CiTRANS R8000 Series Multi-Service High-End Router Commissioning and Configuration Guide-CLI

CiTRANS R8000 Series
Multi-Service High-End Router
Commissioning and
Configuration Guide-CLI
Version: D
Code: MN000001947
FiberHome Telecommunication Technologies Co., Ltd.
August 2018
Thank you for choosing our products.
We appreciate your business. Your satisfaction is our goal.

We will provide you with comprehensive technical support
and after-sales service. Please contact your local sales
representative, service representative or distributor for any
help needed at the contact information shown below.
Fiberhome Telecommunication Technologies Co., Ltd.
Address: No. 67, Guanggu Chuangye Jie, Wuhan, Hubei, China

Zip code: 430073
Tel: +6 03 7960 0860/0884 (for Malaysia)
+91 98 9985 5448 (for South Asia)
+593 4 501 4529 (for South America)
Fax: +86 27 8717 8521
Website: http://www.fiberhomegroup.com
Legal Notice
are trademarks of FiberHome Telecommunication Technologies Co., Ltd.

(Hereinafter referred to as FiberHome)
All brand names and product names used in this document are used for
identification purposes only and are trademarks or registered trademarks
of their respective holders.
All rights reserved
No part of this document (including the electronic version) may be

reproduced or transmitted in any form or by any means without prior
written permission from FiberHome.
Information in this document is subject to change without notice.
Preface
Related Documentation
Document Description
CiTRANS R8000 Series Multi- Introduces the product’s functions and features, software
Service High-End Router Product and hardware structures, networking applications, and
Description technical specifications.
Describes the equipment’s structures, functions,

CiTRANS R8000 Series Multi-
specifications, and technical parameters in terms of its
Service High-End Router
hardware components (i.e. the cabinet, the subrack, cards,
Hardware Description
and cables).
Details the equipment’s appearance and structure, how to

install the equipment, connect and lay out its wires and
cables, as well as the requirements of the installation
Installation Guide
environment.
Introduces the methods for configuring various protocols,
services and functions supported by the equipment
Commissioning and
through the CLI.
Configuration Guide-CLI

Introduces the methods for configuring various protocols,
services, and functions supported by the equipment via the
Configuration Guide -
OTNM2000.
OTNM2000
CiTRANS R8000 Series Multi- Describes levels and classification of alarms and
Service High-End Router Alarm performance events; lists definitions, causes and
and Performance Reference processing methods of all alarms and performance events.
Gives a detailed description of items and procedures of

CiTRANS R8000 Series Multi- routine maintenance; introduces the daily operation
Service High-End Router Routine methods of the equipment to instruct users on basic
Maintenance operations of the equipment based on hardware, command
line and network management system.
Gives a detailed introduction to service protection

schemes, configuration notices and possible causes of
common faults, as well as procedures and methods of
Troubleshooting Guide
troubleshooting.
I
Document Description
CiTRANS R8000-3 Multi-Service Details how to install the CiTRANS R8000-3, connect and
High-End Router Quick lay out its wires and cables, and the requirements of the
Installation Guide installation environment.
CiTRANS R8000-5 Multi-Service Details how to install the CiTRANS R8000-5, connect and
High-End Router Quick lay out its wires and cables, and the requirements of the
CiTRANS R8000-10 Multi- Details how to install the CiTRANS R8000-10, connect and
Service High-End Router Quick lay out its wires and cables, and the requirements of the
Details how to install the CiTRANS R8000-10E, connect
CiTRANS R8000-10E Core
and lay out its wires and cables, and the requirements of
Router Quick Installation Guide
the installation environment.
Details how to install the CiTRANS R8000-20E, connect
CiTRANS R8000-20E Core
and lay out its wires and cables, and the requirements of
Router Quick Installation Guide
the installation environment.
Includes manuals such as product description, operation
guide, routine maintenance, and installation guide. All of
e-Fim OTNM2000 Element
them aim at introducing common and fundamental
Management System Manual Set
contents of the OTNM2000 for a better understanding and
proficient use of the network management system.
II
Version
Version Description
Initial version.
Product version CiTRANS R8000 V3R1
A
Corresponds to the OTNM2000 version V2.0R5 (Build04.
20.05.56SP2).
Product version CiTRANS R8000 V3R2

B Corresponds to the OTNM2000 version V2.0R5 (Build04.
20.05.56SP12).
Intended Readers
This manual is intended for the following readers:
u Planning and designing engineers
u Commissioning engineers
u Operation and maintenance engineers
To utilize this manual, these prerequisite skills are necessary:
u Router related technology
u Data communication technology
u Ethernet technology
u SDH communication principles
u IPRAN related technology
III
Conventions
Terminology Conventions
Terminology Convention
CiTRANS R8000-3 CiTRANS R8000-3 Multi-Service High-End Router
PWR Power Supply Board
FAN Fan Unit

SRCA Switch & Router & Clock Unit A
SRCB Switch & Router & Clock Unit B
SRCC Switch & Router & Clock Unit C
SPUA 100GE Service Process Unit
SPUB Service Process Unit B
SPUD Service Process Unit D
SPUE Service Process Unit E
SPUA200 200GE Service Process Unit
SNUA Switch Network Unit A
SSUA13 12 x GE + 1 x 10GE Service Switch Unit A
SSUA2 2 × 100G Service Switch Unit A
SSUA1 1 × 100G Service Switch Unit A
SSUA21 20 x GE + 1 x 10GE Service Switch Unit A
CTCA1 100GE Optical Card (1 Port)
FTCA4 25GE Optical Card (4 Ports)
XTCA10 10GE Optical Card(10 Ports)
XTCA2 10GE Optical Card (2 Ports)
XTCB2 2 × 10G LAN / WAN Transparent Card B
XTCB5 5 × 10G LAN / WAN Transparent Card B
MTCA20 GE / FE Mix Optical Card (20 Ports)
TCA17 16 × GE and 1 × 10G Transparent Card A
CS1A8 8 x Channelized cSTM-1 A
IV
Terminology Convention
CE1A32 2M Process Card (32 Ch, Panel Outlet, 75/120Ω)
ESCA16 GE/FE Mix Electrical Card (16 Ports)
Symbol Conventions
Symbol Convention Description
Note Important features or operation guide.
Possible injury to persons or systems, or cause traffic

Caution
interruption or loss.
Warning May cause severe bodily injuries.
➔ Jump Jumps to another step.
Cascading
→ Connects multi-level menu options.
menu
Bidirectional
↔ The service signal is bidirectional.
service
Unidirectional
→ The service signal is unidirectional.
service
V
Contents
Preface...................................................................................................................I
Related Documentation ...................................................................................I
Version ..........................................................................................................III
Intended Readers ..........................................................................................III
Conventions ................................................................................................. IV
1 Initializing the CiTRANS R8000.......................................................................1
1.1 Power-on Testing ..............................................................................2
1.2 Logging into Main Control Protocol Stack ..........................................3
1.3 Checking Software Version .............................................................14
1.4 Upgrading the CiTRANS R8000......................................................15
2 Hardware Commissioning .............................................................................17
2.1 Checking System Time ...................................................................18
2.2 Checking Card Status .....................................................................18
2.3 Checking Interface Status ...............................................................19
2.4 Checking Interface Optical Power ...................................................20
2.5 Checking CPU / Memory Utilization.................................................22
2.6 Checking Card Registration Status..................................................22
2.7 Checking Card Temperature ...........................................................23
2.8 Checking Fan Status.......................................................................23
2.9 Checking Alarm Information ............................................................24
3 Global Basic Configuration............................................................................25
3.1 Configuring Host Name...................................................................26
3.2 Configuring System Time ................................................................26
3.3 Configuring VPN Router-ID and VRF...............................................27
3.4 Enabling Global Routing .................................................................29
3.5 Enabling Global MPLS....................................................................30

4 Interface Configuration..................................................................................31
4.1 Configuring a Loopback Interface....................................................32
4.2 Configuring an Interconnection Interface .........................................33
4.3 Configuring a LAG Interface ............................................................38
4.4 Configuring an Interface Monitoring Group ......................................41
4.5 Configuring the MTU.......................................................................44
5 Protocol Configuration ..................................................................................45
5.1 Configuring OSPF...........................................................................46
5.2 Configuring BFD for OSPF..............................................................50
5.3 Configuring LFA / R-LFA of OSPF ...................................................53
5.4 Configuring BGP.............................................................................56
5.4.1 Not Deploying RRs ...........................................................57

5.4.2 Deploying RRs .................................................................59
5.5 Configuring a Routing Policy ...........................................................64
6 Configuring a Tunnel.....................................................................................66
6.1 Background Information and Deployment Principles ........................67
6.2 Configuring a Static Tunnel and LSP 1:1 Protection .........................68
6.3 Configuring LDP LSP......................................................................73
6.4 Configuring LDP FRR .....................................................................74
7 Configuring L2VPN / L3VPN .........................................................................78
7.1 Configuring VPWS..........................................................................79
7.1.1 Configuring VPWS Using a Static Single-Segment PW......79

7.1.2 Configuring VPWS Using Static MS-PW............................81
7.1.3 Configuring VPWS Using Static PW Redundancy..............83
7.1.4 Configuring VPWS Using Dynamic Single-Segment PW....87
7.1.5 Configuring VPWS Using Dynamic MS-PW.......................89
7.1.6 Configuring VPWS Using Dynamic PW Redundancy.........92
7.2 Configuring VPLS ...........................................................................96
7.2.1 Configuring an E-Tree Service ..........................................96

7.2.2 Configuring an E-LAN Service.........................................102
7.2.3 Configuring HVPLS.........................................................107
7.2.4 Viewing VPLS MAC Address Table ................................. 110
7.3 Configuring L3VPN Using an LDP Tunnel ..................................... 111
7.4 Configuring Inter-Area L2VPN in OptionC Mode ............................ 115
7.5 Configuring Inter-Area L3VPN in OptionB Mode ............................120
8 Configuring AAA .........................................................................................124
8.1 Configuring Local Authentication and Authorization .......................126
8.2 Configuring Remote RADIUS Authentication .................................127
8.3 Configuring Remote TACACS Authentication and Authorization.....130
8.4 Configuring Remote Authentication Using CLI ...............................132
9 Configuring QoS .........................................................................................135
9.1 Configuring Traffic Shaping ...........................................................136
9.2 Configuring Queue Scheduling Policy ...........................................137
9.3 Configuring Congestion Avoidance ...............................................139
9.4 Configuring HQoS.........................................................................140
10 Other Configuration.....................................................................................145
10.1 Configuring SNMP ........................................................................146
10.2 Configuring LLDP .........................................................................148
10.3 Configuring NTP ...........................................................................149
10.4 Configuring Router Access Control ...............................................151
10.5 Configuring System Logs ..............................................................156
11 Saving Configuration Files ..........................................................................159
11.1 Backing Up the Configuration Files to the CF Card ........................160
11.2 Backing up the Configuration File via FTP .....................................160
12 Common Verification Commands ................................................................162
Appendix A Abbreviations ..........................................................................163

1 Initializing the CiTRANS R8000
You need to perform the initialization operations such as power-on test and logging
into main control protocol stack before service configuration. The following
introduces the items and configuration method of initializing the CiTRANS R8000.
Power-on Testing
Logging into Main Control Protocol Stack
Checking Software Version
Upgrading the CiTRANS R8000
Version: D 1
CiTRANS R8000 Series Multi-Service High-End Router Commissioning and Configuration Guide-CLI
1.1 Power-on Testing
Test the equipment after it is powered on to eliminate the silent failure during the
equipment commissioning so as to reduce the subsequent work load for repairing.
1. Before the power-on, check whether the power supply polarity is correct and
whether the card components (especially the optical modules) are loosened.
2. After the power-on, check whether cards are electrified normally, and whether
the indicator RUN on each card blinks quickly.
3. Use a fiber pigtail to loopback each optical interface. Observe for five minutes
and if no error occurs, the circuit is normal.
4. Long press the SW/OFL button on the active switch & router & clock unit to
switch over to the standby unit, and ensure that the cards are in normal hot
standby status.
5. Test the optical power of each receiving line and compare it with the theoretical
calculating value, and analyze whether the line attenuation is normal.
Note:
u Generally, the line attenuation is set to 0.275 dB/km; the theoretical

received optical power = transmitting optical power at the opposite
end - 0.275 × interval optical cable line length.
u The difference between the optical power of a receiving line and the
theoretical calculating value should be within 4 dB.
6. Connect a laptop to the equipment to check the received optical power reported
by the card (see Checking Interface Optical Power). The difference between
the received optical power reported by the card and the tested line optical
power should be within 2 dB.
7. Check that the fiber pigtails at the ODF side are normal, and their connections
are correct.
8. Only after being confirmed by the operator on site can users insert fibers to or
remove fibers from the ODF. This avoids removing the wrong fibers and
interrupting user services.
2 Version: D
9. Ensure that the east-west fiber connections are correct referring to the project
planning. Avoid reverse connections or misconnections.
10. Ensure that the link status at both ends of the optical path is correct and the
connection is normal by checking the link status indicator corresponding to the
optical interface on the service card.
11. Perform emergency troubleshooting for some simple faults such as loosening
of BCTs and optical transceivers or falling off of shorting jumpers which may be
caused by vibration during transportation.
1.2 Logging into Main Control Protocol Stack

Background Information
u Main control protocol stack
4 Concept: A system platform integrated in the SRC card to manage the

equipment; used to configure, maintain and commission the equipment.
4 Common operations: the interface / protocol / service configuration and

equipment status checking.
4 Login method:
¡ For first station or directly-connected equipment station: Log into the

operating system of the core switch card, and use the telnet 127.0.0.1
2650 command to log into the main control protocol stack.
¡ For project in normal use: Log into the main control protocol stack
directly.
u Card operating system
4 Concept: A system platform integrated in each card to manage and

commission the card.
4 Common operations: Check the version, log and packet capture of the
operating system.
4 Login method: If you have logged into the operating system of the core
switch card, switch to the card operating system through the ssh root@IP
command.
u File system
Version: D 3
4 Concept: A system platform integrated in each protocol stack or operating

system and used to store the files and management directory in the
equipment. You can create, delete, and modify the files and directories, or
change their names through the file system. This system can also display
the contents in the file.
4 Common operations: Upload upgrade packages, and view configuration

files.
4 Login method: You can call the file system by logging into the main control
protocol stack or operating system.
As shown in Figure 1-1, Figure 1-2 and Figure 1-3, the examples will introduce how
to log into the operating system GUI of the core switch card, the main control
protocol stack (initial username and password: fiberhome) and card operating
system GUI (initial username and password: root).
Note:
After logging into the operating system of the core switch card, you can
choose to log into the card operating system, log into the main control
protocol stack or upgrade the equipment.
Figure 1-1 Logging into Operating System GUI of Core Switch Card
Figure 1-2 Logging into the Main Control Protocol Stack GUI
4 Version: D
Figure 1-3 Logging into Card Operating System GUI
As shown in Figure 1-4, if you have logged into the main control protocol stack, you
can switch to the operating system of the core switch card through the ostelnet
127.0.0.1 command (initial username and password are both "fiberhome").
Figure 1-4 Switching to Operating System of Core Switch Card
Prerequisite
The CiTRANS R8000 has been powered on and started normally.
Tools and Instruments
u A personal computer (PC)
u Ethernet cables
u The terminal login emulation software (taking the SecureCRT software for
example)
u The file transfer protocol client software (taking the WinSCP software for
example)
Introduction to Login Mode
u First login: Log in through the ETH1 interface of the SRC card in SSH mode.
Version: D 5
1) Log in through the default IP address of the ETH1 interface in SSH mode.
2) Configure the IP address of the mgmt interface or that of ETH1.4088 (that

is, the IP address of the MGMT interface on the equipment panel,
hereinafter referred to as IP address of "ETH1.4088" to distinguish it from
the IP address of the mgmt interface).
u Subsequent login: It is advised to log in through the MGMT interface of the SRC
card in Telnet or SSH mode.
You can use the IP address of the mgmt interface or ETH1.4088.
4 If using the IP address of the mgmt interface, you need to enter the
username and password to log into the main control protocol stack in
Telnet mode.
4 If using the IP address of ETH1.4088, you need to log into the operating
system of the core switch card in SSH mode.
Note:
In actual projects, you are advised to use the IP address of the mgmt
interface to log into the main control protocol stack and operate on the
equipment.
First Login
1. Perform physical connection: use an Ethernet cable to connect the network

card of the PC with the ETH1 interface of the SRC card directly.
2. Set the IP address of the PC's network card and the default IP address of the
ETH1 interface to be in the same network segment (see Table 1-1). For
example, set the IP address of the PC to 10.22.12.99.
Table 1-1 Default IP Address of the ETH1 Interface
Default IP Address of
CiTRANS R8000-10 CiTRANS R8000-5 CiTRANS R8000-3
ETH1 Interface
10.22.12.(100+slot
SCR card in slot 12 SCR card in slot 6 SCR card in slot 4
number)
10.22.13.(100+slot
SCR card in slot 13 SCR card in slot 7 SCR card in slot 5
number)
6 Version: D
Note:
u Set the mask to 255.255.0.0 or 255.255.255.0.
u Set the default gateway to the IP address of the corresponding ETH1

interface, or leave it blank.
3. Log into the operating system GUI of the core switch card through the ETH1
interface.
1) Double-click the icon on the OTNM2000 server desktop to

access the not connected - SecureCRT window.
2) Click File (F)→Quick Connect (Q)... in the main menu to bring up the
Quick Connect dialog box.
3) Set the relevant parameters of the quick connection and click Connect.
¡ Protocol: Select SSH2.
Version: D 7
¡ Hostname: Set it to the default IP address of the ETH1 interface (see

Table 1-1).
¡ Username: Set it to fiberhome.
¡ Keep the default settings for the other items.
Note:
Select Save Session. When logging into the main control command line
GUI next time, click File (F)→Connect (C)... in the main menu, and you
can select this session in the dialog box that appears.
4) In the Enter Secure Shell Password dialog box that appears, enter the
password fiberhome and click OK to log into the operating system of the
core switch card.
fiberhome@CR8000-1:/root>
4. Set the IP address of ETH1.4088. It can be configured in either command line

mode or WinSCP mode.
4 Command line mode:

fiberhome@CR8000–1:/root>cd /mnt/cfdisk2/config
// Enter the config folder.
fiberhome@CR8000-1:/mnt/cfdisk2/config>vi user_config.sh
8 Version: D
// Enter user_config.sh file editing mode.

# vconfig add eth1 4088
/sbin/ifconfig eth1.4088 10.171.0.123 netmask 255.255.0.0
/sbin/ifconfig eth1.4088 down
/sbin/ifconfig eth1.4088 hw ether 44:4B:4D:0D:20:21
/sbin/ifconfig eth1.4088 up promisc
Configure the IP address, mask and MAC address according to the project
planning.
4 WinSCP mode:
a) Double-click on the OTNM2000 server desktop to access

the "WinSCP Login" dialog box.
b) Set the parameters, and click Login.
• Host name: The default IP address of the ETH1 interface.
• User name: fiberhome.
• Password: fiberhome.
• Use the default values for other items.
Version: D 9
c) Enter the "/mnt/cfdisk2/config" folder, and open the user_config.sh

file. Configure the IP address, mask and MAC address according to
the project planning.
5. Configure the IP address of the mgmt interface.
1) In the operating system GUI of the core switch card, enter the telnet
127.0.0.1 2650 command, and log into the main control protocol stack
(initial username and password: fiberhome).
2) Configure the IP address of the mgmt interface.

FH-CR8000#config terminal
// Enter the configuration mode.
FH-CR8000(config)#interface mgmt
// Enter the mgmt interface configuration.
FH-CR8000(if-mgmt)#ip address 4.90.64.9/30
// Set the IP address of the mgmt interface to 4.90.64.9/30.
Note:
u After that, all operations will be performed through accessing the

equipment via the MGMT interface, and the ETH1 interface will no
longer be used.
u The IP address of the mgmt interface generally uses a 30-digit mask

(255.255.255.252), and the IP address should be planned and used
in a unified way.
10 Version: D
Subsequent Login
1. Perform physical connection: use an Ethernet cable to directly connect the

network card of the PC with the MGMT interface of the SRC card or
interconnect them through switches.
2. Set the IP address of the PC's network card and the default IP address of the
mgmt interface or ETH1.4088 to be in the same network segment. The
following introduces how to set the IP address of the PC to 4.90.64.10, using
the IP address of the mgmt interface as an example.
Version: D 11
12 Version: D
3. Double-click the icon on the PC desktop to access the not

connected - SecureCRT window.
4. Click File (F)→Quick Connect (Q)... in the main menu to bring up the Quick
Connect dialog box.
5. Set the relevant parameters of the quick connection.
4 When using the IP address of the mgmt interface:
¡ Protocol: Select Telnet.
¡ Hostname: Set it to the IP address of the mgmt interface, for example,

4.90.64.9.
¡ Port: Set it to 23.
4 When using the IP address of ETH1.4088:
¡ Protocol: Select SSH2.
¡ Hostname: Set it to the IP address of ETH1.4088.
Note:
Select Save Session. When you log into the NE command line GUI next
time, click File (F)→Connect (C)... in the main menu, and you can select
this session in the dialog box that appears.
6. Click Connect.
4 Use the IP address of the mgmt interface, and you can directly log into the
main control protocol stack (both the initial username and password are
"fiberhome").
Version: D 13
Note:
If you need to log into the operating system of the card or upgrade the
equipment, you can run the ostelnet 127.0.0.1 command to switch to the
operating system GUI of the core switch card.
4 Use the IP address of ETH1.4088, and you can directly log into the
operating system of the core switch card.
In the operating system GUI of the core switch card, enter the telnet
127.0.0.1 2650 command, and log into the main control protocol stack
(initial username and password: fiberhome).
1.3 Checking Software Version

Prerequisite
Users have logged into the main control protocol stack (see Logging into Main
Control Protocol Stack for operation procedures).
Procedure
1. Check the software version of all cards.
2. Check the compiling time of the card software.
Note:
u Software Version indicates the software version of the card.
u Compile-Version1 indicates the compiling time of the card software.
u Compile-Version2 indicates the SVN number of the RCU software.
14 Version: D
1.4 Upgrading the CiTRANS R8000
You can upgrade the equipment if you need to add new features, optimize the
original performance or solve the problems of the current version.
Upgrade Requirement
The following requirements can be met by upgrading the equipment.
u Adding new features
u Optimizing the original performance
u Solving the problems of the current version
Precautions
Before the upgrading, pay attention to the following aspects:
u Prepare one spare for each card for the on-site upgrading.
u Obtain the required new version of system software, PAF / License file and the
corresponding supporting document from proper channels.
u Before upgrading, back up the configuration files of the current equipment,

collect the service configuration information and save the configuration.
u Enable the log function to record all the operations during the entire upgrading.
u View the current software version information of all the modules on each card,
including the network protocol stack version, OS firmware version and
electromechanical version.
Supported Upgrading Mode
The supported upgrading modes include CLI mode, automatic mode using mobile
storage device and BootROM mode.
The upgrading modes are applicable under the following conditions:
u CLI mode
4 The equipment operates normally. You can log into the equipment
remotely and upgrade the equipment using the FTP / TFTP.
Version: D 15
4 The equipment is loaded with a large system software package. You can
either log into the equipment through a serial port and set the IP address,
or log in remotely through in-band signaling.
u Automatic mode using mobile storage device (CF card)
4 In this mode, the CF card is used to load the large package of system
software. This mode is applicable to project upgrade or fault handling.
Before you start, prepare two CF cards.
4 To use this mode, replace the built-in CF cards of the active and standby
core switch cards with the prepared new CF cards (cfdisk2) which contain
the large packet of system software.
u BootROM mode
4 The equipment is going to be upgraded for the first time, but the built-in
large package of system software is faulty or does not exist.
4 After the software is reset during the system upgrading, two core switch
cards can not be registered.
4 After the system software is upgraded, the active core switch card is
registered and the standby one is not.
4 You cannot log into the equipment via the Telnet mode.
16 Version: D
2 Hardware Commissioning
This chapter introduces the items and method of hardware commissions of the
equipment.
Checking System Time
Checking Card Status
Checking Interface Status
Checking Interface Optical Power
Checking CPU / Memory Utilization
Checking Card Registration Status
Checking Card Temperature
Checking Fan Status
Checking Alarm Information
Version: D 17
2.1 Checking System Time

Prerequisite
Procedure
Check the system time using the following commands.
FH-CR8000#show date
system date:Mon Sep 5 15:17:39 CST 2016
If the current time and time zone of the equipment in the information shown above is
consistent with local time and time zone, you can proceed with the following
commissioning items.
2.2 Checking Card Status

Prerequisite
Procedure
1. Query the active / standby status of the cards.

FH-CR8000#show device
Slot Type Online Register Status Primary
2 SPUD Present Registered OK Primary
4 SSUA13 Present Registered OK Primary
5 SSUA13 Present Registered OK Primary
6 SRCA Present Registered OK Primary
7 SRCA Present Registered OK Backup
2. Check the card slots and the sub-card configuration in the NE.
FH-CR8000#show device all
Slot SubSlot name Online Status UnSync Comment
5 0 SPUD OK OK 0 -
5 2 TCA17 OK OK 0 -
6 0 SRCA OK OK 0 -
18 Version: D
7 0 - Init Absent 0 -
3. Query the subcard status.

FH-CR8000#show device subcard
Slot SubSlot Type Online Register Status
2 0 SPUD Present Registered OK
2 2 XTCA5 Present Registered OK
6 0 SRCA Present Registered OK
4. Check the basic status of the card in the designated slot (taking slot 4 for
example).
FH-CR8000#show board state slot 4
Board version : WKE2200913R2C
PCB version : WKE7200708R2C
Software version : RP0100
Board temperature : 47.0
Power on time : 0 Days, 23:49:57
Active : -
Register : Registered
In the above information, users should focus on the following aspects: whether the
active / standby status of the card is normal, whether the online status is Present,
whether the registration status is Registered and whether the card Status is OK.
2.3 Checking Interface Status

Prerequisite
Procedure
Check the interface status including the physical status, protocol status, recent
bandwidth utilization in Tx and Rx directions, and the received and sent error
packets.
Version: D 19
In the information shown above, users should focus on the issue whether the
physical status (PHY) of the physical port is "up".
See the table below for the parameter descriptions.
Item Description
Displays the port status.

u Physical main interface and sub-interface: If the physical
ports are normally connected, and the ports are enabled in
PHY
the protocol stack, the status is displayed as up.
u Loopback interface and virtual interface: If the ports are
enabled in the protocol stack, the status is displayed as up.
Generally, after the IP address is configured for the port, the

Protocol
status is displayed as up.
Indicates the average bandwidth utilization in Tx/Rx direction of

the interface in recent 300 seconds, which should be less than
80% in normal conditions. This item is displayed only for the
InUti% / OutUti%
physical main interface, and is displayed as 0 for other
interfaces. It should be displayed as 0.01 when the PHY of port
is up and there is no service traffic.
Displays the quantity of sent and received error packets of the

inErrors / outErrors
port. It should be normally displayed as 0.
2.4 Checking Interface Optical Power
For all the optical interfaces connected through optical fibers, users should check
whether their optical power is normal. Abnormal optical power will affect the stable
operation of services.
20 Version: D
Prerequisite
Procedure
Check interface optical power: Check the status of all interfaces or a designated
interface in the CLI GUI. The following introduces how to check the status of the
GE0/3/1/18 interface as an example.
FH-CR8000#show interface gigabitethernet 0/3/1/18

interface gigabitethernet 0/3/1/18
index 18 mtu 1500
current state Up
Line protocol state Up
Description: FIBERHOME, gigabitethernet 0/3/1/18 Interface
route_type L3
HWaddr: 344b.3d06.8ef9
WaveLength: 850nm, Transmission Distance: 550m
Rx Power: -6.54 dBm
Tx Power: -6.13 dBm
Last 300 seconds input rate: 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bits/sec, 0 packets/sec
Input: 0 bytes, 0 packets
Output: 0 bytes, 0 packets
Input:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 0 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 0 packets
Overrun: 0 packets, InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 0 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
System: 0 packets, Overruns: 0 packets
TxPause: 0 packets
Input bandwidth utilization(%) : 0
Output bandwidth utilization(%) : 0
Version: D 21
In the above information, you should focus on the following aspects: whether the Tx
/ Rx power of the card's optical interface is in a normal range (the Tx / Rx power is
displayed only for the physical main interface), and whether parameters such as
central wavelength and maximum transmission distance of the optical modules at
both ends of the link are consistent.
2.5 Checking CPU / Memory Utilization

Prerequisite
Procedure
Check the CPU / memory utilization.
FH-CR8000#ems-show system-usage
CPU usage : 53%
MEMORY usage : 23%
You can view the value of CPU / memory utilization in the information displayed
above.
2.6 Checking Card Registration Status

Prerequisite
Procedure
Check the registration status of cards.
FH-CR8000#ems-show device
Slot Type Online Register Status Primary
01 SPUE Present Registered OK -
06 SRCA Present Registered OK -
07 - - - - -
22 Version: D
In the above information, you should focus on the following aspects: whether
"Register" is "Registered" and whether "Status" is "OK".
2.7 Checking Card Temperature

Prerequisite
Procedure
Check the temperature of cards.
FH-CR8000#ems-show cardtemp
BoardName Addr Loc Temp TrefVal TmaxVal Tdiff
SPUE 01 50 90 83 89 12
SRCA 06 9 87 87 93 9
You should focus on the card temperature ("Temp") in the information displayed
above.
2.8 Checking Fan Status

Prerequisite
Procedure
Check the fan status.
FH-CR8000#ems-show fanctrl
runmode: auto
runlevel: 6
You can view the fan operating mode and speed choice in the information displayed
above.
Version: D 23
2.9 Checking Alarm Information

Prerequisite
Procedure
Check alarm information.
You can view the information such as alarm level, generation date and time, alarm
name, slot and port from the data displayed above, so as to analyze and isolate the
alarm.
24 Version: D
3 Global Basic Configuration
This chapter introduces the global basic configuration of the CiTRANS R8000
Series.
Configuring Host Name
Configuring System Time
Configuring VPN Router-ID and VRF
Enabling Global Routing
Enabling Global MPLS
Version: D 25
3.1 Configuring Host Name
Configure the host name for identifying equipment.
Procedure
1. Enter the configuration mode of the equipment.

change to configuration mode
FH-CR8000(config)#
2. Configure the host name of the equipment.

FH-CR8000(config)#sysname HB-WH-JDK.MCN.R8000
HB-WH-JDK.MCN.R8000(config)#
Note:
Devices differ from each other in some parameters, which are marked in
red.
3. Save the configuration of the equipment.

HB-WH-JDK.MCN.R8000(config)#exit
HB-WH-JDK.MCN.R8000#save
Configuration Result
u After the host name of the equipment is configured, FH-CR8000 in the CLI view
prompt will become the host name.
u In the user view, use the show running-config command to check the
returned information, which should include the following contents.
HB-WH-JDK.MCN.R8000#show running-config
!
!Current configuration：
!
sysname HB-WH-JDK.MCN.R8000
3.2 Configuring System Time
Configure the system time using GMT to synchronize the time of all the current
cards of the equipment.
26 Version: D
Note:
After the system time command is issued, if a new card is added to the
equipment, users need to re-issue the command to synchronize the time
of the new card and the equipment.
Procedure

FH-CR8000(config)#
2. Configure the system time of the equipment. In the example below, the date is
set to 2016-09-05 and the system time is set to 15:13:13.
FH-CR8000(config)#device
change to device mode
FH-CR8000(device)#set system-time date 2016-09-05 time 15:13:13
FH-CR8000(device)#withdraw

FH-CR8000#save
After the system time is configured, synchronize the time of all current cards of the
equipment with this system time.
3.3 Configuring VPN Router-ID and VRF
The existence of VPN instance is the prerequisite for you to associate a protocol
process or an interface with a VPN instance. Configure a VPN instance first in the
basic configuration to facilitate subsequent operations.
u Set the VPN Route-ID.
u Configure the VPN instance. For bearing the 3G base station service, configure
the L3VPN-1. For bearing the 4G base station service, configure the L3VPN-2.
The following illustrates the configuration using L3VPN-1 as an example.
Version: D 27
Procedure

FH-CR8000(config)#
2. Set the VPN Router-ID of the equipment. The example below illustrates how to
set the VPN Router ID to 3.173.0.167.
Generally, set the VPN Router-ID to the equipment management Loopback

address (loopback0, see Configuring a Loopback Interface for the
configuration).
FH-CR8000(config)#vpn router-id 3.173.0.167
3. Configure a VPN instance on the equipment.
Item Parameter
VRF instance name L3VPN-1
Service VPN RD valueNote 1 4134:3050
instance Ingress RT valueNote 2 4134:305000 4134:305001
Egress RT value 4134:305000
Note 1: The equipment serves as the VPN PE node configured with dual RDs, advertises
equal-cost VPNv4 routes and supports the downlink VPNv4 ECMP loading balancing
(the terminating equipment must be configured with ECMP). The RD of the active
station should be different from that of the standby one. It is advisable to set different
RDs for each station.
Note 2: The ingress RT values of the active and standby terminating devices of the 3G PS / 4G
service are a and b, while the egress RT value is b. The ingress RT value of the active /
standby convergence device is b while the egress RT value is a. a is unequal to b.
FH-CR8000(config)#ip vrf L3VPN-1

Vrf instant create success and enter vrf mode, you must configure
vpn-type(default-type is dynamic)
FH-CR8000(vrf-L3VPN-1)#rd 4134:3050
The vrf is actived as dynamic instance.
FH-CR8000(vrf-L3VPN-1)#route-target import 4134:305000
FH-CR8000(vrf-L3VPN-1)#route-target import 4134:305001
FH-CR8000(vrf-L3VPN-3)#route-target export 4134:305000
FH-CR8000(vrf-L3VPN-1)#exit
FH-CR8000(config)#exit

FH-CR8000#save
28 Version: D
In the user view of convergence equipment's main control protocol stack, use the
show running-config vrf command to check the returned information, which
should include the following contents.
FH-CR8000#show running-config vrf

!
vpn router-id 3.173.0.167
!
ip vrf L3VPN-1
rd 4134:3050
route-target import 4134:305000
route-target import 4134:305001
route-target export 4134:305000!
3.4 Enabling Global Routing
The global routing function is disabled by default. Users must enable the global
routing function of the equipment before configuring the routing protocol for the
equipment.
Procedure

FH-CR8000(config)#
2. Enable the ip routing function for the equipment globally.

FH-CR8000(config)#ip routing

FH-CR8000#save
In the user view of equipment protocol stack, use the show running-config
command to check the returned information, which should include the following
contents.
FH-CR8000#show running-config
Version: D 29
!
!Current configuration：
!
ip routing
3.5 Enabling Global MPLS
Enable the global MPLS switching function of the equipment. The router needs to
use the MPLS forwarding function, thus the global MPLS must be enabled.
Procedure

FH-CR8000(config)#
2. Enable the MPLS function for the equipment globally.

FH-CR8000(config)#mpls

FH-CR8000#save
In the user view of equipment protocol stack, use the show running-config
command to check the returned information, which should include the following
contents.
!
!urrent configuration：
!
mpls
30 Version: D
4 Interface Configuration
This chapter introduces how to configure each type of interface.
Configuring a Loopback Interface
Configuring an Interconnection Interface
Configuring a LAG Interface
Configuring an Interface Monitoring Group
Configuring the MTU
Version: D 31
4.1 Configuring a Loopback Interface
Configure an equipment management loopback interface on the equipment. The

loopback interface improves the configuration reliability and serves as the Router-ID
of routers.
Network Requirement
Figure 4-1 Network Requirement of Loopback Interface
As shown in Figure 4-1, configure the loopback0 interface of NE1 to NE6. The
following illustrates the setting using the NE5 as an example.
Procedure

FH-CR8000(config)#
2. Configure the properties of the equipment management loopback 0 interface.
Item Parameter
Port name loopback 0
IP address / mask length 3.173.0.167/32

Enabling the port no shutdown
32 Version: D
Note:
u Set the IP address to that of the host with 32-bit mask.
u Generally only one equipment management loopback 0 interface

should be configured.
u The management interface IP address should be unique in the entire

network. It is advisable to plan it according to the network segment
provided by the network operator.
FH-CR8000(config)#interface loopback 0
FH-CR8000(if-loopback0)#ip address 3.173.0.167/32
FH-CR8000(if-loopback0)#no shutdown
FH-CR8000(if-loopback0)#withdraw

FH-CR8000#save
1. Use the "show running-config interface loopback 0" command to check the
configuration data on the equipment, which should be consistent with the
planning data.
FH-CR8000#show running-config interface loopback 0
!
interface loopback 0
ip address 3.173.0.167/32
2. Use the "show interface brief" command to check the interface status. The
items PHY and Protocol should be up.
FH-CR8000#show interface brief
4.2 Configuring an Interconnection Interface
Configure the interconnection interface on the device to bear service traffic between
devices.
Version: D 33
Network Requirement
Figure 4-2 Network Requirement of Interconnection Interface
As shown in Figure 4-2, configure the interconnection interface of NE1 to NE6. The
following illustrates the setting using the NE5 as an example.
Procedure

FH-CR8000(config)#
2. Configure the interconnection interfaces. The interconnection interfaces of NE5

include those interconnected with the access equipment, with the convergence
equipment and with the core equipment.
34 Version: D
4 Interconnection interface to the access equipment
a) Configure the interconnection interface for setting up the service

OSPF communication.
Note:
Configure the physical interconnection interface to the auto-negotiation

mode.
Item Parameter
Port name gigabitethernet 0/3/1/1
Port negotiation (optional) negotiation auto

Enabling MPLS enable-mpls
FH-CR8000(config)#interface gigabitethernet 0/3/1/1

FH-CR8000(if-gigabitethernet0/3/1/1)#negotiation auto
FH-CR8000(if-gigabitethernet0/3/1/1)#ip address 192.168.1.1/30
FH-CR8000(if-gigabitethernet0/3/1/1)#no shutdown
FH-CR8000(if-gigabitethernet0/3/1/1)#enable-mpls
FH-CR8000(if-gigabitethernet0/3/1/1)#exit
4 Interconnection interface to the convergence equipment
a) Configure the physical interconnection interface.
Item Parameter
Port name ten-gigabitethernet 0/2/1/1
MTU 9000
FH-CR8000(config)#interface ten-gigabitethernet 0/2/1/1

FH-CR8000(if-ten-gigabitethernet0/2/1/1)#mtu 9000
FH-CR8000(if-ten-gigabitethernet0/2/1/1)#no shutdown
FH-CR8000(if-ten-gigabitethernet0/2/1/1)#exit
b) Set the sub-interfaces with the VLAN IDs 30, 31 and 32 between
convergence devices for setting up the service OSPF communication.
The following illustrates the configuration using the sub-interface with
VLAN ID 31 as an example.
Version: D 35
Item Parameter
Port name ten-gigabitethernet 0/2/1/1.31
VLAN 31
FH-CR8000(config)#interface ten-gigabitethernet 0/2/1/1.31

FH-CR8000(if-ten-gigabitethernet0/2/1/1.31)#vlan-type dot1q 31
FH-CR8000(if-ten-gigabitethernet0/2/1/1.31)#ip address 192.168.1.29/30
FH-CR8000(if-ten-gigabitethernet0/2/1/1.31)#no shutdown
FH-CR8000(if-ten-gigabitethernet0/2/1/1.31)#enable-mpls
FH-CR8000(if-ten-gigabitethernet0/2/1/1.31)#exit
c) Configure the sub-interface with VLAN 101 between convergence

devices for setting up service ISIS communication.
Item Parameter
Port name ten-gigabitethernet 0/2/1/1.101
MTU 9000
VLAN 101

FH-CR8000(if-ten-gigabitethernet0/2/1/1.101)#mtu 9000
FH-CR8000(if-ten-gigabitethernet0/2/1/1.101)#vlan-type dot1q 101
FH-CR8000(if-ten-gigabitethernet0/2/1/1.101)#ip address 192.168.2.25/30
FH-CR8000(if-ten-gigabitethernet0/2/1/1.101)#no shutdown
FH-CR8000(if-ten-gigabitethernet0/2/1/1.101)#enable-mpls
FH-CR8000(if-ten-gigabitethernet0/2/1/1.101)#exit
4 Interconnection interface to the core equipment
a) Configure the physical interface of convergence equipment uplinked

with the core equipment.
Item Parameter
Port name ten-gigabitethernet 0/1/1/1
MTU 9000
36 Version: D
Item Parameter

FH-CR8000(if-ten-gigabitethernet0/1/1/1)#mtu 9000
FH-CR8000(if-ten-gigabitethernet0/1/1/1)#no shutdown
FH-CR8000(if-ten-gigabitethernet0/1/1/1)#ip address 192.168.2.6/30
FH-CR8000(if-ten-gigabitethernet0/1/1/1)#enable-mpls
FH-CR8000(if-ten-gigabitethernet0/1/1/1)#withdraw

FH-CR8000#save
1. Use the "show running-config interface" command to check the configuration

data on the equipment, which should be consistent with the planning data.
FH-CR8000#show running-config interface
!
ip address 192.168.1.1/30
enable-mpls
!
interface ten-gigabitethernet 0/2/1/1
mtu 9000
!
interface ten-gigabitethernet 0/2/1/1.31
vlan-type dot1q 31
ip address 192.168.1.29/30
enable-mpls
!
mtu 9000
vlan-type dot1q 101
ip address 192.168.2.25/30
enable-mpls
!
interface ten-gigabitethernet 0/1/1/1
mtu 9000
ip address 192.168.2.6/30
enable-mpls
Version: D 37
2. Use the "show interface brief" command to check the interface status. The item
PHY should be up.
4.3 Configuring a LAG Interface
Configure a LAG interface on the equipment to protect services from being

interrupted by single-fiber failure. The LAG interface is generally used for the NNI
interconnection interface and the UNI interface connected to the terminating device.
Network Requirement
Figure 4-3 Network Requirement of LAG Interface
As shown in Figure 4-3, the UNI interfaces of NE1 and NE2 are the LAG interfaces.
The following introduces the configuration using the LAG interface of NE1 as an
example.
Procedure

FH-CR8000(config)#
2. Configure the LAG interface using the manual load balancing mode.
Item Parameter
LAG interface name 1
LAG interface mode no l2transport
Load balancing mode of the LAG interfaceNote 1 work-loadNote 2

MAC address of the LAG interfaceNote 3 0000.0001.0112
38 Version: D
Item Parameter
Interface switch no shutdown
Note 1: The load balancing modes include non-load balancing, manual load balancing (work-
load) and LACP load balancing (lacp-load). The work-load mode is recommended for
the NNI interface. In the interconnection scenario, select "work-load" or "lacp-load" for
the UNI interface.
Note 2: If this item is set to lacp-load, LACP should be enabled in the configuration mode.
Note 3: The MAC address is optional. When the LAG interface is used for the UNI interface
interconnection, the MAC addresses of the LAG interfaces of two connected devices
should be different. It is recommended to set the MAC address to 00-00-00-XX-YY-ZZ,
in which XX is the network block number, YY is the NE number and ZZ is the LAG
interface number.
FH-CR8000(config)#interface lag 1
FH-CR8000(if-lag1)#no l2transport
FH-CR8000(if-lag1)#lag-mode work-load
FH-CR8000(if-lag1)#lag-arithmetic source-destination-ip
FH-CR8000(if-lag1)#lag-mac-address 0000.0001.0112
FH-CR8000(if-lag1)#no shutdown
FH-CR8000(if-lag1)#exit
Note:
The NNI interface needs be enabled with the RSVP and MPLS protocols,
while the UNI interface does not need.
3. Add the member interfaces into the LAG interface in non-load balancing mode.
Item Parameter
Main member interface gigabitethernet 0/2/1/1
Slave member interface gigabitethernet 0/2/1/3

FH-CR8000(if-gigabitethernet0/2/1/1)#lag 1 master
FH-CR8000(if-gigabitethernet0/2/1/3)#lag 1 backup
Version: D 39
Note:
If the load balancing mode is " work-load" or "lacp-load", use the lag 1
member command to add the interface to the LAG.
4. Configure the member interface BFD.
Item Parameter
Configuring the main member Local ID 1
interface BFD Remote ID 1
Configuring the slave member Local ID 2
interface BFD Remote ID 2

FH-CR8000(if-gigabitethernet0/2/1/1)#bfd default-ip local-discriminator 1 remote-
discriminator 1 process-interface-status
FH-CR8000(if-gigabitethernet0/2/1/3)#bfd default-ip local-discriminator 2 remote-
discriminator 2 process-interface-status
FH-CR8000(if-gigabitethernet0/2/1/3)#withdraw

FH-CR8000#save
1. Use the "show running-config interface" command to check the configuration

FH-CR8000#show running-config interface
!
interface lag 1
no l2transport
lag-mode work-load
lag-mac-address ace0.0001.0002
!
lag 1 master
bfd default-ip localdiscriminator 1
remote-discriminator 1 process-interface-status
!
40 Version: D
lag 1 backup
bfd default-ip localdiscriminator 2
remote-discriminator 2 process-interface-status
2. Use the "show interface brief" command to check the interface status. The item
PHY should be up.
FH-CR8000#show interface brief
3. Use the "show lag 1" command to check the LAG interface status and
configuration information.
FH-CR8000#show lag 1
Interface Index :671621120
Status :up
Device priority :1
Lag mode :work-load
Lag arithmetic :-
Lag attribute :L3
Lag mac address :ace0.0001.0002
Lag return mode :enable
Lag wait recover time :5
MasterPortName :gigabitethernet 0/2/1/1
BackupPortName :gigabitethernet 0/2/1/3
ActorPort
ActorPortName :gigabitethernet 0/2/1/1
Status :Deactive
Bfd_status :-
ActorPort
ActorPortName :gigabitethernet 0/2/1/3
Status :Deactive
Bfd_status :-
4.4 Configuring an Interface Monitoring Group
The interface monitoring group is a port coordination scheme. It disables the

downlink port VC BFD by monitoring the UP / Down status of the equipment uplink
port, so as to trigger the PW redundancy switching.
Version: D 41
The interface monitoring group associates the interfaces at the network side with
those at the user side. If it detects that all the interfaces bound at the network side
are in "Down" status, it forces the tracing interface at the user side to turn into the
"Down" status. The interface monitoring group is mainly used for the association
between L3 and L2 in the L2 / L3 service model, and is deployed on the
convergence device. The interface bound to the network side is a horizontal NNI
interface, and the user-side tracing interface is a downlink interface connected to
the access device. Each tracing interface at the user side should be configured with
an interface monitoring group.
Network Requirement
Figure 4-4 Network Requirement of Interface Monitoring Group
As shown in Figure 4-4, after the uplink interfaces and parallel interfaces of NE5 are
all in "Down" status, NE5 can no longer forward service traffic, but the access
device still transmits uplink traffic to NE5, so that the uplink traffic will be interrupted.
To prevent the traffic interruption, an interface monitoring group can be used.

Actively disable the downlink interface of NE5 using interface association, and
trigger the uplink traffic switchover from NE5 to NE6.
The bound interfaces at the network side are XGE0/1/1/1 and XGE0/2/1/1, and the
tracing interfaces at the user side are GE0/3/1/1 and GE0/3/1/2.
42 Version: D
The following illustrates the configuration using NE5 as an example.
Note:
u Generally deploy an interface monitoring group on two convergence

devices simultaneously.
u Use physical ports as the uplink, parallel and downlink interfaces.
Procedure

FH-CR8000(config)#
2. Create a monitoring group. Add the uplink and parallel interfaces of the
convergence device into the monitoring group.
Item Parameter
Creating a monitoring group monitor-group 1
ten-gigabitethernet 0/1/1/1
Binding ports
ten-gigabitethernet 0/2/1/1
FH-CR8000(config)#monitor-group 1
FH-CR8000(monitor-group-1)#binding interface ten-gigabitethernet 0/1/1/1
FH-CR8000(monitor-group-1)#binding interface ten-gigabitethernet 0/2/1/1
FH-CR8000(monitor-group-1)#exit
3. Set the monitoring type and action type of the monitoring group interfaces of
user.
FH-CR8000(monitor-group-1)#monitorbfd
// Set the monitoring type of the monitoring group interfaces of user to bfd association.
FH-CR8000(monitor-group-1)#no monitorbfd
// Set the monitoring type of the monitoring group interfaces of user to non-bfd association.
FH-CR8000(monitor-group-1)#block action-typebfd-off
// Set the action type of the monitoring group interfaces of user to bfd blocking.
FH-CR8000(monitor-group-1)#no block action-type
// Set the action type of the monitoring group interfaces of user to laser shutdown.
4. Use the monitoring group for the downlink interface.

FH-CR8000(if-gigabitethernet0/3/1/1)#track monitor-group 1
Version: D 43
FH-CR8000(if-gigabitethernet0/3/1/2)#track monitor-group 1

FH-CR8000#save
Use the "show running-config monitor-group" command to check the configuration

FH-CR8000#show running-config monitor-group

!
track monitor-group 1
!
track monitor-group 1
!
monitor-group 1
binding interface ten-gigabitethernet 0/1/1/1
binding interface ten-gigabitethernet 0/2/1/1
4.5 Configuring the MTU
This section introduces how to configure the MTU of an Ethernet interface.
Procedure

FH-CR8000(config)#
2. Enter the Ethernet interface view.

FH-CR8000(config-if)#
3. Configure the MTU value in the interface view.

FH-CR8000(config-if)#mtu 8000
FH-CR8000(config-if)#commit
44 Version: D
5 Protocol Configuration
This chapter introduces how to configure the routing protocol.
Configuring OSPF
Configuring BFD for OSPF
Configuring LFA / R-LFA of OSPF
Configuring BGP
Configuring a Routing Policy
Version: D 45
5.1 Configuring OSPF
Use the OSPF protocol as the access layer IGP for distributing different OSPF
process IDs for service forwarding and network management. This section
introduces the OSPF configuration related to service.
Network Requirement
Figure 5-1 Network Requirement of OSPF
As shown in Figure 5-1, configure the OSPF instances on NE5 and NE6, and set
the OSPF parameters on the equipment management Loopback interface, and the
service sub-interfaces (interconnection interfaces) between convergence devices
and between convergence device and access device. The following illustrates the
configuration using NE5 as an example.
Procedure

FH-CR8000(config)#
46 Version: D
2. Configure routing policies to implement routing isolation of the access ring.

Configure the IP address prefix list.
Item Parameter
Prefix list name p_into_list
Note 1
Prefix list number 5 10 200
Filter mode permit permit deny
Network IP address 3.173.0.167Note 2 3.173.0.168Note 3 anyNote 4
Note 1: The list number starts from 5 and increases in the step of 5. A router checks the table
entries identified by the prefix list name in ascending order.
Note 2: The equipment management Loopback address of NE5.
Note 3: The equipment management Loopback address of NE6.
Note 4: It indicates any network address.
FH-CR8000(config)#ip prefix-list p_into_list seq 5 permit 3.173.0.167/32

FH-CR8000(config)#ip prefix-list p_into_list seq 10 permit 3.173.0.168/32
FH-CR8000(config)#ip prefix-list p_into_list seq 200 deny any
3. Configure service OSPF process on the equipment.
Item Parameter
Program number 31
Router IDNote 1 3.173.0.167
Area ID 0.0.0.0 0.0.0.1 0.0.0.2
Note 2
Area type TRANSIT TRANSIT TRANSIT
Filter type - prefix prefix
Basic configuration Filter list nameNote 3 - p_into_list p_into_list
of the OSPF protocol
Filter direction - in in
3.173.0.167/32 192.168.1.
192.168.1.24/30
Subnet joining into the domainNote 4 192.168.1. 28/30
192.168.1.12/30
20/30 192.168.1.0/30
Maximum hold-off time calculated by
10
SPF (ms)
Version: D 47
Item Parameter
Enabling Opaque-LSA capability capability opaque
Traffic engineering
Enabling traffic engineering capability traffic-engineering
configurationNote 5
Enabling CSPF algorithm capability cspf 31Note 6
Note 1: Set this item to the IP address of the equipment management Loopback interface of NE5.
Note 2: It is a TRANSIT area by default when the area type is not configured.
Note 3: Set this item to the IP address prefix list name in Step 2.
Note 4: For the area 0, set this item to the IP address of the equipment loopback interface and the IP network
segment of the interconnection interfaces of area 0 between the convergence devices. For the non-0 area,
set this item to the IP network segment of the interconnection interfaces of the corresponding area between
the convergence devices and that of the access equipment.
Note 5: The RSVP tunnel can be set up. The Opaque-LSA capability, traffic engineering and CSPF algorithm should
be enabled for the OSPF.
Note 6: Set this item to the OSPF process ID.
FH-CR8000(config)#router ospf 31
FH-CR8000(ospf-31)#router-id 3.173.0.167
FH-CR8000(ospf-31)#timers spf exp 10
FH-CR8000(ospf-31)#network 3.173.0.167/32 area 0.0.0.0
FH-CR8000(ospf-31)#area 0.0.0.1 filter-list prefix p_into_list in
FH-CR8000(ospf-31)#area 0.0.0.2 filter-list prefix p_into_list in
FH-CR8000(ospf-31)#capability opaque
FH-CR8000(ospf-31)#capability traffic-engineering
FH-CR8000(ospf-31)#capability cspf 31
FH-CR8000(ospf-31)#exit
4. Set the OSPF interface parameters on the equipment. The interfaces include
the sub-interfaces between the convergence device and access device, and
those between the convergence devices. The following illustrates the sub-
interface configuration between the convergence devices using the sub-
interface XGE0/2/1/1.31 as an example.
Item Parameter
gigabitethernet gigabitethernet ten-gigabitethernet
Basic configuration Port name
0/3/1/1 0/3/1/2 0/2/1/1.31
of the OSPF
Enabling IGP-LDP
interface ospf ldp-synct ospf ldp-synct ospf ldp-synct
synchronization
48 Version: D
Item Parameter
Network type point-to-point point-to-point point-to-point
Cost 10 10 2000

FH-CR8000(if-gigabitethernet0/3/1/1)#ospf ldp-synct
FH-CR8000(if-gigabitethernet0/3/1/1)#ip ospf network point-to-point
FH-CR8000(if-gigabitethernet0/3/1/1)#ip ospf cost 10
FH-CR8000(if-gigabitethernet0/3/1/2)#ospf ldp-synct
FH-CR8000(if-gigabitethernet0/3/1/2)#ip ospf network point-to-point
FH-CR8000(if-gigabitethernet0/3/1/2)#ip ospf cost 10
FH-CR8000(if-gigabitethernet0/2/1/1.31)#ospf ldp-synct
FH-CR8000(if-ten-gigabitethernet0/2/1/1.31)#ip ospf network point-to-point
FH-CR8000(if-ten-gigabitethernet0/2/1/1.31)#ip ospf cost 2000
FH-CR8000(if-ten-gigabitethernet0/2/1/1.31)#withdraw

FH-CR8000#save
1. Use the "show running-config ospf" command to check the configuration data
on the equipment, which should be consistent with the planning data.
FH-CR8000#show running-config ospf
!
router ospf 31
router-id 3.173.0.167
capability opaque
capability traffic-engineering
network 3.173.0.167/32 area 0.0.0.0
network 192.168.1.20/30 area 0.0.0.0
network 192.168.1.28/30 area 0.0.0.1
network 192.168.1.0/30 area 0.0.0.1
network 192.168.1.24/30 area 0.0.0.2
network 192.168.1.12/30 area 0.0.0.2
area 0.0.0.1 filter-list prefix p_into_list in
area 0.0.0.2 filter-list prefix p_into_list in
capability cspf 31
timers spf exp 10
Version: D 49
!
ip ospf cost 10
!
ip ospf cost 10
!
ip ospf cost 2000
2. Use the "show ip ospf neighbor" command to check the OSPF neighbor. The
State item of neighbor should be FULL. After the OSPF has been configured
on the access equipment, the neighbor can be established successfully.
FH-CR8000#show ip ospf neighbor
Note:
Address refers to the IP address of the OSPF interface of a neighbor.
5.2 Configuring BFD for OSPF
The equipment uses BFD in the OSPF network to detect faults rapidly and notify the
OSPF protocol so as to trigger fast switching of traffic flow. This section introduces
how to configure BFD for OSPF.
50 Version: D
Network Requirement
Figure 5-2 Network Requirement of BFD for OSPF
As shown in Figure 5-2, configure the OSPF instances on NE1, NE2 and NE3, and
configure the OSPF protocol and BFD for OSPF-related parameters on the
equipment Loopback interfaces and service sub-interfaces. The following illustrates
the configuration using NE2 as an example.
Procedure

FH-CR8000(config)#
2. Enable global routing.

3. Configure the IP address of an interface.
Interface Interface IP Address and Mask

loopback 0 2.2.2.2/32
GE 0/1/1/1 3.0.3.1/24
GE 0/1/1/2 6.0.3.46/24
Version: D 51
// Configure the IP address and mask of a loopback interface.
FH-CR8000(if-loopback0)#exit
// Configure the IP address and mask of a physical interface.
// Configure the IP address and mask of a physical interface.
FH-CR8000(config)#
4. Configure the OSPF basic protocol.

// Set the OSPF process number.
// Set the Router-ID.
// Set the subnet IP address / mask within the backbone domain.
// Set the subnet IP address / mask within the STUB domain.
FH-CR8000(ospf-100)#area 0.0.0.1 stub
// Specify the domain type as STUB.
FH-CR8000(config)#
5. Configure BFD For OSPF.
Minimum Interval for Minimum Interval for

Interface Time Interval Multiple
Sending BFD Packets Receiving BFD Packets
GE 0/1/1/1 30 ms 30 ms 3
GE 0/1/1/2 30 ms 30 ms 3

FH-CR8000(if-gigabitethernet0/1/1/1)#ip ospf bfd
// Enable BFD for OSPF.
FH-CR8000(if-gigabitethernet0/1/1/1)#bfd interval mintx 30 minrx 30 multiplier 3
// Configure the BFD properties.
FH-CR8000(if-gigabitethernet0/1/1/2)#ip ospf bfd
52 Version: D
FH-CR8000(if-gigabitethernet0/1/1/2)#bfd interval mintx 30 minrx 30 multiplier 3

6. Save the equipment configuration.

FH-CR8000#save
5.3 Configuring LFA / R-LFA of OSPF
The basic idea of the LFA algorithm to calculate the backup path is to take the
neighbor who can provide the backup path as the root node, use the SPF algorithm
to calculate the shortest distance to the destination node, and then calculate the
backup path with the minimum cost but no loop according to the inequality specified
in RFC 5286.
OSPF IP FRR uses LFA algorithm to calculate the backup next hop route in
advance, and joins the forwarding table with the primary path route. When the
network fails, OSPF IP FRR can quickly switch the traffic to the backup path before
the control plane routes are converged, and shorten the recovery time of the failure
to less than 50 ms, so as to protect traffic.
The following introduces how to configure the LFA / R-LFA of OSPF.
Version: D 53
Network Requirement
Figure 5-3 Network of OSPF LFA/R-LFA
As shown in Figure 5-3, NE4 to NE6 are the CiTRANS R8000s. Configure the
OSPF instances, LDP and OSPF of R-LFA on each device. NE5 is taken for
example.
Procedure

FH-CR8000(config)#
2. Enable global routing.

54 Version: D

loopback 0 5.5.5.5/32
10GE 0/1/1/1 192.168.1.5/24
10GE 0/1/1/2 192.168.4.5/24
// Set the IP address and mask of the loopback interface.
// Set the IP address and mask of the physical interface.
FH-CR8000(config)#
4. Configure the OSPF basic protocol.

// Set the OSPF process number.
// Set the subnet IP address / mask within the domain.
FH-CR8000(config)#
5. Configure LDP.
FH-CR8000(config)#router ldp
// Enable the global LDP.
FH-CR8000(ldp)#router-id 5.5.5.5
set-router-id success
FH-CR8000(ldp)#transport-address ipv4 5.5.5.5
// Set the IPv4 transmitting address.
FH-CR8000(ldp)#exit
// Enable MPLS for the interface.
FH-CR8000(if-ten-gigabitethernet0/1/1/1)#enable-ldp
// Enable the LDP for the interface.
Version: D 55
// Enable MPLS for the interface.
FH-CR8000(if-ten-gigabitethernet0/1/1/2)#enable-ldp
// Enable the LDP for the interface.
FH-CR8000(config)#
6. Configure the R-LFA of OSPF.

// Enter the OSPF view.
FH-CR8000(ospf-1)#frr enable
// Enable FRR.
FH-CR8000(ospf-1)#fast-reroute per-prefix remote-lfa area 0 tunnel ldp
// Enable R-LFA.
FH-CR8000(ospf-1)#fast-reroute max-delay 500
// Set the interval for LFA calculation.
FH-CR8000(ospf-1)#commit
FH-CR8000(config)#
7. Save the configuration.

FH-CR8000#save
5.4 Configuring BGP
The Packet Based Network (PBN) of FiberHome uses the L3VPN at the
convergence layer and above to bear the backhaul service from the base station.
Currently the MP-BGP is used to set up the dynamic L3VPN between the
convergence layer and terminating layer. Two BGP deployment modes are provided
for different network scales: non-RR mode and RR mode.
u Non-RR deployment: Set up the IBGP neighbor relationship and full-meshed

network between all the aggregation nodes and terminating nodes in the entire
network.
u RR deployment: Deploy dual RR on the core devices, which performs both

route reflecting and active/standby RR protection. Set the convergence devices
and terminating devices as the RR clients, and set up the IBGP neighborhood
with RR.
56 Version: D
For the local network with more than three pairs of terminating devices, the RR
deployment is recommended.
5.4.1 Not Deploying RRs
Network Requirement
Figure 5-4 Network Diagram of Not Deploying RRs
As shown in Figure 5-4, the MP-BGP is used between the convergence and
terminating devices. Configure the BGP on NE1, NE2, NE5 and NE6. The following
illustrates the configuration using the NE5 as an example.
Procedure

FH-CR8000(config)#
2. Configure the BGP on the equipment.
Item Parameter
Local AS numberNote 1 65031
Note 2
Router ID 3.173.0.167
Maximum IBGP path number 2
Basic configuration of the
3.173.0.163
BGP Neighbor IP addressNote 3
3.173.0.164
Neighbor AS number 65031
Update source IP addressNote 4 3.173.0.167
VPNV4 configuration BGP address family vpnv4 unicast
Version: D 57
Item Parameter
neighbor 3.173.0.163 activate
Enabling vpnv4 function with the neighborNote 6
VPN routing table Enabling routing for L3VPN-1 transmission in MP-

address-family ipv4 vrf L3VPN-1
configuration of base BGPNote 7
station service Redistributing connected route redistribute connected
Note 1: Configure the AS number that a router belongs to according to the planning requirement of the operator.
Note 2: Set this item to the equipment management Loopback address.
Note 3: Set this item to the equipment management Loopback IP addresses of NE1 and NE2 respectively, and set up
the IBGP neighborhood.
Note 4: Designate the local end address that sets up BGP neighborhood with the opposite end equipment. Set it to
the equipment management Loopback address so as to avoid disconnecting from a BGP neighbor owing to
the fault of single link.
Note 5: Enable the neighbors in VPNv4 and ensure that the VPNV4 routing information is transmitted between them.
Note 6: The L3VPN-1 is used as an example for the base station service VPN configuration.
Note:
The IPv4 address family is activated by the system by default and needs
no configuration.
FH-CR8000(config)#router bgp 65031
FH-CR8000(bgp-65031)#bgp router-id 3.173.0.167
FH-CR8000(bgp-65031)#max-paths ibgp 2
FH-CR8000(bgp-65031)#neighbor 3.173.0.163 remote-as 65031
FH-CR8000(bgp-65031)#neighbor 3.173.0.163 update-source 3.173.0.167
FH-CR8000(bgp-65031)#address-family vpnv4 unicast
Enter bgp vpnv4 address family mode
FH-CR8000(bgp-afv4-uc)#neighbor 3.173.0.163 activate
FH-CR8000(bgp-afv4-uc)#exit
FH-CR8000(bgp-65031)#address-family IPv4 vrf L3VPN-1
Enter bgp ipv4 address family vrf mode
FH-CR8000(bgp-af4-vrf-L3VPN-1)#redistribute connected
FH-CR8000(bgp-af4-vrf-L3VPN-1)#exit

FH-CR8000#save
58 Version: D
1. Use the "show running-config bgp" command to check the BGP configuration
FH-CR8000#show running-config bgp
!
router bgp 65031
bgp router-id 3.173.0.167
max-paths ibgp 2
neighbor 3.173.0.163 remote-as 65031
neighbor 3.173.0.163 update-source 3.173.0.167
!
address-family ipv4 unicast
exit-address-family
!
address-family vpnv4 unicast
exit-address-family
!
address-family ipv4 vrf L3VPN-1
redistribute connected
exit-address-family
2. Use the "show ip bgp summary" command to check the BGP neighbor setup
between the convergence and core devices. If Up/Down is not 0, the BGP
neighbor is set up successfully.
FH-CR8000#show ip bgp summary
5.4.2 Deploying RRs
NE5 and NE6, and NE1 and NE2 (VRR-Client) set up neighborhood with NE3 and
NE4 (VRR) respectively, advertise the base station service / management route and
the network management address route of access equipment to VRR, and receive
the VPNv4 route from the VRR.
Version: D 59
Network Requirement
Figure 5-5 Network Requirement of Deploying RRs
As shown in Figure 5-5, the MP-BGP is used between the convergence, core and
terminating devices. Configure the BGP on NE1 to NE6. The core devices (NE3 and
NE4) serve as the VRRs, and the NE1, NE2, NE5, and NE6 serve as the VRR-
Clients. The following illustrates the configuration taking the VRR device NE3 and
the VRR-Client NE5 as examples.
Note:
See Not Deploying RRs for the configuration of NE1, NE2, NE5 and NE6.
Procedure

FH-CR8000(config)#
2. Configure the BGP on the equipment. The following illustrates the configuration
of NE3.
60 Version: D
Item Parameter of NE5 Parameter of NE3

Note 1
Local AS number 65031 65031
Router IDNote 2 3.173.0.167 3.173.0.165
Maximum IBGP path
2 2
number
Basic 3.173.0.163
configuration of 3.173.0.165 3.173.0.164
Neighbor IP addressNote 3
the BGP 3.173.0.166 3.173.0.167
3.173.0.168
Neighbor AS number 65031 65031
Upgrade source IP
3.173.0.167 3.173.0.165
addressNote 4
BGP address family vpnv4 unicast vpnv4 unicast
neighbor 3.173.0.165 neighbor 3.173.0.163 activate

Enabling vpnv4 function activate neighbor 3.173.0.164 activate
Note 5
with the neighbor neighbor 3.173.0.166 neighbor 3.173.0.167 activate
activate neighbor 3.173.0.168 activate
VPNV4 neighbor 3.173.0.163 route-reflector-

configuration client
neighbor 3.173.0.164 route-reflector-
client
Designating a VRR-Client -
client
client
Enabling routing for
VPN routing table address-family ipv4 vrf
L3VPN-1 transmission in
configuration of L3VPN-1
MP-BGPNote 7 -
base station
Redistributing connected
serviceNote 6 redistribute connected
route
Note 1: Configure the AS number that a router belongs to according to the planning requirement of the operator.
Note 2: Set this item to the equipment management Loopback address.
Note 3: For the NE5, set the loopback IP addresses of the NE3 and NE4 as the neighbor IP addresses. For the NE3,
set the equipment management loopback IP addresses of the NE1, NE2, NE5 and NE6 as the neighbor IP
addresses.
Note 4: Designate the local end address that sets up BGP neighbor with the opposite end equipment. Set it to the
equipment management Loopback address so as to avoid disconnecting from BGP neighbor owing to the
fault of single link.
Note 5: Enable the neighbors in VPNv4 and ensure that the VPNV4 routing information is transmitted between them.
Note 6: The L3VPN-1 is used as an example for the base station service VPN configuration.
Note 7: There is no need to set this item for NE3 and NE4.
Version: D 61
Note:
The IPv4 address family is activated by the system by default and needs
no configuration.
FH-CR8000(bgp-65031)#max-paths ibgp 2
FH-CR8000(bgp-afv4-uc)#neighbor 3.173.0.163 route-reflector-client
FH-CR8000(bgp-afv4-uc)#withdraw

FH-CR8000#save
Note:
The following only introduces the configuration result of NE3, and see
Not Deploying RRs for that of NE5.
1. Use the "show running-config bgp" command to check the BGP configuration
FH-CR8000#show running-config bgp
62 Version: D
!
router bgp 65031
bgp router-id 3.173.0.165
max-paths ibgp 2
bgp cluster-id 3.173.0.165
bgp client-to-client reflection
!
address-family ipv4 unicast
exit-address-family
!
address-family vpnv4 unicast
neighbor 3.173.0.168 route-reflector-client
exit-address-family
2. Use the "show ip bgp summary" command to check the BGP neighbor setup
between the convergence and core devices. If Up/Down is not 0, the BGP
neighbor is set up successfully.
FH-CR8000#show ip bgp summary
Version: D 63
5.5 Configuring a Routing Policy
Routing policy is a method used to change the path of network traffic. It is realized
by applying routing attributes (including reachability). The router applies the policy
when distributing and receiving routes. Currently, the route policy is applied by
filtering routes.
A routing protocol may need to induct the routes discovered by other routing
protocols to enrich its routing knowledge. Only a part of routes satisfying the
conditions need to be inducted, and some properties of the inducted routes should
be set to meet the requirements of this protocol.
To apply the routing policy, first define the characteristics of the desired routes, that
is, define a set of matching rules and set them, and then apply them to the routing
policy in the process of route distributing, receiving and inducting.
The following introduces how to configure the routing policy.
Network Requirement
Figure 5-6 Network of Routing Policy
As shown in Figure 5-6, NE1 and NE2 are the CiTRANS R8000s, and NE3 and NE4
are the CiTRANS R800 series devices. Configure the routing policy on NE2.
Prerequisite
You have configured a loopback port for each NE.
64 Version: D
Procedure
Item Value
Prefix list name lo0
Sequence number of the matching entry in the IP prefix list 1
IP address and mask 3.173.0.170/32
Routing policy name lo0
Sequence number of the routing policy list 1

FH-CR8000(config)#
2. Configure the prefix list, allowing the local loopback port IP addresses to pass
only.
FH-CR8000(config)#ip prefix lo0 seq 1 permit 3.173.0.170/32
3. Configure the routing policy.

FH-CR8000(config)#route-map lo0 permit 1
4. Configure the matched prefix list name.

FH-CR8000(config-route-map)#match ip address prefix-list lo0
5. Label the prefix lists matched in the routing policy.

FH-CR8000(config-route-map)#set mpls-label
6. Deliver the configuration.

FH-CR8000(config-route-map)#commit
Version: D 65
6 Configuring a Tunnel
This chapter introduces the configuration methods of the static Tunnel, dynamic
RSVP Tunnel, LDP LSP and LDP FRR.
Background Information and Deployment Principles
Configuring a Static Tunnel and LSP 1:1 Protection
Configuring LDP LSP
Configuring LDP FRR
66 Version: D
6.1 Background Information and Deployment

Principles
Definition
The Tunnel is an encapsulation technology. It encapsulates the data messages

generated by other protocols into its own messages using a network transmission
protocol, and transmits the messages in the network. A Tunnel is a virtual point-to-
point connection. It provides a path to transmit the encapsulated data messages,
and can encapsulate and decapsulate the data messages on both ends respectively.
Several Tunnels constitute an LSP. An LSP is a packet forwarding path created

using the MPLS protocol. This path is composed of multiple LSRs and links
between the source LSR and destination LSR. From another perspective, the LSP
is composed of the relevant entries in the label forwarding tables at each node all
along the Tunnel.
The LSP tunnel can be classified into static Tunnel and dynamic Tunnel according
to its application.
u Static Tunnel: The port is designated manually. The egress and ingress label
values are manually designated or automatically assigned by the OTNM2000.
The static tunnel is applicable to the small-scale stable network with simple
topology architecture.
u Dynamic Tunnel: created dynamically via the RSVP and LDP. The manual
setting of egress and ingress labels and ports is not needed.
Deployment Principles
u The dynamic Tunnel label is assigned by RSVP. Ensure the basic configuration
is normal before configuring Tunnels.
u Tunnel sharing principles: When the source nodes and sink nodes for Tunnels
are the same, all services, even of different service types, can share one
Tunnel. That is, share a Tunnel within as many services as possible.
Deployment and Application
Configure related Tunnels respectively for L2VPN and L3VPN services.
Version: D 67
Considering controllability and security requirements of Tunnels at the core

distribution layer / access layer, we commend deploying RSVP TE.
The RSVP TE configuration is complicated. You are required to configure TE

Tunnels point to point. The RSVP TE Tunnels have the following features:
u High security. Adjacency and interface oriented authentication can be

deployed.
u Controllable establishment of Tunnels. It is unnecessary to create Tunnels for

each FEC.
u Powerful bandwidth controllability. The bandwidth can be adjusted or re-

optimized automatically.
u High protection switching performance.
6.2 Configuring a Static Tunnel and LSP 1:1

Protection
In some scenarios, the static tunnel and LSP 1:1 protection will be used. For
example, in the bypass protection scenario, a static tunnel can be configured as the
tunnel corresponding to the bypass PW and the protection should be loaded to
ensure the stability and reliability of the bypass service.
68 Version: D
Network Requirement
Figure 6-1 Network Requirement of Static Tunnel LSP 1:1 Protection
As shown in the figure above, it is required to configure a static tunnel between NE1
and NE2 to bear the bypass PW. The planning data of the working and protection
LSPs are shown in the figure.
Prerequisite
The loopback interfaces and interconnection interfaces of all the NEs, and the basic
routing protocols between NEs have been configured.
Configuration Analysis
1. Configure the working and protection LSPs on NE1 to NE4.
2. Configure the tunnels on NE1 and NE2 and bind them to LSPs.
3. Bind the working and protection LSPs of NE1 and NE2 to the BFD template.
Procedure

FH-CR8000(config)#
Version: D 69
2. Configure the working and protection LSPs on NE1 to NE4 respectively via the
commands listed in the tables below. The configuration commands for each
node in both positive and inverse directions of the LSPs are illustrated.
Bidirectional interconnection can be achieved only when the LSPs are
configured in both directions. In practice, you can complete the configurations
for one NE via all the related commands and then move on to the next one.
Table 6-1 Working LSP Configuration (Positive Direction: NE1→NE2)
NE Command
FH-CR8000(config)#static-lsp ingress tunnel-name 1-1.1-2 from

NE1 3.173.0.163 to 3.173.0.164 outgoing-interface ten-gigabitethernet 0/2/1/
1 out-label 33333 nexthop 192.168.2.22Note
FH-CR8000(config)#static-lsp egress tunnel-name 1-1.1-2 from

NE2 3.173.0.163 to 3.173.0.164 incoming-interface ten-gigabitethernet 0/2/1/
1 in-label 33333
Note 1: The tunnel names of the LSP on two nodes should be consistent to facilitate data
viewing and analysis.
Note 2: See Figure 6-1 for the IP addresses and interfaces in the commands.
Note 3: The in-label of the current NE should be consistent with the out-label of the previous
one.
Table 6-2 Working LSP Configuration (Inverse Direction: NE2→NE1)
NE Command
FH-CR8000(config)#static-lsp ingress tunnel-name 1-2.1-1 from
NE2 3.173.0.164 to 3.173.0.163 outgoing-interface ten-gigabitethernet 0/2/1/
1 out-label 33334 nexthop 192.168.2.21
FH-CR8000(config)#static-lsp egress tunnel-name 1-2.1-1 from

NE1 3.173.0.164 to 3.173.0.163 incoming-interface ten-gigabitethernet 0/2/1/
1 in-label 33334
Table 6-3 Protection LSP Configuration (Positive Direction: NE1→NE3→NE4→NE2)
NE Command
FH-CR8000(config)#static-lsp ingress secondary tunnel-name 1-1.1-2
NE1 outgoing-interface ten-gigabitethernet 0/1/1/1 out-label 33335 nexthop
192.168.2.2 1to1 Note
FH-CR8000(config)#static-lsp transit tunnel-name 1-1.1-2 from
3.173.0.163 to 3.173.0.164 incoming-interface ten-gigabitethernet 0/5/1/
NE3
1 in-label 33335 outgoing-interface ten-gigabitethernet 0/3/1/1 out-label
33335 nexthop 192.168.2.18
70 Version: D
Table 6-3 Protection LSP Configuration (Positive Direction: NE1→NE3→NE4→NE2)

(Continued)
NE Command
NE4
1 in-label 33335 outgoing-interface ten-gigabitethernet 0/5/1/1 out-label
33335 nexthop 192.168.2.9
FH-CR8000(config)#static-lsp egress secondary tunnel-name 1-1.1-2

NE2
incoming-interface ten-gigabitethernet 0/1/1/1 in-label 33335 1to1
Note 1: secondary distinguishes the protection LSP command from the working LSP command.
1to1 indicates that the LSP1:1 protection has been configured.
Note 2: NE3 and NE4 serve as the intermediate nodes. transit distinguishes this command
from the source / sink node command.
Note 3: The in-label of the current NE should be consistent with the out-label of the previous
one. For example, the in-label of NE3 should be consistent with the out-label of NE1,
and the in-label of NE4 should be consistent with the out-label of NE3.
Table 6-4 Protection LSP Configuration (Inverse Direction: NE2→NE4→NE1→NE3)
NE Command
static-lsp ingress secondary tunnel-name 1-2.1-1 outgoing-interface
NE2
ten-gigabitethernet 0/1/1/1 out-label 33336 nexthop 192.168.2.10 1to1

NE4
1 in-label 33336 outgoing-interface ten-gigabitethernet 0/3/1/1 out-
label 33336 nexthop 192.168.2.17

NE3
1 in-label 33336 outgoing-interface ten-gigabitethernet 0/5/1/1 out-
label 33336 nexthop 192.168.2.1
FH-CR8000(config)#static-lsp egress secondary tunnel-name 1-2.1-1

NE1
incoming-interface ten-gigabitethernet 0/1/1/1 in-label 33336 1to1
3. Configure the tunnels on NE1 and NE2 and bind them to LSPs.
NE Command
FH-CR8000(config)#interface tunnel 4
NE1
FH-CR8000(if-tunnel4)#lsp-binding 1-1.1-2 Note
FH-CR8000(config)#interface tunnel 4
NE2
FH-CR8000(if-tunnel4)#lsp-binding 1-2.1-1
Note 1: Only the tunnel names of the working LSPs need to be bound.
Version: D 71
4. Binding the LSPs to the static BFD.
Item Parameter
Template name LSP_BFD
Minimum transmission interval 20

BFD template
Minimum receiving interval 20
Test multiple 3
local-discriminator 1
Binding BFD Working LSP
remote-discriminator 1
template to
local-discriminator 2
LSP Protection LSP
remote-discriminator 2
FH-CR8000(config)#mpls bfd tpm-name LSP_BFD mintx 20 minrx 20 multiplier 3

FH-CR8000(config)#mpls static-bfd tunnel-if-name tunnel4 lsp-main local-discriminator 1
remote-discriminator 1 bind-bfd LSP_BFD
FH-CR8000(config)#mpls static-bfd tunnel-if-name tunnel4 lsp-backup local-
discriminator 2 remote-discriminator 2 bind-bfd LSP_BFD

FH-CR8000#save
1. Use the command "show bfd session all" to view the bfd set up on the
equipment. If Sess-State is UP, the session is set up successfully.
FH-CR8000#show bfd session all
2. Use the "show running-config" command to check whether the tunnel

configuration data on the equipment are consistent with the command.
72 Version: D
6.3 Configuring LDP LSP
This section introduces the LSP creation method via LDP. The following uses the
scenario of neighbor devices as an example.
Network Requirement
Figure 6-2 Network Requirement of Configuring LDP LSP
As shown in the figure above, it is required to configure an LSP between NE1 and
NE2 using LDP. The planning data of interfaces are shown in the figure.
Prerequisite
The routing protocols of NE1 and NE2 have been configured to ensure that the
routes between two NEs are unimpeded. See Protocol Configuration for the detailed
configuration.
1. Configure interfaces on NE1 and NE2, including the loopback interfaces and
their IP addresses, and the IP addresses and LDP of the Ethernet interfaces.
2. Set the LDP basic parameters and peer attributes on NE1 and NE2.
Procedure
1. Configure the loopback interfaces and their IP addresses, and the IP

addresses and LDP of the Ethernet interfaces of NE1 and NE2. The following
illustrates the configuration using NE1 as an example.
FH-CR8000(if-loopback0)#ip adress 3.173.0.163/32
FH-CR8000(config)#interface ten–gigabitethernet 0/2/1/1
FH-CR8000(if-ten–gigabitethernet 0/2/1/1)#ip address 192.168.2.21/30
FH-CR8000(if-ten–gigabitethernet 0/2/1/1)#enable-mpls
FH-CR8000(if-ten–gigabitethernet 0/2/1/1)#enable-ldp
Version: D 73
FH-CR8000(if-ten–gigabitethernet 0/2/1/1)#exit
2. Set the LDP basic parameters and peer attributes on NE1 and NE2. The
following illustrates the configuration using the NE1 as an example.
FH-CR8000(ldp)#targeted-peer ipv4 3.173.0.164
Enter targeted peer mode
FH-CR8000(targeted-peer-3.173.0.164)#exit
FH-CR8000(ldp)#exit
FH-CR8000#save
3. Run the "show ldp session" command to query the LDP session information. If
the LDP session between NE1 and NE2 has been set up, "State" is
"OPERATIONAL".
6.4 Configuring LDP FRR
LDP FRR includes Manual LDP FRR and Auto LDP FRR. Compared with manual
LDP FRR, Auto LDP FRR does not require specifying a next-hop address. When
LDP Auto FRR is configured, a backup LSP is automatically created based on IGP
routes. LDP Auto FRR simplifies the configuration process and avoids loops that
may occur in manual LDP FRR. It applies to complex and large networks.
This section introduces how to configure the LDP FRR, using the Manual LDP FRR
as an example.
74 Version: D
Network Requirement
Figure 6-3 Network Diagram of Configuring LDP FRR
As shown in the figure above, working and protection LSPs exist between NE1 and
NE2. The LSP between NE1↔NE2 is the working LSP and that between
NE1↔NE3↔NE2 is the protection LSP. It is required that the traffic can be switched
to the protection LSP quickly when the working LSP fails. In this case, the Manual
LDP FRR function should be configured on NE1 and NE2 and the protection LSP
should be enabled to implement the fast switching, so as to reduce the traffic lost.
Prerequisite
The ISIS protocols of NE1 to NE3 have been configured to ensure that the routes
between NEs are unimpeded.
Configuration Proposal

addresses and LDP of the active Ethernet interfaces of NE1 to NE3.
2. Configure the IP addresses and LDP of the standby Ethernet interfaces of NE1
to NE3.
3. Configure the LFA function on NE1 to NE3.
4. Set the LDP basic parameters and the LDP peer attributes on NE1 to NE3,
including the Router-ID, IPv4 transmitting address and peer IPv4 address.
Version: D 75
Procedure

addresses and LDP of the active Ethernet interfaces of NE1 to NE3. The
following illustrates the configuration using NE1 as an example.
2. Configure the IP addresses and LDP of the standby Ethernet interfaces of NE1
to NE3.
The following illustrates the configuration on NE1.



3. Configure the LFA function on NE1 to NE3. The following illustrates the detailed
configuration.
FH-CR8000(config)#router isis 101
FH-CR8000((isis-101))#frr enable
FH-CR8000((isis-101))#fast-reroute per-prefix remote-lfa level-2 tunnel ldp
FH-CR8000((isis-101))#fast-reroute max-delay 500000
76 Version: D
FH-CR8000((isis-101))#exit
4. Set the LDP basic parameters, the LDP peer attributes and the FRR function
on NE1 to NE3.

FH-CR8000(ldp)#auto-frr lsp-trigger ip-prefix frr
FH-CR8000(ldp)#accepttarget-helloall

FH-CR8000(ldp)#auto-frr lsp-trigger ip-prefix frr

FH-CR8000(ldp)#exit
FH-CR8000(ldp)#accepttarget-helloall
Version: D 77
7 Configuring L2VPN / L3VPN
This chapter introduces the L2VPN and L3VPN configuration.
Configuring VPWS
Configuring VPLS
Configuring L3VPN Using an LDP Tunnel
Configuring Inter-Area L2VPN in OptionC Mode
Configuring Inter-Area L3VPN in OptionB Mode
78 Version: D
7.1 Configuring VPWS
VPWS is a technology that bears Layer 2 services. VPWS emulates services such
as ATM, FR, Ethernet, and low-speed TDM circuit in a PSN. It provides the point-to-
point L2VPN service in the public network.
7.1.1 Configuring VPWS Using a Static Single-Segment PW
This section introduces how to configure VPWS using a static single-segment PW.
Network Requirement
Figure 7-1 Network Diagram of Configuring VPWS Using Static Single-PW
As shown in the figure above, create a static single-segment PW between NE1 and
NE2 and use it to bear the L2VPN service.
Prerequisite
u The loopback interfaces and their IP addresses, the IP addresses of NNI

interfaces, and the MPLS of NE1 and NE2 have been configured.
u The routing protocols of NE1 and NE2 have been configured to ensure that the
routes between two NEs are unimpeded. See Protocol Configuration for the
detailed configuration.
u One static tunnel (tunnel12) between NE1↔NE2 has been created.
1. Configure the UNI interfaces on NE1 and NE2, including the UNI sub-interface
creation, L2 mode setting and SVLAN ID setting.
2. Create a Raw-mode PW between NE1 and NE2.
3. Modify the PW mode to "Tagged" on NE1 and NE2.
Version: D 79
4. Modify the parameter "tpid" on NE1 and NE2.
Procedure
1. Create UNI sub-interfaces on NE1 and NE2, set them to L2 mode and set the
SVLAN IDs. The following uses the configuration on NE1 as an example.
FH-CR8000(config)#interface gigabitethernet 0/1/1/1.10
FH-CR8000(if-gigabitethernet 0/1/1/1.10)#l2transport
FH-CR8000(if-gigabitethernet 0/1/1/1.10)#vlan-type dot1q 10
FH-CR8000(if-gigabitethernet 0/1/1/1.10)#exit
2. Create Raw-mode PW between NE1 and NE2 as follows.
Item NE1 NE2

VC name pw1vpws pw1vpws
VC ID 1 1
Remote IP address 3.173.0.164 3.173.0.163
Bound tunnel tunnel12 tunnel12
Incoming label 500 501
Outgoing label 501 500
Configure the PW on NE1.

FH-CR8000(if-gigabitethernet 0/1/1/1.10)#mpls l2-circuit pw1vpws 1 3.173.0.164
tunnelif-name tunnel12 static in-label 500 out-label 501 control-word encapsulation raw
Configure the PW on NE2.

tunnelif-name tunnel12 static in-label 501 out-label 500 control-word encapsulation raw
3. Modify the PW mode to "Tagged" on NE1 and NE2. The following illustrates the
configuration using NE1 as an example.
FH-CR8000(if-gigabitethernet 0/1/1/1.10)#no mpls l2-circuit pw1vpws
tunnelif-name tunnel12 static in-label 500 out-label 501 control-word encapsulation tagged
tagtype type8100 vlan-id 100
4. Modify "tpid" on NE1 and NE2. The following illustrates the configuration using
NE1 as an example.
FH-CR8000(if-gigabitethernet 0/1/1/1.10)#no mpls l2-circuit pw1vpws
80 Version: D

tunnelif-name tunnel12 static in-label 500 out-label 501 control-word encapsulation tagged
tagtype type88a8 vlan-id 100
5. Run the "show mpls l2vc" command on the equipment to view the VPWS
service status. If "State" is "active", the VPWS service is normal.
7.1.2 Configuring VPWS Using Static MS-PW
This section introduces how to configure VPWS using static multi-segment PW

(MS-PW).
Network Requirement
Figure 7-2 Network Diagram of Configuring VPWS Using Static MS-PW
As shown in the figure above, first create static MS-PWs between NE1↔NE3↔NE2,
among which NE3 serves as the intermediate node. And then use the static MS-
PWs to bear the L2VPN service.
Prerequisite

interfaces, and the MPLS of NE1 to NE3 have been configured.
u The routing protocols of NE1 to NE3 have been configured to ensure that the
routes between NEs are unimpeded. See Protocol Configuration for the
u Two static tunnels (tunnel31 and tunnel32) between NE3 and NE1, and
between NE3 and NE2 have been created respectively.
1. Configure the UNI interfaces on NE1 and NE2, including the UNI sub-interface
creation, L2 mode setting and SVLAN ID setting.
Version: D 81
2. Create MS-PW between NE1 and NE2.
3. Configure MS-PW on the switching node NE3.
Procedure
1. Create UNI sub-interfaces on NE1 and NE2, set them to L2 mode and set the
SVLAN IDs. The following uses the configuration on NE1 as an example.
2. Create MS-PW between NE1 and NE2. One single-segment PW is

VC_NE3_NE1 (NE3↔NE1) and the other one is VC_NE3_NE2 (NE3↔NE2).
The table below lists the planning data of two segments of PWs.
Item NE1 NE2
Interface GE 0/1/1/1.20 GE 0/1/1/1.20
Segmented VC name VC_NE3_NE1 VC_NE3_NE2
VC ID 1 2
Remote IP address of segmented PW 3.173.0.165 3.173.0.165
Tunnel policy bound to segmented PW tunnel31 tunnel32

FH-CR8000(if-gigabitethernet 0/1/1/1.20)#mpls l2-circuit VC_NE3_NE1 1
3.173.0.165 tunnelif-name tunnel31 static in-label 401 out-label 400 control-word
encapsulation raw

encapsulation raw
3. Configure MS-PWs on the switching node NE3. One single-segment PW is

VC_NE3_NE1 (NE3↔NE1) and the other one is VC_NE3_NE2 (NE3↔NE2).
The table below lists the planning data of the PW.
82 Version: D
Item NE3
Segmented VC name VC_NE3_NE1 VC_NE3_NE2
VC ID 1 2
Remote IP address of segmented PW 3.173.0.163 3.173.0.164
Tunnel policy bound to segmented PW tunnel31 tunnel32
Item NE3
MS-PW name VC_NE1_NE3_NE2
Name of VC1 to be exchanged VC_NE3_NE1

FH-CR8000(config)#mpls ss-pw VC_NE3_NE1 1 3.173.0.163 tunnelif-name tunnel31
static in-label 400 out-label 401 control-word bfd
FH-CR8000(config)#mpls ss-pw VC_NE3_NE2 2 3.173.0.164 tunnelif-name tunnel32
static in-label 402 out-label 403 control-word bfd
FH-CR8000(config)#mpls ms-pw VC_NE1_NE3_NE2 VC_NE3_NE1 VC_NE3_NE2
4. Run the "show mpls l2vc" command to view the VPWS service status. If "State"
is "active", the VPWS service is normal.
7.1.3 Configuring VPWS Using Static PW Redundancy
This section introduces how to configure VPWS using static PW redundancy.
Version: D 83
Network Requirement
Figure 7-3 Network Diagram of Configuring VPWS Using Static PW Redundancy
As shown in the figure above, set up PW redundancy protection between NE3 and
NE1, and between NE3 and NE2. Create an active PW between NE3↔NE2 and a
standby one between NE3↔NE1, and use the static PW redundancy to bear the
L2VPN service.
Prerequisite

interfaces, and the MPLS of NE1 to NE3 have been configured.
u Two static tunnels (tunnel31 and tunnel32) between NE3 and NE1, and
between NE3 and NE2 have been created respectively.
1. Configure the UNI sub-interfaces on NE1 to NE3, including the UNI sub-
interface creation, L2 mode setting and SVLAN ID setting.
2. Create an active PW between NE3 and NE2 and a standby one between NE3
and NE1.
3. Configure static BFD templates on NE1 to NE3 and bind them to the PWs.
84 Version: D
Procedure
1. Create UNI sub-interfaces on NE1 to NE3, set them to L2 mode and set the
SVLAN IDs.
The planning data of the UNI sub-interfaces on NE1 to NE3 are as follows.
Item NE1 NE2 NE3
UNI sub-interface GE 0/2/1/1.10 GE 0/2/1/1.10 GE 0/1/1/1.10
The following takes NE1 for example to illustrate the configuration method.
2. Create an active PW between NE3 and NE2 and a standby one between NE3
and NE1. The active PW is VC_NE3_NE2 (NE3↔NE2) and the standby PW is
VC_NE3_NE1 (NE3↔NE1).
The table below lists the planning data of the active and standby PWs.
Item NE1 NE2 NE3
Interface GE 0/2/1/1.10 GE 0/2/1/1.10 GE 0/1/1/1.10
VC name VC_NE3_NE1 VC_NE3_NE2 VC_NE3_NE1 VC_NE3_NE2
VC ID 1 2 1 2
Remote IP address of PW 3.173.0.165 3.173.0.165 3.173.0.163 3.173.0.164
Tunnel policy bound to PW tunnel31 tunnel32 tunnel31 tunnel32
Incoming label 401 403 400 402
Outgoing label 400 402 401 403

encapsulation raw

encapsulation raw
Version: D 85

3.173.0.163 tunnelif-name tunnel31 static in-label 401 out-label 400 control-word secondary
redundancy encapsulation raw
encapsulation raw
3. Configure static BFD templates on NE1 to NE3 and bind them to the PWs.
The table below lists the planning data of the static BFD template.
Item NE1 NE2 NE3
Template name PW_BFD PW_BFD PW_BFD
BFD time
Minimum transmitting time 30 30 30
parameter
Minimum receiving interval 30 30 30
template name
Test multiple 5 5 5
VC name VC_NE3_NE1 VC_NE3_NE2 VC_NE3_NE1 VC_NE3_NE2

BFD template
Local ID 31 32 13 23
bound to PW
Remote ID 13 23 31 32

FH-CR8000(config)#mpls bfd tpm-name PW_BFD mintx 30 minrx 30 multiplier 5
FH-CR8000(config)#mpls static-bfd pw-name VC_NE3_NE1 local-discriminator 31
remote-discriminator 13 bind-bfd PW_BFD


86 Version: D
7.1.4 Configuring VPWS Using Dynamic Single-Segment

PW
This section introduces how to configure VPWS using dynamic single-segment PW.
Network Requirement
Figure 7-4 Network Diagram of Configuring VPWS Using Dynamic Single-PW
As shown in the figure above, create a dynamic single-segment PW between NE1

and NE2 and use it to bear the L2VPN service.
Prerequisite
u The LDP basic configuration (including Router-ID setting and IPv4 address
setting) of NE1 and NE2 has been completed.
u The loopback interfaces and their IP addresses, and the IP addresses and LDP
of NNI interfaces of NE1 and NE2 have been configured.
1. Configure the UNI interfaces on NE1 and NE2.
2. Configure a VC on NE1 and NE2 and create a dynamic PW.
3. Configure the OSPF protocol on NE1 and NE2 to implement the inter-
communication within the mpls domain.
Procedure
1. Configure the UNI sub-interfaces on NE1 and NE2, including the UNI sub-
The planning data of the UNI sub-interfaces on NE1 and NE2 are as follows.
Item NE1 NE2
UNI sub-interface GE 0/1/1/1.20 GE 0/1/1/1.20
Version: D 87


The planning data of the VC configuration on NE1 and NE2 are as follows.
Item NE1 NE2
Interface GE 0/1/1/1.20 GE 0/1/1/1.20
VC name VC_NE1_NE2 VC_NE1_NE2
VC ID 20 20
Remote IP address of PW 3.173.0.164 3.173.0.163

FH-CR8000(if-gigabitethernet 0/1/1/1.20)#mpls l2–ciruit VC_NE1_NE2 20
3.173.0.164 control-word encapsulation raw vccv cc 4 bfd-cv-type 2
FH-CR8000(if-gigabitethernet 0/1/1/1.20)#no mpls l2–ciruit VC_NE1_NE2
3.173.0.164 control-word encapsulation tagged vccv cc 4 bfd-cv-type 2

3. Configure the OSPF protocol on NE1 and NE2, including the OSPF process
number setting, Router-ID setting and the subnetwork IP address / mask
setting within the domain, to implement the inter-communication within the mpls
domain.
The planning data of the OSPF configuration on NE1 and NE2 are as follows.
88 Version: D
Item NE1 NE2

OSPF process number 31 31
Router ID 3.173.0.163 3.173.0.164


7.1.5 Configuring VPWS Using Dynamic MS-PW
This section introduces how to configure VPWS using dynamic multi-segment PW.
Network Requirement
Figure 7-5 Network Diagram of Configuring VPWS Using Dynamic MS-PW
As shown in the figure above, first create dynamic MS-PWs between

NE1↔NE3↔NE2, among which NE3 serves as the intermediate node. And then
use the dynamic MS-PWs to bear the L2VPN service.
Prerequisite
setting) of NE1 to NE3 has been completed.
Version: D 89
of NNI interfaces of NE1 to NE3 have been configured.
1. Configure the UNI interfaces on NE1 and NE2.
4. Configure the OSPF protocol on NE1 to NE3 to implement the inter-

Procedure
1. Configure the UNI sub-interfaces on NE1 and NE2, including the UNI sub-
The planning data of the UNI interfaces on NE1 and NE2 are as follows.
Item NE1 NE2


2. Configure VCs on NE1 and NE2, including the dynamic PW-1 (NE3↔NE1) and
PW-2 (NE3↔NE2).
The planning data of the VC configuration on NE1 and NE2 are as follows.
Item NE1 NE2
Interface GE 0/1/1/1.10 GE 0/1/1/1.10
Segmented PW name VC_NE3_NE1 VC_NE3_NE2
90 Version: D
Item NE1 NE2

VC ID 1 2
Remote IP address of segmented
3.173.0.165 3.173.0.165
PW

3.173.0.165 control-word encapsulation raw
FH-CR8000(if-gigabitethernet 0/1/1/1.10)#no mpls l2-circuit VC_NE3_NE1
3.173.0.165 control-word encapsulation tagged

3.173.0.165 control-word encapsulation raw
FH-CR8000(if-gigabitethernet 0/1/1/1.10)#no mpls l2-circuit VC_NE3_NE1
3.173.0.165 control-word encapsulation tagged
The planning data of the MS-PW on NE3 are as follows.

Item NE3
Segmented PW name VC_NE3_NE1 VC_NE3_NE2
VC ID 1 2
Remote IP address of segmented
3.173.0.163 3.173.0.163
PW
Item NE3
MS-PW name VC_NE1_NE3_NE2

FH-CR8000(config)#mpls ss-pw VC_NE3_NE1 1 3.173.0.163 control-word encap-tagged
FH-CR8000(config)#mpls ss-pw VC_NE3_NE2 2 3.173.0.164 control-word encap-tagged
FH-CR8000(config)#mpls ms-pw VC_NE1_NE3_NE2 VC_NE3_NE1 VC_NE3_NE2
4. Configure the OSPF protocol on NE1 to NE3, including the OSPF process
Version: D 91
setting within the domain, to implement the inter-communication within the

MPLS domain.
The planning data of the OSPF configuration on NE1 to NE3 are as follows.
Item NE1 NE2 NE3
OSPF process
31 31 31
number
Router ID 3.173.0.163 3.173.0.164 3.173.0.165



7.1.6 Configuring VPWS Using Dynamic PW Redundancy
This section introduces how to configure VPWS using dynamic PW redundancy.
92 Version: D
Network Requirement
Figure 7-6 Network Diagram of Configuring VPWS Using Dynamic PW Redundancy
As shown in the figure above, set up dynamic PW redundancy protection between

NE3 and NE1, and between NE3 and NE2. Create an active PW between
NE3↔NE2 and a standby one between NE3↔NE1, and use the dynamic PW
redundancy to bear the L2VPN service.
Prerequisite
setting) of NE1 to NE3 has been completed.
of NNI interfaces of NE1 to NE3 have been configured.
1. Configure the UNI interfaces on NE1 to NE3.
2. Configure the VC on NE1 to NE3 and create dynamic PWs.
3. Configure the OSPF protocol on NE1 to NE3 to implement the inter-

Procedure
1. Configure the UNI sub-interfaces on NE1 to NE3, including the UNI sub-
The planning data of the UNI interfaces on NE1 to NE3 are as follows.
Version: D 93
Item NE1 NE2 NE3

UNI sub-interface GE 0/3/1/1.20 GE 0/3/1/1.20 GE 0/1/1/1.20
The following takes NE1 for example to illustrate the configuration method.
FH-CR8000(if-gigabitethernet 0/3/1/1.20)#no shutdown
2. Configure VC on NE1 to NE3, including the active and standby dynamic PW

creation. The active PW is VC_NE3_NE2 (NE3↔NE2) and the standby PW is
VC_NE3_NE1 (NE3↔NE1).
The planning data of the VC configuration on NE1 to NE3 are as follows.

Item NE1 NE2 NE3
Interface GE 0/3/1/1.20 GE 0/3/1/1.20 GE 0/1/1/1.20
PW name VC_NE3_NE1 VC_NE3_NE2 VC_NE3_NE1 VC_NE3_NE2
VC ID 1 2 1 2
Peer IP address 3.173.0.165 3.173.0.165 3.173.0.163 3.173.0.164

3.173.0.165 control-word secondary redundancy encapsulation raw vccv cc 4 bfd-cv-type 2
3.173.0.165 control-word secondary redundancy encapsulation tagged vccv cc 4 bfd-cv-
type 2


3.173.0.163 control-word secondary redundancy encapsulation raw vccv cc 4 bfd-cv-type 2
94 Version: D

3.173.0.163 control-word secondary redundancy encapsulation tagged vccv cc 4 bfd-cv-
type 2
3. Configure the OSPF protocol on NE1 to NE3, including the OSPF process
setting within the domain, to implement the inter-communication within the mpls
domain.
The planning data of the OSPF configuration on NE1 to NE3 are as follows.
Item NE1 NE2 NE3
OSPF process number 31 31 31
Router ID 3.173.0.163 3.173.0.164 3.173.0.165



Version: D 95
7.2 Configuring VPLS
VPLS is a VPWS-based point-to-multipoint L2VPN service provided over a public

network, extended with the L2 switch capacity on PE equipment.
7.2.1 Configuring an E-Tree Service
This section introduces how to configure an E-Tree service.
Network Requirement
Figure 7-7 Network Diagram of Configuring ETREE Service
Set up an E-Tree service between NE1 and NE2, and between NE1 and NE3. The
interface planning data of each NE are shown in the figure above.
Prerequisite
u The loopback interfaces and their IP addresses, and the NNI interfaces and
their IP addresses of NE1 to NE3 have been configured, and the MPLS of the
NNI interfaces have been enabled.
96 Version: D
u Four static tunnels (tunnel12, tunnel13, tunnel21, and tunnel31) have been
configured.
1. Configure VSI instances on NE1 to NE3.
2. Configure UNI interfaces on NE1 to NE3, and bind them to the VSI instances.
Procedure
1. Create two VSI instances on NE1 to NE3 respectively.
4 The planning data of two VSI instances on NE1 are as follows.
Remote IP
VSI Name VSI ID Tunnel Name Outgoing Label Incoming Label
Address
3.173.0.164 tunnel12 601 600
ETree1 1
3.173.0.165 tunnel13 701 700
3.173.0.164 tunnel12 603 602
ETree2 2
3.173.0.165 tunnel13 703 702
Version: D 97
FH-CR8000(config)#mpls vsi ETree1

vpls instant create success and enter vsi mode
FH-CR8000(vsi-ETree1)#vsi-id 1
FH-CR8000(vsi-ETree1)#vsi-peer 3.173.0.164 tunnelif-name tunnel12 static out-label 601
in-label 600 control-word encapsulation tagged
// Static configuration. Select either from static configuration and dynamic configuration.
FH-CR8000(vsi-ETree1)#vsi-peer 3.173.0.164 upe
// Dynamic configuration. Select either from static configuration and dynamic configuration.
FH-CR8000(vsi-ETree1)#exit

Remote IP
Address
ETree1 1 3.173.0.163 tunne21 600 601
ETree2 2 3.173.0.163 tunne21 602 603
98 Version: D


Remote IP
Address
ETree1 1 3.173.0.163 tunnel31 700 701
ETree2 2 3.173.0.163 tunnel31 702 703
Version: D 99


2. Create two UNI interfaces on NE1 to NE3 respectively and bind them to VSI
instances.
4 The following lists the planning data of the UNI interfaces on NE1, as well
as the corresponding VSI instances.
Interface Name of the Bound VSI Instance

GE 0/3/1/1.10 ETree1
GE 0/3/1/1.20 ETree2

FH-CR8000(if-gigabitethernet 0/3/1/1.10)#mpls-vsi ETree1

100 Version: D
GE 0/3/1/1.10 ETree1
GE 0/3/1/1.20 ETree2



GE 0/1/1/1.10 ETree1
GE 0/1/1/1.20 ETree2


3. Run the "show mpls vsi" command on the root node NE1 to view the service
status. If "State" is "active", the VPLS service is normal.
Version: D 101
7.2.2 Configuring an E-LAN Service
This section introduces how to configure an ELAN service.
Network Requirement
Figure 7-8 Network Diagram of Configuring ELAN Service
Set up an ELAN service between NE1, NE2 and NE3. The interface planning data
of each NE are shown in the figure above.
Prerequisite
u Six static tunnels (tunnel12, tunnel13, tunnel21, tunnel23, tunnel31 and tunnel32)
have been configured.
1. Configure VSI instances on NE1 to NE3.
2. Configure UNI interfaces on NE1 to NE3, and bind them to the VSI instances.
102 Version: D
Procedure
1. Create two VSI instances on NE1 to NE3 respectively.
VSI Name VSI ID Remote IP Address Tunnel Name Outgoing Label Incoming Label
3.173.0.164 tunnel12 601 600

ELAN1 1
3.173.0.165 tunnel13 701 700
3.173.0.164 tunnel12 603 602
ELAN2 2
3.173.0.165 tunnel13 703 702

FH-CR8000(config)#mpls vsi ELAN1
FH-CR8000(vsi-ELAN1)#vsi-id 1
FH-CR8000(vsi-ELAN1)#vsi-peer 3.173.0.164 tunnelif-name tunnel12 static out-label 601
FH-CR8000(vsi-ELAN1)#vsi-peer 3.173.0.164 upe
FH-CR8000(vsi-ELAN1)#exit

Version: D 103
Outgoing Incoming
VSI Name VSI ID Remote IP Address Tunnel Name
Label Label
3.173.0.163 tunnel21 600 601
ELAN1 1
3.173.0.165 tunnel23 801 800
3.173.0.163 tunnel21 602 603
ELAN2 2
3.173.0.165 tunnel23 803 802


Remote IP
Address
3.173.0.163 tunnel31 700 701
ELAN1 1
3.173.0.164 tunnel32 800 801
104 Version: D
Remote IP
Address
3.173.0.163 tunnel31 702 703
ELAN2 2
3.173.0.164 tunnel32 802 803


2. Create two UNI interfaces on NE1 to NE3 respectively and bind them to VSI
instances.
Version: D 105

GE 0/3/1/1.10 ELAN1
GE 0/3/1/1.20 ELAN2

FH-CR8000(if-gigabitethernet 0/3/1/1.10)#mpls-vsi ELAN1

GE 0/3/1/1.10 ELAN1
GE 0/3/1/1.20 ELAN2



GE 0/1/1/1.10 ELAN1
GE 0/1/1/1.20 ELAN2
106 Version: D


3. Run the "show mpls vsi" command on NE2 or NE3 to view the service status. If
"State" is "active", the VPLS service is normal.
Procedure - Disabling Split Horizon
In the EVLAN configuration, the split horizon is enabled by default. You can disable
it as required. The following introduces the disabling procedure on NE3.

FH-CR8000(vsi-ELAN1)#no vsi-peer 3.173.0.163
in-label 701 control-word upe

7.2.3 Configuring HVPLS
This section introduces how to configure the dynamic HVPLS using the LDP.
Version: D 107
Network Requirement
Figure 7-9 Network Diagram of HVPLS
If there are a large number of VPLS PEs, you can adopt the Hierarchical VPLS
(HVPLS) networking scheme to reduce the performance requirements for PEs.
As shown in the figure above, the networks where NE4 to NE6 reside belong to one
VPLS. NE4 and NE5 access the VPLS full-mesh connection network via UPE (NE2),
and NE6 via common PE (NE3), forming an HVPLS network.
Prerequisite
u The LDP basic configuration (including the router ID setting and transmission
address setting) of NE1 to NE3 has been completed.
u The routing protocols of all the NEs have been configured to ensure that the
1. Configure the VSI instances on NE1 to NE3.
2. Configure the UNI interfaces on NE1 to NE3, and bind them to the VSI
instances.
108 Version: D
Procedure
1. Create VSI instances on NE1 to NE3.
4 The planning data of the VSI instance on NE1 are as follows.
VSI Name VSI ID Remote IP Address
3.173.0.164
VPLS-100 100
3.173.0.165

FH-CR8000(config)#mpls vsi VPLS-100
FH-CR8000(vsi-VPLS–100)#vsi-id 100
FH-CR8000(vsi-VPLS–100)#vsi-peer 3.173.0.164 upe
FH-CR8000(vsi-VPLS–100)#exit
VSI Name VSI ID Remote IP Address
VPLS-100 100 3.173.0.163

VSI Name VSI ID Remote IP address
VPLS-100 100 3.173.0.163

2. Create UNI interfaces on NE2 and NE3 and bind them to VSI instances.The
following lists the planning data of the UNI interfaces on NE2 and NE3, as well
Version: D 109
Item NE2 NE3

GE 0/2/1/1.10
Interface GE 0/2/1/1.10
GE 0/2/1/1.20
Name of the bound VSI
VPLS-100 VPLS-100
instance

FH-CR8000(if-gigabitethernet 0/2/1/1.10)#mpls-vsi VPLS-100


3. Run the "show mpls vsi" command on the equipment to view the service status.
If "State" is "active", the VPLS service is normal.
7.2.4 Viewing VPLS MAC Address Table
You can view the VPLS MAC address table using the following two methods.
1. View the VPLS MAC address table based on interfaces. Run the show vpls
mac if-name [gigabitethernet A/B/C] slot X command on the equipment to
view the VPLS MAC address table, as shown in the figure below.
110 Version: D
2. View the VPLS MAC address table based on VSI. Run the show vpls mac vsi-
name [name] slot X command on the equipment to view the VPLS MAC
address table, as shown in the figure below.
7.3 Configuring L3VPN Using an LDP Tunnel
This section introduces how to configure the L3VPN using the LDP tunnel.
Network Requirement
Figure 7-10 Network Diagram of Configuring L3VPN Using LDP Tunnels
Set up the L3VPN service between NE1 and NE2. The interface planning data of
each NE are shown in the figure above.
Prerequisite
u The global routes and the MPLS of NE1 and NE2 have been enabled.
u The VPN router IDs of NE1 and NE2 have been set.
Version: D 111
u The IP addresses and masks of the loopback interfaces of NE1 and NE2 have
been set.
u The IP addresses and masks of the NNI interfaces of NE1 and NE2 have been
set, and the MPLS and LDP have been enabled.
u The UNI sub-interfaces of NE1 and NE2 have been set up. The VLAN IDs of
the UNI sub-interfaces have been set and the sub-interfaces have been bound
to the IPv4 addresses.
1. Configure the OSPF on NE1 and NE2, including the OSPF router ID setting,
subnetwork IP address and mask setting within the domain
2. Configure the LDP on NE1 and NE2, including the LDP router ID setting and
IPv4 transmitting address setting.
3. Configure the L3VPN on NE1 and NE2, including the VRF configuration and
the UNI sub-interface configuration.
4. Configure the IBGP on NE1 and NE2, including the basic IBGP configuration,
the BGP peer configuration and the IPv4 address family setting.
5. Configure the MP-BGP on NE1 and NE2, including the VPNv4 address family
setting and the IPv4 VRF address family setting.
Procedure
1. Set the basic OSPF parameters on NE1 and NE2. Set the OSPF router ID, and
the subnetwork IP address and mask within the domainThe table below lists
the planning data of the NE.
Item NE1 NE2

Router ID 3.173.0.163 3.173.0.164
Configure as below, using the NE1 as an example.

112 Version: D
2. Configure the basic LDP parameters on NE1 and NE2. Set the LDP router ID,
and the IPv4 transmitting address.The table below lists the planning data of the
NE.
Item NE1 NE2

Router ID 3.173.0.163 3.173.0.164
IPv4 transmitting address 3.173.0.163 3.173.0.164

FH-CR8000(ldp)#exit
3. Configure the L3VPN services on NE1 and NE2. Configure the VRF and UNI
sub-interface.
1) Set the basic VRF parameters on NE1 and NE2, including the VRF setting
up, the RD value setting, ingress RT setting and egress RT setting.The
table below lists the planning data of the NEs.
Item NE1 NE2

VRF instance name CDMA-RAN CDMA-RAN
RD value 1001:1 1002:1
Ingress RT value 1001:1 1002:1
Egress RT value 1001:1 1002:1

FH-CR8000(config)#ip vrf CDMA-RAN
FH-CR8000(vrf-CDMA-RAN)#rd 1001:1
FH-CR8000(vrf-CDMA-RAN)#route-target both 1001:1
FH-CR8000(vrf-CDMA-RAN)#exit
2) Configure the UNI sub-interface on NE1 and NE2, including the UNI sub-
interface setting up, VRF binding and IPv4 address binding.The table
below lists the planning data of the NE.
Item NE1 NE2

VRF name CDMA-RAN CDMA-RAN
IPv4 address 192.168.2.1/30 192.168.2.5/30
Version: D 113

FH-CR8000(if-gigabitethernet 0/1/1/1.100)#ip vrf forwarding CDMA-RAN
FH-CR8000(if-gigabitethernet 0/1/1/1.100)#ip address 192.168.2.1/30
4. Configure the IBGP on NE1 and NE2, including the basic IBGP configuration,
BGP peer configuration and IPv4 address family setting.The table below lists
the planning data of each NE.
Item NE1 NE2

BGP process number 100 100
BGP router ID 3.173.0.163 3.173.0.164
IP address of BGP peer 3.173.0.164 3.173.0.163
Number of AS where the BGP peer
100 100
resides
Remote IP address 3.173.0.164 3.173.0.163
Neighbor next hop address 3.173.0.164 3.173.0.163
The following takes NE1 for example to illustrate the configuration method,
including the basic IBGP configuration and BGP peer configuration.
FH-CR8000(bgp-100)#neighbor 3.173.0.164 next-hop-self
The following takes NE1 for example to illustrate the configuration method,
including the IPv4 address family configuration.
FH-CR8000(bgp-100)#address-family ipv4 unicast
FH-CR8000(bgp-af4–uc)#neighbor 3.173.0.164 activate
FH-CR8000(bgp-af4–uc)#neighbor 3.173.0.164 next-hop-self
FH-CR8000(bgp-af4–uc)#exit-address-family
5. Configure the MP-BGP on NE1 and NE2, including the VPNv4 address family
configuration and IPv4 VRF address family configuration. The configuration on
NE1 is used as an example.
114 Version: D

FH-CR8000(bgp-afv4–uc)#neighbor 3.173.0.164 activate
FH-CR8000(bgp-afv4–uc)#exit-address-family
FH-CR8000(bgp-100)#address-family ipv4 vrf CDMA-RAN

Enter bgp ipv4 address family vrf mode
FH-CR8000(bgp-af4–vrf-CDMA-RAN)#redistribute connected
FH-CR8000(bgp-af4–vrf-CDMA-RAN)#exit-address-family
6. Run the "show ip route vrf + vrf name" command to check the L3VPN status.
7.4 Configuring Inter-Area L2VPN in OptionC

Mode
This section introduces the configuration method and procedure for the inter-area
L2VPN in OptionC mode.
Network Requirement
Figure 7-11 Network of Inter-Area L2VPN in OptionC Mode
As shown in the figure above, PE1 and ASBR1 are the CiTRANS R8000s. In the
scenario of inter-area L2VPN in OptionC mode:
u Use the OSPF as the IGP protocol to achieve the MPLS area interconnection.
u Establish OSPF, LDP and IBGP LU sessions between PE1 and ASBR1, and
between PE2 and ASBR2.
u Establish an EBGP LU session between ASBR1 and ASBR2.
u Establish an EBGP VPNv4 session between PE1 and PE2.
u The UNI interfaces of PE1 and PE2 are configured with the VPWS services
using the static single-segment PWs.
Version: D 115
The configuration procedures of PE1 and PE2 are the same, and those of ASBR1
and ASBR2 are the same, too. The following takes PE1 and ASBR1 as examples to
introduce the configuration procedure.
Prerequisite
u You have enabled the global routing and MPLS for PE1 and ASBR1.
u You have configured the VPN router IDs for PE1 and ASBR1.
u You have configured the loopback interface IP addresses and masks for PE1
and ASBR1.
u You have configured the IP addresses and masks of the NNI interfaces, and
enabled the MPLS and LDP for PE1 and ASBR1.
1. Configure the basic OSPF parameters on PE1 and ASBR1.
2. Configure the basic LDP parameters on PE1 and ASBR1.
3. Configure the L2VPN service on PE1.
4. Configure the BGP routing policy on PE1.
5. Configure the IBGP and MP-EBGP, and enable the label routing on PE1.
6. Configure the IBGP and MP-EBGP, and enable the label routing on ASBR1.
Procedure
1. Configure the basic OSPF parameters on PE1 and ASBR1, including the
OSPF router ID setting, sub-network IP address and mask setting within the
area.
Item PE1 ASBR1

Router ID 1.1.1.1 2.2.2.2
See Step 1 in Configuring L3VPN Using an LDP Tunnel for the configuration
procedure.
2. Configure the basic LDP parameters on PE1 and ASBR1. Set the LDP router
ID, and the IPv4 transmitting address.
116 Version: D
Item PE1 ASBR1

Router ID 1.1.1.1 2.2.2.2
procedure.
Item PE1
UNI interface GE 0/3/1/1
SVLAN ID 10
VC name pw1vpws
VC ID 1
PW in the Raw Remote IP address 2.2.2.2

mode Name of the bound tunnel tunnel12
Incoming label 500
Outgoing label 501

FH-CR8000(if-gigabitethernet0/3/1/1)#l2transport
FH-CR8000(if-gigabitethernet0/3/1/1)#vlan-type dot1q 10
// Set the SVLAN ID.
FH-CR8000(if-gigabitethernet0/3/1/1)#mpls l2-circuit pw1vpws 1 2.2.2.2 tunnelif-
name tunnel12 static in-label 500 out-label 501 control-word encapsulation raw
// Configure the PW in the Raw mode.
FH-CR8000(config)#
4. Configure the BGP routing policy on PE1.
Item PE1
Prefix list name A
Prefix list number 1
Prefix list
Filter mode permit
Network IP address All

Policy name CTVPN193
Sequence number of the policy list 1
Routing policy
Matched prefix list name A
Action rule Enable the route ID
Version: D 117
FH-CR8000(config)#ip prefix-list A seq 1 permit any

FH-CR8000(config)#route-map CTVPN193 permit 1
FH-CR8000(config-route-map)#match ip address prefix-list A
FH-CR8000(config-route-map)#set mpls-label
// Apply an ID for the public network route for the scenario in option C mode.
FH-CR8000(config-route-map)#exit
FH-CR8000(config)#
5. Configure the IBGP and MP-EBGP, and enable the label routing on PE1.
Item PE1
BGP process number 100
BGP router ID 1.1.1.1
IP address of BGP peer 2.2.2.2
100
IBGP resides
Remote IP address 2.2.2.2
Neighbor next hop address 1.1.1.1
EBGP 200
resides
Maximum number of EBGP connections 10

// Configure the IBGP neighbor of the public network.
// Configure the EBGP neighbor of the public network.
FH-CR8000(bgp-100)#neighbor 4.4.4.4 ebgp-multihop 10
FH-CR8000(bgp-af4–uc)#neighbor 1.1.1.1/32 route-map CTVPN193
// Distribute IPv4 labels based on the route-map.
FH-CR8000(bgp-af4–uc)#neighbor 2.2.2.2 send-label
// Enable the BGP LU capability negotiation in OptionC mode.
// Activate neighbors.
118 Version: D
FH-CR8000(bgp-100)#exit
FH-CR8000#save
6. Configure the IBGP and MP-EBGP, and enable the label routing on ASBR1.
Item ASBR1
100
IBGP resides
EBGP Number of AS where the BGP peer
200
resides

// Configure the IBGP neighbor for the public network.
// Configure the EBGP neighbor for the public network.
FH-CR8000(bgp-af4–uc)#network 1.1.1.1/32
// Induct the IP address of the PE loopback interface.
FH-CR8000(bgp-af4–uc)#network 1.1.1.1/32 send-label
// Enable the BGP LU capability in the scenario in option C mode.
FH-CR8000(bgp-af4–uc)#neighbor 20.1.1.2 send-label check-tunnel-reachable
// Enable the BGP LU capability and check the tunnel-reachability across areas in the scenario in option
C mode.
FH-CR8000#save
Version: D 119
7.5 Configuring Inter-Area L3VPN in OptionB

Mode
This section introduces the configuration method and procedure for the inter-area
L3VPN in OptionB mode.
Network Requirement
Figure 7-12 Network of Inter-Area L3VPN in OptionB Mode
As shown in the figure above, PE1 and ASBR1 are the CiTRANS R8000s. In the
scenario of inter-area L3VPN in OptionB mode:
u Use the OSPF as the IGP protocol to achieve the MPLS area interconnection.
u Establish OSPF, LDP and IBGP LU sessions between PE1 and ASBR1.
u Establish OSPF, LDP and IBGP LU sessions between PE2 and ASBR2.
u Establish an EBGP LU session between ASBR1 and ASBR2.
u Establish an EBGP VPNv4 session between PE1 and PE2.
The configuration procedures of PE1 and PE2 are the same, and those of ASBR1
and ASBR2 are the same, too. The following takes PE1 and ASBR1 as examples to
introduce the configuration procedure.
Prerequisite
u You have enabled the global routing and MPLS for PE1 and ASBR1.
u You have configured the VPN router IDs for PE1 and ASBR1.
u You have configured the loopback interface IP addresses and masks for PE1
and ASBR1.
120 Version: D
u You have configured the IP addresses and masks of the NNI interfaces, and
enabled the MPLS and LDP for PE1 and ASBR1.
1. Configure the basic OSPF parameters on PE1 and ASBR1.
2. Configure the basic LDP parameters on PE1 and ASBR1.
4. Configure the IBGP and EBGP on PE1.
5. Configure the IBGP and EBGP, and enable the Option B switch on ASBR1.
Procedure
1. Configure the basic OSPF parameters on PE1 and ASBR1, including the
OSPF router ID setting, sub-network IP address and mask setting within the
area.
Item PE1 ASBR1

Router ID 1.1.1.1 2.2.2.2
procedure.
2. Configure the basic LDP parameters on PE1 and ASBR1. Set the LDP router
ID, and the IPv4 transmitting address.
Item PE1 ASBR1

Router ID 1.1.1.1 2.2.2.2
procedure.
3. Configure the L3VPN service on PE1. Configure the VRF and UNI interface.
Item PE1
VRF instance name CDMA-RAN
RD value 1001:1
Ingress RT value 1001:1
Version: D 121
Item PE1
Egress RT value 1001:1
Bound UNI interface GE 0/3/1/1
Interface IP 100.1.1.1/24
procedure.
4. Configure IBGP on PE1, including the basic IBGP configuration, BGP peer
configuration, VPNv4 family setting and IPv4 VRF address family setting.
Item PE1
Number of AS where the BGP peer resides 100

Enter bgp vpnv4 address family mode.
FH-CR8000(bgp-100)#address-family ipv4 vrf CDMA-RAN
FH-CR8000(bgp-af4–vrf-CDMA-RAN)#redistribute connected
// Induct the directly connected routes.
FH-CR8000(bgp-af4–vrf-CDMA-RAN)#exit-address-family
FH-CR8000#save
5. Configure IBGP and EBGP on ASBR1, including the basic BGP configuration,
BGP peer configuration, IPv4 address family setting, VPNv4 address family
setting. Enable the Option B switch.
122 Version: D
Item ASBR1
100
IBGP resides
EBGP Number of AS where the BGP peer
200
resides

// Configure the EBGP neighbor of the public network.
FH-CR8000(bgp-af4–uc)#network 1.1.1.1/32
// Induct the IP address of the PE1 loopback interface.
Enter bgp vpnv4 address family mode.
FH-CR8000(bgp-afv4–uc)#l3vpn switch label
// Enable the OptionB switch.
FH-CR8000#save
Version: D 123
8 Configuring AAA
This chapter introduces the definition and functions of AAA.
Definition
AAA provides security functions for user authentication, authorization, and

accounting.
u Authentication: Determines the users who can access the network.
u Authorization: Authorizes users to use specific services.
u Accounting: Records usage of network resources of users.
Feature
AAA adopts the client/server model. This model has good extensibility and
facilitates concentrated management over user information.
AAA supports the following modes.
u AAA supports three authentication modes: non-authentication, local

authentication, and remote authentication. Remote authentication is
implemented through either the RADIUS or TACACS protocol.
u AAA supports three authorization modes: direct authorization, local

authorization and TACACS authorization.
u AAA supports two accounting modes: non-accounting and remote accounting.
Note:
u RADIUS: Remote Authentication Dial In User Service.
u TACACS: Terminal Access Controller Access Control System.
u RADIUS integrates authentication and authorization. Therefore,

RADIUS authorization accompanies with RADIUS authentication.
All user authentication, authorization, and accounting should be performed in the

domain view.
124 Version: D
8 Configuring AAA
Configuring Local Authentication and Authorization
Configuring Remote RADIUS Authentication
Configuring Remote TACACS Authentication and Authorization
Configuring Remote Authentication Using CLI
Version: D 125
8.1 Configuring Local Authentication and

Authorization
This section introduces how to configure local authentication and authorization.
Network Requirement
Figure 8-1 Configuring AAA - Scenario of Local Authentication and Authorization
As shown in the figure above, the user is located in the fiberhome domain,
accessing the network via router NE1. Configure router NE1 to authenticate and
authorize the user locally.
Planning Data
Item Parameter
Local username 123
cipher 123
Local user password A password is composed of "cipher" and
characters, or "simple" and characters.
Local user level 12

Local user access type telnet ssh
Authentication scheme name authen1
Authentication mode local
Authentication scheme name author1
Authorization mode local
User domain name fiberhome
1. Set the parameters of the local user, including the username, password, level
and access mode.
2. Configure an authentication scheme, including creating a scheme and setting

the authentication mode.
126 Version: D
8 Configuring AAA
3. Configure an authorization scheme, including creating a scheme and setting

the authorization mode.
4. Configure the domain where the user is located, including creating a domain
and configuring the domain authentication and authorization schemes.
Procedure
1. Set the parameters of local user as follows.

FH-CR8000(config)#aaa
FH-CR8000(config-aaa)#local-user 123 password cipher 123
FH-CR8000(config-aaa)#local-user 123 privilege 12
FH-CR8000(config-aaa)#local-user fiberhome service-type telnet ssh
2. Configure the authentication scheme as follows.

FH-CR8000(config-aaa)#authentication-scheme authen1
FH-CR8000(aaa-authen-authen1)#authentication-mode local
FH-CR8000(aaa-authen-authen1)#exit
3. Configure the authorization scheme as follows.

FH-CR8000(config-aaa)#authorization-scheme author1
FH-CR8000(aaa-author-autuor1)#authorization-mode local
FH-CR8000(aaa-author-autuor1)#exit
4. Configure the domain where the user resides as follows.

FH-CR8000(config-aaa)#domain fiberhome
FH-CR8000(aaa-domain-fiberhome)#authentication-scheme authen1
FH-CR8000(aaa-domain-fiberhome)#authorization-scheme author1
FH-CR8000(aaa-domain-fiberhome)#exit
8.2 Configuring Remote RADIUS Authentication
This section introduces how to configure the remote RADIUS authentication.
Version: D 127
Network Requirement
Figure 8-2 Configuring AAA - Scenario of Remote RADIUS Authentication
As shown in the figure above, the user is located in the fiberhome domain, and
router NE1 accesses the servers. The user visits the network via router NE1.
Configure router NE1 to authenticate the user using the RADIUS protocol.
Planning Data
Item Parameter
RADIUS server template name radius1
Note 1
VPN instance that the RADIUS server belongs to vpn1
Local source IP addressNote 1 3.173.0.163

IP address of the active RADIUS authentication server 192.168.2.1
IP address of the standby RADIUS authentication server 192.168.2.2
Shared key of the RADIUS server wri123
Time-out duration of the RADIUS request message 10
Number of the RADIUS request message retransmission
5
times
Authentication mode radius
Authorization scheme name author1
Authorization mode none
Note 1: The VPN instance that the RADIUS server belongs to and the local source IP address
are optional.
128 Version: D
8 Configuring AAA
1. Configure a RADIUS server template, which covers the active and standby
RADIUS authentication servers, the shared key for the servers, the time-out
duration for the RADIUS request message, the number of times that the
message is retransmitted (optional), and the user name in the message sent by
the equipment to the RADIUS server (optional).


Procedure
1. Configure a RADIUS server template as follows.

FH-CR8000(config-aaa)#radius-server-template radius1
FH-CR8000(aaa-radius-radius1)#radius-server authentication 192.168.2.1 source-ip
3.173.0.163 vrf vpn1
FH-CR8000(aaa-radius-radius1)#radius-server authentication secondary 192.168.2.2
source-ip 3.173.0.163 vrf vpn1
FH-CR8000(aaa-radius-radius1)#radius-server shared-key wri123
FH-CR8000(aaa-radius-radius1)#radius-server timeout 10
FH-CR8000(aaa-radius-radius1)#radius-server retransmit 5
FH-CR8000(aaa-radius-radius1)#no radius-server username domain-include
FH-CR8000(aaa-radius-radius1)#exit

FH-CR8000(aaa-authen-authen1)#authentication-mode radius

FH-CR8000(aaa-author-author1)#authorization-mode none
FH-CR8000(aaa-author-author1)#exit

Version: D 129
FH-CR8000(aaa-domain-fiberhome)#authentication-scheme author1
FH-CR8000(aaa-domain-fiberhome)#radius-server-template radius1
8.3 Configuring Remote TACACS Authentication

and Authorization
This section introduces how to configure remote TACACS authentication and

authorization.
Network Requirement
Figure 8-3 Configuring AAA - Scenario of Configuring Remote TACACS Authentication and
Authorization
As shown in the figure above, the user is located in the fiberhome domain, and
router NE1 accesses the servers. The user visits the network via router NE1.
Configure router NE1 to authenticate and authorize the user by using the TACACS
protocol.
Planning Data
Item Parameter
TACACS server template name tacacs1
VPN instance that the TACACS server belongs toNote 1 vpn1
Local source IPNote 1 3.173.0.163

IP address of active TACACS authentication /
192.168.2.1
authorization server
IP address of standby TACACS authentication /
192.168.2.2
authorization server
130 Version: D
8 Configuring AAA
Item Parameter
Shared key of the TACACS server wri123
Time-out duration of the TACACS request message (s) 10
Authentication mode tacacs
Authorization scheme name author1
Authorization mode none
Note 1: The VPN instance that the TACACS server belongs to and the local source IP address
are optional.
1. Configure a TACACS server template, including configuring the active and

standby TACACS authentication / authorization servers, the shared key, the
time-out duration of the TACACS request message (optional), and the user
name in the message sent by the equipment to the TACACS server (optional).


Procedure
1. Configure a TACACS server template as follows.

FH-CR8000(config-aaa)#tacacs-server-template tacacs1
FH-CR8000(aaa-tacacs-tacacs1)#tacacs-server authentication 192.168.2.1 source-ip
3.173.0.163 vrf vpn1
FH-CR8000(aaa-tacacs-tacacs1)#tacacs-server authentication secondary 192.168.2.2
FH-CR8000(aaa-tacacs-tacacs1)#tacacs-server authorization 192.168.2.1 source-ip
3.173.0.163 vrf vpn1
FH-CR8000(aaa-tacacs-tacacs1)#tacacs-server authorization secondary 192.168.2.2
FH-CR8000(aaa-tacacs-tacacs1)#tacacs-server shared-key wri123
FH-CR8000(aaa-tacacs-tacacs1)#tacacs-server timeout 10
Version: D 131
FH-CR8000(aaa-tacacs-tacacs1)#no tacacs-server username domain-include

FH-CR8000(aaa-tacacs-tacacs1)#exit

FH-CR8000(aaa-authen-authen1)#authentication-mode tacacs

FH-CR8000(aaa-author-author1)#authorization-mode tacacs

FH-CR8000(aaa-domain-fiberhome)#radius-server-template tacacs1
8.4 Configuring Remote Authentication Using

CLI
This section introduces how to configure remote authentication using CLI.
Network Requirement
Figure 8-4 Configuring AAA - Scenario of Configuring Remote Authentication Using CLI
132 Version: D
8 Configuring AAA
As shown in the figure above, the user is located in the fiberhome domain and
router NE1 accesses the servers. The user accesses NE1 via remote authentication
and authorization. In this example, the user is granted the authority to execute CLI
on NE1 in a remote manner.
Planning Data
Item Parameter
TACACS authentication server template name tacacs1
VPN instance that the TACACS authentication server
vpn1
belongs toNote 1
Local source IPNote 1 3.173.0.163

IP address of active TACACS authentication server 192.168.2.1
IP address of standby TACACS authentication server 192.168.2.2
Shared key of the TACACS server wri123
Time-out duration of the TACACS request message (s) 10
Authentication scheme name author1
User level 12
Note 1: The VPN instance that the TACACS server belongs to and the local source IP address
are optional.
1. Configure a TACACS server template, including configuring the active and

standby TACACS authentication servers, the shared key, the time-out duration
of the TACACS request message (optional), and the user name in the message
sent from the equipment to the TACACS server (optional).
2. Configure an authorization scheme, including creating a scheme and

authorizing the users of designated level to execute CLI.
3. Configure the domain where the user is located, including creating a domain,
configuring the domain authorization scheme, and configuring the template of
the domain's TACACS server.
Procedure
1. Configure a TACACS server template as follows.

FH-CR8000(config-aaa)#tacacs-server-template tacacs1
Version: D 133
FH-CR8000(aaa-tacacs-tacacs1)#tacacs-server-authorization 192.168.2.1 source-ip

3.173.0.163 vrf vpn1
FH-CR8000(aaa-tacacs-tacacs1)#tacacs-server-authorization secondary 192.168.2.2
FH-CR8000(aaa-tacacs-tacacs1)#tacacs-server shared-key wri123
FH-CR8000(aaa-tacacs-tacacs1)#tacacs-server timeout 10
FH-CR8000(aaa-tacacs-tacacs1)#no tacacs-server username domain-include
FH-CR8000(aaa-tacacs-tacacs)#exit

FH-CR8000(aaa-author-author1)#authorization-cmd 12 tacacs

FH-CR8000(aaa-domain-fiberhome)#tacacs-server-template tacacs1
134 Version: D
9 Configuring QoS
The QoS technology uses parameters such as bandwidth, delay, delay change,
packet loss rate to measure network resources. This can provide end-to-end service
quality guarantee for various services.
Configuring Traffic Shaping
Configuring Queue Scheduling Policy
Configuring Congestion Avoidance
Configuring HQoS
Version: D 135
9.1 Configuring Traffic Shaping
Traffic shaping typically limits the traffic and burst of a specific connection, so that
such packets can be sent out at a uniform speed. The traffic shaping is generally
used for the egress direction of an interface. The peak of the irregular traffic in the
upstream will be cut off to fill the valley, and a flat flow will be output.
Network Requirement
Figure 9-1 Network Requirement of QoS
As shown in Figure 9-1, the CiTRANS R8000 connects the IPTV service and data
service to the IP / MPLS network through Ethernet interfaces. Set the queue priority
of the IPTV service and data service to EF and AF1 respectively, and configure the
traffic shaping at the outgoing interface.
Prerequisite
u You have configured the physical parameters of relevant interfaces. All the
service interfaces are in the "Up" status.
u You have configured the link layer properties of relevant interfaces to ensure
their normal operation.
u You have enabled the routing protocol to ensure the route interconnection.
Procedure

FH-CR8000(config)#
136 Version: D
9 Configuring QoS
2. Enter the outgoing interface of the equipment.

3. Configure the parameters of traffic shaping.
Queue Peak Rate in Percentage
EF 40
AF1 1
FH-CR8000(config-if)#port-shaping ef pir-percent 40
FH-CR8000(config-if)#port-shaping af1 pir-percent 1
FH-CR8000(config-if)#exit
FH-CR8000(config)#
4. Enable the HQoS switch for slots.

FH-CR8000(config)#hqos enable slot 2
9.2 Configuring Queue Scheduling Policy
Queue scheduling divides all packets to be sent from one interface into multiple
queues and processes them according to their priorities. Through an appropriate
queue scheduling mechanism, QoS parameters of certain types of packets, such as
bandwidth, delay, jitter, etc., can be guaranteed first.
The CiTRANS R8000 series router supports two queue scheduling modes: SP and
WFQ. When congestion occurs, the CiTRANS 8000 uses different queue
scheduling policies to guarantee the QoS of services with high priorities.
Network Requirement
As shown in Figure 9-1, the CiTRANS R8000 connects the IPTV service and data
service to the IP / MPLS network through Ethernet interface. The queue priorities of
the IPTV service and data service are EF and AF1 respectively. Configure the traffic
shaping at the outgoing interface.
Prerequisite
Version: D 137
the normal operation of interfaces.
Procedure

FH-CR8000(config)#

3. Configure the queue scheduling parameters.
Queue Scheduling Policy Policy Weight
EF WFQ 34
AF1 WFQ 20
FH-CR8000(config-if)#port-scheduling ef wfq 34
FH-CR8000(config-if)#port-scheduling af1 wfq 20
FH-CR8000(config)#

5. Check the configuration result.

FH-CR8000(config)#show port scheduling interface ten-gigabitethernet 0/2/1/3
Interface: ten-gigabitethernet 0/2/1/3 ID: 1
be mode:WFQ weight: 10
af1 mode:WFQ weight: 20
ef mode:WFQ weight: 34
cs6 mode:SP
cs7 mode:SP
138 Version: D
9 Configuring QoS
9.3 Configuring Congestion Avoidance
Congestion avoidance is a flow control mechanism that monitors the use of network
resources (such as queues or memory buffers), discards packets actively when
congestion tends to increase, and relieves network overload by adjusting network
traffic. The CiTRANS R8000 supports the following two congestion policies:
u Tail drop algorithm: When the queue is filled to its maximum capacity, the newly
arriving packets are dropped until the queue has enough room to accept
incoming traffic.
u Color blind WRED: WRED algorithms are implemented based on the packet
colors (green, yellow, and red). Before the output buffer area reaches the
START threshold, no packet will be discarded; when the output buffer area
crosses the END threshold, all packets will be discarded. Between the START
and the END thresholds, all packets are probable to be dropped based on an
average-queue-length function.
Network Requirement
As shown in , the CiTRANS R8000 connects the IPTV service and data service to
the IP / MPLS network through Ethernet interface. The queue priorities of the IPTV
service and data service are EF and AF1 respectively. Configure the congestion
policy at the outgoing interface.
Prerequisite
Procedure

FH-CR8000(config)#
Version: D 139
2. Configure a WRED template.
Table 9-1 Over-High / Over-Low Thresholds and Discard Ratio of WRED
Over-Low Threshold Over-High Threshold

Message Color Discard Percentage
(in Percentage) (in Percentage)
green 50 100 100
yellow 50 100 100
red 30 80 30
FH-CR8000(config)#wred TIM
FH-CR8000(wred-TIM)#cfg green low-limit 50 high-limit 100 discard-percentage 100
FH-CR8000(wred-TIM)#cfg yellow low-limit 50 high-limit 100 discard-percentage 100
FH-CR8000(wred-TIM)#cfg red low-limit 30 high-limit 80 discard-percentage 30
FH-CR8000(wred-TIM)#commit
FH-CR8000(wred-TIM)#exit
FH-CR8000(config)#

4. Apply the WRED object TIM to EF and AF1 queues.

FH-CR8000(config-if)#port-congestion ef wred TIM
FH-CR8000(config-if)#port-congestion af1 wred TIM
FH-CR8000(config)#

9.4 Configuring HQoS
HQoS indicates the hierarchical QoS. It is a technology to guarantee the bandwidth

of multi-user and multi service under the DiffServ Model through a multi-level queue
scheduling mechanism.
140 Version: D
9 Configuring QoS
Traditional QoS adopts one-level scheduling. A port can only distinguish the service
priority rather than user priority. If the traffic with the same priority uses the same
port queue, the traffic of different users compete with each other for the same queue
resource. In this case, the single traffic of a single user on the port cannot be
differentiated. With multi-level scheduling, HQoS can distinguish the traffic of
different users and different services, and provide differentiated bandwidth
management.
Network Requirement
Figure 9-2 Network of HQoS
As shown in Figure 9-2, configure the three-level QoS scheduling based on user
group on the Ethernet outgoing interface 10GE 0/2/1/3.
Prerequisite
1. Configure the WRED.
2. Configure a traffic behavior template.
4 Level 1 scheduling: Scheduling, congestion avoidance and shaping based

on traffic queue.
4 Level 2 scheduling: Shaping and scheduling based on user queue.
4 Level 3 scheduling: Scheduling, congestion avoidance and shaping based

on user group queue and shaping and scheduling based on user group.
Version: D 141
3. Configure the traffic policy.
4 Level 1 traffic policy
4. Configure a user group template.
5. Enable HQoS for slots.
6. Configure the three-level scheduling policy of HQoS based on user group on

the Ethernet physical port.
Procedure
1. Configure the WRED object, discard threshold and its percentage.

FH-CR8000(config)#wred w1
FH-CR8000(wred-w1)#cfg green low-limit 50 high-limit 100 discard-percentage 100
FH-CR8000(wred-w1)#exit
FH-CR8000(config)#
2. Configure a traffic behavior template.
1) Configure the level 1 scheduling.

FH-CR8000(config)#traffic behavior be1
// Define the traffic behavior.
FH-CR8000(behavior-be1)#queue af1 shaping pir 100 cbs 1000 pbs 1000
// Configure the traffic shaping for traffic queue.
FH-CR8000(behavior-be1)#queue af2 scheduling wfq 18
// Configure the scheduling policy of traffic queue.
FH-CR8000(behavior-be1)#queue af3 congestion wred w1
// Configure the congestion policy of traffic queue.
FH-CR8000(behavior-be1)#exit
FH-CR8000(config)#
2) Configure the level-2 scheduling.

FH-CR8000(config)#traffic behavior be2
FH-CR8000(behavior-be2)#shaping pir 100 cbs 1000 pbs 1000
// Configure the traffic shaping for user queue.
FH-CR8000(behavior-be2)#scheduling wfq 18
// Configure the scheduling policy of user queue.
FH-CR8000(behavior-be2)#exit
FH-CR8000(config)#
3) Configure the level-3 scheduling.
142 Version: D
9 Configuring QoS
FH-CR8000(config)#traffic behavior be-g1

FH-CR8000(behavior-be-g1)#queue af1 shaping pir 100 cbs 100 pbs 100
// Configure the traffic shaping for traffic queue.
FH-CR8000(behavior-be-g1)#queue af2 scheduling wfq 10
// Configure the scheduling policy of traffic queue.
FH-CR8000(behavior-be-g1)#queue af3 congestion wred w1
// Configure the congestion policy of traffic queue.
FH-CR8000(behavior-be-g1)#shaping pir 200 cbs 200 pbs 200
// Configure the traffic shaping of user queue.
FH-CR8000(behavior-be-g1)#scheduling wfq 20
// Configure the scheduling policy of user queue.
FH-CR8000(behavior-be-g1)#exit
FH-CR8000(config)#
3. Configure a traffic policy template.
1) Configure the level 1 policy template.

FH-CR8000(config)#traffic policy p-be1
// Define a traffic policy.
FH-CR8000(policy-p-be1)#mode behavior-only
// Configure the policy mode to scheduling based on a node's QoS.
FH-CR8000(policy-p-be1)#behavior be1
// Bind the traffic classification with the traffic behavior.
FH-CR8000(policy-p-be1)#exit
FH-CR8000(config)#

FH-CR8000(config)#traffic policy p-be2
FH-CR8000(policy-p-be2)#mode behavior-only
FH-CR8000(policy-p-be2)#behavior be2
FH-CR8000(policy-p-be2)#exit
FH-CR8000(config)#

FH-CR8000(config)#traffic policy p-be-g1
FH-CR8000(policy-p-be-g1)#mode behavior-only
FH-CR8000(policy-p-be-g1)#behavior be-g1
FH-CR8000(policy-p-be-g1)#exit
FH-CR8000(config)#
4. Configure a user group template.

FH-CR8000(config)#user-group g1
// Define the user group node.
FH-CR8000(usergroup-g1)#policy p-be-g1 outbound
// Configure the QoS policy of dropping user group.
Version: D 143
FH-CR8000(usergroup-g1)#exit
FH-CR8000(config)#
5. Enable HQoS for slots.

6. Configure the three-level scheduling policy of HQoS based on user group on

the Ethernet physical port.
FH-CR8000(config-if)#hqos policy outbound fq p-be1 sq p-be2 user-group g1
// Configure the HQoS scheduling policy of dropping three-level scheduling.
FH-CR8000(config)#
144 Version: D
10 Other Configuration
This chapter introduces other configuration, including DHCP Relay, router access
control and SNMP access control.
Configuring SNMP
Configuring LLDP
Configuring NTP
Configuring Router Access Control
Configuring System Logs
Version: D 145
10.1 Configuring SNMP
Simple Network Management Protocol (SNMP) is a communication protocol

between the management process (NMS) and the agent process (agent). It defines
the standardized management framework, common languages in communication,
security and access control mechanisms used in monitoring and managing devices
in a network. The administrators usually query device information, modify device
parameters, monitor device status, and enable automatic detection of network faults
and generation of reports by using SNMP.
Currently, SNMP includes three versions: SNMPv1, SNMPv2c and SNMPv3.
u SNMPv1 is the first version of the SNMP protocol, providing a minimum

network management function. SNMPv1 uses community name for
authentication. A community name plays a similar role as a password and can
be used to control access from NMS to Agent. SNMP packets with community
names that do not pass the authentication on the device are simply discarded.
u SNMPv2c uses community name for authentication. Compatible with SNMPv1,

it extends the functions of SNMPv1. SNMPv2c provides more operation modes
such as GetBulk; it supports more data types such as Counter32; and it
provides various error codes, thus being able to distinguish errors in more
details.
u By adopting User-based Security Model (USM) and View-based Access

Control (VACM) technologies, SNMPv3 enhances security. USM offers
authentication and privacy functions; while VACM controls users’ access to
specific MIBs.
Network Requirement
As shown in the figure above, the NE is a CiTRANS R8000 device. Configure the
SNMP for the NE.
146 Version: D
Procedure

FH-CR8000(config)#

GE 0/3/1/1 10.10.10.10/24

// Configure the IP address and mask of the physical interface
FH-CR8000(config)#
3. Configure the SNMP protocol for the equipment.
Item Parameter
Community configuration Security name secname2

(v1 / v2) Community name public2
User group name g2

User group configuration
Security model v2c
1) Enable the SNMP service.

FH-CR8000(config)#snmp-agent enable
2) Configure the SNMP community.

FH-CR8000(config)#snmp-agent community secname2 public2
3) Configure the SNMP group.

FH-CR8000(config)#snmp-agent group g2 v2c secname2
4) Configure SNMP access.

FH-CR8000(config)#snmp-agent access g2 v2c noauth prefix _all_ _all_ _all_
4. Save the configuration.

FH-CR8000#save
Version: D 147
10.2 Configuring LLDP
The Link Layer Discovery Protocol (LLDP) is a layer-2 discovery protocol defined in
IEEE 802.1ab. By running the protocol, the network system can clearly learn about
all layer 2 information of the devices in direct connection. The mechanism facilitates
quick network management scale-up and enables the management of more
detailed network topology information and change information.
Network Requirement
As shown in the figure above, the Ethernet interfaces of NE1 and NE2 are
interconnected. Both of NE1 and NE2 have available routes to the NMS.
u NE1 and NE2 can obtain each other's status information through LLDP.
u The network management system can find NE1 and NE2 through the LLDP
management IP address to obtain topology information.
u When the LLDP management IP address changes, the global LLDP is disabled
and the neighbor information changes, NE1 is required to send LLDP alarm to
the network management system.
1. Enable the global LLDP for NE1 and NE2.
2. Set the management IP addresses of NE1 and NE2 to facilitate the network
management system to manage them.
148 Version: D
3. Enable the LLDP proxy for the interfaces of NE1 and NE2.
4. Configure the LLDP proxy properties for NE1 and NE2.
Procedure
The following takes NE1 for example to illustrate the configuration procedure.

FH-CR8000(config)#
2. Enable the global LLDP.

FH-CR8000(config)#lldp enable
3. Set the management IP address.
Item Parameter
NE1 management IP address 10.10.10.1
FH-CR8000(config)#lldp management-address10.10.10.1
4. Configure the LLDP proxy.

FH-CR8000(if-gigabitethernet0/2/1/1)#lldp agent enable
5. Configure the LLDP proxy properties.

FH-CR8000(if-gigabitethernet0/2/1/1)#lldp agent-mode txonly

FH-CR8000(if-gigabitethernet0/2/1/1)#commit
10.3 Configuring NTP
NTP configuration implements clock synchronization to equipment that provides

clocks within the network and keeps all clocks basically consistent over the network.
In this way, the equipment can provide various applications based on a unified time.
Version: D 149
Network Requirement
As shown in the figure above, NE1 and NE2 are the CiTRANS R8000 devices, and
NE3 and NE4 are the CiTRANS R800 series devices. When NE3 and NE1 are
connected, NE1 can be used as an NTP client. When NE1 and NE2 are connected,
NE1 can be used as both an NTP client and an NTP server.
The NTP configuration includes the configuration of client and server. The following
uses NE1 as an example to introduce the configuration procedure.
Prerequisite
You have configured the loopback ports for each NE.
Configuration Procedure - Client

FH-CR8000(config)#
2. Enable NTP.
FH-CR8000(config)#ntp-service enable
3. Set the IP address of the NTP server.

FH-CR8000(config)#ntp-service unicast-server 3.173.0.163
150 Version: D
FH-CR8000(config)#commit
Configuration Procedure - Server

FH-CR8000(config)#
2. Enable NTP.
FH-CR8000(config)#ntp-servive enable
3. Configure the NTP reference clock.

FH-CR8000(config)#ntp-service refclock-master

FH-CR8000(config)#commit
10.4 Configuring Router Access Control
Perform access control to the VTY interface of equipment so as to prevent illegal

users from controlling equipment via the Telnet / SSH mode.
u Set the corresponding access control list to the VTY port to limit the access to
the router via the VTY port. The access control list filters users according to the
user network segment.
u Modify the default value of concurrent connections to VTY, and adjust it to the
maximum value allowed by the vendor.
u The timeout for the router VTY port is configured so that the equipment will
actively disconnect a remote login when no operation is performed there in the
designated period of time. Otherwise, all the VTY ports will be occupied and
you cannot manage the equipment through remote login.
u Strengthen the VTY user password management.
1. Set the authentication mode to local username and password login.
2. Allow the remote login to the equipment.
3. Configure the access control list of the equipment.
Version: D 151
4. Apply the access control list in the Telnet / SSH login mode.
5. Configure the numbers of Telnet / SSH users for the equipment.
6. Configure the login timeout of the equipment.
Procedure

FH-CR8000(config)#
2. Set the authentication mode to local username and password login.
1) Configure the VTY username and login password of the equipment.
Note:
In case that the authentication mode is set to local, users must enter the
set username and password when logging into the core switch protocol
stack (see Logging into Main Control Protocol Stack).
Item Parameter
User name fiberhome
Password display modeNote 1 cipher
Login password cr8000
Authentication scheme name 1
Note 1: cipher: The password saved in the configuration file is generated from the Login
Password after being re-encrypted by the system; simple: the password is not
encrypted and displayed directly in the configuration file.
FH-CR8000(config-aaa)#local-user fiberhome password cipher cr8000
FH-CR8000(config-aaa)#authentication-scheme 1
Add new authentication scheme!
FH-CR8000(aaa-authen-1)#
2) Configure the system authentication type of the equipment.
152 Version: D
Item Parameter
Note 1
System authentication type local
Note 1: Configure the system authentication mode according to actual conditions. local refers
to local authentication; none refers to direct login without any authentication. For the
sake of security, the none mode is not recommended.
FH-CR8000(aaa-authen-1)#authentication-mode local
FH-CR8000(aaa-authen-1)#exit
FH-CR8000(config-aaa)#exit
3. Allow the remote login.
Item Parameter
Enabling the telnet equipment functions in CTVPN193 telnet-server vrf CTVPN193
Enabling the ssh equipment functions in CTVPN193 ssh-server vrf CTVPN193
FH-CR8000(config)#telnet-server vrf CTVPN193

FH-CR8000(config)#ssh-server vrf CTVPN193
4. Configure the access control list of the equipment.
Note:
u ACL uses the first matching algorithm. The router checks the list one
by one from the beginning till the matched item is found. If the group
matches with a certain rule, operation will be performed according to
the key word permit or deny in the rule, and all the follow-up rules are
ignored.
u The system will automatically add an implicit deny rule which refuses
all datagrams at the end of each ACL. If the coming group does not
match with any preceding rule, this group will be discarded.
Item Parameter
Note 1
ACL number 4001
59.43.0.0/19
59.43.32.0/20
Source IP address segment allowing access 59.43.48.0/21
202.97.3.0/24
115.168.128.0/17
Version: D 153
Item Parameter
115.168.254.0/24
Source IP address segment refusing access
115.168.255.0/24
Note 1: The ACL number that enters the ACL basic configuration view ranges from 4000 to
4999.
FH-CR8000(config)#acl 4001
FH-CR8000(acl-userdefine-4001)#rule 1 permit ip src-ip 59.43.0.0/19
FH-CR8000(acl-userdefine-4001)#rule 6 deny ip src-ip 115.168.254.0/24
FH-CR8000(acl-userdefine-4001)#rule 7 deny ip src-ip 115.168.255.0/24
FH-CR8000(acl-userdefine-4001)#exit
5. Apply the access control list in the telnet or ssh login mode. After the list is
applied, only the src-ip packets whose rule is permit can access the equipment.
4 Enable the Telnet VPN login function of the equipment, and configure the
Telnet access control list.
Item Parameter
VPN name CTVPN193
Telnet access control listNote 1 4001
Note 1: Set it to the ACL number in Step 4.
FH-CR8000(config)#telnet-server vrf CTVPN193

FH-CR8000(config)#telnet-server acl number 4001
4 Enable the SSH VPN login function of the equipment, and configure the
SSH access control list.
Item Parameter
VPN name CTVPN193
Note 1
SSH access control list 4001
Note 1: Set it to the ACL number in Step 4.
FH-CR8000(config)#ssh-server vrf CTVPN193

FH-CR8000(config)#ssh-server acl number 4001
6. Configure the numbers of Telnet / SSH users for the equipment.
154 Version: D
Item Parameter
User quantity of Telnet 5
User quantity of SSH 5
FH-CR8000(config)#line vty telnet max-user 5

FH-CR8000(config)#line vty ssh max-user 5
7. Configure the login timeout exit time of the equipment.
Item Parameter
Login timeout exit time (minute) 5
FH-CR8000(config)#line vty timeout 5


FH-CR8000#save
1. Use the "show running-config" command to check the configuration data on the
equipment, which should be consistent with the planning data.
!
aaa
local-user fiberhome password cipher W$xSDITQDa4A
local-user fiberhome privilege 12
!
authentication-scheme 1
authentication-mode local
exit
!
line vty timeout 5
line vty telnet max-user 5
line vty ssh max-user 5
!
acl 4001
rule 1 permit ip src-ip 59.43.0.0/19
rule 6 deny ip src-ip 115.168.254.0/24
Version: D 155
rule 7 deny ip src-ip 115.168.255.0/24

!
telnet-server acl number 4001
ssh-server acl number 4001
!
telnet-server vrf CTVPN193
ssh-server vrf CTVPN193
!
10.5 Configuring System Logs
u The system logs include alarm logs and operation logs, which are saved in the
equipment and in the log server. The level of the logs saved in the log server is
Warnings and above.
u It is required that all the system logs on the equipment should be preset and
sent to the log server in the network management center. The system log
should be checked every day so as to find any abnormality and process it in a
timely manner. The logs should be kept in the log server for at least three
months.
u Configure the alarm logs and operation logs of all levels for the system and
save them locally.
Configure the system log.
Procedure

FH-CR8000(config)#
2. Configure the system logs of the equipment.
Item Parameter
Enabling printing the alarm information of all
info-center default log source all
modules
Outputting the logs with levels higher than
info-center source default channel 4 log level
"warning" of all the modules to the syslog
warnings state on
buffer area.
156 Version: D
Item Parameter
info-center source default channel 5 trap level
Outputting the traps with levels higher than
warnings state on
"warning" of all the modules to the snmp.
info-center snmp
Saving the logs with levels higher than info-center source default channel 9 log level
"warning" of all the modules to the syslog. warnings stateon
Saving the traps with levels higher than info-center source default channel 9 trap level
"warning" of all the modules to the traplog. warnings state on
info-center loghost 1.1.1.1

Configuring the device to send information to
info-center source default channel 2 log level
the specified log host server
warnings state on
info-center loghost 195.168.1.2 channel 2

info-center loghost 198.168.1.2 channel 2
Configuring the device to send information to
facility local1
multiple log host servers
info-center loghost 45.12.203.66 channel 2 vrf
FHNMVPN facility local3
FH-CR8000(config)#info-center default log source all

FH-CR8000(config)#info-center source default channel 4 log level warnings state on
FH-CR8000(config)#info-center source default channel 5 trap level warnings state on
FH-CR8000(config)#info-center snmp
FH-CR8000(config)#info-center source default channel 9 log level warnings stateon
FH-CR8000(config)#info-center source default channel 9 trap level warnings state on
FH-CR8000(config)#info-center loghost 1.1.1.1
FH-CR8000(config)#info-center source default channel 2 log level warnings state on
FH-CR8000(config)#info-center loghost 195.168.1.2 channel 2
FH-CR8000(config)#info-center loghost 198.168.1.2 channel 2 facility local1
FH-CR8000(config)#info-center loghost 45.12.203.66 channel 2 vrf FHNMVPN facility
local3
3. Save the equipment configuration.

FH-CR8000#save
Use the "show run infoc" command to check the configuration data on the
equipment, which should be consistent with the planning data.
FH-CR8000#show run infoc

!
info-center default log source all
info-center default trap source all
Version: D 157
info-center source default channel 4 log state on level debug

info-center source default channel 5 trap state on
info-center source default channel 9 log state on level debug trap state on
info-center snmp
!
Note:
You can run the show channel or show info-center command to view
the channel status.
Default Output Destination of Channel Parameter
Default output destination of channel 1 remote-terminal

Default output destination of channel 2 loghost
Default output destination of channel 3 trapbuffer
Default output destination of channel 4 logbuffer
Default output destination of channel 5 snmpagent
Default output destination of channel 9 logfile
158 Version: D
11 Saving Configuration Files
Save the configuration data to files in a timely manner: After the configuration
command of a group of data is executed, use the save command to save the
configuration data.
Back up the configuration files: When configuration of a group of data is completed,

if the data are verified to satisfy the expected function, users should save the current
configuration file to the storage equipment in a timely manner. The backup can be
performed via the CF card or the FTP.
Backing Up the Configuration Files to the CF Card
Backing up the Configuration File via FTP
Version: D 159
11.1 Backing Up the Configuration Files to the CF

Card
After logging into the main control protocol stack, you can use commands to back
up the current configuration files in the CF card of the router.
Prerequisite
Procedure
1. Use the show current config file command to view the current configuration
files.
FH-CR8000#show current config file
current startup config file:userdir/ZEBOS.CFG
2. Use the cp command to back up the current configuration data to the

config_back1.CFG file under the directory /userdir/ of the CF card.
FH-CR8000#cp /mnt/cfdisk2/config.CFG /mnt/userdir/config_back1.CFG
progress: 100%
3. Check the backup results.

FH-CR8000#show dir include CFG
11.2 Backing up the Configuration File via FTP
In the FTP backup mode, after the OTNM2000 is installed, it serves as the FTP
server and the equipment serves as the FTP Client. Upload the configuration files of
client to the FTP server for backup.
Prerequisite
u The FTP server is normal.
Checking method: Use "cmd" on the server to enter the command prompt and
enter ftp 127.0.0.1. The default username and password are both 1.
160 Version: D
11 Saving Configuration Files
C:\Users\wjun>ftp 127.0.0.1
Connect to 127.0.0.1.
220-FileZilla Server version 3.46 final
220-written by Tim Kosse (Tim.Kosse@gmx.de)
220 Please visit http://sourceforge.net/projects/filezilla/
User(127.0.0.1:(none)): 1
331 Password required for 1
Password:
230 Logged on
ftp>
If you log in successfully as shown above, the FTP server is normal.
The root directory of the OTNM2000 serving as the FTP server is D:\OTNM\md
\ftproot.
u The equipment can ping the OTNM2000 server successfully.
Procedure
1. Log into the FTP server using the FTP command in the CLI GUI. As shown
below, 10.18.26.106 is the IP address of the OTNM2000 server, that is, the IP
address of the network card of the OTNM2000 connected to the equipment.
FH-CR8000#ftp 10.18.26.106 user 1 password 1 vrf FHNMVPN
2. Back up the "config.CFG" file under the directory /mnt/cfdisk2 of the equipment
to the FTP server using the "put" command.
FH-CR8000(FTP-10.18.26.106)#put /mnt/cfdisk2/config.CFG config_backup2.CFG
3. Check the directory \OTNM\md\ftproot of the OTNM2000 server, and there

should be the config_backup2.cfg file.
Version: D 161
12 Common Verification Commands
See Table 12-1 for the common verification commands used by the CiTRANS
R8000 Series.
Table 12-1 Common Verification Commands
Command Description
Shows the configuration information of all ports. Users can add port name to
show running-config interface
check the information of a designated port.
show ip interface brief Shows the IP information of a port.
show mpls l2vpn Shows the FEC statistical information of all VCs.
show bfd session ip
Shows the session information of bfd.
show bfd session al
show ip ospf neighbor Shows the neighbor information of OSPF.
show clns is-neighbors Shows the adjacency information of all ISIS neighbors.
Shows all sessions established between the current LSR and other LSRs.
show ldp session
The IP parameter can be used to designate the opposite end LSR address.
show ip bgp summary Shows the BGP neighbor information.
show running-config Shows global configuration.
162 Version: D
Appendix A Abbreviations
ACL Access Control List

APS Automatic Protection Switched
BGP Border Gateway Protocol
BC Boundary Clock
BMU Board Management Unit
BDR Backup Designated Router
CAC Call Admission Control

CLV Code Length Value
CSNP Complete SNP
DM Delay Measurement
DR Designated Router
DDOS Distributed Denial of Service

DWRR Deficit Weighted Round Robin
EBGP External BGP

EMC Electro Magnetic Compatibility
EMI Electromagnetic Interference
ECC Error Checking and Correction
FC Fiber Channel
FCS Frame Check Sequence
FE Fast Ethernet
FIB Forwarding Information Base
FPGA Field Programmable Gate Array
FRR Fast Reroute

FTP File Transfer Protocol
GE Gigabit Ethernet
GRE Generic Routing Encapsulation
GTSM Generalized TTL Security Mechanism
GUI Graphical User Interface
IBGP Internal BGP

IETF Internet Engineering Task Force
IGP Interior Gateway Protocols
IP Internet Protocol
IPTV Internet Protocol Television
Version: D 163
IPv4 Internet Protocol Version 4

IPv6 Internet Protocol Version 6
IS-IS Intermediate System to Intermediate System Routing Protocol
ISP Internet Service Provider

L2VPN Layer 2 Virtual Private Networks
L3VPN Layer 3 Virtual Private Networks
LAG Link Aggregation Group
LMM Loss Measurement Message
LDP Label Distribution Protocol

LSP Label Switched Path
MD5 Message Digest 5
ME Maintenance Entity
MEP Maintenance Entity Group End Points
MPLS Multi-Protocol Label Switching
MSTP Multi-Service Transfer Platform

MTU Maximum Transmission Unit
NTP Network Time Protocol
OAM Operation, Administration and Maintenance
OC Ordinary Clock
OSPF Open Shortest Path First
PSNP Partial SNP

PE Provider Edge
PM Performance Monitoring
PQ Priority Queue
PTP Precision Time Protocol

PW Pseudo Wire
PWE3 Pseudo Wire Emulation Edge-to-Edge
QinQ 802.1Q In 802.1Q or Double VLAN

QoS Quality of Service
RAN Radio Access Network

RSVP Resource Reservation Protocol
RTC Real-Time Clock
SDH Synchronous Digital Hierarchy
SFP Small Form-Factor Pluggable
SNP Sequence Number Packet
TE Traffic Engineering
URPF Unicast Reverse Path Forwarding
164 Version: D
Appendix A Abbreviations
VLAN Virtual Local Area Network

VPN Virtual Private Network
VRRP Virtual Router Redundancy Protocol
WFQ Weighted Fair Queuing
WRED Weighted Random Early Detection
Version: D 165
Product Documentation Customer Satisfaction Survey
Thank you for reading and using the product documentation provided by FiberHome. Please take a moment to
complete this survey. Your answers will help us to improve the documentation and better suit your needs. Your
responses will be confidential and given serious consideration. The personal information requested is used for
no other purposes than to respond to your feedback.
Name
Phone Number
Email Address
Company
To help us better understand your needs, please focus your answers on a single documentation or a complete
documentation set.
Documentation Name
Code and Version
Usage of the product documentation:

1. How often do you use the documentation?
□ Frequently □ Rarely □ Never □ Other (please specify)
2. When do you use the documentation?
□ in starting up a project □ in installing the product □ in daily maintenance □ in trouble
shooting □ Other (please specify)
3. What is the percentage of the operations on the product for which you can get instruction from the
documentation?
□ 100% □ 80% □ 50% □ 0% □ Other (please specify)
4. Are you satisfied with the promptness with which we update the documentation?
□ Satisfied □ Unsatisfied (your advice)
5. Which documentation form do you prefer?
□ Print edition □ Electronic edition □ Other (please specify)
Quality of the product documentation:
1. Is the information organized and presented clearly?
□ Very □ Somewhat □ Not at all (your advice)
2. How do you like the language style of the documentation?
□ Good □ Normal □ Poor (please specify)
3. Are any contents in the documentation inconsistent with the product?
4. Is the information complete in the documentation?
□ Yes
□ No (Please specify)
5. Are the product working principles and the relevant technologies covered in the documentation sufficient for
you to get known and use the product?
□ Yes
□ No (Please specify)
6. Can you successfully implement a task following the operation steps given in the documentation?
□ Yes (Please give an example)
□ No (Please specify the reason)
7. Which parts of the documentation are you satisfied with?
8. Which parts of the documentation are you unsatisfied with?Why?
9. What is your opinion on the Figures in the documentation?
□ Beautiful □ Unbeautiful (your advice)
□ Practical □ Unpractical (your advice)
10. What is your opinion on the layout of the documentation?

□ Beautiful □ Unbeautiful (your advice)
11. Thinking of the documentations you have ever read offered by other companies, how would you compare
our documentation to them?
Product documentations from other companies:
Satisfied (please specify)
Unsatisfied (please specify)
12. Additional comments about our documentation or suggestions on how we can improve:
Thank you for your assistance. Please fax or send the completed survey to us at the contact information
included in the documentation. If you have any questions or concerns about this survey please email at
edit@fiberhome.com

CiTRANS R8000 Series Multi-Service High-End Router Commissioning and Configuration Guide-CLI

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CiTRANS R8000 Series Multi-Service High-End Router Commissioning and Configuration Guide-CLI

Uploaded by

Copyright:

Available Formats

CiTRANS R8000 Series

Multi-Service High-End Router

FiberHome Telecommunication Technologies Co., Ltd.

We appreciate your business. Your satisfaction is our goal.

Fiberhome Telecommunication Technologies Co., Ltd.

Address: No. 67, Guanggu Chuangye Jie, Wuhan, Hubei, China

are trademarks of FiberHome Telecommunication Technologies Co., Ltd.

All rights reserved

No part of this document (including the electronic version) may be

Describes the equipment’s structures, functions,

Details the equipment’s appearance and structure, how to

CiTRANS R8000 Series Multi-

Gives a detailed description of items and procedures of

Gives a detailed introduction to service protection

Product version CiTRANS R8000 V3R2

This manual is intended for the following readers:

u Planning and designing engineers

u Operation and maintenance engineers

To utilize this manual, these prerequisite skills are necessary:

u Router related technology

u Data communication technology

u SDH communication principles

u IPRAN related technology

CiTRANS R8000-3 CiTRANS R8000-3 Multi-Service High-End Router

CiTRANS R8000-5 CiTRANS R8000-5 Multi-Service High-End Router

CiTRANS R8000-10 CiTRANS R8000-10 Multi-Service High-End Router

PWR Power Supply Board

FAN Fan Unit

FTCA4 25GE Optical Card (4 Ports)

XTCA10 10GE Optical Card(10 Ports)

XTCA2 10GE Optical Card (2 Ports)

XTCA4 10GE Optical Card (4 Ports)

XTCA5 10GE Optical Card (5 Ports)

XTCB2 2 × 10G LAN / WAN Transparent Card B

XTCB5 5 × 10G LAN / WAN Transparent Card B

MTCA20 GE / FE Mix Optical Card (20 Ports)

TCA17 16 × GE and 1 × 10G Transparent Card A

TCA13 12 × GE and 1 × 10G Transparent Card A

TCA12 10 × GE and 2 × 10G Transparent Card A

CS1A8 8 x Channelized cSTM-1 A

CE1A32 2M Process Card (32 Ch, Panel Outlet, 75/120Ω)

ESCA16 GE/FE Mix Electrical Card (16 Ports)

Symbol Convention Description

Note Important features or operation guide.

Possible injury to persons or systems, or cause traffic

Warning May cause severe bodily injuries.

➔ Jump Jumps to another step.

Related Documentation ...................................................................................I

Intended Readers ..........................................................................................III

1 Initializing the CiTRANS R8000.......................................................................1

1.1 Power-on Testing ..............................................................................2

1.2 Logging into Main Control Protocol Stack ..........................................3

1.3 Checking Software Version .............................................................14

1.4 Upgrading the CiTRANS R8000......................................................15

2 Hardware Commissioning .............................................................................17

2.1 Checking System Time ...................................................................18

2.2 Checking Card Status .....................................................................18

2.3 Checking Interface Status ...............................................................19

2.4 Checking Interface Optical Power ...................................................20

2.5 Checking CPU / Memory Utilization.................................................22

2.6 Checking Card Registration Status..................................................22

2.7 Checking Card Temperature ...........................................................23

2.8 Checking Fan Status.......................................................................23

2.9 Checking Alarm Information ............................................................24