Table of Contents - HP Enterprise Group

System Description
H3C S5500-EI Series Ethernet Switches
Table of Contents
Chapter 1 Product Overview
1.1 Preface
1.2 System Features
1.3 Service Features
Chapter 2 Hardware Description
2.1 S5500-28C-EI Ethernet Switch
2.1.1 Appearance
2.1.2 Front Panel
2.1.3 Rear Panel
2.1.4 Power Supply System
2.1.5 Cooling System
2.1.6 Description of S5500-28C-EI LEDs
2.1.7 Description of Ports
2.2 S5500-52C-EI Ethernet Switch
2.2.1 Appearance
2.2.2 Front Panel
2.2.3 Rear Panel
2.2.4 Power Supply System
2.2.5 Cooling System
2.2.6 Description of S5500-52C-EI LEDs
2.2.7 Description of Ports
2.3 S5500-28C-PWR-EI Ethernet Switch
2.3.1 Appearance
2.3.2 Front Panel
2.3.3 Rear Panel
2.3.4 Power Supply System
2.3.5 Cooling System
2.3.6 Description of S5500-28C-PWR-EI LEDs
2.3.7 Description of Ports
2.4 S5500-52C-PWR-EI Ethernet Switch
2.4.1 Appearance
2.4.2 Front Panel
2.4.3 Rear Panel
2.4.4 Power Supply System
2.4.5 Cooling System
2.4.6 Description of S5500-52C-PWR-EI LEDs
2.4.7 Description of Ports
2.5 S5500-28F-EI Ethernet Switch
2.5.1 Appearance
2.5.2 Front Panel
2.5.3 Rear Panel
2.5.4 Power Supply System
2.5.5 Cooling System
2.5.6 Description of S5500-28F-EI LEDs
2.5.7 Port Attributes
2.6 S5500-28C-EI-DC Ethernet Switch
2.6.1 Appearance
2.6.2 Front Panel
2.6.3 Rear Panel
2.6.4 Power System
2.6.5 Cooling System
2.6.6 LED Description
2.6.7 Description of Port Attributes
2.7 Optional Interface Modules
2.7.1 1-port 10 Gbps XFP Module
2.7.2 2-Port 10-GE XFP Module
2.7.3 2-port 10-GE CX4 Short Haul Module
2.7.4 2-Port GE SFP Module
2.7.5 2-Port 10-GE SFP+ Module
2.7.6 Description of Extension Module LEDs
2.8 CX4 Cable
Chapter 3 Software Features
3.1 Basic Features
3.1.1 Link Aggregation
3.1.2 Traffic Control
3.1.3 DLDP
3.1.4 Broadcast Storm Control
3.1.5 VLAN
3.1.6 GARP/GVRP
3.1.7 QinQ
3.1.8 VLAN Mapping
3.2 Network Protocol Features
3.2.1 ARP
3.2.2 DHCP
3.2.3 UDP Helper
3.2.4 DNS
3.2.5 OAM (802.3ah)
3.2.6 Connectivity Fault Detection (802.1ag)
3.3 NTP
3.4 Routing Features
3.4.1 Static Route and Default Route
3.4.2 RIP v1/v2
3.4.3 RIPng
3.4.4 OSPF v1/v2
3.4.5 OSPF v3
3.4.6 Introduction to IS-IS
3.4.7 Introduction to IPv6 IS-IS
3.4.8 BGP
3.4.9 BGP4+
3.4.10 Equivalent Route
3.4.11 Routing Policy
3.4.12 MCE Features
3.4.13 URPF Features
3.5 Multicast Features
3.5.1 IGMP Snooping
3.5.2 IGMP
3.5.3 PIM-DM
3.5.4 PIM-SM
3.5.5 MSDP
3.5.6 MBGP
3.5.7 Multicast VLAN
3.6 STP/RSTP/MSTP
3.6.1 STP/RSTP
3.6.2 MSTP
3.6.3 STP Protection
3.7 IPv6 Features
3.7.2 NDP
3.7.3 Introduction to IPv6 DNS
3.7.4 Ping IPv6 and Tracert IPv6
3.7.5 IPv6 Telnet
3.7.6 IPv6 TFTP
3.8 IPv6 Multicast Features
3.8.1 MLD Snooping
3.8.2 MLD
3.9 IPv6 over IPv4 Tunnel Features
3.9.1 IPv6 manually configured tunnel
3.9.2 6to4 tunnel
3.9.3 ISATAP Tunnel
3.10 QACL
3.10.1 Traffic Classification
3.10.2 Priority Marking
3.10.3 Traffic Policing/Bandwidth Assurance
3.10.4 Traffic Statistics
3.10.5 Traffic Mirroring
3.10.6 Traffic Redirection
3.10.7 Port Mirroring
3.10.8 Queue Scheduling
3.10.9 Congestion Avoidance
3.10.10 User Profile
3.11 Centralized Management Features
3.11.1 HGMP
3.12 Security Features
3.12.1 Terminal Access User Classification
3.12.2 SSH
3.12.3 Port Isolation
3.12.4 IEEE 802.1x Authentication
3.12.5 802.1x EAD Fast Deployment
3.12.6 IP Source Guard
3.12.7 MAC address authentication
3.12.8 MAC Address Learning Limit
3.12.9 Binding of MAC Addresses to Ports
3.12.10 MAC Address Black Hole
3.12.11 AAA, RADIUS and HWTACACS
3.12.12 Introduction to Portal
3.13 Reliability Features
3.13.1 Smart Link
3.13.2 Monitor Link
3.13.3 VRRP
3.13.4 RRPP
3.14 IRF
3.14.1 Physical Connections
3.14.2 Easy Management
3.14.3 Efficient Redundancy Backup
Chapter 4 System Maintenance and Management
4.1 Simple and Flexible Maintenance System
4.1.1 System Configuration
4.1.2 System Maintenance
4.1.3 System Test and Diagnosis
4.1.4 Software Upgrade
4.2 Quidview NMS
4.2.1 Topology Management
4.2.2 Configuration Management
4.2.3 Fault Management
4.2.4 Performance Management
4.2.5 Security Management
4.3 Web-Based Network Management
Chapter 5 Networking Applications
5.1 Distribution Layer Devices in Medium- and Large-Sized Enterprise or Campus Networks
5.2 Access Switches
5.3 Distribution Layer Devices in Large-Sized Enterprise Networks
5.4 Core in Small- and Medium-Sized Enterprise Networks
5.5 Interconnectivity Devices for an IP SAN
Chapter 6 Guide to Purchase
6.1 Purchasing the S5500-EI Series
6.2 Supported Interface Modules
6.3 Purchasing SFP Modules
6.4 Purchasing XFP Optical Modules
6.5 Purchasing SFP+ Optical Modules and SFP+ cables
6.6 Purchasing the Short-haul 2-port 10-GE CX4 Module
Chapter 1 Product Overview
1.1 Preface
H3C S5500-EI Series Ethernet Switches (hereinafter referred to as the S5500-EI series)
are Gigabit Ethernet switching products developed by Hangzhou H3C Technology Co.,
Ltd. The S5500-EI series have abundant service features. They provide the IPv6
forwarding function and 10-GE uplink interfaces. Through H3C-specific cluster
management, you can streamline network management. The S5500-EI series are
designed as distribution and access devices for intranets and metropolitan area
networks (MANs). Supporting IPv4/IPv6 dual-stack, the S5500-EI series provide
abundant service features and routing functions and can also be used for connecting
server groups in data centers.
The S5500-EI series support the innovative Intelligent Resilient Framework (IRF)
technology. With IRF, multiple S5500-EI switches can be interconnected as a logical
entity to form a new intelligent network featuring high availability, scalability, and
manageability.
Table 1-1 lists the models in the S5500-EI series:
Table 1-1 Models in the H3C S5500-EI series
| Model | Power supply unit | Number of service ports | Ports | Console port |
|---|---|---|---|---|
| H3C S5500-28C-EI | AC-input + RPS (remote power supply) (12 V) | 28 | 24 10/100/1,000 M electrical ports + 4 Gigabit SFP Combo ports + 2 10-GE module slots | 1 |
| H3C S5500-52C-EI | AC-input + RPS (12 V) | 52 | 48 10/100/1,000 M electrical ports + 4 Gigabit SFP Combo ports + 2 10-GE module slots | 1 |
| H3C S5500-28C-PWR-EI | AC-input + RPS (48 V) | 28 | 24 10/100/1,000 M PoE electrical ports + 4 Gigabit SFP Combo ports + 2 10-GE module slots | 1 |
| H3C S5500-52C-PWR-EI | AC-input + RPS (48 V) | 52 | 48 10/100/1000-Mbps PoE electrical ports + 4 Gigabit SFP Combo ports + 2 10-GE module slots | 1 |
| H3C S5500-28F-EI | Hot-swappable AC or 48 VDC 1 + 1 backup power supply | 28 | 24 100/1,000 M SFP ports + 8 10/100/1,000 M Combo electrical ports + 2 10-GE module slots | 1 |
| H3C S5500-28C-EI-DC | DC 48 V + RPS (12 V) | 28 | 24 10/100/1,000 M electrical ports + 4 Gigabit SFP Combo ports + 2 10-GE module slots | 1 |
An S5500-EI series Ethernet switch provides two module slots and power inputs on its
rear panel, and each module slot can be configured with a 1-port or 2-port 10-GE
module. In addition, an S5500-EI series Ethernet switch, except an S5500-28F-EI and
S5500-28C-EI-DC, provides an AC power (48 V) input with an RPS (12 V) input on its
rear panel.
An S5500-28F-EI Ethernet switch provides two power module slots on its rear panel.
When an S5500-28F-EI is delivered, it has a module in the power module slot PWR1
only, while PWR2 is on a filler panel. You can optionally configure a power module for
PWR2 as needed. You can select an AC or DC power module for redundant backup
together with PWR1.
An S5500-28C-EI-DC provides a DC power input with an RPS input on its rear panel.
The feature-rich S5500-EI series support the following services:
• Broadband Internet access
• Access of MAN and intranet users
• Multimedia services, such as VOD
• Delay-sensitive voice services, such as VoIP
• Enhanced multicast, providing audio/video services over IPv4/IPv6 multicast
The S5500-EI series deliver these features:
• IPv4/IPv6 dual-stack and hardware forwarding
• Abundant IPv4/IPv6 routing protocols
• MCE
• IPv6-over-IPv4, 6to4, and ISATAP tunneling
• GE and 10-GE uplink ports
• Forwarding of jumbo frames
• Port security features
• ARP attack defense functions, such as ARP detection
• Link Aggregation Control Protocol (LACP)
• Smart Link and Rapid Ring Protection Protocol (RRPP), multi-instance Smart Link and multi-instance RRPP for load balancing
• 4K VLANs
• One-to-one, many-to-one and two-to-two VLAN mapping
• Abundant QoS/ACL functions, including VLAN ACLs and egress ACLs
• QinQ and VLAN mapping
• Port- and flow-based mirroring
• RSPAN
• Reliable power backup through RPSs or 1 + 1 redundant power supply
• IRF
• 802.3ah Ethernet OAM and 802.1ag Connectivity Fault Detection (CFD)
1.2 System Features
Table 1-2 System features of the S5500-EI series
| Item | S5500-28C-EI | S5500-52C-EI | S5500-28C-PWR-EI | S5500-52C-PWR-EI | S5500-28F-EI | S5500-28C-EI-DC |
|---|---|---|---|---|---|---|
| Physical dimensions (H × W × D) | 43.6 × 440 × 300 mm (1.72 × 17.3 × 11.8 in.) | 43.6 × 440 × 300 mm (1.72 × 17.3 × 11.8 in.) | 43.6 × 440 × 420 mm (1.72 × 17.3 × 16.5 in.) | 43.6 × 440 × 420 mm (1.72 × 17.3 × 16.5 in.) | 43.6 × 440 × 360 mm (1.72 × 17.3 × 14.2 in.) | 43.6 × 440 × 300 mm (1.72 × 17.3 × 11.8 in.) |
| Weight | <5 kg (11.0 lb) | <5 kg (11.0 lb) | <7.5 kg (16.6 lb) | <7.5 kg (16.6 lb) | <6 kg (13.2 lb) | <5 kg (11.0 lb) |
| GE ports | 24 × 10/100/1000Base-T Ethernet ports; 4 × 1000Base-X SFP ports | 48 × 10/100/1000Base-T Ethernet ports; 4 × 1000Base-X SFP ports | 24 × 10/100/1000Base-T Ethernet ports; 4 × 1000Base-X SFP ports | 48 × 10/100/1000Base-T Ethernet ports; 4 × 1000Base-X SFP ports | 8 × 10/100/1000Base-T Ethernet ports; 24 × 100/1000Base-X SFP ports | 24 × 10/100/1000Base-T Ethernet ports; 4 × 1000Base-X SFP ports |
| Input voltage (AC) | Rated voltage range: 100 VAC to 240 VAC, 50 Hz or 60 Hz. Input voltage range: 90 VAC to 264 VAC, 47 Hz to 63 Hz | Rated voltage range: 100 VAC to 240 VAC, 50 Hz or 60 Hz. Input voltage range: 90 VAC to 264 VAC, 47 Hz to 63 Hz | Rated voltage range: 100 VAC to 240 VAC, 50 Hz or 60 Hz. Input voltage range: 90 VAC to 264 VAC, 47 Hz to 63 Hz | Rated voltage range: 100 VAC to 240 VAC, 50 Hz or 60 Hz. Input voltage range: 90 VAC to 264 VAC, 47 Hz to 63 Hz | Rated voltage range: 100 VAC to 240 VAC, 50 Hz or 60 Hz. Input voltage range: 90 VAC to 264 VAC, 47 Hz to 63 Hz | — |
| Input voltage (DC) | Rated voltage range (RPS input): 10.8 VDC to 13.2 VDC | Rated voltage range (RPS input): 10.8 VDC to 13.2 VDC | Rated voltage range (RPS input): –52 VDC to –55 VDC | Rated voltage range (RPS input): –52 VDC to –55 VDC | Rated voltage range (RPS input): –48 VDC to –60 VDC | Rated voltage range. DC input: –48 VDC to –60 VDC. RPS input: 10.8 VDC to 13.2 VDC |
| Power consumption (full load) | 110 W | 155 W | AC power supply: 575 W, where the system power is 205 W and the PoE power is 370 W. DC power supply: 485 W, where the system power is 115 W and the PoE power is 370 W. | AC power supply: 640 W, where the system power is 270 W and the PoE power is 370 W. DC power supply: 910 W, where the system power is 170 W and the PoE power is 740 W. | 115 W | 105 W |
Items with the same value on all models:
| Item | All models |
|---|---|
| Management port | 1 × console port |
| Optional interface modules | One-port 10 GE XFP module (supports IRF); 2-port 10 GE XFP module (supports IRF); short-haul dual-port 10 GE CX4 module (supports IRF); 2-port GE SFP interface module (does not support IRF); 2-port 10 GE SFP+ module (supports IRF) |
| Operating temperature | 0°C to 45°C (32°F to 113°F) |
| Relative humidity (noncondensing) | 10% to 90% |
Together with an auto-sensing 10/100/1000BASE-T Ethernet port, each 1000Base-X
SFP port forms a Combo port. For each Combo port, either the SFP port or the
auto-sensing 10/100/1000BASE-T Ethernet port can be used at a time. For the
mapping between the two ports forming a Combo port, refer to Table 1-3.
Table 1-3 Mapping between two ports forming a Combo port
| Model | 1000Base-X SFP port number | Auto-sensing 10/100/1000Base-T Ethernet port number |
|---|---|---|
| S5500-28C-EI, S5500-28C-EI-DC, S5500-28C-PWR-EI | GigabitEthernet1/0/25 | GigabitEthernet1/0/22 |
| S5500-28C-EI, S5500-28C-EI-DC, S5500-28C-PWR-EI | GigabitEthernet1/0/26 | GigabitEthernet1/0/24 |
| S5500-28C-EI, S5500-28C-EI-DC, S5500-28C-PWR-EI | GigabitEthernet1/0/27 | GigabitEthernet1/0/21 |
| S5500-28C-EI, S5500-28C-EI-DC, S5500-28C-PWR-EI | GigabitEthernet1/0/28 | GigabitEthernet1/0/23 |
| S5500-52C-EI, S5500-52C-PWR-EI | GigabitEthernet1/0/49 | GigabitEthernet1/0/46 |
| S5500-52C-EI, S5500-52C-PWR-EI | GigabitEthernet1/0/50 | GigabitEthernet1/0/48 |
| S5500-52C-EI, S5500-52C-PWR-EI | GigabitEthernet1/0/51 | GigabitEthernet1/0/45 |
| S5500-52C-EI, S5500-52C-PWR-EI | GigabitEthernet1/0/52 | GigabitEthernet1/0/47 |
| S5500-28F-EI | GigabitEthernet1/0/25 | GigabitEthernet1/0/17 |
| S5500-28F-EI | GigabitEthernet1/0/26 | GigabitEthernet1/0/18 |
| S5500-28F-EI | GigabitEthernet1/0/27 | GigabitEthernet1/0/19 |
| S5500-28F-EI | GigabitEthernet1/0/28 | GigabitEthernet1/0/20 |
| S5500-28F-EI | GigabitEthernet1/0/29 | GigabitEthernet1/0/21 |
| S5500-28F-EI | GigabitEthernet1/0/30 | GigabitEthernet1/0/22 |
| S5500-28F-EI | GigabitEthernet1/0/31 | GigabitEthernet1/0/23 |
| S5500-28F-EI | GigabitEthernet1/0/32 | GigabitEthernet1/0/24 |
1.3 Service Features
The S5500-EI series feature the following advantages:
Table 1-4 Service features of the S5500-EI series
| Feature | S5500-28C-EI, S5500-28F-EI, S5500-28C-EI-DC | S5500-52C-EI | S5500-28C-PWR-EI | S5500-52C-PWR-EI |
|---|---|---|---|---|
| Wire speed L2 switching (Full duplex): switching capacity | 128 Gbps | 176 Gbps | 128 Gbps | 176 Gbps |
| Wire speed L2 switching (Full duplex): packet forwarding rate | 95.2 Mpps | 130.9 Mpps | 95.2 Mpps | 130.9 Mpps |
| Power over Ethernet | Not supported | Not supported | Supported | Supported |
Features with the same value on all models:
| Feature | All models |
|---|---|
| Link aggregation | Aggregation of GE ports; aggregation of 10-GE ports; static link aggregation; dynamic link aggregation; supports up to 128 aggregation groups, each supporting up to eight GE ports or four 10-GE ports |
| Flow control | IEEE 802.3x flow control and back pressure |
| Jumbo Frame | Supports maximum frame size of 9 KB |
| MAC address table | 32K MAC addresses; 1K static MAC addresses; blackhole MAC addresses; MAC address learning limit on a port |
| VLAN | Port-based VLANs (4094 VLANs); QinQ and selective QinQ; Voice VLAN; protocol-based VLANs; MAC-based VLANs; IP subnet-based VLANs; GVRP |
| VLAN mapping | One-to-one VLAN mapping; many-to-one VLAN mapping; two-to-two VLAN mapping |
| ARP | 8K entries; 1K static entries; gratuitous ARP; standard proxy ARP and local proxy ARP; ARP source suppression; ARP detection (based on DHCP snooping entries/802.1x security entries/static IP-to-MAC bindings) |
| ND | 4K entries; 1K static entries |
| VLAN virtual interface | 1K |
| DHCP | DHCP Client; DHCP Snooping; DHCP Relay; DHCP Server |
| UDP Helper | UDP Helper |
| DNS | Dynamic domain name resolution; dynamic domain name resolution client; IPv4/IPv6 addresses |
S5500-28C-EI
S5500-28F-EI
Feature
S5500-28C-EI-D
C



IPv4 route










IPv6 route





S5500-52C
-EI
1K static routes
RIPng; up to 2K IPv6 routes
OSPF v3; up to 6K IPv6 routes
BGP4+ for IPV6; up to 6K IPv6 routes
ISIS for IPV6;up to 6K IPv6 routes
Four equal-cost routes
Routing policy
VRRP
Policy routing
Reverse route check
MCE
Supported
BFD




IPv6 over IPv4 Tunnel






IPv4 multicast





S5500-5
2C-PWR
-EI
1K static routes
RIP (Routing Information Protocol) v1/2; up to 2K IPv4
routes
OSPF (Open Shortest Path First) v1/v2; up to 12K IPv4
routes
BGP (Border Gateway Protocol); up to 12K IPv4 routes
ISIS (Intermediate System to Intermediate system); up
to 12K IPv4 routes
Four equal-cost routes
Routing policy
VRRP
Policy routing
URPF

S5500-28C
-PWR-EI
OSPF
BGP
IS-IS
Static Route
IPv6 Manual tunnel
6to4 tunnel
ISATAP (Intra-Site Automatic Tunneling Protocol)
tunnel
IGMP (Internet Group Management Protocol)
Snooping v1/v2/v3
Multicast VLAN
Multicast VLAN+
IGMP v1/v2/v3
PIM-DM (Protocol Independent Multicast-dense mode)
PIM-SM (Protocol Independent Multicast-sparse
mode)
PIM-SSM (PIM Source Specific Multicast)
MSDP (Multicast Source Discovery Protocol)
MBGP
H3C Proprietary
1-8
System Description
H3C S5500-EI Series Ethernet Switches
Chapter 1 Product Overview
S5500-28C-EI
S5500-28F-EI
Feature
S5500-28C-EI-D
C


IPv6 multicast




Broadcast/multicast/un
icast storm control



MSTP


RRPP
Smart link
Monitor link














Mirroring
Remote mirroring
S5500-28C
-PWR-EI
S5500-5
2C-PWR
-EI
MLD Snooping v1/v2
MLD v1/v2
PIM-DM/SM/SSM for IPv6
IPv6 multicast VLAN
IPv6 multicast VLAN+
MBGP for IPv6
Storm control based on port rate percentage
PPS-based storm control
STP/RSTP/MSTP protocol
STP Root Guard
BPDU Guard
RRPP protocol
Multi-instance RRPP
Up to 26 groups supported
Multi-instance Smart Link
Supported

QoS/ACL
S5500-52C
-EI


Restriction of the rates at which a port sends and
receives packets, with a granularity of 64 kbps.
Packet redirection
Committed access rate (CAR), with a granularity of
traffic limit 64 kbps.
Eight output queues for each port
Flexible queue scheduling algorithms based on port
and queue, including strict priority (SP), weighted
round robin (WRR), WFQ(Weighted Fair Queuing)
and SP + WRR.
Remarking of 802.1p and DSCP priorities
Packet filtering at L2 (Layer 2) through L4 (Layer 4);
flow classification based on source MAC address,
destination MAC address, source IP (IPv4/IPv6)
address, destination IP (IPv4/IPv6) address, port,
protocol, and VLAN.
Time range
Weighted Random Early Detection (WRED)
Traffic shaping
User Profile
Traffic mirroring
Port mirroring
Remote port mirroring
H3C Proprietary
1-9
System Description
H3C S5500-EI Series Ethernet Switches
Chapter 1 Product Overview
S5500-28C-EI
S5500-28F-EI
Feature
S5500-28C-EI-D
C







Security











802.1X




Loading and upgrading







Management








S5500-52C
-EI
S5500-28C
-PWR-EI
S5500-5
2C-PWR
-EI
Hierarchical management and password protection of
users
AAA authentication
RADIUS authentication
HWTACACS
SSH 2.0
Port isolation
Port security
MAC address authentication
IP-MAC-port binding
IP Source Guard
Https
SSL
PKI
Portal
EAD
Boot ROM access control(password recovery)
Up to 1,024 users
Port-based and MAC address–based authentication
Guest VLAN
Trunk port authentication
802.1x-based dynamic QoS/ACL/VLAN delivery
Loading and upgrading through XModem protocol
Loading and upgrading through FTP
Loading and upgrading through the trivial file transfer
protocol (TFTP)
Configuration at the command line interface
Remote configuration through Telnet
Configuration through Console port
Simple network management protocol (SNMP)
Remote monitoring (RMON) alarm, event and history
recording
Quidview NMS
Web-based network management
System log
Hierarchical alarms
Huawei group management protocol (HGMP) V2
NTP
Power supply alarm function
Fan and temperature alarms
H3C Proprietary
1-10
System Description
H3C S5500-EI Series Ethernet Switches
Chapter 1 Product Overview
S5500-28C-EI
S5500-28F-EI
Feature
S5500-28C-EI-D
C




Maintenance





S5500-52C
-EI
S5500-28C
-PWR-EI
Debugging information output
Ping and Tracert
NQA
Track
Remote maintenance through Telnet
Virtual cable test
802.1ag
802.3ah
DLDP
H3C Proprietary
1-11
S5500-5
2C-PWR
-EI
Chapter 2 Hardware Description
2.1 S5500-28C-EI Ethernet Switch
2.1.1 Appearance
S5500-28C-EI Ethernet switch provides 24 x 10/100/1000BASE-T Ethernet ports, four
Gigabit SFP Combo ports and one console port on the front panel, and an AC power
input, an RPS input, and two extension slots on the rear panel. The following figure
describes the appearance of the S5500-28C-EI Ethernet switch.
Figure 2-1 Appearance of S5500-28C-EI Ethernet switch
Note:
A Combo port is defined as follows: an SFP Combo electrical port and its
corresponding 10/100/1000BASE-T Ethernet port logically provide optoelectronic
multiplexing function. Users can select either to meet the networking requirement, but
the two ports cannot work at the same time.
2.1.2 Front Panel
(1): 10/100/1000 Base-T autosensing Ethernet port status LEDs
(2): Gigabit SFP Combo port status LED
(3): Console port
(4): Seven-segment Nixie Display
(5): Power LED
(6): RPS LED
(7): Extension slot LED 1
(8): Extension slot LED 2
(9): Mode LED
(10): Mode switch LED
Figure 2-2 Front panel of S5500-28C-EI Ethernet switch
2.1.3 Rear Panel
(1): AC power input
(2): RPS power input
(3): Grounding screw
(4): Extension slot 1
(5): Extension slot 2
Figure 2-3 Rear panel of S5500-28C-EI Ethernet switch
2.1.4 Power Supply System
The S5500-28C-EI Ethernet switch supports AC input and RPS 12 V input: it can use
both the AC and DC inputs at the same time (one as backup for the other), or the AC
power input alone. For the RPS DC input, use only the RPS power supply recommended
by H3C.
- AC input:
  Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage: 90 VAC to 264 VAC, 47 Hz or 63 Hz
- RPS (DC) input:
  Rated voltage: 10.8 VDC to 13.2 VDC
2.1.5 Cooling System
S5500-28C-EI Ethernet switch provides four fans for heat dissipation.
2.1.6 Description of S5500-28C-EI LEDs
The LEDs on the front panels of the S5500-28C-EI switches can help you monitor the
running status of the switches. Table 2-1 describes the LEDs. You can use the “Mode”
button on the panel to switch the LED display mode between rate mode and duplex
mode.
Table 2-1 Description of S5500-28C-EI LEDs
LED | Mark | Status | Description
Mode LED | Mode | Speed: Solid green | Rate of the port
Mode LED | Mode | Duplex: Solid yellow | Duplex mode of the port
Power LED | PWR | Solid green | The switch is started normally.
Power LED | PWR | Flashing green (1 Hz) | The system is running a power-on self-test (POST).
Power LED | PWR | Solid red | The system fails the POST or a power failure occurs.
Power LED | PWR | Flashing yellow (1 Hz) | Some ports fail a POST or a port failure occurs.
Power LED | PWR | OFF | The power is disconnected.
Redundant power system LED | RPS | Solid green | The AC power supply is normal and the RPS is connected and works normally.
Redundant power system LED | RPS | Solid yellow | The RPS input is normal, but an AC input failure occurs or no AC power is connected.
Redundant power system LED | RPS | OFF | No RPS is connected.
Module LED | MOD | Solid green | The module is in position and works normally.
Module LED | MOD | Flashing yellow | The switch does not support the module or a module failure occurs.
Module LED | MOD | OFF | No module is installed.
Seven-segment digital LED | Unit | POST running; the power LED flashes green | The LED displays the POST test ID.
Seven-segment digital LED | Unit | POST failed; the power LED flashes red | The LED flashes the POST test ID of the failed test.
Seven-segment digital LED | Unit | Software loading; the power LED flashes green | A bar rotates clockwise around the LED.
Seven-segment digital LED | Unit | Fan failure; the power LED is solid red | The LED displays F.
Seven-segment digital LED | Unit | Over-temperature alarm; the power LED is solid red | The LED displays t.
Seven-segment digital LED | Unit | Status of the switch in a cluster or its member ID in an IRF stack; the power LED is solid green | If no stack ports are configured and the cluster feature is enabled, the LED displays status of the switch in a cluster; otherwise, the LED displays the member ID of the switch in a stack. The status of a switch in a cluster can be one of the following: C (upper case) for a command switch, S for a member switch, c (lower case) for a candidate switch. The following are member IDs that can be displayed:
10/100/1000 Base-T port status LED | — | Speed: Green | A 1000 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
10/100/1000 Base-T port status LED | — | Speed: Yellow | A 10/100 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
10/100/1000 Base-T port status LED | — | Speed: Flashing yellow (3 Hz) | The port fails the POST.
10/100/1000 Base-T port status LED | — | Speed: OFF | The port is not up.
10/100/1000 Base-T port status LED | — | Duplex: Green | The port works in the full duplex mode. The LED flashes at a high frequency when data is being received or sent.
10/100/1000 Base-T port status LED | — | Duplex: Yellow | The port works in the half duplex mode. The LED flashes at a high frequency when data is being received or sent.
10/100/1000 Base-T port status LED | — | Duplex: Flashing yellow (3 Hz) | The port fails the POST.
10/100/1000 Base-T port status LED | — | Duplex: OFF | The port is not up.
SFP port status LED (1000 Mbps) | — | Speed: Yellow | A 100 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
SFP port status LED (1000 Mbps) | — | Speed: Flashing yellow (3 Hz) | The port failed the POST.
SFP port status LED (1000 Mbps) | — | Speed: OFF | The port is not up.
SFP port status LED (1000 Mbps) | — | Duplex: Green | The port operates in the full duplex mode. When data is being received or sent, the LED flashes at a high frequency.
SFP port status LED (1000 Mbps) | — | Duplex: Flashing yellow (3 Hz) | The port fails the POST.
SFP port status LED (1000 Mbps) | — | Duplex: OFF | The port is not up.
2.1.7 Description of Ports
I. Console ports
The S5500-EI series switches provide a console port that satisfies the EIA/TIA-232
asynchronous specification. Through the console port, you can perform local or remote
configuration.
Table 2-2 Attributes of the console port
Item | Description
Connector | RJ-45
Interface standard | EIA/TIA-232
Baud rate | 9600 bps (default)
Supported services | Connection with a character terminal; connection with a serial port of a local terminal (it can be a PC) or a remote terminal (it needs a pair of modems), which runs a terminal simulator.
II. Attributes of Gigabit Ethernet ports
Table 2-3 Attributes of Gigabit Ethernet ports
Item | Description
Connector | RJ-45
Number of ports | 24/48
Port specifications | 10 M, half duplex/full duplex; 100 M, half duplex/full duplex; 1,000 M, full duplex; MDI/MDI-X autosensing
Standard | IEEE 802.3u
Medium and transmission distance | Category-5 unshielded twisted pairs. The maximum transmission distance is 100 m (328.1 ft)
III. Attributes of Gigabit SFP Combo ports
The S5500-EI series provides four SFP Combo ports on the front panel. You can
configure the number of ports or port types freely.
The hot-swapping feature and flexible configuration method increase networking flexibility.
You can select the SFP modules in Table 6-2 based on your requirements.
Note:
The types of the SFP modules may change. If you need accurate module type
information, please consult H3C marketing engineers or technical support engineers.
2.2 S5500-52C-EI Ethernet Switch
2.2.1 Appearance
An S5500-52C-EI Ethernet switch provides 48 x 10/100/1000BASE-T Ethernet ports,
four Gigabit SFP Combo ports and one console port on the front panel, and an AC
power input, an RPS input, and two extension slots on the rear panel. The following
figure describes the appearance of the S5500-52C-EI Ethernet switch.
Figure 2-4 Appearance of S5500-52C-EI Ethernet switch
2.2.2 Front Panel
(1): 10/100/1000 Base-T autosensing Ethernet port status LEDs
(2): Console port
(3): Seven-segment Nixie Display
(4): Mode switch button
(5): Mode LED
(6): Power LED
(7): RPS LED
(8): Extension slot LED 1
(9): Extension slot LED 2
(10): Gigabit SFP Combo port status LED
Figure 2-5 Front panel of S5500-52C-EI Ethernet switch
2.2.3 Rear Panel
(1): AC power input
(2): RPS power input
(3): Grounding screw
(4): Extension slot 1
(5): Extension slot 2
Figure 2-6 Rear panel of S5500-52C-EI Ethernet switch
2.2.4 Power Supply System
The S5500-52C-EI Ethernet switch supports AC and RPS 12 V inputs: it can use both
the AC and DC inputs at the same time (one as backup for the other), or the AC power
input alone. For the RPS DC input, use only the RPS power supply recommended by H3C.
- AC input:
  Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage: 90 VAC to 264 VAC, 47 Hz or 63 Hz
- RPS (DC) input:
  Rated voltage: 10.8 VDC to 13.2 VDC
2.2.5 Cooling System
S5500-52C-EI Ethernet switch provides four fans for heat dissipation.
2.2.6 Description of S5500-52C-EI LEDs
LED description of S5500-52C-EI and S5500-28C-EI is the same. See Table 2-1.
2.2.7 Description of Ports
For port description of the S5500-EI series, see 2.1.7 “Description of Ports”.
2.3 S5500-28C-PWR-EI Ethernet Switch
2.3.1 Appearance
S5500-28C-PWR-EI Ethernet switch provides 24 x 10/100/1000BASE-T Ethernet ports,
four Gigabit SFP Combo ports and one console port on the front panel, and an AC
power input, an RPS input, and two extension slots on the rear panel. The following
figure describes the appearance of the S5500-28C-PWR-EI Ethernet switch.
Figure 2-7 Appearance of S5500-28C-PWR-EI Ethernet switch
2.3.2 Front Panel
(1): 10/100/1000 Base-T autosensing Ethernet port status LEDs
(2): Gigabit SFP Combo port status LED
(3): Console port
(4): Seven-segment Nixie display
(5): Power LED
(6): RPS LED
(7): Extension slot LED 1
(8): Extension slot LED 2
(9): Mode LED
(10): Mode switch LED
Figure 2-8 Front panel of S5500-28C-PWR-EI Ethernet switch
2.3.3 Rear Panel
(1): RPS power input
(2): AC power input
(3): Grounding screw
(4): Extension slot 1
(5): Extension slot 2
Figure 2-9 Rear panel of S5500-28C-PWR-EI Ethernet switch
2.3.4 Power Supply System
S5500-28C-PWR-EI Ethernet switch supports the use of both AC and DC inputs (one
as backup for the other) at the same time, and AC power input or DC power input alone.
- AC input:
  Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage: 90 VAC to 264 VAC, 47 Hz or 63 Hz
  The S5500-28C-PWR-EI switch can use only the external RPS power supply
  recommended by H3C as the AC power supply. Do not use 48 VAC power in the
  equipment room; otherwise the switch may be damaged.
- RPS DC input:
  Voltage range: -52 VDC to -55 VDC
2.3.5 Cooling System
S5500-28C-PWR-EI Ethernet switch provides six fans for heat dissipation, and three of
them are for power supply dissipation.
2.3.6 Description of S5500-28C-PWR-EI LEDs
The LEDs on the front panels of the S5500-28C-PWR-EI switches can help you
monitor the running status of the switches. Table 2-4 describes the LEDs. You can use
the “Mode” button on the panel to switch the LED display mode between rate mode and
duplex mode.
Table 2-4 Description of S5500-28C-PWR-EI LEDs
LED | Mark | Status | Description
Mode LED | Mode | Speed: Solid green | Rate of the port
Mode LED | Mode | Duplex: Solid yellow | Duplex mode of the port
Mode LED | Mode | PoE: Flashing green (1 Hz) | PoE mode of the port
Power LED | PWR | Solid green | The switch is started normally.
Power LED | PWR | Flashing green (1 Hz) | The system is running a power-on self-test (POST).
Power LED | PWR | Solid red | The system fails the POST or a power failure occurs.
Power LED | PWR | Flashing yellow (1 Hz) | Some ports fail a POST or a port failure occurs.
Power LED | PWR | OFF | The power is disconnected.
Redundant power system LED | RPS | Solid green | The AC power input and the DC power input are both normal.
Redundant power system LED | RPS | Solid yellow | The DC power input is normal, but an AC power failure occurs or no AC power is connected.
Redundant power system LED | RPS | OFF | No DC power is connected.
Module LED | MOD | Solid green | The module is in position and works normally.
Module LED | MOD | Flashing yellow | The switch does not support the module or a module failure occurs.
Module LED | MOD | OFF | No module is installed.
Seven-segment digital LED | Unit | POST running; the power LED flashes green | The LED displays the POST test ID.
Seven-segment digital LED | Unit | POST failed; the power LED flashes red | The LED flashes the POST test ID of the failed test.
Seven-segment digital LED | Unit | Software loading; the power LED flashes green | A bar rotates clockwise around the LED.
Seven-segment digital LED | Unit | Fan failure; the power LED is solid red | The LED displays F.
Seven-segment digital LED | Unit | Over-temperature alarm; the power LED is solid red | The LED displays t.
Seven-segment digital LED | Unit | Status of the switch in a cluster or its member ID in an IRF stack; the power LED is solid green | If no stack ports are configured and the cluster feature is enabled, the LED displays status of the switch in a cluster; otherwise, the LED displays the member ID of the switch in a stack. The status of a switch in a cluster can be one of the following: C (upper case) for a command switch, S for a member switch, c (lower case) for a candidate switch. The following are member IDs that can be displayed:
Seven-segment digital LED | Unit | PoE mode; the power LED is solid green | The LED displays the utilization of the power supply: 81 - 100%, 61 - 80%, 41 - 60%, 21 - 40%, 0 - 20%
10/100/1000Base-T Ethernet port status LED | — | Speed: Green | A 1000 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
10/100/1000Base-T Ethernet port status LED | — | Speed: Yellow | A 10/100 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
10/100/1000Base-T Ethernet port status LED | — | Speed: Flashing yellow (3 Hz) | The port fails the POST.
10/100/1000Base-T Ethernet port status LED | — | Speed: OFF | No link is present.
10/100/1000Base-T Ethernet port status LED | — | Duplex: Green | The port works in the full duplex mode. The LED flashes at a high frequency when data is being received or sent.
10/100/1000Base-T Ethernet port status LED | — | Duplex: Yellow | The port works in the half duplex mode. The LED flashes at a high frequency when data is being received or sent.
10/100/1000Base-T Ethernet port status LED | — | Duplex: Flashing yellow (3 Hz) | The port fails the POST.
10/100/1000Base-T Ethernet port status LED | — | Duplex: OFF | The port is not up.
10/100/1000Base-T Ethernet port status LED | — | PoE: Solid green | The port supplies power normally.
10/100/1000Base-T Ethernet port status LED | — | PoE: Flashing green (1 Hz) | The required power of the attached device exceeds the maximum power that the port can supply. The total power reaches the maximum power, so the port stops supplying power.
10/100/1000Base-T Ethernet port status LED | — | PoE: Solid yellow | The device attached to the port is not a powered device (PD), so the port cannot supply power. A PoE failure occurs, so the port cannot supply power.
10/100/1000Base-T Ethernet port status LED | — | PoE: Flashing yellow (3 Hz) | The port fails the POST.
10/100/1000Base-T Ethernet port status LED | — | PoE: OFF | The port is not up.
SFP port status LED (1000 Mbps) | — | Speed/PoE: Yellow | A 100 Mbps link is present. When data is being received or sent, the LED flashes at a high frequency.
SFP port status LED (1000 Mbps) | — | Speed/PoE: Flashing yellow (3 Hz) | The port failed the POST.
SFP port status LED (1000 Mbps) | — | Speed/PoE: OFF | The port is not up.
SFP port status LED (1000 Mbps) | — | Duplex: Green | The port operates in the full duplex mode. When data is being received or sent, the LED flashes at a high frequency.
SFP port status LED (1000 Mbps) | — | Duplex: Flashing yellow (3 Hz) | The port fails the POST.
SFP port status LED (1000 Mbps) | — | Duplex: OFF | The port is not up.
2.3.7 Description of Ports
For port description of the S5500-EI series, see section 2.1.7 “Description of Ports”.
2.4 S5500-52C-PWR-EI Ethernet Switch
2.4.1 Appearance
S5500-52C-PWR-EI Ethernet switch provides 48 x 10/100/1000BASE-T Ethernet ports,
four Gigabit SFP Combo ports and one console port on the front panel, and an AC
power input, an RPS input, and two extension slots on the rear panel. The following
figure describes the appearance of the S5500-52C-PWR-EI Ethernet switch.
Figure 2-10 Appearance of S5500-52C-PWR-EI Ethernet switch
2.4.2 Front Panel
(1): 10/100/1000 Base-T autosensing Ethernet port status LEDs
(2): Console port
(3): Seven-segment Nixie Display
(4): Mode switch button
(5): Mode LED
(6): Power LED
(7): RPS LED
(8): Extension slot LED 1
(9): Extension slot LED 2
(10): Gigabit SFP Combo port status LED
Figure 2-11 Front panel of S5500-52C-PWR-EI Ethernet switch
2.4.3 Rear Panel
(1): RPS power input
(2): AC power input
(3): Grounding screw
(4): Extension slot 1
(5): Extension slot 2
Figure 2-12 Front panel of S5500-52C-PWR-EI Ethernet switch
2.4.4 Power Supply System
S5500-52C-PWR-EI Ethernet switch supports the use of both AC and DC inputs (one
as backup for the other) at the same time, and AC power input or DC power input alone.
- AC input:
  Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage: 90 VAC to 264 VAC, 47 Hz or 63 Hz
  The S5500-52C-PWR-EI switch can use only the external RPS power supply
  recommended by H3C as the AC power supply. Do not use 48 VAC power in the
  equipment room; otherwise the switch may be damaged.
- RPS DC input:
  Voltage range: -52 VDC to -55 VDC
2.4.5 Cooling System
S5500-52C-PWR-EI Ethernet switch provides six fans for heat dissipation, and three of
them are for power supply dissipation.
2.4.6 Description of S5500-52C-PWR-EI LEDs
LED description of S5500-52C-PWR-EI and S5500-28C-PWR-EI is the same.
See Table 2-4.
2.4.7 Description of Ports
For port description of the S5500-EI series, see section 2.1.7 “Description of Ports”.
2.5 S5500-28F-EI Ethernet Switch
2.5.1 Appearance
The S5500-28F-EI provides twenty-four 1000Base-X SFP ports, eight auto-sensing
10/100/1000Base-T Ethernet ports, and one console port on the front panel, and two
AC or DC power sockets and two extended module slots on the rear panel. Together
with a 1000Base-X SFP port, each auto-sensing 10/100/1000BASE-T Ethernet port
forms a Combo port. Figure 2-13 illustrates the appearance of an S5500-28F-EI.
Figure 2-13 Appearance of an S5500-28F-EI Ethernet switch
Note:
A Combo port is defined as follows: an SFP Combo electrical port and its
corresponding 10/100/1000BASE-T Ethernet port logically provide optoelectronic
multiplexing function. Users can select either to meet the networking requirement, but
the two ports cannot work at the same time.
2.5.2 Front Panel
(1): 100/1,000 M SFP port LEDs
(2): 10/100/1000 Base-T Combo autosensing Ethernet port LEDs
(3): Console port
(4): Seven-segment Nixie display
(5): System LED
(6): AC power input 1 LED
(7): AC power input 2 LED
(8): Extension slot 1 LED
(9): Extension slot 2 LED
(10): Mode LED
(11): Mode control button
Figure 2-14 Front panel of S5500-28F-EI Ethernet switch
2.5.3 Rear Panel
(1): Grounding screw
(2): AC power input 1
(3): AC power input 2
(4): Extension slot 1
(5): Extension slot 2
Figure 2-15 Rear panel of S5500-28F-EI Ethernet switch
2.5.4 Power Supply System
An S5500-28F-EI is connected to two hot-swappable AC or DC power inputs, which act
as backup for each other.
- AC input:
  Rated voltage: 100 VAC to 240 VAC, 50 Hz or 60 Hz
  Input voltage: 90 VAC to 264 VAC, 47 Hz or 63 Hz
- DC input:
  Rated voltage range: -48 VDC to -60 VDC
  Max voltage range: -36 VDC to -72 VDC
2.5.5 Cooling System
The S5500-28F-EI is equipped with six fans (four for the system, and one for each
pluggable power module) for heat dissipation.
2.5.6 Description of S5500-28F-EI LEDs
The LEDs on the front panels of the S5500-28F-EI switches can help you monitor the
running status of the switches. Table 2-5 describes the LEDs. You can use the “Mode”
button on the panel to switch the LED display mode between rate mode and duplex
mode.
Table 2-5 Description of the LEDs on an S5500-28F-EI
LED | Mark | State | Description
Mode LED | Mode | Rate mode: Green, ON | The port LED is indicating port rate mode.
Mode LED | Mode | Duplex mode: Yellow, ON | The port LED is indicating duplex mode.
Power LED | SYS | Green, ON | The switch has been normally started.
Power LED | SYS | Green, blinking (1 Hz) | The system is performing POST (power-on self test).
Power LED | SYS | Red, ON | POST fails because a fault occurs
Power LED | SYS | Yellow, blinking (1 Hz) | Some ports fail in POST because the function fails.
Power LED | SYS | OFF | The switch has been powered off.
AC power input 1 LED | PWR1 | Green, ON | The power input is connected to a power module and the output is normal.
AC power input 1 LED | PWR1 | Yellow, ON | The power input is connected to a power module but the output is abnormal.
AC power input 1 LED | PWR1 | OFF | No power module is connected or there is no power being input.
AC power input 2 LED | PWR2 | Green, ON | The power input is connected to a power module and the output is normal.
AC power input 2 LED | PWR2 | Yellow, ON | The power input is connected to a power module but the output is abnormal.
AC power input 2 LED | PWR2 | OFF | No power module is connected or there is no power being input.
Module LED | Module (MOD) | Green, ON | The module is in position and is working normally.
Module LED | Module (MOD) | Yellow, blinking | The module is not supported or a fault has been detected.
Module LED | Module (MOD) | OFF | No module is installed.
Seven-segment Nixie display | Unit | In POST; Power LED is green and blinking. | The nixie display indicates the number of the ongoing self test item.
Seven-segment Nixie display | Unit | POST has failed; LED is red and blinking. | The nixie display indicates the number of the self test item that failed in POST
Seven-segment Nixie display | Unit | Loading software; Power LED is green and blinking. | The short bars are lit up one by one clockwise when the software is being loaded
Seven-segment Nixie display | Unit | Fan failure; Power LED is red and on. | The nixie display shows an "F".
Seven-segment Nixie display | Unit | Over-temperature alarm; Power LED is red and on. | The nixie display shows a "t".
Seven-segment Nixie display | Unit | Status of the switch in a cluster or its member ID in an IRF stack; the power LED is solid green | If no stack ports are configured and the cluster feature is enabled, the LED displays status of the switch in a cluster; otherwise, the LED displays the member ID of the switch in a stack. The status of a switch in a cluster can be one of the following: C (upper case) for a command switch, S for a member switch, c (lower case) for a candidate switch. The following are member IDs that can be displayed:
10/100/1000BASE-T Combo port LEDs | — | Rate mode: Green | The port is blinking when it is receiving or sending data at 1000 Mbps.
10/100/1000BASE-T Combo port LEDs | — | Rate mode: Yellow | The port is blinking when it is receiving or sending data at 10/100 Mbps
10/100/1000BASE-T Combo port LEDs | — | Rate mode: Yellow, blinking (3 Hz) | Port POST has failed.
10/100/1000BASE-T Combo port LEDs | — | Rate mode: OFF | The port is not up.
10/100/1000BASE-T Combo port LEDs | — | Duplex mode: Green | The port is blinking when it is receiving or sending data in the full-duplex mode.
10/100/1000BASE-T Combo port LEDs | — | Duplex mode: Yellow | The port is blinking when it is receiving or sending data in the half-duplex mode.
10/100/1000BASE-T Combo port LEDs | — | Duplex mode: Yellow, blinking (3 Hz) | Port POST has failed.
10/100/1000BASE-T Combo port LEDs | — | Duplex mode: OFF | The port is not up.
1000Base SFP port LEDs | — | Rate mode: Green | The port is blinking when it is receiving or sending data at 1000 Mbps.
1000Base SFP port LEDs | — | Rate mode: Yellow | The port is blinking when it is receiving or sending data at 100 Mbps.
1000Base SFP port LEDs | — | Rate mode: Yellow, blinking (3 Hz) | Port POST has failed.
1000Base SFP port LEDs | — | Rate mode: OFF | The port is not up.
1000Base SFP port LEDs | — | Duplex mode: Green | The port is blinking when it is receiving or sending data in the full-duplex mode.
1000Base SFP port LEDs | — | Duplex mode: Yellow, blinking (3 Hz) | Port POST has failed.
1000Base SFP port LEDs | — | Duplex mode: OFF | The port is not up.
2.5.7 Port Attributes
For port description of the S5500-EI series, see section 2.1.7 “Description of Ports”.
2.6 S5500-28C-EI-DC Ethernet Switch
2.6.1 Appearance
An S5500-28C-EI-DC Ethernet switch provides 24 10/100/1000Base-T Ethernet ports,
four Gigabit SFP Combo ports, and one Console port on the front panel, and 48 VDC
power inputs, RPS input, and two extension slots on the rear panel. Figure 2-16
illustrates the appearance of the switch.
Figure 2-16 Appearance of an S5500-28C-EI-DC
2.6.2 Front Panel
(1): 10/100/1000 Base-T autosensing Ethernet port LEDs
(2): Gigabit SFP Combo port LEDs
(3): Console port
(4): Seven-segment nixie display
(5): Power LED
(6): RPS LED
(7): Extension slot 1 LED
(8): Extension slot 2 LED
(9): Mode LED
(10): Mode control button
Figure 2-17 Front panel of an S5500-28C-EI-DC
2.6.3 Rear Panel
(1): -48 VDC power input
(2): RPS power input
(3): Grounding screw
(4): Extension slot 1
(5): Extension slot 2
Figure 2-18 Rear panel of an S5500-28C-EI-DC
2.6.4 Power System
An S5500-28C-EI-DC switch provides two DC inputs and one RPS 12 V input. The two
DC inputs can be used at the same time, acting as backup for each other. Alternatively,
you can use either the DC inputs only or the RPS only. Make sure you use an RPS
recommended by H3C as a DC input.
- -48 V DC input:
  Rated voltage range: -48 VDC to -60 VDC.
  Max voltage range: -36 VDC to -72 VDC
- RPS DC input:
  Rated voltage range: 10.8 V to 13.2 V
2.6.5 Cooling System
An S5500-28C-EI-DC switch is cooled by four fans.
2.6.6 LED Description
LED description of S5500-52C-EI and S5500-28C-EI is the same. See Table 2-1.
2.6.7 Description of Port Attributes
For the description of the port attributes of the S5500-28C-EI-DC switch, see
section 2.1.7 "Description of Ports".
2.7 Optional Interface Modules
An S5500-EI switch provides two extension module slots on the rear panel, which
accept the following modules:
- 1-port 10-GE XFP modules (supporting IRF)
- 2-port 10-GE XFP modules (supporting IRF)
- 2-port 10-GE CX4 short haul module (supporting IRF)
- 2-port GE SFP modules (not supporting IRF)
- 2-port 10-GE SFP+ module (supporting IRF)
2.7.1 1-port 10 Gbps XFP Module
Figure 2-19 Front view of a 1-port 10-GE XFP module
This module can provide one 10-GE XFP optical interface. You can select the XFP
optical modules in Table 6-3 based on your requirements.
Note:
The type of XFP modules may be updated as time goes by. For updated module types,
consult marketing or technical support personnel of H3C.
2.7.2 2-Port 10-GE XFP Module
Figure 2-20 Front view of 2-port 10-GE XFP module
This module can provide two 10Gbps XFP optical interfaces. You can select the XFP
optical modules in Table 6-3 based on your requirements.
Note:
The type of XFP modules may be updated as time goes by. For updated module types,
consult marketing or technical support personnel of H3C.
2.7.3 2-port 10-GE CX4 Short Haul Module
Figure 2-21 2-port 10-GE CX4 short haul module
This module provides two 10-GE electrical interfaces. It supports CX4 electrical
standards and protocols. The maximum transmission distance is 3 meters (9.8 ft). Use
CX4 cables dedicated for H3C devices to interconnect devices.
Note:
You can use only dedicated CX4 cable to connect the port on the CX4 extension
module and another CX4 port. For dedicated CX4 cable, see section 2.8 "CX4 Cable".
2.7.4 2-Port GE SFP Module
Figure 2-22 Front view of 2-port GE SFP module
This module can provide two 1-Gbps SFP optical interfaces. You can select the Gigabit
SFP modules in Table 6-2 based on your requirements.
Note:

The two 1-Gbps SFP optical interfaces of the 2-port GE SFP module do not support
the 100 Mbps SFP modules in Table 6-2.

The type of XFP modules may be updated as time goes by. For updated module
types, consult marketing or technical support personnel of H3C.
2.7.5 2-Port 10-GE SFP+ Module
Figure 2-23 Front view of 2-port 10-GE SFP+ module
This module can provide two 10Gbps SFP+ optical interfaces. You can select the SFP+
optical modules and SFP+ cables in Table 6-4 based on your requirements.
Note:

The two 10-Gbps SFP+ optical interfaces of the 2-port 10-GE SFP+ module do not
support the SFP modules in Table 6-2.

The type of SFP+ optical modules and SFP+ cables may be updated as time goes
by. For updated information, contact H3C technical support or marketing staff.
2.7.6 Description of Extension Module LEDs
There is a LED for each port on the extension module panel. Table 2-6 describes the
LEDs.
Table 2-6 Description of extension module LEDs
LED | Mark | State | Description
Extension module LED | — | Green | The port is normally connected. The LED blinks when the port is receiving or sending data.
Extension module LED | — | OFF | The port is not connected.
This LED is not affected by the mode button.
2.8 CX4 Cable
You can use the CX4 cable to connect the CX4 port on the rear panel of an S5500-EI
series switch to another CX4 port.
Figure 2-24 CX4 cable
The following three types of cables are available (refer to Table 6-5 "List of CX4
modules"):

50 cm (19.7 in.): the connectors at both ends of the cable are bayonet connectors.

100 cm (39.4 in.): the connectors at both ends of the cable are screw connectors.

300 cm (118.1 in.): the connectors at both ends of the cable are screw connectors.
Chapter 3 Software Features
3.1 Basic Features
3.1.1 Link Aggregation
The link aggregation function is used for the connection between Ethernet switches or
between the switches and high-speed servers. It is a simple and cheap way to expand
the bandwidth of a switch port and balance the traffic among all the ports in a link
aggregation. Moreover, it enhances the connection reliability.
With link aggregation, several Ethernet ports on a switch are bundled together and are
considered one logical port inside the switch. The switch automatically balances the
traffic among the ports in the aggregation and increases the bandwidth of the ports. If
the link on a port in the aggregation fails, the traffic on it is distributed among other ports
without interrupting the normal service. After the port recovers, the traffic is
automatically distributed again so that the port can share the load with others.
The S5500-EI series support static link aggregation and dynamic link aggregation.
3.1.2 Traffic Control
Traffic control is a congestion management mode of switches.
S5500-EI Ethernet switches support full-duplex traffic control and half-duplex back
pressure traffic control. 10-GE uplink interfaces support received pause frames only. In
the half-duplex traffic control mode, the switch performs traffic control by sending Jam
signals to the peer end.
3.1.3 DLDP
A special phenomenon, unidirectional links, may occur in actual networking. When a
unidirectional link occurs, the local device can receive packets from the peer device
through the link layer, but the peer device cannot receive packets from the local device.
Unidirectional links may cause a series of problems, such as spanning-tree topology
loop.
The device link detection protocol (DLDP) can monitor the link status of fiber or copper
twisted pairs (such as Enhanced Cat-5 twisted pairs). Based on the configuration,
DLDP automatically closes, or notifies the user to close manually, the corresponding
ports when it finds any unidirectional link, so as to prevent network problems.
DLDP has the following features:

As a link layer protocol, it works in cooperation with physical layer protocols to
supervise the link status of devices.

The auto-negotiation mechanism of the physical layer detects physical signals
and faults, while DLDP identifies the peer device and unidirectional links, and
closes unreachable ports.

When the auto-negotiation mechanism and DLDP are both enabled, they work together
to detect and disable physical and logical unidirectional links, and to prevent the
failure of other protocols such as STP.

If links of both ends function independently and normally at the physical layer,
DLDP will check whether these links are correctly connected at the link layer and
whether packets can be normally exchanged between both ends. This kind of
detection cannot be achieved through the auto-negotiation mechanism.
3.1.4 Broadcast Storm Control
The broadcast storm control function suppresses the propagation of unknown unicast
packets, multicast packets, and broadcast packets in a network, thus limiting their
impact on the operating efficiency of the network.
For the S5500-EI series, the broadcast storm control function is configured on ports.
After storm control is enabled on a port, you can monitor the unknown unicast traffic,
multicast traffic, and the broadcast traffic received on it. When the traffic exceeds the
specified bandwidth limit, the switch drops the excessive traffic to reduce the traffic ratio
to a rational range, so as to guarantee the normal operation of network services. The
S5500-EI series can implement both broadcast storm control based on port rate
percentage and broadcast storm control based on pps.
3.1.5 VLAN
Virtual local area network (VLAN) is a technology that implements virtual workgroups
by assigning the devices in a LAN into network segments logically rather than
physically. The VLAN standard is described in the IEEE 802.1Q protocol standard,
which was issued in 1999.
You can use VLAN to divide a LAN into multiple broadcast domains known as virtual
LANs, namely, VLANs, the computers in each of which are correlated in a certain way.
As VLANs are implemented logically rather than physically, the computers in the same
VLAN do not necessarily reside on the same physical LAN segment; instead, they can
belong to different physical LAN network segments.
On a switch, the following types of VLAN are supported.

Port-based VLAN

MAC-based VLAN

Protocol-based VLAN

IP multicast-based VLAN (In this case, a multicast group forms a VLAN.)

Network layer-based VLAN (In this case, VLANs are created based on the
network layer addresses of the hosts).
VLAN offers the benefit that the broadcast and unicast traffic inside a VLAN are not
forwarded to other VLANs, thereby helping implement network traffic control, save
equipment investment, streamline network management, and enhance network
security.
The H3C S5500-EI series support the following types of VLAN.
I. Port-based VLAN
In a port-based VLAN, VLAN members are defined based on the Ethernet switch ports.
You can add specific ports to the same VLAN so that the hosts connected to these
ports can communicate with each other. This is the simplest way of creating a VLAN.
An S5500-EI Ethernet switch supports up to 4,094 port-based VLANs.
II. Protocol-based VLAN
VLANs can be divided based on protocol. With this type of VLAN configured, a switch
inserts tags into the untagged packets it receives according to the protocols the
packets belong to, so that the packets are forwarded in the corresponding VLANs.
Protocol-based VLANs are usually bound to specific services for ease of management
and maintenance.
III. Voice VLAN
Voice VLAN is designed for voice traffic. An S5500-EI Ethernet switch with voice
VLANs configured determines whether or not a received packet carries voice data by
checking its source MAC address and forwards the packets carrying voice data in the
voice VLANs. Voice VLAN ensures the transmission priority of voice traffic and
improves voice quality.
IV. VLAN Trunk
The VLAN trunk function is used for the connections between switches. A VLAN trunk
is a point-to-point link between two switches. The ports of the two switches across a
VLAN trunk are called trunk ports. Multiple VLANs can be carried over the same trunk
port.
The implementation principle is as follows: On a trunk port, messages of different
VLANs are differentiated through different 802.1Q tags. In this way, interconnections
among all VLANs are enabled networkwide.
3.1.6 GARP/GVRP
I. GARP
Generic attribute registration protocol (GARP) provides a means of distributing,
propagating, and registering specific type of information (such as VLAN and multicast
group address) among the members inside the same switched network.
A GARP member can be a workstation or a switch. GARP members communicate with
each other by exchanging their messages. By exchanging messages, all the member
switches on a switching network get all the attribute information to be registered. GARP
enables the configuration information of a GARP member to be propagated throughout
the entire switched network. A GARP member triggers other GARP members, through
declaration/declaration cancellation messages, to register/deregister its attribute
information. It also registers/deregisters the attribute information of other GARP
members in response to their declaration/declaration cancellation messages.
GARP by itself does not exist on the routing switch as an entity. It takes the form of
GARP application, which is implemented on entities adopting GARP. Commonly used
GARP applications are GVRP (GARP VLAN registration protocol) and GMRP (generic
multicast registration protocol). The PDUs (protocol data units) of different GARP
applications (GVRP and GMRP for example) carry the MAC addresses peculiar to the
applications, according to which a routing switch that employs GARP can recognize
the received GARP packets and pass them to the corresponding GARP applications for
processing.
II. GVRP
GVRP is a GARP application that maintains VLAN dynamic registration information in a
routing switch and transmits the information to other routing switches, based on the
operating mechanism of GARP.
A routing switch that employs GVRP receives VLAN registration information from
other routing switches and dynamically updates the local VLAN registration information,
including current VLAN members and the ports through which these VLAN members
can be reached, etc. Moreover, in a switched network, all the routing switches with
GVRP employed transmit the local VLAN registration information to other routing
switches, thus keeping the VLAN information maintained by them in consistency. VLAN
registration information transmitted by these routing switches includes both the static
registration information manually configured locally and the dynamic registration
information from other routing switches.
3.1.7 QinQ
I. QinQ characteristics
QinQ enables packets to traverse the backbone network (public network) of the
operator with two layers of VLAN tags, where VLAN tag of the customer network is
encapsulated in the VLAN tag of the public network. In the public network, packets are
forwarded based on the outer VLAN tag (that is, the public network VLAN tag) only,
while the customer network VLAN tag is shielded.
Compared with MPLS-based L2 VPN, QinQ has the following features:

It provides simpler L2 VPN tunnels.

It can be implemented through full-static configuration, without the need of a
signaling protocol.
QinQ mainly provides the following benefits:

Saving public network VLAN IDs

Enabling private network VLAN IDs that do not conflict with those of the public
network

Providing small-sized MANs or intranets with simpler L2 VPN solutions
II. BPDU Tunnel
BPDU tunnel enables BPDUs to be transmitted transparently between geographically
dispersed user networks through the designated VLAN VPN in the carrier’s network for
uniform spanning tree calculation across the user networks. In this case, the spanning
tree of the user network is independent of that of the carrier’s network.
3.1.8 VLAN Mapping
With VLAN mapping, the S5500-EI switch can flexibly classify packets at the access
layer and distribution layer to promote transmission efficiency.
The S5500-EI series switches support the following three types of VLAN mapping:

One-to-one VLAN mapping, which maps one customer VLAN (CVLAN) ID to one
service-provider VLAN (SVLAN) ID.
Figure 3-1 One-to-one VLAN mapping (frame "VLAN X | Data" is mapped to "VLAN Y | Data")

Many-to-one VLAN mapping, which maps multiple CVLAN IDs to one SVLAN ID.
Figure 3-2 Many-to-one VLAN mapping (frames "VLAN A | Data", "VLAN B | Data" and "VLAN C | Data" are each mapped to "VLAN Y | Data")

Two-to-two VLAN mapping, which maps the outer and inner VLAN IDs of double
tagged traffic to a new pair of outer and inner VLAN IDs.
Figure 3-3 Two-to-two VLAN mapping (frame "VLAN A | VLAN B | Data" is mapped to "VLAN X | VLAN Y | Data")
One-to-one VLAN mapping and many-to-one VLAN mapping mainly apply to intelligent
network environments with mixed data, voice and video applications. In such a network,
different VLANs are used for transmitting different services of a user to the corridor
access device through a home gateway.
To differentiate users that are using the same service, you can perform one-to-one
VLAN mapping to map the service traffic to different VLANs by user on an access
device.
Then, you can perform many-to-one VLAN mapping at the distribution layer to map the
traffic to different VLANs by service type, allowing different transmission policies to be
applied to the traffic of different service types.
Two-to-two VLAN mapping mainly applies to VPN networks. When a packet enters an
SP network, the edge device of the SP network adds an outer VLAN tag to the packet
through QinQ or selective QinQ. Then, two-to-two VLAN mapping replaces both the
original inner VLAN tag and outer VLAN tag of the packet with the inner VLAN tag of the
destination network and the outer VLAN tag of another SP network, so that the packet
can travel across the two SP networks to reach the destination.
3.2 Network Protocol Features
3.2.1 ARP
Address resolution protocol (ARP) dynamically maps IP addresses to specific MAC
addresses. Upon being enabled, ARP carries out the address resolution without
manual intervention.
The S5500-EI series switches support the following extended ARP and attack defense
implementations:
I. Gratuitous ARP
Gratuitous ARP enables a device to test whether or not IP address conflicts exist
between itself and other devices in the network by sending ARP requests. Since both
the source and destination IP addresses of a gratuitous ARP request packet are set to
the local IP address, an IP address conflict exists if a host responds to the ARP request.
A gratuitous ARP request is also used to update the corresponding MAC address
entries maintained by other devices. A switch updates the corresponding MAC address
entry if the IP address contained in a received ARP request packet matches the MAC
address entry. As an ARP request packet is broadcast across the network, all the MAC
address entries matching the ARP request packet are updated.
II. Proxy ARP
The S5500-EI series support the following two types of proxy ARP, standard proxy ARP
and local proxy ARP.
Standard proxy ARP conforms to the related protocol; it responds to ARP requests
sourced from other network segments. As shown in Figure 3-4, Host A and Host B are
of different network segments connected to an S5500-EI Ethernet switch. Although the
gateways configured for Host A and Host B are of different network segments, their IP
addresses indicate that they are of the same network segment. Normally, ARP
requests sourced from Host A and destined for Host B, which are inter-network
segment, are dropped in this case. With standard proxy ARP enabled, the S5500-EI
Ethernet switch looks up in the routing table for the route upon receiving an ARP
request packet and sends its MAC address to the ARP request sender if the route
exists. The ARP request sender then sends another packet to the switch, with the
address contained in the route as the destination address. The switch in turn forwards
the packet.
Figure 3-4 A standard proxy ARP implementation
(Figure labels: Switch with Vlan-int1, gateway IP address 10.110.104.1/24, and Vlan-int2, gateway IP address 10.110.105.1/24; Host A 10.110.104.11/16; Host B 10.110.105.11/16.)
Local proxy ARP only responds to ARP requests on the same network segment. As for
the S5500-EI series switches, local proxy ARP is mainly employed on port
isolation-enabled ports to allow Layer 3 communication between isolated users.
Figure 3-5 A local ARP proxy implementation
(Figure labels: Switch with Vlan-int1, gateway IP address 10.110.104.1/24; Host A 10.110.104.11/24 on GE1/0/1; Host B 10.110.104.12/24 on GE1/0/2; port isolation between the two ports.)
As shown in Figure 3-5, port isolation is enabled on the S5500-EI Ethernet switch;
therefore, ARP packets cannot be forwarded between downlink ports. If the switch also
has local proxy ARP enabled and receives an ARP request sourced from Host A and
destined for Host B, the switch looks up in the routing table and sends its MAC address
to the ARP request sender if the route exists. The ARP request sender then sends the
packet to the switch, with the address contained in the route as the destination address.
The switch in turn forwards the packet.
III. ARP Attack Defense
ARP attacks and viruses are threatening LAN security. H3C S5500-EI Series Ethernet
Switches can provide multiple features to detect and prevent such attacks.
1) ARP Source Suppression
If a device receives large numbers of IP packets from a host to unreachable
destinations,

The device sends large numbers of ARP requests to the destination subnets,
which increases the load of the destination subnets.

The device continuously resolves destination IP addresses, which increases the
load of the CPU.
To protect the device from such attacks, you can enable the ARP source suppression
function. With the function enabled, whenever the number of packets with unresolvable
destination IP addresses from a host within five seconds exceeds a specified threshold,
the device suppresses the sending host from triggering any ARP requests within the
following five seconds.
2) Source MAC Address Based ARP Attack Detection
This feature allows the device to check the source MAC address of ARP packets that
are delivered to the CPU. If the number of ARP packets sent from a MAC address within
five seconds exceeds the specified value, the device considers this an attack.
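The five-second threshold logic of items 1) and 2), as an added Python sketch that is not H3C code. The class and function names are hypothetical, the use of consecutive (non-sliding) windows is an assumption, and the sample events are constructed.

```python
WINDOW_SECONDS = 5.0  # the five-second interval stated in the text


class WindowCounter:
    """Count events per key in consecutive five-second windows (assumed model)."""

    def __init__(self, threshold, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._state = {}  # key -> (window_start, count)

    def hit(self, key, now):
        """Record one event; return True once the count exceeds the threshold."""
        start, count = self._state.get(key, (now, 0))
        if now - start >= self.window:  # window expired: open a new one
            start, count = now, 0
        count += 1
        self._state[key] = (start, count)
        return count > self.threshold


class ArpSourceSuppressor:
    """Item 1): stop a host from triggering ARP requests after it exceeds the limit."""

    def __init__(self, threshold):
        self._counter = WindowCounter(threshold)
        self._suppressed_until = {}  # host IP -> time at which suppression ends

    def may_trigger_arp(self, host_ip, now):
        """Call once per packet from host_ip whose destination IP is unresolvable.

        Returns True if the device should still send an ARP request for it.
        """
        if now < self._suppressed_until.get(host_ip, 0.0):
            return False  # inside the "following five seconds"
        if self._counter.hit(host_ip, now):
            self._suppressed_until[host_ip] = now + WINDOW_SECONDS
            return False
        return True


def detect_arp_flood(events, threshold):
    """Item 2): return the source MACs whose ARP packet count exceeds the threshold.

    events is an iterable of (timestamp, source_mac) for ARP packets sent to the CPU.
    """
    counter = WindowCounter(threshold)
    flagged = set()
    for timestamp, mac in events:
        if counter.hit(mac, timestamp):
            flagged.add(mac)
    return flagged


# Constructed sample: one MAC sends four ARP packets in three seconds,
# the other sends one packet every six seconds.
SAMPLE_EVENTS = [
    (0.0, "02:00:00:00:00:ee"), (0.0, "02:00:00:00:00:0a"),
    (1.0, "02:00:00:00:00:ee"), (2.0, "02:00:00:00:00:ee"),
    (3.0, "02:00:00:00:00:ee"), (6.0, "02:00:00:00:00:0a"),
    (12.0, "02:00:00:00:00:0a"), (18.0, "02:00:00:00:00:0a"),
]

if __name__ == "__main__":
    print(sorted(detect_arp_flood(SAMPLE_EVENTS, threshold=3)))
```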
3) ARP Detection
In normal cases, a Layer 2 access device broadcasts an ARP request within a VLAN,
and forwards ARP responses at Layer 2. If an attacker sends an ARP request with the
source being the IP address of another client, the corresponding ARP entry maintained
by the gateway or other clients is modified. Consequently, the attacker will receive the
packets sent to the client.
The ARP detection feature allows only the ARP packets of legal clients to be forwarded.
ARP Detection consists of two functions: user validity check and ARP packet validity
check.

User validity check: With this feature enabled, the device compares the source IP
and MAC addresses of an ARP packet received from the VLAN against the DHCP
snooping entries, 802.1x security entries, or static IP-to-MAC binding entries.

ARP packet validity check: With this feature enabled, the device filters out invalid
ARP packets received on ARP untrusted ports. You can base ARP packet validity
check on the source MAC address, destination MAC address or IP address. ARP
packet validity check does not apply to packets received on ARP trusted ports.
4) ARP packet rate limit
ARP packets that pass ARP detection are delivered to the CPU. This feature allows you
to limit the rate of ARP packets to be sent to the CPU.
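The two ARP detection checks from item 3), as an added Python example that is not the switch's own implementation. The function names, the exact rules behind each validity keyword, and the choice to exempt trusted ports from both checks are assumptions; the MAC addresses and frames are constructed, with IP addresses taken from Figure 3-5.

```python
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, BCAST_MAC = bytes(6), b"\xff" * 6


def build_arp_frame(eth_src, eth_dst, op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an untagged Ethernet/ARP frame; used only to construct the samples."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += target_mac + ipaddress.IPv4Address(target_ip).packed
    return eth_dst + eth_src + struct.pack("!H", ETH_P_ARP) + arp


def parse_arp_frame(frame):
    """Decode Ethernet + IPv4-over-Ethernet ARP, rejecting anything else."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError("unsupported ARP header")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
        "sender_mac": frame[22:28], "sender_ip": ipaddress.IPv4Address(frame[28:32]),
        "target_mac": frame[32:38], "target_ip": ipaddress.IPv4Address(frame[38:42]),
    }


def _bad_ip(ip):
    """All-zero, all-one and multicast addresses never identify a single host."""
    return ip.is_unspecified or ip.is_multicast or int(ip) == 0xFFFFFFFF


def inspect_arp(frame, trusted, bindings, checks=("src-mac", "dst-mac", "ip")):
    """Return (verdict, reason) for one ARP frame received on a port.

    bindings maps IPv4Address -> MAC bytes and stands in for the DHCP snooping,
    802.1x or static IP-to-MAC binding entries named in the text.
    """
    if trusted:  # assumption: trusted ports skip both checks
        return ("forward", "trusted-port")
    try:
        pkt = parse_arp_frame(frame)
    except ValueError:
        return ("drop", "malformed")
    is_reply = pkt["op"] == ARP_REPLY
    # ARP packet validity check (rule details are assumptions of this example).
    if "src-mac" in checks and pkt["sender_mac"] != pkt["eth_src"]:
        return ("drop", "src-mac")
    if "dst-mac" in checks and is_reply and (
            pkt["target_mac"] in (ZERO_MAC, BCAST_MAC) or pkt["target_mac"] != pkt["eth_dst"]):
        return ("drop", "dst-mac")
    if "ip" in checks and (_bad_ip(pkt["sender_ip"]) or (is_reply and _bad_ip(pkt["target_ip"]))):
        return ("drop", "ip")
    # User validity check: sender IP and MAC must match a known binding.
    if bindings.get(pkt["sender_ip"]) != pkt["sender_mac"]:
        return ("drop", "user-validity")
    return ("forward", "ok")


# Constructed sample data.
HOST_A_MAC = bytes.fromhex("02000000000a")
HOST_B_MAC = bytes.fromhex("02000000000b")
OTHER_MAC = bytes.fromhex("0200000000ee")  # a station with no binding
BINDINGS = {
    ipaddress.IPv4Address("10.110.104.11"): HOST_A_MAC,
    ipaddress.IPv4Address("10.110.104.12"): HOST_B_MAC,
}
LEGIT_REQUEST = build_arp_frame(HOST_A_MAC, BCAST_MAC, ARP_REQUEST,
                                HOST_A_MAC, "10.110.104.11", ZERO_MAC, "10.110.104.1")
# Request that claims Host B's IP address from a different MAC address.
MISMATCHED_REQUEST = build_arp_frame(OTHER_MAC, BCAST_MAC, ARP_REQUEST,
                                     OTHER_MAC, "10.110.104.12", ZERO_MAC, "10.110.104.1")
# Reply whose ARP sender MAC differs from the Ethernet source MAC.
INCONSISTENT_REPLY = build_arp_frame(OTHER_MAC, HOST_A_MAC, ARP_REPLY,
                                     HOST_B_MAC, "10.110.104.12", HOST_A_MAC, "10.110.104.11")

if __name__ == "__main__":
    for name in ("LEGIT_REQUEST", "MISMATCHED_REQUEST", "INCONSISTENT_REPLY"):
        print(name, inspect_arp(globals()[name], trusted=False, bindings=BINDINGS))
```

With the packet validity check disabled (checks=()), INCONSISTENT_REPLY passes, because the user validity check only compares the ARP sender fields against the bindings.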
3.2.2 DHCP
I. DHCP Relay
A routing switch operating as a DHCP relay can relay messages between a DHCP
server and a client, making it possible for a DHCP server in a subnet to provide DHCP
service to the hosts in another subnet. With DHCP Relay, a network manager need
not set up a DHCP server for every subnet, thereby reducing DHCP server costs.
II. DHCP Client
On a contemporary large-sized and complex network, some computers are mobile and
the available IP addresses are far from adequate compared with the fast-growing
number of computers. To address the issue, the dynamic host configuration protocol
(DHCP) was introduced. DHCP works in the client/server model, where the DHCP
client requests the DHCP server for configuration information dynamically, and upon
the receipt of the request the DHCP server returns the configuration information (IP
address for example) based on the adopted policy.
III. DHCP Server
With the built-in DHCP server function, an S5500-EI Ethernet switch can assign IP
addresses to the hosts attached to it and manage the addresses, thus saving the
operator’s investment on external DHCP server.
IV. DHCP Snooping
The DHCP snooping function enables the acquisition of user IP addresses and MAC
addresses by listening to DHCP broadcast packets. It can be used to improve network
security and prevent unauthorized accesses. Additionally, with the DHCP snooping
function employed, ports are classified into trusted ports and untrusted ports. Ports with
DHCP servers attached are trusted ports; and those with hosts attached are untrusted
ports. The DHCP_ACK and DHCP_OFF packets received through untrusted ports are
discarded, which keeps illegal DHCP servers from serving clients.
V. DHCP Option 82
DHCP uses the option field in DHCP messages to carry control information and
network configuration parameters, implementing dynamic address allocation and
providing more network configuration information for clients.
Figure 3-6 shows the DHCP option format.
Bits 0-7: Option type | Bits 8-15: Option length | Value (variable)
Figure 3-6 DHCP option format
Option 82 is the relay agent option in the option field of the DHCP message. It records
the location information of the DHCP client. When a DHCP relay agent or DHCP
snooping device receives a client’s request, it adds Option 82 to the request message
and sends it to the server.
The administrator can locate the DHCP client to further implement security control and
accounting. The Option 82 supporting server can also use such information to define
individual assignment policies of IP address and other parameters for the clients.
Option 82 involves at most 255 sub-options. At least one sub-option must be defined.
Now the DHCP relay agent supports two sub-options: sub-option 1 (Circuit ID) and
sub-option 2 (Remote ID).
Option 82 has no unified definition. Its padding formats vary with vendors.
You can use the following two methods to configure Option 82:

User-defined method: Manually specify the content of Option 82.
Non-user-defined method: Pad Option 82 in the default normal or verbose mode.

If you choose the second method, you can specify the padding format for the
sub-options as ASCII or HEX.
2) Normal padding format

sub-option 1: Padded with the VLAN ID and number of the port that received the
client’s request. The following figure gives its format. The value of the sub-option
type is 1, and that of the circuit ID type is 0.
Bits 0-7: Sub-option type (0x01) | Bits 8-15: Length (0x06) | Bits 16-23: Circuit ID type (0x00) | Bits 24-31: Length (0x04)
VLAN ID | Port number
Figure 3-7 Sub-option 1 in normal padding format

sub-option 2: Padded with the MAC address of the DHCP relay agent interface or
the MAC address of the DHCP snooping device that received the client’s request.
The following figure gives its format. The value of the sub-option type is 2, and that
of the remote ID type is 0.
Bits 0-7: Sub-option type (0x02) | Bits 8-15: Length (0x08) | Bits 16-23: Remote ID type (0x00) | Bits 24-31: Length (0x06)
MAC Address
Figure 3-8 Sub-option 2 in normal padding format
3) Verbose padding format
The padding contents for sub-options in the verbose padding format are:

sub-option 1: Padded with the user-specified access node identifier (ID of the
device that adds Option 82 in DHCP messages), and type, number, and VLAN ID of
the port that received the client’s request. Its format is shown in the following figure.
Sub-option type (0x01) | Length | Node identifier | Port type | Port number | VLAN ID
Figure 3-9 Sub-option 1 in verbose padding format

sub-option 2: Padded with the MAC address of the interface that received the
client’s request. It has the same format as that in normal padding format, as shown
in Figure 3-8.
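An encoder and strict parser for Option 82 in the normal padding format of Figures 3-7 and 3-8, added here as an example and not taken from H3C software. The function names are hypothetical, network byte order for the 16-bit VLAN ID and port number fields is an assumption, and the sample values in the usage section are constructed.

```python
import struct

OPTION_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


class Option82Error(ValueError):
    """Raised when an Option 82 field is truncated or violates the layout."""


def build_option82_normal(vlan_id, port_number, mac):
    """Encode Option 82 with sub-options 1 and 2 in the normal padding format."""
    if not 1 <= vlan_id <= 4094:
        raise Option82Error("VLAN ID out of range")
    if len(mac) != 6:
        raise Option82Error("MAC address must be 6 bytes")
    # Sub-option 1: type 0x01, length 0x06, circuit ID type 0x00, length 0x04,
    # then VLAN ID and port number (16 bits each; byte order is an assumption).
    circuit = struct.pack("!BBBBHH", SUB_CIRCUIT_ID, 6, 0, 4, vlan_id, port_number)
    # Sub-option 2: type 0x02, length 0x08, remote ID type 0x00, length 0x06, MAC.
    remote = struct.pack("!BBBB6s", SUB_REMOTE_ID, 8, 0, 6, mac)
    value = circuit + remote
    return bytes([OPTION_RELAY_AGENT, len(value)]) + value


def iter_suboptions(option):
    """Yield (type, body) pairs from one raw Option 82, checking every length."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT:
        raise Option82Error("not a relay agent information option")
    declared = option[1]
    value = option[2:2 + declared]
    if len(value) != declared:
        raise Option82Error("option value shorter than its length byte")
    if declared == 0:
        raise Option82Error("at least one sub-option must be defined")
    pos = 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise Option82Error("truncated sub-option header")
        sub_type, sub_len = value[pos], value[pos + 1]
        body = value[pos + 2:pos + 2 + sub_len]
        if len(body) != sub_len:
            raise Option82Error("sub-option %d overruns the option" % sub_type)
        yield sub_type, body
        pos += 2 + sub_len


def parse_option82_normal(option):
    """Decode sub-options 1 and 2; reject anything that is not normal padding."""
    result = {}
    seen = set()
    for sub_type, body in iter_suboptions(option):
        if sub_type in seen:
            raise Option82Error("duplicate sub-option %d" % sub_type)
        seen.add(sub_type)
        if sub_type == SUB_CIRCUIT_ID:
            if len(body) != 6 or body[0] != 0 or body[1] != 4:
                raise Option82Error("circuit ID is not in normal padding format")
            result["vlan_id"], result["port_number"] = struct.unpack("!HH", body[2:])
        elif sub_type == SUB_REMOTE_ID:
            if len(body) != 8 or body[0] != 0 or body[1] != 6:
                raise Option82Error("remote ID is not in normal padding format")
            result["remote_mac"] = ":".join("%02x" % b for b in body[2:])
        else:
            # Other sub-options are allowed by the option but not decoded here.
            result.setdefault("unknown_suboptions", []).append(sub_type)
    return result


if __name__ == "__main__":
    # Constructed sample: VLAN 100, port 5, relay MAC 00:11:22:aa:bb:cc.
    raw = build_option82_normal(100, 5, bytes.fromhex("001122aabbcc"))
    print(raw.hex())
    print(parse_option82_normal(raw))
```

A DHCP server or log pipeline that keys policy on the Circuit ID can use the strict parser to reject options whose inner type or length bytes do not match the expected format instead of trusting them.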
3.2.3 UDP Helper
The UDP helper function relays and forwards the specified UDP broadcast packets.
It can transform UDP broadcast packets into unicast packets and
send them to the specified servers.
With the UDP helper function enabled, a switch determines whether or not to forward a
received packet by the UDP port number carried in the packet. If the packet is to be
forwarded, the switch modifies the destination IP address in the IP header and sends
the packet to a specific destination server. Otherwise, the switch passes the packet to
the upper layer modules.
With the presence of the DHCP relay function, the UDP helper function does not relay
DHCP packets on the S5500-EI series switches.
3.2.4 DNS
Domain name system (DNS) is a distributed database used for TCP/IP applications. It
performs translations between domain names and IP addresses. DNS allows you to
replace IP addresses with domain names, which are meaningful and easy to memorize.
Domain name-to-IP address resolution is carried out by a DNS server.
There are two kinds of domain name resolution, namely the static domain name
resolution and dynamic domain name resolution, both of which supplement each other
in real application. You can configure the switch to resolve domain names in the
static way first, with the dynamic resolution as the last resort. By adding commonly used domain
names to the static domain name resolution table, you can greatly improve the
efficiency of domain name resolution.
I. Static domain name resolution
To enable static domain name resolution, you need to establish domain name-to-IP
address maps. When you use a domain name for an application, the corresponding IP
address can be obtained through the static domain name resolution table.
II. Dynamic domain name resolution
Dynamic domain name resolution is implemented by querying the DNS server. With
dynamic domain name resolution adopted, a DNS client sends DNS requests to the
DNS server for the corresponding IP address. The DNS server in turn searches in its
own database for the IP address corresponding to the domain name and sends the IP
address back to the DNS client. If the DNS server cannot find the corresponding IP
address in its database, it forwards the DNS request to the DNS server one level higher
than itself for the domain name to be resolved. Such a process goes on and on until the
domain name is resolved.
An S5500-EI Ethernet switch supports the static domain name resolution and can
operate as a DNS client when dynamic domain name resolution is adopted. Besides
IPv4 address-to-domain name conversion, that of IPv6 is also available on an
S5500-EI switch.
3.2.5 OAM (802.3ah)
Ethernet OAM (meaning operation, administration, and maintenance) is a tool for
monitoring networks. It operates on the data link layer and can report information about
networks to network administrators through the OAMPDUs exchanged between
devices, enabling network administrators to manage the network more effectively.
Currently, Ethernet OAM is mainly used for detecting data link layer problems that occur
in the “last mile”. By enabling Ethernet OAM on two devices connected by a
point-to-point connection, you can monitor the status of the link between the two
devices. Ethernet OAM provides the following functions.

Link performance monitoring, for detecting link errors

Fault detection and alarm, for reporting link errors to the administrators

Loopback testing, for detecting link errors through non-OAMPDUs
3.2.6 Connectivity Fault Detection (802.1ag)
Connectivity fault detection (CFD) is a Layer 2 link OAM (Operations, Administration
and Maintenance) mechanism used for link connectivity detection and fault locating.
I. Maintenance domain
A maintenance domain (MD) is the part of network where CFD plays its role. The MD
boundary is defined by some maintenance points configured on the ports. MD is
identified by MD name and is divided into 8 levels, represented by integer 0 to 7. The
bigger the number, the higher the level. A higher level MD can contain lower level MDs,
but they cannot overlap. In other words, a higher level MD covers larger area than a
lower level MD.
II. Maintenance association
Maintenance association (MA) is a set of maintenance points in a maintenance domain.
It is identified in the form “MD name + MA name”.
MA works within a VLAN. Packets sent by the maintenance points in an MA carry the
corresponding VLAN tag. A maintenance point can receive packets sent by other
maintenance points in the same MA.
III. Maintenance point
A maintenance point (MP) is configured on a port and belongs to an MA. MP can be
divided into two types: maintenance association end point (MEP) and maintenance
association intermediate point (MIP).

MEP
Each MEP is identified by an integer called MEP ID. The MEPs define the range of MD.
The MA and MD that MEPs belong to define the VLAN attribute and level of the packets
sent by the MEPs. MEPs are divided into inbound MEP and outbound MEP.
In Figure 3-10, outbound MEPs are configured on the ports. In Figure 3-11, inbound
MEPs are configured on the two ports.
Figure 3-10 Outbound MEP (diagram: bridges with relay entities and ports within a maintenance association)
Figure 3-11 Inbound MEP (diagram: bridges with relay entities and ports within a maintenance association)

MIP
Maintenance association intermediate point (MIP) can handle and respond to CFD
packets. The MA and MD that a MIP belongs to define the VLAN attribute and level of
the packets received.
Figure 3-12 shows an example of how MD levels are graded in CFD. In the figure, there are
six devices, labeled 1 to 6. Suppose each device has two ports, and
MEPs and MIPs are configured on some of these ports. Four levels of MDs are
designed in this example; the bigger the number, the higher the level and the larger the
area covered. In this example, the X port of device 2 is configured with the following
MPs: a level 5 MEP, a level 3 inbound MEP, a level 2 inbound MEP, and a level 0
outbound MEP.
Figure 3-12 Levels of MPs (diagram: devices 1 to 6 with ports x and y and nested MDs at levels 5, 3, 2 and 0; the legend marks ports, maintenance associations, MEPs and MIPs labeled with their MD level, and the logical path of CFD messages)
3.3 NTP
Clock synchronization among devices becomes important given increasingly complex
network topologies. The network time protocol (NTP) is a TCP/IP protocol that
advertises accurate time on the entire network.
NTP provides consistency guarantee for the following applications:

When incremental backup is performed between a backup server and a client, it
ensures that the clocks of the two systems are synchronized.

When multiple systems are used to deal with complex events, it ensures the
correct order of these events.

It ensures the normal performance of the Remote Procedure Call (RPC) between
systems.

It provides time information about such operations as user system login and
file modification for application programs.
3.4 Routing Features
Note:
Because an L3 switch is capable of routing, “router” in this chapter refers to generic routers or L3
routing switches that run routing protocols.
3.4.1 Static Route and Default Route
I. Static route
Static routes are configured manually by the network administrator. In a network with a
simple structure, static routes can ensure normal running of the switches.
Configuring static routes correctly can ensure network security effectively and provide
bandwidth for important applications. The disadvantage of static routes is that they
do not adapt when the network topology changes, for example because of a
network device failure. The network administrator has to
configure static routes again based on the new network topology.
II. Default route
Default routes are used only when a router fails to find any matching route. In a routing
table, the default route is the route to 0.0.0.0. Default routes can save bandwidth
resources occupied by packet forwarding and save routing time, thus enabling a great
number of users to communicate simultaneously.
3.4.2 RIP v1/v2
Route information protocol (RIP) is a widely used interior gateway protocol (IGP). It is
based on the distance-vector (D-V) algorithm and is suitable for small-sized and simple
networks.
RIP exchanges routing information regularly through user datagram protocol (UDP)
packets. The port used is port 520. It uses hop count as the routing metric and allows
up to 15 hops.
RIPv2 supports plain text authentication and message-digest 5 (MD5) authentication,
as well as variable-length subnet masks.
RIPv1 and RIPv2 support IPv4 routes only.
3.4.3 RIPng
RIP next generation (RIPng) is an enhancement of RIP-2. Most RIP parameters remain valid in
RIPng.
Compared with RIP, the following are new in RIPng, which enable it to be implemented
in an IPv6 network.

Port 521 is used to send and receive routing information.

FF02::9 is used as the local RIPng multicast address.

The prefix (also the mask) is 128 bits in length.

The next hop address is an IPv6 address, which is 128 bits in length.

The link-local address (FE80::/10) is used as the source address to send RIPng
routing information update packets.
RIPng is based on the D-V algorithm. It uses UDP to exchange routing information
through port 521. In RIPng, hop count is used to measure the distance to the
destination host; the distance is also known as metric or overhead. In RIPng, the hop
count to a directly connected network is 0, the hop count between two directly
connected routers is 1, and so on. A metric equal to or exceeding 16 indicates that the
destination network or host is unreachable.
By default, RIPng sends route update packets once in every 30 seconds. If no route
update packet is received from a network neighbor within 180 seconds, RIPng
identifies all the routes learned from the neighbor as unreachable. If no route update
packet is received from a neighbor within 300 seconds, RIPng removes the routes from
the routing table.
To improve performance and avoid routing loops, RIPng supports both split horizon and
poison reverse. Besides, RIPng can also use routes learned by other routing protocols.
Each router with RIPng employed maintains a route database that contains the routes
to all reachable destination addresses in the destination network. A route entry in the
routing database contains the following information:

Destination address: IPv6 address of a host or a network

Next hop address: Address of the next router to the destination

Interface: Interface through which the IP packets are forwarded

Overhead: Number of hops to reach the destination

Timer: Records the time elapsed since the latest modification made to the route
entry. Modifying a route entry resets the corresponding timer to 0.

Route tag: Tag differentiating between internal routing protocols and external
routing protocols
3.4.4 OSPF v1/v2
Open shortest path first (OSPF) is an IGP. It operates based on
link-state (L-S) messages and is designed for networks that are larger in size and
complicated in structure.
A router uses OSPF to maintain the routing information within an autonomous system
(AS). In an AS, each OSPF router collects and broadcasts link state information
throughout the AS by using the flooding algorithm to keep the link state database
(LSDB) of the AS synchronized. A router calculates the shortest-path tree using
the LSDB, taking itself as the root and other network nodes as leaves, and thus obtains its
optimal reachable routes inside the system.
Both OSPFv1 and OSPFv2 support IPv4-based routing only. Figure 3-13 shows the
format of the header of an OSPF packet.
Figure 3-13 OSPF packet header
Some of the fields are described as follows:

Version: OSPF version number. For OSPFv2, this field takes the value of 2.

Type: OSPF packet type. It is in the range of 1 to 5, which correspond to Hello, DD
(database description), LSR (link state request), LSU (link state update), and
LSAck (link state acknowledgement) packets.

Packet Length: Total size (in bytes) of an OSPF packet (including the header).

AuType: Authentication type. The value can be 0, 1, and 2, which correspond to
no authentication, simple authentication, and MD5 authentication.

Authentication: Its value depends on the AuType field. If AuType is set to 0, this
field is not defined; if AuType is set to 1, this field holds the password; and if
AuType is set to 2, this field holds the Key ID, the MD5 authentication data length,
and the serial number.
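The header fields listed above are enough to audit captured OSPFv2 packets for weak authentication settings. The following is an added example, not code from the original document or from H3C. It assumes the standard 24-byte OSPFv2 header layout (which also carries the Router ID, Area ID and a checksum), and the sample packets and finding names are constructed for illustration.

```python
import ipaddress
import struct

HEADER_LEN = 24  # fixed size of the OSPFv2 packet header, in bytes
PACKET_TYPES = {1: "Hello", 2: "DD", 3: "LSR", 4: "LSU", 5: "LSAck"}


def parse_header(packet: bytes) -> dict:
    """Decode the OSPFv2 header fields; raise ValueError on a truncated packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet is shorter than the 24-byte OSPF header")
    version, ptype, length, router_id, area_id, checksum, autype = struct.unpack(
        "!BBH4s4sHH", packet[:16])
    header = {
        "version": version,
        "type": ptype,
        "type_name": PACKET_TYPES.get(ptype, "unknown"),
        "length": length,
        "router_id": str(ipaddress.IPv4Address(router_id)),
        "area_id": str(ipaddress.IPv4Address(area_id)),
        "checksum": checksum,
        "autype": autype,
    }
    if autype == 2:
        # MD5 authentication: 2 reserved bytes, Key ID, digest length, sequence number.
        _zero, key_id, auth_len, sequence = struct.unpack("!HBBI", packet[16:24])
        header.update(key_id=key_id, auth_len=auth_len, sequence=sequence)
    return header


def audit(packet: bytes) -> list:
    """Return finding codes for one captured packet (empty list: nothing to flag)."""
    header = parse_header(packet)
    findings = []
    if header["version"] != 2:
        findings.append("bad-version")
    if header["type"] not in PACKET_TYPES:
        findings.append("bad-type")
    if not HEADER_LEN <= header["length"] <= len(packet):
        findings.append("bad-length")
    if header["autype"] == 0:
        findings.append("no-authentication")
    elif header["autype"] == 1:
        # The 8-byte Authentication field carries the password in the clear.
        findings.append("cleartext-password")
    elif header["autype"] == 2:
        # The MD5 digest follows the packet and is not counted in Packet Length.
        if len(packet) < header["length"] + header["auth_len"]:
            findings.append("md5-digest-missing")
    else:
        findings.append("unknown-autype")
    return findings


def build_packet(autype, auth, ptype=1, body=b"", trailer=b""):
    """Construct a sample packet (checksum left at 0; it is not verified here)."""
    fixed = struct.pack(
        "!BBH4s4sHH", 2, ptype, HEADER_LEN + len(body),
        ipaddress.IPv4Address("192.0.2.1").packed,   # constructed Router ID
        ipaddress.IPv4Address("0.0.0.0").packed,     # constructed Area ID
        0, autype)
    return fixed + auth + body + trailer


# Constructed sample packets, one per AuType value described above.
MD5_FIELD = struct.pack("!HBBI", 0, 7, 16, 1000)  # Key ID 7, 16-byte digest, seq 1000
NO_AUTH = build_packet(0, bytes(8))
SIMPLE = build_packet(1, b"example\x00")
MD5_OK = build_packet(2, MD5_FIELD, trailer=bytes(16))
MD5_CUT = build_packet(2, MD5_FIELD)  # digest stripped from the capture

if __name__ == "__main__":
    for name, pkt in [("NO_AUTH", NO_AUTH), ("SIMPLE", SIMPLE),
                      ("MD5_OK", MD5_OK), ("MD5_CUT", MD5_CUT)]:
        print(name, parse_header(pkt)["type_name"], audit(pkt))
```
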
3.4.5 OSPF v3
OSPFv3 provides support for IPv6 and is described in RFC 2740 (OSPF for IPv6).
Figure 3-14 illustrates the format of the header of an OSPFv3 packet.
Figure 3-14 OSPFv3 packet header
Some of the fields are described as follows:

Version: OSPF version number. For OSPFv3, this field takes the value of 3.

Type: OSPF packet type. It is in the range of 1 to 5, which correspond to Hello,
DD, LSR, LSU, and LSAck packets.

Packet Length: Total size (in bytes) of an OSPF packet (including the header).

Instance ID: ID of an instance attached to the same link.

0: This field is reserved and must be 0.
The following are common to both OSPFv3 and OSPFv2:

Both have 32-bit Router ID and Area ID.

Both process the same types of packets: Hello, DD, LSR, LSU, and LSAck.

Both adopt the same mechanism for neighbor discovery and neighborhood
formation

Both adopt the same LSA advertisement and aging mechanism.
OSPFv3 and OSPFv2 are different in that:

OSPFv3 is link-based, while OSPFv2 is network-based.

OSPFv3 allows multiple instances on the same link.

OSPFv3 identifies neighbors by router ID. OSPFv2, however, identifies neighbors
by IP address.
3.4.6 Introduction to IS-IS
Intermediate System-to-Intermediate System (IS-IS) is an interior gateway protocol
(IGP) used within an Autonomous System. It adopts the Shortest Path First (SPF)
algorithm for route calculation.
I. Two-level hierarchy
IS-IS uses two-level hierarchy in the routing domain to support large scale routing
networks. A large routing domain is divided into multiple Areas. The Level-1 router is in
charge of forwarding routes within an area, and the Level-2 router is in charge of
forwarding routes between areas.
II. Level-1 and Level-2
1) Level-1 router
The Level-1 router only establishes the neighbor relationship with Level-1 and
Level-1-2 routers in the same area. The LSDB maintained by the Level-1 router
contains the local area routing information. It directs packets destined outside the area to the
nearest Level-1-2 router.
2) Level-2 router
The Level-2 router establishes the neighbor relationships with the Level-2 and
Level-1-2 routers in the same or in different areas. It maintains a Level-2 LSDB which
contains inter area routing information. All the Level-2 and Level-1-2 routers must be
contiguous to form the backbone in a routing domain. Only Level-2 routers can directly
communicate with routers outside the routing domain.
3) Level-1-2 router
A router with both Level-1 and Level-2 router functions is called a Level-1-2 router. It
can establish the Level-1 neighbor relationship with the Level-1 and Level-1-2 routers
in the same area, or establish Level-2 neighbor relationship with the Level-2 and
Level-1-2 routers in different areas. A Level-1 router must be connected to other areas
via a Level-1-2 router. The Level-1-2 router maintains two LSDBs, where the Level-1
LSDB is for routing within the area, and the Level-2 LSDB is for routing between areas.
Note:

Level-1 routers in different areas cannot establish a neighbor relationship.

The establishment of neighbor relationships between Level-2 routers does not depend on
the area.
Figure 3-15 shows a network topology running the IS-IS protocol. Area 1 is a set of
Level-2 routers, called backbone network. The other four areas are non-backbone
networks connected to the backbone through Level-1-2 routers.
Figure 3-15 IS-IS topology (diagram: Area 1 with L2 routers as the backbone; Areas 2 to 5 with L1 and L1/L2 routers)
Figure 3-16 shows another network topology running the IS-IS protocol. The Level-1-2
routers connect the Level-1 and Level-2 routers, and also form the IS-IS backbone
together with the Level-2 routers. There is no area defined as the backbone in this
topology. The backbone is composed of all contiguous Level-2 and Level-1-2 routers
which can reside in different areas.
Figure 3-16 IS-IS topology (diagram: Areas 1 to 4 with L1, L2 and L1/L2 routers)
Note:
The IS-IS backbone does not need to be a specific Area.
Both the IS-IS Level-1 and Level-2 routers use the SPF algorithm to generate the
Shortest Path Tree (SPT).
III. Interface routing hierarchy type
You can configure the routing type for each interface. For a Level-1-2 router, one
interface may establish Level-1 adjacency with a router, and another one may establish
Level-2 adjacency with another router. You can limit the adjacency type by configuring
the routing hierarchy on the interface. For example, the level-1 interface can only
establish Level-1 adjacency, while the level-2 interface can only establish Level-2
adjacency.
With this function, you can prevent the Level-1 hello packets from propagating to
the Level-2 backbone through the Level-1-2 router, which saves bandwidth.
IV. Route leaking
An IS-IS routing domain is comprised of only one Level-2 area and multiple Level-1
areas. A Level-1 area is connected with the Level-2 area rather than other Level-1
areas.
The routing information of the Level-1 area is sent to the Level-2 area through the
Level-1-2 router. Therefore, the Level-2 router knows the routing information of the
entire IS-IS routing domain but does not share the information with the Level-1 area by
default.
Since the Level-1 router simply sends the routing information for destinations outside
the area to the nearest Level-1-2 router, this may cause a problem that the best path
cannot be selected.
To solve this problem, route leaking was introduced. The Level-2 router can advertise
the Level-2 routing information to a specified Level-1 area. By having the routing
information of other areas, the Level-1 router can make a better routing choice for the
packets destined outside the area.
3.4.7 Introduction to IPv6 IS-IS
The IS-IS routing protocol (Intermediate System-to-Intermediate System intra-domain
routing information exchange protocol) supports multiple network protocols, including
IPv6. IS-IS with IPv6 support is called the IPv6 IS-IS dynamic routing protocol. The
Internet Engineering Task Force (IETF) defines two type-length-values (TLVs) and a
new network layer protocol identifier (NLPID) to enable IPv6 support for IS-IS.
TLV is a variable field in the link state PDU or link state packet (LSP). The two TLVs are:

IPv6 Reachability: Defines the prefix, metric of routing information to indicate the
network reachability, with a type value of 236 (0xEC).

IPv6 Interface Address: Similar to the “IP Interface Address” TLV of IPv4, it
transforms the 32-bit IPv4 address to the 128-bit IPv6 address.
NLPID is an 8-bit field with a value of 142 (0x8E), which indicates the network layer
protocol packet. If the IS-IS router supports IPv6, the advertised routing information
must be marked with the NLPID.
3.4.8 BGP
Border gateway protocol (BGP) is an inter-AS dynamic route discovery protocol. BGP
basically functions to exchange loop-free routing information between ASs. As the path
reachability information contains attributes such as AS numbers, BGP enables routers
to obtain the AS topology of a network, eliminates routing loops, and implements user
routing policies. BGP is often used between Internet service providers (ISPs). It
provides various ways of exchanging border routing information and route selection
and is highly scalable to accommodate rapid growth of the Internet.
Different from other dynamic routing protocols, BGP exchanges routing information
through TCP packets. At present, BGPv4 is commonly used. It has become the de
facto external routing standard.
3.4.9 BGP4+
To provide support for multiple network layer protocols, IETF extended BGP-4 to form
BGP4+. BGP4+ is described in RFC 2858 (Multiprotocol extensions for BGP-4).
BGP4+ provides support for IPv6 by mapping IPv6 network layer protocol information
to the NLRI (network layer reachable information) and Next_Hop attributes.
In BGP4+, the following two NLRI attributes are added:

MP_REACH_NLRI (multiprotocol reachable NLRI), which is used to advertise
reachable routes and next-hop information.

MP_UNREACH_NLRI (multiprotocol unreachable NLRI), which is used to remove
unreachable routes.
In BGP4+, the Next_Hop attribute holds an IPv6 address, which can be either an IPv6
global unicast address or the local address of the next-hop.
BGP multi-protocol extension enables BGP4+ to be employed in IPv6 networks. Note
that the BGP message mechanism and routing mechanism remain unchanged.
3.4.10 Equivalent Route
Equivalent routes are routes whose destinations and priorities are the same.
Equivalent routes are used when no route leading to the same destination and with
higher priority exists. Packets are forwarded to the destination through a path
calculated based on packet source and destination IP addresses, so as to implement
load sharing in the network.
A routing protocol may discover different routes to the same destination. If the routing
protocol has the highest priority among all the active routing protocols, these routes are
regarded as valid routes. Thus, load sharing of IP traffic is ensured in terms of routing
protocol.
3.4.11 Routing Policy
Routing policies are used to improve the control and management of routing protocols.
For the exchange of routing information between routers, you can
configure the routers to receive or advertise specific types of routing information only.
When a router imports the routing information generated by other routing protocols, you
can choose to import only specific types of routing information and modify the attributes of the
routing information for the current protocol. All these can be achieved through routing
policies.
A routing policy comprises a set of rules that regulate route advertisement, route
receiving, and route importing procedures. Routing policy is also known as route
filtering. A rule in a routing policy is actually a filter. Rules of a routing policy are used
when a piece of routing information is to be received or advertised, or when routing
information of different protocols is exchanged.
3.4.12 MCE Features
It is difficult to use traditional routers to isolate services in LANs. There are two ways to
isolate services in LANs:

As shown in Figure 3-17, you can use VLANs to isolate services, partitioning a
user to an independent VLAN.
Figure 3-17 Isolate services with VLANs (diagram: Users 1 to 3 in VLAN1 to VLAN3 at Station 1, connected through a switch CE to a PE in the MPLS domain)

As shown in Figure 3-18, you can use CEs to isolate services, deploying an independent CE
router for each user.
Figure 3-18 Isolate services with CEs (diagram: Users 1 to 3 at Station 1, each behind its own CE, CE1 to CE3, connected to a PE in the MPLS domain)
Both solutions rely on traditional devices, are not cost-effective, and require
more network management and user/site deployment.
To solve the problem, Multi-VPN-Instance CE (MCE) can provide logically independent
route instances and addresses on CEs, allowing multiple users to share a CE. MCE
solves the problem of isolating services in LANs and ensures security, providing a new,
cost-effective, and easy-to-manage solution.
3.4.13 URPF Features
The main function of Unicast Reverse Path Forwarding (URPF) is to prevent network attacks
based on source IP address spoofing.
In such an attack, the attacker forges a series of packets carrying spoofed
source IP addresses. For applications that authenticate by IP address, such an attack
can allow unauthorized users to access the system as other legal users, even as the
administrator, and thus damage the attacked system even if response packets
cannot reach the attacker.
Figure 3-19 Source IP address attack (diagram: Switch A, Switch B and Switch C; addresses 1.1.1.8/8 and 2.2.2.1/8; packet labeled “Source IP address: 2.2.2.1/8”)
As shown in Figure 3-19, the attacker fakes a packet with the source IP address
2.2.2.1/8 on Switch A and sends a request to Switch B. When returning a response,
Switch B sends a packet to the router whose authentic IP address is “2.2.2.1/8”.
Such an illegal packet can attack both Switch B and Switch C.
The URPF technology is used in the above environment to prevent source IP
address-based spoofing attacks.
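The check that URPF applies on Switch B can be modeled as a reverse route lookup on the packet's source address. The following is an added example, not code from the original document or from H3C. It goes beyond the text by showing both the standard strict and loose modes, and it assumes that in Figure 3-19 the 1.0.0.0/8 network lies toward Switch A and 2.0.0.0/8 toward Switch C; the interface names and the allow_default parameter are hypothetical.

```python
import ipaddress


class Fib:
    """Minimal forwarding table: prefix -> set of outgoing interfaces."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, interface):
        # Equal-cost routes to one prefix keep every outgoing interface.
        self.routes.setdefault(ipaddress.ip_network(prefix), set()).add(interface)

    def lookup(self, address):
        """Longest-prefix match; returns (network, interfaces) or None."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, ifaces in self.routes.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, ifaces)
        return best


def urpf_permits(fib, source, in_interface, mode="strict", allow_default=False):
    """Decide whether a packet with this source address may enter on in_interface.

    strict: the best route back to the source must leave through in_interface.
    loose:  any route back to the source is enough.
    A match on the default route only counts when allow_default is True.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    match = fib.lookup(source)
    if match is None:
        return False                      # no route back to the claimed source
    net, ifaces = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matched
    if mode == "loose":
        return True
    return in_interface in ifaces


def switch_b_fib():
    """Forwarding table of Switch B as assumed from Figure 3-19."""
    fib = Fib()
    fib.add("1.0.0.0/8", "to-switch-a")   # hypothetical interface name
    fib.add("2.0.0.0/8", "to-switch-c")   # hypothetical interface name
    return fib


def classify(fib, packets, mode="strict"):
    """Return (source, interface, 'forward' or 'drop') for each packet."""
    return [(src, iface, "forward" if urpf_permits(fib, src, iface, mode) else "drop")
            for src, iface in packets]


# Constructed traffic arriving at Switch B: a genuine packet from Switch A's
# network, the spoofed packet from the figure, and genuine traffic from Switch C.
SAMPLE_PACKETS = [
    ("1.1.1.8", "to-switch-a"),
    ("2.2.2.1", "to-switch-a"),
    ("2.2.2.1", "to-switch-c"),
]

if __name__ == "__main__":
    for row in classify(switch_b_fib(), SAMPLE_PACKETS):
        print(row)
```

Loose mode accepts the spoofed packet from the figure because a route to 2.0.0.0/8 exists somewhere in the table; only strict mode ties the source address to the arrival interface.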
3.5 Multicast Features
3.5.1 IGMP Snooping
Internet group management protocol snooping (IGMP Snooping) operates on Layer 2
Ethernet switches. It provides a mechanism to manage and control multicast groups.
IGMP snooping runs on the link layer. It checks the information carried in the IGMP
packets exchanged between hosts and routers. On the detection of an IGMP host
report message, the switch adds the host to the corresponding multicast table. And on
the detection of an IGMP Leave message, the switch removes the corresponding
multicast entry from the multicast table. By continuously listening to IGMP packets, a
switch creates and maintains a Layer 2 MAC multicast address table, through which
the switch forwards the multicast packets transmitted by the routers.
When IGMP Snooping is not enabled, multicast packets are broadcast on Layer 2.
When IGMP Snooping is enabled, the packets are multicast instead of being
broadcast on Layer 2.
Figure 3-20 IGMP Snooping (two panels: multicast packet transmission without IGMP Snooping and multicast packet transmission when IGMP Snooping runs; each shows a source, a multicast router, a Layer 2 switch, receivers Host A and Host C, and Host B)
3.5.2 IGMP
Internet group management protocol (IGMP) is a protocol in TCP/IP protocol suite. It
manages the members of an IP multicast group by establishing and maintaining the
multicast membership between IP hosts and the directly connected multicast routers.
IGMP has two components, one of which is for hosts and the other for routers. A host
reports its group membership information to the shared network it resides in. All the
IGMP-enabled routers in the same network segment elect the querier. The querier
periodically advertises group member query messages in the shared network. The
hosts in the network respond to the messages by reporting their group membership
information. Then, the querier refreshes the group membership based on the responses
received.
IGMP is required for all the hosts participating in multicast. A host participating in IP
multicast can join/exit a multicast group anywhere at any time, regardless of the total
number of group members. A multicast router does not (and cannot) save the
membership information of all the hosts. It only uses IGMP to check the network
segment connected to each of its interfaces for any receiver of a multicast group, namely, a
multicast group member. A host only needs to keep the information about the multicast
groups to which it belongs.
Currently, IGMP is available in three versions: IGMPv1 (described in RFC 1112),
IGMPv2 (described in RFC 2236), and IGMPv3 (described in RFC 3376), all of which
support the ASM (any-source multicast) model. In addition, IGMPv3 provides support
for the SSM (source-specific multicast) model.
The S5500-EI series support IGMPv1/v2/v3.
I. IGMPv1 operating mechanism
Comware implements IGMPv1 and achieves multicast group management by adopting
the query and response mechanism. IGMP uses Designated Routers (DR) elected by
Layer 3 routing protocols as the querier. Query messages are sent by DRs. Figure 3-21
shows how IGMPv1 works:
Figure 3-21 IGMPv1 operating mechanism (diagram: Router A and Router B, one of them the DR, connect an IP network to an Ethernet segment with Host A (G2), Host B (G1) and Host C (G1); arrows mark Query and Report messages)
A host goes through the following phases to join a multicast group.
Assume that Host B and Host C are expected to receive multicast data addressed to
multicast group G1, while Host A is expected to receive multicast data addressed to G2,
as shown in Figure 3-21. The following describes how the hosts join the multicast
groups and the IGMP querier (Router B in the figure) maintains the multicast group
memberships:
1) The hosts send unsolicited IGMP reports to the addresses of the multicast groups
that they want to join, without having to wait for the IGMP queries from the IGMP
querier.
2) The IGMP querier periodically multicasts IGMP queries (with the destination
address of 224.0.0.1) to all hosts and routers on the local subnet.
3) Upon receiving a query message, Host B or Host C (the delay timer of whichever
expires first) sends an IGMP report to the multicast group address of G1, to
announce its membership for G1. Assume it is Host B that sends the report
message. Upon hearing the report from Host B, Host C, which is on the same
subnet with Host B, suppresses its own report for G1, because the IGMP routers
(Router A and Router B) already know that at least one host on the local subnet is
interested in G1. This mechanism, known as IGMP report suppression, helps
reduce traffic on the local subnet.
4) At the same time, because Host A is interested in G2, it sends a report to the
multicast group address of G2.
5) Through the above-mentioned query/report process, the IGMP routers learn that
members of G1 and G2 are attached to the local subnet, and the multicast routing
protocol (PIM for example) running on the routers generates (*, G1) and (*, G2)
multicast forwarding entries, which will be the basis for subsequent multicast
forwarding, where * represents any multicast source.
6) When the multicast data addressed to G1 or G2 reaches an IGMP router, because
the (*, G1) and (*, G2) multicast forwarding entries exist on the IGMP router, the
router forwards the multicast data to the local subnet, and then the receivers on
the subnet receive the data.
No leave-group message is defined in IGMPv1; therefore, a host is
considered to have left a multicast group if it does not respond to query messages for
a specific period of time. When all the multicast group members exit the multicast group,
the branch corresponding to the network segment is pruned from the multicast tree.
II. Newly added functions in IGMPv2
IGMPv2 adds the following to IGMPv1.

Querier election mechanism
In a shared network segment with multiple routers operating in it, all routers running
IGMP in this network segment can receive the membership report from the hosts. As
only one router is needed to send membership query messages, the one acting as the
querier needs to be determined among these routers. In IGMPv1, the querier is
determined by multicast routing protocols. While in IGMPv2, the multicast router with
the smallest IP address acts as the querier.

Leave-group mechanism
In IGMPv1, a host leaves a multicast group without informing any multicast router. A
multicast router determines whether or not a host has left a multicast group by checking
timed out query messages. In IGMPv2, however, a host multicasts (224.0.0.2) a
leave-group message to all the multicast routers in the network before leaving the
multicast group. A multicast router sends group-specific query messages to the
network to determine if a multicast group is empty.

Group-specific query message
In IGMPv1, general queries are performed, that is, query messages generated by a
multicast router are sent to all the multicast groups in the network segment. In IGMPv2,
group-specific queries are performed in addition to general queries. In a group-specific
query message, both the destination IP address field and the group address field hold
the IP address of the same multicast group. And only the members of the multicast
group respond to the query message. This prevents hosts of other multicast groups from
sending the response packets.

The maximum response time field
The maximum response time field is added in IGMPv2. This field enables a host to
dynamically adjust the interval at which it responds to multicast group query messages.
III. Enhancements made in IGMPv3
1) Enhancement in host control
In addition to being compatible with IGMPv1 and IGMPv2, IGMPv3 enhances host
control. You can not only designate the multicast group that a host is to join, but also
specify the multicast source whose information is to be received. (The latter is known
as the source-specified multicast function.) By setting the Filter-Mode field in the IGMP
report messages to the Include mode and specifying in the IGMP report messages the
multicast source addresses, a host can obtain information from specific multicast
sources. The multicast sources here are marked as Include Sources (S1, S2,…) in the
IGMP report messages. To reject information sent from specific sources, the host can
request to receive multicast packets from the multicast sources other than those
specified, which are identified as Exclude Sources (S1, S2,…) in IGMP report
messages.
For example, assume that S1 and S2 are two multicast sources in the same multicast
group G. The host User B wants the information sent from S1 only. Figure 3-22 shows
the network diagram.
Figure 3-22 Path of the multicast flow with multicast source/multicast group specified (diagram: Source 1 and Source 2 sending packets (S1,G) and (S2,G) toward Host A, Host B and Host C; Host B is the receiver)
If IGMPv1 or IGMPv2 is employed between the hosts and the routers, the host User B
can only join the multicast group G but cannot select the multicast sources. Therefore,
the information for the multicast sources S1 and S2 are forwarded to User B no matter
whether or not User B wants the information. With IGMPv3 employed, the host User B
can request to join the multicast group G corresponding to the specified multicast
source S1 or exit the multicast group G corresponding to the specified multicast source
S2. Therefore, only the information from the multicast source S1 is forwarded to User
B.
2) Enhancement in query and response messages

Query messages carrying source address
Besides general query (available in IGMPv1) and group-specific query (available in
IGMPv2), IGMPv3 supports source-/group-specific query. An IGMPv3 message carries
the multicast source address and a number of control fields, such as the querier robust
index and query interval. A general query message carries no group address or source
address. A group-specific query message carries a group address but no source
address. A source-/group-specific query message carries one or more source
addresses besides a group address.

Response message carrying multiple multicast group entries
The response messages and query messages in IGMPv1 and IGMPv2 have the same
packet structure. That is, an IGMPv1/IGMPv2 response packet or query packet contains
only multicast group address information besides the payload. An IGMPv3 response
message contains the group address 224.0.0.22, carrying one or more group entries,
each of which contains a multicast group address and one or more multicast source
addresses. The multicast group entries in an IGMPv3 response message fall into the
following types.

Current state. Entries of this type indicate the current receiving state of the
interface. The state can be Include or Exclude. In the Include state, the specified
multicast source addresses are included. In the Exclude state, the multicast
source addresses other than the specified source addresses are included.

Filter mode change. Entries of this type indicate the switching between the Include
state and the Exclude state.

Source address list change. Entries of this type indicate that new multicast
sources are added or certain multicast sources are removed.
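The group entries described above can be decoded and sorted into those three types when inspecting captured IGMPv3 reports. The following is an added example, not code from the original document or from H3C; the record type numbers come from RFC 3376, and the group and source addresses are constructed sample values.

```python
import ipaddress
import struct

IGMPV3_REPORT = 0x22
# Group record types from RFC 3376, mapped to the three categories named above.
RECORD_TYPES = {
    1: ("MODE_IS_INCLUDE", "current state"),
    2: ("MODE_IS_EXCLUDE", "current state"),
    3: ("CHANGE_TO_INCLUDE_MODE", "filter mode change"),
    4: ("CHANGE_TO_EXCLUDE_MODE", "filter mode change"),
    5: ("ALLOW_NEW_SOURCES", "source address list change"),
    6: ("BLOCK_OLD_SOURCES", "source address list change"),
}


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_record(rtype: int, group: str, sources=()) -> bytes:
    """Encode one group record (no auxiliary data)."""
    head = struct.pack("!BBH4s", rtype, 0, len(sources),
                       ipaddress.IPv4Address(group).packed)
    return head + b"".join(ipaddress.IPv4Address(s).packed for s in sources)


def build_report(records) -> bytes:
    """Encode a report: type, reserved, checksum, reserved, record count, records."""
    body = b"".join(records)
    draft = struct.pack("!BBHHH", IGMPV3_REPORT, 0, 0, 0, len(records)) + body
    return draft[:2] + struct.pack("!H", inet_checksum(draft)) + draft[4:]


def parse_report(msg: bytes) -> list:
    """Decode a report into group records, rejecting malformed input."""
    if len(msg) < 8:
        raise ValueError("truncated report header")
    mtype, _, _, _, count = struct.unpack("!BBHHH", msg[:8])
    if mtype != IGMPV3_REPORT:
        raise ValueError(f"not an IGMPv3 report (type 0x{mtype:02x})")
    if inet_checksum(msg) != 0:
        raise ValueError("bad checksum")
    records, offset = [], 8
    for _ in range(count):
        if offset + 8 > len(msg):
            raise ValueError("truncated group record")
        rtype, aux_words, nsrc, group = struct.unpack("!BBH4s", msg[offset:offset + 8])
        src_start = offset + 8
        end = src_start + 4 * nsrc + 4 * aux_words
        if end > len(msg):
            raise ValueError("group record overruns the message")
        name, category = RECORD_TYPES.get(rtype, (f"UNKNOWN_{rtype}", "unknown"))
        records.append({
            "type": name,
            "category": category,
            "group": str(ipaddress.IPv4Address(group)),
            "sources": [str(ipaddress.IPv4Address(msg[p:p + 4]))
                        for p in range(src_start, src_start + 4 * nsrc, 4)],
        })
        offset = end
    return records


# Constructed sample: a host asks for group G from S1 only and drops S2, and
# keeps an any-source membership (Exclude with an empty list) in a second group.
G, S1, S2 = "239.1.1.1", "192.0.2.1", "192.0.2.2"
SAMPLE_REPORT = build_report([
    build_record(5, G, [S1]),
    build_record(6, G, [S2]),
    build_record(2, "239.1.1.2"),
])

if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        print(rec)
```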
3.5.3 PIM-DM
Protocol independent multicast, dense mode (PIM-DM) is a multicast routing protocol
suitable for small-sized networks where multicast group members are relatively dense.
PIM-DM assumes that each subnet in the network contains at least one receiver that is
interested in the multicast source. Therefore, multicast packets are flooded to all the
nodes in the network. This consumes system resources (such as bandwidth
and router CPUs).
To decrease resource consumption, PIM-DM prunes the branches where no
multicast packets are forwarded. The system periodically restores the pruned branches
to the forwarding state in case multicast packets need to be forwarded on
them. To reduce the delay involved in this recovery, PIM-DM implements
automatic recovery of packet forwarding by using the graft mechanism. Such periodic
flooding and pruning are characteristic of PIM-DM and suitable for small-sized
LANs only. The "flood-prune" technology adopted in PIM-DM does not work on a wide
area network (WAN).
Generally, the forwarding path of packets in dense mode is a "source tree" with the
multicast source as its root and the multicast group members as its leaves. Since the
source tree follows the shortest paths from the multicast source to the receivers, it is
also called the shortest path tree (SPT).
3.5.4 PIM-SM
Protocol Independent Multicast, Sparse Mode (PIM-SM) is a multicast routing protocol
mainly used in large-scale networks where group members are scattered sparsely.
PIM-SM assumes that no host needs to receive multicast packets unless there is an
explicit request.
PIM-SM uses rendezvous points (RPs) to forward multicast information to all PIM-SM
routers connected to the receiver so that the receiver can receive the multicast data
flow from a specific multicast group. Multicast forwarding through an RP reduces the
bandwidth consumed by data packets and control packets and lowers router
processing overhead.
At the receiving end, the router connected to the receiver that is to receive the
information sends a Join message to the RP corresponding to the multicast group. The
Join message reaches the root (RP) after passing through routers. The path that the
message follows becomes a branch of the rendezvous point tree (RPT). For the
transmitting end to send data to a specific multicast group, the first hop router requests
registration with the RP, which triggers the generation of the source tree upon receiving
the registration message. Then, the multicast source sends the data to the RP. When
the data reaches the RP, the multicast packet is replicated and sent to receivers along
the branches of the RPT. Replication occurs only where the RPT branches. This process
automatically repeats until the packets reach the receivers.
PIM-SM uses an existing unicast routing table, instead of a unicast routing protocol, to
perform the RPF check.
3.5.5 MSDP
No ISP would like to forward multicast traffic through the RP of any competitor.
However, an ISP has to obtain information from the source and distribute it among its
members wherever the source RP is. Multicast Source Discovery Protocol (MSDP) is
used to discover multicast source information in other PIM-SM domains. MSDP is
significant to the Any-Source Multicast (ASM) model only.
MSDP describes the mechanism for interconnecting multiple PIM-SM domains and
allows RPs from different domains to share the multicast source information as long as
PIM-SM is the adopted intra-domain multicast routing protocol.
I. MSDP peer
If an active multicast source S exists in a PIM-SM domain, the RP in the domain can
learn of the existence of the multicast source S through multicast source registration.
For a PIM-SM domain administered by another ISP to retrieve information from the
multicast group, the routers in the two PIM-SM domains must become MSDP peers, as
shown in Figure 3-23.
Figure 3-23 MSDP peers
[diagram labels: Source, Receiver, DR 1, DR 2, RP 1, RP 2, RP 3, PIM-SM 1, PIM-SM 2, PIM-SM 3, PIM-SM 4; legend: MSDP peers, Multicast packets, SA message, Join message, Register message]
An active multicast source S is on the PIM-SM1 network, where RP1 learns of the
location of the multicast source S through multicast source registration and periodically
sends Source Active (SA) messages to the MSDP peers (RPs) in other PIM-SM
domains. An SA message contains the IP address of the multicast source S, the multicast
group address G, and the address of the RP that generated the message. In addition, it
contains the multicast data received by the RP in PIM-SM 1. The SA message is
forwarded and ultimately reaches all MSDP peers. Thus, the information of the
multicast source S in a PIM-SM domain is forwarded to all PIM-SM domains.
II. Typical MSDP implementation
MSDP can also be used to implement Anycast RP. Anycast RP forms an MSDP peer
relationship in a PIM-SM domain between two RPs that have the same address,
thereby implementing traffic sharing and redundant backup among RPs within the
domain. Within a PIM-SM domain, configure an interface (usually a Loopback interface)
on each router with the same IP address and enable C-RP on these interfaces, so that
an MSDP peer relationship is formed among them, as shown in Figure 3-24.
Figure 3-24 An anycast RP implementation
[diagram labels: RP 1, RP 2, Router A, Router B, Source, Receiver, PIM-SM; legend: MSDP peers, SA message]
3.5.6 MBGP
BGP-4 is capable of carrying routing information for IPv4 only. IETF defined
multiprotocol BGP extensions to carry routing information for multiple network layer
protocols.
For a network, the multicast topology may be different from the unicast topology. To
meet the requirement, the multiprotocol BGP extensions enable BGP to carry the
unicast Network Layer Reachability Information (NLRI) and multicast NLRI separately,
and the multicast NLRI is used to perform reverse path forwarding (RPF) exclusively. In
this way, route selection for a destination through the unicast routing table and through
the multicast routing table will have different results, ensuring normal unicast and
multicast routing.
Multi-protocol BGP is defined in RFC 2858 (Multiprotocol Extensions for BGP-4).
Multi-protocol BGP for IP multicast is referred to as Multicast BGP (MBGP) for short.
3.5.7 Multicast VLAN
As shown in Figure 3-25, in the traditional multicast programs-on-demand mode, when
hosts, Host A, Host B and Host C, belonging to different VLANs require multicast
programs on demand service, the Layer 3 device, Router A, needs to forward a
separate copy of the multicast traffic in each user VLAN to the Layer 2 device, Switch A.
This not only wastes network bandwidth but also places an extra burden on the Layer
3 device.
Figure 3-25 Multicast transmission without multicast VLAN
[diagram labels: Source, Router A (IGMP querier), Switch A, Receiver Host A, Receiver Host B, Receiver Host C, VLAN 2, VLAN 3, VLAN 4; legend: Multicast packets]
The multicast VLAN feature configured on the Layer 2 device is the solution to this
issue. With the multicast VLAN feature, the Layer 3 device needs to replicate the
multicast traffic only in the multicast VLAN instead of making a separate copy of the
multicast traffic in each user VLAN. This saves the network bandwidth and lessens the
burden of the Layer 3 device.
The multicast VLAN feature can be implemented in two approaches, as described
below:
I. Port-based multicast VLAN
Port-based multicast VLAN is also known as the traditional multicast VLAN. By
assigning hybrid ports to a multicast VLAN in untagged mode, you can forward
multicast data to all multicast recipients attached to the hybrid ports in the multicast
VLAN. This is possible because a hybrid port can forward traffic of multiple VLANs
untagged.
As shown in Figure 3-26, Host A, Host B and Host C are in three different user VLANs.
All the user ports (ports with attached hosts) on Switch A are hybrid ports. On Switch A,
configure VLAN 10 as a multicast VLAN, assign all the user ports to this multicast
VLAN, and enable IGMP Snooping in the multicast VLAN and all the user VLANs.
Figure 3-26 Port-based multicast VLAN
[diagram labels: Source, Router A (IGMP querier), Switch A, Eth1/1, Eth1/2, Eth1/3, Eth1/4, VLAN 10 (Multicast VLAN), Receiver Host A, Receiver Host B, Receiver Host C, VLAN 2, VLAN 3, VLAN 4; legend: Multicast packets]
After the configuration, upon receiving an IGMP message on a user port, Switch A tags
the message with the multicast VLAN ID and relays it to the IGMP querier, so that IGMP
Snooping can uniformly manage the router ports and member ports in the multicast
VLAN. When forwarding multicast data to Switch A, Router A needs to send only one
copy of multicast traffic to Switch A in the multicast VLAN, and Switch A distributes the
traffic to all the member ports in the multicast VLAN.
II. Sub-VLAN-based multicast VLAN
Sub-VLAN-based multicast VLAN is also known as multicast VLAN+, which is easier to
configure. After you configure a list of user VLANs as the sub-VLANs of a multicast
VLAN, the device forwards data received from the multicast VLAN to all the recipients
in each sub-VLAN.
As shown in Figure 3-27, Host A, Host B and Host C are in three different user VLANs.
On Switch A, configure VLAN 10 as a multicast VLAN, configure all the user VLANs as
sub-VLANs of this multicast VLAN, and enable IGMP Snooping in the multicast VLAN.
Figure 3-27 Sub-VLAN-based multicast VLAN
[diagram labels: Source, Router A (IGMP querier), Switch A, VLAN 10 (Multicast VLAN), Receiver Host A, Receiver Host B, Receiver Host C, VLAN 2, VLAN 3, VLAN 4; legend: Multicast packets]
After the configuration, IGMP Snooping manages router ports in the multicast VLAN
and member ports in the sub-VLANs. When forwarding multicast data to Switch A,
Router A needs to send only one copy of multicast traffic to Switch A in the multicast
VLAN, and Switch A distributes the traffic to the multicast VLAN’s sub-VLANs that
contain receivers.
3.6 STP/RSTP/MSTP
3.6.1 STP/RSTP
Spanning tree protocol (STP)/rapid spanning tree protocol (RSTP) prunes a looped Layer 2
switching network into a loop-free tree (all data on the Layer 2 switching network must travel
along the spanning tree), thereby avoiding network broadcast storms caused by
network loops and providing redundant links for data forwarding.
Basically, STP/RSTP is used to generate a "tree" whose root is a switch called the root
bridge. The root bridge is selected based on switch settings (such as
switch priority and MAC address), but there should be only one root bridge at any time.
From the root bridge, a tree stretches through the switches. A non-root switch forwards
data to the root through its root port and to the connected network segment through its
designated port. A root periodically transmits configuration BPDUs, while a non-root
switch receives and forwards them. If a switch receives configuration BPDUs from two
or more ports, it assumes that there is a loop in the network. To eliminate the loop, the
switch selects one of the ports as the root port and blocks others. When a port receives
no configuration BPDUs for a long time, the switch considers that the configuration of
this port has timed out and the network topology may have changed. Then, it
recalculates the network topology and generates a new tree.
RSTP is an STP enhancement that significantly shortens the time for the network
topology to stabilize.
3.6.2 MSTP
Multiple spanning tree protocol (MSTP) is compatible with STP and RSTP.
STP cannot transition quickly. Even on a point-to-point link or an edge port, it has to wait for an
interval twice as long as the forward delay before the network converges.
RSTP can converge fast. However, like STP, RSTP has this drawback: all the network
bridges in a VLAN share a spanning tree, and the redundant links cannot be blocked on a
per-VLAN basis, with all the packets in the VLAN forwarded along a spanning tree.
MSTP makes up for the drawback of STP and RSTP. It makes the network converge
fast and enables the traffic of different VLANs to be distributed along their respective
paths, which provides a better load sharing mechanism for the redundant links.
MSTP associates VLANs with spanning trees by using a VLAN mapping table; that is, a
table showing the correspondence between VLANs and spanning trees.
Meanwhile, MSTP divides a switched network into several domains. In each domain,
multiple independent spanning trees are generated. MSTP prunes a looped network into a loop-free
network so as to avoid endless packet proliferation and looping. It also provides multiple
redundant paths for load balancing of VLAN data in the process of data forwarding.
3.6.3 STP Protection
I. BPDU guard
For access layer devices, the access ports are usually connected directly with the user
terminals (such as PCs) or file servers. In this case, the access ports are configured as
edge ports to allow fast migration of these ports. When these ports receive
configuration messages (BPDUs), the system will automatically set these ports as
non-edge ports and recalculate the spanning tree. This will cause flapping of the
network topology. Under normal conditions, these ports should not receive STP BPDUs.
If someone forges BPDUs maliciously to attack the switch, network flapping will occur.
The BPDU guard function protects the system against such attacks.
II. Root guard
The root bridge and backup switches in a spanning tree must reside in the same
domain. This is especially true for the root bridge and backup switches of a common
and internal spanning tree (CIST). This is because the root bridge and backup switches
of a CIST are normally placed in a high-bandwidth core domain. However, due to
misconfiguration or a malicious network attack, a legitimate root bridge in the network may
receive a BPDU that has a higher priority. This turns the current root bridge into a
non-root switch, causing a wrong change in the network topology. Such an illegitimate change
leads the traffic that would otherwise pass through a high-speed link to follow a
lower-speed link, causing network congestion. The root guard function prevents this
from occurring.
III. Loop guard
A switch can keep track of the states of the root port and blocked ports by continuously
receiving the BPDUs sent by upstream switches. However, these ports may be unable
to receive the BPDUs sent by upstream switches due to link congestion or
unidirectional links. In this case, the switch reelects a root port, the original root port
turns into a designated port, and blocked ports go into the forwarding state. This
causes loops in the switched network. The loop guard function prevents such loops.
With the loop guard function enabled, the role of the root port remains unchanged and
blocked ports remain in the Discarding state without forwarding any packet. This
prevents loops in the network.
IV. TC-BPDU attack prevention
Upon receiving a TC-BPDU, the switch deletes MAC address entries and ARP entries.
If someone forges TC-BPDUs to attack the switch maliciously, the switch will receive
excessive TC-BPDUs in a short time. Frequent entry deletion places a heavy burden
on the switch and compromises network stability.
After TC-BPDU attack prevention is enabled, the switch performs the deletion triggered by
TC-BPDUs only once within a specific timer period (usually 10 seconds) and monitors whether
any TC-BPDU is received during that period. If any TC-BPDUs are received within the
period, the switch performs the deletion once more after the timer times out. This saves the
switch from deleting MAC address entries and ARP entries frequently.
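The conditions that BPDU guard and root guard watch for, and the effect of the TC-BPDU timer on the number of table flushes, can be modelled in a few lines. This is an added example and a simplified model, not the switch's implementation or code from the original document; the port names, bridge IDs and timestamps are constructed, and it assumes that a deferred flush at timer expiry starts a new timer period.

```python
from collections import namedtuple

# One received configuration BPDU: arrival time (s), receiving port,
# and the root bridge (priority, MAC) that the sender advertises.
Bpdu = namedtuple("Bpdu", "t port root_priority root_mac")


def bridge_id(priority: int, mac: str) -> tuple:
    """Comparable bridge ID: lower priority value wins, MAC breaks ties."""
    return (priority, int(mac.replace(":", ""), 16))


def inspect(bpdus, edge_ports, root_guard_ports, current_root):
    """Flag the two conditions BPDU guard and root guard exist to catch."""
    alerts = []
    for b in bpdus:
        if b.port in edge_ports:
            # Edge ports face end hosts and should never see a BPDU.
            alerts.append((b.t, b.port, "bpdu-guard"))
        elif (b.port in root_guard_ports
              and bridge_id(b.root_priority, b.root_mac) < bridge_id(*current_root)):
            # A better root is advertised from a port where none should be.
            alerts.append((b.t, b.port, "root-guard"))
    return alerts


def flush_times(tc_times, window=10.0, protected=True):
    """Times at which MAC/ARP entries are flushed for a series of TC-BPDUs."""
    tc_times = sorted(tc_times)
    if not protected:
        return tc_times                       # one flush per TC-BPDU
    flushes, window_end, pending = [], None, False
    for t in tc_times:
        # Close every timer period that expired before this TC-BPDU arrived.
        while window_end is not None and t >= window_end:
            if pending:                       # TCs were seen during the period:
                flushes.append(window_end)    # flush once at expiry and
                window_end += window          # (assumption) start a new period
                pending = False
            else:
                window_end = None
        if window_end is None:
            flushes.append(t)                 # first TC: flush now, start timer
            window_end = t + window
        else:
            pending = True                    # inside the period: only remember
    if pending:
        flushes.append(window_end)
    return flushes


# Constructed observations on one switch (hypothetical port names).
ROOT = (4096, "02:00:00:00:00:01")
EDGE_PORTS = {"access-10"}
ROOT_GUARD_PORTS = {"downlink-2"}
SAMPLE_BPDUS = [
    Bpdu(1.0, "uplink-1", 4096, "02:00:00:00:00:01"),      # the real root
    Bpdu(2.0, "access-10", 32768, "02:00:00:00:00:aa"),    # BPDU on a host port
    Bpdu(3.0, "downlink-2", 0, "02:00:00:00:00:bb"),       # superior BPDU
    Bpdu(4.0, "downlink-2", 32768, "02:00:00:00:00:cc"),   # inferior, harmless
]
# A burst of 100 TC-BPDUs inside ten seconds, then a single one later.
SAMPLE_TC_TIMES = [0.1 * i for i in range(100)] + [25.0]

if __name__ == "__main__":
    print(inspect(SAMPLE_BPDUS, EDGE_PORTS, ROOT_GUARD_PORTS, ROOT))
    print(len(flush_times(SAMPLE_TC_TIMES, protected=False)), "flushes unprotected")
    print(flush_times(SAMPLE_TC_TIMES), "flush times with the timer")
```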
3.7 IPv6 Features
Internet protocol version 6 (IPv6) is a second-generation standard network layer
protocol. Also known as IP Next Generation (IPng), it is a standard developed by
Internet Engineering Task Force (IETF) as an upgrade from IPv4. The main difference
between IPv4 and IPv6 lies in that the addresses used in the latter are 128 bits in length,
whereas those used in the former are only 32 bits in length.
Following are the features of IPv6.
I. Simplified packet header
The size of the header of an IPv6 basic packet is reduced, because some fields in the IPv4
packet header are removed or moved to extension headers. This simplifies the
processing that network devices perform when forwarding packets and
improves the forwarding efficiency. Despite the 128-bit IPv6 address, the size of an
IPv6 basic packet header is only twice that of the IPv4 packet header (the Options field not
counted in).
Figure 3-28 IPv4 packet header vs. IPv6 packet header
[diagram fields, IPv4 header: Ver, IHL, ToS, Total length, Identification, F, Fragment offset, TTL, Protocol, Header checksum, Source address (32 bits), Destination address (32 bits), Options, Padding; basic IPv6 header: Ver, Traffic class, Flow label, Payload length, Next header, Hop limit, Source address (128 bits), Destination address (128 bits)]
II. Sufficient address space
In IPv6, the source and destination addresses of a packet are both 128 bits (16 bytes)
in length. Such an address scheme can provide more than 3.4 × 10^38 addresses, which
are enough to fully accommodate multi-level address allocation, public address
allocation, and address allocation in private networks.
III. Hierarchical address structure
The IPv6 address space is hierarchically organized. Such a structure improves routing
performance and makes route aggregation possible. Route aggregation helps
reduce the system resources occupied by IPv6 routing tables.
IV. Automatic address allocation
IPv6 supports stateful address allocation and stateless address allocation, both of
which simplify host configuration. The stateful address allocation enables hosts to
obtain IPv6 addresses and the related information from servers (for example, DHCP
servers). The stateless address allocation enables a host to configure the IPv6 address
and related information automatically according to its own link layer address and the
prefix information advertised by the router. A host can also generate its link-local
address according to its own link layer address and the default prefix (FE80::/64) to
communicate with other hosts on the same link.
V. Built-in security
In IPv6, IPsec is implemented through the standard extension header to provide
end-to-end security. This feature also provides a standard for addressing network
security issues and improves the interoperability among different IPv6 applications.
VI. QoS support
The Flow Label field in IPv6 packet header labels flows. Network devices can perform
traffic classification and provide differentiated services according to the Flow Label
field.
VII. Enhanced neighbor discovery mechanism
The neighbor discovery protocol for IPv6 is implemented by a group of ICMPv6
(internet control message protocol for IPv6) messages. The interactions among
neighboring nodes on the same link are under the administration of IPv6 neighbor
discovery protocol. It replaces ARP (address resolution protocol), ICMPv4 router
discovery and ICMPv4 redirect messages, and provides a series of other functions.
VIII. Flexible extension packet header
In the header of an IPv6 packet, multiple extension packet headers replace the Options
field. This not only improves the processing efficiency but also enhances the flexibility of
IPv6 and provides good extensibility for the IP protocol. The Options field in an IPv4
packet header can only be 40 bytes in size, while the sizes of IPv6 extension headers
are only limited by the size of the IPv6 packet.
3.7.2 NDP
The neighbor discovery protocol (NDP) for IPv6 is implemented by a group of ICMPv6
messages. The interactions among neighboring nodes on the same link are under the
administration of IPv6 NDP. It replaces ARP, ICMPv4 router discovery and ICMPv4
redirect messages and provides a series of other functions.
In IPv6 NDP, the following five types of ICMPv6 messages are used.
• NS (Neighbor Solicitation) message, which is used to request the link layer
address of a neighbor, check the reachability of a neighbor, and detect
duplicate addresses.
• NA (Neighbor Advertisement) message. A device answers with an NA message
when it receives an NS message. The device can also send NA messages actively
to notify its neighbors of link layer changes.
• RS (Router Solicitation) message. A host sends RS messages to the router to
request the prefix and other configuration information after it starts.
• RA (Router Advertisement) message. A router answers with RA messages when it
receives RS messages. It also advertises RA messages periodically, which
contain prefix and flag bit information.
• Redirect message. When a router finds that the receiving interface and sending
interface of a packet are the same, it sends redirect messages to trigger the
corresponding host to use another next hop address.
Table 3-1 summarizes the NDP functions.
Table 3-1 NDP functions
| Function | Description |
|---|---|
| Router discovery/prefix discovery/parameter discovery | Discovers the local routers on the same link (this process is the same as that of ICMPv4 router discovery) and obtains address prefixes and other configuration parameters for address auto-configuration. This is achieved through RS and RA messages. |
| Address auto-configuration | Automatically configures IPv6 addresses and other information of interfaces according to the address prefixes and other configuration parameters carried in the RA messages. |
| Address resolution | Maps the IPv6 address of a neighboring node to the corresponding link layer address (this process is the same as that of IPv4 ARP). This is achieved through NS and NA messages. A node multicasts an NS message, with the destination address being the IPv6 address of the requested node and the local link layer address carried in it. When other nodes on the same link receive the message, each of them checks whether or not the destination address is the local address. If yes, the node answers with an NA message that contains its own link layer address. A node obtains the link layer addresses of neighboring nodes through the procedure above. |
| Neighbor unreachable detection (NUD) | This function is used to check whether or not a node is reachable. If a node receives an acknowledgment message from the neighbor after sending a NUD message, it considers the neighbor to be reachable. Otherwise, it considers the neighbor to be unreachable. |
| Duplicate address detection (DAD) | When a node obtains an IPv6 address, it checks whether or not the address conflicts with that of another node through the duplicate address detection function. (This process is similar to the gratuitous ARP function in IPv4.) The node sends an NS message. If the node receives an NA message from another node, it indicates that the address is already in use. Otherwise, it indicates the IPv6 address is not in use. |
| Redirect | A router informs a host of the optimal next-hop IPv6 address to reach a particular destination through this function. (This is similar to the ICMP redirect function in IPv4.) |
3.7.3 Introduction to IPv6 DNS
In an IPv6 network, translation between domain names and IPv6 addresses is also
required. This translation can be achieved through IPv6 Domain Name System (DNS).
The only difference between IPv6 DNS and IPv4 DNS is that IPv6 DNS translates
domain names into IPv6 addresses, instead of IPv4 addresses.
Similar to IPv4 DNS, IPv6 DNS also implements static and dynamic domain name
resolution. In addition, the purpose and implementation method of the static and
dynamic domain name resolution through IPv6 DNS are the same as those of IPv4
DNS. For details, see the related sections in the IPv4 network protocol part.
Normally, a DNS server connecting an IPv4 network to an IPv6 network stores A entries
(IPv4 addresses) and AAAA entries (IPv6 addresses). Therefore, the DNS server can
resolve domain names into IPv4 addresses and IPv6 addresses. In this case, the DNS
server can implement both IPv6 DNS and IPv4 DNS. To resolve domain names into
IPv4/IPv6 addresses on a DNS server, configuration is required.
3.7.4 Ping IPv6 and Tracert IPv6
You can perform the ping IPv6 operation in an IPv6 network to test the connection
between two devices. It can be your first choice to check whether a host is reachable.
The operation sends ICMPv6 packets to the destination host and records the round trip
time.
The traceroute IPv6 operation can record the gateways along the path from a host to a
specific node. This operation enables you to locate problems in an IPv6 network by
testing the reachability of network connections.
3.7.5 IPv6 Telnet
Telnet is an application layer protocol of the TCP/IP protocol suite. It implements
remote logon and virtual terminal. A host running the IPv6 Telnet client program
establishes an IPv6 Telnet connection with Device A. In this case, Device A serves as
the Telnet server. If Device A is connected to Device B through Telnet, the former
functions as a Telnet client and Device B functions as a Telnet server. Both Telnet
server and Telnet client support IPv6 connections.
3.7.6 IPv6 TFTP
IPv6 supports trivial file transfer protocol (TFTP) applications. You can
upload/download files in an IPv6 network using TFTP.
Currently, an S5500-EI Ethernet switch can only operate as an IPv6 TFTP client.
3.8 IPv6 Multicast Features
3.8.1 MLD Snooping
Multicast Listener Discovery Snooping (MLD Snooping) is an IPv6 multicast
constraining mechanism that runs on Layer 2 Ethernet switches to manage and control
IPv6 multicast groups.
MLD Snooping is analogous to IGMP Snooping in IPv4: a switch can establish and
maintain the corresponding MLD Snooping multicast group table at data link layer by
monitoring MLD messages, and forward the IPv6 multicasts delivered by a multicast
router based on the MAC multicast group information in the table.
3.8.2 MLD
Corresponding to IPv4 IGMP, the Multicast Listener Discovery protocol (MLD)
runs between hosts and multicast routers to discover the presence of multicast
listeners. Multicast routers periodically send MLD messages to discover the presence
of multicast listeners on the directly connected subnets. A host sends MLD report
messages to join a multicast group.
So far, the S5500-EI series switches support two MLD versions:
• MLDv1
• MLDv2
3.9 IPv6 over IPv4 Tunnel Features
The IPv6 over IPv4 tunneling mechanism encapsulates IPv6 data packets with an IPv4
header so that IPv6 packets can pass an IPv4 network through a tunnel to realize
interworking between isolated IPv6 networks, as shown in Figure 3-29. The devices at
both ends of an IPv6 over IPv4 tunnel must support IPv4/IPv6 dual stack.
Figure 3-29 IPv6 over IPv4 tunnel
[diagram labels: IPv6 host, IPv6 network, Dual stack router, IPv4 network, IPv6 over IPv4 tunnel, Dual stack router, IPv6 network, IPv6 host; packet layouts: IPv6 header + IPv6 data in the IPv6 networks, IPv4 header + IPv6 header + IPv6 data in the tunnel]
The IPv6 over IPv4 tunnel processes packets in the following way:
1) A host in the IPv6 network sends an IPv6 packet to the device at the source end of
the tunnel.
2) After determining according to the routing table that the packet needs to be
forwarded through the tunnel, the device at the source end of the tunnel
encapsulates the IPv6 packet with an IPv4 header and forwards it through the
physical interface of the tunnel.
3) The encapsulated packet goes through the tunnel to reach the device at the
destination end of the tunnel. The device at the destination end decapsulates the
packet if the destination address of the encapsulated packet is the device itself.
4) The destination device forwards the packet according to the destination address in
the decapsulated IPv6 packet. If the destination address is the device itself, the
device forwards the IPv6 packet to the upper-layer protocol for processing.
An IPv6 over IPv4 tunnel can be established between hosts, between hosts and
devices, and between devices. The tunnel destination needs to forward packets if the
tunnel destination is not the final destination of the IPv6 packet.
Tunnels are divided into configured tunnels and automatic tunnels depending on how
the IPv4 address of the tunnel destination is acquired.
• If the destination address of an IPv6 over IPv4 tunnel cannot be acquired from the
destination address of IPv6 packets, it needs to be configured manually. Such a
tunnel is called a configured tunnel.
• If the interface address of an IPv6 over IPv4 tunnel has an IPv4 address
embedded into an IPv6 address, the IPv4 address of the tunnel destination can be
acquired automatically. Such a tunnel is called an automatic tunnel.
According to the way an IPv6 packet is encapsulated, IPv6 over IPv4 tunnels are
divided into the following types:
• IPv6 manual tunnel
• 6to4 tunnel
• ISATAP tunnel
Among the above tunnels, the IPv6 manual tunnel is a configured tunnel, while the 6to4
tunnel and the intra-site automatic tunnel address protocol (ISATAP) tunnel are automatic
tunnels.
3.9.1 IPv6 manually configured tunnel
A manually configured tunnel is a point-to-point link. One link is a separate tunnel.
IPv6 manually configured tunnels provide stable connections for regular secure
communication between two border routers or between a border router and a host for
access to remote IPv6 networks.
3.9.2 6to4 tunnel
An automatic 6to4 tunnel is a point-to-multipoint tunnel and is used to connect multiple
isolated IPv6 networks over an IPv4 network to remote IPv6 networks. The embedded
IPv4 address in an IPv6 address is used to automatically acquire the destination of the
tunnel. The automatic 6to4 tunnel adopts 6to4 addresses. The address format is
2002:abcd:efgh:subnet number::interface ID/64, where abcd:efgh represents the 32-bit
source IPv4 address of the 6to4 tunnel, in hexadecimal notation. For example, 1.1.1.1
can be represented by 0101:0101. The tunnel destination is automatically determined
by the embedded IPv4 address, which makes it easy to create a 6to4 tunnel.
Since the 16-bit subnet number of the 64-bit address prefix in 6to4 addresses can be
customized and the first 48 bits in the address prefix are fixed by a permanent value
and the IPv4 address of the tunnel source or destination, it is possible that IPv6 packets
can be forwarded by the tunnel.
3.9.3 ISATAP Tunnel
With the application of the IPv6 technology, there will be more and more IPv6 hosts in
the existing IPv4 network. The ISATAP tunneling technology provides a satisfactory
solution for IPv6 application. An ISATAP tunnel is a point-to-point automatic tunnel. The
destination of a tunnel can automatically be acquired from the embedded IPv4 address
in the destination address of an IPv6 packet. When an ISATAP tunnel is used, the
destination address of an IPv6 packet and the IPv6 address of a tunnel interface both
adopt special addresses: ISATAP addresses. The ISATAP address format is
prefix(64bit):0:5EFE:ipv4-address. The ipv4-address is in the form of a.b.c.d or
abcd:efgh, where abcd:efgh represents a 32-bit source IPv4 address. Through the
embedded IPv4 address, an ISATAP tunnel can automatically be created to transfer
IPv6 packets. The ISATAP tunnel is mainly used for connection between IPv6 routers
or between a host and an IPv6 router over an IPv4 network.
Figure 3-30 ISATAP tunnel (diagram not reproduced. Labels: IPv4 network, ISATAP tunnel, IPv6 network, IPv6 host, ISATAP router, IPv4/IPv6 host. Addresses shown: IPv4 address 2.1.1.1/24; IPv6 addresses FE80::5EFE:0201:0101 and 3FFE::5EFE:0201:0101.)
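The 6to4 and ISATAP address formats described above can be built and taken apart as follows. This is an added example, not code from the H3C documentation; the function names are hypothetical, and the acceptance of 0200:5EFE (RFC 5214) and the routability check on the embedded IPv4 address are additions that the text above does not describe.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # fixed 6to4 prefix
ISATAP_MARK = 0x00005EFE                           # "0:5EFE" in the interface ID
U_BIT = 0x02000000                                 # RFC 5214 also allows 0200:5EFE


def six_to_four_prefix(ipv4):
    """Return the /48 prefix 2002:abcd:efgh::/48 for a tunnel source IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix64, ipv4):
    """Return prefix(64bit):0:5EFE:ipv4-address."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a 64-bit prefix")
    iid = (ISATAP_MARK << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def tunnel_destination(ipv6_dst):
    """Classify an IPv6 destination and return (tunnel_type, embedded IPv4).

    Returns (None, None) when no IPv4 address is embedded; such a destination
    can only be reached through a manually configured tunnel.
    """
    addr = ipaddress.IPv6Address(ipv6_dst)
    if addr in SIX_TO_FOUR:
        # Bits 111..80 of a 6to4 address carry the IPv4 address.
        return "6to4", ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) & ~U_BIT == ISATAP_MARK:
        # The low 32 bits of an ISATAP interface ID carry the IPv4 address.
        return "isatap", ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None, None


def suspicious_6to4(ipv6_dst):
    """True for a 6to4 address whose embedded IPv4 address is not globally routable.

    Added sanity check (an assumption, not a documented switch feature): 6to4
    crosses the public IPv4 network, so a private or loopback endpoint is a
    sign of a forged or misconfigured address. ISATAP is intra-site, so
    private endpoints are normal there and are not flagged.
    """
    kind, v4 = tunnel_destination(ipv6_dst)
    return kind == "6to4" and not v4.is_global


if __name__ == "__main__":
    # Constructed sample destinations, using the addresses from the text.
    for dst in ("2002:0101:0101:1::1", "FE80::5EFE:0201:0101",
                "3FFE::5EFE:0201:0101", "2002:0a00:0001::1", "2001:db8::1"):
        print(dst, tunnel_destination(dst), suspicious_6to4(dst))
```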
3.10 QACL
Quality of service (QoS) provides network services of different types and grades
selected by users, from the top service quality to normal service quality networkwide, to
accommodate various demands. An access control list (ACL) is used primarily to
identify traffic flows. In order to filter data packets, a series of match rules must be
configured on the network device to identify the packets to be filtered. After the specific
packets are identified, and based on the predefined policy, the network device can
permit/prohibit the corresponding packets to pass.
3.10.1 Traffic Classification
Traffic classification is to classify packets according to the packet filtering keywords
configured by the user. Various types of user-defined service processing can be
implemented on the classified packets.
In traffic classification, rules are defined to discriminate packets that conform to certain
characteristics. The classification rules can be very simple. For example, traffic flows
with different priority characteristics can be discriminated according to the differentiated
services codepoint (DSCP) in the packet header. They can also be quite complicated.
For example, packets can be classified according to combinations of information
involving the data link layer, network layer and transport layer -- such as MAC address,
IP protocol type, source host/network segment address, destination host/network
segment address, and even application port number.
3.10.2 Priority Marking
The S5500-EI series support priority marking for classified packets and modification of
the DSCP or 802.1p priority in the packets according to the user-specified preferred
priority values, so as to provide the specified QoS networkwide.
The S5500-EI series can provide priority marking service for classified packets. The
marking contents include DSCP and 802.1p priority. The series also support
assignment of drop precedence and local precedence to packets according to the
DSCP or 802.1p level.
3.10.3 Traffic Policing/Bandwidth Assurance
Traffic policing polices the traffic matching a traffic classification rule on the port where
the packets are received, so that the traffic can effectively use the assigned network
resources such as bandwidth. Traffic policing can also secure the bandwidth for
specific services.
Bandwidth assurance refers to assuring the minimum bandwidth for a specific traffic flow so
that it can satisfy such QoS requirements as packet loss rate, delay, and jitter even when
network congestion occurs.
The S5500-EI series implement traffic policing mainly by limiting the rate of
packet-receiving ports, supervising traffic entering a specific network, and performing
priority marking for packets within the traffic limit to provide differentiated services. If the
traffic exceeds the limit, you can drop the excess traffic, try to forward it, or re-mark its
priority.
3.10.4 Traffic Statistics
Based on traffic classification, the S5500-EI series can perform traffic statistics for the
identified packets.
This function counts the total number of all packets that match the specified traffic
classification rule to facilitate the analysis of specific traffic flows on the network.
3.10.5 Traffic Mirroring
Based on traffic classification, the S5500-EI series can perform traffic mirroring for the
identified packets to re-monitor service traffic flows that match the traffic classification
rule. This function copies the data packets that match the traffic classification rule to the
monitoring port to facilitate network tests and troubleshooting.
3.10.6 Traffic Redirection
Based on traffic classification, the S5500-EI series can redirect the identified packets.
The traffic redirection function enables you to re-specify the output port of packet
forwarding and bypass the Bridge mechanism, with the destination port determined by
the traffic redirection function.
3.10.7 Port Mirroring
Port mirroring is used for monitoring packets on a specific port.
This function copies the data packets on the specified port to the monitoring port to
facilitate network tests and troubleshooting.
The S5500-EI series support inbound and outbound port mirroring.
3.10.8 Queue Scheduling
Queue scheduling applies to the situation where multiple forwarded packets compete
for the resources. The S5500 series support four queue scheduling algorithms: strict
priority (SP), weighted fair queuing (WFQ), weighted round robin (WRR) and SP+WRR.
These algorithms process packet forwarding problems of each output queue on the
switch ports based on their own rules. The following sections describe these algorithms
briefly:
1) SP queue-scheduling algorithm
Figure 3-31 Diagram for SP queuing (diagram not reproduced. Packets to be sent through the port pass packet classification into Queue 7 (high priority) through Queue 0 (low priority); queue scheduling feeds the sending queue, and sent packets leave through the interface.)
SP queue-scheduling algorithm is specially designed for critical service applications.
An important feature of critical services is that they demand preferential service in
congestion in order to reduce the response delay. Assume that there are eight output
queues on the port and the preferential queue classifies the eight output queues on the
port into eight classes, which are queue7, queue6, queue5, queue4, queue3, queue2,
queue1, and queue0. Their priorities decrease in order.
In queue scheduling, SP sends packets in the queue with higher priority strictly
following the priority order from high to low. When the queue with higher priority is
empty, packets in the queue with lower priority are sent. You can put critical service
packets into the queues with higher priority and put non-critical service (such as e-mail)
packets into the queues with lower priority. In this case, critical service packets are sent
preferentially and non-critical service packets are sent when no critical service packets are
being sent.
The disadvantage of SP queue is that: if there are packets in the queues with higher
priority for a long time in congestion, the packets in the queues with lower priority will be
“starved” because they are not served.
II. WFQ queuing
Figure 3-32 Diagram for WFQ queuing (diagram not reproduced. Packets to be sent through the port pass packet classification into Queue 1 (bandwidth 1) through Queue N (bandwidth N); queue scheduling feeds the sending queue, and sent packets leave through the interface.)
Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed
for the purpose of sharing network resources fairly and optimizing the delays and delay
jitters of all the flows. It takes the interests of all parties into account, such as:

Different queues are scheduled fairly, so the delay of each flow is balanced
globally.

Both short and long packets are scheduled fairly. When there are multiple long
packets and short packets to be sent among different queues, the short packets
must be scheduled preferentially, so that the delay jitter of the packets of each flow is
reduced globally.
Compared with FQ, WFQ takes the priority into account when calculating the
scheduling sequence of packets. Statistically speaking, WFQ assigns more scheduling
chances to high priority packets than those to low priority packets. WFQ can classify
the traffic automatically according to the session information of traffic including the
protocol types, source and destination TCP or UDP port numbers, source and
destination IP addresses, and priority values in the ToS field. WFQ also provides as
many queues as possible to accommodate each flow evenly. Thus, the delay of each
flow is balanced globally. When the packets dequeue, WFQ assigns the bandwidth to
each flow on the egress according to the traffic precedence or DSCP precedence. The
lower the traffic precedence is, the less bandwidth the traffic gets. The higher the traffic
precedence is, the more bandwidth the traffic gets. Finally, each queue is polled and
the corresponding number of packets is taken out to be sent according to the proportion
of bandwidth.
You can use the WFQ algorithm to assign bandwidth to the output queues of a port, and
then decide which queue a traffic flows into according to the mapping between the COS
value of the traffic and the queue, and also decide how much bandwidth is to be
assigned to each traffic flow.
III. WRR queue-scheduling algorithm
Figure 3-33 Diagram for WRR queuing (diagram not reproduced. Packets to be sent through the port pass packet classification into Queue 1 (weight 1) through Queue N (weight N); queue scheduling feeds the sending queue, and sent packets leave through the interface.)
WRR queue-scheduling algorithm schedules all the queues in turn and every queue
can be assured of a certain service time.
In a typical H3C switch there are eight output queues on each port. WRR configures a
weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0
respectively for queue 7 through queue 0. A weight value indicates the proportion of
resources available for a queue. On a 100-Mbps port, configure the weight value of
WRR queue-scheduling algorithm to 5, 5, 3, 3, 1, 1, 1, and 1 (corresponding to w7, w6,
w5, w4, w3, w2, w1, and w0 in order). In this way, the queue with the lowest priority can
get 5 Mbps (100 Mbps × 1/(5+5+3+3+1+1+1+1)) bandwidth at least, and the
disadvantage of SP queue-scheduling that the packets in queues with lower priority
may not get service for a long time is avoided. Another advantage of WRR queuing is that,
though the queues are scheduled in order, the service time for each queue is not fixed;
that is to say, if a queue is empty, the next queue will be scheduled. In this way, the
bandwidth resources are fully used.
IV. SP+WRR
SP + WRR queue scheduling algorithm is used to configure some queues of each port
with the SP algorithm and configure other queues with the WRR algorithm so that
bandwidth resources can be fully utilized.
A port of an S5500-EI Ethernet switch supports eight output queues. If you set the
weight or the bandwidth of one or multiple queues to 0, the switch will add the queue or
these queues to the SP group, where SP is adopted. For other queues, WRR still
applies. In this case, both SP and WRR are adopted.
In cases where both SP and WRR queue scheduling algorithms are adopted, the
queues in the SP group take precedence over other queues. For example, if queue 0,
queue 1, queue 2, and queue 3 are in the SP group, queue 4, queue 5, queue 6, and
queue 7 are scheduled using WRR, the switch will schedule the queues in the SP
group preferentially by using the SP algorithm. Then queues outside the SP group are
scheduled by using WRR algorithm only when all the queues in the SP group are
empty.
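The SP, WRR and SP+WRR behaviour described above can be compared with a small scheduler model. This is an added example, not the switch's implementation; it assumes equal-size packets, no new arrivals during the run, and (as the text states) that a weight of 0 places a queue in the SP group.

```python
def schedule(backlog, weights, slots):
    """Send up to `slots` equal-size packets and return packets sent per queue.

    backlog[q]  packets waiting in queue q (queue 7 = highest priority)
    weights[q]  WRR weight of queue q; weight 0 puts the queue in the SP group
    """
    backlog = list(backlog)
    sent = [0] * len(backlog)
    order = range(len(backlog) - 1, -1, -1)            # high priority first
    sp_group = [q for q in order if weights[q] == 0]
    wrr_group = [q for q in order if weights[q] > 0]
    credit = {q: weights[q] for q in wrr_group}

    while slots > 0:
        # SP group first: the highest-priority non-empty SP queue always wins.
        q = next((i for i in sp_group if backlog[i]), None)
        if q is None:
            # WRR: a queue may send while it has credit left in this round;
            # empty queues are skipped so their share is not wasted.
            q = next((i for i in wrr_group if backlog[i] and credit[i]), None)
            if q is None:
                if not any(backlog[i] for i in wrr_group):
                    break                               # nothing left to send
                credit = {i: weights[i] for i in wrr_group}   # new round
                continue
            credit[q] -= 1
        backlog[q] -= 1
        sent[q] += 1
        slots -= 1
    return sent


def shares_mbps(sent, port_mbps):
    """Convert per-queue packet counts into bandwidth shares of the port."""
    total = sum(sent)
    return [port_mbps * n / total for n in sent]


# Weights from the text: w7..w0 = 5, 5, 3, 3, 1, 1, 1, 1 (list index = queue number).
WRR_WEIGHTS = [1, 1, 1, 1, 3, 3, 5, 5]
ALL_SP = [0] * 8
FULL = [1000] * 8          # constructed input: every queue permanently backlogged

if __name__ == "__main__":
    print("SP     :", schedule(FULL, ALL_SP, 100))        # queue 7 starves the rest
    wrr = schedule(FULL, WRR_WEIGHTS, 200)
    print("WRR    :", wrr, shares_mbps(wrr, 100))         # queue 0 still gets 5 Mbps
    # Queues 0-3 in the SP group, queues 4-7 under WRR, as in the example above.
    print("SP+WRR :", schedule([0, 0, 0, 3, 100, 100, 100, 100],
                               [0, 0, 0, 0, 1, 1, 2, 2], 9))
```

Under pure SP a sustained flood into queue 7 leaves the other queues unserved, which is the starvation case the text warns about; with WRR the lowest queue keeps its 1/20 share.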
3.10.9 Congestion Avoidance
Serious congestion causes great damage to network resources, and therefore
some measures must be taken to avoid such congestion. As a flow control mechanism,
congestion avoidance monitors the utilization of network resources (such as queues or
memory buffers) and actively drops packets when congestion deteriorates, to
prevent network overload.
You can use random early detection (RED) or weighted random early detection (WRED)
to avoid the global TCP synchronization caused by the traditional packet drop policy.
The RED or WRED algorithm sets an upper threshold and lower threshold for each
queue, and processes the packets in a queue as follows:

When the queue size is shorter than the lower threshold, no packet is dropped;

When the queue size reaches the upper threshold, all subsequent packets are
dropped;

When the queue size is between the lower threshold and the upper threshold, the
received packets are dropped at random. The longer a queue is, the higher the
drop probability is. However, a maximum drop probability exists.
Different from RED, WRED determines differentiated drop policies for packets with
different IP precedence values. Packets with a lower IP precedence are more likely to
be dropped.
Both RED and WRED avoid global TCP synchronization by randomly dropping packets.
When the sending rate of a TCP session slows down after its packets are dropped, the
other TCP sessions remain in high packet sending rates. In this way, some TCP
sessions remain in high sending rates in any case, and the link bandwidth can be fully
utilized.
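The threshold rules above, and the per-precedence difference that WRED adds, can be modelled as follows. This is an added example, not the switch's algorithm; the linear ramp between the thresholds, the use of the instantaneous queue length, and the threshold values in PROFILES are assumptions made for illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DropProfile:
    low: int        # below this queue length nothing is dropped
    high: int       # at or above this queue length everything is dropped
    max_p: float    # ceiling of the random-drop probability between the two


def drop_probability(queue_len, profile):
    """Drop probability for one arriving packet at the given queue length."""
    if queue_len < profile.low:
        return 0.0
    if queue_len >= profile.high:
        return 1.0
    span = profile.high - profile.low
    return profile.max_p * (queue_len - profile.low) / span


def simulate(profiles, ticks, arrivals_per_class=2, service=2, seed=1):
    """Overload one queue and return (drops per precedence, peak queue length).

    Each tick, every precedence class offers `arrivals_per_class` packets and
    the port then sends `service` packets, so the offered load exceeds the
    service rate whenever there is more than one class.
    """
    rng = random.Random(seed)
    queue_len, peak = 0, 0
    drops = {prec: 0 for prec in profiles}
    for _tick in range(ticks):
        for prec, profile in profiles.items():
            for _pkt in range(arrivals_per_class):
                if rng.random() < drop_probability(queue_len, profile):
                    drops[prec] += 1
                else:
                    queue_len += 1
        peak = max(peak, queue_len)
        queue_len = max(0, queue_len - service)
    return drops, peak


# Constructed WRED profiles: IP precedence 0 is dropped earlier and harder
# than IP precedence 7. Giving every class the same profile yields plain RED.
PROFILES = {
    0: DropProfile(low=20, high=40, max_p=0.5),
    7: DropProfile(low=40, high=60, max_p=0.1),
}

if __name__ == "__main__":
    for qlen in (10, 30, 45, 60):
        print(qlen, {p: drop_probability(qlen, prof) for p, prof in PROFILES.items()})
    print(simulate(PROFILES, ticks=500))
```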
3.10.10 User Profile
The S5500-EI series switches use user profiles to control the effective scope of a QoS
policy, and flexibly control system resource assignment for users.
A user profile provides a configuration template to save predefined configurations.
Based on different application scenarios, you can configure different items for a user
profile, such as Committed Access Rate (CAR), Quality of Service (QoS), and so on.
With user profiles, you can:

Make use of system resources more granularly. For example, without user profiles,
you can apply a QoS policy based on interface, VLAN, globally and so on. This
QoS policy is applicable to a group of users. With user profiles, however, you can
apply a QoS policy on a per-user basis, to each user who passes authentication and
accesses the device.

Control system resource assignment for users more flexibly. For example, without
user profiles, you can perform traffic policing based on CAR, ACL, or for all the
traffic of the current interface; when the physical position of users changes (for
example, the users access the network using another interface), you need to
configure traffic policing on another interface. With user profiles, however, you can
perform traffic policing on a per-user basis. As long as users are online, the
authentication server applies the corresponding user profile (with CAR configured)
to the users; when the users are offline, the system automatically removes the
corresponding configuration.
3.11 Centralized Management Features
3.11.1 HGMP
Through cluster management, the network administrator can configure and
troubleshoot multiple switches through a single public network IP address of a primary
switch. In each cluster, there is a master switch called a command switch. The rest of
the switches serve as member switches. A member switch is typically not configured
with an IP address. The command switch and member switches form a cluster. In a
cluster, the switches take different roles according to their functions. You can
specify switch roles. The roles can be switched based on certain rules.
Switch roles in a cluster include command switch, member switch, standby switch, and
candidate switch.
1) Command switch: the switch configured with a public network IP address. A
management command is sent to the command switch and the command switch
processes this command. If the destination is a member switch, the management
command will be forwarded to the command switch.
2) Member switch: a member in a cluster. The member switch is managed through the
proxy of the command switch. Typically no public network IP address is set for the
member switch.
3) Candidate switch: Candidate switches are cluster-capable devices that have not yet
been added to a cluster.
3.12 Security Features
The popularity of network applications, especially in some sensitive occasions
(e-commerce for example), highlights the issue of network security.
The S5500-EI series have been designed based on full consideration of customers’
demands, so as to provide full-range network solutions.
With respect to terminal access control and user access control, the S5500-EI series
provide the following network security features:

Hierarchical user management and password protection

IP Source Guard

MAC address black hole

MAC address learning limit

Binding of MAC addresses to ports

Supports SSH 2.0

IEEE 802.1x compliant access user authentication

Supports MAC address based authentication

Supports local and RADIUS authentication modes

Supports port isolation
With respect to filtering and authenticating Ethernet frames and packets from the upper
layers, the S5500-EI series support:

ACL, with which information is filtered at layers 2 through 4 (such as based on port,
by source/destination MAC address, by source/destination IP address, or by the
type of upper layer protocol).

Encrypted authentication of SNMPv3
3.12.1 Terminal Access User Classification
The S5500-EI series protect command lines in a hierarchical way by dividing the
command lines into four levels: visitor, monitor, operator, and administrator.
Commensurate with the command division, login users are classified into four levels. A
login user can use only the commands equal to or lower than its level.
3.12.2 SSH
When users log in to the Ethernet switch from an insecure network, Secure Shell (SSH)
offers information protection and strong authentication to safeguard
the Ethernet switch from attacks such as IP address spoofing and plain-text password
interception. An Ethernet switch can accept multiple SSH client connections at the
same time. The SSH client allows users to connect to the Ethernet switches and UNIX
mainframes that support SSH servers.
The S5500-EI series Ethernet switches support SSH2.0.
3.12.3 Port Isolation
Port isolation means isolating ports of the same switch so that Layer 2 and Layer 3
packet forwarding cannot be implemented between these ports. This prevents mutual
access between the ports, effectively controls unnecessary broadcasting and increases the
network throughput.
3.12.4 IEEE 802.1x Authentication
IEEE 802.1x is essentially a port-based network access control protocol. As “port-based
network access control” implies, the NAS on a LAN authenticates and controls the
connected customer premises equipment (CPE) at the port level. If the CPE connected
to a port passes authentication, it is allowed to access the LAN resources. Otherwise, it
is rejected as if its physical link were disconnected.
In implementing 802.1x, the Ethernet switches not only support port-based access
authentication, but also extend and optimize it by:

Allowing a physical port to be connected to several terminals.

Supporting access control (that is user authentication) based on MAC address in
addition to port.
This greatly enhances the security, operability and manageability of the system.
Note that, although 802.1x provides an implementation scheme for user authentication,
the protocol itself is not enough to implement the scheme. The NAS administrators,
however, can use RADIUS or local authentication to complete the user authentication
with 802.1x.
3.12.5 802.1x EAD Fast Deployment
I. Overview
As an integrated security scheme, an endpoint admission defense (EAD) scheme can
improve the overall defense capability of a network. However, EAD deployment brings
much workload in actual applications. To solve this problem, you can use 802.1x
functions to implement fast deployment of EAD scheme.
To address the issue, the S5500-EI series switches enable the user’s quick redirection
to EAD client download server with 802.1x authentication, easing the work of EAD
client deployment.
II. Operation of Quick EAD Deployment
Quick EAD deployment is achieved with the two functions: restricted access and HTTP
redirection.
1) Restricted access
Before passing 802.1x authentication, a user is restricted (through ACLs) to a specific
range of IP addresses or a specific server. Services like EAD client
upgrading/download and dynamic address assignment are available on the specific
server.
2) HTTP redirection
In the HTTP redirection approach, when the terminal users that have not passed
802.1x authentication access the Internet through Internet Explorer, they are redirected
to a predefined URL for EAD client download.
The two functions ensure that all the users without an EAD client have downloaded and
installed one from the specified server themselves before they can access the Internet,
thus decreasing the complexity and effort that EAD client deployment may involve.
3.12.6 IP Source Guard
By filtering packets on a per-port basis, IP source guard prevents illegal packets from
traveling through, thus improving the network security. After receiving a packet, the port
looks up the key attributes (including IP address, MAC address and VLAN tag) of the
packet in the binding entries of the IP source guard. If there is a matching entry, the port
will forward the packet. Otherwise, the port will abandon the packet.
IP source guard filters packets based on the following types of binding entries:

IP-port binding entry

MAC-port binding entry

IP-MAC-port binding entry

IP-VLAN-port binding entry

MAC-VLAN-port binding entry

IP-MAC-VLAN-port binding entry
You can manually set static binding entries, or use DHCP Snooping to provide dynamic
binding entries. Binding is on a per-port basis. After a binding entry is configured on a
port, it takes effect only on that port, not on other ports.
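The lookup described above, with the six binding types and both static and DHCP-snooping entries, can be modelled as follows. This is an added example, not the switch's code; the class and method names are hypothetical, the addresses are constructed, and treating a port with no binding entries as unfiltered is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac):
    """Normalise 0011-2233-4455 or 00:11:22:33:44:55 to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    port: str
    ip: Optional[str] = None        # None means "not part of this binding"
    mac: Optional[str] = None
    vlan: Optional[int] = None
    source: str = "static"          # "static" or "dhcp-snooping"

    def matches(self, port, ip, mac, vlan):
        """True when every attribute present in the entry equals the packet's."""
        if port != self.port:
            return False
        if self.ip is not None and ipaddress.ip_address(self.ip) != ipaddress.ip_address(ip):
            return False
        if self.mac is not None and norm_mac(self.mac) != norm_mac(mac):
            return False
        if self.vlan is not None and self.vlan != vlan:
            return False
        return True


class SourceGuard:
    def __init__(self):
        self.bindings = []

    def add_static(self, port, ip=None, mac=None, vlan=None):
        # Every binding type in the list above contains an IP or a MAC address.
        if ip is None and mac is None:
            raise ValueError("a binding needs an IP address, a MAC address or both")
        self.bindings.append(Binding(port, ip, mac, vlan))

    def learn_from_dhcp(self, port, ip, mac, vlan):
        """Dynamic IP-MAC-VLAN-port entry, as DHCP snooping would supply it."""
        self.bindings.append(Binding(port, ip, mac, vlan, "dhcp-snooping"))

    def permits(self, port, ip, mac, vlan):
        """Forward the packet only if an entry on the receiving port matches."""
        on_port = [b for b in self.bindings if b.port == port]
        if not on_port:
            return True     # ASSUMPTION: a port without bindings is not filtered
        return any(b.matches(port, ip, mac, vlan) for b in on_port)


if __name__ == "__main__":
    guard = SourceGuard()
    guard.add_static("GE1/0/1", ip="192.0.2.10", mac="0011-2233-4455", vlan=10)
    guard.add_static("GE1/0/2", mac="00:aa:bb:cc:dd:ee")
    guard.learn_from_dhcp("GE1/0/1", "192.0.2.20", "00:11:22:33:44:66", 10)
    # Constructed packets: (port, source IP, source MAC, VLAN)
    for pkt in [("GE1/0/1", "192.0.2.10", "00:11:22:33:44:55", 10),   # bound host
                ("GE1/0/1", "192.0.2.99", "00:11:22:33:44:55", 10),   # spoofed IP
                ("GE1/0/2", "192.0.2.10", "00:11:22:33:44:55", 10)]:  # wrong port
        print(pkt, "forward" if guard.permits(*pkt) else "drop")
```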
3.12.7 MAC address authentication
MAC address authentication is a port- and MAC address-based authentication method that
controls the network access rights of users. MAC address authentication does not
require users to install any client software. The switch starts authenticating a user
once it detects a new MAC address of the user.
The S5500-EI series support the following two types of MAC address authentication:

MAC address mode: the MAC address of a user is used as both the user name
and password.

Fixed mode: the user name and password are configured on the switch
beforehand. In this case, all the users correspond to the fixed user names and
passwords configured on the switch.
3.12.8 MAC Address Learning Limit
MAC address learning limit: limits the number of MAC addresses learned by an
Ethernet switch port. The number ranges from 0 to 4k. Static MAC addresses added on
the port are not affected.
3.12.9 Binding of MAC Addresses to Ports
If the MAC address of a network device is bound with a port, you can access the
Internet through this port only.
3.12.10 MAC Address Black Hole
On an S5500-EI series switch, you can enable the black hole function and configure a
black hole list. When the switch receives a packet with a source or destination MAC
address in the black hole, it drops the packet.
3.12.11 AAA, RADIUS and HWTACACS
The S5500-EI series support user authentication locally or with RADIUS/HWTACACS
servers.
I. AAA
AAA is the abbreviation of Authentication, Authorization and Accounting. It provides a
uniform framework to configure the security functions including authentication,
authorization, and accounting. Actually, it offers a way to control the network security,
which can be implemented with RADIUS.
AAA performs the following services:

Authentication: Authenticates if the user can access the network server.

Authorization: Authorizes the user with specified services.

Accounting: Tracks the network resources consumed by users.
II. RADIUS
RADIUS is a distributed system in the client/server model. It can fend off invalid users
and is often used in a network environment where both high security and remote user
access are desired. For example, it can be used to manage the access based on
802.1x.
RADIUS is based on the client/server model where user authentication always involves
a device that can provide the proxy function, such as NAS. Between the RADIUS client
and server, the exchanged messages are authenticated using a shared key and user
passwords are sent encrypted over the network. The security is thus ensured.
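How the shared key protects the user password in a RADIUS Access-Request, and what stays readable in the packet, is shown below using the User-Password hiding scheme of RFC 2865 section 5.2. This is an added example, not code from the switch; the user name, password, shared secret and authenticator are constructed sample values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                    # RADIUS packet code
USER_NAME, USER_PASSWORD = 1, 2       # attribute types


def _keystream_block(secret, prev):
    """MD5(shared secret + previous block), one 16-byte pad per password block."""
    return hashlib.md5(secret + prev).digest()


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR with the chained MD5 output."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = 16 if not password else -len(password) % 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad_block = _keystream_block(secret, prev)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad_block))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side: the same chain, keyed by the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream_block(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, user, password, secret, authenticator=None):
    """Encode Code, Identifier, Length, Request Authenticator and two attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((USER_NAME, user),
                             (USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return (authenticator, {type: value}); reject inconsistent lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return authenticator, attrs


if __name__ == "__main__":
    secret = b"xyzzy5461"                       # constructed shared secret
    pkt = build_access_request(1, b"nemo", b"arctangent", secret)
    auth, attrs = parse_attributes(pkt)
    print("user name readable in packet:", b"nemo" in pkt)          # True
    print("password readable in packet :", b"arctangent" in pkt)    # False
    print("server recovers             :", reveal_password(attrs[USER_PASSWORD], secret, auth))
```

Only the User-Password value is hidden; the user name and every other attribute travel in clear text, and the protection of the password rests entirely on the shared secret.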
III. HWTACACS
HWTACACS is a security protocol providing enhanced functions based on TACACS
(RFC1492). Similar to RADIUS, this protocol mainly enables the AAA for multiple types
of users in the Server-Client mode. It can be used for the AAA of PPP and VPDN
access users and login users.
Compared with RADIUS, HWTACACS features more reliable transmission and
encryption, making it more suitable for security control. The major differences between
HWTACACS and RADIUS are listed in the table below:
Table 3-2 HWTACACS vs. RADIUS
| HWTACACS | RADIUS |
|---|---|
| Uses TCP for more reliable transmissions over the network. | Uses UDP. |
| Encrypts packet body completely, except the standard HWTACACS packet header. | Encrypts only the password field in authentication packets. |
| Authentication and authorization are separated. For example, RADIUS can be used for authentication, while HWTACACS is used for authorization. | Authentication and authorization are not separated. |
| Suitable for security control. | Suitable for accounting. |
| Allows different users to use different configuration commands on the routing module of the switch. | Does not support this feature. |
HWTACACS is mainly used when a dialup user or terminal user needs to log on to the
switch. As the client of HWTACACS, the switch sends the user name and password to
the HWTACACS server for authentication. After passing the authentication, the user
can log on to the switch and perform operations.
3.12.12 Introduction to Portal
I. Portal
Portal authentication, as its name implies, helps control access to the Internet. Portal
authentication is also called web authentication and a website implementing portal
authentication is called a portal website.
With portal authentication, an access device forces any user to log into the portal
website at first. A user can access the free services provided on the portal website; but
to access the Internet, the user must pass portal authentication on the portal website.
A user can access a known portal website and enter a username and password for
authentication. This authentication mode is called active authentication. There is still
another authentication mode, namely forced authentication, in which the access device
forces a user trying to access the Internet through HTTP to log in to a portal website for
authentication.
The portal feature provides the flexibility for Internet service providers (ISPs) to
manage services. A portal website can, for example, present advertisements, and
deliver community services and personalized services. In this way, broadband network
providers, equipment providers, and content service providers form an industrial
ecological system.
II. Extended portal
By forcing users to implement patching and anti-virus policies, Extended portal helps
users to defend against viruses.
Extended portal implements a security authentication mechanism to enhance portal
authentication. The security authentication mechanism works after the identity
authentication process to check that the required anti-virus software, virus definition
updates and OS patches are installed, and no unauthorized software is installed on the
terminal of a user.
A user passing identity authentication can access only network resources like the
anti-virus server or OS patch server, which are called the restricted resources. Only
users passing security authentication can access more network resources, which are
called the unrestricted resources.
3.13 Reliability Features
3.13.1 Smart Link
Dual-uplink networks (as shown in Figure 3-34) are in common use. In a network of this
type, Spanning Tree Protocol (STP) is usually employed to allow for link redundancy.
However, STP cannot satisfy the users with high demand on convergence time.
Smart Link is dedicated to dual-link networks as shown in Figure 3-34 to provide link
redundancy with rapid convergence (sub-second level). It allows the backup link to take
over quickly when the primary link fails. In addition to fast convergence, Smart Link is
easy to configure.
Figure 3-34 Smart link application scenario (diagram not reproduced. Labels: Internet; Switch A, Switch B, Switch C, Switch D and Switch E; ports GE1/0/1, GE1/0/2 and GE1/0/3.)
I. Smart link group
A smart link group consists of only two member ports: the master and the slave. At a
time, only one port is active for forwarding, and the other port is blocked, that is, in the
standby state. When link failure occurs on the active port due to port shutdown or
presence of unidirectional link for example, the standby port becomes active to take
over while the original active port transits to the blocked state.
Note that a port can join only one smart link group.
As shown in Figure 3-34, GE1/0/1 and GE1/0/2 of Switch C form a smart link group,
with GE1/0/1 being active and GE1/0/2 being standby. GE1/0/1 and GE1/0/2 of Switch
E form another smart link group, with GE1/0/2 being active and GE1/0/1 being standby.
II. Master port
Master port is a port role in a smart link group. When both ports in a smart link group are
up, the master port preferentially transits to the forwarding state. Once the master port
fails, the slave port takes over to forward traffic until next link switchover. During this
period, the master port stays in standby state even if it has recovered.
As shown in Figure 3-34, you can configure GE1/0/1 of Switch C and GE1/0/2 of Switch E as
master ports.
III. Slave port
Slave port is a port role in a smart link group. When both ports in a smart link group are
up, the slave port is placed in the standby state. When the master port fails, the slave
port takes over to forward traffic.
As shown in Figure 3-34, you can configure GE1/0/2 of Switch C and GE1/0/1 of Switch
E as slave ports.
IV. Flush message
Flush messages are used by a smart link group to notify other devices to refresh their
MAC address forwarding entries and ARP/ND entries when link switchover occurs in
the link group.
V. Transmit control VLAN
The transmit control VLAN is used for transmitting flush messages. When link
switchover occurs, the devices (such as Switch C and E in Figure 3-34) broadcast flush
messages within the VLAN.
VI. Receive control VLAN
The receive control VLAN is used for receiving and processing flush messages. When
link switchover occurs, the devices (such as Switch A, B, and D in Figure 3-34) receive
and process flush messages in the receive control VLAN and refresh their MAC
address forwarding entries and ARP/ND entries.
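The port roles, the no-preemption rule and the control VLANs described in this section, modelled as an added Python example (not H3C code or configuration). The class and function names, VLAN IDs 10 and 20, the MAC address and the upstream port are constructed for illustration, and treating "refresh" as clearing the MAC table is a simplification.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SmartLinkGroup:
    """One smart link group: two member ports, only one forwarding at a time."""
    master: str
    slave: str
    transmit_control_vlan: int
    link_up: Dict[str, bool] = field(init=False)
    active: Optional[str] = field(init=False)
    flushes_sent: List[Tuple[int, str]] = field(default_factory=list, init=False)

    def __post_init__(self) -> None:
        self.link_up = {self.master: True, self.slave: True}
        # Both ports up: the master port preferentially enters the forwarding state.
        self.active = self.master

    def state(self, port: str) -> str:
        if not self.link_up[port]:
            return "down"
        return "forwarding" if port == self.active else "standby"

    def states(self) -> Tuple[str, str]:
        return self.state(self.master), self.state(self.slave)

    def set_link(self, port: str, up: bool) -> None:
        """Apply a link event; switch over only when the active port is lost."""
        self.link_up[port] = up
        other = self.slave if port == self.master else self.master
        if not up and port == self.active:
            self._activate(other if self.link_up[other] else None)
        elif up and self.active is None:
            # Assumption of this model: with no forwarding port left,
            # the first member to recover starts forwarding.
            self._activate(port)
        # Otherwise a recovered port stays in standby until the next switchover.

    def _activate(self, port: Optional[str]) -> None:
        self.active = port
        if port is not None:
            # Switchover: broadcast a flush message in the transmit control VLAN.
            self.flushes_sent.append((self.transmit_control_vlan, port))


@dataclass
class UpstreamSwitch:
    """Device that has learned host MACs through the smart link group."""
    name: str
    receive_control_vlans: Set[int]
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> port

    def on_flush(self, vlan: int) -> bool:
        # Flush messages are processed only in a receive control VLAN.
        if vlan not in self.receive_control_vlans:
            return False
        self.mac_table.clear()  # simplification of "refresh": entries are relearned
        return True


def run_scenario() -> dict:
    # Constructed values: VLANs 10/20, the MAC address and the upstream port.
    group = SmartLinkGroup("GE1/0/1", "GE1/0/2", transmit_control_vlan=10)
    learned = {"00-00-5e-00-53-01": "GE1/0/3"}
    matched = UpstreamSwitch("matched", {10}, dict(learned))
    mismatched = UpstreamSwitch("mismatched", {20}, dict(learned))

    trace = [group.states()]
    group.set_link("GE1/0/1", False)   # master fails, slave takes over
    trace.append(group.states())
    for vlan, _port in group.flushes_sent:
        matched.on_flush(vlan)
        mismatched.on_flush(vlan)
    group.set_link("GE1/0/1", True)    # master recovers but does not preempt
    trace.append(group.states())
    group.set_link("GE1/0/2", False)   # next switchover returns traffic to master
    trace.append(group.states())
    return {
        "trace": trace,
        "flushes": group.flushes_sent,
        "matched_entries": len(matched.mac_table),
        "mismatched_entries": len(mismatched.mac_table),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

In this model the device whose receive control VLAN does not match the transmit control VLAN keeps its stale entry after the switchover, which is the condition to check for when traffic keeps following the failed path.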
3.13.2 Monitor Link
Monitor Link is a collaboration scheme introduced to complement Smart Link. It is
usually used in conjunction with Layer-2 topology protocols. The idea is to adapt the
up/down state of downlink ports to the up/down state of uplink ports, triggering link
switchover on the downlink device in time. It is used to monitor uplinks and to perfect the
backup function of Smart Link.
3.13.3 VRRP
Note:
A switch running VRRP also functions as a router. In the following text, "router" refers
both to routers in the common sense and to Layer 3 switches running the Virtual Router
Redundancy Protocol (VRRP).
Normally, as shown in Figure 3-35, you can configure a default route with the gateway
as the next hop for every host on a network segment. All packets destined to other
network segments are sent over the default route to the gateway and are then
forwarded by the gateway. However, when the gateway fails, all the hosts using the
gateway as the default next-hop router fail to communicate with the external network.
Figure 3-35 LAN networking (diagram labels: Host A, Host B, Host C, Gateway, Network)
Virtual Router Redundancy Protocol (VRRP) is designed to address this problem.
VRRP adds routers that can act as network gateways to a VRRP group, which forms a
virtual router. Routers in the VRRP group elect a master through the VRRP election
mechanism to take the responsibility of a gateway, and hosts on a LAN only need to
configure the virtual router as their default network gateway.
VRRP is an error-tolerant protocol, which improves network reliability and simplifies
configuration on hosts. By deploying VRRP on multicast and broadcast LANs such as
Ethernet, you can ensure that the system still provides highly reliable default links
when a device fails, without changing configurations (such as dynamic routing protocols
or route discovery protocols), and prevent network interruption due to the failure of a
single link.
VRRP has two versions: VRRPv2 and VRRPv3. VRRPv2 is based on IPv4, and
VRRPv3 is based on IPv6. The two versions implement the same functions but provide
different commands.
A VRRP group has the following features:
• A virtual router has an IP address. A host on the LAN only needs to know the IP
address of the virtual router and uses the IP address as the next hop of the default
route.
• Every host on the LAN communicates with external networks through the virtual
router.
• Routers in the VRRP group elect the gateway according to their priorities. When
the master acting as the gateway fails, to ensure that the hosts in the network
segment can communicate with the external networks uninterruptedly, the other
routers in the VRRP group elect a new gateway to undertake the responsibility of
the failed router.
Figure 3-36 Network diagram for VRRP (diagram labels: virtual IP address 10.1.1.1/24; Switch A, master, 10.1.1.2/24; Switch B, backup, 10.1.1.3/24; Switch C, backup, 10.1.1.4/24; Host A, Host B, Host C; Network)
As shown in Figure 3-36, the virtual router has its own IP address: 10.1.1.1 (this
address can be the same as that of an interface of a switch within the standby group).
Each switch within the standby group also has its own IP address (10.1.1.2 for the master
switch, and 10.1.1.3 and 10.1.1.4 for the standby switches). Hosts within the LAN know only
the IP address of the virtual router, 10.1.1.1 (generally referred to as the virtual IP address
of the backup group); they do not know the specific IP addresses of the master
switch or of the standby switches. They configure the next hop of their own default
routes as the IP address of the virtual router, 10.1.1.1. Therefore, hosts within the
network communicate with the external network through this virtual router. When
the master switch in a standby group fails, a backup switch in the group takes over
the work of the faulty master switch and becomes the new master switch. The new master
switch continues providing routing services for the hosts within the network so that they
can communicate with external networks continuously.
3.13.4 RRPP
The Rapid Ring Protection Protocol (RRPP) is a link layer protocol designed for
Ethernet rings. RRPP can prevent broadcast storms caused by data loops when an
Ethernet ring is healthy, and rapidly restore the communication paths between the
nodes in the event that a link is disconnected on the ring.
Compared with the IEEE spanning tree protocols, RRPP features the following:
• Fast topology convergence
• Convergence time independent of Ethernet ring size
Figure 3-37 Network diagram for RRPP (diagram labels: Domain 1; Ring 1 and Ring 2; Device A to Device E; master node, transit node, edge node and assistant edge node)
By configuring an individual RRPP domain for transmitting the traffic of the specified
VLANs (referred to as protected VLANs) in a ring network, traffic of different VLANs can
be transmitted according to different topologies in the ring network. In this way, load
balancing is achieved.
As shown in Figure 3-38, Ring 1 is configured as the primary ring of both Domain 1 and
Domain 2. In Domain 1, Device A is configured as the master node of Ring 1; in Domain
2, Device B is configured as the master node of Ring 1. Such configurations enable the
ring to block different links based on VLANs, thus achieving single-ring load balancing.
Figure 3-38 Network diagram for single-ring load balancing (diagram labels: Ring 1; Domain 1 and Domain 2; Device A to Device D)
3.14 IRF
The Intelligent Resilient Framework (IRF) is an innovative technology developed by
H3C for mid-range and low-end switches. With IRF, users can design and realize high
availability, scalability and reliability at the core layer and distribution layer of gigabit
Ethernet networks.
3.14.1 Physical Connections
You can connect multiple S5500-EI switches that support IRF to form a logical switching
entity, which looks like a single switching device from the management view. This type of
virtual device combines the low cost of box-type switches with the high scalability and
availability of distributed chassis switches.
Figure 3-39 IRF virtual device
The devices in an IRF stack exchange hello packets to collect the topology of the entire
stack and to report topology changes to the management module. Adding or deleting a
member device is similar to inserting a board into or removing a board from a chassis switch.
This mechanism realizes hot backup and provides excellent scalability.
Figure 3-40 Add a member to the IRF stack
In an IRF stack, every single device is a stack member, and plays one of the following
two roles according to its function:
• Master: The stack member elected to manage the entire stack. An IRF stack has
only one master at one time.
• Slave: A stack member that is managed by the master and operates as a backup of the
master. In an IRF stack, except for the master, all the other devices are slaves.
A typical IRF stack has a bus connection or a ring connection:
Figure 3-41 Physical connections of an IRF stack (two panels: bus topology and ring topology, each showing one master and its slaves)
The orange lines in the figure represent stack links, which are different from common
Ethernet network cables. A stack link can be composed of either one physical line or
multiple physical lines.
3.14.2 Easy Management
An IRF stack can be regarded as a single entity. You can manage the entire IRF stack
by logging in to any unit in the stack either from its console port or a network port
through Telnet.
The management center of an IRF stack is its master device. All login requests and
configurations you make are processed on the master device, regardless of the means
by which you log in or the member device through which you log in to the stack. The
configurations you make are then synchronized by the master to the slaves.
An IRF stack uses member IDs to uniquely identify member devices. The member IDs
are also used in port numbers to identify users. For example, if the member ID of a
device is 3, its port number is GigabitEthernet 3/0/x.
3.14.3 Efficient Redundancy Backup
By using S5500-EI series switches to form an IRF stack, you can provide abundant
access ports and enhanced forwarding capability. Considering strict requirements for
reliability at the distribution layer of a network and data centers, IRF is designed to
provide redundancy at the device level, protocol level and link level.
I. Device level 1:N backup
Common distributed chassis devices use 1:1 backup, where a backup module keeps
synchronization with the primary module and takes over when the primary module fails.
IRF uses 1:N backup, where multiple slaves are configured as the backups of the
master and are strictly synchronized with the master. Once the master fails, a new
master is elected from the slaves to prevent service interruption. Because the slaves
are strictly synchronized with the master, the switchover has little impact on ongoing
services. Thus, reliability is improved.
II. Protocol level hot backup
When an IRF stack works normally, all protocol information and entries are
synchronized among the devices. If one or more devices fail, other devices can take
over the services from the failed devices immediately to ensure normal working of the
entire stack.
For example, the master in normal working state synchronizes the routing information
to all the devices in the IRF stack.
Figure 3-42 Routing information synchronization (diagram labels: RIP, OSPF; IRF members 1 to 4; backup information)
If the master fails, the IRF stack elects a slave (suppose its member ID is 2) as the new
master, which then continues communicating with the uplink routers using the routing
information synchronized from the former master, and synchronizes update information
to other slaves. Thus, the operation of the entire IRF stack is uninterrupted.
Figure 3-43 Routing protocol backup (diagram labels: RIP, OSPF; IRF members 1 to 4; backup information)
III. Link level backup
Traditional link aggregation technologies provide protection against link failures but not
against single points of failure caused by node failures. The new distributed
link aggregation technology provided by IRF can effectively address this single-point
failure issue.
With distributed link aggregation of IRF, you can assign ports on different stack units to
the same link aggregation group. Thus, even when a unit fails causing unavailability of
the link aggregation member port or ports on the unit, traffic can be forwarded out the
link aggregation member ports on any other available stack unit to the destination.
Meanwhile, the stack links between IRF member devices provide a rate up to 12/24
Gbps, which allows multiple aggregation groups to work at the same time.
Figure 3-44 Distributed aggregation (diagram labels: IRF members 1 to 4; data packets)
Chapter 4 System Maintenance and Management
4.1 Simple and Flexible Maintenance System
4.1.1 System Configuration
The S5500-EI series can be configured through the command line interface (CLI), NMS,
or Web.
• In the CLI approach, you can configure the S5500-EI series locally through the
console port, or configure it remotely through modem dialup or Telnet. As for
Telnet, both Telnet server and Telnet client are supported.
• In the NMS approach, you can configure the S5500-EI series through an
SNMP-based NMS.
• In the Web approach, you can configure the models in the S5500-EI series that
support the Web-based network management.
4.1.2 System Maintenance
The S5500-EI series provide diverse management and maintenance functions:
• LEDs are available on the switches and optional modules, indicating the board
running status.
• Remote maintenance through Telnet
• Hierarchical management of user authorities and operation logs, as well as online
help function
• Hierarchical alarm management and alarm filtering
• System status query, version query, debugging and tracing functions, to monitor
system running status
4.1.3 System Test and Diagnosis
The S5500-EI series provide means for system software and hardware fault detection
and diagnosis. Tools such as ping and tracert are available for you to test network
connectivity and trace packet transmission paths online, and hence address faults.
4.1.4 Software Upgrade
The S5500-EI series provide multiple approaches to software upgrade, and support
remote upgrade and rollback to the previous version after upgrade.
The S5500-EI series support the following software upgrade methods:
• Software upgrade through a serial port by using the XModem protocol.
• Software upgrade through an Ethernet port through TFTP or FTP.
• Software upgrade through the Web-based NMS through HTTP.
4.2 Quidview NMS
The S5500-EI series support Quidview NMS for centralized management, which is
usually implemented in multilingual graphic interfaces. The NMS provides
management in topology, configuration, fault, security, and performance.
4.2.1 Topology Management
The Quidview NMS helps you learn your network in the most direct and convenient way
by providing a network-wide device topology view. The NMS delivers powerful topology
management. It provides physical topology view, logical topology view, and customized
views, offering a unified network-wide equipment view. It also provides user-friendly
interfaces for network/equipment operation and maintenance. The NMS supports
automatic topology discovery, reflecting the real-time changes in network topology and
equipment status.
4.2.2 Configuration Management
With the Quidview, you can configure and manage the S5500-EI series Ethernet
switches, such as querying/enabling/disabling ports, querying/resetting/loading boards,
and querying port parameters/VLAN configurations.
4.2.3 Fault Management
Fault management is the most important and common management approach during
the network operation and maintenance. In the graphic interfaces, you can implement
equipment running/fault status query, real-time monitoring, and fault
filtering/locating/check/analysis. The system provides audio prompt and graphical
displays on the alarm card. Additionally, it can be connected to the alarm box and
therefore facilitates routine maintenance.
4.2.4 Performance Management
The Quidview can collect and analyze performance data, monitor performance, and
provide graphical performance reports in different forms. You can thus learn the
information on equipment load and access traffic, track network service quality, and
allocate network resources based on your network evaluation.
4.2.5 Security Management
The Quidview provides many security measures to strictly authenticate the user’s
operations and ensure system security. It offers a detailed operation log for later
query and analysis.
4.3 Web-Based Network Management
Web-based network management allows you to manage and maintain a switch through
Web. In the implementation of Web-based network management, the switch provides a
built-in Web server and runs a Web-based network management program on the
homepage at the IP address of the management VLAN. The PC users connected to the
Ethernet ports on the switch can access and use, through a browser, the program on
the homepage to manage the switch. Figure 4-1 shows the Web-based network
operating environment:
Figure 4-1 Web-based network management operating environment
Chapter 5 Networking Applications
The S5500-EI series are designed as distribution layer switches or access layer
switches for enterprise networks and MANs. The S5500-EI series provide 24 or 48
autosensing Gigabit Ethernet ports and four SFP Combo Gigabit optical interfaces. In
addition, the S5500-EI series provide two extension slots. You can configure
XFP/CX4/SFP/SFP+ extension modules, and up to four 10-GE ports are supported.
Networking is very flexible. The S5500-EI series can be applied to Gigabit Ethernet to the
desktop (GTTD) access of enterprise networks, user access of campus networks, and
connection of data center server clusters. Several typical networking applications are
described as follows.
5.1 Distribution Layer Devices in Medium- and Large-Sized Enterprise or Campus Networks
In medium- and large-sized enterprises or campus networks, the S5500-EI series
Ethernet switches can serve as distribution layer switches that provide
high-performance and large-capacity switching service and support 10-GE uplink
interfaces, which provide larger bandwidth for the devices.
Figure 5-1 Application of the S5500-EI series at the distribution layer of enterprise networks/campus networks (diagram labels: Core, S9500/S7500E; Distribution, S5500-EI; Access, S3600 and S5100)
5.2 Access Switches
The S5500-EI series can serve as access switches to provide large access bandwidth
and high port density. The S5500-EI series also provide PoE. Through Ethernet cables,
the S5500-EI series can provide power to IP phones, WLAN APs, and other powered devices
(PDs) that support IEEE 802.3af to facilitate network maintenance and management.
Figure 5-2 Application of the S5500-EI series at the access layer (diagram labels: Core/Aggregation, S9500/S7500E; Access, S5500-EI and S5500PWR-EI)
5.3 Distribution Layer Devices in Large-Sized Enterprise Networks
The S5500-EI series can serve as distribution layer devices in
large-sized enterprise networks/campus networks.
You can uplink the S5500-EI series to H3C S7500 or S9500 series switches through
10-Gigabit interfaces and downlink them to the H3C S3600 series Layer 3 switches or
H3C S5100/3100 series Layer 2 switches.
To expand switching capacity at the distribution layer seamlessly, you can use multiple
S5500-EI series switches to build an IRF stack.
Figure 5-3 Application of the S5500-EI series in large-sized enterprise networks (diagram labels: Server Farm, iMC, IP network, Firewall; S5500 IRF stacks with GE and 10GE links; S3100 switches)
5.4 Core in Small- and Medium-Sized Enterprise Networks
The S5500-EI series can be used at the core of small- and medium-sized enterprise
networks and downlinked to the S3600 series switches.
To expand switching capacity at the core seamlessly, you can use multiple S5500-EI
series switches to build an IRF stack and expand the stack when necessary. Thus, both
expansion and initial investment control are achieved.
Figure 5-4 Deploy the S5500-EI series at the core of a small- and medium-sized enterprise network (diagram labels: Server Farm, iMC, IP network, Firewall; S5500 IRF stack; S3600 IRF stacks; S3100 switches; GE and FE links)
5.5 Interconnectivity Devices for an IP SAN
You can configure the S5500-EI series switches with 10-GE optical interface modules
to connect to storage devices at a data center for transferring storage data over an IP
SAN.
By building an IRF stack of S5500-EI series switches, you can achieve data-center-level
reliability.
Figure 5-5 Build an IP SAN with the S5500-EI series providing connectivity (diagram labels: Linux servers A to D; S5500 IRF stack; IX3000; IX3620)
Chapter 6 Guide to Purchase
To meet varied customer needs, the S5500-EI series can be delivered to your order.
You can purchase the S5500-EI series and optional interface modules as needed.
6.1 Purchasing the S5500-EI Series
When you order the S5500-EI series, take the following points into account.
I. Network requirements
• Location and function of the switch in your network
• Desired processing and access capabilities in both directions
• Desired scalability (in case of network capacity expansion)
• Transmission distance of the switch in the network
II. Power system
• DC power supply or AC power supply
• Whether to support PoE
Table 6-1 List of the S5500-EI series and corresponding power supply systems

| Switch model | Description |
| --- | --- |
| S5500-28C-EI, S5500-52C-EI | Use the AC power supply, the input voltage range is 90 V to 264 V; when RPS is used, the input voltage range is 10.8 V to 13.2 V. |
| S5500-28C-PWR-EI, S5500-52C-PWR-EI | Use AC power supply, support PoE power supply, and the input voltage range is 90 V to 264 V; when RPS is used, the input voltage range is -52 V to -55 V. |
| S5500-28F-EI (with one AC input) | Use AC power supply. The input voltage range is 90 V to 264 V. |
| S5500-28F-EI (with one DC input) | Use DC power supply. The input voltage range is -36 V to -72 V. |
| S5500-28C-EI-DC | Use DC power supply. The input voltage range is -36 V to -72 V; when RPS is used, the input voltage range is 10.8 V to 13.2 V. |
6.2 Supported Interface Modules
The device supports five types of interface modules:
• 1-port XFP 10-GE interface module: supports the XFP modules listed in Table 6-3,
supports IRF stack.
• 2-port XFP 10-GE interface module: supports the XFP modules listed in Table 6-3,
supports IRF stack.
• 2-port CX4 10-GE interface module: supports the CX4 modules listed in Table 6-5,
supports IRF stack.
• 2-port 1000Base-X SFP interface module: supports only the Gigabit SFP modules
listed in Table 6-2, does not support 100 Mbps SFP modules, does not support
IRF stack.
• 2-port SFP+ 10-GE interface module: supports only the SFP+ modules listed
in Table 6-4, does not support 1-Gbps and 100 Mbps SFP modules, supports IRF
stack.
6.3 Purchasing SFP Modules
Table 6-2 List of SFP modules

| Type | SFP module name | Central wavelength | User interface connector type | Fiber specifications | Max. transmission distance |
| --- | --- | --- | --- | --- | --- |
| Gigabit SFP modules | SFP-GE-SX-MM850-A | 850nm | LC | 50/125 µm multi-mode fiber | 550 m |
| | | | | 62.5/125 µm multi-mode fiber | 275 m |
| | SFP-GE-LX-SM1310-A | 1310nm | LC | 9/125 µm single-mode fiber | 10 km |
| | SFP-GE-LH40SM1310 | 1310nm | LC | 9/125 µm single-mode fiber | 40 km |
| | SFP-GE-LH40SM1550 | 1550nm | LC | 9/125 µm single-mode fiber | 40 km |
| | SFP-GE-LH70SM1550 | 1550nm | LC | 9/125 µm single-mode fiber | 70 km |
| | SFP-GE-LX-SM1310-BIDI | TX1310/RX1490 | LC | 9/125 µm single-mode fiber | 10 km |
| | SFP-GE-LX-SM1490-BIDI | TX1490/RX1310 | LC | 9/125 µm single-mode fiber | 10 km |
| | SFP-GE-T | None | RJ-45 | twisted-pair | 100 m |
| 100 Mbps SFP modules | SFP-FE-SX-MM1310-A | 1310nm | LC | 62.5/125 µm multi-mode fiber | 2 km |
| | SFP-FE-LX-SM1310-A | 1310nm | LC | 9/125 µm multi-mode fiber | 15 km |
| | SFP-FE-LH40-SM1310 | 1310nm | LC | 9/125 µm single-mode fiber | 40 km |
| | SFP-FE-LH80-SM1550 | 1550nm | LC | 9/125 µm single-mode fiber | 80 km |
| | SFP-FE-LX-SM1310-BIDI | TX1310/RX1550 | LC | 9/125 µm single-mode fiber | 15 km |
| | SFP-FE-LX-SM1550-BIDI | TX1550/RX1310 | LC | 9/125 µm single-mode fiber | 15 km |
6.4 Purchasing XFP Optical Modules
Table 6-3 List of XFP modules

| XFP module name | Central wavelength | User interface connector type | Optical fiber | Max. transmission distance |
| --- | --- | --- | --- | --- |
| XFP-SX-MM850 | 850 nm | LC | 50/125 µm multi-mode fiber | 300 m (984.3 ft) |
| | | | 62.5/125 µm multi-mode fiber | 33 m (108.3 ft) |
| XFP-LX-SM1310 | 1310 nm | LC | 9/125 µm single-mode fiber | 10 km (6.2 miles) |
| XFP-LH40-SM1550-F1 | 1550 nm | LC | 9/125 µm single-mode fiber | 40 km (24.9 miles) |
6.5 Purchasing SFP+ Optical Modules and SFP+ cables
Table 6-4 List of SFP+ optical modules and SFP+ cables

| Transceiver/Cable type | Transceiver/Cable | Central wavelength | Connector | Fiber | Max transmission distance |
| --- | --- | --- | --- | --- | --- |
| 10 GE SFP+ transceiver | SFP-XG-SXMM850-A | 850 nm | LC | 50/125 µm multimode optical fiber | 300 m (984.25 ft.) |
| | SFP-XG-LX220-MM1310 | 1310 nm | LC | 62.5/125 µm multimode optical fiber | 220 m (721.78 ft.) |
| | SFP-XG-LXSM1310 | 1310 nm | LC | 9/125 µm single mode optical fiber | 10 km (6.21 mi) |
| Short-haul 10 GE SFP+ cable | LSWM1STK | - | - | SFP+ cable | 0.65 m (2.13 ft.) |
| | LSWM2STK | - | - | SFP+ cable | 1.2 m (3.94 ft.) |
| | LSWM3STK | - | - | SFP+ cable | 3 m (9.84 ft.) |
| | LSTM1STK | - | - | SFP+ cable | 5 m (16.40 ft.) |
| | LSWM4STK | - | - | SFP+ cable | 10 m (32.81 ft.) |
6.6 Purchasing the Short-haul 2-port 10-GE CX4 Module
This module provides two 10-GE electrical interfaces. It supports CX4 electrical
standards and protocols. The maximum transmission distance is 3 meters (9.8 ft). CX4
cables are used to connect the devices.
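Table 6-5 List of CX4 modules

| CX4 module name | Central wavelength | User interface connector type | Optical fiber | Max. transmission distance |
| --- | --- | --- | --- | --- |
| LSPM2STKA | - | 4X Infiniband | CX4 cable | 0.5 m |
| LSPM2STKB | - | 4X Infiniband | CX4 cable | 1 m |
| LSPM2STKC | - | 4X Infiniband | CX4 cable | 3 m |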
Note:
Connect the ports on CX4 extension modules to other CX4 ports with CX4 cables. For
details about CX4 cables, see section 2.8 CX4 Cable.