Configuration Guide - Network Management and Monitoring

S2720, S5700, and S6720 V200R013C00

This document describes the configurations of Network Management and Monitoring, including SNMP, RMON, RMON2, LLDP, Performance Management, iPCA, NQA, Service Diagnosis, Mirroring, Packet Capture, NetStream, sFlow, TWAMP Light, NETCONF, ECA, Intelligent Video O&M, eMDI, and Network Deception.
Example for Configuring ECA

Networking Requirements

On the network shown in Figure 14-3, the customer wants to perform ECA on traffic sent from and to SwitchB and SwitchC. The traffic from PC1 is trusted and does not require ECA.

Figure 14-3  Networking diagram for configuring ECA

Procedure

  1. Configure SwitchA.
    1. Set the resource allocation mode of SwitchA to eca.

      <HUAWEI> system-view
      [HUAWEI] sysname SwitchA
      [SwitchA] assign resource-mode eca

      NOTE:
      After the resource allocation mode of a switch is set to eca, restart the switch for the configuration to take effect.

    2. Configure parameters for SwitchA to interoperate with the CIS server.

      # Specify the IP address and port number of the CIS server. The CIS server must provide basic big data services.

      [SwitchA] flow-probe metadata-collect server ip 10.10.11.11 port 8514

      # Specify the source IP address and port number used by SwitchA to connect to the CIS server. Any IP address configured on the switch can be used as the source address, provided the CIS server can reach it.

      [SwitchA] flow-probe metadata-collect source ip 10.10.10.1 port 11111

    3. Configure an ECA whitelist so that ECA is not performed on the traffic sent from PC1.

      # Add a rule in ACL 3000 to permit traffic whose source address is in 10.10.10.2/24 (wildcard mask 0.0.0.255).

      [SwitchA] acl 3000
      [SwitchA-acl-adv-3000] rule permit ip source 10.10.10.2 0.0.0.255
      [SwitchA-acl-adv-3000] quit

      # Add ACL 3000 to the ECA whitelist.

      [SwitchA] ec-analytics whitelist acl 3000

    4. Enable the IAE and enable ECA on VLANIF 10 and VLANIF 20.

      [SwitchA] defence engine enable
      [SwitchA] interface vlanif 10
      [SwitchA-Vlanif10] ec-analytics enable
      [SwitchA-Vlanif10] quit
      [SwitchA] interface vlanif 20
      [SwitchA-Vlanif20] ec-analytics enable
      [SwitchA-Vlanif20] quit

    5. Configure a NetStream flexible flow statistics template and apply the template to the physical interfaces corresponding to VLANIF 10 and VLANIF 20.

      # Configure a NetStream flexible flow statistics template to aggregate flows based on 5-tuple information and collect statistics about the number of packets, number of bytes, and inbound and outbound interface indexes.

      [SwitchA] ip netstream record eca
      [SwitchA-record-eca] match ip source-address
      [SwitchA-record-eca] match ip destination-address
      [SwitchA-record-eca] match ip source-port
      [SwitchA-record-eca] match ip destination-port
      [SwitchA-record-eca] match ip protocol
      [SwitchA-record-eca] collect counter packets
      [SwitchA-record-eca] collect counter bytes
      [SwitchA-record-eca] collect interface input
      [SwitchA-record-eca] collect interface output
      [SwitchA-record-eca] quit

      # Enable IPv4 flow statistics collection in the outbound and inbound directions of GE0/0/1 and GE0/0/2, set the fixed sampling ratio to 1:1, and apply the NetStream flexible flow statistics template.

      [SwitchA] interface gigabitethernet 0/0/1
      [SwitchA-GigabitEthernet0/0/1] ip netstream inbound
      [SwitchA-GigabitEthernet0/0/1] ip netstream outbound
      [SwitchA-GigabitEthernet0/0/1] ip netstream sampler fix-packets 1 inbound
      [SwitchA-GigabitEthernet0/0/1] ip netstream sampler fix-packets 1 outbound
      [SwitchA-GigabitEthernet0/0/1] port ip netstream record eca
      [SwitchA-GigabitEthernet0/0/1] quit
      [SwitchA] interface gigabitethernet 0/0/2
      [SwitchA-GigabitEthernet0/0/2] ip netstream inbound
      [SwitchA-GigabitEthernet0/0/2] ip netstream outbound
      [SwitchA-GigabitEthernet0/0/2] ip netstream sampler fix-packets 1 inbound
      [SwitchA-GigabitEthernet0/0/2] ip netstream sampler fix-packets 1 outbound
      [SwitchA-GigabitEthernet0/0/2] port ip netstream record eca
      [SwitchA-GigabitEthernet0/0/2] quit

  2. Configure parameters for the CIS server to interoperate with SwitchA.
    1. Log in to the CIS server using an administrator account.
    2. Choose System > System Management > Service and click next to Big Data Basic Service.
    3. On the Third-Party Data Source tab page, click Add, set Data Source Name to SwitchA, set Data Source IP Address to 10.10.10.1, and click Save and Deliver.

  3. Configure the CIS server to deliver associated policies to the Agile Controller-Campus.
    1. Configure the Agile Controller-Campus.

      1. Log in to the Agile Controller-Campus using an administrator account.
      2. Choose System > Terminal Configuration > Global Parameters > Third-Party Interconnection.
      3. Click Configure Restful Webservice Authentication, enable HTTP protocol and HTTPS protocol, set Account to admin, set both Authentication password and Confirm password to Huawei@2018, and click OK.

    2. Configure the CIS server.

      1. Return to the CIS homepage and choose Security Response > Linkage Device Conf.
      2. On the Device tab page, click Add, and configure the Agile Controller-Campus information. The user name and password must be the same as those configured on the Agile Controller-Campus. After setting the parameters, click Save.

      3. Choose Linkage Rule Conf from the navigation tree. On the Linkage Rule tab page, click Create to create an associated rule. In the Linkage Rule area, set Trigger Mode to Manual Linkage, Threat Type to Suspicious C&C Traffic, and Change Event Status to OFF (if Change Event Status is set to ON, the event status is automatically confirmed). In the Device Linkage area, select Agile Controller-Campus. After setting the parameters, click OK.

      4. On the Linkage Rule tab page, enable the new associated rule as required. If the rule is enabled, the system automatically changes the status of a successfully associated threat event to a threat. If the rule is not enabled, you need to manually check whether an event is a threat.

    3. Manually enable the CIS server to deliver associated policies to the Agile Controller-Campus.

      1. Return to the CIS homepage and choose Threat Event > Threat Detail.
      2. Set event query parameters and click Search. View events whose Event Name is Suspicious C&C Traffic, and view the IP/Asset under Threat and Threat Source information. After confirming that an event is a threat, click to manually deliver associated policies to the Agile Controller-Campus to block the traffic.

  4. Verify the configuration.
    1. View traffic on which ECA is performed.

      # Log in to the CIS server and choose Intelligent Retrieval > Metadata Retrieval to view the traffic on which ECA is performed.

      # Choose Intelligent Retrieval > Event Retrieval to view ECA events.

    2. Check whether the CIS server has delivered the associated rule to the Agile Controller-Campus.

      # Choose Security Response > Linkage Device Conf and click the Results tab to view the blocked traffic. If Linkage Status shows Linkage Success, the CIS server has successfully delivered the associated rule to the Agile Controller-Campus. The following figure is for reference only.

    3. Check whether the Agile Controller-Campus has delivered the associated rule to SwitchA.

      # Run the display current-configuration command on SwitchA. If information similar to the following is displayed, the Agile Controller-Campus has delivered an ACL rule to SwitchA that blocks the attack traffic matching it.

      [SwitchA] display current-configuration
      ...
      #
      acl name Auto_PGM_OPEN_POLICY 3999
       rule 1 deny ip source 192.168.10.3 0 destination 10.10.10.3 0
      #
      ...
      #
      traffic-secure inbound acl name Auto_PGM_OPEN_POLICY
      #
      ...
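To make the two ACLs on this page concrete, the following added Python example (not part of the Huawei guide) evaluates rules with Huawei wildcard-mask semantics against constructed flows: ACL 3000 as the ECA whitelist, and the auto-delivered Auto_PGM_OPEN_POLICY deny rule. It shows that the wildcard 0.0.0.255 exempts every host in 10.10.10.0/24 from ECA, not only PC1, while the delivered deny rule matches exactly one source/destination pair in one direction.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One rule of a Huawei advanced ACL: action plus source/destination address and wildcard."""
    action: str                         # "permit" or "deny"
    src: str
    src_wild: str
    dst: str = "0.0.0.0"                # no destination in the rule: any destination matches
    dst_wild: str = "255.255.255.255"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """VRP wildcard semantics: a 0 bit must match, a 1 bit is ignored (inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """First matching rule wins; None means no rule in the ACL matched."""
    for r in rules:
        if wildcard_match(src, r.src, r.src_wild) and wildcard_match(dst, r.dst, r.dst_wild):
            return r.action
    return None


# ACL 3000 from the example: the ECA whitelist (rule permit ip source 10.10.10.2 0.0.0.255).
ECA_WHITELIST = [Rule("permit", "10.10.10.2", "0.0.0.255")]

# ACL Auto_PGM_OPEN_POLICY 3999 as delivered by the Agile Controller-Campus. The CLI shorthand
# wildcard "0" means 0.0.0.0, i.e. the host address must match exactly.
BLOCK_POLICY = [Rule("deny", "192.168.10.3", "0.0.0.0", "10.10.10.3", "0.0.0.0")]


def classify(src: str, dst: str) -> str:
    """Constructed decision order: the delivered deny rule (traffic-secure) is checked first,
    then the ECA whitelist; everything else is subject to ECA."""
    if evaluate(BLOCK_POLICY, src, dst) == "deny":
        return "blocked"
    if evaluate(ECA_WHITELIST, src, dst) == "permit":
        return "eca-exempt"
    return "eca-analysed"


if __name__ == "__main__":
    # Constructed sample flows: PC1, another host in PC1's subnet, the attack pair from the display output.
    for flow in [("10.10.10.2", "192.168.10.3"), ("10.10.10.200", "192.168.10.3"),
                 ("192.168.10.3", "10.10.10.3"), ("10.10.10.3", "192.168.10.3")]:
        print(flow, "->", classify(*flow))
```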

Updated: 2019-04-20

Document ID: EDOC1100065680