Product Overview

Product Portfolio

Network bandwidth is increasing rapidly, and security threats and attacks are flooding networks along with it. Enterprises and carriers must therefore ensure service security and continuity while extending their network structure. The E8000E adopts a distributed hardware and software design. Its LPUs and SPUs are mutually independent and support on-demand configuration, so the E8000E provides flexible processing capability, diversified I/O interfaces, and abundant security services. This perfectly satisfies the requirements of users (including data centers, carriers, ISPs, and governments) for high integrity, quick response, high-speed processing, and long-term guarantee.

E8080E, E8160E

Product Description

Combining a dedicated multi-core processor with a distributed hardware platform and adopting an innovative NP + multi-core + distributed architecture, the E8000E breaks through the performance bottleneck of the CPU. It delivers industry-leading service processing capability and service expansion capability. In addition, full-redundancy technology is applied to all components. The E8000E provides diversified technical guarantees, including a dual-NP interface module, dual-CPU service processing module, dual-MPU control module, dual power supplies, and load balancing. Together these ensure core-router-level reliability, which in turn guarantees service continuity in high-speed networking.

The E8000E uses dynamic distributed concurrent processing technology. Service traffic is forwarded to multiple dedicated SPUs at the line rate in a distributed manner. Additionally, the SPUs support on-demand configuration, which resolves the conflict between service processing performance and data forwarding capability in ever-faster networks. This distributed technology uses line-rate intelligent traffic splitting for data forwarding.
All data flows are distributed equally to the service processing modules to prevent performance bottlenecks. As a result, service processing performance increases at the line rate as service modules are added, fundamentally supporting the long-term development of networks.

The E8000E supports multiple LPUs, and users can configure LPUs flexibly as required. Furthermore, LPUs and SPUs use the same slot type, so different combinations of LPUs and SPUs can be implemented for various interface and performance requirements, providing users with customized security protection solutions. The E8000E has a maximum interface capacity of 320 Gbps and provides 30 10GE interfaces and 360 GE interfaces. The E8000E also supports various POS interfaces and cross-board interface binding, which meets the requirements for large interface capacity and high interface density. This also meets networking requirements in complicated situations, such as the Metropolitan Area Networks (MANs) of carriers, large enterprises, and data centers.

The E8000E series includes two models, the E8080E and the E8160E. The E8160E provides industry-leading security protection capability and scalability. It supports 16 extension slots. The maximum firewall throughput reaches 160 Gbps; the IPS performance is 64 Gbps; the number of new connections per second is 4M, and 64M concurrent connections are supported; the VPN performance is 96 Gbps. The E8080E adopts the same software and hardware architecture as the E8160E. The E8080E, however, supports only 8 extension slots, and its integrated performance is half that of the E8160E.

The SPU, heart of the E8000E, processes all services. To allow flexible configuration, a board combination design is adopted. Each SPU contains two parts, the mother board and the extension board, which can be deployed either independently or separately. The mother board provides 10G firewall performance, and the mother board plus extension board provides 20G firewall performance. The SPU adopts multi-core, multi-processor hardware and implements service features through software modules. A heartbeat detection mechanism runs between the SPU and the LPU. Moreover, SPUs support mutual backup: when an SPU is faulty, all its traffic is immediately distributed to other SPUs, preventing service interruption.

The LPU, limb of the E8000E, is responsible for external connection and data transmission. The LPU integrates a high-speed network processor to ensure flexibility. Certain firewall functions can be implemented on the LPU, which significantly reduces the load on the SPU. The network processor provides special processing design for each type of packet, for example a dedicated co-processor for hardware-based table searching and specialized bit operation design, giving it a unique advantage in small-packet processing.
Thus, the E8000E can achieve almost-line-rate performance when processing mixed traffic on the network. Through the interworking between the LPU and SPU, the E8000E delivers high performance for service processing, as well as sound scalability.

Product Feature

Advanced NP + multi-system + distributed architecture breaking traditional performance bottlenecks

The E8000E adopts an architecture of independent control modules, interface modules, and service processing modules. Based on the dual NP, the interface module ensures line-speed forwarding of interface traffic. Based on the multi-core and multi-thread architecture, the service processing module ensures high-speed concurrent processing of multiple services, such as Network Address Translation (NAT), Application Specific Packet Filter (ASPF), Anti-DDoS, and VPN. The E8000E adopts a distributed concurrent processing mechanism, which greatly enhances product performance. Thus, users can expand capacity with low up-front investment.

High firewall performance guaranteeing users' key services

The three main indexes of the E8000E (throughput, number of connections established per second, and maximum number of concurrent connections) are all at a leading level. The throughput of one service processing module of the E8000E is 20 G; the number of connections established per second is 500,000; and the maximum number of concurrent connections is 8,000,000. Furthermore, the E8000E has a maximum of eight service processing modules and its entire throughput reaches 160 G; the number of connections established per second is 4,000,000; the maximum number of concurrent connections is 64,000,000; and the number of virtual firewalls is 1024. The high performance and expandability of the E8000E meet high-end users' requirements for high performance.

Stable and reliable security gateway ensuring consistency of users' services

Network security is a key point for enterprise operations.
The E8000E supports redundant components (such as interfaces, fans, and power supplies), hot swap, dual processing engines, master/backup and master/master networking, and high reliability. Different service boards of the E8000E support load balancing and mutual hot backup, so a fault on a single board does not affect the entire system. In addition, when the E8000E is deployed together with BYPASS devices, services are not interrupted even if faults or power failures occur on devices. The mean time between failures of the E8000E is as long as 500,000 hours, and the failover time is less than 0.1 second. These ensure consistent and stable service operations.

Optimal VPN performance adapting to requirements for encrypted transmission of mass services

With the increase of network applications, more and more services need to be transmitted safely over the public network. Consequently, services that require mass VPN access gateways of the 100-Gigabit class are emerging, such as mobile security access, Short Message Service (SMS) push, and email push. The E8000E provides a maximum of 96 Gbps encryption and decryption performance and supports 320,000 concurrent VPN tunnels, making it the highest-performance VPN access gateway at the moment. The E8000E also supports the IKEv2 protocol and enhances the functions of user authentication, packet authentication, and NAT traversal. Thus, the E8000E eliminates the hidden hazards of the man-in-the-middle attack and the DDoS attack, and supports wireless authentication protocols, such as EAP-SIM and EAP-AKA, which effectively ensures wireless network security.

Practical IPS feature defending against external threats and promoting network security

The core technologies of the IPS are embodied in detection engine performance, signature identification efficiency, and integrated processing performance. Adopting an advanced IPS detection engine and a mature signature database, the Huawei E8000E defends against various threats, including system vulnerabilities, unauthorized automatic downloading, spoofing software, spyware/adware, abnormal protocols, and P2P anomalies. A single vulnerability-based signature covers thousands of attacks. Supplemented with a globally deployed honeypot system, the E8000E can capture the latest attack, worm, and Trojan horse features, thus providing zero-day attack defense capability. Moreover, the practicability of the IPS is significantly improved. The E8000E adopts internal off-line and "one board one feature" technologies; certain necessary service traffic is split to the dedicated SPU. In so doing, the service processing capability is improved; furthermore, the traffic processing does not affect the basic services of the firewall, ensuring service continuity.
Product Specification

Where two values are given, they are listed as E8080E / E8160E.

Performance
Firewall throughput (Max): 80 Gbps / 160 Gbps
Firewall throughput (IMIX): 80 Gbps / 160 Gbps
Firewall throughput (HTTP): 78 Gbps / 156 Gbps
Firewall packets per second (64 bytes): 30 Mpps / 60 Mpps
IPSec VPN performance (3DES): 48 Gbps / 96 Gbps
IPSec VPN performance (AES): 48 Gbps / 96 Gbps
Maximum IPS performance: 32 Gbps / 64 Gbps
New sessions per second: 2M / 4M
Maximum concurrent sessions: 32M / 64M
Maximum security policies: 128K / 128K
Maximum users supported: unrestricted / unrestricted
MAC table size: 128K/LPU / 128K/LPU

Connectivity
Available slots: 8 (SPU+LPU) / 16 (SPU+LPU)
Main control slots: 2 / 2
SPU options: Mother board: 2 CPU + 8G memory; Daughter board: 2 CPU + 8G memory
Interfaces: ETH: 24 GE / 2 10GE / 1 10G+12 GE; POS: OC192

Firewall basic feature
Working mode: Transparent / Routing / Hybrid
ASPF
Access control
State validation detection
Black/White list
Virtual Firewall
Security zones
Application level recognition

Defense of DDoS attack
Bi-directional protection
SYN Flood
SYN-ACK Flood
FIN/RST Flood
UDP Flood
DNS Query Flood
HTTP Flood
ICMP Flood

Intrusion Prevention System
Stateful protocol signatures
Simple Configuration IPS
Attack detection mechanisms: Abnormal protocol / Abnormal traffic / Pattern matching
Attack response mechanisms: Drop connection / Close connection / log / email
Worm protection
Zero-day attack protection
Trojan protection
Adware/key logger protection
Web Attack Toolkit Attack detection
Web 2.0 Attack protection
Drive-by download attack prevention
Botnet Protection
Protection against attack proliferation from infected systems
Interception protection
Application level DDoS attacks protection
Compound attacks protection
Vulnerability-based signature database
Multi-level compressed file
Independent PDF detection
Custom attack signatures
Attack editing (port range)
Stream signatures
Overload protection
Approximate number of attacks covered: 8000+

NAT
Destination NAT/PAT
Destination NAT within same subnet as ingress interface IP
Destination addresses to one single address (M:1)
Destination addresses to another range of addresses (M:M)
NO-PAT
PAT
Source NAT - IP address persistency
Source pool grouping
Source IP outside of the interface subnet
NAT Server
Bi-directional NAT
NAT-ALG
Unlimited address expansion
Policy-based destination NAT

VPN
IPSec VPN tunnels: 320K
DES/3DES/AES encryption
MD5 and SHA-1 authentication
Manual key, PKI (X.509), IKEv2
Perfect forward secrecy (DH groups): 1, 2, 5
Prevent replay attack
Remote access VPN
EAP certification
Redundant VPN gateways
GRE Tunnel: 8192

High Availability
Active/passive
Active/active
Configuration synchronization
Session synchronization for firewall and IPSec VPN
Device failure detection
Link failure detection
Dual control

User Authentication and Access Control
Built-in (internal) database
RADIUS accounting
Web-based authentication

Public Key Infrastructure (PKI)
PKI certificate requests (PKCS 10)
Certificate authorities
Self-signed certificates

Routing
BGP routes: 200K
BGP peers: 1000
BGP instances: 1000
OSPF routes: 200K
OSPF instances: 2000
RIP v2 table size: 200K
RIP v1/v2 instances: 2000
Dynamic routing
Static routing
Source-based routing
Policy-based routing
PBR instances: 1024
FIB
Routing iteration

IPv6
State filtering
OSPFv3
BGP4+
ISIS6
IPv6 ACL Standard
IPv6 ACL Extended
IPv6 interface statistic
NAT-PT (4 to 6, 6 to 4)
IPv6 ND

Virtualization
Maximum security zones: Root firewall: 32; Virtual firewall: 8
Maximum virtual firewall: 1024
Maximum VLAN supported per interface: 4094

Management
WebUI (HTTP and HTTPS)
CLI (console)
CLI (telnet)
CLI (SSH)
U2000/VSM network management
Level-based administrator
Software upgrade
Configuration rollback

Logging/Monitoring
Structured syslog
SNMP (v2)
Binary log
Traceroute
Logging server (elog)

Dimensions and Power
Dimensions (W × H × D): 442 × 669 × 886 / 442 × 669 × 1600
Weight: 100 kg / 150 kg
AC Power supply: AC: 180~275V; 50/60Hz / AC: 180V~264V; 50/60Hz
DC Power supply: DC: -75~-38V / DC: -75~-38V
Maximum Power draw: 3000 W / 5000 W
Operating temperature: 0~45 °C / 0~45 °C
Humidity: 0~95% / 0~95%

Certification
Safety certification, EMC, CB, RoHS, FCC, MET, C-tick, VCCI

Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.

General Disclaimer
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-110019999-20110629-C-1.0
www.huawei.com