Line Solution
Contents
1 Solution Overview
2 Solution Design
2 Huawei Confidential
Solution Overview
[Figure: intra-AS and inter-AS site-to-site private lines between CEs in City A and City B, and intra-AS and inter-AS site-to-cloud private lines from CEs to DAP VPCs in cloud DCs. Path: CE - ONU - OLT - MSE - CR - network PE - cloud backbone - cloud PE - cloud DC.]
• The MSEs on metro networks support the transport of the following types of site-to-site and site-to-cloud private line services over SRv6 BE:
  • Intra-AS site-to-site private line service
  • Inter-AS site-to-site private line service
  • Intra-AS site-to-cloud private line service
  • Inter-AS site-to-cloud private line service
System Architecture
[Figure: five layers. Presentation layer: admin console, tenant console, service provisioning app, O&M app and BSS/OSS console. Cloud-network synergy layer: cloud management platform and cloud-network synergy service orchestrator, connected through RESTful interfaces. Network orchestration layer: NCE-Super. Management and control layer: NCE-IP, PON NMS and ITMS controller over the DCN (SNMP/NETCONF/OpenFlow/CLI, TR069). Transport network: ONT/MxU - OLT - LSW - metro MSE - CR - network PE - cloud backbone - cloud PE - DAP/VPC in the cloud DC, with ETH/QinQ access, site-to-cloud private lines as VPN over SRv6 BE and site-to-site private lines over SRv6 BE.]
Presentation layer: provides unified GUIs for service provisioning.
• Provides service provisioning GUIs for tenants and carrier administrators.
• Can be implemented through a traditional BSS/OSS or new developments.
• Allows cloud services and site-to-cloud private line services to be either separately provisioned or uniformly provisioned through GUIs.
Cloud-network synergy layer:
• Cloud-network synergy service orchestrator: orchestrates cloud and network resources (including PON and metro network resources) and uniformly allocates them.
• Resource management system (BSS/OSS): The VLAN access information of PON network users is imported through the orchestrator to implement orchestration with metro network resources.
Network orchestration layer (NCE-Super): E2E automated service provisioning and visualized O&M
• E2E automated service deployment across metro and cloud backbone networks
• BOD and bandwidth calendaring delivery across metro and cloud backbone networks
• E2E service display, quality monitoring, O&M, and fault demarcation
Management and control layer (NCE-IP):
• Basic route management and SRv6 locator address management on metro and cloud backbone networks
• PON NMS: automated PON service deployment
• ITMS: ONT service configuration and management
Transport network:
• Enterprise services access metro MSEs through PONs (FTTO/FTTB).
• EVPN/L3VPN is deployed between metro MSEs and cloud PEs based on tenants/services to carry enterprises' site-to-cloud private line services.
• IS-IS IPv6 routes are deployed on both the metro and cloud backbone networks, implementing intra-AS SRv6 locator advertisement.
• ASBRs/CRs on each metro network are connected to PEs on the cloud backbone network through optical fibers or an OTN. IPv6 static routes are deployed between the metro and cloud backbone networks, so that loopback and SRv6 locator routes can be advertised across ASs.
• PEs on the cloud backbone network are connected to a cloud DC. They interconnect with cloud DAPs through VLANs.
Product and Version Mappings
Contents
1 Solution Overview
2 Solution Design
  Site-to-Cloud Private Line Transport Solution
  Site-to-Cloud Private Line Provisioning and O&M
  Site-to-Site Private Line Transport Solution
  Site-to-Site Private Line Provisioning and O&M
Network Transport
[Figure: site-to-cloud path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud backbone - cloud PE - DAP VPC, for both the local cloud DC and the remote cloud DC.]
Enterprise-side access:
• Enterprise-side CEs are connected to ONTs/MxUs through physical interfaces or VLAN sub-interfaces.
Transport on the metro network:
• The PON provides VLAN access, and the QinQ solution can be used for VLAN deployment.
• IPv6 routes are deployed between the metro and cloud backbone networks.
Interconnection with cloud DCs:
• PEs on the cloud backbone network are interconnected with cloud DAPs through QinQ or VLAN sub-interfaces.
• Each pair of PEs on the cloud backbone network can be interconnected with multiple cloud DAPs.
VPN-based transport of site-to-cloud private line services (L3VPN/EVPN): The site-to-cloud private line services of tenants can be carried over BGP L3VPN or EVPN VPWS.
• One-hop VPN connection from an MSE to a PE on the cloud backbone network
• SRv6 BE is deployed for traffic forwarding based on SID locators.
IPv6 Address Planning
MTU Planning
[Figure: site-to-cloud path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud backbone - cloud PE - DAP VPC (local and remote cloud DC), annotated with the MTU values 4470/9600 and 1500.]
Basic Routing Design
[Figure: site-to-cloud path CE - ONT/MxU - OLT - LSW - MSE - CR - network PE - cloud PE - DAP VPC (remote cloud DC), with the routing roles of the metro network, CR, network PE and cloud backbone network annotated.]
Metro network:
• Enable IPv4/IPv6 dual stack on the metro network and deploy IS-IS IPv6 multi-topology.
CR:
IS-IS route import to BGP:
• Configure a route-policy to import the IPv6 loopback and SRv6 locator routes of the MSE on the metro network from the IS-IS process to the BGP process.
IS-IS process:
• Configure a route-policy to import the IPv6 loopback and SRv6 locator routes of devices on the cloud backbone network from the BGP process to the IS-IS process. In the case of an inter-AS site-to-site private line, also import the IPv6 loopback and SRv6 locator routes of MSEs in other ASs from the BGP process to the IS-IS process.
Network PE:
IS-IS route import to BGP:
• Configure a route-policy to import the IPv6 loopback and SRv6 locator routes of PEs on the cloud backbone network from the IS-IS process to the BGP process.
IS-IS process:
• Configure a route-policy to import the IPv6 loopback and SRv6 locator routes of devices on all metro networks from the BGP process to the IS-IS process.
Cloud backbone network, IS-IS route advertisement:
• Configure IPv6 loopback routes for PEs on the cloud backbone network.
• Configure SRv6 locator routes for PEs on the cloud backbone network.
• To control the import of BGP routes to IS-IS when the CR and network PE are deployed in square-looped mode, configure a route tag and route filtering for the IS-IS process between the CR and network PE.
Basic Routing Design (Route Summarization)
[Figure: site-to-cloud path CE - ONT/MxU - OLT - LSW - MSE - CR - network PE - cloud PE - DAP VPC (remote cloud DC), with the CR and the network PE as the summarization points.]
BGP on the CR:
• The routes imported to IS-IS are summarized into two routes on the entire metro network, that is, the loopback and SRv6 locator routes of the MSE.
BGP on the network PE:
• The routes imported to IS-IS are summarized into two routes on the entire cloud backbone network, that is, the loopback and SRv6 locator routes of PEs.
• The CR advertises only loopback and locator summary routes to the cloud backbone network.
• The network PE advertises only loopback and locator summary routes to the metro network.
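As an added illustration (not Huawei's configuration or code), the following Python model runs the ASBR's IS-IS-to-BGP route-policy, the two-route summarization and the EBGP filters in both directions over a constructed address plan. The planning blocks, every prefix, and the inbound check on the receiving ASBR are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv6Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    kind: str  # "loopback", "locator" or "other" (for example a link prefix)


# Constructed address plan (not from the page): each AS keeps its MSE/PE
# loopbacks in one block and its SRv6 locators in another, so the ASBR can
# advertise exactly two summaries to the neighbouring AS.
PLAN = {
    "metro": {"loopback": Net("2001:db8:1000::/48"),
              "locator": Net("2001:db8:2000::/40")},
    "cloud": {"loopback": Net("2001:db8:3000::/48"),
              "locator": Net("2001:db8:4000::/40")},
}


def isis_to_bgp(routes, plan):
    """Route-policy for importing IS-IS into BGP on the CR or network PE:
    only loopback and locator routes inside their planned block are accepted.
    Returns (accepted, rejected) so a misplanned route is visible, not lost."""
    accepted, rejected = [], []
    for r in routes:
        block = plan.get(r.kind)
        if block is not None and r.prefix.subnet_of(block):
            accepted.append(r)
        else:
            rejected.append(r)
    return accepted, rejected


def summary_routes(accepted, plan):
    """BGP summarization: the imported routes collapse to at most two
    prefixes, the planned loopback block and the planned locator block."""
    return sorted({plan[r.kind] for r in accepted}, key=str)


def ebgp_outbound(candidates, plan):
    """Outbound filter on the EBGP session to the other AS: only the two
    summaries may leave; a stray /128 or a link prefix is dropped."""
    allowed = set(plan.values())
    return [p for p in candidates if p in allowed]


def ebgp_inbound(received, peer_plan):
    """Inbound filter on the receiving ASBR (an added hardening step assumed
    here, not taken from the page): only routes inside the peer AS's planned
    loopback and locator blocks are imported into IS-IS."""
    return [p for p in received
            if any(p.subnet_of(block) for block in peer_plan.values())]


if __name__ == "__main__":
    # Constructed IS-IS routes seen on the metro CR.
    metro_isis = [
        Route(Net("2001:db8:1000::1/128"), "loopback"),   # MSE loopback
        Route(Net("2001:db8:2000:1::/64"), "locator"),    # MSE SRv6 locator
        Route(Net("2001:db8:9999::/64"), "other"),        # CR-MSE link prefix
        Route(Net("2001:db8:ffff::1/128"), "loopback"),   # loopback outside the plan
    ]
    ok, bad = isis_to_bgp(metro_isis, PLAN["metro"])
    summaries = summary_routes(ok, PLAN["metro"])
    print("CR advertises:", [str(p) for p in ebgp_outbound(summaries, PLAN["metro"])])
    print("rejected by route-policy:", [str(r.prefix) for r in bad])
```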
Basic Routing Design (VPN RR)
[Figure: RR1 and RR2 in the cloud backbone AS; MSEs and CRs in the metro AS, network PEs and cloud PEs in the cloud backbone AS, with cloud PEs connecting to DAP VPCs in the remote cloud DC.]
• Two RRs (P nodes) are deployed on the cloud backbone network. The RRs can be CRs or other independent devices.
• VPNv4 and EVPN address family peer relationships are established between the RRs.
• PEs on the cloud backbone network function as the clients of the RRs and establish VPNv4 and EVPN address family peer
relationships with the RRs.
• An EBGP peer relationship, VPNv4 address family peer relationship, and EVPN address family peer relationship are established
between each MSE on the metro network and each RR on the cloud backbone network.
• The metro and cloud backbone networks belong to different ASs. Therefore, the peer allow-as-loop 2 command needs to be run
in the VPNv4 address family view of each MSE.
Service Routing Design (L2 Site-to-Cloud Private Line)
[Figure: CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud PE - DAP VPC (remote cloud DC). Segments: VLAN/QinQ on the access side, EVPN VPWS over SRv6 BE between the MSE and the cloud PE, VLAN toward the DAP, VRF in the VPC; a static route spans the CE and the DAP. Address labels IP1, IP2.1, IP2.2 and IP3 mark the interconnection addresses.]
• A static route must be configured between the CE and DAP to guide traffic forwarding.
Service Routing Design (L3 Site-to-Cloud Private Line in an LSW Single-Homing Scenario)
[Figure: CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud PE - DAP VPC (remote cloud DC), with the LSW single-homed to one MSE. Segments: VLAN/QinQ on the access side, VPNv4 L3VPN over SRv6 between the MSE and the cloud PE, VLAN toward the DAP, VRF in the VPC. Address labels IP1, IP2.1, IP2.2, IP3.1, IP3.2, IP4.1, IP4.2 and IP5 mark the interconnection addresses.]
CE:
• Configure a route from the CE to the VPC, with the next hop being an MSE's interconnection address.
MSE:
• Configure a route from the MSE to the user side, with the next hop being a CE's interconnection address.
• Import the static route into the corresponding BGP VPN instance.
Cloud PE:
• Configure a static route from the cloud PE to the involved VPC, with the next hop being a DAP's interconnection address.
• Import the static route into the corresponding BGP VPN instance.
Cloud DAP:
• Configure a static route from the cloud DAP to the enterprise side, with the next hop being a cloud PE's interconnection address.
• Configure a static route from the cloud DAP to the VPC.
Service Routing Design (L3 Site-to-Cloud Private Line in an LSW Dual-Homing Scenario)
[Figure: CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - two MSEs - CR - network PE - cloud PE - DAP VPC (remote cloud DC), with the LSW dual-homed to both MSEs. Segments: VLAN/QinQ on the access side, VPNv4 L3VPN over SRv6 between the MSEs and the cloud PE, VLAN toward the DAP, VRF in the VPC. Address labels IP1, IP2.1, IP2.2, IP3.1, IP3.2, IP4.1, IP4.2, IP5.1, IP5.2 and IP6 mark the interconnection addresses.]
CE:
• Configure a route from the CE to the VPC, with the next hop being an MSE's interconnection address.
MSE:
• Configure a route from the MSE to the user side, with the next hop being a CE's interconnection address.
• Import the static route into the corresponding BGP VPN instance.
Cloud PE:
• Configure a static route from the cloud PE to the involved VPC, with the next hop being a DAP's interconnection address.
• Import the static route into the corresponding BGP VPN instance.
Cloud DAP:
• Configure a static route from the cloud DAP to the enterprise side, with the next hop being a cloud PE's interconnection address.
• Configure a static route from the cloud DAP to the VPC.
Multi-Cloud Access Model 1: Full Mesh (L3 Site-to-Cloud Private Line)
Multi-cloud access: Per-VPC per-VRF configuration is performed. Multi-cloud access is controlled using the import RTs of VRFs.
[Figure: private line 1 of tenant 1. The CE attaches to VRF 1 on the MSE; cloud DC 1 (gateway VPC, VRF 4) is reached through cloud PE1 (DC access to the same cloud PE) and cloud DC 2 (gateway VPC, VRF 5) through cloud PE2 (DC access to different cloud PEs). Every RT label in the figure uses RT 1: RT export 1; RT import 1; RT import 1; RT export 1; RT import 1.]
Multi-Cloud Access Model 2: Hub-Spoke (L3 Site-to-Cloud Private Line)
Multi-cloud access: Per-VPC per-VRF configuration is performed. Multi-cloud access is controlled using the import RTs of VRFs.
[Figure: the CE attaches to VRF 1 on the MSE; cloud DC 1 (gateway VPC, VRF 4) is reached through cloud PE1 (DC access to the same cloud PE) and cloud DC 2 (gateway VPC, VRF 5) through cloud PE2 (DC access to different cloud PEs). RT labels in order of appearance: RT export 2; RT export 1; RT import 1, 2; RT export 2; RT import 1, 2.]
Multi-Cloud Access Model 3: Flexible Connection (L3 Site-to-Cloud Private Line)
Multi-cloud access: Per-VPC per-VRF configuration is performed. Multi-cloud access is controlled using the import RTs of VRFs.
[Figure: the CE attaches to VRF 1 on the MSE; cloud DC 1 (gateway VPC, VRF 4) is reached through cloud PE1 (DC access to the same cloud PE) and cloud DC 2 (gateway VPC, VRF 5) through cloud PE2 (DC access to different cloud PEs). RT labels in order of appearance: RT export 4; RT export 1; RT import 1; RT export 5; RT import 1, 2.]
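To show how the import RTs decide which VRFs exchange routes in the three models above, here is an added Python example (not Huawei's code): it derives one-way, two-way and half-open VRF pairs from the RT sets. Model 1 uses RT 1 throughout as in its figure; the hub-spoke and flexible RT assignments are constructed for illustration and are not read off the figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrf:
    name: str
    device: str
    export: frozenset   # RTs attached to the routes this VRF exports
    imports: frozenset  # RTs this VRF accepts on import


def one_way(vrfs):
    """Routes of VRF a are installed in VRF b when some RT that a exports is in
    b's import list. Returns ordered pairs (a, b), a != b. Direction matters:
    b learning a's routes does not mean a learns b's."""
    return {(a.name, b.name) for a in vrfs for b in vrfs
            if a is not b and a.export & b.imports}


def connected(vrfs):
    """Unordered pairs that can exchange traffic: routes exist both ways."""
    pairs = one_way(vrfs)
    return {(a, b) for (a, b) in pairs if (b, a) in pairs and a < b}


def half_open(vrfs):
    """Pairs with routes in one direction only. Such a private line forwards
    packets one way and black-holes the replies, so this is the check to run
    after any import RT change."""
    pairs = one_way(vrfs)
    return {(a, b) for (a, b) in pairs if (b, a) not in pairs}


def model1_full_mesh():
    """Model 1 as in the figure: every RT label is RT 1, so VRF 1 (MSE),
    VRF 4 (cloud PE1) and VRF 5 (cloud PE2) all reach each other."""
    rt1 = frozenset({"1"})
    return [Vrf("VRF 1", "MSE", rt1, rt1),
            Vrf("VRF 4", "Cloud PE1", rt1, rt1),
            Vrf("VRF 5", "Cloud PE2", rt1, rt1)]


def model2_hub_spoke():
    """Constructed hub-spoke assignment (the figure's exact values are not
    reproduced): the MSE VRF is the hub, exporting RT 1 and importing RT 2;
    each cloud VRF is a spoke, exporting RT 2 and importing only RT 1, so
    cloud DC 1 and cloud DC 2 never see each other's routes."""
    return [Vrf("VRF 1", "MSE", frozenset({"1"}), frozenset({"2"})),
            Vrf("VRF 4", "Cloud PE1", frozenset({"2"}), frozenset({"1"})),
            Vrf("VRF 5", "Cloud PE2", frozenset({"2"}), frozenset({"1"}))]


def model3_flexible(mse_imports):
    """Constructed flexible-connection assignment: each cloud VRF exports its
    own RT (4 for VRF 4, 5 for VRF 5) and imports RT 1; which clouds the
    tenant reaches is selected purely by the MSE VRF's import list."""
    return [Vrf("VRF 1", "MSE", frozenset({"1"}), frozenset(mse_imports)),
            Vrf("VRF 4", "Cloud PE1", frozenset({"4"}), frozenset({"1"})),
            Vrf("VRF 5", "Cloud PE2", frozenset({"5"}), frozenset({"1"}))]


if __name__ == "__main__":
    cases = [("full mesh", model1_full_mesh()),
             ("hub-spoke", model2_hub_spoke()),
             ("flexible, cloud DC 1 only", model3_flexible({"4"}))]
    for label, vrfs in cases:
        print(label, "connected:", sorted(connected(vrfs)),
              "half-open:", sorted(half_open(vrfs)))
```

In the flexible case with only RT 4 imported, VRF 5 still learns the tenant's routes because it imports RT 1, which `half_open` reports; dropping RT 1 from VRF 5's import list as well closes that direction.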
QoS Design
[Figure: site-to-cloud path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud PE - DAP VPC (local and remote cloud DC). Segments: VLAN/QinQ on the access side, EVPN VPWS over SRv6 BE or VPNv4 L3VPN over SRv6 BE between the MSE and the cloud PE, VLAN toward the DAP, VRF in the VPC; L2/L3 private line.]
Queue scheduling: PQ and WFQ scheduling is performed on the transport network.
Reliability Design (L3 Private Line)
[Figure: site-to-cloud path with one LSW single-homed to an MSE through a LAG and one LSW dual-homed to two MSEs (FTTO/FTTB access), then CR - network PE - cloud PEs - DAP VPCs in the local and remote cloud DCs.]
L3 reliability design:
PON reliability:
• Type B protection protects backbone optical fibers.
• Type C protection protects both branch and backbone optical fibers.
Reliability of the network between LSWs and MSEs:
• An LSW can be single-homed to an MSE through a LAG.
• An LSW can also be dual-homed to two MSEs through static routes.
Reliability of the metro network:
• Single-homing scenario: LAG protection
• Dual-homing scenario: static route-based dual-homing protection
• BFD for IS-IS on the metro network
• Fast IGP convergence on the metro network
Reliability of the cloud backbone network:
• Metro side: route convergence and IP FRR
• Cloud side: The addresses of cloud PEs and the service addresses in a cloud DC are on different network segments, and static route-based dual-homing is deployed.
Reliability of the network between the cloud backbone network and cloud DC:
• A DAP connects to cloud PEs through active and standby static routes.
Reliability Design (L3 Private Line in an LSW Single-Homing Scenario)
[Figure: failure points 1 to 11 marked along the site-to-cloud path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW (single-homed through a LAG) - MSE - CR - network PE - cloud PE - DAP VPC (local and remote cloud DC); L3 private line.]
Failure point | Detection method | Protection method | Rectification method
1 | Optical fiber | PON type C protection for branch optical fibers |
2 | Optical fiber | PON type B protection for backbone optical fibers; PON type C protection for both branch and backbone optical fibers |
3 | LACP | LAG protection | LAG protection
4 | None | None | None
5/9 | BFD for IS-IS (10 ms x 3) | IGP FC and IP FRR | IGP route convergence
6 | MSE: BFD for IS-IS (10 ms x 3); Network PE: link status detection | MSE: IGP FC and IP FRR; Network PE: IP FRR | MSE: IGP route convergence; Network PE: BGP route convergence
7 | Link status detection | IP FRR | BGP route convergence
8 | CR: link status detection; Network PE: BFD for IS-IS (10 ms x 3) | CR: IP FRR; Network PE: IGP FC and IP FRR | CR: BGP route convergence; Network PE: IGP route convergence
10 | MSE/RR: BFD for BGP peer (200 ms x 3); DAP: link status detection | MSE: BGP route convergence; DAP: static route switching; Cloud PE: IP FRR | Cloud PE: configuration of a delay for cloud-side interfaces to go up; DAP: static route switching
11 | Link status detection | Static route switching | DAP: static route switching
Reliability Design (L3 Private Line in an LSW Dual-Homing Scenario)
[Figure: failure points 1 to 11 marked along the site-to-cloud path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW (dual-homed to two MSEs) - MSE - CR - network PE - cloud PE - DAP VPC (local and remote cloud DC); L3 private line.]
Failure point | Detection method | Protection method | Rectification method
1 | Optical fiber | PON type C protection for branch optical fibers |
2 | Optical fiber | PON type B protection for backbone optical fibers; PON type C protection for both branch and backbone optical fibers |
3 | BFD for static route | CE: route convergence; MSE: IP FRR or route convergence | Route convergence
4 | CE: BFD for static route; Cloud PE/RR: BFD for BGP peer | CE: static route switching; Cloud PE: BGP route convergence | Route convergence; MSE: configuration of a delay for LSW-side interfaces to go up
5/9 | BFD for IS-IS (10 ms x 3) | IGP FC and IP FRR | IGP route convergence
6 | MSE: BFD for IS-IS (10 ms x 3); Network PE: link status detection | MSE: IGP FC and IP FRR; Network PE: IP FRR | MSE: IGP route convergence; Network PE: BGP route convergence
7 | Link status detection | IP FRR | BGP route convergence
8 | CR: link status detection; Network PE: BFD for IS-IS (10 ms x 3) | CR: IP FRR; Network PE: IGP FC and IP FRR | CR: BGP route convergence; Network PE: IGP route convergence
10 | MSE/RR: BFD for BGP peer (200 ms x 3); DAP: link status detection | MSE: BGP route convergence; DAP: static route switching; Cloud PE: IP FRR | Cloud PE: configuration of a delay for cloud-side interfaces to go up; DAP: static route switching
11 | Link status detection | Static route switching | DAP: static route switching
Reliability Design (L2 Private Line)
L2 reliability design:
PON reliability:
• Type B protection protects backbone optical fibers.
• Type C protection protects both branch and backbone optical fibers.
Reliability of the network between LSWs and MSEs:
• An LSW can be single-homed to an MSE through a LAG.
• An LSW can also be dual-homed to two MSEs through E-Trunk.
• E-Trunk is configured for the two MSEs to work in master/backup mode.
Reliability of the metro network:
• Single-homing scenario: LAG protection
• Dual-homing scenario: E-Trunk
• BFD for IS-IS on the metro network
• Fast IGP convergence on the metro network
Reliability of the cloud backbone network:
• Metro side: route convergence and IP FRR
• Cloud side: E-Trunk on two cloud PEs connecting to a DAP
Reliability of the network between the cloud backbone network and cloud DC:
• A DAP connects to cloud PEs in LACP mode.
Reliability Design (L2 Private Line in an LSW Single-Homing Scenario)
[Figure: failure points 1 to 11 marked along the site-to-cloud path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW (single-homed through a LAG) - MSE - CR - network PE - cloud PEs (E-Trunk) - DAP VPC (local and remote cloud DC). Segments: ETH/VLAN on the access side, EVPN VPWS over SRv6 BE or VPNv4 L3VPN over SRv6 BE between the MSE and the cloud PE, VLAN toward the DAP, VRF in the VPC; L2 private line.]
Failure point | Detection method | Protection method | Rectification method
1 | Optical fiber | PON type C protection for branch optical fibers |
2 | Optical fiber | PON type B protection for backbone optical fibers; PON type C protection for both branch and backbone optical fibers |
3 | LACP | LAG protection | LAG protection
4 | None | None | None
5/9 | BFD for IS-IS (10 ms x 3) | IGP FC and IP FRR | IGP route convergence
6 | MSE: BFD for IS-IS (10 ms x 3); Network PE: link status detection | MSE: IGP FC and IP FRR; Network PE: IP FRR | MSE: IGP route convergence; Network PE: BGP route convergence
7 | Link status detection | IP FRR | BGP route convergence
8 | CR: link status detection; Cloud PE: BFD for IS-IS (10 ms x 3) | CR: IP FRR; Cloud PE: IGP FC and IP FRR | CR: BGP route convergence; Cloud PE: IGP route convergence
10 | MSE: BFD for BGP peer (200 ms x 3); DAP: LACP | MSE: remote FRR; DAP: LACP; Cloud PE: local-remote FRR | Cloud PE: configuration of a delay for cloud-side interfaces to go up
11 | LACP | LACP link switching | DAP: LACP
Reliability Design (L2 Private Line in an LSW Dual-Homing Scenario)
[Figure: failure points 1 to 11 marked along the site-to-cloud path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW (dual-homed to two MSEs through E-Trunk) - MSE - CR - network PE - cloud PEs (E-Trunk) - DAP VPC (local and remote cloud DC); L2 private line.]
Failure point | Detection method | Protection method | Rectification method
1 | Optical fiber | PON type C protection for branch optical fibers |
2 | Optical fiber | PON type B protection for backbone optical fibers; PON type C protection for both branch and backbone optical fibers |
3 | LACP | LACP link switching; MSE: local-remote FRR | LSW: LACP
4 | Cloud PE/RR: BFD for BGP peer (200 ms x 3); LSW: LACP | Cloud PE: remote FRR; LSW: LACP | MSE: configuration of a delay for LSW-side interfaces to go up
5/9 | BFD for IS-IS (10 ms x 3) | IGP FC and IP FRR | IGP route convergence
6 | MSE: BFD for IS-IS (10 ms x 3); Network PE: link status detection | MSE: IGP FC and IP FRR; Network PE: IP FRR | MSE: IGP route convergence; Network PE: BGP route convergence
7 | Link status detection | IP FRR | BGP route convergence
8 | CR: link status detection; Cloud PE: BFD for IS-IS (10 ms x 3) | CR: IP FRR; Cloud PE: IGP FC and IP FRR | CR: BGP route convergence; Cloud PE: IGP route convergence
10 | MSE/RR: BFD for BGP peer (200 ms x 3); DAP: LACP | MSE: remote FRR; DAP: LACP; Cloud PE: local-remote FRR | Cloud PE: configuration of a delay for cloud-side interfaces to go up
11 | LACP | LACP link switching | DAP: LACP
Security Design (SRv6 Security Border)
[Figure: the SRv6 trusted domain boundary drawn on the path ONT/MxU - OLT - LSW - MSE - metro CR - network PE - cloud backbone - cloud PE - DAP VPC (cloud DC). Segments: VLAN on the access side, EVPN/IPv4 L3VPN over SRv6 BE between the MSE and the cloud PE, VLAN toward the cloud DC.]
Security control for access devices:
• Irrelevant to SRv6 services. Original security policies are used.
Security control for the metro network:
• Deploy IPv6 security hardening policies to enable dual stack.
• For SRv6 services, configure IPv6 ACLs on the MSE to achieve the following:
  Packets from a cloud PE can be sent to a local SID on the metro network.
  Packets from a local IPv6 loopback interface can be sent to a local SID on the metro network.
  All IPv6 packets with the destination address being a local SID or IPv6 loopback address are dropped by default.
Security control for the cloud backbone network:
• Deploy IPv6 security hardening policies to enable dual stack.
• For SRv6 services, configure IPv6 ACLs on the cloud PE to achieve the following:
  Packets from an MSE on the metro network can be sent to a local SID on the cloud backbone network.
  Packets from a local IPv6 loopback interface can be sent to a local SID on the metro network.
  All IPv6 packets with the destination address being a local SID or IPv6 loopback address are dropped by default.
• IPv6 security hardening policies need to be deployed to enable dual stack on the metro and cloud backbone networks.
• A cloud backbone network is a closed transport network and is defined as an SRv6 trusted domain, whereas a metro network and an IDC are public networks and are defined as untrusted domains. ACLs are configured on the boundary devices of the trusted domain to permit only specified SRv6 packets to pass through.
• An ASBR/CR on the metro network and a cloud PE on the cloud backbone network advertise only their SRv6 SIDs and IPv6 loopback addresses to each other through the EBGP peer relationship.
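The ACL statements above, modelled in Python as an added example (not Huawei's ACL syntax or code): a first-match rule list for one border device, evaluated over constructed packets. All addresses, and the choice of the peer's loopback plus the peer's locator as the trusted source prefixes, are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv6Network
Addr = ipaddress.IPv6Address


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: Net      # ::/0 matches any source
    dst: Net
    note: str


def border_acl(local_locator, local_loopback, trusted_sources):
    """Ordered ACL for one SRv6 border device (an MSE or a cloud PE), built from
    the three statements above: trusted peers may reach local SIDs, the local
    loopback may reach local SIDs, and everything else addressed to a local SID
    or the local loopback is dropped. Order matters: permits come first.
    trusted_sources: prefixes that count as "a cloud PE" or "an MSE"; using the
    peer's loopback and locator for this is an assumption of this example.
    Only SID destinations are permitted by those statements, so traffic to the
    loopback itself is dropped here even when it comes from a trusted peer."""
    rules = [Rule("permit", peer, local_locator,
                  "SRv6 peer may address a local SID") for peer in trusted_sources]
    rules.append(Rule("permit", local_loopback, local_locator,
                      "own loopback may address a local SID"))
    rules.append(Rule("deny", Net("::/0"), local_locator,
                      "default: drop anything else sent to a local SID"))
    rules.append(Rule("deny", Net("::/0"), local_loopback,
                      "default: drop anything else sent to the local loopback"))
    return rules


def evaluate(rules, src, dst):
    """First-match evaluation of one IPv6 packet (src, dst). Packets whose
    destination is neither a local SID nor the local loopback are outside the
    ACL's scope and are reported as "pass" (ordinary forwarding applies)."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action, rule.note
    return "pass", "destination is not a local SID or loopback"


def audit(rules, packets):
    """Count verdicts over a packet sample; the deny count is what an operator
    watches on the border interface after enabling the ACL."""
    counts = {"permit": 0, "deny": 0, "pass": 0}
    for src, dst in packets:
        counts[evaluate(rules, src, dst)[0]] += 1
    return counts


# Constructed addresses for one MSE and its cloud PE peer (not from the page).
MSE_LOCATOR = Net("2001:db8:2000:1::/64")
MSE_LOOPBACK = Net("2001:db8:1000::1/128")
CLOUD_PE_SOURCES = [Net("2001:db8:3000::1/128"),   # cloud PE loopback
                    Net("2001:db8:4000:1::/64")]   # cloud PE locator

if __name__ == "__main__":
    acl = border_acl(MSE_LOCATOR, MSE_LOOPBACK, CLOUD_PE_SOURCES)
    sample = [  # constructed packets
        (Addr("2001:db8:3000::1"), Addr("2001:db8:2000:1::100")),  # cloud PE -> local SID
        (Addr("2001:db8:1000::1"), Addr("2001:db8:2000:1::100")),  # own loopback -> local SID
        (Addr("2001:db8:abcd::5"), Addr("2001:db8:2000:1::100")),  # untrusted host -> local SID
        (Addr("2001:db8:abcd::5"), Addr("2001:db8:1000::1")),      # untrusted host -> loopback
        (Addr("2001:db8:abcd::5"), Addr("2001:db8:5555::1")),      # transit traffic
    ]
    for src, dst in sample:
        print(src, "->", dst, evaluate(acl, src, dst))
    print(audit(acl, sample))
```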
Security Design (CP-CAR Attack Defense and Management Protection)
Site-to-Cloud Private Line Provisioning and O&M
O&M Design
[Figure: site-to-cloud path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW (single-homed through a LAG, or dual-homed) - MSE - CR - network PE - cloud PE - DAP VPC (remote cloud DC). Segments: VLAN/QinQ on the access side, EVPN VPWS over SRv6 BE or VPNv4 L3VPN over SRv6 BE between the MSE and the cloud PE, VLAN toward the DAP, VRF in the VPC; L2/L3 private line.]
O&M tools per layer:
IP: ICMP ping/trace
VPN:
• L3VPN: Ping/Trace/TWAMP/Y.1564
• EVPN L3VPN: Ping/Trace/TWAMP/Y.1564
• EVPN VPWS: Ping/Trace/Y.1731/Y.1564
Site-to-Site Private Line Transport Solution
Overview of the Site-to-Site Private Line Transport Solution
[Figure: intra-AS and inter-AS site-to-site private lines between City A and City B over the path CE - ONU - OLT - MSE - CR - network PE - cloud backbone - network PE - CR - MSE - OLT - ONU - CE. L2 private line: VLAN/QinQ - EVPN VPWS over SRv6 BE - VLAN/QinQ. L3 private line: VLAN/QinQ - VPNv4 L3VPN over SRv6 BE - VLAN/QinQ.]
Enterprise-side access:
• Enterprise-side CEs are connected to PON devices through physical interfaces or VLAN sub-interfaces.
Transport of site-to-site private line services between MSEs:
• SRv6 BE tunnels are deployed between MSEs for the transport of site-to-site private line services.
• EVPN E-Line is deployed for L2 private lines.
• VPNv4 L3VPN or EVPN L3VPN is deployed for L3 private lines.
• According to CE access points, there are two networking scenarios: the intra-AS site-to-site private line scenario and the inter-AS site-to-site private line scenario.
Transport on the metro and cloud backbone networks:
• IPv6 routes are deployed between the metro and cloud backbone networks.
• EBGP is deployed between the metro and cloud backbone networks.
IPv6 Address Planning
MTU Planning
[Figure: site-to-site path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud backbone - network PE - CR - MSE, from one metro network to the other.]
Basic Routing Design
[Figure: path CE - ONT/MxU - OLT - LSW - MSE - CR - network PE - cloud PE - DAP VPC (remote cloud DC), with the routing roles of the metro network, CR, network PE and cloud backbone network annotated.]
Metro network:
• Enable IPv4/IPv6 dual stack on the metro network and deploy IS-IS IPv6 multi-topology.
CR:
IS-IS route import to BGP:
• Configure a route-policy to import the IPv6 loopback and SRv6 locator routes of the MSE on the metro network from the IS-IS process to the BGP process.
IS-IS process:
• Configure a route-policy to import the IPv6 loopback and SRv6 locator routes of devices on the cloud backbone network from the BGP process to the IS-IS process. In the case of an inter-AS site-to-site private line, also import the IPv6 loopback and SRv6 locator routes of MSEs in other ASs from the BGP process to the IS-IS process.
Network PE:
IS-IS route import to BGP:
• Configure a route-policy to import the IPv6 loopback and SRv6 locator routes of PEs on the cloud backbone network from the IS-IS process to the BGP process.
IS-IS process:
• Configure a route-policy to import the IPv6 loopback and SRv6 locator routes of devices on all metro networks from the BGP process to the IS-IS process.
Cloud backbone network, IS-IS route advertisement:
• Configure IPv6 loopback routes for PEs on the cloud backbone network.
• Configure SRv6 locator routes for PEs on the cloud backbone network.
Basic Routing Design (IS-IS Route-Policy Configuration on the ASBR/CR)
[Figure: path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud PE - DAP VPC (remote cloud DC), with the CR and the network PE connected in square-looped mode.]
• To control the import of BGP routes to IS-IS when the CR and network PE are deployed in square-looped mode, configure a route tag and route filtering for the IS-IS process between the CR and network PE.
Basic Routing Design (Route Summarization)
[Figure: path CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud PE - DAP VPC (remote cloud DC), with the CR and the network PE as the summarization points.]
BGP on the CR:
• The routes imported to IS-IS are summarized into two routes on the entire metro network, that is, the loopback and SRv6 locator routes of the MSE.
BGP on the network PE:
• The routes imported to IS-IS are summarized into two routes on the entire cloud backbone network, that is, the loopback and SRv6 locator routes of PEs.
• The CR advertises only loopback and locator summary routes to the cloud backbone network.
• The network PE advertises only loopback and locator summary routes to the metro network.
Basic Routing Design (VPN RR)
[Figure: RR1 and RR2 in the cloud backbone AS; MSEs and CRs in the metro AS, network PEs and cloud PEs in the cloud backbone AS, with cloud PEs connecting to DAP VPCs in the remote cloud DC.]
• Two RRs (P nodes) are deployed on the cloud backbone network. The RRs can be CRs or other independent devices.
• VPNv4 and EVPN address family peer relationships are established between the RRs.
• PEs on the cloud backbone network function as the clients of the RRs and establish VPNv4 and EVPN address family peer
relationships with the RRs.
• An EBGP peer relationship, VPNv4 address family peer relationship, and EVPN address family peer relationship are established
between each MSE on the metro network and each RR on the cloud backbone network.
• The metro and cloud backbone networks belong to different ASs. Therefore, the peer allow-as-loop 2 command needs to be run
in the VPNv4 address family view of each MSE.
Service Routing Design (L2 Site-to-Site Private Line)
[Figure: site A CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud backbone - network PE - CR - MSE - LSW - OLT - ONT/MxU - site B CE.]
• A static route must be configured between the CE of site A and the CE of site B to guide traffic forwarding.
Service Routing Design (L3 Site-to-Site Private Line)
[Figure: site A CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud backbone - network PE - CR - MSE - LSW - OLT - ONT/MxU - site B CE.]
Site A CE:
• Configure a route from the CE to site B, with the next hop being an MSE's interconnection address.
Site A MSE:
• Configure a route from the MSE to site A, with the next hop being a CE's interconnection address.
• Import the static route into the corresponding BGP VPN instance.
Site B MSE:
• Configure a route from the MSE to site B, with the next hop being a CE's interconnection address.
• Import the static route into the corresponding BGP VPN instance.
Site B CE:
• Configure a route from the CE to site B, with the next hop being an MSE's interconnection address.
QoS Design
DiffServ QoS policies are used to implement differentiated transport of cloud-to-cloud private line services. BOD and bandwidth calendar functions are provided through dynamic bandwidth control.
[Figure: site A CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud backbone - network PE - CR - MSE - LSW - OLT - ONT/MxU - site B CE; L2 and L3 private lines.]
Queue scheduling: PQ and WFQ scheduling is performed on the transport network.
Reliability Design (L3 Private Line)
[Figure: site A CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud backbone - network PE - CR - MSE - LSW - OLT - ONT/MxU - site B CE, metro to metro. Address labels IP1, IP2.1, IP2.2, IP3.1, IP3.2, IP4.1, IP4.2 and IP5 mark the interconnection addresses.]
L3 reliability design:
PON reliability:
• Type B protection protects backbone optical fibers.
• Type C protection protects both branch and backbone optical fibers.
Reliability of the network between LSWs and MSEs:
• An LSW can be single-homed to an MSE through a LAG.
• An LSW can also be dual-homed to two MSEs. The MSEs provide protection through static routes for which BFD is enabled.
Reliability of the metro network:
• Single-homing scenario: LAG protection
• Dual-homing scenario: static route-based dual-homing protection
• BFD for IS-IS on the metro network
• Fast IGP convergence on the metro network
Reliability of the cloud backbone network:
• Metro side: route convergence and IP FRR
Reliability Design (L3 Private Line)
[Figure: failure points 1 to 11 marked along the site-to-site path site A CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW (single-homing) - MSE - CR - network PE - cloud backbone - network PE - CR - MSE - LSW (dual-homing) - OLT - ONT/MxU - site B CE; L3 private line.]
Failure point | Detection method | Protection method | Rectification method
1 | Optical fiber | PON type C protection for branch optical fibers |
2 | Optical fiber | PON type B protection for backbone optical fibers; PON type C protection for both branch and backbone optical fibers |
3 | LACP | LAG protection | LAG protection
4 | None | None | None
5/9 | BFD for IS-IS (10 ms x 3) | IGP FC and IP FRR | IGP route convergence
6 | MSE: BFD for IS-IS (10 ms x 3); Network PE: link status detection | MSE: IGP FC and IP FRR; Network PE: IP FRR | MSE: IGP route convergence; Network PE: BGP route convergence
7 | Link status detection | IP FRR | BGP route convergence
8 | CR: link status detection; Network PE: BFD for IS-IS (10 ms x 3) | CR: IP FRR; Network PE: IGP FC and IP FRR | CR: BGP route convergence; Network PE: IGP route convergence
10 | Remote MSE/RR: BFD for BGP peer (200 ms x 3); CE: BFD for static route | Remote MSE: BGP route convergence; CE: static route convergence; MSE: IP FRR | MSE: configuration of a delay for LSW-side interfaces to go up; CE: static route convergence
11 | BFD for static route | CE: static route convergence | Static route convergence
Reliability Design (L2 Private Line)
[Figure: site A CE - ONT (FTTO) or MxU (FTTB) - OLT - LSW - MSE - CR - network PE - cloud backbone - network PE - CR - MSE (E-Trunk) - LSW - OLT - ONT/MxU - site B CE, metro to metro. Address labels IP1, IP2.1, IP2.2 and IP3 mark the interconnection addresses.]
L2 reliability design:
PON reliability:
• Type B protection protects backbone optical fibers.
• Type C protection protects both branch and backbone optical fibers.
Reliability of the network between LSWs and MSEs:
• An LSW can be single-homed to an MSE through a LAG.
• An LSW can also be dual-homed to two MSEs through E-Trunk.
Reliability of the metro network:
• Single-homing scenario: LAG protection
• Dual-homing scenario: E-Trunk
• BFD for IS-IS on the metro network
• Fast IGP convergence on the metro network
Reliability of the cloud backbone network:
• Metro side: route convergence and IP FRR
Reliability Design (L2 Private Line)
[Figure: end-to-end private line topology from Site A (CE, ONT for FTTO, MxU for FTTB) through OLT, LSW, MSE, CR, network PE, cloud backbone and cloud PE to Site B, with failure points 1 to 11 marked; shown for LSW single-homing and LSW dual-homing (E-Trunk).]
Failure point, detection method, protection method and rectification method:
• 1: Detection: optical fiber. Protection/rectification: PON type C protection for branch optical fibers.
• 2: Detection: optical fiber. Protection/rectification: PON type B protection for backbone optical fibers; PON type C protection for both branch and backbone optical fibers.
• 3: Detection: LACP. Protection: LAG protection. Rectification: LAG protection.
• 4: Detection: none. Protection: none. Rectification: none.
• 5/9: Detection: BFD for IS-IS (10 ms x 3). Protection: IGP FC and IP FRR. Rectification: IGP route convergence.
• 6: Detection: MSE: BFD for IS-IS (10 ms x 3); network PE: link status detection. Protection: MSE: IGP FC and IP FRR; network PE: IP FRR. Rectification: MSE: IGP route convergence; network PE: BGP route convergence.
• 7: Detection: link status detection. Protection: IP FRR. Rectification: BGP route convergence.
• 8: Detection: CR: link status detection; network PE: BFD for IS-IS (10 ms x 3). Protection: CR: IP FRR; network PE: IGP FC and IP FRR. Rectification: CR: BGP route convergence; network PE: IGP route convergence.
• 10: Detection: remote MSE/RR: BFD for BGP peer (200 ms x 3); LSW: LACP. Protection: remote MSE/RR: remote FRR; LSW: LACP; cloud PE: local-remote FRR. Rectification: MSE: configuration of a delay for LSW-side interfaces to go up.
• 11: Detection: LACP. Protection: LACP link switching. Rectification: LSW: LACP.
Security Design (SRv6 Security Border)
[Figure: CE - ONT/MxU - OLT - LSW - MSE - metro CR - network PE - cloud backbone - cloud PE - cloud DC (DAP VPC). Access side: VLAN; metro network: EVPN; cloud backbone: IPv4 L3VPN over SRv6 BE; DC side: VLAN. The cloud backbone network is marked as the SRv6 trusted domain.]
Security control for access devices
• Irrelevant to SRv6 services. Original security policies are used.
Security control for the metro network
• Deploy IPv6 security hardening policies to enable dual stack.
• For SRv6 services, configure IPv6 ACLs on the MSE to achieve the following:
Packets from a cloud PE can be sent to a local SID on the metro network.
Packets from a local IPv6 loopback interface can be sent to a local SID on the metro network.
All IPv6 packets with the destination address being a local SID or IPv6 loopback address are dropped by default.
Security control for the cloud backbone network
• Deploy IPv6 security hardening policies to enable dual stack.
• For SRv6 services, configure IPv6 ACLs on the cloud PE to achieve the following:
Packets from an MSE on the metro network can be sent to a local SID on the cloud backbone network.
Packets from a local IPv6 loopback interface can be sent to a local SID on the metro network.
All IPv6 packets with the destination address being a local SID or IPv6 loopback address are dropped by default.
• IPv6 security hardening policies need to be deployed to enable dual stack on the metro and cloud backbone networks.
• A cloud backbone network is a closed transport network and defined as an SRv6 trusted domain, whereas a metro network and an IDC are public networks and defined as untrusted domains. ACLs are configured on the boundary devices of the trusted domain to permit only specified SRv6 packets to pass through.
• An ASBR/CR on the metro network and a cloud PE on the cloud backbone network advertise only their SRv6 SIDs and IPv6 loopback addresses to each other through the EBGP peer relationship.
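The boundary ACL logic described on this slide, written out as an added Python model; this is not Huawei configuration or code from the solution. The prefixes (2001:db8:... documentation addresses), the rule names, and the assumption that traffic not addressed to a local SID or loopback is forwarded unfiltered are all constructed for the example:

```python
"""SRv6 trusted-domain boundary filter (constructed example).

Models the IPv6 ACL the slide places on the cloud PE: only packets from the
metro-side peers (the ASBR/CR addresses learned over EBGP) or from a local
loopback may reach a local SID; anything else addressed to a local SID or a
loopback is dropped. Transit traffic that is not aimed at the node's own
infrastructure is forwarded normally (an assumption of this model, not a
statement from the slide). All prefixes are made-up documentation addresses.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Tuple

ANY6 = ip_network("::/0")


@dataclass
class Rule:
    name: str
    action: str           # "permit" or "deny"
    src: IPv6Network      # matching source prefix
    dst: IPv6Network      # matching destination prefix
    hits: int = 0         # per-rule counter, useful as a detection signal


@dataclass
class BoundaryAcl:
    rules: List[Rule] = field(default_factory=list)
    default: str = "permit"   # assumption: transit traffic is not filtered by this ACL
    denied: List[Tuple[str, str, str]] = field(default_factory=list)  # (rule, src, dst) drop log

    def evaluate(self, src: str, dst: str) -> Tuple[str, str]:
        """First-match evaluation; returns (action, name of the rule that matched)."""
        s, d = ip_address(src), ip_address(dst)
        for rule in self.rules:
            if s in rule.src and d in rule.dst:
                rule.hits += 1
                if rule.action == "deny":
                    self.denied.append((rule.name, src, dst))
                return rule.action, rule.name
        return self.default, "default"


def build_cloud_pe_acl(sid_locator: str, loopbacks: str, trusted_peers: List[str]) -> BoundaryAcl:
    """Build the cloud PE boundary ACL from the local SID locator, the local
    loopback prefix and the metro-side peer prefixes permitted to reach local SIDs."""
    locator, lo = ip_network(sid_locator), ip_network(loopbacks)
    acl = BoundaryAcl()
    for i, peer in enumerate(trusted_peers):
        acl.rules.append(Rule(f"peer{i}-to-local-sid", "permit", ip_network(peer), locator))
    acl.rules.append(Rule("loopback-to-local-sid", "permit", lo, locator))
    # default-deny for everything else that targets local infrastructure
    acl.rules.append(Rule("drop-to-local-sid", "deny", ANY6, locator))
    acl.rules.append(Rule("drop-to-loopback", "deny", ANY6, lo))
    return acl


def run_samples() -> List[Tuple[str, str, str]]:
    """Evaluate a few constructed packets against the ACL; returns (src, dst, action)."""
    acl = build_cloud_pe_acl("2001:db8:c:1::/64", "2001:db8:c:ff::/64", ["2001:db8:a::/64"])
    samples = [
        ("2001:db8:a::1", "2001:db8:c:1::100"),      # metro ASBR/CR to a local SID: permitted
        ("2001:db8:c:ff::1", "2001:db8:c:1::100"),   # local loopback to a local SID: permitted
        ("2001:db8:dead::1", "2001:db8:c:1::100"),   # unknown source to a local SID: dropped
        ("2001:db8:dead::1", "2001:db8:c:ff::1"),    # unknown source to the loopback: dropped
        ("2001:db8:dead::1", "2001:db8:b::5"),       # transit, not local infrastructure: forwarded
    ]
    return [(src, dst, acl.evaluate(src, dst)[0]) for src, dst in samples]


if __name__ == "__main__":
    for src, dst, action in run_samples():
        print(f"{src:>18} -> {dst:<18} {action}")
```

The `denied` log and the per-rule `hits` counters are the monitoring hooks: a rising count on `drop-to-local-sid` on a boundary device is the signal that something outside the trusted domain is probing SRv6 SIDs.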
Security Design (CP-CAR Attack Defense and Management Protection)
PEs on the cloud backbone network:
• Use the default security policy (application layer association).
RR:
• Perform MD5 authentication on BGP peers to prevent the establishment of BGP peer relationships with unauthorized MSEs.
• Enable application layer association.
• RRs support BGP-based application layer association. An RR can send BGP packets to the CPU only when a BGP peer relationship is successfully established. If the BGP peer relationship is not established, the RR processes BGP packets through an independent CP-CAR channel to prevent BGP attacks.
All devices:
• A device can log in to only a directly connected device.
• Only NMSs are allowed to obtain device information through SNMP.
• Only controllers are allowed to configure devices through NETCONF.
• MD5 authentication needs to be configured for the BGP-LS connections between the controller and devices. In addition, Telnet needs to be disabled on the devices, and SSH server authentication needs to be configured.
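The RR-side protections on this slide (MD5 peer authentication, application layer association, and the separate CP-CAR channel), as an added Python simulation that is not Huawei code. The addresses, keys, the policer rate, the IPv4 pseudo-header used for the RFC 2385 signature and the token-bucket model of the CP-CAR channel are assumptions of this example:

```python
"""Control-plane admission model for BGP segments on a route reflector (constructed example).

Models three protections from the slide: TCP MD5 peer authentication (RFC 2385),
application layer association (segments from established peers go straight to
the BGP queue) and an independent, rate-limited CP-CAR channel for everything
else. Addresses, keys, the policer rate and the IPv4 pseudo-header are
assumptions of this model.
"""
import hashlib
import hmac
import struct
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import IPv4Address

TCP_PROTO = 6
# BGP KEEPALIVE: 16-byte marker of 0xFF, length 19, type 4 (constructed sample payload)
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def tcp_md5_signature(src: str, dst: str, tcp_header: bytes, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 signature: MD5 over the pseudo-header, the 20-byte TCP header with
    the checksum zeroed (options excluded), the segment data and the shared key.
    Simplification: the segment length ignores the option bytes themselves."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, TCP_PROTO, seg_len)
    header = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]   # checksum occupies bytes 16-17
    return hashlib.md5(pseudo + header + payload + key).digest()


@dataclass
class TokenBucket:
    """Packets-per-second policer standing in for the CP-CAR channel."""
    rate: float
    burst: int
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class BgpSegment:
    src: str
    dst: str
    tcp_header: bytes
    payload: bytes
    signature: bytes


def build_segment(src: str, dst: str, payload: bytes, key: bytes) -> BgpSegment:
    """Constructed TCP segment on port 179 carrying a BGP message and its MD5 signature."""
    header = struct.pack("!HHIIBBHHH", 179, 179, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return BgpSegment(src, dst, header, payload, tcp_md5_signature(src, dst, header, payload, key))


@dataclass
class RouteReflector:
    address: str
    peer_keys: dict                       # authorized MSE address -> configured MD5 key
    established: set = field(default_factory=set)
    cp_car: TokenBucket = field(default_factory=lambda: TokenBucket(rate=1.0, burst=3))
    counters: dict = field(default_factory=lambda: defaultdict(int))

    def authenticate(self, seg: BgpSegment) -> bool:
        key = self.peer_keys.get(seg.src)
        if key is None:                   # not a configured peer: no key, no session
            return False
        expected = tcp_md5_signature(seg.src, seg.dst, seg.tcp_header, seg.payload, key)
        return hmac.compare_digest(expected, seg.signature)

    def admit(self, seg: BgpSegment, now: float) -> str:
        """Fate of a segment: 'bgp', 'cp-car', 'drop-auth' or 'drop-car'."""
        if seg.src not in self.established:
            # application layer association: no session yet, so the segment must
            # pass the independent CP-CAR policer before it can reach the CPU
            if not self.cp_car.allow(now):
                self.counters["drop-car"] += 1
                return "drop-car"
        # whatever reaches TCP is checked against the configured peer key
        if not self.authenticate(seg):
            self.counters["drop-auth"] += 1
            return "drop-auth"
        fate = "bgp" if seg.src in self.established else "cp-car"
        self.counters[fate] += 1
        return fate


def simulate():
    """An established peer keeps its BGP queue while a flood from an unknown source
    is absorbed by the CP-CAR channel; returns (fates, counters)."""
    rr = RouteReflector("10.0.0.1", peer_keys={"10.0.0.2": b"constructed-key"}, established={"10.0.0.2"})
    good = build_segment("10.0.0.2", rr.address, KEEPALIVE, b"constructed-key")
    fates = [rr.admit(good, now=0.0)]
    for _ in range(5):                    # unknown source, wrong key, all at the same instant
        fates.append(rr.admit(build_segment("10.0.0.9", rr.address, KEEPALIVE, b"wrong-key"), now=0.0))
    fates.append(rr.admit(good, now=0.0))
    return fates, dict(rr.counters)


if __name__ == "__main__":
    print(simulate())
```

With a burst of 3, only the first three flood segments ever reach TCP (where the MD5 check rejects them); the rest are discarded by the policer, and the established peer's keepalives are never queued behind them. The `drop-auth` and `drop-car` counters are what an operator would watch.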
Contents
1 Solution Overview
2 Solution Design
• Site-to-Cloud Private Line Transport Solution
• Site-to-Cloud Private Line Provisioning and O&M
• Site-to-Site Private Line Transport Solution
• Site-to-Site Private Line Provisioning and O&M
O&M Design
[Figure: end-to-end topology from Site A (CE, ONT for FTTO, MxU for FTTB, OLT, LSW) through MSE, CR, network PE, cloud backbone and cloud PE to Site B, with the OAM tools available at each layer.]
• IP layer: ICMP ping/trace
• VPN layer:
L3VPN: Ping/Trace/TWAMP/Y.1564
EVPN L3VPN: Ping/Trace/TWAMP/Y.1564
EVPN VPWS: Ping/Trace/Y.1731/Y.1564
Thank you.
Bring digital to every person, home and organization for a fully connected, intelligent world.