Main Slides on H3C S7500E Multi-Service Switch Network Product Dept.


SLIDE 1

Main Slides on H3C S7500E Multi-Service Switch

Network Product Dept.

SLIDE 2

  • Trend of the IP Networks
  • Introduction to the S7500E Series
  • Service Features of the S7500E Series
  • Typical Networking and Application

Contents

SLIDE 3

www.h3c.com.cn

Resource isolated island 1 Resource isolated island 2 Infrastructure integration BI Business continuity Resource pool Law compliance

IT-CMM Model of H3C

IT support for products IT support for systems IT centralization IT integration IT support for resources

IT-CMM1 IT-CMM2 IT-CMM3 IT-CMM4 IT-CMM5

Stand-alone phase

Service description: Single-system service
Technical feature description:

  • No requirement for network interconnection
  • Anti-virus software installed in stand-alone devices to guarantee security

Interconnection phase

Service description: Interconnection service
Technical feature description:

  • LAN: Ethernet interconnection/FAT-AP access
  • WAN: DDN/ATM/FR/SDH interconnection
  • Security: Security policies deployed in single devices to ensure local security
  • Network management: Network element management and decentralized service management

Integrated phase

Service description: Service integration
Technical feature description:

  • Network: Data center application, end-to-end network virtualization, wired-wireless integration, safe endpoint admission
  • Network management: Management and deployment of end-to-end services oriented to humans and resources
  • Security: Global security and in-depth security

Intelligent phase

Service description: Intelligent applications
Technical feature description:

  • WEB2.0 and XML become standards
  • Ensure integrated, optimized, and safe network applications
  • Management: Integration of IT management and service workflow management
  • Security: Intelligent security

Service description: IT support for resources, strategy-oriented IT, and IT infrastructure visibility

SLIDE 4

IT-CMM3: Converged Network Carrying Multiple Services

Converged network Connection to outside Multimedia service Data service Voice Video IPSurveillance Streaming media CRM ERP ISC R&D ...... Internet Extranet Intranet

SLIDE 5

New intelligent network

A D B C E

Granular service management Integrated access Virtual service network Global security High reliability

Requirement of Multi-Service Bearer for Network

SLIDE 6

Requirement 1 of Multi-Service Bearer: Integrated Access

IP surveillance IP phone & video Common terminal Wired terminal Mobile office SOHO Large and medium-sized branch leased lines

LAN WAN

Wireless terminal

SLIDE 7

Requirement 2 of Multi-Service Bearer: Virtual Service Network

Virtual service network A Virtual service network B Virtual service network C Physical network Driven by service convergence:

  • Data service
  • Video conference
  • IP voice
  • IP video surveillance
  • Streaming media on demand

Driven by service isolation:

  • Isolation of services of different classes in an Intranet
  • Complying with laws and regulations
  • Extranet/Virtual enterprise
  • Service outsourcing/Consultation/Visitor

SLIDE 8

Requirement 3 of Multi-Service Bearer: High Reliability

High-reliability networking technologies, which guarantee networking reliability. Rapid fault detection and location.

High-reliability campus network

Carrier-class reliability reaches 99.999%, which guarantees reliability of a single device.

SLIDE 9

I want to have the security policies deployed automatically! I want to change policies of the whole network within several minutes. I want to effectively manage devices in the whole network. I want to assign different authorities to different users. I want to deploy security policies for different networks.

Users need a complete solution to enterprise security policies!

  • Difficulty in configuration and management caused by a great number of devices
  • Service interruption caused by virus outbreak and hacker attack
  • Hidden security troubles from headquarters, business trips, and SOHO

Requirement 4 of Multi-service Bearer: Global Security

SLIDE 10

  • After the peak period of network construction, network management gradually becomes the focus of customers.
  • Customers' requirement of network management does not lie in using management tools. Customers pursue flexible and intelligent granular control that is effectively integrated in daily services.

Granular management Simple management Network construction No management No network

Requirement 5 of Multi-service Bearer: Granular Service Management

SLIDE 11

  • Trend of the IP Networks
  • Introduction to the S7500E Series
  • Service Features of the S7500E Series
  • Typical Networking and Application

Contents

SLIDE 12

Position of H3C S7500E

2-service slot chassis

Deployed on the edge of the WAN, in the convergence layer of the small and medium-sized network, core layer of the small network, and the small cable distribution room

3-service slot chassis

Deployed on the edge of WAN, in the convergence layer of the medium-sized network, core layer of the small and medium-sized network, and small and medium-sized cable distribution room

Horizontal 6-service slot chassis

Deployed on the edge of the WAN, in the convergence layer of the large network, core layer of the small and medium-sized network, and large and medium-sized cable distribution room

Vertical 6-service slot chassis

Professional design of fire resistance, shock resistance and heat dissipation, deployed in the large data center and the central equipment room of the carrier

10-service slot chassis

Deployed in the high-density cable distribution room and the core layer of the large network

SLIDE 13

Overview of H3C S7500E Series

| Item | S7502E | S7503E | S7506E | S7506E-V | S7510E |
|---|---|---|---|---|---|
| Number of slots | 4 | 5 | 8 | 8 (vertical) | 12 |
| Backplane bandwidth | ≥400G | ≥1T | ≥1.6T | ≥1.6T | ≥2.4T |
| Switching capacity | 192G | 480G | 768G | 768G | 1152G/768G |
| Packet forward capability | 143Mpps | 274Mpps | 488Mpps | 488Mpps | 773M/488Mpps |
| Engine redundancy | Support | Support | Support | Support | Support |
| Power supply redundancy | 1+1 | 1+1 | 1+1 | 1+1 | 1+1 |
| Maximum Gigabit port | 96 | 144 | 288 | 288 | 480 |
| Maximum 10 Gigabit port | 4 | 10 | 16 | 16 | 24 |
| Occupied rack size | 4U | 10U | 13U | 21U | 16U |

SLIDE 14

Major Features of H3C S7500E Series

Full service High performance Flexible configuration Security and reliability

  • Capability of providing a wide range of services
  • MPLS/IPv6/EPON/WLAN/PoE
  • Firewall/IPS/OAA

  • High-performance multi-service bearer platform
  • Wirespeed IPv6 forwarding
  • Wirespeed MPLS forwarding
  • Most cost-effective 10 Gigabit ports
  • The price of a 10 Gigabit port is less than 50% of the 10 Gigabit port price in earlier products.

  • Flexible configuration
  • Combination of multiple chassis, engines, and cards

  • High security and reliability
  • Endpoint admission defense (EAD)
  • Built-in security plug-in card
  • Graceful restart technology

SLIDE 15

Ethernet module Functional service module Route Switching Engine

Dedicated engine of the S7502E Salience VI

Chassis

Gigabit Ethernet optical interface 10 Gigabit Ethernet

4, 5, 8, 8, 12 slots

Service module with the function of IPS Service module with the function of NAT/NetStream Service module with the function of firewall

Flexible Configuration of H3C S7500E

Salience VI-Turbo Salience VI-10G Gigabit Ethernet optical interface Gigabit Ethernet electrical interface 100M Ethernet electrical interface Passive optical network module

SLIDE 16

Salience VI-Turbo Salience VI-10G Salience VI

Engine Selection of H3C S7500E

  • Switching capacity of a single engine: 384G
  • Switching capacity of two engines that work in the load-balancing mode
  • Supporting IPv6 and Multi VRF
  • 32K MAC address table, 12K IPv4 route forward table
  • Can be used together with Salience VI-10G

  • Switching capacity of a single engine: 384G
  • Switching capacity of two engines that work in the load-balancing mode
  • With two wirespeed 10 Gigabit interfaces
  • Supporting IPv6 and Multi VRF
  • 32K MAC address table, 12K IPv4 route forward table
  • Can be used together with Salience VI-10G

  • Switching capacity of a single engine: 384G
  • Switching capacity of two engines that work in the load-balancing mode
  • Supporting IPv6 and MPLS VPN
  • 128K MAC address table, 128K IPv4 route forward table

SLIDE 17

Interface Board Selection of H3C S7500E

Standard A type of boards (SA)

  • Distributed L2 wirespeed forwarding
  • Centralized IPv4 L3 forwarding by the engine
  • Centralized IPv6/MPLS forwarding by the engine
  • Supporting VLAN ACL
  • Can be used together with SC boards

Standard C type of boards (SC)

  • Distributed L2 wirespeed forwarding
  • Distributed IPv4/IPv6 L3 wirespeed forwarding
  • Supporting Multi VRF
  • Gigabit optical interface board supports the 100M optical module.
  • Centralized MPLS forwarding by the engine
  • Supporting VLAN ACL and ACL in the egress direction
  • Can be used together with SA boards

Enhanced A type of boards (EA)

  • Distributed L2 wirespeed forwarding
  • Distributed IPv4 L3/MPLS wirespeed forwarding
  • Supporting VLAN ACL and ACL in the egress direction

SLIDE 18

Functional Module Selection of H3C S7500E

High-performance firewall module

  • Up to 8G processing capability
  • Supporting virtual firewall
  • Supporting load balancing of multiple cards
  • Supporting IPSec VPN

Radio network controller module

  • Supporting 640 APs and 10000 concurrent users
  • Automatic configuration and upgrade
  • Supporting rapid roaming
  • Diversified RF management, only load sharing available
  • Supporting IPv6 and EAD

Passive optical network module

  • 16 PON ports in a board
  • Supporting 1:64 coupling ratio
  • Available for a stand-alone device to access up to 10240 fiber users
  • Graphic configuration management

SLIDE 19

H3C S7500E Series Are Based on the Unified Comware V5 Platform

COMWARE

Diversified Security Open Convenient Reliable Flexible

  • A wide range of Internet protocols
  • Support for multiple platforms and products
  • Multi-plane modular design
  • Cuttable and scalable features
  • Distributed processing concept
  • Online patching and upgrading
  • Unification of the command line and interface
  • Visual operations and maintenance
  • Service-oriented architecture
  • Open software interfaces
  • Security protection of the platform
  • Security policy of the network-wide system

SLIDE 20

New Features of COMWARE 5

L4-L7 Security

  • Prevention against ARP spoofing and attack
  • 802.1X/PORTAL security authentication
  • Protection against attacks/worm virus
  • Prevention against illegal DHCP servers
  • Key technology and digital certificate
  • SSH 2.0/HWTACACS

MPLS Reliability L3 L2

  • Open Application Architecture (OAA)
  • Deep Application Recognition (DAR)
  • Match between DAR and QoS policies
  • Statistics of application protocols
  • Application protocol detection (HWPing)
  • HTTP URL filtering
  • IPv6
  • IPv4/IPv6 dual-stack technology
  • IPv4/IPv6 tunnelling technology
  • RIPng
  • OSPFv3
  • IGMPv3/PIM SSM
  • VRRP v3 (supports IPv6)
  • Backup center
  • Technology for redundancy of key components
  • Graceful Restart (GR)
  • Hot-swappable modules/fans/power supply
  • L3MONITOR
  • MPLS Traffic Engineering (MPLS TE)
  • Resource ReSerVation Protocol-Traffic Engineering (RSVP TE)
  • LSP hot-standby
  • Fast Reroute (FR)
  • LSP priority and preemption
  • Specify the nodes that an LSP cannot pass
  • Deep convergence between switching and routing
  • Multiple Spanning Tree Protocol (MSTP)
  • Rapid Spanning Tree Protocol (RSTP)
  • Link Aggregation Control Protocol (LACP)
  • GVRP dynamically registers VLANs
  • Voice VLAN

SLIDE 21

H3C S7500E Has Passed the EMC and Safety Certification

Designed in compliance with the industry-leading standards, the S7500E series satisfies the stringent EMC and safety requirements of countries and regions such as the European Union, North America, Germany, Japan and Russia, and has passed the authoritative certification in different countries.

SLIDE 22

H3C S7500E Series Are Green Environment-Friendly Products

The production process of traditional electronic products uses abundant heavy metals and toxic substances such as lead, mercury, cadmium, hexavalent chrome, PBB and PBDE, which result in long-term and serious damage to the environment. Improving the production process is costly and technically complex, which deters a majority of the manufacturers.

Backed up by its powerful technical strength, H3C invests a huge amount of funds in researching, developing and introducing the industry-leading production and design technologies. In designing and manufacturing the S7500E series, H3C strictly complies with the RoHS order promulgated by the European Union and has passed the certification. When made, used, and recycled, these switches will not pollute the environment.

RoHS (The Restriction of the use of certain Hazardous Substances in Electrical and Electronic Equipment)

SLIDE 23

  • Trend of the IP Networks
  • Introduction to the S7500E Series
  • Service Features of the S7500E Series
  • Typical Networking and Application

Contents

SLIDE 24

  1. Service Access Capability of the S7500E
  2. Service Virtualization Capability of the S7500E Series
  3. High Reliability and High Security of the S7500E
  4. Granular Service Management Capability of the S7500E Series

Services Provided by H3C S7500E

SLIDE 25

Integrated Service Access Capability of the S7500E Series

Terminal Access and Automatic Identification PoE power supply Wired-wireless integration Active-passive integration

  • Multimedia terminal
  • Automatic right allocation
  • IPv6 terminal access
  • Fiber To The Home FTTX
  • Solution for active-passive integration:
  • IP surveillance
  • split ratio, 16 ports per slot
  • Communications in mining wells
  • High-density, high-reliability EPON system
  • WLAN AP
  • Built-in 2800 W power supply to provide PoE
  • IP Phone
  • Support for an external PoE power supply frame of high power
  • IP camera
  • Support for the output of a wide range of powers, with a maximum of 15.4 W
  • Thin AP + wireless controller
  • Solution for wired-wireless integration:
  • Wireless controller module converged with the network
  • Wired-and-wireless unified security authentication and admission
  • Wireless security, roaming and RF management
  • Switch + wireless controller module + PoE + thin AP
  • Voice VLAN technology
  • MAC Based VLAN
  • Perfect IPv6 service capabilities

Unified identification and EAD

  • 802.1X authentication (wired/wireless)
  • Support for Portal authentication
  • VPN authentication
  • Unified Endpoint Admission Defence (EAD) and access control policies
  • Portal authentication
  • Unified authentication client (iNODE)

SLIDE 26

Even if a computer's port changes, the switch can still find its MAC address and assign the right VLAN to the port.

MAC-Based VLAN

  • The S7500E can dynamically allocate VLAN IDs to the ports of a switch based on the MAC address of a terminal, without a client or username.
  • The MAC-based VLAN feature provides a simple and easy-to-use authentication mode and improves the network security.

SLIDE 27

IPv6 Service Capabilities

  • IPv6 routing protocol: IPv6 static route/RIPng/OSPFv3/BGP+/IS-ISv6
  • IPv6 multicast protocol: MLD/MLD Snooping/PIM6/IPv6 multicast VLAN
  • IPv6 tunnel technology: manually configured tunnel, automatic 6-to-4 tunnel, ISATAP tunnel
  • IPv6 access control: support for IPv6 ACLs

IPv6 Network IPv4 Network

The IPv6 features of H3C S7500E have been certified to pass the "IPv6 Ready Phase 2" tests performed by the IPv6 Forum and the IPv6 tests performed by the Ministry of Information Industry. They have been used commercially and maturely.

SLIDE 28

PoE Supported in Multiple Modes

  • Equipped with a PSR2800-V AC 2800W power supply without an external PoE power supply, the switch can support 90 PoE ports (based on the assumption that the maximum power consumption of each port is 15.4 W).
  • Equipped with a PSR1400-D DC power supply, the switch is powered over Ethernet by an external DC power supply and can support 480 PoE ports (based on the assumption that the maximum power consumption of each port is 15.4 W).
  • Equipped with an external PSE4500A PoE power supply, the S7502E can have all of its ports provide the PoE function concurrently. Other hosts are served by PSR1400-D DC power supply and external PSE4500A PoE power supply, and can support 200 PoE ports.

AC power supply environment External PoE power supply DC power supply environment

SLIDE 29

Wired-Wireless Integration: Wireless Plug-in Card

Performance

Switching capacity:
Number of manageable APs: 640
A wireless plug-in card that provides the highest performance and the most manageable APs in the industry

Functions

  • Abundant wireless features
  • When used in S7500E and S9500, the card can provide a wide range of wired services to users: MPLS/IPSEC VPN, firewall, IDS
  • When used in S7500E and S9500, the card can provide abundant user interfaces
  • Support for L2 switching

IPV6 WAPI

SLIDE 30

Central office

OLT

Optical splitter Optical splitter Optical splitter

ONU ONU ONU ONU

User User User User IP MAN

Converging Passive EPON to an Active Switch

  • A fiber can access 64 FTTH users, thus greatly saving the fiber resource.
  • EPON access of the highest capacity in the world: A single H3C S7510E can access up to 10240 FTTH users. A few H3C S7510Es can be deployed in the central office to satisfy the networking requirement, thus sharply reducing the cost spent in building and maintaining the network.
  • Carrier-class reliability: Developed on the mature multi-service routing switches of the S7500 series, H3C OLT products provide the carrier-class reliability.
  • Can be used together with the MPLS technology of 75E to provide the e-government access solution based on the EPON technology

SLIDE 31

Support for Portal Authentication

Convergence switch Convergence switch Access switch Access switch Access switch Core switch

EAD gateway S7500E CAMS CAMS self-service Antivirus server Patch server

Agent Agent Agent

  • In the office network of an enterprise, the S7500E can act as an EAD gateway to provide the EAD Portal authentication function to the network-wide users.
  • In a large-size campus network, the S7500E, while acting as a convergence device, can provide the L3 Portal authentication function to the users it converges.
  • Portal authentication well supports the security improvement of the old networks.

S7500E CAMS CAMS self-service Antivirus server Patch server

Agent Agent Agent Access switch Access switch Access switch

S7500E S7500E

Core switch

SLIDE 32

  1. Service Access Capability of the S7500E
  2. Service Virtualization Capability of the S7500E Series
  3. High Reliability and High Security of the S7500E
  4. Granular Service Management Capability of the S7500E Series

Services Provided by H3C S7500E

SLIDE 33

Service Virtualization Capability of the S7500E Series

Virtualized security access:

  • Deployment of the user-based access policies: dynamic VLAN, ACL, PBR, QoS

Virtualized transport path:

  • Tunnelling technology: MPLS VPN/MCE

Virtualized data center service:

  • Virtual firewall

SLIDE 34

Abundant MPLS VPN Services

  • The H3C S7500E is a cost-effective PE device for users in the government and electric power industries. It can be widely applied to build a level-2 or level-3 government network and an electric power dispatching network.
  • Supports MPLS BGP VPN at layer 3, Martini and Kompella at layer 2, as well as MPLS OAM features;
  • Supports distributed or centralized MPLS, of which the performance items can be selected flexibly based on the service requirements;
  • Comes with H3C MPLS VPN Manager software to allow the user to manage the MPLS simply in a graphic way.

S7500E S7500E S7500E S7500E

SLIDE 35

Highly Reliable MCE

  • The customer can use the H3C S7500E as a CE device to access as many as 255 VPN users.
  • The H3C S7500E is a highly reliable MCE device with a redundant power supply and a redundant engine for users in the government and electric power industries. It can be widely applied to build a level-3 or level-4 government network and an electric power dispatching network.

vpn-instance: Configured with interfaces. Each subinterface is bound to different vpn instances.

Configuration diagram of MCE, a CE device supporting multiple instances

SLIDE 36

Virtualized Firewall SecBlade II

Core of MAN/ Internet

H3C S9500 H3C S7500E

  • The SecBlade II firewall of a high-end switch can allocate different virtual firewalls based on different applications.
  • The SecBlade II firewall isolates the access users from the server in a unidirectional way, restricts the port access, and prevents the virus spreading.
  • In the MPLS environment, the SecBlade II firewall can implement independent firewall policies for different VPNs.

VLAN/VPN of marketing users VLAN/VPN of financial users VLAN/VPN of OA users Marketing server Financial server OA server VFW VFW VFW

SLIDE 37

  1. Service Access Capability of the S7500E
  2. Service Virtualization Capability of the S7500E
  3. High Reliability and High Security of the S7500E Series
  4. Granular Service Management Capability of the S7500E Series

Services Provided by H3C S7500E

SLIDE 38

High Reliability and High Security of the S7500E

  • Loopback Detection (LDT): Detects whether a port is looped back by the outside.
  • Device Link Detection Protocol (DLDP): DLDP can complete detection within 2 seconds, faster than Unidirectional Link Detection (UDLD).
  • Rapid Ring Protection Protocol (RRPP): The ring network provides switching protection in less than 200ms.
  • Smart-Link: Replaces the STP in dual-homed networking to provide switching protection in less than 50ms.
  • Hot patching of software: This function allows you to fix software bugs or add small-scale new features online.
  • Graceful Restart (GR): After GR is configured, the traffic does not lose any packet in active/standby switching.
  • ARP intrusion detection and ARP spoofing prevention: Prevents ARP attacks in the network.
  • Unicast Reverse Path Forwarding (uRPF): Prevents the IP spoofing attack.
  • Large-capacity bidirectional ACL and VLAN ACL: Strictly control the rights of access to the network.
  • Virtual Cable Test (VCT): Decides the location of a cable failure, and thus helps remove the failures quickly.

SLIDE 39

Hot Patching

  • The S7500E allows you to fix software bugs or add new features online without resetting the S7500E.
  • Control commands are provided for you to load, activate, deactivate, run and delete any patch unit conveniently.

IDLE DEACTIVE RUN ACTIVE

load delete active deactive run delete delete

Working state transition of hot patching

states, which can be used more flexibly.

SLIDE 40

Enhanced Features of the RRPP

  • The S7500E supports VLAN-based load balancing among multiple instances of the RRPP, thus utilizing the bandwidth effectively.
  • The hardware supports maintaining MAC entries based on VLAN (each instance).
  • The RRPP ring supports link aggregation, which greatly expands the link bandwidth.

Ring Master Transit S7500E

X

Normally, the traffic is grouped by VLAN and transmitted in different directions, thus utilizing the bandwidth effectively. When the link in a direction is broken, the original traffic in this direction is switched to another direction and thus is not affected.

SLIDE 41

Metro Ethernet Network AMG CE LSW DSLAM IP/MPLS Core

A B C

Active Link Backup Link

  • Smart Link applies to the dual-homed uplink network topology and can be used instead of the Spanning Tree Protocol (STP). It applies to the networks that carry real-time services and require high reliability.
  • The dual uplinks work in the active/backup mode. When the active link fails, it can switch to the backup link quickly in less than 50ms.

S7500E Backup Link Active Link

Blocking Blocking

S7500E S7500E

Smart Link, a Dual-Uplink Protection Technology

SLIDE 42

Graceful Restart (GR)

The control plane is separated from the forwarding plane.

  • When only the main control engine fails, the neighboring switch does not inject routing information into other switches, but maintains the same routing protocol state, and the forwarding plane still works normally.
  • When the standby main control engine takes over the control role, it receives routing information from the neighboring device to take over the state.
  • All these procedures are transparent to the neighboring device, as if this switch has had a dog sleep.

ACTIVE ACTIVE ACTIVE

This node Restart

Restored!!

After GR is configured, the traffic does not lose any packet in active/standby switching.

Protocol/Signaling Protocol/Signaling Protocol/Signaling

SLIDE 43

LDP

LDT: Loopback Detection

LDT aims to detect whether a port of a switch is looped. After you enable the LDT function for Ethernet ports, the switch periodically checks all ports to see whether any of them is looped back by the outside. If the system discovers that a port is looped back, it places the port under control: it closes the port and reports a Trap message. Additionally, it deletes the MAC address forwarding entry matching the port.

    [H3C-S7500E]loopback-detection enable
    [H3C-S7500E]display loopback-detection
    Port loopback-detection is running
    System Loopback-detection is running
    Detection interval time is 30 seconds
    Loopback link is Dectected
    The Loopback link is Port 3

The time can be set.

SLIDE 44

VCT: Virtual Cable Test

VCT is a special function of Huawei switches placed in a campus or on a passageway. It can detect whether the cable connected to a physical port (electrical port) of a switch works well, is short or is open. Additionally, it can calculate the distance from the point of failure. VCT can isolate the failures of an Ethernet link quickly.

    [H3C S7500E-Ethernet0/4]virtual-cable-test
    Cable pair: RX Status:Open Cable Error lenth:5 metres
    Cable pair: TX Status:Open Cable Error lenth:5 metres

The network cable fails (is open) at the point 5 meters away from the switch.

VCT

SLIDE 45

ARP Intrusion Detection and ARP Spoofing Prevention

Affected party =10.1.1.50/24 MAC=C Attacker =10.1.1.20/24 MAC=B GW =10.1.1.1/24 MAC=A

STOP

ARP intrusion detection access switch Access switch

ARP packet Sender's IP=10.1.1.50 Sender's MAC= B ARP packet Sender's IP=10.1.1.1 Sender's MAC= B

10.2.1.50/24 MAC=D

  • The S7500E implements ARP intrusion detection through DHCP Snooping.
  • The S7500E allows you to set ARP aging time, thus reducing the effect of ARP spoofing.
  • The S7500E supports ARP modification confirmation to prevent ARP spoofing.
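
The binding check that DHCP-Snooping-based ARP intrusion detection relies on, as an added Python example (not H3C's implementation and not part of the original slides), run against the two spoofed packets in the diagram. The MAC values, port names and the static gateway entry are constructed assumptions standing in for the slide's MAC=A/B/C and its access ports.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806


def mac(text):
    """'00:00:5e:00:53:0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


# Constructed MACs (RFC 7042 documentation range) for the slide's A, B and C.
MAC_A = mac("00:00:5e:00:53:0a")  # gateway 10.1.1.1
MAC_B = mac("00:00:5e:00:53:0b")  # attacker 10.1.1.20
MAC_C = mac("00:00:5e:00:53:0c")  # affected party 10.1.1.50

# Binding table: sender IP -> (MAC, port). Host entries would be learned by
# DHCP snooping; the gateway entry is assumed to be configured statically.
BINDINGS = {
    "10.1.1.1": (MAC_A, "uplink"),
    "10.1.1.20": (MAC_B, "port2"),
    "10.1.1.50": (MAC_C, "port3"),
}
TRUSTED_PORTS = {"uplink"}  # hypothetical port names


def build_arp(eth_src, sender_mac, sender_ip, target_ip, opcode=2):
    """Build a 42-byte Ethernet + ARP frame (opcode 1 = request, 2 = reply)."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Extract the fields the check needs; raise ValueError on anything else."""
    if len(frame) < 42:
        raise ValueError("truncated frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not ARP")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or opcode not in (1, 2):
        raise ValueError("unsupported ARP header")
    return {
        "eth_src": frame[6:12],
        "sender_mac": frame[22:28],
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
    }


def inspect_arp(frame, ingress_port, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (verdict, reason) for an ARP frame received on ingress_port."""
    if ingress_port in trusted:
        return ("forward", "trusted port")
    try:
        arp = parse_arp(frame)
    except ValueError as exc:
        return ("drop", f"malformed: {exc}")
    if arp["eth_src"] != arp["sender_mac"]:
        return ("drop", "Ethernet source differs from ARP sender MAC")
    entry = bindings.get(arp["sender_ip"])
    if entry is None:
        return ("drop", "no binding for sender IP")
    bound_mac, bound_port = entry
    if bound_mac != arp["sender_mac"]:
        return ("drop", "sender MAC does not match binding")
    if bound_port != ingress_port:
        return ("drop", "binding belongs to another port")
    return ("forward", "matches binding")


if __name__ == "__main__":
    samples = [
        ("attacker claims 10.1.1.50", build_arp(MAC_B, MAC_B, "10.1.1.50", "10.1.1.1"), "port2"),
        ("attacker claims 10.1.1.1", build_arp(MAC_B, MAC_B, "10.1.1.1", "10.1.1.50"), "port2"),
        ("attacker's own address", build_arp(MAC_B, MAC_B, "10.1.1.20", "10.1.1.1", 1), "port2"),
        ("affected party's own address", build_arp(MAC_C, MAC_C, "10.1.1.50", "10.1.1.1", 1), "port3"),
    ]
    for label, frame, port in samples:
        print(label, "->", inspect_arp(frame, port))
```
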

SLIDE 46

Prevention against STP Attack

Send BPDU information to become a root bridge

ROOT ROOT Blocked

STP attack:

  • The attacker can see the network topology information that he/she should not see.
  • Although STP considers the speed of links, it does so from the perspective of the root bridge. The attacker will turn the Gigabit backbone into 10 Mbit/s half-duplex.

  • BPDU protection does not allow any port to get involved in STP. In this way, an untrusted port can be closed once it receives BPDU information from other switches, thus preventing the access of illegal switches.
  • ROOT protection is to prevent a new switch from becoming the root. If a new switch tries to become the root, the port will stop working.

BPDU

ROOT Blocked

BPDU protection BPDU protection ROOT protection

BPDU

SLIDE 47

VLAN ACL

  • The S7500E supports VLAN-based ACLs. You can configure ACL actions for a VLAN to implement access control for all ports in the VLAN.
  • VLAN-ACL allows you to manage the network more conveniently and greatly saves the ACL resource.

Switch VLAN 10 VLAN 20 VACL VACL applied to traffic bridged within a VLAN Switch VLAN 10 VLAN 20 VACL applied to traffic routed between VLAN’s VACL

SLIDE 48

  1. Service Access Capability of the S7500E
  2. Service Virtualization Capability of the S7500E
  3. High Reliability and High Security of the S7500E
  4. Granular Service Management Capability of the S7500E

Services Provided by H3C S7500E

SLIDE 49

Granular Service Management Capability of the S7500E

  • Network Stream Analysis Technologies: Supports sFlow and NetStream technologies
  • Graphic service management: ACL Manager and VPN Manager
  • Security management of terminals: Endpoint Admission Defense (EAD) system
  • Intelligent management: H3C Intelligent Management Center (iMC)

Note: The S7500E provides the above-mentioned features only when it works together with H3C application & software products.

SLIDE 50

  • The S7500E supports the sFlow and NetStream technologies.
  • sFlow is a standardized, low-cost technology for analyzing the network stream.
  • NetStream is a technology for analyzing the network stream in an all-round perspective.

Network Stream Analysis Technologies

SLIDE 51

Graphic MPLS VPN Service Management

Deployment Surveillance Dispatch Audit Authentication

iMC VPN Manager

  • Based on wizard-type VPN service discovery and service deployment
  • Based on service functions and user authentication

Through which PEs are CEs connected in a VPN?

What are the connection relations between CEs in a VPN?

Abundant virtual VPN topology functions

  • VPN physical topology
  • VPN service topology
  • Virtual VPN alarm and performance monitoring functions

PE PE PE PE PE PE

P P

CE CE

  • Audit the configuration and connectivity immediately or periodically to assure reliability of the VPNs
  • Policy-based VPN deployment adjustment to provide closed-loop assurance for VPN service operations

SLIDE 52

Solution deployment

  • Deployment of security interaction devices (802.1x, Portal, VPN);
  • Quick deployment of iNode client;
  • Deployment of ACL policies;
  • Deployment of a security server
  • ...

Security policy setting

  • System patch policy;
  • Antivirus software policy;
  • Black/white software policy;
  • Policies for VIP, Guest and other special users;
  • ...

Security authentication

  • Security check of terminals;
  • User authentication;
  • Support the authentication of the standard Windows CSP certificate;
  • Use the USB-Key authentication

Dynamic authorization

  • Dynamic delivery of MAC-based ACLs;
  • Dynamic delivery of VLANs;
  • Different rights for different users;
  • ...

Security audit

  • Audit of the user security authentication log;
  • Real-time statistics of the security states of online users;
  • Real-time statistics of security events;
  • Statistics of security trend;
  • ...

EAD

SLIDE 53

Converged Intelligent Management of Network Resource and Users

  • Topology shows the connection relations between and the use of the network resources.
  • Unification and convergence of the NM software function and access authentication

SLIDE 54

  • Trend of the IP Networks
  • Introduction to the S7500E Series
  • Service Features of the S7500E Series
  • Typical Networking and Application

Contents

SLIDE 55

Application in the MPLS VPN MAN

S7500E 10GE RRPP Convergence VPN 1 HQ S7500E S7500E

L3 MPLS to the edge MPLS L3 VPN

Convergence S7500E S7500E S7500E PE PE PE P P P VPN 1 VPN 2 VPN 2

VLL / QinQ MCE

Backbone network Convergence

SLIDE 56

Wired-Wireless Integration Applied in an IPv6 Campus Network

S7500E+AC S7500E+AC

GE/10GE GE/10GE GE

Core layer External network

GE

IPv4 IPv6

IPv6 server

GE

Convergence layer S7502E/S7503E

GE

S5510/55EI L2 Access layer User end L2 L2

FE FE FE FE FE FE

IPv4 server

WA2110 WA2110 WA2110 PC PC PC

GE/10GE

SLIDE 57

Application in the High-Density Multi-Service Cable Distribution Room

  1. A single device can access 480 users.
  2. Provides PoE power supply function
  3. The engine integrates two 10 Gigabit interfaces
  4. Supports intermixing of different types of engines
  5. The built-in power supply provides PoE power
  6. Supports wireless access control
  7. Provides 8 priority levels
  8. Supports EAD

SLIDE 58

Application in the Enterprise Data Center

Firewall Load-balancing device IPS Core router Switch at the core layer Switch at the access layer Connected to the backup data center Server cluster Switch at the convergence layer S7500E S7500E

S7500

WEB servers Application servers Database servers

S5600

SLIDE 59

Bidirectional Network Consolidation of China Broadcast & Television

Passive optical splitter Passive optical splitter Sub-headend IPQAM device

H3C S7500E OLT

Low cost of consolidation Small difficulty of works Applicable to network consolidation in old areas Cost-effective Mature technology Applied to new construction ONU

PC STB

Passageway coaxial network

EPON+ LAN Optical node ONU EOC combiner PC STB EOC terminal Optical node EPON + passive EoC PC STB High bandwidth Passive and reliable Easy to maintain

SLIDE 60

H3C Technologies Co., Limited www.h3c.com.cn

ITOIP solution expert