
HUAWEI

SmartAX MA5200F Broadband Access Server


Technical Manual

MA2.10

Manual Version T2-080282-20030728-C-1.70

Product Version MA2.10

BOM 31025882

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support
and service. If you purchased the products from a sales agent of Huawei Technologies Co.,
Ltd., please contact that sales agent. If you purchased the products from Huawei
Technologies Co., Ltd. directly, please feel free to contact our local office, customer care
center or company headquarters.

Huawei Technologies Co., Ltd.

Address: Administration Building, Huawei Technologies Co., Ltd.,

Bantian, Longgang District, Shenzhen, P. R. China

Postal Code: 518129

Website: http://www.huawei.com

Email: support@huawei.com
Copyright © 2003 Huawei Technologies Co., Ltd.

All Rights Reserved

No part of this manual may be reproduced or transmitted in any form or by any
means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks

HUAWEI, C&C08, EAST8000, HONET, ViewPoint, INtess, ETS, DMC,
TELLIN, InfoLink, Netkey, Quidway, SYNLOCK, Radium, M900/M1800,
TELESIGHT, Quidview, Musa, Airbridge, Tellwin, Inmedia, VRP, DOPRA, iTELLIN,
HUAWEI OptiX, C&C08 iNET, NETENGINE, OptiX, SoftX, iSite, U-SYS, iMUSE,
OpenEye, Lansway, SmartAX are trademarks of Huawei Technologies Co., Ltd.

All other trademarks mentioned in this manual are the property of their respective
holders.

Notice

The information in this manual is subject to change without notice. Every effort has
been made in the preparation of this manual to ensure accuracy of the contents, but
all statements, information, and recommendations in this manual do not constitute
the warranty of any kind, express or implied.
About This Manual

Version

The product version that corresponds to the manual is SmartAX MA5200F Broadband
Access Server (referred to as the MA5200F hereafter) MA2.10.

Related Manuals

The following manuals provide more information about the MA5200F.

Manual: SmartAX MA5200F Broadband Access Server Technical Manual
Content: It provides an overall introduction to the MA5200F, including the
system overview, hardware description, software description,
networking applications and technical specifications and indices.

Manual: SmartAX MA5200F Broadband Access Server Installation Manual
Content: It provides information for the system installation, including the
introduction to equipment, installation requirements, hardware
installation, layout and connection of cables and fibers, as well as
appendix.

Manual: SmartAX MA5200F Broadband Access Server Operation Manual
Content: It can guide the user in the configuration of functions and services.
It includes four parts: basic operations, fundamental functions,
service applications and maintenance operations.

Manual: SmartAX MA5200F Broadband Access Server Command Manual
Content: It introduces all commands available in the MA5200F, as well as
the command usage and examples. It is not included in the
package of documentation shipped with the equipment. For
specific command reference, consult the related electronic
documentation.

Manual: SmartAX MA5200F Broadband Access Server Safety Manual
Content: It lists the safety information needed to install and maintain the
equipment.

Organization of the Manual

The manual introduces the system structure, service functions and networking
applications of the MA5200F. There are six chapters and one appendix in the manual.

Chapter 1 System Overview profiles the system characteristics and orientations of
the MA5200F.

Chapter 2 Hardware and Software Structure focuses on the hardware and software
modules of the MA5200F, including the appearance, hardware functions, cards,
indicators and physical ports of the MA5200F, as well as the software functions.

Chapter 3 Service and Function gives a detailed description on the functions of the
MA5200F, including route management, access authentication, address management,
user management, service control, security management, value added services,
network management and system maintenance.

Chapter 4 Networking Applications presents typical networking applications of the
MA5200F.

Chapter 5 NMS introduces the management and maintenance functions provided by
Huawei iManager N2000 and Quidview systems on the MA5200F.

Chapter 6 Parameters and Specifications introduces the physical features of the
MA5200F, and specifications about the working environment, system performance and
service support of the MA5200F.

Appendix lists the terminologies, acronyms and their meanings. Specifications of the
SmartAX MA5200E Broadband Access Server are also given in the Appendix.

Intended Readers

The manual is intended for the following readers:


• Networking engineers
• Network administrators
• MA5200F users with basic network knowledge

Conventions

This manual uses the following conventions:

I. General conventions

Convention      Description
Arial           Normal paragraphs are in Arial.
Arial Narrow    Warnings, Cautions, Notes and Tips are in Arial Narrow.
Boldface        Headings are in Boldface.

II. Symbols

Eye-catching symbols are also used in the manual to highlight the points worthy of
special attention during the operation. They are defined as follows:

Caution: Means the reader should be extremely careful during the operation.

Note: Means a complementary description.

Table of Contents

Chapter 1 System Overview
1.1 Introduction
1.2 Product Orientation
1.2.1 Application in Broadband MANs
1.2.2 Application in Enterprise Intranet
1.2.3 Application in CANs
1.2.4 Application in GDNs
1.2.5 Intelligent Hotel
1.3 System Features

Chapter 2 Hardware and Software Structure
2.1 Hardware Structure
2.1.1 Appearance
2.1.2 Hardware Modules
2.1.3 Cards
2.1.4 Indicators
2.1.5 Hardware Interface
2.2 Software Architecture

Chapter 3 Service and Function
3.1 Supporting Platform
3.2 Route Management
3.2.1 Route Management Policy
3.2.2 Static Route and Default Route
3.2.3 RIP
3.2.4 OSPF
3.2.5 BGP
3.3 Access Authentication
3.3.1 PPPoE Access
3.3.2 VLAN Access
3.3.3 802.1X Access
3.3.4 Leased Line Access
3.3.5 Layer3 BAS
3.4 Address Management
3.4.1 Address Allocation
3.4.2 Secondary Allocation of Address
3.4.3 NAT
3.5 Subscriber Accounting
3.6 Service Control
3.6.1 Restriction on the number of subscribers
3.6.2 Access Types
3.6.3 Flow Control
3.6.4 Idle-Cut
3.6.5 QoS
3.6.6 Policy Routing
3.7 Security Management
3.7.1 Prevention on Account Forgery
3.7.2 ACL
3.7.3 User Log
3.7.4 Protection on Resources
3.8 Value Added Services
3.8.1 Multicast
3.8.2 IP Hotel
3.8.3 WLAN
3.8.4 VPN
3.8.5 Plug and Play
3.8.6 Forced Portal
3.9 Network Management
3.9.1 HGMP V1
3.9.2 HGMP V2
3.10 System Maintenance
3.10.1 Managing the Operators
3.10.2 Loading and Backup
3.10.3 Information Center
3.10.4 Diagnoses and Debugging
3.10.5 Tools for Connectivity Test

Chapter 4 Networking Applications
4.1 Networking Based on Layer2 Devices
4.1.1 Networking Based on Ethernet Access
4.1.2 Networking for xDSL Access
4.1.3 Networking for HFC Access
4.1.4 Networking for WLAN Access
4.2 Networking for Varied Application Situations
4.2.1 Networking for CAN
4.2.2 Networking for Enterprise Network
4.2.3 Networking for GDN
4.2.4 Networking for Intelligent Buildings
4.2.5 Networking for Intelligent Community
4.3 Networking for Value-added Services
4.3.1 Networking for Controllable Multicast
4.3.2 Networking for IP Hotel
4.3.3 Networking for MPLS VPN

Chapter 5 NMS
5.1 Features of NMS
5.2 NMS Functions

Chapter 6 Parameters and Specifications
6.1 Parameters of Power Supply and Environment
6.1.1 Parameters of Power Supply
6.1.2 Environment Parameters
6.2 Performance Parameters
6.3 Technical Parameters of Interfaces
6.3.1 Technical Parameters of 1000M Ethernet Optical Interface
6.3.2 Technical Parameters of 100M Ethernet Optical Interface
6.3.3 Technical Parameters of 100M Ethernet Electric Interface
6.4 Designs for Reliability and Security
6.4.1 Reliability of Hardware
6.4.2 Reliability of Software
6.4.3 Security of Hardware
6.4.4 Security of Services

Appendix A Terminology

Appendix B List of Acronyms and Abbreviations

Appendix C Specifications of MA5200E
C.1 Hardware Structure
C.1.1 Appearance of Device
C.1.2 Boards
C.1.3 Hardware Interface
C.1.4 Indicators
C.2 Power Supply and Environment Parameters
C.2.1 Power Supply Parameters
C.2.2 Environment Parameters
C.3 External Optic/Electro Converter
C.3.1 Selection of External Optic/Electro Converter
C.3.2 Technical Specifications of Optic/Electro Converter


Chapter 1 System Overview

1.1 Introduction
The SmartAX MA5200F Broadband Access Server (referred to as the MA5200F
hereafter) of Huawei is a new-generation Internet Protocol (IP) access server. The
MA5200F was developed to overcome the disadvantages in Ethernet access
technology, including the weakness of subscriber management, server control and
network security.
The MA5200F series contains the MA5200F and the MA5200F-2000. The MA5200F
supports a maximum of 1000 online subscribers, while the MA5200F-2000 supports a
maximum of 2000 online subscribers. Since the MA5200F and the MA5200F-2000 are
completely the same except for the access capacity, they are both called the MA5200F
unless otherwise specified in this manual.
Based on the architecture of the fifth-generation routers put forward by Huawei, the
MA5200F adopts high performance network processors and large capacity ASIC chips
(ASIC stands for Application Specific Integrated Circuit). All these have enabled the
MA5200F with powerful forwarding capacity and flexible processing on different
services.
The MA5200F is suitable for access networks of Ethernet, x Digital Subscriber Line
(xDSL), Hybrid Fiber Coaxial (HFC) and Wireless Local Area Network (WLAN),
providing subscriber management, accounting control, address management, service
control and security management functions.
The MA5200F boasts carrier-class reliability, and is widely applied in broadband
Metropolitan Area Networks (MANs), enterprise Intranets, Campus Area Networks
(CANs), Government Data Networks (GDNs) and intelligent hotels.

1.2 Product Orientation


The MA5200F is located at the access layer or convergence layer of networks that need
subscriber management and security management, providing subscriber management,
accounting control, address management, service control and security management
functions. The MA5200F can be applied in broadband MANs, enterprise Intranets,
CANs, GDNs and intelligent hotels.

1.2.1 Application in Broadband MANs

Generally, the MANs are divided into three layers: core layer, convergence layer and
access layer, providing subscriber access and value added services.


According to different scales of the MANs, the MA5200F can be applied in the local
access layer of a large MAN, or the edge convergence layer of a small MAN. The
MA5200F device can be installed in the central machine room of the community, or
installed in the end office, providing the access authentication, accounting, traffic
control, access control, security and service support functions. With the MA5200F, the
carriers can provide individual subscriber access, intelligent broadband access for
communities and office buildings, dedicated line access for small and medium
enterprises, and Virtual Private Network (VPN) service.
Figure 1-1 shows a typical application of the MA5200F in a MAN.

[Figure: network diagram. Labels: Service Platform, NMS, AAA Server; Core Layer
(GSR); Convergence Layer (MA5200F); Access Layer (MA5200F, CMTS, IP DSLAM,
LAN Switch, AP).]

Figure 1-1 Application of the MA5200F in a broadband MAN

1.2.2 Application in Enterprise Intranet

The structure of an enterprise Intranet can be either distributed or centralized,
according to the size of the enterprise.
In a distributed Intranet, the MA5200F is the core device for the branch office of the
enterprise, accomplishing the subscriber access, guarding against account forgery,
and controlling the network security. The MA5200F also provides Layer 2 Tunneling
Protocol (L2TP) and Generic Routing Encapsulation (GRE) channels to construct
virtual private networks.
According to the size of the enterprise, the centralized Intranet or the central part of the
distributed Intranet can be a three-layer (core, convergence and access) or a two-layer
(core convergence and access) network. The MA5200F is located at the convergence
layer, access layer or the core convergence layer, providing access authentication,
guarding against account forgery, and controlling the network resource. The MA5200F
can also play the role of a Customer Edge (CE) device to coordinate with the
Provider/Provider Edge (P/PE) device to implement MPLS VPN (Multi-protocol Label
Switching VPN).

Note:
4.2.2 gives more details about the application of the MA5200F in an enterprise Intranet.

1.2.3 Application in CANs

The structure of a CAN is similar to that of an enterprise Intranet. In China, the CANs
are connected to both the China Education and Research Network (CERNET) and the
Internet at the same time. The operation of a CAN is somewhat like that of a carrier
network, because there are also requirements on access control and on different
accounting modes based on time or traffic. The CAN users in China can access the CAN
and CERNET directly, but authentication and accounting shall be implemented if the
user accesses the Internet.
The MA5200F is usually located at the access layer of a CAN. In some scenarios, a
standalone MA5200F can also connect to the switch in the convergence layer to
provide access authentication, accounting and security control on the subscribers.

Note:
4.2.1 gives more details about the application of the MA5200F in a CAN.

1.2.4 Application in GDNs

In a GDN, the requirements on network security are very high. The MA5200F is located
at the edge access layer of a GDN to control the access authority and guard against
account forgery. The MA5200F can also act as a CE device to coordinate with the P/PE
device to construct MPLS VPN.

Note:
4.2.3 gives more details about the application of the MA5200F in a GDN.


1.2.5 Intelligent Hotel

Together with the iTELLIN broadband intelligent service system and console of Huawei,
the MA5200F can provide the intelligent hotel solution, "IP Hotel", for broadband access
of multiple hotels. With this solution, each hotel has a virtual platform for subscriber
management, accounting management and configuration management.
In the IP Hotel solution, the MA5200F device can be purchased and maintained by the
hotels, or purchased by the carriers to operate together with the hotels. According to
different operation modes, the MA5200F can be installed in the machine room of the
hotel or the carrier.

Note:
4.3.2 gives more details about the application of the MA5200F in the IP Hotel solution.

1.3 System Features


The MA5200F is an intelligent broadband access server and, at the same time, a high
performance router. With its high-speed switching technology, large-capacity switching
network and modular design, the MA5200F is a highly reliable, multi-service and
scalable access device with diversified interfaces, which can satisfy the demands
of the carriers. The features of the MA5200F are listed below.

I. Powerful route forwarding function

The MA5200F is based on the advanced architecture of the fifth-generation routers,
adopting the advanced network processors and large scale ASIC chips, and thus it has
excellent routing and transfer capabilities.
The MA5200F can work as a standard router, supporting a variety of routing protocols,
including the static route, Routing Information Protocol (RIP) V1/V2, Open Shortest
Path First (OSPF), Border Gateway Protocol (BGP), PIM-Dense Mode (PIM-DM),
PIM-Sparse Mode (PIM-SM), and Internet Group Management Protocol (IGMP) V1/V2,
as well as the tunneling protocols like L2TP and GRE.
The MA5200F has a built-in 10Gbps switching network to support 4.4Gbps bidirectional
linear throughput at the ports, and linear packet forwarding at 3Mpps. Based on its
fifth-generation router architecture, the MA5200F can ensure its packet forwarding
capacity after implementation of the various service control policies such as the access
control list (ACL) and logs.


II. Larger capacity and high integration

The built-in 10Gbps large capacity switching network ensures good forwarding
performance and Quality of Service (QoS). The MA5200F supports 1000 (MA5200F) or
2000 (MA5200F-2000) online subscribers of various types, 128 Virtual Local Area
Network (VLAN) dedicated lines and 128 transparent transmission VLAN dedicated
lines.
The ASIC chips enable high integration of packet forwarding, data exchange, route
processing, subscriber management, security management and device management
on the MA5200F.

III. Flexible network interfaces

The MA5200F provides 100M electric Ethernet port, 100M optical Ethernet port, 100M
multi-mode optical Ethernet port, 1000M single mode optical Ethernet port and 1000M
multi-mode optical Ethernet port for different networks. It also provides serial port and
network port for maintenance.

IV. Diversified access modes

Ethernet, xDSL, HFC and WLAN subscribers can access through the layer2 devices
like LAN Switch, IP DSLAM (Digital Subscriber Line Access Multiplexer), VDSL switch,
CMTS (Cable Modem Terminal System) and AP (Access Point).
Layer3 subscribers can access through Layer3 LAN Switch or router to the MA5200F.
According to different access methods and access requests, the MA5200F supports
Layer2 individual subscriber, Layer3 individual subscriber and dedicated line
subscribers (including Layer2 VLAN dedicated line, Layer3 VLAN dedicated line, Proxy
dedicated line, VLAN transparent transmission dedicated line and PPPoE dedicated
line).
The access requests from a subscriber can be triggered by various factors on the
MA5200F, including: static configuration, DHCP packet, ARP packet (ARP stands for
Address Resolution Protocol), PPPoE packet (PPPoE stands for Point-to-Point
Protocol over Ethernet), EAPoL packet (EAPoL stands for Extensible Authentication
Protocol over LAN) and data packet. In this way, the subscribers can obtain the service
very conveniently when they are in different states.

V. Flexible authentication methods

The MA5200F supports a variety of authentication methods to choose from: PPPoE
authentication, Web authentication, binding authentication, fast authentication, 802.1X
authentication, and no authentication.


Caution:

The MA5200F supports PPPoE, Web, fast and 802.1X authentication on the same port simultaneously.

The MA5200F supports local PAP, CHAP and EAP-MD5 authentication methods (PAP
stands for Password Authentication Protocol, CHAP stands for Challenge Handshake
Authentication Protocol). It also supports remote PAP, CHAP, EAP-MD5 and EAP-SIM
authentication (EAP-SIM stands for EAP Subscriber Identity Module).
The MA5200F can convert EAP-MD5 into CHAP, so that the authentication servers that
do not support EAP-MD5 can provide 802.1X authentication.
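
The conversion is possible because the EAP MD5-Challenge response (RFC 3748) and the CHAP response (RFC 1994) are the same digest, MD5(identifier || secret || challenge). The sketch below is an added example, not Huawei code: the manual does not describe the wire format, so the RADIUS CHAP-Password and CHAP-Challenge attributes (RFC 2865) and all function names here are assumptions used to show how an access device can translate without ever knowing the password.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4
# RADIUS attribute types from RFC 2865
RADIUS_USER_NAME, RADIUS_CHAP_PASSWORD, RADIUS_CHAP_CHALLENGE = 1, 3, 60


def md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Digest shared by CHAP and EAP MD5-Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP packet: Code, Identifier, Length, Type=4, Value-Size, Value, Name."""
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(type_data)) + type_data


def parse_eap_md5(packet: bytes, expected_code: int):
    """Return (identifier, value, name) or raise ValueError on a malformed packet."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != expected_code or length != len(packet):
        raise ValueError("unexpected EAP code or length")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("Value-Size exceeds packet")
    return identifier, packet[6:6 + size], packet[6 + size:length]


def radius_attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def eap_md5_to_chap_attrs(request: bytes, response: bytes) -> bytes:
    """Access-device side: turn the EAP exchange into RADIUS CHAP attributes."""
    req_id, challenge, _ = parse_eap_md5(request, EAP_REQUEST)
    resp_id, digest, user = parse_eap_md5(response, EAP_RESPONSE)
    if resp_id != req_id:
        raise ValueError("response does not match the outstanding request")
    if len(digest) != 16:
        raise ValueError("MD5 response must be 16 octets")
    # CHAP-Password = CHAP identifier (the EAP identifier) + 16-octet digest
    return (radius_attr(RADIUS_USER_NAME, user)
            + radius_attr(RADIUS_CHAP_PASSWORD, bytes([resp_id]) + digest)
            + radius_attr(RADIUS_CHAP_CHALLENGE, challenge))


def parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("malformed attribute")
        attrs[attr_type] = blob[i + 2:i + attr_len]
        i += attr_len
    return attrs


def server_verify_chap(attr_blob: bytes, secrets: dict) -> bool:
    """CHAP-only authentication server: it never sees an EAP packet."""
    attrs = parse_attrs(attr_blob)
    secret = secrets.get(attrs.get(RADIUS_USER_NAME))
    chap = attrs.get(RADIUS_CHAP_PASSWORD, b"")
    challenge = attrs.get(RADIUS_CHAP_CHALLENGE)
    if secret is None or len(chap) != 17 or challenge is None:
        return False
    expected = md5_response(chap[0], secret, challenge)
    return hmac.compare_digest(expected, chap[1:])


def demo(client_password: bytes, server_password: bytes) -> bool:
    """Constructed end-to-end run: supplicant -> access device -> CHAP server."""
    request = build_eap_md5(EAP_REQUEST, 7, os.urandom(16))
    req_id, challenge, _ = parse_eap_md5(request, EAP_REQUEST)
    response = build_eap_md5(EAP_RESPONSE, req_id,
                             md5_response(req_id, client_password, challenge),
                             name=b"alice")  # constructed user name
    attrs = eap_md5_to_chap_attrs(request, response)
    return server_verify_chap(attrs, {b"alice": server_password})


if __name__ == "__main__":
    print(demo(b"s3cret", b"s3cret"), demo(b"wrong", b"s3cret"))
```

Both schemes require the server to hold the subscriber secret in a form from which the MD5 digest can be recomputed, and neither authenticates the network to the subscriber.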

VI. Effective IP address solution

The MA5200F supports static and dynamic IP addresses. It provides a built-in
DHCP server (DHCP stands for Dynamic Host Configuration Protocol), and supports
DHCP Relay of an external DHCP server.
The MA5200F provides a unique function of secondary allocation of IP address to
protect public IP address resource. It also provides Network Address Translation (NAT)
to enable effective and flexible use of IP address resource.

VII. Complete accounting scheme

The MA5200F can collect the accounting information of the subscriber including time
and traffic. The MA5200F also supports local and remote accounting.
Realtime accounting is supported both locally and remotely, in order to ensure the
accuracy of the accounting information. Local protection mechanism is provided in
remote accounting, so that the tickets will not get lost when the network fails, and no
error ticket will be generated.
The MA5200F supports different accounting modes, including no accounting, prepaid
accounting and postpaid accounting. The prepaid accounting can be on the basis of
time or traffic. Together with the RADIUS server (RADIUS stands for Remote
Authentication Dial in User Service), the MA5200F also supports the integrated prepaid
accounting based on time and traffic, and supports switching between different tariffs.

VIII. Enriched service control policies

The MA5200F provides access restriction, traffic control, idle disconnection, QoS and
policy routing to guarantee the service quality.

IX. Powerful network security management

The MA5200F provides Access Control List (ACL), user log, and forgery check to
ensure legal use and effective management of the network resources.

X. Diversified value added services

The MA5200F provides VPN, multicast, plug-and-play, WLAN, forced Portal and IP
Hotel to satisfy broadband application in different scenarios, and bring more revenue to
the carriers.

XI. High security and reliability

The powerful heat dissipation and temperature adjustment system of the MA5200F
enables the operation of the device in places without air-conditioners. The MA5200F
provides both -48V DC and 220V AC power modules. Good electromagnetic shielding of
the system ensures its anti-interference performance. The high-integration chip in the
network processor reduces the complexity of the system, reduces the power
consumption, and enhances system stability. The system supports various online loop
tests and self-tests, and provides abundant alarm information. Carrier-class isolation,
lightning proof and anti-interference design on the subscriber ports ensure high
reliability of the devices on the subscriber side.

XII. Good maintainability

MA5200F supports local, remote and centralized maintenance, through serial port
communication or Telnet connection on the Ethernet port. The MA5200F supports
Simple Network Management Protocol (SNMP), using the iManager N2000 centralized
management system of Huawei to provide complete functions including alarm reporting,
network test, fault diagnosis and tracing.
Through HUAWEI Group Management Protocol (HGMP), the MA5200F can manage
and maintain the LAN Switches and IP DSLAM devices in the lower layer, and make the
integrated global management easier and more pleasant.

Chapter 2 Hardware and Software Structure

2.1 Hardware Structure


2.1.1 Appearance

The MA5200F is a chassis device of 2U, and can be accommodated in standard
19-inch cabinet. The dimensions are: 88.9mm (H), 426.7mm (D) and 482.6mm (W); the
weight of the device is 10kg. Figure 2-1 shows the appearance of the MA5200F.

Figure 2-1 Appearance of the MA5200F

Figure 2-2 shows the hardware components inside the MA5200F chassis.

(1) Fan (2) SPUC/SPUE (3) BKPC
(4) GE (5) FE0 (6) FE1
(7) FE2 (8) FE3 (9) Network interface, serial port, reset button and indicator

Figure 2-2 Hardware components of the MA5200F

The GE card is connected with the SPUC/SPUE through the 2mm connector. The FE
card is connected with the backplane BKPC through the 2mm connector. The cables on
the FE service network port, GE service network port, maintenance serial port and
network port are all led out from the front panel of the cards. The power supply, which
can either be 220V AC or -48V DC, is connected on the rear panel of the chassis. The
power module outputs 3.3V and 12V supplies for the cards and the fan respectively.
There are four fans inside the chassis to draw out the air for heat dissipation.

2.1.2 Hardware Modules

The MA5200F hardware modules consist of the service interface module, hardware
forwarding module, switching network module, control module, maintenance module,
power module and clock module, as shown in Figure 2-3.

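[Figure 2-3: block diagram of the MA5200F hardware modules (CPU, clock module, control module, switching network module, power module, maintenance module, hardware forwarding module, service interface module) and the external connections to the NMS, command line, LAN Switch and IP backbone.]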

Figure 2-3 MA5200F hardware structure

The service interface module provides 24 10/100M electric or optical Ethernet ports,
subject to the hardware configuration, and 2 1000M optical Ethernet ports (single mode and
multi-mode).
The hardware forwarding module is the core for high speed forwarding of packets in the
MA5200F, in which the analysis, processing and forwarding of packets are all
implemented through hardware. Compared with the mechanism in which packets are
forwarded through software, hardware forwarding is less complex and more efficient.
The switching network module provides a total capacity of 10Gbps for bidirectional
switching, and large capacity QoS queuing, which ensure the overall forwarding
performance and good QoS.
The control module is the center of the system that completes the various functions
including system configuration, device management, route management, connection
management, protocol processing, device self-test, system alarm and network
management.
The clock module provides 32.768 kHz clock to ensure accurate timing of the system.
The maintenance module provides command line interface and network management
interface for system maintenance.
The power module supports 220V AC and -48V DC supply in 1+1 hot backup mode.

2.1.3 Cards

I. SPUC/SPUE

SPUC/SPUE (SPUC for the MA5200F and SPUE for the MA5200F-2000) is the control
and service process card that provides all the service functions, including the linear
forwarding of data packets, system management, subscriber management, accounting
and authentication. Each MA5200F is configured with one SPUC/SPUE.
SPUC/SPUE provides these interfaces:
• 3 power supply connectors for the fans
• 2 external power supply connectors

II. DMIC

The Debug Management Interface Card (DMIC) provides the maintenance interfaces,
reset button and indicator lamps. Each MA5200F is configured with one DMIC.
The DMIC provides these interfaces:
• 1 10/100Mbps maintenance network port, 1 maintenance serial port
• 1 reset button
• 1 power indicator, 1 running indicator, 1 alarm indicator

III. XSM

The XSM is a daughter card on the SPUC/SPUE, which completes some hardware
calculations and searching, including flow classification, address mapping and keyword
searching. Each MA5200F is configured with one XSM.

IV. BKPC

The BKPC is the backplane of the MA5200F, which connects the SPUC/SPUE and the
various interface cards. SPUC/SPUE is connected vertically to the BKPC through three
2mm HM A connectors (22×5). Each MA5200F is configured with one BKPC.

V. FE

The fast Ethernet interface card FE is connected vertically to the BKPC through one
2mm HM A connector (22×5). Each FE card provides 6 10/100Mbps electric Ethernet
ports or 6 100Mbps optical Ethernet ports. Each MA5200F is configured with 1~4 FE
cards.

According to different types of interface provided, there are three types of FE interface
cards:
• 6-port electric FE interface card
• 6-port single mode optical FE interface card (15km)
• 6-port multi-mode optical FE interface card (2km)
Hybrid configuration of these three types of FE cards is allowed on the same MA5200F
device.

VI. GE

The gigabit Ethernet interface card GE is connected vertically to the BKPC through 3
2mm HM A connectors (22×5). Each GE card provides one or two 1000M optical
Ethernet ports. Each MA5200F is configured with one GE card.
According to different types of interface provided, there are six types of GE cards:
• 1-port single mode optical GE interface card (10km)
• 1-port multi-mode optical GE interface card (500m)
• 2-port single mode optical GE interface card (10km)
• 2-port multi-mode optical GE interface card (500m)
• 1-port single mode optical GE interface card (40km)
• 1-port single mode optical GE interface card (70km)
According to actual situation, one of the above GE interface cards is configured.

2.1.4 Indicators

On the MA5200F, there are various indicator lamps that help you to understand the
operation status of the device.

I. Power indicator

The power indicator is on the lower right corner of the MA5200F front panel, under the
mark “PWR”. This indicator tells you about the status of power supply to the MA5200F.
Table 2-1 shows the status and meanings of the power indicator.

Table 2-1 States and meanings of the power indicator

State | Meaning
Off | No power is supplied.
On | System is powered on and is running.

II. Running indicator

The running indicator is on the lower right corner of the MA5200F front panel, under the
mark “RUN”. This indicator tells you about the running status of MA5200F. Table 2-2
shows the status and meanings of the running indicator.

Table 2-2 States and meanings of the running indicator

State | Meaning
2Hz flash | Configuration file is being loaded.
1Hz flash | System is running normally.

III. Alarm indicator

The alarm indicator is on the lower right corner of the MA5200F front panel, under the
mark “ALM”. This indicator tells you about the alarm status of the MA5200F. Table 2-3
shows the status and meanings of the alarm indicator.

Table 2-3 States and meanings of the alarm indicator

State | Meaning
Off | System is running normally.
On | Error occurred in the system.

IV. Link status indicator on electric FE port

The link status indicator on the electric FE port (Link) is located at the edge of the port.
This is a green LED (Light Emitting Diode), indicating the link status on the port. Table
2-4 shows the status and meanings of the link status indicator on the electric FE port.

Table 2-4 States and meanings of the link status indicator on the electric FE port

State | Meaning
Off | The link has not been set up.
On | The link has been set up.

V. Rate indicator on the electric FE port

The rate indicator on the electric FE port (Active) is located at the edge of the port. This
is an orange LED, indicating the data transceiving state. Table 2-5 shows the states and
meanings.

Table 2-5 States and meanings of the rate indicator on the electric FE port

State | Meaning
Off | No data is being transceived.
Flash | Data is being transceived.

VI. Link status indicator on optical FE port

The link status indicator on the optical FE port (Link) is located at the edge of the port.
This is a green LED, indicating the link status of the port. Table 2-6 shows the status
and meanings of the link status indicator on the optical FE port.

Table 2-6 States and meanings of the link status indicator on the optical FE port

State | Meaning
Off | The link has not been set up.
On | The link has been set up.

VII. Data transceiving indicator on optical FE port

The data transceiving indicator on the optical FE port (Active) is located at the edge of the
port. This is an orange LED, indicating the data transceiving status on the optical FE
port. Table 2-7 shows the status and meanings of the data transceiving indicator on the
optical FE port.

Table 2-7 States and meanings of the data transceiving indicator on the optical FE port

State | Meaning
Off | No data is being transceived.
Flash | Data is being transceived.

VIII. Link status indicator on optical GE port

The link status indicator on the optical GE port (Link) is located at the edge of the port.
This is a green LED, indicating the link status of the port. Table 2-8 shows the status
and meanings of the link status indicator on the optical GE port.

Table 2-8 States and meanings of the link status indicator on the optical GE port

State | Meaning
Off | The link has not been set up.
On | The link has been set up.

IX. Data transceiving indicator on optical GE port

The data transceiving indicator on the optical GE port (Active) is located at the edge of the
port. This is a green LED, indicating the data transceiving status on the optical GE port.
Table 2-9 shows the status and meanings of the data transceiving indicator on the
optical GE port.

Table 2-9 States and meanings of the data transceiving indicator on the optical GE port

State | Meaning
Off | No data is being transceived.
On | Data is being transceived. The brightness of the indicator is in direct proportion with the amount of data being transceived.

2.1.5 Hardware Interface

I. Service interface

The MA5200F supports 24 electric or optical FE ports and 2 optical GE ports. Four
interface cards provide 24 FE ports, each having 6 FE ports. The optical GE ports are
also provided through the interface card. You can configure them as required.
The following section only gives a brief introduction to the FE ports and GE ports. For
detailed specifications, refer to Chapter 6.
• Electric FE port
Table 2-10 shows the specifications of the electric FE port.

Table 2-10 Specifications of the electric FE port

Features | Specifications
Quantity | 6 electric FE ports on each FE card; 24 FE ports for each MA5200F at most
Rate | 10/100Mbps
Mode | 10Base-T/100Base-TX
Cable | Unshielded Twisted Pair (UTP)/Shielded Twisted Pair (STP)
Connector | RJ-45
Transmission distance | UTP: 100m; STP: 150m
Standards | IEEE 802.2, IEEE 802.3, IETF Ethernet II

• Optical FE port
Table 2-11 shows the specifications of the optical FE port.

Table 2-11 Specifications of the optical FE port

Features | Specifications
Quantity | 6 optical FE ports on each FE card; 24 FE ports for each MA5200F at most
Rate | 100Mbps
Mode | 100Base-FX
Cable | Single-mode/multi-mode
Connector | LC
Transmission distance | Single-mode: 15km; Multi-mode: 2km
Ambient temperature | 0-70 degrees Celsius
Standards | IEEE 802.3u
• Optical GE port
Table 2-12 shows the specifications of the optical GE port.

Table 2-12 Specifications of the optical GE port

Features | Specifications
Quantity | Maximum 2
Rate | 1250Mbps
Mode | 1000Base-FX
Cable | Single-mode/multi-mode
Connector | LC
Transmission distance | Single-mode: 10km, 40km, 70km; Multi-mode: 500m
Standards for optical port | GPCS port
Ambient temperature | 0-70 degrees Celsius
Standards | IEEE 802.ab

II. Maintenance port

The MA5200F provides one serial port and one Ethernet port for maintenance.
• Serial port

Table 2-13 Specifications of the maintenance port

Features | Specifications
Quantity | 1
Rate | Default as 9600bps
Connector | RJ-45
Standards | RS232

• Ethernet port
The specifications of the maintenance Ethernet port are the same as those of the
electric FE ports; refer to Table 2-10.

III. Power interface

The MA5200F provides 220/110V compatible AC power interface or -48V DC power
interface for your option.

2.2 Software Architecture


With its modular design and standard protocols or interfaces, the MA5200F software
modules are interfaced for standard and independent functions. This has enabled the
clear architecture and function of the software system, and facilitates system update
and service expansion.
The MA5200F software has three logic modules:
• System management module
The module provides these functions: device management, system resource
management, monitoring on system running status, management and control interface
(command line, Telnet, NM interface), log, alarm, patch and loading.
• Route forwarding control module
By processing the routing information and the connection information from the service
forwarding module, this module establishes the forwarding paths and control policies
for the service packets of the subscribers. Based on the information, the network
processor can forward the packets while implementing access control, flow control,
congestion control and queuing priority control.
• Service control module
The module authenticates the access requests to identify the legal requests. According
to the configuration information, it sets up the connection information table for other
modules to implement management on the subscribers. The connection information
includes ACL, priority and restriction on service speed and so on. This module also
extracts and records the statistics on subscriber data packets and access time, so that
accounting can be made on the basis of time and traffic.

Chapter 3 Service and Function

The MA5200F is located at the access layer or convergence layer of networks,
providing subscriber management, accounting control, address management, service
control and security management functions. The MA5200F can be applied in
broadband MANs, enterprise Intranets, CANs, GDNs and intelligent hotels.
The MA5200F can provide, together with Huawei Quidway series of routers and LAN
Switches, MA5100 series, MA5300 and iTELLIN intelligent network products, the
“Manageable, Operable and Profitable” broadband MAN solutions.
This chapter introduces the services and functions that the MA5200F can provide from
the following aspects:
• Supporting platform
• Route management
• Access authentication
• Address management
• Subscriber accounting
• Service control
• Security management
• Value added services
• Network management
• System Maintenance

3.1 Supporting Platform


The MA5200F is based on the Versatile Routing Platform (VRP) for Huawei datacom
products. The VRP, taking IP service as its core, has a modular structure and provides
rich function features with application-based flexibility and extensibility.
Taking TCP/IP (Transmission Control Protocol/Internet Protocol) as its core, VRP
integrates in its operating system the routing technology, QoS technology, VPN
technology and security technology, and its IP TurboEngine technology enables
excellent packet forwarding performance.
VRP is a versatile routing platform with complete intellectual property rights of Huawei.
It provides unified network interface, user interface and management interface for
different types of hardware platforms. It also provides flexible application solutions with
hundreds of function features. VRP is a platform with sustainable development features,
and can protect the customers’ investment to the largest extent.

3.2 Route Management


Basic principles about route management are found in many TCP/IP publications;
hence details are not given in this book.
The MA5200F supports static routes, and dynamic routing protocols like RIP, OSPF
and BGP. The router can also obtain some direct routes automatically while running,
according to the interface status and user configuration.
The MA5200F supports multicast routing protocols like PIM-SM, PIM-DM and IGMP
(Internet Group Management Protocol). Refer to 3.8.1 Multicast for more details.

3.2.1 Route Management Policy

In the MA5200F, you can configure manually static route(s) to a specific destination, or
configure dynamic routing protocols to interact with other routers in the network, and
discover the routes through route algorithm.
The MA5200F manages the static routes and the dynamic routes together. The static
routes and the routes discovered or configured with different routing protocols can
be shared among the routing protocols.

I. Routing protocol and route priority

Different routing protocols may discover different routes to the same destination, but
not all these routes, including the static route(s), are optimal routes. Priority
values have been given to different routing protocols (including the static routes). When
there are multiple routes to the same destination, the route discovered by the routing
protocol that has the highest priority will be used to forward the packets.
You can configure manually the priority values for different routing protocols except for
the direct route, Internal BGP (IBGP) and External BGP (EBGP). The priority values of
different static routes may also be different.

II. Route backup

Route backup means to switch the route to the secondary one, when the primary route
is faulty, in order to ensure the reliability of the network.
To implement route backup, multiple routes are configured for the same destination.
Among these routes, the one with the highest priority is the primary route, and the remaining
routes are the secondary routes, queuing up according to their priorities. In normal
cases, the router forwards packets through the primary route. When the primary route
fails, the route with the highest priority among the secondary routes will be selected to
forward packets. This is the switchover between the primary and secondary routes.
When the primary route restores, the router will select it again to forward packets.

III. Route sharing among different routing protocols

Since different routing protocols have different algorithms, they may discover different
routes to the same destination. The MA5200F supports importing the route that is
discovered by one routing protocol to another routing protocol so as to share the
routing data discovered by different routing protocols. Each protocol has its
route-import functionality.

3.2.2 Static Route and Default Route

I. Static route

Static route is a special route that is configured manually by the administrator.


In a network with simple structure, you need only the static route to make the router
work normally. Proper configuration and use of static route can enhance network
performance, and give a guaranteed bandwidth to the special customers.
Static route has its limitation: when a network changes, the static route in the network
will not make change to cope with the new situation; instead, it has to be modified by
the administrator.

II. Default route

Default route is a special route, which can be a configured static route, or a route
configured through some dynamic routing protocols, like OSPF.
The default route is used when no routing entry is found in the routing table to match the
destination. That is to say, the default route is used only when there is no suitable route
to the destination.
In the routing table, the default route is to the network 0.0.0.0 (netmask as 0.0.0.0). If no
default route has been configured, and the destination of the packet is not in the routing
table, the packet will be discarded. Meanwhile, an ICMP packet (ICMP stands for
Internet Control Message Protocol) will be returned to the source address, reporting
that the destination or the network is unreachable.
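
The route priority, route backup and default route rules of sections 3.2.1 and 3.2.2 can be combined into one lookup, shown here as an added example that is not code from the manual or from the MA5200F. It assumes standard longest-prefix matching and that a lower preference number means a higher priority; the preference values, prefixes and next hops are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    protocol: str
    preference: int          # assumption: lower value = higher priority
    reachable: bool = True   # False while the path through next_hop is faulty


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, protocol, preference):
        self.routes.append(
            Route(ipaddress.IPv4Network(prefix), next_hop, protocol, preference))

    def set_reachable(self, next_hop, reachable):
        """Mark every route through next_hop as faulty or restored."""
        for route in self.routes:
            if route.next_hop == next_hop:
                route.reachable = reachable

    def lookup(self, destination):
        """Return the route used for destination, or None if none matches."""
        addr = ipaddress.IPv4Address(destination)
        usable = [r for r in self.routes if r.reachable and addr in r.prefix]
        if not usable:
            return None
        # The most specific prefix wins; 0.0.0.0/0 matches everything and is
        # therefore chosen only when no other entry matches.
        longest = max(r.prefix.prefixlen for r in usable)
        same_destination = [r for r in usable if r.prefix.prefixlen == longest]
        # Among routes to the same destination, the highest priority is the
        # primary route; the others are secondary routes used on failure.
        return min(same_destination, key=lambda r: r.preference)

    def forward(self, destination):
        route = self.lookup(destination)
        if route is None:
            # No matching entry and no default route: discard and report.
            return ("discard", "ICMP destination unreachable")
        return ("forward", route.next_hop)


def build_sample_table():
    """Constructed sample: one destination learnt twice, plus a default route."""
    table = RoutingTable()
    table.add("10.1.0.0/16", "192.0.2.1", "static", 60)    # primary
    table.add("10.1.0.0/16", "192.0.2.2", "rip", 100)      # secondary
    table.add("0.0.0.0/0", "192.0.2.254", "static", 60)    # default route
    return table


if __name__ == "__main__":
    table = build_sample_table()
    print(table.forward("10.1.5.9"))          # primary route
    table.set_reachable("192.0.2.1", False)
    print(table.forward("10.1.5.9"))          # switchover to the secondary
    table.set_reachable("192.0.2.1", True)
    print(table.forward("10.1.5.9"))          # primary restored
    print(table.forward("203.0.113.7"))       # default route
```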

3.2.3 RIP

RIP is a simple but widely-used dynamic routing protocol.


RIP is based on Distance-Vector (DV) algorithm, using User Datagram Protocol (UDP)
packet to exchange the routing information. A RIP router sends a route update
message every 30 seconds. If no route update message is received from a
neighboring node within 180 seconds, all the routes to this node will be marked as
unreachable. If the expected route update message is not received within 300 seconds,
this node will be removed from the routing table that is kept on the router. RIP-1 does
not support packet encryption, while RIP-2 supports the packet encryption.

RIP uses Hop Count to measure the distance between the source and destination of the
packet, which is called Routing Metric. In RIP, the Hop Count from a router to its directly
connected network is 0; to the network that has one router in between is 1, and so on.
To control the convergence time, the metric value in RIP is an integer between 0 and 15.
A hop count equal to or larger than 16 is defined as infinite, which means the
destination network or host is unreachable.
To prevent route loop, RIP supports Split Horizon and Poison Reverse. RIP also allows
the import of routes that are discovered by other protocols.
RIP is used by most of the IP manufacturers. RIP is used in most of the CANs and area
networks with simple structure. For large or complicated networks, RIP is not used.
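
The timers, the hop count limit and the loop prevention rules described in this section, modelled as an added example (not code from the manual or from the MA5200F). The RipRouter class and the prefixes are constructed for illustration, and the model is simplified to one table per router with updates passed in as dictionaries.

```python
from dataclasses import dataclass
from typing import Optional

UPDATE_INTERVAL = 30   # seconds between route update messages
TIMEOUT = 180          # silence after which routes are marked unreachable
REMOVE_AFTER = 300     # silence after which routes are removed
INFINITY = 16          # hop count that means "unreachable"


@dataclass
class RipRoute:
    metric: int
    via: Optional[str]   # neighbour the route was learnt from; None = direct
    last_update: float


class RipRouter:
    def __init__(self, name):
        self.name = name
        self.table = {}   # prefix -> RipRoute

    def add_connected(self, prefix):
        # The section above counts a directly connected network as hop count 0.
        self.table[prefix] = RipRoute(0, None, 0.0)

    def receive_update(self, neighbour, advertised, now):
        """Process one update message ({prefix: metric}) from a neighbour."""
        for prefix, metric in advertised.items():
            new_metric = min(metric + 1, INFINITY)
            current = self.table.get(prefix)
            if current is None:
                if new_metric < INFINITY:
                    self.table[prefix] = RipRoute(new_metric, neighbour, now)
            elif current.via == neighbour:
                # Same source: always believe it, even when the metric worsens.
                current.metric = new_metric
                if new_metric < INFINITY:
                    current.last_update = now
            elif new_metric < current.metric:
                self.table[prefix] = RipRoute(new_metric, neighbour, now)

    def age(self, now):
        """Apply the 180-second and 300-second timers to learnt routes."""
        for prefix, route in list(self.table.items()):
            if route.via is None:
                continue   # directly connected networks do not age
            silent = now - route.last_update
            if silent >= REMOVE_AFTER:
                del self.table[prefix]
            elif silent >= TIMEOUT:
                route.metric = INFINITY

    def build_update(self, neighbour, poison_reverse=True):
        """Build the update sent to one neighbour every UPDATE_INTERVAL."""
        update = {}
        for prefix, route in self.table.items():
            if route.via == neighbour:
                # Split Horizon: never offer a route back to its source.
                # Poison Reverse: offer it, but as unreachable.
                if poison_reverse:
                    update[prefix] = INFINITY
                continue
            update[prefix] = route.metric
        return update


def demo():
    """Constructed two-router scenario: A learns one network from B."""
    a, b = RipRouter("A"), RipRouter("B")
    a.add_connected("10.1.0.0/16")
    b.add_connected("10.2.0.0/16")
    a.receive_update("B", b.build_update("A"), now=0)
    return a


if __name__ == "__main__":
    router = demo()
    print(router.build_update("B"))
    router.age(180)
    print(router.table["10.2.0.0/16"].metric)
```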

3.2.4 OSPF

OSPF was developed by the IETF, and is an interior gateway protocol based on link state.
Current OSPF version is 2 (RFC2328), and Table 3-1 shows its features.

Table 3-1 OSPF features

Features | Description
Application | Supports networks of various sizes, up to hundreds of routers.
Fast convergence | Route update is sent immediately after the network topology changes so that the information can be synchronized in the AS.
Loop free | Route loop is not generated since the route is calculated through the shortest path first (SPF) algorithm according to the link status.
Area management | AS networks can be divided into areas to further abstract the routing information transmitted between the zones in order to reduce occupied network resource.
Metric route | Supports multiple routes with same metric to the same destination.
Classified routes | Uses four types of routes, which are classified, according to their priorities, as: Intra-area route, Inter-area route, Category 1 external route, and Category 2 external route.
Packet authentication | Supports port-based packet authentication to ensure security of route calculation.
Multicasting | Supports multicast addresses.

OSPF route calculation procedures are as follows:


1) A router that supports OSPF maintains a Link State Database (LSDB) that
describes the topological structure of the whole AS. According to its adjacent
network topology, this router generates Link State Advertisement (LSA) and sends
it to other routers in the network. After all the routers have received the LSAs from
other routers in the network, all these LSAs together can form an LSDB.
2) LSA describes the topology that is adjacent to a specific router, while LSDB
describes the topology of the entire network. A router can easily convert the LSDB
into a route metric map that reflects the real structure of the entire network. This
route metric map is completely the same on all the routers.
3) In OSPF, a router regards itself as the root, and uses the SPF algorithm to calculate a
shortest path tree. The tree gives the paths to all the nodes in the AS, and external
routing information forms the leaf nodes. A router that broadcasts an external route
tags the route, so that additional information about the AS can be
recorded. The routing tables obtained after the calculation are different on different
routers.
In order to broadcast the local state of a router (like the information of available
interfaces and reachable neighbors) to the entire network, multiple adjacencies must
be established between the router and other routers in the network. However, this
adjacent relationship causes multiple transmissions of the route change in any of the
routers, and wastes network resources. OSPF has defined a Designated Router (DR),
and all the routers will send routing information only to this DR. Then the DR will
broadcast the information to the network. This can reduce the number of adjacencies
between the routers in a multi-address access network.
OSPF supports port-based packet authentication to ensure security of route calculation.
The packets are sent and received in IP multicast mode.

3.2.5 BGP

BGP is a dynamic route discovery protocol between ASs. It exchanges loop-free
routing information between different ASs. By exchanging information about reachable
routes that contain the AS serial number attributes, BGP helps to construct the topology
map of an autonomous area.
BGP versions include BGP-1 (refer to RFC1105), BGP-2 (refer to RFC1163), BGP-3
(refer to RFC1267) and BGP-4 (refer to RFC1771).
BGP-4 is applicable to a distributed network structure, and supports Classless
Inter-Domain Routing (CIDR). BGP also supports the implementation of
user-configured policies. BGP-4 is becoming the standard for Internet external routing
protocols, and the application of BGP is often found between the Internet Service
Providers (ISPs).
Table 3-2 shows the features of BGP.

Table 3-2 BGP features

Features | Description
External routing protocol | BGP is an external routing protocol, which is different from internal routing protocols like OSPF and RIP. BGP is not intended to discover and calculate the routes, instead, it aims to control the transmission of routing information, and select the optimized route.
Loop free | By carrying AS attribute information in the BGP routing packets, route loop can be eliminated.
Protocol reliability | The transmission layer protocol is TCP, which enhances the reliability.
CIDR | BGP-4 supports CIDR, which is an important improvement over BGP-3. CIDR does not classify IP address in the usual way like Class A, B and C. For example, an illegal Class C address 192.213.0.0 (255.255.0.0) will be indicated in CIDR as 192.213.0.0/16, which is a legal super network address, and /16 indicates the subnet mask is composed of the first 16 bits from the leftmost of the address. CIDR simplifies Routes Aggregation (RA) process by broadcasting one route instead of multiple routes, and reduces the sizes of the routing tables.
Route update | BGP only sends the updated part of routing information, and the occupied bandwidth is reduced remarkably. This feature is especially suitable for transmission of large amount of routing information over the Internet.
Routing policy | BGP provides abundant routing policies for flexible selection and filtering of the routes, and facilitates future expansion of network.

BGP runs in a specific router (MA5200F here) as a high level protocol. When the
system starts, the BGP router sends out the whole BGP routing table to its peers to
exchange routing information. After that, only the update messages are exchanged.
The system keeps sending and receiving the keep-alive messages to detect the
connection status between the devices.
The router that sends the BGP message is called BGP speaker, which receives and
generates new route updates and advertises them to other BGP speakers. When a
BGP speaker receives an unknown route update, or a route update that is better than
all the known routes, the BGP speaker will advertise the route update to all the other
BGP speakers in the AS. BGP speakers that exchange routing information between
them are called peers. Multiple peers can form a peer group.
On the MA5200F, BGP runs in IBGP or EBGP modes. When BGP runs in the same AS,
it is called IBGP; when it runs in different ASs, it is called EBGP.

3.3 Access Authentication

Note:
The access described in this section is different from physical link access (like Ethernet access, ADSL
access and WLAN access). Instead, the access here means the access protocol, or the collection of
access protocol and technologies used to complete the user access.

The following are key factors about an access system:


• Identification on the access session, that is, the link layer protocols used for the
access.
• Authentication on the subscriber who requests for access, that is, protocols and
technologies used to authenticate the user.
• Isolation and control on the access subscriber, that is, the technologies to
separate different subscribers and implement access proxy.
• Allocation of IP addresses, that is, the method to assign IP address for the
subscriber.
• Accounting method to be applied to the access subscriber.
This chapter describes specifically the IP address allocation and accounting. In this part,
the principles to implement the remaining three access technologies in the MA5200F are
described.
The basic access methods on the MA5200F include PPPoE, VLAN and 802.1X.
Leased line access and Layer3 BAS authentication are also supported.

Note:
Physical links are somewhat related to the access protocols. For example, the most popular protocol for
Ethernet access is VLAN+DHCP, that for ADSL access is PPPoE, and that for WLAN access is 802.1X.
However, this kind of relation is neither obvious nor certain. For example, 802.1X and PPPoE can also be
used as the access protocol in Ethernet access.

3.3.1 PPPoE Access

I. Introduction to PPPoE access

PPPoE access means establishing a point-to-point connection between the MA5200F
and the subscriber through PPPoE virtual dialing. In PPPoE access, the authentication
protocol is PAP or CHAP, and the IP address is obtained through PPP negotiation.
PPPoE access actually covers the entire series of protocols and technologies that are
related to this access mode: not only link layer PPPoE, but also the PPP (Point-to-Point
Protocol) suite.
In the MA5200F, PPPoE and PPP belong to different functional items. The MA5200F
has a built-in PPPoE server and a built-in PPP server. The PPPoE server is responsible
for establishing the session between the MA5200F and the subscriber. It terminates the
PPPoE packets from the subscriber and extracts the PPP packets to send them to the
PPP server. It also applies PPPoE encapsulation to the PPP packets from the PPP
server, and sends the packets to the subscriber.
The PPP server is responsible for PPP negotiation with the subscriber after the PPPoE
session has been established. The PPP server allocates the IP address to the subscriber,
authenticates the subscriber and completes the access authentication process. At this
time, the MA5200F plays the role of a BAS. It terminates the PPP packets from the
subscriber, extracts and forwards the IP packets, or applies PPP encapsulation to the
IP packets and sends them to the PPPoE server for processing.

II. PPPoE access authentication flow

The authentication flow for PPPoE access is as follows:

1) The client terminal sends out a connection request through PPPoE dialing.
2) The MA5200F performs PPPoE negotiation with the client terminal, creates a PPPoE
control block, sets up the session for the subscriber, allocates a Session ID for the
session, and sets up the PPPoE link.
3) The MA5200F performs PPP negotiation with the client. The user name and
password of the subscriber are sent to the MA5200F in PAP or CHAP
authentication.
4) According to the authentication scheme configured in the subscriber domain, the
MA5200F implements local or remote authentication on the subscriber, and
returns the authentication result.
5) After the authentication is successful, the MA5200F allocates an IP address to the
subscriber from the address pool configured in the subscriber domain. The IP
address can also be allocated through DHCP Relay from a remote DHCP server.
6) Now the subscriber can access the Internet, and accounting starts. All the packets
that the subscriber sends or receives are encapsulated with PPPoE/PPP.
7) While the subscriber is online, the MA5200F will “shake hands”
with the subscriber at regular time intervals, in order to obtain accurate
connection information in real time. If no reply is received within the configured
maximum number of handshakes, the MA5200F will regard the subscriber as
offline. Then the MA5200F releases the connection, deletes related information
and stops accounting on the subscriber.
8) The online subscriber can use the PPPoE dialing software to terminate the
connection. In this case, the MA5200F will delete the connection information and
stop the accounting immediately.

3.3.2 VLAN Access

I. Introduction to VLAN access

VLAN access means to establish a connection between the MA5200F and the
subscriber by Ethernet II or 802.1Q protocol. In VLAN access, the authentication
methods are Web authentication, binding authentication or fast authentication, and IP
address is obtained through static configuration or DHCP server.
In VLAN access, the subscribers are identified and isolated by VLAN IDs. The
subscriber terminal (PC) must be connected to the MA5200F through one LAN Switch,
or through multiple subtended LAN Switches. According to the physical position of the
subscriber, the LAN Switch will add VLAN ID that complies with 802.1Q to the
subscriber packets. In this way, subscribers of different VLANs are isolated. To
exchange information, the packets from the subscribers must be forwarded through the
MA5200F.

II. Procedures to obtain IP address in VLAN access

In VLAN access, static IP address can be configured, or the IP address can be obtained
through DHCP mode. To obtain IP address through DHCP mode:
1) The subscriber terminal broadcasts DHCP Discovery message when the terminal
is powered on.
2) The MA5200F returns a reply for the DHCP Discovery message.
3) The subscriber sends DHCP Request message.
4) The MA5200F decides, according to VLAN information contained in the DHCP
Request message, which local address pool or remote DHCP server should be
used to allocate IP address to the subscriber.
5) If the address is allocated from local address pool, an address will be taken from
the address pool and sent to the subscriber together with the address lease
information.
6) If the address is allocated from DHCP server, the MA5200F will forward the DHCP
request (DHCP Relay) to the DHCP server, and transmit the reply message from
the DHCP server to the subscriber.
7) After the subscriber has obtained the IP address with a certain lease, the access
link is established.
At a certain time before the IP address lease expires, the subscriber sends a request
to extend the lease. If the local address pool or DHCP server accepts the
request, the lease will be extended automatically. Otherwise, the subscriber will have to
request an IP address again by sending the DHCP Request message.

III. Authentication flow in VLAN access

In VLAN access, the subscriber is authenticated through Web authentication, binding
authentication or fast authentication. You can also configure not to implement
authentication on the subscriber. Table 3-3 shows the authentication for VLAN access.

Table 3-3 Authentication for VLAN access

| Authentication mode | Description |
|---|---|
| Web authentication | The subscriber is authenticated by inputting user name and password in the Web page. |
| Binding authentication | The MA5200F authenticates the subscriber through the account name and password that are generated automatically from the access VLAN port information. |
| Fast authentication | The subscriber visits the Web page and requests for authentication without inputting user name and password. The MA5200F will generate account name and password for the subscriber according to the access VLAN port information. Fast authentication is a combination of Web authentication and binding authentication. |
| No authentication | The subscriber needs no authentication, and is online automatically after the subscriber PC is switched on. |

In binding authentication, after the subscriber has obtained the IP address, the
MA5200F will generate account name and password for the subscriber, according to
the access port and VLAN information. This process is invisible to the subscriber, who
can get online after the IP address is obtained. However, in this authentication mode, a
VLAN is generally configured with only one user, in order to guarantee the legality of
the user.
In Web authentication and fast authentication, the subscriber is in a “pre-connection”
status after IP address is obtained. In this status, the subscriber is allowed to access
only the addresses that are defined in ACL, like the Web authentication server (built-in
or external). To obtain the access authority to the Internet, the subscriber needs Web
authentication or fast authentication.
The procedures of Web authentication and fast authentication are as follows:
1) The subscriber can visit the Web authentication server directly, or through forced
Web authentication mode. In the forced Web authentication mode, the
subscriber’s request to access a certain address is force-redirected by the
MA5200F to the forced Web authentication server, and a client end software for
heart-beat detection is downloaded.
2) In Web authentication, the subscriber inputs the user name and password in the
Web page provided by the Web authentication server; in fast authentication, the
subscriber does not need to input the user name and password.
3) The Web authentication server sends the user name and password input by the
subscriber, or the user name and password configured for fast authentication, to
the MA5200F.
4) According to related configuration, the MA5200F implements local or RADIUS
authentication on the subscriber. After the authentication, the subscriber obtains
the authority, and receives authentication successful message from the Web
server.
5) The subscriber is connected to the Internet, and the MA5200F starts accounting
on the subscriber.
6) The client end sends the heart beat packets to report its online status to the Web
server. If the Web server does not receive the heart beat packet within a certain
period of time, the subscriber will be regarded as offline. Consequently, the Web
authentication server will inform the MA5200F to disconnect the subscriber, and
stop accounting.
7) The online subscriber can use the client end software to inform the Web
authentication server to terminate the connection. After that, the Web server will
inform the MA5200F to delete the connection information, and stop accounting on
the subscriber.

Note:
Forced Web authentication: When the subscriber who needs Web authentication or fast authentication
attempts to access the unauthorized address, the MA5200F will force-redirect the access request to the
forced Web authentication server.
In the forced Web authentication, the forced Web authentication server and Web authentication server
may work separately. The forced Web authentication server provides the authentication Web page to get
the subscriber’s name and password and send them to the Web authentication server by using the internal
protocol. The Web authentication server will interact with the MA5200F to complete the authentication
process.

3.3.3 802.1X Access

I. Introduction to 802.1X access

802.1X access means establishing a connection between the MA5200F and the
subscriber by using the EAPoL protocol. In 802.1X access, the authentication method is
EAP, and the IP address is obtained through static configuration or a DHCP server.
802.1X (IEEE Std 802.1X-2001) defines the authentication protocol EAP, which is aimed at
point-to-point or wireless access, or leased lines. In the MA5200F, however, 802.1X can
be used not only in WLAN access authentication, but also in Ethernet access
authentication. In this case, EAPoL is required to bear the EAP packets.
Because LAN Switches and HUBs are used to connect the subscribers in MA5200F
networking, the concept of the EAP logic port must be extended. The MA5200F defines
the 802.1X logic port, in which the physical port, VLAN and MAC address (MAC stands
for Media Access Control) make up a logic port for the protocol.
802.1X only defines the authentication protocol on the port, and is not concerned with the
acquisition of the subscriber address or the various access control rules. To realize the
“operable and manageable” idea in broadband access, the MA5200F binds the Layer2
and Layer3 authorities in EAP authentication of standard 802.1X access. This means
that the subscriber must pass the EAP authentication before obtaining an IP address
through DHCP. Also, after passing the EAP authentication, the subscriber obtains all
the authorities, and does not need any further authentication.
Compared with VLAN access mode, 802.1X access has some advantages, especially
in the protection of the IP address pool. In VLAN access, an IP address can be obtained
before the subscriber has been authenticated, which may exhaust the IP address pool if
a huge number of subscribers log in without authentication.

II. Authentication procedures in 802.1X access

The following describes the authentication procedures of 802.1X access:

1) The authentication is triggered when the subscriber inputs the user name and
password through the 802.1X call maker. The authentication can also be initiated by
the MA5200F, after the subscriber is judged to be an 802.1X subscriber according
to the DHCP request. According to the ARP request from a static IP address, the
MA5200F can also judge that the subscriber is an 802.1X subscriber, and initiate
authentication.
2) The MA5200F conducts EAP negotiation with the 802.1X call maker on the
subscriber side, and establishes the EAPoL link.
3) According to the location of the subscriber domain, the subscriber can be
authenticated locally (EAP-END), or authenticated by the RADIUS server
(EAP-to-RADIUS) by converting EAP-MD5-based authentication into CHAP
authentication, and sending the user name and password to the RADIUS server.
The EAP packet from the subscriber can also be sent directly to the RADIUS
server for authentication (EAP-over-RADIUS).
4) The authentication result is sent to the subscriber. If the authentication fails, the
authentication can be terminated, or another authentication request can be
originated.
5) The subscriber originates a DHCP request.
6) The MA5200F responds to the DHCP request, and allocates an IP address for the
subscriber from the local address pool, or from a DHCP server through DHCP Relay.
7) The subscriber is connected to the Internet, and the MA5200F starts accounting.
8) When the subscriber is online, the MA5200F will make handshake detection at
regular time intervals to check the connection status of the subscriber. If no reply is
received from the subscriber within the configured maximum detection time, the
MA5200F will regard the subscriber as having gone offline for an unknown reason.
In this case, the MA5200F will disconnect the subscriber, delete related
information and stop accounting on that subscriber.
9) The disconnection request can also be originated by the subscriber through the
802.1X call maker. The MA5200F will then disconnect the subscriber, take back
the IP address and stop accounting.
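
The EAP-to-RADIUS conversion in step 3, and the CHAP authentication used in PPPoE access (3.3.1), rest on the same computation: an EAP-MD5 response and a CHAP response are both MD5(identifier || password || challenge), so the access device can repackage one as the other. The following Python code is an added example, not Huawei code; the account, the identifier value and the use of the EAP Name field to carry the user name are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4                    # RFC 3748
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60   # RFC 2865


def chap_md5(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_eap_md5(code: int, ident: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP MD5-Challenge: Code, Identifier, Length, Type, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap_md5(pkt: bytes, expected_code: int):
    """Return (identifier, value, name); reject anything malformed."""
    if len(pkt) < 6:
        raise ValueError("truncated EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != expected_code or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("unexpected EAP code or type")
    size = pkt[5]
    if length > len(pkt) or 6 + size > length:
        raise ValueError("inconsistent EAP length fields")
    return ident, pkt[6:6 + size], pkt[6 + size:length]


def radius_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def eap_md5_to_chap_attrs(request: bytes, response: bytes) -> bytes:
    """Access device side: turn a completed EAP-MD5 round into RADIUS CHAP attributes."""
    req_id, challenge, _ = parse_eap_md5(request, EAP_REQUEST)
    rsp_id, digest, user = parse_eap_md5(response, EAP_RESPONSE)
    if rsp_id != req_id:
        raise ValueError("response does not answer this challenge")
    if len(digest) != 16:
        raise ValueError("MD5 response must be 16 bytes")
    return (radius_attr(ATTR_USER_NAME, user)
            + radius_attr(ATTR_CHAP_PASSWORD, bytes([rsp_id]) + digest)
            + radius_attr(ATTR_CHAP_CHALLENGE, challenge))


def parse_attrs(blob: bytes) -> dict:
    """Decode a run of RADIUS attributes into {type: value}."""
    attrs, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs[blob[i]] = blob[i + 2:i + blob[i + 1]]
        i += blob[i + 1]
    return attrs


def radius_verify_chap(attr_blob: bytes, user_db: dict) -> bool:
    """RADIUS server side: recompute the CHAP response from the stored password."""
    attrs = parse_attrs(attr_blob)
    try:
        user = attrs[ATTR_USER_NAME]
        chap = attrs[ATTR_CHAP_PASSWORD]
        challenge = attrs[ATTR_CHAP_CHALLENGE]
    except KeyError:
        return False
    secret = user_db.get(user)
    if secret is None or len(chap) != 17:
        return False
    return hmac.compare_digest(chap_md5(chap[0], secret, challenge), chap[1:])


USER_DB = {b"alice@isp1": b"correct horse"}   # constructed account


def run_exchange(typed_password: bytes):
    """One full round: challenge, supplicant response, conversion, server check."""
    ident, challenge = 0x2A, os.urandom(16)   # identifier value is arbitrary
    request = build_eap_md5(EAP_REQUEST, ident, challenge)
    # Supplicant: assumption for brevity, the user name rides in the Name field;
    # a real exchange usually learns it from an earlier EAP-Identity round.
    response = build_eap_md5(EAP_RESPONSE, ident,
                             chap_md5(ident, typed_password, challenge),
                             b"alice@isp1")
    attrs = eap_md5_to_chap_attrs(request, response)
    return attrs, radius_verify_chap(attrs, USER_DB)


if __name__ == "__main__":
    for pw in (b"correct horse", b"wrong guess"):
        print(pw, "->", "accept" if run_exchange(pw)[1] else "reject")
```

In the converted request the RADIUS CHAP-Password attribute carries the identifier and the 16-byte response, not the cleartext password (RFC 2865). EAP-MD5 provides no mutual authentication or key derivation (RFC 3748), so the exchange proves only that the subscriber knows the password.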

Caution:

In EAP authentication, some special configurations are required. If the subscriber terminal does not
support 802.1X dialing when powered on, it may fail to obtain the IP address, so the boot-up process may
take a longer time. This is the reason why the MA5200F supports not only EAP, but also logic port EAP and
Web authentication. With this function, the IP address is first obtained, then the Web authentication or EAP
authentication can be used to obtain the authority.

3.3.4 Leased Line Access

Leased line access means to connect a group of subscribers to the Internet through
Layer2 network or Layer3 network. This group of subscribers have the same service
attribute, and are authenticated and charged as if they are the same subscriber. The
MA5200F reserves system resources for this type of subscribers.
There are four types of Leased line access modes: PPPoE, VLAN, VLAN transparent
transmission and Proxy.

I. PPPoE leased line access

PPPoE leased line access means subscribers (for example, servers) are connected to
L3/GSR devices, which access the MA5200F in the PPPoE dialup mode.
In PPPoE leased line access, the MA5200F is not responsible for the address
allocation and service control of the subscribers. As the PPPoE server, the MA5200F
port can be configured with static IP address to connect the L3/GSR and establish
PPPoE connection with L3/GSR. The MA5200F is responsible for terminating PPPoE
packets, and forwarding the packets through configured static route between the
L3/GSR.

II. VLAN leased line access

VLAN leased line access means the access mode in which all the subscribers in the
same VLAN of a port are authenticated, authorized and charged as if they were one
subscriber. In this mode, the subscribers do not need to input user name and password
to log in, and flow control and statistics on the subscribers are made together.
The MA5200F is able to allocate both dynamic and static addresses for VLAN access
subscribers. The MA5200F can also assign a network segment to the leased line
subscribers, and leave the allocation of terminal IP addresses to the VLAN leased line.
To authenticate the VLAN subscribers, the MA5200F first gets the IP address out of the
ARP request packet sent from the subscriber, then checks the legality of the packet
according to the physical port address, VLAN ID and network segment.
VLAN leased line access has the following features:
- All the subscribers of the same leased line have the same authority.
- All the subscribers of the same leased line are charged together.
- Flow control and statistics of all the subscribers of the same leased line are made
  together.
- VLAN ID is used to identify the access line.
- User-configured authentication is not supported.
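
The legality check described above (sender IP taken from the ARP request, then compared against port, VLAN ID and network segment) can be written as follows. This is an added Python example, not MA5200F code; the port label "port-1", VLAN 100, the 192.0.2.0/28 segment and the frames are constructed for the illustration, and the frame is assumed to arrive with its 802.1Q tag intact.

```python
import ipaddress
import struct

ETH_P_8021Q, ETH_P_ARP, ARP_REQUEST = 0x8100, 0x0806, 1


def parse_tagged_arp_request(frame: bytes):
    """Return (vlan_id, sender_ip) from an 802.1Q-tagged Ethernet ARP request."""
    if len(frame) < 46:                      # 18-byte tagged header + 28-byte ARP
        raise ValueError("frame too short")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != ETH_P_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[18:26])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if oper != ARP_REQUEST:
        raise ValueError("not an ARP request")
    sender_ip = ipaddress.IPv4Address(frame[32:36])   # ARP sender protocol address
    return tci & 0x0FFF, sender_ip                    # low 12 bits of TCI = VLAN ID


def check_leased_line_arp(frame: bytes, ingress_port: str, leased_lines: dict):
    """leased_lines maps (port, vlan_id) -> IPv4Network. Returns (accepted, reason)."""
    try:
        vlan_id, sender_ip = parse_tagged_arp_request(frame)
    except ValueError as exc:
        return False, str(exc)
    segment = leased_lines.get((ingress_port, vlan_id))
    if segment is None:
        return False, "no leased line configured for this port and VLAN"
    if sender_ip not in segment:
        return False, "sender IP outside the leased line segment"
    return True, "accepted"


def build_arp_request(vlan_id: int, src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build a tagged broadcast ARP request (constructed test data)."""
    header = b"\xff" * 6 + src_mac + struct.pack("!HHH", ETH_P_8021Q, vlan_id, ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
           + src_mac + ipaddress.IPv4Address(sender_ip).packed
           + b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed)
    return header + arp


# Constructed configuration: one leased line on a hypothetical port label.
LEASED_LINES = {("port-1", 100): ipaddress.ip_network("192.0.2.0/28")}
MAC = bytes.fromhex("020000000001")

if __name__ == "__main__":
    samples = [
        ("port-1", build_arp_request(100, MAC, "192.0.2.5", "192.0.2.1")),
        ("port-1", build_arp_request(100, MAC, "192.0.2.40", "192.0.2.1")),
        ("port-1", build_arp_request(200, MAC, "192.0.2.5", "192.0.2.1")),
        ("port-2", build_arp_request(100, MAC, "192.0.2.5", "192.0.2.1")),
    ]
    for port, frame in samples:
        print(port, check_leased_line_arp(frame, port, LEASED_LINES))
```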

III. Proxy leased line access

In Proxy access, the address allocation policy, authentication and authorization
methods are exactly the same as those in individual subscriber access. However,
after Proxy leased line has been configured, the MA5200F will reserve corresponding
network resources for the leased line subscribers.

IV. VLAN transparent transmission access

In VLAN transparent transmission access, the MA5200F will replace the VLAN ID and
then forward the packets from related port according to the MAC address of the packets.
The MA5200F does not manage the IP address of the subscribers in this access mode.

3.3.5 Layer3 BAS

Layer3 BAS function means that the MA5200F provides Web authentication to the
subscribers who access the network through Layer3 devices like routers and L3 LAN
Switches.
In Layer3 BAS, the MA5200F is usually connected to the convergence layer device
without connecting any subscriber devices. The MA5200F is not responsible for
providing access links, nor allocating IP addresses to the subscribers. These functions
are completed by the routers and L3 LAN Switches, or the devices connected to them.
The MA5200F is only responsible for authenticating and authorizing the subscribers
who visit the external network.
Layer3 BAS is mostly used for Web authentication on CAN subscribers when they
access external networks like the Internet. If the subscribers are visiting internal
network, the MA5200F does not implement any control.

3.4 Address Management


3.4.1 Address Allocation

I. Address allocation in VLAN and 802.1X access

The MA5200F supports dynamic and static IP address in VLAN or 802.1X access. In
dynamic allocation of IP address, the address can be allocated from the external DHCP
server through DHCP Relay function, or allocated from the built-in DHCP server of the
MA5200F.
The MA5200F supports detection of illegal DHCP servers, and supports re-logon
triggered by an ARP request or IP data packet after the connection of a DHCP
dynamic-address subscriber is interrupted, so that the original IP address can be
allocated again to the subscriber.
After receiving the DHCP request from a subscriber, the MA5200F will look in the local
or remote address pool, according to the location of subscriber domain, to allocate an
idle IP address to the subscriber. A subscriber domain can be configured with at most
three address pools, and the addresses in each address pool can be allocated to
subscribers in multiple domains.

The addresses in an address pool are identified with the gateway address and network
mask. The available addresses in the pool are those in the segment specified by the
gateway address and mask, excluding the gateway address. When different address
pools are configured, a multi-address pool is available in the domain.
The MA5200F supports 128 local address pools, and each pool can be divided into 8
address segments. The MA5200F also supports 128 DHCP server groups, each group
with one active and one standby DHCP server.

Caution:

If an address segment has been configured as a legal address segment for Layer3 authentication
subscribers, it cannot be used by Layer2 authentication subscribers.

The MA5200F follows these principles to allocate address for the subscribers:
- If the subscribers are allocated with addresses from the local address pool, all the
  three address pools will be used.
- If the address can either be allocated from local address pool or remote address
  pool, the local pool will be used first. When there is no available address in the
  local pool, an address will be allocated from remote pool according to the rule
  described below.
- If the address is allocated from the remote address pool, factors like the stability of
  the DHCP server, size of the address pool, number of available addresses in the
  pool, should all be considered before the address pool is selected to allocate the
  address.

II. Address allocation in PPPoE access

IP address is allocated to PPPoE access subscribers in the following ways:

- Address is allocated by the RADIUS server when the authentication is successful.
- Number of the address pool and address segment are assigned to the subscriber
  by the RADIUS server when the authentication is successful.
- Number of the address pool is assigned by the MA5200F when the RADIUS
  authentication or local authentication is successful.

In the latter two methods, the MA5200F supports allocation of IP address from DHCP
server for the PPPoE subscribers, so that the service provider can use the DHCP
server to manage the IP addresses of all the broadband subscribers.

3.4.2 Secondary Allocation of Address

Secondary allocation of address is an IP address solution put forward by Huawei. With
this solution, the VLAN or 802.1X subscribers are first assigned an address
(usually a private address) in the DHCP process. After the Web authentication (for VLAN
access) or EAP authentication (for 802.1X) is passed, the subscribers are allocated
another address (usually a public address).
Secondary allocation of IP address avoids the allocation of public IP address to all the
subscriber terminals in DHCP process, so as to save the address resource, and
improve the usage of existing address resource.
Secondary allocation of IP address is also used for multiple ISPs. Before a subscriber is
authenticated, the MA5200F does not know from which ISP the subscriber should
request for authentication. At this time, a public address is allocated to the subscriber.
After the subscriber has been authenticated, an address from the address pool of the
ISP will be allocated again.
The procedures for secondary allocation of addresses are as follows:
1) When the subscriber terminal is powered on, DHCP request is sent to the
MA5200F.
2) According to the VLAN ID of the subscriber and the port from which the subscriber
comes, the MA5200F allocates an address (usually a private address) from local
address pool or DHCP server.
3) After the subscriber passes the Web authentication, the MA5200F informs the
Web authentication server that secondary allocation of address is needed, and
waits for the new DHCP request from the subscriber.
4) The Web server checks whether the client program already exists on the
subscriber terminal. If it does not exist, the Web server will send the program to the
subscriber terminal.
5) The Web server sends a message to trigger off the client program, the subscriber
terminal releases the allocated IP address, and sends a new DHCP request.
6) The MA5200F receives the DHCP request, and allocates a public IP address for the
subscriber according to the allocation policy configured for the VLAN port.
7) The client program sends a heart-beat message to the Web server at regular time
intervals to report the connection state of the subscriber. If no such message is
received after timeout, or a disconnection message is received, the subscriber is
regarded as offline.
8) When the subscriber gets offline, the MA5200F informs the client terminal through
the Web server to release the IP address, and to obtain a private address by
sending a DHCP request again.
9) If the subscriber is interrupted, communication between the Web server and the
client program will time out, the connection is released, and the allocated IP
address will be taken back.

3.4.3 NAT

In ordinary Internet access mode, each host must have a globally unique IP address.
As IP addresses become a more and more limited resource, Network Address
Translation (NAT) becomes necessary.
With NAT, different hosts in the same network segment can share the same IP address
(or several IP addresses) to access the Internet. This can ease the shortage of
IPv4 addresses, and enhance the security of the internal network.
NAT in the MA5200F supports static address mapping and Port Address Translation
(PAT).

I. Static address mapping

In static address mapping, a public address is exclusively mapped to a private
address.
Static address mapping in the MA5200F supports visits to internal network servers
from an external subscriber. The MA5200F supports packet slice, FTP application layer
gateway (FTP stands for File Transfer Protocol), NetMeeting application layer
gateway and MGCP application layer gateway (MGCP stands for Media Gateway
Control Protocol).

II. PAT

PAT is a method to multiplex the ports in the transport layer, so that a large number of
subscribers in the internal network can access the Internet by using the same public IP
address. The PAT subscriber terminals should run TCP/UDP (UDP stands for User
Datagram Protocol).
In PAT, source addresses (private addresses) in the user datagram are mapped to an
exclusive TCP/UDP port. This mapping table is maintained in the MA5200F. When a
packet from the external network is received, the MA5200F will, according to the
destination TCP/UDP port of the packet, find the private address from the mapping
table, and redirect the packet to the subscriber.
PAT of the MA5200F supports FTP and NetMeeting application layer gateway, MGCP
gateway and ICMP gateway, but does not support packet slice. It supports control
of the number and transmission speed of the connections that can be established by
an individual subscriber.
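
The mapping table and the per-subscriber connection limit described above can be modelled as follows. This is an added Python example of a generic PAT table, not the MA5200F implementation; the addresses, port range and limit of two connections are constructed values.

```python
class PatTable:
    """Port address translation table with a per-subscriber connection cap."""

    def __init__(self, public_ip, first_port, last_port, max_conns_per_subscriber):
        self.public_ip = public_ip
        self.max_conns = max_conns_per_subscriber
        # One independent public port space per transport protocol.
        self._free = {p: list(range(last_port, first_port - 1, -1))
                      for p in ("tcp", "udp")}
        self._out = {}     # (proto, private_ip, private_port) -> public_port
        self._in = {}      # (proto, public_port) -> (private_ip, private_port)
        self._conns = {}   # private_ip -> number of live mappings

    def outbound(self, proto, private_ip, private_port):
        """Translate a subscriber packet; return (public_ip, public_port) or None."""
        if proto not in self._free:
            return None                              # PAT handles TCP/UDP only
        key = (proto, private_ip, private_port)
        if key in self._out:                         # existing connection
            return self.public_ip, self._out[key]
        if self._conns.get(private_ip, 0) >= self.max_conns:
            return None                              # subscriber is at its cap
        if not self._free[proto]:
            return None                              # public port space used up
        public_port = self._free[proto].pop()
        self._out[key] = public_port
        self._in[(proto, public_port)] = (private_ip, private_port)
        self._conns[private_ip] = self._conns.get(private_ip, 0) + 1
        return self.public_ip, public_port

    def inbound(self, proto, dst_port):
        """Look up an external packet by destination port; None means no mapping."""
        return self._in.get((proto, dst_port))

    def release(self, proto, private_ip, private_port):
        """Remove a mapping when the connection ends and return the port to the pool."""
        public_port = self._out.pop((proto, private_ip, private_port), None)
        if public_port is None:
            return False
        del self._in[(proto, public_port)]
        self._conns[private_ip] -= 1
        self._free[proto].append(public_port)
        return True


def walk_through():
    """Constructed scenario: two subscribers share one public address, cap of 2."""
    pat = PatTable("203.0.113.10", 40000, 40003, max_conns_per_subscriber=2)
    return {
        "A first connection": pat.outbound("tcp", "10.0.0.2", 5000),
        "A second connection": pat.outbound("tcp", "10.0.0.2", 5001),
        "A third connection (over cap)": pat.outbound("tcp", "10.0.0.2", 5002),
        "B first connection": pat.outbound("tcp", "10.0.0.3", 5000),
        "inbound to mapped port": pat.inbound("tcp", 40000),
        "inbound to unmapped port": pat.inbound("tcp", 40003),
    }


if __name__ == "__main__":
    for step, result in walk_through().items():
        print(f"{step}: {result}")
```

An inbound packet whose destination port has no entry returns None, which is the property behind the statement that NAT enhances the security of the internal network; the cap keeps one subscriber from occupying the whole shared port space.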

Note:
The MA5200F does not implement NAT to leased line subscribers.

3.5 Subscriber Accounting


The MA5200F provides powerful and flexible accounting functions to contribute to the
idea of a “manageable, operable and profitable” network given by Huawei.
The following accounting attributes can be set on the MA5200F:

I. Accounting method

The MA5200F supports local accounting, RADIUS accounting and no-accounting.

- Local accounting: The MA5200F has a built-in accounting server to deal with the
  accounting information for the subscribers and generate tickets. The administrator
  can get the tickets at specific time interval for accounting.
- RADIUS accounting: The MA5200F can send the accounting information to the
  RADIUS server through RADIUS protocol, so that the server can generate the
  tickets for accounting.
- No accounting: Sometimes accounting is not required for special networks, and
  this setting can disable the accounting.

The attributes concerning local accounting and RADIUS accounting are completely the
same, including the user name, IP address, MAC address, ticket type, offline reason,
access type, logon time, logoff time, port number, VLAN ID and traffic flow before and
after traffic switch.

II. Accounting type

The MA5200F supports accounting on the subscribers on the basis of traffic flow or
session time. Traffic can be obtained according to service types and destinations,
which meets the needs of service providers for different charging policies.

III. Realtime accounting

Generally a ticket is produced when the subscriber logs off, and no intermediate ticket
is produced. If the subscriber is disconnected because of some abnormality, it may not
be able to produce the correct accounting ticket.
The MA5200F provides realtime accounting function to collect the traffic at regular time
interval, so that local accounting server or the RADIUS server can produce realtime
ticket. This ensures the accuracy of the tickets to the largest extent, even if the
subscriber is interrupted.
Realtime accounting consumes network resources, and should be configured by taking
into consideration the network condition, performance of the RADIUS server, and the
total number of subscribers. Refer to SmartAX MA5200F Broadband Intelligent Access
Server Operation Manual for more details.

IV. Prepaid accounting

The MA5200F supports prepayment based on traffic or session time. By making related
configuration on the RADIUS server, the MA5200F can start countdown before the
prepaid traffic or session time is exhausted, and disconnect the subscriber when the
prepaid traffic or time is due. If the subscriber recharges the prepaid value during this
time, the countdown will stop.

V. Accounting failure

The MA5200F adopts different policies when accounting on the subscriber fails. These
policies include disconnecting the subscriber, local protection or no action.

VI. Secondary accounting for different ISPs

Secondary accounting for different ISPs means that the MA5200F sends the
accounting information of the same subscriber to the RADIUS servers of two different
ISPs at the same time, then waits for the reply.
This function is used when the original accounting information must be
saved in different places (like in a network of multiple ISPs). The “RADIUS servers”
here do not mean the active and standby ones in RADIUS configuration. Instead, they
are two independent RADIUS servers, most probably from two different ISPs.

VII. Switching the tariff

By coordinating with the RADIUS server, the MA5200F can switch the tariff for
accounting. After the MA5200F sends out the accounting-start or realtime-accounting
message, if the reply from the RADIUS server contains the information to switch the
tariff, the MA5200F will activate the corresponding timer. When the timer expires
(the switch starts), the MA5200F counts the traffic or session time, and sends the ticket to
the RADIUS server. Then the MA5200F starts a new round of accounting on the same
subscriber on the basis of the new tariff.

3.6 Service Control


3.6.1 Restriction on the number of subscribers

The MA5200F can restrict the total number of subscribers that can access from a
certain physical port or port VLAN, in order to guarantee the bandwidth of online
subscribers.
The MA5200F can also restrict the number of subscribers logging on from a certain
domain, or using a certain user account. By coordinating with the RADIUS server, the
number of subscribers that can access from a certain RADIUS account can also be
restricted. This helps to prevent illegal use of network resources.
The MA5200F can also restrict the number of connections that can be established by
each online subscriber. The “connection” here means the logical forwarding channel
that is composed of the quintuple “source IP address, source TCP/UDP port number,
destination IP address, destination TCP/UDP port number, and protocol type”, or some
of the components in the quintuple.

3.6.2 Access Types

The MA5200F can allocate user accounts according to access type (PPPoE, VLAN or
802.1X). By doing this, the access request from one or multiple access types can be
allowed, or forbidden, when the request is authenticated.

3.6.3 Flow Control

This function enables the MA5200F to restrict and manage the service flow of the
subscribers. After the average and peak values for upstream and downstream rates are
set for a certain control level, the number of data packets that can be received or
forwarded in a specific time period can be controlled.
The MA5200F provides a total of 30 flow control levels. All these 30 control levels can
be configured globally, with the average and peak values ranging from 64kbps to
100Mbps (FE interface) or 64kbps to 1Gbps (GE interface), and a granularity of
1kbps. A specific control level can be applied on the basis of a domain (a domain is the
largest unit in account-oriented service control; generally an ISP is set as a domain) or
a specific subscriber.
The same control level can be used in the domain to unify the ISP configuration, or a
diversity of control levels can be configured for subscribers respectively.

3.6.4 Idle-Cut

Idle-Cut means to disconnect the subscriber whose traffic has been under a certain
threshold for a set period of time.
In idle-cut, the period of time and threshold of traffic can both be set on the basis of
domain, that is to say, all the subscribers in the same domain have the same settings
about idle-cut. However, the switch that controls whether the idle-cut function will be
implemented can be configured on the basis of individual subscriber.

3.6.5 QoS

Network QoS is more and more important as multimedia, Voice over IP (VoIP) and
video applications are getting popular.
QoS is an issue that requires cooperation of devices from the entire network. According
to its position in the network, the MA5200F supports Diff-Serv and 802.1P.

I. Diff-Serv

Diff-Serv (refer to RFC2475) provides a QoS scheme. In this scheme, the MA5200F
determines the priority of packets according to Diff-Serv Code Point (DSCP) defined in
the packet, and implements traffic shaping, queue dispatch and congestion control.
The MA5200F usually uplinks with the Gigabit Switching Router (GSR) or
large-capacity Layer3 switches, which support Diff-Serv. So the MA5200F will
encapsulate the upstream packets with DSCP code, and make queue dispatch and
congestion control according to service type or priority.

II. 802.1P

802.1P is an IEEE-defined QoS protocol implemented in LAN. According to different
service types, 8 priority levels have been defined by the IEEE. The queue dispatch and
congestion control are implemented according to the 802.1P TAG by switches that support
802.1P.
The MA5200F usually downlinks with IP DSLAM and LAN Switches. To solve the global
QoS problem, switches at the access layer must support 802.1P. The MA5200F can
modify the 802.1P TAG in the downstream packets. It also supports the mapping
between DSCP and 802.1P priorities.
To sum up, the MA5200F provides complete QoS policies globally, not only supporting
precise Committed Access Rate (CAR), but also various QoS protocols. With its
powerful forwarding capacity, the MA5200F is suitable for application in NGN bearer
network, multimedia videoconferencing system, as well as video and multicasting
systems.

3.6.6 Policy Routing

In ordinary packet forwarding process, the next hop address is selected automatically
by the router according to the entries in its routing table. In an access network with
multiple ISPs, this forwarding method cannot constrain the data flow of a specific
subscriber within the port of the corresponding ISP.
Policy routing is an effective solution for multi-ISP access control. Policy routing is a
route selection mechanism that is based on user-defined policies. One of the most
common policy routing methods is source address routing, in which the forwarding port
for a packet on the router is determined by the source IP address contained in the
packet, instead of the destination of the packet.
With policy routing, the operator can designate the port that forwards the data packets
of a subscriber to the next hop after the subscriber logs in. In this way, the traffic flow of
the subscriber can be constrained in the port of a specific ISP, which is essential in
accounting.
Apart from this, the MA5200F can also add a VLAN ID to a packet, so that upstream
packets from the same domain will be converged to the same VLAN.
This feature can be applied in the Multi-protocol Label Switching (MPLS) VPN. If you
set a domain as the bearer domain for a certain service, upstream packets from that
domain will be converged into the same VLAN, and packets for different services are
isolated strictly, so that the network-side device can construct a VPN network for NGN
MPLS.

3.7 Security Management


The MA5200F provides security management functions for access subscribers,
protects network resources, and provides a fundamental guarantee for other security
measures.

3.7.1 Prevention on Account Forgery

The MA5200F provides a special packet-binding check, in which the packets of an
authenticated subscriber are checked against the binding of the logic port (access port +
VLAN ID), MAC address and IP address. Any packet that does not match the rule is
discarded. This function eliminates possible account forgery attempts, and provides
basic protection for network security.
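
The binding check described above can be modelled as follows. This is an added example, not Huawei code: the frame parser, the `Binding` record, the helper names and all addresses are constructed for illustration, and reporting which bound field failed is an assumption about what a defender would want logged with each discard.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

FIELDS = ("port", "vlan", "mac", "ip")

@dataclass(frozen=True)
class Binding:
    """Values recorded when the subscriber authenticated (constructed model)."""
    user: str
    port: int   # access port
    vlan: int   # VLAN ID; port + vlan form the "logic port"
    mac: str
    ip: str

def mac_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))

def build_frame(src_mac, vlan, src_ip, dst_ip="10.0.0.1"):
    """Build a constructed 802.1Q-tagged Ethernet II / IPv4 frame for the demo."""
    eth = mac_bytes("02:00:00:00:00:fe") + mac_bytes(src_mac)
    tag = struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + tag + struct.pack("!H", 0x0800) + ipv4

def parse_frame(frame):
    """Return (src_mac, vlan_id, src_ip); vlan_id is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == 0x8100:                      # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    src_ip = str(IPv4Address(frame[offset + 12:offset + 16]))
    return src_mac, vlan, src_ip

def check_packet(bindings, ingress_port, frame):
    """Return (verdict, user, mismatched_fields).

    A frame is forwarded only if port, VLAN, MAC and IP all equal one binding.
    Otherwise the closest binding names the likely sender and the forged fields;
    user is None when nothing at all matches a known subscriber.
    """
    try:
        mac, vlan, ip = parse_frame(frame)
    except ValueError:
        return "discard", None, ["malformed"]
    seen = {"port": ingress_port, "vlan": vlan, "mac": mac, "ip": ip}
    best = None
    for b in bindings:
        diff = [f for f in FIELDS if getattr(b, f) != seen[f]]
        if not diff:
            return "forward", b.user, []
        if best is None or len(diff) < len(best[1]):
            best = (b.user, diff)
    if best is None or len(best[1]) == len(FIELDS):
        return "discard", None, list(FIELDS)
    return "discard", best[0], best[1]

# Constructed binding table for two authenticated subscribers.
BINDINGS = [
    Binding("alice", 1, 100, "02:00:00:00:00:01", "10.1.1.10"),
    Binding("bob", 1, 101, "02:00:00:00:00:02", "10.1.1.11"),
]
```

A discard whose only mismatched field is `ip` points at an authenticated subscriber borrowing another subscriber's address, while a lone `port` mismatch points at a copied identity presented from a different access port.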

3.7.2 ACL

The MA5200F provides multiple authentication methods to control the access authority
of the subscribers. However, this is a very general control on the access authority, since
all the subscribers will have the same authority after the authentication is passed. To
implement more detailed control, an access control list (ACL) is needed.
ACL controls a variety of access authorities. The control list is matched with the key
attributes of a request packet or the subscriber. The packet is forwarded or discarded
according to the result of matching, or the default setting of the matching. This helps to
control different access authorities.
The so-called “key attributes” can be all or part of these: source IP address, destination
IP address, source TCP/UDP port number, destination TCP/UDP port number, physical
port number, VLAN ID, protocol type, source ACL group, destination ACL group, source
inter-access group and destination inter-access group.

Note:
An ACL group is defined for subscribers who have the same authority to access the same destination in the
external network.
An inter-access group is defined to control the visits between internal subscribers. Subscribers in the same
inter-access group have the same authority to visit another inter-access group (or another subscriber in
the same inter-access group).
Each subscriber has an ACL group number and an inter-access group number to identify the two different
groups that the subscriber belongs to.

In the MA5200F, there are four ACL rules that control the following four access
situations respectively:
• Access from subscriber to network, using User-Net rule
• Access from network to subscriber, using Net-User rule
• Access from one subscriber to another subscriber, using Inter-User rule
• Access from one network to another network, using Net-Net rule

Note:
The “Net” in the MA5200F is a network segment defined with “IP address + netmask”, which is the
controlled object when the access is between subscriber and network, or between two networks. In the
following text, “Net” is presented in the way of “IP address/mask length”. For example, 10.163.168.1/24
represents the network segment from 10.163.168.0 to 10.163.168.255.

Basically, these four access control rules are different because they have different key
attributes to control. The following gives more details.

Note:
All the ACLs defined by the MA5200F can be applied on a physical port, a port VLAN, or globally. Because
of this, a septet ACL control can be implemented based on “source IP address + destination IP address +
source TCP/UDP port number + destination TCP/UDP port number + protocol type + physical port number
+ port VLAN”.

I. Access from subscriber to network

The access from a subscriber to the network is controlled by User-Net type ACL rules.
Fundamental elements in a User-Net rule include these: source ACL group, destination
Net, protocol type and related access authorities.

For example, set an ACL rule with ACL group as 1, destination NET as 10.163.168.1/24,
protocol type as TCP, access authority as “denied”, and apply the rule to Port 1. After
the setting, TCP packets sent from subscribers in ACL group 1 of Port 1 to network
segment 10.163.168.0 - 10.163.168.255 will be discarded.

II. Access from network to subscriber

The access from the network to a subscriber is controlled by Net-User type ACL rules.
Fundamental elements in a Net-User rule include these: Source Net, destination ACL
group, protocol type and related access authorities.
For example, set an ACL rule with source NET as 10.110.1.1/16, destination ACL group
as 2, protocol type as UDP, access authority as “allowed”, and apply the rule to global
network. After the setting, UDP packets that are sent to subscribers in ACL group 2
from source address 10.110.1.1/16 will be forwarded.

III. Access from subscriber to subscriber

The access from a subscriber to another subscriber is controlled by Inter-User type
ACL rules. Fundamental elements in an Inter-User rule include these: Source
inter-access group, destination inter-access group, protocol type and related access
authorities.
For example, set an ACL rule with source inter-access group as 1, destination
inter-access group as 2, protocol type as IP, access authority as “allowed”, and apply
the rule to global network. After the setting, IP packets that are sent to subscribers in
inter-access group 2 from inter-access group 1 will be forwarded.

IV. Access from network to network

The access from a network to another network is controlled by Net-Net type ACL rules.
Fundamental elements in a Net-Net type ACL rule include these: Source Net,
destination Net, protocol type and related access authorities.
For example, set an ACL rule with source NET as 10.110.1.1/16, destination Net as
10.163.168.1/24, protocol type as IP, access authority as “allowed”, and apply the rule
to Port 1. After the setting, IP packets that are sent to destination addresses
10.163.168.1/24 from source address 10.110.1.1/16 of Port 1 will be forwarded.

Note:
If the ACL protocol type (TCP/UDP) has been set, the ACL source and destination TCP/UDP port numbers
can also be set, in order to further restrict the ACL.
In the MA5200F, the ACL is not only used to control the access authorities, but also to set the access
attributes like user log, accounting level, user priority, and anti-attack CAR for the host.
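
The four rule types and the worked examples of this section can be checked with a small model. This is an added example, not Huawei code or the device's configuration syntax: the class names, the first-match evaluation order, the explicit default action and the subscriber addresses are assumptions made for illustration, and application scope (port, port VLAN or global) is treated simply as one more match condition.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def net(text):
    """Parse the manual's "IP address/mask length" notation.

    The manual writes 10.163.168.1/24 (host bits set) for the segment
    10.163.168.0 - 10.163.168.255, so strict=False is required.
    """
    return ipaddress.ip_network(text, strict=False)

@dataclass(frozen=True)
class Subscriber:
    ip: str
    acl_group: int      # used by User-Net and Net-User rules
    inter_group: int    # used by Inter-User rules

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "TCP", "UDP", "ICMP", ...
    port: int                       # physical port the packet arrived on
    vlan: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    kind: str                       # "User-Net", "Net-User", "Inter-User", "Net-Net"
    src: object                     # group number (user side) or network (Net side)
    dst: object
    proto: str                      # "IP" matches every IP protocol
    permit: bool
    port: Optional[int] = None      # None means the rule is applied globally
    vlan: Optional[int] = None
    dst_port: Optional[int] = None  # only meaningful with TCP/UDP

# For each rule type: is the source / destination side a subscriber group?
SIDES = {"User-Net": (True, False), "Net-User": (False, True),
         "Inter-User": (True, True), "Net-Net": (False, False)}

class Acl:
    def __init__(self, rules, subscribers, default_permit):
        self.rules = list(rules)
        self.subs = {s.ip: s for s in subscribers}
        self.default_permit = default_permit

    def _side(self, wanted, ip, is_user, group_attr):
        if is_user:
            sub = self.subs.get(ip)
            return sub is not None and getattr(sub, group_attr) == wanted
        return ipaddress.ip_address(ip) in wanted

    def _matches(self, rule, pkt):
        if rule.port is not None and rule.port != pkt.port:
            return False
        if rule.vlan is not None and rule.vlan != pkt.vlan:
            return False
        if rule.proto != "IP" and rule.proto != pkt.proto:
            return False
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            return False
        src_is_user, dst_is_user = SIDES[rule.kind]
        attr = "inter_group" if rule.kind == "Inter-User" else "acl_group"
        return (self._side(rule.src, pkt.src_ip, src_is_user, attr)
                and self._side(rule.dst, pkt.dst_ip, dst_is_user, attr))

    def decide(self, pkt):
        """Return (action, index of the matching rule or None for the default)."""
        for index, rule in enumerate(self.rules):
            if self._matches(rule, pkt):
                return ("forward" if rule.permit else "discard"), index
        return ("forward" if self.default_permit else "discard"), None

def page_rules():
    """The four worked examples from this section, in the order given."""
    return [
        Rule("User-Net", 1, net("10.163.168.1/24"), "TCP", permit=False, port=1),
        Rule("Net-User", net("10.110.1.1/16"), 2, "UDP", permit=True),
        Rule("Inter-User", 1, 2, "IP", permit=True),
        Rule("Net-Net", net("10.110.1.1/16"), net("10.163.168.1/24"), "IP",
             permit=True, port=1),
    ]

# Constructed subscribers: one in ACL/inter-access group 1, one in group 2.
SUBSCRIBERS = [Subscriber("192.168.1.10", 1, 1), Subscriber("192.168.1.20", 2, 2)]
```

In this model the "denied" rule applied to Port 1 stops matching when the same subscriber sends from another port, so the default action decides; a deny meant to hold everywhere has to be applied globally.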

3.7.3 User Log

The MA5200F provides a user log to record the access history of all the subscribers on
the ISPs. Because it is kept per subscriber and is combined with the prevention of
account forgery, the user log of the MA5200F provides credible log records.
The user log contains two parts: access log and session log.
The access log records information about the login and logoff of a subscriber, which includes
the user name, user VLAN, IP address, login time and logoff time.
The session log records information about the service connections that the MA5200F
established for the subscriber, including the user name, user VLAN, source IP address,
source MAC address, destination IP address, and session time. The MA5200F
provides ACL-based filtering on the session logs, which means you can enable the session
log on an individual ACL rule.

Caution:

The MA5200F does not record user log for leased line subscribers.

The MA5200F can back up the user log to the log host through TFTP at regular
intervals, or when the logs reach a certain amount.

3.7.4 Protection on Resources

The MA5200F provides protection on the resources of the local device or the network.

I. Protection on the resources

The protection covers the IP address resource and TCP connection resources. To
address the exposure of the DHCP server to Denial of Service (DoS) attacks,
the MA5200F restricts the number of addresses that a subscriber can apply for, which
protects the address resource on the DHCP server.

II. Limitation on speed

The limitation on speed that is implemented by the MA5200F can be based on physical port,
MAC address and IP address.

3.8 Value Added Services


3.8.1 Multicast

Multicast is a transmission method in which copies of a packet are sent to
multiple hosts in the network. The destinations of the multicast packets are the
multicast group addresses (224.0.0.0-239.255.255.255). The multicast packets are
sent to the hosts in this group by switches or routers that support multicast transmission.
A host in the network can be added into, or removed from, the multicast group by
sending an IGMP request (IGMP stands for Internet Group Management Protocol).
Multicast packets are usually UDP packets. The most popular multicast services at
present are video services like Video on Demand (VOD) and video conferencing. Video
services take larger bandwidth than other types of services. In unicast mode, the data
source sends a separate copy of the data to each receiving host, which takes a huge
amount of network resources. In multicast transmission, the data source sends only
one copy of the data, and this copy is duplicated and forwarded at the next
network node. In this way, all the members of the multicast group can get a copy of the
data.
Multicast reduces the burden of network devices, and saves the network bandwidth. In
some multicast applications, the increase of multicast users does not need extra
bandwidth.
Traditional multicast is uncontrolled: neither the sending at the data source nor the
receiving at the destination is controlled. It is impossible to guarantee the legality of the
sender and the receiver.
The MA5200F supports not only uncontrolled multicast, but also HGMP V2 multicast,
which is a controllable multicast mode.

I. Uncontrolled multicast

The MA5200F supports IGMP-based multicast and PIM-DM/PIM-SM-based multicast
(PIM-DM stands for Protocol Independent Multicast-Dense Mode, PIM-SM stands for
Protocol Independent Multicast-Sparse Mode), but only one of them can run at a time.
The service process flow for IGMP-based multicast is as follows:
1) A multicast user sends an IGMP member application request, in order to join a
multicast group.
2) The IGMP request is forwarded by a LAN Switch to the MA5200F.
3) The MA5200F receives the request, and adds the user-side port of the request into
a multicast group.
4) The MA5200F, as a multicast member, sends an IGMP member report to the
multicast router, requesting the router to copy and forward related multicast
packets to the MA5200F.
5) The router copies and forwards the multicast packets related to such multicast
group to the MA5200F.
6) The MA5200F looks up in its multicast forwarding table to find out the user-side
port, copies and forwards the packet to the port.
7) The LAN Switch looks up in its multicast forwarding table, and forwards the packet
to the subscribers. The quantity of copies is equal to that of ports of this multicast
group.

The service process flow for PIM-based multicast is as follows:
1) The MA5200F exchanges multicast information with the router through PIM
packets. The MA5200F establishes a routing table without any output port.
2) A multicast user sends an IGMP member application request, in order to join a
multicast group.
3) The IGMP request is forwarded by a LAN Switch to the MA5200F.
4) The MA5200F receives the request, and adds the user-side port to the outgoing
ports in the routing table.
5) The router copies and forwards the multicast packet related to the multicast group
to the MA5200F.
6) The MA5200F looks up in its multicast forwarding table, copies the packet and
forwards it from each of the outgoing ports.
7) The LAN Switch looks up in its multicast forwarding table, and forwards the packet
to the subscribers.

Note:
In uncontrolled multicast, the Layer2 devices need to support IGMP Snooping and have the function
enabled. Otherwise, the Layer2 devices have to broadcast the multicast packet to all the VLAN interfaces,
which degrades the performance remarkably.

Uncontrolled multicast has the following limitations:
• Subscribers can join a multicast group easily since the LAN Switch does not have
the management function. This fact makes it possible for a VLAN subscriber to
enjoy paid services without paying.
• The MA5200F implements no control on the subscriber who attempts to join the
group. If the IGMP packet from a subscriber can be received, the subscriber can
receive multicast packets.
• Because the bandwidths of the multicast data source and multicast group are not
controlled, subscribers can access the multicast sources.
• No accounting function.

II. Controllable multicast

The controllable multicast in the MA5200F is based on HGMP V2. The following
describes its basic principles and process flow. Refer to 3.9.2 HGMP V2 for more
details about HGMP V2, and Chapter 4 for multicast networking applications.
1) Through the MA5200F, the authority of a subscriber to receive multicast packets can
be configured on local or remote servers. The authority of a data source to send
multicast packets can also be configured.
2) The subscriber obtains multicast authority after passing ordinary unicast
authentication.
3) The subscriber sends an IGMP member report to apply for membership of a
multicast group.
4) The IGMP packet cannot be identified by the Layer2 device, so it is transmitted
transparently to the MA5200F.
5) The MA5200F judges whether the subscriber request is legal. If it is legal, the
subscriber will be added into the multicast forwarding table of the MA5200F. If it is
illegal, the request will be denied.
6) The MA5200F obtains information about the neighboring Layer2 device according
to HGMP V2, and sends a command to the device to add the subscriber into its
multicast forwarding table.
7) The Layer2 device adds the subscriber into its multicast forwarding table, and
sends a command to its downlink device to add the subscriber into the
corresponding forwarding table. After the device at the lowest level has finished
the procedure, it sends a message back to the MA5200F, informing the latter that
the subscriber has been added successfully.
8) After the MA5200F receives a multicast packet from the data source, it checks the
legality of the packet, then forwards the packet to the port that connects with the
multicast subscriber if the packet is legal, or discards the packet if the packet is
illegal.
9) The Layer2 device takes the same procedure to forward the multicast packet.
10) HGMP V2 can discover the last level of Layer2 device. If a multicast packet does
not carry a VLAN ID, the LAN Switch will forward the packet to all the physical ports.
If a VLAN ID is contained in the packet, the packet will be forwarded to the physical
ports of the VLAN, then to the subscriber.
In controlled multicast, both the adding of a subscriber to the multicast group and the
sending of packets from the multicast data source are controlled. An illegal subscriber
cannot receive multicast packets, and an illegal multicast data source cannot send
packets to subscribers that access through the MA5200F.
In the multicast service provided by the MA5200F, the traffic on the sender or receiver of
multicast packets can be controlled, and accounting is made on a time or traffic basis,
which reflects the “operable and manageable” idea of Huawei.
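
The join check (steps 3 to 5) and the source check (step 8) of the controllable multicast flow can be sketched as follows. This is an added example, not Huawei code: it assumes IGMPv2 message layout (RFC 2236), does not model the HGMP V2 signalling to Layer2 devices, and the class, user names, groups and addresses are constructed.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

MCAST = IPv4Network("224.0.0.0/4")      # 224.0.0.0 - 239.255.255.255
V2_REPORT, LEAVE = 0x16, 0x17           # IGMPv2 message types

def inet_checksum(data):
    """16-bit one's complement checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_igmp(msg_type, group):
    """Build a constructed 8-byte IGMPv2 message for the demo."""
    body = struct.pack("!BBH4s", msg_type, 0, 0, IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_igmp(msg):
    """Return (type, group) or raise ValueError for a malformed message."""
    if len(msg) < 8:
        raise ValueError("short IGMP message")
    if inet_checksum(msg) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, _, _, raw_group = struct.unpack("!BBH4s", msg[:8])
    group = IPv4Address(raw_group)
    if group not in MCAST:
        raise ValueError("group is not a multicast address")
    return msg_type, group

class MulticastController:
    """Receive and send authority per step 1, enforced at join and forward time."""

    def __init__(self, receive_rights, send_rights):
        self.receive_rights = receive_rights  # user -> set of group strings
        self.send_rights = send_rights        # group string -> set of source IPs
        self.table = {}                       # group string -> set of (port, vlan)
        self.denied = []                      # audit trail of refused requests

    def _deny(self, user, logic_port, reason):
        self.denied.append((user, logic_port, reason))
        return "denied"

    def on_igmp(self, user, logic_port, msg):
        """user is the authenticated subscriber, or None if not authenticated."""
        try:
            msg_type, group = parse_igmp(msg)
        except ValueError as exc:
            return self._deny(user, logic_port, str(exc))
        key = str(group)
        if msg_type == LEAVE:
            self.table.get(key, set()).discard(logic_port)
            return "left"
        if msg_type != V2_REPORT:
            return "ignored"
        if key not in self.receive_rights.get(user, ()):
            return self._deny(user, logic_port, "no authority for " + key)
        self.table.setdefault(key, set()).add(logic_port)
        return "joined"

    def on_data(self, src_ip, group):
        """Return the logic ports to copy the packet to; empty if the source is illegal."""
        if src_ip not in self.send_rights.get(group, ()):
            return []
        return sorted(self.table.get(group, ()))
```

The `denied` list is where repeated join attempts for a paid group from a subscriber without authority would show up.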

3.8.2 IP Hotel

IP Hotel is a broadband access solution of Huawei, which aims to provide broadband
Internet access in hotels, office buildings and residential areas of a MAN. IP Hotel also
provides management, authentication and accounting on the subscribers.
IP Hotel consists of the broadband network device, IP Hotel service platform, integrated
hotel interface/integrated console/property management system interface (PMSI).
Chapter 4 gives more details about the networking application of the IP Hotel solution.

Table 3-4 Features of IP Hotel system

| Component | Description |
|---|---|
| Broadband network device | Provides physical path for broadband access subscriber, and provides BAS function |
| IP Hotel service platform | Provides the authentication, accounting, accounting policy management and subscriber management functions |
| Integrated console | Provides subscriber management methods |
| Property Management System Interface (PMSI) | Connects the property management system (PMS) with the IP Hotel service platform, provides subscriber management methods and collects online charge information to the PMS |
| Property Management System | Connects with the broadband network device through PMSI, and completes management and accounting on the online subscribers |

In the IP Hotel application, some of the ports on the MA5200F can be leased to the agents
(hotels or residential quarters), who provide broadband access to the subscribers
directly. This brings revenue to both the agents and the service providers.
The MA5200F acts as the broadband network device in the IP Hotel application, providing
high speed Ethernet access, so as to:
• provide a hardware platform for high speed E-commerce over the Internet.
• build up a business platform for hotels, on which the related PMS and database can be
established to provide information to the guests.
• build up an access management platform for broadband operators, so that
information from the MAN can be shared by the guests in the hotels.
The MA5200F provides a standard interface to connect with the Centrex console, so that it
can be easily merged with the management systems of group users and other business users.

3.8.3 WLAN

WLAN extends the coverage of Ethernet to satisfy the growing demand of Internet
access.
The MA5200F acts as the Access Controller (AC) in WLAN network to manage the
access subscribers. Refer to Chapter 4 for details about WLAN networking application.
The MA5200F provides VLAN access, 802.1X access and PPPoE access in WLAN,
and authenticates the subscribers who use these access methods. Refer to 3.3
Access Authentication for more details. The MA5200F also provides user management,
security management, accounting management and service management functions.
Data packets of a WLAN subscriber are directly connected to the Internet through the
AC.
Table 3-5 lists the functions that can be provided by the MA5200F in WLAN.

Table 3-5 Functions of the MA5200F as an AC

| Features | Note |
|---|---|
| BAS | As a universal BAS, complying with WLAN specifications. |
| Access authentication | Supports VLAN access, 802.1X access and related authentication at the same time. Supports EAP and Web authentication on ports. |
| Service management | Powerful service management that supports QoS, bandwidth control and access control. |
| Accounting | Different accounting methods for payment based on service time or traffic, and monthly payment. |
| Forced Portal | Supports forced Portal to redirect subscribers to specific service provider. |
| Integrated access | Provides wired and wireless access for places like hotels, tailor-made IP Hotel service. |
| Switching between APs | When a WLAN subscriber switches between APs, the service is sustained, and authentication is implemented again to guarantee the legality of the subscriber. |
| AP cluster management | AP devices can be managed in clusters. |

3.8.4 VPN

A virtual private network (VPN) is a private network that is constructed over a public
network. The security, reliability and manageability of a VPN are the same as those of an
enterprise Intranet.
Table 3-6 lists some VPN features.

Table 3-6 Features of VPN

| Features | Description |
|---|---|
| Virtuality | Different from other networks, VPN does not exist physically. VPN is a logic network that is formed by configuring related resources from the public network. |
| Speciality | VPN is used specially for specific enterprises or group users. From the viewpoint of a VPN user, there is no difference between VPN and other dedicated networks. The resources of a VPN are independent of those in the bearer network, which means that the resources of one VPN will not be used by any other members in the bearer network, including other VPNs. VPN also provides adequate security features to ensure the safety of data in the VPN. |
| Complexity | VPN establishes interconnection between dedicated networks, sets up the VPN internal topology, calculates the routes, and adds and removes VPN members, which makes the VPN technology more complex than ordinary point-to-point applications. |

Compared with traditional networks, VPN has the following advantages:
• VPN is used to establish secured and reliable connections between the headquarters
of an enterprise and its branch offices, business partners and staff that are in
remote places. This advantage is especially useful in E-commerce and the merge
of dedicated financial networks into the public communication network.
• VPN constructed over a public network enables the enterprises to communicate
with remote parties (partners) at low cost, and brings more revenue to ISPs since
the network resources are used better.
• There is no need to change hardware devices; VPN users are added and removed
through software configuration, which makes VPN more flexible.
• Mobile access of VPN users in any place at any time can satisfy growing mobile
services.
• VPNs with different service levels (like MPLS VPN) are provided for different
levels of service qualities, in order to bring more profit to ISPs.
VPN functions provided by the MA5200F are as follows:

I. VPDN

In traditional VPN network, connection is made through remote dialing, so it is also
called VPDN. VPDN enables an enterprise or institution to communicate with its branch
offices, traveling staff or business partners at remarkably low cost.
VPDN uses Layer Two Tunneling Protocol (L2TP) to establish virtual tunnel between
local access network and remote server, in order to transmit data. Figure 3-1 shows an
application of VPDN.
[Figure 3-1 VPDN structure. Labels shown: remote user, branch office, PSTN/ISDN, NAS, LAC, Internet, L2TP tunnel, LNS, internal server, headquarters.]
LAC: L2TP Access Concentrator LNS: L2TP Network Server NAS: Network Access Server

In the figure, the LAC is a node in a switching network, which has the ability to process the PPP
end program and L2TP. The LAC provides access service for subscribers through Ethernet,
and establishes tunnels and sessions with the remote LNS. The LNS is responsible for processing
the L2TP server-end program on the PPP end system.
There are two types of connections between LNS and LAC. One is the Tunnel, which
defines a pair of LNS and LAC; the other is the Session, which is multiplexed on the Tunnel to
bear PPP sessions in the tunnel.
The MA5200F acts as the LAC in a VPDN. It supports a maximum of 128 tunnels, and
each tunnel supports a maximum of 1024 sessions. The MA5200F also supports L2TP
upstream packet slice, upstream and downstream packet Trunk and CAR, as well as
QoS of VPDN subscribers.
In VPDN, a PPPoE subscriber establishes a PPPoE line with the MA5200F through the
PPPoE call maker, which is the same as the process in PPPoE access. However, in
the authentication process that follows, the MA5200F does not make PPP negotiation
with the subscriber to terminate PPP. Instead, the MA5200F establishes an L2TP
tunnel with the remote server and transmits the connection request to the server for
authentication.
Another popular VPDN application is in multi-ISP network.

II. GRE tunnel

The MA5200F supports GRE tunnel. The MA5200F establishes GRE tunnels with
other devices that support GRE tunnel, in order to transmit data packets. GRE tunnel is
used to construct Intranet VPN and Extranet VPN.
GRE is used to encapsulate data packets of some network layer protocols (like IP and
IPX), so that these packets can be transmitted over a network using another network
layer protocol (like IP). GRE is a Layer3 VPN tunneling protocol, in which tunneling is
adopted between the protocol layers. A GRE tunnel is a virtual point-to-point connection,
and can be regarded as a virtual interface that only supports point-to-point connection.
This interface provides a path to transmit encapsulated packets, and provides
encapsulation and decapsulation for the packets at both ends of the tunnel.

III. MPLS VPN

MPLS VPN is a VPN constructed by using Multi-Protocol Label Switching (MPLS)
technology. MPLS uses short and fixed length labels to encapsulate the packets. MPLS
obtains link layer service from various networks (like PPP, ATM, frame relay and
Ethernet), and provides connection-oriented service to the network layer.

Note:

Detailed description on MPLS is not given here. Please refer to related publications.

MPLS can easily realize VPN service based on IP technology, and satisfy the
requirements on scalability and manageability of VPN. Various measures can be
implemented on MPLS VPN to ensure its security. VPN constructed over MPLS also
supports value added services. An individual access point can be configured as
multiple types of VPNs, each VPN represents one type of service, so that different
types of services are transmitted flexibly.
Figure 3-2 shows the basic architecture of MPLS VPN.

[Figure 3-2 Basic structure of MPLS VPN. Labels shown: Branch 1, Branch 2, Branch 3, CE1, CE2, CE3, PE1, PE2, PE3, P, backbone network.]
CE: Customer Edge P: Provider PE: Provider Edge

In the figure, CE is the customer edge device, which can be a router, a switch, or even a
host. PE is the edge router of the provider, which is located at the edge of the backbone
network. P is the backbone router of the provider, which manages the VPN users, sets
up connections between the PEs, and allocates routes for network branches in the same
VPN.
In MPLS VPN, the MA5200F acts as the CE device to coordinate with P/PE in the
backbone network. When acting as a CE, the MA5200F can either provide transparent
transmission, or policy routing, to forward the packets.
When providing VLAN transparent transmission, specific logic port (port + VLAN) is
designated to transmit the packets that arrive at the MA5200F on a specific logic port,
and VLAN ID is used as VPN tag.
When providing policy routing (refer to 3.6.6 Policy Routing), the MA5200F designates
different service domains and corresponding uplink VLANs for the domains. Then the
MA5200F converges the upstream packets from different domains to corresponding
VLANs.
Refer to Chapter 4 for detailed networking application of MPLS VPN.

3.8.5 Plug and Play

I. Overview

Plug and Play (PNP) indicates the service that a PC can access the Internet without
changing the network settings (like IP address, DNS address and HTTP proxy), after
the PC has been moved to another geographical position.
PNP is used in public areas like hotels, airports and conference centers, where easy
and fast access to the Internet is needed. Usually, the Internet users in these places are
traveling around, and may have a variety of terminals. PPPoE or VLAN access require
some special client program, or modification on network settings of the terminal PC,
and are not suitable for use in these places.


With PNP, there is no need to change the network settings of the terminal PC, and no
special client program is required. The users can access the Internet through Web
authentication or fast authentication.
The MA5200F can play the role of an access server for PNP applications, or provide
one of its ports to provide PNP service for these places.

II. MA5200F in PNP application

In PNP service, the MA5200F authenticates the subscriber, and converts the IP
addresses of the subscriber, the DNS server and the HTTP proxy server, so that the
subscriber can be connected.
1) Subscriber authentication
In the MA5200F, the authentication methods for subscribers include Web
authentication, fast authentication and no authentication. The authentication is triggered
by any of the following:
• ARP request that is sent in the ARP packet from the subscriber
• DHCP request that is sent in the DHCP packet from the subscriber
• Any connection request that is sent in the data packet from the subscriber
2) IP address conversion
Generally, the original IP address of a PNP subscriber will become invalid after the
subscriber has moved to another place. The MA5200F will first assign a legal IP
address to the subscriber (this address is invisible to the subscriber), then map the
MAC address of the subscriber terminal with the IP address. After a packet from the
subscriber is received, the legal IP address is used to forward the packet, instead of the
original IP address. When an external packet to the subscriber is received, the
MA5200F will use the original IP address of the subscriber to replace the destination
address in the packet.
3) DNS conversion
The address of the original DNS server for the subscriber may also be no longer valid, and
the DNS request from the subscriber cannot be forwarded directly to this address.
The MA5200F intercepts the DNS request from the PNP subscriber, converts the DNS
server address in the packet into that of a valid DNS server, then sends out the request.
When the valid DNS server sends back a reply, the MA5200F intercepts the reply,
replaces the source address of the reply with that of the original DNS server, then
sends the reply to the subscriber.
4) HTTP proxy conversion
If a PNP subscriber has configured an HTTP proxy, the HTTP request from the
subscriber will always be sent to the configured HTTP proxy server. However, the
address of this HTTP proxy server may also be no longer valid.
If the PNP subscriber has specified the HTTP proxy server by address, the MA5200F
will use the address of the external HTTP proxy server to replace the destination
address of the HTTP request packet, then forward the packet to the external HTTP
proxy server.
If the PNP subscriber has specified the HTTP proxy server by domain name, the MA5200F will
first convert the DNS address. If DNS resolution is successful, then the MA5200F
converts the address of the HTTP proxy server. If DNS resolution fails, the MA5200F
will use the external HTTP proxy server for DNS cheat. Then all the HTTP requests will
be sent to the external HTTP proxy server.
The MA5200F supports application layer gateway services on PNP subscribers,
including ICMP, FTP, MGCP and NetMeeting services on application layer. One
MA5200F supports a maximum of two thousand PNP subscribers.
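
The IP address conversion and DNS conversion in steps 2) and 3) amount to a translation table keyed on the subscriber's MAC address. The Python model below is an added example, not Huawei's code: the class, field and function names are hypothetical, the addresses are constructed documentation values, and it assumes authentication has already passed and matches DNS replies to requests by client port.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

MAX_PNP_SUBSCRIBERS = 2000  # per-device limit stated in the manual


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: IPv4Address
    dst_ip: IPv4Address
    proto: str
    src_port: int
    dst_port: int


@dataclass
class Session:
    mac: str
    original_ip: IPv4Address  # address configured on the subscriber's PC
    legal_ip: IPv4Address     # address assigned by the server, invisible to the PC


class PnpTranslator:
    """Hypothetical model of PNP IP and DNS conversion (steps 2 and 3)."""

    def __init__(self, pool: IPv4Network, valid_dns: IPv4Address):
        self._free = list(pool.hosts())
        self.valid_dns = valid_dns
        self.by_mac: Dict[str, Session] = {}
        self.by_legal_ip: Dict[IPv4Address, Session] = {}
        # (legal IP, client port) -> DNS server the PC originally addressed
        self.pending_dns: Dict[Tuple[IPv4Address, int], IPv4Address] = {}

    def _session(self, pkt: Packet) -> Session:
        # The MAC address is the key: two PCs may carry the same original IP.
        s = self.by_mac.get(pkt.src_mac)
        if s is None:
            if len(self.by_mac) >= MAX_PNP_SUBSCRIBERS or not self._free:
                raise RuntimeError("subscriber table or address pool exhausted")
            s = Session(pkt.src_mac, pkt.src_ip, self._free.pop(0))
            self.by_mac[s.mac] = s
            self.by_legal_ip[s.legal_ip] = s
        return s

    def upstream(self, pkt: Packet) -> Packet:
        """Subscriber -> network: forward with the legal source address."""
        s = self._session(pkt)
        out = replace(pkt, src_ip=s.legal_ip)
        if pkt.proto == "udp" and pkt.dst_port == 53:
            # Remember which DNS server the PC asked, then redirect the query.
            self.pending_dns[(s.legal_ip, pkt.src_port)] = pkt.dst_ip
            out = replace(out, dst_ip=self.valid_dns)
        return out

    def downstream(self, pkt: Packet) -> Optional[Packet]:
        """Network -> subscriber: restore the addresses the PC expects."""
        s = self.by_legal_ip.get(pkt.dst_ip)
        if s is None:
            return None  # destination is not a PNP subscriber
        out = replace(pkt, dst_mac=s.mac, dst_ip=s.original_ip)
        if pkt.proto == "udp" and pkt.src_port == 53 and pkt.src_ip == self.valid_dns:
            original_dns = self.pending_dns.pop((s.legal_ip, pkt.dst_port), None)
            if original_dns is not None:
                out = replace(out, src_ip=original_dns)
        return out


def demo():
    """Constructed traffic: two PCs with the SAME original IP, different MACs."""
    gw = "00:00:5e:00:53:fe"
    mac_a, mac_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    home_ip, home_dns = IPv4Address("192.168.0.10"), IPv4Address("192.168.0.1")
    web = IPv4Address("192.0.2.80")
    t = PnpTranslator(IPv4Network("198.51.100.0/29"), IPv4Address("203.0.113.53"))

    a_up = t.upstream(Packet(mac_a, gw, home_ip, home_dns, "udp", 40000, 53))
    b_up = t.upstream(Packet(mac_b, gw, home_ip, web, "tcp", 50000, 80))
    a_down = t.downstream(
        Packet(gw, "", t.valid_dns, a_up.src_ip, "udp", 53, 40000))
    b_down = t.downstream(Packet(gw, "", web, b_up.src_ip, "tcp", 80, 50000))
    return a_up, a_down, b_up, b_down


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The table contents (MAC, original address, assigned address) are also what ties traffic seen upstream back to a particular terminal, since the original address alone is not unique.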

Note:
When combining the NAT and PNP functions, all the subscribers can use the same public address to
access the Internet. At this time, the newly allocated IP addresses all go through another NAT process.

3.8.6 Forced Portal

Forced Portal is a service in which the MA5200F redirects the access of a subscriber to
the Portal server of a specific service provider, when the subscriber passes the
authentication and connects to the Internet for the first time. With this function, the
subscriber will always be directed to the Web site of the specific service provider after
login.
The MA5200F is able to use HTTP redirecting function to redirect the subscriber to a
specific Portal server, no matter what type of access mode the subscriber is using.
For PPPoE access, the PPPoE Active Discovery Message (PADM) can also be used
for the redirection, in addition to the HTTP mode. When a PPPoE subscriber passes the
authentication, the MA5200F will send the forced Portal address to the PPPoE client
through PADM packets. If the client supports PADM, the browser on the subscriber
terminal will be activated and access the site.

Caution:

Forced Portal is different from forced Web authentication in the MA5200F. Forced Web authentication
means that the subscriber will be redirected to the Web server for authentication, if the subscriber attempts
to access an external site before authentication is passed. Forced Portal, by contrast, means that the first site
an authenticated subscriber accesses is directed to the Portal server of a service provider.


Forced Portal service helps service providers to advertise for themselves, to attract
more attention, and increase revenue from advertisement.

3.9 Network Management


An access network may make hybrid use of LAN Switch, IP DSLAM and VDSL switch
to access the subscribers. How to manage these various devices, and save the IP
address resource for these managed devices is an important issue to the system
administrator.
With HGMP, the MA5200F is able to manage its downlink Huawei Layer2 devices
(HGMP V1 can only manage the LAN Switches). HGMP contains the V1 and V2 suites,
each of which can work independently.
Through HGMP V1 or V2, the MA5200F is able to obtain information about the
downlink physical devices, and construct a complete topology map.

3.9.1 HGMP V1

HGMP V1 supports the query from and configuration for the downlink LAN Switches. It
can also monitor the change of communication state between the LAN Switch and the
MA5200F. HGMP V1 on the MA5200F implements the following functions:
• With HGMP V1, a LAN Switch that connects with the MA5200F can register
automatically to the MA5200F, and activate the default data configuration that can
satisfy the hybrid networking of MA5200F.
• The MA5200F can send configuration data to the LAN Switch, including the VLAN
ID, Tag attribute, UP/DOWN state, and VLAN broadcast domain, of a port. These
data can be configured on the MA5200F through command line interface.
• After a LAN Switch has been replaced, the new LAN Switch is able to inherit the
original data configured for the previous switch, which makes the replacement
easier.
• The LAN Switch can be loaded with program from remote place.
HGMP V1 is supported in the S2403F, S3026 series and S2008 series LAN Switches of
Huawei.

3.9.2 HGMP V2

HGMP V2 implements cluster management to discover the downlink Layer2 devices
and collect the topology information.
HGMP V2 suite consists of Neighbor Discovery Protocol (NDP), Neighbor Topology
Discovery Protocol (NTDP) and Cluster protocol.
• NDP is used to discover the information of the connected neighboring Huawei
device(s), which includes the device type, hardware version, software version,
connecting port, device ID, port address (device address), capability and
hardware platform.
• NTDP is used to collect topological information about the network that connects
with local device.
• Cluster protocol is used to establish and maintain the HGMP V2 cluster.
A cluster is a group of switches and a management domain as well. A cluster contains
one command switch (here it is the MA5200F) that controls the operation of the cluster,
and multiple member switches. The command switch manages and controls all the
member switches in the cluster through one public IP address.
In a cluster, network management is made through the same interface configured on
the command switch. Candidate switch is a switch that does not belong to any cluster,
and is discovered by NTDP. The candidate switch can be added into a cluster and
become a member switch, or can be managed independently without being added into
the cluster.
In HGMP V2 cluster management, the entire cluster needs only one public IP address.
This is very useful in an access network that owns large number of Layer2 devices,
because it saves a lot of IP addresses.

Note:
One MA5200F can manage a maximum of 400 LAN Switches.
A maximum of 300 LAN Switches that only support HGMP V1 can be registered to the MA5200F.
A maximum of 253 member switches can be managed in one cluster.

3.10 System Maintenance


The MA5200F can be maintained:
• through serial port communication program (running Xmodem protocol)
• through Telnet terminal (running Telnet protocol)
• through network management system (running SNMP)
Refer to Chapter 5 for more details about the network management system.

3.10.1 Managing the Operators

The operators here indicate the persons who maintain and manage the MA5200F
through the operation terminal like Telnet client terminal or serial port terminal.
The authorities of the MA5200F operators are classified into four levels: visitor, monitor,
operator, and administrator:
• Visitor (Vist): only the simplest commands can be executed, like ping and tracert
• Monitor (Monit): simple queries and execution of some system commands
• Operator (Oper): general configuration and maintenance on the MA5200F can be
implemented
• Administrator (Admin): all commands can be executed, including the management
of user accounts.
The attributes of an operator include account (user name), authority, password and
simultaneous logins.
The Oper and Admin can add or delete the accounts of other lower-level operators, and
can set their authority, password and simultaneous logins. Other operators can only
change their own passwords. A new account must not duplicate an existing one.

3.10.2 Loading and Backup

The MA5200F provides operation on the files in its Flash memory in a method similar to
that in the Disk Operating System (DOS):
• formats the Flash memory
• creates, deletes, switches and displays a directory
• displays current working directory
• copies, renames, moves, deletes, restores, compresses and decompresses a file
• sets file attributes
• displays the content of a file
All the external files can be loaded to flash memory of the MA5200F in FTP or TFTP
mode, either locally or remotely. Files in the MA5200F can also be backed up using the
same method.

I. Loading

The loading operation contains the loading of program and loading of configuration files.
The program here means host software, microcode and logic programs.
Programs can be loaded easily through the file system of the MA5200F. Software
releases of the MA5200F are provided in a package file. Load this file through FTP or
TFTP to the Flash memory of the MA5200F, and designate this package file as the boot
up file for the MA5200F. When the MA5200F starts, the package file will be
decompressed, and the programs contained in the file will be loaded.
The loading of configuration file is similar to that of the program files. The configuration
files can be edited offline, then uploaded to the MA5200F through FTP or TFTP. Note
that the configuration file must be loaded to the designated path: /vrpcfg.zip.


Caution:

The maximum size of MA5200F configuration file is 512k.

II. Backup

The MA5200F provides backup function for these files: configuration files, log files
(running log, operation log and debugging log), ticket files and alarm files. These files
can be backed up easily through the MA5200F file system by using FTP or TFTP
(excluding alarm information). Table 3-7 lists the file names and paths.

Table 3-7 Name and path for the backup files

| Backup file | File name and path |
|---|---|
| Configuration file | /vrpcfg.zip |
| Log file | /ic/*log.txt |
| Ticket file | /billfile/ |

You are recommended to execute the backup command to back up the ticket files, log
files and alarm files. The MA5200F provides complete backup system for these files.
The MA5200F has two parts of tickets: Cache-bill, which is stored in Synchronous
Dynamic Random Access Memory (SDRAM); and Flash-bill, which is stored in Flash
memory. You can also store the log files and alarm files in SDRAM and Flash memory if
necessary.
Cache-bills, log files and alarm files can either be backed up to the Flash memory, or
backed up to the TFTP server through TFTP. The ticket files, log files and alarm files in
Flash memory are backed up to the TFTP server. All these backup operations are
implemented either manually or automatically on the basis of time or quantity of files.

3.10.3 Information Center

The information center of the MA5200F controls the output of most of the information
and classifies the information. By combining with the Debug program, the information
center provides powerful support to the administrators in monitoring the network and
diagnosing the faults.
Table 3-8 shows the features of the MA5200F information center.


Table 3-8 Features of the MA5200F information center

| Features | Description |
|---|---|
| Information classification | The information center controls the output of the following types of information: running log, ordinary alarm, debugging information, operation log, debugging log and debugging alarm. |
| Information level | The information is classified into eight levels according to their importance, and the output can be filtered according to the importance. |
| Information output | The information can be output to four destinations from the information center: buffer, log host, operation terminal and network management station. |
| Information filtering | The system consists of various protocol modules, board driving programs and configuration modules; the information center provides filtering on the information according to source module. |
| Information output language | The information is output in English. |
| Information heading | The heading of each piece of information consists of a time stamp, source module information, information level, source slot and extract. |

The major task of the information center is to output the various types of information
from the function modules, according to their importance level and the user
configuration, to the four directions. The following section describes the classification,
level and output direction of the information.

II. Types of information

Table 3-9 shows the types of information in the MA5200F information center.

Table 3-9 Classification of information

| Information type | Description |
|---|---|
| Running log | Log information that is generated when the device is running. |
| General alarm | Alarm information generated from the hardware or software system of the device. |
| Debugging information | Information that is output during the debugging process. |
| Operation log | Log information about the operations made on the device by maintenance persons. |
| Debugging log | Log information about the operations made on the device by debugging persons. |
| Debugging alarm | Alarm generated during the debugging process. |

III. Information level

The information is classified into eight levels according to its severity or urgency.
When the information is filtered by level, information whose severity value is higher
than the set threshold is not output. The more urgent the information, the lower its
severity value: “emergencies” means level 1, and “debugging” means level 8. So when
the severity threshold is set to “debugging”, all the information will be output.
Table 3-10 lists all the eight levels of information.


Table 3-10 Information level

| Information level | Description |
|---|---|
| emergencies | Error that requires extremely urgent handling. |
| alerts | Error that requires immediate correction. |
| critical | Critical error. |
| errors | Error that requires attention but not critical. |
| warnings | Certain type of error may exist. |
| notifications | Information that needs attention. |
| informational | General prompt. |
| debugging | Debugging information. |

IV. Information output direction

The information in the MA5200F information center can be output to the buffer, log host,
operation terminal and network management station, as described in Table 3-11.

Table 3-11 Directions to output the information

| Directions to output the information | Description |
|---|---|
| Buffer | A buffer with proper size can be allocated in the MA5200F to record the information. |
| Log host | The information can be sent to the log host directly, and saved as files for query at any time. |
| Operation terminal | The information can be converted in character strings and sent to the command line system, then sent to the operation terminal (serial port terminal or Telnet terminal). |
| NMS | The information can be sent to the NM agent that exchanges information with the NMS through SNMP. |

3.10.4 Diagnoses and Debugging

I. Diagnoses

The MA5200F provides the diagnosis function at three levels: hardware, software and
service.
• Hardware diagnosis
The hardware diagnosis is implemented on the smallest hardware unit, like the memory
and the power voltage. The hardware diagnosis made by the MA5200F includes the
check on the memory, Flash, functional modules, physical interface chips, interfaces
and loops (loopback test).
• Software diagnosis
The software diagnosis is implemented on the software architecture, including the
check on the software version and running details like the memory occupation,
message queuing, timer status, CPU occupation rate (CPU stands for Central
Processing Unit).
• Service diagnosis
The service diagnosis is implemented on the service modules, including the display
and self-check of the fundamental data tables, like the information about subscriber
connection, packet forwarding, neighboring nodes, and ARP message. This diagnosis
can also be made through the command line interface.

II. Debugging

The MA5200F provides a complete debugging mechanism. The software debugging on
the MA5200F is based on the modules. After the debugging switch of a certain module
has been turned on, you can use related debug commands to display the information
about the module. The information can also be reported to the operation terminal in
real time, in order to facilitate troubleshooting.

3.10.5 Tools for Connectivity Test

The MA5200F provides Ping, Tracert and Telnet tools to test the network connectivity
for easier troubleshooting.

Note:
Basic principles about Ping, Tracert and Telnet are found in most of the TCP/IP publications; hence they
are not given here.


Chapter 4 Networking Applications

The MA5200F is located at the access layer or convergence layer of the network, which
needs user management and security management. It provides functions such as user
management, authentication, accounting, address management, and security control.
It can be widely used in the telecom operator’s broadband Metropolitan Area Network
(MAN), enterprise network, Campus Area Network (CAN), Government Data Network
(GDN), and intelligent hotel.

In this chapter, the networking based on different Layer2 devices is introduced,
followed by the networking for different situations and the networking for value-added
services.

4.1 Networking Based on Layer2 Devices

In typical applications, the MA5200F connects upstream to the L3 (Layer Three
LAN Switch)/GSR in the convergence layer or backbone layer, and downstream to the
Ethernet switch, IP DSLAM, VDSL access switch, or WLAN through FE/GE interfaces.
In this way, it can accomplish the broadband access based on the Ethernet, xDSL,
HFC, or WLAN.

4.1.1 Networking Based on Ethernet Access

I. Concentrated management and control mode

The networking for concentrated management and control of Ethernet access is as
shown in Figure 4-1.

[Figure labels: AAA/RADIUS Server, VOD Server, Portal Server, MAN backbone network, L3/GSR, MA5200F, LAN Switch, HUB, PC]

Figure 4-1 Networking for Ethernet access application (concentrated management and control)

In the concentrated management and control mode, various servers, like Video On
Demand (VOD) server, World Wide Web (WWW) server, DHCP server, RADIUS server
and Portal server are provided by the MAN operators. This mode is commonly seen
when the whole MAN is established by one operator.

II. Distributed management and control mode

The networking for distributed management and control mode is as shown in Figure 4-2.
In this networking mode, various LANs have their own servers. This mode is commonly
seen when the Customer Premises Network (CPN) is opened, and multiple operators
establish the LANs.

[Figure labels: MAN backbone network, L3/GSR, VOD Server, AAA/RADIUS Server, Portal Server, MA5200F, LAN Switch, HUB, PC]

Figure 4-2 Networking for Ethernet access application (distributed management and control)

4.1.2 Networking for xDSL Access

Through the IP DSLAM devices (Huawei’s MA5100 series) connecting to the FE
interface, the MA5200F can access, authenticate and manage ADSL subscribers. The
MA5200F can also access, authenticate and manage VDSL subscribers through VDSL
devices (such as Huawei’s S3026V).

The networking including these two access modes is as shown in Figure 4-3. The
MA5200F connects with the MA5105 (IP DSLAM) through the FE interface. The
MA5105 accesses ADSL subscribers through the Remote Terminal Unit (RTU) and
subscriber authentication is implemented on the MA5200F. Similarly, the S3026V can
connect to the MA5200F, and the S3026V can access VDSL subscribers through
Customer Premises Equipment (CPE). Authentication and accounting of the subscriber
can be implemented on the MA5200F.

[Figure labels: VOD Server, AAA/RADIUS Server, Portal Server, MAN backbone network, L3/GSR, MA5200F, FE, S3026V, MA5105, CPE, RTU, PC]

Figure 4-3 Networking for xDSL access

4.1.3 Networking for HFC Access

Through the Cable Modem Terminal System (CMTS) or Cable Modem (CM), the
MA5200F can access HFC subscribers. Subscriber’s PC can access the CMTS
through the CM and Cable TV (CATV) coaxial cable. The CMTS accesses the
MA5200F through network cable or fiber. The MA5200F performs the functions like
subscriber authentication. The networking for HFC access is as shown in Figure 4-4.

[Figure labels: VOD Server, AAA/RADIUS Server, Portal Server, MAN backbone network, L3/GSR, MA5200F, CMTS, CATV coaxial cable, CM, PC]

Figure 4-4 Networking for HFC access

4.1.4 Networking for WLAN Access

In the networking of WLAN access, the MA5200F acts as AC device, implementing the
authentication and service control of WLAN subscribers. The fundamental networking
is as shown in Figure 4-5.

[Figure labels: WLAN SIM Authentication Server (AS), RADIUS Server, Portal Server, MAN backbone network, L3/GSR, MA5200F (AC), LAN Switch, AP, PC, NoteBook]

Figure 4-5 Networking for WLAN access

The subscriber establishes a wireless link with the Access Point (AP), through the
wireless network adapter, or Subscriber Identity Module (SIM) card. The AP accesses
the MA5200F through the LAN Switch. Usually, the AP does not have the VLAN
isolation function, and needs to implement it via the LAN Switch. The MA5200F
implements the authentication and management (the authentication for a mobile
subscriber using the SIM card needs to be processed on the AS).

Note:
In actual applications, the various Layer2 access devices described above can be combined in a hybrid
network, which can provide Ethernet, xDSL, HFC and WLAN access.

4.2 Networking for Varied Application Situations

Besides the above typical MAN networking, the MA5200F can be used for CAN,
enterprise network, GDN, intelligent building, and intelligent community. The related
networking is described in the following part.

Note:
The networking based on application situations and value-added services can also use the Layer2 access
devices, rather than via the Ethernet only.

4.2.1 Networking for CAN

The networking for CAN is as shown in Figure 4-6.

[Figure labels: NMS, AAA Server, Internet, 163, CERNET, L3/GSR, Former network, MA5200F, LAN Switch, PC]

Figure 4-6 Networking for CAN

In CAN, the MA5200F can act as the BAS device of Layer3. It can be directly
connected to the L3/GSR, providing authentication (usually Web authentication mode)
for CAN subscribers who visit the external network. It can also act as the device of
convergence layer or access layer, providing access or convergence service for the
dormitory building, teaching building and office building.

4.2.2 Networking for Enterprise Network

The networking for enterprise network is as shown in Figure 4-7.

[Figure labels: Headquarters, Branch 1, Branch 2, MAN backbone network, MA5200F, LAN Switch, DHCP server, File server, PC]

Figure 4-7 Networking for enterprise network

By nature, an enterprise network is not an operational network; therefore, it places fewer
demands on manageability and operability, but more on the security of data.

The networking for enterprise network resembles that for MAN access network: the
LAN Switch accesses the subscribers, and the MA5200F converges the services. The
servers in the enterprise network can also be connected to the MA5200F. Access
networks can be separately built for multiple branches, which are connected via MAN.
Technologies like VPN are adopted to guarantee the security of the enterprise network.

4.2.3 Networking for GDN

GDN requires high security. The MA5200F can be used in the edge access layer of
GDN, providing access control, authority control and fake restriction over subscribers. It
can also provide CE function and cooperate with core layer equipment to form the
Multiprotocol Label Switching Virtual Private Network (MPLS VPN) of the whole
network.

The use of the MA5200F in GDN is as shown in Figure 4-8.

[Figure labels: PE, P, MA5200F, CE, LAN Switch, PC]

Figure 4-8 Networking for GDN

4.2.4 Networking for Intelligent Buildings

The MA5200F can be used in intelligent buildings to provide Internet access services
via dedicated lines for small- and medium-sized enterprises. It can control the access
of the dedicated line and charge the subscriber according to the time duration or traffic.

Enterprises can access the MA5200F in various modes, including the access via
Layer2 switch, router, and Proxy server.

The networking for intelligent buildings is as shown in Figure 4-9.

[Figure labels: Enterprise 1, Enterprise 2, Enterprise 3, Enterprise 4, S3026, R3620, Proxy Server, VLAN leased line, Proxy leased line, PPPoE leased line, MA5200F, GSR, Internet]

Figure 4-9 Networking for intelligent buildings

4.2.5 Networking for Intelligent Community

The use of the MA5200F in an intelligent community is as shown in Figure 4-10. The
MA5200F can be connected with the Intelligence Digital Terminal (IDT). Fixed IP
address is adopted, and the IDT is configured through the MA5200F. The IDT has a
4-port Hub, which can connect the subscriber ports provided by the computer and LAN
Switch. The IDT also has various sensors and probes, which can collect the alarm
information related to water, electricity, gas and smoke. Via the MA5200F, such
information is sent to the data center of the community and automatic management of
the community is implemented. Simultaneously, the data center can provide services
like VOD, information query, and community bulletin board.

[Figure labels: MAN backbone network, AAA/RADIUS Server, L3/GSR, Community data center, VOD Server, Portal Server, MA5200F, LAN Switch, Family A, Family B, Digital water meter, Digital ammeter, Smoke sensor, HUB/IDT, PC]

Figure 4-10 Networking for intelligent community

4.3 Networking for Value-added Services

With the powerful functions of the MA5200F, network operators (carriers) can provide
various value-added services, like controllable multicast, IP Hotel (including “Plug and
Play”), VPDN, NGN bearer network, and forced Portal. In the following part, some
commonly used networking modes for value-added services are introduced.

4.3.1 Networking for Controllable Multicast

The MA5200F can work with Huawei’s LAN Switch and IP DSLAM, providing
controllable multicast service for Ethernet access subscribers and ADSL access
subscribers. The networking is as shown in Figure 4-11.

In multicast service, the MA5200F acts as the proxy server. The multicast source can
be the multicast server connected directly to the MA5200F, or the server in the MAN.
When the multicast proxy function of the MA5200F is turned on, control messages
are exchanged between the multicast source and the MA5200F by using IGMP. The MA5200F and
its subordinate device (supporting HGMP V2) can exchange the multicast control
messages by using HGMP.

The multicast subscriber and multicast source can be controlled through authentication
and authorization. By using HGMP, controllable management over multicast service
can be implemented. Accounting can be performed according to the time duration or
traffic.

PIM-SM runs between the MA5200F and the router or Layer3 switch on the network
side. The system can access the backbone network in the double return circuit mode,
improving the reliability of the multicast service.

[Figure 4-11 Networking for controllable multicast. Diagram labels: Multicast source (two), iTELLIN, MAN backbone network, L3/GSR, PIM, Program making center, Video service network, MA5200F, L3, LAN Switch, MA5105, RTU, PC.]

Note:
The MA5200F can also work with the LAN Switch and IP DSLAM devices from other suppliers, providing
uncontrollable multicast service.

4.3.2 Networking for IP Hotel

The IP Hotel service of the MA5200F is mainly used in public places such as hotels,
airports, exhibition centers and malls. With the “Plug and Play” function of the MA5200F
and the IP Hotel broadband value-added service platform, the subscriber can access
the Internet by connecting the computer to the MA5200F. Figure 4-12 demonstrates the
networking for IP Hotel, with a hotel as an example.

The MA5200F can work with Huawei’s iTELLIN broadband intelligent service system
and the console for an IP Hotel solution, providing broadband access for multiple hotels.
A virtual subscriber management/accounting/configuration platform can be provided for
each hotel.

Figure 4-12 Networking for IP Hotel

4.3.3 Networking for MPLS VPN

The MA5200F can act as the CE device in MPLS VPN, and work with the P/PE devices
in the backbone network to construct the MPLS VPN of the whole network. The
MA5200F can also act as the non-managed CE (using VLAN transparent transmission
technology) or manageable CE (using policy routing technology) to access subscribers,
providing the service convergence function. The use of the MA5200F in MPLS VPN is
as shown in Figure 4-8.


Chapter 5 NMS

5.1 Features of NMS

NMS is the abbreviation of Network Management System. The MA5200F provides the
SNMP network management interface, which enables the iManager N2000 or
Quidview NMS (hereafter called Quidview for short) to effectively manage the
MA5200F and the network connected to it. These NMSs help the subscriber
anticipate and detect network faults, manage distributed network nodes centrally,
and plan and assign network resources reasonably.

Main features of the iManager N2000/Quidview:

I. Open management frame

• Standard SNMP is adopted.
• Management Information Base (MIB) adopts standard definition.
• NMS adopts Client/Server structure.
• NMS can dynamically expand to new services.

II. Supporting multiple NMS platforms

• Support multiple hardware platforms, like SUN workstation.
• Support multiple operating systems (OS), for example, SUN Solaris.
• Support multiple databases, including Sybase, Oracle and so on.
• Support NMS platforms of other manufacturers.

III. Complete NMS functions

• Management functions, including configuration, fault management, performance
management, security management, and accounting.
• Management layers include equipment management and network management.

IV. Monitor and analysis tools in GUI form

• Topological view of layer structure.
• Realtime data monitor in Graphic User Interface (GUI) form.
• Analysis of statistical data in GUI form.

5.2 NMS Functions

The iManager N2000/Quidview provides the following NMS functions for the MA5200F:

• Effective management and configuration of the MA5200F, LAN Switch and
network, including query, enabling and disabling of ports; query, resetting and
loading of boards; configuration and query of port parameters and VLAN; and
routing configuration.
• Via the topological view, configuration, performance monitor and fault query, the
network administrator can conveniently use the GUI to manage and maintain the
broadband devices, and anticipate and detect network faults.
• Via the performance monitor, fault query and configuration management tool, the
network administrator can learn the network configuration and performance
parameters in time, then optimize the network according to the data provided by
the NMS and keep the network working in good condition.
• Flexible and convenient online help reduces the time and expense of training
network administrators, and decreases the cost of managing the system.
• The NMS provides a security management mechanism. The network
administrator can use the NMS only after passing the registration and login
procedure. The administrator can perform network management within the
authority range granted by the system.
• The MA5200F NMS provides six functions: configuration management,
performance management, fault management, accounting management, security
management and log management.


Chapter 6 Parameters and Specifications

6.1 Parameters of Power Supply and Environment

6.1.1 Parameters of Power Supply

The parameters of power supply in the MA5200F are shown in Table 6-1.

Table 6-1 Parameters of power supply in MA5200F

| Item | Sub-item | Parameter |
|---|---|---|
| Working power supply | AC (Alternating Current) | (110V/220V) ±20%; Frequency range: 47~63Hz |
| Working power supply | DC (Direct Current) | -48V (-72V~-36V) |
| Output voltage of power supply | | 3.3V or 12V |
| Rated current | | 3A |
| Electro Magnetic Interference (EMI) filter | Conduct | Class B |
| Electro Magnetic Interference (EMI) filter | Radiation | Class B |
| Power consumption with full configuration | | <90W |
| Power consumption of board | H521SPUC (MA5200F main service processing board)/H521SPUE (MA5200F-2000 main service processing board) | <55W |
| Power consumption of board | H521XSMC (pinch board of external search engine) | <6W |
| Power consumption of board | H521OG2C (GE service pinch board with double ports) | <5W |
| Power consumption of board | H521O6FC (FE service pinch board x4) | <6W×4=24W |

6.1.2 Environment Parameters

The environment parameters of MA5200F are shown in Table 6-2.

Table 6-2 Environment parameters of MA5200F

| Item | Sub-item | Parameter |
|---|---|---|
| Working temperature | Long-term | 0°C~45°C |
| Working temperature | Short-term | -5°C~55°C |
| Working humidity | | 10%~90%, no coagulation |
| Storage conditions | Temperature | -40°C~70°C |
| Storage conditions | Humidity | 10%~90%, no coagulation |
| Cleanness | | Density of dusts (with diameter larger than 5µm) ≤3×10^4 grains/m^3. The dusts must be insulative, unmagnetized and noncorrosive. |


6.2 Performance Parameters

The performance indices of MA5200F are shown in Table 6-3.

Table 6-3 Performance indices of MA5200F

| Item | Sub-item | Parameter |
|---|---|---|
| Switch capacity | | 10Gbps non-blocked shared buffer switching, with shared buffer as 3MB. |
| RTC accuracy | | < 2 s/day |
| Number of physical ports | 10Base-T/100Base-TX electric port or 100Base-FX optical port | 24 |
| Number of physical ports | 1000Base-FX optical port | 1 or 2 (optional) |
| Number of physical ports | 10Base-T/100Base-TX maintenance port | 1 |
| Logical interface | Virtual template interface | 32 |
| Logical interface | Trunk interface | 13 |
| Logical interface | VLAN sub-interface | 512 |
| Logical interface | GRE tunnel interface | 128 |
| Forwarding rate of IP packets | Without QoS control | 3Mpps, forwarding at wire speed. |
| Forwarding rate of IP packets | With QoS control | 2Mpps, forwarding at wire speed. |
| Time delay in forwarding | FE | <40µs (for packets smaller than 64 bytes); <180µs (for packets smaller than 1518 bytes) |
| Time delay in forwarding | GE | <40µs |
| Speed for login/logout | | <5s |
| Number of concurrent users | | 10% users can be concurrent users. That means in 10 seconds, 100 (MA5200F) or 200 (MA5200F-2000) users can log in or log out. |
| Disconnection rate | 10% of users are online | <1% (3 hours); <2% (6 hours); <3% (24 hours) |
| Disconnection rate | 100% of users are online | <1% (3 hours); <3% (6 hours); <5% (24 hours) |
| Average time delay in the processing of PPPoE calls | | <3s |
| TCP/IP | Total number of TCP/UDP sockets | 4096 |
| Routing | Capacity of routing table | 1k |
| Routing | Static route | 256 |
| Routing | RIP | 32 neighbors, 8 interfaces |
| Routing | OSPF | 32 areas, 100 interfaces/areas |
| Routing | BGP | 8 peers, 32 ASs |
| Routing | PIM-SM | 32 neighbors. Each port has 8 neighbors and can be configured with 8 standby Rendezvous Points (RP). |
| ARP/ARP Proxy | Number of ARP table items | 4k access users +4k Layer3 routing devices |
| ARP/ARP Proxy | AIB (ARP Information Base) table items | 4k access users +4k Layer3 routing devices |
| Number of VLAN | | Each port has 4k VLANs (the VLANs of the ports can overlap each other) |
| User capacity | Concurrent online users | 1k (MA5200F) or 2k (MA5200F-2000) |
| User capacity | Number of VLANs transmitted transparently | 128 |
| User capacity | Number of VLAN dedicated lines | 128 (VLAN dedicated lines, Proxy dedicated lines) |
| User capacity | ISPs | 128 |
| IP address pool | Number of IP address pools | 128 |
| IP address pool | Total IP addresses | 8k |
| IP address pool | Maximum of address segments in each IP address pool | 8 |
| IP address pool | Maximum of IP addresses in each IP address segment | 1024 |
| Accounting | Capacity of local bills | SDRAM: 5k; Flash: 70k |
| Accounting | Precision of the time in prepay service | ≤1s |
| NAT | Number of IP address pools in public network | 16 |
| NAT | Number of NAT connections | 20k |
| NAT | Speed of NAT connections | 2k/s |
| NAT | Forwarding speed | 1.5Mpps |
| NAT | Throughput | 1Gbps |
| Plug-and-play | Number of users supported | When there is no NAT at the egress, 2k users can be supported. When there is an NAT at the egress, 512 users can be supported. |
| Plug-and-play | Forwarding speed | 1.5Mpps |
| Plug-and-play | Throughput | 1Gbps |
| VPDN | Number of L2TP tunnels | 128 |
| VPDN | Number of VPDN users | 1k |
| Multicast | Authorization groups for user multicast | 256 |
| Multicast | Multicast groups can be simultaneously obtained by the user | 4 |
| CAR | Range of bandwidth | 64kbps~100Mbps (FE); 64kbps~1Gbps (GE) |
| CAR | Granularity | 1kbps |
| CAR | Precision | ±3% |
| ACL | Number of Rules | 32 Rules can be configured for an ACL. |
| ACL | Number of ACLs | Number of standard ACLs: 99 (1~99); Number of advanced ACLs: 100 (100~199). Note: 198 and 199 are reserved for HGMP. |
| QoS | User priority levels | 8 |
| Mean Time Between Failures (MTBF) | | 133000 hours |
| Built-in Web authentication server | Users supported | 512 |
| Built-in Web authentication server | Heartbeat detection period | 10~60s |
| HGMP V1 | Number of manageable LAN Switches | 300 |
| HGMP V1 | Number of LAN Switch concatenations allowed | 3 |
| HGMP V1 | Number of supported LAN Switch types | S2403F, S2403H, S3026, S3026V, S2008, S2016, S2026, S2008B, S2016B, S2026B |
| HGMP V2 | Number of manageable LAN Switches | 253 |
| HGMP V2 | Number of LAN Switch concatenations allowed | Configurable |
| HGMP V2 | Number of supported LAN Switch types | S2403H, S3026, S3026V, S2008, S2016, S2026 |
| Patch | Maximum number of patches | 200 |
| Patch | Maximum number of functions for each patch | 20 |


6.3 Technical Parameters of Interfaces

6.3.1 Technical Parameters of 1000M Ethernet Optical Interface

I. General features

Table 6-4 General features of 1000M Ethernet optical interface

| Features | Indices |
|---|---|
| Rate | 1250Mbps |
| Format | 1000Base-FX (IEEE802.3z) |
| Mode | Single mode/multimode |
| Connector | LC |
| Transmission distance | Single mode: 10km, 40km, 70km; Multimode: 500m |
| Standard of optical interface | GPCS interface |
| Environment temperature | 0°C~70°C |

II. Technical parameters of single mode optical interface

• Features of laser

Table 6-5 Transmission parameters of 1000M Ethernet single mode optical interface (10km)

Parameter Symbol Min. Typical value Max. Unit Description

Output 9µm SMF POUT -9.5 -3 dBm Description 1
optical 62.5/125µm MMF POUT -11.5 -3 dBm Description 1
power 50µm MMF POUT -11.5 -3
Extinction ratio 9 dB Description 2
Central wave length 1285 1310 1343 nm
ns
Spectrum range rms 2.8
rms
Rise/fall time of optical pulse tr/tf 0.26 ns Description 3, 4
RIN12 -120 dB/Hz
Total jitter of the optical generator
227 ps Description 5
at TP2 point

Table 6-6 Transmission parameters of 1000M Ethernet single mode optical interface (40km/70km)

Parameter Symbol Min. Typical value Max. Unit Description


Output 40km -4 1
optical 70km PO dBm
-3 2
power
Extinction ratio Phi/Plo 9 dB
Central wave length λC 1480 1550 1580
nm
Spectrum range rms Δλ20 1.0


• Features of receiver

Table 6-7 Receiving parameters of 1000M Ethernet single mode optical interface (10km)

Parameter Symbol Min. Typical value Max. Unit Description


Input optical power PIN -20 -3 dBm Description 6
Sensitivity of strain receiver -14.4 dBm
Openness of eye pattern of the
201 ps Description 5
strain receiver at TP4 point
Central working wave length 1270 1355 nm
Cutoff frequency at the 3dB
1500 MHz Description 7
bandwidth of the receiver
Return loss 12 dB Description 8

Table 6-8 Parameters of 1000M Ethernet single mode optical interface (40km/70km)

Parameter Symbol Min. Typical value Max. Unit Description


Minimum input optical 40km -21 -24
Pmin
power 70km -23 -26
Maximum input optical power Pmax -3 dBm
40km -21
Sensitivity of strain receiver
70km -23
Openness of eye pattern of the
201 ps
strain receiver at TP4 point
Central working wave length 1100 1600 nm
Cutoff frequency at the 3dB
1500 MHz
bandwidth of the receiver
Return loss 12 dB

Note:
Description 1: Maximum output optical power meets IEEE802.3z, and meets the class 1 laser safety
requirement for human eyes.
Description 2: Extinction ratio means the ratio between the average output optical powers when the
transmitter sends “0” and “1”.
Description 3: The 20%~80% values not filtered.
Description 4: The pulse features of the laser can be displayed in eye pattern. The output wave form meets
the requirements of eye pattern template described in section 38.6.5 of IEEE802.3z.
Description 5: TP is the turn point defined in section 38.2.1 of IEEE802.3z.
Description 6: The sensitivity of the receiver is sampled in the center of the eye pattern when the extinction
ratio is in the worst condition.
Description 7: The 3dB bandwidth of the receiver is tested according to the indices listed in section
38.6.11 of IEEE802.3z.
Description 8: Return loss is defined as the minimum loss when the received optical power is reflected to
the fiber.


III. Technical parameters of multimode

• Features of laser

Table 6-9 Transmission parameters of 1000M Ethernet multimode optical interface

Parameter Symbol Min. Typical value Max. Unit Description


50/125µm, NA=0.20
Output POUT -9.5 -4 dBm Description 1
fiber
optical
62.5/125µm,
power POUT -9.5 -4 dBm Description 1
NA=0.20 fiber
Extinction ratio 9 dB Description 2
Central wave length 830 850 860 nm
ns
Spectrum range rms 0.85
rms
Rise/fall time of optical pulse tr/tf 0.26 ns Description 3, 4
RIN12 -117 dB/Hz
Coupling power ratio CPR 9 dB Description 5
Total jitter of transmitter at TP2
227 ps Description 6
point

• Features of receiver

Table 6-10 Receiving parameters of 1000M Ethernet multimode optical interface

Parameter Symbol Min. Typical value Max. Unit Description


Input optical power PIN -17 0 dBm Description 7
Sensitivity of strain 62.5µm -9.5 -12.5 dBm
receiver 50µm -9.5 -13.5 dBm
Openness of the eye pattern in
201 ps Description 6
the strain receiver at TP4 point
Central working wave length 770 860 nm
Cutoff frequency at the 3dB
1500 MHz Description 8
bandwidth of the receiver
Return loss 12 dB Description 9


Note:
Description 1: Maximum output optical power meets IEEE802.3z, and meets the class 1 laser safety
requirement for human eyes.
Description 2: Extinction ratio means the ratio between the average output optical powers when the
transmitter sends “0” and “1”.
Description 3: The 20%~80% values not filtered.
Description 4: The pulse features of the laser can be displayed in eye pattern. The output wave form meets
the requirements on eye pattern template described in section 38.6.5 of IEEE802.3z.
Description 5: CPR is tested according to section 38.6.10 of IEEE802.3z and the EIA/TIA-526-14A
standard.
Description 6: TP is the turn point defined in section 38.2.1 of IEEE802.3z.
Description 7: The sensitivity of the receiver is sampled in the center of the eye pattern when the extinction
ratio is in the worst condition.
Description 8: The 3dB bandwidth of the receiver is tested according to the indices listed in section 38.6.11
of IEEE802.3z.
Description 9: Return loss is defined as the minimum loss when the received optical power is reflected to
the fiber.

6.3.2 Technical Parameters of 100M Ethernet Optical Interface

I. General features

Table 6-11 General features of 100M Ethernet optical interface

| Feature | Index |
|---|---|
| Speed | 100Mbps |
| Format | 100Base-FX (IEEE802.3u) |
| Mode | Single mode/Multimode |
| Connector | LC |
| Transmission distance | Single mode: 15km; Multimode: 2km |
| Standard of optical interface | SAMI interface |
| Environment temperature | 0°C~70°C |

II. Technical parameters of single mode optical interface

• Features of laser

Table 6-12 Transmission parameters of 100M Ethernet single mode optical interface

Parameter Symbol Min. Typical value Max. Unit


Current of power supply Icc 50 120 mA
Power consumption Pdiss 0.17 0.42 W
Output optical power Po -15 -8 dBm

Central wave length λ 1261 1360 nm
Spectrum range Δλ - 7.7 nm
Extinction ratio Er 8.2 dB
Meets Bellcore TR-NWT-000253 and the requirements on eye pattern
Output eye pattern
template in ITU (International Telecommunications Union) G.957
Rise time of optical pulse tR - 2 ns
Fall time of optical pulse tF - 2 ns
Input current of the data (low) IiL -200 - mA
Input current of the data (high) IiH - 200 mA
Input voltage of the data (low) ViL-Vcc -1.81 -1.48 V
Input voltage of the data (high) ViH-Vcc -1.17 -0.88 V

• Features of optical receiver

Table 6-13 Receiving parameters of 100M Ethernet single mode optical interface

Parameter Symbol Min. Typical value Max. Unit


Current of power supply Icc 75 100 mA
Power consumption PDISS 0.26 0.35 W
Sensitivity of the receiver at the
PIN Min(C) -31.8 dBm
center of the eye pattern
Sensitivity of the receiver at the
PIN Min(W) -31 dBm
edge of the eye pattern
Max. input optical power PIN Max -8 - dBm
Working wave length λ 1261 1360 nm
Output voltage of the data (low) Vol-Vcc -1.84 -1.62 v
Output voltage of the data (high) VoH-Vcc -1.04 -0.88 v
Output voltage of signal monitor
Vol-Vcc -1.84 -1.62 v
(low)
Output voltage of signal monitor
VoH-Vcc -1.04 -0.88 v
(high)
Signal monitor alarm-start PA PD+1.5dB -34 dBm
Signal monitor alarm-close PD -45 dBm
Signal monitor alarm-lag PA-PD 0.5 4 dB
Start time of signal monitor alarm
AS_Max 0 100 µs
(from 0 to 1)
Close time of signal monitor alarm
ANS_Max 0 350 µs
(from 1 to 0)
Noise restrain of power PSNR 50 mV

III. Technical parameters of multimode optical interface

• Features of laser

Table 6-14 Transmission parameters of 100M Ethernet multimode optical interface

Parameter Symbol Min. Typical value Max. Unit


Output optical power BOL -19
PO -15.7 -14 dBm
62.5/125µm, NA=0.275 EOL -20

Output optical power BOL -22.5
PO -14 dBm
62.5/125µm, NA=0.20 EOL -22.5
0.05 0.2 %
Extinction ratio
-50 -35 dB
Output optical power of code "0" PO("0") -45 dBm
Central wave length λc 1270 1308 1380 nm
Spectrum range -FWHM 147
Δλ ns
-RMS 63
Rise time of optical pulse tr 0.6 1.2 3 ns
Fall time of optical pulse tf 0.6 2 3 ns
Systematic jitter of transmitter SJ 0.04 1.2 ns p-p
Random jitter of transmitter RJ 0 0.52 ns p-p

• Features of receiver

Table 6-15 Receiving parameters of 100M Ethernet multimode optical interface

Parameter Symbol Min. Typical value Max. Unit


Minimum of input optical power
PIN Min (W) -30 dBm
(at the edge of eye pattern)
Minimum of input optical power
PIN Min (C) -31 dBm
(at the center of eye pattern)
Maximum of input optical power PIN Max -14 dBm
Working wave length λ 1270 1380 nm
Systematic jitter of receiver SJ 0.2 1.2 nm
Random jitter of receiver RJ 1 1.91 ns p-p
Signal monitor alarm-start PA PD+1.5dB -31 dBm
Signal monitor alarm-close PD -45 dBm
Signal monitor alarm-lag PA-PD 1.5 dB
Start time of signal monitor alarm
0 2 100 µs
(from 0 to 1)
Close time of signal monitor alarm
0 5 350 µs
(from 1 to 0)

6.3.3 Technical Parameters of 100M Ethernet Electric Interface

I. General features

Table 6-16 General features of 100M Ethernet electric interface

| Feature | Index |
|---|---|
| Speed | 10/100Mbps compatible |
| Format | 10Base-T/100Base-TX |
| Mode | UTP/STP |
| Connector | RJ-45 |
| Transmission distance | UTP: 100m; STP: 150m |
| Cable type | Category-5 twisted pair |


II. Parameters of 100M Ethernet electric interface

• Interface parameters of transmitter

Table 6-17 Transmission parameters of 100M Ethernet electric interface

Parameter Symbol Min. Typical value Max. Unit Description

Output voltage of differential mode (UTP) Vout 1165 1285 mV Description 1
Output voltage of differential mode (STP) Vout 950 1050 mV Description 1
Symmetry of signal amplitude 0.98 1.02 Description 2
Resistance return loss (2MHz~30MHz) 16 dB Description 3
Resistance return loss (30MHz~60MHz) 16-20log(f/3) dB Description 4
Resistance return loss (60MHz~80MHz) 10 dB
Rise/fall time at the edge of signal tr/tf 3.0 5.0 ns Description 5
Overshoot of wave form Vover Vout×5% mV Description 6
Distortion of duty ratio ±0.5 ns Description 7
Jitter 0.5 ns

• Interface parameters of receiver

Table 6-18 Receiving parameters of 100M Ethernet electric interface

Parameter Symbol Min. Typical value Max. Unit Description

Resistance return loss (2MHz~30MHz) 16 dB Description 3
Resistance return loss (30MHz~60MHz) 16-20log(f/3) dB Description 4
Resistance return loss (60MHz~80MHz) 10 dB
Restrain capability of common mode (resist frequency) 0 125 MHz
Restrain capability of common mode (resist amplitude) 1.0 Vpp


Note:
Description 1: Output voltage of differential mode refers to the difference between the voltages at the two
ends of the balance circuit. The output voltage of differential mode of the transmitter is the voltage
difference between the differential line pair TD+ and TD-.
Description 2: Symmetry of signal amplitude equals the ratio between the absolute values of +Vout and
–Vout.
Description 3: Resistance return loss is an important index that reflects the match of resistance. The
calculation formula is Xr=20lg|(Z+R)/(Z-R)|. Z is the actual resistance, R is the rated resistance, the rated
resistance of UTP is 100 ohms, and that of STP is 150 ohms.
Description 4: f is the frequency, in the unit of MHz.
Description 5: The rise edge is defined as the time needed for the signal to transit from base voltage
(usually 0) to the stable value +Vout or –Vout. The fall edge is defined as the time needed for the signal
to transit from +Vout or –Vout to base voltage. They are usually 10%~90% of the Vout.
Description 6: Overshoot of wave form indicates the relationship between the output voltage Vout of
differential mode in stable status and the signal overshoot peak voltage Vover (the maximum deviation
from the stable status value in transition).
Description 7: Distortion of duty ratio means the changes of pulse width caused by deformation and time
delay in signal transmission. Such changes may change the ratio between the time durations in which
there is pulse and no pulse.

6.4 Designs for Reliability and Security

6.4.1 Reliability of Hardware

In the design of the MA5200F hardware, the system's reliability and stability have been
taken into account. Therefore, the investments of the operators are protected. The
main designs of reliability include:
• SPUC/SPUE is designed with a software/hardware watch dog circuit. When a
serious fault occurs, the resetting circuit of the board will be triggered.
• The hardware is designed with protection functions for over-current, over-voltage
and short circuit.
• The power supply is designed with protection functions for too high/low voltage
and current. It supports the input of AC and DC, and provides 1+1 backup.
• System MTBF>133000 hours. Mean Time to Repair (MTTR) <2 hours.

6.4.2 Reliability of Software

The software of MA5200F is designed with the following functions for reliability:
• Loading and backup of running software and configuration data.
• Operation users can be managed hierarchically according to their priorities, so as
to guarantee the security of operation and data.
• VLAN, IP and MAC can be bound for authentication, so as to prevent impersonation.
• Port-based traffic control, which prevents broadcast storms.
• Control over user flow numbers and transmitting speed of the first packet, which
prevents Denial of Service (DoS) attacks and port scan attacks.
• Support of port bundling, achieving network reliability.

6.4.3 Security of Hardware

MA5200F has the following designs for security.

I. Electro Magnetic Compatibility (EMC)

All the ports of the MA5200F adopt connectors with metal shielding shells, which make
good contact with the cabinet cover. The maximum length of the seam between the
connector and the cabinet cover is not greater than 25mm. The maximum lengths of the
seams between the connectors are not greater than 25mm. All the cables led out are
shielded cables.

II. Lightning protection and grounding

The metal cover of the MA5200F cabinet is connected to the grounding post on the
board via multiple conduction installing holes. The shell of the power supply is
connected with the cabinet via multiple installation bolts. An M3 grounding bolt is
installed out of the cabinet.

III. Security specifications

The MA5200F uses security-qualified components and parts. The edges and corners of
the device are all polished. Protection measures are provided for the fans.

IV. Heat dissipation

All the parts which generate high heat have cooling fins. The whole system is designed
with four fans for heat dissipation.

6.4.4 Security of Services

The MA5200F provides carrier-class security features, including:

I. Binding of VLAN+MAC+IP

Binding of VLAN+MAC+IP is used to prevent users from setting IP addresses by
themselves and accessing the Internet illegally. Traditional routers and switches
allow users to use static IP addresses, and do not control the allocation and use of
users’ IP addresses. The MA5200F not only allows users to use static IP addresses, but
also allows them to obtain IP addresses via DHCP or PPPoE. However, the MA5200F
establishes a VLAN+MAC+IP binding relation for each user. When users
configure IP addresses illegally, they cannot access the Internet. To some extent, this
measure guarantees the network security.

II. Prevent IP Spoofing attack

In the IP Spoofing attack, the hacker forges source IP addresses to attack the target,
in order to pass the firewall. For example, the hacker disguises his/her IP address as
an IP address in the network segment trusted by the firewall. The traditional BAS and
L3 forward packets according to the destination IP address, and do not judge the
legality of the source IP address. The MA5200F not only forwards packets according
to the destination IP address, but also judges the legality of the source IP address of the
packets. In this way, attacks like the ICMP Echo Flood attack, the TCP LAND attack and
the forged IP address attack can be effectively prevented.

III. Prevent ICMP Host Unreachable attack

Some hackers use the ICMP destination host unreachable or destination network
segment unreachable messages to attack the router or switch. Hackers can forge a huge
number of destination IP or destination network segment unreachable packets. Upon
receiving such packets, the router will send them to the CPU for processing. Since the
traffic of the attack packets is very heavy, the protocol channels of the router or switch
will be blocked. The MA5200F can guard against such attacks.

IV. Prevent DHCP attack

Standard DHCP Server and DHCP Relay have no security guarantee. They do not limit
the number of IP addresses applied for by a VLAN port. The IP addresses in the DHCP
Server are important resources: if the hacker exhausts the IP addresses in the
address pool, other users cannot access the Internet. Therefore, the MA5200F is
designed with the function to limit the number of IP addresses applied for by the user
according to VLAN. In this way, the hacker’s attack on the DHCP server is prevented.

V. ACL filtering

The MA5200F provides a powerful ACL function. It can not only provide the UCL based on
user, but also perform ACL filtering based on flow classification by the
seven-element group (incoming physical port number + VLAN ID + source IP address +
destination IP address + source port number + destination port number + protocol
type).


VI. Access control

In the MA5200F, the concept of port is expanded. Generally, the system takes the incoming
physical port number + VLAN ID as an access control unit. That is, the traditional
concept of port is expanded to the logic port based on physical port + VLAN ID.
The MA5200F supports access control based on logic port, which can limit the number
of users accessed by each logic port and control the authentication policies used on
such ports.
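
The VLAN+MAC+IP binding, the source-address check, the per-VLAN DHCP limit and the per-logic-port user limit described in I, II, IV and VI above can be modelled as lookups against one binding table. The Python model below is an added illustration, not Huawei's implementation; the class and method names, the address pool and the limit values are assumptions, and all MAC and IP addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class LogicPort:
    """Access control unit from the text: physical port + VLAN ID."""
    phys_port: int
    vlan_id: int


@dataclass
class AccessGuard:
    pool: IPv4Network                # constructed address pool
    max_leases_per_vlan: int         # per-VLAN address limit (assumed value)
    max_users_per_logic_port: int    # per-logic-port user limit (assumed value)
    # (logic port, MAC) -> bound IP: the VLAN+MAC+IP binding table
    bindings: Dict[Tuple[LogicPort, str], IPv4Address] = field(default_factory=dict)

    def _count(self, pred) -> int:
        return sum(1 for (lport, _mac) in self.bindings if pred(lport))

    def _admit(self, lport: LogicPort) -> bool:
        """Apply the per-logic-port user limit before creating a binding."""
        return self._count(lambda lp: lp == lport) < self.max_users_per_logic_port

    def dhcp_request(self, lport: LogicPort, mac: str) -> Optional[IPv4Address]:
        """Lease an address and record the binding; None when a limit is hit."""
        key = (lport, mac.lower())
        if key in self.bindings:                 # renewal consumes no new address
            return self.bindings[key]
        in_vlan = self._count(lambda lp: lp.vlan_id == lport.vlan_id)
        if in_vlan >= self.max_leases_per_vlan or not self._admit(lport):
            return None
        used = set(self.bindings.values())
        for ip in self.pool.hosts():
            if ip not in used:
                self.bindings[key] = ip
                return ip
        return None                              # pool exhausted

    def bind_static(self, lport: LogicPort, mac: str, ip: str) -> bool:
        """Operator-provisioned binding for a user with a static IP address."""
        key, addr = (lport, mac.lower()), IPv4Address(ip)
        if key in self.bindings or addr in self.bindings.values():
            return False
        if not self._admit(lport):
            return False
        self.bindings[key] = addr
        return True

    def permit(self, lport: LogicPort, src_mac: str, src_ip: str) -> bool:
        """Source check: forward only if port+VLAN, MAC and IP match one binding."""
        return self.bindings.get((lport, src_mac.lower())) == IPv4Address(src_ip)


def run_scenario() -> dict:
    guard = AccessGuard(IPv4Network("10.0.0.0/24"),
                        max_leases_per_vlan=4, max_users_per_logic_port=8)
    noisy, quiet = LogicPort(1, 10), LogicPort(2, 20)
    # Constructed input: 50 requests from VLAN 10, each with a different MAC.
    granted = [guard.dhcp_request(noisy, f"02:00:00:00:00:{i:02x}") for i in range(50)]
    user_ip = guard.dhcp_request(quiet, "02:AA:AA:AA:AA:01")
    guard.bind_static(quiet, "02:aa:aa:aa:aa:02", "10.0.0.200")
    return {
        "leases_vlan10": sum(ip is not None for ip in granted),
        "vlan20_user_served": user_ip is not None,
        "bound_user": guard.permit(quiet, "02:aa:aa:aa:aa:01", str(user_ip)),
        "static_user": guard.permit(quiet, "02:aa:aa:aa:aa:02", "10.0.0.200"),
        # Same MAC and logic port, but a source IP bound to someone else.
        "forged_source_ip": guard.permit(quiet, "02:aa:aa:aa:aa:01", "10.0.0.200"),
        # Self-configured address with no binding at all.
        "self_assigned_ip": guard.permit(quiet, "02:aa:aa:aa:aa:03", "10.0.0.77"),
        # Valid MAC+IP pair replayed from a different logic port.
        "wrong_logic_port": guard.permit(noisy, "02:aa:aa:aa:aa:01", str(user_ip)),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

With the limit set to 4, the 50 requests from VLAN 10 consume only four addresses, so the user on VLAN 20 is still served, and every packet whose port+VLAN, MAC and source IP do not match one binding is rejected.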


Appendix A Terminology

Terms Description
Service part
Accounting In the accounting process, the billing information is also sent to the two RADIUS servers and responses are
Information copy requested
It classifies the traffic on the basis of five-element group (physical incoming port number + source IP address
Advanced ACL
+ destination IP address + source port + destination port), so as to control the access authority.
It is a kind of technology. By responding the ARP request of the host, the proxy makes the host regard this
ARP proxy
proxy as the destination host.
Bind a few of the user parameters like IP address, MAC address, port or some elements of the VLAN, to check
Binding check
the validity of the access subscriber.
Cluster: It refers to the management domain formed by a group of switches, including a command switch (it controls the cluster, and it is usually the MA5200F in the related networking) and multiple member switches. All the switches in the cluster are managed through a public IP address.
Controllable multicast: It means to authenticate and charge for the multicast service needed by the subscriber, and to control the Layer2 device to forward the multicast packets.
DNS cheat: It is a kind of technology. A designated address is used to respond to the DNS request of the subscriber’s host, so that the host takes this address as the address of the domain name being resolved.
Dual authentication: Under the same logical port, both Web and EAP authentication modes are supported.
EAP-SIM: It is the EAP authentication mode based on the SIM card. In Windows XP, it is also called 802.1X intelligent card authentication.
Forced Portal server: In the forced Portal service, this server provides the Portal Web page.
Forced Portal service: When the subscriber passes the authentication and visits the external network for the first time, the MA5200F will force-redirect the access request to a certain server (it is usually the Portal server of the operator). In this way, the first website visited by the subscriber will be the website of the operator.
Forward packets one by one: Each packet must be forwarded by querying the routing table in maximum length matching mode.
Forced Web authentication: When a subscriber who needs Web authentication or fast authentication attempts to access an unauthorized address, the MA5200F will force-redirect the access request to the forced Web authentication server.
Forced Web authentication server: In the forced Web authentication, the forced Web authentication server provides the authentication Web page to the user and sends the user name and password to the Web authentication server by using the internal protocol. The Web authentication server and the forced Web authentication server can be combined into one or separated physically.
Idle Cut: When the subscriber’s traffic is smaller than the threshold during a period, the system will regard the subscriber as being in idle status, and the connection will be cut off according to the configuration.
Illegal VLAN: A VLAN that is not configured under a port. All the packets received from this VLAN will be discarded.
IP Hotel: The solution provided by Huawei Technologies Co., Ltd. It is used to provide broadband access to the Internet and related subscriber management, authentication and accounting (charging) for the hotels, office buildings and communities in the MAN.
Layer3 BAS: It provides the Web authentication function for Layer3 devices, such as routers and Ethernet switches, when they are accessing the MA5200F.
Leased line for VLAN transparent transmission: When VLAN transparent transmission is going on, it is necessary to charge the leased line and execute service control policies like CAR.
Logical port: The service control unit composed of physical port + VLAN.
NGN: It is the acronym of Next Generation Network. It usually refers to a multimedia communication network, which can bear voice, image and data. It can provide more intelligent, diversified and customized services. It also supports service development by third parties and specific customization by the customer. More flexible access modes are provided to adapt to the current conditions of different operators.
Non-management VLAN: For the packets in the VLAN, only normal routing forwarding is performed and no authentication and accounting are carried out.
Offline bill: The MA5200F will send the last bill of the subscriber to the RADIUS server. When the RADIUS server receives this offline bill, it will know that the subscriber has logged off and stop charging the subscriber.

Online bill: The bill sent periodically by the MA5200F to the RADIUS server, when the subscriber has passed the authentication by the AAA server and is online.
Operator: The operator who maintains and manages the MA5200F via a command line terminal (Telnet client or serial port communication terminal).
Plug and Play: When the location of the computer is changed, it can provide the Internet access services normally without changing the formerly configured network parameters (IP address, IP address of DNS server, HTTP proxy).
Policy routing: The function which decides the forwarding port according to the source IP address of user packets. In the normal routing forwarding, the forwarding port is decided according to the destination IP address of the packet.
Portal protocol: It is a protocol developed by Huawei Technologies Co., Ltd. for Web authentication.
Proxy leased line: One of the management VLAN types. The Proxy Server configured below the VLAN is taken as a unit for service control. Only one Proxy Server can be configured below one VLAN. The packets are forwarded one by one.
Realtime accounting: Traffic is measured periodically. The realtime bill is generated locally or by informing the RADIUS server. In this way, even if the subscriber is abnormally disconnected, the uncertainty of the accounting can be minimized.
Route standby: Among the multiple routes to the same destination, the one with the highest priority is called the main route, and the others with descending priorities are called standby routes. When the main route goes wrong, the traffic will be automatically switched to the standby route. Therefore, the reliability of the network is improved.
Secondary accounting based on ISP: It is also called the accounting packet copy function. It means that in the accounting process, the accounting information will be sent to two RADIUS servers at the same time, and the response from each is awaited separately.
Secondary address allocation: It is a technology. In VLAN or 802.1X access mode, when the DHCP function is initialized, the IP address is pre-allocated to the subscriber (usually the IP address of a private network). After the subscriber has passed the authentication or re-authentication (Web authentication of VLAN access or the EAP authentication of 802.1X access), a new IP address will be allocated to the subscriber (usually the IP address in the public network).
Standard ACL: Access Control List, which classifies the traffic on the basis of source IP address, so as to implement the control over access authority.
User log: The service log information recorded during the user’s login/logoff, or while the MA5200F is creating the subscriber connection. It includes the user’s name, VLAN, source IP address, source MAC address, destination IP address and access time.
User-managed VLAN: It is the general name of the VLAN types which need to control all the subscribers in the VLAN or the service of the whole VLAN.
VLAN leased line: It means that all the subscribers under the VLAN of the same port do not need to input an account number and password for authentication. Their traffic control and statistics are carried out in a unified way, and on the AAA server they look like the access of a single subscriber.
VLAN transparent transmission: The device does not terminate the Layer2 packets in the VLAN of a specific port, but forwards them from a designated port and has them terminated by the upper device. This service is mainly used in MPLS VPN to realize the interconnection between enterprises.
VRP: Versatile Routing Platform of data communication products in Huawei Technologies Co., Ltd. It takes IP service as the nucleus and has a modular system structure. While providing abundant features, it can also be tailored and expanded based on applications.
Web authentication: The subscriber is authenticated by inputting user name and password in the Web page.
Web authentication server: It provides the Web page for authentication. (In the forced Web authentication mode, if the forced Web authentication server works separately, then the Web page will not be provided.) The Web authentication server interacts with the MA5200F by using the Portal protocol to complete the user authentication.
Hardware
Fiber transceiver: It is the optic/electro converter or optic Modem. It implements the conversion from the electric 100Base-TX FE interface to an optical interface, in order to increase the transmission distance of the category five cable of the electric interface.
Maintenance network interface: It is the network interface on the front panel of the MA5200F, which is used for maintenance and management. It is located on the same line as the maintenance serial port. It is used for the out-band loading and backup of host software or configuration data.
Maintenance serial port: It is the serial port on the front panel of the MA5200F, which is used for maintenance and management. It is an RJ45 interface, located on the same line as the maintenance network interface. It can be connected with the terminal device via a serial port cable, and the device can be maintained by using serial port communication software.
Optic/electro converter box: It is the box containing the fiber transceivers, with a 220V power module that can supply power to 12 fiber transceivers.
Service network interface: It refers to the network interface for inputting/outputting the subscriber’s service packets. It contrasts with the maintenance network interface. The interfaces at the subscriber side and the network side are all service network interfaces. There are 24 FE interfaces and 2 GE interfaces on the MA5200F.


Appendix B List of Acronyms and Abbreviations


Acronyms/Abbreviations Description
AAA Authentication, Authorization and Accounting
AC Access Controller
AC Alternating Current
ACL Access Control List
ADSL Asymmetric Digital Subscriber Line
ALG Application Layer Gateway
AIB ARP Information Base
AP Access Point
ARP Address Resolution Protocol
AS Autonomous System
ASIC Application Specific Integrated Circuit
BAS Broadband Access Server
BGP Border Gateway Protocol
CAR Committed Access Rate
CERNET China Education and Research Network
CHAP Challenge Handshake Authentication Protocol
CIDR Classless Inter-Domain Routing
CPE Customer Premises Equipment
CPU Central Processing Unit
DoS Denial of Service
DC Direct Current
DHCP Dynamic Host Configuration Protocol
DNS Domain Name Server
DOS Disk Operating System
DR Designated Router
DSCP Diff-Serv Code Point
DSLAM Digital Subscriber Line Access Multiplexer
EAP Extensible Authentication Protocol
EAPoL EAP over LAN
EBGP External BGP
EMC Electro Magnetic Compatibility
EMI Electro Magnetic Interference
FE Fast Ethernet
FTP File Translation Protocol
GE Gigabit Ethernet
GSR Gigabit Switching Router
HGMP HUAWEI Group Management Protocol
HTTP Hyper Text Transport Protocol
IAD Integrated Access Device
IBGP Internal BGP
ICMP Internet Control Message Protocol
IDT Intelligence Digital Terminal
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IGMP Internet Group Management Protocol
IP Internet Protocol
ISP Internet Service Provider
ITU International Telecommunications Union
L2TP Layer 2 Tunneling Protocol
L3 Layer 3 LAN Switch
LAC L2TP Access Concentrator
LAN Local Area Network
LED Light Emitting Diode
LNS L2TP Network Server

LSA Link State Advertisement
LSDB Link State Database
MAC Media Access Control
MGCP Media Gateway Control Protocol
MIB Management Information Base
MPLS Multi-protocol Label Switching
MTBF Mean Time Between Failures
MTTR Mean Time to Repair
NAT Network Address Translation
NDP Neighbor Discovery Protocol
NTDP Neighbor Topology Discovery Protocol
NGN Next Generation Network
NPS Network Process Service
OSPF Open Shortest Path First
PADM PPPoE Activate Discovery Message
PAP Password Authentication Protocol
PAT Port Address Translation
PDU Protocol Data Unit
PIM Protocol Independent Multicast
PIM-DM PIM-Dense Mode
PIM-SM PIM-Sparse Mode
PNP Plug and Play
PPP Point-to-Point Protocol
PPPoE PPP Over Ethernet
QoS Quality of Service
RA Routes Aggregation
RADIUS Remote Authentication Dial in User Service
RIP Routing Information Protocol
RP Rendezvous Point
RTU Remote Terminal Unit
SDRAM Synchronous Dynamic Random Access Memory
SIM Subscriber Identity Module
SNMP Simple Network Management Protocol
SPF Shortest Path First
STP Shielded Twisted Pair
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
UDP User Datagram Protocol
UTP Unshielded Twisted Pair
VDSL Very-high-rate Digital Subscriber Line
VLAN Virtual Local Area Network
VOD Video On Demand
VoIP Voice over IP
VPDN Virtual Private Dial Network
VPN Virtual Private Network
VRP Versatile Routing Platform
WLAN Wireless Local Area Network
WWW World Wide Web


Appendix C Specifications of MA5200E

In some upgrading applications, the hardware of the SmartAX MA5200E Broadband
Access Server (hereafter referred to as the MA5200E) may be used to bear the
software system of the MA5200F. In this chapter, the hardware structure and related
technical specifications are introduced.

C.1 Hardware Structure

C.1.1 Appearance of Device

The MA5200E has an integrated box structure and is compact.

The dimensions of the device are 44.45mm (h) x 350mm (d) x 482.6mm (w). Its width
conforms to the 19-inch standard. The total weight is 4kg. Its appearance is as shown in
Figure C-1.

Figure C-1 Appearance of MA5200E

Sketch of the MA5200E hardware:

(1) Fan (2) Power supply (3)(4) O1GB board
(5) 2mm connector (6) SPUB (7) Indicator
(8) 10/100M FE electric interface (9) Maintenance serial port (10) Maintenance network interface

Figure C-2 Sketch of MA5200E hardware structure


In the MA5200E, the cables of FE service network interface, maintenance serial port
and maintenance network interface are led out from the front, while GE fiber is led out
from the back. The power is led in from the back. The heat is dissipated in air-draw
mode, and four fans are integrated into the device.

C.1.2 Boards

I. SPUB

SPUB is the core processing board of the MA5200E, which implements all the service
processing functions of the system. One SPUB is configured in the system.

SPUB provides the following interfaces:

• 24 FE electric interfaces
• 2 GE interfaces (used for connecting O1GB pinch board, and invisible from outside)
• 1 maintenance network interface
• 1 maintenance serial port

II. O1GB

O1GB is the board with a single GE optical interface, which implements the PHY and
O/E function. Two O1GBs are configured in the system.

O1GB is plugged in the GE interface of SPUB, providing one GE optical interface. The
system provides two GE optical interfaces.

C.1.3 Hardware Interface

The MA5200E provides 24 10/100M Ethernet electric interfaces and two 1000M
Ethernet optical interfaces (single mode/multimode). According to actual needs, the
10/100M Ethernet electric interface can use an optic/electro converter to change the
interface into an Ethernet optical interface, so as to increase the transmission distance.

Besides, the MA5200E can provide one maintenance serial port and one maintenance
network interface for debugging and maintenance.

The 10/100M Ethernet electric interface, 1000M Ethernet optical interface,
maintenance serial port and maintenance network interface are the same as those of
the MA5200F. For details, refer to Section 2.1.5 Hardware Interfaces of Chapter 2
Hardware and Software Structure. For the technical specification, refer to Section 6.3
Interface Technical Specification, Chapter 6 Technical Parameters and Specifications.


C.1.4 Indicators

The indicators of the MA5200E resemble those of the MA5200F. The only difference is
that the power indicator, running indicator and alarm indicator are in the left lower
corner of the panel (those of the MA5200F are in the right lower corner). For details,
refer to Section 2.1.4 Device Indicator of Chapter 2 Hardware and Software Structure.

C.2 Power Supply and Environment Parameters

C.2.1 Power Supply Parameters

The power supply parameters of the MA5200E are shown in Table C-1.

Table C-1 Power supply parameters of the MA5200E

Item                                        Parameter
Working power supply                        AC: (110V/220V)±20%; frequency range: 47~63Hz
                                            DC: -48V (-72V~-36V)
Output voltage of power supply              3.3V and 12V
Rated current                               3A
EMI wave filter                             Conduction: Class B
                                            Radiation: Class B
Power consumption with full configuration   <45W
Power consumption of board                  H521SPUC (main service processing board): <38.3W
                                            H521O1GB (GE service pinch board): 3~5W

C.2.2 Environment Parameters

The environment parameters of the MA5200E are the same as those of the MA5200F.
Refer to Section 6.1.2 Environment Parameters of Chapter 6 Technical Parameters
and Specifications.

C.3 External Optic/Electro Converter

C.3.1 Selection of External Optic/Electro Converter

The whole system of the MA5200E has “24 FE interfaces + 2 GE interfaces”. The GE
interfaces are optical interfaces, while FE interfaces are all electric interfaces. If FE
interfaces need to become optical interfaces, external optic/electro converters should
be configured. A customer can configure the optic/electro converters alone according
to actual networking needs, or choose the optic/electro converters delivered by
Huawei.


The optic/electro converters delivered are put into the optic/electro converter box, and
each box contains 12 optic/electro converters that are powered in concentrated mode.
If the MA5200E needs to change all the FE interfaces into optical interfaces, each
MA5200E needs to be configured with 24 optic/electro converters, which means that two
external optic/electro converter boxes are needed.

Specifications of the related short-distance optic/electro converters and optic/electro
converter box:

• Optic/electro converter box + 220V power supply
• 100M Ethernet optic/electro converter-1310nm-multimode 5km-SC interface
• 100M Ethernet optic/electro converter-1310nm-single mode 15km-SC interface

Specifications of the long-distance optic/electro converters:

• 100M Ethernet optic/electro converter-1310nm-single mode 30km-SC interface
• 100M Ethernet optic/electro converter-1310nm-single mode 60km-SC interface
• Whole equipment-100M Ethernet optic/electro converter-1550nm-single mode 100km-SC interface

The customer can choose appropriate optic/electro converters according to actual
networking needs.

C.3.2 Technical Specifications of Optic/Electro Converter

The technical specifications of optic/electro converters shipped with the MA5200E are
as shown in Table C-2.

Table C-2 Technical specifications of optic/electro converter

Item                               Parameter
Standards supported                IEEE802.3u
                                   IEEE802.1Q, overlong frames with VLAN flag
                                   IEEE802.3x full duplex traffic control protocol
Parameters of electric interface   Interface type: RJ-45
                                   Mode: UTP
                                   Distance: 10m (the length of the connecting cable between the FE interface of the MA5200E and the electric interface of the optic/electro converter)
Parameters of optical interface    850nm, multimode, ST/SC interface: 2km (14dB)
                                   1310nm, single mode, SC interface: 15km (11dB), 30km (17dB), 40km (21dB), 60km (29dB)
                                   1550nm, single mode, SC interface: 100km (30dB)

The indicator meanings of the optic/electro converter shipped with the MA5200E are
shown in Table C-3.


Table C-3 Indicators of optic/electro converter

Indicator      Meaning
POWER          Power indicator
TP ACT         Data transmission indicator of twisted pair
TP LINK        Link status indicator of twisted pair
FX ACT         Data transmission indicator of fiber
FX LINK        Link status indicator of fiber
LINK LOS DIS   Link alarm disconnection indicator
