V100R003C00
Issue 02
Date 2010-07-15
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Intended Audience
This document is intended for:
• Hardware installation engineers
• Commissioning engineers
• On-site maintenance engineers
• System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Functioning as the value-added service (VAS) board of the S9300, the Service Process Unit
(SPU) provides service functions such as load balancing, firewalls, Network Address Translation
(NAT), IP Security (IPSec), and NetStream, thus meeting requirements of different application
scenarios for diverse industry networks.
NOTE
The release for Russia does not provide the IPSec VPN function.
[Figure: LPU receiving packets and transmitting packets]
Load Balancing
• Server load balancing
[Figure 1-2: Intranet user, external network, Switch, and intranet ServerA, ServerB, and ServerC]
As shown in Figure 1-2, an Intranet user accesses the internal server that is deployed in
the group of load balancing servers through the external network. The group is composed
of three servers. As the load balancing (LB) device, the Switch implements load balancing
at layers from L4 to L7. The service load varies according to servers. When one or more
servers are faulty, the system automatically switches services to normal servers so that
services are not interrupted. In this manner, network faults are reduced and the reliability
of service processing is improved.
• Egress link load balancing
[Figure 1-3: Intranet user, Switch, RouterA to ISP1, RouterB to ISP2, and the external network]
As shown in Figure 1-3, an enterprise rents links of multiple carriers as egresses between
the Intranet and the external network. The bandwidth and delay vary according to carriers.
You can configure the Switch (SPU) to select the optimal link according to requirements
for external network access of different enterprise users. The Switch also supports the
reverse NAT function.
IPSec
[Figure 1-4: Intranet User A behind SwitchA and intranet User B behind SwitchB, connected across the Internet]
As shown in Figure 1-4, an IPSec tunnel is set up between Switch A and Switch B. In this way,
data flows of intranet user A and intranet user B can be protected when being transmitted on
insecure networks. IPSec allows network users or administrators to control the granularity of
security services between peers. The Security Association (SA) can be established manually or
in IKE negotiation mode. The SA provides security protection for different data flows.
NAT
[Figure 1-5: Intranet hosts PC1 and PC2, addresses 10.1.1.1/24 and 10.1.2.1/24, and the Internet]
As shown in Figure 1-5, IP addresses of PC1 and PC2 on the intranet can be mapped to the
public IP addresses on the external network through NAT. In this way, users on private networks
can access external networks, thus saving public IP addresses. The NAT mapping table is used
to limit hosts on internal networks that access hosts on external networks.
By configuring the internal servers, you can map the corresponding external IP addresses and
port numbers to internal servers. In this manner, users on external networks can access internal
servers. For example, an enterprise provides World Wide Web (WWW), File Transfer Protocol
(FTP), and Simple Mail Transfer Protocol (SMTP) services externally.
Firewall
• Virtual firewall
[Figure 1-6: Switch connected to the Internet]
As shown in Figure 1-6, an intranet can be divided into multiple subnets through VLANs.
The Switch (SPU) configures a virtual firewall for each subnet. The server on each subnet
can access external networks through the Switch and provide different services externally.
• Firewall in transparent mode
[Figure 1-7: Switch with PC A in Zone A (VLAN 10), PC B in Zone B (VLAN 20), and PC C in Zone C (VLAN 30)]
As shown in Figure 1-7, the Switch functions as the firewall in transparent mode. In this
case, all interfaces are L2 interfaces and the network is divided into multiple access zones
through different VLANs. All PCs in a zone share the same network segment. The packet
filtering, attack defense, and traffic monitoring policies are defined for different VLANs
on the Switch. For example, PC A can access Zone B and Zone C. PC B can send packets,
but those packets cannot pass the firewall.
• Firewalls in backup mode
[Figure 1-8: PC 1 and PC 2 connected to a Switch holding SPU1 and SPU2, with a path to the Internet]
As shown in Figure 1-8, SPU 1 and SPU 2 are installed on the Switch. VRRP is enabled
on these two SPUs to provide a virtual IP address for the switch and thus to back up services.
When SPU 1 functions as the master, data flows are transmitted to the Internet through
SPU 1. At the same time, data is synchronized from SPU 1 to SPU 2. After SPU 1 becomes
faulty, data flows are transmitted to the Internet through SPU 2.
NetStream
• Monitoring MPLS network traffic
[Figure 1-9: PE and P devices in AS 100 and AS 200, with PCs, Web Server, Mail Server, FTP Server, and the NSC&NDA]
As shown in Figure 1-9, users can collect statistics on IP traffic from MPLS to IP (IPv4
or IPv6) and from IP (IPv4 or IPv6) to MPLS by deploying NetStream on user-side
interfaces of PEs. Users can also collect statistics on MPLS packets by deploying NetStream
on network-side interfaces of PEs and P devices. According to the analysis result of the
statistics, users can understand the composition and mode of the MPLS service accurately.
• Monitoring traffic carried by a tunnel
[Figure 1-10: PCs, Web Server, Mail Server, AS 100, and the NSC&NDA]
As shown in Figure 1-10, if a user collects statistics on the traffic transmitted through a
tunnel on physical interfaces of the switch, the user cannot differentiate the traffic carried
by the tunnel. In this case, the user needs to collect traffic statistics by using NetStream
twice, that is, before the traffic enters the tunnel and after the traffic exits the tunnel. In this
way, the user can accurately analyze the traffic composition in the tunnel.
This topic describes hardware information about the VAMPA. Currently, the SPU supports only
the VAMPA.
2.1 Panel
This topic describes the appearance of the SPU, including interfaces, indicators and the colors
and blinking states of interface and board indicators.
2.2 Description of Interfaces on the SPU
This topic describes types, quantity, and functions of interfaces on the SPU.
2.3 Attributes of Interfaces on the SPU
This topic describes connector types, attributes, operation modes, and compliance standards of
the interfaces on the panel.
2.4 Technical Specifications
This topic describes technical specifications of the SPU, such as board dimensions, panel
dimensions, maximum power consumption, and weight.
2.1 Panel
Currently, the SPU supports only the VAMPA.
The VAMPA is installed horizontally. A serial interface (identified as CON) and an FE electrical
interface (identified as ETH) are located on the panel. Figure 2-1 shows the panel.
The board indicator RUN/ALM and interface indicators ACT and LINK are located on the
VAMPA panel. Table 2-1 describes the colors and blinking states of the indicators.
Console interface 1 Provides a serial interface. A user can log in to the local
SPU by connecting the serial interface on the host and
the console interface on the SPU through a cable to
configure the SPU locally.
Table 2-3 and Table 2-4 describe attributes of the interfaces on the panel.
Attribute Description
Attribute Description
A user can log in to the SPU in any of the following ways:
• Logging in to the SPU through the console interface
• Logging in to the SPU through Telnet
• Logging in to the MPU of the S9300 for redirection, and then logging in to the SPU through
the console interface of the SPU
Networking Requirements
When logging in to the SPU through the console interface, a user needs to connect the console
interface on the SPU to the RS232 interface on the host through a serial cable, as shown in
Figure 3-1.
Procedure
Step 1 Connect the PC with the SPU through a serial cable according to Figure 3-1.
Step 2 Enable the HyperTerminal on the PC.
Choose Start > All Programs > Accessories > Communications > HyperTerminal to start
the HyperTerminal.
Step 3 Set up a new connection.
As shown in Figure 3-2, enter the name of the new connection in the Name text box and choose
an icon. Click OK.
NOTE
In the Windows operating systems of some versions, Bit per second may be called Baud rate and Flow
control may be called Traffic control.
Parameter Value
Data bit 8
Stop bit 1
Step 6 After starting the HyperTerminal, choose File > Attributes to display the COMM1
Properties dialog box, as shown in Figure 3-5. Click the Settings tab, and select Auto detect
or VT100 from the Emulation drop-down list box. Click OK to complete the settings.
After the preceding settings, press Enter. If the <Quidway> prompt is displayed, it indicates
that you have logged in to the SPU. In this case, you can enter commands to configure or manage
the SPU.
----End
Networking Requirements
A user can log in to the MPU of the S9300 through a serial interface or through Telnet, and then
run the corresponding command for redirection. Then the user redirects the login process to the
console interface of the SPU as prompted and logs in to the SPU through the console interface,
as shown in Figure 3-6.
Figure 3-6 Networking of redirecting to the console interface of the SPU through the MPU of
the S9300
Procedure
Step 1 Log in to the MPU of the S9300.
Step 2 Run the following command in the user view: spu connect slot slot-num.
slot-num indicates the number of the slot where the SPU is installed on the S9300.
Press Ctrl+Y. The system redirects you to the serial interface of the SPU so that you can log in
to the SPU.
NOTE
----End
Networking Requirements
Telnet supports local and remote login, facilitating maintenance. After setting the Telnet user
of the SPU, a user can log in to the SPU through Telnet from the Ethernet interface or service
interfaces such as XGE sub-interface or the Eth-Trunk sub-interface whose member interfaces
are XGE interfaces, as shown in Figure 3-7.
[Figure 3-7: PC, STC, HUB, L2 Switch, and SPU; links labelled crossover cable and crossover cable or optical fiber]
NOTE
The SPU is a board installed on the S9300. Generally, the ETH port of the SPU is not used to connect to
the network; therefore, the service interface of the SPU is usually used for logging in to the SPU through
Telnet.
You can configure the user name and password of the Telnet user on the SPU. The
method for configuring a Telnet user on the SPU is the same as that for configuring a Telnet
user on the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration
Guide - Basic Configuration.
If you do not configure a Telnet user on the SPU, no user name or password is required for
the first login through Telnet.
Procedure
Step 1 Set the IP address of the Ethernet interface of the SPU.
The service interface of the SPU is the Eth-Trunk sub-interface whose member interfaces
are XGE interfaces or the XGE sub-interface. The configuration methods of the Eth-Trunk
interface and the XGE sub-interface are different. The details are as follows:
– Assign an IP address to the XGE sub-interface.
1. Run the system-view command to enter the system view.
2. Run the interface xgigabitethernet interface-number.subinterface-number
command to enter the XGE sub-interface view.
3. Run the ip address ip-address { mask | mask-length } [ sub ] command to assign an
IP address to the XGE sub-interface.
– Assign an IP address to the Eth-Trunk sub-interface whose member interfaces are XGE
interfaces.
1. Run the system-view command to enter the system view.
2. Run the interface eth-trunk trunk-id command to enter the Eth-Trunk interface
view.
3. Run the trunkport xgigabitethernet { interface-number1 [ to interface-number2 ] } &<1-8>
command to add two virtual interfaces of the SPU to the Eth-Trunk interface to complete
link aggregation.
4. Run the quit command to exit the Eth-Trunk interface view.
5. Run the interface eth-trunk trunk-id.subtrunk-id command to enter the Eth-Trunk
sub-interface view.
6. Run the ip address ip-address { mask | mask-length } [ sub ] command to assign an
IP address to the Eth-Trunk sub-interface.
Step 2 Log in to the SPU through Telnet.
A user can log in to the SPU on the local PC or terminal through Telnet.
1. Open the Command Prompt window on the PC.
Choose Start > Programs > Accessories > Command Prompt. The Command
Prompt window is displayed.
The Command Prompt window displays the following messages:
Microsoft Windows XP [version 5.1.2600]
(c) Versions 1985-2001 Microsoft Corp.
C:\>
Press Enter to access the Telnet client. The Command Prompt window displays the
following messages:
Welcome to use Microsoft Telnet Client
Escape character is 'CTRL+]'
Microsoft Telnet>
----End
This topic describes all the features supported by the SPU according to the feature description
in each volume (basic configuration, Ethernet, IP service, IP routing, QoS, security, reliability,
device management, network management, and VPN).
Basic Configuration
Feature: File system
Description: A file system manages files and directories in the storage device. In the file system, you can create, delete, modify, and rename a file or a directory, and display contents of a file.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see Management of Configuration Files in the Quidway S9300 Terabit Routing Switch Configuration Guide - Basic Configuration.

Feature: Login through the Console interface
Description: In the case that the network is unreachable, a user needs to log in to the SPU through the console interface.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. To log in to the SPU through the console interface, see 3.1 Logging In to the SPU Through the Console Interface.

Feature: Login through Telnet
Description: In the case that the network is reachable, a user can log in to the SPU on the local PC or through Telnet.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300 in some aspects. The difference is as follows: A user can configure the IP address of the Ethernet interface on the SPU by logging in to the MPU of the S9300. To log in to the SPU through Telnet, see 3.3 Logging In to the SPU Through Telnet.

Feature: SSH login
Description: The SSH supports secure local and remote login. The SPU supports the route iteration by the BGP.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see Configuration of the SSH Server and Client in the Quidway S9300 Terabit Routing Switch Configuration Guide - Basic Configuration.
Ethernet
Feature: MAC
Description: A MAC address table stores the MAC addresses of other devices learned by the S9300, VLAN IDs, and outbound interfaces that are used to send data. Before forwarding the data, the SPU searches the MAC address table based on the destination MAC address and the VLAN ID of the data to find the corresponding outgoing interface rapidly. This reduces the number of broadcast packets.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see MAC Address Table Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.

Feature: ARP
Description: The Address Resolution Protocol (ARP) provides a mapping between an IP address and a MAC address.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see ARP Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.

Feature: Link aggregation
Description: Link aggregation refers to a method of binding a group of physical interfaces together as a logical interface to increase the bandwidth. By setting up a link aggregation group between two devices, you can obtain higher bandwidth and reliability.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see Link Aggregation Configuration in the Quidway S9300 Terabit Routing Switch Configuration Guide - Ethernet.
IP Services
Feature Description Supported by the SPU Only Remarks
IP Routing
Feature: IPv4 unicast static routes, RIP, OSPF, IS-IS, and BGP
Description: This feature provides IPv4 static and dynamic routing protocols to implement interworking at Layer 3.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Routing.

Feature: Routing policies and policy-based routing
Description: A routing policy is used to change the path that the traffic passes through. Different from the routing mechanism based on the destination addresses of IP packets, the policy-based routing is a mechanism based on the customized routing policies.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Routing.

Feature: Route iteration
Description: The route iteration is a process of finding a dependent route according to the next hop address. The SPU supports route iteration by the BGP.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - IP Routing.
QoS
Feature: Names of the traffic classification, traffic behavior, and traffic policy
Description: During traffic classification, packets sharing common features are classified into a class by matching the information carried in packets with the specific rule. The packets of the same class provide QoS services for traffic of the same type, and thus provide differentiated services for different services.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.

Feature: Priority mapping
Description: The packets are sent to different interface queues according to the internal priority, and then traffic shaping, congestion avoidance, and queue scheduling are performed for the queues.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - QoS.
Security
Feature: ACL
Description: The ACL classifies packets based on the rules defined by the ACL. After these rules are applied to interfaces, the device can determine which packets to accept and which to deny.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Security.

Feature: URPF
Description: URPF obtains the source IP address and the inbound interface of the packet and checks whether the inbound interface corresponding to the source IP address in the forwarding table matches the actual inbound interface of the packet. If they do not match, URPF considers the source IP address a spoofed address and discards the packet. In this way, URPF can efficiently protect the network against malicious attacks initiated by modifying the source address.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Security.
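The URPF check described above, worked through as an added Python example (not part of the original manual and not Huawei code). The forwarding table, the interface names vlan10, vlan20 and uplink, and the sample packets are constructed for illustration; discarding a source that has no route at all is an assumption, since the manual only describes the mismatch case.

```python
"""Strict URPF check over a constructed forwarding table (illustrative only)."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str  # interface the forwarding table uses to reach this prefix


def build_fib(entries: List[Tuple[str, str]]) -> List[Route]:
    """Turn (prefix, interface) pairs into forwarding-table entries."""
    return [Route(ipaddress.ip_network(p), i) for p, i in entries]


def longest_match(fib: List[Route], address: str) -> Optional[Route]:
    """Return the most specific route covering the address, or None."""
    ip = ipaddress.ip_address(address)
    candidates = [r for r in fib if ip in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_check(fib: List[Route], src: str, in_if: str) -> Tuple[bool, str]:
    """Accept a packet only if the route back to its source address
    points out of the interface the packet actually arrived on."""
    route = longest_match(fib, src)
    if route is None:
        # Assumption: a source with no route is treated as spoofed too.
        return False, "no route to source"
    if route.interface != in_if:
        return False, "source is reached via " + route.interface
    return True, "inbound interface matches"


# Constructed forwarding table: two intranet subnets and a default route.
FIB = build_fib([
    ("10.1.1.0/24", "vlan10"),
    ("10.1.2.0/24", "vlan20"),
    ("0.0.0.0/0", "uplink"),
])
FIB_NO_DEFAULT = FIB[:2]

# Constructed packets: (source address, inbound interface).
PACKETS = [
    ("10.1.1.7", "vlan10"),      # genuine host on its own subnet
    ("10.1.2.9", "vlan10"),      # vlan10 host forging a vlan20 source
    ("10.1.1.7", "uplink"),      # outside packet forging an intranet source
    ("198.51.100.4", "vlan20"),  # intranet host forging an external source
    ("198.51.100.4", "uplink"),  # external source arriving on the uplink
]


def evaluate(fib: List[Route], packets: List[Tuple[str, str]]):
    """Run the check over every packet; rows are (src, in_if, ok, reason)."""
    return [(src, in_if) + urpf_check(fib, src, in_if) for src, in_if in packets]


if __name__ == "__main__":
    for src, in_if, ok, reason in evaluate(FIB, PACKETS):
        verdict = "accept " if ok else "discard"
        print(f"{verdict} src={src:<13} in={in_if:<7} {reason}")
```

The last packet shows the limit of the check: with a default route on the uplink, any source not covered by a more specific prefix passes when it arrives there, so URPF on that interface only stops forged intranet sources.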
Reliability
Feature: BFD
Description: The Bidirectional Forwarding Detection (BFD) is a detection mechanism used uniformly on an entire network. It is used to rapidly detect and monitor the connectivity of links or IP routes on a network. A communication failure between adjacent systems must be detected quickly and the standby tunnel must be created faster for communication recovery.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Reliability.

Feature: VRRP
Description: By separating physical devices from logical devices, the Virtual Router Redundancy Protocol (VRRP) implements route selection among multiple egress gateways. In this manner, services are not affected when a gateway is faulty, and the configuration of the routing protocol does not need to be changed.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Reliability.
Device Management
Feature: Interface mirroring
Description: A packet passing through a mirroring interface is copied and then sent to a specified observing interface for analysis and monitoring.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Device Management.
Network Management
Feature: Ping and Tracert
Description: The ping command is used to check network connectivity and whether a host is reachable. Tracert is used to check IP addresses and the number of gateways between the source and the destination. Tracert is helpful in testing network reachability and locating the fault on the network.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - Network Management.
VPN
Feature: GRE
Description: GRE uses the tunnel technology to encapsulate packets of some network protocols such as IP and IPX. In this manner, the encapsulated packets can be transmitted on networks supporting other protocols such as IP.
Supported by the SPU Only: No
Remarks: The feature of the SPU is the same as that of the S9300. For details, see the Quidway S9300 Terabit Routing Switch Configuration Guide - VPN.
5 Replacing an SPU
Precautions
Before replacing an SPU, pay attention to the following points:
Before replacing an SPU, prepare an SPU with the same specifications as the SPU to be replaced.
Tools
• ESD-preventive wrist straps or gloves
• ESD-preventive bag
Procedure
Step 1 Check the position of the SPU to be replaced.
Before removing the SPU that you need to replace, check the position of the cabinet, chassis,
and slot where the SPU is installed.
Locate the SPU to be replaced in the chassis and attach a label to identify the SPU.
Step 2 Check whether there is any bent pin in the connector of the new SPU.
CAUTION
• During the operation, remove the SPU slowly and smoothly to prevent it from colliding
with other boards and causing failures of the running boards.
• When swapping an SPU, do not touch the parts on the SPU to prevent it from being
damaged.
3. Hold the two ejector levers and pull out the SPU smoothly from the chassis along the guide
rail of the slot, as shown in (2) of Figure 5-1.
4. Place the removed board in the ESD-preventive bag.
CAUTION
• During the operation, install the SPU slowly and smoothly to prevent it from colliding
with other boards and causing failures of the running boards.
• When swapping an SPU, do not touch the parts on the SPU to prevent it from being
damaged.
2. Hold the two ejector levers and insert the SPU smoothly into the chassis along the guide
rail of the slot, as shown in (1) of Figure 5-2. Push the SPU until the bayonets of the ejector
levers touch the edges of the chassis.
3. Secure the bayonets of the ejector levers on the edges of the chassis, and then push the
ejector levers inwards until you hear a click, as shown in (2) of Figure 5-2.
Step 6 Connect the cables to the corresponding interfaces in the original sequence.
Step 7 Check the running status of the new SPU.
In normal situations, after the new SPU is installed into the chassis, the SPU automatically
communicates with the MPU. In this case, check the running status of the new SPU as follows:
• If the RUN/ALM indicator on the panel of the SPU is green and blinks at the frequency of
0.5 Hz, it indicates that the SPU is running normally.
• You can check the alarms. In normal situations, the system does not generate any alarm
related to the new SPU.
• Run the display device command on the client after logging in to the SPU to view the running
status of the new SPU. If the output is displayed as follows, it indicates that the SPUs in the
corresponding slots are running normally.
<Quidway> display device
----End
Postrequisite
After finishing the replacement, put all the tools away. If a replaced SPU is confirmed
to be faulty, maintainers should fill in the Faulty Card for Repair, and mail the card and the
faulty SPU together to the local Huawei office for timely maintenance.
This topic describes system parameters and technical specifications of the SPU.
Flash 64 MB -
Table 6-2 describes the software service features and hardware technical specifications of the
SPU.
Table 6-2 Software service features and hardware technical specifications of the SPU