Open Multi-Core Router - H3C SR66. Development Trends of High-end Routers H3C SR66 Open Multi-Core Router Technical Features of H3C SR66 Router (5S) Typical.


1 Open Multi-Core Router - H3C SR66

2
- Development Trends of High-end Routers
- H3C SR66 Open Multi-Core Router
- Technical Features of H3C SR66 Router (5S)
- Typical Cases of H3C SR66

3 Requirement Analysis of High-End Routers
Requirements on the communication data network:
- Foundation: information basic platform; all units covered; improve office efficiency; improve enterprise competitiveness
- Advancement: advancement of products and technologies; high expandability; satisfy the requirements of development in the coming few years
- Reliability: reliable network topology; reliable network equipment; reliable network link
- Service: localized services by original manufacturer; fast on-site support by original manufacturer
- Quality: quality network; delay-free voice transfer; smooth video images
- Security: isolation of different service logics; defense against a variety of attacks
www.h3c.com

4 Development Trends of High-End Routers
- Timeline (1990s, 2000, today): data sharing; the Internet and bandwidth; new applications and new services; integration of being open and multi-service
- Connection: High-density narrowband convergence => Broadband and narrowband integrated convergence => Large-capacity broadband and narrowband convergence with services
- Performance: Best effort => Carrier-class reliability of equipment => Carrier-class quality assurance of services
- Service: Data and Internet access => Integration of 3 networks in 1 => Unified communication
- Application: Standardization => customization => open


6 Product Positioning of H3C SR66 Router
[Diagram: product positioning by interface speed (100M, GE, 2.5G, 10G); products shown: AR18, AR28, AR46, MSR 20, MSR 30, MSR 50, SR6602, SR6608, SR88]
The first ever multi-core router in the industry!

7 Product Positioning
- Community network edge convergence router
- Campus network egress router
- Medium and small enterprise core routers
- Large enterprise convergence and access routers
- Finance and power industries
- Medium and small enterprises
- Government community / resident community
- Schools of higher education nationwide

8 Multi-Core Centralized Router SR6602
Multi-core compact design; high performance and strong services
- Multi-core multi-threaded processor
- Memory: 1GB; expansion to 2GB allowed
- High performance
  - Packet forwarding rate: 4.5Mpps
  - IPSec encryption: > 3Gbps
- Fixed interface: 4 GE interfaces (optical and electrical combined)
- Flexible configuration: intermix of HIM and MIM
- Built-in 1 CF card, and 1 CF card interface reserved
- The interface module supports hot swapping.

9 Multi-Core Distributed SR6608
Multi-core, distributed; strong service processing; high-speed and low-speed compatible
- High reliability
  - Distributed processing
  - Dual main control systems
  - Dual power supply design
  - All engines and modules support hot swapping.
- Configuration of multiple service engines
  - FIP-100 (high-performance CPU processor)
  - FIP-200 (multi-core multi-threaded processor)
- High performance
  - 100G backplane bandwidth
  - Forwarding performance: 18 Mpps
  - Support high-density cPOS linear convergence

10 Multi-Core Distributed Router SR6608
[Diagram: chassis components: power supply, fan, route engine (RPE-X1), service sub-card (CL2P), service engine (FIP-200)]

11 Route Engine RPE-X1 of SR6608
- High-performance CPU: 1GHz
- Memory: 1GB; expansion to 2GB allowed
- Console port
- Aux port
- GE management network port
- Built-in 1 CF card and 1 CF card interface reserved
- 1 Host USB interface and 1 Device USB interface

12 FIP Service Engine of SR6608
FIP-200
- Multi-core multi-threaded processor
- 1GB memory; expansion to 2GB allowed
- 2×GE (optical and electrical combined)
- 2×HIM/MIM compatible slot
- Forwarding performance: 4.5Mpps
- IPSec encryption performance: >3Gbps
FIP-100
- High-performance CPU processor
- 512MB memory; expansion to 2GB allowed
- 2×GE (optical and electrical combined)
- 4×MIM slot
- Forwarding performance: 800Kpps
- IPSec encryption performance: 500Mbps

13 High-Speed HIM Sub-Card of SR66
8GBE/4GBE
- 8/4 ports GE (electrical port)
- All 3-layer GE interfaces (routing interface)
CL2P/CL1P
- 2/1 port cPOS
- Each port supports 63 E1s or 84 T1s.
- Support channelization to DS0 (each port with 512 DS0s maximally)

14 Compatible MIM Sub-Card of SR66
[Figure labels: 2/4/8 SAE, 8 E1, 1 POS, 2 GBE]

15
- Development Trends of High-End Routers
- H3C SR66 Open Multi-Core Router
- Technical Features of H3C SR66 Router (5S)
  - Speed your Network
  - Stable
  - Security
  - Service
  - Save
- Typical Cases of H3C SR66

16 First Application of Multi-Core CPU on Router
[Chart: service capability (L3, L4, L7) against forwarding performance, with an "ideal processor" region]
- Universal CPU: the flexible programming platform can adapt to different types of service processing, but it lacks hardware acceleration capability.
- ASIC: interface integration; basic packet processing and hardware encryption capability.
- Network processor: a dedicated hardware forwarding engine provides extremely high forwarding performance, but programming is microcode based with limited instruction space, so service processing capability at layers 4 to 7 is weak.
- Embedded CPU: interface integration; limited packet processing and encryption capability.
- Multi-core CPU:
  - Standard C programming to adapt to different types of service processing
  - The parallel hardware system with built-in hardware acceleration and encryption engine provides powerful service processing and security capability.

17 Sharp Improvement of Service Processing Capability of SR66
[Diagram: SR66 multi-core CPU; labels: "Route calculation, configuration management and table item delivery", and "Firewall, IPSEC, NetStream, QoS" repeated for the service cores]
8 cores to process services in parallel

18 Description of Competitive Edge of CPU Multi-Thread
[Diagram: timelines comparing a single-thread CPU with a 4-thread CPU (hardware threads 1 to 4); legend: memory access delay, CPU processing; time axis marks t1, t2]
Save time!

19 Sharp Improvement of Service Processing Capability of SR66 Multi-Thread
- Multiple hardware CPU threads
  - 32 hardware threads
  - Each CPU core with 4 hardware threads
- Flexible scheduling mechanism, which satisfies different applications
  - Rotation
  - Priority
  - Timeslot
[Diagram: SR66 multi-core CPU; threads running Firewall, IPSEC, NetStream, QoS]
32 threads process services in parallel!
The multi-core hardware structure and the software parallel processing provide all-round improvement of service performance.

20 Load Balancing of SR66 Multi-Core Hardware Packet Distribution Engine
[Diagram: SR66 multi-core hardware packet distribution engine; GE and CPOS interfaces (Rx) feed parser and distributor stages, which connect through the fast messaging network to CPU threads 1 to 32; label: thread hardware load balancing]
- The parser rules are flexible and diverse. They can be adjusted dynamically to achieve load balancing.
- TCAM is used to perform fast parallel matching of the table item features.
- The distributor is attached to the fast messaging network. It notifies the CPU core that a packet is ready for processing, which is highly efficient and occupies no CPU resources.

21 Efficient and Fast Hardware Collaboration Mechanism
[Diagram: multi-core CPU with CPU-1 to CPU-8, 10G encryption engine, Slot 1, Slot 2 and fixed port attached to the Fast Messaging Network (FMN); legend: FMN, multi-core CPU, CPU core, site of messaging network, CPU hardware thread]
The FMN completes the fast communication between the cores of the multi-core CPU.
- The FMN runs at the same frequency as the CPU and uses no CPU resources.
- The main components are attached to the FMN sites. Communication is addressed down to individual CPU hardware threads.
- Unique Credit mechanism to ensure unblocked communication

22 Powerful Hardware MP Capability
- MP fragmentation processing of the traditional link layer: link layer fragmentation and reassembly rely fully on the CPU. The weaknesses are low efficiency, no way of improving the relevant performance, serious consumption of system resources, and an impact on overall system performance.
[Diagram: CPOS fragmentation processing engine splitting and reassembling numbered fragments]
Multi-core CPOS of SR66 supports hardware MP, greatly easing the pressure on the CPU and improving the MP performance.
- Each bundle supports 12 E1s/T1s.
- Support three sizes of MP packet fragmentation (128/256/512) and multiple sizes of reassembly.
- The whole system can implement the linear MP binding of up to 60 12E1s or 84 12T1s.

23 Powerful Convergent Capability
[Network diagram labels: China Netcom, China Telecom, Internet, Internet café, MSTP, SR6608, AR46, AR28, S3526, GE, FE]
Broadband convergence key indexes
- Convergent broadband user type
  - Direct access of Ethernet optical fiber
  - PPPoE
  - With the help of the AAA server, complete the authentication (PAP/CHAP), accounting and authorization
- Access capability of broadband user
  - The throughput of the whole system reaches 18Mpps.
  - 32,000 concurrent PPP connections
  - Provide 72 GEs
- The HIM GE card uses 10G bus exclusively. The fixed GE uses the GE bus exclusively, without bandwidth bottleneck.
- The hardware packet distribution engine automatically identifies different Ethernet packet types. It distributes the packets of different flow features evenly to different CPU threads. The packets are processed concurrently. The throughput is greatly improved.
Narrowband convergence key indexes
- Narrowband interface types of cPOS convergence
  - DS0
  - E1/T1
- Narrowband interface density of cPOS convergence
  - DS0: 4096
  - E1: 756 (linear)
  - T1: 800 (linear)
- The HIM CPOS card uses the 10G bus exclusively, without bandwidth bottleneck.
- The hardware packet distribution engine automatically identifies different Ethernet packet types. It distributes the packets of different flow features evenly to different CPU threads. The packets are processed concurrently. The throughput is greatly improved.

24 Summary of Hardware Speed Escalation
- Full scale upgrade of the hardware architecture
- First application of the multi-core multi-threaded CPU on router
- The FMN completes the fast communication between the cores of the multi-core CPU
- Packet distribution engine
- Strong convergence capability: each card uses 10G bus exclusively.
The multi-core hardware structure and the software parallel processing provide all-round improvement of service performance.
Speed your network!


26 All-Round Product Reliability
- Equipment reliability
  - Physical reliability: dual main control systems, dual power supplies; forwarding engine/sub-card/main control system/power supply/fan support hot swapping.
  - Software reliability: hot patching, host defense against attack, control plane speed limit, and management security
- Link reliability: multi-link binding and IP Trunk
- Network reliability: non-stop forwarding, redundant gateway technology (VRRP), ECMP, dynamic route fast convergence, and BFD
- Service reliability: separation of control and service, service processing isolation, and TE FRR

27 Highly Reliable Hardware Design
- The fan frame supports hot swapping.
- All high- and low-speed daughter-cards support hot swapping.
- Dual power supplies that support AC and DC as well as hot swapping
- FIP-100/200, two service engines, support hot swapping.
- Dual main control systems that support hot swapping

28 Highly Reliable Multi-Core Software Architecture
- Separation of control and service
- Separation of routing and service engines
- Different cores of the multi-core CPU work on different tasks, which suppresses service interference naturally.
[Diagram: SR6602 software architecture and SR6608 software architecture. In the multi-core CPU, CPU1 (control plane) handles system configuration management, route calculation, protocol state machine and delivery of service table items; CPU2-8 (service plane) handle packet forwarding, packet filtering, encryption and decryption, NAT, QoS and GRE. On the SR6608, the main control system (route engine) handles system configuration management, route calculation and FIB delivery, and each IO (service engine) carries the CPU1 / CPU2-8 split.]

29 Online Software Hot Patching Technology Supported
[Diagram: online loading; the original code segment in the original program is replaced with the enhanced (optimized) patch code segment from the patch code zone]
- SR66 supports the software hot patching technology of the single-core CPU and the multi-core CPU.
- Without resetting the equipment, software bugs are fixed in the in-service state, or small-scale new features are added.
- A user command for switching the state of a patch unit is provided. It lets the user conveniently load/deactivate/operate/delete the patch unit.
The online patch technology provides flexible defect modification means to guarantee the reliable and continuous provisioning of network services.

30 IGP Route Fast Convergence Supported
Test result display: the fastest convergence time of IS-IS route is less than 50ms. The convergence time of 10,000 IS-IS routes is 300ms.
- Real-time flooding and fast notification of the link state information: detect the link faults, flood them instantly, and then perform the calculation.
- Incremental SPF calculation (i-SPF): when a trunk of the SPF tree changes (down/up), SPF only needs to calculate the part of the tree affected by the changed trunk. It is not necessary to re-calculate the routes.
- Partial Route Calculation (PRC): if only the leaves of the SPF tree change, only those leaves need to be calculated. It is not necessary to re-calculate the routes.
- Intelligent timer: according to the preset parameters, the time interval is changed dynamically using an exponential backoff algorithm, which resolves the conflict between frequent generation and a long time interval.

31 Uninterrupted Services During Working/Protection Switching
- During working/protection switching, the data forwarding and services between the two boards are uninterrupted.
[Diagram: SR66 main control switching detection mechanism; main control board, backup control board and interface boards (FIB) connected over the high-speed backplane with control IPC; universal fast handshake (10ms); normal Hello (1s); fault alarm; the original protocol session is switched and the protocol session is maintained]

32 All-Round Support of GR Features
[Diagram: main control system, backup main control system and FIB on the high-speed backplane, with neighbor routers; the neighbor router is notified to activate the GR feature; the session continues after switching, implementing stable restart]
- SR66 supports the GR features in a full scale, including GR for OSPF/IS-IS/BGP/LDP/RSVP.
- The network stays stable during the working/protection switching. After the switching, the equipment quickly learns the network routes with the help of the neighbor router. A short interruption does not require deletion of the routes.

33 Fast Detection of Link Failure Supported: BFD
[Diagram: bidirectional forwarding detection between main control board, backup control board and interface boards; universal fast handshake (10ms); fault alarm]
- BFD: Bidirectional Forwarding Detection (IETF standard) is a technology for fast detection of node and link faults. The handshake time is 10ms by default and can be configured.
- BFD provides light-load, short-time detection. It can be used for real-time detection on any media and at any protocol layer. The detection time and the overhead scope are wide.
- With BFD, fault detection can be performed on any type of channel between two systems, including direct physical links, virtual circuits, tunnels, MPLS LSPs, multi-hop routing channels and indirect channels.
- The BFD detection result can be applied to IGP fast convergence and FRR.
- The BFD protocol has been extensively accepted and recognized in the industry. It has been deployed substantively in real applications.

34 Perfect Support of BFD by CPU
[Diagram: main control board 0 and main control board 1 on the system backplane; each service board has a BFD processing core, a packet processing core and a control processing core]
- When BFD is applied, the multi-core CPU is put to use: part of the processing capability of one of the cores (for example, one thread) is used for BFD processing, which reduces the load on the management control CPU core and ensures the security of the management CPU core. This also greatly improves the processing performance of BFD and other OAM services.
- SR66 supports BFD for BGP/IS-IS/OSPF/RSVP/VPLS PW/VRRP to implement the fast fault detection mechanism of the protocols. The fault detection time is less than 20ms.
- On the basis of BFD, SR66 supports IP FRR, TE FRR, LDP FRR and VPN FRR. The service switching time is less than 50ms.

35 All-Round Security Features to Ensure Equipment Reliability and Security
Security areas: route security, service access security, management security, forwarding security
Features shown:
- SSH, RADIUS, TACACS+, SYSLOG
- Firewall, ASPF, URPF, IPSec, IPS
- Routing protocol MD5 authentication
- Strict isolation of management and service planes
- Secure Comware route software system
- ARP speed limit, address binding
- Filtering and speed limit of control information
- NQA
- Port speed limit
- Broadcasting/abnormal traffic suppression
Diverse security protocols and strict service access control greatly improve the reliability of the operation of the SR66 router.

36 Summary of High Stability
SR66 is designed with full orientation to carrier-class application. By taking advantage of the strong multi-core CPU service processing capabilities, SR66 provides all-round software and hardware reliability at the layers of equipment, link, network and service.
- Hardware supports the hot swapping of key components.
- The software architecture supports the separation of control and service.
- Hot patching
- ECMP
- VRRP
- BFD
- Support GR in a full scale
- Support FRR
- Control plane protection
Make your network Stable!


38 URPF Secure Forwarding Supported
Routing table shown on the slide:
Destination address | Next hop | Egress
202.98.3.0 | 202.93.3.1 | POS3/0/1
10.10.87.0 | …… |
[Diagram: interfaces GE2/0/1, GE2/0/2, POS3/0/1, POS3/1/0; main control system and CPU core 1 / CPU core 2; a normal data packet (202.98.3.5, 10.10.87.3, Data) and an attack data packet (202.98.3.5, 10.10.87.3, virus)]
- Attack packets use the same destination and source addresses as the normal packets, or use randomly generated source addresses, and are delivered to different CPU cores through the hardware distribution engine.
- Normal packets are forwarded according to the destination address. At the same time, the route to the source address is looked up in the reverse direction. If the ingress is consistent with that route, the packet is forwarded normally.
- If the source address of an attack packet has no route, or the ingress is incorrect, the packet is discarded.
- Defense against the source spoofing and distributed types of attacks.
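
The reverse-path check described on slide 38, as an added Python example; it is not part of the original presentation and is not H3C's implementation. The /24 prefix lengths, the egress of the 10.10.87.0 route, the ingress of each sample packet, and the loose mode and default-route handling (standard uRPF variants that the slide does not mention) are assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface for this prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # interface the packet arrived on


class Fib:
    """Minimal forwarding table with longest-prefix match."""

    def __init__(self, routes):
        # Longest prefixes first, so the first hit is the most specific route.
        self._routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        for route in self._routes:
            if ip in route.prefix:
                return route
        return None


def urpf_check(fib, pkt, mode="strict", allow_default=False):
    """Reverse lookup on the source address, as the slide describes.

    strict: the route back to the source must point out of the ingress interface.
    loose:  any non-default route to the source is enough (tolerates asymmetric
            routing, but accepts spoofed sources that are routable elsewhere).
    """
    route = fib.lookup(pkt.src)
    if route is None:
        return False, "no-route-to-source"
    if route.prefix.prefixlen == 0 and not allow_default:
        # A default route matches every address, so it proves nothing.
        return False, "source-matches-default-route-only"
    if mode == "strict" and route.interface != pkt.ingress:
        return False, "ingress-mismatch"
    return True, "ok"


def forward(fib, pkt, mode="strict"):
    """uRPF check first, then ordinary destination-based forwarding."""
    ok, reason = urpf_check(fib, pkt, mode)
    if not ok:
        return "drop", reason
    route = fib.lookup(pkt.dst)
    if route is None:
        return "drop", "no-route-to-destination"
    return "forward", route.interface


def drop_summary(fib, packets, mode="strict"):
    """Count drops per (ingress, reason): the counters an operator would alert on."""
    drops = Counter()
    for pkt in packets:
        verdict, detail = forward(fib, pkt, mode)
        if verdict == "drop":
            drops[(pkt.ingress, detail)] += 1
    return drops


# Routes from the slide; prefix lengths and the GE2/0/1 egress are assumed.
ROUTES = [
    Route(ipaddress.ip_network("202.98.3.0/24"), "POS3/0/1"),
    Route(ipaddress.ip_network("10.10.87.0/24"), "GE2/0/1"),
]
FIB = Fib(ROUTES)
# Same table plus a default route, to show why a default-only match is rejected.
FIB_WITH_DEFAULT = Fib(ROUTES + [Route(ipaddress.ip_network("0.0.0.0/0"), "POS3/0/1")])

# Constructed sample packets; addresses are from the slide, ingress ports are assumed.
NORMAL = Packet(src="10.10.87.3", dst="202.98.3.5", ingress="GE2/0/1")
SPOOFED = Packet(src="10.10.87.3", dst="202.98.3.5", ingress="GE2/0/2")
RANDOM_SRC = Packet(src="198.51.100.77", dst="202.98.3.5", ingress="GE2/0/2")

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL), ("spoofed", SPOOFED), ("random", RANDOM_SRC)]:
        print(name, forward(FIB, pkt), forward(FIB, pkt, mode="loose"))
    print(dict(drop_summary(FIB, [NORMAL, SPOOFED, RANDOM_SRC])))
```

Strict mode drops the spoofed packet that loose mode lets through, which is the trade-off to weigh on multi-homed or asymmetrically routed links.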

39 VPN Service Isolation
[Diagram: PE and CE routers carrying VPN1 to VPN4 for data service, voice, video and other services]
- Different services are identified on the PE equipment: real-time voice/video services are differentiated from data services and each is encapsulated into its own VPN. In that way, the secure isolation of different services is implemented.
- The MPLS VPN is applied to carry multiple services to ensure security of the services on the network. MPLS VPN can provide security protection equivalent to the level of dedicated line.
- The SR66 hardware distribution engine automatically identifies the MPLS packets, and distributes the traffic evenly to different hardware CPU threads.
- The CPU threads operate in parallel and perform priority mapping.
- During packet transfer, multiple CPU threads perform QoS guarantee.
Fully support the L2/L3 VPN services

40 Built-in 10G Hardware Encryption Engine of SR66
Security feature hardware architecture of the traditional router
[Diagram: main CPU system, PCI bridge, IPSec engine]
- Pure CPU calculation and poor performance
- An IPSec acceleration card on the PCI interface offers low performance.
Hardware encryption engine of SR66 security features
[Diagram: SR66 hardware encryption engine; load balancing engine, encryption cores, RSA core]
- 10G encryption engine embedded in the multi-core CPU
- 4 encryption cores + 1 RSA core
- The load balancing engine ensures the parallel operation of the cores.
- Support DES/3DES/AES and other mainstream algorithms.
- Support SHA/MD5 authentication.
- Support CRC check and RSA key hardware acceleration.

41 Conventional Upgrade of IP VPN
[Network diagram labels: enterprise headquarters, SR66, LNS, LAC + NAT, PSTN/ISDN, PPPoE, SOHO, mobile user, branch, AR46; tunnels: L2TP+IPSec+NAT, GRE+IPSec+NAT]
- Hardware encryption does not affect forwarding.
- With multi-core encryption and parallel operation of the internal cores, the encryption throughput of the service engine is sharply increased.
- Encryption and decryption adopt a distributed mode. The encryption capability of the whole system is sharply increased.
- The traditional VPNs can be stacked flexibly. GRE/L2TP/IPSec can be stacked to satisfy different networking requirements.

42 Perfect Fusion of IP VPN and MPLS VPN - VPE
[Network diagram labels: VPN1, MPLS, PE, PSTN, BAS (LAC), NAS (LAC), DSLAM, DSL; tunnels: L2TP+IPSec, GRE+IPSec; sites: headquarters, headquarters server, branch, SOHO ADSL access, mobile user access via modem]
SR66 supports IPSec and L2TP multiple instances to fuse IP VPN and MPLS VPN perfectly.
- The fast decryption of the encrypted IP VPN is performed through multi-core encryption and parallel processing of the internal cores.
- The hardware distribution engine distributes the traffic evenly to the CPUs and transfers the traffic in parallel to the MPLS VPN.

43 Multi-Core Packet Filtering Firewall
Definition of packet filtering firewall
- Some packets are allowed to pass according to a set of rules, while other packets are blocked. The rules can be formulated according to the address information of the network layer protocol (for example, IP) or the transport layer information (for example, TCP header or UDP header).
Problems of single-core CPU packet filtering
- Packet filtering affects the operation of other services.
- Low filtering performance due to the constraints of the CPU capability
SR66 multi-core packet filtering
- Multi-core parallel processing of packet filtering improves the performance sharply.
- The control plane does not process and filter data, which leads to stable management functions.
- Distributed packet filtering sharply improves the processing capability of the whole system.
[Diagram: SR66 multi-core parallel packet filtering; hardware packet distribution engine, packet filtering cores, encryption core, control plane]

44 Multi-Core ASPF Application State Firewall
SR66 ASPF state firewall
- The patented ASPF state machine technology guarantees the support of diverse network applications and the improvement of security.
- Support the state detection of multiple application protocols, including H323/MGCP/SIP/H248/RTSP/HWCC/ICMP/FTP/DNS/PPTP/NBT/ILS.
- Support the state detection of SMTP/HTTP/Java/ActiveX/SQL injection attacks
[Diagram: user, SR66 and server. The user initiates a session to the server. The follow-up data packets of the user session are allowed. A session initiated from outside by a non-user is rejected. Communication is monitored, and the packets dynamically establish and delete the access rules.]
SR66 multiple cores and parallel ASPF
- Multi-core parallel processing of ASPF offers a sharp increase of performance.
- The control plane does not process and filter data, which leads to stable management functions.
- Distributed ASPFs sharply improve the processing capability of the whole system.
[Diagram: hardware packet distribution engine, ASPF cores, encryption core, control plane]

45 Virtual Fragmentation and Reassembly Attack
Fragmentation attacks can easily break the firewall. Some attacks fragment the packets and reassemble them at the destination to launch the attack. In that way, the firewall is broken.

46 Virtual Fragmentation and Reassembly Supported
Fragmentation reassembly against attack! SR66 supports virtual fragmentation reassembly.
- Fast reassembly of the fragmented packets to guard against the attack on the firewall.
- Fast reassembly of the fragmented packets for the ALG conversion of part of the applications.

47 Summary of Diverse Security Features
SR66 uses the multi-core CPU to process services in parallel, and the embedded 10G hardware encryption engine to provide diverse and powerful security features.
- Powerful VPN isolation
- High-speed IPSec VPN
- Encrypted IP VPN
- The access of IP VPN to MPLS VPN
- Packet filtering and state firewall
- Anti-attack virtual fragmentation reassembly
Make your network Secure!


49 Multi-Core Distributed NAT
[Network diagram labels: private network IP addresses 10.1.1.3 and 10.1.1.20; public network address 202.10.88.2; SR66 performing NAT towards the Internet; web server 10.1.1.3; mail server 10.1.1.4]
The session-based mode, parallel processing of NAT service by multi-core and multi-thread CPU, and distributed processing sharply improve the NAT processing capability of the whole system.
Key indexes of NAT gateway features
- Adopt the port cyclical multiplexing mode and automatically detect 5-tuple conflicts, so that NAPT supports unlimited connections.
- Support NAT/NAPT/internal server and blacklist
- Support limit of connection number
- Support session log
- Support multiple instances
NAT service capability
- 2M concurrent sessions
- Throughput of up to 4Gbps
NAT ALG capability
- MSN, QQ, FTP, DNS, PPTP, SIP, NetBios, H323, ……

50 Multi-Core Distributed NetStream
[Diagram: NetStream V5/V8 export; DoS attack, Flood attack, …]
The 1:1 sampling causes 10% or less impact on the forwarding performance.
- When a traditional single CPU processes NetStream, the CPU performance is the bottleneck. The larger the traffic is, the larger the impact on the performance.
- During the forwarding, the traffic is evenly distributed on the threads of the multi-core CPU. The system performs parallel NetStream statistics. Load balancing leads to basically no impact on the forwarding performance. The parallel processing of NetStream is greatly improved.
- With the fully distributed NetStream processing, the NetStream processing capability of the whole system is greatly improved.

51 OAP of SR66 Open Architecture
SR66 can provide customized service modules on the Open Application Platform (OAP) based on the Open Application Architecture (OAA). The service capability can be expanded unlimitedly.
[Diagram: OAP motherboard carrying service modules: WAN optimization module, network traffic analysis module, … service module]
- Network traffic analysis
- SSL VPN
- L4-L7 load balancing
- WAN optimization
- WLAN controller
- More…

52 Summary of Service Aggregation
SR66 utilizes the multi-core CPU to process services in parallel. It also provides the open OAP architecture to offer more diverse services.
- Multi-core distributed NAT
- Multi-core distributed NetStream
- OAP platform
Service aggregation!


54 AR/MSR Compatible MIM Plug-in Card
[Diagram: SR6602 router, SR6608 router, MSR router, AR28 router]
What to do with the MIM card?
According to the design, the boards and cards of the SR66 series routers and those of the H3C AR28 and the MSR series routers are compatible. To perform an upgrade to the SR66 series routers, the original boards and cards can still be used. The combinations of the boards and cards are flexible. The user investment is effectively saved.

55 Implementation of High-Speed Services Without Adding Boards
Traditional high-end router
- Requirement 1: GRE. Independent GRE board should be added.
- Requirement 2: High-performance L2TP. Independent L2TP board should be added.
- Requirement 3: High-performance NAT. Independent NAT board should be added.
- Requirement 4: High-performance IPsec encryption. Independent encryption board should be added.
To implement the high-performance GRE tunnel, L2TP tunnel, NAT conversion and IPsec encryption, the traditional high-end router needs to add independent hardware boards. In that way, the user investment is increased.
Multi-core distributed SR66
- Requirement 1: High-performance GRE
- Requirement 2: High-performance L2TP
- Requirement 3: High-performance NAT
- Requirement 4: High-performance IPsec encryption
Supported without adding boards and cards!
SR66 series routers adopt the parallel processing by the multi-core CPU and the encryption engine embedded in the boards. Without adding any boards, the SR66 routers can implement high-performance GRE tunnel, L2TP tunnel, NAT conversion and IPsec encryption. User investment is reduced sharply.

56 POS 155M interface board; POS 622M interface board. Command line switching: 155M, 622M? The interface speed of the POS interface board of the SR66 series routers can be configured through the command line and switched between 155M and 622M. This effectively reduces the user's investment and satisfies the requirement for a wide range of access speed options with limited investment. Command Line Switching POS 155M/622M Rate

57 IPv4 network; IPv6 backbone network; IPv4/IPv6 dual stack network; IPv6 network; NAT-PT conversion; IPv4 access; IPv6 access; tunnel access; IPv4 network; SR6608; SR6602; network management center. IPv6 feature key indexes: Forwarding performance • Linear forwarding • Throughput of the whole system: 6Gbps. Route table capacity • Larger than 100,000. Number of IPv6 over IPv4 tunnels • 10000. Number of NAT-PT sessions • 100,000 concurrent sessions. The multi-core distributed system fully supports IPv6 features. The user can smoothly upgrade the network from IPv4 to IPv6 without additional investment. • IPv6 protocol stack: ICMPv6, Path MTU, ND, automatic configuration and DNS Client • IPv6 transitional technologies: dual stacks, NAT-PT, automatic tunneling, configuration tunnel, and 6to4 tunnel • IPv6 routing protocols: BGP4+, IS-ISv6, OSPFv6 and RIPng. Implementation of IPv6 Smooth Upgrade Without Additional Investment

58 With full consideration of user requirements, SR66 provides a compatible architecture design and future-oriented software features to substantially save user investment. AR/MSR compatible MIM card; command line switching of POS 155M/622M rate; no additional investment to implement IPv6 smooth upgrade; no need to add boards to implement high-speed services. Save your money! Summary of Investment Saving

59 Development Trends of High-End Routers H3C SR66 Open Multi-Core Router Technical Features of H3C SR66 Router (5S) Typical Cases of H3C SR66

60 ASON Network of China Netcom (Beijing) NE40-4 (Legacy) SR8805 Branch procuratorate WAN router SR6602 Load balancing S7506R Firewall 100M firewall Intrusion detection system Network isolator Municipal politics and law network Internet Firewall of extranet S8512 SR8805 Redundant disaster recovery center (placed in a branch procuratorate) Municipal procuratorate LAN S7506R Existing firewall SR6602 Beijing Municipal Procuratorate

61 e-Administration Intranet of Jiaxing City S7506E SR6608 Shitai Sanshuiwan Daoqian Street Hexi Ziyang Street Internal access units in administration center building External access units of administration center Server zone Zhejiang e-administration intranet iMC intelligent management platform Xlog log audit IPS Secpath F1000-S HA heartbeat cable District and county e-administration intranet Zapu Economic Development Zone S5600-50C

62 Heilongjiang Local Taxation Bureau 12 prefectural centers Provincial core router SR8812 Videoconference controller 124 district and county centers Videoconference terminal Transmission platform Videoconference terminal S3100-26C Core switch S7506 Provincial center Transmission platform Core switch S7506 8M 12*8M 4M Access by provincial departments Provincial central LAN GE FE Core switch Provincial and prefectural core router SR6608 Provincial and prefectural core router MSR30-16 S3100-26C SR6608 MSR30-16 GE

63 Five-Section Social Security System of Changzhou Server farm SR6608 (working) S7510E SR6608 (protection) SDH Business-related units VPN access Hospitals, pharmacies, street social security sites, 97 medical units, 103 pharmacies and 1000 townships E1 GE FE Secpath F1800 Secpath F1000 SDH District and County Labor Security Information Center ….. Business Handling Sites SR6608 N*2M SDH/VPN SDH MSTP Social Security Building Access in the building S3600-28TP 100M AR4640 SR6608 AR4640 SR6608 AR4640 SR6608 AR4640

64 No. 1 Middle School of Mudanjiang E352 E328 E126 SR6608 Firewall S7500E

65 Hangzhou H3C Technologies Co., Ltd. www.h3c.com.cn

