List of Software Features

**Table 1** List of software features
Level-1 Feature	Level-2 Feature	Level-3 Feature	Description
Link Features	Ethernet Link Features	-	Ethernet interfaces on the NetEngine 8000 F support the following features: Flow control and rate autonegotiation on GE interfaces Bundling of interfaces at different rates Addition or deletion of Eth-Trunk member interfaces; the NetEngine 8000 F can detect the up or down state of member interfaces and dynamically change the Eth-Trunk link bandwidth. Layer 2 and Layer 3 Eth-Trunk interfaces BFD for Eth-Trunk Link Aggregation Control Protocol (LACP) defined in 802.3ad LACP maintains the link status based on the interface status. LACP adjusts or disables link aggregation when aggregation conditions change. Virtual Ethernet (VE) interfaces Synchronous Ethernet 1588v2 clock VLAN sub-interfaces VLANIF interfaces Local and remote interface loopback Flexible Ethernet (FlexE) Channelized sub-interfaces
Service Features	Ethernet Features	Layer 2 Ethernet Features	Ethernet interfaces on the NetEngine 8000 F can work in Layer 2 switched mode and support VLAN, VPLS, and QoS services. Layer 2 Ethernet interfaces that are used as UNIs support MPLS VPN services. The NetEngine 8000 F supports the following Layer 2 Ethernet features: Default VLAN VLAN trunk VLANIF interfaces Intra-VLAN port isolation Ethernet sub-interfaces VLAN aggregation sub-interfaces Port-based VLAN classification VLAN mapping VLAN stacking Unqualified MAC learning and qualified MAC learning (user MAC addresses are learned based on VSI+VLAN) MAC entry limit Suppression of multicast, broadcast, and unknown unicast traffic Y.1731 Eth-LCK, Eth-Test, and Eth-SLM
Service Features	Ethernet Features	Layer 3 Ethernet Features	The NetEngine 8000 F supports the following Layer 3 Ethernet features: IPv4 IPv6 MPLS Multicast VLAN sub-interfaces QoS VLAN aggregation sub-interfaces
Service Features	Ethernet Features	QinQ	The NetEngine 8000 F supports the following QinQ features to satisfy different networking requirements: Identification of inner and outer VLAN tags Outer VLAN tag modification Removal of double VLAN tags and addition of new double VLAN tags Mapping of outer VLAN tags Change of the EtherType value and 802.1p priority in the outer VLAN tag and copy of the 802.1p priority in the inner VLAN tag to the outer VLAN tag of double-tagged packets Traffic classification based on the 802.1p priorities in the outer VLAN tags of packets Rate limiting on interfaces based on the 802.1p priorities in both inner and outer VLAN tags Interface-based QinQ Interface-based QinQ is applicable to the following scenarios: Access to VPLS networks to transparently transmit VLAN packets Access to L2VPNs or PWE3 networks to transparently transmit VLAN packets VLAN-based QinQ 802.1ag QinQ termination EtherType value in the outer VLAN tags of QinQ packets used for interoperation with non-Huawei devices Multicast QinQ QinQ-based VLAN swapping on main interfaces VLAN stacking is applicable to the following scenarios: Access to VPLS networks Access to VLL or PWE3 networks Translation sub-interfaces on which 1 to 1 VLAN tag translation can be implemented IPv4 URPF for QinQ VLAN tag termination sub-interfaces
Service Features	Ethernet Features	Flexible Access to VPNs	In traditional access identification, user or service information is identified by a single tag or double tags. For example, the inner tag identifies user information, and the outer tag identifies service information. Interfaces have different double tags configured to access different VPNs. In some scenarios, the access device does not support QinQ or a single tag is used for multiple services. In this case, the access device may fill service access information in the 802.1p or DSCP field. Then, the NetEngine 8000 F connected to the access device needs to use the 802.1p or DSCP value to identify access users. This helps implement access to different VPNs, different QoS scheduling policies, or service distribution.
Service Features	Ethernet Features	Spanning Tree Protocol (STP)/Rapid Spanning Tree Protocol (RSTP)/Multiple Spanning Tree Protocol (MSTP) Features	The NetEngine 8000 F supports STP, RSTP and MSTP. STP RSTP MSTP MSTP provides BPDU protection to defend against attacks. After BPDU protection is enabled on the device, it disables the edge port that receives BPDUs. The disabled edge port can only be enabled by the network administrator.
Service Features	Ethernet Features	BPDU Tunneling	The NetEngine 8000 F supports the following BPDU tunneling types: Port-based BPDU tunneling VLAN-based BPDU tunneling QinQ-based BPDU tunneling
Service Features	Ethernet Features	VXLAN	Virtual eXtensible Local Area Network (VXLAN) is a Network Virtualization over Layer 3 (NVO3) technology that uses MAC-in-UDP encapsulation. The NetEngine 8000 F supports the following VXLAN features: Layer 3 forwarding between VXLAN tunnels Use of integrated routing and bridging (IRB) routes to advertise host routes between VXLAN tunnels Application of traffic policies to VXLAN tunnels DHCP relay for VXLAN tunnels VNI-based rate limiting VXLAN Layer 2 gateway VXLAN Layer 2 gateway supporting the Spoken split horizon mode MAC address learning using EVPN on the VXLAN control plane BA classification and MF classification VXLAN segments IPv4 over VXLANv6 tunnel forwarding IPv6 over VXLANv6 tunnel forwarding
Service Features	Ethernet Features	ERPS over VPLS	ERPS over VPLS allows an ERPS ring to connect to a VPLS network. This function supports the following VPLS access modes: A VLANIF interface is single-homed to a VPLS network. A VLANIF interface is dual-homed to a VPLS network. A sub-interface is single-homed to a VPLS network. The sub-interfaces can be: QinQ mapping 1:1 and dot1q VLAN sub-interfaces A sub-interface is dual-homed to a VPLS network. The sub-interfaces can be: QinQ mapping 1:1 and dot1q VLAN sub-interfaces
Service Features	IP Features	IPv4/IPv6 Dual Stack	The IPv4/IPv6 dual stack is highly interoperable and easy to implement. The following figure shows the IPv4/IPv6 dual stack structure. Figure 1 IPv4/IPv6 dual stack structure
Service Features	IP Features	IPv4 Features	The NetEngine 8000 F supports the following IPv4 features: TCP/IP protocol suite, including ICMP, IP, TCP, UDP, socket (TCP/UDP/Raw IP), and ARP FTP client/server and TFTP client DHCP relay agent/DHCP server DHCP flooding suppression Ping, tracert, and NQA NQA can detect the status of ICMP and UDP services and test the service response time. IP policy-based routing (PBR) and flow-based next hop to which packets are forwarded IP PBR-based load balancing Load balancing in unequal cost multi-path (UCMP) mode Configuration of secondary IP addresses for all physical and logical interfaces Each interface supports a maximum of 255 secondary IP addresses with 31-bit masks.
Service Features	IP Features	IPv6 Features	The NetEngine 8000 F supports the following IPv6 features: IPv6 neighbor discovery (ND) Path MTU (PMTU) discovery TCP6, IPv6 ping, IPv6 tracert, and IPv6 socket Static IPv6 DNS and specified IPv6 DNS server TFTP IPv6 client IPv6 PBR Telnet and SSH
Service Features	IP Features	IPv4/IPv6 Transition	The NetEngine 8000 F supports the following IPv4/IPv6 transition features: IPv6 over IPv4 tunnels The NetEngine 8000 F supports the following IPv6 over IPv4 tunnels: IPv6 manual tunnel 6to4 tunnel 6to4 relay tunnel 6PE and 6VPE tunnels
Service Features	Routing Protocols	Unicast Routing	The NetEngine 8000 F supports the following unicast routing features: IPv4 routing protocols, including RIP, OSPF, IS-IS, and BGP4 IPv6 routing protocols, including Routing Information Protocol Next Generation (RIPng), OSPFv3, IS-ISv6, and BGP4+ Static routes that are manually configured by the network administrator to simplify network configurations and improve network performance Large-capacity routing table that effectively supports MAN operations Selection of the optimal route using routing policies Import of routes from other protocols Route advertisement and reception through routing policies and router filtering through route attributes Password authentication and MD5 authentication to improve network security NOTE: For the sake of security, using the HMAC-SHA256 algorithm rather than the MD5 algorithm is recommended. Restart of protocol processes using command lines RIPv1 (classful routing protocol) and RIPv2 (classless routing protocol) Advertisement of a default route from a RIP-enabled device to its peers and setting of the metric of this route RIP-triggered updates Disabling a specified interface from sending or receiving OSPF or RIP packets OSPF-BGP synchronization OSPF-LDP synchronization OSPF fast convergence, which can be implemented using either of the following methods: Adjust the LSA transmission interval. Configure BFD for OSPF. OSPF I-SPF and IS-IS I-SPF (I-SPF re-calculates only the changed routes of an SPT and not the entire SPT.) OSPF PRC OSPF link cost calculation based on the reference bandwidth Link costs can be manually configured or automatically calculated by the system based on the reference bandwidth by using the following formula: Link cost = Reference bandwidth/Interface bandwidth The integer of the calculated result is the link cost. If the calculated result is less than 1, the cost is 1. The link cost can be changed by changing the reference bandwidth. The reference bandwidth ranges from 1 to 2147483648, in Mbit/s. The default reference bandwidth of the NetEngine 8000 F is 100 Mbit/s. The value ranges from 1 to 2147483648 Mbit/s. The link cost can be calculated based on the reference link delay. Two-level IS-IS in a routing domain IS-IS and LDP synchronization BGP indirect next hop and dynamic update peer-groups IPv6 indirect next hop Policy-based BGP route selection when multiple routes are available to the same destination BGP route reflector (RR) If there are many IBGP peers, it is costly to establish a full-mesh network. To prevent this problem, deploy RRs so that IBGP peers establish peer relationships only with RRs. Transmission of BGP Update packets that do not carry private AS numbers BGP route dampening, which suppresses unstable routes (Unstable routes are neither added to the BGP routing table nor advertised to other BGP peers.) Routing policy BGP fast convergence The device uses a new route convergence mechanism and algorithm to accelerate BGP route convergence. The mechanism can be: Indirect next hop On-demand route recursion BGP load balancing in multi-homing networking The formula for calculating the interface bandwidth consumed by LSAs in the same area is as follows: For example, if 10000 routes and Ethernet interfaces are used and the MTU of each Ethernet interface is 1500 bytes, the Ethernet frame header+FCS is 18 bytes, and each LSA is 44 bytes. Each LSA carries information about a route. (1500 – 18)/44 = 33. This formula indicates that an Ethernet frame can carry information about 33 routes. Therefore, 304 Ethernet frames are required to carry information about 10,000 routes.
Service Features	Routing Protocols	Multicast Routing	The NetEngine 8000 F supports the following multicast features: Multicast protocols include the Internet Group Management Protocol (IGMP), Protocol Independent Multicast-Sparse Mode (PIM-SM), Multicast Source Discovery Protocol (MSDP), and Multiprotocol Border Gateway Protocol (MBGP). IGMP can be IGMPv1, IGMPv2, or IGMPv3. Reverse Path Forwarding (RPF) PIM-SSM Anycast RP IPv6 multicast routing protocols that include PIM-IPv6-SM and PIM-IPv6-SSM Multicast Listener Discovery (MLD) MLDv1 MLDv1 supports Any-Source Multicast (ASM) and can implement Source-Specific Multicast (SSM) using SSM mapping. MLDv2 MLDv2 supports ASM and SSM. Multicast static routes Configuration of multicast protocols on Ethernet and trunk interfaces Route filtering based on routing policies when the multicast routing module receives, imports, or advertises multicast routes multicast packet filtering and forwarding based on routing policies when IP multicast packets are forwarded Addition and deletion of dummy entries Query of PIM neighbors and the number of control messages PIM neighbor filtering, forwarding boundary control, and BSR service and management boundary control PIM Register message filtering and suppression MSDP authentication IGMP rate limiting Prompt leave of IGMP and MLD group members and use of group-policies to restrict the generation of forwarding entries Configuration of ACLs, including source-address-based packet filtering, generation of multicast forwarding entries, and Switch-MDT switching, to ensure multicast security Multicast-group-based, multicast-source-based, multicast-source/group-based, and stable-preferred load balancing IGMP snooping MLD Snooping Multicast flow control The NetEngine 8000 F discards or broadcasts unknown multicast packets in the VLAN to which the interface that received the packets belongs. Unknown multicast packets do not have matching forwarding entries in the multicast forwarding table. In addition, the NetEngine 8000 F limits the maximum percentage of multicast flows on Ethernet interfaces to control multicast traffic. VSI-based IGMP CP-CAR Distributed multicast Multicast CAC The NetEngine 8000 F supports multicast Call Admission Control (CAC). When multicast CAC rules are configured, the number of multicast groups and bandwidth are restricted for IGMP snooping on interfaces or the entire system. BIER, BIER-MPLS, BIERv6, MVPN over BIERv6, and NG MVPN over BIER
Service Features	MPLS Features	MPLS	The NetEngine 8000 F supports the following MPLS features: Basic MPLS functions, service forwarding, and MPLS LDP signaling MPLS LDP distributes labels, establishes LSPs, and exchanges parameters used for LSP establishment. MPLS LDP supports: A maximum of five MPLS labels in a label stack MPLS LDP supports: Label advertisement in downstream unsolicited (DU) mode Label distribution in independent mode Label distribution in ordered mode Label retention in liberal mode Basic discovery and extended discovery in LDP sessions MPLS ping and tracert operations in which MPLS Echo Request and MPLS Echo Reply packets are exchanged to monitor LSP availability Configuration of 64-channel load balancing (including the ingress and intermediate nodes) MPLS QoS, including the mapping of the ToS fields in IP packets to the EXP fields in MPLS packets, and MPLS uniform, pipe, and short pipe modes MPLS trap LDP-IGP synchronization, which minimizes traffic loss in the event of network failures NetEngine 8000 F functioning as a label edge router (LER) or a label switching router (LSR) An LER is an edge device that connects an MPLS network to other networks. It classifies services, distributes labels, and adds or removes labels as required. An LER functioning as an egress supports PHP and can allocate an explicit null label or an implicit null label to the penultimate hop. An LSR is a core router on an MPLS network. The LSR switches and distributes labels. Establishment of LSPs between routers of different IS-IS levels and between Huawei devices and non-Huawei devices using LDP.
Service Features	MPLS Features	MPLS TE	MPLS TE integrates MPLS technology with traffic engineering. It reserves resources by establishing LSPs over a specified path in an attempt to avoid network congestion and balance network traffic. In the event of insufficient resources, MPLS TE allows preemption of bandwidth resources of low priority LSPs so these resources can be provided for LSPs with large bandwidth requirements or important services. If an LSP fails or a node is congested, MPLS TE can ensure smooth network communication using the backup path and fast reroute (FRR) function. MPLS TE provides automatic re-optimization and bandwidth adjustment to improve tunnel self-adaptation and properly allocate network resources. The traffic engineering database (TEDB) can be used to update the network topology. If a link goes down, the Constrained Shortest Path First (CSPF) failed link timer starts. Before the failed link timer expires, if the IGP route is deleted or the link is changed, CSPF deletes the timer and updates the TEDB. If the IGP route is not deleted or the link is not changed after the CSPF failed link timer expires, the link is considered up. MPLS TE supports the following functions: Processing of Constrained Route-label switched path (CR-LSP) of various types and route calculation using the CSPF algorithm CR-LSPs are classified into the following types: RSVP-TE RSVP authentication complies with relevant standards. Auto routing Auto routing works in either of the following modes: IGP shortcut: An LSP is not advertised to neighboring routers. Therefore, other routers cannot use the LSP. Forwarding adjacency: An LSP is advertised to neighboring routers. Therefore, other routers can use the LSP. FRR FRR switching can be completed in 50 ms, which minimizes data loss if network faults occur. Auto FRR Auto FRR is an extension of MPLS TE FRR. Configuring bypass tunnel attributes, global auto FRR, and interface-based auto FRR for the primary tunnel facilitates automatic establishment of a bypass tunnel over an LSP. If the primary tunnel changes, the bypass tunnel is automatically deleted, and a new one meeting requirements is established. One-to-one backup FRR: an MPLS TE FRR mode. After the detour attribute is configured for the primary tunnel, a detour LSP can be automatically established to protect an LSP on the primary tunnel. The detour LSP is a part of the primary tunnel. When the primary tunnel is established, detour LSPs are automatically established as needed. They are changed or deleted together with the primary tunnel. CR-LSP backup NetEngine 8000 F supports the following backup modes: Hot standby An HSB CR-LSP is established immediately after the primary CR-LSP is established. If the primary CR-LSP fails, MPLS TE switches traffic immediately to the HSB CR-LSP. Ordinary backup A backup CR-LSP is established after the primary CR-LSP fails. LDP over TE Not all devices on a live network support MPLS TE. If only core devices support TE and LDP is used on edge devices, LDP over TE can be used. A TE tunnel is considered a hop of the entire LDP LSP. With forwarding adjacency, one MPLS TE tunnel can be used as a virtual link and advertised to an IGP network. Make-before-break Make-before-break is a CR-LSP switching technology that ensures high reliability. Before a new path or CR-LSP is created, the original path or CR-LSP is not deleted. After a new CR-LSP is created, traffic is switched to the new CR-LSP, and then the original CR-LSP is deleted. This implements non-stop traffic forwarding.
Service Features	MPLS Features	GMPLS UNI	RSVP neighbor authentication and UNI user access authentication Protection for traffic on a specified UNI tunnel connected to the ingress CN on a transport network Collaborative path computation by an IP PCE and optical PCE
Service Features	MPLS Features	MPLS LDP	LDP remote LFA FRR is a supplement to LFA LDP FRR. LFA LDP FRR uses the LFA FRR algorithm that can only protect LDP LSPs in 70% of all scenarios. After the remote LFA technique is implemented, FRR takes effect in more than 96% of all scenarios. The LDP module receives the remote LFA FRR next-hop address of a route prefix sent by the RM module. The LDP module uses the carried PQ node address to create an LDP remote peer and sends a Target Hello message to its peer to establish a remote LDP session. The PQ node address is used as a next-hop IP address for a remote-LFA FRR LSP. The actual next-hop IP address and outbound interface name are used to establish an LDP LSP destined for the PQ node. This LDP LSP allows for recursion to the remote LFR LSP. On the PQ node, the auto-accept function is configured. This function enables the PQ node to use information in the received Target Hello message to automatically establish a remote LDP peer. The PQ node then sends a Target Hello message to its peer to establish a remote LDP session. Label Mapping messages are then transmitted over the remote LDP session to establish a tunnel.
Service Features	Segment Routing Features	SR-MPLS TE	Segment Routing (SR) is designed to forward data packets on a network using the source routing model. SR-MPLS is Segment Routing based on the MPLS forwarding plane. SR-MPLS Traffic Engineering (TE) is a new TE tunnel technology that uses SR as a control protocol. The controller calculates forwarding paths for tunnels and delivers label stacks strictly mapped to the paths to forwarders. The forwarder, which is the ingress of the tunnel, uses a label stack to control the path along which packets are transmitted on a network. The device supports the following SR-MPLS TE functions: Strict label stack Stitching label L2VPN, L3VPN, and LDP over SR-MPLS TE Hot standby (HSB) LSP, and BFD SR-MPLS TE Policy LSP Class-based tunnel selection (CBTS) SR-MPLS TE Policy
Service Features	Segment Routing Features	SR-MPLS BE	A Segment Routing (SR) label switched path (LSP) is a label forwarding path that is established using SR and guides data packet forwarding through a prefix or node SID. Segment Routing-MPLS best effort (SR-MPLS BE) refers to the mode in which an IGP runs the shortest path first (SPF) algorithm to compute an optimal SR LSP. SR and LDP interworking SR-MPLS FlexAlgo
Service Features	Segment Routing	SRv6 BE	The device supports the following SRv6 BE functions: BGP L3VPNv4 over SRv6 BE EVPN L3VPNv4 over SRv6 BE EVPN L3VPNv6 over SRv6 BE EVPN VPWS over SRv6 BE EVPN VPLS over SRv6 BE IPv4 public network services over SRv6 BE IPv6 public network services over SRv6 BE SRv6 FlexAlgo
Service Features	Segment Routing	SRv6 TE Policy	The device supports the following SRv6 TE Policy functions: IPv4 public network services redirected to an SRv6 TE Policy through MF classification IPv6 public network services redirected to an SRv6 TE Policy through MF classification BGP L3VPNv4 over SRv6 TE Policy EVPN L3VPNv4 over SRv6 TE Policy EVPN L3VPNv6 over SRv6 TE Policy EVPN VPWS over SRv6 TE Policy EVPN VPLS over SRv6 TE Policy VLL over SRv6 TE Policy IPv4 public network service over SRv6 TE Policy IPv6 public network service over SRv6 TE Policy BGP-LS Network slicing based on slice IDs SRv6 Flex-Algo G-SRv6
Service Features	VPN Features	Tunnel Policy	A tunnel policy determines which tunnels are to be selected based on destination IP addresses. If no tunnel policy is configured, the tunnel management module uses the default tunnel policy to select tunnels. The NetEngine 8000 F supports the following types of tunnel policies: Select-sequence The priority sequence of tunnels and the number of tunnels used for load balancing are configured. The tunnels of the type specified first are selected as long as the tunnels are in the up state, irrespective of whether they are used by other services. The tunnels of the type specified later are not selected unless load balancing is required or the tunnels of the type specified first are all down. VPN tunnel binding After the peer end of a VPN is bound to an MPLS TE tunnel on a PE on the backbone network, this TE tunnel only transmits data from the VPN to its peer end and not to other VPN services. This ensures QoS for services of the bound VPN.
Service Features	VPN Features	VPN Tunnel	The NetEngine 8000 F supports the following types of VPN tunnels: LSPs TE tunnels GRE tunnel SR-MPLS TE tunnel SR-MPLS BE tunnel
Service Features	VPN Features	MPLS L2VPN	VLL LDP VLL LDP VLL supports double labels. The inner label uses extended LDP as signaling. The VC FEC type is 128. The VC encapsulation type can be 0x0004 Ethernet Tagged Mode, 0x0005 Ethernet, or 0x000B IP Layer 2 Transport. CCC VLL CCC VLL supports local switching of packets in 802.1q mode. VLL heterogeneous interworking VLL heterogeneous interworking is used when the CE link types on both ends of an L2VPN are different. After a PE receives a frame from a CE, the PE removes the link-layer frame header and transparently transmits the IP packet to the peer PE across an MPLS network. Upon receipt, the peer PE encapsulates the link-layer frame header to the IP packet and transmits the frame to the connected CE. PEs process link-layer control packets received from CEs without transmitting them over MPLS networks and discard non-IP packets, such as MPLS and IPX packets. Transparent transmission of specific types of link layer protocol packets Interfaces can be configured to transparently transmit specific types of link layer protocol packets, such as BPDUs, LACP packets, LLDP packets, UDLD packets, and CDP packets. VLL over TE ECMP VLL over LDP ECMP VLL over LDP over TE ECMP VPLS PEs on a VPLS network can be fully meshed and have split horizon configured to prevent Layer 2 loops. VPLS is classified as BGP VPLS or LDP VPLS, depending on the signaling protocol. BGP VPLS BGP VPLS uses BGP as a signaling protocol. BGP VPLS uses BGP to automatically discover VPLS members and then establishes point-to-point PWs. When a PE is added to the VPLS network, the configurations on existing PEs do not need to be modified. The new PE can automatically establish PWs with other PEs on the network. LDP VPLS LDP VPLS uses LDP as a signaling protocol. In LDP VPLS, LDP peer relationships must be manually configured between PEs on a full-mesh VPLS network. When a PE is added to the VPLS network, the configurations on all PEs need to be modified. Therefore, LDP VPLS has poor extensibility. However, using LDP to create, maintain, and delete point-to-point PWs is effective. The NetEngine 8000 F supports the following VPLS functions: Access to the VPLS network in QinQ mode H-VPLS IGMP snooping for VPLS MLD snooping for VPLS One MAC address space for each VSI VPLS/H-VPLS equal-cost load balancing Fast switching of multicast traffic mVPLS Transparent transmission of specific types of link layer protocol packets Interfaces can be configured to transparently transmit specific types of link layer protocol packets, such as BPDUs, STP packets, LLDP packets, UDLD packets, and CDP packets. Ethernet loop detection ERPS ring accessing VPLS PWE3 The NetEngine 8000 F supports the following features: The VCCV ping The NetEngine 8000 F can use VCCV ping to detect LDP PW connectivity on the UPE. It is capable of detecting dynamic PWs, single-segment PWs (SS-PWs), and multi-segment PWs (MS-PWs). PW template The NetEngine 8000 F supports binding between a PW and a PW template and PW resets. The NetEngine 8000 F uses PWE3 to support heterogeneous interworking and transparent transmission of the following types of packets: Ethernet, IP Layer 2 transport, IP-interworking, and Ethernet tagged. PW redundancy
Service Features	VPN Features	BGP/MPLS L3VPN	The NetEngine 8000 F supports BGP/MPLS L3VPN, providing an end-to-end VPN solution. The VPN service is a new type of value-added service, providing flexible choices for users. Access of a CE to an L3VPN through Layer 3 interfaces, such as Ethernet and VLANIF interfaces CE-PE communication using static routes or routing protocols, such as BGP, RIP, OSPF, and IS-IS Inter-AS VPN VPN instance to VPN instance, also called Inter-Provider Backbones Option A In Option A, sub-interfaces connecting the autonomous system boundary routers (ASBRs) are used to manage VPN routes. EBGP redistribution of labeled VPN-IPv4 routes, also called Inter-Provider Backbones Option B In Option B, ASBRs advertise labeled VPN-IPv4 routes to each other using MP-EBGP. Multi-hop EBGP redistribution of labeled VPN-IPv4 routes, also called Inter-Provider Backbones Option C In Option C, PEs advertise labeled VPN-IPv4 routes to each other using Multihop MP-EBGP. Multicast VPN IPv6 VPN and dual-stack VPN IPv6 inter-AS VPN (Option A, B, or C) HVPN+ (H-VPN and HoVPN) Popgo action on an IPv4 public network
Service Features	VPN Features	EVPN	Ethernet Virtual Private Network (EVPN) is a next-generation full-service bearer VPN solution. It unifies the control planes for various VPN services and uses BGP extensions to transmit Layer 2 or Layer 3 reachability information, separating the forwarding plane from the control plane. EVPN offers the following benefits: Improved link utilization and transmission efficiency: EVPN supports load balancing, fully utilizing network resources and alleviating network congestion. Reduced network resource consumption: By deploying RRs on the public network, EVPN decreases the number of logical connections required between PEs on the public network. In addition, EVPN enables PEs to respond to ARP requests from connected sites using locally cached MAC addresses, minimizing the amount of broadcast ARP requests. Supported EVPN functions: The following deployment models are supported: EVPN E-Line EVPN E-LAN EVPN E-Tree (local AC isolation) Access to EVPN through VLL VPLS through EVPN Access to EVPN through VXLAN PBB EVPN NOTE: Only the NetEngine 8000-F1A supports this function. EVPN L3VPN EVPN L3VPNv6 The following basic functions are supported: Unicast traffic forwarding BUM traffic forwarding Unicast traffic load-balancing Inter-AS VPN Option B
Service Features	VPN Features	L2TPv3 NOTE: Only the NetEngine 8000-F1A supports this function.	L2TPv3 over IPv6 establishes an IPv6-based L2TPv3 tunnel that transparently transmits Layer 2 user packets to remote ends over an IPv6 network. L2TPv3 over IPv6, which establishes tunnels based on static configurations, does not require dynamic negotiation for tunnel establishment or teardown. Users can access an L2TPv3 tunnel in whole-interface mode. Users can access an L2TPv3 tunnel in C-tag termination mode. Users can access an L2TPv3 tunnel in S-tag termination mode. Users can access an L2TPv3 tunnel in S-tag+C-tag termination mode. Local packet switching is supported. Packet injection is supported.
Service Features	VPN Features	IP Hard Pipe NOTE: Only the NetEngine 8000 F1A supports this chapter.	IP hard pipe is an end-to-end bandwidth guarantee solution that divides the network bandwidth into two parts, one for the hard pipe and the other for the soft pipe. The hard and soft pipes are isolated and cannot preempt the bandwidth of each other. This guarantees bandwidth and low delay for traffic entering the hard pipe. Currently, only static PW services can be transmitted through the hard pipe. The following functions are supported: Point-to-point IP hard pipe (VLL IP hard pipe) Point-to-multipoint IP hard pipe (VPLS IP hard pipe)
Service Features	QoS	DiffServ Model	Multiple service flows can be aggregated into a behavior aggregate (BA) and then processed based on the same per-hop behavior (PHB). This simplifies the processing and storage of services. On a core network that uses the DiffServ model, packet-specific QoS is provided. Therefore, signaling processing is not required.
Service Features	QoS	BA Classification	BA classifies data packets into multiple priorities or service classes. If the IP precedence, the first three bits of the ToS field in the IP header, is used to mark packets, the packets can be classified into a maximum of eight classes. If the differentiated services code point (DSCP), the first six bits of the ToS field, is used to mark packets, the packets can be classified into a maximum of 64 classes. After the packets are classified, QoS features can be applied to different classifiers to implement classifier-based congestion management and traffic shaping. The network administrator can set BA policies for packets based on the IP preference or DSCP values of IP packets, EXP values of MPLS packets, and 802.1p priorities of VLAN packets. The NetEngine 8000 F supports BA classification on Ethernet interfaces, Ethernet sub-interfaces, Layer 2 Ethernet interfaces, Eth-Trunk interfaces, Eth-Trunk sub-interfaces, Layer 2 Eth-Trunk interfaces, QinQ VLAN tag termination sub-interfaces, dot1q VLAN tag termination sub-interfaces, QinQ stacking interfaces, VE interfaces, . Layer 2 BA classification The NetEngine 8000 F performs BA classification based on 802.1p priorities of VLAN packets. The ingress PE maps the 802.1p priority of a Layer 2 packet to an upper-layer priority value (such as the IP DSCP and MPLS EXP value) so that DiffServ is also implemented for the packet after it enters the backbone network. The egress PE then maps the upper-layer priority value back to the 802.1p priority. QinQ BA classification QinQ requires the 802.1p priorities in both inner and outer VLAN tags to be detected. The NetEngine 8000 F can process the 802.1p priority as follows: Ignore the 802.1p priority in the inner VLAN tag and set a new 802.1p value in the outer VLAN tag. Copy the 802.1p priority in the inner VLAN tag to the outer VLAN tag. Set a new 802.1p priority in the outer VLAN tag based on the 802.1p priority in the inner VLAN tag. QinQ supports 802.1p re-marking in the following modes: Specify a value. Use the 802.1p priority in the inner VLAN tag. Map the 802.1p priority in the inner VLAN tag to the 802.1p value in the outer VLAN tag. The 802.1p priorities in multiple inner VLAN tags of different packets can be mapped to the 802.1p value in one outer VLAN tag, whereas the 802.1p priority in one inner VLAN tag cannot be mapped to the 802.1p priorities in multiple outer VLAN tags of different packets.
Service Features	QoS	MF Classification	The device performs multi-field (MF) classification based on the following information: Layer 2 and Layer 3 information carried in packets Source MAC address, destination MAC address, link layer protocol number, and 802.1p priority (of tagged packets) in the Ethernet frame header; IP precedence/DSCP value/ToS value, source IP address prefix, destination IP address prefix, protocol number, fragmentation flag, TCP SYN flag, TCP/UDP source port number or port range, and TCP/UDP destination port number or port range of IPv4 packets Information carried in MPLS packets The device supports MF classification on Ethernet interfaces, Ethernet sub-interfaces, Layer 2 Ethernet interfaces, Eth-Trunk interfaces, Eth-Trunk sub-interfaces, Layer 2 Eth-Trunk interfaces, QinQ VLAN tag termination sub-interfaces, dot1q VLAN tag termination sub-interfaces, VE interfaces, and QinQ stacking sub-interfaces.
Service Features	QoS	Traffic Policing	Traffic policing controls the rate of incoming packets to ensure that network resources are properly allocated. Committed access rate (CAR) is a traffic policing technique that uses token buckets to measure data flows. Only data flows assigned tokens within a specified period are permitted to pass through. Only data flows assigned tokens within a specified period are permitted to pass through. In addition, the rate of specific types of data flows can be limited based on information, such as the IP address, interface number, and priority. Rate limiting is not performed on data flows that do not meet the specified conditions, and these data flows are forwarded at the original interface rate. CAR is implemented at the network edge to ensure data processing on core devices. The NetEngine 8000 F supports CAR for both incoming and outgoing traffic.
Service Features	QoS	Traffic Shaping	Traffic shaping uses generic traffic shaping (GTS) to shape traffic that is irregular or does not conform to preset traffic features to ensure that traffic is transmitted at an even rate. This improves the allocation of bandwidth resources between the upstream and downstream networks. The NetEngine 8000 F supports traffic shaping only on the outbound interface. Different shaping parameters can be configured for packets based on service classes (EF, AF1, AF2, AF3, AF4, BE, CS6, or CS7). GTS queues can use priority queuing (PQ) or weighted fair queuing (WFQ) scheduling algorithm. Packets with different service levels in GTS queues have different default scheduling modes. For AF1 to AF4 queues and BE queues, WFQ scheduling is configured by default. Bandwidth is allocated based on the configured weight values. For EF, CS6, and CS7 queues, PQ scheduling is configured by default. PQ scheduling is performed based on priorities, and therefore is applicable to delay-sensitive services. When GTS queues use WFQ scheduling, weight values can be configured for services of different priorities in WFQ queues or the bandwidth ratio for each type of flow can be configured. Shaping values can be configured on interfaces. A shaping value is the rate at which tokens enter the token bucket. If the packet rate exceeds the shaping value, the packets are cached in the GTS queue.
Service Features	QoS	Queue Scheduling	The NetEngine 8000 F supports PQ, WFQ, and LPQ for queue scheduling on interfaces. The NetEngine 8000 F maps packets with different priorities to different queues and uses the round robin (RR) algorithm for queue scheduling on each interface. PQ schedules packets in descending order of priority. When packets leave queues, the queue with the highest priority is served first until it is empty, then the queues with lower priorities are served in sequence. PQ provides absolute preferential treatment to high priority traffic, ensuring that mission-critical service traffic gets priority treatment. When the network is idle, non-critical service traffic is transmitted. This implementation ensures that the quality of key services is guaranteed, and the network resources are fully utilized. WFQ is a complex queuing process, which ensures that services with the same priority are fairly treated and services with different priorities are weighted. WFQ ensures fairness (bandwidth and delay) and provides weights. The weights are configurable. The value of this parameter depends on the value of (precedence) in the IP packet header. WFQ dynamically classifies packets based on the quintuple information (or ToS field value). Packets with the same source IP address, destination IP address, source port number, destination port number, protocol number, and ToS value belong to the same flow. Each flow is assigned to a queue. This process is called hash. WFQ uses the hash algorithm to automatically add flows to different queues. When a flow leaves a queue, WFQ allocates the egress bandwidth to the flow based on the flow priority (precedence). The smaller the value of the priority, the less the bandwidth is allocated. A larger value indicates a higher bandwidth. In this way, the fairness between services of the same priority is ensured, and the weight between services of different priorities is reflected. Low priority queuing (LPQ) is performed after PQ and WFQ scheduling is complete. LPQ also schedules packets based on priorities in descending order.
Service Features	QoS	Congestion Avoidance	Congestion avoidance is a flow control technique used to relieve network overload. By monitoring the usage of network resources for queues or memory buffers, the device automatically drops packets on interfaces that show signs of traffic congestion. Random early detection (RED) and weighted random early detection (WRED) algorithms are frequently used to avoid congestion. RED sets the upper and lower limits for each queue and specifies the following rules: When a queue length is below the lower limit, no incoming packets are discarded. When a queue length exceeds the upper limit, all incoming packets are discarded. When a queue length is between the lower and upper limits, incoming packets are discarded randomly. A random number is assigned to each received packet, and the random number is compared with the drop probability of the current queue. If the random number assigned to the packet is greater than the drop probability, the packet is discarded. The longer the queue, the higher the drop probability. The drop probability, however, has an upper limit. Unlike RED, the random number in WRED is based on the IP precedence of packets. WRED uses a lower drop probability for packets with higher IP precedence. RED and WRED employ the random packet drop policy to avoid global TCP synchronization. The NetEngine 8000 F uses WRED to implement congestion avoidance. The NetEngine 8000 F supports congestion avoidance in both inbound and outbound directions of an interface. The WRED template is applied in the outbound direction; the default scheduling policy of the system is applied in the inbound direction. In addition, the NetEngine 8000 F supports WRED application to the multicast tunnel interface (MTI) bound to the distributed multicast VPN on the device. The NetEngine 8000 F supports service-based congestion avoidance and reserves eight service queues on each interface: BE, AF1, AF2, AF3, AF4, EF, CS6, and CS7. The NetEngine 8000 F colors packets red, yellow, or green to indicate their drop priorities.
Service Features	QoS	HQoS	The NetEngine 8000 F supports the following HQoS functions: Provides four scheduling levels to ensure diverse services. Sets flow queue parameters, such as the maximum queue length, WRED, low delay, SP/WRR, CBS, PBS, and statistics function. Sets parameters, such as the CIR, PIR, and queue scheduling algorithm, for each user. Provides the traffic statistics function, which allows users to query the bandwidth usage of services and accordingly distribute bandwidth properly after traffic analysis. Supports interface-based HQoS in VPLS, L3VPN, VLL, and TE scenarios. Supports interface-based, VLAN-based, user-based, and service-based HQoS.
Service Features	QoS	MPLS QoS	MPLS HQoS is a complete L2VPN/L3VPN QoS solution that uses various QoS techniques to meet the diversified and fine-granular QoS demands of VPN users. MPLS HQoS provides relative QoS on MPLS DiffServ networks and end-to-end QoS on MPLS TE networks. Select any of the following based on your networking requirements: MPLS DiffServ: applies to an L2VPN/L3VPN. MPLS TE: applies to an L2VPN/L3VPN. VLL HQoS: implements priority-based scheduling and rate limit management for services in a VLL and traffic bandwidth management for the entire VLL.
Service Features	Load Balancing	Equal-cost load balancing	The NetEngine 8000 F can implement equal-cost load balancing on traffic transmitted through trunk member links. When multiple equal-cost routes are available to a destination, the NetEngine 8000 F can evenly balance traffic among these routes. The NetEngine 8000 F supports per-flow load balancing.
Service Features	Load Balancing	UCMP	The NetEngine 8000 F supports the following UCMP modes: Load balancing based on routes If direct routes have the same cost, a weight can be configured for each route for load balancing. Load balancing based on interfaces A weight can be configured for each trunk member link for load balancing. Load balancing based on link bandwidth for IGP: In this mode, unequal-cost session-by-session load balancing is performed on the outbound interfaces of paths. The proportion of traffic transmitted along each path is approximate to or equal to the proportion of bandwidth of each link. This mode fully considers the link bandwidth. In this manner, the case when links with low bandwidth are overloaded whereas links with high bandwidth are idle does not exist. The NetEngine 8000 F can balance traffic between physical interfaces or between physical and logical interfaces. In addition, the device can detect logical interface bandwidth changes that occur due to manual configuration of new member links or status changes of member links. When the bandwidth of a logical interface changes, traffic is automatically load-balanced based on the new bandwidth proportion.
Service Features	Traffic Statistics	URPF Traffic Statistics	The NetEngine 8000 F can collect statistics about URPF-compliant traffic and URPF denied traffic that is discarded.
Service Features	Traffic Statistics	ACL Traffic Statistics	The NetEngine 8000 F supports ACL traffic statistics collection. When an ACL is created and applied to QoS and PBR, after the ACL traffic statistics collection is enabled, the NetEngine 8000 F collects statistics based on the ACL number. In addition, commands are provided to query the number of ACL matches and the number of matched packets and bytes.
Service Features	Traffic Statistics	CAR Traffic Statistics	The NetEngine 8000 F provides diverse QoS functions, such as traffic classification, traffic policing (using CAR), and queue scheduling. For these specific functions, the NetEngine 8000 F supports the following QoS traffic statistics functions: In traffic classification, the device can collect statistics about the traffic that matches or does not match traffic classification rules. The traffic statistics function for traffic policing is implemented in the following manners: Collects statistics about all traffic that matches CAR. Collects statistics about traffic that is permitted or discarded by CAR. Collects traffic statistics based on interfaces. Collects CAR traffic statistics based on interfaces if the same traffic policy is applied to different interfaces.
Service Features	Traffic Statistics	HQoS Traffic Statistics	Number of forwarded packets, bytes, and discarded packets of a user queue, which includes eight flow queues (each with a different priority) Number of forwarded packets, bytes, and discarded packets of a user group queue Number of forwarded packets, bytes, and discarded packets of eight flow queues on an interface
Service Features	Traffic Statistics	Interface Traffic Statistics	Traffic statistics can be collected on all interfaces, including physical interfaces, sub-interfaces, loopback interfaces, null interfaces, logical channel interfaces, and virtual Ethernet interfaces. Statistics on all supported protocol packets can be collected, including MPLS, ARP, IGP, BGP, PIM, and DHCP packets.
Service Features	Traffic Statistics	TE Tunnel Traffic Statistics	When the NetEngine 8000 F functions as a PE on an MPLS TE network, it can collect statistics about incoming and outgoing traffic of a tunnel. When a VPN is statically bound to a TE tunnel, the device can collect statistics about the traffic of each VPN and all traffic carried over the TE tunnel.
Service Features	Security	Security Authentication	The NetEngine 8000 F supports the following features: AAA Clear text authentication and MD5 ciphertext authentication for routing protocols, including RIPv2, OSPF, IS-IS, and BGP NOTE: The MD5 algorithm is insecure, posing security risks. You are advised to use a more secure authentication mode, such as keychain authentication. MD5 ciphertext authentication supported by LDP and RSVP SNMPv3 encryption and authentication
Service Features	Security	URPF	The device supports URPF for IPv4/IPv6 traffic.
Service Features	Security	MAC Address Limit	The NetEngine 8000 F supports the following MAC address limit functions: Limit on the maximum number of MAC addresses that can be learned Limit on the rate at which MAC addresses can be learned Limit on interface-based MAC address learning Limit on PW-based MAC address learning Limit on VLAN+interface-based MAC address learning Limit on interface+VSI-based MAC address learning Limit on QinQ-based MAC address learning MAC entries in a MAC address table are categorized into three types. Dynamic entries Dynamic entries are learned by interfaces and stored in of the device. Dynamic entries can age and will be lost when the system is reset. Static entries Static entries are manually configured and delivered to the device. Static entries do not age. After static entries are configured and saved, they are not lost when the system is reset. Black hole entries Black hole entries are also manually configured and delivered to the device. They are used to filter out data frames with specific destination MAC addresses. Black-hole entries do not age. After black-hole entries are configured and saved, they are not lost when the system is reset.
Service Features	Security	MAC Entry Deletion	The NetEngine 8000 F supports the following MAC entry deletion functions: Interface+VSI-based MAC entry deletion Interface+VLAN-based MAC entry deletion Trunk-based MAC entry deletion Outbound QinQ interface-based MAC entry deletion
Service Features	Security	Unknown Traffic Limit	The NetEngine 8000 F provides unknown traffic limits to implement the following functions on a VPLS or Layer 2 network: User traffic management User-specific bandwidth allocation This function maximizes network bandwidth usage and ensures network security.
Service Features	Security	IGMP Snooping	The NetEngine 8000 F supports IGMP snooping on Layer 2 interfaces and VPLS PWs.
Service Features	Security	MLD Snooping	The NetEngine 8000 F supports MLD snooping on Layer 2 interfaces and VPLS PWs.
Service Features	Security	Local Attack Defense	The NetEngine 8000 F provides a local attack defense module to manage and maintain the attack defense policies of the entire system, offering an all-around attack defense solution. The NetEngine 8000 F supports the following features: Whitelist Blacklist CPU total CAR User-defined flow Active link protection (ALP) The NetEngine 8000 F uses the whitelist to protect TCP-based application-layer session data. Uniform configuration of CAR parameters The NetEngine 8000 F supports the following methods for configuring CAR parameters: Uniform configuration GUI for users Configuration of protocol-specific CAR parameters, making the GUI more user-friendly Smallest packet compensation The NetEngine 8000 F provides the smallest packet compensation function to effectively defend against network attacks using small packets. After the device receives packets to be sent to the CPU, it checks the packet length. If the packet length is smaller than the preset minimum packet length, the device calculates the packet transmission rate based on the preset minimum length. If the packet length is greater than the preset minimum packet length, the device calculates the packet transmission rate based on the actual packet length. Association between the application layer and lower layers Interface URPF Management and service plane protection Discarding and rate limit based on the TTL range TCP/IP packet attack defense The NetEngine 8000 F defends against attacks by sending the following types of packets on TCP/IP networks: Malformed packets Malformed packets include IGMP null payload packets, packets with invalid TCP flag bits, LAND attack packets, IP null payload packets, and Smurf attack packets. Fragmented packets Fragmented packet attacks can be launched by a large number of fragments, packets that have a large offset value, or repetitive fragmented packets. Fragmented packet attacks include Tear Drop, syndrop, nesta, fawx, bonk, NewTear, Rose, ping of death, and Jolt attacks. TCP SYN packets UDP flood packets Attack source tracing When the NetEngine 8000 F is attacked, it obtains and stores suspicious packets and then displays the packets in a certain format using command lines or offline tools. This makes locating the attack source easier. When attacks occur, the system automatically removes the data encapsulated at upper layers of the transmission layer and then caches the packets in memory. When a specified number of packets are cached, the earliest cached packets are overwritten when more packets are cached.
Service Features	Security	GTSM	Attackers forge valid packets to attack routers, which overloads the routers and consumes limited resources, such as CPU resources. For example, an attacker forges BGP protocol packets and continuously sends them to a router. After the forwarding plane of the router receives the packets, it finds that the packets are destined for itself and then sends the packets directly to the BGP processing module on the control plane without checking the validity of the packets. As a result, the system is busy processing these forged valid packets, and the CPU usage increases rapidly. To prevent the preceding attacks, the NetEngine 8000 F provides the GTSM mechanism. GTSM protects services above the IP layer by checking whether the time to live (TTL) value in the IP header is within a predefined range. In actual applications, GTSM is mainly used to protect the TCP/IP-based control plane (routing protocol) against CPU-utilization attacks, such as CPU overload. The NetEngine 8000 F supports BGP GTSM, OSPF GTSM, and LDP GTSM.
Service Features	Security	ARP Attack Defense	The NetEngine 8000 F supports the following features: Interface-based ARP entry limit Timestamp suppression based on the source and destination IP addresses of ARP packets Destination IP address check for ARP packets The system checks the destination IP addresses of received ARP packets. If the destination IP address of a packet is correct, the system sends it to the CPU; otherwise, the system discards the packet. ARP bidirectional isolation ARP packet filtering The NetEngine 8000 F filters out the following types of ARP packets: Invalid ARP packets Invalid ARP packets include ARP request packets with destination MAC addresses as unicast addresses, ARP request packets with source MAC addresses as non-unicast addresses, and ARP reply packets with destination MAC addresses as non-unicast addresses. Gratuitous ARP packets ARP request packets with non-null destination MAC addresses The preceding types of packets can be filtered out simultaneously.
Service Features	Security	Local Mirroring	In local mirroring, supports a physical observing port, multiple logical observing ports, and multiple mirrored ports configured; supports multiple mirrored ports.
Service Features	Security	Netstream	NOTE: The NetStream feature may be used to analyze the communication information of terminal customers for network traffic statistics and management purposes. Before enabling the NetStream feature, ensure that it is performed within the boundaries permitted by applicable laws and regulations. Effective measures must be taken to ensure that information is securely protected. NetStream supports the following functions: Accounting Network planning and analysis Network monitoring Application monitoring and analysis Abnormal traffic detection NetStream involves three devices: NetStream Data Exporter (NDE), NetStream Collector (NSC), and NetStream Data Analyzer (NDA). The NetEngine 8000 F functions as an NDE to sample packets and aggregate and output flows. The NetEngine 8000 F supports the following sampling functions: Sampling on inbound and outbound interfaces Sampling of IPv4 unicast/multicast packets, fragmented packets, MPLS packets, MPLS L3VPN packets, and IPv6 packets Regular packet sampling, random packet sampling, sampling at regular time, and sampling at random time Sampling on various types of physical and logical interfaces, including Ethernet interfaces, VLAN sub-interfaces, and trunk interfaces The device supports the following aggregation and output functions: IPv4 packets can be aggregated based on the AS number, AS-ToS, protocol-port, protocol-port-ToS, source-prefix, source-prefix-ToS, destination-prefix, destination-prefix-ToS, prefix, and prefix-ToS. MPLS packets can be aggregated based on Layer 3 labels. The generated statistics can be output in v5, v8, or v9 format with 16-bit or 32-bit AS numbers (set using commands). When packets are output in v9 format, both 16-bit and 32-bit interface indexes are supported and can be set.
Service Features	Security	IPFIX	NOTE: Internet Protocol Flow Information Export (IPFIX) is compliant with the IETF RFC 7011, RFC 7012, RFC 7013, and RFC 7015 standards. For details about security risks, see relevant descriptions in these standards. This function can be used to analyze communication contents of specific target users for maintenance and operation purposes. Strictly observe the local law when using this function. When collecting and storing communication contents of specific users, ensure that the contents are profoundly protected. IPFIX supports the following functions: Accounting Network planning and analysis Network monitoring Application monitoring and analysis Detection of unusual traffic The device supports the following sampling functions: Packet sampling on inbound and outbound interfaces (some boards support packet sampling on inbound interface only) Interface-based sampling and traffic-classifier-based sampling Sampling of IPv4 unicast/multicast packets, fragmented packets, MPLS packets, MPLS L3VPN packets, and IPv6 packets Fixed packet sampling, random packet sampling, and fixed interval sampling Sampling on various physical and logical interfaces, such as Ethernet interfaces, VLAN sub-interfaces, and trunk interfaces. The device supports the following flow aggregation and output functions: IPv4 packets can be aggregated based on the AS number, AS-ToS, protocol-port, protocol-port-ToS, source-prefix, source-prefix-ToS, destination-prefix, destination-prefix-ToS, prefix, and prefix-ToS. IPv6 packets can be aggregated based on the AS number, AS-ToS, protocol-port, protocol-port-ToS, source-prefix, source-prefix-ToS, destination-prefix, destination-prefix-ToS, prefix, and prefix-ToS. MPLS packets can be aggregated based on Layer 3 labels. Each type of aggregated flow can be output to a maximum of eight NMS servers.
Service Features	Security	SSHv2	The NetEngine 8000 F supports the STelnet client and server and the SFTP client and server. Both SSHv1 (SSH1.5) and SSHv2 (SSH2.0) are supported.
Service Features	Security	IPsec	The following IPsec features functions are supported: Transport mode and tunnel mode IKEv2 GRE over IPsec NAT traversal IPsec VPN Keepalive and DPD for peer detection Dynamic and remote IPsec access IPsec Public Key Infrastructure (PKI) Pre-shared key CMPv2, which manages certificates online and simplifies certificate management and maintenance VXLAN over IPsec
Service Features	IP RAN Features	Plug and play	Plug-and-Play (PnP) use DHCP to automatically configure and commission devices remotely. On an IP RAN deployed with a large number of devices, the device deployment costs, especially on-site software commissioning, are high. This greatly affects profits. To address this issue, Huawei launches a PnP solution for IP RANs. PnP effectively reduces the on-site software commissioning time and frees engineers from working in bad outdoor environments, which accelerates the project progress and improves the project quality.
Service Features	IP RAN Features	DCN	The data communication network (DCN) refers to the network on which network elements (NEs) exchange Operation, Administration and Maintenance (OAM) information with the network management system (NMS). It is constructed for communication between managing and managed devices. The DCN technique offers a mechanism to implement plug-and-play. After an NE is installed and started, an IP address (NEIP address) mapped to the NEID of the NE is automatically generated. Each NE adds its NEID and NEIP address to a link state advertisement (LSA). Then, Open Shortest Path First (OSPF) advertises all Type-10 LSAs to construct a core routing table that contains mappings between NEIP addresses and NEIDs on each NE. After detecting a new NE, the GNE reports the NE to the NMS. The NMS accesses the NE using the IP address of the GNE and ID of the NE. To commission NEs, the NMS can use the GNE to remotely manage the NEs on the network. Data communication network (DCN) automatically discover NEs and manage NEs using service channels provided by the managed NEs. No additional devices are required, reducing operation costs.
Service Features	IP RAN Features	Y.1731	Y.1731 supports the following functions: Single-ended frame loss measurement Dual-ended frame loss measurement One-way frame delay measurement Two-way frame delay measurement One-way jitter
Service Features	Network Reliability	FRR	The NetEngine 8000 F provides multiple fast reroute (FRR) features, which can be deployed as required to improve network reliability. IP FRR IP FRR switching can be completed in 50 ms, minimizing data loss when network failures occur. The NetEngine 8000 F supports IP FRR, enabling the system to monitor and save the status of boards and interfaces in real time and to check the interface status during packet forwarding. If a fault occurs on an interface, the NetEngine 8000 F can rapidly switch traffic to another preset route. In this manner, the mean time between failures (MTBF) is prolonged and the packet loss rate is reduced. LDP FRR LDP FRR switching can be completed in 50 ms. LDP remote LFA: calculates a remote LFA route using a routing protocol and establishes a remote LDP session over the route and an LSP over the session so that an FRR protection path can be established. LDP remote LFA switching is performed within 50 ms. TE FRR TE FRR is an MPLS TE technology that protects local networks. Only interfaces with transmission rates of over 100 Mbit/s support TE FRR. TE FRR switching can be completed in 50 ms, which minimizes data loss if network failures occur. TE FRR only temporarily protects traffic. When the protected LSP becomes normal or a new LSP is established, traffic switches back to the original protected LSP or the new LSP. After TE FRR is configured for an LSP, if a link or node on the LSP fails, traffic is switched to the protection link, and the ingress on the LSP attempts to establish a new LSP. TE FRR is classified into the following types: Link protection Node protection Auto FRR Auto FRR extends MPLS TE FRR working in facility backup mode. It automatically creates a bypass tunnel that meets the requirements for the LSP by configuring the attributes of the bypass tunnel, global auto FRR attributes, and interface-based auto FRR attributes on the interface of the primary tunnel. When the primary tunnel changes to another path, the previous bypass tunnel is automatically deleted. Then a bypass tunnel that meets the requirements is set up. VPN FRR VPN FRR is a technique that allows a device to fast switch VPN routes by presetting and using master and backup forwarding entries on the remote PE (which correspond to the master and backup PEs, respectively), combined with fast detection of PE failures. VPN FRR prevents the issue where E2E service convergence caused by a PE failure lasts more than 1 second and the issue where the service restoration time for a faulty PE relies on the number of VPN routes in the routing table of the PE on an MPLS VPN where a CE is dual-homed to PEs. After VPN FRR is configured on the PEs, E2E service convergence takes less than 1 second in the event of a PE failure. VPN FRR provides fast service convergence after a node on a tunnel fails, irrespective of the number of VPN routes in the routing table of the node. In addition, VPN FRR is simple, reliable, and easy to deploy. Except for fast detection of PE failures, VPN FRR does not require assistance of adjacent devices. VLL FRR VLL FRR switching can be completed in 50 ms. Multicast FRR
Service Features	Network Reliability	Dual-System Hot Backup	The NetEngine 8000 F support: ARP dual-system 1+1 or 1:1 hot backup
Service Features	Network Reliability	Transmission Alarm Customization and Suppression	Transmission alarm suppression can efficiently filter and suppress alarms, preventing frequent interface flapping. In addition, transmission alarm customization allows the system to effectively control the impact of alarms on the interface status. Transmission alarm suppression and customization implement the following functions: Customizes alarms by specifying the alarms that can cause interface status changes. Suppresses alarms to filter out the burr and prevent frequent network flapping.
Service Features	Network Reliability	Ethernet OAM Fault Management	Ethernet OAM fault management includes the following functions: Ethernet in the First Mile OAM (EFM OAM) NetEngine 8000 F EFM OAM is a point-to-point Ethernet fault management technique defined in IEEE 802.3ah for detecting faults in the last mile of the direct link on the user side of the Ethernet. The NetEngine 8000 F supports EFM OAM functions, including OAM discovery, link monitoring, remote fault notification, and remote loopback. CFM OAM is an end-to-end Ethernet fault management technique defined in IEEE 802.1ag for fault detection and location. CFM OAM supports hierarchical MDs. Each MD has a level that ranges from 0 to 7. The greater the value, the higher the level. 802.1ag packets from a low-level MD are discarded in a high-level MD. 802.1ag packets from a high-level MD can be transmitted through a low-level MD.
Service Features	Network Reliability	iFIT	In-situ Flow Information Telemetry (iFIT) determines network performance by measuring the packet loss rate and latency of end-to-end service packets transmitted on an IP network. Supported scenarios: IFIT detection of IPv4 L3VPN over MPLS tunnels IFIT detection of IPv4 EVPN L3VPN over MPLS tunnels IFIT detection of IPv6 L3VPN over MPLS tunnels IFIT can detect IPv6 EVPN L3VPN over MPLS tunnels IFIT detection of IPv4 L3VPN over SRv6 tunnels IFIT can detect IPv4 EVPN L3VPN over SRv6 tunnels IFIT can detect IPv6 EVPN L3VPN over SRv6 tunnels IFIT detection of EVPN VPWS leased line over SRv6 tunnels IFIT detection of EVPN VPWS leased line over MPLS tunnels
Service Features	Network Reliability	VRRP	VRRP dynamically associates a virtual router with a physical router that carries services. If the physical router fails, another router is elected to take over services. The failover is transparent to users, and therefore the internal and external networks can communicate without interruption. The NetEngine 8000 F supports the following VRRP functions: mVRRP E-VRRP
Service Features	Network Reliability	GR	Graceful restart (GR) is a key technology that implements high availability. It is based on non-stop forwarding (NSF). It is designed based on NSF. The NetEngine 8000 F supports system-level GR and protocol-level GR. Protocol-level GR includes: Protocol-level GR includes: BGP GR helper OSPF GR helper IS-IS GR helper MPLS LDP GR helper LDP VLL GR helper LDP VPLS GR helper L3VPN GR helper RSVP GR helper
Service Features	Network Reliability	BFD	BFD is a detection mechanism used to monitor and rapidly detect the connectivity of network-wide links or IP routes. BFD sends detection packets simultaneously from both ends of a bidirectional link to check the link status in both directions. BFD can detect link faults within milliseconds. The device supports single-hop and multi-hop BFD. The NetEngine 8000 F supports the following BFD applications: BFD for VRRP The system uses BFD to detect and monitor the connectivity of links or IP routes on a network, triggering fast VRRP switchover. BFD for FRR BFD for LDP FRR LDP FRR switchover is triggered after BFD detects faults on protected interfaces. BFD for IP FRR and BFD for VPN FRR IP FRR and VPN FRR are triggered after BFD detects faults on the NetEngine 8000 F and reports fault information to upper layer applications. BFD for static routes BFD for IS-IS The NetEngine 8000 F can use static BFD sessions to detect IS-IS neighbor relationships. BFD detects the fault of the link between the adjacent IS-IS nodes and rapidly reports the fault to the IS-IS module. Thus fast convergence of IS-IS routes is performed. BFD for OSPF/BGP The device supports OSPF and BGP for dynamically setting up and deleting BFD sessions. BFD for PIM BFD for trunk The NetEngine 8000 F can use BFD to monitor the connectivity of a trunk interface and its member links separately. BFD for LSP BFD for LSP performs fast fault detection of LSPs, TE tunnels, and PWs, and subsequently implements fast switchover of MPLS services, such as VPN FRR, TE FRR, and VLL FRR. BFD for dot1q sub-interfaces BFD for mVSI Multi-hop BFD BFD for VPLS PW BFD for VPLS/VLL PW VPLS over LDP FRR/FW unicast BFD protocol packet authentication SBFD
Service Features	Network Reliability	BFD Bit-Error-Triggered Protection Switching	If a bit error occurs on a traditional transmission network, services are dually fed and selectively received. Packets on links with low bit error rates are selectively received. If a bit error occurs on an IP RAN, traditional detection mechanisms cannot trigger protection switching, and the base stations may go out of service. Bit-error-triggered protection switching can be configured to resolve this problem. Bit error-triggered protection switching uses BFD sessions to transmit bit errors of a link, triggering protection switching.
Service Features	Clock	Ethernet Clock Synchronization	Ethernet interfaces on the NetEngine 8000 F provide Ethernet clock synchronization to ensure clock quality and stratum on the network.
Service Features	Clock	1588v2	The 1588v2 features are described as follows: Supports input and output of externally synchronized time. Supports OC, BC, E2ETC, P2PTC, E2ETCOC, P2PTCOC, and TCandBC. Allows the device to function as a GrandMaster. Supports slave-only mode when the device functions as an OC. Supports the dynamic BMC algorithm. Supports two delay measurement methods: Delay and PDelay Supports one-step and two-step modes in which 1588v2 packets used by 1588v2 devices to perform time synchronization are timestamped. Supports multicast MAC encapsulation (The VLAN ID and 802.1p priority are configurable). Supports multicast UDP encapsulation (The source IP address, VLAN ID, and DSCP priority are configurable). Supports unicast MAC encapsulation (The destination MAC address, VLAN ID, and 802.1p priority are configurable). Supports unicast UDP encapsulation (The source IP address, destination IP address, destination MAC address, VLAN ID, and DSCP priority are configurable). Uses the clock recovered using the Precision Time Protocol (PTP) as the clock source and supports the dynamic clock source selection algorithm (based on the clock priority and stratum). Supports performance monitoring of passive ports on a 1588v2 device. Implements back-to-back clock recovery in compliance with G.813 specifications. Implements back-to-back clock recovery within 30 ns.
Service Features	Clock	1588 ACR	Supports only frequency synchronization. Supports clock source switching. Supports unicast UDP encapsulation (with DSCP values). Supports service modeling and networking in compliance with Recommendation G.8261 and performs clock recovery with G.823-compliant accuracy. Supports the 1588 ACR server functionality. Supports two-way frequency recovery mode.
Service Features	Clock	Network Time Protocol (NTP) clock	The NetEngine 8000 F supports the following NTP working modes: Client/server mode Peer mode Broadcast mode Multicast mode The NetEngine 8000 F supports two NTP security mechanisms: Access authority The NetEngine 8000 F provides four access control levels. After receiving an NTP access request packet, the device matches the packet against the access control list from the lowest access control level to the highest access control level. The first successfully matched access control level takes effect. The matching order is as follows: peer: minimum access control. The remote end can send a time request and a control query to the local end. The local clock can also be synchronized with the clock of the remote server. server: The remote end can send a time request and a control query to the local end. The local clock, however, is not synchronized with the clock of the remote server. synchronization: The remote end can only send a time request to the local end. query: maximum access control. The remote end can only send a control query to the local end. Authentication When configuring NTP authentication, note the following rules: NTP authentication must be configured on both the client and server; otherwise, authentication does not take effect. If NTP authentication is enabled, keys must be configured and declared reliable. The client and server must have the same key configured.
Service Features	Clock	Internal Clock	The NetEngine 8000 F provides internal clocks. Clock information can be extracted from the . The precision is 4.6 ppm.
Service Features	Clock	Extended SSM	The NetEngine 8000 F supports the following extended SSM functions: Sends and receives SSM information carrying clock IDs. Configures a clock ID for a clock source. Supports clock source selection based on extended SSM.
Service Features	User Access	IPv4-based IPoX User Access	The NetEngine 8000 F supports the following functions: IP over Ethernet over VLAN (IPoEoVLAN) and IP over Ethernet over QinQ (IPoEoQ) ARP trigger, IP trigger, and DHCP trigger, which indicate the modes for triggering user access by sending ARP packets, IP packets, and DHCP packets respectively Web authentication, fast authentication, and binding authentication Default domain and roaming domain Typical options such as Option 60 and Option 82 Static users IPv4 address allocation Captive portal
Service Features	User Access	IPv6-based IPoX User Access	The NetEngine 8000 F supports the following functions: IPv6 over Ethernet over VLAN (IPv6oEoVLAN), and IPv6oEoQ ND trigger and DHCPv6 trigger, which indicate the modes for triggering user access by sending ND and DHCPv6 packets respectively Web authentication, fast authentication, and binding authentication Default domain and roaming domain Typical options such as Option 18 and Option 37 IPv6 address, stateless prefix, and PD prefix allocation
Service Features	User Access	IPv4-based PPPoX User Access	The NetEngine 8000 F supports the following functions: PPP over Ethernet (PPPoE), PPP over Ethernet over VLAN (PPPoEoV), and PPP over Ethernet over QinQ (PPPoEoQ) Default domain and roaming domain IPv4 address allocation PPPoE+
Service Features	User Access	IPv6-based PPPoX User Access	The NetEngine 8000 F supports the following functions: PPPv6 over Ethernet (PPPv6oE), PPPv6 over Ethernet over VLAN (PPPv6oEoV), and PPPv6 over Ethernet over QinQ (PPPv6oEoQ) Default domain and roaming domain IPv6 stateless prefix and PD prefix allocation PPPv6oE+
Service Features	User Access	AAA	The NetEngine 8000 F supports the following functions: Flexible authentication, authorization, and accounting: Authentication schemes include non-authentication, local authentication, remote authentication, and any combination of these modes. Authorization schemes include authorization through authentication and online authorization. Accounting policies include non-accounting, remote accounting (RADIUS/RADIUS+ and TACACS), post-paid accounting, and pre-paid accounting. Domain management IPv4&IPv6 user management
Service Features	User Access	RADIUS	The device supports flexible RADIUS/RADIUS+ authentication, authorization, and accounting.
Service Features	User Access	Address Management	The NetEngine 8000 F supports the following address management functions: IPv4 address pool management through the DHCP server, DHCP relay agent, and DHCP proxy IPv6 prefix pool management through the local prefix, delegation prefix, and proxy prefix IPv6 address pool management through the DHCPv6 server and DHCPv6 relay agent
Service Features	User Access	L2TP	The NetEngine 8000 F supports the following functions: L2TP sessions and tunnels L2TP tunnel authentication L2TP PPP user authentication and accounting L2TP attributes delivered by the RADIUS server L2TP permanent tunnels L2TP probe LTS L2TP QoS
Service Features	User Access	Reliability	User access through a trunk interface
Service Features	User Access	Value-added Services	The NetEngine 8000 F supports the following functions: EDSG DAA Diameter
Service Features	User Access	User Security	The NetEngine 8000 F supports the following functions: IP-based or IP+MAC-based bogus user access MAC address-based CAR
Service Features	IPv6 Transition	NAT	The NetEngine 8000 F supports the following functions: NAT444 VPN NAT NAT ALG (FTP/ICMP/PPTP/RTSP/SIP) NAT internal server DNS mapping No-PAT Outbound interface-based NAT
Operation and Maintenance	Two-Phase Validation Mode	-	In two-phase validation mode, the system configuration process is divided into two phases. In the first phase, a user enters configuration commands. The system checks the data type, user level, and configuration object, and checks whether there are repeated configurations. If syntax or semantic errors are found in the command line, the system displays a message on the terminal to inform the user of the error and cause. In the second phase, the user commits the configuration. The system then enters the configuration commitment phase and commits the configuration in the candidate database to the running database.
Operation and Maintenance	System Configuration Modes	-	The NetEngine 8000 F supports command line configuration. Command line configuration can be performed using either of the following: Console interface Telnet The console interface can be used as a command input interface to send command lines to the control plane. The console interface can also be used as a debugging interface to receive debugging information from the control and data planes and to deliver debugging and control commands.
Operation and Maintenance	System Management and Maintenance	-	The NetEngine 8000 F supports the following system management and maintenance functions: Plug-and-play Watchdog, board reset, RUN indicator control, fan and power supply control, system debugging, and version query Local and remote software upgrading and data loading, version rollback, and data backup, saving, and clearing Hierarchical user authority management, operation log management, command online help, and command comments Three user authentication modes: local authentication, RADIUS authentication, and HWTACACS authentication, which authenticate and authorize users using commands and an SNMP-based NMS. Multi-user operations Layer 2 and Layer 3 interface information queries Hierarchical alarm management, alarm classification, and alarm filtering Support for the shutdown and undo shutdown commands on interfaces and optical modules
Operation and Maintenance	Device Running Status Monitoring	-	The running status of the NetEngine 8000 F can be monitored through the information center. Syslog is a sub-function of the information center. Syslog uses UDP port 514 to output logs to log hosts. The information center can receive and process the following information: Logs Debugging information Traps The information center supports 10 channels, of which channels 0 through 5 each have a default channel name. By default, the six channels correspond to six directions in which information is output. The log information on the CF card is output to log files through channel 9 by default. This means that a total of seven default output directions are supported. When multiple log hosts are available, you can configure log information to be output to different log hosts through one or more channels. For example, you can configure certain log information to be output to a log host through channel 2 (loghost), and certain log information to a log host through channel 6. In addition, you can change the name of channel 6 to facilitate channel management. The NetEngine 8000 F stores all traps in a log file and provides the CF card to store the log file. The number of logs determines the time these logs can be stored. Generally, logs can be stored for months.
Operation and Maintenance	System Service and Status Tracking	-	The NetEngine 8000 F provides the following functions for tracking system services and status: Monitors the changes of routing protocol state machines. Monitors the changes of MPLS LDP state machines. Monitors the changes of VPN state machines. Monitors the types of protocol packets sent by the forwarding engine to the control plane and displays detailed packet information by enabling debugging. Monitors abnormal packets and collects statistics. Displays a notification when the abnormality process starts. Collects statistics about the resources used by each feature.
Operation and Maintenance	System Test and Diagnosis	-	The NetEngine 8000 F supports the debugging of running services, including online recording of key events, packet processing, packet parsing, and status switching of services at specified time, which serves as powerful support for device commissioning and networking. Debugging can be enabled or disabled through the console interface for specific services (for example, a routing protocol) or specific interfaces (for example, a routing protocol on a specific interface). The NetEngine 8000 Fprovides the system-based trace function to detect and diagnose running software, online recording of important events, such as task switchover, interrupt, queue reading and writing, and system abnormalities. If the system is restarted after a fault occurs, the device can read trace information to facilitate fault locating. The trace function can be enabled or disabled using commands on the console interface. In addition, the NetEngine 8000 F supports the real-time query of the CPU usage. Debugging and trace information provided by the NetEngine 8000 F is classified into different levels. Sensitive information assigned different levels can be output to different destinations as configured. For example, specific information can be output to the console interface, Syslog server, or SNMP agent to trigger traps.
Operation and Maintenance	NQA	-	The NetEngine 8000 F supports Network Quality Analysis (NQA). NQA measures the performance of different protocols running on a network to obtain network operation indicators, such as the total HTTP delay, TCP connection delay, file transfer rate, FTP connection delay, Domain Name System (DNS) resolution delay, and DNS resolution error ratio. Based on these indexes, operators can provide differentiated network services and charge differently. NQA is also an efficient tool for diagnosing and locating network faults. NQA supports the following functions: PWE3 tracert Multicast ping Multicast tracert Tracert using the DISMAN-TRACEROUTE-MIB Ping/UDP/TCP/SNMP tests using the DISMAN-PING-MIB CE-ping (ping the host from a VPLS PE) LSP ping, LSP traceroute, and MPLS LSP jitter DNS verification using the DISMAN-NSLOOKUP-MIB Transmission of consecutive 3000 simulated voice packets in one test Minimum transmission intervals at 10 ms NQA for multiple next hops in packet redirection
Operation and Maintenance	VS	-	A virtual system (VS) is classified as an admin VS or a common VS. Common VS: The network administrator uses hardware-level and software-level emulation to partition a physical system (PS) into VSs. Each interface works only for one VS, and each VS runs individual routing tasks. VSs share software and hardware resources. Admin VS: Each PS has a default VS named admin VS. All unallocated interfaces belong to this VS. The admin VS can process services in the same way as a common VS. In addition, the PS administrator can use the admin VS to manage VSs.
Operation and Maintenance	In-Service Debugging	-	The NetEngine 8000 F provides port mirroring to map specific traffic to a monitoring interface. In this case, in-service debugging can be performed for advanced maintenance engineers to debug and analyze the network operating status.
Operation and Maintenance	Upgrade	-	One-command system upgrade The NetEngine 8000 F provides an optimized upgrade process. A progress bar is displayed to show the upgrade progress. After the upgrade is complete, the upgrade result is displayed. Software version rollback If the new system software cannot start the system after an upgrade, the system can roll back to the previous version instead. NetEngine 8000 F protects services against system upgrade failures.
Operation and Maintenance	License	-	As the NetEngine 8000 F's software functions become increasingly diversified and software costs occupy an increasing proportion of the total costs, the traditional service model is insufficient to meet the following carrier requirements: Lower purchasing costs Effective control over the capacities and functions of devices during system upgrades and capacity expansion To meet different customer requirements, the NetEngine 8000 F implements flexible authorization of service modules. The NetEngine 8000 F provides a license authorization management platform called the global trotter license (GTL). The GTL allows you to: Purchase only required service functional modules, reducing purchasing costs. Extend device functions and expand device capacities by purchasing new licenses.
Operation and Maintenance	Other Operation and Maintenance Features	-	Hierarchical command authorization to prevent unauthorized access Online help obtained by entering a question mark (?) Rich and detailed debugging information for network fault diagnosis DOSKEY-like function that allows specific historical commands to be run Fuzzy matching of keywords using the command resolver, for example, "disp" for a display command