
H3C S3100-EI Intelligent Secure Switches

Learn about H3C S3100-EI switches with advanced features like PoE, VLAN ACL, DHCP snooping, and anti-ARP spoofing for secure and efficient network operations. Manage network traffic effectively with SNMP, IPv6 support, and VCT technology. Ensure end-point security with EAD, VLAN-based ACL, and system patch enforcement. Implement high availability solutions with Smart Link and prevent network loops with LDT.

brittanyp

Presentation Transcript


  1. H3C S3100-EI Intelligent Secure Switches

  2. Content • Introduction • Highlight Features • Typical Solutions

  3. Content • Introduction • Highlight Features • Typical Solutions

  4. Hardware Specification
     Models: S3100-26TP-EI, S3100-16TP-EI, S3100-8TP-EI, S3100-26TP-PWR-EI, S3100-16TP-PWR-EI, S3100-8TP-PWR-EI
     Highlights
     • 8/16/24 * 10/100Base-TX (PoE) + 1/2 * 10/100/1000Base-T and 2 * 1000Base-SFP
     • Switch Capacity: up to 17.6Gbps / Throughput 13.1Mpps
     • Full wire speed FE ports and GE uplink
     • PoE

  5. Content • Introduction • Highlight Features • Typical Solutions

  6. Highlights of S3100-EI
     Performance
     • Up to 17.6Gbps switching fabric
     • Up to 6.55Mpps
     • 8K MAC
     • 4K VLAN
     Security
     • VLAN and port based ACL
     • ARP detection
     • Port security
     • IP source guard
     • DHCP snooping trust
     Availability
     • Smart link
     • Power over Ethernet
     • Voice VLAN
     Management & Maintenance
     • SNMPv1/v2/v3
     • IPv6 host
     • RSPAN
     • VCT, DLDP
     • LDT

  7. ARP Spoofing – How to attack
     • Device A: IP 10.1.1.1, MAC A: 0002:5547:bc34
     • Device B: IP 10.1.1.50, MAC C: 0010:a4aa:36db
     • Device C: IP 10.1.1.20, MAC B: 0009:6b71:877e
     • Free ARP: 10.1.1.50 = MAC B
     • Free ARP: 10.1.1.1 = MAC B
     Legend: Normal flow; Attacked flow

  8. How To Anti ARP Spoofing
     • DHCP Snooping: creates a dynamic binding table of MAC+IP+Port+VLAN and detects whether an ARP packet matches the DHCP binding table
     • ARP Intrusion Detection: checks whether the ARP packet matches the binding table; if not, the packet is discarded to prevent ARP spoofing
     • ARP Packet Rate Limit: limits the ARP packet rate on the ports in order to protect the CPU from massive abnormal packets
     Only ARP Intrusion Detection can solve the problem of ARP Spoofing
     Diagram labels: Gateway 10.1.1.1 MAC A; Attacker 10.1.1.20 MAC B; Victim 10.1.1.50 MAC C; Free ARP 10.1.1.50=MAC B; Free ARP 10.1.1.1=MAC B; NO!; ARP rate limit

  9. VLAN Based ACL
     • Traditional ACL policy is configured per port, so users have to configure the ACL policy on all ports one by one;
     • S5500-EI supports VLAN based ACL policy, so users can define ACL policy easily and flexibly.
     Traditional port based ACL:
     # Interface Port 1> Deny ftp Permit any
     # Interface Port 2> Deny ftp Permit any
     # Interface Port 3> Deny ftp Permit any
     # Interface Port 3> Deny ftp Permit any
     # …
     VLAN based ACL:
     # Vlan 100> Deny ftp Permit any
     #

  10. EAD solves end user secure access problems
      Questions: Who are you? Are you secure? What can you do? What are you doing?
      Diagram labels: Identity Authentication; Security Authentication; Dynamic Authorization; Activity Audit; Access Request; Legal User; Deny Invalid user; Qualified User; Unqualified user is directed to isolation zone; Isolation Zone; Reinforcement; Different user has different access right; Enterprise Network

  11. EAD Basic Function
      End point Security Inspection
      • Inspect end point security status and defense ability
      • Guarantee user security & defense ability
      • OS version, Hot Fix, Antivirus software version, Virus Definition
      • Unqualified software installation & execution
      • Virus check; Shared Folder check; Screen saver pwd check
      • Enhanced Identity Authentication (user name, password, IP, MAC binding)
      Unqualified User Isolation
      • Isolate those not complying with security policy
      • Prevent cross infection & virus outbreak
      • Stop invalid user through 802.1x, Portal authentication
      • Limit user access authority by VLAN, ACL restriction
      • Isolate end user who does not update system patch or virus definition
      • Isolate end user who installs or runs unqualified software
      System Security Reinforcement
      • Force repair of system patch & update antivirus software
      • Enhance immunity & Increase security
      • Notify and assist user to repair system hole
      • Security policy implementation
      • Automated or compulsory manual system patch or virus definition update

  12. Smart Link
      • Suitable for dual uplink circumstances; better than Spanning Tree technology because it brings higher reliability to the network;
      • Works in active/standby mode: once the active link fails, the standby link is enabled, and the recovery time is less than 50ms.
      Diagram labels: IP/MPLS Core; Metro Ethernet Network; S7800; DSLAM; LSW; CE; AMG; A; B; C; Active Link; Backup Link; Forwarding traffic; Blocking

  13. VCT – Virtual Cable Test
      S5500-EI VCT (Virtual Cable Test) testing items include: whether a short or open circuit exists in the Rx/Tx direction of the cable, and the length of the cable in normal status or the length from the port to the fault point of the cable.
      • [S5500-Ethernet0/4]virtual-cable-test
      • Cable pair: RX Status:Open Cable Error lenth:5 metres
      • Cable pair: TX Status:Open Cable Error lenth:5 metres

  14. LDT: Loopback Detection
      • [S5500-EI]loopback-detection enable
      • [S5500-EI]display loopback-detection
      • Port loopback-detection is running
      • System Loopback-detection is running
      • Detection interval time is 30 seconds
      • Loopback link is Dectected
      • The Loopback link is Port 3
      Loopback Detection is used to monitor the network to avoid loops, which may cause broadcast storms that affect common network applications.

  15. Remote Switch Port Analysis (RSPAN)
      RSPAN can realize port mirroring across devices; working with the NetStream module, it can realize traffic analysis and monitoring of the whole network.
      Diagram labels: Remote mirroring port; NetStream Module; Local mirroring port; Source port; Local mirror; Application server farm; XE 200; Quidview; Video-Server; VCX

  16. Power Over Ethernet (POE)
      S5500-EI can provide power to powered devices, including wireless APs, IP phones and web cameras, over the unified Ethernet.
      • Supports the IEEE 802.3af standard, providing a maximum of 15.4w to each port
      • Supports THREE levels of power supply: critical/high/low
      • Equipped with a 370w high power supply to cover a maximum of 24 ports of powered devices
      Diagram labels: S5500-EI; PD switch; AP; Power over Ethernet
      PD: Powered Device; AP: Access Point

  17. Voice VLAN
      1. Mac address 00E0-BB00-0000 mask ffff-ff00-0000
      2. Ah! It is an IP Phone of Vendor A, B, C…… (Totally, 16 Vendors)
      3. Put the traffic from IP Phone into Voice VLAN automatically
      4. Other traffic will be processed with lower priority
      Diagram labels: Voice Queue; Data Queue 1; Voice Data; Data Queue 2; Other Data
      Benefits:
      • Guarantee the QoS of voice data
      • Improve the security

  18. RoHS Product
      H3C always invests heavily in R&D and in advanced manufacturing technology as well. The whole design and manufacturing process of the H3C S3100-EI complies with the RoHS standard released by European government; therefore, it is an absolutely GREEN product which won't pollute the environment.
      RoHS (The Restriction of the use of certain Hazardous Substances in Electrical and Electronic Equipment)

  19. Content • Introduction • Highlight Features • Typical Solutions

  20. Edge of Campus Network S9500/S7500E/S7500 S5500 S5500 S5500 S3100-EI S3100-EI S3100-EI

  21. Core of Mid-to-small sized Network Server Farm CAMS NMS GE S5500-EI S5500-EI Firewall 10 GE S5500-SI S5500-SI S5500-SI S5500-SI S5100-SI S5100-SI GE PoE PoE GE GE GE PoE GE GE GE GE PoE PoE GE GE

  22. IPv6/IPv4 Hybrid Network S5500-EI IPv6 Networking Solution IPv6 Internet IPv6 Island IPv6 Link IPv4 Internet S5500-EI IPv6 IDC Network Manager 6to4 Relay IPv6 Network S5500-EI S5500-EI IPv6 Access IPv6 Over IPv4 Tunnel Mobile Network Dual-Stack Access IPv6 Access IPv4 Network S5500-EI WLAN IPv4 Access Dual-Stack Access IPv6 Mobile Terminal IPv6 Enterprise Users IPv6 Users IPv4 User
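
The ARP check that slide 8 describes (compare each ARP packet with the DHCP snooping binding table of MAC+IP+Port+VLAN, discard on mismatch, and rate-limit ARP per port), as an added Python simulation that is not part of the original presentation and not H3C code. The addresses are those on slides 7 and 8; the port names, VLAN 1, the trusted uplink towards the gateway and the limit of 15 packets per second are assumptions.

```python
from collections import defaultdict

# DHCP snooping binding table: (VLAN, port) -> (MAC, IP) learned on that port.
# Constructed entries using the addresses from slides 7 and 8; the port names,
# VLAN 1 and the trusted uplink towards the gateway are assumptions.
BINDINGS = {
    (1, "Ethernet1/0/2"): ("0009:6b71:877e", "10.1.1.20"),  # Device C, MAC B
    (1, "Ethernet1/0/3"): ("0010:a4aa:36db", "10.1.1.50"),  # Device B, MAC C
}
TRUSTED_PORTS = {"GigabitEthernet1/1/1"}  # uplink to gateway 10.1.1.1 (MAC A)
ARP_RATE_LIMIT = 15                       # ARP packets per second per port (assumed)


class ArpInspector:
    def __init__(self):
        self.seen = defaultdict(int)  # (port, second) -> ARP packets counted

    def check(self, vlan, port, sender_mac, sender_ip, now):
        """Return 'forward' or a drop reason for one ARP packet."""
        if port in TRUSTED_PORTS:
            return "forward"          # trusted ports are not inspected
        self.seen[(port, int(now))] += 1
        if self.seen[(port, int(now))] > ARP_RATE_LIMIT:
            return "drop: rate limit"
        # The sender MAC+IP must equal the binding for this exact VLAN and port.
        if BINDINGS.get((vlan, port)) != (sender_mac.lower(), sender_ip):
            return "drop: no matching binding"
        return "forward"


def demo():
    insp = ArpInspector()
    port_c, mac_b = "Ethernet1/0/2", "0009:6b71:877e"
    results = [
        insp.check(1, port_c, mac_b, "10.1.1.20", 0.0),  # Device C's real address
        insp.check(1, port_c, mac_b, "10.1.1.1", 0.1),   # "10.1.1.1 = MAC B"
        insp.check(1, port_c, mac_b, "10.1.1.50", 0.2),  # "10.1.1.50 = MAC B"
        insp.check(1, "GigabitEthernet1/1/1", "0002:5547:bc34", "10.1.1.1", 0.3),
    ]
    # 20 otherwise valid ARP packets within one second exceed the port limit.
    flood = [insp.check(1, port_c, mac_b, "10.1.1.20", 5.0) for _ in range(20)]
    return results, flood.count("drop: rate limit")


if __name__ == "__main__":
    print(demo())
```

The rate limit alone lets the two spoofed packets through, since they arrive well under the threshold; only the binding-table comparison rejects them, which is the point slide 8 makes.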
