H3C SecBlade FW User Manual

Contents
OAP card configuration 1
  OAP card overview 1
    Open Application Platform (OAP) 1
    Redirecting to the SecBlade firewall card from the device 1
    Configuring the management IP address of the SecBlade firewall card 2
    Resetting the operating system of the SecBlade firewall card 2
ACSEI configuration 4
  ACSEI overview 4
    ACSEI functions 4
    ACSEI timers 4
    ACSEI startup and running 4
  ACSEI server configuration (supported on a host device) 5
    Enabling ACSEI server 5
    Configuring the clock synchronization timer 5
    Configuring the monitoring timer 5
    Closing an ACSEI client 6
    Restarting an ACSEI client 6
    Displaying and maintaining ACSEI server 6
  Configuring ACSEI client (supported on a SecBlade firewall card) 6
    Enabling ACSEI client 6
    Displaying and maintaining ACSEI client 7

OAP card overview

Open Application Platform (OAP)
OAP is developed by Hangzhou H3C Technologies Co., Ltd. (referred to as H3C hereinafter) to host new services. An OAP card runs an independent operating system, in which you can load software such as security and voice applications as needed.
Through OAP, H3C primary network devices such as the S5800/S7500E/S9500E/S12500/SR6600/SR8800 integrate security functions by means of firewall cards. A SecBlade firewall card runs an independent operating system and exchanges data, status information, and control information with the host device through its internal service interfaces.

Redirecting to the SecBlade firewall card from the device

You can redirect from a host device (such as an S5800/S7500E/S9500E/S12500/SR6600/SR8800) to the system of a SecBlade firewall card through the following operation. The terminal display is then switched from the command line interface of the host device to the operating interface of the system on the SecBlade firewall card. After the switch, you can press Ctrl+K to return to the command line interface of the host device.
CAUTION:
If you log in to a SecBlade firewall card using the following command from a host device, you log in to the SecBlade firewall card system as if you log in through the AUX port. Therefore, to ensure normal login, you need to set the authentication mode at login and the user level in AUX view on the SecBlade firewall card user interface.
Follow these steps to redirect from the device to the SecBlade firewall card:
To do… | Use the command… | Remarks
Redirect from the host device to the SecBlade firewall card (SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode) | oap connect slot slot-number | Required. Available in user view.
Redirect from the host device to the SecBlade firewall card (S5800) | oap connect slot slot-number system system-name | Required. Available in user view.
Redirect from the host device to the SecBlade firewall card (S7500E/S9500E/S12500 in IRF mode) | oap connect chassis chassis-number slot slot-number | Required. Available in user view.

Configuring the management IP address of the SecBlade firewall card

In the OAA system, a device and an OAP card integrate together and function as one device. For an SNMP UDP Domain-based network management station (NMS), however, the device and the OAP card are independent SNMP agents. Physically, the two agents are on the same managed object; logically, they belong to two different systems and manage their own MIB objects on the device and the card separately. Therefore, when you use the NMS to manage the device and the OAP card on the same interface, you must first obtain the management IP addresses of the two SNMP agents and the link relationship between them before you can access the two agents. By default, the management IP address of an OAP card is not configured.
Follow these steps to configure the management IP address of an OAP card:
To do… | Use the command… | Remarks
Enter system view | system-view | 
Configure the management IP address of the SecBlade firewall card (S9500E/S12500 in standalone mode) | oap management-ip ip-address slot slot-number | Required. Not configured by default.
Configure the management IP address of the SecBlade firewall card (S9500E/S12500 in IRF mode) | oap management-ip ip-address chassis chassis-number slot slot-number | Required. Not configured by default.
CAUTION:
Before the above configuration, you are recommended to configure the same IP address at the OAP card side; otherwise, the NMS cannot access the OAP card by using the configured management IP address.

Resetting the operating system of the SecBlade firewall card

If the operating system works abnormally or is in another anomalous state, you can reset the system of a SecBlade firewall card with the following command, which is equivalent to pressing the reset button on the firewall card.
A firewall card has its own independent CPU; therefore, the device can still recognize and control the firewall card after you reset the system. That is, a restart of the firewall card does not cause a restart of the device.
Follow these steps to reset the system of the SecBlade firewall card:
To do… | Use the command… | Remarks
Reset the system of a SecBlade firewall card (SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode) | oap reboot slot slot-number | Required. Available in user view.
Reset the system of a SecBlade firewall card (S5800) | oap reboot slot slot-number system system-name | Required. Available in user view.
Reset the system of a SecBlade firewall card (S7500E/S9500E/S12500 in IRF mode) | oap reboot chassis chassis-number slot slot-number | Required. Available in user view.
CAUTION:
Reset of the firewall card may cause data loss and service interruption. Before resetting the firewall card, you must save the data on the operating system and shut down the operating system to avoid service interruption and hardware data loss.

ACSEI configuration

ACSEI overview

ACSEI is a private protocol that provides a method for exchanging information between ACFP clients and the ACFP server. It supports Application Control Forwarding Protocol (ACFP) collaboration by ensuring valid information interaction between the ACFP clients and the ACFP server, so that the ACFP server and clients can cooperate to run a service.
As a supporting protocol of ACFP, ACSEI also has two entities: server and client.
An H3C primary network device such as an S5800/S7500E/S9500E/S12500/SR6600/SR8800 that integrates security functions using a firewall card supports ACSEI and serves as the ACSEI server; a SecBlade firewall card supports ACSEI and serves as the ACSEI client.
ACSEI functions
ACSEI mainly provides the following functions:
• Registration and deregistration of an ACSEI client to the ACSEI server.
• ID assignment. The ACSEI server assigns IDs to ACSEI clients to distinguish between them.
• Mutual monitoring and awareness between an ACSEI client and the ACSEI server.
• Information interaction between the ACSEI server and ACSEI clients, including clock synchronization.
• Control of the ACSEI clients on the ACSEI server. For example, you can close or restart an ACSEI client on the ACSEI server.
An ACSEI server can register multiple ACSEI clients. The maximum number of ACSEI clients that an ACSEI server allows to register depends on the host device model.
ACSEI timers
An ACSEI server uses two timers, the clock synchronization timer and the monitoring timer.
• The clock synchronization timer periodically triggers the ACSEI server to send clock synchronization advertisements to ACSEI clients. You can set this timer through command lines.
• The monitoring timer periodically triggers the ACSEI server to send monitoring requests to ACSEI clients. You can set this timer through command lines.
An ACSEI client starts two timers, the registration timer and the monitoring timer.
• The registration timer periodically triggers the ACSEI client to multicast registration requests (with the multicast MAC address being 010F-E200-0021). You cannot set this timer.
• The monitoring timer periodically triggers the ACSEI client to send monitoring requests to the ACSEI server. You cannot set this timer.
ACSEI startup and running
ACSEI starts up and runs in the following procedure:
1. Enable ACSEI client.
2. Start up the device and enable the ACSEI server function on it.
3. The ACSEI client multicasts registration requests.
4. After the ACSEI server receives a valid registration request, it negotiates parameters with the ACSEI client and establishes a connection with the client if the negotiation succeeds.
5. The ACSEI server and the ACSEI client mutually monitor the connection.
6. If it detects the disconnection of the ACSEI client, the ACFP server removes the configuration and policies associated with the client.
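The following is an added model of the registration, ID assignment and monitoring behaviour described above; it is constructed for illustration and is not H3C's code or the ACSEI wire format. The two-client limit and the three-missed-replies threshold are assumptions (the manual states neither), as is using a client's MAC as its identity.

```python
from dataclasses import dataclass, field

ACSEI_REG_MULTICAST_MAC = "010F-E200-0021"  # registration multicast address from the manual


@dataclass
class AcseiClient:
    mac: str
    client_id: int
    policies: list = field(default_factory=list)  # ACFP policies tied to this client
    missed_replies: int = 0


class AcseiServer:
    """Assigns IDs to registering clients, monitors them, and drops the
    configuration and policies of a client whose connection is lost."""

    def __init__(self, max_clients=2, miss_limit=3):
        self.max_clients = max_clients  # real limit depends on the host device model (assumed)
        self.miss_limit = miss_limit    # assumed threshold; not stated in the manual
        self.clients = {}               # client_id -> AcseiClient
        self.next_id = 1

    def register(self, src_mac, dst_mac):
        """Handle one registration request; return the assigned ID or None if rejected."""
        if dst_mac != ACSEI_REG_MULTICAST_MAC:
            return None  # not a valid registration request
        for c in self.clients.values():
            if c.mac == src_mac:
                return c.client_id  # retransmitted request keeps its ID
        if len(self.clients) >= self.max_clients:
            return None  # registration limit for this host reached
        cid, self.next_id = self.next_id, self.next_id + 1
        self.clients[cid] = AcseiClient(src_mac, cid)
        return cid

    def monitor_tick(self, replying_macs):
        """One monitoring-timer period; return IDs of clients declared disconnected."""
        lost = []
        for cid, c in list(self.clients.items()):
            if c.mac in replying_macs:
                c.missed_replies = 0
                continue
            c.missed_replies += 1
            if c.missed_replies >= self.miss_limit:
                lost.append(cid)
                del self.clients[cid]  # its policies are removed with it
        return lost

    def close_client(self, client_id):
        """Administrative close, the counterpart of 'acsei client close client-id'."""
        return self.clients.pop(client_id, None) is not None
```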

ACSEI server configuration (supported on a host device)

Enabling ACSEI server
Follow these steps to enable ACSEI server:
To do… | Use the command… | Remarks
Enter system view | system-view | 
Enable ACSEI server | acsei server enable | Required. Disabled by default.
Configuring the clock synchronization timer
Follow these steps to configure the clock synchronization timer:
To do… | Use the command… | Remarks
Enter system view | system-view | 
Enable the ACSEI server function | acsei server enable | Required
Enter ACSEI server view | acsei server | 
Configure the clock synchronization timer from ACSEI server to ACSEI client | acsei timer clock-sync minutes | Optional. Five minutes by default.
Configuring the monitoring timer
Follow these steps to configure the monitoring timer:
To do… | Use the command… | Remarks
Enter system view | system-view | 
Enable the ACSEI server function | acsei server enable | Required
Enter ACSEI server view | acsei server | 
Configure the monitoring timer for the ACSEI server to monitor the ACSEI client | acsei timer monitor seconds | Optional. Five seconds by default.
Closing an ACSEI client
Follow these steps to close an ACSEI client:
To do… | Use the command… | Remarks
Enter system view | system-view | 
Enable the ACSEI server function | acsei server enable | Required
Enter ACSEI server view | acsei server | 
Close the specified ACSEI client | acsei client close client-id | Required
Restarting an ACSEI client
Follow these steps to restart an ACSEI client:
To do… | Use the command… | Remarks
Enter system view | system-view | 
Enable the ACSEI server function | acsei server enable | Required
Enter ACSEI server view | acsei server | 
Restart the specified ACSEI client | acsei client reboot client-id | Required
Displaying and maintaining ACSEI server
To do… | Use the command… | Remarks
Display ACSEI client summary | display acsei client summary [ client-id ] | Available in any view
Display ACSEI client information | display acsei client info [ client-id ] | Available in any view

Configuring ACSEI client (supported on a SecBlade firewall card)

As a function supported by a SecBlade firewall card, ACSEI client is integrated into the software system of the SecBlade firewall card.
Enabling ACSEI client
Follow these steps to enable ACSEI client:
To do… | Use the command… | Remarks
Enter system view | system-view | 
Enter the interface view of the internal Ethernet interface | interface interface-type interface-number | Required
Enable ACSEI client | acsei-client enable | Required. Disabled by default.