ZXR10 ZSR Router
Product Description
ZXR10 ZSR Router Product Description
ZTE Confidential Proprietary 1
Version  Date       Author         Reviewer  Notes
V2.3     2011/7/20  Chen Chixin              Modify interface cards and parameters of Chapter 5
V2.4     2011/2/28  Xie Huachao              Use new template
V2.5     2012/4/30  Xie Huachao              Update
V2.6     2013/2/4   Chen Hongting            Update new template
© 2015 ZTE Corporation. All rights reserved.
ZTE CONFIDENTIAL: This document contains proprietary information of ZTE and is not to be disclosed or used
without the prior written permission of ZTE.
Due to ongoing update and improvement of ZTE products and technologies, the information in this document is subject to change without notice.
TABLE OF CONTENTS
1 Overview ............................................................................................................ 5
2 Highlight Features ............................................................................................. 6
2.1 Full modular design, various interface types and flexible scalability ..................... 6
2.2 Perfect integration of switching and routing .......................................................... 6
2.3 Various VPN functions ......................................................................................... 7
2.4 Built-in Firewall .................................................................................................... 7
2.5 Completely support IPv4/v6 dual stacking ............................................................ 8
2.6 Refined QoS features .......................................................................................... 9
2.7 Industry-leading Data Encryption Protection Feature ......................................... 10
2.8 Leading Multi-Function and Multi-Service Platform ............................................ 10
2.9 Carrier-class reliability ........................................................................................ 11
3 Features ........................................................................................................... 12
3.1 Narrowband and broadband in one .................................................................... 12
3.2 802.1X ............................................................................................................... 12
3.3 DHCP function ................................................................................................... 13
3.4 PPPoE-Client ..................................................................................................... 14
3.5 Compression and decompression ...................................................................... 15
3.5.1 Compressed RTP .............................................................................................. 15
3.5.2 Compressed TCP .............................................................................................. 15
3.6 Fast Forwarding ................................................................................................. 16
3.7 Network Address Translation (NAT) ................................................................... 16
3.7.1 Translation of Internal Source Address .............................................................. 17
3.7.2 Internal Global Address Overlapping .................................................................. 18
3.8 Switching and Routing in One ............................................................................ 19
3.8.1 Ethernet switching .............................................................................................. 19
3.8.2 V-switch ............................................................................................................. 20
3.8.3 IPv4 Features .................................................................................................... 20
3.8.4 IPv6 Features .................................................................................................... 22
3.9 Multicast route protocol ...................................................................................... 23
3.9.1 IGMP ................................................................................................................. 23
3.9.2 PIM-SM .............................................................................................................. 23
3.9.3 PIM-DM ............................................................................................................. 24
3.9.4 MSDP ................................................................................................................ 24
3.10 Access Control List ............................................................................................ 24
3.11 IP VPN ............................................................................................................... 26
3.11.1 L2TP VPN .......................................................................................................... 27
3.11.2 GRE VPN .......................................................................................................... 29
3.11.3 IPSec VPN ......................................................................................................... 29
3.12 MPLS VPN......................................................................................................... 32
3.12.1 MPLS L2 VPN .................................................................................................... 33
3.12.2 MPLS L3 VPN .................................................................................................... 33
3.12.3 Multi-VRF ........................................................................................................... 34
3.13 Security functions............................................................................................... 34
3.13.1 Defense against attacks ..................................................................................... 35
3.13.2 Application proxy................................................................................................ 40
3.13.3 Application filtering ............................................................................................. 44
3.14 Network management features .......................................................................... 47
3.14.1 Simple Network Management Protocol (SNMP) ................................................. 47
3.14.2 Remote Network Monitoring (RMON) ................................................................. 47
3.14.3 Statistics and Alarm Management Function ....................................................... 48
3.14.4 Log Management Function ................................................................................ 48
3.14.5 NetNumen™ Integrated Network Management Platform.................................... 48
3.14.6 Netflow ............................................................................................................... 50
3.14.7 Ethernet OAM .................................................................................................... 50
4 System Architecture ........................................................................................ 51
4.1 Product Physical Structure ................................................................................. 51
4.2 Hardware Architecture ....................................................................................... 53
4.3 Technical Specifications ..................................................................................... 55
5 Typical Networking ......................................................................................... 57
5.1 Access Router ................................................................................................... 57
5.2 Egress and Security Gateway of Enterprises ..................................................... 58
FIGURES
Figure 3-1 Ethernet interface application PPPoE-Client networking ...................................14
Figure 3-2 The internal source address is translated into external source address ............17
Figure 3-3 Internal global address overlapping ..................................................................18
Figure 3-4 Switching and Routing perfectly in one .............................................................19
Figure 3-5 VPN application ................................................................................................26
Figure 4-1 Front panel of ZXR10 ZSR1809 ........................................................................52
Figure 4-2 Front panel of ZXR10 ZSR1822E .....................................................................52
Figure 4-3 Front panel of ZXR10 ZSR 2842 .......................................................................52
Figure 4-4 Front panel of ZXR10 ZSR 3844 .......................................................................52
Figure 4-5 Front panel of ZXR10 ZSR 3884 .......................................................................52
Figure 4-6 General architecture of ZXR10 ZSR intelligent integrated multi-service router ..54
Figure 5-1 ZSR router is used as Access router .................................................................57
Figure 5-2 ZSR router is used as Egress and Security Gateway of Enterprises .................58
TABLES
Table 4-1 ZXR10 ZSR1800/2800/3800 series specifications and parameters ....................56
Table 4-2 ZXR10 ZSR1800/2800/3800 series interface boards .........................................57
1 Overview
The ZXR10 ZSR series intelligent integrated multi-service router is built on the ZXROS platform and ZTE's accumulated router technology. It goes beyond the functions of a router alone: it integrates the functions of an access router, an Ethernet switch, a VPN security gateway and a firewall into one platform, making it an integrated network application platform. It gives users a comprehensive communication platform oriented to next-generation service applications, integrating routing, switching, security, QoS guarantees and service applications. It implements secure and reliable user access over various media and integrates various services. Additional intelligent application modules can be added for simpler configuration and deployment, more flexible service management and a richer set of service applications.
The ZXR10 ZSR series includes the models 1809, 1822E, 2842, 3844 and 3884, covering the networking requirements of different users. They are suitable as carrier access routers and for small and medium-sized enterprises and large enterprise branches. They provide integrated solutions for connecting remote offices, mobile users, external partner networks or service providers, and for Internet cafes, campus networks and private networks.
2 Highlight Features
2.1 Full modular design, various interface types and
flexible scalability
Combines fixed interfaces with modular interface cards. A high-performance RISC forwarding engine, efficient software design and the V-BUS intelligent multi-bus, multi-processing-engine architecture satisfy the performance and port requirements of different customers.
Integrates 2 GE Combo interfaces and 2 FE interfaces, with 2, 4 or 8 expansion slots depending on the model.
Supports interface rates from 300 bit/s to 1000 Mbit/s on one platform, with universal slots that accept the various types of interface boards.
Supports a 3G WWAN interface card via a USB card, covering the three 3G standards WCDMA, CDMA2000 and TD-SCDMA, which provides a wireless backup path that protects the resiliency of the user's WAN connection.
2.2 Perfect integration of switching and routing
To meet enterprise internal interconnection requirements, ZXR10 ZSR offers a high-density Ethernet switching module that seamlessly integrates router and Ethernet switch. It supports up to 68 Ethernet ports over a high-speed internal switching bus, removing the bandwidth bottleneck and the security exposure of interconnecting separate devices externally.
ZSR provides various interface types, integrates multiple services, and supports L2 secure access technologies such as 802.1X, Guest VLAN and MAC/VLAN binding, providing an integrated networking solution for access-layer equipment. On one hand the management investment is low and the network is simple; on the other hand the long-term cost of operation and maintenance is effectively reduced.
ZSR supports an ADSL board implementing G.DMT (G.992.1), G.Lite (G.992.2), T1.413, ADSL2 (G.992.3) and ADSL2+ (G.992.5). The integrated ADSL modem reduces the user's network construction investment.
2.3 Various VPN functions
VPN technology is now widely deployed and well understood in enterprises of all kinds. A VPN can be built over an IP network, a frame relay network or an ATM network, and offers network services the same security, reliability, priority and manageability in the virtual private network as in a physical private network. Because a virtual private network gives users convenient and inexpensive remote access, VPN services have seen ever wider adoption.
ZXR10 ZSR series routers support three types of VPN technology:
Traditional IP VPN technology, including L2TP, GRE and IPSec VPN.
MPLS L3/L2 VPN, the main VPN technology offered by operators, satisfying the VPN networking requirements of different users.
Private-line VPN, built on L2 links such as frame relay, L2 MPLS and virtual circuits.
2.4 Built-in Firewall
ZXR10 ZSR provides a built-in L4~L7 filtering firewall for the enterprise network, supporting web filtering and application-state (stateful) filtering. By combining the AMAT system with the firewall and IDS/IPS, intelligent active network defense and protection can be implemented on the ZXR10 ZSR platform.
ZSR supports built-in anti-DDoS protection, application proxy and application filtering, covering:
uRPF
Anti-flood protection for TCP/UDP/ICMP
Abnormal packet detection
Anti-scanning and anti-probing
Anti-ARP attack
URL/ActiveX/Java/EXE/ZIP applet filtering
IM blocking
P2P software blocking
2.5 Completely support IPv4/v6 dual stacking
The ZXR10 router series is a new-generation router series from ZTE and the first in China to obtain IPv4/IPv6 dual-stack certification, which also places it among the global leaders.
ZXR10 ZSR supports the IPv6 protocol with the following features:
Supporting the IPv6 basic protocols, including IPv6, ICMPv6, ND (Neighbor Discovery), DNS over IPv6, etc.
Supporting TCP6, UDP6 and IPv6 sockets
Supporting PMTU Discovery (Path MTU Discovery)
Supporting IPv6 policy routing
Supporting RIPng, OSPFv2/v3, BGP4/4+, IS-IS for IPv4/IPv6, etc.
Supporting various IPv4/IPv6 transition mechanisms, including manually configured tunnels, automatic tunnels, dual stack, and 4in6, 6in4 and 6to4 tunnels, etc.
2.6 Refined QoS features
To satisfy the strict requirements of next-generation networks for real-time services such as video and IPTV, the ZXR10 ZSR intelligent integrated multi-service product provides refined QoS functions.
Supporting various queue scheduling mechanisms such as PQ, CQ, WFQ and CBWFQ/LLQ.
Supporting congestion-avoidance technologies (RED, WRED).
Supporting multi-level rate limiting per port and per traffic class.
Supporting dynamic traffic-aware load sharing.
Supporting CAR with a rate-limiting granularity of 8 kbit/s.
Implementing different service-level guarantees for delay, jitter, bandwidth and packet-drop ratio for different data and video services, to meet the developing requirements of next-generation multi-service networks.
Supporting DiffServ for differentiated services, providing the IP QoS required for traffic management.
Supporting complex traffic classification policies based on port, VLAN, 802.1p, source/destination IP address, TOS, protocol type or port number.
Supporting traffic engineering based on MPLS TE, making network operation more stable and letting carriers use their bandwidth most profitably.
Supporting the RSVP protocol to provide sound SLA applications.
2.7 Industry-leading Data Encryption Protection
Feature
The embedded hardware encryption engine, designed specifically for the data forwarding engine of ZXR10 ZSR, gives users effective IPSec encryption. Through ZXROS software and the embedded hardware encryption acceleration engine, ZXR10 ZSR supports the following functions:
Encryption and decryption of data.
IPSec IKE negotiation.
Encryption algorithms DES-CBC, 3DES-CBC and AES-CBC.
The DH (Diffie-Hellman) algorithm for key exchange.
HMAC-MD5 and HMAC-SHA-1 for packet authentication, meeting the information security requirements of government and financial institutions.
Of the algorithms listed, DES-CBC and HMAC-MD5 are no longer recommended for new IPsec deployments (see RFC 8221); where the peer supports it, AES-CBC with HMAC-SHA-1 or stronger should be selected during IKE negotiation.
2.8 Leading Multi-Function and Multi-Service Platform
ZXR10 ZSR is designed on the ZXROS™ general routing software platform, ZTE's own intellectual property.
This platform provides a wide range of router features and services:
Supporting IPv4/IPv6 dual stack.
Supporting a rich set of routing protocols, e.g. BGP and PIM.
Supporting MPLS and MPLS L2/L3 VPN technologies.
Supporting QoS applications such as CAR.
2.9 Carrier-class reliability
Hardware reliability: key modules such as the power supply and fans are 1+1 redundant.
Function reliability: supporting VRRP and FRR; supporting uRPF; supporting MD5 authentication; supporting multilink bundling; supporting load sharing across up to 8 links simultaneously to ensure network reliability; supporting carrier-class network management.
Maintenance reliability: Web GUI/SNMPv3 management, refined log management and hierarchical password setting.
Operating system reliability: the integrated ROS platform is mature and stable in large-scale commercial use. It provides continuous service development capability to satisfy users' changing networking requirements. It adopts a modular software design and has strong fault-tolerance capability. The stability and reliability of the routing software and the authentication mechanisms of the routing protocols guarantee secure and reliable network operation.
In addition, ZXR10 ZSR series routers provide carrier-class reliability with the following features:
Supporting AAA authentication technologies such as RADIUS and TACACS+.
IPSec support, protecting the confidentiality and integrity of user traffic.
Comprehensive policy-based packet filtering for mitigating DoS attacks.
Hierarchical password setting and refined log management, fully protecting router operation.
A complete environmental sensor system, including overheating detection, etc.
Convenient operation and maintenance interfaces and multiple operation and maintenance modes.
All interface cards are universal across the router models, with good backward and forward compatibility, so the user's investment is well protected.
3 Features
3.1 Narrowband and broadband in one
With the rapid development of broadband access technology, network edge access methods are multiplying and access port rates are rising. ZXR10 ZSR provides various interface types and rates to satisfy the multiple access requirements of small and medium-sized enterprises, including high-speed and asynchronous serial interfaces, E1/CE1, OC-3/STM-1c POS, Fast Ethernet and GE Ethernet interfaces.
ZSR supports interface rates from low-speed V.24 asynchronous serial at 300 bit/s up to GE Ethernet on one platform. It satisfies the various broadband access requirements of small and medium-sized enterprises and helps users implement narrowband and broadband access in one device.
3.2 802.1X
802.1X is a port-based network access control protocol. Its authentication model and architecture are designed to solve the problems of the traditional PPPoE and Web/Portal authentication methods, which makes it better suited to broadband Ethernet.
The IEEE 802.1X protocol consists of three parts: the Supplicant System, the Authenticator System and the Authentication Server System.
1. The Supplicant System initiates the IEEE 802.1X authentication process by running the client software. To support port-based access control, the supplicant must support EAPOL (Extensible Authentication Protocol over LAN).
2. The Authenticator System is usually the network device that supports IEEE 802.1X and corresponds to the user ports (physical port, MAC, VLAN and IP). For each user, IEEE 802.1X establishes a logical authentication channel that other users cannot use.
3. The Authentication Server System is usually a RADIUS server. The server stores information about users such as VLANs, CAR parameters, priority and ACLs. When a user is authenticated, the authentication server sends the user's attributes to the authenticator system. The authenticator builds a dynamic access control list, and the user's subsequent traffic is subject to those parameters. The authenticator system and the RADIUS server communicate via the RADIUS protocol.
On ZXR10 ZSR18/28/38 routers, 802.1X authentication is limited to the L2 switching interface board; the authenticated port must work in L2 switching mode.
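The following is an added worked example, not ZTE documentation or ZXROS code, showing the frame formats behind the three-party model above: the EAPOL header the supplicant and authenticator exchange, the EAP packet inside it, and the authenticator's per-port decision to pass only EAPOL until the RADIUS result authorizes a MAC. The MAC addresses, the identity "alice" and the PortAuthenticator class are constructed for illustration; real authenticators run the full 802.1X port state machine, which this simplifies to an authorized set.

```python
import struct

# Constructed sample, not a capture from a ZSR: an EAPOL-Start from the supplicant,
# EAP-Request/Identity from the authenticator, and the EAP-Response/Identity back.
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
SUPPLICANT_MAC = bytes.fromhex("001122334455")      # made up
AUTHENTICATOR_MAC = bytes.fromhex("00aabbccddee")   # made up
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def build_eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code, identifier, 16-bit total length, then type and type-data."""
    payload = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(dst, src, packet_type, body=b""):
    """Ethernet frame with EAPOL header: protocol version 1, packet type, body length."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, packet_type, len(body)) + body


def parse_eap(body):
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with body")
    eap = {"code": EAP_CODES.get(code, "unknown"), "id": ident}
    if code in (1, 2):                          # Request/Response carry a type byte
        if length < 5:
            raise ValueError("EAP Request/Response without type")
        eap["type"] = body[4]
        if body[4] == EAP_TYPE_IDENTITY:
            eap["identity"] = body[5:length].decode("ascii", errors="replace")
    return eap


def parse_eapol(frame):
    """Parse an Ethernet frame carrying EAPOL; reject a body length that overruns the frame."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    ethertype, version, packet_type, body_len = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length exceeds frame")
    info = {"src": frame[6:12].hex(":"), "version": version,
            "eapol_type": EAPOL_TYPES.get(packet_type, "unknown")}
    if packet_type == 0:
        info["eap"] = parse_eap(body)
    return info


class PortAuthenticator:
    """Authenticator side of one port (simplified): EAPOL always reaches the uncontrolled
    port; all other frames are dropped until the RADIUS result authorizes the source MAC,
    and an EAPOL-Logoff revokes that authorization."""

    def __init__(self):
        self.authorized = set()

    def radius_result(self, mac, accepted):
        if accepted:
            self.authorized.add(mac)
        else:
            self.authorized.discard(mac)

    def handle_frame(self, frame):
        src = frame[6:12].hex(":")
        if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_EAPOL:
            if parse_eapol(frame)["eapol_type"] == "EAPOL-Logoff":
                self.authorized.discard(src)
            return "eapol"
        return "forward" if src in self.authorized else "drop"


def sample_exchange():
    """The three frames of the identity phase, parsed in order."""
    frames = [
        build_eapol(PAE_GROUP_MAC, SUPPLICANT_MAC, 1),                                    # EAPOL-Start
        build_eapol(SUPPLICANT_MAC, AUTHENTICATOR_MAC, 0, build_eap(1, 7, EAP_TYPE_IDENTITY)),
        build_eapol(PAE_GROUP_MAC, SUPPLICANT_MAC, 0, build_eap(2, 7, EAP_TYPE_IDENTITY, b"alice")),
    ]
    return [parse_eapol(f) for f in frames]
```

The length checks matter on a device that terminates 802.1X: both the EAPOL body length and the EAP length field come from the wire and must be bounded by the frame before being used as slice limits.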
3.3 DHCP function
DHCP (Dynamic Host Configuration Protocol) lets a host on the network obtain an IP address and its configuration information from a DHCP server, so that the host can communicate normally. DHCP uses UDP as its transport protocol.
DHCP works in the following steps:
The host broadcasts a DHCP Discover packet requesting an IP address and other configuration parameters.
A DHCP server replies with a DHCP Offer packet containing a valid IP address and configuration (unicast to the client, or broadcast if the client set the broadcast flag).
The host selects an offer (typically the first DHCP Offer to arrive) and sends a DHCP Request to that server, indicating that the offered configuration is accepted; the server identifier option tells the other servers that their offers were declined.
The selected DHCP server replies with a DHCP Ack packet confirming the assignment.
In this way the host can communicate with the IP address and related configuration obtained from the DHCP server.
The DHCP server allocates an address to a host for a limited period. The period for which the address is valid is called the lease. Before the lease expires, the host must request a renewal from the server. It can keep using the address if the server accepts the request; otherwise it must give the address up.
By default a router does not forward broadcast packets received on one subnet to another. When the DHCP server and the client host are not on the same subnet, the router acting as the client's default gateway must forward the client's broadcasts to the subnet where the DHCP server is located, as unicast packets with the relay's own interface address recorded in the giaddr field so that the server knows which subnet to allocate from. This function is called DHCP relay.
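The following is an added worked example, not ZTE documentation or ZXROS code. It encodes and decodes DHCP messages (RFC 2131 fixed header, magic cookie and TLV options), runs the four-step Discover/Offer/Request/Ack exchange described above, and routes the client's broadcasts through a relay that fills in giaddr, so the server picks the pool for the client's subnet rather than its own. The addresses (client subnet 10.10.1.0/24, relay 10.10.1.1, server 192.168.0.5), the client MAC and the DhcpServer class are constructed for illustration.

```python
import ipaddress
import socket
import struct

# Constructed exchange, not a capture: client on 10.10.1.0/24, ZSR relaying from
# its interface 10.10.1.1, DHCP server 192.168.0.5 with one pool per subnet.
MAGIC_COOKIE = bytes([99, 130, 83, 99])
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed fields, 236 bytes


def build_dhcp(op, xid, msg_type, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, options=None):
    """Encode a DHCP message: fixed header, magic cookie, TLV options, End option."""
    zero = socket.inet_aton("0.0.0.0")
    header = struct.pack(HEADER_FMT, op, 1, 6, hops, xid, 0, 0x8000, zero, socket.inet_aton(yiaddr),
                         zero, socket.inet_aton(giaddr), chaddr.ljust(16, b"\0"), b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in (options or {}).items():
        opts += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(data):
    """Decode the fields used here; reject a missing cookie or an option that overruns."""
    f = struct.unpack(HEADER_FMT, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                                  # pad octet
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("option overruns packet")
        options[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    if OPT_MSG_TYPE not in options:
        raise ValueError("no DHCP message type option")
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "giaddr": socket.inet_ntoa(f[10]), "chaddr": f[11][:f[2]],
            "msg_type": options[OPT_MSG_TYPE][0], "options": options}


def relay_to_server(packet, relay_ip):
    """DHCP relay: forward the client's broadcast as a unicast to the server, with giaddr
    set to the relay's address on the client subnet (kept if already set) and hops + 1."""
    p = parse_dhcp(packet)
    giaddr = p["giaddr"] if p["giaddr"] != "0.0.0.0" else relay_ip
    extra = {k: v for k, v in p["options"].items() if k != OPT_MSG_TYPE}
    return build_dhcp(BOOTREQUEST, p["xid"], p["msg_type"], p["chaddr"], giaddr=giaddr,
                      hops=p["hops"] + 1, options=extra)


class DhcpServer:
    def __init__(self, server_ip, pools):
        # pools: {"10.10.1.0/24": "10.10.1.100"} -> hand out addresses from that start
        self.server_ip, self.server_id = server_ip, socket.inet_aton(server_ip)
        self.free = {ipaddress.ip_network(n): [a for a in ipaddress.ip_network(n).hosts()
                                               if a >= ipaddress.ip_address(first)]
                     for n, first in pools.items()}
        self.leases = {}                                  # chaddr -> IPv4Address

    def _pool(self, giaddr):
        """giaddr selects the client subnet; 0.0.0.0 means the server's own subnet."""
        probe = ipaddress.ip_address(giaddr if giaddr != "0.0.0.0" else self.server_ip)
        for net, free in self.free.items():
            if probe in net:
                return free
        raise LookupError("no pool for the subnet of %s" % probe)

    def handle(self, packet):
        p = parse_dhcp(packet)
        reply = dict(xid=p["xid"], chaddr=p["chaddr"], giaddr=p["giaddr"],
                     options={OPT_SERVER_ID: self.server_id, OPT_LEASE_TIME: struct.pack("!I", 3600)})
        if p["msg_type"] == DISCOVER:
            if p["chaddr"] not in self.leases:
                self.leases[p["chaddr"]] = self._pool(p["giaddr"]).pop(0)
            return build_dhcp(BOOTREPLY, msg_type=OFFER, yiaddr=str(self.leases[p["chaddr"]]), **reply)
        if p["msg_type"] == REQUEST:
            if p["options"].get(OPT_SERVER_ID) != self.server_id:
                return None                               # the client chose another server's offer
            wanted = socket.inet_ntoa(p["options"].get(OPT_REQUESTED_IP, b"\0\0\0\0"))
            if str(self.leases.get(p["chaddr"])) != wanted:
                return build_dhcp(BOOTREPLY, msg_type=NAK, **reply)
            return build_dhcp(BOOTREPLY, msg_type=ACK, yiaddr=wanted, **reply)
        return None


def run_exchange():
    """Discover/Offer/Request/Ack across the relay; returns the parsed Offer and Ack."""
    server = DhcpServer("192.168.0.5", {"192.168.0.0/24": "192.168.0.50", "10.10.1.0/24": "10.10.1.100"})
    client_mac, xid, relay_ip = bytes.fromhex("0a1b2c3d4e5f"), 0x3903F326, "10.10.1.1"
    discover = build_dhcp(BOOTREQUEST, xid, DISCOVER, client_mac)            # broadcast on the LAN
    offer = parse_dhcp(server.handle(relay_to_server(discover, relay_ip)))    # relay -> server
    request = build_dhcp(BOOTREQUEST, xid, REQUEST, client_mac, options={
        OPT_REQUESTED_IP: socket.inet_aton(offer["yiaddr"]), OPT_SERVER_ID: offer["options"][OPT_SERVER_ID]})
    ack = parse_dhcp(server.handle(relay_to_server(request, relay_ip)))
    return offer, ack
```

The server's replies carry the same giaddr; a real server unicasts them to that address and the relay delivers them on the client subnet, which the example leaves out. Note that the relay copies giaddr through unchanged when it is already set, so a spoofed giaddr from a client is one reason to restrict DHCP relay to trusted interfaces.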
3.4 PPPoE-Client
PPP over Ethernet (PPPoE, Point-to-Point Protocol over Ethernet) lets multiple hosts on a network connect to a remote access concentrator through a simple bridging access device, with access control and accounting for each connected host. Its cost-effectiveness makes PPPoE widely used in community networking. In this model each host runs its own PPP protocol stack and is given a familiar user interface. Access control, billing and type of service are per user, not per site.
PPPoE uses a client/server model: it encapsulates PPP packets inside Ethernet frames and provides a point-to-point connection over Ethernet. Each PPP session must therefore learn the Ethernet address of the remote peer and establish a unique session identifier.
ZXR10 ZSR series routers implement PPPoE-Client (PPPoE client dialing). The following diagram shows a typical PPPoE-Client networking application:
The computers on the Ethernet connect to the ZXR10 router, which runs PPPoE-Client. Data going to the Internet first reaches the router, is encapsulated in PPPoE, reaches the access concentrator (the PPPoE server) directly over the Ethernet connected to the router, and finally enters the Internet. The whole process works without users installing PPPoE client dialing software on their computers.
Figure 3-1 Ethernet interface application PPPoE-Client networking
[Figure 3-1 labels recovered from the diagram: PC; GAR1 (PPPoE-Client, fei_1/1, 10.10.1.2/24); GAR2 (PPPoE-Server, fei_2/1, 10.10.1.1/24); Internet.]
3.5 Compression and decompression
3.5.1 Compressed RTP
When voice packets are encapsulated in IP, three headers are added: IP, UDP and RTP (Real-time Transport Protocol). Typically a voice packet carries 20 bytes of voice payload and 40 bytes of these three headers. During transmission many header fields remain unchanged, or the difference between two adjacent packets is constant, so the 40 bytes can be compressed into 2 or 4 bytes, which clearly improves the efficiency of data transmission.
The compressing side and the decompressing side maintain a shared, state-dependent information set. Each IP/UDP/RTP packet flow has a separate "session context", identified by the source IP address, the destination IP address, the pair of UDP ports and the RTP SSRC field. The number of session contexts to maintain is determined by mutual agreement between the two sides.
Compressed RTP comes in an ordinary type and an enhanced type (ECRTP); the two are not compatible, and the enhanced type is better suited to links whose status is unstable. The improvement in the enhanced type is that when a field changes, the change (the "delta value") is sent repeatedly, so the change is not lost when a packet is dropped. The number of repetitions is the ECRTP retransmission count.
3.5.2 Compressed TCP
A TCP/IP packet header is 40 bytes: a 20-byte IP header and a 20-byte TCP header. During packet switching more than half of the header bytes remain unchanged. On low-speed links, CTCP is used to stop limited bandwidth being consumed unnecessarily: it compresses the 40 bytes of IP/TCP header into 3 to 16 bytes.
The ZXR10 ZSR does not support TCP compression, only the decompression function. The CTCP sub-function module is embedded in the CRTP function module.
Compressed RTP and Compressed TCP are only available on CE1, POS, CPOS, serial and multilink interfaces, and the interface must be configured for the PPP protocol.
3.6 Fast Forwarding
Fast Forwarding improves forwarding performance by caching forwarding information derived from the normal forwarding process. The fast forwarding subsystem sits inside the ZXR10 ZSR 18/28/38 software forwarding subsystem; it is an important supplement to the software forwarding system and helps improve the performance of the whole system.
The aim of the fast forwarding subsystem is to improve the forwarding performance of the whole system. In the normal forwarding process, every packet of a data flow must be looked up in the routing table, and every Ethernet packet must additionally be looked up in the ARP table. After the first lookup, every following lookup repeats the same work and greatly reduces the forwarding performance of the system. Therefore a flow key (a combination of several fields of the packet that identifies a data flow) and a cache of forwarding information are added to the normal IP packet forwarding process, so that one table lookup serves many packets and the forwarding performance of the system improves. When the forwarding information changes, the cache is cleared and rebuilt from the next lookup.
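The following is an added worked example, not ZTE documentation or ZXROS code, of the mechanism described above: a slow path that does the longest-prefix route lookup plus the ARP lookup, a cache keyed on the flow's five-tuple that answers every later packet of the flow, and a flush whenever the forwarding information changes so that no flow keeps following a stale next hop. The routing table, ARP entries and interface names (fei_x/y, after this document's convention) are constructed for illustration.

```python
import ipaddress

# Constructed routing and ARP tables (addresses and interface names are made up).


class SoftwareForwarder:
    """Normal forwarding path plus a fast-forwarding cache keyed on the flow."""

    def __init__(self, routes, arp):
        self.routes = []
        for prefix, next_hop, iface in routes:
            self.routes.append((ipaddress.ip_network(prefix), next_hop, iface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)   # longest match first
        self.arp = dict(arp)                        # next-hop IP -> MAC
        self.cache = {}                             # flow key -> (iface, dst MAC)
        self.slow_lookups = 0

    def slow_path(self, dst_ip):
        """Full routing-table lookup followed by the ARP lookup for the next hop."""
        self.slow_lookups += 1
        dst = ipaddress.ip_address(dst_ip)
        for net, next_hop, iface in self.routes:
            if dst in net:
                if next_hop not in self.arp:
                    raise LookupError("no ARP entry for next hop %s" % next_hop)
                return iface, self.arp[next_hop]
        raise LookupError("no route to %s" % dst_ip)

    @staticmethod
    def flow_key(pkt):
        return (pkt["src"], pkt["dst"], pkt["proto"], pkt.get("sport"), pkt.get("dport"))

    def forward(self, pkt):
        key = self.flow_key(pkt)
        hit = self.cache.get(key)
        if hit is None:                             # first packet of the flow: slow path, then cache
            hit = self.slow_path(pkt["dst"])
            self.cache[key] = hit
        return hit

    def add_route(self, prefix, next_hop, iface):
        """Forwarding information changed: install it and flush the whole cache."""
        self.routes.append((ipaddress.ip_network(prefix), next_hop, iface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
        self.cache.clear()


def demo():
    fwd = SoftwareForwarder(
        routes=[("10.0.0.0/8", "192.168.1.254", "fei_1/1"), ("0.0.0.0/0", "192.168.2.254", "fei_1/2")],
        arp={"192.168.1.254": "00:11:22:33:44:01", "192.168.2.254": "00:11:22:33:44:02",
             "192.168.3.254": "00:11:22:33:44:03"})
    flow = {"src": "172.16.5.9", "dst": "10.1.2.3", "proto": 6, "sport": 51000, "dport": 443}
    first = fwd.forward(flow)
    for _ in range(999):                            # same flow: served from the cache
        fwd.forward(flow)
    lookups_after_1000 = fwd.slow_lookups
    fwd.add_route("10.1.0.0/16", "192.168.3.254", "fei_1/3")   # a more specific route appears
    after_change = fwd.forward(flow)
    return {"first": first, "lookups_after_1000": lookups_after_1000,
            "after_change": after_change, "total_lookups": fwd.slow_lookups}
```

The same flush is needed when an ARP entry changes or expires, since the cache stores the resolved MAC; a cache that is only invalidated on routing changes would keep sending a flow to a stale MAC after the next hop's address moved.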
3.7 Network Address Translation (NAT)
Network address translation (NAT) translates an IP address used in one network into a different IP address in another network. NAT is usually used to map the IP addresses used in a private network or local enterprise network to one or more addresses in the public network or global Internet. The features of NAT are:
Limiting the number of IANA-registered IP addresses a private network needs.
Saving the global IP address space an intranet requires (for example, an organization can use a single IP address to communicate on the Internet).
Keeping the LAN confidential, since the internal addresses are not exposed publicly.
ZXR10 ZSR supports large-capacity NAT.
With NAT, the local network is designated the internal (inside) network and the global Internet the external (outside) network. In addition, ZXR10 routers support port address translation (PAT), with dynamic or static binding of port addresses.
3.7.1 Translation of Internal Source Address
When communicating with the external network, this feature translates an internal IP address into a global IP address taken from an address pool. Internal source address translation can be configured statically or dynamically:
1 Static translation creates a one-to-one mapping between an inside local address and an inside global address. When an internal host must be reachable at a fixed external address, static translation lets that external address reach the internal host.
2 Dynamic translation establishes mappings on demand between inside local addresses and the external address pool.
The following figure illustrates a NAT router translating an internal-network source address into an external-network source address.
Figure 3-2 The internal source address is translated into external source address
3.7.2 Internal Global Address Overlapping
The router can share one global address among multiple local addresses; the mapping is stored in the inside global address pool. When address overloading (overlapping) is configured, the router records the relevant information from the higher-level protocols (e.g. TCP or UDP port numbers) and uses it to translate the global address back to the correct local address. When multiple local addresses are mapped to one global address, each host's TCP or UDP port number is what distinguishes them. The following figure shows the NAT operation when one inside global address stands for multiple inside local addresses; the TCP port number is used to tell them apart.
Figure 3-3 Internal global address overlapping
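The following is an added worked example, not ZTE documentation or ZXROS code, covering both 3.7.1 and 3.7.2: a translation table with a static one-to-one entry for a server that must be reachable from outside, and a dynamic entry that overloads one inside global address across several inside local hosts, distinguishing their sessions by the global port the router allocates. The addresses (10.10.1.0/24 inside, 203.0.113.10 and 203.0.113.11 outside) and the NatTable class are constructed for illustration.

```python
# Constructed example: inside network 10.10.1.0/24, one inside global address
# 203.0.113.10 shared by PAT, plus a static 1:1 mapping 10.10.1.5 -> 203.0.113.11.


class NatTable:
    def __init__(self, global_pool, static=None):
        self.global_pool = list(global_pool)      # inside global addresses for dynamic/PAT use
        self.static = dict(static or {})          # inside local -> inside global (one-to-one)
        self.static_rev = {g: l for l, g in self.static.items()}
        self.next_port = 1024
        self.out = {}    # (proto, local_ip, local_port) -> (global_ip, global_port)
        self.back = {}   # (proto, global_ip, global_port) -> (local_ip, local_port)

    def _alloc_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        if port > 65535:
            raise RuntimeError("global port space exhausted")
        return port

    def translate_outbound(self, proto, src_ip, src_port):
        """Inside -> outside: rewrite the source; allocate a global port when overloading."""
        key = (proto, src_ip, src_port)
        if key not in self.out:
            if src_ip in self.static:
                mapping = (self.static[src_ip], src_port)        # 1:1 entry keeps the port
            else:
                mapping = (self.global_pool[0], self._alloc_port())
            self.out[key] = mapping
            self.back[(proto,) + mapping] = (src_ip, src_port)
        return self.out[key]

    def translate_inbound(self, proto, dst_ip, dst_port):
        """Outside -> inside: rewrite the destination; None means no mapping, so drop."""
        hit = self.back.get((proto, dst_ip, dst_port))
        if hit is not None:
            return hit
        if dst_ip in self.static_rev:                             # static entry: reachable unsolicited
            return (self.static_rev[dst_ip], dst_port)
        return None


def demo():
    nat = NatTable(["203.0.113.10"], static={"10.10.1.5": "203.0.113.11"})
    # two inside hosts happen to use the same source port; after PAT their global ports differ
    a = nat.translate_outbound(6, "10.10.1.2", 40000)
    b = nat.translate_outbound(6, "10.10.1.3", 40000)
    a_again = nat.translate_outbound(6, "10.10.1.2", 40000)       # existing session reuses its mapping
    # replies addressed to the shared global address reach the right host by global port alone
    reply_a = nat.translate_inbound(6, a[0], a[1])
    reply_b = nat.translate_inbound(6, b[0], b[1])
    unsolicited = nat.translate_inbound(6, "203.0.113.10", 2222)  # no session: dropped
    to_server = nat.translate_inbound(6, "203.0.113.11", 443)     # static entry: allowed
    return {"a": a, "b": b, "a_again": a_again, "reply_a": reply_a, "reply_b": reply_b,
            "unsolicited": unsolicited, "to_server": to_server}
```

The asymmetry is the point: dynamic entries only exist after an inside host has opened a session, so unsolicited packets to the overloaded global address are dropped, whereas a static entry exposes the mapped inside host on every port unless an ACL on the outside interface narrows it.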
3.8 Switching and Routing in One
3.8.1 Ethernet switching
Figure 3-4 Switching and Routing perfectly in one
To meet the network connection requirements inside the enterprise, ZXR10 ZSR offers a high-density Ethernet switching module that seamlessly integrates router and Ethernet switch. It supports up to 68 Ethernet switching ports over a high-speed internal switching bus, removing the bandwidth bottleneck and the security risk of external connections.
ZSR provides various interface types. Integrating multiple services, ZSR gives access-layer devices an integrated networking solution. On one hand the management investment is small with a simple network architecture, and on the other hand the long-term cost of operation and maintenance is effectively reduced.
3.8.2 V-switch
In the 'Router+BAS' networking mode, the router has a dual role: first, forwarding PPPoE packets to the BAS; second, data aggregation, supplying large-customer access (VPN), QoS, NAT, multicast and other services. The ZXR10 ZSR uses static V-Switch forwarding to carry L2 packets between different VLANs.
ZXR10 ZSR supports V-Switch over Ethernet, V-Switch QinQ and heterogeneous V-Switch, which can be applied on PPP interfaces (including E1/CE1/MPPP) and Ethernet sub-interfaces.
3.8.3 IPv4 Features
ZXR10 ZSR fully supports a variety of unicast routing protocols, including static routing,
RIP, OSPF, IS-IS and BGP.
3.8.3.1 Static Route
A static route is configured manually by an administrator to simplify network
configuration and improve network performance. It suits networks with a simple structure.
When a network failure or topology change happens, a static route is not changed
automatically; it must be changed manually by the administrator.
ZXR10 ZSR supports static route configuration based on next hop and on egress interface,
as well as binding a static route to a VRF instance.
3.8.3.2 RIP
RIP is a UDP-based distance vector dynamic routing protocol. It periodically broadcasts
its routing table to neighbors to maintain the relationship between adjacent routers, and
calculates its own routing table from the routes received. RIP is simple to run and is
applied to small networks.
ZXR10 ZSR supports the following RIP functions:
Support RIPv1/v2 basic functions such as split horizon, poison reverse, interface
verification, route collection, and route protocol redistribution.
Support RIP load sharing.
Support RIP VPN access.
Support RIP MIB.
3.8.3.3 OSPF
The OSPF routing protocol is used for exchanging route information between routers within
one Autonomous System (AS), so it is a link-state Interior Gateway Protocol (IGP). OSPF is
one of the most widely used IPv4 IGP routing protocols. ZXR10 ZSR supports the following
OSPF functions:
Support OSPF basic functions such as neighbor certification, Virtual Link, STUB,
NSSA, Type-3 LSA aggregation, Type-5 LSA aggregation, and redistribution of
other route protocols.
Support OSPF route load sharing.
Support VPN access and advanced functions such as sham-link.
Support OSPF-TE.
Support OSPF MIB.
3.8.3.4 IS-IS
IS-IS is a routing protocol drafted by ISO to support the Connectionless Network Service
(CLNS). The IETF extended IS-IS to carry IP route information. IS-IS is also a link-state
Interior Gateway Protocol (IGP).
IS-IS is one of the most widely used IPv4 IGP routing protocols. ZXR10 ZSR supports the
following IS-IS functions:
Support IS-IS basic functions.
Support IS-IS extension functions such as hostname and overload-bit.
Support IS-IS route load sharing.
Support IS-IS VPN ACCESS.
Support IS-IS-TE.
Support IS-IS MIB.
3.8.3.5 BGP
Border Gateway Protocol (BGP) is an inter-AS routing protocol. It is used to exchange
network reachability information between ASes running BGP.
ZXR10 ZSR supports the following BGP functions:
Support BGP basic functions and enhanced functions such as session authentication,
route flap damping (route oscillation suppression), route reflector, confederation,
extended community attribute, route aggregation, and route filtering.
Support BGP route load sharing.
Support MP-BGP functions such as IPv4 unicast, IPv4 multicast, IPv4
labeled-unicast, IPv4 mdt, IPv6 unicast, IPv6 multicast, IPv6 labeled-unicast, VPNv4,
and other AFIs.
Support BGP MIB.
3.8.4 IPv6 Features
3.8.4.1 Basic Function of IPv6
ZXR10 ZSR supports IPv4/IPv6 dual stack:
IPv6 basic protocols: the IPv6 protocol, ND (Neighbor Discovery), etc.
MLD (Multicast Listener Discovery).
TCP6, UDP6.
PMTU Discovery (Path MTU Discovery).
3.8.4.2 IPv6 Unicast Routing Protocol
ZXR10 ZSR supports IPv6 unicast routing protocols including IPv6 static route, RIPng,
OSPFv3, IS-ISv6, BGP4+, and IPv6 policy routing.
3.8.4.3 IPv6 Tunnel
ZXR10 ZSR supports IPv6 tunnel protocols including manually configured tunnel,
automatic configuration tunnel, 4in6, 6in4 and 6to4 tunnels, etc.
3.9 Multicast route protocol
Multicast is a point-to-multipoint or multipoint-to-multipoint communication mode in which
multiple receivers receive the same information from a single source. Multicast-based
applications include video conferencing, remote teaching, software distribution, etc.
3.9.1 IGMP
A host uses the Internet Group Management Protocol (IGMP) to tell the multicast router on
its network which group it wants to join or leave. In this way the multicast router knows
whether a member of a multicast group is present on the network and decides whether to
forward multicast packets onto it. When a multicast router receives a multicast packet, it
checks the packet's multicast destination address and forwards the packet to the interfaces
of all group members or downstream routers.
3.9.2 PIM-SM
Protocol Independent Multicast-Sparse Mode (PIM-SM) is applied in the following
situations:
Group members are spread across a wide area.
Network bandwidth is limited.
3.9.3 PIM-DM
PIM-DM (PIM Dense Mode) is a dense-mode multicast routing protocol that sends multicast
data in ‘push’ mode. It usually applies to small networks with densely distributed
multicast group members.
3.9.4 MSDP
Multicast Source Discovery Protocol (MSDP) is a mechanism for connecting several PIM
domains. It runs over TCP and provides PIM-SM with information about multicast sources
outside the local PIM domain.
An MSDP speaker in one PIM-SM domain establishes a TCP session with MSDP peers in
other domains. When the MSDP speaker learns of a new multicast source in its own
domain (through the PIM register mechanism), it generates a Source Active (SA) message
and sends it to all MSDP peers.
3.10 Access Control List
An access control list is used to permit or reject packets based on configured criteria.
The packet filtering criteria determine the type of access control list. Packet filtering
can be defined based on the following conditions:
MAC
VLAN
Source IP address
Destination IP address
Source port number
Destination port number
Transport-layer protocol number
Type of service (TOS)
Time-range
Highlights of ZXR10 ZSR ACL feature are:
For upper-layer protocols, it filters on source and destination addresses and supports
multiple filtering conditions.
For lower-layer forwarding, it defines maximum and minimum thresholds for source and
destination addresses, so that flows within this range can be forwarded. Using the same
range to restrict all ports on the same line card allows the lower-layer microcode to
execute efficiently.
Two types of access control list are supported: standard access control list and
extended access control list.
A configured access control list only takes effect on a router interface once it is
applied to that interface. Because the data flow through an interface is bidirectional, the
access control list is applied to the interface in one specific direction: the egress
direction (data flow leaving the router) or the ingress direction (data flow entering the
router).
Implementing an access control list on an interface takes three steps:
1 Define the access control list.
2 Define the interfaces on which the access control list will be applied.
3 Define the direction in which the access control list will be applied on the
interface.
When an ACL is used, the type of the ACL is first determined from its number, and then
packets are compared against the configured ACL to decide whether they are permitted
through the interface. The ACL is processed in order: entries at the beginning have the
highest priority, and processing stops at the first entry that matches the packet.
Therefore the sequence is very important when configuring an access control list, and
entries with high priority should be placed first. If an entry matches the packet, the
packet is permitted or denied through the interface according to that entry's ‘permit’ or
‘deny’ field. If no entry matches the packet, the default filtering rule applies: the
unmatched packet is denied through the interface.
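An added example (not ZTE's code) of the ordered, first-match ACL evaluation described above, including the implicit deny for unmatched packets and the effect of mis-ordering entries. The match fields, the entry and packet classes, and the sample ACL and packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Just the header fields the ACL entries below look at (constructed)."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # source prefix; 0.0.0.0/0 matches any
    dst: str = "0.0.0.0/0"           # destination prefix
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: return (action, index of the matching entry).

    Entries are tested in configured order and processing stops at the first
    match; a packet that matches nothing hits the implicit deny (index None).
    """
    for index, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, index
    return "deny", None


# Constructed extended ACL for an inbound WAN interface. The specific deny for
# one source host is placed first so that it wins over the broader permits.
EXAMPLE_ACL = [
    AclEntry("deny", src="203.0.113.7/32"),
    AclEntry("permit", dst="192.0.2.10/32", proto="tcp", dport=443),
    AclEntry("permit", dst="192.0.2.0/24", proto="icmp"),
]


def filter_packets(acl: List[AclEntry], packets: List[Packet]) -> List[str]:
    """Return the action taken for each packet, in order."""
    return [evaluate(acl, pkt)[0] for pkt in packets]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "192.0.2.10", "tcp", 443),   # blocked host -> deny (entry 0)
        Packet("198.51.100.5", "192.0.2.10", "tcp", 443),  # HTTPS to the server -> permit
        Packet("198.51.100.5", "192.0.2.20", "icmp"),      # ping into the subnet -> permit
        Packet("198.51.100.5", "192.0.2.10", "tcp", 22),   # nothing matches -> implicit deny
    ]
    for pkt, action in zip(samples, filter_packets(EXAMPLE_ACL, samples)):
        print(action, pkt)
    # Mis-ordering: if the broad permit is moved ahead of the host deny, the
    # blocked host gets through, because the first match decides.
    swapped = [EXAMPLE_ACL[1], EXAMPLE_ACL[0], EXAMPLE_ACL[2]]
    print("swapped order ->", evaluate(swapped, samples[0]))
```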
3.11 IP VPN
ZXR10 ZSR series routers provide complete IP VPN features, offering reliable security and
service quality to branch offices, remote users, traveling staff, partners and
headquarters.
ZXR10 ZSR series routers support various VPN types, including L2TP VPN, IPSec VPN, and
GRE VPN. ZXR10 ZSR supports IPSec NAT traversal.
Figure 3-5 VPN application
(The figure shows an Internet cloud connecting a SoHo subscriber, a mobile subscriber, a
branch, a large customer and the enterprise headquarters through VPN gateways.)
By building a private network over the Internet, enterprises can reduce private-line fees
to a small local-call fee plus Internet fee. VPN greatly reduces network complexity. VPN
user addresses can be allocated in a unified way inside the enterprise. The flexibility of
VPN networking simplifies enterprise network management. VPN improves the interconnection
of the whole enterprise network. Its excellent scalability lets an enterprise adapt to the
development of the Internet economy better and sooner, so as to seize business
opportunities. Besides, in VPN applications, remote user authentication and tunnel data
encryption guarantee the security of private data transmitted over the public network.
3.11.1 L2TP VPN
L2TP (Layer 2 Tunneling Protocol) is a layer-2 tunneling protocol based on the
Point-to-Point Protocol (PPP). L2TP mainly consists of the LAC (L2TP Access Concentrator)
and the LNS (L2TP Network Server). The LAC, which supports client-side L2TP, initiates
and receives calls and establishes tunnels. The LNS is the endpoint of all tunnels and
terminates all PPP flows.
Figure 3-6 Typical dialing VPN service
LAC: the L2TP Access Concentrator is a PPP initiator system with L2TP protocol processing
capability. Usually the LAC is a network access server (NAS), which supplies network
access service through PSTN/ISDN.
LNS: the L2TP Network Server is the logical termination of the PPP conversation; it runs
the L2TP server software on the PPP end system.
(Figure elements: PSTN/DSL/IP, Internet, access gateway, enterprise gateway, user part,
ISP/public part, enterprise part, RADIUS servers on both sides, L2TP tunnel.)
Between a pair of LNS and LAC there are two types of connection. One is the tunnel
connection, which defines an LNS/LAC pair. The other is the session connection, which is
multiplexed over the tunnel connection and represents one PPP session carried in the
tunnel. One tunnel connection can carry multiple session connections. L2TP connection
maintenance and PPP data transmission are both implemented by exchanging L2TP messages,
which use UDP port 1701. L2TP messages are of two types: control messages and data
messages. Control messages create and maintain tunnel connections and session
connections. Data messages carry the users' PPP session data packets.
L2TP has the following features:
Secure identity authentication mechanism: like PPP, L2TP can authenticate the tunnel
endpoints. PPP CHAP authentication is specified for this purpose.
Internal address allocation support: the LNS is deployed behind the enterprise network
firewall. It allocates and manages remote user addresses dynamically and supports DHCP
and private addressing (RFC1918). The address allocated to a remote user is not an
Internet address but an internal private address of the enterprise network, which
simplifies address management and enhances security.
Flexible network accounting: accounting can be performed at the LAC (usually the ISP)
and the LNS (usually the enterprise) at the same time. The former generates bills and the
latter is used for payment and auditing. L2TP can provide accounting data on the data
transmitted, such as the number of incoming and outgoing packets and bytes and the
start and end time of the connection.
Reliability: the L2TP protocol supports LNS backup. When the primary LNS is unreachable,
the LAC (access server) can re-establish the connection with the backup LNS, improving
VPN service reliability and fault tolerance.
Integrated network management: L2TP has become a standard RFC protocol and a
standard L2TP MIB has been defined, so an SNMP network management solution can be
integrated to implement easy network maintenance and management.
3.11.2 GRE VPN
In the simplest case, the router receives an original data packet (payload) that needs to
be encapsulated and routed. The packet is first encapsulated in a GRE packet, then
encapsulated in IP and forwarded by the IP layer. The protocol of the original packet is
called the passenger protocol, GRE is called the encapsulation protocol, and the IP that
takes care of forwarding is called the delivery or transport protocol. The specific format
or content of the passenger protocol does not matter during this process.
GRE has the following advantages:
A multi-protocol local network can be transported over a backbone network running a
single protocol.
Discontiguous subnetworks can be connected to build a VPN.
The network scale can be extended, including for protocols with limited routing range.
3.11.3 IPSec VPN
IPSec is the collective name for a group of open protocols. With them, the communicating
parties guarantee the privacy, integrity and authenticity of data packets transmitted over
the Internet by encryption and data-origin authentication at the IP layer.
IPSec is implemented by two security protocols, AH (Authentication Header) and ESP
(Encapsulating Security Payload). The implementation does not affect users, hosts or other
Internet components. Users can also select different hardware and software encryption
algorithms without affecting the implementation of the other parts.
AH (Authentication Header) is a packet header authentication protocol. It provides
data-origin authentication, data integrity checking and packet replay protection. The AH
protocol by itself does not encrypt data packets.
The ESP (Encapsulating Security Payload) protocol provides not only authentication but
also encryption. Its authentication is basically similar to all functions of the AH
protocol, and in addition it encrypts the IP packet, which improves the privacy of the data.
IPSec can effectively reduce network building and operation cost by constructing an
Intranet or Extranet over the public network. IPSec has become the de facto IP-layer
security standard, with wide application prospects.
ZXR10 ZSR series routers provide IPSec services such as automatic key exchange
negotiation, and creating and maintaining security associations either by manually
configuring keys or by IKE (Internet Key Exchange), so as to simplify IPSec application
and management. With IKE, IPSec negotiates SAs dynamically and fills the SADB (security
association database). IKE uses the two phases of ISAKMP: in the first phase IKE creates
the IKE security association; in the second phase it negotiates the specific security
association for IPSec based on that association. The final result of the IKE exchange is a
verified key and a mutually agreed security service, called the ‘IPSec Security Association
(SA)’.
IPSec-compatible equipment provides encryption, verification, authentication and
management at layer three of the OSI model. It is transparent to users: there is no
difference in the applications they use. Key exchange, digital signature checking and
encryption are all performed automatically in the background. In addition, to build a
large-scale VPN, an authentication center is needed to perform identity authentication and
user public key distribution.
IPSec can protect data flows in two modes: tunnel mode and transport mode. Tunnel mode
encrypts the whole IP packet and carries it in a new IPSec packet. The tunnel protocol is
implemented on IP, so it does not support multiple protocols. In transport mode the
addresses of the IP packet are not processed; only the data payload is encrypted.
Currently IPSec is the most effective way to guarantee IP security. The main IPSec
application is to create tunnel-based VPNs, but IPSec is not restricted to VPN building
(its transport mode also has good application scenarios).
IPSec supports networking between hosts, between a host and a site, and between sites.
IPSec also supports remote user access, and it can be combined with tunnel protocols such
as L2TP and GRE, giving users more flexibility and reliability.
Compared with other VPN solutions, IPSec VPN has the following features:
Data privacy protection
The IPSec sender encrypts packets before they are sent to the public network, which
makes the data unreadable during transmission.
Data integrity verification
The IPSec receiver recomputes the hash of the received message and compares it with
the hash sent by the sender, to guarantee that the data was not tampered with in
transmission.
Source authentication
The data sender is identified by pre-shared key or RSA signature.
Anti-replay protection
AH and ESP both contain a 32-bit sequence number. IPSec detects duplicated packets by
comparing the sequence number of each received packet against a sliding window on the
destination host. In this way an attacker is prevented from capturing IPSec packets and
inserting them into the session again.
Automatic key management and security association management
This ensures that the company's virtual network policies can be implemented
conveniently and accurately across the extended network with little or no manual
configuration.
Network layer-based security protection
IPSec protects all data forwarded between terminal sites regardless of the type of
network application. IPSec can effectively ‘put’ remote users inside the enterprise
network, giving them the same authority and functions as users of the internal network.
Higher security level
IPSec is an end-to-end service that places no specific requirement on the backbone
network for carrying service-related functions. IPSec requires the IPSec client software
and access equipment at the remote access user end to be properly installed and
configured, which greatly improves the security level because access is controlled by
specific access equipment, user software, a user verification mechanism and pre-defined
security rules.
Quick response
It can respond quickly to market changes and can be deployed over any existing IP
network. Users can use it at any location.
ZXR10 ZSR series routers provide two standard keyed hash (HMAC) algorithms to guarantee
that data is not tampered with in transmission:
1 HMAC-MD5: hash calculation with a 128-bit shared key.
2 HMAC-SHA-1: hash calculation with a 160-bit shared key.
The encryption algorithms supported by the ZXR10 ZSR router series are:
1 DES (Data Encryption Standard): encrypts a 64-bit clear-text block using a 56-bit key.
2 3DES (Triple DES): encrypts clear text using three 56-bit DES keys.
3 AES (Advanced Encryption Standard): ZXR10 ZSR implements the AES algorithm with a
128-bit key length.
3.12 MPLS VPN
ZXR10 ZSR supports MPLS (Multi-Protocol Label Switching) technology. Its features are:
Supporting MPLS basic functions and label forwarding services, and implementing the LDP
signaling protocol. The MPLS signaling protocol is mainly responsible for providing all the
parameters required for distributing labels and creating and maintaining LSPs.
Supporting MPLS Ping/Traceroute. MPLS echo request and MPLS echo reply are used to
test the availability of an LSP.
Supporting load balancing across MPLS LSPs.
Supporting the management of multi-layer label stacks.
Supporting MPLS CoS, mapping the ToS field of IP packets to the EXP field of MPLS
packets.
Supporting RSVP-TE.
Supporting L2/L3 VPN, including VPWS, VPLS, and BGP/MPLS-based L3 VPN.
3.12.1 MPLS L2 VPN
ZXR10 ZSR supports Martini MPLS L2VPN, using VC-Type + VC-ID to identify a VC. VC-Type
identifies the type of the VC as Ethernet or VLAN. VC-ID uniquely identifies a VC: the
VC-ID of each VC of the same VC-Type must be unique. The PEs connecting two CEs exchange
VC labels via LDP and bind them to the corresponding CE by VC-ID. When the LSP connecting
the two PEs has been created successfully and both parties have completed label exchange
and binding, a VC is established and the two CEs can transmit L2 data over it. To exchange
VC labels between PEs, the Martini draft extends LDP with a VC FEC type. Since the two PEs
exchanging VC labels may not be directly connected, LDP must establish a session with a
remote peer, over which the VC FEC and VC label are transmitted.
The L2 VPN service supports the following features:
Adopts the LDP protocol as basic signaling.
Supports two L2 VPN services: VPWS and VPLS.
Supports the L2 VPN MIB.
Supports FEC 129 encoding.
Supports H-VPLS.
Supports MAC address restriction.
3.12.2 MPLS L3 VPN
ZXR10 ZSR supports MPLS/BGP-based L3 VPN. By providing users with virtual private
network service over existing public network resources, ZXR10 T600 satisfies users'
requirements for private data transmission over the public network and for security. The
end-to-end VPN solution provided can meet these service requirements.
Can act as either CE or PE.
Supports dynamic (BGP, RIP, OSPF, and IS-IS) and static (static route) VPN access.
Supports policy control such as RT rewriting and SOO.
Supports Option A/B inter-Area VPN.
3.12.3 Multi-VRF
Multi-VRF extends the capability of a CE by giving it VRF function; such a device is called a
VCE. In networking, the combination of a VCE and a PE forms a distributed PE. More than
one VRF is configured on the VCE, each corresponding to one VPN site. Each VRF has a number
of site-facing ports connected to the VCE and one (possibly several) uplink interface
connected to the PE. On the PE, the configuration corresponding to the same VRF has one
(possibly several) interface connected to the VCE. In this way a Multi-VRF CE actually
simulates more than one CE, each virtual CE isolated from the others, so that multiple VPN
users can access the network, while the PE cannot tell whether it faces several CEs or one
VCE and therefore needs no extensions.
3.13 Security functions
ZSR security technologies can be divided into the following categories based on the
firewall functions supported by ZSR:
1 Defense against internal/external attacks
2 Application proxy
3 Application filtering
3.13.1 Defense against attacks
ZSR supports defense against firewall-oriented DoS attacks, anti-scanning and
anti-probing, inspection of the attributes of suspicious packets, and prevention of ARP
attacks. Each technology is described in detail below.
3.13.1.1 Firewall DoS attack
If an attacker finds there is a firewall, he may launch a DoS attack on the firewall itself
rather than on the network behind it. A successful firewall DoS attack is a successful
attack against the protected network, since it prevents legitimate messages from passing
through the firewall. There are usually two kinds of such DoS attacks: session table flood
and SYN-ACK-ACK proxy flood.
Session table flood
A successful DoS attack uses a huge quantity of forged message flows to fill and exhaust
the session resources on the firewall, so that it can no longer process legitimate
connection requests. ZSR supports the following measures to defend against this attack:
i Source- and destination-based session restriction. It limits the number of concurrent
sessions from the same source IP address and the number of concurrent sessions to the
same destination IP address.
ii Active adjustment of TCP session timeout. ZSR can work in SYN proxy mode and can
dynamically adjust the TCP session timeout value after a TCP session is established. It
speeds up the ageing process when the number of sessions in the session table exceeds
the designated upper threshold, and ageing returns to normal when the number of sessions
drops below the designated lower threshold.
SYN-ACK-ACK proxy flood
In TCP proxy mode, when an authorized user initiates a Telnet or FTP connection, he sends
a SYN segment to the Telnet or FTP server. The security device intercepts the segment,
creates an entry in its session table and sends a SYN-ACK segment to the user. The user
replies with an ACK segment, completing the initial three-way handshake, and the device
generates a login banner for the user. If a malicious user does not log in but keeps
initiating SYN-ACK-ACK sessions, the session table of the security device fills up to the
point where the device denies legitimate connection requests.
ZSR can enable SYN-ACK-ACK proxy protection. The security device rejects further
connection requests from an IP address once the number of connections from that IP
address reaches the SYN-ACK-ACK proxy threshold.
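An added example, not ZTE's code, simulating the three session-table measures this section describes: per-source and per-destination concurrent session limits, faster ageing once the table passes an upper threshold (normal ageing resumes below a lower threshold), and a per-source cap on proxied SYN-ACK-ACK sessions that never log in. The class name, limits, timers and addresses are constructed.

```python
from typing import Dict, Optional, Tuple

Key = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


class SessionTable:
    """Firewall session table with the three protections described above.

    Constructed example, not ZTE code. All limits and timers are illustrative.
    """

    def __init__(self, max_per_src: int = 4, max_per_dst: int = 6,
                 upper: int = 5, lower: int = 2,
                 normal_timeout: int = 300, aggressive_timeout: int = 10,
                 proxy_limit: int = 2):
        self.max_per_src, self.max_per_dst = max_per_src, max_per_dst
        self.upper, self.lower = upper, lower          # session-count thresholds
        self.normal_timeout = normal_timeout           # seconds
        self.aggressive_timeout = aggressive_timeout
        self.proxy_limit = proxy_limit                 # pending logins per source
        self.sessions: Dict[Key, dict] = {}
        self.aggressive = False

    def current_timeout(self) -> int:
        """Hysteresis: age faster above `upper`, back to normal only below `lower`."""
        count = len(self.sessions)
        if count > self.upper:
            self.aggressive = True
        elif count < self.lower:
            self.aggressive = False
        return self.aggressive_timeout if self.aggressive else self.normal_timeout

    def expire(self, now: int) -> int:
        """Age out sessions idle longer than the current timeout; return how many."""
        timeout = self.current_timeout()
        dead = [k for k, s in self.sessions.items() if now - s["last_seen"] >= timeout]
        for k in dead:
            del self.sessions[k]
        return len(dead)

    def _from(self, src: str) -> int:
        return sum(1 for k in self.sessions if k[0] == src)

    def _to(self, dst: str) -> int:
        return sum(1 for k in self.sessions if k[2] == dst)

    def _pending_login(self, src: str) -> int:
        return sum(1 for k, s in self.sessions.items() if k[0] == src and not s["logged_in"])

    def open_session(self, src: str, sport: int, dst: str, dport: int, now: int) -> Optional[str]:
        """Handle a SYN. Return None when admitted, else the reason it was refused."""
        self.expire(now)
        if self._from(src) >= self.max_per_src:
            return "per-source session limit"
        if self._to(dst) >= self.max_per_dst:
            return "per-destination session limit"
        # SYN-ACK-ACK proxy flood: a source that completes handshakes but never
        # logs in may hold at most `proxy_limit` such sessions at once.
        if self._pending_login(src) >= self.proxy_limit:
            return "SYN-ACK-ACK proxy threshold"
        self.sessions[(src, sport, dst, dport)] = {"last_seen": now, "logged_in": False}
        return None

    def login(self, src: str, sport: int, dst: str, dport: int, now: int) -> bool:
        """Mark a proxied session as authenticated (the user answered the banner)."""
        session = self.sessions.get((src, sport, dst, dport))
        if session is None:
            return False
        session["logged_in"] = True
        session["last_seen"] = now
        return True


if __name__ == "__main__":
    table = SessionTable()
    server = "192.0.2.10"
    for sport in (1001, 1002, 1003):          # third SYN hits the proxy threshold
        print(sport, table.open_session("203.0.113.5", sport, server, 23, now=0))
    table.login("203.0.113.5", 1001, server, 23, now=1)
    print(1003, table.open_session("203.0.113.5", 1003, server, 23, now=1))
    print("expired at t=400:", table.expire(400), "left:", len(table.sessions))
```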
3.13.1.2 Network DoS attack
A Denial of Service attack against network resources usually floods its target with a
large quantity of SYN, ICMP or UDP packets, or with a large quantity of SYN fragments.
SYN Flood attack
A SYN flood exploits a weakness of the three-way handshake used when a TCP connection is
created. The attacker sends a large quantity of SYN segments to the target host, which
accumulates a great many half-open connections in a short time. This quickly consumes
the resources of the target host and leaves it unable to serve normal user connections,
achieving the DoS goal.
ZSR implements effective protection with SYN proxy. The SYN proxy performs the three-way
handshake on behalf of the server and monitors the state of the many half-open
connections according to the protocol state. It guarantees continuous availability of
TCP resources by limiting the SYN fragments accepted by the firewall and controlling the
ageing and creation rate of SYN sessions.
ICMP Flood
An ICMP flood occurs when a large quantity of ICMP echo requests exceeds what the victim
can handle, so that the victim spends all its resources responding and can no longer deal
with other legitimate network flows.
ZSR monitors all ICMP message types, not just echo requests, and sets a threshold. Once
the rate of ICMP echo requests exceeds the threshold, ICMP flood protection is invoked
and subsequent ICMP echo requests are ignored.
UDP Flood and Land Flood
Similar to an ICMP flood, a UDP flood occurs when the attacker sends a large number of IP
packets carrying UDP datagrams to a target in order to slow it down, so that it can no
longer handle legitimate connections.
ZSR also supports a threshold for this case. Once UDP packets exceed the threshold, UDP
flood protection is invoked: if the UDP datagrams sent from one or more sources to a
single destination exceed the threshold, subsequent UDP datagrams are ignored.
A LAND attack occurs when the attacker sends spoofed SYN packets in which the IP address
of the victim is used as both source and destination address. ZSR combines SYN flood
prevention with IP spoofing protection to detect and block this attack.
3.13.1.3 Operation System DoS attack
Ping of Death: many ping implementations allow users to specify packets larger than
65,507 bytes. Oversized ICMP packets can cause a series of abnormal system reactions such
as DoS, system crash, hang and restart. ZSR detects and rejects these oversized and
irregular packets, even when the attack conceals the total packet size by deliberate
fragmentation.
A Teardrop attack exploits IP packet reassembly. When the fragment offset plus size of one
fragment does not agree with that of the next one, the fragments overlap. The server's
attempt to reassemble the packets can cause a system crash, especially when the server
runs an older operating system containing this kind of bug. ZSR detects abnormal packet
fragments and discards them.
3.13.1.4 Anti-scanning and detection
The ZSR built-in firewall supports anti-probing and anti-spoofing techniques such as
protection against IP address scanning, port scanning, FIN scanning, IP spoofing, and IP
source routing.
Anti-IP address scanning and port scanning
ZSR keeps an internal record of the number of ICMP packets sent from a remote source to
different addresses. If a remote host sends ICMP traffic to multiple addresses within a
period of time, it is marked as an address scanning attack, and further ICMP echo
requests from this host are rejected for the rest of the designated time period.
The principle of port scanning detection is similar to that of IP address scanning. If a
host sends TCP SYN segments to different ports within a period of time, it is marked as a
port scanning attack, and all other IP packets from that source are rejected during the
designated timeout period.
Anti-spoofing measures
FIN scanning sends TCP segments with the FIN flag set in an attempt to trigger a response
(TCP segments with the RST flag set) and thereby discover the active ports on a host. An
attacker may use this method instead of address scanning with ICMP echo requests or
SYN segments. ZSR discards TCP segments that have the FIN flag set but not the ACK flag
(which is abnormal for a TCP segment).
uRPF has a loose mode and a strict mode. This feature checks the validity of the source
IP address of inbound packets. In this way, packets sent to hosts outside the controlled
area are guaranteed to carry a source IP address that can be verified against the local
routing table. ZSR implements this.
Check and filtering of attributes for suspicious packets
Attackers may elaborately design packets to detect or launch DoS attack. These
packets will get filtered on ZSR.
The ICMP packets set with segment attributes may cause abnormity on some hosts.
Thus ZSR drops any ICMP packets set with ‘fragmented’ mark or any ICMP
packets containing the offset designated in offset field. If ICMP packet is singularly
large, it may cause abnormity. ZSR detects and drops ICMP packets with length
over 1024 bytes.
ZXR10 ZSR Router Product Description
ZTE Confidential Proprietary 39
Abnormal IP options: incorrectly formed IP options produce incomplete or malformed header fields that can damage the receiving host. ZSR discards IP packets whose header carries abnormal IP options.
Unknown protocols: a non-standard protocol field value of 137 or higher may trigger abnormal behaviour on the receiver. ZSR discards packets whose protocol number is 137 or larger.
IP fragments: when packets cross networks with different MTUs they sometimes have to be split into smaller fragments. Attackers exploit bugs in the fragment reassembly code of IP stack implementations to crash systems with crafted fragments. ZSR can be configured to discard all IP fragments received on an interface.
Fragmented SYN: a SYN segment initiates a connection and is answered with a SYN/ACK. SYN segments normally carry no data, so the IP packet is small and never needs to be fragmented. A fragmented SYN is therefore abnormal and may cause problems. ZSR discards packets whose IP header indicates fragmentation and whose TCP header has the SYN flag set.
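The rules above (fragmented or oversize ICMP, malformed IP options, protocol numbers of 137 and above, fragmented SYN, FIN without ACK) applied to raw IPv4 packets, as an added example in Python rather than ZSR's own filter. The thresholds are taken from the text, the header layouts are the standard IPv4/ICMP/TCP formats, and the packet builders at the end construct sample packets for trying the checks offline.

```python
"""Filtering of crafted packets, modelled on the rules in the text. Not ZSR code:
thresholds come from the text, layouts from the IPv4/ICMP/TCP header formats,
and the packets are constructed here."""
import struct

IP_PROTO_ICMP, IP_PROTO_TCP = 1, 6
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10
MAX_ICMP_LEN = 1024        # ICMP packets longer than this are dropped (from the text)
MAX_KNOWN_PROTO = 136      # protocol numbers >= 137 are dropped (from the text)


def ip_options_ok(opts: bytes) -> bool:
    """Walk the IP options area; False if any option is truncated or malformed."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of Options List
            return True
        if kind == 1:                    # No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts):           # length byte missing
            return False
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return False                 # bad length, or option overruns the header
        i += length
    return True


def check_packet(pkt: bytes) -> str:
    """Return 'accept', or the name of the first filtering rule the packet trips."""
    if len(pkt) < 20:
        return "truncated-ip-header"
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        return "not-ipv4"
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt) or total_len > len(pkt):
        return "bad-ip-length"
    more_frags = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF          # in 8-byte units
    fragmented = more_frags or frag_offset != 0
    if ihl > 20 and not ip_options_ok(pkt[20:ihl]):
        return "malformed-ip-options"
    if proto > MAX_KNOWN_PROTO:
        return "unknown-protocol"
    payload = pkt[ihl:total_len]
    if proto == IP_PROTO_ICMP:
        if fragmented:
            return "fragmented-icmp"
        if total_len > MAX_ICMP_LEN:
            return "oversize-icmp"
    elif proto == IP_PROTO_TCP and frag_offset == 0:
        # TCP flags are only visible in the first fragment (offset 0)
        if len(payload) < 14:
            return "truncated-tcp-header"
        flags = payload[13]
        if fragmented and flags & TCP_SYN:
            return "fragmented-syn"
        if flags & TCP_FIN and not flags & TCP_ACK:
            return "fin-without-ack"
    return "accept"


# --- constructed packets for exercising the checks ---------------------------
def build_ipv4(proto: int, payload: bytes, *, more_frags=False, frag_offset=0, options=b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)   # options area is padded to 32-bit words
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0,
                         flags_frag, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + options + payload


def tcp_segment(flags: int) -> bytes:
    """Minimal 20-byte TCP header with the given flags and no payload."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)


def icmp_echo(payload_len: int) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * payload_len
```

The checksum fields are left at zero because the filter never validates them; a real implementation would verify the IP header checksum before trusting the length fields, as a corrupted header can otherwise make the payload slicing read the wrong bytes.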
3.13.1.5 Anti-ARP attack
ARP attacks are a common form of abnormal behaviour on internal networks. Sometimes they are caused by ARP-spoofing malware, but internal users may also launch deliberate attacks against the gateway. ARP attacks work in two ways:
1 Modify the gateway's ARP entry on the hosts, so that internal users can no longer reach the gateway.
2 Modify the internal users' ARP entries, or poison the gateway's ARP cache with an incorrect MAC address for a host, so that packets sent back to that host are forwarded to the wrong station.
ZSR supports the following countermeasures, which together provide a complete solution against both kinds of attack:
Gratuitous ARP packets
ZSR periodically sends gratuitous ARP packets for the local gateway, broadcasting its correct ARP mapping repeatedly over a short period, which lets attacked hosts on the internal network recover. Testing has confirmed that a sending interval of about 10-100 ms effectively counters attacks that change the gateway's ARP entry.
IP + MAC binding and ARP scanning
ARP spoofing works because the gateway updates its ARP cache dynamically in real time. ARP entries on the gateway are therefore made static, so that ARP updates from internal users can be ignored on ZSR, which guarantees that return packets reach the correct host.
The following supporting functions make this practical to deploy and operate:
1 To keep large volumes of ARP packets from being used against the gateway, ZSR supports a CPU processing rate limit: the number of ARP packets the CPU processes can be configured. Normal network updates still get through, while floods of forged ARP packets can no longer drive CPU utilization abnormally high.
2 On a large network, configuring static IP+MAC bindings by hand is laborious. ZSR supports ARP scanning: it broadcasts ARP requests, collects the replies carrying the corresponding IP and MAC addresses, and generates a static IP/MAC binding table in the system.
3 Where the gateway also acts as the DHCP server, ZSR supports static address assignment in the DHCP server: a fixed IP address is assigned to a host by its MAC address, which prevents spoofed ARP messages from taking over the IP addresses of key equipment such as internal servers.
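The gateway-side measures above (gratuitous ARP, static IP+MAC bindings that override dynamic updates, bindings learned from an ARP scan, and a per-second cap on ARP packets handed to the CPU), as an added Python example that is not ZSR's implementation. The ARP body layout is the standard Ethernet/IPv4 ARP format; the addresses, the rate limit and the sample packets are constructed for the example.

```python
"""ARP protection on a gateway, as an added illustration of the measures in the
text. Not ZSR code: addresses, limits and packets are constructed here."""
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """28-byte ARP body for Ethernet (htype 1) over IPv4 (ptype 0x0800)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
                       ipaddress.IPv4Address(spa).packed, tha, ipaddress.IPv4Address(tpa).packed)


def parse_arp(body: bytes) -> dict:
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": sha, "spa": str(ipaddress.IPv4Address(spa)),
            "tha": tha, "tpa": str(ipaddress.IPv4Address(tpa))}


def gratuitous_arp(gw_mac: bytes, gw_ip: str) -> bytes:
    """The packet the gateway broadcasts every 10-100 ms while under attack:
    sender and target IP are both the gateway, so hosts refresh their cache."""
    return build_arp(ARP_REPLY, gw_mac, gw_ip, BROADCAST_MAC, gw_ip)


class ArpGuard:
    """Static bindings win over dynamic ARP updates; ARP packets reaching the
    CPU are capped per second."""

    def __init__(self, gw_ip: str, gw_mac: bytes, bindings: dict, max_pps: int):
        self.gw_ip, self.gw_mac = gw_ip, gw_mac
        self.bindings = dict(bindings)          # static IP -> MAC table
        self.max_pps = max_pps                  # ARP packets the CPU handles per second
        self._second, self._count = None, 0

    def _cpu_rate_ok(self, now: float) -> bool:
        second = int(now)
        if second != self._second:
            self._second, self._count = second, 0
        self._count += 1
        return self._count <= self.max_pps

    def inspect(self, body: bytes, now: float) -> str:
        if not self._cpu_rate_ok(now):
            return "drop-rate-limit"
        arp = parse_arp(body)
        if arp["spa"] == self.gw_ip and arp["sha"] != self.gw_mac:
            return "drop-gateway-spoof"         # someone claims to be the gateway
        bound = self.bindings.get(arp["spa"])
        if bound is not None and bound != arp["sha"]:
            return "drop-binding-mismatch"      # static entry wins; update ignored
        return "accept"

    def learn_from_scan(self, replies: list) -> list:
        """Build static bindings from ARP-scan replies. Returns the IPs that
        answered with more than one MAC; those are left unbound for review."""
        seen, conflicts = {}, []
        for body in replies:
            arp = parse_arp(body)
            if arp["op"] != ARP_REPLY:
                continue
            if arp["spa"] in seen and seen[arp["spa"]] != arp["sha"]:
                conflicts.append(arp["spa"])
            seen.setdefault(arp["spa"], arp["sha"])
        for ip, hw in seen.items():
            if ip not in conflicts:
                self.bindings[ip] = hw
        return conflicts
```

A conflicting scan reply (two MACs for one IP) is exactly the symptom of an attack already in progress, so the learner reports it rather than silently binding whichever answer came first.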
3.13.2 Application proxy
ZSR implements a TCP connection proxy as its application proxy. It is also called SYN proxy, and it effectively mitigates SYN flood attacks. Its details and implementation features are described below:
3.13.2.1 TCP Three-way Handshake and SYN attack
A TCP connection is established by a three-way handshake, which works as follows:
The client sends a packet with SYN set to the server. It carries the connection information: the initial sequence number a, the client port number, the server port number, and so on.
On receiving the SYN, the server replies with a packet that has SYN and ACK set, whose acknowledgement number is a+1 and whose own initial sequence number is b. At the same time it allocates a buffer and the other resources needed for the connection.
On receiving the SYN/ACK, the client sends back a TCP packet with ACK set, whose acknowledgement number is b+1. The client and server have then completed the three-way handshake and the connection is established.
Figure 3-7 TCP three-way handshake
In a SYN flood, the attacking host sends a large number of TCP SYN packets with forged source addresses to the victim. The victim allocates the necessary resources for each TCP connection, returns a SYN/ACK packet to the source address, and waits for the client's ACK.
Because the source address is forged, the SYN/ACK returned by the server either cannot reach any host and is discarded, or reaches a host that never initiated a connection and is discarded there. Either way the server never receives the ACK.
A server has a limited number of TCP connections available, because it has only a limited buffer for connection state. If that buffer fills with the initial state of bogus connections, the server stops responding to new connection requests until the entries in the buffer time out. If the attacker keeps sending such requests quickly, the server's pending-connection queue is soon blocked, available system resources and network bandwidth drop sharply, and the server can no longer provide normal service to legitimate users.
3.13.2.2 Work mode and features of SYN proxy
When ZSR receives a TCP connection request from the Internet for a protected server on the internal network, it holds the request instead of forwarding it to the server immediately. It creates a TCP connection record and answers the request on the protected server's behalf. A host making a normal connection sends the acknowledgement that completes the three-way handshake after it receives the SYN/ACK from ZSR; a host performing a SYN attack never sends it.
For a normal connection, ZSR completes the three-way handshake with the external host on behalf of the protected server. Then, using the connection parameters from the external host's request, ZSR performs a three-way handshake with the internal server on behalf of the external host to set up the TCP connection. ZSR keeps the connection record after the connection is established, but the stored state changes from half-open to established.
For a SYN attack, ZSR waits a configured period for the acknowledgement and, if none arrives, deletes the TCP connection record. The internal server therefore never sees the half-open connections created by the attack.
ZSR permits a limited number of intercepted TCP connections. When that quota (call it n) is reached and the (n+1)th TCP connection request arrives, the router normally rejects the new connection; when it is under attack, it instead deletes the oldest half-open entry to make room.
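The handshake of 3.13.2.1 and the proxy behaviour of 3.13.2.2 (answer the SYN on the server's behalf, open the real connection only after the client's ACK, time out half-open entries, refuse connection n+1 normally but evict the oldest half-open entry under attack, halve the timeout under attack), as an added Python state machine. It is not ZSR code: messages are dicts rather than real segments, the quota, timeout and watermark values are chosen for the example, and treating "connections in the last minute above the watermark" as the under-attack condition is an assumption about how the watermark is applied.

```python
"""SYN proxy state machine, an added illustration of the text's description.
Not ZSR code; values and the watermark test are assumptions for the example."""
import collections
import random

MASK32 = 0xFFFFFFFF
HALF_OPEN, ESTABLISHED = "half-open", "established"


class SynProxy:
    def __init__(self, max_records: int, timeout: float, watermark: int):
        self.max_records = max_records      # n: interception quota
        self.base_timeout = timeout         # how long to wait for the client's ACK
        self.watermark = watermark          # SYNs per minute that mean "under attack"
        self.records = collections.OrderedDict()   # (src, sport, dst, dport) -> record
        self._syn_times = collections.deque()

    # --- attack detection and timeout ---------------------------------------
    def connections_last_minute(self, now: float) -> int:
        while self._syn_times and now - self._syn_times[0] > 60:
            self._syn_times.popleft()
        return len(self._syn_times)

    def under_attack(self, now: float) -> bool:
        return self.connections_last_minute(now) > self.watermark

    def timeout(self, now: float) -> float:
        # halved while under attack so that attack entries expire faster
        return self.base_timeout / 2 if self.under_attack(now) else self.base_timeout

    # --- client side: ZSR answers as if it were the server -------------------
    def on_syn(self, src, sport, dst, dport, client_isn: int, now: float):
        """Return the SYN/ACK to send back to the client, or None if refused."""
        self._syn_times.append(now)
        key = (src, sport, dst, dport)
        if key not in self.records and len(self.records) >= self.max_records:
            if not self.under_attack(now):
                return None                 # connection n+1 is refused
            self._evict_oldest_half_open()  # under attack: make room instead
        isn = random.getrandbits(32)
        self.records[key] = {"state": HALF_OPEN, "isn": isn,
                             "client_isn": client_isn, "created": now}
        return {"to": src, "flags": "SYN/ACK", "seq": isn, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src, sport, dst, dport, ack: int, now: float):
        """Client finished the handshake: return the SYN that ZSR now sends to
        the real server on the client's behalf, or None if the ACK is bogus."""
        rec = self.records.get((src, sport, dst, dport))
        if rec is None or rec["state"] != HALF_OPEN:
            return None
        if ack != (rec["isn"] + 1) & MASK32:
            return None
        rec["state"] = ESTABLISHED
        return {"to": dst, "flags": "SYN", "seq": rec["client_isn"]}

    # --- housekeeping --------------------------------------------------------
    def _evict_oldest_half_open(self):
        for key, rec in self.records.items():   # insertion order: oldest first
            if rec["state"] == HALF_OPEN:
                del self.records[key]
                return

    def expire(self, now: float) -> int:
        """Delete half-open records whose ACK never arrived; return the count."""
        limit = self.timeout(now)
        stale = [k for k, r in self.records.items()
                 if r["state"] == HALF_OPEN and now - r["created"] > limit]
        for k in stale:
            del self.records[k]
        return len(stale)

    def state_of(self, src, sport, dst, dport):
        rec = self.records.get((src, sport, dst, dport))
        return rec["state"] if rec else None
```

The server-side handshake is started only from on_ack, so the protected server never allocates state for a spoofed source; the proxy absorbs the half-open entries itself, which is why the quota and the eviction policy matter.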
Figure 3-8 SYN proxy
SYN proxy can monitor all TCP packets passing through the router, or only particular TCP packets selected by the user's configuration, which allows flexible deployment. SYN proxy records the following information:
Source IP address: source IP address of the TCP connection
Destination IP address: destination IP address of the TCP connection
Source port: source port number of the TCP connection
Destination port: destination port number of the TCP connection
Creation time: the time at which the TCP connection was created
Timeout time: the timeout for the TCP connection
Connections in one minute: the number of TCP connections created in the most recent minute
Working state: whether the currently configured resource is under attack
TCP connection state: the current stage of connection setup for the packets, that is, whether the connection is half-open or fully established
(Figure 3-8 shows ZSR as a virtual application proxy between the TCP client and the TCP server: toward the external client it acts as the internal server, toward the internal server it acts as the external client, and it completes Syn(A), Syn(B)/ACK(A+1), ACK(B+1) on each side of a virtual TCP connection.)
SYN proxy configuration can be changed flexibly: the interception mode, timeout and attack watermark can be altered in service without affecting any established connections.
SYN proxy has an alarm function. When the attack watermark configuration indicates that the current resource is under attack, it automatically alerts the user that the protected resource may be under attack, so that further measures can be taken.
In addition, the timeout is dynamically halved while under attack, so that attack connections are deleted more quickly and the server is better protected.
3.13.3 Application filtering
ZSR supports application filtering technologies involving:
Web page address filtering
URL parameter filtering
Java/ActiveX block
MSN/QQ instant messenger block
P2P software block
3.13.3.1 Web page address filtering
URL (web page address) filtering can prevent internal users from accessing illegal or unsuitable websites, or restrict them to particular permitted websites. On receiving HTTP packets, the router checks the URLs they contain. If the address is permitted by the user's configuration, the web request is accepted; if it is prohibited, the request is rejected and a TCP reset is sent to both the client that issued the request and the server. After enabling URL filtering, set the default action for URLs that match no rule.
When URL filtering is enabled, the system by default rejects all web requests that address a website directly by IP address. If access by IP address is still wanted, address group filtering must be enabled on ZSR.
ZSR URL filtering is based on keywords defined by the user; a URL is matched whether the keyword matches the whole URL string or only part of it.
3.13.3.2 URL parameter filtering
Today's web pages are usually dynamic and backed by a database: the web request queries or modifies the data it needs in the database. This lets criminals steal confidential data from the database, or repeatedly alter its contents by constructing special SQL statements in web requests, even bringing the database down. This is called SQL injection.
Manual SQL injection may take half a day, a day or several days, but purpose-built tools can carry it out in minutes. With an administrator account and password obtained this way, and a backdoor program downloaded from the Internet and uploaded to the server, an attacker can easily take over administrative control of the whole network, and of the server itself.
On a gateway device, the keywords of SQL statements, or other characters that can form SQL statements, are matched against HTTP web request packets. A match is treated as a SQL injection attack and the request is blocked. This is called URL parameter filtering.
Web applications pass parameters in several ways, most commonly GET and POST. The transmission method determines where the parameters are located; they are extracted from that location, then matched and filtered. ZSR currently filters parameters passed by GET, POST and PUT. It matches the URL parameters against the filtering items configured on the router; if a match is found the request is rejected, otherwise the packets are allowed through.
3.13.3.3 Java/ActiveX block
ActiveX controls, Java applets, .zip files and .exe files delivered over HTTP pose a threat to network security: they give an untrusted party a way to load, and then control, applications on hosts in the protected network.
When applet blocking is enabled on ZSR, all requests for applets in web pages are filtered. If users still need applets from some web pages, an address group must be configured; requests from a permitted address group are allowed through.
The system lets users add and delete the file extensions recognised for each kind of application, so the set of blocked suffixes is configurable from the command line. By default, Java applets are '.jar' and '.class', executables are '.exe', and zip files are '.zip'.
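One implementation of the three filters in 3.13.3.1 to 3.13.3.3 (URL keyword filtering with a default action and direct-IP-address blocking, URL parameter filtering for SQL keywords over GET/POST/PUT, and suffix-based blocking of applets and executables), as an added Python example that is not ZSR's code. The keyword lists, the SQL patterns and the sample requests are constructed for the example; sending the TCP reset that the text describes is outside the scope of the snippet, which only produces the verdict.

```python
"""Application-layer HTTP filtering, an added illustration of 3.13.3.1-3.13.3.3.
Not ZSR code: keyword lists, SQL patterns and requests are constructed here."""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Patterns a gateway might use to spot SQL statements in parameters (assumed).
SQL_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bunion\b[\s\S]*\bselect\b",
    r"'\s*or\s*'?\w+'?\s*=\s*'?\w+",
    r"\b(drop|alter|truncate)\s+table\b",
    r";\s*(drop|delete|update|insert)\b",
    r"--\s*$|/\*[\s\S]*\*/",
)]


class WebFilter:
    def __init__(self, *, deny_keywords=(), allow_keywords=(), default_allow=True,
                 allow_ip_hosts=False, blocked_suffixes=(".jar", ".class", ".exe", ".zip")):
        self.deny = tuple(k.lower() for k in deny_keywords)
        self.allow = tuple(k.lower() for k in allow_keywords)
        self.default_allow = default_allow      # action when no keyword matches
        self.allow_ip_hosts = allow_ip_hosts    # address group exception for IP hosts
        self.blocked_suffixes = tuple(s.lower() for s in blocked_suffixes)

    @staticmethod
    def parse_request(raw: bytes):
        """Split an HTTP/1.x request into (method, target, headers, body)."""
        head, _, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return method.upper(), target, headers, body.decode("latin-1")

    def check(self, raw: bytes):
        """Return ('accept', reason) or ('reject', reason) for one HTTP request."""
        method, target, headers, body = self.parse_request(raw)
        host = headers.get("host", "").split(":")[0]
        url = target if target.startswith("http") else f"http://{host}{target}"
        parts = urlsplit(url)

        # 3.13.3.1: requests that name the site by IP address are refused by default
        try:
            ipaddress.ip_address(parts.hostname or "")
            if not self.allow_ip_hosts:
                return "reject", "direct-ip-address"
        except ValueError:
            pass                                # hostname is a name, not an address
        lowered = unquote_plus(url).lower()     # keywords match whole or partial URL
        if any(k in lowered for k in self.deny):
            return "reject", "url-keyword-denied"
        if self.allow and not self.default_allow and not any(k in lowered for k in self.allow):
            return "reject", "url-not-in-allow-list"

        # 3.13.3.3: applet / executable / archive downloads by file suffix
        if parts.path.lower().endswith(self.blocked_suffixes):
            return "reject", "blocked-suffix"

        # 3.13.3.2: parameters are in the query string for GET, in the body for POST/PUT
        params = parse_qsl(parts.query, keep_blank_values=True)
        if method in ("POST", "PUT") and "x-www-form-urlencoded" in headers.get("content-type", ""):
            params += parse_qsl(body, keep_blank_values=True)
        for _name, value in params:
            if any(p.search(value) for p in SQL_PATTERNS):
                return "reject", "sql-injection"
        return "accept", "no-rule-matched"
```

The parameter check runs on decoded values, which matters: a filter that matches the raw URL misses `%27%20OR%20` while the web application sees `' OR `. Multipart and JSON bodies are not parsed here, so a real gateway has to decide what to do with parameters it cannot locate.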
3.13.3.4 MSN/QQ instant messenger block
ZSR supports blocking of instant messaging tools; at present it blocks two popular messengers, MSN and QQ. Blocking the MSN/QQ communication protocol, its communication ports or its server addresses prevents unmonitored communication from client hosts, and keeps the security weaknesses these tools introduce from being exploited by attackers.
3.13.3.5 P2P software block
Downloading with P2P software such as BitTorrent, eDonkey and eMule is increasingly popular and very convenient for users, but it consumes large amounts of network resources, both bandwidth and concurrent connections.
ZSR provides blocking policies for P2P download protocols and can block BitTorrent, eDonkey and eMule. It also supports a per-user session limit, so that a single user cannot consume excessive network resources with too many concurrent connections. This also helps to mitigate DoS attacks and keeps the network running smoothly.
3.14 Network management features
3.14.1 Simple Network Management Protocol (SNMP)
SNMP (Simple Network Management Protocol) is an application-layer protocol used to exchange management information between network devices. It is part of the TCP/IP protocol suite and is used to keep network protocols and devices operating normally. It enables the administrator to detect network problems and make adjustments through the commands exchanged between the management station (client) and the managed device (server). SNMP runs over UDP.
The SNMP network management model comprises four key elements:
1 Management station
2 Management agent
3 Management information base (MIB)
4 Network management protocol
The MIB is a hierarchically structured collection of information that network management protocols such as SNMP use to access managed data. It consists of managed objects, each identified by an object identifier (OID).
3.14.2 Remote Network Monitoring (RMON)
RMON (Remote Network Monitoring) can monitor information such as the overall traffic of Ethernet and Token Ring networks. RMON is an important enhancement to SNMP. It is defined as a MIB (RFC 1757) that extends MIB-II, and with it the overall traffic statistics of each specified subnetwork can be obtained.
The ZXR10 RMON module implements all nine groups defined in RFC 1757. Properly configured, it helps network administrators understand and analyse the running state of the network and learn of network alarms promptly, so that the network is better maintained.
3.14.3 Statistics and Alarm Management Function
The statistics and alarm management system informs network administrators about the operation of the network and the equipment. It provides:
1 Traffic data collection for network traffic analysis
2 Detailed log files
3 Various configuration and operation information
The system can save real-time statistics and alarm information, so that when the router fails the cause can be found and resolved quickly. For alarms, according to the administrator's requirements and working with the diagnosis and test programs, it can diagnose the failed alarm points, run tests and record the results for the administrator's reference.
3.14.4 Log Management Function
Log management mainly records the configuration commands executed by users logged in to the router. It makes it easy to query the history of configuration commands on the router, which helps in analysing the causes of faults and supports system security.
Besides recording configuration commands, the operation log module of ZXR10 ZSR also manages operation logs. It lets users add log entries, and query and store records by user name, time, login terminal number and login address.
3.14.5 NetNumen™ Integrated Network Management Platform
3.14.5.1 Network Management Networking
ZTE NetNumen™ is a network management system built on the data communication network. It provides integrated maintenance and management of many types of network equipment across a wide area and in complex application environments.
Either in-band or out-of-band management can be used between the NetNumen™ network management system and ZXR10 ZSR.
In-band management
In-band management means that network management traffic and service data travel over the same channel, so no extra DCN needs to be built. The NetNumen™ system can do its job as long as it is connected to a nearby network device and the relevant SNMP parameters are configured.
Out-of-band management
Out-of-band management means that network management traffic is kept separate from service data and carried within the network management system; an extra DCN is needed. NetNumen™ connects to ZXR10 ZSR through its out-of-band management interface, and management traffic and service traffic are transmitted independently of each other.
3.14.5.2 NetNumen™ Network Management System
The NetNumen™ U31 (BN) developed by ZTE is a unified network management system for managing SDH, MSTP, WDM, PTN, OTN and IP devices (routers, switches, etc.). It covers network element, network and service management, and provides the following:
Fault management, which ensures stable network operation.
Performance management, which gives an overall picture of the network service situation.
Resource management, which enables rational use of network resources.
View management, which makes the running state of the network visible.
Configuration management, which enables fast service deployment.
Security management, which makes the network safer.
A northbound interface, which supports integration with third-party systems.
3.14.6 Netflow
NetFlow measures and collects statistics on IP flows in the high-speed forwarding path. It has become the recognised industry standard for IP/MPLS traffic analysis and measurement on the Internet and is widely used in network security management. It works by classifying IP packets on seven attributes:
Source IP address
Destination IP address
Source port number
Destination port number
Layer 3 protocol type
ToS byte (DSCP)
Input (or output) logical interface of the network device (ifIndex)
By analysing these seven attributes, NetFlow quickly distinguishes the different kinds of service flows carried by the network. Having distinguished each flow, it tracks and measures it separately and records its characteristics, such as direction and destination, start and end time, type of service, and traffic volume in packets and bytes. NetFlow periodically exports the raw flow records, or automatically exports aggregated statistics computed from them.
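Flow accounting on the seven key fields listed above, as an added Python example rather than ZSR's NetFlow implementation: packets are aggregated into flows keyed on the 7-tuple, each flow records its first and last packet time and its packet and byte counts, flows are exported when they go idle or age out, and exported records can be aggregated on a subset of the key. The sample traffic (a web session, a DNS query and a SYN scan) is constructed, and the inactive/active timeout values are chosen for the example; NetFlow itself does not fix them.

```python
"""Flow cache on the NetFlow 7-tuple, an added illustration of the text.
Not ZSR code: packets and timeout values are constructed here."""
from collections import OrderedDict, namedtuple

FlowKey = namedtuple("FlowKey", "src dst sport dport proto tos ifindex")
Packet = namedtuple("Packet", "ts src dst sport dport proto tos ifindex length")


class FlowCache:
    def __init__(self, inactive_timeout=15.0, active_timeout=1800.0):
        self.inactive_timeout = inactive_timeout   # export when no packet for this long
        self.active_timeout = active_timeout       # export long-lived flows periodically
        self.flows = OrderedDict()                 # FlowKey -> record dict
        self.exported = []                         # finished flow records

    def add_packet(self, p: Packet) -> dict:
        key = FlowKey(p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.ifindex)
        rec = self.flows.get(key)
        if rec is None:
            rec = self.flows[key] = {"key": key, "first": p.ts, "last": p.ts,
                                     "packets": 0, "bytes": 0}
        rec["last"] = p.ts
        rec["packets"] += 1
        rec["bytes"] += p.length
        return rec

    def expire(self, now: float) -> int:
        """Export flows that are idle or have been active too long; return how many."""
        done = [k for k, r in self.flows.items()
                if now - r["last"] > self.inactive_timeout
                or now - r["first"] > self.active_timeout]
        for k in done:
            self.exported.append(self.flows.pop(k))
        return len(done)

    def flush(self):
        self.exported.extend(self.flows.values())
        self.flows.clear()


def aggregate(records, *fields):
    """Aggregate exported flow records on a subset of key fields, e.g. ('src', 'dst')."""
    out = {}
    for r in records:
        k = tuple(getattr(r["key"], f) for f in fields)
        agg = out.setdefault(k, {"packets": 0, "bytes": 0, "flows": 0})
        agg["packets"] += r["packets"]
        agg["bytes"] += r["bytes"]
        agg["flows"] += 1
    return out


# Constructed sample traffic: a web session, a DNS query, and a SYN scan
SAMPLE = [
    Packet(0.0, "10.1.0.7", "192.0.2.10", 51000, 80, 6, 0, 3, 60),
    Packet(0.1, "10.1.0.7", "192.0.2.10", 51000, 80, 6, 0, 3, 520),
    Packet(0.2, "10.1.0.7", "192.0.2.10", 51000, 80, 6, 0, 3, 60),
    Packet(0.3, "10.1.0.7", "192.0.2.53", 40001, 53, 17, 0, 3, 74),
] + [Packet(1.0 + i * 0.01, "203.0.113.9", "10.1.0.7", 6000 + i, port, 6, 0, 1, 44)
     for i, port in enumerate(range(20, 30))]


def run_sample() -> FlowCache:
    cache = FlowCache(inactive_timeout=5.0)
    for p in SAMPLE:
        cache.add_packet(p)
    cache.expire(now=7.0)          # everything has been idle for more than 5 s
    return cache
```

Aggregating the exported records on (src, dst) is what makes the scan stand out: ten single-packet flows of 44 bytes from one source to one destination, against one three-packet flow for the web session.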
3.14.7 Ethernet OAM
As IP bearer networks move to multi-service broadband, traditional Ethernet lacks carrier-class management capabilities such as detecting, alarming on and isolating Layer 2 network failures. SNMP-based network management can only manage link and device status; it cannot detect the end-to-end performance and status of a user's service, so when a network failure occurs it either cannot be located or cannot be located quickly enough.
When a router connects to a Layer 2 switch, the switch has no Layer 3 function, so the point-to-point link between them cannot be checked with ping. To solve this, ZXR10 ZSR supports the Ethernet OAM functions for point-to-point link detection: Ethernet OAM discovery, remote loopback and link monitoring.
Ethernet OAM discovery:
1. With Ethernet OAM enabled globally and on the interface, an interface working in active mode periodically sends OAMPDU protocol packets to the peer to start the OAM discovery process. The packets carry the local Ethernet OAM configuration and capability information.
2. When an OAMPDU response is received, the Ethernet OAM configuration parameters carried in the peer's packets are checked. The Ethernet OAM connection is established only if the configurations at both ends pass the check.
3. After the connection is established, both ends keep it alive with OAMPDU messages. If no OAMPDU is received from the peer within the timeout period, the connection is torn down automatically.
Ethernet OAM remote loopback:
Once the Ethernet OAM connection is established, a port working in active mode can initiate a remote loopback, and the peer responds to it. While a port is in remote loopback state, all non-loopback, non-OAMPDU packets are discarded. Remote loopback determines link quality by comparing the number of loopback test packets sent (automatically) by the local port with the number received back.
Ethernet OAM link monitoring:
This detects and discovers link-layer failures. When one side of the Ethernet OAM connection detects a link failure, it raises a local 'link event', records the fault and sends the event to the peer in an OAMPDU, and the peer records it as a remote link event.
4 System Architecture
4.1 Product Physical Structure
1 Front panel diagram of ZSR1800
Figure 4-1 Front panel of ZXR10 ZSR1809
Figure 4-2 Front panel of ZXR10 ZSR1822E
2 Front panel diagram of ZSR 2800
Figure 4-3 Front panel of ZXR10 ZSR 2842
3 Front panel diagram of ZSR 3800
Figure 4-4 Front panel of ZXR10 ZSR 3844
Figure 4-5 Front panel of ZXR10 ZSR 3884
4.2 Hardware Architecture
The ZXR10 ZSR hardware architecture integrates security, data compression, L2 switching, USB intelligent services and large-capacity network storage. It is a new series of equipment introduced by ZTE in response to the market requirement for service integration. The hardware is designed to realise different working modes, through the related hardware and software, according to users' configuration requirements.
Compared with similar products on the market, ZXR10 ZSR not only uses a modular design but also supports a wide range of interface speeds, from 300 bit/s at the low end to 1000 Mbit/s at the high end, meeting users' requirements for broadband upgrades.
The architecture and technology design takes account of radiation and EMC (electromagnetic compatibility) for both the modules and the whole device.
The three ZXR10 ZSR series are designed to be hardware compatible with each other. In view of the trend towards network service integration, the advanced V-BUS architecture provides a powerful hardware foundation for expanding the device's services:
1 The advanced V-BUS architecture ensures real-time wire-speed concurrency of multiple services and removes the system performance bottleneck caused by the single bus of traditional routers.
2 An industry-leading high-performance RISC processor drives network service processing.
3 Large-capacity, high-performance system memory and flash provide a stable foundation for deep processing of network services.
4 An embedded high-performance hardware security module fully meets users' security requirements.
5 A high-performance USB 2.0 interface module supports 3G WWAN and gives easy access to wireless services.
6 The modular hardware architecture is fully compatible across the series, which protects users' investment.
The core processing system of the ZXR10 ZSR router uses a high-performance RISC CPU and a proprietary ASIC architecture built on the V-BUS multi-bus architecture. With its modular design it meets users' different demands with the corresponding hardware or software. The relationships between the functional modules are shown below:
Figure 4-6 General architecture of the ZXR10 ZSR intelligent integrated multi-service router
According to the hardware architecture, the ZXR10 ZSR series routers consist of the following hardware processing modules:
Central processing module: a high-performance single-core or multi-core CPU running at up to 1.5 GHz. The system uses a high-performance DDR2 memory module providing memory throughput of up to 30 Gbps to meet the needs of network service processing. An encryption module and a data compression module embedded in the CPU greatly improve the performance of system encryption and data compression services. Fast internal switching between the CPU and these hardware modules avoids the bus bottleneck of external-bus encryption and compression modules and greatly improves service processing efficiency.
Fixed interface module: the base system provides 2 or 4 10/100/1000M Ethernet WAN interfaces.
USB service expansion module: the system provides USB 2.0 interfaces, leaving ample room for service expansion.
Large-capacity data storage unit: connected over a high-speed bus, the large-capacity storage module provides ample built-in storage for network security and service expansion applications such as equipment alarm logs, anomalous traffic logs, real-time capture of anomalous traffic, NAT logs, customised voice storage and an FTP server, solving the local storage limitations of traditional equipment.
Ethernet switching unit: the system embeds an Ethernet switching unit offering non-blocking switching capacity of up to 24 Gbps. It interconnects all slots directly, avoiding the inter-module exchange between Ethernet modules found in other equipment, and provides L3 to L7 services with a fast data path via the high-speed data bus and the system's internal switching modules, solving the problems of L2 data services.
Data service processing unit: the embedded data service processing module implements hardware-based large-capacity IPv4/IPv6 NAT.
Data security processing unit: the built-in data security processing module implements hardware-based IDS and IPS network security features.
4.3 Technical Specifications
By processing capability, the ZXR10 ZSR series comprises five products, meeting the requirements of enterprises with different network scale, performance and service feature needs.
Table 4-1 ZXR10 ZSR1800/2800/3800 series specifications and parameters
Parameter | ZSR1809 | ZSR1822E | ZSR2842 | ZSR3844 | ZSR3884
Model (AC) | RA-1809-AC | RA-1822E-AC | RA-2842-AC | RA-3844-AC | RA-3884-AC
Model (DC) | - | RA-1822E-DC | RA-2842-DC | RA-3844-DC | RA-3884-DC
Console port | 1 | 1 | 1 | 1 | 1
AUX port | - | 1 | 1 | 1 | 1
USB 2.0 interfaces | - | 2 | 2 | 2 | 2
Fixed Ethernet interfaces | 1×10/100/1000M WAN port and 8×10/100M ports (all usable as WAN interfaces) | 2×GE Combo ports | 2×GE Combo ports | 2×10/100M Fast Ethernet ports (electrical) + 2×GE Combo ports | 2×10/100M Fast Ethernet ports (electrical) + 2×GE Combo ports
Interface card slots | - | 2 | 4 | 4 | 8
Dimensions (W×H×D) | 360×44×287 mm | 442×44×320 mm | 442×86.1×420 mm | 442×86.1×420 mm | 442×130.5×420 mm
Weight | 3 kg | 5 kg | 10 kg | 10 kg | 15 kg
Maximum power consumption | 25 W | 60 W | 110 W | 120 W | 180 W
Heat dissipation | Silent design, no fan, natural cooling | AC: silent design, no fan, natural cooling; DC: forced air cooling | Forced air cooling | Forced air cooling | Forced air cooling
Power supply | AC 100~240 V (220 V/110 V), 50/60 Hz | AC 100~240 V (220 V/110 V), 50/60 Hz; DC -36~-72 V (-48 V) | AC 100~240 V (220 V/110 V), 50/60 Hz; DC -36~-72 V (-48 V); 1+1 redundant power supply | AC 100~240 V (220 V/110 V), 50/60 Hz; DC -36~-72 V (-48 V); 1+1 redundant power supply | AC 100~240 V (220 V/110 V), 50/60 Hz; DC -36~-72 V (-48 V); 1+1 redundant power supply
MTBF/MTTR | 20,000 hours / 0.5 hours (all models)
Temperature/humidity | Temperature -5~45 °C, humidity 20~90% (non-condensing) (all models)
Table 4-2 ZXR10 ZSR1800/2800/3800 series interface boards
Interface | Type
Ethernet | 2/4-port 10Base-T/100Base-TX interface; 8-port 100M L2 switching board; 1-port 100M optical + 4-port 100M electrical interface; 1-port 10/100/1000M electrical interface; 1-port 1000M SFP optical interface
Serial | 8-port asynchronous serial interface card (V.24)
E1 | 1/2/4/8-port channelized E1 interfaces (75/120 Ω); 1/2/4/8-port unchannelized E1 interfaces (75/120 Ω)
POS | 1-port channelized OC-3/STM-1 POS interface
xDSL | 1-port ADSL interface
WWAN | 3G WWAN (USB modem)
Service card | Network data encryption card (NDEC)
5 Typical Networking
5.1 Access Router
With its rich interfaces, ranging from low-speed and high-speed interfaces to 3G, and its support for L2TP/GRE/IPsec VPN and MPLS VPN services, ZSR greatly improves network flexibility. It is used as the access router for enterprise headquarters, branch offices, business offices and mobile offices.
Figure 5-1 ZSR router is used as Access router
5.2 Egress and Security Gateway of Enterprises
The built-in high-performance NAT service supports dual NAT egresses, with policy routing used for load balancing. ZSR has a built-in firewall, and its software and hardware are designed for security, which effectively protects the egress gateway and the intranet. ZSR supports IPv4/IPv6 dual stack. It is used as the egress and security gateway for enterprise networks, campus networks and data center networks.
Figure 5-2 ZSR router is used as Egress and Security Gateway of Enterprises