Open Application Platform (OAP)
Redirecting to the SecBlade firewall card from the device
Configuring the management IP address of the SecBlade firewall card
Resetting the operating system of the SecBlade firewall card
ACSEI startup and running
ACSEI server configuration (supported on a host device)
Enabling ACSEI server
Configuring the clock synchronization timer
Configuring the monitoring timer
Closing an ACSEI client
Restarting an ACSEI client
Displaying and maintaining ACSEI server
Configuring ACSEI client (supported on a SecBlade firewall card)
Displaying and maintaining ACSEI client
OAP card configuration
OAP card overview
Open Application Platform (OAP) is developed by Hangzhou H3C Technologies Co., Ltd. (referred to as H3C hereinafter) and is aimed at new
services. An OAP card runs an independent operating system, into which you can load software such as
security and voice software as needed.
Using OAP, primary H3C network devices such as the
S5800/S7500E/S9500E/S12500/SR6600/SR8800 integrate security functions by means of
firewall cards. A SecBlade firewall card runs an independent operating system and exchanges data,
status information and control information with the device through its internal service interfaces.
Redirecting to the SecBlade firewall card from the device
You can redirect to the system of a SecBlade firewall card from a host device (such as an
S5800/S7500E/S9500E/S12500/SR6600/SR8800) through the following operation. The
terminal display then switches from the command line interface of the host device to the
operating interface of the system on the SecBlade firewall card. After the switch, you can press Ctrl+K to
return to the command line interface on the host device.
CAUTION:
If you log in to a SecBlade firewall card using the following command from a host device, you log in to the
SecBlade firewall card system as if you log in through the AUX port. Therefore, to ensure normal login,
you need to set the authentication mode at login and the user level in AUX view on the SecBlade firewall
card user interface.
Follow these steps to redirect from the device to the SecBlade firewall card:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Redirect from the host device to the SecBlade firewall card (SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode) | oap connect slot slot-number | Required. Available in user view |
| Redirect from the host device to the SecBlade firewall card (S5800) | oap connect slot slot-number system system-name | Required. Available in user view |
| Redirect from the host device to the SecBlade firewall card (S7500E/S9500E/S12500 in IRF mode) | oap connect chassis chassis-number slot slot-number | Required. Available in user view |
Configuring the management IP address of the SecBlade firewall card
In the OAA system, a device and an OAP card are integrated and function as one device. To an
SNMP UDP domain-based network management station (NMS), however, the device and the OAP card are
independent SNMP agents. Physically, the two agents are on the same managed object; logically,
they belong to two different systems and manage their own MIB objects on the device and the card
separately. Therefore, when you use the NMS to manage the device and the OAP card on the same
interface, you must first obtain the management IP addresses of the two SNMP agents and the link
relationship between them before you can access the two agents. By default, the management IP
address of an OAP card is not configured.
Follow these steps to configure the management IP address of an OAP card:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Configure the management IP address of the SecBlade firewall card (S9500E/S12500 in standalone mode) | | |
| Configure the management IP address of the SecBlade firewall card (S9500E/S12500 in IRF mode) | | |
CAUTION:
Before the above configuration, you are recommended to configure the same IP address at the OAP card
side; otherwise, the NMS cannot access the OAP card by using the configured management IP address.
Resetting the operating system of the SecBlade firewall card
If the operating system works abnormally or shows other anomalies, you can reset the system of a
SecBlade firewall card with the following command, which is equivalent to resetting the firewall card by
pressing the reset button on the firewall card.
A firewall card has its independent CPU; therefore, the device can still recognize and control the firewall
card after you reset the system. That is, restart of the firewall card does not result in the restart of the
device.
Follow these steps to reset the system of the SecBlade firewall card:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Reset the system of a SecBlade firewall card (SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode) | oap reboot slot slot-number | Required. Available in user view |
| Reset the system of a SecBlade firewall card (S5800) | oap reboot slot slot-number system system-name | Required. Available in user view |
| Reset the system of a SecBlade firewall card (S7500E/S9500E/S12500 in IRF mode) | | |
Reset of the firewall card may cause data loss and service interruption. Before resetting the firewall card,
you must save the data on the operating system and shut down the operating system to avoid service
interruption and hardware data loss.
ACSEI configuration
ACSEI overview
As a private protocol, ACSEI provides a method for exchanging information between ACFP clients and
the ACFP server. It supports Application Control Forwarding Protocol (ACFP) collaboration by ensuring
valid information exchange between the ACFP clients and the ACFP server, so that the ACFP server and
clients can cooperate to run a service.
As a supporting protocol of ACFP, ACSEI also has two entities: server and client.
A primary network device such as an S5800/S7500E/S9500E/S12500/SR6600/SR8800 of H3C
that integrates security functions using a firewall card supports ACSEI, serving as the ACSEI server; a
SecBlade firewall card supports ACSEI, serving as the ACSEI client.
ACSEI functions
ACSEI mainly provides the following functions:
• Registration and deregistration of an ACSEI client to the ACSEI server.
• ID assignment. The ACSEI server assigns IDs to ACSEI clients to distinguish between them.
• Mutual monitoring and awareness between an ACSEI client and the ACSEI server.
• Information interaction between the ACSEI server and ACSEI clients, including clock
synchronization.
• Control of the ACSEI clients on the ACSEI server. For example, you can close or restart an
ACSEI client from the ACSEI server.
An ACSEI server can register multiple ACSEI clients. The maximum number of ACSEI clients that an
ACSEI server allows to register depends on the host device model.
ACSEI timers
An ACSEI server uses two timers, the clock synchronization timer and the monitoring timer.
• The clock synchronization timer is used to periodically trigger the ACSEI server to send clock
synchronization advertisements to ACSEI clients. You can set this timer through command lines.
• The monitoring timer is used to periodically trigger the ACSEI server to send monitoring requests to
ACSEI clients. You can set this timer through command lines.
An ACSEI client starts two timers, the registration timer and the monitoring timer.
• The registration timer is used to periodically trigger the ACSEI client to multicast registration requests
(with the multicast MAC address being 010F-E200-0021). You cannot set this timer.
• The monitoring timer is used to periodically trigger the ACSEI client to send monitoring requests to
the ACSEI server. You cannot set this timer.
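Because ACSEI clients multicast their registration requests to the fixed address 010F-E200-0021, a capture on the relevant segment can be checked for senders that are not known firewall cards. The following Python code is an added example, not part of the H3C guide; the sample frames, the source addresses and the EtherType are constructed placeholders, since this page does not describe the ACSEI frame format.

```python
import struct

# Multicast MAC this page gives for ACSEI registration requests (H3C notation).
ACSEI_REG_MAC = "010F-E200-0021"

def norm_mac(text):
    """Normalize xxxx-xxxx-xxxx, xx:xx:... or bare hex to 12 lowercase hex digits."""
    digits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def parse_ethernet(frame):
    """Return (dst, src, ethertype, vlan); raises struct.error on a truncated frame."""
    dst, src = frame[0:6].hex(), frame[6:12].hex()
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if ethertype == 0x8100:  # 802.1Q tag: 2-byte TCI, then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    return dst, src, ethertype, vlan

def unexpected_registrants(frames, known_cards):
    """(source MAC, VLAN) of frames sent to the registration address by unknown senders."""
    target = norm_mac(ACSEI_REG_MAC)
    known = {norm_mac(m) for m in known_cards}
    hits = []
    for frame in frames:
        try:
            dst, src, _ethertype, vlan = parse_ethernet(frame)
        except struct.error:
            continue  # skip runt frames instead of aborting the whole capture
        if dst == target and src not in known:
            hits.append((src, vlan))
    return hits

# Constructed sample frames. The addresses and EtherType 0x88B5 (IEEE local
# experimental) are placeholders, not values taken from the guide.
def make_frame(dst, src, vlan=None):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    header = bytes.fromhex(norm_mac(dst) + norm_mac(src)) + tag
    return header + struct.pack("!H", 0x88B5) + bytes(46)

SAMPLE = [
    make_frame("010F-E200-0021", "000F-E200-0A01"),           # known card registering
    make_frame("010F-E200-0021", "0200-0000-00AA", vlan=30),  # unknown sender, VLAN 30
    make_frame("FFFF-FFFF-FFFF", "0200-0000-00AA"),           # unrelated broadcast
    b"\x01\x0f",                                              # truncated frame
]
```

Calling `unexpected_registrants(SAMPLE, ["000f-e200-0a01"])` reports only the untagged-as-known sender on VLAN 30; a source MAC is an inventory hint rather than proof of identity, so treat a hit as a prompt to check the port it arrived on.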
ACSEI startup and running
ACSEI starts up and runs as follows:
1. Enable ACSEI client.
2. Start up the device and enable the ACSEI server function on it.
3. The ACSEI client multicasts registration requests.
4. After the ACSEI server receives a valid registration request, it negotiates parameters with the
ACSEI client and establishes a connection with the client if the negotiation succeeds.
5. The ACSEI server and the ACSEI client mutually monitor the connection.
6. If detecting the disconnection of the ACSEI client, the ACFP server will remove the configuration
and policies associated with the client.
ACSEI server configuration (supported on a host device)
Enabling ACSEI server
Follow these steps to enable ACSEI server:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable ACSEI server | acsei server enable | Required. Disabled by default. |
Configuring the clock synchronization timer
Follow these steps to configure the clock synchronization timer:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable the ACSEI server function | acsei server enable | Required |
| Enter ACSEI server view | acsei server | — |
| Configure the clock synchronization timer from ACSEI server to ACSEI client | acsei timer clock-sync minutes | Optional. Five minutes by default. |
Configuring the monitoring timer
Follow these steps to configure the monitoring timer:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable the ACSEI server function | acsei server enable | Required |
| Enter ACSEI server view | acsei server | — |
| Configure the monitoring timer for the ACSEI server to monitor the ACSEI client | acsei timer monitor seconds | Optional. Five seconds by default. |
Closing an ACSEI client
Follow these steps to close an ACSEI client:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable the ACSEI server function | acsei server enable | Required |
| Enter ACSEI server view | acsei server | — |
| Close the specified ACSEI client | acsei client close client-id | Required |
Restarting an ACSEI client
Follow these steps to restart an ACSEI client:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable the ACSEI server function | acsei server enable | Required |
| Enter ACSEI server view | acsei server | — |
| Restart the specified ACSEI client | acsei client reboot client-id | Required |