H3C SecBlade NetStream Card Configuration Examples

Transcription

1 H3C SecBlade NetStream Card Configuration Examples Copyright 2012 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

2 Contents Software version used 1 Feature overview 1 Application scenarios 1 Configuration considerations 1 IPv4 NetStream configuration example 2 Network requirements 2 Configuration procedures 2 Configuration procedures without NetStream sampling enabled 2 Configuration procedures with NetStream sampling enabled 19 IPv6 NetStream configuration example 23 Network requirements 23 Configuration procedures 24 Configuring S7500E 24 Configuring the NS card 25 Related documentation 31 i

3 Software version used This document describes the example for the H3C SecBlade NetStrearm cards (Release 3109) installed on the H3C S7500E switches. The configuration examples also apply to the H3C SecBlade NetStream cards installed on the H3C S9500E and S12500 switches. The configuration examples in this document were created and verified in a lab environment, and all the devices started with the factory default configuration. If you are working in a live network, make sure you understand the potential impact of every command on your network. Feature overview NetStream is an accounting technology that provides statistics on a per-flow basis. A flow is identified by the following elements: source IP address, destination IP address, source port number, destination port number, protocol number, ToS, and inbound or outbound interface. NetStream provides the statistics for different flows. A typical NetStream system comprises the following parts: NetStream data exporter (NDE) An H3C SecBlade NetStream card (NS card) with NetStream configured acts as an NDE. It analyzes traffic flows that pass through it, collects necessary data from the target flows, and exports the data to the NSC. Before exporting data, the NDE might perform processes on the data, such as aggregation. NetStream collector (NSC) The NSC parses the packets received from the NDE, stores the statistics to the database, and then filters and aggregates the total received data for the NDA. NetStream data analyzer (NDA) The NDA collects statistics from the NSC, performs further process, and generates various types of reports for applications of traffic billing, network planning. H3C IMC-NTA, which supports both NSC and NDA, gathers the data from the NS card and generates reports. Configurations for NetStream involve configurations for the switch, the NS card, and IMC-NTA. The NS card can be installed on the H3C S7500E, S9500E, and S12500 switch. This document uses S7500E as an example, and explains the NS card configuration differences between the S7500E switches and S9500E/S12500 switches. Application scenarios NetStream provides statistics about network traffic flows, and it can be deployed on access, distribution, and core layers. Configuration considerations Configure S7500E to mirror the traffic accounted by NetStream to the 10-GE interface connecting the NS card. Configure the NS card to account the traffic copied to the interface Ten-GigabitEthernet 0/0 and send it to the NSC for analyzing. 1

4 Configure protocol-port aggregation. (Optional.) Configure sampling. (Optional.) Configure the traffic analysis service on the NSC server (IMC-NTA) to account the traffic statistics received from the NS card. IPv4 NetStream configuration example Network requirements As shown in Figure 1, install an NS card in slot 4 of the switch to collect statistics on packets passing through it, and mirror the intranet-to-extranet traffic from source IP addresses belonging to the subnet /16 to the NS card for flow analyzing. GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 on the switch are access ports, and belong to VLAN 10 (the intranet VLAN) and VLAN 20 (the extranet VLAN), respectively. Ten-GigabitEthernet 4/0/1 on the switch is a trunk port and allows packets from all VLANs to pass through. Configure traffic mirroring on GigabitEthernet 2/0/1 to mirror the incoming traffic to Ten-GigabitEthernet 4/0/1. Enable NetStream on Ten-GigabitEthernet 0/0 on the NS card. The statistics on the NS card are sent out of the management interface GigabitEthernet 0/1 to the NSC for analyzing. Figure 1 Network diagram Configuration procedures Configuration procedures without NetStream sampling enabled Configuring S7500E Create VLAN10 and VLAN20, and assign GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 to VLAN 10 and VLAN 20, respectively. <Sysname> system-view 2

5 [Sysname] vlan 10 [Sysname-vlan10] port GigabitEthernet 2/0/1 [Sysname-vlan10] vlan 20 [Sysname-vlan20] port GigabitEthernet 2/0/2 [Sysname-vlan20] quit Create VLAN-interface 10, and assign an IP address to the VLAN-interface. [Sysname]interface Vlan-interface 10 [Sysname-Vlan-interface10] ip address [Sysname-Vlan-interface10]quit [Sysname]interface Vlan-interface 20 [Sysname-Vlan-interface20] ip address [Sysname-Vlan-interface20]quit Configure Ten-GigabitEthernet 4/0/1 as a trunk port, and configure the port to allow packets from VLAN 10 and VLAN 20 to pass through. [Sysname] interface Ten-GigabitEthernet4/0/1 [Sysname-Ten-GigabitEthernet4/0/1] port link-type trunk [Sysname-Ten-GigabitEthernet4/0/1] port trunk permit vlan [Sysname-Ten-GigabitEthernet4/0/1] quit Create ACL 2000 for traffic classification and flitering. [Sysname] acl number 2000 [Sysname-basic-acl-2000] rule 0 permit source [Sysname-basic-acl-2000] quit Create class 1, and use ACL 2000 as the match criterion. [Sysname] traffic classifier 1 [Sysname-classifier-1] if-match acl 2000 [Sysname-classifier-1] quit Create traffic behavior 1, and configure the action of mirroring traffic to Ten-GigabitEthernet 4/0/1 for the traffic behavior. [Sysname] traffic behavior 1 [Sysname-behavior-1] mirror-to interface Ten-GigabitEthernet 4/0/1 [Sysname-behavior-1] quit Create QoS policy 1, and associate traffic class 1 with the traffic behavior 1 in QoS policy 1. [Sysname] qos policy 1 [Sysname-qospolicy-1] classifier 1 behavior 1 [Sysname-qospolicy-1] quit Apply QoS policy 1 to the incoming traffic of the interface GigabitEthernet 2/0/1. [Sysname] interface GigabitEthernet 2/0/1 [Sysname-GigabitEthernet2/0/1] qos apply policy 1 inbound [Sysname-GigabitEthernet2/0/1] quit Enable ACSEI server for the NS card to synchronize the MPU's clock on the switch. [Sysname] acsei server enable Configuring the NS card Configure Ten-GigabitEthernet 0/0 as a trunk port, and configure the port to allow packets from VLAN 10 and VLAN 20 to pass through. <Sysname> system-view 3

6 [Sysname] interface Ten-GigabitEthernet0/0 [Sysname-Ten-GigabitEthernet0/0] port link-type trunk [Sysname-Ten-GigabitEthernet0/0] port trunk permit vlan [Sysname-Ten-GigabitEthernet0/0] quit Create a blackhole-type inline forwarding entry 1. [Sysname] inline-interfaces 1 blackhole Assign Ten-GigabitEthernet 0/0 to the blackhole-type inline forwarding entry 1 for discarding the packets when they are received and processed. [Sysname] interface Ten-GigabitEthernet0/0 [Sysname-Ten-GigabitEthernet0/0] port inline-interfaces 1 Enable NetStream for incoming traffic on Ten-GigabitEthernet 0/0. [Sysname-Ten-GigabitEthernet0/0] ip netstream inbound Enable ACSEI client on Ten-GigabitEthernet 0/0 to synchronize the MPU's clock on the switch. [Sysname-Ten-GigabitEthernet0/0] acsei-client enable [Sysname-Ten-GigabitEthernet0/0] quit Set the destination address for NetStream data export with a destination UDP port. (The destination UDP port number can be 9020, 9021, or 6343.) [Sysname] ip netstream export host Set the aging timers for active flows and inactive flows. (Optional. You can just use the default settings or set the two timers at the same time. Flows age out when either aging timer is reached. The time resolution is 10 seconds.) [Sysname] ip netstream timeout active 1 [Sysname] ip netstream timeout inactive 10 Assign an IP address to GigabitEthernet 0/1, and use the interface to send the traffic statistics to the NSC server. [Sysname] interface GigabitEthernet 0/1 [Sysname-GigabitEthernet0/1] ip address [Sysname-GigabitEthernet0/1] quit Configure a static route destined for the NSC server. [Sysname] ip route-static Configure SNMP parameters for connecting the NSC server (IMC-NTA). [Sysname] snmp-agent community read public [Sysname] snmp-agent community write private [Sysname] snmp-agent sys-info version all Configuring NSC server (IMC-NTA) 1. Log in to the Web page of IMC-NTA. Open a browser (IE, for example), and enter the server address (for example, to enter the login page of IMC-NTA. 4

7 Figure 2 IMC-NTA login page 2. Enter the imc homepage. On the imc login page, enter the default username admin and password admin, and then click Login. 3. Add a monitor: a. On the imc homepage, click the Service tab. The service configuration page appears. Figure 3 Service configuration page 5

8 b. Select Traffic Analysis and Audit > Settings from the navigation tree. The setting page for IMC-NTA appears. Figure 4 Setting page for IMC-NTA c. Click the Device Management link in the Guide to Quick Traffic Analysis And Audit Configuration area to enter the Device Management page. Figure 5 Device management page d. Click Add to enter the Add Device page. 6

9 Figure 6 Adding device e. Select a device in one of the following ways: From the device list Click Select. Select the device required from the dialogue box, and then click Add. Manually adding a device Enter in the Device IP area and the device's name in the Name area. (The device IP is the address of the interface GigabitEthernet 0/1 on the NS card connecting the NSC server.) The device can be the one managed or not managed by the system. f. Configure an SNMP community and an SNMP port. An SNMP community is a read-only community. The default SNMP community for IMC-NTA is public. Enter the SNMP community based on the NS card configurations. Keep the default settings for SNMP community and SNMP port here. g. Configure the source IP for sending logs. When imc cannot obtain information about an interface through SNMP, the source IP for sending logs should be configured. It is the IP address for the interface sending logs. Enter the IP address for GigabitEthernet 0/1 here. h. Select validity for the NetStream statistics identifier. The statistics attribute, 0 or 1, for NetStream V5, identifies the way to collect traffic statistics. When the statistics identifier is valid, 0 means collecting the traffic statistics based on the input interface or VLAN, and 1 means based on the output interface or VLAN. When the statistics identifier is invalid, 0 and 1 both mean collecting the traffic statistics based on the input interface or VLAN and the output interface or VLAN. Select Valid from the NetStream Statistics Identifier list here. i. Select support for NetStream New Feature: NetStream new feature mainly includes the traffic sampling feature for Comware V5. Select the default Enable for the option here. j. Click OK. 7

10 Figure 7 Adding a device 4. Modify configurations on the NSC server, and add the data analyzer server to be monitored to the corresponding NSC server: a. Click the Server Management link in the Settings area to enter the Server List page. Figure 8 Server list page b. Click the Modify icon for a server in the Server List to enter the Server Configuration page. 8

11 Figure 9 Server configuration page c. Use the default settings of the options in the Basic Information area. d. In the Traffic Analysis area, select the monitoring device in the Device Information list. Click Deploy. 5. Add traffic analysis task: a. Click the Traffic Analysis Task Management link in the Guide to Quick Traffic Analysis And Audit Configuration area to enter the Traffic Analysis Task List page. Figure 10 Traffic analysis task list page 9

12 b. Click Add to enter the Select Task Type page. Figure 11 Selecting task type c. Select Interface, and click Next to enter the Add Traffic Analysis Task page. 10

13 Figure 12 Adding traffic analysis task d. Enter SecBladeNS in the Task Name field. e. Select the NSC server to which the device belongs. Enter here. f. Click Select in the Interface Information area to enter the page for adding interfaces. Select interface Ten-GigabitEthernet0/0, and click OK. Figure 13 Interface information page g. On the Add Traffic Analysis Task page, click OK. 11

14 Figure 14 Completing adding traffic analysis task Verifying the configuration Connect port-a and port-b of Smartbits to GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 on the S7500E switch, respectively. Port-a sends UDP packets with the source IP and destination IP Port-b sends UDP packets with the source IP and destination IP View the following information through IMC-NTA: Whole statistics on all traffic analysis tasks Click the Service tab to enter the service configuration page. Select Traffic Analysis and Audit > Interface Traffic Analysis Task from the navigation tree. Figure 15 Interface traffic analysis task page 12

15 You can view the whole statistics on all traffic analysis tasks, including average rate and summary list. Figure 16 Whole statistics on all traffic analysis tasks Whole statistics on all interfaces for a traffic analysis task Select Traffic Analysis and Audit > Interface Traffic Analysis Task from the navigation tree, and click SecBlade NS. Figure 17 SecBlade NS You can view the whole statistics on all interfaces for the traffic analysis task, including information about traffic, application, source host, destination host, and sessions. "Traffic" includes pages for traffic trend, flux distribution in interface, and traffic details. 13

16 Figure 18 Traffic trend Figure 19 Flux distribution in interface Figure 20 Traffic details "Application" displays information about the application layer traffic, and includes pages for application list and application traffic trend. 14

17 Figure 21 Application list and application traffic trend "Source host" displays traffic information based on IP address for the source host. Figure 22 Traffic information for source host "Destination host" displays information based on IP address for the destination host. 15

18 Figure 23 Traffic information for destination host "Session" displays traffic information based on sessions. Figure 24 Traffic information for session host Statistics on an interface for a traffic analysis task Select Traffic Analysis and Audit > Interface Traffic Analysis Task from the navigation tree, and click the Ten-GigabitEthernet0/0 Interface link under the traffic analysis task SecBlade NS to view the statistics on the interface. 16

19 Figure 25 Ten-GigabitEthernet 0/0 Complete configuration You can view the same information about traffic, application, source host, destination host, and session host as the traffic analysis task information. Therefore, it is not described here. 1. S7500E: acsei server enable acl number 2000 rule 0 permit source vlan 10 vlan 20 traffic classifier 1 operator and if-match acl 2000 traffic behavior 1 mirror-to interface Ten-GigabitEthernet4/0/1 qos policy 1 classifier 1 behavior 1 interface Vlan-interface10 ip address interface Vlan-interface20 17

20 ip address interface GigabitEthernet2/0/1 port link-mode bridge port access vlan 10 qos apply policy 1 inbound interface GigabitEthernet2/0/2 port link-mode bridge port access vlan 20 interface Ten-GigabitEthernet4/0/1 port link-mode bridge port link-type trunk port trunk permit vlan NS card: telnet server enable inline-interfaces 1 blackhole vlan 10 vlan 20 interface GigabitEthernet0/1 port link-mode route ip address interface Ten-GigabitEthernet0/0 port link-mode bridge port link-type trunk port trunk permit vlan ip netstream inbound port inline-interfaces 1 acsei-client enable ip route-static snmp-agent snmp-agent local-engineid A D6295F38 snmp-agent community read public snmp-agent community write private snmp-agent sys-info version all ip netstream timeout active 1 ip netstream timeout inactive 10 18

21 ip netstream export host user-interface con 0 user-interface aux 0 user-interface vty 0 4 authentication-mode scheme Configuration procedures with NetStream sampling enabled Sampling selects one packet from a fixed number of packets to the NSC for analyzing. The following sampling modes are available: fixed and random. NetStream supports the fixed mode, which selects the first packet from among sequential packets in each sampling for analyzing. The sampling feature of S7500E+NS system is implemented by the NS card for the S7500E swithes do not support sampling. Configuring S7503E The configurations with sampling enabled are the same as those without sampling enabled. Therefore, they are not be decribed here. Configuring the NS card Configure Ten-GigabitEthernet 0/0 as a trunk port, and configure the port to allow packets from VLAN 10 and VLAN 20 to pass through. <Sysname> system-view [Sysname] interface Ten-GigabitEthernet0/0 [Sysname-Ten-GigabitEthernet0/0] port link-type trunk [Sysname-Ten-GigabitEthernet0/0] port trunk permit vlan [Sysname-Ten-GigabitEthernet0/0] quit Create a blackhole-type inline forwarding entry 1. [Sysname] inline-interfaces 1 blackhole Assign Ten-GigabitEthernet 0/0 to the blackhole-type inline forwarding entry 1 for discarding the packets when they are received and processed. [Sysname] interface Ten-GigabitEthernet0/0 [Sysname-Ten-GigabitEthernet0/0] port inline-interfaces 1 Enable NetStream for incoming traffic on Ten-GigabitEthernet 0/0. [Sysname-Ten-GigabitEthernet0/0] ip netstream inbound Enable ACSEI client on Ten-GigabitEthernet 0/0 to synchronize the MPU's clock on the switch. [Sysname-Ten-GigabitEthernet0/0] acsei-client enable [Sysname-Ten-GigabitEthernet0/0] quit Enable NetStream sampling on the NS card. (Enabled by default.) [Sysname] ip netstream sample enable Create a fixed sampler with the name fix-16 and the sampling interval 4, which means sampling one out of 2 4 packets. [Sysname] sampler fix-16 mode fixed packet-interval 4 Enable NetStream sampling in the inbound direction of Ten-GigabitEthernet 0/0 by referencing sampler fix-16. [Sysname] interface Ten-GigabitEthernet 0/0 19

22 [Sysname-Ten-GigabitEthernet0/0] ip netstream sampler fix-16 inbound [Sysname-Ten-GigabitEthernet0/0] quit Set the destination address for NetStream data export with a destination UDP port. (The destination UDP port number can be port 9020, 9021 or 6343.) [Sysname] ip netstream export host Set the aging timers for active and inactive flows. (Optional. You can use the default settings or set the two timers at the same time. Flows age out when either aging timer is reached. The time resolution is 10 seconds.) [Sysname] ip netstream timeout active 1 [Sysname] ip netstream timeout inactive 10 Assign an IP address to GigabitEthernet 0/1, and use the interface to send the traffic statistics to the NSC server. [Sysname-GigabitEthernet0/1] ip address [Sysname-GigabitEthernet0/1] quit Configure a static route destined for the NSC server. [Sysname] ip route-static Configure SNMP parameters for connecting the NSC server (IMC-NTA). [Sysname] snmp-agent community read public [Sysname] snmp-agent community write private [Sysname] snmp-agent sys-info version all Configuring NSC server (IMC-NTA) Select Enable for the NetStream New Feature option. Then the server supports the traffic sampling feature of Comware V5. Other configurations are the same as the configurations on the NSC server (IMC-NTA) without NetStream sampling enabled. Therefore, they are not described here. Verifying the configuration Connect port-a and port-b of Smartbits to GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 on the S7500E switch, respectively. Port-a sends UDP packets with the source IP and destination IP Port-b sends UDP packets with the source IP and destination IP View the information about traffic analysis through IMC-NTA. They are not described here. See "Configuration procedures without NetStream sampling enabled." Complete configuration 1. S7500E: acsei server enable acl number 2000 rule 0 permit source vlan 10 20

23 vlan 20 traffic classifier 1 operator and if-match acl 2000 traffic behavior 1 mirror-to interface Ten-GigabitEthernet4/0/1 qos policy 1 classifier 1 behavior 1 interface Vlan-interface10 ip address interface Vlan-interface20 ip address interface GigabitEthernet2/0/1 port link-mode bridge port access vlan 10 qos apply policy 1 inbound interface GigabitEthernet2/0/2 port link-mode bridge port access vlan 20 interface Ten-GigabitEthernet4/0/1 port link-mode bridge port link-type trunk port trunk permit vlan NS card: sampler fix-16 mode fixed packet-interval 4 telnet server enable inline-interfaces 1 blackhole vlan 10 vlan 20 interface GigabitEthernet0/1 port link-mode route ip address interface Ten-GigabitEthernet0/0 21

24 port link-mode bridge port link-type trunk port trunk permit vlan ip netstream inbound ip netstream sampler fix-16 inbound port inline-interfaces 1 acsei-client enable ip route-static snmp-agent snmp-agent local-engineid A D6295F38 snmp-agent community read public snmp-agent community write private snmp-agent sys-info version all ip netstream timeout active 1 ip netstream timeout inactive 10 ip netstream export host user-interface con 0 user-interface aux 0 user-interface vty 0 4 authentication-mode scheme Configuration guidelines S9500E + NetStream and S NetStream implement the configurations of traffic sampling. Both the S9500E switches and S12500 switches support the mirroring and sampling features, so sampling is implemented on the switch side. Disable sampling on the NS card (enabled by default), and configure a sampler with the same sampling interval as the switch. Apply the sampler to the Ten-GigabitEthernet interface for sampling. The following describes the configuration differences between S9500E + NetStream and S7500E + NetStream. Configurations on S NetStream are the same as those on S9500E+ NetStream. Therefore, they are not described here. Configuring the S9500E switch: Create a fixed sampler with the name fix-16 and the sampling interval 4, which means sampling one out of 2 4 packets. [Sysname] sampler fix-16 mode fixed packet-interval 4 Configure local mirroring group 1 to reference the sampler. Apply the sampler to the incoming traffic of GigabitEthernet 2/0/1 for sampling. Mirror the sampled traffic to Ten-GigabitEthernet 1/0/1 connecting the NS card. [Sysname] mirroring-group 1 local sampler fix-16 [Sysname] interface GigabitEthernet 2/0/1 [Sysname-GigabitEthernet2/0/1] mirroring-group 1 mirroring-port inbound [Sysname-GigabitEthernet2/0/1] quit [Sysname] interface Ten-GigabitEthernet 1/0/1 [Sysname-Ten-GigabitEthernet0/0] mirroring-group 1 monitor-port [Sysname-Ten-GigabitEthernet0/0] quit 22

25 Configuring the NS card: Create a sampler with the same mode and same sampling interval as the S9500E switch (the sampling mode fixed, the sampling interval 4). [Sysname] sampler fix-16 mode fixed packet-interval 4 Apply the sampler to the incoming traffic of Ten-GigabitEthernet 0/0 for reporting the statistics to the NSC server. [Sysname] interface Ten-GigabitEthernet 0/0 [Sysname-Ten-GigabitEthernet0/0] ip netstream sampler fix-16 inbound [Sysname-Ten-GigabitEthernet0/0] quit Disable NetStream sampling on the NS card. [Sysname] undo ip netstream sample enable IPv6 NetStream configuration example Network requirements As shown in Figure 26, install an NS card in slot 4 of the switch to collect statistics on IPv6 packets passing through it. The intranet-to-extranet traffic from source IP addresses belonging to the subnet 10:1::0/96 are mirrored to the NS card for flow analyzing. GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 on the switch are access ports, and belong to VLAN 10 (the intranet VLAN) and VLAN 20 (the extranet VLAN), respectively. Ten-GigabitEthernet 4/0/1 on the switch is a trunk port, and allows packets from all VLANs to pass through. Configure traffic mirroring on GigabitEthernet 2/0/1 to mirror the incoming traffic to Ten-GigabitEthernet 4/0/1. Enable NetStream on Ten-GigabitEthernet 0/0 on the NS card. The statistics on the NS card are sent out of the management interface GigabitEthernet 0/1 to the NSC for analyzing. Figure 26 Network diagram 23

26 Configuration procedures Configuring S7500E Enable IPv6 on the switch. <Sysname> system-view [Sysname] ipv6 Create VLAN10 and VLAN20, and assign GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 to VLAN 10 and VLAN 20, respectively. [Sysname] vlan 10 [Sysname-vlan10] port GigabitEthernet 2/0/1 [Sysname-vlan10] vlan 20 [Sysname-vlan20] port GigabitEthernet 2/0/2 [Sysname] quit Create VLAN-interface 10, and assign an IPv6 address to the VLAN-interface. [Sysname] interface Vlan-interface 10 [Sysname-Vlan-interface10] ipv6 address 10:1::1/96 [Sysname-Vlan-interface10] quit [Sysname] interface Vlan-interface 20 [Sysname-Vlan-interface20] ipv6 address 20:1::1/96 [Sysname-Vlan-interface20] quit Configure Ten-GigabitEthernet 4/0/1 as a trunk port, and configure the port to allow packets from VLAN 10 and VLAN 20 to pass through. [Sysname] interface Ten-GigabitEthernet4/0/1 [Sysname-Ten-GigabitEthernet4/0/1] port link-type trunk [Sysname-Ten-GigabitEthernet4/0/1] port trunk permit vlan [Sysname-Ten-GigabitEthernet4/0/1] quit Create IPv6 basic ACL 2000 for traffic classification and flitering. [Sysname] acl ipv6 number 2000 [Sysname-acl6-basic-2000] rule 0 permit source 10:1::/96 [Sysname-acl6-basic-2000] quit Create class 1, and use IPv6 basic ACL 2000 as the match criterion of the class. [Sysname] traffic classifier 1 [Sysname-classifier-1] if-match acl ipv Create traffic behavior 1, and configure the action of mirroring traffic to Ten-GigabitEthernet 4/0/1 for the traffic behavior. [Sysname] traffic behavior 1 [Sysname-behavior-1] mirror-to interface Ten-GigabitEthernet 4/0/1 Define QoS policy 1, and associate traffic class 1 with the traffic behavior 1 in QoS policy 1. [Sysname] qos policy 1 [Sysname-qospolicy-1] classifier 1 behavior 1 Apply QoS policy 1 to the incoming traffic of the interface GigabitEthernet 2/0/1. [Sysname] interface GigabitEthernet 2/0/1 [Sysname-GigabitEthernet2/0/1] qos apply policy 1 inbound 24

27 Enable ACSEI server for the NS card to synchronize the MPU's clock on the switch. [Sysname]acsei server enable Configuring the NS card Enable IPv6. <Sysname> system-view [Sysname] ipv6 Configure Ten-GigabitEthernet 0/0 as a trunk port, and configure the port to allow packets from VLAN 10 and VLAN 20 to pass through. [Sysname] interface Ten-GigabitEthernet0/0 [Sysname-Ten-GigabitEthernet0/0] port link-type trunk [Sysname-Ten-GigabitEthernet0/0] port trunk permit vlan [Sysname-Ten-GigabitEthernet0/0] quit Create a blackhole-type inline forwarding entry 1. [Sysname] inline-interfaces 1 blackhole Assign Ten-GigabitEthernet 0/0 to the blackhole-type inline forwarding entry 1 for discarding the packets when they are received and processed. [Sysname] interface Ten-GigabitEthernet0/0 [Sysname-Ten-GigabitEthernet0/0] port inline-interfaces 1 Enable IPv6 NetStream for incoming traffic on Ten-GigabitEthernet 0/0. [Sysname-Ten-GigabitEthernet0/0] ipv6 netstream inbound Enable ACSEI client on Ten-GigabitEthernet 0/0 to synchronize the MPU's clock on the switch. [Sysname-Ten-GigabitEthernet0/0] acsei-client enable [Sysname-GigabitEthernet0/0] quit Set the destination address for NetStream data export with a destination UDP port. (The destination UDP port number can be port 9020, 9021 or 6343.) [Sysname]ipv6 netstream export host Set the aging timers for active flows and inactive flows. (Optional. You can use the default settings or set the two timers at the same time. Flows age out when either aging timer is reached. The time resolution is 10 seconds.) [Sysname] ipv6 netstream timeout active 1 [Sysname] ipv6 netstream timeout inactive 10 Assign an IP address to GigabitEthernet 0/1, and use the interface to send the traffic statistics to the NSC server. [Sysname] interface GigabitEthernet 0/1 [Sysname-GigabitEthernet0/1] ip address [Sysname-GigabitEthernet0/1] quit Configure a static route destined for the NSC server. [Sysname] ip route-static Configure SNMP parameters for connecting the NSC server (IMC-NTA). [Sysname] snmp-agent community read public [Sysname] snmp-agent community write private [Sysname] snmp-agent sys-info version all 25

28 Configuring NSC server (IMC-NTA) For the IMC-NTA server, configurations for IPv6 traffic analysis tasks are the same as IPv4 traffic analysis tasks. Therefore, they are not described here. See "Configuring NSC server (IMC-NTA)." Verifying the configuration Connect port-a and port-b of Smartbits to GigabitEthernet 2/0/1 and Gigabit Ethernet 2/0/2 on the S7500E switch, respectively. Port-a sends UDP packets with the source IP 10:1::2 and destination IP 20.1::2. View the following information through IMC-NTA: Whole statistics on all traffic analysis tasks Click the Service tab, and select Traffic Analysis and Audit > Interface Traffic Analysis Task from the navigation tree to view the whole statistics on all traffic analysis tasks, including average rate and summary list. Figure 27 Average rate Figure 28 Summary list Whole statistics on all interfaces for a traffic analysis task Select Traffic Analysis and Audit > SecBlade NS to view the whole statistics on all interfaces for a traffic analysis task, including information about traffic, application, source host, destination host, and sessions. "Traffic" includes pages for traffic trend, flux distribution in interface, and traffic details. 26

29 Figure 29 Traffic trend Figure 30 Traffic details "Application" displays information about the application layer traffic, and includes pages for application list and application traffic trend. Figure 31 Application list 27

30 "Source host" displays traffic information based on IP address for the source host. Figure 32 Traffic information for source host "Destination host" displays information based on IP address for the destination host. Figure 33 Traffic information for destination host "Session" displays traffic information based on sessions. 28

31 Figure 34 Traffic information for session host Statistics on every host for a traffic analysis task Complete configuration Select the interface on the SecBlade NS list to view the corresponding statistics on that interface. You can view the same information about traffic, application, source host, destination host and session host as the traffic analysis task information. Therefore, it is not described and illustrated here. 1. S7500E: ipv6 acsei server enable acl ipv6 number 2000 rule 0 permit source 10:1::/96 vlan 10 vlan 20 traffic classifier 1 operator and if-match acl ipv traffic behavior 1 mirror-to interface Ten-GigabitEthernet4/0/1 qos policy 1 classifier 1 behavior 1 29

32 interface Vlan-interface10 ipv6 address 10:1::1/96 interface Vlan-interface20 ipv6 address 20:1::1/96 interface GigabitEthernet2/0/1 port link-mode bridge port access vlan 10 qos apply policy 1 inbound interface GigabitEthernet2/0/2 port link-mode bridge port access vlan 20 interface Ten-GigabitEthernet4/0/1 port link-mode bridge port link-type trunk port trunk permit vlan NS card: ipv6 telnet server enable inline-interfaces 1 blackhole vlan 10 vlan 20 interface GigabitEthernet0/1 port link-mode route ip address interface Ten-GigabitEthernet0/0 port link-mode bridge port link-type trunk port trunk permit vlan ipv6 netstream inbound port inline-interfaces 1 acsei-client enable ip route-static snmp-agent 30

33 snmp-agent local-engineid A D6295F38 snmp-agent community read public snmp-agent community write private snmp-agent sys-info version all ipv6 netstream timeout active 1 ipv6 netstream timeout inactive 10 ipv6 netstream export host user-interface con 0 user-interface aux 0 user-interface vty 0 4 authentication-mode scheme Related documentation H3C SecBlade NetStream Card Configuration Guide H3C SecBlade NetStream Card Command Reference 31