table of contents...system description h3c s5120-ei series ethernet switches chapter 1 product...

System Description H3C S5120-EI Series Ethernet Switches Table of Contents

i

Table of Contents

Chapter 1 Product Overview ........................................................................................................ 1-1 1.1 Preface ............................................................................................................................... 1-1 1.2 System Features ................................................................................................................ 1-2 1.3 Service Features ................................................................................................................ 1-4

Chapter 2 Hardware Description .................................................................................................. 2-1 2.1 S5120-28C-EI Ethernet Switch .......................................................................................... 2-1

2.1.1 Appearance ............................................................................................................. 2-1 2.1.2 Front Panel .............................................................................................................. 2-2 2.1.3 Rear Panel .............................................................................................................. 2-2 2.1.4 Power Supply System ............................................................................................. 2-2 2.1.5 Cooling System ....................................................................................................... 2-3 2.1.6 Description of S5120-28C-EI LEDs ........................................................................ 2-3 2.1.7 Description of Ports ................................................................................................. 2-6

2.2 S5120-52C-EI Ethernet Switch .......................................................................................... 2-7 2.2.1 Appearance ............................................................................................................. 2-7 2.2.2 Front Panel .............................................................................................................. 2-7 2.2.3 Rear Panel .............................................................................................................. 2-8 2.2.4 Power Supply System ............................................................................................. 2-8 2.2.5 Cooling System ....................................................................................................... 2-8 2.2.6 Description of S5120-52C-EI LEDs ........................................................................ 2-8 2.2.7 Description of Ports ................................................................................................. 2-8

2.3 S5120-28C-PWR-EI Ethernet Switch ................................................................................ 2-8 2.3.1 Appearance ............................................................................................................. 2-8 2.3.2 Front Panel .............................................................................................................. 2-9 2.3.3 Rear Panel .............................................................................................................. 2-9 2.3.4 Power Supply System ........................................................................................... 2-10 2.3.5 Cooling System ..................................................................................................... 2-10 2.3.6 Description of S5120-28C-PWR-EI LEDs ............................................................. 2-10 2.3.7 Description of Ports ............................................................................................... 2-13

2.4 S5120-52C-PWR-EI Ethernet Switch .............................................................................. 2-14 2.4.1 Appearance ........................................................................................................... 2-14 2.4.2 Front Panel ............................................................................................................ 2-14 2.4.3 Rear Panel ............................................................................................................ 2-15 2.4.4 Power Supply System ........................................................................................... 2-15 2.4.5 Cooling System ..................................................................................................... 2-15 2.4.6 Description of S5120-52C-PWR-EI LEDs ............................................................. 2-15 2.4.7 Description of Ports ............................................................................................... 2-15


ii

2.5 S5120-24P-EI Ethernet Switch ........................................................................................ 2-16 2.5.1 Appearance ........................................................................................................... 2-16 2.5.2 Front Panel ............................................................................................................ 2-16 2.5.3 Rear Panel ............................................................................................................ 2-17 2.5.4 Power Supply System ........................................................................................... 2-17 2.5.5 Cooling System ..................................................................................................... 2-17 2.5.6 Description of S5120-24P-EI LEDs ....................................................................... 2-17 2.5.7 Description of Ports ............................................................................................... 2-20

2.6 S5120-48P-EI Ethernet Switch ........................................................................................ 2-20 2.6.1 Appearance ........................................................................................................... 2-20 2.6.2 Front Panel ............................................................................................................ 2-20 2.6.3 Rear Panel ............................................................................................................ 2-21 2.6.4 Power Supply System ........................................................................................... 2-21 2.6.5 Cooling System ..................................................................................................... 2-21 2.6.6 Description of S5120-48P-EI LEDs ....................................................................... 2-21 2.6.7 Description of Ports ............................................................................................... 2-21

2.7 Optional Interface Modules .............................................................................................. 2-21 2.7.1 One-port 10 Gbps XFP Module............................................................................. 2-22 2.7.2 Dual-port 10GE XFP Module ................................................................................ 2-22 2.7.3 Dual-port 10GE CX4 Module for Short Haul ......................................................... 2-23 2.7.4 Dual-port 10 GE SFP+ Interface Module .............................................................. 2-23 2.7.5 Description of Extension Module LEDs ................................................................. 2-24

2.8 CX4 Cable ........................................................................................................................ 2-24 2.9 SFP+ Cable ..................................................................................................................... 2-25

Chapter 3 Software Features ........................................................................................................ 3-1 3.1 Basic Features ................................................................................................................... 3-1

3.1.1 Link Aggregation ..................................................................................................... 3-1 3.1.2 Traffic Control .......................................................................................................... 3-1 3.1.3 DLDP ....................................................................................................................... 3-1 3.1.4 Broadcast Storm Control ......................................................................................... 3-2 3.1.5 VLAN ....................................................................................................................... 3-2 3.1.6 GARP/GVRP ........................................................................................................... 3-4 3.1.7 QinQ ........................................................................................................................ 3-5

3.2 Network Protocol Features ................................................................................................ 3-7 3.2.1 ARP ......................................................................................................................... 3-7 3.2.2 DHCP .................................................................................................................... 3-10 3.2.3 UDP Helper ........................................................................................................... 3-12 3.2.4 DNS ....................................................................................................................... 3-12 3.2.5 OAM (802.3ah) ...................................................................................................... 3-13 3.2.6 Connectivity Fault Detection (802.1ag) ................................................................. 3-13

3.3 NTP .................................................................................................................................. 3-16 3.4 Routing Features ............................................................................................................. 3-16


iii

3.4.1 Static Route and Default Route............................................................................. 3-16 3.5 Multicast Features ........................................................................................................... 3-17

3.5.1 IGMP Snooping ..................................................................................................... 3-17 3.5.2 Multicast VLAN ...................................................................................................... 3-17

3.6 STP/RSTP/MSTP ............................................................................................................ 3-19 3.6.1 STP/RSTP ............................................................................................................. 3-19 3.6.2 MSTP .................................................................................................................... 3-20 3.6.3 STP Protection ...................................................................................................... 3-20

3.7 IPv6 Features................................................................................................................... 3-21 3.7.1 NDP ....................................................................................................................... 3-23 3.7.2 Introduction to IPv6 DNS ....................................................................................... 3-24 3.7.3 Ping IPv6 and Tracert IPv6 ................................................................................... 3-25 3.7.4 IPv6 Telnet ............................................................................................................ 3-25 3.7.5 IPv6 TFTP ............................................................................................................. 3-25

3.8 IPv6 Multicast Features ................................................................................................... 3-25 3.8.1 MLD Snooping ...................................................................................................... 3-25

3.9 QACL ............................................................................................................................... 3-26 3.9.1 Traffic Classification .............................................................................................. 3-26 3.9.2 Priority Marking ..................................................................................................... 3-26 3.9.3 Traffic Policing/Bandwidth Assurance ................................................................... 3-26 3.9.4 Traffic Statistics ..................................................................................................... 3-27 3.9.5 Traffic Mirroring ..................................................................................................... 3-27 3.9.6 Traffic Redirection ................................................................................................. 3-27 3.9.7 Port Mirroring......................................................................................................... 3-27 3.9.8 Queue Scheduling ................................................................................................. 3-27 3.9.9 User Profile............................................................................................................ 3-30

3.10 Centralized Management Features ............................................................................... 3-30 3.10.1 HGMP .................................................................................................................. 3-30

3.11 Security Features ........................................................................................................... 3-31 3.11.1 Terminal Access User Classification ................................................................... 3-31 3.11.2 SSH ..................................................................................................................... 3-32 3.11.3 Port Isolation ....................................................................................................... 3-32 3.11.4 IEEE 802.1x Authentication ................................................................................ 3-32 3.11.5 802.1x EAD Fast Deployment ............................................................................. 3-33 3.11.6 IP Source Guard ................................................................................................. 3-33 3.11.7 MAC address authentication ............................................................................... 3-34 3.11.8 MAC Address Learning Limit .............................................................................. 3-34 3.11.9 Binding of MAC Addresses to Ports .................................................................... 3-34 3.11.10 MAC Address Black Hole .................................................................................. 3-34 3.11.11 AAA/RADIUS/HWTACACS ............................................................................... 3-34

3.12 Reliability Features ........................................................................................................ 3-36 3.12.1 Smart Link ........................................................................................................... 3-36


iv

3.12.2 Monitor Link ......................................................................................................... 3-37 3.12.3 RRPP .................................................................................................................. 3-38

3.13 IRF ................................................................................................................................. 3-39 3.13.1 Physical Connections .......................................................................................... 3-39 3.13.2 Easy Management .............................................................................................. 3-40 3.13.3 Efficient Redundancy Backup ............................................................................. 3-41

Chapter 4 System Maintenance and Management ..................................................................... 4-1 4.1 Simple and Flexible Maintenance System ......................................................................... 4-1

4.1.1 System Configuration .............................................................................................. 4-1 4.1.2 System Maintenance ............................................................................................... 4-1 4.1.3 System Test and Diagnosis .................................................................................... 4-1 4.1.4 Software Upgrade ................................................................................................... 4-1

4.2 iMC NMS ............................................................................................................................ 4-2 4.2.1 Topology Management ........................................................................................... 4-2 4.2.2 Configuration Management ..................................................................................... 4-2 4.2.3 Fault Management .................................................................................................. 4-2 4.2.4 Performance Management ...................................................................................... 4-2 4.2.5 Security Management ............................................................................................. 4-3

4.3 Web-Based Network Management .................................................................................... 4-3

Chapter 5 Networking Applications............................................................................................. 5-1

Chapter 6 Guide to Purchase ....................................................................................................... 6-1 6.1 Purchasing the S5120-EI Series........................................................................................ 6-1 6.2 Supported Interface Modules ............................................................................................. 6-1 6.3 Purchasing SFP Modules .................................................................................................. 6-2 6.4 Purchasing XFP Optical Modules ...................................................................................... 6-3 6.5 Purchasing the Short-haul 2-port 10-GE CX4 Module ...................................................... 6-3 6.6 Purchasing the SFP+ Transceivers and SFP+ Cables ..................................................... 6-4

System Description H3C S5120-EI Series Ethernet Switches Chapter 1 Product Overview

H3C Proprietary

1-1

Chapter 1 Product Overview

1.1 Preface

H3C S5120-EI Series Ethernet Switches (hereinafter referred to as the S5120-EI series) are Gigabit Ethernet switching products developed by Hangzhou H3C Technology Co., Ltd. The S5120-EI series have abundant service features. They provide the IPv6 forwarding function and 10GE uplink interfaces (only S5120-C-EI series switches support). Through H3C-specific cluster management, you can streamline network management. The S5120-EI series are designed as access devices for intranets and metropolitan area networks (MANs).

The S5120-C-EI series switches support the Intelligent Resilient Framework (IRF) technology. You can connect multiple S5120-C-EI switches through 10 GE ports to form a logical entity, thus to establish a new intelligent network with high reliability, expandability and manageability.

The S5120-EI series include the following models:

S5120-28C-EI

S5120-52C-EI

S5120-28C-PWR-EI

S5120-52C-PWR-EI

S5120-24P-EI

S5120-48P-EI

The feature-rich S5120-EI series support the following services:

Broadband Internet access Access of MAN and intranet users Multimedia services, such as VOD Delay-sensitive voice services, such as VoIP Enhanced multicast, providing audio/video services over IPv4/IPv6 multicast

The S5120-EI series feature the following advantages:

Provides full-Gigabit access ports Provides 10GE uplink ports(only S5120-C-EI series switches support) Supports jumbo frames Supports port security Supports Link Aggregation Control Protocol (LACP) Supports 4K VLANs Supports IPv4/IPv6 dual-stack and hardware forwarding


H3C Proprietary

1-2

Supports abundant QoS/ACL functions Supports QinQ Supports port- and flow-based mirroring Supports RSPAN Supports IRF (only S5120-C-EI series switches support)

1.2 System Features

Table 1-1 System features of the S5120-EI series

Item S5120-28C-EI

S5120-52C-EI

S5120-28C-PWR-EI

S5120-52C-PWR-EI

S5120-24P-EI

S5120-48P-EI

Dimensions (height × width × depth)

440 × 300 × 43.6 mm (17.3 × 11.8 × 1.7 in.)

440 × 420 × 43.6 mm (17.3 × 16.5 × 1.7 in.)

440 × 300 × 43.6 mm (17.3 × 11.8 × 1.7 in.)

Weight <4.5 kg (9.9 lb.)

<5 kg (11.0 lb.)

<7 kg (15.4 lb.)

<7.5 kg (16.5 lb.)

<4.5 kg (9.9 lb.)

<5 kg (11.0 lb.)

Console port One Console port

GE ports on the front panel

24 10/100/1,000 M electrical ports 4 Gigabit SFP Combo ports


24 10/100/1,00 0M electrical ports 4 Gigabit SFP Combo ports




Optional modules

One-port 10 GE XFP interface module Dual-port 10 GE XFP interface module Short-haul dual-port 10GE CX4 interface module Dual-port 10 GE SFP+ interface module

Not supported

Voltage

AC Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz Input voltage: 90 VAC to 264 VAC, 47 Hz to 63 Hz

DC Rated voltage range: 10.8 VDC to 13.2 VDC

Rated voltage range: -52 VDC to 55 VDC

Rated voltage range: 10.8 VDC to 13.2 VDC


H3C Proprietary

1-3

Item S5120-28C-EI

S5120-52C-EI

S5120-28C-PWR-EI

S5120-52C-PWR-EI

S5120-24P-EI

S5120-48P-EI

Power consumption

36 W 55 W 55 W 78 W 35 W 54 W

Power consumption (full configuration)

103 W 145 W

495 W, with 125 W of system power consumption and 370 W of PoE power

550 W when RPS is not connected, with 180 W of system power consumption and 370 W of PoE power 920 W when RPS is connected, with 180 W of system power consumption and 740 W of PoE power

62 W 110 W

Operating temperature

0°C to 45°C (32 °F to 113 °F)

Relative humidity (noncondensing)

10% to 90%

Table 1-2 Correspondence between Combo SFP ports and electrical ports

Model Combo SFP port Corresponding electrical port

S5120-28C-EI S5120-28C-PWR-EI S5120-24P-EI

25 22

26 24

27 21

28 23

S5120-52C-EI S5120-52C-PWR-EI

49 46

50 48


H3C Proprietary

1-4

Model Combo SFP port Corresponding electrical port

S5120-48P-EI 51 45

52 47

Note:

Any of the four Combo ports and its corresponding 10/100/1000Base-T autosensing Ethernet port cannot be used at the same time

1.3 Service Features

The S5120-EI series feature the following advantages:

Table 1-3 Service features of the S5120-EI series

Feature S5120-28C-EI

S5120-52C-EI

S5120-28C-PWR

-EI S5120-52C-PWR-EI

S5120-24P-EI

S5120-48P-EI

Wire speed L2 switching

Switching capacity (Full duplex)

128 Gbps

176 Gbps

128 Gbps 176 Gbps 48 Gbps 96 Gbps

Packet forwarding rate

95.2 Mpps

130.9 Mpps

95.2 Mpps

130.9 Mpps

35.7 Mpps 71.4 Mpps

Power over Ethernet Not supported Supported Not supported

Link aggregation

Aggregation of GE ports Aggregation of 10GE ports (S5120-24P-EI and S5120-48P-EI do not support) Dynamic link aggregation Static link aggregation Supports up to 128 aggregation groups, each supporting up to eight GE ports or four 10GE ports


H3C Proprietary

1-5


S5120-52C-EI

S5120-28C-PWR


S5120-24P-EI

S5120-48P-EI

Flow control IEEE 802.3x flow control and back pressure

Jumbo Frame Supports maximum frame size of 9 KB

MAC address table

16K MAC addresses 1024 static MAC addresses Blackhole MAC addresses MAC address learning limit on a port

VLAN

Port-based VLANs (4,094 VLANs) QinQ and selective QinQ Voice VLAN Protocol-based VLANs GVRP MAC-based VLANs IP subnet-based VLANs

ARP

256 entries 256 static entries Gratuitous ARP Standard proxy ARP and local proxy ARP ARP Detection

ND 256 entries 256 static entries

VLAN virtual interface

8

DHCP DHCP Client DHCP Snooping DHCP Relay

UDP Helper UDP Helper

DNS Dynamic domain name resolution Dynamic domain name resolution client IPv4/IPv6 addresses

IPv4 route 32 static routes

IPv6 route 32 static routes


H3C Proprietary

1-6


S5120-52C-EI

S5120-28C-PWR


S5120-24P-EI

S5120-48P-EI

IPv4 multicast

IGMP (Internet Group Management Protocol) Snooping v1/v2/v3 Multicast VLAN 1024 multicast groups Unknown multicast packets dropping

IPv6 multicast

MLD Snooping v1/v2 IPv6 multicast VLAN 1024 multicast groups

Broadcast/multicast/unicast storm control

Storm control based on port rate percentage PPS-based storm control

MSTP

MSTP protocol 16 instances STP Root Guard BPDU Guard

RRPP RRPP protocol Multi-instance RRPP

Smart link Up to 26 groups supported

Monitor link Supported

QoS/ACL

Restriction of the rates at which a port sends and receives packets, with a granularity of 64 kbps. Packet redirection Committed access rate (CAR), with a granularity of traffic limit 64 kbps. Eight output queues for each port Flexible queue scheduling algorithms based on port and queue, including strict priority (SP), weighted round robin (WRR), and SP + WRR. Remarking of 802.1p and DSCP priorities Packet filtering at L2 (Layer 2) through L4 (Layer 4); flow classification based on source MAC address, destination MAC address, source IP (IPv4/IPv6) address, destination IP (IPv4/IPv6) address, port, protocol, and VLAN. Time range

Mirroring Traffic mirroring Port mirroring

Remote mirroring Remote port mirroring


H3C Proprietary

1-7


S5120-52C-EI

S5120-28C-PWR


S5120-24P-EI

S5120-48P-EI

Security

Hierarchical management and password protection of users AAA authentication RADIUS authentication HWTACACS+ SSH 2.0 Port isolation Port security Centralized MAC address authentication IP-MAC-port binding IP Source Guard Https SSL PKI ( Public Key Infrastructure ) EAD

802.1X

Up to 1,024 users Port-based and MAC address–based authentication Guest VLAN Trunk port authentication Dynamic assignment of QoS/ACL/VLAN based on 802.1X

Loading and upgrading

Loading and upgrading through XModem protocol Loading and upgrading through FTP Loading and upgrading through the trivial file transfer protocol (TFTP)

Management

Configuration through CLI Remote configuration through Telnet Configuration through Console port Simple network management protocol (SNMP) Remote monitoring (RMON) alarm, event and history recording iMC NMS Web-based network management System log Hierarchical alarms Huawei group management protocol (HGMP) V2 NTP Power supply alarm function Fan and temperature alarms IRF( only supported by S5120-C-EI series switches)


H3C Proprietary

1-8


S5120-52C-EI

S5120-28C-PWR


S5120-24P-EI

S5120-48P-EI

Maintenance

Debugging information output Ping and Tracert NQA Track Remote maintenance through Telnet Virtual cable test 802.1ag 802.3ah DLDP

System Description H3C S5120-EI Series Ethernet Switches Chapter 2 Hardware Description

H3C Proprietary

2-1

Chapter 2 Hardware Description

2.1 S5120-28C-EI Ethernet Switch

2.1.1 Appearance

S5120-28C-EI Ethernet switch provides 24 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S5120-28C-EI Ethernet switch.

Figure 2-1 Appearance of S5120-28C-EI Ethernet switch

Note:

A Combo port is defined as follows: an SFP Combo electrical port and its corresponding 10/100/1000BASE-T Ethernet port logically provide optoelectronic multiplexing function. Users can select either to meet the networking requirement, but the two ports cannot work at the same time.


H3C Proprietary

2-2

2.1.2 Front Panel

(1)

(8)(9)(10)(11)

(2) (3) (4) (5) (6) (7)

(12) (1): 10/100/1000 Base-T auto-sensing Ethernet port

(2): 10/100/1000 Base-T auto-sensing Ethernet port status LED

(3): 1000 Base-X SFP port (4): 1000Base-X SFP port status LED (5): Console port (6): Seven-segment LED (7): Port mode LED (Mode) (8): System LED (PWR) (9): RPS status LED (RPS) (10): Interface module 1 status LED (MOD1) (11): Interface module 2 status LED (MOD2) (12): Port status LED mode switching button

Figure 2-2 Front panel of S5120-28C-EI Ethernet switch

2.1.3 Rear Panel

(1) (2) (3) (4) (5)

(1): AC power input (2): RPS power input (shipped with a filler panel) (3): Grounding screw (4): Interface module slot 1 (MOD1) (5): Interface module slot 2 (MOD2)

Figure 2-3 Rear panel of S5120-28C-EI Ethernet switch

2.1.4 Power Supply System

S5120-28C-EI Ethernet switch supports the use of AC input and RPS 12 V input, the use of both AC and DC inputs (one as backup for the other) at the same time and AC power input alone. RPS DC input can use the RPS power supply recommended by H3C only.

AC input:

Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz

Input voltage: 90 VAC to 264 VAC, 47 Hz to 63 Hz

RPS (DC) input:

Rated voltage: 10.8 V to 13.2 V


H3C Proprietary

2-3

2.1.5 Cooling System

S5120-28C-EI Ethernet switch provides four fans for heat dissipation.

2.1.6 Description of S5120-28C-EI LEDs

The LEDs on the front panels of the S5120-28C-EI switches can help you monitor the running status of the switches. Table 2-1 describes the LEDs. You can use the “Mode” button on the panel to switch the LED display mode between rate mode and duplex mode.

Table 2-1 Description of S5120-28C-EI LEDs

LED Mark State Description

Mode LED Mode

Rate mode

Green, ON

The port LED is indicating rate mode

Duplex mode

Yellow, ON

The port LED is indicating duplex mode

Power LED PWR

Green, ON The switch has been normally started

Green, blinking (1 Hz)

The system is performing POST

Red, ON POST fails because a fault occurs

Yellow, blinking (1 Hz)

Some ports fail in POST because the function fails

OFF The switch has been powered off

DC power LED RPS

Green, ON The AC input is normal, and the RPS is in the position or works normally.

Yellow, ON RPS input is normal, but AC input fails or AC input is not connected.

OFF RPS is not connected.

Module LED Module (MOD)

Green, ON The module is in position and working normally

Yellow, blinking Not supported or the module fails

OFF This module is not installed


H3C Proprietary

2-4


Seven-segment Nixie display Unit

In POST

The power LED is green and blinking

The nixie display indicates the number of the ongoing self test item

POST has failed

The power LED is red and blinking

The nixie display indicates the number of the self test item failed in POST

Loading software


The short bars are lit up one by one clockwise while the software is being loaded

Fan failure

The power LED is red and on

The nixie display shows an “F”

Over-temperature alarm


The nixie display shows a “t”

Status of the switch in a cluster or its member ID in an IRF stack

The power LED is solid green

If no stack ports are configured and the cluster feature is enabled, the LED displays status of the switch in a cluster; otherwise, the LED displays the member ID of the switch in a stack. The status of a switch in a cluster can be one of the following: C (upper case) for a command switch S for a member switch c (lower case) for a candidate switch. The following are member IDs that can be displayed:


H3C Proprietary

2-5


10/100/1000BASE-T port LED

Rate mode

Green The port is blinking when it is receiving or sending data at 1,000 M

Yellow The port is blinking when it is receiving or sending data at 10/100 M


Port POST has failed

OFF The port is not connected

Duplex mode

Green The port is blinking when it is receiving or sending data in the full duplex mode

Yellow The port is blinking when it is receiving or sending data in the half duplex mode




1000Base SFP port LED

Rate mode





Duplex mode






H3C Proprietary

2-6

2.1.7 Description of Ports

I. Console ports

The S5120-EI series switches provide a console port that satisfies the EIA/TIA-232 asynchronous specification. Through the console port, you can perform local or remote configuration.

Table 2-2 Attributes of the console port

Item Description

Connector RJ-45

Interface standard EIA/TIA-232

Baud rate 9600 bps (default)

Supported services

Connection with a character terminal Connection with a serial port of a local terminal (it can be a PC) or a remote terminal (it needs a pair of modems), which runs a terminal simulator.

II. Attributes of Gigabit Ethernet ports

Table 2-3 Attributes of Gigabit Ethernet ports

Item Description

Connector RJ-45

Number of ports 24/48

Port specifications

10 M, half duplex/full duplex 100 M, half duplex/full duplex 1,000 M, full duplex MDI/MDI-X autosensing

Standard IEEE802.3i , IEEE 802.3u, IEEE802.3ab

Medium and transmission distance Category-5 unshielded twisted pairs. The maximum transmission distance is 100 m (328.1 ft)

III. Attributes of Gigabit SFP Combo ports

The S5120-EI series provide four SFP Combo ports on the front panel. You can configure the number of ports or port types freely.

Hot-swapping feature and flexible configuration method increases networking flexibility.

You can select the SFP modules in Table 6-2 based on your requirements.


H3C Proprietary

2-7

Note:

The types of the Gigabit SFP modules may change. If you need accurate module type information, please consult H3C marketing engineers or technical support engineers.

2.2 S5120-52C-EI Ethernet Switch

2.2.1 Appearance

An S5120-52C-EI Ethernet switch provides 48 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S5120-52C-EI Ethernet switch.

Figure 2-4 Appearance of S5120-52C-EI Ethernet switch

2.2.2 Front Panel

(1) (2) (3) (4) (5)

(6)(7)(8)(9)(10)(11)(12)

(1): 10/100/1000 Base-T auto-sensing Ethernet port


(3): Console port (4): Seven-segment LED (5): Port mode LED (Mode) (6): System LED (PWR) (7): RPS status LED (RPS) (8): Interface module 1 status LED (MOD1) (9): Interface module 2 status LED (MOD2) (10): Port status LED mode switching button (11): 1000 Base-X SFP port (12): 1000Base-X SFP port status LED

Figure 2-5 Front panel of S5120-52C-EI Ethernet switch


H3C Proprietary

2-8

2.2.3 Rear Panel

(1) (2) (3) (4) (5)

(1): AC power input (2): RPS power input (shipped with a filler panel) (3): Grounding screw (4): Interface module slot 1 (MOD1) (5): Interface module slot 2 (MOD2)

Figure 2-6 Rear panel of S5120-52C-EI Ethernet switch


S5120-52C-EI Ethernet switch supports the use of AC and RPS 12 V inputs, the use of both AC and DC inputs (one as backup for the other) at the same time and AC power input alone. RPS DC input can use the RPS power supply recommended by H3C only.

AC input:



RPS (DC) input:



S5120-52C-EI Ethernet switch provides four fans for heat dissipation.

2.2.6 Description of S5120-52C-EI LEDs

LED description of S5120-52C-EI and S5120-28C-EI is the same. See Table 2-1.


For port description of the S5120-EI series, see 2.1.7 “Description of Ports”.

2.3 S5120-28C-PWR-EI Ethernet Switch

2.3.1 Appearance

S5120-28C-PWR-EI Ethernet switch provides 24 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC


H3C Proprietary

2-9

power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S5120-28C-PWR-EI Ethernet switch.

Figure 2-7 Appearance of S5120-28C-PWR-EI Ethernet switch

2.3.2 Front Panel

(1)

(8)(9)(10)(11)

(2) (3) (4) (5) (6) (7)

(12) (1): 10/100/1000 Base-T auto-sensing Ethernet port


(3): 1000 Base-X SFP port (4): 1000Base-X SFP port status LED (5): Console port (6): Seven-segment LED (7): Port mode LED (Mode) (8): System LED (PWR) (9): RPS status LED (RPS) (10): Interface module 1 status LED (MOD1) (11): Interface module 2 status LED (MOD2) (12): Port status LED mode switching button

Figure 2-8 Front panel of S5120-28C-PWR-EI Ethernet switch

2.3.3 Rear Panel

(1) (2) (3) (4) (5)

(1): RPS power input (2): AC power input (3): Grounding screw (4): Interface module slot 1 (MOD1) (5): Interface module slot 2 (MOD2)

Figure 2-9 Rear panel of S5120-28C-PWR-EI Ethernet switch


H3C Proprietary

2-10


S5120-28C-PWR-EI Ethernet switch supports the use of both AC and DC inputs (one as backup for the other) at the same time, and AC power input or DC power input alone.

AC input:



The S5120-28C-PWR-EI switch can use only the PoE external power supply recommended by H3C as the AC power supply. Do not use 48 VAC power in the equipment room; otherwise the switch may be damaged.

RPS DC input:

Voltage range: -52 V to -55 V


S5120-28C-PWR-EI Ethernet switch provides six fans for heat dissipation, and three of them are for power supply dissipation.

2.3.6 Description of S5120-28C-PWR-EI LEDs

The LEDs on the front panels of the S5120-28C-PWR-EI switches can help you monitor the running status of the switches. Table 2-4 describes the LEDs. You can use the “Mode” button on the panel to switch the LED display mode between rate mode, duplex mode and PoE mode.

Table 2-4 Description of S5120-28C-PWR-EI LEDs


Mode LED Mode

Rate mode Green, ON


Duplex mode Yellow, ON


PoE mode


The port LED is indicating PoE state

Power LED PWR


Green, blinking (1 Hz) The system is performing POST

Red, ON POST fails and a fault occurs


H3C Proprietary

2-11


Yellow, blinking (1 Hz) POST on some ports fails and the ports are not available


DC power LED RPS

Green, ON Both AC and RPS inputs are normal


OFF RPS input is not normal

Module LED

Module (MOD)

Green, ON The module is in position and working normally

Yellow, blinking Not supported or the module fails

OFF This module is not installed


In POST



POST has failed



Loading software



Fan failure







H3C Proprietary

2-12


Status of the switch in a cluster or its member ID in an IRF stack

The power LED is solid green

If no stack ports are configured and the cluster feature is enabled, the LED displays status of the switch in a cluster; otherwise, the LED displays the member ID of the switch in a stack. The status of a switch in a cluster can be one of the following: C (upper case) for a command switch S for a member switch c (lower case) for a candidate switch. The following are member IDs that can be displayed:

PoE mode

The power LED is green and on

The nixie displays the utilization rate of the power supply

0 - 20%

21 - 40%

41 - 60%

61 - 80%

81 - 100%

10/100/1000BASE-T port mode LED

Rate mode






Duplex mode







H3C Proprietary

2-13


PoE mode

Green, ON

The port supplies power normally


The power consumption required by the external device exceeds the maximum power consumption that the port can provide. The total power consumption of the switch reaches the maximum power consumption. The port cannot provide power.

Yellow, ON

The device connected to the port is a non-PD device. This port cannot provide power to the connected device. PoE power supply fails. This port cannot provide power to the connected device.



OFF The port does not supply power

1000Base SFP port mode LED

Rate mode/ PoE mode





Duplex mode






For port description of the S5120-EI series, see section 2.1.7 “Description of ”. Ports


H3C Proprietary

2-14

2.4 S5120-52C-PWR-EI Ethernet Switch

2.4.1 Appearance

S5120-52C-PWR-EI Ethernet switch provides 48 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input, and two extension slots on the rear panel. The following figure describes the appearance of the S5120-52C-PWR-EI Ethernet switch.

Figure 2-10 Appearance of S5120-52C-PWR-EI Ethernet switch

2.4.2 Front Panel

(1) (2) (3) (4) (5)

(6)(7)(8)(9)(10)(11)(12)



(3): Console port (4): Seven-segment LED (5): Port mode LED (Mode) (6): System LED (PWR) (7): RPS status LED (RPS) (8): Interface module 1 status LED (MOD1) (9): Interface module 2 status LED (MOD2) (10): Port status LED mode switching button (11): 1000 Base-X SFP port (12): 1000Base-X SFP port status LED



H3C Proprietary

2-15

2.4.3 Rear Panel

(1) (2) (3) (4) (5)

(1): RPS power input (2): AC power input (3): Grounding screw (4): Interface module slot 1 (MOD1) (5): Interface module slot 2 (MOD2)



S5120-52C-PWR-EI Ethernet switch supports the use of both AC and DC inputs (one as backup for the other) at the same time, and AC power input or DC power input alone.

AC input:



The S5120-52C-PWR-EI switch can use only the PoE external power supply recommended by H3C as the AC power supply. Do not use 48 VAC power in the equipment room; otherwise the switch may be damaged.

RPS DC input:

Voltage range: -52 V to -55 V


S5120-52C-PWR-EI Ethernet switch provides six fans for heat dissipation, and three of them are for power supply dissipation.

2.4.6 Description of S5120-52C-PWR-EI LEDs

LED description of S5120-52C-PWR-EI and S5120-28C-PWR-EI is the same. See Table 2-4.


For port description of the S5120-EI series, see section 2.1.7 “Description of Ports”.


H3C Proprietary

2-16

2.5 S5120-24P-EI Ethernet Switch

2.5.1 Appearance

S5120-24P-EI Ethernet switch provides 24 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input. The following figure describes the appearance of the S5120-24P-EI Ethernet switch.

Figure 2-13 Appearance of S5120-24P-EI Ethernet switch

Note:

A Combo port is defined as follows: an SFP Combo electrical port and its corresponding 10/100/1000BASE-T Ethernet port logically provide optoelectronic multiplexing function. Users can select either to meet the networking requirement, but the two ports cannot work at the same time.

2.5.2 Front Panel

(1)

(8)(9)(10)

(2) (3) (4) (5) (6) (7)



(3): 1000 Base-X SFP port (4): 1000Base-X SFP port status LED (5): Console port (6): Seven-segment LED (7): Port mode LED (Mode) (8): System LED (PWR) (9): RPS status LED (RPS) (10): Port status LED mode switching button

Figure 2-14 Front panel of S5120-24P-EI Ethernet switch


H3C Proprietary

2-17

2.5.3 Rear Panel

(1) (2) (3) (4) (4)

(1): AC power input (2): RPS power input (shipped with a filler panel) (3): Grounding screw (4): “DO NOT REMOVE” label

Figure 2-15 Rear panel of S5120-24P-EI Ethernet switch


S5120-24P-EI Ethernet switch supports the use of AC input and RPS 12 V input, the use of both AC and DC inputs (one as backup for the other) at the same time and AC power input alone. RPS DC input can use the RPS power supply recommended by H3C only.

AC input:



RPS (DC) input:



S5120-24P-EI Ethernet switch provides four fans for heat dissipation.

2.5.6 Description of S5120-24P-EI LEDs

The LEDs on the front panels of the S5120-24P-EI switches can help you monitor the running status of the switches. Table 2-1 describes the LEDs. You can use the “Mode” button on the panel to switch the LED display mode between rate mode and duplex mode.

Table 2-5 Description of S5120-24P-EI LEDs


Mode LED Mode

Rate mode

Green, ON


Duplex mode

Yellow, ON



H3C Proprietary

2-18


Power LED PWR



The system is performing POST

Red, ON POST fails because a fault occurs


Some ports fail in POST because the function fails


DC power LED RPS

Green, ON The AC input is normal, and the RPS is in the position or works normally.


OFF RPS is not connected.


In POST



POST has failed



Loading software



Fan failure







H3C Proprietary

2-19


Cluster status

The power LED is green and on

Command switch, “C” is displayed Member switch, “S” is displayed Candidate switch, “C” is displayed “1” is displayed if cluster is disabled

10/100/1000BASE-T port LED

Rate mode






Duplex mode






1000Base SFP port LED

Rate mode





Duplex mode





H3C Proprietary

2-20





2.6 S5120-48P-EI Ethernet Switch

2.6.1 Appearance

An S5120-48P-EI Ethernet switch provides 48 x 10/100/1000BASE-T Ethernet ports, four Gigabit SFP Combo ports and one console port on the front panel, and an AC power input, an RPS input. The following figure describes the appearance of the S5120-48P-EI Ethernet switch.

Figure 2-16 Appearance of S5120-48P-EI Ethernet switch

2.6.2 Front Panel

(1) (2) (3) (4) (5)

(6)(7)(8)(9)(10)



(3): Console port (4): Seven-segment LED (5): Port mode LED (Mode) (6): System LED (PWR) (7): RPS status LED (RPS) (8): Port status LED mode switching button (9): 1000 Base-X SFP port (10): 1000Base-X SFP port status LED

Figure 2-17 Front panel of S5120-48P-EI Ethernet switch


H3C Proprietary

2-21

2.6.3 Rear Panel

(1) (2) (3) (4) (4)

(1): AC power input (2): RPS power input (shipped with a filler panel) (3): Grounding screw (4): “DO NOT REMOVE” label

Figure 2-18 Rear panel of S5120-48P-EI Ethernet switch


S5120-48P-EI Ethernet switch supports the use of AC and RPS 12 V inputs, the use of both AC and DC inputs (one as backup for the other) at the same time and AC power input alone. RPS DC input can use the RPS power supply recommended by H3C only.

AC input:



RPS (DC) input:



S5120-48P-EI Ethernet switch provides four fans for heat dissipation.

2.6.6 Description of S5120-48P-EI LEDs

LED description of S5120-48P-EI and S5120-24P-EI is the same. See Table 2-15


.


2.7 Optional Interface Modules

S5120-28C-EI/S5120-52C-EI/S5120-28C-PWR-EI/S5120-52C-PWR-EI switch provides two extension module slots on the rear panel. You can select the following interface modules:

One-port 10 GE XFP interface module

Dual-port 10 GE XFP interface module


H3C Proprietary

2-22

Short-haul dual-port 10GE CX4 interface module Dual-port 10 GE SFP+ interface module

2.7.1 One-port 10 Gbps XFP Module

Figure 2-19 Front view of a one-port 10GE XFP module

This module can provide one 10GE XFP optical interface. You can select the XFP optical modules in Table 6-3 based on your requirements.

Note:

The type of XFP modules may be updated as time goes by. For updated module types, consult marketing or technical support personnel of H3C.

2.7.2 Dual-port 10GE XFP Module

Figure 2-20 Front view of dual-port 10GE XFP module

This module can provide two 10 Gbps XFP optical interfaces. You can select the XFP optical modules in Table 6-3 based on your requirements.

Note:

The type of XFP modules may be updated as time goes by. For updated module types, consult marketing or technical support personnel of H3C.


H3C Proprietary

2-23

2.7.3 Dual-port 10GE CX4 Module for Short Haul

Figure 2-21 Dual-port 10GE CX4 module for short haul

This module provides two 10GE electrical interfaces. It supports CX4 electrical standards and protocols. The maximum transmission distance is 3 meters (9.8 ft). Use CX4 cables dedicated for H3C devices to interconnect devices.

Note:

You can use only dedicated CX4 cable to connect the port on the CX4 extension module and another CX4 port. For dedicated CX4 cable, see section 2.8 "CX4 Cable".

2.7.4 Dual-port 10 GE SFP+ Interface Module

Figure 2-22 Dual-port 10 GE SFP+ interface module

This module provides two 10GE SFP+ ports. You can select the SFP+ transceivers or the SFP+ cables provided by H3C list in Table 6-5.


H3C Proprietary

2-24

Note:

The 10GE SFP+ ports do not support GE SFP transceivers. The type of SFP+ transceivers and SFP+ cables may be updated as time goes by.

For updated module types, consult marketing or technical support personnel of H3C.

2.7.5 Description of Extension Module LEDs

There is a LED for each port on the extension module panel. Table 2-6 describes the LEDs.

Table 2-6 Description of extension module LEDs


Extension module LED —

This LED is not affected by the mode button

Green

The port is normally connected. The port is blinking when it is receiving or sending data


2.8 CX4 Cable

You can use the CX4 cable to connect the CX4 port on the Dual-port 10GE CX4 Module to another CX4 port.

Handle HandleConnector 1 Connector 2

Figure 2-23 CX4 cable

The following four types of cables are available:

50 cm (19.7 in.): the connectors at both ends of the cable are bayonet connectors. 100 cm (39.4 in.): the connectors at both ends of the cable are bayonet

connectors. 300 cm (118.1 in.): the connectors at both ends of the cable are bayonet

connectors.


H3C Proprietary

2-25

2.9 SFP+ Cable

You can use the SFP+ cable to connect the SFP+ port on the Dual-port 10 GE SFP+ interface module to another SFP+ port.

Handle

HandleConnector 1Connector 2

Figure 2-24 SFP+ Cable

The following four types of cables are available: 0.65m (25.6 in.), 1.2m (47.2 in.) and 3m (118.1 in.).

For details about these four types of SFP+ cables, please refer to Table 6-5 SFP+ transceivers and SFP+ cables supported by dual-port 10 GE SFP+ interface module

System Description H3C S5120-EI Series Ethernet Switches Chapter 3 Software Features

H3C Proprietary

3-1

Chapter 3 Software Features

3.1 Basic Features

3.1.1 Link Aggregation

The link aggregation function is used for the connection between Ethernet switches or between the switches and high-speed servers. It is a simple and cheap way to expand the bandwidth of a switch port and balance the traffic among all the ports in a link aggregation. Moreover, it enhances the connection reliability.

With link aggregation, several Ethernet ports on a switch are bundled together and are considered one logical port inside the switch. The switch automatically balances the traffic among the ports in the aggregation and increases the bandwidth of the ports. If the link on a port in the aggregation fails, the traffic on it is distributed among other ports without interrupting the normal service. After the port recovers, the traffic is automatically distributed again so that the port can share the load with others.

The S5120-EI series support static link aggregation and dynamic link aggregation.

3.1.2 Traffic Control

Traffic control is a congestion management mode of switches.

S5120-EI Ethernet switches support full-duplex traffic control and half-duplex back pressure traffic control. 10-GE uplink interfaces support received pause frames only. In the half-duplex traffic control mode, the switch performs traffic control by sending Jam signals to the peer end.

3.1.3 DLDP

A special phenomenon, unidirectional links, may occur in actual networking. When a unidirectional link occurs, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device. Unidirectional links may cause a series of problems, such as spanning-tree topology loop.

The device link detection protocol (DLDP) can monitor the link status of fiber or copper twisted pairs (such as Enhanced Cat-5 twisted pairs). Based on the configuration, DLDP automatically closes, or notifies the user to close manually, the corresponding ports when it finds any unidirectional link, so as to prevent network problems.

DLDP has the following features:


H3C Proprietary

3-2

As a link layer protocol, it works in cooperation with physical layer protocols to supervise the link status of devices.

The automatic negation mechanism of the physical layer detects physical signals and faults, while DLDP identifies the peer device and unidirectional links, and closes unreachable ports.

When auto-negotiation mechanism and DLDP are enabled, they work together to detect and disable physical and logical unidirectional links, and to prevent the failure of other protocols such as STP.

If links of both ends function independently and normally at the physical layer, DLDP will check whether these links are correctly connected at the link layer and whether packets can be normally exchanged between both ends. This kind of detection cannot be achieved through the automatic negation mechanism.

3.1.4 Broadcast Storm Control

The broadcast storm control function suppresses the propagation of unknown unicast packets, multicast packets, and broadcast packets in a network, thus limiting their impact on the operating efficiency of the network.

For the S5120-EI series, the broadcast storm control function is configured on ports. After storm control is enabled on a port, you can monitor the unknown unicast traffic, multicast traffic, and the broadcast traffic received on it. When the traffic exceeds the specified bandwidth limit, the switch drops the excessive traffic to reduce the traffic ratio to a rational range, so as to guarantee the normal operation of network services. The S5120-EI series can implement both broadcast storm control based on port rate percentage and broadcast storm control based on pps.

3.1.5 VLAN

Virtual local area network (VLAN) is a technology that implements virtual workgroups by assigning the devices in a LAN into network segments logically rather than physically. VLAN standard is described in IEEE 802.1Q protocol standard, which is issued in 1999.

You can use VLAN to divide a LAN into multiple broadcast domains known as virtual LANs, namely, VLANs, the computers in each of which are correlated in a certain way. As VLANs are implemented logically rather than physically, the computers in the same VLAN do not necessarily reside on the same physical LAN segment; instead, they can belong to different physical LAN network segments.

On a switch, following types of VLAN are supported.

Port-based VLAN MAC-based VLAN Protocol-based VLAN IP multicast-based VLAN (In this case, a multicast group forms a VLAN.)


H3C Proprietary

3-3

Network layer-based VLAN (In this case, VLANs are created based on the network layer addresses of the hosts).

VLAN offers the benefit that the broadcast and unicast traffic inside a VLAN are not forwarded to other VLANs, thereby helping implement network traffic control, save equipment investment, streamline network management, and enhance network security.

The H3C S5120-EI series support the following types of VLAN.

I. Port-based VLAN

In a port-based VLAN, VLAN members are defined based on the Ethernet switch ports. You can add specific ports to the same VLAN, through which the hosts connecting to these can communicate with each other. This is the simplest way of creating a VLAN. An S5120-EI Ethernet switch supports up to 4,094 port-based VLANs.

II. Protocol-based VLAN

VLANs can be divided based on protocol. With this type of VLANs configured, a switch inserts tags to the untagged packets received by the protocols the packets belong to so that the packets are forwarded in the corresponding VLANs. Protocol-based VLANs are usually bound to specific services for ease of management and maintenance.

III. MAC-based VLAN

1) Overview

MAC-based VLANs group VLAN members by MAC address. They only apply to untagged frames.

When receiving an untagged frame, the device looks up the list of MAC-to-VLAN mappings based on the MAC address of the frame for a match. If a match is found, the system forwards the frame in the corresponding VLAN. If no match is found, the system looks up other types of VLANs to make the forwarding decision.

MAC-based VLANs are mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.

2) Approaches to Creating MAC Address-to-VLAN Mappings

In addition to creating MAC address-to-VLAN mappings at the CLI, you can use an authentication server to automatically issue MAC address-to-VLAN mappings.

Manually Static configuration (through CLI)

You can associate MAC addresses with VLANs by using corresponding commands.

Automatic configuration through the authentication server (that is, VLAN issuing)

The device associates MAC addresses with VLANs dynamically based on the information provided by the authentication server. If a user goes offline, the


H3C Proprietary

3-4

corresponding MAC address-to-VLAN association is removed automatically. Automatic configuration requires MAC address-to–VLAN mapping be configured on the authentication server. For detailed information, refer to 802.1X Configuration in the Security Volume.

The two configuration approaches can be used at the same time, that is, you can configure a MAC address-to-VLAN entry on both the local device and the authentication server at the same time. Note that the MAC address-to-VLAN entry configuration takes effect only when the configuration on the local device is consistent with that on the authentication server. Otherwise, the previous configuration takes effect.

The S5120-EI supports 1024 VLANs based on MAC addresses without masks globally.

IV. IP subnet-based VLAN

In this approach, packets are assigned to VLANs based on their source IP addresses and subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet to a VLAN based on the source address of the packet.

This feature is used to assign packets from the specified network segment or IP address to a specific VLAN.

One VLAN supports 12 network segments for the S5120-EI.

3.1.6 GARP/GVRP

I. GARP

Generic attribute registration protocol (GARP) provides a means of distributing, propagating, and registering specific type of information (such as VLAN and multicast group address) among the members inside the same switched network.

A GARP member can be a workstation or a switch. GARP members communicate with each other by exchanging their messages. By exchanging messages, all the member switches on a switching network get all the attribute information to be registered. GARP enables the configuration information of a GARP member to be propagated throughout the entire switched network. A GARP member triggers other GARP members, through declaration/declaration cancellation messages, to register/deregister its attribute information. It also registers/deregisters the attribute information of other GARP members in response to their declaration/declaration cancellation messages.

GARP by itself does not exist on the routing switch as an entity. It takes the form of GARP application, which is implemented on entities adopting GARP. Commonly used GARP applications are GVRP (GARP VLAN registration protocol) and GMRP (generic multicast registration protocol). The PDUs (protocol data unit) of different GARP applications (GVRP and GMRP for example) carry the MAC addresses peculiar to the applications, according to which a routing switch with GARP-employed can recognize


H3C Proprietary

3-5

the received GARP packets and pass them to the corresponding GARP applications for processing.

II. GVRP

GVRP is a GARP application that maintains VLAN dynamic registration information in a routing switch and transmits the information to other routing switches, based on the operating mechanism of GARP.

A routing switch with GVRP-employed receives VLAN registration information from other routing switches and dynamically updates the local VLAN registration information, including current VLAN members and the ports through which these VLAN members can be reached, etc. Moreover, in a switched network, all the routing switches with GVRP employed transmit the local VLAN registration information to other routing switches, thus keeping the VLAN information maintained by them in consistency. VLAN registration information transmitted by these routing switches includes both the static registration information manually configured locally and the dynamic registration information from other routing switches.

3.1.7 QinQ

I. QinQ characteristics

QinQ enables packets to traverse the backbone network (public network) of the operator with two layers of VLAN tags, where VLAN tag of the customer network is encapsulated in the VLAN tag of the public network. In the public network, packets are forwarded based on the outer VLAN tag (that is, the public network VLAN tag) only, while the customer network VLAN tag is shielded.

Compared with MPLS-based L2 VPN, QinQ has the following features:

It provides simpler L2 VPN tunnels. It can be implemented through full-static configuration, without the need of a

signaling protocol.

QinQ mainly provides the following benefits:

Saving public network VLAN IDs Enabling private network VLAN IDs that do not conflict with those of the public

network Providing small-sized MANs or intranets with simpler L2 VPN solutions

II. BPDU Tunnel

As a Layer 2 tunneling technology, BPDU tunneling enables Layer 2 protocol packets from geographically dispersed customer networks to be transparently transmitted over specific channels across a service provider network.


H3C Proprietary

3-6

Customers usually use dedicated lines in a service provider network to build their own Layer 2 networks. As a result, very often, a customer network is broken down into parts located at different sides of the service provider network. As shown in Figure 3-1, User A has two devices: CE 1 and CE 2, both of which belong to VLAN 100. User A’s network is divided into network 1 and network 2, which are connected by the service provider network. When Layer 2 protocol packets cannot be transparently transmitted in the service provider network, User A’s network cannot implement independent Layer 2 protocol calculation (for example, STP spanning tree calculation). In this case, the Layer 2 protocol calculation in User A’s network is mixed with that in the service provider network.

ISP network

User A network 1VLAN 100

User A network 2VLAN 100

CE 1 CE 2

PE 1 PE 2

Figure 3-1 BPDU tunneling application scenario

With BPDU tunneling, Layer 2 protocol packets from customer networks can be transparently transmitted in the service provider network:

1) After receiving a Layer 2 protocol packet from User A network 1, PE 1 in the

service provider network encapsulates the packet, replaces its destination MAC

address with a specific multicast MAC address, and then forwards the packet in

the service provider network;

2) The encapsulated Layer 2 protocol packet (called bridge protocol data unit,

BPDU) is forwarded to PE 2 at the other end of the service provider network,

which decapsulates the packet, restores the original destination MAC address of

the packet, and then sends the packet to User A network 2.

On the S5120-EI series switches, BPDU tunneling may support the transparent transmission of these types of Layer 2 protocol packets:

Cisco Discovery Protocol (CDP)

Device Link Detection Protocol (DLDP)

Ethernet Operation, Administration and Maintenance (EOAM)

GARP VLAN Registration Protocol (GVRP)

HW Group Management Protocol (HGMP)


H3C Proprietary

3-7

Link Aggregation Control Protocol (LACP)

Link Layer Discovery Protocol (LLDP)

Port Aggregation Protocol (PAGP)

Per VLAN Spanning Tree (PVST)

Spanning tree protocol (STP)

Uni-directional Link Direction (UDLD)

VLAN Trunking Protocol (VTP)

3.2 Network Protocol Features

3.2.1 ARP

Address resolution protocol (ARP) dynamically maps IP addresses to specific MAC addresses. Upon being enabled, ARP carries out the address resolution without manual intervention.

The S5120-EI series switches support the following extended ARP and attack defense implementations:

I. Gratuitous ARP

Gratuitous ARP enables a device to test whether or not IP address conflicts exist between itself and other devices in the network by sending ARP requests. Since both the source and destination IP addresses of a gratuitous ARP request packet are set to the local IP address, an IP address conflict exists if a host responds to the ARP request.

A gratuitous ARP request is also used to update the corresponding MAC address entries maintained by other devices. A switch updates the corresponding MAC address entry if the IP address contained in a received ARP request packet matches the MAC address entry. As an ARP request packet is broadcast across the network, all the MAC address entries matching the ARP request packet are updated.

II. Proxy ARP

The S5120-EI series support the following two types of proxy ARP, standard proxy ARP and local proxy ARP.

Standard proxy ARP conforms to the related protocol; it responds to ARP requests sourced from other network segments. As shown in Figure 3-2, Host A and Host B are of different network segments connected to an S5120-EI Ethernet switch. Although the gateways configured for Host A and Host B are of different network segments, their IP addresses indicate that they are of the same network segment. Normally, ARP requests sourced from Host A and destined for Host B, which are inter-network segment, are dropped in this case. With standard proxy ARP enabled, the S5120-EI Ethernet switch looks up in the routing table for the route upon receiving an ARP


H3C Proprietary

3-8

request packet and sends its MAC address to the ARP request sender if the route exists. The ARP request sender then sends another packet to the switch, with the address contained in the route as the destination address. The switch in turn forwards the packet.

Vlan-int1(gateway IP address)

10.110.104.1/24

Host A10.110.104.11/16

Host B10.110.105.11/16


10.110.105.1/24

Switch

Figure 3-2 A standard proxy ARP implementation

Local proxy ARP only responds to ARP requests on the same network segment. As for the S5120-EI series switches, local proxy ARP is mainly employed on port isolation-enabled ports to allow Layer 3 communication between isolated users.


10.110.104.1/24

Host A10.110.104.11/24

Host B10.110.104.12/24

Switch

Port isolate

GE1/0/1 GE1/0/2

Figure 3-3 A local ARP proxy implementation

As shown in Figure 3-3, port isolation is enabled on the S5120-EI Ethernet switch; therefore, ARP packets cannot be forwarded between downlink ports. If the switch also has local proxy ARP enabled and receives an ARP request sourced from Host A and destined for Host B, the switch looks up in the routing table and sends its MAC address to the ARP request sender if the route exists. The ARP request sender then sends the packet to the switch, with the address contained in the route as the destination address. The switch in turn forwards the packet.


H3C Proprietary

3-9

III. ARP Attack Defense

ARP attacks and viruses are threatening LAN security. H3C S5120-EI Series Ethernet Switches can provide multiple features to detect and prevent such attacks.

1) ARP Source Suppression

If a device receives large numbers of IP packets from a host to unreachable destinations,

The device sends large numbers of ARP requests to the destination subnets, which increase the load of the destination subnets.

The device continuously resolves destination IP addresses, which increase the load of the CPU.

To protect the device from such attacks, you can enable the ARP source suppression function. With the function enabled, whenever the number of packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold, the device suppress the sending host from triggering any ARP requests within the following five seconds.

2) Source MAC Address Based ARP Attack Detection

This feature allows the device to check the source MAC address of ARP packets that delivered to the CPU. If the number of ARP packets sent from a MAC address within five seconds exceeds the specified value, the device considers this an attack.

3) ARP Detection

In normal cases, a Layer 2 access device broadcasts an ARP request within a VLAN, and forwards ARP responses at Layer 2. If an attacker sends an ARP request with the source being the IP address of another client, the corresponding ARP entry maintained by the gateway or other clients is modified. Consequently, the attacker will receive the packets sent to the client.

The ARP detection feature allows only the ARP packets of legal clients to be forwarded.

ARP Detection consists of two functions: user validity check and ARP packet validity check.

User validity check: With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet received from the VLAN against the DHCP snooping entries, 802.1x security entries, or static IP-to-MAC binding entries.

ARP packet validity check: With this feature enabled, the device filters out invalid ARP packets received on ARP untrusted ports. You can base ARP packet validity check on the source MAC address, destination MAC address or IP address. ARP packet validity check does not apply to packets received on ARP trusted ports.

4) ARP packet rate limit


H3C Proprietary

3-10

ARP packets that pass ARP detection are delivered to the CPU. This feature allows you to limit the rate of ARP packets to be sent to the CPU.

3.2.2 DHCP

I. DHCP Relay

A routing switch operating as a DHCP relay can relay messages between a DHCP server and a client, making it possible for a DHCP server in a subnet to provide DHCP service to the hosts in another subnet. With DHCP Relay, a network manager needs not to set DHCP server for every subnet, thereby reducing DHCP server costs.

II. DHCP Client

On a contemporary large-sized and complex network, some computers are mobile and the available IP addresses are far from adequate comparing with the fast-growing number of computers. To address the issue, the dynamic host configuration protocol (DHCP) was introduced. DHCP works in the client/server model, where the DHCP client requests the DHCP server for configuration information dynamically, and upon the receipt of the request the DHCP server returns the configuration information (IP address for example) based on the adopted policy.

III. DHCP Snooping

The DHCP snooping function enables the acquisition of user IP addresses and MAC addresses by listening to DHCP broadcast packets. It can be used to improve network security and prevent unauthorized accesses. Additionally, with the DHCP snooping function employed, ports are classified into trusted ports and untrusted ports. Ports with DHCP servers attached are trusted ports; and those with hosts attached are untrusted ports. The DHCP_ACK and DHCP_OFF packets received through untrusted are discarded, through which illegal DHCP servers can be prevented.

IV. DHCP option82

DHCP uses the option field in DHCP messages to carry control information and network configuration parameters, implementing dynamic address allocation and providing more network configuration information for clients.

Figure 3-4 shows the DHCP option format.

Option type Option length0 7 15

Value (variable)

Figure 3-4 DHCP option format


H3C Proprietary

3-11

Option 82 is the relay agent option in the option field of the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client’s request, it adds Option 82 to the request message and sends it to the server.

The administrator can locate the DHCP client to further implement security control and accounting. The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients.

Option 82 involves at most 255 sub-options. At least one sub-option must be defined. Now the DHCP relay agent supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID).

Option 82 has no unified definition. Its padding formats vary with vendors.

You can use the following two methods to configure Option 82:

User-defined method: Manually specify the content of Option 82. Non-user-defined method: Pad Option 82 in the default normal or verbose

mode.

If you choose the second method, you can specify the padding format for the sub-options as ASCII or HEX.

2) Normal padding format

sub-option 1: Padded with the VLAN ID and number of the port that received the client’s request. The following figure gives its format. The value of the sub-option type is 1, and that of the circuit ID type is 0.

Sub-option type (0x01)

0 7 15

Length (0x06) Circuit ID type (0x00) Length (0x04)

23 31

VLAN ID Port number

Figure 3-5 Sub-option 1 in normal padding format

sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client’s request. The following figure gives its format. The value of the sub-option type is 2, and that of the remote ID type is 0.

Sub-option type (0x02)

0 7 15

Length (0x08) Remote ID type (0x00) Length (0x06)

23 31

MAC Address

Figure 3-6 Sub-option 2 in normal padding format

3) Verbose padding format:


H3C Proprietary

3-12

The padding contents for sub-options in the verbose padding format are:

sub-option 1: Padded with the user-specified access node identifier (ID of the device that adds Option 82 in DHCP messages), and type, number, and VLAN ID of the port that received the client’s request. Its format is shown in the following figure.

Sub-option type (0x01) Length Node identifier

Port type Port number

VLAN ID

Figure 3-7 Sub-option 1 in verbose padding format

sub-option 2: Padded with the MAC address of the interface that received the client’s request. It has the same format as that in normal padding format, as shown in Figure 3-6.

3.2.3 UDP Helper

The UDP helper function mainly functions to relay and forward the specified UDP broadcast packets. It can transform UDP broadcast packets into unicast packets and send them to the specified servers.

With the UDP helper function enabled, a switch determines whether or not to forward a received packet by the UDP port number carried in the packet. If the packet is to be forwarded, the switch modifies the destination IP address in the IP header and sends the packet to a specific destination server. Otherwise, the switch passes the packet to the upper layer modules.

With the presence of the DHCP relay function, the UDP helper function does not relay DHCP packets on the S5120-EI series switches.

3.2.4 DNS

Domain name system (DNS) is a distributed database used for TCP/IP applications. It performs translations between domain names and IP addresses. DNS allows you to replace IP addresses with domain names, which is easy to memorize and meaningful. Domain name-to-IP address resolution is carried out by DNS server.

There are two kinds of domain name resolution, namely the static domain name resolution and dynamic domain name resolution, both of which supplement each other in real application. You can configure to resolve domain names in the static way, with the dynamic resolution as the ultimate measure. By adding commonly used domain names to the static domain name resolution table, you can greatly improve the efficiency of domain name resolution.


H3C Proprietary

3-13

I. Static domain name resolution

To enable static domain name resolution, you need to establish domain name-to-IP address maps. When you use a domain name for an application, the corresponding IP address can be obtained through the static domain name resolution table.

II. Dynamic domain name resolution

Dynamic domain name resolution is implemented by querying the DNS server. With dynamic domain name resolution adopted, a DNS client sends DNS requests to the DNS server for the corresponding IP address. The DNS server in turn searches in its own database for the IP address corresponding to the domain name and sends the IP address back to the DNS client. If the DNS server cannot find the corresponding IP address in its database, it forwards the DNS request to the DNS server one level higher than itself for the domain name to be resolved. Such a process goes on and on until the domain name is resolved.

An S5120-EI Ethernet switch supports the static domain name resolution and can operate as a DNS client when dynamic domain name resolution is adopted. Besides IPv4 address-to-domain name conversion, that of IPv6 is also available on an S5120-EI switch.

3.2.5 OAM (802.3ah)

Ethernet OAM (meaning operation, administration, and maintenance) is a tool for monitoring network. It operates on data link layer and can report information about networks to network administrators through the OAMPDUs exchanged between devices, enabling network administrators to manage the network more effectively.

Currently, Ethernet OAM is mainly used for detecting data link layer problems occurred in the “last mile”. By enabling Ethernet OAM on two devices connected by a point-to-point connection, you can monitor the status of the link between the two devices. Ethernet OAM provides the following functions.

Link performance monitoring, for detecting link errors Fault detection and alarm, for reporting link errors to the administrators Loopback testing, for detecting link errors through non-OAMPDUs

3.2.6 Connectivity Fault Detection (802.1ag)

Connectivity fault detection (CFD) is a Layer 2 link OAM (Operations, Administration and Maintenance) mechanism used for link connectivity detection and fault locating.

I. Maintenance domain

A maintenance domain (MD) is the part of network where CFD plays its role. The MD boundary is defined by some maintenance points configured on the ports. MD is


H3C Proprietary

3-14

identified by MD name and is divided into 8 levels, represented by integer 0 to 7. The bigger the number, the higher the level. A higher level MD can contain lower level MDs, but they cannot overlap. In other words, a higher level MD covers larger area than a lower level MD.

II. Maintenance association

Maintenance association (MA) is a set of maintenance points in a maintenance domain. It is identified in the form “MD name + MA name”.

MA works within a VLAN. Packets sent by the maintenance points in an MA carry the corresponding VLAN tag. A maintenance point can receive packets sent by other maintenance points in the same MA.

III. Maintenance point

A maintenance point (MP) is configured on a port and belongs to an MA. MP can be divided into two types: maintenance association end point (MEP) and maintenance association intermediate point (MIP).

MEP

Each MEP is identified by an integer called MEP ID. The MEPs define the range of MD. The MA and MD that MEPs belong to define the VLAN attribute and level of the packets sent by the MEPs. MEPs are divided into inbound MEP and outbound MEP.

On Figure 3-8, outbound MEPs are configured on the ports. On Figure 3-9, inbound MEPs are configured on the two ports.

RelayEntity

Maintenance Association

RelayEntity

Bridge Bridge

Bridge

Port

Bridge

Port

Figure 3-8 Outbound MEP


H3C Proprietary

3-15

RelayEntity


RelayEntity

Bridge Bridge

Bridge

Port

Bridge

Port

Figure 3-9 Inbound MEP

MIP

Maintenance association intermediate point (MIP) can handle and respond to CFD packets. The MA and MD that a MIP belongs to define the VLAN attribute and level of the packets received.

Figure 3-10 demonstrates a grading example of CFD module. In the figure, there are six devices, labeled as 1 to 6 respectively. Suppose each device has two ports, and MEPs and MIPs are configured on some of these ports. Four levels of MDs are designed in this example, the bigger the number, the higher the level and the larger the area covered. In this example, the X port of device 2 is configured with the following MPs: a level 5 MEP, a level 3 inbound MEP, a level 2 inbound MEP, and a level 0 outbound MEP.

5 5

0 0

x y5

3 3

MD Level 55

0 0

2

1 2 3 4 5 6

2 2 2MD Level 2

MD Level 33 3

0 0

2 2 2 2MD Level 2

MD Level 0

Port

5

5

MEP ( number is MD level )

MIP ( number is MD level )


Logical path of CFD Messages

Figure 3-10 Levels of MPs


H3C Proprietary

3-16

3.3 NTP

Clock synchronization among devices becomes important given increasingly complex network topologies. The network time protocol (NTP) is a TCP/IP protocol that advertises accurate time on the entire network.

NTP provides consistency guarantee for the following applications:

When increment backup is performed between a backup server and a client, it ensures the clock between the two system be synchronous.

When multiple systems are used to deal with complex events, it ensures the correct order of these events.

It ensures the normal performance of the Remote Procedure Call (RPC) between systems.

It provides time information about such operations as system login of users and file modification for application program.

3.4 Routing Features

Note:

The S5120-EI is a Layer 2 switch capable of some Layer 3 functions because it supports 32 static routes.

3.4.1 Static Route and Default Route

I. Static route

Static routes are configured by the network administrator manually. In a network with a simple structure, static routes can ensure normal running of the switches.

Configuring static routes correctly can ensure network security effectively and provide bandwidth for important applications. The disadvantage of static routes is that static routes cannot vary with a network topology when the network topology changes due to some reasons, such as network device failure. The network administrator has to configure static routes again based on the new network topology.

II. Default route

Default routes are used only when a router fails to find any matching route. In a routing table, the default route is the route to 0.0.0.0. Default routes can save bandwidth resources occupied by packet forwarding and save routing time, thus enabling a great number of users to communicate simultaneously.


H3C Proprietary

3-17

3.5 Multicast Features

3.5.1 IGMP Snooping

Internet group management protocol snooping (IGMP Snooping) operates on Layer 2 Ethernet switches. It provides a mechanism to manage and control multicast groups.

IGMP snooping runs on the link layer. It checks the information carried in the IGMP packets exchanged between hosts and routers. On the detection of an IGMP host report message, the switch adds the host to the corresponding multicast table. And on the detection of an IGMP Leave message, the switch removes the corresponding multicast entry from the multicast table. By continuously listening to IGMP packets, a switch creates and maintains a Layer 2 MAC multicast address table, through which the switch forwards the multicast packets transmitted by the routers.

When IGMP Snooping is not enabled, multicast packets are broadcast on Layer 2. While when IGMP Snooping is enabled, the packets are multicast instead of being broadcast on Layer 2.

Multicast packet transmission without IGMP Snooping

Source

Multicast router

Host AReceiver

Host B

Host CReceiver

Multicast packets

Layer 2 switch

Multicast packet transmission when IGMP Snooping runs

Source

Multicast router

Host AReceiver

Host B

Host CReceiver

Layer 2 switch

Figure 3-11 IGMP Snooping

3.5.2 Multicast VLAN

As shown in Figure 3-12, in the traditional multicast programs-on-demand mode, when hosts, Host A, Host B and Host C, belonging to different VLANs require multicast programs on demand service, the Layer 3 device, Router A, needs to forward a separate copy of the multicast traffic in each user VLAN to the Layer 2 device, Switch A.


H3C Proprietary

3-18

This results in not only waste of network bandwidth but also extra burden on the Layer 3 device.

Source

ReceiverHost A

Multicast packets VLAN 2

VLAN 3

VLAN 4

VLAN 2

VLAN 3

VLAN 4

Switch A

ReceiverHost B

ReceiverHost C

Router AIGMP querier

Figure 3-12 Multicast transmission without multicast VLAN

The multicast VLAN feature configured on the Layer 2 device is the solution to this issue. With the multicast VLAN feature, the Layer 3 device needs to replicate the multicast traffic only in the multicast VLAN instead of making a separate copy of the multicast traffic in each user VLAN. This saves the network bandwidth and lessens the burden of the Layer 3 device.

The multicast VLAN feature can be implemented in two approaches, as described below:

I. Port-based multicast VLAN

Port-based multicast VLAN is also known as the traditional multicast VLAN. By assigning hybrid ports to a multicast VLAN in untagged mode, you can forward multicast data to all multicast recipients attached to the hybrid ports in the multicast VLAN. This is possible because a hybrid port can forward traffic of multiple VLANs untagged.

As shown in Figure 3-13, Host A, Host B and Host C are in three different user VLANs. All the user ports (ports with attached hosts) on Switch A are hybrid ports. On Switch A, configure VLAN 10 as a multicast VLAN, assign all the user ports to this multicast VLAN, and enable IGMP Snooping in the multicast VLAN and all the user VLANs.


H3C Proprietary

3-19

Source

VLAN 2

VLAN 3

VLAN 4

Eth1/1

Eth1/2

Eth1/3

Eth1/4Switch A

Multicast packets

ReceiverHost A

ReceiverHost B

ReceiverHost C

Router AIGMP querier

VLAN 10 (Multicast VLAN)

Figure 3-13 Port-based multicast VLAN

After the configuration, upon receiving an IGMP message on a user port, Switch A tags the message with the multicast VLAN ID and relays it to the IGMP querier, so that IGMP Snooping can uniformly manage the router ports and member ports in the multicast VLAN. When forwarding multicast data to Switch A, Router A needs to send only one copy of multicast traffic to Switch A in the multicast VLAN, and Switch A distributes the traffic to all the member ports in the multicast VLAN.

3.6 STP/RSTP/MSTP

3.6.1 STP/RSTP

Spanning tree protocol (STP)/rapid spanning tree protocol (RSTP) prunes a loop L2 switching network into a loop-free tree (all data on the L2 switching network must travel along the spanning tree), thereby avoiding network broadcast storms caused by network loops and providing redundant links for data forwarding.

Basically, STP/RSTP is used to generate a "tree" whose root is a switch called root bridge. Which switch is to be selected as root bridge is based on their settings (such as switch priority and MAC address), but there should be only one root bridge at any time. From the root bridge, a tree stretches through the switches. A non-root switch forwards data to the root through its root port and to the connected network segment through its designated port. A root periodically transmits configuration BPDUs, while a non-root switch receives and forwards them. If a switch receives configuration BPDUs from two or more ports, it assumes that there is a loop in the network. To eliminate the loop, the switch selects one of the ports as the root port and blocks others. When a port receives no configuration BPDUs for a long time, the switch considers that the configuration of this port has timed out and the network topology may have changed. Then, it recalculates the network topology and generates a new tree.


H3C Proprietary

3-20

RSTP is an STP enhancement that significantly shortens the time for the network topology to stabilize.

3.6.2 MSTP

Multiple spanning tree protocol (MSTP) is compatible with STP and RSTP.

STP cannot transit fast. Even on the point-to-point link or the edge port, it has to take an interval twice as long as forward delay before the network converges.

RSTP can converge fast. However, like STP, RSTP has this drawback: All the network bridges in a VLAN share a spanning tree and the redundant links cannot be blocked by VLAN, with all the packets in the VLAN forwarded along a spanning tree.

MSTP makes up for the drawback of STP and RSTP. It makes the network converge fast and enables the traffic of different VLANs to be distributed along their respective paths, which provides a better load sharing mechanism for the redundant links.

MSTP associates VLAN with spanning tree by using a VLAN mapping table; that is, a table showing the correspondence relationship between VLANs and spanning tree. Meanwhile, MSTP divides a switched network into several domains. In each domain, multiple independent STPs are generated. MSTP prunes a loop network to a loop-free network so as to avoid packet propagation and endless loop. It also provides multiple redundant paths for load balancing of VLAN data in the process of data forwarding.

3.6.3 STP Protection

I. BPDU guard

For access layer devices, the access ports are usually connected directly with the user terminals (such as PCs) or file servers. In this case, the access ports are configured as edge ports to allow fast migration of these ports. When these ports receive configuration messages (BPDUs), the system will automatically set these ports as non-edge ports and recalculate the spanning tree. This will cause flapping of the network topology. Under normal conditions, these ports should not receive STP BPDUs. If someone forges BPDUs maliciously to attack the switch, network flapping will occur. The BPDU guard function protects the system against such attacks.

II. Root guard

The root bridge and backup switches in a spanning tree must reside in the same domain. This is especially true for the root bridge and backup switches of a common and internal spanning tree (CIST). This is because the root bridge and backup switches of a CIST are normally placed in a high-bandwidth core domain. However, due to misconfiguration or a malicious network attack, a legal root bridge in the network may receive a BPDU that has a higher priority. This turns the current root bridge into a non-root switch, causing a wrong change in the network topology. Such illegal change


H3C Proprietary

3-21

leads the traffic that would otherwise pass through a high-speed link to follow a lower-speed link, causing network congestion. The root guard function prevents this from occurring.

III. Loop guard

A switch can keep track of the states of the root port and blocked ports by continuously receiving the BPDUs sent by upstream switches. However, these ports may be unable to receive the BPDUs sent by upstream switches due to link congestion or unidirectional links. In this case, the switch reelects a root port, the original root port turns into a designated port, and blocked ports go into the forwarding state. This causes loops in the switched network. The loop guard function prevents such loops. With the loop guard function enabled, the role of the root port remains unchanged and blocked ports remains in the Discarding state without forwarding any packet. This prevents loops in the network.

IV. TC-BPDU attack prevention

Upon receiving a TC-BPDU, the switch deletes MAC address entries and ARP entries. If someone forges TC-BPDUs to attack the switch maliciously, the switch will receive excessive TC-BPDUs in a short time. Frequent packet deletion places a heavy burden on the switch and compromises network stability.

After TC-BPDU attack prevention is enabled, the switch deletes the received TC-BPDUs only once within a specific timer (usually 10 seconds) and monitors whether any TC-BPDU is received during that timer. If any TC-BPDUs are received within the timer, the switch deletes the TC-BPDUs again after the timer times out. This saves the switch from deleting MAC address entries and ARP entries frequently.

3.7 IPv6 Features

Internet protocol version 6 (IPv6) is a second-generation standard network layer protocol. Also known as IP Next Generation (IPng), it is a standard developed by Internet Engineering Task Force (IETF) as an upgrade from IPv4. The main difference between IPv4 and IPv6 lies in that the addresses used in the latter are 128 bits in length, whereas those used in the former is only 32 bits in length.

Following are the features of IPv6.

I. Simplified packet header

The size of the header of an IPv6 basic packet is reduced, because some fields in IPv4 packet header are removed or moved to extension headers. This simplifies the processes used to perform in network devices when packets are forwarded and improves the forwarding efficiency. Despite of the 128-bit IPv6 address, the size of an IPv6 basic packet header is only twice that of IPv4 packet header (the Options field not counted in).


H3C Proprietary

3-22

Basic IPv6 header

Ver

0 113Traffic class Flow label

Payload length Next header Hop limit

Source address (128 bits)

Destination address (128 bits)

3115 23

Ver IHL ToS Total length

0 73 3115 23

Identification Fragment offsetF

TTL Protocol Header checksum

Source address (32 bits)

Destination address (32 bits)

Options Padding

IPv4 header

Figure 3-14 IPv4 packet header vs. IPv6 packet header

II. Sufficient address space

In IPv6, the source and destination addresses of a packet are both 128 bits (16 bytes) in length. Such an address scheme can provide more than 3.4 × 1038 addresses, which are enough to fully accommodate multi-level address allocation, public address allocation, and address allocation in private networks.

III. Hierarchical address structure

IPv6 address space is hierarchically organized. Such a structure improves routing performance and route aggregation is made possible. Route aggregation helps reducing the system resource occupied by IPv6 routing tables.

IV. Automatic address allocation

IPv6 supports stateful address allocation and stateless address allocation, both of which simplify host configuration. The stateful address allocation enables hosts to obtain IPv6 addresses and the related information from servers (for example, DHCP servers). The stateless address allocation enables a host to configure the IPv6 address and related information automatically according to its own link layer address and the prefix information advertised by the router. A host can also generate its link-local address according to its own link layer address and the default prefix (FE80::/64) to communicate with other hosts that on the same link.

V. Built-in security

In IPv6, IPsec is implemented through the standard expansion header to provide end-to-end security. This feature also provides a standard for addressing network security issues and improves the interoperability among different IPv6 applications.


H3C Proprietary

3-23

VI. QoS support

The Flow Label field in IPv6 packet header labels flows. Network devices can perform traffic classification and provide differentiated services according to the Flow Label field.

VII. Enhanced neighbor discovery mechanism

The neighbor discovery protocol for IPv6 is implemented by a group of ICMPv6 (internet control message protocol for IPv6) messages. The interactions among neighboring nodes on the same link are under the administration of IPv6 neighbor discovery protocol. It replaces ARP (address resolution protocol), ICMPv4 router discovery and ICMPv4 redirect messages, and provides a series of other functions.

VIII. Flexible extension packet header

In the header of an IPv6 packet, multiple extension packet headers replace the Option field. This not only improves the processing efficiency but also enhances flexibility of IPv6 and provides good extendibility for the IP protocol. The Options field in an IPv4 packet header can only be 40 bytes in size, while the sizes of IPv6 extension headers are only limited by the size of the IPv6 packet.

3.7.1 NDP

The neighbor discovery protocol (NDP) for IPv6 is implemented by a group of ICMPv6 messages. The interactions among neighboring nodes on the same link are under the administration of IPv6 NDP. It replaces ARP, ICMPv4 router discovery and ICMPv4 redirect messages and provides a series of other functions.

In IPv6 NDP, the following five types of ICMPv6 messages are used.

NS (neighbor solicitation) message, which is used to request for the link layer address of a neighbor, check the reachability of a neighbor, and detect for duplicate addresses.

NA (Neighbor Advertisement) message. A device answers with an NA message when it receives an NS message. The device can also send NA messages actively to notify its neighbors of the link layer changes.

RS (Router Solicitation) message. A host sends RS messages to the router to request for the prefix and other configuration information after it starts.

RA (Router Advertisement) message. A router answers with RA messages when it receives RS messages. It also advertises RA messages periodically, which contain prefix and flag bit information.

Redirect message. When a router finds that the receiving interface and sending interface of a packet are the same, it sends redirect messages to trigger the corresponding host to use anther next hop address.

Table 3-1 summarizes the NDP functions.


H3C Proprietary

3-24

Table 3-1 NDP functions

Function Description

Router discovery/prefix discovery/parameter discovery

Discovers the local routers on the same link (this process is the same as that of ICMPv4 router discovery) and obtain address prefixes and other configuration parameters for address auto-configuration. This is achieved through RS and RA messages.

Address auto-configuration

Automatically configures IPv6 addresses and other information of interfaces according to the address prefixes and other configuration parameters carried in the RA messages.

Address resolution

Maps the IPv6 address of a neighboring node to the corresponding link layer address (this process is the same as that of IPv4 ARP). This is achieved through NS and NA messages. A node multicasts an NS message, with the destination address being the IPv6 address of the requested node and the local link layer address carried in it. When other nodes on the same link receive the message, each of them checks whether or not the destination address is the local address. If yes, the node answers with an NA message that contains its own link layer address. A node obtains the link layer addresses of neighboring nodes through the procedure above.

Neighbor unreachable detection (NUD)

This function is used to check whether or not a node is reachable. If a node receives an acknowledgment message from the neighbor after sending a NUD message, it considers the neighbor to be reachable. Otherwise, it considers the neighbor to be unreachable.

Duplicate address detection (DAD)

When a node obtains an IPv6 address, it checks whether or not the address conflicts with that of another node through the duplicate address detection function. (This process is similar to the gratuitous ARP function in IPv4.) The node sends an NS message. If the node receives an NA message from another node, it indicates that the address is already in use. Otherwise, it indicates the IPv6 address is not in use.

Redirect A router informs a host of the optimal next-hop IPv6 address to reach a particular destination through this function. (This is similar to the ICMP redirect function in IPv4).

3.7.2 Introduction to IPv6 DNS

In an IPv6 network, translation between domain names and IPv6 addresses is also required. This translation can be achieved through IPv6 Domain Name System (DNS). The only difference between IPv6 DNS and IPv4 DNS is that IPv6 DNS translates domain names into IPv6 addresses, instead of IPv4 addresses.


H3C Proprietary

3-25

Similar to IPv4 DNS, IPv6 DNS also implements static and dynamic domain name resolution. In addition, the purpose and implementation method of the static and dynamic domain name resolution through IPv6 DNS are the same as those of IPv4 DNS. For details, see the related sections in the IPv4 network protocol part.

Normally, a DNS server connecting an IPv4 network to an IPv6 network stores A entries (IPv4 addresses) and AAAA entries (IPv6 addresses). Therefore, the DNS server can resolve domain names into IPv4 addresses and IPv6 addresses. In this case, the DNS server can implement both IPv6 DNS and IPv4 DNS. To resolve domain names into IPv4/IPv6 addresses on a DNS server, configuration is required.

3.7.3 Ping IPv6 and Tracert IPv6

You can perform the ping IPv6 operation in an IPv6 network to test the connection between two devices. It can be your first choice to check whether a host is reachable. The operation sends ICMPv6 packets to the destination host and records the round trip time.

The traceroute IPv6 operation can record the gateways along the path from a host to a specific node. This operation enables you to locate problems in an IPv6 network by testing the reachability of network connections.

3.7.4 IPv6 Telnet

Telnet is an application layer protocol of the TCP/IP protocol suite. It implements remote logon and virtual terminal. The host runs the IPv6 Telnet client program establishes an IPv6 Telnet connection with Device A. In this case, Device A serves as the Telnet server. If Device A is connected to Device B through Telnet, the former functions as a Telnet client and Device B functions as a Telnet server. Both Telnet server and Telnet client support IPv6 connections.

3.7.5 IPv6 TFTP

IPv6 supports trivial file transfer protocol (TFTP) applications. You can upload/download files in an IPv6 network using TFTP.

Currently, an S5120-EI Ethernet switch can only operate as an IPv6 TFTP client.

3.8 IPv6 Multicast Features

3.8.1 MLD Snooping

Multicast Listener Discovery Snooping (MLD Snooping) is an IPv6 multicast constraining mechanism that runs on Layer 2 Ethernet switches to manage and control IPv6 multicast groups.


H3C Proprietary

3-26

MLD Snooping is analogous to IGMP Snooping in IPv4: a switch can establish and maintain the corresponding MLD Snooping multicast group table at data link layer by monitoring MLD messages, and forward the IPv6 multicasts delivered by a multicast router based on the MAC multicast group information in the table.

3.9 QACL

Quality of service (QoS) provides network services of different types and grades selected by users, from the top service quality to normal service quality networkwide to accommodate to various demands. An access control list (ACL) is used primarily to identify traffic flows. In order to filter data packets, a series of match rules must be configured on the network device to identify the packets to be filtered. After the specific packets are identified, and based on the predefined policy, the network device can permit/prohibit the corresponding packets to pass.

3.9.1 Traffic Classification

Traffic classification is to classify packets according to the packet filtering keywords configured by the user. Various types of user-defined service processing can be implemented on the classified packets.

In traffic classification, rules are defined to discriminate packets that conform to certain characteristics. The classification rules can be very simple. For example, traffic flows with different priority characteristics can be discriminated according to the differentiated services codepoint (DSCP) in the packet header. They can also be quite complicated. For example, packets can be classified according to combinations of information involving the data link layer, network layer and transport layer -- such as MAC address, IP protocol type, source host/network segment address, destination host/network segment address, and even application port number.

3.9.2 Priority Marking

The S5120-EI series support priority marking for classified packets and modification of the DSCP or 802.1p priority in the packets according to the user-specified preferred priority values, so as to provide the specified QoS networkwide.

The S5120-EI series can provide priority marking service for classified packets. The marking contents include DSCP and 802.1p priority. The series also support assignment of drop precedence and local precedence to packets according to the DSCP or 802.1p level.

3.9.3 Traffic Policing/Bandwidth Assurance

Traffic policing polices the traffic matching a traffic classification rule on the port where the packets are received, so that the traffic can effectively use the assigned network


H3C Proprietary

3-27

resources such as bandwidth. Traffic policing can also secure the bandwidth for specific services.

Bandwidth assurance refers to assuring the minimum bandwidth for a special traffic so that it can satisfy such QoS requirements as packet loss rate, delay, jitter even when network congestion occurs.

The S5120-EI series implement traffic policing mainly by limiting the rate of packet-receiving ports, supervising traffic entering a specific network, and performing priority marking for packets within the traffic limit to provide differentiated services. If the traffic is too big, you can drop or try to forward the excessive traffic or remark the priority of the traffic.

3.9.4 Traffic Statistics

Based on traffic classification, the S5120-EI series can perform traffic statistics for the identified packets.

This function counts the total number of all packets that match the specified traffic classification rule to facilitate the analysis of specific traffic flows on the network.

3.9.5 Traffic Mirroring

Based on traffic classification, the S5120-EI series can perform traffic mirroring for the identified packets to re-monitor service traffic flows that match the traffic classification rule. This function copies the data packets that match the traffic classification rule to the monitoring port to facilitate network tests and troubleshooting.

3.9.6 Traffic Redirection

Based on traffic classification, the S5120-EI series can redirect the identified packets. The traffic redirection function enables you to re-specify the output port of packet forwarding and bypass the Bridge mechanism, with the destination port determined by the traffic redirection function.

3.9.7 Port Mirroring

Port mirroring is used for monitoring packets on a specific port.

This function copies the data packets on the specified port to the monitoring port to facilitate network tests and troubleshooting.

The S5120-EI series support inbound and outbound port mirroring.

3.9.8 Queue Scheduling

Queue scheduling applies to the situation where multiple forwarded packets compete for the resources. The S5120 series support four queue scheduling algorithms: strict


H3C Proprietary

3-28

priority (SP), weighted round robin (WRR) and SP+WRR. These algorithms process packet forwarding problems of each output queue on the switch ports based on their own rules. The following sections describe these algorithms briefly:

1) SP queue-scheduling algorithm

Queue 7

Queue 6

Queue 1

Queue 0

……

Packets to be sent through this port

Packet classification

High priority

Low priority

Sent packets

Interface

Sending queueQueue scheduling

Figure 3-15 Diagram for SP queuing

SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay. Assume that there are eight output queues on the port and the preferential queue classifies the eight output queues on the port into eight classes, which are queue7, queue6, queue5, queue4, queue3, queue2, queue1, and queue0. Their priorities decrease in order.

In queue scheduling, SP sends packets in the queue with higher priority strictly following the priority order from high to low. When the queue with higher priority is empty, packets in the queue with lower priority are sent. You can put critical service packets into the queues with higher priority and put non-critical service (such as e-mail) packets into the queues with lower priority. In this case, critical service packets are sent preferentially and non-critical service packets are sent when critical service groups are not sent.

The disadvantage of SP queue is that: if there are packets in the queues with higher priority for a long time in congestion, the packets in the queues with lower priority will be “starved” because they are not served.


H3C Proprietary

3-29

II. WRR queue-scheduling algorithm

Queue 1 Weight 1

……

Queue 2 Weight 2

Queue N-1 Weight N-1

Queue N Weight N

Packets to be sent through this port Sent packets

Interface

Queue scheduling

Sending queuePacket

classification

Figure 3-16 Diagram for WRR queuing

WRR queue-scheduling algorithm schedules all the queues in turn and every queue can be assured of a certain service time.

In a typical H3C switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0. A weight value indicates the proportion of resources available for a queue. On a 100-Mbps port, configure the weight value of WRR queue-scheduling algorithm to 5, 5, 3, 3, 1, 1, 1, and 1 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 in order). In this way, the queue with the lowest priority can get 5 Mbps (100 Mbps × 1/(5+5+3+3+1+1+1+1)) bandwidth at least, and the disadvantage of SP queue-scheduling that the packets in queues with lower priority may not get service for a long time is avoided. Another advantage of WRR queue is that: though the queues are scheduled in order, the service time for each queue is not fixed; that is to say, if a queue is empty, the next queue will be scheduled. In this way, the bandwidth resources are made full use.

III. SP+WRR

SP + WRR queue scheduling algorithm is used to configure some queues of each port with the SP algorithm and configure other queues with the WRR algorithm so that bandwidth resources can be fully utilized.

A port of an S5120-EI Ethernet switch supports eight output queues. If you set the weight or the bandwidth of one or multiple queues to 0, the switch will add the queue or these queues to the SP group, where SP is adopted. For other queues, WRR still applies. In this case, both SP and WRR are adopted.


H3C Proprietary

3-30

In cases where both SP and WRR queue scheduling algorithms are adopted, the queues in the SP group take precedence over other queues. For example, if queue 0, queue 1, queue 2, and queue 3 are in the SP group, queue 4, queue 5, queue 6, and queue 7 are scheduled using WRR, the switch will schedule the queues in the SP group preferentially by using the SP algorithm. Then queues outside the SP group are scheduled by using WRR algorithm only when all the queues in the SP group are empty.

3.9.9 User Profile

The S5120-EI series switches use user profiles to control the effective scope of a QoS policy, and flexibly control system resource assignment for users.

A user profile provides a configuration template to save predefined configurations. Based on different application scenarios, you can configure different items for a user profile, such as Committed Access Rate (CAR), Quality of Service (QoS), and so on.

With user profiles, you can:

Make use of system resources more granularly. For example, without user profiles, you can apply a QoS policy based on interface, VLAN, globally and so on. This QoS policy is applicable to a group of users. With user profile, however, you can apply a QoS policy on a per-user basis which pass the authentication and access the device.

Control system resource assignment for users more flexibly. For example, without user profiles, you can perform traffic policing based on CAR, ACL, or for all the traffic of the current interface; when the physical position of users changes (for example, the users access the network using another interface), you need to configure traffic policing on another interface. With user profiles, however, you can perform traffic policing on a per-user basis. As long as users are online, the authentication server applies the corresponding user profile (with CAR configured) to the users; when the users are offline, the system automatically removes the corresponding configuration.

3.10 Centralized Management Features

3.10.1 HGMP

Through cluster management, the network administrator can configure and troubleshoot multiple switches through a single public network IP address of a primary switch. In each cluster, there is a master switch called a command switch. The rest of the switches serve as member switches. A member switch is typically not configured with an IP address. The command switch and member switches form a cluster. In a cluster the switches have different roles based on different roles and functions. You can specify switch roles. The roles can be switched based on certain rules.


H3C Proprietary

3-31

Switch roles in a cluster include command switch, member switch, standby switch, and candidate switch.

1) Command switch: the switch configured with a public network IP address. A management command is sent to the command switch and the command switch processes this command. If the destination is a member switch, the management command will be forwarded to the command switch.

2) Member switch: a member in a cluster. The member switch is managed through the proxy of the command switch. Typically no public network IP address is set for the member switch.

3) Candidate switch: Candidate switches are cluster-capable devices that have not yet been added to a cluster.

3.11 Security Features

The popularity of network applications, especially in some sensitive occasions (e-commerce for example), highlights the issue of network security.

The S5120-EI series have been designed based on full consideration of customers’ demands, so as to provide full-range network solutions.

With respect to terminal access control and user access control, the S5120-EI series provide the following network security features:

Hierarchical user management and password protection IP Source Guard MAC address black hole MAC address learning limit Binding of MAC addresses to ports Supports SSH 2.0 IEEE 802.1x compliant access user authentication Supports MAC address based authentication Supports local and RADIUS authentication modes Supports port isolation

With respect to filtering and authenticating Ethernet frames and packets from the upper layers, the S5120-EI series support:

ACL, with which information is filtered at layers 2 through 4 (such as based on port, by source/destination MAC address, by source/destination IP address, or by the type of upper layer protocol).

Encrypted authentication of SNMPv3

3.11.1 Terminal Access User Classification

The S5120-EI series protect command lines in a hierarchical way by dividing the command lines into four levels: visitor, monitor, operator, and administrator.


H3C Proprietary

3-32

Commensurate with the command division, login users are classified into four levels. A login user can use only the commands equal to or lower than its level.

3.11.2 SSH

When users log in to the Ethernet switch from an insecure network, Secure Shell (SSH) offers security information protection and powerful authentication function to safeguard the Ethernet switch from attacks, such as IP address spoofing and plain text cipher interception. An Ethernet switch can accept multiple SSH customer connections at the same time. The SSH client allows users to connect to the Ethernet switches and UNIX mainframes that support SSH servers.

The S5120-EI series Ethernet switches support SSH2.0.

3.11.3 Port Isolation

Port isolation means isolating ports of the same switch so that Layer 2 and Layer 3 packet forwarding cannot be implemented between these ports. This prevents visiting between the ports, effectively controls unnecessary broadcasting and increases the network throughput.

3.11.4 IEEE 802.1x Authentication

IEEE 802.1x is virtually a port-based network access control protocol. As “port-based network access control” implies, the NAS on a LAN authenticates and controls the connected customer premises equipment (CPE) at the port level. If the CPE connected to a port passes authentication, it is allowed to access the LAN resources. Otherwise, it is rejected just like its physical link is disconnected.

In implementing 802.1x, the Ethernet switches not only support the port-based access authentication, but also extends and optimizes it by:

Allowing a physical port to be connected to several terminals. Supporting access control (that is user authentication) based on MAC address

in addition to port.

This greatly enhances the security, operability and manageability of the system.

Note that, although 802.1x provides an implementation scheme for user authentication, the protocol itself is not enough to implement the scheme. The NAS administrators, however, can use RADIUS or local authentication to complete the user authentication with 802.1x.


H3C Proprietary

3-33

3.11.5 802.1x EAD Fast Deployment

I. Overview

As an integrated security scheme, an endpoint admission defense (EAD) scheme can improve the overall defense capability of a network. However, EAD deployment brings much workload in actual applications. To solve this problem, you can use 802.1x functions to implement fast deployment of EAD scheme.

To address the issue, the S5120-EI series switches enable the user’s quick redirection to EAD client download server with 802.1x authentication, easing the work of EAD client deployment.

II. Operation of Quick EAD Deployment

Quick EAD deployment is achieved with the two functions: restricted access and HTTP redirection.

1) Restricted access

Before passing 802.1x authentication, a user is restricted (through ACLs) to a specific range of IP addresses or a specific server. Services like EAD client upgrading/download and dynamic address assignment are available on the specific server.

2) HTTP redirection

In the HTTP redirection approach, when the terminal users that have not passed 802.1x authentication access the Internet through Internet Explorer, they are redirected to a predefined URL for EAD client download.

The two functions ensure that all the users without an EAD client have downloaded and installed one from the specified server themselves before they can access the Internet, thus decreasing the complexity and effort that EAD client deployment may involve.

3.11.6 IP Source Guard

By filtering packets on a per-port basis, IP source guard prevents illegal packets from traveling through, thus improving the network security. After receiving a packet, the port looks up the key attributes (including IP address, MAC address and VLAN tag) of the packet in the binding entries of the IP source guard. If there is a matching entry, the port will forward the packet. Otherwise, the port will abandon the packet.

IP source guard filters packets based on the following types of binding entries:

IP-port binding entry, MAC-port binding entry IP-MAC-port binding entry IP-VLAN-port binding entry MAC-VLAN-port binding entry


H3C Proprietary

3-34

IP-MAC-VLAN-port binding entry.

You can manually set static binding entries, or use DHCP Snooping to provide dynamic binding entries. Binding is on a per-port basis. After a binding entry is configured on a port, it is effective only to the port, instead of other ports.

3.11.7 MAC address authentication

MAC address authentication is a port and Mac address based authentication method to control the network access authority of users. MAC address authentication does not the users to install any client software. The switch enables authentication on a user once it detects a new MAC address of the user.

The S5120-EI series support the following two types of MAC address authentication:

MAC address mode: the MAC address of a user is used as both the user name and password.

Fixed mode: the user name and password are configured on the switch beforehand. In this case, all the users correspond to the fixed user names and passwords configured on the switch.

3.11.8 MAC Address Learning Limit

MAC address learning limit: limits the number of MAC addresses learned by an Ethernet switch port. The number ranges from 0 to 4k. Static MAC addresses added on the port are not affected.

3.11.9 Binding of MAC Addresses to Ports

If the MAC address of a network device is bound with a port, you can access the Internet through this port only.

3.11.10 MAC Address Black Hole

On an S5120-EI series switch, you can enable the black hole function and configure a black hole list. When the switch receives a packet with a source or destination MAC address in the black hole, it drops the packet.

3.11.11 AAA/RADIUS/HWTACACS

The S5120-EI series support user authentication locally or with RADIUS/HWTACACS servers.

I. AAA

AAA is the abbreviation of Authentication, Authorization and Accounting. It provides a uniform framework to configure the security functions including authentication,


H3C Proprietary

3-35

authorization, and accounting. Actually, it offers a way to control the network security, which can be implemented with RADIUS.

AAA performs the following services:

Authentication: Authenticates if the user can access the network sever. Authorization: Authorizes the user with specified services. Accounting: Tracks the network resources consumed by users.

II. RADIUS

RADIUS is a distributed system in the client/server model. It can fend off invalid users and is often used in a network environment where both high security and remote user access are desired. For example, it can be used to manage the access based on 802.1x.

RADIUS is based on the client/server model where user authentication always involves a device that can provide the proxy function, such as NAS. Between the RADIUS client and server, the exchanged messages are authenticated using a shared key and user passwords are sent encrypted over the network. The security is thus ensured.

III. HWTACACS

HWTACACS is a security protocol providing enhanced functions based on TACACS (RFC1492). Similar to RADIUS, this protocol mainly enables the AAA for multiple types of users in the Server-Client mode. It can be used for the AAA of PPP and VPDN access users and login users.

Compared with RADIUS, HWTACACS features more reliable transmission and encryption, making it more suitable for security control. The major differences between HWTACACS and RADIUS are listed in the table below:

Table 3-2 HWTACACS vs. RADIUS

HWTACACS RADIUS

Uses TCP for more reliable transmissions over the network. Uses UDP.

Encrypts packet body completely, except the standard HWTACACS packet header.

Encrypts only the password field in authentication packets.

Authentication and authorization are separated. For example, RADIUS can be used for authentication, while HWTACACS is used for authorization.

Authentication and authorization are not separated.

Suitable for security control. Suitable for accounting.

Allows different users to use different configuration commands on the routing module of the switch.

Does not support this feature.


H3C Proprietary

3-36

HWTACACS is mainly used when a dialup user or terminal user needs to log on to the switch. As the client of HWTACACS, the switch sends the user name and password to the HWTACACS server for authentication. After passing the authentication, the user can log on to the switch and perform operations.

3.12 Reliability Features

3.12.1 Smart Link

Dual-uplink networks (as shown in Figure 3-17) are common in use. In a network of this type, Spanning Tree Protocol (STP) is usually employed to allow for link redundancy. However, STP cannot satisfy the users with high demand on convergence time.

Smart Link is dedicated to dual-link networks as shown in Figure 3-17 to provide link redundancy with rapid convergence (sub-second level). It allows the backup link to take over quickly when the primary link fails. In addition to fast convergence, Smart Link is easy to configure.

Switch A

Switch B

Switch C Switch E

Switch D

GE1/0/1 GE1/0/2

GE1/0/1

GE1/0/2

GE1/0/1

GE1/0/1

GE1/0/1

GE1/0/2

GE1/0/2

GE1/0/2

GE1/0/3 GE1/0/3

Internet

Figure 3-17 Smart link application scenario

II. Smart link group

A smart link group consists of only two member ports: the master and the slave. At a time, only one port is active for forwarding, and the other port is blocked, that is, in the standby state. When link failure occurs on the active port due to port shutdown or presence of unidirectional link for example, the standby port becomes active to take over while the original active port transits to the blocked state.

Note that a port can join only one smart link group.

As shown in Figure 3-17 , GE1/0/1 and GE1/0/2 of Switch C form a smart link group, with GE1/0/1 being active and GE1/0/2 being standby. GE1/0/1 and GE1/0/2 of Switch E form another smart link group, with GE1/0/2 being active and GE1/0/1 being standby.


H3C Proprietary

3-37

III. Master port

Master port is a port role in a smart link group. When both ports in a smart link group are up, the master port preferentially transits to the forwarding state. Once the master port fails, the slave port takes over to forward traffic until next link switchover. During this period, the master port stays in standby state even if it has recovered.

As shown in Figure 3-17, you can configure GE1/0/1 of C and E GE1/0/2 of Switch E as master ports.

IV. Slave port

Slave port is a port role in a smart link group. When both ports in a smart link group are up, the slave port is placed in the standby state. When the master port fails, the slave port takes over to forward traffic.

As shown in Figure 3-17, you can configure GE1/0/2 of Switch C and GE1/0/1 of Switch E as slave ports.

V. Flush message

Flush messages are used by a smart link group to notify other devices to refresh their MAC address forwarding entries and ARP/ND entries when link switchover occurs in the link group.

VI. Transmit control VLAN

The transmit control VLAN is used for transmitting flush messages. When link switchover occurs, the devices (such as Switch C and E in Figure 3-17) broadcast flush messages within the VLAN.

VII. Receive control VLAN

The receive control VLAN is used for receiving and processing flush messages. When link switchover occurs, the devices (such as Switch A, B, and D in Figure 3-17) receive and process flush messages in the receive control VLAN and refresh their MAC address forwarding entries and ARP/ND entries.

3.12.2 Monitor Link

Monitor Link is a collaboration scheme introduced to complement for Smart Link. It is usually used in conjunction with Layer-2 topology protocols. The idea is to adapt the up/down state of downlink ports to the up/down state of uplink ports, triggering link switchover on the downlink device in time. It is used to monitor uplink and to perfect the backup function of Smart Link.


H3C Proprietary

3-38

3.12.3 RRPP

The Rapid Ring Protection Protocol (RRPP) is a link layer protocol designed for Ethernet rings. RRPP can prevent broadcast storms caused by data loops when an Ethernet ring is healthy, and rapidly restore the communication paths between the nodes in the event that a link is disconnected on the ring.

Compared with the IEEE spanning tree protocols, RRPP features the following:

Fast topology convergence Convergence time independent of Ethernet ring size

Port 1

Port 2

Port 1

Port 2

Port 1

Port 2 Port 1

Port 2

Port 3

Port 3

Device A Device B

Device CDevice D

Device E

Edge node

Master node

Transit node

Assistant edge node

Domain 1

Ring 1 Ring 2

Master node

Figure 3-18 Network diagram for RRPP

By configuring an individual RRPP domain for transmitting the traffic of the specified VLANs (referred to as protected VLANs) in a ring network, traffic of different VLANs can be transmitted according to different topologies in the ring network. In this way, load balancing is achieved.

As shown in Figure 3-19, Ring 1 is configured as the primary ring of both Domain 1 and Domain 2. In Domain 1, Device A is configured as the master node of Ring 1; in Domain 2, Device B is configured as the master node of Ring 1. Such configurations enable the ring to block different links based on VLANs, thus achieving single-ring load balancing.


H3C Proprietary

3-39

Device A Device B

Device CDevice D

Domain 1 Ring 1 Domain 2

Figure 3-19 Network diagram for single-ring load balancing

3.13 IRF

The Intelligent Resilient Framework (IRF) is an innovative technology developed by H3C for mid-range and low-end switches. With IRF, users can design and realize high availability, scalability and reliability at the core layer and distribution layer of gigabit Ethernet networks.

3.13.1 Physical Connections

You can connect multiple IRF supporting S5120-EI switches to form a logical switching entity, which looks like a switching device from the management view. This type of virtual device features low cost like box-type switches, and high scalability and availability of distributed chassis switches.

Figure 3-20 IRF virtual device

The devices in an IRF stack exchange hello packets to collect topology of the entire stack and to inform topology changes to the management module. Adding or deleting a member device is similar to inserting or removing a board to or from a chassis switch. This mechanism realizes hot backup and provides excellent scalability.


H3C Proprietary

3-40

Figure 3-21 Add a member to the IRF stack

In an IRF stack, every single device is a stack member, and plays one of the following two roles according to its function:

Master: The stack member elected to manage the entire stack. An IRF stack has only one master at one time.

Slave: A stack member managed by the master and operates as a backup of the master. In an IRF stack, except for the master, all the other devices are slaves.

A typical IRF stack has a bus connection or a ring connection:

Bus topology Ring topology

IRF

Master

Slave

Slave

Slave IRF

Slave Slave

Slave Master

Figure 3-22 Physical connections of an IRF stack

The orange lines in the figure represent stack links, which are different from common Ethernet network cables. A stack link can be composed of either one physical line or multiple physical lines.

3.13.2 Easy Management

An IRF stack can be regarded as a single entity. You can manage the entire IRF stack by logging in to any unit in the stack either from its console port or a network port through Telnet.


H3C Proprietary

3-41

The management center of an IRF stack is its master device. All login requests and configurations you made are processed on the master device, regardless of by what means or from which member device you log in to the stack. Eventually, the configurations you made are synchronized by the master to the slaves.

An IRF stack uses member IDs to uniquely identify member devices. The member IDs are also used in port numbers to identify users. For example, if the member ID of a device is 3, its port number is GigabitEthernet 3/0/x.

3.13.3 Efficient Redundancy Backup

By using S5120-EI series switches to form an IRF stack, you can provide abundant access ports and enhanced forwarding capability. Considering strict requirements for reliability at the distribution layer of a network and data centers, IRF is designed to provide redundancy at the device level, protocol level and link level.

I. Device level 1:N backup

Common distributed chassis devices use 1:1 backup, where a backup module keeps synchronization with the primary module and takes over when the primary module fails.

IRF uses 1:N backup, where multiple slaves are configured as the backups of the master and are strictly synchronized with the master. Once the master fails, a new master is elected from the slaves to prevent service interruption. Because the slaves are strictly synchronized with the master, the switchover has little impact on ongoing services. Thus, reliability is improved.

II. Protocol level hot backup

When an IRF stack works normally, all protocol information and entries are synchronized among the devices. If one or more devices fail, other devices can take the services from the failed devices immediately to ensure normal working of the entire stack.

For example, the master in normal working state synchronizes the ARP information to all the devices in the IRF stack.


H3C Proprietary

3-42

12

3 4

ARP ARP

Backup Information

IRF

Figure 3-23 ARP information synchronization

If the master fails, the IRF stack elects a slave (suppose its member ID is 2) as the new master, which then continues communicating with the uplink routers using the ARP information synchronized from the former master, and synchronizes update information to other slaves. Thus, the operation of the entire IRF stack is uninterrupted.

12

3 4

ARP ARP

IRF

Backup Information

Figure 3-24 ARP protocol backup

III. Link level backup

Traditional link aggregation technologies provide protection against link failures but not protection against single point of failures caused by node failures. The new distributed link aggregation technology provided by IRF can effectively address this single-point failure issue.

With distributed link aggregation of IRF, you can assign ports on different stack units to the same link aggregation group. Thus, even when a unit fails causing unavailability of the link aggregation member port or ports on the unit, traffic can be forwarded out the


H3C Proprietary

3-43

link aggregation member ports on any other available stack unit to the destination. Meanwhile, the stack links between IRF member devices provide a rate up to 12/24 Gbps, which allows multiple aggregation groups to work at the same time.

12

3 4

IRF

12

3 4

IRF

Data packets

Data packets

Data packets

Figure 3-25 Distributed aggregation

System Description H3C S5120-EI Series Ethernet Switches Chapter 4 System Maintenance and Management

H3C Proprietary

4-1

Chapter 4 System Maintenance and Management

4.1 Simple and Flexible Maintenance System

4.1.1 System Configuration

The S5120-EI series can be configured through the command line interface (CLI), NMS, or Web.

In the CLI approach, you can configure the S5120-EI series locally through the console port, or configure it remotely through modem dialup or Telnet. As for Telnet, both Telnet server and Telnet client are supported.

In the NMS approach, you can configure the S5120-EI series through an SNMP-based NMS.

In the Web approach, you can configure the models in the S5120-EI series that support the Web-based network management.

4.1.2 System Maintenance

The S5120-EI series provide diverse management and maintenance functions:

LEDs are available on the switches and optional modules, indicating the board running status.

Remote maintenance through Telnet Hierarchical management of user authorities and operation logs, as well as online

help function Hierarchical alarm management and alarm filtering System status query, version query, debugging and tracing functions, to monitor

system running status

4.1.3 System Test and Diagnosis

The S5120-EI series provide means for system software and hardware fault detection and diagnosis. The tools such as ping and tracert are available for you to test network connectivity and trace packet transmission paths on line and hence address faults.

4.1.4 Software Upgrade

The S5120-EI series provide multiple approaches to software upgrade, and support remote upgrade and rollback to the previous version after upgrade.

The S5120-EI series support software upgrade methods:

Software upgrade through a serial port by using the XModem protocol.


H3C Proprietary

4-2

Software upgrade through an Ethernet port through TFTP or FTP. Software upgrade through the Web-based NMS through HTTP.

4.2 iMC NMS

The S5120-EI series support iMC NMS for centralized management, which is usually implemented in multilingual graphic interfaces. The NMS provides management in topology, configuration, fault, security, and performance.

4.2.1 Topology Management

The iMC NMS helps you learn your network in the most direct and convenient way by providing a network-wide device topology view. The NMS delivers powerful topology management. It provides physical topology view, logical topology view, and customized views, offering a unified network-wide equipment view. It also provides user-friendly interfaces for network/equipment operation and maintenance. The NMS supports automatic topology discovery, reflecting the real-time changes in network topology and equipment status.

4.2.2 Configuration Management

With the IMC, you can configure and manage the S5120-EI series Ethernet switches, such as querying/enabling/disabling ports, querying/resetting/loading boards, and querying port parameters/VLAN configurations.

4.2.3 Fault Management

Fault management is the most important and common management approach during the network operation and maintenance. In the graphic interfaces, you can implement equipment running/fault status query, real-time monitoring, fault filtering/locating/check/analysis. The system provides audio prompt and graphical displays on the alarm card. Additionally, it can be connected to the alarm box and therefore facilitates routine maintenance.

4.2.4 Performance Management

The IMC can collect and analyze performance data, monitor performance, and provide graphical performance reports in different forms. You can thus learn the information on equipment load and access traffic, track network service quality, and allocate network resources based on your network evaluation.


H3C Proprietary

4-3

4.2.5 Security Management

The IMC provides many security measures to strictly authenticate the user’s operations and ensure the system security. It offers detailed operation log for later query and analysis.

4.3 Web-Based Network Management

Web-based network management allows you to manage and maintain a switch through Web. In the implementation of Web-based network management, the switch provides a built-in Web server and runs a Web-based network management program on the homepage at the IP address of the management VLAN. The PC users connected to the Ethernet ports on the switch can access and use, through a browser, the program on the homepage to manage the switch. Figure 4-1 shows the Web-based network operating environment:

Figure 4-1 Web-based network management operating environment

System Description H3C S5120-EI Series Ethernet Switches Chapter 5 Networking Applications

Huawei Technologies Proprietary

5-1

Chapter 5 Networking Applications

The S5120-EI series are designed as access layer switches for enterprise networks and MANs. The S5120-EI series provide 24 or 48 autosensing Gigabit Ethernet ports and four SFP Combo Gigabit optical interfaces. In addition, the S5120-EI series provide two extension slots. You can configure XFP/CX4/SFP+ extension module and up to four 10GE ports are supported. Networking is very flexible. The S5120-EI series can apply to Gigabit Ethernet to the desktop (GTTD) access of enterprise networks, user access of campus networks.

The S5120-EI series can serve as access layer switches that provide large access bandwidth and high port density. The S5120-EI series also provide PoE. Through Ethernet cables, the S5120-EI series can provide power to IP phone, WLAN AP, and other PD devices that support IEEE 802.3af to facilitate network maintenance and management.

S5120-EI/ S5120-PWR-EI

Access

CoreDistribution

S9500/S7500E

S5120-EI/ S5120-PWR-EI

S5500-EIS5800

Figure 5-1 Application of the S5120-EI series at the access layer

System Description H3C S5120-EI Series Ethernet Switches Chapter 6 Guide to Purchase


6-1

Chapter 6 Guide to Purchase

To meet varied customer needs, the S5120-EI series can be delivered to your order. You can purchase the S5120-EI series and optional interface modules as needed.

6.1 Purchasing the S5120-EI Series

When you order the S5120-EI series, take the following points into account.

I. Network requirements

Location and function of the switch in your network Desired processing and access capabilities in both directions Desired scalability (in case of network capacity expansion) Transmission distance of the switch in the network

II. Power system

DC power supply or AC power supply Whether to support PoE

Table 6-1 List of the S5120-EI series and corresponding power supply systems

Device name Description

S5120-28C-EI Ethernet switch Use the AC power supply, the input voltage range is 100 V to 240 V; when RPS is used, the input voltage range is 10.8 V to 13.2 V.

S5120-52C-EI Ethernet switch

S5120-24P-EI Ethernet switch

S5120-48P-EI Ethernet switch

S5120-28C-PWR-EI Ethernet switch Use AC power supply, support PoE power supply, and the input voltage range is 100 V to 240 V; when RPS is used, the input voltage range is -52 V to -55V.

S5120-52C-PWR-EI Ethernet switch

6.2 Supported Interface Modules

The S5120-C-EI series switches support four types of interface modules:

1-port XFP 10-GE interface module: supports the XFP modules listed in

Table 6-3, supports IRF stack.



6-2

2-port XFP 10-GE interface module: supports the XFP modules listed in


2-port CX4 10-GE interface module: supports the CX4 modules listed in


2-port SFP+ 10-GE interface module: supports only the SFP+ modules and

SFP+ cables listed in Table 6-5, does not support 1000 Mbps SFP modules,

supports IRF stack.

6.3 Purchasing SFP Modules

Table 6-2 List of SFP modules

SFP module name

Central wavelengt

h

User interface

connector type

Fiber specifications Max.

transmission

distance

SFP-GE-SX-MM850-A 850nm

LC

50/125µm multi-mode fiber

550 m (1804.5 ft.)

62.5/125µm multi-mode fiber

275 m (902.2 ft.)

SFP-GE-LX-SM1310-A

1310nm

single-mode fiber

10 km (6.2 miles)

SFP-GE-LH40-SM1310

40 km (24.9 miles)

SFP-GE-LH40-SM1550

1550nm

40 km (24.9 miles)

SFP-GE-LH70-SM1550

70 km (43.5 miles)

SFP-GE-LX-SM1310-BIDI

TX1310/RX1490

LC single-mode fiber 10 km (6.2 miles) SFP-GE-LX-S

M1490-BIDI TX1490/RX1310,

SFP-GE-T None RJ-45 twisted-pair 100 m (328.1 ft.)



6-3

6.4 Purchasing XFP Optical Modules

Table 6-3 List of XFP modules

XFP module name

Central wavelength

User interface

connector type

Optical fiber Max.

transmission distance

XFP-SX-MM850 850 nm LC

50/125 µm multi-mode fiber

300 m (984.3 ft)

62.5/125 µm multi-mode fiber 33 m (108.3 ft)

XFP-LX-SM1310 1310 nm

LC

9/125 µm single-mode fiber

10 km (6.2 miles)

XFP-LH40-SM1550-F1 1550 nm 9/125 µm

single-mode fiber 40 km (24.9 miles)

6.5 Purchasing the Short-haul 2-port 10-GE CX4 Module

This module provides two 10GE electrical interfaces. It supports CX4 electrical standards and protocols. The maximum transmission distance is 3 meters (9.8 ft). CX4 cables are used to connect the devices.

Table 6-4 List of CX4 modules

CX4 module name

Central wavelength

User interface

connector type

Optical fiber Max.

transmission distance

LSPM2STKA

–– 4X Infiniband CX4 cable

0.5 m (1.6 ft.)

LSPM2STKB 1 m (3.3 ft.)

LSPM2STKC 3 m (9.8 ft.)

Note:

The ports on the CX4 extension modules are connected to other CX4 ports through CX4 cables. For details about CX4 cables, see section 2.8 CX4 Cable.



6-4

6.6 Purchasing the SFP+ Transceivers and SFP+ Cables

A dual-port 10 GE SFP+ interface module provides two 10 Gbps SFP+ ports. You can insert an SFP+ transceiver into the port to connect it to another SFP+ port through an optical fiber, or an SFP+ cable provided by H3C. For details about the supported SFP+ transceivers and SFP+ cables, refer to Table 6-5.

Table 6-5 SFP+ transceivers and SFP+ cables supported by dual-port 10 GE SFP+ interface module

Transceiver/Cable type

Transceiver/Cabl

e Central

wavelength Connector Fiber Max

transmission

distance

10 GE SFP+ transceiver

SFP-XG-SX-MM850-A

850 nm

LC

50/125 µm multimode optical fiber

300 m (984.3 ft.)

SFP-XG-LX220-MM1310

1310 nm

62.5/125 µm multimode optical fiber

220 m (721.8 ft.)

SFP-XG-LX-SM1310

9/125 µm single mode optical fiber

10 km (about 6.2 mi)

Short-haul 10 GE SFP+ cable

LSWM1STK

— SFP+ SFP+ cable

0.65 m (2.1 ft.)

LSWM2STK

1.2 m (3.9 ft.)

LSWM3STK 3 m (9.8 ft.)

Note:

The types of SFP+ transceivers and SFP+ cables may update with time. For information about them, contact H3C technical support or marketing staff.

table of contents...system description h3c s5120-ei series ethernet switches chapter 1 product...

Documents