
Configuring Basic ECA Functions

Context

Before enabling ECA on a switch, ensure that the switch and the CIS server can reach each other (routes exist in both directions) and that the resource allocation mode has been set to eca or sac. In addition, you need to configure a NetStream flexible flow statistics profile so that statistics on each ECA session are exported.

Procedure

  1. Set the resource allocation mode of the switch to eca or sac.
    1. Run system-view

      The system view is displayed.

    2. Set the resource allocation mode of the switch.

      • On the S5720-HI, run assign resource-mode eca

        The resource allocation mode of the switch is set to eca.

      • On the S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S, run assign resource-mode sac

        The resource allocation mode of the switch is set to sac.

      • On the S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, or S6720-HI, run assign resource-mode eca or assign resource-mode sac

        The resource allocation mode of the switch is set to eca or sac.

      By default, the resource allocation mode on the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S is enhanced-arp. For details about changes in entry specifications in the new resource allocation mode, see assign resource-mode.

    After the resource allocation mode of the switch is set to eca or sac, restart the switch for the configuration to take effect.

  2. Enable the IAE.
    1. Run system-view

      The system view is displayed.

    2. Run defence engine enable

      The IAE is enabled.

      You must enable the IAE before enabling ECA. By default, the IAE is disabled.

  3. Configure parameters for the interconnection between the switch and CIS server.
    1. Run flow-probe metadata-collect server ip ip-address [ port port-number ]

      The IP address and port number of the CIS server are configured.

      By default, the IP address of the CIS server is not specified and the default port number is 8514.

    2. Run flow-probe metadata-collect source { ip ip-address port port-number | vpn-instance vpn-instance-name } *

      The source IP address for sending metadata from the switch to the CIS server is configured.

      By default, the source IP address is not specified.

  4. Enable ECA.
    1. Run interface interface-type interface-number

      The interface view is displayed.

      ECA can only be configured on physical and VLANIF interfaces. If ECA is enabled on a VLANIF interface, you do not need to enable ECA on the physical interface of the VLAN corresponding to the VLANIF interface. When ECA needs to be enabled on many interfaces, you can configure a port group to simplify the configuration.

    2. Run ec-analytics enable [ inbound | outbound ]

      ECA is enabled.

      By default, the ECA function is disabled.

    3. Run quit

      Return to the system view.

  5. Configure a NetStream flexible flow statistics profile.

    To obtain detailed ECA session statistics, you need to configure a NetStream flexible flow statistics profile that collects information such as the 5-tuple, packet count, byte count, and inbound and outbound interface indexes, and then apply the profile to an ECA-enabled interface.

    1. Run ip netstream record record-name

      A NetStream flexible flow statistics profile is created and the profile view is displayed.

    2. Configure aggregation keywords for the NetStream flexible flow statistics profile.

      • Run match ip source-address

        ECA session statistics are aggregated based on the source IP address.

      • Run match ip destination-address

        ECA session statistics are aggregated based on the destination IP address.

      • Run match ip source-port

        ECA session statistics are aggregated based on the source port number.

      • Run match ip destination-port

        ECA session statistics are aggregated based on the destination port number.

      • Run match ip protocol

        ECA session statistics are aggregated based on the protocol type.

      • Run collect counter packets

        ECA session statistics are specified to include the packet quantity.

      • Run collect counter bytes

        ECA session statistics are specified to include the byte quantity.

      • Run collect interface input

        ECA session statistics are specified to include the inbound interface index.

      • Run collect interface output

        ECA session statistics are specified to include the outbound interface index.

    3. Run quit

      Return to the system view.

    4. Run interface interface-type interface-number

      The interface view is displayed.

      • The NetStream flexible flow statistics profile must be applied on an ECA-enabled interface.
      • The NetStream flexible flow statistics profile cannot be applied on a VLANIF interface. If ECA is enabled on a VLANIF interface, apply the NetStream flexible flow statistics profile on all physical interfaces in the VLAN corresponding to the VLANIF interface.
      • When ECA needs to be enabled on many interfaces, you can configure a port group to simplify the configuration.

    5. Enable the IPv4 traffic statistics collection function on an interface.

      • Run ip netstream inbound

        The IPv4 traffic statistics collection function is enabled on the inbound interface.

      • Run ip netstream outbound

        The IPv4 traffic statistics collection function is enabled on the outbound interface.

    6. Configure the sampling ratio for IPv4 packets on an interface.

      • Run ip netstream sampler fix-packets 1 inbound

        The sampling ratio for IPv4 packets on the inbound interface is set to 1:1.

      • Run ip netstream sampler fix-packets 1 outbound

        The sampling ratio for IPv4 packets on the outbound interface is set to 1:1.

      By default, the sampling ratio of IPv4 packets is 1000:1. For ECA, the sampling ratio must be set to 1:1; otherwise, the switch sees only a fraction of each flow and the ECA identification results are poor.

    7. Run port ip netstream record record-name

      The NetStream flexible flow statistics profile is applied to the interface.

    8. Run quit

      Return to the system view.

    9. (Optional) Run ip netstream tcp-flag enable

      NetStream flows are aged according to the FIN or RST flag in TCP packet headers to save memory space.

  6. (Optional) Run ec-analytics enhanced-mode disable

    The ECA enhanced mode is disabled.

    By default, the ECA enhanced mode is enabled. After the ECA enhanced mode is disabled, the number of packets sent to the IAE for each ECA session flow decreases from 50 to 20. This improves the processing performance of the IAE but reduces the accuracy of encrypted traffic identification. Therefore, you are advised to keep the ECA enhanced mode enabled whenever device performance permits.
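The following is an added worked example, not taken from the Huawei documentation above, that strings the whole procedure together for an S5720-HI (which uses resource mode eca). The CIS server address 192.0.2.50, the source address 192.0.2.10 with source port 9000, the interface GigabitEthernet0/0/1 and the profile name eca_record are constructed placeholders; lines beginning with # are annotations, not switch commands.

```text
# Step 1: set the resource allocation mode; it takes effect only after a restart
system-view
assign resource-mode eca
quit
# restart the switch here (command not shown), then continue

# Step 2: the IAE must be enabled before ECA
system-view
defence engine enable

# Step 3: CIS server (default port 8514) and the source address used for metadata
flow-probe metadata-collect server ip 192.0.2.50 port 8514
flow-probe metadata-collect source ip 192.0.2.10 port 9000

# Step 4: enable ECA on a physical interface (both directions by default)
interface GigabitEthernet0/0/1
ec-analytics enable
quit

# Step 5: NetStream flexible flow statistics profile keyed on the 5-tuple
ip netstream record eca_record
match ip source-address
match ip destination-address
match ip source-port
match ip destination-port
match ip protocol
collect counter packets
collect counter bytes
collect interface input
collect interface output
quit

# apply the profile on the ECA-enabled interface with 1:1 sampling in both directions
interface GigabitEthernet0/0/1
ip netstream inbound
ip netstream outbound
ip netstream sampler fix-packets 1 inbound
ip netstream sampler fix-packets 1 outbound
port ip netstream record eca_record
quit

# optional: age flows on TCP FIN/RST so completed sessions free memory promptly
ip netstream tcp-flag enable
```

Two points are easy to miss when checking such a configuration. The sampler lines are not optional: the default 1000:1 ratio would leave ECA with almost none of the packets it needs, so verify that both inbound and outbound are at fix-packets 1 on every ECA-enabled port. And if ECA is enabled on a VLANIF interface instead of a physical port, the NetStream profile and sampler still have to be applied on each physical member interface of that VLAN, because the profile cannot be applied on the VLANIF itself. The ECA enhanced mode is left at its default (enabled) here.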

Copyright © Huawei Technologies Co., Ltd.