13-OAA Configuration Guide


NOTE:

In this documentation, SPC cards refer to the interface cards prefixed with SPC, for example, SPC-GT48L. SPE cards refer to the base cards prefixed with SPE, for example, SPE-1020-E.

 

ACFP overview

Basic data communication networks consist of routers and switches, which forward data packets. As data networks develop, more and more services run on them, and legacy routers are no longer well suited to handling some of these new services. Therefore, security products such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS), as well as voice and wireless products, have been designed to handle specific services.

For better support of new services, manufacturers of legacy networking devices (routers and switches in this document) have developed various dedicated service boards (cards) to handle these services. Some of these manufacturers also provide a set of software and hardware interfaces that allow the boards (cards) or devices of other manufacturers to be plugged into or connected to the legacy networking devices so that the two cooperate in handling these services. This draws on the strengths of each manufacturer for better support of new services while reducing user investment.

The open application architecture (OAA) is an open service architecture developed on this concept. It integrates routers and software produced by different manufacturers so that they function as one router, providing integrated solutions for customers.

The Application Control Forwarding Protocol (ACFP) is developed based on the OAA architecture. For example, collaborating IPS/IDS cards or IPS/IDS devices acting as ACFP clients run software packages developed by other manufacturers to support the IPS/IDS services. A router or switch mirrors or redirects the received packets to an ACFP client after matching the ACFP collaboration rules. The software running on the ACFP client monitors and detects the packets. Based on the monitoring and detection results, the ACFP client sends back responses to the router or switch through collaboration Management Information Bases (MIBs) to instruct the router or switch to process the results, such as filtering out the specified packets.

 

 

NOTE:

Only IM-IPS and IM-ACG cards support ACFP.

 

ACFP architecture

Figure 1 ACFP architecture

 

As shown in Figure 1, the ACFP architecture consists of:

·           Routing/switching component: As the main part of a router or switch, it performs the complete router/switch functions and is also the core of user management and control. This part is called the ACFP server.

·           Independent service component: It is the main part open for development by a third party and is mainly used to provide various unique service functions. This part is called the ACFP client.

·           Interface-connecting component: It connects the interface of the routing/switching component to that of the independent service component, allowing the routers of two manufacturers to be interconnected.

ACFP collaboration

ACFP collaboration means that the independent service component can send instructions to the routing/switching component to change its functions. ACFP collaboration is mainly implemented through the Simple Network Management Protocol (SNMP). Acting as a network management system, the independent service component sends various SNMP commands to the routing/switching component, which can execute the received instructions because it runs an SNMP agent. In this process, the collaboration MIB is the key to associating the two components with each other.

ACFP management

ACFP collaboration provides a mechanism that enables the ACFP client to control the traffic on the ACFP server by implementing the following functions:

·           Mirroring and redirecting the traffic on the ACFP server to the ACFP client

·           Permitting/denying the traffic from the ACFP server

·           Restricting the rate of the traffic on the ACFP server

·           Carrying the context ID in a packet to enable the ACFP server and ACFP client to communicate the packet context with each other. The detailed procedure is as follows:

The ACFP server maintains a context table that can be queried with context ID. Each context ID corresponds with an ACFP collaboration policy that contains information including inbound interface and outbound interface of the packet, and collaboration rules. When the packet received by the ACFP server is redirected or mirrored to the ACFP client after matching a collaboration rule, the packet carries the context ID of the collaboration policy to which the collaboration rule belongs. When the redirected packet is returned from the ACFP client, the packet also carries the context ID. With the context ID, the ACFP server knows that the packet is returned after being redirected and then forwards the packet normally.

To give the ACFP client finer control over traffic, collaboration uses a two-level structure of collaboration policy and collaboration rules: a rule matches traffic, and the policy that owns the rule governs how the matched traffic is managed, which allows flexible traffic management.

To better support the Client/Server collaboration mode and granularly and flexibly set different rules, the collaboration content is divided into four parts: ACFP server information, ACFP client information, ACFP collaboration policy and ACFP collaboration rules. These four parts of information are saved in the ACFP server.

An ACFP server supports multiple ACFP clients. Therefore, ACFP client information, ACFP collaboration policy, and ACFP collaboration rules are organized in the form of tables.

ACFP server information is generated by the ACFP server itself. ACFP client information, ACFP collaboration policy, and ACFP collaboration rules are generated on the ACFP client and sent to the ACFP server through the collaboration MIB or collaboration protocol.

ACFP information overview

ACFP server information

ACFP server information contains the following:

·           Supported working modes: host, pass-through, mirroring, and redirect. An ACFP server can support several of these four working modes at the same time. The ACFP server and its client(s) can collaborate only when the ACFP server supports the working mode of the ACFP client.

·           Maximum expiration time of the supported collaboration policy: This indicates for how long a collaboration policy on the ACFP server remains valid.

·           Whether the ACFP server can permanently save the collaboration policy: This mainly refers to whether the ACFP server keeps the original collaboration policy after a reboot.

·           Currently supported context ID type: The location of the context ID in the packet is HGPlus-context (carrying the preamble HGPlus as the context ID).

The above-mentioned information indicates the collaboration capabilities of an ACFP server. ACFP clients can access this information through a collaboration protocol or collaboration MIB.

ACFP client information

ACFP client information contains the following:

·           ACFP client identifier. It can be assigned by the ACFP server through a collaboration protocol or specified by the network administrator to make sure that each ACFP client has a unique client ID on the ACFP server.

·           Description: ACFP client description information.

·           Hw-Info: ACFP client hardware type, version number, and so on.

·           OS-Info: System name and version number of the ACFP client.

·           App-Info: Application software type and version number of the ACFP client.

·           Client IP: ACFP client IP address.

·           Client Mode: Working mode currently supported by the ACFP client, namely, the combination of the host, pass-through, mirroring, and redirect modes.

ACFP collaboration policy

ACFP collaboration policy refers to the collaboration policy that the ACFP client sends to the ACFP server for application. The policy information is as follows:

·           Client ID: ACFP client identifier.

·           Policy-Index

·           In-interface: Interface through which the packet is sent to the ACFP server.

·           Out-interface: Interface through which the packet is forwarded normally.

·           Dest-interface: ACFP server interface connected to the ACFP client.

·           Context ID: It is used when the packet is mirrored or redirected to an ACFP client. After the interface connected to the ACFP client is specified in the policy sent, the ACFP server assigns it a global serial number, the Context ID, with each Context ID corresponding to one ACFP collaboration policy.

·           Admin-Status: It indicates whether the policy is enabled.

·           Effect-Status: It indicates the expiration time of the policy and is used to control the expiration time of all the rules under the policy.

·           Start-Time: It indicates the time (second/minute/hour) from which the policy takes effect and is used to control from what time all the rules under the policy take effect.

·           End-time: It indicates the time (second/minute/hour) from which the policy becomes invalid and is used to control from what time all the rules under the policy become invalid.

·           DestIfFailAction: If the policy dest-interface is down, the action applied to all rules under the policy is as follows: for forwarding-first routers, select the delete action so that the redirected and mirrored packets continue to be forwarded; for security-first routers, select the reserve action so that the redirected and mirrored packets are discarded.

·           Priority: The priority of a policy, expressed as a number in the range of 1 to 8. The bigger the number, the higher the priority.

ACFP collaboration rules

ACFP collaboration rules refer to the collaboration rules that the ACFP client sends to the ACFP server for application. There are three types of collaboration rules:

·           Monitoring rules: Monitoring, analyzing, and processing the packets to be sent to the ACFP client. The action types corresponding to monitoring rules are redirect and mirror.

·           Filtering rules: Determining which packets to deny and which packets to permit. The action types corresponding to filtering rules are deny and permit.

·           Restricting rules: Determining which packets are to be rate-limited. The action type corresponding to restricting rules is rate.

Rule information is described as follows:

·           Client ID: ACFP client identifier.

·           Policy index

·           Rule index: Rule identifier.

·           Status: It indicates whether the rule has been applied successfully.

·           Action: It can be mirror, redirect, deny, permit, or rate.

·           Match all packets: It indicates whether to match all packets. If yes, the matching fields that follow are not checked.

·           Source MAC address

·           Destination MAC address

·           Starting VLAN ID

·           Ending VLAN ID

·           Protocol number in IP

·           Source IP address

·           Wildcard mask of source IP address

·           Source port operator: Its type can be equal to, not equal to, greater than, less than, or greater than and less than. The ending source port number that follows takes effect only when the type is greater than and less than. In that case, the source port number of a matching packet must be greater than the starting source port number and less than the ending source port number.

·           Starting source port number

·           Ending source port number

·           Destination IP address

·           Wildcard mask of destination IP address

·           Destination port number operator: Its type can be equal to, not equal to, greater than, less than, or greater than and less than. The ending destination port number that follows is meaningful only when the type is greater than and less than. In that case, the destination port number of a matching packet must be greater than the starting destination port number and less than the ending destination port number.

·           Starting destination port number

·           Ending destination port number

·           Protocol: Protocol type, which can be GRE, ICMP, IGMP, OSPF, TCP, UDP, or IP.

·           IP precedence: Packet precedence, a number in the range of 0 to 7.

·           IP ToS: Type of Service (ToS) of IP.

·           IP DSCP: Differentiated Services Code Point (DSCP) of IP.

·           TCP flag: It indicates which of the six TCP flag bits (URG, ACK, PSH, RST, SYN, FIN) are of concern.

·           IP fragment: It indicates whether the packet is an IP fragment.

·           Rate limit

You can use the collaboration policy to manage the collaboration rules that belong to it.
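As an added illustration (not code from the H3C guide or from its products), the following Python models the two-level policy/rule matching described above: enabled policies on the inbound interface are consulted from highest to lowest priority, a rule either matches all packets or is checked field by field (IP protocol, source and destination address under an ACL-style wildcard mask, and the port operators, where the ending port is meaningful only for greater-than-and-less-than), and the first hit yields the action. Operator and field names, and the order in which rules within one policy are tried, are assumptions; the sample policy is constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

def port_matches(op: Optional[str], start: int, end: int, port: int) -> bool:
    """Port operator semantics from the rule description: the ending port is
    meaningful only for 'range' (greater than AND less than, both strict)."""
    if op is None:                     # operator not set: port is not checked
        return True
    if op == "eq":
        return port == start
    if op == "neq":
        return port != start
    if op == "gt":
        return port > start
    if op == "lt":
        return port < start
    if op == "range":
        return start < port < end
    raise ValueError(f"unknown port operator {op!r}")

def ip_matches(rule_ip: Optional[str], wildcard: str, pkt_ip: str) -> bool:
    """ACL-style wildcard mask: a 1 bit in the wildcard means 'do not care'."""
    if rule_ip is None:
        return True
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(rule_ip)) & care) == (int(IPv4Address(pkt_ip)) & care)

@dataclass
class Rule:
    index: int
    action: str                        # mirror | redirect | deny | permit | rate
    match_all: bool = False            # if set, no further field is checked
    protocol: Optional[int] = None     # IP protocol number, e.g. 6 = TCP
    src_ip: Optional[str] = None
    src_wildcard: str = "0.0.0.0"      # 0.0.0.0 = exact host match
    dst_ip: Optional[str] = None
    dst_wildcard: str = "0.0.0.0"
    src_port_op: Optional[str] = None  # eq | neq | gt | lt | range (assumed names)
    src_port: Tuple[int, int] = (0, 0)  # (starting, ending) port number
    dst_port_op: Optional[str] = None
    dst_port: Tuple[int, int] = (0, 0)

    def matches(self, pkt: dict) -> bool:
        if self.match_all:
            return True
        return (
            (self.protocol is None or pkt["proto"] == self.protocol)
            and ip_matches(self.src_ip, self.src_wildcard, pkt["src"])
            and ip_matches(self.dst_ip, self.dst_wildcard, pkt["dst"])
            and port_matches(self.src_port_op, *self.src_port, pkt.get("sport", 0))
            and port_matches(self.dst_port_op, *self.dst_port, pkt.get("dport", 0))
        )

@dataclass
class Policy:
    client_id: int
    index: int
    in_interface: str
    priority: int                      # 1 to 8; the bigger, the higher
    admin_enabled: bool = True         # Admin-Status
    rules: List[Rule] = field(default_factory=list)

def evaluate(policies: List[Policy], pkt: dict) -> Optional[Tuple[int, int, str]]:
    """Return (policy index, rule index, action) of the first matching rule, trying
    enabled policies on the inbound interface from highest to lowest priority.
    None means no collaboration rule hit; the server forwards the packet normally."""
    active = sorted(
        (p for p in policies if p.admin_enabled and p.in_interface == pkt["in_if"]),
        key=lambda p: p.priority, reverse=True)
    for pol in active:
        for rule in pol.rules:
            if rule.matches(pkt):
                return (pol.index, rule.index, rule.action)
    return None

# Constructed sample: the permit/deny host pair from the guide's configuration
# example plus a rate rule on a TCP destination-port range, under one policy.
SAMPLE_POLICIES = [Policy(client_id=1, index=1, in_interface="GigabitEthernet2/1/7",
                          priority=1, rules=[
    Rule(1, "permit", src_ip="192.168.1.1"),
    Rule(2, "deny", src_ip="192.168.1.2"),
    Rule(3, "rate", protocol=6, dst_port_op="range", dst_port=(1023, 1100))])]
```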

Using ACFP

·           ACFP does not support policy-based routing services or NetStream services.

·           The handling of the packets redirected by ACFP is mutually exclusive with ordinary ACL rules. No QoS processing is performed on the packets returned after they are redirected to the ACFP client.

·           A stream cannot be mirrored or redirected to multiple ACFP clients.

·           ACFP does not support applying flow redirect policies to an aggregate interface.

·           SPE cards support applying flow redirect policies only to Layer 3 interfaces.

·           If a Layer 3 interface is added to an aggregation group, or an aggregate interface leaves an aggregation group, the flow redirect policies configured on the interface become ineffective. Delete the original flow redirect policies first and then configure new policies on the interface.

·           When the ACFP server is enabled, the internal interface cannot act as the source port for port mirroring.

·           When ACFP server is enabled on an IM-IPS or IM-ACG card, the connection mode for the internal interface must be set to extend, the internal interface must be configured as a trunk port, and the PVID of the internal interface cannot be the VLAN ID of the management VLAN.

·           When the connection mode of the internal interface on an IM-IPS or IM-ACG card is set to extend, you cannot specify a VLAN as both the user service VLAN and the management VLAN.

ACFP configuration task list

Complete the following tasks to configure ACFP:

·           Enabling the ACFP server. Required.

·           Configuring the connection mode for an internal interface on an OAP module. Required.

·           Enabling the ACFP trap function. Optional.

Enabling the ACFP server

To enable the ACFP server:

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable the ACFP server.
       Command: acfp server enable
       Remarks: Disabled by default.

Configuring the connection mode for an internal interface on an OAP module

The OAP module integrates a front card and a rear card. The front card provides value-added security services, such as firewall, intrusion prevention, and application control. The rear card is responsible for the data exchange between the front card and the router.

An internal interface is a virtual interface that is used for the data communication between the front and rear cards, as shown in Figure 2.

Figure 2 Schematic diagram for the internal interface

 

When configuring ACFP on an OAP module, to ensure the normal communication between the router and the OAP module, you must configure the connection mode for the OAP module internal interface as extend.

To configure the connection mode for an internal interface:

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter internal interface view.
       Command: interface interface-type interface-number
       Remarks: N/A

3.     Configure the connection mode for the internal interface.
       Command: port connection-mode { extend | normal }
       Remarks: normal by default.

 

NOTE:

·       For more information about the port connection-mode command, see Layer 2—LAN Switching Command Reference.

·       When you disable the ACSEI function or change the connection mode for an internal interface, to avoid disrupting the traffic, perform the operation on the ACFP client first, and then on the ACFP server.

·       Spanning Tree Protocol (STP) cannot be enabled on the internal interface of an IM-IPS or IM-ACG card. For more information about STP, see Layer 2—LAN Switching Configuration Guide.

 

Enabling the ACFP trap function

To make ACFP work normally, you must enable the router to send traps of the ACFP module.

After the trap function on the ACFP module is enabled, the ACFP module will generate traps to report important events of the module. The levels of the ACFP traps are described in Table 1.

Table 1 ACFP trap message level

Trap message                                                        Level
Context ID type changed                                             notifications
ACFP client registration                                            notifications
ACFP client deregistration                                          notifications
ACSEI detects that ACFP client had no response                      warnings
ACFP server does not support the working mode of the ACFP client    errors
Expiration period of ACFP collaboration policy changed              notifications
ACFP collaboration rules are created                                informational
ACFP collaboration rules are removed                                informational
ACFP collaboration rules failed                                     errors
Expiration period of ACFP collaboration policy timed out            notifications

The generated traps will be sent to the information center of the router. With the parameters for the information center set, the output rules for traps (that is, whether the traps are allowed to be output and the output destinations) are decided. For the configuration of the parameters for the information center, see Network Management and Monitoring Configuration Guide.

To enable the ACFP trap function:

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable the trap function of the ACFP module.
       Command: snmp-agent trap enable acfp [ client | policy | rule | server ]
       Remarks: Optional. Enabled by default.

 

NOTE:

For more information about the snmp-agent trap enable command, see Network Management and Monitoring Command Reference.

 

Displaying and maintaining ACFP

All of the following display commands are available in any view.

Task: Display the configuration information of the ACFP server.
Command: display acfp server-info [ | { begin | exclude | include } regular-expression ]

Task: Display the configuration information of an ACFP client.
Command: display acfp client-info [ client-id ] [ | { begin | exclude | include } regular-expression ]

Task: Display the configuration information of an ACFP policy.
Command: display acfp policy-info [ client client-id [ policy-index ] | dest-interface interface-type interface-number | global | in-interface interface-type interface-number | out-interface interface-type interface-number ] [ active | inactive ] [ | { begin | exclude | include } regular-expression ]

Task: Display ACFP rule configuration information.
Command: display acfp rule-info { global | in-interface [ interface-type interface-number ] | out-interface [ interface-type interface-number ] | policy [ client-id policy-index ] } [ | { begin | exclude | include } regular-expression ]

Task: Display ACFP trap configuration information.
Command: display snmp-agent trap-list [ | { begin | exclude | include } regular-expression ]

ACFP configuration example

Network requirements

Different departments are interconnected on the intranet through Device, which serves as the ACFP server. An ACFP client is inserted in Device.

Configure the ACFP client to analyze traffic arriving at interface GigabitEthernet 2/1/7, and control the traffic as follows:

·           Permit all packets with the source IP address 192.168.1.1/24.

·           Deny all packets with the source IP address 192.168.1.2/24.

Figure 3 Network diagram

 

Configuration procedure

1.      Configure Router:

# Enable the ACFP server.

<Router> system-view

[Router] acfp server enable

[Router] acsei server enable

# Assign an IP address to the VLAN interface of the management VLAN.

[Router] vlan 4093

[Router-vlan4093] interface Vlan-interface 4093

[Router-Vlan-interface4093] undo shutdown

[Router-Vlan-interface4093] ip address 40.94.1.1 24

[Router-Vlan-interface4093] quit

# Configure the internal interface Ten-GigabitEthernet 4/0/1 on the ACFP client as a trunk port, and assign the trunk port to VLAN 4094, which is not allowed to learn MAC addresses. Then, set the working mode for the internal Ethernet interface to extended.

[Router] interface Ten-GigabitEthernet 4/0/1

[Router-Ten-GigabitEthernet4/0/1] undo shutdown

[Router-Ten-GigabitEthernet4/0/1] port link-type trunk

[Router-Ten-GigabitEthernet4/0/1] port trunk permit vlan 4093

[Router-Ten-GigabitEthernet4/0/1] mac-address max-mac-count 0

[Router-Ten-GigabitEthernet4/0/1] port connection-mode extend

[Router-Ten-GigabitEthernet4/0/1] quit

# Configure SNMP parameters.

[Router] snmp-agent

[Router] snmp-agent sys-info version all

[Router] snmp-agent group v3 v3group_no read-view iso write-view iso

[Router] snmp-agent mib-view included iso iso

[Router] snmp-agent usm-user v3 v3user_no v3group_no

# Verify that the MIB style of Router is new. If not, set the MIB style of Router to new and reboot Router.

[Router] mib-style new

# Configure the user interfaces.

[Router] interface GigabitEthernet 2/1/7

[Router-GigabitEthernet2/1/7] ip address 192.168.1.254 24

[Router-GigabitEthernet2/1/7] undo shutdown

[Router-GigabitEthernet2/1/7] quit

[Router] interface GigabitEthernet 2/1/8

[Router-GigabitEthernet2/1/8] ip address 192.168.2.254 24

2.      Configure line card IM-IPS:

# Log in to the operating system on the IM-IPS card through the console port on the card, and enter password H3C.

Password:H3C

# Enter system view.

<IPS> system-view

# Assign an IP address for the network management port on the card to make the network management ports of the PC and the card reachable to each other.

[IPS] interface meth0/2

[IPS-if] ip address 192.168.3.14 24

[IPS-if] undo shutdown

# Open IE on the PC and enter https://192.168.3.14 in the address bar. Enter admin as both the username and the password.

Figure 4 Web login interface

 

# Configure the ACFP client:

a.    Select System Management > Network Management > ACFP Client Configuration from the navigation tree.

Figure 5 Configuring the ACFP client

 

b.    Select Enable ACFP Client, select SNMPv3 as the SNMP version, enter the server security username v3user_no, the server IP address 40.94.1.1, the client IP address 40.94.1.2, the mask 24, and the VLAN ID 4093.

c.    Click Apply.

d.    Click Connectivity Test to perform a connectivity test.

# Add security zone inbound:

a.    Select System Management > Network Management > Security Zone from the navigation tree.

b.    Click <<.

Figure 6 Adding security zone inbound

 

c.    Enter the name inbound, select GigabitEthernet2/1/7 from the list, and click Add to add it to the Interface box.

d.    Click Apply.

# Add security zone outbound:

a.    Select System Management > Network Management > Security Zone from the navigation tree.

b.    Click <<.

Figure 7 Creating security zone outbound

 

c.    Enter the name outbound, select GigabitEthernet2/1/8 from the list, and click Add to add it to the Interface box.

d.    Click Apply.

# Add segment 10:

a.    Select System Management > Network Management > Segment Configuration from the navigation tree.

Figure 8 Adding segment 10

 

b.    Select 10 from the Segment No. list.

c.    Select inbound from the Internal Zone list.

d.    Select outbound from the External Zone list.

e.    Click Apply.

# Configure the collaboration policy and rules:

a.    Select System Management > Network Management > ACFP Policy from the navigation tree.

b.    Click Create Policy.

Figure 9 Configuring collaboration policy

 

c.    Enter the description t1.

d.    Select GigabitEthernet2/1/7 from the Source Interface list.

e.    Select the Enable option.

f.    Select 0 from the Priority list.

# Add rule 1:

a.    Click Add on the Configure Rule tab as shown in Figure 9. After the page for creating a rule pops up, perform the following configuration as shown in Figure 10.

Figure 10 Creating rule 1

 

b.    Select the Specified Packets option.

c.    Select All from the Protocol list.

d.    Enter the source IP address 192.168.1.1.

e.    Enter the source mask 32.

f.    Click Apply.

# Create rule 2:

a.    Click Add on the Configure Rule tab as shown in Figure 9.

Figure 11 Creating rule 2

 

b.    Select the Specified Packets option.

c.    Select All from the Protocol list.

d.    Enter the source IP address 192.168.1.2.

e.    Enter the source mask 32.

f.    Click Apply.

# Configure ACFP filtering rule 1:

a.    Select Bandwidth Management > Bandwidth Policies from the navigation tree.

b.    Click Add.

Figure 12 Creating a policy application

 

c.    Enter the name user1, select the working mode Group mode, and select Permit from the Action Set list.

d.    Click Add to add a new entry in the policy application list.

Figure 13 Policy application range

 

e.    Click .

The page for adding IP address group pops up.

Figure 14 Adding IP address group 1

 

f.     Enter the name 192.168.1.1/32, select the protocol IPv4, enter the IPv4 address 192.168.1.1/32, click <<Add to add the address to the IP address box, and click Apply.

g.    In the policy application range page, click .

Figure 15 Advanced configuration

 

h.    Select 10 from the Segment list, select the Internal Zone option, select IP address 192.168.1.1/32 from the Internal Zone IP Addresses area, and click Apply.

i.     After finishing the above configuration, click OK on the page shown in Figure 12.

# Configure ACFP filtering rule 2:

a.    Select Bandwidth Management > Bandwidth Policies from the navigation tree.

b.    Click Add.

Figure 16 Creating a policy application

 

c.    Enter the name user2, select the working mode Group mode, and select Block from the Action Set list.

d.    Click Add to add a new entry in the policy application list.

Figure 17 Policy application range

 

e.    Click .

The page for adding IP address group pops up.

Figure 18 Adding IP address group 2

 

f.     Enter the name 192.168.1.2/32, select the protocol IPv4, enter the IPv4 address 192.168.1.2/32, and click <<Add to add the address to the IP address box.

g.    Click Apply.

h.    In the policy application range page, click .

Figure 19 Advanced configuration

 

i.     Select 10 from the Segment list, select the Internal Zone option, select IP address 192.168.1.2/32 from the Internal Zone IP Addresses area, and click Apply.

j.     After finishing the above configuration, click OK on the page shown in Figure 12.

# Activate configurations:

After you finish the above configuration, the page shown in Figure 20 appears.

Figure 20 Activating configurations

 

a.    Click Activate.

A confirmation dialog box appears.

b.    Click OK to activate the configuration.

3.      Verify the configuration:

Use the ping command to verify the connectivity between Host A and Host C, and between Host B and Host C. The test results show that Host A can ping Host C but Host B cannot.

CAUTION:

Set the ACL rule length limit mode to 3 or 4 with the acl mode command before you create an ACFP policy rule for the IPv6 protocol. For more information about the ACL rule length limit mode, see ACL and QoS Command Reference.