Мазитов Алмаз, Lead Manager for Network Products, HUAWEI
Roadshow DC + Agile Controller
CloudEngine Series Data Center Switch Portfolio
Core Switches Access Switches
CloudEngine 16800 (new)
CloudEngine 16816 CloudEngine 16808 CloudEngine 16804
CloudEngine 6881-48S6CQ
CloudEngine 6863-48S6CQ
10GE TOR switch (new)
25GE TOR switch (new)
CloudEngine 16800: Leading Hardware Architecture, Extensive Software Features, and Complete
Solution Mapping Capabilities
CloudEngine 16808 CloudEngine 16804 CloudEngine 16816
36*100GE
36*40GE
24*40GE
48*10GE
18*100GE
Complete Solution Mapping Capabilities
Agile Controller-DCN provides simplified deployment capabilities throughout the life cycle.
FabricInsight analyzes TCP flows and network-wide health.
Leading Hardware Architecture
Flexible NSH: Flexible and simplified VAS deployment
High security: Microsegmentation (VM-level security
isolation)
Telemetry technology, detecting the network quality in
real time
Edge intelligence and local processing of network behaviors
Orthogonal architecture, backplane-free cabling, strict
front-to-back airflow, cell switching
Mixed-flow fan, VC phase change heat dissipation
Smooth evolution to 400G
AI engine (V1R19C10)
Extensive Software Features
CloudEngine 16800: 400G platform supports 10GE, 40GE, and 100GE interfaces, and AI engine.
Orthogonal Architecture: Backplane-free cabling, higher chassis bandwidth
Strict Front-to-Back Airflow Design: Independent front-to-back airflow, even heat dissipation, basic requirements for data centers
Non-blocking Switching: Cell switching, VoQ, balanced traffic distribution, higher bandwidth usage
Mixed-flow Fan, VC Phase Change Heat Dissipation: Air volume three times higher than the industry average, greatly reducing noise; leading energy-saving design
Line card
Hardware Architecture: Industry-leading Architecture Design and Innovative Heat Dissipation
The CloudEngine16800 supports the network lifecycle of four generations of servers and smooth evolution to 400G.
[Figure: VC heat dissipation substrate, heat dissipation fin, chip; air intake and air exhaust]
Introduction to CloudEngine 16800
Specification | CE16804 | CE16808 | CE16816
Dimensions (W x D x H, mm) | 482.6 x 990.3 x 437 (10U) | 482.6 x 990.3 x 703.6 (16U) | 482.6 x 1149.2 x 1435.7 (32U)
Switching capacity | 43 Tbit/s | 86 Tbit/s | 173 Tbit/s
Packet forwarding rate | 11,280 Mpps | 22,560 Mpps | 45,120 Mpps
LPU slots | 4 | 8 | 16
MPU | 1+1
SFUs | 6 (scalable to 9 for future expansion)
Architecture | Clos switching architecture, cell switching, VoQ
Number of fan trays | 3 | 3 | 3
Number of power supplies | 6 | 10 | 20
Power input | DC: 2200 W (-48 V/-60 V); AC/HVDC: 3000 W (AC: 220 V, HVDC: 240 V/380 V)
Two MPUs: 1+1
redundancy
The CloudEngine 16808 has
10 power modules in total.
The CloudEngine 16808
has a total of eight slots.
The CloudEngine 16808
has three fan trays.
The CloudEngine 16808
has up to nine SFUs and
supports N+1 or N+M
redundancy.
CloudEngine 16800: 100G/40GE/10GE Line Cards
36*100GE QSFP28 36*40GE QSFP+
24*40GE QSFP+
48*10GE SFP+
18*100GE QSFP28
Item | 100GE Line Card | 100GE Line Card | 40GE Line Card | 40GE Line Card | 10GE Line Card
Card name | CEL36CQFD-G | CEL18CQFD-G | CEL36LQFD-G | CEL24LQFD-G | CEL48XSFD-G
Port | 36*100GE/36*40GE/144*25GE/144*10GE | 18*100GE/18*40GE/72*25GE/72*10GE | 36*40GE/144*10GE | 24*40GE/96*10GE | 48*10GE
MAC address table | Standard mode: 96K; Large routing mode: 32K; Large MAC mode: 256K
FIB (IPv4/IPv6) | Standard mode: 220K/80K; Large routing mode: 256K/80K; Large MAC mode: 128K/64K
ND | Standard mode: 80K; Large routing mode: 80K; Large MAC mode: 64K
ARP <Non-contiguous and contiguous MAC addresses> | Standard mode: 96K-220K; Large routing mode: 96K-256K; Large MAC mode: 96K-128K
ACL | 6*7.5K | 3*7.5K | 3*7.5K | 2*7.5K | 1*7.5K
MPUs of the CloudEngine 16800
Half-width MPU of the
CloudEngine
16804/CloudEngine 16808
Full-width MPU of the
CloudEngine 16816
• The CloudEngine 16804/CloudEngine 16808 uses half-width
MPUs, and active and standby MPUs are installed side by side.
• The CloudEngine 16816 uses full-width MPUs, and the active
and standby MPUs are arranged vertically.
• HiSilicon CPU
16-core, single-core 1.8 GHz
• Memory: 8 GB
• CMU
• Integrated AI chip (GA in February 2020)
• 1588v2 (GA in February 2020)
MPU | Description
CE-MPUD-HALF | Half-width MPU, adapting to the CloudEngine 16804/CloudEngine 16808
CE-MPUD-FULL | Full-width MPU, adapting to the CloudEngine 16816
SFUs of the CloudEngine 16800
SFU04
SFU08
SFU16
SFU | Performance
CE-SFU04G-G | 8.4 Tbit/s
CE-SFU04F-G | 4.2 Tbit/s
CE-SFU08G-G | 16.8 Tbit/s
CE-SFU08F-G | 8.4 Tbit/s
CE-SFU16G-G | 28.8 Tbit/s
CE-SFU16F-G | 16.8 Tbit/s
Mapping Between Cards and SFUs of the CloudEngine 16800
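Device Model | Card | SFU | Number of SFUs Required for Line-rate Forwarding
CE 16804/CE16808/CE16816 | 36*100GE | CE-SFU04G-G/CE-SFU08G-G/CE-SFU16G-G | 5
CE 16804/CE16808/CE16816 | 36*40GE | CE-SFU04F-G/CE-SFU08F-G/CE-SFU16F-G | 4
CE 16804/CE16808/CE16816 | 36*40GE | CE-SFU04G-G/CE-SFU08G-G/CE-SFU16G-G | 4
CE 16804/CE16808/CE16816 | 48*10GE | CE-SFU04F-G/CE-SFU08F-G/CE-SFU16F-G | 4
CE 16804/CE16808/CE16816 | 48*10GE | CE-SFU04G-G/CE-SFU08G-G/CE-SFU16G-G | 4
CE 16804/CE16808/CE16816 | 18*100GE | CE-SFU04F-G/CE-SFU08F-G/CE-SFU16F-G | 5
CE 16804/CE16808/CE16816 | 18*100GE | CE-SFU04G-G/CE-SFU08G-G/CE-SFU16G-G | 5
CE 16804/CE16808/CE16816 | 24*40GE | CE-SFU04F-G/CE-SFU08F-G/CE-SFU16F-G | 4
CE 16804/CE16808/CE16816 | 24*40GE | CE-SFU04G-G/CE-SFU08G-G/CE-SFU16G-G | 4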
Remarks: The CloudEngine 16800 uses the 6-plane SFU design.
Recommended CE Series Switch Model — CloudEngine 6881& CloudEngine 6863
Diversified DC features: M-LAG, iStack, VXLAN, and BGP EVPN
Hardware-based BFD
Telemetry and ERSPAN enhancement
Microsegmentation and NSH
1+1 power redundancy
Four fan trays (one fan module in each tray)
Parameter | CloudEngine 6881-48S6CQ
Port model | 48*10GE SFP+ and 6*100GE QSFP28 (Each QSFP28 port can be used as one 40GE QSFP+ port)
Switching capacity | 2.16 Tbit/s
Forwarding performance | 940 Mpps
Maximum number of stacked switches | 16
Buffer capacity | 42 MB
Performance specifications | FIB (v4/v6): 256K/80K, MAC: 256K, ARP: 256K
Diversified DC features: M-LAG, iStack, VXLAN, and BGP EVPN
Hardware-based BFD
Telemetry and ERSPAN enhancement
Microsegmentation and NSH
1+1 redundancy
Four fan trays (one fan module in each tray)
Parameter | CloudEngine 6863-48S6CQ
Port model | 48*25GE SFP28 and 6*100GE QSFP28 (Each QSFP28 port can be used as one 40GE QSFP+ port)
Switching capacity | 3.6 Tbit/s
Forwarding performance | 940 Mpps
Maximum number of stacked switches | 16
Buffer capacity | 42 MB
Performance specifications | FIB (v4/v6): 256K/80K, MAC: 256K, ARP: 256K
Recommended Mapping Version for CloudFabric Solution V1R19C00
Device Series Device Model Software Version
Cloud computing FusionCloud
(1) Network overlay: FusionCloud 6.5 (private cloud based on
Mitaka, supporting IPv6)
(2) Network overlay: FusionCloud 6.3.1 (based on Mitaka, and
integrating some features of Ocata)
CE16800 series CE16800 series: CE16804, CE12808, and CE16816 V200R005C20
CE6800 series CE6863-48S6CQ and CE6881-48S6CQ
vSwitch
CE1800V (OpenStack Mitaka + KVM CentOS7.2, OpenStack
Ocata + KVM CentOS7.3, OpenStack Queens + KVM
CentOS7.5)
(1) V100R019C00 (2) V100R002C10 (3) V100R002C00
SdSec solution V100R019C00
SdSec solution
Old hardware firewall:
USG6660/Eudemon1000E-N6, USG6670/Eudemon1000E-
N7, USG6680/Eudemon1000E-N7E,
USG9520/Eudemon8000E-X3, USG9560/Eudemon8000E-
X8, USG9580/Eudemon8000E-X16
Old hardware firewall: V500R005C20 (for both carriers and
enterprise networks)
New hardware firewall:
SG6650E/Eudemon1000E-G5, USG6680E/Eudemon1000E-
G8, USG6712E/Eudemon1000E-G12,
USG6716E/Eudemon1000E-G16
New hardware firewall: V600R007C00 (for both carriers and
enterprise networks)
Forward compatibility: V600R006C00
vNGFW:
USG6000V8/Eudemon1000E-V8
V500R005C20 (for both carriers and enterprise networks)
SecoManager V500R019C00
CIS V100R007C00
Agile Controller Agile Controller-DCN V300R019C00
eSight eSight-Solution V300R010C10
FabricInsight FabricInsight V100R019C00
. . .
Rapid response to service requirements
Hardware BFD Microsegmentation NSH-based SFC VXLAN over IPv6
CPU
Forwarding chip
Intra-card CPU chip
Quad-core CPU: Protocol packet
processing
FIB entry delivery
. . .
Co-processor Hardware BFD
High-performance
sFlow
. . .
Forwarding chip
Adjustable
processes
New service
processes
Adjustable entry
resources
Enhanced service
processes
VRP
NETCONF CLI
Linux container
gRPCOpenFlowSSH
FuncEdit
NETCONF
SNMP
Linux and driver
Fragmentation
and reassembly
Programmable Key Components, Flexible Customization of Service Functions
Simplified Deployment: The SDN controller defines SFC in drag-and-drop mode.
Efficient Forwarding: Traffic diversion for one time, saving ACL resources and providing simple configuration
Flexible Orchestration: Decouple VAS functions from fabrics, providing flexible orchestration.
WEBApp
A
FW IDS LB NAT
VAS
resource
pool
Switch Switch Switch
NSH-based SFC Provides Easy VAS Orchestration
VM 1 VM 2 VM 3
1.1.1.1 1.1.1.2 1.1.1.3
VM 4 VM 5 VM 6
2.2.2.1 2.2.2.2 2.2.2.3
As Is: Subnet-based isolation
To Be: VM-level isolation
Fine-grained Defense: Define applications based on VM names and discrete IP addresses, with fine granularity.
Flexible Deployment: Define services based on application groups and decouple them from subnets to achieve flexible deployment.
Distributed Security: Traffic of access switches is filtered nearby and east-west isolation is implemented without using firewalls.
Microsegmentation Achieves Fine-grained Isolation and Service Security
• SNMP/NETCONF query/response mechanism, and
minute-level reporting
• Microburst detection is not supported, and traffic details
cannot be detected.
• The traditional network device reports only logs and
alarms, but cannot collect packet characteristic
information such as the delay and packet loss.
• gRPC subscription/active reporting mechanism, and millisecond-
level reporting
• The CloudEngine 16800 monitors the microburst status, detects
traffic details, and predicts congestion in real time.
• The CloudEngine 16800 uses the intelligent analysis algorithm to
detect packet characteristic information such as the delay,
packet loss, and packet loss location in real time.
As-Is: Network Device Used as Black Boxes To-Be: Visualized Network Management and Control
Industry-leading Telemetry Technology Achieves Visualized and Controllable Networks or Services in
Real Time
Collector Analyzer
CPUForwarding
chipNP
SNMP
NETCONFNetStream ERSPAN
Flow table
Protobuf
over UDP
gRPCERSPAN+
CPUForwarding
chip
Traditional NMS
AI
Chip
CloudEngine fixed switches: Diversified Models in All Scenarios and Sustainable Supply
CE5855GE
10G
CE6810
CE6870
CE6880
Low-end
(Layer 2)
Mid-range (VXLAN)
CE8860-4C-EI
Four subcards
CE8850-32Q-EI
High-end (large
buffer)
25G
40G CE7855
100G
CE6860-48S8CQ-EI
Extensible
Fixed
Medium
CE5855-48T4S2Q-EI
CE5855-24T4S2Q-EI
CE6870-48T6CQ-EI
CE6870-48S6CQ-EI
CE6870-24S6CQ-EI
CE6855-48S6Q-HI
CE6855-48T6Q-HI
CE6810-48S4Q-LI
CE6810-32T16S4Q-LI
CE7855-32Q-EI
CE6875
CE8861-4C-EI
CE6865-48S8CQ-EI
Large buffer,
MACsec
CE8850-64CQ-EI
CE6881-48S6CQ
CE6856-48T6Q-HI
CE6856-48S6Q-HI
The model in red can be
supplied continuously.
CE6875-48S4CQ-EI
CE6851-48S6Q-HI CE6855
4 GB large buffer,
100GE uplink
AI Fabric, 1588,
microsegmentation
Evolution stopped
Four subcards
Fixed
AI Fabric, microsegmentation
AI Fabric and 1588
100GE uplink
CE6863-48S6CQ
Note:
(1) CloudEngine 6881, CloudEngine 6863, and CloudEngine 6820: GA on September 30, 2019.
(2) The models planned for V3R20C00 may change at any time. For the latest models, contact DCN product management personnel.
CE6820-48S6CQ
CE6856
Loopback on interface card
Memory: 2 GB -> 4 GB
10GE optical downlink, 100GE uplink
Medium (non-VXLAN)
Layer 3 functions
1U:CE8851-32CQ8DQ-P
CE6866-48S8CQ-P
CE6866-48S8CQ-PH
New Model in V2R5C20
Planning in V3R20C00
2 U: CE8852-96CQ-P
CE6880-24S4Q2C-EI
10GE optical downlink
GE 100GE 400GE40GE10GE
F series cards
CE-48XS-FD/FDA
FDA: Built-in 2*40GE, 2*100GE
CE-36LQ-FD
CE-24LQ-FD
CE-12CQ-FD
CE-36CQ-FD
16
16
08
0404S
08S
CloudEngine12800/12800S
CloudEngine16800
CEL48XSFD-G
CEL24LQFD-G
CEL36LQFD-G
FD-G series cards
36-port SFU with N+1
redundancy
08
04
CEL18CQFD-G
CEL36CQFD-G
Note:
(1) CloudEngine 16804/CloudEngine 16808/CloudEngine 16816 and all its cards reach GA on September 30, 2019.
(2) The models planned for V3R20C00 may change at any time. For the latest models, contact DCN product management personnel.
CEL72XSHGA-P
CEL48XSHGA-P
48*25/10G+4*100G
72*25/10G+4*100G
CEL48CQHG-P
48*100G CEL36DQHG-P
36*400G
The model in red can be supplied continuously.
New Model in V2R5C20
Planning in V3R20C00
-P series cards
Panorama of CloudEngine Modular Switches: Continuous Expansion in Installed Base Markets and
Steady Switching in New Markets
CEL48DQHG-P
48*400G
CE-L24XS-EC
CE-L48XS-EA/EC/ED/EF
CE-L04CF-EF
CE-L24LQ-EC1
CE-L48GS-EA
CE-L48GT-EA
CE-L48XT-EC
E series cards
SDN Baseline Networking of Category C Cards: Layer 3 Architecture Scenario
DC2
Spine
Server Leaf
Border leaf
Service leaf
Fabric gateway
M-LAG
Multi-active M-LAG
2. VAS device in
bypass mode
1. VAS device in
service mode
10/100GE servers are connected to uplink 100GE ports.
Device Role Device Model Selection Basis
Server leaf
10G server access
CloudEngine 6863-48S6CQ 25G server access
CloudEngine 16800
100G card recommended: CEL36CQFD-G and CEL18CQFD-G
40G card recommended: CEL36LQFD-G and CEL24LQFD-G
10G card recommended: CEL48XSFD-G
Spine CloudEngine 16800 100G card recommended: CEL36CQED1-E and CEL18CQED1-E
40G card recommended: CEL36LQED1-E and CEL24LQED1-E
Border leaf CloudEngine 16800
100G card recommended: CEL36CQED1-E and CEL18CQED1-E
40G card recommended: CEL36LQED1-E and CEL24LQED1-E
10G card recommended: CEL48XSED1-E
CloudEngine 6881-48S6CQ
Service leaf
(when there are
a large number
of NFV NEs or
VAS devices)
CloudEngine 6881-48S6CQ 10G VAS device access
CloudEngine 16800
VAS device access
100G card recommended: CEL36CQED1-E and CEL18CQED1-E
40G card recommended: CEL36LQED1-E and CEL24LQED1-E
10G card recommended: CEL48XSED1-E
Fabric gateway CloudEngine 16800
100G card recommended: CEL36CQED1-E and CEL18CQED1-E
40G card recommended: CEL36LQED1-E and CEL24LQED1-E
10G card recommended: CEL48XSED1-E
CloudEngine 6881-48S6CQ
Combination of the border leaf node and
service leaf node
North-south gateways and VAS devices do not need to be
expanded.
In Layer 3 networking, border leaf nodes and spine nodes
are independently configured.
If the number of physical servers on the entire network exceeds
200 or the number of VMs exceeds 6000, you are advised to use
the three-layer architecture where border leaf nodes and spine
nodes are independently deployed.
Design principle:
The solution does not support automatic loop acknowledgment in loop detection, suspected loop reporting, or path detection based on ICMP packets. The solution
supports path detection based on TCP/UDP packets.
The solution in which FabricInsight is used supports IPv4 and does not support IPv6. The solution does not support overlay multicast or traffic statistics collection on
Layer 2 sub-interfaces.
CloudFabric N1 Software Package Covers All Scenarios, Hardware, and Features
Add-on software package: AI Fabric package
Security package (MACsec)
Intelligent network analysis value-added package (traffic analysis)
Telco cloud DC gateway package (NEs managed by Agile Controller-DCN)
N1 premier software package: All functions of the Advanced software package
Intent assurance package...
CloudEngine hardware switch
CE switch hardware
N1 Advanced software package: All functions of the Foundation software package
MPLS/SR and NSH-based SFC
V1R19C10: multi-DC automation (MDO)...
N1 Foundation software package: All functions of the Management software package
Telemetry, VS, PTP (1588v2), and number of CE switches managed by Agile Controller-DCN
FabricInsight intelligent network analysis basic package (V1R19C00, only for the CE16800&CE6800)
Value-added scenario function
Enterprise edition (future)
Agile Controller-DCN
Purchase or prepare the hardware platform
and operating system as required.
N1 Management software package: Basic software (Layer 2 or Layer 3 basic functions) + VXLAN + IPv6
NCE network device management license (V1R19C10)
Non-SDN scenario
Single-DC SDN scenario
SDN enhancement scenario (single-
DC enhancement and multi-DC)
FabricInsight
FabricInsight big data analytics platform
Agile Controller-DCN software platform free of charge
Purchase or prepare the hardware platform
and operating system as required.
CloudEngine 1800V
Software switch
N1 Advanced software package (A): All functions of the Foundation software package
LB, NAT, DHCP, container
N1 Foundation software package: Basic software, CE1800V managed by Agile Controller-DCN
+
+
+
+
CloudEngine
1800V
Sales of fixed devices: underlay and third-party
controller interconnection scenario
Add-on software package (AI Fabric, MACsec, etc.)
Management software package (The default value of SnS is 0, excluding new functions of the software package.)
Hicare maintenance service unchanged
Solution sales: Agile Controller-DCN + FusionInsight
Promotes Sales of Hardware Switches in Virtualization
and Cloud-Network Integration Scenarios
Advanced
software
package
(single-DC
enhancement
and multi-DC)
Foundation
software
package
(Single DC,
basic functions
of Agile
Controller-DCN
+ FusionInsight)
Package
(single-DC
enhancement
and multi-DC)
CE1800V Advanced software package (One for each server, with 10 Gbit/s traffic as the measurement principle)
Hicare maintenance service unchanged
Hicare maintenance service unchanged
Solution sales: CE1800V and Agile Controller-DCN Are
Sold as a Bundle in Container Interconnection Scenarios
Compared with the Traditional Model, the N1 Model Is Cost-Effective and Has More Flexible Functions
Commercial Comparison of Solution Sales Scenarios: Simplified Quotation, Low Price, and Flexible License Transfer (SnS)
Commercial Comparison of Pure Hardware Device Sales Scenario: New Hardware, More Functions, and Lower Price
CE6865 (22500) < CE6881 (20000 + Management software package 4500)
Bundle (36000) + software is the same as the old hardware, and the microsegmentation capability is stronger.
Model | Description | Unit List Price | Quantity | Total List Price
AC-DCN-SW Platform | Agile Controller-DCN software platform | 10,000 | 3 | 30,000
AC-DCN-SW Platform-SnS-3Y | Three-year SnS of Agile Controller-DCN software platform | 5,100 | 3 | 15,300
AC-DCN-Fixed | Management of each fixed device by Agile Controller-DCN | 11,800 | 50 | 590,000
AC-DCN-Fixed-SnS-3Y | Three-year SnS of management of each fixed device by Agile Controller-DCN | 6,018 | 50 | 300,900
CE68-LIC-VXLAN | CloudEngine 6800 VXLAN Function | 8,000 | 50 | 400,000
CE68-LIC-TLM | CE6800 Telemetry Function | 6,000 | 50 | 300,000
Total | 1,636,200

Model | Description | Unit Price | Quantity | Total List Price
N1-CE68LIC-CFFD | N1-CloudFabric Foundation SW License for CloudEngine 6800 | 9,900 | 50 | 495,000
N1-CE68CFFD-SnS1Y | N1-CloudFabric Foundation SW License for CloudEngine 6800-SnS-1 Year | 1,980 | 150 | 297,000
Total | 792,000
Cost-effective price and simple quotation: The controller platform is free of charge, which reduces the
threshold for using the solution. The total list price of a single TOR N1 software package is reduced by
40% compared with the traditional model. For example, in the case of 50 TOR switches, the total list price of
the N1 model is reduced by 50% compared with that of the traditional model, which is the same as that of CE
switches. The order placement process is simpler.
Flexible license transfer to protect customers' investment. The license is more flexible. The software
used on the old hardware can be switched to the new hardware that is upgraded based on the old
hardware, building customer loyalty. The customer does not need to purchase the software again,
which protects the customer's software investment.
Traditional Model N1 Model
Model | Description | List Price
CE6857-EI-B-B0B | CE6857-48S6CQ-EI switch (48*10GE SFP+, 6*100GE QSFP28, 2*AC power modules, 4*fan modules, port-side intake) | 18900
CE68-LIC-VXLAN | CloudEngine 6800 VXLAN Function | 8000

Model | Description | List Price
CE6881-48S6CQ-B | CE6881-48S6CQ-B switch (48*10G SFP+, 6*100G QSFP28, 2*AC power modules, 4*fan modules, port-side intake) | 14400
N1-CE68LIC-CFMM | N1-CE68LIC-CFMM, N1-CloudFabric Management SW License for CloudEngine 16800 | 4500
Traditional Model N1 Model
The hardware price of new models is gradually shifted to software. In the project, try to persuade customers to configure VXLAN on uplink 100G ports. The CE6820 is recommended in non-
VXLAN scenarios. The CE6820 has a lower price than the CE6881.
The N1 Foundation software package is recommended if required functions are not included in the Management software package.
Commercial Comparison: N1 Management software package ($4,500) + Telemetry ($6,000) > N1 Foundation software package ($9,900)
100GE 400GE40GE10GE
48*10GE 36*40GE 36*100GE
18*100GE24*40GE
48*100GE 36*400GE
16
CE16800
08
04
GA on September 30, 2019
72*25/10+6*100GE
48*25/10+4*100GE
GA on July 30, 2019
48x10G
48*10G FD
FD1:Support 25G;
IEEE 1588V2
FG:4M FIB
Uplink 2*40GE+2*100GE
36*40G FD
24*40G FD
12*100G FD 36*100G FD
24 GB buffer8 GB buffer
16*100G FD
8*100G FG
36*100G FG
16 GB buffer,
2 MB FIB
16 GB buffer, MACsec
IEEE 1588v2
4 GB buffer,
MACsec, 2 MB FIB
16
08
0404S
08S
CE12800/CE12800S
36*100G SD
64 MB buffer,
Cost-effective
18*40G+18*100G
V2R5C20
V3R20C00
CloudEngine 16800 Roadmap
48*400GE POC
V3R20C00 has not passed the PDCP, and the roadmap planning may change. Therefore,
V3R20C00 cannot be used as a formal commitment to customers.
CloudEngine TOR Switch Roadmap
~2018
10G
25G
40G
100G
400G
GE CE5855
CE6851
CE6856
CE6880
High
(Large buffer)CE6870 CE6875
ENP
CE6860
CE7855
CE8850-32
CE8860
CE6865
CE8861
CE8850-64
CE5880
CE6857
25G, AI Fabric, 1588,
microsegmentation
GE VXLAN
Low (Layer 2)
Middle
V2R5C20
2019 2020
CE6810
CE6881
CE6863
CE6820
GA on September 30, 2019
2020.7.30GA
CE8851: 32*100+8*400GE
CE8852: 96*100GE
V3R20C00
CE6866 HI: 48*25+8*100GE
CE6866: 48*25+8*100GE
V3R20C00 has not passed the PDCP, and the roadmap planning may change. Therefore,
V3R20C00 cannot be used as a formal commitment to customers.
RDMA Effectively Improves Throughput and Reduces Latency, but Current Network Bearer Solutions Have Disadvantages
Challenges: Packet loss: The packet loss rate of 1% decreases the RoCE throughput from
100% to 0. However, packet loss on traditional Ethernet networks in best-effort (BE) mode is inevitable.
Introduction to RDMA/RoCE
Technical description: RDMA technology implements kernel bypass and zero copy of the buffer,
provides RDMA read/write access between remote nodes, and implements the control plane protocol in the NIC hardware.
RDMA technology is used in HPC, distributed storage, and AI scenarios to reduce the CPU load and latency, greatly improving the application performance.
RoCEv2 migrates RDMA traffic to the ETH/IP network. In this way, the ETH/IP network supports HPC, distributed storage, and AI application deployment, and is required to provide the same network performance as memory access.
vs.
RDMA over InfiniBand
Advantage: Zero packet loss, low latency, and high throughput
Disadvantage: Manual O&M performed by dedicated personnel, high cost
Proprietary Technology, Dedicated Network
RDMA over CEE (current)
Advantage: SDN automation, low price
Disadvantage: High latency and low throughput
Open Ethernet, Converged Network
Current RDMA Network Bearer Solutions (IB vs. CEE)
Item | IB | CEE
Performance | High | Low
O&M | Difficult | Easy
Price | High | Low
Scale | Small | Ultra-large
Others | Dedicated network | Cloud-network synergy
Dynamic ECN: Local device-level intelligence (implemented by the intelligent chip)
Question: Statically configured threshold, static queue type
• Set priorities through multiple queues
• Prevent packet loss through PFC backpressure
• Use ECN to notify the transmit end to avoid congestion
ECN threshold, PFC threshold
Basic Flow Control Model
Queue
AI ECN: Global network-level intelligence (optimal application experience)
The CPU sensitivity is a key indicator.
Set the optimal threshold based on the current traffic model.
The queue type and threshold are the key.
Application-based priority queues are generated based on application requirements.
AI chip
Application-oriented optimal queue on the entire network
Local optimal threshold based on intelligent chip detection
Set the optimal threshold based on the current traffic model.
Local optimal threshold based on CPU’s dynamic ECN
CPU
LSW chip
Static ECN: Local device-level intelligence (implemented by the CPU)
November 2019
The threshold is set by the CPU.
Static ECN performance: 50% higher than that of other vendors
Static ECN performance: 30% higher than that of other vendors
AI Fabric Implements Zero Packet Loss, Low Latency, and High Throughput Based on the Ethernet to Meet Service Requirements in the AI Era
CloudEngine 6865/8850/8861 CloudEngine 16800Mainstream solutions in the industry
CPU
LSW chip
Intelligent chip
Five Scenarios of CloudFabric Solution: Based on Whether the Controller
and Cloud Platform Are Available
FusionSphere Third-party OpenStack
Scenario 3: computing and hosting with the controller but no cloud platform
Scenario 4: Cloud platform, third-party controller, and OpenStack interconnection
Network administrator
Computing administrator
Network administrator
Service administrator
Remarks: The network overlay supports centralized and distributed deployment. The distributed solution is recommended. The centralized mode does not continue to evolve. The hybrid overlay supports only the distributed mode.
Network overlay Network overlayHybrid overlay
System Center/vCenter
Network overlay Network overlay
Scenario 2: Cloud platform and third-party controller
Scenario 1: Underlay, without the cloud platform or controller
Network administrator
Underlay
CloudEngine Layer 2 VTEP
VMware NSX controller
Third-party configuration tools such as Ansible or Microsoft Azure
Service administrator
Network overlay extensionCloudEngine 1800V
ComputingHosting
Cloud platform and network association
Container platform and network association
Scenario 5: Cloud platform, third-party controller, and container cloud interconnection
Kubernetes
Agile Controller-DCNSecoManager
Agile Controller-DCNSecoManager
Agile Controller-DCNSecoManager
New
ContainerOverall Intent SummarySFC Microsegmentation
Features of the CloudFabric Solution in Five Scenarios
Item Functional Unit Network Virtualization Cloud-Network Integration Container Cloud
Cloud
management
platform
Cloud management
platform
Hosting
(No cloud platform)
Microsoft
System Center
VMware
vCenterFusionSphere
Third-party
OpenStackKubernetes
Controller
Active/Standby controller
clusterSupported Supported Supported
Supported SupportedNot supported
RTT of remote controller
cluster < 50 ms (less
than 250 km)
Supported Supported Supported Supported Supported Supported
L2-L3 network
Overlay mode Network overlay Network overlay Network overlay Network overlayNetwork overlay
Hybrid overlay
Network overlay
Extend
ZTP User-defined, wizard-based, and one-click ZTP
Intent Pre-event simulation, resource and connection verification, and device fault impact analysis
IPv6 Supported Supported Supported Supported Supported Not supported
L4-L7 security
IPv4 microsegmentation
(new models) Supported Supported Supported Supported Supported Not supported
IPv4 SFC Supported Supported Supported Supported SupportedNot supported
Server access Type N/A Microsoft Hyper-V VMware ESXiFusionCompute
BMSKVM Container
DCI Interconnection type IPv4 L2&L3 IPv4 L2&L3 IPv4 L2&L3 IPv4 L2&L3 IPv4 L2&L3 IPv4 L2&L3
The texts in red refer to new functions in V1R19C00.
Inline deployment causes complex configuration of the control plane.
Diversified policies are deployed, and ACLs become the bottleneck.
NSH: NSH Copes with Challenges Brought by Diversified DC Security to the Network
• The switch needs to eliminate the ACL bottleneck.
• Security policies need to be configured on the GUI.
• Security devices are pooled, implementing scaling on demand.
The security service is coupled with the physical topology, leading to low scalability.
App 1 App 2 App n……
QoS, routing, O&M, and security policies
Static traffic diversion depends on the physical topology
NSH-based SFC in the CloudFabric Solution Solves the ACL Bottleneck of Switches
VMWAN
SFP 1
VAS resource pool
VM resource pool
External network
PBR-based forwarding: 3 ACL rules, 3 policy-based routes
ACL entry bottleneck
NSH VAS resource pool supported
VM resource pool
External network
NSH-based forwarding
One ACL rule, one policy-based route
PBR depends heavily on ACL entries. NSH overcomes entry restrictions.
Add the NSH
Solution 1
NSH added
Original packet
Solution 2
Case 1: At a bank, PBR and antivirus preempt ACLs. As a result, ACLs are insufficient and services fail to be provisioned (due to conflicts with security policies).
Case 2: A financial institution deploys microsegmentation and traditional PBR. As a result, the ACL overflow function fails (due to conflicts with microsegmentation).
Solution benefits: Traffic is forwarded based on the SPI in the NSH, which does
not consume ACLs. Compatibility with the live network: The solution supports
two modes: NSH aware and unaware (proxy). The number of ACLs is reduced by more than half.
VMVMVM
OVS
VMVMVM
OVS
NSH VAS resource pool not supported
NSH-based SFC in the CloudFabric Solution Provides Standard Interconnection
and Delivers Simplified and Efficient VAS Orchestration
Note: The proprietary SFC solution of some vendors in the industry uses the VXLAN extended field to identify the SPI and cannot interconnect with third parties, forming a closed ecosystem.
Service leaf
VM8Internet
SFP 2
VM5VM2
SFP 1
VAS resource pool
Simplified deployment
Defining SFC in drag-and-drop
mode
Flexible orchestration
Full decoupling from the fabric
Efficient forwarding
The ACL consumption is reduced
by more than half.
Solution implementation:
The RFC-compliant NSH solution replaces the traditional PBR solution.
Agile Controller-DCN globally configures the NSH to identify the service path.
Traffic is forwarded based on the NSH at each hop. NSH-based SFC uses an
independent forwarding table, which does not consume ACLs.
Product selection:
CloudEngine CE5880, CloudEngine 6880, CloudEngine 6881, CloudEngine 6863, CloudEngine 12800E, CloudEngine 16800
Highlights:
Standard SFC: complies with RFC, provides good interoperability, and
maintains compatibility with third-party NSH devices.
Large specifications: The chip supports 20K SFC entries, which is two times higher than commercial chips.
VMVMVM
OVS
Resource pooling deployment
Traditional isolation brings traffic bypassing.
Traditional security depends on different service partitions.
Microsegmentation Copes with Challenges Caused by Diversified DC Security
• Cloud sharing and security isolation create a conflict.
• Access switches support security isolation. • Switches need to eliminate the ACL bottleneck.
Due to diversified isolation policies, ACLs become scarce resources.
Web App Database
External network Untrusted
Source: Forrester Research
Zero-trust security model was proposed in
2012.
Internal network
Segmentation
Subnet
Microsegmentation
VM name/Container
Discrete IP address
Spine
VTEP
VMVMVM
OVS
Server leaf
VTEP
VMVMVM
OVS
Server leaf
VM name = Web*
Microsegmentation solves the problem of the zero-trust security model. Compared with the zero-trust security model, microsegmentation provides security isolation in a more fine-grained manner. It covers physical machines and addresses east-west security issues.
Microsegmentation Provides Fine-grained Security Isolation
SegmentationMicro
Microsegmentation
SubnetVM name/Container
Discrete IP address
OS typeOrganization
name
Web 1 Web 2
Web 3 Web 4
Security group = App
App 1 App 2
App 3 App 4
Operating system = Linux
Linux Linux
Linux Linux
IP
IP1=10.0.0.1
IP2=10.0.0.2
MAC
MAC1=11-
11-11
MAC1=22-
22-22
VLAN=10
DB1 DB2
DB3 DB4
Microsegmentation Solves the ACL Bottleneck of Switches
VM
Microsegmentation
VAS resource pool
VM resource pool
External network
Divert traffic to the firewall: 3 ACL rules, 3 policy-based routes
ACL entry bottleneck
VM resource pool
External network
Microsegmentation-based isolation: 0 ACL rule, 0 microsegmentation policy
PBR depends heavily on ACL entries. Microsegmentation overcomes entry
restrictions.
Solution 1 Solution 2
Case 1: At a bank, PBR and antivirus preempt
ACLs. As a result, ACLs are insufficient and
services fail to be provisioned (due to conflicts
with security policies).
Solution benefits:
Microsegmentation used to isolate east-west
traffic on switches instead of firewalls
VMVMVM
OVS
VMVMVM
OVS
VM resource pool
VMVMVM
OVS
VM
OpenStack
Microsegmentation Provides East-West Security Isolation in a Fine-grained Manner
Server leaf
VTEP
Server leaf
Spine
Server leaf
VMVMVM
OVS
Border leaf
VTEP
VMVMVM
OVS
Server leaf
VTEP
BM
FusionSphere
Interconnection with FusionSphere
Interconnection with OpenStack
Product selection:
Microsegmentation-supported models: CloudEngine 6880, CloudEngine 6881, CloudEngine
5880 (sold only outside China), CloudEngine 6857, CloudEngine 6865, CloudEngine 8861, and
CloudEngine 8868.
VTEP
VMVMVM
OVS
①North-south isolation
②East-west isolation
Unified isolation
Microsegmentation implements the zero-trust security model. It provides security
isolation based on discrete IP addresses and VM names, and covers PMs. It can
uniformly isolate traffic of VMs and BMs.
Large specifications
The mask length of the EPG member is not limited. Each EPG of the commercial chip
supports a maximum of three mask lengths.
Efficient forwarding
Microsegmentation has a unique value in mutual access control scenarios that have
high forwarding efficiency and low security requirements. There is no traffic bypassing
problem, and the forwarding performance is not a bottleneck.
(Secondary orchestration)
Intelligent O&M: FabricInsight Provides Specified Flow Analysis, Edge Intelligence + Cloud Training, and 100% Traffic Visualization
Switch-based load balancing
Collector
Collector
SNMP: device management
ERSPAN: full flows
gRPC: performance indicators
NetStream v9: specified flows
Big Data
Query
Filter
Aggregation
TCPVisualized
FabricInsight
UDP RoCE
1
2
Distributed intelligence: Switches provide edge intelligence, analyze flows, and send them to the cloud for processing. The analyzer configuration is reduced by five times. Device Type (V1R19C10): CloudEngine 6881, CloudEngine 6863, CloudEngine 16800. Device Type (V1R19C00): CloudEngine 6865, CloudEngine 8850-64CQ, CloudEngine 6857, CloudEngine 12800.
TCP Fine-grained capability: FabricInsight analyzes all packets of a specified flow and displays the network quality on the GUI. CloudEngine 6800, CloudEngine 7800, CloudEngine 8800, CloudEngine 12800, CloudEngine 16800
Multi-protocol processing capability: Distributed flow awareness based on Telemetry and multi-protocol full-data packet analysis (TCP/UDP/RoCE)
Co-processor, edge intelligence
Cloud training
Thank you!