Monday , September 24 2018

outbound NAT on Huawei USG5500

What does it mean outbound NAT?

Outbound NAT translates the source IP addresses of packets sent from a high-priority security zone to a low-priority one.

I allowed myself to post a flowchart of configuring intranet users to access extranet through NAT (from Huawei documentation):

It easily lets us to choose a suitable way of configuring outbound NAT. In this lab I will try to do a review of these methods.

Read More »

huawei cheat sheet – information center

I am often asked how to find syslog commands on Huawei devices. As one is familiar with Cisco‘s devices, he is looking for “logging” command in Huawei’s VRP. And this is the main problem. Remember that equivalent of Cisco’s logging is info-center on Huawei.

The information center functions as an information hub. The information center manages most output information. Output information is classified and then effectively filtered. Together with debugging commands and the SNMP module, the information center provides powerful support for the network administrator to monitor the operation of devices and locate faults.

Generally speaking, the information center distributes three types of information with eight severity levels to ten information channels, and then outputs that information in different directions.

Today I decided to create a simple cheat sheet, describing Huawei’s information center:

Read More »

https—>webUI—>Huawei Secospace USG6300

As a graphical user interface is useless in case of routers and switches, it looks useful when configuring a firewall. Of course it is my point of view. I do not go into what is better for you. I like using CLI but, sometimes, it is worth to simplify your daily routine. The first step is to configure HTTPS access to webUI of USG6300. This is what we will focus today.

Well known topology from the last post:

Topology_USG_access

Configure IP address of firewall’s interface and add it to trust zone:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24

[USG6300]firewall zone trust
[USG6300-zone-trust]add interface GigabitEthernet 0/0/7

Read More »

VTY access to Secospace USG6300

A new box for fun 🙂

Thanks to my colleagues I have opportunity to test Huawei Secospace USG6300.

A rental period is not long, so let’s start from the beginning.

Telnet and SSH

Topology_USG_access

Configure IP address of firewall’s interface and assign it to trust zone:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24

[USG6300]firewall zone trust
[USG6300-zone-trust]add interface GigabitEthernet 0/0/7

Read More »

CPU usage alarm threshold

Huawei AR routers have easy and effective CPU usage monitoring tool. They generate alarm, when CPU usage reaches 80%. When CPU usage falls to 75%, recovery usage alarm is generated again (clear alarm). This is a default behaviour, but these values can be easily changed in order to help optimize system performance and ensure system stability.

Let’s configure CPU usage alarm threshold as 85% and recovery usage alarm threshold as 80%. The following command can be used for that:

<labnario>system-view [labnario]set cpu-usage threshold 85 restore 80 Info: Succeeding in setting task cpu usage threshold 85 restore 80.

Read More »