Main Slides on H3C S7500E Multi-Service Switch Network Product Dept.
Contents • Trend of the IP Networks • Introduction to the S7500E Series • Service Features of the S7500E Series • Typical Networking and Application
IT-CMM Model of H3C
IT-CMM1 / IT-CMM2 / IT-CMM3 / IT-CMM4 / IT-CMM5: IT support for systems, IT centralization, IT integration, IT support for resources, IT support for products
Stand-alone phase
• Service description: Single-system service
• Technical feature description: No requirement for network interconnection; anti-virus software installed in stand-alone devices to guarantee security
Interconnection phase
• Service description: Interconnection service
• Technical feature description:
• LAN: Ethernet interconnection/FAT-AP access
• WAN: DDN/ATM/FR/SDH interconnection
• Security: Security policies deployed in single devices to ensure local security
• Network management: Network element management and decentralized service management
Integrated phase
• Service description: Service integration
• Technical feature description:
• Network: Data center application, end-to-end network virtualization, wired-wireless integration, safe endpoint admission
• Network management: Management and deployment of end-to-end services oriented to humans and resources
• Security: Global security and in-depth security
Intelligent phase
• Service description: Intelligent applications
• Technical feature description:
• WEB2.0 and XML become standards
• Ensure integrated, optimized, and safe network applications
• Management: Integration of IT management and service workflow management
• Security: Intelligent security
Service description: IT support for resources, strategy-oriented IT, and IT infrastructure visibility
IT-CMM3: Converged Network Carrying Multiple Services
Connection to outside: Internet, Extranet, Intranet
The converged network carries:
• Multimedia services: Voice, Video, IP Surveillance, Streaming media
• Data services: CRM, ERP, ISC, R&D, ......
Requirements of Multi-Service Bearer for Network
• Integrated access
• Granular service management
• Virtual service network
• New intelligent network
• Global security
• High reliability
Requirement 1 of Multi-Service Bearer: Integrated Access
• Terminals: Mobile office, IP phone & video, common terminal, IP surveillance
• Wired terminals and wireless terminals access over the LAN
• SOHO and large and medium-sized branches access over WAN leased lines
Requirement 2 of Multi-Service Bearer: Virtual Service Network
• Driven by service convergence: data service, video conference, IP voice, IP video surveillance, streaming media on demand
• Driven by service isolation: isolation of services of different classes in an Intranet; complying with laws and regulations; Extranet/virtual enterprise; service outsourcing/consultation/visitor
Virtual service networks A, B and C run over one physical network.
Requirement 3 of Multi-Service Bearer: High Reliability
• Carrier-class reliability reaches 99.999%, which guarantees the reliability of a single device.
• High-reliability networking technologies guarantee networking reliability.
• Rapid fault detection and location.
High-reliability campus network
Requirement 4 of Multi-service Bearer: Global Security
Users need a complete solution to enterprise security policies!
Problems:
• Hidden security troubles from headquarters, business trips, and SOHO
• Service interruption caused by virus outbreaks and hacker attacks
• Difficulty in configuration and management caused by a great number of devices
User requirements:
• I want to deploy security policies for different networks.
• I want to assign different authorities to different users.
• I want to effectively manage devices in the whole network.
• I want to change the policies of the whole network within several minutes.
• I want to have the security policies deployed automatically!
Requirement 5 of Multi-service Bearer: Granular Service Management
• After the peak period of network construction, network management gradually becomes the focus of customers.
• Customers' requirement of network management does not lie in using management tools. Customers pursue flexible and intelligent granular control that is effectively integrated in daily services.
Evolution: no network; network construction without management; simple management; granular management.
Contents • Trend of the IP Networks • Introduction to the S7500E Series • Service Features of the S7500E Series • Typical Networking and Application
Position of H3C S7500E
• 2-service slot chassis: deployed on the edge of the WAN, in the convergence layer of small and medium-sized networks, the core layer of small networks, and small cable distribution rooms
• 3-service slot chassis: deployed on the edge of the WAN, in the convergence layer of medium-sized networks, the core layer of small and medium-sized networks, and small and medium-sized cable distribution rooms
• Horizontal 6-service slot chassis: deployed on the edge of the WAN, in the convergence layer of large networks, the core layer of small and medium-sized networks, and large and medium-sized cable distribution rooms
• Vertical 6-service slot chassis: professional design for fire resistance, shock resistance and heat dissipation; deployed in large data centers and the central equipment rooms of carriers
• 10-service slot chassis: deployed in high-density cable distribution rooms and the core layer of large networks
Overview of H3C S7500E Series S7506E-V S7510E S7506E S7503E S7502E
Major Features of H3C S7500E Series
• Full service: capability of providing a wide range of services: MPLS/IPv6/EPON/WLAN/PoE; Firewall/IPS/OAA
• High performance: high-performance multi-service bearer platform with wirespeed IPv6 forwarding and wirespeed MPLS forwarding; the most cost-effective 10 Gigabit ports (the price of a 10 Gigabit port is less than 50% of the 10 Gigabit port price in earlier products)
• Flexible configuration: combination of multiple chassis, engines, and cards
• Security and reliability: Endpoint admission defense (EAD); built-in security plug-in card; graceful restart technology
Flexible Configuration of H3C S7500E
• Chassis: 4, 5, 8, 8, 12 slots
• Route switching engines: Salience VI, Salience VI-10G, Salience VI-Turbo, dedicated engine of the S7502E
• Ethernet modules: 10 Gigabit Ethernet, Gigabit Ethernet optical interface, Gigabit Ethernet electrical interface, 100M Ethernet electrical interface
• Functional service modules: service module with the firewall function, service module with the NAT/NetStream function, service module with the IPS function, passive optical network module
Engine Selection of H3C S7500E
Salience VI
• Switching capacity of a single engine: 384G
• Switching capacity of two engines that work in the load-balancing mode
• Supporting IPv6 and Multi VRF
• 32K MAC address table, 12K IPv4 route forwarding table
• Can be used together with Salience VI-10G
Salience VI-10G
• Switching capacity of a single engine: 384G
• Switching capacity of two engines that work in the load-balancing mode
• With two wirespeed 10 Gigabit interfaces
• Supporting IPv6 and Multi VRF
• 32K MAC address table, 12K IPv4 route forwarding table
• Can be used together with Salience VI-10G
Salience VI-Turbo
• Switching capacity of a single engine: 384G
• Switching capacity of two engines that work in the load-balancing mode
• Supporting IPv6 and MPLS VPN
• 128K MAC address table, 128K IPv4 route forwarding table
Interface Board Selection of H3C S7500E
Standard A type of boards (SA)
• Distributed L2 wirespeed forwarding
• Centralized IPv4 L3 forwarding by the engine
• Centralized IPv6/MPLS forwarding by the engine
• Supporting VLAN ACL
• Can be used together with SC boards
Standard C type of boards (SC)
• Distributed L2 wirespeed forwarding
• Distributed IPv4/IPv6 L3 wirespeed forwarding
• Supporting Multi VRF
• Gigabit optical interface board supports the 100M optical module.
• Centralized MPLS forwarding by the engine
• Supporting VLAN ACL and ACL in the egress direction
• Can be used together with SA boards
Enhanced A type of boards (EA)
• Distributed L2 wirespeed forwarding
• Distributed IPv4 L3/MPLS wirespeed forwarding
• Supporting VLAN ACL and ACL in the egress direction
Functional Module Selection of H3C S7500E
High-performance firewall module
• Up to 8G processing capability
• Supporting virtual firewall
• Supporting load balancing of multiple cards
• Supporting IPSec VPN
Radio network controller module
• Supporting 640 APs and 10000 concurrent users
• Automatic configuration and upgrade
• Supporting rapid roaming
• Diversified RF management, only load sharing available
• Supporting IPv6 and EAD
Passive optical network module
• 16 PON ports in a board
• Supporting 1:64 coupling ratio
• Available for a stand-alone device to access up to 10240 fiber users
• Graphic configuration management
H3C S7500E Series Are Based on the Unified Comware V5 Platform
• Diversified: a wide range of Internet protocols; support for multiple platforms and products
• Security: security protection of the platform; security policy of the network-wide system
• Flexible: multi-plane modular design; cuttable and scalable features
• Convenient: unification of the command line and interface; visual operations and maintenance
• Reliable: distributed processing concept; online patching and upgrading
• Open: service-oriented architecture; open software interfaces
New Features of COMWARE 5
L2
• Deep convergence between switching and routing
• Multiple Spanning Tree Protocol (MSTP)
• Rapid Spanning Tree Protocol (RSTP)
• Link Aggregation Control Protocol (LACP)
• GVRP dynamically registers VLANs
• Voice VLAN
L3
• IPv6
• IPv4/IPv6 dual-stack technology
• IPv4/IPv6 tunnelling technology
• RIPng
• OSPFv3
• IGMPv3/PIM SSM
L4-L7
• Open Application Architecture (OAA)
• Deep Application Recognition (DAR)
• Match between DAR and QoS policies
• Statistics of application protocols
• Application protocol detection (HWPing)
• HTTP URL filtering
MPLS
• MPLS Traffic Engineering (MPLS TE)
• Resource ReSerVation Protocol-Traffic Engineering (RSVP TE)
• LSP hot-standby
• Fast Reroute (FR)
• LSP priority and preemption
• Specify the nodes that an LSP cannot pass
Security
• Prevention against ARP spoofing and attack
• 802.1X/PORTAL security authentication
• Protection against attacks/worm viruses
• Prevention against illegal DHCP servers
• Key technology and digital certificate
• SSH 2.0/HWTACACS
Reliability
• VRRP v3 (supports IPv6)
• Backup center
• Technology for redundancy of key components
• Graceful Restart (GR)
• Hot-swappable modules/fans/power supply
• L3MONITOR
H3C S7500E Has Passed the EMC and Safety Certification • Designed in compliance with industry-leading standards, the S7500E series satisfies the stringent EMC and safety requirements of countries and regions such as the European Union, North America, Germany, Japan and Russia, and has passed authoritative certification in different countries.
H3C S7500E Series Are Green Environment-Friendly Products • The production process of traditional electronic products uses abundant heavy metals and toxic substances such as lead, mercury, cadmium, hexavalent chromium, PBB and PBDE, which result in long-term and serious damage to the environment. Improving the production process is costly and technically complex, which deters most manufacturers. • Backed by its strong technical capability, H3C invests heavily in researching, developing and introducing industry-leading production and design technologies. In designing and manufacturing the S7500E series, H3C strictly complies with the RoHS directive promulgated by the European Union and has passed the certification. When made, used, and recycled, these switches will not pollute the environment. RoHS: the Restriction of the use of certain Hazardous Substances in Electrical and Electronic Equipment
Contents • Trend of the IP Networks • Introduction to the S7500E Series • Service Features of the S7500E Series • Typical Networking and Application
Services Provided by H3C S7500E • Service Access Capability of the S7500E • Service Virtualization Capability of the S7500E Series • High Reliability and High Security of the S7500E • Granular Service Management Capability of the S7500E Series
Integrated Service Access Capability of the S7500E Series Terminal Access and Automatic Identification PoE power supply Wired-wireless integration Active-passive integration Unified identification and EAD
MAC-Based VLAN • The S7500E can dynamically allocate VLAN IDs to the ports of a switch based on the MAC address of a terminal, without a client or username. • The MAC-based VLAN feature provides a simple and easy-to-use authentication mode and improves network security.
IPv6 Service Capabilities (IPv6 network connected to IPv4 network) • IPv6 routing protocols: IPv6 static route/RIPng/OSPFv3/BGP+/IS-ISv6 • IPv6 multicast protocols: MLD/MLD Snooping/PIM6/IPv6 multicast VLAN • IPv6 tunnel technology: manually configured tunnel, automatic 6-to-4 tunnel, ISATAP tunnel • IPv6 access control: support for IPv6 ACLs The IPv6 features of the H3C S7500E have been certified to pass the "IPv6 Ready Phase 2" tests performed by the IPv6 Forum and the IPv6 tests performed by the Ministry of Information Industry. They have been deployed commercially and are mature.
PoE Supported in Multiple Modes AC power supply environment Equipped with a PSR2800-V AC 2800W power supply without an external PoE power supply, the switch can support 90 PoE ports (based on the assumption that the maximum power consumption of each port is 15.4 W). DC power supply environment Equipped with a PSR1400-D DC power supply, the switch is powered over Ethernet by an external DC power supply and can support 480 PoE ports (based on the assumption that the maximum power consumption of each port is 15.4 W). External PoE power supply Equipped with an external PSE4500A PoE power supply, the S7502E can have all of its ports provide the PoE function concurrently. Other hosts are served by PSR1400-D DC power supply and external PSE4500A PoE power supply, and can support 200 PoE ports.
Wired-Wireless Integration: Wireless Plug-in Card • Performance • Switching capacity: • Number of manageable APs: 640 • A wireless plug-in card that provides the highest performance and the most manageable APs in the industry • Functions • Abundant wireless features • When used in the S7500E and S9500, the card can provide a wide range of wired services to users: MPLS/IPSEC VPN, firewall, IDS • When used in the S7500E and S9500, the card can provide abundant user interfaces • Support for L2 switching Figure labels: IPv6, WAPI
Converging Passive EPON to an Active Switch • A fiber can access 64 FTTH users, thus greatly saving fiber resources. • EPON access of the highest capacity in the world: a single H3C S7510E can access up to 10240 FTTH users. A few H3C S7510Es deployed in the central office can satisfy the networking requirement, thus sharply reducing the cost of building and maintaining the network. • Carrier-class reliability: developed on the mature multi-service routing switches of the S7500 series, H3C OLT products provide carrier-class reliability. • Can be used together with the MPLS technology of the S7500E to provide an e-government access solution based on the EPON technology.
Support for Portal Authentication • In the office network of an enterprise, the S7500E can act as an EAD gateway to provide the EAD Portal authentication function to the network-wide users. • In a large-size campus network, the S7500E, while acting as a convergence device, can provide the L3 Portal authentication function to the users it converges. • Portal authentication well supports the security improvement of the old networks.
Services Provided by H3C S7500E • Service Access Capability of the S7500E • Service Virtualization Capability of the S7500E Series • High Reliability and High Security of the S7500E • Granular Service Management Capability of the S7500E Series
Service Virtualization Capability of the S7500E Series • Virtualized transport path: • Tunnelling technology: MPLS VPN/MCE • Virtualized data center service: • Virtual firewall • Virtualized security access: • Deployment of the user-based access policies: dynamic VLAN, ACL, PBR, QoS
Abundant MPLS VPN Services • Supports MPLS BGP VPN at layer 3, Martini and Kompella at layer 2, as well as MPLS OAM features; • Supports distributed or centralized MPLS, of which the performance items can be selected flexibly based on the service requirements; • Comes with H3C MPLS VPN Manager software to allow the user to manage MPLS simply in a graphic way. • The H3C S7500E is a cost-effective PE device for users in the government and electric power industries. It can be widely applied to build a level-2 or level-3 government network and an electric power dispatching network.
Highly Reliable MCE • The customer can use the H3C S7500E as a CE device to access as many as 255 VPN users. • The H3C S7500E is a highly reliable MCE device with a redundant power supply and a redundant engine for users in the government and electric power industries. It can be widely applied to build a level-3 or level-4 government network and an electric power dispatching network.
Virtualized Firewall SecBlade II • The SecBlade II firewall of a high-end switch can allocate different virtual firewalls based on different applications. • The SecBlade II firewall isolates the access users from the server in a unidirectional way, restricts the port access, and prevents the virus from spreading. • In the MPLS environment, the SecBlade II firewall can implement independent firewall policies for different VPNs. Figure: an H3C S9500 at the core of the MAN/Internet and an H3C S7500E with SecBlade II; the VLAN/VPN of OA users, marketing users and financial users each map to their own virtual firewall (VFW) in front of the OA server, marketing server and financial server.
Services Provided by H3C S7500E • Service Access Capability of the S7500E • Service Virtualization Capability of the S7500E • High Reliability and High Security of the S7500E Series • Granular Service Management Capability of the S7500E Series
High Reliability and High Security of the S7500E
• Hot patching of software: allows you to fix software bugs or add small-scale new features on line.
• Rapid Ring Protection Protocol (RRPP): the ring network provides switching protection in less than 200 ms.
• Smart-Link: replaces STP in dual-homed networking to provide switching protection in less than 50 ms.
• Graceful Restart (GR): after GR is configured, the traffic does not lose any packet in active/standby switching.
• Loopback Detection (LDT): detects whether a port loops back outside.
• Device Link Detection Protocol (DLDP): DLDP completes detection within 2 seconds, faster than Unidirectional Link Detection (UDLD).
• Virtual Cable Test (VCT): locates a cable failure, and thus helps remove the failure quickly.
• ARP intrusion detection and ARP spoofing prevention: prevents ARP attacks in the network.
• Unicast Reverse Path Forwarding (uRPF): prevents IP spoofing attacks.
• Large-capacity bidirectional ACL and VLAN ACL: strictly control the rights of access to the network.
Hot Patching • The S7500E allows you to fix software bugs or add new features on line without resetting the S7500E. • Control commands are provided for you to load, activate, deactivate, run and delete any patch unit conveniently. states, which can be used more flexibly. Figure: working state transition of hot patching
Enhanced Features of the RRPP • The S7500E supports VLAN-based load balancing among multiple instances of the RRPP, thus utilizing the bandwidth effectively. • The hardware supports maintaining MAC entries based on VLAN (each instance). • The RRPP ring supports link aggregation, which greatly expands the link bandwidth. Figure (Ring X of S7500E master and transit nodes): normally, the traffic is grouped by VLAN and transmitted in different directions, thus utilizing the bandwidth effectively. When the link in one direction is broken, the traffic originally in that direction is switched to the other direction and thus is not affected.
Smart Link, a Dual-Uplink Protection Technology • Smart Link applies to the dual-homed uplink network topology and can be used instead of the Spanning Tree Protocol (STP). It applies to networks that carry real-time services and require high reliability. • The dual uplinks work in the active/backup mode. When the active link fails, traffic switches to the backup link quickly, in less than 50 ms. Figure: an S7500E (or a DSLAM, LSW, CE or AMG in a Metro Ethernet network) is dual-homed to two upstream S7500Es towards the IP/MPLS core; traffic is forwarded over the active link while the backup link is blocking.
Graceful Restart (GR) After GR is configured, the traffic does not lose any packet in active/standby switching. • The control plane is separated from the forwarding plane. • When only the main control fails, the neighboring switch does not inject routing information into other switches, but maintains the same routing protocol state, and the forwarding plane still works normally. • When the standby main control engine takes over the control role, it receives routing information from the neighboring device to take over the state. • All these procedures are transparent to the neighboring device, as if this switch had only taken a short nap. Figure: 1. Before restarting, this node tells its neighbors over the protocol/signaling channel "I may be away for a while and will be back soon" and keeps forwarding packets as usual; 2. after the restart it announces "I'm back" and the routing information is restored.
LDT: Loopback Detection
LDT aims to detect whether a port of a switch is looped. After you enable the LDT function for Ethernet ports, the switch periodically checks all ports to see whether any of them is looped back from the outside. If it discovers that a port is looped back, the switch places the port under control: it closes the port, reports a Trap message, and deletes the MAC address forwarding entries matching the port.
Configuration and display (the detection interval can be set):
[H3C-S7500E]loopback-detection enable
[H3C-S7500E]display loopback-detection
Port loopback-detection is running
System Loopback-detection is running
Detection interval time is 30 seconds
Loopback link is Dectected
The Loopback link is Port 3
VCT: Virtual Cable Test
VCT is a special function of Huawei switches placed in a campus or on a passageway. It can detect whether the cable connected to a physical port (electrical port) of a switch works well, is short, or is open. Additionally, it calculates the distance to the point of failure. VCT can isolate the failures of an Ethernet link quickly.
[H3C S7500E-Ethernet0/4]virtual-cable-test
Cable pair: RX Status:Open Cable Error lenth:5 metres
Cable pair: TX Status:Open Cable Error lenth:5 metres
The network cable fails (is open) at the point 5 meters away from the switch.
ARP Intrusion Detection and ARP Spoofing Prevention • The S7500E implements ARP intrusion detection through DHCP Snooping. • The S7500E allows you to set the ARP aging time, thus reducing the effect of ARP spoofing. • The S7500E supports ARP modification confirmation to prevent ARP spoofing. Figure: gateway GW = 10.1.1.1/24, MAC = A; affected party = 10.1.1.50/24, MAC = C; attacker = 10.1.1.20/24, MAC = B; another host 10.2.1.50/24, MAC = D. The attacker sends an ARP packet with sender IP = 10.1.1.50 and sender MAC = B, and an ARP packet with sender IP = 10.1.1.1 and sender MAC = B (impersonating the gateway); the access switch running ARP intrusion detection stops these spoofed packets.
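The two mechanisms above, as an added illustration (not H3C code): a DHCP-snooping binding check that drops the spoofed ARP packets from the slide's figure, and a gateway ARP table that confirms a MAC change before applying it. Port names, MAC values and the aging default are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data following the slide's figure (hypothetical values):
# gateway 10.1.1.1 = MAC A, victim 10.1.1.50 = MAC C, attacker 10.1.1.20 = MAC B.
MAC_A, MAC_B, MAC_C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"

@dataclass(frozen=True)
class ArpPacket:
    in_port: str
    sender_ip: str
    sender_mac: str
    target_ip: str

# DHCP snooping binding table: (port, IP, MAC) triples learned from DHCP ACKs.
SNOOPING_BINDINGS = {
    ("GE1/0/1", "10.1.1.50", MAC_C),   # affected party's lease on access port 1
    ("GE1/0/2", "10.1.1.20", MAC_B),   # attacker's own legitimate lease on port 2
}
TRUSTED_PORTS = {"GE1/0/24"}           # uplink towards the gateway: not checked

def arp_intrusion_check(pkt, bindings=SNOOPING_BINDINGS, trusted=TRUSTED_PORTS):
    """ARP intrusion detection: an ARP packet from an untrusted port is forwarded
    only if its (port, sender IP, sender MAC) triple matches a snooping binding."""
    if pkt.in_port in trusted:
        return "forward", "trusted port, bindings not checked"
    if (pkt.in_port, pkt.sender_ip, pkt.sender_mac) in bindings:
        return "forward", "matches DHCP snooping binding"
    owners = [(p, m) for p, ip, m in bindings if ip == pkt.sender_ip]
    if not owners:
        return "drop", f"no binding for sender IP {pkt.sender_ip}"
    return "drop", f"sender IP {pkt.sender_ip} is bound to {owners[0]}"

class GatewayArpTable:
    """ARP modification confirmation: an existing IP-to-MAC entry is not
    overwritten on the strength of one unsolicited packet. The old MAC is
    probed first and the change is applied only if the old owner stays silent.
    A short aging time limits how long any poisoned entry could survive."""
    def __init__(self, aging_seconds=20 * 60):   # default is a constructed value
        self.aging_seconds = aging_seconds
        self.entries = {}                        # ip -> (mac, learned_at)
        self.pending = {}                        # ip -> candidate new mac

    def learn(self, ip, mac, now):
        old = self.entries.get(ip)
        if old is None or old[0] == mac or now - old[1] > self.aging_seconds:
            self.entries[ip] = (mac, now)        # new, unchanged or aged-out entry
            return "installed"
        self.pending[ip] = mac                   # conflicting MAC: hold and probe
        return "pending confirmation"

    def probe_result(self, ip, old_owner_replied, now):
        candidate = self.pending.pop(ip)
        if old_owner_replied:
            return "kept"                        # old owner alive: treat as spoofing
        self.entries[ip] = (candidate, now)
        return "updated"

    def mac_of(self, ip):
        return self.entries[ip][0]
```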
Prevention against STP Attack • STP attack: • The attacker can see network topology information that he/she should not see. • Although STP considers the speed of links, it does so from the perspective of the root bridge. The attacker can turn the Gigabit backbone into 10 Mbit/s half-duplex. • BPDU protection does not allow a port to get involved in STP. In this way, an untrusted port can be closed once it receives BPDU information from other switches, thus preventing the access of illegal switches. • ROOT protection prevents a new switch from becoming the root. If a new switch tries to become the root, the port will stop working. Figure: a device sends BPDU information to become the root bridge; with ROOT protection the existing ROOT keeps its role and the receiving port is blocked; with BPDU protection the port that receives the BPDU is blocked.
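The two protections above, as an added illustration (not H3C code): the same superior BPDU arrives on a BPDU-protected port, a root-protected port and an unprotected port, and only the unprotected port lets the root change. Bridge IDs, port names and the BPDU contents are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int      # lower value wins the root election
    mac: str           # tie-breaker, lower wins

@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId    # the root bridge the sender claims to know
    sender_id: BridgeId

@dataclass
class Port:
    name: str
    bpdu_protected: bool = False   # edge port: must never take part in STP
    root_protected: bool = False   # designated port: must never learn a better root
    state: str = "forwarding"

class Bridge:
    def __init__(self, bridge_id, root_id):
        self.bridge_id = bridge_id
        self.root_id = root_id

    def receive_bpdu(self, port, bpdu):
        if port.bpdu_protected:
            port.state = "shutdown"          # BPDU protection: close the port
            return "bpdu-protection: port shut down"
        superior = bpdu.root_id < self.root_id
        if superior and port.root_protected:
            port.state = "blocked"           # ROOT protection: keep the current root
            return "root-protection: superior BPDU ignored, port blocked"
        if superior:
            self.root_id = bpdu.root_id      # unprotected port: root takeover succeeds
            port.state = "root"
            return "new root accepted"
        return "bpdu accepted, topology unchanged"

def demo():
    """Return {port: (result, port state, root unchanged?)} for the three cases."""
    legit_root = BridgeId(4096, "00:00:00:00:00:01")
    sw = Bridge(BridgeId(32768, "00:00:00:00:00:10"), legit_root)
    claim = BridgeId(0, "00:00:00:00:00:ff")           # constructed rogue bridge ID
    bpdu = Bpdu(root_id=claim, sender_id=claim)        # claims to be a better root
    results = {}
    for port in (Port("GE1/0/1", bpdu_protected=True),
                 Port("GE1/0/2", root_protected=True),
                 Port("GE1/0/3")):
        results[port.name] = (sw.receive_bpdu(port, bpdu), port.state,
                              sw.root_id == legit_root)
    return results
```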
VLAN ACL • The S7500E supports VLAN-based ACLs. You can configure ACL actions for a VLAN to implement access control for all ports in the VLAN. • VLAN-ACL allows you to manage the network more conveniently and greatly saves ACL resources. Figure: a VACL applied to traffic bridged within a VLAN (VLAN 10, VLAN 20) and a VACL applied to traffic routed between VLANs.
Services Provided by H3C S7500E • Service Access Capability of the S7500E • Service Virtualization Capability of the S7500E • High Reliability and High Security of the S7500E • Granular Service Management Capability of the S7500E
Granular Service Management Capability of the S7500E
• Network stream analysis technologies: supports the sFlow and NetStream technologies
• Graphic service management: ACL Manager and VPN Manager
• Security management of terminals: Endpoint Admission Defense (EAD) system
• Intelligent management: H3C intelligent Management Center (iMC)
Note: The S7500E provides the above-mentioned features only when it works together with H3C application & software products.
Network Stream Analysis Technologies • The S7500E supports the sFLOW and NetStream technologies. • sFLOW is a standardized, low-cost technology for analyzing the network stream. • NetStream is a technology for analyzing the network stream in an all-round perspective.