Open Multi-Core Router

-H3C SR66
Development Trends of High-end Routers
H3C SR66 Open Multi-Core Router
Technical Features of H3C SR66 Router (5S)
Typical Cases of H3C SR66
Requirement Analysis of High-End Routers


Communication data network
Foundation
• Information basic platform
• All units covered
• Improve office efficiency
• Improve enterprise competitiveness
Quality
• Quality network
• Delay-free voice transfer
• Smooth video images
Reliability
• Reliable network topology
• Reliable network equipment
• Reliable network link
Security
• Isolation of different service logics
• Defense against a variety of attacks
Service
• Localized services by original manufacturer
• Fast on-site support by original manufacturer
Advancement
• Advancement of products and technologies
• High expandability
• Satisfy the requirements of development in the coming few years
www.h3c.com
Development Trends of High-End Routers
Integration of being open and multi-service
Application
Service
Performance
Connection
Standardization => customization => open
Data and Internet access => Integration of 3 networks in 1 => Unified communication
Best effort => Carrier-class reliability of equipment => Carrier-class quality assurance of services
High-density narrowband convergence => Broadband and narrowband integrated convergence => Large-capacity broadband and narrowband convergence with services
1990s: Data sharing
2000: The Internet and bandwidth
Today: New applications and new services
Development Trends of High-end Routers
H3C SR66 Open Multi-Core Router
Technical Features of H3C SR66 Router (5S)
Typical Cases of H3C SR66
Product Positioning of H3C SR66 Router
10G
SR88
2.5G
The first ever multi-core
router in the industry!
SR6602
SR6608
GE
MSR 50
AR46
MSR 30
100M
AR28
MSR 20
AR18
Product Positioning
• Large enterprise convergence and access routers: finance and power industries
• Medium and small enterprise core routers: medium and small enterprises
• Community network edge convergence router: government community / resident community
• Campus network egress router: schools of higher education nationwide
Multi-Core Centralized Router SR6602
Multi-core compact design
High performance and strong services
• Multi-core multi-threaded processor
• Memory: 1GB; expansion to 2GB allowed
• High performance:
  – Packet forwarding rate: 4.5Mpps
  – IPSec encryption: > 3Gbps
• Fixed interface: 4 GE interfaces (optical and electrical combined)
• Flexible configuration: Intermix of HIM and MIM
• Built-in 1 CF card, and 1 CF card interface reserved
• The interface module supports hot swapping.
Multi-Core Distributed SR6608
Multi-core
Distributed
Strong service processing
High-speed and low-speed compatible
• High reliability
  – Distributed processing
  – Dual main control systems
  – Dual power supply design
  – All engines and modules support hot swapping.
• Configuration of multiple service engines
  – FIP-100 (high-performance CPU processor)
  – FIP-200 (multi-core multi-threaded processor)
• High performance
  – 100G backplane bandwidth
  – Forwarding performance: 18 Mpps
  – Support high-density cPOS linear convergence
Multi-Core Distributed Router SR6608
Figure labels: route engine (RPE-X1), service engine (FIP-200), service subcard (CL2P), power supply, fan.
Route Engine RPE-X1 of SR6608







• High-performance CPU: 1 GHz
• Memory: 1GB; expansion to 2GB allowed
• Console port
• Aux port
• GE management network port
• Built-in 1 CF card and 1 CF card interface reserved
• 1 Host USB interface and 1 Device USB interface
FIP Service Engine of SR6608
FIP-200
• Multi-core multi-threaded processor
• 1GB memory; expansion to 2GB allowed
• 2×GE (optical and electrical combined)
• 2×HIM/MIM compatible slot
• Forwarding performance: 4.5Mpps
• IPSec encryption performance: >3Gbps
FIP-100
• High-performance CPU processor
• 512MB memory; expansion to 2GB allowed
• 2×GE (optical and electrical combined)
• 4×MIM slot
• Forwarding performance: 800Kpps
• IPSec encryption performance: 500Mbps
High-Speed HIM Sub-Card of SR66
8GBE/4GBE
• 8/4 ports GE (electrical port)
• All 3-layer GE interfaces (routing interface)
CL2P/CL1P
• 2/1 port cPOS
• Each port supports 63 E1s or 84 T1s.
• Support channelization to DS0 (each port with a maximum of 512 DS0s)
Compatible MIM Sub-Card of SR66
2/4/8 SAE
8 E1
1 POS
2 GBE
Development Trends of High-End Routers
H3C SR66 Open Multi-Core Router
Technical Features of H3C SR66 Router (5S)
• Speed your Network
• Stable
• Security
• Service
• Save
Typical Cases of H3C SR66
First Application of Multi-Core CPU on Router
Figure: processor types compared by service capability (L3, L4, L7) and forwarding performance. Label in the figure: Ideal processor.
Universal CPU
• The flexible programming platform can adapt to different types of service processing.
• Lacks hardware acceleration capability
Multi-core CPU
• Standard C programming to adapt to different types of service processing
• Parallel hardware system, built-in hardware acceleration and encryption engine provide powerful service processing and security capability.
Network processor
• Dedicated hardware forwarding engine to provide extremely high forwarding performance
• Microcode-based programming, instruction space limit, weak service processing capability at layers 4 to 7
Embedded CPU
• Interface integration
• Limited packet processing and encryption capability
ASIC
• Interface integration
• Basic packet processing and hardware encryption capability
Sharp Improvement of Service Processing
Capability of SR66
Figure labels (SR66 multicore CPU):
• Route calculation, configuration management and table item delivery
• 8 cores to process services in parallel
• Firewall, IPSEC, NetStream, QoS (this group of labels is repeated seven times in the figure)
Description of Competitive Edge of CPU
Figure: a single-thread CPU compared with a CPU with 4 hardware threads (hardware thread 1 to hardware thread 4) on a time axis (t1, t2), showing CPU processing and memory access delay. Caption in the figure: Save time!
Sharp Improvement of Service Processing Capability of
SR66 Multi-Thread
Figure labels (SR66 multicore CPU): Firewall, IPSEC, NetStream, QoS.
Multiple hardware CPU threads
– 32 hardware threads
– Each CPU core with 4 hardware threads
Flexible scheduling mechanism, which satisfies different applications
– Rotation
– Priority
– Timeslot
32 threads process services in parallel!
The multi-core hardware structure and the software parallel processing provide all-round improvement of service performance.
Load Balancing of SR66 Multi-Core Hardware
Packet Distribution Engine
Figure labels: Rx; GE, CPOS and GE interfaces; packet distribution engine (a Parser and a Distributor per interface); fast messaging network; thread hardware load balancing; CPU thread 1, 2, 3 ... 31, 32.
SR66 multi-core hardware packet distribution engine
• The parser rules are flexible and diverse. They can be adjusted dynamically to achieve load balancing.
• TCAM is used to perform fast parallel matching of the table item features.
• The distributor is attached to the fast messaging network. It notifies the CPU core of the processing, which gives high efficiency and uses no CPU resources.
Efficient and Fast Hardware Collaboration Mechanism
Figure legend: Fast Messaging Network (FMN), multi-core CPU, CPU core, CPU hardware thread, site of messaging network.
Figure labels: fixed port, Slot 1, Slot 2, CPU-1 to CPU-8, 10G encryption engine.
• The FMN completes the fast communication between the cores of the multi-core CPU.
• It works at the same frequency as the CPU and uses no CPU resources.
• The main components are attached to the FMN sites. Communication is addressed down to the individual CPU hardware thread.
• Unique Credit mechanism to ensure unblocked communication
Powerful Hardware MP Capability
MP fragmentation processing of the traditional link layer
• Link layer fragmentation and reassembly rely fully on the CPU. The weaknesses are low efficiency, no way to improve the related performance, serious consumption of system resources, and impact on system performance.
Figure: numbered fragments (1 to 4) passing through the CPOS fragmentation processing engine of the multi-core system.
CPOS of SR66 supports hardware MP, greatly easing the pressure on the CPU and improving the MP performance.
• Each bundle supports 12 E1s/T1s.
• Support three sizes of MP packet fragmentation (128/256/512) and multiple sizes of reassembly.
• The whole system can implement the linear MP binding of up to 60 12E1s or 84 12T1s.
Powerful Convergent Capability
Broadband convergence key indexes
Convergent broadband user type
• Direct access of Ethernet optical fiber
• PPPoE
With the help of the AAA server, complete the authentication (PAP/CHAP), accounting and authorization
Access capability of broadband user
• The throughput of the whole system reaches 18Mpps.
• 32,000 concurrent PPP connections
• Provide 72 GEs
Figure labels: Internet, China Netcom, China Telecom, SR6608, S3526, AR28, AR46, GE, FE, MSTP, Internet café.
Narrowband convergence key indexes
Narrowband interface types of cPOS convergence
• DS0
• E1/T1
Narrowband interface density of cPOS convergence
• DS0: 4096
• E1: 756 (linear)
• T1: 800 (linear)
• The HIM GE card uses the 10G bus exclusively. The fixed GE uses the GE bus exclusively, without bandwidth bottleneck.
• The HIM CPOS card uses the 10G bus exclusively, without bandwidth bottleneck.
• The hardware packet distribution engine automatically identifies different Ethernet packet types. It distributes the packets of different flow features evenly to different CPU threads. The packets are processed concurrently. The throughput is greatly improved.
Summary of Hardware Speed Escalation
Speed your network!
Full scale upgrade of the hardware architecture
• First application of the multi-core multi-threaded CPU on router
• The FMN completes the fast communication between the cores of the multi-core CPU
• Packet distribution engine
• Strong convergence capability: each card uses the 10G bus exclusively.
The multi-core hardware structure and the software parallel processing provide all-round improvement of service performance.
Development Trends of High-End Routers
H3C SR66 Open Multi-Core Router
Technical Features of H3C SR66 Router (5S)
• Speed your Network
• Stable
• Security
• Service
• Save
Typical Cases of H3C SR66
All-Round Product Reliability
• Service reliability: separation of control and service, service processing isolation, and TE FRR
• Network reliability: non-stop forwarding, redundant gateway technology (VRRP), ECMP, dynamic route fast convergence, and BFD
• Link reliability: multi-link binding and IP Trunk
• Equipment reliability
  – Physical reliability: dual main control systems, dual power supplies; forwarding engine/sub-card/main control system/power supply/fan support hot swapping.
  – Software reliability: hot patching, host defense against attack, control plane speed limit, and management security
Highly Reliable Hardware Design
• Dual main control systems that support hot swapping
• All high- and low-speed daughter-cards support hot swapping.
• FIP-100/200, two service engines, support hot swapping.
• The fan frame supports hot swapping.
• Dual power supplies that support AC and DC as well as hot swapping
Highly Reliable Multi-Core Software Architecture
SR6602 software architecture
• CPU1 (control plane): system configuration management, route calculation, protocol state machine
• Delivery of service table items
• CPU2-8 (service plane): forward packets, NAT, packet filtering, QoS, encryption and decryption, GRE
SR6608 software architecture
• Main control system (route engine): system configuration management, route calculation, protocol state machine
• FIB delivery
• IO (service engine), CPU1 (control plane): system configuration management, route calculation, protocol state machine
• Delivery of service table items
• IO (service engine), CPU2-8 (service plane): forward packets, NAT, packet filtering, QoS, encryption and decryption, GRE
Design points
• Separation of control and service
• Separation of routing and service engines
• Different cores of the multi-core CPU work on different tasks, which suppresses service interference naturally.
Online Software Hot Patching Technology Supported
Figure labels: online loading; original program; patch code zone; code segment; original code segment; patch code; optimize. Replace the original code segment with the enhanced patch code segment.
The online patch technology provides flexible defect modification means to guarantee the reliable and continuous provisioning of network services.
• SR66 supports the software hot patching technology of the single-core CPU and the multi-core CPU.
• Without resetting the equipment, software bugs are fixed in the in-service state, or a small number of new features are added.
• A user command for switching the state of a patch unit is provided. The command helps the user to conveniently load/deactivate/operate/delete the patch unit.
IGP Route Fast Convergence Supported

• Real-time flooding and fast notification of the link state information
  Detect the link faults, and perform instant flooding and then calculation.
• Incremental SPF calculation (i-SPF)
  When a certain trunk in the SPF tree changes (down/up), SPF needs to calculate only the part of the tree impacted by the changed trunk. It is not necessary to re-calculate the routes.
• Partial Route Calculation (PRC)
  In the SPF tree, if only the leaves change, only the changed leaves need to be calculated. It is not necessary to re-calculate the routes.
• Intelligent timer
  According to the preset parameters, the time interval is changed dynamically using an exponential backoff algorithm, which resolves the conflict between frequent generation and long time intervals.
Test result: the fastest convergence time of an IS-IS route is less than 50ms. The convergence time of 10,000 IS-IS routes is 300ms.
Figure: convergence time (unit: second), before optimization and after optimization.
Uninterrupted Services During Working/Protection
Switching
Figure labels: main control board; backup control board; control; IPC; high-speed backplane; interface boards, each with a FIB. The protocol session is maintained. The original protocol session is switched.
SR66 main control switching detection mechanism
• Normal Hello (1s)
• Fault alarm: universal fast handshake (10ms)
During working/protection switching, the data forwarding and services between the two boards are uninterrupted.
All-Round Support of GR Features
Figure labels: main control system; backup main control system; high-speed backplane; FIB; neighbor routers.
• Notify the router to activate the GR feature.
• The session continues after switching, implementing stable restart.
• A short interruption does not require deletion of the route.
SR66 supports the GR features in a full scale, including GR for OSPF/IS-IS/BGP/LDP/RSVP.
The network stays stable during the working/protection switching. After the switching, the equipment quickly learns the network routes with the help of the neighbor router.
Fast Detection of Link Failure Supported: BFD
Figure labels: main control board; backup control board; interface boards; fault alarm; universal fast handshake (10ms); bidirectional forwarding detection.
• BFD: Bidirectional Forwarding Detection (IETF standard) is a technology for fast detection of node and link faults. The handshake time is 10ms by default and can be configured.
• BFD provides light-load, short-time detection. It can be used to provide real-time detection of any media and any protocol layer. The detection time and the overhead scope are wide.
• With BFD, fault detection can be performed on any type of channel between two systems, including the direct physical link, virtual circuit, tunnel, MPLS LSPs, multi-hop routing channel and indirect channel.
• The BFD detection result can be applied to IGP fast convergence and FRR.
• The BFD protocol has been extensively accepted and recognized in the industry. It has been deployed substantively in real applications.
Perfect Support of BFD by CPU
Figure labels: main control board 0 and main control board 1 (control processing core); service boards (control processing core, packet processing core, BFD processing core); system backplane.
• When BFD is applied, the multi-core CPU is put to use: part of the processing capability of one of the cores (for example, one thread) is used for BFD processing to reduce the load of the management control CPU core and ensure the security of the management CPU core. This measure also greatly improves the processing performance of the BFD service and other OAM services.
• SR66 supports BFD for BGP/IS-IS/OSPF/RSVP/VPLS PW/VRRP to implement the fast fault detection mechanism of the protocols. The fault detection time is less than 20ms.
• On the basis of BFD, SR66 supports IP FRR, TE FRR, LDP FRR and VPN FRR. The service switching time is less than 50ms.
All-Round Security Features to Ensure Equipment
Reliability and Security
Figure labels: Secure Comware route software system; route security; management security; service access security; forwarding security.
Features shown:
• Strict isolation of management and service planes
• Routing protocol MD5 authentication
• Filtering and speed limit of control information
• SSH
• Firewall
• RADIUS
• TACACS+
• SYSLOG
• URPF
• ASPF
• IPSec
• NQA
• Address binding
• IPS
• ARP speed limit
• Port speed limit
• Broadcasting/abnormal traffic suppression
Diverse security protocols and strict service access control greatly improve the reliability of the operation of the SR66 router.
Summary of High Stability
SR66 is designed with full orientation to carrier-class application. By taking advantage of the strong multi-core CPU service processing capabilities, SR66 provides all-round software and hardware reliability at the layers of equipment, link, network and service.
• Hardware supports the hot swapping of key components.
• The software architecture supports the separation of control and service.
• Hot patching
• ECMP
• VRRP
• BFD
• Support GR in a full scale
• Support FRR
• Control plane protection
Make your network Stable!
Development Trends of High-End Routers
H3C SR66 Open Multi-Core Router
Technical Features of H3C SR66 Router (5S)
• Speed your Network
• Stable
• Security
• Service
• Save
Typical Cases of H3C SR66
URPF Secure Forwarding Supported
Figure labels: two main control systems, each with CPU core 1 and CPU core 2; interfaces POS3/0/1, GE2/0/1, GE2/0/2, POS3/1/0.
Normal data packet: 202.98.3.5, 10.10.87.3, Data
Attack data packet: 202.98.3.5, 10.10.87.3, virus
Destination address    Next hop       Egress
202.98.3.0             202.93.3.1     POS3/0/1
10.10.87.0             10.10.87.0     GE2/0/1
……
• Multiple attack packets use the same destination and source addresses as the normal packets, or generate source addresses at random, and are delivered to different CPU cores through the hardware distribution engine.
• The normal packets are forwarded according to the destination address. At the same time, the route to the source address is looked up in the reverse direction. If the ingress is consistent, the packets are forwarded normally.
• If the source address of an attack packet has no route, or the ingress is incorrect, the packet is discarded.
• Defense against source spoofing and distributed types of attacks.
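The reverse-path check described on this slide, as an added Python example (not H3C code or Comware behaviour): a strict-mode check over the two FIB entries shown above, with drops counted per ingress interface so spoofing sources stand out. The /24 masks, the packet list and all function names are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# FIB entries from the slide. The /24 masks are an assumption: the slide
# lists only network addresses, next hops and egress interfaces.
FIB = [
    (ipaddress.ip_network("202.98.3.0/24"), "202.93.3.1", "POS3/0/1"),
    (ipaddress.ip_network("10.10.87.0/24"), "10.10.87.0", "GE2/0/1"),
]


def lookup(addr):
    """Longest-prefix match. Returns (network, next_hop, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [entry for entry in FIB if ip in entry[0]]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)


def urpf_strict(src, dst, ingress):
    """Strict uRPF: the route back to the source must exist and must point
    out of the interface the packet arrived on."""
    reverse = lookup(src)
    if reverse is None:
        return ("drop", "no route to source")
    if reverse[2] != ingress:
        return ("drop", "ingress mismatch")
    forward = lookup(dst)
    if forward is None:
        return ("drop", "no route to destination")
    return ("forward", forward[2])


# Constructed sample packets: (source, destination, ingress interface).
PACKETS = [
    ("10.10.87.3", "202.98.3.5", "GE2/0/1"),     # normal packet
    ("10.10.87.3", "202.98.3.5", "POS3/1/0"),    # same addresses, wrong ingress
    ("198.51.100.7", "202.98.3.5", "GE2/0/2"),   # random source, no route
    ("203.0.113.9", "202.98.3.5", "GE2/0/2"),    # random source, no route
    ("202.98.3.5", "10.10.87.3", "POS3/0/1"),    # normal return traffic
]


def run(packets):
    """Apply the check to each packet; count drops per (ingress, reason)."""
    verdicts = []
    drops = Counter()
    for src, dst, ingress in packets:
        verdict = urpf_strict(src, dst, ingress)
        verdicts.append(verdict)
        if verdict[0] == "drop":
            drops[(ingress, verdict[1])] += 1
    return verdicts, drops


if __name__ == "__main__":
    verdicts, drops = run(PACKETS)
    for packet, verdict in zip(PACKETS, verdicts):
        print(packet, "->", verdict)
    for (ingress, reason), count in drops.items():
        print(f"{ingress}: {count} dropped ({reason})")
```

A packet that spoofs another host inside the same prefix and arrives on the expected interface still passes this check, so uRPF narrows spoofing to the attached subnet rather than eliminating it.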
VPN Service Isolation
Figure labels: CE and PE routers; VPN1: data service; VPN2: voice; VPN3: video; VPN4: other services.
• The SR66 hardware distribution engine automatically identifies the MPLS packets, and distributes the traffic evenly to different hardware CPU threads.
• The CPU threads operate in parallel and perform priority mapping.
• During packet transfer, multiple CPU threads perform QoS guarantee.
• Identify different services on the PE equipment, differentiate voice/video real-time services and the data services and encapsulate them to the VPN. In that way, the secure isolation of different services is implemented.
• The MPLS VPN is applied to carry multiple services to ensure security of the services on the network. MPLS VPN can provide security protection equivalent to the level of dedicated line.
Fully support the L2/L3 VPN services
Built-in 10G Hardware Encryption Engine of SR66
Security feature hardware architecture of the traditional router
• Pure CPU calculation and poor performance
• The IPSEC acceleration card of the PCI interface offers low performance.
Figure labels: main CPU system; PCI bridge.
Hardware encryption engine of SR66 security features
• 10G encryption engine embedded in the multi-core CPU
• 4 encryption cores + 1 RSA core
• The load balancing engine ensures the parallel operation of the cores.
• Support DES/3DES/AES and other mainstream algorithms.
• Support SHA/MD5 authentication.
• Support CRC check and RSA Key hardware acceleration.
Figure labels: SR66 hardware encryption engine; load balancing engine; IPSec engine with four encryption cores and one RSA core.
Conventional Upgrade of IP VPN
Figure labels: L2TP+IPSec+Nat; GRE+IPSec+Nat; PPPoE; LAC + NAT; LNS; AR46; SR66; enterprise headquarters; branch; SOHO; mobile user; PSTN/ISDN.
• Hardware encryption does not affect forwarding.
• With multi-core encryption and parallel operation of the internal cores, the encryption throughput of the service engine is sharply increased.
• Encryption and decryption adopt a distributed mode. The encryption capability of the whole system is sharply increased.
• The traditional VPNs can be stacked flexibly. GRE/L2TP/IPsec can be stacked to satisfy different networking requirements.
Perfect Fusion of IP VPN and MPLS VPN - VPE
Figure labels: headquarters server, headquarters, branch and Soho sites (VPN1); PE routers; MPLS; SR66 PE (supports L2tp and IPSec multiple instances); mobile user access via modem over PSTN to NAS (LAC); DSL access via DSLAM to BAS (LAC); ADSL access; L2tp+IPSec tunnels; GRE+IPSec tunnel.
• SR66 supports IPSec and L2tp multiple instances to fuse IP VPN and MPLS VPN perfectly.
• The fast decryption of the encrypted IP VPN is performed through multi-core encryption and parallel processing of the internal cores.
• The hardware distribution engine distributes the traffic evenly to the CPUs and transfers the traffic in parallel to MPLS VPN.
Multi-Core Packet Filtering Firewall
Definition of packet filtering firewall
Some packets are allowed to pass according to a set of rules, while other packets are blocked. The rules can be formulated according to the address information of the network layer protocol (for example, IP) or the transport layer information (for example, TCP header or UDP header).
Problems of single-core CPU packet filtering
• Packet filtering affects the operation of other services
• Low filtering performance due to the constraints of the CPU capability
SR66 multi-core packet filtering
• Multi-core parallel processing of packet filtering to improve the performance sharply
• The control plane does not process and filter data, which leads to stable management functions.
• Distributed packet filtering to improve the processing capability of the whole system sharply
Figure labels (SR66 multi-core parallel packet filtering): hardware packet distribution engine; control plane; packet filtering cores; encryption core.
Multi-Core ASPF Application State Firewall
Figure labels (SR66 multiple cores and parallel ASPF): hardware packet distribution engine; control plane; ASPF cores; encryption core.
SR66 ASPF state firewall
• Multi-core parallel processing of ASPF to offer sharp increase of performance
• The control plane does not process and filter data, which leads to stable management functions.
• Distributed ASPFs to improve the processing capability of the whole system sharply.
• The patented ASPF state machine technology guarantees the support of diverse network applications and the improvement of security.
• Support the state detection of multiple application protocols, including H323/MGCP/SIP/H248/RTSP/HWCC/ICMP/FTP/DNS/PPTP/NBT/ILS.
• Support the state detection of SMTP/HTTP/Java/ActiveX/SQL injection attacks
Figure labels: user; LAN; SR66; server.
• The user initiates a session to the server.
• The follow-up data packets of the user session are allowed.
• An externally initiated session that does not come from the user is rejected.
• Access rules are established and deleted dynamically by monitoring the packets during communication.
Virtual Fragmentation and Reassembly Attack
Attack fragmentation can easily break the firewall.
Some attacks fragment the packets and reassemble them at the destination to launch the attack. In that way, the firewall is broken.
Virtual Fragmentation and Reassembly Supported
Fragmentation reassembly against attack!
SR66 supports virtual fragmentation reassembly.
• Fast reassembly of the fragmented packets to guard against the attack on the firewall.
• Fast reassembly of the fragmented packets for the ALG conversion of part of the applications.
Summary of Diverse Security Features
Make your network Secure!
SR66 uses the multi-core CPU to process services in parallel, and the embedded 10G hardware encryption engine to provide diverse and powerful security features.
• Powerful VPN isolation
• High-speed IPSec VPN
• Encrypted IP VPN
• The access of IP VPN to MPLS VPN
• Packet filtering and state firewall
• Anti-attack virtual fragmentation reassembly
Development Trends of High-End Routers
H3C SR66 Open Multi-Core Router
Technical Features of H3C SR66 Router (5S)
• Speed your Network
• Stable
• Security
• Service
• Save
Typical Cases of H3C SR66
Multi-Core Distributed NAT
Key indexes of NAT gateway features
• NAT service capability
  – 2M concurrent sessions
  – Throughput of up to 4Gbps
• NAT ALG capability
  – MSN, QQ, FTP, DNS, PPTP, SIP, NetBios, H323, ……
Figure labels: Internet; SR66 (NAT); mail server; web server; public network address 202.10.88.2; private network IP addresses 10.1.1.3, 10.1.1.4, 10.1.1.20.
• The session-based mode, parallel processing of NAT service by multi-core and multi-thread CPU, and distributed processing sharply improve the NAT processing capability of the whole system.
• Adopt the port cyclical multiplexing mode. Meanwhile, automatically detect the quintuple conflict so that NAPT supports unlimited connections.
• Support NAT/NAPT/internal server to support blacklist
• Support limit of connection number
• Support session log
• Support multiple instances
Multi-Core Distributed NetStream
• When a traditional single CPU processes NetStream, the CPU performance is the bottleneck. The larger the traffic is, the larger the impact on the performance.
The 1:1 sampling causes 10% or less impact on the forwarding performance.
Figure labels: LAN; NetStream V5/V8; DoS attack, flood attack, ……
• During the forwarding, the traffic is evenly distributed on the threads of the multi-core CPU. The system performs parallel NetStream statistics. Load balancing leads to basically no impact on the forwarding performance. The parallel processing of NetStream is greatly improved.
• With the fully distributed NetStream processing, the NetStream processing capability of the whole system is greatly improved.
OAP of SR66 Open Architecture
Figure labels: OAP motherboard; network traffic analysis module; WAN optimization module; … service module.
Services: network traffic analysis, SSL VPN, WAN optimization, L4-L7 load balancing, WLAN controller, more…
SR66 can provide customized service modules on the Open Application Platform (OAP) based on the Open Application Architecture (OAA). The service capability can be expanded unlimitedly.
Summary of Service Aggregation
Service aggregation!
SR66 utilizes the multi-core CPU to process services in parallel. It also provides the open OAP architecture to offer more diverse services.
• Multi-core distributed NAT
• Multi-core distributed NetStream
• OAP platform
Development Trends of High-End Routers
H3C SR66 Open Multi-Core Router
Technical Features of H3C SR66 Router (5S)
• Speed your Network
• Stable
• Security
• Service
• Save
Typical Cases of H3C SR66
AR/MSR Compatible MIM Plug-in Card
What to do with the MIM card?
AR28 router
SR6608 router
SR6602 router
MSR router
According to the design, the boards and cards of the SR66 series routers and those of the H3C AR28 and the MSR series routers are
compatible. To perform an upgrade to the SR66 series routers, the original boards and cards can still be used. The combinations of the boards
and cards are flexible. The user investment is effectively saved.
Implementation of High-Speed Services Without Adding
Boards
Traditional high-end router
• Requirement 1: GRE. Independent GRE board should be added.
• Requirement 2: High-performance L2TP. Independent L2TP board should be added.
• Requirement 3: High-performance NAT. Independent NAT board should be added.
• Requirement 4: High-performance IPsec encryption. Independent encryption board should be added.
To implement the high-performance GRE tunnel, L2TP tunnel, NAT conversion and IPsec encryption, the traditional high-end router needs to add independent hardware boards. In that way, the user investment is increased.
Multi-core distributed SR66
• Requirement 1: High-performance GRE
• Requirement 2: High-performance L2TP
• Requirement 3: High-performance NAT
• Requirement 4: High-performance IPsec encryption
Supported without adding boards and cards!
SR66 series routers adopt the parallel processing by the multi-core CPU and the encryption engine embedded in the boards. Without adding any boards, the SR66 routers can implement high-performance GRE tunnel, L2TP tunnel, NAT conversion and IPsec encryption. User investment is reduced sharply.
Command Line Switching POS 155M/622M Rate
Figure labels: POS 155M interface board; POS 622M interface board; command line switching between 155M and 622M.
The interface speed of the POS interface board of the SR66 series routers can be configured through command lines and switched between 155M and 622M. In that way, the user investment is effectively reduced. The requirement for a wide range of access speed options with limited investment can be satisfied.
Implementation of IPv6 Smooth Upgrade Without
Additional Investment
IPV6 feature key indexes
• Forwarding performance: linear forwarding; throughput of the whole system: 6Gbps
• Route table capacity: larger than 100,000
• Number of IPv6 over IPv4 tunnels: 10000
• Number of NAT-PT sessions: 100,000 concurrent sessions
Figure labels: network management center; IPv4/IPv6 dual stack network; IPv4 access; IPv6 access; SR6602; SR6608; IPv6 backbone network; IPv4 network; IPv6 network; NAT-PT conversion; tunnel access.
The multi-core distributed system supports the IPV6 features in a full scale. The user does not need to add any investment to smoothly upgrade the network from IPv4 to IPV6.
IPv6 protocol stack: ICMPv6, Path MTU, ND, automatic configuration and DNS Client
IPv6 transitional technologies: dual stacks, NAT-PT, automatic tunneling, configuration tunnel, and 6to4 tunnel
IPv6 routing protocols: BGP4+, IS-ISv6, OSPFv6 and RIPng
Summary of Investment Saving
Save your money!
With full consideration of the user requirements, SR66 provides a compatibility design of the architecture and future orientation
of software features to save user investment substantively.
AR/MSR compatible MIM card
Command line switching POS 155M/622M rate
No need to add investment in implementing IPv6 smooth upgrade
No need to add boards to implement high-speed services
Development Trends of High-End Routers
H3C SR66 Open Multi-Core Router
Technical Features of H3C SR66 Router (5S)
Typical Cases of H3C SR66
Beijing Municipal Procuratorate
S7506R
Load balancing
Municipal procuratorate LAN
Firewall
S8512
Municipal politics
and law network
Internet
Network isolator
Existing firewall
Firewall of extranet
SR8805
NE40-4 (Legacy)
ASON Network
of China
Netcom (Beijing)
Branch
procuratorate
WAN router
SR6602
Branch
procuratorate
WAN router
SR6602
100M firewall
Intrusion detection system
ASON Network
of China
Netcom (Beijing)
Branch
procuratorate
WAN router
SR6602
100M firewall
Intrusion detection system
Redundant disaster recovery center
(placed in a branch procuratorate)
SR8805
SR6602
100M firewall
Intrusion detection system
S7506R
e-Administration Intranet of Jiaxing City
District and county e-administration intranet
Zhejiang e-administration intranet
Zapu
SR6608
Economic Development
Zone
Secpath F1000-S
iMC intelligent management
platform
Secpath F1000-S
Xlog log audit
HA heartbeat cable
S7506E
Shitai
Sanshuiwan
S5600-50C
S5600-50C
Daoqian Street
S5600-50C
S7506E
Hexi
S5600-50C
Ziyang Street
IPS
S5600-50C
Internal access units
in administration
center building
External access units of
administration center
External access units of
administration center
Server zone
Heilongjiang Local Taxation Bureau
Videoconference
controller
Videoconference
terminal
Access by
provincial
departments
GE
Provincial center
Provincial
central LAN
Core switch
Provincial core router SR8812
12*8M
Transmission platform
Videoconference
terminal
Core switch S7506
Core switch
S7506
GE
GE
8M
8M
Provincial and prefectural core router SR6608
SR6608
Videoconference
terminal
SR6608
12 prefectural centers
Transmission platform
Videoconference terminal
S3100-26C
4M
4M
FE
124 district and county centers
Provincial and prefectural core router MSR30-16
MSR30-16
S3100-26C
Videoconference
terminal
FE
MSR30-16
Five-Section Social Security System of Changzhou
Business-related
units
Secpath F1000
Server farm
E1
SDH
E1
VPN access
GE
GE
Secpath F1800
S7510E
S7510E
GE
Hospitals, pharmacies, street social security sites,
97 medical units, 103 pharmacies and 1000 townships
Secpath F1800
GE
E1
SDH
Social Security Building
Access in the building
FE
S3600-28TP
SR6608
(protection)
SR6608
(working)
E1
MSTP
SDH
SDH/VPN
N*2M
100M
…..
SR6608
AR4640
District and County Labor
Security Information Center
…..
SR6608
AR4640
District and County Labor
Security Information Center
SR6608
AR4640
District and County Labor
Security Information Center
SR6608
AR4640
Business Handling
Sites
No. 1 Middle School of Mudanjiang
SR6608
Firewall
S7500E
S7500E
E328
E352
E126
E328
E126
E126
E126
IToIP Solutions Expert
Hangzhou H3C Technologies Co., Ltd.
www.h3c.com.cn