Table of Contents
Chapter 2 SecBlade Configuration
2.1.1 Configuring Interface Aggregation for the SecBlade Card
2.1.2 Creating a SecBlade Module
2.1.3 Specifying the Layer 3 Interface Connecting the Switch and the SecBlade Card
2.1.4 Specifying the VLANs Protected by the SecBlade Card
2.1.5 Mapping the SecBlade Module to the SecBlade Card
2.1.6 Logging into the SecBlade Card
2.1.7 Configuring Default Login User Function
2.2 Displaying Information about the SecBlade Module
Chapter 1 SecBlade Overview
1.1 SecBlade Firewall Cards
SecBlade firewall cards are designed to meet the security requirements of enterprise and campus networks. By integrating the forwarding function of the switch with service processing, they enable the switch to handle the security services needed for defense and monitoring while still forwarding data at high efficiency.
SecBlade firewall cards are security-specific cards that combine the VLAN switching technology of the switch with network security technology. They inherit the wire-speed, high-capacity forwarding of the switch and extend the VLAN technology with secureVlan for security purposes. SecBlade firewall cards can protect network borders as well as multiple demilitarized zones (DMZs) and the VLAN boundaries inside the Intranet.
Table 1-1 SecBlade FW card functions

Attribute | Function | Description
---|---|---
Network security | Authentication, authorization and accounting (AAA) | RADIUS; HWTACACS; CHAP authentication; PAP authentication; Domain authentication
Network security | Firewall | Packet filtering; Access control list on the basis of interface; Access control list on the basis of time period; ASPF status firewall; Anti-attack features: Land, Smurf, Fraggle, WinNuke, Ping of Death, Tear Drop, IP Spoofing, SYN Flood, ICMP Flood, UDP Flood, ARP spoofing attack defending; Initiative and reverse ARP query; Illegal flag bit attack defending of TCP packets; Super ICMP packet attack defending; Address/port scanning defending; DoS/DDoS attack defending; ICMP redirection and unreachable packets controlling; Tracert packets controlling; IP packets with route record controlling; Static and dynamic blacklist; MAC and IP addresses binding; Worm virus defending; Transparent firewall; Reverse path forwarding
Network security | Mail/network page filtering | Mail filtering: SMTP mail addresses, SMTP mail titles, SMTP mail contents, SMTP mail attachments; Network page filtering: HTTP URLs, HTTP contents
Network security | Security management | Real time attack log; Blacklist log; Address binding log; Traffic alarm log; Session log; Binary format log function; Traffic statistics and analysis function; Monitoring rate globally or on the basis of security domain; Monitoring the percentage of protocol packets globally or on the basis of security domain; Security event statistics; Real time E-Mail alarm; Periodical E-Mail transmission
Network security | NAT | Address translation in address pool mode; Address translation by ACL; Easy IP; NAT Server; Valid time for address translation; Multiple ALGs, including FTP, H323, DNS, and SIP
VPN | L2TP VPN | Initiating a connection to the specified LNS according to the full user name and domain name of the VPN user; Assigning addresses for VPN users; LCP re-negotiation and CHAP re-authentication; L2TP multi-instance
VPN | GRE VPN | Using the tunnel technology to encapsulate and decapsulate data packets at both sides of the tunnel
Network interconnection | LAN protocol | Ethernet_II; Ethernet_SNAP; VLAN
Network interconnection | Data link layer protocol | PPP; PPPoE
Network protocol | IP service | ARP; Static domain name resolution; IP address borrowing; DHCP relay; DHCP server; DHCP client
Network protocol | IP routing | Static route management; RIP-1/RIP-2; OSPF; BGP; Routing policy; Policy routing
Network reliability | | Supporting virtual router redundancy protocol (VRRP) to implement backup
Configuration management | Command line interface | Local configuration through the Console interface; Remote configuration through the AUX interface; Local or remote configuration through Telnet or SSH; Configuration through the switch; Hierarchical protection for configuration commands to make sure illegal users cannot configure the device; Prompts and help information in Chinese; Detailed debugging information for diagnosing network failures; Test tools such as Tracert and Ping commands for network diagnosis; Telnet for directly logging into and managing other network devices; FTP Server/Client; TFTP; Logging; File system management; User interface configuration to provide multiple authentication and authorization functions for login users
Configuration management | | SNMPv3, compatible with SNMPv2C and SNMPv1; NTP synchronization
1.2 SecBlade VPN Cards
SecBlade VPN cards support VPN services such as L2TP VPN, IPSec VPN, GRE VPN and dynamic VPN (DVPN). By integrating LAN and WAN access, a SecBlade VPN card lets you build a flattened aggregation network that is easier to maintain and cheaper to run; by integrating Internet, Intranet and Extranet access, it provides secure access across all three.
Table 1-2 SecBlade VPN card functions

Attribute | Function | Description
---|---|---
Network security | Authentication, authorization and accounting (AAA) | RADIUS; HWTACACS; CHAP authentication; PAP authentication; Domain authentication
Network security | Firewall | Packet filtering; Access control list on the basis of interface; Access control list on the basis of time period
VPN | L2TP VPN | Initiating a connection to the specified LNS according to the full user name and domain name of the VPN user; Assigning addresses for VPN users; LCP re-negotiation and CHAP re-authentication
VPN | IPSec/IKE | AH and ESP protocols; Establishing security associations manually or automatically through IKE negotiation; DES, 3DES and AES (only for ESP); MD5 and SHA-1; IKE main mode and aggressive mode; NAT traversal
VPN | GRE VPN | Using the tunnel technology to encapsulate and decapsulate data packets at both sides of the tunnel
VPN | DVPN | Automatic tunnel establishment; Tunnel establishment in UDP mode; Client access authentication and inter-node encryption and authentication; VPN building through dynamic IP addresses; Supporting a node in multiple VPN areas; Multiple VPN areas; NAT traversal; IPSec encryption; Server bandwidth saving through dynamic tunnel establishment
Network interconnection | LAN protocol | Ethernet_II; Ethernet_SNAP; VLAN
Network interconnection | Link layer protocol | PPP; PPPoE
Network protocol | IP service | ARP; Static domain name resolution; IP address borrowing; DHCP relay; DHCP server; DHCP client
Network protocol | IP routing | Static route management; RIP-1/RIP-2; OSPF; BGP; Routing policy; Policy routing
Network reliability | | Supporting virtual router redundancy protocol (VRRP) to implement backup
Configuration management | Command line interface | Local configuration through the Console interface; Remote configuration through the AUX interface; Local or remote configuration through Telnet or SSH; Configuration through the switch; Hierarchical protection for configuration commands to make sure illegal users cannot configure the device; Detailed debugging information for diagnosing network failures; Test tools such as Tracert and Ping commands for network diagnosis; Telnet for directly logging into and managing other network devices; FTP Server/Client; TFTP; Logging; File system management; User interface configuration to provide multiple authentication and authorization functions for login users
Configuration management | | SNMPv3, compatible with SNMPv2C and SNMPv1; NTP synchronization
Chapter 2 SecBlade Configuration
2.1 SecBlade Configuration
To make the switch and the SecBlade card work together, perform the following SecBlade configurations on the switch:
- Configuring Interface Aggregation for the SecBlade Card
- Creating a SecBlade Module
- Specifying the Layer 3 Interface Connecting the Switch and the SecBlade Card
- Specifying the VLANs Protected by the SecBlade Card
- Mapping the SecBlade Module to the SecBlade Card
- Logging into the SecBlade Card
- Configuring Default Login User Function (Optional)
2.1.1 Configuring Interface Aggregation for the SecBlade Card
Two internal GE interfaces are used to connect the SecBlade card to the switch. You can aggregate these two interfaces into a logical interface for higher bandwidth.
Perform the following configuration in system view of the switch.
Table 2-1 Configure interface aggregation for the SecBlade card

Operation | Command
---|---
Configure two GE interfaces for aggregation | secblade aggregation slot slot-number
Remove the configuration | undo secblade aggregation slot slot-number
By default, no interface aggregation is configured and only one GE interface is available.
Caution:
When you use the secblade aggregation slot command to configure interface aggregation for the SecBlade card and the card's own aggregation resources are insufficient, the card takes over resources that other aggregation groups are using.
2.1.2 Creating a SecBlade Module
To make the SecBlade card and the switch work together, you first need to create a SecBlade module to enter SecBlade module view.
Perform the following configuration in system view of the switch.
Table 2-2 Create the SecBlade module

Operation | Command
---|---
Create a SecBlade module | secblade module sec-mod-name
Remove the SecBlade module | undo secblade module sec-mod-name
By default, no SecBlade module is created.
2.1.3 Specifying the Layer 3 Interface Connecting the Switch and the SecBlade Card
To make the SecBlade card and the switch communicate at Layer 3, you must specify the Layer 3 interface connecting the switch and the SecBlade card.
Perform the following configuration in SecBlade module view of the switch.
Table 2-3 Specify the Layer 3 interface connecting the switch and the SecBlade card

Operation | Command
---|---
Specify the Layer 3 interface connecting the switch and the SecBlade card | secblade-interface vlan-interface interface-number
Remove the configuration | undo secblade-interface vlan-interface interface-number
By default, the Layer 3 interface connecting the switch and the SecBlade card is not configured.
2.1.4 Specifying the VLANs Protected by the SecBlade Card
To make the SecBlade card protect data streams of the specified VLANs, you need to specify the VLANs to be protected.
Perform the following configuration in SecBlade module view of the switch.
Table 2-4 Specify the VLANs to be protected

Operation | Command
---|---
Specify the VLANs to be protected | security-vlan vlan-range
Cancel the VLAN protection | undo security-vlan vlan-range
By default, no VLAN is protected.
2.1.5 Mapping the SecBlade Module to the SecBlade Card
After completing the above configuration in the SecBlade module, you need to map the module to the SecBlade card so that the configuration takes effect.
Perform the following configuration in SecBlade module view of the switch.
Table 2-5 Map the SecBlade module to the SecBlade card

Operation | Command
---|---
Map the SecBlade module to the SecBlade card | map to slot slot-number
Remove the configuration | undo map to slot slot-number
By default, the SecBlade module is not mapped to the SecBlade card.
2.1.6 Logging into the SecBlade Card
You can log in to the SecBlade card directly from the switch for configuration and management.
Perform the following configuration in user view of the switch.
Table 2-6 Log in to the SecBlade card

Operation | Command
---|---
Log in to the SecBlade card | secblade slot slot-number
2.1.7 Configuring Default Login User Function
For login convenience, a user whose name and password are both SecBlade is created in the SecBlade card. You can use this user name and password to log in to the SecBlade card.
Perform the following configuration in system view of the SecBlade card.
Table 2-7 Configure default login user function

Operation | Command
---|---
Enable default login user function | default-login-user
Disable default login user function | undo default-login-user
By default, the default login user function is enabled, so the internally created user (name and password both SecBlade) can be used to log in to the SecBlade card. Because this user name and password are built in and the same on every card, disable the function with undo default-login-user once your own administrative accounts are in place.
2.2 Displaying Information about the SecBlade Module
After the above configuration, you can execute the following command in any view to display information about the SecBlade module to verify the configuration.
Table 2-8 Display information about the SecBlade module

Operation | Command
---|---
Display information about the SecBlade module | display secblade module [ sec-mod-name ]
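The steps of 2.1 and the verification in 2.2, carried through in one session as an added example (this is not a transcript from the manual). It assumes a switch named Switch, the SecBlade card in slot 3, a module named fw, VLAN-interface 100 as the Layer 3 link and VLANs 10 to 20 as the protected VLANs; the view prompts, the `10 to 20` range syntax and the card prompt `<SecBlade>` are assumed, and lines starting with `#` are annotations rather than CLI input.

```text
# Switch side, system view: build the module and bind it to the card in slot 3
<Switch> system-view
[Switch] secblade aggregation slot 3
[Switch] secblade module fw
# The module view prompt is assumed; the remaining module settings are entered here
[Switch-secblade-fw] secblade-interface vlan-interface 100
[Switch-secblade-fw] security-vlan 10 to 20
[Switch-secblade-fw] map to slot 3
[Switch-secblade-fw] quit
# Verify the module before logging in to the card (any view)
[Switch] display secblade module fw
[Switch] quit
# User view: log in to the card, then turn off the built-in SecBlade/SecBlade account
<Switch> secblade slot 3
<SecBlade> system-view
[SecBlade] undo default-login-user
```

Run undo default-login-user only after an administrative account of your own exists on the card, otherwise the only remaining login path is removed; creating that account is outside this document.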