
Huawei DC Solution Presentation

The document summarizes the Huawei CloudEngine 16800 data center core switch portfolio. Key points: 1) The CloudEngine 16800 is a 400G platform that supports 10GE, 40GE and 100GE interfaces, and includes an AI engine. 2) It has an orthogonal architecture with backplane-free cabling, strict front-to-back airflow and mixed-flow fans for efficient heat dissipation. 3) The Agile Controller and FabricInsight software provide simplified lifecycle management and network-wide health monitoring.

Uploaded by

Naveen Pandey

Roadshow DC + Agile Controller

Мазитов Алмаз (Almaz Mazitov)
Lead Network Products Manager, HUAWEI
CloudEngine Series Data Center Switch Portfolio

Core Switches Access Switches

CloudEngine 16800 (new)


10GE TOR switch (new)

CloudEngine 6881-48S6CQ

25GE TOR switch (new)

CloudEngine 6863-48S6CQ

CloudEngine 16816 CloudEngine 16808 CloudEngine 16804


CloudEngine 16800: Leading Hardware Architecture, Extensive Software Features, and Complete
Solution Mapping Capabilities

Leading Hardware Architecture
• Orthogonal architecture, backplane-free cabling, strict front-to-back airflow, cell switching
• Mixed-flow fan, VC phase change heat dissipation
• Smooth evolution to 400G
• AI engine (V1R19C10)

Extensive Software Features
• Flexible NSH: Flexible and simplified VAS deployment
• High security: Microsegmentation (VM-level security isolation)
• Telemetry technology, detecting the network quality in real time
• Edge intelligence and local processing of network behaviors

Complete Solution Mapping Capabilities
• Agile Controller-DCN provides simplified deployment capabilities throughout the life cycle.
• FabricInsight analyzes TCP flows and network-wide health.

[Figure: CloudEngine 16816, CloudEngine 16808 and CloudEngine 16804 chassis; line cards 48*10GE, 24*40GE, 36*40GE, 18*100GE, 36*100GE]

CloudEngine 16800: 400G platform supports 10GE, 40GE, and 100GE interfaces, and AI engine.
Hardware Architecture: Industry-leading Architecture Design and Innovate Heat Dissipation

Orthogonal Architecture
• Backplane-free cabling
• Higher chassis bandwidth

Strict Front-to-Back Airflow Design
• Independent front-to-back airflow
• Even heat dissipation, basic requirements for data centers

Non-blocking Switching
• Cell switching, VoQ
• Balanced traffic distribution, higher bandwidth usage

Mixed-flow Fan, VC Phase Change Heat Dissipation
• Leading energy-saving design
• Mixed-flow fan, VC phase change heat dissipation
• Air volume three times higher than the industry average, greatly reducing noise

[Figure: air intake and air exhaust paths; line card; heat dissipation fin, VC heat dissipation substrate, chip]

The CloudEngine16800 supports the network lifecycle of four generations of servers and smooth evolution to 400G.
Introduction to CloudEngine 16800

• The CloudEngine 16808 has 10 power modules in total.
• Two MPUs: 1+1 redundancy
• The CloudEngine 16808 has a total of eight slots.
• The CloudEngine 16808 has three fan trays.
• The CloudEngine 16808 has up to nine SFUs and supports N+1 or N+M redundancy.

Specification | CE16804 | CE16808 | CE16816
Dimensions (W x D x H, mm) | 482.6 x 990.3 x 437 (10U) | 482.6 x 990.3 x 703.6 (16U) | 482.6 x 1149.2 x 1435.7 (32U)
Switching capacity | 43 Tbit/s | 86 Tbit/s | 173 Tbit/s
Packet forwarding rate | 11,280 Mpps | 22,560 Mpps | 45,120 Mpps
LPU slots | 4 | 8 | 16
MPU | 1+1 (all models)
SFUs | 6 (scalable to 9 for future expansion) (all models)
Architecture | Clos switching architecture, cell switching, VoQ (all models)
Number of fan trays | 3 | 3 | 3
Number of power supplies | 6 | 10 | 20
Power input | DC: 2200 W (-48 V/-60 V); AC/HVDC: 3000 W (AC: 220 V, HVDC: 240 V/380 V) (all models)
CloudEngine 16800: 100G/40GE/10GE Line Cards

[Figure: line cards 36*100GE QSFP28, 18*100GE QSFP28, 36*40GE QSFP+, 24*40GE QSFP+, 48*10GE SFP+]

Item | 100GE Line Card | 100GE Line Card | 40GE Line Card | 40GE Line Card | 10GE Line Card
Card name | CEL36CQFD-G | CEL18CQFD-G | CEL36LQFD-G | CEL24LQFD-G | CEL48XSFD-G
Port | 36*100GE/36*40GE/144*25GE/144*10GE | 18*100GE/18*40GE/72*25GE/72*10GE | 36*40GE/144*10GE | 24*40GE/96*10GE | 48*10GE
ACL | 6*7.5K | 3*7.5K | 3*7.5K | 2*7.5K | 1*7.5K

Item (all cards) | Standard mode | Large routing mode | Large MAC mode
MAC address table | 96K | 32K | 256K
FIB (IPv4/IPv6) | 220K/80K | 256K/80K | 128K/64K
ND | 80K | 80K | 64K
ARP <Non-contiguous and contiguous MAC addresses> | 96K-220K | 96K-256K | 96K-128K
MPUs of the CloudEngine 16800

MPU | Description
CE-MPUD-HALF | Half-width MPU, adapting to the CloudEngine 16804/CloudEngine 16808
CE-MPUD-FULL | Full-width MPU, adapting to the CloudEngine 16816

• The CloudEngine 16804/CloudEngine 16808 uses half-width MPUs, and active and standby MPUs are installed side by side.
• The CloudEngine 16816 uses full-width MPUs, and the active and standby MPUs are arranged vertically.
• HiSilicon CPU: 16-core, single-core 1.8 GHz
• Memory: 8 GB
• CMU
• Integrated AI chip (GA in February 2020)
• 1588v2 (GA in February 2020)

[Figure: half-width MPU of the CloudEngine 16804/CloudEngine 16808; full-width MPU of the CloudEngine 16816]
SFUs of the CloudEngine 16800

SFU | Performance
CE-SFU04G-G | 8.4 Tbit/s
CE-SFU04F-G | 4.2 Tbit/s
CE-SFU08G-G | 16.8 Tbit/s
CE-SFU08F-G | 8.4 Tbit/s
CE-SFU16G-G | 28.8 Tbit/s
CE-SFU16F-G | 16.8 Tbit/s

[Figure: SFU04, SFU08, SFU16]
Mapping Between Cards and SFUs of the CloudEngine 16800

Number of SFUs
Device Model Card SFU Required for Line-
rate Forwarding
36*100GE CE-SFU04G-G/ CE-SFU08G-G/CE-SFU16G-G 5
CE-SFU04F-G/ CE-SFU08F-G/CE-SFU16F-G 4
36*40GE
CE-SFU04G-G/ CE-SFU08G-G/CE-SFU16G-G 4
CE-SFU04F-G/ CE-SFU08F-G/CE-SFU16F-G 4
CE 16804/ 48*10GE
CE16808/ CE-SFU04G-G/ CE-SFU08G-G/CE-SFU16G-G 4
CE16816
18*100GE CE-SFU04F-G/ CE-SFU08F-G/CE-SFU16F-G 5
CE-SFU04G-G/ CE-SFU08G-G/CE-SFU16G-G 5

24*40GE CE-SFU04F-G/ CE-SFU08F-G/CE-SFU16F-G 4


CE-SFU04G-G/ CE-SFU08G-G/CE-SFU16G-G 4

Remarks: The CloudEngine 16800 uses the 6-plane SFU design.


Recommended CE Series Switch Model — CloudEngine 6881& CloudEngine 6863

CloudEngine 6881-48S6CQ: four fan trays (one fan module in each tray), 1+1 power redundancy
CloudEngine 6863-48S6CQ: four fan trays (one fan module in each tray), 1+1 redundancy

Both models:
• Diversified DC features: M-LAG, iStack, VXLAN, and BGP EVPN
• Hardware-based BFD
• Telemetry and ERSPAN enhancement
• Microsegmentation and NSH

Parameter | CloudEngine 6881-48S6CQ | CloudEngine 6863-48S6CQ
Port model | 48*10GE SFP+ and 6*100GE QSFP28 (Each QSFP28 port can be used as one 40GE QSFP+ port) | 48*25GE SFP28 and 6*100GE QSFP28 (Each QSFP28 port can be used as one 40GE QSFP+ port)
Switching capacity | 2.16 Tbit/s | 3.6 Tbit/s
Forwarding performance | 940 Mpps | 940 Mpps
Maximum number of stacked switches | 16 | 16
Buffer capacity | 42 MB | 42 MB
Performance specifications | FIB (v4/v6): 256K/80K, MAC: 256K, ARP: 256K | FIB (v4/v6): 256K/80K, MAC: 256K, ARP: 256K
Recommended Mapping Version for CloudFabric Solution V1R19C00
Device Series Device Model Software Version
(1) Network overlay: FusionCloud 6.5 (private cloud based on
Mitaka, supporting IPv6)
Cloud computing FusionCloud
(2) Network overlay: FusionCloud 6.3.1 (based on Mitaka, and
integrating some features of Ocata)
CE16800 series CE16800 series: CE16804, CE12808, and CE16816
V200R005C20
CE6800 series CE6863-48S6CQ and CE6881-48S6CQ
CE1800V (OpenStack Mitaka + KVM CentOS7.2, OpenStack
vSwitch Ocata + KVM CentOS7.3, OpenStack Queens + KVM (1) V100R019C00 (2) V100R002C10 (3) V100R002C00
CentOS7.5)
SdSec solution V100R019C00
Old hardware firewall:
USG6660/Eudemon1000E-N6, USG6670/Eudemon1000E-
Old hardware firewall: V500R005C20 (for both carriers and
N7, USG6680/Eudemon1000E-N7E,
enterprise networks)
USG9520/Eudemon8000E-X3, USG9560/Eudemon8000E-
X8, USG9580/Eudemon8000E-X16

SdSec solution New hardware firewall:


New hardware firewall: V600R007C00 (for both carriers and
SG6650E/Eudemon1000E-G5, USG6680E/Eudemon1000E-
enterprise networks)
G8, USG6712E/Eudemon1000E-G12,
Forward compatibility: V600R006C00
USG6716E/Eudemon1000E-G16
V500R005C20 (for both carriers and enterprise networks)
vNGFW:
USG6000V8/Eudemon1000E-V8
SecoManager V500R019C00
CIS V100R007C00
Agile Controller Agile Controller-DCN V300R019C00
eSight eSight-Solution V300R010C10
FabricInsight FabricInsight V100R019C00
Programmable Key Components, Flexible Customization of Service Functions

Fragmentation Hardware BFD Microsegmentation NSH-based SFC VXLAN over IPv6


and reassembly

...

Rapid response to service requirements

FuncEdit
NETCONF CLI SSH SNMP OpenFlow gRPC
Forwarding chip
NETCONF
VRP Linux container

CPU
Linux and driver

Quad-core CPU: Co-processor Adjustable Adjustable entry


 Protocol packet  Hardware BFD processes resources
processing  High-performance
 FIB entry delivery sFlow New service Enhanced service
 ...  ... processes processes
Intra-card CPU chip Forwarding chip
NSH-based SFC Provides Easy VAS Orchestration

Simplified Deployment
The SDN controller defines SFC in drag-and-drop mode.

Flexible Orchestration
Decouple VAS functions from fabrics, providing flexible orchestration.

Efficient Forwarding
Traffic diversion for one time, saving ACL resources and providing simple configuration

[Figure: service chain through FW, IDS, LB and NAT in a VAS resource pool, reached over switches from the App and WEB tiers]
Microsegmentation Achieves Fine-grained Isolation and Service Security

Fine-grained Defense
Define applications based on VM names and discrete IP addresses, with fine granularity.

Distributed Security
Traffic of access switches is filtered nearby and east-west isolation is implemented without using firewalls.

Flexible Deployment
Define services based on application groups and decouple them from subnets to achieve flexible deployment.

[Figure: VM 1 (1.1.1.1), VM 2 (1.1.1.2), VM 3 (1.1.1.3), VM 4 (2.2.2.1), VM 5 (2.2.2.2), VM 6 (2.2.2.3). As Is: Subnet-based isolation. To Be: VM-level isolation]
Industry-leading Telemetry Technology Achieves Visualized and Controllable Networks or Services in
Real Time

As-Is: Network Device Used as Black Boxes
• SNMP/NETCONF query/response mechanism, and minute-level reporting
• Microburst detection is not supported, and traffic details cannot be detected.
• The traditional network device reports only logs and alarms, but cannot collect packet characteristic information such as the delay and packet loss.

To-Be: Visualized Network Management and Control
• gRPC subscription/active reporting mechanism, and millisecond-level reporting
• The CloudEngine 16800 monitors the microburst status, detects traffic details, and predicts congestion in real time.
• The CloudEngine 16800 uses the intelligent analysis algorithm to detect packet characteristic information such as the delay, packet loss, and packet loss location in real time.

[Figure: traditional NMS using SNMP and NETCONF toward the device CPU and forwarding chip, compared with a collector and analyzer using gRPC, flow table, NetStream, ERSPAN, ERSPAN+ and Protobuf over UDP toward the CPU, AI chip, NP and forwarding chip]
CloudEngine fixed switches: Diversified Models in All Scenarios and Sustainable Supply
The model in red can be New Model in
Planning in V3R20C00
V2R5C20
CE5855-48T4S2Q-EI
supplied continuously.
GE
CE5855 CE5855-24T4S2Q-EI

4 GB large buffer, CE6870-48T6CQ-EI Large buffer, CE6875-48S4CQ-EI


100GE uplink 100GE uplink
CE6870-48S6CQ-EI MACsec CE6875
High-end (large CE6870 CE6870-24S6CQ-EI
buffer) CE6880-24S4Q2C-EI
10GE optical downlink
CE6880
10G Mid-range (VXLAN) Loopback on CE6855-48S6Q-HI Memory: 2 CE6856-48T6Q-HI
interface card CE6855-48T6Q-HI GB -> 4 GB
CE6856-48S6Q-HI 10GE optical downlink,100GE uplink
CE6851-48S6Q-HI CE6855 CE6856 CE6881-48S6CQ

Medium (non-VXLAN) CE6820-48S6CQ


CE6810-48S4Q-LI
Low-end CE6810
CE6810-32T16S4Q-LI Layer 3 functions
(Layer 2)
AI Fabric, 1588, CE6866-48S8CQ-PH
microsegmentation
25G Medium CE6865-48S8CQ-EI CE6863-48S6CQ
CE6860-48S8CQ-EI CE6866-48S8CQ-P

40G Fixed CE7855 CE7855-32Q-EI Evolution stopped

Four subcards Four subcards AI Fabric, microsegmentation


Extensible CE8860-4C-EI CE8861-4C-EI

100G
Fixed AI Fabric and 1588 1U:CE8851-32CQ8DQ-P
CE8850-32Q-EI CE8850-64CQ-EI
2 U: CE8852-96CQ-P

Note:
(1) CloudEngine 6881, CloudEngine 6863, and CloudEngine 6820: GA on September 30, 2019.
(2) The models planned for V3R20C00 may change at any time. For the latest models, contact DCN product management personnel.
Panorama of CloudEngine Modular Switches: Continuous Expansion in Installed Base Markets and
Steady Switching in New Markets
New Model Planning in
The model in red can be supplied continuously. V3R20C00
in V2R5C20
GE 10GE 40GE 100GE 400GE

FDA: Built-in 2*40GE, CE-12CQ-FD


2*100GE CE-24LQ-FD
16 F series cards CE-48XS-FD/FDA CE-36CQ-FD
CE-36LQ-FD
36-port SFU with N+1
08S
redundancy
08
04S
04
CE-L24XS-EC CE-L24LQ-EC1
CE-L48GS-EA
E series cards CE-L48XT-EC
CloudEngine12800/12800S
CE-L48GT-EA CE-L04CF-EF
CE-L48XS-
EA/EC/ED/EF

16
CEL48XSFD-G CEL36LQFD-G CEL36CQFD-G

FD-G series cards CEL18CQFD-G


CEL24LQFD-G
08

04 72*25/10G+4*100G 36*400G
CEL72XSHGA-P 48*100G CEL36DQHG-P
-P series cards CEL48CQHG-P
48*25/10G+4*100G 48*400G
CloudEngine16800 CEL48XSHGA-P CEL48DQHG-P

Note:
(1) CloudEngine 16804/CloudEngine 16808/CloudEngine 16816 and all its cards reach GA on September 30, 2019.
(2) The models planned for V3R20C00 may change at any time. For the latest models, contact DCN product management personnel.
SDN Baseline Networking of Category C Cards: Layer 3 Architecture Scenario

10/100GE servers are connected to uplink 100GE ports.


In Layer 3 networking, border leaf nodes and spine nodes Device Role Device Model Selection Basis
are independently configured.
10G server access
If the number of physical servers on the entire network exceeds
200 or the number of VMs exceeds 6000, you are advised to use Server leaf CloudEngine 6863-48S6CQ 25G server access
the three-layer architecture where border leaf nodes and spine 100G card recommended: CEL36CQFD-G and CEL18CQFD-G
nodes are independently deployed. CloudEngine 16800 40G card recommended: CEL36LQFD-G and CEL24LQFD-G
10G card recommended: CEL48XSFD-G
100G card recommended: CEL36CQED1-E and CEL18CQED1-E
Spine CloudEngine 16800
DC2 Service leaf 40G card recommended: CEL36LQED1-E and CEL24LQED1-E
100G card recommended: CEL36CQED1-E and CEL18CQED1-E
CloudEngine 16800 40G card recommended: CEL36LQED1-E and CEL24LQED1-E
Border leaf 10G card recommended: CEL48XSED1-E
Multi-active M-LAG
CloudEngine 6881-48S6CQ
Border leaf
Service leaf CloudEngine 6881-48S6CQ 10G VAS device access
Fabric gateway 1. VAS device in (when there are VAS device access
service mode a large number 100G card recommended: CEL36CQED1-E and CEL18CQED1-E
of NFV NEs or CloudEngine 16800
40G card recommended: CEL36LQED1-E and CEL24LQED1-E
VAS devices) 10G card recommended: CEL48XSED1-E
2. VAS device in
100G card recommended: CEL36CQED1-E and CEL18CQED1-E
bypass mode Spine CloudEngine 16800 40G card recommended: CEL36LQED1-E and CEL24LQED1-E
Fabric gateway 10G card recommended: CEL48XSED1-E
CloudEngine 6881-48S6CQ
M-LAG
Combination of the border leaf node and North-south gateways and VAS devices do not need to be
Server Leaf service leaf node expanded.

Design principle:
• The solution does not support automatic loop acknowledgment in loop detection, suspected loop reporting, or path detection based on ICMP packets. The solution supports path detection based on TCP/UDP packets.
• The solution in which FabricInsight is used supports IPv4 and does not support IPv6. The solution does not support overlay multicast or traffic statistics collection on Layer 2 sub-interfaces.
CloudFabric N1 Software Package Covers All Scenarios, Hardware, and Features
Agile Controller-DCN FabricInsight
Purchase or prepare the hardware platform Purchase or prepare the hardware platform Sales of fixed devices: underlay and third-party
and operating system as required. and operating system as required.
controller interconnection scenario
Agile Controller-DCN software platform free
FabricInsight big data analytics platform
of charge
Management Add-on
software package software Hicare
CloudEngine hardware switch CloudEngine 1800V (The default value of maintenance
SnS is 0, excluding
package service
Add-on software package
AI Fabric package
Value-added scenario function Software switch new functions of the (AI Fabric, unchanged
Security package (MACsec) software package.) MACsec, etc.)
Intelligent network analysis value-added package (traffic analysis)
Telco cloud DC gateway package (NEs managed by Agile Controller-DCN)
Solution sales: Agile Controller-DCN + FusionInsight
N1 Advanced
Promotes Sales of Hardware Switches in Virtualization
software package (A)
N1 premier software package All functions of the
and Cloud-Network Integration Scenarios
Enterprise edition (future)
All functions of the Advanced software package Foundation software Foundation
Intent assurance package...
package software Advanced
LB, NAT, DHCP, container package software Package Hicare
N1 Advanced software package SDN enhancement scenario (single-
+ (Single DC, package (single-DC maintenance
All functions of the Foundation software package N1 Foundation basic functions (single-DC enhancement service
MPLS/SR and NSH-based SFC
DC enhancement and multi-DC)
V1R19C10: multi-DC automation (MDO)... software package + of Agile enhancement and multi-DC) unchanged
Basic software, Controller-DCN and multi-DC)
CE1800V managed by Agile + FusionInsight)
N1 Foundation software package Single-DC SDN scenario
All functions of the Management software package
Controller-DCN
Telemetry, VS, PTP (1588v2), and number of CE switches managed by Agile Controller-DCN Solution sales: CE1800V and Agile Controller-DCN Are
FabricInsight intelligent network analysis basic package (V1R19C00, only for the
CE16800&CE6800) Sold as a Bundle in Container Interconnection Scenarios

N1 Management software package Non-SDN scenario


CE1800V Advanced software Hicare
Basic software (Layer 2 or Layer 3 basic functions) + VXLAN + IPv6
NCE network device management license (V1R19C10)
+ package maintenance
CloudEngine (One for each server, with 10 Gbit/s service
1800V traffic as the measurement principle) unchanged
CE switch hardware +
Compared with the Traditional Model, the N1 Model Is Cost-Effective and Has More Flexible Functions

Commercial Comparison of Solution Sales Scenarios: Simplified Quotation, Low Price, and Flexible License Transfer (SnS)
Traditional Model N1 Model
Unit List Unit Total List
Model Description Quantity
Model Description Price Quantity Total List Price Price Price
Agile Controller-DCN software N1-CloudFabric Foundation SW License for
AC-DCN-SW Platform 10,000 3 30,000 N1-CE68LIC-CFFD 9,900 50 495,000
platform CloudEngine 6800
AC-DCN-SW Platform- Three-year SnS of Agile Controller- N1-CloudFabric Foundation SW License for
5,100 3 15,300 N1-CE68CFFD-SnS1Y 1,980 150 297,000
SnS-3Y DCN software platform CloudEngine 6800-SnS-1 Year
Management of each fixed device Total 792,000
AC-DCN-Fixed 11,800 50 590,000
by Agile Controller-DCN
 Cost-effective price and simple quotation: The controller platform is free of charge, which reduces the
Three-year SnS of management of threshold for using the solution. The total list price of a single TOR N1 software package is reduced by
AC-DCN-Fixed-SnS-3Y each fixed device by Agile 6,018 50 300,900 40% compared with the traditional model. For example, in the case of 50 TOR switches, the total list price of
Controller-DCN the N1 model is reduced by 50% compared with that of the traditional model, which is the same as that of CE
CloudEngine 6800 VXLAN switches. The order placement process is simpler.
CE68-LIC-VXLAN 8,000 50 400,000
Function  Flexible license transfer to protect customers' investment. The license is more flexible. The software
CE68-LIC-TLM CE6800 Telemetry Function 6,000 50 300,000 used on the old hardware can be switched to the new hardware that is upgraded based on the old
Total 1,636,200 hardware, building customer loyalty. The customer does not need to purchase the software again,
which protects the customer's software investment.

Commercial Comparison of Pure Hardware Device Sales Scenario: New Hardware, More Functions, and Lower Price
Traditional Model N1 Model
Model Description List Price Model Description List Price
CE6857-48S6CQ-EI switch(48*10GE SFP+,6*100GE CE6881-48S6CQ-B switch (48*10G SFP+, 6*100G QSFP28, 2*AC
CE6881-48S6CQ-B 14400
CE6857-EI-B-B0B QSFP28,2*AC power modules,4*fan modules,port-side 18900 power modules, 4*fan modules, port-side intake)
intake) N1-CE68LIC-CFMM,N1-CloudFabric Management SW License for
N1-CE68LIC-CFMM 4500
CE68-LIC-VXLAN CloudEngine 6800 VXLAN Function 8000 CloudEngine 16800

The hardware price of new models is gradually shifted to software. In the project, try to persuade customers to configure VXLAN on uplink 100G ports. The CE6820 is recommended in non-
VXLAN scenarios. The CE6820 has a lower price than the CE6881.
The N1 Foundation software package is recommended if required functions are not included in the Management software package.
Commercial Comparison: N1 Management software package ($4,500) + Telemetry ($6,000) > N1 Foundation software package ($9,900)

CE6865 (22500) < CE6881 (20000 + Management software package 4500)


Bundle (36000) + software is the same as the old hardware, and the microsegmentation capability is stronger.
CloudEngine 16800 Roadmap

10GE 40GE 100GE 400GE

16 48*10GE 36*40GE 36*100GE

24*40GE 18*100GE
08 GA on September 30, 2019 V2R5C20
04
72*25/10+6*100GE 48*100GE 36*400GE
48*25/10+4*100GE 48*400GE POC

CE16800 GA on July 30, 2019 V3R20C00

48*10G FD 24*40G FD 8*100G FG 36*100G SD


16
Uplink 2*40GE+2*100GE 4 GB buffer, 64 MB buffer,
MACsec, 2 MB FIB Cost-effective
08S 48x10G 36*40G FD 12*100G FD 36*100G FD
08
04S FD1:Support 25G; 18*40G+18*100G 8 GB buffer 24 GB buffer
04
IEEE 1588V2
FG:4M FIB 16*100G FD 36*100G FG
CE12800/CE12800S 16 GB buffer, MACsec 16 GB buffer,
IEEE 1588v2 2 MB FIB

V3R20C00 has not passed the PDCP, and the roadmap planning may change. Therefore,
V3R20C00 cannot be used as a formal commitment to customers.
CloudEngine TOR Switch Roadmap

GE VXLAN
GE CE5855 CE5880
V2R5C20
ENP CE6880
GA on September 30, 2019
High
CE6870 CE6875
(Large buffer)

10G CE6851
V3R20C00
Middle CE6857 CE6881 2020.7.30GA
CE6856

Low (Layer 2) CE6810 CE6820

CE6863 CE6866 HI: 48*25+8*100GE


25G CE6860 CE6865
25G, AI Fabric, 1588, CE6866: 48*25+8*100GE
microsegmentation

40G CE7855

CE8850-32 CE8850-64 CE8851: 32*100+8*400GE

CE8852: 96*100GE
100G

CE8860 CE8861

400G

~2018 2019 2020


V3R20C00 has not passed the PDCP, and the roadmap planning may change. Therefore,
V3R20C00 cannot be used as a formal commitment to customers.
RDMA Effectively Improves Throughput and Reduces Latency, but Current Network Bearer Solutions Have
Disadvantages

Introduction to RDMA/RoCE

Technical description:
• RDMA technology implements kernel bypass and zero copy of the buffer, provides RDMA read/write access between remote nodes, and implements the control plane protocol in the NIC hardware.
• RDMA technology is used in HPC, distributed storage, and AI scenarios to reduce the CPU load and latency, greatly improving the application performance.
• RoCEv2 migrates RDMA traffic to the ETH/IP network. In this way, the ETH/IP network supports HPC, distributed storage, and AI application deployment, and is required to provide the same network performance as memory access.

Current RDMA Network Bearer Solutions (IB vs. CEE)

RDMA over InfiniBand: Proprietary Technology, Dedicated Network
• Advantage: Zero packet loss, low latency, and high throughput
• Disadvantage: Manual O&M performed by dedicated personnel, high cost

RDMA over CEE (current): Open Ethernet, Converged Network
• Advantage: SDN automation, low price
• Disadvantage: High latency and low throughput

Challenges:
• Packet loss: The packet loss rate of 1% decreases the RoCE throughput from 100% to 0. However, packet loss on traditional Ethernet networks in best-effort (BE) mode is inevitable.

Item | IB | CEE
Performance | High | Low
O&M | Difficult | Easy
Price | High | Low
Scale | Small | Ultra-large
Others | Dedicated network | Cloud-network synergy
AI Fabric Implements Zero Packet Loss, Low Latency, and High Throughput Based on the Ethernet to Meet Service
Requirements in the AI Era
Basic Flow Control Model
• Set priorities through multiple queues
PFC threshold ECN threshold • Prevent packet loss through PFC Question: The CPU sensitivity is
backpressure Statically configured a key indicator.
• Use ECN to notify the transmit end to threshold
avoid congestion The queue type and
Queue Static queue type
threshold are the key.

Static ECN: Local device-level intelligence Dynamic ECN: Local device-level intelligence AI ECN: Global network-level intelligence
(implemented by the CPU) (implemented by the intelligent chip) (optimal application experience)
AI chip
Intelligent
CPU CPU
chip November
2019

LSW chip LSW chip

Local optimal threshold based on Local optimal threshold based on Application-oriented optimal
CPU’s dynamic ECN intelligent chip detection queue on the entire network
Static ECN performance: 30% higher than that Static ECN performance: 50% higher than that
The threshold is set by CPU of other vendors
of other vendors
Set the optimal threshold based on Set the optimal threshold based on the Application-based priority queues are generated
the current traffic model. current traffic model. based on application requirements.

Mainstream solutions in the industry CloudEngine 6865/8850/8861 CloudEngine 16800


Overall Container Intent SFC Microsegmentation Summary

Five Scenarios of CloudFabric Solution: Based on Whether the Controller


and Cloud Platform Are Available
Scenario 2: Cloud platform and third- Scenario 4: Cloud platform, third-party controller, and Scenario 5: Cloud platform, third-party controller, and
party controller OpenStack interconnection container cloud interconnection
Service Cloud platform and Service Container platform and
Network administrator network association administrator network association
administrator
FusionSphere Third-party Kubernetes
VMware NSX controller OpenStack
New
Agile Controller-DCN
SecoManager

CloudEngine Layer 2 VTEP Network overlay Network overlay Network overlay extension
Hybrid overlay CloudEngine 1800V

Scenario 1: Underlay, without the Scenario 3: computing and hosting with the controller but no cloud platform
cloud platform or controller
Computing Network
Hosting Network
Computing administrator
Third-party configuration tools administrator
administrator
such as Ansible or Microsoft Azure
System Center Agile Controller-DCN Agile Controller-DCN
/vCenter SecoManager SecoManager

Network overlay Network overlay


Underlay

Remarks: The network overlay supports centralized and distributed deployment. The distributed solution is recommended. The
centralized mode does not continue to evolve. The hybrid overlay supports only the distributed mode.

Features of the CloudFabric Solution in Five Scenarios


The texts in red refer to new functions in V1R19C00.
Item Functional Unit Network Virtualization Cloud-Network Integration Container Cloud

Cloud
Cloud management Hosting Microsoft VMware Third-party
management FusionSphere Kubernetes
platform (No cloud platform) System Center vCenter OpenStack
platform
Active/Standby controller Supported Supported
Supported Supported Supported Not supported
cluster
Controller RTT of remote controller
cluster < 50 ms (less Supported Supported Supported Supported Supported Supported
than 250 km)
Network overlay Network overlay
Overlay mode Network overlay Network overlay Network overlay Network overlay
Hybrid overlay Extend

ZTP User-defined, wizard-based, and one-click ZTP


L2-L3 network
Intent Pre-event simulation, resource and connection verification, and device fault impact analysis

IPv6 Supported Supported Supported Supported Supported Not supported

IPv4 microsegmentation
(new models) Supported Supported Supported Supported Supported Not supported
L4-L7 security
Not supported
IPv4 SFC Supported Supported Supported Supported Supported

FusionCompute
Server access Type N/A Microsoft Hyper-V VMware ESXi KVM Container
BMS

DCI Interconnection type IPv4 L2&L3 IPv4 L2&L3 IPv4 L2&L3 IPv4 L2&L3 IPv4 L2&L3 IPv4 L2&L3

NSH: NSH Copes with Challenges Brought by Diversified DC Security to the Network

Diversified policies are deployed, and ACLs become the bottleneck.
• The switch needs to eliminate the ACL bottleneck.

Inline deployment causes complex configuration of the control plane.
• Security policies need to be configured on the GUI.

The security service is coupled with the physical topology, leading to low scalability.
• Security devices are pooled, implementing scaling on demand.

[Figure: App 1, App 2, … App n, each with QoS, routing, O&M, and security policies; static traffic diversion depends on the physical topology]

NSH-based SFC in the CloudFabric Solution Solves the ACL Bottleneck of Switches

Case 1: At a bank, PBR and antivirus preempt ACLs. As a result, ACLs are insufficient and services fail to be provisioned (due to conflicts with security policies).

Case 2: A financial institution deploys microsegmentation and traditional PBR. As a result, the ACL overflow function fails (due to conflicts with microsegmentation).

Solution benefits:
• Traffic is forwarded based on the SPI in the NSH, which does not consume ACLs.
• Compatibility with the live network: The solution supports two modes: NSH aware and unaware (proxy). The number of ACLs is reduced by more than half.

PBR depends heavily on ACL entries. NSH overcomes entry restrictions.

PBR-based forwarding (ACL entry bottleneck):
• 3 ACL rules
• 3 policy-based routes

NSH-based forwarding (add the NSH):
• One ACL rule
• One policy-based route

[Figure: SFP 1 between the WAN and a VM. PBR-based forwarding of the original packet from the external network to the VM resource pool and VAS resource pool, compared with NSH-based forwarding with the NSH added. Solution 1: NSH supported by the VAS resource pool. Solution 2: NSH not supported by the VAS resource pool. OVS and VMs in each pool.]

NSH-based SFC in the CloudFabric Solution Provides Standard Interconnection and Delivers Simplified and Efficient VAS Orchestration

Solution implementation:
• The RFC-compliant NSH solution replaces the traditional PBR solution.
• Agile Controller-DCN globally configures the NSH to identify the service path.
• Traffic is forwarded based on the NSH at each hop. NSH-based SFC uses an independent forwarding table, which does not consume ACLs.

Product selection:
• CloudEngine CE5880, CloudEngine 6880, CloudEngine 6881, CloudEngine 6863, CloudEngine 12800E, CloudEngine 16800

Highlights:
• Standard SFC: complies with RFC, provides good interoperability, and maintains compatibility with third-party NSH devices.
• Large specifications: The chip supports 20K SFC entries, which is two times higher than the commercial chip.

Simplified deployment: Full decoupling from the fabric.
Flexible orchestration: Defining SFC in drag-and-drop mode.
Efficient forwarding: The ACL consumption is reduced by more than half.

Note: The proprietary SFC solution of some vendors in the industry uses the VXLAN extended field to identify the SPI and cannot interconnect with third parties, forming a closed ecosystem.

[Figure: Resource pooling deployment. Labels: Internet, SFP 1, SFP 2, VM2, VM5, VM8, Service leaf, OVS, VM, VAS resource pool.]
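The per-hop lookup described under "Solution implementation" above, sketched as an added example (not Huawei's code and not part of the presentation): it parses the fixed NSH fields defined in RFC 8300 and forwards on an (SPI, SI) table instead of per-flow ACL matches. The table contents, hop names and function names are assumptions made for illustration.

```python
import struct

# Constructed service-path table keyed only by (SPI, SI): no per-flow ACL match.
# Hop names are placeholders, not values from the presentation.
SFC_TABLE = {(1, 255): "firewall", (1, 254): "ips",
             (1, 253): "decap"}  # end of path: strip NSH, route the inner packet

def build_nsh(spi, si, ttl=63):
    """Build an MD Type 2 NSH with no metadata (length 2 words), next protocol IPv4."""
    base = ((ttl & 0x3F) << 22) | (2 << 16) | (2 << 8) | 0x01
    return struct.pack("!II", base, ((spi & 0xFFFFFF) << 8) | (si & 0xFF))

def parse_nsh(pkt):
    """Parse and validate the 8 fixed bytes (base header + service path header)."""
    if len(pkt) < 8:
        raise ValueError("truncated NSH")
    base, path = struct.unpack("!II", pkt[:8])
    hdr = {"version": base >> 30, "ttl": (base >> 22) & 0x3F,
           "length": (base >> 16) & 0x3F, "md_type": (base >> 8) & 0xF,
           "spi": path >> 8, "si": path & 0xFF}
    if hdr["version"] != 0:
        raise ValueError("unsupported NSH version")
    if hdr["length"] < 2 or hdr["length"] * 4 > len(pkt):
        raise ValueError("NSH length field inconsistent with packet")
    return hdr

def sff_forward(pkt):
    """One forwarder hop: return (next_hop, packet) or (None, drop_reason)."""
    try:
        h = parse_nsh(pkt)
    except ValueError as err:
        return None, str(err)
    ttl = (h["ttl"] - 1) % 64  # RFC 8300: decrement before lookup; 0 wraps to 63
    if ttl == 0:
        return None, "TTL expired"
    hop = SFC_TABLE.get((h["spi"], h["si"]))
    if hop is None:
        return None, "no entry for SPI %d, SI %d" % (h["spi"], h["si"])
    base = (struct.unpack("!I", pkt[:4])[0] & ~(0x3F << 22)) | (ttl << 22)
    return hop, struct.pack("!I", base) + pkt[4:]

def sf_done(pkt):
    """A service function (or NSH proxy) decrements SI after servicing the packet."""
    h = parse_nsh(pkt)
    if h["si"] == 0:
        raise ValueError("SI already 0")
    return pkt[:7] + bytes([h["si"] - 1]) + pkt[8:]
```

Packets with a malformed header, an expired TTL or an unknown (SPI, SI) pair are dropped rather than forwarded, which is the behaviour to verify when a third-party NSH device is attached to the chain.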

Microsegmentation Copes with Challenges Caused by Diversified DC Security

Traditional security depends on different service partitions.
• Cloud sharing and security isolation create a conflict.
[Figure: External network, Internal network, Untrusted. Zero-trust security model was proposed in 2012. Source: Forrester Research]

Traditional isolation brings traffic bypassing.
• Access switches support security isolation.
[Figure: Spine, VTEP, Server leaf.]

Due to diversified isolation policies, ACLs become scarce resources.
• Switches need to eliminate the ACL bottleneck.
[Figure: Segmentation by subnet (Web, App, Database) compared with microsegmentation by discrete IP address and VM name/Container. Labels: OVS, VM.]

Microsegmentation Provides Fine-grained Security Isolation

[Figure: Microsegmentation grouping criteria: IP, MAC, VLAN, discrete IP address, subnet, VM name/Container name, OS type, organization. Examples shown: IP1=10.0.0.1, IP2=10.0.0.2; MAC1=11-11-11, MAC1=22-22-22; VLAN=10 (DB1, DB2, DB3, DB4); VM name = Web* (Web 1, Web 2, Web 3, Web 4); Security group = App (App 1, App 2, App 3, App 4); Operating system = Linux (four Linux hosts).]

• Microsegmentation solves the problem of the zero-trust security model. Compared with the zero-trust security model, microsegmentation provides security isolation in a more fine-grained manner. It covers physical machines and addresses east-west security issues.
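An added example (not part of the presentation and not Huawei's implementation) that models the grouping above: endpoints are classified into EPGs by discrete IP address, VM name or security group, and access is decided per EPG pair. The endpoint inventory, the policy set, default deny and first-match precedence are assumptions; the last function counts how many per-host rules the same policy would expand to.

```python
import fnmatch
import ipaddress

# Constructed inventory. The two DB addresses reuse the slide's 10.0.0.1 and
# 10.0.0.2; every other name and address is made up for this example.
ENDPOINTS = (
    [{"name": "Web %d" % i, "ip": "10.0.1.%d" % i, "group": None} for i in range(1, 5)]
    + [{"name": "App %d" % i, "ip": "10.0.2.%d" % i, "group": "App"} for i in range(1, 5)]
    + [{"name": "DB%d" % i, "ip": "10.0.0.%d" % i, "group": None} for i in (1, 2)]
    + [{"name": "Backup 1", "ip": "10.0.3.1", "group": None}]  # matches no EPG
)

DB_IPS = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.0.0.2")}

# EPG membership by discrete IP, VM name pattern, or security group.
# First match wins; that precedence is an assumption of this example.
EPG_RULES = [
    ("DB", lambda e: ipaddress.ip_address(e["ip"]) in DB_IPS),
    ("Web", lambda e: fnmatch.fnmatchcase(e["name"], "Web*")),
    ("App", lambda e: e["group"] == "App"),
]

# Permitted (source EPG, destination EPG) pairs; everything else is denied,
# including traffic inside an EPG and traffic of unclassified endpoints.
POLICIES = {("Web", "App"), ("App", "DB")}

def classify(endpoint):
    """Return the first EPG whose membership rule matches, or None."""
    for epg, matches in EPG_RULES:
        if matches(endpoint):
            return epg
    return None

def allowed(src, dst):
    """Group-based decision: one lookup on the EPG pair, default deny."""
    s, d = classify(src), classify(dst)
    return s is not None and d is not None and (s, d) in POLICIES

def per_host_rule_count(endpoints):
    """Number of source/destination host rules the same policy would expand to."""
    return sum(1 for s in endpoints for d in endpoints
               if s is not d and allowed(s, d))
```

With this inventory, two EPG-pair policies stand in for 24 host-to-host rules, and an endpoint that matches no EPG is denied by default.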

Microsegmentation Solves the ACL Bottleneck of Switches

Case 1: At a bank, PBR and antivirus preempt ACLs. As a result, ACLs are insufficient and services fail to be provisioned (due to conflicts with security policies).

Solution benefits:
• Microsegmentation is used to isolate east-west traffic on switches instead of firewalls.

Solution 1: PBR depends heavily on ACL entries.

Solution 2: Microsegmentation overcomes entry restrictions.

[Figure: Diverting traffic to the firewall compared with microsegmentation-based isolation. Labels: External network; Divert traffic to the firewall; Microsegmentation-based isolation; 3 ACL rules; 3 policy-based routes; 0 ACL rule; 0 microsegmentation policy; ACL entry bottleneck; Microsegmentation; OVS; VM; VM resource pool; VAS resource pool.]

Microsegmentation Provides East-West Security Isolation in a Fine-grained Manner

Product selection:
• Microsegmentation-supported models: CloudEngine 6880, CloudEngine 6881, CloudEngine 5880 (sold only outside China), CloudEngine 6857, CloudEngine 6865, CloudEngine 8861, and CloudEngine 8868.

Unified isolation
Microsegmentation implements the zero-trust security model. It provides security isolation based on discrete IP addresses and VM names, and covers PMs. It can uniformly isolate traffic of VMs and BMs.

Efficient forwarding
Microsegmentation has a unique value in mutual access control scenarios that have high forwarding efficiency and low security requirements. There is no traffic bypassing problem, and the forwarding performance is not a bottleneck.

Large specifications
The mask length of the EPG member is not limited. Each EPG of the commercial chip supports a maximum of three mask lengths.

[Figure: Interconnection with OpenStack and interconnection with FusionSphere (secondary orchestration). Labels: OpenStack, FusionSphere, ① North-south isolation, Border leaf, Spine, ② East-west isolation, VTEP, OVS, VM, BM, Server leaf.]
Intelligent O&M: FabricInsight Provides Specified Flow Analysis, Edge Intelligence + Cloud Training, and 100% Traffic Visualization

Distributed intelligence
Switches provide edge intelligence, and analyze flows and send them to the cloud for processing. The analyzer configuration is reduced by five times.
Device Type (V1R19C10): CloudEngine 6881, CloudEngine 6863, CloudEngine 16800.
Device Type (V1R19C00): CloudEngine 6865, CloudEngine 8850-64CQ, CloudEngine 6857, CloudEngine 12800.

Multi-protocol processing capability
Distributed flow awareness based on Telemetry and multi-protocol full-data packet analysis (TCP/UDP/RoCE)

Fine-grained capability
FabricInsight analyzes all packets of a specified flow and displays the network quality on the GUI.
CloudEngine 6800, CloudEngine 7800, CloudEngine 8800, CloudEngine 12800, CloudEngine 16800

[Figure: FabricInsight data collection. Labels: Visualized; TCP, UDP, RoCE; 1 Co-processor, edge intelligence; 2 Cloud training; FabricInsight; SNMP: device management; ERSPAN: full flows; gRPC: performance indicators; NetStream v9: specified flows; Query; Collector; TCP; Switch-based load balancing; Filter; Big Data; Aggregation; Collector.]
THANK YOU!
