H3C S5800 Series Configuration Manual

H3C S5820X&S5800 Switch Series
OAA Configuration Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: Release 1211
Document version: 6W100-20110415
Copyright © 2011, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine,
SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem,
InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C S5800&S5820X documentation set includes 12 configuration guides, which describe the
software features for the S5800&S5820X Switch Series and guide you through the software
configuration procedures. These configuration guides also provide configuration examples to help you
apply software features to different network scenarios.
The OAA Configuration Guide describes OAA fundamentals and configuration. It describes how to log
in to the H3C open application platform (OAP) card connected to your switch and reset the operating
system of the OAP card, and configure the ACFP and ACSEI protocols to exchange information
between your switch and the OAP card.
This preface includes:
Audience
Added and modified features
Conventions
About the H3C S5800&S5820X documentation set
Obtaining documentation
Technical support
Documentation feedback
Audience
This documentation is intended for:
Network planners
Field technical support and servicing engineers
Network administrators working with the S5800 and S5820X switch series
Added and modified features
Compared to Release 1110, Release 1211 adds the following features:
Configuration guide Added and modified features
OAP Card
ACFP Added features: ACFP supports the handling of the IPv6 packets
ACSEI —
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } * Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
# A line that starts with a pound (#) sign is a comment.
GUI conventions
Convention Description
Boldface Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
< > Button names are inside angle brackets. For example, click <OK>.
[ ] Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/ Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].
Symbols
Convention Description
WARNING An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT An alert that calls attention to essential information.
NOTE An alert that contains additional or supplementary information.
TIP An alert that provides helpful information.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
About the H3C S5800&S5820X documentation set
The H3C S5800&S5820X documentation set includes:
Each category below lists its documents, followed by the purpose of each document.

Category: Product description and specifications
  Marketing brochures: Describe product specifications and benefits.
  Technology white papers: Provide an in-depth description of software features and technologies.

Category: Pluggable module description
  PSR150-A [ PSR150-D ] Power Modules User Manual: Describes the appearances, features, specifications, installation, and removal of the pluggable 150W power modules available for the products.
  PSR300-12A [ PSR300-12D1 ] Power Modules User Manual: Describes the appearances, features, specifications, installation, and removal of the pluggable 300W power modules available for the products.
  PSR750-A [ PSR750-D ] Power Modules User Manual: Describes the appearances, features, specifications, installation, and removal of the pluggable 750W power modules available for the products.
  RPS User Manual: Describes the appearances, features, and specifications of the RPS units available for the products.
  LSW1FAN and LSW1BFAN Installation Manual: Describes the appearances, specifications, installation, and removal of the pluggable fan modules available for the products.
  LSW148POEM Module User Manual: Describes the appearance, features, installation, and removal of the pluggable PoE module available for the products.
  S5820X [ S5800 ] Series Ethernet Switches Interface Cards User Manual: Describes the models, hardware specifications, installation, and removal of the interface cards available for the products.
  H3C OAP Cards User Manual: Describes the benefits, features, hardware specifications, installation, and removal of the OAP cards available for the products.
  H3C Low End Series Ethernet Switches Pluggable Modules Manual: Describes the models, appearances, and specifications of the pluggable modules available for the products.

Category: Power configuration
  S5800-60C-PWR Ethernet Switch Hot Swappable Power Module Ordering Guide: Guides you through ordering the hot-swappable power modules available for the S5800-60C-PWR switches in different cases.
  RPS Ordering Information for H3C Low-End Ethernet Switches: Provides the RPS and switch compatibility matrix and RPS cable specifications.

Category: Hardware installation
  S5800 Series Ethernet Switches CE DOC, S5820X Series Ethernet Switches CE DOC: Provides regulatory information and the safety instructions that must be followed during installation.
  S5800 Series Ethernet Switches Quick Start, S5820X Series Ethernet Switches Quick Start: Guides you through initial installation and setup procedures to help you quickly set up and use your device with the minimum configuration.
  S5800 Series Ethernet Switches Installation Manual, S5820X Series Ethernet Switches Installation Manual: Provides a complete guide to hardware installation and hardware specifications.
  Pluggable SFP[SFP+][XFP] Transceiver Modules Installation Guide: Guides you through installing SFP/SFP+/XFP transceiver modules.
  S5800-60C-PWR Switch Video Installation Guide, S5820X-28C Switch Video Installation Guide: Shows how to install the H3C S5800-60C-PWR and H3C S5820X-28C Ethernet switches.

Category: Software configuration
  Configuration guide: Describe software features and configuration procedures.
  Command reference: Provide a quick reference to all available commands.

Category: Operations and maintenance
  H3C Series Ethernet Switches Login Password Recovery Manual: Tells how to find the lost password or recover the password when the login password is lost.
  Release notes: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the
software version.
Technical support
customer_service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to [email protected].
We appreciate your comments.
Contents
OAP card configuration
  OAP card overview
  Configuring an OAP card
    Logging in to the software system of an OAP card through the switch
    Restarting an OAP card
ACFP configuration
  Introduction to ACFP
    ACFP architecture
    ACFP collaboration
    ACFP management
    ACFP information overview
    Using ACFP
  ACFP configuration task list
  Configuring the ACFP server (switch)
    Enabling the ACFP server
    Enabling the ACFP trap function
    Displaying and maintaining ACFP
  Configuring the ACFP client (OAP card)
ACSEI configuration
  Introduction to ACSEI
    Functions of ACSEI
    ACSEI timers
    ACSEI startup and running
  ACSEI server configuration (switch)
    Enabling ACSEI server
    Configuring the clock synchronization timer
    Configuring the monitoring timer
    Closing an ACSEI client
    Restarting an ACSEI client
    Displaying and maintaining ACSEI server
  ACSEI client configuring (OAP card)
Index
OAP card configuration
This chapter includes these sections:
OAP card overview
Configuring an OAP card
OAP card overview
The Open Application Platform (OAP) cards are developed based on the Open Application Architecture
(OAA) by Hangzhou H3C Technologies Co., Ltd. (hereinafter referred to as H3C).
An OAP card has an independent CPU and memory card (CF card), and it can load various service
software. When an OAP card is installed in a switch, the switch can provide security, management, and
wireless communication applications flexibly and rapidly besides basic data forwarding functions. In this
way, multiple kinds of applications are implemented on the same device, facilitating network and service
deployment and reducing overall cost at the same time.
Configuring an OAP card
Logging in to the software system of an OAP card through the switch
You can redirect to the operating system of an OAP card from the switch when the OAP card is installed
on the switch. In this way, the terminal display interface is switched from the command line interface (CLI)
on the switch to the operating interface of the software system on the OAP card, and you can manage
the system and application software of the OAP card on the switch.
To return to the CLI on the switch after the operating interface switch, press Ctrl+K.
Follow the step below to redirect from the switch to the software system on the OAP card:
To do: Redirect from the switch to the software system on the OAP card
Use the command: oap connect slot slot-number system system-name
Remarks: Required. Available in user view.
NOTE:
You can install multiple OAP cards on some models of the S5800 and S5820X switches. If you log in to
the software system of one OAP card first, you cannot log in to the software system of another by using
the oap connect command. To log in to the software system of another OAP card, return to the CLI on
the switch by pressing Ctrl+K.
For an Intelligent Resilient Framework (IRF) virtual device, use the oap connect command repeatedly to
log in to the software systems of multiple OAP cards installed on different member switches, but not on
the same member switch.
Restarting an OAP card
If the software system of an OAP card works abnormally or shows other anomalies, restart the OAP
card with the following command.
Follow the step below to restart an OAP card:
To do: Restart the OAP card
Use the command: oap reboot slot slot-number system system-name
Remarks: Required. Available in user view.
CAUTION:
To avoid service interruption and hardware data loss, save the configurations of the OAP card before
restarting it.
ACFP configuration
This chapter includes these sections:
Introduction to ACFP
ACFP configuration task list
Configuring the ACFP server (switch)
Configuring the ACFP client (OAP card)
Introduction to ACFP
Basic data communication networks consist of routers and switches, which forward data packets. As
data networks develop, more and more services run on them. It has become inappropriate to use legacy
devices for handling some new services. Some security products such as firewalls, Intrusion Detection
System (IDS), and Intrusion Prevention System (IPS), and voice and wireless products are designed to
handle specific services.
For better support of new services, manufacturers of legacy networking devices (routers and switches in
this document) have developed various dedicated service boards/cards to specifically handle these
services. Some manufacturers of legacy networking devices provide a set of software/hardware
interfaces to allow the boards/cards or devices of other manufacturers to be plugged or connected to
these legacy networking devices for cooperating to handle these services. This gives full play to the
advantages of respective manufacturers for better support of new services while reducing user
investments.
The open application architecture (OAA) is an open service architecture developed with this concept. It
integrates devices and software produced by different manufacturers, making them function as one
device, and providing integrated solutions for the customers.
The Application Control Forwarding Protocol (ACFP) is developed based on the OAA architecture. A
router or switch mirrors or redirects the received packets to an ACFP client after matching the ACFP
collaboration rules. The ACFP client then processes the packets in different ways.
ACFP architecture
Figure 1 Diagram for ACFP architecture
As shown in Figure 1, the ACFP architecture consists of the following components:
Routing/switching component—As the main part of a router or a switch, it performs complete
router/switch functions and is also the core of user management control. This part is the ACFP
server.
Independent service component—It is the main part open for development by a third party and
provides various unique service functions. This part is the ACFP client.
Interface-connecting component—It connects the interface of the routing/switching component to
that of the independent service component, allowing the devices of two manufacturers to be
interconnected.
ACFP collaboration
ACFP collaboration means that the independent service component can send instructions to the
routing/switching component in order to change its functions. ACFP collaboration is mainly
implemented through the Simple Network Management Protocol (SNMP). Acting as a network
management system, the independent service component sends various SNMP commands to the
routing/switching component, which can then execute the instructions received because it supports
SNMP agent. In this process, the cooperating MIB is the key to associating the two components with
each other.
ACFP management
ACFP collaboration provides a mechanism that enables the ACFP client to control the traffic on the ACFP
server by implementing the following functions:
Mirroring and redirecting the traffic on the ACFP server to the ACFP client
Permitting/denying the traffic from the ACFP server
Restricting the rate of the traffic on the ACFP server
Carrying the context ID in a packet to enable the ACFP server and ACFP client to communicate the
packet context with each other. The detailed procedure is as follows:
The ACFP server maintains a context table that can be queried with context ID. Each context ID
corresponds with an ACFP collaboration policy that contains information including inbound interface
and outbound interface of the packet, and collaboration rules. When the packet received by the ACFP
server is redirected or mirrored to the ACFP client after matching a collaboration rule, the packet carries
the context ID of the collaboration policy to which the collaboration rule belongs. When the redirected
packet is returned from the ACFP client, the packet also carries the context ID. With the context ID, the
ACFP server knows that the packet is returned after being redirected and then forwards the packet
normally.
For the ACFP client to better control traffic, the two-level structure of collaboration policy and
collaboration rules is set in the collaboration to manage the traffic matching the collaboration rule based
on the collaboration policy, implementing flexible traffic management.
To better support the Client/Server collaboration mode and granularly and flexibly set different rules, the
collaboration content is divided into four parts: ACFP server information, ACFP client information, ACFP
collaboration policy and ACFP collaboration rules. These four parts of information are saved in the ACFP
server.
An ACFP server supports multiple ACFP clients. ACFP client information, ACFP collaboration policy, and
ACFP collaboration rules are organized in the form of tables.
ACFP server information is generated by the ACFP server itself. ACFP client information, ACFP
collaboration policy, and ACFP collaboration rules are generated on the ACFP client and sent to the
ACFP server through the collaboration MIB or collaboration protocol.
ACFP information overview
ACFP server information
ACFP server information includes the following contents:
Supported working modes—Host, pass-through, mirroring, and redirect. An ACFP server can
support multiple working modes among these four at the same time. The ACFP server and client(s)
can collaborate with each other only when the ACFP server supports the working mode of the ACFP
client.
Maximum expiration time of the supported collaboration policy—Indicates for how long the
collaboration policy of the ACFP server will remain valid.
Whether the ACFP server can permanently save the collaboration policy—Refers to whether the
ACFP server can keep the original collaboration policy after reboot.
Supported context ID type—The location of the context ID in the packet may vary with ACFP servers.
Context IDs fall in the following types: no-context (no context ID is carried), HG-context (carrying the
preamble HG as the context ID), HGPlus-context (carrying the preamble HGPlus as the context ID),
FlowID-context (carrying the preamble Flow ID as the context ID), VLANID-context (carrying VLAN
ID as the context ID).
NOTE:
The S5800&S5820X switches support the mirroring and redirect modes only.
The S5800&S5820X switches support carrying the preamble HGPlus as the context ID (the
HGPlus-context) only.
The above-mentioned information indicates the collaboration capabilities of an ACFP server. ACFP
clients can access this information through a collaboration protocol or collaboration MIB.
ACFP client information
ACFP client information includes the following contents:
ACFP client identifier—It can be assigned by the ACFP server through a collaboration protocol or
specified by the network administrator to ensure that each ACFP client has a unique client ID on the
ACFP server.
Description—ACFP client description information.
Hw-Info—ACFP client hardware type, version number, and so on.
OS-Info—System name and version number of the ACFP client.
App-Info—Application software type and version number of the ACFP client.
Client IP—ACFP client IP address.
Client Mode—Working mode supported by the ACFP client, which is the combination of the host,
pass-through, mirroring, and redirect modes.
ACFP collaboration policy
ACFP collaboration policy refers to the collaboration policy that the ACFP client sends to the ACFP server
for application. The policy information includes the following contents:
Client ID—ACFP client identifier.
Policy-Index
In-interface—Interface through which the packet is sent to the ACFP server.
Out-interface—Interface through which the packet is forwarded normally.
Dest-interface—ACFP server interface connected with ACFP client.
Context ID—Used when the packet is mirrored or redirected to an ACFP client. After the interface
connected to the ACFP client is specified in the policy sent, the ACFP server assigns it a global serial
number (the Context ID) with each Context ID corresponding to an ACFP collaboration policy.
Admin-Status—Indicates whether to enable the policy.
Effect-Status—Indicates the expiration time of the policy and is used to control the expiration time of
all the rules under the policy.
Start-Time—Indicates starting from what time (second/minute/hour) the policy takes effect and is
used to control starting from what time all the rules under the policy take effect.
End-time—Indicates starting from what time (second/minute/hour) the policy turns invalid and is
used to control starting from what time all the rules under the policy turn invalid.
DestIfFailAction—If the policy dest-interface is down, the actions to all rules under the policy will be
as follows: for forwarding first devices, select the delete action to keep the redirected and mirrored
packets being forwarded; for security first devices, select the reserve action to discard the redirected
and mirrored packets.
Priority—Indicates the priority of a policy, a number in the range of 1 to 8. The bigger the
number, the higher the priority.
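The Context ID and DestIfFailAction fields described above can be modelled in a few lines. The following Python sketch is an added example, not H3C code: the class names, the interface name and the verdict strings are hypothetical, only the redirect action is modelled, and dropping a returned packet that carries an unknown context ID is an assumption.

```python
from dataclasses import dataclass
from itertools import count


@dataclass
class Policy:
    client_id: int
    policy_index: int
    dest_interface: str        # ACFP server interface connected to the ACFP client
    dest_if_fail_action: str   # "delete" (forwarding first) or "reserve" (security first)
    context_id: int = 0        # assigned by the server when the policy is installed
    rules_installed: bool = True


class AcfpServerModel:
    """Toy model of the ACFP server's context table (illustrative only)."""

    def __init__(self):
        self._serial = count(1)    # source of the global serial number
        self.context_table = {}    # context ID -> Policy
        self.interface_up = {}     # dest-interface -> link state

    def install(self, policy):
        """Assign a context ID to a policy sent by an ACFP client."""
        policy.context_id = next(self._serial)
        self.context_table[policy.context_id] = policy
        self.interface_up.setdefault(policy.dest_interface, True)
        return policy.context_id

    def set_link(self, interface, up):
        """Apply DestIfFailAction when a dest-interface goes down."""
        self.interface_up[interface] = up
        if up:
            return  # assumption: deleted rules are not restored automatically
        for policy in self.context_table.values():
            if (policy.dest_interface == interface
                    and policy.dest_if_fail_action == "delete"):
                policy.rules_installed = False

    def ingress(self, matched_context_id):
        """Packet that matched a redirect rule of the given policy."""
        policy = self.context_table.get(matched_context_id)
        if policy is None or not policy.rules_installed:
            return ("forward", None)                # forwarded without inspection
        if self.interface_up[policy.dest_interface]:
            return ("redirect", policy.context_id)  # packet carries the context ID
        return ("discard", None)                    # reserve: rule kept, packet dropped

    def returned(self, carried_context_id):
        """Packet coming back from the ACFP client with a context ID."""
        if carried_context_id in self.context_table:
            return ("forward", carried_context_id)  # known context: forward normally
        return ("discard", None)                    # assumption: unknown context dropped


def demo():
    server = AcfpServerModel()
    port = "Ten-GigabitEthernet1/0/1"               # constructed interface name
    fwd_first = server.install(Policy(1, 1, port, "delete"))
    sec_first = server.install(Policy(1, 2, port, "reserve"))
    before = [server.ingress(fwd_first), server.ingress(sec_first)]
    server.set_link(port, up=False)                 # the OAP card link fails
    after = [server.ingress(fwd_first), server.ingress(sec_first)]
    return before, after
```

With the delete action the traffic keeps flowing but is no longer seen by the ACFP client; with the reserve action the same traffic is dropped until the destination interface recovers.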
ACFP collaboration rules
ACFP collaboration rules refer to the collaboration rules that the ACFP client sends to the ACFP server for
application. Collaboration rules fall in the following types:
Monitoring rules—Monitors, analyzes, and processes the packets to be sent to the ACFP client. The
action types corresponding to monitoring rules are redirect and mirror.
Filtering rules—Determines which packets to deny and which packets to permit. The action types
corresponding to filtering rules are deny and permit.
Restricting rules—Determines the packets whose rate is to be restricted. The action type
corresponding to restricting rules is rate.
Rule information is described as follows:
ClientID—ACFP client identifier.
Policy index
Rule index—Rule identifier.
Status—Indicates whether the rule is applied successfully.
Action—Can be mirror, redirect, deny, permit, or rate.
Match all packets—Indicates whether to match all the packets. If yes, the matching criteria that
follow need not be evaluated.
Source MAC address
Destination MAC address
Starting VLAN ID
Ending VLAN ID
Protocol number in IP
Source IP address
Wildcard mask of source IP address
Source port operator—Its type can be equal to, not equal to, greater than, less than, greater than
and less than. The following ending source port number takes effect only when the type is greater
than and less than. The source port number of the packets matched by the identifier must be greater
than the starting source port number and less than the ending source port number.
Starting source port number
Ending source port number
Destination IP address
Wildcard mask of destination IP address
Destination port number operator—Its type can be equal to, not equal to, greater than, less than,
greater than and less than. The following ending destination port number takes effect only when
the type is greater than and less than. The destination port number of the packets matched by the
identifier must be greater than the starting destination port number and less than the ending
destination port number.
Starting destination port number
Ending destination port number
Pro—Protocol type, which can be GRE, ICMP, IGMP, OSPF, TCP, UDP, and IP.
IP precedence: Packet precedence, a number in the range of 0 to 7.
IP ToS—Type of Service (ToS) of IP
IP DSCP—Differentiated Services Code Point (DSCP) of IP
TCP flag—Indicates that some bits in the six flag bits—URG, ACK, PSH, RST, SYN, FIN—are
concerned.
IP fragment—Indicates whether the packet is an IP packet fragment.
Rate limit
Row state
You can use the collaboration policy to manage the collaboration rules that belong to it.
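How the match fields listed above combine, with the boundary behaviour of the "greater than and less than" port operator made explicit. This Python sketch is an added example, not H3C code: the field and operator names are hypothetical, an unset field is assumed to match anything, and wildcard masks are assumed to follow the usual ACL convention in which a 1 bit means the corresponding address bit is ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def ip_matches(addr, rule_addr, wildcard):
    """Compare only the address bits whose wildcard bit is 0 (assumed convention)."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (r & care)


def port_matches(op, start, end, port):
    """Port operators from the rule description; the range is exclusive at both ends."""
    if op == "eq":
        return port == start
    if op == "neq":
        return port != start
    if op == "gt":
        return port > start
    if op == "lt":
        return port < start
    if op == "range":   # "greater than and less than": the only operator using `end`
        return start < port < end
    raise ValueError(f"unknown port operator: {op}")


@dataclass
class Rule:
    rule_index: int
    action: str                         # mirror, redirect, deny, permit, or rate
    match_all: bool = False
    protocol: Optional[str] = None      # None = field not set
    src_ip: Optional[str] = None
    src_wildcard: str = "0.0.0.0"
    dst_ip: Optional[str] = None
    dst_wildcard: str = "0.0.0.0"
    dst_port_op: Optional[str] = None
    dst_port_start: int = 0
    dst_port_end: int = 0


def rule_matches(rule, pkt):
    if rule.match_all:                  # remaining criteria are not evaluated
        return True
    if rule.protocol is not None and rule.protocol != pkt["protocol"]:
        return False
    if rule.src_ip is not None and not ip_matches(
            pkt["src_ip"], rule.src_ip, rule.src_wildcard):
        return False
    if rule.dst_ip is not None and not ip_matches(
            pkt["dst_ip"], rule.dst_ip, rule.dst_wildcard):
        return False
    if rule.dst_port_op is not None and not port_matches(
            rule.dst_port_op, rule.dst_port_start, rule.dst_port_end,
            pkt["dst_port"]):
        return False
    return True


def matching_rules(rules, pkt):
    """Return (rule index, action) for every rule the packet matches."""
    return [(r.rule_index, r.action) for r in rules if rule_matches(r, pkt)]


# Constructed sample rules: redirect TCP to 10.1.0.0/16 on ports strictly
# between 1024 and 2048, and a catch-all deny rule.
SAMPLE_RULES = [
    Rule(1, "redirect", protocol="TCP", dst_ip="10.1.0.0",
         dst_wildcard="0.0.255.255", dst_port_op="range",
         dst_port_start=1024, dst_port_end=2048),
    Rule(2, "deny", match_all=True),
]


def sample_packet(dst_ip, dst_port):
    """Constructed TCP packet description used with SAMPLE_RULES."""
    return {"protocol": "TCP", "src_ip": "192.0.2.10",
            "dst_ip": dst_ip, "dst_port": dst_port}
```

A redirect rule written for ports 1024 to 2048 therefore does not cover ports 1024 and 2048 themselves; traffic on the boundary ports is not sent to the ACFP client unless the range is widened by one on each side.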
Using ACFP
The S5800 and S5820X switches can be installed with various types of OAP cards. If you install an
IPS card on the switch, disable STP on the internal 10 Gigabit Ethernet port that connects the IPS
card to the switch. In addition, when the IPS card operates in redirection mode, if you add an
interface on the switch into a zone configured on the IPS card and configure the IPS card to monitor
the interface, then the interface does not support Portal authentication.
In a GRE tunneling environment, an ACFP policy can be configured on a tunnel interface only.
ACFP does not support NetStream services.
QoS processing such as marking the QoS local ID and local priority for the packets is not
performed on the packets returned after they are redirected to the ACFP client.
On the destination interface, the packets redirected or mirrored by ACFP only support Layer 2 QoS
processing, including queuing, WRED (Weighted Random Early Detection), and so on; but not any
other service processing, such as non-Layer 2 QoS processing and non-QoS service processing.
With ACFP, a stream cannot be mirrored or redirected to multiple ACFP clients.
ACFP cannot process outbound packets.
ACFP does not support the handling of the following types of packets: broadcasts, multicasts, MPLS
packets, and inbound packets.
ACFP redirects and mirrors any IP datagram not greater than 1,500 bytes (length of Layer 3 packet,
excluding link layer header) but discards any IP datagram greater than 1,500 bytes.
ACFP configuration task list
Complete the following tasks to configure ACFP:
Task Remarks
Configuring the ACFP server (switch)
  Enabling the ACFP server Required
  Enabling the ACFP trap function Optional
Configuring the ACFP client (OAP card) Required
Configuring the ACFP server (switch)
Enabling the ACFP server
Follow these steps to enable the ACFP server:
Step 1
To do: Enter system view
Use the command: system-view
Step 2
To do: Enable the ACFP server
Use the command: acfp server enable
Remarks: Required. Disabled by default.
Enabling the ACFP trap function
To make ACFP work normally, you must enable the device to send traps of the ACFP module.
After the trap function on the ACFP module is enabled, the ACFP module will generate traps to report
important events of the module.
Table 1 ACFP trap message level
Trap message Level
Context ID type changed notifications
ACFP client registration notifications
ACFP client deregistration notifications
ACSEI detects that ACFP client had no response warnings
ACFP server does not support the working mode of the ACFP client errors
Expiration period of ACFP collaboration policy changed notifications
ACFP collaboration rules are created informational
ACFP collaboration rules are removed informational
ACFP collaboration rules failed errors
Expiration period of ACFP collaboration policy timed out notifications
The generated traps will be sent to the information center of the device. With the parameters for the information center set, the output rules for traps (whether the traps are allowed to be output and the output destinations) are decided. For more information about the configuration of the parameters for the information center, see Information center configuration in the Network Management and Monitoring Configuration Guide.
Follow these steps to enable the ACFP trap function:
To do…                                         Use the command…                                                   Remarks
Enter system view                              system-view
Enable the trap function of the ACFP module    snmp-agent trap enable acfp [ client | policy | rule | server ]    Optional. Enabled by default.
NOTE:
For more information about the snmp-agent trap enable command, see SNMP commands in the Network Management and Monitoring Command Reference.
Displaying and maintaining ACFP
To do…                                                      Use the command…
Display the configuration information of the ACFP server    display acfp server-info [ | { begin | exclude | include } regular-expression ]
Display the configuration information of an ACFP client     display acfp client-info [ client-id ] [ | { begin | exclude | include } regular-expression ]
Display the configuration information of an ACFP policy     display acfp policy-info [ client client-id [ policy-index ] | dest-interface interface-type interface-number | in-interface interface-type interface-number | out-interface interface-type interface-number ] [ active | inactive ] [ | { begin | exclude | include } regular-expression ]
Display ACFP rule configuration information                 display acfp rule-info { in-interface [ interface-type interface-number ] | out-interface [ interface-type interface-number ] | policy [ client-id policy-index ] } [ | { begin | exclude | include } regular-expression ]
Display the configuration information of ACFP Trap          display snmp-agent trap-list [ | { begin | exclude | include } regular-expression ]
Remarks (all commands): Available in any view
Configuring the ACFP client (OAP card)
You need to configure the ACFP collaboration policy and ACFP collaboration rules on the ACFP client (the OAP card) through MIB. The specific configuration depends on the service software used on the ACFP client. For more information about the OAP card, see the related manual of the ordered OAP card.
ACSEI configuration
This chapter includes these sections:
Introduction to ACSEI
ACSEI server configuration (switch)
ACSEI client configuring (OAP card)
Introduction to ACSEI
As a private protocol, ACSEI provides a method for exchanging information between ACFP clients and the ACFP server. It supports Application Control Forwarding Protocol (ACFP) collaboration by ensuring valid information interaction between the ACFP clients and the ACFP server, so that the ACFP server and clients can cooperate to run a service.
As a supporting protocol of ACFP, ACSEI also has two entities: server and client.
The ACSEI server is integrated into the software system of the switch and is a function supported by the switch.
The ACSEI client is integrated into the software system of the OAP card and is a function supported by the OAP card.
NOTE:
ACFP is designed based on the Open Application Architecture (OAA). The collaborating IDS (Intrusion Detection System) cards or IDS devices serve as the ACFP clients, which run applications of other vendors and support the IPS (Intrusion Prevention System)/IDS services. For more information about ACFP, see ACFP configuration in the OAA Configuration Guide.
The open application platform (OAP) is designed for new services. The OAP card runs an operating system on which you can load various service software, such as security and voice software, as needed. For more information about the OAP card, see OAP card configuration in the OAA Configuration Guide.
Functions of ACSEI
ACSEI mainly provides the following functions:
Registration and deregistration of an ACSEI client to the ACSEI server.
ID assignment. The ACSEI server assigns IDs to ACSEI clients to distinguish between them.
Mutual monitoring and awareness between an ACSEI client and the ACSEI server.
Information interaction between the ACSEI server and ACSEI clients, including clock
synchronization.
Control of the ACSEI clients from the ACSEI server, for example, closing or restarting an ACSEI client.
An ACSEI server can register multiple ACSEI clients. The maximum number of ACSEI clients that an
ACSEI server allows to register is 10.
ACSEI timers
An ACSEI server uses two timers, the clock synchronization timer and the monitoring timer.
The clock synchronization timer periodically triggers the ACSEI server to send clock synchronization
advertisements to ACSEI clients. You can set this timer through command lines.
The monitoring timer periodically triggers the ACSEI server to send monitoring requests to ACSEI
clients. You can set this timer through command lines.
An ACSEI client starts two timers, the registration timer and the monitoring timer.
The registration timer periodically triggers the ACSEI client to multicast registration requests with the
multicast MAC address being 010F-E200-0021. You cannot set this timer.
The monitoring timer periodically triggers the ACSEI client to send monitoring requests to the ACSEI
server. You cannot set this timer.
ACSEI startup and running
ACSEI starts up and runs as follows:
1. Run the ACSEI client application to enable ACSEI client.
2. Start up the device and enable the ACSEI server function on it.
3. The ACSEI client multicasts registration requests.
4. After the ACSEI server receives a valid registration request, it negotiates parameters with the
ACSEI client and establishes connection with the client if the negotiation succeeds.
5. The ACSEI server and the ACSEI client mutually monitor the connection.
6. When the disconnection of the ACSEI client is detected, the ACFP server removes the configuration and policies associated with the client.
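Steps 3 to 6, the 10-client limit and the trap messages of Table 1 can be modelled in a few lines. This is an added example, not H3C code and not the ACSEI wire protocol: the class AcseiServerModel, the miss limit of three, the ID allocation order and the point at which each trap is raised are assumptions.

```python
MAX_CLIENTS = 10   # registration limit stated in this guide
MISS_LIMIT = 3     # assumption: unanswered monitoring requests tolerated before disconnect

class AcseiServerModel:
    """Toy model of steps 3-6; trap texts are copied from Table 1."""

    def __init__(self):
        self.clients = {}    # client ID -> MAC address of the registered client
        self.misses = {}     # client ID -> consecutive unanswered monitoring requests
        self.policies = {}   # client ID -> ACFP collaboration policies it configured
        self.traps = []      # (level, message, client ID)

    def register(self, mac):
        """Steps 3-4: handle a registration request and assign a client ID."""
        if len(self.clients) >= MAX_CLIENTS:
            return None      # an 11th client is not registered
        # Assumption: the lowest free ID is handed out.
        client_id = min(set(range(1, MAX_CLIENTS + 1)) - set(self.clients))
        self.clients[client_id] = mac
        self.misses[client_id] = 0
        self.policies[client_id] = []
        self.traps.append(("notifications", "ACFP client registration", client_id))
        return client_id

    def monitor_round(self, responders):
        """Step 5: one monitoring-timer expiry; responders holds the IDs that answered."""
        for client_id in sorted(self.clients):
            if client_id in responders:
                self.misses[client_id] = 0
                continue
            self.misses[client_id] += 1
            self.traps.append(
                ("warnings", "ACSEI detects that ACFP client had no response", client_id))
            if self.misses[client_id] >= MISS_LIMIT:
                self.disconnect(client_id)

    def disconnect(self, client_id):
        """Step 6: remove the client together with the policies associated with it."""
        del self.clients[client_id]
        del self.misses[client_id]
        removed = self.policies.pop(client_id)
        self.traps.append(("notifications", "ACFP client deregistration", client_id))
        return removed
```

The model makes the operational point visible: once a client stops answering, its policies leave the switch with it, so the no-response and deregistration traps are the events to watch.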
ACSEI server configuration (switch)
This section covers these topics:
Enabling ACSEI server
Configuring the clock synchronization timer
Configuring the monitoring timer
Closing an ACSEI client
Restarting an ACSEI client
Displaying and maintaining ACSEI server
Enabling ACSEI server
Follow these steps to enable ACSEI server:
To do…                 Use the command…       Remarks
Enter system view      system-view
Enable ACSEI server    acsei server enable    Required. Disabled by default.
Configuring the clock synchronization timer
Follow these steps to configure the clock synchronization timer:
To do…                                                                         Use the command…                  Remarks
Enter system view                                                              system-view
Enable the ACSEI server function                                               acsei server enable               Required
Enter ACSEI server view                                                        acsei server
Configure the clock synchronization timer from ACSEI server to ACSEI client    acsei timer clock-sync minutes    Optional. Five minutes by default.
Configuring the monitoring timer
Follow these steps to configure the monitoring timer:
To do…                                                                     Use the command…               Remarks
Enter system view                                                          system-view
Enable the ACSEI server function                                           acsei server enable            Required
Enter ACSEI server view                                                    acsei server
Configure the monitoring timer for ACSEI server to monitor ACSEI client    acsei timer monitor seconds    Optional. Five seconds by default.
Closing an ACSEI client
Follow these steps to close an ACSEI client:
To do…                              Use the command…                Remarks
Enter system view                   system-view
Enable the ACSEI server function    acsei server enable             Required
Enter ACSEI server view             acsei server
Close the specified ACSEI client    acsei client close client-id    Required
Restarting an ACSEI client
Follow these steps to restart an ACSEI client:
To do…                                Use the command…                 Remarks
Enter system view                     system-view
Enable the ACSEI server function      acsei server enable              Required
Enter ACSEI server view               acsei server
Restart the specified ACSEI client    acsei client reboot client-id    Required