No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C SR8800 documentation set includes 13 configuration guides, which describe the software
features for the H3C SR8800 10G Core Routers and guide you through the software configuration
procedures. These configuration guides also provide configuration examples to help you apply software
features to different network scenarios.
The OAA Configuration Guide describes how to log in to the H3C open application platform (OAP) card
connected to your router and reset the operating system of the OAP card.
This preface includes:
• Audience
• Conventions
• About the H3C SR8800 documentation set
• Obtaining documentation
• Technical support
• Documentation feedback
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the SR8800 series
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention   Description
Boldface   Bold text represents commands and keywords that you enter literally as shown.
Italic   Italic text represents arguments that you replace with actual values.
[ ]   Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]   Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *   Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *   Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>   The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
GUI conventions
Convention   Description
Boldface   Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>   Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention   Description
WARNING   An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION   An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
(device icon)   Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the
software version.
Technical support
service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Configuring OAP modules
NOTE:
For the installation, startup and configuration, and software upgrading of the SecBlade firewall card
(IM-FW), you can obtain the information by following these steps:
• Go to the homepage of the website at http://www.h3c.com.
• Select Technical Support & Document > Technical Documents from the homepage.
• Select SecBlade II Firewall Cards in the Security Products area, and you can view the related manuals.
After the configuration, you can log in to the operating system of the OAP module through the terminal
emulation program on the PC.
5. Execute the ssh command on the router, with the IP address of the network management port of the
OAP module as the SSH server address. You can log in to the operating system of the OAP module
after the connection is established.
NOTE:
• Before redirecting from the router to the OAP module, perform basic configurations to the AUX port of
the router from the console port of the OAP module to allow the login from the router.
• The IM-SSL card does not support the redirection from the router to the OAP module through the oap
connect command.
CAUTION:
Reset of the OAP module may cause data loss and service interruption. Therefore, before resetting the
OAP module, you need to save the configurations of the OAP module operating system and shut down the
OAP module operating system to avoid service interruption and hardware data loss.
Configuring ACSEI
ACSEI overview
ACSEI is a private protocol that provides a method for exchanging information between ACFP clients and
the ACFP server. It supports Application Control Forwarding Protocol (ACFP) collaboration by ensuring
valid information interaction between the ACFP clients and the ACFP server, so that the ACFP server and
clients can cooperate to run a service.
As a supporting protocol of ACFP, ACSEI also has two entities: server and client.
• ACSEI server is integrated into the software system (Comware) of the device and is supported by the
device.
• ACSEI client is implemented in two ways. One way is to integrate it into the system software
(Comware) of the device, in which case it is a function supported by the device. The other way is to
integrate it into the software system of the OAP module, in which case it is a function supported by the
OAP module. The hardware and configuration needed by the two implementations are different. This
chapter introduces each of them in turn.
NOTE:
• ACFP is designed based on the Open Application Architecture (OAA).
• OAP is designed for new services. The OAP module runs its own operating system, onto which you can
load various service software, such as security and voice, as needed. For more information about the OAP
module, see the chapter “Configuring OAP modules.”
• This manual covers the configuration of the ACSEI server integrated into the software system of the
router.
ACSEI functions
ACSEI mainly provides the following functions:
• Registration and deregistration of an ACSEI client to the ACSEI server.
• ID assignment. The ACSEI server assigns IDs to ACSEI clients to distinguish between them.
• Mutual monitoring and awareness between an ACSEI client and the ACSEI server.
• Information interaction between the ACSEI server and ACSEI clients, including clock
synchronization.
• Control of the ACSEI clients on the ACSEI server. For example, you can restart ACSEI client on the
ACSEI server.
ACSEI timers
An ACSEI server uses two timers, the clock synchronization timer and the monitoring timer.
• The clock synchronization timer is used to periodically trigger the ACSEI server to send clock
synchronization advertisements to ACSEI clients. You can set this timer through command lines.
• The monitoring timer is used to periodically trigger the ACSEI server to send monitoring requests to
ACSEI clients. You can set this timer through command lines.
An ACSEI client starts two timers, the registration timer and the monitoring timer.
• The registration timer is used to periodically trigger the ACSEI client to multicast registration requests
(with the multicast MAC address being 010F-E200-0021). You cannot set this timer.
• The monitoring timer is used to periodically trigger the ACSEI client to send monitoring requests to
the ACSEI server. You cannot set this timer.
Configuring the monitoring timer
To configure the monitoring timer:
Step Command
1. Enter system view. system-view
2. Enable the ACSEI server function. acsei server enable
3. Enter ACSEI server view. acsei server
4. Restart the specified ACSEI client. acsei client reboot client-id
Configuring ACFP
NOTE:
In this documentation, SPC cards refer to the interface cards prefixed with SPC, for example, SPC-GT48L.
SPE cards refer to the base cards prefixed with SPE, for example, SPE-1020-E.
ACFP overview
Basic data communication networks consist of routers and switches, which forward data packets. As
data networks develop, more and more services run on them, and it has become inappropriate to use legacy
routers to handle some of these new services. Therefore, security products such as firewalls, Intrusion
Detection Systems (IDS), and Intrusion Prevention Systems (IPS), as well as voice and wireless products, are
designed to handle specific services.
For better support of new services, manufacturers of legacy networking devices (routers and switches in
this document) have developed various dedicated service boards (cards) to specifically handle these
services. Some manufacturers of legacy networking devices provide a set of software/hardware
interfaces to allow the boards (cards) or devices of other manufacturers to be plugged or connected to
these legacy networking devices for cooperating to handle these services. This gives full play to the
advantages of respective manufacturers for better support of new services while reducing user
investments.
The open application architecture (OAA) is an open service architecture developed with this concept. It
integrates routers and software produced by different manufacturers, making them function as one router,
and thus provides integrated solutions for the customers.
The Application Control Forwarding Protocol (ACFP) is developed based on the OAA architecture. For
example, collaborating IPS/IDS cards or IPS/IDS devices acting as ACFP clients run software packages
developed by other manufacturers to support the IPS/IDS services. A router or switch mirrors or redirects
the received packets to an ACFP client after matching the ACFP collaboration rules. The software running
on the ACFP client monitors and detects the packets. Based on the monitoring and detection results, the
ACFP client sends back responses to the router or switch through collaboration Management Information
Bases (MIBs) to instruct the router or switch to process the results, such as filtering out the specified
packets.
NOTE:
Only IM-IPS and IM-ACG cards support ACFP.
ACFP architecture
Figure 1 ACFP architecture (figure not reproduced; its labels are: ACFP client, ACFP server, independent service component, interface-connecting component, and routing/switching component)
ACFP collaboration
ACFP collaboration means that the independent service component can send instructions to the
routing/switching component to change its functions. ACFP collaboration is mainly implemented through
the Simple Network Management Protocol (SNMP). Acting as a network management system, the
independent service component sends various SNMP commands to the routing/switching component,
which can execute the instructions received because it runs an SNMP agent. In this process, the
collaboration MIB is the key to associating the two components with each other.
ACFP management
ACFP collaboration provides a mechanism that enables the ACFP client to control the traffic on the ACFP
server by implementing the following functions:
• Mirroring and redirecting the traffic on the ACFP server to the ACFP client
• Permitting/denying the traffic from the ACFP server
• Restricting the rate of the traffic on the ACFP server
• Carrying the context ID in a packet to enable the ACFP server and ACFP client to communicate the
packet context with each other. The detailed procedure is as follows:
The ACFP server maintains a context table that can be queried with context ID. Each context ID
corresponds with an ACFP collaboration policy that contains information including inbound interface
and outbound interface of the packet, and collaboration rules. When the packet received by the ACFP
server is redirected or mirrored to the ACFP client after matching a collaboration rule, the packet carries
the context ID of the collaboration policy to which the collaboration rule belongs. When the redirected
packet is returned from the ACFP client, the packet also carries the context ID. With the context ID, the
ACFP server knows that the packet is returned after being redirected and then forwards the packet
normally.
For the ACFP client to better control traffic, the two-level structure of collaboration policy and
collaboration rules is set in the collaboration to manage the traffic matching the collaboration rule based
on the collaboration policy, implementing flexible traffic management.
To better support the Client/Server collaboration mode and granularly and flexibly set different rules, the
collaboration content is divided into four parts: ACFP server information, ACFP client information, ACFP
collaboration policy and ACFP collaboration rules. These four parts of information are saved in the ACFP
server.
An ACFP server supports multiple ACFP clients. Therefore, ACFP client information, ACFP collaboration
policy, and ACFP collaboration rules are organized in the form of tables.
ACFP server information is generated by the ACFP server itself. ACFP client information, ACFP
collaboration policy, and ACFP collaboration rules are generated on the ACFP client and sent to the
ACFP server through the collaboration MIB or collaboration protocol.
• Client ID—ACFP client identifier.
• Policy-Index
• In-interface—Interface through which the packet is sent to the ACFP server.
• Out-interface—Interface through which the packet is forwarded normally.
• Dest-interface—ACFP server interface connected with ACFP client.
• Context ID—It is used when the packet is mirrored or redirected to an ACFP client. After the
interface connected to the ACFP client is specified in the policy sent, the ACFP server assigns it a
global serial number, that is, the Context ID, with each Context ID corresponding to an ACFP
collaboration policy.
• Admin-Status—It indicates whether to enable the policy.
• Effect-Status—It indicates the expiration time of the policy and is used to control the expiration time
of all the rules under the policy.
• Start-Time—It indicates starting from what time (second/minute/hour) the policy takes effect and is
used to control starting from what time all the rules under the policy take effect.
• End-time—It indicates starting from what time (second/minute/hour) the policy turns invalid and is
used to control starting from what time all the rules under the policy turn invalid.
• DestIfFailAction—Specifies what happens to all rules under the policy if the policy dest-interface is
down. For forwarding-first routers, select the delete action so that the redirected and mirrored packets
keep being forwarded; for security-first routers, select the reserve action so that the redirected and
mirrored packets are discarded.
• Priority—It indicates the priority of a policy, number notation, in the range of 1 to 8. The bigger the
number, the higher the priority.
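The context-ID procedure and the policy attributes listed above (Priority, Admin-Status, DestIfFailAction) can be modelled in a few lines. The following Python is an added example, not code from this guide or from Comware: the class names Policy and AcfpServer, the DELETE/RESERVE constants, the use of the example's interface names, and the decision to drop a returned packet whose context ID is not in the context table are this example's own assumptions.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

# Assumed names for the two DestIfFailAction choices described in the guide.
DELETE = "delete"    # forwarding-first: keep forwarding when dest-interface is down
RESERVE = "reserve"  # security-first: discard when dest-interface is down


@dataclass
class Policy:
    """One row of the ACFP collaboration policy table (model, not the MIB)."""
    client_id: int
    policy_index: int
    in_interface: str        # interface the packet enters the ACFP server on
    out_interface: str       # interface it is forwarded through normally
    dest_interface: str      # ACFP server interface connected to the ACFP client
    priority: int            # 1..8, bigger number means higher priority
    admin_status: bool = True
    dest_if_fail_action: str = DELETE
    context_id: Optional[int] = None   # assigned by the server on install


class AcfpServer:
    def __init__(self) -> None:
        self._next_ctx = count(1)                 # global serial number source
        self.context_table: Dict[int, Policy] = {}
        self.interface_up: Dict[str, bool] = {}   # unknown interfaces count as up

    def install_policy(self, policy: Policy) -> int:
        """Assign a global context ID and store the policy in the context table."""
        if not 1 <= policy.priority <= 8:
            raise ValueError("priority must be in the range 1 to 8")
        policy.context_id = next(self._next_ctx)
        self.context_table[policy.context_id] = policy
        return policy.context_id

    def set_interface(self, name: str, up: bool) -> None:
        self.interface_up[name] = up

    def _select_policy(self, in_interface: str) -> Optional[Policy]:
        """Highest-priority enabled policy whose in-interface matches."""
        candidates = [p for p in self.context_table.values()
                      if p.admin_status and p.in_interface == in_interface]
        return max(candidates, key=lambda p: p.priority) if candidates else None

    def handle_ingress(self, in_interface: str) -> Tuple[str, Optional[str], Optional[int]]:
        """Decision for a packet that matched a collaboration rule on in_interface.

        Returns (action, egress interface, context ID carried by the packet)."""
        policy = self._select_policy(in_interface)
        if policy is None:
            return ("forward", None, None)          # no policy: normal forwarding
        if self.interface_up.get(policy.dest_interface, True):
            return ("redirect", policy.dest_interface, policy.context_id)
        if policy.dest_if_fail_action == DELETE:
            return ("forward", policy.out_interface, None)
        return ("drop", None, None)

    def handle_returned(self, context_id: int) -> Tuple[str, Optional[str]]:
        """A packet comes back from the ACFP client carrying a context ID."""
        policy = self.context_table.get(context_id)
        if policy is None:
            return ("drop", None)   # assumption: unknown context IDs are not trusted
        return ("forward", policy.out_interface)   # forwarded normally


if __name__ == "__main__":
    srv = AcfpServer()
    p = Policy(1, 1, "GigabitEthernet2/1/7", "GigabitEthernet2/1/8",
               "Ten-GigabitEthernet4/0/1", priority=3)
    ctx = srv.install_policy(p)
    print("ingress:", srv.handle_ingress("GigabitEthernet2/1/7"))
    print("returned:", srv.handle_returned(ctx))
```

The model makes the guide's two DestIfFailAction behaviours explicit: with the client link down, a delete policy still forwards traffic that would have been inspected, while a reserve policy fails closed and drops it.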
• Protocol number in IP
• Source IP address
• Wildcard mask of source IP address
• Source port operator—Its type can be equal to, not equal to, greater than, less than, or greater than
and less than. The ending source port number below takes effect only when the type is greater
than and less than, in which case the source port number of a packet matched by the identifier must be
greater than the starting source port number and less than the ending source port number.
• Starting source port number
• Ending source port number
• Destination IP address
• Wildcard mask of destination IP address
• Destination port number operator—Its type can be equal to, not equal to, greater than, less than, or
greater than and less than. The ending destination port number below takes effect only when
the type is greater than and less than, in which case the destination port number of a packet matched by
the identifier must be greater than the starting destination port number and less than the ending
destination port number.
• Starting destination port number
• Ending destination port number
• Pro—Protocol type, which can be GRE, ICMP, IGMP, OSPF, TCP, UDP, and IP.
• IP precedence—Packet precedence, a number in the range of 0 to 7.
• IP ToS—Type of Service (ToS) of IP
• IP DSCP—Differentiated Services Code Point (DSCP) of IP
• TCP flag—Indicates which of the six TCP flag bits (URG, ACK, PSH, RST, SYN, FIN) the rule
examines.
• IP fragment—It indicates whether the packet is an IP packet fragment.
• Rate limit
You can use the collaboration policy to manage the collaboration rules that belong to it.
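The rule fields above define a five-tuple style match with a few ACFP-specific details: wildcard masks rather than prefix lengths, five port operator types of which only "greater than and less than" uses the ending port (with both ends exclusive), and TCP-flag and fragment qualifiers. The following Python matcher is an added example, not code from this guide or from Comware; the Rule and Packet classes, the operator constants EQ/NEQ/GT/LT/RANGE, the protocol-number table for the Pro values, and the derivation of IP precedence (top three bits) and DSCP (top six bits) from the ToS byte are this example's own assumptions. It goes beyond the text by handling every rule field in one function rather than describing them one at a time.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, Optional

# Assumed shorthand for the five port operator types named in the guide.
EQ, NEQ, GT, LT, RANGE = "eq", "neq", "gt", "lt", "range"

# "Pro" values from the guide mapped to IP protocol numbers; IP means any protocol.
PROTO_NUMBERS = {"GRE": 47, "ICMP": 1, "IGMP": 2, "OSPF": 89, "TCP": 6, "UDP": 17, "IP": None}
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass(frozen=True)
class Packet:
    """Constructed packet header summary used as matcher input."""
    src: str
    dst: str
    protocol: int          # IP protocol number
    sport: int = 0
    dport: int = 0
    tos_byte: int = 0      # full 8-bit ToS/DS byte
    tcp_flags: int = 0     # bitmask built from TCP_FLAG_BITS
    fragment: bool = False


@dataclass(frozen=True)
class Rule:
    """One ACFP collaboration rule; None means the field is not checked."""
    pro: str = "IP"
    src: Optional[str] = None
    src_wildcard: str = "0.0.0.0"
    src_port_op: Optional[str] = None
    src_port_start: int = 0
    src_port_end: int = 0
    dst: Optional[str] = None
    dst_wildcard: str = "0.0.0.0"
    dst_port_op: Optional[str] = None
    dst_port_start: int = 0
    dst_port_end: int = 0
    precedence: Optional[int] = None           # 0..7
    dscp: Optional[int] = None                 # 0..63
    tcp_flags: FrozenSet[str] = frozenset()    # flag bits that must be set
    fragment: Optional[bool] = None


def port_matches(op: Optional[str], start: int, end: int, port: int) -> bool:
    if op is None:
        return True
    if op == EQ:
        return port == start
    if op == NEQ:
        return port != start
    if op == GT:
        return port > start
    if op == LT:
        return port < start
    if op == RANGE:
        # The ending port takes effect only here, and both ends are exclusive.
        return start < port < end
    raise ValueError(f"unknown port operator {op!r}")


def ip_matches(rule_addr: Optional[str], wildcard: str, addr: str) -> bool:
    """Wildcard mask: a 1 bit is ignored, a 0 bit must match exactly."""
    if rule_addr is None:
        return True
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(rule_addr)) & care) == (int(IPv4Address(addr)) & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every configured field of the rule matches the packet."""
    proto = PROTO_NUMBERS[rule.pro]
    if proto is not None and pkt.protocol != proto:
        return False
    if not ip_matches(rule.src, rule.src_wildcard, pkt.src):
        return False
    if not ip_matches(rule.dst, rule.dst_wildcard, pkt.dst):
        return False
    if not port_matches(rule.src_port_op, rule.src_port_start, rule.src_port_end, pkt.sport):
        return False
    if not port_matches(rule.dst_port_op, rule.dst_port_start, rule.dst_port_end, pkt.dport):
        return False
    if rule.precedence is not None and (pkt.tos_byte >> 5) != rule.precedence:
        return False
    if rule.dscp is not None and (pkt.tos_byte >> 2) != rule.dscp:
        return False
    if rule.tcp_flags:
        if pkt.protocol != 6:      # flag qualifiers only make sense for TCP
            return False
        need = 0
        for name in rule.tcp_flags:
            need |= TCP_FLAG_BITS[name]
        if pkt.tcp_flags & need != need:
            return False
    if rule.fragment is not None and pkt.fragment != rule.fragment:
        return False
    return True
```

Note the two boundary details a matcher gets wrong most often: the "greater than and less than" operator excludes both port numbers, and a rule that names SYN also matches a SYN+ACK segment, because it asks only that the named bits be set.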
Using ACFP
• ACFP does not support policy-based routing services or NetStream services.
• The handling of the packets redirected by ACFP is mutually exclusive with ordinary ACL rules. No
QoS processing is performed on the packets returned after they are redirected to the ACFP client.
• A stream cannot be mirrored or redirected to multiple ACFP clients.
• ACFP does not support applying flow redirect policies to an aggregate interface.
• SPE cards support applying flow redirect policies only to Layer 3 interfaces.
• If a Layer 3 interface is added into an aggregation group, or an aggregate interface leaves an
aggregation group, the configured flow redirect policies on the interface will become ineffective
and you need to first delete the original flow redirect policies and then configure new policies on the
interface.
• When the ACFP server is enabled, the internal interface cannot act as the source port for port
mirroring.
• When ACFP server is enabled on an IM-IPS or IM-ACG card, the connection mode for the internal
interface must be set to extend, the internal interface must be configured as a trunk port, and the
PVID of the internal interface cannot be the VLAN ID of the management VLAN.
• When the connection mode of the internal interface on an IM-IPS or IM-ACG card is set to extend,
you cannot specify a VLAN as both the user service VLAN and the management VLAN.
Task Remarks
Enabling the ACFP server Required
Configuring the connection mode for an internal interface on an OAP module Required
Figure 2 Schematic diagram for the internal interface
When configuring ACFP on an OAP module, to ensure the normal communication between the router
and the OAP module, you must configure the connection mode for the OAP module internal interface as
extend.
To configure the connection mode for an internal interface:
NOTE:
• For more information about the port connection-mode command, see Layer 2—LAN Switching
Command Reference.
• When you disable the ACSEI function or change the connection mode for an internal interface, to avoid
disrupting the traffic, perform the operation on the ACFP client first, and then on the ACFP server.
• Spanning Tree Protocol (STP) cannot be enabled on the internal interface of an IM-IPS or IM-ACG card.
For more information about STP, see Layer 2—LAN Switching Configuration Guide.
Trap message   Level
ACFP client registration   notifications
ACFP server does not support the working mode of the ACFP client   errors
The generated traps will be sent to the information center of the router. With the parameters for the
information center set, the output rules for traps (that is, whether the traps are allowed to be output and
the output destinations) are decided. For the configuration of the parameters for the information center,
see Network Management and Monitoring Configuration Guide.
To enable the ACFP function:
Step   Command   Remarks
2. Enable the trap function of the ACFP module.   snmp-agent trap enable acfp [ client | policy | rule | server ]   Optional. Enabled by default.
NOTE:
For more information about the snmp-agent trap enable command, see Network Management and
Monitoring Command Reference.
Task   Command   Remarks
Display the configuration information of an ACFP policy.   display acfp policy-info [ client client-id [ policy-index ] | dest-interface interface-type interface-number | global | in-interface interface-type interface-number | out-interface interface-type interface-number ] [ active | inactive ] [ | { begin | exclude | include } regular-expression ]
Configuration procedure
1. Configure Router:
# Enable the ACFP server.
<Router> system-view
[Router] acfp server enable
[Router] acsei server enable
# Assign an IP address to the VLAN interface of the management VLAN.
[Router] vlan 4093
[Router-vlan4093] interface Vlan-interface 4093
[Router-Vlan-interface4093] undo shutdown
[Router-Vlan-interface4093] ip address 40.94.1.1 24
[Router-Vlan-interface4093] quit
# Configure the internal interface Ten-GigabitEthernet 4/0/1 on the ACFP client as a trunk port,
and assign the trunk port to VLAN 4094, which is not allowed to learn MAC addresses. Then, set
the working mode for the internal Ethernet interface to extended.
[Router] interface Ten-GigabitEthernet 4/0/1
[Router-Ten-GigabitEthernet4/0/1] undo shutdown
[Router-Ten-GigabitEthernet4/0/1] port link-type trunk
[Router-Ten-GigabitEthernet4/0/1] port trunk permit vlan 4093
[Router-Ten-GigabitEthernet4/0/1] mac-address max-mac-count 0
[Router-Ten-GigabitEthernet4/0/1] port connection-mode extend
[Router-Ten-GigabitEthernet4/0/1] quit
# Configure SNMP parameters.
[Router] snmp-agent
[Router] snmp-agent sys-info version all
[Router] snmp-agent group v3 v3group_no read-view iso write-view iso
[Router] snmp-agent mib-view included iso iso
[Router] snmp-agent usm-user v3 v3user_no v3group_no
# Verify that the MIB style of Router is new. If not, set the MIB style of Router to new and reboot
Router.
[Router] mib-style new
# Configure the user interfaces.
[Router] interface GigabitEthernet 2/1/7
[Router-GigabitEthernet2/1/7] ip address 192.168.1.254 24
[Router-GigabitEthernet2/1/7] undo shutdown
[Router-GigabitEthernet2/1/7] quit
[Router] interface GigabitEthernet 2/1/8
[Router-GigabitEthernet2/1/8] ip address 192.168.2.254 24
2. Configure line card IM-IPS:
# Log in to the operating system on the IM-IPS card through the console port on the card, and enter
password H3C.
Password:H3C
# Enter system view.
<IPS> system-view
# Assign an IP address for the network management port on the card to make the network
management ports of the PC and the card reachable to each other.
[IPS]interface meth0/2
[IPS-if]ip address 192.168.3.14 24
[IPS-if]undo shutdown
# Open IE on the PC and enter https://192.168.3.14 at the address bar. Enter admin as the
username and the password.
Figure 4 Web login interface
b. Select Enable ACFP Client, select the SNMP version SNMPv3, enter the server security
username v3user_no, enter the server IP address 40.94.1.1, the client IP address 40.94.1.2,
the mask 24, and the VLAN ID 4093.
c. Click Apply.
d. Click Connectivity Test to perform a connectivity test.
# Add security zone inbound:
a. Select System Management > Network Management > Security Zone from the navigation
tree.
b. Click <<.
Figure 6 Adding security zone inbound
c. Enter the name inbound, select GigabitEthernet2/1/7 from the list, and click Add to add it
into the Interface box.
d. Click Apply.
# Add security zone outbound:
a. Select System Management > Network Management > Security Zone from the navigation
tree.
b. Click <<.
Figure 7 Creating security zone outbound
c. Enter the name outbound, select GigabitEthernet2/1/8 from the list, and click Add to add it
into the Interface box.
d. Click Apply.
# Add segment 10:
a. Select System Management > Network Management > Segment Configuration from the
navigation tree.
Figure 8 Adding segment 10
Figure 10 Creating rule 1
Figure 12 Creating a policy application
c. Enter the name user1, select the working mode Group mode, and select Permit from the
Action Set list.
d. Click Add to add a new entry in the policy application list.
e. Click .
The page for adding IP address group pops up.
Figure 14 Adding IP address group 1
f. Enter the name 192.168.1.1/32, select the protocol IPv4, enter the IPv4 address
192.168.1.1/32, click <<Add to add the address to the IP address box, and click Apply.
g. In the policy application range page, click .
Figure 15 Advanced configuration
h. Select 10 from the Segment list, select the Internal Zone option, select IP address
192.168.1.1/32 from the Internal Zone IP Addresses area, and click Apply.
i. After finishing the above configuration, click OK on the page shown in Figure 12.
# Configure ACFP filtering rule 2:
a. Select Bandwidth Management > Bandwidth Policies from the navigation tree.
b. Click Add.
Figure 16 Creating a policy application
c. Enter the name user2, select the working mode Group mode, and select Block from the Action
Set list.
d. Click Add to add a new entry in the policy application list.
e. Click .
The page for adding IP address group pops up.
Figure 18 Adding IP address group 2
f. Enter the name 192.168.1.2/32, select the protocol IPv4, enter the IPv4 address
192.168.1.2/32, and click <<Add to add the address to the IP address box.
g. Click Apply.
h. Select 10 from the Segment list, select the Internal Zone option, select IP address 192.168.1.2/32
from the Internal Zone IP Addresses area, and click Apply.
i. After finishing the above configuration, click OK on the page shown in Figure 12.
# Activate configurations:
After you finish the above configuration, the page jumps to the page as shown in Figure 20.
Figure 20 Activating configurations
a. Click Activate.
A confirm dialog box pops up.
b. Click OK to activate the configuration.
Verify the configuration:
Use the ping command to verify the connectivity between Host A and Host C, and between Host B and
Host C. The test results show that Host A can ping Host C but Host B cannot.
CAUTION:
Set the ACL rule length limit mode to 3 or 4 with the acl mode command before creating an ACFP
policy rule for the IPv6 protocol. For more information about the ACL rule length limit mode, see ACL and QoS
Command Reference.
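In the configuration example above, the ACFP client controls the router through the SNMPv3 user v3user_no in group v3group_no, which is created without an authentication or privacy level and is given write-view iso, that is, write access to the whole MIB tree. The following Python audit is an added example, not part of this guide or of Comware: it reads snmp-agent configuration lines (the guide's own lines are embedded as constructed input) and reports the settings a reviewer would question. The hardened variant assumes the privacy keyword on snmp-agent group v3 and the authentication-mode and privacy-mode keywords on snmp-agent usm-user v3 (standard Comware syntax, not shown on this page), with <placeholders> for the passwords; it keeps write-view iso because that is what the guide configures, so the audit still reports that finding for it.

```python
from typing import Dict, List, Optional

# Constructed input 1: the SNMP lines from the configuration example in this
# guide, exactly as entered on Router (data for the audit, not live config).
GUIDE_SNMP_CONFIG = """\
snmp-agent
snmp-agent sys-info version all
snmp-agent group v3 v3group_no read-view iso write-view iso
snmp-agent mib-view included iso iso
snmp-agent usm-user v3 v3user_no v3group_no
"""

# Constructed input 2 (assumed syntax; group/user names and <placeholders> are
# this example's own): SNMPv3 only, authenticated and encrypted, same views.
HARDENED_SNMP_CONFIG = """\
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 acfp_grp privacy read-view iso write-view iso
snmp-agent mib-view included iso iso
snmp-agent usm-user v3 acfp_user acfp_grp authentication-mode sha <auth-password> privacy-mode aes128 <priv-password>
"""


def _option(tokens: List[str], key: str) -> Optional[str]:
    """Return the token following `key`, or None if the keyword is absent."""
    if key in tokens:
        i = tokens.index(key)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_snmp(config_text: str) -> List[str]:
    """Return one finding string per questionable snmp-agent setting."""
    findings: List[str] = []
    groups: Dict[str, str] = {}   # group name -> security level
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "snmp-agent":
            continue
        sub = tokens[1:]
        if sub[:2] == ["sys-info", "version"]:
            # "all" enables v1 and v2c alongside v3
            if set(sub[2:]) & {"all", "v1", "v2c"}:
                findings.append("SNMPv1/v2c enabled: community strings are sent in clear text")
        elif sub[:2] == ["group", "v3"] and len(sub) >= 3:
            name, opts = sub[2], sub[3:]
            if "privacy" in opts:
                level = "privacy"
            elif "authentication" in opts:
                level = "authentication"
            else:
                level = "noAuthNoPriv"     # default when neither keyword is given
            groups[name] = level
            if level == "noAuthNoPriv":
                findings.append(f"group {name} is noAuthNoPriv: requests need no credential beyond the user name")
            if _option(opts, "write-view") == "iso":
                findings.append(f"group {name} can write the whole MIB tree (write-view iso)")
        elif sub[:2] == ["usm-user", "v3"] and len(sub) >= 4:
            user, group = sub[2], sub[3]
            if "authentication-mode" not in sub:
                findings.append(f"user {user} (group {group}) has no authentication-mode: requests are unauthenticated")
            elif "privacy-mode" not in sub:
                findings.append(f"user {user} (group {group}) authenticates but does not encrypt (no privacy-mode)")
        elif sub[:1] == ["community"] and len(sub) >= 3 and sub[1] == "write":
            findings.append(f"read-write community {sub[2]} configured")
    return findings


if __name__ == "__main__":
    for title, cfg in (("guide example", GUIDE_SNMP_CONFIG), ("hardened", HARDENED_SNMP_CONFIG)):
        print(f"== {title} ==")
        for f in audit_snmp(cfg):
            print(" -", f)
```

Because ACFP collaboration is the client instructing the router over SNMP to mirror, redirect, permit or deny traffic, the SNMP credential is the control channel for the router's forwarding behaviour; the audit makes visible which of the guide's settings leave that channel unauthenticated or unencrypted.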
Index
A
ACFP configuration example, 16
ACFP configuration task list, 13
ACFP overview, 8
ACSEI overview, 5
C
Configuring the ACSEI server, 6
Configuring the connection mode for an internal interface on an OAP module, 13
D
Displaying and maintaining ACFP, 15
E
Enabling the ACFP server, 13
Enabling the ACFP trap function, 14
L
Logging in to the operating system of an OAP module, 1
O
OAP module overview, 1
R
Resetting the system of an OAP module, 3