H3C S3600 Series Switches - 群環科技 Bestcom file... · 2010-07-17
TRANSCRIPT
www.h3c.com.cn 2
Agenda
Market Trends
S3600 Overview
S3600 Key Features
V1.5 New Feature
IRF
RPS1000-A
Feature Summary
End-to-End Intelligent Solution
Summary
Challenges for Enterprise Networks
How to manage, operate and control network equipment located at different sites?
Application server farm
How to expand the network easily without any network interruption?
How to avoid a single point of failure in the network?
How to maximize the bandwidth for voice traffic?
How to ensure the critical applications?
Five Key Factors for Enterprise Network
Reliability: Achieving reliable networks is still a challenge
Network Management: Network management is a labor-intensive and costly job
Intelligence: Effective Application-Awareness
Network Expansion: Continues to be a “puzzle” for network administrators – even the simplest expansion can bring hidden threats to reliability
Existing network expansion technologies are like adding a floor to an existing house – an “add on” but never a “true part of it”
Security: To protect your network against illegal use / anonymous virus
New Generation Switches Innovation
H3C S3600
Reliability
Network Management
Intelligence
Network Expansion
Security
Comprehensive Switch Portfolio
S3100-SI L2 Switch
S3600 L2/3 Switch
S5100/S5600 Intelligent Switch
S7500 modular chassis switch
S9500 Core Routing switch
Core Modular Chassis
Deployment Focus
• Multiple service options
• Highest availability & 10/100/1000 densities
• Abundant service modules
• Wire-speed 10GE aggregation
• Core
• Distribution
• Data center access/core service
• High performance wiring closet
Mid-range Modular Chassis
Deployment Focus
• Resilient L3 routing & Intelligent L4 services
• Highest density 10/100/1000
• 10GE aggregation
• Medium wiring closet
• Small/Medium Distribution/Core
• Data center access/core
• Large/Medium branch
Advanced GE fixed configuration
Deployment Focus
• Resilient L3 routing & Intelligent L4 services
• Medium density 10/100/1000
• Resilient stacking
• 10GE uplinks
• Wiring closet
• Middle branch office
• Data center
• Medium Network aggregation
Optimized fixed configuration
Deployment Focus
• Wire-speed L2 switching and resilient L3/L4 services
• 10/100 + 4 x GE uplinks
• Resilient stacking
• Advanced QoS mechanism
• Small wiring closet
• Small branch office
• Small network aggregation
• Desktop/Workgroup switch
Basic fixed configuration
Deployment Focus
• Wire-speed L2 switching
• Stacking
• Intelligent Service
• Small wiring closet
• Small branch office
• Desktop/Workgroup switch
Gigabit / 10G
10/100M
S3600 FE Series Switches
• 24 / 48 10/100M Ethernet Ports
• 4 x 1000 Base-X SFP Port
• 802.3af PoE compatible
• 8 Hardware Queues
• Voice VLAN
• Enhanced L2-L4 functionalities
• Static/RIP/OSPF (EI)
• 802.1x local / external RADIUS authentication
• ACL both inbound and outbound direction
Switch Capacity: 12.8Gbps/17.6Gbps
Forwarding rate: 9.5/11.78 Mpps
Deployment Focus
• Small wiring closet
• Small branch office
• Small network aggregation (EI)
• Desktop/Workgroup switch
S3600-28F-EI, S3600-52P-SI, S3600-52P-EI, S3600-52P-PWR-SI, S3600-52P-PWR-EI
S3600-28TP-SI, S3600-28P-SI, S3600-28P-EI, S3600-28P-PWR-SI, S3600-28P-PWR-EI
S3600-SI Series Switches Features
Target use: Enterprise wiring closet access switch; branch office switch
Availability: Simply power the switch via a standard AC input
Scalability: Patented IRF technology automatically creates a stack of switches and allows single IP management; Extend connectivity with a mixture of PoE
Connectivity: Each switch allows up to 4 active Gigabit ports with any combination of copper and/or fibre accepted
Application-Aware: Automatically detects, prioritizes and places VoIP traffic in a separate VLAN
Port Configurations:
24 x 10/100 Ports + 4 SFP
48 x 10/100 Ports + 4 SFP
Includes Standard Image (SI) software
IRF: Distributed Device Management
Scalable to 384 10/100 + 32 SFP
Built-in resilient loop stacking via SFP ports
Features Highlights:
64 Static Routes
Dynamic routing (RIPv1/2) – 1K entries
2K ARP Table
Intelligent security services including 802.1X
RADA – RADIUS Authenticated Device Access
SSHv1.5 / SNMPv3
Full QoS Prioritisation and full classification
8 Egress Queues
4K Port-Based VLANs
AC input
802.3ad Link Aggregation – up to 8 groups
Multiple/Rapid Spanning Tree with STP Route Guard
IGMP Snooping V1/V2
NTP / FTP Server and Client
Key Points
Switch 3600 -- The new choice for access network deployments
H3C S3600-28P(PWR) 24-Port + 4 SFP
H3C S3600-52P(PWR) 48-Port + 4 SFP
H3C S3600-28TP 24-Port + 2*10/100/1000Base-T + 2 SFP
S3600-EI Series Switches Features
Target use: Advanced Enterprise wiring closet access switch; small aggregation
Availability: Routing functions are totally distributed across all switches in the stack massively increasing performance and uptime
Scalability: Extend connectivity with a mixture of PoE and fibre switches
Connectivity: Jumbo Frames are supported on all gigabit uplinks for interoperability with equipment downstream
Application-Aware: Advanced Time-Based ACLs are supported that can be automatically executed on a per user or machine basis
Includes Enhanced Image (EI) software
Includes ALL SI software plus:
IRF
Distributed Device Management
Mix and match any S3600-EI product in a stack,
including PWR
Distributed Link Aggregation
Allows up to 8 groups to be spread across any ports in
the stack (8 FE / 4 GE per group)
Distributed Resilient Routing
All switches in the stack are actively routing and
sharing LSDB and ARP tables
RIP/OSPF
Multicast Routing PIM Sparse Mode / Dense Mode
JumboFrame
AC & DC input
Central MAC authentication
Time-based Access Control Lists
DHCP Tracker
ECMP,VRRP,QinQ
Traffic Redirection
HWTACACS
Traffic Mirroring
Syslog
Key Points
Switch 3600 -- The new choice for access network deployments
H3C S3600-28P(PWR) 24-Port + 4 SFP
H3C S3600-52P(PWR) 48-Port + 4 SFP
H3C S3600-28F 24-Port + 2 SFP + 2 1000BaseT
Enterprise Networking with S3600
10/100M Desktops
Space-Constrained Server Racks
Mission-Critical 10/100/1000M Workstations
Network Core
Availability
• IP Unicast Routing - Static, RIPv1/v2, OSPF
• IP Multicast Routing
• VRRP
• DTP and PAgP
• Dynamic VLANs
• IGMP snooping
• STP enhancements
• Distributed L2/L3 functions
Security
• MAC address notification
• DHCP interface tracker
• CMS security wizard
• Access control lists
• Private VLAN edge
• Port security
• SNMPv3
• 802.1x
• SSH
Quality of Service
• Queue servicing:
  - Shaped round robin and strict priority queuing
  - Weighted tail drop
  - Ingress traffic policing
  - Egress traffic shaping
• 802.1p CoS and DSCP
• Congestion avoidance
  - Granular rate limiting
  - Jumbo Frames
S3600
S3600 V1.5 New Features
New!
✔VRRP (EI)
✔HGMPv2
✔DHCP-SERVER (EI)
✔QINQ
✔GVRP
✔MVR
✔DLDP
✔IGMP Snooping Fast Leave
✔DHCP Snooping Trust
✔DHCP Relay Security
✔DHCP Option 82
✔802.1X and MAC address authentication at the same time on one port
✔802.1X with PEAP/TLS
✔Dynamic VLAN Delivery
✔Guest VLAN
✔Jumbo Frame for SI
✔Group Policy
✔Protocol Based VLAN
✔SSHv2
✔VCT (Virtual Circuit Test)
✔RSPAN (Remote Port Mirroring)
✔HWTACACS
VRRP
In a VRRP router standby group there is always a Master router that performs the task of the virtual router. All other routers in the group serve as Backups and monitor the Master at all times. When the Master fails, the Backups automatically elect a new Master to take over the task.
VRRP (Virtual Router Redundancy Protocol)
Master Router
Backup Router
Benefits: ✔ Improve the network reliability
✔ Transparent to the end users
S3600
HGMPv2
HGMP (Huawei Group Management Protocol)
HGMP
H3C S5600 series
H3C S3600 series
H3C S3600 series
Command Switch
Member Switches
Benefits: ✔ Save IP address for network management
✔ Easy to install and maintain
• S5600 series are designated as command switch
• S3600 series automatically join the cluster after startup as member switches
• Handshake and status maintenance between S5600 and S3600 series
• Alarm failure and recovery on line ……
QinQ Application for Service Provider
VLAN 20
VLAN 30
VLAN 20
VLAN 30
[Figure: frame layouts with the fields header, user VLAN and data; one frame is additionally labelled 20]
Tunnel port for assigning or extracting exterior VLAN tag
Client side: single tag, PE side: double tags.
802.1X with PEAP/TLS
802.1X authentication
PC Supplicant
S5600 Series
Radius/EAP server
S3600 Authenticator
PC Supplicant
PC Supplicant
Benefits: ✔ Improve the security
✔ Provide AAA (Authentication, Authorization, Accounting) functions
• Efficient port/MAC based
• Built-in 802.1X server
• Support EAP relay function
802.1X and MAC Authentication
Without 802.1X Client
With 802.1X Client
How can PC and IP phone be authenticated on the same port?
IP Phone
PC
S3600 supports 802.1X and MAC Authentication at the Same Time on One Port
Benefits: ✔ Authenticate devices with or without 802.1x Client at the same time
Dynamic VLAN via 802.1x
Core
CAMS
S3100
S3600
DHCP Server
Solve user roaming
1. User authentication is initiated.
2. Before authentication, the user cannot access anything or get an IP address.
3. The user is authenticated by user name and password; if legitimate, the dynamic VLAN is assigned.
4. Once authenticated as legitimate, the user accepts the VLAN ID, ACL and usage control parameters sent by CAMS, and acquires an IP address.
5. After getting an IP address the user can access the Internet, and the switch then binds IP + MAC + VLAN.
What is IRF ?
Huawei-3Com’s industry leading stacking technology
Innovation of LAN switching
Create Intelligent Resilient Framework Network
Core features:
Distributed Device Management (DDM)
Distributed Link Aggregation (DLA)
Distributed Resilient Routing (DRR)
Intelligent Resilient Framework
IRF
Distributed Fabric
• Flexible
• Highly efficient
• Cost-effective
IRF Based Easy Management
All switches act as a single logical device
Resilient architecture provides access to management in the event of ANY
switch failing
Rapid stack-wide feature configuration
Hot-insert and removal of switches
Automatic and manual stack configuration
Stack up to 8 units
Stack Management
Single entity for SNMP, WEB and CLI Management
ACL configurations in one screen with All the device View
Reduces configuration time
Improved monitoring responsiveness
Distributed Device Management (DDM)
[Figure: units 1 to 4 appear as only one logical device]
IRF fabric
S3600 IRF Stacking
Each switch uses the last two ports to provide a 2 * 2 Gbps stacking,
No extra hardware required
Stack up to 8 units
Automatic or manual stack configuration
A return link provides rapid fail-over in the event of a normal link or unit failing
Stack units together with IRF even when they are over 70 km apart
Normal Stacking Link: 1 Gbps UP / 1 Gbps DOWN
Standby Stacking loop connection: 1 Gbps UP / 1 Gbps DOWN
H3C S3600
Use SFP to link the units together
IRF Stacking
IRF Based Network Expansion
Creates incredibly resilient network design
Allows connections from ANY port across the fabric to be connected together using IEEE 802.3ad LACP – as aggregated links
Distributed Link Aggregation (DLA)
H3C S5600
H3C S3600
4 Gbps Load-balanced LAG
H3C S3600
DLA will facilitate the re-distribution of traffic if any uplink fails
IRF Based Resilient Network
Replaces the traditional L3 forwarding of stack devices with a new distributed L3 forwarding procedure
Each unit provides local L3 switching and holds distributed routing tables
Unit failure in the IRF stack will not affect routing for the other units
Master device is not required – all commands and data are synchronized across all units
1
2
ROUTER TABLE
VLAN 10.0.0.0255.255.0.1
Router Interface information is synchronised across all switches
L3 traffic can be handled locally by the switch and intelligently passed up or down the IRF stack
VLAN 1
VLAN 2
Distributed Resilient Routing (DRR)
IRF Based Resilient Network
Distributed Resilient Routing (DRR)
Traditional stack devices
• Only the active unit device (Unit 1) has the L3 forwarding capability
• Other unit devices have to deliver the received packets to the active unit device for L3 forwarding
IRF stack devices
• Any Unit of a Fabric has a complete L3 forwarding capacity
• When receiving an L3 packet to be forwarded, the Unit directly obtains the egress port and next hop of the packet
[Figure: L3 forwarding of an IP packet among Router1 to Router4 through Unit1 to Unit4, shown for a normal stack and for IRF based distributed forwarding]
Basic Security Features
• SNMPv3 / SSHv2
• Authorized IP for management:
  • Support 16 authorized management IP
• User authentication
  • 802.1x
  • Centralized MAC authentication
  • Local password based authentication (128 users)
  • RADIUS based authentication (1024 users)
• Packet Filtering
  • L2/L3/L4
  • Time-based ACLs
  • ACL entries per port
• Others
  • DoS protection
  • DHCP security
  • Port Mirroring/Traffic Mirroring
Device Security
Advanced Device Security
Access Levels – 4 levels can be set for multiple users
SNMPv3 / SSHv2 - Encrypt all SNMP and Telnet traffic to stop man-in-the-middle attacks (56-bit / 168-bit)
Authorized IP - Lock access to the management interface by routed Access Control List
Switch Login (RADIUS) – Support RADIUS Authentication for CLI / Console and web interfaces. RADIUS return attribute will set individual privilege levels
Denial of Service Attack Prevention – The host CPU subsystems and memory are protected against attacks by a traffic classification queuing system
Syslog - All commands can be tracked and sent to a Syslog server
Application-Aware Services
Advanced Traffic Management
Voice VLAN – All voice traffic can be automatically placed into a private secure VLAN; switch will detect VoIP phone OUI and register with the correct VLAN
Traffic Redirection / Mirror – Mirror or redirect any type of network traffic based upon an ACL to any port
Configurable Queue Processing – 8 hardware-based queues; Strict Priority;
Weighted Round Robin; Weighted Fair Queuing; WRED; WRR + SP
Advanced Traffic Classification – All ACL classifications are available
Traffic Actions – Remark DSCP; Drop or set the IP-Precedence, rate limit (64kbps granularity)
Define your own Classification rule and mask for the ACL
Define ACLs based upon:
• Ingress & Egress Control
• Source / Destination IP Address
• Source / Destination MAC address
• Source / Destination TCP and/or UDP Port
• ICMP
• DSCP / COS / Precedence / TOS
• VLAN
Voice Queue
Data Queue 1
Data Queue 2
Voice VLAN
1. MAC address 00E0-BB00-0000 mask ffff-ff00-0000
2. Ah! It is an IP phone of Vendor A, B, C …… (16 vendors in total)
3. Put the traffic from the IP phone into the Voice VLAN automatically
4. Other traffic will be processed with lower priority
Voice Data
Other Data
Voice VLAN
Benefits: ✔ Guarantee the QoS of voice data
✔ Improve the security
RPS1000-A Rear Panel
Two Outputs for PoE Device or Non PoE Device
Six Outputs for Non PoE Device Only
The two main inputs are for the two PSUs in the RPS1000-A rack respectively
S3600 Rear Panel
S3600-EI rear panel, AC input socket
S3600-EI rear panel, DC input socket
S3600-SI rear panel, AC input socket
RPS Connects Here! Only S3600-EI Supports RPS
S3600-SI
S3600-EI
RPS1000-A Connects to PoE Device
RPS1000-A
OUTPUT1: -54V; 25A
OUTPUT2: -54V; 25A
OUTPUT3: -54V; 8A
OUTPUT4: -54V; 8A
OUTPUT5: -54V; 8A
OUTPUT6: -54V; 8A
OUTPUT7: -54V; 8A
OUTPUT8: -54V; 8A
BOM:0404A053 - Cable with JD5 type connector for PoE switches
Two Outputs for PoE Device or Non PoE Device
RPS1000-A Connects to Non PoE Device
RPS1000-A
OUTPUT1: -54V; 25A
OUTPUT2: -54V; 25A
OUTPUT3: -54V; 8A
OUTPUT4: -54V; 8A
OUTPUT5: -54V; 8A
OUTPUT6: -54V; 8A
OUTPUT7: -54V; 8A
OUTPUT8: -54V; 8A
BOM:0404A055 - Cable with JD5 type connector for Non-PoE switches
BOM:0404A054 - Cable with JD5-A type connector for Non-PoE switches
Six Outputs for Non PoE Device Only
Two Outputs for PoE Device or Non PoE Device
Feature Summary
Port Features
SPAN (Port Mirroring)
RSPAN (Remote Port Mirroring) New!
Port Isolation
Port Rate-limiting (64kbps)
IP + MAC + Port Binding
DUD (Disconnect Unauthorized Device) New!
DLDP (similar to UDLD) New!
VCT (Virtual Cable Test) New!
High Performance
4 GE uplinks
4K VLAN/16K MAC
Jumbo Frame
High Reliability
STP/RSTP/MSTP
VRRP for S3600-EI New!
ECMP for S3600-EI
Redundant Power Supply for S3600-EI
Distributed Layer 2 and Layer 3 IRF!
Layer 2/3 failover with nonstop forwarding IRF!
4Gbps fault tolerant bidirectional stack interconnection IRF!
Cross-stack link aggregations technology, cross-stack QoS IRF!
Feature Summary (Cont.)
Abundant Security
SSHv2 New!
SNMPv3
MAC Black Hole
Disconnect Unauthorized Device
802.1X with PEAP/TLS New!
Centralized MAC Address Authentication
Enable 802.1X and MAC Authentication on the same port New!
Dynamic VLAN Delivery/Guest VLAN New!
DHCP Relay Security New!
DHCP Snooping Trust New!
Abundant QACL
WRED
8 Queues/SP/WRR/WFQ/SP+WRR/SP+WFQ
CAR
Ingress & Egress ACL
ACL Traffic Limit
Traffic Classification/Traffic Shaping
Tail Drop
DSCP<->CoS
Voice VLAN
Feature Summary (Cont.)
Multicast
MVR New!
IGMPv1/v2 Snooping
IGMPv1/v2 Snooping Fast Leave New!
PIM-SM/PIM-DM for S3600-EI
Ease Management
GVRP New!
SNMPv1/v2/v3
HGMPv2 New!
One IP address and configuration file for entire stack IRF!
Extends Web-based management suite
Automatic stacking configuration of new units when connected to the stack IRF!
Cost Effective
PoE
QinQ New!
802.1X Server
DHCP Option 82 New!
DHCP Server for S3600-EI New!
Return of Investment
High Performance/Cost Ratio
Seamless Network Expansion IRF!
S3600 Deployment Scenario
Application server farm
H3C S3600
H3C S3600
H3C S3600
H3C S3600
H3C S5600
H3C S5600
Voice VLAN
POE
IRF stacking
End-to-End Intelligent Solution
Application server farm
S7500
Security Policy Control
Security: Automatic User Security Authentication, Authorisation and Accounting; Peace of mind for businesses
PoE: Powered, traffic optimized and secured by Switch 3600
Router AR4600
Best of Breed Core Performance: Industry leading Terabit Performance with investment protected backplane
Industry Leading Performance: Unique Distributed Resilient 96Gbps link via IRF
Total Flexibility: Comprehensive media flexibility for abundant applications
S3600
SecPath Security System
S9500
Service System Fully Standards Based Infrastructure
Unique Investment Protection: Add Power over Ethernet anytime to the Switch S5600
S5600
S3600
Shinsei Bank Office Building Network
PC
PC
S3600-52-PWR-EI
IP Phone
S9505 S9505 OSPF
VRRP RSTP Root
IP Phone
VRRP
S3600-52P-PWR-EI
S3600-52P-PWR-EI
DHCP Server
PC data and IP phone data are forwarded into different VLANs. The S3600-52P-PWR-EI Voice VLAN method sets IP phone packets to high priority.
Power over Ethernet
IP Phone
PC Data
Multicast
S5516 S5516 S5516S5516
RSTP Root
Backbone Network
Shinsei Bank is one of the first group customers in Japan to introduce an IP phone solution into its enterprise network.
• Reliability ensured by dual-host, dual-homing, VRRP and RSTP
• Voice VLAN and PoE deployment
S3600-52-PWR-EI
Summary
IRF based Easy Management
IRF based Network Expansion
IRF based Resilient Network
Advanced Network Security
Network Application-Awareness H3C S3600
Low TCO
Enterprise-class services
High Availability: IP Routing, VRRP, MSTP, 802.1s/w, IGMP snooping, RPS
Security: ACL, port security, MAC address notify, RADIUS/TACACS+, 802.1x, SSHv2, SNMPv3, DUD
Advanced QoS: Layer 2–4 QoS with CoS/DSCP, shaped round robin, WRR, strict priority queuing, Ingress and Egress ACL (only for S3600)
VOICE VLAN/PoE
Abundant Security
SSHv2/SNMPv3
802.1X with PEAP/TLS, Centralized MAC Address Authentication/Enable 802.1X and MAC Authentication on the same port
Dynamic VLAN Delivery/Guest VLAN
DHCP Relay Security/DHCP Snooping Trust
IRF technology
4Gbps fault tolerant bidirectional stack interconnection
Distributed architecture
Layer 2/3 failover with nonstop forwarding
Cross-stack link aggregations technology, cross-stack QoS
Single network instance (IP, SNMP, CLI, STP, VLAN)
Summary (Cont.)
High performance
Gigabit Ethernet and Fast Ethernet configurations provide
Distributed Layer 2 and Layer 3
Ease of management/deployment
One IP address and configuration file for entire stack
Extends Web-based management suite to Layer 2/3/4 services
Automatic stacking configuration of new units when connected to the stack
Return of Investment
High Performance/Cost Ratio
Seamless Network Expansion