H3C SecBlade NetStream Card Configuration Examples


H3C SecBlade NetStream Card Configuration Examples Copyright 2012 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.

Contents

Software version used
Feature overview
Application scenarios
Configuration considerations
IPv4 NetStream configuration example
  Network requirements
  Configuration procedures
    Configuration procedures without NetStream sampling enabled
    Configuration procedures with NetStream sampling enabled
IPv6 NetStream configuration example
  Network requirements
  Configuration procedures
    Configuring S7500E
    Configuring the NS card
Related documentation

Software version used

This document describes the example for the H3C SecBlade NetStream cards (Release 3109) installed on the H3C S7500E switches. The configuration examples also apply to the H3C SecBlade NetStream cards installed on the H3C S9500E and S12500 switches.

The configuration examples in this document were created and verified in a lab environment, and all the devices started with the factory default configuration. If you are working in a live network, make sure you understand the potential impact of every command on your network.

Feature overview

NetStream is an accounting technology that provides statistics on a per-flow basis. A flow is identified by the following elements: source IP address, destination IP address, source port number, destination port number, protocol number, ToS, and inbound or outbound interface. NetStream provides the statistics for different flows.

A typical NetStream system comprises the following parts:

NetStream data exporter (NDE): An H3C SecBlade NetStream card (NS card) with NetStream configured acts as an NDE. It analyzes the traffic flows that pass through it, collects the necessary data from the target flows, and exports the data to the NSC. Before exporting data, the NDE might process the data, for example by aggregation.

NetStream collector (NSC): The NSC parses the packets received from the NDE, stores the statistics in the database, and then filters and aggregates the received data for the NDA.

NetStream data analyzer (NDA): The NDA collects statistics from the NSC, processes them further, and generates various types of reports for applications such as traffic billing and network planning.

H3C IMC-NTA, which supports both NSC and NDA, gathers the data from the NS card and generates reports.

Configuring NetStream involves configuring the switch, the NS card, and IMC-NTA. The NS card can be installed in the H3C S7500E, S9500E, and S12500 switches. This document uses the S7500E as an example, and explains the NS card configuration differences between the S7500E switches and the S9500E/S12500 switches.

Application scenarios

NetStream provides statistics about network traffic flows, and it can be deployed at the access, distribution, and core layers.

Configuration considerations

Configure the S7500E to mirror the traffic to be accounted by NetStream to the 10-GE interface connecting the NS card.
Configure the NS card to account the traffic copied to the interface Ten-GigabitEthernet 0/0 and send the statistics to the NSC for analysis.

Configure protocol-port aggregation. (Optional.)
Configure sampling. (Optional.)
Configure the traffic analysis service on the NSC server (IMC-NTA) to account the traffic statistics received from the NS card.

IPv4 NetStream configuration example

Network requirements

As shown in Figure 1, install an NS card in slot 4 of the switch to collect statistics on packets passing through it, and mirror the intranet-to-extranet traffic from source IP addresses belonging to the subnet 10.1.0.0/16 to the NS card for flow analysis. GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 on the switch are access ports, and belong to VLAN 10 (the intranet VLAN) and VLAN 20 (the extranet VLAN), respectively. Ten-GigabitEthernet 4/0/1 on the switch is a trunk port and allows packets from all VLANs to pass through.

Configure traffic mirroring on GigabitEthernet 2/0/1 to mirror the incoming traffic to Ten-GigabitEthernet 4/0/1. Enable NetStream on Ten-GigabitEthernet 0/0 on the NS card. The statistics on the NS card are sent out of the management interface GigabitEthernet 0/1 to the NSC for analysis.

Figure 1 Network diagram

Configuration procedures

Configuration procedures without NetStream sampling enabled

Configuring S7500E

Create VLAN 10 and VLAN 20, and assign GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 to VLAN 10 and VLAN 20, respectively.
<Sysname> system-view

[Sysname] vlan 10
[Sysname-vlan10] port GigabitEthernet 2/0/1
[Sysname-vlan10] vlan 20
[Sysname-vlan20] port GigabitEthernet 2/0/2
[Sysname-vlan20] quit
Create VLAN-interface 10 and VLAN-interface 20, and assign an IP address to each VLAN-interface.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] ip address 10.1.1.1 255.255.0.0
[Sysname-Vlan-interface10] quit
[Sysname] interface Vlan-interface 20
[Sysname-Vlan-interface20] ip address 20.1.1.1 255.255.0.0
[Sysname-Vlan-interface20] quit
Configure Ten-GigabitEthernet 4/0/1 as a trunk port, and configure the port to allow packets from VLAN 10 and VLAN 20 to pass through.
[Sysname] interface Ten-GigabitEthernet4/0/1
[Sysname-Ten-GigabitEthernet4/0/1] port link-type trunk
[Sysname-Ten-GigabitEthernet4/0/1] port trunk permit vlan 10 20
[Sysname-Ten-GigabitEthernet4/0/1] quit
Create ACL 2000 for traffic classification and filtering.
[Sysname] acl number 2000
[Sysname-basic-acl-2000] rule 0 permit source 10.1.0.0 0.0.255.255
[Sysname-basic-acl-2000] quit
Create class 1, and use ACL 2000 as the match criterion.
[Sysname] traffic classifier 1
[Sysname-classifier-1] if-match acl 2000
[Sysname-classifier-1] quit
Create traffic behavior 1, and configure the action of mirroring traffic to Ten-GigabitEthernet 4/0/1 for the traffic behavior.
[Sysname] traffic behavior 1
[Sysname-behavior-1] mirror-to interface Ten-GigabitEthernet 4/0/1
[Sysname-behavior-1] quit
Create QoS policy 1, and associate traffic class 1 with traffic behavior 1 in QoS policy 1.
[Sysname] qos policy 1
[Sysname-qospolicy-1] classifier 1 behavior 1
[Sysname-qospolicy-1] quit
Apply QoS policy 1 to the incoming traffic of the interface GigabitEthernet 2/0/1.
[Sysname] interface GigabitEthernet 2/0/1
[Sysname-GigabitEthernet2/0/1] qos apply policy 1 inbound
[Sysname-GigabitEthernet2/0/1] quit
Enable the ACSEI server so that the NS card can synchronize with the MPU's clock on the switch.
[Sysname] acsei server enable

Configuring the NS card

Configure Ten-GigabitEthernet 0/0 as a trunk port, and configure the port to allow packets from VLAN 10 and VLAN 20 to pass through.
<Sysname> system-view

[Sysname] interface Ten-GigabitEthernet0/0
[Sysname-Ten-GigabitEthernet0/0] port link-type trunk
[Sysname-Ten-GigabitEthernet0/0] port trunk permit vlan 10 20
[Sysname-Ten-GigabitEthernet0/0] quit
Create blackhole-type inline forwarding entry 1.
[Sysname] inline-interfaces 1 blackhole
Assign Ten-GigabitEthernet 0/0 to blackhole-type inline forwarding entry 1, so that the mirrored packets are discarded after they are received and processed.
[Sysname] interface Ten-GigabitEthernet0/0
[Sysname-Ten-GigabitEthernet0/0] port inline-interfaces 1
Enable NetStream for incoming traffic on Ten-GigabitEthernet 0/0.
[Sysname-Ten-GigabitEthernet0/0] ip netstream inbound
Enable the ACSEI client on Ten-GigabitEthernet 0/0 to synchronize with the MPU's clock on the switch.
[Sysname-Ten-GigabitEthernet0/0] acsei-client enable
[Sysname-Ten-GigabitEthernet0/0] quit
Set the destination address and destination UDP port for NetStream data export. (The destination UDP port number can be 9020, 9021, or 6343.)
[Sysname] ip netstream export host 192.168.100.51 9020
Set the aging timers for active flows and inactive flows. (Optional. You can use the default settings or set the two timers at the same time. A flow ages out when either aging timer is reached. The time resolution is 10 seconds.)
[Sysname] ip netstream timeout active 1
[Sysname] ip netstream timeout inactive 10
Assign an IP address to GigabitEthernet 0/1, and use the interface to send the traffic statistics to the NSC server.
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] ip address 192.168.253.109 255.255.255.0
[Sysname-GigabitEthernet0/1] quit
Configure a static route destined for the NSC server.
[Sysname] ip route-static 192.168.100.0 255.255.252.0 192.168.253.254
Configure SNMP parameters for connecting to the NSC server (IMC-NTA).
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
[Sysname] snmp-agent sys-info version all

Configuring NSC server (IMC-NTA)

1. Log in to the Web page of IMC-NTA. Open a browser (IE, for example), and enter the server address (for example, http://192.168.100.51:8080/imc) to open the login page of IMC-NTA.

Figure 2 IMC-NTA login page

2. Enter the IMC homepage. On the IMC login page, enter the default username admin and password admin, and then click Login.

3. Add a monitor:

a. On the IMC homepage, click the Service tab. The service configuration page appears.

Figure 3 Service configuration page

b. Select Traffic Analysis and Audit > Settings from the navigation tree. The settings page for IMC-NTA appears.

Figure 4 Settings page for IMC-NTA

c. Click the Device Management link in the Guide to Quick Traffic Analysis And Audit Configuration area to enter the Device Management page.

Figure 5 Device management page

d. Click Add to enter the Add Device page.

Figure 6 Adding a device

e. Select a device in one of the following ways:
From the device list: Click Select, select the required device in the dialog box, and then click Add.
Manually adding a device: Enter 192.168.253.109 in the Device IP field and the device's name in the Name field. (The device IP is the address of the interface GigabitEthernet 0/1 on the NS card, which connects to the NSC server.) The device can be one that is managed or not managed by the system.

f. Configure an SNMP community and an SNMP port. The SNMP community is a read-only community. The default SNMP community for IMC-NTA is public. Enter the SNMP community according to the NS card configuration. Keep the default settings for the SNMP community and SNMP port here.

g. Configure the source IP for sending logs. When IMC cannot obtain information about an interface through SNMP, the source IP for sending logs must be configured. It is the IP address of the interface that sends the logs. Enter the IP address of GigabitEthernet 0/1 here.

h. Select the validity of the NetStream statistics identifier. The statistics attribute, 0 or 1, for NetStream V5 identifies the way traffic statistics are collected. When the statistics identifier is valid, 0 means collecting the traffic statistics based on the input interface or VLAN, and 1 means based on the output interface or VLAN. When the statistics identifier is invalid, 0 and 1 both mean collecting the traffic statistics based on both the input interface or VLAN and the output interface or VLAN. Select Valid from the NetStream Statistics Identifier list here.

i. Select support for NetStream New Feature. The NetStream new feature mainly includes the traffic sampling feature for Comware V5. Keep the default Enable for this option.

j. Click OK.

Figure 7 Adding a device

4. Modify the configuration on the NSC server, and add the data analyzer server to be monitored to the corresponding NSC server:

a. Click the Server Management link in the Settings area to enter the Server List page.

Figure 8 Server list page

b. Click the Modify icon for a server in the Server List to enter the Server Configuration page.

Figure 9 Server configuration page

c. Use the default settings of the options in the Basic Information area.

d. In the Traffic Analysis area, select the monitoring device in the Device Information list. Click Deploy.

5. Add a traffic analysis task:

a. Click the Traffic Analysis Task Management link in the Guide to Quick Traffic Analysis And Audit Configuration area to enter the Traffic Analysis Task List page.

Figure 10 Traffic analysis task list page

b. Click Add to enter the Select Task Type page.

Figure 11 Selecting the task type

c. Select Interface, and click Next to enter the Add Traffic Analysis Task page.

Figure 12 Adding a traffic analysis task

d. Enter SecBladeNS in the Task Name field.

e. Select the NSC server to which the device belongs. Enter 127.0.0.1 here.

f. Click Select in the Interface Information area to enter the page for adding interfaces. Select interface Ten-GigabitEthernet0/0, and click OK.

Figure 13 Interface information page

g. On the Add Traffic Analysis Task page, click OK.
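The NSC side of the system described in the feature overview has to parse the export datagrams the NS card sends to UDP port 9020 before it can store or aggregate anything. The following Python script is an added example (not H3C or IMC code) that decodes a NetStream V5 export datagram and then checks each flow against the mirroring policy of this example, flagging any record whose source address is outside 10.1.0.0/16, which the ACL 2000 / QoS policy on GigabitEthernet 2/0/1 should never deliver to the NS card. It assumes that NetStream V5 uses the standard NetFlow v5 wire layout (24-byte header, 48-byte records, network byte order); the sample datagram is constructed inline and deliberately contains one out-of-policy record so the check has something to report.

```python
"""Decode NetStream/NetFlow v5 export datagrams and check flows against the
mirroring policy (source subnet 10.1.0.0/16). Added example, not H3C/IMC code.
Assumption: NetStream V5 export uses the standard NetFlow v5 wire layout."""
import struct
import ipaddress
from dataclasses import dataclass

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    in_if: int
    out_if: int
    packets: int
    octets: int
    sport: int
    dport: int
    proto: int
    tos: int

    def key(self):
        """The seven elements the page lists as identifying a NetStream flow."""
        return (self.src, self.dst, self.sport, self.dport, self.proto, self.tos, self.in_if)


def parse_v5(datagram: bytes):
    """Return (header dict, list of FlowRecord); reject truncated or non-v5 data."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetStream/NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but datagram is too short")
    header = {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        # NetFlow v5 convention: top 2 bits sampling mode, low 14 bits interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(f[0])), dst=str(ipaddress.IPv4Address(f[1])),
            in_if=f[3], out_if=f[4], packets=f[5], octets=f[6],
            sport=f[9], dport=f[10], proto=f[13], tos=f[14]))
    return header, records


def off_policy(records, mirrored_net="10.1.0.0/16"):
    """Records whose source lies outside the subnet the mirroring ACL selects."""
    net = ipaddress.ip_network(mirrored_net)
    return [r for r in records if ipaddress.ip_address(r.src) not in net]


def build_record(src, dst, sport, dport, proto, packets, octets, in_if=1, tos=0):
    """Pack one constructed v5 record (next hop, AS numbers and flags zeroed)."""
    return V5_RECORD.pack(
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed, b"\0\0\0\0",
        in_if, 0, packets, octets, 1000, 2000, sport, dport, 0, 0, proto, tos, 0, 0, 16, 16, 0)


def build_datagram(records, sampling_interval=0, seq=0):
    """Pack a constructed v5 datagram around the given packed records."""
    header = V5_HEADER.pack(5, len(records), 60_000, 1_700_000_000, 0, seq, 0, 0, sampling_interval)
    return header + b"".join(records)


# Constructed sample: the Smartbits test flow from the verification section plus one
# deliberately out-of-policy record that the mirroring on GE2/0/1 should never produce.
SAMPLE = build_datagram([
    build_record("10.1.1.2", "20.1.1.2", 40000, 5000, 17, packets=1200, octets=96000),
    build_record("20.1.1.2", "10.1.1.2", 5000, 40000, 17, packets=7, octets=560),
])

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE)
    print(f"v{hdr['version']} datagram, {hdr['count']} flows, sequence {hdr['flow_sequence']}")
    for r in flows:
        print(f"  {r.src}:{r.sport} -> {r.dst}:{r.dport} {PROTO_NAMES.get(r.proto, r.proto)} "
              f"pkts={r.packets} octets={r.octets} in_if={r.in_if}")
    for r in off_policy(flows):
        print(f"  WARNING: source {r.src} is outside 10.1.0.0/16; check the mirroring ACL/policy")
```

Feeding the script real datagrams (for example, captured with a packet sniffer on the NSC host's UDP port 9020) is a quick way to confirm, before trusting the IMC-NTA reports, that the NS card is exporting and that only the intended traffic is being mirrored to it.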

Figure 14 Completing the traffic analysis task

Verifying the configuration

Connect port-a and port-b of the Smartbits to GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 on the S7500E switch, respectively. Port-a sends UDP packets with the source IP 10.1.1.2 and destination IP 20.1.1.2. Port-b sends UDP packets with the source IP 20.1.1.2 and destination IP 10.1.1.2.

View the following information through IMC-NTA:

Whole statistics on all traffic analysis tasks

Click the Service tab to enter the service configuration page. Select Traffic Analysis and Audit > Interface Traffic Analysis Task from the navigation tree.

Figure 15 Interface traffic analysis task page

You can view the whole statistics on all traffic analysis tasks, including the average rate and a summary list.

Figure 16 Whole statistics on all traffic analysis tasks

Whole statistics on all interfaces for a traffic analysis task

Select Traffic Analysis and Audit > Interface Traffic Analysis Task from the navigation tree, and click SecBlade NS.

Figure 17 SecBlade NS

You can view the whole statistics on all interfaces for the traffic analysis task, including information about traffic, application, source host, destination host, and sessions. "Traffic" includes pages for the traffic trend, flux distribution in the interface, and traffic details.

Figure 18 Traffic trend

Figure 19 Flux distribution in interface

Figure 20 Traffic details

"Application" displays information about the application layer traffic, and includes pages for the application list and the application traffic trend.

Figure 21 Application list and application traffic trend

"Source host" displays traffic information based on the IP address of the source host.

Figure 22 Traffic information for source host

"Destination host" displays traffic information based on the IP address of the destination host.

Figure 23 Traffic information for destination host

"Session" displays traffic information based on sessions.

Figure 24 Traffic information for session host

Statistics on an interface for a traffic analysis task

Select Traffic Analysis and Audit > Interface Traffic Analysis Task from the navigation tree, and click the Ten-GigabitEthernet0/0 interface link under the traffic analysis task SecBlade NS to view the statistics on the interface.

Figure 25 Ten-GigabitEthernet 0/0

You can view the same information about traffic, application, source host, destination host, and session host as in the traffic analysis task information. Therefore, it is not described here.

Complete configuration

1. S7500E:
acsei server enable
acl number 2000
 rule 0 permit source 10.1.0.0 0.0.255.255
vlan 10
vlan 20
traffic classifier 1 operator and
 if-match acl 2000
traffic behavior 1
 mirror-to interface Ten-GigabitEthernet4/0/1
qos policy 1
 classifier 1 behavior 1
interface Vlan-interface10
 ip address 10.1.1.1 255.255.0.0
interface Vlan-interface20

 ip address 20.1.1.1 255.255.0.0
interface GigabitEthernet2/0/1
 port link-mode bridge
 port access vlan 10
 qos apply policy 1 inbound
interface GigabitEthernet2/0/2
 port link-mode bridge
 port access vlan 20
interface Ten-GigabitEthernet4/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 10 20

2. NS card:
telnet server enable
inline-interfaces 1 blackhole
vlan 10
vlan 20
interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.253.109 255.255.255.0
interface Ten-GigabitEthernet0/0
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 10 20
 ip netstream inbound
 port inline-interfaces 1
 acsei-client enable
ip route-static 192.168.100.0 255.255.252.0 192.168.253.254
snmp-agent
snmp-agent local-engineid 800063A2033822D6295F38
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
ip netstream timeout active 1
ip netstream timeout inactive 10

ip netstream export host 192.168.100.51 9020
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme

Configuration procedures with NetStream sampling enabled

Sampling selects one packet out of a fixed number of packets and sends only that packet to the NSC for analysis. The following sampling modes are available: fixed and random. NetStream supports the fixed mode, which selects the first packet from among the sequential packets in each sampling window for analysis. The sampling feature of the S7500E+NS system is implemented by the NS card, because the S7500E switches do not support sampling.

Configuring S7503E

The configurations with sampling enabled are the same as those without sampling enabled. Therefore, they are not described here.

Configuring the NS card

Configure Ten-GigabitEthernet 0/0 as a trunk port, and configure the port to allow packets from VLAN 10 and VLAN 20 to pass through.
<Sysname> system-view
[Sysname] interface Ten-GigabitEthernet0/0
[Sysname-Ten-GigabitEthernet0/0] port link-type trunk
[Sysname-Ten-GigabitEthernet0/0] port trunk permit vlan 10 20
[Sysname-Ten-GigabitEthernet0/0] quit
Create blackhole-type inline forwarding entry 1.
[Sysname] inline-interfaces 1 blackhole
Assign Ten-GigabitEthernet 0/0 to blackhole-type inline forwarding entry 1, so that the mirrored packets are discarded after they are received and processed.
[Sysname] interface Ten-GigabitEthernet0/0
[Sysname-Ten-GigabitEthernet0/0] port inline-interfaces 1
Enable NetStream for incoming traffic on Ten-GigabitEthernet 0/0.
[Sysname-Ten-GigabitEthernet0/0] ip netstream inbound
Enable the ACSEI client on Ten-GigabitEthernet 0/0 to synchronize with the MPU's clock on the switch.
[Sysname-Ten-GigabitEthernet0/0] acsei-client enable
[Sysname-Ten-GigabitEthernet0/0] quit
Enable NetStream sampling on the NS card. (Enabled by default.)
[Sysname] ip netstream sample enable
Create a fixed sampler named fix-16 with the sampling interval 4, which means sampling one out of 2^4 (16) packets.
[Sysname] sampler fix-16 mode fixed packet-interval 4
Enable NetStream sampling in the inbound direction of Ten-GigabitEthernet 0/0 by referencing the sampler fix-16.
[Sysname] interface Ten-GigabitEthernet 0/0

[Sysname-Ten-GigabitEthernet0/0] ip netstream sampler fix-16 inbound
[Sysname-Ten-GigabitEthernet0/0] quit
Set the destination address and destination UDP port for NetStream data export. (The destination UDP port number can be 9020, 9021, or 6343.)
[Sysname] ip netstream export host 192.168.100.51 9020
Set the aging timers for active and inactive flows. (Optional. You can use the default settings or set the two timers at the same time. A flow ages out when either aging timer is reached. The time resolution is 10 seconds.)
[Sysname] ip netstream timeout active 1
[Sysname] ip netstream timeout inactive 10
Assign an IP address to GigabitEthernet 0/1, and use the interface to send the traffic statistics to the NSC server.
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] ip address 192.168.253.109 255.255.255.0
[Sysname-GigabitEthernet0/1] quit
Configure a static route destined for the NSC server.
[Sysname] ip route-static 192.168.100.0 255.255.252.0 192.168.253.254
Configure SNMP parameters for connecting to the NSC server (IMC-NTA).
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
[Sysname] snmp-agent sys-info version all

Configuring NSC server (IMC-NTA)

Select Enable for the NetStream New Feature option. The server then supports the traffic sampling feature of Comware V5. The other configurations are the same as those on the NSC server (IMC-NTA) without NetStream sampling enabled. Therefore, they are not described here.

Verifying the configuration

Connect port-a and port-b of the Smartbits to GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 on the S7500E switch, respectively. Port-a sends UDP packets with the source IP 10.1.1.2 and destination IP 20.1.1.2. Port-b sends UDP packets with the source IP 20.1.1.2 and destination IP 10.1.1.2. View the information about traffic analysis through IMC-NTA. It is not described here. See "Configuration procedures without NetStream sampling enabled."

Complete configuration

1. S7500E:
acsei server enable
acl number 2000
 rule 0 permit source 10.1.0.0 0.0.255.255
vlan 10

vlan 20
traffic classifier 1 operator and
 if-match acl 2000
traffic behavior 1
 mirror-to interface Ten-GigabitEthernet4/0/1
qos policy 1
 classifier 1 behavior 1
interface Vlan-interface10
 ip address 10.1.1.1 255.255.0.0
interface Vlan-interface20
 ip address 20.1.1.1 255.255.0.0
interface GigabitEthernet2/0/1
 port link-mode bridge
 port access vlan 10
 qos apply policy 1 inbound
interface GigabitEthernet2/0/2
 port link-mode bridge
 port access vlan 20
interface Ten-GigabitEthernet4/0/1
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 10 20

2. NS card:
sampler fix-16 mode fixed packet-interval 4
telnet server enable
inline-interfaces 1 blackhole
vlan 10
vlan 20
interface GigabitEthernet0/1
 port link-mode route
 ip address 192.168.253.109 255.255.255.0
interface Ten-GigabitEthernet0/0

 port link-mode bridge
 port link-type trunk
 port trunk permit vlan 1 10 20
 ip netstream inbound
 ip netstream sampler fix-16 inbound
 port inline-interfaces 1
 acsei-client enable
ip route-static 192.168.100.0 255.255.252.0 192.168.253.254
snmp-agent
snmp-agent local-engineid 800063A2033822D6295F38
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version all
ip netstream timeout active 1
ip netstream timeout inactive 10
ip netstream export host 192.168.100.51 9020
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme

Configuration guidelines

S9500E + NetStream and S12500 + NetStream implement traffic sampling as follows. Both the S9500E switches and the S12500 switches support the mirroring and sampling features, so sampling is implemented on the switch side. Disable sampling on the NS card (it is enabled by default), and configure a sampler on the NS card with the same sampling interval as the switch. Apply the sampler to the Ten-GigabitEthernet interface for sampling. The following describes the configuration differences between S9500E + NetStream and S7500E + NetStream. The configurations on S12500 + NetStream are the same as those on S9500E + NetStream. Therefore, they are not described here.

Configuring the S9500E switch:

Create a fixed sampler named fix-16 with the sampling interval 4, which means sampling one out of 2^4 (16) packets.
[Sysname] sampler fix-16 mode fixed packet-interval 4
Configure local mirroring group 1 to reference the sampler. Apply the sampler to the incoming traffic of GigabitEthernet 2/0/1 for sampling. Mirror the sampled traffic to Ten-GigabitEthernet 1/0/1, which connects to the NS card.
[Sysname] mirroring-group 1 local sampler fix-16
[Sysname] interface GigabitEthernet 2/0/1
[Sysname-GigabitEthernet2/0/1] mirroring-group 1 mirroring-port inbound
[Sysname-GigabitEthernet2/0/1] quit
[Sysname] interface Ten-GigabitEthernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] mirroring-group 1 monitor-port
[Sysname-Ten-GigabitEthernet1/0/1] quit

Configuring the NS card:

Create a sampler with the same mode and the same sampling interval as on the S9500E switch (sampling mode fixed, sampling interval 4).
[Sysname] sampler fix-16 mode fixed packet-interval 4
Apply the sampler to the incoming traffic of Ten-GigabitEthernet 0/0, so that the statistics reported to the NSC server carry the sampling interval.
[Sysname] interface Ten-GigabitEthernet 0/0
[Sysname-Ten-GigabitEthernet0/0] ip netstream sampler fix-16 inbound
[Sysname-Ten-GigabitEthernet0/0] quit
Disable NetStream sampling on the NS card.
[Sysname] undo ip netstream sample enable

IPv6 NetStream configuration example

Network requirements

As shown in Figure 26, install an NS card in slot 4 of the switch to collect statistics on IPv6 packets passing through it. The intranet-to-extranet traffic from source IP addresses belonging to the subnet 10:1::0/96 is mirrored to the NS card for flow analysis. GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 on the switch are access ports, and belong to VLAN 10 (the intranet VLAN) and VLAN 20 (the extranet VLAN), respectively. Ten-GigabitEthernet 4/0/1 on the switch is a trunk port, and allows packets from all VLANs to pass through.

Configure traffic mirroring on GigabitEthernet 2/0/1 to mirror the incoming traffic to Ten-GigabitEthernet 4/0/1. Enable NetStream on Ten-GigabitEthernet 0/0 on the NS card. The statistics on the NS card are sent out of the management interface GigabitEthernet 0/1 to the NSC for analysis.

Figure 26 Network diagram
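The sampling guidelines above (fixed mode, `packet-interval 4`, and the rule that when the S9500E/S12500 switch samples, the NS card must disable its own sampling but still reference a sampler with the same interval) are easy to get wrong, and the symptom is a collector that silently under-reports. The following Python model is an added example (not H3C code) that reproduces the arithmetic: a fixed-mode sampler that keeps the first packet of every window of 2^N packets, the scale-up the collector applies, and a comparison of the S7500E case (card samples), the correct S9500E case (switch samples, card reports the interval only), and the misconfiguration where both sample. It assumes that `packet-interval N` means one packet out of 2^N, as the page states for fix-16, and that the exported records are scaled by the interval of the sampler the NS card references; the packet stream is constructed as a list of sequence numbers.

```python
"""Fixed-mode NetStream sampling arithmetic. Added example, not H3C code.
Assumptions: `packet-interval N` selects one packet out of 2**N (the first in
each window), and the collector scales counts by the interval of the sampler
the NS card references on its Ten-GigabitEthernet interface."""


def fixed_sample(packets, interval):
    """Fixed mode: keep the first packet of every window of 2**interval packets."""
    window = 1 << interval
    return [p for i, p in enumerate(packets) if i % window == 0]


def scale_up(sampled_count, interval):
    """Collector-side estimate of the real packet count from a sampled count."""
    return sampled_count << interval


def simulate_export(total_packets, switch_interval=0, card_sampling_enabled=True,
                    card_interval=4):
    """Model one mirrored stream end to end.

    switch_interval      : 0 when the switch does not sample (S7500E), 4 for the
                           S9500E/S12500 `sampler fix-16 mode fixed packet-interval 4`
    card_sampling_enabled: state of `ip netstream sample enable` on the NS card
    card_interval        : interval of the sampler the card references (fix-16 -> 4)
    Returns (packets the card accounts, count the collector estimates).
    """
    packets = list(range(total_packets))          # constructed packet sequence numbers
    seen = fixed_sample(packets, switch_interval)   # what the switch mirrors to the card
    if card_sampling_enabled:
        seen = fixed_sample(seen, card_interval)    # the card samples again
    estimate = scale_up(len(seen), card_interval)   # collector applies the card's interval
    return len(seen), estimate


if __name__ == "__main__":
    total = 1000
    cases = {
        "S7500E: card samples 1/16": simulate_export(total, 0, True),
        "S9500E correct: switch samples, card sampling disabled": simulate_export(total, 4, False),
        "S9500E wrong: switch and card both sample": simulate_export(total, 4, True),
    }
    for name, (accounted, estimate) in cases.items():
        print(f"{name}: accounted={accounted}, collector estimate={estimate} of {total}")
```

In the correct S9500E case the collector's estimate (1008 for 1000 packets) is within one sampling window of the truth; leaving `ip netstream sample enable` on as well stacks the two 1/16 samplers into 1/256, and because the export still advertises interval 4, the reports come out sixteen times too low.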

Configuration procedures

Configuring S7500E

Enable IPv6 on the switch.
<Sysname> system-view
[Sysname] ipv6
Create VLAN 10 and VLAN 20, and assign GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 to VLAN 10 and VLAN 20, respectively.
[Sysname] vlan 10
[Sysname-vlan10] port GigabitEthernet 2/0/1
[Sysname-vlan10] vlan 20
[Sysname-vlan20] port GigabitEthernet 2/0/2
[Sysname-vlan20] quit
Create VLAN-interface 10 and VLAN-interface 20, and assign an IPv6 address to each VLAN-interface.
[Sysname] interface Vlan-interface 10
[Sysname-Vlan-interface10] ipv6 address 10:1::1/96
[Sysname-Vlan-interface10] quit
[Sysname] interface Vlan-interface 20
[Sysname-Vlan-interface20] ipv6 address 20:1::1/96
[Sysname-Vlan-interface20] quit
Configure Ten-GigabitEthernet 4/0/1 as a trunk port, and configure the port to allow packets from VLAN 10 and VLAN 20 to pass through.
[Sysname] interface Ten-GigabitEthernet4/0/1
[Sysname-Ten-GigabitEthernet4/0/1] port link-type trunk
[Sysname-Ten-GigabitEthernet4/0/1] port trunk permit vlan 10 20
[Sysname-Ten-GigabitEthernet4/0/1] quit
Create IPv6 basic ACL 2000 for traffic classification and filtering.
[Sysname] acl ipv6 number 2000
[Sysname-acl6-basic-2000] rule 0 permit source 10:1::/96
[Sysname-acl6-basic-2000] quit
Create class 1, and use IPv6 basic ACL 2000 as the match criterion of the class.
[Sysname] traffic classifier 1
[Sysname-classifier-1] if-match acl ipv6 2000
[Sysname-classifier-1] quit
Create traffic behavior 1, and configure the action of mirroring traffic to Ten-GigabitEthernet 4/0/1 for the traffic behavior.
[Sysname] traffic behavior 1
[Sysname-behavior-1] mirror-to interface Ten-GigabitEthernet 4/0/1
[Sysname-behavior-1] quit
Define QoS policy 1, and associate traffic class 1 with traffic behavior 1 in QoS policy 1.
[Sysname] qos policy 1
[Sysname-qospolicy-1] classifier 1 behavior 1
[Sysname-qospolicy-1] quit
Apply QoS policy 1 to the incoming traffic of the interface GigabitEthernet 2/0/1.
[Sysname] interface GigabitEthernet 2/0/1
[Sysname-GigabitEthernet2/0/1] qos apply policy 1 inbound
[Sysname-GigabitEthernet2/0/1] quit

Enable the ACSEI server so that the NS card can synchronize its clock with the MPU of the switch.
[Sysname] acsei server enable

Configuring the NS card

Enable IPv6.
<Sysname> system-view
[Sysname] ipv6

Configure Ten-GigabitEthernet 0/0 as a trunk port, and configure the port to allow packets from VLAN 10 and VLAN 20 to pass through.
[Sysname] interface Ten-GigabitEthernet 0/0
[Sysname-Ten-GigabitEthernet0/0] port link-type trunk
[Sysname-Ten-GigabitEthernet0/0] port trunk permit vlan 10 20
[Sysname-Ten-GigabitEthernet0/0] quit

Create blackhole-type inline forwarding entry 1.
[Sysname] inline-interfaces 1 blackhole

Assign Ten-GigabitEthernet 0/0 to blackhole-type inline forwarding entry 1, so that the mirrored packets are discarded after they are received and processed.
[Sysname] interface Ten-GigabitEthernet 0/0
[Sysname-Ten-GigabitEthernet0/0] port inline-interfaces 1

Enable IPv6 NetStream for the incoming traffic on Ten-GigabitEthernet 0/0.
[Sysname-Ten-GigabitEthernet0/0] ipv6 netstream inbound

Enable the ACSEI client on Ten-GigabitEthernet 0/0 to synchronize the clock with the MPU of the switch.
[Sysname-Ten-GigabitEthernet0/0] acsei-client enable
[Sysname-Ten-GigabitEthernet0/0] quit

Set the destination address and destination UDP port for NetStream data export. (The destination UDP port number can be 9020, 9021, or 6343.)
[Sysname] ipv6 netstream export host 192.168.100.51 9020

Set the aging timers for active flows and inactive flows. (Optional. You can use the default settings or set both timers. A flow ages out when either timer expires. The time resolution is 10 seconds.)
[Sysname] ipv6 netstream timeout active 1
[Sysname] ipv6 netstream timeout inactive 10

Assign an IP address to GigabitEthernet 0/1, and use the interface to send the traffic statistics to the NSC server.
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] ip address 192.168.253.109 255.255.255.0
[Sysname-GigabitEthernet0/1] quit

Configure a static route to the NSC server.
[Sysname] ip route-static 192.168.100.0 255.255.252.0 192.168.253.254

Configure SNMP parameters for connecting to the NSC server (IMC-NTA).
[Sysname] snmp-agent community read public
[Sysname] snmp-agent community write private
[Sysname] snmp-agent sys-info version all
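A consistency check for the NS card settings above and for the NS card part of the complete configuration at the end of this example, added here as an illustration and not part of the H3C guide: it parses a constructed Comware-style excerpt of the card's configuration and verifies that every NetStream interface is bound to a blackhole inline entry (so mirrored packets are discarded, not forwarded), that the export host is covered by a static route, and that the SNMP community strings are not the well-known defaults. The parser assumes the Comware convention that interface-view commands are indented by one space under their interface line.

```python
import ipaddress
import re

# Constructed sample, trimmed from the NS card configuration in this example.
NS_CARD_CONFIG = """\
inline-interfaces 1 blackhole
interface Ten-GigabitEthernet0/0
 ipv6 netstream inbound
 port inline-interfaces 1
ip route-static 192.168.100.0 255.255.252.0 192.168.253.254
snmp-agent community read public
ipv6 netstream export host 192.168.100.51 9020
"""

def parse_config(text):
    """Split a Comware-style config into global lines and {interface: [its lines]} (assumed indentation)."""
    glob, ifaces, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line and not raw.startswith(" "):  # top-level command: starts or ends an interface view
            cur = line[10:] if line.startswith("interface ") else None
        if line:
            (ifaces.setdefault(cur, []) if cur else glob).append(line)
    return glob, ifaces

def audit_netstream(text):
    """Return findings about the NetStream setup; an empty list means it looks consistent."""
    glob, ifaces = parse_config(text)
    findings = []
    # 1. A NetStream interface must sit in a blackhole inline entry, or the mirrored copies are forwarded onward.
    blackholes = {l.split()[1] for l in glob if re.fullmatch(r"inline-interfaces \d+ blackhole", l)}
    for name, lines in ifaces.items():
        bound = {l.split()[2] for l in lines if l.startswith("port inline-interfaces ")}
        if any(re.search(r"netstream (in|out)bound$", l) for l in lines) and not bound & blackholes:
            findings.append(f"{name}: NetStream enabled without a blackhole inline-interfaces entry")
    # 2. A remote export host must be covered by a static route, or the records never leave the card.
    routes = [ipaddress.ip_network(f"{l.split()[2]}/{l.split()[3]}", strict=False)
              for l in glob if l.startswith("ip route-static ")]
    for l in glob:
        if re.match(r"ipv?6? netstream export host ", l):
            host = ipaddress.ip_address(l.split()[4])
            if not any(host in net for net in routes):
                findings.append(f"export host {host}: no static route covers it")
    # 3. Well-known default community strings hand SNMP access to anyone on the management LAN.
    for l in glob:
        m = re.fullmatch(r"snmp-agent community (read|write) (public|private)", l)
        if m:
            findings.append(f"SNMP {m[1]} community '{m[2]}' is a well-known default")
    return findings
```

On the sample the only finding is the default read community; removing the port inline-interfaces line or pointing the export host outside 192.168.100.0/22 produces the corresponding additional finding.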

Configuring the NSC server (IMC-NTA)

On the IMC-NTA server, IPv6 traffic analysis tasks are configured in the same way as IPv4 traffic analysis tasks, so the configuration is not described here. See "Configuring NSC server (IMC-NTA)."

Verifying the configuration

Connect port-a and port-b of Smartbits to GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 on the S7500E switch, respectively. Port-a sends UDP packets with source IP 10:1::2 and destination IP 20:1::2. View the following information through IMC-NTA:

Whole statistics on all traffic analysis tasks

Click the Service tab, and select Traffic Analysis and Audit > Interface Traffic Analysis Task from the navigation tree to view the whole statistics on all traffic analysis tasks, including the average rate and the summary list.

Figure 27 Average rate

Figure 28 Summary list

Whole statistics on all interfaces for a traffic analysis task

Select Traffic Analysis and Audit > SecBlade NS to view the whole statistics on all interfaces for a traffic analysis task, including information about traffic, application, source host, destination host, and sessions. "Traffic" includes pages for traffic trend, flux distribution in interface, and traffic details.

Figure 29 Traffic trend

Figure 30 Traffic details

"Application" displays information about the application layer traffic, and includes pages for the application list and the application traffic trend.

Figure 31 Application list

"Source host" displays traffic information based on the IP address of the source host.

Figure 32 Traffic information for source host

"Destination host" displays traffic information based on the IP address of the destination host.

Figure 33 Traffic information for destination host

"Session" displays traffic information based on sessions.

Figure 34 Traffic information for session host

Statistics on every host for a traffic analysis task

Select the interface in the SecBlade NS list to view the corresponding statistics on that interface. You can view the same information about traffic, application, source host, destination host, and session host as for the traffic analysis task, so it is not described or illustrated here.

Complete configuration

1. S7500E:

 ipv6
 acsei server enable
 acl ipv6 number 2000
  rule 0 permit source 10:1::/96
 vlan 10
 vlan 20
 traffic classifier 1 operator and
  if-match acl ipv6 2000
 traffic behavior 1
  mirror-to interface Ten-GigabitEthernet4/0/1
 qos policy 1
  classifier 1 behavior 1
 interface Vlan-interface10
  ipv6 address 10:1::1/96
 interface Vlan-interface20
  ipv6 address 20:1::1/96
 interface GigabitEthernet2/0/1
  port link-mode bridge
  port access vlan 10
  qos apply policy 1 inbound
 interface GigabitEthernet2/0/2
  port link-mode bridge
  port access vlan 20
 interface Ten-GigabitEthernet4/0/1
  port link-mode bridge
  port link-type trunk
  port trunk permit vlan 1 10 20

2. NS card:

 ipv6
 telnet server enable
 inline-interfaces 1 blackhole
 vlan 10
 vlan 20
 interface GigabitEthernet0/1
  port link-mode route
  ip address 192.168.253.109 255.255.255.0
 interface Ten-GigabitEthernet0/0
  port link-mode bridge
  port link-type trunk
  port trunk permit vlan 1 10 20
  ipv6 netstream inbound
  port inline-interfaces 1
  acsei-client enable
 ip route-static 192.168.100.0 255.255.252.0 192.168.253.254
 snmp-agent
 snmp-agent local-engineid 800063A2033822D6295F38
 snmp-agent community read public
 snmp-agent community write private
 snmp-agent sys-info version all
 ipv6 netstream timeout active 1
 ipv6 netstream timeout inactive 10
 ipv6 netstream export host 192.168.100.51 9020
 user-interface con 0
 user-interface aux 0
 user-interface vty 0 4
  authentication-mode scheme

Related documentation

H3C SecBlade NetStream Card Configuration Guide
H3C SecBlade NetStream Card Command Reference