Обзор новинок сетевых продуктов Huaweiebgevents.huawei.ru/ip_club_2019_kazan/clients/m/2.pdf · 10 Huawei Confidential CloudEngine S12700E: Industry-Leading

Обзор новинок сетевых продуктов Huawei

Security Level:

Huawei Confidential4

20 Series, 108 Models of New Products: A New Engine for IP Market Growth

DCN5 switch models

WAN19 router models

Security12 firewall models, 3 anti-DDoS

models

108 new models to be launched in 2019 Q3/Q4

Campus68 switch models, 1 WAC model

CloudEngine 16800 series

CloudEngine 6881/6863

NetEngine 8000/40E series

NetEngine

AR6300/6100/650 series

HiSecEngine

USG12000/AntiDDoS12000 series

USG6600E/6500E series

CloudEngine S12700E series

CloudEngine S67/57xx series


Campus Switches


Новая линейка коммутаторов для кампуса: Cloud Engine

S-seriesModular switches

CloudEngine S7700 series smart routing switches

CloudEngine S7703 (MCUD)

10GE fixed switches GE fixed switches

CloudEngine S12700E series

CloudEngineS12700E-12



CloudEngine S6730-H series

CloudEngine S6730-S series

CloudEngineS6730-H48X6C

CloudEngineS6730-H24X6C

CloudEngineS6730-S24X6Q

CloudEngine S6730S-S series

CloudEngine S6730S-S24X6Q-A


CloudEngineS5732-H48S6Q

CloudEngineS5732-H24S6Q


CloudEngine S5731-H24P4XC

CloudEngineS5731-H24T4XC

CloudEngine S5731-H48P4XC

CloudEngineS5731-H48T4XC

CloudEngine S5731S-H series

CloudEngine S5731S-H24T4XC-A

CloudEngine S5731S-H48T4XC-A

CloudEngine S5731-S series

CloudEngine S5731-S24P4X

CloudEngineS5731-S24T4X

CloudEngine S5731-S48P4X

CloudEngineS5731-S48T4X

CloudEngine S5731S-S series

CloudEngine S5731S-S24P4X-A

CloudEngine S5731S-S24T4X-A

CloudEngine S5731S-S48P4X-A

CloudEngine S5731S-S48T4X-A

*

*: CloudEngine S12700E-12 will be available at the end of Setember.


CloudEngine S12700E Series Agile Switch is Coming

Specifications S12700E-4 S12700E-8S12700E-12

(2019.9.30GA)

Main Processing Unit MPUA MPUA MPUA

Switch Fabric Unit :Slot

bandwidth

SFUE：1.6Tbps/Slot

SFUH：2.4Tbps/Slot

SFUE：1.6Tbps/Slot

SFUH：2.4Tbps/SlotSFUM：2.4Tbps/Slot

Height 10U 15U 19U

Maximum port density192×GE/192×10GE

/96×100GE384×GE/384×10GE

/192×100GE576×GE/576×10GE

/288×100GE


CloudEngine S12700E: Industry-Leading Core Switch

Ideal for Campus Networks

CloudEngine S12700E Distributed switching

Separation of control

and forwarding planes

Higher device reliability

and more smooth upgrade

MPU

Fabric

Industry-unique cell switching

Solar

Dynamic load

balancing

Non-blocking services,

zero packet loss

High port density

Total 12 service slots

288 x 100GE ports

One S12700E = 6

comparable switches

from peer vendors


CloudEngine S12700E: Industry-Leading Core Switch

Cell switching FIB 512KService port

stacking

Policy

association

control device

Parent node

in an SVF

system

Integrated

WLAN ACFree mobility iPCA

Netstream MPLS

TelemetryIntelligent O&M

NGSF

architecture Zero packet loos

HQoSRefined traffic

management

Typical Application Scenarios

Key Features

Scenario Description

Large- and

medium-sized

campuses

• Functions as a core switch and integrates the WLAN AC

capability to improve the wireless capacity and

forwarding capability

• Integrates wired and wireless policy control to reduce

configuration workloads and faulty nodes.

Virtualized

campuses

Functions as a border node on a VXLAN campus network,

and works together with the Agile Controller to build a

campus network for multiple purposes, improving the

network resource utilization by 30%+.

Large bandwidth

interconnection

scenarios in

campuses

Achieves 100G interconnection between the campus

network and DC, between the campus network and WAN,

and within campuses, meeting fast-growing service

requirements of campus networks.

VXLANVirtualization

Telemetry

CloudEngine

S12700E-4

CloudEngine

S12700E-12CloudEngine

S12700E-8

High-density

100GE

57.6 Tbit/s

switching

capacity

Control and

forwarding

separated

MPUE

SFUE

100G card (X6E/X6S) 10GE card (X6E/X6S)

GE optical card (X6E/X6S)

GE electrical card (X5E/X5S)


CloudEngine S6730-x10GE Fixed Switches

CloudEngine S6730-H

Integrated AC(1K AP,10000 Users), Free

Mobility ,iPCA,VxLAN,Netstream,Telemetry,SVF,Application identification, ECA,

Deception,MPLS,IPv6,1588v2, iStack ,128K MAC,140K ARP,192K FIBv4, 80K FIBv6,

6K ACL,1M Netstream,4095VxLAN BD,16K VxLAN IPv4,4K VxLAN IPv6

CloudEngine S6730-SVxLAN,Netstream,Telemetry,SVF,Application identification,ECA, Deception ,IPv6, iStack ,64K

MAC,64K ARP,64K FIBv4, 32K FIBv6, 6K ACL,64K Netstream,2K VxLAN BD,2K VxLAN

IPv4,2K VxLAN IPv6


CloudEngine S6730-x 10GE Fixed Switches

New CloudEngine S model Historical model

S6720-16X-LI-16S-AC S6720-26Q-LI-24S-AC S6720-32X-LI-32S-AC

S

S6720-30C-EI-48S-AC/DC S6720-54C-EI-48S-AC/DC

S6720-26Q-SI-24S-AC S6720-32X-SI-32S-AC S6720-32C-SI-AC/DC

S6720-56C-PWH-SI/AC S6720-52X-PWH-SI

HS6720-50L-HI-48S S6720-30L-HI-24S

S6720-32C-PWH-SI/AC

LI

SI

EI

HI

CloudEngine S6730-H24X6C CloudEngine S6730-H48X6C

CloudEngine S6730-S24X6Q


CloudEngine S6730-H48X6C CloudEngine S6730-H24X6C

48 x10Gig SFP+,6 x 100Gig QSFP28

Dual pluggable power modules, 1+1 power backup,

600W AC

Four independent hot-swappable fan modules,

supporting front-to-back airflow

CloudEngine S6730-H-Huawei new-generation 100G uplink

campus switch

4-core CPU,4G RAM

ENP Chip,Agile features

24 x10Gig SFP+,6 x 100Gig QSFP28


600W AC



4-core CPU,4G RAM



CloudEngine S6730-S24X6Q

24 x10Gig SFP+,6 x 40Gig QSFP


600W AC



CloudEngine S6730-S- Huawei new-generation 10GE campus

fixed switch

4-core CPU,4G RAM



CloudEngine S6730-x- Key Specifications of Huawei's New-

Generation 10GE SwitchesFeature/Specification CloudEngine S6730-H CloudEngine S6730-S

Key Feature

Port Density 24/48*10G+6*100GE 24*10GE+6*40GE

ETA Y Y

MPLS Y N

IPv6 Y Y

1588 Y N

VxLAN Y Y

WLAN Y N

Free Mobility Y Y

Netstream 1M-1 64K

sFlow N N

NAT N N

SAC Y Y

iStack iStack, max 9 iStack, max 9

MACSec N N

MultiGE N N

Key Specifications

Forwarding performance 1260/1620Mpps 720Mpps

Switch capacity 2.4Tbps 2.4Tbps

Manage AP Specification 1K N

NAC Users 10000 10000(Wired)

VxLAN BD 4095(16000) 2K

VxLAN IPv4 tunnel 16K 2K

VxLAN IPv6 tunnel 4K 2K

MAC 128K 64K

FIBv4 192K max (share) 64K

FIBv6 80K max (share) 32K

MFIB 64K max (share) 4K

MFIB6 4K 4K

ARP 140K max (share) 64K

ND 80K max (share) 32K

ACL 6K 6K


Campus Ultra-Broadband: Multi-GE Access + High-Density

10G/40G Aggregation + 100G Core

100G/40G

Highest switching capacity in the industry, 57.6Tbps for the entire system

High-density 100GE ports, supporting 288 100Gbit/s ports

Huawei next-generation campus core switches

Core layer

Aggregation

layer

Access layer

Huawei new-generation high-performance aggregation switch

GE/10G

CloudEngine S12700E

6*100GE

24*100GE

CloudEngine S6730-H

S7703

40G/10G

CloudEngine S6730-S CloudEngine S5731-H CloudEngine S5730-S

Huawei new-generation access switch

Supports 4K VN and has the strongest virtualization capability in the industry.

Supports ECA and is the only access switch that supports encrypted traffic monitoring in the industry.


Multi-Purpose Network, Simple and Automatic Virtual Network

Construction

UVF(Unified Virtual Fabric)

Office

network

VLAN

Security

protection

network

VLAN

IoT

VLAN

Office

network

VLAN

Security

protection

network

VLAN

IoT

VLAN

Office

network

VLAN

Security

protection

network

VLAN

IoT

VLAN

Office

network

VLAN

Security

protection

network

VLAN

IoT

VLAN

Simplest virtual network construction

• Supports both centralized and distributed

gateway networking.

• VxLAN only required at the aggregation

layer and zero reconstruction of access

devices

• Traversing the complex Layer 3 network

and zero reconstruction at the core layer

Fully automatic virtual network

construction• Unified virtual network deployment by the

controller, featuring Zero Touch Provisioning (ZTP) ofdevices

• Automatic tunnel establishment based on the BGP-EVPN control plane


OPS Implements Fast Function Innovation and Shortens

the O&M Period from Half a Year to One Week

AS-IS:>half a year TO-BE:<one week

Application scenario: For customers (such as large enterprises and ISPs) who have customized O&M

requirements on networks, an OPS based on the Python language is provided to help IT administrators quickly

implement function innovation and intelligent O&M.

New requirementNew requirement

Submit the requirement

to the device vendor

Script development

Waiting…

The version is upgraded

and functions take effectThe script is loaded and

functions take effect

1. Detect configuration changes

in real time, and notify the

administrator by email or

alarm to prevent misoperation

2. Detect the access terminal

type, and add APs to VLAN 1

and cameras to VLAN 2 to

automatically isolate services

3. Detect go-offline ports

(connected to key devices),

and notify the administrator

by email or alarm.

Application examples


Wired and Wireless Converged Forwarding with Integrated AC

S6720-HI agile switch

Integrated AC

Wired and wireless policy

control point

Separated forwarding: Traditional box devices do not have the AC

capability. A free-standing AC must be connected to the box

device. Wired forwarding and wireless forwarding are separated.

Distributed network elements (NEs): Customers have to buy

AC devices or subcards, increasing investment and potential

failure points.

Converged forwarding: Wired forwarding and wireless

forwarding converge. A maximum of 1K APs can bemanaged.

Converged NEs: ACs are integrated on switches, reducing

investment and potential failure points.

Free-standing AC


EasyDeploy Solution Simplifies Deployment and O&M

2 USB-based Deployment

1

DHCP server

TFTP/FTP/SFTP server

3

4

1 The engineer uploads configuration files to the

TFTP/FTP/SFTP server.

The engineer deploys hardware.

After power on, switches automatically obtain the allocated IP address

and FTP server IP address from the DHCP server.

4 Switches obtain configuration files from the FTP server.

5

5 The NMS can be used to configure more services.

NMS

1

3

4

2

1

2

3

The engineer uploads configuration files to a USB disk.

4

The engineer deploys hardware.

After power on, switches automatically obtain

configuration files from the inserted USB disk.

The NMS can be used to configure more services.

NMS

2

2

3


Wi-Fi


AP7060: первая в индустрии точка доступа Wi-Fi6

Intelligent• SmartRadio: Ultra-low latency of 10 ms

• CampusInsight: Identify 85% of network problems

IoT Openness• Cooperation with 30+ top partners

• Wi-Fi & IoT network converge reduces TCO by up to 50%

Virtual Reality (VR)

Interactive Class

High-Density Coverage

IoT-Powered Office

Connecting people

and IoT terminals

400+ users per AP

100 Mbit/s per user

Latency < 15 ms

AP7060DN

• 8*8 MU-MIMO, 1024QAM, OFDMA

• 2.4GHz: 1.15 Gbit/s + 5GHz: 4.8 Gbit/s

• IoT expansion

Ultra-High Speed

• 4 x Higher peak bandwidth

• 4 x greater concurrency


AirEngine 5760-10: бюджетная точка доступа Wi-Fi 6

Intelligent• SmartRadio: Ultra-low latency of 10 ms

• CampusInsight: Identify 85% of network problems

IoT Openness• Cooperation with 30+ top partners

• Wi-Fi & IoT network converge reduces TCO by up to 50%

Virtual Reality (VR)

Interactive Class

High-Density Coverage

IoT-Powered Office

Connecting people

and IoT terminals

400+ users per AP

100 Mbit/s per user

Latency < 15 ms

AirEngine5760-10

• 2*2 MU-MIMO, 1024QAM, OFDMA

• 2.4GHz: 574 Mbit/s + 5GHz: 1.2 Gbit/s

• IoT expansion through USB

Smart Antenna

• 20% Coverage increase

• Interference suppression up to 5 dB


Manage up to 2K APs and 40K STAs.

Новый контроллер Wi-Fi: AE9700-M

Item Specifications

Number of ports2 x 40GE (QSFP+) ports + 12 x 10GE (SFP+) ports + 12 x

GE ports

Maximum number of managed APs 2K

Maximum number of BSSIDs 48K

Maximum number of MAC addresses 100K

Maximum number of managed STAs 40K

Protection mode 1+1 HSB or N+1 backup

Power supplyPluggable power supply, AC and DC power supply

(optional), HSB of dual power supplies

Heat dissipation Four pluggable fans

Dimensions (H x W x D)44 mm x 420 mm x 442 mm

This AC can be installed in a 600-mm deep cabinet.

University Large-sized

enterprise

Wireless city

+ +


The AC6508 can manage up to 256 APs and 4K STAs,

and supports the 6 Gbit/s forwarding capacity.

AC6508: контроллер начального уровня

Item Specifications

Number of ports 10 x GE electrical ports + 2 x 10GE optical ports

Maximum number of managed APs 256

Maximum number of BSSIDs 4K

Maximum number of MAC addresses 8K

Maximum number of managed STAs 4K

Protection mode 1+1 HSB or N+1 backup

Heat dissipation Natural heat dissipation (noiseless), without fans

Dimensions (H x W x D) 43.6 mm x 210 mm x 250 mm

Small- or medium-

sized enterpriseBranch campus

+


DC Switches


Обновление линейки CloudEngine DCN продуктов

1680816804

CloudEngine 16800

16816

CloudEngine 6881-48S6CQ

CloudEngine 6863-48S6CQ

10GE TOR

GE TOR

25GE TOR

40GE TOR

100GE TOR

Modular

Switch

2019 Q3Оптические

трансиверы

QSFP-40G-iSR4

QSFP28-100G-SR4

QSFP-100G-CWDM4

SFP-10G-AOC-5M

OMXD30000

SFP-10G-LR

SFP-10G-ZR

SFP-25G-SR

100G Optical Transceiver




36*100GE36*40GE

24*40GE

48*10GE

18*100GE


CloudEngine 16800: Лидирующая аппаратная архитектура и

богатый функционал

CloudEngine 16808 CloudEngine 16804CloudEngine 16816

36*100GE

36*40GE

24*40GE48*10GE

18*100GE

Платформа под любые

задачиAgile Controller-DCN упрощает эксплуатацию в

течении всего жизненного цикла.

FabricInsight анализируя TCP сессии

определяет эффективность всей сети.

Лидирующая аппаратная архитектура

Гибкий NSH: Простое внедрение VAS

Высокая безопасность: Микросегментация (изоляция на

уровне VM)

Технология телеметрии: качество сети в реальном

времени

Ортогональная архитектура без общей шины данных,

продув воздуха «спереди назад», коммутация на

основе ячеек

Плавная эволюция к 400G

AI модуль

Богатый функционал

CloudEngine 16800: 400G платформа поддерживает 10GE, 40GE, 100GE интерфейсы, и имеет AI модуль.


Новые модели фиксированной конфигурации —

CloudEngine 6881и CloudEngine 6863

Diversified DC features: M-LAG, iStack, VXLAN, and BGP EVPN

Hardware-based BFD

Telemetry and ERSPAN enhancement

Microsegmentation and NSH

1+1 power redundancyFour fan trays (one fan

module in each tray)

Parameter CloudEngine 6881-48S6CQ

Port model48*10GE SFP+ and 6*100GE QSFP28 (Each QSFP28 port can be used as

one 40GE QSFP+ port)

Switching capacity 2.16 Tbit/s

Forwarding performance 940 Mpps

Maximum number of

stacked switches16

Buffer capacity 42 MB

Performance

specificationsFIB (v4/v6): 256K/80K, MAC: 256K, ARP: 256K

Diversified DC features: M-LAG, iStack, VXLAN, and BGP EVPN

Hardware-based BFD

Telemetry and ERSPAN enhancement

Microsegmentation and NSH

1+1 redundancyFour fan trays (one fan

module in each tray)

Parameter CloudEngine 6863-48S6CQ

Port model48*25GE SFP28 and 6*100GE QSFP28 (Each QSFP28 port can be used as

one 40GE QSFP+ port)

Switching capacity 3.6 Tbit/s

Forwarding performance 940 Mpps

Maximum number of

stacked switches16

Buffer capacity 42 MB

Performance

specificationsFIB (v4/v6): 256K/80K, MAC: 256K, ARP: 256K

https://e.huawei.com/cn/material/networking/ar/f6fbf62f03334bb7a27a744729ad5548https://e.huawei.com/cn/material/networking/ar/f6fbf62f03334bb7a27a744729ad5548

https://e.huawei.com/cn/material/networking/ar/f6fbf62f03334bb7a27a744729ad5548

https://e.huawei.com/cn/material/networking/ar/f6fbf62f03334bb7a27a744729ad5548


NE Routers


Product TypeNetEngine

8000 M1A

NetEngine

8000 F1A

NetEngine 40E -

M2K-B

NetEngine 8000

M8

NetEngine 8000

M14NetEngine 40E -X8A NetEngine 40E -X16A

NetEngine 8000

X4NetEngine 8000 X8

GA 2020 Q1 2020 Q1DC models have reached GA.

AC models will reach GA in

2019 Q3.2019 Q3 2020 Q1 GA passed GA passed 2020 Q1 2020 Q1

Forwarding capacity 176G 1.2T 910G 1.2T 2TScalable to 4.8T+

16T 32T 16TScalable to 14.4T/slot

32TScalable to 14.4T/slot

Number of slots Fixed Fixed 2 8 14 8 16 4 8

Depth 220 mm 420 mm 220 mm 220 mm 220 mm 650 mm 650 mm 874 mm 874 mm

Height 1U 1U 2U 3U 5U 21U 40U 9.8U 15.8U

100G port density 8 8 8 20 160 320 160 320

10G port density 16 80 46 80 140 640 1280 640 1280

• Data center

interconnection

• Gateway egress

• Aggregation and

access

• Multi-service transport

• Data center

interconnection

• Gateway egress

• Aggregation and

access

• Mini-BNG

• Data center

interconnection

• Gateway egress

• Aggregation and

access

• Leaf node

• Data center

interconnection

• Multi-service access

• Initial aggregation

and access

• Multi-service

transport

• Data center interconnection

• Gateway egress

• Backbone node

• Mini-BNG

• Multi-service

transport

Newest NetEngine Product Portfolio

Mid-range converged

routers

High-density fixed-

configuration routersModular backbone routers


NetEngine 8000 - Converged Routers with the Largest

Capacity in the Industry

Intelligent all-scenario converged

routers oriented to the cloud era

NetEngine 8000 series

Modular product: Industry's largest capacity of

14.4T/slot, 1.5 times that of Cisco

Per-slot capacity

14.4T

9.6T

400GE port

3624

100GE port

72

48

Huawei Cisco

V.S.

One platform applies to

multiple scenarios.

One platform applies

to one scenario.

SR DC gatewayPE

+ +

Fixed-configuration product: Industry's first 300 mm deep

400G platform router

Ultra-broadband platform

400G

Platform100G

Platform

Super large capacity

2T

800G

Compact size

5U7U

Huawei Cisco

NetEngine 8000 X4 NetEngine 8000 X8

NetEngine 8000 M14

NetEngine 8000 F1A

NetEngine 8000 M1A

NetEngine 8000 M8Unified full-service platform and simplified architecture


AR Routers


Huawei NetEngine AR Product Portfolio, High Performance and Various Ports

NetEngine

AR6000 Series

Medium/Small-

scale branch AR6121

AR6300

SRU-400H/SRU-600H

AR6280

GA

NetEngine

AR6000 Series

Headquarters/La

rge-scale branch

NetEngine

AR600 Series

SOHO

AR651C

AR651

TR5: 30/11/2019 GA: 28/02/2020

Launched in July 2019

GA: 30/10/2019

Launched in Oct 2019 Launched in Nov 2019

AR6140-9G-2AC

AR6120

AR617VW

AR657W TR5 15/1/2020

AR611W

AR651U-A4

AR651WAR617VW-LTE4EA

AR6140-16G4XG


Differences Between NetEngine AR Series and AR G3 Series

Scenario NetEngine AR AR G3 Advantages of NetEngine AR over AR G3

Enterprise headquarters and

large branch

AR6300+

(SRU-400H/600H)AR3260 + (SRU400)

1.1 times higher performance (NetEngine AR: 12 Gbps; AR G3: 10

Gbbps) Four times more fixed ports (NetEngine AR: 24; AR G3: 6) Support for SD-WANLarge branch

AR6280+

(SRU-400H/600H)

AR2240C

AR2240 + (SRU200)

Small and medium branch

AR6140-9G-2AC AR2220E

1.2 times WAN performance than AR G3: 2Gbps vs 1.6Gbps Doubled fixed interface Support SD-WAN Note: AR6140-9G-2AC don’t support voice function and RPS

AR6121 AR1220E

More than two times higher performance (NetEngine AR: 2 Gbps;

AR G3: 800 Mbps) Support for 10GE ports Support for SD-WAN

SOHO/SMB

AR651C/AR651/AR657W AR161/AR169

Three times higher performance

(NetEngine AR boost license: 1.5 Gbps; AR G3: 500 Mbps) Support for all GE ports as fixed ports Support for SD-WAN

AR617VW/617VW-LAR109/AR129 with voice

and Wifi

AR611W/AR651W/AR657W AR161/AR169 with Wifi


Huawei NetEngine AR6000 Series CPE

Specification AR6300 (SRU-400H) AR6300 (SRU-600H)

Service performance(LAN - > WAN +

WAN - > LAN, NAT + ACL + QoS, IMIX)10 Gbps 12 Gbps

Dual SRUs Dual SRUs and dual forwarding Dual SRUs and dual forwarding

Dual power supplies Supported Supported

Port14*10GE optical ports + 10*GE electrical ports (can be

configured as LAN)

14*10GE optical ports + 10*GE electrical ports (can be

configured as LAN)

Memory 8 GB 16 GB

Slot 4 x SIC slots + 2 x WSIC slots + 4 x XSIC slots 4 x SIC slots + 2 x WSIC slots + 4 x XSIC slots

Voice - -

Front view of the AR6300 Rear view of the AR6300



Specification AR6280 (SRU-400H) AR6280 (SRU-600H)

Service performance(LAN - > WAN +

WAN - > LAN, NAT + ACL + QoS, IMIX)10 Gbps 12 Gbps

Dual power supplies Supported Supported

Port14 *10GE optical ports + 10*GE electrical ports

(can be configured as LAN)

14*10GE optical ports + 10*GE electrical ports (can be

configured as LAN)

Memory 8 GB 16 GB

Slot 4 x SIC slots + 2 x WSIC slots + 2 x XSIC slots 4 x SIC slots + 2 x WSIC slots + 2 x XSIC slots

Voice - -

Front view of the AR6280 Rear view of the AR6280



Specification AR6120 AR6121 AR6140-9G-2AC AR6140-16G4XG

Service

performance(LAN -

> WAN + WAN - >

LAN, NAT + ACL +

QoS, IMIX)

2 Gbps 2 Gbps 2 Gbps 6 Gbps

Port

WAN: 1*10GE optical port +

1*GE combo + 1*GE

LAN: 8*GE ports (can be

configured as WAN)

WAN: 1*10GE optical port +

2*GE combo port

LAN: 8*GE ports+1*GE Combo

(can be configured as WAN)

WAN: 2*GE optical port+2*GE

LAN: 2*GE optical port+3*GE (can

be configured as WAN)

WAN: 4*GE + 4*10GE SFP+

(compatible with GE optical ports)

LAN: 12*GE (can be configured as

WAN)

Memory 2G 2G 2G 2G

Slot 2*SIC 2*SIC 4*SIC 4*SIC

AR6121 AR6140-9G-2AC

TR5: 30/11/2019GA:28/02/2020

AR6140-16G4XGAR6120



Specification AR651C AR651 AR651U-A4 AR651W AR657W

Service performance(LAN

- > WAN + WAN - > LAN,

NAT + ACL + QoS, IMIX)

Defualt:1G

Boost License:1.5G

Defualt:1G

Boost License:2G 2G

Defualt:1G

Boost License:2G

Defualt:1G

Boost License:2G

Port

WAN: 2*GE optical ports + 2*GE

ports

LAN: 2*GE optical ports + 6*GE

(can be configured as WAN)

WAN: 2*GE Combo


WAN)

WAN: 2*GE Combo


WAN)

WAN: 2*GE Combo

LAN: 8*GE (can be

configured as WAN)

WAN: 2*GE

Combo+1*VDSL 35B

LAN: 8*GE (can be

configured as WAN)

Memory 1 GB 2GB 4GB 2GB 2GB

Slot - 1 1 1 1

Wi-Fi - 802.11ac/b/g/n 802.11ac/b/g/n

LTE - LTE MIC LTE MIC LTE MIC LTE MIC

AR651C AR651 AR651U-A4 AR651W AR657W

TR5: 30/11/2019

GA:28/02/2020

TR5: 30/11/2019

GA:28/02/2020

TR5: 30/11/2019

GA:28/02/2020

TR5: 15/1/2020

GA:28/02/2020



Specification AR611W AR617VW AR617VW-LTE4EA

Service

performance(LAN - >

WAN + WAN - > LAN,

NAT + ACL + QoS, IMIX)

300 Mbps 300 Mbps 300 Mbps

PortWAN: 1*GE Combo

LAN: 4*GE (can be configured as WAN)

WAN: 1*GE Combo+ 1*VDSL 35B


Voice:2*FXS

WAN: 1*GE Combo+ 1*VDSL 35B+1*LTE


Voice:2*FXS

Memory 1 GB 1GB 1GB

Slot - - -

Wi-Fi 802.11ac/b/g/n 802.11ac/b/g/n 802.11ac/b/g/n

LTE - - Y

AR611W AR617VW AR617VW-LTE4EA

TR5: 30/11/2019

GA:28/02/2020

TR5: 30/11/2019

GA:28/02/2020

TR5: 30/11/2019

GA:28/02/2020


Integrated routing

and switching

Firewall and

IPS

Multiple Layer

2/Layer 3 VPNs

eSight and

Web……

All-in-one


Switching Router, Supporting Flexible Switching

Routing Security VPN NMS

Fixed port: The undo port switch

command can be executed to

configure LAN ports as WAN ports.

Fixed port: WAN ports can

be configured as LAN ports

on some product models.

Layer 2 cards support VLANIF interfaces for

simple Layer 3 forwarding, but do not support

NAT, MPLS, IPsec, and HQoS.

Some Layer 2 cards support

LAN/WAN switchover,

1 3

2 4


Comprehensive Security ProtectionRouting Security VPN NMS

Data encryptionData encryption based on

IPSec VPN

Mainstream encryption

algorithms such as

AES128/256

URL filtering130+ categories

Accuracy > 96%

Application access controlIdentification of 6000+ well-known and user-

defined applications

Identification of popular encrypted P2P

applications

IPS intrusion preventionFastest attack defense

Updated IPS engine, defending against

latest intrusion behavior

Detect 5500+ attacks

Detection rate > 90%

HQBranch

Internet

EncryptionExternal

defense

Internal

control


URL Filtering, Providing Refined Internet Access Control


Policy setting

• Prevent employees from visiting illegitimate or malicious websites,

defending against threats such as worms, viruses, and Trojan horses.

• Specify the effective time of website access control and prevent

employees from visiting websites that are irrelevant to job at work time.

• Set user groups based on IP addresses or IP address segments and

set website access rights based on user groups.

• Add or delete URLs.

URL matching mode

• Exact matching: Matches the URL that contains the complete character

string.

• Suffix matching: Matches all URLs that end with a specified character

string.

• Prefix matching: Matches all URLs that start with a specified character

string.

• Keyword matching: Matches all URLs that contain a specified character

string.

• The priorities of URL matching modes in descending order are as

follows: Exact matching > suffix matching > prefix matching > keyword

matching

URL Matching Mode

http://w3.abc.com/travel Suffix matching

http://w3.abc.com/next/index_hr.html#path=newhr Prefix matching

http://w3.abc.com/travel Keyword matching

http://w3.abc.com/travel Exact matching

Http：//www.example.com/news/index.html?cat=1&id=2

Protocol

Host

Path

Parameter

Branch

Internet

Forbidding access to

URLs in the blacklist

Number of classified

websites > 65 million

Number of

categories > 130

Accuracy >

96%


Application Access Control, Providing the Most Extensive Application Library in the Industry


Identification of 6000+ applications

• Support multiple identification methods, such as packet signature

identification, association identification, and behavior identification.

• Support 6,000+ mainstream protocols and applications, such as P2P,

VoIP, IM, games, and emails.

Flexible upgrade of the SA signature database

• SA signature database files are maintained and released by Huawei Security

Competence Center, and can be added with user-defined applications.

• The Agile Controller centrally maintains SA signature databases, upgrades

them in batches or as scheduled, and releases new signature databases

periodically.

• The update status of the SA signature database can be viewed, including

upgrade time, countdown, upgrade progress bar, and upgrade result.

• Rollback is supported when the SA signature database fails to be upgraded.

Signature

database

(new)

Signature

database

(old)

Seamless

switchoverProtocol 1

Protocol 2

…

New

protocol

Protocol 1

Protocol 2

……

Signature

database file

SA engineUnclassified

packets

Classified packets

Signature identification

Association identification

Behavior identification

…


IPS, Focusing on Application-Layer Attack Defense


User traffic User traffic

The firewall blocks only the illegal traffic

at Layer 2 to Layer 4.

AR that integrates the

IPS function

The IPS provides security defense

capabilities at Layer 7.

L7 attack packets

L2-L4 attack packets

Normal packets

AR that integrates the

firewall function

IPS focuses on attack defense, especially at the application layer

• Pushes security protection to a higher level to make up for the disadvantages of traditional firewalls defending against application-layer attacks.

• Implements attack detection on 1600+ signature databases, achieving the detection rate of higher than 90%.

• Supports online update of the signature databases and real-time update of the IPS engine to defend against latest intrusion behavior.

• Contains signature databases based on network behavior such as Trojan horses, worms, botnets, spyware, vulnerability attacks, and web attacks.

• Integrated into AR routers without the need to deploy fault detection points, reducing operation costs.


Overview of IPSec VPN


Internet

• Enterprise branch: Different VPN access modes can be applied to branches based on the scale. In a single network topology, GRE over IPSec VPN is recommended for

secure access. In a hub-spoke topology, VPNs need to be dynamically established between branches for secure access, and IPSec DSVPN is recommended. For small

branches, IPSec VPN is recommended. For terminals connected to the Internet through 4G, IPSec over L2TP VPN is recommended.

• Mobile employees: Due to flexible location, clients are used to connect mobile employees to the internal network. L2TP over IPSec VPN is recommended.

• Enterprise headquarters: VPN gateways are used to construct VPN data channels between gateways and between gateways and clients.

Branch A

Branch B

Branch C

Mobile employees

VPN server

HQ

VPN management

system

Enterprise

data center

IPSec DSVPN

Branch D


Deployment Scenario of the DSVPN Solution


Application scenarios: This solution applies to enterprises with multiple branches. When the enterprise headquarters uses a static public IP address to access the Internet and branches use the dynamic

public IP address to access the Internet, if the traditional VPN is used to construct networks, branches cannot directly communicate with each other. (The source branch cannot obtain the public IP address of

the destination branch and no tunnel can be established between these branches.) The communication data between all the branches can only be forwarded by the headquarters. In this case, devices in the

headquarters are overloaded.

Highlights:

• DSVPN uses NHRP to dynamically collect, maintain, and advertise public network addresses of nodes. This solves the problem that the source branch cannot obtain the public IP address of the

destination branch. In this mode, dynamic VPN tunnels are established between the branches to implement direct communication, reducing the burden of the headquarters and avoiding the network

delay. The tunnel is triggered by inter-branch traffic and tunnels are established based on requirements. If no traffic is transmitted, the tunnel is automatically torn down.

• DSVPN uses the mGRE technology to enable a tunnel interface to establish VPN tunnels with multiple peers, reducing the workload of VPN configuration. When a branch is created or the public IP

address of a branch changes, the tunnel relationship between the headquarters and branches can be automatically maintained without the need to adjust the tunnel configuration at the headquarters,

making network maintenance more intelligent.

Traditional branch VPN interconnection

solution

Dynamic deployment and easy multi-branch access

DSVPN interconnection

solution

DSVPN

Hub

Spoke Spoke

Spoke

DSVPN

Hub

Spoke Spoke

Spoke


GUI-based Simple Web Management System, Facilitating Local Management


Real-time device monitoring

Monitors site status in real time based on

devices, interfaces, and network applications.

Intelligent O&M

• Provides device log and alarm functions and traces

network behavior and device running status.

• Provides the intelligent diagnosis function for users

to obtain the abnormal running status of the network

and the recommended solution by one click.

Abundant configuration management

capabilities

• Supports WAN and LAN configuration, and quick

configuration wizard, meeting complex network requirements.

• Supports online behavior management, improving branch

network resource efficiency and ensuring network security.


Security


Newest HiSecEngine Security Product Portfolio

DC

N

2019-09-21 GA

2020-03-31 GA

Chassis-based NGFW

HiSecEngine USG12004/12008

HiSecEngine NGFW

40 Gbit/s–2 Tbit/s

AntiDDoS1825

20 Gbit/s

AntiDDoS12004/12008

HiSecEngine AntiDDoS

USG6510E: 2*GE (SFP) + 10*GECa

mp

us

an

d B

ran

ch

USG6525E/6555E/6565E/6585E

2–8 Gbit/s, 1 U

USG6615E/6625E

10–40 Gbit/s, 1 U

USG6510E/6530E

Branch Branch/Small Campus Large Campus/Small DC

USG6530E: 2*10GE (SFP+) + 10*GE

Desktop

2*10GE (SFP+) + 8*GE Combo + 2*GE (WAN)6*10GE (SFP+) + 6*GE (SFP) + 16*GE

2*40GE (QSFP+) + 12*10GE (SFP+) + 16*GE

USG6635E / 6655E

HiSecEngine NGFW


Наиболее обширный функционал в индустрии

Web Filtering

• 120M+ URL knowledge database

• 130+ Category

Access Control / Policy

•Policy control by 6 dimension of App,

Content, Time, User, attack, Location

VPN

• IPsec, L2TP,SSL,GRE,MPLS,…

• DSVPN

Anti-DDOS

•SYN Flood、UDP Flood、ICMP Flood、HTTP Flood、HTTPS Flood、DNS Flood ，SIP Flood

•IP Reputation

DLP

• 120+ file type filtering

Routing & Intelligent Routing IPv4: static routing, RIP, OSPF, BGP, and IS-IS

IPv6: RIPng, OSPFv3, BGP4+, IPv6 IS-IS, IPv6

App Controlling

•6000+ App identification & Controlling

NAT

NAT No-PAT, NAPT, Easy IP, Smart

NAT, Bi-Direction NAT,NAT ALG

Authentication

• AD, LDAP, Radius, AC

HWTACACS

Anti Virus

• 5M virus signature

• signature update per day

SSL Inspection

Campus：SSL Client Protection (SSL proxy)

Data Center: Server protection(SSL Offload)

CGN (IPV4 IPV6)

•NAT444, DS-Lite,NAT64, NAT66(2019.7)

•IPv4 over IPv6

•IPV6 Over IPV4

Bandwidth Management

Bandwidth limitation by application or user

Bandwidth guarantee for key services

Log & Report

log store and query

Security reports based on logs

IPS

• 8000+ local Signatures

• 20000+ totally

• malware, botnet, worm…


NGFW важный элемент комплексного решения SDSec

Элемент применения политик( Руки, Ноги)

Модуль управления (Нервная система)

SecoManager

CIS FireHunter

Анализатор (Мозг)

Global Security Intelligence Center

SwitchRouter WIFI AR FW/vFW AntiDDoS

DFW

3rd Security

Convergence

Collaboration

Big Data

& AI

Controller• Политики с учетом бизнес потребностей

приложений

• Автоматизация политик безопасности

Analyzer• Искусственный интеллект с использованием Big

Data и машинного обучения

• Песочница 3rd поколения

• Мимикрия

Enforcer• Повсеместно!

• Адаптивность

Copyright©2018 Huawei Technologies Co., Ltd.

All Rights Reserved.

The information in this document may contain predictive

statements including, without limitation, statements regarding

the future financial and operating results, future product

portfolio, new technology, etc. There are a number of factors that

could cause actual results and developments to differ materially

from those expressed or implied in the predictive statements.

Therefore, such information is provided for reference purpose

only and constitutes neither an offer nor an acceptance. Huawei

may change the information at any time without notice.

把数字世界带入每个人、每个家庭、每个组织，构建万物互联的智能世界。

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Thank you.

Documents

Обзор новинок сетевых продуктов Huaweiebgevents.huawei.ru/ip_club_2019_kazan/clients/m/2.pdf · 10 Huawei Confidential CloudEngine S12700E: Industry-Leading