d70312c3e806f44da32de1a53e018bbb.ppt
- Number of slides: 23
H3C S3100-EI Intelligent Secure Switches
Content
- Introduction
- Highlight Features
- Typical Solutions
www.h3c.com.cn
Introduction
Hardware Specification
Models: S3100-26TP-EI, S3100-26TP-PWR-EI, S3100-16TP-PWR-EI, S3100-8TP-PWR-EI
Highlights:
- 8/16/24 x 10/100Base-TX ports (PoE) + 1/2 x 10/1000Base-T and 2 x 1000Base-SFP uplinks
- Switching capacity: up to 17.6 Gbps; throughput: 13.1 Mpps
- Full wire-speed FE ports and GE uplinks
- PoE
Highlight Features
Highlights of S3100-EI
Performance:
- Up to 17.6 Gbps switching fabric
- Up to 6.55 Mpps
- 8K MAC addresses
- 4K VLANs
Security:
- VLAN- and port-based ACLs
- ARP detection
- Port security
- IP source guard
- DHCP snooping trust
Availability:
- Smart Link
- Power over Ethernet
- Voice VLAN
Management & Maintenance:
- SNMPv1/v2/v3
- IPv6 host
- RSPAN
- VCT, DLDP
- LDT
ARP Spoofing – How to attack
(Diagram reconstructed from the slide text: three devices on one segment.)
- Device A: IP 10.1.1.1, MAC A 0002:5547:bc34 (the gateway)
- Device B: IP 10.1.1.20, MAC B 0009:6b71:877e (the attacker)
- Device C: IP 10.1.1.50, MAC C 0010:a4aa:36db (the victim)
Device B sends two gratuitous ("free") ARP messages: "10.1.1.50 = MAC B" towards Device A and "10.1.1.1 = MAC B" towards Device C.
ARP table of Device A:
- 10.1.1.20 -> 0009:6b71:877e
- 10.1.1.50 -> 0010:a4aa:36db (normal)
- 10.1.1.50 -> 0009:6b71:877e (after the spoofed ARP)
ARP table of Device C:
- 10.1.1.20 -> 0009:6b71:877e
- 10.1.1.1 -> 0002:5547:bc34 (normal)
- 10.1.1.1 -> 0009:6b71:877e (after the spoofed ARP)
ARP table of Device B:
- 10.1.1.1 -> 0002:5547:bc34
- 10.1.1.50 -> 0010:a4aa:36db
Legend: normal flow / attacked flow. In the attacked flow, traffic between A and C is relayed through B.
How To Anti ARP Spoofing
Scenario: gateway 10.1.1.1 (MAC A); attacker 10.1.1.20 (MAC B); victim 10.1.1.50 (MAC C). The attacker sends the gratuitous ARPs "10.1.1.50 = MAC B" and "10.1.1.1 = MAC B"; the switch answers "NO!" and discards them.
- DHCP Snooping: creates a dynamic binding table of MAC + IP + port + VLAN from the DHCP exchanges the switch observes.
- ARP Intrusion Detection: checks whether each ARP packet matches the DHCP binding table; if it does not, the packet is discarded, which defeats ARP spoofing.
- ARP Packet Rate Limit: limits the ARP packet rate on the ports in order to protect the CPU from massive abnormal packets.
Only ARP Intrusion Detection can solve the problem of ARP spoofing.
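The following is an added example, not H3C code and not the switch's implementation: a small Python model of the two checks the slide describes, ARP intrusion detection against a DHCP snooping binding table (MAC + IP + port + VLAN) and a per-port ARP rate limit, replayed over the gratuitous ARPs from the diagram. The binding entries, port names (Ethernet0/1 to 0/3), VLAN 10, the trusted uplink port and the 15 pps limit are constructed assumptions for the demonstration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: IP + MAC + port + VLAN (constructed sample)."""
    ip: str
    mac: str
    port: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    """The fields of an ARP frame the switch needs for the check."""
    sender_ip: str
    sender_mac: str
    ingress_port: str
    vlan: int
    ts: float  # arrival time in seconds


class ArpInspector:
    def __init__(self, bindings, trusted_ports=(), rate_limit_pps=15):
        # Index bindings by (VLAN, IP): one DHCP lease per address per VLAN.
        self._by_ip = {(b.vlan, b.ip): b for b in bindings}
        self._trusted = set(trusted_ports)  # e.g. the uplink to the gateway
        self._limit = rate_limit_pps        # assumed per-port ARP rate limit
        self._windows = {}  # port -> arrival times seen in the last second

    def _over_rate(self, port, now):
        """Sliding one-second window per port; True once the limit is exceeded."""
        win = self._windows.setdefault(port, deque())
        while win and now - win[0] >= 1.0:
            win.popleft()
        win.append(now)
        return len(win) > self._limit

    def check(self, pkt):
        """Return (verdict, reason); verdict is 'permit' or 'drop'."""
        # Rate limiting runs first so a flood never reaches the binding lookup.
        if self._over_rate(pkt.ingress_port, pkt.ts):
            return "drop", "rate-limit"
        # ARP from a trusted port (DHCP snooping trust) is not inspected.
        if pkt.ingress_port in self._trusted:
            return "permit", "trusted-port"
        b = self._by_ip.get((pkt.vlan, pkt.sender_ip))
        if b is None:
            return "drop", "no-binding"
        if b.mac != pkt.sender_mac.lower() or b.port != pkt.ingress_port:
            return "drop", "binding-mismatch"
        return "permit", "binding-match"


def make_inspector():
    # Constructed binding table for the two DHCP clients from the diagram.
    bindings = [
        Binding("10.1.1.20", "0009:6b71:877e", "Ethernet0/2", 10),  # attacker's host
        Binding("10.1.1.50", "0010:a4aa:36db", "Ethernet0/3", 10),  # victim
    ]
    return ArpInspector(bindings, trusted_ports={"Ethernet0/1"})


def replay_scenario():
    """Replay the slide's gratuitous ARPs plus a flood; return the verdicts."""
    insp = make_inspector()
    pkts = {
        "spoof_victim": ArpPacket("10.1.1.50", "0009:6b71:877e", "Ethernet0/2", 10, 0.0),
        "spoof_gateway": ArpPacket("10.1.1.1", "0009:6b71:877e", "Ethernet0/2", 10, 0.1),
        "victim_real": ArpPacket("10.1.1.50", "0010:a4aa:36db", "Ethernet0/3", 10, 0.2),
        "gateway_real": ArpPacket("10.1.1.1", "0002:5547:bc34", "Ethernet0/1", 10, 0.3),
    }
    results = {name: insp.check(p) for name, p in pkts.items()}
    # 30 otherwise-valid ARPs within one second from the attacker's port.
    flood = [ArpPacket("10.1.1.20", "0009:6b71:877e", "Ethernet0/2", 10, 0.5 + i * 0.01)
             for i in range(30)]
    results["flood_dropped"] = sum(1 for p in flood if insp.check(p)[0] == "drop")
    return results


if __name__ == "__main__":
    for name, verdict in replay_scenario().items():
        print(f"{name:14} {verdict}")
```

The two spoofed ARPs fail for different reasons: the claim "10.1.1.50 = MAC B" contradicts the victim's binding, while "10.1.1.1 = MAC B" has no DHCP binding at all because the gateway address is static; real gateway ARPs are accepted only because they arrive on the trusted uplink. The flood shows why the rate limit is a separate control: the packets are individually valid, so only the per-port counter stops them.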
VLAN Based ACL
- A traditional ACL policy is configured per port, so users have to configure the ACL policy on every port one by one;
- S5500-EI supports VLAN-based ACL policy, so users can define ACL policy easily and flexibly.
Traditional port-based ACL:
#
Interface Port 1
 Deny ftp
 Permit any
#
Interface Port 2
 Deny ftp
 Permit any
#
Interface Port 3
 Deny ftp
 Permit any
#
…
VLAN-based ACL:
#
Vlan 100
 Deny ftp
 Permit any
#
EAD solves end-user secure access problems
(Flow diagram reconstructed from the slide text.)
- Identity Authentication – "Who are you?": an access request from an invalid user is denied; a legal user continues.
- Security Authentication – "Are you secure?": a qualified user proceeds; an unqualified user is directed to the isolation zone for reinforcement.
- Dynamic Authorization – "What can you do?": on the enterprise network, different users have different access rights.
- Activity Audit – "What are you doing?"
EAD Basic Functions
End point Security Inspection – inspect end point security status and defense ability:
- OS version, hot fixes, antivirus software version, virus definitions
- Unqualified software installation & execution
- Virus check; shared folder check; screen saver password check
Enhanced Identity Authentication – guarantee user security & defense ability:
- User name, password, IP, MAC binding
- Stop invalid users through 802.1x or Portal authentication
Unqualified User Isolation – isolate those not complying with the security policy:
- Limit user access authority by VLAN and ACL restrictions
- Isolate end users who do not update system patches or virus definitions
- Isolate end users who install or run unqualified software
- Prevent cross infection & virus outbreak
System Security Reinforcement – force repair of system patches & update of antivirus software:
- Notify and assist the user to repair system holes
- Implement the security policy
- Automated or compulsory manual system patch or virus definition update
- Enhance immunity & increase security
Smart Link
(Diagram residue: S7800 switches, Metro Ethernet Network, DSLAM, LSW, IP/MPLS Core, CE, AMG; dual uplinks, one active and forwarding traffic, the other backup and blocking.)
- Suitable for dual-uplink scenarios; brings higher reliability to the network than Spanning Tree;
- Works in active/standby mode: once the active link fails, the standby link is enabled, and the recovery time is less than 50 ms.
VCT – Virtual Cable Test
S5500-EI VCT (Virtual Cable Test) test items include: whether a short or open circuit exists in the Rx/Tx direction of the cable, and the length of the cable in normal status or the length from the port to the fault point of the cable.
(Diagram: an X marks the fault point on the cable between the S5500-EI port and an S3100.)
[S5500-Ethernet0/4]virtual-cable-test
Cable pair: RX    Status: Open Cable    Error lenth: 5 metres
Cable pair: TX    Status: Open Cable    Error lenth: 5 metres
LDT: Loopback Detection
Loopback Detection monitors the network to avoid loops, which may bring broadcast storms that disturb common network applications.
[S5500-EI]loopback-detection enable
[S5500-EI]display loopback-detection
Port loopback-detection is running
System Loopback-detection is running
Detection interval time is 30 seconds
Loopback link is Dectected
The Loopback link is Port 3
Remote Switch Port Analysis (RSPAN)
(Diagram residue: application server farm; source port; local mirroring port; remote mirroring port; NetStream module; local mirror.)
RSPAN can realize port mirroring across devices; working with the NetStream module, it can realize traffic analysis and monitoring of the whole network.
Power Over Ethernet (PoE)
S5500-EI can provide power over the unified Ethernet to powered devices such as wireless APs, IP phones and web cameras.
- Supports the IEEE 802.3af standard, providing a maximum of 15.4 W to each port
- Supports THREE power supply priority levels: critical/high/low
- Equipped with a 370 W high-power supply to cover a maximum of 24 ports of powered devices
(Diagram: S5500-EI PoE switch powering a PD and an AP. PD: Powered Device; AP: Access Point.)
Voice VLAN
1. MAC address 00E0-BB00-0000, mask ffff-ff00-0000
2. Ah! It is an IP Phone of Vendor A, B, C… (16 vendors in total)
3. Traffic from the IP phone is put into the Voice VLAN automatically
4. Other traffic is processed with lower priority
Queues: Voice Queue – voice data; Data Queue 1 and Data Queue 2 – other data
Benefits:
- Guarantees the QoS of voice data
- Improves security
RoHS Product
H3C always invests heavily in R&D and in advanced manufacturing technology as well. The whole design and manufacturing process of the H3C S3100-EI complies with the RoHS standard released by the European government; therefore it is an absolutely GREEN product which won't pollute the environment.
RoHS: The Restriction of the use of certain Hazardous Substances in Electrical and Electronic Equipment
Typical Solutions
Edge of Campus Network
(Topology residue: S9500/S7500E/S7500, S5500, S3100-EI; the S3100-EI sits at the edge behind the S5500.)
Core of Mid-to-small sized Network
(Topology residue: CAMS server farm and NMS; firewall; S5500-EI core with 10GE and GE links to S5500-SI and S5100-SI PoE access switches.)
IPv6/IPv4 Hybrid Network
(Topology residue: S5500-EI IPv6 networking solution. IPv6 Internet, IPv6 island, IPv6 link, IPv4 Internet; S5500-EI as 6to4 relay; IPv6 IDC; network manager; IPv6 network; IPv6-over-IPv4 tunnel; dual-stack access to the IPv4 network, IPv6 access, IPv4 access, WLAN dual-stack access; IPv6 enterprise users, IPv4 users, mobile network with IPv6 mobile terminals, IPv6 users.)
Hangzhou H3C Technologies Co., Ltd.


