- Table of Contents
- H3C SecPath AFC2000-EX0-G Series Abnormal Traffic Cleaning System Configuration Examples-5W100
- 00-Preface
- 01-Series Deployment Single-Machine Single-Channel and Multi-Channel Configuration Example
- 02-BGP Layer 3 Bypass Return Path Configuration Example
- 03-BGP Auto-Diversion Deployment with Bypass and Abnormal Traffic Detection System Example
- 04-TCP Port Protection Configuration Example
- 05-AFC Comprehensive Protection Configuration Example
- 06-Typical Configuration Examples of Traction Management
- 07-OSPF Layer 2 Reintroduction Configuration Example
- 08-Cascaded Cluster and Dual-Node Active-Standby Configuration Example
- 09-Bypass BGP Layer 2 Return Traffic Configuration Example
- 10-OSPF-Based Three-Layer Return Injection Configuration Example
- 11-BGP-Based Three-Layer Injection Configuration Example for Bypass Single-Device Multi-Channel Deployment
- 12-BGP-Based Three-Layer Injection Configuration Example for Bypass Multi-Device Cluster Deployment
- 13-Bypass GRE Layer 3 Return Injection Configuration Example
- 14-Typical Configuration for HTTPS CC Protection Example
- Related Documents

| Title | Size | Download |
|---|---|---|
| 01-Series Deployment Single-Machine Single-Channel and Multi-Channel Configuration Example | 454.12 KB | |
- AFC Business Configuration Guide
- AFC Series-Deployment Single-Channel Equipment Typical Configuration Example
  - Configuration Example of Series Single-Channel Mode
  - Applicable Products and Versions
- AFC Series-Connection Deployment of Multi-Channel Equipment: Typical Configuration Examples
  - Configuration Examples of Series-Connection Multi-Channel Mode
  - Applicable Products and Versions
Feature Introduction
The AFC supports multiple deployment methods to meet traffic-cleaning requirements in different scenarios. These methods fall into two groups: serial (inline) deployment and bypass deployment.
This chapter covers single-device single-channel and single-device multi-channel deployment in serial mode. For bypass deployment, refer to the corresponding documents.
Serial deployment is transparent to the network: the AFC is inserted inline at the egress of the protected network, so attack traffic is filtered out before it reaches the servers while normal traffic passes through.
Feature Usage
This document is not strictly mapped to specific software and hardware versions. If the procedure differs from the actual product, follow the actual device.
All configurations in this document were performed and verified in a laboratory environment, with all device parameters at their factory defaults. If the device has already been configured, confirm that the existing configuration does not conflict with the configurations in the following examples before proceeding.
This document assumes that you are familiar with the VLAN and link-aggregation features.
Configuration Guide
System configuration consists of the basic and service-related configuration of the AFD and AFC devices, all performed through the Web interface, and the basic configuration of the switches, performed through the command line. This example deploys a single AFC device for traffic cleaning.
AFC Business Configuration Guide
· Single-channel device
For a single-channel device, set one AFC port to Series Network-out and another to Series Network-in, and bind the two internal ports to each other. Connect the Series Network-out port to the upper-layer network device and the Series Network-in port to the lower-layer network device, so that the AFC cleans and filters the traffic entering and leaving the network.
· Multi-channel device
For a multi-channel device, first configure link aggregation on the upper- and lower-layer switches; then connect each of the AFC's Series Network-out ports to the aggregation group of the upper-layer switch and each Series Network-in port to the aggregation group of the lower-layer switch.
Precautions
· The upper- and lower-layer switches used for AFC series deployment must support port aggregation.
· Switches and routers from different manufacturers and of different models use different configuration commands; follow the equipment's operation manual.
AFC Series-Deployment Single-Channel Equipment Typical Configuration Example
Introduction
This chapter describes the configuration when the AFC series-deployed equipment is a single link.
Usage Restrictions
Serial mode applies when customers need real-time, full-link detection and cleaning of inbound and outbound network traffic, or when the customer's network has no Layer 3 routing devices, so that bypass deployment is impossible.
Configuration Example of Series Single-Channel Mode
Applicable Products and Versions
Software version: H3C i-Ware Software, Version 7.1, ESS 6401.
Networking Requirements
To clean the traffic destined for the protected IP 171.0.3.21, the AFC device is connected in series in the customer's network: the AFC Series Network-out port is connected to the upper-layer switch and the AFC Series Network-in port to the lower-layer switch. The AFC inspects and filters the mixed traffic it receives and then forwards it to the lower-layer network. The networking is shown in the figure.
Figure 0‑1 AFC Series-Connected Deployment Single-Channel Equipment Configuration Networking Diagram
Implementation Details:
· Interface connection: AFC Inline Upstream Interface GE1/0 connects to the upper-layer switch, and AFC Inline Downstream Interface GE1/1 connects to the lower-layer switch.
· Host traffic cleaning: the global module policy filters and inspects host traffic in real time.
Table 0‑1 VLAN Allocation List

| VLAN ID | Description | IP Address |
|---|---|---|
| 1711 | Interface connecting the core switch to the AFC Inline Upstream Interface; gateway address for the lower-layer network | 171.0.1.1/24 |

Table 0‑2 AFC Interface IP Assignment List

| Interface | Description | IP Address |
|---|---|---|
| GE1/0 | In series mode, no configuration is required. If configured, it must not conflict with the network address. | |
| GE1/1 | In series mode, no configuration is required. If configured, it must not conflict with the network address. | |
| GE0/0 | AFC management port | 192.168.0.1/24 |
The interface names of [AFC] are determined by the specific device models and are for guidance and reference only. For the functions of the interfaces, please refer to the specific device models and perform usage and configuration according to the default interface functions of the devices. Do not modify them without authorization.
Configuration Ideas
To configure the AFC in series-deployed single-channel mode, follow these steps:
· Configure the basic network of the core switch R2: configure the G1/0/17 interface of the core switch R2 to interconnect with the G1/0/17 interface of the lower-layer switch R3.
· Configure the basic network of the lower-layer switch R3: configure the G1/0/17 interface of the lower-layer switch R3 to interconnect with the G1/0/17 interface of the core switch R2.
· Configure the business ports of the AFC device: bind the serial network ports to each other.
· Upper- and lower-layer switches: configure the Layer 2 attributes of the interfaces that connect the two switches to the AFC identically. For example, both are in VLAN 1711, or both are in trunk mode and permit VLAN 1711.
Configuration Steps
Configure Basic Network on Core Switch R2
Create VLAN 1711. VLAN 1711 corresponds to the 171.0.1.0/24 network segment, serving to place downstream terminal devices in the same network segment while acting as their gateway.
# Create VLAN
[R2]vlan 1711
[R2]quit
# Configure VLAN IP
[R2]interface Vlan-interface1711
[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0
[R2-Vlan-interface1711]quit
[R2]interface GigabitEthernet1/0/17
[R2-GigabitEthernet1/0/17]port link-mode bridge
[R2-GigabitEthernet1/0/17]port access vlan 1711
[R2-GigabitEthernet1/0/17]quit
Configure the Basic Network of the Lower-Layer Switch R3
Create VLAN 1711, which carries the uplink to the upper-layer network.
# Create VLAN
[R3]vlan 1711
# Add the interface of the switch connected to the host to the VLAN
[R3]interface GigabitEthernet1/0/13
# Connect to the protected host
[R3-GigabitEthernet1/0/13]port link-mode bridge
[R3-GigabitEthernet1/0/13]port access vlan 1711
[R3-GigabitEthernet1/0/13]quit
# Configure the VLAN of the interface connecting the lower-layer switch to the core switch
[R3]interface GigabitEthernet1/0/17
# Connect to the upper-layer Layer 3 switch
[R3-GigabitEthernet1/0/17]port link-mode bridge
[R3-GigabitEthernet1/0/17]port access vlan 1711
[R3-GigabitEthernet1/0/17]quit
If the upper- and lower-layer switches are unmanaged, no VLAN configuration is needed; just make sure there are no loops.
AFC Equipment Business-Port Configuration
To deploy a single AFC transparently in series, configure it as follows:
Note! For the steps in the configuration that have an 【Apply Config】 button, you need to click this button to make the configuration take effect. This will not be mentioned again below.
Log in to the AFC System Page
Access and log in through a browser: https://192.168.0.1. The account is "admin" and the password is "admin".
Figure 0‑2 Log in to the AFC system page
AFC Address and Port-Type Configuration
Go to [System] - [Device] - [Device Manage], click [Setup] on the right-hand side of the device, select [Port Settings] in the left navigation bar, and click [Modify]. Set GE0/0 as the management port and configure its management address, subnet mask, and gateway. Set GE1/0 as Series Network-out and GE1/1 as Series Network-in, and bind the two data ports to each other.
Figure 0‑3 Configure GE0/0
Figure 0‑4 Configure GE1/0
Figure 0‑5 Configure GE1/1
Configuration Verification
Verify that the client can communicate with the traffic-diversion server
Use the ping command to test whether the client can reach the server.
[root@AFCTest_Client ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:9D:1B:7A
inet addr:184.0.0.75 Bcast:184.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe9d:1b7a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:257120 errors:0 dropped:0 overruns:0 frame:0
TX packets:47273087 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28882056 (27.5 MiB) TX bytes:3460908912 (3.2 GiB)
[root@AFCTest_Client ~]# ping -c 5 171.0.3.21
PING 171.0.3.21 (171.0.3.21) 56(84) bytes of data.
64 bytes from 171.0.3.21: icmp_seq=1 ttl=124 time=0.799 ms
64 bytes from 171.0.3.21: icmp_seq=2 ttl=124 time=0.736 ms
64 bytes from 171.0.3.21: icmp_seq=3 ttl=124 time=0.862 ms
64 bytes from 171.0.3.21: icmp_seq=4 ttl=124 time=1.47 ms
64 bytes from 171.0.3.21: icmp_seq=5 ttl=124 time=1.02 ms
--- 171.0.1.21 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.736/0.977/1.470/0.266 ms
AFC Series-Connection Deployment of Multi-Channel Equipment: Typical Configuration Examples
Introduction
This chapter describes the configuration when the AFC series-deployed equipment is multi-channel.
Usage Restrictions
Series-connection mode applies when customers need real-time, full-link detection and cleaning of inbound and outbound network traffic, or when the customer's network has no Layer 3 routing devices, so that bypass deployment is impossible.
Configuration Examples of Series-Connection Multi-Channel Mode
Applicable Products and Versions
Software version: H3C i-Ware Software, Version 7.1, ESS 6401.
Networking Requirements
To clean the traffic destined for the protected IP 171.0.3.21, the AFC equipment is connected in series in the customer's network. All AFC Series Network-out ports are connected to the port aggregation group of the upper-layer switch, and all AFC Series Network-in ports to the port aggregation group of the lower-layer switch. The AFC detects and filters the mixed traffic it receives and then forwards it to the lower-layer network. The networking is shown in the figure.
Figure 0‑1 AFC Series-Connected Deployment Multi-Channel Equipment Configuration Networking Diagram
Implementation Details:
· Interface connection: the AFC Network-out interfaces connect to the upper-layer switch's port aggregation group (aggregation 8); the AFC Network-in interfaces connect to the lower-layer switch's port aggregation group (aggregation 8).
· Host traffic cleaning: configure protection scopes and host protection policies on the AFC; these policies filter and inspect host traffic in real time.
Table 0‑1 VLAN Allocation List

| VLAN ID | Description | IP Address |
|---|---|---|
| 1711 | Interface connecting the core switch to the AFC Series Network-out; VLAN to which the aggregation groups of the upper- and lower-layer switches belong; gateway of the lower-layer network | 171.0.1.1/24 |

Table 0‑2 AFC Interface IP Assignment List

| Interface | Description | IP Address |
|---|---|---|
| GE1/0 | In series mode, no configuration is required. If configuration is needed, it must not conflict with the network address. | |
| GE1/1 | In series mode, no configuration is required. If configuration is needed, it must not conflict with the network address. | |
| GE1/2 | In series mode, no configuration is required. If configuration is needed, it must not conflict with the network address. | |
| GE1/3 | In series mode, no configuration is required. If configuration is needed, it must not conflict with the network address. | |
| GE0/0 | AFC management port | 192.168.0.1/24 |
The interface names of [AFC] are determined by the specific equipment models. They are provided here only for guidance and reference purposes.
Configuration Ideas
To configure the AFC in series-deployed multi-channel mode, follow these steps:
· Configure the basic network of the core switch R2: configure the G1/0/17 interface of the core switch R2 to interconnect with the G1/0/17 interface of the lower-layer switch R3.
· Configure the basic network of the lower-layer switch R3: configure the G1/0/17 interface of the lower-layer switch R3 to interconnect with the G1/0/17 interface of the core switch R2.
· Configure the business ports of the AFC equipment: bind the serial network ports to each other.
· Upper- and lower-layer switches: each switch creates a port aggregation group, and the two aggregation groups are configured with identical attributes; for example, both belong to VLAN 1711.
· AFC: connect all Series Network-out ports of the AFC to the aggregation group of the upper-layer switch, and all Series Network-in ports to the aggregation group of the lower-layer switch.
Configuration Steps
Configure Basic Network on Core Switch R2
Create VLAN 1711. VLAN 1711 corresponds to the 171.0.1.0/24 network segment, serving to place downstream terminal devices in the same network segment while acting as their gateway.
# Create VLAN
[R2]vlan 1711
[R2]quit
# Configure VLAN IP
[R2]interface Vlan-interface1711
[R2-Vlan-interface1711]ip address 171.0.1.1 255.255.255.0
[R2-Vlan-interface1711]quit
# Create Port Aggregation Group
[R2]int Bridge-Aggregation 8
[R2-Bridge-Aggregation8]quit
# Add interfaces G1/0/10 and G1/0/11 to the aggregation group.
[R2]int GigabitEthernet 1/0/10
[R2-GigabitEthernet1/0/10]port link-aggregation group 8
[R2-GigabitEthernet1/0/10]quit
[R2]int GigabitEthernet 1/0/11
[R2-GigabitEthernet1/0/11]port link-aggregation group 8
[R2-GigabitEthernet1/0/11]quit
# Configure VLAN information for aggregation groups
[R2]int Bridge-Aggregation 8
[R2-Bridge-Aggregation8]port access vlan 1711
[R2-Bridge-Aggregation8]quit
# View interface configuration here
[R2]int GigabitEthernet 1/0/10
[R2-GigabitEthernet1/0/10]dis this
#
interface GigabitEthernet1/0/10
port link-mode bridge
port access vlan 1711
port link-aggregation group 8
[R2-GigabitEthernet1/0/10]quit
[R2]int GigabitEthernet 1/0/11
[R2-GigabitEthernet1/0/11]dis this
#
interface GigabitEthernet1/0/11
port link-mode bridge
port access vlan 1711
port link-aggregation group 8
# Check the status of the aggregation group, which by default is Layer 2 static aggregation.
[R2]display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregation Interface: Bridge-Aggregation8
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Oper-Key
--------------------------------------------------------------------------------
GE1/0/10 S 1
GE1/0/11 S 1
# View load mode, default is destination/source IP load sharing
[R2]display link-aggregation load-sharing mode interface
Bridge-Aggregation8 Load-Sharing Mode:
Layer 2 traffic: ingress-port, destination-mac address,
source-mac address
Layer 3 traffic: destination-ip address, source-ip address
Configure the Basic Network of the Lower-Layer Switch R3
Create VLAN 1711, which carries the uplink to the upper-layer network and is the VLAN in which the protected hosts reside.
# Create VLAN
[R3]vlan 1711
# Add the interface connecting the switch to the host to VLAN
[R3]interface GigabitEthernet1/0/13
# Connect to the protected host
[R3-GigabitEthernet1/0/13]port link-mode bridge
[R3-GigabitEthernet1/0/13]port access vlan 1711
[R3-GigabitEthernet1/0/13]quit
# Create the aggregation group
[R3]interface Bridge-Aggregation 8
[R3-Bridge-Aggregation8]quit
# Add interfaces G1/0/10 and G1/0/11 to the aggregation group
[R3]int GigabitEthernet 1/0/10
[R3-GigabitEthernet1/0/10]port link-aggregation group 8
[R3-GigabitEthernet1/0/10]quit
[R3]int GigabitEthernet 1/0/11
[R3-GigabitEthernet1/0/11]port link-aggregation group 8
[R3-GigabitEthernet1/0/11]quit
# Configure VLAN information for aggregation groups
[R3]int Bridge-Aggregation 8
[R3-Bridge-Aggregation8]port access vlan 1711
[R3-Bridge-Aggregation8]quit
# View interface configuration here
[R3]int GigabitEthernet 1/0/10
[R3-GigabitEthernet1/0/10]dis this
#
interface GigabitEthernet1/0/10
port link-mode bridge
port access vlan 1711
port link-aggregation group 8
[R3-GigabitEthernet1/0/10]quit
[R3]int GigabitEthernet 1/0/11
[R3-GigabitEthernet1/0/11]dis this
#
interface GigabitEthernet1/0/11
port link-mode bridge
port access vlan 1711
port link-aggregation group 8
#
return
# Aggregation status viewing
[R3]display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregation Interface: Bridge-Aggregation8
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Oper-Key
--------------------------------------------------------------------------------
GE1/0/10 S 1
GE1/0/11 S 1
# View aggregated load mode
[R3]display link-aggregation load-sharing mode interface
Bridge-Aggregation8 Load-Sharing Mode:
Layer 2 traffic: ingress-port, destination-mac address,
source-mac address
Layer 3 traffic: destination-ip address, source-ip address
The upper- and lower-layer switches must support port aggregation.
Configure AFC
To deploy a single AFC transparently in series across multiple links, configure it as follows:
Note! For the steps in the configuration that have an 【Apply Config】 button, you need to click this button to make the configuration take effect. This will not be mentioned again below.
Log in to the AFC System Page
Access and log in through a browser: https://192.168.0.1. The account is "admin" and the password is "admin".
Figure 4‑1 Log in to the AFC system page
AFC Address and Port-Type Configuration
Go to 【System】 - 【Device】 - 【Device Manage】, click 【Setup】 on the right-hand side of the device, select 【Port Settings】 in the left-hand navigation bar, and click 【Modify】. Set GE0/0 as the management port and configure its management address, subnet mask, and gateway. Set GE1/0 as Series Network-out and GE1/1 as Series Network-in, and bind these two data ports to each other. Set GE1/2 as Series Network-out and GE1/3 as Series Network-in, and bind these two data ports to each other.
Figure 4‑2 Configure GE0/0
Figure 4‑3 Configure GE1/0
Figure 4‑4 Configure GE1/1
Figure 4‑5 Configure GE1/2
Figure 4‑6 Configure GE1/3
Configuration Verification
Verify that the client can communicate with the traffic-diversion server
Use the ping command to test whether the client can reach the server.
[root@AFCTest_Client ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:9D:1B:7A
inet addr:184.0.0.75 Bcast:184.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe9d:1b7a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:257120 errors:0 dropped:0 overruns:0 frame:0
TX packets:47273087 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28882056 (27.5 MiB) TX bytes:3460908912 (3.2 GiB)
[root@AFCTest_Client ~]# ping -c 5 171.0.3.21
PING 171.0.3.21 (171.0.3.21) 56(84) bytes of data.
64 bytes from 171.0.3.21: icmp_seq=1 ttl=124 time=0.799 ms
64 bytes from 171.0.3.21: icmp_seq=2 ttl=124 time=0.736 ms
64 bytes from 171.0.3.21: icmp_seq=3 ttl=124 time=0.862 ms
64 bytes from 171.0.3.21: icmp_seq=4 ttl=124 time=1.47 ms
64 bytes from 171.0.3.21: icmp_seq=5 ttl=124 time=1.02 ms
--- 171.0.1.21 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.736/0.977/1.470/0.266 ms
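As an added illustration (not part of the H3C document), a small Python checker for the verification steps of both the single-channel and multi-channel examples above: it confirms that every expected member of Bridge-Aggregation 8 shows as Selected in `display link-aggregation verbose`, that the Layer 2 attributes of the member ports match on the upper-layer and lower-layer switches (the requirement stated under Configuration Ideas), and that the client ping shows no loss. All sample outputs are constructed to match the shape of the listings on the page; the function names are this example's own.

```python
import re

# Constructed sample of `display link-aggregation verbose` output, shaped like
# the R2/R3 listing on the page (both members of Bridge-Aggregation8 Selected).
LAG_VERBOSE_OK = """Aggregation Interface: Bridge-Aggregation8
Aggregation Mode: Static
Loadsharing Type: Shar
  Port Status Oper-Key
--------------------------------------------------------------------------------
  GE1/0/10 S 1
  GE1/0/11 S 1
"""

# Constructed `dis this` fragments for one member port on each switch. The VLAN
# on the lower-layer switch is deliberately wrong to show the mismatch check firing.
R2_PORT_CFG = """interface GigabitEthernet1/0/10
 port link-mode bridge
 port access vlan 1711
 port link-aggregation group 8"""
R3_PORT_CFG_BAD = R2_PORT_CFG.replace("vlan 1711", "vlan 1712")

# Constructed ping summary with the same shape as the client check on the page.
PING_OK = """--- 171.0.3.21 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.736/0.977/1.470/0.266 ms"""


def parse_lag_verbose(text):
    """Return the aggregation mode and each member's Selected/Unselected status."""
    mode = re.search(r"Aggregation Mode:\s*(\S+)", text)
    ports = {}
    for m in re.finditer(r"^\s*(GE\d+/\d+/\d+)\s+([SU])\s+(\d+)", text, re.M):
        ports[m.group(1)] = {"status": m.group(2), "key": int(m.group(3))}
    return {"mode": mode.group(1) if mode else None, "ports": ports}


def lag_problems(text, expected_members):
    """Findings that would stop traffic reaching the AFC through the group."""
    info = parse_lag_verbose(text)
    problems = []
    for name in expected_members:
        port = info["ports"].get(name)
        if port is None:
            problems.append(f"{name}: not in aggregation group")
        elif port["status"] != "S":
            problems.append(f"{name}: Unselected (not forwarding)")
    if len({p["key"] for p in info["ports"].values()}) > 1:
        problems.append("members have different Oper-Keys")
    return problems


def parse_port_cfg(text):
    """Extract the Layer 2 attributes that must match on both switches."""
    vlan = re.search(r"port access vlan (\d+)", text)
    group = re.search(r"port link-aggregation group (\d+)", text)
    return {"vlan": int(vlan.group(1)) if vlan else None,
            "group": int(group.group(1)) if group else None}


def side_mismatches(upper_cfg, lower_cfg):
    """Attribute names that differ between the upper- and lower-layer switch ports."""
    upper, lower = parse_port_cfg(upper_cfg), parse_port_cfg(lower_cfg)
    return [k for k in upper if upper[k] != lower[k]]


def ping_loss_pct(text):
    """Packet-loss percentage from a ping statistics block (100 if unparseable)."""
    m = re.search(r"(\d+) packets transmitted, (\d+) received", text)
    if not m:
        return 100.0
    sent, recv = int(m.group(1)), int(m.group(2))
    return 100.0 * (sent - recv) / sent if sent else 100.0
```

To use it on a live deployment, replace the constructed constants with the real `display link-aggregation verbose`, `display this` and ping output captured from R2, R3 and the test client.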