1. Overview
Thank you for choosing 6WIND Virtual Service Router.
6WIND Virtual Service Router (VSR) is a high-performance and scalable virtualized software router optimized for Service Providers and Enterprises. It is deployed bare-metal, virtualized, or containerized on COTS servers in private and public clouds.
The 6WIND VSR product family includes:
Virtual Security Gateway
Virtual Carrier Grade NAT Router
Virtual Border Router
Virtual Provider Edge Router
Virtual Broadband Network Gateway
Virtual Firewall
Virtual Cell Site Router
Virtual CPE Router
Virtual UPF
Each product requires a specific license to enable the needed features.
6WIND VSR products support deployment on x86 and Arm servers in bare metal, virtual machine or container environments.
This document will help you get started with your new product. It provides an overview as well as detailed installation and startup instructions.
1.1. Features
Virtual Service Router offers:
Linear performance scalability with the number of cores deployed
Full-featured data plane networking with fast path protocols
High performance control plane
CLI management
NETCONF management
High performance input/output (I/O) leveraging DPDK with multi-vendor NIC support
Bare metal and virtual environment support, including KVM, VMware and AWS
Container support with Docker, Kubernetes, Red Hat OpenShift, VMware Telco Cloud Platform, Wind River Studio Cloud Platform
1.1.1. Routing
BGP, BGP4+
OSPFv2, OSPFv3
RIP, RIPng
IS-IS
SR-TE
PCEP
SRv6
PIM SM and SSM
Cross-VRF
Static Routes
Path monitoring
ECMP
PBR
BFD
MPLS LDP
BGP L3VPN
VXLAN EVPN
Point to Multipoint GRE interfaces
NHRP
DMVPN with IPsec
Weighted ECMP support (Unequal Cost Multipath)
1.1.2. Layer 2 and Encapsulations
GRE
VLAN (802.1Q, QinQ)
VXLAN
LAG (802.3ad, LACP)
Ethernet Bridge
PPPoE client
1.1.3. IP Networking
IPv4 and IPv6
IPv6 Autoconfiguration
VRF
IPv4 and IPv6 Tunneling
NAT
1.1.4. IPsec [1]
IKEv1, IKEv2 Pre-shared Keys or X509 Certificates
MOBIKE
Encryption: 3DES, AES-CBC/GCM (128, 192, 256)
Hash: MD5, SHA-1, SHA-2 (256, 384, 512), AES-XCBC (128)
Key Management: RSA, DH MODP groups 1 (768 bits), 2 (1024 bits), 5 (1536 bits), 14 (2048 bits), 31 (curve25519) and 32 (curve448), DH PFS, ECDSA, RSA-PSS, EdDSA
High performance (AES-NI, QAT)
Tunnel, Transport or BEET mode
Static SVTI, Dynamic SVTI
Tenant provisioning through Radius (PSK)
1.1.5. CG-NAT [1]
NAT44
NAT64 in conjunction with DNS64
Port Assignment
Random or parity
Port Block Allocation (PBA)
Per user/per CPE session limiter
IP Pool Management
Paired pooling
IP pool resize
Logging
Port batching
Syslog
Per session logging
ALG support
ICMP, FTP, TFTP, RTSP, PPTP, SIP, H323
Hairpinning
Endpoint-Independent Mapping and Filtering
Address and Port Dependent Mapping and Filtering
Deterministic NAT
NAT-PT port overloading
Inactivity timeout per protocol/port couple
Stateful destination NAT
DS-lite
1.1.6. Security
Access Control Lists
Unicast Reverse Path Forwarding
Control Plane Protection
BGP Flowspec
Certificates management
Fast Path Firewall [1]
Match criteria: 5-tuples, DSCP, address/network group, app name
Action: TCP MSS, DSCP update
Verdict: accept, drop, track, reject
DDoS [1]
Traffic types: ICMP, DNS, QUIC, UDP, TCP
Rate limiter: global, per source IP, per destination IP
Trusted addresses list
1.1.7. QoS
Rate limiting per interface, per VRF
Class-based QoS
Classification: ToS / IP / DSCP / CoS
Shaping and Policing
Scheduling: PQ, PB-DWRR, HTB
Fair Queuing: SFQ
Ingress hardware-assisted based on DSCP
1.1.8. IP Services
DHCP v4 client
DHCP v4 server
DHCP v4 relay
DHCP v6 client
DNS client
DNS proxy
NTP
1.1.9. BNG [1]
PPPoE v4/v6, PAP/CHAP/MS-CHAPv2
IPoE v4/v6, DHCP option 60, 82
Radius accounting
IPv6 Prefix Delegation
Hierarchical QoS (HTB)
Session termination in L3 VRF
PADO Delay and DHCP offer delay
1.1.10. UPF [1]
Support Relay and Gateway session creation modes
Packet Detection Rules (PDR)
Forwarding Action Rules (FAR)
Downlink Data Buffering support (BUCP)
QoS Enforcement Rules Support (QER)
Rate limiter for AMBR and MBR of GBR flows
Usage Reporting Rules support (URR)
Support Error indication
PFCP
Up to 1M GTP-u tunnels
DL buffering duration
UL/DL buffering control
1.1.11. Management/Monitoring
SSHv2
CLI
NETCONF / YANG API
SNMP
KPIs / Telemetry (YANG-based)
Data streaming: InfluxDB, Elasticsearch, Kafka, Amazon CloudWatch, Graphite
Role-Based Access Control with AAA (TACACS, Radius)
Syslog
802.1ab LLDP
sFlow
Netflow / IPFIX
BMP
NETCONF alarms based on YANG Push
Audit Trail
Custom user roles with TACACS
1.1.12. Operations
Installation: PXE, USB, ISO, QCOW2, OVA
Update / Rollback Support
Provisioning: cloud-init, Ansible
Licensing: online licensing system with flexible feature and capacity enablement
1.1.14. Power consumption
Eco mode leveraging CPU frequency scaling according to workload
1.2. System Requirements
Bare metal or VM (KVM, VMware, AWS, Azure)
Virtio vNIC, VMXNET3, ENA, PCI passthrough and SR-IOV
A container engine (Docker, Podman, Kubernetes, …)
Virtio vNIC, PCI passthrough and SR-IOV
Supported processors
Intel Xeon E5-1600/2600/4600 v2 family (Ivy Bridge EP)*
Intel Xeon E5-1600/2600/4600 v3 family (Haswell EP)
Intel Xeon E5-1600/2600/4600 v4 family (Broadwell EP)*
Intel Xeon E7-2800/4800 v2 family (Ivy Bridge EX)
Intel Xeon E7-2800/4800 v3 family (Haswell EX)
Intel Xeon E7-4800/8800 v4 family (Broadwell)
Intel Xeon Platinum/Gold/Silver/Bronze family Skylake
Intel Xeon Platinum/Gold/Silver/Bronze family Cascade Lake*
Intel Xeon Platinum/Gold/Silver family Ice Lake*
Intel Xeon Platinum/Gold/Silver family Sapphire Rapids*
Intel Xeon Platinum/Gold/Silver family Emerald Rapids
Intel Atom C3000 family (Denverton)*
Intel Xeon D family
AMD Epyc 4 Genoa and Siena*
Ampere Altra Server Snow*
AWS Graviton2*
Supported Ethernet NICs
Intel 1G 82573, 82576, 82580, I210, I211, I350, I354 (igb)
Intel 10G 82599*, X520*, X540, X550* (ixgbe)
Intel 10G/40G X710*, XL710*, X722, XXV710* (i40e)
Intel 25G*/100G* E810 (ice)
Mellanox 10G*/25G*/40G*/50G/100G* Connect-X 4/5/6 (mlx5)
Broadcom NetXtreme E-Series 100G* (bnxt)
Note: marked references (*) on processors and NICs are fully integrated in 6WIND’s CI with a wide functional and performance test coverage.
Memory footprint
For bare metal and VNF: Virtual Service Router requires at least 2GB of RAM. Default capabilities are automatically adjusted to the amount of RAM available.
For CNF: to run Virtual Service Router, we recommend at least 6GB of hugepages, 2GB of standard memory, and 512MB of POSIX shared memory. The minimum requirements are 1GB of hugepages, 1GB of standard memory, and 64MB of POSIX shared memory.
Virtual Service Router requires 8GB of RAM to achieve the following capabilities:

| Capability | Value |
|---|---|
| VRs | 32 |
| Routes | 1000000 |
| Next-hops | 200000 |
| Neighbors | 10300 |
| PBR rules | 4096 |
| Netfilter rules | 10000 |
| Netfilter conntracks | 262144 |
| Netfilter ebtables | 10000 |
| Netfilter ipset | 64 ipsets per VR, 2048 entries per ipset |
| VXLAN interfaces | 512 |
| IPsec tunnels [1] | 100000 |
| CG-NAT Max conntracks [1] | 4M |
| CG-NAT Max NAT entries [1] | 4M |
| CG-NAT Max cpe (users) [1] | 20K |
| CG-NAT Max blocks [1] | 80K |

Note
Some of these numbers (CG-NAT) are empirical. They may have to be tuned according to your use case.
See also
Fast path limits configuration to tune these capabilities.
CPU: Virtual Service Router requires at least 2 CPU cores.
Storage: Virtual Service Router in container requires at least 1GB of storage space; 8GB are recommended to manage several images and store configuration and log files.
[1] Requires a specific Application License.