90系列串接采集设备技术白皮书-V1 3_EN

Technical White Paper for Series 90 Serial-connection Acquisition EquipmentCommunication Data Reconnaissance Station System System Design Manual Technical White Paper for Series 90 Serial-connection Acquisition Equipment CEIECContents1.Overview11.1Product positioning11.2Product advantages11.3Production form22.System architecture32.1System hardware architecture32.2System software architecture53.System specifications73.1Product hardware specification73.2Product software specification83.3Circuit processing board103.3.1200G service capacity line processing board103.3.240G service capacity line processing board143.4Optical protective plate183.4.14-circuit optical protection board184.Functional characteristics194.1Message identification194.2Rule matching194.3Optical protection204.3.1PASS serial-connection working mode204.3.2BYPASS offline protection mode215.Typical application226.Working principle236.1Data packet processing flow236.2Backflow processing flow246.3Homologous homoclinic processing flow of IP fragments241. Overview 1.1 Product positioning Along with the explosive growth of the network flow, security and manageability of the network has to face higher requirements. It is not only required to provide the normal user service but also have controllability, so as to monitor and manage the illegal information on the Internet. Relying on the rich experience in R&D and production of telecommunications-class communication products, our company has developed Series 90 Serial-connection Acquisition Equipment to meet the network illegal information monitoring needs. Series 90 serial-connection acquisition equipment is equipment applied to backbone networks of operators (including international output, provincial or urban output and metropolitan area network output), IDC, ISP service providers and large enterprises, governments, schools and others that have network security demands. It is deployed in a network in series, supporting traffic identification, rule matching, load balancing, homologous homoclinic and light splitting. In addition, it has the telecommunications-class reliability, and the high-density single board, large-capacity switching and rapid customization ability, so it is able to provide the convenient and efficient abnormal traffic cleaning and traffic control solutions for network security applications of fixed networks and the mobile Internet. 1.2 Product advantages Series 90 serial-connection acquisition equipment owns the product advantages as below: u Large capacity and high density The whole equipment supports 12 service slots at most The whole equipment supports 5.12T switching ability at most The whole equipment supports 2.4T processing ability at most The whole equipment supports 37.8T backboard capacity at most The slot bandwidth is up to 600G The whole equipment supports 24 100GE, 72 40GE, 576 10GE/GE, 24 40GPOS and 96 10G/2.5GPOS ports at most Relying on the built-in optical protection board, the whole equipment supports 9 100GE, 20 40GE, 32 10GE/GE, 9 40GPOS and 24 10GE/2.5GPOS links at most u High performance and high reliability Message parsing and rule matching based on the special chip Full-port wire-speed forwarding ability The power supply and the fan support N+1 redundancy The master control switching board supports 1+1 redundancy Photoelectric protection and uninterrupted abnormal equipment link Port and analysis server alive-keeping mechanism Abnormality processing, fault-tolerance mechanism and telecommunications-class software and hardware architecture allow the long-term stable running under the high load status u Modularity and high extension The advanced software and hardware frames in the industry with flexible and extensible functions Various board cards with abundant interfaces, so the equipment could be configured as required Interfaces support POS/LAN/WAN switching u Environmental protection and energy saving Front and rear air supply design and well-adapted rack The advanced heat dissipation structure in the industry to improve the dissipation efficiency of the whole equipment Intelligent fan speed regulating, to effectively lower down the rotating speed, power consumption and noise pollution and prolong the service life of the fan 1.3 Production form Series 90 serial-connection equipment is composed of three models, namely, 9002, 9005 and 9012, detailed as below: 12 service slots of 17U5 service slots of 10U2 service slots of 4UFigure 1-1 Product form 2. System architecture 2.1 System hardware architecture Series 90 serial-connection equipment is of the rack-type design. The system, relying on the large-capacity and high-speed serial bus backboard, connect the master control switching board with various interface boards. The master control is integrated with the switching matrix and supports 1:1 redundancy design. Each board card provides the line-speed message processing ability via the network processor and the ASIC switching chip and provides abundant interfaces such as 100GE, 40GPOS/40GE, 10GPOS, 2.5GPOS, 10GE and GE according to the service requirements. Figure 2-1 System hardware architecture Large-capacity high-speed backboard The system connects with the master control switching board and various service interface boards relying on the large-capacity high-speed backboard, to guarantee the enough switching capacity required for system running and reserve the sufficient bandwidth capacity required for future upgrading. Master control switching board Master control switching boards are important comprehensive independent boards of 1:1 redundancy and two master control switching boards maintain active connection in the running process. Each master control switching board is composed of: A large-capacity switching matrix, to ensure the switching capacity required for the line-speed running of the system A CPU characterized by high performance and large internal storage capacity, to guarantee the storage space required for the high-speed protocol processing and the giant table capacity An inter-board communication switching module A system monitoring A timer module LPB line processing board The line processing board is applied to flow classification service of L2-L4. The data plane of the line processing board is completed via the network processor NP + ASCI chip and the control plane is completed via the high-performance CPU. OPB optical protection board The optical protection board is used for link protection under the serial deployment mode. When the system defects the failure of the equipment or the line processing board, it directly passes transparently network traffic. 2.2 System software architecture The control software architecture of Series 90 serial-connection equipment mainly includes the issuance of various user rules of L2-L4, data synchronization between the master control and the service processing board, OAM and user management. User managementMUXSSPHardware platformOAMOS kernelBSPMIBL2-L4 message processing用户管理ROSFigure 2-2 System software architecture From the perspective of the software layer, the front-end software could be divided into five major parts, as shown in the following table. In addition, in terms of management, there is the back-end network management subsystem, to achieve network management, data configuration, warning display and other functions. Table 2-1 Software subsystem Running supporting subsystem Including software modules such as BSP, ROS, SSP and OS kernel. Supporting subsystem (MUX) Including the MUX module and the statistics monitoring module. The MUX module is responsible for encapsulating the function of SSP on the bottom layer and providing it for the upper layer for calling. The statistics monitoring module is responsible for monitoring of the statistical data forwarding information and the driver software table. L2-L4 message processing subsystem The software module of the equipment service function control plane includes issuance, synchronization and aging of matched rules, action processing and load balancing forwarding policy setup. User management subsystem Management system matching rules and resource configuration. Network management and operation maintenance subsystem (OAM) Achieve the Agent function of SNMP network management, support the command line management function and provide the operation maintenance interface. There are data synchronization interfaces on the service processing board, to be responsible for achieving the data synchronization function of service and port configuration. 253. System specifications 3.1 Product hardware specification The hardware specifications of Series 90 serial-connection equipment are as shown in the following table. Table 3-1 Product hardware specifications Product model 9002 9005 9012 Basic performance Switching capacity of the whole equipment 1.2T bps 2.56T bps 5.12T bps Backboard capacity of the whole equipment 6.3T bps 15.75T bps 37.8T bps Slot bandwidth 600G bps Service interface Interface type 100GE/40GE/10GE/GE/40GPOS/10GPOS/2.5GPOS Number of 100GE/40GPOS ports 41024Number of 40GE ports 123072Number of 10GPOS/2.5GPOS ports 16409610GE/GE ports 96240576Number of slots Total number of slots 4 7 14 Number of service slot 2 5 12 Number of serial-connection links in the built-in optical protection board scenario Number of 100GE/40GPOS link 149Number of 40GE link 3820Number of 10GPOS/2.5GPOS link 4824Number of 10GE/GE link 41232Reliability MTBF400,000h MTTR30min Hot plug Master control switching board, service board and optical protection board Redundant backup Master control switching board, power supply module and fan Power supply consumption Maximum power consumption 850W 1750W 4200W Power supply condition AC：100V240V，5060Hz DC：-57V-40V HVDC：192V400V Physical parameters Height 4U 10U 17U Dimensions (mm) (width * height * depth) 442175450 442440450 442755450 Weight 27kg 52kg 89kg Working environment Working temperature 0+40 Storage temperature -40+70 Relative humidity 10%-90% (no condensation) Anti-seismic Resist M7 earthquake 3.2 Product software specification The software specifications of Series 90 serial-connection equipment are as shown in the following table. Table 3-2 Product software specifications Product model 9002 9005 9012 Basic performance Service ability of the whole equipment 400G bps 1T bps 2.4T bps Packet forwarding rate of the whole equipment 1.42G pps 3.57G pps 8.57G pps Average forwarding delay 30 microseconds Line-speed processing ability Random rules hit 256-byte line speed and full rules hit 512-byte line speed Rule loading ability The rule loading speed is 100,000/s, and the time to take effect is less than 1 ms Message identification Support the common L2/L3/L4 protocols and L2/L3 tunnel protocols Rule matching Rule type Support multiple rule types including quintuple, six-tuple, mask, feature code, TCP Flag/load length, IPv6 extension header and the quintuple rule supports bidirectional rule Rule capacity 15 million pieces of quintuple, 500,000 pieces of mask, 8,192 pieces of feature code, 8,192 pieces of TCP Flag/load length and 14 pieces of IPv6 extension header Rules binding Support binding of rules with ports Forwarding action Support actions such as drop, transparent transmission, backflow redirection, drop redirection and backflow redirection and injection Support VLAN tag carrying, traffic limiting and counting Redirection supports message encapsulation formats such as POS single-layer MAC, Ethernet single-layer MAC, Ethernet MacInMac and VXLAN Redirection supports alive-keeping between the equipment and the server and the alive-keeping protocol supports ICMP and BFD Load balancing Support load balancing based on port groups and server groups Special message processing Support homologous homoclinic processing of IP fragment messages and the fragment session table supports 10 million pieces Support the rule matching and load balancing of tunnel messages according to the internal layer, the external layer and the external layer+ the internal layer Photoelectric protection Optical protection Support the built-in optical protection board Automatic switching when the service board card fails with the millisecond response time Electric protection Automatic switching when the function module fails with the millisecond response time 3.3 Circuit processing board 3.3.1 200G service capacity line processing board 3.3.1.1 2 ports of 100GE + 24 ports of 10GE This board card could provide 2-way CFP2 100GE optical interfaces and 24-way SFP+10-gigabit optical interfaces, realizing packet processing from L2 to L4 so as to satisfying the complex applications in the actual networking. This board card adopts the CFP2 100G optical module and the SFP+10-gigabit optical module that support hot plug, and SFP+ could satisfy multiple transmission distance requirements. Figure 3-1 2 ports of 100GE + 24 ports of 10GE 3.3.1.2 2 ports of 40GPOS + 12 ports of 10GE This board card could provide 2-way 40GPOS optical interfaces and 12-way SFP+ 10-gigabit optical interfaces, realizing packet processing from L2 to L4 so as to satisfying the complex applications in the actual networking. This board card adopts the SFP+ 10-gigabit optical module that supports hot plug, satisfying multiple transmission distance requirements. Figure 3-2 2 ports of 40GPOS + 12 ports of 10GE 3.3.1.3 2 ports of 40GE + 24 ports of 10GE This board card could provide 2-way QSFP+ 40G Ethernet interfaces and 24-way SFP+ 10-gigabit optical interfaces, realizing packet processing from L2 to L4 so as to satisfying the complex applications in the actual networking. This board card adopts the QSFP+ 40GE optical module and the SFP+ 10-gigabit optical module that support hot plug, and could satisfy multiple transmission distance requirements. Figure 3-3 2 ports of 40GE + 24 ports of 10GE 3.3.1.4 6 ports of 40GE + 24 ports of 10GE This board card could provide 6-way QSFP+ 40G Ethernet interfaces and 24-way SFP+ 10-gigabit optical interfaces, realizing packet processing from L2 to L4 so as to satisfying the complex applications in the actual networking. This board card adopts the QSFP+ 40GE optical module and the SFP+ 10-gigabit optical module that support hot plug, and could satisfy multiple transmission distance requirements. Figure 3-4 6 ports of 40GE + 24 ports of 10GE 3.3.1.5 8 ports of 10G POS/LAN/WAN + 24 ports of 10GE This board card could provide 8-way SFP+ 10G switchable optical interfaces and 24-way SFP+ 10-gigabit optical interfaces, realizing packet processing from L2 to L4 so as to satisfying the complex applications in the actual networking. This board card adopts the SFP+ and SFP+ 10-gigabit optical module that support hot plug and could satisfy multiple transmission distance requirements. 8 10G interfaces could support POS/LAN/WAN switching. Figure 3-5 8 ports of 10G POS/LAN/WAN + 24 ports of 10GE 3.3.1.6 8 ports of 10G POS/LAN/WAN + 12 ports of 10GE This board card could provide 8-way SFP+ 10G optical interfaces and 12-way SFP+ 10-gigabit optical interfaces, realizing packet processing from L2 to L4 so as to satisfying the complex applications in the actual networking. This board card adopts the SFP+ and SFP+ 10-gigabit optical module that support hot plug and could satisfy multiple transmission distance requirements. 8 10G interfaces could support POS/LAN/WAN switching. Figure 3-6 8 ports of 10G POS/LAN/WAN + 12 ports of 10GE 3.3.1.7 4 ports of 10G POS/LAN/WAN + 4 ports of 10G POS/LAN/WAN + 12 ports of 10GE This board card could provide 8-way SFP+ 10G optical interfaces and 12-way SFP+ 10-gigabit optical interfaces, realizing packet processing from L2 to L4 so as to satisfying the complex applications in the actual networking. This board card adopts the SFP+ and SFP+ 10-gigabit optical module that support hot plug and could satisfy multiple transmission distance requirements. 4 10G interfaces respectively in two groups could support POS/LAN/WAN switching. Figure 3-7 4 ports of 10G POS/LAN/WAN + 4 ports of 10G POS/LAN/WAN + 12 ports of 10GE 3.3.1.8 4 ports of 10G POS/LAN/WAN + 4 ports of 10G POS/LAN/WAN + 24 ports of 10GE This board card could provide 8-way SFP+ 10G optical interfaces and 24-way SFP+ 10-gigabit optical interfaces, realizing packet processing from L2 to L4 so as to satisfying the complex applications in the actual networking. This board card adopts the SFP+ and SFP+ 10-gigabit optical module that support hot plug and could satisfy multiple transmission distance requirements. 4 10G interfaces respectively in two groups could support POS/LAN/WAN switching. Figure 3-8 4 ports of 10G POS/LAN/WAN + 4 ports of 10G POS/LAN/WAN + 24 ports of 10GE 3.3.1.9 8 ports of 2.5G/10G POS/LAN/WAN + 24 ports of 10GE This board card could provide 8-way SFP+ 2.5G/10G optical interfaces and 24-way SFP+ 10-gigabit optical interfaces, realizing packet processing from L2 to L4 so as to satisfying the complex applications in the actual networking. This board card adopts the SFP+ and SFP+ 10-gigabit optical module that support hot plug and could satisfy multiple transmission distance requirements. 8 2.5G/10G interfaces could support 2.5GPOS/10GPOS/10GE LAN/10GE WAN switching. Figure 3-9 8 ports of 2.5G/10G POS/LAN/WAN +