Open Multi-Core Router - H3C SR66

Agenda
• Development Trends of High-end Routers
• H3C SR66 Open Multi-Core Router
• Technical Features of H3C SR66 Router (5S)
• Typical Cases of H3C SR66

Requirement Analysis of High-End Routers
Communication data network:
• Foundation: Information basic platform; All units covered; Improve office efficiency; Improve enterprise competitiveness
• Quality: Quality network; Delay-free voice transfer; Smooth video images
• Reliability: Reliable network topology; Reliable network equipment; Reliable network link
• Security: Isolation of different service logics; Defense against a variety of attacks
• Service: Localized services by original manufacturer; Fast on-site support by original manufacturer
• Advancement: Advancement of products and technologies; High expandability; Satisfy the requirements of development in the coming few years
www.h3c.com

Development Trends of High-End Routers
Integration of being open and multi-service
Dimensions: Application, Service, Performance, Connection
• Standardization => customization => open
• Data and Internet access => Integration of 3 networks in 1 => Unified communication
• Best effort => Carrier-class reliability of equipment => Carrier-class quality assurance of services
• High-density narrowband convergence => Broadband and narrowband integrated convergence => Large-capacity broadband and narrowband convergence with services
Timeline: 1990s: Data sharing; 2000: The Internet and bandwidth; Today: New applications and new services

Product Positioning of H3C SR66 Router
The first ever multi-core router in the industry!
Chart labels: 10G, SR88, 2.5G
Chart labels: SR6602, SR6608, GE, MSR 50, AR46, MSR 30, 100M, AR28, MSR 20, AR18

Product Positioning
• Large enterprise convergence and access routers: Finance and power industries
• Medium and small enterprise core routers: Medium and small enterprises
• Community network edge convergence router: Government community / resident community
• Campus network egress router: Schools of higher education nationwide

Multi-Core Centralized Router SR6602
Multi-core; compact design; high performance and strong services
• Multi-core multi-threaded processor
• Memory: 1GB; expansion to 2GB allowed
• High performance: Packet forwarding rate: 4.5Mpps; IPSec encryption: > 3Gbps
• Fixed interface: 4 GE interfaces (optical and electrical combined)
• Flexible configuration: Intermix of HIM and MIM
• Built-in 1 CF card, and 1 CF card interface reserved
• The interface module supports hot swapping.

Multi-Core Distributed SR6608
Multi-core; distributed; strong service processing; high-speed and low-speed compatible
• High reliability: Distributed processing; Dual main control systems; Dual power supply design; All engines and modules support hot swapping.
• Configuration of multiple service engines: FIP-100 (high-performance CPU processor); FIP-200 (multi-core multi-threaded processor)
• High performance: 100G backplane bandwidth; Forwarding performance: 18 Mpps; Support high-density cPOS linear convergence

Multi-Core Distributed Router SR6608
Note: During the play, click the components of the indexes to view the video.
• Route engine (RPE-X1)
• Service engine (FIP-200)
• Service subcard (CL2P)
• Power supply
• Fan

Route Engine RPE-X1 of SR6608
• High-performance CPU: 1 GHz
• Memory: 1GB; expansion to 2GB allowed
• Console port
• Aux port
• GE management network port
• Built-in 1 CF card and 1 CF card interface reserved
• 1 Host USB interface and 1 Device USB interface

FIP Service Engine of SR6608
FIP-200
• Multi-core multi-threaded processor
• 1GB memory; expansion to 2GB allowed
• 2×GE (optical and electrical combined)
• 2×HIM/MIM compatible slot
• Forwarding performance: 4.5Mpps
• IPSec encrypted performance: >3Gbps
FIP-100
• High-performance CPU processor
• 512MB memory; expansion to 2GB allowed
• 2×GE (optical and electrical combined)
• 4×MIM slot
• Forwarding performance: 800Kpps
• IPSec encrypted performance: 500Mbps

High-Speed HIM Sub-Card of SR66
8GBE/4GBE
• 8/4 ports GE (electrical port)
• All 3-layer GE interfaces (routing interface)
CL2P/CL1P
• 2/1 port cPOS
• Each port supports 63 E1s or 84 T1s.
• Support channelization to DS0 (each port with 512 DS0s maximally)

Compatible MIM Sub-Card of SR66
• 2/4/8 SAE
• 8 E1
• 1 POS
• 2 GBE

Technical Features of H3C SR66 Router (5S)
• Speed your Network
• Stable
• Security
• Service
• Save

First Application of Multi-Core CPU on Router
Chart axes: Service capability (L3, L4, L7) against Forwarding performance; "Ideal processor" marked on the chart.
Universal CPU
• The flexible programming platform can adapt to different types of service processing.
• Lack hardware escalation capability
Multi-core CPU
• Standard C programming to adapt to different types of service processing
• Parallel hardware system, built-in hardware escalation and encrypted engine provide powerful service processing and security capability.
Network processor
• Dedicated hardware forwarding engine to provide extremely high forwarding performance
Embedded CPU
• Interface integration
• Limited packet processing and encrypted capability
• Micro code based programming, instruction space limit, weak service processing capability at layers 4 to 7
ASIC
• Interface integration
• Basic packet processing and hardware encrypted capability
Chart axes: Service capability (L3, L4), Forwarding performance

Sharp Improvement of Service Processing Capability of SR66
8 cores to process services in parallel
Diagram labels: SR66 multicore CPU; Route calculation, configuration management and table item delivery; Firewall, IPSEC, NetStream and QoS (repeated for each service core)

Description of Competitive Edge of CPU Multi-Thread
Diagram labels: CPU single thread (CPU processing, memory access delay); CPU 4 threads (Hardware thread 1, Hardware thread 2, Hardware thread 3, Hardware thread 4); Time axis t1, t2; Save time!

Sharp Improvement of Service Processing Capability of SR66: Multi-Thread
Multiple hardware CPU threads
– 32 hardware threads
– Each CPU core with 4 hardware threads
Flexible scheduling mechanism, which satisfies different applications
– Rotation
– Priority
– Timeslot
32 threads process services in parallel!
The multi-core hardware structure and the software parallel processing provide all-round improvement of service performance.
Diagram labels: SR66 multicore CPU; Firewall, IPSEC, NetStream, QoS
Load Balancing of SR66 Multi-Core Hardware Packet Distribution Engine
Diagram labels: SR66 multi-core hardware packet distribution engine; Rx; GE, CPOS and GE interfaces, each with a Parser and a Distributor; Fast messaging network; Thread hardware load balancing; CPU thread 1, CPU thread 2, CPU thread 3, ... CPU thread 31, CPU thread 32
• The parser rules are flexible and diverse. They can be adjusted dynamically to achieve load balancing.
• TCAM is used to perform fast parallel matching of the table item features.
• The distributor is attached to the fast messaging network. It notifies the CPU core of the processing, which leads to high efficiency and no occupation of the CPU resources.

Efficient and Fast Hardware Collaboration Mechanism: Fast Messaging Network (FMN)
Diagram legend: Multi-core CPU; CPU core; CPU hardware thread; Site of messaging network
Diagram labels: Fixed port; Slot 1; Slot 2; CPU-1 to CPU-8; 10G encrypted engine
• The FMN completes the fast communication between the cores of the multi-core CPU.
• The FMN works at the same frequency as the CPU. The CPU resource is not used.
• The main components are attached to the FMN sites. The communication reaches the precision of the CPU hardware threads.
• Unique Credit mechanism to ensure unblocked communication

Powerful Hardware MP Capability
MP fragmentation processing of the traditional link layer: The link layer fragmentation and reassembly processing fully rely on the CPU. The weaknesses are low efficiency, failure of improving relevant performance, serious consumption of system resources, and impact on the system performance of the MP fragmentation processing on the traditional link layer.
Diagram labels: numbered fragments 1 to 4; Multi-core; CPOS fragmentation processing engine
CPOS of SR66 supports hardware MP, greatly easing the pressure on the CPU and improving the MP performance. Each bundle supports 12 E1s/T1s.
Support three sizes of MP packet fragmentation (128/256/512) and multiple sizes of reassembly. The whole system can implement the linear MP binding of up to 60 12E1s or 84 12T1s.

Powerful Convergent Capability
Broadband convergence key indexes
• Convergent broadband user type: Direct access of Ethernet optical fiber; PPPoE; With the help of the AAA server, complete the authentication (PAP/CHAP), accounting and authorization
• Access capability of broadband user: The throughput of the whole system reaches 18Mpps; 32,000 concurrent PPP connections; Provide 72 GEs
The HIM GE card uses 10G bus exclusively. The fixed GE uses the GE bus exclusively, without bandwidth bottleneck. The hardware packet distribution engine automatically identifies different Ethernet packet types. It distributes the packets of different flow features evenly to different CPU threads. The packets are processed concurrently. The throughput is greatly improved.
Narrowband convergence key indexes
• Narrowband interface types of cPOS convergence: DS0; E1/T1
• Narrowband interface density of cPOS convergence: DS0: 4096; E1: 756 (linear); T1: 800 (linear)
The HIM CPOS card uses the 10G bus exclusively, without bandwidth bottleneck. The hardware packet distribution engine automatically identifies different Ethernet packet types. It distributes the packets of different flow features evenly to different CPU threads. The packets are processed concurrently. The throughput is greatly improved.
Diagram labels: Internet; China Netcom; China Telecom; SR6608; S3526; AR28; AR46; GE; FE; MSTP; Internet café (eight sites)

Summary of Hardware Speed Escalation
Speed your network!
• Full scale upgrade of the hardware architecture
• First application of the multi-core multi-threaded CPU on router
• The FMN completes the fast communication between the cores of the multi-core CPU
• Packet distribution engine
• Strong convergence capability: each card uses 10G bus exclusively.
The multi-core hardware structure and the software parallel processing provide all-round improvement of service performance.

All-Round Product Reliability
• Service reliability: Separation of control and service, service processing isolation, and TE FRR
• Network reliability: Non-stop forwarding, redundant gateway technology (VRRP), ECMP, dynamic route fast convergence, and BFD
• Link reliability: Multi-link binding and IP Trunk
• Equipment reliability:
  Physical reliability: Dual main control systems, dual power supplies, forwarding engine/sub-card/main control system/power supply/fan support hot swapping.
  Software reliability: Hot patching, host defense against attack, control plane speed limit, and management security

Highly Reliable Hardware Design
• Dual main control systems that support hot swapping
• All high- and low-speed daughter-cards support hot swapping.
• FIP-100/200, two service engines, support hot swapping.
• The fan frame supports hot swapping.
• Dual power supplies that support AC and DC as well as hot swapping

Highly Reliable Multi-Core Software Architecture
SR6602 software architecture
• CPU1 (control plane): System configuration management; Route calculation; Protocol state machine; Delivery of service table items
• CPU2-8 (service plane): Forward packets; NAT; Packet filtering; QoS; Encryption and decryption; GRE
SR6608 software architecture
• Main control system (route engine): System configuration management; Route calculation; Protocol state machine; FIB delivery
• IO (service engine), CPU1 (control plane): System configuration management; Route calculation; Protocol state machine; Delivery of service table items
• IO (service engine), CPU2-8 (service plane): Forward packets; NAT; Packet filtering; QoS; Encryption and decryption; GRE
Separation of control and service
Separation of routing and service engines
Different cores of the multi-core CPU work on different tasks, which suppresses service interference naturally.

Online Software Hot Patching Technology Supported
Diagram labels: Original program; Code segment; Original code segment; Patch code zone; Patch code; Online loading; Optimize; Replace the original code segment with the enhanced patch code segment
The online patch technology provides flexible defect modification means to guarantee the reliable and continuous provisioning of network services.
SR66 supports the software hot patching technology of the single-core CPU and the multi-core CPU.
On the condition that the equipment is not reset, the software bugs are modified in the in-service state, or a small scale of new features are added.
The user command of control patch unit state switching is provided.
The command helps the user to conveniently load/deactivate/operate/delete the patch unit.

IGP Route Fast Convergence Supported
• Real-time flooding and fast notification of the link state information: Detect the link faults, and perform instant flooding and then calculation.
• Incremental SPF calculation (i-SPF): When a certain tree trunk in the SPF tree changes (down/up), SPF needs only to calculate the part of the tree impacted by the changed tree trunk. It is not necessary to re-calculate the routes.
• Partial Route Calculation (PRC): In the SPF tree, if only the leaves change, only the changed leaves need to be calculated. It is not necessary to re-calculate the routes.
• Intelligent timer: According to the preset parameters, dynamically change the time interval with reference to exponential backoff algorithm, and solve the conflict between frequent generation and long time interval.
Test result display: the fastest convergence time of IS-IS route is less than 50ms. The convergence time of 10,000 IS-IS routes is 300ms.
Chart labels: Convergence time (unit: second); Before optimization; After optimization

Uninterrupted Services During Working/Protection Switching
Diagram labels: Main control board; Backup control board; Control; IPC; High-speed backplane; Interface board; FIB; Protocol session is switched; Original protocol session is maintained
SR66 main control switching detection mechanism: Normal Hello (1s); Fault alarm; Universal fast handshake (10ms)
During working/protection switching, the data forwarding and services between the two boards are uninterrupted.

All-Round Support of GR Features
Diagram labels: Main control system; Backup main control system; Neighbor router; High-speed backplane
• Notify the router to activate the GR feature
• The session continues after switching, implementing stable restart.
• Short interruption does not need deletion of the route.
SR66 supports the GR features in a full scale, including GR for OSPF/IS-IS/BGP/LDP/RSVP. The network stays stable during the working/protection switching. After the switching, the equipment learns quickly the network route with the help of the neighbor router.

Fast Detection of Link Failure Supported: BFD
Diagram labels: Main control board; Backup control board; Interface board; Fault alarm; Universal fast handshake (10ms); Bidirectional forwarding detection
• BFD: Bidirectional Forwarding Detection (IETF standard) is a technology of fast detecting node and link faults. The handshake time is 10ms by default and can be configured.
• BFD provides light-load, short-time detection. It can be used to provide real-time detection of any media and any protocol layer. The detection time and the overhead scope are wide.
• According to BFD, fault detection can be performed on any type of channels between two systems, including the direct physical link, virtual circuit, tunnel, MPLS LSPs, multi-hop routing channel and indirect channel.
• The BFD detection result can be applied to IGP fast convergence and FRR.
• The BFD protocol has been extensively accepted and recognized in the industry. It has been deployed substantively in real applications.

Perfect Support of BFD by CPU
Diagram labels: Main control board 0 and Main control board 1 (Control processing core); System backplane; Service boards (Control processing core, Packet processing core, BFD processing core)
When BFD is applied, the feature of the multi-core CPU is utilized. Part of the processing capability of one of the cores (for example, one thread) is used for BFD processing to reduce the load of the management control CPU core and ensure the security of the management CPU core.
Meanwhile, such measure greatly improves the processing performance of BFD service and other OAM services.
SR66 supports BFD for BGP/IS-IS/OSPF/RSVP/VPLS PW/VRRP to implement the fast fault detection mechanism of the protocols. The fault detection time is less than 20ms.
On the basis of BFD, SR66 supports IP FRR, TE FRR, LDP FRR and VPN FRR. The service switching time is less than 50ms.

All-Round Security Features to Ensure Equipment Reliability and Security
Diagram labels: Secure Comware route software system; Route security; Management security; Service access security; Forwarding security; Strict isolation of management and service planes; Routing protocol MD5 authentication; Filtering and speed limit of control information; SSH; Firewall; RADIUS; TACACS+; SYSLOG; URPF; ASPF; IPSec; NQA; Address binding; IPS; ARP speed limit; Port speed limit; Broadcasting/abnormal traffic suppression
Diverse security protocols and strict service access control greatly improve the reliability of the operation of the SR66 router.

Summary of High Stability
Make your network Stable!
SR66 is designed with full orientation to carrier-class application. By taking the advantage of the strong multi-core CPU service processing capabilities, SR66 provides all-round software and hardware reliability at the layers of equipment, link, network and service.
• Hardware supports the hot swapping of key components.
• The software architecture supports the separation of control and service.
• Hot patching
• ECMP
• VRRP
• BFD
• Support GR in a full scale
• Support FRR
• Control plane protection

URPF Secure Forwarding Supported
Diagram labels: Main control system; CPU core 1; CPU core 2; interfaces POS3/0/1, GE2/0/1, GE2/0/2, POS3/1/0
Normal data packet: 202.98.3.5, 10.10.87.3, Data
Attack data packet: 202.98.3.5, 10.10.87.3, virus
Destination address | Next hop | Egress
202.98.3.0 | 202.93.3.1 | POS3/0/1
10.10.87.0 | 10.10.87.0 | GE2/0/1
……
Multiple attack packets apply the same destination and source addresses as those of the normal packets. Or they generate source address at random, and deliver them to different CPU cores through the hardware distribution engine.
The normal packets are forwarded according to the destination address. At the same time, they search for the source address route in the reverse direction. After they judge that the ingress is consistent, they are forwarded normally.
The source address of the attack packets has no route, or the ingress is incorrect. They are discarded.
Defense against the source spoofing and distributed types of attacks.

VPN Service Isolation
Diagram labels: CE; PE; VPN1 Data service; VPN2 Voice; VPN3 Video; VPN4 Other services
The SR66 hardware distribution engine automatically identifies the MPLS packets, and distributes evenly the traffic to different hardware CPU threads. The CPU threads operate in parallel and perform priority mapping. During packet transfer, multiple CPU threads perform QoS guarantee.
Identify different services on the PE equipment, differentiate voice/video real-time services and the data services and encapsulate them to the VPN. In that way, the secure isolation of different services is implemented.
The MPLS VPN is applied to carry multiple services to ensure security of the services on the network.
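The strict reverse-path check described on the URPF Secure Forwarding slide above can be sketched as follows; this is an added example, not H3C code. It uses the two route entries shown on that slide and assumes /24 masks, that 202.98.3.5 is the source and 10.10.87.3 the destination, and constructed ingress interfaces for the sample packets; all function names are hypothetical. The loose mode goes beyond the slide to show what is lost when only source reachability is checked.

```python
"""Strict and loose uRPF (unicast reverse path forwarding) over a small FIB."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    egress: str


def make_route(prefix, next_hop, egress):
    """Build a Route from strings (helper for this example)."""
    return Route(ipaddress.ip_network(prefix), next_hop, egress)


# Route entries from the slide. The /24 masks are an assumption: the slide
# lists only the network addresses.
FIB = [
    make_route("202.98.3.0/24", "202.93.3.1", "POS3/0/1"),
    make_route("10.10.87.0/24", "10.10.87.0", "GE2/0/1"),
]


def lookup(fib, addr):
    """Longest-prefix match; returns None when no entry covers addr."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in fib if ip in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_check(fib, src, ingress, strict=True):
    """Reverse lookup on the source address.

    Strict mode: the best route back to the source must leave through the
    interface the packet arrived on. Loose mode: any route to the source
    is enough, so only unroutable sources are caught.
    """
    reverse = lookup(fib, src)
    if reverse is None:
        return False, "no route to source"
    if strict and reverse.egress != ingress:
        return False, "ingress mismatch: source is reached via " + reverse.egress
    return True, "reverse path consistent"


def forward(fib, src, dst, ingress, strict=True):
    """Return ("forward", egress) or ("drop", reason) for one packet."""
    ok, reason = urpf_check(fib, src, ingress, strict)
    if not ok:
        return "drop", reason
    route = lookup(fib, dst)
    if route is None:
        return "drop", "no route to destination"
    return "forward", route.egress


# Constructed sample packets: (description, source, destination, ingress).
SAMPLES = [
    ("normal packet", "202.98.3.5", "10.10.87.3", "POS3/0/1"),
    ("spoofed source, wrong ingress", "202.98.3.5", "10.10.87.3", "POS3/1/0"),
    ("random source, no route", "198.51.100.7", "10.10.87.3", "POS3/0/1"),
]


def run_samples(strict=True):
    """Verdict per sample packet, in SAMPLES order."""
    return [forward(FIB, s, d, i, strict)[0] for _, s, d, i in SAMPLES]


if __name__ == "__main__":
    for (name, src, dst, ingress) in SAMPLES:
        print(name, "->", forward(FIB, src, dst, ingress))
```

In loose mode the second sample is forwarded, because the spoofed source is routable even though it arrived on the wrong interface; strict mode is what implements the "ingress is consistent" test from the slide.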
MPLS VPN can provide security protection equivalent to the level of dedicated line.
Fully support the L2/L3 VPN services

Built-in 10G Hardware Encryption Engine of SR66
Diagram labels: Main CPU system; PCI Bridge; SR66 hardware encryption engine; Load balancing engine; IPSec Engine; Encryption core (four); RSA core
Hardware encryption engine of SR66 security features
• 10G encryption engine embedded in the multi-core
• 4 encryption cores + 1 RSA core
• The load balancing engine ensures the parallel operation of the cores.
• Support DES/3DES/AES and other mainstream algorithms.
• Support SHA/MD5 authentication.
• Support CRC check and RSA Key hardware escalation.
Security feature hardware architecture of the traditional CPU router
• Pure CPU calculation and poor performance
• IPSEC escalation card of the PCI interface offers low performance.

Conventional Upgrade of IP VPN
Diagram labels: Enterprise headquarters; SR66; LNS; AR46; LAC + NAT; PPPoE; SOHO; PSTN/ISDN; Mobile user; Branch; L2TP+IPSec+Nat; GRE+IPSec+Nat
• Hardware encryption does not affect forwarding. With multi-core encryption and parallel operation of the internal cores, the encryption throughput of the service engine is sharply increased.
• Encryption and decryption adopt a distributed mode. The encryption capability of the whole system is sharply increased.
• The traditional VPNs can be stacked flexibly. GRE/L2tp/IPsec can be stacked to satisfy different networking requirements.

Perfect Fusion of IP VPN and MPLS VPN - VPE
Diagram labels: Headquarters server; Headquarters; VPN1; Branch; PE; SR66 PE; MPLS; Mobile user access via Modem; PSTN; NAS (LAC); Soho ADSL access; DSL; DSLAM; BAS (LAC); L2tp+IPSec Tunnel; GRE+IPSec Tunnel; supports L2tp and IPSec multiple instances
SR66 supports IPSec and L2tp multiple instances to fuse IP VPN and MPLS VPN perfectly.
The fast decryption of the encrypted IP VPN is performed through multi-core encryption and parallel processing of the internal cores. The hardware distribution engine distributes the traffic evenly to the CPUs and transfers in parallel the traffic to MPLS VPN.

Multi-Core Packet Filtering Firewall
Definition of packet filtering firewall
Some packets are allowed to pass according to a set of rules. At the same time, other packets are blocked. The rules can be formulated according to the address information of the network layer protocol (for example, IP) or the transmission layer information (for example, TCP header or UDP header).
Problems of single-core CPU packet filtering
• Packet filtering affects the operation of other services
• Low filtering performance due to the constraints of the CPU capability
SR66 multi-core packet filtering
• Multi-core parallel processing of packet filtering to improve the performance sharply
• The control plane does not process and filter data, which leads to stable management functions.
• The distributed packet filtering to improve the processing capability of the whole system sharply
Diagram labels: SR66 multi-core parallel packet filtering; Control plane; Hardware packet distribution engine; Packet filtering (one per service core); Encryption core

Multi-Core ASPF Application State Firewall
Diagram labels: SR66 multiple cores and parallel ASPF; Control plane; Hardware packet distribution engine; ASPF (one per service core)
SR66 ASPF state firewall
• Multi-core parallel processing of ASPF to offer sharp increase of performance
• The control plane does not process and filter data, which leads to stable management functions.
• Distributed ASPFs to improve the processing capability of the whole system sharply.
• The patented ASPF state machine technology guarantees the support of diverse network applications and the improvement of security.
• Support the state detection of multiple application protocols, including H323/MGCP/SIP/H248/RTSP/HWCC/ICMP/FTP/DNS/PPTP/NBT/ILS.
• Support the state detection of SMTP/HTTP/Java/ActiveX/SQL injection attacks
Diagram labels: SR66; LAN; User; Server; ASPF; Encryption core
• The externally initiated session by non user is rejected.
• The user initializes a session of the server.
• The follow-up data packets of the user session are allowed.
• The packets during communication monitoring dynamically establish and delete the access rules

Virtual Fragmentation and Reassembly Attack
Attack fragmentation can easily break the firewall.
Some of the attacks will fragment the packets and reassemble the packets at the destination to launch the attack. In that way, the firewall is broken.

Virtual Fragmentation and Reassembly Supported
Fragmentation reassembly against attack!
SR66 supports virtual fragmentation reassembly.
• Fast reassembly of the fragmented packets to guard against the attack on the firewall.
• Fast reassembly of the fragmented packets for the alg conversion of part of the applications.

Summary of Diverse Security Features
Make your network Secure!
SR66 uses the multi-core CPU to process services in parallel, and the embedded 10G hardware encrypted engine to provide diverse and powerful security features.
• Powerful VPN isolation
• High-speed IPSec VPN
• Encrypted IP VPN
• The access of IP VPN to MPLS VPN
• Packet filtering and state firewall
• Anti-attack virtual fragmentation reassembly

Multi-Core Distributed NAT
Key indexes of NAT gateway features
• 2M concurrent sessions
• Throughput of up to 4Gbps
NAT ALG capability: MSN, QQ, FTP, DNS, PPTP, SIP, NetBios, H323, ……
NAT service capability
• Support NAT/NAPT/internal server to support blacklist
• Support limit of connection number
• Support session log
• Support multiple instances
Diagram labels: Internet; SR66; NAT; Mail server; Web server; Public network address 202.10.88.2; Private network IP address 10.1.1.3; 10.1.1.4; 10.1.1.20
The session-based mode, parallel processing of NAT service by multi-core and multi-thread CPU, and distributed processing sharply improve the NAT processing capability of the whole system.
Adopt the port cyclical multiplexing mode. Meanwhile, automatically detect the quintuple conflict so that NAPT supports unlimited connections.

Multi-Core Distributed NetStream
When the traditional single-CPU processes NetStream, the CPU performance is the bottleneck. The larger the traffic is, the larger impact is caused on the performance. The 1:1 sampling causes 10% or less impact on the forwarding performance.
Diagram labels: DoS attack; Flood attack; LAN; NetStream V5/V8
During the forwarding, the traffic is evenly distributed on the threads of the multi-core CPU. The system performs parallel NetStream statistics. Load balancing leads to basically no impact on the forwarding performance. The parallel processing of NetStream is greatly improved.
With the fully distributed NetStream processing, the NetStream processing capability of the whole system is greatly improved.
OAP of SR66 Open Architecture
Diagram labels: OAP motherboard; Network traffic analysis module; SSL VPN; WAN optimization module; L4-L7 load balancing; WLAN controller; More… service module
SR66 can provide customized service modules on the Open Application Platform (OAP) based on the Open Application Architecture (OAA). The service capability can be expanded unlimitedly.

Summary of Service Aggregation
Service aggregation!
SR66 utilizes the multi-core CPU to process services in parallel. It also provides the open OAP architecture to offer more diverse services.
• Multi-core distributed NAT
• Multi-core distributed NetStream
• OAP platform

AR/MSR Compatible MIM Plug-in Card
What to do with the MIM card?
Diagram labels: AR28 router; MSR router; SR6608 router; SR6602 router
According to the design, the boards and cards of the SR66 series routers and those of the H3C AR28 and the MSR series routers are compatible. To perform an upgrade to the SR66 series routers, the original boards and cards can still be used. The combinations of the boards and cards are flexible. The user investment is effectively saved.

Implementation of High-Speed Services Without Adding Boards
Traditional high-end router
• Requirement 1: GRE. Independent GRE board should be added.
• Requirement 2: High-performance L2TP. Independent L2TP board should be added.
• Requirement 3: High-performance NAT. Independent NAT board should be added.
• Requirement 4: High-performance IPsec encryption. Independent encryption board should be added.
To implement the high-performance GRE tunnel, L2TP tunnel, NAT conversion and IPsec encryption, the traditional high-end router needs to add independent hardware boards. In that way, the user investment is increased.
Multi-core distributed SR66: supported without adding boards and cards!
• Requirement 1: High-performance GRE
• Requirement 2: High-performance L2TP
• Requirement 3: High-performance NAT
• Requirement 4: High-performance IPsec encryption
SR66 series routers adopt the parallel processing by the multi-core CPU and the encryption engine embedded in the boards. Without adding any boards, the SR66 routers can implement high-performance GRE tunnel, L2TP tunnel, NAT conversion and IPsec encryption. User investment is reduced sharply.

Command Line Switching POS 155M/622M Rate
Diagram labels: POS 155M interface board; POS 622M interface board; Command line switching between 155M and 622M
The interface speed of the POS interface board of the SR66 series routers can be configured through command lines and switched between 155M and 622M. In that way, the user investment is effectively reduced. The requirement that the extensive access speeds options are achieved with limited investment can be satisfied.

Implementation of IPv6 Smooth Upgrade Without Additional Investment
IPv6 feature key indexes
• Forwarding performance: Linear forwarding; Throughput of the whole system: 6Gbps
• Route table capacity: Larger than 100,000
• Number of IPv6 over IPv4 tunnels: 10000
• Number of NAT-PT sessions: 100,000 concurrent sessions
Diagram labels: Network management center; IPv4/IPv6 dual stack network; IPv4 access; IPv6 access; IPv6 backbone network; IPv4 network; IPv6 network; NAT-PT conversion; Tunnel access; SR6602; SR6608
The multi-core distributed system supports the IPv6 features in a full scale. The user does not need to add any investment to smoothly upgrade the network from IPv4 to IPv6.
• IPv6 protocol stack: ICMPv6, Path MTU, ND, automatic configuration and DNS Client
• IPv6 transitional technologies: dual stacks, NAT-PT, automatic tunneling, configuration tunnel, and 6to4 tunnel
• IPv6 routing protocols: BGP4+, IS-ISv6, OSPFv6 and RIPng

Summary of Investment Saving
Save your money!
With full consideration of the user requirements, SR66 provides a compatibility design of the architecture and future orientation of software features to save user investment substantively. AR/MSR compatible MIM card Command line switching POS 155M/622M rate No need to add investment in implementing IPv6 smooth upgrade No need to add boards to implement high-speed services www.h3c.com 58 Development Trends of High-End Routers H3C SR66 Open Multi-Core Router Technical Features of H3C SR66 Router (5S) Typical Cases of H3C SR66 www.h3c.com 59 Beijing Municipal Procuratorate S7506R Load balancing Municipal procuratorate LAN Firewall S8512 Municipal politics and law network Internet Network isolator Existing firewall Firewall of extranet SR8805 NE40-4 (Legacy) ASON Network of China Netcom (Beijing) Branch procuratorate WAN router SR6602 Branch procuratorate WAN router SR6602 100M firewall Intrusion detection system ASON Network of China Netcom (Beijing) Branch procuratorate WAN router SR6602 100M firewall Intrusion detection system Redundant disaster recovery center (placed in a branch procuratorate) SR8805 SR6602 100M firewall Intrusion detection system S7506R www.h3c.com 60 e-Administration Intranet of Jiaxing City District and county eadministration intranet Zhejiang eadministration intranet Zapu SR6608 Economic Development Zone Secpath F1000-S iMC intelligent management platform Secpath F1000-S Xlog log audit HA heartbeat cable S7506E Shitai Sanshuiwan S5600-50C S5600-50C Daoqian Street S5600-50C S7506E Hexi S5600-50C Ziyang Street IPS S5600-50C Internal access units in administration center building External access units of administration center www.h3c.com External access units of administration center Server zone 61 Heilongjiang Local Taxation Bureau Videoconference controller Videoconference terminal Access by provincial departments GE Provincial center Provincial central LAN Core switch Provincial core router SR8812 12*8M Transmission platform Videoconference 
terminal Core switch S7506 Core switch S7506 GE GE 8M 8M Provincial and prefectural core router SR6608 SR6608 Videoconference terminal SR6608 12 prefectural centers Transmission platform Videoconferen ce terminal S3100-26C 4M 4M FE 124 district and county centers Provincial and prefectural core router MSR30-16 MSR30-16 www.h3c.com S3100-26C Videoconference terminal FE MSR30-16 62 Five-Section Social Security System of Changzhou Business-related units Secpath F1000 Server farm E1 SDH E1 VPN access GE GE Secpath F1800 S7510E S7510E GE Hospitals, pharmacies, street social security sites, 97 medical units, 103 pharmacies and 1000 townships Secpath F1800 GE E1 SDH Social Security Building Access in the building FE S3600-28TP SR6608 (protection) SR6608 (working) E1 MSTP SDH SDH/VPN N*2M 100M ….. SR6608 AR4640 District and County Labor Security Information Center www.h3c.com ….. SR6608 AR4640 District and County Labor Security Information Center SR6608 AR4640 District and County Labor Security Information Center SR6608 AR4640 Business Handling Sites 63 No. 1 Middle School of Mudanjiang SR6608 Firewall S7500E S7500E E328 E352 E126 www.h3c.com E328 E126 E126 E126 64 IToIP Solutions Expert Hangzhou H3C Technologies Co., Ltd. www.h3c.com.cn