manualshive.com logo in svg

H3C SecBlade, User Manual

Share
Download
H3C SecBlade User Manual Download Page 29

 

22 

To do… 

Use the command… 

Remarks 

Configure the 
OAA client 
and internal 

interface 

Select 

System Management > Device 

Management > OAA Configuration

. Input 

parameters in 

OAA Client Configuration

 

and 

Internal Interface Configuration

 to 

complete OAA configuration.   

Required 

Configure 
OAA 

Test the 
connectivity 

Click the 

Test

 

Connectivity 

button to test 

the connectivity between the OAA client 

and the server.  

Required 

Create security zones 

Select 

System Management > Network 

Management > Security Zone

. Use the 

Add

 button to create security zones and 

add the interfaces of the S7500E switch to 

the security zone. 

Required 
The interface list of the switch is 
sent to the OAA board (the 

SecBlade IPS card in this case), 

and you can add interfaces to 

security zones.  

Create a segment 

Select 

System Management > Network 

Management > Segment Configuration

Click 

Add Segment

. Select a segment 

number, the internal zone, and the 

external zone.  

Required 
You need to specify the internal 
interface when creating the 

segment. The internal interface 
connects to the switch.  

 

Displaying the configuration 

After completing above configurations, you can use the 

display

 command in any view of the SecBlade 

IPS card to view forwarding information on the internal 10GE interface and verify you configurations. 

To do… 

Use the command… 

Display the running status and forwarding 
information of the 10GE interface 

display

 

interface

 [ 

interface-name

 ]

 

 

Use the following commands on the switch to display ACFP information. 

To do… 

Use the command… 

Display the ACFP server information 

display acfp server-info 

Display the ACFP client information 

display acfp client-info

 [ 

client-id

 ]

 

Display the ACFP policy information 

display acfp policy-info

 [ 

client

 

client-id

 [ 

policy-index

 ] |

 

dest-interface

  

interface-type interface-number

 | 

global

 | 

in-interface

 

interface-type interface-number

 | 

out-interface

 

interface-type interface-number 

] [ 

active

 | 

inactive

 ]

 

Display the ACFP rule information 

display acfp rule-info

 { 

global

 | 

in-interface

 [ 

interface-type 

interface-number

 ] | 

out-interface

 [ 

interface-type 

interface-number

 ] | 

policy

 [ 

client-id policy-index

 ] }

 

 

Configuration Example 

Network requirements 

As shown in 

Figure 12

, the switch has a SecBlade IPS card installed on slot 2. The switch uses 

GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to connect to the internal network, uses 

GigabitEthernet 3/0/20 to connect to the external network, and uses its internal interface 

Summary of Contents for SecBlade

Page 1: ...H3C SecBlade IPS Cards User Manual Hangzhou H3C Technologies Co Ltd http www h3c com Document version 5PW104 20101210 ...

Page 2: ...mware Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensure accuracy of ...

Page 3: ...commands and keywords that you enter literally as shown Italic Italic text represents arguments that you replace with actual values Square brackets enclose syntax choices keywords or arguments that are optional x y Braces enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices separated by vertical b...

Page 4: ...rds Document Set The H3C SecBlade IPS cards documentation set includes Category Documents Purposes Marketing brochures Describe product specifications and benefits Product description and specifications Technology white papers Provide an in depth description of software features and technologies Card Manual Provides the card types hardware specifications and interface attributes Software Upgrade G...

Page 5: ...dware installation software upgrading and software feature configuration and maintenance documentation Products Solutions Provides information about products and technologies as well as solutions Technical Support Documents Software Download Provides the documentation released with the software version Technical support customer_service h3c com http www h3c com Documentation feedback You can e mai...

Page 6: ...xample 22 LSB1IPS1A0 Card Configuration 27 Configuration Overview 27 Configuration Procedure 28 Configuration Example 31 LSR1IPS1A1 Card Configuration 35 Configuration Overview 35 Configuration Procedure 36 Configuration Example 40 LST1IPS1A1 Card Configuration 44 Configuration Overview 44 Configuration Procedure 45 Configuration Example 49 SPE IPS 200 Card Configuration 53 Configuration Overview ...

Page 7: ...ii Index 78 ...

Page 8: ...d presents the configurations on the switch router and the SecBlade IPS card and provides configuration examples Appendix OAA Configuration Describes OAA basic principles and configuration procedure and gives configuration examples Related Manuals For the installation startup and configuration software upgrade and hardware maintenance of the SecBlade IPS cards see the H3C SecBlade Cards Software U...

Page 9: ...al time to precisely identify and stop limit various attacks and network abuses such as hackers worms viruses Trojans DoS DDoS scans spyware protocol anomalies phishing P2P IM and network games and to ensure the security service continuity and performance of network applications H3C IPS products can also be deployed in bypass mode to implement intrusion detection In addition H3C IPS products provi...

Page 10: ...lade IPS cards can provide Distributed Denial of Service DDoS defense in various network environments by performing deep analysis of DDoS attacks including SYN flood RST flood ACK flood UDP flood ICMP flood Connection flood CPS flood DNS query flood and HTTP get flood and using advanced defense algorithms 3 AV function SecBlade IPS cards are integrated with the KasperSky anti virus engine and viru...

Page 11: ...umber of SecBlade IPS cards deployed you can manage the cards through the web interface embedded For a network with a large number of SecBlade IPS cards deployed you can implement unified upgrade monitoring analysis and policy management for the cards through the H3C security management center SecCenter ...

Page 12: ...t Actions management Log management IPS URL filtering Anti virus DDoS protection Web Configuration Bandwidth management Blacklist Reports Commonly used network application commands Interface management commands Static route configuration commands CLI Configuration Device management commands System basic configuration commands Encrypted P2P traffic identification configuration commands ...

Page 13: ...h IPS card Console cable Ethernet cable Serial interface Ethernet interface Management interface IPS card Console interface Switch For a non LSWM1IPS10 card Prepare a console cable with a RJ 45 connector at one end and a DB9 female connector at the other Connect the RJ 45 connector to the console port of the SecBlade IPS card and connect the DB9 female connector to the serial port of the PC Then c...

Page 14: ...nt IP address of the IPS card this step is optional the default management IP address is 192 168 1 1 Configure the management IP address of the IPS card The default management interface of LSWM1IPS10 card is meth 0 0 and that of other cards is meth 0 2 The following takes management interface meth0 2 as an example Sysname system view Sysname interface meth0 2 Enter the management interface Sysname...

Page 15: ...e checkbox before HTTP and click Apply A confirmation dialog box pops up showing Changing the IP address of the management interface may break the network connection Continue Click OK on the dialog box to complete configuration WARNING The PC in Figure 2 is a common configuration terminal and is not required to be a web network management terminal Do not log in to the web interface through both HT...

Page 16: ...rwarding process is as follows From internal network to external network 1 A packet from the internal network enters the switch 2 The switch reprocesses the packet for Layer 3 forwarding during which the switch inserts an outgoing VLAN tag in to the packet 3 After the Layer 3 preprocessing the switch redirects the packet to the SecBlade IPS card according to the receiving port the incoming VLAN an...

Page 17: ...nd Remarks Enter system view system view Configure the MIB style of the switch mib style new compatible Required new Specifies the MIB style H3C new With this style both the sysOID and private MIB of the switch are located under the H3C enterprise ID 25506 compatible Specifies the MIB style H3C compatible With this style the sysOID of the switch is located under the H3C enterprise ID 25506 and the...

Page 18: ...able the ACFP server acfp server enable Required Disabled by default Enable the ACSEI server acsei server enable Required Disabled by default Create a VLAN and enter VLAN view vlan vlan id1 to vlan id2 all Required Return to system view quit Required Enter the specified VLAN interface view interface vlan interface vlan interface id Required Before creating the VLAN interface you need to create the...

Page 19: ... to login to the web interface of the SecBlade IPS card Configure the internal interface and the OAA client and test its connectivity to the switch Create security zones and add the interfaces of the switch to corresponding security zones Create a segment and add internal and external zones to the segment Follow these steps to configure the SecBlade IPS card To do Use the command Remarks Configure...

Page 20: ...t Select a segment number the internal zone and the external zone Required You need to specify the internal interface when creating the segment The internal interface connects to the switch Displaying the configuration After completing above configurations you can use the display command in any view of the SecBlade IPS card to view forwarding information on the internal 10GE interface and verify y...

Page 21: ...private MIB are both under H3C enterprise ID 25506 You need to reboot the switch to validate the configuration You can reboot the switch after completing all configurations Sysname system view Sysname mib style new Configure SNMPv3 parameters Sysname snmp agent Sysname snmp agent sys info version all Sysname snmp agent group v3 v3group_no read view iso write view iso Sysname snmp agent mib view in...

Page 22: ... card in sub slot 3 of slot 1 corresponds to the switch s internal interface Ten GigabitEthernet 1 3 1 2 Configure the SecBlade IPS card Configure an IP address for the management interface and enable the management interface This configuration is optional By default the IP address of the management interface is 192 168 1 1 You can also change this IP address through the web interface Sysname oap ...

Page 23: ... the S5800 S5820X you can add any physical ports of the S5800 S5820X to a security zone except the internal interface In this example Create internal security zone Inside add GigabitEthernet 1 0 15 to the internal security zone as shown in Figure 9 Create external security zone Outside and add GigabitEthernet 1 0 16 to the external security zone in the same way Figure 9 Create a security zone Giga...

Page 24: ... internal 10GE interfaces With OAA configured the switch redirects traffic to the SecBlade IPS card through its 10GE interface automatically After processing the traffic the SecBlade IPS card sends it back to the switch through its internal 10GE interface and the switch forwards the traffic The detailed data forwarding process is as follows From internal network to external network 1 Packets from ...

Page 25: ...card configure the interface to permit packets of VLAN 2 through VLAN 4094 to pass and configure its connection mode as extended Configure the traffic switching mode of the main control board of the switch Save the configuration and reboot the switch Follow these steps to configure the switch To do Use the command Remarks Enter system view system view Configure the MIB style of the switch mib styl...

Page 26: ...snmp agent group v3 command adopts non authentication and non encryption Create or update a MIB view to specify the MIB objects that the NMS can access snmp agent mib view excluded included view name oid tree mask mask value Required The default view is ViewDefault Add a user to the SNMP group snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode...

Page 27: ...hes a VLAN interface can have up to five IP addresses configured Return to system view quit Required Enter the view of the 10GE interface connected to the SecBlade IPS card interface Ten GigabitEthernet interface number Required Configure the link type of the interface port link type access hybrid trunk Required By default the link type of an interface is access Specify permitted VLANs on the trun...

Page 28: ...e SecBlade IPS card Configure the SecBlade IPS card as follows Configure the IP address of the management interface at the CLI and use the IP address to login to the web interface of the SecBlade IPS card Configure the internal interface and the OAA client and test its connectivity to the switch Create security zones and add the interfaces of the switch to corresponding security zones Create a seg...

Page 29: ...e configurations you can use the display command in any view of the SecBlade IPS card to view forwarding information on the internal 10GE interface and verify you configurations To do Use the command Display the running status and forwarding information of the 10GE interface display interface interface name Use the following commands on the switch to display ACFP information To do Use the command ...

Page 30: ...eboot the switch after completing all configurations Sysname system view Sysname mib style new Configure SNMP parameters configure SNMPv3 users and adopt non authentication and non encryption Sysname snmp agent Sysname snmp agent sys info version all Sysname snmp agent group v3 v3group_no read view iso write view iso Sysname snmp agent mib view included iso iso Sysname snmp agent usm user v3 v3use...

Page 31: ... configuration you need to save all configurations and restart the switch to validate the configurations Sysname switch mode l2 enhanced Sysname quit Save the configurations and restart the switch Sysname save Sysname reboot NOTE Make sure that the OAA card in slot n corresponds to the switch s internal interface Ten GigabitEthernet n 0 1 For example the OAA card in slot 2 corresponds to the switc...

Page 32: ...figure OAA Configure the OAA client and the internal interface and test the connectivity to the switch Figure 14 Configure the OAA client After completing configuration click Test Connectivity If the following message appears the switch is reachable ...

Page 33: ...e create internal security zone Inside and add GigabitEthernet 3 0 1 and GigabitEthernet 3 0 2 to the internal security zone as shown in Figure 16 Create external security zone Outside and add GigabitEthernet 3 0 20 to the external security zone in the same way Figure 16 Create a security zone Configure a segment Figure 17 Create a segment NOTE When creating a segment you need to select the intern...

Page 34: ...ess being the MAC address of the VLAN interface are redirected to the SecBlade IPS card 3 After processing the packets the SecBlade IPS card forwards them back to the switch 4 The switch forwards the packets out its external network interface From external network to internal network 1 Packets from the external network enter the switch 2 Packets with the destination MAC address being the MAC addre...

Page 35: ... interface Create an advanced ACL to be used by the internal network redirection policy to match all layer 3 IP packets Create an advanced ACL to be used by the external network redirection policy to match layer 3 IP packets destined to the internal network Create a Layer 2 ACL to deny ARP and Layer 2 packets forwarding Configure a redirection policy on the internal network interface to redirect p...

Page 36: ...the interface as trunk port link type trunk Required Permit the packets of specified VLANs to pass port trunk permit vlan vlan id list all Required The two VLANs configured above should be permitted Configure the default VLAN of the trunk interface port trunk pvid vlan vlan id Required The default VLAN must not be either of the two VLANs configured above Disable MAC address learning on the 10GE in...

Page 37: ...group acl number interface interface type interface number Required Use the ACL configured for the external network interface Return to system view quit Required Enter the view of the 10GE interface connected to the SecBlade IPS card interface interface type interface number Required Configure a filtering policy to deny forwarding incoming ARP and Layer 2 packets packet filter inbound link group a...

Page 38: ...gments Select System Management Network Management Segment Configuration Click the Add Segment button Select a segment number the internal zone and the external zone Required You need to create a segment for each internal zone or external zone Displaying the configuration After completing above configurations you can use the display command in any view of the SecBlade IPS card to view forwarding i...

Page 39: ...card that processed the corresponding request packet Configure the interface swap table of the SecBlade IPS cards and configure security zones and segments Figure 19 S9500 switch and the LSB1IPS1A0 cards Configuration procedure 1 Configure the switch Configure Ethernet 5 1 1 Ethernet 5 1 2 and Ethernet 5 1 3 to belong to VLAN 10 VLAN 20 and VLAN 30 respectively and configure VLAN interfaces and th...

Page 40: ...name acl number 3002 Sysname acl adv 3002 rule 0 permit ip packet level route destination 20 0 0 0 0 255 255 255 Sysname acl adv 3002 quit Configure a Layer 2 ACL Sysname acl number 4000 Sysname acl ethernetframe 4000 rule 0 deny arp Sysname acl ethernetframe 4000 rule 1 deny packet level bridge Sysname acl ethernetframe 4000 quit Configure traffic redirection on the internal and external network ...

Page 41: ...ge this IP address through the web interface Sysname interface meth0 2 Sysname if ip address 192 168 0 21 255 255 255 0 Sysname if undo shutdown Sysname if quit Log in to the web interface of the SecBlade IPS cards using default user name admin and default password admin Figure 20 Log in to the SecBlade IPS card web interface Select System Management Network Management Interface Swap Table Configu...

Page 42: ...he SecBlade IPS cards LSR1IPS1A1 Card Configuration NOTE The LSR1IPS1A1 card is only for the Comware V5 S9500E switches Configuration Overview The switch and the SecBlade IPS card are connected through internal 10GE interfaces With OAA configured the switch redirects traffic to the SecBlade IPS card through its 10GE interface automatically After processing the traffic the SecBlade IPS card sends i...

Page 43: ...e MAC address learning on the internal interface Save the configuration and reboot the switch Follow these steps to configure the switch To do Use the command Remarks Enter system view system view Configure the MIB style of the switch mib style new compatible Required new Specifies the MIB style H3C new With this style both the sysOID and private MIB of the switch are located under the H3C enterpr...

Page 44: ...snmp agent group v3 command adopts non authentication and non encryption Create or update a MIB view to specify the MIB objects that the NMS can access snmp agent mib view excluded included view name oid tree mask mask value Required The default view is ViewDefault Add a user to the SNMP group snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode...

Page 45: ...urn to system view quit Required Enter the view of the 10GE interface connected to the SecBlade IPS card interface Ten GigabitEthernet interface number Required Configure the link type of the interface port link type access hybrid trunk Required By default the link type of an interface is access Specify permitted VLANs on the trunk port port trunk permit vlan vlan id list all Required A trunk port...

Page 46: ...ip address mask Optional By default the IP address of the management interface meth0 2 is 192 168 1 1 Enable the management interface undo shutdown Required Disabled by default Use the IP address of the management interface to login to the web interface of the SecBlade IPS card Required The default username and password are both admin Configure the OAA client and internal interface Select System M...

Page 47: ...lient id Display the ACFP policy information display acfp policy info client client id policy index dest interface interface type interface number global in interface interface type interface number out interface interface type interface number active inactive Display the ACFP rule information display acfp rule info global in interface interface type interface number out interface interface type i...

Page 48: ...iew iso Sysname snmp agent mib view included iso iso Sysname snmp agent usm user v3 v3user_no v3group_no Enable the ACFP server and the ACSEI server Sysname acfp server enable Sysname acsei server enable Configure the internal interface Create a VLAN VLAN 100 for example which must not conflict with any existing VLAN and configure the IP address of the VLAN interface Sysname vlan 100 Sysname vlan1...

Page 49: ...igabitEthernet 8 0 1 2 Configure the SecBlade IPS card Configure an IP address for the management interface and enable the management interface This configuration is optional By default the IP address of the management interface is 192 168 1 1 You can also change this IP address through the web interface Sysname system view Sysname interface meth0 2 Sysname if ip address 192 168 0 11 255 255 255 0...

Page 50: ...the SecBlade IPS card and the S9500E you can add any physical ports of the S9500E to a security zone except the internal interface In this example create internal security zone Inside add GigabitEthernet 3 0 1 and GigabitEthernet 3 0 2 to the internal security zone as shown in Figure 16 Create external security Outside and add GigabitEthernet 3 0 20 to the external security zone in the same way Fi...

Page 51: ...PS card sends the traffic back to the switch through its internal 10GE interface and the switch forwards the traffic The detailed data forwarding process is as follows From internal network to external network 1 Packets from the internal network enter the switch 2 The switch redirects the packets to the SecBlade IPS card 3 The SecBlade IPS card processes the packets and then forwards them back to ...

Page 52: ...ps to configure the switch To do Use the command Remarks Enter system view system view Configure the MIB style of the switch mib style new compatible Required new Specifies the MIB style H3C new With this style both the sysOID and private MIB of the switch are located under the H3C enterprise ID 25506 compatible Specifies the MIB style H3C compatible With this style the sysOID of the switch is loc...

Page 53: ...agent group v3 command uses non authentication and non encryption Create or update a MIB view to specify the MIB objects that the NMS can access snmp agent mib view excluded included view name oid tree mask mask value Required The default view is ViewDefault Add a user to the SNMP group snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode des56 ...

Page 54: ...the interface port link type access hybrid trunk Required By default the link type of an interface is access Specify permitted VLANs on the trunk port port trunk permit vlan vlan id list all Required A trunk port can allow packets of multiple VLANs to pass If you use the command repeatedly on the interface all the specified VLANs are permitted Configure the extended port connection mode for the tr...

Page 55: ... parameters in OAA Client Configuration and Internal Interface Configuration to complete OAA configuration Required Configure OAA Test the connectivity Click the Test Connectivity button to test the connectivity between the OAA client and the server Required Create security zones Select System Management Network Management Security Zone Use the Add button to create security zones and add the inter...

Page 56: ...cy client id policy index Configuration Example Network requirements As shown in Figure 31 the switch has one SRPU installed in slot 0 one switching board installed in slot 4 and one SecBlade IPS card installed in slot 5 The switch uses GigabitEthernet 4 0 1 and GigabitEthernet 4 0 2 to connect to the internal network uses GigabitEthernet 4 0 20 to connect to the external network and uses its inte...

Page 57: ... 255 255 255 0 Sysname Vlan interface100 undo shutdown Sysname Vlan interface100 quit Configure the internal interface as a trunk port assign it to all VLANs configure its port connect mode as extended and disable MAC address learning on it Sysname interface Ten GigabitEthernet5 0 1 Sysname Ten GigabitEthernet port link type trunk Sysname Ten GigabitEthernet port trunk permit vlan all Sysname Ten ...

Page 58: ...e SecBlade IPS card The username and password are both admin Figure 32 Log into the SecBlade IPS card Configure OAA Configure the OAA client and the internal interface and test the connectivity to the switch Figure 33 Configure the OAA client After completing configuration click Test Connectivity If the following message appears the switch is reachable ...

Page 59: ...e create internal security zone Inside and add GigabitEthernet 4 0 1 and GigabitEthernet 4 0 2 to the internal security zone as shown in Figure 35 Create external security zone Outside and add GigabitEthernet 4 0 20 to the external security zone in the same way Figure 35 Create a security zone Configure a segment Figure 36 Create a segment NOTE When creating a segment you need to select the intern...

Page 60: ...2 The router redirects the packets to the SecBlade IPS card 3 The SecBlade IPS card processes the packets and then forwards them back to the router 4 The router forwards the packets out its external network interface From external network to internal network 1 Packets from the external network enter the router 2 The router redirects the packets to the SecBlade IPS card 3 The SecBlade IPS card proc...

Page 61: ...pleting all configurations CAUTION Make sure that the router s the MIB style is new If you specify compatible for the router the router cannot work normally Enable SNMP agent snmp agent Required Disabled by default Set the SNMP version snmp agent sys info contact sys contact location sys location version all v1 v2c v3 Required The SecBlade IPS card supports only SNMPv3 By default SNMPv3 applies Cr...

Page 62: ... ip address ip address mask mask length sub Required Save all configurations save file name safely Required Configuring the SecBlade IPS card Perform the following configurations on the SecBlade IPS card Configure an IP address for the management interface through the CLI and use the IP address to log in to the web interface of the SecBlade IPS card Configure the internal interface and the OAA cli...

Page 63: ...nagement Network Management Segment Configuration Click Add Segment Select a segment number internal zone and external zone Required You need to specify the internal interface when creating the segment The internal interface connects to the router Displaying the configuration Use the following command in any view of the SecBlade IPS card to view the forwarding information of the internal 10GE inte...

Page 64: ...H3C new MIB style With this style the sysOID and the private MIB are both under H3C enterprise ID 25506 You need to reboot the router to validate the configuration you can reboot the router after completing all configurations Sysname system view Sysname mib style new Configure SNMP parameters Sysname snmp agent Sysname snmp agent sys info version all Sysname snmp agent group v3 v3group_no read vie...

Page 65: ...nt interface This configuration is optional By default the IP address of the management interface is 192 168 1 1 You can also change this IP address through the web interface Sysname system view Sysname interface meth0 2 Sysname if ip address 192 168 0 11 255 255 255 0 Sysname if undo shutdown Sysname if quit Log in to the web interface of the SecBlade IPS card The username and password are both a...

Page 66: ... OAA configuration on the SecBlade IPS card and the router you can add any physical ports of the router except the internal interface to a security zone In this example create internal security zone Inside and add GigabitEthernet 3 0 0 to the internal zone as shown in Figure 42 Create external zone Outside and add GigabitEthernet 3 0 1 to the external zone in the same way Figure 42 Create a securi...

Page 67: ...ter forwards the traffic The detailed data forwarding process is as follows From internal network to external network 1 Packets from the internal network enter the router 2 The router redirects the packets to the SecBlade IPS card 3 The SecBlade IPS card processes the packets and then forwards them back to the router 4 The router forwards the packets out its external network interface From externa...

Page 68: ...e router mib style new compatible Required new Specifies the MIB style H3C new With this style both the sysOID and private MIB of the router are located under the H3C enterprise ID 25506 compatible Specifies the MIB style H3C compatible With this style the sysOID of the router is located under the H3C enterprise ID 25506 and the private MIB is located under the enterprise ID 201 1 By default the M...

Page 69: ... configuration takes effect Enable the ACFP server acfp server enable Required Disabled by default Enable the ACSEI server acsei server enable Required Disabled by default Create a VLAN and enter VLAN view vlan vlan id1 to vlan id2 all Required Return to system view quit Required Create a VLAN interface and enter VLAN interface view interface Vlan interface vlan interface id Required Before creati...

Page 70: ...ress to log in to the web interface of the SecBlade IPS card Configure the internal interface and the OAA client and test the connectivity between the OAA client and the router Create security zones and add the interfaces of the router to the security zones Create a segment and add the internal zone and the external zone to the segment Table 6 Follow these steps to configure the SecBlade IPS card ...

Page 71: ...cts to the router Displaying the configuration Use the following command in any view of the SecBlade IPS card to view the forwarding information of the internal 10GE interface To do Use the command Display the running status and forwarding information of the 10GE interface display interface interface name Table 7 Use the following commands in any view of the router to view ACFP information To do U...

Page 72: ...IB are both under H3C enterprise ID 25506 You need to reboot the router to validate the configuration you can reboot the router after completing all configurations Sysname system view Sysname mib style new Configure SNMP parameters Sysname snmp agent Sysname snmp agent sys info version all Sysname snmp agent group v3 v3group_no read view iso write view iso Sysname snmp agent mib view included iso ...

Page 73: ... Sysname save NOTE Make sure that the OAA card in slot n corresponds to the router s internal interface Ten GigabitEthernet n 0 0 For example the OAA card in slot 11 corresponds to the router s internal interface Ten GigabitEthernet 11 0 0 2 Configure the SecBlade IPS card Configure an IP address for the management interface and enable the management interface This configuration is optional By def...

Page 74: ...48 Connectivity test result Configure security zones After completing OAA configuration on the SecBlade IPS card and the router you can add any physical ports of the router except the internal interface to a security zone In this example create internal security zone Inside add GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to the internal zone as shown in Figure 49 Create external security zone ...

Page 75: ...68 Figure 49 Create a security zone Configure a segment Figure 50 Create a segment Figure 51 Configure the segment ...

Page 76: ...turers for better support of new services while reducing user investments The open application architecture OAA is an open service architecture developed with this concept The Application Control Forwarding Protocol ACFP is developed based on the OAA architecture For example collaborating IPS IDS cards or IPS IDS devices acting as ACFP clients run software packages developed by other manufacturers...

Page 77: ...bound interface and outbound interface of the packet and collaboration rules When the packet received by the ACFP server is redirected or mirrored to the ACFP client after matching a collaboration rule the packet carries the context ID of the collaboration policy to which the collaboration rule belongs When the redirected packet is returned from the ACFP client the packet also carries the context ...

Page 78: ...ould be the same with the related configuration of the SNMP on the OAA server NOTE The switch supports MD5 authentication and DES encryption To perform authentication with privacy configure MD5 authentication and DES encryption for the SNMP configuration on the OAA server OAA Server IP Set the IP address for the OAA server VLAN ID Specify the VLAN to which the internal interface belongs IP Address...

Page 79: ...rver Vlan int100 192 168 1 1 24 Ten GigabitEthernet2 0 1 192 1681 2 24 GE4 0 1 GE4 0 2 Configuration procedure 1 Configure the OAA server Follow these steps to configure the OAA server the detailed configuration is omitted here Enable the OAA server Configure a VLAN interface for VLAN 100 and set the IP address of the interface to 192 168 1 1 Configure the port connect mode of the internal interfa...

Page 80: ...Test the connectivity Click Test Connectivity on OAA configuration page The system shows that the connectivity test is successful Add an internal security zone Select System Management Network Management Security Zone and click Add as shown in Figure 56 Perform the following operations on the Add Security Zone page as shown in Figure 57 Figure 56 Security zone Figure 57 Add a security zone Type zo...

Page 81: ...page as shown in Figure 59 Figure 58 Segment configuration Figure 59 Add a segment Select 0 from the Segment No drop down list Select zone1 from the Internal Zone drop down list and zone2 from the External Zone drop down list Select Ten GigabitEthernet2 0 1 from the Internal Interface drop down list Click Apply Add a rule for URL Filter Policy which is the default URL filtering policy Select URL F...

Page 82: ...75 Figure 60 Rule management Figure 61 Add a rule Select URL Filter Policy from the Policy drop down list Type rule1 as the name ...

Page 83: ...orm the following operations on the Apply Policy page as shown in Figure 63 Figure 62 Policy application Figure 63 Apply policy Select 0 from the Segment drop down list Select URL Filter Policy from the Policy drop down list Select the Internal zone to External zone check box Add IP address 192 168 2 0 24 to the internal zone IP addresses list Click Apply Activate the configuration After the above...

Page 84: ...77 Figure 64 Activate the configuration ...

Page 85: ... Configuration 27 LSQ1IPSSC0 Card Configuration Only for the S7500E Switch and Supporting OAA Configuration 17 LSR1IPS1A1 Card Configuration 35 LST1IPS1A1 Card Configuration 44 LSWM1IPS10 Card Configuration 9 M Main Characteristics 2 Main Functions 3 O OAA Configuration Example 72 Overview69 R Related Manuals 1 S SPE IPS 200 Card Configuration 53 ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands