3com 5500G SERIES Configuration And Command Reference Manual

Brand: 3com

Model: 5500G SERIES

Type: Configuration And Command Reference Manual

www.3Com.com

Part Number 10016378 -AA

Published March 2008

3Com

Switch 5500G Open Services

Networking

Configuration and Command Reference

Guide

3Com Corporation

350 Campus Drive

Marlborough,

MA 01752-3064

reproduced in any form or by any means or used to make any derivative work (such as translation,

transformation, or adaptation) without written permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time

to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either

implied or expressed, including, but not limited to, the implied warranties, terms or conditions of

merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or

changes in the product(s) and/or the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license

agreement included with the product as a separate document, in the hard copy documentation, or on the

removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy,

please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are

provided to you subject to the following:

All technical data and computer software are commercial in nature and developed solely at private expense.

Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or

as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are

provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights

only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable.

You agree not to remove or deface any portion of any legend provided on any licensed program or

documentation contained in, or delivered to you in conjunction with, this User Guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not

be registered in other countries.

3Com and the 3Com logo are registered trademarks of 3Com Corporation. All other company and product

names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT

It is the policy of 3Com Corporation to be environmentally friendly in all operations. To uphold our policy, we

are committed to:

Establishing environmental performance standards that comply with national legislation and regulations.

Conserving energy, materials and natural resources in all operations.

Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental

standards. Maximizing the recyclable and reusable content of all products.

Ensuring that all products can be recycled, reused and disposed of safely.

Ensuring that all products are labelled according to recognized environmental standards.

Improving our environmental record on a continual basis.

End of Life Statement

3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.

Regulated Materials Statement

3Com products do not contain any hazardous or ozone-depleting material.

Contents

Introduction

Get the latest documentation and software for your 3Com OSN|M 5

About this guide 5

1 Configuring the OSN|M

OSN|M Overview 7

Switching to the OSN|M’s Operating Interface 7

Restarting the OSN|M’s Linux OS 8

2 Configuring the Application Control Forwarding

Protocol (ACFP)

Introduction to ACFP 9

Configuring ACFP 15

Displaying ACFP 16

ACFP Configuration Example 16

3 Configuring an Application Control System Exchange

Interface

Introduction to ACSEI 21

Configuring an ACSEI Server on a Switch 23

ACSEI Client Configuration on Linux System 25

4 OSN|M Configuration Commands

osm connect unit 31

osm reboot unit 32

5 ACFP Configuration Commands

acfp enable 33

display acfp client-info 33

display acfp policy-info 35

display acfp rule-info 36

display acfp server-info 38

snmp-agent trap enable 39

6 ACSEI Server Configuration Commands

acsei client close 41

acsei client reboot 41

acsei server 42

acsei server enable 42

acsei timer clock-sync 43

acsei timer monitor 44

display acsei client info 44

display acsei client summary 46

7 ACSEI Client Configuration Commands on the OSN|M

acsei-client debug disable 47

acsei-client debug enable 47

acsei-client debug show 48

chkconfig acseid off 49

chkconfig acseid on 49

service acseid condrestart 50

service acseid reload 51

service acseid restart 51

service acseid start 52

service acseid status 53

service acseid stop 53

Introduction

Get the latest

documentation and

software for your

3Com OSN|M

Thank you for purchasing the 3Com

OSN|M Open Services Networking

Module. As part of our commitment to help you get the most out of your

3Com network equipment, we offer updated documentation and

software on our web site.

To obtain the most up-to-date user documentation and operating

software for the 3Com OSN|M, point your web browser to:

www.3Com.com and select the “Support and Registration” link.

You must register your 3Com switch to receive software upgrades. To

About this guide This guide provides all the information you need to use the 3Com

Open

Services Networking Module for your Switch 5500G.

This guide is intended for network administrators who are responsible for

installing and setting up network equipment; consequently, it assumes a

basic working knowledge of LANs (Local Area Networks).

Notice Icons Table 1 lists important conventions that are used throughout this guide.

Table 1 Notice Icons

Icon Notice Type Description

Information note Information that describes important features or

instructions

Caution Information that alerts you to potential loss of data or

potential damage to an application, system, or device

Warning Information that alerts you to potential personal injury

6 Introduction

1 Configuring the OSN|M

OSN|M Overview You can use the Open Services Networking Module (OSN|M) as an

expansion module installed in an expansion module slot on the rear panel

of a Switch 5500G. The OSN|M runs the Linux operating system (Linux

OS) with which you can load software such as security and voice software

as needed.

You can log into the OSN|M’s Linux system through:

■ The OSN|M’s console port.

■ The OSN|M’s management Ethernet port using SSH.

■ The OSN|M’s internal service interface using SSH

■ The user interface of the Switch 5500G using serial interface

redirection.

This chapter introduces how to operate and configure an OSN|M after

you log into the OSN|M’s Linux OS using the last method. The OSN|M

configurations on the switch include:

■ “Switching to the OSN|M’s Operating Interface” on page 7

■ “Restarting the OSN|M’s Linux OS” on page 8

For an introduction to other login options, refer to 3Com Switch 5500G

OSN|M Getting Started Guide.

Switching to the

OSN|M’s Operating

Interface

You can log into a switch through its console port or an Ethernet

interface, then connect to the switch’s OSN|M or to another switch’s

OSN|M in the same fabric. In this case, if the OSN|M’s Linux system is

running, the terminal display interface switches from the switch’s

command line interface (CLI) to the Linux OS interface. After the

switchover, you can return to the switch’s CLI using the shortcut key

Ctrl+K.

To connect to the OSN|M’s Linux system, use the

OSM connect unit unit-id

command. This command is available in user view.

8 Chapter 1: Configuring the OSN|M

Restarting the

OSN|M’s Linux OS

After you log into a switch, you can restart the OSN|M’s Linux OS of the

local switch or another switch in the same fabric if you need to

troubleshoot that system.

An OSN|M has an independent CPU. Therefore, restarting the Linux OS

does not affect the status of the switch. That is, the OSN|M and the

switch can restart independently. Restarting the Linux OS on the OSN|M

will not result in restarting the switch.

To restart to the OSN|M’s Linux system, use the

OSM reboot unit unit-id

command. This command is available in user view.

CAUTION: Restarting the Linux OS on an OSN|M may cause data loss and

service interruption. Therefore, before restarting the module, make sure

to save the Linux OS data.

2 Configuring the Application

Control Forwarding Protocol

(ACFP)

Introduction to

ACFP

Basic data communication networks are composed of routers and

switches, which forward data packets. With the development of data

networks, more and more services run on the networks. It has become

difficult to use traditional network devices (routers and switches) to

handle all the services. Therefore, some products are designed to handle

specific services. For example, firewalls, Intrusion Detection Systems (IDS),

Intrusion Prevention Systems (IPS), and voice and wireless products.

For better support of these services, application modules are being

developed on networking devices (routers and switches in this document)

to specifically handle these services. Some networking device

manufacturers provide software and hardware interfaces to allow

modules or devices from other manufacturers to be plugged into or

connected to their networking devices to provide these services.

3Com’s Open Systems Networking (OSN) provides customers with an

open service architecture developed to achieve this functionality.

Compatible IPS/IDS application modules or IPS/IDS applications running as

ACFP clients allow software packages developed by other manufacturers

to support the IPS/IDS services. A router or switch mirrors or redirects the

packets received from another interface to an ACFP client after matching

the ACFP collaboration rules. The software running on the ACFP client

monitors and detects the packets. Based on the monitoring and detection

results, the ACFP client sends back responses to the router or switch

through collaborative Management Information Bases (MIBs) to instruct

the router or switch to process the results, such as filtering out specific

packets.

10 Chapter 2: Configuring the Application Control Forwarding Protocol (ACFP)

ACFP Architecture Figure 1 Diagram for ACFP architecture

As shown in Figure 1, the ACFP architecture consists of:

■ Routing/switching component (ACFP server): As the main part of a

router and a switch, it performs complete router/switch functionality

and is the core of user management control.

■ Independent service component (ACFP client): Also known as the

Open Service Networking Module (OSN|M), this is the main

component open for development by a third party and is mainly used

to provide various unique service functions.

■ Interface-connecting component: This component connects the

routing/switching component’s interface to that of the independent

service component, allowing the devices of two manufacturers to be

interconnected.

A Switch 5500G Ethernet switch provides two internal ports,

GigabitEthernet 1/1/1 and GigabitEthernet 1/1/2, to connect to the

OSN|M. 3Com recommends that you do not to perform any

configurations except for disabling the Spanning Tree Protocol (STP) on

GigabitEthernet 1/1/1, and adding GigabitEthernet 1/1/2 to a VLAN.

ACFP Collaboration ACFP collaboration means that the independent service component can

send instructions to the routing or switching component to change its

functions. ACFP collaboration is mainly implemented through the Simple

Network Management Protocol (SNMP). Acting as a network

management system, the independent service component sends various

SNMP commands to the routing or switching component, which can

then execute the instructions received because it supports the SNMP

agent. During this process, the cooperating MIB is key that associates the

two components.

ACFP Management ACFP collaboration provides a mechanism that enables the ACFP client

(namely, the independent service component shown in Figure 1) to

Independent

service component

Routing/switching

component

Interface-connecting

component

Introduction to ACFP 11

control the traffic on the ACFP server (namely, the routing/switching

component shown in Figure 1), by implementing the following functions:

■ Mirroring and redirecting the traffic on the ACFP server to the ACFP

client

■ Permitting or denying the traffic from the ACFP server

■ Carrying the context ID in a packet to enable the ACFP server and

ACFP client to communicate the packet context with each other. The

detailed procedure is as follows:

The ACFP server maintains a context table that can be queried by context

ID. Each context ID corresponds with an ACFP collaboration policy that

contains information including the packet’s inbound and outbound ports

and the collaboration rules. When the packet received by the ACFP server

is redirected or mirrored to the ACFP client after matching a collaboration

rule, the packet carries the context ID of the collaboration policy to which

the collaboration rule belongs. When the redirected packet is returned

from the ACFP client, the packet also carries the context ID. With the

context ID, the ACFP server knows that the packet is returned after being

redirected and then forwards the packet normally.

For the ACFP client to better control traffic, the two-level structure of the

collaboration policy and collaboration rules is set in the collaboration MIB

to manage the traffic matching the collaboration rule based on the

collaboration policy. This provides flexible traffic management.

To better support the client/server collaboration mode and to be flexible

with setting different rules, the collaboration content is divided into four

parts:

■ ACFP server information

■ ACFP client information

■ ACFP collaboration policy

■ ACFP collaboration rules

This information is saved in the ACFP server. An ACFP server supports

multiple ACFP clients. Therefore, ACFP client information, ACFP

collaboration policy, and ACFP collaboration rules are organized in the

form of tables.

12 Chapter 2: Configuring the Application Control Forwarding Protocol (ACFP)

ACFP server information is generated by the ACFP server itself. ACFP

client information, ACFP collaboration policy, and ACFP collaboration

rules are generated on the ACFP server after being sent by the ACFP

client through the collaboration MIB or collaboration protocol.

ACFP Information

Overview

ACFP server information

ACFP server information contains the following:

■ Supported working modes: host, pass-through, mirroring, and

redirect. An ACFP server can support multiple working modes at the

same time. The ACFP server and client(s) can collaborate with each

other only when the ACFP server supports the working mode of the

ACFP client.

■ Maximum expiration time of the supported collaboration policy: This

indicates for how long the collaboration policy of the ACFP server will

remain valid.

■ Whether the ACFP server can permanently save the collaboration

policy: It mainly refers to whether the ACFP server can keep the

original collaboration policy after a reboot.

■ The context ID type supported by the Switch 5500G’s Ethernet

switches is 2. Figure 2 shows the corresponding packet format (the

Context field indicates the context ID location):

Figure 2 Packet format corresponding to context ID type 2.

ACFP clients can access this information through a collaboration protocol

or collaboration MIB.

ACFP client information

ACFP client information contains the following:

■ ACFP client identifier. It can be assigned by the ACFP server through a

collaboration protocol or specified by the network administrator to

ensure that each ACFP client has a unique client ID on the ACFP

server.

■ Description: ACFP client description information.

■ Hw-Info: ACFP client hardware type and version number, for example.

DMAC SMAC

VLAN type PCP CFI VLAN ID

Type

(0800)

IP packet

Context

Packet format when the context ID type is 2

(

8100

)

(1- 4094)(3-digit ) (1- digit) ( 32- digit)

Introduction to ACFP 13

■ OS-Info: System name and version number of the ACFP client.

■ App-Info: Application software type and version number of the ACFP

client.

■ Client IP: ACFP client IP address.

■ Client Mode: Working mode currently supported by the ACFP client;

namely, the combination of the host, pass-through, mirroring, and

redirect modes.

ACFP collaboration policy

ACFP collaboration policy refers to the collaboration policy that the ACFP

client sends to the ACFP server for application. The policy information

includes:

■ Client ID: ACFP client identifier.

■ Policy-Index

■ Rule-Num: Number of rules corresponding to the policy.

■ In-interface: Port through which the packet is sent to the ACFP server.

■ Dest-interface: Port through which the packet is sent to the ACFP

client.

■ Context ID: Used when the packet is mirrored or redirected to an

ACFP client. It can be 0, meaning context exchange is not supported.

After the port connected to the ACFP client is specified in the policy

sent, the ACFP server assigns it a global serial number, that is, the

Context ID, with each Context ID corresponding to an ACFP

collaboration policy.

■ Admin-Status: Indicates whether to enable the policy.

■ Effect-Status: Indicates the expiration time of the policy in seconds

and is used to control the expiration time of all the rules under the

policy.

■ Start-Time: Indicates the time (second/minute/hour) at which the

policy takes effect and is used to control the start time that all rules

under the policy take effect.

■ End-time: Indicates the start time (second/minute/hour) at which the

policy becomes invalid and is used to control the start time that all

rules under the policy become invalid.

■ Exist-Time: The length of time, in seconds, the policy has existed.

14 Chapter 2: Configuring the Application Control Forwarding Protocol (ACFP)

ACFP collaboration rules

ACFP collaboration rules refer to the rules that the ACFP client sends to

the ACFP server for an application. There are two types of collaboration

rules:

■ Monitoring rules, which monitor, analyze, and process the packets to

be sent to the ACFP client. The action types corresponding to

monitoring rules are redirect, mirror and rate.

■ Filtering rules, which determine the packets to deny and permit. The

action types corresponding to filtering rules are deny and permit.

Rule information includes:

■ ClientID: ACFP client identifier

■ Policy index

■ Rule index: rule identifier

■ Status: Indicates whether the rule is applied successfully

■ Action: Either mirror, redirect, deny, permit, or rate

■ Match all packets: Indicates whether to match all the packets. If this is

set to yes, the following matching does not need to be performed.

■ Source MAC address

■ Destination MAC address

■ Starting VLAN ID

■ Ending VLAN ID

■ Protocol number in IP packet

■ Source IP address

■ Inverse mask of source IP address

■ Source port operator: Either equal to, not equal to, greater than,

less than, greater than and less than. The following ending source

port number takes effect only when the type is greater than and

less than. The source port number of the packets matched by the

identifier must be greater than the starting source port number and

less than the ending source port number.

■ Starting source port number

■ Ending source port number

■ Destination IP address

Configuring ACFP 15

■ Inverse mask of destination IP address

■ Destination port number operator: Its type can be equal to, not

equal to, greater than, less than, greater than and less than. The

following ending destination port number is meaning only when the

type is greater than and less than. The destination port number of

the packets matched by the identifier must be greater than the

starting destination port number and less than the ending destination

port number.

■ Starting destination port number

■ Ending destination port number

■ Pro: Protocol type, which can be GRE, ICMP, IGMP, OSPF, TCP, UDP,

and IP.

■ IP precedence: Packet precedence, a number in the range of 0 to 7.

■ IP ToS: Type of Service (ToS) of the IP

■ IP DSCP: Differentiated Services Code Point (DSCP) of the IP

■ TCP control packet: Indicates whether the packet is a TCP control

packet.

■ IP fragment: Indicates whether the packet is an IP packet fragment.

■ Rate limit

■ Row state

You can use the collaboration policy to manage the collaboration rules

that belong to it.

The Switch 5500G Ethernet does not support ACFP’s pass-through mode.

Using ACFP

■ ACFP does not process IPv6 packets.

■ With ACFP, a stream cannot be mirrored or redirected to multiple

ACFP clients.

Configuring ACFP Follow these steps to configure ACFP.

To... Use the command... Remarks

Enter system view system-view -

16 Chapter 2: Configuring the Application Control Forwarding Protocol (ACFP)

Displaying ACFP

ACFP Configuration

Example

Network

Requirements

The internal networking of a company is as following:

■ Different departments are connected to the intranet through Switch

5500G units (ACFP server).

Enable ACFP acfp enable Required

Disabled by default

Enable ACFP traps snmp-agent trap enable acfp

[ client | policy | rule | server ]

Optional

Allowed by default

To... Use the command... Remarks

Display the configuration

information of the ACFP

server

display acfp server-info Available in any view

Display the configuration

information of an ACFP

client

display acfp client-info [

client-id ]

Display the configuration

information of an ACFP

policy

display acfp policy-info [

client client-id [

policy-index ] |

dest-interface

interface-type

interface-number |

in-interface

interface-type

interface-number ] [ active

| inactive ]

Display ACFP rule

configuration information

display acfp rule-info {

in-interface [

interface-type

interface-number ] | policy

[ client-id policy-index ] }

Display the configuration

information of ACFP Trap

display snmp-agent

trap-list

ACFP Configuration Example 17

■ The IP address of Host A is 192.168.1.1/24, and that of Host B is

192.168.2.1/24. They are connected to the switch through

GigabitEthernet 1/0/1.

■ The IP address of Host C is 192.168.3.1/24, and that of Host D is

192.168.3.2/24. They are connected to the switch through

GigabitEthernet 1/0/2.

■ The OSN|M (ACFP client) is installed in the expansion module slot on

the switch’s rear panel. The ACFP client is used to analyze traffic on

ACFP server’s GigabitEthernet 1/0/1 port. After the ACFP client

analyzes the traffic, all packets with the source IP address in network

segment 192.168.1.0/24 are permitted and all packets with the

source IP address in network segment 192.168.2.0/24 are denied.

Network Diagram

Figure 3 Network diagram for an ACFP configuration

Configuration

Procedure

■ Configure the Switch.

# Enable ACFP.

<Switch> system-view

[Switch] acfp enable

■ Configure the collaboration policy and rules for the ACFP client

through MIB.

# Configure the ACFP client.

192.168.1.1/24

Host A

192.168.2.1/24

Host B

GE1/1/1

GE1/0/2

Switch

ACFP client

192.168 .3.1 /24

Host C

192.168 .3.2 /24

Host D

ACFP server

GE1/0 /1

18 Chapter 2: Configuring the Application Control Forwarding Protocol (ACFP)

Configure the ACFP client through a MIB browser to send information to

the Switch, where the client index is 1, three working modes are

supported; host, redirect, and mirror (achieved by setting node

h3cAcfpClientMode), the client row status is 4 (achieved by setting node

h3cAcfpClientRowStatus) and the other parameters adopt the default

values.

# Configure the ACFP policy

Configure the ACFP policy through the MIB browser to send information

to the Switch, where the policy index is 1.1, the policy inbound port is

GigabitEthernet 1/0/1 (achieved by setting node h3cacfpPolicyInIfIndex),

the policy destination port is GigabitEthernet 1/1/1 (achieved by setting

node h3cAcfpPolicyDestIfIndex), the policy row status is 4 (achieved by

setting node h3cAcfpPolicyRowStatus) and the other parameters adopt

the default values.

# Configure ACFP rules.

Configure an ACFP rule through a MIB browser to send information to

the Switch, where the rule index is 1.1.1, the action is mirror (achieved

by setting node h3cAcfpRuleAction), matching all packets (achieved by

setting node h3cAcfpRuleAll), the rule row status is 4 (achieved by setting

node h3cAcfpRuleRowStatus) and the other parameters adopt the

default values.

CAUTION: When the ACFP policy action is set to mirror, you need to

disable the Spanning Tree Protocol (STP) on the destination port

GigabitEthernet 1/1/1.

Configure an ACFP rule through the MIB browser to send information to

the Switch, where the rule index is 1.1.2, the action is permit (achieved

by setting node h3cAcfpRuleAction), the packets whose source IP address

is in network segment 192.168.1.0 (achieved by setting node

h3cAcfpRuleSrcIP) and source IP wildcard-mask is 0.0.0.255 (achieved by

setting node h3cAcfpRuleSrcIPMask) are matched, the rule row status is 4

(achieved by setting node h3cAcfpRuleRowStatus) and the other

parameters adopt the default values.

Configure an ACFP rule through the MIB browser to send information to

the Switch, where the rule index is 1.1.3, the action is deny (achieved by

setting node h3cAcfpRuleAction), the packets whose source IP address is

ACFP Configuration Example 19

in network segment 192.168.2.0 (achieved by setting node

h3cAcfpRuleSrcIP) and source IP wildcard-mask is 0.0.0.255 (achieved by

setting node h3cAcfpRuleSrcIPMask) are matched, the rule row status is 4

(achieved by setting node h3cAcfpRuleRowStatus) and the other

parameters adopt the default values.

# Apply ACFP rules

Configure the ACFP policy through the MIB browser, where the policy

index is 1.1. Configure the Admin-Status as enable (achieved by setting

node h3cAcfpPolicyAdminStatus).

■ Verify the configuration.

Use the ping command to verify the connectivity between Host A and

Host C, Host B and Host C. The test results show that Host C can be

pinged through on Host A and Host C cannot be pinged through on Host

20 Chapter 2: Configuring the Application Control Forwarding Protocol (ACFP)

Page is loading ...

3com 5500G SERIES Configuration And Command Reference Manual

3com 5500G SERIES Configuration And Command Reference Manual

3com 5500G SERIES Configuration And Command Reference Manual

Related papers

Other documents