Overview
This document describes the steps to ingest sFlow data from a Huawei switch into Seceon SIEM, giving you better visibility of threats in your environment.
The configuration roadmap is as follows:
1. Configure an IP address for each switch interface.
2. Configure sFlow agent and collector information on the device.
3. Configure flow sampling on the interface.
4. Configure counter sampling on the interface.
Configuration Steps
1. Configure an IP address for each interface of the switch
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 30
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.10.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type hybrid
[SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 20
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 10.1.20.1 24
[SwitchA-Vlanif20] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type hybrid
[SwitchA-GigabitEthernet0/0/3] port hybrid pvid vlan 30
[SwitchA-GigabitEthernet0/0/3] port hybrid untagged vlan 30
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 10.1.30.1 24
[SwitchA-Vlanif30] quit
2. Configure sFlow agent and collector information
Configure an IP address for the sFlow agent
[SwitchA] sflow agent ip 10.1.10.1
Configure the sFlow collector information: ID 2, the CCE IP address (10.1.10.2 is used here as an example), and the description netserver.
[SwitchA] sflow collector 2 ip 10.1.10.2 description netserver
3. Configure flow sampling
Set the sampling rate
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] sflow flow-sampling rate 4000
Specify collector 2 as the target collector to receive sFlow packets sent by the agent.
[SwitchA-GigabitEthernet0/0/2] sflow flow-sampling collector 2
4. Configure counter sampling
Set the counter sampling interval to 120s.
[SwitchA-GigabitEthernet0/0/2] sflow counter-sampling interval 120
Specify collector 2 as the target collector to receive sFlow packets sent by the agent.
[SwitchA-GigabitEthernet0/0/2] sflow counter-sampling collector 2
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] quit
Verification
On the Huawei switch
After the configuration is complete, run the display sflow command on SwitchA to check the global sFlow configuration.
<SwitchA> display sflow
sFlow Version 5 Information:
--------------------------------------------------------------------------
Agent Information:
  IP Address: 10.1.10.1(CLI)
  Address family: IPV4
  Vpn-instance: NA
--------------------------------------------------------------------------
Collector Information:
  Collector ID: 2
  IP Address: 10.1.10.2
  Address family: IPV4
  Vpn-instance: NA
  Port: 6343
  Datagram size: 1400
  Time out: NA
  Description: netserver
--------------------------------------------------------------------------
Port on slot 0 Information:
  Interface: GE0/0/2
  Flow-sample collector: 2
  Counter-sample collector : 2
  Flow-sample rate(1/x): 4000
  Counter-sample interval(s): 120
  Flow-sample maxheader: 64
  Flow-sample direction: IN,OUT
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 30
#
interface Vlanif10
 ip address 10.1.10.1 255.255.255.0
#
interface Vlanif20
 ip address 10.1.20.1 255.255.255.0
#
interface Vlanif30
 ip address 10.1.30.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type hybrid
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20
 sflow counter-sampling collector 2
 sflow counter-sampling interval 120
 sflow flow-sampling collector 2
 sflow flow-sampling rate 4000
#
interface GigabitEthernet0/0/3
 port link-type hybrid
 port hybrid pvid vlan 30
 port hybrid untagged vlan 30
#
sflow collector 2 ip 10.1.10.2 description netserver
#
sflow agent ip 10.1.10.1
#
return
On Seceon UI
Log in to the UI and go to SYSTEM >> LOGS AND FLOWS COLLECTION STATUS.
The IP address of the switch will be listed under SOURCE DEVICE IP.
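If the switch does not show up in the UI, a datagram captured on the collector (UDP port 6343 in the display sflow output above) can be checked directly. The following is an added example, not part of the Huawei or Seceon documentation: it parses the sFlow v5 datagram header to confirm the agent address and that both flow and counter samples are arriving. The function names are hypothetical and the sample datagram is constructed for illustration.

```python
import ipaddress
import struct

# Sample formats of enterprise 0 in sFlow v5; 3 and 4 are the expanded forms.
SAMPLE_KINDS = {1: "flow", 2: "counter", 3: "flow", 4: "counter"}

def parse_sflow_v5(datagram: bytes) -> dict:
    """Parse an sFlow v5 datagram header and tally its sample records."""
    if len(datagram) < 8:
        raise ValueError("datagram too short")
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError(f"not sFlow v5 (version={version})")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4, 2 = IPv6
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    offset = 8
    if len(datagram) < offset + addr_len + 16:
        raise ValueError("truncated header")
    agent = ipaddress.ip_address(datagram[offset:offset + addr_len])
    offset += addr_len
    # sub-agent id, datagram sequence number, uptime (ms), number of samples
    _sub, sequence, _uptime, num_samples = struct.unpack_from("!IIII", datagram, offset)
    offset += 16
    counts = {"flow": 0, "counter": 0, "other": 0}
    for _ in range(num_samples):
        if len(datagram) < offset + 8:
            raise ValueError("truncated sample record")
        tag, length = struct.unpack_from("!II", datagram, offset)
        offset += 8
        if len(datagram) < offset + length:
            raise ValueError("sample length exceeds datagram")
        enterprise, fmt = tag >> 12, tag & 0xFFF
        counts[SAMPLE_KINDS.get(fmt, "other") if enterprise == 0 else "other"] += 1
        offset += length  # skip the sample body
    return {"agent": str(agent), "sequence": sequence, "samples": counts}

def build_constructed_datagram() -> bytes:
    """Constructed test input: agent 10.1.10.1, one flow and one counter sample."""
    agent = ipaddress.ip_address("10.1.10.1").packed
    header = struct.pack("!II4sIIII", 5, 1, agent, 0, 1, 1000, 2)
    body = b"\x00" * 4  # placeholder sample bodies, not real sample data
    return header + struct.pack("!II", 1, 4) + body + struct.pack("!II", 2, 4) + body

if __name__ == "__main__":
    info = parse_sflow_v5(build_constructed_datagram())
    print(info, "agent matches:", info["agent"] == "10.1.10.1")
```

With the configuration above, the agent field should read 10.1.10.1. Counter samples are sent every 120 seconds, and flow samples depend on traffic at the 1-in-4000 sampling rate.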
Reference: https://support.huawei.com/enterprise/en/doc/EDOC1000178174/d73ef0a7/example-for-configuring-sflow