
H3C SR8800 10G Core Routers

OAA Configuration Guide

Hangzhou H3C Technologies Co., Ltd.


http://www.h3c.com

Software version: SR8800-CMW520-R3347


Document version: 6W103-20120224
Copyright © 2011-2012, Hangzhou H3C Technologies Co., Ltd. and its licensors

All rights reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath,
Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are
trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface

The H3C SR8800 documentation set includes 13 configuration guides, which describe the software
features for the H3C SR8800 10G Core Routers and guide you through the software configuration
procedures. These configuration guides also provide configuration examples to help you apply software
features to different network scenarios.
The OAA Configuration Guide describes how to log in to the H3C open application platform (OAP) card
connected to your router and reset the operating system of the OAP card.
This preface includes:
• Audience
• Conventions
• About the H3C SR8800 documentation set
• Obtaining documentation
• Technical support
• Documentation feedback

Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the SR8800 series

Conventions
This section describes the conventions used in this documentation set.

Command conventions

Convention           Description
Boldface             Bold text represents commands and keywords that you enter literally as shown.
Italic               Italic text represents arguments that you replace with actual values.
[ ]                  Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }      Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]      Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *    Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *    Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>               The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                    A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention    Description
Boldface      Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>             Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention    Description
WARNING       An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION       An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT     An alert that calls attention to essential information.
NOTE          An alert that contains additional or supplementary information.
TIP           An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.

Port numbering in examples


The port numbers in this document are for illustration only and might be unavailable on your router.

About the H3C SR8800 documentation set


The H3C SR8800 documentation set includes:
Category: Product description and specifications
  Marketing brochures: Describe product specifications and benefits.
  Technology white papers: Provide an in-depth description of software features and technologies.
  Card datasheets: Describe card specifications, features, and standards.
Category: Hardware specifications and installation
  Compliance and safety manual: Provides regulatory information and the safety instructions that must be followed during installation.
  Installation guide: Provides a complete guide to hardware installation and hardware specifications.
  H3C N68 Cabinet Installation and Remodel Introduction: Guides you through installing and remodeling H3C N68 cabinets.
  H3C Pluggable SFP [SFP+][XFP] Transceiver Modules Installation Guide: Guides you through installing SFP/SFP+/XFP transceiver modules.
  H3C High-End Network Products Hot-Swappable Module Manual: Describes the hot-swappable modules available for the H3C high-end network products, their external views, and specifications.
Category: Software configuration
  Configuration guides: Describe software features and configuration procedures.
  Command references: Provide a quick reference to all available commands.
Category: Operations and maintenance
  Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.

Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the
software version.

Technical support
service@h3c.com
http://www.h3c.com

Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Contents

Configuring OAP modules ·········································································································································· 1


OAP module overview ······················································································································································ 1
Logging in to the operating system of an OAP module ································································································ 1
Logging in through the console port of an OAP module ····················································································· 1
Telnetting to an OAP module through the network management port ······························································· 2
Logging in through the network management port of an OAP module with SSH ············································· 2
Redirecting to an OAP module from the router ····································································································· 3
Resetting the system of an OAP module ························································································································· 3

Configuring ACSEI ······················································································································································· 5


ACSEI overview ································································································································································· 5
ACSEI functions ························································································································································ 5
ACSEI timers ····························································································································································· 5
ACSEI startup and running ······································································································································ 6
Configuring the ACSEI server ·········································································································································· 6
Enabling ACSEI server ············································································································································· 6
Configuring the clock synchronization timer ········································································································· 6
Configuring the monitoring timer····························································································································7
Restarting an ACSEI client ······································································································································· 7
Displaying and maintaining ACSEI server ············································································································ 7

Configuring ACFP ························································································································································ 8


ACFP overview ·································································································································································· 8
ACFP architecture ····················································································································································· 9
ACFP collaboration ·················································································································································· 9
ACFP management··················································································································································· 9
ACFP information overview ·································································································································· 10
Using ACFP ···························································································································································· 12
ACFP configuration task list ·········································································································································· 13
Enabling the ACFP server ·············································································································································· 13
Configuring the connection mode for an internal interface on an OAP module ···················································· 13
Enabling the ACFP trap function ·································································································································· 14
Displaying and maintaining ACFP ······························································································································· 15
ACFP configuration example ········································································································································ 16

Index ··········································································································································································· 27

Configuring OAP modules

OAP module overview


The Open Application Architecture (OAA) of Hangzhou H3C Technologies Co., Ltd. (referred to as H3C
hereinafter) is an open software and hardware system that provides a complete set of standard software and
hardware interfaces based on H3C devices. Third-party vendors can develop products with special
functions, and these products are compatible with H3C devices as long as they conform to the OAA
interface standards. In this way the functions of a single network product can be expanded and users
get more benefits.
The Open Application Platform (OAP) is developed based on the OAA. It can be an independent
network device, or a card used as an extension of a device or integrated into a network device. This
kind of OAP is called an OAP module. An OAP module runs an independent operating system, in which you
can load software such as security and voice software as needed. After an OAP module is inserted into
the expansion module slot of the router, it exchanges data, status information, and control information
with the router through its internal service interfaces.

NOTE:
For the installation, startup and configuration, and software upgrading of the SecBlade firewall card
(IM-FW), you can obtain the information by following these steps:
• Go to the homepage of the website at http://www.h3c.com.
• Select Technical Support & Document > Technical Documents from the homepage.
• Select SecBlade II Firewall Cards in the Security Products area, and you can view the related manuals.

Logging in to the operating system of an OAP module

NOTE:
This document only covers the OAP module related operations on a router. For the operations on an OAP
module, see the documentation of the OAP module.

Logging in through the console port of an OAP module


You can log in to the operating system on an OAP module directly through the console port on the OAP
module. In this example, a PC acts as a terminal.
1. Connect one end of the configuration cable to the serial port of the PC, and the other end to the
console port of the OAP module.
2. Start the PC and run a terminal emulation program such as HyperTerminal. Select the COM
connection mode and set the terminal parameters as follows: bits per second to 9600, data bits to 8,
parity to none, stop bits to 1, and flow control to none.
After the configuration, you can log in to the operating system of the OAP module through the terminal
emulation program on the PC.

Telnetting to an OAP module through the network management port

You can telnet to the operating system on an OAP module directly through the network management port
of the OAP module.

Telnetting to an OAP module from a router


1. Assign an IP address to the network management port of the OAP module.
2. Enable the Telnet server on the OAP module with the telnet server enable command.
3. Connect one end of the cable to the Ethernet port of the router, and the other end to the network
management port of the OAP module.
4. Make sure that the network management port of the router and that of the OAP module can reach
each other.
5. Execute the telnet command on the router, with the IP address of the network management port of
the OAP module as the destination address. You can log in to the operating system of the OAP
module after a connection is established.

Telnetting to an OAP module from a PC


1. Assign an IP address to the network management port of the OAP module.
2. Enable the Telnet server on the OAP module with the telnet server enable command.
3. Connect one end of the cable to the Ethernet port of the PC, and the other end to the network
management port of the OAP module.
4. Make sure that the network management port of the PC and that of the OAP module can reach
each other.
5. Execute the telnet command on the PC, with the IP address of the network management port of the
OAP module as the destination address. You can log in to the operating system of the OAP module
after a connection is established.

Logging in through the network management port of an OAP module with SSH

You can use the SSH client to log in to the operating system of an OAP module through its network
management port.

Using a router as the SSH client


1. Assign an IP address to the network management port of the OAP module.
2. Enable the SSH server on the OAP module with the ssh server enable command.
3. Connect one end of the cable to the Ethernet port of the router, and the other end to the network
management port of the OAP module.
4. Make sure that the network management port of the router and that of the OAP module can reach
each other.
5. Execute the ssh command on the router, with the IP address of the network management port of the
OAP module as the SSH server address. You can log in to the operating system of the OAP module
after the connection is established.

Using a PC as the SSH client


1. Assign an IP address to the network management port of the OAP module.
2. Enable the SSH server on the OAP module with the ssh server enable command.
3. Connect one end of the cable to the Ethernet port of the PC, and the other end to the network
management port of the OAP module.
4. Make sure that the network management port of the PC and that of the OAP module can reach
each other.
5. Execute the ssh command on the PC, with the IP address of the network management port of the
OAP module as the SSH server address. You can log in to the operating system of the OAP module
after the connection is established.
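Step 4 of each Telnet and SSH procedure above is a reachability check from the client side. The following is an added Python example, not part of this guide and not H3C code, that performs that check from the PC and additionally reports whether a Telnet server is still listening on the management port once SSH is the intended login path (SSH is the encrypted option of the two). It assumes the standard ports 22 for SSH and 23 for Telnet, which the guide does not state; the offline demo substitutes loopback ports for a real OAP module.

```python
"""Added reachability check for an OAP module management port. Assumes the
standard SSH (22) and Telnet (23) ports; the guide does not name the ports."""

import socket
import threading

SSH_PORT = 22
TELNET_PORT = 23


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_mgmt_port(host, ssh_port=SSH_PORT, telnet_port=TELNET_PORT, timeout=2.0):
    """Step 4 of the login procedures: confirm the management port is reachable.
    'telnet' True means a cleartext login path is still exposed alongside SSH."""
    ssh = port_open(host, ssh_port, timeout)
    telnet = port_open(host, telnet_port, timeout)
    return {"reachable": ssh or telnet, "ssh": ssh, "telnet": telnet}


def _loopback_listener():
    """Constructed stand-in for a listening server so the check runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_loop():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def offline_demo():
    """Simulate a module with the SSH server enabled and the Telnet server off:
    one loopback port listens (SSH stand-in), a second is deliberately closed."""
    srv = _loopback_listener()
    ssh_port = srv.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here now, so the connect is refused
    try:
        return check_mgmt_port("127.0.0.1", ssh_port=ssh_port,
                               telnet_port=closed_port, timeout=1.0)
    finally:
        srv.close()
```

Against a real module, call check_mgmt_port with the management-port IP address you assigned in step 1; a result with "telnet" True after you have moved to SSH login means the telnet server enable setting is still in effect on the module.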

Redirecting to an OAP module from the router


You can redirect from the router to the operating system of an OAP module with the following operation.
The terminal display then switches from the command line interface (CLI) of the router to the operating
interface of the operating system of the OAP module, where you can manage the system and application
software on the OAP module. Press Ctrl+k to return to the router CLI.
To redirect from the router to the OAP module:

Task                                          Command                         Remarks
Redirect from the router to the OAP module.   oap connect slot slot-number    Available in user view

NOTE:
• Before redirecting from the router to the OAP module, perform basic configurations to the AUX port of
the router from the console port of the OAP module to allow the login from the router.
• The IM-SSL card does not support the redirection from the router to the OAP module through the oap
connect command.

Resetting the system of an OAP module


If the operating system of an OAP module works abnormally (for example, the system does not respond),
you can reset the system of the OAP module with the following operation, which powers on the OAP module
again. This operation is equivalent to resetting the OAP module by pressing the reset button on the
OAP module.
OAP modules have independent CPU systems. The router can still recognize and control the OAP module
after you reset the OAP system.
To reset the system of an OAP module:

Task                                 Command                        Remarks
Reset the system of an OAP module.   oap reboot slot slot-number    Available in user view

CAUTION:
Reset of the OAP module may cause data loss and service interruption. Therefore, before resetting the
OAP module, you need to save the configurations of the OAP module operating system and shut down the
OAP module operating system to avoid service interruption and hardware data loss.

Configuring ACSEI

ACSEI overview
ACSEI is a proprietary protocol that provides a method for exchanging information between ACFP clients
and the ACFP server. It supports Application Control Forwarding Protocol (ACFP) collaboration by ensuring
valid information interaction between the ACFP clients and the ACFP server, so that the ACFP server and
clients can cooperate to run a service.
As a supporting protocol of ACFP, ACSEI also has two entities: server and client.
• The ACSEI server is integrated into the software system (Comware) of the device and is supported by
the device.
• The ACSEI client is implemented in two ways. One way is to integrate it into the system software
(Comware) of the device, in which case it is a function supported by the device. The other way is to
integrate it into the software system of the OAP module, in which case it is a function supported by
the OAP module. The hardware and configurations needed in the two implementations are different.
This chapter introduces them respectively.

NOTE:
• ACFP is designed based on the Open Application Architecture (OAA).
• OAP is designed for new services. An OAP module runs its own operating system, in which you can load
various service software, such as security and voice software, as needed. For more information about
the OAP module, see the chapter "Configuring OAP modules."
• This manual covers the configuration of the ACSEI server integrated into the software system of the
router.

ACSEI functions
ACSEI mainly provides the following functions:
• Registration and deregistration of an ACSEI client to the ACSEI server.
• ID assignment. The ACSEI server assigns IDs to ACSEI clients to distinguish between them.
• Mutual monitoring and awareness between an ACSEI client and the ACSEI server.
• Information interaction between the ACSEI server and ACSEI clients, including clock
synchronization.
• Control of the ACSEI clients on the ACSEI server. For example, you can restart ACSEI client on the
ACSEI server.

ACSEI timers
An ACSEI server uses two timers, the clock synchronization timer and the monitoring timer.
• The clock synchronization timer is used to periodically trigger the ACSEI server to send clock
synchronization advertisements to ACSEI clients. You can set this timer through command lines.
• The monitoring timer is used to periodically trigger the ACSEI server to send monitoring requests to
ACSEI clients. You can set this timer through command lines.
An ACSEI client starts two timers, the registration timer and the monitoring timer.
• The registration timer is used to periodically trigger the ACSEI client to multicast registration requests
(with the multicast MAC address being 010F-E200-0021). You cannot set this timer.
• The monitoring timer is used to periodically trigger the ACSEI client to send monitoring requests to
the ACSEI server. You cannot set this timer.

ACSEI startup and running


ACSEI starts up and runs as follows:
1. Run the ACSEI client application to enable the ACSEI client.
2. Start up the router and enable the ACSEI server function on it.
3. The ACSEI client multicasts registration requests.
4. After the ACSEI server receives a valid registration request, it negotiates parameters with the
ACSEI client and establishes a connection with the client if the negotiation succeeds.
5. The ACSEI server and the ACSEI client mutually monitor the connection.
6. If the disconnection of the ACSEI client is detected, the ACFP server removes the configuration
and policies associated with the client.
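The timer and startup descriptions above, worked through as an added Python model; this is not H3C code, and since the guide does not describe the ACSEI frame format, messages are plain dicts and timers are driven by explicit tick calls. The multicast MAC address and the 5-minute and 5-second defaults come from the guide; MISSED_MONITOR_LIMIT (how many unanswered monitoring requests count as disconnection) and the sample MAC addresses are assumptions.

```python
"""Added model of ACSEI registration, ID assignment, monitoring and clock
synchronization on the router side. Not H3C code; the real frame format is
not documented on this page, so messages are dicts and time is explicit."""

from dataclasses import dataclass, field

# From the guide: registration requests are multicast to this MAC address, and
# the server timers default to 5 minutes (clock sync) and 5 seconds (monitor).
ACSEI_REGISTRATION_MAC = "010f-e200-0021"
DEFAULT_CLOCK_SYNC_MINUTES = 5
DEFAULT_MONITOR_SECONDS = 5
# Assumption (not stated in the guide): consecutive unanswered monitoring
# requests after which the server treats the client as disconnected.
MISSED_MONITOR_LIMIT = 3


@dataclass
class ClientRecord:
    client_id: int
    source_mac: str
    missed_monitors: int = 0
    policies: list = field(default_factory=list)  # ACFP policies owned by the client


class AcseiServer:
    def __init__(self, monitor_seconds=DEFAULT_MONITOR_SECONDS,
                 clock_sync_minutes=DEFAULT_CLOCK_SYNC_MINUTES):
        self.enabled = False            # "acsei server enable" not yet issued
        self.monitor_seconds = monitor_seconds
        self.clock_sync_minutes = clock_sync_minutes
        self.clients = {}               # client ID -> ClientRecord
        self._next_id = 1
        self.log = []

    def enable(self):
        self.enabled = True

    def handle_registration(self, frame):
        """Steps 3 and 4: accept a registration request only when the server is
        enabled and the frame went to the ACSEI multicast address. Returns the
        assigned client ID, or None if the request is ignored."""
        if not self.enabled or frame.get("dst_mac") != ACSEI_REGISTRATION_MAC:
            self.log.append(f"ignored registration from {frame.get('src_mac')}")
            return None
        for rec in self.clients.values():      # re-registration keeps its ID
            if rec.source_mac == frame["src_mac"]:
                rec.missed_monitors = 0
                return rec.client_id
        client_id, self._next_id = self._next_id, self._next_id + 1
        self.clients[client_id] = ClientRecord(client_id, frame["src_mac"])
        self.log.append(f"client {client_id} registered from {frame['src_mac']}")
        return client_id

    def clock_sync_tick(self, now_epoch):
        """Clock synchronization timer expiry: advertise the router clock."""
        return [{"to": cid, "type": "clock-sync", "time": now_epoch}
                for cid in self.clients]

    def monitor_tick(self, replies):
        """Monitoring timer expiry (step 5). `replies` holds the IDs of clients
        that answered this period's request. A client that misses
        MISSED_MONITOR_LIMIT requests in a row is removed together with its
        policies (step 6). Returns the IDs removed this tick."""
        removed = []
        for client_id, rec in list(self.clients.items()):
            if client_id in replies:
                rec.missed_monitors = 0
                continue
            rec.missed_monitors += 1
            if rec.missed_monitors >= MISSED_MONITOR_LIMIT:
                self.log.append(f"client {client_id} lost; dropping "
                                f"{len(rec.policies)} policies")
                del self.clients[client_id]
                removed.append(client_id)
        return removed

    def reboot_client(self, client_id):
        """Model of 'acsei client reboot client-id': False for an unknown ID."""
        if client_id not in self.clients:
            return False
        self.clients[client_id].missed_monitors = 0
        self.log.append(f"reboot requested for client {client_id}")
        return True


def run_scenario():
    """Constructed walk-through: one card registers, gets an ACFP policy, then
    stops answering monitoring requests."""
    server = AcseiServer()
    card = {"src_mac": "000f-e200-1111", "dst_mac": ACSEI_REGISTRATION_MAC}
    stray = {"src_mac": "000f-e200-2222", "dst_mac": "ffff-ffff-ffff"}
    before_enable = server.handle_registration(card)      # None: server disabled
    server.enable()
    cid = server.handle_registration(card)
    server.handle_registration(stray)                     # wrong destination
    server.clients[cid].policies.append("redirect-policy-1")
    adverts = server.clock_sync_tick(now_epoch=1_329_000_000)
    server.monitor_tick({cid})                            # healthy period
    removed = []
    for _ in range(MISSED_MONITOR_LIMIT):                 # client goes silent
        removed += server.monitor_tick(set())
    return before_enable, cid, len(adverts), removed, len(server.clients)
```

The point the model makes visible is step 6: once the monitoring timer has expired enough times without a reply, the client's ID and every policy tied to it disappear from the server, which is why a rebooted or wedged OAP module has to re-register before any of its ACFP policies apply again.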

Configuring the ACSEI server


Enabling ACSEI server
To enable ACSEI server:

Step                      Command                Remarks
1. Enter system view.     system-view            N/A
2. Enable ACSEI server.   acsei server enable    Disabled by default.

Configuring the clock synchronization timer


To configure the clock synchronization timer:

Step                                                                              Command                           Remarks
1. Enter system view.                                                             system-view                       N/A
2. Enable the ACSEI server function.                                              acsei server enable               N/A
3. Enter ACSEI server view.                                                       acsei server                      N/A
4. Configure the clock synchronization timer from ACSEI server to ACSEI client.   acsei timer clock-sync minutes    Optional. Five minutes by default.

Configuring the monitoring timer
To configure the monitoring timer:

Step                                                                          Command                        Remarks
1. Enter system view.                                                         system-view                    N/A
2. Enable the ACSEI server function.                                          acsei server enable            N/A
3. Enter ACSEI server view.                                                   acsei server                   N/A
4. Configure the monitoring timer for ACSEI server to monitor ACSEI client.   acsei timer monitor seconds    Optional. Five seconds by default.

Restarting an ACSEI client


To restart an ACSEI client:

Step                                     Command
1. Enter system view.                    system-view
2. Enable the ACSEI server function.     acsei server enable
3. Enter ACSEI server view.              acsei server
4. Restart the specified ACSEI client.   acsei client reboot client-id

Displaying and maintaining ACSEI server


Task                                 Command                                                                                            Remarks
Display ACSEI client summary.        display acsei client summary [ client-id ] [ | { begin | exclude | include } regular-expression ]   Available in any view
Display ACSEI client information.    display acsei client info [ client-id ] [ | { begin | exclude | include } regular-expression ]      Available in any view

Configuring ACFP

NOTE:
In this documentation, SPC cards refer to the interface cards prefixed with SPC, for example, SPC-GT48L.
SPE cards refer to the base cards prefixed with SPE, for example, SPE-1020-E.

ACFP overview
Basic data communication networks consist of routers and switches, which forward data packets. As
data networks develop, more and more services run on them, and legacy routers have become unsuitable
for handling some new services. Therefore, security products such as firewalls, intrusion detection
systems (IDS), and intrusion prevention systems (IPS), as well as voice and wireless products, are
designed to handle specific services.
For better support of new services, manufacturers of legacy networking devices (routers and switches in
this document) have developed various dedicated service boards (cards) to specifically handle these
services. Some manufacturers of legacy networking devices provide a set of software/hardware
interfaces to allow the boards (cards) or devices of other manufacturers to be plugged or connected to
these legacy networking devices for cooperating to handle these services. This gives full play to the
advantages of respective manufacturers for better support of new services while reducing user
investments.
The open application architecture (OAA) is an open service architecture developed with this concept. It
integrates routers and software produced by different manufacturers, making them function as one router,
and thus provides integrated solutions for customers.
The Application Control Forwarding Protocol (ACFP) is developed based on the OAA architecture. For
example, collaborating IPS/IDS cards or IPS/IDS devices acting as ACFP clients run software packages
developed by other manufacturers to support the IPS/IDS services. A router or switch mirrors or redirects
the received packets to an ACFP client after matching the ACFP collaboration rules. The software running
on the ACFP client monitors and detects the packets. Based on the monitoring and detection results, the
ACFP client sends back responses to the router or switch through collaboration Management Information
Bases (MIBs) to instruct the router or switch to process the results, such as filtering out the specified
packets.

NOTE:
Only IM-IPS and IM-ACG cards support ACFP.

ACFP architecture
Figure 1 ACFP architecture (figure not reproduced: the ACFP client side holds the independent service
component, the ACFP server side holds the routing/switching component, and the interface-connecting
component joins the two)
As shown in Figure 1, the ACFP architecture consists of:


• Routing/switching component—As the main part of a router or switch, it performs complete
router/switch functions and is also the core of user management control. This part is called the
ACFP server.
• Independent service component—It is the main part open for development by a third party and is
mainly used to provide various unique service functions. This part is called the ACFP client.
• Interface-connecting component—It connects the interface of the routing/switching component to
that of the independent service component, allowing the devices of two manufacturers to be
interconnected.

ACFP collaboration
ACFP collaboration means that the independent service component can send instructions to the
routing/switching component to change its behavior. ACFP collaboration is mainly implemented through
the Simple Network Management Protocol (SNMP). Acting as a network management system, the
independent service component sends SNMP commands to the routing/switching component, which runs an
SNMP agent and executes the instructions it receives. In this process, the collaboration MIB is the key
to associating the two components with each other.

ACFP management
ACFP collaboration provides a mechanism that enables the ACFP client to control the traffic on the ACFP
server by implementing the following functions:
• Mirroring and redirecting the traffic on the ACFP server to the ACFP client
• Permitting/denying the traffic from the ACFP server
• Restricting the rate of the traffic on the ACFP server
• Carrying the context ID in a packet to enable the ACFP server and ACFP client to communicate the
packet context with each other. The detailed procedure is as follows:
The ACFP server maintains a context table that can be queried with context ID. Each context ID
corresponds with an ACFP collaboration policy that contains information including inbound interface
and outbound interface of the packet, and collaboration rules. When the packet received by the ACFP
server is redirected or mirrored to the ACFP client after matching a collaboration rule, the packet carries
the context ID of the collaboration policy to which the collaboration rule belongs. When the redirected
packet is returned from the ACFP client, the packet also carries the context ID. With the context ID, the
ACFP server knows that the packet is returned after being redirected and then forwards the packet
normally.
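The context table and the tagging of redirected packets described above, worked through as an added Python model rather than H3C code. The guide does not give the HGPlus preamble encoding or the collaboration rule syntax, so here the context ID rides as a dict key on the packet, rules are simple protocol and destination-port tests, and the interface names, addresses and static routes are constructed sample data.

```python
"""Added model of the ACFP context-ID mechanism: the ACFP server keeps a
context table keyed by context ID, tags a packet that matches a collaboration
rule with the ID of that rule's policy, hands it to the ACFP client, and
recognizes it on return so it is forwarded normally without a second lookup.
Not H3C code; encoding and rule syntax are assumptions."""

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    """Constructed collaboration rule: None means match any value."""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt):
        return ((self.protocol is None or pkt["protocol"] == self.protocol)
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port))


@dataclass
class Policy:
    client_id: int
    in_interface: str      # interface the packet arrives on at the ACFP server
    out_interface: str     # interface through which it is forwarded normally
    dest_interface: str    # ACFP server interface connected to the ACFP client
    mode: str              # "redirect" or "mirroring"
    rules: list = field(default_factory=list)


class AcfpServer:
    def __init__(self, routes):
        # Constructed static routing table: prefix -> egress interface.
        self.routes = {ipaddress.ip_network(p): ifc for p, ifc in routes.items()}
        self.context_table = {}    # context ID -> Policy
        self._next_ctx = 1

    def add_policy(self, policy):
        """The server assigns each policy a global serial number: its context ID."""
        ctx, self._next_ctx = self._next_ctx, self._next_ctx + 1
        self.context_table[ctx] = policy
        return ctx

    def remove_client(self, client_id):
        """When ACSEI reports a client gone, every policy it owned is dropped."""
        for ctx in [c for c, p in self.context_table.items() if p.client_id == client_id]:
            del self.context_table[ctx]

    def route(self, pkt):
        dst = ipaddress.ip_address(pkt["dst_ip"])
        return next((ifc for net, ifc in self.routes.items() if dst in net), None)

    def handle_packet(self, pkt):
        """Return the list of (egress interface, packet) pairs for one packet."""
        ctx = pkt.get("context_id")
        if ctx is not None:
            # Back from the ACFP client: the context ID shows it was already
            # redirected, so send it out the policy's out-interface, no re-match.
            policy = self.context_table.get(ctx)
            if policy is None:
                return []              # assumption: stale context ID is dropped
            untagged = {k: v for k, v in pkt.items() if k != "context_id"}
            return [(policy.out_interface, untagged)]
        for ctx, policy in self.context_table.items():
            if policy.in_interface != pkt["in_interface"]:
                continue
            if any(rule.matches(pkt) for rule in policy.rules):
                tagged = dict(pkt, context_id=ctx)
                if policy.mode == "redirect":
                    return [(policy.dest_interface, tagged)]
                # mirroring: the client gets a tagged copy, the original goes on
                return [(policy.dest_interface, tagged), (policy.out_interface, pkt)]
        egress = self.route(pkt)       # no policy matched: ordinary forwarding
        return [(egress, pkt)] if egress else []


def demo():
    """Constructed walk-through: HTTP arriving on GE3/0/1 is redirected to a
    card on GE5/0/1 and leaves via GE3/0/2 when it returns; DNS is untouched."""
    server = AcfpServer({"10.1.2.0/24": "GE3/0/2", "10.1.1.0/24": "GE3/0/1"})
    ctx = server.add_policy(Policy(client_id=1, in_interface="GE3/0/1",
                                   out_interface="GE3/0/2", dest_interface="GE5/0/1",
                                   mode="redirect", rules=[Rule("tcp", 80)]))
    http = {"in_interface": "GE3/0/1", "src_ip": "10.1.1.10", "dst_ip": "10.1.2.20",
            "protocol": "tcp", "dst_port": 80}
    dns = dict(http, protocol="udp", dst_port=53)
    to_client = server.handle_packet(http)
    returned = server.handle_packet(dict(to_client[0][1], in_interface="GE5/0/1"))
    untouched = server.handle_packet(dns)
    return ctx, to_client, returned, untouched
```

The returned packet arrives on the dest-interface, which is not the in-interface of any policy, but the context ID is what decides its fate: the server forwards it on the stored out-interface and never re-evaluates the rules, so a redirected flow cannot loop back to the client. A packet carrying a context ID that the table no longer holds (for instance after remove_client) is dropped in this model; the guide does not say what the real server does in that case.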

To give the ACFP client better control over traffic, collaboration uses a two-level structure of
collaboration policies and collaboration rules: traffic that matches a collaboration rule is managed
according to the collaboration policy the rule belongs to, which allows flexible traffic management.
To better support the Client/Server collaboration mode and granularly and flexibly set different rules, the
collaboration content is divided into four parts: ACFP server information, ACFP client information, ACFP
collaboration policy and ACFP collaboration rules. These four parts of information are saved in the ACFP
server.
An ACFP server supports multiple ACFP clients. Therefore, ACFP client information, ACFP collaboration
policy, and ACFP collaboration rules are organized in the form of tables.
ACFP server information is generated by the ACFP server itself. ACFP client information, ACFP
collaboration policy, and ACFP collaboration rules are generated on the ACFP client and sent to the
ACFP server through the collaboration MIB or collaboration protocol.

ACFP information overview


ACFP server information
ACFP server information contains the following:
• Supported working modes—host, pass-through, mirroring, and redirect. An ACFP server can
support multiple working modes among these four at the same time. The ACFP server and client(s)
can collaborate with each other only when the ACFP server supports the working mode of the ACFP
client.
• Maximum expiration time of the supported collaboration policy—This indicates for how long the
collaboration policy of the ACFP server will remain valid.
• Whether the ACFP server can permanently save the collaboration policy—It mainly refers to
whether the ACFP server can keep the original collaboration policy after reboot.
• Currently supported context ID type—The location of the context ID in the packet is HGPlus-context
(carrying the preamble HGPlus as the context ID).
The above-mentioned information indicates the collaboration capabilities of an ACFP server. ACFP
clients can access this information through a collaboration protocol or collaboration MIB.

ACFP client information


ACFP client information contains the following:
• Client ID—ACFP client identifier. It can be assigned by the ACFP server through a collaboration
protocol or specified by the network administrator, so that each ACFP client has a unique client ID on
the ACFP server.
• Description—ACFP client description information.
• Hw-Info—ACFP client hardware type, version number, and so on.
• OS-Info—System name and version number of the ACFP client.
• App-Info—Application software type and version number of the ACFP client.
• Client IP—ACFP client IP address.
• Client Mode—Working mode currently supported by the ACFP client, namely, the combination of
the host, pass-through, mirroring, and redirect modes.

ACFP collaboration policy

ACFP collaboration policy refers to the collaboration policy that the ACFP client sends to the ACFP server
for application. The policy information is as follows:
• Client ID—ACFP client identifier.
• Policy-Index
• In-interface—Interface through which the packet is sent to the ACFP server.
• Out-interface—Interface through which the packet is forwarded normally.
• Dest-interface—ACFP server interface connected with ACFP client.
• Context ID—It is used when the packet is mirrored or redirected to an ACFP client. After the
interface connected to the ACFP client is specified in the policy sent, the ACFP server assigns it a
global serial number, that is, the Context ID, with each Context ID corresponding to an ACFP
collaboration policy.
• Admin-Status—Indicates whether the policy is enabled.
• Effect-Status—Indicates the expiration time of the policy, which controls the expiration time of all the
rules under the policy.
• Start-Time—Time (second/minute/hour) from which the policy takes effect, which controls when all the
rules under the policy take effect.
• End-time—Time (second/minute/hour) from which the policy becomes invalid, which controls when all
the rules under the policy become invalid.
• DestIfFailAction—Action taken on all the rules under the policy when the policy's dest-interface goes
down. On routers where forwarding takes precedence, select the delete action so that the packets that
would have been redirected or mirrored continue to be forwarded; on routers where security takes
precedence, select the reserve action so that those packets are discarded.
• Priority—Priority of the policy, a number in the range of 1 to 8. The larger the number, the higher the
priority.

ACFP collaboration rules

ACFP collaboration rules refer to the collaboration rules that the ACFP client sends to the ACFP server for
application. There are three types of collaboration rules:
• Monitoring rules—Monitor, analyze, and process the packets to be sent to the ACFP client. The action
types corresponding to monitoring rules are redirect and mirror.
• Filtering rules—Determine which packets to deny and which packets to permit. The action types
corresponding to filtering rules are deny and permit.
• Restricting rules—Determine which packets are rate-limited. The action type corresponding to
restricting rules is rate.
Rule information is described as follows:
• ClientID—ACFP client identifier.
• Policy index
• Rule index—rule identifier
• Status—It indicates whether the rule is applied successfully.
• Action—It can be mirror, redirect, deny, permit, or rate.
• Match all packets—Indicates whether to match all packets. If yes, none of the following matching
fields need to be checked.
• Source MAC address
• Destination MAC address
• Starting VLAN ID
• Ending VLAN ID

• Protocol number in IP
• Source IP address
• Wildcard mask of source IP address
• Source port operator—Its type can be equal to, not equal to, greater than, less than, or greater than
and less than. The ending source port number below takes effect only when the type is greater than
and less than; in that case the source port number of a matched packet must be greater than the
starting source port number and less than the ending source port number.
• Starting source port number
• Ending source port number
• Destination IP address
• Wildcard mask of destination IP address
• Destination port number operator—Its type can be equal to, not equal to, greater than, less than, or
greater than and less than. The ending destination port number below is meaningful only when the
type is greater than and less than; in that case the destination port number of a matched packet must
be greater than the starting destination port number and less than the ending destination port
number.
• Starting destination port number
• Ending destination port number
• Pro—Protocol type, which can be GRE, ICMP, IGMP, OSPF, TCP, UDP, or IP.
• IP precedence—Packet precedence, a number in the range of 0 to 7.
• IP ToS—Type of Service (ToS) of the IP packet.
• IP DSCP—Differentiated Services Code Point (DSCP) of the IP packet.
• TCP flags—Which of the six TCP flag bits (URG, ACK, PSH, RST, SYN, FIN) are checked.
• IP fragment—It indicates whether the packet is an IP packet fragment.
• Rate limit
You can use the collaboration policy to manage the collaboration rules that belong to it.
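The policy and rule fields described in the two sections above amount to a small packet classifier: wildcard-mask address matching, port operators whose ending port matters only for the greater-than-and-less-than type, a priority order among policies, and a DestIfFailAction that decides what happens to redirect and mirror traffic when the dest-interface is down. The following Python model is added here as an illustration of those semantics for both the collaboration policy and the collaboration rules sections; it is not H3C code and does not reproduce the ACFP protocol or MIB encoding. The interface names, client ID, packet dictionary layout, operator names and the redirect policy are constructed for the example; the two filtering rules reuse the host addresses from the configuration example later in this chapter.

```python
"""ACFP policy/rule evaluation model (added example, not H3C code): wildcard-mask
IP matching, the port operators, policy priority (1-8, larger wins) and the
DestIfFailAction applied to redirect/mirror traffic when the dest-interface is down."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple

EQ, NEQ, GT, LT, RANGE = "eq", "neq", "gt", "lt", "range"   # port operator types (constructed names)
_PORT_OPS = {
    EQ: lambda p, s, e: p == s,
    NEQ: lambda p, s, e: p != s,
    GT: lambda p, s, e: p > s,
    LT: lambda p, s, e: p < s,
    RANGE: lambda p, s, e: s < p < e,   # ending port is used only here; both bounds exclusive
}

def port_matches(op: Optional[str], start: int, end: int, port: int) -> bool:
    """Apply a port operator; a rule without one matches any port."""
    return True if op is None else _PORT_OPS[op](port, start, end)

def ip_matches(addr: Optional[str], wildcard: str, pkt_addr: str) -> bool:
    """Wildcard-mask comparison: a 1 bit in the wildcard is a don't-care bit."""
    if addr is None:
        return True
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(pkt_addr)) & care)

@dataclass
class Rule:
    action: str                                   # mirror | redirect | deny | permit | rate
    match_all: bool = False                       # if set, no other field is checked
    protocol: Optional[str] = None                # GRE, ICMP, IGMP, OSPF, TCP, UDP or IP
    src_ip: Optional[str] = None
    src_wildcard: str = "0.0.0.0"
    dst_ip: Optional[str] = None
    dst_wildcard: str = "0.0.0.0"
    src_port: Tuple[Optional[str], int, int] = (None, 0, 0)   # (operator, start, end)
    dst_port: Tuple[Optional[str], int, int] = (None, 0, 0)
    tcp_flags: Optional[FrozenSet[str]] = None    # flag bits that must all be set
    fragment: Optional[bool] = None

    def matches(self, pkt: dict) -> bool:
        if self.match_all:
            return True
        return all([
            self.protocol in (None, "IP") or pkt["proto"] == self.protocol,
            ip_matches(self.src_ip, self.src_wildcard, pkt["src"]),
            ip_matches(self.dst_ip, self.dst_wildcard, pkt["dst"]),
            port_matches(*self.src_port, pkt.get("sport", 0)),
            port_matches(*self.dst_port, pkt.get("dport", 0)),
            self.tcp_flags is None or self.tcp_flags <= pkt.get("flags", frozenset()),
            self.fragment is None or pkt.get("fragment", False) == self.fragment,
        ])

@dataclass
class Policy:
    client_id: int
    index: int
    in_interface: str
    dest_interface: str
    priority: int = 1                             # 1..8; the larger, the higher
    admin_enabled: bool = True
    dest_if_fail_action: str = "delete"           # delete (forwarding first) | reserve (security first)
    rules: List[Rule] = field(default_factory=list)

def evaluate(policies: List[Policy], pkt: dict, in_interface: str,
             down: FrozenSet[str] = frozenset()) -> Tuple[str, Optional[int]]:
    """(action, policy index) from the first rule hit in the highest-priority enabled
    policy on in_interface; ('forward', None) when no rule matches."""
    for pol in sorted(policies, key=lambda p: p.priority, reverse=True):
        if not pol.admin_enabled or pol.in_interface != in_interface:
            continue
        for rule in pol.rules:
            if not rule.matches(pkt):
                continue
            action = rule.action
            if action in ("mirror", "redirect") and pol.dest_interface in down:
                # DestIfFailAction: delete keeps the flow forwarded normally, reserve
                # discards what would have been redirected or mirrored.
                action = "forward" if pol.dest_if_fail_action == "delete" else "drop"
            return action, pol.index
    return "forward", None

# Constructed policies: the filtering rules reuse the two hosts of the chapter's
# configuration example; the redirect policy and interface names are hypothetical.
POLICIES = [
    Policy(1, 1, "GE2/1/7", "XGE4/0/1", priority=8, rules=[
        Rule("permit", src_ip="192.168.1.1"), Rule("deny", src_ip="192.168.1.2")]),
    Policy(1, 2, "GE2/1/7", "XGE4/0/1", priority=4, dest_if_fail_action="reserve", rules=[
        Rule("redirect", protocol="TCP", src_ip="192.168.1.0", src_wildcard="0.0.0.255",
             dst_port=(RANGE, 1024, 65535))]),
]

def classify(src: str, proto: str = "TCP", dport: int = 80, down=frozenset()):
    """Evaluate a constructed packet from src arriving on GE2/1/7."""
    pkt = {"proto": proto, "src": src, "dst": "192.168.2.10", "sport": 40000, "dport": dport}
    return evaluate(POLICIES, pkt, "GE2/1/7", down)
```

With these constructed policies, `classify("192.168.1.1")` returns the permit action from policy 1 and `classify("192.168.1.2")` the deny action, matching the ping result in the configuration example; a TCP packet from any other host on 192.168.1.0/24 to a port inside the range is redirected by policy 2, and the same packet is dropped rather than forwarded when XGE4/0/1 is reported down, because that policy uses the reserve (security first) fail action.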

Using ACFP
• ACFP does not support policy-based routing services or NetStream services.
• The handling of the packets redirected by ACFP is mutually exclusive with ordinary ACL rules. No
QoS processing is performed on the packets returned after they are redirected to the ACFP client.
• A stream cannot be mirrored or redirected to multiple ACFP clients.
• ACFP does not support applying flow redirect policies to an aggregate interface.
• SPE cards support applying flow redirect policies only to Layer 3 interfaces.
• If a Layer 3 interface is added into an aggregation group, or an aggregate interface leaves an
aggregation group, the flow redirect policies configured on the interface become ineffective. Delete
the original flow redirect policies first and then configure new policies on the interface.
• When the ACFP server is enabled, the internal interface cannot act as the source port for port
mirroring.

• When the ACFP server is enabled on an IM-IPS or IM-ACG card, the connection mode for the internal
interface must be set to extend, the internal interface must be configured as a trunk port, and the
PVID of the internal interface cannot be the VLAN ID of the management VLAN.
• When the connection mode of the internal interface on an IM-IPS or IM-ACG card is set to extend,
you cannot specify a VLAN as both the user service VLAN and the management VLAN.

ACFP configuration task list

Complete the following tasks to configure ACFP:

Task                                                                         Remarks
Enabling the ACFP server                                                     Required
Configuring the connection mode for an internal interface on an OAP module   Required
Enabling the ACFP trap function                                              Optional

Enabling the ACFP server

To enable the ACFP server:

Step                          Command              Remarks
1. Enter system view.         system-view          N/A
2. Enable the ACFP server.    acfp server enable   Disabled by default.

Configuring the connection mode for an internal interface on an OAP module
The OAP module integrates a front card and a rear card. The front card provides value-added security
services, such as firewall, intrusion prevention, and application control. The rear card is responsible for
the data exchange between the front card and the router.
An internal interface is a virtual interface that is used for the data communication between the front and
rear cards, as shown in Figure 2.

Figure 2 Schematic diagram for the internal interface

When configuring ACFP on an OAP module, to ensure the normal communication between the router
and the OAP module, you must configure the connection mode for the OAP module internal interface as
extend.
To configure the connection mode for an internal interface:

Step                                                           Command                                      Remarks
1. Enter system view.                                          system-view                                  N/A
2. Enter internal interface view.                              interface interface-type interface-number    N/A
3. Configure the connection mode for the internal interface.   port connection-mode { extend | normal }     normal by default.

NOTE:
• For more information about the port connection-mode command, see Layer 2—LAN Switching
Command Reference.
• When you disable the ACSEI function or change the connection mode for an internal interface, to avoid
disrupting the traffic, perform the operation on the ACFP client first, and then on the ACFP server.
• Spanning Tree Protocol (STP) cannot be enabled on the internal interface of an IM-IPS or IM-ACG card.
For more information about STP, see Layer 2—LAN Switching Configuration Guide.

Enabling the ACFP trap function
To make ACFP work normally, you must enable the router to send traps of the ACFP module.
After the trap function on the ACFP module is enabled, the ACFP module will generate traps to report
important events of the module. The levels of the ACFP traps are described in Table 1.
Table 1 ACFP trap message level

Trap message                                                         Level
Context ID type changed                                              notifications
ACFP client registration                                             notifications
ACFP client deregistration                                           notifications
ACSEI detects that ACFP client had no response                       warnings
ACFP server does not support the working mode of the ACFP client     errors
Expiration period of ACFP collaboration policy changed               notifications
ACFP collaboration rules are created                                 informational
ACFP collaboration rules are removed                                 informational
ACFP collaboration rules failed                                      errors
Expiration period of ACFP collaboration policy timed out             notifications

The generated traps are sent to the information center of the router. The parameters of the information
center determine the output rules for traps, that is, whether the traps are output and to which
destinations. For how to configure the information center parameters, see Network Management and
Monitoring Configuration Guide.
To enable the ACFP trap function:

Step                                              Command                                                           Remarks
1. Enter system view.                             system-view                                                       N/A
2. Enable the trap function of the ACFP module.   snmp-agent trap enable acfp [ client | policy | rule | server ]   Optional. Enabled by default.

NOTE:
For more information about the snmp-agent trap enable command, see Network Management and
Monitoring Command Reference.

Displaying and maintaining ACFP

All of the following commands are available in any view.

Task: Display the configuration information of the ACFP server.
Command: display acfp server-info [ | { begin | exclude | include } regular-expression ]

Task: Display the configuration information of an ACFP client.
Command: display acfp client-info [ client-id ] [ | { begin | exclude | include } regular-expression ]

Task: Display the configuration information of an ACFP policy.
Command: display acfp policy-info [ client client-id [ policy-index ] | dest-interface interface-type
interface-number | global | in-interface interface-type interface-number | out-interface interface-type
interface-number ] [ active | inactive ] [ | { begin | exclude | include } regular-expression ]

Task: Display ACFP rule configuration information.
Command: display acfp rule-info { global | in-interface [ interface-type interface-number ] | out-interface
[ interface-type interface-number ] | policy [ client-id policy-index ] } [ | { begin | exclude | include }
regular-expression ]

Task: Display the configuration information of ACFP Trap.
Command: display snmp-agent trap-list [ | { begin | exclude | include } regular-expression ]

ACFP configuration example
Network requirements
Different departments are interconnected on the intranet through Device, which serves as the ACFP server.
An ACFP client is inserted in Device.
Configure the ACFP client to analyze traffic arriving at interface GigabitEthernet 2/1/7, and control the
traffic as follows:
• Permit all packets with the source IP address 192.168.1.1/24.
• Deny all packets with the source IP address 192.168.1.2/24.
Figure 3 Network diagram

Configuration procedure
1. Configure Router:
# Enable the ACFP server.
<Router> system-view
[Router] acfp server enable
[Router] acsei server enable
# Assign an IP address to the VLAN interface of the management VLAN.
[Router] vlan 4093
[Router-vlan4093] interface Vlan-interface 4093
[Router-Vlan-interface4093] undo shutdown
[Router-Vlan-interface4093] ip address 40.94.1.1 24
[Router-Vlan-interface4093] quit
# Configure the internal interface Ten-GigabitEthernet 4/0/1 on the ACFP client as a trunk port,
and assign the trunk port to VLAN 4094, which is not allowed to learn MAC addresses. Then, set
the working mode for the internal Ethernet interface to extended.
[Router] interface Ten-GigabitEthernet 4/0/1
[Router-Ten-GigabitEthernet4/0/1] undo shutdown
[Router-Ten-GigabitEthernet4/0/1] port link-type trunk
[Router-Ten-GigabitEthernet4/0/1] port trunk permit vlan 4093
[Router-Ten-GigabitEthernet4/0/1] mac-address max-mac-count 0
[Router-Ten-GigabitEthernet4/0/1] port connection-mode extend
[Router-Ten-GigabitEthernet4/0/1] quit
# Configure SNMP parameters.
[Router] snmp-agent
[Router] snmp-agent sys-info version all
[Router] snmp-agent group v3 v3group_no read-view iso write-view iso
[Router] snmp-agent mib-view included iso iso
[Router] snmp-agent usm-user v3 v3user_no v3group_no
# Verify that the MIB style of Router is new. If not, set the MIB style of Router to new and reboot
Router.
[Router] mib-style new
# Configure the user interfaces.
[Router] interface GigabitEthernet 2/1/7
[Router-GigabitEthernet2/1/7] ip address 192.168.1.254 24
[Router-GigabitEthernet2/1/7] undo shutdown
[Router-GigabitEthernet2/1/7] quit
[Router] interface GigabitEthernet 2/1/8
[Router-GigabitEthernet2/1/8] ip address 192.168.2.254 24
2. Configure line card IM-IPS:
# Log in to the operating system on the IM-IPS card through the console port on the card, and enter
password H3C.
Password:H3C
# Enter system view.
<IPS> system-view
# Assign an IP address for the network management port on the card to make the network
management ports of the PC and the card reachable to each other.

[IPS]interface meth0/2
[IPS-if]ip address 192.168.3.14 24
[IPS-if]undo shutdown
# Open IE on the PC and enter https://192.168.3.14 at the address bar. Enter admin as the
username and the password.
Figure 4 Web login interface

# Configure the ACFP client:
a. Select System Management > Network Management > ACFP Client Configuration from the
navigation tree.
Figure 5 Configuring the ACFP client

b. Select Enable ACFP Client, select the SNMP version SNMPv3, enter the server security
username v3user_no, enter the server IP address 40.94.1.1, the client IP address 40.94.1.2,
the mask 24, and the VLAN ID 4093.
c. Click Apply.
d. Click Connectivity Test to perform a connectivity test.

# Add security zone inbound:
a. Select System Management > Network Management > Security Zone from the navigation
tree.
b. Click <<.
Figure 6 Adding security zone inbound

c. Enter the name inbound, select GigabitEthernet2/1/7 from the list, and click Add to add it
into the Interface box.
d. Click Apply.
# Add security zone outbound:
a. Select System Management > Network Management > Security Zone from the navigation
tree.
b. Click <<.
Figure 7 Creating security zone outbound

c. Enter the name outbound, select GigabitEthernet2/1/8 from the list, and click Add to add it
into the Interface box.
d. Click Apply.
# Add segment 10:
a. Select System Management > Network Management > Segment Configuration from the
navigation tree.
Figure 8 Adding segment 10

b. Select 10 from the Segment No. list.
c. Select inbound from the Internal Zone list.
d. Select outbound from the External Zone list.
e. Click Apply.
# Configure the collaboration policy and rules:
a. Select System Management > Network Management > ACFP Policy from the navigation tree.
b. Click Create Policy.
Figure 9 Configuring collaboration policy

c. Enter the description t1.
d. Select GigabitEthernet2/1/7 from the Source Interface list.
e. Select the Enable option.
f. Select 0 from the Priority list.
# Add rule 1:
a. Click Add on the Configure Rule tab as shown in Figure 9. After the page for creating a rule
pops up, perform the following configuration as shown in Figure 10.
Figure 10 Creating rule 1

b. Select the Specified Packets option.
c. Select All from the Protocol list.
d. Enter the source IP address 192.168.1.1.
e. Enter the source mask 32.
f. Click Apply.
# Create rule 2:
a. Click Add on the Configure Rule tab as shown in Figure 9.
Figure 11 Creating rule 2

b. Select the Specified Packets option.
c. Select All from the Protocol list.
d. Enter the source IP address 192.168.1.2.
e. Enter the source mask 32.
f. Click Apply.
# Configure ACFP filtering rule 1:
a. Select Bandwidth Management > Bandwidth Policies from the navigation tree.
b. Click Add.
Figure 12 Creating a policy application

c. Enter the name user1, select the working mode Group mode, and select Permit from the
Action Set list.
d. Click Add to add a new entry in the policy application list.
Figure 13 Policy application range

e. Click .
The page for adding IP address group pops up.
Figure 14 Adding IP address group 1

f. Enter the name 192.168.1.1/32, select the protocol IPv4, enter the IPv4 address
192.168.1.1/32, click <<Add to add the address to the IP address box, and click Apply.
g. In the policy application range page, click .
Figure 15 Advanced configuration

h. Select 10 from the Segment list, select the Internal Zone option, select IP address
192.168.1.1/32 from the Internal Zone IP Addresses area, and click Apply.
i. After finishing the above configuration, click OK on the page shown in Figure 12.
# Configure ACFP filtering rule 2:
a. Select Bandwidth Management > Bandwidth Policies from the navigation tree.
b. Click Add.
Figure 16 Creating a policy application

c. Enter the name user2, select the working mode Group mode, and select Block from the Action
Set list.
d. Click Add to add a new entry in the policy application list.
Figure 17 Policy application range

e. Click .
The page for adding IP address group pops up.
Figure 18 Adding IP address group 2

f. Enter the name 192.168.1.2/32, select the protocol IPv4, enter the IPv4 address
192.168.1.2/32, and click <<Add to add the address to the IP address box.
g. Click Apply.
h. In the policy application range page, click .
Figure 19 Advanced configuration

i. Select 10 from the Segment list, select the Internal Zone option, select IP address 192.168.1.2/32
from the Internal Zone IP Addresses area, and click Apply.
j. After finishing the above configuration, click OK on the page shown in Figure 12.
# Activate configurations:
After you finish the above configuration, the page jumps to the page as shown in Figure 20.

Figure 20 Activating configurations

a. Click Activate.
A confirm dialog box pops up.
b. Click OK to activate the configuration.
Verify the configuration:
Use the ping command to verify the connectivity between Host A and Host C, Host B and Host C.
The test results show that Host A can ping Host C but Host B cannot.

CAUTION:
Set the ACL rule length limit mode to 3 or 4 with the acl mode command before creating an ACFP
policy rule for the IPv6 protocol. For more information about the ACL rule length limit mode, see ACL
and QoS Command Reference.

Index

A
ACFP configuration example, 16
ACFP configuration task list, 13
ACFP overview, 8
ACSEI overview, 5

C
Configuring the ACSEI server, 6
Configuring the connection mode for an internal interface on an OAP module, 13

D
Displaying and maintaining ACFP, 15

E
Enabling the ACFP server, 13
Enabling the ACFP trap function, 14

L
Logging in to the operating system of an OAP module, 1

O
OAP module overview, 1

R
Resetting the system of an OAP module, 3