Open Multi-Core Router H3C SR66
Development Trends of High-end Routers H3C SR66 Open Multi-Core Router Technical Features of H3C SR66 Router (5S) Typical Cases of H3C SR66
www.h3c.com
Information basic platform
All units covered
Improve office efficiency
Improve enterprise competitiveness
Advancement of products and technologies
High expandability
Satisfy the requirements of development in the coming few years
Reliable network topology
Reliable network equipment
Reliable network link
Localized services by original manufacturer
Fast on-site support by original manufacturer
Quality network
Delay-free voice transfer
Smooth video images
Isolation of different service logics
Defense against a variety of attacks
Quality Foundation Reliability Service Advancement Security
Communication data network
Requirement Analysis of High-End Routers
Integration of being open and multi-service
Data sharing The Internet and bandwidth New applications and new services 1990s Today 2000
- High-density narrowband convergence => Broadband and narrowband integrated convergence => Large-capacity broadband and narrowband convergence with services
- Best effort => Carrier-class reliability of equipment => Carrier-class quality assurance of services
- Data and Internet access => Integration of 3 networks in 1 => Unified communication
- Standardization => customization => open
Connection Performance Service Application
Development Trends of High-End Routers
Development Trends of High-end Routers H3C SR66 Open Multi-Core Router Technical Features of H3C SR66 Router (5S) Typical Cases of H3C SR66
10G 2.5G GE 100M
SR6602 SR6608 MSR 20 AR46 SR88
Product Positioning of H3C SR66 Router
AR18 AR28
MSR 30 MSR 50
The first ever multi-core router in the industry!
Community network edge convergence router Campus network egress router Medium and small enterprise core routers Large enterprise convergence and access routers Finance and power industries Medium and small enterprises Government community / resident community Schools of higher education nationwide
Product Positioning
Multi-Core Centralized Router SR6602
- Multi-core multi-threaded processor
- Memory: 1GB; expansion to 2GB allowed
- High performance: packet forwarding rate 4.5Mpps; IPSec encryption > 3Gbps
- Fixed interface: 4 GE interfaces (optical and electrical combined)
- Flexible configuration: Intermix of HIM and MIM
- Built-in 1 CF card, and 1 CF card interface reserved
- The interface module supports hot swapping.
Multi-core compact design High performance and strong services
Multi-Core Distributed SR6608
- High reliability: distributed processing; dual main control systems; dual power supply design; all engines and modules support hot swapping.
- Configuration of multiple service engines: FIP-100 (high-performance CPU processor); FIP-200 (multi-core multi-threaded processor)
- High performance: 100G backplane bandwidth; forwarding performance 18 Mpps; support for high-density cPOS linear convergence
Multi-core Distributed Strong service processing High-speed and low-speed compatible
Power supply
Fan
Route engine (RPE-X1) Service sub- card (CL2P) Service engine (FIP-200)
Multi-Core Distributed Router SR6608
Route Engine RPE-X1 of SR6608
- High-performance CPU: 1 GHz
- Memory: 1GB; expansion to 2GB allowed
- Console port
- Aux port
- GE management network port
- Built-in 1 CF card and 1 CF card interface reserved
- 1 Host USB interface and 1 Device USB interface
FIP-200
- Multi-core multi-threaded processor
- 1GB memory; expansion to 2GB allowed
- 2×GE (optical and electrical combined)
- 2×HIM/MIM compatible slot
- Forwarding performance: 4.5Mpps
- IPSec encrypted performance: >3Gbps
FIP-100
- High-performance CPU processor
- 512MB memory; expansion to 2GB allowed
- 2×GE (optical and electrical combined)
- 4×MIM slot
- Forwarding performance: 800Kpps
- IPSec encrypted performance: 500Mbps
FIP Service Engine of SR6608
8GBE/4GBE
- 8/4 ports GE (electrical port)
- All 3-layer GE interfaces (routing interface)
CL2P/CL1P
- 2/1 port cPOS
- Each port supports 63 E1s or 84 T1s.
- Support channelization to DS0 (each port with 512 DS0s maximally)
High-Speed HIM Sub-Card of SR66
2/4/8 SAE 8 E1 1 POS 2 GBE
Compatible MIM Sub-Card of SR66
Development Trends of High-End Routers H3C SR66 Open Multi-Core Router Technical Features of H3C SR66 Router (5S)
- Speed your Network
- Stable
- Security
- Service
- Save
Typical Cases of H3C SR66
Processor comparison (axes: service capability at L3, L4, L7; forwarding performance)
Ideal processor
Universal CPU
- The flexible programming platform can adapt to different types of service processing.
- Lacks hardware acceleration capability
ASIC
- Interface integration
- Basic packet processing and hardware encryption capability
Network processor
- Dedicated hardware forwarding engine to provide extremely high forwarding performance
- Microcode-based programming, instruction space limit, weak service processing capability at layers 4 to 7
Embedded CPU
- Interface integration
- Limited packet processing and encryption capability
Multi-core CPU
- Standard C programming to adapt to different types of service processing
- Parallel hardware system, built-in hardware acceleration and encryption engine provide powerful service processing and security capability.
First Application of Multi-Core CPU on Router
Route calculation, configuration management and table item delivery
Firewall, IPSEC, NetStream, QoS (repeated for each service core in the diagram)
8 cores to process services in parallel
SR66 multi-core CPU
Sharp Improvement of Service Processing Capability of SR66
CPU Single thread
Memory access delay Memory access delay Memory access delay Memory access delay
CPU processing Hardware thread 1
Hardware thread 2 Hardware thread 3 Hardware thread 4
CPU 4 threads
Time t1 t2
Save time!
Description of Competitive Edge of CPU Multi-Thread
Multiple hardware CPU threads
- 32 hardware threads
- Each CPU core with 4 hardware threads
Flexible scheduling mechanism, which satisfies different applications
- Rotation
- Priority
- Timeslot
SR66 multi-core CPU
Firewall, IPSEC, NetStream, QoS (repeated in the diagram)
32 threads process services in parallel!
The multi-core hardware structure and the software parallel processing provide all-round improvement of service performance.
Sharp Improvement of Service Processing Capability of SR66 Multi-Thread
Diagram labels: GE, CPOS, Rx, fast messaging network, packet distribution engine, parser, distributor
- The parser rules are flexible and diverse. They can be adjusted dynamically to achieve load balancing.
- TCAM is used to perform fast parallel matching of the table item features.
SR66 multi-core hardware packet distribution engine
- The distributor is attached to the fast messaging network. It notifies the CPU core of the processing, which leads to high efficiency and no occupation of the CPU resources.
CPU thread 1
CPU thread 2 CPU thread 3 CPU thread 31 CPU thread 32
Thread hardware load balancing
Load Balancing of SR66 Multi-Core Hardware Packet Distribution Engine
CPU-1 CPU-2 CPU-3 CPU-4 CPU-5 CPU-6 CPU-7 CPU-8
10G encrypted engine Slot 2 Slot 1 Fixed port
Legend: Fast Messaging Network (FMN); multi-core CPU; CPU core; site of messaging network; CPU hardware thread
The FMN completes the fast communication between the cores of the multi-core CPU.
- The FMN works at the same frequency as the CPU. The CPU resource is not used.
- The main components are attached to the FMN sites. The communication reaches the precision of the CPU hardware threads.
- Unique Credit mechanism to ensure unblocked communication
Efficient and Fast Hardware Collaboration Mechanism
- MP fragmentation processing of the traditional link layer
The link layer fragmentation and reassembly processing rely fully on the CPU. The weaknesses of MP fragmentation processing on the traditional link layer are low efficiency, no way of improving the relevant performance, serious consumption of system resources, and impact on the system performance.
CPOS fragmentation processing engine
Multi-core
CPOS of SR66 supports hardware MP, greatly easing the pressure on the CPU and improving the MP performance.
- Each bundle supports 12 E1s/T1s.
- Support three sizes of MP packet fragmentation (128/256/512) and multiple sizes of reassembly.
- The whole system can implement the linear MP binding of up to 60 12E1s or 84 12T1s.
Powerful Hardware MP Capability
China Netcom
Internet Internet café Internet café Internet café Internet café
AR46 SR6608 S3526 GE FE AR28
Internet café Internet café Internet café
Internet café
China Telecom
Broadband convergence key indexes
Convergent broadband user type
- Direct access of Ethernet optical fiber
- PPPoE
- With the help of the AAA server, complete the authentication (PAP/CHAP), accounting and authorization
Access capability of broadband user
- The throughput of the whole system reaches 18Mpps.
- 32,000 concurrent PPP connections
- Provide 72 GEs
- The HIM GE card uses 10G bus exclusively. The fixed GE uses the GE bus exclusively, without bandwidth bottleneck.
- The hardware packet distribution engine automatically identifies different Ethernet packet types. It distributes the packets of different flow features evenly to different CPU threads. The packets are processed concurrently. The throughput is greatly improved.
MSTP
Narrowband convergence key indexes
Narrowband interface types of cPOS convergence
- DS0
- E1/T1
Narrowband interface density of cPOS convergence
- DS0: 4096
- E1: 756 (linear)
- T1: 800 (linear)
- The HIM CPOS card uses the 10G bus exclusively, without bandwidth bottleneck.
- The hardware packet distribution engine automatically identifies different Ethernet packet types. It distributes the packets of different flow features evenly to different CPU threads. The packets are processed concurrently. The throughput is greatly improved.
Powerful Convergent Capability
Full scale upgrade of the hardware architecture
- First application of the multi-core multi-threaded CPU on router
- The FMN completes the fast communication between the cores of the multi-core CPU
- Packet distribution engine
- Strong convergence capability: each card uses 10G bus exclusively.
The multi-core hardware structure and the software parallel processing provide all-round improvement of service performance.
Speed your network!
Summary of Hardware Speed Escalation
Development Trends of High-End Routers H3C SR66 Open Multi-Core Router Technical Features of H3C SR66 Router (5S)
- Speed your Network
- Stable
- Security
- Service
- Save
Typical Cases of H3C SR66
Service reliability Network reliability Link reliability Equipment reliability
- Physical reliability: Dual main control systems, dual power supplies, forwarding engine/sub-card/main control system/power supply/fan support hot swapping.
- Software reliability: Hot patching, host defense against attack, control plane speed limit, and management security
- Multi-link binding and IP Trunk
- Non-stop forwarding, redundant gateway technology (VRRP), ECMP, dynamic route fast convergence, and BFD
- Separation of control and service, service processing isolation, and TE FRR
All-Round Product Reliability
Highly Reliable Hardware Design
- The fan frame supports hot swapping.
- All high- and low-speed daughter-cards support hot swapping.
- Dual power supplies that support AC and DC as well as hot swapping
- FIP-100/200, two service engines, support hot swapping.
- Dual main control systems that support hot swapping
- Separation of control and service
SR6602 software architecture
CPU1 (control plane): system configuration management, route calculation, protocol state machine, delivery of service table items
CPU2-8 (service plane): forward packets, packet filtering, encryption and decryption, NAT, QoS, GRE
SR6608 software architecture
Main control system (route engine): system configuration management, route calculation, FIB delivery
IO (service engine), shown twice in the diagram:
CPU1 (control plane): system configuration management, route calculation, protocol state machine, delivery of service table items
CPU2-8 (service plane): forward packets, packet filtering, encryption and decryption, NAT, QoS, GRE
- Separation of routing and service engines
- Different cores of the multi-core CPU work on different tasks, which suppresses service interference naturally.
Highly Reliable Multi-Core Software Architecture
Diagram: the original code segment of the original program is replaced with the enhanced patch code segment from the patch code zone (online loading).
- SR66 supports the software hot patching technology of the single-core CPU and the multi-core CPU.
- Without resetting the equipment, software bugs are fixed in the in-service state, or small-scale new features are added.
- A user command for switching the patch unit state is provided. The command helps the user to conveniently load/deactivate/operate/delete the patch unit.
The online patch technology provides flexible defect modification means to guarantee the reliable and continuous provisioning of network services.
Online Software Hot Patching Technology Supported
IGP Route Fast Convergence Supported
Test result display: the fastest convergence time of IS-IS route is less than 50ms. The convergence time of 10,000 IS-IS routes is 300ms.
- Real-time flooding and fast notification of the link state information
Detect the link faults, flood them instantly and then calculate.
- Incremental SPF calculation (i-SPF)
When a certain tree trunk in the SPF tree changes (down/up), SPF needs only to calculate the part of the tree impacted by the changed tree trunk. It is not necessary to re-calculate the routes.
- Partial Route Calculation (PRC)
In the SPF tree, if only the leaves change, only those leaves need to be calculated. It is not necessary to re-calculate the routes.
- Intelligent timer
According to the preset parameters, the time interval is changed dynamically with reference to an exponential backoff algorithm, which solves the conflict between frequent generation and long time interval.
Before optimization After optimization Convergence time (unit: second)
- During working/protection switching, the data forwarding and services between the two boards are uninterrupted.
Diagram labels: FIB, high-speed backplane, IPC, main control board, backup control board, interface boards; universal fast handshake (10ms); normal Hello (1s); fault alarm. Original protocol session is switched. Protocol session is maintained.
SR66 main control switching detection mechanism
Uninterrupted Services During Working/Protection Switching
Diagram labels: FIB, high-speed backplane, main control system, backup main control system, neighbor routers. Notify the router to activate the GR feature. The session continues after switching, implementing stable restart.
- SR66 supports the GR features in a full scale, including GR for OSPF/IS-IS/BGP/LDP/RSVP.
- The network stays stable during the working/protection switching. After the switching, the equipment quickly learns the network routes with the help of the neighbor router. A short interruption does not require deletion of the route.
All-Round Support of GR Features
Diagram labels: backup control board, main control board, interface boards; universal fast handshake (10ms); fault alarm; bidirectional forwarding detection
- BFD: Bidirectional Forwarding Detection (IETF standard) is a technology for fast detection of node and link faults. The handshake time is 10ms by default and can be configured.
- BFD provides light-load, short-time detection. It can be used to provide real-time detection of any media and any protocol layer. The detection time and the overhead scope are wide.
- According to BFD, fault detection can be performed on any type of channels between two systems, including the direct physical link, virtual circuit, tunnel, MPLS LSPs, multi-hop routing channel and indirect channel.
- The BFD detection result can be applied to IGP fast convergence and FRR.
- The BFD protocol has been extensively accepted and recognized in the industry. It has been deployed substantively in real applications.
Fast Detection of Link Failure Supported: BFD
Diagram labels: main control board 0, main control board 1, system backplane, service board, BFD processing core, packet processing core, control processing core
- When BFD is applied, the feature of the multi-core CPU is utilized. Part of the processing capability of one of the cores (for example, one thread) is used for BFD processing to reduce the load of the management control CPU core and ensure the security of the management CPU core. Meanwhile, such measure greatly improves the processing performance of BFD service and other OAM services.
- SR66 supports BFD for BGP/IS-IS/OSPF/RSVP/VPLS PW/VRRP to implement the fast fault detection mechanism of the protocols. The fault detection time is less than 20ms.
- On the basis of BFD, SR66 supports IP FRR, TE FRR, LDP FRR and VPN FRR. The service switching time is less than 50ms.
Perfect Support of BFD by CPU
Route security, service access security, management security, forwarding security:
SSH, RADIUS, TACACS+, SYSLOG, Firewall, URPF, IPSec, routing protocol MD5 authentication, strict isolation of management and service planes, secure Comware route software system, ARP speed limit, address binding, filtering and speed limit of control information, NQA, port speed limit, IPS, broadcasting/abnormal traffic suppression
All-Round Security Features to Ensure Equipment Reliability and Security
ASPF
- Diverse security protocols and strict service access control greatly improve the reliability of the operation of the SR66 router.
SR66 is designed with full orientation to carrier-class application. By taking the advantage of the strong multi-core CPU service processing capabilities, SR66 provides all-round software and hardware reliability at the layers of equipment, link, network and service.
- Hardware supports the hot swapping of key components.
- The software architecture supports the separation of control and service.
- Hot patching
- ECMP
- VRRP
- BFD
- Support GR in a full scale
- Support FRR
- Control plane protection
Make your network Stable!
Summary of High Stability
Development Trends of High-End Routers H3C SR66 Open Multi-Core Router Technical Features of H3C SR66 Router (5S)
- Speed your Network
- Stable
- Security
- Service
- Save
Typical Cases of H3C SR66
Destination address Next hop Egress 202.98.3.0 202.93.3.1 POS3/0/1 10.10.87.0 10.10.87.0 …… GE2/0/1 GE2/0/2 POS3/0/1 202.98.3.5 10.10.87.3 Data 202.98.3.5 10.10.87.3 virus Attack data packet Normal data packet GE2/0/1 CPU core 1 CPU core 2 Main control system Main control system CPU core 1 CPU core 2 POS3/1/0
- Multiple attack packets use the same destination and source addresses as those of the normal packets, or use source addresses generated at random, and are delivered to different CPU cores through the hardware distribution engine.
- The normal packets are forwarded according to the destination address. At the same time, the route to the source address is looked up in the reverse direction. If the ingress is judged to be consistent, the packets are forwarded normally.
- If the source address of an attack packet has no route, or the ingress is incorrect, the packet is discarded.
- Defense against the source spoofing and distributed types of attacks.
URPF Secure Forwarding Supported
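The reverse-path check described on this slide, written out as an added example (not H3C or Comware code). The addresses and interface names are taken from the slide; the prefix lengths, the 10.10.0.0/16 route and the sample packets are constructed assumptions.

```python
import ipaddress
from collections import Counter


class Fib:
    """Small forwarding table with longest-prefix-match lookup."""

    def __init__(self, routes):
        # routes: (prefix, interfaces); more than one interface models ECMP.
        self._routes = sorted(
            ((ipaddress.ip_network(p), frozenset(ifs)) for p, ifs in routes),
            key=lambda r: r[0].prefixlen,
            reverse=True,  # most specific prefix is tested first
        )

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        for net, ifs in self._routes:
            if ip in net:
                return ifs
        return None


def urpf_strict(fib, src, dst, ingress):
    """Strict uRPF: the best route back to src must use the ingress interface.

    Returns ("forward", egress) or ("drop", reason).
    """
    reverse = fib.lookup(src)
    if reverse is None:
        return ("drop", "no-route-to-source")
    if ingress not in reverse:
        # Also hits legitimate traffic when routing is asymmetric, which is
        # why strict mode belongs on edges with a single path per source.
        return ("drop", "ingress-mismatch")
    forward = fib.lookup(dst)
    if forward is None:
        return ("drop", "no-route-to-destination")
    return ("forward", sorted(forward)[0])  # deterministic pick among ECMP


def summarize(fib, packets):
    """Count verdicts so drops can be reported per reason."""
    counts = Counter()
    for src, dst, ingress in packets:
        verdict, detail = urpf_strict(fib, src, dst, ingress)
        counts[detail if verdict == "drop" else "forward"] += 1
    return counts


# Constructed table: /24 and /16 lengths are assumptions, not from the slide.
FIB = Fib([
    ("202.98.3.0/24", {"POS3/0/1"}),
    ("10.10.87.0/24", {"GE2/0/1"}),
    ("10.10.0.0/16", {"GE2/0/2"}),
])

# Constructed packets: (source, destination, ingress interface).
PACKETS = [
    ("10.10.87.3", "202.98.3.5", "GE2/0/1"),    # normal packet
    ("10.10.87.3", "202.98.3.5", "POS3/1/0"),   # same addresses, wrong ingress
    ("198.51.100.7", "202.98.3.5", "GE2/0/1"),  # random source, no route
    ("10.10.87.3", "202.98.3.5", "GE2/0/2"),    # /24 wins over /16: mismatch
    ("10.10.5.9", "202.98.3.5", "GE2/0/2"),     # covered by the /16 only
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, urpf_strict(FIB, *pkt))
    print(dict(summarize(FIB, PACKETS)))
```

The fourth packet shows why the reverse lookup has to be a longest-prefix match: the /16 route alone would accept it on GE2/0/2.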
- Identify different services on the PE equipment, differentiate voice/video real-time services and the data services and encapsulate them to the VPN. In that way, the secure isolation of different services is implemented.
- The MPLS VPN is applied to carry multiple services to ensure security of the services on the network. MPLS VPN can provide security protection equivalent to the level of dedicated line.
PE PE Data service Voice Video Other services PE PE CE CE CE CE CE CE CE CE
VPN1 VPN2 VPN3 VPN4
- The SR66 hardware distribution engine automatically identifies the MPLS packets, and distributes the traffic evenly to different hardware CPU threads.
- The CPU threads operate in parallel and perform priority mapping.
- During packet transfer, multiple CPU threads perform QoS guarantee.
Fully support the L2/L3 VPN services
VPN Service Isolation
Hardware encryption engine of SR66 security features
- 10G encryption engine embedded in the multi-core CPU
- 4 encryption cores + 1 RSA core
- The load balancing engine ensures the parallel operation of the cores.
- Support DES/3DES/AES and other mainstream algorithms.
- Support SHA/MD5 authentication.
- Support CRC check and RSA Key hardware acceleration.
Security feature hardware architecture of the traditional router
- Pure CPU calculation and poor performance
- IPSEC acceleration card of the PCI interface offers low performance.
Diagram labels: main CPU system, PCI bridge, IPSec engine (traditional router); load balancing engine, four encryption cores, RSA core (SR66 hardware encryption engine)
Built-in 10G Hardware Encryption Engine of SR66
Enterprise headquarters PSTN/ISDN L2TP+IPSec+Nat LNS LAC + NAT SR66 PPPoE SOHO Mobile user
Conventional Upgrade of IP VPN
Branch AR46 GRE+IPSec+Nat
- Hardware encryption does not affect forwarding.
- With multi-core encryption and parallel operation of the internal cores, the encryption throughput of the service engine is sharply increased.
- Encryption and decryption adopt a distributed mode. The encryption capability of the whole system is sharply increased.
- The traditional VPNs can be stacked flexibly. GRE/L2tp/IPsec can be stacked to satisfy different networking requirements.
Diagram labels: VPN1, MPLS, PSTN, BAS (LAC), DSLAM, NAS (LAC), PE, DSL; L2tp+IPSec tunnel, GRE+IPSec tunnel; headquarters, headquarters server, branch, Soho ADSL access, mobile user access via modem
SR66 supports IPSec and L2tp multiple instances to fuse IP VPN and MPLS VPN perfectly.
- The fast decryption of the encrypted IP VPN is performed through multi-core encryption and parallel processing of the internal cores.
- The hardware distribution engine distributes the traffic evenly to the CPUs and transfers the traffic in parallel to MPLS VPN.
Perfect Fusion of IP VPN and MPLS VPN - VPE
Definition of packet filtering firewall
- Some packets are allowed to pass according to a set of rules. At the same time, other packets are blocked. The rules can be formulated according to the address information of the network layer protocol (for example, IP) or the transmission layer information (for example, TCP header or UDP header).
Problems of single-core CPU packet filtering
- Packet filtering affects the operation of other services
- Low filtering performance due to the constraints of the CPU capability
SR66 multi-core packet filtering
- Multi-core parallel processing of packet filtering to improve the performance sharply
- The control plane does not process and filter data, which leads to stable management functions.
- The distributed packet filtering to improve the processing capability of the whole system sharply
Diagram (SR66 multi-core parallel packet filtering): hardware packet distribution engine, packet filtering on each service core, encryption core, control plane
Multi-Core Packet Filtering Firewall
LAN
SR66 ASPF state firewall
- The patented ASPF state machine technology guarantees the support of diverse network applications and the improvement of security.
- Support the state detection of multiple application protocols, including H323/MGCP/SIP/H248/RTSP/HWCC/ICMP/FTP/DNS/PPTP/NBT/ILS.
- Support the state detection of SMTP/HTTP/Java/ActiveX/SQL injection attacks
- Multi-core parallel processing of ASPF to offer sharp increase of performance
- The control plane does not process and filter data, which leads to stable management functions.
- Distributed ASPFs to improve the processing capability of the whole system sharply.
Diagram (SR66, user, server): The user initiates a session with the server. The follow-up data packets of the user session are allowed. A session initiated externally by a non-user is rejected. Access rules are established and deleted dynamically by monitoring the packets during communication.
Multi-Core ASPF Application State Firewall
Diagram (SR66 multiple cores and parallel ASPF): hardware packet distribution engine, ASPF on each service core, encryption core, control plane
Fragmentation attacks can easily break the firewall.
Some attacks fragment the packets and reassemble them at the destination to launch the attack. In that way, the firewall is broken.
Virtual Fragmentation and Reassembly Attack
Fragmentation reassembly against attack!
SR66
SR66 supports virtual fragmentation reassembly.
- Fast reassembly of the fragmented packets to guard against the attack on the firewall.
- Fast reassembly of the fragmented packets for the ALG conversion of part of the applications.
Virtual Fragmentation and Reassembly Supported
SR66 uses the multi-core CPU to process services in parallel, and the embedded 10G hardware encryption engine to provide diverse and powerful security features.
- Powerful VPN isolation
- High-speed IPSec VPN
- Encrypted IP VPN
- The access of IP VPN to MPLS VPN
- Packet filtering and state firewall
- Anti-attack virtual fragmentation reassembly
Make your network Secure!
Summary of Diverse Security Features
Development Trends of High-End Routers H3C SR66 Open Multi-Core Router Technical Features of H3C SR66 Router (5S)
- Speed your Network
- Stable
- Security
- Service
- Save
Typical Cases of H3C SR66
10.1.1.3 10.1.1.20 202.10.88.2 Private network IP address Public network address SR66 Internet NAT 10.1.1.3 Web server 10.1.1.4 Mail server
The session-based mode, parallel processing of NAT service by multi-core and multi-thread CPU, and distributed processing sharply improve the NAT processing capability of the whole system.
- Adopt the port cyclical multiplexing mode. Meanwhile, automatically detect the quintuple conflict so that NAPT supports unlimited connections.
- Support NAT/NAPT/internal server to support blacklist
- Support limit of connection number
- Support session log
- Support multiple instances
Key indexes of NAT gateway features
NAT service capability
- 2M concurrent sessions
- Throughput of up to 4Gbps
NAT ALG capability
- MSN
- FTP
- DNS
- PPTP
- SIP
- NetBios
- H323
- ……
Multi-Core Distributed NAT
NetStream V5/V8
DoS attack, Flood attack …
The 1:1 sampling causes 10% or less impact on the forwarding performance.
Multi-Core Distributed NetStream
- During the forwarding, the traffic is evenly distributed on the threads of the multi-core CPU. The system performs parallel NetStream statistics. Load balancing leads to basically no impact on the forwarding performance. The parallel processing of NetStream is greatly improved.
- With the fully distributed NetStream processing, the NetStream processing capability of the whole system is greatly improved.
- When a traditional single CPU processes NetStream, the CPU performance is the bottleneck. The larger the traffic is, the larger the impact on the performance.
LAN
OAP motherboard
Network traffic analysis SSL VPN L4-L7 load balancing WAN optimization WLAN controller More…
SR66 can provide customized service modules on the Open Application Platform (OAP) based on the Open Application Architecture (OAA). The service capability can be expanded unlimitedly.
WAN optimization module Network traffic analysis module … service module
OAP of SR66 Open Architecture
SR66 utilizes the multi-core CPU to process services in parallel. It also provides the open OAP architecture to offer more diverse services.
- Multi-core distributed NAT
- Multi-core distributed NetStream
- OAP platform
Service aggregation!
Summary of Service Aggregation
Development Trends of High-End Routers H3C SR66 Open Multi-Core Router Technical Features of H3C SR66 Router (5S)
- Speed your Network
- Stable
- Security
- Service
- Save
Typical Cases of H3C SR66
SR6602 router, SR6608 router, MSR router, AR28 router
According to the design, the boards and cards of the SR66 series routers and those of the H3C AR28 and the MSR series routers are compatible. To perform an upgrade to the SR66 series routers, the original boards and cards can still be used. The combinations of the boards and cards are flexible. The user investment is effectively saved.
What to do with the MIM card?
AR/MSR Compatible MIM Plug-in Card
Traditional high-end router
- Requirement 1: GRE. Independent GRE board should be added.
- Requirement 2: High-performance L2TP. Independent L2TP board should be added.
- Requirement 3: High-performance NAT. Independent NAT board should be added.
- Requirement 4: High-performance IPsec encryption. Independent encryption board should be added.
To implement the high-performance GRE tunnel, L2TP tunnel, NAT conversion and IPsec encryption, the traditional high-end router needs to add independent hardware boards. In that way, the user investment is increased.
Multi-core distributed SR66
- Requirement 1: High-performance GRE
- Requirement 2: High-performance L2TP
- Requirement 3: High-performance NAT
- Requirement 4: High-performance IPsec encryption
Supported without adding boards and cards!
SR66 series routers adopt the parallel processing by the multi-core CPU and the encryption engine embedded in the boards. Without adding any boards, the SR66 routers can implement high-performance GRE tunnel, L2TP tunnel, NAT conversion and IPsec encryption. User investment is reduced sharply.
Implementation of High-Speed Services Without Adding Boards
POS 155M interface board, POS 622M interface board: command line switching between 155M and 622M
The interface speed of the POS interface board of the SR66 series routers can be configured through command lines and switched between 155M and 622M. In that way, the user investment is effectively reduced. This satisfies the requirement for a wide range of access speed options with limited investment.
Command Line Switching POS 155M/622M Rate
Figure labels: IPv4 network, IPv6 backbone network, IPv4/IPv6 dual stack network, IPv6 network, NAT-PT conversion, IPv4 access, IPv6 access, tunnel access, SR6608, SR6602, network management center
IPv6 feature key indexes
Forwarding performance
- Linear forwarding
- Throughput of the whole system: 6Gbps
Route table capacity
- Larger than 100,000
Number of IPv6 over IPv4 tunnels
- 10000
Number of NAT-PT sessions
- 100,000 concurrent sessions
The multi-core distributed system fully supports the IPv6 features. The user can smoothly upgrade the network from IPv4 to IPv6 without any additional investment.
- IPv6 protocol stack: ICMPv6, Path MTU, ND, automatic configuration and DNS Client
- IPv6 transitional technologies: dual stacks, NAT-PT, automatic tunneling, configuration tunnel, and 6to4 tunnel
- IPv6 routing protocols: BGP4+, IS-ISv6, OSPFv6 and RIPng
Implementation of IPv6 Smooth Upgrade Without Additional Investment
With full consideration of user requirements, the SR66 provides a compatible architecture design and future-oriented software features to save user investment substantially.
- AR/MSR compatible MIM card
- Command line switching POS 155M/622M rate
- No need to add investment in implementing IPv6 smooth upgrade
- No need to add boards to implement high-speed services
Save your money!
Summary of Investment Saving
ASON Network of China Netcom (Beijing)
ASON Network of China Netcom (Beijing)
NE40-4 (Legacy) SR8805 Branch procuratorate WAN router SR6602 Branch procuratorate WAN router SR6602 Branch procuratorate WAN router SR6602 Load balancing S7506R Firewall 100M firewall 100M firewall 100M firewall Intrusion detection system Intrusion detection system Intrusion detection system Network isolator Municipal politics and law network Internet Firewall of extranet S8512 SR8805
Redundant disaster recovery center (placed in a branch procuratorate)
Municipal procuratorate LAN S7506R Existing firewall SR6602
Beijing Municipal Procuratorate
e-Administration Intranet of Jiaxing City
S7506E S7506E SR6608 Shitai Sanshuiwan Daoqian Street Hexi Ziyang Street Internal access units in administration center building External access units of administration center External access units of administration center Server zone Zhejiang e-administration intranet iMC intelligent management platform Xlog log audit IPS Secpath F1000-S Secpath F1000-S HA heartbeat cable District and county e-administration intranet Zapu Economic Development Zone S5600-50C S5600-50C S5600-50C S5600-50C S5600-50C
Heilongjiang Local Taxation Bureau
12 prefectural centers
Provincial core router SR8812
Videoconference controller
124 district and county centers
Videoconference terminal Videoconference terminal Videoconference terminal Transmission platform Videoconference terminal Videoconference terminal
S3100-26C
Core switch S7506
Provincial center
Transmission platform Core switch S7506
8M 8M 12*8M 4M 4M
Access by provincial departments Provincial central LAN
GE FE FE Core switch
Provincial and prefectural core router SR6608 Provincial and prefectural core router MSR30-16
S3100-26C SR6608 SR6608 MSR30-16 MSR30-16 GE GE
Five-Section Social Security System of Changzhou
Server farm
SR6608 (working)
S7510E S7510E
SR6608 (protection)
SDH
Business-related units
VPN access
Hospitals, pharmacies, street social security sites, 97 medical units, 103 pharmacies and 1000 townships
E1 E1 E1 E1 GE GE
GE
GE FE
Secpath F1800 Secpath F1800 Secpath F1000
SDH District and County Labor Security Information Center District and County Labor Security Information Center District and County Labor Security Information Center ….. ….. Business Handling Sites SR6608 N*2M SDH/VPN SDH MSTP
Social Security Building Access in the building
S3600-28TP 100M AR4640 SR6608 AR4640 SR6608 AR4640 SR6608 AR4640
- No. 1 Middle School of Mudanjiang
E352 E328 E328 E126 E126 E126 E126 SR6608 Firewall S7500E S7500E
Hangzhou H3C Technologies Co., Ltd.
www.h3c.com.cn