation condition for corresponding bandwidth allocation. The DBA
implementing this method is known as TM-DBA.
 The OLT can require ONU to report current occupied state of each T -CONT
logical cache for corresponding bandwidth allocation. The DBA applying this
method is known as SR-DBA.
 The GPON DBA bandwidth types are as follows:
 Fixed bandwidth: After T-CONT activation, OLT allocates bandwidth

regardless the cache occupation and T-CONT upstream loading.

 Assured bandwidth: T-CONT bandwidth requirements must be fulfilled. If the

required bandwidth is less than the assured, the extra bandwidth can be used
by other T-CONTs.
 Non-assured bandwidth: T-CONT bandwidth requirements need not be fulfilled.

The non-assured bandwidth is allocated only after fixed and assured
bandwidth are allocated.
 Best-effort bandwidth: It is of the lowest priority and is allocated after the fixed,
assured, and non-assured bandwidth are allocated.
 Maximum bandwidth: Regardless the T-CONT actual upstream traffic,

allocated bandwidth must notexceed the maximum bandwidth.
1.3.3 Data Encryption
 Description
Data Encryption is to encrypt the downstream service data.
 Target
As GPON is a point-to-multipoint system, the encryption on the downstream data

can prevent the data sent to an ONU being wiretapped to ensure user data
security.
ZXA10 C300/C320 supports AES encryption algorithm and implement AES

encryption with a GEM port as a unit.
In GPON system, the downstream data is broadcasted to all ONUs in PON

network. If some malicious user reprograms the ONU, he can listen to all users
downstream data. This is the snooping threat that PON security system may
encounter. To solve this problem, encrypt the downstream data to ensure the
users' data security. The ONU generates the key and transmits it upward. To avoid
key deciphering, it should be changed periodically.

Figure 1-14 shows the AES key of GPON switch procedure
Figure 1-14 AES Key Switch Procedure
The specific procedures are as follows:
 OLT delivers Request_Key PLOAM message to request ONU for a new key.
 ONU transmits new key to OLT through Encryption_Key PLOAM message.
 OLT saves the new key locally and delivers Key_Switching_Time PLOAM
message to inform the ONU of the activation time of the new key.
 ONU configures the activation time of new key and transmits a confirmation
message to the OLT through Acknowledge message PLOAM.

 At the activation time of the new key, the OLT encrypts the downstream data
with the new key, then delivers it to the ONU.
 The ONU uses the new key to decipher downstream data to obtain effective
data.
1.3.4 FEC
 Description
FEC is to encode transmission data according to a certain algorithm to add extr a

redundant bit.
 Target
FEC technology has the following functions:
 Low data transmission error ratio to avoid data retransmission.
 Increase in link budget by 3~4 dB. Therefore, it can support longer

transmission distance with a higher speed. Each PON can support more
branches.
ZXA10 C300/C320 has the following FEC features
 Enable/disable FEC function on a single PON port.
 Uplink FEC based on ONU
 Downlink FEC based on GPON port
In the GPON system, RS code is used to implement FEC and is based on a block.
It selects a fixed-size data block and adds extra redundancy at the end. FEC
decoder uses these extra bits to process the data flow, find errors, correct errors
and then obtain the original data.
The general RS code is RS (255, 239) with the length of 255 bytes including 239
data bytes and 16 bytes of check fields.

The original data is reserved when FEC based on the block is applied. Therefore,
even the opposite port does not support the FEC, the original data can be
processed by ignoring check bits.
Figure 1-15 shows the downstream frame with FEC code
Figure 1-15 the downstream frame with FEC code
Figure 1-16 shows the upstream frame with FEC code
Figure 1-16 Upstream Frame with FEC Code
1.4 GPON ONU Remote Management
1.4.1 Introduction
User can manage ONU through OLT by unified NMS for management and
maintenance, or directly manage ONU by unified NMS
Mode1: ONU remote management is to manage ONU at the NMS workstation

through OLT and exchange through OMCI between the OLT and the ONU. OLT
manages and controls ONT through OMCI protocol specified by G984.4
Mode2: Users can configure and manage the ONU IP address by NMS or manual
configuration of IP address pool. When the ONU is online, OLT automatically
obtains an IP address and allocates it to ONU. The OLT sets the IP to the ONU.

After configuring ONU to manage IP, users can directly log on the ONU to manage
through in-band modes: such as SNMP, Telnet, Web etc
1.4.2 Port Isolation
Port isolation is to prevent layer 2 interworking among ONU user ports to strengthen
the network security.The ONU bridge port allows local exchange or not by
Configure a bridge to allow or block the local exchange
1.4.3 ONU Auto-Delivery
Auto-delivery is to save ONU service data on OLT while ONU does not need the
service data. When the ONU goes online, the OLT automatically deliver remote
management data to the ONU to ensure normal services. The implementation of
the unified management of the OLT on the ONU is convenient to maintain and
replace the ONU.The system automatically delivers the configuration to the ONU
while the ONU goes online again.
OLT re-set the local configuration of the ONU after the an ONU goes online at the
first time, then it deliver the configuration to the ONU. If the ONU goes online again,
the OLT and ONU maintains a counter respectively. When the ONU goes online
again, the OLT compares the two counters. If the counters are different, use the
OLT configuration to reset the local configuration of the ONU. If they are the same,
it is unnecessary to reset the configuration.
1.4.4 E1 Port Configuration
Configure the ONU E1 port through OMCI, ZXA10 C300/C320 supports E1 port
enable/disable function.E1 supported ONUs can be configured to enable or disable
E1 port.
1.4.5 Port MAC Configuration
Configure MAC binding on ONU port to filter packets transmitted from illegal MAC
address. Configure port static MAC address to avoid MAC addresses learning.
ZXA10 C300/C320 supports the following configurations:
 Port MAC Binding

 After configuring port MAC address binding, only the packets with source MAC
of bound MAC can pass. The packets with other source MAC is to be
discarded.
 Port MAC Filtering
 After configuring port MAC filtering, the packets with the source MAC of the
filtered MAC is to be discarded.
 Static MAC Address
 The static MAC address must not age or learn after configuration.
1.4.6 Maximum MAC Address Learning Number of ONU Bridge
Configure the maximum MAC address learning number of ONU bridge through
OMCI to restrict the user number connected to each ONU bridge.
ZXA10 C300/C320 supports configuration on the maximum MAC address number

that an Ethernet port can learn. The maximum can be configured to be 65534.
Different types of ONU support different maximum value according to the ability of
the ONU.
Configure the maximum MAC address learning number of ONU bridge through
OMCI to restrict the user number connected to each ONU bridge. When the
addresses that the port learns reaches the maximum value, the port does not learn
the addresses of the different— source— address packets that it receives. The
difference in processing the packets leads to the possible difference in ONUs.
There are usually two situations as follows:
 Forward the packets upstream. The downstream packets flood because they
fail to find the forwarding port.
 Discard the packets with unknown MAC addresses.
1.4.7 Multicast Configuration
Configure controllable multicast on ONU through OMCI.

 Multicast working mode: IGMP snooping or controllable multicast.
 Fastleave function.
 Multicast VLAN configuration.
 Port multicast VLAN with/without Tag configuration.
 Maximum multicast number on a port to 255. Different ONU supports different

maximum value according to the ONU ability.
 IGMP Snooping
 IGMP Snooping runs on the layer-2 broadband access equipment. It is to

intercept the IGMP Report/Leave from the upstream host and IGMP Query
from the downstream router and to maintain layer-2 multicast forwarding table.
 IGMP Snooping considers that Layer–2 switch is between the host and the
router (Layer–3 switch). Between the router and the host, IGMP establishes
the relation between the IP multicast group and router members . The router
transmits a Query packet to all the ports to query which host to join. The host
transmits a Report packet to the router after the host receives the Query
packet to inform the router the host IP address which intends to join. When the
IGMP packets is interacting, the router uses a specific type D multicast IP
address of 224.0.0.1 to transmit the Query packet and the host uses a specific
type D IP address of 224.0.0.2 to transmit the Report packet. The MAC
address that the two IP addresses maps is unique. Therefore, the Layer–2
switch traps the Ethernet frame of the two multicast MAC address which the
Layer–2 switch receives, then the CPU defames the Ethernet frame to be
IGMP packet. Processing the IGMP packet is to get the relation between the
IP multicast group and the switch port and map it to be the relation between
the MAC multicast group address and the switch port. The IGMP Snooping
module processes the Query packets from the router and ana lyzes its
multicast source, and forwards it to other ports of the same VLAN. The IGMP
Snooping also receives Report and Leave packets from other hosts, analyzes
the members of the multicast group, and forwards the frame all the ports of the
same VLAN.

 Controllable Multicast
 According to China Telecommunication EPON Equipment Technology

Requirements (V2.0 ). The core concept of the dynamic controllable protocol is
that OLT authenticates the user on the basis of the user ID information carried
by the IGMP control packet. The OLT also implements the ONU forwarding
control on the multicast data packets through the extended OAM.
 The OLT identifies the user on the port according to the use's LLID or the
VLAN ID carried by the upstream IGMP Join packet. It judges whether the user
has the authority and parameters to access the applied multicast services. The
OLT transmits the authority to access the multicast channel to the ONU
through the extended OAM packet controlled by the multicast. Then the ONU
forwards or shuts down the multicast service traffic of the user on this port.
 Fast Leave Basic Theory
 When the ONU receives IGMP Leave message, it immediately stops

forwarding service traffic of the multicast group to the user port (and deletes
the corresponding contents in the multicast forwarding table). Meanwhile, the
ONU transparently transmits the IGMP Leave message to the OLT.
 Multicast VLAN
 Multicast VLAN is used to control forwarding multicast packets and general

query packets. The port VLAN module decides whether to add tag to the
multicast Join packet. If the port VLAN module is Tag module with the VID of
100, add VLAN100 tag to the multicast Join packet, then forward it to the PON
port.
1.4.8 Layer-2 Service on ONU
Configure ONU through OMCI to complete Layer-2 services.
ZXA10 C300/C320 uses the flow concept of to implement Layer-2 services on the
ONU.
 MAC bridge service. ZXA10 C300/C320 adopts the concept of switch.

 802.1 mapping service.
 MAC bridge + 802.1p mapping service.
802.1p mapping service: Map the Ethernet data frame to different Gemport
according to the 3 bit priority field in the Ethernet data frame.
Flow: The service in ZXA10 C300/C320 GPON obtains a flow according a certain
mapping rules.
Complete Layer-2 service on ONU according to the service model specified by

G984.4 standard.
1.4.9 Remote ONU Version Upgrading
ZXA10 C300/C320 can upgrade ONU version remotely through OLT, ZXA10
C300/C320 supports remote upgrading multiple ONU version simultaneously.
OLT upgrades ONU version through OMCI protocol, as shown in Figure 1-17

Figure 1-17 Upgrading ONU Version through OMCI Protocol
Activate the version after downloading the version to the ONU, as shown in Figure
1-18

Figure 1-18 Activating the Version
2 XG-PON1 Feature
2.1.1 Introduction
XG-PON1 is the next-generation evolution of GPON, therefore XG-PON1 scenarios

is similar with GPON scenarios. XG-PON1 is the technology used for
10-gigabit-capable passive optical network systems – a family of flexible access
network systems that operate over a point-to-multipoint optical access infrastructure
at the nominal data rates on the order of 10.0 Gbit/s in downstream direction, while
providing a wide range of broadband and narrow-band services to the end-users.

XGPON is accordance with ITU-T G.987 series standard The downstream rate of
XGPON1 is 10Gbit/s, and the upstream rate is 2.5Gbit/s.
Table 2-1 shows the technical Difference between G-PON and XG-PON1
Table 2-1 Technical Difference between G-PON and XG-PON1
G-PON XG-PON1
Standard G.984 G.987

Nominal line rate DS2.5Gbps DS10Gbps
US1.25Gbps US2.5Gbps
Split Ratio 1:128 1:512
Line code NRZ NRZ
Operating wavelength DS DS 575-1580nm

1480-1450nm US 1260-1280nm
US
1290-1330nm
Max Distance/ Differential Distance 20km/20km 40km/40km

Max logic Distance/ Differential logic 60km/20km 60km/60km
Distance
Encapsulation Method GEM XGEM
FEC RS(255, 239) DS RS(248,216)

US RS(248.232)
Encryption DS AES DS/US AES
Multicast Encryption No Support Support
OMCI Fix length Fix length and Variable

length
Generic physical configuration of the optical distribution network of XGPON1 is

same as GPON, and the differences between them are rate and XGTC layer
feature. XGPON can support higher rate and XGTC layer of XGPON has better
efficiency, reliability and security just as described as below:
 Password of ONU is exchanged during activation to ensure ONU’s registration

integrity during activation.
 Multiple PLOAM messages are transmitted into one downstream XGTC frame,
which increases PLOAM channel capacity.

 Flexible burst profile selection to meet different application scenarios.
 PON-ID Broadcast in the downstream to support PON interface verification by

handheld device and potentially improves fast protection.
 Decouple of FEC and bandwidth on the ONU side to reduce ONU’s cost.
 Doze and cyclic sleep power saving modes to decrease power consumption
on the ONU side.
The basic principle of co-existence of XG-PON1, G-PON and RF video in the same
ODN prototype is shown in Figure 2-1
Figure 2-1 Co-existence of XG-PON1, G-PON and RF video in the same ODN via
WDM1r
The parameter for WDM1 is shown in Figure 2-2

Figure 2-2 Parameter of WDM1
2.1.2 Features & Specification
ZXA10 C300/C320 XGPON1 supports the following features:
 It provides asymmetric upstream and downstream rates, with a maximum

upstream rate of 2.5 Gbit/s and a maximum downstream rate of 10 Gbit/s.
 Each XG-PON1 line card can provide eight 10G gigabit-capable passive optical
network(GPON) ports.
 Each 10G GPON port supports 256 optical network units (ONUs).
 Each 10G GPON port supports 8192 XGPON encapsulation mode (XGEM) ports.
 Each 10G GPON port supports 4096 transmission containers (T-CONTs).
 OLTs use AES-128 to transmit key ciphertext. AES is the acronym for Advanced
Encryption Standard.
 OLTs support dynamic bandwidth allocation (DBA), and a minimum granularity of

64 kbit/s and a minimum bandwidth of 256k for each bandwidth allocation.

 OLTs support the function for querying 10G GPON optical module parameters,
such as temperature, bias current, voltage, and receive optical power.
 The downstream FEC function is enable by default.
3 P2P Access Feature
3.1 Introduction
Point-to-point (P2P) GE/FE optical access means the point-to-point FTTX access based
on the combination between its P2P GE/FE optical access card and the P2P GE/FE
terminal devices. ZXA10 C300/C320 provides point-to-point (P2P) Ethernet optical
access with GE/FE ports and coordinates with downstream devices to implement various
optical access solutions for users. The scenarios include FTTC/FTTB, FTTO, and
FTTCell
The P2P card in ZXA10 C300/C320 uses WDM technology. It uses single optical fiber for
sending and receiving. Therefore, it is greatly suitable for those occasions that access
layer is in great demand of optical fibers and optical fibers are in short, to achieve device
interconnection. The P2P card can save a large number of optical fiber resources and
thus reduce the network construction cost. To meet the requirement of connection with
the normal GE/FE Ethernet interface of the downlink equipment. In addition, the P2P
card can also use the dual-fiber SFP optical module to implement the normal GE/FE
Ethernet interface, therefore, the number of each card decrease to half. The P2P card is
mainly applied in the following scenarios:
 FTTH
As an access scenario, the P2P card is connected to an P2P ONU to implement FTTH
application, The FTTH solution implemented through GE P2P optical access can provide
a higher bandwidth for users, thus meeting the requirements of high-end users. Because
each user exclusively possesses an optical fiber, he can be provided the most reliable
optical-layer security isolation.
 FTTO/B

Through P2P access for FTTO application, it provides enterprise user with higher reliable
dedicated line and VPN services. The OLT is connected to enterprise SBUs through GE
P2P Ethernet optical access. The SBUs are connected to user terminals through FE,
POTS, or Wi-Fi. QinQ VLAN encapsulation is implemented on the SBUs and the OLT. In
this way, transparent and secure places, and thus the service data and BPDUs between
the enterprise private networks can be transparently transmitted over the public network.
FTTO is applicable to enterprise networks. In this scenario, FTTO implements TDM PBX,
IP PBX, and private line service in the enterprise intranets
 FTTC
The P2P card provides Ethernet FTTC access which is subtended to mini-OLT/DSLAMs
and hence reduces the cost of networking in order to converge a large number of users
with the features such as inter-board aggregation, smart link, and ring check.
 FTTcell
The P2P card can provide connection to base stations directly or through P2P ring. To
meet the backhaul requirement, it provides the synE/IEEE 1588V2 features. The OLT is
connected to CBUs or base stations through GE/FE P2P Ethernet optical access. The
OLT connects wireless base stations to the core IP bearer network through optical
access technologies. This implementation mode is not only simpler than traditional
private network technologies, but also drives down the costs of base station backhaul.
FTTCell is applicable to reconstruring and capacity expansion of mobile bearer networks.
In this scenario, FTTCell converges the fixed network and the mobile network on the
bearer plane
3.2 Features & Specification
The ZXA10 C300/C320 supports the following P2P GE/FE optical access specifications:
 Each P2P card supports a maximum of forty-eight GE/FE optical ports which is
compliant with IEEE802.3-2008 and ITU-T G.985/G.986.
 L2 VLAN function is compliant with TR-101, VLAN processing function includes

VLAN translation, TLS VLAN, VLAN transparent function, and selective QinQ

 The P2P interface support LACP/MSTP, the LACP function can support for those
ports of inner-card and inter-card
 P2P interface supports the P2P ring based on G.8032
 The P2P card provides multicast function such as IPv4 ASM, IPV4 SSM,IPV6
ASM,IPV6 SSM
 The following IP security function can be supported in P2P card: DHCPV4 Snooping,
DHCPV6 Snooping, IPv4 source guard, IPV6 source guard, ND Snooping.
 The port location can support PPPOE+,DHCPV4 L2 relay agent; DHCPV6 L2 relay
agent, and ND LIO;
 The ACL function includes IPV4 ACL, IPV6 ACL, ACL can support traffic monitoring,
traffic statistics, VLAN, COS and DSCP modification,
 The QOS function includes port+VLAN policing, port+VLAN shaping, DSCP to COS
mapping, etc.
 EOAM based on VLAN
 Each port supports SynE and IEEE1588V2 master.
4 Layer 2 Forwarding Feature
4.1 MAC Address Management
4.1.1 Introduction
 Description
MAC address management is a basic Layer 2 management.
 Target

The system ages dynamic MAC addresses to ensure timely updates of the MAC
address table. If the MAC address table is full and not updated, the system will fail to
learn new MAC addresses and will consequently fail to forward data.
By limiting the number of learnable dynamic MAC addresses, the system

administrator can limit the number of MAC addresses that enter the network and
hence alleviate the load of network devices.
By configuring static MAC addresses, the system administrator denies access to

unauthenticated users.
 Features and Specification
 Dynamically learning MAC addresses
 Querying MAC addresses
 Modifying the aging period of the MAC address table
 Limiting the number of MAC addresses
 Statically setting MAC address items, and deleting MAC addresses.
4.1.2 Basic Theory and Solution
The MAC address management function description listed as the following Table
4-1:
Table 4-1 MAC address management function description
Function Description Remarks

Dynamically The system learns the source The line rate learning is
learning MAC MAC address and outer VLAN ID supported. The MAC address
addresses in accordance with the ingress can be learnt successful even
service flow, and generates a when the traffic is too high.
MAC address table, which is used The maximum number of
as the basis for service MAC addresses of the SCXN
forwarding. board is 64K (65535), and that
of the SCTM board is 256K
(262144). For the GTGO


board, the maximum numbers
of MAC addresses of each
PON interface and the PON
board are all 16K. For the
GTGH board, the maximum
number of MAC addresses of
each PON interface is 16K,
and that of the PON board is
32K.
Querying MAC The system queries the learnt The system can query MAC
addresses MAC address table and performs addresses in real time by
service diagnosis. using uplink interface, PON
interface, ONU, slot, VLAN ID
or designated MAC address.
The system can also query
the 1:1 vMAC conversion
table.
Modifying the aging The system modifies the aging Only the MAC addresses that
period of MAC period of MAC address table in are dynamically learnt will
address table accordance with the service age. The MAC addresses that
deployment requirements. The are set statically will not age.
range is 10–1000000 seconds. When the aging period of a
The default value is 300 seconds. MAC address is set to a low
value, the actual aging period
is one to two times longer
than the specified value due
to the chip principles. When
the aging period is set to a
high value, the dynamic
period is accurate.
Limiting the number The system limits the maximum The number of static MAC
of MAC addresses number of MAC addresses for addresses is also included in
each user, service or ONU port. the maximum number. If the
The range is 1–4095. number of static MAC
addresses that are manually
set for a user increases, the
number of dynamic MAC
addresses that the user can
learn will decrease
correspondingly.


Statically setting The system supports statically The static MAC address table
MAC address items setting MAC address items and does not age with the aging
manually setting the MAC address period of MAC addresses.
table based on the uplink interface The static item of the same
and user interface. MAC address and VLAN must
be unique in the global OLT.
Deleting MAC The system supports manually The specified MAC address,
addresses deleting dynamic MAC addresses or any global MAC address
before the aging period expires. based on the PON interface,
The system supports manually ONU interface, uplink
deleting static MAC addresses. Ethernet interface, and VLAN,
can be deleted.
4.2 VLAN
4.2.1 Overview
 Description
Layer 2 switching uses the Media Access Control (MAC) address from the host's
Network Interface Cards (NICs) to decide where to forward frames. Layer 2 switching is
hardware based, provides wire speed and low latency. Layer 2 switch can be treated as
a multiport bridge. Layer 2 switching is commonly used in LAN communications.
VLAN switching is based on Layer 2 switching, and VLANs are identified by VLAN IDs.
Data with the same VLAN ID can be forwarded through L2 switching, and data with
different VLAN IDs is separated from each other. The VLAN technology ensures that
broadcast data and flood data would not be forwarded to all the other ports and reduces
the traffic load. Data with different VLAN IDs cannot be interworked, so the data security
is improved. In network planning, the Per User Per VLAN (PUPV), Per Service Per VLAN
(PSPV), or Per User Per Service Per VLAN (PUPSPV) methods can be used for
separated control of users or services.
The IEEE 8021.Q standard adds a tag field (four bytes) to an Ethernet frame.
IEEE802.1Q does not actually encapsulate the original frame. Instead, for Ethernet
frames, it adds a 32-bit field between the source MAC address and the

EtherType/Length fields of the original frame, so the minimum and maximum frame sizes
from 64 and 1,518 bytes (octets) to 64 and 1,522 bytes.
Figure 4-1 IEEE802.1Q format
A tag field in an 802.1Q header is composed of the following Table 4-2:
Table 4-2 IEEE802.1Q header
16 bits 3 bits 1 bit 12 bits

TPID PCP TCI/DEI VID
 Tag Protocol Identifier (TPID): a 16-bit field set to a value of 0x8100 in order to
identify the frame as an IEEE 802.1Q-tagged frame. This field is located at the
same position as the EtherType/Length field in untagged frames, and is thus used
to distinguish the frame from untagged frames.
 Tag Control Information (TCI)
 Priority Code Point (PCP): a 3-bit field which refers to the IEEE 802.1p priority.
It indicates the frame priority level. Values are from 0 (best effort) to 7 (highest);
1 represents the lowest priority. These values can be used to prioritize different
classes of traffic (voice, video, data, etc.). See also Class of Service or CoS.
 Drop Eligible Indicator (DEI): a 1-bit field. (formerly CFI) May be used
separately or in conjunction with PCP to indicate frames eligible to be dropped
in the presence of congestion.
 VLAN Identifier (VID): a 12-bit field specifying the VLAN to which the frame belongs.
The hexadecimal values of 0x000 and 0xFFF are reserved. All other values may be
used as VLAN identifiers, allowing up to 4,094 VLANs. The reserved value 0x000
indicates that the frame does not belong to any VLAN, it referred to as a priority tag.

On bridges, VLAN 1 (the default VLAN ID) is often reserved for a management
VLAN; this is vendor-specific by default
As the numbers of VLAN users and services keep increasing, 4094 VIDs cannot meet
the service requirements. Therefore, on the basis of IEEE 802.1Q, the IEEE 802.3ad
standard defines the concept of double-tag. IEEE802.1ad adds double tag field between
the source MAC address and the EtherType/Length fields of the original frame.
Double-tag can be useful for Internet service providers, allowing them to use VLANs
internally while mixing traffic from clients that are already VLAN-tagged. The outer (next
to source MAC and representing ISP VLAN) S-TAG (service tag) comes first, followed by
the inner C-TAG (customer tag). S-TAG VID and C-TAG VID can be combined as a
unique identifier. IEEE 802.3ad increases the number of VIDs to 4094 ×4094.
Figure 4-2 IEEE 802.3ad Format
The ZXA10 C300/C320 may use the following concepts related to VLAN listed as Table
4-3
Table 4-3 VLAN concepts
Concept Description Remarks

VLAN A general term for common VLANs, When a service flow is
including multiple VLAN modes and identified by VLAN, it
scenarios. indicates that the service
flow carries an 802.1Q
domain for differentiation
from untagged data.
When a port is identified by

VLAN, it indicates that the
port can receive and send
data carrying an 802.1Q or

Concept Description Remarks

802.3ad double-tagged
field.
VLAN ID VID in the tag field as defined by The range of VLAN ID
802.1Q. defined in 802.1Q is 1-4094,
while in 802.3ad, S-TAG
VID and C-TAG ID are
combined into a VLAN ID
with the range of 1 to
4094×4094.
C-VLAN Also called C-tag, used to identify the Normally, a C-VLAN
four bytes that are away from the indicates a user or service
source address in an 801.2ad domain. type.
S-VLAN Also called S-tag, used to identify the A unified S-VLAN is added
four bytes that are close to the source for users or services with
address in an 801.2ad domain. the same features, and
forwarded from an OLT port
to the corresponding router.
Normally, an S-VLAN
indicates a Service Provider
(SP).
User-VLAN Original VLAN ID of a service received The VLAN ID may be
by the OLT. carried by the service, or
added or converted by an
ONU based on the
configuration.
Untag It indicates that a service flow does not -
carry any 802.1Q or 802.3ad domain.
Untagged VLAN ID of a service flow is deleted. Normally, the VLAN ID of a
downlink service flow may
be deleted.
C’-VLAN Same as C-VLAN, but the VLAN ID is -
different from C-VLAN.
S’-VLAN Same as S-VLAN, but the VLAN ID is -
different from S-VLAN.
C-PCP PCP in a C-VLAN domain. -
S-PCP PCP in an S-VLAN domain. -
TLS Transparent LAN service, which means Defined in TR-101
that an S-VLAN is added or packets
are transparently transmitted based on
the user-side VLAN configuration.

 Target
It enable the carries network to support multiple service which could identify specific
subscribers and services.
The VLAN function complies with BBF TR156/TR167 standards.
The ZXA10 C300/C320 supports the following VLAN processing rules, which are
applicable to uplink services. For downlink services, the corresponding user -side
interfaces need to be located based on the S-VLANs and destination MAC addresses.
The down link services are then reversely converted according to the VLAN processing
rules of the user-side interfaces. The service flows whose VLAN processing rules cannot
be located will be discarded.
The following figure shows the detailed VLAN functions in ZXA10 C300 /C320 as listed in
Table 4-4 :
Table 4-4 VLAN funtions
Uplink Classification Rule Processing Rule Remarks

Service
Untag Untag Packets are transparently -
transmitted or discarded.
C-VLANs and C-PCPs are
added.
Or C-VLANs, C-PCPs,
S-VLANs, and S-PCPs are
added.
Untag Untag + Ethtype Packets are transparently -
added.
Or C-VLANs, C-PCPs,
added.
Priority tag Priority tag Packets are transparently -


Service
added.
Or C-VLANs, C-PCPs,
added.
C-VLAN C-VLAN ID or C-VLAN Packets are transparently C-VLAN or C-VLAN
ID range transmitted or discarded. PCP modification is
C-VLANs are changed. not supported if
C-VLAN PCPs are modified. services are
S-VLANs are added, and classified by the
C-VLAN PCPs are copied to C-VLAN ID range.
S-VLAN PCPs.
S-VLANs are modified and
added, and C-VLANs or
S-VLAN PCPs are modified.
C-VLAN ID (or Packets are transparently C-VLAN or C-VLAN
C-VLAN ID range) + transmitted or discarded. PCP modification is
Ethtype C-VLANs are changed. not supported if
S-VLAN PCPs.
C-VLAN ID (or Packets are transparently C-VLAN or C-VLAN
C-VLAN ID range) + transmitted or discarded. PCP modification is
C-VLAN PCP C-VLANs are changed. not supported if
S-VLAN PCPs.
TLS VLAN adding Packets are transparently The processing
transmitted if service VLANs rules comply with
are consistent with port TR-101.
VLANs. Or unified S-VLANs
and S-VLAN IDs are added


Service
as TLS VLAN IDs.
4.2.2 Basic VLAN Service
 Description
ZXA10 C300/C320 supports the VLAN service to isolate layer-2 subscribers to

access the network. The network and user side of ZXA10 C300/C320 are
configured with the same VLAN to forward packets to each other and keep the
data independent between VLANs.
 Features & Specification
The ZXA10 C300/C320 supports the following VLAN features:
 IEEE 802.1Q
 K VLAN ID ranging from 1 to 4094
 4 K (1 K = 1024) VLANs entries supported by each PON port
 VLAN tag/priority tag/untag, VLAN transparent transmission, N:1 VLAN

aggregation, VLAN priority mark, and VLAN filter
 VLAN trunk mode supported by network side ports
The basic VLAN service is simple. In the upstream direction, the ONU packets
have VLAN tags (configured through the home gateway or user interface by
default). The packets are sent to the main control and switching card through the
GPON card for VLAN tagging and MAC address learning. The first broadcast
packet is transmitted in flooding mode and then forwarded to the uplink port
(configured with the same VLAN tag) of the uplink card and then to the uplink
device.
In the downstream direction, the GPON card is found based on the user VLAN tag
and the destination MAC address. The packets then send to ONU and ONU will
match the original Tag or Untagged format.

4.2.3 VLAN Translation
 Description
With the development of Triple Play, access devices are required to support more
services such as the Internet, VoIP and IPTV services. A subscriber can access
these services through one home gateway device.
Carriers want to simplify the home gateway configuration. At the meantime the
access devices (ONUs or OLTs) are required to identify different subscribers and
services, and implement N:1 VLAN translation or 1:1 VLAN translation.
ZXA10 C300/C320 VLAN translation has the following features:
 1:1 /N:1 VLAN translation.
 2 K (1 K = 1024) 1:1 VLAN translation items for each port.
 2 K (1 K = 1024) N;1 VLAN translation items for each port.
1:1/N:1 VLAN translation is applicable per user /service/ VLAN. All the service
types (based on different VLANs) with each user are translated to different VLANs.
It is applicable for the single-edge and multi-edge networking, as shown in Figure
4-3
The GPON system works in the following procedures: When there is no home
gateway, ONU adds VLAN tag for each service and user. When there is a home
gateway, the home gateway configures different VLAN tags for different services.
After the ONU sends packets to the OLT, OLT implements 1:1 VLAN translation.
Each service of individual user is identified with a VLAN tag. The OLT can add an
external VLAN tag in order to distribute the traffic under the multi-edge condition.
For the downstream traffic, the OLT needs to implement the forwarding based on
VLAN ID or VLAN ID+MAC.

Figure 4-3 1:1 /N:1 VLAN Translation
 A indicates to implement 1:1 translation for the VLAN which VoIP belongs to
when stripping the GEM port ID, add the external VLAN, and then transmit it.
 B indicates to implement 1:1 translation for the specific service VLAN (such
iTV), add the external VLAN, and then transmit it through the specific SNI as
required.
4.2.4 VBES（or TLS）
 Description
VBES stands for VLAN for Business Ethernet Services. The traffic at the ONU UNI
interface can be untagged, tagged, double-tagged or priority-tagged. For TLS, the
required implementation is for the ONU to always add an S-Tag or translate an
incoming S-Tag to a new S-Tag, on upstream traffic.
 Untagged, tagged, double-tagged or priority-tagged;
 Add or remove SVLAN;

Add SVLAN based on the GEM ID、CVLAN ID、EtherType、CVLAN priority、CVLAN

ID+EtherType and CVLAN ID+Priority (EtherType includes: PPPoE、IPoE and
ARP);
Support outer VLAN and inner VLAN priority copy.
ONU supports tagged, untagged, double-tagged or priority-tagged packets.

Based on Q-Tag and Priority, the packets can be mapped to CVLAN or
CVLAN+SVLAN packets and support outer VLAN and inner VLAN priority copy.
On the other side, ONU only adds CLAN but OLT adds SVLAN.
4.2.5 Selective Q-in-Q
 Description
Selective Q-in-Q is the function that adding the outside VLAN Tag based on the
user packet VLAN tag and the given user port (GEM port in GPON).
Selective Q-in-Q is used with 1:1 VLAN translation for per user/ service/ VLAN.
 1:1 VLAN translation.
 2 K (1 K = 1024) selective Q-in-Q rules for each OLT port.
selective QinQ based on the GEM ID、CVLAN ID、EtherType、CVLAN priority、

CVLAN ID+EtherType、CVLAN ID+Priority (EtherType support PPPoE、IPoE、ARP);
outer VLAN and inner VLAN priority copy.
Each rule of selective Q-in-Q is described as adding outside VLAN tag based on
the user packet VLAN Tag and the given user port(GEM port in GPON), when 1:1
VLAN translation is used, the VLAN will be given a new value which will not be the
original user packet VLAN.
Selective Q-in-Q packet forwarding is described as following:
 In the upstream direction, the user packet with single VLAN tag is received. On
the user port, OLT find the select Q-in-Q rule by the VLAN tag and the user
port. If the rule is found, OLT adds the outside VLAN to the user packet and
forwards it to the NNI side.

 In the downstream direction, the packet with S+C VLAN tag (Double VLAN tag)
is received on NNI port. Then the OLT forwards the packet to the user port with
1:1 or N:1 VLAN forwarding mode. Furthermore, on the user port of the OLT
will find the select Q-in-Q rule by the S+C VLAN tag plus user port. If the rule is
found, the OLT will remove the outside VLAN of the user packet and then send
out.
4.2.6 VLAN Forwarding
 Description
N:1 and 1:1 VLAN Forwarding are the different ways to forward packets in Layer 2
devices.
ZXA10 C300/C320 supports N:1 and 1:1 VLAN forward mode.
 N:1 VLAN Forwarding
N:1 VLAN forwarding mode is the common VLAN + MAC translation mode in
layer-2. Single VLAN can be associated with more than one user port and uplink
port. Firstly when the packets are received, the source MAC address and VLAN
will be learned and contribute to the MAC forwarding table. The next step is to
search the destination port in the MAC forwarding table based on destination MAC
and VLAN ID. If the destination port is found then forward the packets to the
destination port otherwise the packets is flooded.
 1:1 VLAN Forwarding
1:1 VLAN forwarding mode forwards the packets only based on the VLAN ID. In
the upstream direction, the packets are transparently transmitted to the designated
uplink port. In the downstream direction, the packets search the destination port
from the 1:1 VLAN forwarding table and forward to that port.
According to the 1:1 VLAN forwarding mode, it is unnecessary to act the MAC
address learning.

5 Ethernet OAM
5.1 Introduction
 Description
Ethernet has been widely deployed because it’s economic, interoperable and feasible.
Since the Ethernet, especially 10Gbit/s Ethernet standards getting matured, the
technology has penetrated to MAN (Metro Area Network) and WAN (Wide Area Network)
as the carrier-class transport network to cater for multi-service requirements. In MAN and
WAN, there are various types of subscribers who need to be supported by end -to-end
services from several different carriers’ network. People therefore will face more
challenges on its extensibility, reliability, security and manageability while Ethernet is
widely deployed. Today the most popular Ethernet OAM standards including: IEEE
802.3ah, IEEE 802.1ag and ITU-T Y.1731.
 Target
Ethernet OAM solution includes two aspects: one is called Link Level Ethernet OAM
according to IEEE 802.3ah. It can realize automatic neighbor discovery, link fault
detection, link failure indication, and link loop test etc; the other one is called Service
Level Ethernet OAM according to 802.1ag/Y.1731. It can realize end-to-end performance
measurement for connection monitoring, failure indication, frame delay measurement
and frame loss measurement etc.
The following Table 5-1 describes the Ethernet OAM features..
Table 5-1 Functions and Scenarios of Ethernet OAM Features
Feature Function Scenario

Defined by IEEE 802.1ag, CFM CFM is used in the convergence
CFM
detects and locates Ethernet network to monitor the
connectivity faults, and includes the connectivity of the entire network

Feature Function Scenario

following functions: Connectivity and locate end-to-end Ethernet
Check (CC), Loopback detection (LB), connectivity faults.
and Link Trace (LT). ITU-T Y.1731
includes all the CFM functions, and
strengthens the LB function based on
802.1ag to implement multicast LB
and bidirectional diagnosis tests.
Defined by 802.3ah, EFM detects the EFM is used for physical
EFM
Ethernet link quality and connectivity Ethernet links between two
in the ―last mile‖. directly-connected devices in the
user access network.
Defined by ITU-T Y.1731, PM tests PM is used for measuring and
PM
and collects statistics on Ethernet monitoring performance and
performance, including frame Loss quality of the network and
Measurement (LM), frame Delay detecting network defects.
Measurement (DM), and frame
throughput measurement statistics.
ZXA10 C300/C320 provides the following EOAM features:
 Supports S+C ports
 Supports cascade ports and P2P board ports
 Supports S+C MIP
 Supports 15-minute/24-hour performance statistics, including link detection

events as specified by 802.3ah and performance statistics as specified by
Y.1731
 Supports 802.3ah for V-cut boards/P2P boards, and emergency link detection
 Supports 16K MEP and 4k MIP

5.2 Link Level Ethernet OAM (802.3ah)
5.2.1 Introduction
 Description
Link Level Ethernet OAM is the tactics for link fault detection, link failure indication
and fault recovery processing in Point-to-Point Ethernet link.
 Target
Users could achieve the Ethernet network management with the minimum cost in
Point-to-Point Ethernet level, which means to provide with connection monitoring,
failure indication and link loop test for link automatic protection switch.
C300/C320 XPON support link level Ethernet OAM including:
 Automatic neighbor discovery
 Link monitoring and failure indication
 Link loop test
 Abbreviations
OAM ：Operation Administration and Maintenance
Link Level Ethernet OAM (IEEE 802.3ah) is an optional sub-layer in Data Link
Layer for implementing link operation, monitoring and fault location detection
supporting with remote link alarm indication, remote loopback control etc. Link
Level Ethernet OAM uses OAMPDU with the destination MAC address of
0x0180c2000002. Generally there is no forwarding over bridges for those
OAMPDU but it could be directly processed through MAC sub-layer.
Ethernet OAM is based on 802.3 full-duplex or simulate full-duplex data link for
Point-to-Point link management. It does not support those such as Point-to-
Multipoint shared link OAM management; in the meantime Ethernet OAM based on

link single-direction communication mechanism implement the link advertisement.

Please refer the IEEE802.3 module as Figure 5-1 in below:
Figure 5-1 Data Link Layer OAM Sublayer
 Solution
 Link Level Ethernet OAM Discovery function
 Initially peer end devices will need to start the Link Level Ethernet OAM
protocol discovery process, the active side device will send out the Discovery
frame of the protocol from OAM port to negotiate the parameters with the
passive side device.
 The parameters general include: maximum OAMPDU size, supported OAM

capabilities etc and then establish the OAM connection.
 Link Level Ethernet OAM Remote Failure Indication
 Link Level Ethernet OAM defines a series of process for response the link
operation consists of remote equipment communication mechanism. Through
the defined events, the local device will report the Link Event Notification to the
remote OAM client and provide the explicit Event Notification messages.
 Link monitoring function are for detecting and indicting link faults under a
variety of circumstances. Link monitoring uses the Event Notification
OAMPDU, and sends events to the remote OAM entity when there are
problems detected on the link, The error events defined in the standard are:

Errored Symbol Period, Errored Frame, Errored Frame Period, Errored Frame
Seconds Summary.
 Ethernet OAM remote Loopback function
 OAM provides an optional data link level loopback mode for initiating remote
control. When the remote device under the OAM remote loopback mode, it can
query and compare the local and remote devices statistics at the random time.
Through analyzing the OAM sublayer remote loopback message, it can
ensure the status of the link connection.
5.3 Ethernet Service Level Ethernet OAM (802.1ag/Y.1731)
5.3.1 Introduction
 Description
This standard is dedicated for providing point-to-point management for service

provider's network which allows service providers to manage independent services
for individual subscriber. For the "service" level to manage, detect, identify and
isolate connectivity failure, the standard provides the facilitated and efficient
functions for prompt fault detection, testing and management.
C300/C320 XPON support Service Level Ethernet OAM
802.1ag Service Level Ethernet OAM standard is supported, supported function/

performance characteristics are to show as below:
Support full Ethernet OAM function
Support ETH-LB, Ethernet LoopBack function
Support ETH-LT, Ethernet Link Trace function
Support ETH-CC, Ethernet Continuity Check function
Support ETH-RDI, Ethernet Remote Defect Indication function
Support Ethernet OAM frame through MPLS pseudo-wire

Supports 16 MD
Support 64 MA
Support 512 MEP, MEG End Point
Support Y.1731 Service Level Ethernet OAM function, support functions as below:
Support AIS, Alarm Indication Signal
Support DM, Delay Measurement
Support LM, Loss measurement
supports six frequency levels to send CCM frames, the 3.3ms is fast time interval
support ETH-LCK, Ethernet Lock signal function
support ETH-Test, Ethernet Test function
support Availability Performance function according to MEF 10.2.1
 Abbreviations
1DM One-way delay measurement
AIS Alarm indication signal
APS Automatic protection switching
CCM Continuity check message
CE Customer edge
CoS Class of service
DMM Delay measurement message
DMR Delay measurement reply
ETH Ethernet MAC layer network
ETH-AIS Ethernet alarm indication signal function
ETH-APS Ethernet automatic protection switching function
ETH-CC Ethernet continuity check function

ETH-DM Ethernet delay measurement function
ETH-LCK Ethernet lock signal function
ETH-LB Ethernet loopback function
ETH-LM Ethernet loss measurement function
ETH-LT Ethernet link trace function
ETH-RDI Ethernet remote defect indication function
ETH-Test Ethernet test function
LBM Loopback message
LBR Loopback reply
LCK Locked
LMM Loss measurement message
LMR Loss measurement reply
LOC Loss of continuity
LTM Link trace message
LTR Link trace reply
MAC Media access control
ME Maintenance entity
MEG ME group
MEL MEG level
MEP MEG end point
MIP MEG intermediate point
NMS Network management system
NNI Network node interface
OAM Operation, administration and maintenance

PDU Protocol data unit
PE Provider edge
PRBS Pseudo random bit sequence
RDI Remote defect indication
STP Spanning tree protocol
UNI User network interface
UNI-C Customer side of UNI
UNI-N Network side of UNI
VID VLAN identifier
VLAN Virtual LAN
Service Level Ethernet OAM, according to IEEE802.1ag/ ITU-T Y.1731 standards,

adopts multi-domain network management model to provide diverse management
and maintenance scope for different organizations. Carrier Level Ethernet is
usually separated to three levels to maintain individual user group, service provider
group and operator group services and they are corresponding to different
management domains. End to end service provider will be responsible for the
business management, however Telco operators will guarantee the network
transmission. The domain of the maintenance model as Figure 5-2 shows:

Figure 5-2 Service Level Etherent OAM Maintenance Entity Group Model
 Solution
 Linktrace protocol is used to determine the trace to a destination MAC address.

The trace starts from a MEP, passes through multiple MIPs, then reachs to the
destination MEP. Linktrace Message (LTM) is a multicast packet. Every MIP
and the last MEP in the path will all generate a response which is unicast
Linktrace Replies (LTR) to the original MEP who launched LTM. The response
packets will be inspected by the original MEP to obtain MEP/MIP path
connection topology.
 Fault detection function
 When ETH-CC transmission is enabled in a MEG, all MEPs are enabled to

periodically transmit frames with ETH-CC information to all other MEPs in the
MEG. The ETH-CC transmission period is the same for all MEPs in the MEG.
When a MEP is enabled to generate frames with ETH-CC information, it also
expects to receive frames with ETH-CC information from its peer MEPs in the
MEG.

 Faulty Verification function

Network administrators use the Loopback protocol to verify failure connection.
MEP can send out a unicast Loopback Message (LBM) to the destination
entity which is another MEP or MIP. The MP, who receives the LBM generates
a unicast loopback response (LBR), sends to the source MEP. Then the
source MEP could confirm whether there is a failure connection.
 Fault notification function

Send out by the fault MEP, MEP will recognize the failure which could be due
to not receiving the desired CCM, or received invalid CCM, or the CCM which
contains the failure alarm information on its related bridge port.
 Fault recovery
Network administrator operates the fault recovery, such as modify the
configuration errors, or enable STP protocol, or initiate APS.
 Delay measurement includes One-way ETH-DM and Two-way ETH-DM, in

between the One-way ETH-DM requires all the network devices synchronized.
 In One-way ETH-DM, each MEP sends a frame with one-way ETH-DM

information to its peer MEP in a point to-point ME to facilitate one-way frame
delay and/or one-way frame delay variation measurements at the peer MEP. If
the clocks between the two MEPs are synchronized, one-way frame delay
measurement can be carried out; otherwise, only one-way frame delay
variation measurement can be performed. The PDU used for one-way
ETH-DM is 1DM. Frames which carry the1DM PDU are called as 1DM frames.
 In Two-way ETH-DM, a MEP sends frames with ETH-DM request information

to its peer MEP and receives frames with ETH-DM reply information from its
peer MEP to carry out two-way frame delay and two-way frame delay variation
measurements. The MEP could measure the delay based on the calculation of
the source transmitting/receiving timestamp, and peer MEP
transmitting/receiving timestamp.
 Loss measurement function

Loss measurement fucntion includes Single-ended ETH-LM and Dual-ended
ETH-LM, in between Dual-ended ETH-LM is accomplished by sending CCM.

 For single-ended ETH-LM, the source MEP sends LMM message added with
the counters of service frames at the egress point, the peer MEP received the
LMM message, copy the original counters and also add the local counters of
service frames for ingress and egress packets, then send the LTP message
out. The source MEP receives the LMR message, cumulates the counters of
the service frames at all the interfaces, thus the source MEP will get the loss
measurement result by simply calculating the sending the receiving counters
of service frame.
 availability performance measurement function
 When the availability performance measurement starts, within a short time

interval (e.g. 10s), test the service frame loss rate (referring the method 7), if
the rate exceed a certain threshold, then the services will be in vain, otherwise
the services will be accounted.
 By using this function, we can calculate the effective service time and total
time in a relative long period (e.g. 1h) to obtain the availability performance
results.
6 IPV4 L3 Feature
6.1 IP routing basic feature
6.1.1 Introduction
 IP Routing Overview
At present, carriers use VoIP to implement voice access. The ONU is built in with a
VoIP module or the ONU is connected by an IAD to access the broadband network
through the PON system.
The subscribers of different ONUs under the same OLT or different IADs under the
same ONU can realize VoIP interoperation. According to the networking plan of
most operators, the devices of access network are required to be separated from
each other. The access subscribers interoperate with each other through the uplink

router. Such a network has high security and is easy to be planned. The layer-2
devices are separated and they interoperate with each other through a layer-3
device.
Interoperating through layer-3 handles the ARP address resolution and packet
forwarding. The interoperating is realized in the following methods:
 The uplink router enables the ARP proxy function, the OLT implements layer -2
separation, and the uplink router implements interoperating through layer-3.
 The uplink router does not enable the ARP proxy function, the OLT
implements layer-2 separation, the OLT or the convergence switch enables
the ARP agent function (based on the VoIP VLAN, not for all subscribers). The
OLT takes place of the uplink router to return the MAC address of the router.
Packets are forwarded by the uplink routers on layer-3.
 The uplink router does not enable the ARP proxy function, the OLT enables
the layer-3 function, that is, the OLT implements the functions of ARP proxy
and layer-3 data forwarding between the VoIP subscribers under the OLT.
 Description
IP routing features refer to the condition that ZXA10 C300/C320 works for layer-3
forwarding. It uses the destination IP address of the IP packet and lookup the IP
routing table of ZXA10 C300/C320 to forward packets to the next-hop device. This
is different from the layer-2 forwarding where ZXA10 C300/C320 uses the
destination MAC+VLAN to forward packets to next-hop device. The IP routing table
can be configured in static mode or obtained dynamically through routing protocols
such as RIP, OSPF, BGP, or IS-IS.
 Target
Under layer-3 networking, ZXA10 C300/C320 uses the destination IP address to

forward IP packets to the next-hop device.
Figure 6-1 shows the layer-3 forwarding process. For layer-3 forwarding, the
destination MAC address is ZXA10 C300/C320 MAC address. The upper-layer
protocol configuration determines if the L3 marks with 1 in the layer-2 forwarding
table.

Figure 6-1 Layer-3 Forwarding Process
 Description
The routing supports the following:
 Static routing
 RIP
 OSPF
 BGP
 IS-IS
 Hardware and Software Requirements
The IP routing function requires ZXA10 C300/C320 to support IP layer-3

forwarding.

6.2 ARP Agent
6.2.1 Introduction
 Description
ARP agent includes two sub features can enable independently
MAC forced forwarding(MFF) according to RFC4562
it implements layer-2 interoperating. The OLT has no L3 interface and configures

the ARP agent to allow the VoIP subscribers under the same OLT to communicate
with each other by sending ARP reply packets with the MAC address of the uplink
router gateway.
IP-aware ARP request filtering
OLT populates a local ARP table according to DHCP snooping or static IP/MAC
bundle (also called static ARP). When OLT snooping downstream broadcast ARP
request from network side, OLT looks up local table with Target IP of ARP request
message and change its Ethernet frame’s destination MAC from broadcast to
unicast. It prevents ARP request from network side broadcast to all end users
The ZXA10 C300/C320 supports the following ARP agent features:
 Supports enable MFF for specific VLAN subscribers only.
 Supports enable IP-aware ARP request filtering for specific VLAN subscribers
only.
 Configuration of MAC address of layer-3 router gateway is optional. If not

configured by manual, the system learns the gateway MAC address
automatically.
 To save addresses, the ZXA10 C300/C320 is not configured with a layer-3

interface.
 Supports eight ARP agent items at the maximum.

To enable subscribers A1 and C1 (in same VLAN and same IP subnet) under the
same OLT to communicate with each other, configure the global ARP function
based on the specific VLAN on the OLT. In addition, configure the IP address and
MAC address of the uplink router gateway.
The process of communication between subscribers is described as follows:
 Since subscribers A1 and C1 are in the same subnet, when A1 visits C1 for the
first time, it sends an ARP request broadcast packet to obtain the MAC
address of C1.
 Since subscribers A1 and C1 are separated physically, the ARP request

packet can not be sent to C1 directly. The ARP request packet is captured by
the ARP agent module enabled by the OLT.
 The ARP agent module intercepts the gateway MAC address, and then sends
the ARP reply packet to subscriber A1 using the gateway MAC address
instead of the C1 MAC address.
 The packets that subscriber A1 sends to C1 are sent to the gateway firstly. The
gateway forwards the packets to subscriber C1. Thus subscribers A1 and C1
can communicate with each other.
Since ARP agent does not occupy the user address and does not need to enable
layer-3 interface, it is recommended for layer-2 interoperating based on specific
VLAN subscribers.
The process of IP-aware ARP request filtering is described as follows:
OLT has DHCP snooping feature enabled and populated an entry in local ARP
table that bundle A1’s IP address and MAC address
OLT has IP-aware ARP request filtering enabled.
When BRAS send an broadcast ARP request to resolve A1’s MAC address, OLT
looks up Target IP of ARP request and hit an entry in local table
OLT changes broadcast destination MAC with A1’s MAC from the entry.
Only A1 received ARP request and replied his MAC as link-layer address

6.3 ARP Proxy
6.3.1 Introduction
 Description
ARP proxy implements the layer-3 ARP function. The ARP proxy function needs to
be enabled on the layer-3 router for the VoIP subscribers under the same OLT to
interoperate with each other. When the layer-3 router does not enable ARP proxy
for security purposes, the OLT returns the MAC address of the uplink router
gateway, that is, the OLT enables ARP agent.
The ZXA10 C300/C320 supports the following ARP proxy features:
 Supports ARP proxy for specific VLAN subscribers only.
 Supports ARP proxy for Super VLAN
 C300/C320 will create a layer-3 interface and the assigned IP address is in the
same subnet with the subscribers, and ARP proxy function is enabled on
C300/C320.
 Supports 32 layer-3 interfaces at the maximum.
To enable subscribers A1 and C1 (in same VLAN and same IP address subnet)
under the same OLT to communicate with each other, configure a layer-3 interface
(based on the specific VLAN) on the OLT. On interface configuration mode,
configure an IP address in the same subnet as A1 and C1, and enable ARP proxy
function under the interface.
The process of communication between subscribers is as follows:
 Since subscribers A1 and C1 are in the same subnet, when A1 visits C1 for the
first time, it sends an ARP request broadcast packet to obtain the MAC
address of C1.

 Since subscribers A1 and C1 are separated physically, the ARP request

packet is not sent to C1 directly. The ARP request packet is captured by the
ARP proxy module enabled by the OLT.
 The ARP proxy module sends the ARP reply packet to subscriber A1 using
OLT MAC address instead of the C1 MAC address, and adds a host route
entry pointing to A1 to the route table.
 The packets that subscriber A1 sends to C1 are sent to the OLT firstly. Then
the OLT forwards the packets to subscriber C1. Thus subscribers A1 and C1
can communicate with each other.
ARP proxy is different from ARP agent in the following ways:
 When the subscriber sends an ARP request, ARP proxy returns the OLT MAC
address, while ARP agent returns the gateway MAC address.
 For ARP proxy, the OLT transits data, while in ARP agent, the layer-3 gateway
router transits data.
 ARP agent does not require layer-3 interface or occupy an IP address, while
ARP proxy does.
ARP agent is recommended for layer-2 interworking.
6.4 DHCP Relay
6.4.1 Introduction
 Description
When a DHCP Client and DHCP servers are on different network segments,
DHCP relay is used to forward DHCP client’s request to a specific DHCP server.
ZXA10 C300/C320 works as a DHCP relay on the layer-3 switch condition.
 Target
DHCP relay is a general way to deploy DHCP service in the layer-3 networking
environment. DHCP servers can be collectively deployed to simplify operator

maintenance management. ZXA10 C300/C320 can forward the user DHCP

request to the specific DHCP server. It not only prevents DHCP server from being
forged, but also improves the service security of the operator network.
DHCP relay has the following features:
 Supports to configure DHCP server under the layer-3 VLAN interface.
 Supports relay to maximal 20 DHCP server groups
 Each layer-3 VLAN interface can be configured with at most four DHCP
servers per group for load balance, and adopts polling modes to implement
mutual backup.
ZXA10 C300/C320 completely supports DHCP relay and has no requirements on

the hardware devices.
 Application Scenario
When the DHCP server and the user are in different network segment, ZXA10
C300/C320 is applied to implement layer-3 switch and to run DHCP relay function,
as shown in Figure 6-2.
Figure 6-2 DHCP Principle-2
The principle of DHCP relay is to modify the 'giaddr' in the heading of the DHCP
packet transmitted by the user to be as a local IP. It is forcibly transmitted to the
DHCP server in the unicast packet mode with the relay of ZXA10 C300/C320.
Then the DHCP server transmits DHCP response to ZXA10 C300/C320 with the

destination address of 'giaddr', finally ZXA10 C300/C320 forwards it to the user.

Figure 6-3 shows the DHCP principles:
6.5 DHCP Proxy
6.5.1 Introduction
 Description
DHCP proxy is a special form of the DHCP relay. Through ZXA10 C300/C320, the
DHCP proxy converts the originally obtained long leased time to pre-configured
short leased time and assigns it to users. It can also implements abnormal offline
test on the DHCP users.
 Target
DHCP proxy is used to improve the service efficiency of IP addresses by

preventing some users from being offline abnormally, while their long leased IP
addresses cannot be recycled in time.
DHCP proxy has the following features:

 Configure DHCP relay on layer 3 VLAN interface to be DHCP proxy.
 Configure short lease time for users testing on layer 3 VLAN interface.
ZXA10 C300/C320 completely supports DHCP proxy and has no requirements on

The application scenario of the DHCP proxy is consistent with the DHCP relay.
DHCP proxy mainly applies the renew mechanism in the DHCP. According to the
protocol, the user should transmit a DHCP renew message to the DHCP server at
the 1/2 of the leased time. If the user leased time is not expired, the DHCP server
transmits a DHCP Ack to the user. Otherwise, it transmits a DHCP NAck to the
user. Then the user releases the IP address, which is to be recycled by the DHCP
server.
DHCP proxy is to simulate a DHCP server on ZXA10 C300/C320 to process the

renew message. It converts the long leased time got from the DHCP server to be a
short leased time for the user while obtaining an IP address by DHCP request.
Meanwhile, the user transmits the DHCP renew message at 1/2 of the leased time
and configure a timer on ZXA10 C300/C320. If the DHCP proxy fails to receive
user DHCP renew message, the user is considered to be offline abnormally. Then
ZXA10 C300/C320 represtents the user to transmit a DHCP release message to
the DHCP server and thereby release the IP address.

6.6 DHCP Option60
6.6.1 Introduction
 Description
As a field in the DHCP, Option60 is used to define user ONT. ZXA10 C300/C320,
as a DHCP relay, forwards DHCP packets to different DHCP servers according to
the different Option60 fields and thereby obtains different IP addresses. Option60
is actually a special mode of DHCP relay/proxy to choose the DHCP server.
 Target
Option60 is used for different ONT to forward protocol packets to different DHCP
servers according to ZXA10 C300/C320 configuration policy in the same VLAN.
Option60 has the following features:
 One option60 is a character string, which corresponds to a DHCP server.

 A practical option60 can be configured in the DHCP relay/proxy mode to

choose a DHCP server.
ZXA10 C300/C320 completely supports DHCP relay and has no requirements on

There are two types of ONT at ZXA10 C300/C320 user side: One is for VoIP, the
other is for IPTV, which are identified with Option60 fields. The ONT of the VoIP
applies addresses from the DHCP Server 139.1.1.1 and the ONT of the IPTV
applies address from the DHCP sever 160.1.1.1, as shown in Figure 6-5
There are two types of ONT at ZXA10 C300/C320 user side: One is for VoIP, the
other is for IPTV, which are identified with Option 60 fields. The ONT of the VoIP
applies addresses from the DHCP server 139.1.1.1 and the ONT of the IPTV
applies address from the DHCP sever 160.1.1.1.
As shown in Figure 6-6, ZXA10 C300/C320 obtains the address 139.1.1.1 of the
DHCP server according to the VoIP character string of the DHCP Option 60 from
the ONT, and then forwards it to the DHCP server 139.1.1.1 to obtain the IP
address.

6.7 DHCP L2RA and Option82
6.7.1 Introduction
 Description
The option82 is called the Relay Agent Information option and is inserted by the
DHCP relay agent when forwarding client-originated DHCP packets to a DHCP
server. It carries information like line identification. Servers recognizing the Relay
Agent Information option may use the information to implement IP address or other
parameter assignment policies.
Access node like OLT, DSLAM is only a bridge device and has no IP interfaces of
a Layer3 DHCP relay, while option82 is still required by DHCP server when
receiving request from same VLAN. In this case, DHCP L2RA (layer2 relay agent)
feature of OLT should be enabled to insert option82
 Target
Act as a relay agent most close to DHCP client, insert option 82 in upstream and
remove option 82 in downstream

Support option 82 either in DHCP relay or DHCP L2RA scenario
Support sub-option1 (circuit id) and sub-option2 (remote id)
Can be configured globally or per port
OLT provides the solution that is compliant with RFC3046 and draft-ietf-dhc-l2ra
1. The client broadcasts a DHCPDISCOVER message on its local physical

subnet. OLT as L2RA intercepts this message. If OLT is closest to client, it will find
there is no option82 in the message, and then append one. Otherwise there may
be option82 appended by other relay agent, like MDU. OLT can be configured to
trust or not trust option 82 from that port and then append additional circuit id &
remote id information or replace with a new option82. OLT will broadcast the
message to all the ports except the one on which it was received. As users are
isolated horizontally, in fact, broadcast only forwarded to uplink ports. The OLT as
L2RA does not set the 'giaddr' field.
2. The DHCP server responds with a DHCPOFFER message after applying its
local policies. It echoes back option82 in the DHCPOFFER message. The
message can be either unicast with MAC of client or broadcast. OLT as L2RA will
intercept the message and remove option82 if it’s closest L2RA to client. If the
message is broadcast, OLT will identify the outgoing port using option82 and
forwards the message to the identified interface only.
3. The same DHCPOFFER message may be broadcasted by server to other

OLTs. As the information of option82 has not been recorded by those OLTs before,
the message will be dropped by those OLTs.
4. The client receives this DHCPOFFER message and it broadcasts a

DHCPREQUEST message. OLT handles this message similar to how it handles a
DHCPDISCOVER message.
5. The server receives the DHCPREQUEST message from the client and
responds with a DHCPACK/DHCPNAK message. If DHCP server either unicasts
or broadcasts the DHCPACK/DHCPNAK message, OLTs process it similar to a
DHCPOFFER message.

6. The OLT as L2RA processes a DHCPDECLINE message similar to a

DHCPDISCOVER message.
6.8 Super VLAN
6.8.1 Introduction
 Description
Super VLAN is also known as VLAN aggregation. A super VLAN involves multiple
sub-VLANs. It has a VLAN interface with an IP address assigned for layer 3
communications between sub-VLANs.
 Target
If Layer 3 communication is required from a sub-VLAN, it uses the IP address of

the super VLAN as the gateway IP address. Thus, multiple sub-VLANs share the
same gateway address and thereby save IP address resource.
ZXA10 C300/C320 supports 256 super VLANs, and each super VLAN
contains1024 sub-VLANs.
ZXA10 C300/C320 supports super VLAN and has no requirements on the uplink or
downlink devices.
Figure 6-7 shows the super VLAN application scenario. Three subscribers use
VLAN10, VLAN20, and VLAN30 for layer 3 routing. Super VLAN100 is created,
including three sub-VLANs: VLAN10, VLAN20, and VLAN30. The sub-VLANs
share one layer 3 interface for layer 3 forwarding.

Figure 6-7 Super VLAN Application Scenario
Super VLAN principle is similar to the layer 3 routing principle. For details, refer to
the section 'Route Overview'.
6.9 Static Routing
6.9.1 Introduction
 Description
A static route is a route that is created manually by a network administrator .
 Target
Static routing can implement IP route forwarding in the simple layer-3 networking.
Support static default route(dest 0.0.0.0, mask 0.0.0.0)
ZXA10 C300/C320 supports 4 K (1 K = 1024) static routes.

ZXA10 C300/C320 supports static routing and has no specific requirements on

hardware and software.
A static route includes at least parameters of destination address, net-mask,

next-hop and interface
To configure a static route, the network administrator manually configures a route

with destination address, net-mask and next-hop address for ZXA10 C300/C320
OLT. OLT uses next-hop address to do a recursive lookup in routing table and find
out the interface of the route. Then OLT records all parameters of the route to
routing table.
6.10 ECMP
6.10.1 Introduction
 Description
(ECMP) is a routing strategy in which the network element will assign multiple
next hops for a specific IP. The network element will load balance the traffic by the
IP header message.
 Target
Equal-Cost Multi-Path (ECMP) Routing improves reliability of IP route forwarding

by multi-path load balancing and link backup.
EMCP has the following features:
 Eight ECMP route entries can be configured for a specified destination IP

address.
 The EMCP route can be configured statically or through RIP or OSPF.
 Equalization algorithm can be based on source or destination IP address.

The ZXA10 C300/C320 supports ECMP and has no specific requirements on

hardware or software.
Figure 6-8 shows the ECMP application scenario. The ZXA10 C300/C320 works
as the layer-3 router. Two route items, pointing to two next-hops, are configured to
route the IP address 190.1.1.1. The source IP address is selected as the load
balancing algorithm for IP packets from 136.1.0.0/16 subscribers. The IP route
from the ZXA10 C300/C320 to 190.1.1.1 is ECMP.
Figure 6-8 ECMP Application Scenario
In the IP route forwarding process, multiple route entries are searched according to
the destination IP address before one route entry can be selected by the
equalization algorithm based on the source or destination IP address. The packets
are forwarded through this route entry, as shown in Figure 6-9.

Figure 6-9 ECMP Principles
6.11 RIP
6.11.1 Introduction
 Description
RIP is an IGP used to transmit routing information inside an AS. RIP is based on
distance vector algorithm. It uses the hop count as its routing metric.
 Target
RIP is used in small layer 3 networks with less than 16 hops to implement dynamic
IP routing learning and selection.
RIP supports the following:
 K (1 k = 1024) routes
 RIPv1 and RIPv2
 Triggering update

 Poison reverse
 Split horizon
ZXA10 C300/C320 supports RIP, so the peer end device should also support RIP.
RIP is a distance-vector routing protocol that employs hop count as its routing
metric. The hop count increases with router count. The more the hops, the longer
the path is. RIP selects the path with least hops, according to the distance vector
algorithm. RIP supports 15 hops at the maximum. A network with more than 15
hops is considered unreachable (infinite distance) and cannot be reached.
RIP routes are updated by a periodic broadcast. By default, a router broadcasts its
routing table to its connected network every 30 seconds. The routers that receive
the broadcast information adds the information to its own routing table. All the
routers broadcast in this way, and thus all the routers in the network obtain all the
route information.
Generally, routers receive route acknowledgement information every 30 seconds.

If a routing item is not acknowledged within 180 seconds, it is considered as invalid.
If a routing item is not acknowledged within 240 seconds (eight periods), it is
deleted from the routing table.
The delay time mentioned above is controlled by the following timers:
 Update timer
 Invalid timer
 Flush timer
6.12 OSPF
6.12.1 Introduction
 Description

OSPF is a typical link-state routing protocol, operating within a routing domain. The
routing domain refers to an AS, which is a collection of networks that exchange
routing information through a specific routing policy or protocol. In an AS, all the
OSPF routers maintain the same database presenting the AS. The database
stores the link status information on the routing domain. The OSPF calculates the
OSPF routing table through this database.
As a link-state routing protocol, OSPF sends the LSA packet to all the routers in
the same domain, while the distance-vector routing protocol router sends some or
all of the routing tables to its neighboring routers.
 Target
OSPF is used for dynamic IP learning and selection in a large or medium layer-3
network containing hundreds of routers.
OSPF supports the following:
 K (1 K = 1024) routers
 OSPFv2
 AS border router, area border router, and internal router
ZXA10 C300 supports OSPF, so the peer end device should also support OSPF.
The OSPF working principle is as follows:
 Neighbor setup
The router that advertises OSPF sends the Hello packet through all the OSPF
interfaces. If two routers share one link and they can negotiate the Hello
packet parameters, neighbor relationship is set up between them. If the
parameters cannot be matched, the received Hello packet is discarded, and
the neighbor relationship cannot be set up. Hello packet parameters include

the area-ID, authentication information, network mask, Hello time interval,

invalid router time interval, and optional parameters.
 Routing flooding
Each router sends the LSA packet to its neighbors. LSA describes the
information on all the router links and interfaces, the router neighbors, and the
link status.
When a router receives an LSA packet from its neighbor, it re cords the LSA
information in its link state database, and then sends a copy of the LSA to the
other neighbors. The LSA packet is flooded in the entire area, and all the
routers then have the same link state database.
OSPF routing flooding is reliable, and it is implemented hop by hop.
 Routing calculation
Each router takes itself as the root to calculate a non-loop topology through the
SPF algorithm. This topology presents the shortest path to each destination.
6.13 IS-IS
6.13.1 Introduction
 Description
Intermediate System-to-Intermediate System (IS-IS) Protocol is an intradomain

Open System Interconnection (OSI) dynamic routing protocol specified in
International Organization for Standardization (ISO) 10589. The protocol is
designed to operate in OSI Connectionless Network Service (CLNS). Data is
carried using the protocol specified in ISO 8473.
 Target
The IS-IS routing protocol is a link-state protocol, as opposed to distance-vector

protocols such as Interior Gateway Routing Protocol (IGRP) and Routing
Information Protocol (RIP). Link-state offers several advantages over

distance-vector protocols. It is faster converging, supports much larger

internetworks, and is less susceptible to routing loops.
IS-IS supports the following:
 K (1 K = 1024) routers
 Level-1 router, Level-2 router, L1/L2 router
 SNP
 MD5 authentication
 FRR
ZXA10 C300 supports IS-IS, so the peer end device should also support IS-IS.
The IS-IS working principle is as follows:
 Neighbor setup
 IS-IS hello PDU is similar to the HELLO packet in OSPF protocol, which is
responsible to form adjacency between routers, discovers new neighbors and
detects the leaving of any neighbors.
 Routing flooding
 IS-IS routers uses LSA to exchange routing information, set up and maintain
link state database. A LSP indicates the important information related to a
router, including the area and the connected network. SNP is used to ensure
that LSPs can be transmitted reliably.
 Routing calculation

 IS-IS protocol also uses the Dijkstra SPF algorithm to calculate routes. Based
on the link state database, it uses the SPF algorithm to calculate the optimal
route and then adds the route to IP routing table.
6.14 BGP
6.14.1 Introduction
 Description
Border Gateway Protocol (BGP) is an inter-domain routing protocol used between

ASs. By means of BGP, ASs can exchange the information of network reachability
between each other. The information is a list of ASs where a route passes through,
which is sufficient to set up a diagram to indicate the connection status of the ASs.
In this way, AS-based routing selection policy is available, and BGP also solves
the problem of route loop.
 Target
BGP allows you to set up an interdomain routing system that automatically

guarantees the loop-free exchange of routing information between autonomous
systems.
BGP vsrion4 supports the following:
 CIDR
 Route aggregation
 MD5 authentication
 EBGP, IBGP
ZXA10 C300 supports BGP, so the peer end device should also support BGP.

The BGP working principle is as follows:
 Idle State
 It is the initial state. The BGP starts initialization after the protocol is activated.
It resets the timer, launches the first TCP connection and enters state 2.
 Connect state
 The BGP starts TCP connection and waits for the message of TCP successful
connection. If the connection is successful, then the BGP enters OpenSent
state. Otherwise, the BGP enters Active state.
 Active state
 The BGP always tries to establish TCP connection. If the connection timer
times out, then the BGP returns to Connect state. If TCP connection is
successful, then BGP enters OpenSent state.
 OpenSent state
 TCP connection is established already. The BGP sends the first OPEN packet
and waits for the reply from the peer. BGP examines the reply packet. If the
BGP finds error, it will send a NOTIFICATION packet and return to Idle state. If
there is no error in the reply packet, BGP will send a KEEPALIVE packet.
KEEKALIVE timer starts timing. The BGP enters into OpenConfirm state.
 OpenConfirm state
 The BGP waits for KEEPALIVE packet and resets the KEEPALIVE timer.
When the BGP receives a KEEPALIVE packet, it enters Established state.
 Established state
 Neighborhood is set up already. Router exchanges Update packet with its

neighbor, and meanwhile, the KEEPALIVE timer is reset.

7 MPLS Feature
7.1 MPLS basic features
7.1.1 Introduction
 Description
Multi-Protocol Label Switch, MPLS operates at a layer that lies between traditional
definitions of layer 2 (data link layer) and layer 3 (network layer). In an MPLS
network, data packets are assigned labels. Packet-forwarding decisions are made
solely on the contents of this label, without the need to examine the packet itself.
MPLS supports label stacking that can build overlay network architecture that
multi-service forwarding on same bearing network.
 Target
OLT here can act as a LER(Label Edge Router), and setup MPLS tunnels by IP
route topology. User services are overlaid on this IP/MPLS network by PWE3
encapsulation that includes SAToP and Ethernet mode. The MPLS service in
C300 focuses on MPLS L2VPN application including wholesale, mobile backhaul
scenarios. The Multi-Protocol Label Switch (MPLS) architecture is used for
high-speed data switching. MPLS provides network data flow with capacities such
as destination finding, routing, switching, and forwarding.
 Features& Specifications
 Supporting IPv4/IPv6 MPLS.
 Realizing label distribution, including static MPLS label configuration and

dynamic configuration by Label Distribution Protocol (LDP).
 Supporting PWE3 encapsulation, type of SAToP E1/T1, Ethernet tag/raw
 Supporting MPLS L2VPN Ethernet services, including VPWS and

VPLS/H-VPLS.

 Supporting MPLS OAM, includes MPLS ping/trace route, PW VCCV
Figure 7-1 MPLS labels forwarding
FEC forwarding equivalence class, a group of L3 packets which are forwarded in the
same manner (e.g., over the same path, with the same forwarding treatment)
LSR label switching router, an MPLS node which is capable of forwarding labeled L3
packets
LER label edge router, an MPLS node that connects an MPLS domain with a node
which is outside of the domain, either because it does not run MPLS, and/or because it is
in a different domain. Note that if an LSR has a neighboring host which is not running
MPLS, that the LSR is a LER.
LSP label switched path, the path through one or more LSRs at one level of the
hierarchy followed by a packets in a particular FEC.
In MPLS, a label is a short, fixed length, locally significant identifier which is used to
identify a FEC. The label which is put on a particular packet represents the Forwarding
Equivalence Class to which that packet is assigned.

Figure 7-2 MPLS Label format
The label stack entries appear AFTER the data link layer headers, but BEFORE any
network layer headers. The top of the label stack appears earliest in the packet, and
the bottom appears latest. The network layer packet immediately follows the label stack
entry which has the S bit set.

Figure 7-3 The implementation of MPLS
OAM
Management Plane Telnet Snmp SSH
Application Protocol
MPLS IPv4 Stack IPv6 Stack

route management
L3 Protocol Multiple Layer
L2 Protocol
stp vlan
Control Plane ……
Data Plane
Physical Layer VLAN handling Physical Layer

TC Layer MAC Management L2vpn Processing Line Adaption
GEM Ipv4/Ipv6 forwarding PW handling Transport
DBA IP Multicast Lable handling OAM
OAM Routing
AES/FEC Load balancing
OMCI QOS
Redundancy
TM/Qos Routing
Load balancing MPLS OAM
Xpon <-> ETH Qos/Cos
Redundancy
Performance Performance
ETH Switch/Aggregation
MPLS SubSystem
xPON Subsystem subSystem Network ETH port
The implementation of MPLS in C300 is subject to the principle of three-plane

isolation:
The management plane supports telnet, ssh, console, snmp, and rmon. These are
device management methods used for configuration and management of
operation.
The control plane integrates multiple protocols and service control modules, which
are used to support frames switching and packets forwarding. C300 supports
IPV4/IPV6 dual stack, which can work simultaneously and forward packets through
binding the interface to the protocol stack.
The forwarding plane realizes frame switching and packet forwarding. MPL S Bear
Subsystem includes L2vpn processing, PW handling, label handling, Routing,
Load balancing, Redundancy, MPLS OAM, COS mapping, mapping between
MPLS TC and COS, and Performance Monitor.

7.1.3 Main Performance Indices
Maximum LDP sessions: 16
Maximum PWs: 2048
Maximum ACs: 2048
Maximum PSN LDP label entries on the forwarding plane：2048
Maximum VSIs: 256
Maximum LDP label entries on the control plane: 30000
Maximum label stacks level: 4
7.2 MPLS Label Distribution Management
7.2.1 Introduction
 Description
MPLS requires a set of procedures to enhance network layer packets with label
stacks, which thereby turns them into labeled packets. Routers/OLT that supports
MPLS is known as Label Switching Routers (LSRs). In order to transmit a labeled
packet on a particular data link, an LSR must support the encoding technique
which, when given a label stack and a network layer packet, produces a labeled
packet.
Both PSN label and PW label in C300 support static and dynamic distribution.
 Supporting static PW.
 Supporting static LSP.
 Supporting LDP in accordance with RFC3036.

 Static LSP:
C300 can support static LSP. As a LER, C300 mainly supports the static egress
LSP.
Static PW:
C300 supports static PW by assigning static ingress or egress label.
 LDP:
C300 supports LDP in accordance with IETF standards and drafts, such as
RFC3036, RFC5036, RFC4447, and RFC4762.
7.3 LDP
7.3.1 Introduction
 Description
The Label Distribution Protocol (LDP) is a protocol defined by the IETF (RFC 5036)
for the purpose of distributing labels in an MPLS environment.
 Target
Label Distribution Protocol (LDP) is used for two Label Switch Routers (LSR)
exchange label mapping information. The two LSRs are called LDP peers and the
exchange of information is bi-directional. LDP is used to build and maintain LSP
databases that are used to forward traffic through Multiprotocol Label Switching
(MPLS) networks.
 Supporting LDP protocol in accordance with RFC3036
 Supporting DoU mode
 Supporting DoD mode

 Supporting Inter-Area LDP in accordance with RFC5283
 Supporting Nonstop Forwarding (NSF) and MPLS LDP Graceful Restart in

accordance with RFC3478
 Abbreviation
LSP Label Switched Path
PW Pseudo Wire
LDP Label Distribution Protocol
DoU Downstream Unsolicited
DoD Downstream on Demand
 LDP General
LDP label distribution is topology-driven.
LDP has two different label distribution modes:
 Downstream Unsolicited mode: For a specific FEC, LSR allocates and

distributes label while receiving nothing from the upstream node.
 Downstream On Demand: For a specific FEC, LSR allocates and distributes

label only after receiving Label Request message from the upstream node.
LDP has two label control modes:
 Independent mode: LSR can, at any time, distribute label to its peers. In this
distribution pattern, LSR would distribute label to the upstream node before
receiving labels distributed by the downstream node.
 Ordered mode: The only condition for LSR to distribute label to the upstream
node is to receive labels distributed by the downstream node.
LDP has two label reservation modes:

 Liberal reservation mode: LSR keeps all label mappings received from its peer
LSR, regardless of whether the LSR is the next hop for the advertised
mapping.
 Conservative reservation mode: LSR only keeps label mappings received from
its peer LSR, which is the next hop LSR according to routing.
LDP has two loop check modes:
 Path Vector
 Hop Count
By default, C300 runs in Downstream Unsolicited mode for label distribution. In

Downstream Unsolicited mode, Independent label control mode and Liberal label
reservation mode are adopted. In Downstream on Demand mode, ordered label
control mode and Conservation label reservation mode are adopted by default.
 DP Graceful Restart
C300 supports Non-Stop Forwarding (NSF) and LDP Graceful Restart in

accordance with RFC3487. GR function is started by Initial message and used to
make sure that the data flow is not broken while the main and standby boards are
switching.
C300 acts as a Restarter: While the main control board and standby board are
switching, the new main board starts a keeping timer, and keeps all MPLS
switching entries which are marked as stale. The binding relationship between
FEC and label is recovered through the interaction between Restarter and Helper.
The MPLS switching entries will be deleted when the forwarding status keeping
timer is timeout in Restarter.
C300 acts as a Helper: While the session down event is captured, Helper will mark
all MPLS entries as ―stale‖, which is learned from Restarter. These entries will be
kept for a while (The value of the Recovery Time advertised in the FT Session TLV
is set to the (current) value of the timer at the point in which the Initialization
message carrying the FT Session TLV is sent.) If LDP session restart fails during
this period, MPLS entries marked as ―stale‖ will be deleted. Otherwise, these
entries will be kept for a Recovery time. And during the Recovery time, Helper
interacts with Restarter and helps Restarter recover the MPLS switch entries,
which were marked as ―stale‖. Helper would delete the stale mark after receiving

the same label binding information from Restarter. The remaining entries marked
as ―stale‖ will be deleted after Recovery time.
The data flow would not be interrupted by the mechanism described above.
By default, Helper mode is enabled after the successful GR negotiation. And it can
also be shut down by command.
 Inter-Area LSP
As the increasing applications of MPLS L2VPN/L3VPN and the extension of MPLS

network, LSPs need to be established among different PE devices located in
different IGP domains.
RFC5036 recommends that the IP address of the FEC Element should exactly
match an entry in the IP Routing Information Base (RIB). A Label Switching Router
(LSR) receiving a Label Mapping message from a downstream LSR for a Prefix
SHOULD NOT use the label for forwarding unless its routing table contains an
entry that exactly matches the FEC Element.
Therefore, MPLS LSPs between Label Edge Routers (LERs) in different

areas/levels are not set up unless the specific (e.g., /32 for IPv4) loopback
addresses of all the LERs are redistributed across all areas.
The traditional solution is IGP route leaking. As a consequence, the potential

benefits that a multi-area domain may yield are significantly diminished since a lot
of addresses have to be redistributed by ABRs, and the number of IP entries in the
IGP Link State Database (LSDB), RIB, and Forwarding Information Base (FIB)
maintained by every LSR of the domain (whatever the area/level it belongs to)
cannot be minimized. Because C300 supports LDP Extension for Inter-Area LSPs
in accordance with RFC5283, this problem can be solved by taking the
Longest-Match Label Mapping Message Procedure, as shown below:

Figure 7-4 Inter-Area LSP
10.1.1.0/24 10.1.1.1/32 10.1.1.1

10.1.1.0/24 PE2
PE1 ABR1 ABR2

10.1.1.1/32
16
10.1.1.2/32
16
10.1.1.1/32 16 , 10.1.1.2/32 10.1.1.1/32 16 , 10.1.1.2/32
17 17
10.1.1.2/32
PE3
LDP label transmission path
10.1.1.2
IGP routes study path
This figure shows the transmission path of 32-bits IGP routes and LDP labels. In
ABR1 and PE1, FEC 10.1.1.1/32 and FEC 10.1.1.2/32 cannot find an exactly
matched route, but they can use the longest-match method to find the route
10.1.1.0/24. So the outbound interface and the next hop information of this route
are used for both FECs to distribute labels.
7.4 MPLS L2 VPN
7.4.1 Introduction
 Target
C300 uses MPLS L2VPN technology to support Ethernet point-to-point Services

(E-Line)，Ethernet point-to-multipoint Services（E-Tree）and Ethernet multipoint-to-
multipoint Services（E-LAN）.
 Features & Specifications
The implementation of MPLS L2VPN is to encapsulate ATM cells, FR frames, and

Ethernet frames to MPLS frames, and design VPN network to enable VPN
member sites communicate in MPLS domain.
 Supporting VPWS in accordance with RFC4448.
 Supporting VPLS and H-VPLS in accordance with RFC4762.

 Supporting MPLS Pseudowire (PW) and FEC types 128 and 129 in
accordance with RFC3985.
 Supporting PW AII, SAI, and TAI in accordance with RFC5003.
 Supporting static PW and establishing PW by LDP signaling in accordance

with RFC4447.
 Supporting multi-segments Pseudowire.
 Supporting Ethernet PW in both raw mode and tagged mode in accordance

with RFC4448.
 Supporting negotiation of control word in accordance with RFC4385.
 Supporting NSP VLAN handling.
 Acronyms
AII Attachment Individual Identifier
SAI Source Attachment Identifier
TAI Target Attachment Identifier
VPWS Virtual Private Wire Service
VPLS Virtual Private LAN Service
PWE3 Pseudo Wire Emulation Edge to Edge
NSP Native Service Process
Attachment Circuit (AC): AC is a link or virtual link between CE and PE,

established through CIP accessing VSI instance. CIP binds different interfaces or
VLAN to different L2VPN instances. The customers' packets in AC are transmitted
to the peer site without any changes. These packets include L2 frames and L3
packets. But the VLAN-ID used to distinguish different service frames can be
modified, deleted, and added according to different purposes.
Pseudowire (PW): PW is a method, which encapsulates service-specific bit

streams, cells, or PDUs arriving at an ingress port, and carries them across an IP

path or MPLS tunnel. A PW for VPWS is just like a direct link between local AC and
remote AC, which is used for transparently transmitting layer2 frames.
VPLS Instance (VSI): VPLS instance, which is used to manage AC and PW.
Forwarders: Forwarder in PE is used to choose a PW to forward packets received

from AC, and vice versa. In fact, forwarder is the MAC switching table and member
table in VPLS.
Tunnels: Tunnels are used for carrying PW. One tunnel can carry many PWs. In
general, they are MPLS LSP tunnels used for transparently transmitting frames
between local PE and remote PE.
Encapsulation: The frames transmitted through PW are encapsulated by standard

PW encapsulation format and technology. There are two encapsulation modes:
Tagged mode and Raw mode.
Pseudowire Signaling Protocol: PW signaling protocol is the base for VPWS/VPLS

implementation. This signal protocol is used for establishing and maintaining PW.
Nowadays, the main PW signaling protocol is LDP.
 MPLS Pseudowire (PW)
C300 supports MPLS L2VPN application, supports Pseudowire Emulation Edge to

Edge (PWE3) in accordance with RFC3985 and others, including:
 Supporting FEC 128 type and 129 type, establishing PW through LDP
according to RFC4447.
 Supporting Globally unique Attachment Individual Identifiers （AII）for the

addressing of the start（SAI）and end points（TAI）of the Pseudowire in
accordance with RFC5003.
 Supporting Multi-Segment Pseudowire (MS-PW) in accordance with

draft-ietf-pwe3-segmented-pw-15.
 Supporting negotiation of control word. Supporting adding, recognizing and

handling control word on the forwarding plane. And also, C300 supports

configuration of control word preferred based on PW in accordance with

RFC4385.
C300 supports Ethernet Circuit Emulation according to RFC4448, and supports

Raw mode and Tag mode through VLAN NSP.
C300 supports OAM mechanism based on VCCV in accordance with RFC5085.

C300 supports In-Band VCCV (Type 1) and Out-of-Band (Type 2) of control
channel. And C300 supports MPLS LSP Ping in connectivity verification
 VPLS (Virtual Private LAN Service)
Figure 7-5 VPLS Reference Model
C300 supports VPLS based on LDP in accordance with RFC4664, RFC4448 and
RFC4762.
Signaling Protocol
The VPLS service in C300 uses extension LDP signaling protocol to establish
session. VPLS information is carried in TLV field in LDP packet. FEC type 128 and
type 129 are supported. Target session type is needed for non-direct connection
devices to exchange VC signal information through LDP session.
As shown in the figure above, while one VSI is configured to PE1, and PE2 is
assigned to be its peer, a label will be allocated. After successfully establishing
LDP session, PE1 will send mapping message to PE2. After receiving mapping

message, PE2 will check whether the same VSI exists. If PE2 has the same VSI
and the same VCID and encapsulation type with PE1, PE1 and PE2 is in the same
VPN. After checking, the PW will be established in PE2. PE2 will also send
mapping message to PE1. After receiving mapping message, PE1 will do the same
check and then PW will be established in PE1. And then, a whole PW link is
created successfully.
While the VPN between PE1 and PE2 is broken, PE1 will send withdraw message
to PE2. After receiving withdraw message, PE2 removes PW and sends back to
PE1 with release message. After receiving release message, PE1 removes PW
and withdraw label.
Frames Switching
The VPLS network can be treated as a big switch crossing MPLS cloud. It
transparently switches frames through PWs established among VPN sites. PE
learns MAC addresses and creates a MAC switching table which contains
mappings between MAC address and AC and PW while switching frames. P
device switches MPLS frames according to MPLS label only and it does not care
about layer2 customer content. C300 can be PE device. After PSN tunnel and PW
have been established, C300 maintains L2VPN VSI and MAC table and switching
frames.
MAC Addresses Management
The VSI instance in VPLS network has the similar function of L2 Ethernet switch.
The L2 switching table needs to be created and maintained. Frames switching is
done according to this table. VSI supports L2 functions such as MAC address
learning, MAC address aging and MAC address flooding.
 Source MAC Address Learning
 In order to switch frames, PE must create a MAC switching table. VPLS

creates MAC switching table in a standard way, which includes two parts:
 Remote MAC Address Learning
 PW consists of a pair of VC LSP. While an unknown MAC address is learned

at ingress VC LSP, the mapping between this MAC address and egress VC
LSP is created.
 Local MAC Address Learning

VSI would learn the MAC address in frames coming from CE.
 MAC Address Aging
Unused MAC address entries need to be deleted. A timer will be started just after
this entry is created. And then it will be deleted upon time out.
 MAC Address Flooding
MAC address for unicast frames would be flooded in the whole VPLS network
before it is learned. The mechanism is also applied for broadcast and multicast
frames. While flooding, all AC and PW in the same VPN will be received.
 VSI MAC Address learning Control
 The maximum MAC address number can be configured.
 MAC Address Deleting
 Any specific MAC address entry can be deleted easily by configuration.
 MAC Address Withdrawal
Except MAC address aging mechanism, sometimes, fast convergence mechanism

for useless MAC entries is needed. C300 supports MAC Address Withdrawal
mechanism in accordance with RFC4762. This mechanism is used for sending
LDP Address Withdraw Message to new active PE through existing LDP session
while the switching over between active and standby PW is happening. It can also
be used for receiving and handling LDP Address Withdraw Message from other
PEs and deleting useless MAC entries in L2VPN instance, which includes three
different methods:
For each MAC address in the TLV ：Remove the association between the MAC
address and the AC or PW over which this message is received
For a MAC Address Withdraw message with empty list ：Remove all the MAC
addresses associated with the VPLS instance (specified by the FEC TLV) except
the MAC addresses learned over the PW associated with this signaling session
over which the message was received
For a MAC Address Withdraw message with empty list and PE-ID TLV：Removes
all MAC addresses learned on the PW that terminated in PE associated with

PE-ID and relays MAC flush messages with the received PE-ID to all its peer PE
devices in accordance with draft-ietf-l2vpn-vpls-ldp-mac-opt.
 H-VPLS
Figure 7-6 H-VPLS
In VPLS network, it is a full-mesh network among all PEs. If a new PE is added to

this network, this new PE needs to establish a PW with all other PEs. As the
number of PE increases, there will be a huge number of LDP session and PW. In
order to solve this problem, H-VPLS is introduced. C300 supports H-VPLS.
The core idea of H-VPLS is to establish a hierarchical network. A full-mesh network

is created in the top-level network just like the flat mode. The PE devices in
different level networks are connected by spoke PW. Upper level device is called
Network-facing Provider Edge (NPE), and lower level device is called User -facing
Provider Edge (UPE). In NPE, the spoke PW can exchange frames with ACs and
other PWs. However, the HUB PW cannot exchange frames with other HUB PWs
in accordance with the horizontal split principle. PW in C300 can be configured as
Hub mode or Spoke mode, and Hub mode PW is default.
 VPWS（Virtual Private Wire Service）

Figure 7-7 VPWS Reference Model
Based on the ―Framework for Layer 2 Virtual Private Networks‖ of the RFC4664 ，
C300 OLT supports the ―Encapsulation Methods for Transport of Ethernet over
MPLS Networks‖ defined in RFC4448, provides high-speed Layer 2 transparent
transmission to peer PE router of VPWS.
VPWS is mainly composed of PE routers, LDP and LSP Tunnel of the MPLS.
AS PE router, C300 OLT possesses and maintains link information of Layer 2

transparent transmission connected directly to it. C300 OLT is responsible for
making and removing labels on common packet of VPN clients, so that C300
should be an edge label switch router.
LSP tunnel through MPLS network should be defined between two PE routers and
should provide Tunnel Label transparently transmitting data between two PE
routers. At the same time, direct process of LDP label distribution protocol is also
defined between two PE routers to transmit virtual link information. Among them,
distributing VC Label through matching VCID is critical.
When data packet enters C300 OLT at the port of Layer 2 transparent transmission,
C300 OLT finds the corresponding Tunnel Label and VC Label through matching
VCID. C300 OLT will put two layers labels on the data packet. External layer is
Tunnel Label indicating the route from this PE router to destination PE router.
Internal layer is VC Label indicating which corresponding router port of VCID
belongs to on destination PE router. When C300 OLT receives packets from

pseudo wire, C300 OLT finds the corresponding L2VPN instance, removes the
labels and sends the packets to corresponding attachment circuit.
C300 OLT monitor Layer 2 protocol state at each port。When a fault occurs, users
can cancel VC Label through LDP label distribution protocol process so that Layer
2 transparent transmission is shut off avoiding producing unidirectional unwanted
data stream.
7.5 MPLS Redundancy
7.5.1 Introduction
 Target
The Redundancy feature enables you to configure your network to detect a failure
in the network and reroute the Layer 2 (L2) service to another endp oint that can
continue to provide service.
For MPLS service, C300 mainly supports PSN tunnel fast re-route and PW
redundancy. The method of PSN re-route is LDP FRR. PW redundancy is
accomplished by referring to draft-ietf-pwe3-redundancy and
draft-ietf-pwe3-redundancy-bit draft.
 Supports LDP FRR
 Supports PW redundancy
 Abbreviations
VCCV Virtual Circuit Connectivity Verification
OAM Operation and Maintenance
 LDP FRR
C300 PSN protection function relies on LDP FRR technology. In DoU mode, when
the liberal reservation mode is used, C300 learns the labels distributed by the peer

PE, sets up the main LSP and reserves the label information of the backup path. In
DoD mode, for multiple paths, C300 actively requests for related next hop and
reserves path label. The fast PSN LSP switchover （that is, the previous active
LSP switches the traffic to the backup LSP.）can be initiated in the case of link fault
through associating the static route with the fault detection mechanisms like link
status, fast BFD.
Figure 7-8 LDP FRR
As shown in the above figure, when LSR1 detects LSR2 path fault through link or
BFD, the backup LSP through LSR3 is enabled to guarantee that the service traffic
can be switched over a new available path quickly.
 PW Redundancy

Figure 7-9 PW Redundancy
C300 supports dual-homing backup PE described in draft-ietf-pwe3-redundancy.
As shown in the above figure, C300 (PE1) establishes active or standby PWs
respectively with PE2 and PE3. The active/standby PW supports 1:1 backup.
1:1 backup: C300 only sends data to the active PW.
C300 supports fault detection mechanism such as VCCV to detect the PE status.
When it detects communication failure, the PW switchover is initiated and the
active PW is switched over the standby PW. For VPLS application, C300 sends the
corresponding MAC address withdraw message to PE3 at the same time. When
the previous active PE2 returns to working status, the switch back depends on the
configured policy. If the policy is configured to switchover, the service traffic will
return to the PW connected to PE2. C300 supports both immediate and postponed
switchover configurations. If the policy is configured not to switch, the PW
connected to the PE3 will work as the active PW.

7.6 Load Balancing
7.6.1 Introduction
 Description:
To utilize the bandwidth of multiple data links efficiently, load balancing sets up a
bunch of equal-cost routings that have a same destination.
 Features& Specifications:
Support the load balancing based on ECMP (Equal-Cost Multi-Path) technology

Abbreviations:
ECMP Equal-Cost Multi-Path
LER Label Edge Router
C300 supports load balancing based on ECMP mechanism (Equal-Cost

Multi-path): by setting up multiple equal-cost routings to destination, implements
multi-path on the forwarding plane and achieves load balancing, depending on the
destination address.
By this method, bandwidth is more efficiently utilized.
Load balancing can also be enabled when C300 provides MPLS service based on
the bottom stack label to realize load balancing of MPLS L2VPN service flow. By
default, this bottom stack label is PW label. Data flow of the same PW label
transfers through the same LSP to the destination PE to ensure its order.
7.7 MPLS OAM
7.7.1 Introduction
 Description

Operation and Management (OAM) for Multi-Protocol Label Switching (MPLS)

support the daily maintenance and operation such as monitoring, analyzing, testing,
and failure diagnosing of MPLS Network and its services.
 Target
To help operators to monitor, analyze, detect fault, diagnose the services in the
MPLS network. MPLS OAM functions are provided, including connectivity test of
label switching path, MPLS forwarding failure fast isolation or avoidance.
 Features & Specifications
 Support MPLS LSP PING/TRACEROUTE in accordance with RFC4379
 Support MPLS LSP Multipath Tree Trace in accordance with RFC4379
 Support ICMP Enhanced TRACEROUT，handle of ICMP extended MPLS

Label Stack Object in accordance with RFC4950
 Support VCCV and PW ping, in accordance with RFC5085
 Abbreviations
AIS Alarm Indication Signal
BFD Bidirectional Forwarding Detection
CV Connectivity Verification
ECMP Equal Cost Multiple Path
MEP ME End Points
VCCV Virtual Circuit Connectivity Verification
 LSP Ping/Traceroute
LSP ping/traceroute is a method to detect the forwarding plane failure of MPLS

LSP. It serves as a solution for fast discovery and isolation of routing black-hole.
By using the packets which belong to a specific FEC, C300 can verify the integrit y
of the LSP (from Ingress LSR to Egress LSR) which is included in the FEC, and

pack the belonged FEC’s information into MPLS ping echo request message. An
MPLS ping packet is an IPv4/IPv6 UDP packet including sequence number and
timestamp. By handling MPLS ping requests, MPLS have the same forwarding
mechanism of the FEC packet. In "ping" mode (basic connectivity check), the
packet should reach the end of the path, at which point it is sent to the control
plane of the egress LSR, which then verifies whether it is indeed an egress for the
FEC.
Figure 7-10 LSP Ping
MPLS Echo Reply
4
3 1
5 3
2 4
P2 2 PE2 CE2
6
1
88.3 1 P1
3 MPLS Echo Request
MPLS
2
CE1 PE1
P3
P4
P5 PE3 CE3
LER LSR
LER
As shown in this Figure 7-10, when PE1 initiates an MPLS echo request toward the
PE2, the procedure is:
 Step 1：PE1 initiates an MPLS echo request toward PE2 and sends it to the
next hop P1.
 Step 2: P1 receives this MPLS echo request, and forwards it to P2 along the
LSP.
 Step 3: P2 receives this MPLS echo request, pops the current MPLS label
(following penultimate hop popping) and sends the packet to PE2 along the
LSP.
 Step 4: PE2 receives the MPLS echo request packet, processes MPLS echo
request, returns an MPLS echo reply packet to PE1 along the backward path.

 Step 5: P2 and P1 forward the packet to PE1 according to the IP routing.
 Step 6: PE1 processes MPLS echo reply, and provides LSP path detecting
result.
When the LSP corresponding to the detected FEC communication fails, PE1 will
not receive MPLS echo reply from PE2. Then PE1 will provide the failure report.
LSP traceroute is used for hop-by-hop fault localization as well as path tracing..
In "traceroute" mode (fault isolation), the packet is sent to the control plane of
each transit LSR, which performs various checks that it is indeed a transit LSR for
this path; this LSR also returns further information that helps check the control
plane against the data plane, i.e., that forwarding matches what the routing
protocols determined as the path.
As shown in the Figure 7-11, when the PE1 initiates an MPLS traceroute toward
the PE2, the procedure is:

Figure 7-11 LSP Traceroute
LSP
MPLS Echo Request,TTL=1
PE1 P1 P2 PE2
MPLS Echo Reply
2
LSP
MPLS Echo Request,TTL=2 MPLS Echo Request,TTL=1
3 4
PE1 P1 P2 PE2
MPLS Echo Reply
5
MPLS Echo Request,TTL=3 MPLS Echo Request,TTL=2 MPLS Echo Request,TTL=1
6 7 8
PE1 P1 P2 PE2
MPLS Echo Reply
9
 Step 1: PE1 initiates an MPLS echo request toward PE2, sets value of the
MPLS label TTL to 1, and sends this request packet to next hop P1.
 Step 2: P1 receives MPLS echo request with TTL=1, decreases the TTL value
from 1 to 0, which causes timeout, then sends it up to control plane to process.
P1 searches for download mapping according to the entrance label and sends
an MPLS echo reply containing its own download mapping information to PE1
on the control plane.
 Step 3: When PE1 receives the MPLS echo reply and records the information,
the PE1 initiates a new MPLS echo request with TTL=2, which contains
download mapping information gained from the MPLS echo reply, and sends
to the next hop P1.

 Step 4: P1 receives the MPLS echo request with TTL=2, decreases from 2 to 1,
forward it to next hop P2.
 Step 5: P2 receives the MPLS echo request with TTL=1, decreases from 1
to 0, which causes timeout, then sends it up to control plane to pr ocess.. P2
searches for download mapping according to the entrance label and sends an
MPLS echo reply containing its own download mapping information to PE1 on
the control plane.
 Step 6: When PE1 receives the MPLS echo reply and records the information,
the PE1 initiates a new MPLS echo request with TTL=3, which contains
download mapping information gained from the MPLS echo reply, and sends
to the next hop P1.
 Step 7: P1 receives the MPLS echo request with TTL=3, decreases from 3 to 2,
forward it to next hop P2.
 Step8: P2 receives the MPLS echo request with TTL=2, decreases from 2 to 1,
forward it to next hop PE2.
 Step 9: PE2 receives the MPLS echo request with TTL=1, decreases from 1 to
0, which causes timeout, then sends it up to control plane to process. On the
control plane, PE2 searches for download mapping according to the entrance
label, finds it is egress LER of the LSP, and sends an MPLS echo reply to PE1.
 Finally, PE1 receives the MPLS echo reply, and displays the result.
When the LSP corresponding to the detected FEC communication is broken, one
of LSRs will return an MPLS echo reply with corresponding echo return code. Then
PE1 displays the result according to the echo return code in the MPLS echo reply
or whether the MPLS echo reply is missing.
According to MPLS echo reply from routers on LSP path, PE1 will return
corresponding Echo Return Code. PE1 can give out the traceroute basing on the
received Echo Return Code within MPLS echo reply.
 MPLS LSP Multipath Tree Trace
MPLS LSP Multipath Tree Trace feature provides an automated way to discover all
paths from the ingress PE to the egress PE in multivendor networks that use IPv4

load balancing at the transit devices. Once the PE-to-PE paths are discovered, use
MPLS LSP ping and MPLS LSP TRACEROUTE to periodically test them.
When executing MPLS LSP Multipath Tree Trace on the source device, the OLT
needs to find the set of IP header destination addresses to use all possible output
paths. The source device starts path discovery by sending a transit r outer a bitmap
in an MPLS echo request. The transit router returns information in an MPLS echo
request that contains subsets of the bitmap in a downstream map (DS Map) in an
echo reply. The source device can then use the information in the echo reply to
interrogate the next device. The source device interrogates each successive router
until it finds one bitmap setting that is common to all devices along the path. The
device uses TTL expiry to interrogate the routers to find the common bits.
Figure 7-12 LSP multipath tree trace
Adr:1,2,4,15 Adr:1,4
Ad
,15 LSR120 LSR130
Ad
LSR140 r:4
,7 ,13 Ad
r :2
,15
~5 r: 3
r :1 ,5,
Ad 7 ,13
Adr:0~15
Adr:7,13 Adr:15
Adr:7
Adr:14
LSR101 LSR111 LSR131 LSR141 LSR150
Ad
r:
4
0,
1
9,
6,
6,
8,
r:
9,
Ad
10
,1
1,
12
,1
4
Adr:6,9,12,14
LSR121 LSR132 LSR142
A router load balances MPLS packets based on the incoming label stack and the
source and destination addresses in the IP header. The outgoing label stack an d
IP header source address remain constant for each path being traced. The router
needs to find the set of IP header destination addresses to use all possible output
paths. This might require exhaustive searching of the 127.x.y.z/8 address space.
Once you discover all paths from the source LSR to the target or destination LSR
with MPLS LSP multipath tree trace, you can use MPLS LSP traceroute to monitor
these paths.
 ICMP Enhanced Traceroute
C300 supports ICMP extension mechanism to enhance Traceroute mecha nism.

Not only the path detecting is achieved, but also the MPLS encapsulation status of
each package is provided. Through the MPLS Label Stack Objects (regarding to

RFC4950), which are inserted into ICMP Time Exceeded and Destination
Unreachable messages upon timeout , original router receives the timeout
message, and analyze MPLS Label Stack Object to acquire the MPLS
encapsulation status.
 VCCV and PW Ping
In MPLS LS VPN scenarios, for PW operation and maintenance, OLT provides

peer-to-peer PW detection to exam the actual operational status of the PW. By
supporting VCCV (Virtual Circuit Connectivity Verification) mechanism, C300
establishes a control tunnel between PW ingress and egress LERs to transfer
Connectivity Verification messages, which include:
 a means of signaling VCCV capabilities to a peer PE
 an encapsulation for the VCCV control channel messages that allows the
receiving PE to intercept, interpret, and process them locally as OAM
messages
 specifications for the operation of the various VCCV operational modes

transmitted within the VCCV messages.
PW ping has the same mechanism as LSP ping, to detect fault on PW forwarding
plane.
8 IPV6 Features
8.1 IPv6 Basic Functions
8.1.1 Introduction
 Description
C300/C320 supports all basic functions and features required by IPv6.
 Target

C300/C320 satisfies IPoE scenarios that defined in TR177, and supports all the
IPv6 functions in accordance with the definition of Access Node in T R177.
C300/C320 satisfies PPPoE scenarios that defined in TR187, and supports all the
IPv6 functions in accordance with the definition of Access Node in T R187.
As TR-187 has no additional requirement of Access Node based on TR-101,

C300/C320 fulfilled TR-101 requirements means compliance to TR-187 too.
 Features And Specification
C300/C320 supports IPv4/IPv6 dual protocol stack.
Both user line card and network line card can receive and forward IPv4 and IPv6
frames.
Support both IPv4 and IPv6 address on L3 interface, and support Default Address
Selection that is compliant to RFC3484
Support VLAN interface, loopback interface statically assigned with IPv6

addresses
On L3 interface of IPv6, support Path MTU (refer to RFC1981), support ICMPv6

Ping/Trace-route (refer to RFC4443), support address resolution (refer to
RFC4861), not support SLAAC (refer to RFC4862)
C300/C320 can support N: 1 and 1:1 VLAN scenarios.
C300/C320 supports layer 2 frames forwarding according to their destination MAC

address, and it doesn’t care if it’s IPv4 or IPv6 frame.
C300/C320 can classify data flow based on protocol type in layer 2 frame.
 Glossary
Access Node：The Access Node, as described in TR-101, is distributed between

the OLT and ONU. The OLT and ONU share the responsibility for Access Node
requirements as specified in TR-101.
 Abbreviations

As we all know, IPv6 provides us with so many addresses that solves the problem
of lacking of addresses for IPV4. IPv6 not only enables the operators to provide
internet service using public IP addresses, but also makes the M2M (Machine To
Machine) network, Intelligent Earth/Data Earth and the 4G services possible. All
these services require numerous IP addresses.
Since different operators would deploy IPV6 differently, therefore, Broadband

Forum introduced TR177 standard based on TR101. TR177 standard presents a
broadband access network architecture that enables operators to support IPv6. It
is built upon TR-101, which describes a popular and successful architecture for
supporting Ethernet-based DSL aggregation network.
The IPv6 function in C300/C320, used as OLT, meets all requirements defined in
TR177 standard.
Figure 8-1 Network architecture for Ethernet- based GPON aggregation
As shown in figure above, TR156 standard described the equipments used in

access network such as OLT and ONU are located in layer 2 networks. The main
function of these equipments is forwarding frames according to MAC address or
VLAN-ID. However, in IPv4 environment, TR156 has many functions related to IP
address such as ACL, binding IP address together with OLT/ONU’s interface, port
location identification (DHCP OPTION 82), and so on.
According to TR177, C300/C320 supports many IPv6 functions such as DHCPv6

relay, VLAN interface, Loopback interface statically assigned with IPv6 addresses,
IPv6 multicast, IPv6 ACL, IPv6 port location identification (DHCPv6 OPTION18,
LIO in RS packet), and address binding and so on.

Figure 8-2 Dual-Stack architecture
IPv4/IPv6 application
TCP UDP
IGMP ICMPv4 ICMPv6 MLD ND

IPv4
ARP IPv6
EthType:0x0800 EthType:0x0806 EthType:0x86DD
Ethernet
In IPv4/IPv6 dual-stack architecture,
When access node (OLT) working as a 802.3 Ethernet bridge, both IPv4 and IPv6
packets are encapsulated in 802.3 Ethernet frames however with different
EthType(protocol type). So OLT can classify data flow based on EthType without
inspection of IP payload. OLT can forward both IPv4 and IPv6 frames by MAC
address.
When OLT enable L3 interface, the IPv6 addressing architecture allows multiple
unicast addresses to be assigned to an interface. Typically OLT will have both LLA
and GUA addresses with different reachable scopes (link-local, or global). In
dual-stack scenario, the same interface will have an IPv4 global address too. So
when initiating an IP connection, OLT will have minimal three candidates as IP
source address. The algorithm described in RFC3484 is used for source and
destination address selection of IP applications. ND (neighbor detection) is used in
IPv6 to do address resolution instead of ARP in IPv4. ICMPv6 is used for
ping/traceroute that is similar to IPv4, and it’s also used for path MTU detection as
middle forwarding node of IPv6 should not fragment an IPv6 frame
8.2 IPv6 static route
8.2.1 Introduction
 Description
Similar to IPv4 static route, an IPv6 static route is a route that is created manually
by a network administrator .

 Target
IPv6 Static routing can implement IPv6 route forwarding in the simple layer-3
networking.
Support static default route (: : /0)
ZXA10 C300/C320 supports 4 K (1 K = 1024) static routes.
ZXA10 C300/C320 supports static routing and has no specific requirements on

hardware and software.
A static IPv6 route includes at least parameters of destination address, net-mask,

next-hop and interface
To configure a static route, the network administrator manually configures a route

with destination address, net-mask and next-hop address for ZXA10 C300/C320
OLT. OLT uses next-hop address to do a recursive lookup in routing table and find
out egress interface of OLT. Then OLT records all parameters of the route to
routing table.
8.3 LIO in SLAAC scenario
8.3.1 Introduction
 Description
C300/C320 can add user port information in RS packets to BRAS.
 Target
While the SLAAC IPv6 address allocation method is used, C300/C320 can add
user port information in RS packets so that BRAS server can locate each single
user.

According to the requirements defined in TR177 N: 1 scenario, if customers use a

bridged ONU, BRAS must allocate the same IPv6 prefix to customers, which is
under the same ONU interface. User port information is the key for analyzing the
RS packets coming from the same customers by BRAS.
Every C300/C320 GPON interface supports per user controlled ND snooping,

which can be turned on/off independently.
 Compliant to RFC6788
 Tunnel end-user’s ND messages inside another IPv6 packet that appends a

destination option (Line-ID option) to convey line-identification information to
BRAS.
 The LIO format is complied with TR-156’s requirements.
 Abbreviations
BRAS broadband remote Access server
NA neighbor advertisement
ND neighbor discovery
NS neighbor solicitation
SLAAC Stateless Address Auto Configuration
RA router advertisement
RS router solicitation
LIO Line Identification Option
IPv6 hosts can configure themselves automatically when connected to a routed

IPv6 network using ICMPv6 router discovery messages. When first connected to a
network, a host sends a link-local multicast router solicitation request for its

configuration parameters; if configured suitably, routers respond to such a request

with a router advertisement packet that contains network-layer configuration
parameters.
Figure 8-3 OLT tunnel ND messages with LIO appended
While the RS packets sent by customers are crossing AN, OLT tunnels those
packets inside another IPv6 packet that original packets are left unmodified inside
the encapsulating packet.
The LIO information is added as destination option in new IP datagram by OLT.

The LIO information can be used to identify user’s information at C300/C320, such
as user’s port number, ONU number etc.
The OLT can identify tunneled RAs from BRAS by destination address,
FF02::10/128 (All-BBF-Access-Nodes, which is a reserved link-local scoped
multicast address) of the outer packets and the presence of a destination option

header with an LIO destination option. OLT removes the tunnel encapsulation and
forward RA to subscriber.
The LIO information added in tunneled ND packets is strictly complied with

TR-156’s requirements ―Access-Node-Identifier Eth
Slot/Port/ONUID/Slot/Port[:VLAN-ID]‖
8.4 DHCPv6 relay
8.4.1 Introduction
 Description
Similar to DHCPv4, support both DHCPv6 L3 relay and LDRA (layer2 relay).
 Target
If subscriber gets IPv6 address through DHCPv6, and DHCPv6 servers are on
different network segments route from OLT’s uplink, OLT can act as a DHCPv6 L3
relay and forward DHCP client’s request to a specific DHCP server.
If OLT as a L2 bridge and has no L3 interfaces, according to the requirements

defined in TR177 N: 1 scenario, OLT can act as a DHCPv6 LDRA and insert
OLT/ONU port location information into DHCPv6 packets to make BRAS aware the
port information for each user.
When enable DHCPv6 L3 relay,
 Supports to configure DHCP server under the layer-3 VLAN interface.
 Supports relay forward to maximal 20 DHCP server groups
 Each layer-3 VLAN interface can be configured with at most four DHCP
servers per group for load balance, and adopts polling modes to implement
mutual backup.
When enable DHCPv6 L2 LDRA,

 Support Interface-id option(option 18) either in DHCPv6 L3 relay or DHCPv6

LDRA scenario (equivalent to DHCPv4 Option82’s suboption1, circuit-id)
 Support Remote-id option(option 37) either in DHCPv6 L3 relay or DHCPv6

LDRA scenario (equivalent to DHCPv4 Option82’s suboption2, remote-id)
 Can be configured globally or per port
 As a LDRA that is most close to DHCPv6 client, OLT inserts option18/37 in

upstream and remove it in downstream
 OLT don’t modify the source and destination IP address in DHCPv6 packets;
don’t change the multicast packet to unicast packet. All multicast packets
would only be sent to network side.
 If multicast DHCPv6 packets sent from BRAS, OLT as DHCP LDRA will only
forward to the specific user side, according to the interface-id in DHCPv6
packets
 Glossary
 Abbreviations
BRAS broadband remote Access server
DHCP dynamic host configuration protocol
LDRA lightweight DHCP relay agent
PD prefix delegate
DHCPv6 is the Dynamic Host Configuration Protocol for IPv6. Although IPv6's
stateless address auto-configuration removes the primary motivation for DHCP in
IPv4, DHCPv6 can still be used to statefully assign addresses if the network
administrator desires more control over addressing. It can also be used to
distribute information which is not otherwise discoverable; the most important case
of this is the DNS server.

The DHCPv6 message flow of LDRA and that of L3 relay is similar.
The Figure 8-4 below describes a LDRA in DHCP-PD interaction process.
Figure 8-4 AN as LDRA, BNG as DHCP L3 relay in DHCPv6-PD Process Diagram
Host
Host // Gateway
Gateway Access
Access Node
Node BNG
BNG DHCPv6
DHCPv6 Server
Server
1. DHCP v6 Solicit
+IA_PD
2. DHCP v6 Relay -forward
+ Interface-Id (option 18)
4. DHCP v6 Relay -reply

5. DHCP v6 Relay -reply
6. DHCP v6 Advertise
+IA_PD: /56 prefix
7. DHCP v6 Request
+IA_PD: /56 prefix
10. DHCP v6 Relay-reply

11. DHCP v6 Relay-reply
12 .DHCP v6 Confirm
+IA_PD: /56 prefix
The DHCPv6 module in C300/C320 works as LDRA between client and server.
C300/C320 sends Relay-Forward message which contains ―Solicit‖ and ―Request‖
information coming from client side to DHCP Server. If DHCPv6 Option18
(Interface-id option) is enabled, the Relay-Forward message will contain ―Option18‖
which is the port information in C300/C320. DHCPv6 server replies ―Relay-reply‖
messages for answering. While receiving ―Relay-reply‖ message, C300/C320 will
delete ‖Option18‖ sector, then reconstruct ―Advertise‖ and ―Confirm‖ messages,
and finally send them to client.

Figure 8-5 Relay Forward message of LDRA
If OLT is a L2 LDRA, OLT will not change source and destination IP of client’s
DHCPv6 message, client message will be copied to RELAY_FORWARD
message’s Relay Message option (option 9). In content of RELAY_FORWARD
message, copy client IP to Peer Address field, fill unspecified address (: :/128) in
Link Address field
If OLT is a DHCPv6 L3 relay, OLT will change destination IP from multicast ―all
DHCP relay/server‖ address to a DHCP server/relay unicast address, change
source IP from client IP to OLT’s L3 interface IP. Client message will be copied to
RELAY_FORWARD message’s Relay Message option (option 9). In
RELAY_FORWARD message content, copy client IP to Peer Address field and
OLT’s IP address to Link Address field
The format of ―Option18‖ which inserted in DHCPv6 packet is strictly complied with
TR-156’s definition (Access-Node-Identifier Eth
Slot/Port/ONUID/Slot/Port[:VLAN-ID])
8.5 IPv6 Source Guard
8.5.1 Introduction
 Description
IPv6 address binding function.
 Target

IP address spoofing often happens in IPoE access environment, such as infringing,

stealing service, accessing in network without getting a valid address through
DHCP server and so on; all of these issues are affecting operator’s integrating
management, service for legitimate customer, threatening the system and user’s
security.
With the IP security technologies provide by C300/C320, operators are able to

effectively stop the IP address spoofing.
 Support IPv6 address and/or IPv6 address prefix legitimate binding with VLAN
interface by DHCPv6 snooping, static IP configuration or ND RA snooping.
 Support IPv6 anti-spoofing by the legitimate binding.
 Support inspection of ND address resolution by the legitimate binding
 Support IPv6 ACL.
 DHCPV6 Snooping/ND RA snooping
C300/C320 supports DHCPv6 snooping technology.
DHCPv6 snooping technology is a security feature. By snooping IPv6 address or

prefix assignment of DHCPv6, building up a legitimate binding table contains the
MAC address, IPv6 address/prefix, lease time, VLAN-ID and interface information
from distrusted areas and the table is dynamically aging entries according to the
lease time.
When SLAAC is used as address assignment, OLT can also snooping ND RA

message from BNG to subscriber to build up binding table.
When static IP is used as address assignment, OLT can be configured by operator

with this static binding. The lease time is permanent till operator deletes the static
binding
 IPv6 Source Guard

IPv6 Source Guard technology is based on DHCPv6 snooping binding table.

Binding IPv6 address/prefix with port can filter distrusted packets according to
packets’ IPv6 address.
C300/C320 can monitor all DHCPv6 packets between customers and BRAS.
Before obtaining a valid configuration, C300/C320 drops all packets except ones
are not specified IPv6 address (::), FE80 prefix and DHCPv6 protocol packets.
Once C300/C320 gets the DHCPv6 Confirm packet, it will bind the <IPv6
address/prefix, MAC address> to customer interface and enable sending upstream
data flow. While customers are sending upstream data flow, C300/C320 will check
the IPv6 address and MAC address. If the addresses are not identical with the
binding table, packets will be dropped. After expiration of the leasing time,
C300/C320 will delete the binding item and stop forwarding customers’ upstream
packets except DHCPv6 protocol packets.
Upstream ND NA anti-spoofing, that is similar to ARP anti-spoofing. When a

distrust subscriber sends a fake unsolicited NA or a solicited NA as reply to
BRAS’s address resolution, it may poison BRAS’s ND neighbor cache. OLT can
inspect the Target address and Link Layer address in NA messages against
DHCPv6 snooping table. If a legitimate binding could not be found, OLT will drop
the NA from subscriber.
 Downstream ND NS filter, that’s similar to ARP agent. OLT will change multicast NS
message from a multicast destination MAC to unicast MAC according to DHCP
binding table with Target address in NS message.
 IPv6 ACL, that’s similar to IPv4 ACL
8.6 IPv6 ND Forwarding Control
8.6.1 Introduction
 Description
To control the ND packet forwarding according to configuration
 Target
To decrease the amount of flooding ND packets

To filter some packets that shouldn’t appear in the specific scenario
 Features and Specifications
Support ICMPv6 and ND filter requirement defined in TR-177
 Abbreviations
MLD: Multicast Listener Discovery
ND: Neighbor Discovery
As TR-177 demanded, control mode of ICMP message is described below:
Table 8-1 Control mode of ICMP message
ICMPv Message
Destination IP address Upstream Downstream
6 type name
ICMPv6 error messages
Destination
1 Unicast Forward Forward
Unreachable
Packet Too
Big
Time
Exceeded
Parameter
Problem
ICMPv6 informational messages
128 Echo Request Unicast Forward Forward
129 Echo Reply Unicast Forward Forward
Neighbor Discovery
Snoop(for
Router
133 All-routers multicast LIO Discard
Solicitation
insertion)
Router Unicast to host sending Snoop(for
134 Advertisemen RS Discard legitimate
t All-nodes multicast binding)

ICMPv Message
Destination IP address Upstream Downstream
6 type name
Unicast of target Forward
Forward(Snoo
Neighbor
135 Solicited-Node multicast Forward p when NS
Solicitation address corresponding filter enabled,
to the target like ARP
agent)
Forward(S
noop when
NA
Neighbor anti-spoofi
Unicast to host sending
136 Advertisemen ng Forward
NS or All-nodes multicast
t enabled(lik
e ARP
anti-spoofi
ng)
137 Redirect unicast Discard Forward
To prevent illegal steaming overflow, the legality of terminals and routers can be
identified by the use of forwarding control and monitoring of ND message which
are described in TR-177.
8.7 IPv6 Network Administration
8.7.1 Introduction
 Target
As under IPv4 environment, ZXA10 C300/C320 provides the common network

management features of IPv6, which implement access and management of an
IPv4/IPv6 dual stack capable network element through multiple protocols.
 Management of IPv6 global unicast
 Management of IPv6 default routing

 Support SNMPv2 and SNMPv3 under IPv6
 Support telnet6,ftp6
 Support diagnostic program ping6, trace6
Figure 8-6 IPv4/IPv6 dual stack structure by Network element
Application Layer
TCP/UDP
IPv4 IPv6
Data Transfer Layer
Physical Layer
For the IPv4&IPv6 dual stack supporting network elements, applications above
TCP/UDP Layer are universal. The Application Layer will determine whether to use IPv4
or IPv6 protocol stack according to the form of network element’s IP address, the
features of Application Layer remain.
A large amount of services, which network elements provide, for instance multicast and
IPTV, are able to co-existence with dual stack protocols. Network managements of those
services are also capable of inter-operation, for example, users can gain access and
administrate the services of aIPv6 network under IPv4 environment.
9 QOS
9.1 Introduction
 Description
QoS provides various techniques to guarantee service quality for specific user,
specific application.
 Target

The SLA requirements of the service will be guaranteed through below QOS
elements:
 PON DBA
 Marking and remarking the packet priority
 Packet mapping to queues base on the packet priority
 The H-QoS (Hierarchical- QoS) scheduler mechanism of the queues and

dropping the packet base on the occupation of the queues by WRED
mechanism
 Traffic flow rate limitation and trTCM
 Dropping the packet based on the color of the packet when the network
congestion.
ZXA10 C300/C320 supports QoS features as follows:
 Support marking/re-marking traffic flow and network management flow through

different TOS/DSCP, forwarding the traffic based on the IP priority ;

different 802.1P, forwarding the traffic based on the Ethernet priority;

different MPLS EXP, forwarding the traffic based on the MPLS priority
 Support H-QOS
 Traffic mapping to queues with multi-mode
 Based on 802.1p
 Based on GEM-PORT
 Scheduler can be configured with multi-mode

 SP
 SP+DWRR/WFQ
 DWRR/WFQ
 Support to classify the traffic based on the key words of L2 to L7 in the packet
and to colorize the traffic according to trTCM (RFC 2698 or RFC 2697),
support over-booking;
 DBA algorithm is implemented by hardware therefore it provides the flexibility,

low latency with the most efficiency. DBA could be configured with SR-DBA or
NSR-DBA mode.
9.2 Basic Theory and Solution
[OLT QOS solution]
C300/C320 OLT provides hierarchical rate limitation and user traffic H-QoS
scheduling to implement QoS controlling based on user/service.
 Algorithm of the limitation is compliant to RFC 2698 with color awareness.
 The color is marked at the GPON line card and indicated by the DEI bit. The
rate limitation at the Core-control card will be color aware and the yellow
packets will be first dropped
 H-QoS scheduling at user segment
 The user H-QoS scheduling resides at the GPON line card
 Support two level scheduling based on queues with WRED algorithm.
 scheduling among different users
 scheduling among different services within each user
 H-QoS supports downstream and upstream traffic scheduling simultaneously.

Figure 9-1 Upstream end-to-end QoS solution
[End-to-End QoS solution]
Upstream end-to-end QoS
 Ingress traffic from UNI will be mapped to different T-CONT based on VLAN,
priority and etc
 PON DBA will schedule the packets from the T-CONT to the OLT based on the
DBA parameters
 The traffic will be mapped to the user Scheduler. The below is the action of the
traffic based on the user QoS profile:
 Scheduling
 Shaping
 Coloring(DEI bit)
 The rate limitation is color awareness

 The rate limitation will drop the yellow packets first
 The traffic will be scheduled , the scheduler will work at below

modes( configurable)
 SP
 SP+DWRR
 DWRR
 The uplink scheduler will drop the packet base on the color (DEI bit) with
WRED algorithm.
 The connection between Core-control card and PON card is unblock in the
upstream direction
 The connection between Core-control card and Uplink card is unblock in the
upstream direction
Figure 9-2 Downstream end-to-end QoS solution
Downstream end-to-end QoS

 The connection between the uplink card and the Core-control card is
non-block;
 The traffic will schedule at the connection between Core-control card and PON
card, the scheduler will drop the packet based on the packet color, yellow
packets will be dropped first;
 The traffic will be scheduled per user at the PON card
 The traffic will be scheduled among users at the PON port
 The multicast traffic can be mapped into SCB queue to be scheduled with the
highest priority
 The traffic will be scheduled at the UNI egress direction
10 Multicast
10.1 Multicast Overview
10.1.1 Introduction
 Description
Multicast is a Point to multi-point communication technology. ZXA10 C300/C320

constructs multicast forwarding between the source port and the receiving port by
using IGMP/MLD snooping/proxy between the host and the router.
 Target
ZXA10 C300/C320 effectively saves the bandwidth by multi-level replication and

management through the multicast traffic at the OLT /ONU for the business
development such as IPTV, Triple Play etc.

 Support IGMP v1/v2/v3.
 Support IGMP Snooping.
 Support IGMP Proxy.
 Support G.984.4 ONU dominated multicast.
 Support IPTV service.
 Support IPV6 Multicast（MLDV1/V2）
ZXA10 C300/C320 identifies the Layer-2 multicast at the access side. The control
plane constructs a multicast forwarding table by processing IGMP/MLD packets.
The multicast traffic implements the data platform Layer-2 forwarding according to
the table. The processing procedure is shown in Figure 10-1.
Figure 10-1 Layer-2 Multicast Processing Principle
10.2 IGMP Snooping
10.2.1 Introduction
 Description
IGMP snooping is performed on a Layer-2 broadband access equipment to snoop

on the IGMP report/leave messages transmitted from upstream hosts and IGMP

query messages from downstream routers. It also maintains Layer-2 multicast

forwarding table.
 Support IGMP snooping。
 Support IGMP snooping with proxy reporting。
ZXA10 C300/C320 receives the user upstream report/leave packets and converts
the user VLANs to multicast VLANs. It forwards the packets to the upper layer
router to establish multicast group information without changing the packets
content. ZXA10 C300/C320 receives the downstream query packets from the
router and forwards them to the users. It deletes the users that do not respond in a
particular period of time.
IGMP snooping has extended the following functions:
 OLT snoop IGMP messages and construct membership table；
 According to the memebership table to establish the multicast forwarding table

and then forward
IGMP snooping with proxy reporting has extended the following functions:
 Report suppression: blocks, absorbs and summarizes IGMP reports from

IGMP hosts. Only when the first user reports to the IGMP querying,
summarized IGMP report message will be sent to the multicast router.
 Last leave: blocks, absorbs and summarizes IGMP leave packets from IGMP
hosts. When the last user leaves the multicast group, summarized IGMP leave
message will be sent to the multicast router.

 Query suppression: blocks and processes IGMP queries. In this method, the
IGMP specific query message will not transmit to the user side directly.
However the IGMP general query message will send to the user side by OLT.
10.3 IGMP Proxy
10.3.1 Introduction
 Description
In IGMP proxy mode, ZXA10 C300/C320 transmits query packets to a user and
responds to query packets from upper layer router. In other words, ZXA10
C300/C320 behaves as a proxy located between router and user.
IGMP proxy has the following features:
Support IGMP proxy
IGMP proxy consists of IGMP host and IGMP router. The IGMP router is applicable
to the interface at the user side to terminate the report message on the host. IGMP
host is applicable to the interface at the network side to respond to the query
messages on the multicast router. The proxy host only forwards the join message
of the first user and leave message of the last user in the same multicast group. It
responds to the query message of the router. The proxy router periodically
transmits query packets.
Multicast group only forwards report packets from the first port member and leave
packets from the last port member.
Proxy queries transmit general-query packets to all receiving ports periodically.
Transmits specific-query packets to a specific port when the port is in the non-fast
leave mode.

10.4 IGMP Router
10.4.1 Introduction
 Description
ZXA10 C300/C320 acts as a multicast router to send the IGMP query message to
host periodically and at the meantime to respond the report message from the host.
Then construct the membership table and establish the multicast stream
forwarding table.
 Target
ZXA10 C300/C320 has following functions:
 Router mode is often used in application scenario to send multicast traffic

directly to the OLT equipment to shorten the delay on switching channels.
 Router mode can be used with the pre-join group function.
ZXA10 C300/C320 has following features:
 Supports IGMP v1/v2/v3.
 Periodically transmits report packets of pre-join group to uplink multicast

source port.
 Neither forward report/leave packets of users, nor respond the query packets
of the router.
In IGMP router mode, ZXA10 C300/C320 periodically transmits report message of

multicast group to upper layer router. It transmits only one report message when
the multicast group has several users. Only when the last user leaves, it transmits
the leave message to multicast router. ZXA10 C300/C320 periodically transmits
query packets to users but does not forward user's report/leave message and the
query message of the router.

10.5 IGMPv3
10.5.1 Introduction
 Description
IGMP is the protocol used by IPv4 systems to report their IP multicast group
memberships to neighboring multicast routers. IGMPv3 is the latest version of
IGMP, adds support for ―source-filtering‖ to implement SSM. The network
operators can exert the advantages of IGMPv3 to fulfill need of multiple content
providers for IPTV service.
ZXA10 C300/C320 supports the following IGMPv3 features:
 Supports up to 16 source address per group, which can be adjusted for

requirement.
 Supports both include and exclude source address filter mode.
 Supports multiple records in a report message, only restricted by the packet

length.
 Abbreviations
ASM: Any-Source Multicast
SSM: Specific-Source Multicast
IGMPv3 defines a new type (0x22) of IGMP report packet, includes several group
records. Each record comprises of a multicast IP group address, a list of source
address, and a source filter mode which can be one of the following values:
 Mode is include
 Mode is exclude
 Change to include mode

 Change to exclude mode
 Allow new sources
 Block old sources
For detail please refer to RFC3376.
IGMPv3 protocol is running on the PON system, optionally working on proxy mode
on the OLT, and snooping mode on the ONU.
When the OLT receives IGMPv3 report packet, the group and user configuration
will be checked previously. Then one or more multicast filter entry based on l3
information will be setup on the hardware, and the report packet will be forwarded
to the uplink port.
10.6 MVLAN
10.6.1 Introduction
 Description
MVLAN is a special VLAN to separate the multicast data from the unicast data.
 Target
In practice, MVLAN is generally applied to distinguish and isolate different

multicast services from the different operators.
ZXA10 C300/C320 has the following functions:
 Support span VLAN multicast.
 Support user multicast group to pre-join.
 Support static multicast.
 Support user fast-leave.

 support the maximum of 256 multicast VLANs.
 support 8K multicast groups.
 Each MVLAN supports a maximum of 8K multicast groups.
 Each MVLAN supports a maximum of 8K multicast channels.
 Each MVLAN support IGMP snooping, IGMP proxy mode and IGMP router
mode.
 ZXA10 C300/C320 supports multicast access control. Each MVLAN supports

a maximum of 16 valid multicast source addresses.
Only MVLAN members can receive multicast data. The MVLAN includes the
following:
 Source port: The port is connected to the multicast traffic source port. The
upstream report/leave packets can only be transmitted to the source port.
 Receiving port: the port is connected to the multicast user. Each multicast
address of the MVLAN stands for a multicast group. The multicast group
members can join in and leave the group at anytime.
 The general multicast users can join multicast group with any sources. ZXA10
C300/C320 supports multicast access control. It separates invalid multicast
service and valid source addresses by specific configuration.
10.7 Channel Management
10.7.1 Introduction
 Description

A channel is a program (or multicast group) configured with the permission of

preview and log functions. It is a technique to control the programs of the user
demand.
 Target
The channel management allows the users to watch the channels which have
been purchased, to preview or deny access of some channels which have not
been purchased. It will record the user action log and generate the CDR report to
the server for billing.
 Support up to 8K channels at most.
 Support to apply one channel to 1024 service packages.
 Support to apply one preview template to a channel.
 Support CDR functions to set channels.
 Support channel bandwidth control.
IPTV service is based on the multicast technology. The channel management is

used to avoid illegal user access. Each user has the following authorities on a
particular channel:
 Permit: Users can view programs on channel at any time.
 Preview: Users can view a portion of a program for a short period for several
times.
 Deny: Users are not allowed to view any content of the program.
According to the configuration and status of the channel/user, it will record the user
action log and generate the CDR report to the server for billing.

10.8 Service Package Management
10.8.1 Introduction
 Description
Service package is a bound of several channels. It specifies the authority of the

channel in the package as Purchase or Preview. It is also a technique to control
the programs of the user demand.
 Target
The service package has all the functions of the channel management but it is
more flexible to manage comparing the channel management.
 Support up to 1024 service packages.
 Support maximum 8K channels by each service package
Configure each program in the service package to permit or preview. Any channel
can be configured into any service package and each service package can be
assigned with independent authorities. The service package will be applied to a
specific user for access control of the multicast channels.
When the same channel has different authorities in various service packages, the
authorities will be merged. The principle for merging is to take the highest among
all the authorities. The sequence from the highest to the lowest is: Permit,
Preview, and Deny. When deleting a service package, recalculate the authorities
again.

10.9 G.984.4 ONU Dominated Multicast
10.9.1 Introduction
 Description
According to ITU-T G.984.4 standard, several multicast MEs are defined to support
ONU dominated multicast, including multicast operations profile, multicast
subscriber configuration and multicast subscriber monitoring.
 Target
ZXA10 C300/C320 implements the ONU dominated multicast based on the local
multicast privilege table.
 Support up to 8K multicast operations profiles.
Support maximum 8K channels by each service package
Multicast profile is configured through the standard OMCI interface. Each profile
contains a multicast channel and relative multicast protocol parameters.
10.10 IPV6 Multicast
10.10.1 Introduction
 Description
Multicast Listener Discovery (MLD) is a subprotocol of Internet Control Message

Protocol version 6 (ICMPv6). MLD establishes and maintains the multicast group
membership between a user host and its directly neighboring multicast router. MLD
can be regarded as the Internet Group Management Protocol (IGMP) in IPv6, as
MLD and IPv6 IGMP have similar implementation.

MLD has two versions: MLDv1 and MLDv2. MLDv2 is fully compatible with MLDv1
and covers all basic concepts of MLDv1.
 MLDv1 (defined in RFC2710)
MLDv1 is derived from IGMPv2 and directly supports any-source multicast (ASM)
but requires source-specific multicast (SSM) mapping for supporting SSM.
 MLDv2 (defined in RFC3810)
MLDv2 is a translation of IGMPv3 for IPv6 semantics and directly supports ASM
and SSM.
 Target
By using IPv6 multicast technologies, the network device can manage, control, and
forward IPv6 multicast services and in this way meets carriers' requirements for
provisioning IPv6 multicast services.
 Support MLD v1/v2
 Support MLD snooping，MLD proxy，MLD router
The following Figure 10-2 shows the format of an IPv6 multicast address as defined in
RFC4291：
Figure 10-2 Format of an IPv6 multicast address
The binary 11111111 at the start of the address identifies the address as being a
multicast address.

The flgs is a set of 4 flags：|0|R|P|T|. The high-order flag is reserved, and must be
initialized to 0.
T = 0 indicates a permanently-assigned ("well-known") multicast address, assigned by

the Internet Assigned Numbers Authority (IANA).
T = 1 indicates a non-permanently-assigned ("transient" or "dynamically" assigned)

multicast address.
The P flag's definition and usage can be found in [RFC3306].
The R flag's definition and usage can be found in [RFC3956].The scop is a 4-bit multicast
scope value used to limit the scope of the multicast group. The values are as follows:
0 reserved
1 Interface-Local scope
2 Link-Local scope
3 reserved
4 Admin-Local scope
5 Site-Local scope
6 (unassigned)
7 (unassigned)
8 Organization-Local scope
9 (unassigned)
A (unassigned)
B (unassigned)
C (unassigned)
D (unassigned)

E Global scope
F reserved
RFC2464 defines a set of rules for mapping IPv6 multicast addresses to MAC addresses.
An IPv6 address is mapped to the MAC address 3333.XXXX.XXXX, with the 32 -bit
XXXX.XXXX copied from the least significant 32 bits of the IPv6 address
The MLDv2 protocol, when compared to MLDv1, adds support for "source filtering", i.e.,
the ability for a node to report interest in listening to packets *only* from specific source
addresses, as required to support Source-Specific Multicast [RFC3569], or from *all but*
specific source addresses, sent to a particular multicast address.MLDv2 is designed to
be interoperable with MLDv1.
10.11 MLD Snooping
 Description
MLD Snooping is an IPv6 multicast constrain mechanism that runs on Layer 2

devices to manage a control IPv6 multicast groups. By analyzing received MLD
messages, a Layer 2 device running MLD Snooping establishes mappings
between ports and multicast MAC addresses and forwards IPv6 multicast data
based on these mappings.
 Features and specifications
 Support MLD V1/V2 snooping
 Support MLD Snooping with Proxy Reporting
 Support multicast group aging configuration

When a host sends an MLD report/done upstream messages, C300/C320 records

the message content, transfer user VLAN to multicast VLAN, then establishes
multicast group data and transport the message to uplink router.
Basing on the existing multicast group information, C300/C320 receives the

downstream query message from router and transfer it to the hosts. Upon aging
mechanism, C300/C320 deletes the entries of none-responding hosts from the
multicast group list.
MLD Snooping with Proxy Reporting extends the specific functions of Report
Inhibition, Last Leave and Query Inhibition.
Report Inhibition: to intercept, accept and integrate the reports from MLD hosts. If
necessary, it would send an integrated MLD Report messages through the uplink
port to the multicast router.
Last Leave: to intercept, accept and integrate the reports from MLD hosts, only if
necessary, send the integrated MLD Leave messages through the uplink port to
the multicast router side.
For example, when the last host left a multicast group
Query Inhibition: to inhibit and process MLD Query message. Send none of the
specific-query to hosts’ port, but relay the general-query to hosts, when and only
when the ports accept at least one multicast group.
10.12 MLD Proxy
 Description
In MLD Proxy Mode, C300/C320 send query periodically to hosts instead of a

router, and response to the query from router for hosts.
 Features and specificationss
 Support MLD V1/V2

Within the same multicast group, relay only the first Report message and last
Leave message.
C300/C320 sends periodically general-query message to all receiving ports.
In a non Fast-Leave occasion, it sends specific-query message to appointed ports.
MLD Proxy consists of MLD Host and MLD Router. MLD Router, running on the
ports link to consumer, is used to terminate Report message from hosts. MLD Host,
running on ports uplink to network, is to response to Query message from multicast
routers.
10.13 MLD Router
 Description
C300/C320 send MLD Query message to the hosts instead of router, none of MLD
message interchange take place in between C300/C320 and uplink equipments.
 Target
MLD Router mode is normally used in the occasion, in which multicast program
stream is directly forwarding to OLT, to reduce channel zapping time.
 Support MLD V1/V2
 Periodically send pre-join group Report/Leave message to the uplink multicast

source port
 Not forwarding Report/Done message from the host, not responding query
from router.

Periodically send ―Report/Done message‖ of multicast group to upper layer router in MLD
Router Mode. Send ―Report message‖ only once under multi-hosts in one group
occasion, send ―Done message‖ when the last host of a group leaves.
C300/C320 sends‖Query message‖ to hosts periodically as a router, reply no

―Report/Done message‖ from hosts and no ―Query message‖ from a router.
11 Network Protection Feature
11.1 STP/RSTP/MSTP
1.1.1 Introduction
 Description
ZXA10 C300/C320 STP supports three modes including: SSTP, RSTP and MSTP.
SSTP complies with IEEE802.1d standard. The bridge running SSTP module can
work with the bridges running RSTP module and MSTP module.
RSTP provides faster spanning tree convergence than STP after a topology
change. The configured redundant switch transits rapidly from 'Discard' to
'Forward' in the point-to-point connection.
MSTP extends the concepts of instances and VLAN mapping. Both SSTP and
RSTP can be considered the MSTP special cases. That means there's only the
instance of 0. MSTP also provides rapid aggregation of VLANs and load balancing.
In the modes of SSTP and RSTP, there is no VLAN. Each port has only one status:
The port has a consistent status while forwarding in different VLANs. In MSTP
mode, there are several spanning-tree instances: The port has different status
while transmitting in different VLANs. Inside the MST region, there are several
independent subtree instances to implement load balance.

 Target
STP adopts certain algorithms to block some redundant paths and prevent
messages from proliferating and infinite recycling in the ring network.
The STP supports the following standards:
 IEEE802.1d
 IEEE802.1w
 IEEE802.1s
 Glossary
BPDU: The BPDU is used for communication between bridges. STP BPDU is a
Layer-2 packet with the destination MAC of the STP multicast address
01-80-C2-00-00-00. All the bridges that support STP can receive and process the
received BPDU packets. The packets have all the information for Spanning Tree
computation.
Root Bridge: A root bridge is selected according to the smallest bridge ID which is
combined with bridge priority and MAC address.
Root Port: The root port is the BPDU port that receives information. Namely, the
root port is the least-cost path from the bridge to the root.
Designated Port: The designated bridge is the one with the least-cost path from the
network segment to the root.
MSTP Regions: All MST switches must be configured with the same MST
information. A group of switches within the same MST configurations make up
MST region. MST configuration, including region name, revision number and MST
VLAN-to-instance mapping, determines the switch location.
STP is used to exchange BPDU among all the STP switches in an extended LAN.
The following operations can be completed by exchanging the BPDU:
 Choose a root bridge in the stable spanning tree topology.

 Specify a switch in each switching network segment.
 Avoid the loops in the topology network by setting the redundant switch port to
be Discard.
STP defines the concept of root bridge, root port, designated port, route cost etc. It
aims to get rid of the redundant loops by constructing a natural tree to implement
the link backup and find the best route. Spanning tree algorithm is applied to
construct the tree, as shown in Figure 11-1.
Figure 11-1 STP
Defects:
 When the topology changes, the new configuration information is spread to the
whole network with a certain delay, known as forward delay with the default
time of 15 seconds. Before all the bridges receive the information of changes,
if the port in forwarding status in the old topology does not take action to
suspend forwarding in the new topology, there is possibly a temporary loop. In
order to solve the problem of temporary loop, the spanning tree adopts a policy
of timer. That's to add an interim status between the blocked status and
forwarding status to the port to learn the MAC address only but not to forward.
The time for the two switchovers is the same as the forward delay. Thus, the
temporary loop can be effectively avoided when the topology changes. But the
seemingly good solution cost at least double forward delay for the
convergence.
 RSTP has made the improvement on the following 3 important points on the
basis of STP, which accelerate the convergence rate (The fastest is within 1
second).

 First: RSTP sets an alternate port and a backup port for rapid switchover for
the root port and the specified port. When the root port/specified port is invalid,
the alternate port/backup port enters the forwarding status without delay. As
shown in Figure 35, all the bridges run RSTP and SW1 is the root bridge.
Suppose the SW2 Port 1 is the root port, then Port 2 can distinguish the
topology to be the alternate port of the root port and enters the blocked status.
When the links on Port 1 are invalid, Port 2 can immediately enter the
forwarding status without waiting for two times of forward delay.
Figure 11-2 RSTP
Second: On the point to point link which only connects two exchanging ports, the
specified port can enter the forwarding status without delay only after shaking
hands once with the downstream bridge. If the port is on a shared link which
connects over 3 bridges, the downstream bridge does not respond to the shaking
hands request from the specified port upstream. It can just wait for double forward
delay to enter the forwarding status.
Third: It defines the port directly connected to the terminal to be an edge port, not
the port connected to other bridges. The edge port can directly enter the
forwarding status without any delay. As the bridge can not know whether the port is
directly connected to the terminal, it needs to be configured manually.
Defects:
Both RSTP and STP belong to SST, which has its own defects as follows:
 First, as there's only one spanning tree in the whole switching network, it takes
long time to converge in a larger network and the influence of the topology
changes is also great.
 Second, IEEE 802.1Q has gradually become the standard protocol as it is

widely used in recent years. In the symmetric network, the SST does not
influence a lot. But in the asymmetric network, the SST influences the network
connectivity.

Suppose SW1 is the root bridge, solid line link is VLAN 10, dotted line link is
802.1Q trunk link connecting VLAN 10 and VLAN 20, as shown in Figure 11-3.
When SW2 is blocked, the VLAN 20 channel between SW1 and SW2 is broken.
Figure 11-3 Asymmetric Network
 Third, the link does not bear any traffic when it is blocked. Therefore, it causes
the waste of the bandwidth, which is quite obvious in ring MAN.
Suppose SW1 is a root bridge, and SW4 is a port to be blocked, as shown in

Figure 11-4. In this condition, the optical fiber between the SW2 and SW4 does not
bear any traffic. All the service traffics between SW2 and SW4 are forwarded by
SW1 and SW3, which increases the load of other links.
Figure 11-4 Low SST Bandwidth Utilization
As these defects can not be overcome by the SST, the MSTP which support VLAN
appears.
MSTP defines the concept of instance. To be simple, the STP/RSTP base on ports,
the PVST/PVST+ on VLANs and the MISTP on instances. The so called instance
is a collection of multiple VLANs. Binding multiple VLANs to an instance can save
the communication overhead the resource occupancy.
Map several VLANs with the same topology structure to an instance in application.
The forwarding statuses of these VLANs are up to the status of the corresponding

instances in MSTP. The VLANs of all the switched in the network must be
consistent with the instances mapped, otherwise the network connectivity is
influenced. In order to detect the mistakes, the MSTP BPDU brings the instance
numbers together with the information of the corresponding VLANs. MSTP does
not process STP/RSTP/PVST BPDU, therefore it is not compatible with
STP/RSTP.
MSTP assigns the switches supporting MSTP and not supporting MSTP in
different regions, which are MST domain and SST domain respectively. Run the
spanning tree with multiple instances inside the MST domain and IST compatible
with RSTP at the edge of the MST domain.
As shown in Figure 11-5, the switches inside the MST domain applies MSTP
BPDU to exchange topology information and the switches in the SST domain
applies STP/RSTP/PVST＋ BPDU to exchange the topology information. At the
edge between the MST domain and the SST domain, SST equipment considers
the equipment interconnected is a RSTP equipment. While the MST equipment
status on the edge port is up to the IST status. That means that the spanning tree
status of all the VLANs on the port will be consistent.
Figure 11-5 MSTP Working Principle
MSTP has more obvious advantages compared to the former spanning tree
protocols. MSTP has VLAN understanding ability to share the load and to
implement quick switchover of the port status similar to the RSTP. Binding multiple
VLANs to an instance can decrease the resource occupancy. The MSTP is
downward compatible with STP/RSTP.
MSTP sets up and maintains the following two spanning trees:
 IST is the spanning tree running inside the MST region.
In MST region, the MSTP maintains multiple spanning tree instances. Instance 0 is
a special instance, known as IST. Other MST instances are instance 1 to instance
15. The IST is the only spanning tree to receive and transmit BPDU packets. The

information of the other instances is included in an M-records. Therefore, the

BPDU packets quantity is greatly reduced.
All the MST instances share the same protocol timer in the MST region, but each
instance have its own topology parameters, such as root switch ID, r oot path coast.
All the VLANs belong to IST by default.
MST instance belongs to MST region. For example, MST instance 1 in Region A is
independent from the instance 1 in Region B even if Region A and Region B are
interconnected.
CIST is integrated IST and CST in MST region. CST connects MST region and the
SST.
 Spanning tree in the MST region is the CST sub-tree. CIST is the result of
spanning tree algorithm run by the switch, which supports 802.1D, 802.1W
and 802.1s protocols. The CIST inside the MST region and the CST outside
the region are the same.
11.2 LACP
1.1.3 Introduction
 Description
Link Aggregation is also known as trunking. It combines several physical Ethernet

ports into one logical channel to get required bandwidth.
ZXA10 C300/C320 supports the following two link aggregation modes:
 Static trunk: It directly adds several ports in a trunk group to form a logical
channel.
 LACP: It complies with IEEE 802.1AX standard. It dynamically aggregates

several physical ports in a trunk group to form a logical channel.
 Target
The link aggregation has the following functions:

 Link aggregation bundles several physical ports together to form a logical

channel to implement the load sharing among each member port. The switch
decides from which member port the packets should be sent to the opposite
switch according to the configured port load sharing policy. When the switch
detects any faulty link of the member port, it suspends packets transmission
from that port. It will recount the packets transmitting ports on the left links
according to the load sharing policy and recounts the packets transmitting
ports after the faulty port recovers.
 Link aggregation is an important technology to increase the link bandwidth and

realize the link transmission flexibility and redundancy.
The LACP supports the following features:
 IEEE 802.1AX standard.
 Nine trunk groups at most, each of which has 8 member ports at most.
 Supports across card aggregation.
 Support trunk resolution using a hashing function based on a programmable

combination of packet fields: MAC DA, MAC SA, VLAN, EtherType, IP DA, IP
SA, IP protocol number, TCP port number and MPLS labels.
 Port priorities are 0 – 65535 with the default valueis 0.
 System priorities are 0 – 65535 with the default value is 32768.
 The LACP long timeout is 30 seconds while the short timeout is 1 second.
Static trunk is used to directly add several physical ports in a trunk group to form a
logical channel. It is easy to implement but not convenient to observe the port
status of link aggregation.
Dynamic Trunk adopts LACP to add several physical ports in a trunk group
according to the port status. The opposite equipment of the ZXA10 C300/C320 to

the dynamic trunk must run LACP. They exchange LACPDU with each other to
inform the opposite of their system priority, system MAC, port priority, port number
and operation key. On receiving that information, the opposite chooses the port to
aggregate through comparing the information with the other information saved by
other ports. Thus, the two parties can be consistent in port-joining or exiting a
certain dynamic trunk group.
11.3 G.8032
1.1.5 Introduction
 Description
The network is required to be highly reliable and stable in the scenarios such as mobile
backhaul, Digital Subscriber Line Access Multiplexer (DSLAM) convergence and
important enterprise/business application. The G.8032 protocol is the Ethernet Ring
Protection Switching (ERPS) protocol defined by the ITU-T. It provides high efficiency
and switching performance, and has been applied in the access network
 Target
Provides Ethernet ring protection
The main service features are as follows:
 ERPS ensures that there are no loops formed at any time.
 ERPS ensures the loop is recovered after multiple nodes or a single node is
recovered (from a fault).
 ERPS supports multiple domains and multiple rings. For the C320 device, it
supports two physical rings and four logical rings. For the C300/C320 device, it
supports four physical rings and eight logical rings (low priority). For the
C300/C320 V2.0.0, crossover rings are not supported.

 ERPS only supports physical ports forming a loop and does not support LAG
forming a loop. (The hardware does not support the function, but the standard
does not clarify it.)
 ERPS uses R-APS control messages defined in the ITU-T Y.1731.
 ERPS detects links by using CCM packets defined in the ITU-T Y.1731, with a
frequency of 3.3 ms.
 ERPS supports 16–255 nodes. For the C300/C320 V2.0.0, only 16 nodes are
supported.
 ERPS supports manual switching, forced switching, and clearing switching.
 ERPS supports the Revertive and Non-revertive modes.
 Manual switching and protection switching upon link failure can be finished
within 50 ms. (For the C320 device, the function may not be fulfilled due to
hardware limit.)
 ERPS supports the Guard time/WTR timer, but not the Holdoff timer (0–10 s,
default: 0) or WTB timer (5 s). For the WTR timer, the time is 1–12 min, and
the default is 5 min. For the Guard timer, the time is 10–2000 ms, and the
default is 500 ms.
 ERPS supports unicast, multi-cast and broadcast.
 The C320 device can serve as an ordinary node or RPL Owner node.
 The G.8032 2012 (version 2) is supported.
Figure 11-6 shows the logical structure of an Ethernet Ring.

Figure 11-6 logical structure of an Ethernet Ring
Under normal conditions, a main control node (RPL Owner) is configured in each
Ethernet Ring in accordance with ERPS (G.8032), and the main control node blocks a
port in the ring, for example, a port of the Node D in Figure 5-2 is blocked. Therefore, the
Ethernet Ring is broken logically, and broadcast storms are avoided. The link connected
to the blocked port of Node D is called the Ring Protection Link (RPL), that is, the
standby link. The node responsible for blocking the link is called RPL Owner Node. The
node at the other end of the RPL is known as RPL Neighbor Node Other nodes in the
Ethernet Ring are transmitting nodes and the ports on these nodes are set to be in
forwarding status. Each node in the Ethernet Ring is capable of forwarding services and
APS switching control messages through a bridge between two ring ports or between the
local port and ring port.
When a link fails in the ring, the transmitting nodes adjacent to the failed link will detect
the link failure and send an SF message every 5 s through two ports in two reverse
directions. On obtaining this message, the RPL Owner unblocks the blocked port to
resume data forwarding. Other nodes in the ring flush and re -create the forwarding
address table (FDB) after receiving the SF message. The node with the blocked port will
set the blocked port to forwarding status.

After the failed link is restored, the nodes that detect the restored link send recovery
messages in two directions and keep blocking the ports adjacent to the restored link.
After receiving the recovery message, the RPL Owner waits for the WTR timer to expire
in order to ensure stable switching, and sends the message that the RPL port is
re-blocked to the nodes adjacent to the restored link. Obtaining the re -blocking message,
the nodes adjacent to the restored link unblock the ports that are blocked due to link
failure to recover the traffic
11.4 TDM Services Protection
11.4.1 Introduction
 Description
ZXA10 C300 TDM Service supports 1+1 automatic protection between STM-1 or
STM-4 uplink interfaces.
 Target
When one of the following alarm is detected by the equipment, the automatic
protection switch is launched:
 LOS alarm
 LOF alarm
 MS-AIS alarm
The following features of the protection:
 It supports automatic switchover and manual switchover.
 During the active/standby switchover, ZXA10 C300 supports data

synchronization and smooth processing of data.
 The switchover time for TDM service is less than 50 ms.

 Glossary
E1: European 2.048 Mbps digital carrier
T1: signal transmitted in the DS-1 format at the rate of 1.544Mbps
 Abbreviations
TDM：Time Division Multiplexing
ONT： Optical Line Terminal
ONU：Optical Network Terminal
CES：Circuit Emulation Service
IWF：Interworking Function
Figure 11-7 Principle of implement TDM service protection.
Uplink 1
TDM traffic
OLT
to/from
ONU
Uplink 2
The TDM service protection is 1+1 mode protection, that is the TDM traffic was
transmitted in both two uplink ports in upstream direction and only one uplink port
is allowed to receive downstream traffic. When alarm occurred, the protection
takes into action by switching downstream traffic from one uplink port to the other
one so as to ensure the service is not interrupted in the receiving direction. Note
that this kind of switchover should be taken at either the ends of the TDM service
provider despite whatever network set between.
 Solution

Under normal condition, the TDM service traffic is copied into two uplink port in
upstream direction and only receives one traffic in the downstream direction. When
uplink ports detect LOS or some of the other alarms, then transfer the port
information to the main control board, the main control board receive the
information, analyze it which protection group it belongs to, and write the slot and
port information down, and transfer the information to switch module, the switch
module configure the hardware and make the receiving traffic allowed in the other
port, forbidding the old one, then inform software for later proposal.
11.5 GPON Protection
1.1.7 Introduction
 Description
Setup backup GPON system and active/standby equipment simultaneously. When

the active equipment is faulty, switch the services over to the standby equipment.
 Target
It is to improve the system liability.
ZXA10 C300/C320 supports protections as follows:
 Type B: OLT-only duplex system
 Type C: Full duplex system
 Dual Parented OLT Protection
GPON standard provides the following four typical PON backup protections:
 Type B: OLT-only duplex system
The OLT only duplex system at the OLT side is shown in Figure 11-7. It backs up
the OLT and the optical fiber between the OLT and the optical splitter which has

two input/output ports. This configuration mode can only recover the redundancy at
the OLT side.
Figure 11-8 Type B: OLT-only Duplex System
 Type C: Full duplex system
The full duplex system is shown in Figure 13. It backs up OLT, ONU, optical splitter
and all optical fibers. This configuration mode has high reliability and recovers the
faults at any point by switching the over to the backup equipment.
Figure 11-9 Type C: Full Duplex System
 Dual Parented OLT Protection
Figure 14 shows the duplex system model for the dual parented access network.
The relevant part of the protection in the GPON system should be a part of the
protection between the ODN interface in the ONU and each ODN interface in the
two OLTs via the ODN, plus the signalling required to implement protection
functions upstream from the SNI.

Figure 11-10 G.984.1 – Dual Parented duplex system model
S/R R/S
OLT
PON LT(1) Switch SNI LT(1)

ONU ODN(1)
M PON LT(1)
UNI
U
LT
X
PON LT(0)
Network
OLT
ODN(0)
PON LT(0) Switch SNI LT(0)
11.6 UAPS
1.1.9 Introduction
 Target
ZXA10 C300/C320 supports dual Ethernet interfaces or multiple Ethernet interface

uplinks to avoid the service interruption caused by single link fault. It improves the
reliability of the system and ensures the continuity of the services.
 UAPS: Its protection switch-over time is less than 50 ms.
Relations among Features
 Link aggregation, UAPS and STP/RSTP belong to different uplink protection

mechanism. They cannot be supported synchronously.
 ZXA10 C300/C320 supports UAPS mechanism.
 UAPS works in dual uplink scenario: Normally one link works at active mode
while another link works at backup state; when main link breaks down, backup

link will be switched on automatically, and active link can be switched back
after it is resumed.
 Link state can be inspected by physical layer information or link layer (802.3AD,
BFD) information.
 ZXA10 C300/C320 also supports switching UAPS links manually for the
convenience of installation and test.
12 Access Security
 Access Security Overview
Rapid development of access network not only brings increase of users, but also
increases the possibility of attacking. With the widely usage of the Ethernet and IP
technology, the access network security is becoming more important. The security
related problems have frequently happened such as sniffering other users’
information, spoofing of service, attacking with Denial of Service and so on.
The common concerns of the equipment vendors and the carriers are included as
below:
 To provide a Carrier-class access network
 To provide a secured access service for users
 To detect illegal services
 To ensure the normal network operation
ZXA10 C300/C320 provides the following two sets of access security solutions:
 User access security: Including user ID technology, MAC security technology,

IP security technology, excessive and illegal packets suppression and
multicast service security.
 System security: Including control plane rate limitation, anti-DoS attack,

managed ACL, administrator authentication technology and so on.

12.1 User Isolation
12.1.1 Introduction
 Description
Services for different users will not be interacted each other by using user isolation.
 Target
Two targets need to be met: one is to protect the security of user ’s data and make
sure it will not be sniffered illegally; another one is to control user’s access so as to
ensure user’s access security is not attacked by other malicious users.
Features of user isolation implemented in ZXA10 C300/C320 are listed below:
 VLAN isolation by allocating different users with different VLAN
 Port isolation for users in different ports.
 Service flow isolation in same port for different users by VLAN in layer 2
User isolation can be configured to be enable/disable based on port or VLAN.
MAC address is published openly in Ethernet, which make it convenient for

malicious users to get other user’s MAC address and IP address with scanning
tools. Legal user’s private information can be stolen illegally by listening packages.
Legal user’s private information can be prevented from leaking by VLAN or port
isolation.
 Solution
Implementation of isolation for different users (ONUs):
 Just as shown in Figure 47, ONU1 and ONU2 can visit each other freely as
they are configured into the same interoperative group while ONU3 is

completely isolated from ONU1 and ONU2 as it is not in this interoperative

group.
 All ONUs are configured to be isolated as default.
Figure 12-1 Implementation of isolation for different users (ONUs)
OLT Interface
Onu1 Onu2 Onu3
Interoperation Service Flow
Isolation Service Flow
Implementation of isolation for different service flows with different users:
Just as shown in Figure 12-2, each ONU has 3 service flows: VLAN1, VLAN2 and
VLAN3. VLAN1 service flow can be accessed in ONU1, ONU2 and ONU3, while
VLAN2 and VLAn3 service flows are isolated among ONU1, ONU2 and ONU3 by
VLAN isolation.
All VLAN services are configured to be isolated as default.
Figure 12-2 Implementation of isolation for different service flows with different users
OLT Interface
Onu1 Onu2 Onu3
Vlan1 Interoperation Service Flow
Vlan2 Isolation Service Flow
Vlan3 Isolation Service Flow

12.2 Port Location
12.2.1 Introduction
 Target
User identification and authentication technologies, such as PPPoE and DHCP,

have been matured and used widely. The main concern in telecommunication
industry is user port identification, also known as user line identification. If the user
can only be identified by user name in authentication server, that user can share its
user name and password so other users can access the network by the same,
which is not what the carriers expected and will suffer huge losses.
The user identification technology is the perfect choice for blocking the illegal
access.
 User ID (Port Location) technologies, including DHCP Option 82 and PPPoE+,

to provide multiple user ports (or user lines) identifying solutions.
 Port locating function based on global or port enabling configuration.
 Glossary
PPPoE＋: PPPoE Intermediate agent
DHCP Option82: A specific application of DHCP agent, which is defined in RFC

3046.
The interaction flowchart of DHCP Option 82 is shown in Figure 12-3.

Figure 12-3 DHCP Option 82 Interaction Flowchart
In the DHCP application scenario defined by RFC 3046, Option82 is inserted in

each DHCP discover packet and each DHCP request packet with the content of
Circuit ID and Remote ID (user access line identifier), and then is transmitted to a
DHCP or a RADIUS server for authentication, authorization, billing and so on.
Port locating implementation through DHCP Option82 is an extension on the

original DHCP without an extra protocol interaction. It can be implemented
effectively but has no influence on user’s services.
DHCP Option82 frame format is shown in Figure 12-4
Figure 12-4 DHCP Option82 Frame Format
The field N indicates the length of the relay agent fields. The relay agent field
consists of sub-option, length, sub-option value and is encoded in a certain format,
as shown in Figure 12-5

Figure 12-5 Relay Agent Fields Format
 PPPoE Intermediate Agent
PPPoE+ interaction flowchart is shown in Figure 12-6
Figure 12-6 PPPoE+ Interaction Flowchart
PPPoE Intermediate agent is implemented by ZXA10 C300/C320 to modify PPPoE

packets.
Port locating implementation through PPPoE is an extension on the original

PPPoE without an extra protocol interaction. It can be implemented effectively but
has no influence on user’s services.
PPPOE+ option is added to the end of the PPPoE packet, as shown inFigure 12-7

Figure 12-7 PPPoE+ Frame Format
12.3 MAC Security Technology
12.3.1 Introduction
 Target
MAC security is used for user security.
 Support multiple types of MAC security technology to implement MAC address

protection and anti-spoofing.
 Support MAC Anti-flooding, MAC Anti-spoofing etc.
 Static MAC address binding/filtering
 MAC Anti-flooding

Malicious users attack the access equipment by constructing packets with dynamic
source MAC addresses to exhaust the MAC addresses. Legitimate services will be
affected because MAC address forwarding table in the access equipment is full
and new MAC address can not be learned, so legitimate user’s packets will be
discarded or flooded.
The MAC anti-flooding function in ZXA10 C300/C320 will effectively resist the
malicious user’s DoS attacks by preventing the MAC addresses numbers to be
automatically learned on each port.
If the MAC addresses learned by port which are less than configured, new users’
MAC addresses will be automatically learned and users’ packets will be forwarded
by ZXA10 C300/C320 forwarding module. On the contrary, if the MAC addresses
learned by port which are more than configured, new MAC addresses will be
ignored until the old MAC addresses are aged out and the packets will be
discarded.
Static MAC addresses and dynamic MAC addresses will be counted together when
MAC anti-flooding function is enabled in ZXA10 C300/C320.
 MAC Anti-spoofing
The following two serious security problems need to be solved in broadband

services:
 Physical loops may be formed either at the user side equipment or at the
network side switch, which caused large abnormal traffics in OLT equipment.
OLT will fail to learn the MAＣaddresses functionally so no user will be able to
access the network.
which has two types as below:
 User MAC address spoofing
 MAC-address-spoofing from upper network service server, such as BRAS,

DHCP Server/Relay etc.
The mean reason of these problems is the repeated MAC addresses which cause
the migration of the switching chip MAC address learning and some users will fail
to access the network.

In order to prevent from MAC address spoofing and physical loops, MAC
anti-spoofing/anti-migration and protection function at the network side are
enabled in ZXA10 C300/C320 automatically.
Suppose the MAC address, which is initially learned on Port A, appears on Port B,
following procedures will be implemented in ZXA10 C300/C320 as below:
 If both Port A and Port B are UNIs, the MAC address won’t be migrated.
 If Port A is a NNI and Port B is a UNI, the MAC address won’t be migrated.
 If Port A is a UNI and Port B is a NNI, the MAC address will be migrated to Port
B.
Packets will be discarded or flooded when the MAC spoofing or migration, is

detected in ZXA10 C300/C320.
 Static MAC address binding/filtering
Static MAC address binding refers to that the MAC address of a known device is
statically bound to the port of the OLT device and the Allow mode is set. The MAC
address is not allowed to be learnt and will not age, so that other devices cannot
imitate it. Static MAC address filtering refers to that the MAC address of a known
device is statically bound to the port of the OLT device and the Forbid mode is set.
Data flows of the source MAC address will be discarded on the port.
12.4 vMAC
12.4.1 Introduction
 Target
Each MAC address on a Layer 2 network must be unique. The MAC address
allocation mechanism ensures global uniqueness of each address. However,
hackers use scanning tools to obtain existing MAC addresses, which allow hackers
to impersonate genuine users. The impersonation of a MAC address is known as
MAC spoofing. Duplicate MAC addresses exist in MAC spoofing; the same MAC
address appears on different ports of a switch, causing a MAC address transfer on
the switch. As a result, data is sent to the hacker's device instead of to the genuine
user.

Generally, operators control the aggregation network directly, which protects

against MAC spoofing or duplication. The end-user system, constituted by a large
number of users, is hard to control, because the MAC addresses of end-users are
not trustworthy to carriers. Virtual media access control (VMAC) provides carriers
another way to protect against MAC spoofing and duplication.
The C300/C320 device supports source MAC address conversion. In the upstream
direction, the device uses the converted source MAC address to communicate with
the BNG server, and in the downstream direction, the device converts the source
MAC address reversely and sends data from the server to the user. The
C300/C320 device generates and coverts MAC addresses, ensuring the converted
MAC addresses are secure and unique. Users and servers are not perceptible to
the conversion operation. This technology is called virtual MAC.
The C300/C320 device supports the following two vMAC conversion modes:
1:1 vMAC: The C300/C320 device converts source MAC addresses on the user
side to new vMAC addresses, each of which is unique, in the ratio of one to one.
N:1 vMAC: The C300/C320 device converts a set of source MAC addresses on the
user side with the same features to a new vMAC address that is unique.
The basic principle of vMAC technology is shown in the following Figure 12-8:

Figure 12-8 The basic principle of vMAC technology
BNG device, source BNG device, source

MAC=Y MAC=Y
The vMAC function is

MAC table =Y enabled. MAC table =Y
OLT OLT
MAC table =A MAC table =B MAC table =vA MAC table =vB
User A, source MAC=A User B, source MAC=B User A, source MAC=A User B, source MAC=B
12.5 IP Security Technology
12.5.1 Introduction
 Target
IP spoofing exists in various IPoE access scenarios, including fabricating other’s IP

addresses, spoofing of services, or breakthrough the network without obtaining the
configuration information through DHCP, which hinder carrier’s management and
influence legitimate subscribers services, and threaten the security of subscribers
and the system.
ZXA10 C300/C320 provides IP security technology, which can effectively prevent

illegal users from IP spoofing.
 Abundant IP security technology which effectively protects IP address.
 Protections including DHCP Snooping and DHCP Source Guard.

The IP security technology includes the following:
DHCP Snooping
 In IPoE access scenarios, illegal behavior including fabricating other’s IP

addresses, snooping of service, or breakthrough the network without obtaining
the configuration information through DHCP which severely hinder the
operators uniform management and influence the legitimate subscriber’s
services, and also threaten the security of the subscribers and the system.
DHCP snooping technology is supported in ZXA10 C300/C320:
 DHCP snooping is a DHCP security feature. DHCP snooping filters

untrustworth DHCP messages from unreliable DHCP area by establishing and
maintaining DHCP snooping binding table.
 DHCP snooping binding table inspects the messages from the unreliable area,
such as the user MAC addresses, IP address, leased time, VLAN-ID interface
and so on. Items in DHCP snooping binding table will be aged according to the
leased time.
 Maintenance of the DHCP snooping binding table includes listening to the

messages such as DHCP request, DHCP ACK, DHCP NAK, DHCP decline
and DHCP release.
 DHCP snooping binding table in ZXA10 C300/C320 can be saved in the flash.
System will read the backup message from the flash after it is rebooted to
avoid abnormal services when the user's IP address is not released.
Content of the DHCP snooping binding table is listed in Table 4-1
Table 12-1 DHCP Snooping Binding Table
Fields Description
PORT Port No.(including field for ONUID)
PVC PVCID

Fields Description
MAC Source MAC Address
IP User IP Address
Leadse-time IP Address Lease-time
XID Transaction ID
TimeStamp Time Stamp
Vid VLAN-ID
Gard Binding IP Identifier
AgeTime Aging Time
IP Source Guard
 The IP source guard technology relies on the DHCP Snooping binding table
established and maintained by the DHCP snooping. The non-DHCP IP
packets on this port are filtered with its source IP addresses in this method.
 ZXA10 C300/C320 listens to the protocol packets from and to the users and
the DHCP Server/Relay. Before the user gets the configuration information,
the upstream packets are to be discarded but it will keep the DHCP protocol
packets. Once ZXA10 C300/C320 detects DHCP ACK packets, it binds the
distributed IP, user's MAC address to the user port and enables to transmit the
upstream data packets. Meanwhile, it guarantees the consistency between the
upstream data packets and the bound IP, user MAC, otherwise it discards the
packets. When the DHCP leased time is expired, the bound are to be
cancelled, and the transmission of the upstream non-DHCP packets are to be
suspended.
 The application of IP Source Guard on ZXA10 C300/C320 effectively avoids

the IP address spoof and malicious users DoS attack. It greatly improves the
security of the equipment operation.

12.6 Packets Suppression and Filtering
12.6.1 Introduction
 Target
As there is no restriction to the users, some users transmit the illegal protocol
packets upwards, which deteriorate the network equipment processing
performance. Sometimes, it will cause the system disordered, even the system
shutdown. If the malicious users excessively transmit protocol packets,
broadcasting packets upwards, no matter legal or illegal ones, the system
performance will still be deteriorated. The processing of the protocol and
broadcasting packets consume a great deal of equipment resources. ZXA10
C300/C320 supports suppression of excess packets and illegal packets to
strengthen the protection on the security of the system and the users.
ZXA10 C300/C320 supports excessive packets suppression as follows:
 Suppress excessive protocol packets
 Supress excessive broadcasting packets
 Supress excessive multicasting packets
 Supress excessive packets with different source MAC addresses
ZXA10 C300/C320 supports illegal packets filtering as follows:
 Filter packets with illegal source MAC addresses
 Filter pIllegal protocol packets
 Fiter jumbo packets, mini packets or packets with checksum error
The packets suppression and filtering principle includes the following:
Packets Suppression

 If illegal users excessively transmit protocol and broadcasting packets to

upstream, no matter legal or illegal, they consume a great amount of system
resources and deteriorate the equipment services.
 On the downstream, duo to the network complexity, ZXA10 C300/C320 may

transmit excessive packets although it controlled network. The related
protection should also be taken.
ZXA10 C300/C320 supports excessive packets suppression as follows:
 Supress excessive protocol packets
 Supress excessive broadcast packets
 Supress excessive multicast packets
 Supress excessive packets with different source MAC addresses
 Processing the top three types of methods consume a great deal of equipment
resources while the fouth method consumes the limited resources of the MAC
address table, therefore all four excessive packets need to be controlled. .
The process of the top three excessive packets supression as follows:
 Match the specific packets features: specific protocol packets, broadcast ing
packets (or some with more specific features), multicasting packets (or some
with more specific features).
 Count the transmission rate of these packets.
 It the transmission rate exceeds the predefined rate, discard the packets.
 Processing the fouth excessive packets suppression is relavitvely simple

which is to define the maximum MAC address on user side port Once the port
reaches the number of pre-defined MAC address, the consequent packets with
new MAC address will be discarded.
 Illegal Packets Filtering

 As users are not restricted to construct networks by themselves, some

malicious users transmit some illegal protocol packets upwards which
deteriorate ZXA10 C300/C320 equipment processing performance.
Sometimes, it will cause the system disordered, even shut the system down.
ZXA10 C300/C320 supports the illegal packets filtering as follows:
 Illegal source MAC address packets:
 The source MAC address can not be a broadcasting or multicasting address,

or some predefined MAC addresses which are conserved for specific purpose.
 Illegal protocol packets:
 To analyze the application security:
 The upstream IGMP shouldn't have Query packets, and the downstream
shouldn't have the Report/Leave/Join packets.
 The upstream DHCP shouldn't have Offer/ACK packets, and the downstream
shouldn't have the Discover/Request packets.
 The upstream PPPoE shouldn't have PADO and PADS packets, while the
downstream shouldn't have PADI and PADR packets.
 To ensure the application security, the above mentioned packets should be

filtered.
 Jumbo packets, mini packets or packets with checksum error
 Generally, packet length less than 65 bytes are mini packets; those more than
1518 bytes are jumbo packets. In some specific situation, the length of the
jumbo frame can be as long as 9K bytes.
 Jumbo, mini packets or packets with checksum error should be filtered.

12.7 System Security
12.7.1 Introduction
 Target
To avoid maliscious user attacking the equipments, ZXA10 C300/C320 provides a

powerful security protection mechanism in various aspects to effectively guarantee
users security and strengthen the stability of system operation.
ZXA10 C300/C320 provides the following security protection mechanism:
 ACL on the management channel
 Packets suppression on the management channel: Supports general rate

limitation on the management channel and implement the following nine
protocols, such as ARP, BPDU, CFM, DHCP, ICMP, IGMP, PPPoE, SNMP,
VBAS etc.
 Anti-DoS attack on the management channel: Count on the basis of the user
source MAC, the user packets are not allowed to be sent to the management
channel if the source MAC exceeds a certain threshold.
 SSH
 Multi-level management on user’s authority protection and authentication

(local and remote)
 ACL on the Management Channel
 ACL is used to classify data packets based on series of matching conditions

and then to decide the policy to process the data packets (to accept or to
discard). Thereby, it effectively restricts the network access of external
equipment to ZXA10 C300/C320 equipment.

 ACL on the management channel is a special accessing policy for the network
management channel. The ZXA10 C300/C320 configures an IP address white
list. Only the hosts with the IP addresses on the white list can manage ZXA10
C300/C320. The management requested from other hosts is to be refused.
 Packets Rate Limit on the Management Channel
 ZXA10 C300/C320 effectively controls illegal packets on the system through

the ACL on the management channel. Along with the broadcast storm
suppression, the ACL on the management channel is used to effectively
control excessive attacks on the system to significantly improve the system
security.
 ZXA10 C300/C320 controls the packet number accessing the system by

limiting packet rate on the management channel. It keeps consumption of
system resources under safe threshold to ensure normal operation of the
services.
 In-band configuration supports the rate limit on all packets and the other nine
packet types, such as ARP, BPDU, CFM, DHCP, ICMP, IGMP, PPPoE, SNMP,
VBAS etc. The out-of-band configuration supports the rate limitation on all
packets and packets types of ARP and ICMP.
 SSH
 SSH is used to provide secure remote login and network services on unsecure
network. The transmitted data can be encrypted through SSH, which
effectively prevents from middleman attacks, DNS spoofing and IP spoofing.
The application of SSH accelerates transmission speed as the transmitted
data are compressed.
Figure 12-9 shows ZXA10 C300/C320 SSH module position in the system.

Figure 12-9 SSH Module Position
SFTP
 Anti-DoS Attack on the Management Channel
 After enabling the anti-DoS function, the system dynamically counts the
packets transmitted to the management channel. It defines the users who
transmit excessive packets as MAC blacklist users and adds them to the
blacklist, sends trap alarms to them and discards their packets. If the packets
transmitted are less than 3 times of the normal packets value, check if the user
is on the blacklist. If the user is not the blacklist, the packets are transmitted to
the upper layer normally, otherwise the packets are discarded. The lower -layer
forwarding platform forwards the user packets normally.
 The system periodically checks the statistics value and the blacklist. If the
user's MAC address ages out, remove the users from the blacklist. If the
statistics value is less than or equal to the normal value, the users will also be
cancelled from the blacklist. And their packets will be transmitted to the
management channel regularly.
 Multi-level Management User Authority Protection and Authentication
 ZXA10 C300/C320 supports multi-level management user authority: common

user mode and privilege user mode.
 In the common user mode, users can only view the configuration but cannot
modify any configuration. In the privilege user mode, users can view and
modify the configuration.
 ZXA10 C300/C320 can create several common user accounts. The user can
login the system through the authenticated username and password. The

system creates a privilege user by default. Administer cannot add new

privilege users but can modify the login password of the privilege user.
 ZXA10 C300/C320 supports local and remote management user

authentication. When the system is configured to authenticate the user locally,
system saves the authorization list of the username and password locally and
authenticates the intended usernames and passwords. When ZXA10
C300/C320 is configured to the remote authentication mode, the system will
create a RADIUS client to communicate with the remote RADIUS server when
the administrators login. It transmits the input username and password to the
RADIUS server for authentication and decides whether to allow the user
access based on the authentication result returned from the server or not.
12.8 MAC Forced Forwarding
12.8.1 Introduction
 Target
In N:1 VLAN forwarding mode, the user can communicate with each other on
layer-2, especially using ARP broadcasting packets.
MAC-Forced Forwarding (MACFF) is used to control unwanted broadcasting traffic

and host-to-host communication in N:1 VLAN domain. By replying the user ARP
request of the other host with the gateway MAC address, the OLT can direct
network traffic from hosts located on the same subnet but at different locations to
an upstream gateway device at layer-3 based on the IP header of the host packet.
This provides security at layer-2 as no traffic is able to pass directly between the
hosts.
MACFF is an enhanced security feature in VLAN and each MACFF VLAN can
have only one gateway IP. ZXA10 C300/C320 supports 16 MACFF VLANs.

12.8.2 Basic Theory
In traditional Ethernet network topology, VLAN is used on switch to separate the

hosts on layer-2 and enable the communication between layer-3 hosts. However,
when the number of hosts increases, the number of VLANs used also increases.
Also, it is required to assign different IP segments to each VLAN for Layer 3
communication, so the IPaddress distribution efficiency decreases.
To increase the efficiency, MACFF provides the solution to realize layer-2 and
layer-3 communication between the hosts within a broadcast domain.
MACFF captures ARP request message from Host, through ARP proxy and the
ARP response message is sent back with gateway MAC address. Using this, all
streams (with a subnet) are routed through gateway, so that the gateway can
supervise the stream. As a result, a more secured network is ensured.
As shown in Figure 12-10, Switch A and Switch B are Ethernet Access Nodes
(EAN) and a connection between the hosts (Switch A and Switch B) and Switch C
is setup. If the user configures the MACFF feature on EAN, it ensures that all the
streams from host (Switch A and Switch B) are transferred to the gateway through
Switch C and the layer-3 communication and layer-3 separation is also ensured.
Figure 12-10 MAC Forced Forwarding Implementation Mechanism
For Host A, the MAC address of Host B is same as the gateway address, which
ensures that Host A and Host B are in the same segment, having the same VLAN.
The communication between them passes through the gateway, while they are
separated on layer-2 level.
The current MACFF has two modes:

 Manual Mode – the host IP address is set manually.
 Auto Mode – the host IP address is obtained by DHCP automatically.
12.9 DHCP Snooping and DAI
12.9.1 Introduction
 Description
DHCP snooping is applied to ensure security. DHCP snooping listens to the DHCP
exchange procedure of a specific ONT in a VLAN specified by ZXA10 C300/C320
and records the user IP/MAC relation of the ONT.
DAI is Dynamic ARP Inspection. If manipulated ARP requests or ARP responses

are received, whose IP-MAC assignment does not match an entry in the DHCP
Snooping Table, they must be rejected.
 Target
The DHCP snooping has the following functions:
 Administrator can view the user DHCP exchange relation through the DHCP
snooping function to locate the protocol problems of the user DHCP access
and finally exclude the fault.
 Administrator can locate the accessed user through IP through DHCP

snooping function if necessary so as to take further measures.
 The DHCP snooping can generate dynamic user IP/MAC database. Combine
it with the DAI function exchanged on the layer-3 to implement user IP
anti-spoofing function.
 Besides dynamic IP/MAＣtable, static IP/MAC table is also supported in DHCP

snooping by binding MAC address, IP address, ONT ID and VLAN ID via
command line, and provides supports for IP Anti-Spoofing.

DHCP snooping has the following functions:
 It can be globally enabled.
 It can be enabled on VLAN and ONT.
 It has a database recording the binding relation between ONT and user
IP/MAC.
 It can be configured by adding binding of user’s MAC, IP, ONT Id and VLAN.
 It provides various querying functions.
 It combines the DAI function to implement the anti-spoofing function of user IP

address.
 Application Scenarios
On the layer-2 networking condition, DHCP snooping is implemented with a

specified VLAN to record the IP/MAC binding relation of the user.
On the layer-3 networking condition, ARP learning of the layer-3 interface VLAN is
disabled at the user side and the DHCP of the VLAN is enabled at the user side.
The user IP/MAC information learnt is set to the ARP table of the layer-3 interface
VLAN. DAI function is enabled to control user ARP.
Thus, it prevents the route forwarding of the user with an illegal IP address and the
illegal user with legitimate user IP address (but with different MAC) to implement
the anti-spoofing function of the IP address.
12.9.2 Basic Theory
On the layer-3 networking condition, ZXA10 C300/C320 enables DHCP snooping

on the VLAN10, as shown in Figure 12-11. Only after the user is assigned with
addresses the user IP/MAC information can be recorded. When detecting the user
is offline, ZXA10 C300/C320 deletes the user IP/MAC information.

12.10 Rogue ONU Detection
 Target
The rogue ONU detection is a feature for detecting and isolating ONUs that send
optical signals in timeslots other than specified. .
GPON uses time division multiplexing (TDM) mechanism in the upstream direction.
Each ONU sends data upstream to the OLT at its own timeslot allocated by the
OLT. If an ONU sends optical signals at other ONUs' timeslots, the optical signals
of the ONU conflicts with those sent by other ONUs. As a result, the ommunication
of between the OLT and another ONU or all the ONUs is affected. Such an ONU
that sends optical signals upstream not at its allocated timeslot is called a rogue
ONU.
There are many types of rogue ONUs. Based on the time of optical signal
transmission, rogue ONUs can be classified into:

 Continuous-mode ONUs: ONUs transmitting optical signals continuously. After

detecting a continuous-mode ONU, an OLT issues an instruction to isolate this
ONU.
 Irregular-mode ONUs: ONUs transmitting optical signals in a period other than

specified, such as at a premature time or in a prolonged period. After automatically
detecting itself as an irregular-mode ONU, an ONU automatically isolates itself.
 The OLT detects a rogue ONU
 The OLT isolates the rogue ONU to ensure the normal services of other ONUs
 .The OLT reports information about the faulty ONU to the NMS for the
operation, administration and maintenance (OAM) personnel to rectify the fault
in time.
The OLT supports the detection of rogue ONUs. It keeps monitoring signals in the
upstream direction in real time, which helps locate the rogue ONU. It can also control the
power of the optical transmitter (Tx) of the ONU PON interface.
When the OLT detects a rogue ONU or needs to diagnose the optical link, it can turn off
the optical transmitter power of the specific ONU by sending the Disable_Serial_Number
message (the third byte is 0x0FF) with the ―disable‖ option, or the optical transmitter
power supplies of all ONUs by sending the the Disable_Serial_Number message (the
third byte is 0x0F) with the ―disable‖ option, and can turn on the optical transmitter power
of the specific ONU by sending the disable_Serial_Number message (the third byte is
0x00) with the ―enable‖ option. After being restarted, the ONU in O7 status will remain in
O7 status and ensure its optical transmitter power is in Off status.
In the detection of rogue ONUs, the rogue ONU can be located by turning on and off the
optical transmitter power of the specific ONU in turn through the Disable_Serial_Number
message. The rogue ONU will turn off the optical transmitter power and go into O7 status
after receiving the Disable_Serial_Number (0xFF) message. When the OLT determines

the ONU is a rogue ONU, it will not send the Disable_Serial_Number (0x00) message to
the ONU, so the ONU will remain in O7 status and the power is off. Normal ONUs will be
restored to O2 status after receiving the Disable_Serial_Number (0xFF and 0x00)
message and then activated normally. Under special conditions, the OLT sends the
Disable_Serial_Number (0xFF and 0x00) message, but an ONU turns off the power
before receiving the Disable_Serial_Number (0x00) message. Therefore, the ONU will
remain in O7 status. After locating the rogue ONU and turning off the optical transmitter
power, the OLT should be able to turn on the optical transmitter power of the ONU and
make it go back to O2 status (the ONU is then activated, and the OLT can receive the
Serial_ Number_ONU message from the ONU).
In the detection of rogue ONUs, the OLT can record that the Disable_Serial_Number
message is sent to which ONUs that are connected to a PON interface. After completing
the detection, in accordance with the record, the OLT periodically sends the Disable
Serial Number (0x00) message to the ONUs, which receive the Disable_Serial_Number
(0xFF and 0x00) message but are not activated normally (the OLT does not receive the
Serial_Number_ONU message from the ONUs), to turn on their optical transmitter power
supplies. The period (Timer1) is the same for all possible ONUs, and the time is
configurable. The default is 30 s. When the OLT detects the Serial_Number_ONU
message from an ONU, it stops sending the Disable Serial Number message to the
ONU.
13 ACL
13.1 Introduction
 Description
ACL is to classify and filter the packets accessed to the equipment according to the
predefined matching rules.
 Target

ACL classification of data packets can be the reference to the subsequent QoS
process and is the prerequisite for the system to provide efficient and differentiated
services.
ZXA10 C300/C320 supports 4 types ACLs, as shown in Table 4-1.
Table 13-1 4 Types of ACLs
Types Range Characteristics
Standard ACL 1 – 99 Matching rule: source

IP
Extended ACL 100 – 199 Matching rule: source

IP, destination IP, IP
protocol type, source
port, destination port
Link ACL 200 – 299 Matching rule: source

MAC, destination, CoS,
VLAN ID, Ethernet
protocol type
Hybrid ACL 300 – 700 Matching rule: free

combination of the 80
bytes in front of the
layer-2 data frame
Each ACL can define 128 rules and each type of ACL in system has maximum of
3500 rules.
Each port supports one ACL.
 Glossary
Rule: To distinguish and identify the keywords of the data packets.
ACL: A sequential list of a series of rules and each rule decides an action to be
triggered once that rule is matched in ACL.

Actions adopted include forwarding, discarding, mirroring, redirecting, retagging

priority, retagging VLAN, counting and limiting rate.
The ACL processes data packets that access the equipment, as shown in Figure
13-1.
Figure 13-1 ACL Processing Principle
The ACL protocol has the following principles:
 Match the data steam with rules in ACL in sequence. If the data steam
matches with a certain rule, related actions will be triggered and other rules will
not need to be matched. If the related action is to forward it, the subsequent
QoS processing is to be implemented.
 QoS subsequent processes include the following:

Retagging priority: Tag the packet matched with the rules with priorities of TOS,
DSCP, CoS.
Retagging VLAN: Modify the VLAN ID of the packet matched with the rules.
Statistics: Count the data stream of the packet matched with the rules.
Limiting the rate: To limit the traffic rate of data stream matching with rules. Single
rate three color algorithms and the double rates three color algorithm will be used
in rate limitation.
Mirroring: Copy a packet matched with the rules to a specified port.
Redirection: Forward the packets matched with the rules to the specified ports.
 Data stream is to be discarded if rules are not matched or the specified action
related to match rule is discarding.
14 TDM Circuit Emulation
14.1 Introduction
 Description
CES (circuit Emulation Services) is used to support traditional TDM service over
PSN in xPON system.
 Target
The advantages of the low operation cost and the sole network management of the
PSN can extend the service scope of TDM for the operators.
The CES has the following features:
 Support 32*E1/T1 interfaces and STM-1/OC-3, STM-4/OC-12 interfaces.
 Support structured/unstructured data transfer for E1 stream.

 Support transparent and termination mode for TDM traffic.
 Support Ethernet, IP and MPLS encapsulation format for CES services.
 Support Differential Timing and Adaptive Timing mode for service clock
synchronization..
CES services Basic Theory is as follows:
 TDM is still the core switching technology at the heart of the

telecommunication networks, Ethernet/IP is the dominant packet technology in
metro and access networks.
 CES services perform seamless transmission of traffic, timing & signalling of

TDM-based connections across a managed Packet Switched Network (PSN)
 Pseudo Wires create a transparent tunnel for all Layer 2 TDM information over
managed MPLS, IP or Ethernet networks
 CESoP, also known as TDM-over-packet, is used to provide a bridge on the

PSN to implement TDM service, as shown in Figure 1. At the entrance of PSN,
CES modules transfer the TDM data to be a series of packets. While at the exit
of the PSN, the series of packets are applied to regenerate a TDM circuit.
 Figure 14-1 shows the principle to implement CES.
Figure 14-1 principle to implement CES

15 Clock and Time
15.1 Frequency Synchronization module
15.1.1 Introduction
 Description
OLT Frequency Synchronization module can recover the frequency from all uplink
ports and T12 clock ports, and then select the best one as system clock based on
the Clock-source quality-level.
 Target
ZXA10 C300/C320 supports network synchronization with master-slave

architecture. GPON System can provide the frequency and phase synchronization
for business customers and Node B backhauling.
ZXA10 C300/C320 supports the following features of the Frequency

Synchronization module:
 System Clock input can be selected from two T12 ports (or E12
ports) , all 1GE ports, all 10GE port or all CES ports.
 All 1GE and 10GE uplinks (NNI) can act as timing input for EEC frequency
synchronization via SyncE including Ethernet Synchronization Message
Channel (ESMC) with Synchronization Status Message (SSM) – Quality Level
(QL) according to G.8261, G.8262 and G.8264.
 Support ITU-T G.781 /G.783 (Synchronization layer functions)
 Support frequency accuracy with +/- 4.6 ppm for entire span time under
hold-over conditions
 Support frequency accuracy with +/- 4.6 ppm for entire span time under
free-running conditions

 Support two physical timing input T12 or E12 synchronization interfaces

according to ITU-T G.703
 The T12 port has the characteristics including impedance 120 ohm
non-earthed, symmetrical and short-circuits proof.
 T12 port’s jitter and wander tolerance according to G.813 (8. noise tolerance)
 Glossary
T12: Digital 2048 kHz clock interface
E12: 2048 Kbit/s interface
SyncE: Ethernet Physical Layer Synchronization
 Abbreviations
OLT: Optical Line Terminal
ONT: Optical Network Terminal
ESMC: Ethernet Synchronization Message Channel
SSM: Synchronization Status Message
QL: Quality Level
PRC: Primary Reference Clocks
SSU: Synchronization Supply Units
SEC: Synchronous Equipment Clocks or SDH Equipment Clocks
EEC: Ethernet Equipment Clocks
In case of frequency synchronization module, there are three types of clock source:
T12/E12 clock, SyncE clock or CES recovery clock. Those clock sources and clock
alarms from each line card connect to CPLDs in both active and standby switch
control card. Clock Selector in CPLD receives signal to switch the clock source, the
signal is calculated by SSM_QL algorithm and clock alarm. CPLD provides two
clock output to PLL: main clock source and backup clock source. If the main clock

source is abnormal, the PLL will use backup clock source. PLL output provides a
19.44M system clock to each line card. PLL has the hold-on and free-run function.
The following Figure 15-1 shows the architecture of the system frequency
synchronization function.
Figure 15-1 Frequency synchronization function Diagram
CES recover clock

SDH 16K clock
STM-1/E1/T1 LIU CPLD
LOS LOS
Main
control
GE SyncE clock 16K clock
Card
SyncE(GE) PHY CPLD Cpld
LOS LOS 8K clock
PLL
SELECT 8K clock
VCXO
10GE SyncE clock 16K clock
SyncE(10GE) PHY CPLD
LOS LOS
TCXO
compar +/-
2M clock 16K clock 4.6PPM
T12 ator
CPLD
T12/E12(RJ45) relay LOS
E12 2M clock
E12 LOS
LIU SSM
select
Software _QL
control module
priority
E12 E12 2M clock
T12/E12(RJ45)
relay LIU 2M clock
2M clock
T12 To line card
select
19.44M clock
GPON PLL
To GPON card
OLT
To GPON ONU MAC
15.2 Phase Synchronization module
15.2.1 Introduction
 Description
The OLT phase synchronization module can recover the 1PPS signal from the
uplink port according to IEEE 1588 V2 standard, or from the external 1PPS+TOD
interface, and then for GPON, the 1PPS information is transferred to ONU
according to G.984.3 Amendment 2. The ONU can provide 1PPS interface or 1588
active port to the mobile base station like LTE, CDMA2000 and TD SCDMA which
need the phase synchronization information. For P2P Ethernet port in OLT, each

port supports working at IEEE 1588V2 master mode and connects directly to base
station.
 Target
ZXA10 C300/C320 supports phase synchronization network to the mobile base

station.
ZXA10 C300/C320 supports the following features of the phase synchronization

module:
 The OLT has an IEEE1588-2008 Slave (SOOC) for phase extraction from
uplink signals.
 The OLT has a 1PPS output from the selected IEEE1588-2008 signal
received.
 The phase transfers between the OLT and the ONU. The GPON build-in time
transfer mechanism bases on G.984.3 Amendment 2 (11/2009).
 The phase transfers between the P2P interfaces through IEEE 1588V2
 The phase synchronization via IEEE1588-2008 is implemented in addition to

frequency synchronization
 The phase synchronization accuracy between the OLT and the ONU is +/-
50ns.
 Glossary
1PPS: one pulse per second
 Abbreviations
LTE: Long Term Evolution
BC: Boundary Clock
TC: Transparent Clock
SOOC: Slave Only Ordinary Clock

MOOC: Master Only Ordinary Clock
PRTC: Primary Reference Time Clock
The system can receive 1588v2 Ethernet packet from all 1GE and 10GE ports. The
main switch control card has 1588 slave function, which can recover 1PPS from
the 1588 signal. The main switch control card sends the 1PPS signal to each line
card. The GPON OLT MAC receives the 1PPS and uses time transferring
mechanism according to G.984.3 Amendment 2 to transfer phase synchronization
information to the ONU. Figure 15-2 shows the architecture of the system phase
synchronization over GPON function.
Figure 15-2 Phase synchronization over GPON function Diagram
GE SyncE clock 16K clock

SyncE(GE) PHY LOS CPLD SELECT
LOS 8K clock
PLL
SSM 8K clock
16K clock
_QL VCXO
10GE SyncE clock module
SyncE(10GE) PHY CPLD
LOS LOS
TCXO
Ethernet traffic Ethernet traffic
19.44M clock
1588V2 packet 1588
Switch slave
1PPS GPON
OCXO OLT
MAC
splitter
1PPS (75o/120o) G.984.3

GPON
Amendment 2
1PPS ONU
MAC
1588
SyncE(1588V2) master
OCXO

15.3 NTP
15.3.1 Introduction
 Description
NTP protocol is designed to synchronize clocks of computers over the Internet. It

provides a time synchronization mechanism to distribute Coordinated Universal
Time (UTC) over the Internet. NTP requires an NTP server and NTP client in which
NTP server providing the time basis.
 Target
The ZXA10 C300/C320 implements the NTP client functions. It can synchronize
with the NTP server’s time with the precision of seconds.
The ZXA10 C300/C320 implements the NTP client functions only, which complies
with RFC5905 NTPv4 standard.
 Support the configuration of 5 different NTP servers.
 Support configurable interval between synchronizations
 In a failure of NTP, the local RTC(real time clock) will work in a free-running
mode, with the accuracy no worse than +/- 20ppm
 Abbreviations
NTP ：Network Time Protocol
As NTP client, the ZXA10 C300/C320 works in the following process:
 The ZXA10 C300/C320 sends an NTP request packet, including the

timestamp T1 that indicates the depart-time of the request packet.

 The NTP request packet arrives at the NTP server. The NTP server records
the arrival time T2 of the NTP request packet.
 The NTP server sends the NTP response packet, which contains timestamps
T2 and T3 (T3 is when the NTP response packet leaves the NTP server).
 The NTP response packet arrives at the ZXA10 C300/C320, and the ZXA10
C300/C320 records the arriving time T4.
The ZXA10 C300/C320 can calculate the transmission delay and clock offset
between the ZXA10 C300/C320 (NTP client) and NTP server. It then adjusts the
local clock to synchronize with the NTP server clock.
DELAY = (T4-T1) – (T3-T2)
OFFSET = ((T2-T1) + (T3-T4))/2
16 Power Saving
16.1 Introduction
 Description
There are three kinds of power saving measures in system including ONU Power
Saving Management, Line Card Power Saving Management and Port Power
Saving Management.
As for ONU Power Saving Management, three kinds of power saving mode,
including Fast Sleep Power Saving Mode, Deep Sleep Power Saving Mode,
Dozing Power Saving Mode and Power Shedding Mode, are supported according
to white paper in ITU-T G.Suppl. 45 ―GPON power conservation‖, and can be
configured at ONU level.
Line Card Power Saving Management and Port Power Saving Management are for
power saving measurements provided by OLT in line cards, PON interfaces and
uplink interfaces.
 Target

To provide implementations of green features of low power consumption, and have

no significant impact on user’s experiences.
ZXA10 C300/C320 supports three kinds of power saving measures including ONU
Power Saving Management, Line Card Power Saving Management and Port
Power Saving Management. Detail implementation of these measurements are
listed in the following:
 ONU Power Saving Management
 Fast Sleep Power Saving Mode,
 Deep Sleep Power Saving Mode,
 Dozing Power Saving Mode
 Power Shedding Mode.
 Line Card Power Saving Management：
 Power down of unconfigured service line card.
 Remote query for attributes of power off line card in Network Management
System (NMS).
 Port Power Saving Management：
 Closure of optical module in unconfigured service port.
 Auto Laser Shutdown (ALS) function.
 ONU Power Saving Management
 OLT support the following ONU Power Saving Modes Management: Fast
Sleep Power Saving Mode, Deep Sleep power saving Mode, Dozing Power
Saving Mode and Power Shedding Mode.

 Query and report of Power Saving Mode state are supported.
 Alarm suppressing in Power Saving Mode is supported.
 Line Card Power Saving Management
 Power down of unconfigured service line card
 Power down and power on are controlled by single chip in line card.
 Unconfigured service line card can be configured to Power Down mode and
main switch control card can send command to single chip in line card.
 Only single chip works when line card is configured in Power Down mode to
inspect configuration commands, while other parts of line card are in Power
Down state.
 Remote query for attributes of power off line card in NMS.
 Offline alarm of line card can be sent to NMS as long as Power Down
command is executed successfully by line card. Restore alarm will be sent to
NMS when line card powers on successfully and state of line card returns to
normal.
 Users can use NMS or CLI command (show card) to check if line card is at
Power Saving state.
 Port Power Saving Management
 Closure of optical module in unconfigured service port
 If optical port didn’t be used, Shut Down command can be applied to close
optical module.
 Auto closure function for Optical Module (ALS)
 ALS function at optical port can be enabled/disabled by command

configuration;
 Cycle of open/closure can be configured when ALS is enabled.

 Optical module will be opened and closed periodically after configured enable.
If no optical signal is received during open period, close period will be entered
alternately.
 If optical signal is received during open period, Normal Work mode will be
entered.
17 ODN Fault Diagnostic Management
17.1 Introduction
 Description
ZXA10 C300/C320 supports optical link fault diagnostics based on a flexible

mechanism to meet operator’s different deployment requirements. In order to cut
down the CAPEX of FTTX network and reduce the complexity of deployment,
ZXA10 C300/C320 supports the fault diagnosis on built-in OLS technology basis,
which can realize the fiber fault demarcation; meanwhile, for high accuracy fiber
maintenance requirement, ZXA10 C300/C320 also supports the fault diagnosis on
OTDR (Optical Time-Domain Reflectometer) technology basis, which can locate
the accurate fiber failure position.
 Target
ZXA10 C300/C320 supports the following fault diagnostic functions:
 Broadband Service Failure.
 It supports the diagnosis of FTTX based broadband service failures and the
diagnosis includes connectivity diagnosis, stability diagnosis and quality
diagnosis. In case that these service failures happen, it can start the diagnosis
and find out whether the failure is located in access layer; furthermore, for
access layer failures, it can still locate the accurate failure position or scope,
and propose the correct solution per the diagnosis result.
 Optical Link Failures.

 When the FTTX service failures are caused by optical fiber link, it can
diagnose the link and find out the most possible fault reason via OLS
technology.
 With the built-in OLS technology and expert knowledge supported, it can
realize the fiber fault demarcation, feeder fiber fault or distribution fiber fault
(inclusive of which branch fault); It can also detect the possible fiber fault
cause, fiber broken, power attenuation, or transceiver failures; and for the
possible faults detected, it can propose the correct solution per the diagnosis
result.
 With the external OTDR, it can perform high accurate fiber link fault diagnosis
to locate the real fault position and fault type or cause. The follow Table 17-1 is
the comparison between the OLS and OLS+OTDR.
Table 17-1 OTDR system function
Main Function OLS (Without OTDR) OLS+OTDR

Solution
Broken Line Detection ● ●
Line Attenuation Analysis ● ●
OLT/OLT Module ● ●
Abnormal
Main/Branch Line Fault ○ ●

Location
Constant Light ONU ● ●

Fault Diagnosis
Optical Line Monitoring ● ●

and Routing Test
Service Fault Diagnosis ● ●*

and Fast Solved
Service Performance ● ●*

Main Function OLS (Without OTDR) OLS+OTDR

Solution
Prediction
Service Optimization ● ●*
 support
 ○ not support
 * Pure OTDR solution cannot support these functions
 OUN fault diagnosis mainly includes MDU fault diagnosis, ONT fault diagnosis
and Rouge ONU diagnosis.
 In case that MDU subscriber encounters service failure, it can start the MDU
diagnosis remotely to determine whether MDU is power off or its uplink fiber is
broken, whether the configuration is correct and whether the user port status is
normal, and then as per the diagnosis result the related solution is proposed.
Meanwhile, the MDU failure information, diagnosis result and related
subscriber information can be forwarded to the concerned maintenance
engineer via e-mail or SMS to realize the proactive maintenance.
 In case of FTTH service failure, it can diagnose the ONT remotely to determine
whether ONT is power off or its uplink fiber is broken, whether the
configuration is correct and whether each UNI port status is normal, and then
as per the diagnosis result the related solution is proposed.
 It can determine whether ONU is experiencing a rogue ONU issue: if yes, it will
try to locate the rogue ONU and turn it off.
Fault diagnostic function has the following features:
 Increased Troubleshooting Efficiency
 Reduced Broadband Service Failure Rate

 Improved Service Capability of Broadband Network
 Easy to Use, Deploy and Expand
 Lower OPEX of Broadband Service
 Higher CSI and QoE
 Hardware and Software Requirement
The fault diagnostics function needs the high reliability server, and configure RAID
card and redundant hard disk for mirror mode storage. Based on the reliable server,
the storage redundancy assures the whole reliability further.
The fault diagnostic function mainly includes following eight function modules:
system administration module, integrated interface management module,
WEB-based GUI module, expert knowledge base module, fault diagnostics module,
performance prediction module and statistics and analysis module, and
optimization module. The relationship among the function modules is illustrated in
the following software architecture Figure 17-1.
Figure 17-1 Software Architecture of fault diagnostic system

System administration module mainly fulfills the system management function of

EasyOptical, including system configuration, security and log, and so on.
Integrated interface management module mainly fulfills the integrated

management of NBI and SBI interfaces. The SBI mainly consists of the interfaces
to PON EMS, to ACS (Auto Configuration Server), to OTDR and to OSW; while the
NBI mainly is the one to BOSS.
WEB-based GUI module is to realize the WEB interface for maintenance engineer
to conduct the diagnosis and related operations.
Fault diagnostics module mainly implements the intelligent diagnosis logic for the
related FTTX faults, including the network status analysis, alarm analysis, fault
analysis, diagnosis procedure generation and optimization, diagnosis result
generation and optimization, and so on.
Performance prediction module mainly monitors the FTTX network performance

and predicts the possible decline of system performance or subscriber service.
Statistics and analysis module mainly provides the statistics and report facility for
faults, diagnosis operations, historical performance data and related manpower
works.
Service optimization module mainly provides service capability evaluation and

optimization functions.
18 Environment Monitor
18.1 Introduction
 Description
This topic introduces ZXA10 C300/C320 environment monitoring functions.
 Target
The environment monitoring equipment performs monitoring on environment

parameters

monitoring temperature, humidity, flood, entrance-control and smoke and

dry-contact control inputs and outputs.
ZXA10 C320 provides various environment monitoring serial ports with RJ-45
connector: They connect with the environment monitoring module with dedicated
cables to collect various environment information from the environment monitoring
module, including temperature, humidity, power voltage, and smog to facilitate
system management and maintenance.
ZXA10 C300 environment and power monitoring card CICG/CICK provide the
following interfaces:
Figure 18-1 Interfaces Supported by Common Public Interface Card
Item Interface Description CICG CICK

No.
1 BITS clock input interface 2 1
2 BITS clock output interface 1 2
3 120 Ohm clock input interface 0 2
(RJ45)
4 120 Ohm clock output interface 0 1
(RJ45)
5 1PPS + TOD input interface 0 2
6 Out-of-band maintenance 1 1
interface
7 Pre-set interface 1 1
8 Public serial port 1 1
9 Pre-set maintenance serial port 1 1
10 Pre-set Boolean input interface 1 4
11 Pre-set Boolean output 1 4
interface
12 Temperature sensor interface 1 1
13 Humidity sensor interface 1 1
14 Smog sensor interface 1 1
15 Flood sensor interface 1 0
16 Door control sensor interface 1 1

19 Device management
19.1 Card Management
19.1.1 Introduction
 Description
Cards are the physical fundermental to implement various services. The card
management refers to the unified management of cards resources on ZXA10
C300.
 Target
Card management is used to promptly discover the change of the card running
status and thereby inform each service module without any delay. It presents to the
user with the card running status through running indicators especially alarm
indicators. The user can also query the card running status through the NM or
command lines.
 Adding, deleting and resetting line cards
 Manage the line card working status
 Alarm notification of the abnormal status
 Manage the card running status indicators
Card management aims at managing card resources by monitoring the card and
status information. It includes the following:

 If the user does not configure the card which is plugged in the shelf, the card
reports the alarm notification and informs the user to configure the card
correctly.
 It supports offline configuration on cards and informs the user if the configured
card is not available.
 Informs the service card to change status to online if the configured card runs
normally.
 Reports the alarm to the user if the configured card type is not consistent with
the card in actual environment.
19.2 Version Management
19.2.1 Introduction
 Description
Version management refers to the management of software version of card. It is

responsible for downloading, upgrading and synchronizing the software version of
all the cards.
 Target
ZXA10 C300/C320 implements downloading and upgrading of the card

BootRom/software version and synchronization of different versions of
active/standby main control and switch cards.
Version management has following features:
 ZXA10 C300/C320 uses FTP or SFTP to download version files.
 Supports related update simutaneously while the card version updates.

As the version files are downloaded through FTP or SFTP, it requires a host
enabled as FTP server and stored with version files. ZXA10 C300/C320 equipment
enables FTP client to complete downloading the version files from the FTP server.
Updating card version means to obtain the version from the main control&switch
card and to update running software in the local memory. The procedure is
completed through a self-defined private protocol and a server/client mechanism.
The server known as VN server is started on the main control&switch card while
the clients, known as VN clients, are started on other cards. In order to support the
related updates, all version downloading command and other relative updating
negotiation flow maintain a session status table. The session represents one
updating flow (possibly including several version files). It is a dynamic concept
including all the information exchanged during the version updating negotiation
and downloading. One session is identified with an ID. All the information related
with the session has the same ID. After the line card is powered on or the main
control&switch card delivers the version updating command, the VN server and the
VN client start the version negotiation flow between them to complete the version
information exchange and the version download.
19.3 SNMP Management
The Simple Network Management Protocol (SNMP) is a widely used network

management protocol in TCP/IP networks. It provides a method for managing network
resources by using a central computer (that is, network management workstation), on
which the network management software runs.
The C300/C320 V2.0 supports SNMP V1, SNMP V2c, and SNMP V3 Server. The SNMP
V3 is recommended. The specific mechanisms of each SNMP version follow relevant
standards.
19.4 In-Band Management VPN
The in-band management VPN refers to the carrier managing and maintaining devices
through the VPN network. The management protocol on devices can be forwarded by
using virtual routers.

19.4.1 Introduction
 Description
In the in-band management VPN, the associated in-band management protocols on the
device support the specified VPN instances so that management packets can be
received and forwarded using multiple virtual routes. In this way, the carrier can manage
and maintain remote devices through private IP addresses. This method not only saves
public IP addresses but also isolates the management network from the public network.
 Target
Both the in-band management server and client be able to receive the connection
requests and data packets from VPN, to achieve in-band management VPN.
The out-of-band management interfaces cannot be assigned to the VPN. They always
belong to the public network. Therefore, only the in-band interfaces support VPN
management.
The following servers can receive VPN requests:
 Telnet server
 SSH server
 SNMP AGENT
Note: The SSH server is recommended.
The following clients can receive VPN requests:
 FTP client
 SFTP client
 SNMP TRAP
 SYSLOG

 Telnet client
Note: The SFTP client is recommended.
VPN is a networking technology for encapsulating or encrypting private data and then
transmitting the data over the public network. With this technology, the security level of
the private network can be provided for the transmitted data and a private network can be
constructed based on the public network. VPN is a logical private network that provides
the functions of the private network. The network itself, however, is not an independent
physical network. In the IP bearer network, VPN is an important measure for logically
isolating services, preventing attacks, and helping implement QoS control.
A VPN instance is also called a VPN routing and forwarding table (VRF). Each router is
logically divided into multiple virtual routers, that is, multiple VRFs. Each VRF
corresponds to a VPN, and has its own routing table, forwarding table and corresponding
interfaces. In other words, one router that is shared by VPNs is simulated as multiple
dedicated routers, thereby isolating VPN routes. Devices that are grouped into a private
route exchange routing information of only the private route.
The in-band management VPN uses the VRF function and assigns the remote network
management and OLT to the same VPN. On the OLT, the management addresses and
VoIP addresses are assigned to different VRFs. In this way, the carrier ca n manage and
maintain remote devices through private IP addresses. This method saves public IP
addresses and isolates the management network from the public network.
19.5 SSH
19.5.1 Introduction
 Description
Secure Shell (SSH) is formulated by the IETF Network Working Group. Based on the
application layer and transport layer, SSH provides security for remote login session and
other network services.

 Target
Compared with the traditional network service programs that send passwords and data in
plaintext, SSH encrypts all the data before sending it. This avoids information disclosure
during remote management. Therefore, SSH is recommended. With the use of SSH, the
data transmission is speeded up because the data is compressed.
The relevant specifications of the feature are as follows:
 SSH 1.x and SSH 2.0.
 Radius authentication for user login in SSH mode.
 Four authentication modes: user password authentication, user public-key

authentication, user password and public-key authentication, and user
password/public-key authentication.
 AES, DES, 3DES, and BLOWFISH encryption algorithms for SSH login.
 A device can serve as an SSH server and at the same time as an SSH client to
log in to other devices.
An SSH server is a daemon running in the background. It responds to connection

requests from clients and processes remote connections, including public-key
authentication, key exchange, symmetric key encryption, and insecure connections.
An SSH client includes SSH programs and application programs such as slogin and sftp.
Viewed from a client, SSH provides the following two levels of security authentication:
 One is password-based security authentication. The client can log in to the remote
host only with an account and password. All the data is encrypted. But it cannot
ensure the server to be logged in is the desired server because another server may
imitate the desired server.

 The other is key-based security authentication. In this authentication mode, a pair of

keys (service key and host key) needs to be created, and the service key needs to
be placed on the server to be accessed. If a client wants to log in to the SSH server,
it will send a request to the server and require security verification using the host
key. After receiving the request, the server compares the service key with the key
sent by the client. If the two keys are consistent, the server sends a "challenge"
message encrypted with the server key to the client. After receiving the "challenge"
message, the client decrypts the message using the host key and then sends the
message back to the server. Till now the client passes the authentication.
SSH is a cryptographic protocol. It provides a secure channel only not data transmission.
Through the steps including version negotiation, key exchange, algorithm negotiation,
and user authentication, an SSH secure channel is set up. Any data transfer protocol can
transfer data in the channel. The tool used by the secure maintenance terminal provides
the SSH client function.
19.5.3 Remote Connection Encryption Based on SSH
The system supports remote operation and management, including out-of-band Telnet
and in-band Telnet.
The interface used by out-of-band Telnet is the only Ethernet maintenance interface
(RJ45) on the main control panel. After the IP address of the interface and relevant
routes are configured, the system can telnet to remote devices and perform operation
and maintenance.
The interface used by in-band Telnet is the VLAN L3 interface inside the device. The
system supports a maximum of 32 IP addresses for the VLAN interfaces. The subnets of
these IP addresses must be different.
In the remote operation, both the secure and ordinary maintenance terminals use the
Telnet protocol. The difference is that the secure maintenance terminal encrypts all the
data using SSH before transferring data using Telnet. With SSH-based encryption, all the
operations are secure after the user logs in to the device through a remote terminal for
maintenance and management.

19.5.4 File Transfer Encryption Policy Based on SSH
SSH File Transfer Protocol (SFTP) is a protocol based on SSH. When the password
mode is used for client authentication, a client must enter the user name and password. If
the user name or password is not correct, files cannot be transferred.
The file uploading flow through SFTP is as follows:
 The client opens the file to be uploaded to the server.
 The client requests to open a file on the server.
 The client writes the local data onto the server in accordance with the returned file
handle.
 Files can be downloaded through SFTP only after the SSH authentication is passed.
The file downloading flow is as follows:
 The server and the client both verify the SFTP version in the SFTP stage.
 The client opens the local and remote files.
 The client reads the corresponding data.
 The client closes the opened files after reading the data.
19.6 User Management
19.6.1 Introduction
 Description
User management involves the following two parts:
A user needs to be authenticated with user name and password when the user atte mpts
to log in to the device through the Command Line Interface (CLI).
Users are classified into four levels: supervisor, administrator, operator, and user.
Different levels of users are assigned different operation rights.

 Target
User management is to ensure the security of device management and maintenance by

user name and password authentication and hierarchical right-based management.
Four levels of operation users by rights are as follows:
 The supervisor can manage all the accounts and is allowed to execute all the
configuration and operation commands.
 The administrator can manage all the operators, query the accounts and is
allowed to execute all the configuration and operation commands.
 The operator can only perform data configuration and service provisioning,
and has no right to manage the accounts.
 The user can only query the data, mainly for troubleshooting.
User name: 1–16 characters length, a space is not allowed. The allowed characters are
as follows:0123456789abcdefghijklmorqrstuvwxyz_
Password, 3–16 characters length. a space is not allowed. The allowed characters are as
follows:
0123456789abcdefghijklmnopqrstuvwxyz_ABCDEFGHIJKLMNOPQRST UVWXYZ`*-=~!
@#$%^&()_+[]{}|;':,./<> \\
When a user logs in to the system through the CLI, the user must enter the user name
and password for authentication. In this way, the user is authenticated to ensure the
system security.
Users are classified into four levels: super user, administrator, operator, and user.
Different levels of users are assigned different operation rights.
The internal command nodes in the system have their corresponding rights. A user can
see and operate a command node only if its access right is larger tha n or equal to the

access right of the command node. Therefore, users with high priority have the operation
rights of users with low priority.
19.7 Remote Connection Security
19.7.1 Introduction
 Description
With the remote connection security feature, the IP firewall, or the service port of the
system is disabled to prevent the device from being attacked by illegal users or illegal
operations.
 Target
IP firewall or disabling the service port can prevent the device from being attacked by
illegal users to ensure the security of devices.
The IP firewall can limit the access to IP service processes.
The IP firewall can control the connection requests of SSH2 clients.
The IP firewall can enable or disable SSH and Telnet servers.
With the IP firewall function, only the operators from valid IP address segments are
allowed to log in to the device through valid access protocols, and the operators from
invalid IP address segments or through invalid access protocols are not allowed to log in
to the device.
With the function of disabling the system service, the default service monitoring port of
the system can be disabled to prevent the port from malicious scanning or attack.

19.8 Log Management
19.8.1 Introduction
 Description
Logs can be classified into security event logs and operation logs.
 A security event log is a log recorded by the system after a security event
occurs.
 An operation log is a log about the user operation recorded by the system. It
records user login and logout information and other operations performed on
the system.
 Generally, logs are queried through the CLI, syslog, or backup log file during
troubleshooting.
 Operation logs and security event logs are reported to the NMS.
 Target
Logs recorded help users obtain the overall system maintenance information for
timely troubleshooting.
 Operation Log
The system records commands of successfully issued configurations from the CLI
or SNMP interface, that is, operation logs. Operation logs record both succe ssful
and failed operations. In logs of failed operations, the operation results can also be
recorded. By default, the system supports a maximum of N (configurable) operation
logs, which are saved in the order of time and are overwritten cyclically. After the
system is restarted, logs recorded are not lost.
 Security Event Log

Events are reminders to the user during the system running.When the level of a
security event is changed, whether the event is recorded may be changed. A
security event is recorded in the log only when its level is minor or higher.
 Log Server
Logs can be reported to the log server using syslog in real time. Also, logs can be
transmitted to the file server through TFTP/FTP/SFTP at a specified time or when
the specified capacity is reached after the automatic uploading conditions are
configured. Integrity of logs must be ensured.
19.9 Alarm and Event Management
19.9.1 Introduction
 Description
Alarm and event management mainly involves recording and setting alarms and events
and collecting their statistics.
 Target
Alarm and event management facilitates carriers in performing routine maintenance on

the device, locating device faults, and restoring the services provided for users quickly
after the services become abnormal.
The specifications of alarm and event management are as follows:
 Alarms and events of four severity levels: critical, major, minor, and warning
 Storing history alarms and 901 history events
 Backing up the history alarms and events automatically to a file serve r
 Clearing the active alarms in the current system
 Adjusting the severity level of an alarm or event

 Jitter-proof function of an alarm or event
 Collecting the statistics of the alarms and events
 Correlation function of the alarms and events
 Filtering the alarms or events
The alarm and event management refers to recording and setting the alarms and events
and collecting statistics of the alarms and events. The maintenance engineers maintain
the device through the alarm and event management so that the device works effectively.
After an alarm or event is generated, the system broadcasts the alarm or event to the
terminals, mainly including the Network Management System (NMS) and CLI terminals.
The system supports storing history alarms and 800 history events.
The severity level of an alarm or event can be critical, major, minor, or warning. Although
an alarm or event has a default severity level, this severity level can be adjusted in
accordance with actual conditions. The contents of an alarm or event include name,
parameters (including subrack, slot, and port information), description, possible causes,
and handling suggestions.
When an alarm is generated, the system implements the jitter-proof function of the alarm
to prevent the misreporting of the alarm. To be specific, the alarm is reported only after a
specified period expires after the alarm status changes (the specified period ranges from
1 s to 60 s and default is 10 s). If the alarm status recovers within the specified period,
the alarm is not reported.
The alarm statistics function is used to collect the statistics of alarms within a specified
period. This helps to locate system faults.
Alarm correlation refers to associating related alarms. When alarms are in the
parent-child relations, the system automatically filters related child alarms if the parent
alarm is generated.

With the alarm and event filtering function, the user can configure the filtering conditions
so that the system reports only the alarms and events that pass the filtering. In this way,
the user can concentrate on the important and specified alarms and events. The alarms
and events can be filtered by alarm/event ID, severity level, and alarm/event type.
20 Reliability
20.1 Main Control and Switching Protection
20.1.1 Introduction
 Target
The main control and switch module implements centralized processing on ZXA10
C300/C320 main control and switch card. In order to ensure the reliability of the
services, it is necessary for the main control and switch module to support 1:1
active/standby mode backup or 1+1 load-sharing mode to ensure the continuity of
services.
The switchover of the main control and switch module is as follows:
 Passive switchover under the manual interference: When the card is to be

replaced or any fault is discovered manually, switchover is implemented with
the commands set by the EMS or CLI.
 Software abnormally auto-switchover: When the active main switch and

control card software runs abnormally, the active card gives up and is rebooted,
and then the standby card is automatically switched over to be active.
 The control module implements real-time detection on the main modules in the
card. When detecting any hardware fault, the active card gives up and is
rebooted, and then the standby card is automatically switched over to be
active.

ZXA10 C300/C320 supports the following features of the main control and
switching protection:
 It supports automatic switchover and manual switchover.
 During the active/standby switchover, ZXA10 C300/C320 supports data

synchronization and smooth processing of data.
 The switchover time for card services is less than 50 ms.
20.1.2 Basic Theory and solution
 Active/standby mode
As the core of the C300/C320, the active control board communicates with external
devices and implements functions of internal modules of the system. The standby
control board
does not communicate with external devices and only serves as a backup of the
active control board. During its operation, the active control board backs up all static
configurations and some dynamic configurations to the standby control board to
keep data synchronized between the two boards.
Redundancy backup of control boards protects services against a control board

failure. If two control boards are configured, services can be switched to the
standby control board when the active control board fails. Any of the following
conditions triggers a switchover between the active and standby control boards:
 Active control board failure. In this case, the system performs an

active/standby switchover automatically.
 System upgrade. In this case, the operator resets the control boards and
performs the active/standby switchover manually.
 Board replacement or annual maintenance. In this case, the operator performs

the active/standby switchover manually.
 Load-sharing mode

When the two control boards work in load sharing mode, redundancy backup
improves reliability of services as well as doubling bandwidth and enhancing data
forwarding performance.
 On the forwarding plane, the active and standby control boards share loads.
Both boards forward data.
 On the control plane, the two control boards work in the active/standby mode.
The CPU on the active control board manages the system and controls data
forwarding while the CPU on the standby control board is in the standby state.
20.2 Power Supply Protection
Power supply redundancy: ZXA10 C300/C320 system supports two 1:1

redundancy power cards. Every card can support the independent power input,
and the two cards also adopt 1:1 backup. Only one card can supply the power of
the whole system. When the active power card or the input line has some error, the
system switches the power supply input, and the power protection switching action
does not affect all services of the system.
20.3 Clock Protection
20.3.1 Introduction
 Description
ZXA10 C300 supports time and clock synchronization between active control
module and standby control module to ensure high reliability services of time and
clock. Seamless switch over is also supported.
Time and clock synchronization module, which supports redundancy function, is

implemented in C300 main switch and control card. Seamless switch over is
supported when switching active card with standby card.

ZXA10 C300 supports time and clock redundancy function.
Figure 20-1 ZXA10 C300 supports time and clock redundancy function
B I
1 P
M a i
( S
M a i
B I ( T AC S cE
1 P T P i S
C P I r C
S （ P1 O
L i n e
C E P S 2
S y n X c E
X E /
 Time and clock module is placed in the main switch and control card, and
different kinds of clock source are passed to the active and standby switch and
control cards through the backplane card. Time and clock modules in both
e
active and standby switch and control card work simultaneously and lock the
same clock source. Time and clock module in line card choose and lock output
clock source based on active/standby state of main switch and control card
and quality of clock. Each time and clock module supports multi clock source
input, and chooses clock source based on clock quality and priority. When one
clock source got lost, another clock source can be switched over smoothly.
l
 Similar to time and clock module, active and standby switch and control cards
both support 1588v2 SLAVE function. Time and clock module supporting
1588v2 can rescue clock by PTP protocol and pass 1PPS+TOD message to
line card, and then forward to ONU through PON protocol.
e

c
Glossary
ACL - Access Control List
AES - Advanced Encryption Standard
ANCP- Access Network Control Protocol
ARP - Address Resolution Protocol
AS - Application Server，Autonomous System
ATM - Asynchronous Transfer Mode
BER - Basic Encode Rule，Bit Error Rate
BPDU - Bridge Protocol Data Unit
BRAS - Broadband Remote Access Server
BSR - Bootstrap Router
CAR - Committed Access Rate
CDR - Call Detail Record，Clock and Data Recovery
CES - Channel Element Subsystem，Circuit Emulation Services
CIR - Committed Information Rate
CIST - Common and Internal Spanning Tree
CLI - Command Line Interface，Command Language Interpreter，Calling Line

Identity
CPU - Central Processing Unit，Central Policy Unit
CRC - Cyclic Redundancy Check
CST - Common Spanning Tree
CoS - Class of Service
DBA - DataBase Agent，Dynamic Bandwidth Allocation
DHCP - Dynamic Host Configuration Protocol

DNS - Domain Name Service，Domain Name Server
DoS - Denial of Service
DR - Designate Router，Differentiate Ring
DSCP - Differentiated Services Code Point
DSLAM - Digital Subscriber Line Access Multiplexer
DWRR - Deficit weighted round rokin
EMS - Electromagnetic Susceptibility，Element Management System，Electronic

Mailbox Service，Enterprise Management System
FEC - Forward Error Correction，Forwarding Equivalence Class
FTP - File Transfer Protocol
FTTB - Fiber to the Building
FTTH - Fiber to the Home
GEM - GPON Encapsulation Method
GPON - Gigabit Passive Optical Network
GTC - GPON Transmission Convergence
IAD - Integrated Access Device
ICMP - Internet Control Message Protocol
IEEE - Institute of Electrical and Electronics Engineers
IGMP - Internet Group Management Protocol
IGP - Interior Gateway Protocol
IP - Internet Protocol，Intelligent Peripheral
IPTV - Internet Protocol Television
IPoE - Internet Protocol over Ethernet
IS-IS - Intermediate System-to-Intermediate System

IST - Internal Spanning Tree
IWF - InterWorking Function，Integrated Wavelength Feedback
LACP - Link Aggregation Control Protocol
LAN - Local Area Network
LLID - Logical Link Identifier
LOF - Loss Of Frame
LOS - Line-out-0f-service Signal，Loss Of Signal
LSA - Link State Advertisement，Localised Service Area，Link State Advertisement
MAC - Medium Access Control
MAN - Metropolitan Area Network
ME - Mobile Equipment，Maintenance Entity
MST - Master，Multiplex Section Termination，Multiple Spanning Tree
MSTP - Multi-Service Transport Platform，Multiple Spanning Tree Protocol
MVLAN - Multicast Virtual Local Area Network
NM - Network Management
NMS - Network Management System，Network Management Server，Network

Management Subsystem，Network element Management System
NNI - Network Node Interface
NTP - Network Time Protocol
OAM - Operation, Administration and Maintenance，Operation, Administration and

Maintenance
ODN - Optical Distribution Network
OLT - Optical Line Terminal
OMCI - ONT Management Control Interface，Open Manage Client Instrumentation
ONT - Optical Network Terminal

ONU - Optical Network Unit
OSPF - Open Shortest Path First
PBX - Private Branch Exchange
PIM - PA Interface Module
PIM-SM - Protocol Independent Multicast - Sparse Mode
PIR - Peak Information Rate
PLOAM - Physical Layer Operations, Administration and Maintenance
PMD - Physical Medium Dependent，Polarization Mode Dispersion
PON - Passive Optical Network
POP - Post Office Protocol，Points Of Presence
PPP - Point to Point Protocol
PPPoE - Point to Point Protocol over Ethernet
PSN - Packet Switched Network
PSTN - Public Switched Telephone Network
Q-in-Q - 802.1q Tunnel Tags，VLAN Tag in VLAN Tag
QoS - Quality of Service
RADIUS - Remote Authentication Dial In User Service
RFC - Request For Comments，Remote Feature Control
RIP - Routing Information Protocol，Request In Progress
RP - Rendezvous Point，Reference Point，Rendezvous Point，RAN and PDS，

RAN and PDSN
RS - Reed Solomon，Recommended Standard，Regenerator Section
RSTP - Rapid Spanning Tree Protocol
SMS - Short Message Service，Service Management System，System

Management Server，Short Message Subsystem，SDH Management Sub-network

SNMP - Simple Network Management Protocol
SP - Signal Processing module，Service Provider，Signaling Point，Service

Processing，Strict Priority，Service Profile，SPare number
SPF - Shortest Path First
SS - Subscriber Station，Soft Switch，Service System，Supervision Station，

Supplementary Service，Subscriber Station，Stream Server
SSH - Secure Shell
SST - Subsystem Status Test
SSTP - Single Spanning Tree Protocol
STM - Synchronous Transfer Mode，Synchronous Transport Module
STP - Signaling Trace Part，Signaling Transfer Point，Spanning Tree Protocol
TB - Tocken Bucket
TDM - Time Division Multiplexing
TOS - Termination Of Service
UAPS - Uplink Auto Protection Switching
UNI - User Network Interface
VBAS - Virtual Broadband Access Server
VLAN - Virtual Local Area Network
VOD - Video On Demand
VoIP - Voice over Internet Protocol
WFQ - Weighted Fair Queuing
XGPON-10-Gigabit-capable passive optical network

SJ 20140312095717 003 ZXA10 C300 C320 V2 0 1 Optical Access Convergence Equipment Feature Guide PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

SJ 20140312095717 003 ZXA10 C300 C320 V2 0 1 Optical Access Convergence Equipment Feature Guide PDF

Hochgeladen von

Copyright:

Verfügbare Formate

ZXA10 C300/C320

Optical Access Convergence Equipment

© 2013 ZTE Corporation. All rights reserved.

ZTE Confidential & Proprietary 1

2 XG-PON1 Feature .................................................................................................... 43

3 P2P Access Feature ................................................................................................ 47

4 Layer 2 Forwarding Feature .................................................................................. 49

2 ZTE Confidential & Proprietary

4.2.5 Selective Q-in-Q ......................................................................................................... 61

5 Ethernet OAM ........................................................................................................... 63

6 IPV4 L3 Feature ........................................................................................................ 73

ZTE Confidential & Proprietary 3

6.10.2 Basic Theory and Solution ........................................................................................ 90

7 MPLS Feature ........................................................................................................... 98

8 IPV6 Features ......................................................................................................... 125

4 ZTE Confidential & Proprietary

8.2 IPv6 static route ....................................................................................................... 128

9 QOS .......................................................................................................................... 140

10 Multicast .................................................................................................................. 145

ZTE Confidential & Proprietary 5

10.7 Channel Management ............................................................................................. 152

11 Network Protection Feature................................................................................. 161

12 Access Security ..................................................................................................... 177

6 ZTE Confidential & Proprietary

12.4 vMAC ........................................................................................................................ 185

14 TDM Circuit Emulation ......................................................................................... 205

15 Clock and Time ...................................................................................................... 207

ZTE Confidential & Proprietary 7

16 Power Saving ......................................................................................................... 213

17 ODN Fault Diagnostic Manage ment ................................................................... 216

18 Environment Monitor ............................................................................................ 220

19 Device manage ment ............................................................................................. 222

8 ZTE Confidential & Proprietary

20 Reliability ................................................................................................................ 235

ZTE Confidential & Proprietary 9

Figure 1-2 GEM Frame Format ................................................................................................. 18

Figure 1-3 Encapsulating Ethernet Frame to GEM Frame ..................................................... 18

Figure 1-4 Encapsulating GEM Frames to a GTC Frame....................................................... 19

Figure 1-5 Downstream & Upstream GTC Frame ................................................................... 19

Figure 1-6 ONU Burst Format ................................................................................................... 20

Figure 1-7 GPON Downstream Data Transmission Mechanism ............................................ 21

Figure 1-8 GPON Upstream Data Transmission Mechanism................................................. 22

Figure 1-9 GPON functions reference model........................................................................... 23

Figure 1-10 PLOAM Message Structure .................................................................................. 23

Figure 1-11 OMCI Packet Form at ............................................................................................. 24

Figure 1-13 Queues Scheduling on ONU................................................................................. 32

Figure 1-14 AES Key Switch Procedure................................................................................... 34

Figure 1-15 the downstream frame with FEC code ................................................................. 36

Figure 1-16 Upstream Frame with FEC Code ......................................................................... 36

Figure 1-17 Upgrading ONU Version through OMCI Protocol ............................................... 42

Figure 1-18 Activating the Version ............................................................................................ 43

Figure 2-2 Parameter of WDM1 ................................................................................................ 46

Figure 4-1 IEEE802.1Q format .................................................................................................. 53

Figure 4-2 IEEE 802.3ad Form at .............................................................................................. 54

Figure 4-3 1:1 /N:1 VLAN Translation....................................................................................... 60

Figure 5-1 Data Link Layer OAM Sublayer .............................................................................. 66

Figure 6-1 Layer-3 Forwarding Process ................................................................................... 75

Figure 6-2 DHCP Principle-2 ..................................................................................................... 80

Figure 6-3 DHCP Principle-3 ..................................................................................................... 81

10 ZTE Confidential & Proprietary

Figure 6-4 DHCP Principle-4 ..................................................................................................... 83

Figure 6-5 DHCP Principle-5 ..................................................................................................... 84

Figure 6-6 DHCP Principle-6 ..................................................................................................... 85