e8000e series firewall hardware.pdf
TRANSCRIPT
-
8/11/2019 E8000E Series Firewall Hardware.pdf
1/39
Huawei Symantec Technologies Co., Ltd.
E8000E Series Firewall Products Introduction
-
Foreword
The Eudemon 8080E/8160E is a new-generation, high-end Gigabit
firewall developed by Huawei for core and backbone networks. It
offers large capacity, high performance, and high reliability. As a
high-performance security device, the Eudemon 8080E/8160E provides an
all-round and flexible network solution for network applications.
-
Objectives
Master the hardware structure of E8000E
Know about the characteristics of E8000E
Know about the typical application of E8000E
-
E8000E Series Firewall Introduction
Contents
1 Network orientation of E8000E
2 Hardware structure of E8000E
3 Characteristics of E8000E
4 Typical application of E8000E
-
Requirements for the New Generation Firewall
New requirements
New devices
Higher performance: Indexes such as throughput, new connections
established per second, and maximum concurrent services must adapt to
network development to avoid the firewall being the bottleneck.
Larger interface capacities: Richer interface types, more interfaces,
larger interface capacities
Better flexibility: Quick response to new threats and customer
requirements
Lower deployment costs: True extensible architecture supporting
virtual technologies
-
Network Orientation of E8000E
Product tiers: 100M security gateways; Gigabit security gateways;
high-end 10 Gigabit security gateways
E100E/200/200S: 100-500M performance; P2P traffic control; support for
E1 and T1 interfaces; rich routing features
E300/500/1000: 2 G-4 G performance; NP architecture; high VPN
performance; best DDoS protection
E1000E-U2/3/5/6: 2 G-8 G performance; high-density interfaces;
multi-core processor; best DDoS protection
E8040/8080: 10 G-20 G performance; distributed architecture; NP and
distributed architectures; best DDoS protection
E8080E/8160E: 10 G-80 G performance; mass VPN access; distributed
architecture; NP and multi-core processor
-
Advanced Architecture
Multi-core
NP high performance interface boards:
-Forwarding at consistent and stable line speed
Multi-core and multi-thread service processing cards:
-Process services such as NAT, ASPF, Anti-DDoS,
and VPN at high speed with flexible extensions.
Distributed hardware architecture:
-Solve the performance bottleneck
-Enhance the whole performance greatly
-
Various Interfaces of Capacity
Type | POS 155 M | POS 622 M | POS 2.5 G | POS 10 G | Ethernet 10 G | Ethernet GE
Board density | 8 | 4 | 4 | 1 | 1 | 24
E8080E | 32 | 16 | 16 | 4 | 4 | 96
E8160E | 64 | 32 | 32 | 8 | 8 | 192
Dual NP high speed hardware forwarding engines for implementing line speed forwarding
Unique 155 M, 622 M, 2.5 G, and 10 G POS interfaces for accessing backbone networks and
improving transmission efficiency
Maximum interface capacities for supporting 192 x GE or 8 x 10GE and facilitating user networking
and capacity expansion
-
E8000E Product Specifications
Product model | Eudemon8080E | Eudemon8160E
Throughput | 10Gbps*4 | 10Gbps*8
Concurrent connection | 4 million*4 | 4 million*8
New connections established per second | 250,000*4 | 250,000*8
VPN performance/number of tunnels | 8 Gbps*4/40,000*4 | 8 Gbps*8/40,000*8
Virtual firewall | 1024 | 1024
Extended slot | 8 extended slots | 16 extended slots
Interface type:
Ethernet interface: 5 x GE, 10 x GE, 24 x GE, 1 x 10 G (optical or electrical interfaces)
POS interface: 8 x 155 M, 4 x 622 M, 4 x 2.5 G, 1 x 10 G
Software feature:
Working mode: transparent/routing/mixed
FW: ASPF/DDOS defense/NAT/PAT/virtual FW
VPN: MPLS/IPSEC/GRE/L2TP/IKEv2
Routing feature: RIP/OSPF/BGP/static routes/IGMP/source address routing
Reliability:
Component redundancy and hot swap/dual-system hot backup/link
aggregation/dual main control boards/service load balancing and mutual
backup/support for BYPASS device
-
E8000E Appearance
E8160E: MPU 1+1 backup; SFU 3+1 backup; LPU 8; ESPU 8
E8080E: SRU 1+1 backup; SFU 3+1 backup; LPU 4; ESPU 4
Board labels in the figure: MPU/SRU, SFU, LPU, ESPU
-
Equipment Structure of E8160E
1. LCD
2. Fan module
3. Cable management bracket
4. Board frame
5. Cable management bracket
6. Air intake frame
7. Plastic panel of the power supply module
8. Power supply module
9. Rack-mounting ear
10. Handle
-
Board Cage Distribution of E8160E
[Figure: board cage slot layout. Slots 1-16: LPU; slots 17-18: MPU; slots 19-22: SFU.]
-
Equipment Structure of E8080E
1. Plastic panel of the FAN module
2. Fan module
3. Board cage
4. Air intake frame
5. Plastic panel of the power supply module
6. Power supply module
7. Handle
8. Rack-mounting ear
9. Cable management bracket
-
Board Cage Distribution of E8080E
[Figure: board cage slot layout. Slots 1-8: LPU; slots 9-10: SRU; slots 11 and 12: SFU.]
-
E8000E Hardware Structure
[Figure: block diagram. Labels: LPU (NP inside); ESPU (multi-core CPU inside); SFU (3+1 backup); MPU (1+1 backup); Heat Dissipation System (redundancy backup); Power Supply (redundancy backup); Monitoring bus; Management bus.]
-
E8000E Hardware Structure - MPU/SRU
Function
Routing calculation
Provide clock unit
Monitoring and management
NM
Figure labels: offline button, clock
-
Processor and Storage of MPU Board
Parameters | Description | Remark
CPU | 1 GHz | -
Boot ROM | 1 MB | -
SDRAM | 2 GB | -
NVRAM | 512 KB | -
Flash Memory | 32 MB | -
CF Card | 512 MB | CF cards of different capacities can be configured.
-
E8000E Hardware Structure - SFU
Function
Line-rate switching
3+1 redundant backup; working in the load balancing mode
Figure labels: 8160E SFU Board, 8080E SFU Board
-
E8000E Hardware Structure - LPU
Function
Physical-layer adapter
Link-layer protocol processing
Traffic management
Forwarding according to FIB
-
LPU Types
The types of LPUs supported by the Eudemon 8080E/8160E are as
follows:
4-port or 8-port OC-3c/STM-1 POS-SFP optical interface LPU
4-port OC-12c/STM-4c POS-SFP optical interface LPU
1-port or 2-port or 4-port OC-48c/STM-16c POS-SFP optical interface LPU
1-port OC-192c/STM-64c POS-XFP optical interface LPU
1-port 10 GBase WAN-XFP optical interface LPU
1-port 10 GBase LAN-XFP optical interface LPU
24-port 100Base-FX/1000Base-X-SFP optical interface LPU
5-port or 10-port 1000Base-X-SFP optical interface LPU
24-port 10Base-T/100Base-TX/1000Base-T-RJ45 electrical interface LPU
-
E8000E Hardware Structure - ESPU
Function
Filtering application layer packets
Defending against attacks
Blacklist function
NAT
Multiple Virtual Private Network (VPN) instances
-
Security defense - Packet filtering
Attribute: Packet filtering
Description:
Supporting basic ACL and advanced ACL.
Supporting time range ACL.
Supporting ordering of ACL rules by configuration time.
Supporting dynamic addition of ACL rules.
Supporting blacklist.
Supporting the ASPF and the state inspection.
Providing the port mapping mechanism.
-
Security defense - NAT
Attribute: NAT
Description:
Supporting address translation (NAT and NAPT).
Providing static address mapping of internal server addresses.
Supporting security zone-based static address mapping of internal server
addresses.
Supporting multiple NAT ALGs, including FTP, HTTP, SMTP, RTSP, MSN, QQ.
[Figure: NAT example]
Trust zone: PC 192.168.1.3; Server 192.168.1.2; Eudemon Eth0/0/0 192.168.1.1
Untrust zone (Internet): Server 202.120.10.2; PC 202.130.10.3; Eudemon Eth0/0/0 202.169.10.1
Packet 1 in the Trust zone: source 192.168.1.3, destination 202.120.10.2
Packet 1 in the Untrust zone: source 202.169.10.1, destination 202.120.10.2
Packet 2 in the Untrust zone: source 202.120.10.2, destination 202.169.10.1
Packet 2 in the Trust zone: source 202.120.10.2, destination 192.168.1.3
-
Security defense - Attack defense
[Figure labels: Eudemon 8000E; Attacking traffic; Ordinary traffic; Defective packet attack; Scanning and snooping attack; Denial of service attack; Network A: abnormal traffic; Network B: abnormal traffic; Network C: normal traffic]
-
Network interconnection
Attribute: Network interconnection
Description:
Link layer protocol:
Supporting Ethernet
Supporting VLAN
Supporting PPP
Supporting HDLC
Supporting Trunk
Supporting IP-link
IP Service:
Supporting ARP address resolution
Routing Protocol:
Supporting static routing
Supporting dynamic routing through RIP, OSPF and BGP
Supporting policy-based routing
Supporting routing policy, routing iteration and routing management
-
Virtual Firewall
With Huawei's firewall multi-instance solution, the network operator can divide
one Eudemon firewall into multiple VPN instances, so as to provide independent
security services for multiple small private networks.
[Figure: interfaces and security zones per virtual firewall]
vfw1 Trust: Eth4/0/1 10.1.1.1/24
vfw2 Trust: Eth4/0/2 10.1.1.1/24
vfw1 DMZ: Eth4/0/3 192.168.1.1/24
vfw2 DMZ: Eth4/0/4 192.168.2.1/24
vfw1 Untrust: Eth4/0/5 2.1.1.1/24
vfw2 Untrust: Eth4/0/6 2.1.2.1/24
-
VPN Features
32 Gbps encryption and decryption performance;
320,000 concurrent IPSec tunnels.
Supports the IKEv2 protocol, enhances the authentication mechanism, and
eliminates attack threats. It also supports wireless authentication
protocols such as EAP-SIM and EAP-AKA.
Supports the L2TP protocol.
Supports the GRE protocol.
[Figure labels: Branch; Internal Server; L2TP Tunnel; IPSEC Tunnel; HQ; HOME/OFFICE; Hundreds of thousands of concurrent accesses]
-
High Reliability
[Figure labels: EudemonA (Master); EudemonB (Backup); Backup group 1; Backup group 2; Untrust; Trust; DMZ; VRRP+VGMP+HRP; N+1]
-
Security Protection of Large IDCs
[Figure labels: CHINANET CNC backbone networks; Large IDCs; 10 G links; Data storage area; Service area; Management and maintenance area; Other areas]
Provide the best firewall performance in the industry
Provide high density 10 Gigabit Ethernet and POS interfaces.
Support dual-system hot backup/dual main control boards/card backup/link
aggregation
Anti-attack capabilities of ten million packets per second
Adopt the distributed and scalable architecture
Traffic cleaning/VPN/NAT/virtual FW
-
Security of High-speed Campus Network Egress
[Figure labels: INTERNET; CERNET; Administrative area; Teaching buildings; NMS center; Data center; Sub campus; 10 G links; Eudemon8000E]
High density Gigabit and 10 Gigabit interfaces for ensuring interworking
Rich routing features for ensuring intercommunications
Powerful DDoS protection capabilities for ensuring service continuity
High scalability for following updates and capacity expansion
Mass concurrent connections for ensuring user access to external network
resources
-
Security Protection of Large-capacity WAP Gateways
With the rapid increase of mobile users, traffic of WAP services is also increasing
dramatically. The WAP gateway urgently requires security gateways of large capacities and
high performance for security separation and attack defense. The Eudemon8000E provides:
10 G-80 G scalability to meet users' growing performance requirements.
Tens of millions of concurrent connections to ensure concurrent access of a large number of
mobile users.
Powerful DDoS defense capabilities to ensure stability of WAP gateway services.
[Figure labels: CMNET; INTERNET; Mobile access; GGSN; Eudemon8000E; WAP gateways; Terminals with worms; Attackers]
-
Security Separation of Carrier Network Planes
With the reorganization of services, large carriers are facing service integration and network capacity expansion,
which requires security gateway products of higher performance and stability. The Eudemon8000E provides:
A maximum of 80 G scalability and the best DDoS defense function to fully meet carriers' requirements on high
performance.
Multiple 10 Gigabit interfaces and unique POS interfaces to facilitate access of high-speed networks, including SDH.
A virtual system to effectively ensure security separation of different services in each network.
[Figure labels: ChinaNET public network; CN2 dedicated network; Capital cities; Small cities]
-
Typical Application of uBroUTMS Broadband
[Figure labels: AP; Internet; HLR; AHR; AG; AAA; IP Clock; ADSL Dialing+NAT; Private network; Public network; Intranet; BRAS; Base station; Wireless terminal; SIM Card; NM Platform; IPSec Tunnel]
-
Summary
How many kinds of boards does E8000E have?
What are the differences in hardware structure between E8080E
and E8160E?