Issue 01 (2010-03-10)
Contents
1 Product Overview
  1.1 Introduction
  1.2 Network Status and Network Applications
    1.2.1 Introduction
    1.2.2 Protecting Internal LANs
    1.2.3 Opening Intranet Servers Securely
    1.2.4 VPN Access Applications
    1.2.5 Multiple Modes of Accessing the Internet
  3.1 Product Appearance
    3.1.1 Front Panel of the EGW
    3.1.2 Rear Panel of the EGW
  3.2 Interfaces
    3.2.1 Interface Introduction
    3.2.2 Interface Parameters
    3.2.3 WLAN
6 Feature List
7 Compliant Standards
8 Acronyms and Abbreviations
Figures
Figure 1-1 Networking of protecting internal LANs
Figure 1-2 Networking of opening intranet servers securely
Figure 1-3 Networking of VPN access applications
Figure 1-4 Networking of multiple modes of accessing the Internet
Figure 3-1 Front Panel
Figure 3-2 Rear Panel
Tables
Table 3-1 Console port parameters
Table 3-2 10 M/100 M electrical interface parameters
Table 3-3 USB2.0 interface parameters
Table 3-4 3G card parameters
Table 3-5 1-port 10 M/100 M Ethernet electrical interface / 5-port 10 M/100 M Ethernet electrical interface parameters
Table 3-6 1-port E1/CE1 interface parameters
Table 3-7 1-port ADSL2+ interface parameters
Table 3-8 1-port / 2-port SA interface parameters
Table 3-9 1-port / 2-port / 4-port SHDSL interface parameters
Table 3-10 WLAN parameters
Table 4-1 System specifications
Table 4-2 Environment specifications for long-term operation
Table 5-1 List of the EGW series models
Table 5-2 List of interface modules and mandatory cables of the EGW
Table 5-3 List of interface modules and optional cables of the EGW
Table 6-1 Feature list of the EGW
1 Product Overview
1.1 Introduction
The EGW2100 is an enterprise gateway designed for small and medium-sized enterprises, branches of large and medium-sized enterprises, branches of industrial networks, and some telecom networks. The EGW2100 (hereinafter referred to as the EGW) integrates data security, routing, switching, VPN, and wireless functions, so multiple services can be deployed at one node, which greatly reduces the initial investment and the long-term operation and maintenance cost of enterprise network construction. The advanced software structure and hardware platform of the EGW give customers an integrated network solution at the lowest investment. This meets the service extension requirements of all-round applications and suits the current state and development of enterprise IT construction. Major features of the EGW:
- Expandable hardware platform: The EGW is built on a processor of carrier-class reliability with mature backup and security technologies, and provides reliable, high-quality services. The EGW supports extensive interface types: the FE interface, console port, 3G card interface, FLASH card interface, and optional mini interface card (MIC) slot. The MIC slots accept the 1-port or 5-port Ethernet electrical interface card, Asymmetric Digital Subscriber Line 2+ (ADSL2+) interface card, Single-pair High-speed Digital Subscriber Line (SHDSL) interface card, E1/CE1 interface card, and synchronous serial interface card, so users can select interface cards according to the network environment. The EGW also supports Wireless Local Area Network (WLAN) access through a Wireless Fidelity (WiFi) antenna. The built-in encryption engine greatly improves the encryption performance of the product, meeting continuously increasing security demands. The EGW provides a variety of extension services and supports new storage media such as the FLASH card. This strong hardware expandability gives users an economical solution for multiple access modes and future network upgrades.
- Advanced software structure: The EGW is based on the Huawei-proprietary Versatile Routing Platform (VRP) and has a mature routing service processing capability. The EGW adopts a self-developed software platform and a secure operating system with independent intellectual property rights. The packet processing system is completely separated from the operating system, which enhances system security. It provides abundant protocols and features, and is a scalable, configurable, multi-service, modular and advanced system platform.
- Multi-service integration capability: The EGW incorporates multiple service functions such as security, routing, switching, VPN and voice, greatly enhancing the multi-service integration capability of the product. For example, this series offers industry-leading and continuously innovating network security functions and fully converges the functions of Ethernet switches. The EGW provides multiple Internet access modes, including Ethernet, ADSL2+, SHDSL, E1/CE1, synchronous serial interface, and wireless. At the same time, the EGW supports the Wireless Local Area Network (WLAN) function.
- High cost-performance ratio: The EGW adopts the latest technology of the telecom industry, faster processors and highly integrated chips, significantly enhancing the IP forwarding, service processing and data encryption capability of the product. In addition, this series expands the interface density and further enhances the software features and service integration capability.
1.2 Network Status and Network Applications
- Protecting internal LANs
- Opening intranet servers securely
- VPN access applications
- Multiple modes of accessing the Internet
1.2.2 Protecting Internal LANs
[Figure 1-1 Networking of protecting internal LANs: EGW, Wifi 0]
As shown in Figure 1-1, the enterprise LAN is connected to the Internet through the EGW, which restricts Internet users' access to the enterprise LAN. If enterprise LAN users need to access Internet resources, access can be initiated after Network Address Translation (NAT). Key departments such as the finance department have their own LANs protected by the EGW, preventing unauthorized internal users from accessing key resources.
1.2.4 VPN Access Applications
Through the VPN function of the EGW, branches in all places and employees on business trips can use the Internet to establish secure and dedicated connections with the headquarters. The supported VPN types are:
- L2TP VPN
- GRE VPN
- SSL VPN
- IPSec VPN
- L2TP over IPSec VPN
- GRE over IPSec VPN
- IPSec over L2TP VPN
- IPSec over GRE VPN
[Figure 1-3 Networking of VPN access applications: headquarters (USG2200), branch (EGW)]
As shown in Figure 1-3, the headquarters network is connected to the Internet through the USG2200. The headquarters server provides services to internal users, including those at branches and on business trips. The LANs of the branch networks are connected to the Internet through the EGW. The branches provide services to external users as well. Meanwhile, LAN users at branches need to access the headquarters server or the headquarters LAN hosts. In addition, employees on business trips connect to the headquarters network through IPSec VPN or SSL VPN to access related resources. To construct an enterprise intranet combining the headquarters and the branches, three types of VPN tunnels can be established: Layer 2 Tunneling Protocol (L2TP), Generic Routing Encapsulation (GRE), and Internet Protocol Security (IPSec) tunnels. Employees on business trips establish an IPSec VPN or SSL VPN tunnel with the headquarters EGW, and can access the intranet after being authenticated by the headquarters server.
1.2.5 Multiple Modes of Accessing the Internet
Users can select the E1/CE1, FE, 3G, ADSL2+, SHDSL or SA access mode according to the network environment provided by the carrier. The EGW provides dual uplinks, which ensures the reliability of Internet services.
- It provides the data security, routing, switching, VPN and wireless functions, which facilitate fast and precise forwarding of data packets.
- It provides the attack defense function, which defends against various attacks from external and internal networks.
- It provides congestion management and CAR control, which ensures bandwidth for users accessing the Internet.
- It provides the NAT function.
[Figure 1-4 Networking of multiple modes of accessing the Internet: Enterprise A (ADSL/SHDSL), Enterprise B (FE and 3G), Enterprise C (E1/CE1), Enterprise D (3G), each connected through an EGW]
As shown in Figure 1-4, enterprise A adopts the ADSL/SHDSL access mode. Enterprise B adopts the FE and 3G dual-link access mode. Enterprise C adopts the E1/CE1 access mode. Enterprise D adopts the 3G access mode.
Load Balancing
When one server cannot process the access requests of several users, multiple servers can be used to share the network traffic. In this case, the EGW can be deployed at the egress of the network where the servers reside. To users, only one IP address exists; the EGW distributes access traffic to the servers according to the configured algorithm. The load-balancing mechanism distributes traffic among several servers, fully utilizing the processing capacity of each server, ensuring server availability, and obtaining optimal network scalability. The EGW supports health checks on servers.
Log Types
The EGW provides the following types of log information:
- Attack defense logs
- Traffic monitoring logs
- Blacklist logs
- Multiple kinds of statistics
- Local configuration and maintenance through the Console port.
- Local and remote maintenance based on Telnet.
- Maintenance and management based on Secure Shell (SSH). The SSH mode provides confidentiality and strong authentication over an insecure network, preventing attacks such as IP spoofing and plaintext password interception.
- Controlling the range of the broadcast domain: The broadcast packets of a Local Area Network (LAN) are restricted within a VLAN. Thus bandwidth is saved and the network processing capability is improved.
- Enhancing LAN security: Because packets are isolated by the broadcast domain at the data link layer, hosts in different VLANs cannot communicate directly; Layer 3 packet forwarding must be carried out through network layer devices, such as a router or Layer 3 switch.
- Creating virtual workgroups flexibly: Virtual workgroups that cross the physical network can be created through a VLAN. Information exchange between users in the same VLAN is free from the firewall access policy; information exchange between users in different VLANs is under the control of the firewall access policy.
Static Route
The EGW allows users to manually configure static routes to a specific destination. In a simple network, configuring static routes is enough to ensure normal network services. Properly configured static routes can improve network performance and ensure bandwidth for important applications.
RIP
The EGW supports the configuration of Routing Information Protocol (RIP) to guide the packet forwarding.
RIP is a simple interior gateway protocol based on the distance vector algorithm. It exchanges routing information in User Datagram Protocol (UDP) packets on port 520. RIP uses the hop count to measure the distance to a destination IP address; this distance is called the metric value. In RIP, the hop count between a router and its directly connected network is 0, and the hop count to a network that can be reached through one router is 1; every additional router on the path adds one to the hop count. To restrict the convergence time, RIP stipulates that the metric value ranges from 0 to 15. A hop count of 16 or more is defined as infinity, meaning the destination network or host is unreachable. Because of this restriction, RIP cannot be applied to large-sized networks. To improve performance and avoid routing loops, RIP supports the split horizon and poison reverse functions. Compared with Open Shortest Path First (OSPF) and IS-IS, RIP is easy to implement, configure, maintain, and manage, so it is still widely used in actual networking. Users can configure RIP to discover and generate routing information according to actual networking requirements.
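The metric and poison-reverse rules above, worked through in a small distance-vector simulation. This is an added illustration, not EGW or VRP code; the chain topology, router names (R0, R1, ...) and network names (net0, net1, ...) are constructed for the example.

```python
"""Minimal RIP-style distance-vector routing, added to illustrate the metric
rules described above (not EGW/VRP code). Topology and network names are
constructed for the example."""

INFINITY = 16  # RIP: a hop count of 16 or more means "unreachable"


class RipRouter:
    def __init__(self, name, connected_nets):
        self.name = name
        # dest -> (metric, next_hop); directly connected networks have
        # metric 0 and no next hop
        self.routes = {net: (0, None) for net in connected_nets}

    def advertise(self, to_neighbor):
        """Build the update sent to one neighbor.

        Split horizon with poison reverse: a route learned from that neighbor
        is sent back to it with metric 16 instead of being omitted, so the
        neighbor can never be tricked into routing through us for it.
        """
        update = {}
        for dest, (metric, next_hop) in self.routes.items():
            update[dest] = INFINITY if next_hop == to_neighbor else metric
        return update

    def receive(self, from_neighbor, update):
        """Apply a neighbor's update; return the destinations that changed."""
        changed = set()
        for dest, adv_metric in update.items():
            metric = min(adv_metric + 1, INFINITY)  # one more hop to get there
            current = self.routes.get(dest)
            if current is None:
                if metric < INFINITY:  # never install an unreachable route
                    self.routes[dest] = (metric, from_neighbor)
                    changed.add(dest)
            elif current[1] == from_neighbor:
                # The current next hop always overrides, even with a worse
                # metric: this is how a withdrawn route propagates as 16.
                if current[0] != metric:
                    self.routes[dest] = (metric, from_neighbor)
                    changed.add(dest)
            elif metric < current[0]:
                self.routes[dest] = (metric, from_neighbor)
                changed.add(dest)
        return changed

    def withdraw(self, net):
        """A directly connected network goes down: mark it unreachable."""
        self.routes[net] = (INFINITY, None)

    def metric(self, dest):
        route = self.routes.get(dest)
        return INFINITY if route is None else route[0]

    def reachable(self, dest):
        return self.metric(dest) < INFINITY


def build_chain(n):
    """Constructed topology: routers R0..R{n-1} in a line, Ri attached to net{i}."""
    routers = {f"R{i}": RipRouter(f"R{i}", [f"net{i}"]) for i in range(n)}
    links = [(f"R{i}", f"R{i + 1}") for i in range(n - 1)]
    return routers, links


def converge(routers, links, max_rounds=50):
    """Exchange updates over every link until no route changes; return rounds used."""
    for rnd in range(1, max_rounds + 1):
        changed = False
        for a, b in links:
            changed |= bool(routers[b].receive(a, routers[a].advertise(b)))
            changed |= bool(routers[a].receive(b, routers[b].advertise(a)))
        if not changed:
            return rnd
    return max_rounds


if __name__ == "__main__":
    routers, links = build_chain(3)
    converge(routers, links)
    print("R2 -> net0 metric:", routers["R2"].metric("net0"))       # 2
    print("R1 advertises net0 back to R0 as:",
          routers["R1"].advertise("R0")["net0"])                  # 16 (poisoned)
    routers["R0"].withdraw("net0")
    converge(routers, links)
    print("after withdrawal, R2 reaches net0:",
          routers["R2"].reachable("net0"))                         # False
```

A chain longer than 15 routers shows the other half of the rule: the sixteenth router downstream of a network never installs a route to it.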
OSPF
OSPF is an interior gateway protocol based on link state, developed by the Internet Engineering Task Force (IETF). OSPF has the following features:
- Wide application scope: It supports networks of various scales, up to hundreds of routers.
- Fast convergence: It sends update packets immediately after the network topology changes and synchronizes the updated topology across the autonomous system.
- Loop free: OSPF calculates routes with a shortest path tree built from the collected link states, which avoids routing loops.
- Area division: It allows the network of the autonomous system to be divided into areas. Routing information exchanged between areas is further abstracted, which reduces the bandwidth it occupies.
- Equal-cost routing: It supports multiple equal-cost routes to the same destination IP address.
- Routing hierarchy: It uses four types of routes. In order of priority, they are intra-area routes, inter-area routes, external type 1 routes, and external type 2 routes.
- Authentication: It supports interface-based packet authentication, which ensures the security of packet transmission.
- Multicast sending: It sends protocol packets to multicast IP addresses on some link types, which reduces interference to other devices.
Routing Policy
The routing policy is a technology for revising routing information to change the path that network traffic flows through. The technology is realized mainly by changing routing attributes including reachability.
When the EGW advertises or receives routing information, some policies can be implemented to filter routing information. For example, the EGW only receives or advertises routing information that meets the specified conditions. In addition, a routing protocol may need to import routing information discovered by other routing protocols. The imported routing information must meet certain conditions and users need to configure some attributes of the imported routing information. In this way, the routing information meets the requirements of this protocol.
Policy-based Routing
Policy-based routing is a routing mechanism that employs user-defined policies. Unlike conventional forwarding, which looks up the routing table only by the destination IP address of a packet, policy-based routing on the EGW can select routes flexibly based on the source IP address and the length of arriving packets.
DHCP
The EGW supports Dynamic Host Configuration Protocol (DHCP). By configuring DHCP:
- A computer can obtain all configuration information with only one message.
- A computer can obtain an IP address quickly and dynamically, rather than statically waiting for an assigned IP address.
IPSec security services provided by the EGW:
- Access control
- Connectionless integrity
- Data source authentication
- Anti-replay
- Encryption
- Data flow classification
The EGW protects IP packets or upper-layer protocols based on the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. The EGW supports Internet Key Exchange (IKE) and the Kerberos protocol for key negotiation and SA establishment. The EGW supports a certification authority (CA). The CA provides a centralized key management mechanism for the IPSec network and enhances the flexibility of the entire IPSec network. The EGW also supports Secure Sockets Layer (SSL) VPN.
The EGW accomplishes secure Site-to-Site access with the IPSec protocol and secure Point-to-Site access with the SSL protocol. The EGW not only supports IPSec Virtual Private Network (VPN) and Secure Sockets Layer (SSL) VPN, providing highly reliable transmission channels, but also provides various VPN applications by integrating them with the Layer 2 Tunneling Protocol (L2TP) and Generic Routing Encapsulation (GRE). The EGW provides the following VPN applications:
- L2TP VPN
- GRE VPN
- SSL VPN
- IPSec VPN
- L2TP over IPSec VPN
- GRE over IPSec VPN
- IPSec over L2TP
- IPSec over GRE
The EGW also supports Border Gateway Protocol (BGP)/Multi-Protocol Label Switch (MPLS) IP VPN. As a Provider Edge (PE) device in MPLS networking, the EGW provides MPLS L3VPN to implement communications between branches and the headquarters via the public network.
MAC and IP Address Binding
Binding a MAC address to an IP address is an effective means of preventing IP address spoofing attacks. The EGW discards a packet claiming to come from the bound IP address if its MAC address is not the one specified in the binding configuration. When a packet associated with the bound IP address passes through the EGW, it is forcibly sent to the MAC address bound to this IP address, which effectively protects the user.
- Java blocking: protects the network from malicious Java applet attacks.
- ActiveX blocking: protects the network from malicious ActiveX attacks.
Address Translation
Address translation allows internal networks (private IP addresses) to access external networks (public IP addresses). Through NAT, many private IP addresses can be translated into fewer public IP addresses, slowing the exhaustion of IP addresses. The EGW supports the following address translations:
- NAT based on an IP address pool
- NAT implementing different policies for different addresses
- PAT based on IP address and port (TCP or UDP port)
- NAT based on ACL rules
- Port-level NAT
For internal servers opened to external users, the EGW changes the destination IP address of request packets from external users to the private address of the internal server, and changes the source IP address (private address) of the server's reply packets to the public address. In this way the EGW can offer external users multiple servers of the same type, such as Web servers.
- NAT ALG of the FTP protocol
- NAT ALG of the H.323 protocol (including T.120, RAS, Q.931 and H.245)
- NAT ALG of the Huawei Conference Control Protocol (HWCC)
- NAT ALG of the Subnetwork Point (SNP) protocol
- NAT ALG of the Session Initiation Protocol (SIP)
- NAT ALG of the Media Gateway Control Protocol (MGCP)
- NAT ALG of the Domain Name System (DNS) protocol
- NAT ALG of the ICMP protocol
- NAT ALG of the Real-Time Streaming Protocol (RTSP)
- NAT ALG of the NetBIOS over TCP (NBT) protocol
- NAT ALG of the Internet Locator Service (ILS) protocol
- NAT ALG of the Point to Point Tunneling Protocol (PPTP)
- NAT ALG of Tencent QQ chat
- NAT ALG of MSN Messenger provided by Microsoft
- NAT ALG of the IPSec Encapsulating Security Payload (ESP) protocol
- NAT ALG of the SQL.NET protocol
- NAT ALG of the Multimedia Messaging Service (MMS) protocol
- Triplet NAT ALG
Supporting the special protocols in the registration mode, NAT can be expanded flexibly so as to support new protocols easily without changing the software architecture.
- Traffic monitoring and inspection
- Connection number inspection
- Defense against IP address scanning
- Defense against port scanning
- Blacklist filtering
The attack defense function also covers:
- Address scanning
- Port scanning
- IP source routing options
- IP routing record options
- Network architecture snooping through the tracert tool
Application layer protocol identification:
- Automatically identifies known services that use non-standard ports, for example, the HTTP service that uses port 8000. This reduces errors and omissions when identifying application layer packets.
- Provides detailed analysis of extensive application layer protocols, such as HTTP, FTP, Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), DNS, and Remote Procedure Call (RPC), to detect these protocols. In addition, the EGW can restrict the use of these protocols.
- Can impose restrictions on the commands supported by the HTTP, FTP, SMTP, and IMAP protocols.
Rule Customization
The EGW lets you customize intrusion prevention system (IPS) rules, which help you defend your networks against emerging threats promptly. You can also use customized rules to apply special measures to traffic of the same type.
Mail Filtering
The EGW supports mail filtering in the security interzone according to the Real-time Blackhole List (RBL). After users query mails through the RBL server and obtain the response code, the system performs mail filtering according to the configured response code and processing policy corresponding to the response code. If the system does not find the response code, it performs mail filtering according to the default policy.
- Controls login to QQ and MSN by binding user groups and time ranges to access control policies.
- Audits login behavior, including the time, account, IP address, and login result.
The EGW supports the control of games, stock software, and P2P traffic. The details are as follows:
- Identifies various online game and stock software traffic, and constantly updates its library.
- Enables users to customize rules to deny or allow specified IP addresses to access online games, stock software, or P2P traffic.
- Global IP packet statistics
- Shortening the entry aging time when the number of connections reaches the threshold
- Controlling the number or rate of connections based on specific destination IP addresses
- Controlling the number or rate of connections based on specific source IP addresses
- Controlling the bandwidth of connections based on specific source or destination IP addresses
- Local authentication
- Standard RADIUS authentication
- Huawei RADIUS+ authentication
- HWTACACS authentication
- Plain text authentication
- MD5 authentication
RADIUS is short for Remote Authentication Dial-In User Service. HWTACACS is short for Terminal Access Controller Access Control System. The EGW supports local management to verify and authorize legal users and deny illegal users. The EGW supports the following encryption modes:
IKE is short for Internet Key Exchange. PKI is short for Public Key Infrastructure.
Secospace Cooperation
Cooperation of the EGW with the Secospace terminal security management system mainly applies to large and medium-sized enterprise networks. The EGW functions as the Security Access Control Gateway (SACG) and cooperates with the Secospace terminal security management system to segment user roles, ensuring that users can access only the network resources they are entitled to. This helps prevent internal users from stealing confidential data or accessing application systems without permission. The EGW controls access based on users' roles: for terminal users, the Secospace server performs identity authentication and health checks of the terminals, then notifies the EGW so that the EGW can control the users' access. The Secospace cooperation function is configurable and maintainable, and also supports functions such as dual-system hot backup and a log server.
2.2.10 QoS
With QoS, you can manage traffic on the Wide Area Network (WAN) (for example, PPP) or LAN by taking measures such as traffic classification, traffic monitoring and shaping, congestion management, and congestion avoidance. This minimizes the influence of factors such as delay and jitter on the transmitted information, and provides different levels of QoS for different requirements. The EGW provides special QoS guarantees for multimedia or Next Generation Network (NGN) services by marking the traffic with special QoS labels.
PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) uses Ethernet to form a network of a large number of hosts and connects the network to the Internet through a remote access device. By configuring PPPoE, a PPP session with remote devices can be created to implement access control and accounting. The EGW can be used as a PPPoE server for PPPoE user access in an Ethernet environment, or as a PPPoE client to implement the dialing function of the client.
ADSL
ADSL is a technology that provides high-bandwidth access and is mainly applied to asymmetric-rate transmission. ADSL uses existing telephone lines to transmit high-speed data and provides users with multiple services, such as high-speed Internet access, Video on Demand (VOD), and video telephony. Both the MIC and FIC extension slots of the EGW support the ADSL2+ interface card, which consequently supports the ADSL2+ features.
G.SHDSL
Defined by the ITU-T, SHDSL is the technology that transmits bidirectional symmetric bandwidth data services on a single twisted pair. SHDSL complies with the G.991.2 recommendation standard of the ITU-T and is also called G.SHDSL. Both MIC and FIC extension slots of the EGW support the SHDSL interface card, which consequently supports the SHDSL features.
3G
3G is an International Telecommunication Union (ITU) specification for the third generation of mobile communications technology (analog cellular was the first generation; digital systems such as GSM and TDMA were the second). It integrates wireless communications with multimedia communications such as the Internet. 3G can process multiple media forms such as images, music, and video streams, and provides a variety of information services including web browsing, teleconferencing, and e-commerce. In May 2000, the ITU established standards for three mainstream wireless interface standards (W-CDMA, CDMA2000, and TD-SCDMA). The standards are written into the 3G technical guide document International Mobile Telecommunications 2000 (IMT-2000). LAN users can access the Internet through the 3G card.
FR
Frame Relay (FR) is a statistical multiplexing protocol. It provides multiple Virtual Circuits (VCs) on a single physical transmission line. A Data Link Connection Identifier (DLCI) is used to differentiate VCs. A DLCI is valid only on the local interface and the remote interface directly connected to it; in an FR network, the same DLCI on different physical interfaces does not indicate the same virtual connection. When transmitting IP packets over FR links, the EGW first searches the routing table for the next hop address, then finds the corresponding DLCI in the FR address mapping table. This table maintains the mapping between the remote IP address and the next hop DLCI, and can be configured manually or maintained through Inverse ARP.
2.2.12 WLAN
The EGW provides Wireless Local Area Network (WLAN) access. WiFi is currently a common standard for constructing WLANs because of its simple technology, stable communication quality, and comparatively large transmission bandwidth. The WiFi standards are 802.11a, 802.11b, 802.11g and 802.11n. WiFi can fulfill users' wide-ranging requirements for wireless access.
3.1 Product Appearance
The EGW2100 series is classified into the following types:
- EGW2130 (one MIC slot; the WiFi function is not supported)
- EGW2130W (one MIC slot; the WiFi function is supported)
- EGW2160 (two MIC slots; the WiFi function is not supported)
- EGW2160W (two MIC slots; the WiFi function is supported)
Refer to the actual product for color and shape. Huawei reserves the right to make changes or improvements to any of the products without prior notice.
Figure 3-1 legend (items recoverable from the figure): 3. WiFi on-off; 6. Reset button
Figure 3-2 legend (items recoverable from the figure): 2. Power supply; 3. AC power switch; 4. MIC1 slot; 6. 10/100M LAN interface; 7. Console port; 8. WiFi antenna connectors; 10. Security lock hole
Only the models whose suffix contains W have the WiFi antenna connectors. The EGW2130 and EGW2130W support MIC slot 1 (numbered 4 in Figure 3-2) but not MIC slot 2 (numbered 9 in Figure 3-2).
3.2 Interfaces
3.2.1 Interface Introduction
The physical interfaces consist of fixed interfaces and extensible interfaces.
The fixed interfaces are mounted on the front panel or the rear panel of the EGW when it leaves the factory. The fixed interfaces of the EGW include:
- One WAN 10 M/100 M Ethernet interface
- Eight switching LAN 10 M/100 M Ethernet interfaces
- One Console port
- One USB port
- One FLASH card interface
- One Express interface
- WiFi wireless interface
The extensible interfaces are supplied by MIC extension modules. Users insert the interface modules they need into the MIC slots according to the actual networking requirements:
- 1-port 10 M/100 M Ethernet electrical interface card
- 5-port 10 M/100 M Ethernet electrical interface card
- 1-port E1/CE1 interface card
- 1-port ADSL2+ interface card
- 1-port / 2-port SA interface card
- 1-port / 2-port / 4-port SHDSL interface card
- 3G data card
Huawei Proprietary and Confidential Copyright Huawei Technologies Co., Ltd.
Table 3-2 10 M/100 M electrical interface parameters
Interface standard: 100Base-TX, IEEE 802.3u
Connector: RJ45
Transfer rate: 10 M/100 Mbit/s; full-duplex and half-duplex modes supported
Table 3-3 USB 2.0 interface parameters
Interface standard: USB 2.0
Connector: USB type A
Transfer rate: 480 Mbit/s (USB 2.0 high speed)
Table 3-4 3G card parameters
Model: E180; Interface type: USB; Network standard: WCDMA
- HSPA/UMTS: 900/2100 MHz
- GSM/GPRS/EDGE: 1900/1800/900/850 MHz
- HSPA: HSDPA 7.2 Mbit/s, HSUPA 2 Mbit/s
- UMTS: 384 kbit/s
- EDGE: 236.8 kbit/s
- GPRS: 85.6 kbit/s
Model: ET128; Interface type: USB; Network standard: TD-SCDMA
- TD-HSDPA/TD-SCDMA: 2010-2025 MHz
- GSM/GPRS/EDGE: 900/1800 MHz
- TD-HSDPA: 2.8 Mbit/s
- TD-SCDMA: 384 kbit/s
- EDGE: 236.8 kbit/s
- GPRS: 85.6 kbit/s
Models: EC122, EC1260, EC1261, EC169, EC169C; Interface type: USB; Network standard: CDMA2000
- CDMA2000 1X: 800 MHz
- CDMA2000 1x EV-DO: 1.8 Mbit/s upstream, 3.1 Mbit/s downstream
Model: E881E; Interface type: Express; Network standard: WCDMA
- HSUPA/HSDPA/UMTS: 2100/1900/900/850 MHz
- GSM/GPRS/EDGE: 1900/1800/900/850 MHz
- HSUPA: 5.76 Mbit/s
- HSDPA: 7.2 Mbit/s
Model: ET8282; Interface type: Express; Network standard: TD-SCDMA
- TD-HSDPA/TD-SCDMA: 1880-1920 MHz / 2010-2025 MHz
- GSM/GPRS/EDGE: 900 MHz / 1800 MHz
- TD-HSDPA: 2.8 Mbit/s
- TD-SCDMA: 384 kbit/s
Model: 3G-WCDMA; Interface type: MIC; Network standard: WCDMA
- HSPA/UMTS: 850/900/1900/2100 MHz
- HSPA: 5.76 Mbit/s upstream, 7.2 Mbit/s downstream
- UMTS: 384 kbit/s (upstream/downstream)
- EDGE: 236.8 kbit/s (upstream/downstream)
Model: 3G-TD/GSM; Interface type: MIC; Network standard: TD-SCDMA
- TD-SCDMA: 2010-2025 MHz / 1880-1920 MHz
- TD-SCDMA: 384 kbit/s upstream, 2.8 Mbit/s downstream
Model: 3G-CDMA; Interface type: MIC; Network standard: CDMA2000
- CDMA2000 1x EV-DO Rev. A: 800/1900 MHz
- CDMA2000 1x EV-DO Rev. A: 1.8 Mbit/s upstream, 3.1 Mbit/s downstream
Table 3-5 1-port 10 M/100 M and 5-port 10 M/100 M Ethernet electrical interface parameters
Interface standard: 10/100Base-TX
Connector: RJ45
Transfer rate: 10/100 Mbit/s
Table 3-6 1-port E1/CE1 interface parameters
Interface standard: DB15 connector; 75-ohm unbalanced coaxial cable or 120-ohm balanced twisted-pair cable
Transfer rate: 2.048 Mbit/s
Table 3-7 1-port ADSL2+ interface parameters
Interface standard:
ADSL standards:
- ANSI T1.413 Issue 2
- ITU G.992.1 (G.dmt) Annex A
- ITU G.992.2 (G.lite) Annex A
- ITU G.994.1 (G.hs)
- ITU G.992.7
ADSL2 standards:
- ITU G.992.3 (G.dmt.bis) Annex A
- ITU G.992.4 (G.lite.bis) Annex A
ADSL2+ standard:
- ITU G.992.5 Annex A
Connector: RJ11
Transfer rate:
- G.dmt full rate: 8 Mbit/s downstream, 896 kbit/s upstream
- G.lite: 1.5 Mbit/s downstream, 512 kbit/s upstream
- T1.413: 8 Mbit/s downstream, 896 kbit/s upstream
- G.992.5 (ADSL2+): 24 Mbit/s downstream, 1.2 Mbit/s upstream
Table 3-8 1-port / 2-port SA interface parameters
Interface standard: V.24 (DTE/DCE); V.35, X.21 and RS449 (DTE/DCE)
Minimum baud rate: 2400 bit/s (V.24 and V.35/X.21/RS449)
Maximum baud rate: 64 kbit/s (V.24); 2.048 Mbit/s (V.35/X.21/RS449)
Connector: DB28
Interface cable: V.24 DTE cable, V.24 DCE cable, V.35 DTE cable, V.35 DCE cable, X.21 DTE cable, X.21 DCE cable, RS449 DTE cable, RS449 DCE cable
Table 3-9 1-port / 2-port / 4-port SHDSL interface parameters
Interface standard: G.991.2
Connector: RJ11
Transfer rate: 192 kbit/s to 5696 kbit/s
3.2.3 WLAN
WLAN meets a wide range of user requirements for wireless access. Table 3-10 shows the WLAN parameters.
Table 3-10 WLAN parameters
Interface standard: 802.11a, 802.11b, 802.11g, 802.11n
Connection type: wireless
Transfer rate: 1 Mbit/s to 300 Mbit/s
4 Technical Specifications
4.1 System Specifications
Table 4-1 System specifications
CPU: 333 MHz
SDRAM: 512 MB
BootROM: 512 KB
Flash memory: 32 MB
Dimensions (W x D x H): 442 mm x 255 mm x 43.6 mm
Weight: 5 kg
Rated voltage: AC 220 V
Input rated voltage: AC 100 V to 240 V (50/60 Hz)
Maximum input voltage: AC 90 V to 264 V (47/63 Hz)
Maximum output power: 54 W
5 Purchase Guide
5.1 Host Purchase
5.1.1 Factors for Your Purchase
Choose the types and number of interfaces according to the scale and performance requirements of your network, then choose the product model according to the interfaces.
- When multiple devices are connected to the EGW and switching features such as VLAN are used, purchase the 5-port 10 M/100 M Ethernet electrical interface module.
- When the EGW connects to the carrier through an uplink, purchase the E1/CE1 interface module, ADSL2+ interface module, SHDSL interface module, FE interface module, SA interface module, or 3G data module.
- When link backup through dual uplinks is needed, purchase the E1/CE1 interface module, ADSL2+ interface module, SHDSL interface module, FE interface module, SA interface module, or 3G data card for the second uplink.
5.1.2 Optional List for Host Purchase
Table 5-1 lists the host and related accessories.
Table 5-1 List of the EGW series models
Item: Host; Quantity: 1
Item: Accessories; Quantity: 1
If an interface module has several cable options, select the cables from the external cable installation suite according to the line characteristics and the interface numbers. Table 5-3 shows the details.
Table 5-3 List of interface modules and optional cables of the EGW
10/100 M Ethernet electrical interface: Ethernet cable
E1/CE1 interface: 75-ohm unbalanced coaxial cable; 120-ohm balanced twisted-pair cable
Synchronous serial interface: the V.24, V.35, X.21 and RS449 DTE/DCE cables listed in Table 3-8
6 Feature List
Table 6-1 lists the features of the EGW.
Table 6-1 Feature list of the EGW
Security defending
Packet filtering:
- Supports basic ACL, advanced ACL and MAC address ACL.
- Supports accelerated ACL search.
- Supports time-range ACLs.
- Supports address sets and port sets.
- Supports dynamic maintenance of ACL rules.
- Supports blacklists and MAC address to IP address binding.
- Supports ASPF and stateful inspection.
- Provides a port mapping mechanism.
NAT:
- Supports address translation.
- Supports internal servers and port-level internal servers.
- Supports one NAT server configured with multiple public addresses.
- Supports multiple NAT ALGs, including FTP, PPTP, DNS, NBT, ILS, ICMP, H.323, MGCP, MMS, HWCC, QQ, MSN, RTSP, SIP, and conference control protocol.
Attack defending:
- Defends against multiple DoS attacks such as SYN Flood, ICMP Flood, and UDP Flood.
- Defends against scanning and snooping such as address scanning, port scanning, the IP source routing option, the IP record route option, and network topology discovery with Tracert.
- Defends against malformed packet attacks, including WinNuke, ICMP redirect packets, ICMP unreachable packets, Land, Smurf, Fraggle, Ping of Death, Tear Drop, and invalid TCP flag bits.
- Defends against ARP attacks, including ARP Flood and ARP Spoofing.
- Defends against other attacks such as IP Spoofing.
Traffic monitoring:
- Supports limiting the number of connections.
- Supports bandwidth control.
- Supports committed access rate (CAR).
- Supports real-time traffic statistics and analysis.
- Supports P2P traffic monitoring.
- Supports global IP packet statistics and bandwidth management based on IP packet type.
IPS:
- Supports reassembly of fragments.
- Supports reassembly of traffic streams.
- Supports identification of protocols on non-standard ports.
- Supports protocol analysis and anomaly detection on standard ports.
- Supports system-delivered IPS rules and IPS rule customization.
- Supports response policies, including reporting alarms, discarding packets, terminating sessions, and re-establishing sessions.
IM and P2P control:
- Supports audit and control of IM logins, including QQ login and logout audit, MSN login and logout audit, and real-time QQ/MSN login control based on IP addresses, user groups, and time.
- Supports P2P identification and traffic restriction.
- Supports identification and termination of online games and stock trading software.
Email filtering:
- Supports manual configuration of the Real-time Blackhole List (RBL) server and response codes.
- Supports RBL remote query and filtering.
- Supports configuring email response policies.
Link layer protocols:
- Supports Ethernet_II and Ethernet_SNAP.
- Supports VLAN.
- Supports the Point-to-Point Protocol (PPP).
- Supports the Point-to-Point Protocol over Ethernet (PPPoE).
- Supports High-level Data Link Control (HDLC).
- Supports Frame Relay (FR).
IP service:
- Supports IP, ICMP, UDP, TCP, ARP, and DNS.
- Supports Ping and Tracert.
- Supports Socket.
- Supports DHCP Server, DHCP Client, and DHCP Relay.
Routing protocol:
- Supports static routing.
- Supports RIP, OSPF and BGP dynamic routing.
- Supports policy routing.
- Supports routing policy and route iteration.
Interfaces:
- Ethernet
- ADSL2+
- G.SHDSL
- 3G
- E1/CE1
- WLAN
- Synchronous serial interface
Service application
AAA:
- Supports local, RADIUS, and HWTACACS authentication.
- Provides the PAP and CHAP verification modes.
- Supports user authentication for PPP and login.
- Supports AAA domains.
- Supports local user management.
VPN:
- Supports L2TP VPN.
- Supports GRE VPN.
- Supports BGP/MPLS IP VPN.
- Supports IPSec VPN.
- Supports the Internet Key Exchange (IKE) and Kerberos protocols.
- Supports CA-based IPSec VPN.
- Supports SSL VPN.
Load balancing and Secospace cooperation:
- Supports a load-balancing algorithm that distributes traffic destined to the same IP address across several servers.
- Supports cooperation between the EGW and the Secospace server to manage user access rights by precise user classification.
QoS:
- Supports traffic classification and traffic policing.
- Supports traffic shaping: GTS.
- Supports congestion management: FIFO, PQ, CQ, WFQ and CBQ.
- Supports congestion avoidance: RED and WRED.
Working mode:
- Supports routing mode.
- Supports transparent mode.
- Supports composite mode.
Configuration and management:
- Supports hierarchical protection of the command line against intrusion by unauthorized users.
- Provides multiple configuration files and program files.
- Provides Web-based GUI configuration and management.
- Supports remote configuration and management through Telnet (Telnet Server, Telnet Client, and Reverse Telnet). Telnet carries credentials and commands in cleartext; use SSH for remote management wherever possible.
- Supports SSH maintenance and management.
Standards compliance:
- Complies with multiple national and international certification and design standards.
Reliability:
- Supports VRRP, VGMP and HRP.
- Supports hot backup of commands.
- Supports hot backup of state: ACL, ASPF, traffic monitoring and NAT.
System management:
- Supports the standard network management protocol SNMPv1/v2c/v3. Only SNMPv3 authenticates and encrypts management traffic; v1 and v2c rely on cleartext community strings.
- Supports CWMP.
- Supports NTP.
Logging and statistics:
- Supports Syslog log output and binary high-speed flow log output.
- Provides a log server for browsing and querying log information and supports the elog log server.
- Provides input and output IP packet statistics, NAT logs, ASPF logs, attack-defending logs, history and real-time traffic monitoring logs, blacklist logs, and P2P traffic monitoring logs.
- Provides multiple statistics (traffic statistics and attack packets).
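The packet-filtering and attack-defending rows of Table 6-1 name time-range ACLs, port sets and a list of malformed-packet attacks without saying what each check looks at. The following added Python example (written for this page, not EGW code) runs the classic signatures of Land, Smurf, Fraggle, WinNuke, invalid TCP flag combinations, Tear Drop and Ping of Death ahead of a first-match ACL with port sets and a time range. The packet fields, the sample rules, the addresses, the dates and the default-deny behaviour of the ACL are all constructed assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()     # TCP flag names
    icmp_type: Optional[int] = None         # 8 = echo request
    dst_is_broadcast: bool = False          # set by the ingress interface (constructed field)


def malformed_reason(p: Packet) -> Optional[str]:
    """Classic malformed-packet signatures for the attacks named in Table 6-1."""
    if p.src == p.dst and (p.proto == "ICMP" or p.sport == p.dport):
        return "Land"                       # source and destination identical
    if p.proto == "ICMP" and p.icmp_type == 8 and p.dst_is_broadcast:
        return "Smurf"                      # echo request to a broadcast address
    if p.proto == "UDP" and p.dst_is_broadcast and p.dport in (7, 19):
        return "Fraggle"                    # UDP echo/chargen to a broadcast address
    if p.proto == "TCP":
        f = p.flags
        if "URG" in f and p.dport == 139:
            return "WinNuke"                # out-of-band data to the NetBIOS session port
        # null, SYN+FIN, SYN+RST, and Xmas (FIN+PSH+URG without ACK) never occur legitimately
        if (not f or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f
                or ({"FIN", "PSH", "URG"} <= f and "ACK" not in f)):
            return "invalid TCP flags"
    return None


def reassembly_reason(frags: List[Tuple[int, int]]) -> Optional[str]:
    """Check the fragments of one IP datagram, given as (offset, length) in bytes.
    Overlapping fragments are Tear Drop; a reassembled size above 65535 is Ping of Death."""
    end = 0
    for offset, length in sorted(frags):
        if offset < end:
            return "Tear Drop"
        end = offset + length
    return "Ping of Death" if end > 65535 else None


@dataclass(frozen=True)
class Rule:
    action: str                             # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: FrozenSet[int] = frozenset()    # empty = any port (a port set)
    time_range: Optional[Tuple[time, time, FrozenSet[int]]] = None  # (start, end, weekdays)


def rule_active(rule: Rule, now: datetime) -> bool:
    """Time-range ACL: a rule without a range is always active."""
    if rule.time_range is None:
        return True
    start, end, weekdays = rule.time_range
    return now.weekday() in weekdays and start <= now.time() < end


def acl_decision(rules: List[Rule], p: Packet, now: datetime) -> str:
    """First matching active rule wins; no match means deny (assumption of this example)."""
    for r in rules:
        if not rule_active(r, now):
            continue
        if r.proto != "any" and r.proto != p.proto:
            continue
        if ip_address(p.src) not in ip_network(r.src) or ip_address(p.dst) not in ip_network(r.dst):
            continue
        if r.dports and p.dport not in r.dports:
            continue
        return r.action
    return "deny"


def filter_packet(rules: List[Rule], p: Packet, now: datetime,
                  frags: Optional[List[Tuple[int, int]]] = None) -> str:
    """Attack-defending checks run before the ACL, so a malformed packet is dropped
    even when a rule would permit its 5-tuple."""
    reason = malformed_reason(p) or (reassembly_reason(frags) if frags else None)
    return f"drop ({reason})" if reason else acl_decision(rules, p, now)


# Constructed sample policy: a blacklisted source range, web access to one internal
# server during office hours only, and ICMP at any time.
OFFICE_HOURS = (time(8, 0), time(18, 0), frozenset({0, 1, 2, 3, 4}))
RULES = [
    Rule("deny", src="10.0.0.0/8", dst="203.0.113.0/24"),
    Rule("permit", proto="TCP", dst="192.168.1.10/32", dports=frozenset({80, 443}), time_range=OFFICE_HOURS),
    Rule("permit", proto="ICMP"),
]
MONDAY_NOON = datetime(2010, 3, 8, 12, 0)   # 2010-03-08 is a Monday
SUNDAY_NOON = datetime(2010, 3, 7, 12, 0)

if __name__ == "__main__":
    web = Packet("192.0.2.5", "192.168.1.10", "TCP", 40000, 443, frozenset({"SYN"}))
    print("web Monday:", filter_packet(RULES, web, MONDAY_NOON), "| web Sunday:", filter_packet(RULES, web, SUNDAY_NOON))
    print("fragments:", reassembly_reason([(0, 1480), (1400, 1480)]))
```

Ordering matters: the anomaly checks are stateless and cheap, so they sit in front of the ACL, and a packet whose source equals its destination is dropped before any permit rule can match it. The time-range rule is evaluated against the clock at lookup time, which is why the same web packet is permitted on Monday and denied on Sunday.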
7 Compliant Standards
7.1 ETS Standards
ETS 300 019-2-2: Equipment Engineering (EE); Environmental conditions and environmental tests for telecommunications equipment; Part 2-2: Specification of environmental tests; Transportation
ETS 300 119-3: European telecommunication standard for equipment practice; Part 3: Engineering requirements for miscellaneous racks and cabinets
EN 300 386 Version 1.2.1: Electromagnetic compatibility and Radio spectrum Matters (ERM); Telecommunication network equipment; Electromagnetic Compatibility (EMC) requirements
7.2 IEC Standards
IEC 61000-4-3: Electromagnetic compatibility (EMC) Part 4-3: Testing and measurement techniques; Radiated, radio-frequency, electromagnetic field immunity test
IEC 61000-4-4: Electromagnetic compatibility (EMC) Part 4-4: Testing and measurement techniques; Electrical fast transient/burst immunity test
IEC 61000-4-5: Electromagnetic compatibility (EMC) Part 4-5: Testing and measurement techniques; Surge immunity test
IEC 61000-4-6: Electromagnetic compatibility (EMC) Part 4: Testing and measurement techniques; Section 6: Immunity to conducted disturbances, induced by radio-frequency fields
IEC 61000-3-2: Electromagnetic compatibility (EMC) Part 3-2: Limits; Limits for harmonic current emissions (equipment input current ≤ 16 A per phase)
IEC 61000-3-3: Electromagnetic compatibility (EMC) Part 3: Limits; Section 3: Limitation of voltage fluctuations and flicker in low-voltage supply systems for equipment with rated current ≤ 16 A
IEC 62151: Safety of equipment electrically connected to a telecommunication network
8
Numerics
3G: Third Generation (mobile communications)
A
ACL: Access Control List
ADSL: Asymmetric Digital Subscriber Line
ALG: Application Level Gateway
ASPF: Application Specific Packet Filter
D
DDoS: Distributed Denial of Service
DHCP: Dynamic Host Configuration Protocol
DMZ: Demilitarized Zone
DoS: Denial of Service
F
FE: Fast Ethernet
FLASH: FLASH memory
FR: Frame Relay
FTP: File Transfer Protocol
H
HWCC: Huawei Conference Control Protocol
HWTACACS: Huawei Terminal Access Controller Access Control System
I
ICMP: Internet Control Message Protocol
IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
ILS: Internet Locator Service
IP: Internet Protocol
IPSec: IP Security Protocol
IS-IS: Intermediate System to Intermediate System
ISDN: Integrated Services Digital Network
ISP: Internet Service Provider
IT: Information Technology
ITU: International Telecommunication Union
ITU-T: International Telecommunication Union - Telecommunication Standardization Sector
M
MAC: Media Access Control
MD5: Message-Digest Algorithm 5
MGCP: Media Gateway Control Protocol
MIC: Mini Interface Card
MMS: Multimedia Messaging Service
N
NAT: Network Address Translation
NBT: NetBIOS over TCP/IP
NetBIOS: Network Basic Input/Output System
NGN: Next Generation Network
NMS: Network Management System
P
PAT: Port Address Translation
PKI: Public Key Infrastructure
PoE: Power over Ethernet
PPP: Point-to-Point Protocol
PPPoE: PPP over Ethernet
PPTP: Point-to-Point Tunneling Protocol
R
RADIUS: Remote Authentication Dial-In User Service
RAS: RAS message (Registration, Admission and Status)
RIP: Routing Information Protocol
RPC: Remote Procedure Call
RTSP: Real-Time Streaming Protocol
S
SIP: Session Initiation Protocol
SNMP: Simple Network Management Protocol
SNP: Subnetwork Point
SSH: Secure Shell
V
VLAN: Virtual Local Area Network
VOD: Video On Demand
VPN: Virtual Private Network
VRP: Versatile Routing Platform