Introduction

Huawei S6720-SI series switches are next-generation multi-gigabit 10GE fixed switches. It can provide high-speed wireless device access and 10GE data center server access and also function as an access/aggregation switch on a campus network.

The S6720-SI is one of the multi-gigabit fixed switches in the industry, providing line-rate multi-gigabit 100M/1G/2.5G/5G/10G access ports and 40GE uplink ports. It can provide high-speed access for APs, enable 10 Gbit/s access to high-density servers, and function as a core/aggregation switch on a campus network to provide 40 Gbit/s rate. In addition, the S6720-SI provides a wide variety of services, comprehensive security policies, and various QoS features to help customers build scalable, manageable, reliable, and secure campus and data center networks.

Product Overview

• 24 × 10GE SFP+, 2 × 40GE QSFP+
• Double pluggable power supplies, AC power supply
• USB
• Forwarding performance: 240Mpps
• Switching capacity: 2.56 Tbit/s

High-Density Multi-Gigabit Access Ports and 40GE Uplink Ports

As the 802.11ac standard and related products are released, the wireless access rate has reached 2.5 Gbit/s. The S6720-SI multi-gigabit fixed switches match perfectly with high-speed APs, and provide the long distance PoE++ function and 60 W PoE on a port. The S6720-SI can provide Ethernet power supply for APs and surveillance cameras.

Each S6720-SI provides up to two line-rate QSFP+ ports and 24 100M/1G/2.5G/5G/10G Base-T ports. Ports of the S6720-SI support 100M/1G/2.5G/5G/10G Base-T access and auto-sensing, maximizing the return on investment (ROI) and allowing users to flexibly deploy services.

Comprehensive Security Policies

The S6720-SI provides multiple security measures to defend against Denial of Service (DoS) attacks and other attacks on networks or users. DoS attacks include SYN flood, Land, Smurf, and ICMP flood attacks. Attacks on networks refer to STP BPDU/root attacks. Attacks on users include bogus DHCP server attacks, man-in-the-middle attacks, IP/MAC spoofing attacks, DHCP request flood attacks, and DoS attacks by changing the CHADDR field of packets.

The S6720-SI supports DHCP snooping, which generates user binding entries. DHCP snooping discards invalid packets that do not match any binding entries, such as ARP spoofing packets and IP spoofing packets. This prevents hackers from using ARP packets to initiate man-in-the-middle attacks on campus networks. DHCP snooping trusted and untrusted ports can be specified to ensure that users connect only to the authorized DHCP server.

The S6720-SI supports strict ARP learning. This feature prevents ARP spoofing attackers from exhausting ARP entries so that users can connect to the Internet normally. It also provides IP source check to prevent DoS attacks caused by MAC address spoofing, IP address spoofing, and MAC/IP spoofing. URPF provided by the S6720-SI reversely checks packet transmission path to authenticate packets, which can protect the network against source address spoofing attacks.

The S6720-SI supports centralized MAC address authentication and 802.1X authentication. It authenticates users based
on statically or dynamically bound user information such as the user name, IP address, MAC address, VLAN ID, port number, and flag indicating whether antivirus software is installed. VLANs, QoS policies, and ACLs can be delivered to users dynamically.

The S6720-SI can limit the number of MAC addresses learned on a port to prevent MAC address entries from being exhausted by source MAC address spoofing packets. This function minimizes packet flooding that occurs when MAC addresses of users cannot be found in the MAC address table.

This series of switches supports MACsec, a secure LAN communication method based on 802.1AE and 802.1X. The switches provide identity authentication, data encryption, integrity check, and replay protection to protect Ethernet frames and prevent attack packets.

Comprehensive Reliability Mechanisms

The S6720-SI supports redundant power supplies. Users can choose a single power supply or use two power supplies to ensure device reliability. With two pluggable fan modules, the S6720-SI has a longer MTBF time than counterpart switches.

The S6720-SI supports MSTP multi-process that enhances the existing STP, RSTP, and MSTP implementation. This function increases the number of MSTIs supported on a network. It also supports enhanced Ethernet reliability technologies such as Smart Link and RRPP, which implement millisecond-level link protection switchover and ensure network reliability. Smart Link and RRPP both support multi-instance to implement load balancing among links, further improving bandwidth use efficiency.

The S6720-SI supports enhanced trunk (E-trunk). A CE can be dual-homed to two PEs through Eth-Trunk links. This implements inter-device link aggregation and link load balancing, and greatly improves reliability of access devices.

The S6720-SI supports the Smart Ethernet Protection (SEP) protocol, a ring network protocol applied to the link layer of an Ethernet network. SEP can be used on open ring networks and provides millisecond-level switchover to ensure uninterrupted services. This protocol is simple, reliable, easy to maintain, and supports fast switchover and flexible topology, facilitating network planning and management.

The S6720-SI supports G.8032, also called Ethernet Ring Protection Switching (ERPS). ERPS is based on traditional Ethernet MAC and bridging functions. It uses the mature Ethernet OAM and Ring Automatic Protection Switching (Ring APS or R-APS) technologies to implement millisecond-level protection switching on Ethernet. ERPS supports multiple services and provides flexible networking options, reducing the OPEX and CAPEX.

The S6720-SI supports VRRP. Two S6720-SI switches can form a VRRP group to ensure nonstop and reliable communication. Multiple equal-cost routes to an upstream device can be configured on the S6720-SI to provide route redundancy. When an active route is unreachable, traffic is switched to a backup route.

Various QoS Control Mechanisms

The S6720-SI implements complex traffic classification based on packet information such as the 5-tuple, IP precedence,
ToS, DSCP, IP protocol type, ICMP type, TCP source port, VLAN ID, Ethernet protocol type, and CoS. ACLs can be applied to the inbound or outbound direction to filter packets. The S6720-SI supports the flow-based two-rate and three-color CAR. Each port supports eight priority queues and multiple queue scheduling algorithms such as WRR, DRR, PQ, WRR+PQ, and DRR+PQ, which ensures the quality of network services such as voice, video and data services.

High Scalability

The S6720-SI supports iStack and virtualizes multiple switches into one logical switch. A port of the S6720-SI can be configured as a stack port using a command for flexible stack deployment. The distance between stacked switches is further increased when the switches are connected with optical fibers. Compared with a single device, iStack features powerful scalability, reliability, performance, and architecture. Member switches in a stack implement redundancy backup to improve device reliability and use inter-device link aggregation to improve link reliability, which help to provide within 200 millisecond failover for path failure and hitless master/ backup failover.New member switches can join a stack to increase the system capacity or replace a faulty member switch without interrupting services. Compared with stacking of modular switches, the iStack function can increase system capacity and port density with no restriction of the hardware structure. Multiple devices in a stack can be considered as one logical device. These switches can be managed using a single IP address, which greatly reduces system expansion and O&M costs.

Convenient Management

The S6720-SI supports automatic configuration, plug-and-play, deployment using a USB flash drive, and batch remote
upgrade. These capabilities facilitate deployment, upgrade, and service provisioning, and simplify device management and maintenance. The maintenance costs are greatly reduced.

The S6720-SI supports SNMPv1/v2/v3 and provides flexible methods for managing devices. Users can manage the S6720-SI using the CLI and Web NMS. The NQA function helps users with network planning and upgrades. In addition, the S6720-SI supports NTP, SSH v2, HWTACACS, RMON, log hosts, and port-based traffic statistics.

The S6720-SI supports GVRP, which dynamically distributes, registers, and propagates VLAN attributes to reduce the manual configuration workloads of network administrators and ensure correct VLAN configuration.

The S6720-SI supports MUX VLAN, a mechanism that isolates Layer 2 traffic between ports in a VLAN. MUX VLAN defines principal VLANs and subordinate VLANs. Subordinate VLANs can communicate with the principal VLAN but cannot communicate with each other. This function prevents communication between network devices connected to certain ports or port groups but allows the devices to communicate with the default gateway. MUX VLAN is usually used on an enterprise intranet to isolate user ports from each other but allow them to communicate with server ports.

The S6720-SI supports BFD, which provides millisecond-level fault detection for protocols such as OSPF, IS-IS, VRRP, and PIM to improve network reliability. The S6720-SI supports IEEE 802.1ag and IEEE 802.3ah. 802.1ag allows for point-topoint Ethernet fault management, and IEEE 802.3ah can detect faults in the last mile of an Ethernet link. Ethernet OAM improves the Ethernet network management and maintenance capabilities and ensures a stable network.

Various IPv6 Features

The S6720-SI supports IPv4/IPv6 dual stack and can migrate from an IPv4 network to an IPv6 network. The S6720-SI hardware supports IPv4/IPv6 dual stack and IPv6 over IPv4 tunnels (including manual tunnels, 6to4 tunnels, and ISATAP tunnels). The S6720-SI can be deployed on IPv4 networks, IPv6 networks, or networks that run both IPv4 and IPv6. This makes networking flexible and enables a network to migrate from IPv4 to IPv6.

The S6720-SI supports various IPv6 routing protocols including RIPng and OSPFv3. The S6720-SI supports the Neighbor
Discovery Protocol (NDP) of IPv6, and manages packets exchanged between neighbors. It also provides the Path MTU Discovery (PMTU) mechanism to select a proper MTU on the path from the source to the destination, optimizing network
resources and obtaining the maximum throughput.

Cloud Management

The Huawei cloud management platform allows users to configure, monitor, and inspect switches on the cloud, reducing on-site deployment and O&M manpower costs and decreasing network OPEX. Huawei switches support both cloud management and on-premise management modes. These two management modes can be flexibly switched as required to achieve smooth evolution while maximizing return on investment (ROI).

High-Performance VRP Software System

Huawei S series switches build on a unified Versatile Routing Platform (VRP) software system, meeting the growing network scale and the evolving Internet technologies and guaranteeing network services and network quality.

VRP is a network operating system developed by Huawei with independent intellectual property rights. It can run on multiple hardware platforms and provide unified network, user, and management views. VRP provides flexible application solutions for users. In addition, VRP is a future-proof platform that maximally protects customer investments.

The VRP platform is focused on IP services and uses a component-based architecture to provide more than 300 features. Besides, VRP stands out for its application-based tailorable and scalable capabilities.

OPS

Open Programmability System (OPS) is an open programmable system based on the Python language. IT administrators can program the O&M functions of a switch through Python scripts to quickly innovate functions and implement intelligent O&M.

Intelligent O&M

The S6720-SI provides telemetry technology to collect device data in real time and send the data to Huawei campus network analyzer CampusInsight. The CampusInsight analyzes network data based on the intelligent fault identification algorithm, accurately displays the real-time network status, effectively demarcates and locates faults in a timely manner, and identifies network problems that affect user experience, accurately guaranteeing user experience.

The S6720-SI supports a variety of intelligent O&M features for audio and video services, including the enhanced Media Delivery Index (eMDI). With this eDMI function, the S6720-SI can function as a monitored node to periodically conduct statistics and report audio and video service indicators to the CampusInsight platform. In this way, the CampusInsight platform can quickly demarcate audio and video service quality faults based on the results of multiple monitored nodes.

Intelligent Upgrade

Switches support the intelligent upgrade feature. Specifically, switches obtain the version upgrade path and download the
newest version for upgrade from the Huawei Online Upgrade Platform (HOUP). The entire upgrade process is highly automated and achieves one-click upgrade. In addition, preloading the version is supported, which greatly shortens the upgrade time and service interruption time.

The intelligent upgrade feature greatly simplifies device upgrade operations and makes it possible for the customer to upgrade the version independently. This greatly reduces the customer's maintenance costs. In addition, the upgrade policies on the HOUP platform standardize the upgrade operations, which greatly reduces the risk of upgrade failures.

Specification

S6720-26Q-SI-24S-AC
Fixed port
10GE port	24
40GE port	2
Management port
ETH port	Supported
Console port (RJ45)	Supported
USB port	USB 2.0
CPU
Frequency	1 GHz
Cores	2
Storage
Memory (RAM)	1 GB
Flash memory	Hardware: 512 MB, of which 240 MB is available for users
Power supply system
Power supply type	150W AC (pluggable)
Power supply redundancy	1+1 backup
Rated voltage range	100 - 240 V AC 50/60 Hz
Maximum voltage range	90 - 264 V AC 47 - 63 Hz
Maximum input current	3 A
Maximum power consumption of the device	97 W
Power consumption in the case of 30% traffic load	68,4 W
Heat dissipation system
Heat dissipation mode	Air-cooled heat dissipation and intelligent fan speed adjustment
Number of fan modules	Pluggable dual fans
Airflow	Air flows in from the left, right, and front sides and exhausts from the rear side
Maximum heat dissipation of the device (BTU/hour)	331
Physical specifications
Chassis dimensions (W x D x H, mm)	420 x 220 x 44,4
Chassis height	1 U
Chassis weight (full configuration weight, including weight of packaging materials)	8,83 kg
Environment parameters
Long-term operating temperature	0 - 1800 m: 0°C - 45°C 1800 - 5000 m: Zakres temperatury spada o 1°C na każde 220 m
Short-term operating temperature	0 - 1800 m: -5°C - 50°C 1800 - 5000 m Zakres temperatury spada o 1°C na każde 220 m
Storage temperature	-40°C - 70°C
Relative humidity	5%-95% niekondensująca
Noise under normal temperature (sound power)	57 dB(A)
Noise under high temperature (sound power)	71,6 dB(A)
Noise under normal temperature (sound pressure)	34,9 dB(A)
MTBF	41,9 lat
Software
Ethernet features
Ethernet basics	Full-duplex, halfduplex, and auto-negotiation Rate autonegotiation on an interface Flow control on an interface Jumbo frames Link aggregation Load balancing among links of a trunk Transparent transmission of Layer 2 protocol packets Device Link Detection Protocol (DLDP) Link Layer Discovery Protocol (LLDP) Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED) Interface isolation Broadcast traffic suppression on an interface Multicast traffic suppression on an interface Unknown unicast traffic suppression on an interface VLAN broadcast traffic suppression VLAN multicast traffic suppression VLAN unknown unicast traffic suppression
VLAN	VLAN specification: 4094 VLANIF interface specification: 1024 Access mode Trunk mode Hybrid mode QinQ mode Default VLAN VLAN assignment based on interfaces VLAN assignment based on protocols VLAN assignment based on IP subnets VLAN assignment based on MAC addresses VLAN assignment based on MAC address + IP address VLAN assignment based on MAC address + IP address + interface number Adding double VLAN tags to packets based on interfaces VLAN mapping Selective QinQ MUX VLAN Voice VLAN Guest VLAN
GVRP	GARP GVRP
MAC	MAC address: 32K Automatic learning of MAC addresses Automatic aging of MAC addresses Static, dynamic, and blackhole MAC address entries Interface-based MAC address learning limiting Sticky MAC MAC address flapping detection MAC address spoofing defense Port bridge
ARP	Static ARP Dynamic ARP ARP entry: 20K ARP aging detection Intra-VLAN proxy ARP Routed proxy ARP
Ethernet loop protection
MSTP	STP RSTP MSTP VBST BPDU protection Root protection Loop protection Defense against TC BPDU attacks
Ethernet basics	Loop detection on an interface
SEP	SEP
Smart Link	Smart Link Smart Link multi-instance Monitor Link
RRPP	RRPP Single RRPP ring Tangent RRPP ring Intersecting RRPP ring Hybrid networking of RRPP rings and other ring networks
ERPS	G.8032 v1 G.8032 v2 ERPS semi-ring topology ERPS closed-ring topology
IPv4/IPv6 forwarding
IPv4 and unicast routing	IPv4 static routing VRF DHCP client DHCP server DHCP relay DHCP policy check Routing policies IPv4 routes: 8K RIPv1 RIPv2 OSPF Policy-based routing (PBR)
Multicast routing features	IGMPv1/v2/v3 PIM-DM PIM-SM MSDP IPv4 multicast routes: 1,5K IPv6 multicast routes: 0,5K Multicast routing policies RPF
IPv6 features	IPv6 protocol stack ND ND entry: 10K ND snooping DHCPv6 snooping RIPng DHCPv6 server DHCPv6 relay OSPFv3 IPv6 routes VRRP6 MLDv1/v2 PIM-DM for IPv6 PIM-SM for IPv6
Layer 2 multicast features
-	IGMPv1/v2/v3 snooping IGMP snooping proxy MLD snooping Multicast traffic suppression Inter-VLAN multicast replication
Device reliability
Stacking	Service interface-based stacking Maximum number of stacked devices: 9 Stack bandwidth (Unidirectional): 176 Gb/s
VRRP	VRRP standard protocol
Ethernet OAM
EFM (802.3ah)	Automatic discovery of links Link fault detection Link troubleshooting Remote loopback
CFM (802.1ag)	Software-level CCM 802.1ag MAC ping 802.1ag MAC trace
OAM association	Association between 802.1ag and 802.3ah
Y.1731	Unidirectional delay and jitter measurement Bidirectional delay and jitter measurement
QoS features
Traffic classification	Traffic classification based on ACLs Configuring traffic classification priorities Matching the simple domains of packets
Traffic behavior	Traffic filtering Traffic policing (CAR) Modifying the packet priorities Modifying the simple domains of packets Modifying the packet VLANs
Traffic shaping	Traffic shaping on an egress interface Traffic shaping on queues on an interface
Congestion avoidance	Tail drop
Congestion management	Priority Queuing (PQ) Weighted Deficit Round Robin (WDRR) PQ+WDRR Weighted Round Robin (WRR) PQ+WRR
ACL
Packet filtering at Layer 2 to Layer 4	Number of rules per IPv4 ACL: 2K Number of rules per IPv6 ACL: 2K Basic IPv4 ACL Advanced IPv4 ACL Basic IPv6 ACL Advanced IPv6 ACL Layer 2 ACL User-defined ACL
Configuration and maintenance
Login and configuration management	Command line interface (CLI)- based configuration Console terminal service Telnet terminal service SSH v1.5 SSH v2.0 SNMP-based NMS for unified configuration Web page-based configuration and management EasyDeploy (client) SVF OPS
File system	Directory and file management File upload and download
Monitoring and maintenance	eMDI Hardware monitoring Log information output Alarm information output Debugging information output Port mirroring Flow mirroring Remote mirroring Energy saving
Version upgrade	Version upgrade Version rollback
Security
ARP security	ARP packet rate limiting ARP anti-spoofing Association between ARP and STP Dynamic ARP Inspection (DAI) Static ARP Inspection (SAI) Egress ARP Inspection (EAI)
IP security	ICMP attack defense IPSG for IPv4 IPSG user capacity: 1000 IPSG for IPv6 IPSGv6 user capacity: 512
Local attack defense	CPU attack defense
MFF	MFF
DHCP Snooping	DHCP snooping Option 82 function Dynamic rate limiting for DHCP packets
Attack defense	Defense against malformed packet attacks Defense against UDP flood attacks Defense against TCP SYN flood attacks Defense against ICMP flood attacks Defense against packet fragment attacks Local URPF
User access and authentication
AAA	Local authentication Local authorization RADIUS authentication RADIUS authorization RADIUS accounting HWTACACS authentication HWTACACS authorization HWTACACS accounting
NAC	802.1X authentication MAC address authentication Portal authentication Hybrid authentication
Policy association	Functioning as the control device Functioning as the access device
Network management
-	Ping Tracert NQA NTP sFlow SNMP v1 SNMP v2c SNMP v3 HTTP HTTPS RMON NETCONF/YANG
Interoperability
-	VLAN-based Spanning Tree (VBST) Link-type Negotiation Protocol (LNP) VLAN Central Management Protocol (VCMP)