eudemon series firewall p2p traffic policing technology white paper

目录第1章 IP组播公共配置...........................................................................................................1-11.1 IP组播概述.........................................................................................................................1-11.1.1 单播/广播的困惑......................................................................................................1-11.1.2 组播的优点..............................................................................................................1-21.1.3 组播的应用..............................................................................................................1-31.2 VRP上IP组播的实现..........................................................................................................1-41.2.1 组播机制构成...........................................................................................................1-41.2.2 IP组播报文的转发机制............................................................................................1-71.2.3 多实例组播..............................................................................................................1-91.3 IP组播公共配置................................................................................................................1-101.3.1 启动组播功能.........................................................................................................1-101.3.2 配置组播转发报文的最小TTL值.............................................................................1-111.3.3 配置组播转发边界..................................................................................................1-111.3.4 配置组播路由项数量限制.......................................................................................1-121.3.5 清除组播转发或路由信息.......................................................................................1-121.4 IP组播静态路由配置.........................................................................................................1-131.4.1 配置组播静态路由..................................................................................................1-131.4.2 配置组播RPF路由选择策略...................................................................................1-141.5 IP组播公共配置的显示和调试..........................................................................................1-141.6 IP组播静态路由配置举例.................................................................................................1-15第2章 IGMP配置...................................................................................................................2-12.1 IGMP简介...........................................................................................................................2-12.1.1 IGMP介绍................................................................................................................2-12.1.2 IGMP Proxy介绍......................................................................................................2-22.2 VRP上IGMP的实现............................................................................................................2-32.2.1 IGMPv1的基本机制................................................................................................2-32.2.2 IGMPv2的基本机制................................................................................................2-32.2.3 多实例的IGMP.........................................................................................................2-42.3 IGMP配置...........................................................................................................................2-42.3.1 启动组播功能...........................................................................................................2-52.3.2 启动IGMP功能.........................................................................................................2-52.3.3 启动IGMP Proxy功能..............................................................................................2-52.3.4 配置路由器成为组成员............................................................................................2-62.3.5 控制对IP组播组的访问............................................................................................2-72.3.6 配置IGMP版本.........................................................................................................2-72.3.7 配置接口上加入IGMP组的数量限制........................................................................2-72.3.8 配置IGMP查询报文间隔..........................................................................................2-82.3.9 配置IGMP查询器存在时间.......................................................................................2-82.3.10 配置IGMP最大查询响应时间.................................................................................2-92.3.11 配置发送IGMP指定组查询报文的时间间隔...........................................................2-92.3.12 配置发送IGMP指定组查询报文的次数................................................................2-102.3.13 删除接口上已加入的IGMP组...............................................................................2-102.4 IGMP显示和调试..............................................................................................................2-112.5 IGMP典型配置举例..........................................................................................................2-112.6 IGMP常见故障诊断和排除...............................................................................................2-13第3章 PIM配置......................................................................................................................3-13.1 PIM协议简介......................................................................................................................3-13.1.1 PIM-DM介绍............................................................................................................3-13.1.2 PIM-SM介绍............................................................................................................3-13.2 VRP上PIM的实现...............................................................................................................3-23.2.1 PIM-DM的工作机制.................................................................................................3-23.2.2 PIM-SM工作机制.....................................................................................................3-33.2.3 PIM-SM配置前准备工作..........................................................................................3-43.3 PIM-DM配置.......................................................................................................................3-53.3.1 启动组播功能...........................................................................................................3-53.3.2 启动IGMP功能.........................................................................................................3-63.3.3 启动PIM-DM功能.....................................................................................................3-63.3.4 配置接口的Hello报文发送间隔................................................................................3-63.3.5 配置接口的PIM邻居过滤.........................................................................................3-73.3.6 配置接口的PIM邻居最大数量..................................................................................3-73.3.7 进入PIM视图............................................................................................................3-73.3.8 配置PIM的组播源（组）过滤..................................................................................3-83.4 PIM-SM配置.......................................................................................................................3-83.4.1 启动组播功能...........................................................................................................3-93.4.2 启动IGMP功能.........................................................................................................3-93.4.3 启动PIM-SM功能.....................................................................................................3-93.4.4 配置PIM-SM域边界.................................................................................................3-93.4.5 配置候选BSR.........................................................................................................3-103.4.6 配置RP选择...........................................................................................................3-113.4.7 配置接口的Hello报文发送间隔..............................................................................3-123.4.8 配置接口的PIM邻居过滤.......................................................................................3-123.4.9 配置接口的PIM邻居最大数量................................................................................3-123.4.10 进入PIM视图........................................................................................................3-123.4.11 配置PIM的组播源（组）过滤..............................................................................3-133.4.12 配置PIM的RP对注册报文进行过滤......................................................................3-133.4.13 配置从RPT切换到SPT的阈值..............................................................................3-133.4.14 限定合法BSR和C-RP的范围...............................................................................3-143.4.15 清除PIM路由项或邻居.........................................................................................3-143.5 PIM显示和调试.................................................................................................................3-153.6 PIM典型配置举例.............................................................................................................3-163.6.1 PIM-DM典型配置举例...........................................................................................3-163.6.2 PIM-SM典型配置举例............................................................................................3-173.7 PIM常见故障诊断与排除..................................................................................................3-20第4章 MSDP配置..................................................................................................................4-14.1 MSDP简介.........................................................................................................................4-14.1.1 MSDP协议介绍........................................................................................................4-14.2 VRP上MSDP的实现...........................................................................................................4-24.2.1 识别组播源和接收组播数据.....................................................................................4-24.2.2 MSDP对等体之间消息转发过程和RPF检查............................................................4-34.3 MSDP配置.........................................................................................................................4-44.3.1 使能MSDP功能........................................................................................................4-54.3.2 配置MSDP对等体....................................................................................................4-54.3.3 配置静态RPF对等体................................................................................................4-64.3.4 配置Originating RP..................................................................................................4-64.3.5 配置缓存SA状态......................................................................................................4-74.3.6 配置缓存SA的最大数量...........................................................................................4-74.3.7 控制创建的源信息....................................................................................................4-84.3.8 控制转发的源信息....................................................................................................4-94.3.9 控制接收的源信息..................................................................................................4-104.3.10 请求MSDP对等体的源信息.................................................................................4-104.3.11 配置MSDP全连接组............................................................................................4-114.3.12 配置MSDP连接重试周期.....................................................................................4-114.3.13 关闭MSDP对等体................................................................................................4-114.3.14 清除MSDP连接、统计和SA缓存.........................................................................4-124.4 MSDP显示和调试.............................................................................................................4-124.5 MSDP典型配置举例.........................................................................................................4-134.5.1 静态RPF对等体典型配置举例...............................................................................4-134.5.2 Anycast RP典型配置举例......................................................................................4-154.6 MSDP常见故障诊断与排除..............................................................................................4-18第1章 IP组播公共配置1.1 IP组播概述1.1.1 单播/广播的困惑随着Internet网络的不断发展，一方面网络中交互的各种数据、语音和视频信息越来越多，另外新兴的电子商务、网上会议、网上拍卖、视频点播、远程教学等服务逐渐兴起。

Eudemon系列防火墙可以设置流量监管，用QOS CAR做限速。

不过好像不支持每IP限速，只能针对IP地址段去做限制，不能做的太细致。

举个例子—比如上网的网段IP地址范围是“192.168.1.0/24”，防火墙连接内网的端口号是“Ethernet 0/0/1”，那么可以把“192.168.1.0/24”这个大网段划分为“192.168.1.0/27、192.168.1.32/27、192.168.1.64 /27、192.168.1.96/27、192.168.1.128/27、192.168.1.160/27、192.168.1.192/27、 192.168.1.224/27”这8个小网段，对每个地址段来做限速。

大体步骤如下：引用://进入系统配置视图system-view//用8个ACL分别描述8个IP地址段的流量acl number 3001rule 10 permit ip source 192.168.1.0 0.0.0.31rule 11 permit ip destination 192.168.1.0 0.0.0.31acl number 3002rule 10 permit ip source 192.168.32 0.0.0.31rule 11 permit ip destination 192.168.32.0 0.0.0.31acl number 3003rule 10 permit ip source 192.168.64 0.0.0.31rule 11 permit ip destination 192.168.64.0 0.0.0.31acl number 3004rule 10 permit ip source 192.168.96 0.0.0.31rule 11 permit ip destination 192.168.96.0 0.0.0.31 acl number 3005rule 10 permit ip source 192.168.128 0.0.0.31rule 11 permit ip destination 192.168.128.0 0.0.0.31 acl number 3006rule 10 permit ip source 192.168.160 0.0.0.31rule 11 permit ip destination 192.168.160.0 0.0.0.31 acl number 3007rule 10 permit ip source 192.168.192 0.0.0.31rule 11 permit ip destination 192.168.192.0 0.0.0.31 acl number 3008rule 10 permit ip source 192.168.224 0.0.0.31rule 11 permit ip destination 192.168.224.0 0.0.0.31 quit//引用ACL定义8个类traffic classifier class1if-match acl 3001traffic classifier class2if-match acl 3002traffic classifier class3if-match acl 3003traffic classifier class4if-match acl 3004traffic classifier class5if-match acl 3005traffic classifier class6if-match acl 3006traffic classifier class7if-match acl 3007traffic classifier class8if-match acl 3008quit//定义8个行为(每个类限速3Mbps)traffic behaviour behav1car cir 3000000 cbs 0 ebs 0 green pass reddiscard traffic behaviour behav2car cir 3000000 cbs 0 ebs 0 green pass reddiscard traffic behaviour behav3car cir 3000000 cbs 0 ebs 0 green pass reddiscard traffic behaviour behav4car cir 3000000 cbs 0 ebs 0 green pass reddiscard traffic behaviour behav5car cir 3000000 cbs 0 ebs 0 green pass reddiscard traffic behaviour behav6car cir 3000000 cbs 0 ebs 0 green pass reddiscard traffic behaviour behav7car cir 3000000 cbs 0 ebs 0 green pass reddiscard traffic behaviour behav8car cir 3000000 cbs 0 ebs 0 green pass reddiscard quit//定义一个QOS策略来限制8个网段的上传和下载速率qos policy speed_limitclassifier class1 behaviour behav1classifier class2 behaviour behav2classifier class3 behaviour behav3classifier class4 behaviour behav4classifier class5 behaviour behav5classifier class6 behaviour behav6classifier class7 behaviour behav7classifier class8 behaviour behav8quit//在内网接口的inbound和outbound方向应用QOS策略，分别对上传和下载速率进行限制interface ethernet 0/0/1qos apply policy speed_limit inboundqos apply policy speed_limit outboundquit//返回用户视图，保存配置quitsave这样做完之后，每个地址段的32台主机最大上传和下载速率分别被限制在3Mbps(总共8X3=24Mbps)。

Eudemon 1000E 系列防火墙产品概述网络安全状况不断的恶化，越来越多基于各项应用和业务的深层次层网络安全问题困扰着用户。

恶意入侵、钓鱼网站、木马程序以及P2P泛滥等网络安全问题，导致企业网络效率低下，业务安全受到严重威胁。

华为公司长期致力于为用户提供全面的网络安全解决方案，拥有业界最强的网络协议分析团队以及最全的协议知识库，针对各种网络协议的安全威胁有着深入的分析和理解，可以为用户提供应对各种网络安全威胁的技术支撑。

Eudemon1000E系列防火墙是华为公司推出的新一代多功能防火墙产品，能够为用户提供防火墙、VPN、IPS、反病毒、URL过滤等多项领先的安全功能，提供全方位的网络系统安全防护，保障网络系统高效运行。

产品系列产品特点完善的防火墙功能领先的架构平台Eudemon1000E系列防火墙采用了先进的RISC多核硬件架构，多线程并行处理，优化了安全业务处理流程，特别是针对首包处理的优化，使Eudemon1000E 系列产品具备同档产品业界第一的每秒新建连接数，足以应对各种大规模网络流量的应用。

同时，将数据解封装和深度检测进行分离，实现多种深度检测并行，大幅度提升设备在深度检测状态下的性能。

10年成功的商业应用，成熟的VRP软件平台为Eudemon1000E系列产品提供健壮的操作系统，是用户最可信赖的安全操作系统。

业界领先的产品性能Eudemon1000E系列防火墙采用多核并行处理技术，最大可支持数十条线程并用户登录登录忘记密码行处理，产品在性能上有了质的飞跃，三大主要性能指标在业界处于领先位置，为用户带来超高的性能体验，尤其是作为防火墙最关键的性能指标“每秒新建连接数”，达到了惊人的每秒15万条，在业界同类产品中处于绝对的领先，能在短时间内为用户的网络访问建立大量的连接，提供网络的高速转发和低延迟，同时，也可以有效的应对网络中产生的大量突发流量和网络攻击流量。

可满足多种高速转发的网络应用的要求，充分满足用户网络对带宽高速增长的需要。

HUAWEI TECHNOLOGIES CO., LTD.Burgeoning services such as high-speed Internet access, video, and media stream lead to the rocketing of network traffic and ever-increasing service requirements of large organizations, intranets, and data centers in the 10-Gigabit epoch. New applications emerge and occupy the fixed ports of traditional services, making traditional port-dependent firewalls inadequate to cope with such applications. For the sake of illegal profits, hacker attacks and malware are spreading at will. Under this background, false positive and false negative are frequently seen in traditional traffic-based attacks. IT administrators find it difficult to deal with so many problems; therefore, large organizations, intranets, and data centers have to be confronted with such predicaments:How to select a cost-effective product to deal with ever- •increasing service requirements at present and in the future?How to block abuse and provide sufficient bandwidths for mission-•critic applications in the case of so many new applications?How to deal with flooding worms, effectively protecting intranets •and securing office environments?With in-depth understanding of service and customer requirements, Huawei launches its Eudemon1000E-X series. This series employs the new 10-Gigabit multi-core hardware platform and constructs a more high-speed network with no delay for processing mass services. By integrating advanced Symantec intrusion prevention and anti-virus technologies, it delivers content security protection and builds a secure network; with Huawei industry-leading deep packet inspection (DPI) technology, it manages thousands of application programs subtly and provides an effective network. All in all, the Eudemon1000E-X series brings "continuous, cost-effective, and secure" network experiencefor large organizations, intranets, and data centers.Eudemon1000E-X3Eudemon1000E-X5Eudemon1000E-X6Highlights10-Gigabit Multi-Core Hardware PlatformProminent performance, realizing mass service processing ■Provides 15G firewall throughput, 200,000 new connections •per second, 4,000,000 concurrent connections, and 15,000 concurrent VPN tunnels.Supports high-capacity NAT.•High-density 10G interfaces, suiting different application ■scenariosDelivers 64 Gigabit+14 x 10-Gigabit high-density interfaces. •Super-long mean time between failures (MTBF), safeguarding ■service continuitySupplies redundant key components and mature link conversion. •Provides built-in bypass cards for both optical and electrical links. •Relies on a stable software platform for over 10 years' •commercial use, and more than 100,000 devices concurrently online in the world.1Refined Management over Thousands of Application Programs, Building an Efficient NetworkWide application identification, providing visibility into the ■applications running on your networkPossesses 150 application identification experts, and over 850 •identifiable categories.Massive Web site categories, constructing a green Internet ■access environmentEquips with 65 million Web sites and over 130 content •categories, blocking Trojan horse-embedded and phishing Web sites, isolating pornographic and gambling Web sites, and preventing employees against maloperations.Refined application management, creating an efficient ■working networkOffers multi-dimensional control measures specific to time, •application, user, bandwidth, and connection number, effectively providing bandwidths for mission-critic applications, improving bandwidth usage and working efficiency, and making P2P/IM//Web sites at your mercy.Professional Content Security Defense, Providing a Secure NetworkIndustry-leading anti-virus engine with 99% high identification ■accuracyBases on Symantec accumulative anti-virus technologies, •adopts the anti-virus engine with file-level content scanning, combines the globally leading emulation environment and virtual execution technology, provides a 99% identification ratio, and gains good reputation from the international assessment organization.Dedicated vulnerability patching, making transformation ■illuminatedMaintains and updates the huge signature database by the •traditional attack code-based defense mode due to the transformation of attack types, which imposes overload on the IPS engine and leads to low detection performance and high false negative and false positive ratios. The Eudemon1000E-X is backed by advanced Symantec vulnerability defense technology and delivers virtual patches for vulnerabilities (not attack code), disabling various attacks from transforming.Real-time update by a professional team, realizing zero-day ■attack defenseSupplies the honeynet system deployed globally together •with a professional team of over 300 experts to keep tracking the latest, hottest, and most dangerous system and software vulnerabilities, and to defend against zero-day attacks quickly.One-Key Configuration, Freeing You from Complicated Policy OptimizationGUI, a farewell to CLI■Delivers the Web page–based configuration and management, •visualized and simple.Professional configuration wizard, simplifying policy configuration ■Provides a professional configuration wizard for each independent •service.One-key enabling of IPS and anti-virus, reducing maintenance ■workloadBuilds the IPS/anti-virus rule base, with a 99% detection •ratio, which can be directly enabled without commissioning. Therefore, administrators are freed from time-consuming, strenuous, and complicated policy optimization, and quick deployment comes true, that is, plug and play.Application ScenariosNetwork Isolation and VPN InterconnectionCustomer challenges■Because user networks reside in different network areas, •problems such as unclear borders, improper access control management, and disordered mutual access may occur. When branches and mobile employees communicate with the headquarters, data may be intercepted or tampered.Solution strengths ■Delivers 15G processing performance, avoiding the bottleneck •of border deployment.Divides security zones on demand, clearly planning network •borders.Provides the flexible packet filtering policies, accurately •controlling mutual access.Comes with 15,000 concurrent VPN tunnels, 7G VPN •encryption and decryption capabilities, ensuring mass secure interconnection and securing data communication.2External Threat PreventionCustomer challenges■Coming along with the abundant Internet resources are •threats such as DDoS attacks, malicious intrusions, and viruses.Solution strengths■Supplies 200,000 new connections per second and 4,000,000•concurrent connections, easily coping with millions of DDoS attack packets per second.Empowered by advanced IPS and anti-virus technologies •of Symantec as well as vulnerability-based and abundant signature database, ensuring near-zero false positives and negatives, and a detection ratio of higher than 99%; providespowerful security defense against diversified security threats.Office networkOnline Behavior ManagementCustomer challenges■None-work-related Internet surfing, P2P download, online •games, and stock transaction waste bandwidths for business, reduce productivity, and increase the risks of potential malicious code and hacker attacks.Solution strengths■Provides over 850 identifiable application categories, providing•visibility into the applications running on your network.Equips with 65 million Web sites, blocking Trojan horse- •embedded and phishing Web sites, isolating pornographic and gambling Web sites, and preventing employees against maloperations.Offers multi-dimensional control measures specific to the •time, application, user, and bandwidth, effectively providing bandwidths for mission-critic applications, improving working efficiency, and making P2P/IM//Web sites at your mercy.P2POffice networkProduct Specifications456Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.General DisclaimerThe information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factorsthat could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such informationis provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.HUAWEI TECHNOLOGIES CO., LTD.Huawei Industrial BaseBantian LonggangShenzhen 518129, P.R. ChinaTel: +86-755-28780808 Version No.: M3-110019999-20110805-C-1.0。

Eudemon系列防火墙P2P流量监管技术白皮书Huawei Technologies Co., Ltd.华为技术有限公司All rights reserved版权所有侵权必究Catalog 目录1P2P业务概述 (4)1.1简介 (4)1.2带来的变化 (4)1.3流行的P2P软件 (5)2Eudemon系列防火墙解决方案 (5)2.1深度检测技术 (5)2.2可以基于不同时间段进行控制 (5)2.3优异的业务处理性能 (5)2.4基于用户的带宽管理 (6)2.5基于用户的连接数目管理 (6)2.6灵活的组网模式 (6)2.7Eudemon防火墙的技术优势 (6)3组网模型 (7)3.1接入用户的P2P流量阻挡 (7)3.2使用在城域网的出口 (7)3.3基于时间进行P2P流量控制 (8)Eudemon系列防火墙P2P流量监管技术白皮书Keywords 关键词：P2P、BT、eDonkey、eMule、Eudemon系列防火墙Abstract 摘要：本文介绍了Eudemon系列防火墙支持的P2P流量监管技术。

List of abbreviations 缩略语清单：1 P2P业务概述1.1 简介简单地说，P2P技术是一种用于不同PC用户之间、不经过中继设备直接交换数据或服务的技术。

它打破了传统的Client/Server模式，在对等网络中，每个节点的地位都是相同的，具备客户端和服务器双重特性，可以同时作为服务使用者和服务提供者。

由于P2P技术的飞速发展，互联网的存储模式将由目前的“内容位于中心”模式转变为“内容分散存储”模式，改变了Internet现在的以大网站为中心的流量状态。

现在网上常用的P2P软件主要有BT、eDonkey、eMule等。

传统的Internet流量模型和P2P的流量模型的差别如图1所示。

图1传统的Internet流量模型和P2P流量模型的区别1.2 带来的变化P2P技术主要提供了分布式交换数据的能力，由于个人用户PC的处理能力和硬盘空间逐步增大，资源分布存储已经变为可能。

HiSecEngine Eudemon1000E-F Series AI FirewallsOverviewThe Eudemon1000E-F is a new series firewall developed by Huawei to meet the needs of carriers, enterprises, and next-generation data centers. It combines industry-leading security technologies such as access control, intrusion prevention (IPS), antivirus (AV), URL filtering, anti-spam, and data loss prevention with rich security, robust processing and carrier-class reliability. Inheriting the Eudemon series' outstanding firewall, VPN, and routing features, it helps you build a fast, efficient, and secure network.Product HighlightsComprehensive and Integrated Protection⚫Integrates the traditional firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, URL filtering, and online behavior management functions all in one device.⚫Implements refined bandwidth management based on applications and websites, preferentially forwards key services, and ensures bandwidth for key services.⚫Comes with an antivirus content-based detection engine (CDE) powered by intelligence technologies that helps detect unknown threats, and provides in-depth data analysis to gain insight into threat activities and quickly detect malicious files, effectively improving the threatdetection rate.Easy Security Management⚫Rapidly deploys security policies using scenario-specific templates.⚫Complies with the minimum permission control principle and automatically generates policy tuning suggestions based on network traffic and application risks.⚫Analyzes the policy matching ratio and discovers redundant and invalid policies to remove policies and simplify policy management.⚫Supports Huawei SecoManager to achieve a unified configuration, management and maintenance of all devices.High Performance⚫Uses the network processing platform, improving forwarding performance significantly.⚫Enables pattern matching and accelerates encryption/decryption, improving the performance for processing IPS, antivirus, and IPSec services. High Port Density⚫The device has multiple types of interfaces, such as 100G,40G, 10G, and 1G interfaces. Services can be flexibly expanded without extra interface cards.Note: The interface types supported by different models vary. For details, see the specification table.DeploymentExternal Threat Prevention⚫Coming along with the abundant Internet resources are threats such as DDoS attacks, maliciousintrusions, and viruses.⚫The capabilities of supporting large numbers of concurrent connections and new connections persecond help to combat the numerous DDoS attacks.Empowered by advanced IPS and antivirustechnologies as well as vulnerability-based andreal-time updated signature database, theEudemon1000E-F series implements near-zerofalse positives and negatives and a detection ratio of higher than 99%; defends against diversifiedthreats from the Internet, and ensures the security of the intranet . Network Isolation and VPN Interconnection⚫Network areas are not clearly divided, access control is insufficient, and the data transmittedbetween mobile employees or branches and theheadquarters is likely to be intercepted or tampered with.⚫Delivers high throughput to avoid bottleneck at network borders, supports security zones to clearly divide networks, offers flexible packet filteringpolicies to accurately control communication, and encapsulates and checks packets of VPN users to ensure the security of data communication.HackerMalwareInternetEudemonDatacenterBranchInternetHeadquartersUserIPSec VPNSSL VPNEudemonHardwareSoftware FeaturesFeature DescriptionIntegrated protection Integrates firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, anti-DDoS, URL filtering, and anti-spam functions. Provides a global configuration view, and manages policies in a unified manner.Application identification and control Identifies over 6000 applications and supports the access control granularity down to application functions. The firewall combines application identification with intrusion detection, antivirus, and data filtering, improving detection performance and accuracy.Intrusion prevention and web protection Accurately detects and defends against vulnerability-specific attacks based on up-to-date threat information. The firewall can defend against web-specific attacks, including SQL injection and XSS attacks.Antivirus Supports intelligent antivirus engine that helps detect hundreds of millions of virus variants.Bandwidth management Manages per-user and per-IP bandwidth in addition to identifying service applications to ensure the network access experience of key services and users. Control methods include limiting the maximum bandwidth, ensuring the minimumbandwidth, and changing application forwarding priorities.Eudemon1000E-F15/F25Eudemon1000E-F35/F55/F85Eudemon1000E-F125Eudemon1000E-F205Feature DescriptionURL filtering Supports remote query for URL categories. The URL category database contains over 140 million URL categories. URL category query servers are deployed globally to offer high-speed, low-latency category query services and meet the regulatory requirements of different countries and regions. URL category filtering can implement URL access control for users or groups based on information such as users or groups, time ranges, and security zones, accurately managing users' online behaviors.Intelligent uplink selection Supports service-specific PBR and intelligent uplink selection based on multiple load balancing algorithms (for example, based on bandwidth ratio and link health status) in multi-egress scenarios.VPN encryption Supports multiple highly available VPN features, such as IPSec VPN, SSL VPN, and GRE, as well as multiple encryption algorithms, such as DES, 3DES, AES, and SHA.Anti-DDoS Defends against more than 10+types of common DDoS attacks, including SYN flood and UDP flood attacks.Security virtualization Supports virtualization of multiple types of security services, including firewall, intrusion prevention, antivirus, and VPN. Users can separately conduct personal management on the same physical device.Security policy management Controls traffic based on the 5-tuples, security zone, application, and time range, and implements integrated content security detection.Uses predefined templates for common attack defense scenarios to rapidly deploy security policies, reducing learning costs.Diversified reports Provides visualized and multi-dimensional report display by user, application, content, time, traffic, threat, and URL.Routing Supports multiple types of routing protocols and features, such as RIP, OSPF, BGP, IS-IS, RIPng, OSPFv3, BGP4+, and IPv6 IS-IS.Deployment and reliability Supports transparent, routing, and hybrid working modes and high availability (HA), including the Active/Active and Active/Standby modes.SpecificationPerformance and Capability Eudemon1000E-F15Eudemon1000E-F25 IPv4 Firewall Throughput1(1518/512/64-byte, UDP)15/15/15 Gbit/s25/25/25 Gbit/s IPv6 Firewall Throughput1(1518/512/84-byte, UDP)15/15/15 Gbit/s25/2525 Gbit/s Firewall Throughput(Packet per Second)22.5 Mpps37.5 M pps Firewall Latency (64-byte, UDP)18 µs18 µsFW + SA* Throughput28Gbps12Gbps NGFW Throughput36Gbps10Gbps NGFW Throughput(Enterprise Mix)4 4.6Gbps 4.6Gbps Threat Protection Throughput (Enterprise Mix)54Gbps4Gbps Concurrent Sessions (HTTP1.1)110,000,00010,000,000 New Sessions/Second (HTTP1.1)1250,000250,000 IPSec VPN Throughput1 (AES-256 + SHA256, 1420-byte)10 Gbit/s15 Gbit/s Maximum IPSec VPN Tunnels (GW to GW)15,00015,000 Maximum IPSec VPN Tunnels (Client to GW)15,00015,000SSL VPN Throughput6 1 Gbit/s 1.5 Gbit/s Concurrent SSL VPN Users (Default/Maximum)100/2000100/2000 Security Policies (Maximum)40,00040,000 Virtual Firewalls 10001000URL Filtering: Categories More than 130URL Filtering: URLs Can access a database of over 120 million URLs in the cloudAutomated Threat Feed and IPS Signature Updates Yes, an industry-leading security center from Huawei (/sec/web/index.do)Centralized Management Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManagerVLANs (Max)4094VLANIF Interfaces (Max)1000High Availability Configurations Active/Active, Active/StandbyPerformance and CapabilityNote:1. Performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.2. SA performance is measured using 100 KB HTTP files.3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.4. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.5. The threat protection throughput is measured with Firewall, SA, IPS,and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.*SA: Service Awareness.Hardware Specification Eudemon1000E-F15Eudemon1000E-F25 Dimensions (H x W x D) mm43.6 x 442 x 420Form Factor/Height1UFixed Interface8*GE COMBO + 4*GE(RJ45) + 4*GE(SFP)+ 6*10GE(SFP+)USB Port 1 x USB 3.0 portsWeight (Empty Configuration) 6.3 kgLocal Storage Optional, 1 * 2.5 inch 240G SSD storage, or 1 * 2.5 inch 1TB HDD storage Maximum Power Consumption222WAC Power Supply AC:100V to 240V, 50/60Hz DC: -48V to 60VPower Supplies Dual AC or dual DC power suppliesOperating Environment (Temperature/Humidity)Temperature: 0°C to 45°C (without optional HDD);5°C to 40°C (with optional HDD)Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingNon-operating Environment Temperature: –40°C to +70°CHumidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingOperating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Non-operating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Noise Maximum value < 72 DbaHardware SpecificationSpecificationPerformance and Capability Eudemon1000E-F35Eudemon1000E-F55Eudemon1000E-F85IPv4 Firewall Throughput1(1518/512/64-byte, UDP)35/35/35 Gbit/s50/50/40 Gbit/s80/80/40 Gbit/s IPv6 Firewall Throughput1(1518/512/84-byte, UDP)35/35/25 Gbit/s50/50/25 Gbit/s80/80/25 Gbit/s Firewall Throughput(Packet per Second)52.5 Mpps60 Mpps60 M pps Firewall Latency (64-byte, UDP)18 µs18 µs18 µsFW + SA* Throughput218Gbps25Gbps25Gbps NGFW Throughput312Gbps18Gbps18Gbps NGFW Throughput (Enterprise Mix)48Gbps8Gbps8Gbps Threat Protection Throughput (Enterprise Mix)57Gbps7Gbps7Gbps Concurrent Sessions (HTTP1.1)120,000,00020,000,00025,000,000 New Sessions/Second (HTTP1.1)1500,000500,000750,000 IPSec VPN Throughput1 (AES-256 + SHA256, 1420-byte)20 Gbit/s30 Gbit/s30Gbit/s Maximum IPSec VPN Tunnels (GW to GW)200002000020000 Maximum IPSec VPN Tunnels (Client to GW)200002000020000 SSL VPN Throughput6 3 Gbit/s 3 Gbit/s 5 Gbit/s Concurrent SSL VPN Users (Default/Maximum)50005000100/5000 Security Policies (Maximum)60,00060,00060000 Virtual Firewalls 100010001000 URL Filtering: Categories More than 130URL Filtering: URLs Can access a database of over 120 million URLs in the cloudAutomated Threat Feed and IPS Signature Updates Yes, an industry-leading security center from Huawei (/sec/web/index.do)Centralized Management Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManagerVLANs (Max)4094VLANIF Interfaces (Max)1000High Availability Configurations Active/Active, Active/Standby Performance and CapabilityHardware SpecificationEudemon1000E-F35Eudemon1000E-F55Eudemon1000E-F85Dimensions (H x W x D) mm43.6 x 442 x 420Form Factor/Height1UFixed Interface 8*GE COMBO + 4*GE(RJ45)+ 10*10GE(SFP+)USB Port 1 x USB 3.0 portsWeight (Empty Configuration)7.3 kgLocal Storage Optional, 1 * 2.5 inch 240G SSD storage, or 1 * 2.5 inch 1TB HDD storage Maximum Power Consumption242WAC Power Supply AC:100V to 240V, 50/60Hz DC: -48V to 60VPower SuppliesDual AC or dual DC power suppliesOperating Environment (Temperature/Humidity)Temperature: 0°C to 45°C (without optional HDD); 5°C to 40°C (with optional HDD)Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingNon-operating Environment Temperature: –40°C to +70°CHumidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingOperating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD)Non-operating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD)Noise Maximum value < 72 DbaHardware SpecificationNote :1. Performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.2. SA performance is measured using 100 KB HTTP files.3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.4. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.5. The threat protection throughput is measured with Firewall, SA, IPS, and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.*SA: Service Awareness.SpecificationPerformance and Capability Eudemon1000E-F125Eudemon1000E-F205 IPv4 Firewall Throughput1(1518/512/64-byte, UDP)160/160/80 Gbit/s240/240/120 Gbit/s IPv6 Firewall Throughput1(1518/512/84-byte, UDP)160/120/50 Gbit/s240/200/75 Gbit/s Firewall Throughput(Packet per Second)120 M pps180 M pps Firewall Latency (64-byte, UDP)35 µs35 µsFW + SA* Throughput250Gbps75Gbps NGFW Throughput336Gbps54Gbps NGFW Throughput(Enterprise Mix)416Gbps24Gbps Threat Protection Throughput (Enterprise Mix)514Gbps21Gbps Concurrent Sessions (HTTP1.1)150,000,00075,000,000New Sessions/Second (HTTP1.1)11,500,0002,250,000 IPSec VPN Throughput1 (AES-256 + SHA256, 1420-byte)45Gbit/s65Git/s Maximum IPSec VPN Tunnels (GW to GW)4000060000 Maximum IPSec VPN Tunnels (Client to GW)4000060000SSL VPN Throughput610 Gbit/s12 Gbit/s Concurrent SSL VPN Users (Default/Maximum)100/10000100/15000 Security Policies (Maximum)6000060000Virtual Firewalls 10001000URL Filtering: Categories More than 130URL Filtering: URLs Can access a database of over 120 million URLs in the cloudAutomated Threat Feed and IPS Signature Updates Yes, an industry-leading security center from Huawei (/sec/web/index.do)Centralized Management Centralized configuration, logging, monitoring, and reporting is performed by Huawei SecoManagerVLANs (Max)4094VLANIF Interfaces (Max)1000High Availability Configurations Active/Active, Active/StandbyPerformance and CapabilityNote:1. Performance is tested under ideal conditions based on RFC2544, 3511. The actual result may vary with deployment environments.2. SA performance is measured using 100 KB HTTP files.3. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using 100 KB HTTP files.4. NGFW throughput is measured with Firewall, SA, and IPS enabled; the performance is measured using the Enterprise Mix Traffic Model.5. The threat protection throughput is measured with Firewall, SA, IPS, and AV enabled; the performance is measured using the Enterprise Mix Traffic Model.6. SSL VPN throughput is measured using TLS v1.2 with AES128-SHA.*SA: Service Awareness.Hardware Specification Eudemon1000E-F125Eudemon1000E-F205 Dimensions (H x W x D) mm43.6 x 442 x 600Form Factor/Height1UFixed Interface 2*100GE(QSFP28) + 2*40G(QSFP+)+8*25(ZSFP+) + 20*GE(SFP+)14*100GE(QSFP28) +16*25GE(ZSFP+) + 8*GE(SFP+)2USB Port 1 x USB 3.0 portsWeight (Empty Configuration) 6.3 kgLocal Storage Optional, 1 * 2.5 inch 240G SSD storage, or 1 * 2.5 inch 1TB HDD storage Maximum Power Consumption222WAC Power Supply AC:100V to 240V, 50/60Hz DC: -48V to 60VPower Supplies Dual AC or dual DC power suppliesOperating Environment (Temperature/Humidity)Temperature: 0°C to 45°C (without optional HDD);5°C to 40°C (with optional HDD)Humidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingNon-operating Environment Temperature: –40°C to +70°CHumidity: 5% to 95% (without optional HDD), non-condensing; 5% to 95% (with optional HDD), non-condensingOperating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Non-operating Altitude (Maximum)5,000 meters (without optional HDD); 3,000 meters (with optional HDD) Noise Maximum value < 72 DbaHardware SpecificationNote:1. Some 100GE interfaces and 25GE interfaces of Eudemon1000E-F125 are mutually exclusive.2. Some 100GE interfaces and 25GE interfaces of Eudemon1000E-F205 are mutually exclusive.Order InformationProductEudemon1000E-F15-AC Eudemon1000E-F15 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 AC power supply) Eudemon1000E-F15-DC Eudemon1000E-F15 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 DC power supply) Eudemon1000E-F25-AC Eudemon1000E-F25 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 AC power supply) Eudemon1000E-F25-DC Eudemon1000E-F25 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 6*10GE SFP+, 1 DC power supply) Eudemon1000E-F35-AC Eudemon1000E-F35 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supply) Eudemon1000E-F35-DC Eudemon1000E-F35 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supply) Eudemon1000E-F55-AC Eudemon1000E-F55 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supply) Eudemon1000E-F55-DC Eudemon1000E-F55 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supply) Eudemon1000E-F85-AC Eudemon1000E-F85 AC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 AC power supply) Eudemon1000E-F85-DC Eudemon1000E-F85 DC Host (8*GE COMBO + 4*GE RJ45 + 4*GE SFP + 10*10GE SFP+, 2 DC power supply) Eudemon1000E-F125-AC Eudemon1000E-F125 AC Host (2*QSFP28 + 2*QSFP+ + 8*ZSFP+ + 20*SFP+, 2 AC power supplies) Eudemon1000E-F125-DC Eudemon1000E-F125 DC Host (2*QSFP28 + 2*QSFP+ + 8*ZSFP+ + 20*SFP+, 2 DC power supplies) Eudemon1000E-F205-AC Eudemon1000E-F205 AC Host (4*QSFP28 + 16*ZSFP+ + 8*SFP+, 2 AC power supplies)Eudemon1000E-F205-DC Eudemon1000E-F205 DC Host (4*QSFP28 + 16*ZSFP+ + 8*SFP+, 2 DC power supplies)SSL VPN LicenseLIC-E1KF-SSLVPN-100Quantity of SSL VPN Concurrent Users(100 Users)LIC-E1KF-SSLVPN-200Quantity of SSL VPN Concurrent Users(200 Users)LIC-E1KF-SSLVPN-500Quantity of SSL VPN Concurrent Users(500 Users)LIC-E1KF-SSLVPN-1000Quantity of SSL VPN Concurrent Users(1000 Users)LIC-E1KF-SSLVPN-2000Quantity of SSL VPN Concurrent Users(2000 Users)LIC-E1KF-SSLVPN-5000Quantity of SSL VPN Concurrent Users(5000 Users)VSYS LicenseLIC-E1KF--VSYS-10Quantity of Virtual Firewall (10 Vsys)LIC-E1KF--VSYS-20Quantity of Virtual Firewall (20 Vsys)LIC-E1KF--VSYS-50Quantity of Virtual Firewall (50 Vsys)LIC-E1KF--VSYS-100Quantity of Virtual Firewall (100 Vsys)LIC-E1KF--VSYS-200Quantity of Virtual Firewall (200 Vsys)LIC-E1KF--VSYS-500Quantity of Virtual Firewall (500 Vsys)LIC-E1KF--VSYS-1000Quantity of Virtual Firewall (1000 Vsys)Threat Protection LicenseLIC-E1KE-Fxx-IPS-1YIPS Update Service Subscribe 12 MonthsLIC-E1KE-Fxx-IPS-3YIPS Update Service Subscribe 36 MonthsLIC-E1KE-Fxx-AV-1YAV Update Service Subscribe 12 MonthsLIC-E1KE-Fxx-AV-3YAV Update Service Subscribe 36 MonthsLIC-E1KE-Fxx-URL-1YURL Remote Query Service Subscribe 12MonthsLIC-E1KE-Fxx-URL-3YURL Remote Query Service Subscribe 36MonthsLIC-E1KE-Fxx-TP-1Y-OVSThreat Protection Subscription 12 MonthsLIC-E1KE-Fxx-TP-3Y-OVSThreat Protection Subscription 36 MonthsLIC-E1KE-F-CONTENTContent Security Group FunctionAbout This PublicationThis publication is for reference only and shall not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.For more information, visit /en/products/enterprise-networking/security. Copyright©2021 Huawei Technologies Co., Ltd. All rights reserved.Huawei Technologies Co., Ltd.Address: Huawei Industrial Base Bantian, Longgang Shenzhen 518129, People's Republic of ChinaWebsite: Tel: 4008302118Page 7。

高速Internet、视频、流媒体等业务的兴起，导致网络流量飞速增长，大型机构、园区和数据中心快速步入万兆时代；各种新型的应用层出不穷，频繁挤占传统业务的固有端口，导致传统端口检测FW无能为力；利益驱动下的黑客攻击和恶意软件肆意传播，传统防护方式或频频误报虚惊一场，或经常漏报造成损失，IT管理员疲于应付，效果甚微；因此，大型机构、园区和数据中心不得不面对以下困境：步入万兆时代，何处寻觅一款高性价比的产品来应对不断增•长的业务需求？新型应用层出不穷，如何练就火眼金睛，阻断滥用行为，保•障关键业务带宽？蠕虫病毒肆意传播，如何有效保护内网安全，营造真正安全•办公环境？正是基于对业务和客户需求的持续深入思考，华为公司面向大型机构、园区和数据中心推出Eudemon1000E-X系列产品。

该系列产品采用万兆多核全新硬件平台，轻松实现海量业处理，打造业务永续的办公网络；融合Symantec先进的入侵防御和反病毒技术，重新演绎专业内容安全防御，营造更安全的办公网络；集成华为业界领先的DPI（深度包检测）识别技术，精细管理超千种应用程序，创建更高效的办公环境。

为大型机构、园区和数据中心打造“业务永续、更高效、更安全”的高性价比网络体验。

Eudemon1000E-X3Eudemon1000E-X5Eudemon1000E-X6产品外观华为技术有限公司万兆多核全新硬件平台，为您打造更高速的网络性能优异，实现海量业务处理：■15G防火墙吞吐，200K每秒新建连接数，400万并发连接数，15K并发VPN隧道，大容量NAT转换能力，轻松实现海量业务处理；高密度万兆接口，适应不同应用场景需求：■64千兆+14万兆的高密度接口，为提前跨入万兆时代的您提供不同组网情况下的安全防护，方便您细化安全区域；超长无故障运行时间，确保客户业务连续性：■关键部件冗余配置，成熟的链路转换机制，支持光、电两类内置Bypass插卡，为您提供超长无故障硬件保障；商用10年+的超稳定软件平台，全球在线设备超过10万台，为您打造永续的办公环境。

目录第1章 VLAN配置..................................................................................................................1-11.1 VLAN简介..........................................................................................................................1-11.2 VLAN基本配置..................................................................................................................1-31.3 VLAN显示和调试...............................................................................................................1-31.4 VLAN典型配置举例...........................................................................................................1-4第2章 PPP配置.....................................................................................................................2-12.1 PPP协议简介.....................................................................................................................2-12.2 PPP配置............................................................................................................................2-32.2.1 配置接口封装的链路层协议为PPP.........................................................................2-32.2.2 配置PPP验证方式及用户名、用户口令.................................................................2-32.2.3 配置PPP的AAA验证及计费参数..........................................................................2-52.2.4 配置PPP协商参数..................................................................................................2-62.2.5 配置PPP压缩.........................................................................................................2-62.2.6 配置PPP链路质量监测...........................................................................................2-72.2.7 配置回呼功能..........................................................................................................2-72.2.8 配置回呼防火墙时所需要的拨号串..........................................................................2-82.2.9 配置DNS服务器地址协商.......................................................................................2-82.2.10 配置VJ TCP头压缩..............................................................................................2-92.3 PPP显示和调试.................................................................................................................2-92.4 PPP典型配置举例.............................................................................................................2-92.4.1 采用PAP验证的PPP应用举例..............................................................................2-92.4.2 采用CHAP验证的PPP举例................................................................................2-102.5 PPP故障诊断与排除........................................................................................................2-11第3章 PPPoE配置................................................................................................................3-13.1 PPPoE简介.......................................................................................................................3-13.1.1 PPPoE协议介绍......................................................................................................3-13.1.2 PPPoE应用介绍......................................................................................................3-13.2 PPPoE Server配置............................................................................................................3-23.2.1 启用/禁止PPPoE协议............................................................................................3-23.2.2 配置PPPoE协议参数.............................................................................................3-33.3 PPPoE Client配置.............................................................................................................3-33.3.1 配置拨号接口...........................................................................................................3-43.3.2 配置PPPoE会话.....................................................................................................3-43.3.3 复位或删除PPPoE会话..........................................................................................3-53.4 PPPoE显示和调试............................................................................................................3-53.5 PPPoE典型配置举例.........................................................................................................3-6第4章 ATM配置....................................................................................................................4-14.1 ATM技术简介....................................................................................................................4-14.2 IPoA、IPoEoA、PPPoA、PPPoEoA应用介绍.................................................................4-24.3 ATM的配置........................................................................................................................4-34.3.1 配置ATM接口.........................................................................................................4-34.3.2 定制ATM接口.........................................................................................................4-44.3.3 配置PVC.................................................................................................................4-44.3.4 配置PVC业务映射..................................................................................................4-54.3.5 配置ATM-Class类..................................................................................................4-54.3.6 设置VP监管...........................................................................................................4-64.3.7 配置IPoA................................................................................................................4-74.3.8 配置IPoEoA............................................................................................................4-74.3.9 配置PPPoA.............................................................................................................4-74.3.10 配置PPPoEoA......................................................................................................4-84.4 ATM显示和调试.................................................................................................................4-84.5 ATM典型配置举例.............................................................................................................4-94.5.1 IPoA典型配置举例..................................................................................................4-94.5.2 IPoEoA典型配置举例............................................................................................4-114.5.3 PPPoA典型配置举例............................................................................................4-124.5.4 PPPoEoA典型配置举例........................................................................................4-144.6 ATM故障诊断与排除.......................................................................................................4-15第1章 VLAN配置1.1 VLAN简介以太网是一种基于CSMA/CD（Carrier Sense Multiple Access/CollisionDetect：载波侦听多路访问/冲突检测）的共享通讯介质的数据网络通讯技术，共享介质上的各节点轮流使用介质传送帧，同一时刻只能有一个主机发，其他主机只能收。

Product OverviewAs a new-generation unified security gateway, Huawei Eudemon200E-X Series product family transforms today’s Small Business and Enterprise’s workspace experience by delivering them high performance routing and switching, strong security enhancement, wireless access and voice business in an integrated single platform.HUAWEI Eudemon200E-X series products using Huawei's unified software platform which named VRP, providing a combination of traditional network access and network security integration business standards. In addition to a strong routing and switching features, Unified Security Gateway Eudemon200E-X with a variety of professional security features including stateful firewall, VPN, Network Address Translation (NAT), authentication, access control, anti-virus, anti-spam , URL filtering, IPS, application security and other security features can protect the network against DDoS attacks, worms, Trojan horses, viruses, spam, illegal invasion and illegal networks. These safety features and wide area network WAN, local area network LAN, wireless WAN and wireless LAN WLAN WWAN interface provides a high degree of integration makes the sustainability of flexible end to end security services become a reality.Product DescriptionProduct FeaturesLeading infrastructure platformsEudemon200E-X series products using advanced multi-threaded ■multi-core hardware architectures and parallel processing technology to optimize the safety of business processes, making the Eudemon200E-X series products sufficient to meet all kinds of large-scale application of network traffic. Mature VRP software platform Eudemon200E-X Series products provide a robust operating system, a user's most trusted security operating system.Extensive routing, switching, wireless (Wi-Fi,3G) and securityEudemon200E-X series of products set routing, switching, ■wireless (Wi-Fi, 3G), voice, security functions into one, integrating the traditional routers, traditional switches, the deployment of traditional firewall and UTM solutions can help companies improve efficiency, reduce maintenance complexity, and reduce TCO.Comprehensive dedicated technologies for network protectionIntegrated UTM functions:■IPS:• IPS Intrusion detection using Symantec's advanced IPS detection engines to provide efficient and accurate networkpacket scanning capability, with advanced software andhardware platforms and rich signature library, Eudemon200E-X series products can quickly and accurately identify attacks.AV:• efficiently and precisely detects and removes hiddenviruses in network traffic by virtue of Symantec cutting-edgevirus detection engine.AS:• effectively blocks spam and purifies enterprises' mail systems, thus preventing spam from interfering with normalservices.URL filtering and P2P/IM control:• precisely identifies access to illegitimate Web sites and over 60 P2P/IM applications,and provides alerting, traffic limiting, and blocking actions toguarantee bandwidth for normal services.Diversified VPNsThe Eudemon200E-X delivers powerful VPN function, and ■supports the following common VPNs for differentiated VPN applications:L2TP•IPSec VPN•Dynamic VPN (DVPN)•SSL VPN•GRE•MPLS VPN•Flexible scalabilityEudemon200E-X series products support MIC, FIC, DFIC three ■types of expansion slot that can support the FE, GE, E1/CE1, SA, ADSL2 +, G. SHDSL, WIFI, 3G,GPON and other access ways into the Internet to provide users with a wealth of access.Product SpecificationsCopyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.General DisclaimerThe information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factorsthat could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such informationis provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.HUAWEI TECHNOLOGIES CO., LTD.Huawei Industrial BaseBantian LonggangShenzhen 518129, P.R. ChinaTel: +86-755-28780808 Version No.: M3-110019999-20110629-C-1.0。

目录第1章防火墙概述 ..................................................................................................................... 1-11.1 网络安全概述 ..................................................................................................................... 1-11.1.1 安全威胁.................................................................................................................. 1-11.1.2 网络安全服务分类 ................................................................................................... 1-11.1.3 安全服务的实现方法................................................................................................ 1-21.2 防火墙概述......................................................................................................................... 1-41.2.1 安全防范体系的第一道防线——防火墙................................................................... 1-41.2.2 防火墙发展历史....................................................................................................... 1-41.3 Eudemon产品简介............................................................................................................. 1-61.3.1 Eudemon产品系列 .................................................................................................. 1-61.3.2 Eudemon500/1000防火墙简介................................................................................ 1-61.3.3 Eudemon500/1000防火墙功能特性列表 ................................................................. 1-8第2章 Eudemon防火墙配置基础 .............................................................................................. 2-12.1 通过Console接口搭建本地配置环境 .................................................................................. 2-12.1.1 通过Console接口搭建 ............................................................................................. 2-12.1.2 实现设备和Eudemon防火墙互相ping通 .................................................................. 2-42.1.3 实现跨越Eudemon防火墙的两个设备互相ping通.................................................... 2-52.2 通过其他方式搭建配置环境................................................................................................ 2-62.2.1 通过AUX接口搭建 ................................................................................................... 2-72.2.2 通过Telnet方式搭建................................................................................................. 2-92.2.3 通过SSH方式搭建 ................................................................................................. 2-112.3 命令行接口....................................................................................................................... 2-122.3.1 命令行级别 ............................................................................................................ 2-122.3.2 命令行视图 ............................................................................................................ 2-132.3.3 命令行在线帮助..................................................................................................... 2-242.3.4 命令行错误信息..................................................................................................... 2-252.3.5 历史命令................................................................................................................ 2-262.3.6 编辑特性................................................................................................................ 2-262.3.7 查看特性................................................................................................................ 2-272.3.8 快捷键.................................................................................................................... 2-272.4 防火墙的基本配置............................................................................................................ 2-302.4.1 进入和退出系统视图.............................................................................................. 2-302.4.2 切换语言模式......................................................................................................... 2-302.4.3 配置防火墙名称..................................................................................................... 2-312.4.4 配置系统时钟......................................................................................................... 2-312.4.5 配置命令级别......................................................................................................... 2-312.4.6 查看系统状态信息 ................................................................................................. 2-322.5 用户管理........................................................................................................................... 2-332.5.1 用户管理概述......................................................................................................... 2-332.5.2 用户管理的配置..................................................................................................... 2-342.5.3 用户登录相关信息的配置....................................................................................... 2-372.5.4 典型配置举例......................................................................................................... 2-382.6 用户界面（User-interface）............................................................................................. 2-392.6.1 用户界面简介......................................................................................................... 2-392.6.2 进入用户界面视图 ................................................................................................. 2-402.6.3 配置异步接口属性 ................................................................................................. 2-412.6.4 配置终端属性......................................................................................................... 2-422.6.5配置Modem属性................................................................................................... 2-442.6.6 配置重定向功能..................................................................................................... 2-452.6.7 配置VTY类型用户界面的呼入呼出限制................................................................. 2-462.6.8 用户界面的显示和调试 .......................................................................................... 2-472.7 终端服务........................................................................................................................... 2-472.7.1 Console接口终端服务 ........................................................................................... 2-472.7.2 AUX接口终端服务 ................................................................................................. 2-482.7.3 Telnet终端服务...................................................................................................... 2-482.7.4 SSH终端服务......................................................................................................... 2-51第3章 Eudemon防火墙工作模式 .............................................................................................. 3-13.1 防火墙工作模式简介 .......................................................................................................... 3-13.1.1 工作模式介绍........................................................................................................... 3-13.1.2 路由模式工作过程 ................................................................................................... 3-33.1.3 透明模式工作过程 ................................................................................................... 3-33.1.4 混合模式工作过程 ................................................................................................... 3-73.2 防火墙路由模式配置 .......................................................................................................... 3-83.2.1 配置防火墙工作在路由模式..................................................................................... 3-83.2.2 配置路由模式其它参数 ............................................................................................ 3-83.3 防火墙透明模式配置 .......................................................................................................... 3-83.3.1 配置防火墙工作在透明模式..................................................................................... 3-93.3.2 配置地址表项........................................................................................................... 3-93.3.3 配置对未知MAC地址的IP报文的处理方式............................................................... 3-93.3.4 配置MAC地址转发表的老化时间........................................................................... 3-103.4 防火墙混合模式配置 ........................................................................................................ 3-103.4.1 配置防火墙工作在混合模式................................................................................... 3-103.4.2 配置混合模式其它参数 .......................................................................................... 3-113.5 防火墙工作模式的切换..................................................................................................... 3-113.6 防火墙工作模式的查看和调试.......................................................................................... 3-113.7 防火墙工作模式典型配置举例.......................................................................................... 3-123.7.1 处理未知MAC地址的IP报文 .................................................................................. 3-123.7.2 透明防火墙连接多个局域网................................................................................... 3-12第1章防火墙概述1.1 网络安全概述随着Internet的迅速发展，越来越多的企业借助网络服务来加速自身的发展，此时，如何在一个开放的网络应用环境中守卫自身的机密数据、资源及声誉已越来越为人们所关注。

[原创]华为Eudemon防火墙NAT配置实例Post By：2007-7-11 11:35:00贴一下我公司里防火墙的配置，希望能够起到抛砖引玉的作用。

具体外网IP和内网ARP绑定信息已经用“x”替代，请根据实际情况更换。

“／／”后面的部分是我导出配置后添加的注释。

防火墙型号为华为Eudemon 200，E0/0/0口为外网接口，E0/0/1口为内网。

另外此配置方法也完全适用于华为Secpath系列防火墙，略加改动也可适用于华为AR系列路由器。

------------------------------------------传说中的分隔线------------------------------------------#sysname Eudemon／／设置主机名#super password level 3 simple xxxxxxxx／／Ｓｕｐｅｒ密码为xxxxxxxx #firewall packet-filter default permit interzone local trust direction inboundfirewall packet-filter default permit interzone local trust direction outboundfirewall packet-filter default permit interzone local untrust direction inboundfirewall packet-filter default permit interzone local untrust direction outboundfirewall packet-filter default permit interzone local dmz direction inboundfirewall packet-filter default permit interzone local dmz direction outboundfirewall packet-filter default permit interzone trust untrust direction inboundfirewall packet-filter default permit interzone trust untrust direction outboundfirewall packet-filter default permit interzone trust dmz direction inboundfirewall packet-filter default permit interzone trust dmz direction outboundfirewall packet-filter default permit interzone dmz untrust direction inboundfirewall packet-filter default permit interzone dmz untrust direction outbound／／设置默认允许所有数据包通过#青岛IT社区提醒：本地交易眼见为实，当面验货！不要嫌麻烦！交易地点建议在人多地方，防止抢劫！QQ:支持(0) 中立(0) 反对(0)wanghaoqd 小大 2楼个性首页| QQ| 信息| 搜索| 邮箱| 主页| 手机号码所在地查询|加好友发短信蛋白超人等级：退役版主帖子：206 7积分：185 威望：5精华：1 注册：2004-3-24Post By：2007-7-11 11:35:00nat address-group 1 ／／将ＩＳＰ分配的公网ＩＰ加入地址池１nat server global insidenat server global insidenat server global insidenat server global insidenat server global inside ／／将几个公网ＩＰ地址映射到内部服务器nat alg enable ftpnat alg enable dnsnat alg enable icmpnat alg enable netbiosundo nat alg enable h323undo nat alg enable hwccundo nat alg enable ilsundo nat alg enable pptpundo nat alg enable qqundo nat alg enable msnundo nat alg enable user-defineundo nat alg enable rtspfirewall permit sub-ip#firewall statistic system enable#interface Aux0async mode flowlink-protocol ppp#interface Ethernet0/0/0ip address ／／设置外网端口ＩＰ地址，此处为网通分配的内部私有ＩＰ，#interface Ethernet0/0/1ip address ／／设置内网ＩＰ地址，采用#interface NULL0#acl number 2000rule 0 permit source ／／ACL 2000，目的是只允许rule 1 deny#acl number 3001rule 0 deny udp destination-port eq 445rule 1 deny udp destination-port eq netbios-nsrule 2 deny udp destination-port eq netbios-dgmrule 3 deny udp destination-port eq netbios-ssnrule 4 deny udp destination-port eq 1434rule 5 deny tcp destination-port eq 135rule 6 deny tcp destination-port eq 139rule 7 deny tcp destination-port eq 389rule 8 deny tcp destination-port eq 445rule 9 deny tcp destination-port eq 636rule 10 deny tcp destination-port eq 1025rule 11 deny tcp destination-port eq 1503rule 12 deny tcp destination-port eq 3268rule 13 deny tcp destination-port eq 3269rule 14 deny tcp destination-port eq 4444rule 15 deny tcp destination-port eq 5554rule 16 deny tcp destination-port eq 5800rule 17 deny tcp destination-port eq 5900rule 18 deny tcp destination-port eq 9996rule 19 deny tcp destination-port eq 6667／／ACL 300 1，关闭常见蠕虫病毒使用的端口#firewall zone localset priority 100QQ:支持(0) 中立(0) 反对(0)wanghaoqd 小大 3楼个性首页| QQ| 信息| 搜索| 邮箱| 主页| 手机号码所在地查询|加好友发短信蛋白超人等级：退役版主帖子：206 7积分：185 威望：5精华：1 注册：2004-3-24Post By：2007-7-11 11:36:00#firewall zone trustset priority 85add interface Ethernet0/0/1／／将E0/ 0/1口加入TRUST区#firewall zone untrustset priority 5add interface Ethernet0/0/0 ／／将E0/0/0口加入UN TRUST区#firewall zone dmzset priority 50#firewall interzone local trustpacket-filter 3001 inbound／／在LO CAL到TRUST方向应用ACL 3001号#firewall interzone local untrustpacket-filter 3001 inbound／／在LO CAL到UNTRUST方向应用ACL 3001号#firewall interzone local dmz#firewall interzone trust untrustnat outbound 2000 address-group 1 ／／在TRUST到U NTRUST的方向做NAT，使用2000号ACL#firewall interzone trust dmz#firewall interzone dmz untrust#aaalocal-user admin password cipher A^.5<+_KCH)./a!1$H@GYA!!／／建立用户admin，密码为密文local-user admin level 3 ／／用户权限为3（最高级）authentication-scheme default#authorization-scheme default#accounting-scheme default#domain default##arp static xxxx-xxxx-xxxx／／做ＩＰ和ＭＡＣ地址绑定arp static xxxx-xxxx-xxxxarp static xxxx-xxxx-xxxxarp static xxxx-xxxx-xxxxarp static xxxx-xxxx-xxxxarp static xxxx-xxxx-xxxx…………………………／／省略许多行......arp static 1111-1111-1111arp static 1111-1111-1111arp static 1111-1111-1111arp static 1111-1111-1111arp static 1111-1111-1111／／把不使用的ＩＰ与不存在的#ip route-static ／／设置缺省路由，此处ＩＰ地址为网通内部ＩＰ，#snmp-agentsnmp-agent local-engineid 000007DB7F00000Dsnmp-agent community read xxxxxxsnmp-agent community write xxxxxxsnmp-agent sys-info version all／／设置SNMP参数，以使用网管软件来监控#user-interface con 0user-interface aux 0user-interface vty 0 4authentication-mode aaa／／设置VTY口的认证模式为AAA#returnQQ:支持(0) 中立(0) 反对(0) pladin123小大 4楼个性首页| 信息| 搜索| 邮箱| 主页| 手机号码所在地查询|加好友发短信等级：QDIT游民帖子：23 8积分：1309 威望：0 精华：0 注册：2007-3-30 16:0 4:00Post By：2007-7-23 13:12:00楼上的这种方法带宽方面的如何的呢？内网所有都用一个IP，那不是浪费了吗还有我们和美国视频会议的时候，会不会有影响。

华为USG防⽕墙运维命令⼤全华为USG防⽕墙运维命令⼤全1查会话使⽤场合针对可以建会话的报⽂，可以通过查看会话是否创建以及会话详细信息来确定报⽂是否正常通过防命令介绍（命令类）display firewall session table [ verbose ] { source { inside | global } | destination { { STRING<1-19> | public } | dest-vpn-instance { STRING<1-19> | public } ] [ application { dns | pptp | qq | rtsp | ils | smtp | sip | nbt | stun | rpc | sqlnet | mms } ] [ nat ] [ des 使⽤⽅法（⼯具类）⾸先确定该五元组是否建会话，对于TCP/UDP/ICMP（ICMP只有echo request和echo reply建会话SCTP/OSPF/VRRP等报⽂防⽕墙不建会话。

如果会话已经建⽴，并且⼀直有后续报⽂命中刷新，基本可以需要关闭状态检测。

如果没有对应的五元组会话或者对于不建会话的报⽂，继续后续排查⽅法。

Global：表⽰在做NAT时转换后的IP。

Inside：表⽰在做NAT时转换前的IP。

使⽤⽰例14:29:51 2010/07/01Current total sessions : 1icmp VPN: public ->publicZone: trust -> local TTL: 00:00:20 Left: 00:00:20Interface: I0 Nexthop<-- packets:4462 bytes:374808 --> packets:4461 bytes:374724对于TCP/UDP/ICMP/GRE/ESP/AH的报⽂防⽕墙会建会话，其它⽐如SCTP/OSPF/VRRP⽆法使⽤该⽅法2检查接⼝状态使⽤场合在报⽂不通时，可以先检查接⼝状态，排除由于接⼝down⽽导致报⽂不通的情况。