Wednesday, December 1, 2010

IP Accounting in H3C Devices


Configuration Procedure in H3C devices

Configure the router.

# Enable IP accounting.

<Router> system-view
[Router] ip count enable

# Configure an IP accounting rule.
[Router] ip count rule 1.1.1.1 24

# Set the aging time to 1440 minutes (24 hours).
[Router] ip count timeout 1440

# Set the maximum number of accounting entries in the interior table to 100.
[Router] ip count interior-threshold 100

# Set the maximum number of accounting entries in the exterior table to 20.
[Router] ip count exterior-threshold 20

# Assign Ethernet 1/0 an IP address and count both incoming and outgoing IP packets on it.
[Router] interface ethernet 1/0
[Router-Ethernet1/0] ip address 1.1.1.2 24
[Router-Ethernet1/0] ip count inbound-packets
[Router-Ethernet1/0] ip count outbound-packets
[Router-Ethernet1/0] quit

# Assign Ethernet 1/1 an IP address.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 2.2.2.1 24
[Router-Ethernet1/1] quit

Configure Host A and Host B.

# Configure static routes from Host A to Host B and from Host B to Host A. Ping Host B from Host A.
Omitted.

Display the IP accounting information.

# Display IP accounting information on the router.

[Router] display ip count inbound-packets interior
1 Inbound streams information in interior list:

SrcIP DstIP Protocol Pkts Bytes
1.1.1.1 2.2.2.2 ICMP 4 240
[Router] display ip count outbound-packets interior
1 Outbound streams information in interior list:
SrcIP DstIP Protocol Pkts Bytes
2.2.2.2 1.1.1.1 ICMP 4 240

The two hosts can be replaced by other types of network devices such as routers.

Displaying and Maintaining IP Accounting Configuration

To do…                             Use the command…                                                                                     Remarks
Display the IP accounting rules    display ip count rule                                                                                Available in any view
                                   display ip count { inbound-packets | outbound-packets } { exterior | firewall-denied | interior }
Clear IP accounting information    reset ip count { all | exterior | firewall | interior }                                              Available in user view

After you configure a new IP accounting rule, some packets from a subnet that did not match any rule before may now match the new rule. Information about these packets is then saved in the interior table. The exterior table, however, may still contain information about IP packets from the same subnet. Therefore, in some cases, both the interior and exterior tables contain statistics about IP packets from the same subnet. The statistics in the exterior table are removed when the aging time expires.
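
The overlap described in the note above can be checked offline on captured output. This is an added example, not part of the original post or of H3C's own tooling: it parses `display ip count` output and lists exterior-table rows that match a current rule. The exterior sample rows, the function names, and the assumption that a rule matches on either the source or the destination address are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample. The interior block is the output shown on this page; the
# exterior block assumes the same column layout, which the page does not show.
SAMPLE = """\
[Router] display ip count inbound-packets interior
1 Inbound streams information in interior list:

SrcIP DstIP Protocol Pkts Bytes
1.1.1.1 2.2.2.2 ICMP 4 240
[Router] display ip count inbound-packets exterior
2 Inbound streams information in exterior list:

SrcIP DstIP Protocol Pkts Bytes
3.3.3.7 2.2.2.2 TCP 10 600
1.1.1.9 2.2.2.2 UDP 2 120
"""

HEADER = re.compile(r"^\d+ (Inbound|Outbound) streams information in (\w+) list:")
ROW = re.compile(r"^(\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\S+) (\d+) (\d+)$")


def parse_ip_count(text):
    """Return one dict per flow row, tagged with its direction and table."""
    flows, direction, table = [], None, None
    for line in text.splitlines():
        line = " ".join(line.split())  # collapse column padding
        m = HEADER.match(line)
        if m:
            direction, table = m.group(1).lower(), m.group(2).lower()
            continue
        m = ROW.match(line)
        if m and table:  # ignore prompts, blank lines and column headers
            src, dst, proto, pkts, nbytes = m.groups()
            flows.append({"direction": direction, "table": table,
                          "src": src, "dst": dst, "proto": proto,
                          "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def stale_exterior(flows, rules):
    """Exterior rows whose source or destination falls inside a current rule.

    Assumption: a rule matches on either address, as the page's interior
    output suggests. Such rows stay until the aging time expires.
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in rules]
    hit = lambda addr: any(ipaddress.ip_address(addr) in n for n in nets)
    return [f for f in flows
            if f["table"] == "exterior" and (hit(f["src"]) or hit(f["dst"]))]
```

Calling `stale_exterior(parse_ip_count(SAMPLE), ["1.1.1.1/24"])` returns only the 1.1.1.9 row, the kind of entry that sits in the exterior table until it ages out or is cleared with `reset ip count exterior`.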
