manualshive.com logo in svg

H3C SecBlade, Руководство пользователя

Поделиться
Скачать
H3C SecBlade Скачать руководство пользователя страница 36

 

29 

To do… 

Use the command… 

Remarks 

Add the external network port to 
the external network VLAN 

port 

interface-list

 

Required 
 By default, all ports belong to 

VLAN 1. 

Return to system view 

quit 

Required 

Create the internal network VLAN 
interface 

interface Vlan-interface 

vlan-id

 

Required 

Configure the IP address of the 
internal network VLAN interface 

ip

 

address

 

ip-address

 { 

mask | 

mask-length 

} [ 

sub

 ]

 

Required 
Not configured by default.  

Return to system view 

quit 

Required 

Create the external network VLAN 
interface 

interface vlan-interface 

vlan

-

id

 

Required 

Configure the IP address of the 
external network VLAN interface 

ip

 

address

 

ip-address

 { 

mask | 

mask-length 

} [ 

sub

 ]

 

Required 
Not configured by default. 

Return to system view 

quit 

Required 

Enter the view of the 10GE 
interface connected to the 

SecBlade IPS card 

interface

 interface-type 

interface-number

 

Required 

Configure the link type of the 
interface as trunk 

port link-type trunk 

Required 

Permit the packets of specified 
VLANs to pass 

port trunk permit vlan

 { 

vlan-id-list

 | 

all 

Required 
The two VLANs configured above 
should be permitted.  

Configure the default VLAN of the 
trunk interface 

port trunk pvid vlan

 

vlan-id

 

Required 
The default VLAN must not be 
either of the two VLANs configured 

above.  

Disable MAC address learning on 
the 10GE interface  

mac-address max-mac-count 

0 Required 

Return to system view 

quit 

Required 

Create an advanced ACL to be 
used on the internal network 
interface 

acl number 

acl-number

 

Required 

Create a rule to permit all Layer 3 

IP packets 

rule

 rule-id

 permit ip packet-level 

route 

Required 

Return to system view 

quit 

Required 

Create an advanced ACL to be 
used on the external network 

interface 

acl number 

acl-number

 

Required 

Create a rule to permit packets 
destined to the internal network  

rule

 rule-id

 permit ip packet-level 

route destination 

network-address 

wild-mask

 

Required 
If the internal network interface has 
multiple subnets attached, you 

need to create a rule for each 

subnet.  

Содержание SecBlade

Страница 1: ...H3C SecBlade IPS Cards User Manual Hangzhou H3C Technologies Co Ltd http www h3c com Document version 5PW104 20101210 ...

Страница 2: ...mware Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensure accuracy of ...

Страница 3: ...commands and keywords that you enter literally as shown Italic Italic text represents arguments that you replace with actual values Square brackets enclose syntax choices keywords or arguments that are optional x y Braces enclose a set of required syntax choices separated by vertical bars from which you select one x y Square brackets enclose a set of optional syntax choices separated by vertical b...

Страница 4: ...rds Document Set The H3C SecBlade IPS cards documentation set includes Category Documents Purposes Marketing brochures Describe product specifications and benefits Product description and specifications Technology white papers Provide an in depth description of software features and technologies Card Manual Provides the card types hardware specifications and interface attributes Software Upgrade G...

Страница 5: ...dware installation software upgrading and software feature configuration and maintenance documentation Products Solutions Provides information about products and technologies as well as solutions Technical Support Documents Software Download Provides the documentation released with the software version Technical support customer_service h3c com http www h3c com Documentation feedback You can e mai...

Страница 6: ...xample 22 LSB1IPS1A0 Card Configuration 27 Configuration Overview 27 Configuration Procedure 28 Configuration Example 31 LSR1IPS1A1 Card Configuration 35 Configuration Overview 35 Configuration Procedure 36 Configuration Example 40 LST1IPS1A1 Card Configuration 44 Configuration Overview 44 Configuration Procedure 45 Configuration Example 49 SPE IPS 200 Card Configuration 53 Configuration Overview ...

Страница 7: ...ii Index 78 ...

Страница 8: ...d presents the configurations on the switch router and the SecBlade IPS card and provides configuration examples Appendix OAA Configuration Describes OAA basic principles and configuration procedure and gives configuration examples Related Manuals For the installation startup and configuration software upgrade and hardware maintenance of the SecBlade IPS cards see the H3C SecBlade Cards Software U...

Страница 9: ...al time to precisely identify and stop limit various attacks and network abuses such as hackers worms viruses Trojans DoS DDoS scans spyware protocol anomalies phishing P2P IM and network games and to ensure the security service continuity and performance of network applications H3C IPS products can also be deployed in bypass mode to implement intrusion detection In addition H3C IPS products provi...

Страница 10: ...lade IPS cards can provide Distributed Denial of Service DDoS defense in various network environments by performing deep analysis of DDoS attacks including SYN flood RST flood ACK flood UDP flood ICMP flood Connection flood CPS flood DNS query flood and HTTP get flood and using advanced defense algorithms 3 AV function SecBlade IPS cards are integrated with the KasperSky anti virus engine and viru...

Страница 11: ...umber of SecBlade IPS cards deployed you can manage the cards through the web interface embedded For a network with a large number of SecBlade IPS cards deployed you can implement unified upgrade monitoring analysis and policy management for the cards through the H3C security management center SecCenter ...

Страница 12: ...t Actions management Log management IPS URL filtering Anti virus DDoS protection Web Configuration Bandwidth management Blacklist Reports Commonly used network application commands Interface management commands Static route configuration commands CLI Configuration Device management commands System basic configuration commands Encrypted P2P traffic identification configuration commands ...

Страница 13: ...h IPS card Console cable Ethernet cable Serial interface Ethernet interface Management interface IPS card Console interface Switch For a non LSWM1IPS10 card Prepare a console cable with a RJ 45 connector at one end and a DB9 female connector at the other Connect the RJ 45 connector to the console port of the SecBlade IPS card and connect the DB9 female connector to the serial port of the PC Then c...

Страница 14: ...nt IP address of the IPS card this step is optional the default management IP address is 192 168 1 1 Configure the management IP address of the IPS card The default management interface of LSWM1IPS10 card is meth 0 0 and that of other cards is meth 0 2 The following takes management interface meth0 2 as an example Sysname system view Sysname interface meth0 2 Enter the management interface Sysname...

Страница 15: ...e checkbox before HTTP and click Apply A confirmation dialog box pops up showing Changing the IP address of the management interface may break the network connection Continue Click OK on the dialog box to complete configuration WARNING The PC in Figure 2 is a common configuration terminal and is not required to be a web network management terminal Do not log in to the web interface through both HT...

Страница 16: ...rwarding process is as follows From internal network to external network 1 A packet from the internal network enters the switch 2 The switch reprocesses the packet for Layer 3 forwarding during which the switch inserts an outgoing VLAN tag in to the packet 3 After the Layer 3 preprocessing the switch redirects the packet to the SecBlade IPS card according to the receiving port the incoming VLAN an...

Страница 17: ...nd Remarks Enter system view system view Configure the MIB style of the switch mib style new compatible Required new Specifies the MIB style H3C new With this style both the sysOID and private MIB of the switch are located under the H3C enterprise ID 25506 compatible Specifies the MIB style H3C compatible With this style the sysOID of the switch is located under the H3C enterprise ID 25506 and the...

Страница 18: ...able the ACFP server acfp server enable Required Disabled by default Enable the ACSEI server acsei server enable Required Disabled by default Create a VLAN and enter VLAN view vlan vlan id1 to vlan id2 all Required Return to system view quit Required Enter the specified VLAN interface view interface vlan interface vlan interface id Required Before creating the VLAN interface you need to create the...

Страница 19: ... to login to the web interface of the SecBlade IPS card Configure the internal interface and the OAA client and test its connectivity to the switch Create security zones and add the interfaces of the switch to corresponding security zones Create a segment and add internal and external zones to the segment Follow these steps to configure the SecBlade IPS card To do Use the command Remarks Configure...

Страница 20: ...t Select a segment number the internal zone and the external zone Required You need to specify the internal interface when creating the segment The internal interface connects to the switch Displaying the configuration After completing above configurations you can use the display command in any view of the SecBlade IPS card to view forwarding information on the internal 10GE interface and verify y...

Страница 21: ...private MIB are both under H3C enterprise ID 25506 You need to reboot the switch to validate the configuration You can reboot the switch after completing all configurations Sysname system view Sysname mib style new Configure SNMPv3 parameters Sysname snmp agent Sysname snmp agent sys info version all Sysname snmp agent group v3 v3group_no read view iso write view iso Sysname snmp agent mib view in...

Страница 22: ... card in sub slot 3 of slot 1 corresponds to the switch s internal interface Ten GigabitEthernet 1 3 1 2 Configure the SecBlade IPS card Configure an IP address for the management interface and enable the management interface This configuration is optional By default the IP address of the management interface is 192 168 1 1 You can also change this IP address through the web interface Sysname oap ...

Страница 23: ... the S5800 S5820X you can add any physical ports of the S5800 S5820X to a security zone except the internal interface In this example Create internal security zone Inside add GigabitEthernet 1 0 15 to the internal security zone as shown in Figure 9 Create external security zone Outside and add GigabitEthernet 1 0 16 to the external security zone in the same way Figure 9 Create a security zone Giga...

Страница 24: ... internal 10GE interfaces With OAA configured the switch redirects traffic to the SecBlade IPS card through its 10GE interface automatically After processing the traffic the SecBlade IPS card sends it back to the switch through its internal 10GE interface and the switch forwards the traffic The detailed data forwarding process is as follows From internal network to external network 1 Packets from ...

Страница 25: ...card configure the interface to permit packets of VLAN 2 through VLAN 4094 to pass and configure its connection mode as extended Configure the traffic switching mode of the main control board of the switch Save the configuration and reboot the switch Follow these steps to configure the switch To do Use the command Remarks Enter system view system view Configure the MIB style of the switch mib styl...

Страница 26: ...snmp agent group v3 command adopts non authentication and non encryption Create or update a MIB view to specify the MIB objects that the NMS can access snmp agent mib view excluded included view name oid tree mask mask value Required The default view is ViewDefault Add a user to the SNMP group snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode...

Страница 27: ...hes a VLAN interface can have up to five IP addresses configured Return to system view quit Required Enter the view of the 10GE interface connected to the SecBlade IPS card interface Ten GigabitEthernet interface number Required Configure the link type of the interface port link type access hybrid trunk Required By default the link type of an interface is access Specify permitted VLANs on the trun...

Страница 28: ...e SecBlade IPS card Configure the SecBlade IPS card as follows Configure the IP address of the management interface at the CLI and use the IP address to login to the web interface of the SecBlade IPS card Configure the internal interface and the OAA client and test its connectivity to the switch Create security zones and add the interfaces of the switch to corresponding security zones Create a seg...

Страница 29: ...e configurations you can use the display command in any view of the SecBlade IPS card to view forwarding information on the internal 10GE interface and verify you configurations To do Use the command Display the running status and forwarding information of the 10GE interface display interface interface name Use the following commands on the switch to display ACFP information To do Use the command ...

Страница 30: ...eboot the switch after completing all configurations Sysname system view Sysname mib style new Configure SNMP parameters configure SNMPv3 users and adopt non authentication and non encryption Sysname snmp agent Sysname snmp agent sys info version all Sysname snmp agent group v3 v3group_no read view iso write view iso Sysname snmp agent mib view included iso iso Sysname snmp agent usm user v3 v3use...

Страница 31: ... configuration you need to save all configurations and restart the switch to validate the configurations Sysname switch mode l2 enhanced Sysname quit Save the configurations and restart the switch Sysname save Sysname reboot NOTE Make sure that the OAA card in slot n corresponds to the switch s internal interface Ten GigabitEthernet n 0 1 For example the OAA card in slot 2 corresponds to the switc...

Страница 32: ...figure OAA Configure the OAA client and the internal interface and test the connectivity to the switch Figure 14 Configure the OAA client After completing configuration click Test Connectivity If the following message appears the switch is reachable ...

Страница 33: ...e create internal security zone Inside and add GigabitEthernet 3 0 1 and GigabitEthernet 3 0 2 to the internal security zone as shown in Figure 16 Create external security zone Outside and add GigabitEthernet 3 0 20 to the external security zone in the same way Figure 16 Create a security zone Configure a segment Figure 17 Create a segment NOTE When creating a segment you need to select the intern...

Страница 34: ...ess being the MAC address of the VLAN interface are redirected to the SecBlade IPS card 3 After processing the packets the SecBlade IPS card forwards them back to the switch 4 The switch forwards the packets out its external network interface From external network to internal network 1 Packets from the external network enter the switch 2 Packets with the destination MAC address being the MAC addre...

Страница 35: ... interface Create an advanced ACL to be used by the internal network redirection policy to match all layer 3 IP packets Create an advanced ACL to be used by the external network redirection policy to match layer 3 IP packets destined to the internal network Create a Layer 2 ACL to deny ARP and Layer 2 packets forwarding Configure a redirection policy on the internal network interface to redirect p...

Страница 36: ...the interface as trunk port link type trunk Required Permit the packets of specified VLANs to pass port trunk permit vlan vlan id list all Required The two VLANs configured above should be permitted Configure the default VLAN of the trunk interface port trunk pvid vlan vlan id Required The default VLAN must not be either of the two VLANs configured above Disable MAC address learning on the 10GE in...

Страница 37: ...group acl number interface interface type interface number Required Use the ACL configured for the external network interface Return to system view quit Required Enter the view of the 10GE interface connected to the SecBlade IPS card interface interface type interface number Required Configure a filtering policy to deny forwarding incoming ARP and Layer 2 packets packet filter inbound link group a...

Страница 38: ...gments Select System Management Network Management Segment Configuration Click the Add Segment button Select a segment number the internal zone and the external zone Required You need to create a segment for each internal zone or external zone Displaying the configuration After completing above configurations you can use the display command in any view of the SecBlade IPS card to view forwarding i...

Страница 39: ...card that processed the corresponding request packet Configure the interface swap table of the SecBlade IPS cards and configure security zones and segments Figure 19 S9500 switch and the LSB1IPS1A0 cards Configuration procedure 1 Configure the switch Configure Ethernet 5 1 1 Ethernet 5 1 2 and Ethernet 5 1 3 to belong to VLAN 10 VLAN 20 and VLAN 30 respectively and configure VLAN interfaces and th...

Страница 40: ...name acl number 3002 Sysname acl adv 3002 rule 0 permit ip packet level route destination 20 0 0 0 0 255 255 255 Sysname acl adv 3002 quit Configure a Layer 2 ACL Sysname acl number 4000 Sysname acl ethernetframe 4000 rule 0 deny arp Sysname acl ethernetframe 4000 rule 1 deny packet level bridge Sysname acl ethernetframe 4000 quit Configure traffic redirection on the internal and external network ...

Страница 41: ...ge this IP address through the web interface Sysname interface meth0 2 Sysname if ip address 192 168 0 21 255 255 255 0 Sysname if undo shutdown Sysname if quit Log in to the web interface of the SecBlade IPS cards using default user name admin and default password admin Figure 20 Log in to the SecBlade IPS card web interface Select System Management Network Management Interface Swap Table Configu...

Страница 42: ...he SecBlade IPS cards LSR1IPS1A1 Card Configuration NOTE The LSR1IPS1A1 card is only for the Comware V5 S9500E switches Configuration Overview The switch and the SecBlade IPS card are connected through internal 10GE interfaces With OAA configured the switch redirects traffic to the SecBlade IPS card through its 10GE interface automatically After processing the traffic the SecBlade IPS card sends i...

Страница 43: ...e MAC address learning on the internal interface Save the configuration and reboot the switch Follow these steps to configure the switch To do Use the command Remarks Enter system view system view Configure the MIB style of the switch mib style new compatible Required new Specifies the MIB style H3C new With this style both the sysOID and private MIB of the switch are located under the H3C enterpr...

Страница 44: ...snmp agent group v3 command adopts non authentication and non encryption Create or update a MIB view to specify the MIB objects that the NMS can access snmp agent mib view excluded included view name oid tree mask mask value Required The default view is ViewDefault Add a user to the SNMP group snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode...

Страница 45: ...urn to system view quit Required Enter the view of the 10GE interface connected to the SecBlade IPS card interface Ten GigabitEthernet interface number Required Configure the link type of the interface port link type access hybrid trunk Required By default the link type of an interface is access Specify permitted VLANs on the trunk port port trunk permit vlan vlan id list all Required A trunk port...

Страница 46: ...ip address mask Optional By default the IP address of the management interface meth0 2 is 192 168 1 1 Enable the management interface undo shutdown Required Disabled by default Use the IP address of the management interface to login to the web interface of the SecBlade IPS card Required The default username and password are both admin Configure the OAA client and internal interface Select System M...

Страница 47: ...lient id Display the ACFP policy information display acfp policy info client client id policy index dest interface interface type interface number global in interface interface type interface number out interface interface type interface number active inactive Display the ACFP rule information display acfp rule info global in interface interface type interface number out interface interface type i...

Страница 48: ...iew iso Sysname snmp agent mib view included iso iso Sysname snmp agent usm user v3 v3user_no v3group_no Enable the ACFP server and the ACSEI server Sysname acfp server enable Sysname acsei server enable Configure the internal interface Create a VLAN VLAN 100 for example which must not conflict with any existing VLAN and configure the IP address of the VLAN interface Sysname vlan 100 Sysname vlan1...

Страница 49: ...igabitEthernet 8 0 1 2 Configure the SecBlade IPS card Configure an IP address for the management interface and enable the management interface This configuration is optional By default the IP address of the management interface is 192 168 1 1 You can also change this IP address through the web interface Sysname system view Sysname interface meth0 2 Sysname if ip address 192 168 0 11 255 255 255 0...

Страница 50: ...the SecBlade IPS card and the S9500E you can add any physical ports of the S9500E to a security zone except the internal interface In this example create internal security zone Inside add GigabitEthernet 3 0 1 and GigabitEthernet 3 0 2 to the internal security zone as shown in Figure 16 Create external security Outside and add GigabitEthernet 3 0 20 to the external security zone in the same way Fi...

Страница 51: ...PS card sends the traffic back to the switch through its internal 10GE interface and the switch forwards the traffic The detailed data forwarding process is as follows From internal network to external network 1 Packets from the internal network enter the switch 2 The switch redirects the packets to the SecBlade IPS card 3 The SecBlade IPS card processes the packets and then forwards them back to ...

Страница 52: ...ps to configure the switch To do Use the command Remarks Enter system view system view Configure the MIB style of the switch mib style new compatible Required new Specifies the MIB style H3C new With this style both the sysOID and private MIB of the switch are located under the H3C enterprise ID 25506 compatible Specifies the MIB style H3C compatible With this style the sysOID of the switch is loc...

Страница 53: ...agent group v3 command uses non authentication and non encryption Create or update a MIB view to specify the MIB objects that the NMS can access snmp agent mib view excluded included view name oid tree mask mask value Required The default view is ViewDefault Add a user to the SNMP group snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode des56 ...

Страница 54: ...the interface port link type access hybrid trunk Required By default the link type of an interface is access Specify permitted VLANs on the trunk port port trunk permit vlan vlan id list all Required A trunk port can allow packets of multiple VLANs to pass If you use the command repeatedly on the interface all the specified VLANs are permitted Configure the extended port connection mode for the tr...

Страница 55: ... parameters in OAA Client Configuration and Internal Interface Configuration to complete OAA configuration Required Configure OAA Test the connectivity Click the Test Connectivity button to test the connectivity between the OAA client and the server Required Create security zones Select System Management Network Management Security Zone Use the Add button to create security zones and add the inter...

Страница 56: ...cy client id policy index Configuration Example Network requirements As shown in Figure 31 the switch has one SRPU installed in slot 0 one switching board installed in slot 4 and one SecBlade IPS card installed in slot 5 The switch uses GigabitEthernet 4 0 1 and GigabitEthernet 4 0 2 to connect to the internal network uses GigabitEthernet 4 0 20 to connect to the external network and uses its inte...

Страница 57: ... 255 255 255 0 Sysname Vlan interface100 undo shutdown Sysname Vlan interface100 quit Configure the internal interface as a trunk port assign it to all VLANs configure its port connect mode as extended and disable MAC address learning on it Sysname interface Ten GigabitEthernet5 0 1 Sysname Ten GigabitEthernet port link type trunk Sysname Ten GigabitEthernet port trunk permit vlan all Sysname Ten ...

Страница 58: ...e SecBlade IPS card The username and password are both admin Figure 32 Log into the SecBlade IPS card Configure OAA Configure the OAA client and the internal interface and test the connectivity to the switch Figure 33 Configure the OAA client After completing configuration click Test Connectivity If the following message appears the switch is reachable ...

Страница 59: ...e create internal security zone Inside and add GigabitEthernet 4 0 1 and GigabitEthernet 4 0 2 to the internal security zone as shown in Figure 35 Create external security zone Outside and add GigabitEthernet 4 0 20 to the external security zone in the same way Figure 35 Create a security zone Configure a segment Figure 36 Create a segment NOTE When creating a segment you need to select the intern...

Страница 60: ...2 The router redirects the packets to the SecBlade IPS card 3 The SecBlade IPS card processes the packets and then forwards them back to the router 4 The router forwards the packets out its external network interface From external network to internal network 1 Packets from the external network enter the router 2 The router redirects the packets to the SecBlade IPS card 3 The SecBlade IPS card proc...

Страница 61: ...pleting all configurations CAUTION Make sure that the router s the MIB style is new If you specify compatible for the router the router cannot work normally Enable SNMP agent snmp agent Required Disabled by default Set the SNMP version snmp agent sys info contact sys contact location sys location version all v1 v2c v3 Required The SecBlade IPS card supports only SNMPv3 By default SNMPv3 applies Cr...

Страница 62: ... ip address ip address mask mask length sub Required Save all configurations save file name safely Required Configuring the SecBlade IPS card Perform the following configurations on the SecBlade IPS card Configure an IP address for the management interface through the CLI and use the IP address to log in to the web interface of the SecBlade IPS card Configure the internal interface and the OAA cli...

Страница 63: ...nagement Network Management Segment Configuration Click Add Segment Select a segment number internal zone and external zone Required You need to specify the internal interface when creating the segment The internal interface connects to the router Displaying the configuration Use the following command in any view of the SecBlade IPS card to view the forwarding information of the internal 10GE inte...

Страница 64: ...H3C new MIB style With this style the sysOID and the private MIB are both under H3C enterprise ID 25506 You need to reboot the router to validate the configuration you can reboot the router after completing all configurations Sysname system view Sysname mib style new Configure SNMP parameters Sysname snmp agent Sysname snmp agent sys info version all Sysname snmp agent group v3 v3group_no read vie...

Страница 65: ...nt interface This configuration is optional By default the IP address of the management interface is 192 168 1 1 You can also change this IP address through the web interface Sysname system view Sysname interface meth0 2 Sysname if ip address 192 168 0 11 255 255 255 0 Sysname if undo shutdown Sysname if quit Log in to the web interface of the SecBlade IPS card The username and password are both a...

Страница 66: ... OAA configuration on the SecBlade IPS card and the router you can add any physical ports of the router except the internal interface to a security zone In this example create internal security zone Inside and add GigabitEthernet 3 0 0 to the internal zone as shown in Figure 42 Create external zone Outside and add GigabitEthernet 3 0 1 to the external zone in the same way Figure 42 Create a securi...

Страница 67: ...ter forwards the traffic The detailed data forwarding process is as follows From internal network to external network 1 Packets from the internal network enter the router 2 The router redirects the packets to the SecBlade IPS card 3 The SecBlade IPS card processes the packets and then forwards them back to the router 4 The router forwards the packets out its external network interface From externa...

Страница 68: ...e router mib style new compatible Required new Specifies the MIB style H3C new With this style both the sysOID and private MIB of the router are located under the H3C enterprise ID 25506 compatible Specifies the MIB style H3C compatible With this style the sysOID of the router is located under the H3C enterprise ID 25506 and the private MIB is located under the enterprise ID 201 1 By default the M...

Страница 69: ... configuration takes effect Enable the ACFP server acfp server enable Required Disabled by default Enable the ACSEI server acsei server enable Required Disabled by default Create a VLAN and enter VLAN view vlan vlan id1 to vlan id2 all Required Return to system view quit Required Create a VLAN interface and enter VLAN interface view interface Vlan interface vlan interface id Required Before creati...

Страница 70: ...ress to log in to the web interface of the SecBlade IPS card Configure the internal interface and the OAA client and test the connectivity between the OAA client and the router Create security zones and add the interfaces of the router to the security zones Create a segment and add the internal zone and the external zone to the segment Table 6 Follow these steps to configure the SecBlade IPS card ...

Страница 71: ...cts to the router Displaying the configuration Use the following command in any view of the SecBlade IPS card to view the forwarding information of the internal 10GE interface To do Use the command Display the running status and forwarding information of the 10GE interface display interface interface name Table 7 Use the following commands in any view of the router to view ACFP information To do U...

Страница 72: ...IB are both under H3C enterprise ID 25506 You need to reboot the router to validate the configuration you can reboot the router after completing all configurations Sysname system view Sysname mib style new Configure SNMP parameters Sysname snmp agent Sysname snmp agent sys info version all Sysname snmp agent group v3 v3group_no read view iso write view iso Sysname snmp agent mib view included iso ...

Страница 73: ... Sysname save NOTE Make sure that the OAA card in slot n corresponds to the router s internal interface Ten GigabitEthernet n 0 0 For example the OAA card in slot 11 corresponds to the router s internal interface Ten GigabitEthernet 11 0 0 2 Configure the SecBlade IPS card Configure an IP address for the management interface and enable the management interface This configuration is optional By def...

Страница 74: ...48 Connectivity test result Configure security zones After completing OAA configuration on the SecBlade IPS card and the router you can add any physical ports of the router except the internal interface to a security zone In this example create internal security zone Inside add GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to the internal zone as shown in Figure 49 Create external security zone ...

Страница 75: ...68 Figure 49 Create a security zone Configure a segment Figure 50 Create a segment Figure 51 Configure the segment ...

Страница 76: ...turers for better support of new services while reducing user investments The open application architecture OAA is an open service architecture developed with this concept The Application Control Forwarding Protocol ACFP is developed based on the OAA architecture For example collaborating IPS IDS cards or IPS IDS devices acting as ACFP clients run software packages developed by other manufacturers...

Страница 77: ...bound interface and outbound interface of the packet and collaboration rules When the packet received by the ACFP server is redirected or mirrored to the ACFP client after matching a collaboration rule the packet carries the context ID of the collaboration policy to which the collaboration rule belongs When the redirected packet is returned from the ACFP client the packet also carries the context ...

Страница 78: ...ould be the same with the related configuration of the SNMP on the OAA server NOTE The switch supports MD5 authentication and DES encryption To perform authentication with privacy configure MD5 authentication and DES encryption for the SNMP configuration on the OAA server OAA Server IP Set the IP address for the OAA server VLAN ID Specify the VLAN to which the internal interface belongs IP Address...

Страница 79: ...rver Vlan int100 192 168 1 1 24 Ten GigabitEthernet2 0 1 192 1681 2 24 GE4 0 1 GE4 0 2 Configuration procedure 1 Configure the OAA server Follow these steps to configure the OAA server the detailed configuration is omitted here Enable the OAA server Configure a VLAN interface for VLAN 100 and set the IP address of the interface to 192 168 1 1 Configure the port connect mode of the internal interfa...

Страница 80: ...Test the connectivity Click Test Connectivity on OAA configuration page The system shows that the connectivity test is successful Add an internal security zone Select System Management Network Management Security Zone and click Add as shown in Figure 56 Perform the following operations on the Add Security Zone page as shown in Figure 57 Figure 56 Security zone Figure 57 Add a security zone Type zo...

Страница 81: ...page as shown in Figure 59 Figure 58 Segment configuration Figure 59 Add a segment Select 0 from the Segment No drop down list Select zone1 from the Internal Zone drop down list and zone2 from the External Zone drop down list Select Ten GigabitEthernet2 0 1 from the Internal Interface drop down list Click Apply Add a rule for URL Filter Policy which is the default URL filtering policy Select URL F...

Страница 82: ...75 Figure 60 Rule management Figure 61 Add a rule Select URL Filter Policy from the Policy drop down list Type rule1 as the name ...

Страница 83: ...orm the following operations on the Apply Policy page as shown in Figure 63 Figure 62 Policy application Figure 63 Apply policy Select 0 from the Segment drop down list Select URL Filter Policy from the Policy drop down list Select the Internal zone to External zone check box Add IP address 192 168 2 0 24 to the internal zone IP addresses list Click Apply Activate the configuration After the above...

Страница 84: ...77 Figure 64 Activate the configuration ...

Страница 85: ... Configuration 27 LSQ1IPSSC0 Card Configuration Only for the S7500E Switch and Supporting OAA Configuration 17 LSR1IPS1A1 Card Configuration 35 LST1IPS1A1 Card Configuration 44 LSWM1IPS10 Card Configuration 9 M Main Characteristics 2 Main Functions 3 O OAA Configuration Example 72 Overview69 R Related Manuals 1 S SPE IPS 200 Card Configuration 53 ...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды