E8000E Series Firewall Hardware.pdf

8/11/2019 E8000E Series Firewall Hardware.pdf

1/39

Huawei Symantec Technologies Co., Ltd.

E8000E Series Firewall ProductsIntroduction


2/39

page 2Huawei Symantec Technologies Co., Ltd.

Foreword

The Eudemon 8080E/8160E is a new generation and high end Gigabit

firewall developed by Huawei for the core network and backbone

network. The Eudemon 8080E/8160E is of large capacity, high

performance, and high reliability. As a high performance security device,

the Eudemon 8080E/8160E provides an all-round and flexible network

solution for network applications.


3/39


Objectives

Master the hardware structure of E8000E

Know about the Characteristics of E8000E

Know about the typical application of E8000E


4/39


E8000E Series Firewall Introduction

Network orientation of E8000E

Hardware structure of E8000E

1

2

3 Characteristics of E8000E

4 Typical application of E8000E

Co

ntents


5/39


Higher performanceIndexes such as the throughput, new

connection established per second,and maximum concurrent services

must adapt to network development to

avoid the firewall being the bottleneck.

New requirements

New devices

Larger interface

capacitiesRicher interface types

more interfaceslarger interface capacities

Better flexibility

Quick response to new threadsand customer requirements

Lower deployment

costs

True extensible architecturesupporting virtual technologies

Requirements for the New Generation Firewall


6/39


E300/500/1000 E1000E-U2/3/5/6 E8040/8080 E8080E/8160E

Gigabit security

gateways

10 G-80 Gperformance

Mass VPN access

Distributed

architecture

NP and multi-coreprocessor

100M security

gateways

10 G-20 Gperformance

Distributedarchitecture

NP and distributedarchitectures

Best DDoSprotection

2 G-8 Gperformance

High-densityinterfaces

Multi-coreprocessor

Best DDoSprotection

2 G-4 Gperformance

NP architecture

High VPNperformance

Best DDoSprotection

E100E/200/200S

100-500M performance

P2P traffic control

Supporting of E1 andT1 interfaces

Rich routing features

High-end 10Gigabit

security gateways

Network Orientation of E8000E


7/39


NP high performance interface boards:

-forwarding of consistent and stable line speed

Multi-core and multi-thread service processing cards:

-Process services such as NAT, ASPF, Anti-DDoS,

and VPN at high speed with flexible extensions.

Distributed hardware architecture:

-Solve the performance bottleneck

Enhance the whole performance greatly

MultiMulti--corecore

Advanced Architecture


8/39


GE10 G10 G2.5 G622 M155 M

9644161632E8080E

19288323264E8160E

2411448Board

density

EthernetPOSType

Dual NP high speed hardware forwarding engines for implementing line speed forwarding

Unique 155 M, 622 M, 2.5 G, and 10 G POS interfaces for accessing backbone networks and

improving transmission efficiency

Maximum interface capacities for supporting 192 X GE or 8 10GE and facilitating user networking

and capacity expansion

Various Interfaces of Capacity


9/39


10241024Virtual firewall

Eudemon8160E

250,000*8250,000*4New connections

established per second

8 Gbps*8/40,000*8

Component redundancy and hot swap/dual-system hot backup/link

aggregation/dual main control boards/service load balancing and mutual

backup/supports of BYPASS device

Reliability

Ethernet interface: 5

GE, 10

GE, 24

GE, 1

10 G (optical or electrical interfaces)

POS interface: 8 155 M, 4 622 M, 4 2.5 G, 1 10 G

Interface type

Working mode: transparent/routing/mixed

FW: ASPF/DDOS defense/NAT/PAT/virtual FW

VPN: MPLS/IPSEC/GRE/L2TP/IKEv2

Routing feature: RIP/OSPF/BGP/static routes/I GMP/source address routing

Software feature

16 extended slots8 extended slotsExtended slot

8 Gbps*4/40,000*4VPN performance

number of tunnels

4 million*84 million*4Concurrent connection

10Gbps*810Gbps*4Throughput

Eudemon8080EProduct model

E8000E Product Specifications


10/39





1

2


4

Typical application of E8000E

Co

ntents


11/39


E8000E Appearance

E8160E

MPU1+1 backup

SFU3+1 backup

LPU8

ESPU8

E8080E

SRU1+1 backup

SFU3+1 backupLPU4

ESPU4

MPU/SRU

SFU

LPU

ESPU


12/39


Equipment Structure of E8160E

1. LCD

2. Fan module3. Cable management bracket

4. Board frame

5. Cable management bracket

6. Air intake frame

7. Plastic panel of the power supply module

8. Power supply module

9. Rack-mounting ear

10. Handle

1. LCD

2. Fan module


4. Board frame


6. Air intake frame

7. Plastic panel of the power supply module



10. Handle


13/39


1 2 3 4 17 18 5 6 7

10 11 12 13 19 20 21 22 14

8

15

9

16

L

P

U

L

P

U

L

P

U

L

P

U

M

P

U

M

P

U

L

P

U

L

P

U

L

P

U

L

P

U

L

P

U

L

P

U

L

P

U

L

P

U

L

P

U

S

F

U

S

F

U

S

F

U

S

F

U

L

P

U

L

P

U

L

P

U

Board Cage Distribution of E8160E


14/39


Equipment Structure of E8080E

1. Plastic panel of the FAN module

2. Fan module

3. Board cage

4. Air intake frame

5. Plastic panel of the power supplymodule


7. Handle



1. Plastic panel of the FAN module

2. Fan module

3. Board cage

4. Air intake frame

5. Plastic panel of the power supply

module


7. Handle




15/39


Board Cage Distribution of E8080E

1 2 3 4 9 11 10 5 6 7 8

L

PU

L

PU

L

PU

L

PU

S

RU

S

F

U S

RU

L

PU

L

PU

L

PU

L

PU

1 2 3 4 9 12 10 5 6 7 8

S

F

U


16/39


E8000E Hardware Structure

LPU

(NP inside)

LPU(NP inside)

Heat Dissipation System

Redundancy Backup


Redundancy Backup

Power Supply

Redundancy Backup

Power Supply

Redundancy Backup

MPU(1+1 backup)

MPU(1+1 backup)

SFU

(1+3 )

SFU

(1+3

)

Monitoring bus Management bus

ESPU

(multi-core cpu inside)

ESPU


SFU

3+1 backup

SFU

3+1 backup

LPU

(NP inside)

LPU(NP inside)


Redundancy Backup


Redundancy Backup

Power Supply

Redundancy Backup

Power Supply

Redundancy Backup

MPU(1+1 backup)

MPU(1+1 backup)

SFU

(1+3 )

SFU

(1+3

)

SFU

(1+3 )

SFU

(1+3

)

Monitoring bus Management bus

ESPU


ESPU


SFU

3+1 backup

SFU

3+1 backup


17/39


Function

Routing calculation

Provide clock unit

Monitoring and

management

NM

offline button

E8000E Hardware Structure -

MPU/SRU

clock


18/39


512MBCF Card

-32MBFlash Memory

-512KBNVRAM

-2GBSDRAM

-1MBBoot ROM

-1GHzCPU

RemarkDescriptionParameters

Processor and Storage of MPU Board

CF cards of different capacities

can be configured.


19/39


Function

line-rate switching

3+1 redundant

backup; working in

the loading balance

mode

E8000E Hardware Structure - SFU

8160E SFU Board

8080E SFU Board


20/39


Function

Physical-Layer adapter

Link-Layer protocol

disposal

Traffic Management

Forwarding according to

FIB

E8000E Hardware Structure - LPU


21/39


The types of LPUs supported by the Eudemon 8080E/8160E are as

follows:

4-port or 8-port OC-3c/STM-1 POS-SFP optical interface LPU

4-port OC-12c/STM-4c POS-SFP optical interface LPU

1-port or 2-port or 4 port OC-48c/STM-16c POS-SFP optical interface LPU

1-port OC-192c/STM-64c POS-XFP optical interface LPU

1-port 10 GBase WAN-XFP optical interface LPU

1-port 10 GBase LAN-XFP optical interface LPU

24-port 100Base-FX/1000Base-X-SFP optical interface LPU

5-port or 10-port 1000Base-X-SFP optical interface LPU

24-port 10Base-T/100Base-TX/1000Base-T-RJ45 electrical interface LPU

LPU Types


22/39


Function

Filtering application layer packets

Defending attacks

Blacklist function

NAT

Multiple Virtual Private Network (VPN)

instances

E8000E Hardware Structure - ESPU


23/39





1

2


4


Co

ntents


24/39


Security defense-Packet filtering

Supporting basic ACL and advanced ACL.

Supporting time range ACL.

Supporting preference of configuration time for sequencing ACL

rules.

Supporting dynamic addition of ACL rules.

Supporting blacklist.

Supporting the ASPF and the state inspection.

Providing the port mapping mechanism.

Packet

filtering

DescriptionAttribute


25/39


Security defense-NAT

Supporting address translation (NAT and NAPT).

Providing static address mapping of internal server addresses.

Supporting security zone-based static address mapping of internal server

addresses.

Supporting multiple NAT ALGs, including FTP, HTTP, SMTP, RTSP, MSN, QQ.

NAT


PC202.130.10.3

Server202.120.10.2

Server192.168.1.2

PC192.168.1.3

EudemonEth0/0/0202.169.10.1

Eth0/0/0192.168.1.1

Trust Untrust

Packet 1source192.168.1.3

destination202.120.10.2

Packet 2

source202.120.10.2

destination202.169.10.1

Packet 1source202.169.10.1

.destination202.120.10.2

Packet 2

source

202.120.10.2destination192.168.1.3

Internet


26/39


Security defense-Attack defense

Eudemon

8000E

Attacking traffic

Ordinary traffic

Defective packet attackScanning and snooping attack

Denial of service attack

Scanning and snooping attack

Defective packet attack

Network Aabnormal traffic

Network Babnormal traffic

Network Cnormal traffic

Network ANetwork B

Network C

Eudemon

8000E

Attacking traffic

Ordinary traffic

Defective packet attackScanning and snooping attack

Denial of service attack

Scanning and snooping attack

Defective packet attack







Network ANetwork B

Network C


27/39


Supporting static routing

Supporting dynamic routing through RIP, OSPF and BGP

Supporting policy-based routing

Supporting routing policy , routing iteration and routing

management

Routing

Protocol

Supporting ARP address resolutionIP

Service

Supporting Ethernet

Supporting VLANSupporting PPP

Supporting HDLC

Supporting Trunk

Supporting IP-link

Link layer

protocol

Network

interconnection


Network interconnection


28/39


By the firewall multi-instance solution of Huawei, the network operator can divide

one Eudemon firewall into multiple VPN instances, so as to provide independent

security services for multiple small private networks.

vfw1

Trust

Eth4/0/1

10.1.1.1/24

vfw2

Trust

Eth4/0/210.1.1.1/24

vfw1

DMZ

Eth4/0/3

192.168.1.1/24

Eth4/0/4

192.168.2.1/24

vfw2

DMZ

vfw1

Untrust

Eth4/0/5

2.1.1.1/24

vfw2

UntrustEth4/0/6

2.1.2.1/24

Virtual Firewall


29/39


32 Gbps encryption and decryption performance;

320,000 concurrent IPSec tunnels.

Supports the IKEv2 protocol, enhance the authenticationmechanism, and eliminates attack threads. It also supports

wireless authentication protocols such as EAP-SIM and

EAP-AKA.

Supports the L2TP protocol.

Support GRE protocol.

Branch

Internal Server

L2TP

Tunnel

IPSEC Tunnel

HQ

HOME/OFFICEHundred thousands of

concurrent access

VPN Features


30/39


EudemonA

Master

EudemonB

Backup

Backup group 1

Backup group 2

Untrust

Trust

DMZ

VPPR+VGMP+HRP

N+1

High Reliability


31/39





1

2


4


Co

ntents


32/39


CHINANET CNC backbone

networks

Large IDCs

10 G links

Data storage area Service area Management and

maintenance area

Other areas

Provide the best firewall performance

in the industry

Provide high density 10 Gigabit

Ethernet and POS interfaces.

Support dual-system hot backup/dual

main control boards/card backup/link

aggregation

Anti-attack capabilities of ten million

packets per second

Adopt the distributed and

salable architecture

Traffic cleaning/VPN/NAT/virtual FW

Security Protection of Large IDCs


33/39


34/39


INTERNET CERNET

Administrative areaTeaching buildingsNMS center Data center Sub campus

10 G links

Eudemon8000E

High density Gigabit and 10 Gigabit

interfaces for ensuing interworking

Rich routing features for ensuring

intercommunications

Powerful DDoS protection capabilities for

ensuring service continuity

High scalability for following updates and

capacity expansion

Mass concurrent connections for ensuring user

access to external network resources

Security of High-speed Campus Network

Egress


35/39


With the rapid increase of mobile users, traffic of WAP services is also increasing

dramatically. The WAP gateway urgently requires security gateways of large capacities and

high performance for security separation and attack defense. The Eudemon8000E provides:

10 G-80 G scalability to meet users growing performance requirements.

Tens of millions of concurrent connections to ensure concurrent access of a large number of

mobile users.

Powerful DDoS defense capabilities to ensure stability of WAP gateway services.

CMNET INTERNET

Mobile accessGGSN

Eudemon8000E

WAP gateways

Terminals with

worms Attackers

Security Protection of Large-capacity WAP

Gateways


36/39


With the reorganization of services, large carriers are facing service integration and network capacity expansion,

which requires security gateway products of higher performance stability. The Eudemon8000E provides:

A maximum of 80 G salability and the best DDoS defense function to fully meet carriers requirements on high

performance.

Multiple 10 Gigabit interfaces and unique POS interfaces to facilitating access of high-speed networks, including SDH.

A virtual system to effectively ensure security separation of different services in each network.

ChinaNET public network CN2 dedicated network

Capital cities Small cities

Security Separation of Carrier Network Planes


37/39


AP

Internet

HLR

AHR

AG

AAA

IPClock

ADSL Dialing+NAT

Private network

Public network

Intranet

BRAS

Base station

Wireless terminal

SIM Card

SIM Card

Intranet

NM Platform

IPSecTunnel

Typical Application of uBroUTMS Broadband


38/39


Summary

How many kinds of boards does E8000E have?

What are the differences of hardware structure between E8080E

and E8160E?


39/39


E8000E Series Firewall Hardware.pdf

Documents

Transcript of E8000E Series Firewall Hardware.pdf