2 ACFP Configuration

This chapter includes these sections: 

- Introduction to ACFP
- Enabling the ACFP Server
- Configuring ACFP Client
- Enabling the ACFP Trap Function
- Displaying and Maintaining ACFP
- ACFP Configuration Example

Introduction to ACFP 

Basic data communication networks consist of routers and switches, which forward data packets. As data networks develop, more and more services run on them, and legacy devices have become unsuitable for handling some of the new services. Therefore, security products such as firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), as well as voice and wireless products, are designed to handle specific services.

To better support new services, manufacturers of legacy networking devices (routers and switches in this document) have developed various dedicated service boards (service cards) to handle these services specifically. Some manufacturers of legacy networking devices provide a set of software/hardware interfaces that allow the boards (cards) or devices of other manufacturers to be plugged into or connected to these legacy networking devices, so that they cooperate in handling these services. This lets each manufacturer play to its strengths, giving better support for new services while reducing user investments.

The open application architecture (OAA) is an open service architecture developed with this concept. It integrates devices and software produced by different manufacturers, making them function as one device and thus providing integrated solutions for customers.

The Application Control Forwarding Protocol (ACFP) is developed based on the OAA architecture. For example, collaborating IPS/IDS cards or IPS/IDS devices acting as ACFP clients run software packages developed by other manufacturers to support the IPS/IDS services. A router or switch matches received packets against the ACFP collaboration rules and mirrors or redirects the matching packets to an ACFP client. The software running on the ACFP client monitors and inspects the packets. Based on the results, the ACFP client sends responses back to the router or switch through collaboration Management Information Bases (MIBs), instructing the router or switch how to act on the results, for example by filtering out the specified packets.
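The collaboration loop described above, modelled as a short Python sketch (an added example, not H3C code and not the MIB interface itself). The action names, first-match rule ordering, the `set_rule` method standing in for a MIB write, and the payload marker are assumptions; the source address 192.168.1.2 with wildcard mask 0.0.0.255 is the match used in this guide's configuration example.

```python
import ipaddress
from dataclasses import dataclass

# Action names are assumptions for this sketch; mirroring would behave like
# REDIRECT except that the router also forwards the original packet.
REDIRECT, DENY, FORWARD = "redirect", "deny", "forward"

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

@dataclass
class Rule:
    src: str       # source IP address to match
    wildcard: str  # wildcard mask: bits set to 1 are "don't care"
    action: str

    def matches(self, pkt_src):
        care = ~_ip(self.wildcard) & 0xFFFFFFFF
        return (_ip(pkt_src) & care) == (_ip(self.src) & care)

class AcfpServer:
    """Router/switch side: holds collaboration rules (first match wins, assumed)."""
    def __init__(self):
        self.rules = []

    def set_rule(self, rule, first=False):
        # Stands in for the ACFP client writing a rule through the collaboration MIB.
        if first:
            self.rules.insert(0, rule)
        else:
            self.rules.append(rule)

    def handle(self, pkt_src):
        for rule in self.rules:
            if rule.matches(pkt_src):
                return rule.action
        return FORWARD  # no collaboration rule matched: normal forwarding

def client_inspect(server, pkt_src, payload):
    """ACFP client side: inspect a redirected packet and, on a hit,
    push a host-specific deny rule back to the server."""
    if b"ATTACK-SIGNATURE" in payload:  # constructed marker, not a real signature
        server.set_rule(Rule(pkt_src, "0.0.0.0", DENY), first=True)
        return True
    return False

def demo():
    srv = AcfpServer()
    srv.set_rule(Rule("192.168.1.2", "0.0.0.255", REDIRECT))
    before = [srv.handle(ip) for ip in ("192.168.1.77", "10.0.0.5")]
    flagged = client_inspect(srv, "192.168.1.77", b"GET /?q=ATTACK-SIGNATURE")
    after = [srv.handle(ip) for ip in ("192.168.1.77", "192.168.1.78")]
    return before, flagged, after
```

After the client flags 192.168.1.77, only that host is filtered; the rest of 192.168.1.0/24 is still redirected for inspection.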

Contents of SR6600 SPE-FWM

Page 1: ...H3C SR6600 Routers OAA Configuration Guide Hangzhou H3C Technologies Co Ltd http www h3c com Document Version 20100930 C 1 08 Product Version SR6600 CMW520 R2420...

Page 2: ...ware Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are th...

Page 3: ...R6600 Conventions This section describes the conventions used in this documentation set Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter li...

Page 4: ...as a router switch or firewall Represents a routing capable device such as a router or Layer 3 switch Represents a generic switch such as a Layer 2 or Layer 3 switch or a router that supports Layer 2...

Page 5: ...upgrading Obtaining Documentation You can access the most up to date H3C product documentation on the World Wide Web at http www h3c com Click the links on the top navigation bar to obtain different c...

Page 6: ...ration 2 5 ACFP Management 2 5 ACFP Information Overview 2 6 Using ACFP 2 9 ACFP Configuration Task List 2 9 Enabling the ACFP Server 2 9 Configuring ACFP Client 2 10 Enabling the ACFP Trap Function 2...

Page 7: ...evice it interacts with the device on data status information and control information through its internal service interfaces Logging In to the Operating System of an OAP Card Logging In Through the C...

Page 8: ...ou can log in to the operating system of an OAP card through its internal Ethernet interface To configure the OAP card as the SSH server follow these steps 1 Log in to the OAP card through the console...

Page 9: ...ntals Configuration Guide Resetting the System of an OAP Card If the operating system works abnormally or is under other anomalies you can reset the system of an OAP card with the following command wh...

Page 10: ...r manufacturers to be plugged or connected to these legacy networking devices for cooperating to handle these services This gives full play to the advantages of respective manufacturers for better sup...

Page 11: ...nt which can then execute the instructions received because it supports SNMP agent In this process the cooperating MIB is the key to associating the two components with each other ACFP Management ACFP...

Page 12: ...FP server information contains the following z Supported working modes host pass through mirroring and redirect An ACFP server can support multiple working modes among these four at the same time The...

Page 13: ...ent After the interface connected to the ACFP client is specified in the policy sent the ACFP server assigns it a global serial number that is the Context ID with each Context ID corresponding to an A...

Page 14: ...to not equal to greater than less than greater than and less than The following ending source port number takes effect only when the type is greater than and less than The source port number of the p...

Page 15: ...ce processing such as non Layer 2 QoS processing and non QoS service processing z With ACFP a stream cannot be mirrored or redirected to multiple ACFP clients z ACFP cannot process outbound packets z...

Page 16: ...t ACFP client had no response warnings ACFP server does not support the working mode of the ACFP client errors Expiration period of ACFP collaboration policy changed notifications ACFP collaboration r...

Page 17: ...ce number out interface interface type interface number policy client id policy index Display ACFP rule cache configuration information display acfp rule cache in interface interface type interface nu...

Page 18: ...olicyInIfIndex the policy destination interface is GigabitEthernet 3 0 3 by setting the node h3cAcfpPolicyDestIfIndex and the other parameters adopt the default values Configure the ACFP rule Configur...

Page 19: ...node h3cAcfpRuleAction the packets whose source IP address is 192 168 1 2 are matched by setting the node h3cAcfpRuleSrcMAC the wildcard mask of the source IP address mask is 0 0 0 255 by setting the...

Page 20: ...ule In this way it is a function supported by the OAP module Hardware and configurations needed in the two implementations are different This chapter will introduce them respectively z ACFP is designe...

Page 21: ...on requests with the multicast MAC address being 010F E200 0021 You cannot set this timer z The monitoring timer is used to periodically trigger the ACSEI client to send monitoring requests to the ACS...

Page 22: ...iguring the Monitoring Timer Follow theses steps to configure the monitoring timer To do Use the command Remarks Enter system view system view Enable the ACSEI server function acsei server enable Requ...

Page 23: ...ACSEI server view acsei server Restart the specified ACSEI client acsei client reboot client id Required Displaying and Maintaining ACSEI Server To do Use the command Remarks Display ACSEI client summ...

Page 24: ...FP Client 2 10 D Displaying and Maintaining ACFP 2 11 E Enabling the ACFP Server2 9 Enabling the ACFP Trap Function 2 10 F G H I Introduction to ACFP 2 4 Introduction to ACSEI3 14 J K L Logging In to...
