Eudemon8000E Series

10-Gigabits IPS security gateway

Nowadays, network bandwidths increase rapidly, and security

threats and attacks also flood on networks. Therefore, enterprise
and carriers must ensure the service security and continuity while
extending network structure. The E8000E adopts distributed
hardware and software design. Its LPUs and SPUs are mutually
independent and support on-demand configuration. Therefore,
the E8000E provides flexible processing capability, diversified I/O
interfaces, and abundant security services. This perfectly satisfies
the requirements of users (including data centers, carriers, ISPs,
and governments) for high integrity, quick response, high-speed
processing, and long-term guarantee.

E8080E

E8160E

Product Description
Combining the dedicated multi-core processor and distributed
h a rd w a re p l a t f o r m a n d a d o p t i n g i n n o v a t i v e N P + m u l t i core+distributed architecture, the E8000E breaks through the
performance bottleneck of the CPU. It delivers industry-leading
service processing capability and service expansion capability.
In addition, the full-redundancy technology is applied on all
components. The E8000E provides diversified technical guarantees,
including dual-NP interface module, dual-CPU service processing
module, dual-MPU control module, dual power supplies, and load
balancing. All these ensure the core router-level reliability, which
further guarantees the service continuity in high-speed networking.
The E8000E utilizes the dynamic distributed concurrent processing
technology. Service traffic is forwarded to multiple dedicated
SPUs at the line rate in distributed manner. Additionally, the SPUs
support on-demand configuration, which thoroughly solves the
conflict between the service processing performance and data
forwarding capability in ever-increasing high-speed networking.
This distributed technology uses line-rate intelligent traffic splitting
for data forwarding. All data flows are equally distributed to service

HUAWEI TECHNOLOGIES CO., LTD.

processing modules to prevent performance bottleneck. In so

doing, the service processing performance increases at the line rate
in accordance with service modules, fundamentally supporting the
long-term development of networks.
The E8000E supports multiple LPUs, and users can realize flexible
LPU configuration as required. Furthermore, LPUs and SPUs adopt the
same slot type. Thus, different combinations of LPUs and SPUs can
be implemented for various interface and performance requirements,
providing users with customized security protection solutions.The
E8000E has a maximum interface capacity of 320 Gbps and provides
30 10GE interfaces and 360 GE interfaces. The E8000E also supports
various POS interfaces and cross-board interface binding, which
meets the requirements for large interface capacity and high interface
intensity. Moreover, this also meets the networking requirements
in complicated situations, such as the Metropolitan Area Networks
(MANs) of carriers, large enterprises, and data centers.
The E8000E series includes two models, namely, the E8080E
and E8160E. The E8160E provides industry-leading security

Eudemon8000E Series
10-Gigabits IPS security gateway

protection capability and scalability. It supports 16 extension

slots. The maximum firewall throughput reaches 160 Gbps; the
IPS performance is 64 Gbps; the number of new connections per
second is 4M, and 64M concurrent connections are supported;
the VPN performance is 96 Gbps. The E8080E adopts the same
software and hardware architecture as the E8160E. The E8080E,
however, supports only 8 extension slots, and its integrated
performance is just half that of the E8160E.
The SPU, heart of the E8000E, processes all services.To realize
flexible configuration, the board combination design is adopted.
Each SPU contains two parts, that is, the mother board and
extension board, which can be deployed either independently or
separately. The mother board provides 10G firewall performance
and the mother board+extension board provides 20G firewall
performance.The SPU adopts the multi-core+multi-processor
hardware and implements service features through software

modules. The heartbeat detection mechanism is realized between

the SPU and LPU. Moreover, the SPU supports mutual backup.When
an SPU is faulty, all its traffic is immediately distributed to other
SPUs, preventing service interruption.
The LPU, limb of the E8000E, is responsible for external connection
and data transmission.The LPU integrates the high-speed network
processor to ensure flexibility.Certain firewall functions can be
implemented on the LPU, which significantly reduces the pressure of
the SPU.The network processor provides special processing design
for each type of packets, for example, dedicated co-processor for
hardware-based table searching and professional bit operation
design, enabling unique advantage for small packet processing.
Thus, the E8000E can realize almost-line-rate performance when
processing mixed traffic on the network.Through the interworking
between the LPU and SPU, the E8000E delivers high performance
for services processing, as well as sound scalability.

Product Features
Advanced NP + multi-system + distributed
architecture breaking traditional performance
bottlenecks
E8000E adopts the architecture of independent control modules,
interface modules, and service processing modules. Based on the
dual NP, the interface module ensures the line-speed forwarding
of interface traffic. Based on the multi-core and multi-thread
architecture, the service processing module ensures the highspeed concurrent processing of multiple services, such as the
Network Address Translation (NAT), Application Specific Packet
Filter (ASPF), Anti-DDoS, and VPN. E8000E adopts the distributed
concurrent processing mechanism, which greatly enhances the
product performance. Thus, users can expand capacities with low
pre-phase investment.

High firewall performance guaranteeing

users key services
The three main indexes of the E8000E, throughput, number of
connections established per second, and maximum number of
concurrent connections, are in leading roles. The throughput of
one service processing module of E8000E is 20 G; the number of
connections established per second is 500,000; and the maximum
number of concurrent connections is 8,000,000. Furthermore,
E8000E has a maximum of eight service processing modules and
its entire throughput reaches 160 G; the number of connections

established per second is 4,000,000; the maximum number of

concurrent connections is 64,000,000; and the number of virtual
firewalls is 1024. The high performance and expandability of E8000E
can meet high-end users requirements for high performance.

Stable and reliable security gateway ensuring

consistency of users services
Network security is a key point for enterprise operations. E8000E
supports the redundant components, such as interface, fan, and
power, networking of hot swap, dual processing engine, master/
backup, master/master, and high reliability. Different service
boards of E8000E support the load balancing and mutual hot
backup, so the abnormity of a single board will not influence the
entire system. Meanwhile, together with BYPASS devices, services
will not be interrupted even if faults or power failures occur on
devices. The mean time between failures of E8000E is as long
as 500,000 hours, and the failover time is less than 0.1 second.
These ensure the consistent and stable service operations.

Optimal VPN performance adapting to

requirements for encrypted transmission of mass
services
With the increase of network applications, more and more
services need to be transmitted on the public network safely.
Subsequently, services that require mass VPN access gateway

Eudemon8000E Series
10-Gigabits IPS security gateway

of 100-Gigabit emerge, such as mobile security access, Short

Message Service (SMS) push, and email push. E8000E provides
a maximum of 96 Gbps encryption and decryption performance
and supports 320,000 concurrent VPN tunnels, which is the VPN
access gateway of the highest performance for the moment.
E8000E also supports the IKEv2 protocol and enhances the
functions of user authentication, packet authentication, and NAT
traversal. Thus, E8000E eliminates the hidden hazards of the
middleman attack and the DDoS attack, and supports wireless
authentication protocols, such as EAP-SIM and EAP-AKA, which
effectively ensures the wireless network security.

Practical IPS feature defending against

external threats and promoting network security
The core technologies of the IPS are embodied in the detection

engine performance, signature identification efficiency, and

integrated processing performance.Adopting the advanced IPS
detection engine and mature signature database, Huawei E8000E
defends against various threats, including system vulnerabilities,
unauthorized automatic downloading, spoofing software,
spyware/adware, abnormal protocols, and P2P anomalies.A
single vulnerability-based signature covers thousands of attacks.
Supplemented with globally deployed honeypot system, the
E8000E can capture the latest attack, worm, and Trojan horse
features, thus providing zero-day attack defense capability.
Moreover, the practicability of the IPS is significantly promoted.
The E8000E adopts internal off-line and "one board one feature"
technologies; certain necessary service traffic is split to the
dedicated SPU. In so doing, the service processing capability is
improved; further more, the traffic processing does not affect the
basic services of the firewall, ensuring service continuity.

Product Specification
Models
Performance
Firewall throughput (Max)
Firewall throughput (IMIX)
Firewall throughput (HTTP)
Firewall packets per second (64bytes)
IPsec VPN performance (3DES)
IPsec VPN performance (AES)
Maximum IPS performance
New sessions per second
Maximum concurrent sessions
Maximum security policies
Maximum users supported
Connectivity
Available slots
Main control slots
SPU options
Interfaces
Firewall basic feature
Working mode
ASPF
Access control
State validation detection
Black/White list
Virtual Firewall
Security zones
Application level recognition

E8080E

E8160E

80Gbps
80Gbps
78Gbps
30Mpps
48Gbps
48Gbps
32Gbps
2M
32M
128K
unrestricted

160Gbps
160Gbps
156Gbps
60Mpps
96Gbps
96Gbps
64Gbps
4M
64M
128K
unrestricted

8 (SPU+LPU)
2
Mother board: 2CPU + 8G memory
Daughter board: 2CPU + 8G memory
ETH: 24GE / 210GE / 110G+12GE
POS: OC192

16 (SPU+LPU)
2

Transparent / Routing / Hybrid

Yes
Yes
Yes
Yes
Yes
Yes
Yes

Eudemon8000E Series
10-Gigabits IPS security gateway

Models
Defense of DDoS attack
Bi-directional protection
SYN Flood
SYN-ACK Flood
FIN/RST Flood
UDP Flood
DNS Query Flood
HTTP Flood
ICMP flood
Intrusion Prevention System
Stateful protocol signatures
Simple Configuration IPS
Attack detection mechanisms
Attack response mechanisms
Worm protection
zero Day attack protection
Trojan protection
Adware/keylogger protection
Web Attack Toolkit Attack detection
Web 2.0 Attack protection
Drive by download attack prevention
Botnet Protection
Protection against attack proliferation from
infected systems
Interception protection
Application level DDoS attacks protection
Compound attacks protection
Vulnerability-based signature database
Multi-levels compressed file
Independent PDF detection
Custom attack signatures
Attack editing (port range)
Stream signatures
Overload protection
Approximate number of attacks covered
NAT
Destination NAT/PAT
Destination NAT within same subnet as ingress
interface IP
Destination addresses to one single address
(M:1)
Destination addresses to another range of
addresses (M:M)
NO-PAT
PAT
Source NAT - IP address persistency
Source pool grouping
Source IP outside of the interface subnet
NAT Server
Bi-directional NAT
NAT-ALG

E8080E
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Abnormal protocol / Abnormal traffic / Pattern matching
Drop connection / Close connection / log / email
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
8000+
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes

E8160E

Eudemon8000E Series
10-Gigabits IPS security gateway

Models
Unlimited address expansion
Policy-based destination NAT
IPsec VPN
IPsec VPN tunnels
DES/3DES/AES encryption
MD-5 and SHA-1 authentication
Manual key, PKI (X.509), IKEv2
Perfect forward secrecy (DH groups)
Prevent replay attack
Remote access VPN
EAP certification
Redundant VPN gateways
High Availability
Active/passive active/active
Configuration synchronization
Session synchronization for firewall and IPsec
VPN
Device failure detection
Link failure detection
Dual control
User Authentication and Access Control
Built-in (internal) database
RADIUS accounting
Web-based authentication
Public Key Infrastructure (PKI)
PKI certificate requests (PKCS 10)
Certificate authorities
Self-signed certificates
Routing
BGP routes
BGP peers
BGP instances
OSPF routes
OSPF instances
RIP v2 table size
RIP v1/v2 instances
Dynamic routing
Static routing
Source-based routing
Policy-based routing
PBR instances
FIB
Routing iteration
IPv6
State filtering
OSPFv3
BGP4+
ISIS6
IPv6 ACL Standard
IPv6 ACL Extended
IPv6 interface statistic

E8080E
Yes
Yes
320K
Yes
Yes
Yes
1, 2, 5
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
200K
1000
1000
200K
1000
200K
1000
Yes
Yes
Yes
Yes
1024
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes

E8160E

Eudemon8000E Series
10-Gigabits IPS security gateway

Models
NATPT (4 to 6, 6 to 4,)
IPv6 ND
Virtualization
Maximum security zones
Maximum virtual firewall
Maximum VLAN supported per interface
Management
WebUI (HTTP and HTTPS)
CLI (console)
CLI (telnet)
CLI (SSH)
U2000/VSM network management
Level-based administrator
Software upgrade
Configuration rollback
Logging/Monitoring
Structured syslog
SNMP (v2)
Binary log
Traceroute
Logging server (eLog)
Dimensions and Power
Dimensions (WDH)
Weight
AC Power supply
DC Power supply
Maximum Power draw
Operating temperature
Humidity
Certification
Safety certification
EMC
CB
Rohs
FCC
MET
C-tick
VCCI

E8080E

E8160E

Yes
Yes
Root firewall: 32
Virtual firewall: 8
1024
4094
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
442669886
100Kg
AC: 180~275V; 50/60Hz
DC: -75~-38V
3000W
0~45C
0~95%

4426691600
150Kg
AC: 180V~264V; 50/60Hz
DC: -75~-38V
5000W
0~45C
0~95%

Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes

Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.

General Disclaimer
The information in this document may contain predictive statements including,
without limitation, statements regarding the future financial and operating results,
future product portfolio, new technology, etc. There are a number of factors
that could cause actual results and developments to differ materially from those
expressed or implied in the predictive statements. Therefore, such information
is provided for reference purpose only and constitutes neither an offer nor an
acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-110019999-20110805-C-1.0
www.huawei.com