H3C S3100-EI Intelligent Secure Switches - PowerPoint PPT Presentation


SLIDE 1

H3C S3100-EI Intelligent Secure Switches

SLIDE 2

www.h3c.com.cn

Content
  • Introduction
  • Highlight Features
  • Typical Solutions

SLIDE 3

Content (section: Introduction)
  • Introduction
  • Highlight Features
  • Typical Solutions

SLIDE 4

Hardware Specification

Highlights
  • 8/16/24 * 10/100Base-TX (PoE) + 1/2 * 10/100/1000Base-T and 2 * 1000Base-SFP
  • Switch capacity: up to 17.6Gbps / throughput 13.1Mpps
  • Full wire-speed FE ports and GE uplink
  • PoE

Models: S3100-26TP-EI, S3100-16TP-EI, S3100-8TP-EI, S3100-26TP-PWR-EI, S3100-16TP-PWR-EI, S3100-8TP-PWR-EI

SLIDE 5

Content (section: Highlight Features)
  • Introduction
  • Highlight Features
  • Typical Solutions

SLIDE 6

Highlights of S3100-EI

Categories: Performance, Security, Availability, Management & Maintenance

  • SNMPv1/v2/v3
  • IPv6 host
  • RSPAN
  • VCT, DLDP
  • LDT
  • VLAN and port based ACL
  • ARP detection
  • Port security
  • IP source guard
  • DHCP snooping trust
  • Smart link
  • Power over Ethernet
  • Voice VLAN
  • Up to 17.6Gbps switching fabric
  • Up to 6.55Mpps
  • 8K MAC
  • 4K VLAN

SLIDE 7

ARP Spoofing: how to attack

Hosts on the segment:
  • 10.1.1.1, MAC A 0002:5547:bc34 (gateway)
  • 10.1.1.20, MAC B 0009:6b71:877e (attacker)
  • 10.1.1.50, MAC C 0010:a4aa:36db (victim)

The attacker sends two gratuitous ("free") ARP packets:
  • towards the gateway: 10.1.1.50 = MAC B
  • towards the victim: 10.1.1.1 = MAC B

ARP tables, with the poisoned entry shown last:

Gateway 10.1.1.1
  IP          MAC
  10.1.1.20   0009:6b71:877e
  10.1.1.50   0010:a4aa:36db   (before the attack)
  10.1.1.50   0009:6b71:877e   (after: the victim's IP now resolves to the attacker)

Attacker 10.1.1.20
  IP          MAC
  10.1.1.1    0002:5547:bc34
  10.1.1.50   0010:a4aa:36db

Victim 10.1.1.50
  IP          MAC
  10.1.1.20   0009:6b71:877e
  10.1.1.1    0002:5547:bc34   (before the attack)
  10.1.1.1    0009:6b71:877e   (after: the gateway's IP now resolves to the attacker)

Legend: attacked flow / normal flow. Traffic between the victim and the gateway now passes through the attacker in both directions.

SLIDE 8

How to counter ARP spoofing

Only ARP intrusion detection can solve the problem of ARP spoofing.

Scenario: gateway 10.1.1.1 MAC A; attacker 10.1.1.20 MAC B; victim 10.1.1.50 MAC C. The attacker's gratuitous ARPs (10.1.1.1 = MAC B and 10.1.1.50 = MAC B) arrive at the switch.

  • DHCP Snooping: creates a dynamic binding table of MAC + IP + port + VLAN from the DHCP exchanges the switch observes.
  • ARP Intrusion Detection: checks whether each ARP packet matches the DHCP binding table; if it does not, the packet is discarded (NO!), so the spoofed entries never reach the gateway or the victim.
  • ARP Packet Rate Limit: limits the ARP packet rate on the ports in order to protect the CPU from massive abnormal packets.

Hosts with static addresses never appear in the DHCP snooping table, so they need static bindings, or must sit behind a trusted port (such as the uplink towards the gateway), or their ARP packets are dropped as well.
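The two checks on this slide, replayed on the slide's own hosts, as an added example that is not H3C code and not part of the original deck: a binding table keyed by MAC + IP that maps to port + VLAN, an ARP inspection that drops any packet whose sender fields do not match a binding on the arrival port, and a per-port rate limit. The port names, VLAN 100, the rate limit value and the trusted uplink are assumptions; the MACs and IPs are the slide's.

```python
"""ARP detection backed by a DHCP snooping binding table, plus a per-port
ARP rate limit. Added example, not H3C code; port names, the VLAN id,
the rate limit and the trusted uplink are assumptions."""
from collections import defaultdict, deque

# Constructed DHCP snooping binding table: (MAC, IP) -> (port, VLAN).
# MACs and IPs come from the slide; port names and VLAN 100 are assumed.
BINDINGS = {
    ("0009:6b71:877e", "10.1.1.20"): ("Ethernet1/0/2", 100),  # attacker (MAC B)
    ("0010:a4aa:36db", "10.1.1.50"): ("Ethernet1/0/3", 100),  # victim (MAC C)
}
# The gateway (MAC A) has a static address, so it is not in the DHCP
# binding table; its port is treated as trusted instead (assumed name).
UPLINK = "GigabitEthernet1/1/1"


class ArpDetection:
    def __init__(self, bindings, trusted_ports=(), rate_limit=15):
        self.bindings = bindings
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit        # ARP packets per port per second
        self.recent = defaultdict(deque)    # port -> arrival times in last 1 s
        self.log = []

    def inspect(self, pkt, now):
        """Return 'forward' or 'drop' for one ARP packet.

        pkt: dict with port, vlan, sender_mac, sender_ip. A gratuitous ARP
        carries the claimed IP in sender_ip, which is exactly the field the
        binding check compares. now: arrival time in seconds."""
        port = pkt["port"]
        if port in self.trusted:
            return "forward"                # trusted uplink: no check
        # Rate limit counts every ARP packet on the port, valid or not,
        # because its job is to protect the CPU from floods.
        window = self.recent[port]
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= self.rate_limit:
            self.log.append(f"{port}: ARP rate limit exceeded, dropped")
            return "drop"
        window.append(now)
        # Binding check: sender MAC+IP must be bound to this port and VLAN.
        bound = self.bindings.get((pkt["sender_mac"], pkt["sender_ip"]))
        if bound != (port, pkt["vlan"]):
            self.log.append(f"{port}: {pkt['sender_ip']} claimed by "
                            f"{pkt['sender_mac']} has no binding here, dropped")
            return "drop"
        return "forward"


def replay_slide_scenario():
    """Constructed traffic: the victim's own ARP, the attacker's two
    gratuitous ARPs from the slide, a MAC-spoofing variant, the gateway on
    the trusted uplink, and a burst of 10 well-formed ARPs from the
    attacker's port with the limit set to 5 per second."""
    det = ArpDetection(BINDINGS, trusted_ports={UPLINK}, rate_limit=5)

    def arp(port, mac, ip):
        return {"port": port, "vlan": 100, "sender_mac": mac, "sender_ip": ip}

    results = {
        "victim_own_arp": det.inspect(arp("Ethernet1/0/3", "0010:a4aa:36db", "10.1.1.50"), 0.0),
        # "10.1.1.50 = MAC B", aimed at the gateway
        "spoof_victim_ip": det.inspect(arp("Ethernet1/0/2", "0009:6b71:877e", "10.1.1.50"), 0.1),
        # "10.1.1.1 = MAC B", aimed at the victim
        "spoof_gateway_ip": det.inspect(arp("Ethernet1/0/2", "0009:6b71:877e", "10.1.1.1"), 0.2),
        # attacker borrows the victim's MAC+IP on its own port: port mismatch
        "spoof_victim_mac": det.inspect(arp("Ethernet1/0/2", "0010:a4aa:36db", "10.1.1.50"), 0.3),
        "gateway_on_uplink": det.inspect(arp(UPLINK, "0002:5547:bc34", "10.1.1.1"), 0.4),
    }
    burst = [det.inspect(arp("Ethernet1/0/2", "0009:6b71:877e", "10.1.1.20"), 5.0 + i * 0.01)
             for i in range(10)]
    results["burst_forwarded"] = burst.count("forward")
    results["burst_dropped"] = burst.count("drop")
    return results


if __name__ == "__main__":
    for name, verdict in replay_slide_scenario().items():
        print(f"{name}: {verdict}")
```

The third spoof case shows why the binding is checked against the arrival port and VLAN and not just MAC + IP: an attacker who copies the victim's MAC still fails because that pair is bound to a different port. The rate limit deliberately runs before the binding check, since a flood of packets that all fail the binding check would otherwise still consume the CPU.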

SLIDE 9

VLAN Based ACL

  • Traditional ACL policy is configured per port, so users have to configure the ACL policy on all ports one by one.
  • The S5500-EI supports VLAN based ACL policy, so users can define the ACL policy easily and flexibly.

Traditional port based ACL:

# Interface Port 1> Deny ftp; Permit any
# Interface Port 2> Deny ftp; Permit any
# Interface Port 3> Deny ftp; Permit any
# …

VLAN based ACL:

# Vlan 100> Deny ftp; Permit any

SLIDE 10

EAD solves end user secure access problems

Access Request → Identity Authentication → Security Authentication → Dynamic Authorization → Activity Audit

  • Identity Authentication ("Who are you?"): invalid users are denied.
  • Security Authentication ("Are you secure?"): an unqualified user is directed to the Isolation Zone; a legal user is reinforced and admitted to the Enterprise Network.
  • Dynamic Authorization ("What can you do?"): a qualified user is admitted, and different users have different access rights.
  • Activity Audit ("What are you doing?").

SLIDE 11

EAD Basic Function

End point Security Inspection: inspect end point security status and defense ability
  • OS version, hot fix, antivirus software version, virus definition
  • Unqualified software installation & execution
  • Virus check; shared folder check; screen saver password check
  • Enhanced identity authentication (user name, password, IP, MAC binding)

Unqualified User Isolation: isolate those not complying with the security policy
  • Stop invalid users through 802.1x or Portal authentication
  • Limit user access authority by VLAN and ACL restriction
  • Isolate end users who have not updated system patches or virus definitions
  • Isolate end users who install or run unqualified software
  → Prevent cross infection & virus outbreak

System Security Reinforcement: force repair of system patches & update of antivirus software
  • Notify and assist the user to repair system holes
  • Security policy implementation: automated or compulsory manual system patch or virus definition update
  → Enhance immunity & increase security; guarantee user security & defense ability

SLIDE 12

Smart Link

  • Suitable for dual-uplink scenarios; better than Spanning Tree because it brings higher reliability to the network.
  • Works in active/standby mode: once the active link fails, the standby link is enabled, and the recovery time is less than 50ms.

Diagram: Metro Ethernet network (AMG, CE, LSW, DSLAM, IP/MPLS core); access nodes A, B and C each have an active link and a backup link (blocking) towards the S7800 aggregation switches.

SLIDE 13

VCT – Virtual Cable Test

VCT (Virtual Cable Test) test items include: whether a short or open circuit exists in the Rx/Tx direction of the cable, and the length of the cable in normal status or the length from the port to the fault point of the cable.

Diagram: S5500-EI – S3100 link with a fault (X) on the cable.

[S5500-Ethernet0/4]virtual-cable-test
Cable pair: RX  Status: Open Cable  Error lenth: 5 metres
Cable pair: TX  Status: Open Cable  Error lenth: 5 metres

SLIDE 14

LDT: Loopback Detection

Loopback detection monitors the network to avoid loops, which can cause broadcast storms that disrupt normal network applications.

[S5500-EI]loopback-detection enable
[S5500-EI]display loopback-detection
Port loopback-detection is running
System Loopback-detection is running
Detection interval time is 30 seconds
Loopback link is Dectected
The Loopback link is Port 3

SLIDE 15

Remote Switch Port Analysis (RSPAN)

RSPAN can realize port mirroring across devices; working with the NetStream module, it can realize traffic analysis and monitoring of the whole network.

Diagram: local mirror (source port → local mirroring port); remote mirroring port; NetStream module; application server farm.

SLIDE 16

Power over Ethernet (PoE)

The S5500-EI can provide power to powered devices such as wireless APs, IP phones and web cameras over the unified Ethernet.

  • Supports the IEEE 802.3af standard, providing a maximum of 15.4W to each port
  • Supports THREE levels of power supply priority: critical/high/low
  • Equipped with a 370W high-power supply to cover a maximum of 24 ports of powered devices

Diagram: S5500-EI switch – PD – AP (PD: Powered Device; AP: Access Point)

SLIDE 17

Voice VLAN

Benefits:
✔ Guarantee the QoS of voice data
✔ Improve security

Queues: Voice Queue, Data Queue 1, Data Queue 2

  1. MAC address 00E0-BB00-0000, mask ffff-ff00-0000
  2. Ah! It is an IP phone of vendor A, B, C… (16 vendors in total)
  3. Traffic from the IP phone is put into the Voice VLAN automatically
  4. Other traffic is processed with lower priority

Voice data / other data
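The OUI match the slide describes in step 1, written out as an added example (not H3C code and not part of the original deck): the switch masks the source MAC of each frame with the configured mask and compares it with the vendor OUI, placing a match in the voice VLAN and everything else in the data VLAN. The first OUI entry is the slide's; the second entry, the VLAN ids and queue names are constructed placeholders.

```python
"""OUI-based voice VLAN classification. Added example, not H3C code; the
second OUI entry, the VLAN ids and the queue names are assumptions."""


def mac_to_int(mac):
    """Accept the H3C form (00E0-BB00-0000) as well as 00:e0:bb:00:00:00."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return int(digits, 16)


# (OUI address, mask) pairs. The first is from the slide; the second is a
# constructed placeholder standing in for "another vendor", not a real OUI.
OUI_TABLE = [
    ("00E0-BB00-0000", "ffff-ff00-0000"),
    ("0011-2200-0000", "ffff-ff00-0000"),
]

VOICE_VLAN, DATA_VLAN = 2, 1                 # assumed VLAN ids
VOICE_QUEUE, DATA_QUEUE = "voice", "data1"   # assumed queue names


def matches_oui(src_mac, oui_table=OUI_TABLE):
    """True if (mac & mask) == (oui & mask) for any table entry."""
    mac = mac_to_int(src_mac)
    return any(mac & mac_to_int(mask) == mac_to_int(oui) & mac_to_int(mask)
               for oui, mask in oui_table)


def classify(src_mac, oui_table=OUI_TABLE):
    """Return the VLAN, queue and priority a frame with this source MAC gets."""
    if matches_oui(src_mac, oui_table):
        return {"vlan": VOICE_VLAN, "queue": VOICE_QUEUE, "priority": "high"}
    return {"vlan": DATA_VLAN, "queue": DATA_QUEUE, "priority": "low"}


def demo():
    """Constructed frames: a phone with the slide's OUI, an ordinary PC, and
    a PC whose MAC was changed to a phone OUI. The last one lands in the
    voice VLAN too: OUI matching is a convenience, not an access control."""
    frames = {
        "ip_phone": "00E0-BB12-3456",
        "pc": "0010-A4AA-36DB",
        "pc_spoofing_phone_oui": "00:e0:bb:de:ad:be",
    }
    return {name: classify(mac)["vlan"] for name, mac in frames.items()}


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name}: VLAN {vlan}")
```

The third frame in demo() is the security caveat behind the slide's "improve security" bullet: anyone who sets a phone vendor's OUI on a laptop is admitted to the voice VLAN with the high-priority queue, so the voice VLAN should be combined with 802.1x or port security rather than relied on for isolation.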

SLIDE 18

RoHS Product

H3C always invests heavily in R&D and in advanced manufacturing technology as well. The whole design and manufacturing process of the H3C S3100-EI complies with the RoHS standard released by the European government; therefore it is an absolutely GREEN product which won't pollute the environment.

RoHS (The Restriction of the use of certain Hazardous Substances in Electrical and Electronic Equipment)

SLIDE 19

Content (section: Typical Solutions)
  • Introduction
  • Highlight Features
  • Typical Solutions

SLIDE 20

Edge of Campus Network

Diagram: S3100-EI access switches → S5500 aggregation switches → S9500/S7500E/S7500 core.

SLIDE 21

Core of Mid-to-small sized Network

Diagram: two S5500-EI core switches interconnected by 10GE, with the Firewall, CAMS, NMS and Server Farm attached; S5500-SI and S5100-SI access switches connected over GE and GE PoE links.

SLIDE 22

S5500-EI IPv6 networking solution: IPv6/IPv4 Hybrid Network

Diagram labels: IPv4 Network; IPv6 Network; IPv6 Enterprise Users; IPv6 Users; WLAN; Dual-Stack Access; Mobile Network; IPv4 Access; IPv6 IDC; Network Manager; IPv6 Mobile Terminal; IPv6 Island; IPv4 Internet; IPv6 Internet; IPv6 over IPv4 Tunnel; IPv6 Access; IPv4 User; IPv6 Link; 6to4 Relay; four S5500-EI switches.

SLIDE 23

Hangzhou H3C Technologies Co., Ltd. www.h3c.com.cn