RG-WLAN Series Access Point RGOS Configuration Guide, Release 10.4(1b19)p2...

This document is provided “as is”. The contents of this document are subject to change without notice. Please obtain the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will not shoulder any responsibility for losses and damages caused by content omissions, inaccuracies or errors.

Target Readers
This manual is intended for the following readers:
Network engineers
Technical salespersons
Network administrators

Obtaining Technical Assistance
Ruijie Networks website: http://www.ruijienetworks.com/
Online customer services: http://webchat.ruijie.com.cn
Customer service center: http://www.ruijie.com.cn/service.aspx
Customer services hotline: +86-4008-111-000
BBS: http://support.ruijie.com.cn
Customer services email: service@ruijie.com.cn...

Format of information displayed on the terminal: Courier New, point size 8, indicating the screen output. The user's entries among the displayed information are shown in bold.

2. Command Line Format Convention
Arial is used as the font for the command line. The meanings of specific formats are described below:
Bold: Keywords in the command line, which shall be entered exactly as they are displayed, are shown in bold.
Configuration Guide: Configuring Fat AP

Understanding Fat AP
Figure 1-1 Typical Application of Fat AP

Overview
A fat access point (AP) is a wireless device that controls and manages wireless clients. It serves as a bridge between the client and the local area network and forwards frames between the wired and wireless interfaces.

Multiple ESS
A multiple extended service set (ESS) topology is used where there are multiple logical management domains or ESSs. When a mobile subscriber joins a fat AP, it can join any available ESS. Figure 3 shows a network with multiple ESSs.
Figure 1-3 Multiple ESS Network...

The single-ESS, multiple-BSS network also applies when both 802.11a and 802.11b/g are supported. Figure 4 shows two clients connecting to two radios in the same ESS but in different BSSs.

Protocol Specification
IEEE Std 802.11-2012

Default Configuration

Configuring WLAN
Command and Function
Ruijie# config
    Enters global configuration mode.
Ruijie(config)# dot11 wlan 1
    Enters WLAN configuration mode.

    Enters global configuration mode.
Ruijie(config)# interface Dot11radio 1/0
    Enters Dot11radio interface configuration mode.
Ruijie(config-if-Dot11radio 1/0)# channel 11
    Configures the radio channel.
Ruijie(config-if-Dot11radio 1/0)# antenna transmit 7
    Configures the transmitting antenna.
Ruijie(config-if-Dot11radio 1/0)# antenna receive 7
    Configures the receiving antenna.
Ruijie(config-if-Dot11radio 1/0)# beacon dtim-period 10
    Sets the delivery traffic indication message (DTIM) period.
Centralized Management of 802.11n

Networking Requirements
The 2.4 GHz (802.11g, Radio1) network operates in Channel 6. The SSID is RUIJIE-2G. Parameter configuration is required.
The 5 GHz (802.11a, Radio2) network operates in Channel 149. The SSID is RUIJIE-5G. Parameter configuration is required.
Configuration Guide: Configuring WLAN

Command and Function
Ruijie(config)# ap-config ap-name
    Enters the configuration mode of the specified AP.
Ruijie(config-ap)# ampdu-retries times radio radio_id
    Configures the AMPDU software retransmission times on the designated AP. times: AMPDU software retransmission times, in the range from 1 to 10; the default value is 4.

...Ethernet package limit per time to 25.
Command and Function
Ruijie(config)# ap-config ap-name
    Enters the configuration mode of the specified AP.
Ruijie(config-ap)# eth-schd limit
    Configures the received Ethernet package limit per time on the designated AP. The limit value range is 1-256 for the following APs: AP220-I v1.0, AP220-I v1.1, AP220-SI v1.0, AP220-SI v1.1, AP220-E v2.03, AP220-E v2.0, AP220-SH v2.0, AP220-SH (C) v3.0, AP220-E(M) v2.0, AP220-E(M) v2.20, AP620-H(C) v2.0, AP220-E(C) v3.0,...

Command and Function
Ruijie(config)# ap-config ap-name
    Enters the configuration mode of the specified AP.
Ruijie(config-ap)# [no] stbc radio radio_id
    Use this command to enable LDPC on the designated AP. Use the no form of this command to disable LDPC on the designated AP.
Configuration Guide: Configuring WLAN-VLAN Mapping

Understanding VLAN Groups

Overview
A VLAN group containing multiple VLANs can be associated with a wireless LAN (WLAN) to form a mapping between one WLAN and N VLANs, so that VLANs can be flexibly assigned to STAs that access the WLAN. VLANs are assigned to STAs according to how many addresses remain free in the DHCP server's address pool.

...VLANs. To better understand the subsequent configuration process, learn about the following concepts:

VLAN Group
VLAN group: You can add multiple VLANs to one VLAN group. When STAs access a WLAN, VLANs in the VLAN group associated with the WLAN are assigned to the STAs.

VLAN Assignment Mode
VLAN assignment mode: VLANs in each VLAN group can be assigned based on the 802.1x assignment VLAN.

Command and Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# dot11 wlan wlan-id
    Creates a WLAN and enters WLAN configuration mode.
Ruijie(dot11-wlan-config)# vlan-group group-id
    Maps the WLAN to the VLAN group.
Ruijie(dot11-wlan-config)# end
    Exits WLAN configuration mode.

In privileged EXEC mode, use the following command to show the VLAN group configuration.
Command and Function
Ruijie# show vlan-group [ group-id ]
    Shows configuration information about a specific VLAN group or about all VLAN groups.
The example below shows how to display configuration information about all VLAN groups.
Ruijie# show vlan-group...

In a WLAN, users are classified into leaders, staff, and visitors. They can access the device through the same WLAN but with different access rights.
Network Topology
The network topology above is deployed as follows: Add VLANs 10, 20, and 30 to VLAN group 100.
Configuration Guide: Configuring WLAN-WLOG

Understanding WLAN-WLOG

Description
Overview
WLAN-WLOG is used to collect, store, and check information about WLANs and terminals over a period of time. The latest 24 hours of information about WLANs, APs, and STAs, provided through the CLI, help users analyze and locate problems on WLANs.

Information about each radio
Working channel
Sending frequency (absolute value in dBm)
Number of terminals that are successfully associated
Number of terminals that pass Web authentication
Number of terminals that pass 802.1x authentication
Co-channel interference intensity
Number of received incorrect frames
Number of packet retransmissions

STA Overview...

Space information shows whether an STA is running at a low rate, whether the proportion of frames without ACK is high, and whether excessive management frames are received. It helps users locate problems caused by low-rate nodes, management frame attacks, and a poor RF environment.

Command and Function
Ruijie# show wlan diag sta [ sta-mac STA_MAC ] [ ip-range IP_PREFIX ] [ action ACTION [ result RESULT ] ] [ number NUMBER ]
    Shows STA statistics.
The example below shows how to show STA statistics on an AC:
Ruijie# show wlan diag sta
sta_record: c83a.35c6.0c72...

...SUCCESS AP circular AC user is offline

The following command is used to show STA statistics on an AP.
Command and Function
Ruijie# show wlan diag sta [ sta-mac STA_MAC ] [ number NUMBER ]
    Shows STA statistics.
The option [ sta-mac STA_MAC ] specifies the STA whose statistics are displayed.

Key Points
Enable the WLAN-WLOG function.

Configuration Procedure
Enable the WLAN-WLOG function.
Ruijie# configure terminal
Ruijie(config)# wlan diag enable

Verifying the Configuration
Use the show running-config command to check whether WLAN-WLOG is enabled.
Show the information collected by the WLAN-WLOG module.
...802.11 technologies. The devices share the same feature of periodically sending wireless signals to their surroundings. The device receiving location information: Ruijie adopts the AP with standard 802.11 technologies or the AE-produced Tag exciter (a device that triggers the Tag to send specified wireless signals and that is not itself engaged in collecting location information).

Configuration Guide: Configuring WLAN Location

Triangulation location technology using received signal strength indication (RSSI): The basic principle is to estimate d, the distance from the MU to the BS, from the RSSI and the propagation model of the wireless channel between them, and then combine the distances to several BSs into a position.
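The distance estimate and the triangulation step above, worked through as an added Python example (it is not code from the guide or from RGOS). It assumes a log-distance path-loss model with a reference RSSI of -40 dBm at 1 m and a path-loss exponent of 2.5, and the BS coordinates and RSSI reports are constructed; none of these values come from the guide. It goes slightly beyond the text's three-BS case: any number of BSs (at least three) can contribute, and the linearized system is solved by least squares.

```python
import math

# Constructed model parameters (assumptions for this example, not from the guide).
P0_DBM = -40.0      # RSSI expected at the 1 m reference distance from a BS
PATH_LOSS_N = 2.5   # path-loss exponent (2 = free space, higher indoors)


def rssi_to_distance(rssi_dbm, p0=P0_DBM, n=PATH_LOSS_N):
    """Log-distance path-loss model: RSSI = P0 - 10*n*log10(d), solved for d."""
    return 10 ** ((p0 - rssi_dbm) / (10 * n))


def distance_to_rssi(d, p0=P0_DBM, n=PATH_LOSS_N):
    """Inverse of rssi_to_distance; used here only to construct sample reports."""
    return p0 - 10 * n * math.log10(d)


def trilaterate(anchors):
    """Estimate the MU position from (x, y, d) triples, one per BS.

    Each BS gives a circle (x-xi)^2 + (y-yi)^2 = di^2. Subtracting the first
    circle equation from each of the others cancels the x^2 and y^2 terms and
    leaves a linear system, solved in the least-squares sense via the normal
    equations so that any number of BSs (>= 3) can contribute.
    """
    if len(anchors) < 3:
        raise ValueError("at least three BSs are needed for a 2-D fix")
    x0, y0, d0 = anchors[0]
    s_aa = s_ab = s_bb = s_ac = s_bc = 0.0
    for xi, yi, di in anchors[1:]:
        a = 2.0 * (xi - x0)
        b = 2.0 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        s_aa += a * a
        s_ab += a * b
        s_bb += b * b
        s_ac += a * c
        s_bc += b * c
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-12:
        raise ValueError("BS positions are collinear; the fix is ambiguous")
    x = (s_ac * s_bb - s_ab * s_bc) / det
    y = (s_aa * s_bc - s_ab * s_ac) / det
    return x, y


def locate(reports):
    """reports: list of (bs_x, bs_y, rssi_dbm), one entry per BS that heard the MU."""
    return trilaterate([(x, y, rssi_to_distance(r)) for x, y, r in reports])


if __name__ == "__main__":
    # Constructed scenario: three BSs at known positions, MU truly at (3, 4).
    true_mu = (3.0, 4.0)
    bss = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
    reports = [(bx, by, distance_to_rssi(math.dist(true_mu, (bx, by)))) for bx, by in bss]
    print("estimated MU position:", locate(reports))
```

Real RSSI readings are noisy and the path-loss exponent varies by building, so in practice the estimate improves with more BSs hearing the same MU and with a calibrated P0 and n per site; the collinearity check matters because three BSs in a straight line cannot tell which side of the line the MU is on.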
Command and Function
    Enters AP configuration mode on the fit AP or AC. Enters wlocation mode on the fat AP.
Ruijie(config-ap)# wlocation ae-ip x.x.x.x
    Configures the IP address of the AE server connected with the specified AP.
Configuration Example: Configure the IP address of the AE server.

Command and Function
Ruijie(config)# ap-config apname
    Enters AP configuration mode on the fit AP or AC. Enters wlocation mode on the fat AP.
Ruijie(config-ap)# wlocation ae-port NUM
    Configures the port of the AE server connected with the specified AP.
Configuration Example: Set the port number of the AE server.

Ruijie(config-ap)# wlocation mu enable
    Enables MU location on the specified AP.
Configuration Example: Enable MU location.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ap-config apname
Ruijie(config-ap)# wlocation mu enable...

Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ap-config apname
Ruijie(config-ap)# wlocation send-mu-time 400

Configuring the Frequency to Send TAG Wireless Location Information
Command and Function
Ruijie# config terminal
    Enters global configuration mode.
Ruijie(config)# ap-config apname
    Enters AP configuration mode on the fit AP or AC.

Ruijie(config)# ap-config apname
Ruijie(ap-config)# wlocation enable
    This command is used to enable WLAN location.
Ruijie(ap-config)# wlocation ae-ip 1.1.1.1
    This command is used to configure the IP address of the location server.
Ruijie(ap-config)# wlocation mu enable
    This command is used to enable MU device location according to application requirements.

wlocation tag enable...
Page 38
Configuration Guide Configuring Wireless LAN Security Configuring Wireless LAN Security Wireless LAN or WLAN security is a broad concept. This document focuses on the WLAN security based on the 802.11 or Wired Equivalence Privacy (WEP), and the 802.11i standards. Overview WLAN security is an important component of WLAN system.
Configuration Guide Configuring Wireless LAN Security GMK (Group Master Key): The key used by an authenticator to derive the group transient key (GTK), and is usually a group of random numbers generated by the authenticator. GTK (Group Transient Key): Derived from the group master key (GMK) through cryptographic hash algorithm, and is used to protect the key of broadcast and multicast data.
Configuration Guide Configuring Wireless LAN Security Step 2: AP will randomly generate a Challenge packet (a character string) which is then sent to STA; Step 3: STA will copy the character string received to the new message, which is encrypted with the key before being sent to AP;...
Configuration Guide Configuring Wireless LAN Security 802.1x Access Authentication IEEE 802.1X protocol is a port-based network access control protocol. This authentication method implements authentication and control of user devices at the port level of WLAN access device. If the user device connected to the interface can pass the authentication, then it can access WLAN resources.
WEP uses the RC4 algorithm to protect data privacy and implements authentication via the shared key. Without a scheme for key management, WEP keys are generally configured and maintained manually. WEP without key distribution is called manual WEP or static WEP.

Over the past years, wireless security protocols have developed substantially. Encryption has moved from traditional WEP to the AES-CCMP encryption of IEEE 802.11i, and authentication has moved from WEP shared-key authentication to 802.1x security authentication. With the introduction of new protocols and technologies, the entire network architecture has become more complicated.

The operating process of RSN (WPA2) is basically the same as that of WPA. For the operating mechanism of RSN, refer to the operating mechanism of WPA.

Security Capability Advertisement and Negotiation
The security capability advertisement takes place during the 802.11 association between the STA and the AP:
1.

The AP and the STA carry out the WPA 4-way handshake via EAPOL-Key frames. During this process, the AP and the STA each derive a 512-bit PTK from the PMK and divide it into keys for different purposes: the data encryption key, the MIC key (data integrity key), the EAPOL-Key encryption key, the EAPOL-Key integrity key, and so on. These keys provide encryption and integrity protection for the subsequent unicast data frames and EAPOL-Key frames.
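How the PMK becomes the PTK, and how the AP uses the EAPOL-Key integrity key to check the STA during the handshake, as an added Python example (it is not code from the guide or from RGOS). The passphrase/SSID pair "password"/"IEEE" is the PSK test vector from IEEE 802.11i Annex H; the MAC addresses, nonces and the message-2 frame bytes are constructed. The 512-bit split follows the TKIP layout matching the key list in the text (a CCMP PTK is 384 bits and has no separate MIC keys). It also serves the PSK configuration and the "correct and wrong passphrase" verification step later in this chapter: with a wrong passphrase the STA's PMK differs, so its message-2 MIC fails and the STA never reaches the associated state.

```python
import hashlib
import hmac

# Constructed example values (assumptions, not from the guide). "password"/"IEEE" is
# the PSK test vector from IEEE 802.11i Annex H; addresses and nonces are made up.
PASSPHRASE = "password"
SSID = "IEEE"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))       # 32-byte nonce the AP sends in message 1
SNONCE = bytes(range(32, 64))   # 32-byte nonce the STA sends in message 2


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The PMK is fixed for the life of the passphrase; all per-session keys come from it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, length_bits):
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((length_bits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: length_bits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Both sides order the inputs the same way, so the AP and the STA reach the same PTK
    although neither the PMK nor the PTK is ever sent over the air."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512)
    return {
        "kck": ptk[0:16],           # EAPOL-Key integrity key (MIC on handshake frames)
        "kek": ptk[16:32],          # EAPOL-Key encryption key (wraps the GTK in message 3)
        "tk": ptk[32:48],           # data encryption key for unicast frames
        "tkip_tx_mic": ptk[48:56],  # TKIP-only MIC keys (data integrity)
        "tkip_rx_mic": ptk[56:64],
    }


# EAPOL-Key frame layout: the 16-byte Key MIC field starts at offset 81 (4 EAPOL header
# + 1 descriptor type + 2 key info + 2 key length + 8 replay counter + 32 nonce + 16 IV
# + 8 RSC + 8 reserved); the Key Nonce field starts at offset 17.
MIC_OFFSET = 81
NONCE_OFFSET = 17


def eapol_key_mic(kck, frame):
    """Key MIC for descriptor version 2 (WPA2/AES): HMAC-SHA1 over the frame with the
    MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def ap_accepts_message2(ap_passphrase, sta_passphrase, ssid=SSID):
    """Model of the AP's check on message 2: the STA proves it holds the PMK by producing
    a MIC the AP can recompute. A wrong passphrase on the STA fails right here."""
    sta_keys = derive_ptk(pmk_from_passphrase(sta_passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    ap_keys = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    # Constructed message-2 body: all other fields zeroed, SNonce in place, MIC computed by the STA.
    msg2 = bytearray(99)
    msg2[NONCE_OFFSET:NONCE_OFFSET + 32] = SNONCE
    msg2[MIC_OFFSET:MIC_OFFSET + 16] = eapol_key_mic(sta_keys["kck"], bytes(msg2))
    expected = eapol_key_mic(ap_keys["kck"], bytes(msg2))
    return hmac.compare_digest(expected, bytes(msg2[MIC_OFFSET:MIC_OFFSET + 16]))


if __name__ == "__main__":
    keys = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    print({name: k.hex() for name, k in keys.items()})
    print("correct passphrase accepted:", ap_accepts_message2(PASSPHRASE, PASSPHRASE))
    print("wrong passphrase accepted:", ap_accepts_message2(PASSPHRASE, "passw0rd"))
```

The design point for a WLAN operator: everything per-session (KCK, KEK, TK) is derived from the PMK and two public nonces, so with PSK the passphrase is the only secret in the whole chain, which is why the guide's 802.1x AKM (a per-user PMK from the RADIUS exchange) is the stronger of the two modes.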
Configuring Wireless Security Encryption
In practical applications, different levels of wireless security policy are implemented according to different user needs. The three security levels of the wireless security mechanism are shown below:
Security level / Security mechanism / Description
... Early wireless security mechanism featuring simple design...

...Open system authentication
share-key: Shared key authentication
Ruijie(wlansec)# show wlan security wlan-id
    Displays the security configuration of the specified WLAN.
The shared key authentication mode can only be configured during WEP encryption configuration.

Ruijie(config)# wlansec wlan-id
    wlan-id refers to an existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security wpa [ enable | disable ]
    (Required) Enables or disables WPA security mode.
Ruijie(wlansec)# show wlan security wlan-id
    Displays the security configuration of the specified WLAN.

Ruijie(config)# wlansec wlan-id
    wlan-id refers to an existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security rsn [ enable | disable ]
    (Required) Enables or disables RSN security mode.
Ruijie(wlansec)# show wlan security wlan-id
    Displays the security configuration of the specified WLAN.

Ruijie(config)# wlansec wlan-id
    wlan-id refers to an existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security wpa ciphers [ aes | tkip ] enable
    Configures the encryption mode of WPA to AES or TKIP, or enables both. Disabled by default.

Ruijie(wlansec)# security wpa akm [ psk | 802.1x ] enable
    (Required) Configures the WPA authentication mode to PSK or IEEE 802.1X, or enables both. When the authentication mode is set to PSK, the PSK must be configured. This function is disabled by default.

Ruijie(config)# wlansec wlan-id
    wlan-id specifies an existing WLAN ID, which must be created before this configuration.
Ruijie(wlansec)# webauth prevent-jitter timeout
    Sets the timeout for jitter prevention during Web authentication. The range of timeout is from 0 to 86400 seconds.

Ruijie#show wlan security 10
Security Policy :WPA2(RSN) PSK
WPA version : WPA2(RSN)
AKM type :preshare key
pairwise cipher type:AES
group cipher type :AES
WLAN SSID :SSID_wlan10
wpa_passhraselen
wpa_passphrase 30 30 30 31 31 31 32 32 32...

Enable PSK authentication mode and configure the PSK. To configure WPA/RSN security mode, open system authentication must be enabled.
Configuration Steps
Apply the following configurations on the AC:
Step 1: Create WLAN 1. Create a layer-3 virtual interface (CVI) on the basis of VLAN 2.
Ruijie(config)#vlan 2...

Step 2: Display the authentication state of the current user
Ruijie# show wlan stainfo summury
INDEX MAC-address WLAN ID VLAN ID Wireless-state PTK-state
00:23:cd:ad:d3:da AUTH-and-ASSOC
Step 3: Enter the correct passphrase and then a wrong passphrase on the wireless client to verify whether the security function takes effect.
Configuration Guide: Configuring WIDS

Introduction to WIDS

Overview
Compared with a wired network, a WLAN is convenient to deploy, flexible to use, cost-efficient and easy to expand, and is thus ever more widely applied. However, because the WLAN channel is open, wireless networks are susceptible to a wide array of threats such as unauthorized APs, ad-hoc networks and various protocol attacks.

Rogue device detection is performed by APs operating in monitor mode. WIDS deploys some APs in the wireless network and instructs them to operate in monitor mode in order to capture the wireless packets transmitted over the air. Besides listening for packets, the AP also sends broadcast detection requests and waits for the replies.

After a rogue device is detected, you can enable countermeasures. The monitor AP downloads an attack list from the AC according to the countermeasure mode and takes countermeasures against the detected rogue devices. For example, the address of the rogue device can be used to send spoofed de-authentication frames against it (this feature is not provided for the moment).

WIDS supports Flooding attack detection for the following frames:
Authentication requests and de-authentication requests
Association requests, disassociation requests and reassociation requests
Probe requests
Null data frames
Action frames

Spoof Attack Detection
A spoof attack refers to the case in which a potential attacker sends a frame over the air on behalf of another device. For instance, a spoofed de-authentication frame can cause a station to be de-authenticated from the network.
...a terminal device, it dynamically adds the MAC address of this device to the blacklist and discards any frame received from this device, thereby protecting the WLAN.

User Isolation
Because of the mobility and uncertainty of wireless clients, the privacy of user information is especially important under certain circumstances (especially in public places), and direct access between clients should be restricted.
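The Flooding attack detection and dynamic blacklisting described above, reconstructed as an added Python example; it is not RGOS code. The guide does not state the threshold, the time window or how the whitelist interacts with detection, so the values used here (more than 30 flood-type frames from one source inside a 1-second window) and the rule that whitelisted MACs are never blacklisted are assumptions, and the frame stream is constructed. It also covers the static blacklist and whitelist commands later in this chapter.

```python
from collections import defaultdict, deque

# Frame kinds the guide lists as covered by Flooding attack detection.
FLOOD_SUBTYPES = {
    "auth", "deauth", "assoc-req", "disassoc", "reassoc-req",
    "probe-req", "null-data", "action",
}


class FloodDetector:
    """Sliding-window counter of flood-type frames per source MAC.

    Threshold, window and whitelist semantics are assumptions for this example.
    Whitelisted MACs are never blacklisted; MACs on the static blacklist are always
    dropped; a MAC that exceeds the threshold goes on the dynamic blacklist and every
    later frame from it is discarded.
    """

    def __init__(self, threshold=30, window_s=1.0, whitelist=(), static_blacklist=()):
        self.threshold = threshold
        self.window_s = window_s
        self.whitelist = {m.lower() for m in whitelist}
        self.static_blacklist = {m.lower() for m in static_blacklist}
        self.dynamic_blacklist = {}        # mac -> time of detection
        self._recent = defaultdict(deque)  # mac -> timestamps inside the window

    def handle(self, ts, src_mac, subtype):
        """Return 'drop' or 'forward' for one received frame."""
        src = src_mac.lower()
        if src in self.static_blacklist or src in self.dynamic_blacklist:
            return "drop"
        if subtype not in FLOOD_SUBTYPES or src in self.whitelist:
            return "forward"
        recent = self._recent[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) > self.threshold:
            self.dynamic_blacklist[src] = ts
            recent.clear()
            return "drop"
        return "forward"


def run(detector, frames):
    """frames: iterable of (timestamp, src_mac, subtype). Returns a summary dict."""
    counts = {"forward": 0, "drop": 0}
    for ts, src, subtype in frames:
        counts[detector.handle(ts, src, subtype)] += 1
    counts["dynamic_blacklist"] = sorted(detector.dynamic_blacklist)
    return counts


def sample_frames():
    """Constructed traffic: a normal client probing now and then, a source sending a
    de-authentication flood, and a whitelisted survey tool that also sends a burst."""
    frames = [(0.5 * i, "aa:aa:aa:00:00:01", "probe-req") for i in range(10)]
    frames += [(1.0 + 0.001 * i, "de:ad:be:ef:00:01", "deauth") for i in range(100)]
    frames += [(2.0 + 0.001 * i, "cc:cc:cc:00:00:09", "auth") for i in range(100)]
    return sorted(frames)


if __name__ == "__main__":
    det = FloodDetector(whitelist=["cc:cc:cc:00:00:09"])
    print(run(det, sample_frames()))
```

On the constructed stream the flood source is blacklisted at its 31st frame, so 30 of its frames pass and the remaining 70 are dropped, while the whitelisted burst and the normal client are untouched; this is the trade-off a static whitelist introduces, so it should list only devices the operator actually controls.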
...AC (but not the same AP) cannot communicate with each other: Client 1 cannot ping Client 3 or Client 4, and Client 2 cannot ping Client 3 or Client 4. However, Client 1 can still ping Client 2, and Client 3 can still ping Client 4. Clients 1 to 4 keep their access to the Internet.

Command and Function
Ruijie# config terminal
    Enters global configuration mode.
Ruijie(config)# ap-config ap-name
    Enters the configuration mode of the specified AP.
Ruijie(ap-config)# device mode { monitor | normal | hybrid }
    Configures the AP operation mode. The operation mode is hybrid by default.
Ruijie(ap-config)# show
    Displays configurations...

Ruijie(config-wids)# device permit ssid ssid
    (Optional) Configures the permitted SSID list. By default, no entry exists.
Ruijie(config-wids)# device permit vendor bssid bssid
    (Optional) Configures the permitted vendor list. By default, no entry exists.
Ruijie(config-wids)# show wids permitted { mac-address...

Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wids
    Enters WIDS configuration mode.
Ruijie(config-wids)# device aging duration duration
Ruijie(config-wids)# show run
    Displays configurations

Displaying and Clearing the Result of Rogue Device Detection
Display and clear the list of all WLAN devices detected, including legal devices, unclassified devices and illegal devices.

In WIDS configuration mode, enable the corresponding IDS attack detection function to activate IDS attack detection. The user can apply the corresponding counter-attack policies according to actual network conditions. The configuration steps are shown below:
Command and Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wids
    Enters WIDS configuration mode.
Ruijie(config-wids)# attack-detection enable all
    (Optional) Enables all IDS attack detection functions, including Flooding, Spoof and Weak-IV attack detection. This function is disabled by default.
Ruijie(config-wids)# attack-detection enable flood
    (Required) Enables Flooding attack detection. This function is disabled by default.

The user can add or delete entries by executing the relevant commands.
Command and Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wids
    Enters WIDS configuration mode.
Ruijie(config-wids)# [ no ] whitelist mac-address mac-address
    (Required) Configures the whitelist. Blank by default.
Ruijie(config-wids)# show wids whitelist
    Displays the whitelist.

Configuring Static Blacklist
Configure the static blacklist in WIDS configuration mode.

Ruijie(config)# wids
    Enters WIDS configuration mode.
Ruijie(config-wids)# countermeasure enable
    Enables countermeasures; disabled by default.
Ruijie(config-wids)# countermeasure { config | all | adhoc | rogue }
    Configures the countermeasure mode; the default is config.

Configuring User Isolation
Enable the isolation function on the wireless device (the AP or the AC). When the device receives a certain user's packet, it judges whether the source and the destination belong to the same device according to the source port and the destination port of the forwarded information.

The user can also add permitted inter-communication user entries by configuring the isolation permit list. If the MAC addresses of two users on the same AP or AC are added to the user isolation permit list, these two users can access each other. The process of enabling the user isolation function is shown in the figure below:
Figure 2-4 Flow of user isolation

Typical WIDS Configuration Examples...

A client is dynamically added to the list only if a Flooding attack from this client is detected by WIDS.
Configuration Steps
Apply the following configurations on the AC:
Configure the operating mode of AP1 to Hybrid mode (the AP operates in Hybrid mode by default)
Ruijie(config)# ap-config AP001...

Configuration Guide: Configuring WDS

WDS Overview
A wireless distribution system (WDS) enables the interconnection of APs via wireless bridges or repeaters, allowing a distributed network to be connected and wireless coverage to be extended.

AP Working Mode
In a WDS network, APs work autonomously. You may configure different working modes for the APs according to the needs of the network.

Point-to-Multipoint Structure
Since wireless devices are connected from one point to multiple points, this structure is suitable for a network with a central point and multiple remote points. The network topology is shown below: Root Bridge + multiple Non-root Bridges. The root bridge serves as the root node, with its wireless interfaces connected to multiple non-root bridges.
...should be designated for APs in working modes other than Root Bridge, so that the APs associate upward level by level and finally form the corresponding network topology.

802.11 MAC Frame Address Structure
The IEEE 802.11 standard defines a MAC frame format for wireless technology. In this format, the MAC frame header has four address fields, as shown in the figure below. Depending on the transmission type of an 802.11 MAC frame, the address structure may use three addresses or four addresses: the To DS and From DS flags in the Frame Control field decide which fields are present and what each address means.
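The three-address and four-address cases above, as an added Python example (not code from the guide or from RGOS). It parses the Frame Control flags, reads Addr4 only when both To DS and From DS are set (the bridge-to-bridge case a WDS link uses), and labels each address with its role for data frames; the frames it runs on are constructed, and the address values are sample values.

```python
import struct

# Address roles for data frames by (To DS, From DS), per IEEE 802.11:
# the tuple lists the roles of addr1, addr2, addr3 and, if present, addr4.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),       # STA to STA inside one BSS (IBSS)
    (0, 1): ("DA", "BSSID", "SA"),       # AP to STA
    (1, 0): ("BSSID", "SA", "DA"),       # STA to AP
    (1, 1): ("RA", "TA", "DA", "SA"),    # bridge to bridge over WDS: four addresses
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame):
    """Parse the 802.11 MAC header and label its addresses by role.

    Frame Control is two bytes, little-endian: byte 0 holds version/type/subtype,
    byte 1 the flags; bit 0 of the flags is To DS, bit 1 is From DS. Addr4 follows
    the Sequence Control field and is present only when both bits are set.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than the minimum 24-byte header")
    fc0, flags, duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    to_ds = flags & 0x1
    from_ds = (flags >> 1) & 0x1
    addrs = [frame[4:10], frame[10:16], frame[16:22]]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    header_len = 24
    if to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("four-address frame shorter than the 30-byte header")
        addrs.append(frame[24:30])
        header_len = 30
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    return {
        "type": ftype, "subtype": subtype,
        "to_ds": to_ds, "from_ds": from_ds,
        "duration": duration,
        "seq": seq_ctl >> 4, "frag": seq_ctl & 0xF,
        "addresses": {role: mac_str(a) for role, a in zip(roles, addrs)},
        "header_len": header_len,
    }


def build_header(to_ds, from_ds, addrs, ftype=2, subtype=0, seq=0):
    """Construct a header for the example (these are not captured frames)."""
    fc0 = (ftype << 2) | (subtype << 4)
    flags = (to_ds & 1) | ((from_ds & 1) << 1)
    hdr = struct.pack("<BBH", fc0, flags, 0) + b"".join(addrs[:3]) + struct.pack("<H", seq << 4)
    if to_ds and from_ds:
        hdr += addrs[3]
    return hdr


if __name__ == "__main__":
    # Constructed sample: a data frame crossing a WDS link between two bridges.
    root, nonroot = bytes.fromhex("000000000001"), bytes.fromhex("000000000002")
    wired_dst, wired_src = bytes.fromhex("0000deadbeef"), bytes.fromhex("00aabbccddee")
    print(parse_80211_header(build_header(1, 1, [nonroot, root, wired_dst, wired_src], seq=7)))
```

Because the receiver and transmitter addresses (RA, TA) of a WDS frame are the bridge radios while DA and SA are the wired hosts behind them, a WIDS or packet-capture tool that only reads addr1/addr2 will attribute bridged traffic to the APs rather than to the end hosts; checking the DS flags first avoids that misattribution.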
Ruijie(config)# interface dot11radio radio-id/0
    Enters the configuration mode of the designated wireless interface. radio-id: specifies the radio of the AP.
Ruijie(config-if-Dot11radio X/Y)# station-role { root-ap | non-root-bridge | root-bridge }
    Configures the AP working mode. The AP working mode is “root-ap” by default.
Ruijie(config-if-Dot11radio X/Y)# show running-config
    Views the configuration result.

The configurations are described below:
Command and Function
Ruijie# config terminal
    Enters global configuration mode.
Ruijie(config)# interface dot11radio radio-id/0
    Enters the configuration mode of the specified wireless interface. radio-id: the radio of the specified AP.
Ruijie(config-if-Dot11radio X/Y)# parent mac-address
    Configures the parent node of the non-root bridge.

Moreover, wireless communication between buildings may be hindered by the limited coverage of wireless devices; wireless repeaters may be used between buildings to extend the coverage of wireless signals and achieve long-distance wireless bridging. See the following figure.

Deploying a WDS Network
Considering the above application background, it is possible to place an AP in Root Bridge mode at building A, and APs in Non-root Bridge mode at buildings B and C.

Configuration Procedure
Configure AP1
! Enter wireless interface dot11radio 1/0 on AP1, and configure the working mode to be Root Bridge.
AP1(config)#interface dot11radio 1/0
AP1(config-if-Dot11radio 1/0)#station-role root-bridge
Configure AP2
! Enter wireless interface dot11radio 1/0 on AP2, configure the working mode to be Non-root Bridge, and set the MAC address of the upper-level node to “0000.0000.0001”.

Command and Function
Ruijie(config-if)# anti-arp-spoofing ip ip-address
    Configures gateway anti-ARP spoofing on this port. ip-address: specifies the IP address of the gateway. In interface configuration mode, use the no anti-arp-spoofing ip ip-address command to disable anti-ARP spoofing. Gateway anti-ARP spoofing cannot be configured on an uplink port.
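A model of what a gateway anti-ARP spoofing filter on a user port does, as an added Python example (not RGOS code). The guide only states that the feature protects the configured gateway IP and is not for uplink ports, so the matching rule used here (drop any ARP packet arriving on a protected user port whose sender IP is the gateway IP, because the real gateway can only be reached through the uplink), the port names and the packets are assumptions and constructed values.

```python
import struct


def ip_bytes(dotted):
    return bytes(int(p) for p in dotted.split("."))


def parse_arp(payload):
    """Parse the 28-byte Ethernet/IPv4 ARP payload into its fields."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", payload, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,                 # 1 = request, 2 = reply
        "sha": payload[8:14],         # sender hardware address
        "spa": payload[14:18],        # sender protocol (IP) address
        "tha": payload[18:24],        # target hardware address
        "tpa": payload[24:28],        # target protocol (IP) address
    }


def build_arp(oper, sha, spa, tha, tpa):
    """Construct an ARP payload for the example (not a captured packet)."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + ip_bytes(spa) + tha + ip_bytes(tpa)


class GatewayArpGuard:
    """Per-port filter modelling 'anti-arp-spoofing ip <gateway>' on user-facing ports.

    A host on a protected port may ask for the gateway's MAC (request with the
    gateway as target) but may never claim the gateway IP as its own sender IP,
    whether in a reply or in a gratuitous request. Uplink ports are refused at
    configuration time, matching the guide's restriction.
    """

    def __init__(self):
        self.port_gateway = {}   # port name -> protected gateway IP (bytes)

    def configure(self, port, gateway_ip, uplink=False):
        if uplink:
            raise ValueError("gateway anti-ARP spoofing cannot be configured on an uplink port")
        self.port_gateway[port] = ip_bytes(gateway_ip)

    def unconfigure(self, port):
        self.port_gateway.pop(port, None)

    def filter(self, port, arp_payload):
        """Return 'drop' or 'forward' for an ARP packet received on the given port."""
        gateway = self.port_gateway.get(port)
        if gateway is None:
            return "forward"
        arp = parse_arp(arp_payload)
        if arp["spa"] == gateway:
            return "drop"
        return "forward"


if __name__ == "__main__":
    # Constructed scenario: port names, MACs and addresses are sample values.
    guard = GatewayArpGuard()
    guard.configure("GigabitEthernet 0/1", "192.168.1.1")
    client = bytes.fromhex("0011aabbcc01")
    rogue = bytes.fromhex("0011aabbcc99")
    legit = build_arp(1, client, "192.168.1.50", bytes(6), "192.168.1.1")
    spoof = build_arp(2, rogue, "192.168.1.1", client, "192.168.1.50")
    print("legitimate request:", guard.filter("GigabitEthernet 0/1", legit))
    print("spoofed gateway reply:", guard.filter("GigabitEthernet 0/1", spoof))
```

The filter is deliberately stateless: it needs no ARP table and no knowledge of the gateway's MAC, which is what keeps it cheap enough to run on every user port; the cost is that it protects only the one gateway IP configured on the port, not other hosts in the subnet.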
Configuration Guide: Configuring Anti-ARP Spoofing
Command and Function
Ruijie# show anti-arp-spoofing
    Displays the gateway anti-ARP spoofing configuration....

Configuration Guide: Configuring Link Check

Understanding Link Check

Overview
As a wireless access device, the AP implements part of the physical layer and the MAC layer, and generally has no switching function. In terms of hardware structure, there is only one wired uplink, which serves as the data channel for all access users in either a fat or a fit AP.

The link integrity check is necessary because when the only uplink is disconnected, the AP can no longer provide access for STAs. Rather than keeping the association with the STAs, it is better to disable the RF of the AP and force the STAs offline so that they can select another AP.

Compared with link integrity check, RF resource scheduling can not only disable the RF of an AP but also disable one or more specific WLANs, for more precise control.

Working Principles
Link integrity check
After link integrity check is enabled on an AC, all APs under the AC continuously check their respective wired links.

Configuring Link Integrity Check
Enabling
Command and Function
Ruijie# config terminal
    Enters global configuration mode.
Ruijie(config)# link-check { enable | disable }
    Enables or disables link integrity check.
Example:
# Enable the function of link integrity check
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# schedule session 1
Ruijie(config)# schedule session 1 time-range 1 period mon to fri time 21:00 to 7:00
Ruijie(config)# schedule session 1 time-range 2 period Sat to Sun time 1:00 to 7:00...

Ruijie(config)#ap-config ap-name
    Enters AP configuration mode. ap-name is the name of the AP to be configured.
Ruijie(config-ap)# schedule session num radio mem
    Applies the schedule session to the radio of the AP, provided the schedule session has been created. num is the ID of the schedule session, which ranges from 1 to 64.

Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ap-group APG-001 // “AP-001” is the name of the AP group to be configured.
Ruijie(config-ap-group)# schedule session 1 radio 2

Applying a schedule session to a WLAN in the fit AP architecture
Command and Function...

Ruijie(config-ap)# schedule session 1 wlan 2

Viewing the configuration
Command and Function
Ruijie# show schedule session [ num ]
    Shows the configuration of the current schedule session. num is the specified session ID, which ranges from 1 to
Configuration Example:
# Show configuration of the current schedule session.

# Enable the function of link integrity check
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# link-check enable
Configure a schedule session
# schedule session of the AP group “apg1” and wlan1
Ruijie(config)# schedule session 1...

# schedule session of AP3
Ruijie(config)# schedule session 2
Ruijie(config)# schedule session 2 time-range 1 period mon to fri time 21:30 to 7:00
Ruijie(config)# schedule session 2 time-range 2 period Sat to Sun time 1:00 to 7:00
Apply the schedule session of the AP group “apg1”...

schedule session 1
……
ap-group apg1
……
schedule session 1 radio 1
schedule session 1 radio 2
……
ap-config AP3
……
schedule session 2 radio 1
……
……...
Configuration Guide Configuring RADIUS Dynamic Authorization Extension Configuring RADIUS Dynamic Authorization Extension This configuration is supported by ACs and fat APs. Understanding RADIUS Dynamic Authorization Extension Overview The Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) protocol is defined in RFC 3576 by IETF.
Page 95
Use the no radius dynamic-authorization-extension enable command to disable RADIUS dynamic authorization extension in global configuration mode. The example below shows how to configure RADIUS dynamic authorization extension: Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# radius dynamic-authorization-extension enable Ruijie(config)# show run...
Page 96
# Set the port numbered 8080 to intercept RADIUS requests: Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# radius dynamic-authorization-extension port 8080 Ruijie(config)# show running-config # Repeat the configuration: Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Page 97
# Set the interval at which the event-timestamp attribute takes effect to 0 seconds: Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# radius dynamic-authorization-extension event-timestamp interval 0 Ruijie(config)# show running-config If the interval at which the event-timestamp attribute takes effect is set to 0 seconds, the event-timestamp attribute will not expire.
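The packet-level checks behind the commands above, as an added Python example (not RGOS code): a Disconnect-Request or CoA-Request built the way the authorization server builds it under RFC 5176 (the successor of RFC 3576), and the verification an access device performs before acting on it, including the Event-Timestamp validity interval with the guide's rule that an interval of 0 means the attribute never expires. The shared secret, user name, identifiers and timestamps are constructed; port 3799 is the RFC default and appears only as a constant, since the guide's own example moves the port to 8080.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attribute types used in this example.
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
ATTR_USER_NAME = 1
ATTR_EVENT_TIMESTAMP = 55
DEFAULT_DAE_PORT = 3799   # RFC default; the guide's example configures 8080 instead


def encode_attrs(attrs):
    """Type-Length-Value encoding of RADIUS attributes (length covers the 2-byte header)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, 2 + len(value)]) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_request(code, identifier, attrs, secret, event_time=None):
    """Build a request as the authorization server does. RFC 5176 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    if event_time is not None:
        attrs = list(attrs) + [(ATTR_EVENT_TIMESTAMP, struct.pack("!I", int(event_time)))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret, now, timestamp_interval):
    """Checks the access device performs before acting on a Disconnect/CoA request.
    timestamp_interval follows the guide's semantics: 0 disables Event-Timestamp expiry."""
    if len(packet) < 20:
        return False, "short packet"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, "unexpected code"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad authenticator"
    attrs = decode_attrs(packet[20:])
    stamps = [v for t, v in attrs if t == ATTR_EVENT_TIMESTAMP]
    if timestamp_interval > 0:
        if not stamps or len(stamps[0]) != 4:
            return False, "missing Event-Timestamp"
        if abs(now - struct.unpack("!I", stamps[0])[0]) > timestamp_interval:
            return False, "stale Event-Timestamp"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: secret, user and clock are sample data, not from the guide.
    secret = b"constructed-shared-secret"
    pkt = build_request(DISCONNECT_REQUEST, 7, [(ATTR_USER_NAME, b"alice")], secret, event_time=1700000000)
    print("fresh:", verify_request(pkt, secret, now=1700000100, timestamp_interval=300))
    print("replayed later:", verify_request(pkt, secret, now=1700000400, timestamp_interval=300))
    print("no expiry (interval 0):", verify_request(pkt, secret, now=1700000400, timestamp_interval=0))
```

The authenticator binds the whole packet to the shared secret, so an unauthorized party cannot forge a disconnect for a user, but it does nothing against replay of a genuinely signed request; that is what the Event-Timestamp interval is for, and an interval of 0, as the guide notes, means a captured request stays valid indefinitely.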
Page 98
Examples for Configuring RADIUS Dynamic Authorization Extension Networking Requirements RADIUS dynamic authorization extension must work with the authentication mechanism. The network comprises SAM servers, RADIUS servers, Ruijie access devices, and PCs of users. Ruijie access devices must support RADIUS dynamic authorization extension. Networking Topology...
Configuration Procedure
Enable RADIUS authentication on the access authentication device (this example uses 802.1x authentication).
Ruijie# config
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# aaa new-model
Ruijie(config)# aaa authentication dot1x default group radius...
Configuration Guide Configuring WLAN QoS Configuring WLAN QoS Understanding WLAN QoS WLAN QoS Overview WLANs compliant with 802.11 provide wireless access equally available to users. However, different applications may have various requirements for networks, but the original 802.11 networks provide no mechanism for differentiating between service priorities.
IEEE 802.11e adds QoS features to 802.11 WLANs. Standardizing the protocol took a long time, and during the standardization process the Wi-Fi Alliance defined Wi-Fi Multimedia (WMM) to ensure interoperability between QoS-capable WLAN devices from different vendors.
Parameters for assessing traffic are described below:
Average-data-rate: The allowable average rate of a flow, also known as the committed information rate (CIR).
Burst-data-rate: The maximum allowable burst of traffic, also known as the committed burst size (CBS). The configured burst size must be larger than the maximum frame length.
On fat APs, perform the following steps:
Command / Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# interface dot11radio interface-number
    Enters the AP primary interface configuration mode.
Ruijie(config-if-Dot11radio interface-number)# wmm { enable | disable }
    (Mandatory) Enables or disables the WMM/QoS service. The WMM/QoS service is enabled by default.
This parameter is not available on fat APs; its configuration is supported only on ACs.
Ruijie(config-ap)# no wmm edca-client { back-groud | best-effort | video | voice } [ radio radio-id ]
    (Optional) Restores the default EDCA parameters used...
The configuration of this parameter is supported only on ACs.
Ruijie(config-ap)# no wmm edca-radio { back-groud | best-effort | video | voice } [ radio radio-id ]
    (Optional) Restores the default EDCA parameters used by the specified priority queues (back-groud, best-effort, video and voice) and their queue lengths.
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlan-config wlan-id
    Enters WLAN configuration mode.
Ruijie(config-wlan)# [ no ] enable-qos
    (Mandatory) Activates or deactivates the QoS service. The QoS service is activated by default.
Ruijie(config-wlan)#
    Configures the total uplink traffic rate limit for the WLAN.
On fat APs, configure this in global configuration mode with the following command:
Ruijie(config)# [ no ] wlan-qos ap-based { per-user-limit | total-user-limit } { up-streams | down-streams } average-data-rate average-data-rate burst-data-rate burst-data-rate
Configuring Fair Scheduling...
Step 1: Enter the ap-config configuration mode on the AC. ruijie(config)# ap-config ruijie_ap_001 Step 2: Configure relevant EDCA parameters. ruijie(config-ap)#wmm edca-client voice aifsn 10 cwmin 1 cwmax 5 txop 50 radio 1 ruijie(config-ap)#wmm edca-radio voice aifsn 10 cwmin 1 cwmax 5 txop 50 radio 1 Verification...
Configuration Guide Configuring Smartant Configuring Smartant Understanding Smartant Overview Antennas are passive devices that fall into the categories of omni-directional antennas and directional antennas according to the radiation lobe. An omni-directional antenna covers a broad area over a relatively short distance, while a directional antenna covers limited areas over a long distance.
As shown in Figure 0-4, although a directional antenna focuses the energy so that signal intensity within the coverage area is higher, the coverage angle is small and many areas lie outside the signal coverage. If signals could be transferred to other clients while Client A is idle, coverage effectiveness and user access capacity would increase greatly.
Smartant Characteristics
Obstacles in the transmission path attenuate wireless signals. Signals that encounter obstacles are reflected or refracted, which shifts the signal phase. Signal attenuation varies with the type of obstacle, as shown in Table 3-1.
Ruijie# config terminal
    Enters global configuration mode.
Ruijie(config)# ap-config apname
    Enters AP configuration mode.
Ruijie(config-ap)# smartant enable radio radio-id
    Enables the SA of the specified radio on the specified AP.
The example is as follows:
# Enable the smartant function.
Configuration Steps
# Enable the smartant function.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ap-config apname
Ruijie(config-ap)# smartant enable radio 1
Verifying the Configuration
AC5302_7#sh ap-config running
ap-config ap320
 smartant enable radio 1
 long-retries 3 radio 1...
When a network contains many APs and each AP is connected to several feeders, Ruijie products provide a feeder link detection function that automatically detects the operational status of each feeder, for ease of management. Users can detect abnormal operation caused by poor contact or deliberate damage and then troubleshoot it.
Configuration Guide Configuring i-Share Antenna Feeder Link Detection
Ruijie# show antenna single ap-name
    Displays the link detection status.
In hot backup mode, only the status of the master AC's feeder is currently displayed; the status of the slave AC's feeder is shown as normal by default.
Configuration Guide Configuring WLAN Capture
Configuring WLAN Capture
Overview
Troubleshooting and optimizing a wireless network has traditionally required a dedicated wireless network card, which is complex and time consuming. To simplify packet capture and analysis, this chapter introduces WLAN capture, which lets an AP radio act as a remote sniffing interface for a capture tool on a remote host.
WLAN capture service: Disabled (default)
Configuring the WLAN Capture Interface List
A WLAN capture interface is a wireless sniffing radio interface of an AP under the AC.
Command / Function
Ruijie(config)# ap-config ap-name
Ruijie(config)# ap-group ap-group-name
    Enters AP configuration mode or AP group configuration mode...
Ruijie(config-ap)# [no] wlan-cap enable radio-id
Ruijie(config-ap-group)# [no] wlan-cap enable radio-id
    Adds the radio interface to the WLAN capture interface list, or removes it with the no form. By default, the radio interface is not in the list. radio-id is the ID of the radio to be configured, in the range 1 to 31.
Configuring the Sniffing Interface
Command / Function
Ruijie(config)# wlan-cap
    Enters WLAN capture mode.
Ruijie(wlan-cap)# rpcap port port-value
    Configures the TCP port on which the rpcap service listens; the default is 2002.
Ruijie# show wlan-cap config
    Shows the current WLAN capture configuration.
The sniffing ports must be configured before WLAN capture is enabled.
Ruijie(wlan-cap)# no rpcap login
    Configures remote host login authentication; use the no form of this command to restore the default settings. By default, both the username and the password are Ruijie (without the quotation marks).
Ruijie# show wlan-cap config
    Shows the current WLAN capture configuration.
The default credentials are printed in this guide, and the capture service hands every frame the radio hears to whoever authenticates to it. Set a non-default rpcap username and password before enabling the service, and allow connections to the rpcap port only from a trusted management network.
Configuring the Forward Mode
Command / Function
Ruijie(config)# wlan-cap
    Enters WLAN capture mode.
Ruijie(wlan-cap)# forward { central | local }
    Configures the packet forwarding mode:
    central: Central forward mode. The RPCAP packets are collected by the AC and then forwarded to the remote host.
    local: Local forward mode. The RPCAP packets are forwarded by the AP directly to the remote host.
The forward mode must be configured before the WLAN capture is configured. This command is supported only by the AC. Configuration Example: The example configures Local Forward Mode for AP. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#wlan-cap Ruijie(wlan-cap)#forward local...
Login info: Anonymous
Forward: Central
Service enable: Yes
If Login info shows Anonymous, confirm whether the rpcap service is accepting connections without credentials before leaving it enabled.
Showing the WLAN Capture Configuration
After completing the configuration above, use the show commands to check it.
Command / Function
    Shows the WLAN capture interface list.
show wlan-cap config
    Shows the current state of WLAN capture.
Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#ap-config AP2 You are going to config AP(AP2), which is on line now. Ruijie(config-ap)#wlan-cap channel all 1 Ruijie(config-ap)#exit 10) Enable the WLAN capture service. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Use Wireshark on the remote host to control sniffing.
Configuration Steps
14) Enable sniffing of channel 149 in monitor mode on radio 2 of the AP.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#wlan-cap channel all 2...
Ruijie(config)#exit
15) Enable the WLAN capture service.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#wlan-cap
Ruijie(wlan-cap)#service enable
Ruijie(wlan-cap)#exit
Verifying the configurations
16) Show the WLAN capture configuration information.
Ruijie#show wlan-cap config...
21) Select the Remote Interfaces tab and add remote interfaces there.
22) Enter the AC address, port number and authentication information.
23) After the interface information from the AC is received, click Close to confirm it and return to the Options tab.
24) In the Options tab, double-click the interface under Remote Interfaces to enter Capture Options.
25) In the interface settings, click Remote Settings to enter Remote Capture Settings.
26) In Remote Capture Settings, select Use UDP for data transfer and click OK to return to the interface settings.
27) In Capture Options, select Use UDP for data transfer if you want to set the channel in monitor mode; otherwise the channel is in mirror mode. Click OK to return to the interface settings.
28) Configure the filtering rule.
Ruijie(config-wlan)# [ no ] central dhcp enable
    Forwards DHCP packets locally to the AC so that IP addresses are obtained in a centralized manner.
Use the central dhcp enable command to forward DHCP packets to the AC; IP addresses are then allocated centrally.
Working Principle
Ruijie wireless access points (APs) contain the basic hardware of a miniature spectrum analyzer covering the 2.4 GHz and 5 GHz frequency ranges of 802.11a/b/g. The wireless transceiver in the AP detects RF signals and passes the data to the spectrum analyzer engine, which performs a Fast Fourier Transform (FFT) and sends spectrum information to the controller, including basic information such as the power of the RF spectrum and monopulse-related information.
Ruijie(config)# ap-config apname
    Enters AP configuration mode on the fit AP or AC, or spectral mode on the fat AP.
Ruijie(config-ap)# [ no ] spectral stability vbr num
    Configures the recognition accuracy of the video bridge, in the range 1 to 5. The default value is 5.
Configuration Guide Configuring Spectral Analysis
Ruijie(config-ap)# [ no ] spectral stability cph num
    Configures the recognition accuracy of the cordless phone, in the range 3 to 5. The default value is 5.
Ruijie(config-ap)# [ no ] spectral stability cwa num
    Configures the recognition accuracy of the continuous wave, in the range 4 to 10.
Configuration Steps
# Enable SA.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ap-config apname
Ruijie(config-ap)# spectral enable
Verification
AC5302_7#show ap-config running
ap-config ap320
 spectral enable...
Command Mode The management interface of Ruijie network devices falls into multiple modes. The command mode you are working with determines the commands you can use. To list the usable commands in each mode, enter a question mark (?) at the command prompt.
Global configuration mode
    Access method: In privileged EXEC mode, enter the configure command.
    Prompt: Ruijie(config)#
    Exit method: press Ctrl+C.
    Function: In this mode, you can execute commands that configure global parameters influencing the device as a whole. To access interface configuration mode, enter the interface command with the interface specified.
To list a command's associated arguments, leave a space between the keyword and the question mark. For example:
command keyword ?
Ruijie(config)# snmp-server community ?
  WORD  SNMP community string
help: Obtains a brief description of the help system in any command mode.
Configuration Guide Command Line Interface Configuration
Understanding CLI Error Messages
The following table lists the error messages that may appear when you use the CLI to manage equipment.
Common CLI error messages:
Message / Meaning / Action
% Ambiguous command
    The device cannot identify a unique command for your input. Re-input the command with a question mark...
Editing Shortcut Keys
The following table lists the editing shortcut keys.
Function / Shortcut Key / Description
Move the cursor in an editing line:
    Left arrow key or Ctrl+B: Move the cursor left by one character.
    Right arrow key or Ctrl+F: Move the cursor right by one character.
Command / Function
Ruijie# show any-command | begin regular-expression
    Searches the output of the show command for the specified content and outputs the first line that contains it together with all subsequent lines. You can execute show commands in any mode.
The command that an alias represents must run in the mode you defined for it in the current system. In global configuration mode, enter alias ? to list all command modes in which aliases can be configured.
Ruijie(config)#alias ?
  aaa-gs    AAA server group mode...
An alias must be entered in full; otherwise it is not recognized. Use the show aliases command to view the aliases configured in the system.
Accessing the CLI
Before using the CLI, connect a terminal or PC to the network device and power the device on. After the hardware and software have initialized, you can use the CLI.
After entering a specific LINE mode, you can configure the specified line. Execute the following command to enter the specified LINE mode:
Command / Function
Ruijie(config)# line [aux | console | tty | vty] first-line [ last-line ]
    Enters the specified LINE mode.
Increasing/Decreasing LINE VTY
By default, the number of VTY lines is 5.
Configuration Guide Configuring LINE Mode
access-class { access-list-number | access-list-name } { in | out }
    Configures the access control list on the line.
no access-class { access-list-number | access-list-name } { in | out }
    Removes the configuration.
An inbound access-class is the control over which source addresses may open a management session on a line. Apply one to every VTY line range, including any range you add when increasing the number of VTY lines, because a new range without an access-class is reachable from anywhere the device is.
If you have set a non-level-15 password, the system shows a message and automatically converts it into a security password.
Ruijie(config)# enable password [level level] {password | encryption-type...
    If you have set the same level-15 static password as the...
For example, config indicates global configuration mode, exec indicates privileged EXEC mode, and interface indicates interface configuration mode.
Ruijie(config)# privilege mode [all] {level level | reset} command-string
    all: Changes the privileges of all sub-commands of the specified command to the same level.
Ruijie(config-line)# password [0 | 7] line
    Specifies a line password. 0: the password is entered in plaintext. 7: the password is in the encrypted form produced by a Ruijie device. line: the password string to be configured.
Ruijie(config-line)# login
    Enables line password protection.
A shared line password does not identify who logged in, and anyone who can read a configuration containing a type-0 password obtains it in the clear. Prefer per-user authentication (see the username identity authentication section) and protect the stored configuration accordingly.
To enable username identity authentication, run the following commands in global configuration mode:
Command / Function
Ruijie(config)# username name [password password | ...
    Enables username identity authentication with an encrypted password. Encryption type 0 defines a password in plaintext. Encryption type 7 defines an encrypted password.
Ruijie# clock set hh:mm:ss month day year
    Sets the system date and time.
For example, to change the system time to 10:10:12 on 2003-6-20:
Ruijie# clock set 10:10:12 6 20 2003 //Set system time and date.
Ruijie# show clock //Confirm the modification has taken effect.
Showing System Time and Date
You can show the system time and date with the show clock command in privileged mode. The following example shows the format:
Ruijie# sh clock //Show the current system time and date.
clock: 2003-5-20 11:11:34
Updating the Hardware Clock
Some platforms have a hardware clock (calendar) that backs the software clock.
Ruijie# reload at hh:mm month day [year] [reload-reason]
    Reloads at hh:mm, month day, year. reload-reason (if any) indicates the reason for the reload.
The following example schedules a system reload at 12:00 a.m. on January 11, 2005 (assuming the current system clock is 8:30 a.m....
Ruijie# reload in 125 test //Set the system reload time Ruijie# reload in 2:5 test //Set the system reload time Ruijie# show reload //Confirm whether the restart time change takes effect System will reload in 7485 seconds. Immediate Restart The reload command without any parameter will restart the device immediately. In privileged mode, you can restart the system immediately by using the reload command.
Ruijie(config)# banner motd c message c
    Specifies a message-of-the-day banner, where c is the delimiter character. Type the delimiter and press Enter, type the message text, then type the delimiter again and press Enter. Note that any characters typed after the ending delimiter are discarded by the system.
The following example shows how to configure a login banner. The pound sign (#) is used as the starting and end delimiters and the text of the login banner is "Access for authorized users only. Please enter your password." Ruijie(config)# banner login # //Start delimiter Enter TEXT message. End with the character '#'.
(the number of ports on the plugged module). You can use the following commands to show information about the device and its slots in privileged mode:
Command / Function
Ruijie# show version devices
    Shows the current device information.
Ruijie# show version slots
    Shows current information about slots and modules.
Switch B for management and configuration using the telnet command. Ruijie's Telnet program supports IPv4 and IPv6 addresses: the Telnet server accepts IPv4 and IPv6 connection requests, and the Telnet client can connect to an IPv4 or IPv6 host. Telnet carries the login and the whole session in cleartext, so where the device supports it prefer SSH (enable service ssh-server) and restrict the Telnet server to trusted management networks.
Password:
The following example shows how to establish a Telnet session to, and manage, the remote device with the IPv6 address 2AAA:BBBB::CCCC:
Ruijie# telnet 2AAA:BBBB::CCCC //Establish the Telnet session to the remote device
Trying 2AAA:BBBB::CCCC ... Open
User Access Verification //Login prompt of the remote device...
You can cancel the connection timeout with the no exec-timeout command in line configuration mode.
Ruijie# configure terminal //Enter global configuration mode.
Ruijie(config)# line vty 0 //Enter line configuration mode...
You can remove the timeout setting for the session set up with the remote terminal with the no exec-timeout command in line configuration mode.
Ruijie# configure terminal //Enter global configuration mode.
Ruijie(config)# line vty 0 //Enter line configuration mode...
..executing done
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# line vty 1 16
Ruijie(config-line)# transport input all
Ruijie(config-line)# no exec
Ruijie(config-line)# end
The file name and contents of a batch file can be specified. You can send an edited batch file to the flash memory of the network device in TFTP mode.
Ruijie(config)# enable service ssh-server //Enable SSH server
To enable the HTTP service only, use the following command:
Ruijie(config)# enable service web-server http
To enable the HTTPS service only, use the following command:
Ruijie(config)# enable service web-server https
The enable service web-server command accepts three optional keywords:
enable service web-server [http | https | all]
With no keyword, or with all, the command enables both the HTTP and HTTPS services.
HTTP server, sets the service port to 8080, and uses the local username database for login authentication.
Ruijie# configure terminal //Enter global configuration mode.
Ruijie(config)# enable service web-server http //Enable HTTP server
Ruijie(config)# username name password pass //Set local user
Ruijie(config)# username name privilege 15 //Bind user rights
Ruijie(config)# ip http port 8080 //Set service port
Ruijie(config)# ip http authentication local //Set authentication method
Use the following command to configure an HTTPS service port.
HTTPS server and sets the service port to 4443.
Ruijie# configure terminal //Enter global configuration mode.
Ruijie(config)# enable service web-server https //Enable HTTPS server
Ruijie(config)# ip http secure-port 4443
Use the following command to verify the status of the Web server.
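The following added example (Python, not Ruijie code) audits a saved running configuration for the management-plane settings covered in the LINE mode, Telnet, exec-timeout and Web server sections above: every vty line range should carry an inbound access-class, should not accept Telnet through transport input all, should keep an idle exec-timeout, should not store a type-0 password, and should have a login method; local users should not be stored with type-0 passwords; and the Web server should be HTTPS-only with ip http authentication configured. The sample configuration is constructed for the example, and the policy thresholds and finding texts are this example's own, built only from the commands shown in this guide.

```python
"""Audit a Ruijie RGOS running-config for management-plane hardening.

Added example, not Ruijie code. SAMPLE_CONFIG is constructed for this
example; the checks encode this example's own policy, built from the
commands shown in this guide (line vty, access-class, transport input,
exec-timeout, password 0|7, username, enable service web-server,
ip http authentication).
"""
import re

SAMPLE_CONFIG = """\
!
enable service ssh-server
enable service web-server http
ip http port 8080
ip http authentication local
username admin password 0 ruijie
username ops password 7 0825464d5d
line vty 0 4
 transport input all
 exec-timeout 0 0
 password 0 letmein
 login
line vty 5 16
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
 login local
end
"""


def parse_config(config):
    """Return (global commands, {'line ...': [child commands]}).

    Child commands are the indented lines that follow a 'line' command,
    as they appear in a saved RGOS configuration.
    """
    global_cmds, line_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        current = None
        if cmd.startswith("line "):
            current = cmd
            line_blocks[cmd] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit(config):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    global_cmds, line_blocks = parse_config(config)
    g = set(global_cmds)

    # Web management: HTTPS only, and never without an authentication method.
    if g & {"enable service web-server", "enable service web-server http",
            "enable service web-server all"}:
        findings.append("web: HTTP enabled; use 'enable service web-server https' only")
    if any(c.startswith("enable service web-server") for c in g) and \
            not any(c.startswith("ip http authentication") for c in g):
        findings.append("web: server enabled without 'ip http authentication'")

    # Local users: a type-0 entry leaves the password readable in the config.
    for c in global_cmds:
        m = re.match(r"username (\S+) password 0 ", c)
        if m:
            findings.append(f"user {m.group(1)}: plaintext (type 0) password")

    # VTY lines: source filtering, SSH only, idle timeout, no type-0 password.
    for name, cmds in line_blocks.items():
        if not name.startswith("line vty"):
            continue
        cset = set(cmds)
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class")
        if cset & {"transport input all", "transport input telnet"}:
            findings.append(f"{name}: Telnet accepted; set 'transport input ssh'")
        if cset & {"exec-timeout 0 0", "no exec-timeout"}:
            findings.append(f"{name}: idle timeout disabled")
        if any(c.startswith("password 0 ") for c in cmds):
            findings.append(f"{name}: plaintext (type 0) line password")
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{name}: no login method")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit flags the HTTP-only Web server, the type-0 password of user admin, and four weaknesses on line vty 0 4, while line vty 5 16 (access-class, SSH only, 10-minute timeout, login local) passes.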
Configuration Guide Configuring the HTTP Service
Configuring the HTTP Service
Understanding HTTP
Overview
The Hypertext Transfer Protocol (HTTP) is used to transmit Web page information over the Internet. HTTP resides at the application layer of the TCP/IP protocol stack and uses connection-oriented TCP at the transport layer. Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over the Secure Sockets Layer (SSL).
The client can send the next request before the previous request has completed, which reduces network delay and improves performance, as shown in Figure 2.
Figure 2 HTTP/1.1 Protocol Packet Exchange
Currently, Ruijie devices support HTTP/1.0 and HTTP/1.1. The protocol version used depends on the Web browser.
HTTPS Service
HTTPS adds the security base of SSL to HTTP.
Authenticating users and servers, to ensure that data is sent to the correct clients and servers
Encrypting data, to prevent interception during transmission
Preserving data integrity, to ensure that data is not changed during transmission
Figure 3 HTTPS Service
HTTP Upgrade Service
The HTTP upgrade service includes local and remote HTTP upgrade services.
HTTP Application Service Currently, the Web NMS is still a major method for users to maintain and manage devices. Ruijie network devices also provide the Web management function. When HTTP is enabled, users can log in to the Web management interface after entering "http://+device IP address"...
With the HTTP remote upgrade service, the device acts as a client, connects to the remote HTTP server and obtains files from it to upgrade its local files. The default domain name of the Ruijie Web server is rgos.ruijie.com.cn. Figure 5 shows a typical application scenario.
Use the following commands to enable the HTTP service in configuration mode.
Command / Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)#enable service web-server http
    (Mandatory) Enables the HTTP service.
Ruijie(config)#enable service web-server https
    (Mandatory) Enables the HTTPS service.
    (Mandatory) Enables both HTTP and HTTPS services.
Usernames and passwords come with three permission levels, each of which holds at most 20 usernames and passwords.
Configuration example: The following example uses the username admin and the plaintext password ruijie at level 0 to perform Web authentication on a Ruijie device.
Ruijie# configure terminal
Enter configuration commands, one per line.
The server address cannot be an IPv6 address.
Configuration example: The following example configures the domain name of the HTTP upgrade server as rgos.ruijie.com.cn and the port number as 85 on a Ruijie device.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
This command takes effect only when the HTTP upgrade mode is auto-detection.
Configuration example: The following example configures the HTTP auto-detection time as 3:00 am on a Ruijie device.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
1.2.1(82379) web1.2.1(145680).upd
1.2.1(82378) web1.2.1(145680).upd
Local Upgrade
You can use the copy tftp command to download the latest Web files to a Ruijie device and then use the following command to upgrade the Web package.
Command / Function
Ruijie# http web-file update
    Updates the Web package.
For the new Web package to take effect, log in to the Web interface again.
Configuration example: The following example displays the HTTP configuration of a Ruijie device.
Ruijie# show web-server status
http server status : enabled
http server port : 80
https server status: enabled
https server port: 443...
When the device is upgraded to the new Smart Web management system, the ip http authentication configuration is removed automatically.
Configuration Steps
30) Configure the username as admin and the password as ruijie.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Networking Requirements
An enterprise that has purchased a Ruijie device wants to use the HTTP upgrade function to upgrade files. Ensure that the device can periodically and remotely obtain information about the files available for upgrade from a Ruijie server. Check the files currently available for upgrade.
36) Configure the address of the upgrade server.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http update server rgos.ruijie.com.cn
37) Enable the auto-detection mode and configure the remote detection time of the device as 2:00 am.
Ruijie#configure terminal
Enter configuration commands, one per line.
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#vlan 1
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 1
Ruijie(config-VLAN 1)#ip address 10.10.10.131 255.255.255.0
Enable the TFTP server function on the PC and run the copy tftp command on the device to download the Web package.
As with the basic ping function, the extended ping also shows statistics. The following example shows an extended ping:
Ruijie# ping 192.168.5.197 length 1500 ntimes 100 data ffff source 192.168.4.190 timeout 3
Sending 100, 1000-byte ICMP Echoes to 192.168.5.197, timeout is 3 seconds: <...
As with the basic ping function, the extended ping also shows statistics. The following example shows an extended IPv6 ping:
Ruijie# ping ipv6 2000::1 length 1500 ntimes 100 data ffff source 2000::2 timeout 3
Sending 100, 1000-byte ICMP Echoes to 2000::1, timeout is 3 seconds: <...
The traceroute command can run in user EXEC mode and privileged EXEC mode. The command format is as follows:
Command / Function
Ruijie# traceroute [ vrf vrf-name | ip ] [address [probe probe] [ttl minimum maximum] [ source source] [timeout ...
    Traces the path that a packet passes through.
Command / Function
Ruijie# traceroute ipv6 [address [probe probe] [ttl minimum maximum] [ source source] [timeout seconds]]
    Traces the path that a packet passes through.
The following are two examples of traceroute ipv6. In the first, network connectivity is good; in the second, some gateways in the network are not reachable.
You can also see the time a packet takes to reach each gateway, which is very useful for network analysis.
traceroute ipv6 example where some gateways in the network are not reachable:
Ruijie# traceroute ipv6 3004::1
< press Ctrl+C to break >
Tracing the route to 3004::1...
Enter the IP address of the TFTP server if the parameter location is not specified.
Command / Function
Ruijie# copy tftp://location/filename flash:filename [ vrf vrfname ]
    Downloads the file filename, specified by the URL of the host, to the device.
TFTP provides neither authentication nor integrity protection for the transferred file, so perform transfers only over a trusted management network and verify the image before you upgrade from it.
Command / Function
Ruijie# copy tftp://[2000::100]/filename flash:filename
    Downloads the file filename, specified by the URL of the host, to the device.
In CLI command mode, upload the file by performing the following steps: Before uploading the file, enable the TFTP server software on the local host, select the directory on the host in which the uploaded file is to be saved, and then use the following command in privileged mode to upload the file.
Command / Function
Ruijie# copy flash:filename xmodem
    Uploads the file filename from the device to the host.
Upgrading the System
You can transfer the upgrade file to a device via TFTP or Xmodem, whether the device is box-mount or chassis-mount.
Configuration Guide System Upgrade and Maintenance
40) Confirm that the filename of the upgrade file to be loaded is rgos.bin.
41) Download the file to the device by using the copy command.
42) If there is a slave supervisor engine on the device, you need to first upgrade the main programs of the master and slave supervisor engines successfully.
Current software version in slot [1] is synchronous. System does not need to perform version synchronization for this card ..
Or, the system prompts:
System is doing version synchronization checking ..
Card in slot [3] needs to do version synchronization ..
Other Printing Information
Version synchronization begin ..
Upgrading a box-mount device with the upgrade file: To upgrade a box-mount device, follow Steps 1 to 7, after which the system reboots and the device runs normally.
Configuration Guide Configuring Interface Configuring Interface Overview of Interface Types This chapter classifies the interfaces used on Ruijie devices and defines interface types. Interfaces on Ruijie devices are divided into two types: L2 Interfaces L3 Interfaces (supported on layer 3 devices) L2 Interfaces This section presents the types of L2 interfaces and their definitions.
Tagged frames whose VID is 0
Untagged frame: An access port receives untagged frames and adds the tag of the default VLAN to them. The added tag is removed before the access port sends them out.
Tagged frame: An access port handles tagged frames in the following ways: When the VID (VLAN ID) of the tag is the same as the default VLAN ID, the access port receives the frame and removes...
When the trunk port receives a tagged frame whose VID is the same as that of its native VLAN, the frame is accepted and the tag is removed before the frame is sent. When the trunk port receives a tagged frame whose VID differs from that of its native VLAN but is permitted by the port, the frame is accepted.
L3 Aggregate Ports
SVI (Switch Virtual Interface)
An SVI is the logical interface used to implement layer 3 switching. It can serve as the local management interface through which the administrator manages the device, or be created as a gateway interface that acts as the virtual sub-interface of a VLAN.
Configuration Guide Configuring Interface L3 Aggregate Port Just like a L2 aggregate port, a L3 aggregate port is a logically aggregated port group that consists of multiple physical ports. The aggregated ports must be layer 3 ports of the same type. For layer 3 switching, an AP that serves as the gateway interface for layer 3 switching considers multiple physical links in the same aggregate group as one logical link.
Page 198
Use the interface command in the global configuration mode to enter the interface configuration mode.
Command    Function
Ruijie(config)# interface interface ID
    Enter the interface configuration mode from the global configuration mode.
You can also configure an interface range by using the interface range or interface range macro command.
SVI. This example shows how to use the interface range command in the global configuration mode:
Ruijie# configure terminal
Ruijie(config)# interface range fastethernet 1/1 - 10
Ruijie(config-if-range)# no shutdown
Ruijie(config-if-range)#
This example shows how to separate multiple ranges by a comma “,”:...
The string defined by the macro is saved in memory. When you use the interface range command, you can use the macro name in place of the interface-range string:
Ruijie(config)# interface range macro macro_name
To delete a macro, use the no define interface-range macro_name command in the global configuration mode.
The ports configured as members of an aggregate port must have the same media type; otherwise they cannot be added to the aggregate port. The port type of aggregate port members cannot be changed.
Command    Function
Ruijie(config-if)# medium-type { fiber | copper }
    Set the media type of a port.
Ruijie(config-if)# media-type { baset | baset | auto }
    Set the media type of a port.
This example sets the media type of gigabitethernet 1/1 on AC devices:
Ruijie# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Command    Function
Ruijie(config-if)# speed {10 | 100 | 1000 | auto }
    Select a speed or set it to auto.
    Caution: 1000M applies only to gigabit interfaces. The rate of the optical interface for other devices is forced to be 1000M.
Ruijie(config-if)# duplex {auto | full | half }
    Set the duplex mode.
In the interface configuration mode, you can restore the speed, duplex, and flow control settings to their default values (auto-negotiation) by using the no speed, no duplex, and no flowcontrol commands. The following example shows how to set the speed of Gigabitethernet 1/1 to 1000M, its duplex mode to full, and its flow control to off.
To set the attributes of a switch port, use the switchport command or other commands in the interface configuration mode:
Command    Function
Ruijie(config-if)# switchport mode {access | trunk }
    Set the operation mode.
The following example shows how to set the operation mode of Gigabitethernet 1/2 to access port.
The following example shows how to set Gigabitethernet 2/1 as an access port in VLAN 100, set its speed, duplex mode and flow control to auto-negotiation, and enable port security.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# interface gigabitethernet 2/1
Ruijie(config-if)# switchport access vlan 100
Ruijie(config-if)# speed auto...
[[add] [tagged | untagged]] | remove ] vlist
    Set the output rule for the port.
Ruijie# configure terminal
Ruijie(config)# interface g 0/1
Ruijie(config-if)# switchport mode hybrid
Ruijie(config-if)# switchport hybrid native vlan 3...
Ruijie(config-if)# switchport hybrid allowed vlan untagged 20-30
Ruijie(config-if)# end
Ruijie# show running interface g 0/1
Configuring L2 Aggregate Ports
This section describes how to create an L2 aggregate port and related settings. You may create an L2 aggregate port by using the aggregateport command in the interface configuration mode. For details, see Configuring Aggregate Port.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# interface gigabitethernet 2/1
Ruijie(config-if)# no switchport
Ruijie(config-if)# ip address 192.20.135.21 255.255.255.0
Ruijie(config-if)# no shutdown
Ruijie(config-if)# end
Configuring L3 Aggregate Ports
This section describes how to create an L3 aggregate port and related configuration.
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# interface aggregateport 2
Ruijie(config-if)# no switchport
Ruijie(config-if)# ip address 192.168.1.1 255.255.255.0
Ruijie(config-if)# no shutdown
Ruijie(config-if)# end
Configuring Sub Interfaces
This section describes how to create sub interfaces and related configuration.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# interface BVI 100
Ruijie(config-if)# ip address 192.168.2.1 255.255.255.0
Ruijie(config-if)# end
Showing Interface Configuration and Status
This section covers interface status display and gives examples. You may view interface status by using the show command in the privileged EXEC mode.
Ruijie# show interfaces [interface-id] counters
    Show the statistics of the specified port. The rate displayed may have an error of less than 0.5%.
The following example shows how to display the status of Gigabitethernet 0/1.
Ruijie# show interfaces vlan 5
VLAN : V5
Description : SVI 5
AdminStatus : up
OperStatus : down
Primary Internet address : 192.168.65.230/24
Broadcast address : 192.168.65.255
PhysAddress : 00d0.f800.0001
LastChange : 0:0h:0m:5s
The following example shows the status of aggregate port 3.
: Unknown
FlowControlAdminStatus : Autonego
FlowControlOperStatus : Disabled
Priority
This example shows the configuration of GigabitEthernet 1/1:
Ruijie# show interfaces gigabitEthernet 1/1 switchport
Interface Switchport Mode Access Native Protected VLAN lists
---------- ---------- --------- --------- --------- --------- ------------
gigabitethernet 1/1...
Configuration Command
Command    Function
Ruijie(config-if)# [ no ] snmp trap link-status
    Enable or disable sending LinkTrap on this interface.
Configuration Example
The following configuration shows how to configure the interface not to send LinkTrap:
Ruijie(config)# interface gigabitEthernet 1/1...
Configuration Guide Configuring MAC Address
Configuring MAC Address
Understanding the MAC Address Table
Overview
Layer-2 forwarding, a major function of an Ethernet switch, forwards packets based on data link layer information. The switch forwards a packet to the corresponding interface according to the destination MAC address the packet carries, and stores the mapping between destination MAC address and interface in the MAC address table.
Multicast forwarding: if the switch finds an entry in the MAC address table matching the packet's destination MAC address and VLAN ID, and that entry corresponds to a group of outgoing interfaces, the packet is forwarded directly through those interfaces.
Status    VLAN    MAC address    Interface
Dynamic            00d0.f8a6.5af7    GigabitEthernet 0/2
Figure MAC Address Table 1
Upon receiving the packets, UserB sends packets back to UserA through interface GigabitEthernet 0/3. The MAC address of UserA exists in the MAC address table, so the packets are forwarded to interface GigabitEthernet 0/2 as unicast, and the switch learns the MAC address of UserB at the same time.
Static Address
A static address is a manually configured MAC address. In function, a static address is the same as a dynamic address; however, a static address can only be added and deleted manually, and is never learned or aged out. A static address is stored in the configuration file and is not lost when the device restarts.
The notification about adding a MAC address tells you that a new user (identified by the MAC address) is using the device. The notification about deleting a MAC address (sent when the user has not communicated with the device within the aging time) tells you that a user is no longer using the device.
Limit of VLAN dynamic address disabled
MAC address change notification disabled
Address-bind mode compatible
Bridge Protocol Frame Forwarding Action
BPDU: not forward
802.1x: forward
GVRP: not forward
Setting Dynamic Addresses
Clearing Dynamic Addresses
Command    Function
Ruijie#clear mac-address-table dynamic
    Clear all dynamic addresses.
    VLAN to which the dynamic address to be cleared belongs.
The following example shows how to clear all dynamic addresses in VLAN 1 on interface GigabitEthernet 0/1:
Ruijie#clear mac-address-table dynamic interface GigabitEthernet 0/1 vlan 1
Viewing Configurations
Command...
Ruijie# show mac-address-table count
    Show the statistics of the MAC address table.
The following example shows all dynamic MAC addresses in VLAN 1 on interface GigabitEthernet 0/1:
Ruijie#show mac-address-table dynamic interface gigabitEthernet 0/1 vlan 1
Vlan    MAC Address    Type...
Ruijie(config)# mac-address-table aging-time [0 | 10-1000000]...
    Set the time for which a learned address is kept in the dynamic MAC address table. The range is 10 to 1000000 seconds; the default is 300 seconds.
VLAN 4, it is forwarded to Gigabitethernet 0/3.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# mac-address-table static 00d0.f800.073c vlan 4 interface gigabitethernet 0/3
The following example shows how to remove the static address 00d0.f800.073c.
Ruijie#configure terminal
Enter configuration commands, one per line.
VLAN 4, it will be discarded.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# mac-address-table filtering 00d0.f800.073c vlan 4
The following example shows how to remove the filtering address 00d0.f800.073c.
Ruijie#configure terminal...
Ruijie(config)#no mac-address-table filtering 00d0.f800.073c vlan 4
Viewing Configurations
Command    Function
Ruijie# show mac-address-table filtering
    Show the information of all filtering MAC addresses.
The following example shows how to view the information of all the filtering MAC addresses:...
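The table behaviour covered in this chapter (learning, unicast forwarding, flooding, aging, static entries, filtering entries and change notifications) as one simulation, added here as an example and not code from the guide or from Ruijie. The switch model is simplified; discarding a frame whose source MAC is a filtering address, and the injectable clock, are assumptions of this example.

```python
"""MAC address table model: source learning, unicast forwarding to the
learned port, flooding of unknown destinations, aging of dynamic entries,
static entries that never age, filtering entries whose traffic is
discarded, and add/remove notifications.
Added illustration, not Ruijie code. Assumption: frames whose source MAC is
a filtering address are discarded as well as frames addressed to one.
"""
import time

FLOOD = "flood"   # unknown unicast or broadcast: out every other port
DROP = "drop"     # filtering address, or destination sits on the ingress port


class MacTable:
    def __init__(self, ports, aging_time=300, now=time.monotonic):
        self.ports = list(ports)
        self.aging_time = aging_time   # seconds, see mac-address-table aging-time
        self.now = now                 # injectable clock for deterministic tests
        self.dynamic = {}              # (vlan, mac) -> (port, last_seen)
        self.static = {}               # (vlan, mac) -> port
        self.filtering = set()         # (vlan, mac) whose frames are discarded
        self.notifications = []        # ("added" | "removed", vlan, mac)

    # --- configuration commands ----------------------------------------
    def add_static(self, mac, vlan, port):
        """mac-address-table static <mac> vlan <vlan> interface <port>"""
        self.static[(vlan, mac)] = port
        self.dynamic.pop((vlan, mac), None)

    def remove_static(self, mac, vlan):
        self.static.pop((vlan, mac), None)

    def add_filtering(self, mac, vlan):
        """mac-address-table filtering <mac> vlan <vlan>"""
        self.filtering.add((vlan, mac))

    def clear_dynamic(self, port=None, vlan=None):
        """clear mac-address-table dynamic [interface <port>] [vlan <vlan>]"""
        for key, (p, _) in list(self.dynamic.items()):
            if (port is None or p == port) and (vlan is None or key[0] == vlan):
                self._remove_dynamic(key)

    # --- internals ------------------------------------------------------
    def _remove_dynamic(self, key):
        del self.dynamic[key]
        self.notifications.append(("removed", key[0], key[1]))

    def age(self):
        """Drop dynamic entries not refreshed within the aging time."""
        limit = self.now() - self.aging_time
        for key, (_, seen) in list(self.dynamic.items()):
            if seen < limit:
                self._remove_dynamic(key)

    # --- data plane -----------------------------------------------------
    def forward(self, in_port, vlan, src, dst):
        """Learn src on in_port; return the egress port, FLOOD or DROP for dst."""
        if in_port not in self.ports:
            raise ValueError("unknown port %r" % in_port)
        self.age()
        skey, dkey = (vlan, src), (vlan, dst)
        if skey in self.filtering or dkey in self.filtering:
            return DROP
        if skey not in self.static:
            if skey not in self.dynamic:
                self.notifications.append(("added", vlan, src))
            self.dynamic[skey] = (in_port, self.now())   # learn or refresh
        if dkey in self.static:
            out = self.static[dkey]
        elif dkey in self.dynamic:
            out = self.dynamic[dkey][0]
        else:
            return FLOOD
        return DROP if out == in_port else out
```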
Ruijie(config-if)# snmp trap mac-notification {added | removed}
    Enable the MAC address change notification on the interface. added: send a MAC address change notification when a MAC address is added on this interface. removed: send a MAC address change notification when an address is deleted.
Figure Typical Configuration Topology
Configurations
The following example shows how to configure the device:
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#mac-address-table static 00d0.f800.0001 vlan 1 interface GigabitEthernet 0/1
Ruijie(config)#mac-address-table static 00d0.f800.0002 vlan 1 interface GigabitEthernet 0/2...
Ruijie(config)#mac-address-table static 00d0.f800.0003 vlan 1 interface GigabitEthernet 0/3
The following example shows the device configurations:
Ruijie#show mac-address-table static
Vlan    MAC Address    Type    Interface
---------- -------------------- -------- -------------------
    00d0.f800.0001    STATIC    GigabitEthernet 0/1
    00d0.f800.0002    STATIC    GigabitEthernet 0/2
    00d0.f800.0003...
Like a physical network, a VLAN is usually connected to an IP subnet. A typical example is that all the hosts in the same IP subnet belong to the same VLAN. A layer 3 device must be used for communication between VLANs. Ruijie L3 devices can perform IP routing between VLANs through SVI (Switch Virtual Interfaces).
In privileged EXEC mode, you can create or modify a VLAN by executing the following commands.
Command    Function
Ruijie(config)# vlan vlan-id
    Enters a VLAN ID. If you enter a new VLAN ID, the device creates it. If you enter an existing VLAN ID, the device modifies the corresponding VLAN.
A trunk is a point-to-point link that connects one or more Ethernet switching interfaces to other network devices (for instance, a router or switch). A trunk can carry the traffic of multiple VLANs. The trunk encapsulation of Ruijie devices is 802.1Q-compliant. The following diagram shows a network connected with trunks.
Basic Trunk Port Configuration
In privileged EXEC mode, you can configure a trunk port by executing the following command.
Command    Function
Ruijie(config-if)# switchport mode trunk
    Configures the port as an L2 trunk port.
Ruijie(config-if)# switchport
    Specifies a native VLAN for the port.
Configuration Guide Configuring VLAN
Configuration Examples
Network Topology
Networking Requirements
As shown above, an intranet is divided into VLAN 10, VLAN 20 and VLAN 30 to achieve layer-2 isolation. The IP subnets corresponding to the three VLANs are 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24. The three VLANs are interconnected through the IP forwarding capability of the layer-3 core switch.
Ruijie(config)#interface GigabitEthernet 0/2
# Delete all vlans from the allowed vlan list of this port
Ruijie(config-if)#switchport trunk allowed vlan remove 1-4094
# Add vlan 10 and vlan 20 into the allowed vlan list of this port
Ruijie(config-if)#switchport trunk allowed vlan add 10,20...
# Delete all vlans from the allowed vlan list of this port
Ruijie(config-if)#switchport trunk allowed vlan remove 1-4094
# Add vlan 10, vlan 20 and vlan 30 into the allowed vlan list of this port
Ruijie(config-if)#switchport trunk allowed vlan add 10,20,30...
20    VLAN0020    STATIC    Gi0/2, Gi0/3, Gi0/4
30    VLAN0030    STATIC    Gi0/3, Gi0/4
# Display the vlan state of port Gi 0/2
Ruijie#show interface GigabitEthernet 0/2 switchport
Interface Switchport Mode Access Native Protected VLAN lists
-------- ---------- ----- ------ ------ --------- ---------
Gi0/2 enabled...
# Create SVI 20
Ruijie(config-if)#interface vlan 20
# Configure the IP address of SVI 20
Ruijie(config-if)#ip address 192.168.20.1 255.255.255.0
# Create SVI 30
Ruijie(config-if)#interface vlan 30
# Configure the IP address of SVI 30
Ruijie(config-if)#ip address 192.168.30.1 255.255.255.0...
# Add Gi 0/2-12 to VLAN 10
Ruijie(config-if)#switchport access vlan 10
# Enter the interface range of Gi 0/13-24
Ruijie(config-if)#interface range GigabitEthernet 0/13-24
# Configure Gi 0/13-24 as Access ports
Ruijie(config-if)#switchport mode access
# Add Gi 0/13-24 to VLAN 20...
Configuration Guide Configuring IP Address and Service
Configuring IP Address and Service
IP Address Configuration
IP Address Overview
An IP address is made up of 32 binary bits and is expressed in dotted decimal format for the convenience of writing and description.
An IP address whose highest four bits are 1111 is prohibited. This type of IP address, also called a Class E IP address, is reserved. When you build a network, you should plan IP addressing according to the real network environment. To connect the network to the Internet, you need to apply for IP addresses from a central authority, for example, the China Internet Network Information Center (CNNIC) in China.
To assign an IP address to an interface, execute the following commands in the interface configuration mode:
Command    Function
Ruijie(config-if)# ip address ip-address mask
    Assign an IP address to the interface.
Ruijie(config-if)# no ip address
    Remove the IP address configuration of the interface.
Theoretically, any bits of the host part of an IP address can be used in the subnet mask. Ruijie products only support contiguous subnet masks, that is, masks whose 1 bits run without gaps from the left, starting at the network ID.
ARP offers dynamic IP address to MAC address mapping. It is not necessary to configure ARP statically in most cases. By configuring ARP statically, Ruijie products can respond to ARP requests from other IP addresses. To configure static ARP, execute the following command in the global configuration mode:...
So far Ruijie products only support Ethernet II type ARP encapsulation, also known by the keyword ARPA.
Setting ARP Timeout
The ARP timeout applies only to dynamically learned IP address to MAC address mappings. The shorter the timeout, the more accurate the mapping table saved in the ARP cache, but the more network bandwidth ARP consumes.
Handling Broadcast Packets
A broadcast packet is destined for all hosts in a physical network. Ruijie products support two kinds of broadcast packets: directed broadcast and flooding. A directed broadcast packet is sent to all hosts in a specific network; the host ID portion of its destination IP address is all ones.
Establishing an IP Broadcast Address
Currently, the most popular form is a destination address consisting of all 1s (255.255.255.255). Ruijie products can be configured to generate any form of IP broadcast address and to receive any form of IP broadcast packet.
Ruijie# show ip arp
Ruijie# show ip interface [interface-type interface-number]
    Show the interface information.
Ruijie# show ip route [network [mask] ]
    Show the routing table.
Ruijie#show ip route
    Show the brief information of the routing table.
Ruijie# ping ip-address [length bytes] [ntimes times]
    Test network reachability.
Configure RIPv1. You can see the routes of 172.16.2.0/24 on router C and the routes of 172.16.1.0/24 on router D.
Configuration of the Routers:
RIPv1 does not support classless routes. This means masks are not carried in routing advertisements. 172.16.1.0/24 and 172.16.2.0/24, which belong to the same network, are separated by the Class C network 192.168.12.0/2.
ICMP host unreachable message. This feature is enabled by default. To enable this service, execute the following command in the interface configuration mode:
Command    Function
Ruijie(config-if)# ip unreachables
    Enable the ICMP protocol unreachable and host unreachable messages.
Occasionally, a network device needs to know the mask of a subnetwork in the Internet. To obtain this information, the device can send an ICMP mask request message, and the receiving device sends an ICMP mask reply message. Ruijie products can respond to ICMP mask request messages. This function is enabled by default.
Ruijie products allow you to adjust the MTU on an interface. Changing the MTU value can affect the IP MTU value; the IP MTU value is modified automatically to match the new MTU. However, changing the IP MTU value has no effect on the MTU value.
Configuration Guide Configuring TCP
Configuring TCP
Overview
The TCP module provides a reliable, connection-oriented, IP-based transport layer protocol for the application layer. The application layer sends data streams represented in 8-bit bytes to the TCP layer for Internet transmission, and the TCP layer divides the data streams into segments of proper size.
TCP session.
Command    Function
Ruijie(config)# ip tcp syntime-out seconds
    Change the timeout value for establishing a TCP session. Range: 5-300 seconds; default: 20. Use the no ip tcp syntime-out command to restore the default value.
...
Execute the following command to prohibit or restore the reset packet sent when a port-unreachable TCP packet is received.
Command    Function
Ruijie(config)# ip tcp not-send-rst
    Prohibit sending a reset packet when a port-unreachable TCP packet is received. Use the no ip tcp not-send-rst command to restore the default setting. This command only applies to IPv4 TCP.
Command    Function
Ruijie(config)# ip tcp path-mtu-discovery [ age-timer minutes | age-timer infinite ]
    Enable PMTU discovery. age-timer minutes: the time interval for further discovery after the PMTU is discovered. Range: 10-30 minutes. age-timer infinite: no further discovery after the PMTU is discovered.
This command does not apply to existing TCP sessions; it applies only to newly established TCP sessions.
Monitoring and Maintenance
Command    Function
Ruijie# show tcp connect
    Display basic information about the current TCP sessions.
Ruijie# show tcp pmtu
    Display information about TCP PMTU.
Ruijie# show tcp port
    Display information about the current TCP ports.
RFC 951 and RFC 1542.
Introduction to the DHCP Server
As specified in RFC 2131, the DHCP server of Ruijie is implemented to assign and manage IP addresses for DHCP clients. The following figure shows the DHCP operation process.
Figure DHCP operation process...
DHCPNAK packet to the DHCP client, initiating the address request process again. The advantages of using the DHCP server of Ruijie for network construction are:
Reduced network access cost. Generally, dynamic address assignment costs less than static address assignment.
Ruijie(config)# service dhcp
    Enables the DHCP server and the DHCP relay agent.
Ruijie(config)# no service dhcp
    Disables the DHCP server and the DHCP relay agent.
By default, in v10.1 and later, the command service dhcp is used for both the DHCP server and DHCP relay, which are two mutually exclusive functions.
You can give the DHCP address pool a meaningful name that is easy to remember. The name of an address pool consists of characters and digits. Ruijie products allow you to define multiple address pools. The IP address of the DHCP relay agent in the DHCP request packet is used to determine which address pool is used for address assignment.
Ruijie(config)# ip dhcp pool dhcp-pool
    pool configuration mode
The address pool configuration mode is shown as “Ruijie(dhcp-config)#”.
Configuring the Boot File for the DHCP Client
The boot image file is the one used when the client starts. The boot image file is often the operating system to be downloaded by the DHCP client.
Configuration Guide Configuring DHCP
Ruijie(dhcp-config)# lease {days [ hours ] [ minutes ] | infinite }
    Configures the address lease period.
Configuring the Domain Name of the DHCP Client
The domain name of the DHCP client can be specified. In this way, the domain name suffix is automatically added to an incomplete host name to form a complete host name when the DHCP client accesses network resources by host name.
The DHCP server checks the next address until it assigns a valid address. Network segments for which an address pool can be configured are added in Ruijie wireless products. You can specify the start address and end address; this configuration is optional.
[low-ip-address high-ip-address]
In the DHCP dynamic address pool of Ruijie products, addresses are assigned based on the physical address and client ID of a DHCP client, so there should not be two leases for the same DHCP client in the DHCP dynamic address pool.
Command    Function
Ruijie(dhcp-config)#ip dhcp used in wlan
    Configures the DHCP server to forcibly reply with a NAK packet. This command is disabled by default. When this command is enabled, you cannot enable multiple DHCP servers in one broadcast domain.
To configure manual address binding, execute the following commands in the address pool configuration mode:
Command    Function
Ruijie(config)# ip dhcp pool name
    Defines the name of the DHCP address pool and enters the DHCP configuration mode.
Ruijie(dhcp-config)# host address
    Defines an IP address for the DHCP client.
Configuring the DHCP Client on the Ethernet Interface
Ruijie products support obtaining an IP address dynamically assigned by the DHCP server on an Ethernet interface. To configure the DHCP client on the Ethernet port, execute the following command in the interface configuration mode:...
Configuring the DHCP Client on a Wireless Environment Ruijie wireless products support configuration of DHCP option mode on an AP to allow the AP to obtain an IP address from an AC via DHCP. Supported DHCP option modes include the standard mode and private mode. The standard mode uses CAPWAP AC DHCPv4 (Option 138) and CAPWAP AC DHCPv6 (Option 52);...
1. For option format definitions of Option 138 and Option 52, see RFC 5417.
2. For option format definitions of Option 43 and Option 60, see RFC 2132.
3. Ruijie APs support the following TLV format for Option 43 returned by the server:
Type: 0xf1
Length: Number of IP addresses of AC x 4
Value: IP address list of AC, stored in hexadecimal notation.
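The two ways an AP can receive its AC address list, built and parsed in Python as an added example (not code from the guide or from Ruijie): the standard Option 138 of RFC 5417 and the private Option 43 TLV of type 0xf1 described above. The option values are constructed, and treating the configured mode as consulting only its own option is an assumption of this example; a malformed option is rejected rather than partially trusted.

```python
"""Build and parse the AC address lists an AP receives via DHCP: Option 138
(RFC 5417, standard mode) and the Option 43 TLV of the private mode
(type 0xf1, length 4 x number of addresses, value the AC IPv4 addresses in
binary). Added illustration, not Ruijie code; option values are constructed.
"""
import ipaddress

OPTION_CAPWAP_AC_V4 = 138     # RFC 5417 CAPWAP AC DHCPv4 option
OPTION_VENDOR_SPECIFIC = 43   # RFC 2132 vendor-specific information
AC_LIST_TLV_TYPE = 0xF1       # TLV type for the AC list, from the guide


def encode_ac_list(addresses):
    """Pack IPv4 addresses back to back, as Option 138 carries them."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addresses)


def decode_ac_list(value):
    """One or more IPv4 addresses; the length must be a non-zero multiple of 4."""
    if len(value) == 0 or len(value) % 4:
        raise ValueError("AC list length %d is not a non-zero multiple of 4" % len(value))
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def build_option43(addresses):
    """Option 43 value carrying the AC list as a single TLV of type 0xf1."""
    value = encode_ac_list(addresses)
    if len(value) > 255:
        raise ValueError("too many AC addresses for one TLV")
    return bytes([AC_LIST_TLV_TYPE, len(value)]) + value


def parse_option43(data):
    """Walk the TLVs inside an Option 43 value and return {type: value}."""
    tlvs = {}
    i = 0
    while i < len(data):
        if data[i] == 0xFF:            # end marker (RFC 2132 encapsulation)
            break
        if data[i] == 0x00:            # pad byte
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        tlv_type, length = data[i], data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("TLV type 0x%02x runs past the end of the option" % tlv_type)
        tlvs[tlv_type] = data[i + 2:i + 2 + length]
        i += 2 + length
    return tlvs


def ac_addresses_from_options(options, mode="standard"):
    """options maps DHCP option code -> raw value. In standard mode only
    Option 138 is consulted, in private mode only the 0xf1 TLV of Option 43
    (assumption for this example). Returns [] when the option is absent."""
    if mode == "standard":
        raw = options.get(OPTION_CAPWAP_AC_V4)
        return decode_ac_list(raw) if raw is not None else []
    if mode == "private":
        raw = options.get(OPTION_VENDOR_SPECIFIC)
        if raw is None:
            return []
        tlv = parse_option43(raw).get(AC_LIST_TLV_TYPE)
        return decode_ac_list(tlv) if tlv is not None else []
    raise ValueError("unknown DHCP option mode %r" % mode)
```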
Command    Function
Ruijie# clear ip dhcp binding { address | *}
    Clears the DHCP address binding information.
Ruijie# clear ip dhcp conflict { address | *}
    Clears the DHCP address conflict information.
Ruijie# clear ip dhcp server statistics
    Clears the DHCP server statistics.
Ruijie# debug ip dhcp client
    Debugs the DHCP client.
To show information about the lease that the DHCP client obtains, execute the following command in the command execution mode:
Command    Function
Ruijie# show dhcp lease
    Shows the information about the DHCP lease.
netbios-node-type h-node
lease 30
Manual Binding Configuration Example
In the following example, a DHCP client with MAC address 00d0.df34.32a3 is allocated the IP address 172.16.1.101, the mask 255.255.255.0, the host name Billy.rg.com, the default gateway 172.16.1.254, the WINS server 172.16.1.252, and the NetBIOS node type compound.
Configuration Guide Configuring DHCP Relay
Configuring DHCP Relay
Understanding DHCP
The DHCP protocol is widely used to dynamically allocate reusable network resources, for example, IP addresses. The DHCP client sends the DHCP DISCOVER packet as a broadcast to the DHCP server. After the DHCP server receives the DHCP DISCOVER packet, it allocates resources such as an IP address to the DHCP client according to the appropriate policy, and sends the DHCP OFFER packet.
Configuring the DHCP Relay Agent
To configure the DHCP relay agent, execute the following commands in the global configuration mode:
Command    Function
Ruijie(config)# service dhcp
    Enables the DHCP agent.
Ruijie(config)# no service dhcp
    Disables the DHCP agent.
Configuring the IP Address of the DHCP Server
After you have configured the IP address of the DHCP server, the DHCP request messages received by the device are forwarded to it.
global ] A.B.C.D
    This command must be set on the layer 3 interface.
Ruijie(config)# no IP helper-address [ vrf { vrf-name } | global ] A.B.C.D
    Deletes the globally configured IP address of the DHCP server.
Ruijie(config-if)# no IP helper-address [ vrf { vrf-name } | global ] A.B.C.D
    Deletes the IP address of the DHCP server configured on...
Ruijie(config)# no ip dhcp relay information option vpn
    Disables the DHCP Aware VRF function.
Configuring DHCP relay check server-id
After the ip dhcp relay check server-id command is configured, the device parses the DHCP SERVER-ID option upon receiving a DHCP packet to relay.
//Add an IP address globally
Ruijie(config)# interface GigabitEthernet 0/3
Ruijie(config-if)# ip helper-address 192.18.200.1 //Add an IP address on the interface
Ruijie(config-if)# ip helper-address 192.18.200.2 // Add an IP address on the interface
Ruijie(config-if)# end
Other Precautions on DHCP Relay Configuration
For layer 2 network devices, you must enable at least one of the option dot1x, dynamic address binding and option82 functions when the cross-management VLAN relay function is required.
vlan 1
ip helper-address 192.18.100.1
ip helper-address 192.18.100.2
ip dhcp relay information option dot1x
interface GigabitEthernet 0/1
interface GigabitEthernet 0/2
interface GigabitEthernet 0/3
 no switchport
 ip helper-address 192.168.200.1
 ip helper-address 192.168.200.2
interface VLAN 1
 ip address 192.168.193.91 255.255.255.0
line con 0
 exec-timeout 0 0
line vty 0...
login
Typical DHCP Relay Configuration Example
Topological Diagram
Figure 1-2 Diagram for DHCP Relay configuration
Application Requirements
As shown above, Switch C and Switch D are access devices connecting PC users belonging to VLAN 10 and VLAN 20.
On Switch C and Switch D, configure the VLAN to which the corresponding ports belong, so that an access PC acquires a dynamic IP address once connected.
Configuration Steps
Step 1: Configure DHCP Server.
! In global mode, create a DHCP address pool named "vlan10" on Switch A, with the corresponding IP network segment 192.168.1.0/24 and the network gateway address 192.168.1.1.
SwitchA(config-if-GigabitEthernet 0/1)#no switchport
SwitchA(config-if-GigabitEthernet 0/1)#ip address 10.1.1.2 255.255.255.0
SwitchA(config-if-GigabitEthernet 0/1)#exit
! On Switch B, configure port Gi 0/1 as the Route Port, with corresponding IP address 10.1.1.3/24.
SwitchB(config)#interface gigabitEthernet 0/1
SwitchB(config-if)#no switchport
SwitchB(config-if)#ip address 10.1.1.3 255.255.255.0
SwitchB(config-if)#exit
! Configure default route on Switch A
SwitchA(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.3...
! On Switch B, globally configure the address of the DHCP server as 10.1.1.2 and enable DHCP Server.
SwitchB(config)#ip helper-address 10.1.1.2
SwitchB(config)#service dhcp
Step 5: Configure layer-2 communication between Switch B and Switch C/D.
! On Switch B, configure ports Gi 0/2 and Gi 0/3 as the Trunk Port.
SwitchB(config)#interface range gigabitEthernet 0/2-3
SwitchB(config-if-range)#switchport mode trunk
! Configure port Fa 0/1 of Switch C and Switch D as the Trunk Port.
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
interface GigabitEthernet 0/1
 no switchport
 no ip proxy-arp
 ip address 10.1.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.3
! Configurations of Switch B
SwitchB#show running-config
vlan 10
vlan 20
service dhcp
ip helper-address 10.1.1.2
interface GigabitEthernet 0/1
 no switchport...
 no ip proxy-arp
 ip address 10.1.1.3 255.255.255.0
interface GigabitEthernet 0/2
 switchport mode trunk
interface GigabitEthernet 0/3
 switchport mode trunk
interface VLAN 10
 no ip proxy-arp
 ip address 192.168.1.1 255.255.255.0
interface VLAN 20
 no ip proxy-arp
 ip address 192.168.2.1 255.255.255.0
Step 2: Connect two PCs to the ports belonging to VLAN 10 and VLAN 20 and verify dynamic IP address allocation.
Configuration Guide Configuring DHCP Snooping
Configuring DHCP Snooping
Overview
Understanding DHCP
The DHCP protocol is widely used to dynamically allocate reusable network resources, for example, IP addresses. A typical IP acquisition process using DHCP is shown below:
The DHCP client sends a DHCP DISCOVER broadcast packet to the DHCP server. The client sends the DHCP DISCOVER again if it does not receive a response from the server within a specified time.
Configuration Guide Configuring DHCP Snooping forwards only the DHCP reply packets received through the TRUST port while discarding all the DHCP reply packets from the UNTRUST port. In this way, the illegal DHCP Server can be shielded by setting the port connected to the legal DHCP Server as a TRUST port and other ports as UNTRUST ports.
Configuration Guide Configuring DHCP Snooping DHCP Snooping Related Security Functions In a DHCP-enabled network, a common problem for administrators is that some users configure private (static) IP addresses rather than obtaining addresses dynamically. Such addresses can conflict with addresses in the DHCP pool, so users with dynamically assigned addresses lose network access and network operation becomes more complex.
Command Function Ruijie# configure terminal Enter the global configuration mode. Ruijie(config)# [no] ip dhcp snooping Enable or disable DHCP snooping. The following example demonstrates how to enable the DHCP snooping function of the device: Ruijie# configure terminal Ruijie(config)# ip dhcp snooping Ruijie(config)# end DHCP Snooping and the Private VLAN function cannot be enabled at the same time.
The following example shows how to enable the DHCP source MAC address check function: Ruijie# configure terminal Ruijie(config)# ip dhcp snooping verify mac-address Ruijie(config)# end Configuring DHCP Snooping Information Option By default, this function is disabled. After this command is configured, DHCP Snooping inserts Option 82 (the relay agent information option) into every DHCP request packet it forwards and removes it from every reply packet before the reply is forwarded to the client.
The following example sets the interval at which the switch writes the DHCP Snooping binding database to flash to 3600 seconds: Ruijie# configure terminal Ruijie(config)# ip dhcp snooping database write-delay 3600 Ruijie(config)# end Choose a reasonable write interval: erasing and writing flash frequently shortens its life.
Page 295
Configuring DHCP Snooping The following example demonstrates how to write the DHCP Snooping binding database to the flash: Ruijie# configure terminal Ruijie(config)# ip dhcp snooping database write-to-flash Ruijie(config)# end Configuring a Port as a TRUST Port By default, all the ports are UNTRUST ports. After configuring this command, a port is set as the TRUST port and connected to the legal DHCP server.
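The trust-port, source-MAC and binding-table behaviour described in this section can be hard to picture from the commands alone. The following is an added example (it is not RGOS code and not taken from this guide) that models those three checks in Python: server replies are accepted only on TRUST ports, the source-MAC check compares the Ethernet source with the DHCP chaddr field, and bindings learned from ACKs are rendered in the layout of `show ip dhcp snooping binding`. The packets replayed in `demo()` are constructed for the example; the port and MAC values mirror the ones shown in this guide.

```python
"""Model of the DHCP snooping checks (added example, not RGOS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# DHCP message types (RFC 2132 option 53) used in this example
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}


@dataclass
class DhcpPacket:
    in_port: str        # port the frame arrived on
    vlan: int
    src_mac: str        # Ethernet source MAC
    chaddr: str         # client hardware address in the DHCP payload
    msg_type: int
    yiaddr: str = ""    # address offered/assigned by the server
    lease: int = 0      # lease time in seconds


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str


@dataclass
class DhcpSnooping:
    trusted_ports: set = field(default_factory=set)
    verify_mac: bool = True                     # ip dhcp snooping verify mac-address
    bindings: Dict[str, Binding] = field(default_factory=dict)
    # client MAC -> (port, vlan) remembered from the client's own request
    _clients: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def process(self, pkt: DhcpPacket) -> Optional[str]:
        """Return None when the packet is forwarded, otherwise the drop reason."""
        if pkt.msg_type in SERVER_MESSAGES:
            # Server replies are accepted only from a TRUST port; a reply arriving
            # on an UNTRUST port comes from a rogue server and is discarded.
            if pkt.in_port not in self.trusted_ports:
                return "server reply received on untrusted port"
            if pkt.msg_type == ACK and pkt.chaddr in self._clients:
                port, vlan = self._clients[pkt.chaddr]
                self.bindings[pkt.chaddr] = Binding(pkt.chaddr, pkt.yiaddr, pkt.lease, vlan, port)
            return None
        # Client messages on untrusted ports: the source-MAC check drops requests
        # whose Ethernet source does not match the chaddr field.
        if pkt.in_port not in self.trusted_ports:
            if self.verify_mac and pkt.src_mac != pkt.chaddr:
                return "source MAC does not match DHCP chaddr"
            self._clients[pkt.chaddr] = (pkt.in_port, pkt.vlan)
        return None

    def is_valid_source(self, mac: str, ip: str, port: str) -> bool:
        """Binding-table check: does (MAC, IP) on this port match a learned lease?
        A host that configured a private static address has no binding and fails."""
        b = self.bindings.get(mac)
        return b is not None and b.ip == ip and b.interface == port

    def show_binding(self) -> str:
        """Render the table in the layout of 'show ip dhcp snooping binding'."""
        lines = [f"Total number of bindings: {len(self.bindings)}",
                 "MacAddress         IpAddress       Lease(sec)   Type          VLAN  Interface"]
        for b in self.bindings.values():
            lines.append(f"{b.mac:<18} {b.ip:<15} {b.lease:<12} {'dhcp-snooping':<13} {b.vlan:<5} {b.interface}")
        return "\n".join(lines)


def demo() -> DhcpSnooping:
    """Replay one lease through the model; Gi 0/1 is the uplink to the real server."""
    sw = DhcpSnooping(trusted_ports={"GigabitEthernet 0/1"})
    client = "001b.241e.6775"
    # 1. client DISCOVER/REQUEST on an access port (constructed packets)
    sw.process(DhcpPacket("GigabitEthernet 0/5", 1, client, client, DISCOVER))
    sw.process(DhcpPacket("GigabitEthernet 0/5", 1, client, client, REQUEST))
    # 2. a rogue server answering on another access port is dropped
    dropped = sw.process(DhcpPacket("GigabitEthernet 0/7", 1, "00aa.bbcc.ddee", client, OFFER, "10.0.0.5", 600))
    assert dropped is not None
    # 3. the legitimate server's ACK arrives on the trusted uplink and creates a binding
    sw.process(DhcpPacket("GigabitEthernet 0/1", 1, "0000.5e00.0101", client, ACK, "192.168.12.9", 863996))
    return sw


if __name__ == "__main__":
    print(demo().show_binding())
```

The binding table is what makes the source check in `is_valid_source` possible: a host that never completed a DHCP exchange through a trusted port has no entry, which is exactly the "private IP address" case the guide warns about.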
Configuration Guide Configuring DHCP Snooping Ruijie# clear ip dhcp snooping binding Showing DHCP Snooping Configuration Showing DHCP Snooping To show DHCP Snooping, execute the following command: Command Function Ruijie# show ip dhcp snooping Show the configuration of DHCP snooping. For example:...
Configuration Guide Configuring DHCP Snooping For example: Ruijie# show ip dhcp snooping binding Total number of bindings: 1 MacAddress IpAddress Lease(sec) Type VLAN Interface ------------------ --------------- ------------ ------------- ----- -------------------- 001b.241e.6775 192.168.12.9 863996 dhcp-snooping 1 GigabitEthernet 0/5 Typical Configuration Example of DHCP Snooping...
Ruijie(config)#ip dhcp snooping Configure the uplink port as the trusted port. Ruijie(config)#interface gigabitEthernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#ip dhcp snooping trust Displaying Verifications Check the configuration for the Switch B. Key points: whether the DHCP Snooping function is enabled or not, whether the trusted port configured is the uplink port.
Rate limit (pps) ------------------------ ------- ---------------- GigabitEthernet 0/1 unlimited Display the information about the DHCP Snooping binding database. Ruijie#show ip dhcp snooping binding Total number of bindings: 1 MacAddress IpAddress Lease(sec) Type VLAN Interface ------------------ --------------- ------------ ------------- ----- -------------------- 0013.2049.9014...
Domain name resolution (host name resolution) is the process by which the device obtains the IP address that corresponds to a host name. Ruijie switches support host name resolution from a local table or through DNS. When resolving a domain name, the device first uses the static (local) method and, if that fails, falls back to the dynamic (DNS) method.
You can build the host name mapping table in two ways: manual configuration and dynamic learning. Configure the mapping table manually if dynamic learning is not available.
Command Function
Ruijie(config)# ip host host-name ip-address | Configures a host name (up to 255 characters) to IP address mapping manually.
WLAN-based IP addresses of legal DNS servers, instead of being matched with the global DNS white list.
Command Function
Ruijie(config)# ip name-server white-list [ wlan wlan-id ] enable | Enables the DNS white list check function. If no legal DNS server is configured, all DNS packets are filtered.
This section describes how to display configuration information related to the DNS white list.
Command Function
Ruijie# show ip name-server white-list [ wlan wlan-id ] | Displays configuration information related to the DNS white list.
Ruijie# show ip name-server white-list white-list check: enable...
Configuring DNS white-list name-server: 192.168.5.134 192.168.5.135 Application Example Ping the host with the specified domain name: Ruijie# ping www.ietf.org Resolving host[www.ietf.org]…… Sending 5,100-byte ICMP Echos to 192.168.5.123, timeout is 2000 milliseconds. !!!!! Success rate is 100 percent(5/5) Minimum = 1ms Maximum = 1ms, Average = 1ms...
Configuration Guide Configuring SNTP Configuring SNTP Overview Network Time Protocol (NTP) is designed for time synchronization among network devices. Another protocol, the Simple Network Time Protocol (SNTP), can also be used to synchronize network time. NTP runs on many platforms and operating systems, computes time precisely (1-50 ms precision), and compensates for network latency and jitter.
T3: Time at which the server sends the reply (server clock), marked "Transmit Timestamp"; T4: Time at which the client receives the reply (client clock), marked "Destination Timestamp". T: Clock offset between the server and the client; d: Round-trip delay between the server and the client. The following formula calculates the time: ∵...
Show the current configuration: Ruijie# show running-config Save the configuration: Ruijie# copy running-config startup-config To disable SNTP, use the no sntp enable command. Configuring the IP Address of the SNTP Server The SNTP client is fully interoperable with NTP servers because SNTP and NTP use the same packet format. Many NTP servers are available on the network; choose one with low latency.
Show the current configuration: Ruijie# show running-config Save the configuration: Ruijie# copy running-config startup-config Configuring the SNTP Synchronization Interval To keep the clock adjusted, set the interval at which the SNTP client regularly polls the NTP server.
"-8" indicates UTC-8 (8 hours west of Greenwich) and "0" indicates Greenwich Mean Time. Universal Time Coordinated (UTC) is the default time zone name and the default offset is 0. Ruijie(config)# clock timezone <time-zone> Return to privileged mode: Ruijie(config)# end...
Ruijie switches support the NTP client and server. That is, the switch can synchronize the time from the time server and work as the time server (only in unicast server mode) to synchronize the time of other switches.
[ enc-type ] The global authentication key takes effect only after it is also configured as a global trusted key. The current Ruijie NTP version supports up to 1024 authentication keys, but only one key can be associated with each server for authenticated communication.
Configuring the NTP Server No NTP server is configured by default. The Ruijie client can interact with up to 20 NTP servers simultaneously, and one authentication key can be specified per server; authenticated communication with that server starts once the global authentication and key settings are complete.
Configuration Guide Configuring NTP The NTP client can start authenticated communication with an NTP server only when global authentication is enabled, the key is configured, and the key used for that server is marked as trusted. The NTP server must hold the same key (same key ID and value). Note that NTP symmetric-key authentication proves the origin and integrity of time packets; it does not encrypt them.
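What the trusted key actually does on the wire, as an added example in Python (not RGOS code): the authenticator appended to an NTP packet is the 4-byte key ID followed by MD5 over the key concatenated with the 48-byte packet, the symmetric-key scheme of RFC 5905 Appendix A. The receiver accepts the packet only if the key ID is in its trusted set and the digest matches, which is why both sides need the same key ID and value. Key ID 6 and key `helloworld` are the values from this guide's configuration example; the packet bytes and function names are constructed here. MD5 is shown because that is what the guide configures; RFC 8573 recommends AES-CMAC where both ends support it.

```python
"""NTP symmetric-key (MD5) authentication (added example, not RGOS code)."""
import hashlib
import hmac
import struct
from typing import Dict, Set

HEADER_LEN = 48   # NTP packet header without MAC
MAC_LEN = 4 + 16  # key ID + MD5 digest


def build_client_packet(transmit_ts: int = 0) -> bytes:
    """Minimal NTPv4 client header: LI=0, VN=4, Mode=3; other fields zero."""
    first = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision, then 11 32-bit words (delay, dispersion,
    # reference ID and four 64-bit timestamps); only the transmit word is set
    return struct.pack("!B3b11I", first, 0, 0, 0, *([0] * 10), transmit_ts)


def ntp_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """Authenticator: key ID (big-endian) + MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return struct.pack("!I", key_id) + digest


def sign(packet: bytes, key_id: int, keys: Dict[int, bytes]) -> bytes:
    """Client side: append the MAC computed with the configured key."""
    return packet + ntp_mac(key_id, keys[key_id], packet)


def verify(msg: bytes, keys: Dict[int, bytes], trusted: Set[int]) -> bool:
    """Server side: right length, trusted key ID, matching digest."""
    if len(msg) != HEADER_LEN + MAC_LEN:
        return False
    packet, mac = msg[:HEADER_LEN], msg[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    # 'ntp trusted-key' is the set that matters here: a configured but
    # untrusted key ID is rejected even if the digest would match
    if key_id not in trusted or key_id not in keys:
        return False
    expected = hashlib.md5(keys[key_id] + packet).digest()
    return hmac.compare_digest(expected, mac[4:])


if __name__ == "__main__":
    keys = {6: b"helloworld"}          # ntp authentication-key 6 md5 helloworld
    msg = sign(build_client_packet(0x12345678), 6, keys)
    print("accepted:", verify(msg, keys, {6}), "untrusted:", verify(msg, keys, set()))
```

`hmac.compare_digest` avoids a timing side channel when comparing digests; a plain `==` would leak how many leading bytes of a forged digest were correct.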
Disables NTP real-time synchronization. no ntp synchronization By default, the Ruijie client synchronizes every 30 minutes. Configuring a new server triggers an immediate synchronization, and so does running this command within the synchronization interval.
Configuration Guide Configuring NTP Command Function Configures the update-calendar. ntp update-calendar Disables the update-calendar. no ntp update-calendar The update-calendar is not configured by default. After configuration, the NTP client updates the calendar when the time synchronization of external clock source is successful. It is recommended to enable this function for keeping the accurate calendar.
The following example gives the peers matched by ACL 1 full access (time requests, control queries and synchronization with the local device) and restricts the peers matched by ACL 2 to requesting time from the local device only. Ruijie(config)# ntp access-group peer 1 Ruijie(config)# ntp access-group serve-only 2...
Configuration Guide Configuring NTP Ruijie# show ntp status Clock is synchronized, stratum 9, reference is 192.168.217.100 nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18 reference time is AF3CF6AE.3BF8CB56 (20:55:10.000 UTC Mon Mar 1 1993) clock offset is 32.97540 sec, root delay is 0.00000 sec root dispersion is 0.00003 msec, peer dispersion is 0.00003 msec...
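Two pieces of arithmetic behind this output and the T1..T4 definitions in the SNTP section, as an added example in Python (not RGOS code): the standard SNTP clock-offset and round-trip-delay formulas from RFC 4330, and the 64-bit NTP timestamp that `show ntp status` prints in hex (`AF3CF6AE.3BF8CB56`). NTP counts seconds from 1 January 1900, so converting to a calendar time means adding the integer seconds and the 32-bit binary fraction to that epoch. The function names and the sample T1..T4 values are constructed for the example; the hex timestamps are the ones printed in this guide.

```python
"""NTP/SNTP timestamp arithmetic (added example, not RGOS code)."""
from datetime import datetime, timedelta, timezone
from typing import Tuple

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
NTP_TO_UNIX = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """RFC 4330: T1 originate, T2 receive, T3 transmit (server), T4 destination.

    offset = ((T2 - T1) + (T3 - T4)) / 2   clock difference server - client
    delay  = (T4 - T1) - (T3 - T2)          round trip minus server processing
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def ntp_hex_to_datetime(ts: str) -> datetime:
    """Parse the 'SSSSSSSS.FFFFFFFF' hex form of a 64-bit NTP timestamp.

    Assumes NTP era 0; the 32-bit seconds field wraps in February 2036, after
    which a real implementation must disambiguate the era.
    """
    sec_hex, frac_hex = ts.split(".")
    seconds = int(sec_hex, 16)
    fraction = int(frac_hex, 16) / 2 ** 32
    return NTP_EPOCH + timedelta(seconds=seconds + fraction)


def ntp_to_unix(ts: str) -> float:
    """Seconds since the Unix epoch for the same hex timestamp."""
    sec_hex, frac_hex = ts.split(".")
    return int(sec_hex, 16) - NTP_TO_UNIX + int(frac_hex, 16) / 2 ** 32


def datetime_to_ntp_hex(dt: datetime) -> str:
    """Inverse of ntp_hex_to_datetime (fraction rounded to microseconds)."""
    delta = dt - NTP_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    fraction = int(delta.microseconds / 1e6 * 2 ** 32)
    return "%08X.%08X" % (seconds & 0xFFFFFFFF, fraction)


if __name__ == "__main__":
    print(ntp_hex_to_datetime("AF3CF6AE.3BF8CB56"))   # 1993-03-01 20:55:10 UTC
    print(offset_and_delay(100.0, 110.0, 111.0, 102.0))  # (9.5, 1.0)
```

A clock offset of 32.9 seconds, as in the output above, is far larger than the 1-50 ms precision the overview promises; an offset that size on a synchronized client usually means the server itself is wrong or the path is asymmetric, and is worth checking before the client steps its clock.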
Configuration Guide Configuring NTP The hardware clock of Host B shall be synchronized as well. Configuration Tips NTP server Generally, the local system synchronizes directly or indirectly with external clock sources. If the network connection fails, the local system may be unable to synchronize with external clock sources. In this case, use the ntp master command to configure the local clock as the NTP master so that it can serve time to other devices.
Configuration Guide Configuring NTP ! Verify the NTP status of client before synchronization. HostB(config)#show ntp status Clock is unsynchronized, stratum 16, no reference clock nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**0 reference time is 0.0 (00:00:00.000 UTC Thu, Jan 1, 1970) clock offset is 0.00000 sec, root delay is 0.00000 sec root dispersion is 0.00000 msec, peer dispersion is 0.00000 msec The output shows that the time hasn't been synchronized.
Configuration Guide Configuring NTP Configuring NTP Client or Server Mode with Authentication Topological Diagram NTP client/server model Application Requirements On Host A, the local clock is configured as the NTP master clock with stratum 12; Host B is configured as the NTP client with Host A as its NTP server; authentication is enabled to prevent unauthorized devices from impersonating the clock server or tampering with time packets.
Configuration Guide Configuring NTP HostA(config)# ntp authentication-key 6 md5 helloworld ! Specify 6 as the NTP global trusted key ID HostA(config)# ntp trusted-key 6 Configuration of the NTP client Step 1: Configure NTP authentication; ! Enable NTP global authentication. HostB(config)# ntp authenticate ! Configure NTP global authentication key as helloworld and the corresponding key ID as 6.
Configuration Guide Configuring NTP ntp master 12 Verify the configurations of NTP client. Key points: the IP address and key ID of NTP server, and authentication related configurations. HostB #show run interface fastEthernet 0/2 ip address 1.1.1.20 255.255.255.0 ntp authentication-key 6 md5 141a4f012d1d3c23174905 7 ntp authenticate ntp trusted-key 6 ntp server 1.1.1.1 key 6...
Configuration Guide Configuring NTP root dispersion is 0.00002 msec, peer dispersion is 0.00002 msec Verify NTP client status. Key points: the NTP server address and stratum. HostB# show ntp status Clock is synchronized, stratum 13, reference is 1.1.1.1 nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24 reference time is CE5212A1.E5D712A0 (11:40:17.000 UTC Wed, Sep 9, 2009) clock offset is -0.00005 sec, root delay is 0.00000 sec root dispersion is 0.00002 msec, peer dispersion is 0.00002 msec...
Configuration Guide Configuring FTP Server Configuring FTP Server Overview You can configure a device as an FTP server. You can then connect to it from an FTP client and upload or download files with the FTP protocol. The FTP server lets you retrieve files, such as the syslog file, from the device, and copy files directly into the device's file system.
Function Ruijie(config)# ftp-server enable Enable the FTP Server. Ruijie(config)# no ftp-server enable Disable the FTP Server. Only one client can be connected to the FTP server at a time. Until the client currently being served disconnects, no other client can connect to the FTP server. Note that FTP carries user names, passwords and file contents in cleartext, so enable the server only on a trusted management network and only for as long as it is needed.
PC while prohibiting the FTP client from accessing files outside the "/syslog" directory, configure the top directory as follows: Ruijie(config)# ftp-server topdir /syslog After this configuration, the FTP client can access only the files and subdirectories under "/syslog". Because of the top directory limit, the FTP client cannot change to the parent directory of "/syslog"...
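The top-directory restriction only holds if the server canonicalises every client-supplied path before comparing it with the top directory. The following added example (Python, not RGOS code) shows the check an FTP server has to perform: resolve the request against the session's working directory, normalise `.`, `..` and repeated slashes, and then confirm the result is the top directory itself or strictly below it. The topdir value `/syslog` is the one from this guide; the function names are ours.

```python
"""Path confinement for an FTP top directory (added example, not RGOS code)."""
import posixpath


def resolve_ftp_path(topdir: str, cwd: str, requested: str) -> str:
    """Return the absolute, normalised path for an FTP client request.

    Raises PermissionError if the result would escape `topdir`. A plain
    string-prefix test ('/syslog' in path) is not enough: it accepts
    '/syslogs/x' and '/syslog/../config.text', both rejected here.
    """
    topdir = posixpath.normpath("/" + topdir.strip("/"))
    # relative requests are resolved against the session's working directory
    candidate = requested if requested.startswith("/") else posixpath.join(cwd, requested)
    resolved = posixpath.normpath(candidate)
    # confinement: equal to topdir, or below it with a path separator in between
    if resolved != topdir and not resolved.startswith(topdir.rstrip("/") + "/"):
        raise PermissionError(f"{requested!r} escapes top directory {topdir}")
    return resolved


def is_allowed(topdir: str, cwd: str, requested: str) -> bool:
    """Boolean form of the same check, for callers that just need yes/no."""
    try:
        resolve_ftp_path(topdir, cwd, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for req in ("a.log", "sub/../b.log", "..", "/syslog/../config.text", "/syslogs/x"):
        print(f"{req!r:28} -> {is_allowed('/syslog', '/syslog', req)}")
```

With the default top directory `/`, every normalised path is accepted, which is exactly why the guide recommends narrowing it to `/syslog` when the only purpose of the server is log retrieval.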
Ruijie(config)# ftp-server username username Sets the user name. Ruijie(config)# no ftp-server username Removes the user name configuration. Ruijie(config)# ftp-server password [ type ] password Sets the password. Ruijie(config)# no ftp-server password Removes the password configuration. A user name consists of up to 64 characters: English letters, half-width digits and half-width symbols, with no spaces.
Configuration Guide Configuring FTP Server Ruijie# no debug ftpserver Turns off the debugging of the FTP Server. The following example shows the status information of the FTP Server: Ruijie# show ftp-server ftp-server information ======================================= enable : Y topdir : /...
Configure session timeout timer as 5 minutes; Configure the top directory of server as "/syslog"; Enable FTP server; Configuration Steps # Configure SwitchA as the FTP Server Step 1: Configure the username and password for server login as "admin" and "ruijie" respectively Ruijie#configure...
Configuration Guide Configuring FTP Server Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#ftp-server username admin Ruijie(config)#ftp-server password ruijie Step 2: Configure session timeout timer as 5 minutes Ruijie(config)#ftp-server timeout 5 Step 3: Configure the top directory of server as "/syslog";...
Configuration Guide Configuring FTP Server passive data connection : N Step 2: Debug the FTP server Ruijie# debug ftpserver FTPSRV_DEBUG:(RECV) SYST FTPSRV_DEBUG:(REPLY) 215 RGOS Type: L8 FTPSRV_DEBUG:(RECV) PORT 192,167,201,82,7,120 FTPSRV_DEBUG:(REPLY) 200 PORT Command okay.
Configuration Guide Configuring UDP-Helper Configuring UDP-Helper Understanding UDP-Helper Overview UDP-Helper relays and forwards User Datagram Protocol (UDP) broadcast packets. As a relay, UDP-Helper can convert the UDP broadcast packets into the unicast packets and then forward them to the specified destination server by configuring the destination server for the UDP broadcast packets to be forwarded.
Command Function
Ruijie(config-if)# ip helper-address IP-address | Configures the destination server to which UDP broadcast packets are relayed and forwarded. Not configured by default. To remove the destination server for relay and forwarding, use the no ip helper-address command.
Ruijie(config)# ip forward-protocol udp [ port ] | Configures the UDP port for relay and forwarding. If only the udp keyword is specified, the default ports are used for relay and forwarding; otherwise, a specific port can be configured as needed. When UDP-Helper is enabled, broadcast packets to UDP ports 69 (TFTP), 53 (DNS), 37 (Time), 137 (NetBIOS name service), 138 (NetBIOS datagram service) and 49 (TACACS) are relayed and forwarded by default.
Step 2: Configure the IP address for the destination server of UDP-Helper relay forwarding as 30.1.1.2 on fastEthernet 1/1. Ruijie(config)# interface fastEthernet 1/1 Ruijie(config-if-VLAN 10)#ip address 10.1.1.1 255.255.255.0 Ruijie(config-if-VLAN 10)# ip helper-address 30.1.1.2 Ruijie(config-if-VLAN 10)#exit Step 3: Configure the Switch to forward UDP broadcast packets carrying the destination port number 1000.
Configuration Guide Configuring UDP-Helper Ruijie(config)#ip forward-protocol udp 1000 Verification Verify the configuration of the switch. Key points: whether relay forwarding is enabled; the IP address of the relay server; the destination port number carried in UDP broadcast packets that require relay forwarding. Ruijie#show run...
Configuration Guide Configuring UDP-Helper Dst_ip:255.255.255.255 Dst_port:999 PC2 acts as UDP-Helper server. Such packet is not received on PC2. Step 2: Send UDP broadcast packets carrying the destination port number of 1000. PC1 sends a UDP broadcast packet of the following format: Src_mac:0000.0000.0001 Dst_mac:0xFFFFFFFFFFFF Src_ip:1.0.0.3...
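The verification above (port 999 not relayed, port 1000 relayed after `ip forward-protocol udp 1000`) can be reproduced end to end in software. The following added example (Python, not RGOS code) builds an IPv4/UDP limited-broadcast datagram, applies the UDP-Helper decision (UDP, destination 255.255.255.255, destination port in the relayed set, TTL not expired) and emits one unicast copy per helper address with the destination rewritten. Because the destination address is part of the UDP pseudo-header, both the IPv4 header checksum and the UDP checksum are recomputed; a relay that forgets the second one produces datagrams the server's stack silently drops. The default port set is the one listed in this guide; addresses come from the guide's example; the datagram bytes are constructed here.

```python
"""UDP-Helper relay of a limited-broadcast datagram (added example, not RGOS code)."""
import ipaddress
import struct
from typing import List, Set

DEFAULT_PORTS = {69, 53, 37, 137, 138, 49}   # TFTP, DNS, Time, NetBIOS-NS, NetBIOS-DGM, TACACS
LIMITED_BROADCAST = b"\xff\xff\xff\xff"
UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071): complemented 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, UDP, len(segment))
    csum = ones_complement_sum(pseudo + segment[:6] + b"\x00\x00" + segment[8:])
    return csum or 0xFFFF          # a computed 0 is transmitted as 0xFFFF


def build_udp_datagram(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                       payload: bytes, ttl: int = 64) -> bytes:
    """Constructed IPv4+UDP datagram (no Ethernet header) for the example."""
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    segment = segment[:6] + struct.pack("!H", udp_checksum(src, dst, segment)) + segment[8:]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, ttl, UDP, 0, src, dst)
    header = header[:10] + struct.pack("!H", ones_complement_sum(header)) + header[12:]
    return header + segment


def relay(datagram: bytes, helper_addresses: List[str], ports: Set[int]) -> List[bytes]:
    """Return one unicast copy per helper address, or [] when the packet is not relayed."""
    ihl = (datagram[0] & 0x0F) * 4
    ttl, proto = datagram[8], datagram[9]
    src, dst = datagram[12:16], datagram[16:20]
    if proto != UDP or dst != LIMITED_BROADCAST or ttl <= 1:
        return []                   # not a UDP limited broadcast, or TTL expired
    segment = datagram[ihl:]
    dst_port = struct.unpack("!H", segment[2:4])[0]
    if dst_port not in ports:
        return []                   # port not configured for relay
    copies = []
    for helper in helper_addresses:
        new_dst = ipaddress.IPv4Address(helper).packed
        header = bytearray(datagram[:ihl])
        header[8] = ttl - 1                                  # routed hop
        header[16:20] = new_dst
        header[10:12] = b"\x00\x00"
        header[10:12] = struct.pack("!H", ones_complement_sum(bytes(header)))
        # destination changed, so the pseudo-header based UDP checksum changes too
        new_segment = segment[:6] + struct.pack("!H", udp_checksum(src, new_dst, segment)) + segment[8:]
        copies.append(bytes(header) + new_segment)
    return copies


def header_is_valid(datagram: bytes) -> bool:
    """Receiver-side check: a correct IPv4 header checksums to zero."""
    ihl = (datagram[0] & 0x0F) * 4
    return ones_complement_sum(datagram[:ihl]) == 0


def udp_is_valid(datagram: bytes) -> bool:
    """Receiver-side check of the UDP checksum including the pseudo-header."""
    ihl = (datagram[0] & 0x0F) * 4
    segment = datagram[ihl:]
    pseudo = datagram[12:16] + datagram[16:20] + struct.pack("!BBH", 0, UDP, len(segment))
    return ones_complement_sum(pseudo + segment) == 0


if __name__ == "__main__":
    ports = DEFAULT_PORTS | {1000}                      # ip forward-protocol udp 1000
    for port in (999, 1000):
        pkt = build_udp_datagram("1.0.0.3", "255.255.255.255", 40000, port, b"hello")
        print(port, "relayed copies:", len(relay(pkt, ["30.1.1.2"], ports)))
```

Every port in the relayed set is a path by which a broadcast on one segment becomes unicast traffic to the helper, so keep the set to what the server actually needs rather than leaving all six defaults enabled.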
Configuration Guide Configuring SNMP Configuring SNMP SNMP Overview Introduction Simple Network Management Protocol (SNMP) has been a network management standard (RFC 1157) since August 1988. With support from many vendors, it has become the de facto standard for network management.
message, the MIB uses a tree-shaped hierarchy to describe the managed objects in a network device. Each node in the tree represents a specific managed object. The following MIB figure is used as an example of how objects in the tree are named.
Configuration Guide Configuring SNMP error codes to distinguish different kinds of errors, which are represented by one error code in SNMPv1. Now, error types can be distinguished by error codes. Since there may be the management workstations supporting SNMPv1 and SNMPv2C in a network, the SNMP agent must be able to recognize both SNMPv1 and SNMPv2C messages, and return the corresponding version of messages.
Configuration Guide Configuring SNMP When the R2700 switching card (NM2-24ESW/NM2-16ESW) is managed via SNMP, NM2-16ESW returns a "nonexistent" error for ports 17-26, and NM2-24ESW returns a "nonexistent" error for ports 25-26. SNMP Security Both SNMPv1 and SNMPv2c use the community string to check whether the management workstation is entitled to access MIB objects. The community string travels in cleartext in every message, so it is at best a weak shared password; SNMPv3 adds per-user authentication and encryption.
Model | Level | Authentication | Encryption | Description
SNMPv3 | authPriv | MD5 or SHA | DES | Provides HMAC-MD5 or HMAC-SHA based authentication and CBC-DES based encryption.
SNMP Engine ID The engine ID uniquely identifies an SNMP engine. Every SNMP entity contains an SNMP engine, and the SNMP engine ID identifies the SNMP entity within a management domain.
To configure the SNMP community string, use the following command in global configuration mode: Command Function Ruijie(config)# snmp-server community string [ view view-name] [ ro | rw ] [ host host-ip ] [ ipv6 ipv6-aclname ] Sets the community string and its right.
Configuration Guide Configuring SNMP Ruijie(config)# snmp-server group groupname { v1 | v2c | v3 { auth | noauth | priv } [ read readview ] [ write Creates a group and associate it with the view. writeview ] [ access { [ ipv6 ipv6_aclname ] [ aclnum |...
Disabling the SNMP Agent The SNMP Agent service is provided by Ruijie products and is enabled by default. You can disable the SNMP Agent service and clear its related configuration by executing the following command in global configuration mode:...
Ruijie(config)# snmp-server enable traps [ type ] [ option ] | Allows the SNMP Agent to send TRAP messages proactively.
Ruijie(config)# no snmp-server enable traps [ type ] [ option ] | Forbids the SNMP Agent from sending TRAP messages proactively.
Checking the Current SNMP Status To monitor the SNMP status and troubleshoot SNMP configurations, Ruijie product provides monitoring commands for SNMP, with which it is possible to easily check the SNMP status of the current network device. In privileged user mode, use the show snmp command to check the current SNMP status.
Configuration Guide Configuring SNMP 2339 Get-next PDUs 0 Set-request PDUs 2406 SNMP packets output 0 Too big errors (Maximum packet size 1500) 4 No such name errors 0 Bad values errors 0 General errors 2370 Get-response PDUs 36 SNMP trap PDUs SNMP global trap: disabled SNMP logging: enabled SNMP agent: enabled...
SNMP trap message Checking the MIB Objects Supported by the Current SNMP Agent To check the MIB objects supported by the current SNMP Agent, use the show snmp mib command in privileged user mode: Ruijie# show snmp mib sysDescr sysObjectID sysUpTime...
… Viewing SNMP Users To view the SNMP users configured on the current SNMP agent, use the show snmp user command in privileged user mode: Ruijie# show snmp user User name: test Engine ID: 8000131103000000000000 storage-type: permanent active Security level: auth priv...
To view the view configured on the current SNMP agent, use the show snmp view command in privileged user mode: Ruijie# show snmp view default(include) 1.3.6.1 test-view(include) 1.3.6.1.2.1 Viewing Host Information To view the host information configured on the SNMP agent, use the show snmp host command in privileged user mode: Ruijie# show snmp host Notification host: 192.168.64.221...
Configuration Guide Configuring SNMP user: public security model: v1 Notification host: 2000:1234::64 udp-port: 162 type: trap user: public security model: v1 Typical SNMP Configuration Example SNMP v1/v2 Configuration Example Topological Diagram Figure 4 Topology for SNMP v1/2 application Application Requirements The Network Management Station (NMS) manages the network device (Agent) by applying the community-based authentication model, and the network device can control the operation permission (read or write) of the community to access the specified MIB objects.
Step 2: Configure community string and access permission. ! Configure Community of "user1", associate write permission for MIB view of "v1", and associate the ACL of "a1". Ruijie(config)#snmp-server community user1 view v1 rw a1 Step 3: Configure the Agent to actively send messages to NMS.
Configuration Guide Configuring SNMP ! Configure the IP address of Gi 0/1 as 192.168.3.1/24. Ruijie(config)#interface GigabitEthernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#ip address 192.168.3.1 255.255.255.0 Ruijie(config-if-GigabitEthernet 0/1)#exit Verification Step 1: Display configurations of the device. Ruijie#show running-config ip access-list standard a1 10 permit host 192.168.3.2...
Configuration Guide Configuring SNMP Step 2: Display information about SNMP view and group. Ruijie#show snmp view v1(include) 1.3.6.1.2.1.1 //define MIB object of “v1” default(include) 1.3.6.1 //default MIB object Ruijie#show snmp group groupname: user1 //Configure Community as SNMP group securityModel: v1...
Configuration Guide Configuring SNMP SNMP v3 Configuration Example Topological Diagram Figure 6 SNMPv3 application topology Application Requirements Network Management Station manages the network device (Agent) by applying user-based security model. For example: the user name is "user1", authentication mode is MD5, authentication key is "123", encryption algorithm is DES56, and the encryption key is "321".
! Create a user named "user1", which belongs to group "g1"; select version number of "v3" and configure authentication mode as "md5", authentication key as "123", encryption mode as "DES56" and encryption key as "321". Ruijie(config)#snmp-server user user1 g1 v3 auth md5 123 priv des56 321 Step 3: Configure the address of SNMP host.
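How the `md5` authentication key and the engine ID shown earlier (`show snmp user` prints `Engine ID: 8000131103000000000000`) fit together, as an added example in Python (not RGOS code): SNMPv3 USM never sends the password. Both the manager and the agent derive Ku by hashing the password repeated to 1 MiB, then localise it to the agent's engine with Kul = H(Ku || engineID || Ku) (RFC 3414 Appendix A). The same password therefore yields a different key on every engine, and a manager must learn the agent's engine ID before it can authenticate. The RFC 3414 test vector (`maplesyrup`, engine ID `000000000000000000000002`) is used to check the implementation; `parse_engine_id` decodes the RFC 3411 engine ID format seen in this guide. One caveat for the configuration above: the 3-character keys `123` and `321` are accepted by the CLI, but most USM implementations (net-snmp among them) refuse passphrases shorter than 8 characters, so the key derivation below enforces that minimum.

```python
"""SNMPv3 USM password-to-key and key localization, RFC 3414 (added example, not RGOS code)."""
import hashlib

ONE_MIB = 1048576


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: hash of the password stream repeated to exactly 1,048,576 bytes."""
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): binds the key to one SNMP engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id_hex: str, algo: str = "md5") -> bytes:
    """Localised key for a user password on a given engine (hex engine ID)."""
    if len(password) < 8:
        raise ValueError("USM passphrases shorter than 8 characters are rejected by most implementations")
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password.encode(), algo), engine_id, algo)


def parse_engine_id(engine_id_hex: str) -> dict:
    """Decode an RFC 3411 SNMP engine ID: enterprise number, format byte, payload.

    With the high bit set, bytes 0-3 carry the enterprise number, byte 4 the
    format (1 IPv4, 2 IPv6, 3 MAC address, 4 text, 5 octets) and the rest the data.
    """
    eid = bytes.fromhex(engine_id_hex)
    if not eid[0] & 0x80:
        return {"format": "rfc1910", "enterprise": int.from_bytes(eid[:4], "big"), "data": eid[4:]}
    enterprise = int.from_bytes(eid[:4], "big") & 0x7FFFFFFF
    return {"format": eid[4], "enterprise": enterprise, "data": eid[5:]}


if __name__ == "__main__":
    print(usm_keys("maplesyrup", "000000000000000000000002").hex())  # 526f5eed9fcce26f8964c2930787d82b
    print(parse_engine_id("8000131103000000000000"))
```

The engine ID in this guide decodes to enterprise 4881 with format 3, i.e. derived from a MAC address; an agent whose engine ID is all zeros in the data part, as in the output above, will give every such device the same engine ID and therefore the same localised keys, which is worth checking on a real deployment.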
Configuration Guide Configuring SNMP Ruijie(config-if-GigabitEthernet 0/1)#ip address 192.168.3.1 255.255.255.0 Ruijie(config-if-GigabitEthernet 0/1)#exit Verification Step 1: Display configurations of device. Ruijie#show running-config interface GigabitEthernet 0/1 no ip proxy-arp ip address 192.168.3.1 255.255.255.0 snmp-server view view1 1.3.6.1.2.1.1 include snmp-server view view2 1.3.6.1.2.1.1.4.0 include...
Group-name: g1 Step 3: Display SNMP view. Ruijie#show snmp view view1(include) 1.3.6.1.2.1.1 view2(include) 1.3.6.1.2.1.1.4.0 default(include) 1.3.6.1 Step 4: Display SNMP group. Ruijie# show snmp group groupname: g1 securityModel: v3 securityLevel:authPriv readview: view1 writeview: view2 notifyview: Step 5: Display host information configured by the user.
Configuration Guide Configuring SNMP security model: v3 authPriv Step 6: Install MIB-Browser. Type in device IP of "192.168.3.1" in the field of IP Address; type in "user1" in the field of UserName; select "AuthPriv" from Security Level; type in "123" in the field of AuthPassWord; select "MD5" from AuthProtocol;...
Configuration Guide Configuring IPv6 Configuring IPv6 IPv6 Overview As the Internet grows rapidly and the IPv4 address space is being exhausted, the limitations of IPv4 have become more obvious, and research on and deployment of the next-generation Internet Protocol have gained momentum. The IPng working group of the IETF defined the IPng protocol specification, which is referred to as IPv6.
IPsec is an optional extension to IPv4, whereas in IPv6 it is an integral component of the protocol used to provide security. IPv6 defines the Authentication Header (AH) and Encapsulating Security Payload (ESP) mechanisms: AH authenticates the integrity of the data and the source of the IP packet, ensuring that the packet really comes from the node given by the source address, while ESP provides data encryption for end-to-end confidentiality.
Configuration Guide Configuring IPv6 IPv6 Address Configuration IPv6 Route Forwarding (supporting static route configuration) Configuration of various IPv6 parameters Diagnosis Tool Ping IPv6 IPv6 Address Format The basic format of an IPv6 address is X:X:X:X:X:X:X:X, where each X is a group of four hexadecimal digits (16 bits). Each hexadecimal digit carries 4 bits, each group holds four hex digits, and an address has 8 groups, for a total of 128 bits.
Configuration Guide Configuring IPv6 Anycast: Identifiers of a set of interfaces. The packet to be sent to an anycast address will be transmitted to one of the interfaces identified by this address (select the nearest one according to the routing protocol). Multicast: Identifiers of a set of interfaces (In general, they are of different nodes).
Configuration Guide Configuring IPv6 Site-local Address The format of a site-local address: Figure 2 A site-local address can be used to transmit data within a site. A router does not forward a packet whose source or destination address is site-local to the Internet; such packets are forwarded only within the site and never outside it. (Site-local addresses, fec0::/10, were deprecated by RFC 3879; new deployments use unique local addresses, fc00::/7, for this purpose.)
Configuration Guide Configuring IPv6 The IPv4-compatible IPv6 address was mainly used for automatic tunneling between nodes that support both IPv4 and IPv6: the IPv6 packet is carried across IPv4 routers in a tunnel. The IPv4-compatible IPv6 address has since been deprecated.
Configuration Guide Configuring IPv6 If they are routers, they must also join the all-routers link-local multicast address FF02::2. A solicited-node multicast address corresponds to each IPv6 unicast and anycast address, so an IPv6 node must join the corresponding solicited-node multicast address for every unicast and anycast address configured on it.
Configuration Guide Configuring IPv6 IPv6 Packet Header Structure The format of the IPv6 packet header is shown in the figure below: Figure 8 The IPv4 header is aligned on 4-byte units and is variable in length; the IPv6 header is aligned on 8-byte units and has a fixed length of 40 bytes.
Configuration Guide Configuring IPv6 Next Header: This field indicates the protocol type in the header field following the IPv6 header. Similar to the IPv4 protocol field, the Next Header field can be used to indicate whether the upper level is TCP or UDP. It can also be used to indicate whether an extended IPv6 header exists.
Configuration Guide Configuring IPv6 The Authentication Header and Encapsulating Security Payload extension headers are described in the IPsec section. The current RGOS IPv6 implementation does not support IPsec. IPv6 Path MTU Discovery As with IPv4 path MTU discovery, IPv6 path MTU discovery allows a host to discover and adjust to the MTU of the data transmission path.
Configuration Guide Configuring IPv6 Neighbor Unreachability Detection Neighbor Unreachability Detection is triggered when an IPv6 unicast packet is to be sent to a neighbor whose reachable time has expired. Neighbor Unreachability Detection can run concurrently with sending IPv6 packets to the neighbor: while the detection is in progress, the device continues to forward IPv6 packets to that neighbor.
Configuration Guide Configuring IPv6 Effective period of the IPv6 address prefix. Usage of the host auto-configuration (Stateful or stateless). Information for the default router (namely, determine whether this router is taken as the default router. If yes, it will announce the time as the default router itself). Other information for configuration such as the hop limit, the MTU and the neighbor solicitation retransmission interval.
Ruijie(config-if)#ipv6 address ipv6-address/prefix-length [ eui-64 ] | Configures an IPv6 unicast address on the interface. The keyword eui-64 indicates that the generated IPv6 address consists of the configured address prefix and a 64-bit interface ID. Note: Whether or not the keyword eui-64 was used, the complete address (prefix + interface ID/prefix length) must be entered to delete an IPv6 address.
The following is an example of the configuration of an IPv6 address: Ruijie(config)# interface GigabitEthernet 0/1 Ruijie(config-if)# ipv6 enable Ruijie(config-if)# ipv6 address fec0:0:0:1::1/64 Ruijie(config-if)# end Ruijie# show ipv6 interface GigabitEthernet 0/1 Interface GigabitEthernet 0/1 is Up, ifindex: 1 address(es): Mac Address: 00:00:00:00:00:01 INET6: fe80::200:ff:fe00:1 , subnet is fe80::/64...
Only routers, not hosts, generate redirect messages, and a router does not update its routing table when it receives a redirect message. To enable redirection on an interface, execute the following commands, starting in global configuration mode: Command Function Ruijie#configure terminal Enter the global configuration mode.
Use the no ipv6 redirects command to disable the redirection function. The following is an example to configure the redirection function: Ruijie(config)# interface GigabitEthernet 0/1 Ruijie (config-if)# ipv6 redirects Ruijie (config-if)# end Ruijie # show ipv6 interface GigabitEthernet 0/1 Interface GigabitEthernet 0/1 is Up, ifindex: 1 address(es): Mac Address: 00:d0:f8:00:00:01 INET6: fe80::2d0:f8ff:fe00:1 , subnet is fe80::/64...
Page 377
To configure a static neighbor, execute the following commands in global configuration mode.
Command Function
Ruijie#configure terminal   Enter the global configuration mode.
Ruijie(config)#ipv6 neighbor ipv6-address interface-id hardware-address   Configure a static neighbor on the interface.
Ruijie(config)#end   Return to the privileged EXEC mode.
Page 378
Use the no ipv6 neighbor ipv6-address interface-id command to delete the specified neighbor. The following is an example of configuring a static neighbor on GigabitEthernet 0/1:
Ruijie(config)# ipv6 neighbor fec0:0:0:1::100 GigabitEthernet 0/1 00d0.f811.1234
Ruijie(config)# end
Ruijie# show ipv6 neighbors verbose fec0:0:0:1::100...
Page 379
Use the no ipv6 nd dad attempts command to restore the default value. The following is an example of configuring the number of neighbor solicitation (NS) messages sent for address conflict detection on the SVI1:
Ruijie(config)# interface GigabitEthernet 0/1
Ruijie(config-if)# ipv6 nd dad attempts 3
Ruijie(config-if)# end
Ruijie# show ipv6 interface GigabitEthernet 0/1...
Page 380
Ruijie# show ipv6 interface vlan 1
Interface GigabitEthernet 0/1 is Up, ifindex: 1
address(es):
Mac Address: 00:d0:f8:00:00:01
INET6: fe80::2d0:f8ff:fe00:1 , subnet is fe80::/64
INET6: fec0:0:0:1::1 , subnet is fec0:0:0:1::/64
Joined group address(es):
ff01:1::1
ff02:1::1
ff02:1::2
ff02:1::1:ff00:1...
Page 381
For device interfaces on the same physical network segment, the MTU values of the same protocol must be consistent. To set the IPv6 MTU value, use the following commands in interface configuration mode.
Command Function
Ruijie(config-if)# ipv6 mtu bytes   Set the MTU value within the range 1280–1500.
Ruijie(config-if)# no ipv6 mtu   Restore the default value.
Page 382
Ruijie(config-if)#ipv6 nd ra-interval { seconds | min-max min_value max_value }   (Optional) Set the interval, in seconds, at which the router periodically sends the router advertisement (RA) message; the default value is 200s. With min-max specified, the actual sending interval is a random value between the minimum and maximum values.
Page 383
By default, the flag bit is not configured for the router advertisement (RA) message.
Ruijie(config-if)#end   Return to the privileged EXEC mode.
Ruijie#show ipv6 interface [ interface-id ] [ ra-info ]   Show the IPv6 information of the interface or, with ra-info, the information about the RA messages sent by this interface.
Page 384
View the IPv6 information of an interface.
Ruijie# show ipv6 interface
interface GigabitEthernet 0/1 is Down, ifindex: 1
address(es):
Mac Address: 00:d0:f8:00:00:01
INET6: fe80::2d0:f8ff:fe00:1 , subnet is fe80::/64
INET6: fec0:1:1:1::1 , subnet is fec0:1:1:1::/64
Joined group address(es):...
Page 385
View the information about the router advertisement (RA) message to be sent by an interface.
Ruijie# show ipv6 interface ra-info
GigabitEthernet 0/1: DOWN
RA timer is stopped
waits: 0, initcount: 3
statistics: RA(out/in/inconsistent): 4/0/0, RS(input): 0...
Page 386
Configuration Guide Configuring DHCPv6 Relay Agent
Configuring DHCPv6 Relay Agent
Understanding DHCPv6 Relay Agent
DHCPv6 Overview
With the development of IPv6 networks, more IPv6-based applications are being deployed. Automatic configuration of nodes, proposed when IPv6 was designed, has become a major feature of IPv6 networks. In the new network structure, both stateless configuration and stateful configuration have been developed.
Page 387
As defined in RFC3315, DHCP Unique Identifier (DUID) uniquely identifies a DHCPv6 device and is used for mutual authentication of DHCPv6 devices (including DHCPv6 clients, relay agents, and servers). Ruijie DHCPv6 devices are identified by DUID Based on Link-layer Addresses (DUID-LLs) specified by RFC3315. The structure of a DUID-LL is as follows: DUID type: type of a DUID.
Page 388
As shown in Figure 3, the DHCPv6 client forwards packets through the DHCPv6 relay agent. The following details the process of obtaining an IPv6 address and other parameter settings. The DHCPv6 client sends a DHCPv6 Solicit packet to the destination FF02::1:2 (the address of the multicast group that includes all DHCPv6 servers and relay agents).
Page 389
Querying Statistics on DHCPv6 Relay Agent
Ruijie devices also count the packets they receive so that users can monitor the operation of the DHCPv6 Relay Agent and detect exceptions such as a large number of invalid packets.
Command Function
Ruijie# show ipv6 dhcp relay statistics   Displays the counts of packets related to the DHCPv6 Relay Agent function.
Configuration example:
Ruijie# show ipv6 dhcp relay statistics...
Page 391
In this way, distributing the relay agents alleviates traffic pressure.
Configuration Steps
Enable DHCPv6 Relay Agent on device 1 and set the destination address to 3001::2.
Ruijie#config...
Page 392
Enable DHCPv6 Relay Agent on device 2 and set the destination address to FF02::1:2.
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z
Ruijie(config)#interface vlan 1
Ruijie(config-if)#ipv6 dhcp relay destination FF02::1:2 interface gi 0/1
Verification
Query the DHCPv6 Relay Agent configuration on device 1.
Ruijie# show ipv6 dhcp relay destination all...
Page 393
Configuration Guide Configuring DHCPv6
Configuring DHCPv6
DHCPv6 Overview
With the development of IPv6 networks, IPv6-based networks are being applied more and more widely. As a framework proposed at the beginning of IPv6 design, automatic configuration of network nodes has become a key feature of IPv6 networks.
Page 394
Multicast is used instead of broadcast because broadcast has been abolished in IPv6 networks. By using the Rapid Commit option, the 4-message interaction can be simplified into a 2-message interaction (Solicit - Reply). New DHCP message structure: DHCPv6 has substantially modified the original DHCPv4 message and has removed the optional parameters from the DHCP message header.
Page 395
In network planning, the above-mentioned IPv6 address and parameter allocation methods can be used concurrently. Ruijie DHCPv6 Server supports IPv6 address allocation and prefix allocation. IPv6 address allocation automatically assigns IPv6 addresses to DHCPv6 clients. Prefix allocation provides flexible, automatic site-level configuration, so that the site address space can be controlled flexibly.
Page 396
The above figure illustrates the application of prefix-based DHCPv6 in an IPv6 network. The core router runs a prefix delegation (PD) based DHCPv6 server. The IPv6 multi-service router runs the DHCPv6 client on the interface connecting to the core router, acquires prefix space from the core router and stores it in the global IPv6 prefix pool.
Page 397
DUID assigned by the vendor based on the enterprise number (DUID-EN); and DUID based on the link-layer address (DUID-LL). Currently, Ruijie DHCPv6 devices use DUID-LL. The structure of the DUID-LL is as follows: Figure 1-4. In this structure, the DUID type field identifies the DUID type, and the value for DUID-LL is 0x0003; the Hardware type field identifies the hardware type, and the hardware type supported by the device is Ethernet, value 0x0001;...
Page 398
Prefix delegation (PD). According to the types of addresses contained in IAs, IAs can be divided into three types, namely IA_NA, IA_TA and IA_PD. Ruijie DHCPv6 Server supports IA_NA and IA_PD, but not IA_TA.
DHCPv6 Bindings
DHCPv6 bindings are a group of manageable address information structures. A binding is based on the IA and can be identified by the server and clients.
Page 399
DHCPFORCERENEW   Relay-forward (12), Relay-reply (13)   None
The Reconfigure type of packet is not supported by Ruijie DHCPv6 Server. Please refer to the DHCP Configuration chapter of this guide for information about DHCPv4.
Working principle of DHCPv6 Server
The application mode of DHCPv6 is generally developed based on the framework of DHCPv4. The application mode of DHCPv6 comprises Server, Client and Relay.
Page 400
A typical DHCPv6 address allocation process is shown in the following figure: the DHCPv6 Client sends a multicast Solicit packet with the destination address FF02::1:2 and destination UDP port 547 on the local link. All the DHCPv6 Servers and Relays on the local link receive the packet. After the DHCPv6 Servers receive the packet, they send unicast Advertise packets in reply;...
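The DUID-LL structure (type 0x0003, Ethernet hardware type 0x0001) and the Solicit message described above, worked through as an added example that is not part of the original guide: it builds a Solicit carrying a DUID-LL Client Identifier, parses it back, and applies the sanity checks a relay or server would use to count a packet as invalid (the message and option codes are those of RFC 3315; the MAC 00d0.f811.1234 is the sample value used elsewhere in this guide).

```python
import struct

# Constants from RFC 3315 (DUID type and hardware type as given in this guide)
DUID_LL = 0x0003
HW_ETHERNET = 0x0001
MSG_SOLICIT = 1
OPT_CLIENTID = 1
OPT_SERVERID = 2
OPT_IA_NA = 3
OPT_ELAPSED_TIME = 8
OPT_RAPID_COMMIT = 14
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = ("ff02::1:2", 547)  # destination of a Solicit


def build_duid_ll(mac: str) -> bytes:
    """DUID-LL: 2-byte DUID type 0x0003, 2-byte hardware type 0x0001, 6-byte MAC."""
    ll = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(ll) != 6:
        raise ValueError("Ethernet link-layer address must be 6 bytes")
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + ll


def parse_duid_ll(duid: bytes) -> str:
    """Return the MAC inside a DUID-LL, or raise ValueError if it is not a valid DUID-LL."""
    if len(duid) < 4:
        raise ValueError("DUID too short")
    duid_type, hw_type = struct.unpack("!HH", duid[:4])
    if duid_type != DUID_LL:
        raise ValueError(f"not a DUID-LL (type 0x{duid_type:04x})")
    if hw_type != HW_ETHERNET:
        raise ValueError(f"unsupported hardware type 0x{hw_type:04x}")
    if len(duid) != 10:
        raise ValueError("Ethernet DUID-LL must be exactly 10 bytes")
    return ":".join(f"{b:02x}" for b in duid[4:])


def option(code: int, data: bytes) -> bytes:
    """DHCPv6 option: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def build_solicit(xid: int, mac: str, iaid: int, rapid_commit: bool = False) -> bytes:
    """Solicit: 1-byte msg-type, 3-byte transaction-id, then options."""
    header = struct.pack("!I", (MSG_SOLICIT << 24) | (xid & 0xFFFFFF))
    opts = option(OPT_CLIENTID, build_duid_ll(mac))
    opts += option(OPT_ELAPSED_TIME, struct.pack("!H", 0))
    # IA_NA: IAID, T1, T2 (T1 = T2 = 0 lets the server choose the timers)
    opts += option(OPT_IA_NA, struct.pack("!III", iaid, 0, 0))
    if rapid_commit:  # requests the 2-message Solicit/Reply exchange
        opts += option(OPT_RAPID_COMMIT, b"")
    return header + opts


def parse_message(pkt: bytes) -> dict:
    """Parse header and option list; raise ValueError on any truncation."""
    if len(pkt) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type, xid = pkt[0], int.from_bytes(pkt[1:4], "big")
    options, off = [], 4
    while off < len(pkt):
        if len(pkt) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        if off + length > len(pkt):
            raise ValueError("option length exceeds packet")
        options.append((code, pkt[off:off + length]))
        off += length
    return {"msg_type": msg_type, "xid": xid, "options": options}


def solicit_is_valid(pkt: bytes) -> bool:
    """Checks a receiver applies before acting on a Solicit; False means 'count as invalid'."""
    try:
        msg = parse_message(pkt)
        if msg["msg_type"] != MSG_SOLICIT:
            return False
        client_ids = [d for c, d in msg["options"] if c == OPT_CLIENTID]
        if len(client_ids) != 1:          # exactly one Client Identifier is required
            return False
        if any(c == OPT_SERVERID for c, _ in msg["options"]):
            return False                  # a Solicit must not carry a Server Identifier
        if struct.unpack("!H", client_ids[0][:2])[0] == DUID_LL:
            parse_duid_ll(client_ids[0])  # other DUID types are accepted unchecked here
        return True
    except (ValueError, struct.error):
        return False
```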
Page 401
When the Client's network connection changes, the Client sends a Confirm packet to the Server to ask whether the resources allocated by the Server previously are still available. After the Server receives the packet, it sends a Reply packet to the Client. The process is shown as follows: Figure 1-8 Server replies to a Confirm packet. If the Client adopts stateless address configuration but obtains other parameters through DHCP, the Client will...
Page 402
Command Function
Ruijie# configure terminal   Enter global configuration mode.
Ruijie(config)# ipv6 dhcp pool poolname   Configure the DHCPv6 configuration information pool and enter pool configuration mode.
Ruijie(config-dhcp)#domain-name domain   Configure a domain name that can be assigned to the DHCPv6 client.
Ruijie(config-dhcp)#dns-server ipv6-address   Configure a DNS server that can be assigned to the DHCPv6 client.
Page 403
DHCPv6 Server does not support allocation of gateway addresses for clients. To do this, the RA notification function must be enabled on the device:
Ruijie(config-if)# no ipv6 nd suppress-ra
The flag bit "managed address configuration" in the Router Advertisement (RA) packet should also be set to...
Page 404
RA should use the stateful automatic configuration to obtain information other than the addresses. By default, the flag bit in the RA packet is not set by:
Ruijie(config-if)# ipv6 nd other-config-flag
Finally, disable the prefix notification function:
Ruijie(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length...
Page 405
Ruijie(config-if)# ipv6 nd other-config-flag
DHCPv6 Server does not support allocation of gateway addresses for clients. To do this, the RA notification function must be enabled on the device:
Ruijie(config-if)# no ipv6 nd suppress-ra
Showing the DHCPv6 Server configuration
Use the following commands to show information about the DHCPv6 Server configuration and state:...
Page 406
Jan 1 2008 2:23 (3600 seconds)
Ruijie# show ipv6 dhcp interface
VLAN 1 is in server mode
Server pool dhcp-pool
Rapid-Commit: disable
Ruijie# show ipv6 dhcp pool
DHCPv6 pool: dhcp-pool
DNS server: 2011:1::1
DNS server: 2011:1::2
Domain name: example.com
Typical configuration examples...
Page 407
Ruijie(config-if)# ipv6 dhcp server pool1
Ruijie(config-if)# no ipv6 nd suppress-ra
Ruijie(config-if)# ipv6 nd managed-config-flag
Ruijie(config-if)# ipv6 nd other-config-flag
Ruijie(config-if)# ipv6 nd prefix 2008:50::/64 no-advertise
Showing verification
Show the configuration of the DHCPv6 Server on the convergence gateway device:
Ruijie# show ipv6 dhcp interface...
Page 408
Ruijie# show ipv6 dhcp pool
DHCPv6 pool: pool1
DNS server: 2008:1::1
Domain name: example.com
Ruijie# show ipv6 dhcp server statistics
DHCPv6 server statistics:
Packet statistics:
DHCPv6 packets received:
Solicit received:
Request received:
Confirm received:
Renew received:...
Page 409
Configuration Guide Configuring DHCPv6 Server
Configuring DHCPv6 Server
AP110 series does not support the DHCPv6 server.
Understanding DHCPv6 Server
Overview
With IPv6 network development, more IPv6-based applications are being deployed. The fact that IPv6 Internet addresses are 128 bits in length and written in hexadecimal format makes automatic address assignment an important aspect of network design.
Page 410
The preceding IPv6 address and parameter assignment methods can be used at the same time in some cases. The Ruijie DHCPv6 server supports IPv6 address assignment and prefix delegation. IPv6 address assignment assigns IPv6 addresses to DHCPv6 clients. Prefix delegation implements flexible auto-configuration of sites and helps control the site address space.
Page 411
Based on the address type, IAs are classified as IA_NA, IA_TA, and IA_PD. Ruijie DHCPv6 servers support IA_NA and IA_PD only.
Address binding
A DHCPv6 binding is a manageable address information structure based on IAs and can be identified by DHCPv6 servers and clients.
Page 412
Working Principle
As the successor to DHCPv4, DHCPv6 uses a similar framework, in which the server, client, and relay agent interwork. Through request-response interaction, the DHCPv6 server and client exchange configuration information.
Page 413
The DHCPv6 server may directly return a Reply packet as a response. Figure 2 illustrates the simplified address assignment procedure.
Figure 14 Simplified address assignment
DHCPv6 Relay is introduced to enable a client to request an address from a server when the client and server are on different network segments.
Page 414
The configuration steps are as follows:
Command Function
Ruijie# configure terminal   Enters global configuration mode.
Ruijie(config)# ipv6 dhcp pool poolname   Configures a DHCPv6 configuration pool and enters pool configuration mode.
Ruijie(config-dhcp)# domain-name domain   Configures a domain name for the DHCPv6 client.
Page 415
Ruijie(config-dhcp)# exit   Exits DHCPv6 pool configuration mode.
Ruijie(config)# interface interface-name   Enters interface configuration mode.
Ruijie(config-if)# ipv6 dhcp server poolname [ rapid-commit ] [ preference value ]   Enables DHCPv6 Server on an interface.
Configuration example:
# Create a configuration pool named pool1, configure information such as the domain name, DNS server, IA_NA, and IA_PD, and enable DHCPv6 Server on FastEthernet 0/1.
Page 416
# Create a configuration pool named pool1, configure information such as the domain name and DNS server, and enable DHCPv6 Server on FastEthernet 0/1.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ipv6 dhcp pool pool1
Ruijie(config-dhcp)# domain-name example.com
Ruijie(config-dhcp)# dns-server 2008:1::1
Ruijie(config-dhcp)# exit...
Page 417
Ruijie# show ipv6 dhcp pool
DHCPv6 pool: dhcp-pool
DNS server: 2011:1::1
DNS server: 2011:1::2
Domain name: example.com
Typical DHCPv6 Server Configuration
Networking Requirement
On live networks, DHCPv6 servers are usually deployed at the core or convergence layer to assign and manage the IP addresses of the entire subnet.
Page 418
# Create a configuration pool named pool1, configure information such as the domain name, DNS server, and IA_NA, and enable DHCPv6 Server on the interface vlan1.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ipv6 dhcp pool pool1
Ruijie(config-dhcp)# domain-name example.com
Ruijie(config-dhcp)# dns-server 2008:1::1
Ruijie(config-dhcp)# iana-address prefix 2008:50::/64...
Page 419
ARP fraud in the network and improving network stability.
Brief introduction
Ruijie devices support multiple IP security applications (such as IP Source Guard, global IP+MAC binding and port security), which filter user IP packets effectively and prevent illegal users from using network resources. The ARP check function generates the corresponding ARP filtering information from the legal user information (IP or IP+MAC), and so filters illegal ARP packets in the network.
Page 420
Use the following commands to configure ARP-CHECK in privileged EXEC mode:
Command Function
Ruijie(config)#interface interface-id   Enter interface configuration mode.
Ruijie(config-if)# arp-check   Enable arp check.
Ruijie(config-if)# no arp-check   Disable arp check.
Use the following commands to configure the ARP-CHECK function:
Command Function
Ruijie# configure t   Enters configuration mode.
Page 421
Showing the ARP Check Entry on the interface
Use the following commands to show the ARP check entry information on the interface:
Command Function
Ruijie#show interface { interface-type interface-number } arp-check list   Show the ARP check entry information.
The example below shows the ARP-check entry information:...
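The filtering decision the ARP check function makes, reproduced as an added example that is not Ruijie code: an Ethernet/ARP frame is parsed and its sender IP (and, for IP+MAC bindings, sender MAC) is compared with the legal user information configured on the port; anything that does not match a binding is dropped with a reason suitable for logging. The binding entries and frames are constructed sample data; the check that the Ethernet source matches the ARP sender MAC is an extra sanity check not described in the guide.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class Binding:
    """Legal user information for one port: IP only, or IP+MAC."""
    ip: str
    mac: Optional[str] = None  # None means any MAC may claim this IP


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace(".", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str,
              eth_src: Optional[str] = None) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (constructed test input)."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tha)
    eth = eth_dst + mac_bytes(eth_src or sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Return the ARP fields needed for the check; raise ValueError on malformed input."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_src": mac_str(eth_src), "op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tpa": ip_str(frame[38:42])}


def arp_check(frame: bytes, bindings: List[Binding]) -> Tuple[bool, str]:
    """Permit the frame only if its sender matches a legal binding on this port."""
    try:
        arp = parse_arp(frame)
    except ValueError as exc:
        return False, f"drop: malformed ({exc})"
    if arp["op"] not in (ARP_REQUEST, ARP_REPLY):
        return False, f"drop: unknown ARP opcode {arp['op']}"
    if arp["eth_src"] != arp["sha"]:
        return False, "drop: Ethernet source differs from ARP sender MAC"
    for b in bindings:
        if b.ip == arp["spa"] and (b.mac is None or b.mac == arp["sha"]):
            kind = "IP+MAC" if b.mac else "IP"
            return True, f"permit: sender matches {kind} binding {b.ip}"
    return False, f"drop: no binding for sender {arp['spa']} ({arp['sha']})"
```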
Page 422
Configuration Guide Configuring 802.1x
Configuring 802.1x
This chapter describes the configuration of the AAA service. 802.1x is used to control the authentication of users' network access and to provide authorization and accounting functions for users. This chapter includes:
Overview
Configuring 802.1x
Viewing the Configuration and Current Statistics of the 802.1x...
Page 423
Authentication Initiation and Packet Interaction During Authentication
States of Authorized Users and Unauthorized Users
Topologies of Typical Applications
Device Roles
In the IEEE 802.1x standard, there are three roles: supplicant, authenticator, and authentication server. In practice, they are the Client, the network access server (NAS) and the Radius Server. Figure 1
Supplicant: The supplicant is the role played by the end user, usually a PC.
Page 424
management of users. The authentication server also manages the accounting data from the authenticator. Our 802.1x device is fully compatible with standard Radius Servers, for example, the Radius Server shipped with Microsoft Windows Server and the FreeRADIUS server on Linux. In addition, we have introduced the standards-compliant Radius server software SAM (Security Accounting Management Platform).
Page 425
If a workstation that does not support 802.1x is connected to the controlled port, it will not respond when the device requests the username, because it lacks 802.1x support. This means that the user remains unauthorized and cannot access network resources.
Page 426
This solution is described below. Requirements of this solution: The user supports 802.1x, that is, an 802.1x client is installed (the client built into Windows XP, Star-supplicant or other IEEE 802.1x compliant client software). The access layer device supports IEEE 802.1x. One or more RADIUS compliant servers are available as the authentication server.
Page 427
This solution is described below. Requirements of this solution: The user supports 802.1x, that is, an 802.1x client is installed (the client built into Windows XP, Star-supplicant or other IEEE 802.1x compliant client software). The access layer device must be able to transparently transmit IEEE 802.1x frames (EAPOL). The convergence layer device supports 802.1x (playing the role of the authenticator). One or more RADIUS compliant servers are available as the authentication server.
Page 428
The users of MAC addresses corresponding to the static addresses or IP+MAC bindings can access the Internet without 802.1x authentication. The 802.1x supported functions include the standard function and private function. The private function needs to be co-used with Ruijie Supplicant and Ruijie SAM software.
Radius Server. The following example sets the server IP to 192.168.4.12, the authentication UDP port to 600, and the key to the agreed password:
Ruijie# configure terminal
Ruijie(config)# radius-server host 192.168.4.12
Ruijie(config)# radius-server host 192.168.4.12 auth-port 600
Ruijie(config)# radius-server key MsdadShaAdasdj878dajL6g6ga
Ruijie(config)# end
For details about RADIUS configuration, please refer to the RADIUS Configuration Manual.
Page 430
Show the configuration.
Configuration example:
Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# aaa authentication dot1x authen group radius
Ruijie(config)# dot1x authentication authen
Ruijie(config)# end
For details about AAA configuration, please refer to the AAA Configuration Manual.
Enabling/Disabling the 802.1x Authentication of a WLAN
If you enable 802.1x authentication for a WLAN when 802.1x is enabled, the WLAN enables the 802.1x controlled...
Page 431
In privileged EXEC mode, you can enable/disable re-authentication and set the re-authentication interval by performing the following steps.
Command Function
Ruijie#configure terminal   Enters global configuration mode.
Ruijie(config)#dot1x re-authentication   Enables timed re-authentication.
Ruijie(config)#dot1x timeout re-authperiod seconds   Sets the re-authentication interval....
Page 432
You can use the no dot1x timeout quiet-period command to restore the Quiet Period to its default. In the example below the QuietPeriod value is set to 500 seconds:
Ruijie# configure terminal
Ruijie(config)# dot1x timeout quiet-period 500
Ruijie(config)# end
Setting the Packet Retransmission Interval
After the device sends the EAP-request/identity, it resends that message if no response is received from the user within a certain period.
Page 433
You can use the no dot1x timeout tx-period command to restore the packet retransmission interval to its default. The following example sets the packet retransmission interval to 100 seconds:
Ruijie# configure terminal
Ruijie(config)# dot1x timeout tx-period 100
Ruijie(config)# end
Setting the Maximum Number of Requests
If the switch does not receive a response within the ServerTimeout after it sends an authentication request to the RadiusServer, it retransmits the packets.
Page 434
You can use the no dot1x reauth-max command to restore the maximum number of re-authentications to its default. The following example sets the maximum number of re-authentications to 3:
Ruijie# configure terminal
Ruijie(config)# dot1x reauth-max 3
Ruijie(config)# end
Setting the Server-timeout
This value indicates the maximum response time of the Radius Server.
Page 435
Enters global configuration mode.
Ruijie(config)#dot1x auto-req packet-num num   The device proactively initiates num 802.1x authentication request messages. If num is equal to 0, the device continually sends that message. The default is 0 (infinite).
Ruijie(config)#end   Returns to the privileged EXEC mode.
Page 436
Returns to the privileged EXEC mode.
Ruijie#write   Saves the configuration.
Ruijie#show dot1x auto-req   Shows the configuration.
The no option of the command restores the value to its default. Since sending the authentication request multicast message causes re-authentication of all users under the authentication interface, the sending interval should not be too small, or authentication efficiency will suffer.
Page 437
In privileged EXEC mode, you can set the accounting service by performing the following steps:
Command Function
Ruijie#configure terminal   Enters global configuration mode.
Ruijie(config)#aaa new-model   Enables the AAA function.
Ruijie(config)#aaa group server radius gs   Configures the accounting server group.
Ruijie(config-gs-radius)#server 192.168.4.12 acct-port 11   Adds a server to the server group.
Page 438
Ruijie(config)# aaa new-model
Ruijie(config)# aaa group server radius acct-use
Ruijie(config-gs-radius)# server 192.168.4.12 acct-port 1200
Ruijie(config-gs-radius)# server 192.168.4.13 acct-port 1200
Ruijie(config-gs-radius)# exit
Ruijie(config)# aaa accounting network acct-list start-stop group acct-use
Ruijie(config)# dot1x accounting acct-list
Ruijie(config)# end
Ruijie# write memory
Ruijie# show running-config
Page 439
Ruijie# write memory
Ruijie# show running-config
The following chapters introduce the proprietary features of Ruijie's network products. To make things easier for broadband operators and to accommodate use in special environments, our 802.1x has been extended (the extension is entirely standards-based and fully compatible with IEEE 802.1x).
Page 440
Configuring the IP authorization mode
The 802.1x implemented by Ruijie Networks can force authenticated users to use fixed IP addresses. By configuring the IP authorization mode, the administrator can limit the way a user obtains an IP address. There are three IP authorization modes: DISABLE, DHCP SERVER, and RADIUS SERVER.
Page 441
Command Function
Ruijie#configure terminal   Enter the global configuration mode.
Ruijie(config)#aaa new-model   Enable the AAA function.
Ruijie(config)#aaa authorization ip-auth-mode { disabled | dhcp-server | radius-server }   Configure the IP authorization mode.
Ruijie(config)#end   Return to the privileged EXEC mode.
Save the configuration.
Page 442
Releasing Advertisement
Our 802.1x allows you to configure the Reply-Message field on the Radius Server. When authentication succeeds, the content of the field is shown on our 802.1x client Star-Supplicant, which lets operators publish information to users.
Page 443
Configuring the Authentication Mode
In the standard, 802.1x implements authentication through EAP-MD5. The 802.1X designed by Ruijie can perform authentication through EAP-MD5 (the default) as well as CHAP and PAP. The advantage of CHAP is that it reduces communication between the switch and the RADIUS SERVER, thus alleviating the load on the RADIUS SERVER.
Page 444
Configuring and Managing Online Users
Ruijie's devices provide management of authenticated users via SNMP. The administrator can view the information of authorized users via SNMP and forcibly log off a user. A user who has been forcibly logged off must pass authentication again before using network resources.
Page 445
The proxy server shielding function defines the Vendor type 0x20, and the dial-up shielding function defines the Vendor type 0x21. The Attribute-Specific field is a 4-byte manufacturer-defined attribute, which defines the actions taken against proxy server access and dial-up access.
Page 446
show running-config   Shows the configuration.
In an IPv4 environment where the Ruijie supplicant client is deployed, you do not need to enable this function, since the supplicant client is capable of uploading the terminal's IPv4 address. This function cannot be used in environments where static IP addresses are deployed.
Page 447
Viewing the Radius Authentication and Accounting Configuration
Use the show radius server command to check the configuration of the Radius Server, and use the show aaa user all command to view user-related information.
Ruijie# sh radius server
Server IP: 192.168.5.11...
Page 449
Overview of Ruijie Web Authentication
There are two versions of the Ruijie Portal server. They are called Ruijie first generation Web authentication and Ruijie second generation Web authentication, because each version has a different authentication process. A simplified version of the Portal server is implemented on the devices themselves; it is called built-in Portal Web authentication.
Page 450
After HTTP interception, the access device directs the user's HTTP connection requests to itself and thus establishes a session between the access device and the user. The access device uses HTTP redirection to push the redirection page to the user, and the user's browser shows a window that may require authentication or may display a link for downloading software.
Page 451
Roles related to Web authentication:
Authentication client: refers to a browser running the HTTP protocol. It sends HTTP requests when the user uses the browser to access the network.
Access device: generally refers to an access layer device (for example, a wireless AP in a WLAN) in the network topology. It is generally directly connected to the user's terminal device, and Web authentication must be enabled on the access device.
Page 452
Figure 2 Ruijie first generation Web authentication procedures
User logout procedures: There are two types of user logout. One is the logout detected by the access device because the user's time has run out, the traffic quota is used up or the link is interrupted.
Page 453
The same as the HTTP redirection technology of Ruijie first generation Web authentication.
Operating Principle
The networking topology of Ruijie second generation Web authentication is the same as that of Ruijie first generation Web authentication (Figure 1).
Roles related to Web authentication:
Authentication client: refers to a browser running the HTTP protocol.
Page 454
Figure 3 Ruijie second generation Web authentication procedures
User logout procedures: There are two types of user logout. One is the logout detected by the access device because the user's time has run out, the traffic quota is used up or the link is interrupted. The other is the logout detected by the Portal Server because the user triggers a logout request through a logout page.
Page 455
The communication protocol between the device and the Portal server is private.
Ruijie Built-in Portal Web Authentication
HTTP Interception
The same as the HTTP interception technology of Ruijie first generation Web authentication.
HTTP Redirection
The same as the HTTP redirection technology of Ruijie first generation Web authentication....
Page 456
The authentication module accepts the user's authentication request, indirectly initiates an authentication request to the Radius Server and forwards the authentication result to the Portal Server. The built-in portal module responds to the user with a Web page indicating the authentication result (login page, or success or failure information).
Figure 5 Ruijie Built-in Portal Web Authentication Procedures...
Page 457
User logout procedures: The access device detects the user's logout through the logout page of the built-in Portal Server, or because the link is lost or no online time or traffic quota remains. The access device sends a stop-accounting request to the Radius Server and logs out the user.
Page 458
Portal Server about whether the user can access the network. The Ruijie built-in portal authentication mechanism simplifies the role played by the portal server in the first and second generation authentication mechanisms; this role is now taken by the access device.
Page 459
Function   Default Settings
IP address and URL of WLAN-based Portal Server   By default, all WLANs use the globally configured Portal Server (only required for the second generation Web authentication).
Enabling Web authentication on WLAN   By default, Web authentication is not enabled on WLAN.
Configuring the IP address of the server to be redirected to for Web authentication   By default, the IP address of the server is not configured on the...
Page 460
Configure the information required for Web authentication, such as the IP address and URL of the Portal Server. If you are using the Ruijie second generation or built-in Web authentication mechanism, the corresponding AAA method list and RADIUS server must also be configured.
Page 461
Please refer to the following sections for detailed configurations:
Configuring Relevant Parameters of Ruijie First Generation Web Authentication
Configuring Relevant Parameters of Ruijie Second Generation Web Authentication
Configuring Relevant Parameters of Ruijie Built-in Portal Web Authentication...
Page 462
Configuring Modes of Web Authentication You can configure the modes of Web authentication. Ruijie devices support three modes of Web authentication: IPv4 authentication, IPv6 authentication and IPv4/IPv6 authentication. If IPv4 authentication mode is configured, users can perform Web authentication only by using IPv4 addresses while their IPv6 packets are discarded by default.
Page 463
However, when IPv6-compatible mode is enabled, the device will deliver the user's IPv6 packets. For details about IPv6-compatible mode, see the MAC-SCG. The configuration of Web authentication mode is supported in Ruijie second generation Web authentication and built-in Portal authentication only.
Configuring the IP Address of Portal Server
To successfully deploy Ruijie first generation Web authentication, the IP address of the Portal Server must be configured. By default, the IP address of the Portal Server is not configured on the device. The configuration steps are shown below:...
Command                                        Function
Ruijie# configure terminal                     Enter the global configuration mode.
Ruijie(config)# http redirect ip-address       Configure the IP address for HTTP redirection, namely the IP address of the Portal Server.
Ruijie(config)# show http redirect             View the configuration of HTTP redirection.
According to the procedure of the first generation Web authentication, the SNMP protocol is used between the Portal Server and the access device to control user login and logout. Therefore, to successfully apply Ruijie first generation Web authentication, you have to configure the SNMP parameters used between the device and the Portal Server.
Ruijie(config)# snmp-server community web-auth rw
Ruijie(config)# snmp-server enable traps web-auth
Ruijie(config)# snmp-server host 176.10.0.1 informs version 2c web-auth web-auth
The SNMP communication parameters listed here are based on SNMPv2c. If higher security is required for the SNMP communication between the device and the Portal Server, SNMPv3 is recommended: the SNMP community is then replaced by an SNMP user, and the SNMP inform version is changed to SNMPv3.
Command                                        Function
show http redirect                             Display the configuration of the Portal Server.
Configuring Relevant Parameters of Ruijie Second Generation Web Authentication
By default, the second generation Web authentication is disabled. Likewise, to use the second generation Web authentication, you have to configure the relevant parameters. The following sections describe how to configure these parameters...
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# portal-server edu-server ip 172.20.1.10 url http://172.20.1.10:7080/index.php
Ruijie(config)# show web-auth portal v2 by-name edu-server
Configuring AAA Web Authentication Method List
In the second generation Web authentication, the device initiates RADIUS authentication. Therefore, to deploy the second generation Web authentication, you need to configure an AAA authentication method list on the device.
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# aaa new-model
Ruijie(config)# aaa accounting network default start-stop group radius
Ruijie(config)# show aaa method-list
The device uses a RADIUS server group to perform user accounting, and you need to configure the accounting RADIUS server for the specific RADIUS group.
Web authentication:
Command                                                              Function
Ruijie# configure terminal                                           Enter the global configuration mode.
Ruijie(config)# web-auth authentication v2 { default | list-name }   Configure the global authentication method list for the second generation Web authentication.
Ruijie(config)# show web-auth portal v2 aaa                          View the configuration of the AAA authentication method list.
Web authentication:
Command                                                              Function
Ruijie# configure terminal                                           Enter the global configuration mode.
Ruijie(config)# web-auth accounting v2 { default | list-name }       Configure the global accounting method list for Web authentication.
Ruijie(config)# show web-auth portal v2 aaa                          View the configuration of the AAA accounting method list.
Ruijie(config)# wlansec 100
Ruijie(wlansec)# web-auth authentication v2 web-100
Ruijie(wlansec)# exit
Ruijie(config)# show running-config
Configuring WLAN-Based Accounting Method List
By default, the global accounting method list is used for WLAN-based Web authentication. You can also configure a different accounting method list for the WLAN according to your actual deployment needs.
Command                                                                      Function
Creating a Portal Server
Ruijie(config)# portal-server [ eportalv2 | portal-name ] ip { ip-address | ipv6-address } [ port port-num ] [ url url-string ]
Ruijie(config)# web-auth portal { eportalv2 v2 | ...                         Specify the global Portal Server.
Ruijie(config)# web-auth portal acct-update-interval minutes                 Configure the accounting update interval for Web authentication.
Ruijie(config)# show web-auth portal v2 parameters                           View the parameters of Web authentication.
To restore the default accounting update interval, use the no web-auth portal acct-update-interval command in the global configuration mode.
The built-in portal Web authentication depends heavily on device performance. If there are a large number of users, it is recommended to use the Ruijie first generation or second generation Web authentication mechanism instead.
Configuring AAA Authentication Method List for Built-in Web Authentication
To successfully deploy the built-in portal Web authentication, you need to configure the AAA authentication method list for it.
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# aaa new-model
Ruijie(config)# aaa accounting network default start-stop group radius
Ruijie(config)# show aaa method-list
The device uses a RADIUS server group to perform user accounting, and you need to configure the accounting RADIUS server for that RADIUS group.
Command                                                                                                      Function
Ruijie# configure terminal                                                                                   Enter the global configuration mode.
Ruijie(config)# portal-server { iportal | portal-name } type intra authentication { list-name } accounting { list-name }   Configure the portal type as built-in (the default type is the second generation portal), and configure the authentication method list and accounting method list for the portal (the default is the default list).
By default, the first generation portal server is used globally. The configuration steps are shown below:
Command                                                Function
Ruijie# configure terminal                             Enter the global configuration mode.
Ruijie(config)# web-auth portal { portal-name }        Configure the global portal server.
Ruijie(config)# show running-config                    View the current configuration of the device.
Configuration example:
# Configure the global portal server as my-portal.
Webpages for PCs and mobile terminals separately. The Webpages that can be customized include the login page, the online page and the offline page. The built-in Portal Server of a Ruijie device pushes the appropriate page to the user according to the type of terminal. For example, if a user uses a mobile phone for authentication, the Portal Server pushes the Webpage designed for mobile terminals;...
Login Page
According to the page naming conventions, the name of the login page for PCs is login.htm and the name of the login page for mobile terminals is login_mobile.htm. Content specifications of the login page are described as follows:
Form elements: Each login page must contain a form, which is submitted by means of POST.
[AAAA]: the username entered by the user in the username textbox (required);
[BBBB]: the password entered by the user in the password textbox (required);
[CCCC]: the current language used by the user; 1 indicates Simplified Chinese, 2 indicates English; other values are undefined and default to Simplified Chinese (optional).
<input type="text" name="username" accesskey="u" size="25" value="" id="username">
<br>
password:<br>
<input type="password" name="password" accesskey="p" size="25" value="" id="password">
<br>
<input type="button" onclick="login()" value="login" id="loginButton">
<input type="hidden" name="lang" value="" id="lan">
<p name="errormsg" id="errormsg"></p>
</form>
</body>
</html>
According to the preceding customization, the login page is pushed by the built-in Portal Server to users. The login page has all required elements after the preceding customization, but such a page does not look good.
<script language="javascript">
// Obtain information about online users, including username, IP address, MAC address, associated SSID, and available time.
function requestOnlineInfo() {
    var _availTime=document.getElementById("availtime");
    var script=document.createElement("script");
    script.src="getonlineinfo"+location.search;
    _availTime.appendChild(script);
}
function init() {
    requestOnlineInfo();
}
</script>
<body onload="init()">
……
</body>...
</script>
<body onload="init()">
<form method="post" action="/portal/offline.htm" id="logoutform">
<input type="button" onclick="logout()" value="logout" id="logoutButton">
</form>
<table>
<tr><td>username:</td><td id="username"></td></tr>
<tr><td>user IP address:</td><td id="userip"></td></tr>
<tr><td>user MAC address:</td><td id="usermac"></td></tr>
<tr><td>associated SSID:</td><td id="ssid"></td></tr>
<tr><td>available time:</td><td id="availtime"></td></tr>
</table>
</body>
</html>
According to the preceding customization, the online page is pushed by the built-in Portal Server to users. The preceding online page has all required elements.
    _timeused.appendChild(script);
}
function init() {
    requestUserInfo();
}
</script>
<body onload="init()">
……
</body>
The basic HTML source code of the offline page is shown below:
<html>
<head>
<title>offline page of web authentication</title>
</head>
<script language="javascript">
// Obtain information about the time used
function requestOfflineInfo() {
    var _timeused=document.getElementById("timeused");...
The third-party Webpage can adopt the GB2312 or UTF-8 character set. Make sure the same character set is adopted for all pages. Since Ruijie's authentication servers use the GB2312 character set to encode the messages returned about users' authentication failures, the built-in Portal authentication server must also use GB2312 to encode the Webpage in order to match Ruijie authentication servers.
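As an added example (not Ruijie code), the following Python checks the two requirements just stated: that every customized page declares the same character set, and that a GB2312-encoded failure message returned by the authentication server can be rendered inside a page with that page's declared charset. The sample pages, the failure text and the function names are constructed for the demonstration.

```python
"""Character-set consistency check for customized portal pages.

Added example, not Ruijie code. The guide requires all customized pages to use
one character set (GB2312 or UTF-8) and, because the authentication server
returns failure messages encoded in GB2312, the built-in portal pages to use
GB2312 so that the returned message renders correctly. The sample pages and
the failure message below are constructed for the demo.
"""


def declared_charset(page_bytes):
    """Read charset=... from an ASCII-compatible <meta> tag, or None if absent."""
    head = page_bytes[:2048].lower()
    i = head.find(b"charset=")
    if i < 0:
        return None
    rest = head[i + len(b"charset="):].lstrip(b"\"' ")
    for sep in (b'"', b"'", b";", b">", b" "):
        rest = rest.split(sep)[0]
    return rest.decode("ascii") or None


def message_renders(page_bytes, server_message_bytes):
    """True if the server's message bytes decode under the page's declared
    charset, i.e. the message can be shown inside this page without mojibake."""
    charset = declared_charset(page_bytes)
    if charset is None:
        return False
    try:
        server_message_bytes.decode(charset)
    except (UnicodeDecodeError, LookupError):
        return False
    return True


def check_pages(pages, server_message_bytes):
    """pages: name -> page bytes.
    Returns (all pages declare the same charset?, {name: message renders?})."""
    charsets = {name: declared_charset(b) for name, b in pages.items()}
    consistent = len(set(charsets.values())) == 1
    return consistent, {n: message_renders(b, server_message_bytes) for n, b in pages.items()}


def demo():
    # Constructed failure text, encoded the way the guide says the server sends it.
    msg = "用户名或密码错误".encode("gb2312")
    gb_page = '<html><head><meta charset="gb2312"></head></html>'.encode("gb2312")
    utf_page = '<html><head><meta charset="utf-8"></head></html>'.encode("utf-8")
    # The mobile page was (wrongly) saved as UTF-8: the set is inconsistent and
    # the GB2312 message cannot be decoded there.
    return check_pages({"login.htm": gb_page, "login_mobile.htm": utf_page}, msg)
```

Running `demo()` reports that the two pages disagree on charset and that only the GB2312 page can display the server's message; the UTF-8 page fails because the first GB2312 byte pair is not a valid UTF-8 sequence.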
Command                                              Function
Ruijie# configure terminal                           Enter the global configuration mode.
Ruijie(config)# http redirect port port-num          Intercept HTTP requests with the specified TCP port number. A maximum of 10 interception ports can be configured.
Ruijie(config)# show http redirect                   View the configuration of HTTP redirection.
Example:
# Set the maximum number of HTTP sessions of an unauthenticated user to 10.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect session-limit 4
Ruijie(config)# show http redirect...
Command                                              Function
Ruijie# configure terminal                           Enter the global configuration mode.
Ruijie(config)# http redirect timeout seconds        Set the timeout (in seconds) for maintaining a redirection connection.
Ruijie(config)# show http redirect                   View the configuration of HTTP redirection.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect direct-site 172.16.0.0 255.255.0.0
Ruijie(config)# show http redirect
In a wireless environment with AP local forwarding, the IP address of the AC cannot be configured as a network resource that requires no authentication.
ARP resource.
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect direct-arp 172.16.0.0 255.255.0.0
Ruijie(config)# show http redirect
Configuring Information Updating Interval of Authenticated Users
The access device keeps information about authenticated users and periodically updates it (for example, the time spent online) in order to monitor the traffic and online hours of the users.
Command                                                                                   Function
Ruijie# configure terminal                                                                Enter the global configuration mode.
Ruijie(config)# web-auth direct-host { ipv6-address | ip-address [ ip-mask ] [ arp ] }   Configure an authentication-free IP address; a maximum of 100 such addresses can be configured. Use the ip-mask parameter to configure an IP address segment as authentication-free.
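As an added example (not Ruijie code), the following Python models the authentication-free destination rule described in this and the preceding direct-site section: before Web authentication a client may reach only the Portal Server and the hosts or segments configured as authentication-free, with the 100-entry limit stated above. The portal address and the 172.16.0.0/255.255.0.0 segment come from this page's examples; the DNS host entry, the class and the function names are assumptions.

```python
"""Authentication-free (direct-site / direct-host) destination check.

Added example, not Ruijie code. It mirrors the guide's rule that an
unauthenticated user may only reach the Portal Server and the explicitly
configured authentication-free addresses or segments (at most 100 entries).
The entry limit is from the guide; the sample DNS host entry is constructed.
"""
import ipaddress

MAX_DIRECT_ENTRIES = 100   # limit stated in the guide for web-auth direct-host


class DirectHostTable:
    """Table of destinations an unauthenticated client may reach without Web auth."""

    def __init__(self, portal_server):
        self._entries = []
        self.portal_server = ipaddress.ip_address(portal_server)

    def add(self, address, mask=None):
        """Add a host or, with ip-mask, a whole segment (e.g. 172.16.0.0 255.255.0.0)."""
        if len(self._entries) >= MAX_DIRECT_ENTRIES:
            raise ValueError("authentication-free table is full (100 entries)")
        if mask is None:
            net = ipaddress.ip_network(address)              # single host: /32 or /128
        else:
            net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        self._entries.append(net)
        return net

    def permits(self, dst):
        """True if an unauthenticated client may send to dst without Web authentication."""
        dst = ipaddress.ip_address(dst)
        if dst == self.portal_server:
            return True
        return any(dst in net for net in self._entries)


def demo():
    table = DirectHostTable("172.20.1.100")        # portal server from the guide's example
    table.add("172.16.0.0", "255.255.0.0")         # the direct-site segment shown on the page
    table.add("10.0.0.53")                         # constructed: a DNS server host entry
    # Segment member, portal itself, DNS host, arbitrary Internet host
    return [table.permits(ip) for ip in ("172.16.5.9", "172.20.1.100", "10.0.0.53", "8.8.8.8")]
```

The last probe is denied: anything not in the table is redirected to the portal, which is the property a reviewer should verify after adding direct-site entries, since an overly broad mask silently exempts a whole network from authentication.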
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# web-auth offline-detect flow idle-timeout 3 threshold 1024
Ruijie(config)# show running-config
Web authentication supports the following three methods of logout detection:
Link-based detection: the user is assumed to have logged out when the user's physical signal is disconnected.
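As an added example (not Ruijie code), the following Python models two of the logout-detection methods above: link-based detection and flow-based detection with the parameters of the web-auth offline-detect flow idle-timeout 3 threshold 1024 command shown. The guide does not state the units or the exact semantics of the parameters, so the example assumes idle-timeout is in minutes, threshold is in bytes, and a user is offline when the traffic seen in the last idle-timeout minutes stays below the threshold; the usernames and traffic samples are constructed.

```python
"""Logout (offline) detection for web-authenticated users.

Added example, not Ruijie code. Models link-based detection and flow-based
detection for 'web-auth offline-detect flow idle-timeout 3 threshold 1024'.
Assumptions (not stated on the page): idle-timeout in minutes, threshold in
bytes, offline when bytes in the last idle-timeout window are below threshold.
"""
from dataclasses import dataclass, field


@dataclass
class FlowPolicy:
    idle_timeout_min: int = 3        # from the guide's command
    threshold_bytes: int = 1024      # from the guide's command (unit assumed)


@dataclass
class UserSession:
    username: str
    link_up: bool = True
    # (minute, bytes) traffic samples, one per minute; constructed for the demo
    samples: list = field(default_factory=list)


def bytes_in_window(session, now_min, policy):
    """Traffic seen in the last idle-timeout minutes (window is (now-idle, now])."""
    start = now_min - policy.idle_timeout_min
    return sum(b for t, b in session.samples if start < t <= now_min)


def offline_reason(session, now_min, policy):
    """Return why the user should be logged out, or None to keep the session."""
    if not session.link_up:
        return "link-down"                       # link-based detection
    if bytes_in_window(session, now_min, policy) < policy.threshold_bytes:
        return "flow-idle"                       # flow-based detection
    return None


def sweep(sessions, now_min, policy):
    """Emulate the periodic check: {username: reason} for users to log out,
    i.e. those for which the device would send a stop-accounting request."""
    out = {}
    for s in sessions:
        reason = offline_reason(s, now_min, policy)
        if reason:
            out[s.username] = reason
    return out


def demo():
    policy = FlowPolicy()
    active = UserSession("alice", samples=[(8, 900), (9, 700), (10, 500)])      # 2100 B in window
    idle = UserSession("bob", samples=[(5, 5000), (9, 200), (10, 300)])         # old burst ignored
    dropped = UserSession("carol", link_up=False, samples=[(10, 99999)])        # traffic irrelevant
    return sweep([active, idle, dropped], now_min=10, policy=policy)
```

Note that bob's large sample at minute 5 falls outside the 3-minute window and does not keep him online, while carol is logged out regardless of traffic because the link itself is gone; a threshold that is too low lets a client keep a session alive with trickle traffic, which is the accounting-evasion case the threshold parameter exists to address.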
Perform the following steps:
Command                                              Function
Ruijie# configure terminal                           Enter the global configuration mode.
Ruijie(config)# web-auth accounting jitter-off       Include the jitter detection interval in the online hours used for accounting.
Ruijie(config)# show running-config                  View the current configuration of the device.
By default, the detection interval is not included in the online hours used for accounting, and keeping this default configuration is recommended. The jitter-prevention accounting functionality supports only the Ruijie second generation Portal Server and the built-in Portal Server.
Only portal detection of a Ruijie second generation Portal Server configured with the portal-server command is supported. During a hot standby switchover, the portal server may not respond to the portal detection packet sent by the device, since the device uses the portal server to detect the IP addresses of packets.
This function is disabled by default. To enable it, perform the following steps:
Command                                              Function
Ruijie# configure terminal                           Enter the global configuration mode.
Ruijie(config)# ip dhcp snooping                     Enable the DHCP Snooping function.
Ruijie(config)# web-auth dhcp-check                  Enable the DHCP resource check function.
Display the device configuration.
WLAN 100 (SSID: ruijie) adopts Open Authentication for wireless encryption and enables Web authentication using the default global Portal Server. The user host (Station) connects to the wireless network with the SSID "ruijie" and submits to authentication with a manually configured or DHCP-assigned IP address. Before passing Web authentication, it can only access the Portal Server.
Community as web-auth and configure the parameters used for sending SNMP-Inform messages.
Ruijie(config)# snmp-server community web-auth rw
Ruijie(config)# snmp-server enable traps web-auth
Ruijie(config)# snmp-server host 172.20.1.100 informs version 2c web-auth web-auth
Apply Web authentication on WLAN
# Enable Web authentication on WLAN 100...
Portal Server and the default authentication and accounting methods. The user's host (Station) connects to the wireless network with the SSID "ruijie" and submits to authentication with a manually configured or DHCP-assigned IP address. Before passing Web authentication, it can only access the Portal Server.
Ruijie(config)# aaa authentication web-auth default group radius
# Configure the AAA accounting method list and use the default RADIUS group
Ruijie(config)# aaa accounting network default start-stop group radius
Apply Web authentication on WLAN
# Enable Web authentication on WLAN 100 (use the default authentication method and accounting...
The Ruijie SAM server serves as the authentication/accounting server for the built-in portal Web authentication. WLAN 100 (SSID: ruijie) adopts Open Authentication for wireless encryption and enables Web authentication using the default global Portal Server and the default authentication and accounting methods.
The user host (Station) connects to the wireless network with the SSID "ruijie" and submits to authentication with a manually configured or DHCP-assigned IP address. Before passing the built-in portal Web authentication, it can only access the built-in Portal Server.
Networking Requirements
The AP is connected to the AC through layer-2 and layer-3 devices. A Ruijie first generation portal server and a second generation portal server are used at the same time, and the first generation portal server serves as the global Portal Server.
Configure relevant parameters of the first generation Web authentication
# Configure these parameters of the first generation Portal Server: IP address 172.20.1.100, authentication homepage http://172.20.1.100:8888/eportal/index.jsp, and the communication key used between the device and the first generation Portal Server set to ruijie.
Ruijie# configure terminal
Ruijie(config)# http redirect 172.20.1.100
Ruijie(config)# http redirect homepage http://172.20.1.100:8888/eportal/index.jsp...
Ruijie second generation portal Web authentication
Ruijie(config)# radius-server host 172.20.1.11 auth-port 3645 acct-port 3646 key 88----89
# Configure an AAA RADIUS server group named "edu" and specify the Ruijie second generation Portal Server (172.20.1.11).
Ruijie(config)# aaa group server radius edu
Ruijie(config-gs-radius)# server 172.20.1.11 auth-port 3645 acct-port 3646...
Accounting method-list
aaa accounting network edu_acct start-stop group edu
Authorization method-list
Display the global authentication and accounting method lists for Ruijie second generation Web authentication
Ruijie# show web-auth portal v2 aaa
V2 Portal Global AAA Config
Authentication: edu_authen...
The user host (Station) connects to the wireless network with the SSID ruijie and submits to authentication with a manually configured or DHCP-assigned IP address. Before passing Web authentication, it can only access the portal server.
Configuration Tips
The corresponding device information for the AC must be configured in the Ruijie second generation portal server and the SAM server. The Web authentication method on the AC must be the second generation Web authentication.
Ruijie(config)# aaa authentication web-auth default group radius
# Configure the AAA accounting method list, and use the default RADIUS group
Ruijie(config)# aaa accounting network default start-stop group radius
Apply Web authentication on WLAN
# On WLAN 100, enter the WLAN security (wlansec) mode...
Accounting method-list
aaa accounting network default start-stop group radius
Authorization method-list
View the configuration of the default portal server of Ruijie second generation Web authentication
Ruijie# show web-auth portal v2 by-name edu1
Portal Server:
IPv4 Address: 172.20.1.10
Redirect-URL: http://172.20.1.10:7080/index.php...
Some products only provide the authentication function. For all questions about product specifications, contact the marketing or technical support personnel. Although AAA is the primary access control method and offers the strongest security protection, Ruijie products also provide simpler access control methods, such as local username authentication and line password authentication.
The method list can define one or more security protocols for authentication, so that a backup method takes effect when the first one fails. In Ruijie products, the next method is selected only if no response is received from the previous method; this continues until there is successful communication with a method or all methods in the list have been attempted.
To disable AAA, use the following command in global configuration mode:
Command                                              Function
Ruijie(config)# no aaa new-model                     Disables AAA.
Follow-up Configuration
The following table lists the possible configuration tasks that need to be completed after AAA is enabled and the chapters in which they are described.
Ruijie products use the first method listed to authorize users for specific network services; if that method fails to respond, Ruijie products select the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or all methods defined are exhausted.
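As an added example (not Ruijie code), the following Python models the method-list rule stated in the two passages above for authentication and authorization: methods are tried in configured order, and the NAS moves to the next one only when the current method does not respond; an explicit accept or reject from a method that did respond ends the evaluation. The method names follow the aaa authentication login test group radius local example elsewhere on this page; the stand-in RADIUS group, the local user table and the deny-when-everything-is-silent choice are assumptions.

```python
"""AAA method-list evaluation: fall through only on 'no response'.

Added example, not Ruijie code. It models the rule in the guide that the
next method in a list is tried only when the previous one did not respond,
until a method responds or the list is exhausted. Stub server behaviours,
the local user table and the 'all silent -> reject' choice are assumptions.
"""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"     # server unreachable or timed out


def evaluate(method_list, methods, username, password):
    """Return (final_result, name_of_method_that_decided).

    method_list: names in configured order, e.g. ["group radius", "local"]
    methods: name -> callable(username, password) -> Result
    """
    for name in method_list:
        outcome = methods[name](username, password)
        if outcome is Result.NO_RESPONSE:
            continue                          # try the next listed method
        return outcome, name                  # a real answer ends the evaluation
    return Result.REJECT, None                # every method silent: deny, never fail open


# --- constructed stand-ins for a RADIUS server group and the local database ---
LOCAL_USERS = {"Ruijie": "starnet"}   # matches the 'username Ruijie password starnet' example


def local_db(username, password):
    return Result.ACCEPT if LOCAL_USERS.get(username) == password else Result.REJECT


def radius_group(reachable, known_users):
    """Build a stub 'group radius' method with a fixed reachability state."""
    def method(username, password):
        if not reachable:
            return Result.NO_RESPONSE
        return Result.ACCEPT if known_users.get(username) == password else Result.REJECT
    return method


def demo():
    method_list = ["group radius", "local"]   # 'aaa authentication login test group radius local'
    radius_users = {"alice": "pw1"}           # the RADIUS server does not know 'Ruijie'
    up = {"group radius": radius_group(True, radius_users), "local": local_db}
    down = {"group radius": radius_group(False, radius_users), "local": local_db}
    return {
        # RADIUS answered REJECT, so the local database is never consulted
        "radius_up_reject": evaluate(method_list, up, "Ruijie", "starnet"),
        # RADIUS silent, so the local database decides
        "radius_down_local": evaluate(method_list, down, "Ruijie", "starnet"),
        # only method is silent: rejected, with no method having decided
        "all_silent": evaluate(["group radius"], down, "alice", "pw1"),
    }
```

The first case is the one administrators most often misread: a local account listed after group radius is a fallback for an unreachable server, not a second chance after the server has said no.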
TACACS+ is not supported by the DOT1X authentication on Ruijie products.
Configuring the AAA Login Authentication
This section describes how to configure the AAA Login authentication methods supported by Ruijie products: AAA security features can be made available only after AAA is enabled by using the aaa new-model...
The preceding table lists the AAA login authentication methods supported by Ruijie products.
Using the Local Database for Login Authentication
To use the local database for Login authentication, configure the local database first. Ruijie products support authentication based on the local database. To enable the username authentication, use the following commands in...
Using Radius for Login Authentication
To use RADIUS for Login authentication, configure the RADIUS server first. Ruijie products support authentication based on the RADIUS server. To configure the RADIUS server, use the following commands in global configuration mode:...
Configuration Guide Configuring AAA
Command                                              Function
configure terminal                                   Enters global configuration mode.
line vty line-num                                    Enters line configuration mode.
login authentication { default | list-name }         Applies the method list.
                                                     Returns to privileged mode.
show running-config                                  Verifies the configuration.
Configuring the AAA Enable Authentication
This section describes how to configure the AAA Enable authentication methods supported by our product: In many cases, the user needs to Telnet to the NAS.
protocol can bind the security level, the level is verified during authentication. If the bound level is greater than or equal to the level to be configured, the Enable authentication and level switchover succeed. If the bound level is less than the level to be configured, the Enable authentication fails, an error message is displayed, and the current level is kept.
LAN device. This section describes how to configure the 802.1x authentication methods supported by Ruijie products. To configure the AAA Enable authentication, use the following command in global configuration mode:...
Ruijie(config)# username Ruijie password starnet
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# aaa authentication login test group radius local
Ruijie(config)# line vty 0
Ruijie(config-line)# login authentication test
Ruijie(config-line)# end
Ruijie# show running-config
aaa new-model
aaa authentication login test group radius local
username Ruijie password 0 starnet
radius-server host 192.168.217.64...
After the authorization is completed, the user can only use the services allowed in the profile or has the assigned rights.
Authorization Types
Ruijie products support the following AAA authorization methods:...
Exec authorization: The user terminal logs in to the CLI of the NAS and is granted a privilege level (0-15).
Command authorization: After a user logs in to the CLI of the NAS, specific commands are authorized for the user.
Network authorization: Grants the available services to the user session in the network.
Command                                              Function
group tacacs+                                        Uses TACACS+ for Exec authorization.
The preceding table lists the AAA Exec authorization methods supported by Ruijie products. Exec authorization is always used together with login authentication, and they can be applied to the same line at the same time. Note that the authentication and the authorization of the same user may produce different results, because they can use different methods and servers.
"Radius+local" Exec authorization is used when the user logs in through VTY lines 0-4. The NAS uses the RADIUS server with IP address 192.168.217.64 and shared key test. The local username and password are both Ruijie, and the privilege level is 6.
Configuring AAA Network Authorization
Ruijie products support PPP and SLIP network authorization. Network authorization makes service configuration regarding traffic, bandwidth and timeout available on the network connection. Network authorization supports only RADIUS and TACACS+. The authorization information assigned by the server is encapsulated in RADIUS attributes or TACACS+ attributes.
Network authorization.
Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# radius-server key test
Ruijie(config)# aaa authorization network test group radius local
Ruijie(config-line)# end
Ruijie(config)# show running-config
aaa new-model
aaa authorization network test group radius none
radius-server host 192.168.217.64...
Accounting Types
Ruijie products currently support the following accounting types:
Exec accounting: records the accounting information when users access or exit the CLI of the NAS.
Command accounting: records the specific commands used after the user logs in to the CLI of the NAS.
Exec accounting. Local login authentication and RADIUS Exec authorization are used when the user logs in through VTY lines 0-4. The IP address and shared key of the RADIUS server are 192.168.217.64 and test respectively. The local username and password are both Ruijie.
Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.217.64...
IP address and username. Network accounting currently supports only RADIUS. The format of RADIUS accounting information varies with the RADIUS security server. The contents of the accounting records may also vary with Ruijie product versions. To configure AAA network accounting, use the following commands in global configuration mode:...
RADIUS.
Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# radius-server key test
Ruijie(config)# aaa accounting network acct start-stop group radius
Ruijie(config-line)# end
Ruijie(config)# show running-config
aaa new-model
aaa accounting network acct start-stop group radius
radius-server host 192.168.217.64...
Returns to privileged mode.
VRF must be supported by Ruijie products.
Configuring Login Lockout for Failed Authentication
To prevent users from cracking passwords by repeated attempts, use a command to specify the maximum number of login attempts. If the number of failed login attempts exceeds the limit, the user is locked and cannot log in again for a period.
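As an added example (not Ruijie code), the following Python models the lockout behaviour described above: failed login attempts are counted per user, and once the limit is reached the user is locked for a period, during which even a correct password is not accepted. The guide names neither the command nor its defaults here, so the attempt limit, the lockout period, the injectable clock and the class name are all assumptions for the demonstration.

```python
"""Login lockout after repeated authentication failures.

Added example, not Ruijie code. Models the guide's description: a configurable
number of failed attempts, after which the user is locked for a period.
Attempt limit, lock period and the clock are assumptions for the demo.
"""
import time
from collections import defaultdict


class LoginLockout:
    def __init__(self, max_attempts=5, lock_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lock_seconds = lock_seconds
        self.clock = clock                     # injectable so the demo can advance time
        self._failures = defaultdict(int)      # user -> consecutive failures
        self._locked_until = {}                # user -> clock value when the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:              # lock expired: clear the state
            del self._locked_until[user]
            self._failures[user] = 0
            return False
        return True

    def attempt(self, user, credential_ok):
        """Record one login attempt; returns 'locked', 'success' or 'failed'."""
        if self.is_locked(user):
            return "locked"                    # the credential is not evaluated at all
        if credential_ok:
            self._failures[user] = 0
            return "success"
        self._failures[user] += 1
        if self._failures[user] >= self.max_attempts:
            self._locked_until[user] = self.clock() + self.lock_seconds
        return "failed"


def demo():
    now = [0.0]                                # constructed clock, seconds
    limiter = LoginLockout(max_attempts=3, lock_seconds=60, clock=lambda: now[0])
    log = [limiter.attempt("admin", False) for _ in range(3)]   # three wrong passwords
    log.append(limiter.attempt("admin", True))  # right password, but now locked
    now[0] = 61.0                              # lock period has passed
    log.append(limiter.attempt("admin", True))  # accepted again
    return log
```

Two design points a defender should note: the locked state is checked before the credential is evaluated, so a locked account gives no signal about password correctness; and because lockout is per username, an attacker can lock out a legitimate user by deliberately failing, which is why the period should be short and the events logged rather than the limit set very low.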
(such as the username, password, service type, privilege, etc.) in each domain, users need to be distinguished by setting domains, and each domain is configured with a unique attribute set including the AAA service method list (RADIUS, for example). Ruijie products support the following username formats:
1. userid@domain-name
2. domain-name\userid
3.
Domain name-based AAA Service Configuration Tasks
The system supports up to 32 domains.
Enabling AAA
Command                                              Function
configure terminal                                   Enters global configuration mode.
aaa new-model                                        Enables AAA.
For detailed command descriptions, see the "Enabling AAA" section.
Defining the AAA Service Method List
Command                                              Function...
Creating a Domain
Follow these rules when searching for a domain by username: A single character such as ".", "\" or "@" is used to separate the username from the domain name. The single "@" character is followed by the domain-name string. With multiple "@" characters in the username, use the character string following the last "@"...
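As an added example (not Ruijie code), the following Python applies the username-format rules from the two passages above: userid@domain-name with the domain taken after the last "@", and domain-name\userid with the domain before the backslash, plus the effect of username-format without-domain on the name sent to the server. The third username format is cut off in the guide and the "." separator rule is not detailed, so neither is modelled; the domain table, the sample usernames and the behaviour when no domain is present (no domain selected) are assumptions.

```python
"""Username parsing for domain name-based AAA.

Added example, not Ruijie code. Applies the rules quoted in the guide:
'@' separates userid@domain-name (with several '@', the domain is the string
after the last one) and '\\' separates domain-name\\userid. The cut-off third
format and the '.' rule are not modelled. Domain table and the 'no domain ->
None' behaviour are assumptions for the demo.
"""


def split_domain(username):
    """Return (userid, domain) per the '@' / '\\' rules; domain is None if absent."""
    if "@" in username:
        userid, _, domain = username.rpartition("@")    # last '@' wins
        return userid, domain
    if "\\" in username:
        domain, _, userid = username.partition("\\")    # domain-name\userid
        return userid, domain
    return username, None


def name_sent_to_server(username, without_domain):
    """Apply 'username-format without-domain' (strip) or with-domain (keep)
    before the NAS forwards the name to the RADIUS server."""
    userid, domain = split_domain(username)
    return userid if without_domain or domain is None else username


def select_domain(username, domains):
    """Pick the configured domain entry (e.g. ruijie.com) for a login, None if unknown."""
    _, domain = split_domain(username)
    return domains.get(domain)


def demo():
    # Constructed domain table mirroring the 'aaa domain' configuration on this page.
    domains = {
        "ruijie.com": {"authentication dot1x": "renzheng", "username-format": "without-domain"},
        "domain.com": {"authentication dot1x": "default", "username-format": "without-domain"},
    }
    samples = ["PC1@ruijie.com", "a1@x@domain.com", "ruijie.com\\PC2", "plainuser"]
    return [(split_domain(s), select_domain(s, domains) is not None) for s in samples]
```

The second sample shows why the "last @" rule matters for access control: a user who can embed "@" in the userid part cannot steer the login into a different domain's method list, because only the final component selects the domain.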
Command                                              Function
username carries the domain name information when the NAS interacts with the server.
Use this command to set the maximum number of users supported in the domain:
Command                                              Function
access-limit num                                     In domain configuration mode, sets the upper limit of users allowed in the domain.
The following is an example of configuring the domain name-based AAA service:
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.197.154
Ruijie(config)# radius-server key test
Ruijie(config)# aaa authentication dot1x default group radius
Ruijie(config)# aaa domain domain.com
Ruijie(config-aaa-domain)# authentication dot1x default
Ruijie(config-aaa-domain)# username-format without-domain
After the configuration, with the user a1 existing on the RADIUS server, use the 802.1x client to log in to the server for authentication by...
Define the ID authentication, authorization and accounting types by creating the method lists, and apply the method lists to the specified service or interface. For details, see the "Configuration Steps" section.
Configuration Steps
Enable AAA:
! Enable the AAA function on the device
Ruijie#configure terminal
Ruijie(config)#aaa new-model...
Ruijie(config)#service password-encryption
! Configure the local user database (configure the username and the password, and set the user privilege level).
Ruijie(config)#username bank privilege 10 password yinhang
Ruijie(config)#username super privilege 15 password star
Ruijie(config)#username normal privilege 2 password normal
Ruijie(config)#username test privilege 1 password test
! Configure the local enable password for the local Enable authentication.
Ruijie(config)# aaa authentication login hello group radius local
Ruijie(config)# line vty 0 15
Ruijie(config-line)# login authentication hello
To prevent a user from cracking the password by exhaustive (brute-force) guessing during Login authentication, AAA is used to limit the number of Login attempts.
! Configure the command accounting method list (TACACS+ only) and apply it to all lines.
Ruijie(config)#aaa accounting commands 2 default start-stop group tacacs+
Configuration verification
Step 1: Use the show running-config command to query the current configuration:
Ruijie(config)#show run
Building configuration...
username super password 7 093c011335
username super privilege 15
username normal password 7 09211a002a041e
username normal privilege 2
username test password 7 093b100133
service password-encryption
tacacs-server key 7 072c062b121b260b06
tacacs-server host 10.1.1.2
radius-server host 10.1.1.1
radius-server key 7 072c16261f1b22
enable secret 5 $1$2MjW$xr1t0s1Euvt76xs2
line con 0
line vty 0 4...
Network Requirements
Configure the NAS device to enable the domain name-based AAA services:
Use the 802.1x client for login authentication with the username PC1@ruijie.com, PC2@ruijie.com.cn or PC3@ruijie.net and the password.
User network management: classify the users into superusers and common users, where superusers are able to read and write while common users are able to read only.
! Configure the local Enable password for the local Enable authentication.
Ruijie(config)#enable secret w
Define the AAA service method list
! Configure dot1x authentication.
Ruijie(config)#aaa authentication dot1x renzheng group radius local
! Configure network authorization.
Ruijie(config)#aaa authorization network shouquan group radius
! Configure network accounting.
Ruijie(config)#aaa accounting network jizhang start-stop group g2
The configurations of ruijie.com.cn and ruijie.net are similar.
Configuration Verification
Step 1: Use the show running-config command to query the current configuration (take the domain name ruijie.com for example):
Ruijie#show run
Building configuration...
!
vlan 1
no service password-encryption
radius-server key ruijie
Step 2: Query the domain name-based AAA service domain information:
Ruijie#show aaa domain
=============Domain ruijie.com=============
State: Active...
Configuration Guide Configuring RADIUS
Configuring RADIUS
Overview of RADIUS
The Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that works with AAA to authenticate users who attempt to connect and to prevent unauthorized access. In the RGOS implementation, the RADIUS client runs on the router or the network access server (NAS) and sends authentication requests to the central RADIUS server.
Page 550
Command: Ruijie# configure terminal
Function: Enters global configuration mode.
Command: Ruijie(config)# radius-server host ip-address [ auth-port port ] [ acct-port port ]
Function: Configures the IP address or hostname of the remote RADIUS security server and specifies the authentication port and accounting port.
Page 551
| unformatted } attribute. The default format is unformatted.
Specifying Private RADIUS Attribute Type
This section describes how to configure private attributes of RADIUS. By default, private RADIUS attributes are classified into Ruijie attributes and extended vendor types:
Extended TYPE Function TYPE...
Page 552
Two attributes cannot be configured with the same type number. The following is an example of private attributes on network devices:
Ruijie# show radius vendor-specific
vendor-specific type-value
----- -------------------- ----------
max-down-rate
port-priority
user-ip
vlan-id
..
Ruijie# configure
Ruijie(config)# radius attribute 4 vendor-type 67
Ruijie(config)# show radius vendor-specific
vendor-specific type-value...
Page 553
..
Ruijie(config)#
Configuring RADIUS Server Reachability Detection
The device maintains the reachability state of each configured RADIUS server: reachable or unreachable. The device does not send the authentication, authorization and accounting requests of users to an unreachable RADIUS server, unless all RADIUS servers in the RADIUS server group are unreachable.
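The reachability rule just stated, as an added Python model that is not RGOS code: a request is offered only to servers currently marked reachable, a timeout marks a server unreachable and moves on to the next one, and once every server in the group is unreachable all of them become candidates again. The "Test Idle Time" value that the show radius server output later in this chapter prints (60 minutes) is used as the idle interval after which a server is probed; the probe mechanism itself is a simplified assumption, and the second server address is constructed.

```python
"""Reachability tracking for a RADIUS server group.

Added example, not RGOS code.  It implements the rule stated above: requests
go only to servers currently marked reachable, unless every server in the
group is unreachable, in which case all are tried again.  The probe based on
test idle time is a simplified model of the "Test Idle Time" shown in the
show radius server output; the second server address is constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Transport = Callable[["RadiusServer"], Optional[str]]   # reply text, or None on timeout


@dataclass
class RadiusServer:
    ip: str
    auth_port: int = 1812
    acct_port: int = 1813
    reachable: bool = True
    last_seen: float = 0.0          # time of the last reply, in seconds
    test_idle_minutes: int = 60     # "Test Idle Time: 60 Minutes" on the page


class RadiusServerGroup:
    def __init__(self, servers: List[RadiusServer]) -> None:
        self.servers = list(servers)

    def candidates(self) -> List[RadiusServer]:
        """Servers eligible for the next request, per the rule on the page."""
        reachable = [s for s in self.servers if s.reachable]
        return reachable if reachable else list(self.servers)

    def send(self, now: float, transport: Transport) -> Tuple[Optional[RadiusServer], Optional[str]]:
        """Try candidates in order; a timeout marks that server unreachable and moves on."""
        for srv in self.candidates():
            reply = transport(srv)
            if reply is None:
                srv.reachable = False
                continue
            srv.reachable = True
            srv.last_seen = now
            return srv, reply
        return None, None                  # whole group silent: the method list decides next

    def due_for_probe(self, now: float) -> List[RadiusServer]:
        """Servers idle for at least test idle time; probing them lets an
        unreachable server recover without waiting for real user traffic."""
        return [s for s in self.servers if now - s.last_seen >= s.test_idle_minutes * 60]

    def probe(self, now: float, transport: Transport) -> List[RadiusServer]:
        """Send a test request to idle servers; returns those that came back."""
        recovered = []
        for srv in self.due_for_probe(now):
            if transport(srv) is not None:
                if not srv.reachable:
                    recovered.append(srv)
                srv.reachable = True
                srv.last_seen = now
        return recovered
```

Any reply, including an Access-Reject, counts as proof of reachability; only silence marks a server down. That distinction matters operationally: a server that rejects everyone is still reachable and will keep receiving requests, so rejections show up in the AAA logs rather than in a failover.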
Page 554
The following example shows how to configure RADIUS on the network device:
Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.12.219 auth-port 1645 acct-port 1646
Ruijie(config)# radius-server key aaa...
Page 555
Ruijie(config)# aaa authentication login test group radius
Ruijie(config)# end
Ruijie# show radius server
Server IP: 192.168.12.219
Accounting Port: 1646
Authen Port: 1645
Test Username: <Not Configured>
Test Idle Time: 60 Minutes
Test Ports: Authen and Accounting...
Page 556
The following example shows how to configure RADIUS on the network device with an IPv6 server address:
Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 3000::100 auth-port 1645 acct-port 1646
Ruijie(config)# radius-server key aaa
Ruijie(config)# aaa authentication login test group radius
Ruijie(config)# end...
Page 557
line vty 0
 login authentication test
line vty 1 4...
Configuration Guide Configuring TACACS+
Configuring TACACS+
TACACS+ Overview
TACACS+ is a security protocol that extends the Terminal Access Controller Access Control System (TACACS) defined in RFC 1492. It implements AAA for multiple users in client/server mode, with the network device acting as the client that communicates with a TACACS+ server.
Page 559
TACACS+ Application
The typical application of TACACS+ is login management and control of terminal users. The TACACS+ client sends the user name and password to the TACACS+ server for authentication. After authentication and authorization, the user can log in to the network device to operate it, as shown in Figure 2:
Figure 2: Login to the Network Device to Operate
Figure 3: Interaction of the Packets in TACACS+ Login AAA:...
Page 560
The whole process of basic information interaction is divided into three parts:
70) The authentication process includes:
The user requests to log in to the network device.
After receiving the request, the TACACS+ client sends the authentication start message to the TACACS+ server.
The TACACS+ server sends an authentication reply message, requesting the user name.
Page 561
After receiving the user name, the TACACS+ client sends an authentication continue message including the user name to the TACACS+ server.
The TACACS+ server sends an authentication reply message, requesting the login password.
The TACACS+ client receives the login password.
The user enters the login password;...
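The start / reply / continue sequence listed above, played out between a NAS-side client and a server in Python. This is an added illustration, not Ruijie code and not a wire-compatible TACACS+ implementation: it uses the authentication REPLY status values from RFC 8907 but leaves out the TCP framing and the packet-body obfuscation keyed by the shared secret (the value set with tacacs-server key). The user store, the session id and the passwords are constructed for the example.

```python
"""The TACACS+ login authentication exchange as a message-level model.

Added example, not Ruijie code and not a wire-compatible implementation: it
plays out the START / REPLY / CONTINUE sequence listed above between a NAS
(client) and a server, using the authentication status values from RFC 8907.
The packet body obfuscation keyed by the shared secret (tacacs-server key)
and the TCP framing are left out; the user store is constructed inline.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Authentication REPLY status values (RFC 8907, section 5).
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS = 0x01, 0x02, 0x04, 0x05


@dataclass
class AuthenStart:
    session_id: int
    user: str = ""              # empty: let the server ask for it


@dataclass
class AuthenContinue:
    session_id: int
    user_msg: str               # what the user typed: username, then password


@dataclass
class AuthenReply:
    session_id: int
    status: int
    server_msg: str = ""        # prompt shown to the user


Request = Union[AuthenStart, AuthenContinue]


class TacacsServer:
    """Toy TACACS+ authentication server keeping one state per session id."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self._sessions: Dict[int, Dict[str, str]] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, self._digest(password, salt))

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def handle(self, pkt: Request) -> AuthenReply:
        sid = pkt.session_id
        if isinstance(pkt, AuthenStart):
            if pkt.user:
                self._sessions[sid] = {"user": pkt.user, "stage": "pass"}
                return AuthenReply(sid, STATUS_GETPASS, "Password: ")
            self._sessions[sid] = {"user": "", "stage": "user"}
            return AuthenReply(sid, STATUS_GETUSER, "Username: ")
        sess = self._sessions.get(sid)
        if sess is None:                       # CONTINUE without a START
            return AuthenReply(sid, STATUS_FAIL, "no such session")
        if sess["stage"] == "user":
            sess["user"], sess["stage"] = pkt.user_msg, "pass"
            # Unknown users get the same prompt, so the reply does not leak names.
            return AuthenReply(sid, STATUS_GETPASS, "Password: ")
        del self._sessions[sid]                # password stage closes the session
        entry = self._users.get(sess["user"])
        if entry is None:
            return AuthenReply(sid, STATUS_FAIL)
        salt, digest = entry
        ok = hmac.compare_digest(self._digest(pkt.user_msg, salt), digest)
        return AuthenReply(sid, STATUS_PASS if ok else STATUS_FAIL)


def client_login(server: TacacsServer, username: str, password: str,
                 session_id: int = 0x1234) -> Tuple[bool, List[Tuple[str, int]]]:
    """Drive the exchange from the NAS side; returns (passed, transcript)."""
    transcript: List[Tuple[str, int]] = []
    pkt: Request = AuthenStart(session_id)
    while True:
        reply = server.handle(pkt)
        transcript.append((type(pkt).__name__, reply.status))
        if reply.status == STATUS_GETUSER:
            pkt = AuthenContinue(session_id, username)
        elif reply.status == STATUS_GETPASS:
            pkt = AuthenContinue(session_id, password)
        else:
            return reply.status == STATUS_PASS, transcript
```

The transcript for a successful login is exactly the three round trips the list above describes (start, continue with the user name, continue with the password), and the server answers an unknown user with the same password prompt as a known one, so the exchange itself reveals nothing about which accounts exist.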
Page 562
Command: Ruijie(config)# aaa group server tacacs+ group-name
Function: Configures the TACACS+ server group, dividing different TACACS+ servers into different groups.
Command: server ip-address
Function: Configures the server addresses in the TACACS+ server group.
Command: ip vrf forwarding vrf-name
Function: Configures the VRF name used by the TACACS+ server group (this command exists only on devices supporting VRF).
Configures the IP address of a remote TACACS+...
Page 563
74) Then configure the TACACS+ server information:
Ruijie(config)# tacacs-server host 192.168.12.219
Ruijie(config)# tacacs-server key aaa
75) Configure the TACACS+ authentication method:
Ruijie(config)# aaa authentication login test group tacacs+
76) Apply the authentication method on the interface:
Ruijie(config)# line vty 0 4
Ruijie(config-line)# login authentication test
77) With the above configuration, TACACS+ login authentication is in place.
Page 564
Ruijie(config)# tacacs-server host 192.168.12.219
Ruijie(config)# tacacs-server key aaa
85) Configure the authorization method using TACACS+:
Ruijie(config)# aaa authorization exec test group tacacs+
86) Apply the authorization on the interface:
Ruijie(config)# line vty 0 4
Ruijie(config-line)# authorization exec test
87) With the above configuration, TACACS+ login (exec) authorization is in place.
Page 565
Ruijie(config)# tacacs-server host 192.168.12.219
Ruijie(config)# tacacs-server key aaa
90) Configure the command accounting (audit) method using TACACS+:
Ruijie(config)# aaa accounting commands 15 test start-stop group tacacs+
91) Apply the accounting method on the interface:
Ruijie(config)# line vty 0 4
Ruijie(config-line)# accounting commands 15 test
92) With the above configuration, accounting of level-15 commands through the TACACS+ servers is in place.
IP spoofing, plain-text password interception and other kinds of attacks. The Ruijie SSH service supports both the IPv4 and IPv6 protocols.
SSH Algorithms Supported by Ruijie Products
Supported Algorithm...
Page 567
Enters global configuration mode.
Ruijie(config)# enable service ssh-server
Enables the SSH server.
Ruijie(config)# crypto key generate { rsa | dsa }
Generates a key.
To delete a key, use the crypto key zeroize command rather than the no crypto key generate command.
Page 568
Command: Ruijie(config)# no ip ssh time-out
Function: Restores the default SSH user authentication timeout period of 120 seconds.
Configuring SSH Re-authentication Times
This command sets the number of authentication attempts allowed for SSH users requesting connections, to limit password guessing.
Page 569
Configuration Guide Configuring SSH Terminal Service
authentication mode, and username/password authentication is supported here. The password used is the same as the Telnet password. Click OK. The following dialog box pops up:
Figure 3
Click Connect to log in to the host, as shown below:
Figure 4
The user logging in to the host 192.168.5.245 is asked whether to accept the key from the server.
Page 570
Enter the Telnet login password. A window pops up as follows:
Figure 6
Typical SSH Configuration Examples
Configuring SSH Local Authentication
Figure 7 Networking diagram for SSH local password protection
Application Requirements
As shown in Figure 7, to ensure the security of information exchange, PC1 and PC2 serve as SSH clients from which users will log in to the SSH server through SSH.
Page 571
Step 3: Configure the IP address of the Gi 1/1 interface. The client will use this IP address to connect to the SSH server.
Ruijie(config)#interface gigabitEthernet 1/1
Ruijie(config-if-gigabitEthernet 1/1)#ip address 10.10.10.10 255.255.255.0
Ruijie(config-if-gigabitEthernet 1/1)#exit
Step 4: Configure login passwords for lines
! Configure the login password for line 0 as "passzero"...
Page 572
! Configure the login password for lines 1 to 4 as "pass"
Ruijie(config)#line vty 1 4
Ruijie(config-line)#password pass
Ruijie(config-line)#privilege level 15
Ruijie(config-line)#exit
Configure SSH Clients (PC1 and PC2)
Start SecureCRT, as shown in Figure 7. Use SSH1 for login authentication. Any session name can be specified (here the session name is configured as PC1-SSH1-10.10.10.10).
Page 573
Verifying the Configuration
Verify the SSH server configuration
Step 1: Use the show running-config command to verify the current configuration:
Ruijie#show running-config
Building configuration...
enable secret 5 $1$eyy2$xs28FDw4s2q0tx97
enable service ssh-server
interface gigabitEthernet 1/1
 ip address 10.10.10.10 255.255.255.0...
Page 574
Establish a connection and type in the correct password to enter the SSH server interface. The login password for line 0 is "passzero", and the login password for the other four lines is "pass".
Step 2: Query the online users.
Ruijie#show users
Line User...
Page 575
% Generating 512 bit DSA keys ...[ok]
Step 3: Configure the IP address of the device. The clients will use this address to connect to the SSH server.
Ruijie(config)#interface gigabitEthernet 1/1
Ruijie(config-if-gigabitEthernet 1/1)#ip address 192.168.217.81 255.255.255.0
Ruijie(config-if-gigabitEthernet 1/1)#exit
Configure AAA authentication on the network device...
Page 576
! Configure a login authentication method list (RADIUS server authentication followed by local authentication); the name of the method list is "method".
Ruijie(config)#aaa authentication login method group radius local
Step 4: Apply this method list to the lines
Ruijie(config)#line vty 0 4...
Page 577
For details about how to set up the SSH client software and establish a connection, see the previous example. Type in user as the SSH user and pass as the password. The user will log in successfully.
Step 4: Query the online users.
Ruijie#show users
Line User...
Page 578
Configuration Guide Configuring FTP Client
Configuring FTP Client
The FTP client provides users with file transfer to and from a remote FTP server through the FTP protocol.
Introduction to FTP
FTP (File Transfer Protocol) is an application of TCP/IP that establishes a connection-oriented, reliable TCP session between the FTP client and the server.
Page 579
Active Mode
Figure 1-2 Port (active) Mode
In this mode, the FTP server actively establishes the data connection with the FTP client through the following four steps:
93) The client uses source port 5150 to communicate with port 21 of the server. The client requests to establish a connection and notifies the server that it is using port 5151.
Page 580
By default, the Ruijie FTP client uses passive mode.
FTP Transfer Mode
There are two FTP transfer modes: text (ASCII) transfer mode and binary (BINARY) data transfer mode. Currently, the Ruijie FTP client supports both modes, and the default mode is BINARY.
Text Mode
The difference between ASCII mode and BINARY mode is the handling of newline characters.
Page 581
Introduction to FTP Client
Unlike a standard FTP client that uses interactive commands, the Ruijie FTP client uses the copy command to complete the open, user and pass steps. After the control connection is established, it enters the file transfer process and establishes the data connection, allowing the file to be uploaded or downloaded.
Page 582
Before downloading, launch the FTP server program on the host and then log in to the device. In privileged EXEC mode, execute the following command to download a file.
Command: Ruijie# copy ftp://username:password@dest-address [ /remote-directory ] /remote-file
Function: Downloads the file specified in the URL to the device. The filename can be reset.
Page 583
The key word "dest-address" specifies the IP address of the FTP server.
Command: Ruijie# copy flash: [ local-directory/ ] local-file ftp://username:password@dest-address
Function: Uploads the file specified in the Flash URL to the host. The filename can be reset.
Page 584
This has a destructive impact on switch security and network stability. Ruijie network switches provide the CPU Protect Policy (CPP) function to protect the network against malicious attacks. By identifying packets and suppressing attack packets, the CPP function:
Weakens the impact of attack packets on the switch (switch processor protection).
Page 585
Command: Ruijie(config)# cpu-protect type { arp | bpdu | dhcp | ipv6mc | igmp | rip | ospf | vrrp | pim | err-ttl | unknown-ipmc | dvmrp | …...
Function: Sets the corresponding bandwidth of packets. pps_value is an integer. The ellipsis (…) refers to the types not listed. For details about the types supported by each product, see the...
Page 586
Use the following command to view statistics about the received packets of the CPP management board/standalone device/stacked system:
Command: Ruijie# show cpu-protect mboard
Function: Displays statistics about the received packets of the management board/standalone device/stacked system.
The following example displays the information of the CPP management board:
Ruijie# show cpu-protect mboard
Type...
Page 587
Command: Ruijie# show cpu-protect slot slot_id
Function: Displays the statistics about the received packets of a specified line card. slot_id: slot number.
The following example displays the CPU protection information of the line card in slot 2:
Ruijie# show cpu-protect slot 2...
Page 588
Configuration Guide Configuring CPU Protection
dvmrp igmp mpls ospf ospf3 pimv6 vrrp vrrp6 dhcps6 dhcp6_client dhcp6_server nd-snp-ns-na nd-snp-rs nd-snp-ra-redirect 0 unknown-ipmc unknown-ipmcv6 stargv-ipmc stargv6-ipmc bgp_ttl1 ttl1 hop_limit1 mpls-ttl1 ttl0 mpls-ttl0 dhcp-relay-c dhcp-relay-s option82 udp-helper tunnel-bpdu tunnel-gvrp ip4-packet-local ip6-packet-local ip4-packet-other ip6-packet-other ipv6mc non-ip-packet-other
Viewing Statistics About the Received Packets of a Specified Type...
Page 589
Command: Ruijie# show cpu-protect type { arp | bpdu | dhcp | ipv6mc | igmp | rip | ospf | vrrp | pim | ttl1 | unknown-ipmc | dvmrp...
Function: Displays statistics about the received packets of each type.
Page 591
Function / Default Value
CPU utilization threshold: warning threshold 90; critical threshold 100.
Memory utilization threshold: warning threshold 90; critical threshold 100.
Temperature threshold: warning threshold 90; critical threshold 100.
Configuring the CPU Utilization Threshold
Command: Ruijie# configure terminal
Purpose: Enters global configuration mode.
Page 592
Use the no threshold set cpu command to return to the default configuration.
Configuration example:
# Setting the CPU utilization threshold
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# threshold set cpu member 1 80 90
Configuring the Memory Utilization Threshold
Command: Ruijie# configure terminal
Purpose: Enters global configuration mode.
Page 593
Configuration example:
# Setting the temperature threshold
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# threshold set temperature member 60 80
Viewing the Configuration
The following commands are used to view the threshold values of the different categories:
Command...
Page 594
Configuration Guide Configuring NFPP
Configuring NFPP
Overview
NFPP is the abbreviation of Network Foundation Protection Policy.
NFPP Function
In the network, some malicious attacks put too much burden on the switch, so that the switch CPU cannot operate normally. A DoS attack may consume a large amount of switch memory, table entries and other resources, resulting in system service failure.
Page 595
NFPP provides host-based and port-based attack thresholds and rate-limit thresholds that the administrator can set flexibly for the specific network, to control the rate at which packets are received per host or per port. With the attack threshold configured, after detecting an attack the anti-attack policy performs the attack-warning or isolation action. For the isolation action, the anti-attack policy uses the hardware filter to make sure that the attack packets are not sent to the CPU, ensuring normal device operation.
Page 596
IP address is changing, or the source MAC address and source IP address are fixed while the destination IP address is changing. Ruijie products only support detection of the first kind of ARP scan (the source MAC address on the link layer is...
Page 597
Command: Ruijie(config-if)# nfpp arp-guard enable
Function: Enable the arp-guard on the interface. By default, arp-guard is not enabled on the interface.
Command: Ruijie(config-if)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp arp-guard summary
Function: Show the configurations.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
With the arp-guard disabled, the monitored hosts and scan hosts are auto-cleared.
Page 598
1000. monitored-host-limit seconds
Command: Ruijie(config-nfpp)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp arp-guard summary
Function: Show the arp-guard parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
To restore the monitored host limit to the default value, use the no arp-guard monitored-host-limit command in the nfpp configuration mode.
Page 599
The following message is displayed if an ARP DoS attack is detected:
%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:00)
The content in brackets is the attack detection time. The following example shows the description included in the TRAP messages sent:
ARP DoS attack from host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>...
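A parser for the syslog line shown above, useful when these messages are collected centrally and the MAC, port and VLAN need to be extracted for correlation. It is an added example and not Ruijie code; the message layout comes from the ARP-guard line on this page, while the assumption that the other guards (IP, ICMP, DHCP and so on) print the same layout under their own facility name is mine, so the guard name is kept as a capture group. Every sample line except the page's own is constructed.

```python
"""Parser for NFPP attack-detection syslog lines.

Added example, not Ruijie code.  The message layout is taken from the
ARP-guard line shown above; that the other guards (IP, ICMP, DHCP ...) use
the same layout with their own facility name is an assumption, so the regex
keeps the guard name as a capture.  All log lines except the page's own are
constructed for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

NFPP_RE = re.compile(
    r"%NFPP_(?P<guard>[A-Z0-9]+)_GUARD-(?P<severity>\d)-(?P<event>[A-Z_]+):\s*"
    r"Host<(?P<fields>[^>]*)>\s*was detected\."
    r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)"
)

# Constructed sample; the first line is the one printed on the page.
SAMPLE_LINES = [
    "%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:00)",
    "%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0005,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:05)",
    "%NFPP_IP_GUARD-4-DOS_DETECTED: Host<IP=1.1.1.5,MAC=N/A,port=Gi0/1,VLAN=1> was detected.(2009-07-01 13:01:00)",
    "%SYS-5-CONFIG_I: Configured from console by admin",   # unrelated, must be ignored
]


@dataclass
class NfppEvent:
    guard: str            # ARP, IP, ICMP, DHCP, ...
    severity: int         # syslog severity digit from the mnemonic
    event: str            # DOS_DETECTED, ...
    ip: Optional[str]     # None when the device printed N/A
    mac: Optional[str]
    port: str
    vlan: int
    when: datetime        # the time in brackets, the detection time


def parse_nfpp_line(line: str) -> Optional[NfppEvent]:
    """Return the parsed event, or None for lines that are not NFPP detections."""
    m = NFPP_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split(",") if "=" in kv)
    if not {"port", "VLAN"} <= fields.keys():
        return None                         # malformed host descriptor

    def opt(value: Optional[str]) -> Optional[str]:
        return None if value in (None, "N/A") else value

    return NfppEvent(
        guard=m["guard"], severity=int(m["severity"]), event=m["event"],
        ip=opt(fields.get("IP")), mac=opt(fields.get("MAC")),
        port=fields["port"], vlan=int(fields["VLAN"]),
        when=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
    )


def parse_log(lines: List[str]) -> List[NfppEvent]:
    return [e for e in map(parse_nfpp_line, lines) if e is not None]


def count_by_port(events: List[NfppEvent]) -> Dict[Tuple[str, str], int]:
    """Detections per (guard, port): repeat offenders on one port stand out."""
    return dict(Counter((e.guard, e.port) for e in events))
```

Note that the timestamp inside the brackets is the device's detection time, not the collector's receive time; keeping both makes it possible to spot clock drift on the switch, which otherwise silently misorders events during an investigation.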
Page 600
The administrator can configure the host-based rate-limit and attack detection in the nfpp configuration mode and in the interface configuration mode:
Command: Ruijie# configure terminal
Function: Enter the global configuration mode.
Command: Ruijie(config)# nfpp
Function: Enter the nfpp configuration mode.
Configure the arp-guard rate-limit, ranging from 1 to 9999, 4 by default.
Page 601
The valid range is 1-9999 and by default, it adopts the global rate-limit threshold value.
Command: Ruijie(config-if)#nfpp arp-guard policy { per-src-ip | per-src-mac } rate-limit-pps attack-threshold-pps
Function: attack-threshold-pps: set the attack threshold. The valid range is 1-9999 and by default, it adopts the global attack threshold value.
Page 602
Command: Ruijie# clear nfpp arp-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address | mac-address ]
Function: If no parameter is specified, all hosts detected to be under attack will be cleared. If any parameter is specified, only eligible hosts will be cleared.
Page 603
Command: Ruijie#show nfpp arp-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address | mac-address ]
Function: Show the isolated hosts information. If no parameter is specified, all hosts detected to be under attack will be displayed.
Page 604
Gi0/3 0000.0000.1111 110
Gi0/4 0000.0000.2222
Total: 4 hosts
Ruijie# show nfpp arp-guard hosts vlan 1 interface G 0/1 1.1.1.1
If column 1 shows '*', it means "hardware do not isolate user".
VLAN interface IP address MAC address remain-time(s)
---- --------...
Page 605
Ruijie Layer 3 devices provide the IP-guard function to prevent attacks from hackers and viruses such as "Blaster", reducing the CPU burden of the Layer 3 devices.
Page 606
Command: Ruijie(config-if)# nfpp ip-guard enable
Function: Enable the ip-guard on the interface. By default, ip-guard is not enabled on the interface.
Command: Ruijie(config-if)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp ip-guard summary
Function: Show the configurations.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
With the ip-guard disabled, the monitored hosts are auto-cleared.
Page 607
0s represents no isolation. Permanent represents permanent isolation.
Command: Ruijie(config-if)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp ip-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
To restore the global isolated time to the default value, use the no ip-guard isolate-period command in the nfpp configuration mode.
Page 608
1000. seconds
Command: Ruijie(config-nfpp)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp ip-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
To restore the monitored host limit to the default value, use the no ip-guard monitored-host-limit command in the nfpp configuration mode.
Page 609
Function: Enter the global configuration mode.
Command: Ruijie(config)# nfpp
Function: Enter the nfpp configuration mode.
Command: Ruijie(config-nfpp)# ip-guard rate-limit per-src-ip
Function: Configure the ip-guard rate-limit, ranging from 1 to 9999, 20 by default. per-src-ip: detect the hosts based on the source IP address/VID/port.
Configure the ip-guard attack threshold, ranging from 1 to 9999, 20 by default.
Page 610
pkt-cnt: 1-9999, in 10s. By default, it adopts the global scan threshold value.
Command: Ruijie(config-nfpp)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp ip-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
Configuring Port-based Rate-limit and Attack Detection
You can configure the ip-guard rate limit and attack threshold on the port.
Page 611
Ruijie(config-nfpp)# no ip-guard trusted-host all
The following example shows how to delete a trusted host entry:
Ruijie(config-nfpp)# no ip-guard trusted-host 1.1.1.1 255.255.255.255
The prompt "%ERROR: Attempt to exceed limit of 500 trusted hosts." informs the administrator that the trusted host table is full.
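The ARP-guard and IP-guard sections above describe the same control loop: a per-host packet rate is compared against a rate-limit and an attack threshold, an attacker is recorded as a monitored host (up to 1000 of them) and optionally isolated for the isolate-period, and hosts matching a trusted-host entry are exempt (up to 500 entries, with the error shown above when the table is full). The following Python simulation, added here as an illustration and not Ruijie code, applies those rules to a stream of packets so the order in which the thresholds bite can be seen. Counting per whole second is an assumption; the page does not state the device's measurement window. The host addresses and timings are constructed.

```python
"""Per-source rate limiting, attack detection and isolation as NFPP describes them.

Added example, not Ruijie code.  It applies the rules the ARP-guard and
IP-guard sections state: packets above rate-limit-pps are dropped, a source
exceeding attack-threshold-pps is recorded as an attacker (and isolated for
isolate-period seconds when that is non-zero), trusted hosts matched by
address and mask are exempt (table capped at 500 entries), and at most 1000
hosts are monitored.  Counting per whole second is an assumption; the page
does not give the device's actual measurement window.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int, str]          # (source address, VLAN id, port), as the page keys hosts


@dataclass
class GuardPolicy:
    rate_limit_pps: int = 20         # ip-guard default from the page
    attack_threshold_pps: int = 20   # ip-guard default from the page
    isolate_period: int = 0          # 0 = no isolation; page allows 0 or 30-86400
    monitored_host_limit: int = 1000
    trusted_host_limit: int = 500


class NfppGuard:
    def __init__(self, policy: GuardPolicy) -> None:
        self.policy = policy
        self.trusted: List[ipaddress.IPv4Network] = []
        self._counts: Dict[Key, Tuple[int, int]] = {}   # key -> (second, packets in it)
        self.monitored: Dict[Key, str] = {}             # key -> "ATTACK"
        self.isolated_until: Dict[Key, int] = {}        # key -> second isolation ends

    def add_trusted_host(self, ip: str, mask: str) -> None:
        """Mirror of 'ip-guard trusted-host ip mask', including the table-full error."""
        if len(self.trusted) >= self.policy.trusted_host_limit:
            raise ValueError("%ERROR: Attempt to exceed limit of 500 trusted hosts.")
        self.trusted.append(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False))

    def is_trusted(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        return any(addr in net for net in self.trusted)

    def packet(self, now: float, src_ip: str, vlan: int, port: str) -> str:
        """Decide one packet: 'trusted', 'forward', 'rate-limited' or 'isolated'."""
        if self.is_trusted(src_ip):
            return "trusted"
        key: Key = (src_ip, vlan, port)
        sec = int(now)
        until = self.isolated_until.get(key)
        if until is not None:
            if sec < until:
                return "isolated"
            del self.isolated_until[key]           # isolate-period has expired
        last_sec, n = self._counts.get(key, (sec, 0))
        n = n + 1 if last_sec == sec else 1
        self._counts[key] = (sec, n)
        if n > self.policy.attack_threshold_pps and key not in self.monitored:
            # Assumption: once monitored-host-limit is reached, new attackers are not recorded.
            if len(self.monitored) < self.policy.monitored_host_limit:
                self.monitored[key] = "ATTACK"
                if self.policy.isolate_period:
                    self.isolated_until[key] = sec + self.policy.isolate_period
                    return "isolated"
        return "rate-limited" if n > self.policy.rate_limit_pps else "forward"

    def clear_hosts(self, vlan: Optional[int] = None, port: Optional[str] = None) -> int:
        """Like 'clear nfpp ip-guard hosts [vlan vid] [interface id]': returns entries removed."""
        victims = [k for k in self.monitored
                   if (vlan is None or k[1] == vlan) and (port is None or k[2] == port)]
        for k in victims:
            self.monitored.pop(k, None)
            self.isolated_until.pop(k, None)
        return len(victims)
```

Running the test below shows the sequence a defender should expect on the device: the first packets above rate-limit-pps are merely dropped, the host is only recorded as an attacker once attack-threshold-pps is exceeded, and from that moment every packet is blocked until the isolate-period elapses, after which counting starts afresh.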
Page 612
Command: Ruijie# clear nfpp ip-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address ]
Function: If no parameter is specified, all hosts detected to be under attack will be cleared. If any parameter is specified, only eligible hosts will be cleared.
Page 613
1.1.1.1 ATTACK
Gi0/2 1.1.2.1 SCAN
Total: 2 hosts
Ruijie# show nfpp ip-guard hosts vlan 1 interface G 0/1 1.1.1.1
If column 1 shows '*', it means "hardware do not isolate user".
VLAN interface IP address MAC address remain-time(s)
---- --------...
Page 614
Showing the Trusted Host Configuration
Command: Ruijie# show nfpp ip-guard trusted-host
Function: Show the trusted hosts.
For example,
Ruijie#show nfpp ip-guard trusted-host
IP address mask
--------- ------
1.1.1.0 255.255.255.0
1.1.2.0 255.255.255.0
Total: 2 record(s)
ICMP-guard
ICMP attack detection can be host-based or port-based.
Host-based
The ICMP protocol is used to diagnose network trouble.
Page 615
Command: Ruijie# show nfpp icmp-guard summary
Function: Show the configurations.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
With the icmp-guard disabled, the monitored hosts are auto-cleared.
Configuring the Isolated Time
The isolated time of the attacker can be configured in the global or interface configuration mode. By default, the isolated time is configured in the global configuration mode.
Page 616
The default value is 600s. seconds
Command: Ruijie(config-nfpp)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp icmp-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
To restore the monitored time to the default value, use the no icmp-guard monitor-period command in the nfpp configuration mode.
Page 617
This section shows the administrator how to configure the host-based rate-limit and attack detection in the nfpp configuration mode and in the interface configuration mode:
Command: Ruijie# configure terminal
Function: Enter the global configuration mode.
Command: Ruijie(config)# nfpp
Function: Enter the nfpp configuration mode.
Page 618
IP/VID/port;
Command: Ruijie(config-nfpp)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp icmp-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
Configuring Port-based Rate-limit and Attack Detection
You can configure the icmp-guard rate limit and attack threshold on the port.
Page 619
Command: Ruijie(config)# nfpp
Function: Enter the nfpp configuration mode.
Command: Ruijie(config-nfpp)# icmp-guard rate-limit per-port pps
Function: Configure the icmp-guard rate-limit of ICMP packets on the port, ranging from 1 to 9999. The default values vary with different products.
Command: Ruijie(config-nfpp)# icmp-guard attack-threshold
Function: Configure the icmp-guard attack threshold, ranging from 1 to 9999.
Page 620
Command: Ruijie# clear nfpp icmp-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address ]
Function: If no parameter is specified, all hosts detected to be under attack will be cleared. If any parameter is specified, only eligible hosts will be cleared.
Page 621
Command: Ruijie# show nfpp icmp-guard hosts statistics
Function: Show the monitored host amount, isolated host amount and non-isolated host amount.
Command: Ruijie#show nfpp icmp-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address ]
Function: Show the isolated hosts information. If no parameter is specified, all hosts detected to be under attack will be displayed.
Page 622
Ruijie# show nfpp icmp-guard hosts vlan 1 interface G 0/1 1.1.1.1
If column 1 shows '*', it means "hardware do not isolate user".
VLAN interface IP address remain-time(s)
---- -------- --------- -------------
Gi0/1 1.1.1.1
Total: 1 host
The preceding fields indicate the VLAN number, interface, IP address, MAC address and remaining time of isolation.
Page 623
Command: Ruijie(config-if)# nfpp dhcp-guard enable
Function: Enable the dhcp-guard on the interface. By default, dhcp-guard is not enabled on the interface.
Command: Ruijie(config-if)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp dhcp-guard summary
Function: Show the configurations.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
With the dhcp-guard disabled, the monitored hosts are auto-cleared.
Page 624
Command: Ruijie# show nfpp dhcp-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
To restore the global isolated time to the default value, use the no dhcp-guard isolate-period command in the nfpp configuration mode. If the isolated time has been configured on a port, you can use the no dhcp-guard isolate-period command in the interface configuration mode to remove the port-based isolated time configuration.
Page 625
Command: Ruijie# show nfpp dhcp-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
To restore the monitored host limit to the default value, use the no dhcp-guard monitored-host-limit command in the nfpp configuration mode.
Page 626
1-9999 and by default, it adopts the global attack threshold value. per-src-mac: detect the hosts based on the source MAC/VID/port.
Command: Ruijie(config-nfpp)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp dhcp-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
Page 627
Command: Ruijie(config)# nfpp
Function: Enter the nfpp configuration mode.
Command: Ruijie(config-nfpp)# dhcp-guard rate-limit per-port pps
Function: Configure the dhcp-guard rate-limit of DHCP packets on the port, ranging from 1 to 9999, 150 by default.
Configure the dhcp-guard attack threshold, ranging from 1 to 9999, 300 by default.
Page 628
Command: Ruijie# clear nfpp dhcp-guard hosts [ vlan vid ] [ interface interface-id ] [ mac-address ]
Function: If no parameter is specified, all hosts detected to be under attack will be cleared. If any parameter is specified, only eligible hosts will be cleared.
Page 629
-------------
Gi0/1 0000.0000.0001 110
Gi0/2 0000.0000.2222
Total: 2 host(s)
Ruijie# show nfpp dhcp-guard hosts vlan 1 interface g 0/1 0000.0000.0001
If column 1 shows '*', it means "hardware failed to isolate host".
VLAN interface MAC address remain-time(s)
---- -------- -----------...
Page 630
Command: Ruijie(config-if)# nfpp dhcpv6-guard enable
Function: Enable the dhcpv6-guard on the interface. By default, dhcpv6-guard is not enabled on the interface.
Command: Ruijie(config-if)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp dhcpv6-guard summary
Function: Show the configurations.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
With the dhcpv6-guard disabled, the monitored hosts are auto-cleared.
Page 631
0s represents no isolation. Permanent represents permanent isolation.
Command: Ruijie(config-if)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp dhcpv6-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
To restore the global isolated time to the default value, use the no dhcpv6-guard isolate-period command in the nfpp configuration mode.
Page 632
1000. monitored-host-limit seconds
Command: Ruijie(config-nfpp)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp dhcpv6-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
To restore the monitored host limit to the default value, use the no dhcpv6-guard monitored-host-limit command in the nfpp configuration mode.
Page 633
Function: Enter the global configuration mode.
Command: Ruijie(config)# interface interface-name
Function: Enter the interface configuration mode.
Command: Ruijie(config-if)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp dhcpv6-guard summary
Function: Show the parameter settings.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
Configuring Port-based Rate-limit and Attack Detection
You can configure the dhcpv6-guard rate limit and attack threshold on the port.
Page 634
Command: Ruijie(config)# nfpp
Function: Enter the nfpp configuration mode.
Command: Ruijie(config-nfpp)# dhcpv6-guard rate-limit per-port pps
Function: Configure the dhcpv6-guard rate-limit of DHCPv6 packets on the port, ranging from 1 to 9999, 150 by default.
Configure the dhcpv6-guard attack threshold, ranging from 1 to 9999, 300 by default.
Page 635
Command: Ruijie# clear nfpp dhcpv6-guard hosts [ vlan vid ] [ interface interface-id ] [ mac-address ]
Function: If no parameter is specified, all hosts detected to be under attack will be cleared. If any parameter is specified, only eligible hosts will be cleared.
Page 636
-------------
Gi0/1 0000.0000.0001 110
Gi0/2 0000.0000.2222
Total: 2 host(s)
Ruijie# show nfpp dhcpv6-guard hosts vlan 1 interface g 0/1 0000.0000.0001
If column 1 shows '*', it means "hardware failed to isolate host".
VLAN interface MAC address remain-time(s)
---- -------- -----------...
Page 637
Command: Ruijie(config-if)# nfpp nd-guard enable
Function: Enable the nd-guard on the interface. By default, nd-guard is not enabled on the interface.
Command: Ruijie(config-if)# end
Function: Return to the privileged EXEC mode.
Command: Ruijie# show nfpp nd-guard summary
Function: Show the configurations.
Command: Ruijie# copy running-config startup-config
Function: Save the configurations.
Configuring Port-based Rate-limit and Attack Detection
You can configure the ND-guard rate-limit and attack threshold on the port.
Page 638
Command: Ruijie(config)# nfpp
Function: Enter the nfpp configuration mode.
Command: Ruijie(config-nfpp)# nd-guard rate-limit per-port [ ns-na | rs | ra-redirect ] pps
Function: Configure the rate-limit of the ND packets on the port, ranging from 1 to 9999, 15 by default.
Command: Ruijie(config-nfpp)# nd-guard attack-threshold per-port
Function: Configure the attack threshold, ranging from 1 to 9999, 30 by default.
Page 639
Given the diversity of network protocols and the fact that different protocols may be used in different user environments as networks evolve, Ruijie devices provide the Defined Guard feature, which allows users to define guards against various attacks so as to meet different attack protection needs.
Page 640
Ruijie(config-nfpp)#define name
    Configure the name of the defined guard type.
Ruijie(config-nfpp-define)# match [ etype type ] [ src-mac smac [ src-mac-mask smac_mask ] ] [ dst-mac dmac [ dst-mac-mask dst_mask ] ]...
    Configure the packet fields to be matched by the defined guard type.
Page 641
with define name (name of the existing defined guard type)", indicating that the configuration has failed. When protocol has been configured for the match field but etype is neither IPv4 nor IPv6, the following prompt message will be displayed: "%ERROR: protocol is valid only when etype is IPv4 (0x0800) or IPv6 (0x86dd)."...
Page 642
    Enter NFPP configuration mode.
Ruijie(config-nfpp)#define name
    Enter defined guard configuration mode.
Ruijie(config-nfpp)#isolate-period { seconds | permanent }
    Configure the attacker isolation period. Range: 0 and 30-86400 seconds (i.e., one day); the default value is 0 seconds, meaning no isolation; permanent means permanent isolation.
Page 643
    Enter global configuration mode.
Ruijie(config)#nfpp
    Enter NFPP configuration mode.
Ruijie(config-nfpp)#define name
    Enter defined guard configuration mode.
Ruijie(config-nfpp)# monitor-period seconds
    Configure the attacker monitoring period. Range: 180-86400 seconds (i.e., one day); the default value is 600 seconds.
Ruijie(config-nfpp)#end
    Return to privileged EXEC mode.
Ruijie#copy running-config startup-config
    Save configurations.
Page 644
1000.
Ruijie(config-nfpp)#end
    Return to privileged EXEC mode.
Ruijie#copy running-config startup-config
    Save configurations.
To restore the maximum number of monitored hosts to the default value, use the "no monitored-host-limit" command in NFPP defined guard configuration mode. If the maximum number of monitored hosts has reached the default value of 1000 and the administrator configures a...
Page 645
To delete all trusted hosts:
Ruijie(config-nfpp-define)# no trusted-host all
Or to delete one trusted host:
Ruijie(config-nfpp)# no trusted-host 1.1.1.1 255.255.255.255
When no match rule is configured, the following prompt message will be displayed: "%ERROR: Please configure match rule first." When adding an IPv4 trusted host while the etype of the match rule is not IPv4, the following prompt message will be displayed: "%ERROR: Match type can't support IPv4 trusted host."...
Page 646
MAC/VID/port.
Ruijie(config-nfpp-define)# define-policy { per-src-ip | per-src-mac } rate-limit-pps attack-threshold-pps
    Rate-limit-pps means the rate-limiting threshold (1-9999). By default, no rate limiting is implemented. Packets exceeding the rate-limiting threshold will be discarded. Attack-threshold-pps means the attack threshold (1-9999).
Page 647
MAC/VID/port.
Ruijie(config-if)#nfpp define name policy { per-src-ip | per-src-mac } rate-limit-pps attack-threshold-pps
    Rate-limit-pps means the rate-limiting threshold (1-9999). By default, no rate limiting is implemented. Packets exceeding the rate-limiting threshold will be discarded. Attack-threshold-pps means the attack threshold (1-9999).
Page 648
Ruijie(config-if)#nfpp define name policy per-port rate-limit-pps attack-threshold-pps
    Rate-limit-pps means the rate-limiting threshold (1-9999). By default, no rate limiting is implemented. Packets exceeding the rate-limiting threshold will be discarded. Attack-threshold-pps means the attack threshold (1-9999). When packets of the defined type exceed the attack threshold, an attack is considered to exist and will be logged.
Page 649
Ruijie#configure terminal
    Enter global configuration mode.
Ruijie(config)#nfpp
    Enter NFPP configuration mode.
Ruijie(config-nfpp)# define name enable
    Globally enable defined guard. By default, defined guard is enabled on all ports.
Ruijie(config-nfpp)#end
    Return to privileged EXEC mode.
Ruijie#configure terminal
    Enter global configuration mode.
Page 650
Isolated hosts will be released after a certain period. To manually clear a host, the administrator can use the following command in privileged EXEC mode.
Ruijie# clear nfpp define hosts name [ vlan vid ] [ interface interface-id ] [ ip-address ] [ mac-address ]
    The parameters define the specific hosts to be cleared.
Configuring NFPP Syslog
An NFPP log is generated in the NFPP syslog buffer area after an attack is detected.
Page 651
Ruijie# show nfpp log summary
    Show the NFPP syslog configuration.
Ruijie# show nfpp log buffer [ statistics ]
    Show the NFPP syslog in the log-buffer area. The parameter statistics shows the number of logs in the log-buffer area.
The following example shows the NFPP syslog configuration:...
Page 652
Gi 0/1
interface Gi 0/2
The following example shows the number of NFPP syslog entries in the log-buffer area:
Ruijie#show nfpp log buffer statistics
There are 6 logs in buffer.
The following example shows the NFPP syslog buffer area:
Ruijie#show nfpp log buffer...
Page 653
If the syslog buffer area is full, subsequent syslog entries will be discarded and an entry with all attributes "-" will be shown in the syslog buffer area. The administrator should increase the capacity of the syslog buffer area or adjust the rate at which syslog entries are generated.
Configuring ACLs
Overview
As part of Ruijie's security solution, an access control list (ACL) is used to provide a powerful traffic filtering function. Currently, Ruijie products support the following ACLs:
Standard and extended IP ACLs
MAC Extended ACLs...
Page 655
When to Configure Access Lists
Depending on your requirements, you can select the basic ACL or the dynamic ACL. In general, the basic ACL can meet the security requirement. However, experienced hackers may use software to forge source addresses and spoof the devices so as to gain access.
Page 656
48-bit source MAC address (all 48 bits must be declared)
48-bit destination MAC address (all 48 bits must be declared)
16-bit layer-2 type field
Layer 3 fields:
Source IP address field (you can specify all 32 bits of the IP address, or specify a type of stream of the defined subnet)
Destination IP address field (you can specify all 32 bits of the IP address, or specify a type of stream of the defined subnet)
Page 657
A filtering domain template can be the collection of L3 fields and L4 fields, or the collection of multiple L2 fields. However, the filtering domain template of a standard or extended ACL cannot be the collection of L2 and L3, L2 and L4, or L2, L3 and L4 fields.
Page 658
Standard IP ACLs (numbered from 1 to 99 and from 1300 to 1999) forward or block packets according to source addresses. Extended IP ACLs (numbered from 100 to 199 and from 2000 to 2699) use the above four combinations to forward or block packets.
Page 659
Ruijie(config)# interface interface
    Selects the interface to which the ACL is to be applied.
Ruijie(config-if)# ip access-group id { in | out } [ unreflect ]
    Applies the ACL to the specific interface.
Method 2: Use the following command in ACL configuration mode:...
Page 660
Ruijie(config)# expert access-list extended { id | name }
    Enters ACL configuration mode.
Ruijie (config-exp-nacl)# [ sn ] { permit | deny } [ prot | { [ ethernet-type] [ cos cos ] } ] [ VID vid ] { src src-wildcard | host ...
    Adds ACEs to the ACL. For details about the command, see the command reference.
Page 661
Ruijie(config)# interface interface
    Selects the interface to which the ACL is to be applied.
Ruijie(config-if)# expert access-group { id|name } { in | out } [ unreflect ]
    Applies the ACL to the specific interface.
In method 1, an ACL can only be numbered. In method 2, an ACL can be numbered or named, and the ACE priority can be specified if available.
Page 662
Ruijie(config)# mac access-list extended { id | name }
Ruijie (config-mac-nacl)# [ sn ] { permit | deny } {any | host src-mac-addr } { any | host dst-mac-addr } [ ethernet-type ]...
    Adds ACEs to the ACL. For details about the command, see the command reference.
Page 663
10
ace2: 20
ace3: 30
The ACEs are numbered as follows after the "ip access-list resequence tst_acl 100 3" command is used:
Ruijie(config)# ip access-list resequence tst_acl 100 3
ace1: 100
ace2: 103
ace3: 106
If you do not specify sn-num when adding ACE 4, ACE 4 is numbered as follows:
Ruijie(config-std-nacl)# permit …...
Page 664
Ruijie(config)# ip access-list extended { id | name }
    Enters ACL configuration mode.
Ruijie(config-ext-nacl)# [ sn ] { permit | deny } protocol source source-wildcard destination destination-wildcard [ precedence precedence ] [ tos tos ] [ fragment ] [ range ...
    Adds ACEs to the ACL. For details about the command, see the command reference.
Page 665
Ruijie(config)# ip access-list logging interval 1
Enter ACL configuration mode and enable logging on the desired ACE.
Ruijie(config-ext-nacl)# permit ip 99.9.9.0 0.0.0.255 any log
Add a deny ACE and enable the logging function on the ACE.
Ruijie(config-ext-nacl)# deny ip any any log...
Page 666
Ruijie(config)#interface FastEthernet 0/4
Ruijie(config-if)#switchport port-security
Ruijie(config-if)#switchport port-security binding 0000.0000.0011 vlan 1 192.168.6.3
Only packets whose source IP address is 192.168.6.3 and whose MAC address is 0000.0000.0011 can pass through port 4 of the device. To receive IPX packets, set a security tunnel as follows:...
Page 667
Ruijie(config)# interface interface
    Exits ACL configuration mode and selects the interface to which the ACL is to be applied.
Ruijie(config-if)# ip access-group { id | name } { in | out }
    Applies the ACL to the specific interface.
Configuration example: Configure the permission and password for enabling the IP Option feature.
Page 668
ACLs:
Ruijie(config)# time-range no-http
Ruijie(config-time-range)# periodic weekdays 8:00 to 18:00
Ruijie(config)# end
Ruijie(config)# ip access-list extended limit-udp
Ruijie(config-ext-nacl)# deny tcp any any eq www time-range no-http
Ruijie(config-ext-nacl)# exit
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# ip access-group no-http in
Ruijie(config)# end...
Page 669
Ruijie(config)# interface interface
    Selects the interface to which the ACL is to be applied.
Ruijie(config-if)# ip access-group { id | name } { in | out }
    Applies the ACL to the specific interface.
The following example explains how to configure TCP Flag filtering.
Page 670
Add an ACE.
Ruijie(config-ext-nacl)# permit tcp any any match-all rst
Ruijie(config-ext-nacl)# permit tcp host 1.1.1.1 any established
Add a deny ACE.
Ruijie(config-ext-nacl)# deny tcp any any match-all fin
Ruijie(config-ext-nacl)# end
Show
Ruijie# show access-list test-tcp-flag
ip access-lists extended test-tcp-flag...
Page 672
According to requirements, configure an extended ACL numbered 101:
access-list 101 permit tcp 192.168.12.0 0.0.0.255 any eq telnet time-range check
Ruijie(config)# access-list 101 deny icmp 192.168.12.0 0.0.0.255 any
Ruijie(config)# access-list 101 deny ip 2.2.2.0 0.0.0.255 any
Ruijie(config)# access-list 101 deny ip any any...
Page 673
It cannot access other interfaces.
Ruijie> enable
Ruijie# config terminal
Ruijie(config)# expert access-list Expert extended-list
Ruijie(config-exp-nacl)# permit ip vid 20 any host 0013.2049.8272 any any
Ruijie(config-exp-nacl)# deny any any any any
Ruijie(config-exp-nacl)# exit
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# expert access-group expert-list in...
Page 674
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# mac access-group mac-list in
Ruijie(config-if)# end
Ruijie# show access-lists
mac access-list extended mac-list
deny host 0013.2049.8272 any ipx
permit any any
The "permit any any" statement is required because the end of an ACL contains an implicit deny statement for all packets.
Page 675
# Create extended ACL 101 in configuration mode
Ruijie(config)# ip access-list extended 101
# Deny packets whose SYN is 1 and permit packets whose SYN is 0 (including ACK).
Ruijie(config-ext-nacl)# deny tcp any any match-all SYN
# Permit other IP packets.
Ruijie(config-ext-nacl)# permit ip any any
Apply the ACL to the interface.
Page 676
The preceding diagram shows the typical topology of an intranet: the access switch (Switch C), which connects the PCs of the respective departments, is connected to the convergence switch through Gigabit optical cable (trunk mode). The convergence switch (Switch B) assigns one VLAN to each department and is connected to the core switch through 10G optical fiber cable (trunk mode).
Page 677
For the requirement that internal PCs can access the servers while external PCs are not allowed to access them, IP extended ACLs can be defined and applied to the ports (G2/2, SVI2) of the core switch (Switch A) that connect to the convergence switch and the server.
Page 678
A(config-ext-nacl)#deny udp any eq 135 any
A(config-ext-nacl)#deny udp any any eq 137
A(config-ext-nacl)#deny udp any eq 137 any
…………
! The configuration on other ports is similar.
A(config-ext-nacl)#deny udp any any eq 1434
A(config-ext-nacl)#deny udp any eq 1434 any
! Deny ICMP packets.
Page 679
A(config-if)#exit
! Apply the ACL to the inbound direction of the server-connecting interface.
A(config)#interface vlan 2
A(config-if-VLAN 2)# ip access-group access_server in
A(config-if-VLAN 2)# ip address 192.168.4.2 255.255.255.0
A(config-ext-nacl)#end
Configure the convergence switch: SwitchB
Step 1: Create VLAN 2, VLAN 3, and VLAN 4.
B#configure terminal
! Create VLAN 2, VLAN 3, and VLAN 4.
Page 680
! Configure the IP address of SVI 2.
B(config)#interface vlan 2
B(config-if)#ip address 192.168.1.100 255.255.255.0
! Configure the IP address of SVI 3.
B(config)#interface vlan 3
B(config-if)#ip address 192.168.2.100 255.255.255.0
! Configure the IP address of SVI 4.
B(config)#interface vlan 4
B(config-if)#ip address 192.168.4.1 255.255.255.0
Step 4: Define time range.
Page 681
Step 1: Verify whether the ACEs are correct. The key is whether the priorities of the ACEs are correct and whether the ACEs are effective.
SwitchA#show access-lists
ip access-list extended Virus_Defence
10 deny tcp any any eq 135
20 deny tcp any eq 135 any
30 deny tcp any eq 4444 any
40 deny tcp any any eq 5554...
Page 682
420 deny icmp any any
430 permit tcp any any
440 permit udp any any
450 permit ip any any
ip access-list extended access_server
10 permit ip 192.168.2.0 0.0.0.255 host 192.168.4.100
20 permit ip 192.168.1.0 0.0.0.255 host 192.168.4.100
30 permit ip 192.168.3.0 0.0.0.255 host 192.168.4.100
40 deny ip any any
SwitchB#show access-lists...
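As an added illustration (not code from the Ruijie guide), the Python model below evaluates the access_server ACEs shown above and the "deny tcp any any match-all SYN" rule from the TCP-flag example the way the guide describes: ACEs are tried in sequence-number order, a wildcard mask is an inverse mask, an unmatched packet hits the implicit deny, and resequence renumbers from a start value in steps as in the tst_acl example. The Packet/ACE classes and the sample addresses not taken from the guide are constructed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Packet:                            # constructed packet model for the example
    src: str
    dst: str
    proto: str                           # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: FrozenSet[str] = frozenset()  # TCP flags that are set, e.g. {"SYN", "ACK"}


@dataclass
class ACE:                               # one access control entry
    sn: int                              # sequence number (priority)
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches any IP packet
    src: str                             # "any" | "host A.B.C.D" | "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int] = None          # "eq <port>" on the destination port
    match_all: FrozenSet[str] = frozenset()  # match-all: every listed flag must be set


def addr_matches(spec: str, addr: str) -> bool:
    """Wildcard masks are inverse masks: a 1 bit means 'do not care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return ace.match_all <= pkt.flags    # empty match_all: no flag condition


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE (by sequence number) decides; no match hits the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.sn):
        if ace_matches(ace, pkt):
            return ace.action, ace.sn
    return "deny", None


def resequence(acl: List[ACE], start: int, step: int) -> List[int]:
    """Renumber like 'ip access-list resequence <acl> <start> <step>'; returns the new numbers."""
    for i, ace in enumerate(sorted(acl, key=lambda a: a.sn)):
        ace.sn = start + i * step
    return [a.sn for a in sorted(acl, key=lambda a: a.sn)]


# ACL access_server exactly as listed by 'show access-lists' above.
ACCESS_SERVER = [
    ACE(10, "permit", "ip", "192.168.2.0 0.0.0.255", "host 192.168.4.100"),
    ACE(20, "permit", "ip", "192.168.1.0 0.0.0.255", "host 192.168.4.100"),
    ACE(30, "permit", "ip", "192.168.3.0 0.0.0.255", "host 192.168.4.100"),
    ACE(40, "deny", "ip", "any", "any"),
]
# ACL 101 from the TCP-flag example: deny tcp any any match-all SYN, then permit ip any any.
SYN_FILTER = [
    ACE(10, "deny", "tcp", "any", "any", match_all=frozenset({"SYN"})),
    ACE(20, "permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    print(evaluate(ACCESS_SERVER, Packet("192.168.2.7", "192.168.4.100", "tcp", 80)))   # ('permit', 10)
    print(evaluate(SYN_FILTER, Packet("10.0.0.9", "1.1.1.1", "tcp", 80, frozenset({"SYN"}))))  # ('deny', 10)
```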
Page 683
interface GigabitEthernet 2/2
switchport mode trunk
ip access-group access_server in
interface VLAN 2
no ip proxy-arp
ip access-group access_server in
ip address 192.168.4.2 255.255.255.0
Device B configuration:
B#show run
interface GigabitEthernet 0/22
switchport mode trunk
ip access-group vlan_access1 in
interface GigabitEthernet 0/23
switchport mode trunk
ip access-group vlan_access2 in...
Page 684
The preceding figure shows the simplified topology of a campus network: Switch A is the convergence device, which assigns one VLAN to each faculty and is connected to the campus network through 10G optical cable (trunk mode). Switch B and Switch C are access devices connecting the PCs of the respective faculties, and are connected to the convergence switch through Gigabit optical cable (trunk mode).
Page 685
! Permit DHCP packets with UDP port 67 (Bootstrap Protocol Server) and 68 (Bootstrap Protocol Client) (offset of the protocol number being 35; hexadecimal value 11 indicating UDP; offset of the port being 46; hexadecimal values 43/44 corresponding to 67 and 68).
Page 686
expert access-list advanced tongdao
security global access-group tongdao
C#show run
expert access-list advanced tongdao1
security global access-group tongdao1...
Page 687
Configuring File System
Overview
The file system offers unified management of files across platforms, regardless of the devices, storage media and file transfer protocols used. Locally, there are many kinds of storage media, for instance USB and flash, which can be distributed over different boards such as the primary control module and the secondary module.
Page 688
location: IP address or host name/directory: position for file transmission. For instance, if the file transmission directory specified by the TFTP server is C:\download, the file path specified by the device is relative to C:\download. tftp://192.168.0.1/binary/rgos.bin refers to the c:\download\binary\rgos.bin file on the TFTP server with the IP address 192.168.0.1.
Page 689
VSU system primary control module through commands such as dir sw1-m1-disk0:/
Showing the File System Information
This command shows all the file systems supported on the device and their available space. In privileged EXEC mode, use the following command:
Ruijie#show file systems...
Page 690
File Systems:
Size(b)       Free(b)       Type      Flags    Prefixes
------------  ------------  --------- -------  ----------
33488896      16191488      flash              flash:
                            flash              usb0:
                            flash              usb1:
                            flash              sd0:
                            flash              slave:
                            network            tftp:
                            network            xmodem:
--------------------------------------------------------------------
In this information, "*" means the active file system, size means the space of the file system and free means the available space. Free means the available space of the file system, not the size of the file to be stored.
Page 691
Ruijie# delete rgos.bin
File [rgos.bin] is a system file. System may not work properly without it. Are you sure you want to delete it? [no] yes
0:1:1:38 Ruijie: FS-4-SYSTEM_FILE_DELETED: System file [rgos.bin] deleted!
Transmitting Files through Communication Protocols
Transmit files through TFTP: You are allowed to upload and download files to the TFTP server.
Page 692
Run the TFTP server on the host and select C:\download, where the file to be downloaded is located. Use the ping command to test the connection between the device and the TFTP server. Log on to the device, enter privileged EXEC mode and use the command:
Ruijie#copy tftp://192.168.201.54/a.dat flash:
Destination filename [a.dat]?
Accessing tftp://192.168.201.54/a.dat...
Page 693
Run the HyperTerminal of Windows to connect to the console of the device. In privileged EXEC mode, use the following command to download the file:
Ruijie# copy xmodem: flash:/config.text
In the Windows HyperTerminal of the local device, select Transmit files from the Transmit menu.
Page 694
Enter the root directory of the USB disk:
Ruijie#cd usb0:/
Confirm the current path:
Ruijie#pwd
usb0:/
Create a backup directory on the USB disk:
Ruijie#mkdir backup
Copy the file to the USB disk:
Ruijie#copy flash:/config.text config.text
Check the result:
Ruijie#dir backup
Directory of usb0:/backup
Mode     Link Size      MTime               Name
-------- ---- --------- ------------------- ------------------
                        2009-01-01 00:01:37 config.text...
Page 695
--------------------------------------------------------------
3 Files (Total size 11181455 Bytes), 0 Directories.
Total 33030144 bytes (31MB) in this device, 20492288 bytes (19MB) available.
Copy the file to the SD card:
Ruijie# copy flash:/config.text backup/config.text
Check the result:
Ruijie#dir backup
Directory of sd0:/backup
Mode     Link...
Page 696
--------------------------------------------------------------
2 Files (Total size 15300224 Bytes), 1 Directories.
Total 528482304 bytes (504MB) in this device, 459571200 bytes (438MB) available.
Copy the file from the SD card to the USB disk:
Ruijie#copy sd0:/rgos_10_4.bin usb0:/new_rgos.bin
[OK 7,650,112 bytes]
Check the result:
Ruijie#dir usb0:/...
Page 697
149 2006-01-01 08:01:37 backup.txt
--------------------------------------------------------------
1 Files (Total size 149 Bytes), 0 Directories
Total 33030144 bytes (31MB) in this device, 9563693 bytes (9MB) available
Delete a non-empty directory:
Ruijie# delete recursive aaa
Delete the empty directory:
Ruijie# rmdir aaa
Check the result:
Ruijie#dir...
Page 698
Use the show cpu command to show the total CPU utilization and the CPU utilization per process:
Ruijie# show cpu
    Shows CPU utilization. By default, the switch name is Ruijie.
Below is the result of executing this command:
Ruijie#show cpu
=======================================
CPU Using Rate Information...
Page 701
Ruijie# configure terminal // Enter the global configuration mode
Ruijie(config)# cpu-log log-limit 70 80 // Configure the CPU logging trigger threshold
If the CPU utilization rises from lower than 80% to higher than 80%, it triggers the high threshold only once and...
Page 702
Use the show memory command to show the usage and status of system memory:
Ruijie# show memory
    Shows the usage of system memory. By default, the switch name is Ruijie.
Below is the result of executing this command:
Ruijie#show memory
System Memory Statistic:
Free pages: 174164...
Page 703
For example:
<189> 226:Mar 5 02:09:10 Ruijie %SYS-5-CONFIG_I: Configured from console by console
The priority field is not attached to the log messages printed in the user window. It only appears in the log messages sent to the syslog server.
Page 704
When the log switch is turned on, the log information is displayed on the console and also sent to different display devices. To configure different display devices to receive logs, use the following commands in global configuration mode or at the privileged user level:
Ruijie(config)# buffered [ buffer-size | level ]
    Records logs in the memory buffer...
Page 705
[ message-type [ uptime | datetime [ msec ] [ year ] ] ]
    Enables the timestamp in the log information.
Ruijie(config)# no service timestamps [ message-type ]
    Disables the timestamp in the log information.
Timestamps are available in two formats: device uptime and device datetime. Select the type of timestamp as required.
Page 706
By default, the system name is not included in the log information. To add or remove the system name in the log information, use the following commands in global configuration mode.
Ruijie(config)# no service sysname
    Removes the system name from the log message.
Ruijie(config)# service sysname
    Adds the system name to the log message.
Page 707
As the following shows, the status of FastEthernet 0/12 changes and a log is printed after the user enters "vlan", so the user forgets which characters were being entered, which breaks the coherence of command entry.
Ruijie(config)#vlan
Aug 20 16:46:49 %LINK-5-CHANGED: Interface FastEthernet 0/12, changed state to down...
Page 708
Ruijie(config)# logging trap [ level ]
    Sets the level of log information that is allowed to be sent to the syslog server.
The log information of Ruijie Networks products is classified into the following eight levels:
Level Keyword Level Description...
Page 709
Ruijie(config)# logging facility facility-type
    Configures the device value of the log information.
Ruijie(config)# no logging facility facility-type
    Restores the device value of the log information to the default value.
The meanings of the various device values are described below:
Numerical Code...
Page 710
The default device value of Ruijie products is 23.
Configuring the Source Address of Log Messages
By default, the source address of the log messages sent to the syslog server is the address of the port that sends the messages.
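As an added example (not from the guide), the Python below decodes the <PRI> field of the sample message shown earlier: 189 = 23 * 8 + 5, i.e. the default device value 23 (local7) and level 5, and checks that it agrees with the "-5-" inside %SYS-5-CONFIG_I, which is the consistency check a collector should apply before trusting either field. The second sample line, the facility and level keyword names (the standard syslog ones), and the logging trap filter helper are assumptions added here.

```python
import re
from typing import Dict, Optional

# Facility (device value) names by number; Ruijie's default value 23 is local7.
FACILITY_NAMES: Dict[int, str] = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr", 7: "news",
    8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp", 16: "local0", 17: "local1", 18: "local2",
    19: "local3", 20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity 0..7, from emergencies to debugging (a lower number is more urgent).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Assumes the datetime timestamp form shown in the guide (no msec, no year), an optional
# sequence number and system name, and the "%MODULE-LEVEL-MNEMONIC:" message header.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*(?:(?P<seq>\d+):)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?:(?P<sysname>[^%\s]+)\s+)?"
    r"%(?P<module>[A-Z0-9_]+)-(?P<level>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def encode_priority(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, e.g. local7 (23) and notifications (5) give 189."""
    return facility * 8 + severity


def decode_priority(pri: int):
    """Inverse of encode_priority: returns (facility, severity)."""
    return divmod(pri, 8)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_priority(int(m["pri"]))
    return {
        "facility": facility, "facility_name": FACILITY_NAMES.get(facility, "unknown"),
        "severity": severity, "severity_name": SEVERITY_NAMES[severity],
        "seq": int(m["seq"]) if m["seq"] else None, "timestamp": m["ts"],
        "sysname": m["sysname"], "module": m["module"], "mnemonic": m["mnemonic"],
        # The level inside %MODULE-LEVEL-MNEMONIC must agree with the severity carried in PRI.
        "consistent": severity == int(m["level"]),
        "text": m["text"],
    }


def sent_to_server(severity: int, trap_level: int) -> bool:
    """'logging trap <level>': messages at that level or more urgent are forwarded."""
    return severity <= trap_level


# The sample line from the guide, plus a constructed line whose PRI (local0, level 6)
# disagrees with the -5- in its mnemonic.
SAMPLE = "<189> 226:Mar 5 02:09:10 Ruijie %SYS-5-CONFIG_I: Configured from console by console"
CONSTRUCTED = "<134>Mar 5 02:10:00 %SYS-5-CONFIG_I: Configured from vty by admin"

if __name__ == "__main__":
    for line in (SAMPLE, CONSTRUCTED):
        print(parse_line(line))
```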
Page 711
Connect the device to the log server, whose IP address is 192.168.200.2. Perform the following configuration to make all logs carry timestamps and allow logs of all levels to be sent to the log server:
Ruijie(config)# service timestamps debug datetime //Enable debug information timestamp, in date format...