Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.


Overview

This document describes the steps to configure a Huawei switch to send sFlow data to Seceon SIEM, giving you better visibility of threats in your environment.

The configuration roadmap is as follows:

  1. Configure an IP address for each switch interface.

  2. Configure sFlow agent and collector information on the device.

  3. Configure flow sampling on the interface.

  4. Configure counter sampling on the interface.

Configuration Steps

1. Configure an IP address for each switch interface

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 10 20 30
    [SwitchA] interface gigabitethernet 0/0/1
    [SwitchA-GigabitEthernet0/0/1] port link-type access
    [SwitchA-GigabitEthernet0/0/1] port default vlan 10
    [SwitchA-GigabitEthernet0/0/1] quit
    [SwitchA] interface vlanif 10
    [SwitchA-Vlanif10] ip address 10.1.10.1 24
    [SwitchA-Vlanif10] quit
    [SwitchA] interface gigabitethernet 0/0/2
    [SwitchA-GigabitEthernet0/0/2] port link-type hybrid
    [SwitchA-GigabitEthernet0/0/2] port hybrid pvid vlan 20
    [SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
    [SwitchA-GigabitEthernet0/0/2] quit
    [SwitchA] interface vlanif 20
    [SwitchA-Vlanif20] ip address 10.1.20.1 24
    [SwitchA-Vlanif20] quit
    [SwitchA] interface gigabitethernet 0/0/3
    [SwitchA-GigabitEthernet0/0/3] port link-type hybrid
    [SwitchA-GigabitEthernet0/0/3] port hybrid pvid vlan 30
    [SwitchA-GigabitEthernet0/0/3] port hybrid untagged vlan 30
    [SwitchA-GigabitEthernet0/0/3] quit
    [SwitchA] interface vlanif 30
    [SwitchA-Vlanif30] ip address 10.1.30.1 24
    [SwitchA-Vlanif30] quit

2. Configure sFlow agent and collector information

  • Configure an IP address for the sFlow agent

    [SwitchA] sflow agent ip 10.1.10.1
  • Configure sFlow collector information: ID 2, the CCE IP address (10.1.10.2 is used here as an example), and the description netserver.

    [SwitchA] sflow collector 2 ip 10.1.10.2 description netserver

3. Configure flow sampling

  • Set the sampling rate

    [SwitchA] interface gigabitethernet 0/0/2
    [SwitchA-GigabitEthernet0/0/2] sflow flow-sampling rate 4000
  • Specify collector 2 as the target collector to receive sFlow packets sent by the agent.

    [SwitchA-GigabitEthernet0/0/2] sflow flow-sampling collector 2

4. Configure counter sampling

  • Set the counter sampling interval to 120s.

    [SwitchA-GigabitEthernet0/0/2] sflow counter-sampling interval 120
  • Specify collector 2 as the target collector to receive sFlow packets sent by the agent.

    [SwitchA-GigabitEthernet0/0/2] sflow counter-sampling collector 2
    [SwitchA-GigabitEthernet0/0/2] quit
    [SwitchA] quit

Verification

On the Huawei switch

  • After the configuration is complete, run the display sflow command on SwitchA to check the global sFlow configuration.

    <SwitchA> display sflow
    sFlow Version 5 Information:                                                               
    --------------------------------------------------------------------------                  
    Agent Information:                                                                         
    
         IP Address: 10.1.10.1(CLI)                                                                  
     Address family: IPV4                                                                      
       Vpn-instance: NA                                                                         
    --------------------------------------------------------------------------                 
    Collector Information:                                                                     
    
       Collector ID: 2                                                                      
         IP Address: 10.1.10.2                                                                  
     Address family: IPV4                                                                      
       Vpn-instance: NA                                                                         
               Port: 6343                                                                                
      Datagram size: 1400                                                                       
           Time out: NA                                                                             
        Description: netserver                                                                    
    --------------------------------------------------------------------------                 
    Port on slot 0 Information:                                                                
    
    Interface: GE0/0/2                                     
     Flow-sample collector: 2            Counter-sample collector  : 2               
     Flow-sample rate(1/x): 4000         Counter-sample interval(s): 120             
     Flow-sample maxheader: 64                                                           
     Flow-sample direction: IN,OUT
  • SwitchA configuration file

    #
    sysname SwitchA
    #
    vlan batch 10 20 30 
    #
    interface Vlanif10
     ip address 10.1.10.1 255.255.255.0
    #
    interface Vlanif20
     ip address 10.1.20.1 255.255.255.0
    #
    interface Vlanif30
     ip address 10.1.30.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type access
     port default vlan 10 
    #
    interface GigabitEthernet0/0/2
     port link-type hybrid
     port hybrid pvid vlan 20
     port hybrid untagged vlan 20
     sflow counter-sampling collector 2 
     sflow counter-sampling interval 120 
     sflow flow-sampling collector 2 
     sflow flow-sampling rate 4000
    #
    interface GigabitEthernet0/0/3
     port link-type hybrid
     port hybrid pvid vlan 30
     port hybrid untagged vlan 30
    # 
    sflow collector 2 ip 10.1.10.2 description netserver 
    # 
    sflow agent ip 10.1.10.1   
    #
    return

On Seceon UI

  • Log in to the UI and go to SYSTEM >> LOGS AND FLOWS COLLECTION STATUS.

  • Under SOURCE DEVICE IP, the IP address of the switch will be listed.
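
If the switch does not show up, the UDP 6343 payload of a datagram taken from a packet capture on the collector side can be checked against the values configured above. The following is an added example, not part of the original article or of Seceon or Huawei code; it parses the sFlow v5 datagram and sample headers and compares the agent IP and flow-sampling rate with 10.1.10.1 and 4000. The function names and the sample datagram are constructed for illustration.

```python
import socket
import struct

def parse_sflow_v5(payload: bytes) -> dict:
    """Summarise one sFlow v5 datagram: agent, sample counts, sampling rates."""
    if len(payload) < 28:
        raise ValueError("shorter than an sFlow v5 header with an IPv4 agent")
    version, addr_type = struct.unpack_from("!II", payload, 0)
    if version != 5 or addr_type != 1:  # address type 1 = IPv4 agent
        raise ValueError(f"unsupported version/address type: {version}/{addr_type}")
    # After the agent address: sub-agent id, sequence, uptime (ms), sample count
    _sub, _seq, _uptime, n_samples = struct.unpack_from("!4I", payload, 12)
    summary = {"agent": socket.inet_ntoa(payload[8:12]),
               "flow": 0, "counter": 0, "rates": set()}
    off = 28
    for _ in range(n_samples):
        if off + 8 > len(payload):
            raise ValueError("truncated sample header")
        tag, length = struct.unpack_from("!II", payload, off)
        off += 8
        enterprise, fmt = tag >> 12, tag & 0xFFF
        is_flow = enterprise == 0 and fmt in (1, 3)   # flow / expanded flow sample
        rate_off = 8 if fmt == 1 else 12              # sampling_rate offset in sample
        if off + length > len(payload) or (is_flow and length < rate_off + 4):
            raise ValueError("sample length inconsistent with datagram")
        if is_flow:
            summary["rates"].add(struct.unpack_from("!I", payload, off + rate_off)[0])
            summary["flow"] += 1
        elif enterprise == 0 and fmt in (2, 4):       # counter / expanded counter
            summary["counter"] += 1
        off += length
    return summary

def check_against_config(payload, agent_ip="10.1.10.1", rate=4000):
    """Return mismatches between a datagram and the values configured on the switch."""
    s = parse_sflow_v5(payload)
    problems = []
    if s["agent"] != agent_ip:
        problems.append(f"agent {s['agent']} != configured {agent_ip}")
    extra = sorted(s["rates"] - {rate})
    if extra:
        problems.append(f"unexpected sampling rate(s) {extra}")
    return problems

# Constructed datagram (not captured traffic); ifIndex 7 and 8 are made-up values.
SAMPLE = (
    struct.pack("!II", 5, 1) + socket.inet_aton("10.1.10.1")
    + struct.pack("!4I", 0, 1, 1000, 2)
    + struct.pack("!II", 1, 32) + struct.pack("!8I", 1, 7, 4000, 4000, 0, 7, 8, 0)
    + struct.pack("!II", 2, 12) + struct.pack("!3I", 1, 7, 0)
)
```

An empty list from `check_against_config` means the datagram carries the configured agent address and sampling rate; a datagram with only counter samples passes the rate check because it carries no rate field.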

Reference: https://support.huawei.com/enterprise/en/doc/EDOC1000178174/d73ef0a7/example-for-configuring-sflow
