ACFP overview
Data communication networks are built from routers and switches, which forward packets. As these networks have grown, more services run over them, and some newer services are poorly suited to general-purpose forwarding devices. Dedicated products such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and voice and wireless equipment have therefore been designed to handle specific services.
To support these services, manufacturers of routers and switches (the legacy networking devices in this document) have developed dedicated service boards (cards). Some of them also provide software and hardware interfaces that let cards or devices from other manufacturers be plugged into or connected to the router or switch and cooperate with it in handling these services. Each manufacturer then contributes what it does best, and the customer's existing investment is preserved.
The open application architecture (OAA) is an open service architecture built on this idea. It integrates switches and software from different manufacturers so that they function as one switch and deliver an integrated solution to the customer.
The Application Control Forwarding Protocol (ACFP) is built on the OAA architecture. For example, IPS/IDS cards or IPS/IDS devices acting as ACFP clients run software developed by other manufacturers to provide the IPS/IDS service. The router or switch mirrors or redirects received packets that match the ACFP collaboration rules to an ACFP client. The software on the ACFP client inspects the packets and, based on the result, sends instructions back to the router or switch through the collaboration Management Information Bases (MIBs), for example to filter out specific packets.
NOTE: Only the LSR1IPS1A1 and LSR1ACG1A1 line cards support ACFP.
ACFP architecture
As shown in Figure 1, the ACFP architecture comprises the following components:
· Routing/switching component—The main part of a router or switch. It performs the complete router/switch functions and is the core of user management and control. This part is called the ACFP server.
· Independent service component—The part open to development by third parties, used mainly to provide service-specific functions. This part is called the ACFP client.
· Interface-connecting component—Connects the interface of the routing/switching component to that of the independent service component, so that equipment from two manufacturers can be interconnected.
ACFP collaboration
ACFP collaboration means that the independent service component can send instructions to the routing/switching component to change its behavior. It is implemented mainly through the Simple Network Management Protocol (SNMP): the independent service component acts as a network management system and sends SNMP commands to the routing/switching component, which runs an SNMP agent and executes them. The collaboration MIB is what ties the two components together, so whoever can write to that MIB can change how the switch forwards traffic.
ACFP management
ACFP collaboration provides a mechanism that enables the ACFP client to control the traffic on the ACFP server by implementing the following functions:
· Mirroring and redirecting the traffic on the ACFP server to the ACFP client
· Permitting/denying the traffic from the ACFP server
· Restricting the rate of the traffic on the ACFP server
· Carrying the context ID in a packet to enable the ACFP server and ACFP client to communicate the packet context with each other. The detailed procedure is as follows:
The ACFP server maintains a context table indexed by context ID. Each context ID corresponds to an ACFP collaboration policy, which records the inbound interface and outbound interface of the packet and the collaboration rules. When a packet received by the ACFP server matches a collaboration rule and is redirected or mirrored to the ACFP client, it carries the context ID of the policy to which that rule belongs. When a redirected packet is returned from the ACFP client, it still carries the context ID. From the context ID, the ACFP server knows that the packet has come back after redirection and forwards it normally.
To let the ACFP client control traffic flexibly, the collaboration uses a two-level structure of collaboration policies and collaboration rules: traffic that matches a collaboration rule is managed according to the policy that rule belongs to.
To support the client/server collaboration mode and allow rules to be set granularly and flexibly, the collaboration content is divided into four parts: ACFP server information, ACFP client information, ACFP collaboration policies, and ACFP collaboration rules. All of this information is stored on the ACFP server.
An ACFP server supports multiple ACFP clients. Therefore, ACFP client information, ACFP collaboration policy, and ACFP collaboration rules are organized in the form of tables.
ACFP server information is generated by the ACFP server itself. ACFP client information, ACFP collaboration policy, and ACFP collaboration rules are generated on the ACFP client and sent to the ACFP server through the collaboration MIB or collaboration protocol.
ACFP information overview
ACFP server information
ACFP server information contains the following parts:
· Supported working modes, which are host, pass-through, mirroring, and redirect. An ACFP server can support several of these four modes at the same time. The ACFP server and a client can collaborate only if the server supports the working mode of the client.
· Maximum expiration time of a collaboration policy, which indicates how long a collaboration policy on the ACFP server can remain valid.
· Whether the ACFP server can permanently save collaboration policies, that is, whether it keeps the original collaboration policies after a reboot.
· Currently supported context ID type, which specifies where the context ID is located in the packet. The supported type is HGPlus-context, in which the context ID is carried in the HGPlus preamble of the packet.
This information indicates the collaboration capabilities of an ACFP server. ACFP clients can access this information through a collaboration protocol or collaboration MIB.
ACFP client information
ACFP client information contains the following parts:
· ACFP client identifier—Assigned by the ACFP server through a collaboration protocol or specified by the network administrator. Each ACFP client must have a unique client ID on the ACFP server.
· Description—ACFP client description information.
· Hw-Info—ACFP client hardware type, version number, and so on.
· OS-Info—System name and version number of the ACFP client.
· App-Info—Application software type and version number of the ACFP client.
· Client IP—ACFP client IP address.
· Client Mode—Working mode currently supported by the ACFP client, namely, the combination of the host, pass-through, mirroring, and redirect modes.
ACFP collaboration policy
An ACFP collaboration policy is sent by the ACFP client to the ACFP server to be applied. It contains the following fields:
· Client ID—ACFP client identifier.
· Policy-Index—Identifier of the policy.
· In-interface—Interface through which the packet is sent to the ACFP server.
· Out-interface—Interface through which the packet is forwarded normally.
· Dest-interface—ACFP server interface connected with ACFP client.
· Context ID—Used when the packet is mirrored or redirected to an ACFP client. After the interface connected to the ACFP client is specified in the policy sent, the ACFP server assigns it a global serial number, that is, the Context ID, with each Context ID corresponding to an ACFP collaboration policy.
· Admin-Status—Indicates whether to enable the policy.
· Effect-Status—Expiration time of the policy. It also controls the expiration of all the rules under the policy.
· Start-Time—Time (second/minute/hour) from which the policy, and therefore all the rules under it, takes effect.
· End-Time—Time (second/minute/hour) from which the policy, and therefore all the rules under it, becomes invalid.
· DestIfFailAction—What happens to all the rules under the policy if the dest-interface of the policy goes down. A forwarding-first switch selects the delete action: the rules are removed, so packets that would have been redirected or mirrored continue to be forwarded (the policy fails open). A security-first switch selects the reserve action: the rules are kept, so the redirected and mirrored packets are discarded until the interface comes back (the policy fails closed).
· Priority—Indicates the priority of a policy, number notation, in the range of 1 to 8. The bigger the number, the higher the priority.
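The policy fields above decide whether traffic matching a monitoring rule is actually redirected at a given moment, and DestIfFailAction decides between failing open (delete) and failing closed (reserve) when the link to the client goes down. The following Python model is an added example, not code from this guide or from the switch: it evaluates Admin-Status, the Start-Time/End-Time window, Effect-Status expiry and the dest-interface state in that order and returns the resulting disposition. The time fields are represented as seconds since an arbitrary epoch and the interface-state dictionary is an assumed input standing in for the switch's link-state table.

```python
from dataclasses import dataclass
from enum import Enum


class FailAction(Enum):
    """DestIfFailAction values named in the policy definition."""
    DELETE = "delete"    # forwarding first: rules stop applying, traffic keeps flowing
    RESERVE = "reserve"  # security first: rules stay, matching traffic is discarded


@dataclass
class Policy:
    client_id: int
    policy_index: int
    in_interface: str
    dest_interface: str          # server interface connected to the ACFP client
    admin_status: bool           # Admin-Status
    start_time: int              # Start-Time (assumed: seconds since an arbitrary epoch)
    end_time: int                # End-Time (same representation)
    expire_at: int               # Effect-Status: absolute time at which the policy expires
    dest_if_fail_action: FailAction
    priority: int                # 1..8, a larger number is a higher priority


def policy_state(policy: Policy, now: int, interface_up: dict) -> str:
    """Classify a policy as 'inactive', 'active', 'fail-open' or 'fail-closed'.

    interface_up maps interface name -> bool; it is an assumed input that stands in
    for the switch's own link-state table."""
    if not policy.admin_status:
        return "inactive"                      # not enabled
    if now >= policy.expire_at:
        return "inactive"                      # expired, together with all its rules
    if not policy.start_time <= now < policy.end_time:
        return "inactive"                      # outside its Start-Time/End-Time window
    if not interface_up.get(policy.dest_interface, False):
        # The link towards the client is down: DestIfFailAction decides the outcome.
        return "fail-open" if policy.dest_if_fail_action is FailAction.DELETE else "fail-closed"
    return "active"


def redirect_disposition(policy: Policy, now: int, interface_up: dict) -> str:
    """What happens to a packet that matches a redirect or mirror rule under this policy."""
    return {
        "active": "redirect",      # sent to the client with the policy's context ID
        "fail-open": "forward",    # delete: forwarded without inspection
        "fail-closed": "drop",     # reserve: discarded until the dest-interface is up again
        "inactive": "forward",     # policy not in effect, so its rules do not apply
    }[policy_state(policy, now, interface_up)]


def demo() -> dict:
    """Constructed scenario: a security-first IPS policy whose client link goes down."""
    link = "Ten-GigabitEthernet4/0/1"
    ips = Policy(client_id=1, policy_index=1, in_interface="GigabitEthernet5/0/23",
                 dest_interface=link, admin_status=True, start_time=0, end_time=86400,
                 expire_at=3600, dest_if_fail_action=FailAction.RESERVE, priority=8)
    return {
        "link up": redirect_disposition(ips, 100, {link: True}),
        "link down": redirect_disposition(ips, 100, {link: False}),
        "expired": redirect_disposition(ips, 3600, {link: True}),
    }
```

The order of the checks matters: an expired or disabled policy never reaches the fail-action branch, so a stale reserve policy does not keep dropping traffic after its Effect-Status has run out.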
ACFP collaboration rules
ACFP collaboration rules are sent by the ACFP client to the ACFP server to be applied. There are three types of collaboration rules:
· Monitoring rules—Select the packets to be sent to the ACFP client for monitoring, analysis, and processing. The action types for monitoring rules are redirect and mirror.
· Filtering rules—Determine which packets are denied and which are permitted. The action types for filtering rules are deny and permit.
· Restricting rules—Determine which packets are rate limited. The action type for restricting rules is rate.
Rule information is described as follows:
· ClientID—ACFP client identifier.
· Policy index—Identifier of the policy the rule belongs to.
· Rule index—rule identifier.
· Status—It indicates whether the rule is applied successfully.
· Action—It can be mirror, redirect, deny, permit, or rate.
· Match all packets—It indicates whether to match all the packets. If yes, the following matching needs not be performed.
· Source MAC address
· Destination MAC address
· Starting VLAN ID
· Ending VLAN ID
· Protocol number in IP
· Source IP address
· Wildcard mask of source IP address
· Source port operator—One of equal to, not equal to, greater than, less than, or greater than and less than (range). The ending source port number below takes effect only when the operator is greater than and less than. In that case, the source port number of a matching packet must be greater than the starting source port number and less than the ending source port number.
· Starting source port number
· Ending source port number
· Destination IP address
· Wildcard mask of destination IP address
· Destination port operator—One of equal to, not equal to, greater than, less than, or greater than and less than (range). The ending destination port number below is meaningful only when the operator is greater than and less than. In that case, the destination port number of a matching packet must be greater than the starting destination port number and less than the ending destination port number.
· Starting destination port number
· Ending destination port number
· Pro—Protocol type, which can be GRE, ICMP, IGMP, OSPF, TCP, UDP, or IP.
· IP precedence—Packet precedence, a number in the range of 0 to 7.
· IP ToS—Type of Service (ToS) of IP
· IP DSCP—Differentiated Services Code Point (DSCP) of IP
· TCP flag—Specifies which of the six TCP flag bits (URG, ACK, PSH, RST, SYN, FIN) the rule examines.
· IP fragment—It indicates whether the packet is an IP packet fragment.
· Rate limit
You can use the collaboration policy to manage the collaboration rules that belong to it.
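To make the rule fields concrete, and to show how the context ID described under "ACFP management" ties a redirected packet back to its policy, the following Python model is an added example, not code from this guide or from the switch. It implements the wildcard-mask and port-operator semantics defined above (including the strict "greater than and less than" range), applies the five actions, and keeps a context table for returned packets. The packet dictionaries are constructed for the example; rule evaluation in index order with first match winning, and dropping a packet that returns on the client-facing interface without a known context ID, are assumptions of this model rather than statements of the page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def ip_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """ACL-style wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(rule_addr)) & care)


def port_matches(port: int, op: str, start: int, end: Optional[int] = None) -> bool:
    """Port operators from the rule definition. 'range' is strict on both ends
    (start < port < end), as the text specifies; the ending port is only used there."""
    if op == "range":
        return start < port < end
    return {"eq": port == start, "neq": port != start, "gt": port > start, "lt": port < start}[op]


@dataclass
class Rule:
    rule_index: int
    action: str                         # mirror | redirect | deny | permit | rate
    match_all: bool = False             # if True, no other field is evaluated
    protocol: Optional[str] = None      # "tcp", "udp", "icmp", ...; None matches any
    src_ip: Optional[str] = None
    src_wildcard: str = "0.0.0.0"       # 0.0.0.0 = exact host match
    dst_ip: Optional[str] = None
    dst_wildcard: str = "0.0.0.0"
    src_port: Optional[tuple] = None    # (op, start) or ("range", start, end)
    dst_port: Optional[tuple] = None
    tcp_flags: Optional[dict] = None    # only the listed bits are examined, e.g. {"SYN": True, "ACK": False}
    rate_kbps: Optional[int] = None     # used when action == "rate"


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.match_all:
        return True
    if rule.protocol and pkt.get("proto") != rule.protocol:
        return False
    if rule.src_ip and not ip_matches(pkt["src"], rule.src_ip, rule.src_wildcard):
        return False
    if rule.dst_ip and not ip_matches(pkt["dst"], rule.dst_ip, rule.dst_wildcard):
        return False
    if rule.src_port and not port_matches(pkt.get("sport", 0), *rule.src_port):
        return False
    if rule.dst_port and not port_matches(pkt.get("dport", 0), *rule.dst_port):
        return False
    if rule.tcp_flags and any((f in pkt.get("flags", ())) != want for f, want in rule.tcp_flags.items()):
        return False
    return True


@dataclass
class Policy:
    client_id: int
    policy_index: int
    context_id: int          # assigned by the server, one per policy
    in_interface: str        # where the matched packet enters the server
    out_interface: str       # where it is forwarded normally
    dest_interface: str      # server interface connected to the client
    rules: list = field(default_factory=list)


class AcfpServer:
    """Server side: policies per inbound interface plus the context table."""

    def __init__(self, policies):
        self.policies = policies
        self.context_table = {p.context_id: p for p in policies}

    def handle_ingress(self, pkt: dict) -> list:
        """Packet entering on a user-facing interface; returns the actions taken."""
        for policy in (p for p in self.policies if p.in_interface == pkt["in_if"]):
            normal = {**pkt, "out_if": policy.out_interface}
            to_client = {**pkt, "context_id": policy.context_id, "out_if": policy.dest_interface}
            # Assumption: rules under a policy are tried in index order, first match wins.
            for rule in sorted(policy.rules, key=lambda r: r.rule_index):
                if not rule_matches(rule, pkt):
                    continue
                return {
                    "deny": [("drop", None)],
                    "permit": [("forward", normal)],
                    "redirect": [("to_client", to_client)],                     # original leaves the data path
                    "mirror": [("forward", normal), ("to_client", to_client)],   # a copy goes to the client
                    "rate": [("rate_limit", rule.rate_kbps), ("forward", normal)],
                }[rule.action]
        return [("forward", pkt)]  # no policy or rule matched: ordinary forwarding

    def handle_return(self, pkt: dict) -> tuple:
        """Packet coming back from the client on the dest-interface."""
        policy = self.context_table.get(pkt.get("context_id"))
        if policy is None:
            # Assumption of this model: without a known context ID the packet is not a
            # returned redirect, so it does not get the 'already inspected' treatment.
            return ("drop", None)
        cleaned = {k: v for k, v in pkt.items() if k != "context_id"}
        return ("forward", {**cleaned, "out_if": policy.out_interface})


def build_example_server() -> AcfpServer:
    """Constructed policy for GigabitEthernet 5/0/23: redirect HTTP to the client,
    deny one host, permit the rest of 192.168.1.0/24."""
    rules = [
        Rule(1, "redirect", protocol="tcp", dst_port=("eq", 80)),
        Rule(2, "deny", src_ip="192.168.1.2"),
        Rule(3, "permit", src_ip="192.168.1.0", src_wildcard="0.0.0.255"),
    ]
    policy = Policy(1, 1, context_id=7, in_interface="GigabitEthernet5/0/23",
                    out_interface="GigabitEthernet5/0/24",
                    dest_interface="Ten-GigabitEthernet4/0/1", rules=rules)
    return AcfpServer([policy])
```

The round trip is the part worth noticing: the redirected copy leaves with context_id 7 towards the dest-interface, and only a packet that comes back carrying a context ID present in the table is forwarded out the policy's out-interface, which is how the server avoids inspecting the same packet twice.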
ACFP usage guidelines
NOTE: By default, the internal interfaces of the OAA card are down. Before configuring the internal interfaces, use the undo shutdown command to bring them up.
· ACFP does not support policy-based routing services or NetStream services.
· The handling of the packets redirected by ACFP is mutually exclusive with ordinary ACL rules. No QoS processing is performed on the packets returned after they are redirected to the ACFP client.
· With ACFP, a stream cannot be mirrored or redirected to multiple ACFP clients.
· ACFP supports applying flow redirect policies to Layer 2 Ethernet interfaces only.
· ACFP does not support applying flow redirect policies to a subcard.
· When the ACFP server is enabled, the internal interface cannot act as the source port for port mirroring.
· When the ACFP server is enabled on an LSR1IPS1A1 or LSR1ACG1A1 card, the connection mode for the internal interface must be set to extend, the internal interface must be configured as a trunk port, and the PVID of the internal interface cannot be the VLAN ID of the management VLAN.
· When the connection mode of the internal interface on an LSR1IPS1A1 or LSR1ACG1A1 card is set to extend, you cannot specify a VLAN as both the user service VLAN and the management VLAN.
· When the switch operates in Intelligent Resilient Framework (IRF) mode, LSR1IPS1A1 and LSR1ACG1A1 cards do not support ACFP dynamic flow redirection.
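The three constraints in the LSR1IPS1A1/LSR1ACG1A1 guideline above (connection mode extend, trunk port, PVID not equal to the management VLAN) can be checked mechanically before the ACFP server is enabled. The following Python script is an added example, not part of this guide or of any H3C tool: it parses a Comware-style running-config excerpt and reports each violation for a named internal interface, and additionally checks that the management VLAN is permitted on the trunk, as the configuration example later on this page does. The two config excerpts are constructed for the example, and the script assumes that an interface without a port trunk pvid vlan line uses VLAN 1 as its PVID (the Comware default).

```python
import re

# Constructed running-config excerpts (not captured from a real device).
# GOOD follows the guideline; BAD keeps the default connection mode and puts the
# management VLAN 4094 on the trunk as its PVID.
GOOD = """\
 acfp server enable
#
interface Ten-GigabitEthernet4/0/1
 port link-type trunk
 port trunk permit vlan 4094
 port connection-mode extend
#
"""
BAD = """\
 acfp server enable
#
interface Ten-GigabitEthernet4/0/1
 port link-type trunk
 port trunk permit vlan 1 4094
 port trunk pvid vlan 4094
 port connection-mode normal
#
"""


def interface_blocks(config: str) -> dict:
    """Map interface name -> list of the config lines inside its block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "#":
            current = None           # '#' closes a view in Comware configs
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def permitted_vlans(lines: list) -> set:
    """Expand 'port trunk permit vlan ...' ('all', single IDs, 'x to y') into a set."""
    vlans = set()
    for line in lines:
        m = re.match(r"port trunk permit vlan (.+)", line)
        if not m:
            continue
        tokens = m.group(1).split()
        if tokens == ["all"]:
            return set(range(1, 4095))
        i = 0
        while i < len(tokens):
            if i + 2 < len(tokens) and tokens[i + 1] == "to":
                vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
                i += 3
            else:
                vlans.add(int(tokens[i]))
                i += 1
    return vlans


def check_internal_interface(config: str, interface: str, mgmt_vlan: int) -> list:
    """Return a list of findings; an empty list means the interface meets the guideline."""
    lines = interface_blocks(config).get(interface)
    if lines is None:
        return [f"{interface}: no configuration block found"]
    findings = []
    if "port connection-mode extend" not in lines:
        findings.append(f"{interface}: connection mode is not extend")
    if "port link-type trunk" not in lines:
        findings.append(f"{interface}: not a trunk port")
    pvid = 1                     # assumption: VLAN 1 is the PVID when none is configured
    for line in lines:
        m = re.match(r"port trunk pvid vlan (\d+)", line)
        if m:
            pvid = int(m.group(1))
    if pvid == mgmt_vlan:
        findings.append(f"{interface}: PVID {pvid} is the management VLAN")
    if mgmt_vlan not in permitted_vlans(lines):
        findings.append(f"{interface}: management VLAN {mgmt_vlan} not permitted on the trunk")
    return findings
```

Run it against the output of display current-configuration (saved to a file) with the internal interface name and the management VLAN ID used for the ACFP client; anything it reports should be fixed before acfp server enable is issued.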
ACFP configuration task list
Complete the following tasks to configure ACFP:
Task | Remarks |
---|---|
Enabling the ACFP server | Required |
Configuring the connection mode for an internal interface on an OAP card | Required |
Enabling the ACFP trap function | Optional |
Enabling the ACFP server
To enable the ACFP server:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the ACFP server. | acfp server enable | Disabled by default. |
Configuring the connection mode for an internal interface on an OAP card
An OAP card integrates a front card and a rear card. The front card provides value-added security services, such as firewall, intrusion prevention, and application control. The rear card is responsible for the data exchange between the front card and the switch.
An internal interface is a virtual interface that is used for the data communication between the front and rear cards, as shown in Figure 2.
Figure 2 Schematic diagram for the internal interface
When configuring ACFP on an OAP card, to ensure the normal communication between the switch and the OAP card, you must configure the connection mode for the internal interface on the OAP card as extend.
To configure the connection mode for an internal interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter internal interface view. | interface interface-type interface-number | N/A |
3. Configure the connection mode for the internal interface. | port connection-mode { extend | normal } | Normal by default. |
NOTE:
· For more information about the port connection-mode command, see Interface Command Reference.
· When you disable the ACSEI function or change the working mode of an internal interface, perform the operation on the ACFP client first and then on the ACFP server, to avoid disrupting traffic.
Enabling the ACFP trap function
For ACFP to work correctly, the switch must be allowed to send traps for the ACFP module. This is enabled by default.
When the trap function of the ACFP module is enabled, the module generates traps to report its important events. The levels of the ACFP traps are listed in Table 1.
Table 1 ACFP trap message level
Trap message | Level |
---|---|
Context ID type changed | notifications |
ACFP client registration | notifications |
ACFP client deregistration | notifications |
ACSEI detects that ACFP client had no response | warnings |
ACFP server does not support the working mode of the ACFP client | errors |
Expiration period of ACFP collaboration policy changed | notifications |
ACFP collaboration rules are created | informational |
ACFP collaboration rules are removed | informational |
ACFP collaboration rules failed | errors |
Expiration period of ACFP collaboration policy timed out | notifications |
The generated traps will be sent to the information center of the switch. With the parameters for the information center set, the output rules for traps (that is, whether the traps are allowed to be output and the output destinations) are decided. For the configuration of the parameters for the information center, see Network Management and Monitoring Configuration Guide.
To enable the ACFP trap function:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the trap function of the ACFP module. | snmp-agent trap enable acfp [ client | policy | rule | server ] | Optional. Enabled by default. |
NOTE: For more information about the snmp-agent trap enable command, see Network Management and Monitoring Command Reference.
Displaying and maintaining ACFP
All of the following display commands are available in any view.
· Display the configuration information of the ACFP server:
display acfp server-info [ | { begin | exclude | include } regular-expression ]
· Display the configuration information of an ACFP client:
display acfp client-info [ client-id ] [ | { begin | exclude | include } regular-expression ]
· Display the configuration information of an ACFP policy:
display acfp policy-info [ client client-id [ policy-index ] | dest-interface interface-type interface-number | global | in-interface interface-type interface-number | out-interface interface-type interface-number ] [ active | inactive ] [ | { begin | exclude | include } regular-expression ]
· Display ACFP rule configuration information:
display acfp rule-info { global | in-interface [ interface-type interface-number ] | out-interface [ interface-type interface-number ] | policy [ client-id policy-index ] } [ | { begin | exclude | include } regular-expression ]
· Display the ACFP trap configuration:
display snmp-agent trap-list [ | { begin | exclude | include } regular-expression ]
ACFP configuration example
NOTE: By default, Ethernet, VLAN, and aggregate interfaces are down. Before configuring these types of interfaces, use the undo shutdown command to bring them up.
Network requirements
Different departments on the intranet are connected through Device, which serves as the ACFP server. An ACFP client card is installed in Device and connected to it through the internal interface Ten-GigabitEthernet 4/0/1.
Configure the ACFP client to analyze the traffic arriving at interface GigabitEthernet 5/0/23 and control it as follows:
· Permit all packets with the source IP address 192.168.1.1/32 (Host A).
· Deny all packets with the source IP address 192.168.1.2/32 (Host B).
Figure 3 Network diagram
Configuration procedure
1. Configure Device
# Enable the ACFP server and the ACSEI server.
<Device> system-view
[Device] acfp server enable
[Device] acsei server enable
# Create the management VLAN and assign an IP address to its VLAN interface.
[Device] vlan 4094
[Device-vlan4094] quit
[Device] interface Vlan-interface 4094
[Device-Vlan-interface4094] undo shutdown
[Device-Vlan-interface4094] ip address 40.94.1.1 24
[Device-Vlan-interface4094] quit
# Configure the internal interface Ten-GigabitEthernet 4/0/1, which connects Device to the ACFP client card, as a trunk port that permits the management VLAN 4094, disable MAC address learning on it (maximum MAC count 0), and set its connection mode to extend.
[Device] interface Ten-GigabitEthernet 4/0/1
[Device-Ten-GigabitEthernet4/0/1] undo shutdown
[Device-Ten-GigabitEthernet4/0/1] port link-type trunk
[Device-Ten-GigabitEthernet4/0/1] port trunk permit vlan 4094
[Device-Ten-GigabitEthernet4/0/1] mac-address max-mac-count 0
[Device-Ten-GigabitEthernet4/0/1] port connection-mode extend
[Device-Ten-GigabitEthernet4/0/1] quit
# Configure the SNMP parameters used for the collaboration MIB. The SNMPv3 group below is created without authentication or privacy and has read and write access to the whole iso subtree; because the ACFP client uses this access to install forwarding rules on Device, make sure it is reachable only over the internal management VLAN.
[Device] snmp-agent
[Device] snmp-agent sys-info version all
[Device] snmp-agent group v3 v3group_no read-view iso write-view iso
[Device] snmp-agent mib-view included iso iso
[Device] snmp-agent usm-user v3 v3user_no v3group_no
# Verify that the MIB style of Device is new. If it is not, set the MIB style to new and reboot Device.
[Device] mib-style new
# Configure the service VLANs. GigabitEthernet 5/0/23, where the analyzed traffic arrives, belongs to VLAN 100 (192.168.1.0/24), and GigabitEthernet 5/0/24 belongs to VLAN 101 (192.168.2.0/24).
[Device] vlan 100
[Device-vlan100] port GigabitEthernet 5/0/23
[Device-vlan100] quit
[Device] vlan 101
[Device-vlan101] port GigabitEthernet 5/0/24
[Device-vlan101] quit
[Device] interface Vlan-interface 100
[Device-Vlan-interface100] undo shutdown
[Device-Vlan-interface100] ip address 192.168.1.254 24
[Device-Vlan-interface100] quit
[Device] interface Vlan-interface 101
[Device-Vlan-interface101] undo shutdown
[Device-Vlan-interface101] ip address 192.168.2.254 24
[Device-Vlan-interface101] quit
2. Configure the LSR1ACG1A1 line card
# Log in to the operating system of the LSR1ACG1A1 card through the console port on the card, and enter the password H3C.
Password:H3C
# Enter system view.
<ACG> system-view
# Assign an IP address to the network management port of the card so that the PC and the card can reach each other.
[ACG] interface meth0/1
[ACG-if] ip address 192.168.0.14 24
[ACG-if] undo shutdown
# Launch a web browser on the PC and go to https://192.168.0.14. Both the username and the password are admin. Change this password after the first login, because the web interface is where the collaboration rules are defined.
Figure 4 Web login interface
# Configure the ACFP client:
a. Select System Management > Network Management > ACFP Client Configuration from the navigation tree.
Figure 5 Configuring the ACFP client
b. Select Enable ACFP Client.
c. Select the SNMP version SNMPv3.
d. Enter the server security username v3user_no.
e. Enter the server IP address 40.94.1.1.
f. Enter the client IP address 40.94.1.2.
g. Enter the mask 24.
h. Enter the VLAN ID 4094.
i. Click Apply.
j. Click Connectivity Test to perform a connectivity test.
# Add security zone inbound:
a. Select System Management > Network Management > Security Zone from the navigation tree, and click << to enter the page for adding a security zone.
Figure 6 Adding security zone inbound
b. Enter the name inbound.
c. Select GigabitEthernet5/0/23 from the list, and click Add to add it into the Interface box.
d. Enter 100 in the VLAN ID field, and click Add to add it to the VLAN ID box.
e. Click Apply.
# Add security zone outbound:
a. Select System Management > Network Management > Security Zone from the navigation tree, and click << to enter the page for adding a security zone.
Figure 7 Creating security zone outbound
b. Enter the name outbound.
c. Select GigabitEthernet5/0/24 from the list, and click Add to add it into the Interface box.
d. Enter 101 in the VLAN ID field, and click Add to add it to the VLAN ID box.
e. Click Apply.
# Add segment 10:
a. Select System Management > Network Management > Segment Configuration from the navigation tree.
b. Select 10 from the Segment No. list.
c. Select inbound from the Internal Zone list.
d. Select outbound from the External Zone list.
e. Click Apply.
# Configure the collaboration policy and rules:
a. Select System Management > Network Management > ACFP Policy from the navigation tree, and click Create Policy to enter the page for creating a policy.
Figure 9 Configuring collaboration policy
b. Enter the description t1.
c. Select GigabitEthernet5/0/23 from the Source Interface list.
d. Select the Enable option.
e. Select 0 from the Priority list.
# Add rule 1:
a. On the Configure Rule tab as shown in Figure 9, click Add.
b. Select the Specified Packets option.
c. Select All from the Protocol list.
d. Enter the source IP address 192.168.1.1.
e. Enter the source mask 32.
f. Click Apply.
# Create rule 2:
a. On the Configure Rule tab as shown in Figure 9, click Add.
b. Select the Specified Packets option.
c. Select All from the Protocol list.
d. Enter the source IP address 192.168.1.2.
e. Enter the source mask 32.
f. Click Apply.
# Configure ACFP filtering rule 1:
a. Select Bandwidth Management > Bandwidth Policies from the navigation tree, and click Add to enter the page for creating a policy application.
Figure 12 Creating a policy application
b. Enter the name user1, select Group mode as the working mode, select Permit from the Action Set list, and click Add to add a new entry in the policy application list.
Figure 13 Policy application range
c. Click the corresponding icon to bring up the page for adding an IP address group.
Figure 14 Adding IP address group 1
d. Enter the name 192.168.1.1/32, select IPv4 as the protocol, enter the IPv4 address 192.168.1.1/32, click <<Add to add the address to the IP address box, and click Apply.
e. On the policy application range page, click the corresponding icon to bring up the advanced configuration page.
Figure 15 Advanced configuration
f. Select 10 from the Segment list, select the Internal Zone option, add IP address 192.168.1.1/32 from the Internal Zone IP Addresses area, and click Apply.
g. After finishing the above configuration, click OK on the page shown in Figure 12.
# Configure ACFP filtering rule 2:
a. Select Bandwidth Management > Bandwidth Policies from the navigation tree, and click Add to enter the page for creating a policy application.
Figure 16 Creating a policy application
b. Enter the name user2, select the working mode Group mode, select Block from the Action Set list, and click Add to add a new entry in the policy application list.
Figure 17 Policy application range
c. Click the corresponding icon. The page for adding an IP address group pops up, as shown in Figure 18.
Figure 18 Adding IP address group 2
d. Enter the name 192.168.1.2/32, select IPv4 as the protocol, enter the IPv4 address 192.168.1.2/32, click <<Add to add the address to the IP address box, and click Apply.
e. On the policy application range page, click the corresponding icon. The advanced configuration page pops up, as shown in Figure 19.
Figure 19 Advanced configuration
f. Select 10 from the Segment list, select the Internal Zone option, select IP address 192.168.1.2/32 from the Internal Zone IP Addresses area, and click Apply.
g. After finishing the above configuration, click OK on the page shown in Figure 16.
# Activate configurations
After you finish the above configuration, the page jumps to the page as shown in Figure 20. Click Activate, and confirm your operation to activate the configuration.
Figure 20 Activating configurations
3. Verify the configuration
Use the ping command to verify the connectivity between Host A and Host C, Host B and Host C. The test results show that Host A can ping Host C but Host B cannot.
CAUTION: Configure the acl ipv6 enable command before you create an ACFP policy rule for the IPv6 protocol. For more information about the command, see ACL and QoS Command Reference.