Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Example for Outputting SSL-Encrypted Logs to a Log Host

Networking Requirements

As shown in Figure 16-7, SwitchA connects to four log hosts. The network administrator wants logs of different types and severities to be sent to different log hosts, so that information generated by different modules on SwitchA can be monitored in real time. Reliability of the logs must also be ensured.

Figure 16-7 Networking diagram for outputting logs to a log host

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an SSL client policy to verify the identity of the log host and ensure secure transmission of logs.

    Assume that the log host has obtained a certificate from the CA. The trusted-CA files 1_cacert_pem_rsa.pem and 1_rootcert_pem_rsa.pem have been uploaded to the security subdirectory on SwitchA; the switch uses them to verify the certificate the log host presents during the SSL handshake.

  2. Enable the information center.

  3. Configure SwitchA to send notification-level logs generated by the ARP module to Server1, and specify Server3 as the backup of Server1. Configure SwitchA to send warning-level logs generated by the AAA module to Server2, and specify Server4 as the backup of Server2.

  4. Configure the log host on the server so that the network administrator can receive logs generated by SwitchA on the log host.

Procedure

  1. Configure an SSL client policy.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] ssl policy syslog_client
    [*SwitchA-ssl-policy-syslog_client] trusted-ca load pem-ca 1_cacert_pem_rsa.pem
    [*SwitchA-ssl-policy-syslog_client] trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
    [*SwitchA-ssl-policy-syslog_client] commit
    [~SwitchA-ssl-policy-syslog_client] quit
    
    After the configuration is complete, run the display ssl policy command on SwitchA to view detailed information about the trusted-CA files that have been loaded.
    [~SwitchA] display ssl policy
    
           SSL Policy Name: syslog_client 
         Policy Applicants: 
             Key-pair Type:
     Certificate File Type:
          Certificate Type:
      Certificate Filename:
         Key-file Filename:
                  CRL File:
           Trusted-CA File:
         Trusted-CA File 1: Format = PEM, Filename = 1_cacert_pem_rsa.pem
         Trusted-CA File 2: Format = PEM, Filename = 1_rootcert_pem_rsa.pem

  2. Enable the information center.

    [~SwitchA] info-center enable
    [*SwitchA] commit
    

  3. Configure a channel and a rule for outputting logs to a log host.

    # Name a channel.

    [~SwitchA] info-center channel 6 name loghost1
    [*SwitchA] info-center channel 7 name loghost2
    [*SwitchA] commit
    

    # Configure a channel for outputting logs to a log host.

    [~SwitchA] info-center loghost 10.1.1.1 channel loghost1 transport tcp ssl-policy syslog_client
    [*SwitchA] info-center loghost 10.1.1.2 channel loghost1 transport tcp ssl-policy syslog_client
    [*SwitchA] info-center loghost 10.2.1.1 channel loghost2 transport tcp ssl-policy syslog_client
    [*SwitchA] info-center loghost 10.2.1.2 channel loghost2 transport tcp ssl-policy syslog_client
    [*SwitchA] commit
    

    # Configure a rule for outputting logs to a log host.

    [~SwitchA] info-center source arp channel loghost1 log level notification
    [*SwitchA] info-center source aaa channel loghost2 log level warning
    [*SwitchA] commit
    

  4. Specify the source interface for sending logs.

    # Specify the source interface for sending logs.

    [~SwitchA] info-center loghost source vlanif 100
    [*SwitchA] commit
    

  5. Configure the log host on the server.

    The device can generate a large number of logs, which may exceed its limited storage space. To address this problem, configure a log host to store all the logs.

    The log host can run the Unix or Linux operating system or run third-party log software. For details about the configuration procedure, see the relevant documentation.

  6. Verify the configuration.

    # View the configured log hosts.

    [~SwitchA] display info-center
    Information Center:enabled
    Log host: 
            10.1.1.1, channel number 6, channel name loghost1,
    language English , host facility local7, transport tcp ssl-policy syslog_client
            10.1.1.2, channel number 6, channel name loghost1, 
    language English , host facility local7, transport tcp ssl-policy syslog_client
            10.2.1.1, channel number 7, channel name loghost2,
    language English , host facility local7, transport tcp ssl-policy syslog_client
            10.2.1.2, channel number 7, channel name loghost2, 
    language English , host facility local7, transport tcp ssl-policy syslog_client
    Console: 
            channel number : 0, channel name : console 
    Monitor: 
            channel number : 1, channel name : monitor  
    SNMP Agent:  
            channel number : 5, channel name : snmpagent 
    Log buffer:  
            enabled,max buffer size 10240, current buffer size 512,
    current messages 316, channel number : 4, channel name : logbuffer 
    dropped messages 0, overwritten messages 0
    Trap buffer: 
            enabled,max buffer size 1024, current buffer size 256,
    current messages 256, channel number:3, channel name:trapbuffer
    dropped messages 0, overwritten messages 53
    logfile: 
            channel number : 9, channel name : channel9, language : English
    Information timestamp setting:
            log - date, trap - date, debug - date millisecond
    
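    Step 5 leaves the log-host side to other documentation. The following is an added example, not code from this Huawei guide: a minimal TLS syslog receiver for the log host, plus the severity filtering that the info-center rules above express ("log level notification" is treated as "notification or more severe", the usual syslog meaning). The certificate and key file names, port 6514 and the sample lines are assumptions or constructed for the example; the certificate presented must chain to one of the trusted-CA files loaded in the ssl policy, or SwitchA will refuse the session.

```python
import socket
import ssl
from typing import Iterable, Iterator, List, Tuple

# RFC 3164/5424 severity numbers: lower means more severe.
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debug"}
LOCAL7 = 23  # the "host facility local7" shown by display info-center


def parse_pri(line: str) -> Tuple[int, int]:
    """Split the leading <PRI> field into (facility, severity); PRI = facility*8 + severity."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    pri = int(line[1:line.index(">")])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def at_least(severity: int, threshold: str) -> bool:
    """True when a message is at least as severe as the named level."""
    limit = {name: num for num, name in SEVERITY.items()}[threshold]
    return severity <= limit


def filter_lines(lines: Iterable[str], threshold: str) -> List[str]:
    """Keep only lines that meet the threshold, as the switch's rule does before sending."""
    return [ln for ln in lines if at_least(parse_pri(ln)[1], threshold)]


def serve_tls(certfile: str, keyfile: str, port: int = 6514) -> Iterator[str]:
    """Accept one TLS connection from the switch and yield the syslog lines it sends.
    certfile/keyfile are assumed paths to the log host's certificate and private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_server(("", port)) as srv, ctx.wrap_socket(srv, server_side=True) as tls:
        conn, _peer = tls.accept()  # the TLS handshake happens here
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as stream:
            for line in stream:
                yield line.rstrip("\r\n")


# Constructed sample lines (not captured from a real device): PRI 189 = local7/notification,
# 188 = local7/warning, 190 = local7/informational.
SAMPLE = [
    "<189>Jan  1 2019 10:00:00 SwitchA constructed notification message",
    "<188>Jan  1 2019 10:00:01 SwitchA constructed warning message",
    "<190>Jan  1 2019 10:00:02 SwitchA constructed informational message",
]
```

Run `for line in serve_tls("/path/to/server.pem", "/path/to/server.key"): print(line)` on the log host to receive the stream; `filter_lines(SAMPLE, "notification")` shows which of the sample lines a notification-level rule would let through.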

Configuration Files

  • Configuration file of SwitchA
    #
    sysname SwitchA
    #
    ssl policy syslog_client
     trusted-ca load pem-ca 1_cacert_pem_rsa.pem
     trusted-ca load pem-ca 1_rootcert_pem_rsa.pem
    #
    info-center channel 6 name loghost1
    info-center channel 7 name loghost2
    info-center source arp channel 6 log level notification
    info-center source aaa channel 7 log level warning
    info-center loghost source Vlanif100
    info-center loghost 10.1.1.1 channel 6 transport tcp ssl-policy syslog_client
    info-center loghost 10.1.1.2 channel 6 transport tcp ssl-policy syslog_client
    info-center loghost 10.2.1.1 channel 7 transport tcp ssl-policy syslog_client
    info-center loghost 10.2.1.2 channel 7 transport tcp ssl-policy syslog_client
    #
    return
Updated: 2019-04-20

Document ID: EDOC1100074765