H3C SR6600-X Configuration manual

Brand: H3C

Model: SR6600-X

Type: Configuration manual

This manual is also suitable for

SR6600 SPE-FWM

The H3C SR6600-X, a high-performance router, offers advanced features for diverse applications. With its Open Application Architecture (OAA) platform, it supports various protocols like ACFP and ACSEI, enabling flexible integration with third-party applications. It provides comprehensive traffic management capabilities, ensuring optimal network performance. The device's robust security features safeguard data and network integrity. Additionally, the SR6600-X simplifies management with a user-friendly interface and extensive monitoring tools.

H3C SR6600/SR6600-X Routers

OAA Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

http://www.h3c.com

Software version: SR6600X-CMW520-R3303

SR6602-CMW520-R3303

SR6602X_MCP-CMW520-R3303

SR6600-CMW520-R3303-RPE

SR6600-CMW520-R3303-RSE

Document version: 20150715-C-1.14

No part of this manual may be reproduced or transmitted in any form or by any means without prior

written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, , H3CS, H3CIE, H3CNE, Aolynk, , H

Care, , IRF, NetPilot, Netflow,

SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of

Hangzhou H3C Technologies Co., Ltd.

All other trademarks that may be mentioned in this manual are the property of their respective owners

Notice

The information in this document is subject to change without notice. Every effort has been made in the

preparation of this document to ensure accuracy of the contents, but all statements, information, and

recommendations in this document do not constitute the warranty of any kind, express or implied.

Preface

The H3C SR6600/SR6600-X documentation set includes 14 configuration guides, which describe the

software features for the H3C SR6600/SR6600-X Routers and guide you through the software

configuration procedures. These configuration guides also provide configuration examples to help you

apply software features to different network scenarios.

The OAA Configuration Guide describes the Open Application Architecture (OAA) supported protocols

(such as ACFP and ACSEI), their configurations, and the configuration of the H3C open application

platform (OAP) card.

This preface includes:

• Audience

• Conventions

• About the H3C SR6600/SR6600-X documentation set

• Obtaining documentation

• Technical support

• Documentation feedback

Audience

This documentation is intended for:

• Network planners

• Field technical support and servicing engineers

• Network administrators working with the routers

Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention Descri

tion

Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.

[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... }

Braces enclose a set of required syntax choices separated by vertical bars, from which

you select one.

[ x | y | ... ]

Square brackets enclose a set of optional syntax choices separated by vertical bars, from

which you select one or none.

{ x | y | ... } *

Asterisk marked braces enclose a set of required syntax choices separated by vertical

bars, from which you select at least one.

[ x | y | ... ] *

Asterisk marked square brackets enclose optional syntax choices separated by vertical

bars, from which you select one choice, multiple choices, or none.

&<1-n>

The argument or keyword and argument combination before the ampersand (&) sign can

be entered 1 to n times.

# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Descri

tion

Boldface

Window names, button names, field names, and menu items are in Boldface. For

example, the New User window appears; click OK.

> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention Descri

tion

WARNING

An alert that calls attention to important information that if not understood or followed can

result in personal injury.

CAUTION

An alert that calls attention to important information that if not understood or followed can

result in data loss, data corruption, or damage to hardware or software.

IMPORTANT

An alert that calls attention to essential information.

NOTE

An alert that contains additional or supplementary information.

TIP

An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports

Layer 2 forwarding and other Layer 2 features.

Represents an access controller, a unified wired-WLAN module, or the access controller

engine on a unified wired-WLAN switch.

Represents an access point.

Represents a mesh access point.

Represents omnidirectional signals.

Represents directional signals.

Represents a security product, such as a firewall, UTM, multiservice security gateway, or

load balancing device.



Represents a security card, such as a firewall, load balancing, NetStream, SSL VPN, IPS,

or ACG card.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

About the H3C SR6600/SR6600-X documentation

set

The H3C SR6600/SR6600-X documentation set includes:

Cate

Documents

Pur

oses

Product description and

specifications

Marketing brochures Describe product specifications and benefits.

Technology white papers

Provide an in-depth description of software features

and technologies.

Card datasheets

Describe card specifications, features, and

standards.

Hardware specifications

and installation

Compliance and safety

manual

Provides regulatory information and the safety

instructions that must be followed during installation.

Installation guide

Provides a complete guide to hardware installation

and hardware specifications.

Card manuals Provide the hardware specifications of cards.

H3C N68 Cabinet

Installation and Remodel

Introduction

Guides you through installing and remodeling H3C

N68 cabinets.

Software configuration

Configuration guides

Describe software features and configuration

procedures.

Command references

Provide a quick reference to all available

commands.

Operations and

maintenance

H3C SR6602 Release

notes

Provide information about the product release,

including the version history, hardware and software

compatibility matrix, version upgrade information,

technical support information, and software

upgrading.

H3C SR6608 Release

notes

Obtaining documentation

You can access the most up-to-date H3C product documentation on the World Wide Web

at http://www.h3c.com

Click the links on the top navigation bar to obtain different categories of product documentation:

[Technical Support & Documents > Technical Documents]

– Provides hardware installation, software

upgrading, and software feature configuration and maintenance documentation.

[Products & Solutions]

– Provides information about products and technologies, as well as solutions.

[Technical Support & Documents > Software Download] – Provides the documentation released with the

software version.

Technical support

servic[email protected]

http://www.h3c.com

Documentation feedback

You can e-mail your comments about product documentation to info@h3c.com.

We appreciate your comments.

Contents

Configuring OAP modules ·········································································································································· 1

Logging in to the operating system of an OAP module ································································································ 1

Logging in through the console port on the OAP module ···················································································· 1

Logging in through the management Ethernet port of the OAP module by using SSH ···································· 2

Logging in through the internal Ethernet interface on the OAP module by using SSH ····································· 2

Switching to the OAP module's CLI from the device ···························································································· 2

Resetting OAP modules ···················································································································································· 3

Configuring ACFP ························································································································································ 4

Overview ············································································································································································ 4

ACFP collaboration ·················································································································································· 4

ACFP traffic management ········································································································································ 5

ACFP information ····················································································································································· 5

ACFP usage guidelines ············································································································································ 8

ACFP configuration task list ············································································································································· 9

Enabling the ACFP server on the device ························································································································ 9

Configuring the ACFP client (the OAP module) ············································································································· 9

Enabling the ACFP trap function on the device ············································································································· 9

Displaying and maintaining ACFP ······························································································································· 10

ACFP configuration example ········································································································································ 10

Configuring ACSEI ····················································································································································· 13

ACSEI functions ····················································································································································· 13

ACSEI timers ·························································································································································· 14

ACSEI startup and operation ······························································································································· 14

Configuring the ACSEI server ······································································································································· 14

Displaying ACSEI client information on the server side ····························································································· 15

Index ··········································································································································································· 16

Configuring OAP modules

The H3C Open Application Architecture (OAA) provides an open interface for third-party vendors to

develop value-added applications (such as firewall and IPS) and integrate the applications into H3C

products. H3C has developed some application-specific modules called "Open Application Platform

(OAP) module."

The following matrix shows the OAP feature and router compatibility:

SR6602 SR6602-X SR6604/SR6608/SR6616

SR6604-X/SR6608-X/SR6

616-

No. No.

Yes when RPE-X1 and RSE-X1 MPUs

are used and no when MCP MPUs

are used.

Yes.

Logging in to the operating system of an OAP

module

An OAP module has an independent operating system and CLI. You must log in to the module's CLI to

configure it.

Logging in through the console port on the OAP module

You can log in to the operating system on an OAP module directly through the console port on the OAP

module. In the following procedure, the PC acts as a terminal.

1. Connect one end of the configuration cable to the serial port of the PC and the other end to the

console port of the OAP module.

2. Start the PC and run a terminal emulation program such as the HyperTerminal. Select the COM

connection mode and set the terminal parameters as follows:

{ Bits per second—9600

{ Data bits—8

{ Parity check mode—None

{ Stop bits—1

{ Flow control—None

After the configuration, you can log in to the operating system of the OAP module through the terminal

emulation program on the PC.

Logging in through the management Ethernet port of the OAP

module by using SSH

To log in to the operating system of an OAP module through its management Ethernet port, you must first

configure the OAP module as the SSH server. To do so, follow these steps:

1. Log in to the OAP module through the console port, and then enable the SSH server function on the

OAP module.

2. Connect the management Ethernet port of the OAP module to the network by using a network

cable.

3. Assign an IP address to the management Ethernet port of the OAP module, and make sure the SSH

client (the H3C device or a PC that has the SSH client software installed) and the management

Ethernet port can reach each other.

4. Establish an SSH connection, entering the IP address of the management Ethernet port as the SSH

server IP address.

After the SSH connection is successfully established, you are logged in to the operating system of the

OAP module.

Logging in through the internal Ethernet interface on the OAP

module by using SSH

When installed in the expansion slot of a device, an OAP module exchanges information with the device

through its two internal service interfaces. One of these is a serial interface, and the other is a fast

Ethernet interface. The fast Ethernet interface is used in this login mode.

To log in to the operating system of an OAP module through its internal Ethernet interface, you must first

configure the OAP module as the SSH server. To do so, follow these steps:

1. Log in to the OAP module through the console port, and then enable the SSH server function on the

OAP module.

2. Assign an IP address to the fast Ethernet interface on the OAP module.

3. Connect one end of the cable to the PC and the other end to the Ethernet port of the device.

4. Make sure the PC and the fast Ethernet interface can reach each other.

5. Establish an SSH connection, entering the IP address of the management Ethernet port as the SSH

server IP address.

After the SSH connection is successfully established, you are logged in to the operating system of the

OAP module.

Switching to the OAP module's CLI from the device

From the device's CLI, you can switch to the OAP module's CLI to manage and configure the OAP

module's system and software. To switch back to the device's CLI, press Ctrl+K.

To switch to the CLI of the OAP module from the device, execute the following command in user view:

Task Command

Switch to the CLI of the OAP module from the device.

• In standalone mode:

oap connect slot slot-number

• In IRF mode:

oap connect chassis chassis-number slot slot-number

Using the oap connect command is the same as logging in to the CLI of the OAP module through the AUX

port. To ensure successful login, you must configure login authentication parameters and assign a user

privilege level. For more information, see the chapter on logging in to the CLI in Fundamentals

Configuration Guide.

Resetting OAP modules

CAUTION:

To avoid data loss, shut down (poweroff) the operating system of the OAP module before you reset an

OAP module.

To recover an OAP module from an error condition, reboot the module at the CLI or press the reset button

on the module. The device can still identify and control the OAP module after the reset.

To reset the OAP module, execute the following command in user view:

Task Command

Reset the OAP module.

• In standalone mode:

oap reboot slot slot-number

• In IRF mode:

oap reboot chassis chassis-number slot slot-number

Configuring ACFP

The following matrix shows the ACFP feature and router compatibility:

SR6602 SR6602-X SR6604/SR6608/SR6616

SR6604-X/SR6608-X/SR6

616-

No. No.

Yes when RPE-X1 and RSE-X1 MPUs

are used and no when MCP MPUs

are used.

Yes.

Overview

The Application Control Forwarding Protocol (ACFP) is designed based on the OAA architecture and

operates in the server/client model (see Figure 1)

. In this model, an OAP module (the independent

service component) operating as the ACFP client to provide value-added services such as traffic

monitoring, control, and process for the ACFP server (the routing/switching component).

Figure 1 Network diagram

As shown in Figure 1, the ACFP architecture consists of the following components:

• Routing/switching component—Main part of a router or switch, performs complete router/switch

functions and is also the core of user management control. This part is called the ACFP server.

• Independent service component—Main part open for development by a third party, mainly used to

provide various unique service functions. This part is called the ACFP client.

• Interface component—Interface between the routing/switching component and the independent

service component, used to enable the devices of two manufacturers to interconnect.

ACFP collaboration

ACFP collaboration means that the independent service component can send instructions to the

routing/switching component to change its functions. ACFP collaboration is mainly implemented through

the SNMP. Acting as a network management system, the independent service component sends various

SNMP commands to the routing/switching component, which can then execute the instructions because

it supports SNMP agent. In this process, the cooperating MIB is the key to associating the two

components.

ACFP traffic management

ACFP collaboration provides a mechanism that enables the ACFP client to manage the traffic on the

ACFP server by implementing the following functions:

• Mirroring and redirecting the traffic on the ACFP server to the ACFP client.

• Permitting/denying the traffic from the ACFP server.

• Restricting the rate of the traffic on the ACFP server.

• Carrying the context ID in a packet to enable the ACFP server and ACFP client to communicate the

packet context with each other.

The ACFP server maintains a context table that can be queried by context ID. Each context ID

corresponds to an ACFP collaboration policy that contains information such as the packet inbound and

outbound interfaces and the collaboration rules. When the packet that the ACFP server receives is

redirected or mirrored to the ACFP client after matching a collaboration rule, the packet carries the

context ID of the collaboration policy to which the collaboration rule belongs. When the ACFP client

returns the packet, the packet also carries the context ID. With the context ID, the ACFP server recognizes

that the packet has been returned after being redirected and then forwards the packet.

For the ACFP client to control traffic optimally, the two-level structure of collaboration policy and

collaboration rules is set to manage the traffic matching the collaboration rule based on the collaboration

policy. This enables flexible traffic management.

To better support the client/server collaboration mode and to granularly and flexibly set different rules,

the collaboration content is divided into the following parts:

• ACFP server information

• ACFP client information

• ACFP collaboration policy

• ACFP collaboration rules.

This information is saved in the ACFP server.

An ACFP server supports multiple ACFP clients. Therefore, ACFP client information, ACFP collaboration

policy, and ACFP collaboration rules are organized in the form of tables.

ACFP server information is generated by the ACFP server itself. ACFP client information, ACFP

collaboration policy, and ACFP collaboration rules are generated on the ACFP client and sent to the

ACFP server through the collaboration MIB or collaboration protocol.

ACFP information

This section describes the ACFP collaboration content.

ACFP server information

ACFP server information includes the following items:

• Supported working modes—Host, pass-through, mirroring, and redirect. An ACFP server can

support multiple working modes at the same time. An ACFP server and an ACFP client can

collaborate only when the ACFP server supports the working modes of the ACFP client.

• Maximum expiration time of the supported collaboration policy—How long the collaboration

policy of the ACFP server remains valid.

• Collaboration policy retention—Whether the ACFP server has the original collaboration policy

after reboot.

• Supported context ID type—The location of the context ID in the packet might vary with ACFP

servers. Context IDs include the following categories:

{ No-context (no context ID is carried)

{ HG-context (carrying the preamble HG as the context ID)

{ HGPlus-context (carrying the preamble HGPlus as the context ID)

{ FlowID-context (carrying the preamble Flow ID as the context ID)

{ VLANID-context (carrying VLAN ID as the context ID)

NOTE:

SR6600 routers support only VLANID-context.

ACFP server information indicates the collaboration capabilities of an ACFP server. ACFP clients can

access this information through a collaboration protocol or collaboration MIB.

ACFP client information

ACFP client information includes the following items:

• ACFP client identifier—An identifier that is assigned by the ACFP server through a collaboration

protocol or is specified by the network administrator. On an ACFP server, each ACFP client must

have a unique client ID.

• Description—ACFP client description information.

• Hw-Info—ACFP client hardware information, such as the hardware type and version number.

• OS-Info—ACFP client operating system name and version number.

• App-Info—ACFP client application software type and version number.

• Client IP—ACFP client IP address.

• Client Mode—Working mode supported by the ACFP client, which is a combination of the host,

pass-through, mirroring, and redirect modes.

ACFP collaboration policy

ACFP collaboration policy refers to the collaboration policy that the ACFP client sends to the ACFP server

for application. The policy information includes the following parts:

• Client ID—ACFP client identifier.

• Policy-Index

• In-interface—Interface through which the packet enters the ACFP server.

• Out-interface—Interface through which the packet is forwarded.

• Dest-interface—ACFP server interface that is connected to the ACFP client.

• Context ID—Carried in packets that are mirrored or redirected to the ACFP client. If the interface

connected to the ACFP client is specified in the policy, the ACFP server assigns it a global serial

number, called the context ID. Each context ID corresponds to one ACFP collaboration policy.

• Admin-Status—Whether the policy is enabled.

• Effect-Status—Expiration time of the policy and its rules.

• Start-Time—Time when the policy starts to take effect during a day.

• End-time—Time when the policy stops working during a day.

• DestIfFailAction—Actions to be taken for all rules in the policy when the policy's dest-interface is

down. For forwarding-first devices, select the delete action to continue forwarding the redirected

and mirrored packets; for security-first devices, select the reserve action to discard the redirected

and mirrored packets.

• Priority—Priority of the policy, a number in the range of 1 to 8. The bigger the number, the higher

the priority.

ACFP collaboration rules

ACFP collaboration rules refer to the collaboration rules that the ACFP client sends to the ACFP server for

application. Collaboration rules include the following categories:

• Monitoring rules—Used to monitor, analyze, and process packets to be sent to the ACFP client. Rule

actions include redirect and mirror.

• Filtering rules—Used to determine which packets to deny and which packets to permit. Rule actions

include deny and permit.

• Restricting rules—Used to determine the rate at which packets are to be restricted. The rule action

is rate.

Rule information is described as follows:

• ClientID—ACFP client identifier.

• Policy index

• Rule index—Rule identifier.

• Status—Whether the rule is applied successfully.

• Action—Rule action: mirror, redirect, deny, permit, or rate limit.

• Match all packets—Whether to use the rule for all packets. If yes, the matching that follows does not

need to be performed.

• Source MAC address

• Destination MAC address

• Starting VLAN ID

• Ending VLAN ID

• Protocol number in the IP header

• Source IP address

• Wildcard mask of the source IP address

• Source port number operator—Operator for the source port number: equal to, not equal to,

greater than, less than, or greater than and less than. The ending source port number that follows

takes effect only when the operator is greater than and less than. The source port number of a

matched packet is greater than the starting source port number and less than the ending source port

number.

• Starting source port number

•

Ending source port number

• Destination I

P address

• Wildcard mask of destination IP address

• Destination port number operator—Operator for the destination port number: equal to, not equal

to, greater than, less than, or greater than and less than. The ending destination port number that

follows takes effect only when the operator is greater than and less than. The destination port

number of a matched packet must be greater than the starting destination port number and less

than the ending destination port number.

• Starting destination port number

• Ending destination port number

• Pro—Protocol type: GRE, ICMP, IGMP, OSPF, TCP, UDP, or IP.

• IP precedence—Packet precedence, a number in the range of 0 to 7.

• IP ToS—ToS of IP.

• IP DSCP—DSCP of IP.

• TCP flag—Some bits in the six flag bits (URG, ACK, PSH, RST, SYN, and FIN) are concerned.

• IP fragment—Whether the packet is an IP packet fragment.

• Rate limit.

You can use the collaboration policy to manage the collaboration rules that belong to it.

ACFP usage guidelines

The following are ACFP usage guidelines:

• For VLANID-context devices, after ACFP is enabled, some VLAN IDs must not be used by any other

modules; otherwise, some data packets might be forwarded incorrectly. The range for the VLAN IDs

that cannot be used varies with the device.

• In a GRE tunneling environment, an ACFP policy can be configured on a tunnel interface only.

• ACFP does not support policy-based routing services or NetStream services.

• The handling of the packets that are redirected by ACFP and the part of the QoS processing (FR-DE

matching, ATM-CLP matching, inbound interface matching, QoS local-id, local precedence, and so

on) are mutually exclusive. No QoS processing is performed on the packets returned after they are

redirected to the ACFP client.

• On the destination interface, packets redirected or mirrored by ACFP support only Layer 2 QoS

processing, including queuing and WRED. They do not support any other service processing, such

as non-Layer 2 QoS processing and non-QoS service processing.

• With ACFP, a stream cannot be mirrored or redirected to multiple ACFP clients.

• ACFP cannot process outbound packets.

• For multi-core and software-based forwarding devices, ACFP does not support handling these types

of packets:

{ Broadcasts

{ Multicasts

{ MPLS packets

{ Inbound packets

{ IPv6 packets

• For multi-core and software-based forwarding devices, ACFP redirects and mirrors any IP datagram

not greater than 1500 bytes (length of the Layer 3 packet, excluding the link layer header), and

discards any IP datagram greater than 1500 bytes.

• For software-based forwarding devices, if the contents of the rules matched by the packet on the

inbound interface or outbound interface exceed the quintuple information, no fast-forwarding

cache entry is created for the packet and the packet is not fast-forwarded.

ACFP configuration task list

Task Remarks

Enabling the ACFP server on the device Required.

Configuring the ACFP client (the OAP module) Required.

Enabling the ACFP trap function on the device Optional.

Enabling the ACFP server on the device

Ste

Command Remarks

1. Enter system view.

system-view N/A

2. Enable the ACFP server.

acfp server enable Disabled by default.

Configuring the ACFP client (the OAP module)

You can use a MIB browser on the ACFP client to configure ACFP collaboration policies and ACFP

collaboration rules. The configuration procedure depends on the software used on the ACFP client.

When you disable the ACSEI function or change the working mode for an internal interface (a virtual

interface connecting the ACFP server with the ACFP client), to avoid service interruption, perform the

operation first on the ACFP client and then on the ACFP server.

Enabling the ACFP trap function on the device

To make ACFP work, enable the device to send trap messages of the ACFP module.

After the trap function on the ACFP module is enabled, the ACFP module generates trap messages to

report important events. The levels of the ACFP trap messages are described in Table 1.

Table 1 ACFP trap message level

Tra

messa

e Level

Context ID type changed Notifications

ACFP client registration Notifications

ACFP client deregistration Notifications

ACSEI detects that ACFP client had no response Warnings

ACFP server does not support the working mode of the ACFP client Errors

Expiration period of ACFP collaboration policy changed Notifications

ACFP collaboration rules are created Informational

ACFP collaboration rules are removed Informational

ACFP collaboration rules failed Errors

Tra

messa

e Level

Expiration period of ACFP collaboration policy timed out Notifications

The generated trap messages are sent to the information center of the device. With the parameters for the

information center set, the output rules for traps (that is, whether the traps are allowed to be output and

the output destinations) are decided. For more information about the configuration of the parameters for

the information center, see Network Management and Monitoring Configuration Guide.

To enable the ACFP function:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enable the trap function of the

ACFP module.

snmp-agent trap enable acfp

[ client | policy | rule | server ]

Optional.

Enabled by default.

For more information about the snmp-agent trap enable command, see Network Management and

Monitoring Command Reference.

Displaying and maintaining ACFP

Task Command Remarks

Display the configuration

information of the ACFP

server.

display acfp server-info [ | { begin | exclude | include }

regular-expression ]

Available in any

view.

Display the configuration

information of an ACFP client.

display acfp client-info [ client-id ] [ | { begin | exclude |

include } regular-expression ]

Available in any

view.

Display the configuration

information of an ACFP

policy.

display acfp policy-info [ client client-id [ policy-index ] |

dest-interface interface-type interface-number |

in-interface interface-type interface-number | out-interface

interface-type interface-number ] [ active | inactive ] [ |

{ begin | exclude | include } regular-expression ]

Available in any

view.

Display ACFP rule

configuration information.

display acfp rule-info { in-interface [ interface-type

interface-number ] | out-interface [ interface-type

interface-number ] | policy [ client-id policy-index ] } [ |

{ begin | exclude | include } regular-expression ]

Available in any

view.

Display the configuration

information of ACFP Trap.

display snmp-agent trap-list [ | { begin | exclude |

include } regular-expression ]

Available in any

view.

ACFP configuration example

Network requirements

As shown in Figure 2, different departments are interconnected on the intranet through Router, which

serves as the ACFP server. An ACFP client is inserted in Router.

Configure the ACFP client to analyze traffic arriving at interface GigabitEthernet 3/0/2, and control the

traffic as follows:

• Permit all packets whose source IP address is 192.168.1.1/24.

• Deny all packets whose source IP address is 192.168.1.2/24.

Figure 2 Network diagram

Configuration procedure

1. Configure Router:

# Enable the ACFP server and ACSEI server.

<Router> system-view

[Router] acfp server enable

[Router] acsei server enable

2. Use a MIB browser to configure a collaboration policy to redirect traffic arriving at interface

GigabitEthernet 3/0/2 to the ACFP client:

a. Set the value of the node hh3cAcfpClientRowStatus to 4 to create an ACFP client with the index

1, and set the value of the node hh3cAcfpClientMode to 1 to enable working mode redirect for

the client.

b. Set the node hh3cAcfpPolicyRowStatus to 4 to create an ACFP policy and assign index 1.1 to

the policy, where the first "1" represents the index of the ACFP client you just created. Search

the ifTable node for the indexes of interfaces GigabitEthernet 3/0/2 and GigabitEthernet

3/0/3, and set the value of the node hh3cAcfpPolicyInIfIndex to the index of GigabitEthernet

3/0/2 and set the value of the node hh3cAcfpPolicyDestIfIndex to the index of

GigabitEthernet 3/0/3 to specify the interfaces as the inbound interface and outbound

interface of the policy respectively.

c. Set the value of the node hh3cAcfpRuleRowStatus to 4 to create an ACFP rule, and assign

index 1.1.1 to the rule, where the first "1" is the client index and the second "1" is the policy

index. Set the value of the node hh3cAcfpRuleAction to 3 to specify the redirect action.

3. Use the MIB browser to configure a collaboration policy to permit packets from 192.168.1.1/24

and drop packets from 192.168.1.2/24:

a. Set the node hh3cAcfpPolicyRowStatus to 4 to create an ACFP policy and assign index 1.2 to

the policy, and set the value of the node hh3cAcfpPolicyInIfIndex to the index of

GigabitEthernet 3/0/2 to specify the interface as the inbound interface of the policy.

b. Set the value of the node hh3cAcfpRuleRowStatus to 4 to create an ACFP rule, and assign

index 1.2.1 to the rule. Set the value of the node hh3cAcfpRuleAction to 1 to specify the permit

action. Set the value of the node hh3cAcfpRuleSrcIP to 192.168.1.1 and set the value of the

node hh3cAcfpRuleSrcIPMask to 0.0.0.255 to match packets from 192.168.1.1/24.

GE3/0/3

GE3/0/2 GE3/0/1

Router

ACFP client

ACFP server

Host A

192.168.1.1/24

Host B

192.168.1.2/24

Host C

192.168.2.1/24

Host D

192.168.2.2/24

c. Set the value of the node hh3cAcfpRuleRowStatus to 4 to create an ACFP rule, and assign

index 1.2.2 to the rule. Set the value of the node hh3cAcfpRuleAction to 2 to specify the deny

action. Set the value of the node hh3cAcfpRuleSrcIP to 192.168.1.2 and set the value of the

node hh3cAcfpRuleSrcIPMask to 0.0.0.255 to match packets from 192.168.1.2/24.

For more information about MIB, see the SNMP white paper and Network Management and

Monitoring Configuration Guide.

For more information about the involved MIB nodes, see the description fields of the nodes by

using a MIB browser.

4. Verify the configuration:

Use the ping command to verify the connectivity between Host A and Host C, Host B and Host C.

The test results show that Host C can be pinged through on Host A and Host C cannot be pinged

through on Host B.

Configuring ACSEI

The following matrix shows the ACSEI feature and router compatibility:

SR6602 SR6602-X SR6604/SR6608/SR6616

SR6604-X/SR6608-X/SR6

616-

No. No.

Yes when RPE-X1 and RSE-X1 MPUs

are used and no when MCP MPUs

are used.

Yes.

Overview

H3C ACFP Client and Server Exchange Information (ACSEI) provides a method for exchanging

information between an ACFP server and its ACFP clients. As a supporting protocol for ACFP

collaboration, ACSEI makes sure an ACFP server can cooperate with its ACFP clients to provide services.

Like ACFP, ACSEI uses the server/client model:

• The ACSEI server is integrated in the Comware software system of the device as a function.

• The ACSEI client is integrated in the Comware software system of the device as a function or in the

software system of the OAP module as a function.

The ACSEI server and the ACFP server run on the same entity. The ACSEI client and the ACFP client run

on the same entities.

The hardware and configurations needed for the two ACSEI client implementation modes are different.

This chapter introduces them separately.

For more information about ACFP, see "configuring ACFP." For more information about the OAP module,

see "Configuring OAP modules."

ACSEI functions

ACSEI provides the following functions:

• Enables ACFP clients to register and deregister with the ACFP server.

• Enables the ACFP server to assign IDs to ACFP clients to distinguish among them.

• Allows the ACFP server and an ACFP client to mutually monitor and detect each other.

• Supports information interaction between the ACFP server and ACFP clients, including clock

synchronization.

• Allows the ACFP server to manage the ACFP clients. For example, you can close or restart an ACFP

client on the ACFP server.

An ACFP server supports multiple ACFP clients. An ACFP server allows up to 10 ACFP clients to register

with.

Page is loading ...

H3C SR6600-X Configuration manual

Brand: H3C

Model: SR6600-X

Type: Configuration manual

This manual is also suitable for

SR6600 SPE-FWM

Download PDF

report

H3C SR6600-X Configuration manual

This manual is also suitable for

H3C SR6600-X Configuration manual

Related papers

Other documents