H3c-technologies H3C SecBlade IPS Cards User Manual Page 1

Summary of Contents

Page 1 - H3C SecBlade IPS Cards

H3C SecBlade IPS Cards User Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document version: 5PW104-2010

Page 2

3 • SecBlade IPS cards adopt the multi-core high-performance processor and high-speed memory, and thus can ensure the processing of security service

Page 3 - Preface

4 SecBlade IPS cards support local and distributed management modes. For a network with one or a small number of SecBlade IPS cards deployed, you can

Page 4 - Symbols

5 Features Feature List Table 1 Feature list of SecBlade IPS cards Module Features Web overview Device management User management Network managemen

Page 5 - Documentation feedback

6 Login With the web network management function, the administrator can manage and maintain a SecBlade IPS card through the web interface. Follow th

Page 6 - Contents

7 3. Enter the CLI of the device • For the LSWM1IPS10 card Power on the switch. As the S5800 and S5820X are centralized stacking devices, you need

Page 7

8 Figure 3 web interface login interface By default, the IPS card has HTTPS enabled, but does not have HTTP enabled. Therefore, for the first login

Page 8 - Overview

9 Switch/Router and SecBlade IPS Card Network Configuration NOTE: For more information about the commands used in this chapter, see the Configurat

Page 9 - SecBlade IPS Cards Overview

10 Configuration Procedure Configuring the switch Configure the switch as follows. • Configure the Management Information Base (MIB) style of the s

Page 10 - Main Functions

11 To do… Use the command… Remarks Create an SNMP group and set its access right For SNMP v3: snmp-agent group v3 group-name [ authentication | pri

Page 11

12 To do… Use the command… Remarks Enter the view of the 10GE interface connected to the SecBlade IPS card interface Ten-GigabitEthernet interface-

Page 12 - Features

Copyright © 2008-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi

Page 13 - (Switch)

13 To do… Use the command… Remarks Use the IP address of the management interface to log in to the web interface of the SecBlade IPS card — Required

Page 14

14 Configuration Example Network requirements As shown in Figure 5, the switch has a SecBlade IPS card installed on slot 3. The switch uses GigabitEt

Page 15 - Management

15 • Configure the link type of the internal interface as access, add it to VLAN 100, which must be consistent with the VLAN ID configured on the OA

Page 16 - Configuration

16 Figure 7 Configure the OAA client After completing configuration, click Test. If the following message appears, the switch is reachable. Figure

Page 17 - Configuration Procedure

17 Figure 10 Create a segment NOTE: When creating a segment, you need to select the internal zone, external zone and the internal interface. Fig

Page 18

18 From external network to internal network 1. Packets from the external network enter the switch. 2. The switch redirects the packets to the SecB

Page 19

19 To do… Use the command… Remarks Set the SNMP version snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 |

Page 20 - Displaying the configuration

20 To do… Use the command… Remarks Create a VLAN and enter VLAN view vlan { vlan-id1 [ to vlan-id2 ] | all } Required Return to system view quit R

Page 21 - Configuration Example

21 To do… Use the command… Remarks Configure the extended port connection mode for the trunk port port connection-mode extend Required Return to sy

Page 22

22 To do… Use the command… Remarks Configure the OAA client and internal interface Select System Management > Device Management > OAA Configu

Page 23 - GigabitEthernet1/0/15

Preface The H3C SecBlade IPS Cards User Manual describes the SecBlade IPS cards’ overview, features, and login methods, and the configurations on the

Page 24 - Configuration)

23 Ten-GigabitEthernet 2/0/1 to connect to the SecBlade IPS card’s internal interface Ten-GigabitEthernet 0/0. Traffic received on the switch’s inter

Page 25

24 • Configure the internal interface as a trunk port, and its default VLAN ID as 100, which must be consistent with the VLAN ID configured on the O

Page 26

25 Figure 13 Log into the SecBlade IPS card # Configure OAA. • Configure the OAA client and the internal interface and test the connectivity to t

Page 27

26 Figure 15 Connectivity test result # Configure security zones. After completing OAA configuration on the SecBlade IPS card and the S7500E, you c

Page 28

27 Figure 18 Configure the segment LSB1IPS1A0 Card Configuration NOTE: The LSB1IPS1A0 card is only for the Comware V3 S9500 switches. Configura

Page 29

28 NOTE: • In this solution, packets need to re-enter the switch through the back board, and thus the same MAC address is learned on different por

Page 30 - Configuration procedure

29 To do… Use the command… Remarks Add the external network port to the external network VLAN port interface-list Required By default, all ports b

Page 31

30 To do… Use the command… Remarks Return to system view quit Required Create a Layer 2 ACL acl number acl-number Required Create a rule to den

Page 32

31 To do… Use the command… Remarks Enter management interface view interface meth interface-number Required Configure an IP address for the interfa

Page 33

32 • Configure the link type of Ethernet 5/1/1, Ethernet 5/1/2 and Ethernet 5/1/3 as access, and configure them to belong to VLAN 10, VLAN 20 and VL

Page 34 - Configuration Overview

GUI conventions Convention Description Boldface Window names, button names, field names, and menu items are in Boldface. For example, the New User win

Page 35

33 [Sysname]interface Vlan-interface 30 [Sysname-Vlan-interface30] ip address 30.0.0.1 255.0.0.0 [Sysname-Vlan-interface30] quit # Configure the link

Page 36

34 [Sysname-GigabitEthernet3/1/1] quit [Sysname] interface GigabitEthernet4/1/1 [Sysname-GigabitEthernet4/1/1] packet-filter inbound link-group 4000

Page 37

35 # Select System Management > Network Management > Security Zone. Click Add. Input Inside in the Name text box, add 10GE interface xeth0/0 an

Page 38

36 2. The switch redirects the packets to the SecBlade IPS card. 3. After processing the packets, the SecBlade IPS card forwards them back to the s

Page 39

37 To do… Use the command… Remarks Set the SNMP version snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 | v

Page 40

38 To do… Use the command… Remarks Create a VLAN and enter VLAN view vlan { vlan-id1 [ to vlan-id2 ] | all } Required Return to system view quit Re

Page 41

39 To do… Use the command… Remarks Save all configurations save [ file-name | [ safely ] Required Restart the switch reboot Required Configuring

Page 42

40 To do… Use the command… Remarks Create a segment Select System Management > Network Management > Segment Configuration. Click Add Segment.

Page 43

41 Figure 24 S9500E switch and the LSR1IPS1A1 card Configuration procedure 1. Configure the switch # Configure the H3C new MIB style. That is, the

Page 44 - Remarks

42 [Sysname-Ten-GigabitEthernet] port trunk permit vlan all [Sysname-Ten-GigabitEthernet] port connection-mode extend [Sysname-Ten-GigabitEthernet] m

Page 45

Obtaining documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on t

Page 46

43 Figure 26 Configure the OAA client After completing configuration, click Test Connectivity. If the following message appears, the switch is reac

Page 47

44 Figure 29 Create a segment NOTE: When creating a segment, you need to select the internal zone, external zone and the internal interface. Figu

Page 48

45 4. The switch forwards the packets out its internal network interface. Configuration Procedure Configuring the switch Configure the switch as fol

Page 49

46 To do… Use the command… Remarks Set the SNMP version snmp-agent sys-info { contact sys-contact | location sys-location | version { all | { v1 |

Page 50

47 To do… Use the command… Remarks Create a VLAN and enter VLAN view vlan { vlan-id1 [ to vlan-id2 ] | all } Required Return to system view quit

Page 51

48 • Configure the internal interface and the OAA client and test its connectivity to the switch. • Create security zones and add the interfaces of

Page 52

49 Table 3 Use the following commands in any view of the switch to view ACFP information. To do… Use the command… Display the ACFP server informatio

Page 53

50 # Configure the H3C new MIB style. That is, the sysOID and private MIB are both under H3C enterprise ID 25506. You need to reboot the switch to va

Page 54

51 [Sysname] interface meth0/2 [Sysname-if]ip address 192.168.0.11 255.255.255.0 [Sysname-if] undo shutdown [Sysname-if] quit # Log in to the web in

Page 55

52 Figure 34 Connectivity test result # Configure security zones. After completing OAA configuration on the SecBlade IPS card and the S12500, you c

Page 56

i Contents Overview

Page 57

53 Figure 37 Configure the segment SPE-IPS-200 Card Configuration NOTE: The SPE-IPS-200 card is only for the SR6600 routers. Configuration Over

Page 58 - [Sysname-if] quit

54 • Save the configurations and reboot the router. Follow these steps to configure the router: To do… Use the command… Remarks Enter system view

Page 59

55 To do… Use the command… Remarks Add a user to the SNMP group snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5

Page 60

56 To do… Use the command… Remarks Enable the management interface undo shutdown Required Enabled by default. Use the IP address of the management

Page 61

57 Configuration Example Network requirements As shown in Figure 38, the router has one SRPU inserted in slot 0, two switching boards inserted in slo

Page 62

58 # Save the configurations. <Sysname> save NOTE: Make sure that the OAA card in slot n corresponds to the router’s internal interface Ten

Page 63

59 Figure 40 Configure the OAA client After completing configuration, click Test Connectivity. If the following message appears, the router is reac

Page 64

60 Figure 43 Create a segment Figure 44 Configure the segment IM-IPS Card Configuration NOTE: The IM-IPS card is only for the SR8800 routers.

Page 65

61 Configuration Procedure Configuring the router Perform the following configurations on the router: • Configure the MIB style of the router. • Co

Page 66

62 To do… Use the command… Remarks Create an SNMP group and set its access right For SNMP v3: snmp-agent group v3 group-name [ authentication | pri

Page 67 - IM-IPS Card Configuration

ii Index

Page 68

63 To do… Use the command… Remarks Specify permitted VLANs on the trunk port port trunk permit vlan { vlan-id-list | all } Required A trunk port ca

Page 69

64 To do… Use the command… Remarks Configure the OAA client and the internal interface Select System Management > Device Management > OAA Con

Page 70

65 GigabitEthernet 1/0/2 to connect to the internal network, uses GigabitEthernet 1/0/3 to connect to the external network, and uses its internal int

Page 71

66 [Sysname-Vlan-interface100] ip address 100.100.100.1 255.255.255.0 [Sysname-Vlan-interface100] undo shutdown [Sysname-Vlan-interface100] quit • C

Page 72

67 • Configure the OAA client and the internal interface and test the connectivity between the OAA client and the router. Figure 47 Configure the OA

Page 73

68 Figure 49 Create a security zone # Configure a segment. Figure 50 Create a segment Figure 51 Configure the segment

Page 74

69 Appendix-OAA Configuration NOTE: The OAA client and the OAA server mentioned in the following configuration procedure and configuration example

Page 75

70 • Interface-connecting component: It connects the interface of the routing/switching component to that of the independent service component, allo

Page 76 - Appendix-OAA Configuration

71 Figure 53 OAA configuration Table 8 describes OAA client configuration items. Table 8 OAA client configuration items Item Description ACFP Clien

Page 77 - Configuring OAA Client

72 OAA Configuration Example Network requirements • The intranet is interconnected to the Internet through Device B that acts as the ACFP server. •

Page 78

1 Overview Introduction to the Manual This manual mainly consists of the following chapters: • SecBlade IPS Cards Overview: Describes the functions a

Page 79 - OAA Configuration Example

73 Figure 55 OAA configuration • Type v3user as the username. • Type 192.168.1.1 as the IP address of the OAA server. • Type 100 as VLAN ID. •

Page 80

74 • Add interface GigabitEthernet 4/0/1. • Click Apply. # Add an external security zone. • Click Add. • Type zone2 as the name. • Add interface

Page 81

75 Figure 60 Rule management Figure 61 Add a rule • Select URL Filter Policy from the Policy drop-down list. • Type rule1 as the name.

Page 82

76 • Type filter www.abc.com as the description. • Select the By fixed string check box and type www.abc.com. • Select Any time from the Time Tabl

Page 83

77 Figure 64 Activate the configuration

Page 84

78 Index C Configuring OAA Client 70 F Feature List 5 I IM-IPS Card Configuration 60 Introduction to the Manual 1 Introduction 2 L LSB1IPS1A0 Card Co

Page 85

2 SecBlade IPS Cards Overview Introduction H3C Intrusion Prevention System (IPS) products fall into two categories. 1. H3C SecPath T series • T20
