
www.3Com.com

Part Number 10016378-AA
Published March 2008

3Com® Switch 5500G Open Services Networking Configuration and Command Reference Guide

Summary of Contents for 5500G SERIES


Page 2: ...mputer Software as defined in DFARS 252.227-7014 (June 1995) or as a commercial item as defined in FAR 2.101(a), and as such is provided with only such rights as are provided in 3Com's standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or de...

Page 3: ...cation Control Forwarding Protocol (ACFP): Introduction to ACFP 9; Configuring ACFP 15; Displaying ACFP 16; ACFP Configuration Example 16. 3 Configuring an Application Control System Exchange Interface: Introduction to ACSEI 21; Configuring an ACSEI Server on a Switch 23; ACSEI Client Configuration on Linux System 25. 4 OSN-M Configuration Commands: osm connect unit 31; osm reboot unit 32. 5 ACFP Configuration ...

Page 4: ...imer clock-sync 43; acsei timer monitor 44; display acsei client info 44; display acsei client summary 46. 7 ACSEI Client Configuration Commands on the OSN-M: acsei client debug disable 47; acsei client debug enable 47; acsei client debug show 48; chkconfig acseid off 49; chkconfig acseid on 49; service acseid condrestart 50; service acseid reload 51; service acseid restart 51; service acseid start 52; service ...

Page 5: ...browser to eSupport.3Com.com. About this guide: This guide provides all the information you need to use the 3Com Open Services Networking Module for your Switch 5500G. This guide is intended for network administrators who are responsible for installing and setting up network equipment; consequently, it assumes a basic working knowledge of LANs (Local Area Networks). Notice Icons: Table 1 lists important co...

Page 6: ...6 Introduction ...

Page 7: ...OSN-M's Linux OS using the last method. The OSN-M configurations on the switch include: Switching to the OSN-M's Operating Interface on page 7; Restarting the OSN-M's Linux OS on page 8. For an introduction to other login options, refer to the 3Com Switch 5500G OSN-M Getting Started Guide. Switching to the OSN-M's Operating Interface: You can log into a switch through its console port or an Ethernet interfac...

Page 8: ...ing the Linux OS does not affect the status of the switch. That is, the OSN-M and the switch can restart independently. Restarting the Linux OS on the OSN-M will not result in restarting the switch. To restart the OSN-M's Linux system, use the osm reboot unit unit-id command. This command is available in user view. CAUTION: Restarting the Linux OS on an OSN-M may cause data loss and service interrupt...

Page 9: ...ers provide software and hardware interfaces to allow modules or devices from other manufacturers to be plugged into or connected to their networking devices to provide these services. 3Com's Open Systems Networking (OSN) provides customers with an open service architecture developed to achieve this functionality. Compatible IPS/IDS application modules or IPS/IDS applications running as ACFP clients a...

Page 10: ... GigabitEthernet 1/1/1 and GigabitEthernet 1/1/2 to connect to the OSN-M. 3Com recommends that you do not perform any configurations except for disabling the Spanning Tree Protocol (STP) on GigabitEthernet 1/1/1 and adding GigabitEthernet 1/1/2 to a VLAN. ACFP Collaboration: ACFP collaboration means that the independent service component can send instructions to the routing or switching component to...

Page 11: ...ID of the collaboration policy to which the collaboration rule belongs. When the redirected packet is returned from the ACFP client, the packet also carries the context ID. With the context ID, the ACFP server knows that the packet is returned after being redirected, and then forwards the packet normally. For the ACFP client to better control traffic, the two-level structure of the collaboration policy a...

Page 12: ...in valid. Whether the ACFP server can permanently save the collaboration policy: it mainly refers to whether the ACFP server can keep the original collaboration policy after a reboot. The context ID type supported by the Switch 5500G's Ethernet switches is 2. Figure 2 shows the corresponding packet format; the Context field indicates the context ID location. Figure 2 Packet format corresponding to conte...

Page 13: ...ent. Context ID: Used when the packet is mirrored or redirected to an ACFP client. It can be 0, meaning context exchange is not supported. After the port connected to the ACFP client is specified in the policy sent, the ACFP server assigns it a global serial number, that is, the Context ID, with each Context ID corresponding to an ACFP collaboration policy. Admin Status: Indicates whether to enable the polic...

Page 14: ...entifier. Status: Indicates whether the rule is applied successfully. Action: Either mirror, redirect, deny, permit, or rate. Match all packets: Indicates whether to match all the packets. If this is set to yes, the following matching does not need to be performed: Source MAC address; Destination MAC address; Starting VLAN ID; Ending VLAN ID; Protocol number in IP packet; Source IP address; Inverse mask of source IP...

Page 15: ...can be GRE, ICMP, IGMP, OSPF, TCP, UDP, and IP. IP precedence: Packet precedence, a number in the range of 0 to 7. IP ToS: Type of Service (ToS) of the IP. IP DSCP: Differentiated Services Code Point (DSCP) of the IP. TCP control packet: Indicates whether the packet is a TCP control packet. IP fragment: Indicates whether the packet is an IP packet fragment. Rate limit. Row state. You can use the collaboration policy to m...

Page 16: ... To | Use the command | Remarks: Display the configuration information of the ACFP server | display acfp server info | Available in any view. Display the configuration information of an ACFP client | display acfp client info client-id. Display the configuration information of an ACFP policy | display acfp policy info client client-id policy-index dest-interface interface-type interface-number in-interface interf...

Page 17: ...erver's GigabitEthernet 1/0/1 port. After the ACFP client analyzes the traffic, all packets with the source IP address in network segment 192.168.1.0/24 are permitted and all packets with the source IP address in network segment 192.168.2.0/24 are denied. Network Diagram: Figure 3 Network diagram for an ACFP configuration. Configuration Procedure: Configure the Switch. Enable ACFP: <Switch> system-view [Swit...

Page 18: ...n to the Switch, where the rule index is 1.1.1, the action is mirror (achieved by setting node h3cAcfpRuleAction), matching all packets (achieved by setting node h3cAcfpRuleAll), the rule row status is 4 (achieved by setting node h3cAcfpRuleRowStatus), and the other parameters adopt the default values. CAUTION: When the ACFP policy action is set to mirror, you need to disable the Spanning Tree Protocol (STP) on...

Page 19: ...tatus), and the other parameters adopt the default values. Apply ACFP rules: Configure the ACFP policy through the MIB browser, where the policy index is 1.1. Configure the Admin Status as enable (achieved by setting node h3cAcfpPolicyAdminStatus). Verify the configuration: Use the ping command to verify the connectivity between Host A and Host C, and between Host B and Host C. The test results show that Host C can be pi...

Page 20: ...20 Chapter 2 Configuring the Application Control Forwarding Protocol (ACFP) ...

Page 21: ...tegrated into the OSN-M's software system. It is a default function supported by the OSN-M. NOTE: ACFP is designed based on the Open Services Networking (OSN). The collaborating Intrusion Prevention System (IPS)/Intrusion Detection System (IDS) cards or IPS/IDS devices serve as the ACFP clients that run other vendors' applications and support the IPS/IDS services. Refer to Configuring the Application Control For...

Page 22: ...y trigger the ACSEI server to send monitoring requests to ACSEI clients. You can set this timer through commands. An ACSEI client starts two timers: the registration timer and the monitoring timer. The registration timer is used to periodically trigger the ACSEI client to multicast registration requests, with the multicast MAC address being 010F-E200-0021. You cannot set this timer. The monitoring timer ...

Page 23: ...s to enable ACSEI server. Configuring the Clock Synchronization Timer: Follow these steps to configure the clock synchronization timer. Configuring the Monitoring Timer: Follow these steps to configure the monitoring timer. To | Use the command | Remarks: Enter system view | system-view. Enable ACSEI server | acsei server enable | Required. Disabled by default. To | Use the command | Remarks: Enter system view | system-vi...

Page 24: ... is integrated is restarted. Enter ACSEI server view | acsei server. Configure the monitoring timer for the ACSEI server to monitor ACSEI clients | acsei timer monitor seconds | Optional. Five seconds by default. To | Use the command | Remarks. To | Use the command | Remarks: Enter system view | system-view. Enable the ACSEI server function | acsei server enable | Required. Enter ACSEI server view | acsei server. Close the specified...

Page 25: ...pm package such as acsei-client-1.0.0.i386.rpm, where 1.0.0 is the version number. To | Use the command | Remarks: Display ACSEI client summary | display acsei client summary client-id | Available in any view. Display ACSEI client information | display acsei client info client-id. To | Use the command | Remarks: Switch to the Linux system of the OSN-M from the switch's CLI | osm connect unit unit-id | Required. Available ...

Page 26: ...modify the default startup settings through the GUI, perform the following steps: 1 Execute the osm connect unit command in user view to enter the OSN-M's Linux system. 2 Execute the setup command, and the ACSEI GUI is displayed as shown in Figure 4. To | Use the command | Remarks: Switch to the OSN-M's Linux OS from the switch's CLI | osm connect unit unit-id | Required. Available in user view. After the operati...

Page 27: ...face for the ACSEI client default startup. 3 Select System services and press Enter. The Services screen is displayed as shown in Figure 5. Figure 5 Service interface for an ACSEI client default startup. 4 Move the cursor to acseid and use the Space key to choose that option ...

Page 28: ...unning the command does not restart the process. Do not stop and restart the ACSEI client process repeatedly within five seconds; otherwise, other applications may not be aware of the ACSEI client change. To | Use the command | Remarks: Switch to the OSN-M's Linux system from the switch's CLI | osm connect unit unit-id | Required. Available in user view. After the operation, the operating interface is switched to...

Page 29: ... Available in user view. After the operation, the operating interface is switched to the Linux system interface, where you can execute the following commands: Display the running status of the ACSEI client | service acseid status | Optional. Enable the ACSEI client debugging | acsei client debug enable. Display the ACSEI client debugging | acsei client debug show. Disable the ACSEI client debugging | acsei client ...

Page 30: ...30 Chapter 3 Configuring an Application Control System Exchange Interface ...

Page 31: ...nother switch in the same fabric as the local switch. Press Ctrl+K to return from the OSN-M's Linux OS to the local switch's command line interface. Only one user can switch to the OSN-M's Linux OS at a time. Examples: Switch from the local switch's command line interface to the OSN-M's Linux OS on unit 1. <SW5500G> osm connect unit 1 Connected to OSM. Press Enter after the above prompt is displayed. If th...

Page 32: ... the unit ID of another switch in the same fabric as the local switch. Note that before restarting an OSN-M, 3Com recommends that you save the data on the Linux OS and shut down the Linux OS to avoid service interruption and hardware data loss. Examples: Restart the OSN-M's Linux OS on unit 1. <SW5500G> osm reboot unit 1 This command will recover the OSM from shutdown or other failed state. Warning: This c...

Page 33: ...e command to disable ACFP. By default, ACFP is disabled. Examples: Enable ACFP. <SW5500G> system-view System View: return to User View with Ctrl+Z. [SW5500G] acfp enable. display acfp client info: Syntax: display acfp client info client-id. View: Any view. Parameters: client-id: Displays information about the specified ACFP client, where client-id is the ACFP client identifier in the range of 1 to 2147483647 ...

Page 34: ...ientID: 1 Description: IDS Hw Info: 1.0 OS Info: Fedora release 6.0 (Zod) App Info: 2.0 Client IP: 1.1.1.1 Client Mode: ipserver redirect mirror. Table 1 Description of the display acfp client info command fields. Field | Description: ACFP client total number | Total number of ACFP clients. ClientID | Index of the client list. Description | Description information of the client application program. Hw Info | Hardware info...

Page 35: ...all the policies that use the specified port as the inbound port, where interface-type interface-number is the port type and port number. active: Displays active policies only. inactive: Displays inactive policies only. Description: Use the display acfp policy info command to display the ACFP policy information. NOTE: When you use this command to display the policy information sent by the specified ACFP clien...

Page 36: ...erface-type interface-number policy client-id policy-index. View: Any view. Table 2 Description of the display acfp policy info command fields. Field | Description: ACFP policy total number | Total number of ACFP policies. ClientID | Client ID, index of the client list. Policy Index | Policy index. Rule Num | Number of rules under the policy. ContextID | Context ID. Exist Time | Indicates, in seconds, how long the policy has ex...

Page 37: ...f all the policies is displayed. When you use this command to display ACFP rule information in order of inbound port, if you do not specify a port, the rule information of all the inbound ports is displayed. Examples: Display ACFP rule information in order of inbound port. <SW5500G> display acfp rule info in-interface ACFP rule total number: 2 ClientID: 1 Policy Index: 1 Rule Index: 1 Action: deny Status: activ...

Page 38: ...ct mirror Max Life Time: 2147483647 s PersistentRules: false ContextType: switch context. Table 3 Description of the display acfp rule info command fields. Field | Description: ACFP rule total number | Total number of ACFP rules. ClientID | Client list index. Policy Index | Policy index. Rule Index | Rule index. SIP | Source IP address. SMask | Inverse mask of source IP address. Action | Either permit (permit packets), deny (den...

Page 39: ... acfp command to enable the switch to send ACFP traps. Use the undo snmp-agent trap enable acfp command to disable the switch from sending ACFP traps. By default, a switch is enabled to send ACFP traps. Table 4 Description of the display acfp server info command fields. Field | Description: Server Info | ACFP client working mode supported by the ACFP server: ipserver (host mode), redirect (redirect mode), mirror (m...

Page 40: ...40 Chapter 5 ACFP Configuration Commands. Examples: Enable the switch to send all ACFP traps. <SW5500G> system-view System View: return to User View with Ctrl+Z. [SW5500G] snmp-agent trap enable acfp ...

Page 41: ...mand to close the specified ACSEI client. NOTE: After you close an ACSEI client using the acsei client close command, the OSN-M where the ACSEI client is integrated is shut down. Examples: Close ACSEI client 1. <SW5500G> system-view System View: return to User View with Ctrl+Z. [SW5500G] acsei server [SW5500G-acsei-server] acsei client close 1. acsei client reboot: Syntax: acsei client reboot client-id. View: ACSEI ser...

Page 42: ... 1. <SW5500G> system-view System View: return to User View with Ctrl+Z. [SW5500G] acsei server [SW5500G-acsei-server] acsei client reboot 1. acsei server: Syntax: acsei server. View: System view. Parameters: None. Description: Use the acsei server command to enter ACSEI server view. Examples: Enter ACSEI server view. <SW5500G> system-view System View: return to User View with Ctrl+Z. [SW5500G] acsei server [SW5500G-acsei-ser...

Page 43: ...ed for clock synchronization from the ACSEI server to the ACSEI client. It ranges from 0 to 1440, in minutes, where the value 0 disables the clock synchronization. Description: Use the acsei timer clock-sync command to set the synchronization timer that is used for clock synchronization from the ACSEI server to the ACSEI client. Use the undo acsei timer clock-sync command to restore the default. By default, t...

Page 44: ...mer for the ACSEI server to monitor the ACSEI client. Use the undo acsei timer monitor command to restore the default. By default, the monitoring timer is set to five seconds. Examples: Set the monitor timer for the ACSEI server to monitor the ACSEI client to six seconds. <SW5500G> system-view System View: return to User View with Ctrl+Z. [SW5500G] acsei server [SW5500G-acsei-server] acsei timer monitor 6. displ...

Page 45: ...el(R) Celeron(R) M processor 1.00GHz PCB Version: 1.00 CPLD Version: 1.00 Bootrom Version: 1.00 CF card: 0 MB Memory: 512 MB Harddisk: 80.0 GB. Table 5 Description of the display acsei client info command fields. Field | Description: Client ID | ID of the ACSEI client. Client Description | ACSEI client description. Hardware | ACSEI client hardware version. System Software | ACSEI client system software name and version. A...

Page 46: ...stration time. If executed without the client-id argument, the command displays summary information about all the ACSEI clients. Examples: Display the summary of ACSEI client 1. <SW5500G> display acsei client summary 1 Client ID: 1 Status: Open MAC Address: 0012-3456-0005 Interface: GigabitEthernet1/1/2 Last registered: 01/01/2005 18:57:44. Table 6 Description of the display acsei client summary command fields...

Page 47: ... page 31. acsei client debug disable: Syntax: acsei client debug disable. View: Any directory of the Linux system. Parameters: None. Description: Use the acsei client debug disable command to disable debugging for the ACSEI client. By default, debugging for the ACSEI client is disabled. Examples: Disable debugging for the ACSEI client on unit 1. <SW5500G> osm connect unit 1 Connected to OSM. [root@localhost ~]# acsei c...

Page 48: ...ug show: Syntax: acsei client debug show. View: Any Linux system directory. Parameters: None. Description: Use the acsei client debug show command to display the debugging information about the ACSEI client. By default, no ACSEI client debugging is displayed. Note that ACSEI client debugging is displayed through a pipe; therefore, part of the debugging information may fail to be displayed when the pipe is full...

Page 49: ...ure the ACSEI client not to start up on unit 1 when the Linux system is started. <SW5500G> osm connect unit 1 Connected to OSM. [root@localhost ~]# chkconfig acseid off. chkconfig acseid on: Syntax: chkconfig acseid on. View: Any Linux system directory. Parameters: None. Description: Use the chkconfig acseid on command to automatically start up the ACSEI client when the Linux system starts. By default, the ACSEI client is st...

Page 50: ...es not restart the ACSEI client. Examples: Execute a conditional ACSEI client restart on unit 1 when the ACSEI client is running, and then view the ACSEI client's running status. <SW5500G> osm connect unit 1 Connected to OSM. [root@localhost ~]# service acseid status acseic daemon (pid 2335) is running [root@localhost ~]# service acseid condrestart Stopping acseic daemon: [ OK ] Starting acseic daemon: [ OK ] [root@localhost ~]# ser...

Page 51: ...y when the ACSEI client is running. Otherwise, you will fail to load the ACSEI client configuration file. Examples: Load the ACSEI client configuration file on unit 1. <SW5500G> osm connect unit 1 Connected to OSM. [root@localhost ~]# service acseid status acseic daemon (pid 2335) is running [root@localhost ~]# service acseid reload Reloading configuration: [ OK ]. service acseid restart: Syntax: service acseid restart. View ...

Page 52: ...t the ACSEI client on unit 1 when the ACSEI client is stopped. <SW5500G> osm connect unit 1 Connected to OSM. [root@localhost ~]# service acseid status acseic daemon is stopped [root@localhost ~]# service acseid restart Stopping acseic daemon: [FAILED] Starting acseic daemon: [ OK ]. service acseid start: Syntax: service acseid start. View: Any Linux system directory. Parameters: None. Description: Use the service acseid start ...

Page 53: ...rvice acseid status command to query the running status of an ACSEI client. Examples: View the running status of the ACSEI client on unit 1. <SW5500G> osm connect unit 1 Connected to OSM. [root@localhost ~]# service acseid status acseic daemon (pid 2335) is running. service acseid stop: Syntax: service acseid stop. View: Any Linux system directory. Parameters: None. Description: Use the service acseid stop command to s...

Page 54: ...n Commands on the OSN-M. Examples: Stop the ACSEI client on unit 1. <SW5500G> osm connect unit 1 Connected to OSM. [root@localhost ~]# service acseid status acseic daemon (pid 2335) is running [root@localhost ~]# service acseid stop Stopping acseic daemon: [ OK ] ...
