The S6720-LI series switches (S6720-LI) are next-generation simplified 10GE fixed switches and can be used as 10GE access switches on campus networks and data center networks.

The S6720-LI provides line-rate 10GE access ports and 40GE uplink ports. In addition, the S6720-LI delivers a wide variety of services, comprehensive security control policies, and various QoS features to help customers build scalable, reliable, manageable, and secure campus and data center networks.

• 24 x 10GE SFP+ ports, 2 x 40GE QSFP+ ports
• Built-in AC power supply and RPS
• USB
• Forwarding performance: 240 Mpps
• Switching capacity: 1.28 Tbit/s

High-Density 10GE Access Ports and 40GE Uplink Ports

To provide sufficient bandwidth for users, more and more servers use 10GE network adapters. Each S6720-LI provides up
to 32 line-rate 10GE ports and two line-rate 40GE QSFP+ ports.

Ports of the S6720-LI support GE access and 10GE access and can identify optical module types, maximizing the return on investment and allowing users to flexibly deploy services.

Comprehensive Security Control Policies

The S6720-LI provides multiple security measures to defend against Denial of Service (DoS) attacks, as well as attacks on networks or users. DoS attacks include SYN flood, Land, Smurf, and ICMP flood attacks. Attacks on networks refer to STP BPDU/root attacks. Attacks on users include bogus DHCP server attacks, man-in-the-middle attacks, IP/MAC spoofing attacks, and DHCP request flood attacks. DoS attacks that change the CHADDR field in DHCP packets are also attacks against users.

The S6720-LI supports DHCP snooping, which generates user binding entries. DHCP snooping discards invalid packets
that do not match any binding entries, such as ARP spoofing packets and IP spoofing packets. This prevents hackers from using ARP packets to initiate attacks on campus networks. DHCP snooping trusted ports can be specified to ensure that users connect only to the authorized DHCP server.

The S6720-LI supports strict ARP learning. This feature prevents ARP spoofing attackers from exhausting ARP entries so that users can connect to the Internet normally. The S6720-LI supports IP source check to prevent DoS attacks caused by MAC address spoofing, IP address spoofing, and MAC/IP spoofing.

The S6720-LI supports centralized MAC address authentication and 802.1X authentication. It authenticates users based
on statically or dynamically bound user information such as the user name, IP address, MAC address, VLAN ID, port number, and flag indicating whether antivirus software is installed. VLANs, QoS policies, and ACLs can be applied to users dynamically.

The S6720-LI can limit the number of MAC addresses learned on a port to prevent attackers from exhausting MAC address entries by using bogus source MAC addresses. This function minimizes packet flooding that occurs when MAC addresses of users cannot be found in the MAC address table.

Comprehensive Reliability Mechanisms

The S6720-LI supports MSTP multi-process that enhances the existing STP, RSTP, and MSTP implementation. This function increases the number of MSTIs supported on a network. It also supports enhanced Ethernet reliability technologies such as Smart Link and RRPP, which implement millisecond-level protection switchover and ensure network reliability. Smart Link and RRPP both support multi-instance to implement load balancing among links, improving bandwidth use efficiency.

The S6720-LI supports enhanced trunk (E-trunk). A CE can be dual-homed to two PEs through Eth-Trunk links. This implements inter-device link aggregation and link load balancing, and greatly improves reliability of access devices.

The S6720-LI supports the Smart Ethernet Protection (SEP) protocol, a ring network protocol applied to the link layer of an Ethernet network. SEP can be used on open ring networks and provides millisecond-level switchover to ensure nonstop services. SEP features simplicity, high reliability, fast switchover, easy maintenance, and flexible topology, facilitating network planning and management.

The S6720-LI supports G.8032, also called Ethernet Ring Protection Switching (ERPS). ERPS is based on traditional Ethernet MAC and bridging functions. It uses the mature Ethernet OAM and Ring Automatic Protection Switching (Ring APS or R-APS) technologies to implement millisecond-level protection switchover on Ethernet. ERPS supports multiple services and provides flexible networking options, reducing the OPEX and CAPEX.

The S6720-LI supports VRRP. Two S6720-LIs can form a VRRP group to ensure nonstop and reliable communication. Multiple equal-cost routes to an upstream device can be configured on the S6720-LI to provide route redundancy. When an active route is unreachable, traffic is switched to a backup route.

Various QoS Control Mechanisms

The S6720-LI implements complex traffic classification based on packet information such as the 5-tuple, IP preference, ToS, DSCP, IP protocol type, ICMP type, TCP source port, VLAN ID, Ethernet protocol type, and CoS. ACLs can be applied to the inbound or outbound direction to filter packets. The S6720-LI supports a flow-based two-rate three-color CAR. Each port supports eight priority queues and multiple queue scheduling algorithms such as WRR, DRR, PQ, WRR+PQ, and DRR+PQ. All of these ensure the quality of voice, video, and data services.

High Scalability

The S6720-LI supports intelligent stack (iStack) and virtualizes multiple switches into one logical switch. A port of the S6720-LI can be configured as a stack port using a command for flexible stack deployment. The distance between stacked switches is further increased when the switches are connected with optical fibers. Compared with a single device, iStack has advantages on scalability, reliability, performance, and overall architecture. A new switch can join a stack to increase the system capacity or replace a faulty member switch without interrupting services. Compared with stacking of modular switches, the iStack function can increase system capacity and port density with no restriction of the hardware architecture. Multiple devices in a stack can be considered as one logical device. These switches can be managed using a single IP address, which greatly reduces system expansion and O&M costs.

Convenient Management

The S6720-LI supports automatic configuration, plug-and-play, deployment using a USB flash drive, and batch remote upgrade. These capabilities simplify device management and maintenance, and greatly reduce maintenance costs.

The S6720-LI supports SNMPv1/v2/v3 and provides flexible methods for managing and maintaining devices, such as CLI and Web NMS. The NQA function helps users with network planning and upgrades. In addition, the S6720-LI supports NTP, SSH v2, HWTACACS, RMON, log hosts, and port-based traffic statistics.

The S6720-LI supports GVRP, which dynamically distributes, registers, and propagates VLAN attributes to reduce the manual configuration workloads of network administrators and ensure correct VLAN configuration.

The S6720-LI supports MUX VLAN that isolates Layer 2 traffic between ports in a VLAN. MUX VLAN defines principal VLANs and subordinate VLANs. Subordinate VLANs can communicate with the principal VLAN but cannot communicate with each other. This function prevents communication between network devices connected to certain ports or port groups but allows the devices to communicate with the default gateway. MUX VLAN is usually used on an enterprise intranet to isolate user ports from each other but allow them to communicate with server ports.

Complying with IEEE 802.3ah and 802.1ag, the S6720-LI supports point-to-point Ethernet fault management and can detect faults in the last mile of an Ethernet link to users. Ethernet OAM improves the Ethernet network management and
maintenance capabilities and ensures a stable network.

Various IPv6 Features

The S6720-LI supports various IPv6 routing protocols including RIPng and OSPFv3. It uses the IPv6 Neighbor Discovery Protocol (NDP) to manage packets exchanged between neighbors. It also provides the Path MTU Discovery (PMTU) mechanism to select a proper MTU on the path from the source to the destination, optimizing network resources and obtaining the maximum throughput.

Intelligent O&M

The S6720-LI provides telemetry technology to collect device data in real time and send the data to Huawei campus network analyzer CampusInsight. The CampusInsight analyzes network data based on the intelligent fault identification algorithm, accurately displays the real-time network status, effectively demarcates and locates faults in a timely manner, and identifies network problems that affect user experience, accurately guaranteeing user experience.

The S6720-LI supports a variety of intelligent O&M features for audio and video services, including the enhanced Media Delivery Index (eMDI). With this eDMI function, the S6720-LI can function as a monitored node to periodically conduct statistics and report audio and video service indicators to the CampusInsight platform. In this way, the CampusInsight platform can quickly demarcate audio and video service quality faults based on the results of multiple monitored nodes.

Intelligent Upgrade

Switches support the intelligent upgrade feature. Specifically, switches obtain the version upgrade path and download the
newest version for upgrade from the Huawei Online Upgrade Platform (HOUP). The entire upgrade process is highly automated and achieves one-click upgrade. In addition, preloading the version is supported, which greatly shortens the upgrade time and service interruption time.

The intelligent upgrade feature greatly simplifies device upgrade operations and makes it possible for the customer to upgrade the version independently. This greatly reduces the customer's maintenance costs. In addition, the upgrade policies on the HOUP platform standardize the upgrade operations, which greatly reduces the risk of upgrade failures.

High-Performance VRP Software System

Huawei S series switches build on a unified Versatile Routing Platform (VRP) software system, meeting the growing network scale and the evolving Internet technologies and guaranteeing network services and network quality.

VRP is a network operating system developed by Huawei with independent intellectual property rights. It can run on multiple hardware platforms and provide unified network, user, and management views. VRP provides flexible application solutions for users. In addition, VRP is a future-proof platform that maximally protects customer investments.

The VRP platform is focused on IP services and uses a component-based architecture to provide more than 300 features. Besides, VRP stands out for its application-based tailorable and scalable capabilities.

Specification:

S6720-26Q-LI-24S-AC
Fixed port
10GE port	24
40GE port	2
Management port
ETH management port	Supported
Console port (RJ45)	Supported
USB port	USB 2.0
CPU
Frequency	1 GHz
Cores	2
Memory
Memory (RAM)	1 GB
Flash	Hardware: 512 MB, of which 240 MB is available for users
Power supply system
Power supply type	Built-in AC
Power supply redundancy	Built-in single power supply and RPS in 6:1 mode
RPS	Supported
Rated voltage range	100 - 40 V AC 50/60 Hz
Maximum voltage range	90 - 264 V AC 47 - 63 Hz
Maximum input current	3 A
Maximum power consumption of the device	100.2 W
Power consumption in the case of 30% traffic load	67.1 W
Heat dissipation system
Heat dissipation mode	Air-cooled heat dissipation and intelligent fan speed adjustment
Number of fan modules	3
Airflow	Air flows in from the left side and front panel, and exhausts from the right side.
Maximum heat dissipation of the device (BTU/hour)	342
Physical specifications
Chassis dimensions (W x D x H, mm)	420 x 220 x 43.6
Chassis height	1 U
Chassis weight	4.2 kg
Environment parameters
Long-term operating temperature	0 - 1800 m: 0°C - 45°C 1800-5000 m: The operating temperature decreases 1°C for every 220 m increase in altitude.
Short-term operating temperature	0 - 1800 m: -5°C - 50°C   1800-5000 m: The operating temperature decreases 1°C for every 220 m increase in altitude.
Storage temperature	-40°C - 70°C
Relative humidity	5%-95% (non-condensing)
Noise under normal temperature (sound power)	46.5 dB(A)
Noise under high temperature (sound power)	72.9 dB(A)
Noise under normal temperature (sound pressure)	34.6 dB(A)
MTBF	39.2 years
Software
Ethernet features
Ethernet basics	Full-duplex, halfduplex, and auto-negotiation Rate autonegotiation on an interface Flow control on an interface Jumbo frames Link aggregation Load balancing among links of a trunk Transparent transmission of Layer 2 protocol packets Device Link Detection Protocol (DLDP) Link Layer Discovery Protocol (LLDP) Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) Interface isolation Broadcast traffic suppression on an interface Multicast traffic suppression on an interface Unknown unicast traffic suppression on an interface VLAN broadcast traffic suppression VLAN multicast traffic suppression VLAN unknown unicast traffic suppression
VLAN	VLAN specification: 4094 VLANIF interface specification: 1024 Access mode Trunk mode Hybrid mode QinQ mode Default VLAN VLAN assignment based on interfaces VLAN assignment based on protocols VLAN assignment based on IP subnets VLAN assignment based on MAC addresses VLAN assignment based on MAC address + IP address VLAN assignment based on MAC address + IP address + interface number Adding double VLAN tags to packets based on interfaces VLAN mapping Selective QinQ MUX VLAN Voice VLAN Guest VLAN
GVRP	GARP GVRP
MAC	MAC address: 32K Automatic learning of MAC addresses Automatic aging of MAC addresses Static, dynamic, and blackhole MAC address entries Interface-based MAC address learning limiting Sticky MAC MAC address flapping detection MAC address spoofing defense Port bridge
ARP	Static ARP Dynamic ARP ARP entry: 8K ARP aging detection Intra-VLAN proxy ARP Routed proxy ARP
Ethernet loop protection
MSTP	STP RSTP MSTP VBST BPDU protection Root protection Loop protection Defense against TC BPDU attacks
Loopback detection	Loop detection on an interface
SEP	SEP
Smart Link	Smart Link Smart Link multi-instance Monitor Link
RRPP	RRPP Single RRPP ring Tangent RRPP ring Intersecting RRPP ring Hybrid networking of RRPP rings and other ring networks
ERPS	G.8032 v1 G.8032 v2 ERPS semi-ring topology ERPS closed-ring topology
IPv4/IPv6 forwarding
IPv4 and unicast routing	IPv4 static routing VRF DHCP client DHCP server DHCP relay DHCP policy check Routing policies IPv4 routes: 8K RIPv1 RIPv2 OSPF Policy-based routing (PBR)
Multicast routing features	IGMPv1/v2/v3 PIM-DM PIM-SM MSDP IPv4 multicast routes: 1,5K IPv6 multicast routes: 0,5K Multicast routing policies RPF
IPv6 features	IPv6 protocol stack ND ND entry ND snooping DHCPv6 snooping RIPng DHCPv6 server
Layer 2 multicast features
-	IGMPv1/v2/v3 snooping IGMP snooping proxy MLD snooping Multicast traffic suppression Inter-VLAN multicast replication
Device reliability
Stacking	Service interface-based stacking Maximumnumber of stacked devices: 9 Stack bandwidth (Unidirectional): 176 Gb/s
VRRP	VRRP standard protocol
Ethernet OAM
EFM (802.3ah)	Automatic discovery of links Link fault detection Link troubleshooting Remote loopback
CFM (802.1ag)	Software-level CCM 802.1ag MAC ping 802.1ag MAC trace
OAM association	Association between 802.1ag and 802.3ah
Y.1731	Unidirectional delay and jitter measurement Bidirectional delay and jitter measurement
QoS features
Traffic classification	Traffic classification based on ACLs Configuring traffic classification priorities Matching the simple domains of packets
Traffic behavior	Traffic filtering Traffic policing (CAR) Modifying the packet priorities Modifying the simple domains of packets Modifying the packet VLANs
Traffic shaping	Traffic shaping on an egress interface Traffic shaping on queues on an interface
Congestion avoidance	Tail drop
Congestion management	Priority Queuing (PQ) Weighted Deficit Round Robin (WDRR) PQ+WDRR Weighted Round Robin (WRR) PQ+WRR
ACL
Packet filtering at Layer 2 to Layer 4	Number of rules per IPv4 ACL: 2K Number of rules per IPv6 ACL: 2K Basic IPv4 ACL Advanced IPv4 ACL Basic IPv6 ACL Advanced IPv6 ACL Layer 2 ACL User-defined ACL
Configuration and maintenance
Login and configuration management	Command line interface (CLI)- based configuration Console terminal service Telnet terminal service SSH v1.5 SSH v2.0 SNMP-based NMS for unified configuration Web page-based configuration and management EasyDeploy (client) SVF OPS
File system	Directory and file management File upload and download
Monitoring and maintenance	eMDI Hardware monitoring Log information output Alarm information output Debugging information output Port mirroring Flow mirroring Remote mirroring Energy saving
Version upgrade	Version upgrade Version rollback
Security
ARP security	ARP packet rate limiting ARP anti-spoofing Association between ARP and STP Dynamic ARP Inspection (DAI) Static ARP Inspection (SAI) Egress ARP Inspection (EAI)
IP security	ICMP attack defense IPSG for IPv4 IPSG user capacity: 1000 IPSG for IPv6 IPSGv6 user capacity: 512
Local attack defense	CPU attack defense
MFF	MFF
DHCP Snooping	DHCP snooping Option 82 function Dynamic rate limiting for DHCP packets
Attack defense	Defense against malformed packet attacks Defense against UDP flood attacks Defense against TCP SYN flood attacks Defense against ICMP flood attacks Defense against packet fragment attacks Local URPF
User access and authentication
AAA	Local authentication Local authorization RADIUS authentication RADIUS authorization RADIUS accounting HWTACACS authentication HWTACACS authorization HWTACACS accounting
NAC	802.1X authentication MAC address authentication Portal authentication Hybrid authentication
Policy association	Functioning as the access device
Network management
-	Ping Tracert NQA NTP sFlow SNMP v1 SNMP v2c SNMP v3 HTTP HTTPS RMON NETCONF/YANG
Interoperability
-	VLAN-based Spanning Tree (VBST) Link-type Negotiation Protocol (LNP) VLAN Central Management Protocol (VCMP)