H3C SecBlade NetStream Card Configuration Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 6PW107
85 VLAN types You can implement VLANs based on the following criteria: • Port • MAC address • Protocol • IP subnet • Policy • Other criteria Th
86 NOTE: • As the default VLAN, VLAN 1 cannot be created or removed. • You cannot manually create or remove VLANs reserved for special purposes.
87 To do… Use the command… Remarks Shut down the VLAN interface shutdown Optional By default, a VLAN interface is in the up state. The VLAN interfa
88 [SecBlade-vlan5] port gigabitethernet 0/2 # Create VLAN 10 and assign GigabitEthernet 0/3 to it. [SecBlade-vlan5] vlan 10 [SecBlade-vlan10] port g
89 • A trunk port can carry multiple VLANs to receive and send traffic for them. Except traffic of the default VLAN, traffic sent through a trunk po
90 NOTE: • H3C recommends that you set the same default VLAN ID for local and remote ports. • Make sure that a port is assigned to its default V
91 To do… Use the command… Remarks Enter system view system-view — Enter Layer 2 Ethernet interface view interface interface-type interface-number
92 Assigning a hybrid port to a VLAN A hybrid port can carry multiple VLANs. You can assign it to a VLAN in Layer 2 Ethernet interface view only. Fol
93 Figure 31 Network diagram for port-based VLAN configuration Configuration procedure 1. Configuration on SecBlade A # Create VLAN 100, and assig
94 VLAN Type: static Route Interface: not configured Description: VLAN 0100 Name: VLAN 0100 Broadcast MAX-ratio: 100% Tagged Ports: Gigab
95 Isolate-user-VLAN configuration This chapter includes these sections: • Overview • Configuring an isolate-user-VLAN • Displaying and maintainin
96 2. Configure the secondary VLANs. 3. Assign non-trunk ports to the isolate-user-VLAN and ensure that at least one port takes the isolate-user-VL
97 Isolate-user-VLAN configuration example Network requirements As shown in Figure 33, • Connect SecBlade A to downstream devices SecBlade B and Se
98 # Configure the secondary VLANs. [SecBladeB] vlan 3 [SecBladeB-vlan3] port gigabitethernet 0/2 [SecBladeB-vlan3] quit [SecBladeB] vlan 2 [SecBlade
99 Route Interface: not configured Description: VLAN 0002 Name: VLAN 0002 Broadcast MAX-ratio: 100% Tagged Ports: none Untagged Ports: Gi
100 Layer 2 forwarding configuration This chapter includes these sections: • Configuring general Layer 2 forwarding • Configuring inline Layer 2 fo
101 • Blackhole type: A packet received on an interface is discarded. A complete configuration contains an ID, which uniquely identifies an inline L
102 Forward-type inline Layer 2 forwarding configuration example Network requirements Configure forward-type inline Layer 2 forwarding between Ten-Gi
103 As shown in Figure 34, the SecBlade card collaborates with a host device to filter Layer 2 traffic arriving at the host device before forwarding
104 To do… Use the command… Remarks Enter system view system-view — Create a VLAN and enter VLAN view vlan vlan-id Required Assign the access po
105 To do… Use the command… Remarks Create a subinterface of the ten-GigabitEthernet interface and enter subinterface view interface ten-gigabitethe
106 Inter-VLAN Layer 2 forwarding configuration example Network requirements As shown in Figure 35, traffic between GigabitEthernet 3/0/1 and Gigabit
107 2. Configure the SecBlade card. # Create VLAN 1000. <SecBlade> system-view [SecBlade] vlan 1000 [SecBlade-vlan1000] quit # Configure the
108 MAC address table configuration This chapter includes these sections: • Overview • Configuring the MAC address table • Displaying and maintain
109 You can manually add MAC address entries to the MAC address table of the device to bind specific user devices to the port. Because manually confi
110 You can also configure blackhole MAC address entries to filter out packets with certain destination MAC addresses. Add or modify a static, dynam
111 Displaying and maintaining MAC address tables To do… Use the command… Remarks Display MAC address table information display mac-address [ mac-ad
112 # Display the MAC address entry for port GigabitEthernet 0/2. [SecBlade] display mac-address interface gigabitethernet 0/2 MAC ADDR VLAN
113 ARP configuration This chapter includes these sections: • ARP overview • Configuring ARP • Displaying and maintaining ARP • ARP configuration
114 • Sender protocol address: Protocol address of the device sending the message. • Target hardware address: Hardware address of the device the me
115 3. If the gateway maintains the ARP entry of Host B, it forwards the packet to Host B directly; if not, it broadcasts an ARP request, in which t
116 Follow these steps to configure a static ARP entry: To do… Use the command… Remarks Enter system view system-view — Configure a static ARP ent
117 Enabling dynamic ARP entry check The dynamic ARP entry check function controls whether the device supports dynamic ARP entries with multicast MAC
118 To do… Use the command… Remarks Display the age timer for dynamic ARP entries display arp timer aging Available in any view Clear ARP entries f
119 # Add interface GigabitEthernet 0/2 to VLAN 10. [SecBlade] interface gigabitethernet 0/2 [SecBlade-GigabitEthernet0/2] port link-type trunk [SecB
120 Gratuitous ARP configuration This chapter includes these sections: • Introduction to gratuitous ARP • Configuring gratuitous ARP Introduction t
121 • Prevent the virtual IP address of a VRRP group from being used by a host The master router of a VRRP group can periodically send gratuitous AR
122 Proxy ARP configuration This chapter includes these sections: • Proxy ARP overview • Enabling proxy ARP • Displaying and maintaining proxy ARP
123 Figure 40 Application environment of proxy ARP Because Host A considers that Host B is on the same network, it broadcasts an ARP request for th
124 Enable local proxy ARP in one of the following cases: • Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicat
125 to the same network 192.168.0.0/16), but are located on different subnets. As a result, Host D cannot receive or respond to any ARP request from
126 Configure port isolation on Ethernet 1/3 and Ethernet 1/1 of Switch to isolate Host A from Host B at Layer 2. Enable local proxy ARP on the SecBl
127 [SecBlade] interface gigabitethernet 0/2 [SecBlade-GigabitEthernet0/2] ip address 192.168.10.100 255.255.0.0 The ping operation from Host A to Ho
128 [Switch] vlan 5 [Switch-vlan5] port ethernet 1/2 [Switch-vlan5] isolate-user-vlan enable [Switch-vlan5] quit [Switch] isolate-user-vlan 5 seconda
129 ACL configuration This chapter includes these sections: • ACL overview • ACL configuration task list • Displaying and maintaining ACLs • ACL
130 Match order The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the
131 Automatic rule numbering and renumbering The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to
132 To do… Use the command… Remarks Create an IPv4 basic ACL and enter its view acl number acl-number [ name acl-name ] [ match-order { auto | conf
133 To do… Use the command… Remarks Create or edit a rule rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-
134 To do… Use the command… Remarks Configure or edit a rule description rule rule-id comment text Optional By default, an Ethernet frame header AC
135 CAUTION: • ACL acceleration is not available for ACLs that contain a non-contiguous wildcard mask. • After you modify an IPv4 ACL with ACL acc
136 CAUTION: If you are using the host device to generate comprehensive log data for the ACL matching packets, also follow these guidelines: • Do n
137 ACL configuration example IPv4 packet filtering and NetStream logging configuration example Network requirements Apply an IPv4 ACL to deny the tr
138 # Configure Ten-GigabitEthernet 2/0/1 as a trunk port, and configure the port to deny all VLANs to pass through. [Device] interface ten-gigabitet
139 NetStream overview This chapter includes these sections: • Basic concepts of NetStream • Key technologies of NetStream • NetStream sampling an
140 How NetStream works A typical NetStream system comprises three parts: NetStream data exporter (NDE), NetStream collector (NSC), and NetStream dat
141 When the timer of the entry expires, the NDE exports the summarized data to the NetStream server in a specified NetStream version export format.
142 NetStream aggregation data export, which decreases the bandwidth usage compared to traditional data export. For example, the aggregation mode con
143 • Random mode—Any packet might be selected out of a number of sequential packets in each sampling. Sampling basically reflects the network traff
144 IPv4 NetStream configuration This chapter includes these sections: • IPv4 NetStream configuration task list • Displaying and maintaining IPv4 N
1 CLI configuration This chapter includes these sections: • What is CLI? • Entering the CLI • Command conventions • Undo form of a command • CLI
145 Complete these tasks to configure NetStream: Task Remarks Enabling IPv4 NetStream Required Configuring ACL-based NetStream filtering Optional
146 To do… Use the command… Remarks Enable ACL-based NetStream filtering in the inbound or outbound direction of an interface ip netstream filter ac
147 Follow these steps to configure NetStream sampling: To do… Use the command… Remarks Enter system view system-view — Enable sampling ip netstr
148 To do… Use the command… Remarks Configure the source interface for NetStream traditional data export ip netstream export source interface inter
149 To do… Use the command… Remarks Enable the IPv4 NetStream aggregation configuration enable Required Disabled by default NOTE: Configurations
150 NOTE: The refresh frequency and interval can both be configured, and the template is resent when either condition is reached. Configurin
151 Displaying and maintaining IPv4 NetStream To do… Use the command… Remarks Display the IPv4 NetStream entry information in the cache display ip n
152 IPv6 NetStream configuration This chapter includes these sections: • IPv6 NetStream configuration task list • Displaying and maintaining IPv6 N
153 Configuring IPv6 NetStream data export To allow the NDE to export collected statistics to the NetStream server, configure the source interface ou
154 To do… Use the command… Remarks Enable IPv6 NetStream ipv6 netstream { inbound | outbound } Required Disabled by default. This outbound keyword
2 Entering the CLI H3C devices provide multiple methods for entering the CLI, such as through the console port and through telnet. For more informatio
155 To do… Use the command… Remarks Enter system view system-view — Configure the version for IPv6 NetStream export format ipv6 netstream export
156 To do… Use the command… Remarks Configure forced aging of the IPv6 NetStream entries Set the maximum entries that the cache can accommodate, and
157 NetStream configuration examples Configuration considerations Connect the host device and the SecBlade NS card through the internal ten-GigabitEt
158 Configuring the host device and the SecBlade NS card NetStream must be configured on both the SecBlade NetStream card and the host device. The ex
159 To do… Use the command… Remarks Exit QoS policy view and enter system view quit Required Enter service port view interface interface-type inter
160 To do… Use the command… Remarks Enable NetStream on the incoming traffic of the port ip netstream inbound Required Disabled by default. Enable t
161 Traffic from network 10.1.0.0/16 needs to be mirrored to the SecBlade NS card for traffic statistics collection, as shown in Figure 49. • Assign
162 # Configure ACL 2000. [Device] acl number 2000 [Device-acl-basic-2000] rule 0 permit source 10.1.0.0 0.0.255.255 [Device-acl-basic-2000] quit # C
163 # Configure the IP address of GigabitEthernet 0/1. [SecBlade] interface gigabitethernet 0/1 [SecBlade-GigabitEthernet0/1] ip address 192.168.103.
164 [Device-vlan20] quit # Create VLAN-interface, and assign an IP address to the VLAN-interface. [Device] interface Vlan-interface 10 [Device-Vlan-i
3 You can read any command that is more complicated according to Table 1. Undo form of a command The undo form of a command restores the default, disa
165 # Create a blackhole-type inline forwarding entry 1. [SecBlade] inline-interfaces 1 blackhole # Assign Ten-GigabitEthernet 0/0 to the blackhole-t
166 Configuration procedure 1. Configure the Device # Create VLAN 10 and VLAN 20, and assign GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to VLAN
167 [SecBlade] inline-interfaces 1 blackhole # Assign Ten-GigabitEthernet 0/0 to the blackhole-type inline forwarding entry 1 for discarding the pack
168 Configuration procedure 1. Configure the Device. # Enable IPv6. <Device> system-view [Device] ipv6 # Create VLAN 10 and VLAN 20, and assig
169 [Device-GigabitEthernet3/0/1] quit # Enable ACSEI server for the NS card to synchronize the clock on the Device. [Device] acsei server enable 2.
170 Figure 53 Network diagram for configuring IPv6 NetStream aggregation data export Configuration procedure 1. Configure the Device. # Enable I
171 [Device-classifier-1] quit # Create a traffic behavior, and configure the action of mirroring traffic to port Ten-GigabitEthernet 4/0/1 for the t
172 # Configure the aggregation mode as protocol-port, and in aggregation view configure the destination address for the IPv6 NetStream protocol-port
173 Device management This chapter includes these sections: • Device management overview • Configuring the device name • Configuring and displayin
174 Configuring and displaying the system time Configuring the system time The system time is determined by the configured relative time, time zone,
4 Entering system view When you log in to the device, you automatically enter user view, where <Device name> is displayed. You can perform limit
175 Configuration System time configured Example 2 The original system time ± “zone-offset” Configure: clock timezone zone-time add 1 System time con
176 Configuration System time configured Example “date-time” is in the daylight saving time range: If the value of “date-time” - “summer-offset” is n
177 Configuration System time configured Example [1], 2, 3 and 1 or [1], 3, 2 and 1 If “date-time” is not in the daylight saving time range, the syst
178 • incoming banner—Also called user interface banner, displayed when a user interface is activated by a Modem user. • login banner—Login welcome
179 • Method II—Type a character after the command keywords at the first line, and then press Enter. Type the banner information, and finish your se
180 To do… Use the command… Remarks Enter system view system-view — Configure the exception handling method system-failure { maintain | reboot } O
181 CAUTION: • A device reboot interrupts ongoing services. Use these commands with caution. • Before rebooting a device, use the save command to
182 Comparison item Configuring a scheduled task—approach 1 Configuring a scheduled task—approach 2 Supported views User view and system view. In the
183 To do… Use the command… Remarks Create a scheduled task and enter job view job job-name Required Specify the view in which the task is executed
184 Figure 54 Network diagram for scheduled task configuration Configuration procedure # Enter system view. <SecBlade> system-view # Create
Copyright © 2008-2012, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi
5 cd Change current directory clock Specify the system clock …Omitted… 2. Type part of a command and a ? separated by
185 [SecBlade-job-pc3] time 1 repeating at 8:00 week-day mon tue wed thu fri command undo shutdown # Configure the SecBlade to shut down GigabitEther
186 If you repeatedly insert and remove different subcards or interface cards to create or delete a large number of logical interfaces, the interface
187 Identifying pluggable transceivers Because pluggable transceivers are of various types and from different vendors, you can use the following comm
188 To do… Use the command… Remarks Display the terminal user information display users [ all ] Available in any view Display the information of th
189 NOTE: For more information about the display users command, see the Fundamentals Command Reference.
190 NTP configuration This chapter includes these sections: • NTP overview • NTP configuration task list • Displaying and maintaining NTP • NTP c
191 How NTP works Figure 55 shows the basic workflow of NTP. Device A and Device B are connected over a network. They have their own independent syst
192 This is only a rough description of the work mechanism of NTP. For more information, see RFC 1305. NTP message format NTP uses two types of messa
193 • Precision: An 8-bit signed integer that indicates the precision of the local clock. • Root Delay: Roundtrip delay to the primary reference so
194 Symmetric peers mode Figure 58 Symmetric peers mode In symmetric peers mode, devices that work in symmetric active mode and symmetric passive m
6 Key Function Left arrow key or Ctrl+B The cursor moves one character space to the left. Right arrow key or Ctrl+F The cursor moves one character s
195 Multicast mode Figure 60 Multicast mode In multicast mode, a server periodically sends clock synchronization messages to the user-configured mu
196 NOTE: • A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations. • A s
197 To do… Use the command… Remarks Enter system view system-view — Specify the source interface for NTP messages ntp-service source-interface int
198 Configuration prerequisites The configuration of NTP authentication involves configuration tasks to be implemented on the client and on the serve
199 Displaying and maintaining NTP To do… Use the command… Remarks Display information about NTP service status display ntp-service status Availabl
200 Actual frequency: 64.0000 Hz Clock precision: 2^7 Clock offset: 0.0000 ms Root delay: 0.00 ms Root dispersion: 0.00 ms Peer dispersion: 0.0
201 Figure 62 Network diagram for configuration of NTP client/server mode with authentication Configuration procedure 1. Set the IP address for ea
202 Root dispersion: 1.05 ms Peer dispersion: 7.81 ms Reference time: 14:53:27.371 UTC Sep 19 2005 (C6D94F67.5EF9DB22) As shown above, SecBlade ha
203 Automatic configuration This chapter includes these sections: • Introduction to automatic configuration • Typical automatic configuration netwo
204 • DNS server—Resolves between IP addresses and host names. In some cases, the device resolves its IP address to the corresponding host name thro
7 To do… Use the command… Remarks Enable the command alias function command-alias enable Required Disabled by default, which means you cannot confi
205 Figure 64 Work flow of automatic configuration Using DHCP to obtain an IP address and other configuration information Address acquisition proce
206 NOTE: The temporary configuration contains two parts: the configuration made on the interface through which automatic configuration is perform
207 CAUTION: • There must be a space before the keyword ip host. • The host name of a device saved in the host name file must be the same as the
208 • If all the above operations fail, the device requests the default configuration file from the TFTP server. TFTP request sending mode The devi
209 FTP configuration This chapter includes these sections: • FTP overview • Configuring the FTP client • Configuring the FTP server • Displaying
210 When SecBlade serves as the FTP client, you need to perform the following configuration: Table 15 Configuration when the device serves as the FTP
211 Establishing an FTP connection Before you can access the FTP server, you must establish a connection from the FTP client to the FTP server. You c
212 To do… Use the command… Remarks Display detailed information about a directory or file on the remote FTP server dir [ remotefile [ localfile ] ]
213 To do… Use the command… Remarks Set the file transfer mode to binary binary Optional ASCII by default. Set the data transmission mode to passive
214 To do… Use the command… Remarks Terminate the connection to the FTP server without exiting FTP client view disconnect Optional Equal to the clos
8 Hotkey Function Ctrl+V Pastes the content in the clipboard. Ctrl+W Deletes all the characters in a continuous string to the left of the cursor. Ct
215 Trying 10.1.1.1 Connected to 10.1.1.1 220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user User(10.1.1.1:(none)):abc 331 Give m
216 To do… Use the command… Remarks Enter system view system-view — Enable the FTP server ftp server enable Required Disabled by default. Use an
217 To do… Use the command… Remarks Configure user properties authorization-attribute { acl acl-number | callback-number callback-number | idle-cut
218 # Enable FTP server. [SecBlade] ftp server enable [SecBlade] quit # Check files on your device. Remove those redundant to ensure adequate space f
219 CAUTION: The boot file used for the next startup must be saved under the root directory of the storage medium (For a device that has been partiti
220 TFTP configuration This chapter includes these sections: • TFTP overview • Configuring the TFTP client • Displaying and maintaining the TFTP c
221 Figure 69 TFTP configuration diagram Before using TFTP, the administrator needs to configure IP addresses for the TFTP client and server, and m
222 When using the tftp client source or tftp command, you can specify the source interface (such as a loopback interface) or source IP address. The
223 TFTP client configuration example Network requirements • As shown in Figure 70, use a PC as the TFTP server and SecBlade as the TFTP client. The
224 File management This chapter includes these sections: • Managing files • Performing directory operations • Performing file operations • Perfo
9 Checking command-line errors If a command contains syntax errors, the CLI reports error information. Table 4 lists some common command line errors.
225 Format Description Length Example path/file-name Specifies a file in the specified folder in the current working directory. path indicates the na
226 Creating a directory To do… Use the command… Remarks Create a directory mkdir directory Required Available in user view Removing a directory T
227 Renaming a file To do… Use the command… Remarks Rename a file rename fileurl-source fileurl-dest Required Available in user view Copying a fil
228 Emptying the recycle bin To do… Use the command… Remarks Enter the original working directory of the file to be deleted cd { directory | .. | /
229 CAUTION: • When you format a storage medium, all the files stored on it are erased and cannot be restored. If a startup configuration file exi
230 The following two partitioning modes are supported on a CF card or a USB disk: • Simple: In this mode, you need to specify the number of partiti
231 To do… Use the command… Remarks Set the operation prompt mode of the file system file prompt { alert | quiet } Optional The default is alert. E
232 Configuration file management The device provides the configuration file management function. You can manage configuration files on the user-frie
233 system operation. The running configuration is stored in a temporary storage medium. You must save a setting you have made so it can survive a re
234 To do… Use the command… Remarks Enter system view system-view — Enable configuration file encryption configuration encrypt { private-key | pub
10 more information about the history-command max-size command, see the Fundamentals Command Reference. Configuring the history buffer size Follow the
235 Setting configuration rollback Configuration rollback Configuration rollback allows you to revert to a previous configuration state based on a sp
236 prefix_serial number.cfg) to the specified path. The filename of a saved configuration file is like 20080620archive_1.cfg, or 20080620archive_2.c
237 To do… Use the command… Remarks Enter system view system-view — Enable the automatic saving of the running configuration, and set the interval
238 CAUTION: Configuration rollback may fail if one of the following situations is present (if a command cannot be rolled back, the system skips it a
239 To do… Use the command… Remarks Back up the startup configuration file to be used at the next startup to the specified TFTP server backup startu
240 To do… Use the command… Remarks Restore a startup configuration file to be used at the next startup restore startup-configuration from src-addr
241 Software upgrade configuration This chapter includes these sections: • Device software overview • Software upgrade methods • Software upgrade
242 Software upgrade methods The Boot ROM program and system boot file can both be upgraded at the Boot ROM menu or at the command line interface (CL
243 Upgrading the boot file through a system reboot Centralized device Follow the steps to upgrade the boot file: 1. Save the boot file to the root
244 Common patches always include the functions of the previous temporary patches. The patch type affects only the patch loading process; the system
11 To do… Use the command… Remarks Disable the multi-screen display function screen-length disable Required By default, a login user uses the setting
245 Figure 73 Patches are not loaded to the memory patch area NOTE: Currently, the memory patch area supports up to 200 patches. DEACTIVE state
246 Figure 75 Patches are activated RUNNING state After you confirm the running of the ACTIVE patches, the state of the patches becomes RUNNING and
247 Configuration prerequisites Patches are released per device model. Before patching the system, you need to save the appropriate patch files to th
248 Step-by-step patch installation task list Task Remarks Configuring the patch file location Optional Loading a patch file Required Activating pa
249 If you find that an ACTIVE patch has a problem, reboot the device to deactivate the patch and avoid faults resulting from the patch error. Follow
250 To do… Use the command… Remarks Delete the specified patches from the memory patch area patch delete patch-number Required Displaying and maint
251 • Set the access parameters for the FTP client (including enabling the FTP server function, setting the FTP username to aaa and password to hell
252 To check if the upgrade is successful after the device reboots, use the display version command. Hotfix configuration example Network requirement
253 System maintenance and debugging This chapter includes these sections: • Ping • Tracert • System debugging • Ping and tracert configuration e
254 Tracert Introduction By using the tracert command, you can trace the Layer 3 devices involved in delivering an IP packet from source to destinati
12 Character Meaning Remarks _ If it is at the beginning or the end of a regular expression, it equals ^ or $. In other cases, it equals comma, space,
255 Tracert configuration Follow these steps to configure tracert: To do… Use the command… Remarks Enter system view system-view — Display the rou
256 corresponding debugging function, or use the undo debugging all command to disable all the debugging functions. Output of debugging information d
257 Configuration procedure # Use the ping command to display whether the PC and the SecBlade can reach each other. <SecBlade> ping 1.1.1.1 P
258 Information center configuration This chapter includes these sections: • Information center configuration • Configuring information center • D
259 Figure 82 Information center diagram (default) (log file is supported) NOTE: By default, the information center is enabled. An enabled inform
260 Table 18 Severity description Severity Severity value Description Corresponding keyword in commands Emergency 0 The system is unusable. emergen
261 Information channel number Default channel name Default output destination Description 8 channel8 Not specified Receives log, trap, and debugg
262 Output destination Modules allowed LOG TRAP DEBUG Enabled/disabled Severity Enabled/disabled Severity Enabled/disabled Severity Log buffer defaul
263 PRI (priority) The priority is calculated using the following formula: facility*8+severity, in which facility represents the logging facility nam
264 Sysname (host name or host IP address) • If the system information is sent to a log host in the format of UNICOM, and the info-center loghost so
13 Character Meaning Remarks character1\w Matches character1character2. character2 must be a number, letter, or underline, and \w equals [^A-Za-z0-9_]
265 content This field provides the content of the system information. Configuring information center Information center configuration task list Comp
266 To do… Use the command… Remarks Configure the format of the time stamp info-center timestamp { debugging | log | trap } { boot | date | none } O
267 To do… Use the command… Remarks Configure the output rules of the system information info-center source { module-name | default } channel { chan
268 To do… Use the command… Remarks Specify the source IP address for the log information info-center loghost source interface-type interface-numbe
269 To do… Use the command… Remarks Configure the output rules of the system information info-center source { module-name | default } channel { chan
270 Outputting system information to the SNMP module NOTE: The SNMP module receives the trap information only, and discards the log and debugging
271 To do… Use the command… Remarks Enable information center info-center enable Optional Enabled by default. Name the channel with a specified cha
272 To do… Use the command… Remarks Enable the log file feature info-center logfile enable Optional Enabled by default Configure the frequency with
273 To do… Use the command… Remarks Move a specified file from a storage medium to the recycle bin delete [ /unreserved ] file-url Remove a folder
274 Disabling a port from generating link up/down logging information By default, all the ports of the device generate link up/down logging informati
14 Configuring user privilege and command levels Introduction To avoid unauthorized access, the device defines user privilege levels and command level
275 To do… Use the command… Remarks Reset the log buffer reset logbuffer Available in user view Reset the trap buffer reset trapbuffer Available
276 # Configure the information output rule: allow log information of ARP and IP modules with severity equal to or higher than informational to be ou
277 Figure 84 Network diagram for outputting log information to a Linux log host Configuration procedure Before the configuration, make sure that t
278 In the above configuration, local5 is the name of the logging facility used by the log host to receive logs. info is the information level. The L
279 # Use channel console to output log information to the console (optional, console by default). [SecBlade] info-center console channel console # D
280 SNMP configuration This chapter includes these sections: • SNMP overview • SNMP configuration task list • Displaying and maintaining SNMP • S
281 Figure 87 MIB tree SNMP provides the following four basic operations: • Get—The NMS retrieves SNMP object nodes in an agent MIB. • Set—The NM
282 Configuring SNMP basic parameters SNMPv3 differs from SNMPv1 and SNMPv2c in many aspects. Their configuration procedures are described in separat
283 Configuring SNMPv1 or SNMPv2c basic parameters Follow these steps to configure SNMPv1 or SNMPv2c basic parameters: To do… Use the command… Remar
284 Configuring SNMP logging The SNMP logging function logs the Get requests, Set requests, and Set responses that the NMS has performed on the SNMP
Preface An H3C SecBlade NetStream (referred to as NS hereinafter) card is inserted in an H3C S7500E, S9500E, or S12500 switch, implementing classifica
15 To do… Use the command… Remarks Enter user interface view user-interface { first-num1 [ last-num1 ] | { aux | console | vty } first-num2 [ last-nu
285 Two types of traps are available: generic traps and vendor-specific traps. Generic traps supported on the device include: authentication, coldst
286 Follow these steps to configure trap parameters: To do… Use the command… Remarks Enter system view system-view — Configure target host attribu
287 To do… Use the command… Remarks Display MIB view information for an SNMP agent display snmp-agent mib-view [ exclude | include | viewname view-n
288 With SNMPv1/v2c, specify the read only community, the read and write community, the timeout time, and the number of retries. The user can inquire
289 [SecBlade] snmp-agent usm-user v3 managev3user managev3group authentication-mode md5 authkey privacy-mode des56 prikey # Configure the contact pe
290 Configuration procedure NOTE: For the configurations for the NMS and SecBlade, see “SNMPv1/SNMPv2c configuration example” and “SNMPv3 configura
291 NOTE: The system information of the information center can be output to the terminal or to the log buffer. In this example, SNMP logs are output
292 MIB style configuration This chapter includes these sections: • Overview • Setting the MIB style • Displaying and maintaining MIB style Overvi
293 RMON configuration This chapter includes these sections: • RMON overview • Configuring the RMON statistics function • Configuring the RMON ala
294 • Using RMON probes. Management devices can obtain management information from RMON probes directly and control network resources. In this appro
16 To do… Use the command… Remarks Enter system view system-view — Enter user interface view user-interface { first-num1 [ last-num1 ] | { aux | co
295 Alarm group The RMON alarm group monitors specified alarm variables, such as total number of received packets (etherStatsPkts) on an interface. A
296 Configuring the RMON statistics function RMON statistics function can be implemented by either the Ethernet statistics group or the history group
297 NOTE: • The entry-number must be globally unique and cannot be used on another interface; otherwise, the operation fails. • You can configure
298 NOTE: • A new entry cannot be created if its parameters are identical with the corresponding parameters of an existing entry. If the created en
299 Gather performance statistics on received packets on GigabitEthernet 0/1 through RMON Ethernet statistics table, and thus the administrator can v
300 Gather statistics on received packets on GigabitEthernet 0/1 every one minute through RMON history statistics table, and thus the administrator c
301 fragments : 0 , jabbers : 0 collisions : 0 , utilization : 0 Sampled values of rec
302 • Connect GigabitEthernet 0/1 to the FTP server. Gather statistics on traffic of the server on GigabitEthernet 0/1 with the sampling interval be
303 Variable formula : 1.3.6.1.2.1.16.1.1.1.4.1<etherStatsOctets.1> Sampling interval : 5(sec) Rising threshold : 100(linke
304 H3C network technology acronyms # A B C D E F G H I K L M N O P Q R S T U V W X Z 3DES Triple Data Encryption Standard 6PE IPv6 Provider Edge A
17 need to re-log in, but the commands that they can execute have changed. For example, if the current user privilege level is 3, the user can configu
305 AM Analog Modem AMB Active Main Board AMD Answering Machine Detection AMI Alternate Mark Inversion A-MPDU Aggregated MAC Protocol Data Unit AN
306 BECN Backward Explicit Congestion Notification BERT Bit Error Rate Test BFD Bidirectional Forwarding Detection BGP Border Gateway Protocol BID
307 CC Continuity Check CC Call Control CCC Circuit Cross Connect CCITT Consultative Committee for International Telegraph and Telephone CCM Contin
308 CoS Class of Service CPE Customer Premises Equipment CPOS Channelized POS CPS Certification Practice Statement CPTone Call Progress Tone CQ Cu
309 DD Database Description DDN Digital Data Network DDNS Dynamic Domain Name System DDoS Distributed Denial of Service DE Discard Eligibility DED
310 DS-lite Dual Stack Lite DSP Domain Specific Part DS-TE DiffServ-aware TE DSU Data Service Unit DTE Data Terminal Equipment DTIM Delivery Traf
311 EFM Ethernet First Mile EGP Exterior Gateway Protocol ENDC EVI Neighbor Discovery Client End-Of-RIB End of Routing-Information-Base ENDP EVI
312 FEP Front End Processor FF Fixed-Filter FFD Fast Failure Detection FIB Forwarding Information Base FIFO First In First Out FIP FCoE Initiali
313 GTK Group Temporal Key GTP GPRS Tunneling Protocol GTP-U GPRS Tunneling Protocol User GTP-V0 GPRS Tunneling Protocol V0 GTS Generic Traffic
314 ICPIF Calculated Planning Impairment Factor I-DEI Backbone Service Instance Drop Eligibility Indicator IDI Initial Domain Identifier IDN Inte
18 When you switch the user privilege level, the information you need to provide varies with combinations of the user interface authentication mode an
315 IRDP ICMP Router Discovery Protocol IRF Intelligent Resilient Framework IS Intermediate System ISAKMP Internet Security Association and Key Ma
316 LDAP Lightweight Directory Access Protocol LDP Label Distribution Protocol LDP ID LDP Identifier LER Label Edge Router LFA Loss of Frame Ali
317 LSPDU Link State Protocol Data Unit LSR Link State Request LSR Label Switching Router LSU Link State Update LT Linktrace LTM Linktrace Messag
318 MGCP Media Gateway Control Protocol MIB Management Information Base MIC Message Integrity Check MIP Maintenance association Intermediate Point
319 MSOH Multiplex Section Overhead MSS Maximum Segment Size MST Multiple Spanning Tree MSTI Multiple Spanning Tree Instance MSTP Multiple Spann
320 NLRI Network Layer Reachability Information NM Network Management NMFAS Non-Multiframe FAS NMS Network Management Station NMS Network Manageme
321 OSI Open System Interconnection OSPF Open Shortest Path First OU Organization Unit OUI Organizationally Unique Identifier P Return P device P
322 Authentication Protocol v2 PEM Power Entry Module PEM Privacy Enhanced Mail PEP Policy Enforcement Point PFC Priority-based Flow Control PFC
323 PQ Priority Queuing PQL Priority Queue List PRBS Pseudo Random Bit Sequence PRF Pseudo-Random Function PRI Primary Rate Interface PRL Preferr
324 RAI Remote Alarm Indication RALM RADIUS Authenticated Login Using MAC-address RAS Registration, Admission, and Status RB Routing Bridge RBAC
19 Modifying the level of a command All the commands in a view default to different levels. The administrator can change the default level of a comman
325 RSH Remote Shell RSN Robust Security Network RSNA Robust Security Network Association RSOH Regenerator Section Overhead RSSI Received Signal
326 SDLC Synchronous Data Link Control SDMF Single Data Message Format SDP Session Description Protocol SDSL Symmetric Digital Subscriber Line SD
327 SPCS Stored Program Control Switching System SPE Superstratum PE or Service Provider-end PE SPF Shortest Path First SPI Security Parameter In
328 TCN BPDU Topology Change Notification BPDU TDM Time Division Multiplexing TE Traffic Engineering TEC Thermoelectric Cooler TEDB TE DataBase TFC
329 UBR Unspecified Bit Rate UDLD Uni-directional Link Direction UDP User Datagram Protocol UFC Update Fabric Configuration UIM User Identity Mod
330 VNC Virtual Network Computing VoD Video on Demand VoFR Voice Over Frame Relay VoIP Voice over IP VP Virtual Path VPC Virtual Path Connection
331 X2T X.25 to TCP Switch XFP 10-Gigabit Small Form-factor Pluggable XML Extensible Markup Language XOT X.25 Over TCP XSD XML Schema Definition
332 Index A B C D E F G H I K L M N O P R S T U W A ACL configuration example,137 ACL configuration task list,131 ACL overview,129 Alarm group co
333 Configuring the TFTP client,221 Configuring user privilege and command levels,14 Controlling the CLI display,10 D Deleting a startup configurati
334 Managing files,224 N NetStream sampling and filtering,142 NMS login example,48 NMS login overview,46 NTP configuration examples,199 NTP configur
20 Login methods This chapter includes these sections: • Login methods • User interface overview Login methods You can log in to a SecBlade card in
21 One user interface corresponds to one user interface view where you can configure a set of parameters, such as whether to authenticate users at lo
22 CLI login This chapter includes these sections: • Overview • Logging in through the console port • Logging in through telnet • Displaying and
23 Object Requirements Terminal Run the hyper terminal program. Configure the hyper terminal attributes. The port properties of the hyper terminal m
24 NOTE: On Windows 2003 Server operating system, add the HyperTerminal program first, and then log in to and manage the SecBlade card as described
Convention Description [ x | y | ... ] * Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you se
25 Figure 7 Set the properties of the serial port Step3 Turn on the SecBlade card. You are prompted to press Enter if the SecBlade card successful
26 Console login authentication modes The following authentication modes are available for console port login: none, password, and scheme. • none—Re
27 To do… Use the command… Remarks Specify the none authentication mode authentication-mode none Required By default, you can log in to the SecBlad
28 To do… Use the command… Remarks Configure the authentication mode as local password authentication authentication-mode password Required By defau
29 To do… Use the command… Remarks Enter console user interface view user-interface console first-number [ last-number ] — Specify the scheme authen
30 Figure 11 Configuration page Configuring common settings for console login (optional) Follow these steps to configure common settings for consol
31 To do… Use the command… Remarks Configure the data bits databits { 5 | 6 | 7 | 8 } Optional By default, the data bits of the console port is 8. D
32 To do… Use the command… Remarks Set the idle-timeout timer idle-timeout minutes [ seconds ] Optional The default idle-timeout is 10 minutes. The
33 in to the SecBlade card through the console port, enable the telnet server function, and configure the authentication mode, user privilege level,
34 Configuration procedure Follow these steps to configure none authentication for telnet login: To do… Use the command… Remarks Enter system view
About the SecBlade NetStream card documentation set The H3C SecBlade NetStream card documentation set includes: Category Documents Purposes Product de
35 By default, you can log in to the SecBlade card through the console port without authentication and have user privilege level 3 after login. For i
36 Figure 14 Configuration page Configuring scheme authentication for telnet login Configuration prerequisites You have logged in to the SecBlade c
37 To do… Use the command… Remarks Create a local user and enter local user view local-user user-name By default, no local user exists. Set the loc
38 Configuring common settings for VTY user interfaces (optional) Follow these steps to configure common settings for VTY user interfaces: To do… Us
39 To do… Use the command… Remarks Set the idle-timeout timer idle-timeout minutes [ seconds ] Optional The default idle-timeout is 10 minutes for a
40 Figure 16 Telnet from telnet client to telnet server NOTE: Make sure that the telnet client and telnet server can reach each other. Configur
41 To do… Use the command… Remarks Release a specified user interface free user-interface { num1 | { aux | console | vty } num2 } Available in user
42 Logging in to the SecBlade NS card from the host device Logging in to the SecBlade NS card from the host device Before logging in to the SecBlade
43 To do… Use the command… Remarks Reset the system of the SecBlade NS card • When the host device works in standalone mode: oap reboot slot slot-
44 4. After the ACSEI server receives a valid registration request, it negotiates parameters with the ACSEI client and establishes connection with t
i Contents CLI configuration
45 To do… Use the command… Remarks Display ACSEI client information on the ACSEI server display acsei client info [ client-id ] Available in any vie
46 NMS login This chapter includes these sections: • NMS login overview • Configuring NMS login • NMS login example NMS login overview A Network M
47 To do… Use the command… Remarks Enter system view system-view — Enable SNMP agent snmp-agent Optional Disabled by default. You can also enable
48 NOTE: The SecBlade card supports three SNMP versions: SNMPv1, SNMPv2c and SNMPv3. For more information about SNMP, see the System Management an
49 Type the username and password, and then click Login. The iMC homepage appears, as shown in Figure 19. Figure 19 iMC homepage Log in to the iMC
50 User login control This chapter includes these sections: • User login control overview • Configuring login control over telnet users • Configur
51 To do… Use the command… Remarks Exit the basic ACL view quit — Enter user interface view user-interface [ type ] first-number [ last-number ] —
52 To do… Use the command… Remarks Enter system view system-view — Create an Ethernet frame header ACL and enter its view acl number acl-number [ m
53 # Reference ACL 2000 in user interface view to allow telnet users from Host A and Host B to access the SecBlade card. [SecBlade] user-interface vt
54 To do… Use the command… Remarks Associate the user with the ACL snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ] snmp-age
ii Introduction
55 Interface configuration This chapter includes these sections: • Ethernet interface overview • General configuration • Configuring a Layer 2 Eth
56 • Null interface: A software-only virtual interface. A null interface is always up and can neither forward data packets nor be configured with an
57 Configuring basic settings of an Ethernet interface or subinterface Configuring an Ethernet interface You can set an Ethernet interface to operate
58 NOTE: • To use an Ethernet subinterface to transmit and receive packets, you must associate it with a VLAN. • For the local and remote Etherne
59 Configuring loopback testing on an Ethernet interface If an Ethernet interface does not work normally, you can enable loopback testing on it to id
60 Configuring a Layer 2 Ethernet interface or subinterface Layer 2 Ethernet interface or subinterface configuration task list Complete these tasks t
61 Setting the MDI mode of an Ethernet interface NOTE: Optical interfaces do not support the MDI mode setting. You can use both crossover and str
62 Task Remarks Setting the MTU for an Ethernet interface or subinterface Optional Applicable to Layer 3 Ethernet interfaces and subinterfaces Config
63 Displaying and maintaining an Ethernet interface or subinterface To do… Use the command… Remarks Display Ethernet interface or subinterface infor
64 Configuring the null interface Follow these steps to enter null interface view: To do… Use the command… Remarks Enter system view system-view —
iii Configuring the null interface
65 IP addressing configuration This chapter includes these sections: • IP addressing overview • Configuring IP addresses • Displaying and maintain
66 Class Address range Remarks C 192.0.0.0 to 223.255.255.255 –– D 224.0.0.0 to 239.255.255.255 Multicast addresses. E 240.0.0.0 to 255.255.255.255 R
67 • With subnetting: Using the first 9 bits of the host-id for subnetting provides 512 (2^9) subnets. However, only 7 bits remain available for the
68 Figure 24 Network diagram for IP address configuration Configuration procedure # Assign a primary IP address and a secondary IP address to Gigab
69 <SecBlade> ping 172.16.2.2 PING 172.16.2.2: 56 data bytes, press CTRL_C to break Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 t
70 IP routing basics configuration This chapter includes these sections: • IP routing overview • Displaying and maintaining a routing table NOTE
71 Routing table information You can view the brief information of a routing table by using the display ip routing-table command. For example: <S
72 Criterion Categories Destination address type • Unicast routing protocols—RIP, OSPF, BGP, and IS-IS • Multicast routing protocols—PIM-SM and PIM
73 Displaying and maintaining a routing table To do… Use the command… Remarks Display brief information about the active routes in the routing table
74 Static routing configuration This chapter includes these sections: • Introduction • Configuring a static route • Displaying and maintaining st
iv Introduction to port-based VLAN
75 In fact, each route lookup operation has to find the next hop to resolve the destination link layer address. When specifying the output interface
76 Displaying and maintaining static routes To do… Use the command… Remarks Display information of static routes display ip routing-table protocol s
77 1.1.3.0/24 Static 60 0 1.1.4.2 GE0/1 127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0 127.0.0.1/
78 Policy-based routing configuration This chapter includes these sections: • Introduction to policy-based routing • Configuring PBR • Displaying
79 apply clause The following types of apply clauses are available: apply ip-precedence, apply output-interface, apply ip-address next-hop, apply def
80 To do… Use the command… Remarks Enter system view system-view –– Create a policy or policy node and enter PBR policy node view policy-based-rou
81 NOTE: • If an ACL match criterion is defined, packets are matched against the ACL rules, whereas the permit or deny action of the specified ACL
82 To do… Use the command… Remarks Enter interface view interface interface-type interface-number — Configure interface PBR ip policy-based-route p
83 VLAN configuration This chapter includes these sections: • Introduction to VLAN • Configuring basic VLAN settings • Configuring basic settings
84 3. Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations,