HUAWEI EGW2100 Product Description

Document Code

EGW2100 Product Description

Document Version V1.0 Release Date 2010-08-31

Huawei Technologies Co., Ltd.

Issue 01 (2010-03-10)

Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.

Contents

1 Product Overview
  1.1 Introduction
  1.2 Network Status and Network Applications
    1.2.1 Introduction
    1.2.2 Protecting Internal LANs
    1.2.3 Opening Intranet Servers Securely
    1.2.4 VPN Access Applications
    1.2.5 Multiple Modes of Accessing the Internet
2 Product Features and Service Functions
  2.1 System Features
    2.1.1 High Reliability
    2.1.2 High Data Forwarding Capability
    2.1.3 Enhanced Log Management
    2.1.4 Rich Maintenance and Management
    2.1.5 SNMP Based Terminal System Management
    2.1.6 Web Configuration and Management
    2.1.7 CWMP Management
  2.2 Service Features
    2.2.1 Abundant Switching and Routing Features
    2.2.2 Secure VPN Application
    2.2.3 Enhanced Packet Filtering
    2.2.4 Multiple NAT Applications
    2.2.5 Powerful Attack-Defending Capability
    2.2.6 Powerful Intrusion Defense
    2.2.7 Surfing Behavior Management
    2.2.8 Perfect Traffic Monitoring
    2.2.9 Access and Authentication
    2.2.10 QoS
    2.2.11 Abundant Remote Access Features
    2.2.12 WLAN
3 Appearance and Hardware
  3.1 Product Appearance
    3.1.1 Front Panel of the EGW
    3.1.2 Rear Panel of the EGW
  3.2 Interfaces
    3.2.1 Interface Introduction
    3.2.2 Interface Parameters
    3.2.3 WLAN
4 Technical Specifications
  4.1 System Specifications
  4.2 Environment Specifications
5 Purchase Guide
  5.1 Host Purchase
    5.1.1 Factors for Your Purchase
    5.1.2 Optional List for Host Purchase
  5.2 Interface Module Purchase
  5.3 Cable Purchase
6 Feature List
7 Compliant Standards
8 Acronyms and Abbreviations

Figures

Figure 1-1 Networking of protecting internal LANs
Figure 1-2 Networking of opening intranet servers securely
Figure 1-3 Networking of VPN access applications
Figure 1-4 Networking of multiple modes of accessing the Internet
Figure 3-1 Front Panel
Figure 3-2 Rear Panel

Tables

Table 3-1 Console port parameters
Table 3-2 10 M/100 M electronic interface parameters
Table 3-3 USB2.0 interface parameters
Table 3-4 3G card parameters
Table 3-5 1-port 10 M/100 M Ethernet electrical interface / 5-port 10 M/100 M Ethernet electrical interface parameters
Table 3-6 1-port E1/CE1 interface parameters
Table 3-7 1-port ADSL2+ interface parameters
Table 3-8 1-port / 2-port SA interface parameters
Table 3-9 1-port / 2-port / 4-port SHDSL interface parameters
Table 3-10 WLAN parameters
Table 4-1 System specifications
Table 4-2 Environment specifications for long-term operation
Table 5-1 List of the EGW series models
Table 5-2 List of interface modules and mandatory cables of the EGW
Table 5-3 List of interface modules and optional cables of the EGW
Table 6-1 Feature list of the EGW

1 Product Overview

1.1 Introduction

The EGW2100 is an enterprise gateway for small and medium-sized enterprises, branches of large and medium-sized enterprises, branches of industrial networks, and some telecom networks. The EGW2100 (hereinafter referred to as the EGW) integrates data security, routing, switching, VPN, and wireless functions, so multiple services can be deployed at the same node, which greatly reduces the initial investment and the long-term operation and maintenance cost of building enterprise networks. The advanced software structure and hardware platform of the EGW enable customers to obtain an integrated network solution with the lowest investment. This meets the service extension requirements for all-around applications and complies with the current situation and development of enterprise IT construction.

Major features of the EGW:

- Expandable hardware platform
  The EGW is designed with a processor of carrier-class reliability and with complete backup and security technologies, and provides reliable, high-quality services.
  The EGW supports extensive interface types, providing the FE interface, console port, 3G card interface, FLASH card interface, and optional mini interface card (MIC) slot. The MIC slots accept the 1-port or 5-port Ethernet electrical interface card, Asymmetric Digital Subscriber Line 2+ (ADSL2+) interface card, Single-pair High-speed Digital Subscriber Line (SHDSL) interface card, E1/CE1 interface card, and synchronous serial interface card. Users can select different interface cards according to the network environment. The EGW also supports Wireless Local Area Network (WLAN) access through a Wireless Fidelity (WiFi) antenna.
  The built-in encryption engine greatly enhances the encryption performance of the product, thus meeting the continuously increasing security demand.
  The EGW provides a variety of extension services and supports new storage media such as the FLASH card. The strong hardware expandability provides users with an economical solution to multiple access and future network upgrades.

- Advanced software structure
  The EGW is based on the Huawei-proprietary Versatile Routing Platform (VRP) and has a complete routing-service processing capability.
  The EGW adopts a self-developed software platform and a secure operating system with independent intellectual property rights. The packet processing system is completely separated from the operating system, which enhances the system security. It provides more abundant protocols and features, and is a scalable, configurable, multi-service, modular and advanced system platform.

- Multi-service integration capability
  The EGW fully incorporates multiple service functions such as security, routing, switching, VPN and voice, greatly enhancing the multi-service integration capability of the product. For example, this series offers industry-leading and ever-innovating network security functions, and truly implements the thorough convergence of Ethernet switches.
  The EGW provides multiple modes of Internet access, such as Ethernet, ADSL2+, SHDSL, E1/CE1, synchronous serial interface, and wireless. At the same time, the EGW supports the Wireless Local Area Network (WLAN) function.

- High cost performance ratio
  The EGW adopts the latest technology of the telecom industry, processors with faster operation speed, and highly integrated chips, significantly enhancing the IP forwarding, service processing and data encryption capability of the product. In addition, this series expands the interface density and further enhances the software features and service integration capability.

1.2 Network Status and Network Applications


1.2.1 Introduction
The EGW provides router, firewall, switch, wireless, and Virtual Private Network (VPN) access functions. Generally, the EGW is located at the node where the internal network connects to the external network and is the only ingress and egress for traffic between the internal network and the external network. The EGW security gateway is applied to the following scenarios:

- Protecting internal LANs
- Opening intranet servers securely
- VPN access applications
- Multiple modes of accessing the Internet

1.2.2 Protecting Internal LANs


The EGW can be used to ensure the information security of enterprise networks and internal LANs of enterprises. The EGW can be either deployed at the interface between enterprise intranets and external networks, or deployed at each key position of internal enterprise LANs. In this way, the information security of important resources is ensured.


Figure 1-1 Networking of protecting internal LANs

[Figure not reproduced. Labels: EGW, WiFi, internal server, PCs, laptop, PDA, Finance Department, other departments.]

As shown in Figure 1-1, the enterprise LAN is connected with the Internet through the EGW to restrict Internet users' access to the enterprise LAN. If enterprise LAN users need to access Internet resources, access can be initiated after Network Address Translation (NAT). Key departments such as the finance department have their own LANs protected by the EGW to prevent unauthorized internal users from accessing key resources.

1.2.3 Opening Intranet Servers Securely


If information data centers (IDCs), Internet Service Providers (ISPs), residential communities, schools, and governments need to provide services such as Web and Email, packets can be filtered through the EGW. For example, only packets to certain ports opened to external users can be allowed to pass through. The EGW can also detect and prevent various attacks. The EGW can perform multi-user management and authenticate specific traffic through configurations to prevent unauthorized traffic from entering the internal network.


Figure 1-2 Networking of opening intranet servers securely

1.2.4 VPN Access Applications


The headquarters can use the Internet to connect with its branches or partners and ensure data security by establishing Layer 2 Tunneling Protocol (L2TP), Generic Routing Encapsulation (GRE), or IPSec VPN tunnels. In this case, the headquarters side needs to deploy the USG2200 and the branches or partners need to deploy the EGW.

Employees on business trips can use the EGW to establish Secure Sockets Layer (SSL) VPN tunnels to the headquarters through the Internet to ensure data security. In this case, only the headquarters needs to deploy the EGW.

The EGW not only supports IPSec VPN and SSL VPN, which provide a highly reliable transmission channel, but also provides various VPN applications by integrating with L2TP and GRE:

- L2TP VPN
- GRE VPN
- SSL VPN
- IPSec VPN
- L2TP over IPSec VPN
- GRE over IPSec VPN
- IPSec over L2TP VPN
- IPSec over GRE VPN

Through the VPN function of the EGW, branches in all locations and employees on business trips can use the Internet to establish secure and dedicated connections with the headquarters.


Figure 1-3 Networking of VPN access applications

[Figure not reproduced. Labels: headquarters, USG2200, EGW, branch, employees on business trips, L2TP/GRE/IPSec VPN tunnel, SSL VPN tunnel, IPSec VPN tunnel.]

As shown in Figure 1-3, the headquarters network is connected with the Internet through the USG2200. The headquarters server can provide services to internal users, including those at branches and on business trips. The LANs of branch networks are connected with the Internet through the EGW. The branches provide services to external users as well. Meanwhile, LAN users at branches need to access the headquarters server or the headquarters LAN hosts. In addition, employees on business trips are connected to the headquarters network through IPSec VPN or SSL VPN to access related resources.

To construct an enterprise intranet combining the headquarters and branches, three types of VPN tunnels can be established: Layer 2 Tunneling Protocol (L2TP), Generic Routing Encapsulation (GRE), and Internet Protocol Security (IPSec) tunnels. Employees on business trips establish an IPSec VPN or SSL VPN tunnel with the headquarters EGW. They can access the intranet after being authenticated by the headquarters server.

1.2.5 Multiple Modes of Accessing the Internet


The EGW is deployed at the network egress of small and medium-sized enterprises:

- Users can select the E1/CE1, FE, 3G, ADSL2+, SHDSL or SA access mode according to the network environment provided by the carrier. The EGW provides dual uplinks, which ensures the reliability of Internet services.
- It provides data security, routing, switching, VPN and wireless functions, which facilitates the fast and precise forwarding of data packets.
- It provides the attack defending function, which defends against various attacks from external and internal networks.
- It provides congestion management and CAR control, which ensures bandwidth for users accessing the Internet.
- It provides the NAT function.

Figure 1-4 Networking of multiple modes of accessing the Internet

[Figure not reproduced. Labels: Enterprise A, Enterprise B, Enterprise C, Enterprise D, EGW, 3G, ADSL/SHDSL, FE, E1/CE1.]

As shown in Figure 1-4, enterprise A adopts the ADSL/SHDSL access mode. Enterprise B adopts the FE and 3G dual-link access mode. Enterprise C adopts the E1/CE1 access mode. Enterprise D adopts the 3G access mode.


2 Product Features and Service Functions


2.1 System Features


2.1.1 High Reliability
Cost-effective Product Design
The EGW supports voltage check, temperature monitoring, default settings restoring, BootROM redundant design, and fault management, which ensures high stability of the EGW and fault-handling capabilities.

1+1 Backup of Routing Information


The EGW supports Virtual Router Redundancy Protocol (VRRP). A backup group in a network can be set based on a virtual IP address. The hosts in the network can communicate with other networks through the virtual router.

Dual-System Hot Backup


The EGW supports Huawei Redundancy Protocol (HRP). In this case, a backup group includes an active device and a standby device. The HRP backs up key configuration commands and state information of the session table. In this way, the HRP ensures that the standby EGW can smoothly take over the work when the active EGW is faulty.

Load Balancing
When one server cannot process the access requests of several users, multiple servers can be used to share network traffic. In this case, the EGW can be deployed at the egress of the network where the servers reside. To users, only one IP address is visible. The EGW distributes access traffic to several servers according to the configured algorithm. The load-balancing mechanism distributes traffic among several servers, thus fully utilizing the processing capacity of each server, ensuring the availability of servers, and obtaining optimal network scalability. The EGW supports health checks on servers.


2.1.2 High Data Forwarding Capability


The EGW uses a high-speed algorithm and an optimized software structure, which effectively ensures the system performance.

2.1.3 Enhanced Log Management


Two Log Output Formats
The EGW can output Syslog logs in text format. It can create an information table based on traffic state for all data traffic passing through the EGW. In addition, it can output high-speed binary flow logs.

Log Types
The EGW provides the following types of log information:

- Attack-defending logs
- Traffic monitoring logs
- Blacklist logs
- Multiple kinds of statistics

2.1.4 Rich Maintenance and Management


The EGW supports the following local and remote maintenance modes:

- Local configuration and maintenance through the console port.
- Local and remote maintenance based on Telnet.
- Maintenance and management based on Secure Shell (SSH). The SSH maintenance and management mode provides information security and powerful authentication over an insecure network, thus avoiding attacks such as IP spoofing and plain-text password interception.

2.1.5 SNMP Based Terminal System Management


The EGW supports the Simple Network Management Protocol (SNMP) V1/V2c/V3 and a client/server structure. It can be managed by a Network Management Station (NMS), for example, by Huawei network management platforms such as iManager N2000.

2.1.6 Web Configuration and Management


The EGW provides a friendly GUI-based Web interface for configuration and management. Users can access the Web interface of the EGW using HTTP or Hypertext Transfer Protocol Secure (HTTPS). You can configure static routing, ACL, NAT, ASPF, attack defending, blacklist, ADSL, SHDSL, 3G, E1/CE1, VLAN, QoS, intrusion defense system, surfing behavior management, VPN, and statistics parameters through the GUI.


2.1.7 CWMP Management


The CPE WAN Management Protocol (CWMP) is a network management system (NMS) protocol defined by the Digital Subscriber Line (DSL) Forum for terminals. CWMP defines a set of mechanisms for communication between the Customer Premises Equipment (CPE) and the Auto-Configuration Server (ACS), implementing centralized management of the CPE by the ACS. The document number of CWMP in the DSL Forum is TR069. Thus, CWMP is also called the TR069 protocol. The EGW is deployed at the user network side as the CPE. After CWMP is configured, the ACS can remotely manage the EGW.

2.2 Service Features


2.2.1 Abundant Switching and Routing Features
VLAN
The EGW supports Virtual Local Area Network (VLAN) division. Users can divide VLANs on the EGW according to actual networking requirements to realize the following functions:

- Controlling the range of the broadcast domain: The broadcast packets of the Local Area Network (LAN) are restricted within a VLAN. Thus, bandwidth is saved and the network processing capability is improved.
- Enhancing the LAN security: Because packets are isolated by the broadcast domain on the data link layer, hosts in different VLANs cannot communicate directly. Layer 3 packet forwarding must be carried out through network layer devices, such as a router or Layer 3 switch.
- Creating virtual workgroups flexibly: Virtual workgroups that cross the physical network can be created through a VLAN.
- Information exchanged between users in the same VLAN is free from the access policy of the firewall. Information exchanged between users in different VLANs is under the control of the access policy of the firewall.

Static Route
The EGW allows users to manually configure a static route to a specific destination. In a simple network, configuring static routes is enough to ensure normal services of the network. You can properly configure and use static routes to improve the network performance and ensure the bandwidth for important applications.

RIP
The EGW supports the configuration of Routing Information Protocol (RIP) to guide the packet forwarding.


RIP is a simple interior gateway protocol based on the distance vector algorithm. It exchanges routing information through User Datagram Protocol (UDP) packets on port 520.

RIP uses the hop count to measure the distance to a destination IP address, which is called the metric value. In RIP, the hop count between the router and its directly connected network is 0. The hop count between the router and a network that can be reached through one router is 1. Each additional router on the path increases the hop count by one. To restrict the convergence time, RIP requires the metric value to be from 0 to 15. Hop counts of 16 or larger are defined as infinity, meaning the destination network or host is unreachable. Because of this restriction, RIP cannot be applied to large-sized networks.

To improve performance and avoid routing loops, RIP supports the split horizon and poison reverse functions. Compared with Open Shortest Path First (OSPF) and IS-IS, RIP is easy to implement, configure, maintain, and manage, so it is still widely used in actual networking. Users can configure RIP to discover and generate routing information according to actual networking requirements.

OSPF
OSPF is a link-state interior gateway protocol developed by the Internet Engineering Task Force (IETF). OSPF has the following features:

- Wide application scope: It supports networks of various scales and supports a maximum of hundreds of routers.
- Fast convergence: It sends update packets immediately after the network topology changes and synchronizes the updated network topology within the autonomous system.
- Loop free: OSPF calculates routes with the shortest path tree according to the collected link state, which avoids routing loops.
- Area division: It allows the network of the autonomous system to be divided into areas. Routing information exchanged among areas is further abstracted, which reduces the bandwidth it occupies.
- Equivalent routing: It supports multiple equivalent routes to the same destination IP address.
- Routing hierarchy: It uses four different types of routes. In order of priority, they are intra-area routes, inter-area routes, external type 1 routes, and external type 2 routes.
- Authentication: It supports interface-based packet authentication, which ensures the security of packet transmission.
- Multicast sending: It sends protocol packets with multicast IP addresses on some types of links, which reduces the interference to other devices.

OSPF is suitable for large and medium-sized networks.

Routing Policy
The routing policy is a technology for revising routing information to change the path that network traffic flows through. The technology is realized mainly by changing routing attributes including reachability.


When the EGW advertises or receives routing information, some policies can be implemented to filter routing information. For example, the EGW only receives or advertises routing information that meets the specified conditions. In addition, a routing protocol may need to import routing information discovered by other routing protocols. The imported routing information must meet certain conditions and users need to configure some attributes of the imported routing information. In this way, the routing information meets the requirements of this protocol.

Policy-based Routing
Policy-based routing is a routing mechanism that employs customized policies. Unlike forwarding that searches the routing table only by the destination IP address of an IP packet, policy-based routing on the EGW supports flexible route selection based on the source IP address and the length of arriving packets.

DHCP
The EGW supports the Dynamic Host Configuration Protocol (DHCP). With DHCP configured:

- A computer can obtain all configuration information with only one message.
- A computer can obtain IP addresses quickly and dynamically, rather than statically waiting for the assigned IP address.

2.2.2 Secure VPN Application


The EGW provides the IP Security (IPSec) mechanism to provide the following services:
- Access control
- Connectionless integrity
- Data source authentication
- Anti-replay
- Encryption
- Data flow classification

The EGW protects IP packets or upper level protocols based on the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. The EGW supports Internet Key Exchange (IKE) and the Kerberos protocol for key negotiation and SA establishment.

The EGW supports the certification authority (CA). The CA can provide a centralized key management mechanism for the IPSec network and enhances the flexibility of the entire IPSec network.

The EGW supports Secure Sockets Layer (SSL) VPN, which provides the following functions:
- Web proxy
- Port forwarding
- File sharing
- Network extension


The EGW implements secure site-to-site access through the IPSec protocol, and secure point-to-site access through the SSL protocol.

The EGW not only supports IPSec Virtual Private Network (VPN) and Secure Sockets Layer (SSL) VPN, providing a highly reliable transmission channel, but also provides various VPN applications by integrating with Layer 2 Tunneling Protocol (L2TP) and Generic Routing Encapsulation (GRE). The EGW provides the following VPN applications:
- L2TP VPN
- GRE VPN
- SSL VPN
- IPSec VPN
- L2TP over IPSec VPN
- GRE over IPSec VPN
- IPSec over L2TP
- IPSec over GRE

The EGW also supports Border Gateway Protocol (BGP)/Multi-Protocol Label Switch (MPLS) IP VPN. As a Provider Edge (PE) device in MPLS networking, the EGW provides MPLS L3VPN to implement communications between branches and the headquarters via the public network.

2.2.3 Enhanced Packet Filtering


Malicious Host Filtering Based on the Blacklist
The EGW discards the packets originated from the users in the blacklist. In this way, the security of the Internet Service Providers (ISP) and enterprises is ensured. When the EGW perceives, based on the behavior of the packets, an attack attempt from the user with a specific IP address, it automatically adds the user to the blacklist and screens out the packets sent from this IP address to protect the network. Blacklist entries can also be added manually.

The EGW can dynamically add or delete blacklist entries and associate the blacklist with the ACL. After packets hit the blacklist, the EGW searches the ACL policy associated with the blacklist. If the packets match the ACL policy and the policy allows them to pass, the packets can pass. Otherwise, the packets are filtered and discarded.

Compared with the ACL-based filtering function, the blacklist only matches IP addresses, so blacklist entries can be matched at a high speed, which effectively shields users with specific IP addresses.

MAC Address and IP Address Binding


The EGW supports Media Access Control (MAC) and IP address binding. According to the user's configuration, the EGW can associate an IP address with a MAC address.
- The EGW discards a packet from the specified IP address if the MAC address is not the one specified in the binding configuration.
- When a packet from the specified IP address passes the EGW, it is forcibly sent to the MAC address associated with this IP address, which can effectively protect the user.


MAC and IP address binding is an effective means of preventing IP address spoofing attacks.
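The decision order described in the two subsections above (source MAC/IP binding check, blacklist hit, then the ACL associated with the blacklist) can be modelled as follows. This is an added illustration in Python, not Huawei code or EGW configuration; the class names, the sample addresses, the first-match ACL semantics, and the choice to evaluate the binding before the blacklist are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_port: int


@dataclass(frozen=True)
class AclRule:
    """One rule of the ACL associated with the blacklist (assumed: first match wins)."""
    permit: bool
    src_net: str
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src_ip) not in ip_network(self.src_net):
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


class IngressFilter:
    """Hypothetical model of binding + blacklist + associated-ACL filtering."""

    def __init__(self, bindings: Dict[str, str], blacklist_acl: Iterable[AclRule]):
        # Normalise keys so textual variants of one address compare equal.
        self.bindings = {ip_address(ip): mac.lower() for ip, mac in bindings.items()}
        self.blacklist = set()  # IP-only set: constant-time lookup, unlike the ACL walk
        self.blacklist_acl = list(blacklist_acl)

    def add_to_blacklist(self, ip: str) -> None:
        self.blacklist.add(ip_address(ip))

    def remove_from_blacklist(self, ip: str) -> None:
        self.blacklist.discard(ip_address(ip))

    def decide(self, pkt: Packet) -> str:
        src = ip_address(pkt.src_ip)
        # 1. Binding: a bound IP arriving from any other MAC is treated as spoofed.
        bound_mac = self.bindings.get(src)
        if bound_mac is not None and pkt.src_mac.lower() != bound_mac:
            return "drop: MAC does not match binding"
        # 2. Sources that are not blacklisted are not filtered by this stage.
        if src not in self.blacklist:
            return "pass"
        # 3. Blacklist hit: only an explicit permit in the associated ACL lets it through.
        for rule in self.blacklist_acl:
            if rule.matches(pkt):
                if rule.permit:
                    return "pass: permitted by blacklist ACL"
                return "drop: denied by blacklist ACL"
        return "drop: blacklisted"


def demo_decisions() -> List[str]:
    """Run constructed sample packets (documentation addresses) through the model."""
    fw = IngressFilter(
        bindings={"192.0.2.10": "00:11:22:33:44:55"},
        blacklist_acl=[AclRule(permit=True, src_net="198.51.100.7/32", dst_port=25)],
    )
    fw.add_to_blacklist("198.51.100.7")
    packets = [
        Packet("192.0.2.10", "00:11:22:33:44:55", 80),    # bound IP, correct MAC
        Packet("192.0.2.10", "de:ad:be:ef:00:01", 80),    # bound IP, wrong MAC
        Packet("198.51.100.7", "aa:bb:cc:00:00:01", 25),  # blacklisted, ACL permits port 25
        Packet("198.51.100.7", "aa:bb:cc:00:00:01", 80),  # blacklisted, no ACL match
        Packet("203.0.113.9", "aa:bb:cc:00:00:02", 80),   # unknown source
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for line in demo_decisions():
        print(line)
```

Returning the reason together with the verdict keeps the model usable for log review: a run of binding mismatches for one IP address points to spoofing rather than to a blacklist entry.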

Packet Filtering Based on the Application Layer


Application Specific Packet Filter (ASPF) is packet filtering applied at the application layer, that is, state-based packet filtering, which facilitates the implementation of the security policy of the internal network. ASPF can detect the application layer protocol session information that attempts to pass the EGW and prevent the data packets that do not conform to the set rules from passing the EGW. In the EGW, ASPF also provides the following functions:
- Java Blocking: It protects the network from malicious Java Applet attacks.
- ActiveX Blocking: It protects the network from malicious ActiveX attacks.

2.2.4 Multiple NAT Applications


Network Address Translation (NAT) is a process that changes the IP address of the IP packet header to another IP address.

Address Translation
Address translation allows internal networks (private IP addresses) to access external networks (public IP addresses). Through NAT, many private IP addresses can be translated into fewer public IP addresses to slow down the exhaustion of IP addresses. The EGW supports the following address translations:
- NAT based on IP address pool
- NAT implementing different policies based on different addresses
- PAT based on IP address and port (TCP or UDP port)
- NAT based on ACL rules
- Port-level NAT

PAT is short for port address translation.

NAT Internal Server


NAT hides the structure of the internal network, which shields the internal hosts. In actual applications, however, external users may need to access internal hosts, such as a WWW server or an FTP server. NAT can flexibly add internal servers. NAT on the EGW can make internal servers available to external network users. When external users access internal servers, two operations are needed:
- The EGW changes the destination IP address of request packets of external users to the private address of the internal servers.
- The EGW changes the source IP address (private address) of reply packets of the internal server to the public address.

The EGW can provide external users with multiple servers of the same type, such as Web servers.


Multiple NAT ALGs


For some special protocols, such as Internet Control Message Protocol (ICMP) and File Transfer Protocol (FTP), the data part of the packet may contain IP address or port information. Such contents cannot be translated through NAT alone, and problems may occur. The EGW supports the application of Application Level Gateway (ALG) in NAT. NAT supports multiple ALGs in the registration mode, including:
- NAT ALG of the FTP protocol
- NAT ALG of the H.323 protocol (including T.120, RAS, Q.931 and H.245)
- NAT ALG of the Huawei Conference Control Protocol (HWCC)
- NAT ALG of the Subnetwork Point (SNP) protocol
- NAT ALG of the Session Initiation Protocol (SIP)
- NAT ALG of the Media Gateway Control Protocol (MGCP)
- NAT ALG of the Domain Name System (DNS) protocol
- NAT ALG of the ICMP protocol
- NAT ALG of the Real-Time Streaming Protocol (RTSP)
- NAT ALG of the NetBIOS over TCP (NBT) protocol
- NAT ALG of the Internet locator service (ILS) protocol
- NAT ALG of the Point to Point Tunneling Protocol (PPTP)
- NAT ALG of Tencent QQ chatting
- NAT ALG of MSN Messenger provided by Microsoft
- NAT ALG of the IPSec Encapsulating Security Payload (ESP) protocol
- NAT ALG of the SQL.NET protocol
- NAT ALG of the Multimedia Messaging Service (MMS) protocol
- Triplet NAT ALG

Supporting the special protocols in the registration mode, NAT can be expanded flexibly so as to support new protocols easily without changing the software architecture.

2.2.5 Powerful Attack-Defending Capability


The EGW provides the function of defending attacks. This function can detect multiple types of network attacks and help to protect internal networks against malicious attacks and ensure the normal running of internal networks and systems.

Defending Worm Virus


According to the features of worms, the EGW is designed with the following enhanced defense functions:
- Traffic monitoring and inspection
- Connection number inspection
- Defense of IP address scanning
- Defense of port scanning
- Blacklist filtering

Defending Multiple DoS Attacks


The EGW can effectively detect DoS attack packets, and then forward or discard them to avoid the attacks. Meanwhile, it records the attack behavior in the logs.

Defending Scanning and Snooping Attacks


The EGW detects scanning and snooping packets flexibly through comparison and analysis, so as to avoid the subsequent attacks. The scanning and snooping attacks include the following:
- Address scanning
- Port scanning
- IP source routing options
- IP routing record options
- Network architecture snooping through the tracert tool

Defending Other Attacks


The EGW can also guard against IP Spoofing attacks to avoid the intrusion of the system.

2.2.6 Powerful Intrusion Defense


Analysis and Detection of Application Layer Protocols
The EGW can detect and analyze application layer protocols. The EGW:
- Automatically identifies known services that use non-standard ports, for example, the HTTP service that uses port 8000. This reduces the number of errors and omissions during the identification of application layer packets.
- Provides detailed analysis of extensive application layer protocols, such as HTTP, FTP, Simple Mail Transfer Protocol (SMTP), Post Office Protocol revision 3 (POP3), Internet Message Access Protocol (IMAP), DNS, and Remote Procedure Call (RPC) to detect these protocols. In addition, the EGW can restrict the use of these protocols.
- Can impose restrictions on the use of commands that are supported by the HTTP, FTP, SMTP, and IMAP protocols.

State-based Deep Packet Inspection


The EGW supports at most 1000 IPS rules. By analyzing application protocols, extracting key information, and implementing in-depth matching, the EGW comprehensively defends against all sorts of vulnerability-based attacks, such as worms, Trojan horses, DoS attacks, and code attacks. The EGW can keep the event library up to date by updating it online to deliver the most effective defense against new attacks.

Rule Customization
The EGW enables you to customize intrusion prevention system (IPS) rules, which help you defend your networks against threats as soon as they appear. You can also use the customized rules for special measures against traffic of the same type.


Extensive Event Response Policies


After detecting abnormalities on the network, the EGW generates alarms, logs the events, and audits the security conditions of the network in a timely manner. This provides a reference for network administrators and other security decision makers. In addition, the EGW can act against abnormalities on the network immediately according to the response policies you have configured. In this way, the intranet is more secure and is less likely to be victimized by attacks. The EGW can meet your needs for a clean network environment by warding off malware such as worms and Trojan horses in real time. All historical alarm logs on the EGW can be viewed afterwards, and can be queried and classified by conditions.

Mail Filtering
The EGW supports mail filtering in the security interzone according to the Real-time Blackhole List (RBL). After users query mails through the RBL server and obtain the response code, the system performs mail filtering according to the configured response code and processing policy corresponding to the response code. If the system does not find the response code, it performs mail filtering according to the default policy.
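The lookup-and-policy flow described above, sketched as an added Python example (not Huawei code): a sender address is turned into an RBL query name, the returned response code is looked up in a configured code-to-policy table, and an unconfigured code falls back to the default policy. The query-name format and 127.0.0.x codes follow the common DNS blacklist convention (RFC 5782), which the page does not spell out; the zone name, action labels, sample records and the "no answer means accept" choice are assumptions.

```python
import socket
from ipaddress import IPv4Address
from typing import Callable, Dict, Optional, Tuple

# A resolver takes a query name and returns the A-record text, or None if no answer.
Resolver = Callable[[str], Optional[str]]


def rbl_query_name(client_ip: str, zone: str) -> str:
    """Build the RBL query name: reversed IPv4 octets followed by the list zone."""
    octets = str(IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def dns_resolver(name: str) -> Optional[str]:
    """Live lookup for real use; not exercised by the offline demo below."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        # NXDOMAIN and resolver failures both land here. Treating a failure as
        # "no answer" is fail-open; a stricter deployment may prefer to defer the mail.
        return None


class RblMailFilter:
    """Hypothetical model: response code -> configured policy, else default policy."""

    def __init__(self, zone: str, code_policies: Dict[str, str],
                 default_action: str, resolve: Resolver = dns_resolver):
        self.zone = zone
        self.code_policies = dict(code_policies)
        self.default_action = default_action
        self.resolve = resolve

    def check(self, client_ip: str) -> Tuple[Optional[str], str]:
        code = self.resolve(rbl_query_name(client_ip, self.zone))
        if code is None:
            return None, "accept"  # assumption: sender is not listed
        # A code that has no configured policy is handled by the default policy.
        return code, self.code_policies.get(code, self.default_action)


# Constructed sample data so the example runs offline.
SAMPLE_ZONE = "rbl.example.test"
SAMPLE_RECORDS = {
    "99.2.0.192.rbl.example.test": "127.0.0.2",   # listed, code has a policy
    "5.113.0.203.rbl.example.test": "127.0.0.9",  # listed, code has no policy
}


def demo_filter() -> RblMailFilter:
    return RblMailFilter(
        zone=SAMPLE_ZONE,
        code_policies={"127.0.0.2": "reject", "127.0.0.4": "quarantine"},
        default_action="tag",
        resolve=SAMPLE_RECORDS.get,
    )


if __name__ == "__main__":
    f = demo_filter()
    for ip in ("192.0.2.99", "203.0.113.5", "198.51.100.1"):
        print(ip, f.check(ip))
```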

2.2.7 Surfing Behavior Management


The EGW supports the control and audit of Instant Message (IM) login. The details are as follows:
- Controls the login to QQ and MSN by binding user groups and time to access control policies.
- Audits login behaviors, including the time, account, IP address, and login result.

The EGW supports the control of games, stock software, and P2P traffic. The details are as follows:
- Identifies various online games and stock software traffic, and constantly updates its library.
- Enables users to customize rules to deny or allow specified IP addresses to access online games, stock software, or P2P traffic.

2.2.8 Perfect Traffic Monitoring


The EGW supports multiple traffic monitoring functions, including:
- Global IP packet statistics
- Shortening the entry aging time when the connections reach the threshold
- Controlling the number or rate of connections based on specific destination IP addresses
- Controlling the number or rate of connections based on specific source IP addresses
- Controlling the bandwidth of connections based on specific source or destination IP addresses


2.2.9 Access and Authentication


Multiple Authentication and Encryption Modes
The EGW provides a uniform framework for authentication, authorization and accounting. It manages the security of network access in a centralized manner. The EGW provides the following authentication modes:
- Local authentication
- Standard RADIUS authentication
- Huawei RADIUS+ authentication
- HWTACACS authentication
- Plain text authentication
- MD5 authentication

RADIUS is short for Remote Authentication Dial-in User Service. HWTACACS is short for Terminal Access Controller Access Control System.

The EGW supports local management to verify and authorize legal users and deny illegal users.

The EGW supports the following encryption modes:
- IKE
- IPSec
- PKI

IKE is short for Internet Key Exchange. PKI is short for Public Key Infrastructure.

Secospace Cooperation
Cooperation of the EGW with the Secospace terminal security management system mainly applies to large and medium-sized enterprise networks. The EGW functions as the Security Access Control Gateway (SACG) and cooperates with the Secospace terminal security management system to segment user roles, thus ensuring that users can access only the network resources which they have rights to. This helps prevent internal users from stealing confidential data or accessing application systems without permissions. The EGW can control accesses based on users' roles. For terminal users, the Secospace server accomplishes ID authentication and health check of the terminals, and then notifies the EGW so that the latter can control users' accesses. The Secospace cooperation function is configurable and maintainable. The Secospace cooperation function also supports functions such as the dual-system hot backup and log server.

2.2.10 QoS
With QoS, you can manage the traffic on the Wide Area Network (WAN) (for example, PPP) or LAN by taking measures such as traffic categorization, traffic monitoring and shaping, congestion management, and congestion avoidance. This minimizes the influence of factors such as delay and jitter on the transmitted information, and provides different levels of QoS for different requirements. The EGW provides special QoS guarantees for multimedia or Next Generation Network (NGN) services by marking the traffic with special QoS labels.

2.2.11 Abundant Remote Access Features


PPP
Point to Point Protocol (PPP) is a link layer protocol that carries network layer packets over a point-to-point link. PPP provides the authentication function and supports both synchronous and asynchronous modes. The EGW supports the PPP function.

PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) uses the Ethernet to form a network of a large number of hosts and connects the network to the Internet through a remote access device. Through configuring PPPoE, a PPP session with remote devices can be created to implement the access control and accounting. The EGW can be used as the PPP over Ethernet (PPPoE) server for PPPoE user access in Ethernet environment. The EGW can be used as a PPPoE client to implement the dialing function of the client.

ADSL
ADSL is a technology that provides the high bandwidth access. It is mainly applied to the asymmetric rate transmission. ADSL uses current telephone lines to transmit high speed data and provides users with multiple services, such as the high speed Internet access, Video on Demand (VOD), and video telephony. Both MIC and FIC extension slots of the EGW support the ADSL2+ interface card, which consequently supports the ADSL2+ features.

G.SHDSL
Defined by the ITU-T, SHDSL is the technology that transmits bidirectional symmetric bandwidth data services on a single twisted pair. SHDSL complies with the G.991.2 recommendation standard of the ITU-T and is also called G.SHDSL. Both MIC and FIC extension slots of the EGW support the SHDSL interface card, which consequently supports the SHDSL features.

3G
3G is an International Telecommunication Union (ITU) specification for the third generation of mobile communications technology (analog cellular was the first generation; digital systems such as GSM and TDMA were the second generation). It is a technology integrating wireless communications with multimedia communications such as the Internet. 3G can process multiple media forms such as images, music, and video streams. 3G also provides a variety of information services including web browsing, teleconference, and E-commerce. In May 2000, the ITU established standards for three mainstream wireless interfaces (W-CDMA, CDMA2000, and TD-SCDMA). The standards are written into the 3G technical guide document International Mobile Telecommunications 2000 (IMT-2000). LAN users can access the Internet through the 3G card.

FR
FR (Frame Relay) is a statistical multiplexing protocol. It provides multiple Virtual Circuits (VCs) on a single physical transmission line. The Data Link Connection Identifier (DLCI) is used to differentiate VCs. A DLCI is valid only on the local interface and the remote interface directly connected with it. In an FR network, the same DLCI on different physical interfaces does not indicate the same virtual connection. When transmitting IP packets over FR links, the EGW first searches for the next hop address in the routing table, and then finds the corresponding DLCI in the FR address mapping table. This table maintains the mapping between the remote IP address and the next hop DLCI. It can be configured manually or maintained through inverse ARP.

2.2.12 WLAN
The EGW provides Wireless Local Area Network (WLAN) access. WiFi is currently a common standard for constructing WLANs because of its simple technology, stable communication quality, and comparatively large transmission bandwidth. The WiFi standards are 802.11a, 802.11b, 802.11g and 802.11n. WiFi can fulfill users' extensive requirements for wireless access.

3 Appearance and Hardware

3.1 Product Appearance
The EGW2100 series are classified into the following types:
- EGW2130 (one MIC slot; the WiFi function is not supported)
- EGW2130W (one MIC slot; the WiFi function is supported)
- EGW2160 (two MIC slots; the WiFi function is not supported)
- EGW2160W (two MIC slots; the WiFi function is supported)

The color and shape are subject to the actual product. Huawei reserves the right to make changes or improvements to any of the products without prior notice.

The following figures take the EGW2160W as an example.

3.1.1 Front Panel of the EGW


Figure 3-1 Front Panel
1. Express interface
2. USB interface
3. WiFi on-off
4. Flash memory interface
5. Indicator
6. Reset button


3.1.2 Rear Panel of the EGW


Figure 3-2 Rear Panel
1. Grounding terminal
2. Power supply
3. AC power switch
4. MIC1 slots
5. 10/100M LAN interface
6. 10/100M LAN interface
7. Console port
8. WiFi antenna connectors
9. MIC2 slots
10. Security lock hole

Only the models whose suffixes contain W support the WiFi antenna connector. The EGW2130 and EGW2130W support MIC slot 1 (numbered 4 in Figure 3-2) but not MIC slot 2 (numbered 9 in Figure 3-2).

3.2 Interfaces
3.2.1 Interface Introduction
The physical interfaces consist of the fixed interfaces and the extensible interfaces.
- The fixed interfaces are fixed on the front panel or the rear panel of the EGW when it leaves the factory. The fixed interfaces of the EGW include:
  - One WAN 10 M/100 M Ethernet interface
  - Eight switching LAN 10 M/100 M Ethernet interfaces
  - One Console port
  - One USB port
  - One FLASH card interface
  - One Express interface
  - WiFi wireless interface
- The extensible interfaces are supplied by the MIC extension module. Users can insert specific interface modules in the MIC slots according to actual networking requirements.
  - 1-port 10 M/100 M Ethernet electrical interface card
  - 1-port E1/CE1 interface card
  - 5-port 10 M/100 M Ethernet electrical interface card
  - 1-port ADSL2+ interface card
  - 1-port / 2-port SA interface card
  - 1-port / 2-port / 4-port SHDSL interface card
  - 3G data card

3.2.2 Interface Parameters


Table 3-1 Console port parameters
Item | Description
Port standard | RS232
Connector | RJ45
Transfer rate | 9600 bit/s - 115200 bit/s

Table 3-2 10 M/100 M electronic interface parameters
Item | Description
Interface standard | 100Base-TX, 802.3u
Connector | RJ45
Transfer rate | 10 M/100 Mbit/s; supports full-duplex and half-duplex modes

Table 3-3 USB2.0 interface parameters
Item | Description
Interface standard | USB2.0
Connector | USB A
Transfer rate | 480 Mbit/s, full capacity

Table 3-4 3G card parameters
Model | Interface Type | Network Standard | Parameters
E180 | USB | WCDMA | HSPA/UMTS: 900/2100 MHz; GSM/GPRS/EDGE: 1900/1800/900/850 MHz; HSPA: DPA 7.2 Mbit/s, UPA 2 Mbit/s; UMTS: 384 kbps; EDGE: 236.8 kbps; GPRS: 85.6 kbps
ET128 | USB | TD-SCDMA | TD-HSDPA/TD-SCDMA: 2010-2025 MHz; GSM/GPRS/EDGE: 900/1800 MHz; TD-HSDPA: 2.8 Mbps; TD-SCDMA: 384 kbps; EDGE: 236.8 kbps; GPRS: 85.6 kbps
EC122 | USB | CDMA2000 | CDMA 2000 1X 800 MHz; CDMA2000 1x EVDO: upstream 1.8 Mbps and downstream 3.1 Mbps
EC1260 | USB | CDMA2000 | CDMA 2000 1X 800 MHz; CDMA2000 1x EVDO: upstream 1.8 Mbps and downstream 3.1 Mbps
EC1261 | USB | CDMA2000 | CDMA 2000 1X 800 MHz; CDMA2000 1x EVDO: upstream 1.8 Mbps and downstream 3.1 Mbps
EC169 | USB | CDMA2000 | CDMA 2000 1X 800 MHz; CDMA2000 1x EVDO: upstream 1.8 Mbps and downstream 3.1 Mbps
EC169C | USB | CDMA2000 | CDMA 2000 1X 800 MHz; CDMA2000 1x EVDO: upstream 1.8 Mbps and downstream 3.1 Mbps
E881E | Express | WCDMA | HSUPA/HSDPA/UMTS: 2100/1900/900/850 MHz; GSM/GPRS/EDGE: 1900/1800/900/850 MHz; HSUPA: 5.76 Mbps; HSDPA: 7.2 Mbps
ET8282 | Express | TD-SCDMA | TD-HSDPA/TD-SCDMA: 1880-1920 MHz/2010-2025 MHz; GSM/GPRS/EDGE: 900 MHz/1800 MHz; TD-HSDPA: 2.8 Mbps; TD-SCDMA: 384 kbps
3G-WCDMA | MIC | WCDMA | HSPA/UMTS: 850/900/1900/2100 MHz; HSPA: upstream 5.76 Mbps and downstream 7.2 Mbps; UMTS: 384 kbps (upstream/downstream); EDGE: 236.8 kbps (upstream/downstream)
3G-TD/GSM | MIC | TD-SCDMA | TD-SCDMA 2010-2025 MHz/1880-1920 MHz; TD-SCDMA: upstream 384 kbps and downstream 2.8 Mbps
3G-CDMA | MIC | CDMA2000 | CDMA 2000 1x EV-DO Rev.A: 800/1900 MHz; CDMA 2000 1x EV-DO Rev.A: upstream 1.8 Mbps and downstream 3.1 Mbps

Table 3-5 1-port 10 M/100 M Ethernet electrical interface / 5-port 10 M/100 M Ethernet electrical interface parameters
Item | Description
Interface standard | 10/100Base-TX
Connector | RJ45
Transfer rate | 10/100 Mbit/s

Table 3-6 1-port E1/CE1 interface parameters
Item | Description
Interface standard | ITU-T G.703; ITU-T G.704
Connector | DB15
Interface cable | 75 ohm non-balanced cable; 120 ohm balanced twisted pair cable
Transfer rate | 2.048 Mbit/s

Table 3-7 1-port ADSL2+ interface parameters
Item | Description
Interface standard | ADSL standard: ANSI T1.413 Issue 2; ITU G.992.1 (G.dmt) Annex A; ITU G.992.2 (G.lite) Annex A; ITU G.994.1 (G.hs); ITU G.992.7
Interface standard | ADSL2 standard: ITU G.992.3 (G.dmt.bis) Annex A; ITU G.992.4 (G.lite.bis) Annex A
Interface standard | ADSL2+ standard: ITU G.992.5 Annex A
Connector | RJ11
Transfer rate | G.dmt full speed: The traffic rate of downstream data is 8 Mbit/s, and that of upstream data is 896 kbit/s.
Transfer rate | G.lite: The traffic rate of downstream data is 1.5 Mbit/s, and that of upstream data is 512 kbit/s.
Transfer rate | T1.413: The traffic rate of downstream data is 8 Mbit/s, and that of upstream data is 896 kbit/s.
Transfer rate | G.992.5 (ADSL2+): The traffic rate of downstream data is 24 Mbit/s, and that of upstream data is 1.2 Mbit/s.

Table 3-8 1-port / 2-port SA interface parameters
Item | Description
Interface standard | V.24 (DTE, DCE) | V.35, X.21, RS449 (DTE, DCE)
Minimum baud rate (bit/s) | 2400 | 2400
Maximum baud rate (bit/s) | 64 k | 2.048 M
Connector | DB28
Interface cable | V.24 DTE cable; V.24 DCE cable; V.35 DTE cable; V.35 DCE cable; X.21 DTE cable; X.21 DCE cable; RS449 DTE cable; RS449 DCE cable


Table 3-9 1-port / 2-port / 4-port SHDSL interface parameters
Item | Description
Interface standard | G.991.2
Connector | RJ11
Transfer rate | 192 kbps - 5696 kbps

3.2.3 WLAN
WLAN can fulfill users' extensive requirements for wireless access. Table 3-10 shows the indexes and parameters of the WLAN.

Table 3-10 WLAN parameters
Item | Description
Interface standard | 802.11a, 802.11b, 802.11g, 802.11n
Connection type | wireless
Transfer rate | 1 Mbps - 300 Mbps

4 Technical Specifications

4.1 System Specifications
Table 4-1 lists system specifications of the EGW.

Table 4-1 System specifications
Item | Description
CPU | 333 MHz
SDRAM | 512 MB
BootROM | 512 KB
Flash Memory | 32 MB
Dimensions (W x D x H) | 442 mm x 255 mm x 43.6 mm
Weight | 5 kg
Rated voltage | AC: 220 V
Input rated voltage | AC: 100 V to 240 V (50/60 Hz)
Maximum input voltage | AC: 90 V to 264 V (47/63 Hz)
Maximum output power | 54 W

4.2 Environment Specifications


The EGW works indoors. The EGW can operate normally for a long term in the environment defined in Table 4-2.

Table 4-2 Environment specifications for long-term operation
Item | Description
Altitude | 5000 m
Air pressure | 86 kPa to 106 kPa
Temperature | 0 to 40
Relative humidity | 10 % RH to 90 % RH

5 Purchase Guide

5.1 Host Purchase
5.1.1 Factors for Your Purchase
Choose the types and amount of interfaces according to the scale and performance of your networking. Then choose the product model according to the interfaces.

5.1.2 Optional List for Host Purchase
Table 5-1 lists the host and related accessories.

Table 5-1 List of the EGW series models
Item | Quantity | Remarks
Host | 1 | Mandatory, provides hosts powered by AC input
Accessories | 1 | Mandatory

5.2 Interface Module Purchase


The following factors need to be considered when users purchase interface modules:
- When users connect multiple devices to the EGW and apply switching features such as the VLAN, they can purchase the 5-port 10 M/100 M Ethernet electrical interface module.
- When users connect to the carrier through the uplink, they can purchase the E1/CE1 interface module, ADSL2+ interface module, SHDSL interface module, FE interface module, SA interface module, or 3G data module.
- When users need the link backup through dual uplink, they can purchase the E1/CE1 interface module, ADSL2+ interface module, SHDSL interface module, FE interface module, SA interface module, or 3G data card.


5.3 Cable Purchase


Generally, if an interface module has its fixed type of cables, users do not have to purchase cables. Table 5-2 shows the details.

Table 5-2 List of interface modules and mandatory cables of the EGW
Interface Module | Cable
AC power supply interface | Power cable
Console port | Console port cable
ADSL2+ interface | Standard phone line
SHDSL interface | Standard phone line
Grounding Terminal | Grounding Cable for the Casings
Note: The cable is mandatory.

If an interface module has multiple cables, users should select cables from the external cable installation suite according to the line features and interface numbers. Table 5-3 shows the details.

Table 5-3 List of interface modules and optional cables of the EGW
Interface Module | Cable
10/100 M Ethernet electrical interface | Ethernet cable
E1/CE1 interface | 75-ohm non-balanced coaxial cable; 120-ohm balanced twisted pair cable
Synchronous serial interface | V.24 DTE/DCE; V.35 DTE/DCE; X.21 DTE/DCE; RS.449 DTE/DCE; RS.530 DTE
Note: The cable is optional.

6 Feature List

Table 6-1 lists the features of the EGW.

Table 6-1 Feature list of the EGW

Attribute: Security defending

Packet filtering
- Supports basic ACL, advanced ACL and MAC address ACL.
- Supports accelerated ACL search.
- Supports time-range ACLs.
- Supports address set and port set.
- Supports dynamic maintenance of ACL rules.
- Supports blacklist, MAC address and IP address binding.
- Supports ASPF and state inspection.
- Provides port mapping mechanism.

NAT
- Supports address translation.
- Supports internal server and port-level internal server.
- Supports one NAT server configured with multiple public addresses.
- Supports multiple NAT ALGs, including FTP, PPTP, DNS, NBT, ILS, ICMP, H.323, MGCP, MMS, HWCC, QQ, MSN, RTSP, SIP and conference control protocol, and so on.

Attack defending
- Defends against multiple DoS attacks such as SYN Flood, ICMP Flood, and UDP Flood.
- Defends against scanning and snooping such as address scanning, port scanning, IP source routing option, IP routing record option, and network architecture sniffing with the Tracert.
- Defends against malformed packet attacks, including WinNuke, ICMP redirected packets and ICMP unreachable packets, Land, Smurf, Fraggle, Ping of Death, Tear Drop, invalid TCP packet flag bit.
- Defends against ARP attacks, including ARP Flood and ARP Spoofing.
- Defends against other attacks such as IP Spoofing.

Traffic monitoring
- Supports limitation to connection numbers.
- Supports bandwidth control.
- Supports committed access rate.
- Supports real-time traffic statistics and analysis.
- Supports P2P traffic monitoring.
- Supports global IP packet statistics and bandwidth management based on IP packet type.

IPS
- Supports reassembling of fragments.
- Supports reassembling of traffic.
- Supports identification of protocols on non-standard ports.
- Supports analysis of protocols and detection of abnormalities on standard ports.
- Supports delivery of IPS rules by the system and IPS rule customization.
- Supports response policies, including reporting alarms, discarding packets, terminating sessions, and re-establishing sessions.

Online behavior management
- Supports audit and control of IM logins, including QQ login and logout audit, MSN login and logout audit, and real-time QQ/MSN login control based on IP addresses, user groups, and time.
- Supports P2P identification and traffic restriction.
- Supports identification and termination of online games and stock software.

Email filtering
- Supports manually configuring the Real-time Blackhole List (RBL) server and response codes.
- Supports RBL remote query and filtering.
- Supports configuring email response policies.


Attribute: Network interconnecting

Link layer protocol
- Supports Ethernet_II and Ethernet_SNAP.
- Supports VLAN.
- Supports the Point-to-Point Protocol (PPP).
- Supports the Point-to-Point Protocol over Ethernet (PPPoE).
- Supports High-level Data Link Control (HDLC).
- Supports Frame Relay (FR).

IP service
- Supports IP.
- Supports ICMP.
- Supports Tracert.
- Supports UDP.
- Supports TCP.
- Supports DNS.
- Supports Socket.
- Supports ARP.
- Supports Ping.
- Supports DHCP Server, DHCP Client, and DHCP Relay.

Routing protocol
- Supports static routing.
- Supports RIP, OSPF and BGP dynamic routing.
- Supports policy routing.
- Supports routing policy and iteration.

Network access mode
- Ethernet
- ADSL2+
- G.SHDSL
- 3G
- E1/CE1
- WLAN
- Synchronous Serial Interface

Attribute: Service application

AAA
- Supports Local, RADIUS, and HWTACACS authentications.
- Provides verification modes of PAP and CHAP.
- Supports user authentication of PPP and Login.
- Supports AAA domain.
- Supports local user management.


VPN
- Supports L2TP VPN.
- Supports GRE VPN.
- Supports BGP/MPLS IP VPN.
- Supports IPSec VPN.
- Supports the Internet Key Exchange (IKE) and Kerberos protocol.
- Supports CA-based IPSec VPN.
- Supports SSL VPN.

Load balancing
- Supports a load-balancing algorithm that distributes traffic destined for the same IP address across several servers.

Secospace cooperation
- Supports cooperation between the EGW and the Secospace server to manage user access authority through precise user classification.

QoS
- Supports traffic classification and traffic policing.
- Supports traffic shaping: GTS.
- Supports congestion management: FIFO, PQ, CQ, WFQ and CBQ.
- Supports congestion avoidance: RED and WRED.

Attribute: Configuration and management

Working mode
- Supports routing mode.
- Supports transparent mode.
- Supports composite mode.

Configuration method
- Supports hierarchical protection of the command line against intrusion by unauthorized users.
- Provides multiple configuration files and program files.
- Provides Web-based GUI configuration and management.
- Supports remote configuration and management through Telnet (Telnet Server, Telnet Client, and Reverse Telnet).
- Supports SSH maintenance and management.

Attribute: Maintenance and reliability

Product design
- Complies with multiple national and international certification and design standards.

Dual-system hot backup
- Supports VRRP, VGMP and HRP.
- Supports hot backup of commands.
- Supports hot backup of state: ACL, ASPF, traffic monitoring and NAT.

System management
- Supports standard network management protocol SNMPv1/v2c/v3.
- Supports CWMP.
- Supports NTP.


System logs
- Supports Syslog log output and binary high-speed flow log output.
- Provides log server for browsing and querying log information and supports elog log server.
- Provides input and output IP packets statistics, NAT log, ASPF log, attack-defending log, history and real-time traffic monitoring log, blacklist log, and P2P traffic monitoring log.
- Provides multiple statistics (traffic statistics and attack packets).


7 Compliant Standards

This chapter lists the standards that EGW complies with.

7.1 ETS Standards

Standard: Description
ETS 300 019-2-2: Equipment Engineering; Environmental conditions and environmental tests for telecommunications equipment. Part 2-2: Specification of environmental tests; Transportation
ETS 300 119-3: European telecommunication standard for equipment practice. Part 3: Engineering requirements for miscellaneous racks and cabinets
EN 300 386 Version 1.2.1: Electromagnetic compatibility and Radio spectrum Matters (ERM); Telecommunication network equipment; Electromagnetic Compatibility (EMC) requirements

7.2 IEC Standards


Standard: Description
IEC 61000: Electromagnetic compatibility (EMC)
IEC 61000-4-2: Electromagnetic compatibility (EMC) Part 4: Testing and measuring techniques. Section 2: Electrostatic discharge immunity test. Basic EMC publication
IEC 61000-4-3: Electromagnetic compatibility (EMC) Part 4-3: Testing and measurement techniques; Radiated, radio-frequency, electromagnetic field immunity test
IEC 61000-4-4: Electromagnetic compatibility (EMC) Part 4: Testing and measuring techniques. Section 4: Electrical fast transient/burst immunity test. Basic EMC publication
IEC 61000-4-5: Electromagnetic compatibility (EMC) Part 4: Testing and measurement techniques. Section 5: Surge immunity test


IEC 61000-4-6: Electromagnetic compatibility (EMC) Part 4: Testing and measurement techniques. Section 6: Immunity to conducted disturbances, induced by radio-frequency fields
IEC 61000-3-2: Electromagnetic compatibility (EMC) Part 3-2: Limits; Limits for harmonic current emissions (equipment input current ≤ 16 A per phase)
IEC 61000-3-3: Electromagnetic compatibility (EMC) Part 3: Limits; Section 3: Limitation of voltage fluctuations and flicker in low-voltage supply systems for equipment with rated current ≤ 16 A
IEC 62151: Safety of equipment electrically connected to a telecommunication network

7.3 ISO Standards


Standard: Description
ISO/IEC 11801: Information technology - Generic cabling for customer premises
ISO/IEC 15802-2: Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Common specifications - Part 2: LAN/MAN management

7.4 CISPR Standards


Standard: Description
CISPR 22: Information technology equipment - Radio disturbance characteristics - Limits and methods of measurement

7.5 ITU-T Standards


Standard: Description
I.430: [I.430] Recommendation I.430 (11/95) Basic user-network interface - Layer 1 specification
I.431: [I.431] Recommendation I.431 (03/93) Primary rate user-network interface - Layer 1 specification


7.6 IEEE Standards


Standard: Description
IEEE802.3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specification
IEEE802.3u: Media Access Control (MAC) parameters, physical Layer, medium attachment units, and repeater for 100 Mb/s operation, type 100Base-T
IEEE802.1D: Media Access Control (MAC) Bridges
IEEE802.3af: DTE Power via MDI


8 Acronyms and Abbreviations

Numerics
3G: The Third Generation

A
ACL: Access Control List
ADSL: Asymmetric Digital Subscriber Line
ALG: Application Level Gateway
ASPF: Application Specific Packet Filter

D
DDoS: Distributed Denial of Service
DHCP: Dynamic Host Configuration Protocol
DMZ: Demilitarized Zone
DoS: Denial of Service

E
ESP: Encapsulating Security Payload

F
FE: Fast Ethernet
FLASH: FLASH memory
FR: Frame Relay
FTP: File Transfer Protocol


G
GRE: Generic Routing Encapsulation
GUI: Graphic User Interface

H
HWCC: Huawei Conference Control Protocol
HWTACACS: Huawei Terminal Access Controller Access Control System

I
ICMP: Internet Control Message Protocol
IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
ILS: Internet Locator Service
IP: Internet Protocol
IPSec: IP Security Protocol
IS-IS: Intermediate System-Intermediate System
ISDN: Integrated Services Digital Network
ISP: Internet Service Provider
IT: Information Technology
ITU: International Telecommunication Union
ITU-T: International Telecommunication Union - Telecommunication Standardization Sector

L
L2TP: Layer 2 Tunneling Protocol
LAN: Local Area Network

M
MAC: Media Access Control
MD5: Message-Digest Algorithm 5
MGCP: Media Gateway Control Protocol
MIC: Mini Interface Card
MMS: Multimedia Messaging Service


N
NAT: Network Address Translation
NBT: NetBIOS over TCP/IP
NetBIOS: Network Basic Input/Output System
NGN: Next Generation Network
NMS: Network Management System

O
OSPF: Open Shortest Path First

P
PAT: Port Address Translation
PKI: Public Key Interface
PoE: Power over Ethernet
PPP: Point-to-Point Protocol
PPPoE: PPP over Ethernet
PPTP: Point to Point Tunneling Protocol

Q
QoS: Quality of Service

R
RADIUS: Remote Authentication Dial in User Service
RAS: RAS message (Registration, Admission and Status)
RIP: Routing Information Protocol
RPC: Remote Procedure Call
RTSP: Real-Time Streaming Protocol

S
SIP: Session Initiation Protocol
SNMP: Simple Network Management Protocol
SNP: Subnetwork Point
SSH: Secure Shell


T
TCP: Transmission Control Protocol

U
UDP: User Datagram Protocol
USB: Universal Serial Bus

V
VLAN: Virtual Local Area Network
VOD: Video On Demand
VPN: Virtual Private Network
VRP: Versatile Routing Platform

W
WAN: Wide Area Network
WWW: World Wide Web
