eSight V300R010C00 Operation Guide 07

Typical Configuration Examples

This section describes typical configuration examples in typical application scenarios, helping users complete various operations based on the actual scenarios.

Configuring NTA Port Traffic Monitoring

The NTA can monitor network-wide traffic in real time and provide multi-dimensional traffic analysis reports, helping users detect abnormal traffic on the network and network bandwidth usage in time.

Applicable Products and Versions

V200R005C00 or later versions

Networking Requirements

Enterprise user departments A and B are connected to the Internet through switches and firewalls. The users want to see the traffic exchanged between the two departments and the Internet.

Figure 12-67 Traffic Monitoring Networking
Data Plan
Table 12-55 Basic data

Item                  Data
--------------------  --------------------------------------------
Collector (eSight)    IP address: 10.1.2.2/24
S9700 devices         SNMP parameters:
                        • Version: SNMPv2c
                        • Read community: public123
                        • Write community: private123
                      IP address: 10.1.1.10/24

Requirement Analysis

To monitor traffic of departments A and B in an enterprise, you can use either of the following methods to configure NetStream sampling:

  • Perform bidirectional sampling on GE0/0/1 through which traffic of the two departments passes.
  • Perform inbound one-way sampling on the incoming ports GE0/0/25 and GE0/0/26 of the two departments and incoming port GE0/0/1 of Internet traffic.
Configuration Roadmap
  1. Set SNMP parameters and NetStream parameters on the S9700 device.
  2. Add the S9700 device to eSight.
  3. Add a collector.
  4. Configure the device and port for traffic monitoring.
  5. Monitor port traffic.
Procedure
  1. Set SNMP and NetStream parameters on the S9700 device.

    NOTE:

    This section uses S9700 NetStream V5 as an example. For other device models, see the configuration manual.

    # Set SNMP parameters on the S9700 device.

    <S9700>system-view 
    [S9700]snmp-agent 
    [S9700]snmp-agent sys-info version v2c  
    [S9700]snmp-agent mib-view included View_ALL iso 
    [S9700]snmp-agent community read cipher public123 mib-view View_ALL
    [S9700]snmp-agent community write cipher private123 mib-view View_ALL
    [S9700]snmp-agent trap enable 
    Info: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
    [S9700]snmp-agent target-host trap address udp-domain 10.1.2.2 source GigabitEthernet 0/0/1 udp-port 162 params securityname Public_123 v2c
    [S9700]snmp-agent packet max-size 12000
    [S9700]quit

    # Set NetStream parameters on the S9700 device. Either of the following configurations can be used (the prompt changes to [S9700] in the system view and to [S9700-GigabitEthernetX/Y/Z] in the interface view):

    • Perform bidirectional sampling on GE0/0/1 through which traffic of the two departments passes.
      <S9700> system-view
      [S9700] ip netstream export source 10.1.1.10
      [S9700] ip netstream export host 10.1.2.2 9995
      [S9700] ip netstream timeout active 60
      [S9700] interface gigabitethernet 0/0/1
      [S9700-GigabitEthernet0/0/1] ip netstream inbound
      [S9700-GigabitEthernet0/0/1] ip netstream outbound
      [S9700-GigabitEthernet0/0/1] quit
      [S9700] quit
      <S9700> save
    • Perform inbound one-way sampling on the incoming ports GE0/0/25 and GE0/0/26 of the two departments and incoming port GE0/0/1 of Internet traffic.
      <S9700> system-view
      [S9700] ip netstream export source 10.1.1.10
      [S9700] ip netstream export host 10.1.2.2 9995
      [S9700] ip netstream timeout active 60
      [S9700] interface gigabitethernet 0/0/1
      [S9700-GigabitEthernet0/0/1] ip netstream inbound
      [S9700-GigabitEthernet0/0/1] quit
      [S9700] interface gigabitethernet 0/0/25
      [S9700-GigabitEthernet0/0/25] ip netstream inbound
      [S9700-GigabitEthernet0/0/25] quit
      [S9700] interface gigabitethernet 0/0/26
      [S9700-GigabitEthernet0/0/26] ip netstream inbound
      [S9700-GigabitEthernet0/0/26] quit
      [S9700] quit
      <S9700> save

  2. Add the S9700 device to eSight.

    1. Choose Resource > Common > Add Resource > Add Resource from the main menu.
    2. Set SNMP parameters and click OK.

  3. Add a collector.

    1. Choose Resource > Network > Network Traffic Analysis > Traffic Config from the main menu.

    2. Choose Basic Config > Collector, click Add, and set collector parameters.

  4. Configure the port for traffic monitoring.

    Choose Basic Config > Interface from the navigation tree on the left, select the status check box of each interface to be monitored, and click the icon. Which interfaces to select depends on the sampling method configured on the device in step 1:
    • Bidirectional sampling on GE0/0/1, through which traffic of the two departments passes.

    • Inbound one-way sampling on the incoming ports GE0/0/25 and GE0/0/26 of the two departments and the incoming port GE0/0/1 of Internet traffic.

  5. Monitor port traffic.

    1. Choose Resource > Network > Network Traffic Analysis > Traffic Monitor from the main menu.
    2. Choose Traffic Monitor > Interface from the navigation tree on the left to view the port traffic.
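The NetStream configuration above exports flow records to the collector at 10.1.2.2 on UDP port 9995. The following is an added example, not code from this guide or from eSight, showing what such a collector has to do with each datagram: validate the header, refuse truncated or oversized exports, and decode the fixed-size records. It assumes that the S9700 NetStream V5 export uses the NetFlow v5 record layout (24-byte header, 48-byte records); the addresses in the constructed sample datagram are documentation placeholders.

```python
"""Minimal NetFlow v5 / NetStream V5 datagram parser (added example, assumption:
Huawei NetStream V5 export is laid out like NetFlow v5)."""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass
from typing import List

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling (2-bit mode + 14-bit interval).
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2.
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48 bytes
MAX_RECORDS = 30                           # v5 exporters send at most 30 records per datagram


@dataclass
class FlowRecord:
    src: str
    dst: str
    in_if: int
    out_if: int
    packets: int
    octets: int
    src_port: int
    dst_port: int
    tcp_flags: int
    proto: int


@dataclass
class NetFlowV5Export:
    sampling_interval: int        # 0 means the exporter did not sample
    records: List[FlowRecord]


def parse_netflow_v5(datagram: bytes) -> NetFlowV5Export:
    """Decode one export datagram; raise ValueError on anything malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, sampling = \
        struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    expected = HEADER_LEN + count * RECORD_LEN
    if len(datagram) < expected:
        # Never trust the count field: a short datagram must not be read past its end.
        raise ValueError("truncated datagram: header claims more records than present")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nh, in_if, out_if, pkts, octs, _first, _last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            struct.unpack_from(RECORD_FMT, datagram, off)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  in_if, out_if, pkts, octs, sport, dport, flags, proto))
    # When sampling is on, multiply packet/octet counts by the interval to estimate real volume.
    return NetFlowV5Export(sampling_interval=sampling & 0x3FFF, records=records)


def is_well_formed(datagram: bytes) -> bool:
    """True if the datagram parses cleanly, False if the parser rejected it."""
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def build_sample_datagram() -> bytes:
    """Constructed sample export with two records (placeholder addresses, not real traffic)."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1560000000, 0, 100, 0, 0, 1000)
    rec1 = struct.pack(RECORD_FMT, socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
                       b"\0" * 4, 25, 1, 1200, 1536000, 1000, 2000, 51514, 443, 0, 0x18, 6, 0,
                       0, 0, 24, 24, 0)
    rec2 = struct.pack(RECORD_FMT, socket.inet_aton("192.0.2.11"), socket.inet_aton("198.51.100.9"),
                       b"\0" * 4, 26, 1, 3, 180, 1100, 1100, 40001, 25, 0, 0x02, 6, 0,
                       0, 0, 24, 24, 0)
    return header + rec1 + rec2


if __name__ == "__main__":
    export = parse_netflow_v5(build_sample_datagram())
    for r in export.records:
        print(f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port} proto={r.proto} "
              f"pkts={r.packets} octets={r.octets} in_if={r.in_if}")
```

A real collector would wrap `parse_netflow_v5` in a UDP receive loop bound to port 9995 and drop datagrams from sources other than the configured exporter address (10.1.1.10 here); the length checks matter because the count field is attacker-controllable on an unauthenticated UDP protocol.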

Verification

Log in to the S9700 device and check the ratios of incoming and outgoing traffic on ports GE0/0/25, GE0/0/26, and GE0/0/1. If the ratios for the three ports are the same as those displayed on eSight, the configuration is correct.

NOTE:

The configuration is also correct if the ratios for the three ports differ from those on eSight by no more than 10%.

<S9700>display interface brief | include up                                                                                    
PHY: Physical                                                                                                                       
*down: administratively down                                                                                                        
#down: LBDT down                                                                                                                    
(l): loopback                                                                                                                       
(s): spoofing                                                                                                                       
(E): E-Trunk down                                                                                                                   
(b): BFD down                                                                                                                       
(e): ETHOAM down                                                                                                                    
(dl): DLDP down                                                                                                                     
(lb): LBDT block                                                                                                                    
InUti/OutUti: input utility/output utility                                                                                          
Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors                                                      
Eth-Trunk1                  up    up(s)       20%    20%          0          0                                                      
  GigabitEthernet0/0/25     up    up(s)       20%    20%          0          0                                                      
  GigabitEthernet0/0/26     up    up(s)       20%    20%          0          0                                                      
GigabitEthernet0/0/10       up    up(s)     0.01%  0.20%          0          0                                                      
MEth0/0/1                   up    up        0.05%  0.01%          0          0                                                      
NULL0                       up    up(s)        0%     0%          0          0                                                      
Vlanif1                     up    up           --     --          0          0                                                      
GigabitEthernet0/0/1        up    up           40%   40%          0          0                                                                                      
<S9700>                 
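The 10% tolerance in the verification step is easy to apply by hand for three ports but tedious for a full switch, so here is an added example (not part of the guide or of eSight) that parses the `display interface brief` rows above and compares each port's InUti/OutUti against values read from the eSight interface view. It assumes the tolerance is a relative difference of at most 10% per figure, and the eSight values in the sample are constructed; the device output is the one shown above, retyped as a constant.

```python
"""Compare device-side utilisation with eSight values within a tolerance (added example)."""
import re
from typing import Dict, Optional, Tuple

# One data row of "display interface brief":
# name  PHY  Protocol  InUti  OutUti  inErrors  outErrors
ROW_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<phy>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<inu>\S+)\s+(?P<outu>\S+)\s+(?P<inerr>\d+)\s+(?P<outerr>\d+)\s*$"
)

# Device output from the verification step (retyped from the guide).
SAMPLE_OUTPUT = """\
<S9700>display interface brief | include up
PHY: Physical
*down: administratively down
InUti/OutUti: input utility/output utility
Interface                   PHY   Protocol  InUti OutUti   inErrors  outErrors
Eth-Trunk1                  up    up(s)       20%    20%          0          0
  GigabitEthernet0/0/25     up    up(s)       20%    20%          0          0
  GigabitEthernet0/0/26     up    up(s)       20%    20%          0          0
GigabitEthernet0/0/10       up    up(s)     0.01%  0.20%          0          0
MEth0/0/1                   up    up        0.05%  0.01%          0          0
NULL0                       up    up(s)        0%     0%          0          0
Vlanif1                     up    up           --     --          0          0
GigabitEthernet0/0/1        up    up           40%   40%          0          0
<S9700>
"""

# Constructed eSight readings: port -> (InUti %, OutUti %).
SAMPLE_ESIGHT = {
    "GigabitEthernet0/0/25": (20.0, 20.0),   # exact match
    "GigabitEthernet0/0/26": (20.0, 21.0),   # within 10%
    "GigabitEthernet0/0/1": (40.0, 45.0),    # outgoing differs by more than 10%
}


def _percent(token: str) -> Optional[float]:
    """'20%' -> 20.0, '0.01%' -> 0.01, '--' (no counter on this interface) -> None."""
    if token == "--":
        return None
    return float(token.rstrip("%"))


def parse_utilization(output: str) -> Dict[str, Optional[Tuple[float, float]]]:
    """Map interface name -> (InUti, OutUti); legend, header and prompt lines are skipped."""
    ports: Dict[str, Optional[Tuple[float, float]]] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        in_u, out_u = _percent(m["inu"]), _percent(m["outu"])
        ports[m["name"]] = None if in_u is None or out_u is None else (in_u, out_u)
    return ports


def relative_close(a: float, b: float, tolerance: float) -> bool:
    """True if a and b differ by at most `tolerance` of the larger value."""
    if a == b:
        return True
    return abs(a - b) / max(abs(a), abs(b)) <= tolerance


def check_against_esight(device_output: str,
                         esight: Dict[str, Tuple[float, float]],
                         tolerance: float = 0.10) -> Dict[str, bool]:
    """Per port: True when both InUti and OutUti agree with eSight within the tolerance."""
    device = parse_utilization(device_output)
    verdict: Dict[str, bool] = {}
    for port, (e_in, e_out) in esight.items():
        d = device.get(port)
        if d is None:
            verdict[port] = False   # port absent from the device output or has no counters
            continue
        verdict[port] = (relative_close(d[0], e_in, tolerance)
                         and relative_close(d[1], e_out, tolerance))
    return verdict


if __name__ == "__main__":
    for port, ok in check_against_esight(SAMPLE_OUTPUT, SAMPLE_ESIGHT).items():
        print(f"{port}: {'OK' if ok else 'MISMATCH'}")
```

A port reported as MISMATCH is the cue to re-check that NetStream sampling is enabled in the intended direction on that interface and that the interface is enabled for monitoring in Basic Config > Interface.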

Example for Using NTA to Quickly Locate the Source Host That Sends Attack Packets

This section describes how to use the traffic analysis function provided by the NTA component to quickly locate the source host that sends attack packets, and restore normal network operations.

Applicable Products and Versions

V200R005C00 or later versions

Networking Requirements

Devices on the campus network of a company have been added to eSight. The network administrator, Thomas, finds that the number of users and the network scale have remained stable over the past two years, yet access to the email server has become slow. Thomas also receives an alarm from eSight indicating that interface usage on the access device connected to the email server is high. Thomas needs to locate the fault based on the detailed alarm information.

Figure 12-68 Networking of the company

Configuration Roadmap
  1. Switch from the topology view to the NTA traffic analysis page to view detailed traffic data of the access switch connected to the email server.
  2. Create a traffic forensics task to view detailed information about original flows.
  3. Execute the traffic forensics task.
  4. View detailed data in the task execution result, and save the data to a local device. This enables network security specialists to view data.
Prerequisites
  • You have the operator user rights or higher.
  • Communication has been established between eSight and the devices, and eSight can manage and maintain the devices. For details, see Example for Configuring Automatic Device Discovery Using SNMPv2c.
  • eSight NTA can normally monitor the devices, and you have received NTA traffic alarms from eSight.
Procedure
  1. Click the icon indicating critical alarms on the eSight home page to display the current alarm list.

  2. Click the icon next to the desired traffic alarm to display the topology page.
  3. Switch from the topology view to the NTA traffic analysis page to view detailed traffic data of the access switch connected to the email server.

    1. In the topology view, right-click the link that reports an alarm and choose View Interface Traffic > Last 15 minutes from the shortcut menu.

    2. On the displayed NTA interface traffic analysis page, you can view top N source hosts with high interface traffic volume in TOP N Host - From. Click the link of the host name with the highest interface traffic volume to display the traffic analysis page of the source host.

    3. In TOP N Conversation, you can find that the percentage of traffic from the source host to the access switch connected to the email server is 100%, indicating that the source host is consuming email server resources.

    4. Click Conversation to view detailed conversation information. You can find that the traffic volume and packet count of all the records are identical, indicating that an attack may be in progress.

  4. Create a traffic forensics task to view detailed information about original flows. Attacks do not exist if the original flows are of a specific protocol, with specific source and destination host ports, and have fixed flow size and packet number.

    1. In the navigation tree on the left, choose Traffic Monitor > Flow Forensic.
    2. Click Create. The page for creating a traffic forensics task is displayed.

    3. Set Name, Description, and Time Range.
    4. Set Interface and click Add Interface to specify an interface filter criterion. You can specify multiple interface filter criteria simultaneously.
    5. Set Filter and click Add to add an interface filter criterion to the list below. You can add multiple filter criteria simultaneously.
    6. Set Data Save Days. The value of the parameter ranges from 1 to 30 days, and the default value is 7 days.
    7. Click OK. A traffic forensics task is created.

  5. Click the icon in the traffic forensics task list to run the traffic forensics task manually.
  6. On the Flow Forensic page, click the icon in the Operation column to view detailed traffic data.
  7. On the Traffic Forensics page, click Export Data to export the data to a local device so that network security specialists can review it.

Verification
  • Check the port numbers and TCP flags to determine whether the host is launching a TCP flood attack against the email server.
  • After the fault is rectified, check that the alarm is cleared and that the link traffic returns to normal.
Summary and Suggestions
  • Typical characteristics of virus-infected packets: The packets use a specific protocol, with specific source and destination host ports, and have a fixed flow size and packet count.
  • Attack characteristics: The attacker opens a very large number of SMTP connections (generally TCP connections) to the server from different source ports, and sends packets of fixed length at a fixed rate.
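The two signals used in the procedure (a source host whose conversations go 100% to the email server, and conversation records with identical traffic volume and packet count) and the attack characteristics in the summary can be turned into a check that runs over exported flow records. The following added example is not code from this guide or from eSight; it works on a constructed set of flow records with documentation placeholder addresses, flags a (source, destination, protocol, destination port) group whose flows all have the same size and packet count while each uses a different source port, and reports what share of a host's traffic goes to each destination. The threshold of five flows per group is an assumption chosen for the sample.

```python
"""Flow-record heuristics for the fixed-size, many-source-port pattern (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int        # IP protocol number, 6 = TCP
    src_port: int
    dst_port: int
    packets: int
    octets: int


def conversation_share(flows: List[Flow], src: str) -> Dict[str, float]:
    """Fraction of `src`'s total octets sent to each destination (the 'TOP N Conversation' view)."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.src == src:
            totals[f.dst] += f.octets
    grand = sum(totals.values())
    return {dst: octs / grand for dst, octs in totals.items()} if grand else {}


def find_fixed_pattern_flows(flows: List[Flow], min_flows: int = 5) -> List[dict]:
    """Report groups where every flow has the same (packets, octets) and a distinct source port.

    Legitimate clients reuse connections and transfer varying amounts of data, so a group of
    many identical short flows, each from a new source port, matches the attack pattern the
    guide describes. `min_flows` is an assumed threshold for the sample data.
    """
    groups: Dict[tuple, List[Flow]] = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.proto, f.dst_port)].append(f)

    findings = []
    for (src, dst, proto, dport), grp in groups.items():
        if len(grp) < min_flows:
            continue
        sizes = {(f.packets, f.octets) for f in grp}
        src_ports = {f.src_port for f in grp}
        if len(sizes) == 1 and len(src_ports) == len(grp):
            packets, octets = next(iter(sizes))
            findings.append({
                "src": src, "dst": dst, "proto": proto, "dst_port": dport,
                "flows": len(grp), "packets_per_flow": packets, "octets_per_flow": octets,
            })
    return findings


def sample_flows() -> List[Flow]:
    """Constructed records: one host hammering the mail server (TCP/25) with identical flows,
    one normal client with varied flows to the same server and to an HTTPS site."""
    mail_server = "192.0.2.25"          # placeholder address
    flows = [Flow("192.0.2.50", mail_server, 6, 40000 + i, 25, 3, 180) for i in range(8)]
    flows += [Flow("192.0.2.60", mail_server, 6, 50000 + i, 25, 12 + i, 900 + 70 * i)
              for i in range(6)]
    flows.append(Flow("192.0.2.60", "198.51.100.7", 6, 51000, 443, 40, 30000))
    return flows


if __name__ == "__main__":
    records = sample_flows()
    for hit in find_fixed_pattern_flows(records):
        share = conversation_share(records, hit["src"])[hit["dst"]]
        print(f"{hit['src']} -> {hit['dst']}:{hit['dst_port']} proto={hit['proto']}: "
              f"{hit['flows']} identical flows ({hit['packets_per_flow']} pkts, "
              f"{hit['octets_per_flow']} octets each), {share:.0%} of the host's traffic")
```

On the sample data the normal client is not reported even though it also has more than five flows to the mail server, because its flow sizes vary; the reported host is the one whose every flow is identical and whose traffic goes entirely to the server, which is the combination the procedure uses to pick the source for a forensics task.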
Updated: 2019-06-30

Document ID: EDOC1100044378