Product Characteristics

The S6700 series Ethernet switches are next-generation 10G fixed switches. The S6700 can function as an access switch in an Internet data center (IDC) or a core switch on a campus network. The S6700 has industry-leading performance and provides line-speed 10GE access ports and line-speed 40GE even 100GE uplink ports. It can be used in a data center to provide 10 Gbit/s access to servers or function as a core switch on a campus network to provide 40 Gbit/s even 100 Gbit/s traffic aggregation. In addition, the S6700 provides a wide variety of services, comprehensive security policies, and various QoS features to help customers build scalable, manageable, reliable, and secure data centers.

Enabling Networks to Be More Agile for Services

The high-speed ethernet network processor embedded in the S6720-HI, CloudEngine S6730-S, CloudEngine S6730S-S, CloudEngine S6730-H, and CloudEngine S6730S-H is tailored for Ethernet.

The flexible packet processing and traffic control capabilities of processor can meet current and future service requirements, helping build a highly scalable network.

The processor has a fully programmable architecture, on which enterprises can define their own forwarding models, forwarding behaviors, and lookup algorithms. Microcode programmability makes it possible to provide new services within six months, without the need of replacing the hardware. In contrast, traditional devices use a fixed forwarding architecture and follow a fixed forwarding process. For this reason, new services cannot be provisioned until new hardware is developed to support the services one to three years later.
In addition to capabilities of traditional switches, they provide fully programmable open interfaces and support user-defined forwarding behavior. Enterprises can use the open interfaces to develop new protocols and functions independently or jointly with equipment vendors to build campus networks meeting their own needs.

Delivering Abundant Services More Agilely

The S6720-HI, CloudEngine S6730-H, and CloudEngine S6730S-H integrate the AC function, so customers do not need to buy independent AC devices or hardware components.

With the unified user management function, the S6720-HI, CloudEngine S6730-H, and CloudEngine S6730S-H can authenticate both wired and wireless users, ensuring a consistent user experience no matter whether they are connected to the network through wired or wireless access devices. The unified user management function supports various authentication methods, including 802.1X, MAC address, and Portal authentication, and is capable of managing users based on user groups, domains, and time ranges. These functions visualize user and service management and boost the transformation from device-centric management to user-centric management.
The S6700 provides excellent quality of service (QoS) capabilities and supports queue scheduling and congestion control algorithms. Additionally, it adopts innovative priority queuing and multi-level scheduling mechanisms to implement fine-grained scheduling of data flows, meeting service quality requirements of different user terminals and services.

Providing Fine Granular Network Management More Agilely

The S6720-HI, CloudEngine S6730-S, CloudEngine S6730S-S, CloudEngine S6730-H, and CloudEngine S6730S-H use the Packet Conservation Algorithm for Internet (iPCA) technology that changes the traditional method of using simulated traffic for fault location. iPCA technology can monitor network quality for any service flow anywhere, anytime, without extra costs. It can detect temporary service interruptions in a very short time and can identify faulty ports accurately. This cutting-edge fault detection technology turns "extensive management" to "fine granular management."
The S6720-EI, S6720S-EI, S6720-HI, CloudEngine S6730-S, CloudEngine S6730S-S, CloudEngine S6730-H, and CloudEngine S6730S-H support a simple structure of Two-Way Active Measurement Protocol (TWAMP Light) to accurately check any IP link and obtain the entire network's IP performance. This protocol eliminates the need of using a dedicated probe or a proprietary protocol.
With the Super Virtual Fabric (SVF), a physical network with the "Small-sized core/aggregation switches + Access switches + APs" structure can be virtualized into a "super switch", offering the industry's simplest network management solution.
With the Easy Deploy function, a similar way an AC manages APs, access switches and APs can go online with zero-touch configuration. In the Easy Deploy solution, the Commander collects topology information about the connected clients and stores the clients' startup information based on the topology. Clients can be replaced with zero-touch configuration. The Commander can deliver configurations and scripts to clients in batches and query the delivery results. In addition, the Commander can collect and display information about power consumption on the entire network.

Intelligent Stack

The intelligent stack (iStack) technology combines multiple stacking-capable switches into a logical switch. The entire stack works as a single entity to the network.

Member switches in a stack back up each other to improve device reliability and establish inter-device link aggregation to improve link reliability.
iStack provides high network scalability and allows for flexible expansion of ports, bandwidth, and processing capacity by simply adding member switches to the stack.
iStack also simplifies device configuration and management by virtualizing multiple physical switches into one logical device. You can log in to any member switch to manage all the stack member switches.

Cloud-based Management

In Huawei CloudCampus Solution, some switches can be managed by the management and control system (CloudCampus@AC-Campus for switches running V200R019C00 and earlier versions; iMaster NCE-Campus for switches running V200R019C10 and later versions).

The switches are plug-and-play.
The switches can automatically connect to the management and control system and use bidirectional certificate authentication to ensure management channel security.
The switches provide the NETCONF and YANG interfaces, through which the management and control system delivers configurations to them.
Remote maintenance and fault diagnosis can be performed on the switches using the management and control system.

VXLAN Features

The S6720-EI, S6720S-EI, S6720-HI, CloudEngine S6730-S, CloudEngine S6730S-S, CloudEngine S6730-H, and CloudEngine S6730S-H support VXLAN L2 gateway, VXLAN L3 gateway, and BGP EVPN functions, which can be configured using NETCONF/YANG. Based on this feature, multiple service networks or tenant networks can be deployed together on the same physical network. Service networks or tenant networks are isolated from each other, achieving one network for multiple purposes. This helps meet data bearing requirements of different services or customers while reducing network construction costs and improving network resource utilization efficiency.

Big Data Security Collaboration

S6720-HI, CloudEngine S6730-S, CloudEngine S6730S-S, CloudEngine S6730-H, and CloudEngine S6730S-H support Encrypted Communication Analytics (ECA). It is a traffic identification and detection technology that identifies encrypted traffic and non-encrypted traffic on the network, and extracts and sends encrypted traffic characteristics to the Cybersecurity Intelligence System (CIS). The CIS uses the AI algorithm to train traffic models based on enormous data, compares the encrypted traffic characteristics sent by switches with the traffic models to identify malicious traffic, and automatically isolates threats by collaborating with Agile Controller-Campus, ensuring campus network security.
S6720-HI, CloudEngine S6730-S, CloudEngine S6730S-S, CloudEngine S6730-H, and CloudEngine S6730S-H support the deception technology. By responding to scanning requests for nonexistent IP addresses and unopened ports, the switches lure attackers to attack a fake target (Decoy, that is, CIS). Through interaction with attackers, the CIS obtains their attack behavior, extracts attack tools, analyzes suspicious traffic by means of traffic diversion to form a defense policy, and automatically isolates threats by collaborating with the Agile Controller-Campus to block the spread of attack behavior, ensuring campus network security.

Large-Capacity, High-Density, 10 Gbit/s Access, 40 Gbit/s and even 100 Gbit/s Uplink

To provide sufficient bandwidth for users, many servers use 10G network adapters, especially servers in data centers. The S6700 can be used in data centers to provide high forwarding performance and 10GE ports.

The S6700 has the highest density of 10GE ports and largest switching capacity among counterpart switches. These ports support 1GE and 10GE access and can identify optical module types, maximizing the return on investment and allowing users to deploy service flexibly.

The S6700 has a large buffer capacity and uses advanced buffer scheduling mechanism to ensure non-blocking transmission of high traffic volume in data centers.

Comprehensive Security Control Policies

The S6700 provides multiple security measures to defend against Denial of Service (DoS) attacks (such as SYN, Land, Smurf, and ICMP Flood), attacks to networks (STP BPDU/root attacks), and attacks to users (bogus DHCP server attacks, man-in-the-middle attacks, IP/MAC spoofing attacks, DHCP request flood attacks, and attacks with variable CHADDR field of packets). DHCP snooping discards invalid packets that do not match any binding entries, such as ARP spoofing packets and IP spoofing packets. This prevents man-in-the-middle attacks that hackers initiate using ARP packets. The interface connected to a DHCP server can be configured as a trusted interface to protect the system against bogus DHCP server attacks.

The S6700 supports strict ARP learning, which prevents ARP spoofing from exhausting ARP entries to ensure normal Internet normally access. The switch also provides IP source check to prevent DoS attacks caused by MAC address spoofing, IP address spoofing, and MAC/IP spoofing. The unicast reverse path forwarding (URPF) function protects a network against source address spoofing attacks by reversely checking packet transmission paths.

The S6700 supports centralized MAC address authentication and 802.1X authentication. It authenticates users based on static or dynamic bindings of information such as the user name, IP address, MAC address, VLAN ID, interface number, and antivirus software installation flag. VLANs, QoS policies, and ACLs can be applied to users dynamically. The S6700 can limit the number of MAC addresses learned on an interface to prevent attackers from exhausting MAC address entries using bogus source MAC addresses. This function minimizes packet flooding that occurs when MAC addresses of users cannot be found in the MAC address table.

Comprehensive Reliability Mechanisms

The S6700 supports redundant power supplies. You choose a single power supply or use two power supplies to ensure power reliability. With two swappable fans, the S6700 has a longer MTBF time than counterpart switches. The S6700 supports multi-process MSTP that enhances the existing STP, RSTP, and MSTP implementation by increasing the number of MSTIs supported on a network. It also supports enhanced Ethernet reliability technologies such as Smart Link and RRPP, which implement millisecond-level protection switching to ensure network reliability. Smart Link and RRPP both support multiple instances to implement load balancing among links, improving the bandwidth efficiency.

The S6700 supports enhanced trunk (E-Trunk) that enables a CE to be dual-homed to two PEs using Eth-Trunk links. This implements inter-device link aggregation and link load balancing, and greatly improves reliability of access devices.

The S6700 supports the Smart Ethernet Protection (SEP) protocol, a ring network protocol applied to the link layer of an Ethernet network. SEP features simplicity, high reliability, high switching performance, convenient maintenance, and flexible topology, enabling users to manage and plan networks conveniently.

The S6700 supports G.8032, also called Ethernet Ring Protection Switch (ERPS). ERPS is based on traditional Ethernet MAC and bridging functions and uses mature Ethernet OAM and Ring Automatic Protection Switching (Ring APS or R-APS) technologies to implement fast protection switching on Ethernet networks. ERPS supports multiple services and provides flexible networking, reducing the OPEX and CAPEX. Two S6700s can form a VRRP group to ensure nonstop communication. Multiple equal-cost routes to an upstream device can be configured on the S6700 to provide route redundancy. When an active route is unreachable, traffic is switched to a backup route.

Extensive QoS Control Mechanisms

The S6700 implements complex traffic classification based on packet information such as the 5-tuple, IP preference, ToS, DSCP, IP protocol type, ICMP type, TCP source port, VLAN ID, Ethernet protocol type, and CoS. ACLs can be applied to inbound or outbound direction to filter packets. The S6700 supports a per flow two-rate three-color CAR. Each port supports eight priority queues, multiple queue scheduling algorithms such as WRR, WDRR, PQ, WRR+PQ, and WDRR+PQ, and congestion avoidance algorithm WRED. All of these ensure the quality of voice, video, and data services.

High Scalability

The S6700 supports the intelligent stack (iStack) function that allows switches far from each other to set up a stack. A port of the S6700 can be configured as a stack port for flexible stack deployment. The distance between stacked switches is further increased when the switches are connected with optical fibers. Compared with a single device, iStack provides higher expansibility, reliability, and performance. New member switches can be added to a stack without interrupting services when the system capacity needs to be increased or a member switch fails. Compared with stacking of modular switches, iStack can increase system capacity and port density without restricted by the hardware structure. Multiple stack switches are managed as one logical device with a single IP address, which greatly reduces system expansion, operation, and maintenance costs.

Convenient Management

The S6700 supports automatic configuration, plug-and-play, USB-based deployment, and batch remote upgrade. These capabilities simplify device management and maintenance while reducing maintenance costs. The S6700 supports SNMPv1/v2c/v3 and provides flexible device management methods. You can manage the S6700 using the CLI, Web system, or Telnet. The NQA function helps you with network planning and upgrades. In addition, the S6700 supports NTP, SSH v2, HWTACACS, RMON, log hosts, and port-based traffic statistics collection. The switch supports GVRP, which dynamically distributes, registers, and propagates VLAN attributes to reduce the manual configuration workload of network administrators and ensure correct VLAN configuration.

The S6700 supports MUX VLAN that isolates Layer 2 traffic between interfaces in a VLAN. Interfaces in a subordinate separate VLAN can communicate with interfaces in the principal VLAN but cannot communicate with each other. This function prevents communication between network devices connected to certain interfaces or interface groups but allows the devices to communicate with the default gateway. MUX VLAN is usually used on an enterprise intranet to isolate user interfaces from each other but allow them to communicate with server interfaces.

The S6700 supports BFD, which provides millisecond-level fault detection for protocols such as OSPF, IS-IS, VRRP, and PIM to improve network reliability. Complying with IEEE 802.3ah and 802.1ag, the S6700 supports point-to-point Ethernet fault management and can detect faults in the last mile of an Ethernet link to users. Ethernet OAM improves the Ethernet network management and maintenance capabilities and ensures a stable network.

Various IPv6 Features

The S6700 hardware supports IPv4/IPv6 dual stack and IPv6 over IPv4 tunnels (including manual tunnels, 6to4 tunnels, and ISATAP tunnels). S6700 switches can be deployed on IPv4 networks, IPv6 networks, or networks that run both IPv4 and IPv6. This makes networking flexible and enables smooth network migration from IPv4 to IPv6.

The S6700 supports various IPv6 routing protocols including RIPng and OSPFv3. It uses the IPv6 Neighbor Discovery Protocol (NDP) to manage packets exchanged between neighbors. It also provides the Path MTU Discovery (PMTU) mechanism to select a proper MTU on the path from the source to the destination, optimizing network resources and obtaining the maximum throughput.

Clock Synchronization

The S6720-HI, CloudEngine S6730-H, and CloudEngine S6730S-H support the IEEE 1588v2 protocol, which implements low-cost, high-precision, and high-reliability time and clock synchronization. This feature can meet strict requirements of power and transportation industry customers on time and clock synchronization.

Open Programmability System (OPS)

Open Programmability System (OPS) is an open programmable system based on the Python language. IT administrators can program the O&M functions of a switch through Python scripts to quickly innovate functions and implement intelligent O&M.