H3C SecBlade FW User Manual

Contents
OAP card configuration ···· 1
  OAP card overview ···· 1
    Open Application Platform (OAP) ···· 1
    Redirecting to the SecBlade firewall card from the device ···· 1
    Configuring the management IP address of the SecBlade firewall card ···· 2
    Resetting the operating system of the SecBlade firewall card ···· 2
ACSEI configuration ···· 4
  ACSEI overview ···· 4
    ACSEI functions ···· 4
    ACSEI timers ···· 4
    ACSEI startup and running ···· 4
  ACSEI server configuration (supported on a host device) ···· 5
    Enabling ACSEI server ···· 5
    Configuring the clock synchronization timer ···· 5
    Configuring the monitoring timer ···· 5
    Closing an ACSEI client ···· 6
    Restarting an ACSEI client ···· 6
    Displaying and maintaining ACSEI server ···· 6
  Configuring ACSEI client (supported on a SecBlade firewall card) ···· 6
    Enabling ACSEI client ···· 6
    Displaying and maintaining ACSEI client ···· 7

OAP card overview

Open Application Platform (OAP)

The Open Application Platform (OAP) is developed by Hangzhou H3C Technologies Co., Ltd. (referred to as H3C hereinafter) to carry new services. An OAP card runs an independent operating system, in which you can load software such as security and voice applications as needed.
By using OAP, a primary network device such as an H3C S5800/S7500E/S9500E/S12500/SR6600/SR8800 integrates security functions through a firewall card. A SecBlade firewall card runs its own operating system and exchanges data, status information, and control information with the host device through its internal service interfaces.

Redirecting to the SecBlade firewall card from the device

You can redirect to the system of a SecBlade firewall card from a host device (such as an S5800/S7500E/S9500E/S12500/SR6600/SR8800) through the following operation. The terminal display is then switched from the command line interface of the host device to the operating interface of the system on the SecBlade firewall card. After the switch, you can press Ctrl+K to return to the command line interface of the host device.
CAUTION:
If you log in to a SecBlade firewall card using the following command from a host device, you log in to the SecBlade firewall card system as if you log in through the AUX port. Therefore, to ensure normal login, you need to set the authentication mode at login and the user level in AUX view on the SecBlade firewall card user interface.
Follow these steps to redirect from the device to the SecBlade firewall card:
To do… | Use the command… | Remarks
Redirect from the host device to the SecBlade firewall card (SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode) | oap connect slot slot-number | Required. Available in user view.
Redirect from the host device to the SecBlade firewall card (S5800) | oap connect slot slot-number system system-name | Required. Available in user view.
Redirect from the host device to the SecBlade firewall card (S7500E/S9500E/S12500 in IRF mode) | oap connect chassis chassis-number slot slot-number | Required. Available in user view.

Configuring the management IP address of the SecBlade firewall card

In the OAA system, a device and an OAP card are integrated and function as one device. To an SNMP network management station (NMS) based on the SNMP UDP domain, however, the device and the OAP card are independent SNMP agents. Physically, the two agents reside on the same managed object; logically, they belong to two different systems and manage their own MIB objects on the device and on the card separately. Therefore, to manage the device and the OAP card from the NMS through the same interface, you must first obtain the management IP addresses of the two SNMP agents and the link relationship between them before you can access the two agents. By default, the management IP address of an OAP card is not configured.
Follow these steps to configure the management IP address of an OAP card:
To do… | Use the command… | Remarks
Enter system view | system-view
Configure the management IP address of the SecBlade firewall card (S9500E/S12500 in standalone mode) | oap management-ip ip-address slot slot-number | Required. Not configured by default.
Configure the management IP address of the SecBlade firewall card (S9500E/S12500 in IRF mode) | oap management-ip ip-address chassis chassis-number slot slot-number | Required. Not configured by default.
CAUTION:
Before the above configuration, you are recommended to configure the same IP address at the OAP card side; otherwise, the NMS cannot access the OAP card by using the configured management IP address.

Resetting the operating system of the SecBlade firewall card

If the operating system of a SecBlade firewall card works abnormally or is in another faulty state, you can reset the system with the following command, which is equivalent to pressing the reset button on the firewall card.
A firewall card has its own CPU; therefore, the device can still recognize and control the firewall card after you reset its system. That is, restarting the firewall card does not restart the device.
Follow these steps to reset the system of the SecBlade firewall card:
To do… | Use the command… | Remarks
Reset the system of a SecBlade firewall card (SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode) | oap reboot slot slot-number | Required. Available in user view.
Reset the system of a SecBlade firewall card (S5800) | oap reboot slot slot-number system system-name | Required. Available in user view.
Reset the system of a SecBlade firewall card (S7500E/S9500E/S12500 in IRF mode) | oap reboot chassis chassis-number slot slot-number | Required. Available in user view.
CAUTION:
Reset of the firewall card may cause data loss and service interruption. Before resetting the firewall card, you must save the data on the operating system and shut down the operating system to avoid service interruption and hardware data loss.

ACSEI configuration

ACSEI overview

ACSEI is a private protocol that provides a method for exchanging information between ACFP clients and the ACFP server. It supports Application Control Forwarding Protocol (ACFP) collaboration by ensuring valid information interaction between the ACFP clients and the ACFP server, so that the server and clients can cooperate to run a service.
As a supporting protocol of ACFP, ACSEI also has two entities: server and client.
An H3C primary network device such as an S5800/S7500E/S9500E/S12500/SR6600/SR8800 that integrates security functions through a firewall card supports ACSEI and serves as the ACSEI server; a SecBlade firewall card supports ACSEI and serves as the ACSEI client.
ACSEI functions
ACSEI mainly provides the following functions:
- Registration and deregistration of an ACSEI client with the ACSEI server.
- ID assignment. The ACSEI server assigns IDs to ACSEI clients to distinguish between them.
- Mutual monitoring and awareness between an ACSEI client and the ACSEI server.
- Information interaction between the ACSEI server and ACSEI clients, including clock synchronization.
- Control of the ACSEI clients from the ACSEI server. For example, you can close or restart an ACSEI client on the ACSEI server.
An ACSEI server can register multiple ACSEI clients. The maximum number of ACSEI clients that an ACSEI server allows to register depends on the host device model.
ACSEI timers
An ACSEI server uses two timers, the clock synchronization timer and the monitoring timer.
- The clock synchronization timer periodically triggers the ACSEI server to send clock synchronization advertisements to ACSEI clients. You can set this timer through command lines.
- The monitoring timer periodically triggers the ACSEI server to send monitoring requests to ACSEI clients. You can set this timer through command lines.
An ACSEI client starts two timers, the registration timer and the monitoring timer.
- The registration timer periodically triggers the ACSEI client to multicast registration requests (with the multicast MAC address being 010F-E200-0021). You cannot set this timer.
- The monitoring timer periodically triggers the ACSEI client to send monitoring requests to the ACSEI server. You cannot set this timer.
ACSEI startup and running
ACSEI starts up and runs in the following procedure:
1. Enable ACSEI client.
2. Start up the device and enable the ACSEI server function on it.
3. The ACSEI client multicasts registration requests.
4. After the ACSEI server receives a valid registration request, it negotiates parameters with the ACSEI client and establishes a connection with the client if the negotiation succeeds.
5. The ACSEI server and the ACSEI client mutually monitor the connection.
6. If it detects the disconnection of the ACSEI client, the ACFP server removes the configuration and policies associated with the client.
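The six-step sequence above, modelled as an added Python example (not H3C code and not part of this manual): AcseiClient and AcseiServer are assumed names, and the rule that a client is dropped after MISSED_LIMIT unanswered monitoring rounds is an assumption, since the manual only says the two sides monitor the connection.

```python
"""Model of the six-step ACSEI startup and monitoring sequence.
Added illustration, not H3C code. Facts taken from the manual: the
registration multicast MAC 010F-E200-0021, client IDs 1 to 10, timer
ranges 0..1440 minutes and 0..10 seconds with 0 meaning disabled, and
the client states Closed, Reg_Sent and Open. The rule that a client is
treated as disconnected after MISSED_LIMIT unanswered monitoring rounds
is an assumption; the manual only says both sides monitor the link."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ACSEI_MULTICAST_MAC = "010F-E200-0021"
MAX_CLIENTS = 10
TIMER_LIMITS = {"clock-sync": 1440, "monitor": 10}
MISSED_LIMIT = 3  # assumption, see docstring


@dataclass
class AcseiClient:
    mac: str
    interface: str
    status: str = "Closed"
    client_id: Optional[int] = None

    def enable(self) -> dict:
        """Steps 1 and 3: acsei-client enable, then multicast a registration request."""
        self.status = "Reg_Sent"
        return {"dst": ACSEI_MULTICAST_MAC, "src": self.mac, "ifc": self.interface}


@dataclass
class AcseiServer:
    enabled: bool = False                                         # acsei server enable
    timers: Dict[str, int] = field(default_factory=lambda: {"clock-sync": 5, "monitor": 5})
    clients: Dict[int, AcseiClient] = field(default_factory=dict)
    policies: Dict[int, List[str]] = field(default_factory=dict)  # ACFP policies per client
    missed: Dict[int, int] = field(default_factory=dict)          # unanswered rounds per client

    def set_timer(self, name: str, value: int) -> None:
        """acsei timer clock-sync / acsei timer monitor with the documented ranges."""
        if name not in TIMER_LIMITS or not 0 <= value <= TIMER_LIMITS[name]:
            raise ValueError(f"{name}: value must be in 0..{TIMER_LIMITS.get(name)}")
        self.timers[name] = value

    def register(self, client: AcseiClient, request: dict) -> Optional[int]:
        """Step 4: a request is valid only on an enabled server and only if it was
        sent to the ACSEI multicast MAC; the lowest free ID is then assigned."""
        if not self.enabled or request.get("dst") != ACSEI_MULTICAST_MAC:
            return None
        free = [i for i in range(1, MAX_CLIENTS + 1) if i not in self.clients]
        if not free:
            return None
        cid = free[0]
        client.client_id, client.status = cid, "Open"
        self.clients[cid], self.missed[cid] = client, 0
        return cid

    def monitor_round(self, responding: Set[int]) -> List[int]:
        """Steps 5 and 6: one expiry of the monitoring timer. Clients silent for
        MISSED_LIMIT rounds in a row are dropped together with their policies.
        A monitor timer of 0 means the server does not monitor at all."""
        if self.timers["monitor"] == 0:
            return []
        dropped = []
        for cid in list(self.clients):
            self.missed[cid] = 0 if cid in responding else self.missed[cid] + 1
            if self.missed[cid] >= MISSED_LIMIT:
                self.clients.pop(cid).status = "Closed"
                self.policies.pop(cid, None)
                del self.missed[cid]
                dropped.append(cid)
        return dropped


def walkthrough() -> dict:
    """Run the six steps for one card (constructed MAC and interface names)."""
    card = AcseiClient(mac="00e0-fc0a-c3ef", interface="Ten-GigabitEthernet0/0")
    server = AcseiServer()
    req = card.enable()                      # steps 1 and 3
    before = server.register(card, req)      # server not enabled yet: request ignored
    server.enabled = True                    # step 2
    cid = server.register(card, req)         # step 4: ID assigned, client becomes Open
    server.policies[cid] = ["acfp-policy-1"]
    healthy = server.monitor_round({cid})    # step 5: client answers, nothing dropped
    dropped: List[int] = []
    for _ in range(MISSED_LIMIT):            # step 6: client goes silent
        dropped += server.monitor_round(set())
    return {"before_enable": before, "client_id": cid, "healthy": healthy,
            "dropped": dropped, "status": card.status,
            "policies_left": len(server.policies)}


if __name__ == "__main__":
    print(walkthrough())
```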

ACSEI server configuration (supported on a host device)

Enabling ACSEI server
Follow these steps to enable ACSEI server:
To do… | Use the command… | Remarks
Enter system view | system-view
Enable ACSEI server | acsei server enable | Required. Disabled by default.
Configuring the clock synchronization timer
Follow these steps to configure the clock synchronization timer:
To do… | Use the command… | Remarks
Enter system view | system-view
Enable the ACSEI server function | acsei server enable | Required
Enter ACSEI server view | acsei server
Configure the clock synchronization timer from ACSEI server to ACSEI client | acsei timer clock-sync minutes | Optional. Five minutes by default.
Configuring the monitoring timer
Follow these steps to configure the monitoring timer:
To do… | Use the command… | Remarks
Enter system view | system-view
Enable the ACSEI server function | acsei server enable | Required
Enter ACSEI server view | acsei server
Configure the monitoring timer for the ACSEI server to monitor the ACSEI client | acsei timer monitor seconds | Optional. Five seconds by default.
Closing an ACSEI client
Follow these steps to close an ACSEI client:
To do… | Use the command… | Remarks
Enter system view | system-view
Enable the ACSEI server function | acsei server enable | Required
Enter ACSEI server view | acsei server
Close the specified ACSEI client | acsei client close client-id | Required
Restarting an ACSEI client
Follow these steps to restart an ACSEI client:
To do… | Use the command… | Remarks
Enter system view | system-view
Enable the ACSEI server function | acsei server enable | Required
Enter ACSEI server view | acsei server
Restart the specified ACSEI client | acsei client reboot client-id | Required
Displaying and maintaining ACSEI server
To do… | Use the command… | Remarks
Display ACSEI client summary | display acsei client summary [ client-id ] | Available in any view
Display ACSEI client information | display acsei client info [ client-id ] | Available in any view

Configuring ACSEI client (supported on a SecBlade firewall card)

As a function supported by a SecBlade firewall card, ACSEI client is integrated into the software system of the SecBlade firewall card.
Enabling ACSEI client
Follow these steps to enable ACSEI client:
To do… | Use the command… | Remarks
Enter system view | system-view
Enter the interface view of the internal Ethernet interface | interface interface-type interface-number | Required
Enable ACSEI client | acsei-client enable | Required. Disabled by default.
Displaying and maintaining ACSEI client
To do… | Use the command… | Remarks
Display information about ACSEI client | display acsei-client information | Available in any view
Display the current state of ACSEI client | display acsei-client status | Available in any view
Contents
OAP card configuration commands ···· 1
  oap connect ···· 1
  oap management-ip ···· 2
  oap reboot ···· 3
ACSEI configuration commands ···· 5
  ACSEI server configuration commands ···· 5
    acsei client close ···· 5
    acsei client reboot ···· 5
    acsei server ···· 6
    acsei server enable ···· 6
    acsei timer clock-sync ···· 7
    acsei timer monitor ···· 7
    display acsei client info ···· 8
    display acsei client summary ···· 10
  ACSEI client configuration commands ···· 10
    acsei-client enable ···· 10
    display acsei-client information ···· 11
    display acsei-client status ···· 12

OAP card configuration commands

oap connect

Syntax
SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode:
oap connect slot slot-number
S5800:
oap connect slot slot-number system system-name
S7500E/S9500E/S12500 in IRF mode:
oap connect chassis chassis-number slot slot-number
View
User view
Default Level
2: System level
Parameters
slot slot-number: Specifies the OAP card residing in a slot. (SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode)
slot slot-number system system-name: Specifies the OAP card residing in a slot on an IRF member device. (S5800)
chassis chassis-number slot slot-number: Specifies the OAP card residing in a slot on an IRF member device. (S7500E/S9500E/S12500 in IRF mode)
Description
Use the oap connect command to redirect from the device to the OAP card.
You can press Ctrl+K to return from the operating system of the OAP card to the command line interface of the device.
Examples
# Redirect from the device to the OAP card in slot 3. (SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode)
<Sysname> oap connect slot 3
Press CTRL+K to quit.
Connected to OAP!
# Redirect from the device to the OAP card in slot 3 on member device 1. (S5800)
<Sysname> oap connect slot 1 system SubSlot3
Press CTRL+K to quit.
Connected to SubSlot3
# Redirect from the device to the OAP card in slot 5 on member device 2. (S7500E/S9500E/S12500 in IRF mode)
<Sysname> oap connect chassis 2 slot 5
Press CTRL+K to quit.
Connected to OAP!

oap management-ip

Syntax
S9500E/S12500 in standalone mode:
oap management-ip ip-address slot slot-number
undo oap management-ip slot slot-number
S9500E/S12500 in IRF mode:
oap management-ip ip-address chassis chassis-number slot slot-number
undo oap management-ip chassis chassis-number slot slot-number
View
System view
Default Level
2: System level
Parameters
slot slot-number: Number of the slot where an OAP card resides.
ip-address: Management IP address of the OAP card. This address must be configured on the OAP card beforehand.
chassis chassis-number slot slot-number: ID of the member device and number of the slot where an OAP card resides.
Description
Use the oap management-ip command to configure the management IP address of an OAP card.
Use the undo oap management-ip command to restore the default.
By default, the management IP address of an OAP card is not configured.
When you use a network management station (NMS) to manage an OAP card, you must first configure the management IP address of the OAP card.
Examples
# Configure the management IP address of the OAP card in slot 3 as 1.1.1.1. (S9500E/S12500 in standalone mode)
<Sysname> system-view
[Sysname] oap management-ip 1.1.1.1 slot 3
# Configure the management IP address of the OAP card in slot 5 on member device 2 as 1.1.1.1. (S9500E/S12500 in IRF mode)
<Sysname> system-view
[Sysname] oap management-ip 1.1.1.1 chassis 2 slot 5

oap reboot

Syntax
SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode:
oap reboot slot slot-number
S5800:
oap reboot slot slot-number system system-name
S7500E/S9500E/S12500 in IRF mode:
oap reboot chassis chassis-number slot slot-number
View
User view
Default Level
2: System level
Parameters
slot slot-number: Specifies the OAP card residing in a slot. (SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode)
slot slot-number system system-name: Specifies the OAP card residing in a slot on an IRF member device. (S5800)
chassis chassis-number slot slot-number: Specifies the OAP card residing in a slot on an IRF member device. (S7500E/S9500E/S12500 in IRF mode)
Description
Use the oap reboot command to reset the system of an OAP card.
Examples
# Reset the system of the OAP card in slot 3. (SR6600/SR8800, or S7500E/S9500E/S12500 in standalone mode)
<Sysname> oap reboot slot 3
This command will recover the OAP from shutdown or other failed state.
Warning: This command may lose the data on the hard disk if the OAP is not being shut down! Continue? [Y/N]:y
Reboot OAP by command.
# Reset the system of the OAP card in slot 3 on member device 1. (S5800)
<Sysname> oap reboot slot 1 system SubSlot3
This command will recover the SubSlot3 from shutdown or other failed state.
Warning: This command may lose the data on the hard disk if the SubSlot3 is not being shut down! Continue? [Y/N]:y
Reboot SubSlot3 by command.
# Reset the system of the OAP card in slot 5 on member device 2. (S7500E/S9500E/S12500 in IRF mode)
<Sysname> oap reboot chassis 2 slot 5
This command will recover the OAP from shutdown or other failed state.
Warning: This command may lose the data on the hard disk if the OAP is not being shut down! Continue? [Y/N]:y
Reboot OAP by command.

ACSEI configuration commands

ACSEI server configuration commands

acsei client close
Syntax
acsei client close client-id
View
ACSEI server view
Default Level
2: System level
Parameters
client-id: ID of the ACSEI client to be closed, in the range 1 to 10. An ACSEI client ID is assigned by the ACSEI server.
Description
Use the acsei client close command to close the specified ACSEI client.
Examples
# Close ACSEI client 1.
<Sysname> system-view
[Sysname] acsei server
[Sysname-acsei-server] acsei client close 1
acsei client reboot
Syntax
acsei client reboot client-id
View
ACSEI server view
Default Level
2: System level
Parameters
client-id: ID of the ACSEI client to be restarted, in the range 1 to 10.
Description
Use the acsei client reboot command to restart the specified ACSEI client.
Examples
# Restart ACSEI client 1.
<Sysname> system-view
[Sysname] acsei server
[Sysname-acsei-server] acsei client reboot 1
acsei server
Syntax
acsei server
View
System view
Default Level
2: System level
Parameters
None
Description
Use the acsei server command to enter ACSEI server view.
Examples
# Enter ACSEI server view.
<Sysname> system-view
[Sysname] acsei server
[Sysname-acsei-server]
acsei server enable
Syntax
acsei server enable
undo acsei server enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the acsei server enable command to enable ACSEI server.
Use the undo acsei server enable command to disable ACSEI server.
By default, ACSEI server is disabled.
Examples
# Enable ACSEI server.
<Sysname> system-view
[Sysname] acsei server enable
acsei timer clock-sync
Syntax
acsei timer clock-sync minutes
undo acsei timer clock-sync
View
ACSEI server view
Default Level
2: System level
Parameters
minutes: Value of the clock synchronization timer used for clock synchronization from ACSEI server to ACSEI client, in the range 0 to 1440 minutes. The value 0 disables clock synchronization from ACSEI server to ACSEI client.
Description
Use the acsei timer clock-sync command to set the synchronization timer that is used for clock synchronization from ACSEI server to ACSEI client.
Use the undo acsei timer clock-sync command to restore the default.
By default, the clock synchronization timer is set to five minutes.
Examples
# Set the clock synchronization timer from ACSEI server to ACSEI client to 20 minutes.
<Sysname> system-view
[Sysname] acsei server
[Sysname-acsei-server] acsei timer clock-sync 20
acsei timer monitor
Syntax
acsei timer monitor seconds
undo acsei timer monitor
View
ACSEI server view
Default Level
2: System level
Parameters
seconds: Value of the monitoring timer the ACSEI server uses to monitor ACSEI clients, in the range 0 to 10 seconds. The value 0 disables monitoring of ACSEI clients by the ACSEI server.
Description
Use the acsei timer monitor command to set the monitoring timer for the ACSEI server to monitor the ACSEI clients.
Use the undo acsei timer monitor command to restore the default.
By default, the monitoring timer is set to 5 seconds.
Examples
# Set the monitor timer for the ACSEI server to monitor the ACSEI clients to 6 seconds.
<Sysname> system-view
[Sysname] acsei server
[Sysname-acsei-server] acsei timer monitor 6
display acsei client info
Syntax
display acsei client info [ client-id ]
View
Any view
Default Level
1: Monitor level
Parameters
client-id: ID of an ACSEI client, in the range 1 to 10.
Description
Use the display acsei client info command to display ACSEI client information. The information is taken from the advertisement packets sent by the client, so for a client that has not advertised any information the command displays only the field names.
If executed without the client-id argument, the command displays information about all the ACSEI clients in order of registration time.
Examples
# Display information about ACSEI client 1.
<Sysname> display acsei client info 1
client ID: 1
client Description:
Hardware:
System Software:
Application Software:
CPU: Intel(R) Pentium(R) M processor 1.40GHz
PCB Version: 3.00
CPLD Version: 1.00
Bootrom Version: 1.12
CF card: 256 MB
Memory: 512 MB
Harddisk: 40.0 GB
# Display information about all ACSEI clients.
<Sysname> display acsei client info
Total client Number: 2
client ID: 1
client Description:
Hardware:
System Software:
Application Software:
CPU: Intel(R) Pentium(R) M processor 1.40GHz
PCB Version: 3.00
CPLD Version: 1.00
Bootrom Version: 1.12
CF card: 256 MB
Memory: 512 MB
Harddisk: 40.0 GB
client ID: 2
client Description:
Hardware:
System Software:
Application Software:
CPU: Intel(R) Pentium(R) M processor 1.40GHz
PCB Version: 3.00
CPLD Version: 1.00
Bootrom Version: 1.12
CF card: 256 MB
Memory: 512 MB
Harddisk: 40.0 GB
Table 1 Output description
Field | Description
client ID | ID of the ACSEI client
client Description | ACSEI client description
Hardware | Hardware version of the ACSEI client
System Software | System software name and version of the ACSEI client
Application Software | Application name and version of the ACSEI client
CPU | CPU information of the ACSEI client
PCB Version | PCB version of the ACSEI client
CPLD Version | CPLD version of the ACSEI client
Bootrom Version | Boot ROM version of the ACSEI client
CF card | CF card information of the ACSEI client
Memory | Memory information of the ACSEI client
Harddisk | Hard disk information of the ACSEI client
display acsei client summary
Syntax
display acsei client summary [ client-id ]
View
Any view
Default Level
1: Monitor level
Parameters
client-id: ID of an ACSEI client whose summary is to be displayed, in the range 1 to 10.
Description
Use the display acsei client summary command to display ACSEI client summary information. Summary information of multiple ACSEI clients is displayed in order of registration time.
If executed without the client-id argument, the command displays summary information about all the ACSEI clients.
Examples
# Display the summary of all ACSEI clients.
<Sysname> display acsei client summary
Total client Number: 1
client ID: 1
Status: Open
MAC Address: 00e0-fc0a-c3ef
Interface: Ten-GigabitEthernet3/0/1
Last registered: 02/08/2007 12:00:00
Table 2 Output description
Field | Description
client ID | ID of the ACSEI client
Status | ACSEI client status
MAC Address | MAC address of the ACSEI client
Interface | Interface carrying the ACSEI client
Last registered | The last registration time of the ACSEI client
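A parser and health check for this command's output, added here as an example script rather than anything from the manual; SAMPLE_OUTPUT is constructed from the output format shown above, and the "recently re-registered" window used by check_clients is an assumption of this script.

```python
"""Parser and health check for `display acsei client summary` output.
Added illustration, not H3C code. The sample below is constructed from
the output format shown in the command reference; the field names and
the Open/Closed/Reg_Sent status values come from the manual, while the
'recently re-registered' window is an assumption of this script."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: client 1 is healthy, client 2 has fallen back to
# Reg_Sent (registration in process), and the header count is correct.
SAMPLE_OUTPUT = """\
<Sysname> display acsei client summary
Total client Number: 2
client ID: 1
Status: Open
MAC Address: 00e0-fc0a-c3ef
Interface: Ten-GigabitEthernet3/0/1
Last registered: 02/08/2007 12:00:00
client ID: 2
Status: Reg_Sent
MAC Address: 00e0-fc0a-c3f0
Interface: Ten-GigabitEthernet4/0/1
Last registered: 02/07/2007 09:30:00
"""

TOTAL_RE = re.compile(r"^Total client Number:\s*(\d+)$")
FIELD_RE = re.compile(r"^(client ID|Status|MAC Address|Interface|Last registered):\s*(.*)$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # format of the Last registered field in the example output


def parse_summary(text: str) -> Tuple[int, List[Dict]]:
    """Return (count from the header, one dict per client). A 'client ID' line
    starts a new record; the echoed prompt and unknown lines are skipped."""
    total, clients, current = 0, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "client ID":
            current = {"client ID": int(value)}
            clients.append(current)
        elif current is not None:
            current[key] = value
    for c in clients:
        c["Last registered"] = datetime.strptime(c["Last registered"], TIME_FMT)
    return total, clients


def check_clients(text: str, now: datetime, recent: timedelta) -> List[str]:
    """Findings a periodic check would raise: header/record mismatch, any
    client not in the Open state, and any client whose last registration
    falls inside `recent` (the card re-registered, so it restarted or its
    link to the host was lost and re-established since the previous check)."""
    total, clients = parse_summary(text)
    findings = []
    if total != len(clients):
        findings.append(f"header reports {total} clients but {len(clients)} records were parsed")
    for c in clients:
        cid, status = c["client ID"], c.get("Status", "?")
        if status != "Open":
            findings.append(f"client {cid} on {c.get('Interface')} is {status}, not Open")
        if now - c["Last registered"] <= recent:
            findings.append(f"client {cid} re-registered at {c['Last registered']:%Y-%m-%d %H:%M:%S}")
    return findings


def demo_findings() -> List[str]:
    """Run the check on the constructed sample with a fixed 'now' and a 6-hour window."""
    return check_clients(SAMPLE_OUTPUT, datetime(2007, 2, 8, 14, 0, 0), timedelta(hours=6))


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```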

ACSEI client configuration commands

acsei-client enable
Syntax
acsei-client enable
undo acsei-client enable
View
Interface view
Default Level
2: System level
Parameters
None
Description
Use the acsei-client enable command to enable ACSEI client.
Use the undo acsei-client enable command to disable ACSEI client.
By default, ACSEI client is disabled.
Examples
# Enable ACSEI client on interface Ten-GigabitEthernet 0/0.
<Sysname> system-view
[Sysname] interface ten-gigabitEthernet 0/0
[Sysname-Ten-GigabitEthernet0/0] acsei-client enable
display acsei-client information
Syntax
display acsei-client information
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display acsei-client information command to display information about ACSEI client.
Examples
# Display information about the current ACSEI client.
<Sysname> display acsei-client information
Client Description: SecBlade II
Hardware: A.0
System Software: COMWAREV500R002B38D001
Application Software: V300R001B01D006
CPU: RMI XLR732 1000MHz
PCB Version: A.0
CPLD Version: 1.0
Bootrom Version: Basic BootRom Version:1.02,Extend BootRom Version:1.01
CF card: 256M Bytes Compact Flash Storage Device
Memory: 1024M Bytes DDR2 SDRAM Memory
Harddisk:
display acsei-client status
Syntax
display acsei-client status
View
Any view
Default Level
1: Monitor level
Parameters
None
Description
Use the display acsei-client status command to display the current state of ACSEI client.
Examples
# Display the current state of ACSEI client.
<Sysname> display acsei-client status
Client ID: 1
Status: Open
Slot Number: 1
Interface: Ten-GigabitEthernet0/0
Table 3 Output description
Field | Description
Client ID | ID of the ACSEI client
Status | ACSEI client status: Open: Enabled. Closed: Not enabled. Reg_Sent: Registration in process.
Slot Number | Sequence number of the slot where the ACSEI client resides
Interface | Interface enabled with ACSEI client