Oct 27, 2007

IS-IS LSP (Link-State Packet) Header

Appendix A. IS-IS Packet Formats

IS-IS Packet Fields (Alphabetical Order)

  • ATT— Attachment Bits (Flags attachment to other areas)
  • Checksum— Checksum of contents of LSP from source ID field to the end
  • Circuit Type— Defines whether link is Level-1 and Level-2
  • End LSP— LSP ID of last LSP in CSNP
  • Holding Time— Defines how long to wait for a hello from this system before clearing the adjacency
  • ID Length— Length of the System ID field in an NSAP (NET)
  • Intradomain Routing Protocol Discriminator— Network layer protocol identifier
  • IS Type— Defines type of router, Level-1 or Level-2
  • LAN ID— LAN identifier; consists of the System ID of the designated intermediate system plus a unique number
  • Length Indicator— Length of the fixed header of the packet in bytes
  • Local Circuit ID— Unique identifier for a link
  • LSP ID— Identifier for router's LSP, consisting of the System ID of the router, fragment number, and a nonzero octet for pseudonode number in case of pseudonode LSP
  • Maximum Area Addresses— Number of areas permitted
  • OL— LSP overload bit (also represented as LSPDBOL)
  • P— Partition repair bit
  • PDU Length— Length of packet (PDU) in bytes
  • PDU Type— Type of packet
  • Priority— Priority for node for DIS arbitration
  • R— See Reserved
  • Remaining Lifetime— Remaining time for an LSP to expire
  • Reserved— Unspecified fields, transmitted as 0s and ignored on receipt
  • Sequence Number— Sequence number of LSP
  • Source ID— Same as system identifier (SysID)
  • TLV Fields— Type (or code), Length and Value fields, also known as variable-length fields
  • Version/Protocol ID Extension— Of the IS-IS protocol (defined as 1)
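As an added example (not part of the original appendix), the following Python decodes the fixed LSP header fields listed above and verifies the Fletcher checksum that covers the LSP from the LSP ID (Source ID) field to the end of the PDU. The constructed sample LSP, its System ID and the field offsets assume the default ID Length of 6.

```python
import struct
from dataclasses import dataclass

PROTO_DISCRIMINATOR = 0x83    # Intradomain Routing Protocol Discriminator for IS-IS
PDU_TYPE_L1_LSP, PDU_TYPE_L2_LSP = 18, 20
LSP_FIXED_HEADER_LEN = 27     # 8-octet common header + 19-octet LSP header
CHECKSUM_START = 12           # offset of LSP ID: the checksum covers LSP ID .. end of PDU
CHECKSUM_OFFSET = 24          # offset of the 2-octet Checksum field within the PDU

@dataclass
class LspHeader:
    pdu_type: int
    pdu_length: int
    remaining_lifetime: int
    system_id: str
    pseudonode_id: int       # nonzero only for a pseudonode LSP
    lsp_number: int          # fragment number
    sequence_number: int
    checksum: int
    partition_repair: bool   # P bit
    att_bits: int            # ATT: the four attachment bits
    overload: bool           # OL bit (LSPDBOL)
    is_type: int             # 1 = Level-1, 3 = Level-1 and Level-2

def fletcher_sums(data: bytes):
    """Running Fletcher sums from ISO 8473 Annex C, both modulo 255."""
    c0 = c1 = 0
    for b in data:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0, c1

def fletcher_checksum(data: bytes, pos: int) -> int:
    """Checksum octets to be stored at 1-based positions pos and pos+1 of data."""
    zeroed = bytearray(data)
    zeroed[pos - 1] = zeroed[pos] = 0
    c0, c1 = fletcher_sums(zeroed)
    n = len(data)
    x = ((n - pos) * c0 - c1) % 255
    y = (c1 - (n - pos + 1) * c0) % 255
    # a zero octet is sent as 255 so that 0x0000 can mean "no checksum computed"
    return ((x or 255) << 8) | (y or 255)

def parse_lsp(pdu: bytes) -> LspHeader:
    """Decode the common and LSP headers; reject anything that is not a well-formed LSP."""
    if len(pdu) < LSP_FIXED_HEADER_LEN:
        raise ValueError("PDU shorter than the fixed LSP header")
    (disc, length_ind, version_ext, id_len, type_byte,
     version, _reserved, _max_areas) = struct.unpack_from("!8B", pdu, 0)
    if disc != PROTO_DISCRIMINATOR or version_ext != 1 or version != 1:
        raise ValueError("not an IS-IS version 1 PDU")
    pdu_type = type_byte & 0x1F           # the top three bits of this octet are reserved
    if pdu_type not in (PDU_TYPE_L1_LSP, PDU_TYPE_L2_LSP):
        raise ValueError(f"PDU type {pdu_type} is not an LSP")
    if id_len not in (0, 6) or length_ind != LSP_FIXED_HEADER_LEN:   # 0 means the default 6
        raise ValueError("unsupported ID Length or Length Indicator")
    pdu_length, lifetime = struct.unpack_from("!HH", pdu, 8)
    if not LSP_FIXED_HEADER_LEN <= pdu_length <= len(pdu):
        raise ValueError("PDU Length inconsistent with the bytes received")
    sys_id = pdu[12:18].hex()
    seq, cksum, flags = struct.unpack_from("!IHB", pdu, 20)
    return LspHeader(
        pdu_type=pdu_type, pdu_length=pdu_length, remaining_lifetime=lifetime,
        system_id=".".join(sys_id[i:i + 4] for i in range(0, 12, 4)),
        pseudonode_id=pdu[18], lsp_number=pdu[19], sequence_number=seq, checksum=cksum,
        partition_repair=bool(flags & 0x80), att_bits=(flags >> 3) & 0x0F,
        overload=bool(flags & 0x04), is_type=flags & 0x03,
    )

def checksum_valid(pdu: bytes) -> bool:
    """True only for a well-formed LSP whose Fletcher sums over LSP ID .. end both come out zero."""
    try:
        hdr = parse_lsp(pdu)
    except ValueError:
        return False
    if hdr.checksum == 0:
        return False          # ISO convention: zero means no checksum was computed
    c0, c1 = fletcher_sums(pdu[CHECKSUM_START:hdr.pdu_length])
    return c0 == 0 and c1 == 0

def build_sample_lsp() -> bytes:
    """Constructed Level-2 LSP, fragment 0, from 1921.6800.0001, OL set, one Area Address TLV."""
    tlvs = bytes([1, 4, 3, 0x49, 0x00, 0x01])                # TLV type 1: area 49.0001
    pdu_len = LSP_FIXED_HEADER_LEN + len(tlvs)
    common = bytes([PROTO_DISCRIMINATOR, LSP_FIXED_HEADER_LEN, 1, 0, PDU_TYPE_L2_LSP, 1, 0, 0])
    lsp_id = bytes.fromhex("192168000001") + bytes([0, 0])   # System ID, pseudonode 0, fragment 0
    flags = 0x04 | 0x03                                      # OL bit set, IS Type = L1 and L2
    pdu = bytearray(common + struct.pack("!HH", pdu_len, 1200) + lsp_id
                    + struct.pack("!IHB", 42, 0, flags) + tlvs)
    cksum = fletcher_checksum(bytes(pdu[CHECKSUM_START:pdu_len]),
                              CHECKSUM_OFFSET - CHECKSUM_START + 1)
    struct.pack_into("!H", pdu, CHECKSUM_OFFSET, cksum)
    return bytes(pdu)
```

A receiver that applies these checks before touching the TLVs refuses truncated, mis-typed or corrupted LSPs instead of installing them in the link-state database.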

Cisco Segmented Generalized Multiprotocol Label Switching (GMPLS)

A primary component of the Cisco Systems® IP over Dense Wavelength-Division Multiplexing (IPoDWDM) solution for the IP Next-Generation Network (IP NGN) is the simplification of end-to-end control between IP and DWDM networks. To alleviate high operational expenses (OpEx), increase speed for carrier service activations, and eliminate cumbersome and disparate manual provisioning methods at the transport layer, Cisco® has introduced a new cost-effective and efficient solution based on Generalized Multiprotocol Label Switching (GMPLS). This solution enables both optical and IP devices to dynamically find, identify, and provision optimal paths based on user traffic requirements. Called the Segmentation model of GMPLS (S-GMPLS), this new GMPLS model is a hybrid of current approaches that overcomes several daunting obstacles by allowing both IP and optical networks to maintain their existing segmented administration environments. S-GMPLS allows providers to keep the topology of the IP routing domain isolated from the topology of the optical domains, providing a new way to deploy and realize the benefits of GMPLS while respecting these different organizational boundaries or domains.
This paper presents details of S-GMPLS, an innovative technology from Cisco Systems developed for service providers in their optical networks that utilizes the power of IP/GMPLS control protocols for autoconfiguration of optical wavelengths and separates IP routing and optical network domains to respect those diverse organizational boundaries.
GMPLS is a proposed IETF standard designed to simplify the creation and management of IP/MPLS services over optical networks. The standard would create a single control plane that extends from IP at Layer 3 right down to the optical transport level at Layer 1.
Since service providers first began transporting IP traffic, an extremely complex, multilayered overlay architecture has evolved to do the job of carrying IP traffic over networks that were originally designed to support voice and fixed circuits technology. Yet today, with the rapid growth of IP traffic promoted by the rapid increase in broadband access, new applications, and new services, these complex overlay networks cannot support rapid service provisioning, dynamic bandwidth management, and flexible service creation to meet user demand.
GMPLS was developed as a unified control plane that extends intelligent IP/MPLS connections from Layer 2 and Layer 3 all the way to Layer 1 optical devices. Unlike MPLS, which is supported mainly by routers and switches, GMPLS can also be supported by optical platforms, including SONET/SDH, optical cross-connects (OXCs), and DWDM. GMPLS therefore allows an entire network infrastructure, from access networks to core networks, to use a common control plane. Establishing a path to enable optical elements within the transport network to become peers of the routers in the IP network and being able to autoprovision wavelengths driven by the IP control plane can translate to significant savings in operational costs because the networks can cooperatively handle fault correlation in real time. Additionally, service provisioning can also be greatly accelerated.
Until recently there were two basic methods proposed for deploying GMPLS: the peer model and the overlay model, which are discussed later in this paper. Both of these have shortcomings that have impeded adoption of GMPLS by service providers.
Now service providers have a better alternative, Cisco S-GMPLS.
S-GMPLS internetworks with the Automatically Switched Optical Network (ASON) architecture (G.8080) developed by the ITU. ASON, shown in one of many possible implementations of global optical connection control in Figure 1, is a dynamic signaling-based, policy-driven control solution over optical and SONET networks through a distributed or partially distributed control plane that provides autodiscovery and dynamic connection setup.
Figure 1. ASON Architecture for Global Optical Connection Control
Source: ITU pamphlet.
ASON enables improved support for end-to-end provisioning, rerouting, and restoration; new transport services, including bandwidth on demand; rapid service restoration for disaster recovery; switched connections in a private network; and support for a wide range of narrowband and broadband signaling types. The user network interface (UNI) is responsible for signaling operations between end-user and service provider administrative domains. The external network-to-network interface (E-NNI) provides multicontrol domain operations for a single service provider and multicontrol domain operations between different service providers. The visibility of the inner structure of the administrative domain is controlled by the policy of the service provider. The internal network-to-network interface (I-NNI) provides intracontrol domain operation. Finally, the OXC system is an electrical or photonic matrix for switching wavelengths.
Cisco S-GMPLS is an excellent solution for the I-NNI and E-NNI portions of the ASON architecture.
GMPLS Operation and Deployment Challenges
GMPLS extends MPLS functionality with the enhancement of forwarding, traffic engineering, and quality-of-service (QoS) capabilities of packet-based networks by creating virtual label-switched paths (LSPs) across a network of label switching routers (LSRs) to optical network devices utilizing time-division multiplexing (TDM), fiber switching, and lambda switching. In a GMPLS network it is therefore possible to find and provision end-to-end paths that traverse different networks. For example, a packet/cell-based LSP can be nested in a TDM-based LSP for transport over a SONET network. The TDM-based LSP can similarly be nested in a lambda-based LSP for transport over a wavelength network. Multiple lambda switch-capable LSPs can be nested within a fiber switch-capable LSP set up between two fiber switching elements. This forwarding hierarchy of nested LSPs allows service providers to transparently send different types of traffic over various types of network segments.
GMPLS introduces Link Management Protocol (LMP) to manage and maintain the health of the control and data planes between two neighboring nodes. LMP is an IP-based protocol that includes extensions to the Resource Reservation Protocol Traffic Engineering (RSVP-TE) and Constraint-Based Label Distribution Protocol (CR-LDP) signaling protocols.
GMPLS provides the ability to automate many of the network functions that are directly related to operational complexities, including:
• End-to-end provisioning of services
• Network resource discovery
• Bandwidth assignment
• Service creation

Traffic engineering parameters relating to SONET protection support, available bandwidth, route diversity, and QoS are distributed throughout the network. This allows every node in the network to have full visibility and configuration status of every other node. This ultimately provides an intelligent optical network.
As service providers introduce new network elements into their networks, add or remove facilities, or turn up new circuits, the control plane will automatically distribute and update the network with the new information. Contrast this with the operationally intensive manual upgrades and updates performed today. Provisioning of connections often requires a substantial amount of coordination among operations staff located throughout the network. Capacity is assessed, optimal connection and restoration paths are determined, and the connection must be fully tested after it is established.
In contrast with operationally intensive manual upgrades and updates, GMPLS uses advanced routing features, including the Open Shortest Path First (OSPF) protocol and Intermediate System-to-Intermediate System (IS-IS) protocol and signaling protocols such as RSVP and CR-LDP to build intelligence into the network. The network can then effectively self-discover to dynamically advertise the availability or lack of availability of resources. With such capabilities, multihop connections with optical routes and backup paths can be established in a single provisioning step.
GMPLS Peer Model Deployment
In the peer model instance of GMPLS, an NNI allows the IP/MPLS layer to operate as a full peer of the optical transmission layer, as noted in Figure 2. Specifically, the IP routers are able to determine the entire path of the connection, including passing through the optical cross connects and SONET/SDH optical devices.
Figure 2. Peer GMPLS Topology
• Routers and optical transport network (OTN) nodes in same network act as peers
• Single instance of a control plane for addressing, routing, signaling, etc.
• More efficient interaction between IP and optical nodes for faster provisioning and optimal path selection
• Applicable to single administrative domain
One of the major challenges for the full peer model deployment can be the lack of separation of administrative organizational boundaries between the routed and optical domains. All of the network elements have to be in a single administrative domain. This can be a problem if there are separate administrative groups (transport and data) within a service provider's domain or where multiple service providers may be involved. Where optical transport and ISP networks are operated by the same entity, no such separation is required, and the peer model may be suitable.
Another potential challenge with the GMPLS peer model is that it results in the exposure of control and topology information on the transport network between the transport and data groups or between the service provider and customers. This can create both security and operational risks. Today two different organizations are responsible for optical and IP networks in many service provider organizational structures, each with longstanding practices, procedures, and infrastructures. The full peer model assumes the abrupt convergence of technologies and administrative control, an often unsettling organizational challenge.
The full peer model also requires that all of the transport nodes be able to run the full GMPLS protocol suite to interoperate. This would be a significant burden on some of the existing transport equipment, which was designed with manual provisioning in mind. Also, any upgrade would require the entire network or significant part to be down and unavailable as every device is upgraded, another challenge that is not easily manageable in service provider environments.
GMPLS Overlay Deployment Model
In the overlay model of GMPLS, also called a user-to-network interface (UNI), the router is a client to the optical domain and interacts only with the optical node that is directly adjacent to it (Figure 3). The physical light path is decided by the optical network and not by the router.
Figure 3. Overlay GMPLS Topology
• Two Administrative Domains
• Optical Service Provider
• Internet Service Provider
• No Exchange of Routing and Topology Information between Optical and IP Networks
• Routers do not see optical transport topology and vice-versa

The goal for the overlay model is to define a signaling message to provision a circuit from a point of presence (POP) in one IP network to an optical network endpoint or through an optical network to another POP in an IP network. On the UNI no routing protocol is running; it is just a signaling interface.
To overcome the limitations of GMPLS overlay and peer models, Cisco has developed S-GMPLS, which combines the best of both topologies. In the S-GMPLS model, only border routers receive information from the optical devices and from other routers (Figure 4). The border routers in the four corners between the optical network (dotted lines) and the IP network (solid lines) maintain both routing and optical topology information. Routers in the IP cloud only maintain topology information for their region, and optical devices only maintain optical topologies within the optical network segment.
Figure 4. S-GMPLS Topology
• Border routers receive routing information from the optical devices as well as router
• Border router keeps the optical and router domain topology information in separate routing tables
• No routing information from the router region is carried into the optical region
The border routers use secure domain logical router instances to shield and segment the topology information between the IP domain and the optical domain. They act as gatekeepers between the two and enable a segmented administrative boundary that helps ensure management separation between the two networks, while still unifying the control plane aspects of the two networks. S-GMPLS is now available in Cisco IOS® XR Software on Cisco platforms, including the Cisco Carrier Routing System 1 (CRS-1), and the Cisco XR 12000 Series Routers, allowing optical and IP network administrators to each manage their own end devices as the networks gain a single intelligent IP and optical control plane. The border router has separate instances for IP and optical topologies but does not leak information to either side. Instead, the border router handles routing and signaling for a region, moving traffic back and forth across the border of the networks in a manner similar to how service providers peer in IP networks today. The border router keeps the optical and routing domain topology information in a separate topology database through the use of secure domain routing instances on the border routers. Administrative control of the secure domain routing instances can be provided through both in-band and out-of-band management.
S-GMPLS uses the strengths of the peer model while respecting the separateness of IP and optical administrative domains. Service providers have the choice of supporting either integrated or separated operations groups depending on organizational needs. S-GMPLS brings the benefits of MPLS for efficient use of resources and consistent path selection in a heterogeneous network of routers and optical devices. It also simplifies fault handling. To make the transition to GMPLS smoother and easier for service providers, S-GMPLS allows for incremental deployment of optical regions with little or no reconfiguration of the router region required, making GMPLS more deployable within service providers and allowing control of capital expenditures.
A comparison of the three GMPLS models in Figure 5 shows how Cisco S-GMPLS borrows the best features of the other models while engineering around one of the primary problems that has slowed GMPLS adoption.
Figure 5. Comparison of GMPLS Models
An important element of the Cisco IPoDWDM solution is reconfigurable optical add/drop multiplexers (ROADMs), which integrate photonic switching into optical multiplexers. ROADMs can provide automated patching capabilities alongside S-GMPLS, which will provide automated provisioning capabilities from an end-to-end perspective across both IP routing and optical platforms.
Standards Framework Applicability
Table 1 shows the protocol perspectives of the ASON framework. Today there are two applicable standards for UNI: Optical Internetworking Forum UNI (OIF-UNI) and GMPLS-UNI. In the context of S-GMPLS, when considering client layers with intra-service provider and inter-service provider networks, GMPLS-UNI is a preferred choice for UNI because the protocols are drawn from one standards organization, the IETF. Use of OIF-UNI introduces compatibility issues to interoperate with S-GMPLS because the original RSVP-TE signaling protocol in Overlay UNI (O-UNI) is modified and departs from the IETF RSVP-TE RFC.
Table 1. Comparison of GMPLS Models
ASON Framework
Inter service provider (wholesale), service provider to customer
Intra service provider
Intra service provider, inter service provider
Service provider to customer
The deployment of Cisco S-GMPLS will alleviate many of the challenges currently faced with integrated IP and optical network services by making GMPLS more deployable. It brings the opportunity for new service provider revenue with new service offerings such as Gigabit Ethernet, networked storage, video streaming, and VPNs across both network types that can be rapidly provisioned in a more flexible manner while reducing the operational complexity for the service provider. Instead of investing in multiple new networks with differing control architectures that are complex to interoperate and manage and have questionable long-term operational benefits, service providers can now deploy a new-generation architecture, S-GMPLS, that is simple, efficient, and automated.
Cisco and NTT Com recently announced that they have successfully demonstrated on-demand network settings and automatic fault recovery between Tokyo and Osaka by utilizing S-GMPLS technology, available on Cisco XR 12000 Series Routers. In the experiment, NTT deployed the S-GMPLS control plane on Cisco XR 12000 Series Routers over a wide-area SDH optical network to demonstrate autonomous network settings. The testing succeeded in running conventional fixed redundant switchover functions and autonomous rerouting functions using S-GMPLS.

Multicast VPNs (MVPN)

Multicast VPNs (mVPNs) provide a scalable architecture to enable multicast in an RFC 2547 Layer 3 Multiprotocol Label Switching (MPLS) VPN environment.
Originally derived from tag switching, MPLS uses labels to combine the intelligence of routing with the high performance of switching. MPLS VPNs are a natural extension of MPLS and are often used by service providers to offer VPN services over a shared infrastructure. MPLS VPNs operate based on label stacks.
Despite the advantage of label stacking and the ability to decouple routing from forwarding for unicast traffic, MPLS VPNs did not address how to handle multicast traffic. As a result, the only available solution for delivery of IP multicast video, voice, and data over a deployed Layer 3 MPLS VPN was to statically configure point-to-point GRE tunnels between Customer Edge (CE) routers. As the number of CE routers increased, the number of point-to-point GRE tunnels required to maintain a full mesh of CEs quickly became unmanageable. A more scalable solution was required.
Cisco IOS Multicast VPNs address the inherent scalability issues of using fully meshed point-to-point GRE tunnels by introducing the concept of Multicast Tunnel Interfaces (MTIs) and Multicast Distribution Trees (MDTs).
MTIs use GRE encapsulation; however, they fundamentally differ from traditional point-to-point GRE tunnels in that they use multicast rather than unicast destination addresses. The multicast destination address used by an MTI is what allows a Provider Edge (PE) router to map customer multicast traffic (C-packets) to provider multicast traffic (P-packets).

Figure 21. Example of MTI Encapsulation

MVPN uses two types of MDTs in the MPLS core. Each serves a different purpose:
• Default-Multicast Distribution Tree (MDT): a permanently established (nailed-up) tree used for maintaining PIM adjacencies between PE routers and carrying low-rate multicast traffic.

• Data-MDT: dynamic tree used for high-rate multicast traffic; unlike the Default-MDT, this tree is built only as needed between the source PE and PEs with interested receivers.

Figure 22. Example of Default-MDT

Figure 23. Example of Data-MDT

Layer 2 VPN Architectures: Understanding Any Transport over MPLS


Understanding AToM Operations

In Chapter 3, you learned how AToM achieves a high degree of scalability by using the MPLS encoding method. You also read an overview of LDP in the previous section. Reading through this section, you will develop a further understanding of how MPLS encapsulation, LDP signaling, and pseudowire emulation work together.

The primary tasks of AToM include establishing pseudowires between provider edge (PE) routers and carrying Layer 2 packets over these pseudowires. The next sections cover the operations of AToM from the perspectives of both the control plane and the data plane as follows:

  • Pseudowire label binding
  • Establishing AToM pseudowires
  • Control word negotiation
  • Using sequence numbers
  • Pseudowire encapsulation

Pseudowire Label Binding
An AToM pseudowire essentially consists of two unidirectional LSPs. Each is represented by a pseudowire label, also known as a VC label. The pseudowire label is part of the label stack encoding that encapsulates Layer 2 packets going over AToM pseudowires. Refer to Chapter 3 for an overview of an AToM packet.

The label distribution procedures that are defined in LDP specifications distribute and manage the pseudowire labels. To associate a pseudowire label with a particular Layer 2 connection, you need a way to represent such a Layer 2 connection. The baseline LDP specification only defines Layer 3 FECs. Therefore, the pseudowire emulation over MPLS application defines a new LDP extension—the Pseudowire ID FEC element—that contains a pseudowire identifier shared by the pseudowire endpoints. Figure 6-8 depicts the Pseudowire ID FEC element encoding.

Figure 6-8 Pseudowire ID FEC Element

The Pseudowire ID FEC element has the following components:

  • Pseudowire ID FEC—The first octet has a value of 128 that identifies it as a Pseudowire ID FEC element.
  • Control Word Bit (C-Bit)—The C-bit indicates whether the advertising PE expects the control word to be present for pseudowire packets. A control word is an optional 4-byte field located between the MPLS label stack and the Layer 2 payload in the pseudowire packet. The control word carries generic and Layer 2 payload-specific information. If the C-bit is set to 1, the advertising PE expects the control word to be present in every pseudowire packet on the pseudowire that is being signaled. If the C-bit is set to 0, no control word is expected to be present.
  • Pseudowire Type—PW Type is a 15-bit field that represents the type of pseudowire. Examples of pseudowire types are shown in Table 6-1.
  • Pseudowire Information Length—Pseudowire Information Length is the length of the Pseudowire ID field and the interface parameters in octets. When the length is set to 0, this FEC element stands for all pseudowires using the specified Group ID. The Pseudowire ID and Interface Parameters fields are not present.
  • Group ID—The Group ID field is a 32-bit arbitrary value that is assigned to a group of pseudowires.
  • Pseudowire ID—The Pseudowire ID, also known as VC ID, is a non-zero, 32-bit identifier that distinguishes one pseudowire from another. To connect two attachment circuits through a pseudowire, you need to associate each one with the same Pseudowire ID.
  • Interface Parameters—The variable-length Interface Parameters field provides attachment circuit-specific information, such as interface MTU, maximum number of concatenated ATM cells, interface description, and so on. Each interface parameter uses a generic TLV encoding, as shown in Figure 6-9.

Table 6-1 Pseudowire Types
Pseudowire Type Description
0x0001 Frame Relay data-link connection identifier (DLCI)
0x0002 ATM AAL5 service data unit (SDU) virtual channel connection (VCC)
0x0003 ATM Transparent Cell
0x0004 Ethernet VLAN
0x0005 Ethernet
0x0006 High-Level Data Link Control (HDLC)
0x0007 PPP

Figure 6-9 Interface Parameter Encoding

Even though LDP allows multiple FEC elements encoded into an FEC TLV, only one FEC element—the Pseudowire ID FEC element—exists in each FEC TLV for the pseudowire emulation over MPLS application.
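Added example, not taken from the book: a Python encoder and decoder for the Pseudowire ID FEC element of Figure 6-8, covering the C-bit, the 15-bit PW Type, the wildcard form with Pseudowire Information Length 0, and the interface parameter sub-TLVs of Figure 6-9. The interface parameter IDs, the constructed sample pseudowire and the compatibility check are assumptions made for this example.

```python
import struct
from dataclasses import dataclass, field

PWID_FEC_TYPE = 0x80            # first octet 128 identifies a Pseudowire ID FEC element
PW_TYPE_NAMES = {0x0001: "Frame Relay DLCI", 0x0002: "ATM AAL5 SDU VCC",
                 0x0003: "ATM Transparent Cell", 0x0004: "Ethernet VLAN",
                 0x0005: "Ethernet", 0x0006: "HDLC", 0x0007: "PPP"}
IFP_MTU, IFP_MAX_ATM_CELLS, IFP_DESCRIPTION = 0x01, 0x02, 0x03   # interface parameter IDs (assumed, per RFC 4446)

@dataclass
class PwIdFec:
    control_word: bool      # C-bit: advertising PE expects a control word on every packet
    pw_type: int            # 15-bit PW Type, see Table 6-1
    group_id: int           # 32-bit arbitrary group value
    pw_id: int              # VC ID; 0 only in the wildcard form (PW info length 0)
    interface_params: list = field(default_factory=list)   # [(parameter id, value bytes), ...]

def encode_pwid_fec(fec: PwIdFec) -> bytes:
    if not 0 <= fec.pw_type < 2 ** 15:
        raise ValueError("PW Type is a 15-bit field")
    params = bytearray()
    for pid, value in fec.interface_params:
        if len(value) > 253:
            raise ValueError("interface parameter value too long")
        params += bytes([pid, 2 + len(value)]) + value     # Length covers the ID and Length octets
    c_and_type = (0x8000 if fec.control_word else 0) | fec.pw_type
    if fec.pw_id == 0 and not params:
        # wildcard: stands for every pseudowire in the group; PW ID and parameters are omitted
        return struct.pack("!BHBI", PWID_FEC_TYPE, c_and_type, 0, fec.group_id)
    if not 0 < fec.pw_id < 2 ** 32:
        raise ValueError("Pseudowire ID must be a non-zero 32-bit value")
    info_len = 4 + len(params)                             # PW ID octets + interface parameters
    if info_len > 255:
        raise ValueError("PW info length does not fit in one octet")
    fixed = struct.pack("!BHBII", PWID_FEC_TYPE, c_and_type, info_len, fec.group_id, fec.pw_id)
    return fixed + bytes(params)

def decode_pwid_fec(data: bytes) -> PwIdFec:
    if len(data) < 8:
        raise ValueError("element shorter than the fixed part")
    fec_type, c_and_type, info_len, group_id = struct.unpack_from("!BHBI", data, 0)
    if fec_type != PWID_FEC_TYPE:
        raise ValueError(f"FEC element type {fec_type} is not Pseudowire ID (128)")
    fec = PwIdFec(bool(c_and_type & 0x8000), c_and_type & 0x7FFF, group_id, 0)
    if info_len == 0:
        return fec                                         # wildcard form
    if info_len < 4 or len(data) < 8 + info_len:
        raise ValueError("PW info length inconsistent with element size")
    fec.pw_id = struct.unpack_from("!I", data, 8)[0]
    if fec.pw_id == 0:
        raise ValueError("Pseudowire ID must be non-zero")
    body, i = data[12:8 + info_len], 0
    while i < len(body):                                   # walk the interface parameter sub-TLVs
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed interface parameter sub-TLV")
        fec.interface_params.append((body[i], bytes(body[i + 2:i + body[i + 1]])))
        i += body[i + 1]
    return fec

def interface_mtu(fec: PwIdFec):
    """Interface MTU parameter (two octets), or None when the PE did not advertise one."""
    for pid, value in fec.interface_params:
        if pid == IFP_MTU and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None

def pseudowire_compatible(local: PwIdFec, remote: PwIdFec) -> bool:
    """Both ends must name the same pseudowire, the same type and the same MTU."""
    return (local.pw_id == remote.pw_id and local.pw_type == remote.pw_type
            and interface_mtu(local) == interface_mtu(remote))

def sample_mapping() -> bytes:
    """Constructed Ethernet VLAN pseudowire, VC ID 100, control word requested, MTU 1500."""
    fec = PwIdFec(True, 0x0004, 0, 100,
                  [(IFP_MTU, struct.pack("!H", 1500)), (IFP_DESCRIPTION, b"to-CE1")])
    return encode_pwid_fec(fec)
```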




RFC 3270 presents three modes of MPLS/DiffServ marking for service providers:

1) Uniform Mode: SP can remark customer DSCP values


Understanding Selective Packet Discard (SPD)


SPD State Check
The IP process queue on the RP is divided into two parts: a general packet queue and a priority queue. Packets put in the general packet queue are subject to the SPD state check; those put in the priority queue are not. Packets that qualify for the priority queue are high-priority packets, such as those with IP precedence 6 or 7, and should never be dropped. The non-qualifiers, however, can be dropped depending on the length of the general packet queue, which determines the SPD state. The general packet queue can be in three states, and low-priority packets are serviced differently in each:

  • NORMAL: queue size <= min
  • RANDOM DROP: min <= queue size <= max
  • FULL DROP: max <= queue size

In the NORMAL state, no packets are dropped, whether well-formed or malformed.

In the RANDOM DROP state, we randomly drop well-formed packets. If aggressive mode is configured, we drop all malformed packets; otherwise, we treat them as well-formed packets.

In the FULL DROP state, we drop all well-formed and malformed packets. These minimum (default 73) and maximum (default 74) values are derived from the smallest hold-queue on the chassis, but can be overridden with the global commands ip spd queue min-threshold and ip spd queue max-threshold.




3) Short Pipe Mode (shown below):

SP does not remark customer DSCP values (SP uses independent MPLS EXP markings); final PE-to-CE policies are based on customer’s markings


Layer Two Tunneling Protocol - Version 3 (L2TPv3)


4.1.1. L2TPv3 over IP

L2TPv3 over IP (both versions) utilizes the IANA-assigned IP protocol ID 115.


AToM Traffic Encapsulation (Control Word)

Layer 2 Circuit Concept

The Layer 2 circuit framework requires LDP to be used as the signaling protocol for advertising ingress labels. In most cases, it is not necessary to transport the Layer 2 encapsulation across the network; rather, the Layer 2 header can be stripped at one PE router, and reproduced at the egress PE router. Such Layer 2 information is carried in a special Layer 2 circuit header called a control word.

In the Layer 2 circuit IETF drafts, the control word is optional for most Layer 2 protocols, except Frame Relay and ATM AAL5 where it is required. However, in JUNOS Release 5.6 and later, a control word for all forms of Layer 2 circuits is sent by default. If you are establishing a Layer 2 circuit between a router running JUNOS Release 5.5 or earlier and a router running JUNOS Release 5.6 or later, use of the control word is negotiated automatically.

The Layer 2 protocols that are supported for Layer 2 circuits are:

  • ATM cell-relay mode and ATM Adaptation Layer 5 (AAL5) mode on ATM2 Intelligent Queuing (IQ) interfaces
  • Cisco High-Level Data Link Control (HDLC), Frame Relay, and PPP on SONET/SDH-based interfaces
  • Ethernet, VLAN, and Extended VLAN on Ethernet-based interfaces

For an Ethernet 802.1q VLAN or simple Ethernet, the entire Ethernet frame without the preamble or frame check sequence (FCS) is transported. For ATM cell-relay mode, ATM cells are transported without a SAR process. For Cisco HDLC, the frame is transported in its entirety except for HDLC flags and the FCS. For PPP, the frame is transported in its entirety except for any media-specific framing information.

For most protocols, a null control word consisting of all zeroes is sent between Layer 2 circuit neighbors. However, individual bits are available in a control word that can carry Layer 2 protocol control information. The control information is mapped into the control word, which allows the header of a Layer 2 protocol to be stripped from the frame. The remaining data and control word can be sent over the Layer 2 circuit, and the frame can be reassembled with the proper control information at the egress point of the circuit.

The Layer 2 protocols that map Layer 2 control information into special bit fields in the control word are as follows:

  • Frame Relay—This control word supports the transport of discard eligible (DE), forward explicit congestion notification (FECN), and backward explicit congestion notification (BECN) information. (For configuration information, see Option: Map Layer 2 Protocol Control Information into a Layer 2 Circuit.)
  • ATM AAL5 mode—This control word supports the transport of sequence number processing, ATM cell loss priority (CLP), and explicit forward congestion indication (EFCI) information. When you configure an AAL5 mode Layer 2 circuit, the control information is carried by default and no additional configuration is needed.
  • ATM cell-relay mode—This control word supports sequence number processing only. When you configure a cell-relay mode Layer 2 circuit, the sequence number information is carried by default and no additional configuration is needed.

MPLS TE Tunnel


After having established the TE tunnel, the next step in deploying MPLS-TE is to direct traffic down the TE tunnel. Directing traffic down a TE tunnel can be done by one of the following four methods:

  • Autoroute—The TE tunnel is treated as a directly connected link to the tail; no IGP adjacency is run over the tunnel. Unlike an ATM/FR VC, autoroute is limited to a single area/level only.
  • Forwarding adjacency—With autoroute, the LSP is not advertised into the IGP, and this is the correct behavior if you are adding TE to an IP network. However, it might not be appropriate if you are migrating from ATM/FR to TE. Sometimes advertising the LSP into the IGP as a link is necessary to preserve the routing outside the ATM/FR cloud.
  • Static routes
  • Policy routing


MPLS Label Stacking


Destination-Based Remotely Triggered Black Hole Filtering

With a denial-of-service (DoS) attack, in addition to service degradation of the target, there is possible collateral damage such as bandwidth consumption, processor utilization, and potential service loss elsewhere in the network. One method to mitigate the damaging effects of such an attack is to black hole (drop) traffic destined to the IP address or addresses being attacked and to filter the infected host traffic at the edge of the network closest to the source of the attack.

The challenge is to find a way to quickly drop the offending traffic at the network edge, document and track the black holed destination addresses, and promptly return these addresses to service once the threat disappears.

Destination-based IP black hole filtering with remote triggering allows a network-wide destination-based black hole to be propagated by adding a simple static route to the triggering device (trigger).

The trigger sends a routing update for the static route using iBGP to the other edge routers configured for black hole filtering. This routing
update sets the next hop IP address to another preconfigured static route pointing to the null interface. This process is illustrated in Figure 1.

Figure 1. Destination-Based Black Hole Filtering with Remote Triggering

The three steps in destination-based black hole filtering are summarized below.

Step 1. The setup (preparation)
A trigger is a special device that is installed at the NOC exclusively for the purpose of triggering a black hole. The trigger must have
an iBGP peering relationship with all the edge routers, or, if using route reflectors, it must have an iBGP relationship with the route
reflectors in every cluster. The trigger is also configured to redistribute static routes to its iBGP peers. It sends the static route by means
of an iBGP routing update.
The Provider Edges (PEs) must have a static route for an unused IP address space. For example, is set to Null0. The IP
address is reserved for use in test networks and is not used as a deployed IP address.

Step 2. The trigger
An administrator adds a static route to the trigger, which redistributes the route by sending a BGP update to all its iBGP peers, setting
the next hop to the target destination address under attack as in the current example.
The PEs receive their iBGP update and set their next hop to the target to the unused IP address space. The route to this address
is set to Null0 in the PE, using a static routing entry in the router configuration. The next hop entry in the forwarding information base
(FIB) for the destination IP (target) is now updated to Null0.
All traffic to the target will now be forwarded to Null0 at the edge and dropped.

Step 3. The withdrawal
Once the trigger is in place, all traffic to the target destination is dropped at the PEs. When the threat no longer exists, the administrator
must manually remove the static route from the trigger, which sends a BGP route withdrawal to its iBGP peers. This prompts the edge
routers to remove the existing route for the target that is pointed to and to install a new route based on the IGP routing
information base (RIB).
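The three steps above, modelled as an added example that is not part of the original post and not vendor configuration: a trigger router, one PE with an IGP route toward the target's subnet, and the recursive next-hop resolution that the PE's FIB performs. The addresses are assumptions (the page's own example address was lost in extraction): the target is taken as 203.0.113.10 and the unused black-hole next hop as 192.0.2.1, both from the documentation ranges. Running the scenario a second time with the preparation step skipped shows why Step 1 matters: without the static route to Null0, the iBGP route's next hop cannot be resolved and the black hole never takes effect.

```python
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"
BLACKHOLE_NH = "192.0.2.1"    # assumed: unused TEST-NET-1 address that every PE statically routes to Null0
TARGET = "203.0.113.10"       # assumed: address under attack (TEST-NET-3)
AD = {"static": 1, "igp": 110, "ibgp": 200}   # administrative distances as used on Cisco IOS


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str    # an interface name ("Gi0/1", "Null0") or an IPv4 address string
    source: str      # "static", "igp" or "ibgp"


class Router:
    def __init__(self, name):
        self.name = name
        self.rib = []

    def install(self, prefix, next_hop, source):
        self.rib.append(Route(ipaddress.ip_network(prefix), next_hop, source))

    def remove(self, prefix, source):
        net = ipaddress.ip_network(prefix)
        self.rib = [r for r in self.rib if not (r.prefix == net and r.source == source)]

    def best_route(self, addr):
        # Longest-prefix match first, then lowest administrative distance.
        addr = ipaddress.ip_address(addr)
        cands = [r for r in self.rib if addr in r.prefix]
        if not cands:
            return None
        return max(cands, key=lambda r: (r.prefix.prefixlen, -AD[r.source]))

    def fib_next_hop(self, addr):
        """Recursively resolve an IP next hop down to an outgoing interface, as the FIB does."""
        hop = addr
        for _ in range(8):                    # bound the recursion depth
            route = self.best_route(hop)
            if route is None:
                return "unresolved"           # BGP would not install a route whose next hop is unreachable
            if not route.next_hop[0].isdigit():
                return route.next_hop         # reached an interface (Gi0/1, Null0, ...)
            hop = route.next_hop
        return "unresolved"


class Trigger(Router):
    def __init__(self, name, peers):
        super().__init__(name)
        self.peers = peers

    def add_blackhole(self, target):
        # Step 2: a static host route for the target pointing at the black-hole next hop,
        # redistributed into iBGP so every PE learns target/32 -> BLACKHOLE_NH.
        host = f"{target}/32"
        self.install(host, BLACKHOLE_NH, "static")
        for pe in self.peers:
            pe.install(host, BLACKHOLE_NH, "ibgp")

    def remove_blackhole(self, target):
        # Step 3: removing the static route withdraws the prefix from the iBGP peers.
        host = f"{target}/32"
        self.remove(host, "static")
        for pe in self.peers:
            pe.remove(host, "ibgp")


def build_pe(name, prepared=True):
    pe = Router(name)
    pe.install("203.0.113.0/24", "Gi0/1", "igp")       # normal IGP path toward the target's subnet
    if prepared:
        pe.install("192.0.2.1/32", NULL0, "static")    # Step 1: the preconfigured black-hole route
    return pe


def run_scenario(prepared=True):
    """Return the PE's FIB next hop for the target before, during and after the black hole."""
    pe = build_pe("PE1", prepared)
    trigger = Trigger("TRIGGER", [pe])
    result = {"before": pe.fib_next_hop(TARGET)}
    trigger.add_blackhole(TARGET)
    result["during"] = pe.fib_next_hop(TARGET)
    trigger.remove_blackhole(TARGET)
    result["after"] = pe.fib_next_hop(TARGET)
    return result


if __name__ == "__main__":
    print(run_scenario())                  # {'before': 'Gi0/1', 'during': 'Null0', 'after': 'Gi0/1'}
    print(run_scenario(prepared=False))    # {'before': 'Gi0/1', 'during': 'unresolved', 'after': 'Gi0/1'}
```

The /32 learned from the trigger wins on the PE by longest-prefix match, not by administrative distance, which is why the iBGP route (distance 200) overrides the IGP route for the covering /24 (distance 110); after the withdrawal the lookup falls back to the IGP route without any further action on the PE.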

AFI (Address Family Identifier) vs SAFI (Subsequent Address Family Identifier)


2. Multiprotocol Reachable NLRI - MP_REACH_NLRI (Type Code 14):

This is an optional non-transitive attribute that can be used for the
following purposes:

(a) to advertise a feasible route to a peer

(b) to permit a router to advertise the Network Layer address of
the router that should be used as the next hop to the
destinations listed in the Network Layer Reachability
Information field of the MP_NLRI attribute.

(c) to allow a given router to report some or all of the
Subnetwork Points of Attachment (SNPAs) that exist within the
local system

The attribute is encoded as shown below:

Address Family Identifier (2 octets)
Subsequent Address Family Identifier (1 octet)
Length of Next Hop Network Address (1 octet)
Network Address of Next Hop (variable)
Number of SNPAs (1 octet)
Length of first SNPA (1 octet)
First SNPA (variable)
Length of second SNPA (1 octet)
Second SNPA (variable)
Length of Last SNPA (1 octet)
Last SNPA (variable)
Network Layer Reachability Information (variable)

The use and meaning of these fields are as follows:

Address Family Identifier:

This field carries the identity of the Network Layer protocol
associated with the Network Address that follows. Presently
defined values for this field are specified in RFC 1700 (see
the Address Family Numbers section).

Subsequent Address Family Identifier:

This field provides additional information about the type of
the Network Layer Reachability Information carried in the

Length of Next Hop Network Address:

A 1 octet field whose value expresses the length of the
"Network Address of Next Hop" field as measured in octets

Network Address of Next Hop:

A variable length field that contains the Network Address of
the next router on the path to the destination system

Number of SNPAs:

A 1 octet field which contains the number of distinct SNPAs to
be listed in the following fields. The value 0 may be used to
indicate that no SNPAs are listed in this attribute.

Length of Nth SNPA:

A 1 octet field whose value expresses the length of the "Nth
SNPA of Next Hop" field as measured in semi-octets

Nth SNPA of Next Hop:

A variable length field that contains an SNPA of the router
whose Network Address is contained in the "Network Address of
Next Hop" field. The field length is an integral number of
octets in length, namely the rounded-up integer value of one
half the SNPA length expressed in semi-octets; if the SNPA
contains an odd number of semi-octets, a value in this field
will be padded with a trailing all-zero semi-octet.

Network Layer Reachability Information:

A variable length field that lists NLRI for the feasible routes
that are being advertised in this attribute. When the
Subsequent Address Family Identifier field is set to one of the
values defined in this document, each NLRI is encoded as
specified in the "NLRI encoding" section of this document.
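The attribute layout described above, as an added parser example that is neither the RFC's code nor this blog's: it walks the AFI, SAFI, next hop, SNPA list and NLRI fields in order, and the SNPA length arithmetic implements the semi-octet rounding given under "Nth SNPA of Next Hop". The sample attribute bytes are constructed (an IPv6 unicast attribute with one three-semi-octet SNPA and two prefixes, plus an IPv4 one with no SNPAs). Every length field is checked against the bytes remaining in the attribute before it is used, so a truncated or inconsistent attribute is rejected instead of being read past its end.

```python
import ipaddress
import struct

AFI_IPV4, AFI_IPV6 = 1, 2
SAFI_UNICAST = 1


def _read(data, pos, n):
    """Slice n bytes at pos, refusing to run past the end of the attribute."""
    if pos + n > len(data):
        raise ValueError(f"attribute truncated at offset {pos}: need {n} more byte(s)")
    return data[pos:pos + n], pos + n


def _format_next_hop(afi, raw):
    if afi == AFI_IPV4 and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if afi == AFI_IPV6 and len(raw) in (16, 32):
        # 32 octets carry a global next hop followed by a link-local one
        return "+".join(str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(0, len(raw), 16))
    return raw.hex()


def parse_mp_reach_nlri(data):
    """Decode an MP_REACH_NLRI attribute body into AFI, SAFI, next hop, SNPAs and NLRI prefixes."""
    hdr, pos = _read(data, 0, 4)
    afi, safi, nh_len = struct.unpack("!HBB", hdr)
    if afi not in (AFI_IPV4, AFI_IPV6):
        raise ValueError(f"unsupported AFI {afi}")
    nh_raw, pos = _read(data, pos, nh_len)
    # SNPA list: a count, then (length in semi-octets, value) pairs
    cnt, pos = _read(data, pos, 1)
    snpas = []
    for _ in range(cnt[0]):
        semi, pos = _read(data, pos, 1)
        nbytes = (semi[0] + 1) // 2             # rounded-up half; an odd length carries a zero pad nibble
        raw, pos = _read(data, pos, nbytes)
        snpas.append(raw.hex()[:semi[0]])       # drop the pad nibble
    addr_bits = 32 if afi == AFI_IPV4 else 128
    prefixes = []
    while pos < len(data):                      # NLRI: (prefix length in bits, minimal prefix octets) pairs
        plen, pos = _read(data, pos, 1)
        plen = plen[0]
        if plen > addr_bits:
            raise ValueError(f"prefix length {plen} exceeds address size for AFI {afi}")
        chunk, pos = _read(data, pos, (plen + 7) // 8)
        packed = chunk + bytes(addr_bits // 8 - len(chunk))    # right-pad to a full address
        net = ipaddress.ip_network(f"{ipaddress.ip_address(packed)}/{plen}", strict=False)
        prefixes.append(str(net))
    return {"afi": afi, "safi": safi, "next_hop": _format_next_hop(afi, nh_raw),
            "snpas": snpas, "nlri": prefixes}


def is_well_formed(data):
    """True if the attribute parses with every length field consistent with its size."""
    try:
        parse_mp_reach_nlri(data)
        return True
    except (ValueError, struct.error):
        return False


# Constructed sample attributes (not captured from a live BGP session).
SAMPLE_IPV6 = (
    struct.pack("!HBB", AFI_IPV6, SAFI_UNICAST, 16)
    + ipaddress.IPv6Address("2001:db8::1").packed
    + bytes([1, 3, 0xAB, 0xC0])                      # one SNPA of 3 semi-octets "abc" plus a pad nibble
    + bytes([32]) + bytes.fromhex("20010db8")        # 2001:db8::/32
    + bytes([48]) + bytes.fromhex("20010db80001")    # 2001:db8:1::/48
)
SAMPLE_IPV4 = (
    struct.pack("!HBB", AFI_IPV4, SAFI_UNICAST, 4)
    + bytes([192, 0, 2, 1])                          # next hop 192.0.2.1
    + bytes([0])                                     # no SNPAs
    + bytes([24, 192, 0, 2])                         # 192.0.2.0/24
)

if __name__ == "__main__":
    print(parse_mp_reach_nlri(SAMPLE_IPV6))
    print(parse_mp_reach_nlri(SAMPLE_IPV4))
    print(is_well_formed(SAMPLE_IPV6[:-3]))          # False: last NLRI entry is cut short
```

The NLRI loop only needs the prefix-length octet and as many octets as that length implies; the remaining address bits are zero-filled, which is why a 48-bit IPv6 prefix occupies six octets on the wire and sixteen after decoding.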


What is a Forwarding Equivalence Class (FEC)?

A. FEC is a group of IP packets which are forwarded in the same manner, over the same path, and with the same forwarding treatment. An FEC might correspond to a destination IP subnet, but it also might correspond to any traffic class that the Edge-LSR considers significant. For example, all traffic with a certain value of IP precedence might constitute a FEC.

Alibaba to list in Hong Kong, raising HK$10 billion

[Economic Daily News / Reporter Wang Mao-chen / compiled report] 2007.10.16 03:47 am

Jack Ma to speak in Taiwan next month

[2007/10/16 Economic Daily News] @ http://udn.com/

ZyXEL releases new USG 300 security gateway

Published: 2007.10.25 16:35 Source: CCIDnet Author: Sai Wen

[CCIDnet] ZyXEL recently released its new network security appliance, the ZyWALL USG 300. The ZyWALL USG 300 is tailored for small and medium-sized businesses, meeting their need for distributed secure networking and providing comprehensive enterprise-grade security.

The ZyWALL USG 300 combines IPSec VPN and SSL VPN technologies to build secure VPN tunnels between distributed sites, such as remote branch offices and partners, and to give travelling employees and mobile users convenient, secure network access. Its security features include user access control, schedules, bandwidth management, virus and intrusion detection, and application control. The ZyWALL USG 300 uses multi-layer network inspection technology and partners with Kaspersky to provide world-leading protection, helping to build a secure enterprise network environment.

With its built-in dual SecuASIC dedicated security processors, the ZyWALL USG 300 delivers excellent, stable network throughput under heavy load. Advanced anti-virus and intrusion detection technology targets the flood of malware, attacks and suspicious behaviour, effectively protecting the internal network and reducing potential security threats.

The ZyWALL USG 300 offers comprehensive and flexible IM/P2P application management. With it, network administrators can easily create IM/P2P usage rules and assign different permissions and bandwidth quotas to different users, for example capping the bandwidth of P2P applications that abuse it while giving important applications such as VoIP the highest priority to ensure good communication quality. The ZyWALL USG 300 also provides comprehensive statistical reports for monitoring users' bandwidth utilisation in real time.

High availability (HA) eliminates the catastrophic damage that a single point of network failure can cause a business, so that small and medium-sized businesses can also enjoy the always-on network that redundancy brings. In addition, the ZyWALL USG 300 supports multiple WAN ports and multiple ISP connections, so the unavailability of a single ISP no longer affects normal network use, and its multi-ISP load-balancing algorithm makes full use of every line, optimising the utilisation of each.



Published: 2007.10.26 04:58 Source: CCIDnet Tech Community Author: kill




Nortel Networks Meridian-Core-Option 81C

Nortel Networks Meridian-Core-Option 61C

Nortel Networks Meridian-Core-Option 51C

Nortel Networks Meridian-Core-Option 11C Mini

Nortel Networks IP Softphone 2050

Nortel Networks IP Phone 2007

Nortel Networks IP Phone 2004

Nortel Networks IP Phone 2002

Nortel Networks IP Phone 2001

Nortel Networks IP Phone 1150E

Nortel Networks IP Phone 1140E

Nortel Networks IP Phone 1120E

Nortel Networks IP Phone 1110

Nortel Networks IP Phone

Nortel Networks Mobile Voice Client 2050

Nortel Networks IP Audio Conference Phone 2033

Nortel Networks Communications Server 2100

Nortel Networks Communications Server 1000S

Nortel Networks Communications Server 1000M Cabinet/Chassis

Nortel Networks Communications Server 1000E



Nortel IP Phone, IP Softphone and the other products listed are IP telephony devices released by Nortel.

The Nortel IP Phone implementation contains a vulnerability that a remote attacker could exploit to eavesdrop remotely on the phone's surroundings.


Nortel Networks: The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage: http://www.nortelnetworks.com/index.html


Oct 25, 2007

Full text of Apple CEO Steve Jobs' commencement speech to Stanford graduates

This is an e-mail a friend forwarded to me. I think it holds a lesson for every person alive in the world today: don't give up on any experience you might someday need, even if right now it seems worthless to you (I'm glad that, just before graduating from college and after taking the reserve officer exam, I learned the Boshiamy (嘸蝦米) input method :P )~

Stay Hungry, Stay Foolish


The first story is about how the dots in life connect. I stayed at Reed College for six months before I withdrew, and by the time I dropped out for good I had spent eighteen months as a drop-in. So why did I drop out? (audience laughs) This has to start before I was born.



Once I had dropped out, I no longer had to take the required classes that didn't interest me, and I could spend that time sitting in on the ones that did. It wasn't at all romantic. I didn't have a dorm room, so I slept on the floor at friends' places; I bought food with the five-cent deposits from returned Coke bottles, and every Sunday night I walked seven miles across town for a good meal at the Hare Krishna temple. I loved the food at the Hare Krishna temple.

Following my curiosity and intuition like this, much of what I stumbled into turned out to be priceless later on (And much of what I stumbled into by following my curiosity and intuition turned out to be priceless later on). Let me give one example. Reed College at that time offered perhaps the best calligraphy instruction in the country. Every poster on campus, every label on every drawer, was beautifully hand-lettered. Because I had dropped out and didn't have to follow the normal course sequence, I went and took the calligraphy class. I learned about serif and sans-serif typefaces, about varying the spacing between different letter combinations, about what makes great typography great. The beauty, history and artistry of lettering are things science cannot capture, and I found it fascinating.

I never expected any of this to have a practical use in my life, but ten years later, when I was designing the first Macintosh, I remembered what I had learned and designed it all into the Mac. It was the first computer that could print beautiful type. If I hadn't immersed myself in that one class, the Mac would never have had multiple typefaces or proportionally spaced fonts. And since Windows copied the Mac (audience applauds and laughs), if I had never dropped out and never taken that calligraphy class, probably no personal computer would have them, and none could print the beautiful type we see today. Of course, while I was still in college it was impossible to connect these dots looking forward, but looking back ten years later, it all becomes very clear.

Again, you can't connect the dots looking forward; you can only connect them looking backwards (you can't connect the dots looking forward; you can only connect them looking backwards). So you have to trust that what you are going through now will somehow connect in the future. You have to trust in something: your gut, destiny, life, or karma. This approach has never let me down, and it has made all the difference in my life. (Jobs pauses to drink water)


I was lucky: I found what I loved to do early in life. I was twenty when Steve Wozniak and I started Apple in my parents' garage. We worked hard, and in ten years Apple grew from the two of us in a garage into a company with over four thousand employees and a market value of two billion dollars. A year before that we had released our finest creation, the Macintosh, and I had just turned thirty. And then I got fired.


Well, as Apple grew, I hired someone I thought was very talented at running a company, and for the first few years he did indeed do well. But our visions of the future diverged and eventually we fell out; the board sided with him, and so, at 30, I was publicly fired. I lost what had been the focus of my entire life, and my life was devastated.

For a few months I didn't know what to do. I felt I had let the previous generation of entrepreneurs down, that I had dropped the baton they had handed me. I met with David Packard, founder of HP, and Bob Noyce, founder of Intel, and apologised for screwing up so badly. I became a very public failure, and I even thought about leaving Silicon Valley.



During the next five years I started a company called NeXT, and another called Pixar, and fell in love with the woman who would become my wife (Laurene). Pixar went on to make the world's first fully computer-animated feature film, Toy Story, and is now the most successful animation studio in the world (audience applauds and laughs). Then Apple bought NeXT, I returned to Apple, and the technology we developed at NeXT became the core of Apple's later renaissance.

I also had a wonderful family. I am quite sure none of this would have happened if Apple hadn't fired me. It was awful-tasting medicine, but I guess the patient needed it. Sometimes life hits you in the head with a brick. Don't lose faith. I am convinced that I loved what I did, and that was the only thing that kept me going all these years (I'm convinced that the only thing that kept me going was that I loved what I did).


Your work is going to fill a large part of your life, and the only way to be truly satisfied is to do what you believe is great work, and the only way to do great work is to love what you do (And the only way to do great work is to love what you do). If you haven't found it yet, keep looking, and don't settle. Put your whole heart into it; you know you will find it. And, like any great undertaking, it only gets better and better as time goes on. So keep looking until you find it, and don't settle. (audience applauds, Jobs drinks water)


When I was seventeen, I read a quote that went something like: "Live each day as if it were the last day of your life, and you will be at ease. (If you live each day as if it was your last, someday you'll most certainly be right)" (audience laughs) It made a deep impression on me, and for the past 33 years I have looked in the mirror every morning and asked myself: "If today were the last day of my life, what would I do today?" Whenever the answer has been "nothing" for too many days in a row, I know I need to change something.

Reminding myself that I will be dead soon is the most important tool I have ever used to help me make the big choices in life. Because almost everything, all external expectations, all pride, all fear of embarrassment or failure, these things just fall away in the face of death, leaving only what is truly important (Remembering that I'll be dead soon is the most important tool I've ever encountered to help me make the big choices in life. Because almost everything - all external expectations, all pride, all fear of embarrassment or failure - these things just fall away in the face of death, leaving only what is truly important).




That was the closest I have been to facing death, and I hope it stays the closest for a few more decades. Having been through it, I can now say this to you with more certainty than when death was purely an abstract idea: No one wants to die. Even people who want to go to heaven want to get there alive. (audience laughs)


Your time is limited, so don't waste it living someone else's life. Don't be trapped by dogma, which is living with the results of other people's thinking. Don't let the noise of others' opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition; they somehow already know what you truly want to become (have the courage to follow your heart and intuition. They somehow already know what you truly want to become). Everything else is secondary. (audience applauds)

When I was young, there was an amazing publication called the Whole Earth Catalog, which was one of the bibles of my generation. It was created by Stewart Brand, who lived not far from here in Menlo Park, and he brought it to life with his poetic touch. This was in the late 1960s, before personal computers and desktop publishing, so it was all made with typewriters, scissors and Polaroid cameras. It was something like Google in paperback form, 35 years before Google came along: the magazine was idealistic, and overflowing with neat tools and great ideas.

Stewart and his team put out several issues of the Whole Earth Catalog, and then, when it had run its course, they put out a final issue. It was the mid-1970s, and I was your age. On the back cover of the final issue was a photograph of an early-morning country road, the kind you might find yourself hitchhiking along if you were so adventurous. Beneath it were the words: Stay Hungry, Stay Foolish. It was their farewell message as they signed off, and I have always wished that for myself. And now, as you graduate to begin anew, I wish that for you.