Open Multi-Core Router - H3C SR66
• Development Trends of High-End Routers
• H3C SR66 Open Multi-Core Router
• Technical Features of H3C SR66 Router (5S)
• Typical Cases of H3C SR66
Requirement Analysis of High-End Routers
The communication data network is the basic information platform; the requirements fall into the following areas:
Foundation:
• All units covered
• Improve office efficiency
• Improve enterprise competitiveness
Reliability:
• Reliable network topology
• Reliable network equipment
• Reliable network link
Quality:
• Quality network
• Delay-free voice transfer
• Smooth video images
Advancement:
• Advancement of products and technologies
• High expandability
• Satisfy the requirements of development in the coming few years
Service:
• Localized services by the original manufacturer
• Fast on-site support by the original manufacturer
Security:
• Isolation of different service logics
• Defense against a variety of attacks
Development Trends of High-End Routers: Integration of Being Open and Multi-Service
Timeline: 1990s (data sharing) => 2000 (the Internet and bandwidth) => Today (new applications and new services)
• Application: Standardization => Customization => Open
• Service: Data and Internet access => Integration of 3 networks in 1 => Unified communication
• Performance: Best effort => Carrier-class reliability of equipment => Carrier-class quality assurance of services
• Connection: High-density narrowband convergence => Broadband and narrowband integrated convergence => Large-capacity broadband and narrowband convergence with services
Product Positioning of H3C SR66 Router
The first multi-core router in the industry. Product families by performance tier:
• 10G: SR88
• 2.5G: SR6602, SR6608
• GE: MSR 50, AR46, MSR 30
• 100M: AR28, MSR 20, AR18
Product Positioning
• Large enterprise convergence and access routers: finance and power industries
• Community network edge convergence router: government community / resident community
• Campus network egress router: schools of higher education nationwide
• Medium and small enterprise core routers: medium and small enterprises
Multi-Core Centralized Router SR6602: multi-core compact design, high performance and strong services
• Multi-core multi-threaded processor
• Memory: 1 GB, expandable to 2 GB
• High performance: packet forwarding rate 4.5 Mpps; IPSec encryption > 3 Gbps
• Fixed interfaces: 4 GE interfaces (optical/electrical combo)
• Flexible configuration: intermix of HIM and MIM modules
• 1 built-in CF card, and 1 CF card slot reserved
• The interface modules support hot swapping.
Multi-Core Distributed Router SR6608: multi-core, distributed, strong service processing, high-speed and low-speed interfaces compatible
High reliability:
• Distributed processing
• Dual main control systems
• Dual power supply design
• All engines and modules support hot swapping.
Configuration of multiple service engines:
• FIP-100 (high-performance CPU processor)
• FIP-200 (multi-core multi-threaded processor)
High performance:
• 100G backplane bandwidth
• Forwarding performance: 18 Mpps
• Supports high-density cPOS linear convergence
Multi-Core Distributed Router SR6608: main components
• Route engine (RPE-X1)
• Service engine (FIP-200)
• Service sub-card (CL2P)
• Power supply
• Fan
Route Engine RPE-X1 of SR6608
• High-performance CPU: 1 GHz
• Memory: 1 GB, expandable to 2 GB
• Console port and AUX port
• GE management network port
• 1 built-in CF card, and 1 CF card slot reserved
• 1 USB host interface and 1 USB device interface
Technical Features of H3C SR66 Router (5S)
• Speed your Network
• Stable
• Security
• Service
• Save
First Application of a Multi-Core CPU on a Router
Processor types compared by service capability (L3 to L7) and forwarding performance:
• Universal CPU (L7 service capability): a flexible programming platform that adapts to different types of service processing, but lacks hardware acceleration capability.
• ASIC (L4): interface integration; basic packet processing and hardware encryption capability.
• Network processor: a dedicated hardware forwarding engine provides extremely high forwarding performance; microcode-based programming with a limited instruction space leaves weak service processing capability at layers 4 to 7.
• Embedded CPU (L3): interface integration; limited packet processing and encryption capability.
• Multi-core CPU (the ideal processor): standard C programming adapts to different types of service processing; a parallel hardware system with built-in hardware acceleration and encryption engines provides powerful service processing and security capability.
Sharp Improvement of Service Processing Capability of SR66: 8 cores process services in parallel
• Core 1: route calculation, configuration management and table item delivery
• Cores 2 to 8: firewall, QoS, IPSec and NetStream processed in parallel
Competitive Edge of the Multi-Thread CPU
• Single-thread CPU: every memory access delay stalls processing, so the work takes the full time t1.
• 4 hardware threads per CPU: while one hardware thread waits on a memory access, the other threads keep processing, so the same work completes in the shorter time t2. Save time!
Multi-Thread: Multiple Hardware CPU Threads
• 32 hardware threads; each CPU core has 4 hardware threads
• Flexible scheduling mechanisms to satisfy different applications: rotation, priority, timeslot
• 32 threads process services (firewall, IPSec, NetStream, QoS) in parallel
• The multi-core hardware structure and software parallel processing provide all-round improvement of service performance.
Load Balancing of the SR66 Multi-Core Hardware Packet Distribution Engine
Packets received on the interfaces (GE, CPOS) pass through a parser and a distributor, which hand them over the fast messaging network to CPU threads 1 to 32 for hardware load balancing.
• The parser rules are flexible and diverse, and can be adjusted dynamically to achieve load balancing.
• TCAM is used to perform fast parallel matching of the table item features.
• The distributor is attached to the fast messaging network; it notifies the CPU core of the work to process, giving high efficiency without occupying CPU resources.
Efficient and Fast Hardware Collaboration Mechanism: the Fast Messaging Network (FMN)
The fixed ports, slots 1 and 2, the 10G encryption engine and the eight CPU cores (CPU-1 to CPU-8) with their hardware threads are all sites on the FMN.
• The FMN completes the fast communication between the cores of the multi-core CPU.
• It works at the same frequency as the CPU and uses no CPU resources.
• The main components are attached to FMN sites; communication reaches the precision of individual CPU hardware threads.
• A unique credit mechanism ensures unblocked communication.
Powerful Hardware MP Capability: CPOS fragmentation processing engine
The CPOS of SR66 supports hardware MP (Multilink PPP), greatly easing the pressure on the CPU and improving MP performance.
• Each bundle supports 12 E1s/T1s.
• Supports three MP fragment sizes (128/256/512) and multiple reassembly sizes.
• The whole system can implement linear MP binding of up to 60 12-E1 bundles or 84 12-T1 bundles.
MP fragmentation processing at the traditional link layer: fragmentation and reassembly rely fully on the CPU. The weaknesses are low efficiency, no way to improve the relevant performance, serious consumption of system resources, and an impact on overall system performance. With the multi-core CPOS fragmentation processing engine, fragmentation and reassembly are handled in hardware.
Powerful Convergent Capability
The example topology shows Internet cafés converging over FE/MSTP through S3526, AR28 and AR46 devices onto an SR6608, with GE uplinks to the Internet via China Netcom and China Telecom.
Broadband convergence key indexes:
• Convergent broadband user types: direct access over Ethernet optical fiber; PPPoE, with authentication (PAP/CHAP), accounting and authorization completed with the help of the AAA server
• Broadband user access capability: the throughput of the whole system reaches 18 Mpps; 32,000 concurrent PPP connections; 72 GEs provided
• The HIM GE card uses the 10G bus exclusively and the fixed GE ports use the GE bus exclusively, so there is no bandwidth bottleneck.
• The hardware packet distribution engine automatically identifies different Ethernet packet types and distributes packets with different flow features evenly to different CPU threads; the packets are processed concurrently and throughput is greatly improved.
Narrowband convergence key indexes:
• Narrowband interface types of cPOS convergence: DS0, E1/T1
• Narrowband interface density of cPOS convergence: DS0: 4096; E1: 756 (linear); T1: 800 (linear)
• The HIM CPOS card uses the 10G bus exclusively, without bandwidth bottleneck.
Speed your network! Summary of Hardware Acceleration
Full-scale upgrade of the hardware architecture:
• First application of a multi-core multi-threaded CPU on a router
• The FMN completes the fast communication between the cores of the multi-core CPU.
• Hardware packet distribution engine
• Strong convergence capability; each card uses the 10G bus exclusively.
• The multi-core hardware structure and software parallel processing provide all-round improvement of service performance.
All-Round Product Reliability
• Service reliability: separation of control and service, service processing isolation, and TE FRR
• Network reliability: non-stop forwarding, redundant gateway technology (VRRP), ECMP, dynamic route fast convergence, and BFD
• Link reliability: multi-link binding and IP Trunk
• Equipment reliability (physical): dual main control systems, dual power supplies; forwarding engine, sub-card, main control system, power supply and fan all support hot swapping.
• Equipment reliability (software): hot patching, host defense against attack, control plane rate limiting, and management security
Highly Reliable Hardware Design
• Dual main control systems that support hot swapping
• All high- and low-speed daughter cards support hot swapping.
• The two service engines (FIP-100/200) support hot swapping.
• The fan frame supports hot swapping.
• Dual power supplies that support AC and DC as well as hot swapping
Highly Reliable Multi-Core Software Architecture
SR6602 software architecture:
• CPU1 (control plane): system configuration management, protocol state machine, route calculation, FIB delivery, delivery of service table items
• CPU2-8 (service plane): packet forwarding, packet filtering, encryption and decryption, GRE, NAT, QoS
SR6608 software architecture:
• Main control system (route engine): system configuration management, protocol state machine, route calculation
• Each IO (service engine): CPU1 (control plane) handles the delivery of service table items; CPU2-8 (service plane) perform packet forwarding, packet filtering, encryption and decryption, GRE, NAT and QoS
Design points:
• Separation of control and service
• Separation of routing and service engines
• Different cores of the multi-core CPU work on different tasks, which naturally suppresses interference between services.
Online Software Hot Patching Technology Supported
The patch code segment is loaded online into the patch code zone and replaces the original code segment of the running program with the enhanced code. The online patch technology provides a flexible means of defect correction that guarantees reliable and continuous provisioning of network services.
• SR66 supports software hot patching on both the single-core CPU and the multi-core CPU.
• Without resetting the equipment, software bugs are fixed in the in-service state, or a small number of new features are added.
• A user command for switching the patch unit state is provided, which lets the user conveniently load, deactivate, run or delete the patch unit.
IGP Route Fast Convergence Supported
• Real-time flooding and fast notification of link state information: detect the link fault, flood instantly, and then calculate.
• Incremental SPF calculation (i-SPF): when a branch (tree trunk) of the SPF tree changes (down/up), SPF recalculates only the part of the tree impacted by the changed branch; all routes need not be recalculated.
• Partial Route Calculation (PRC): if only leaves of the SPF tree change, only those leaves are recalculated; all routes need not be recalculated.
• Intelligent timer: according to preset parameters, the time interval is changed dynamically with reference to an exponential backoff algorithm, resolving the conflict between frequent calculation and long intervals.
Test results: the fastest IS-IS route convergence time is less than 50 ms; the convergence time for 10,000 IS-IS routes is 300 ms.
Uninterrupted Services During Working/Protection Switching
SR66 main control switching detection mechanism: the main control board and the backup control board exchange control messages over IPC on the high-speed backplane, with a normal hello every 1 s and a universal fast handshake every 10 ms; a fault raises an alarm and triggers switching. The interface boards keep their FIBs, the protocol session is maintained, and the original protocol session is switched over to the backup board.
• During working/protection switching, data forwarding and services between the two boards are uninterrupted.
All-Round Support of GR Features
During switching from the main control system to the backup main control system, the router notifies its neighbor routers to activate the GR feature; the session continues after switching, implementing a stable restart, and the neighbor does not delete the routes during the short interruption. The interface boards keep forwarding with their FIBs over the high-speed backplane.
• SR66 supports GR features in full, including GR for OSPF/IS-IS/BGP/LDP/RSVP.
• The network stays stable during working/protection switching. After switching, the equipment quickly relearns the network routes with the help of the neighbor routers.
Fast Detection of Link Failure Supported: BFD
• BFD (Bidirectional Forwarding Detection, an IETF standard) is a technology for fast detection of node and link faults. The handshake time is 10 ms by default and can be configured.
• BFD provides light-load, short-time detection and can provide real-time detection for any media and any protocol layer, over a wide range of detection times and overheads.
• With BFD, fault detection can be performed on any type of channel between two systems, including direct physical links, virtual circuits, tunnels, MPLS LSPs, multi-hop routing channels and indirect channels.
• The BFD detection result can be applied to IGP fast convergence and FRR.
• The BFD protocol is extensively accepted and recognized in the industry and has been substantially deployed in real applications.
Complete Support of BFD by the Multi-Core CPU
On each main control board (0 and 1) and each service board, a control processing core, packet processing cores and a dedicated BFD processing core communicate over the system backplane.
• When BFD is applied, the multi-core CPU is exploited: part of the processing capability of one core (for example, one thread) is dedicated to BFD processing, which reduces the load on the management control core and protects it, while greatly improving the processing performance of BFD and other OAM services.
• SR66 supports BFD for BGP/IS-IS/OSPF/RSVP/VPLS PW/VRRP to implement fast fault detection for these protocols. The fault detection time is less than 20 ms.
• On the basis of BFD, SR66 supports IP FRR, TE FRR, LDP FRR and VPN FRR. The service switching time is less than 50 ms.
All-Round Security Features to Ensure Equipment Reliability and Security
Security areas: route security, management security, forwarding security and service access security, built on the secure Comware routing software system.
Features: routing protocol MD5 authentication; strict isolation of management and service planes; filtering and rate limiting of control information; SSH; firewall; RADIUS; URPF; TACACS+; ASPF; SYSLOG; IPSec; NQA; IPS; address binding; ARP rate limiting; port rate limiting; broadcast/abnormal traffic suppression.
• Diverse security protocols and strict service access control greatly improve the reliability of operation of the SR66 router.
Make your network Stable! Summary of High Stability
SR66 is designed with full orientation to carrier-class application. Taking advantage of the strong service processing capability of the multi-core CPU, SR66 provides all-round software and hardware reliability at the equipment, link, network and service layers.
• Hardware supports hot swapping of key components.
• The software architecture supports the separation of control and service.
• Hot patching
• ECMP
• VRRP
• BFD
• Full-scale GR support
• FRR support
• Control plane protection
URPF Secure Forwarding Supported
The diagram shows interfaces GE2/0/1, GE2/0/2, POS3/0/1 and POS3/1/0 toward the Internet, with normal and attack data packets distributed to CPU cores 1 and 2 on the main control system.
• Attack packets use the same destination and source addresses as normal packets, or generate source addresses at random; the hardware distribution engine delivers them to different CPU cores.
• Normal packets are forwarded according to their destination address; at the same time the source address is looked up in the reverse direction, and once the ingress interface is judged to be consistent with that route, they are forwarded normally.
• Attack packets whose source address has no route, or whose ingress interface is inconsistent with the route, are discarded.
• Defends against source spoofing and distributed attacks.
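As an added example (not H3C code and not part of the slides), the strict URPF decision described above modelled in Python: the source address is looked up in a small constructed FIB and the packet is accepted only when that route's interface is the ingress interface. The interface names are the ones on the slide; the prefixes, addresses and packets are constructed, and the loose mode and the default-route caveat are generalizations beyond the slide.

```python
"""Strict URPF modelled in Python (constructed example, not H3C code).

Interface names are the ones shown on the slide; prefixes, addresses and
packets are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed FIB. The default route is present on purpose: see urpf_check.
FIB = [
    Route(ipaddress.ip_network("10.0.0.0/8"), "POS3/0/1"),
    Route(ipaddress.ip_network("10.1.0.0/16"), "GE2/0/1"),
    Route(ipaddress.ip_network("192.168.0.0/16"), "GE2/0/2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "POS3/1/0"),
]


def lookup(fib, address):
    """Longest-prefix match of an address against the FIB; None if no route."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in fib:
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Reverse-path check on the source address; returns (accept, reason).

    strict: the route back to the source must point at the ingress interface.
    loose:  the source only has to be routable at all (generalization of the slide).
    allow_default: whether a source matched only by the default route counts as
    routable. With a default route in the FIB every address "has a route", so the
    slide's "no route to source" rule only bites when this is False.
    """
    route = lookup(fib, src)
    if route is None:
        return False, "no route to source"
    if route.prefix.prefixlen == 0 and not allow_default:
        return False, "source matches only the default route"
    if mode == "loose":
        return True, "source is routable"
    if route.interface != ingress:
        return False, f"source route points to {route.interface}, packet arrived on {ingress}"
    return True, "source route matches ingress interface"


def forward(fib, packet):
    """Forwarding decision: URPF on the source first, then destination lookup."""
    accepted, reason = urpf_check(fib, packet["src"], packet["ingress"])
    if not accepted:
        return {"action": "drop", "reason": reason}
    route = lookup(fib, packet["dst"])
    if route is None:
        return {"action": "drop", "reason": "no route to destination"}
    return {"action": "forward", "egress": route.interface}


# Constructed traffic: a legitimate packet, the same source arriving on the wrong
# interface, a random source covered only by the default route, and a legitimate
# packet from the aggregate prefix.
PACKETS = [
    {"src": "10.1.5.5", "dst": "192.168.1.1", "ingress": "GE2/0/1"},
    {"src": "10.1.5.5", "dst": "192.168.1.1", "ingress": "POS3/0/1"},
    {"src": "203.0.113.7", "dst": "10.1.1.1", "ingress": "GE2/0/2"},
    {"src": "10.200.1.1", "dst": "10.1.1.1", "ingress": "POS3/0/1"},
]


def run(fib=FIB, packets=PACKETS):
    """Apply the forwarding decision to every constructed packet."""
    return [forward(fib, p) for p in packets]


if __name__ == "__main__":
    for packet, decision in zip(PACKETS, run()):
        print(packet["src"], "on", packet["ingress"], "->", decision)
```

On a router with a default route, strict URPF on an uplink-facing interface therefore needs the default-route behaviour decided explicitly, otherwise any spoofed source passes the "has a route" test.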
VPN Service Isolation
Data service (VPN1), voice (VPN2), video (VPN3) and other services (VPN4) are carried between CE devices across the PE devices in separate VPNs.
• The SR66 hardware distribution engine automatically identifies MPLS packets and distributes the traffic evenly to different hardware CPU threads.
• The CPU threads operate in parallel and perform priority mapping.
• During packet transfer, multiple CPU threads provide QoS guarantees.
• Different services are identified on the PE equipment; voice/video real-time services are differentiated from data services and encapsulated into their VPNs, implementing secure isolation of the different services.
• MPLS VPN is applied to carry multiple services and ensure their security on the network; MPLS VPN provides security protection equivalent to a dedicated line.
• Fully supports L2/L3 VPN services.
Built-in 10G Hardware Encryption Engine of SR66
Components of the SR66 hardware encryption engine shown: the main CPU system, a PCI bridge, a load balancing engine, four encryption cores and an RSA core that together form the IPSec engine.
Hardware encryption engine security features of SR66:
• 10G encryption engine embedded in the multi-core CPU
• 4 encryption cores + 1 RSA core
• The load balancing engine ensures the parallel operation of the cores.
• Supports DES/3DES/AES and other mainstream algorithms.
• Supports SHA/MD5 authentication.
• Supports CRC check and RSA key hardware acceleration.
Security feature hardware architecture of the traditional router:
• Pure CPU calculation with poor performance
• An IPSec acceleration card on the PCI interface offers low performance.
Conventional Upgrade of IP VPN
Topology: the enterprise headquarters (SR66 as LNS) is reached by mobile users over PSTN/ISDN, by SOHO sites over PPPoE through a LAC with NAT (L2TP+IPSec+NAT), and by branches (AR46) over GRE+IPSec+NAT.
• Hardware encryption does not affect forwarding.
• With multi-core encryption and parallel operation of the internal cores, the encryption throughput of the service engine is sharply increased.
• Encryption and decryption adopt a distributed mode, sharply increasing the encryption capability of the whole system.
• Traditional VPNs can be stacked flexibly: GRE/L2TP/IPSec can be stacked to satisfy different networking requirements.
Perfect Fusion of IP VPN and MPLS VPN: VPE
SR66 supports IPSec and L2TP multiple instances to fuse IP VPN and MPLS VPN. Topology: mobile users access via modem over the PSTN through a NAS (LAC), SOHO users via ADSL through a DSLAM and a BAS (LAC), and branches via GRE+IPSec tunnels; the L2TP+IPSec tunnels terminate on the SR66 acting as PE (VPE), which places them into VPN1 across the MPLS network to the headquarters server.
• The encrypted IP VPN traffic is decrypted fast through multi-core encryption and parallel processing of the internal cores.
• The hardware distribution engine distributes the traffic evenly to the CPUs and transfers it in parallel into the MPLS VPN.
Multi-Core Packet Filtering Firewall
Definition of a packet filtering firewall:
• Some packets are allowed to pass according to a set of rules while other packets are blocked. The rules can be formulated according to network layer protocol address information (for example, IP) or transport layer information (for example, the TCP or UDP header).
Problems of single-core CPU packet filtering:
• Packet filtering affects the operation of other services.
• Low filtering performance due to the constraints of CPU capability
SR66 multi-core parallel packet filtering (the hardware packet distribution engine spreads filtering across the service cores and the encryption core, separate from the control plane):
• Multi-core parallel processing of packet filtering improves performance sharply.
• The control plane does not process or filter data, which keeps the management functions stable.
• Distributed packet filtering improves the processing capability of the whole system sharply.
Multi-Core ASPF Application State Firewall
SR66 multi-core parallel ASPF (the hardware packet distribution engine spreads ASPF across the service cores and the encryption core, separate from the control plane):
• Multi-core parallel processing of ASPF offers a sharp increase in performance.
• The control plane does not process or filter data, which keeps the management functions stable.
• Distributed ASPF improves the processing capability of the whole system sharply.
SR66 ASPF state firewall:
• The patented ASPF state machine technology guarantees support for diverse network applications and improved security.
• Supports state detection of multiple application protocols, including H323/MGCP/SIP/H248/RTSP/HWCC/ICMP/FTP/DNS/PPTP/NBT/ILS.
• Supports state detection of SMTP/HTTP/Java/ActiveX/SQL injection attacks.
Session handling: the user initiates a session to the server and the follow-up packets of that user session are allowed; a session initiated externally by a non-user is rejected; by monitoring the packets during communication, SR66 dynamically establishes and deletes the access rules.
Virtual Fragmentation and Reassembly Attack
Attack fragmentation can easily get past the firewall: some attacks fragment the packets and reassemble them at the destination to launch the attack, so the firewall is bypassed.
SR66 Virtual Fragmentation and Reassembly Supported
Fragment reassembly against attack: SR66 supports virtual fragment reassembly.
• Fast reassembly of fragmented packets to guard against attacks on the firewall.
• Fast reassembly of fragmented packets for the ALG translation of some applications.
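As an added example (not H3C code and not part of the slides), a Python model of the virtual reassembly described above: fragments are buffered per datagram and the filter rule is evaluated only once the datagram is complete, so a rule that depends on the transport header cannot be decided on a partial header. The addresses, the port policy, the fragment cap and the constructed traffic are assumptions of this example.

```python
"""Virtual fragment reassembly in front of a packet filter (constructed model, not H3C code).
Fragments are reassembled per datagram before the rule is evaluated, so a rule that depends
on the transport header is always decided on the complete header. Offsets are byte offsets
(IPv4 carries them in 8-byte units); addresses, policy and traffic are constructed."""
import struct
from collections import defaultdict, namedtuple

TCP = 6
ALLOWED_TCP_PORTS = {80, 443}  # constructed policy: only web traffic to the server
MAX_FRAGMENTS = 64             # per-datagram cap so buffered fragments cannot exhaust memory

# offset: byte offset of the payload in the original datagram; more: more-fragments flag
Fragment = namedtuple("Fragment", "src dst ident proto offset more payload")


class VirtualReassembler:
    """Buffers fragments per (src, dst, id, proto) until the datagram is complete."""

    def __init__(self):
        self.buffers = defaultdict(list)

    def add(self, frag):
        """Return ('complete', data), ('pending', None) or ('invalid', None). Overlapping or
        duplicated fragments and oversized buffers discard the whole datagram (conservative)."""
        key = (frag.src, frag.dst, frag.ident, frag.proto)
        frags = self.buffers[key]
        frags.append(frag)
        if len(frags) > MAX_FRAGMENTS:
            del self.buffers[key]
            return "invalid", None
        frags.sort(key=lambda f: f.offset)
        expected = 0
        for f in frags:
            if f.offset < expected:        # overlaps an earlier fragment
                del self.buffers[key]
                return "invalid", None
            if f.offset > expected:        # hole: still waiting for a fragment
                return "pending", None
            expected += len(f.payload)
        if frags[-1].more:                  # tail fragment not yet seen
            return "pending", None
        del self.buffers[key]
        return "complete", b"".join(f.payload for f in frags)


def evaluate(proto, data):
    """Filter rule on a fully reassembled datagram: TCP to an allowed port only."""
    if proto != TCP or len(data) < 20:
        return "deny"
    _src_port, dst_port = struct.unpack("!HH", data[:4])
    return "permit" if dst_port in ALLOWED_TCP_PORTS else "deny"


def process(fragments):
    """Reassemble a stream of fragments, then filter; decisions keyed by datagram id."""
    reassembler, decisions = VirtualReassembler(), {}
    for frag in fragments:
        state, data = reassembler.add(frag)
        if state == "complete":
            decisions[frag.ident] = evaluate(frag.proto, data)
        elif state == "invalid":
            decisions[frag.ident] = "deny"
    return decisions


def tcp_segment(dst_port, body=b"GET / HTTP/1.0\r\n"):
    """Constructed 20-byte TCP header (src port 40000, SYN flag) plus body."""
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + body


def split(src, dst, ident, data, size=8):
    """Cut a datagram payload into fragments of `size` bytes."""
    return [Fragment(src, dst, ident, TCP, off, off + size < len(data), data[off:off + size])
            for off in range(0, len(data), size)]


# Constructed traffic from 192.0.2.10 to the server 198.51.100.5:
#   id 1: web request, fragments arriving in reverse order   -> permit
#   id 2: telnet request, in order                           -> deny
#   id 3: web request whose first fragment never arrives     -> no decision (stays pending)
#   id 4: web request with an overlapping fragment injected  -> deny
SRC, DST = "192.0.2.10", "198.51.100.5"
_frags4 = split(SRC, DST, 4, tcp_segment(80))
_frags4.insert(1, Fragment(SRC, DST, 4, TCP, 4, True, b"\x00" * 8))
SAMPLE = (list(reversed(split(SRC, DST, 1, tcp_segment(80))))
          + split(SRC, DST, 2, tcp_segment(23))
          + split(SRC, DST, 3, tcp_segment(443))[1:]
          + _frags4)
```

Calling `process(SAMPLE)` returns `{1: 'permit', 2: 'deny', 4: 'deny'}`; datagram 3 never completes and is never forwarded, which is the point of evaluating rules on reassembled datagrams rather than on individual fragments.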
Make your network Secure! Summary of Diverse Security Features
SR66 uses the multi-core CPU to process services in parallel and the embedded 10G hardware encryption engine to provide diverse and powerful security features.
• Powerful VPN isolation
• High-speed IPSec VPN
• Encrypted IP VPN
• Access from IP VPN to MPLS VPN
• Packet filtering and state firewall
• Anti-attack virtual fragment reassembly
Multi-Core Distributed NAT
Example: a private network with a mail server (10.1.1.4), a web server (10.1.1.3) and a host (10.1.1.20) is translated by the SR66 to the public network address 202.10.88.2 toward the Internet.
Key indexes of NAT gateway features:
• NAT service capability: 2M concurrent sessions; throughput of up to 4 Gbps
• NAT ALG capability: MSN, QQ, FTP, DNS, PPTP, SIP, NetBIOS, H323, ……
The session-based mode, parallel processing of the NAT service by the multi-core multi-thread CPU, and distributed processing sharply improve the NAT processing capability of the whole system.
• Adopts the port cyclic multiplexing mode and automatically detects quintuple conflicts, so that NAPT supports an unlimited number of connections.
• Supports NAT/NAPT/internal server, with blacklist support
• Supports limits on the number of connections
• Supports session logging
• Supports multiple instances
Multi-Core Distributed NetStream
Diagram labels: DoS attack, flood attack, NetStream V5/V8.
• When a traditional single CPU processes NetStream, CPU performance is the bottleneck; the larger the traffic, the larger the impact on performance. 1:1 sampling causes an impact of 10% or less on the forwarding performance.
• During forwarding, the traffic is evenly distributed over the threads of the multi-core CPU and the system performs NetStream statistics in parallel. Load balancing leads to basically no impact on the forwarding performance, and the parallel processing of NetStream is greatly improved.
• With fully distributed NetStream processing, the NetStream processing capability of the whole system is greatly improved.