What does outbound NAT mean?
Outbound NAT translates the source IP addresses of packets sent from a higher-priority security zone to a lower-priority one.
I allowed myself to post a flowchart of configuring intranet users to access the extranet through NAT (from Huawei documentation):
It easily lets us choose a suitable way of configuring outbound NAT. In this lab I will try to do a review of these methods.
Huawei VRP quick start
Useful training for beginners. If you want to start your adventure with Huawei VRP, just click on the link and enjoy!
routing policy configuration
Some time ago I wrote about local PBR and interface PBR.
It's time to talk about routing policy, which is a different mechanism. Routing policy is applied to routing information and is combined with routing protocols to form policies. PBR is applied to data flows, and packets are forwarded according to the configured policy.
Routing policy is a tool that can be used to filter routes and set route attributes when importing routing information into OSPF, RIP, IS-IS or BGP. BGP can also use routing policy to filter the routes it advertises. A routing policy defines which routes from a specific routing protocol are allowed to be imported into the target routing protocol. It can also be used to match routes or certain route attributes and to change those attributes when the matching rules are met.
Routing policy command syntax:
route-policy route-policy-name { permit | deny } node node
A route-policy may consist of multiple nodes, for example:
route-policy LABNARIO-POLICY permit node 10
route-policy LABNARIO-POLICY deny node 20
from Huawei CLI – upgrade rollback …
As I am in the process of upgrading Huawei ATN950B routers, I decided to describe a very useful command, supported by carrier-class routers like NE40E, CX600 and ATN950B: "upgrade rollback enable rollback-timer time"
When you are doing an upgrade, there is always a small risk that something goes wrong and you lose the router, I mean it falls out of management. To minimize this risk, you can use the command in question.
Let’s look at the upgrade procedure:
<labnario>startup system-software v200r002c00spc300.cc
Info: Succeeded in setting the software for booting system.
<labnario>startup system-software v200r002c00spc300.cc slave-board
Info: Succeeded in setting the software for booting system.
<labnario>startup patch v200r002sph008.pat
Info: Succeeded in setting main board resource file for system.
<labnario>startup patch v200r002sph008.pat slave-board
Info: Succeeded in setting slave board resource file for system.
HWTACACS configuration on Huawei device
Let's look at a typical configuration of an HWTACACS server on a Huawei device:
#
hwtacacs-server template labnario
 hwtacacs-server authentication 172.16.10.1
 hwtacacs-server authorization 172.16.10.1
 hwtacacs-server accounting 172.16.10.1
 hwtacacs-server source-ip 172.16.10.10
 hwtacacs-server shared-key cipher %$%$;XioR#N`7=~][vLDTr2S(2.#%$%$
 undo hwtacacs-server user-name domain-included
#
aaa
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs local
 domain default_admin
  authentication-scheme hwtacacs
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server labnario
 local-user labnario password cipher %$%$'3N&Y#>c>Ibb;f:!o4mW(7#h%$%$
 local-user labnario privilege level 15
 local-user labnario service-type telnet terminal ssh ftp
#
user-interface vty 0 4
 authentication-mode aaa