H3C s5800 series Configuration manual

Brand: H3C

Model: s5800 series

Type: Configuration manual

This manual is also suitable for

s5820x series

H3C S5820X&S5800 Switch Series

OAA Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

http://www.h3c.com

Software version: Release 1211

Document version: 6W100-20110415

No part of this manual may be reproduced or transmitted in any form or by any means without prior

written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C,

, Aolynk, , H

Care,

, TOP G, , IRF, NetPilot, Neocean, NeoVTL,

SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V

G, V

G, PSPT,

XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,

Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners

Notice

The information in this document is subject to change without notice. Every effort has been made in the

preparation of this document to ensure accuracy of the contents, but all statements, information, and

recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface

The H3C S5800&S5820X documentation set includes 12 configuration guides, which describe the

software features for the S5800&S5820X Switch Series and guide you through the software

configuration procedures. These configuration guides also provide configuration examples to help you

apply software features to different network scenarios.

The OAA Configuration Guide describes OAA fundamentals and configuration. It describes how to log

in to the H3C open application platform (OAP) card connected to your switch and reset the operating

system of the OAP card, and configure the ACFP and ACSEI protocols to exchange information

between your switch and the OAP card.

This preface includes:

•

Audience

•

Added and modified features

•

Conventions

•

About the H3C S5800&S5820X documentation set

•

Obtaining documentation

•

Technical support

•

Documentation feedback

Audience

This documentation is intended for:

• Network planners

• Field technical support and servicing engineers

• Network administrators working with the S5800 and S5820X switch series

Added and modified features

Compared to Release1110, Release1211 adds the following features:

Configuration guide Added and modified features

OAP Card —

ACFP Added features: ACFP supports the handling of the IPv6 packets

ACSEI —

Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention Description

Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.

[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... }

Braces enclose a set of required syntax choices separated by vertical bars, from which

you select one.

[ x | y | ... ]

Square brackets enclose a set of optional syntax choices separated by vertical bars, from

which you select one or none.

{ x | y | ... } *

Asterisk marked braces enclose a set of required syntax choices separated by vertical

bars, from which you select at least one.

[ x | y | ... ] *

Asterisk marked square brackets enclose optional syntax choices separated by vertical

bars, from which you select one choice, multiple choices, or none.

&<1-n>

The argument or keyword and argument combination before the ampersand (&) sign can

be entered 1 to n times.

# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Description

Boldface

Window names, button names, field names, and menu items are in Boldface. For

example, the New User window appears; click OK.

> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Convention Description

< > Button names are inside angle brackets. For example, click <OK>.

[ ]

Window names, menu items, data table and field names are inside square brackets. For

example, pop up the [New User] window.

/ Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

Symbols

Convention Description

WARNING

An alert that calls attention to important information that if not understood or followed can

result in personal injury.

CAUTION

An alert that calls attention to important information that if not understood or followed can

result in data loss, data corruption, or damage to hardware or software.

IMPORTANT

An alert that calls attention to essential information.

NOTE

An alert that contains additional or supplementary information.

Convention Description

TIP

An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports

Layer 2 forwarding and other Layer 2 features.

About the H3C S5800&S5820X documentation set

The H3C S5800&S5820X documentation set includes:

Category Documents Purposes

Marketing brochures Describe product specifications and benefits.

Product description and

specifications

Technology white papers

Provide an in-depth description of software features

and technologies.

PSR150-A [ PSR150-D ]

Power Modules User

Manual

Describes the appearances, features, specifications,

installation, and removal of the pluggable 150W

power modules available for the products.

PSR300-12A

[ PSR300-12D1 ] Power

Modules User Manual

Describes the appearances, features, specifications,

installation, and removal of the pluggable 300W

power modules available for the products.

PSR750-A [ PSR750-D ]

Power Modules User

Manual

Describes the appearances, features, specifications,

installation, and removal of the pluggable 750W

power modules available for the products.

RPS User Manual

Describes the appearances, features, and

specifications of the RPS units available for the

products.

LSW1FAN and

LSW1BFAN Installation

Manual

Describes the appearances, specifications,

installation, and removal of the pluggable fan

modules available for the products.

LSW148POEM Module

User Manual

Describes the appearance, features, installation,

and removal of the pluggable PoE module available

for the products.

S5820X [ S5800 ] Series

Ethernet Switches

Interface Cards User

Manual

Describes the models, hardware specifications,

installation, and removal of the interface cards

available for the products.

H3C OAP Cards User

Manual

Describes the benefits, features, hardware

specifications, installation, and removal of the OAP

cards available for the products.

Pluggable module

description

H3C Low End Series Describes the models, appearances, and

Ethernet Switches

Pluggable Modules

Manual

specifications of the pluggable modules available

for the products.

S5800-60C-PWR

Ethernet Switch Hot

Swappable Power

Module Ordering Guide

Guides you through ordering the hot-swappable

power modules available for the S5800-60C-PWR

switches in different cases.

Power configuration

RPS Ordering Information

for H3C Low-End Ethernet

Switches

Provides the RPS and switch compatibility matrix and

RPS cable specifications.

• S5800 Series Ethernet

Switches Quick Start

• S5820X Series

Ethernet Switches

Quick Start

• S5800 Series Ethernet

Switches CE DOC

• S5820X Series

Ethernet Switches CE

DOC

Provides regulatory information and the safety

instructions that must be followed during

installation.

• S5800 Series Ethernet

Switches Quick Start

• S5820X Series

Ethernet Switches

Quick Start

Guides you through initial installation and setup

procedures to help you quickly set up and use your

device with the minimum configuration.

• S5800 Series Ethernet

Switches Installation

Manual

• S5820X Series

Ethernet Switches

Installation Manual

Provides a complete guide to hardware installation

and hardware specifications.

Pluggable SFP[SFP+][XFP]

Transceiver Modules

Installation Guide

Guides you through installing SFP/SFP+/XFP

transceiver modules.

Hardware installation

• S5800-60C-PWR

Switch Video

Installation Guide

• S5820X-28C Switch

Video Installation

Guide

Shows how to install the H3C S5800-60C-PWR and

H3C S5820X-28C Ethernet switches.

Configuration guide

Describe software features and configuration

procedures.

Software configuration

Command reference

Provide a quick reference to all available

commands.

H3C Series Ethernet

Switches Login Password

Recovery Manual

Tells how to find the lost password or recover the

password when the login password is lost.

Operations and

maintenance

Release notes

Provide information about the product release,

including the version history, hardware and software

compatibility matrix, version upgrade information,

technical support information, and software

upgrading.

Obtaining documentation

You can access the most up-to-date H3C product documentation on the World Wide Web at

http://www.h3c.com.

Click the links on the top navigation bar to obtain different categories of product documentation:

[Technical Support & Documents > Technical Documents] – Provides hardware installation, software

upgrading, and software feature configuration and maintenance documentation.

[Products & Solutions] – Provides information about products and technologies, as well as solutions.

[Technical Support & Documents > Software Download] – Provides the documentation released with the

software version.

Technical support

customer_service@h3c.com

http://www.h3c.com

Documentation feedback

You can e-mail your comments about product documentation to [email protected].

We appreciate your comments.

Contents

OAP card configuration ·············································································································································· 1

OAP card overview ··························································································································································1

Configuring an OAP card················································································································································1

Logging in to the software system of an OAP card through the switch······························································1

Restarting an OAP card···········································································································································2

ACFP configuration······················································································································································ 3

Introduction to ACFP·························································································································································3

ACFP architecture·····················································································································································3

ACFP collaboration ··················································································································································4

ACFP management···················································································································································4

ACFP information overview·····································································································································5

Using ACFP ·······························································································································································7

ACFP configuration task list ·············································································································································8

Configuring the ACFP server (switch) ·····························································································································8

Enabling the ACFP server········································································································································8

Enabling the ACFP trap function·····························································································································8

Displaying and maintaining ACFP ·························································································································9

Configuring the ACFP client (OAP card)························································································································9

ACSEI configuration···················································································································································10

Introduction to ACSEI····················································································································································· 10

Functions of ACSEI ················································································································································ 10

ACSEI timers ·························································································································································· 11

ACSEI startup and running··································································································································· 11

ACSEI server configuration (switch) ····························································································································· 11

Enabling ACSEI server·········································································································································· 11

Configuring the clock synchronization timer······································································································ 12

Configuring the monitoring timer························································································································· 12

Closing an ACSEI client········································································································································ 12

Restarting an ACSEI client···································································································································· 12

Displaying and maintaining ACSEI server ········································································································· 13

ACSEI client configuring (OAP card)··························································································································· 13

Index ···········································································································································································14

OAP card configuration

This chapter includes these sections:

•

OAP card overview

•

Configuring an OAP card

OAP card overview

The Open Application Platform (OAP) cards are developed based on the Open Application Architecture

(OAA) by Hangzhou H3C Technologies Co., Ltd. (hereinafter referred to as H3C).

An OAP card has an independent CPU and memory card (CF card), and it can load various service

software. When an OAP card is installed in a switch, the switch can provide security, management, and

wireless communication applications flexibly and rapidly besides basic data forwarding functions. In this

way, multiple kinds of applications are implemented on the same device, facilitating network and service

deployment and reducing overall cost at the same time.

Configuring an OAP card

Logging in to the software system of an OAP card through the

switch

You can redirect to the operating system of an OAP card from the switch when the OAP card is installed

on the switch. In this way, the terminal display interface is switched from the command line interface (CLI)

on the switch to the operating interface of the software system on the OAP card, and you can manage

the system and application software of the OAP card on the switch.

To return to the CLI on the switch after the operating interface switch, press Ctrl+K.

Follow the step below to redirect from the switch to the software system on the OAP card:

To do… Use the command… Remarks

Redirect from the switch to the

software system on the OAP card

oap connect slot slot-number

system system-name

Required

Available in user view

NOTE:

• You can install multiple OAP cards on some models of the S5800 and S5820X switches. If you lo

in to

the software system of one OAP card first, you cannot log in to the software system of another by usin

the oap connect command. To log in to the software system of another

OAP card, return to the CLI on

the switch by pressing Ctrl+K.

• For an Intelligent Resilient Framework (IRF) virtual device, use the oap connect command repeatedly to

in to the software systems of multiple OAP cards installed on different member switches, but not on

the same member switch.

Restarting an OAP card

If the software system of an OAP card works abnormally or is under other anomalies, restart the OAP

card with the following command.

Follow the step below to restart an OAP card:

To do… Use the command… Remarks

Restart the OAP card

oap reboot slot slot-number

system system-name

Required

Available in user view

CAUTION:

To avoid service interruption and hardware data loss, save the configurations of the OAP card before

restarting it.

ACFP configuration

This chapter includes these sections:

•

Introduction to ACFP

•

ACFP configuration task list

•

Configuring the ACFP server (switch)

•

Configuring the ACFP client (OAP card)

Introduction to ACFP

Basic data communication networks comprise of routers and switches, which forward data packets. As

data networks develop, more and more services run on them. It has become inappropriate to use legacy

devices for handling some new services. Some security products such as firewalls, Intrusion Detection

System (IDS), and Intrusion Prevention System (IPS), and voice and wireless products are designed to

handle specific services.

For better support of new services, manufacturers of legacy networking devices—routers and switches in

this document—have developed various dedicated service boards/cards to specifically handle these

services. Some manufacturers of legacy networking devices provide a set of software/hardware

interfaces to allow the boards/cards or devices of other manufacturers to be plugged or connected to

these legacy networking devices for cooperating to handle these services. This gives full play to the

advantages of respective manufacturers for better support of new services while reducing user

investments.

The open application architecture (OAA) is an open service architecture developed with this concept. It

integrates devices and software produced by different manufacturers, making them function as one

device, and providing integrated resolutions for the customers.

The Application Control Forwarding Protocol (ACFP) is developed based on the OAA architecture. A

router or switch mirrors or redirects the received packets to an ACFP client after matching the ACFP

collaboration rules. The ACFP client then processes the packets in different ways.

ACFP architecture

Figure 1 Diagram for ACFP architecture

As shown in Figure 1, the ACFP architecture consists of the following components:

• Routing/switching component—As the main part of a routers and a switch, it performs complete

router/switch functions and is also the core of user management control. This part is the ACFP

server.

• Independent service component—It is the main part open for development by a third party and

provides various unique service functions. This part is the ACFP client.

• Interface-connecting component—It connects the interface of the routing/switching component to

that of the independent service component, allowing the devices of two manufacturers to be

interconnected.

ACFP collaboration

ACFP collaboration means that the independent service component can send instructions to the

routing/switching component in order to change its functions. ACFP collaboration is mainly

implemented through the Simple Network Management Protocol (SNMP). Acting as a network

management system, the independent service component sends various SNMP commands to the

routing/switching component, which can then execute the instructions received because it supports

SNMP agent. In this process, the cooperating MIB is the key to associating the two components with

each other.

ACFP management

ACFP collaboration provides a mechanism that enables the ACFP client to control the traffic on the ACFP

server by implementing the following functions:

• Mirroring and redirecting the traffic on the ACFP server to the ACFP client

• Permitting/denying the traffic from the ACFP server

• Restricting the rate of the traffic on the ACFP server

• Carrying the context ID in a packet to enable the ACFP server and ACFP client to communicate the

packet context with each other. The detailed procedure is as follows:

The ACFP server maintains a context table that can be queried with context ID. Each context ID

corresponds with an ACFP collaboration policy that contains information including inbound interface

and outbound interface of the packet, and collaboration rules. When the packet received by the ACFP

server is redirected or mirrored to the ACFP client after matching a collaboration rule, the packet carries

the context ID of the collaboration policy to which the collaboration rule belongs. When the redirected

packet is returned from the ACFP client, the packet also carries the context ID. With the context ID, the

ACFP server knows that the packet is returned after being redirected and then forwards the packet

normally.

For the ACFP client to better control traffic, the two-level structure of collaboration policy and

collaboration rules is set in the collaboration to manage the traffic matching the collaboration rule based

on the collaboration policy, implementing flexible traffic management.

To better support the Client/Server collaboration mode and granularly and flexibly set different rules, the

collaboration content is divided into four parts: ACFP server information, ACFP client information, ACFP

collaboration policy and ACFP collaboration rules. These four parts of information are saved in the ACFP

server.

An ACFP server supports multiple ACFP clients. ACFP client information, ACFP collaboration policy, and

ACFP collaboration rules are organized in the form of tables.

ACFP server information is generated by the ACFP server itself. ACFP client information, ACFP

collaboration policy, and ACFP collaboration rules are generated on the ACFP client and sent to the

ACFP server through the collaboration MIB or collaboration protocol.

ACFP information overview

ACFP server information

ACFP server information includes the following contents:

• Supported working modes—Host, pass-through, mirroring, and redirect. An ACFP server can

support multiple working modes among these four at the same time. The ACFP server and client(s)

can collaborate with each other only when the ACFP server supports the working mode of the ACFP

client.

• Maximum expiration time of the supported collaboration policy—Indicates for how long the

collaboration policy of the ACFP server will remain valid.

• Whether the ACFP server can permanently save the collaboration policy—Refers to whether the

ACFP server can keep the original collaboration policy after reboot.

• Supported context ID type—The location of the context ID in the packet may vary with ACFP servers.

Context IDs fall in the following types: no-context (no context ID is carried), HG-context (carrying the

preamble HG as the context ID), HGPlus-context (carrying the preamble HGPlus as the context ID),

FlowID-context (carrying the preamble Flow ID as the context ID), VLANID-context (carrying VLAN

ID as the context ID).

NOTE:

• The S5800&S5820X switches support the mirroring and redirect modes only.

• The S5800&S5820X switches support carrying the preamble HGPlus as the context ID (the

HGPlus-context) only.

The above-mentioned information indicates the collaboration capabilities of an ACFP server. ACFP

clients can access this information through a collaboration protocol or collaboration MIB.

ACFP client information

ACFP client information includes the following contents:

• ACFP client identifier—It can be assigned by the ACFP server through a collaboration protocol or

specified by the network administrator to ensure that each ACFP client has a unique client ID on the

ACFP server.

• Description—ACFP client description information.

• Hw-Info—ACFP client hardware type, version number, and so on.

• OS-Info—System name and version number of the ACFP client.

• App-Info—Application software type and version number of the ACFP client.

• Client IP—ACFP client IP address.

• Client Mode—Working mode supported by the ACFP client, which is the combination of the host,

pass-through, mirroring, and redirect modes.

ACFP collaboration policy

ACFP collaboration policy refers to the collaboration policy that the ACFP client sends to the ACFP server

for application. The policy information includes the following contents:

• Client ID—ACFP client identifier.

• Policy-Index

• In-interface—Interface through which the packet is sent to the ACFP server.

• Out-interface—Interface through which the packet is forwarded normally.

• Dest-interface—ACFP server interface connected with ACFP client.

• Context ID—Used when the packet is mirrored or redirected to an ACFP client. After the interface

connected to the ACFP client is specified in the policy sent, the ACFP server assigns it a global serial

number (the Context ID) with each Context ID corresponding to an ACFP collaboration policy.

• Admin-Status—Indicates whether to enable the policy.

• Effect-Status—Indicates the expiration time of the policy and is used to control the expiration time of

all the rules under the policy.

• Start-Time—Indicates starting from what time (second/minute/hour) the policy takes effect and is

used to control starting from what time all the rules under the policy take effect.

• End-time—Indicates starting from what time (second/minute/hour) the policy turns invalid and is

used to control starting from what time all the rules under the policy turn invalid.

• DestIfFailAction—If the policy dest-interface is down, the actions to all rules under the policy will be

as follows: for forwarding first devices, select the delete action to keep the redirected and mirrored

packets being forwarded; for security first devices, select the reserve action to discard the redirected

and mirrored packets.

• Priority—Indicates the priority of a policy, number notation, in the range of 1 to 8. The bigger the

number, the higher the priority.

ACFP collaboration rules

ACFP collaboration rules refer to the collaboration rules that the ACFP client sends to the ACFP server for

application. Collaboration rules fall in the following types:

• Monitoring rules—Monitors, analyzes, and processes the packets to be sent to the ACFP client. The

action types corresponding to monitoring rules are redirect and mirror.

• Filtering rules—Determines which packets to deny and which packets to permit. The action types

corresponding to filtering rules are deny and permit.

• Restricting rules—Determines the rate of which packets is to be restricted. The action type

corresponding to restricting rules is rate.

Rule information is described as follows:

• ClientID—ACFP client identifier.

• Policy index

• Rule index—Rule identifier.

• Status—Indicates whether the rule is applied successfully.

• Action—Can be mirror, redirect, deny, permit, or rate.

• Match all packets—Indicates whether to match all the packets. If yes, the following matching needs

not be performed.

• Source MAC address

• Destination MAC address

• Starting VLAN ID

• Ending VLAN ID

• Protocol number in IP

• Source IP address

• Wildcard mask of source IP address

• Source port operator—Its type can be equal to, not equal to, greater than, less than, greater than

and less than. The following ending source port number takes effect only when the type is greater

than and less than. The source port number of the packets matched by the identifier must be greater

than the starting source port number and less than the ending source port number.

• Starting source port number

• Ending source port number

• Destination IP address

• Wildcard mask of destination IP address

• Destination port number operator—Its type can be equal to, not equal to, greater than, less than,

greater than and less than. The following ending destination port number is meaning only when

the type is greater than and less than. The destination port number of the packets matched by the

identifier must be greater than the starting destination port number and less than the ending

destination port number.

• Starting destination port number

• Ending destination port number

• Pro—Protocol type, which can be GRE, ICMP, IGMP, OSPF, TCP, UDP, and IP.

• IP precedence: Packet precedence, a number in the range of 0 to 7.

• IP ToS—Type of Service (ToS) of IP

• IP DSCP—Differentiated Services Code Point (DSCP) of IP

• TCP flag—Indicates that some bits in the six flag bits—URG, ACK, PSH, RST, SYN, FIN—are

concerned.

• IP fragment—Indicates whether the packet is an IP packet fragment.

• Rate limit

• Row state

You can use the collaboration policy to manage the collaboration rules that belong to it.

Using ACFP

• The S5800 and S5820X switches can be installed with various types of OAP cards. If you install an

IPS card on the switch, disable STP on the internal 10 Gigabit Ethernet port that connects the IPS

card to the switch. In addition, when the IPS card operates in redirection mode, if you add an

interface on the switch into a zone configured on the IPS card and configure the IPS card to monitor

the interface, then the interface does not support Portal authentication.

• In a GRE tunneling environment, an ACFP policy can be configured on a tunnel interface only.

• ACFP does not support NetStream services.

• QoS processing such as marking the QoS local ID and local priority for the packets is not

performed on the packets returned after they are redirected to the ACFP client.

• On the destination interface, the packets redirected or mirrored by ACFP only support Layer 2 QoS

processing, including queuing, WRED (Weighted Random Early Detection), and so on; but not any

other service processing, such as non-Layer 2 QoS processing and non-QoS service processing.

• With ACFP, a stream cannot be mirrored or redirected to multiple ACFP clients.

• ACFP cannot process outbound packets.

• ACFP does not support the handling of the following types of packets: broadcasts, multicasts, MPLS

packets, and inbound packets.

• ACFP redirects and mirrors any IP datagram not greater than 1,500 bytes—length of Layer 3 packet,

excluding link layer header—but discards any IP datagram greater than 1,500 bytes.

ACFP configuration task list

Complete the following tasks to configure ACFP:

Task Remarks

Enabling the ACFP server Required

Configuring the ACFP server

(switch)

Enabling the ACFP trap function Optional

Configuring the ACFP client (OAP card) Required

Configuring the ACFP server (switch)

Enabling the ACFP server

Follow these steps to configure to enable the ACFP server:

To do… Use the command… Remarks

Enter system view system-view —

Enable the ACFP server acfp server enable

Required

Disabled by default

Enabling the ACFP trap function

To make ACFP work normally, you must enable the device to send traps of the ACFP module.

After the trap function on the ACFP module is enabled, the ACFP module will generate traps to report

important events of the module.

Table 1 ACFP trap message level

Trap message Level

Context ID type changed notifications

ACFP client registration notifications

ACFP client deregistration notifications

ACSEI detects that ACFP client had no response warnings

ACFP server does not support the working mode of the

ACFP client

errors

Expiration period of ACFP collaboration policy

changed

notifications

ACFP collaboration rules are created informational

ACFP collaboration rules are removed informational

ACFP collaboration rules failed errors

Trap message Level

Expiration period of ACFP collaboration policy timed

out

notifications

The generated traps will be sent to the information center of the device. With the parameters for the

information center set, the output rules for traps—whether the traps are allowed to be output and the

output destinations—are decided. For more information about the configuration of the parameters for the

information center, see Information center configuration in the Network Management and Monitoring

Configuration Guide.

Follow these steps to enable the ACFP function:

To do… Use the command… Remarks

Enter system view system-view —

Enable the trap function of the

ACFP module

snmp-agent trap enable acfp [ client |

policy | rule | server ]

Optional

Enabled by default

NOTE:

For more information about the description of the snmp-agent trap enable command, see SNMP

commands in the

Network Management and Monitoring Command Reference

Displaying and maintaining ACFP

To do… Use the command… Remarks

Display the configuration

information of the ACFP server

display acfp server-info [ | { begin | exclude |

include } regular-expression ]

Display the configuration

information of an ACFP client

display acfp client-info [ client-id ] [ | { begin |

exclude | include } regular-expression ]

Display the configuration

information of an ACFP policy

display acfp policy-info [ client client-id

[ policy-index ] | dest-interface interface-type

interface-number | in-interface interface-type

interface-number | out-interface interface-type

interface-number ] [ active | inactive ] [ | { begin

| exclude | include } regular-expression ]

Display ACFP rule configuration

information

display acfp rule-info { in-interface

[ interface-type interface-number ] |

out-interface [ interface-type interface-number ]

| policy [ client-id policy-index ] } [ | { begin |

exclude | include } regular-expression ]

Display the configuration

information of ACFP Trap

display snmp-agent trap-list [ | { begin |

exclude | include } regular-expression ]

Available in any view

Configuring the ACFP client (OAP card)

You need to configure the ACFP collaboration policy and ACFP collaboration rules on the ACFP client,

which is the OAP card through MIB. The specific configuration depends on the service software used on

the ACFP client. For more information about OAP card, see the related manual of the ordered OAP card.

ACSEI configuration

This chapter includes these sections:

•

Introduction to ACSEI

•

ACSEI server configuration (switch)

•

ACSEI client configuring (OAP card)

Introduction to ACSEI

As a private protocol, ACSEI provides a method for exchanging information between ACFP clients and

ACFP server. It well supports Application Control Forwarding Protocol (ACFP) collaboration, ensuring

valid information interaction between the ACFP clients and the ACFP server, so that the ACFP server and

clients can cooperate to run a service.

As a supporting protocol of ACFP, ACSEI also has two entities: server and client.

• ACSEI server is integrated into the software system of the switch and is supported by the switch.

• ACSEI client is integrated into the software system of the OAP card. In this way it is a function

supported by the OAP card.

NOTE:

• ACFP is designed based on the Open Application Architecture (OAA). The collaborating IDS (Intrusion

Detection System) cards or IDS devices serve as the ACFP clients which run applications of other vendors

and support the IPS (Intrusion Prevention System)/IDS services. For more information about ACFP, see

ACFP configuration in the OAA

Configuration Guide

• The open application platform (OAP) is designed for new services. On OAP card runs the operating

system, you can load various service software, such as security, voice, and so on as needed. For more

information about the OAP card, see OAP card configuration in the OAA

Configuration Guide

Functions of ACSEI

ACSEI mainly provides the following functions:

• Registration and deregistration of an ACSEI client to the ACSEI server.

• ID assignment. The ACSEI server assigns IDs to ACSEI clients to distinguish between them.

• Mutual monitoring and awareness between an ACSEI client and the ACSEI server.

• Information interaction between the ACSEI server and ACSEI clients, including clock

synchronization.

• Control of the ACSEI clients on the ACSEI server. For example, close an ACSEI client, or restart an

ACSEI client on the ACSEI server.

An ACSEI server can register multiple ACSEI clients. The maximum number of ACSEI clients that an

ACSEI server allows to register is 10.

ACSEI timers

An ACSEI server uses two timers, the clock synchronization timer and the monitoring timer.

• The clock synchronization timer periodically triggers the ACSEI server to send clock synchronization

advertisements to ACSEI clients. You can set this timer through command lines.

• The monitoring timer periodically triggers the ACSEI server to send monitoring requests to ACSEI

clients. You can set this timer through command lines.

An ACSEI client starts two timers, the registration timer and the monitoring timer.

• The registration timer periodically triggers the ACSEI client to multicast registration requests with the

multicast MAC address being 010F-E200-0021. You cannot set this timer.

• The monitoring timer periodically triggers the ACSEI client to send monitoring requests to the ACSEI

server. You cannot set this timer.

ACSEI startup and running

ACSEI starts up and runs in the following procedures:

1. Run the ACSEI client application to enable ACSEI client.

2. Start up the device and enable the ACSEI server function on it.

3. The ACSEI client multicasts registration requests.

4. After the ACSEI server receives a valid registration request, it negotiates parameters with the

ACSEI client and establishes connection with the client if the negotiation succeeds.

5. The ACSEI server and the ACSEI client mutually monitor the connection.

6. If detecting the disconnection of the ACSEI client, the ACFP server will remove the configuration

and policies associated with the client.

ACSEI server configuration (switch)

The section covers these topics:

•

Enabling ACSEI server

•

Configuring the clock synchronization timer

•

Configuring the monitoring timer

•

Closing an ACSEI client

•

Restarting an ACSEI client

•

Displaying and maintaining ACSEI server

Enabling ACSEI server

Follow these steps to enable ACSEI server:

To do… Use the command… Remarks

Enter system view system-view —

Enable ACSEI server acsei server enable

Required

Disabled by default.

Configuring the clock synchronization timer

Follow these steps to configure the clock synchronization timer:

To do… Use the command… Remarks

Enter system view system-view —

Enable the ACSEI server function acsei server enable Required

Enter ACSEI server view acsei server —

Configure the clock

synchronization timer from ACSEI

server to ACSEI client

acsei timer clock-sync minutes

Optional

Five minutes by default.

Configuring the monitoring timer

Follow theses steps to configure the monitoring timer:

To do… Use the command… Remarks

Enter system view system-view —

Enable the ACSEI server function acsei server enable Required

Enter ACSEI server view acsei server —

Configure the monitoring timer for

ACSEI server to monitor ACSEI

client

acsei timer monitor seconds

Optional

Five seconds by default.

Closing an ACSEI client

Follow these steps to close an ACSEI client:

To do… Use the command… Remarks

Enter system view system-view —

Enable the ACSEI server function acsei server enable Required

Enter ACSEI server view acsei server —

Close the specified ACSEI client acsei client close client-id Required

Restarting an ACSEI client

Follow these steps to restart an ACSEI client:

To do… Use the command… Remarks

Enter system view system-view —

Enable the ACSEI server function acsei server enable Required

Enter ACSEI server view acsei server —

Restart the specified ACSEI client acsei client reboot client-id Required

Page is loading ...

H3C s5800 series Configuration manual

Brand: H3C

Model: s5800 series

Type: Configuration manual

This manual is also suitable for

s5820x series

Download PDF

report

H3C s5800 series Configuration manual

This manual is also suitable for

H3C s5800 series Configuration manual

Related papers

Other documents