H3C SecBlade User Manual
H3C SecBlade IPS Cards
User Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Document version: 5PW104-20101210
Copyright © 2008-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C,
, Aolynk, , H3Care,
, TOP G, , IRF, NetPilot, Neocean, NeoVTL,
SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V
2
G, VnG, PSPT,
XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,
Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C SecBlade IPS Cards User Manual describes the SecBlade IPS cards’ overview, features, and
login methods, and the configurations on the switches and routers that hold the cards.
This preface includes:
•
Audience
•
Conventions
•
About the H3C SecBlade IPS Cards Document Set
•
Obtaining documentation
•
Technical support
•
Documentation feedback
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the H3C SecBlade IPS cards
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars, from
which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by vertical
bars, from which you select at least one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by vertical
bars, from which you may select multiple choices or none.
&<1-n>
The argument or keyword and argument combination before the ampersand (&) sign can
be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.
GUI conventions
Convention Description
Boldface
Window names, button names, field names, and menu items are in Boldface. For
example, the New User window appears; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention Description
WARNING
An alert that calls attention to important information that if not understood or followed can
result in personal injury.
CAUTION
An alert that calls attention to important information that if not understood or followed can
result in data loss, data corruption, or damage to hardware or software.
IMPORTANT
An alert that calls attention to essential information.
NOTE
An alert that contains additional or supplementary information.
TIP
An alert that provides helpful information.
About the H3C SecBlade IPS Cards Document Set
The H3C SecBlade IPS cards documentation set includes:
Category Documents Purposes
Marketing brochures Describe product specifications and benefits.
Product description and
specifications
Technology white papers
Provide an in-depth description of software features
and technologies.
Card Manual
Provides the card types, hardware specifications,
and interface attributes.
Software Upgrade Guide Guides you through the software upgrade.
Installation and
commissioning
License Registration and
Activation Guide
Provides the configuration procedure and guidelines
to activate and register the license.
User Manual
Describes the data forwarding procedure of the card
sand basic network configuration with switches
Web-Based
Configuration Guide
Describe how to configure and deploy the cards
Typical Configuration
Example
Provide configuration examples and instructions of
the cards.
Configuration Guide
Service configuration
Command Reference
Configure and maintain the card at the CLI
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the
software version.
Technical support
customer_service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
i
Contents
Overview ······································································································································································ 1
Introduction to the Manual ···············································································································································1
Related Manuals································································································································································1
SecBlade IPS Cards Overview···································································································································· 2
Introduction ········································································································································································2
Main Characteristics·························································································································································2
Main Functions ··································································································································································3
Features········································································································································································· 5
Feature List ·········································································································································································5
Login·············································································································································································· 6
Switch/Router and SecBlade IPS Card Network Configuration···············································································9
LSWM1IPS10 Card Configuration ·································································································································9
Configuration Overview ··········································································································································9
Configuration Procedure······································································································································· 10
Configuration Example ·········································································································································14
LSQ1IPSSC0 Card Configuration (Only for the S7500E Switch and Supporting OAA Configuration)·············· 17
Configuration Overview ······································································································································· 17
Configuration Procedure······································································································································· 18
Configuration Example ·········································································································································22
LSB1IPS1A0 Card Configuration ································································································································· 27
Configuration Overview ······································································································································· 27
Configuration Procedure······································································································································· 28
Configuration Example ·········································································································································31
LSR1IPS1A1 Card Configuration ·································································································································35
Configuration Overview ······································································································································· 35
Configuration Procedure······································································································································· 36
Configuration Example ·········································································································································40
LST1IPS1A1 Card Configuration·································································································································· 44
Configuration Overview ······································································································································· 44
Configuration Procedure······································································································································· 45
Configuration Example ·········································································································································49
SPE-IPS-200 Card Configuration ·································································································································· 53
Configuration Overview ······································································································································· 53
Configuration Procedure······································································································································· 53
Configuration Example ·········································································································································57
IM-IPS Card Configuration ············································································································································ 60
Configuration Overview ······································································································································· 60
Configuration Procedure······································································································································· 61
Configuration Example ·········································································································································64
Appendix-OAA Configuration ··································································································································69
Overview········································································································································································· 69
ACFP Architecture ················································································································································· 69
OAA Collaboration··············································································································································· 70
ACFP Management ··············································································································································· 70
Configuring OAA Client················································································································································ 70
OAA Configuration Example········································································································································ 72
ii
Index ···········································································································································································78
1
Overview
Introduction to the Manual
This manual mainly consists of the following chapters:
•
SecBlade IPS Cards Overview: Describes the functions and service features of the SecBlade IPS
cards.
•
Features: Describes the features of the SecBlade IPS cards. For how to configure these features, see
the H3C Intrusion Prevention System Web-Based Configuration Guide.
•
Login: Describes how to log in to the web interface of the SecBlade IPS cards.
•
Switch/Router and SecBlade IPS Card Network Configuration: Describes the work flow and
principles of data forwarding between a switch/router and a SecBlade IPS card, presents the
configurations on the switch/router and the SecBlade IPS card, and provides configuration
examples.
•
Appendix-OAA Configuration: Describes OAA basic principles and configuration procedure, and
gives configuration examples.
Related Manuals
For the installation, startup and configuration, software upgrade and hardware maintenance of the
SecBlade IPS cards, see the H3C SecBlade Cards Software Upgrade Guide and the hardware
documents of the devices using the cards, such as the installation guides of
S5800/S5820X/S7500E/S9500/S9500E/S12500 series switches and SR6600/SR8800 routers.
Follow these steps to obtain the product documentation from www.h3c.com:
• Select Technical Support & Document > Technical Documents from the home page.
• Select a device type, and then you can view the related manuals.
2
SecBlade IPS Cards Overview
Introduction
H3C Intrusion Prevention System (IPS) products fall into two categories.
1. H3C SecPath T series
• T200 series: T200, T200-E (enhanced), T200-A (advanced), T200-M (middle), T200-S (standard)
• T1000 series: T1000-A (advanced), T1000-M (middle), T1000-S (standard), T1000-C (compact)
• T5000 series: T5000-S3
2. H3C SecBlade IPS card series
• LSWM1IPS10: Applicable to H3C S5800/S5820X series switches that support OAA
• LSQ1IPSSC0: Applicable to H3C S7500E series switches
• LSB1IPS1A0: Applicable to H3C S9500 series switches
• LSR1IPS1A1: Applicable to H3C S9500E series switches
• LST1IPS1A1: Applicable to H3C S12500 series switches
• SPE-IPS-200: Applicable to H3C SR6600 routers
• IM-IPS: Applicable to H3C SR8800 routers
In this manual, the switches and routers that support ISP cards are referred to as main network devices.
This manual mainly describes the features and typical configuration of the two types of H3C SecBlade
IPS cards.
H3C IPS products are mainly online deployed on the key paths of user networks and perform Layer 2
through Layer 7 data analysis in real time to precisely identify and stop/limit various attacks and network
abuses such as hackers, worms, viruses, Trojans, DoS/DDoS, scans, spyware, protocol anomalies,
phishing, P2P, IM, and network games, and to ensure the security, service continuity and performance of
network applications.
H3C IPS products can also be deployed in bypass mode to implement intrusion detection. In addition,
H3C IPS products provide powerful, practical bandwidth management and URL filtering functions.
H3C SecBlade IPS cards are based on the latest hardware platform and architecture of H3C. They
support distributed deployment, centralized management and flexible scalability, and can be managed
using a web browser. H3C SecBlade IPS cards can be inserted to the main network devices to satisfy the
traffic management needs of users.
Main Characteristics
• SecBlade IPS cards enable main network devices to provide network security services without
affecting data forwarding performance.
• SecBlade IPS cards are based on the H3C Open Application Architecture (OAA). A SecBlade IPS
card is connected to a main network device through an internal 10GE Ethernet interface. The
wire-speed forwarding capability of the back card of the main network device ensures smooth data
exchange with the SecBlade IPS card.
3
• SecBlade IPS cards adopt the multi-core high-performance processor and high-speed memory, and
thus can ensure the processing of security services without affecting the normal operation of the
main network device.
• Multiple slots on the main network device can accommodate SecBlade IPS cards. You can plug
multiple SecBlade IPS cards in to a main network device for service expansion, meeting the update
requirements of enterprise and carrier networks.
Main Functions
SecBlade IPS cards provide the following main functions.
1. Application layer based attack detection and defense
SecBlade IPS cards adopt the proprietary engine of H3C, Full Inspection with Rigorous State Test (FIRST ).
The FIRST engine provides multiple detection technologies, and improves the preciseness of attack
detection by implementing full inspection based on rigorous state. It adopts concurrent detection
technology and supports flexible hardware&sofware configurations, greatly improving the intrusion
detection performance. The FIRST engine integrates protocol identification and characteristic matching.
It uses protocol identification to identify application layer protocols and detect abnormal protocols, and
uses characteristic matching to determine attacks. Only the traffic matching the specific attacking
characteristics of a detected abnormal protocol is considered as an attack. This method greatly improves
inspection preciseness and reduces false positive and false negative rates.
2. DDoS defense
SecBlade IPS cards can provide Distributed Denial of Service (DDoS) defense in various network
environments by performing deep analysis of DDoS attacks (including SYN flood, RST flood, ACK flood,
UDP flood, ICMP flood, Connection flood, CPS flood, DNS query flood and HTTP get flood), and using
advanced defense algorithms.
3. AV function
SecBlade IPS cards are integrated with the KasperSky anti-virus engine and virus definitions. The engine
adopts advanced anti-virus technologies such as the second generation heuristic code analysis method,
iChecker real-time monitoring and unique script virus interception, and can scan and kill viruses of
various types, such as file type, network type and mixed type. In addition, it incorporates the next
generation virtual machine unpack engine and behavior estimation technologies to kill derived viruses
and unknown viruses accurately.
4. URL filtering
SecBlade IPS cards provide the URL filtering function, which allows you to define URL filtering rules that
support regular expression to filter specific web pages.
5. Application based bandwidth control
Based on protocol identification, which can identify more than 1000 protocols, SecBlade IPS cards can
perform flexible bandwidth control to ensure bandwidth for critical applications by limiting non-critical
applications from using bandwidth.
6. Various actions
SecBlade IPS cards provide various actions to be taken on detected abnormal traffic, including stop,
restrict, TCP reset, get original packets, redirect, isolate, report syslogs, and record local logs. You can
combine actions as needed, and SecBlade IPS cards also provide some commonly used action
combinations.
7. Unified management and policy assignment
4
SecBlade IPS cards support local and distributed management modes. For a network with one or a small
number of SecBlade IPS cards deployed, you can manage the cards through the web interface
embedded. For a network with a large number of SecBlade IPS cards deployed, you can implement
unified upgrade, monitoring, analysis and policy management for the cards through the H3C security
management center SecCenter.
5
Features
Feature List
Table 1 Feature list of SecBlade IPS cards
Module Features
Web overview Device management User management
Network management High reliability Time table management
Actions management Log management IPS
URL filtering Anti-virus DDoS protection
Web Configuration
Bandwidth management Blacklist Reports
Commonly used network
application commands
Interface management
commands
Static route configuration
commands
CLI Configuration
Device management
commands
System basic
configuration commands
Encrypted P2P traffic
identification configuration
commands
6
Login
With the web network management function, the administrator can manage and maintain a SecBlade
IPS card through the web interface.
Follow these steps to log in to the web interface of the SecBlade IPS card.
1. Connect the SecBlade IPS card to a PC
• For the LSWM1IPS10 card
Prepare a console cable with a RJ 45 connector at one end and a DB9 female connector at the other.
Connect the RJ 45 connector to the console port of the switch, and connect the DB9 female connector to
the serial port of the PC. Then connect the management port of the SecBlade IPS card to the network
interface of the PC by using a crossover Ethernet cable.
Figure 1 Connect the SecBlade IPS card to a PC
PC
Switch & IPS card
Console cable
Ethernet cable
Serial interface
Ethernet interface
Management interface
(IPS card)
Console interface
(Switch)
• For a non-LSWM1IPS10 card
Prepare a console cable with a RJ 45 connector at one end and a DB9 female connector at the other.
Connect the RJ 45 connector to the console port of the SecBlade IPS card, and connect the DB9 female
connector to the serial port of the PC. Then connect the management port of the SecBlade IPS card to the
network interface of the PC by using a crossover Ethernet cable.
Figure 2 Connect the SecBlade IPS card to a PC
2. Set terminal parameters on the PC
Run the terminal emulator on the PC (for example, Terminal of Windows 3.X, hyper terminal of Windows
9X and Windows XP).
Set the bits per second to 9600, data bits to 8, parity to none, stop bits to 1, and flow control to none,.
NOTE:
Settings of terminal parameters depend on the device model.
7
3. Enter the CLI of the device
• For the LSWM1IPS10 card
Power on the switch. As the S5800 and S5820X are centralized stacking devices, you need to execute
the command for logging into the OAP system before you can enter the CLI of the LSWM1IPS10 card.
# Enter the CLI of the LSWM1IPS10 card.
<Sysname> oap connect slot 1 system SubSlot3
Press CTRL+K to quit.
Connected to SubSlot3!
The PC then displays the Power On Self Test (POST) information of the IPS card. After the POST, you are
prompted to enter the password (the default password is H3C, which is case-sensitive). Enter the correct
password to enter the CLI of the IPS card.
• For a non-LSWM1IPS10 card
Power on the switch or router. The PC shows the POST information of the IPS card. After the POST, you are
prompted to enter the system password, which defaults to H3C (case-sensitive). After you input the
correct password, you can enter the CLI of the IPS card.
4. Configure the management IP address of the IPS card (this step is optional; the default
management IP address is 192.168.1.1).
# Configure the management IP address of the IPS card (The default management interface of
LSWM1IPS10 card is meth 0/0, and that of other cards is meth 0/2. The following takes management
interface meth0/2 as an example.)
<Sysname> system-view
[Sysname] interface meth0/2 ←Enter the management interface
[Sysname-if] ip address 10.153.17.82 255.255.255.0 ←Configure the IP address and mask of
the management interface as 10.153.17.82/24
[Sysname-if] undo shutdown←Enable the management interface
The system automatically saves the above configuration.
5. Configure an IP address for the PC to ensure connectivity with the SecBlade IPS card.
Configure an IP address in the subnet 10.153.17.0/24 (except for 10.153.17.82), for example,
1 0 .15 3 .1 7. 8 3 .
6. Open the browser to login
Open the IE browser on the PC, and input the IP address 10.153.17.82 to enter the login interface shown
in
Figure 3.
On the login interface, input the default user name admin and the default password admin, and click
Login to log in to the device through the web interface.
8
Figure 3 web interface login interface
By default, the IPS card has HTTPS enabled, but does not have HTTP enabled. Therefore, for the first login,
only the HTTPS method is available. After the first login through HTTPS, you can enable HTTP as follows:
select System Management > Network Management > Management Interface from the navigation tree
to enter the page shown in
Figure 4.
Figure 4 HTTP/HTTPS configuration
Select the checkbox before HTTP and click Apply. A confirmation dialog box pops up, showing
“Changing the IP address of the management interface may break the network connection. Continue?”.
Click OK on the dialog box to complete configuration.
WARNING!
• The PC in
Figure 2 is a common configuration terminal and is not required to be a web network
management terminal.
• Do not log in to the web interface through both HTTP and HTTPS at the same time from a PC.
After the first login, H3C recommends changing the default password. For more information, see
User
Management
in the
H3C Intrusion Prevention System Web-Based Configuration Guide.
9
Switch/Router and SecBlade IPS Card Network
Configuration
NOTE:
For more information about the commands used in this chapter, see the Configuration Guides and
Command References shipped with switch and router that installated the SecBlade IPS Card.
LSWM1IPS10 Card Configuration
NOTE:
The LSWM1IPS10 card is only for S5800&S5820X series switches and supports the OAA feature.
Configuration Overview
The switch and the SecBlade IPS card are connected through internal 10GE interfaces. The switch uses
VLAN interfaces to perform Layer 3 forwarding. Configure redirection on the internal and external
network interfaces of the switch to redirect incoming IP packets to be forwarded through the VLAN
interfaces to the internal 10GE interface connected to the SecBlade IPS card. The switch performs normal
Layer-3 forwarding to the packets and then sends them to the SecBlade IPS card through its internal
10GE interface. The detailed data forwarding process is as follows.
From internal network to external network
1. A packet from the internal network enters the switch.
2. The switch reprocesses the packet for Layer 3 forwarding, during which the switch inserts an
outgoing VLAN tag in to the packet.
3. After the Layer 3 preprocessing, the switch redirects the packet to the SecBlade IPS card according
to the receiving port, the incoming VLAN and the outgoing port.
4. After reprocessing the packet, the SecBlade IPS card forwards the packet back to the switch.
5. The switch forwards the packet out its external network interface.
From external network to internal network
1. A packet from the external network enters the switch.
2. The switch preprocesses the packet for Layer 3 forwarding, during which the switch removes the
incoming VLAN tag from the packet.
3. After the Layer 3 preprocessing, the switch redirects the packet to the SecBlade IPS card according
to the receiving port, the incoming VLAN and the outgoing port.
4. After reprocessing the packet, the SecBlade IPS card forwards the packet back to the switch.
5. The switch forwards the packet out its internal network interface.
10
Configuration Procedure
Configuring the switch
Configure the switch as follows.
• Configure the Management Information Base (MIB) style of the switch.
• Configure SNMP parameters. Configure SNMPv3 users and adopt non-authentication and
non-encryption.
• Enable the ACFP server and the ACSEI server.
• Configure a VLAN, VLAN 100, for example, which must not conflict with any existing VLANs on the
switch, and configure an IP address for the VLAN interface.
• Configure the internal 10GE interface as an Access interface, add it to a VLAN for example VLAN
100 (which must be consistent with the VLAN ID configured on the OAA configuration page of the
SecBlade IPS card), and configure the interface’s port-connect-mode as extended.
• Save the configuration.
Follow these steps to configure the switch:
To do… Use the command… Remarks
Enter system view system-view —
Configure the MIB style of the
switch
mib-style [ new |
compatible ]
Required
• new: Specifies the MIB style H3C new.
With this style, both the sysOID and
private MIB of the switch are located
under the H3C enterprise ID 25506.
• compatible: Specifies the MIB style H3C
compatible. With this style, the sysOID
of the switch is located under the H3C
enterprise ID 25506, and the private
MIB is located under the enterprise ID
2011.
By default, the MIB style of the switch is
new.
You need to reboot the switch to validate
this configuration (you can reboot the
switch after completing all configurations).
CAUTION:
Make sure that the switch’s the MIB style is
new. If you specify compatible for the switch,
the switch cannot work normally.
Enable SNMP agent snmp-agent
Required
Disabled by default.
Set the SNMP version
snmp-agent sys-info
{ contact sys-contact |
location sys-location |
version { all | { v1 | v2c |
v3 }* } }
Required
The SecBlade IPS card supports only
SNMPv3.
By default, SNMPv3 applies.
11
To do… Use the command… Remarks
Create an SNMP group and set its
access right
For SNMP v3:
snmp-agent group v3
group-name
[ authentication | privacy ]
[ read-view read-view ]
[ write-view write-view ]
[ notify-view notify-view ]
[ acl acl-number ]
Required
By default, the SNMP group configured
with the snmp-agent group v3 command
uses non-authentication and
non-encryption.
Create or update a MIB view to
specify the MIB objects that the
NMS can access
snmp-agent mib-view
{ excluded | included }
view-name oid-tree [ mask
mask-value ]
Required
The default view is ViewDefault.
Add a user to the SNMP group
snmp-agent usm-user v3
user-name group-name
[ [ cipher ]
authentication-mode
{ md5 | sha }
auth-password
[ privacy-mode { des56 |
aes128 } priv-password ] ]
[ acl acl-number ]
Required
If you execute this command for the same
user repeatedly, the last configuration takes
effect.
Enable the ACFP server acfp server enable
Required
Disabled by default.
Enable the ACSEI server acsei server enable
Required
Disabled by default.
Create a VLAN
and enter VLAN
view
vlan { vlan-id1 [ to
vlan-id2 ] | all }
Required
Return to system
view
quit Required
Enter the specified
VLAN interface
view
interface vlan-interface
vlan-interface-id
Required
Before creating the VLAN interface, you
need to create the corresponding VLAN.
Otherwise, the VLAN interface cannot be
created.
Configure an IP
address and mask
for the VLAN
interface
ip address ip-address
{ mask | mask-length }
[ sub ]
Required
Not configured by default.
In general, you need to configure only one
IP address for a VLAN interface. To enable
a VLAN to connect multiple subnets, you
can configure multiple IP addresses for the
VLAN interface. One of them is the primary
IP address and others are secondary IP
addresses. On the S5800&S5820X series
switches, a VLAN interface can have up to
10 IP addresses configured.
Configure
the internal
10GE
interface
Return to system
view
quit Required
12
To do… Use the command… Remarks
Enter the view of
the 10GE interface
connected to the
SecBlade IPS card
interface
Ten-GigabitEthernet
interface-number
Required
Configure the link
type of the
interface as access
port link-type access
Required
By default, the link type of an interface is
access.
Add the interface
to a VLAN
port access vlan vlan-id
Required
Add the internal interface to the
management VLAN.
Configure the
extended port
connection mode
for the port
port connection-mode
extend
Required
Return to system
view
quit Required
Save the configuration to a
configuration file
save [ file-name | [ safely ]
Required
Configuring the SecBlade IPS card
Configure the SecBlade IPS card as follows.
• Configure the IP address of the management interface at the CLI and use the IP address to login to
the web interface of the SecBlade IPS card.
• Configure the internal interface and the OAA client and test its connectivity to the switch.
• Create security zones and add the interfaces of the switch to corresponding security zones.
• Create a segment and add internal and external zones to the segment.
Follow these steps to configure the SecBlade IPS card:
To do… Use the command… Remarks
Configure redirection from
the device to the OAP system
(for centralized stacking
devices/distributed devices)
oap connect [ slot slot-number ] system
system-name
Required
Perform this operation in user
view to enter the CLI of the
SecBlade IPS card.
Enter system view system-view —
Enter management interface
view
interface meth interface-number Optional
Configure an IP address for
the management interface
ip address ip-address mask
Optional
By default, the IP address of the
management interface meth0/0 is
192.168.1.1.
Enable the management
interface
undo shutdown
Required
Disabled by default.
13
To do… Use the command… Remarks
Use the IP address of the
management interface to
login to the web interface of
the SecBlade IPS card
—
Required
The default username and
password are both admin.
Configure the
OAA client
and internal
interface
Select System Management > Device
Management > OAA Configuration. Input
parameters in OAA Client Configuration
and Internal Interface Configuration to
complete OAA configuration.
Required
Configure
OAA
Test the
connectivity
Click the Test Connectivity button to test
the connectivity between the OAA client
and the server.
Required
Create security zones
Select System Management > Network
Management > Security Zone. Use the
Add button to create security zones and
add the interfaces of the S5800/S5820X
switch to the security zone.
Required
The interface list of the switch is
sent to the OAA board (the
SecBlade IPS card in this case),
and you can add interfaces to
security zones.
Create a segment
Select System Management > Network
Management > Segment Configuration.
Click Add Segment. Select a segment
number, the internal zone, and the
external zone.
Required
You need to specify the internal
interface when creating the
segment. The internal interface
connects to the switch.
Displaying the configuration
After completing above configurations, you can use the display command in any view of the SecBlade
IPS card to view forwarding information on the internal 10GE interface and verify you configurations.
To do… Use the command…
Display the running status and forwarding
information of the 10GE interface
display interface [ interface-name ]
Use the following commands on the switch to display ACFP information.
To do… Use the command…
Display the ACFP server information display acfp server-info
Display the ACFP client information display acfp client-info [ client-id ]
Display the ACFP policy information
display acfp policy-info [ client client-id [ policy-index ] |
dest-interface interface-type interface-number | global |
in-interface interface-type interface-number | out-interface
interface-type interface-number ] [ active | inactive ]
Display the ACFP rule information
display acfp rule-info { global | in-interface [ interface-type
interface-number ] | out-interface [ interface-type
interface-number ] | policy [ client-id policy-index ] }
14
Configuration Example
Network requirements
As shown in Figure 5, the switch has a SecBlade IPS card installed on slot 3. The switch uses
GigabitEthernet 1/0/15 to connect to the internal network, uses GigabitEthernet 1/0/16 to connect to
the external network, and uses its internal interface Ten-GigabitEthernet 1/3/1 to connect to the
SecBlade card’s internal interface Ten-GigabitEthernet 0/0. Traffic received on the switch’s interfaces
GigabitEthernet 1/0/15 and GigabitEthernet 1/0/16 must be sent to the SecBlade IPS card for
inspection.
Figure 5 S5800&S5820X switch and the LSWM1IPS card
Configuration procedure
1. Configure the switch
# Configure the H3C new MIB style. That is, the sysOID and private MIB are both under H3C enterprise
ID 25506. You need to reboot the switch to validate the configuration (You can reboot the switch after
completing all configurations).
<Sysname> system-view
[Sysname] mib-style new
# Configure SNMPv3 parameters.
[Sysname] snmp-agent
[Sysname] snmp-agent sys-info version all
[Sysname] snmp-agent group v3 v3group_no read-view iso write-view iso
[Sysname] snmp-agent mib-view included iso iso
[Sysname] snmp-agent usm-user v3 v3user_no v3group_no
# Enable the ACFP server and the ACSEI server.
[Sysname] acfp server enable
[Sysname] acsei server enable
# Configure the internal interface.
• Create VLAN 100 and configure an IP address for the VLAN interface. Make sure the VLAN does
not conflict with any existing VLAN.
[Sysname] vlan 100
[Sysname-vlan100] quit
[Sysname] interface Vlan-interface100
[Sysname-Vlan-interface100] ip address 100.100.100.1 255.255.255.0
[Sysname-Vlan-interface100] quit
15
• Configure the link type of the internal interface as access, add it to VLAN 100, which must be
consistent with the VLAN ID configured on the OAA configuration page of the SecBlade IPS card,
and configure its port-connect-mode as extended.
[Sysname] interface Ten-GigabitEthernet1/3/1
[Sysname-Ten-GigabitEthernet] port access vlan 100
[Sysname-Ten-GigabitEthernet] port connection-mode extend
[Sysname-Ten-GigabitEthernet] quit
# Save the configuration.
<Sysname> save
NOTE:
Make sure that the OAA card in sub-slot m of slot n corresponds to the switch’s internal interface
Ten-GigabitEthernet n/m/1. For example, the OAA card in sub-slot 3 of slot 1 corresponds to the switch’s
internal interface Ten-GigabitEthernet 1/3/1.
2. Configure the SecBlade IPS card
# Configure an IP address for the management interface and enable the management interface. This
configuration is optional. By default, the IP address of the management interface is 192.168.1.1. You can
also change this IP address through the web interface.
<Sysname> oap connect slot 1 system SubSlot3
<Sysname> system-view
[Sysname] interface meth0/0
[Sysname-if]ip address 192.168.0.11 255.255.255.0
[Sysname-if] undo shutdown
[Sysname-if] quit
# Log in to the web interface of the SecBlade IPS card. The username and password are both admin.
Figure 6 Log into the SecBlade IPS card
# Configure OAA.
• Configure the OAA client and the internal interface and test the connectivity to the switch.
16
Figure 7 Configure the OAA client
After completing configuration, click Test. If the following message appears, the switch is reachable.
Figure 8 Connectivity test result
# Configure security zones.
After completing OAA configuration on the SecBlade IPS card and the S5800/S5820X, you can add
any physical ports of the S5800/S5820X to a security zone except the internal interface.
In this example, Create internal security zone Inside add GigabitEthernet 1/0/15 to the internal security
zone, as shown in
Figure 9. Create external security zone Outside and add GigabitEthernet 1/0/16 to
the external security zone in the same way.
Figure 9 Create a security zone
GigabitEthernet1/0/15
GigabitEthernet1/0/15
# Configure a segment.
17
Figure 10 Create a segment
NOTE:
When creatin
g
a segment, you need to select the internal zone, external zone and the internal interface.
Figure 11 Configure the segment
TenGigabitEthernet1/2/1
LSQ1IPSSC0 Card Configuration (Only for the
S7500E Switch and Supporting OAA
Configuration)
NOTE:
The LSQ1IPSSC0 card is only for the S7500E switches and supports the OAA feature.
Configuration Overview
The switch and the SecBlade IPS card are connected through internal 10GE interfaces. With OAA
configured, the switch redirects traffic to the SecBlade IPS card through its 10GE interface automatically.
After processing the traffic, the SecBlade IPS card sends it back to the switch through its internal 10GE
interface, and the switch forwards the traffic. The detailed data forwarding process is as follows.
From internal network to external network
1. Packets from the internal network enter the switch.
2. The switch redirects the packets to the SecBlade IPS card.
3. After processing the packets, the SecBlade IPS card forwards them back to the switch.
4. The switch forwards the packets out its external network interface.
18
From external network to internal network
1. Packets from the external network enter the switch.
2. The switch redirects the packets to the SecBlade IPS card.
3. After processing the packets, the SecBlade IPS card forwards them back to the switch.
4. The switch forwards the packets out its internal network interface.
Configuration Procedure
Configuring the switch
Configure the switch as follows.
• Configure the MIB style of the switch.
• Configure SNMP parameters. Configure SNMPv3 users and adopt non-authentication and
non-encryption.
• Enable the ACFP server and the ACSEI server.
• Configure a VLAN, VLAN 100, for example, which must not conflict with any existing VLANs on the
switch, and configure an IP address for the VLAN interface.
• Configure the internal 10GE interface as a trunk interface, configure its default VLAN ID as 100
(which must be consistent with the VLAN ID configured on the OAA configuration page of the
SecBlade IPS card), configure the interface to permit packets of VLAN 2 through VLAN 4094 to
pass, and configure its connection mode as extended.
• Configure the traffic switching mode of the main control board of the switch.
• Save the configuration and reboot the switch.
Follow these steps to configure the switch:
To do… Use the command… Remarks
Enter system view system-view —
Configure the MIB style of the
switch
mib-style [ new |
compatible ]
Required
• new: Specifies the MIB style H3C new.
With this style, both the sysOID and
private MIB of the switch are located
under the H3C enterprise ID 25506.
• compatible: Specifies the MIB style H3C
compatible. With this style, the sysOID of
the switch is located under the H3C
enterprise ID 25506, and the private MIB
is located under the enterprise ID 2011.
By default, the MIB style of the switch is new.
You need to reboot the switch to validate the
configuration (you can reboot the switch
after completing all configurations).
CAUTION:
Make sure that the switch’s the MIB style is
new. If you specify compatible for the switch,
the switch cannot work normally.
Enable SNMP agent snmp-agent
Required
Disabled by default.
19
To do… Use the command… Remarks
Set the SNMP version
snmp-agent sys-info { contact
sys-contact | location
sys-location | version { all |
{ v1 | v2c | v3 }* } }
Required
Currently, the SecBlade IPS card only
supports SNMPv3.
By default, SNMPv3 applies.
Configure a new SNMP group
and configure its access right
For SNMP v3:
snmp-agent group v3
group-name [ authentication
| privacy ] [ read-view
read-view ] [ write-view
write-view ] [ notify-view
notify-view ] [ acl
acl-number ]
Required
By default, the SNMP group configured with
the snmp-agent group v3 command adopts
non-authentication and non-encryption.
Create or update a MIB view
to specify the MIB objects that
the NMS can access
snmp-agent mib-view
{ excluded | included }
view-name oid-tree [ mask
mask-value ]
Required
The default view is ViewDefault.
Add a user to the SNMP group
snmp-agent usm-user v3
user-name group-name
[ [ cipher ]
authentication-mode { md5 |
sha } auth-password
[ privacy-mode { des56 |
aes128 } priv-password ] ]
[ acl acl-number ]
Required
If you execute this command for the same
user repeatedly, the last configuration takes
effect.
Enable the ACFP server acfp server enable
Required
Disabled by default.
Enable the ACSEI server acsei server enable
Required
Disabled by default.
Loading...