PLNOG15 Paweł Wachelka - Network and Security in the Cloud

Post on 22-Jan-2018


Transcript of PLNOG15 Paweł Wachelka - Network and Security in the Cloud

0

Paweł Wachelka

Product Manager – Huawei Polska Sp. z o.o.

Network and Security in the Cloud

1

Content

1. SVF

2. CSS

3. Service Chain Orchestration

2

Introduction

• A cluster switch system (CSS) is a logical switch consisting of two clustering-capable switches.

• Cluster Switch System 2 (CSS2) Architecture

• High Performance

• High Availability

3

Clustering through CSS cards on the MPUs

4

Service port connection mode

5

Clustering through CSS cards on the SFUs

6

CSS2 forwarding model

[Figure: two diagrams, each showing Chassis 1 and Chassis 2 with their service cards and SFUs, the data packets, and the cluster cable between the chassis: one is the service port cluster forwarding model, the other the CSS2 forwarding model.]

• Twice switching with service port cluster vs. once with CSS2

• 4 μs inter-chassis delay in CSS2

CSS2: Lowest Inter-Chassis Delay

7


8

Super Virtual Fabric (SVF) - Concept

• Parent: A parent is an aggregation device that manages and configures an SVF system.

• Client: Client refers to all access devices, including wired access devices (ASs) and wireless access devices (APs).

• Level-1 AS: Directly connected to the parent, or connected to the parent across a Layer 2 network.

• Level-2 AS: Directly connected to a level-1 AS.

• Access point (AP): When APs access an SVF system, the parent functions as an AC to control and manage all the APs in the SVF system.

10

12

Profile-based Configuration

Network Basics (Mandatory)

• VLAN assignment

• LAN configuration

• Specifying ports

Partition a logical network.

Network Security (Optional)

• Edge security configuration such as IPSG, ARP rate limiting, storm control, and so on

• QoS

• Port isolation

The logical network is secure and reliable.

User Access (Optional)

• AAA configuration including the authentication template, RADIUS server, and Portal server

• Authentication mode: 802.1x, MAC, and Portal authentication

Terminal users can connect to the network and obtain network rights.

Service Profiles

• Network basic profile (mandatory)

• Network security profile (optional)

• User access profile (optional)

1. Configure service profiles on the parent.

2. Specify the AS port group on the parent.

3. Bind service profiles to the port group. Then services in the service profiles are delivered to all the members in the group.
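To make the profile-based procedure above concrete, here is a small model of it (an added example, not Huawei's configuration syntax or code): service profiles of the three kinds are bound to an AS port group and delivered to every member port, the network basic profile is enforced as mandatory, and an audit lists port groups whose members receive no network security profile. Port names such as "AS1/0/1" and the setting keys are constructed placeholders.

```python
from dataclasses import dataclass, field

# Profile kinds from the slide: network basic is mandatory, the other two are optional.
MANDATORY = "network_basic"
OPTIONAL = ("network_security", "user_access")


@dataclass
class ServiceProfile:
    kind: str        # MANDATORY or one of OPTIONAL
    settings: dict   # constructed keys, e.g. {"vlan": 100, "ipsg": True}


@dataclass
class PortGroup:
    name: str
    members: list                                 # AS port names (constructed placeholders)
    profiles: dict = field(default_factory=dict)  # kind -> ServiceProfile


def bind_profile(group: PortGroup, profile: ServiceProfile) -> None:
    """Bind a profile to the port group; at most one profile per kind."""
    if profile.kind != MANDATORY and profile.kind not in OPTIONAL:
        raise ValueError(f"unknown profile kind: {profile.kind}")
    group.profiles[profile.kind] = profile


def deliver(group: PortGroup) -> dict:
    """Deliver the bound profiles to every member port.

    Returns {port: effective settings}. Refuses a group that has no network
    basic profile, because that profile is mandatory.
    """
    if MANDATORY not in group.profiles:
        raise ValueError(f"port group {group.name}: network basic profile is mandatory")
    merged = {}
    for kind in (MANDATORY,) + OPTIONAL:  # basic first, optional profiles layered on top
        if kind in group.profiles:
            merged.update(group.profiles[kind].settings)
    return {port: dict(merged) for port in group.members}


def groups_without_security(groups) -> list:
    """Audit: names of port groups whose members get no network security profile."""
    return [g.name for g in groups if "network_security" not in g.profiles]
```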

13

Policy Association

Policy Association: The SVF-Parent authenticates all users and delivers policies for dynamic authorization after users are successfully authenticated. User policies can be enforced on the SVF-Parent or delivered to access devices from the SVF-Parent and enforced on access devices.

Advantages: Simplifies management to the maximum degree, allows flexible deployment of local and remote authentication, and rejects unauthenticated users to ensure security. The SVF-Parent provides fine-granular access control.

[Figure: an agile campus network with a core agile switch and access switches joined by CAPWAP tunnels, a controller (eSight) and an accounting server. Labels: authentication point, management point, enforcement points, SVF, user policies (UCL/ACL, VLAN, QoS, and so on), policy association delivery.]

14

Packet Forwarding Rules in the SVF

Distributed (Local) Forwarding

• Each device looks up outbound interfaces of packets in its local forwarding table and forwards packets from the outbound interfaces directly.

• This mode makes full use of each device's bandwidth.

Centralized Forwarding

• Packets are sent to the SVF-Parent.

• All user ports and AS downlink ports are isolated.

Distributed and centralized forwarding can be configured using the CLI.

The CAPWAP tunnel between the AS and SVF-Parent transmits only control information, not wired data flows. An AP and the SVF-Parent providing native AC establish a CAPWAP tunnel to transmit wireless data flows in a centralized manner.

[Figure: two diagrams, each showing a CSS acting as SVF-Parent with SVF-Clients below it and L3 routing / L2 switching labels; one for distributed forwarding, the other for centralized forwarding.]

15

Supported Features on SVF

SVF networking: important features support

Feature                        S-Series (Campus)   CloudEngine Series
TRILL                          No                  Yes
FCoE                           No                  Yes
DCB (Data Center Bridging)     No                  Yes
Virtualization awareness       No                  Yes
Template Based Configuration   Yes                 No

16


17

Service Chain Orchestration

[Figure: a parent switch with AS layer 1 and AS layer 2 below it, an orchestration device and a service device.]

1. Authentication (802.1x)

2. Communication between orchestration device and service device (GRE tunnel)

3. Service chain resource

4. Service flow

5. Service chain

6. Policy on service device

Copyright © 2012 Huawei Technologies Co., Ltd. All Rights Reserved.
