MA2.10
SmartAX MA5200F Broadband Access Server
Technical Manual
BOM 31025882
Huawei Technologies Co., Ltd. provides customers with comprehensive technical support
and service. If you purchase the products from the sales agent of Huawei Technologies Co.,
Ltd., please contact our sales agent. If you purchase the products from Huawei
Technologies Co., Ltd. directly, please feel free to contact our local office, customer care
center or company headquarters.
Website: http://www.huawei.com
Email: support@huawei.com
Copyright © 2003 Huawei Technologies Co., Ltd.
Trademarks
All other trademarks mentioned in this manual are the property of their respective
holders.
Notice
The information in this manual is subject to change without notice. Every effort has
been made in the preparation of this manual to ensure accuracy of the contents, but
all statements, information, and recommendations in this manual do not constitute
the warranty of any kind, express or implied.
About This Manual
Version
The product version that corresponds to the manual is SmartAX MA5200F Broadband
Access Server (referred to as the MA5200F hereafter) MA2.10.
Related Manuals
Manual: SmartAX MA5200F Broadband Access Server Safety Manual
Content: Lists the safety information needed to install and maintain the equipment.
The manual introduces the system structure, service functions and networking
applications of the MA5200F. There are six chapters and one appendix in the manual.
Chapter 2 Hardware and Software Structure focuses on the hardware and software
modules of the MA5200F, including the appearance, hardware functions, cards,
indicators and physical ports of the MA5200F, as well as the software functions.
Chapter 3 Service and Function gives a detailed description on the functions of the
MA5200F, including route management, access authentication, address management,
user management, service control, security management, value added services,
network management and system maintenance.
Appendix lists the terminologies, acronyms and their meanings. Specifications of the
SmartAX MA5200E Broadband Access Server are also given in the Appendix.
Intended Readers
Conventions
I. General conventions
Convention: Arial Narrow
Description: Warnings, Cautions, Notes and Tips are set in Arial Narrow.
II. Symbols
Eye-catching symbols are also used in the manual to highlight the points worthy of
special attention during the operation. They are defined as follows:
Technical Manual
SmartAX MA5200F Broadband Access Server Chapter 1 System Overview
1.1 Introduction
The SmartAX MA5200F Broadband Access Server (referred to as the MA5200F
hereafter) of Huawei is a new-generation Internet Protocol (IP) access server. The
MA5200F was developed to overcome the weaknesses of Ethernet access technology in
subscriber management, service control and network security.
The MA5200F series contains the MA5200F and the MA5200F-2000. The MA5200F
supports a maximum of 1000 online subscribers, while the MA5200F-2000 supports a
maximum of 2000 online subscribers. Since the MA5200F and the MA5200F-2000 are
completely the same except for the access capacity, they are both called the MA5200F
unless otherwise specified in this manual.
Based on the architecture of the fifth-generation routers put forward by Huawei, the
MA5200F adopts high performance network processors and large capacity ASIC chips
(ASIC stands for Application Specific Integrated Circuit). All these have enabled the
MA5200F with powerful forwarding capacity and flexible processing on different
services.
The MA5200F is suitable for access networks of Ethernet, x Digital Subscriber Line
(xDSL), Hybrid Fiber Coaxial (HFC) and Wireless Local Area Network (WLAN),
providing subscriber management, accounting control, address management, service
control and security management functions.
The MA5200F boasts carrier-class reliability, and is widely applied in broadband
Metropolitan Area Networks (MANs), enterprise Intranets, Campus Area Networks
(CANs), Government Data Networks (GDNs) and intelligent hotels.
Generally, the MANs are divided into three layers: core layer, convergence layer and
access layer, providing subscriber access and value added services.
According to different scales of the MANs, the MA5200F can be applied in the local
access layer of a large MAN, or the edge convergence layer of a small MAN. The
MA5200F device can be installed in the central machine room of the community, or
installed in the end office, providing the access authentication, accounting, traffic
control, access control, security and service support functions. With the MA5200F, the
carriers can provide individual subscriber access, intelligent broadband access for
communities and office buildings, dedicated line access for small and medium
enterprises, and Virtual Private Network (VPN) service.
Figure 1-1 shows a typical application of the MA5200F in a MAN.
(Figure 1-1 is not reproduced here. Recoverable labels: Access Layer, LAN Switch, AP.)
layer, access layer or the core convergence layer, providing access authentication,
guarding against account forgery, and controlling the network resource. The MA5200F
can also play the role of a Customer Edge (CE) device to coordinate with the
Provider/Provider Edge (P/PE) device to implement MPLS VPN (Multi-protocol Label
Switching VPN).
Note:
4.2.2 gives more details about the application of the MA5200F in an enterprise Intranet.
The structure of a CAN is similar to that of an enterprise Intranet. In China, the CANs
are connected to both the China Education and Research Network (CERNET) and the
Internet. The operation of a CAN is somewhat like that of a carrier network, because it
also has requirements on access control and on accounting modes based on time or
traffic. CAN users in China can access the CAN and CERNET directly, but authentication
and accounting must be performed when a user accesses the Internet.
The MA5200F is usually located at the access layer of a CAN. In some scenarios, a
standalone MA5200F can also connect to the switch in the convergence layer to provide
access authentication, accounting and security control for the subscribers.
Note:
4.2.1 gives more details about the application of the MA5200F in a CAN.
A GDN has very high requirements on network security. The MA5200F is located at the
edge access layer of a GDN to control access authority and guard against account
forgery. The MA5200F can also act as a CE device and cooperate with the P/PE device
to build an MPLS VPN.
Note:
4.2.3 gives more details about the application of the MA5200F in a GDN.
Together with the iTELLIN broadband intelligent service system and console of Huawei,
the MA5200F can provide intelligent hotel – “IP Hotel” solution for broadband access of
multiple hotels. With this solution, each hotel has a virtual platform for subscriber
management, accounting management and configuration management.
In the IP Hotel solution, the MA5200F device can be purchased and maintained by the
hotels, or purchased by the carriers to operate together with the hotels. According to
different operation modes, the MA5200F can be installed in the machine room of the
hotel or the carrier.
Note:
4.3.2 gives more details about the application of the MA5200F in IP Hotel solution.
The built-in 10Gbps large capacity switching network ensures good forwarding
performance and Quality of Service (QoS). The MA5200F supports 1000 (MA5200F) or
2000 (MA5200F-2000) online subscribers of various types, 128 Virtual Local Area
Network (VLAN) dedicated lines and 128 transparent transmission VLAN dedicated
lines.
The ASIC chips enable high integration of packet forwarding, data exchange, route
processing, subscriber management, security management and device management
on the MA5200F.
The MA5200F provides 100M electric Ethernet port, 100M optical Ethernet port, 100M
multi-mode optical Ethernet port, 1000M single mode optical Ethernet port and 1000M
multi-mode optical Ethernet port for different networks. It also provides serial port and
network port for maintenance.
Ethernet, xDSL, HFC and WLAN subscribers can access through the layer2 devices
like LAN Switch, IP DSLAM (Digital Subscriber Line Access Multiplexer), VDSL switch,
CMTS (Cable Modem Terminal System) and AP (Access Point).
Layer3 subscribers can access through Layer3 LAN Switch or router to the MA5200F.
According to the access method and access request, the MA5200F supports Layer 2
individual subscribers, Layer 3 individual subscribers and dedicated line subscribers
(including Layer 2 VLAN dedicated line, Layer 3 VLAN dedicated line, proxy dedicated
line, VLAN transparent transmission dedicated line and PPPoE dedicated line).
An access request from a subscriber can be triggered on the MA5200F by several
events: static configuration, a DHCP packet, an ARP packet (ARP stands for Address
Resolution Protocol), a PPPoE packet (PPPoE stands for Point-to-Point Protocol over
Ethernet), an EAPoL packet (EAPoL stands for Extensible Authentication Protocol over
LAN) or a plain data packet. In this way subscribers in different states can obtain
service conveniently.
The MA5200F supports a variety of authentication methods for your option: PPPoE
authentication, Web authentication, binding authentication, fast authentication, 802.1X
authentication, and no authentication.
Caution:
The MA5200F supports PPPoE, Web, fast and 802.1X authentication on the same port simultaneously.
The MA5200F supports local PAP, CHAP and EAP-MD5 authentication methods (PAP
stands for Password Authentication Protocol, CHAP stands for Challenge Handshake
Authentication Protocol). It also supports remote PAP, CHAP, EAP-MD5 and EAP-SIM
authentication (EAP-SIM stands for EAP Subscriber Identity Module).
The MA5200F can convert EAP-MD5 into CHAP, so that authentication servers that do
not support EAP-MD5 can still serve 802.1X authentication.
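The conversion works because the two digests are computed identically: RFC 3748 defines the EAP MD5-Challenge response value as MD5(Identifier || password || challenge), which is exactly the CHAP response of RFC 1994. The following Python is an added example, not Huawei code, that shows a supplicant computing an EAP-MD5 response, the access server re-packaging it as the RADIUS CHAP-Challenge and CHAP-Password attributes, and a CHAP-only server verifying it. The user name, password and challenge are constructed sample values, and the RADIUS attributes are represented as a dictionary rather than an encoded packet.

```python
# Added example: EAP-MD5 to CHAP relay on the access server (not Huawei code).
# RFC 3748 s.5.4 defines the EAP MD5-Challenge response value as
# MD5(Identifier || password || challenge), which is exactly the CHAP
# response of RFC 1994. A NAS can therefore present an EAP-MD5 Response to
# a CHAP-only RADIUS server as CHAP-Challenge + CHAP-Password.
import hashlib
import hmac
import os

# Constructed sample user database (assumption, not from the manual).
USER_DB = {"alice": b"s3cret-pw"}

EAP_CODE_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: value field of EAP-Response/MD5-Challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5_response_packet(identifier: int, value: bytes, name: bytes) -> bytes:
    """EAP packet: Code, Identifier, Length, Type, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    length = 4 + len(body)
    return bytes([EAP_CODE_RESPONSE, identifier]) + length.to_bytes(2, "big") + body


def eap_md5_to_chap(eap_packet: bytes, challenge: bytes) -> dict:
    """Access server side: parse the EAP-Response/MD5-Challenge the supplicant
    sent over EAPoL and build the RADIUS attributes a CHAP-only server
    understands. Malformed packets are rejected rather than relayed."""
    if len(eap_packet) < 6 or eap_packet[0] != EAP_CODE_RESPONSE:
        raise ValueError("not an EAP Response")
    identifier = eap_packet[1]
    length = int.from_bytes(eap_packet[2:4], "big")
    if length != len(eap_packet) or eap_packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("bad length or not an MD5-Challenge")
    value_size = eap_packet[5]
    if value_size != 16 or len(eap_packet) < 6 + value_size:
        raise ValueError("bad MD5 value size")
    value = eap_packet[6:6 + value_size]
    name = eap_packet[6 + value_size:]
    return {
        "User-Name": name.decode(),
        "CHAP-Challenge": challenge,
        # RADIUS CHAP-Password = CHAP Ident (1 byte) + 16-byte response (RFC 2865 s.5.3)
        "CHAP-Password": bytes([identifier]) + value,
    }


def radius_chap_verify(attrs: dict, user_db: dict) -> bool:
    """CHAP-only server: recompute MD5(ident || secret || challenge) and compare
    in constant time. It cannot tell that the client actually spoke EAP-MD5."""
    secret = user_db.get(attrs["User-Name"])
    if secret is None:
        return False
    ident = attrs["CHAP-Password"][0]
    expected = hashlib.md5(bytes([ident]) + secret + attrs["CHAP-Challenge"]).digest()
    return hmac.compare_digest(expected, attrs["CHAP-Password"][1:])


def demo(password: bytes = b"s3cret-pw", identifier: int = 7, challenge: bytes = None) -> bool:
    """Full exchange for user alice; returns the server's accept/reject decision."""
    challenge = challenge if challenge is not None else os.urandom(16)
    value = eap_md5_response(identifier, password, challenge)
    packet = build_eap_md5_response_packet(identifier, value, b"alice")
    attrs = eap_md5_to_chap(packet, challenge)
    return radius_chap_verify(attrs, USER_DB)


if __name__ == "__main__":
    print("accept" if demo() else "reject")
```

The relay is only as strong as EAP-MD5 itself: the method provides no mutual authentication and derives no keys, so it is unsuitable for WLAN ports even when the server accepts it as CHAP, and a captured challenge/response pair can be brute-forced offline against a weak password.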
The MA5200F supports both static and dynamic IP addresses. It provides a built-in
DHCP server (DHCP stands for Dynamic Host Configuration Protocol) and supports
DHCP relay to an external DHCP server.
The MA5200F provides a unique function of secondary allocation of IP address to
protect public IP address resource. It also provides Network Address Translation (NAT)
to enable effective and flexible use of IP address resource.
The MA5200F can collect the accounting information of the subscriber including time
and traffic. The MA5200F also supports local and remote accounting.
Real-time accounting is supported both locally and remotely to ensure the accuracy
of the accounting information. Remote accounting is protected by a local mechanism
that keeps the accounting tickets from being lost when the network fails, and no
erroneous ticket is generated.
The MA5200F supports different accounting modes, including no accounting, prepaid
accounting and postpaid accounting. The prepaid accounting can be on the basis of
time or traffic. Together with the RADIUS server (RADIUS stands for Remote
Authentication Dial in User Service), the MA5200F also supports the integrated prepaid
accounting based on time and traffic, and supports switching between different tariffs.
The MA5200F provides access restriction, traffic control, idle disconnection, QoS,
policy routing to guarantee the service quality.
The MA5200F provides Access Control List (ACL), user log, and forgery check to
ensure legal use and effective management of the network resources.
The MA5200F provides VPN, multicast, plug-and-play, WLAN, forced Portal and IP
Hotel to satisfy broadband application in different scenarios, and bring more revenue to
the carriers.
The powerful heat dissipation and temperature regulation system of the MA5200F
allows the device to operate in places without air conditioning. The MA5200F
provides both -48V DC and 220V AC power modules. Good electromagnetic shielding
gives the system its anti-interference performance. The highly integrated network
processor chip reduces the complexity of the system, reduces power consumption and
enhances system stability. The system supports various online loop tests and
self-tests, and provides abundant alarm information. Carrier-class isolation,
lightning protection and anti-interference design on the subscriber ports ensure high
reliability of the devices on the subscriber side.
The MA5200F supports local, remote and centralized maintenance, through the serial
port or through a Telnet connection on the Ethernet port. The MA5200F supports
Simple Network Management Protocol (SNMP), and the iManager N2000 centralized
management system of Huawei uses it to provide alarm reporting, network test, fault
diagnosis and tracing. Note that Telnet, and SNMP versions 1 and 2c, carry login
credentials and community strings in clear text, so the maintenance serial port and
maintenance network port should be reachable only from an isolated management
network.
Through the HUAWEI Group Management Protocol (HGMP), the MA5200F can manage
and maintain the LAN Switches and IP DSLAM devices in the lower layer, which makes
integrated global management easier.
Chapter 2 Hardware and Software Structure
Figure 2-2 shows the hardware components inside the MA5200F chassis.
The GE card is connected to the SPUC/SPUE through a 2mm connector. The FE card is
connected to the backplane BKPC through a 2mm connector. The cables for the FE
service network ports, GE service network ports, maintenance serial port and
maintenance network port are all led out from the front panels of the cards. The
power supply, which can be either 220V AC or -48V DC, is connected on the rear panel
of the chassis. The power module outputs 3.3V for the cards and 12V for the fans.
There are four fans inside the chassis to draw out the air for heat dissipation.
The MA5200F hardware modules consist of the service interface module, hardware
forwarding module, switching network module, control module, maintenance module,
power module and clock module, as shown in Figure 2-3.
(Figure 2-3 is not reproduced here. It shows the MA5200F modules: CPU, clock module,
control module, maintenance module, switching network module, power module and
hardware forwarding module.)
The service interface module provides up to 24 10/100M electrical or optical Ethernet
ports and 2 1000M optical Ethernet ports (single mode or multi-mode), depending on
the hardware configuration.
The hardware forwarding module is the core of high speed packet forwarding in the
MA5200F: the analysis, processing and forwarding of packets are all implemented in
hardware. Compared with forwarding packets in software, hardware forwarding is less
complex and more efficient.
The switching network module provides a total capacity of 10Gbps for bidirectional
switching, and large capacity QoS queuing, which ensure the overall forwarding
performance and good QoS.
The control module is the center of the system that completes the various functions
including system configuration, device management, route management, connection
2.1.3 Cards
I. SPUC/SPUE
The SPUC/SPUE (SPUC for the MA5200F, SPUE for the MA5200F-2000) is the control
and service processing card that provides all the service functions, including line-rate
forwarding of data packets, system management, subscriber management, accounting
and authentication. Each MA5200F is configured with one SPUC/SPUE.
The SPUC/SPUE provides these interfaces:
- 3 power supply connectors for the fans
- 2 external power supply connectors
II. DMIC
The Debug Management Interface Card (DMIC) provides the maintenance interfaces,
reset button and indicator lamps. Each MA5200F is configured with one DMIC.
The DMIC provides these interfaces:
- 1 10/100Mbps maintenance network port and 1 maintenance serial port
- 1 reset button
- 1 power indicator, 1 running indicator and 1 alarm indicator
III. XSM
The XSM is a daughter card on the SPUC/SPUE, which completes some hardware
calculations and searching, including flow classification, address mapping and keyword
searching. Each MA5200F is configured with one XSM.
IV. BKPC
The BKPC is the backplane of the MA5200F, which connects the SPUC/SPUE and the
various interface cards. The SPUC/SPUE is connected vertically to the BKPC through
three 2mm HM A connectors (22×5). Each MA5200F is configured with one BKPC.
V. FE
The fast Ethernet interface card (FE) is connected vertically to the BKPC through one
2mm HM A connector (22×5). Each FE card provides 6 10/100Mbps electrical Ethernet
ports or 6 100Mbps optical Ethernet ports. Each MA5200F is configured with 1 to 4 FE
cards.
According to the type of interface provided, there are three types of FE interface
card:
- 6-port electrical FE interface card
- 6-port single mode optical FE interface card (15km)
- 6-port multi-mode optical FE interface card (2km)
Hybrid configuration of these three types of FE card is allowed on the same MA5200F
device.
VI. GE
The gigabit Ethernet interface card (GE) is connected vertically to the BKPC through
three 2mm HM A connectors (22×5). Each GE card provides one or two 1000M optical
Ethernet ports. Each MA5200F is configured with one GE card.
According to the type of interface provided, there are six types of GE card:
- 1-port single mode optical GE interface card (10km)
- 1-port multi-mode optical GE interface card (500m)
- 2-port single mode optical GE interface card (10km)
- 2-port multi-mode optical GE interface card (500m)
- 1-port single mode optical GE interface card (40km)
- 1-port single mode optical GE interface card (70km)
One of the above GE interface cards is configured according to the actual situation.
2.1.4 Indicators
On the MA5200F, there are various indicator lamps that help you to understand the
operation status of the device.
I. Power indicator
The power indicator is on the lower right corner of the MA5200F front panel, under the
mark “PWR”. It shows the status of the power supply to the MA5200F. Table 2-1 shows
the states and meanings of the power indicator.
Table 2-1 States and meanings of the power indicator
State   Meaning
Off     No power is supplied.
On      The system is powered on and running.
II. Running indicator
The running indicator is on the lower right corner of the MA5200F front panel, under
the mark “RUN”. It shows the running status of the MA5200F. Table 2-2 shows the
states and meanings of the running indicator.
Table 2-2 States and meanings of the running indicator
State       Meaning
2Hz flash   The configuration file is being loaded.
1Hz flash   The system is running normally.
III. Alarm indicator
The alarm indicator is on the lower right corner of the MA5200F front panel, under the
mark “ALM”. It shows the alarm status of the MA5200F. Table 2-3 shows the states
and meanings of the alarm indicator.
Table 2-3 States and meanings of the alarm indicator
State   Meaning
Off     The system is running normally.
On      An error has occurred in the system.
The link status indicator (Link) on an electrical FE port is at the edge of the port. It is
a green LED (Light Emitting Diode) indicating the link status of the port. Table 2-4
shows the states and meanings of the link status indicator on the electrical FE port.
Table 2-4 States and meanings of the link status indicator on the electrical FE port
State   Meaning
Off     The link has not been set up.
On      The link has been set up.
The rate indicator (Active) on an electrical FE port is at the edge of the port. It is an
orange LED indicating whether data is being transmitted or received. Table 2-5 shows
its states and meanings.
Table 2-5 States and meanings of the rate indicator on the electrical FE port
State   Meaning
Off     No data is being transmitted or received.
Flash   Data is being transmitted or received.
The link status indicator (Link) on an optical FE port is at the edge of the port. It is a
green LED indicating the link status of the port. Table 2-6 shows the states and
meanings of the link status indicator on the optical FE port.
Table 2-6 States and meanings of the link status indicator on the optical FE port
State   Meaning
Off     The link has not been set up.
On      The link has been set up.
The data transceiving indicator (Active) on an optical FE port is at the edge of the port.
It is an orange LED indicating whether data is being transmitted or received on the
optical FE port. Table 2-7 shows its states and meanings.
Table 2-7 States and meanings of the data transceiving indicator on the optical FE port
State   Meaning
Off     No data is being transmitted or received.
Flash   Data is being transmitted or received.
The link status indicator (Link) on an optical GE port is at the edge of the port. It is a
green LED indicating the link status of the port. Table 2-8 shows the states and
meanings of the link status indicator on the optical GE port.
Table 2-8 States and meanings of the link status indicator on the optical GE port
State   Meaning
Off     The link has not been set up.
On      The link has been set up.
The data transceiving indicator (Active) on an optical GE port is at the edge of the port.
It is a green LED indicating whether data is being transmitted or received on the
optical GE port. Table 2-9 shows its states and meanings.
Table 2-9 States and meanings of the data transceiving indicator on the optical GE port
State   Meaning
Off     No data is being transmitted or received.
On      Data is being transmitted or received; the brightness of the indicator is in
        direct proportion to the amount of data.
I. Service interface
The MA5200F supports 24 electrical or optical FE ports and 2 optical GE ports. Four FE
interface cards provide the 24 FE ports, 6 per card. The optical GE ports are also
provided through an interface card. You can configure them as required.
The following only gives a brief introduction to the FE and GE ports. For detailed
specifications, refer to Chapter 6.
- Electrical FE port
Table 2-10 shows the specifications of the electrical FE port.
Table 2-10 Specifications of the electrical FE port
Feature                 Specification
Quantity                6 electrical FE ports on each FE card; 24 FE ports per MA5200F at most
Rate                    10/100Mbps
Mode                    10Base-T/100Base-TX
Cable                   Unshielded Twisted Pair (UTP)/Shielded Twisted Pair (STP)
Connector               RJ-45
Transmission distance   UTP 100m; STP 150m
Standards               IEEE 802.2, IEEE 802.3, Ethernet II
- Optical FE port
Table 2-11 shows the specifications of the optical FE port.
Table 2-11 Specifications of the optical FE port
Feature                 Specification
Quantity                6 optical FE ports on each FE card; 24 FE ports per MA5200F at most
Rate                    100Mbps
Mode                    100Base-FX
Cable                   Single-mode/multi-mode
Connector               LC
Transmission distance   Single-mode 15km; multi-mode 2km
Ambient temperature     0-70 degrees Celsius
Standards               IEEE 802.3u
- Optical GE port
Table 2-12 shows the specifications of the optical GE port.
Table 2-12 Specifications of the optical GE port
Feature                 Specification
Quantity                2 at most
Rate                    1250Mbps
Mode                    1000Base-FX
Cable                   Single-mode/multi-mode
Connector               LC
Transmission distance   Single-mode 10km, 40km, 70km; multi-mode 500m
Optical port standard   GPCS
Ambient temperature     0-70 degrees Celsius
Standards               IEEE 802.3ab (as printed; optical 1000Base-X ports are defined by IEEE 802.3z)
The MA5200F provides one serial port and one Ethernet port for maintenance.
- Serial port
Feature     Specification
Quantity    1
Rate        9600bps by default
Connector   RJ-45
Standard    RS-232
z Ethernet port
The specifications of the maintenance Ethernet port are the same as those of the
electric FE ports; refer to Table 2-10.
processor can forward the packets while implementing access control, flow control,
congestion control and queuing priority control.
z Service control module
The module authenticates the access requests to identify the legal requests. According
to the configuration information, it sets up the connection information table for other
modules to implement management on the subscribers. The connection information
includes ACL, priority and restriction on service speed and so on. This module also
extracts and records the statistics on subscriber data packets and access time, so that
accounting can be made on the basis of time and traffic.
Chapter 3 Service and Function
On the MA5200F, you can manually configure static routes to specific destinations, or
configure dynamic routing protocols that exchange routing information with other
routers in the network and discover routes through their routing algorithms.
The MA5200F manages static routes and dynamic routes together. Static routes and
the routes discovered by the different routing protocols can be imported into, and so
shared with, the other routing protocols.
Different routing protocols may discover different routes to the same destination, and
not all of these routes, the static routes included, are optimal. Each routing protocol
(static routes included) is assigned a priority value. When there are multiple routes to
the same destination, the route discovered by the routing protocol with the highest
priority is used to forward packets.
You can manually configure the priority values of the routing protocols, except for
direct routes, Internal BGP (IBGP) and External BGP (EBGP). Different static routes
may also be given different priority values.
Route backup means switching to a secondary route when the primary route fails, in
order to ensure the reliability of the network.
To implement route backup, multiple routes are configured for the same destination.
Among them the route with the highest priority is the primary route, and the remaining
routes are secondary routes, queued according to their priorities. Normally the router
forwards packets through the primary route. When the primary route fails, the route
with the highest priority among the secondary routes is selected to forward packets;
this is the switchover between primary and secondary routes. When the primary route
recovers, the router selects it again to forward packets.
Since different routing protocols use different algorithms, they may discover different
routes to the same destination. The MA5200F supports importing the routes discovered
by one routing protocol into another, so that the routing data discovered by the
different protocols can be shared. Each protocol has its own route-import function.
I. Static route
The default route is a special route. It can be a configured static route, or a route
generated by a dynamic routing protocol such as OSPF.
The default route is used when no entry in the routing table matches the destination
of a packet, that is, only when there is no more specific route to the destination.
In the routing table, the default route is the route to network 0.0.0.0 with netmask
0.0.0.0. If no default route is configured and the destination of a packet is not in the
routing table, the packet is discarded and an ICMP packet (ICMP stands for Internet
Control Message Protocol) is returned to the source address, reporting that the
destination host or network is unreachable.
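The selection, backup and default-route rules described above, as an added Python example that is not MA5200F code: a route table keyed by prefix, where each destination may hold routes from several protocols, the primary is the route with the best priority, and lookup falls through to 0.0.0.0/0 only when nothing more specific is active. The preference values (here a smaller value means a higher priority), the prefixes and the next hops are assumptions for illustration and are not the MA5200F defaults.

```python
# Added example: route selection with protocol priority, primary/secondary
# switchover and default-route fallback (not MA5200F code).
# Assumption: a smaller preference value means a higher priority; the values
# below are illustrative and are not the MA5200F defaults.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PREFERENCE = {"direct": 0, "ospf": 10, "static": 60, "rip": 100}  # assumed values


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    protocol: str
    preference: Optional[int] = None  # a static route may carry its own value
    up: bool = True

    def __post_init__(self) -> None:
        if self.preference is None:
            self.preference = PREFERENCE[self.protocol]


class RouteTable:
    def __init__(self) -> None:
        self._routes: Dict[ipaddress.IPv4Network, List[Route]] = {}

    def add(self, prefix: str, next_hop: str, protocol: str,
            preference: Optional[int] = None) -> None:
        net = ipaddress.IPv4Network(prefix)
        self._routes.setdefault(net, []).append(Route(net, next_hop, protocol, preference))

    def candidates(self, prefix: str) -> List[Route]:
        """All routes to one destination: the primary first, then the
        secondaries queued by priority."""
        net = ipaddress.IPv4Network(prefix)
        return sorted(self._routes.get(net, []), key=lambda r: r.preference)

    def active(self, prefix: str) -> Optional[Route]:
        """The primary route while it is up; otherwise the best secondary."""
        for route in self.candidates(prefix):
            if route.up:
                return route
        return None

    def set_state(self, prefix: str, protocol: str, up: bool) -> None:
        """Mark the routes to `prefix` learned by `protocol` as failed or recovered."""
        for route in self._routes.get(ipaddress.IPv4Network(prefix), []):
            if route.protocol == protocol:
                route.up = up

    def lookup(self, dst: str) -> Tuple[str, Optional[str]]:
        """Longest-prefix match over active routes. 0.0.0.0/0 matches everything,
        so it only wins when no more specific route exists. Returns
        ("forward", next_hop) or ("icmp-unreachable", None), mirroring the
        discard-and-report behaviour when there is no default route."""
        addr = ipaddress.IPv4Address(dst)
        best: Optional[Route] = None
        for net in self._routes:
            if addr in net:
                route = self.active(net.with_prefixlen)
                if route and (best is None or net.prefixlen > best.prefix.prefixlen):
                    best = route
        if best is None:
            return ("icmp-unreachable", None)
        return ("forward", best.next_hop)


def build_demo_table() -> RouteTable:
    """Constructed example: three protocols know 10.1.0.0/16, two static routes
    with different priorities know 10.2.0.0/16, and one static default route."""
    table = RouteTable()
    table.add("10.1.0.0/16", "192.0.2.1", "ospf")
    table.add("10.1.0.0/16", "192.0.2.2", "static")
    table.add("10.1.0.0/16", "192.0.2.3", "rip")
    table.add("10.2.0.0/16", "192.0.2.5", "static", preference=50)
    table.add("10.2.0.0/16", "192.0.2.6", "static", preference=70)
    table.add("0.0.0.0/0", "192.0.2.254", "static")
    return table


if __name__ == "__main__":
    t = build_demo_table()
    print(t.lookup("10.1.5.5"))          # primary (OSPF) route
    t.set_state("10.1.0.0/16", "ospf", False)
    print(t.lookup("10.1.5.5"))          # switchover to the static secondary
    print(t.lookup("203.0.113.9"))       # falls through to the default route
```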
3.2.3 RIP
RIP uses the hop count to measure the distance between the source and the destination
of a packet; this is called the routing metric. In RIP the hop count from a router to a
directly connected network is 0, to a network with one router in between it is 1, and so
on. To bound the convergence time, the RIP metric is an integer between 0 and 15. A
hop count of 16 or more is defined as infinity, meaning that the destination network or
host is unreachable.
To prevent routing loops, RIP supports split horizon and poison reverse. RIP also allows
routes discovered by other protocols to be imported.
RIP is implemented by most IP equipment vendors. It is used in most CANs and in other
networks with a simple structure; it is not used for large or complex networks.
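An added Python example, not MA5200F code, of the RIP rules just described: a received metric costs one more hop, 16 is treated as infinity and is never installed as a new route, a poisoned metric from the current next hop is honoured, and advertisements apply split horizon with poison reverse. The prefixes, interface names and neighbour addresses are constructed.

```python
# Added example: RIP update processing (not MA5200F code). Metric = hop count,
# 16 = infinity, a received metric costs one more hop, and advertisements use
# split horizon with poison reverse. Prefixes and neighbours are constructed.
from typing import Dict, List

RIP_INFINITY = 16


class RipRouter:
    def __init__(self) -> None:
        # prefix -> {"metric": int, "next_hop": Optional[str], "iface": str}
        self.table: Dict[str, dict] = {}

    def add_connected(self, prefix: str, iface: str) -> None:
        """Directly connected network: the manual counts it as 0 hops."""
        self.table[prefix] = {"metric": 0, "next_hop": None, "iface": iface}

    def process_update(self, neighbor: str, iface: str, entries: Dict[str, int]) -> List[str]:
        """Apply an advertisement {prefix: metric} received from `neighbor` on
        `iface`. Returns the prefixes whose table entry changed."""
        changed = []
        for prefix, adv_metric in entries.items():
            metric = min(adv_metric + 1, RIP_INFINITY)  # one more hop, capped at infinity
            current = self.table.get(prefix)
            if current is None:
                # Never install an unreachable destination as a new route.
                if metric < RIP_INFINITY:
                    self.table[prefix] = {"metric": metric, "next_hop": neighbor, "iface": iface}
                    changed.append(prefix)
            elif current["next_hop"] == neighbor:
                # The route came from this neighbour: accept its new metric even
                # if it is worse or poisoned (16); the neighbour knows best.
                if current["metric"] != metric:
                    current["metric"] = metric
                    changed.append(prefix)
            elif metric < current["metric"]:
                self.table[prefix] = {"metric": metric, "next_hop": neighbor, "iface": iface}
                changed.append(prefix)
        return changed

    def advertisement(self, iface: str, poison_reverse: bool = True) -> Dict[str, int]:
        """Entries to send out of `iface`. Routes learned through that same
        interface are omitted (split horizon) or sent as 16 (poison reverse)."""
        out: Dict[str, int] = {}
        for prefix, route in self.table.items():
            if route["next_hop"] is not None and route["iface"] == iface:
                if poison_reverse:
                    out[prefix] = RIP_INFINITY
                continue
            out[prefix] = route["metric"]
        return out

    def reachable(self, prefix: str) -> bool:
        route = self.table.get(prefix)
        return route is not None and route["metric"] < RIP_INFINITY


if __name__ == "__main__":
    r = RipRouter()
    r.add_connected("10.0.0.0/24", "eth0")
    r.process_update("10.0.1.2", "eth1", {"10.0.5.0/24": 2})
    print(r.table["10.0.5.0/24"])       # metric 3 via 10.0.1.2
    print(r.advertisement("eth1"))      # 10.0.5.0/24 poisoned to 16 on eth1
```

Once a next hop poisons a route, the entry stays at 16 until another neighbour advertises a finite metric, which is why the route held by the other neighbour is picked up again on its next periodic update rather than immediately.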
3.2.4 OSPF
OSPF is an interior gateway protocol based on link state, developed by the IETF. The
current version is OSPF version 2 (RFC 2328). Table 3-1 shows its features.
Table 3-1 Features of OSPF
Feature                 Description
Fast convergence        Route updates are sent immediately after the network topology changes, so that the routing information is synchronized across the AS.
Loop free               No routing loop is generated, since routes are calculated from the link state with the shortest path first (SPF) algorithm.
Area management         The AS can be divided into areas, which abstracts the routing information transmitted between areas and reduces the network resources consumed.
Equal-cost routes       Multiple routes with the same metric to the same destination are supported.
Classified routes       Four types of route are used, classified according to their priorities: intra-area route, inter-area route, type 1 external route and type 2 external route.
Packet authentication   Interface-based packet authentication is supported to secure the route calculation.
into a route metric map that reflects the real structure of the entire network. This
map is identical on all the routers.
3) In OSPF each router regards itself as the root and uses the SPF algorithm to
calculate a shortest path tree. The tree gives the paths to all the nodes in the AS;
external routing information forms its leaf nodes. A router that advertises an
external route tags the route so that additional information about the AS can be
recorded. The routing tables obtained from this calculation differ from router to
router.
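Step 3 as an added Python example, not MA5200F code: a constructed four-router link-state database, Dijkstra run with each router as the root, and external prefixes attached as leaves of the tree using the type 1 / type 2 external cost rules (type 1 adds the internal cost to the ASBR, type 2 uses the external metric alone). The topology, link costs and prefixes are assumptions; the point is that the same LSDB yields a different routing table on every router.

```python
# Added example: SPF over a shared link-state database (not MA5200F code).
# Every router runs Dijkstra with itself as the root over the same LSDB and
# therefore ends up with a different routing table. Topology is constructed.
import heapq
import itertools
from typing import Dict, Optional, Tuple

# Constructed LSDB: router -> {neighbour: link cost}; links are symmetric here.
LSDB: Dict[str, Dict[str, int]] = {
    "R1": {"R2": 1, "R3": 5},
    "R2": {"R1": 1, "R3": 1, "R4": 4},
    "R3": {"R1": 5, "R2": 1, "R4": 1},
    "R4": {"R2": 4, "R3": 1},
}
# External routes hang off the router (ASBR) that imported them:
# prefix -> (ASBR, external type 1 or 2, external metric). Constructed.
EXTERNAL: Dict[str, Tuple[str, int, int]] = {"203.0.113.0/24": ("R4", 2, 10)}


def spf(lsdb: Dict[str, Dict[str, int]], root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra from `root`. Returns node -> (cost, first hop from root)."""
    dist: Dict[str, Tuple[int, Optional[str]]] = {root: (0, None)}
    order = itertools.count()  # tie-breaker so the heap never compares hop names
    heap = [(0, next(order), root, None)]
    while heap:
        cost, _, node, first_hop = heapq.heappop(heap)
        if cost > dist[node][0]:
            continue  # stale heap entry
        for nbr, link_cost in lsdb[node].items():
            new_cost = cost + link_cost
            hop = nbr if first_hop is None else first_hop
            if nbr not in dist or new_cost < dist[nbr][0]:
                dist[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, next(order), nbr, hop))
    return dist


def routing_table(lsdb: Dict[str, Dict[str, int]],
                  external: Dict[str, Tuple[str, int, int]],
                  root: str) -> Dict[str, Tuple[int, str]]:
    """Routing table of `root`: every other node plus the external prefixes,
    each as (cost, first hop). External prefixes are leaves under their ASBR."""
    tree = spf(lsdb, root)
    table: Dict[str, Tuple[int, str]] = {}
    for node, (cost, hop) in tree.items():
        if node != root:
            table[node] = (cost, hop)
    for prefix, (asbr, ext_type, ext_metric) in external.items():
        if asbr not in tree:
            continue  # ASBR unreachable: no route
        to_asbr, hop = tree[asbr]
        # Type 1: internal cost to the ASBR is added; type 2: external metric only.
        cost = to_asbr + ext_metric if ext_type == 1 else ext_metric
        table[prefix] = (cost, "local" if asbr == root else hop)
    return table


if __name__ == "__main__":
    for router in LSDB:
        print(router, routing_table(LSDB, EXTERNAL, router))
```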
To flood the local state of a router (such as its available interfaces and reachable
neighbors) to the whole network, adjacencies must be established between the router
and the other routers in the network. On a multi-access network, however, a full mesh
of adjacencies would cause every route change to be transmitted many times and
would waste network resources. OSPF therefore defines a Designated Router (DR): all
routers send their routing information only to the DR, and the DR floods it to the
network. This reduces the number of adjacencies between routers on a multi-access
network.
OSPF supports interface-based packet authentication to secure the route calculation.
OSPF packets are sent and received as IP multicast.
3.2.5 BGP
Features Description
External routing protocol: BGP is an exterior routing protocol, unlike interior routing protocols such as OSPF and RIP. BGP is not intended to discover and calculate routes; instead, it controls the propagation of routing information and selects the best route.
Loop free: By carrying AS path attribute information in BGP routing packets, routing loops can be eliminated.
Protocol reliability: The transport layer protocol is TCP, which enhances reliability.
CIDR: BGP-4 supports CIDR, an important improvement over BGP-3. CIDR does not classify IP addresses in the classful way (Class A, B and C). For example, 192.213.0.0 with mask 255.255.0.0, which is not a valid classful Class C network, is written in CIDR as 192.213.0.0/16, a valid supernet address; /16 indicates that the network mask consists of the leftmost 16 bits of the address. CIDR simplifies route aggregation by advertising one route instead of many, and reduces the size of routing tables.
Route update: BGP sends only the updated part of the routing information, which markedly reduces the bandwidth used. This is especially suitable for transmitting large amounts of routing information over the Internet.
Routing policy: BGP provides abundant routing policies for flexible route selection and filtering, and facilitates future expansion of the network.
BGP runs on a router (here the MA5200F) as an application layer protocol over TCP. When a session is established, the BGP router sends its whole BGP routing table to its peers to exchange routing information; after that, only update messages are exchanged. Keep-alive messages are sent and received continuously to detect the state of the connection between the devices.
A router that sends BGP messages is called a BGP speaker. It receives and generates route updates and advertises them to other BGP speakers. When a BGP speaker receives an update for a route it does not know, or a route that is better than all the routes it knows, it advertises the update to the other BGP speakers in the AS. BGP speakers that exchange routing information with each other are called peers; multiple peers can form a peer group.
On the MA5200F, BGP runs in IBGP or EBGP mode. BGP between routers in the same AS is called IBGP; BGP between routers in different ASs is called EBGP.
Note:
The access described in this section is different from physical link access (such as Ethernet access, ADSL access and WLAN access). Access here means the access protocol, or the collection of access protocols and technologies used to complete user access.
• Allocation of IP addresses, that is, the method of assigning an IP address to the subscriber.
• Accounting method to be applied to the access subscriber.
IP address allocation and accounting are described in their own sections of this chapter. This part describes the principles by which the remaining three access technologies are implemented on the MA5200F.
The basic access methods on the MA5200F are PPPoE, VLAN and 802.1X. Leased line access and Layer3 BAS authentication are also supported.
Note:
Physical links are loosely related to access protocols. For example, the most common protocol for Ethernet access is VLAN+DHCP, for ADSL access it is PPPoE, and for WLAN access it is 802.1X. However, the relation is neither fixed nor certain; for example, 802.1X and PPPoE can also be used as the access protocol for Ethernet access.
VLAN access means establishing a connection between the MA5200F and the subscriber using Ethernet II or 802.1Q frames. In VLAN access, the authentication method is Web authentication, binding authentication or fast authentication, and the IP address is obtained through static configuration or from a DHCP server.
In VLAN access, subscribers are identified and isolated by VLAN ID. The subscriber terminal (PC) must be connected to the MA5200F through one LAN switch or through several cascaded LAN switches. According to the physical position of the subscriber, the LAN switch adds an 802.1Q VLAN tag to the subscriber's packets, so that subscribers in different VLANs are isolated from each other. To exchange information, packets from subscribers must be forwarded through the MA5200F.
In VLAN access, a static IP address can be configured, or the IP address can be obtained through DHCP. To obtain an IP address through DHCP:
1) The subscriber terminal broadcasts a DHCP Discover message when it is powered on.
2) The MA5200F returns a reply (DHCP Offer) to the DHCP Discover message.
3) The subscriber sends a DHCP Request message.
4) According to the VLAN information carried with the DHCP Request, the MA5200F decides which local address pool or remote DHCP server is used to allocate an IP address to the subscriber.
5) If the address is allocated from a local address pool, an address is taken from the pool and sent to the subscriber together with the lease information.
6) If the address is allocated from a DHCP server, the MA5200F forwards the DHCP request to the DHCP server (DHCP Relay) and passes the server's reply to the subscriber.
7) After the subscriber has obtained an IP address with a certain lease, the access link is established.
At a certain time before the lease expires, the subscriber sends a request to extend the lease. If the local address pool or the DHCP server accepts the request, the lease is extended automatically. Otherwise, the subscriber has to request an IP address again by sending a new DHCP Request message.
In binding authentication, after the subscriber has obtained an IP address, the MA5200F generates an account name and password for the subscriber from the access port and VLAN information. This process is invisible to the subscriber, who can get online as soon as the IP address is obtained. However, in this authentication mode a VLAN is generally configured with only one user, in order to guarantee that the user is legitimate: the port and VLAN are the only evidence of the user's identity.
In Web authentication and fast authentication, the subscriber is in a "pre-connection" state after obtaining an IP address. In this state, the subscriber can reach only the addresses permitted by the ACL, such as the Web authentication server (built-in or external). To obtain access to the Internet, the subscriber must pass Web authentication or fast authentication.
The procedure of Web authentication and fast authentication is as follows:
1) The subscriber visits the Web authentication server directly, or is brought there by forced Web authentication. In forced Web authentication, the subscriber's request for some other address is redirected by the MA5200F to the forced Web authentication server, and client software for heart-beat detection is downloaded.
2) In Web authentication, the subscriber enters the user name and password in the Web page provided by the Web authentication server; in fast authentication, the subscriber does not need to enter a user name and password.
3) The Web authentication server sends the user name and password entered by the subscriber, or the user name and password configured for fast authentication, to the MA5200F.
4) According to its configuration, the MA5200F authenticates the subscriber locally or through RADIUS. After successful authentication, the subscriber obtains the authority and receives an authentication successful message from the Web server.
5) The subscriber is connected to the Internet, and the MA5200F starts accounting for the subscriber.
6) The client software sends heart-beat packets to report its online status to the Web server. If the Web server does not receive a heart-beat packet within a certain period of time, it regards the subscriber as offline, informs the MA5200F to disconnect the subscriber, and accounting stops.
7) An online subscriber can use the client software to ask the Web authentication server to terminate the connection. The Web server then informs the MA5200F to delete the connection information and stop accounting for the subscriber.
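The pre-connection state, the forced redirect and the heart-beat cut-off described above, modelled as a small state machine. This is an added example, not code from the MA5200F or its Web authentication server; the portal address, the 30 second heart-beat timeout, the local user table and the rule that only HTTP (port 80) can be answered with a redirect are assumptions made for the example.

```python
"""Web/fast authentication on a BAS as a state machine (added example).

States: pre-connection (only ACL-permitted destinations reachable, other
HTTP requests redirected to the forced Web authentication server), online
(accounting running) and offline (heart-beat timeout or explicit logoff).
"""
import ipaddress

PRE_CONNECTION, ONLINE, OFFLINE = "pre-connection", "online", "offline"


class WebAuthBas:
    def __init__(self, portal_ip, permitted_prefixes, heartbeat_timeout, users):
        self.portal_ip = ipaddress.ip_address(portal_ip)
        # Destinations reachable before authentication (the pre-connection ACL).
        self.permitted = [ipaddress.ip_network(p) for p in permitted_prefixes]
        self.heartbeat_timeout = heartbeat_timeout
        self.users = users      # assumed local user database: name -> password
        self.sessions = {}      # subscriber IP -> session record

    def dhcp_bound(self, sub_ip, now):
        """Subscriber got an address: enters pre-connection, no accounting yet."""
        self.sessions[sub_ip] = {"state": PRE_CONNECTION, "user": None,
                                 "last_heartbeat": now, "accounting": None}

    def forward(self, sub_ip, dst_ip, dst_port):
        """Returns "forward", "redirect" (forced Web authentication) or "drop"."""
        s = self.sessions.get(sub_ip)
        if s is None or s["state"] == OFFLINE:
            return "drop"
        if s["state"] == ONLINE:
            return "forward"
        dst = ipaddress.ip_address(dst_ip)
        if any(dst in net for net in self.permitted):
            return "forward"
        # Only HTTP can be answered with an HTTP redirect (assumption);
        # anything else from an unauthenticated subscriber is dropped.
        return "redirect" if dst_port == 80 else "drop"

    def portal_login(self, sub_ip, user, password, now):
        """Portal relays the credentials; the BAS authenticates locally here."""
        s = self.sessions.get(sub_ip)
        if s is None or s["state"] != PRE_CONNECTION:
            return False
        if self.users.get(user) != password:
            return False
        s.update(state=ONLINE, user=user, last_heartbeat=now,
                 accounting={"start": now, "stop": None})
        return True

    def heartbeat(self, sub_ip, now):
        s = self.sessions.get(sub_ip)
        if s and s["state"] == ONLINE:
            s["last_heartbeat"] = now

    def tick(self, now):
        """Periodic check: silent clients are cut off and accounting stopped."""
        for s in self.sessions.values():
            if s["state"] == ONLINE and now - s["last_heartbeat"] > self.heartbeat_timeout:
                self._go_offline(s, now)

    def logoff(self, sub_ip, now):
        s = self.sessions.get(sub_ip)
        if s and s["state"] == ONLINE:
            self._go_offline(s, now)

    def _go_offline(self, s, now):
        s["state"] = OFFLINE
        s["accounting"]["stop"] = now

    def state(self, sub_ip):
        s = self.sessions.get(sub_ip)
        return s["state"] if s else None

    def session_seconds(self, sub_ip):
        acc = self.sessions[sub_ip]["accounting"]
        return None if acc is None else acc["stop"] - acc["start"]


def demo():
    # Constructed scenario: one subscriber, portal at 10.0.0.10, 30 s heart-beat timeout.
    bas = WebAuthBas("10.0.0.10", ["10.0.0.0/24"], heartbeat_timeout=30,
                     users={"alice": "s3cret"})
    bas.dhcp_bound("192.168.1.20", now=0)
    before = (bas.forward("192.168.1.20", "203.0.113.5", 80),   # redirect to portal
              bas.forward("192.168.1.20", "203.0.113.5", 443),  # drop
              bas.forward("192.168.1.20", "10.0.0.10", 80))     # portal itself is permitted
    bad = bas.portal_login("192.168.1.20", "alice", "wrong", now=5)
    ok = bas.portal_login("192.168.1.20", "alice", "s3cret", now=5)
    after = bas.forward("192.168.1.20", "203.0.113.5", 443)
    bas.heartbeat("192.168.1.20", now=20)
    bas.tick(now=60)  # 40 s without a heart-beat: cut off, accounting stops
    return before, bad, ok, after, bas.state("192.168.1.20"), bas.session_seconds("192.168.1.20")
```

The point to notice is that the pre-connection ACL, not authentication, is what keeps an unauthenticated host from reaching the Internet, so the permitted prefix list has to be as narrow as the portal itself.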
Note:
Forced Web authentication: when a subscriber who needs Web authentication or fast authentication attempts to access an address that is not yet authorized, the MA5200F redirects the request to the forced Web authentication server.
In forced Web authentication, the forced Web authentication server and the Web authentication server may be separate. The forced Web authentication server serves the authentication Web page, collects the subscriber's name and password and sends them to the Web authentication server over an internal protocol. The Web authentication server then interacts with the MA5200F to complete the authentication.
802.1X access means establishing a connection between the MA5200F and the subscriber using the EAPoL protocol. In 802.1X access, the authentication method is EAP, and the IP address is obtained through static configuration or from a DHCP server.
802.1X (IEEE Std 802.1X-2001) defines port-based access control that uses EAP as its authentication protocol; it was designed for point-to-point or wireless access, or for leased lines. In the MA5200F, however, 802.1X is used not only for WLAN access authentication but also for Ethernet access authentication. In both cases EAPoL is required to carry the EAP packets.
In MA5200F networking, LAN switches and hubs are used to connect the subscribers, so the concept of the EAP logical port must be extended. The MA5200F defines an 802.1X logical port in which the physical port, VLAN and MAC (Media Access Control) address together make up one logical port for the protocol.
802.1X only defines the authentication protocol on the port, without concerning itself with how the subscriber obtains an address or with access control rules. To realize the "operable and manageable" idea in broadband access, the MA5200F binds the Layer2 and Layer3 authorities in the EAP authentication of standard 802.1X access. This means that the subscriber must pass EAP authentication before obtaining an IP address through DHCP, and that after passing EAP authentication the subscriber obtains all authorities and needs no further authentication.
Compared with VLAN access, 802.1X access has some advantages, especially in protecting the IP address pool. In VLAN access an IP address can be obtained before the subscriber is authenticated, so a large number of unauthenticated subscribers logging in may exhaust the IP address pool.
1) Authentication is triggered when the subscriber enters the user name and password in the 802.1X client. Authentication can also be initiated by the MA5200F, after it has identified the subscriber as an 802.1X subscriber from the DHCP request, or from the ARP request of a subscriber with a static IP address.
2) The MA5200F negotiates EAP with the 802.1X client on the subscriber side and establishes the EAPoL link.
3) According to the location of the subscriber domain, the subscriber is authenticated locally (EAP-END) or by the RADIUS server. For RADIUS, the MA5200F either converts the EAP-MD5 authentication into CHAP authentication and sends the user name and CHAP response to the RADIUS server (EAP-to-RADIUS), or forwards the subscriber's EAP packets to the RADIUS server unchanged (EAP-over-RADIUS).
4) The authentication result is sent to the subscriber. If authentication fails, it can be terminated, or another authentication request can be originated.
5) The subscriber originates a DHCP request.
6) The MA5200F responds to the DHCP request and allocates an IP address to the subscriber from a local address pool, or from a DHCP server through DHCP Relay.
7) The subscriber is connected to the Internet, and the MA5200F starts accounting.
8) While the subscriber is online, the MA5200F performs handshake detection at regular intervals to check the connection status of the subscriber. If no reply is received within the configured maximum detection time, the MA5200F regards the subscriber as having gone offline for an unknown reason, disconnects the subscriber, deletes the related information and stops accounting.
9) The disconnection can also be originated by the subscriber through the 802.1X client; the MA5200F then disconnects the subscriber, takes back the IP address and stops accounting.
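How the three authentication paths in step 3 relate, as an added example (not MA5200F code). The EAP-MD5 response is MD5(Identifier || password || challenge), which is exactly the CHAP response of RFC 1994; that is what lets a NAS re-encode it as RADIUS CHAP-Password and CHAP-Challenge attributes (EAP-to-RADIUS) instead of tunnelling the EAP packet in EAP-Message attributes (EAP-over-RADIUS), or verify it itself (EAP-END). EAP codes and RADIUS attribute numbers are from RFC 3748, RFC 2865 and RFC 2869; the user database, identifier and challenge are constructed.

```python
"""EAP-MD5 handled three ways by a NAS (added example, not MA5200F code)."""
import hashlib
import os

EAP_REQUEST, EAP_RESPONSE = 1, 2            # EAP codes (RFC 3748)
EAP_TYPE_MD5 = 4                            # MD5-Challenge type
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE, ATTR_EAP_MESSAGE = 1, 3, 60, 79


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 3748 5.4: MD5 over Identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_packet(code: int, identifier: int, eap_type: int, type_data: bytes) -> bytes:
    length = 5 + len(type_data)             # code, id, length(2), type
    return bytes([code, identifier]) + length.to_bytes(2, "big") + bytes([eap_type]) + type_data


def eap_md5_request(identifier: int, challenge: bytes) -> bytes:
    # Type-Data: Value-Size || Value (the challenge) || Name (omitted here)
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5, bytes([len(challenge)]) + challenge)


def eap_md5_response(identifier: int, name: bytes, password: bytes, challenge: bytes) -> bytes:
    resp = chap_response(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5, bytes([len(resp)]) + resp + name)


def parse_eap_md5_response(pkt: bytes):
    """Return (identifier, name, response); reject malformed packets early."""
    if len(pkt) < 6 or pkt[0] != EAP_RESPONSE or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP-MD5 response")
    if int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("bad EAP length")
    size = pkt[5]
    if size != 16 or len(pkt) < 6 + size:
        raise ValueError("bad MD5 value size")
    return pkt[1], pkt[6 + size:], pkt[6:6 + size]


def radius_attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def local_verify(pkt: bytes, challenge: bytes, users: dict) -> bool:
    """EAP-END: the NAS checks the response against its own user database."""
    ident, name, resp = parse_eap_md5_response(pkt)
    pw = users.get(name)
    return pw is not None and chap_response(ident, pw, challenge) == resp


def eap_to_radius(pkt: bytes, challenge: bytes) -> bytes:
    """EAP-to-RADIUS: the same proof carried as CHAP attributes. The RADIUS
    server must hold the clear-text password to recompute the MD5."""
    ident, name, resp = parse_eap_md5_response(pkt)
    return (radius_attr(ATTR_USER_NAME, name)
            + radius_attr(ATTR_CHAP_PASSWORD, bytes([ident]) + resp)
            + radius_attr(ATTR_CHAP_CHALLENGE, challenge))


def eap_over_radius(pkt: bytes) -> bytes:
    """EAP-over-RADIUS: the EAP packet passes through untouched in
    EAP-Message attributes (split at 253 octets); the server terminates EAP."""
    return b"".join(radius_attr(ATTR_EAP_MESSAGE, pkt[i:i + 253])
                    for i in range(0, len(pkt), 253))


def radius_server_check(attrs: bytes, users: dict) -> bool:
    """Minimal RADIUS-side CHAP check over the attribute bytes built above."""
    fields, i = {}, 0
    while i < len(attrs):
        t, l = attrs[i], attrs[i + 1]
        fields[t] = attrs[i + 2:i + l]
        i += l
    name, chap, chal = fields[ATTR_USER_NAME], fields[ATTR_CHAP_PASSWORD], fields[ATTR_CHAP_CHALLENGE]
    pw = users.get(name)
    return pw is not None and chap_response(chap[0], pw, chal) == chap[1:]


def demo():
    users = {b"alice": b"s3cret"}           # constructed local / RADIUS user database
    challenge = os.urandom(16)
    ident = 7
    request = eap_md5_request(ident, challenge)
    response = eap_md5_response(ident, b"alice", b"s3cret", challenge)
    forged = eap_md5_response(ident, b"alice", b"guess", challenge)
    return (local_verify(response, challenge, users),
            local_verify(forged, challenge, users),
            radius_server_check(eap_to_radius(response, challenge), users),
            eap_over_radius(response)[2:] == response,
            len(request))
```

Whichever side verifies (NAS or RADIUS server) needs the clear-text password, and anyone who captures the challenge and the 16-byte response can run an offline dictionary attack on it; EAP-MD5 also gives the subscriber no proof of who the authenticator is. Both are reasons to keep the EAPoL segment and the RADIUS path on trusted links.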
Caution:
EAP authentication requires some special configuration. If the subscriber terminal does not support 802.1X dial-up at power on, it may fail to obtain an IP address, so the boot process may take longer. This is why the MA5200F supports not only plain EAP, but also logical port EAP and Web authentication. With this function, the IP address is obtained first, and then Web authentication or EAP authentication is used to obtain the authority.
Leased line access means connecting a group of subscribers to the Internet through a Layer2 or Layer3 network. The subscribers in the group have the same service attributes, and are authenticated and charged as if they were a single subscriber. The MA5200F reserves system resources for this type of subscriber.
There are four leased line access modes: PPPoE, VLAN, VLAN transparent transmission and Proxy.
PPPoE leased line access means that subscribers (for example, servers) are connected to L3/GSR devices, which access the MA5200F by PPPoE dial-up.
In PPPoE leased line access, the MA5200F is not responsible for address allocation or service control of the subscribers. As the PPPoE server, an MA5200F port can be configured with a static IP address to connect to the L3/GSR and establish the PPPoE connection with it. The MA5200F terminates the PPPoE packets and forwards them through the static routes configured between it and the L3/GSR.
VLAN leased line access is the mode in which all subscribers in the same VLAN of a port are authenticated, authorized and charged as if they were one subscriber. In this mode, the subscribers do not need to enter a user name and password to log in, and flow control and statistics are applied to the subscribers collectively.
The MA5200F can allocate both dynamic and static addresses to VLAN access subscribers. It can also assign a network segment to the leased line subscribers and leave the allocation of terminal IP addresses to the VLAN leased line.
To authenticate VLAN leased line subscribers, the MA5200F first takes the IP address from the ARP request packet sent by the subscriber, then checks the legality of the packet against the physical port, VLAN ID and network segment.
VLAN leased line access has the following features:
• All subscribers of the same leased line have the same authority.
• All subscribers of the same leased line are charged together.
• Flow control and statistics apply to all subscribers of the same leased line together.
• The VLAN ID identifies the access line.
• User-configured authentication is not supported.
after a Proxy leased line has been configured, the MA5200F reserves the corresponding network resources for the leased line subscribers.
In VLAN transparent transmission access, the MA5200F replaces the VLAN ID and then forwards the packets out of the related port according to their MAC addresses. The MA5200F does not manage the IP addresses of the subscribers in this access mode.
The Layer3 BAS function means that the MA5200F provides Web authentication to subscribers who access the network through Layer3 devices such as routers and L3 LAN switches.
In Layer3 BAS, the MA5200F is usually connected to the convergence layer device and to no subscriber devices. The MA5200F is not responsible for providing access links or for allocating IP addresses to subscribers; these functions are performed by the routers and L3 LAN switches, or by the devices connected to them. The MA5200F is responsible only for authenticating and authorizing the subscribers who visit the external network.
Layer3 BAS is mostly used for Web authentication of CAN subscribers when they access external networks such as the Internet. When subscribers visit the internal network, the MA5200F does not apply any control.
The MA5200F supports dynamic and static IP addresses in VLAN and 802.1X access. In dynamic allocation, the address can be allocated from an external DHCP server through the DHCP Relay function, or from the built-in DHCP server of the MA5200F.
The MA5200F supports detection of unauthorized (rogue) DHCP servers, and supports re-logon triggered by an ARP request or IP data packet after the connection of a DHCP dynamic-address subscriber has been interrupted, so that the original IP address can be allocated to the subscriber again.
After receiving a DHCP request from a subscriber, the MA5200F looks in the local or remote address pool, according to the location of the subscriber domain, to allocate an idle IP address to the subscriber. A subscriber domain can be configured with at most three address pools, and the addresses in one address pool can be allocated to subscribers in multiple domains.
The addresses in an address pool are identified by the gateway address and network mask. The available addresses in the pool are those in the segment specified by the gateway address and mask, excluding the gateway address itself. When several address pools are configured, a multi-address pool is available in the domain.
The MA5200F supports 128 local address pools, and each pool can be divided into 8 address segments. The MA5200F also supports 128 DHCP server groups, each with one active and one standby DHCP server.
Caution:
If an address segment has been configured as a legal address segment for Layer3 authentication subscribers, it cannot be used by Layer2 authentication subscribers.
The MA5200F follows these principles when allocating addresses to subscribers:
• If the subscribers are allocated addresses from local address pools, all three address pools of the domain are used.
• If an address can be allocated either from a local address pool or from a remote address pool, the local pool is used first. When no address is available in the local pool, an address is allocated from a remote pool according to the rule below.
• If the address is allocated from a remote address pool, factors such as the stability of the DHCP server, the size of the address pool and the number of available addresses in the pool are all considered before a pool is selected.
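The DHCP flow in the VLAN access section and the allocation principles just listed, as one added example (not MA5200F code): the VLAN tag on the DHCP request selects the subscriber domain, a domain holds at most three pools, a local pool is the range given by gateway address and mask with the gateway excluded, local pools are exhausted before any remote DHCP server group is used through relay, and among remote groups the one with the most free addresses is chosen (the server stability criterion from the text is not modelled). The tiny /29 pools, domain name, MAC strings and lease time are constructed.

```python
"""BAS address allocation for VLAN/DHCP access (added example, not MA5200F code)."""
import ipaddress

MAX_POOLS_PER_DOMAIN = 3


class LocalPool:
    def __init__(self, gateway, prefixlen, lease=3600):
        net = ipaddress.ip_network(f"{gateway}/{prefixlen}", strict=False)
        self.gateway = ipaddress.ip_address(gateway)
        # hosts() already drops network and broadcast; drop the gateway too.
        self.free = [a for a in net.hosts() if a != self.gateway]
        self.leases = {}          # address -> (mac, expiry)
        self.lease = lease

    def available(self):
        return len(self.free)

    def allocate(self, mac, now):
        if not self.free:
            return None
        addr = self.free.pop(0)
        self.leases[addr] = (mac, now + self.lease)
        return addr, now + self.lease

    def renew(self, addr, mac, now):
        owner, _ = self.leases.get(addr, (None, None))
        if owner != mac:
            return None           # not this client's lease: it must re-request
        self.leases[addr] = (mac, now + self.lease)
        return now + self.lease

    def release(self, addr):
        if addr in self.leases:
            del self.leases[addr]
            self.free.append(addr)


class RemoteServerGroup:
    """Stands in for an external DHCP server reached through DHCP Relay."""
    def __init__(self, name, pool):
        self.name, self.pool = name, pool

    def available(self):
        return self.pool.available()

    def relay(self, mac, now):
        return self.pool.allocate(mac, now)


class Bas:
    def __init__(self):
        self.vlan_to_domain = {}
        self.domains = {}         # domain -> {"local": [...], "remote": [...]}

    def add_domain(self, name, local=(), remote=()):
        if len(local) + len(remote) > MAX_POOLS_PER_DOMAIN:
            raise ValueError("a domain may use at most three address pools")
        self.domains[name] = {"local": list(local), "remote": list(remote)}

    def bind_vlan(self, vlan_id, domain):
        self.vlan_to_domain[vlan_id] = domain

    def dhcp_request(self, vlan_id, mac, now):
        """Returns (address, expiry, source) or None when every pool is empty."""
        domain = self.domains[self.vlan_to_domain[vlan_id]]
        for pool in domain["local"]:          # all local pools, in order
            got = pool.allocate(mac, now)
            if got:
                return got[0], got[1], "local"
        remotes = [g for g in domain["remote"] if g.available() > 0]
        if not remotes:
            return None
        group = max(remotes, key=lambda g: g.available())  # most free addresses wins
        got = group.relay(mac, now)
        return got[0], got[1], group.name


def demo():
    # Constructed topology: VLAN 100 -> domain "isp-a"; one local /29 pool
    # (5 usable addresses once the gateway is excluded) and two relayed groups.
    bas = Bas()
    local = LocalPool("10.1.1.1", 29)
    small = RemoteServerGroup("dhcp-grp-1", LocalPool("10.2.0.1", 29))
    big = RemoteServerGroup("dhcp-grp-2", LocalPool("10.3.0.1", 24))
    bas.add_domain("isp-a", local=[local], remote=[small, big])
    bas.bind_vlan(100, "isp-a")
    results = [bas.dhcp_request(100, f"mac{i}", now=0) for i in range(7)]
    sources = [r[2] for r in results]
    first = results[0]
    renewed = local.renew(first[0], "mac0", now=1800)
    stolen = local.renew(first[0], "mac9", now=1800)
    return local.available(), sources, str(first[0]), renewed, stolen
```

Because addresses are handed out on the DHCP request alone, seven unauthenticated clients here drain the local pool and spill onto the relayed groups; this is the pool-exhaustion exposure the 802.1X section contrasts with, where authentication precedes the DHCP exchange.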
3.4.3 NAT
In ordinary Internet access, each host must have a globally unique IP address. As IP addresses become scarcer, Network Address Translation (NAT) becomes necessary.
With NAT, different hosts in the same network segment can share one IP address (or several) to access the Internet. This alleviates the shortage of IPv4 addresses and hides the addresses of the internal network from the outside.
NAT in the MA5200F supports static address mapping and Port Address Translation (PAT).
II. PAT
PAT is a method of multiplexing transport layer ports, so that a large number of subscribers in the internal network can access the Internet using the same public IP address. PAT subscriber terminals must use TCP or UDP (User Datagram Protocol).
In PAT, each source address (private address) and port in the user datagram is mapped to a unique public TCP/UDP port. This mapping table is maintained in the MA5200F. When a packet from the external network is received, the MA5200F looks up the private address in the mapping table by the destination TCP/UDP port of the packet, and forwards the packet to the subscriber.
PAT on the MA5200F supports an application layer gateway for FTP and NetMeeting, an MGCP gateway and an ICMP gateway, but does not support IP fragments (a non-initial fragment carries no transport port to translate). It supports control of the number of connections and of the connection rate for each subscriber.
Note:
The MA5200F does not implement NAT to leased line subscribers.
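A PAT mapping table with the per-subscriber connection limit the text mentions, as an added example (not MA5200F code). Outbound flows are keyed on (private IP, private port, protocol) and receive a unique public port; inbound packets are matched on that public destination port; the cap per subscriber keeps one host from using up the shared address's port range. The public address, port range and limits are assumptions; the fragment problem shows up in the protocol check, since a packet without a transport port cannot be multiplexed.

```python
"""PAT table with per-subscriber connection limits (added example, not MA5200F code)."""


class Pat:
    def __init__(self, public_ip, port_range=(1024, 65535), max_conn_per_sub=4):
        self.public_ip = public_ip
        self.next_port, self.last_port = port_range
        self.free_ports = []        # ports returned by closed mappings
        self.max_conn = max_conn_per_sub
        self.out = {}               # (priv_ip, priv_port, proto) -> public_port
        self.back = {}              # (public_port, proto) -> (priv_ip, priv_port)
        self.per_sub = {}           # priv_ip -> number of active mappings

    def _take_port(self):
        if self.free_ports:
            return self.free_ports.pop()
        if self.next_port > self.last_port:
            return None
        p = self.next_port
        self.next_port += 1
        return p

    def outbound(self, priv_ip, priv_port, proto):
        """Translate a subscriber packet; returns (public_ip, public_port) or None to drop."""
        if proto not in ("tcp", "udp"):
            return None             # no transport port to multiplex on (e.g. a fragment)
        key = (priv_ip, priv_port, proto)
        if key in self.out:
            return self.public_ip, self.out[key]
        if self.per_sub.get(priv_ip, 0) >= self.max_conn:
            return None             # per-subscriber limit reached: drop
        pub_port = self._take_port()
        if pub_port is None:
            return None             # public port range exhausted
        self.out[key] = pub_port
        self.back[(pub_port, proto)] = (priv_ip, priv_port)
        self.per_sub[priv_ip] = self.per_sub.get(priv_ip, 0) + 1
        return self.public_ip, pub_port

    def inbound(self, dst_port, proto):
        """Find the subscriber for a packet arriving from the Internet (None: drop)."""
        return self.back.get((dst_port, proto))

    def close(self, priv_ip, priv_port, proto):
        pub_port = self.out.pop((priv_ip, priv_port, proto), None)
        if pub_port is None:
            return False
        del self.back[(pub_port, proto)]
        self.per_sub[priv_ip] -= 1
        self.free_ports.append(pub_port)
        return True


def demo():
    pat = Pat("203.0.113.1", port_range=(40000, 40009), max_conn_per_sub=3)
    # Constructed flows: one greedy host opens 5 connections, a second host one.
    greedy = [pat.outbound("192.168.1.10", 50000 + i, "tcp") for i in range(5)]
    other = pat.outbound("192.168.1.11", 50000, "tcp")
    back = pat.inbound(other[1], "tcp")
    unknown = pat.inbound(40009, "udp")       # unsolicited inbound: no mapping
    closed = pat.close("192.168.1.10", 50000, "tcp")
    reopened = pat.outbound("192.168.1.10", 50100, "tcp")
    return greedy, other, back, unknown, closed, reopened
```

Without the cap, the greedy host's fourth and fifth flows would have taken two of the ten ports and the second subscriber would be competing with it for what is left; the limit turns that shared-resource exhaustion into a per-subscriber failure.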
I. Accounting method
The MA5200F supports accounting for subscribers on the basis of traffic volume or session time. Traffic can be counted according to service type and destination, which meets the needs of service providers for different charging policies.
Generally a ticket is produced when the subscriber logs off, and no intermediate ticket is produced. If the subscriber is disconnected abnormally, a correct accounting ticket may not be produced.
The MA5200F provides a realtime accounting function that collects traffic at regular intervals, so that the local accounting server or the RADIUS server can produce realtime tickets. This ensures the accuracy of the tickets as far as possible, even if the subscriber's session is interrupted.
Realtime accounting consumes network resources, and should be configured taking into account the network conditions, the performance of the RADIUS server and the total number of subscribers. Refer to the SmartAX MA5200F Broadband Intelligent Access Server Operation Manual for details.
The MA5200F supports prepayment based on traffic or session time. With the related configuration on the RADIUS server, the MA5200F can start a countdown before the prepaid tra f fic or session time is exhausted, and disconnect the subscriber when the prepaid traffic or time is used up. If the subscriber recharges the prepaid value during this time, the countdown stops.
V. Accounting failure
The MA5200F applies one of several policies when accounting for a subscriber fails: disconnecting the subscriber, local protection, or no action.
Secondary accounting for different ISPs means that the MA5200F sends the accounting information of the same subscriber to the RADIUS servers of two different ISPs at the same time, then waits for their replies.
This function is used when the original accounting information must be kept in different places (as in a network with multiple ISPs). The "RADIUS servers" here are not the active and standby servers of the RADIUS configuration, but two independent RADIUS servers, most probably belonging to two different ISPs.
In coordination with the RADIUS server, the MA5200F can switch the tariff used for accounting. After the MA5200F sends an accounting-start or realtime-accounting message, if the reply from the RADIUS server carries tariff switching information, the MA5200F starts the corresponding timer. When the timer expires (the switch takes effect), the MA5200F totals the traffic or session time and sends the ticket to the RADIUS server, then starts a new round of accounting for the same subscriber on the basis of the new tariff.
The MA5200F can restrict the total number of subscribers that can access from a certain physical port or port VLAN, in order to guarantee the bandwidth of online subscribers.
The MA5200F can also restrict the number of subscribers logging on from a certain domain, or using a certain user account. In coordination with the RADIUS server, the number of subscribers that can access with a certain RADIUS account can also be restricted. This helps to prevent illegal use of network resources, such as one account being shared among several people.
The MA5200F can also restrict the number of connections that each online subscriber can establish. A "connection" here is the logical forwarding channel identified by the quintuple "source IP address, source TCP/UDP port, destination IP address, destination TCP/UDP port and protocol type", or by some components of the quintuple.
The MA5200F can assign user accounts to access types (PPPoE, VLAN or 802.1X). In this way, access requests of one or several access types can be allowed or forbidden for an account when the request is authenticated.
This function enables the MA5200F to restrict and manage the service flow of subscribers. After the average and peak values of the upstream and downstream rates have been set for a control level, the number of data packets that can be received or forwarded in a given period of time is controlled.
The MA5200F provides a total of 30 flow control levels. All 30 levels are configured globally, with average and peak values ranging from 64 kbps to 100 Mbps (FE interface) or from 64 kbps to 1 Gbps (GE interface), at a granularity of 1 kbps. A control level can be applied on the basis of a domain (a domain is the largest unit in account-oriented service control; generally an ISP is set up as a domain) or of an individual subscriber.
The same control level can be used throughout a domain to unify the ISP's configuration, or different control levels can be configured for individual subscribers.
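A flow control level as a pair of token buckets, as an added example (not MA5200F code): the average-rate bucket bounds sustained throughput and the peak-rate bucket bounds bursts, and a packet is forwarded only if both buckets can pay for it. The level validation follows the figures above (30 levels, 64 kbps to 100 Mbps on an FE interface, whole kbps); the bucket depth of 100 ms worth of bytes, the integer millisecond clock, the domain and subscriber names and the constructed 1.2 Mbps offered load are assumptions.

```python
"""Flow control levels as dual token buckets (added example, not MA5200F code)."""
MAX_LEVELS = 30
MIN_KBPS, MAX_KBPS_FE = 64, 100_000


def validate_level(level, avg_kbps, peak_kbps, max_kbps=MAX_KBPS_FE):
    """Reject a level definition outside the configurable range."""
    if not 1 <= level <= MAX_LEVELS:
        raise ValueError("level must be 1..30")
    for v in (avg_kbps, peak_kbps):
        if not isinstance(v, int) or not MIN_KBPS <= v <= max_kbps:
            raise ValueError(f"rate {v} must be a whole number of kbps in {MIN_KBPS}..{max_kbps}")
    if avg_kbps > peak_kbps:
        raise ValueError("average rate must not exceed peak rate")
    return True


class TokenBucket:
    """Integer token bucket: tokens are bytes, time is in milliseconds."""
    def __init__(self, rate_kbps, depth_bytes):
        self.rate = rate_kbps * 1000 // 8          # bytes per second
        self.depth = depth_bytes
        self.tokens = depth_bytes
        self.last_ms = 0

    def refill(self, now_ms):
        # Sub-byte remainders are dropped (assumption, harmless at these rates).
        self.tokens = min(self.depth, self.tokens + (now_ms - self.last_ms) * self.rate // 1000)
        self.last_ms = now_ms
        return self.tokens


class RateLimiter:
    """Dual bucket limiter for one direction of one subscriber."""
    def __init__(self, avg_kbps, peak_kbps, burst_ms=100):
        self.avg = TokenBucket(avg_kbps, avg_kbps * 1000 // 8 * burst_ms // 1000)
        self.peak = TokenBucket(peak_kbps, peak_kbps * 1000 // 8 * burst_ms // 1000)

    def admit(self, nbytes, now_ms):
        """Forward only if both buckets can pay; on a drop neither is debited."""
        if self.avg.refill(now_ms) >= nbytes and self.peak.refill(now_ms) >= nbytes:
            self.avg.tokens -= nbytes
            self.peak.tokens -= nbytes
            return True
        return False


class FlowControl:
    """Levels defined globally, applied per domain with a per-subscriber override."""
    def __init__(self):
        self.levels = {}
        self.domain_level = {}
        self.subscriber_level = {}

    def define_level(self, level, avg_kbps, peak_kbps):
        validate_level(level, avg_kbps, peak_kbps)
        self.levels[level] = (avg_kbps, peak_kbps)

    def limiter_for(self, subscriber, domain):
        level = self.subscriber_level.get(subscriber, self.domain_level.get(domain))
        return None if level is None else RateLimiter(*self.levels[level])


def simulate(limiter, pkt_bytes, interval_ms, count):
    """Offer `count` packets `interval_ms` apart; return how many are forwarded."""
    return sum(limiter.admit(pkt_bytes, i * interval_ms) for i in range(count))


def demo():
    fc = FlowControl()
    fc.define_level(1, 512, 1024)               # 512 kbps average, 1 Mbps peak
    fc.domain_level["isp-a"] = 1
    rejected = 0
    for args in ((0, 512, 1024), (1, 32, 64), (1, 2048, 1024), (1, 100.5, 1024)):
        try:
            validate_level(*args)
        except ValueError:
            rejected += 1
    limiter = fc.limiter_for("alice", "isp-a")
    # Constructed offered load: 1500-byte packets every 10 ms = 1.2 Mbps,
    # above the 1 Mbps peak and more than double the 512 kbps average.
    forwarded = simulate(limiter, 1500, 10, 200)
    return rejected, forwarded, fc.limiter_for("carol", "other") is None
```

Over the two seconds simulated, the average bucket (6400 bytes of depth plus 64000 bytes per second) can pay for 89 of the 200 packets, so the sustained rate, not the peak, is what shapes this flow; a subscriber with no level configured gets no limiter at all, which is worth checking for in a domain that is supposed to be capped.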
3.6.4 Idle-Cut
Idle-Cut means to disconnect the subscriber whose traffic has been under a certain
threshold for a set period of time.
In idle-cut, the period of time and threshold of traffic can both be set on the basis of
domain, that is to say, all the subscribers in the same domain have the same settings
about idle-cut. However, the switch that controls whether the idle-cut function will be
implemented can be configured on the basis of individual subscriber.
3.6.5 QoS
Network QoS is more and more important as multimedia, Voice over IP (VoIP) and
video applications are getting popular.
QoS is an issue that requires cooperation of devices from the entire network. According
to its position in the network, the MA5200F supports Diff-Serv and 802.1P.
I. Diff-Serv
Diff-Serv (see RFC 2475) provides a QoS scheme in which the MA5200F determines the priority of a packet from the Differentiated Services Code Point (DSCP) carried in the packet, and implements traffic shaping, queue scheduling and congestion control accordingly.
The MA5200F usually uplinks to a Gigabit Switching Router (GSR) or a large-capacity Layer3 switch that supports Diff-Serv. The MA5200F therefore marks upstream packets with a DSCP code, and performs queue scheduling and congestion control according to service type or priority.
II. 802.1P
In ordinary packet forwarding, the next hop is selected automatically by the router according to the entries in its routing table. In an access network with multiple ISPs, this forwarding method cannot confine the traffic of a specific subscriber to the port of the corresponding ISP.
Policy routing is an effective solution for multi-ISP access control. It is a route selection mechanism based on user-defined policies. One of the most common policy routing methods is source address routing, in which the forwarding port for a packet is determined by the source IP address carried in the packet rather than by its destination.
With policy routing, the operator can designate the port that forwards a subscriber's packets to the next hop once the subscriber has logged in. In this way, the subscriber's traffic is confined to the port of a specific ISP, which is essential for accounting.
In addition, the MA5200F can add a VLAN ID to packets, so that upstream packets from the same domain are converged into the same VLAN.
This feature can be applied in Multi-protocol Label Switching (MPLS) VPNs. If a domain is set as the bearer domain for a certain service, upstream packets from that domain are converged into the same VLAN, and packets of different services are strictly isolated, so that the network-side device can build a VPN for NGN over MPLS.
3.7.2 ACL
The MA5200F provides multiple authentication methods to control the access authority of subscribers. However, this control is very coarse, since all subscribers have the same authority once authentication is passed. To implement finer control, access control lists (ACLs) are needed.
An ACL controls a variety of access authorities. The control list is matched against the key attributes of a request packet or of the subscriber. The packet is forwarded or discarded according to the result of the match, or according to the default setting when nothing matches. This gives different subscribers different access authorities.
The "key attributes" can be all or some of: source IP address, destination IP address, source TCP/UDP port number, destination TCP/UDP port number, physical port number, VLAN ID, protocol type, source ACL group, destination ACL group, source inter-access group and destination inter-access group.
Note:
An ACL group is defined for subscribers who have the same authority to access the same destinations in the external network.
An inter-access group is defined to control visits between internal subscribers. Subscribers in the same inter-access group have the same authority to visit another inter-access group (or another subscriber in the same inter-access group).
Each subscriber has an ACL group number and an inter-access group number that identify the two groups the subscriber belongs to.
In the MA5200F, four ACL rule types control the following four access situations:
• Access from a subscriber to the network: User-Net rule
• Access from the network to a subscriber: Net-User rule
• Access from one subscriber to another subscriber: Inter-User rule
• Access from one network to another network: Net-Net rule
Note:
A "Net" in the MA5200F is a network segment defined by "IP address + netmask", which is the controlled object when the access is between a subscriber and a network, or between two networks. In the following text, a Net is written as "IP address/mask length". For example, 10.163.168.1/24 represents the network segment from 10.163.168.0 to 10.163.168.255 (the host bits of the address are ignored).
The four access control rules differ in the key attributes they control. The following gives more details.
Note:
All ACLs defined by the MA5200F can be applied on a physical port, on a port VLAN, or globally. Because of this, a seven-tuple ACL control can be implemented based on "source IP address + destination IP address + source TCP/UDP port number + destination TCP/UDP port number + protocol type + physical port number + port VLAN".
Access from a subscriber to the network is controlled by User-Net ACL rules. The fundamental elements of a User-Net rule are: source ACL group, destination Net, protocol type and the related access authority.
For example, set an ACL rule with ACL group as 1, destination NET as 10.163.168.1/24,
protocol type as TCP, access authority as “denied”, and apply the rule to Port 1. After
the setting, TCP packets sent from subscribers in ACL group 1 of Port 1 to network
segment 10.163.168.0 - 10.163.168.255 will be discarded.
The access from the network to a subscriber is controlled by Net-User type ACL rules.
Fundamental elements in a Net-User rule include these: Source Net, destination ACL
group, protocol type and related access authorities.
For example, set an ACL rule with source NET as 10.110.1.1/16, destination ACL group
as 2, protocol type as UDP, access authority as “allowed”, and apply the rule to global
network. After the setting, UDP packets that are sent to subscribers in ACL group 2
from source address 10.110.1.1/16 will be forwarded.
The access from a network to another network is controlled by Net-Net type ACL rules.
Fundamental elements in a Net-Net type ACL rule include these: Source Net,
destination Net, protocol type and related access authorities.
For example, set an ACL rule with source NET as 10.110.1.1/16, destination Net as
10.163.168.1/24, protocol type as IP, access authority as “allowed”, and apply the rule
to Port 1. After the setting, IP packets that are sent to destination addresses
10.163.168.1/24 from source address 10.110.1.1/16 of Port 1 will be forwarded.
Note:
If the ACL protocol type (TCP/UDP) has been set, the ACL source and destination TCP/UDP port numbers
can also be set, in order to further restrict the ACL.
In the MA5200F, the ACL is not only used to control the access authorities, but also to set the access
attributes like user log, accounting level, user priority, and anti-attack CAR for the host.
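The three rule examples above, worked through as an added example that is not code from the manual or from the MA5200F: a small Python matcher that evaluates User-Net, Net-User and Net-Net rules against the key attributes the page lists (source and destination address, ACL group, protocol, physical port and, for TCP/UDP, the port numbers). The Packet and AclRule structures, the first-match evaluation order and the default action taken when no rule matches are assumptions of this example; the manual does not state how the MA5200F orders its rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """One packet as seen by the access server (constructed for the example)."""
    src_ip: str
    dst_ip: str
    protocol: str                          # "TCP", "UDP", "ICMP", ...
    port: int                              # physical port the packet arrived on
    src_acl_group: Optional[int] = None    # ACL group of the sending subscriber, if any
    dst_acl_group: Optional[int] = None    # ACL group of the receiving subscriber, if any
    src_port: Optional[int] = None         # TCP/UDP source port
    dst_port: Optional[int] = None         # TCP/UDP destination port

@dataclass(frozen=True)
class AclRule:
    """Rule fields that are None are wildcards (assumption of this example)."""
    kind: str                              # "User-Net", "Net-User" or "Net-Net"
    action: str                            # "allowed" or "denied"
    protocol: str                          # "IP" matches any packet; "TCP"/"UDP" that transport only
    src_acl_group: Optional[int] = None
    dst_acl_group: Optional[int] = None
    src_net: Optional[str] = None          # "IP address/mask length", as written on the page
    dst_net: Optional[str] = None
    apply_port: Optional[int] = None       # None = rule applied globally
    src_port: Optional[int] = None         # only meaningful when protocol is TCP or UDP
    dst_port: Optional[int] = None

def in_net(ip: str, net: Optional[str]) -> bool:
    """True if net is a wildcard or ip falls inside it.
    strict=False accepts the page's notation 10.163.168.1/24 (host bits set)."""
    if net is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    """Every non-wildcard attribute of the rule must agree with the packet."""
    if rule.apply_port is not None and rule.apply_port != pkt.port:
        return False
    if rule.protocol != "IP" and rule.protocol != pkt.protocol:
        return False
    if rule.src_acl_group is not None and rule.src_acl_group != pkt.src_acl_group:
        return False
    if rule.dst_acl_group is not None and rule.dst_acl_group != pkt.dst_acl_group:
        return False
    if not in_net(pkt.src_ip, rule.src_net) or not in_net(pkt.dst_ip, rule.dst_net):
        return False
    # Port numbers only narrow a rule whose protocol type is TCP or UDP (see the note above).
    if rule.protocol in ("TCP", "UDP"):
        if rule.src_port is not None and rule.src_port != pkt.src_port:
            return False
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            return False
    return True

def decide(rules, pkt: Packet, default: str = "allowed") -> str:
    """First matching rule wins; `default` is used when nothing matches (assumption)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default

# The three rules from the page's examples, in the order they appear.
RULES = [
    AclRule("User-Net", "denied", "TCP", src_acl_group=1, dst_net="10.163.168.1/24", apply_port=1),
    AclRule("Net-User", "allowed", "UDP", src_net="10.110.1.1/16", dst_acl_group=2),
    AclRule("Net-Net", "allowed", "IP", src_net="10.110.1.1/16", dst_net="10.163.168.1/24", apply_port=1),
]

if __name__ == "__main__":
    pkt = Packet("10.10.10.5", "10.163.168.77", "TCP", port=1, src_acl_group=1, dst_port=80)
    print(decide(RULES, pkt))  # the User-Net rule denies this packet
```

Because every unset field is a wildcard, a rule with only an ACL group and a destination Net behaves exactly as the page describes; adding a TCP/UDP port number narrows it further, and a rule with protocol "IP" ignores port numbers entirely, which is why the Net-Net example on the page forwards all IP traffic between the two segments.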
The MA5200F provides a user log to record the access history of all the subscribers of
the ISPs. Because the log is kept per subscriber and is combined with the prevention of
account forgery, the user log of the MA5200F provides credible log records.
The user log contains two parts: access log and session log.
Access log records information about the login and logoff of a subscriber, which include
the user name, user VLAN, IP address, login time and logoff time.
Session log records the information about the service connections that the MA5200F
established for the subscriber, including the user name, user VLAN, source IP address,
source MAC address, destination IP address, and session time. The MA5200F
provides ACL-based filtering on the session logs, which means you can enable session
log on individual ACL rule.
Caution:
The MA5200F does not record user log for leased line subscribers.
The MA5200F can back up the user log to the log host through TFTP on a regular time
basis, or when the logs reach a certain amount.
The MA5200F provides protection for the resources of the local device and the network.
The protection covers the IP address resource and TCP connection resources. To counter
the DHCP weakness that the DHCP server is exposed to denial of service (DoS) attacks,
the MA5200F restricts the number of addresses that one subscriber can request, so as to
protect the address resource on the DHCP server.
The rate limiting implemented by the MA5200F can be based on physical port, MAC
address or IP address.
Multicast means a transmission method in which the copies of a packet are sent to
multiple hosts in the network. The destinations of the multicast packets are the
I. Uncontrolled multicast
Note:
In uncontrolled multicast, the Layer 2 devices need to support IGMP Snooping and have the function
enabled. Otherwise, the Layer 2 devices have to broadcast the multicast packets to all the VLAN interfaces,
which degrades the performance remarkably.
The controllable multicast in the MA5200F is based on HGMP V2. The following
describes its basic principles and process flow. Refer to 3.9.2 HGMP V2 for more
details about HGMP V2, and Chapter 4 for multicast networking applications.
1) Through MA5200F, the authority of a subscriber to receive multicast packets can
be configured on local or remote servers. The authority of a data source to send
multicast packets can also be configured.
3.8.2 IP Hotel
Component | Description
Broadband network device | Provides the physical path for broadband access subscribers, and provides the BAS function.
Property Management System Interface (PMSI) | Connects the property management system (PMS) with the IP Hotel service platform, provides subscriber management methods and collects online charge information for the PMS.
Property Management System | Connects with the broadband network device through the PMSI, and completes management and accounting for the online subscribers.
In the IP Hotel application, some of the ports on the MA5200F can be leased to agents
(hotels or residential quarters), who provide broadband access to the subscribers
directly. This brings revenue to both the agents and the service providers.
The MA5200F acts as the broadband network device in IP Hotel application, providing
high speed Ethernet access, so as to:
- provide a hardware platform for high speed E-commerce over the Internet.
- build up a business platform for hotels, on which the related PMS and database can be
established to provide information to the guests.
- build up an access management platform for broadband operators, so that
information from the MAN can be shared by the guests in the hotels.
The MA5200F provides a standard interface to connect with a Centrex console, so that it
can be easily integrated with the management systems of group users and other business users.
3.8.3 WLAN
WLAN extends the coverage of Ethernet to satisfy the growing demand of Internet
access.
The MA5200F acts as the Access Controller (AC) in WLAN network to manage the
access subscribers. Refer to Chapter 4 for details about WLAN networking application.
The MA5200F provides VLAN access, 802.1X access and PPPoE access in WLAN,
and authenticates the subscribers who use these access methods. Refer to 3.3
Access Authentication for more details. The MA5200F also provides user management,
security management, accounting management and service management functions.
Data packets of a WLAN subscriber are directly connected to the Internet through the
AC.
Table 3-5 lists the functions that can be provided by the MA5200F in WLAN.
Features | Note
Access authentication | Supports VLAN access, 802.1X access and related authentication at the same time. Supports EAP and Web authentication on ports.
Service management | Powerful service management that supports QoS, bandwidth control and access control.
Accounting | Different accounting methods for payment based on service time or traffic, and monthly payment.
Forced Portal | Supports forced Portal to redirect subscribers to a specific service provider.
Integrated access | Provides wired and wireless access for places like hotels, and tailor-made IP Hotel service.
Switching between APs | When a WLAN subscriber switches between APs, the service is sustained, and authentication is implemented again to guarantee the legality of the subscriber.
3.8.4 VPN
A VPN is a virtual private network that is constructed over a public network. The
security, reliability and manageability of a VPN are the same as those of an enterprise
Intranet.
Table 3-6 lists some VPN features.
Features | Description
Virtuality | Different from other networks, a VPN does not exist physically. A VPN is a logical network that is formed by configuring related resources from the public network.
Speciality | A VPN is used specially for specific enterprises or group users. From the viewpoint of a VPN user, there is no difference between a VPN and other dedicated networks. The resources of a VPN are independent of those in the bearer network, which means that the resources of one VPN will not be used by any other members of the bearer network, including other VPNs. A VPN also provides adequate security features to ensure the safety of data in the VPN.
Complexity | A VPN establishes interconnection between dedicated networks, sets up the VPN internal topology, calculates the routes, and adds and removes VPN members, which makes VPN technology more complex than ordinary point-to-point applications.
I. VPDN
LAC: L2TP Access Concentrator; LNS: L2TP Network Server; NAS: Network Access Server
Figure 3-1 VPDN structure (figure omitted; labels recovered: Headquarters, LAC, LNS, NAS)
In the figure, the LAC is a node in a switching network, which is able to run the PPP
end system and L2TP. The LAC provides access service for subscribers through Ethernet,
and establishes tunnels and sessions with the remote LNS. The LNS is responsible for running
the L2TP server-end program for the PPP end system.
There are two types of connections between LNS and LAC. One is Tunnel, which
defines a pair of LNS and LAC; another is Session, which multiplexes on the Tunnel to
bear PPP sessions in the tunnel.
The MA5200F acts as LAC in a VPDN, and supports a maximum of 128 tunnels, and
each tunnel supports a maximum of 1024 sessions. The MA5200F also supports L2TP
upstream packet slice, upstream and downstream packet Trunk and CAR, as well as
QoS of VPDN subscribers.
In VPDN, a PPPoE subscriber establishes PPPoE line with the MA5200F through
PPPoE call maker, which is the same with the process in PPPoE access. However, in
the authentication process that follows, the MA5200F does not make PPP negotiation
with the subscriber to terminate PPP. Instead, the MA5200F establishes an L2TP
tunnel with remote server and transmits the connection request to the server for
authentication.
Another popular VPDN application is in multi-ISP network.
The MA5200F supports GRE tunnels. The MA5200F establishes GRE tunnels with other
devices that support GRE, in order to transmit data packets. GRE tunnels are
used to construct Intranet VPNs and Extranet VPNs.
GRE is used to encapsulate data packets of some network layer protocols (like IP and
IPX), so that these packets can be transmitted over a network using another network
layer protocol (like IP). GRE is a Layer 3 VPN tunneling protocol, in which tunneling is
adopted between the protocol layers. A GRE tunnel is a virtual point-to-point connection,
and can be regarded as a virtual interface that only supports point-to-point connection.
This interface provides a path to transmit the encapsulated packets, and provides
encapsulation and decapsulation for the packets at both ends of the tunnel.
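The encapsulation and decapsulation just described, as an added example that is not part of the manual and not the MA5200F's implementation: Python code that wraps an inner IPv4 packet in an outer IPv4 header (protocol 47) and the 4-byte GRE header of RFC 2784 with protocol type 0x0800, then unwraps and validates it at the other end of the tunnel. The tunnel endpoint addresses, the sample inner packet and the helper names are constructed for the example.

```python
import struct

GRE_PROTO_IPV4 = 0x0800   # EtherType carried in the GRE "protocol type" field
IPPROTO_GRE = 47          # value of the outer IPv4 header's protocol field for GRE

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; returns 0 when a filled-in checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header without options: TTL 64, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 (proto 47) + basic GRE header (no checksum, key or sequence) + inner packet."""
    gre_hdr = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)   # C=0, reserved=0, version=0
    payload = gre_hdr + inner_packet
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(payload)) + payload

def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Check the outer IPv4 and GRE headers and return the inner packet; ValueError otherwise."""
    if len(outer_packet) < 24 or outer_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer_packet[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(outer_packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header or checksum")
    if outer_packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags_ver, proto = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags_ver != 0:
        # Checksum/key/sequence bits or a non-zero version: not handled by this example.
        raise ValueError("only the basic 4-byte GRE header is handled here")
    if proto != GRE_PROTO_IPV4:
        raise ValueError("GRE payload is not IPv4")
    total_len = struct.unpack("!H", outer_packet[2:4])[0]
    return outer_packet[ihl + 4:total_len]

def build_sample():
    """Constructed sample: an inner IPv4/ICMP packet tunnelled between two constructed endpoints."""
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 1, 8, ident=7) + b"ECHO-REQ"
    outer = gre_encapsulate(inner, "10.0.0.1", "10.0.0.2")
    return inner, outer

if __name__ == "__main__":
    inner, outer = build_sample()
    print(len(inner), len(outer), gre_decapsulate(outer) == inner)
```

The decapsulator only verifies that the headers are well formed; plain GRE adds no confidentiality or integrity protection to the encapsulated packet, so an Intranet VPN built on GRE alone depends on the trust placed in the underlying network, or on an additional protocol such as IPsec, for those properties.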
Note:
Detailed description on MPLS is not given here. Please refer to related publications.
MPLS makes it easy to provide VPN service over IP technology, and satisfies the
requirements on scalability and manageability of a VPN. Various measures can be
implemented on an MPLS VPN to ensure its security. A VPN constructed over MPLS also
supports value added services. An individual access point can be configured as
multiple types of VPNs, each VPN representing one type of service, so that different
types of services are transmitted flexibly.
Figure 3-2 shows the basic architecture of MPLS VPN.
Figure 3-2 Basic architecture of MPLS VPN (figure omitted; labels recovered: CE1, CE2 and CE3 at Branch 1, Branch 2 and Branch 3; PE1, PE2, PE3 and P in the backbone network)
In the figure, the CE is the customer edge device, which can be a router, a switch, or even a
host. The PE is the edge router of the provider, which is located at the edge of the backbone
network. The P is the backbone router of the provider, which manages the VPN users, sets
up connections between the PEs, and allocates routes for network branches in the same
VPN.
In MPLS VPN, the MA5200F acts as the CE device to coordinate with P/PE in the
backbone network. When acting as a CE, the MA5200F can either provide transparent
transmission, or policy routing, to forward the packets.
When providing VLAN transparent transmission, specific logic port (port + VLAN) is
designated to transmit the packets that arrive at the MA5200F on a specific logic port,
and VLAN ID is used as VPN tag.
When providing policy routing (refer to 3.6.6 Policy Routing), the MA5200F designates
different service domains and corresponding uplink VLANs for the domains. Then the
MA5200F converges the upstream packets from different domains to corresponding
VLANs.
Refer to Chapter 4 for detailed networking application of MPLS VPN.
I. Overview
Plug and Play (PNP) indicates the service that a PC can access the Internet without
changing the network settings (like IP address, DNS address and HTTP proxy), after
the PC has been moved to another geographical position.
PNP is used in public areas like hotels, airports and conference centers, where easy
and fast access to the Internet is needed. Usually, the Internet users in these places are
traveling around, and may have a variety of terminals. PPPoE or VLAN access requires
a special client program, or modification of the network settings of the terminal PC,
and is not suitable for use in these places.
With PNP, there is no need to change the network settings of the terminal PC, and no
special client program is required. The users can access the Internet through Web
authentication or fast authentication.
The MA5200F can play the role of an access server for PNP applications, or dedicate
one of its ports to providing PNP service for these places.
In PNP service, the MA5200F authenticates the subscriber, and converts the IP
addresses of the subscriber, the DNS server and the HTTP proxy server, so that the
subscriber can be connected.
1) Subscriber authentication
In the MA5200F, the authentication methods for the subscribers include Web
authentication, fast authentication and no authentication. The authentication is triggered
by any of the following:
- an ARP request sent in an ARP packet from the subscriber
- a DHCP request sent in a DHCP packet from the subscriber
- any connection request sent in a data packet from the subscriber
2) IP address conversion
Generally, the original IP address of a PNP subscriber will become invalid after the
subscriber has moved to another place. The MA5200F will first assign a legal IP
address to the subscriber (this address is invisible to the subscriber), then map the
MAC address of the subscriber terminal with the IP address. After a packet from the
subscriber is received, the legal IP address is used to forward the packet, instead of the
original IP address. When an external packet to the subscriber is received, the
MA5200F will use the original IP address of the subscriber to replace the destination
address in the packet.
3) DNS conversion
The address of the original DNS server of the subscriber may also be invalid at the new location,
and the DNS request from the subscriber cannot be forwarded directly to this address.
The MA5200F intercepts the DNS request from the PNP subscriber, converts the DNS
server address in the packet into that of a valid DNS server, then sends out the request.
When the valid DNS server sends back a reply, the MA5200F intercepts the reply,
replaces the source address of the reply with that of the original DNS server, then
sends the reply to the subscriber.
4) HTTP proxy conversion
If a PNP subscriber has configured an HTTP proxy, the HTTP requests from the
subscriber will always be sent to the configured HTTP proxy server. However, the
address of this HTTP proxy server may also be invalid at the new location.
If the address of a PNP subscriber is the address of HTTP proxy server, the MA5200F
will use the address of the external HTTP proxy server to replace the destination
address of the HTTP request packet, then forward the packet to the external HTTP
proxy server.
If a PNP subscriber has configured the HTTP proxy server by domain name, the MA5200F will
first convert the DNS address. If DNS resolution is successful, then the MA5200F
converts the address of the HTTP proxy server. If DNS resolution fails, the MA5200F
will answer with the address of the external HTTP proxy server instead (DNS cheat). Then all the HTTP requests will
be sent to the external HTTP proxy server.
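Steps 2) and 3) above, modelled as an added example that is not code from the manual or from the MA5200F: a Python class that binds the terminal's MAC address to a valid address taken from a pool, rewrites the source address of upstream packets and the destination address of downstream packets, and swaps the subscriber's stale DNS server address for a valid one in both directions so that the subscriber never sees either substitution. The class and field names, the address pool (constructed from the 100.64.0.0/10 range) and the choice to drop downstream packets that match no binding are assumptions of this example; step 4), HTTP proxy conversion, is not modelled.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

@dataclass
class Packet:
    """One IP packet, reduced to the fields the conversion touches (constructed)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    src_mac: str = ""          # set on packets arriving from the subscriber side

@dataclass
class PnpBinding:
    """Per-subscriber state kept by the access server (assumed structure)."""
    original_ip: str           # the address the subscriber's PC still believes it has
    legal_ip: str              # valid address assigned by the server; invisible to the subscriber
    original_dns: Optional[str] = None   # stale resolver address learned from the first DNS query

class PnpGateway:
    def __init__(self, legal_pool: List[str], valid_dns: str):
        self.pool = list(legal_pool)          # constructed pool of valid addresses
        self.valid_dns = valid_dns            # resolver that actually works at this location
        self.by_mac: Dict[str, PnpBinding] = {}
        self.by_legal: Dict[str, PnpBinding] = {}

    def bind(self, mac: str, original_ip: str) -> PnpBinding:
        """Map the terminal's MAC to a valid address on first contact; reuse it afterwards."""
        binding = self.by_mac.get(mac)
        if binding is None:
            if not self.pool:
                raise RuntimeError("no valid addresses left in the pool")
            binding = PnpBinding(original_ip=original_ip, legal_ip=self.pool.pop(0))
            self.by_mac[mac] = binding
            self.by_legal[binding.legal_ip] = binding
        return binding

    def upstream(self, pkt: Packet) -> Packet:
        """Subscriber -> network: forward with the valid source address (step 2).
        DNS queries are steered to the valid resolver and the stale one is remembered (step 3)."""
        binding = self.bind(pkt.src_mac, pkt.src_ip)
        new_dst = pkt.dst_ip
        if pkt.dst_port == 53:
            binding.original_dns = pkt.dst_ip
            new_dst = self.valid_dns
        return replace(pkt, src_ip=binding.legal_ip, dst_ip=new_dst)

    def downstream(self, pkt: Packet) -> Optional[Packet]:
        """Network -> subscriber: restore the original destination address (step 2).
        A reply from the valid resolver is rewritten to look like it came from the stale one (step 3).
        Packets for an address with no binding are dropped (assumption)."""
        binding = self.by_legal.get(pkt.dst_ip)
        if binding is None:
            return None
        new_src = pkt.src_ip
        if pkt.src_port == 53 and pkt.src_ip == self.valid_dns and binding.original_dns:
            new_src = binding.original_dns
        return replace(pkt, dst_ip=binding.original_ip, src_ip=new_src)

if __name__ == "__main__":
    gw = PnpGateway(["100.64.0.10", "100.64.0.11"], valid_dns="10.1.1.53")
    query = Packet("192.168.9.7", "192.168.9.1", 40000, 53, src_mac="aa:bb:cc:00:00:01")
    print(gw.upstream(query))
```

Keying the binding on the MAC address rather than on the stale IP address is what lets two visiting terminals that happen to carry the same private address (for example both configured as 192.168.9.7 at home) be told apart: each gets its own valid address, and the downstream lookup by valid address finds the right original address to restore.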
The MA5200F supports application layer gateway services on PNP subscribers,
including ICMP, FTP, MGCP and NetMeeting services on application layer. One
MA5200F supports a maximum of two thousand PNP subscribers.
Note:
When combining the NAT and PNP functions, all the subscribers can use the same public address to
access the Internet. At this time, the newly allocated IP addresses all go through another NAT process.
Forced Portal is a service in which the MA5200F redirects the access of a subscriber to
the Portal server of a specific service provider, when the subscriber passes the
authentication and connects to the Internet for the first time. With this function, the
subscriber will always be directed to the Web site of the specific service provider after
login.
The MA5200F is able to use HTTP redirecting function to redirect the subscriber to a
specific Portal server, no matter what type of access mode the subscriber is using.
For PPPoE access, the PPPoE Active Discovery Message (PADM) is also applicable
for the redirection, apart from the HTTP mode. When a PPPoE subscriber passes the
authentication, the MA5200F sends the forced Portal address to the PPPoE client
end through PADM packets. If the client supports PADM, the browser on the subscriber
terminal is activated and accesses the site.
Caution:
Forced Portal is different from forced Web authentication in the MA5200F: Forced Web authentication
means that the subscriber will be redirected to the Web server for authentication, if the subscriber attempts
to access an external site before authentication is passed. While forced Portal means that the first site that
an authenticated subscriber can access is directed to the Portal server of a service provider.
Forced Portal service helps service providers to advertise for themselves, to attract
more attention, and increase revenue from advertisement.
3.9.1 HGMP V1
HGMP V1 supports the query from and configuration for the downlink LAN Switches. It
can also monitor the change of communication state between the LAN Switch and the
MA5200F. HGMP V1 on the MA5200F implements the following functions:
- With HGMP V1, a LAN Switch that connects with the MA5200F can register
automatically to the MA5200F, and activate the default data configuration that can
satisfy the hybrid networking of the MA5200F.
- The MA5200F can send configuration data to the LAN Switch, including the VLAN
ID, Tag attribute, UP/DOWN state, and VLAN broadcast domain, of a port. These
data can be configured on the MA5200F through the command line interface.
- After a LAN Switch has been replaced, the new LAN Switch is able to inherit the
original data configured for the previous switch, which makes the replacement
easier.
- The LAN Switch can be loaded with programs from a remote place.
HGMP V1 is supported in the S2403F, S3026 series and S2008 series LAN Switches of
Huawei.
3.9.2 HGMP V2
connecting port, device ID, port address (device address), capability and
hardware platform.
- NTDP is used to collect topological information about the network that connects
with the local device.
- The Cluster protocol is used to establish and maintain the HGMP V2 cluster.
A cluster is a group of switches and a management domain as well. A cluster contains
one command switch (here it is the MA5200F) that controls the operation of the cluster,
and multiple member switches. The command switch manages and controls all the
member switches in the cluster through one public IP address.
In a cluster, network management is performed through the same interface configured on
the command switch. A candidate switch is a switch that does not belong to any cluster
and is discovered by NTDP. A candidate switch can be added into a cluster and
become a member switch, or can be managed independently without being added into
the cluster.
In HGMP V2 cluster management, the entire cluster needs only one public IP address.
This is very useful in an access network that owns large number of Layer2 devices,
because it saves a lot of IP addresses.
Note:
One MA5200F can manage a maximum of 400 LAN Switches.
A maximum of 300 LAN Switches that only support HGMP V1 can be registered to the MA5200F.
A maximum of 253 member switches can be managed in one cluster.
The operators here indicate the persons who maintain and manage the MA5200F
through the operation terminal like Telnet client terminal or serial port terminal.
The authorities of the MA5200F operators are classified into four levels: visitor, monitor,
operator, and administrator:
- Visitor (Vist): only the simplest commands can be executed, like ping and tracert
The MA5200F provides operation on the files in its Flash memory in a method similar to
that in the Disk Operating System (DOS):
- formats the Flash memory
- creates, deletes, switches and displays a directory
- displays the current working directory
- copies, renames, moves, deletes, restores, compresses and decompresses a file
- sets file attributes
- displays the content of a file
All the external files can be loaded to flash memory of the MA5200F in FTP or TFTP
mode, either locally or remotely. Files in the MA5200F can also be backed up using the
same method.
I. Loading
The loading operation contains the loading of program and loading of configuration files.
The program here means host software, microcode and logic programs.
Programs can be loaded easily through the file system of the MA5200F. Software
releases of the MA5200F are provided in a package file. Load this file through FTP or
TFTP to the Flash memory of the MA5200F, and designate this package file as the boot
up file for the MA5200F. When the MA5200F starts, the package file will be
decompressed, and the programs contained in the file will be loaded.
The loading of configuration file is similar to that of the program files. The configuration
files can be edited offline, then uploaded to the MA5200F through FTP or TFTP. Note
that the configuration file must be loaded to the designated path: /vrpcfg.zip.
Caution:
II. Backup
The MA5200F provides backup function for these files: configuration files, log files
(running log, operation log and debugging log), ticket files and alarm files. These files
can be backed up easily through the MA5200F file system by using FTP or TFTP
(excluding alarm information). Table 3-7 lists the file names and paths.
It is recommended that you execute the backup command to back up the ticket files, log
files and alarm files. The MA5200F provides a complete backup system for these files.
The MA5200F keeps tickets in two places: the Cache-bill, which is stored in Synchronous
Dynamic Random Access Memory (SDRAM); and the Flash-bill, which is stored in Flash
memory. You can also store the log files and alarm files in SDRAM and Flash memory if
necessary.
Cache-bills, log files and alarm files can either be backed up to the Flash memory, or
backed up to the TFTP server through TFTP. The ticket files, log files and alarm files in
Flash memory are backed up to the TFTP server. All these backup operations are
implemented either manually or automatically on the basis of time or quantity of files.
The information center of the MA5200F controls the output of most of the information
and classifies the information. By combining with the Debug program, the information
center provides powerful support to the administrators in monitoring the network and
diagnosing the faults.
Table 3-8 shows the features of the MA5200F information center.
Features | Description
Information classification | The information center controls the output of the following types of information: running log, ordinary alarm, debugging information, operation log, debugging log and debugging alarm.
Information level | The information is classified into eight levels according to its importance, and the output can be filtered according to the importance.
Information output | The information can be output to four destinations from the information center: buffer, log host, operation terminal and network management station.
Information filtering | The system consists of various protocol modules, board driver programs and configuration modules; the information center provides filtering of the information according to source module.
Information output language | The information is output in English.
Information heading | The heading of each piece of information consists of a time stamp, source module information, information level, source slot and extract.
The major task of the information center is to output the various types of information
from the function modules, according to their importance level and the user
configuration, to the four output destinations. The following section describes the classification,
level and output destination of the information.
Table 3-9 shows the types of information in the MA5200F information center.
Type | Description
Running log | Log information that is generated when the device is running.
General alarm | Alarm information generated by the hardware or software system of the device.
Operation log | Log information about the operations made on the device by maintenance persons.
Debugging log | Log information about the operations made on the device by debugging persons.
The information is classified into eight levels according to its severity or urgency.
When the output is filtered by level, information whose level number is higher than the
set threshold is not output. The more urgent the information, the lower its level number:
“emergencies” is level 1 and “debugging” is level 8. So when the threshold is set to
“debugging”, all the information is output.
Table 3-10 lists all the eight levels of information.
The information in the MA5200F information center can be output to the buffer, log host,
operation terminal and network management station, as described in Table 3-11.
Directions to output the information | Description
Buffer | A buffer of proper size can be allocated in the MA5200F to record the information.
Log host | The information can be sent to the log host directly, and saved as files for query at any time.
Operation terminal | The information can be converted into character strings and sent to the command line system, then sent to the operation terminal (serial port terminal or Telnet terminal).
NMS | The information can be sent to the NM agent that exchanges information with the NMS through SNMP.
I. Diagnoses
The MA5200F provides the diagnosis function at three levels: hardware, software and
service.
- Hardware diagnosis
The hardware diagnosis is implemented on the smallest hardware unit, like the memory
and the power voltage. The hardware diagnosis made by the MA5200F includes the
check on the memory, Flash, functional modules, physical interface chips, interfaces
and loops (loopback test).
- Software diagnosis
II. Debugging
The MA5200F provides Ping, Tracert and Telnet tools to test the network connectivity
for easier troubleshooting.
Note:
Basic principles about Ping, Tracert and Telnet are found in most of the TCP/IP publications; hence they
are not given here.
SmartAX MA5200F Broadband Access Server Chapter 4 Networking Applications
The MA5200F is located at the access layer or convergence layer of the network, which
needs user management and security management. It provides functions such as user
management, authentication, accounting, address management, and security control.
It can be widely used in the telecom operator’s broadband Metropolitan Area Network
(MAN), enterprise network, Campus Area Network (CAN), Government Data Network
(GDN), and intelligent hotel.
In typical applications, the MA5200F connects upstream to the L3 (Layer 3 LAN
Switch)/GSR in the convergence layer or backbone layer, and downstream to the
Ethernet switch, IP DSLAM, VDSL access switch, or WLAN through FE/GE interfaces.
In this way, it can accomplish broadband access based on Ethernet, xDSL,
HFC, or WLAN.
Figure 4-1 Networking for Ethernet access application (concentrated management and control) (figure omitted; labels recovered: AAA/RADIUS Server, VOD Server, MA5200F, PCs)
In the concentrated management and control mode, various servers, like Video On
Demand (VOD) server, World Wide Web (WWW) server, DHCP server, RADIUS server
and Portal server are provided by the MAN operators. This mode is commonly seen
when the whole MAN is established by one operator.
The networking for distributed management and control mode is as shown in Figure 4-2.
In this networking mode, various LANs have their own servers. This mode is commonly
seen when the Customer Premises Network (CPN) is opened, and multiple operators
establish the LANs.
Figure 4-2 Networking for Ethernet access application (distributed management and control) (figure omitted; labels recovered: Portal Server, MA5200F, PCs)
The networking including these two access modes is as shown in Figure 4-3. The
MA5200F connects with the MA5105 (IP DSLAM) through the FE interface. The
MA5105 accesses ADSL subscribers through the Remote Terminal Unit (RTU) and
subscriber authentication is implemented on the MA5200F. Similarly, the S3026V can
connect to the MA5200F, and the S3026V can access VDSL subscribers through
Customer Premises Equipment (CPE). Authentication and accounting of the subscriber
can be implemented on the MA5200F.
Figure 4-3 Networking for xDSL access (figure omitted; labels recovered: MA5200F connected through FE interfaces to the S3026V and the MA5105, with PCs below)
Through the Cable Modem Terminal System (CMTS) or Cable Modem (CM), the
MA5200F can access HFC subscribers. The subscriber's PC accesses the CMTS
through the CM and Cable TV (CATV) coaxial cable. The CMTS accesses the
MA5200F through network cable or fiber. The MA5200F performs functions like
subscriber authentication. The networking for HFC access is as shown in Figure 4-4.
Figure 4-4 Networking for HFC access (figure omitted; labels recovered: MA5200F, CMTS, CM, PCs)
In WLAN access networking, the MA5200F acts as the access controller (AC), implementing
authentication and service control for WLAN subscribers. The fundamental networking is
as shown in Figure 4-5.
[Figure 4-5 Networking for WLAN access: MA5200F between the APs and the L3/GSR toward the MAN backbone network; RADIUS Server and WLAN SIM Authentication Server (AS) on the network side; PCs and notebooks attached to the APs]
The subscriber establishes a wireless link with the Access Point (AP), through the
wireless network adapter, or Subscriber Identity Module (SIM) card. The AP accesses
the MA5200F through the LAN Switch. Usually, the AP does not have the VLAN
isolation function, and needs to implement it via the LAN Switch. The MA5200F
implements the authentication and management (the authentication for a mobile
subscriber using the SIM card needs to be processed on the AS).
Note:
In actual application, the above various Layer2 access devices can form the network in hybrid mode,
which can access Ethernet, XDSL, HFC and WLAN.
Besides the above typical MAN networking, the MA5200F can be used for CAN,
enterprise network, GDN, intelligent building, and intelligent community. The related
networking is described in the following part.
Note:
The networking based on application situations and value-added services can also use the Layer2 access
devices, rather than via the Ethernet only.
[Figure: CAN networking. MA5200F connected to the L3/GSR toward the Internet (163, CERNET), with NMS and AAA Server on the network side, the former (existing) campus network alongside, and subscriber PCs below]
In a CAN, the MA5200F can act as the Layer3 BAS device. It can be directly connected to
the L3/GSR, providing authentication (usually Web authentication) for CAN subscribers
who visit the external network. It can also act as a convergence-layer or access-layer
device, providing access or convergence service for dormitory buildings, teaching
buildings and office buildings.
[Figure: enterprise network. Headquarters: PCs on LAN Switches, DHCP server and File server connected to the MA5200F; Branch 1 and Branch 2 each with their own PCs]
The networking for enterprise network resembles that for MAN access network: the
LAN Switch accesses the subscribers, and the MA5200F converges the services. The
servers in the enterprise network can also be connected to the MA5200F. Access
networks can be separately built for multiple branches, which are connected via MAN.
Technologies like VPN are adopted to guarantee the security of the enterprise network.
GDN requires high security. The MA5200F can be used at the edge access layer of a GDN,
providing access control, authority (privilege) control and restriction of address
forgery by subscribers. It can also provide the CE function and cooperate with
core-layer equipment to form a Multiprotocol Label Switching Virtual Private Network
(MPLS VPN) across the whole network.
[Figure 4-8 MA5200F as CE in MPLS VPN: MA5200F (CE) attached to a PE, P routers in the core, a second PE on the far side; subscriber PCs below the MA5200F]
The MA5200F can be used in intelligent buildings to provide Internet access services
via dedicated lines for small- and medium-sized enterprises. It can control the access
of the dedicated line and charge the subscriber according to the time duration or traffic.
Enterprises can access the MA5200F in various modes, including the access via
Layer2 switch, router, and Proxy server.
[Figure: intelligent building. Enterprise 1 reaches the MA5200F via an S3026 over a VLAN leased line; other enterprises reach it via R3620 routers and a Proxy Server; the MA5200F connects to the Internet]
The use of the MA5200F in an intelligent community is as shown in Figure 4-10. The
MA5200F can be connected with the Intelligence Digital Terminal (IDT). Fixed IP
address is adopted, and the IDT is configured through the MA5200F. The IDT has a
4-port Hub, which can connect the subscriber ports provided by the computer and LAN
Switch. The IDT also has various sensors and probes, which can collect the alarm
information related to water, electricity, gas and smoke. Via the MA5200F, such
information is sent to the data center of the community and automatic management of
the community is implemented. Simultaneously, the data center can provide services
like VOD, information query, and community bulletin board.
With the powerful functions of the MA5200F, network operators (carriers) can provide
various value-added services, like controllable multicast, IP Hotel (including “Plug and
Play”), VPDN, NGN bearer network, and forced Portal. In the following part, some
commonly used networking modes for value-added services are introduced.
The MA5200F can work with Huawei’s LAN Switch and IP DSLAM, providing
controllable multicast service for Ethernet access subscribers and ADSL access
subscribers. The networking is as shown in Figure 4-11.
In multicast service, the MA5200F acts as the multicast proxy. The multicast source can
be a multicast server connected directly to the MA5200F, or a server in the MAN. When
the multicast proxy function of the MA5200F is enabled, control messages between the
multicast source and the MA5200F are exchanged using IGMP, while the MA5200F and its
subordinate devices (supporting HGMP V2) exchange multicast control messages using
HGMP.
The multicast subscriber and multicast source can be controlled through authentication
and authorization. By using HGMP, controllable management over multicast service
PIM-SM runs between the MA5200F and the router or Layer3 switch on the network side.
The system can access the backbone network over dual uplinks, improving the reliability
of the multicast service.
[Figure 4-11 Networking for controllable multicast: Program making center and video service network behind the L3/GSR, PIM between the L3/GSR and the MA5200F, L3 device and subscriber PCs below the MA5200F]
Note:
The MA5200F can also work with the LAN Switch and IP DSLAM devices from other suppliers, providing
uncontrollable multicast service.
The IP Hotel service of the MA5200F is mainly used in such public places as hotel,
airport, exhibition center and mall. With the “Plug and Play” function of the MA5200F
and the IP Hotel broadband value-added service platform, the subscriber can access
the Internet by connecting the computer to the MA5200F. Figure 4-12 demonstrates the
networking for IP Hotel, with a hotel as an example.
The MA5200F can work with Huawei’s iTELLIN broadband intelligent service system
and the console for an IP Hotel solution, providing broadband access for multiple hotels.
The MA5200F can act as the CE device in MPLS VPN, and work with the P/PE devices
in the backbone network to construct the MPLS VPN of the whole network. The
MA5200F can also act as the non-managed CE (using VLAN transparent transmission
technology) or manageable CE (using policy routing technology) to access subscribers,
providing the service convergence function. The use of the MA5200F in MPLS VPN is
as shown in Figure 4-8.
Chapter 5 NMS
NMS is the abbreviation of Network Management System. The MA5200F provides the
SNMP network management interface, which enables the iManager N2000 or
Quidview NMS (hereafter, called Quidview for short) to effectively manage the
MA5200F and the network connected to it. These NMSs help the subscriber to
anticipate and detect the network faults, manage the distributed network nodes in
concentrated mode, reasonably plan and assign network resources.
The iManager N2000/Quidview provides the following NMS functions for the MA5200F:
Chapter 6 Parameters and Specifications
The parameters of power supply in the MA5200F are shown in Table 6-1.

Table 6-1 Power supply parameters
Item                                  Parameter
Working power supply                  AC (Alternating Current): 110V/220V ±20%, frequency range 47~63Hz
                                      DC (Direct Current): -48V (-72V~-36V)
Output voltage of power supply        3.3V or 12V
Rated current                         3A
Electro Magnetic Interference (EMI)   Conducted: Class B
filter                                Radiated: Class B
Power consumption with full           <90W
configuration
Power consumption of board            H521SPUC (MA5200F main service processing board) / H521SPUE (MA5200F-2000 main service processing board): <55W
                                      H521XSMC (pinch board of external search engine): <6W
                                      H521OG2C (GE service pinch board with double ports): <5W
                                      H521O6FC (FE service pinch board, x4): <6W × 4 = 24W

Environment parameters
Item                                  Parameter
Working temperature                   Long-term: 0°C~45°C
                                      Short-term: -5°C~55°C
Working humidity                      10%~90%, non-condensing
Storage conditions                    Temperature: -40°C~70°C
                                      Humidity: 10%~90%, non-condensing
Cleanness                             Dust density (diameter larger than 5µm) ≤3×10^4 grains/m³. The dust must be insulative, unmagnetized and noncorrosive.
Item                              Parameter
Switch capacity                   10Gbps non-blocking shared-buffer switching; shared buffer 3MB
RTC accuracy                      <2 s/day
Number of physical ports          10Base-T/100Base-TX electrical port or 100Base-FX optical port: 24
                                  1000Base-FX optical port: 1 or 2 (optional)
                                  10Base-T/100Base-TX maintenance port: 1
Logical interface                 Virtual template interface: 32
                                  Trunk interface: 13
                                  VLAN sub-interface: 512
                                  GRE tunnel interface: 128
Forwarding rate of IP packets     Without QoS control: 3Mpps, forwarding at wire speed
                                  With QoS control: 2Mpps, forwarding at wire speed
Time delay in forwarding          FE: <40µs (packets smaller than 64 bytes), <180µs (packets smaller than 1518 bytes)
                                  GE: <40µs
Speed for login/logout            <5s
Number of concurrent users        10% of users can be concurrent, that is, within 10 seconds 100 (MA5200F) or 200 (MA5200F-2000) users can log in or log out
Disconnection rate                10% of users online: <1% (3 hours), <2% (6 hours), <3% (24 hours)
                                  100% of users online: <1% (3 hours), <3% (6 hours), <5% (24 hours)
Average time delay in the         <3s
processing of PPPoE calls
TCP/IP                            Total number of TCP/UDP sockets: 4096
Routing                           Capacity of routing table: 1k
                                  Static routes: 256
                                  RIP: 32 neighbors, 8 interfaces
                                  OSPF: 32 areas, 100 interfaces/area
                                  BGP: 8 peers, 32 ASs
                                  PIM-SM: 32 neighbors; each port has 8 neighbors and can be configured with 8 standby Rendezvous Points (RP)
ARP/ARP Proxy                     Number of ARP table items: 4k access users + 4k Layer3 routing devices
                                  AIB (ARP Information Base) table items: 4k access users + 4k Layer3 routing devices
User capacity                     Number of VLANs: each port has 4k VLANs (the VLANs of the ports can overlap)
                                  Concurrent online users: 1k (MA5200F) or 2k (MA5200F-2000)
                                  Number of VLANs transmitted transparently: 128
                                  Number of VLAN dedicated lines: 128 (VLAN dedicated lines, Proxy dedicated lines)
                                  ISPs: 128
IP address pool                   Number of IP address pools: 128
                                  Total IP addresses: 8k
                                  Maximum address segments in each IP address pool: 8
                                  Maximum IP addresses in each address segment: 1024
Accounting                        Capacity of local bills: SDRAM 5k, Flash 70k
                                  Precision of time in prepay service: ≤1s
NAT                               Number of IP address pools in public network: 16
                                  Number of NAT connections: 20k
                                  Speed of NAT connections: 2k/s
                                  Forwarding speed: 1.5Mpps
                                  Throughput: 1Gbps
Plug-and-play                     Number of users supported: 2k when there is no NAT at the egress; 512 when there is NAT at the egress
                                  Forwarding speed: 1.5Mpps
                                  Throughput: 1Gbps
VPDN                              Number of L2TP tunnels: 128
                                  Number of VPDN users: 1k
Multicast                         Authorization groups for user multicast: 256
                                  Multicast groups a user can obtain simultaneously: 4
CAR                               Range of bandwidth: 64kbps~100Mbps (FE), 64kbps~1Gbps (GE)
                                  Granularity: 1kbps
                                  Precision: ±3%
ACL                               Number of rules: 32 rules can be configured for an ACL
                                  Number of ACLs: standard ACLs 99 (1~99), advanced ACLs 100 (100~199). Note: 198 and 199 are reserved for HGMP.
QoS                               User priority levels: 8
Mean Time Between Failures        133000 hours
(MTBF)
Built-in Web authentication       Users supported: 512
server                            Heartbeat detection period: 10~60s
HGMP V1                           Number of manageable LAN Switches: 300
                                  Number of LAN Switch concatenations allowed: 3
                                  Supported LAN Switch types: S2403F, S2403H, S3026, S3026V, S2008, S2016, S2026, S2008B, S2016B, S2026B
HGMP V2                           Number of manageable LAN Switches: 253
                                  Number of LAN Switch concatenations allowed: configurable
                                  Supported LAN Switch types: S2403H, S3026, S3026V, S2008, S2016, S2026
Patch                             Maximum number of patches: 200
                                  Maximum number of functions for each patch: 20
I. General features

Features                        Indices
Rate                            1250Mbps
Format                          1000Base-FX (IEEE802.3z)
Mode                            Single mode/multimode
Connector                       LC
Transmission distance           Single mode: 10km, 40km, 70km
                                Multimode: 500m
Standard of optical interface   GPCS interface
Environment temperature         0°C~70°C

- Features of laser
Table 6-5 Transmission parameters of 1000M Ethernet single mode optical interface (10km)
Table 6-6 Transmission parameters of 1000M Ethernet single mode optical interface (40km/70km)
- Features of receiver
Table 6-7 Receiving parameters of 1000M Ethernet single mode optical interface (10km)
Table 6-8 Parameters of 1000M Ethernet single mode optical interface (40km/70km)
Note:
Description 1: Maximum output optical power meets IEEE802.3z and the Class 1 laser safety requirement for human eyes.
Description 2: Extinction ratio is the ratio between the average output optical powers when the transmitter sends "1" and "0".
Description 3: The 20%~80% values are unfiltered.
Description 4: The pulse features of the laser can be displayed as an eye pattern. The output waveform meets the requirements of the eye pattern template described in section 38.6.5 of IEEE802.3z.
Description 5: TP is the test point defined in section 38.2.1 of IEEE802.3z.
Description 6: The sensitivity of the receiver is sampled at the center of the eye pattern when the extinction ratio is at its worst-case value.
Description 7: The 3dB bandwidth of the receiver is tested according to the indices listed in section 38.6.11 of IEEE802.3z.
Description 8: Return loss is defined as the minimum loss when received optical power is reflected back into the fiber.
Description 8: Return loss is defined as the minimum loss when the received optical power is reflected to
the fiber.
- Features of laser
- Features of receiver
Note:
Description 1: Maximum output optical power meets IEEE802.3z and the Class 1 laser safety requirement for human eyes.
Description 2: Extinction ratio is the ratio between the average output optical powers when the transmitter sends "1" and "0".
Description 3: The 20%~80% values are unfiltered.
Description 4: The pulse features of the laser can be displayed as an eye pattern. The output waveform meets the requirements of the eye pattern template described in section 38.6.5 of IEEE802.3z.
Description 5: CRP is tested according to section 38.6.10 of IEEE802.3z and the EIA/TIA-526-14A standard.
Description 6: TP is the test point defined in section 38.2.1 of IEEE802.3z.
Description 7: The sensitivity of the receiver is sampled at the center of the eye pattern when the extinction ratio is at its worst-case value.
Description 8: The 3dB bandwidth of the receiver is tested according to the indices listed in section 38.6.11 of IEEE802.3z.
Description 9: Return loss is defined as the minimum loss when received optical power is reflected back into the fiber.
I. General features

Feature                         Index
Speed                           100Mbps
Format                          100Base-FX (IEEE802.3u)
Mode                            Single mode/Multimode
Connector                       LC
Transmission distance           Single mode: 15km
                                Multimode: 2km
Standard of optical interface   SAMI interface
Environment temperature         0°C~70°C

- Features of laser
Table 6-12 Transmission parameters of 100M Ethernet single mode optical interface
Table 6-13 Receiving parameters of 100M Ethernet single mode optical interface
- Features of laser
- Features of receiver
I. General features

Feature                 Index
Speed                   10/100Mbps compatible
Format                  10Base-T/100Base-TX
Mode                    UTP/STP
Connector               RJ-45
Transmission distance   UTP: 100m
                        STP: 150m
Cable type              Category-5 twisted pair
Note:
Description 1: Differential-mode output voltage is the difference between the voltages at the two ends of the balanced circuit. The differential-mode output voltage of the transmitter is the voltage difference between the differential line pair TD+ and TD-.
Description 2: Symmetry of signal amplitude is the ratio between the absolute values of +Vout and -Vout.
Description 3: Impedance return loss is an important index that reflects the impedance match. The formula is Xr = 20lg|(Z+R)/(Z-R)|, where Z is the actual impedance and R is the rated impedance; the rated impedance of UTP is 100 ohms and that of STP is 150 ohms.
Description 4: f is the frequency, in MHz.
Description 5: The rise edge is the time taken for the signal to go from the base voltage (usually 0) to the stable value +Vout or -Vout. The fall edge is the time taken to return from +Vout or -Vout to the base voltage. Both are usually measured between 10% and 90% of Vout.
Description 6: Waveform overshoot describes the relationship between the steady-state differential-mode output voltage Vout and the overshoot peak voltage Vover (the maximum deviation from the steady-state value during the transition).
Description 7: Duty-cycle distortion is the change of pulse width caused by waveform deformation and transmission delay; such changes alter the ratio between the durations with and without a pulse.
In the design of the MA5200F hardware, system reliability and stability were taken into
account, protecting the operators' investment. The main reliability designs include:
- The SPUC/SPUE is designed with a software/hardware watchdog circuit. When a serious
fault occurs, the reset circuit of the board is triggered.
- The hardware is designed with protection against over-current, over-voltage and short
circuit.
- The power supply is designed with protection against excessively high or low voltage
and current. It supports AC and DC input and provides 1+1 backup.
- System MTBF > 133000 hours; Mean Time to Repair (MTTR) < 2 hours.
The software of the MA5200F is designed with the following reliability functions:
- Loading and backup of running software and configuration data.
All ports of the MA5200F use connectors with metal shielding shells that make good
contact with the cabinet cover. The seam between a connector and the cabinet cover is
no longer than 25mm, and the seams between connectors are no longer than 25mm. All
cables led out are shielded cables.
The metal cover of the MA5200F cabinet is connected to the grounding post on the board
via multiple conductive mounting holes. The shell of the power supply is connected to
the cabinet via multiple mounting bolts. An M3 grounding bolt is installed on the
outside of the cabinet.
The MA5200F uses safety-qualified components and parts. All edges and corners of the
device are polished, and protective measures are provided for the fans.
All parts that generate significant heat have cooling fins. The whole system is designed
with four fans for heat dissipation.
I. Binding of VLAN+MAC+IP
users' IP addresses. The MA5200F not only allows users to use static IP addresses, but
also allows them to obtain IP addresses via DHCP or PPPoE. In either case, the MA5200F
establishes VLAN+MAC+IP binding relations for the users; when a user configures an IP
address illegally, it cannot access the Internet. To some extent, this measure
guarantees network security.
In an IP spoofing attack, the attacker forges source IP addresses in order to pass the
firewall, for example by disguising the source address as one in a network segment
trusted by the firewall. A traditional BAS or L3 device forwards packets according to
the destination IP address only and does not judge the legality of the source IP
address. The MA5200F not only forwards packets according to the destination IP address
but also checks that the source IP address is legal for the user, that is, matches its
binding. In this way, attacks such as ICMP Echo flood, TCP LAND attack and other
forged-source-address attacks can be effectively prevented.
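The two paragraphs above describe the same mechanism from two sides: a binding table keyed by logical port (physical port + VLAN ID), and a source-address check that runs before the ordinary destination lookup. The following Python is an added example written for this page, not code from the MA5200F or from Huawei; the BindingTable class, the ROUTES list and the sample MAC/IP values are constructed for illustration, and the check only models the binding logic described in the text (it does not model how the device learns bindings from DHCP or PPPoE).

```python
"""Added example (not from the Huawei manual): a (VLAN, MAC, IP) binding table
keyed by logical port and a source-address check applied before the destination
route lookup. Names and sample data are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Binding:
    port: int          # physical (incoming) port number
    vlan: int          # VLAN ID on that port
    mac: str           # normalised lower-case MAC address
    ip: IPv4Address    # the one IP this user is allowed to source


class BindingTable:
    """Bindings are created when a user gets an address (static, DHCP or PPPoE)."""

    def __init__(self) -> None:
        self._by_mac: dict[tuple[int, int, str], Binding] = {}

    def bind(self, port: int, vlan: int, mac: str, ip: str) -> Binding:
        b = Binding(port, vlan, mac.lower(), IPv4Address(ip))
        self._by_mac[(port, vlan, b.mac)] = b
        return b

    def unbind(self, port: int, vlan: int, mac: str) -> None:
        self._by_mac.pop((port, vlan, mac.lower()), None)

    def check_source(self, port: int, vlan: int, src_mac: str, src_ip: str) -> str:
        """Return "ok" if the frame's source matches its binding, else a drop reason."""
        b = self._by_mac.get((port, vlan, src_mac.lower()))
        if b is None:
            return "unknown-mac"        # no user bound on this logical port
        if b.ip != IPv4Address(src_ip):
            return "ip-mismatch"        # self-configured or spoofed source address
        return "ok"


# Constructed route table, ordered longest prefix first (destination-based lookup).
ROUTES = [
    (IPv4Network("10.0.100.0/24"), "direct"),
    (IPv4Network("10.0.0.0/8"), "10.0.0.1"),
    (IPv4Network("0.0.0.0/0"), "198.51.100.1"),
]


def forward_decision(table: BindingTable, port: int, vlan: int,
                     src_mac: str, src_ip: str, dst_ip: str) -> tuple[str, str]:
    """Source validity check first, then the destination lookup a plain L3 device does."""
    verdict = table.check_source(port, vlan, src_mac, src_ip)
    if verdict != "ok":
        return ("drop", verdict)
    dst = IPv4Address(dst_ip)
    for net, nexthop in ROUTES:
        if dst in net:
            return ("forward", nexthop)
    return ("drop", "no-route")


def build_demo_table() -> BindingTable:
    """Two users on port 1 / VLAN 100 (constructed data)."""
    t = BindingTable()
    t.bind(1, 100, "00:11:22:33:44:55", "10.0.100.10")
    t.bind(1, 100, "00:11:22:33:44:66", "10.0.100.11")
    return t


if __name__ == "__main__":
    t = build_demo_table()
    # legitimate user
    print(forward_decision(t, 1, 100, "00:11:22:33:44:55", "10.0.100.10", "198.51.100.7"))
    # user 55 sourcing the address bound to user 66 (spoofing inside the VLAN)
    print(forward_decision(t, 1, 100, "00:11:22:33:44:55", "10.0.100.11", "198.51.100.7"))
```

The point of the example is the order of operations: a device that only does the route lookup forwards the spoofed frame in the second call, while the binding check rejects it with "ip-mismatch" before any route is consulted. A frame from an unbound MAC, or from a bound MAC on a VLAN where it has no binding, is rejected as "unknown-mac" whatever its source address.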
Some attackers use ICMP destination host unreachable or destination network
unreachable messages to attack a router or switch. The attacker forges a huge number of
such packets; upon receiving them the router sends them to the CPU for processing, and
because the attack traffic is very heavy, the protocol channels of the router or switch
are blocked. The MA5200F can guard against such attacks.
A standard DHCP server or DHCP relay offers no such protection: it does not limit the
number of IP addresses requested per VLAN port. The IP addresses in the DHCP server are
an important resource, and if an attacker exhausts the addresses in the pool, other
users cannot access the Internet. The MA5200F therefore limits the number of IP
addresses that can be requested by users per VLAN, preventing this attack on the DHCP
server.
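The per-VLAN limit described above is easiest to see as a small simulation. The Python below is an added example for this page, not code from the MA5200F: a pool that hands out leases but refuses a new lease once the requesting VLAN already holds its configured share, so a client cycling through forged MAC addresses on one VLAN cannot drain the pool for every other VLAN. The VlanLimitedPool class, the lease timer and the MAC/subnet values are all constructed for illustration; real DHCP message handling (DISCOVER/OFFER/REQUEST/ACK) is not modelled.

```python
"""Added example (not from the Huawei manual): a DHCP address pool whose front
refuses new leases once a VLAN holds its configured share, so one VLAN's client
cannot drain the pool for every other VLAN. Constructed data throughout."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Lease:
    vlan: int
    ip: IPv4Address
    expires: float


class VlanLimitedPool:
    def __init__(self, network: str, per_vlan_limit: int, lease_time: float) -> None:
        self.free = list(IPv4Network(network).hosts())   # addresses not yet leased
        self.limit = per_vlan_limit                        # max active leases per VLAN
        self.lease_time = lease_time
        self.leases: dict[str, Lease] = {}                 # client MAC -> lease
        self.per_vlan: Counter = Counter()                 # VLAN -> active lease count
        self.refused: Counter = Counter()                  # VLAN -> refusals (for alarms)

    def expire(self, now: float) -> None:
        """Return expired leases to the pool and release their VLAN quota."""
        for mac, lease in list(self.leases.items()):
            if lease.expires <= now:
                self._release(mac)

    def _release(self, mac: str) -> None:
        lease = self.leases.pop(mac)
        self.per_vlan[lease.vlan] -= 1
        self.free.append(lease.ip)

    def request(self, vlan: int, mac: str, now: float) -> Optional[IPv4Address]:
        """Grant or renew a lease; return None when the request is refused."""
        self.expire(now)
        mac = mac.lower()
        lease = self.leases.get(mac)
        if lease is not None and lease.vlan == vlan:       # renewal consumes nothing new
            lease.expires = now + self.lease_time
            return lease.ip
        if lease is not None:                               # same MAC moved VLAN: drop old lease
            self._release(mac)
        if self.per_vlan[vlan] >= self.limit:               # the per-VLAN cap
            self.refused[vlan] += 1
            return None
        if not self.free:                                   # pool genuinely empty
            self.refused[vlan] += 1
            return None
        ip = self.free.pop(0)
        self.leases[mac] = Lease(vlan, ip, now + self.lease_time)
        self.per_vlan[vlan] += 1
        return ip


def simulate_exhaustion(per_vlan_limit: int = 4) -> dict:
    """Attacker on VLAN 10 forges MACs; a legitimate client on VLAN 20 must still be served."""
    pool = VlanLimitedPool("10.0.0.0/28", per_vlan_limit, lease_time=60.0)   # 14 usable hosts
    granted = [pool.request(10, f"02:00:00:00:00:{i:02x}", now=0.0) for i in range(10)]
    attacker_got = sum(1 for g in granted if g is not None)
    victim = pool.request(20, "00:aa:bb:cc:dd:ee", now=1.0)
    pool.expire(now=60.5)           # attacker's leases (expire at 60.0) are reclaimed
    return {
        "attacker_got": attacker_got,
        "attacker_refused": pool.refused[10],
        "victim_ok": victim is not None,
        "free_after_expiry": len(pool.free),
    }


if __name__ == "__main__":
    print(simulate_exhaustion())
```

With a limit of 4 the attacker's first four forged MACs succeed and the remaining six are refused, the VLAN 20 client is still served, and once the attacker's leases expire their four addresses return to the pool while the legitimate lease (expiring later) is kept. The refused counter is what an operator would alarm on: a VLAN hitting its cap repeatedly is either under-provisioned or under attack.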
V. ACL filtering
The MA5200F provides a powerful ACL function. It can not only apply the user-based UCL,
but also perform ACL filtering by flow classification on the seven-element group
(incoming physical port number + VLAN ID + source IP address + destination IP address +
source port number + destination port number + protocol type).
In the MA5200F the concept of a port is expanded. Generally, the system takes incoming
physical port number + VLAN ID as the access control unit; that is, the traditional
port is expanded to a logical port based on physical port + VLAN ID. The MA5200F
supports access control based on the logical port, which can limit the number of users
accessing through each logical port and control the authentication policies used on
such ports.
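The ACL section and the logical-port section above fit together: the seven-element group already contains the physical port and VLAN ID, so the logical port is both the key for per-port limits and the first two fields of every rule. The Python below is an added example for this page, not code from the MA5200F: it implements first-match rule evaluation over the seven fields, enforces the limits quoted in the specification table (32 rules per ACL; standard ACLs 1~99 classify on source IP only, advanced ACLs 100~199) and attaches a user cap, an authentication mode and an ACL to each logical port. The class and field names, the demo rule set and the sample flows are constructed for illustration.

```python
"""Added example (not from the Huawei manual): seven-element-group flow
classification with the logical port (physical port + VLAN ID) as the
access-control unit. Rule limits follow the specification table above; all
names, rule sets and sample flows are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = None                               # wildcard for a rule field
MAX_RULES_PER_ACL = 32                   # per the specification table
STANDARD_ACL_RANGE = range(1, 100)       # standard ACLs 1~99: source IP only
ADVANCED_ACL_RANGE = range(100, 200)     # advanced ACLs 100~199


@dataclass(frozen=True)
class Flow:
    port: int          # incoming physical port number
    vlan: int          # VLAN ID
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str         # "tcp", "udp", "icmp", ...


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    port: Optional[int] = ANY
    vlan: Optional[int] = ANY
    src: Optional[str] = ANY           # CIDR prefix or ANY
    dst: Optional[str] = ANY
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY
    proto: Optional[str] = ANY

    def matches(self, f: Flow) -> bool:
        """Every non-wildcard field must match; wildcards match anything."""
        return all((
            self.port is ANY or f.port == self.port,
            self.vlan is ANY or f.vlan == self.vlan,
            self.src is ANY or IPv4Address(f.src_ip) in IPv4Network(self.src),
            self.dst is ANY or IPv4Address(f.dst_ip) in IPv4Network(self.dst),
            self.src_port is ANY or f.src_port == self.src_port,
            self.dst_port is ANY or f.dst_port == self.dst_port,
            self.proto is ANY or f.proto == self.proto,
        ))


class Acl:
    """Ordered rule list, first match wins, implicit default if nothing matches."""

    def __init__(self, number: int, default: str = "deny") -> None:
        if number not in STANDARD_ACL_RANGE and number not in ADVANCED_ACL_RANGE:
            raise ValueError(f"ACL number {number} out of range 1~199")
        self.number = number
        self.default = default
        self.rules: list[Rule] = []

    def add(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES_PER_ACL:
            raise ValueError(f"ACL {self.number} already holds {MAX_RULES_PER_ACL} rules")
        if self.number in STANDARD_ACL_RANGE and any(
                v is not ANY for v in (rule.port, rule.vlan, rule.dst,
                                       rule.src_port, rule.dst_port, rule.proto)):
            raise ValueError("a standard ACL classifies on source IP address only")
        self.rules.append(rule)

    def evaluate(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        return self.default


@dataclass
class LogicalPort:
    """Physical port + VLAN ID: carries the user cap, the auth policy and the ACL."""
    port: int
    vlan: int
    max_users: int
    auth_mode: str                       # e.g. "web", "eap", "vlan-leased-line"
    acl: Optional[Acl] = None
    online: set = field(default_factory=set)

    def admit(self, mac: str) -> bool:
        """Admit a user unless the logical port is already at its user limit."""
        if mac in self.online:
            return True
        if len(self.online) >= self.max_users:
            return False
        self.online.add(mac)
        return True


def classify(ports: dict, f: Flow) -> str:
    """Discard flows from VLANs not configured on the port; otherwise apply its ACL."""
    lp = ports.get((f.port, f.vlan))
    if lp is None:
        return "deny"                    # illegal VLAN: not configured under this port
    return lp.acl.evaluate(f) if lp.acl else "permit"


def build_demo() -> dict:
    """Constructed configuration: VLAN 100 on port 1 may not send SMTP; only its own subnet is permitted."""
    acl = Acl(101)
    acl.add(Rule("deny", vlan=100, dst_port=25, proto="tcp"))
    acl.add(Rule("permit", src="10.0.100.0/24"))
    return {(1, 100): LogicalPort(port=1, vlan=100, max_users=2, auth_mode="web", acl=acl)}
```

Note the order of the two rules in build_demo: because evaluation is first-match, the specific deny must precede the broader permit, and a flow from an address outside 10.0.100.0/24 falls through to the ACL's implicit deny. A flow arriving on a (port, VLAN) pair with no LogicalPort configured is discarded before any rule is consulted, which is the "illegal VLAN" behaviour named in the terminology appendix.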
Appendix A Terminology
Terms Description
Service part
Accounting In the accounting process, the billing information is also sent to the two RADIUS servers and responses are
Information copy requested
It classifies the traffic on the basis of five-element group (physical incoming port number + source IP address
Advanced ACL
+ destination IP address + source port + destination port), so as to control the access authority.
It is a kind of technology. By responding the ARP request of the host, the proxy makes the host regard this
ARP proxy
proxy as the destination host.
Bind a few of the user parameters like IP address, MAC address, port or some elements of the VLAN, to check
Binding check
the validity of the access subscriber.
It refers to the management domain formed by a group of switches, including a command switch (it controls the
Cluster cluster, and it is usually the MA5200F in the related networking) and multiple member switches. All the
switches in the cluster are managed through a public IP address.
Controllable It means to authenticate and charge the multicast service needed by the subscriber, and control the Layer2
multicast device to forward the multicast packets.
It is a kind of technology. A designated address is used to respond to the DNS request of the subscriber’s host,
DNS cheat
thus, the host regards this address as the domain name to be resolved.
Dual
Under the same logical port, both Web and EAP authentication modes are supported.
authentication
It is the EAP authentication mode based on SIM card. In Windows XP, it is also called 802.1X intelligent card
EAP-SIM
authentication.
Forced Portal
In compelling Portal services, this server provides the Portal Web page.
server
When the subscriber passes the authentication and visits the external network for the first time, the MA5200F
Forced Portal
will force-redirect the access request to a certain server (it is usually the Portal server of the operator). In this
service
way, the first website visited by the subscriber will be the website of the operator.
Forward packets
For each packet, it must be forwarded by querying the routing table via maximum length matching mode.
one by one
When the subscriber who needs Web authentication or fast authentication attempts to access the
Forced Web
unauthorized address, the MA5200F will force-redirect the access request to the forced Web authentication
authentication
server.
In the forced Web authentication, the forced Web authentication server provides the authentication Web page
Forced Web
to the user and sends the user name and password to the Web authentication server by using the internal
authentication
protocol. The Web authentication server and the forced Web authentication server can be combined into one
server
or separated physically.
When the subscriber’s traffic is smaller than the threshold during a period, the system will regard the
Idle Cut
subscriber as in idle status, and the connection will be cut off according to the configuration.
Illegal VLAN The VLAN is not configured under a port, and all the packets received from this VLAN will be discarded.
The solution provided by Huawei Technologies Co., Ltd.. It is used to provide broadband access to the Internet
IP Hotel and related subscriber management, authentication and accounting (charging) for the hotels, office buildings,
communities in the MAN.
It provides Web authentication function for Layer3 device like the router, Ethernet switch, when they are
Layer3 BAS
accessing the MA5200F.
Leased line for
When VLAN transparent transmission is going on, it is necessary to charge the leased line and execute service
VLAN transparent
control policies like CAR.
transmission
Logical port The service control unit composed of physical port + VLAN.
It is the acronym of Next Generation Network. It usually refers to a multimedia communication network, which
can bear voice, image and data. More intelligentized diversified and customized services can be provided by it.
NGN
It also supports the service development by the third party and specific customization by the customer. More
flexible access modes are provided to adapt to the current conditions of different operators.
Non-management For the packets in the VLAN, only normal routing forwarding is performed and no authentication and
VLAN accounting are carried out.
The MA5200F will send the last bill of the subscriber to the RADIUS server. When the RADIUS receives this
Offline bill
offline bill, it will know that the subscriber has logged off and stop charging the subscriber.
A-1
Technical Manual
SmartAX MA5200F Broadband Access Server Appendix A Terminology
Terms Description
The bill generated periodically by the MA5200F to the RADIUS server, when the subscriber has passed the
Online bill
authentication by the AAA server and is online.
The operator who maintains and manages the MA5200F via command line terminal (Telnet client or serial port
Operator
communication terminal).
When the location of the computer is changed, it can provide the Internet access services normally without
Plug and Play
changing the former configured network parameters (IP address, IP address of DNS server, HTTP proxy).
The function which decides the forwarding port according to the source IP address of user packets. In the
Policy routing
normal routing forwarding, the forwarding port is decided according to the destination IP address of the packet.
Portal protocol It is a protocol developed by Huawei Technologies Co., Ltd. for Web authentication.
One of management VLAN. The Proxy Server configured below VLAN is taken as a unit for service control.
Proxy leased line
Only one Proxy Server can be configured below one VLAN. The packets are forwarded one by one.
Realtime Traffic is measured periodically. Realtime bill is generated locally or by informing the RADIUS server. In this
accounting way, even if the subscriber is abnormally disconnected, the uncertainty of the accounting can be minimized.
Among the multiple routes to the same destination, the one with the highest priority is called main route, and
Route standby others with descending priorities are called standby routes. When the main route goes wrong, the traffic will be
automatically switched to the standby route. Therefore, the reliability of the network is improved.
Secondary
It is also called the accounting packet copy function. It means that in the accounting process, the accounting
accounting based
information will be sent to two RADIUS servers at the same time, and the responses are waited respectively.
on ISP
It is a technology. In VLAN or 802.1X access mode, when the DHCP function is initialized, the IP address is
Secondary address allocation: pre-allocated to the subscriber (usually the IP address of a private network). After the subscriber has passed the authentication or re-authentication (Web authentication for VLAN access or EAP authentication for 802.1X access), a new IP address is allocated to the subscriber (usually an IP address in the public network).
Standard ACL: Access Control List that classifies traffic on the basis of the source IP address, so as to implement control over access authority.
User log: The service log information recorded during the process of the user's login/logoff, or while the MA5200F is creating the subscriber connection. It includes the user's name, VLAN, source IP address, source MAC address, destination IP address and access time.
User-managed VLAN: The general name of the VLAN types that need to control all the subscribers in the VLAN or the service of the whole VLAN.
VLAN leased line: All the subscribers under the VLAN of the same port do not need to input an account number and password for authentication. Their traffic control and statistics are carried out in a unified way, and on the AAA server they look like the access of a single subscriber.
VLAN transparent transmission: The device does not terminate the Layer 2 packets in the VLAN of a specific port, but forwards them from a designated port and has them terminated by the upper device. This service is mainly used in MPLS VPN to realize the interconnection between enterprises.
VRP: Versatile Routing Platform of the data communication products of Huawei Technologies Co., Ltd. It takes IP service as the nucleus and realizes a modular system structure. While providing abundant functions, it can also be tailored and expanded according to the application.
Web authentication: The subscriber is authenticated by inputting a user name and password on the Web page.
Web authentication server: Provides the Web page for authentication. (In the forced Web authentication mode, if the forced Web authentication server works separately, the Web page is not provided.) The Web authentication server interacts with the MA5200F by using the Portal protocol to complete the user authentication.
Hardware
Fiber transceiver: The optic/electro converter or optical modem. It implements the conversion from the electric 100Base-TX FE interface to an optical interface, in order to extend the transmission distance beyond that of the category 5 cable of the electric interface.
Maintenance network interface: The network interface on the front panel of the MA5200F, used for maintenance and management. It is located on the same line as the maintenance serial port. It is used for the out-of-band loading and backup of host software or configuration data.
Maintenance serial port: The serial port on the front panel of the MA5200F, used for maintenance and management. It is an RJ45 interface, located on the same line as the maintenance network interface. It can be connected to a terminal device via a serial port cable, and the device can be maintained by using serial port communication software.
Optic/electro converter box: The box containing the fiber transceivers, with a 220V power module that can supply power to 12 fiber transceivers.
Service network interface: The network interface for inputting/outputting the subscriber's service packets, in contrast to the maintenance network interface. The interfaces at the subscriber side and the network side are all service network interfaces. There are 24 FE interfaces and 2 GE interfaces on the MA5200F.
Appendix B List of Acronyms and Abbreviations
Acronyms/Abbreviations Description
LSA Link State Advertisement
LSDB Link State Database
MAC Media Access Control
MGCP Media Gateway Control Protocol
MIB Management Information Base
MPLS Multi-protocol Label Switching
MTBF Mean Time Between Failures
MTTR Mean Time to Repair
NAT Network Address Translation
NDP Neighbor Discovery Protocol
NTDP Neighbor Topology Discovery Protocol
NGN Next Generation Network
NPS Network Process Service
OSPF Open Shortest Path First
PADM PPPoE Activate Discovery Message
PAP Password Authentication Protocol
PAT Port Address Translation
PDU Protocol Data Unit
PIM Protocol Independent Multicast
PIM-DM PIM-Dense Mode
PIM-SM PIM-Sparse Mode
PNP Plug and Play
PPP Point-to-Point Protocol
PPPoE PPP Over Ethernet
QoS Quality of Service
RA Routes Aggregation
RADIUS Remote Authentication Dial in User Service
RIP Routing Information Protocol
RP Rendezvous Point
RTU Remote Terminal Unit
SDRAM Synchronous Dynamic Random Access Memory
SIM Subscriber Identity Module
SNMP Simple Network Management Protocol
SPF Shortest Path First
STP Shielded Twisted Pair
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
UDP User Datagram Protocol
UTP Unshielded Twisted Pair
VDSL Very-high-rate Digital Subscriber Line
VLAN Virtual Local Area Network
VOD Video On Demand
VoIP Voice over IP
VPDN Virtual Private Dial Network
VPN Virtual Private Network
VRP Versatile Routing Platform
WLAN Wireless Local Area Network
WWW World Wide Web
Appendix C Specifications of MA5200E
The MA5200E is an integrated box-type device with a compact structure. The dimensions of the device are 44.45mm (h) x 350mm (d) x 482.6mm (w). Its width conforms to the 19-inch standard. The total weight is 4kg. Its appearance is as shown in Figure C-1.
In the MA5200E, the cables of the FE service network interfaces, the maintenance serial port and the maintenance network interface are led out from the front, while the GE fiber is led out from the back. The power is led in from the back. Heat is dissipated by forced air cooling, with four fans integrated into the device.
C.1.2 Boards
I. SPUB
SPUB is the core processing board of the MA5200E, which implements all the service
processing functions of the system. One SPUB is configured in the system.
II. O1GB
O1GB is the board with a single GE optical interface, which implements the PHY and
O/E function. Two O1GBs are configured in the system.
O1GB is plugged in the GE interface of SPUB, providing one GE optical interface. The
system provides two GE optical interfaces.
The MA5200E provides 24 10/100M Ethernet electric interfaces and two 1000M
Ethernet optical interfaces (single mode/multimode). According to actual needs, the
10/100M Ethernet electric interface can use an optic/electro converter to change the
interface into an Ethernet optical interface, so as to increase the transmission distance.
Besides, the MA5200E can provide one maintenance serial port and one maintenance
network interface for debugging and maintenance.
C.1.4 Indicators
The indicators of the MA5200E resemble those of the MA5200F. The only difference is
that the power indicator, running indicator and alarm indicator are in the left lower
corner of the panel (those of the MA5200F are in the right lower corner). For details,
refer to Section 2.1.4 Device Indicator of Chapter 2 Hardware and Software Structure.
The power supply parameters of the MA5200E are shown in Table C-1.
Table C-1 Power supply parameters of the MA5200E
Working power supply: AC (110V/220V)±20%, frequency range 47~63Hz; DC -48V (-72V~-36V)
Output voltage of power supply: 3.3V and 12V
Rated current: 3A
EMI wave filter: Conduction Class B; Radiation Class B
Power consumption with full configuration: <45W
Power consumption of board: H521SPUC (main service processing board) <38.3W; H521O1GB (GE service pinch board) 3~5W
The environment parameters of the MA5200E are the same as those of the MA5200F.
Refer to Section 6.1.2 Environment Parameters of Chapter 6 Technical Parameters
and Specifications.
The whole system of the MA5200E has “24 FE interfaces + 2 GE interfaces”. The GE
interfaces are optical interfaces, while FE interfaces are all electric interfaces. If FE
interfaces need to become optical interfaces, external optic/electro converters should
be configured. A customer can configure the optic/electro converters alone according
to actual networking needs, or choose the optic/electro converters delivered by
Huawei.
The optic/electro converters delivered are put into the optic/electro converter box, and
each box contains 12 optic/electro converters that are powered in concentrated mode.
If all the interfaces of the MA5200E need to be changed into optical interfaces, each MA5200E needs to be configured with 24 optic/electro converters, which means that two external optic/electro converter boxes are needed.
The technical specifications of optic/electro converters shipped with the MA5200E are
as shown in Table C-2.
Table C-2 Technical specifications of the optic/electro converters shipped with the MA5200E
Standards: IEEE802.3u; IEEE802.1Q (overlong frames with VLAN flag supported); IEEE802.3x full duplex traffic control protocol
Parameters of electric interface: Interface type RJ-45; Mode UTP; Distance 10m (the length of the connecting cable between the FE interface of the MA5200E and the electric interface of the optic/electro converter)
Parameters of optical interface: 850nm, multimode, ST/SC interface, 2km (14dB); 1310nm, single mode, SC interface, 15km (11dB), 30km (17dB), 40km (21dB), 60km (29dB); 1550nm, single mode, SC interface, 100km (30dB)
The indicator meanings of the optic/electro converter shipped with the MA5200E are
shown in Table C-3.
Table C-3 Indicators of the optic/electro converter shipped with the MA5200E
Indicator Meaning
POWER Power indicator
TP ACT Data transmission indicator of twisted pair
TP LINK Link status indicator of twisted pair
FX ACT Data transmission indicator of fiber
FX LINK Link status indicator of fiber
LINK LOS DIS Link alarm disconnection indicator