Introduction of Huawei USG9000 Specifications


Introduction to the USG9000

At present, the USG9000 can work in three modes: routing mode, transparent mode, and composite mode.

  • routing mode

    In routing mode, the USG9000 operates at Layer 3 for external connections, and every interface must be assigned an IP address. When the USG9000 is located between the internal network and the external network, the interfaces that connect it to each network must be configured with IP addresses on different network segments, and the network topology must be re-planned. In this case, the USG9000 serves as a router.

    As shown in Figure 2-1, the USG9000 is connected with the internal network through an interface in the Trust zone, while it is connected with the external network through an interface in the Untrust zone.

    Note that the interface in the Trust zone and the interface in the Untrust zone reside in two different subnets.

    Figure 2-1  Networking in routing mode

    When working in routing mode, the USG9000 can complete ACL packet filtering. However, the network topology needs to be changed: for example, internal network users need to change their gateways, and the routing configurations of routers need to be changed.

  • transparent mode

    In transparent mode, the USG9000 operates at Layer 2 for external connections, and none of the interfaces can be assigned an IP address. In this case, the USG9000 is transparent to users in subnets and to routers; that is, users are not aware of the USG9000.

    As shown in Figure 2-2, the USG9000 is connected with the internal network through interfaces in the Trust zone, while it is connected with the external network through interfaces in the Untrust zone.

    Note that the internal network and the external network must reside in the same subnet.

    Figure 2-2  Networking in transparent mode

    If the USG9000 works in transparent mode, you do not need to change the network topology. You only need to place the USG9000 in the network as you would a bridge, without modifying any existing configuration. As in routing mode, IP packets are still filtered and checked in transparent mode, and internal users can be protected by the USG9000.

  • composite mode

    If there are both interfaces working in routing mode (such interfaces have IP addresses) and interfaces working in transparent mode (such interfaces have no IP address) in the USG9000, the USG9000 is working in composite mode.

    Composite mode is used for dual-system hot backup in transparent mode. The interface on which VRRP is enabled needs to be configured with an IP address; the other interfaces do not.

    Figure 2-3 shows typical networking in composite mode.

    Figure 2-3  Networking in composite mode

    The master and backup USG9000s are connected with the internal network through interfaces in the Trust zone, while they are connected with the external network through interfaces in the Untrust zone. In addition, the master and backup USG9000s are connected to each other and perform hot standby through VRRP.

    Note that the internal network and the external network must reside in the same subnet.
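
The mode rules above can be checked against an interface plan before deployment. The following is an added example, not Huawei code or a USG9000 configuration format: the plan structure, the interface names and the function `check_plan` are hypothetical, and the VRRP rule stated for composite mode is applied to every plan as an assumption.

```python
import ipaddress
from itertools import combinations

def check_plan(interfaces):
    """Return (mode, problems) for a list of interface dicts.

    Each dict has name, zone, ip ("addr/len" or None) and optional vrrp.
    The plan format is hypothetical; it is not a USG9000 configuration format.
    """
    l3 = [i for i in interfaces if i["ip"]]      # interfaces with an IP address
    l2 = [i for i in interfaces if not i["ip"]]  # interfaces without one
    mode = "composite" if l3 and l2 else "routing" if l3 else "transparent"
    problems = []
    if mode == "routing":
        # Routing mode: interfaces in different zones must sit in different subnets.
        for a, b in combinations(l3, 2):
            na = ipaddress.ip_interface(a["ip"]).network
            nb = ipaddress.ip_interface(b["ip"]).network
            if a["zone"] != b["zone"] and na.overlaps(nb):
                problems.append(
                    f"{a['name']} and {b['name']} are in different zones but share {na}")
    # Composite-mode rule from the text, applied to all plans (assumption):
    # an interface with VRRP enabled needs an IP address.
    for i in l2:
        if i.get("vrrp"):
            problems.append(f"{i['name']} has VRRP enabled but no IP address")
    return mode, problems

# Constructed sample plans (addresses from documentation ranges).
ROUTED_OK = [{"name": "if1", "zone": "trust", "ip": "192.0.2.1/25"},
             {"name": "if2", "zone": "untrust", "ip": "203.0.113.1/30"}]
ROUTED_BAD = [{"name": "if1", "zone": "trust", "ip": "192.0.2.1/24"},
              {"name": "if2", "zone": "untrust", "ip": "192.0.2.254/24"}]
TRANSPARENT = [{"name": "if1", "zone": "trust", "ip": None},
               {"name": "if2", "zone": "untrust", "ip": None}]
COMPOSITE = TRANSPARENT + [
    {"name": "if3", "zone": "trust", "ip": "198.51.100.1/24", "vrrp": True}]
COMPOSITE_BAD = COMPOSITE + [
    {"name": "if4", "zone": "untrust", "ip": None, "vrrp": True}]

if __name__ == "__main__":
    for label, plan in [("routed ok", ROUTED_OK), ("routed bad", ROUTED_BAD),
                        ("transparent", TRANSPARENT), ("composite", COMPOSITE),
                        ("composite bad", COMPOSITE_BAD)]:
        print(label, check_plan(plan))
```

The transparent-mode requirement that the internal and external networks share one subnet cannot be derived from the firewall's own interfaces, since they carry no addresses; it has to be verified against the addressing of the attached hosts and routers.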


    This document is for HUAWEI Secospace USG9000 V200R001.

    HUAWEI Secospace USG9000 series (the USG9000 for short) is a high-end 10-Gigabit cloud data center security gateway. The USG9000 is applicable to data center, campus, and large enterprise network egress. It provides multiple powerful, all-round security solutions with great flexibility.

    The USG9000 comprises the USG9520, the USG9560, and the USG9580.

    In addition, the USG9520 provides AC and DC models for users to select.

    Figure 1 USG9000 series 


    Industry No. 1 performance, ready to cope with surging traffic

    The USG9000 performs best in the industry:

    • The 10-Gigabit line-speed forwarding and the performance of up to 200 Gbit/s easily address the challenges brought by Web 2.0.
    • With up to 80,000,000 concurrent connections and coordinated overall performance with connection quality, the USG9000 supports Web 2.0 applications.
    • With up to 5,000,000 new connections per second, the USG9000 easily meets the challenges of burst problems such as surging traffic in rush hours and DDoS attacks to ensure a non-disruptive network.

    With the overall penetration of wireless services, the number of mobile subscribers grows rapidly. The concurrent access of numerous mobile subscribers imposes a higher requirement for device performance. In addition, security problems in the transmission of wireless network information become increasingly pressing. VPN devices are facing new challenges of stronger processing capability and larger capacity.

    The USG9000 provides the best VPN performance in the industry:

    • Up to 320,000 VPN concurrent tunnels
    • Up to 144 Gbps (3DES/DES/AES) encryption performance

    The USG9000 supports the IKEv2 protocol and enhances the functions of user authentication, packet authentication, and NAT traversal. Thus, the USG9000 eliminates the hidden hazards of man-in-the-middle attacks and DDoS attacks and supports wireless authentication protocols, such as EAP-SIM and EAP-AKA. In addition, the device supports PKI/CA, and can authorize and authenticate VPN access devices. All these features effectively safeguard wireless networks.

    Distributed and scalable architecture, improving the return on investment (ROI)

    The USG9000 adopts the distributed and scalable architecture with independent service processing units (SPUs) and line interface processing units (LPUs) which can be configured as per requirements. The flexible scalability satisfies the demand of increasing service traffic, and improves the investment return ratio.

    The overall performance of the USG9000 including throughput, number of concurrent connections, number of connections established per second, and other indexes increases linearly as the number of SPUs grows.

    Full redundancy and high reliability, ensuring service continuity

    The USG9000 provides a comprehensive and reliable end-to-end solution. With high-end router level reliability, the USG9000 ensures service continuity:

    • Device-level reliability
      • Dual-Main Processing Unit (MPU) backup supports a smooth switchover between MPUs.
      • N+1 backup of Switch Fabric Units (SFUs) enables inter-board data exchange and load balancing.
      • SPUs are load balanced and backed up. If one SPU is faulty, subsequent service traffic will be distributed to other SPUs for processing.
      • The USG9000 has redundant components. In addition, the power modules and fan modules are hot-swappable.
    • Network-level reliability
      • The USG9000 supports the dual-system hot backup based on the Huawei Redundancy Protocol (HRP), including active/standby backup and load balancing modes. The HRP backs up key configuration commands and the information about session table status from the active device to the standby device. In this manner, the standby device can smoothly take the place of the failed active device.
      • The USG9000 supports dedicated external bypass devices. When the USG9000 is faulty, network traffic can be forwarded by the Bypass device in a timely manner to ensure service continuity.
    • Link-level reliability
      • The USG9000 supports cross-board interface binding enabling balanced traffic forwarding, improving the link availability, and broadening total bandwidth.
      • The USG9000 supports Bidirectional Forwarding Detection (BFD).